Change #include
to include
in extra profiles
@@ -15,12 +15,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile netstat /{usr/,}bin/netstat {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
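Review bot: The converted lines in this hunk (`include <tunables/global>` and the three `include <abstractions/...>` lines in the netstat profile) now read like ordinary rules, so a maintainer who prefixes one with `#` to disable it recreates the `#include` spelling from the removed lines. The removed lines show that spelling was an active directive, not a comment, and unless the parser in use has dropped the legacy form, the abstraction would still be pulled in. The commit message should say so in one sentence, for example `Note: '#include' is still parsed as an include; delete the line to drop an abstraction.` This applies equally to every other hunk in the commit. `apparmor_parser -p` on the profile shows which includes are actually expanded; the netstat profile body continues outside the hunk.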
|
@@ -13,12 +13,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/etc/cron.daily/logrotate {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/bash>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/base>
|
||||
include <abstractions/bash>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
capability chown,
|
||||
capability dac_override,
|
||||
|
@@ -14,10 +14,10 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/etc/cron.daily/slocate.cron {
|
||||
#include <abstractions/base>
|
||||
include <abstractions/base>
|
||||
/{usr/,}bin/bash mixr,
|
||||
/dev/tty wr ,
|
||||
/etc/cron.daily/slocate.cron r ,
|
||||
|
@@ -10,10 +10,10 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/etc/cron.daily/tmpwatch {
|
||||
#include <abstractions/base>
|
||||
include <abstractions/base>
|
||||
/etc/cron.daily/tmpwatch r,
|
||||
/tmp r,
|
||||
/tmp/** rwl,
|
||||
|
@@ -11,12 +11,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile postfix-anvil /usr/lib/postfix/{bin/,sbin/,}anvil {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/postfix-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/postfix-common>
|
||||
|
||||
/usr/lib/postfix/{bin/,sbin/,}anvil mrix,
|
||||
|
||||
|
@@ -12,12 +12,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile postfix-bounce /usr/lib/postfix/{bin/,sbin/,}bounce {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/postfix-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/postfix-common>
|
||||
|
||||
/usr/lib/postfix/{bin/,sbin/,}bounce mrix,
|
||||
|
||||
|
@@ -12,12 +12,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile postfix-cleanup /usr/lib/postfix/{bin/,sbin/,}cleanup {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/postfix-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/postfix-common>
|
||||
|
||||
capability net_bind_service,
|
||||
capability dac_read_search,
|
||||
|
@@ -12,10 +12,10 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile postfix-discard /usr/lib/postfix/{bin/,sbin/,}discard {
|
||||
#include <abstractions/base>
|
||||
include <abstractions/base>
|
||||
|
||||
/usr/lib/postfix/{bin/,sbin/,}discard mrix,
|
||||
}
|
||||
|
@@ -11,10 +11,10 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile postfix-dnsblog /usr/lib/postfix/{bin/,sbin/,}dnsblog {
|
||||
#include <abstractions/base>
|
||||
include <abstractions/base>
|
||||
|
||||
/usr/lib/postfix/{bin/,sbin/,}dnsblog mrix,
|
||||
|
||||
|
@@ -12,12 +12,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile postfix-error /usr/lib/postfix/{bin/,sbin/,}error {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/postfix-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/postfix-common>
|
||||
|
||||
/usr/lib/postfix/{bin/,sbin/,}error mrix,
|
||||
|
||||
|
@@ -11,12 +11,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile postfix-flush /usr/lib/postfix/{bin/,sbin/,}flush {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/postfix-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/postfix-common>
|
||||
|
||||
/usr/lib/postfix/{bin/,sbin/,}flush mrix,
|
||||
|
||||
|
@@ -12,12 +12,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile postfix-lmtp /usr/lib/postfix/{bin/,sbin/,}lmtp {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/postfix-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/postfix-common>
|
||||
|
||||
/usr/lib/postfix/{bin/,sbin/,}lmtp mrix,
|
||||
|
||||
|
@@ -11,14 +11,14 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile postfix-local /usr/lib/postfix/{bin/,sbin/,}local {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/bash>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/user-mail>
|
||||
#include <abstractions/postfix-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/bash>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/user-mail>
|
||||
include <abstractions/postfix-common>
|
||||
|
||||
/usr/bin/procmail Px,
|
||||
|
||||
|
@@ -12,12 +12,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile postfix-master /usr/lib/postfix/{bin/,sbin/,}master {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/postfix-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/postfix-common>
|
||||
|
||||
capability net_bind_service,
|
||||
capability kill,
|
||||
|
@@ -11,12 +11,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile postfix-nqmgr /usr/lib/postfix/{bin/,sbin/,}nqmgr {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/postfix-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/postfix-common>
|
||||
|
||||
/usr/lib/postfix/{bin/,sbin/,}nqmgr mrix,
|
||||
|
||||
|
@@ -12,12 +12,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile postfix-oqmgr /usr/lib/postfix/{bin/,sbin/,}oqmgr {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/postfix-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/postfix-common>
|
||||
|
||||
/usr/lib/postfix/{bin/,sbin/,}oqmgr mrix,
|
||||
}
|
||||
|
@@ -11,12 +11,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile postfix-pickup /usr/lib/postfix/{bin/,sbin/,}pickup {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/postfix-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/postfix-common>
|
||||
|
||||
/usr/lib/postfix/{bin/,sbin/,}pickup mrix,
|
||||
|
||||
|
@@ -12,12 +12,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile postfix-pipe /usr/lib/postfix/{bin/,sbin/,}pipe {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/postfix-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/postfix-common>
|
||||
|
||||
/usr/lib/postfix/{bin/,sbin/,}pipe mrix,
|
||||
|
||||
|
@@ -10,10 +10,10 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile postfix-postscreen /usr/lib/postfix/{bin/,sbin/,}postscreen {
|
||||
#include <abstractions/base>
|
||||
include <abstractions/base>
|
||||
|
||||
/usr/lib/postfix/{bin/,sbin/,}postscreen mrix,
|
||||
}
|
||||
|
@@ -12,13 +12,13 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile postfix-proxymap /usr/lib/postfix/{bin/,sbin/,}proxymap {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/openssl>
|
||||
#include <abstractions/postfix-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/postfix-common>
|
||||
|
||||
/etc/my.cnf r,
|
||||
/usr/lib/postfix/{bin/,sbin/,}proxymap mrix,
|
||||
|
@@ -11,12 +11,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile postfix-qmgr /usr/lib/postfix/{bin/,sbin/,}qmgr {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/postfix-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/postfix-common>
|
||||
|
||||
/usr/lib/postfix/{bin/,sbin/,}qmgr mrix,
|
||||
|
||||
|
@@ -11,12 +11,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile postfix-qmqpd /usr/lib/postfix/{bin/,sbin/,}qmqpd {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/postfix-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/postfix-common>
|
||||
|
||||
/usr/lib/postfix/{bin/,sbin/,}qmqpd mrix,
|
||||
}
|
||||
|
@@ -13,12 +13,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile postfix-scache /usr/lib/postfix/{bin/,sbin/,}scache {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/postfix-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/postfix-common>
|
||||
|
||||
/usr/lib/postfix/{bin/,sbin/,}scache mrix,
|
||||
}
|
||||
|
@@ -11,12 +11,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile postfix-showq /usr/lib/postfix/{bin/,sbin/,}showq {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/postfix-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/postfix-common>
|
||||
|
||||
/usr/lib/postfix/{bin/,sbin/,}showq mrix,
|
||||
|
||||
|
@@ -12,13 +12,13 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile postfix-smtp /usr/lib/postfix/{bin/,sbin/,}smtp {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/postfix-common>
|
||||
#include <abstractions/openssl>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/postfix-common>
|
||||
include <abstractions/openssl>
|
||||
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
|
@@ -12,15 +12,15 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile postfix-smtpd /usr/lib/postfix/{bin/,sbin/,}smtpd {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/postfix-common>
|
||||
#include <abstractions/openssl>
|
||||
#include <abstractions/ssl_certs>
|
||||
#include <abstractions/ssl_keys>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/postfix-common>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/ssl_keys>
|
||||
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
|
@@ -11,12 +11,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile postfix-spawn /usr/lib/postfix/{bin/,sbin/,}spawn {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/postfix-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/postfix-common>
|
||||
|
||||
/usr/lib/postfix/{bin/,sbin/,}spawn mrix,
|
||||
}
|
||||
|
@@ -12,12 +12,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile postfix-tlsmgr /usr/lib/postfix/{bin/,sbin/,}tlsmgr {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/postfix-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/postfix-common>
|
||||
|
||||
/usr/lib/postfix/{bin/,sbin/,}tlsmgr mrix,
|
||||
|
||||
|
@@ -12,12 +12,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile postfix-trivial-rewrite /usr/lib/postfix/{bin/,sbin/,}trivial-rewrite {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/postfix-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/postfix-common>
|
||||
|
||||
capability dac_read_search,
|
||||
|
||||
|
@@ -11,12 +11,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile postfix-verify /usr/lib/postfix/{bin/,sbin/,}verify {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/postfix-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/postfix-common>
|
||||
|
||||
/usr/lib/postfix/{bin/,sbin/,}verify mrix,
|
||||
}
|
||||
|
@@ -11,12 +11,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile postfix-virtual /usr/lib/postfix/{bin/,sbin/,}virtual {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/postfix-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/postfix-common>
|
||||
|
||||
/usr/lib/postfix/{bin/,sbin/,}virtual mrix,
|
||||
|
||||
|
@@ -21,12 +21,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile dhclient /{usr/,}sbin/dhclient {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/bash>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/base>
|
||||
include <abstractions/bash>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
capability net_raw,
|
||||
|
||||
|
@@ -2,15 +2,15 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
# dhclient-script will call plugins from /etc/netconfig.d, so this
|
||||
# will need to be extended on a per-site basis.
|
||||
|
||||
profile dhclient-script /{usr/,}sbin/dhclient-script {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/bash>
|
||||
#include <abstractions/consoles>
|
||||
include <abstractions/base>
|
||||
include <abstractions/bash>
|
||||
include <abstractions/consoles>
|
||||
|
||||
/{usr/,}bin/bash rix,
|
||||
/{usr/,}bin/grep rix,
|
||||
|
@@ -18,11 +18,11 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile dhcpcd /{usr/,}sbin/dhcpcd {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
capability net_raw,
|
||||
capability net_admin,
|
||||
|
@@ -10,11 +10,11 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile portmap /{usr/,}sbin/portmap {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
capability net_bind_service,
|
||||
capability setuid,
|
||||
|
@@ -12,11 +12,11 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile resmgrd /{usr/,}sbin/resmgrd {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
capability fowner,
|
||||
capability chown,
|
||||
|
@@ -10,9 +10,9 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile rpc.lockd /{usr/,}sbin/rpc.lockd {
|
||||
#include <abstractions/base>
|
||||
include <abstractions/base>
|
||||
/{usr/,}sbin/rpc.lockd rmix,
|
||||
}
|
||||
|
@@ -10,11 +10,11 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile rpc.statd /{usr/,}sbin/rpc.statd {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
# needed to sanely drop privileges
|
||||
capability setgid,
|
||||
|
@@ -11,15 +11,15 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/NX/bin/nxclient {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/bash>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/kde>
|
||||
#include <abstractions/X>
|
||||
include <abstractions/base>
|
||||
include <abstractions/bash>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/kde>
|
||||
include <abstractions/X>
|
||||
|
||||
/{usr/,}bin/bash mix,
|
||||
/usr/bin/cut mix,
|
||||
|
@@ -12,17 +12,17 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/X11R6/bin/acroread {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/bash>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/fonts>
|
||||
#include <abstractions/kde>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/gnome>
|
||||
#include <abstractions/X>
|
||||
include <abstractions/base>
|
||||
include <abstractions/bash>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/kde>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/gnome>
|
||||
include <abstractions/X>
|
||||
|
||||
capability dac_override,
|
||||
|
||||
|
@@ -10,12 +10,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/bin/apropos {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/bash>
|
||||
#include <abstractions/consoles>
|
||||
include <abstractions/base>
|
||||
include <abstractions/bash>
|
||||
include <abstractions/consoles>
|
||||
/{usr/,}bin/basename mixr,
|
||||
/{usr/,}bin/bash mixr,
|
||||
/{usr/,}bin/grep mixr,
|
||||
|
@@ -2,11 +2,11 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/bin/dumpcap {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
capability net_admin,
|
||||
capability net_raw,
|
||||
|
@@ -40,19 +40,19 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/bin/evolution-2.10 {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/bash>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/fonts>
|
||||
#include <abstractions/kde>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/perl>
|
||||
#include <abstractions/gnome>
|
||||
#include <abstractions/user-mail>
|
||||
#include <abstractions/user-write>
|
||||
include <abstractions/base>
|
||||
include <abstractions/bash>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/kde>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/perl>
|
||||
include <abstractions/gnome>
|
||||
include <abstractions/user-mail>
|
||||
include <abstractions/user-write>
|
||||
|
||||
capability ipc_lock,
|
||||
capability setuid,
|
||||
|
@@ -10,11 +10,11 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/bin/fam {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
/tmp/.fam* wl,
|
||||
/etc/mtab rw,
|
||||
/usr/bin/fam rmix,
|
||||
|
@@ -11,12 +11,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/bin/freshclam {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
|
@@ -12,18 +12,18 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/bin/gaim {
|
||||
#include <abstractions/audio>
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/bash>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/kde>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/perl>
|
||||
#include <abstractions/gnome>
|
||||
#include <abstractions/user-tmp>
|
||||
include <abstractions/audio>
|
||||
include <abstractions/base>
|
||||
include <abstractions/bash>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/kde>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/perl>
|
||||
include <abstractions/gnome>
|
||||
include <abstractions/user-tmp>
|
||||
|
||||
/{usr/,}bin/bash mixr,
|
||||
/dev/random r,
|
||||
|
@@ -14,11 +14,11 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/bin/man {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
|
@@ -12,10 +12,10 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/bin/mlmmj-bounce {
|
||||
#include <abstractions/base>
|
||||
include <abstractions/base>
|
||||
|
||||
/usr/bin/mlmmj-bounce mr,
|
||||
/usr/bin/mlmmj-send Px,
|
||||
|
@@ -12,10 +12,10 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/bin/mlmmj-maintd {
|
||||
#include <abstractions/base>
|
||||
include <abstractions/base>
|
||||
|
||||
capability setuid,
|
||||
|
||||
|
@@ -11,13 +11,13 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/bin/mlmmj-make-ml.sh {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/bash>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/base>
|
||||
include <abstractions/bash>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
capability sys_admin,
|
||||
|
||||
|
@@ -12,10 +12,10 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/bin/mlmmj-process {
|
||||
#include <abstractions/base>
|
||||
include <abstractions/base>
|
||||
|
||||
/usr/bin/mlmmj-process mr,
|
||||
/usr/bin/mlmmj-send Px,
|
||||
|
@@ -12,10 +12,10 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/bin/mlmmj-receive {
|
||||
#include <abstractions/base>
|
||||
include <abstractions/base>
|
||||
|
||||
/usr/bin/mlmmj-process Px,
|
||||
/usr/bin/mlmmj-receive mr,
|
||||
|
@@ -15,10 +15,10 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/bin/mlmmj-recieve {
|
||||
#include <abstractions/base>
|
||||
include <abstractions/base>
|
||||
|
||||
/usr/bin/mlmmj-process Px,
|
||||
/usr/bin/mlmmj-recieve mr,
|
||||
|
@@ -12,11 +12,11 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/bin/mlmmj-send {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
/usr/bin/mlmmj-send mr,
|
||||
/var/spool/mlmmj/*/archive/* w,
|
||||
|
@@ -12,10 +12,10 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/bin/mlmmj-sub {
|
||||
#include <abstractions/base>
|
||||
include <abstractions/base>
|
||||
|
||||
capability setuid,
|
||||
|
||||
|
@@ -12,10 +12,10 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/bin/mlmmj-unsub {
|
||||
#include <abstractions/base>
|
||||
include <abstractions/base>
|
||||
|
||||
/usr/bin/mlmmj-unsub mr,
|
||||
/usr/bin/mlmmj-send Px,
|
||||
|
@@ -11,16 +11,16 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
/usr/bin/opera {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/bash>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/kde>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/user-write>
|
||||
#include <abstractions/user-download>
|
||||
#include <abstractions/X>
|
||||
include <abstractions/base>
|
||||
include <abstractions/bash>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/kde>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/user-write>
|
||||
include <abstractions/user-download>
|
||||
include <abstractions/X>
|
||||
|
||||
capability dac_override,
|
||||
|
||||
|
@@ -11,14 +11,14 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/bin/passwd {
|
||||
#include <abstractions/authentication>
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/wutmp>
|
||||
include <abstractions/authentication>
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/wutmp>
|
||||
|
||||
capability chown,
|
||||
capability sys_resource,
|
||||
|
@@ -10,13 +10,13 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/bin/procmail {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/bash>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/user-mail>
|
||||
include <abstractions/base>
|
||||
include <abstractions/bash>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/user-mail>
|
||||
|
||||
# procmail configuration
|
||||
/etc/procmailrc r,
|
||||
|
@@ -5,21 +5,21 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
/usr/bin/skype flags=(complain) {
|
||||
#include <abstractions/audio>
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/dbus-session>
|
||||
#include <abstractions/fonts>
|
||||
#include <abstractions/freedesktop.org>
|
||||
#include <abstractions/gnome>
|
||||
#include <abstractions/ibus>
|
||||
#include <abstractions/kde>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/nvidia>
|
||||
#include <abstractions/ssl_certs>
|
||||
#include <abstractions/user-tmp>
|
||||
#include <abstractions/X>
|
||||
include <abstractions/audio>
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/gnome>
|
||||
include <abstractions/ibus>
|
||||
include <abstractions/kde>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/nvidia>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/user-tmp>
|
||||
include <abstractions/X>
|
||||
|
||||
@{PROC}/sys/kernel/{ostype,osrelease} r,
|
||||
@{PROC}/@{pid}/net/arp r,
|
||||
|
@@ -12,11 +12,11 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/bin/spamc {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
/usr/bin/spamc r,
|
||||
}
|
||||
|
@@ -10,11 +10,11 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/bin/svnserve {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
# network service ;)
|
||||
capability net_bind_service,
|
||||
|
@@ -12,24 +12,24 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/bin/wireshark {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/bash>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/dconf>
|
||||
#include <abstractions/dbus-session-strict>
|
||||
#include <abstractions/ibus>
|
||||
#include <abstractions/kde>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/gnome>
|
||||
#include <abstractions/user-write>
|
||||
#include <abstractions/X>
|
||||
include <abstractions/base>
|
||||
include <abstractions/bash>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/ibus>
|
||||
include <abstractions/kde>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/gnome>
|
||||
include <abstractions/user-write>
|
||||
include <abstractions/X>
|
||||
|
||||
signal (send) peer=/usr/bin/dumpcap,
|
||||
|
||||
#include <abstractions/dbus-accessibility-strict>
|
||||
include <abstractions/dbus-accessibility-strict>
|
||||
dbus (send)
|
||||
bus=session
|
||||
peer=(name=org.a11y.Bus),
|
||||
|
@@ -10,11 +10,11 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/bin/xfs {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
/ r,
|
||||
/dev/tty wr,
|
||||
|
@@ -12,12 +12,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/lib/GConf/2/gconfd-2 {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/user-tmp>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/user-tmp>
|
||||
|
||||
/etc/gconf/2/path r,
|
||||
/etc/gconf/gconf.xml.defaults r,
|
||||
|
@@ -12,18 +12,18 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/lib/RealPlayer10/realplay {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/bash>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/fonts>
|
||||
#include <abstractions/kde>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/gnome>
|
||||
#include <abstractions/user-download>
|
||||
#include <abstractions/X>
|
||||
include <abstractions/base>
|
||||
include <abstractions/bash>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/kde>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/gnome>
|
||||
include <abstractions/user-download>
|
||||
include <abstractions/X>
|
||||
|
||||
/{usr/,}bin/bash mix,
|
||||
/{usr/,}bin/sed mixr,
|
||||
|
@@ -12,12 +12,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/lib/bonobo/bonobo-activation-server {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/user-tmp>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/user-tmp>
|
||||
|
||||
/etc/bonobo-activation/bonobo-activation-config.xml r,
|
||||
/usr/lib/bonobo/bonobo-activation-server rmix,
|
||||
|
@@ -12,12 +12,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/lib/evolution-data-server/evolution-data-server-1.10 {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/user-tmp>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/user-tmp>
|
||||
|
||||
/etc/mtab r,
|
||||
/etc/** r,
|
||||
|
@@ -11,7 +11,7 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
# We want to confine the binaries that match:
|
||||
# /usr/lib/firefox-4.0b8/firefox
|
||||
@@ -19,13 +19,13 @@ abi <abi/3.0>,
|
||||
# but not:
|
||||
# /usr/lib/firefox-4.0b8/firefox.sh
|
||||
/usr/lib/firefox{,-[0-9]*}/firefox{,*[^s][^h]} {
|
||||
#include <abstractions/audio>
|
||||
#include <abstractions/cups-client>
|
||||
#include <abstractions/dbus-session>
|
||||
#include <abstractions/gnome>
|
||||
#include <abstractions/ibus>
|
||||
#include <abstractions/kde>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/audio>
|
||||
include <abstractions/cups-client>
|
||||
include <abstractions/dbus-session>
|
||||
include <abstractions/gnome>
|
||||
include <abstractions/ibus>
|
||||
include <abstractions/kde>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
# for networking
|
||||
network inet stream,
|
||||
|
@@ -2,12 +2,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/lib/firefox/firefox.sh {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/bash>
|
||||
#include <abstractions/consoles>
|
||||
include <abstractions/base>
|
||||
include <abstractions/bash>
|
||||
include <abstractions/consoles>
|
||||
|
||||
deny capability sys_ptrace,
|
||||
|
||||
|
@@ -12,11 +12,11 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/lib/firefox/mozilla-xremote-client {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/X>
|
||||
include <abstractions/base>
|
||||
include <abstractions/X>
|
||||
|
||||
/usr/lib/mozilla/lib*so* mr,
|
||||
/usr/lib/firefox/mozilla-xremote-client rmix,
|
||||
|
@@ -11,13 +11,13 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/lib/man-db/man {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/bash>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/user-manpages>
|
||||
include <abstractions/base>
|
||||
include <abstractions/bash>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/user-manpages>
|
||||
|
||||
/{usr/,}bin/bash rmix,
|
||||
/{usr/,}bin/cat rmix,
|
||||
|
@@ -12,12 +12,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/lib64/GConf/2/gconfd-2 {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/user-tmp>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/user-tmp>
|
||||
|
||||
/etc/gconf/2/path r,
|
||||
/etc/gconf/gconf.xml.defaults r,
|
||||
|
@@ -2,13 +2,13 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
/usr/sbin/cupsd {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/bash>
|
||||
#include <abstractions/dbus>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/perl>
|
||||
include <abstractions/base>
|
||||
include <abstractions/bash>
|
||||
include <abstractions/dbus>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/perl>
|
||||
|
||||
capability chown,
|
||||
capability dac_override,
|
||||
|
@@ -10,11 +10,11 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/sbin/dhcpd {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
capability dac_override,
|
||||
capability net_bind_service,
|
||||
|
@@ -11,16 +11,16 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/sbin/httpd2-prefork {
|
||||
#include <abstractions/apache2-common>
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/kerberosclient>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/perl>
|
||||
#include <abstractions/openssl>
|
||||
include <abstractions/apache2-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/kerberosclient>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/perl>
|
||||
include <abstractions/openssl>
|
||||
|
||||
capability kill,
|
||||
capability net_bind_service,
|
||||
@@ -132,13 +132,13 @@ abi <abi/3.0>,
|
||||
|
||||
|
||||
^HANDLING_UNTRUSTED_INPUT {
|
||||
#include <abstractions/apache2-common>
|
||||
include <abstractions/apache2-common>
|
||||
/var/log/apache2/* w,
|
||||
}
|
||||
|
||||
^DEFAULT_URI {
|
||||
#include <abstractions/apache2-common>
|
||||
#include <abstractions/base>
|
||||
include <abstractions/apache2-common>
|
||||
include <abstractions/base>
|
||||
|
||||
# Note that mod_perl, mod_php, mod_python, etc, allows in-apache
|
||||
# execution of content regardless of 'x' permissions, as no exec(2)
|
||||
|
@@ -10,14 +10,14 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/sbin/imapd {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/authentication>
|
||||
#include <abstractions/user-mail>
|
||||
#include <abstractions/openssl>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/authentication>
|
||||
include <abstractions/user-mail>
|
||||
include <abstractions/openssl>
|
||||
|
||||
/dev/urandom r,
|
||||
/tmp/* rwl,
|
||||
|
@@ -10,11 +10,11 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/sbin/in.fingerd {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
@{HOME}/.plan r,
|
||||
@{HOME}/.project r,
|
||||
|
@@ -10,12 +10,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/sbin/in.ftpd {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/authentication>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/authentication>
|
||||
|
||||
/ r,
|
||||
/dev/urandom r,
|
||||
|
@@ -10,12 +10,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/sbin/in.ntalkd {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/consoles>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/consoles>
|
||||
|
||||
/usr/sbin/in.ntalkd r,
|
||||
/{,var/}run/utmp r,
|
||||
|
@@ -10,14 +10,14 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/sbin/ipop2d {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/authentication>
|
||||
#include <abstractions/user-mail>
|
||||
#include <abstractions/openssl>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/authentication>
|
||||
include <abstractions/user-mail>
|
||||
include <abstractions/openssl>
|
||||
|
||||
/dev/urandom r ,
|
||||
/tmp/.* rwl ,
|
||||
|
@@ -10,14 +10,14 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/sbin/ipop3d {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/authentication>
|
||||
#include <abstractions/user-mail>
|
||||
#include <abstractions/openssl>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/authentication>
|
||||
include <abstractions/user-mail>
|
||||
include <abstractions/openssl>
|
||||
|
||||
/dev/urandom r ,
|
||||
/tmp/.* rwl ,
|
||||
|
@@ -11,13 +11,13 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/sbin/lighttpd {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/perl>
|
||||
#include <abstractions/web-data>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/perl>
|
||||
include <abstractions/web-data>
|
||||
|
||||
# needed to change max file descriptors
|
||||
capability sys_resource,
|
||||
|
@@ -14,13 +14,13 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/sbin/mysqld {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/mysql>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/user-tmp>
|
||||
include <abstractions/base>
|
||||
include <abstractions/mysql>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/user-tmp>
|
||||
|
||||
capability dac_override,
|
||||
capability setgid,
|
||||
|
@@ -11,11 +11,11 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/sbin/oidentd {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
capability net_bind_service,
|
||||
capability dac_override,
|
||||
|
@@ -12,13 +12,13 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/sbin/popper {
|
||||
#include <abstractions/authentication>
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/user-mail>
|
||||
include <abstractions/authentication>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/user-mail>
|
||||
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
|
@@ -10,14 +10,14 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/sbin/postalias {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/kerberosclient>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/postfix-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/kerberosclient>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/postfix-common>
|
||||
/etc/aliases r,
|
||||
/etc/aliases.db rwlk,
|
||||
/etc/postfix r,
|
||||
|
@@ -11,13 +11,13 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/sbin/postdrop {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/kerberosclient>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/postfix-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/kerberosclient>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/postfix-common>
|
||||
|
||||
# This is needed at least for permissions=paranoid
|
||||
capability dac_override,
|
||||
|
@@ -10,13 +10,13 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/sbin/postmap {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/kerberosclient>
|
||||
#include <abstractions/postfix-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/kerberosclient>
|
||||
include <abstractions/postfix-common>
|
||||
|
||||
/etc/fstab r,
|
||||
/etc/mtab r,
|
||||
|
@@ -10,14 +10,14 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/sbin/postqueue {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/kerberosclient>
|
||||
#include <abstractions/postfix-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/kerberosclient>
|
||||
include <abstractions/postfix-common>
|
||||
|
||||
# This is needed at least for permissions=paranoid
|
||||
capability dac_override,
|
||||
|
@@ -13,15 +13,15 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/sbin/sendmail {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/kerberosclient>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/user-tmp>
|
||||
#include <abstractions/postfix-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/kerberosclient>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/user-tmp>
|
||||
include <abstractions/postfix-common>
|
||||
|
||||
/usr/bin/procmail Px,
|
||||
|
||||
|
@@ -10,15 +10,15 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/sbin/sendmail.postfix {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/kerberosclient>
|
||||
#include <abstractions/user-tmp>
|
||||
#include <abstractions/postfix-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/kerberosclient>
|
||||
include <abstractions/user-tmp>
|
||||
include <abstractions/postfix-common>
|
||||
|
||||
/etc/mtab r,
|
||||
/etc/postfix r,
|
||||
|
@@ -10,11 +10,11 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/sbin/sendmail.sendmail {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
@{PROC}/loadavg r,
|
||||
/etc/aliases rw,
|
||||
|
@@ -12,13 +12,13 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/sbin/spamd {
|
||||
#include <abstractions/authentication>
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/perl>
|
||||
include <abstractions/authentication>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/perl>
|
||||
|
||||
capability net_bind_service,
|
||||
capability setgid,
|
||||
|
@@ -11,13 +11,13 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/sbin/squid {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/kerberosclient>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/kerberosclient>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
|
@@ -16,15 +16,15 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/sbin/sshd {
|
||||
#include <abstractions/authentication>
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/libpam-systemd>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/wutmp>
|
||||
include <abstractions/authentication>
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/libpam-systemd>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/wutmp>
|
||||
|
||||
capability sys_chroot,
|
||||
capability sys_resource,
|
||||
@@ -101,9 +101,9 @@ abi <abi/3.0>,
|
||||
# to set memory protection for passwd
|
||||
@{PROC}/@{pid}/task/@{pid}/attr/exec w,
|
||||
profile passwd {
|
||||
#include <abstractions/authentication>
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/authentication>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
capability audit_write,
|
||||
capability chown,
|
||||
|
@@ -11,16 +11,16 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/sbin/useradd {
|
||||
#include <abstractions/authentication>
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/bash>
|
||||
#include <abstractions/perl>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/wutmp>
|
||||
include <abstractions/authentication>
|
||||
include <abstractions/base>
|
||||
include <abstractions/bash>
|
||||
include <abstractions/perl>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/wutmp>
|
||||
|
||||
capability audit_write,
|
||||
capability chown,
|
||||
@@ -62,9 +62,9 @@ abi <abi/3.0>,
|
||||
/var/spool/mail/* rw,
|
||||
|
||||
profile pam_tally2 {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
capability audit_write,
|
||||
|
||||
|
@@ -11,16 +11,16 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/sbin/userdel {
|
||||
#include <abstractions/authentication>
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/bash>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/perl>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/wutmp>
|
||||
include <abstractions/authentication>
|
||||
include <abstractions/base>
|
||||
include <abstractions/bash>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/perl>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/wutmp>
|
||||
|
||||
capability chown,
|
||||
capability dac_override,
|
||||
|
@@ -11,12 +11,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/sbin/vsftpd {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/authentication>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/authentication>
|
||||
|
||||
/dev/urandom r,
|
||||
/etc/environment r,
|
||||
|
@@ -10,11 +10,11 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/sbin/xinetd {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
capability net_bind_service,
|
||||
capability setgid,
|
||||
|