- Fix cyphesis file context
parent
6a09cfb688
commit
074b12f275
@ -1003,6 +1003,13 @@ logwatch = base
|
||||
#
|
||||
setrans = base
|
||||
|
||||
# Layer: services
|
||||
# Module: setroubleshoot
|
||||
#
|
||||
# Policy for the SELinux troubleshooting utility
|
||||
#
|
||||
setroubleshoot = base
|
||||
|
||||
# Layer: services
|
||||
# Module: openvpn
|
||||
#
|
||||
|
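Review bot: The changelog entry this commit adds (`- Fix cyphesis file context`) does not record that this hunk also promotes `setroubleshoot` to a base module, which is the more consequential change for anyone reading the package history, since it alters what ends up in the base policy rather than a single file label. The hunk context (`logwatch = base`, `setrans = base`) suggests this is one of the modules-*.conf files, though the file header is outside this page. I would add a second changelog line such as `- Build setroubleshoot as a base module` next to the cyphesis line, and note which configuration (targeted/mls) it applies to if only one was changed.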
@ -8400,7 +8400,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.5.13/policy/modules/kernel/storage.fc
|
||||
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2008-10-08 19:00:23.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/kernel/storage.fc 2008-10-28 10:56:19.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/kernel/storage.fc 2008-11-05 13:22:07.000000000 -0500
|
||||
@@ -36,7 +36,7 @@
|
||||
/dev/pg[0-3] -c gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/ps3d.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
@ -14165,13 +14165,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.fc serefpolicy-3.5.13/policy/modules/services/cyphesis.fc
|
||||
--- nsaserefpolicy/policy/modules/services/cyphesis.fc 2008-09-03 11:05:02.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/cyphesis.fc 2008-11-04 09:54:55.000000000 -0500
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/cyphesis.fc 2008-11-05 15:12:14.000000000 -0500
|
||||
@@ -1 +1,6 @@
|
||||
/usr/bin/cyphesis -- gen_context(system_u:object_r:cyphesis_exec_t,s0)
|
||||
+
|
||||
+/var/log/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_log_t,s0)
|
||||
+
|
||||
+/var/run/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_run_t,s0)
|
||||
+/var/run/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_var_run_t,s0)
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.5.13/policy/modules/services/dbus.fc
|
||||
--- nsaserefpolicy/policy/modules/services/dbus.fc 2008-08-07 11:15:11.000000000 -0400
|
||||
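Review bot: The rename on the `/var/run/cyphesis(/.*)?` entry, from `cyphesis_run_t` to what appears to be the new side `cyphesis_var_run_t`, fixes a type name that did not match the declaration, but the neighbouring `/var/log/cyphesis(/.*)?` entry still names `cyphesis_log_t` and nothing in this commit shows cyphesis.te, so the same class of mismatch is not ruled out there. Both types need to exist in cyphesis.te (presumably with `files_pid_file()` and `logging_log_file()`, as refpolicy does for pid and log types) or file-context validation rejects the module at build time; an `.fc` entry naming an undeclared type is not a silent failure. I would confirm with `grep -n 'cyphesis_var_run_t\|cyphesis_log_t' policy/modules/services/cyphesis.te` on the patched tree before this ships, and consider adding `-d` on a separate line for the directory itself if the policy distinguishes dir from file labels.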
@ -26338,7 +26338,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.5.13/policy/modules/services/xserver.te
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2008-10-16 17:21:16.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/xserver.te 2008-10-29 13:26:13.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/xserver.te 2008-11-05 15:24:47.000000000 -0500
|
||||
@@ -8,6 +8,14 @@
|
||||
|
||||
## <desc>
|
||||
@ -26443,7 +26443,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
xserver_common_domain_template(xdm)
|
||||
xserver_common_x_domain_template(xdm, xdm, xdm_t)
|
||||
init_system_domain(xdm_xserver_t, xserver_exec_t)
|
||||
@@ -140,8 +193,9 @@
|
||||
@@ -140,13 +193,14 @@
|
||||
# XDM Local policy
|
||||
#
|
||||
|
||||
@ -26455,6 +26455,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow xdm_t self:fifo_file rw_fifo_file_perms;
|
||||
allow xdm_t self:shm create_shm_perms;
|
||||
allow xdm_t self:sem create_sem_perms;
|
||||
allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
-allow xdm_t self:unix_dgram_socket create_socket_perms;
|
||||
+allow xdm_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
allow xdm_t self:tcp_socket create_stream_socket_perms;
|
||||
allow xdm_t self:udp_socket create_socket_perms;
|
||||
allow xdm_t self:socket create_socket_perms;
|
||||
@@ -154,6 +208,12 @@
|
||||
allow xdm_t self:key { search link write };
|
||||
|
||||
@ -26477,7 +26483,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
|
||||
manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
|
||||
@@ -176,15 +238,31 @@
|
||||
@@ -176,15 +238,32 @@
|
||||
manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
|
||||
manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
|
||||
fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
@ -26497,6 +26503,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
|
||||
manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
|
||||
-files_var_lib_filetrans(xdm_t, xdm_var_lib_t, file)
|
||||
+manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
|
||||
+manage_sock_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
|
||||
+files_var_lib_filetrans(xdm_t, xdm_var_lib_t, { file dir })
|
||||
+# Read machine-id
|
||||
@ -26511,7 +26518,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
allow xdm_t xdm_xserver_t:process signal;
|
||||
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
|
||||
@@ -198,6 +276,7 @@
|
||||
@@ -198,6 +277,7 @@
|
||||
allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
|
||||
|
||||
allow xdm_t xdm_xserver_t:shm rw_shm_perms;
|
||||
@ -26519,7 +26526,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# connect to xdm xserver over stream socket
|
||||
stream_connect_pattern(xdm_t, xdm_xserver_tmp_t, xdm_xserver_tmp_t, xdm_xserver_t)
|
||||
@@ -229,6 +308,7 @@
|
||||
@@ -229,6 +309,7 @@
|
||||
corenet_udp_sendrecv_all_ports(xdm_t)
|
||||
corenet_tcp_bind_all_nodes(xdm_t)
|
||||
corenet_udp_bind_all_nodes(xdm_t)
|
||||
@ -26527,7 +26534,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
corenet_tcp_connect_all_ports(xdm_t)
|
||||
corenet_sendrecv_all_client_packets(xdm_t)
|
||||
# xdm tries to bind to biff_port_t
|
||||
@@ -241,6 +321,7 @@
|
||||
@@ -241,6 +322,7 @@
|
||||
dev_getattr_mouse_dev(xdm_t)
|
||||
dev_setattr_mouse_dev(xdm_t)
|
||||
dev_rw_apm_bios(xdm_t)
|
||||
@ -26535,7 +26542,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dev_setattr_apm_bios_dev(xdm_t)
|
||||
dev_rw_dri(xdm_t)
|
||||
dev_rw_agp(xdm_t)
|
||||
@@ -253,14 +334,17 @@
|
||||
@@ -253,14 +335,17 @@
|
||||
dev_setattr_video_dev(xdm_t)
|
||||
dev_getattr_scanner_dev(xdm_t)
|
||||
dev_setattr_scanner_dev(xdm_t)
|
||||
@ -26555,7 +26562,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
files_read_etc_files(xdm_t)
|
||||
files_read_var_files(xdm_t)
|
||||
@@ -271,9 +355,13 @@
|
||||
@@ -271,9 +356,13 @@
|
||||
files_read_usr_files(xdm_t)
|
||||
# Poweroff wants to create the /poweroff file when run from xdm
|
||||
files_create_boot_flag(xdm_t)
|
||||
@ -26569,7 +26576,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
storage_dontaudit_read_fixed_disk(xdm_t)
|
||||
storage_dontaudit_write_fixed_disk(xdm_t)
|
||||
@@ -282,6 +370,7 @@
|
||||
@@ -282,6 +371,7 @@
|
||||
storage_dontaudit_raw_write_removable_device(xdm_t)
|
||||
storage_dontaudit_setattr_removable_dev(xdm_t)
|
||||
storage_dontaudit_rw_scsi_generic(xdm_t)
|
||||
@ -26577,7 +26584,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
term_setattr_console(xdm_t)
|
||||
term_use_unallocated_ttys(xdm_t)
|
||||
@@ -290,6 +379,7 @@
|
||||
@@ -290,6 +380,7 @@
|
||||
auth_domtrans_pam_console(xdm_t)
|
||||
auth_manage_pam_pid(xdm_t)
|
||||
auth_manage_pam_console_data(xdm_t)
|
||||
@ -26585,7 +26592,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
auth_rw_faillog(xdm_t)
|
||||
auth_write_login_records(xdm_t)
|
||||
|
||||
@@ -301,21 +391,26 @@
|
||||
@@ -301,21 +392,26 @@
|
||||
libs_exec_lib_files(xdm_t)
|
||||
|
||||
logging_read_generic_logs(xdm_t)
|
||||
@ -26617,7 +26624,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
xserver_rw_session_template(xdm, xdm_t, xdm_tmpfs_t)
|
||||
xserver_unconfined(xdm_t)
|
||||
@@ -348,10 +443,12 @@
|
||||
@@ -348,10 +444,12 @@
|
||||
|
||||
optional_policy(`
|
||||
alsa_domtrans(xdm_t)
|
||||
@ -26630,7 +26637,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -359,6 +456,22 @@
|
||||
@@ -359,6 +457,22 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -26653,7 +26660,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# Talk to the console mouse server.
|
||||
gpm_stream_connect(xdm_t)
|
||||
gpm_setattr_gpmctl(xdm_t)
|
||||
@@ -382,16 +495,34 @@
|
||||
@@ -382,16 +496,34 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -26689,7 +26696,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
ifndef(`distro_redhat',`
|
||||
allow xdm_t self:process { execheap execmem };
|
||||
@@ -411,6 +542,10 @@
|
||||
@@ -411,6 +543,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -26700,7 +26707,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
xfs_stream_connect(xdm_t)
|
||||
')
|
||||
|
||||
@@ -427,7 +562,7 @@
|
||||
@@ -427,7 +563,7 @@
|
||||
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
|
||||
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
|
||||
|
||||
@ -26709,7 +26716,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# Label pid and temporary files with derived types.
|
||||
manage_files_pattern(xdm_xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||
@@ -439,6 +574,15 @@
|
||||
@@ -439,6 +575,15 @@
|
||||
can_exec(xdm_xserver_t, xkb_var_lib_t)
|
||||
files_search_var_lib(xdm_xserver_t)
|
||||
|
||||
@ -26725,7 +26732,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# VNC v4 module in X server
|
||||
corenet_tcp_bind_vnc_port(xdm_xserver_t)
|
||||
|
||||
@@ -450,10 +594,19 @@
|
||||
@@ -450,10 +595,19 @@
|
||||
# xdm_xserver_t may no longer have any reason
|
||||
# to read ROLE_home_t - examine this in more detail
|
||||
# (xauth?)
|
||||
@ -26746,7 +26753,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs(xdm_xserver_t)
|
||||
fs_manage_nfs_files(xdm_xserver_t)
|
||||
@@ -468,8 +621,19 @@
|
||||
@@ -468,8 +622,19 @@
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client_template(xdm_xserver, xdm_xserver_t)
|
||||
@ -26766,7 +26773,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
optional_policy(`
|
||||
resmgr_stream_connect(xdm_t)
|
||||
@@ -481,8 +645,25 @@
|
||||
@@ -481,8 +646,25 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -26794,7 +26801,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
ifndef(`distro_redhat',`
|
||||
allow xdm_xserver_t self:process { execheap execmem };
|
||||
@@ -491,7 +672,6 @@
|
||||
@@ -491,7 +673,6 @@
|
||||
ifdef(`distro_rhel4',`
|
||||
allow xdm_xserver_t self:process { execheap execmem };
|
||||
')
|
||||
@ -26802,7 +26809,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -512,6 +692,27 @@
|
||||
@@ -512,6 +693,27 @@
|
||||
allow xserver_unconfined_type { x_domain x_server_domain }:x_resource *;
|
||||
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
|
||||
|
||||
@ -26830,7 +26837,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
ifdef(`TODO',`
|
||||
# Need to further investigate these permissions and
|
||||
# perhaps define derived types.
|
||||
@@ -544,3 +745,70 @@
|
||||
@@ -544,3 +746,70 @@
|
||||
#
|
||||
allow pam_t xdm_t:fifo_file { getattr ioctl write };
|
||||
') dnl end TODO
|
||||
|
@ -20,7 +20,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.5.13
|
||||
Release: 15%{?dist}
|
||||
Release: 16%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -457,6 +457,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Nov 5 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-16
|
||||
- Fix cyphesis file context
|
||||
|
||||
* Tue Nov 3 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-15
|
||||
- Allow hal/pm-utils to look at /var/run/video.rom
|
||||
- Add ulogd policy
|
||||
|