Eliminate some confined domains from being able to talk to abrt

diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 619029772d37b5de7533f6f0d698532e25236f0a..0ffb0e44f50780a6e5f4cb63d48f2f627d20092d 100644 (file)
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -225,7 +225,6 @@ optional_policy(`
        abrt_read_pid_files(domain)
        abrt_read_state(domain)
        abrt_signull(domain)
-       abrt_stream_connect(domain)
 ')
 
 optional_policy(`

diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 6e35cb22815206a6c4a7cf5a386ad3b99ceb66aa..5a0ca9fe6d65e918a539ef68672d1cdb1149b74d 100644 (file)
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -487,6 +487,10 @@ interface(`dbus_system_domain',`
        userdom_dontaudit_search_admin_dir($1)
        userdom_read_all_users_state($1)
 
+       optional_policy(`
+               abrt_stream_connect($1)
+       ')
+
        optional_policy(`
                rpm_script_dbus_chat($1)
        ')

diff --git a/policy/modules/services/inetd.if b/policy/modules/services/inetd.if
index 6985546a854b0017c82f002ab39bce8404d39b08..878d9df03aa5f89f0706e294baf3c34d378be932 100644 (file)
--- a/policy/modules/services/inetd.if
+++ b/policy/modules/services/inetd.if
@@ -37,6 +37,10 @@ interface(`inetd_core_service_domain',`
 
        domtrans_pattern(inetd_t, $2, $1)
        allow inetd_t $1:process { siginh sigkill };
+
+       optional_policy(`
+               abrt_stream_connect($1)
+       ')
 ')
 
 ########################################

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 7947c80ed550dc2ec367cdfcdc600906f1a39f8f..65690963a5ca14bec93873d1e74e12eb8857aa61 100644 (file)
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -448,6 +448,10 @@ interface(`init_system_domain',`
        # these apps are often redirect output to random log files
        logging_inherit_append_all_logs($1)
 
+       optional_policy(`
+               abrt_stream_connect($1)
+       ')
+
        optional_policy(`
                cron_rw_pipes($1)
        ')

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 822d7a02109f7933039ad502dd7248853309aa75..f2897607885a3371844505e63d05b48b4468e551 100644 (file)
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -739,8 +739,8 @@ ifdef(`distro_redhat',`
        ')
 
        optional_policy(`
-        abrt_manage_pid_files(initrc_t)
-    ')
+               abrt_manage_pid_files(initrc_t)
+       ')
 
        optional_policy(`
                bind_manage_config_dirs(initrc_t)
@@ -1242,6 +1242,10 @@ optional_policy(`
 
 init_rw_script_stream_sockets(daemon)
 
+optional_policy(`
+       abrt_stream_connect(daemon)
+')
+
 optional_policy(`
        fail2ban_read_lib_files(daemon)
 ')
@@ -1255,4 +1259,3 @@ init_rw_stream_sockets(daemon)
 allow init_t var_run_t:dir relabelto;
 
 init_stream_connect(initrc_t)
-

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index cda5a682c684f8fa2a7240a8ff97e3b5ae698c9b..240fa6c23c7093bc6c2c0fcd5b5ca24acb6bf6eb 100644 (file)
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -152,6 +152,10 @@ template(`userdom_base_user_template',`
                allow $1_t self:process execstack;
        ')
 
+       optional_policy(`
+               abrt_stream_connect($1_usertype)
+       ')
+
        optional_policy(`
                fs_list_cgroup_dirs($1_usertype)
        ')