855 lines
23 KiB
Diff
855 lines
23 KiB
Diff
|
commit f53f820fe366940d4fdecaef80de4e5b1178fac6
|
||
|
|
Author: Miroslav Grepl <mgrepl@redhat.com>
|
||
|
|
Date: Thu Jun 7 01:38:59 2012 +0200
|
||
|
|
|
||
|
|
roleattribute patch
|
||
|
|
|
||
|
|
diff --git a/livecd.if b/livecd.if
|
||
|
|
index bfbf676..fb7869e 100644
|
||
|
|
--- a/livecd.if
|
||
|
|
+++ b/livecd.if
|
||
|
|
@@ -38,12 +38,19 @@ interface(`livecd_run',`
|
||
|
|
gen_require(`
|
||
|
|
type livecd_t;
|
||
|
|
type livecd_exec_t;
|
||
|
|
- attribute_role livecd_roles;
|
||
|
|
+ #attribute_role livecd_roles;
|
||
|
|
')
|
||
|
|
|
||
|
|
livecd_domtrans($1)
|
||
|
|
- roleattribute $2 livecd_roles;
|
||
|
|
+ #roleattribute $2 livecd_roles;
|
||
|
|
+ role $2 types livecd_t;
|
||
|
|
role_transition $2 livecd_exec_t system_r;
|
||
|
|
+
|
||
|
|
+ seutil_run_setfiles_mac(livecd_t, system_r)
|
||
|
|
+
|
||
|
|
+ optional_policy(`
|
||
|
|
+ mount_run(livecd_t, $2)
|
||
|
|
+ ')
|
||
|
|
')
|
||
|
|
|
||
|
|
########################################
|
||
|
|
diff --git a/livecd.te b/livecd.te
|
||
|
|
index 65efdae..7a944b5 100644
|
||
|
|
--- a/livecd.te
|
||
|
|
+++ b/livecd.te
|
||
|
|
@@ -5,13 +5,14 @@ policy_module(livecd, 1.2.0)
|
||
|
|
# Declarations
|
||
|
|
#
|
||
|
|
|
||
|
|
-attribute_role livecd_roles;
|
||
|
|
-roleattribute system_r livecd_roles;
|
||
|
|
+#attribute_role livecd_roles;
|
||
|
|
+#roleattribute system_r livecd_roles;
|
||
|
|
|
||
|
|
type livecd_t;
|
||
|
|
type livecd_exec_t;
|
||
|
|
application_domain(livecd_t, livecd_exec_t)
|
||
|
|
-role livecd_roles types livecd_t;
|
||
|
|
+role system_r types livecd_t;
|
||
|
|
+#role livecd_roles types livecd_t;
|
||
|
|
|
||
|
|
type livecd_tmp_t;
|
||
|
|
files_tmp_file(livecd_tmp_t)
|
||
|
|
@@ -35,10 +36,10 @@ term_filetrans_all_named_dev(livecd_t)
|
||
|
|
|
||
|
|
sysnet_filetrans_named_content(livecd_t)
|
||
|
|
|
||
|
|
-optional_policy(`
|
||
|
|
- mount_run(livecd_t, livecd_roles)
|
||
|
|
- seutil_run_setfiles_mac(livecd_t, livecd_roles)
|
||
|
|
-')
|
||
|
|
+#optional_policy(`
|
||
|
|
+# mount_run(livecd_t, livecd_roles)
|
||
|
|
+# seutil_run_setfiles_mac(livecd_t, livecd_roles)
|
||
|
|
+#')
|
||
|
|
|
||
|
|
optional_policy(`
|
||
|
|
ssh_filetrans_admin_home_content(livecd_t)
|
||
|
|
diff --git a/mozilla.if b/mozilla.if
|
||
|
|
index 30b0241..30bfefb 100644
|
||
|
|
--- a/mozilla.if
|
||
|
|
+++ b/mozilla.if
|
||
|
|
@@ -18,10 +18,11 @@
|
||
|
|
interface(`mozilla_role',`
|
||
|
|
gen_require(`
|
||
|
|
type mozilla_t, mozilla_exec_t, mozilla_home_t;
|
||
|
|
- attribute_role mozilla_roles;
|
||
|
|
+ #attribute_role mozilla_roles;
|
||
|
|
')
|
||
|
|
|
||
|
|
- roleattribute $1 mozilla_roles;
|
||
|
|
+ #roleattribute $1 mozilla_roles;
|
||
|
|
+ role $1 types mozilla_t;
|
||
|
|
|
||
|
|
domain_auto_trans($2, mozilla_exec_t, mozilla_t)
