- Allow iptables to talk to terminals
This commit is contained in:
parent
6d74d83dae
commit
01ce3df8a6
@ -19813,7 +19813,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.1/policy/modules/services/ssh.te
|
||||
--- nsaserefpolicy/policy/modules/services/ssh.te 2008-11-11 16:13:46.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/services/ssh.te 2008-11-25 09:45:43.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/services/ssh.te 2008-12-04 13:46:29.000000000 -0500
|
||||
@@ -75,7 +75,7 @@
|
||||
ubac_constrained(ssh_tmpfs_t)
|
||||
|
||||
@ -19823,7 +19823,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
typealias home_ssh_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
|
||||
files_type(home_ssh_t)
|
||||
userdom_user_home_content(home_ssh_t)
|
||||
@@ -318,6 +318,9 @@
|
||||
@@ -115,6 +115,7 @@
|
||||
manage_dirs_pattern(ssh_t,home_ssh_t,home_ssh_t)
|
||||
manage_sock_files_pattern(ssh_t,home_ssh_t,home_ssh_t)
|
||||
userdom_user_home_dir_filetrans(ssh_t, home_ssh_t, { dir sock_file })
|
||||
+userdom_stream_connect(ssh_t)
|
||||
|
||||
# Allow the ssh program to communicate with ssh-agent.
|
||||
stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
|
||||
@@ -318,6 +319,9 @@
|
||||
corenet_tcp_bind_xserver_port(sshd_t)
|
||||
corenet_sendrecv_xserver_server_packets(sshd_t)
|
||||
|
||||
@ -19833,7 +19841,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
tunable_policy(`ssh_sysadm_login',`
|
||||
# Relabel and access ptys created by sshd
|
||||
# ioctl is necessary for logout() processing for utmp entry and for w to
|
||||
@@ -331,6 +334,14 @@
|
||||
@@ -331,6 +335,14 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -19848,7 +19856,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
daemontools_service_domain(sshd_t, sshd_exec_t)
|
||||
')
|
||||
|
||||
@@ -349,7 +360,11 @@
|
||||
@@ -349,7 +361,11 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -19861,7 +19869,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
unconfined_shell_domtrans(sshd_t)
|
||||
')
|
||||
|
||||
@@ -408,6 +423,8 @@
|
||||
@@ -408,6 +424,8 @@
|
||||
init_use_fds(ssh_keygen_t)
|
||||
init_use_script_ptys(ssh_keygen_t)
|
||||
|
||||
@ -27124,7 +27132,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.1/policy/modules/system/xen.te
|
||||
--- nsaserefpolicy/policy/modules/system/xen.te 2008-11-25 09:01:08.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/system/xen.te 2008-11-25 10:59:58.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/system/xen.te 2008-12-04 13:40:20.000000000 -0500
|
||||
@@ -1,11 +1,18 @@
|
||||
|
||||
-policy_module(xen, 1.7.2)
|
||||
@ -27312,7 +27320,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
corenet_tcp_sendrecv_generic_if(xm_t)
|
||||
corenet_tcp_sendrecv_all_nodes(xm_t)
|
||||
@@ -339,15 +373,37 @@
|
||||
@@ -339,15 +373,38 @@
|
||||
|
||||
storage_raw_read_fixed_disk(xm_t)
|
||||
|
||||
@ -27335,6 +27343,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
+optional_policy(`
|
||||
+ virt_manage_images(xm_t)
|
||||
+ virt_stream_connect(xm_t)
|
||||
+')
|
||||
+
|
||||
+#Should have a boolean wrapping these
|
||||
|
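Review bot: The `+userdom_stream_connect(ssh_t)` line in the new `@@ -115,6 +115,7 @@` hunk of ssh.te lets the ssh client domain connect to stream sockets of every user domain, yet it carries no comment saying which socket it needs, unlike the ssh-agent rule just below it that is introduced by `# Allow the ssh program to communicate with ssh-agent.`. That this line is newly added is inferred from the hunk counts (6 old, 7 new) rather than from a marker, because the outer diff's +/- column was lost in rendering. Add a one-line why-comment above it in the same style, e.g. `# Allow ssh to connect to user domain stream sockets (needed for: <fill in>)`, or narrow the grant to the specific socket type if one suffices. The commit title "Allow iptables to talk to terminals" describes neither this ssh change nor the `virt_manage_images(xm_t)`/`virt_stream_connect(xm_t)` rules added to xen.te further down, so the commit message should list them as well.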
@ -20,7 +20,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.6.1
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -87,8 +87,8 @@ SELinux policy documentation package
|
||||
/usr/bin/sepolgen-ifgen -i %{buildroot}%{_usr}/share/selinux/devel/include -o /dev/null
|
||||
|
||||
%define setupCmds() \
|
||||
make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 bare \
|
||||
make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 conf \
|
||||
make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 bare \
|
||||
make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 conf \
|
||||
cp -f $RPM_SOURCE_DIR/modules-%1.conf ./policy/modules.conf \
|
||||
cp -f $RPM_SOURCE_DIR/booleans-%1.conf ./policy/booleans.conf \
|
||||
|
||||
@ -96,10 +96,10 @@ cp -f $RPM_SOURCE_DIR/booleans-%1.conf ./policy/booleans.conf \
|
||||
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp.bz2 ", $1 }' %{_sourcedir}/modules-%{1}.conf )
|
||||
|
||||
%define installCmds() \
|
||||
make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 base.pp \
|
||||
make validate UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 modules \
|
||||
make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 install \
|
||||
make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 install-appconfig \
|
||||
make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 base.pp \
|
||||
make validate UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 modules \
|
||||
make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 install \
|
||||
make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 install-appconfig \
|
||||
#%{__cp} *.pp %{buildroot}/%{_usr}/share/selinux/%1/ \
|
||||
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/policy \
|
||||
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active \
|
||||
@ -234,7 +234,7 @@ make clean
|
||||
%installCmds olpc mcs n y allow
|
||||
%endif
|
||||
|
||||
make UNK_PERMS=allow NAME=targeted TYPE=targeted-mcs DISTRO=%{distro} DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs
|
||||
make UNK_PERMS=allow NAME=targeted TYPE=targeted-mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs
|
||||
mkdir %{buildroot}%{_usr}/share/selinux/devel/
|
||||
mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
|
||||
install -m 755 $RPM_SOURCE_DIR/policygentool %{buildroot}%{_usr}/share/selinux/devel/
|
||||
@ -446,6 +446,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Dec 4 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-5
|
||||
- Allow iptables to talk to terminals
|
||||
|
||||
* Wed Dec 3 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-4
|
||||
- Cleanup policy
|
||||
|
||||
|
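Review bot: The setupCmds and installCmds macros and the targeted install-headers line now pass `UBAC=n` to make, which drops the user-based access control constraints from the built policy, but the 3.6.1-5 changelog entry records only "Allow iptables to talk to terminals". A change to the policy's constraint set should be visible to packagers and auditors, so add a line under the 3.6.1-5 entry such as `- Build policy with UBAC=n (disable user-based access control constraints)`. That the `UBAC=n` lines are additions is inferred from their pairing with the otherwise identical lines printed above them and from the Release 4 to 5 ordering, since the rendered diff lost its +/- markers.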