- Define user_home_type as home_type
This commit is contained in:
parent
601f0f04ee
commit
07b8680835
@ -368,6 +368,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te
|
||||
+ hal_use_fds(alsa_t)
|
||||
+ hal_write_log(alsa_t)
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.if serefpolicy-3.0.7/policy/modules/admin/amanda.if
|
||||
--- nsaserefpolicy/policy/modules/admin/amanda.if 2007-05-29 14:10:59.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/admin/amanda.if 2007-09-06 10:18:35.000000000 -0400
|
||||
@@ -71,6 +71,26 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## Search amanda var library directories.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## The type of the process performing this action.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`amanda_search_var_lib',`
|
||||
+ gen_require(`
|
||||
+ type amanda_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_var_lib($1)
|
||||
+ allow $1 amanda_var_lib_t:dir search_dir_perms;
|
||||
+
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Do not audit attempts to read /etc/dumpdates.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -141,3 +161,4 @@
|
||||
|
||||
allow $1 amanda_log_t:file { read_file_perms append_file_perms };
|
||||
')
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.0.7/policy/modules/admin/anaconda.te
|
||||
--- nsaserefpolicy/policy/modules/admin/anaconda.te 2007-05-29 14:10:59.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/admin/anaconda.te 2007-08-28 15:53:39.000000000 -0400
|
||||
@ -4634,7 +4669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
||||
## <param name="domain">
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.0.7/policy/modules/services/cron.te
|
||||
--- nsaserefpolicy/policy/modules/services/cron.te 2007-07-25 10:37:42.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/services/cron.te 2007-08-28 15:53:39.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/services/cron.te 2007-09-06 10:19:10.000000000 -0400
|
||||
@@ -50,6 +50,7 @@
|
||||
|
||||
type crond_tmp_t;
|
||||
@ -4724,7 +4759,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
||||
ifdef(`distro_debian',`
|
||||
optional_policy(`
|
||||
# Debian logcheck has the home dir set to its cache
|
||||
@@ -180,6 +201,15 @@
|
||||
@@ -180,11 +201,24 @@
|
||||
locallogin_link_keys(crond_t)
|
||||
')
|
||||
|
||||
@ -4740,7 +4775,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
||||
tunable_policy(`fcron_crond', `
|
||||
allow crond_t system_cron_spool_t:file manage_file_perms;
|
||||
')
|
||||
@@ -239,7 +269,6 @@
|
||||
|
||||
optional_policy(`
|
||||
+ amanda_search_var_lib(crond_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
amavis_search_lib(crond_t)
|
||||
')
|
||||
|
||||
@@ -239,7 +273,6 @@
|
||||
allow system_crond_t cron_var_lib_t:file manage_file_perms;
|
||||
files_var_lib_filetrans(system_crond_t,cron_var_lib_t,file)
|
||||
|
||||
@ -4748,7 +4792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
||||
# The entrypoint interface is not used as this is not
|
||||
# a regular entrypoint. Since crontab files are
|
||||
# not directly executed, crond must ensure that
|
||||
@@ -249,6 +278,8 @@
|
||||
@@ -249,6 +282,8 @@
|
||||
# for this purpose.
|
||||
allow system_crond_t system_cron_spool_t:file entrypoint;
|
||||
|
||||
@ -4757,7 +4801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
||||
# Permit a transition from the crond_t domain to this domain.
|
||||
# The transition is requested explicitly by the modified crond
|
||||
# via setexeccon. There is no way to set up an automatic
|
||||
@@ -270,9 +301,16 @@
|
||||
@@ -270,9 +305,16 @@
|
||||
filetrans_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t,{ file lnk_file })
|
||||
files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file)
|
||||
|
||||
@ -4775,7 +4819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
||||
|
||||
kernel_read_kernel_sysctls(system_crond_t)
|
||||
kernel_read_system_state(system_crond_t)
|
||||
@@ -326,7 +364,7 @@
|
||||
@@ -326,7 +368,7 @@
|
||||
init_read_utmp(system_crond_t)
|
||||
init_dontaudit_rw_utmp(system_crond_t)
|
||||
# prelink tells init to restart it self, we either need to allow or dontaudit
|
||||
@ -4784,7 +4828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
||||
|
||||
libs_use_ld_so(system_crond_t)
|
||||
libs_use_shared_libs(system_crond_t)
|
||||
@@ -334,6 +372,7 @@
|
||||
@@ -334,6 +376,7 @@
|
||||
libs_exec_ld_so(system_crond_t)
|
||||
|
||||
logging_read_generic_logs(system_crond_t)
|
||||
@ -4792,7 +4836,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
||||
logging_send_syslog_msg(system_crond_t)
|
||||
|
||||
miscfiles_read_localization(system_crond_t)
|
||||
@@ -384,6 +423,14 @@
|
||||
@@ -384,6 +427,14 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -4807,7 +4851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
||||
mrtg_append_create_logs(system_crond_t)
|
||||
')
|
||||
|
||||
@@ -424,8 +471,7 @@
|
||||
@@ -424,8 +475,7 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -4817,7 +4861,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -433,9 +479,13 @@
|
||||
@@ -433,9 +483,13 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -12585,7 +12629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.7/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/system/userdomain.if 2007-09-05 22:07:53.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/system/userdomain.if 2007-09-06 10:57:49.000000000 -0400
|
||||
@@ -45,7 +45,7 @@
|
||||
type $1_tty_device_t;
|
||||
term_user_tty($1_t,$1_tty_device_t)
|
||||
@ -13255,15 +13299,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
|
||||
kernel_read_software_raid_state($1_t)
|
||||
kernel_getattr_core_if($1_t)
|
||||
@@ -1852,21 +1935,57 @@
|
||||
@@ -1856,17 +1939,53 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
-## Domain to not audit
|
||||
+## Domain to not audit
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
#
|
||||
-template(`userdom_dontaudit_list_user_home_dirs',`
|
||||
+template(`userdom_dontaudit_list_user_home_dirs',`
|
||||
+ gen_require(`
|
||||
+ type $1_home_dir_t;
|
||||
@ -13296,10 +13336,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-template(`userdom_dontaudit_list_user_home_dirs',`
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+template(`userdom_manage_user_home_content_dirs',`
|
||||
gen_require(`
|
||||
- type $1_home_dir_t;
|
||||
@ -13378,7 +13417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -5559,3 +5695,297 @@
|
||||
@@ -5559,3 +5695,299 @@
|
||||
interface(`userdom_unconfined',`
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
@ -13633,8 +13672,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
+interface(`userdom_user_home_type',`
|
||||
+ gen_require(`
|
||||
+ attribute user_home_type;
|
||||
+ attribute home_type;
|
||||
+ ')
|
||||
+ typeattribute $1 user_home_type;
|
||||
+ typeattribute $1 home_type;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
|
@ -17,7 +17,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.0.7
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -362,6 +362,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Sep 6 2007 Dan Walsh <dwalsh@redhat.com> 3.0.7-4
|
||||
- Define user_home_type as home_type
|
||||
|
||||
* Tue Aug 28 2007 Dan Walsh <dwalsh@redhat.com> 3.0.7-3
|
||||
- Allow sendmail to create etc_aliases_t
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user