|
||
|
|
# Unrestricted inheritance from the caller.
|
||
|
|
@@ -47,6 +48,8 @@ interface(`mozilla_role',`
|
||
|
|
relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
|
||
|
|
relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
|
||
|
|
|
||
|
|
+ #should be remove then with adding of roleattribute
|
||
|
|
+ mozilla_run_plugin(mozilla_t, $1)
|
||
|
|
mozilla_dbus_chat($2)
|
||
|
|
|
||
|
|
userdom_manage_tmp_role($1, mozilla_t)
|
||
|
|
@@ -63,7 +66,6 @@ interface(`mozilla_role',`
|
||
|
|
|
||
|
|
mozilla_filetrans_home_content($2)
|
||
|
|
|
||
|
|
- mozilla_dbus_chat($2)
|
||
|
|
')
|
||
|
|
|
||
|
|
########################################
|
||
|
|
diff --git a/mozilla.te b/mozilla.te
|
||
|
|
index 7bf56bf..56700a4 100644
|
||
|
|
--- a/mozilla.te
|
||
|
|
+++ b/mozilla.te
|
||
|
|
@@ -19,14 +19,15 @@ gen_tunable(mozilla_read_content, false)
|
||
|
|
## </desc>
|
||
|
|
gen_tunable(mozilla_plugin_enable_homedirs, false)
|
||
|
|
|
||
|
|
-attribute_role mozilla_roles;
|
||
|
|
+#attribute_role mozilla_roles;
|
||
|
|
|
||
|
|
type mozilla_t;
|
||
|
|
type mozilla_exec_t;
|
||
|
|
typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
|
||
|
|
typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
|
||
|
|
userdom_user_application_domain(mozilla_t, mozilla_exec_t)
|
||
|
|
-role mozilla_roles types mozilla_t;
|
||
|
|
+#role mozilla_roles types mozilla_t;
|
||
|
|
+role system_r types mozilla_t;
|
||
|
|
|
||
|
|
type mozilla_conf_t;
|
||
|
|
files_config_file(mozilla_conf_t)
|
||
|
|
@@ -39,7 +40,8 @@ userdom_user_home_content(mozilla_home_t)
|
||
|
|
type mozilla_plugin_t;
|
||
|
|
type mozilla_plugin_exec_t;
|
||
|
|
application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
|
||
|
|
-role mozilla_roles types mozilla_plugin_t;
|
||
|
|
+#role mozilla_roles types mozilla_plugin_t;
|
||
|
|
+role system_r types mozilla_plugin_t;
|
||
|
|
|
||
|
|
type mozilla_plugin_tmp_t;
|
||
|
|
userdom_user_tmp_content(mozilla_plugin_tmp_t)
|
||
|
|
@@ -55,7 +57,8 @@ files_type(mozilla_plugin_rw_t)
|
||
|
|
type mozilla_plugin_config_t;
|
||
|
|
type mozilla_plugin_config_exec_t;
|
||
|
|
application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)
|
||
|
|
-role mozilla_roles types mozilla_plugin_config_t;
|
||
|
|
+#role mozilla_roles types mozilla_plugin_config_t;
|
||
|
|
+role system_r types mozilla_plugin_config_t;
|
||
|
|
|
||
|
|
type mozilla_tmp_t;
|
||
|
|
userdom_user_tmp_file(mozilla_tmp_t)
|
||
|
|
@@ -186,7 +189,7 @@ sysnet_dns_name_resolve(mozilla_t)
|
||
|
|
|
||
|
|
userdom_use_inherited_user_ptys(mozilla_t)
|
||
|
|
|
||
|
|
-mozilla_run_plugin(mozilla_t, mozilla_roles)
|
||
|
|
+#mozilla_run_plugin(mozilla_t, mozilla_roles)
|
||
|
|
|
||
|
|
xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
|
||
|
|
xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
|
||
|
|
@@ -298,7 +301,8 @@ optional_policy(`
|
||
|
|
')
|
||
|
|
|
||
|
|
optional_policy(`
|
||
|
|
- pulseaudio_role(mozilla_roles, mozilla_t)
|
||
|
|
+ #pulseaudio_role(mozilla_roles, mozilla_t)
|
||
|
|
+ pulseaudio_exec(mozilla_t)
|
||
|
|
pulseaudio_stream_connect(mozilla_t)
|
||
|
|
pulseaudio_manage_home_files(mozilla_t)
|
||
|
|
')
|
||
|
|
@@ -476,9 +480,9 @@ optional_policy(`
|
||
|
|
java_exec(mozilla_plugin_t)
|
||
|
|
')
|
||
|
|
|
||
|
|
-optional_policy(`
|
||
|
|
- lpd_run_lpr(mozilla_plugin_t, mozilla_roles)
|
||
|
|
-')
|
||
|
|
+#optional_policy(`
|
||
|
|
+# lpd_run_lpr(mozilla_plugin_t, mozilla_roles)
|
||
|
|
+#')
|
||
|
|
|
||
|
|
optional_policy(`
|
||
|
|
mplayer_exec(mozilla_plugin_t)
|
||
|
|
diff --git a/ncftool.if b/ncftool.if
|
||
|
|
index 1520b6c..3a4455f 100644
|
||
|
|
--- a/ncftool.if
|
||
|
|
+++ b/ncftool.if
|
||
|
|
@@ -36,10 +36,18 @@ interface(`ncftool_domtrans',`
|
||
|
|
#
|
||
|
|
interface(`ncftool_run',`
|
||
|
|
gen_require(`
|
||
|
|
- attribute_role ncftool_roles;
