author | Chris PeBenito <pebenito@ieee.org> | 2022-02-16 11:04:33 -0500 |
---|---|---|
committer | Jason Zaman <perfinion@gentoo.org> | 2022-02-26 18:13:17 -0800 |
commit | a6f1a4be5244df25381bdc9d270765134f4d802b (patch) | |
tree | 202512595af3782e30103ea6d70488b9e2193e95 | |
parent | dontaudit net_admin without hide_broken_symptoms (diff) | |
cron, dbus, policykit, postfix: Minor style fixes.
No rule changes.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
-rw-r--r-- | policy/modules/services/cron.te | 4 | ||||
-rw-r--r-- | policy/modules/services/dbus.te | 5 | ||||
-rw-r--r-- | policy/modules/services/policykit.te | 2 | ||||
-rw-r--r-- | policy/modules/services/postfix.te | 5 |
4 files changed, 7 insertions, 9 deletions
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 9ecbe4d6e..b36fc709e 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -209,10 +209,10 @@ tunable_policy(`fcron_crond',`
 # Daemon local policy
 #
-# for changing buffer sizes
 dontaudit crond_t self:capability net_admin;
 allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice };
-dontaudit crond_t self:capability { sys_resource sys_tty_config };
+# net_admin for changing buffer sizes
+dontaudit crond_t self:capability { net_admin sys_resource sys_tty_config };
 allow crond_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow crond_t self:fd use;
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 9a1e6b303..31fc905cd 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -67,10 +67,9 @@ ifdef(`enable_mls',`
 # Local policy
 #
-# for changing buffer sizes
-dontaudit system_dbusd_t self:capability net_admin;
 allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_resource };
-dontaudit system_dbusd_t self:capability sys_tty_config;
+# net_admin for changing buffer sizes
+dontaudit system_dbusd_t self:capability { net_admin sys_tty_config };
 allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
 allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
 allow system_dbusd_t self:dbus { send_msg acquire_svc };
diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
index 46f5568fe..197dc13c5 100644
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
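Review bot: In the cron.te hunk the standalone `dontaudit crond_t self:capability net_admin;` stays in place as a context line while net_admin is also added to the merged set two lines below, so as rendered here the same capability is dontaudited twice. That line has also lost the comment that explained it. The dbus.te and postfix.te hunks drop their standalone net_admin rule when they merge, so removing it here too would keep the four files consistent. The effective policy is the same either way, which matches the "No rule changes" description.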
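Review bot: The merged rule `dontaudit system_dbusd_t self:capability { net_admin sys_tty_config };` in dbus.te carries a comment that explains only net_admin, so sys_tty_config is silenced with no recorded reason; the postfix.te hunk has the same shape for postfix_domain. It had no comment before the merge either, but now shares a line whose comment reads as if it covered the whole set. Because dontaudit rules suppress the AVC denial records an analyst would otherwise rely on, each capability in the set should have its rationale noted, for example `# net_admin for changing buffer sizes; sys_tty_config: <reason>`. Denials hidden by these rules become visible only once the policy is rebuilt with dontaudit rules disabled (`semodule -DB`).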
@@ -68,9 +68,9 @@ miscfiles_read_localization(policykit_domain)
 # Local policy
 #
+allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
 # for changing buffer sizes
 dontaudit policykit_t self:capability net_admin;
-allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
 allow policykit_t self:process { getsched setsched signal };
 allow policykit_t self:unix_stream_socket { accept connectto listen };
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 6fe068877..5c324bc76 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -107,10 +107,9 @@ mta_mailserver_delivery(postfix_virtual_t)
 # Common postfix domain local policy
 #
-# for changing buffer sizes
-dontaudit postfix_domain self:capability net_admin;
 allow postfix_domain self:capability { sys_chroot sys_nice };
-dontaudit postfix_domain self:capability sys_tty_config;
+# net_admin for changing buffer sizes
+dontaudit postfix_domain self:capability { net_admin sys_tty_config };
 allow postfix_domain self:process { signal_perms setpgid setsched };
 allow postfix_domain self:fifo_file rw_fifo_file_perms;
 allow postfix_domain self:unix_stream_socket { accept connectto listen };
|