parent
27b2b09ffe
commit
063999dd85
@ -5996,7 +5996,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te
|
||||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.3.1/policy/modules/kernel/corecommands.fc
|
||||
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-12-12 11:35:27.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/corecommands.fc 2008-02-26 08:29:22.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/corecommands.fc 2008-02-26 13:48:22.000000000 -0500
|
||||
@@ -7,11 +7,11 @@
|
||||
/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
@ -6032,7 +6032,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
|
||||
/etc/sysconfig/network-scripts/ifup-.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/sysconfig/network-scripts/ifup-.* -l gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/sysconfig/network-scripts/ifdown-.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -127,6 +135,8 @@
|
||||
@@ -99,11 +107,6 @@
|
||||
/lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
')
|
||||
|
||||
-ifdef(`distro_redhat',`
|
||||
-/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:bin_t,s0)
|
||||
-/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:bin_t,s0)
|
||||
-')
|
||||
-
|
||||
#
|
||||
# /sbin
|
||||
#
|
||||
@@ -127,6 +130,8 @@
|
||||
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
||||
')
|
||||
|
||||
@ -6041,7 +6053,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
|
||||
#
|
||||
# /usr
|
||||
#
|
||||
@@ -144,10 +154,7 @@
|
||||
@@ -144,10 +149,7 @@
|
||||
/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
@ -6053,7 +6065,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
|
||||
|
||||
/usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -178,6 +185,8 @@
|
||||
@@ -178,6 +180,8 @@
|
||||
/usr/lib(64)?/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
@ -6062,7 +6074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
|
||||
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -185,8 +194,12 @@
|
||||
@@ -185,8 +189,12 @@
|
||||
/usr/local/Brother(/.*)?/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/local/Printer/[^/]*/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
@ -6075,7 +6087,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
|
||||
|
||||
/usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -284,3 +297,10 @@
|
||||
@@ -284,3 +292,10 @@
|
||||
ifdef(`distro_suse',`
|
||||
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
|
||||
')
|
||||
@ -6088,7 +6100,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.3.1/policy/modules/kernel/corecommands.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2007-11-14 08:17:58.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/corecommands.if 2008-02-26 08:29:22.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/corecommands.if 2008-02-26 11:58:10.000000000 -0500
|
||||
@@ -875,6 +875,7 @@
|
||||
|
||||
read_lnk_files_pattern($1,bin_t,bin_t)
|
||||
@ -6199,7 +6211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
|
||||
network_port(xen, tcp,8002,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.3.1/policy/modules/kernel/devices.fc
|
||||
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-12-12 11:35:27.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/devices.fc 2008-02-26 08:29:22.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/devices.fc 2008-02-26 14:17:28.000000000 -0500
|
||||
@@ -1,7 +1,7 @@
|
||||
|
||||
/dev -d gen_context(system_u:object_r:device_t,s0)
|
||||
@ -6209,7 +6221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
|
||||
/dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
|
||||
/dev/admmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
/dev/adsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
@@ -12,32 +12,45 @@
|
||||
@@ -12,42 +12,58 @@
|
||||
/dev/apm_bios -c gen_context(system_u:object_r:apm_bios_t,s0)
|
||||
/dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0)
|
||||
/dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
@ -6255,7 +6267,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
|
||||
/dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
|
||||
/dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0)
|
||||
/dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
@@ -48,6 +61,7 @@
|
||||
/dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
/dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0)
|
||||
/dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
+/dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0)
|
||||
+/dev/network_throughput -c gen_context(system_u:object_r:netcontrol_device_t,s0)
|
||||
/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
|
||||
/dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
|
||||
/dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
|
||||
/dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
|
||||
@ -6263,7 +6280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
|
||||
/dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0)
|
||||
/dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
/dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
|
||||
@@ -69,9 +83,8 @@
|
||||
@@ -69,9 +85,8 @@
|
||||
/dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
|
||||
@ -6275,7 +6292,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
|
||||
/dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
|
||||
ifdef(`distro_suse', `
|
||||
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
|
||||
@@ -98,13 +111,23 @@
|
||||
@@ -91,6 +106,7 @@
|
||||
|
||||
/dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
|
||||
|
||||
+/dev/cpu_dma_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0)
|
||||
/dev/cpu/.* -c gen_context(system_u:object_r:cpu_device_t,s0)
|
||||
/dev/cpu/mtrr -c gen_context(system_u:object_r:mtrr_device_t,s0)
|
||||
|
||||
@@ -98,13 +114,23 @@
|
||||
|
||||
/dev/dvb/.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
|
||||
@ -6299,9 +6324,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
|
||||
|
||||
/dev/pts(/.*)? <<none>>
|
||||
|
||||
@@ -134,3 +160,4 @@
|
||||
/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
|
||||
/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
|
||||
')
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.3.1/policy/modules/kernel/devices.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-29 18:02:31.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/devices.if 2008-02-26 08:29:22.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/devices.if 2008-02-26 14:19:56.000000000 -0500
|
||||
@@ -65,7 +65,7 @@
|
||||
|
||||
relabelfrom_dirs_pattern($1,device_t,device_node)
|
||||
@ -6476,7 +6506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
|
||||
## Mount a usbfs filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -3322,3 +3452,96 @@
|
||||
@@ -3322,3 +3452,150 @@
|
||||
|
||||
typeattribute $1 devices_unconfined_type;
|
||||
')
|
||||
@ -6573,9 +6603,63 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
|
||||
+ rw_chr_files_pattern($1,device_t,autofs_device_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Get the attributes of the network control device
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`dev_getattr_netcontrol',`
|
||||
+ gen_require(`
|
||||
+ type device_t, netcontrol_device_t;
|
||||
+ ')
|
||||
+
|
||||
+ getattr_chr_files_pattern($1,device_t,netcontrol_device_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read the network control identity.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`dev_read_netcontrol',`
|
||||
+ gen_require(`
|
||||
+ type device_t, netcontrol_device_t;
|
||||
+ ')
|
||||
+
|
||||
+ read_chr_files_pattern($1,device_t,netcontrol_device_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read and write the the network control device.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`dev_rw_netcontrol',`
|
||||
+ gen_require(`
|
||||
+ type device_t, netcontrol_device_t;
|
||||
+ ')
|
||||
+
|
||||
+ rw_chr_files_pattern($1,device_t,netcontrol_device_t)
|
||||
+')
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.3.1/policy/modules/kernel/devices.te
|
||||
--- nsaserefpolicy/policy/modules/kernel/devices.te 2007-12-19 05:32:07.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/devices.te 2008-02-26 08:29:22.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/devices.te 2008-02-26 14:16:11.000000000 -0500
|
||||
@@ -32,6 +32,12 @@
|
||||
type apm_bios_t;
|
||||
dev_node(apm_bios_t)
|
||||
@ -6589,7 +6673,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
|
||||
type cardmgr_dev_t;
|
||||
dev_node(cardmgr_dev_t)
|
||||
files_tmp_file(cardmgr_dev_t)
|
||||
@@ -66,12 +72,25 @@
|
||||
@@ -49,6 +55,12 @@
|
||||
type cpu_device_t;
|
||||
dev_node(cpu_device_t)
|
||||
|
||||
+#
|
||||
+# network control devices
|
||||
+#
|
||||
+type netcontrol_device_t;
|
||||
+dev_node(netcontrol_device_t)
|
||||
+
|
||||
# for the IBM zSeries z90crypt hardware ssl accelorator
|
||||
type crypt_device_t;
|
||||
dev_node(crypt_device_t)
|
||||
@@ -66,12 +78,25 @@
|
||||
dev_node(framebuf_device_t)
|
||||
|
||||
#
|
||||
@ -9396,7 +9493,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cann
|
||||
+/etc/rc.d/init.d/canna -- gen_context(system_u:object_r:canna_script_exec_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/canna.if serefpolicy-3.3.1/policy/modules/services/canna.if
|
||||
--- nsaserefpolicy/policy/modules/services/canna.if 2007-01-02 12:57:43.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/canna.if 2008-02-26 08:29:22.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/canna.if 2008-02-26 11:51:53.000000000 -0500
|
||||
@@ -18,3 +18,74 @@
|
||||
files_search_pids($1)
|
||||
stream_connect_pattern($1,canna_var_run_t,canna_var_run_t,canna_t)
|
||||
@ -11210,9 +11307,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.3.1/policy/modules/services/dbus.fc
|
||||
--- nsaserefpolicy/policy/modules/services/dbus.fc 2007-09-12 10:34:18.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/dbus.fc 2008-02-26 11:48:35.000000000 -0500
|
||||
@@ -4,6 +4,9 @@
|
||||
/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:system_dbusd_exec_t,s0)
|
||||
/bin/dbus-daemon -- gen_context(system_u:object_r:system_dbusd_exec_t,s0)
|
||||
|
||||
+/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:system_dbusd_exec_t,s0)
|
||||
+/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:system_dbusd_exec_t,s0)
|
||||
+
|
||||
/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
|
||||
|
||||
/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.3.1/policy/modules/services/dbus.if
|
||||
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/dbus.if 2008-02-26 08:29:22.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/dbus.if 2008-02-26 12:56:03.000000000 -0500
|
||||
@@ -53,6 +53,7 @@
|
||||
gen_require(`
|
||||
type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
|
||||
@ -11266,6 +11376,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
||||
allow $1_dbusd_t $2:process sigkill;
|
||||
allow $2 $1_dbusd_t:fd use;
|
||||
allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms;
|
||||
@@ -115,8 +117,8 @@
|
||||
kernel_read_kernel_sysctls($1_dbusd_t)
|
||||
|
||||
corecmd_list_bin($1_dbusd_t)
|
||||
- corecmd_read_bin_symlinks($1_dbusd_t)
|
||||
corecmd_read_bin_files($1_dbusd_t)
|
||||
+ corecmd_read_bin_symlinks($1_dbusd_t)
|
||||
corecmd_read_bin_pipes($1_dbusd_t)
|
||||
corecmd_read_bin_sockets($1_dbusd_t)
|
||||
|
||||
@@ -139,6 +141,7 @@
|
||||
|
||||
fs_getattr_romfs($1_dbusd_t)
|
||||
@ -11472,7 +11592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.3.1/policy/modules/services/dbus.te
|
||||
--- nsaserefpolicy/policy/modules/services/dbus.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/dbus.te 2008-02-26 10:53:25.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/dbus.te 2008-02-26 14:09:20.000000000 -0500
|
||||
@@ -9,6 +9,7 @@
|
||||
#
|
||||
# Delcarations
|
||||
@ -11515,7 +11635,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
||||
allow system_dbusd_t self:fifo_file { read write };
|
||||
allow system_dbusd_t self:dbus { send_msg acquire_svc };
|
||||
allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
|
||||
@@ -65,6 +78,7 @@
|
||||
@@ -43,6 +56,8 @@
|
||||
# Receive notifications of policy reloads and enforcing status changes.
|
||||
allow system_dbusd_t self:netlink_selinux_socket { create bind read };
|
||||
|
||||
+can_exec(system_dbusd_t,system_dbusd_exec_t)
|
||||
+
|
||||
allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
|
||||
read_files_pattern(system_dbusd_t,dbusd_etc_t,dbusd_etc_t)
|
||||
read_lnk_files_pattern(system_dbusd_t,dbusd_etc_t,dbusd_etc_t)
|
||||
@@ -65,6 +80,7 @@
|
||||
|
||||
fs_getattr_all_fs(system_dbusd_t)
|
||||
fs_search_auto_mountpoints(system_dbusd_t)
|
||||
@ -11523,15 +11652,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
||||
|
||||
selinux_get_fs_mount(system_dbusd_t)
|
||||
selinux_validate_context(system_dbusd_t)
|
||||
@@ -91,6 +105,7 @@
|
||||
@@ -81,7 +97,6 @@
|
||||
corecmd_list_bin(system_dbusd_t)
|
||||
corecmd_read_bin_pipes(system_dbusd_t)
|
||||
corecmd_read_bin_sockets(system_dbusd_t)
|
||||
-corecmd_exec_bin(system_dbusd_t)
|
||||
|
||||
domain_use_interactive_fds(system_dbusd_t)
|
||||
|
||||
@@ -91,6 +106,8 @@
|
||||
|
||||
init_use_fds(system_dbusd_t)
|
||||
init_use_script_ptys(system_dbusd_t)
|
||||
+init_domtrans_script(system_dbusd_t)
|
||||
+init_dbus_chat_script(system_dbusd_t)
|
||||
+init_bin_domtrans_spec(system_dbusd_t)
|
||||
|
||||
libs_use_ld_so(system_dbusd_t)
|
||||
libs_use_shared_libs(system_dbusd_t)
|
||||
@@ -121,9 +136,20 @@
|
||||
@@ -121,9 +138,20 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
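Review bot: The new side of the inner dbus.te hunk `@@ -91,6 +106,8 @@` grants system_dbusd_t `init_bin_domtrans_spec`, which the init.if hunk in this same commit defines as `corecmd_bin_domtrans($1, initrc_t)`, so every bin_t executable the system bus daemon runs now transitions into initrc_t, a far more privileged domain than system_dbusd_t, and the dropped `corecmd_exec_bin(system_dbusd_t)` means it can no longer run bin_t in its own domain at all. Read together with the dbus.fc hunk relabelling /lib/dbus-1/dbus-daemon-launch-helper to system_dbusd_exec_t and the `can_exec(system_dbusd_t,system_dbusd_exec_t)` line, the setuid activation helper appears to run inside system_dbusd_t and to start activated services as initrc_t; if that is the intent it deserves a comment at the call, e.g. `# dbus-daemon-launch-helper runs in system_dbusd_t; bin_t services it activates run as initrc_t`, and it is worth checking whether the helper can get its own domain so the initrc_t transition is not available to the daemon itself. The page prints three `+init_*` lines but the outer hunk counts (old 15, new 24) admit only two on the new side, so which of init_domtrans_script / init_dbus_chat_script survives cannot be read from the rendering. Separately, the new devices.if summaries read "Read the network control identity." and "Read and write the the network control device.", and the dovecot.if summary carries a stray backtick in "d`elete"; these inner-patch comment lines are worth tidying before the patch is carried forward.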
@ -12300,24 +12438,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
|
||||
+/etc/rc.d/init.d/dovecot -- gen_context(system_u:object_r:dovecot_script_exec_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.3.1/policy/modules/services/dovecot.if
|
||||
--- nsaserefpolicy/policy/modules/services/dovecot.if 2008-02-26 08:17:43.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/dovecot.if 2008-02-26 10:29:56.000000000 -0500
|
||||
@@ -21,14 +21,53 @@
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/dovecot.if 2008-02-26 13:09:21.000000000 -0500
|
||||
@@ -21,7 +21,46 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Do not audit attempts to delete dovecot lib files.
|
||||
+## Connect to dovecot auth unix domain stream socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
-## <summary>
|
||||
-## Domain to not audit.
|
||||
-## </summary>
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
## </param>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
#
|
||||
+#
|
||||
+interface(`dovecot_auth_stream_connect',`
|
||||
+ gen_require(`
|
||||
+ type dovecot_auth_t, dovecot_var_run_t;
|
||||
@ -12346,19 +12481,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
|
||||
+ domtrans_pattern($1,dovecot_deliver_exec_t,dovecot_deliver_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+### <summary>
|
||||
+### Do not audit attempts to delete dovecot lib files.
|
||||
+### </summary>
|
||||
+### <param name="domain">
|
||||
+### <summary>
|
||||
+### Domain to not audit.
|
||||
+### </summary>
|
||||
+### </param>
|
||||
+##
|
||||
interface(`dovecot_dontaudit_unlink_lib_files',`
|
||||
gen_require(`
|
||||
type dovecot_var_lib_t;
|
||||
+#######################################
|
||||
+## <summary>
|
||||
+## Do not audit attempts to d`elete dovecot lib files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -36,3 +75,89 @@
|
||||
|
||||
dontaudit $1 dovecot_var_lib_t:file unlink;
|
||||
@ -15398,11 +15526,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
|
||||
#
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.3.1/policy/modules/services/networkmanager.fc
|
||||
--- nsaserefpolicy/policy/modules/services/networkmanager.fc 2007-09-12 10:34:18.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.fc 2008-02-26 08:29:22.000000000 -0500
|
||||
@@ -1,7 +1,9 @@
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.fc 2008-02-26 14:08:24.000000000 -0500
|
||||
@@ -1,7 +1,10 @@
|
||||
/usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
|
||||
/usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
|
||||
+/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
|
||||
+/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
|
||||
|
||||
/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||
/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||
@ -24225,7 +24354,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
||||
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.3.1/policy/modules/system/authlogin.if
|
||||
--- nsaserefpolicy/policy/modules/system/authlogin.if 2008-02-01 09:12:53.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/authlogin.if 2008-02-26 08:29:22.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/authlogin.if 2008-02-26 13:19:58.000000000 -0500
|
||||
@@ -99,7 +99,7 @@
|
||||
template(`authlogin_per_role_template',`
|
||||
|
||||
@ -24271,7 +24400,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
||||
# for SSP/ProPolice
|
||||
dev_read_urand($1)
|
||||
# for fingerprint readers
|
||||
@@ -226,6 +242,31 @@
|
||||
@@ -226,6 +242,33 @@
|
||||
seutil_read_config($1)
|
||||
seutil_read_default_contexts($1)
|
||||
|
||||
@ -24288,6 +24417,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
||||
+ ')
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ corecmd_exec_bin($1)
|
||||
+ storage_getattr_fixed_disk_dev($1)
|
||||
+ mount_domtrans($1)
|
||||
+ ')
|
||||
+
|
||||
@ -24303,7 +24434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
||||
tunable_policy(`allow_polyinstantiation',`
|
||||
files_polyinstantiate_all($1)
|
||||
')
|
||||
@@ -342,6 +383,8 @@
|
||||
@@ -342,6 +385,8 @@
|
||||
|
||||
optional_policy(`
|
||||
kerberos_use($1)
|
||||
@ -24312,7 +24443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -356,6 +399,28 @@
|
||||
@@ -356,6 +401,28 @@
|
||||
optional_policy(`
|
||||
samba_stream_connect_winbind($1)
|
||||
')
|
||||
@ -24341,7 +24472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -369,12 +434,12 @@
|
||||
@@ -369,12 +436,12 @@
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
@ -24356,7 +24487,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@@ -386,6 +451,7 @@
|
||||
@@ -386,6 +453,7 @@
|
||||
auth_domtrans_chk_passwd($1)
|
||||
role $2 types system_chkpwd_t;
|
||||
allow system_chkpwd_t $3:chr_file rw_file_perms;
|
||||
@ -24364,7 +24495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1457,6 +1523,7 @@
|
||||
@@ -1457,6 +1525,7 @@
|
||||
optional_policy(`
|
||||
samba_stream_connect_winbind($1)
|
||||
samba_read_var_files($1)
|
||||
@ -24372,7 +24503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
||||
')
|
||||
')
|
||||
|
||||
@@ -1491,3 +1558,23 @@
|
||||
@@ -1491,3 +1560,23 @@
|
||||
typeattribute $1 can_write_shadow_passwords;
|
||||
typeattribute $1 can_relabelto_shadow_passwords;
|
||||
')
|
||||
@ -24554,7 +24685,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
|
||||
-
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.3.1/policy/modules/system/init.if
|
||||
--- nsaserefpolicy/policy/modules/system/init.if 2007-10-29 18:02:31.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/init.if 2008-02-26 10:48:51.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/init.if 2008-02-26 14:08:51.000000000 -0500
|
||||
@@ -211,6 +211,13 @@
|
||||
kernel_dontaudit_use_fds($1)
|
||||
')
|
||||
@ -24607,26 +24738,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
|
||||
')
|
||||
')
|
||||
|
||||
@@ -567,18 +575,46 @@
|
||||
@@ -567,23 +575,70 @@
|
||||
#
|
||||
interface(`init_domtrans_script',`
|
||||
gen_require(`
|
||||
- type initrc_t, initrc_exec_t;
|
||||
+ type initrc_t;
|
||||
+ attribute initscript;
|
||||
')
|
||||
|
||||
files_list_etc($1)
|
||||
- domtrans_pattern($1,initrc_exec_t,initrc_t)
|
||||
+ ')
|
||||
+
|
||||
+ files_list_etc($1)
|
||||
+ domtrans_pattern($1,initscript,initrc_t)
|
||||
|
||||
ifdef(`enable_mcs',`
|
||||
- range_transition $1 initrc_exec_t:process s0;
|
||||
+
|
||||
+ ifdef(`enable_mcs',`
|
||||
+ range_transition $1 initscript:process s0;
|
||||
')
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
|
||||
+ ')
|
||||
+
|
||||
+ ifdef(`enable_mls',`
|
||||
+ range_transition $1 initscript:process s0 - mls_systemhigh;
|
||||
+ ')
|
||||
+')
|
||||
@ -24644,21 +24772,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
|
||||
+interface(`init_script_domtrans_spec',`
|
||||
+ gen_require(`
|
||||
+ type initrc_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_list_etc($1)
|
||||
')
|
||||
|
||||
files_list_etc($1)
|
||||
- domtrans_pattern($1,initrc_exec_t,initrc_t)
|
||||
+ domtrans_pattern($1,$2,initrc_t)
|
||||
+
|
||||
+ ifdef(`enable_mcs',`
|
||||
|
||||
ifdef(`enable_mcs',`
|
||||
- range_transition $1 initrc_exec_t:process s0;
|
||||
+ range_transition $1 $2:process s0;
|
||||
+ ')
|
||||
+
|
||||
+ ifdef(`enable_mls',`
|
||||
')
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
|
||||
+ range_transition $1 $2:process s0 - mls_systemhigh;
|
||||
')
|
||||
')
|
||||
|
||||
@@ -609,11 +645,11 @@
|
||||
########################################
|
||||
## <summary>
|
||||
+## Execute a file in a bin directory
|
||||
+## in the initrc_t domain
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`init_bin_domtrans_spec',`
|
||||
+ gen_require(`
|
||||
+ type initrc_t;
|
||||
+ ')
|
||||
+
|
||||
+ corecmd_bin_domtrans($1, initrc_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Execute a init script in a specified domain.
|
||||
## </summary>
|
||||
## <desc>
|
||||
@@ -609,11 +664,11 @@
|
||||
# cjp: added for gentoo integrated run_init
|
||||
interface(`init_script_file_domtrans',`
|
||||
gen_require(`
|
||||
@ -24672,7 +24827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -684,11 +720,11 @@
|
||||
@@ -684,11 +739,11 @@
|
||||
#
|
||||
interface(`init_getattr_script_files',`
|
||||
gen_require(`
|
||||
@ -24686,7 +24841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -703,11 +739,11 @@
|
||||
@@ -703,11 +758,11 @@
|
||||
#
|
||||
interface(`init_exec_script_files',`
|
||||
gen_require(`
|
||||
@ -24700,7 +24855,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -931,6 +967,7 @@
|
||||
@@ -931,6 +986,7 @@
|
||||
|
||||
dontaudit $1 initrc_t:unix_stream_socket connectto;
|
||||
')
|
||||
@ -24708,7 +24863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
|
||||
########################################
|
||||
## <summary>
|
||||
## Send messages to init scripts over dbus.
|
||||
@@ -1030,11 +1067,11 @@
|
||||
@@ -1030,11 +1086,11 @@
|
||||
#
|
||||
interface(`init_read_script_files',`
|
||||
gen_require(`
|
||||
@ -24722,7 +24877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1097,6 +1134,25 @@
|
||||
@@ -1097,6 +1153,25 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -24748,7 +24903,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
|
||||
## Create files in a init script
|
||||
## temporary data directory.
|
||||
## </summary>
|
||||
@@ -1252,7 +1308,7 @@
|
||||
@@ -1252,7 +1327,7 @@
|
||||
type initrc_var_run_t;
|
||||
')
|
||||
|
||||
@ -24757,7 +24912,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1273,3 +1329,112 @@
|
||||
@@ -1273,3 +1348,114 @@
|
||||
files_search_pids($1)
|
||||
allow $1 initrc_var_run_t:file manage_file_perms;
|
||||
')
|
||||
@ -24870,6 +25025,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
|
||||
+ allow $1 init_t:unix_dgram_socket sendto;
|
||||
+ allow init_t $1:unix_dgram_socket sendto;
|
||||
+')
|
||||
+
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.3.1/policy/modules/system/init.te
|
||||
--- nsaserefpolicy/policy/modules/system/init.te 2008-02-26 08:17:43.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/init.te 2008-02-26 10:49:22.000000000 -0500
|
||||
|
@ -17,7 +17,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.3.1
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -388,8 +388,12 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Feb 26 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-3
|
||||
|
||||
* Tue Feb 26 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-2
|
||||
-
|
||||
- Fix Makefile.devel to build mls modules
|
||||
- Fix qemu to be more specific on labeling
|
||||
|
||||
|
||||
* Tue Feb 26 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-1
|
||||
- Update to upstream fixes
|
||||
|