|
||
|
|
+ type ncftool_t;
|
||
|
|
+ #attribute_role ncftool_roles;
|
||
|
|
')
|
||
|
|
|
||
|
|
- ncftool_domtrans($1)
|
||
|
|
- roleattribute $2 ncftool_roles;
|
||
|
|
+ #ncftool_domtrans($1)
|
||
|
|
+ #roleattribute $2 ncftool_roles;
|
||
|
|
+
|
||
|
|
+ role $1 types ncftool_t;
|
||
|
|
+
|
||
|
|
+ ncftool_domtrans($2)
|
||
|
|
+
|
||
|
|
+ ps_process_pattern($2, ncftool_t)
|
||
|
|
+ allow $2 ncftool_t:process signal;
|
||
|
|
')
|
||
|
|
|
||
|
|
diff --git a/ncftool.te b/ncftool.te
|
||
|
|
index 91ab36d..8c48c33 100644
|
||
|
|
--- a/ncftool.te
|
||
|
|
+++ b/ncftool.te
|
||
|
|
@@ -5,15 +5,16 @@ policy_module(ncftool, 1.1.0)
|
||
|
|
# Declarations
|
||
|
|
#
|
||
|
|
|
||
|
|
-attribute_role ncftool_roles;
|
||
|
|
-roleattribute system_r ncftool_roles;
|
||
|
|
+#attribute_role ncftool_roles;
|
||
|
|
+#roleattribute system_r ncftool_roles;
|
||
|
|
|
||
|
|
type ncftool_t;
|
||
|
|
type ncftool_exec_t;
|
||
|
|
application_domain(ncftool_t, ncftool_exec_t)
|
||
|
|
domain_obj_id_change_exemption(ncftool_t)
|
||
|
|
domain_system_change_exemption(ncftool_t)
|
||
|
|
-role ncftool_roles types ncftool_t;
|
||
|
|
+#role ncftool_roles types ncftool_t;
|
||
|
|
+role system_r types ncftool_t;
|
||
|
|
|
||
|
|
########################################
|
||
|
|
#
|
||
|
|
@@ -53,8 +54,10 @@ term_use_all_inherited_terms(ncftool_t)
|
||
|
|
|
||
|
|
miscfiles_read_localization(ncftool_t)
|
||
|
|
sysnet_delete_dhcpc_pid(ncftool_t)
|
||
|
|
-sysnet_run_dhcpc(ncftool_t, ncftool_roles)
|
||
|
|
-sysnet_run_ifconfig(ncftool_t, ncftool_roles)
|
||
|
|
+sysnet_domtrans_dhcpc(ncftool_t)
|
||
|
|
+sysnet_domtrans_ifconfig(ncftool_t)
|
||
|
|
+#sysnet_run_dhcpc(ncftool_t, ncftool_roles)
|
||
|
|
+#sysnet_run_ifconfig(ncftool_t, ncftool_roles)
|
||
|
|
sysnet_etc_filetrans_config(ncftool_t)
|
||
|
|
sysnet_manage_config(ncftool_t)
|
||
|
|
sysnet_read_dhcpc_state(ncftool_t)
|
||
|
|
@@ -66,9 +69,9 @@ sysnet_signal_dhcpc(ncftool_t)
|
||
|
|
userdom_use_user_terminals(ncftool_t)
|
||
|
|
userdom_read_user_tmp_files(ncftool_t)
|
||
|
|
|
||
|
|
-optional_policy(`
|
||
|
|
- brctl_run(ncftool_t, ncftool_roles)
|
||
|
|
-')
|
||
|
|
+#optional_policy(`
|
||
|
|
+# brctl_run(ncftool_t, ncftool_roles)
|
||
|
|
+#')
|
||
|
|
|
||
|
|
optional_policy(`
|
||
|
|
consoletype_exec(ncftool_t)
|
||
|
|
@@ -85,9 +88,12 @@ optional_policy(`
|
||
|
|
|
||
|
|
optional_policy(`
|
||
|
|
modutils_read_module_config(ncftool_t)
|
||
|
|
- modutils_run_insmod(ncftool_t, ncftool_roles)
|
||
|
|
+ modutils_domtrans_insmod(ncftool_t)
|
||
|
|
+ #modutils_run_insmod(ncftool_t, ncftool_roles)
|
||
|
|
+
|
||
|
|
')
|
||
|
|
|
||
|
|
optional_policy(`
|
||
|
|
- netutils_run(ncftool_t, ncftool_roles)
|
||
|
|
+ netutils_domtrans(ncftool_t)
|
||
|
|
+ #netutils_run(ncftool_t, ncftool_roles)
|
||
|
|
')
|
||
|
|
diff --git a/ppp.if b/ppp.if
|
||
|
|
index c174b05..a4cad0b 100644
|
||
|
|
--- a/ppp.if
|
||
|
|
+++ b/ppp.if
|
||
|
|
@@ -175,11 +175,18 @@ interface(`ppp_run_cond',`
|
||
|
|
#
|
||
|
|
interface(`ppp_run',`
|
||
|
|
gen_require(`
|
||
|
|
- attribute_role pppd_roles;
|
||
|
|
+ #attribute_role pppd_roles;
|
||
|
|
+ type pppd_t;
|
||
|
|
')
|
||
|
|
|
||
|
|
- ppp_domtrans($1)
|
||
|
|
- roleattribute $2 pppd_roles;
|
||
|
|
+ #ppp_domtrans($1)
|
||
|
|
+ #roleattribute $2 pppd_roles;
|
||
|
|
+
|
||
|
|
+ role $2 types pppd_t;
|
||
|
|
+
|
||
|
|
+ tunable_policy(`pppd_for_user',`
|
||
|
|
+ ppp_domtrans($1)
|
||
|
|
+ ')
|
||
|
|
')
|
||
|
|
|
||
|
|
########################################
|
||
|
|
diff --git a/ppp.te b/ppp.te
|
||
|
|
index 17e10a2..92cec2b 100644
|
||
|
|
--- a/ppp.te
|
||
|
|
+++ b/ppp.te
|
||
|
|
@@ -19,14 +19,15 @@ gen_tunable(pppd_can_insmod, false)
|
||
|
|
## </desc>
|
||
|
|
gen_tunable(pppd_for_user, false)
|
||
|
|
|
||
|
|
-attribute_role pppd_roles;
|
||
|
|
+#attribute_role pppd_roles;
|
||
|
|
|
||
|
|
# pppd_t is the domain for the pppd program.
|
||
|
|
# pppd_exec_t is the type of the pppd executable.
|
||
|
|
type pppd_t;
|
||
|
|
type pppd_exec_t;
|
||
|
|
init_daemon_domain(pppd_t, pppd_exec_t)
|
||
|
|
-role pppd_roles types pppd_t;
|
||
|
|
+#role pppd_roles types pppd_t;
|
||
|
|
+role system_r types pppd_t;
|
||
|
|
|
||
|
|
type pppd_devpts_t;
|
||
|
|
term_pty(pppd_devpts_t)
|
||
|
|
@@ -64,7 +65,8 @@ files_pid_file(pppd_var_run_t)
|
||
|
|
type pptp_t;
|
||
|
|
type pptp_exec_t;
|
||
|
|
init_daemon_domain(pptp_t, pptp_exec_t)
|
||
|
|
-role pppd_roles types pptp_t;
|
||
|
|
+#role pppd_roles types pptp_t;
|
||
|
|
+role system_r types pptp_t;
|
||
|
|
|
||
|
|
type pptp_log_t;
|
||
|
|
logging_log_file(pptp_log_t)
|
||
|
|
@@ -176,7 +178,8 @@ init_dontaudit_write_utmp(pppd_t)
|
||
|
|
init_signal_script(pppd_t)
|
||
|
|
|
||
|
|
auth_use_nsswitch(pppd_t)
|
||
|
|
-auth_run_chk_passwd(pppd_t,pppd_roles)
|
||
|
|
+auth_domtrans_chk_passwd(pppd_t)
|
||
|
|
+#auth_run_chk_passwd(pppd_t,pppd_roles)
|
||
|
|
auth_write_login_records(pppd_t)
|
||
|
|
|
||
|
|
logging_send_syslog_msg(pppd_t)
|
||
|
|
@@ -196,7 +199,8 @@ userdom_search_admin_dir(pppd_t)
|
||
|
|
ppp_exec(pppd_t)
|
||
|
|
|
||
|
|
optional_policy(`
|
||
|
|
- ddclient_run(pppd_t, pppd_roles)
|
||
|
|
+ #ddclient_run(pppd_t, pppd_roles)
|
||
|
|
+ ddclient_domtrans(pppd_t)
|
||
|
|
')
|
||
|
|
|
||
|
|
optional_policy(`
|
||
|
|
diff --git a/usernetctl.if b/usernetctl.if
|
||
|
|
index d45c715..2d4f1ba 100644
|
||
|
|
--- a/usernetctl.if
|
||
|
|
+++ b/usernetctl.if
|
||
|
|
@@ -37,9 +37,26 @@ interface(`usernetctl_domtrans',`
|
||
|
|
#
|
||
|
|
interface(`usernetctl_run',`
|
||
|
|
gen_require(`
|
||
|
|
- attribute_role usernetctl_roles;
|
||
|
|
+ type usernetctl_t;
|
||
|
|
+ #attribute_role usernetctl_roles;
|
||
|
|
')
|
||
|
|
|
||
|
|
- usernetctl_domtrans($1)
|
||
|
|
- roleattribute $2 usernetctl_roles;
|
||
|
|
+ #usernetctl_domtrans($1)
|
||
|
|
+ #roleattribute $2 usernetctl_roles;
|
||
|
|
+
|
||
|
|
+ sysnet_run_ifconfig(usernetctl_t, $2)
|
||
|
|
+ sysnet_run_dhcpc(usernetctl_t, $2)
|
||
|
|
+
|
||
|
|
+ optional_policy(`
|
||
|
|
+ iptables_run(usernetctl_t, $2)
|
||
|
|
+ ')
|
||
|
|
+
|
||
|
|
+ optional_policy(`
|
||
|
|
+ modutils_run_insmod(usernetctl_t, $2)
|
||
|
|
+ ')
|
||
|
|
+
|
||
|
|
+ optional_policy(`
|
||
|
|
+ ppp_run(usernetctl_t, $2)
|
||
|
|
+ ')
|
||
|
|
+
|
||
|
|
')
|
||
|
|
diff --git a/usernetctl.te b/usernetctl.te
|
||
|
|
index 8604c1c..35b12a6 100644
|
||
|
|
--- a/usernetctl.te
|
||
|
|
+++ b/usernetctl.te
|
||
|
|
@@ -5,13 +5,14 @@ policy_module(usernetctl, 1.6.0)
|
||
|
|
# Declarations
|
||
|
|
#
|
||
|
|
|
||
|
|
-attribute_role usernetctl_roles;
|
||
|
|
+#attribute_role usernetctl_roles;
|
||
|
|
|
||
|
|
type usernetctl_t;
|
||
|
|
type usernetctl_exec_t;
|
||
|
|
application_domain(usernetctl_t, usernetctl_exec_t)
|
||
|
|
domain_interactive_fd(usernetctl_t)
|
||
|
|
-role usernetctl_roles types usernetctl_t;
|
||
|
|
+#role usernetctl_roles types usernetctl_t;
|
||
|
|
+role system_r types usernetctl_t;
|
||
|
|
|
||
|
|
########################################
|
||
|
|
#
|
||
|
|
@@ -63,29 +64,30 @@ sysnet_read_config(usernetctl_t)
|
||
|
|
|
||
|
|
userdom_use_inherited_user_terminals(usernetctl_t)
|
||
|
|
|
||
|
|
-sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
|
||
|
|
-sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
|
||
|
|
+#sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
|
||
|
|
+#sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
|
||
|
|
|
||
|
|
optional_policy(`
|
||
|
|
- consoletype_run(usernetctl_t, usernetctl_roles)
|
||
|
|
+ #consoletype_run(usernetctl_t, usernetctl_roles)
|
||
|
|
+ consoletype_exec(usernetctl_t)
|
||
|
|
')
|
||
|
|
|
||
|
|
optional_policy(`
|
||
|
|
hostname_exec(usernetctl_t)
