
Source code changes of the file "misc/selinux/cfengine-enterprise.te" between
cfengine-3.15.3.tar.gz and cfengine-3.15.4.tar.gz

About: CFEngine is a configuration management system for configuring and maintaining Unix-like computers (using its own high-level policy language). Community version.

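--- a/misc/selinux/cfengine-enterprise.te
+++ b/misc/selinux/cfengine-enterprise.te
@@ -140,21 +140,21 @@
 class alg_socket { create ioctl read getattr lock write setattr append bi nd connect getopt setopt shutdown };
 class nfc_socket { create ioctl read getattr lock write setattr append bi nd connect getopt setopt shutdown };
 class vsock_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
 class kcm_socket { create ioctl read getattr lock write setattr append bi nd connect getopt setopt shutdown };
 class qipcrtr_socket { create ioctl read getattr lock write setattr appen d bind connect getopt setopt shutdown };
 class smc_socket { create ioctl read getattr lock write setattr append bi nd connect getopt setopt shutdown };
 class bridge_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
 class dccp_socket { create ioctl read getattr lock write setattr append b ind connect getopt setopt shutdown };
 class ib_socket { create ioctl read getattr lock write setattr append bin d connect getopt setopt shutdown };
 class mpls_socket { create ioctl read getattr lock write setattr append b ind connect getopt setopt shutdown };
-class process { setrlimit transition dyntransition execstack execheap exe cmem };
+class process { setrlimit transition dyntransition execstack execheap exe cmem signull };
 class file { execute execute_no_trans getattr ioctl map open read unlink write entrypoint lock link rename append setattr create relabelfrom relabelto };
 class fifo_file { create open getattr setattr read write append rename li nk unlink ioctl lock relabelfrom relabelto };
 class dir { getattr read search open write add_name remove_name lock ioct l create };
 class filesystem getattr;
 class lnk_file { create getattr read unlink };
 class unix_stream_socket connectto;
 class capability { dac_read_search sys_module chown dac_read_search dac_o verride fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_r esource setuid setgid sys_nice sys_ptrace kill net_bind_service };
 class capability2 { mac_admin mac_override block_suspend syslog compromis e_kernel wake_alarm };
 class association { sendto recvfrom setcontext polmatch };
 class security setsecparam;
@@ -289,17 +289,18 @@
 # allow cf-serverd to connect in case of call-collect
 allow cfengine_serverd_t unreserved_port_t:tcp_socket name_connect;
 # TODO: this should not be needed
 allow cfengine_serverd_t proc_xen_t:dir search;
 allow cfengine_serverd_t ssh_port_t:tcp_socket name_connect;
 allow cfengine_serverd_t cfengine_execd_exec_t:file getattr;
 allow cfengine_serverd_t cfengine_monitord_exec_t:file getattr;
 allow cfengine_serverd_t cfengine_hub_exec_t:file getattr;
+allow cfengine_serverd_t cfengine_log_t:lnk_file getattr;
 allow cfengine_serverd_t crontab_exec_t:file getattr;
 allow cfengine_serverd_t dmidecode_exec_t:file getattr;
 allow cfengine_serverd_t fs_t:filesystem getattr;
 allow cfengine_serverd_t groupadd_exec_t:file getattr;
 allow cfengine_serverd_t hostname_exec_t:file getattr;
 allow cfengine_serverd_t init_exec_t:file getattr;
 allow cfengine_serverd_t init_t:dir read;
 allow cfengine_serverd_t init_t:file { getattr open read };
 allow cfengine_serverd_t journalctl_exec_t:file getattr;
@@ -347,18 +348,18 @@
 allow cfengine_hub_t cfengine_agent_exec_t:file getattr;
 allow cfengine_hub_t cfengine_execd_exec_t:file getattr;
 allow cfengine_hub_t cfengine_monitord_exec_t:file getattr;
 allow cfengine_hub_t cfengine_serverd_exec_t:file getattr;
 allow cfengine_hub_t cfengine_postgres_t:unix_stream_socket connectto;
 allow cfengine_hub_t unreserved_port_t:tcp_socket name_connect;
 allow cfengine_hub_t cfengine_log_t:dir getattr;
 allow cfengine_hub_t cfengine_var_lib_t:dir { add_name getattr open read search write remove_name };
-allow cfengine_hub_t cfengine_var_lib_t:file { create ioctl lock write };
+allow cfengine_hub_t cfengine_var_lib_t:file { create ioctl lock write unlink };
 allow cfengine_hub_t cfengine_var_lib_t:lnk_file { getattr read };
 allow cfengine_hub_t cfengine_var_lib_t:sock_file { create unlink };
 allow cfengine_hub_t bin_t:file map;
 allow cfengine_hub_t bin_t:file { execute execute_no_trans };
 allow cfengine_hub_t cert_t:dir search;
 allow cfengine_hub_t cert_t:file { getattr open read };
 allow cfengine_hub_t crontab_exec_t:file getattr;
 allow cfengine_hub_t devlog_t:lnk_file read;
 allow cfengine_hub_t devlog_t:sock_file write;
@@ -457,18 +458,18 @@
 allow cfengine_postgres_t sssd_t:unix_stream_socket connectto;
 allow cfengine_postgres_t tmp_t:dir { add_name write remove_name };
 allow cfengine_postgres_t tmp_t:file { create write unlink };
 allow cfengine_postgres_t tmp_t:sock_file { create setattr unlink write };
 allow cfengine_postgres_t tmpfs_t:dir { add_name write remove_name };
 allow cfengine_postgres_t tmpfs_t:file { create open read write map unlink };
 allow cfengine_postgres_t tmpfs_t:filesystem getattr;
 allow cfengine_postgres_t var_log_t:file { append open };
 # Needed for systemd to be able to check PostgreSQL's PID file
-allow init_t cfengine_var_lib_t:dir read;
-allow init_t cfengine_var_lib_t:file { getattr open read };
+allow init_t cfengine_var_lib_t:dir { read remove_name write };
+allow init_t cfengine_var_lib_t:file { getattr open read unlink };
 # TODO: these should not be needed
 allow cfengine_postgres_t shell_exec_t:file map;
 allow cfengine_postgres_t shell_exec_t:file { execute execute_no_trans };
 #============= cfengine_httpd_t ==============
 type cfengine_httpd_t;
 typeattribute cfengine_httpd_t domain;
 role system_r types cfengine_httpd_t;
@@ -492,33 +493,34 @@
 allow cfengine_httpd_t cfengine_httpd_exec_t:file { ioctl read getattr lock map execute open };
 allow cfengine_httpd_t cert_t:dir search;
 allow cfengine_httpd_t cert_t:file { getattr open read };
 allow cfengine_httpd_t cert_t:lnk_file read;
 allow cfengine_httpd_t cfengine_httpd_exec_t:file execute_no_trans;
 allow cfengine_httpd_t cfengine_postgres_t:unix_stream_socket connectto;
 # allow httpd to use our custom compiled module
 allow cfengine_httpd_t cfengine_var_lib_t:file map;
-allow cfengine_httpd_t cfengine_var_lib_t:file { append create execute getattr i octl lock open read setattr unlink write };
+allow cfengine_httpd_t cfengine_var_lib_t:file { append create execute getattr i octl lock open read setattr unlink write rename };
 allow cfengine_httpd_t cfengine_var_lib_t:dir { add_name getattr open read remov e_name search write create };
 allow cfengine_httpd_t cfengine_var_lib_t:lnk_file read;
 allow cfengine_httpd_t devlog_t:lnk_file read;
 allow cfengine_httpd_t devlog_t:sock_file write;
 allow cfengine_httpd_t http_port_t:tcp_socket { name_bind name_connect };
 allow cfengine_httpd_t init_t:dbus send_msg;
 allow cfengine_httpd_t init_t:unix_stream_socket { getattr ioctl };
 allow cfengine_httpd_t init_var_run_t:dir search;
 allow cfengine_httpd_t kernel_t:unix_dgram_socket sendto;
 allow cfengine_httpd_t net_conf_t:file { getattr open read };
 allow cfengine_httpd_t node_t:tcp_socket node_bind;
 allow cfengine_httpd_t self:capability { dac_override dac_read_search kill net_b ind_service setgid setuid };
 allow cfengine_httpd_t self:netlink_route_socket { bind create getattr nlmsg_rea d };
 allow cfengine_httpd_t self:process execmem;
+allow cfengine_httpd_t unconfined_t:process signull;
 allow cfengine_httpd_t self:tcp_socket { accept bind connect create getattr geto pt listen setopt shutdown };
 allow cfengine_httpd_t self:udp_socket { connect create getattr };
 allow cfengine_httpd_t self:unix_dgram_socket { connect create };
 allow cfengine_httpd_t sssd_public_t:dir search;
 allow cfengine_httpd_t sssd_public_t:file map;
 allow cfengine_httpd_t sssd_public_t:file { getattr open read };
 allow cfengine_httpd_t sssd_t:unix_stream_socket connectto;
 allow cfengine_httpd_t sssd_var_lib_t:dir search;
 allow cfengine_httpd_t sssd_var_lib_t:sock_file write;
 allow cfengine_httpd_t syslogd_var_run_t:dir search;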
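Review bot: The comment above the init_t rules in the cfengine_postgres_t section, `# Needed for systemd to be able to check PostgreSQL's PID file`, no longer describes what those rules grant: init_t now gets `remove_name write` on every cfengine_var_lib_t directory and `unlink` on every cfengine_var_lib_t file, which is type-wide delete access rather than read access to one PID file. Presumably this is for systemd removing a stale PID file on stop or restart; if so the comment should say so, e.g. `# Needed for systemd to check and remove PostgreSQL's PID file`, and labelling the PID file with a dedicated type would keep init_t from being able to unlink anything else under cfengine_var_lib_t. The new `allow cfengine_httpd_t unconfined_t:process signull;` in the cfengine_httpd_t section is likewise undocumented; a one-line comment naming which process httpd needs to probe with a null signal would let the next reviewer judge whether the rule still belongs.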
 End of changes. 6 change blocks. 
5 lines changed or deleted 7 lines changed or added
