diff --git a/distros/redhat/local_zoneminder.te b/distros/redhat/local_zoneminder.te
index d164af1c5..4a060ffc3 100644
--- a/distros/redhat/local_zoneminder.te
+++ b/distros/redhat/local_zoneminder.te
@@ -1,7 +1,33 @@
-module local_zoneminder 1.0;
+module local_zoneminder 1.1;
 require {
+ type afs_ka_port_t;
+ type netsupport_port_t;
+ type port_t;
+ type presence_port_t;
+ type postfix_pickup_t;
+ type httpd_t;
+ type var_lib_t;
+ type ionixnetmon_port_t;
+ type glance_port_t;
+ type mmcc_port_t;
+ type postfix_master_t;
+ type commplex_port_t;
+ type syslogd_port_t;
+ type dcc_port_t;
+ type sip_port_t;
+ type amqp_port_t;
+ type condor_port_t;
+ type afs_fs_port_t;
+ type nodejs_debug_port_t;
+ type httpd_var_lib_t;
+ type websm_port_t;
+ type afs_pt_port_t;
+ type postfix_qmgr_t;
+ type git_port_t;
+ type ipp_port_t;
+ type aol_port_t;
  type unconfined_t;
  type kernel_t;
  type init_t;
@@ -24,10 +50,11 @@ require {
  type dhcpc_t;
  type v4l_device_t;
  type file_t;
- class sock_file write;
+ class sock_file { write create unlink };
  class unix_stream_socket { read connectto };
- class lnk_file { write getattr read lock unlink };
+ class lnk_file { write create getattr read lock unlink };
  class dir search;
+ class udp_socket name_bind;
  class file { write getattr read lock unlink open };
  class shm { unix_read unix_write associate read write getattr };
  class chr_file getattr;
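Review bot: The require block in the first hunk now declares `syslogd_port_t`, `sip_port_t` and `websm_port_t`, yet no rule added by this patch references them. A required type that the installed base policy does not define makes the whole module fail to load, so every unused `type` line is an avoidable install risk on releases with a different set of port types. `type httpd_t;` and `type var_lib_t;` are added as well although rules that already exist use both, so they look like duplicates of declarations elsewhere in the block, which continues outside this hunk; worth confirming with `checkmodule`. The second hunk likewise widens `class sock_file` to `{ write create unlink }` without any new sock_file rule in the patch.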
@@ -70,3 +97,27 @@ allow httpd_t unconfined_t:dir search;
 allow httpd_t unconfined_t:file { read getattr open };
 allow httpd_t var_lib_t:lnk_file { write getattr read lock unlink };
 allow httpd_t v4l_device_t:chr_file getattr;
+allow httpd_t afs_fs_port_t:udp_socket name_bind;
+allow httpd_t afs_ka_port_t:udp_socket name_bind;
+allow httpd_t afs_pt_port_t:udp_socket name_bind;
+allow httpd_t amqp_port_t:udp_socket name_bind;
+allow httpd_t aol_port_t:udp_socket name_bind;
+allow httpd_t commplex_port_t:udp_socket name_bind;
+allow httpd_t condor_port_t:udp_socket name_bind;
+allow httpd_t dcc_port_t:udp_socket name_bind;
+allow httpd_t git_port_t:udp_socket name_bind;
+allow httpd_t glance_port_t:udp_socket name_bind;
+allow httpd_t httpd_var_lib_t:lnk_file create;
+allow httpd_t ionixnetmon_port_t:udp_socket name_bind;
+allow httpd_t ipp_port_t:udp_socket name_bind;
+allow httpd_t mmcc_port_t:udp_socket name_bind;
+allow httpd_t netsupport_port_t:udp_socket name_bind;
+allow httpd_t nodejs_debug_port_t:udp_socket name_bind;
+allow httpd_t port_t:udp_socket name_bind;
+allow httpd_t postfix_master_t:dir search;
+allow httpd_t postfix_master_t:file { read getattr open };
+allow httpd_t postfix_pickup_t:dir search;
+allow httpd_t postfix_pickup_t:file { read getattr open };
+allow httpd_t postfix_qmgr_t:dir search;
+allow httpd_t postfix_qmgr_t:file { read getattr open };
+allow httpd_t presence_port_t:udp_socket name_bind;
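Review bot: `allow httpd_t port_t:udp_socket name_bind;` lets every process in httpd_t bind any UDP port that carries no specific label. The sixteen per-service rules around it (afs_*, amqp, git, ipp, nodejs_debug and so on) read like audit2allow captures of random ephemeral binds rather than ports ZoneMinder is meant to own. Because the grant applies to the whole web server domain and not only to ZoneMinder, it deserves at least a comment such as `# zm binds ephemeral UDP source ports for camera streams; TODO narrow to a labelled range`. If the source ports can be pinned to a fixed range, labelling that range with `semanage port` and allowing only that one type would be much tighter. The postfix_*_t `dir search` and `file { read getattr open }` rules presumably come from a /proc scan; if ZoneMinder does not need those entries, `dontaudit httpd_t postfix_master_t:dir search;` (and the same for the other five) silences the denials without granting the read.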