|
||
|
|
')
|
||
|
|
|
||
|
|
-optional_policy(`
|
||
|
|
- iptables_run(usernetctl_t, usernetctl_roles)
|
||
|
|
-')
|
||
|
|
+#optional_policy(`
|
||
|
|
+# iptables_run(usernetctl_t, usernetctl_roles)
|
||
|
|
+#')
|
||
|
|
|
||
|
|
-optional_policy(`
|
||
|
|
- modutils_run_insmod(usernetctl_t, usernetctl_roles)
|
||
|
|
-')
|
||
|
|
+#optional_policy(`
|
||
|
|
+# modutils_run_insmod(usernetctl_t, usernetctl_roles)
|
||
|
|
+#')
|
||
|
|
|
||
|
|
optional_policy(`
|
||
|
|
nis_use_ypbind(usernetctl_t)
|
||
|
|
')
|
||
|
|
|
||
|
|
-optional_policy(`
|
||
|
|
- ppp_run(usernetctl_t, usernetctl_roles)
|
||
|
|
-')
|
||
|
|
+#optional_policy(`
|
||
|
|
+# ppp_run(usernetctl_t, usernetctl_roles)
|
||
|
|
+#')
|
||
|
|
diff --git a/vpn.if b/vpn.if
|
||
|
|
index 7b93e07..a4e2f60 100644
|
||
|
|
--- a/vpn.if
|
||
|
|
+++ b/vpn.if
|
||
|
|
@@ -37,11 +37,16 @@ interface(`vpn_domtrans',`
|
||
|
|
#
|
||
|
|
interface(`vpn_run',`
|
||
|
|
gen_require(`
|
||
|
|
- attribute_role vpnc_roles;
|
||
|
|
+ #attribute_role vpnc_roles;
|
||
|
|
+ type vpnc_t;
|
||
|
|
')
|
||
|
|
|
||
|
|
+ #vpn_domtrans($1)
|
||
|
|
+ #roleattribute $2 vpnc_roles;
|
||
|
|
+
|
||
|
|
vpn_domtrans($1)
|
||
|
|
- roleattribute $2 vpnc_roles;
|
||
|
|
+ role $2 types vpnc_t;
|
||
|
|
+ sysnet_run_ifconfig(vpnc_t, $2)
|
||
|
|
')
|
||
|
|
|
||
|
|
########################################
|
||
|
|
diff --git a/vpn.te b/vpn.te
|
||
|
|
index 99fd457..d2585bb 100644
|
||
|
|
--- a/vpn.te
|
||
|
|
+++ b/vpn.te
|
||
|
|
@@ -5,14 +5,15 @@ policy_module(vpn, 1.15.0)
|
||
|
|
# Declarations
|
||
|
|
#
|
||
|
|
|
||
|
|
-attribute_role vpnc_roles;
|
||
|
|
-roleattribute system_r vpnc_roles;
|
||
|
|
+#attribute_role vpnc_roles;
|
||
|
|
+#roleattribute system_r vpnc_roles;
|
||
|
|
|
||
|
|
type vpnc_t;
|
||
|
|
type vpnc_exec_t;
|
||
|
|
init_system_domain(vpnc_t, vpnc_exec_t)
|
||
|
|
application_domain(vpnc_t, vpnc_exec_t)
|
||
|
|
-role vpnc_roles types vpnc_t;
|
||
|
|
+#role vpnc_roles types vpnc_t;
|
||
|
|
+role system_r types vpnc_t;
|
||
|
|
|
||
|
|
type vpnc_tmp_t;
|
||
|
|
files_tmp_file(vpnc_tmp_t)
|
||
|
|
@@ -108,7 +109,7 @@ miscfiles_read_localization(vpnc_t)
|
||
|
|
seutil_dontaudit_search_config(vpnc_t)
|
||
|
|
seutil_use_newrole_fds(vpnc_t)
|
||
|
|
|
||
|
|
-sysnet_run_ifconfig(vpnc_t, vpnc_roles)
|
||
|
|
+#sysnet_run_ifconfig(vpnc_t, vpnc_roles)
|
||
|
|
sysnet_etc_filetrans_config(vpnc_t)
|
||
|
|
sysnet_manage_config(vpnc_t)
|
||
|
|
|
||
|
|
commit 88b64bdd71ef734271b9370fc37e02785f354f7f
|
||
|
|
Author: Miroslav Grepl <mgrepl@redhat.com>
|
||
|
|
Date: Thu Jun 7 02:33:40 2012 +0200
|
||
|
|
|
||
|
|
Fix ncftool.if
|
||
|
|
|
||
|
|
diff --git a/ncftool.if b/ncftool.if
|
||
|
|
index 3a4455f..59f096b 100644
|
||
|
|
--- a/ncftool.if
|
||
|
|
+++ b/ncftool.if
|
||
|
|
@@ -43,11 +43,12 @@ interface(`ncftool_run',`
|
||
|
|
#ncftool_domtrans($1)
|
||
|
|
#roleattribute $2 ncftool_roles;
|
||
|
|
|
||
|
|
- role $1 types ncftool_t;
|
||
|
|
+ ncftool_domtrans($1)
|
||
|
|
+ role $2 types ncftool_t;
|
||
|
|
|
||
|
|
- ncftool_domtrans($2)
|
||
|
|
+ optional_policy(`
|
||
|
|
+ brctl_run(ncftool_t, $2)
|
||
|
|
+ ')
|
||
|
|
|
||
|
|
- ps_process_pattern($2, ncftool_t)
|
||
|
|
- allow $2 ncftool_t:process signal;
|
||
|
|
')
|
||
|
|
|
||
|
|
commit 1d49e7e1383a578e75d16b0b7f58dbe25351b1d9
|
||
|
|
Author: Miroslav Grepl <mgrepl@redhat.com>
|
||
|
|
Date: Thu Jun 7 10:47:57 2012 +0200
|
||
|
|
|
||
|
|
roleattriburte temp fixes for portage and dpkg
|
||
|
|
|
||
|
|
diff --git a/dpkg.if b/dpkg.if
|
||
|
|
index 4d32b42..d945bd0 100644
|
||
|
|
--- a/dpkg.if
|
||
|
|
+++ b/dpkg.if
|
||
|
|
@@ -62,11 +62,18 @@ interface(`dpkg_domtrans_script',`
|
||
|
|
#
|
||
|
|
interface(`dpkg_run',`
|
||
|
|
gen_require(`
|
||
|
|
- attribute_role dpkg_roles;
|
||
|
|
+ #attribute_role dpkg_roles;
