- Allow xserver to write to ramfs mounted by rhgb
This commit is contained in:
Daniel J Walsh
parent
9c038630bf
commit
07351eb493
|
|
@ -434,7 +434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.t
|
|||
optional_policy(`
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.0.4/policy/modules/admin/logrotate.te
|
||||
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2007-07-25 10:37:43.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/admin/logrotate.te 2007-07-25 13:27:51.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/admin/logrotate.te 2007-07-28 10:42:11.000000000 -0400
|
||||
@@ -75,11 +75,13 @@
|
||||
mls_file_read_up(logrotate_t)
|
||||
mls_file_write_down(logrotate_t)
|
||||
|
|
@ -449,7 +449,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
|
|||
|
||||
# Run helper programs.
|
||||
corecmd_exec_bin(logrotate_t)
|
||||
@@ -114,8 +116,6 @@
|
||||
@@ -95,6 +97,7 @@
|
||||
files_read_etc_files(logrotate_t)
|
||||
files_read_etc_runtime_files(logrotate_t)
|
||||
files_read_all_pids(logrotate_t)
|
||||
+files_search_all(logrotate_t)
|
||||
# Write to /var/spool/slrnpull - should be moved into its own type.
|
||||
files_manage_generic_spool(logrotate_t)
|
||||
files_manage_generic_spool_dirs(logrotate_t)
|
||||
@@ -114,8 +117,6 @@
|
||||
|
||||
seutil_dontaudit_read_config(logrotate_t)
|
||||
|
||||
|
|
@ -458,7 +466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
|
|||
userdom_dontaudit_search_sysadm_home_dirs(logrotate_t)
|
||||
userdom_use_unpriv_users_fds(logrotate_t)
|
||||
|
||||
@@ -177,14 +177,6 @@
|
||||
@@ -177,14 +178,6 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -2135,6 +2143,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp
|
|||
auth_manage_pam_pid($1_userhelper_t)
|
||||
auth_manage_var_auth($1_userhelper_t)
|
||||
auth_search_pam_console_data($1_userhelper_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/usernetctl.te serefpolicy-3.0.4/policy/modules/apps/usernetctl.te
|
||||
--- nsaserefpolicy/policy/modules/apps/usernetctl.te 2007-07-25 10:37:37.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/apps/usernetctl.te 2007-07-28 11:05:08.000000000 -0400
|
||||
@@ -6,14 +6,6 @@
|
||||
# Declarations
|
||||
#
|
||||
|
||||
-## <desc>
|
||||
-## <p>
|
||||
-## Allow users to control network interfaces
|
||||
-## (also needs USERCTL=true)
|
||||
-## </p>
|
||||
-## </desc>
|
||||
-gen_tunable(user_net_control,false)
|
||||
-
|
||||
type usernetctl_t;
|
||||
type usernetctl_exec_t;
|
||||
application_domain(usernetctl_t,usernetctl_exec_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.0.4/policy/modules/apps/vmware.fc
|
||||
--- nsaserefpolicy/policy/modules/apps/vmware.fc 2007-07-03 07:05:43.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/apps/vmware.fc 2007-07-25 13:27:51.000000000 -0400
|
||||
|
|
@ -2630,6 +2656,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
|
|||
+ allow $1 root_t:dir rw_dir_perms;
|
||||
+ allow $1 root_t:file { create getattr write };
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.4/policy/modules/kernel/filesystem.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-07-03 07:05:38.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/kernel/filesystem.if 2007-07-30 10:20:15.000000000 -0400
|
||||
@@ -1192,6 +1192,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## unmount a FUSE filesystem.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`fs_unmount_fusefs',`
|
||||
+ gen_require(`
|
||||
+ type fusefs_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 fusefs_t:filesystem unmount;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Search inotifyfs filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.4/policy/modules/kernel/filesystem.te
|
||||
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-07-25 10:37:36.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/kernel/filesystem.te 2007-07-25 13:27:51.000000000 -0400
|
||||
|
|
@ -6561,8 +6615,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
|
|||
fs_search_auto_mountpoints($1_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.4/policy/modules/services/rpc.te
|
||||
--- nsaserefpolicy/policy/modules/services/rpc.te 2007-07-25 10:37:42.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/services/rpc.te 2007-07-25 13:27:51.000000000 -0400
|
||||
@@ -59,6 +59,8 @@
|
||||
+++ serefpolicy-3.0.4/policy/modules/services/rpc.te 2007-07-30 09:46:58.000000000 -0400
|
||||
@@ -59,10 +59,13 @@
|
||||
manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
|
||||
files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
|
||||
|
||||
|
|
@ -6571,7 +6625,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
|
|||
kernel_read_system_state(rpcd_t)
|
||||
kernel_search_network_state(rpcd_t)
|
||||
# for rpc.rquotad
|
||||
@@ -76,9 +78,11 @@
|
||||
kernel_read_sysctl(rpcd_t)
|
||||
+kernel_getattr_core_if(nfsd_t)
|
||||
|
||||
fs_list_rpc(rpcd_t)
|
||||
fs_read_rpc_files(rpcd_t)
|
||||
@@ -76,9 +79,11 @@
|
||||
miscfiles_read_certs(rpcd_t)
|
||||
|
||||
seutil_dontaudit_search_config(rpcd_t)
|
||||
|
|
@ -6583,7 +6642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -91,9 +95,13 @@