|
||
|
|
+ type dpkg_t, dpkg_script_t
|
||
|
|
')
|
||
|
|
|
||
|
|
+ #dpkg_domtrans($1)
|
||
|
|
+ #roleattribute $2 dpkg_roles;
|
||
|
|
+
|
||
|
|
dpkg_domtrans($1)
|
||
|
|
- roleattribute $2 dpkg_roles;
|
||
|
|
+ role $2 types dpkg_t;
|
||
|
|
+ role $2 types dpkg_script_t;
|
||
|
|
+ seutil_run_loadpolicy(dpkg_script_t, $2)
|
||
|
|
+
|
||
|
|
')
|
||
|
|
|
||
|
|
########################################
|
||
|
|
diff --git a/dpkg.te b/dpkg.te
|
||
|
|
index a1b8f92..9ac1b80 100644
|
||
|
|
--- a/dpkg.te
|
||
|
|
+++ b/dpkg.te
|
||
|
|
@@ -5,8 +5,8 @@ policy_module(dpkg, 1.9.1)
|
||
|
|
# Declarations
|
||
|
|
#
|
||
|
|
|
||
|
|
-attribute_role dpkg_roles;
|
||
|
|
-roleattribute system_r dpkg_roles;
|
||
|
|
+#attribute_role dpkg_roles;
|
||
|
|
+#roleattribute system_r dpkg_roles;
|
||
|
|
|
||
|
|
type dpkg_t;
|
||
|
|
type dpkg_exec_t;
|
||
|
|
@@ -17,7 +17,8 @@ domain_obj_id_change_exemption(dpkg_t)
|
||
|
|
domain_role_change_exemption(dpkg_t)
|
||
|
|
domain_system_change_exemption(dpkg_t)
|
||
|
|
domain_interactive_fd(dpkg_t)
|
||
|
|
-role dpkg_roles types dpkg_t;
|
||
|
|
+#role dpkg_roles types dpkg_t;
|
||
|
|
+role system_r types dpkg_t;
|
||
|
|
|
||
|
|
# lockfile
|
||
|
|
type dpkg_lock_t;
|
||
|
|
@@ -41,7 +42,8 @@ corecmd_shell_entry_type(dpkg_script_t)
|
||
|
|
domain_obj_id_change_exemption(dpkg_script_t)
|
||
|
|
domain_system_change_exemption(dpkg_script_t)
|
||
|
|
domain_interactive_fd(dpkg_script_t)
|
||
|
|
-role dpkg_roles types dpkg_script_t;
|
||
|
|
+#role dpkg_roles types dpkg_script_t;
|
||
|
|
+role system_r types dpkg_script_t;
|
||
|
|
|
||
|
|
type dpkg_script_tmp_t;
|
||
|
|
files_tmp_file(dpkg_script_tmp_t)
|
||
|
|
@@ -152,9 +154,12 @@ files_exec_etc_files(dpkg_t)
|
||
|
|
init_domtrans_script(dpkg_t)
|
||
|
|
init_use_script_ptys(dpkg_t)
|
||
|
|
|
||
|
|
+#libs_exec_ld_so(dpkg_t)
|
||
|
|
+#libs_exec_lib_files(dpkg_t)
|
||
|
|
+#libs_run_ldconfig(dpkg_t, dpkg_roles)
|
||
|
|
libs_exec_ld_so(dpkg_t)
|
||
|
|
libs_exec_lib_files(dpkg_t)
|
||
|
|
-libs_run_ldconfig(dpkg_t, dpkg_roles)
|
||
|
|
+libs_domtrans_ldconfig(dpkg_t)
|
||
|
|
|
||
|
|
logging_send_syslog_msg(dpkg_t)
|
||
|
|
|
||
|
|
@@ -196,19 +201,30 @@ domain_signull_all_domains(dpkg_t)
|
||
|
|
files_read_etc_runtime_files(dpkg_t)
|
||
|
|
files_exec_usr_files(dpkg_t)
|
||
|
|
miscfiles_read_localization(dpkg_t)
|
||
|
|
-modutils_run_depmod(dpkg_t, dpkg_roles)
|
||
|
|
-modutils_run_insmod(dpkg_t, dpkg_roles)
|
||
|
|
-seutil_run_loadpolicy(dpkg_t, dpkg_roles)
|
||
|
|
-seutil_run_setfiles(dpkg_t, dpkg_roles)
|
||
|
|
+#modutils_run_depmod(dpkg_t, dpkg_roles)
|
||
|
|
+#modutils_run_insmod(dpkg_t, dpkg_roles)
|
||
|
|
+#seutil_run_loadpolicy(dpkg_t, dpkg_roles)
|
||
|
|
+#seutil_run_setfiles(dpkg_t, dpkg_roles)
|
||
|
|
userdom_use_all_users_fds(dpkg_t)
|
||
|
|
optional_policy(`
|
||
|
|
mta_send_mail(dpkg_t)
|
||
|
|
')
|
||
|
|
+
|
||
|
|
+
|
||
|
|
optional_policy(`
|
||
|
|
- usermanage_run_groupadd(dpkg_t, dpkg_roles)
|
||
|
|
- usermanage_run_useradd(dpkg_t, dpkg_roles)
|
||
|
|
+ modutils_domtrans_depmod(dpkg_t)
|
||
|
|
+ modutils_domtrans_insmod(dpkg_t)
|
||
|
|
+ seutil_domtrans_loadpolicy(dpkg_t)
|
||
|
|
+ seutil_domtrans_setfiles(dpkg_t)
|
||
|
|
+ usermanage_domtrans_groupadd(dpkg_t)
|
||
|
|
+ usermanage_domtrans_useradd(dpkg_t)
|
||
|
|
')
|
||
|
|
|
||
|
|
+#optional_policy(`
|
||
|
|
+# usermanage_run_groupadd(dpkg_t, dpkg_roles)
|
||
|
|
+# usermanage_run_useradd(dpkg_t, dpkg_roles)
|
||
|
|
+#')
|
||
|
|
+
|
||
|
|
########################################
|
||
|
|
#
|
||
|
|
# dpkg-script Local policy
|
||
|
|
@@ -302,11 +318,11 @@ logging_send_syslog_msg(dpkg_script_t)
|
||
|
|
|
||
|
|
miscfiles_read_localization(dpkg_script_t)
|
||
|
|
|
||
|
|
-modutils_run_depmod(dpkg_script_t, dpkg_roles)
|
||
|
|
-modutils_run_insmod(dpkg_script_t, dpkg_roles)
|
||
|
|
+#modutils_run_depmod(dpkg_script_t, dpkg_roles)
|
||
|
|
+#modutils_run_insmod(dpkg_script_t, dpkg_roles)
|
||
|
|
|
||
|
|
-seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
|
||
|
|
-seutil_run_setfiles(dpkg_script_t, dpkg_roles)
|
||
|
|
+#seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
|
||
|
|
+#seutil_run_setfiles(dpkg_script_t, dpkg_roles)
|
||
|
|
|
||
|
|
userdom_use_all_users_fds(dpkg_script_t)
|
||
|
|
|
||
|
|
@@ -319,9 +335,9 @@ optional_policy(`
|
||
|
|
apt_use_fds(dpkg_script_t)
|
||
|
|
')
|
||
|
|
|
||
|
|
-optional_policy(`
|
||
|
|
- bootloader_run(dpkg_script_t, dpkg_roles)
|
||
|
|
-')
|
||
|
|
+#optional_policy(`
|
||
|
|
+# bootloader_run(dpkg_script_t, dpkg_roles)
|
||
|
|
+#')
|
||
|
|
|
||
|
|
optional_policy(`
|
||
|
|
mta_send_mail(dpkg_script_t)
|
||
|
|
@@ -335,7 +351,7 @@ optional_policy(`
|
||
|
|
unconfined_domain(dpkg_script_t)
|
||
|
|
')
|
||
|
|
|
||
|
|
-optional_policy(`
|
||
|
|
- usermanage_run_groupadd(dpkg_script_t, dpkg_roles)
|
||
|
|
- usermanage_run_useradd(dpkg_script_t, dpkg_roles)
|
||
|
|
-')
|
||
|
|
+#optional_policy(`
|
||
|
|
+# usermanage_run_groupadd(dpkg_script_t, dpkg_roles)
|
||
|
|
+# usermanage_run_useradd(dpkg_script_t, dpkg_roles)
|
||
|
|
+#')
|
||
|
|
diff --git a/portage.if b/portage.if
|
||
|
|
index b4bb48a..e5e8f12 100644
|
||
|
|
--- a/portage.if
|
||
|
|
+++ b/portage.if
|
||
|
|
@@ -43,11 +43,15 @@ interface(`portage_domtrans',`
|
||
|
|
#
|
||
|
|
interface(`portage_run',`
|
||
|
|
gen_require(`
|
||
|
|
- attribute_role portage_roles;
|
||
|
|
+ type portage_t, portage_fetch_t, portage_sandbox_t;
|
||
|
|
+ #attribute_role portage_roles;
|
||
|
|
')
|
||
|
|
|
||
|
|
- portage_domtrans($1)
|
||
|
|
- roleattribute $2 portage_roles;
|
||
|
|
+ #portage_domtrans($1)
|
||
|
|
+ #roleattribute $2 portage_roles;
|
||
|
|
+ portage_domtrans($1)
|
||
|
|
+ role $2 types { portage_t portage_fetch_t portage_sandbox_t }
|
||
|
|
+
|
||
|
|
')
|
||
|
|
|
||
|
|
########################################
|
||
|
|
diff --git a/portage.te b/portage.te
|
||
|
|
index 22bdf7d..f726e1d 100644
|
||
|
|
--- a/portage.te
|
||
|
|
+++ b/portage.te
|
||
|
|
@@ -12,7 +12,7 @@ policy_module(portage, 1.12.4)
|
||
|
|
## </desc>
|
||
|
|
gen_tunable(portage_use_nfs, false)
|
||
|
|
|
||
|
|
-attribute_role portage_roles;
|
||
|
|
+#attribute_role portage_roles;
|
||
|
|
|
||
|
|
type gcc_config_t;
|
||
|
|
type gcc_config_exec_t;
|
||
|
|
@@ -25,7 +25,8 @@ application_domain(portage_t, portage_exec_t)
|
||
|
|
domain_obj_id_change_exemption(portage_t)
|
||
|
|
rsync_entry_type(portage_t)
|
||
|
|
corecmd_shell_entry_type(portage_t)
|
||
|
|
-role portage_roles types portage_t;
|
||
|
|
+#role portage_roles types portage_t;
|
||
|
|
+role system_r types portage_t;
|
||
|
|
|
||
|
|
# portage compile sandbox domain
|
||
|
|
type portage_sandbox_t;
|
||
|
|
@@ -33,7 +34,8 @@ application_domain(portage_sandbox_t, portage_exec_t)
|
||
|
|
# the shell is the entrypoint if regular sandbox is disabled
|
||
|
|
# portage_exec_t is the entrypoint if regular sandbox is enabled
|
||
|
|
corecmd_shell_entry_type(portage_sandbox_t)
|
||
|
|
-role portage_roles types portage_sandbox_t;
|
||
|
|
+#role portage_roles types portage_sandbox_t;
|
||
|
|
+role system_r types portage_sandbox_t;
|
||
|
|
|
||
|
|
# portage package fetching domain
|
||
|
|
type portage_fetch_t;
|
||
|
|
@@ -41,7 +43,8 @@ type portage_fetch_exec_t;
|
||
|
|
application_domain(portage_fetch_t, portage_fetch_exec_t)
|
||
|
|
corecmd_shell_entry_type(portage_fetch_t)
|
||
|
|
rsync_entry_type(portage_fetch_t)
|
||
|
|
-role portage_roles types portage_fetch_t;
|
||
|
|
+#role portage_roles types portage_fetch_t;
|
||
|
|
+role system_r types portage_fetch_t;
|
||
|
|
|
||
|
|
type portage_devpts_t;
|
||
|
|
term_pty(portage_devpts_t)
|
||
|
|
@@ -115,7 +118,8 @@ files_list_all(gcc_config_t)
|
||
|
|
init_dontaudit_read_script_status_files(gcc_config_t)
|
||
|
|
|
||
|
|
libs_read_lib_files(gcc_config_t)
|
||
|
|
-libs_run_ldconfig(gcc_config_t, portage_roles)
|
||
|
|
+#libs_run_ldconfig(gcc_config_t, portage_roles)
|
||
|
|
+libs_domtrans_ldconfig(gcc_config_t)
|
||
|
|
libs_manage_shared_libs(gcc_config_t)
|
||
|
|
# gcc-config creates a temp dir for the libs
|
||
|
|
libs_manage_lib_dirs(gcc_config_t)
|
||
|
|
@@ -196,33 +200,41 @@ auth_manage_shadow(portage_t)
|
||
|
|
init_exec(portage_t)
|
||
|
|
|
||
|
|
# run setfiles -r
|
||
|
|
-seutil_run_setfiles(portage_t, portage_roles)
|
||
|
|
+#seutil_run_setfiles(portage_t, portage_roles)
|
||
|
|
# run semodule
|
||
|
|
-seutil_run_semanage(portage_t, portage_roles)
|
||
|
|
+#seutil_run_semanage(portage_t, portage_roles)
|
||
|
|
|
||
|
|
-portage_run_gcc_config(portage_t, portage_roles)
|
||
|
|
+#portage_run_gcc_config(portage_t, portage_roles)
|
||
|
|
# if sesandbox is disabled, compiling is performed in this domain
|
||
|
|
portage_compile_domain(portage_t)
|
||
|
|
|
||
|
|
-optional_policy(`
|
||
|
|
- bootloader_run(portage_t, portage_roles)
|
||
|
|
-')
|
||
|
|
+#optional_policy(`
|
||
|
|
+# bootloader_run(portage_t, portage_roles)
|
||
|
|
+#')
|
||
|
|
|
||
|
|
optional_policy(`
|
||
|
|
cron_system_entry(portage_t, portage_exec_t)
|
||
|
|
cron_system_entry(portage_fetch_t, portage_fetch_exec_t)
|
||
|
|
')
|
||
|
|
|
||
|
|
-optional_policy(`
|
||
|
|
- modutils_run_depmod(portage_t, portage_roles)
|
||
|
|
- modutils_run_update_mods(portage_t, portage_roles)
|
||
|
|
+#optional_policy(`
|
||
|
|
+# modutils_run_depmod(portage_t, portage_roles)
|
||
|
|
+# modutils_run_update_mods(portage_t, portage_roles)
|
||
|
|
#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
|
||
|
|
')
|
||
|
|
|
||
|
|
-optional_policy(`
|
||
|
|
- usermanage_run_groupadd(portage_t, portage_roles)
|
||
|
|
- usermanage_run_useradd(portage_t, portage_roles)
|
||
|
|
-')
|
||
|
|
+#optional_policy(`
|
||
|
|
+# usermanage_run_groupadd(portage_t, portage_roles)
|
||
|
|
+# usermanage_run_useradd(portage_t, portage_roles)
|
||
|
|
+#')
|
||
|
|
+
|
||
|
|
+seutil_domtrans_setfiles(portage_t)
|
||
|
|
+seutil_domtrans_semanage(portage_t)
|
||
|
|
+bootloader_domtrans(portage_t)
|
||
|
|
+modutils_domtrans_depmod(portage_t)
|
||
|
|
+modutils_domtrans_update_mods(portage_t)
|
||
|
|
+usermanage_domtrans_groupadd(portage_t)
|
||
|
|
+usermanage_domtrans_useradd(portage_t)
|
||
|
|
|
||
|
|
ifdef(`TODO',`
|
||
|
|
# seems to work ok without these
|
||
|
|
commit 1797b35f16d5c863a0083148dee4ee3f93c4c4ef
|
||
|
|
Author: Miroslav Grepl <mgrepl@redhat.com>
|
||
|
|
Date: Thu Jun 7 10:52:09 2012 +0200
|
||
|
|
|
||
|
|
Fix typo
|
||
|
|
|
||
|
|
diff --git a/portage.if b/portage.if
|
||
|
|
index e5e8f12..7098ded 100644
|
||
|
|
--- a/portage.if
|
||
|
|
+++ b/portage.if
|
||
|
|
@@ -50,7 +50,7 @@ interface(`portage_run',`
|
||
|
|
#portage_domtrans($1)
|
||
|
|
#roleattribute $2 portage_roles;
|
||
|
|
portage_domtrans($1)
|
||
|
|
- role $2 types { portage_t portage_fetch_t portage_sandbox_t }
|
||
|
|
+ role $2 types { portage_t portage_fetch_t portage_sandbox_t };
|
||
|
|
|
||
|
|
')
|
||
|
|
|
||
|
|
commit cf999ca29d2a4401c481e28c169e10d676d73526
|
||
|
|
Author: Miroslav Grepl <mgrepl@redhat.com>
|
||
|
|
Date: Thu Jun 7 10:59:22 2012 +0200
|
||
|
|
|
||
|
|
One more typo
|
||
|
|
|
||
|
|
diff --git a/dpkg.if b/dpkg.if
|
||
|
|
index d945bd0..78736d8 100644
|
||
|
|
--- a/dpkg.if
|
||
|
|
+++ b/dpkg.if
|
||
|
|
@@ -63,7 +63,7 @@ interface(`dpkg_domtrans_script',`
|
||
|
|
interface(`dpkg_run',`
|
||
|
|
gen_require(`
|
||
|
|
#attribute_role dpkg_roles;
|
||
|
|
- type dpkg_t, dpkg_script_t
|
||
|
|
+ type dpkg_t, dpkg_script_t;
|
||
|
|
')
|
||
|
|
|
||
|
|
#dpkg_domtrans($1)
|