|
||||
@@ -91,9 +96,13 @@
|
||||
allow nfsd_t exports_t:file { getattr read };
|
||||
allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
|
||||
|
||||
|
|
@ -6597,7 +6656,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
|
|||
|
||||
corenet_tcp_bind_all_rpc_ports(nfsd_t)
|
||||
corenet_udp_bind_all_rpc_ports(nfsd_t)
|
||||
@@ -123,6 +131,7 @@
|
||||
@@ -123,6 +132,7 @@
|
||||
tunable_policy(`nfs_export_all_rw',`
|
||||
fs_read_noxattr_fs_files(nfsd_t)
|
||||
auth_manage_all_files_except_shadow(nfsd_t)
|
||||
|
|
@ -6605,7 +6664,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
|
|||
')
|
||||
|
||||
tunable_policy(`nfs_export_all_ro',`
|
||||
@@ -143,6 +152,8 @@
|
||||
@@ -143,6 +153,8 @@
|
||||
manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t)
|
||||
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
|
||||
|
||||
|
|
@ -6614,7 +6673,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
|
|||
kernel_read_network_state(gssd_t)
|
||||
kernel_read_network_state_symlinks(gssd_t)
|
||||
kernel_search_network_sysctl(gssd_t)
|
||||
@@ -158,6 +169,11 @@
|
||||
@@ -158,6 +170,11 @@
|
||||
|
||||
miscfiles_read_certs(gssd_t)
|
||||
|
||||
|
|
@ -7260,7 +7319,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.4/policy/modules/services/xserver.if
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-07-03 07:06:27.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/services/xserver.if 2007-07-25 13:27:51.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/services/xserver.if 2007-07-30 10:01:38.000000000 -0400
|
||||
@@ -141,7 +141,7 @@
|
||||
fs_getattr_xattr_fs($1_xserver_t)
|
||||
fs_search_nfs($1_xserver_t)
|
||||
fs_search_auto_mountpoints($1_xserver_t)
|
||||
- fs_search_ramfs($1_xserver_t)
|
||||
+ fs_manage_ramfs_files($1_xserver_t)
|
||||
|
||||
init_getpgid($1_xserver_t)
|
||||
|
||||
@@ -353,12 +353,6 @@
|
||||
# allow ps to show xauth
|
||||
ps_process_pattern($2,$1_xauth_t)
|
||||
|
|
@ -10523,7 +10591,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||
+corecmd_exec_all_executables(unconfined_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.4/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-07-03 07:06:32.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/system/userdomain.if 2007-07-26 10:11:38.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/system/userdomain.if 2007-07-28 11:09:17.000000000 -0400
|
||||
@@ -62,6 +62,10 @@
|
||||
|
||||
allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
|
||||
|
|
@ -11159,21 +11227,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||
# port access is audited even if dac would not have allowed it, so dontaudit it here
|
||||
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
|
||||
# Need the following rule to allow users to run vpnc
|
||||
@@ -1033,14 +1127,6 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -1029,15 +1123,7 @@
|
||||
# and may change other protocols
|
||||
tunable_policy(`user_tcp_server',`
|
||||
corenet_tcp_bind_all_nodes($1_t)
|
||||
- corenet_tcp_bind_generic_port($1_t)
|
||||
- ')
|
||||
-
|
||||
- optional_policy(`
|
||||
- kerberos_use($1_t)
|
||||
- ')
|
||||
-
|
||||
- optional_policy(`
|
||||
- loadkeys_run($1_t,$1_r,$1_tty_device_t)
|
||||
- ')
|
||||
-
|
||||
- optional_policy(`
|
||||
netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
|
||||
netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
|
||||
+ corenet_tcp_bind_all_unreserved_ports($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -1054,17 +1140,6 @@
|
||||
setroubleshoot_stream_connect($1_t)
|
||||
')
|
||||
|
|
@ -11806,7 +11876,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.
|
|||
+## <summary>Policy for webadm user</summary>
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.0.4/policy/modules/users/webadm.te
|
||||
--- nsaserefpolicy/policy/modules/users/webadm.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.0.4/policy/modules/users/webadm.te 2007-07-25 13:27:51.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/users/webadm.te 2007-07-27 14:44:20.000000000 -0400
|
||||
@@ -0,0 +1,70 @@
|
||||
+policy_module(webadm,1.0.0)
|
||||
+
|
||||
|
|
@ -11815,7 +11885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.
|
|||
+# webadmin local policy
|
||||
+#
|
||||
+
|
||||
+userdom_login_user_template(webadm)
|
||||
+userdom_base_user_template(webadm)
|
||||
+allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
|
||||
+
|
||||
+# Allow webadm_t to restart the apache service
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@
|
|||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.0.4
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
License: GPL
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
|
|
@ -359,6 +359,9 @@ exit 0
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Jul 30 2007 Dan Walsh <dwalsh@redhat.com> 3.0.4-3
|
||||
- Allow xserver to write to ramfs mounted by rhgb
|
||||
|
||||
* Tue Jul 23 2007 Dan Walsh <dwalsh@redhat.com> 3.0.4-2
|
||||
- Add context for dbus machine id
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue