- Cleanups from dgrift
This commit is contained in:
parent
daebd59668
commit
08b890455e
168
policy-F13.patch
168
policy-F13.patch
@ -4657,8 +4657,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.7.5/policy/modules/apps/sambagui.te
|
||||
--- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.7.5/policy/modules/apps/sambagui.te 2009-12-21 13:07:09.000000000 -0500
|
||||
@@ -0,0 +1,60 @@
|
||||
+++ serefpolicy-3.7.5/policy/modules/apps/sambagui.te 2009-12-23 12:39:59.000000000 -0500
|
||||
@@ -0,0 +1,61 @@
|
||||
+policy_module(sambagui,1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -4675,6 +4675,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui
|
||||
+# system-config-samba local policy
|
||||
+#
|
||||
+
|
||||
+allow sambagui_t self:capability dac_override;
|
||||
+allow sambagui_t self:fifo_file rw_fifo_file_perms;
|
||||
+allow sambagui_t self:unix_dgram_socket create_socket_perms;
|
||||
+
|
||||
@ -4952,8 +4953,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.5/policy/modules/apps/sandbox.te
|
||||
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.7.5/policy/modules/apps/sandbox.te 2009-12-21 14:43:49.000000000 -0500
|
||||
@@ -0,0 +1,340 @@
|
||||
+++ serefpolicy-3.7.5/policy/modules/apps/sandbox.te 2009-12-23 12:55:41.000000000 -0500
|
||||
@@ -0,0 +1,342 @@
|
||||
+policy_module(sandbox,1.0.0)
|
||||
+dbus_stub()
|
||||
+attribute sandbox_domain;
|
||||
@ -5196,6 +5197,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
|
||||
+allow sandbox_web_client_t self:dbus { acquire_svc send_msg };
|
||||
+allow sandbox_web_client_t self:netlink_selinux_socket create_socket_perms;
|
||||
+
|
||||
+kernel_dontaudit_search_kernel_sysctl(sandbox_web_client_t)
|
||||
+
|
||||
+dev_read_rand(sandbox_web_client_t)
|
||||
+
|
||||
+# Browse the web, connect to printer
|
||||
@ -6455,7 +6458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
|
||||
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.5/policy/modules/kernel/files.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-11-25 11:47:19.000000000 -0500
|
||||
+++ serefpolicy-3.7.5/policy/modules/kernel/files.if 2009-12-21 13:07:09.000000000 -0500
|
||||
+++ serefpolicy-3.7.5/policy/modules/kernel/files.if 2009-12-23 12:48:27.000000000 -0500
|
||||
@@ -932,10 +932,8 @@
|
||||
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
|
||||
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
|
||||
@ -6969,7 +6972,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
|
||||
#
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.5/policy/modules/kernel/filesystem.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-11-25 11:47:19.000000000 -0500
|
||||
+++ serefpolicy-3.7.5/policy/modules/kernel/filesystem.if 2009-12-23 07:46:46.000000000 -0500
|
||||
+++ serefpolicy-3.7.5/policy/modules/kernel/filesystem.if 2009-12-23 08:58:51.000000000 -0500
|
||||
@@ -906,7 +906,7 @@
|
||||
type cifs_t;
|
||||
')
|
||||
@ -7014,7 +7017,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
|
||||
#########################################
|
||||
## <summary>
|
||||
## Read named sockets on a NFS filesystem.
|
||||
@@ -4181,3 +4200,175 @@
|
||||
@@ -3684,6 +3703,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## Search the XENFS filesystem.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`fs_search_xenfs',`
|
||||
+ gen_require(`
|
||||
+ type xenfs_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 xenfs_t:dir search_dir_perms;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Mount a XENFS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -4181,3 +4218,175 @@
|
||||
relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
|
||||
relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
|
||||
')
|
||||
@ -12576,7 +12604,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.fc serefpolicy-3.7.5/policy/modules/services/cgroup.fc
|
||||
--- nsaserefpolicy/policy/modules/services/cgroup.fc 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.7.5/policy/modules/services/cgroup.fc 2009-12-22 11:06:28.000000000 -0500
|
||||
+++ serefpolicy-3.7.5/policy/modules/services/cgroup.fc 2009-12-23 13:32:50.000000000 -0500
|
||||
@@ -0,0 +1,7 @@
|
||||
+/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t, s0)
|
||||
+/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t, s0)
|
||||
@ -14100,7 +14128,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
||||
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.5/policy/modules/services/cups.te
|
||||
--- nsaserefpolicy/policy/modules/services/cups.te 2009-08-14 16:14:31.000000000 -0400
|
||||
+++ serefpolicy-3.7.5/policy/modules/services/cups.te 2009-12-21 13:07:09.000000000 -0500
|
||||
+++ serefpolicy-3.7.5/policy/modules/services/cups.te 2009-12-23 12:11:21.000000000 -0500
|
||||
@@ -23,6 +23,9 @@
|
||||
type cupsd_initrc_exec_t;
|
||||
init_script_file(cupsd_initrc_exec_t)
|
||||
@ -14162,7 +14190,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
||||
corenet_tcp_bind_reserved_port(cupsd_t)
|
||||
corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
|
||||
corenet_tcp_bind_all_rpc_ports(cupsd_t)
|
||||
@@ -250,6 +262,7 @@
|
||||
@@ -191,6 +203,7 @@
|
||||
|
||||
fs_getattr_all_fs(cupsd_t)
|
||||
fs_search_auto_mountpoints(cupsd_t)
|
||||
+fs_search_fusefs(cupsd_t)
|
||||
fs_read_anon_inodefs_files(cupsd_t)
|
||||
|
||||
mls_file_downgrade(cupsd_t)
|
||||
@@ -250,6 +263,7 @@
|
||||
miscfiles_read_localization(cupsd_t)
|
||||
# invoking ghostscript needs to read fonts
|
||||
miscfiles_read_fonts(cupsd_t)
|
||||
@ -14170,7 +14206,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
||||
|
||||
seutil_read_config(cupsd_t)
|
||||
sysnet_exec_ifconfig(cupsd_t)
|
||||
@@ -317,6 +330,10 @@
|
||||
@@ -317,6 +331,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -14181,7 +14217,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
||||
udev_read_db(cupsd_t)
|
||||
')
|
||||
|
||||
@@ -327,7 +344,7 @@
|
||||
@@ -327,7 +345,7 @@
|
||||
|
||||
allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
|
||||
dontaudit cupsd_config_t self:capability sys_tty_config;
|
||||
@ -14190,7 +14226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
||||
allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
|
||||
allow cupsd_config_t self:unix_stream_socket create_socket_perms;
|
||||
allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
|
||||
@@ -378,6 +395,8 @@
|
||||
@@ -378,6 +396,8 @@
|
||||
dev_read_rand(cupsd_config_t)
|
||||
dev_rw_generic_usb_dev(cupsd_config_t)
|
||||
|
||||
@ -14199,7 +14235,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
||||
fs_getattr_all_fs(cupsd_config_t)
|
||||
fs_search_auto_mountpoints(cupsd_config_t)
|
||||
|
||||
@@ -407,6 +426,7 @@
|
||||
@@ -407,6 +427,7 @@
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
|
||||
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
|
||||
@ -14207,7 +14243,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
||||
|
||||
cups_stream_connect(cupsd_config_t)
|
||||
|
||||
@@ -419,12 +439,15 @@
|
||||
@@ -419,12 +440,15 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -14225,7 +14261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
||||
|
||||
optional_policy(`
|
||||
hal_dbus_chat(cupsd_config_t)
|
||||
@@ -446,6 +469,10 @@
|
||||
@@ -446,6 +470,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -14236,7 +14272,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
||||
rpm_read_db(cupsd_config_t)
|
||||
')
|
||||
|
||||
@@ -457,6 +484,10 @@
|
||||
@@ -457,6 +485,10 @@
|
||||
udev_read_db(cupsd_config_t)
|
||||
')
|
||||
|
||||
@ -14247,7 +14283,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
||||
########################################
|
||||
#
|
||||
# Cups lpd support
|
||||
@@ -542,6 +573,8 @@
|
||||
@@ -542,6 +574,8 @@
|
||||
manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
|
||||
files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir })
|
||||
|
||||
@ -14256,7 +14292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
||||
kernel_read_system_state(cups_pdf_t)
|
||||
|
||||
files_read_etc_files(cups_pdf_t)
|
||||
@@ -556,11 +589,15 @@
|
||||
@@ -556,11 +590,15 @@
|
||||
miscfiles_read_fonts(cups_pdf_t)
|
||||
|
||||
userdom_home_filetrans_user_home_dir(cups_pdf_t)
|
||||
@ -14272,7 +14308,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs(cups_pdf_t)
|
||||
@@ -601,6 +638,9 @@
|
||||
@@ -601,6 +639,9 @@
|
||||
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
|
||||
files_search_etc(hplip_t)
|
||||
|
||||
@ -14282,7 +14318,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
||||
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
|
||||
files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
|
||||
|
||||
@@ -627,6 +667,7 @@
|
||||
@@ -627,6 +668,7 @@
|
||||
corenet_tcp_connect_ipp_port(hplip_t)
|
||||
corenet_sendrecv_hplip_client_packets(hplip_t)
|
||||
corenet_receive_hplip_server_packets(hplip_t)
|
||||
@ -14954,7 +14990,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
|
||||
/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.5/policy/modules/services/dovecot.te
|
||||
--- nsaserefpolicy/policy/modules/services/dovecot.te 2009-08-14 16:14:31.000000000 -0400
|
||||
+++ serefpolicy-3.7.5/policy/modules/services/dovecot.te 2009-12-22 15:39:45.000000000 -0500
|
||||
+++ serefpolicy-3.7.5/policy/modules/services/dovecot.te 2009-12-23 12:49:57.000000000 -0500
|
||||
@@ -56,7 +56,7 @@
|
||||
|
||||
allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
|
||||
@ -14964,10 +15000,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
|
||||
allow dovecot_t self:fifo_file rw_fifo_file_perms;
|
||||
allow dovecot_t self:tcp_socket create_stream_socket_perms;
|
||||
allow dovecot_t self:unix_dgram_socket create_socket_perms;
|
||||
@@ -73,8 +73,9 @@
|
||||
@@ -73,8 +73,14 @@
|
||||
|
||||
can_exec(dovecot_t, dovecot_exec_t)
|
||||
|
||||
+# Allow dovecot to create and read SSL parameters file
|
||||
+manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
|
||||
+files_search_var_lib(dovecot_t)
|
||||
+files_read_var_symlinks(dovecot_t)
|
||||
+
|
||||
+manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
|
||||
manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
|
||||
-logging_log_filetrans(dovecot_t, dovecot_var_log_t, file)
|
||||
@ -14975,7 +15016,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
|
||||
|
||||
manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
|
||||
manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
|
||||
@@ -103,6 +104,7 @@
|
||||
@@ -103,6 +109,7 @@
|
||||
dev_read_urand(dovecot_t)
|
||||
|
||||
fs_getattr_all_fs(dovecot_t)
|
||||
@ -14983,7 +15024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
|
||||
fs_search_auto_mountpoints(dovecot_t)
|
||||
fs_list_inotifyfs(dovecot_t)
|
||||
|
||||
@@ -142,6 +144,10 @@
|
||||
@@ -142,6 +149,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -14994,7 +15035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
|
||||
seutil_sigchld_newrole(dovecot_t)
|
||||
')
|
||||
|
||||
@@ -159,7 +165,7 @@
|
||||
@@ -159,7 +170,7 @@
|
||||
#
|
||||
|
||||
allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
|
||||
@ -15003,6 +15044,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
|
||||
allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
|
||||
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
|
||||
allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
|
||||
@@ -172,11 +183,6 @@
|
||||
manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
|
||||
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
|
||||
|
||||
-# Allow dovecot to create and read SSL parameters file
|
||||
-manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
|
||||
-files_search_var_lib(dovecot_t)
|
||||
-files_read_var_symlinks(dovecot_t)
|
||||
-
|
||||
allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
|
||||
manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
|
||||
dovecot_stream_connect_auth(dovecot_auth_t)
|
||||
@@ -197,9 +203,9 @@
|
||||
files_search_pids(dovecot_auth_t)
|
||||
files_read_usr_files(dovecot_auth_t)
|
||||
files_read_usr_symlinks(dovecot_auth_t)
|
||||
+files_read_var_lib_files(dovecot_auth_t)
|
||||
files_search_tmp(dovecot_auth_t)
|
||||
-files_read_var_lib_files(dovecot_t)
|
||||
-
|
||||
+files_search_var_log(dovecot_auth_t)
|
||||
init_rw_utmp(dovecot_auth_t)
|
||||
|
||||
miscfiles_read_localization(dovecot_auth_t)
|
||||
@@ -220,15 +226,23 @@
|
||||
')
|
||||
|
||||
@ -16761,7 +16826,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
|
||||
## Send a generic signal to MySQL.
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.5/policy/modules/services/mysql.te
|
||||
--- nsaserefpolicy/policy/modules/services/mysql.te 2009-12-18 11:38:25.000000000 -0500
|
||||
+++ serefpolicy-3.7.5/policy/modules/services/mysql.te 2009-12-21 13:07:09.000000000 -0500
|
||||
+++ serefpolicy-3.7.5/policy/modules/services/mysql.te 2009-12-23 12:06:39.000000000 -0500
|
||||
@@ -1,6 +1,13 @@
|
||||
|
||||
policy_module(mysql, 1.11.1)
|
||||
@ -16788,7 +16853,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
|
||||
ifdef(`distro_redhat',`
|
||||
# because Fedora has the sock_file in the database directory
|
||||
type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t;
|
||||
@@ -131,20 +143,22 @@
|
||||
@@ -131,20 +143,24 @@
|
||||
# Local mysqld_safe policy
|
||||
#
|
||||
|
||||
@ -16806,6 +16871,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
|
||||
|
||||
domain_read_all_domains_state(mysqld_safe_t)
|
||||
|
||||
+files_dontaudit_search_all_mountpoints(mysqld_safe_t)
|
||||
+
|
||||
logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
|
||||
|
||||
kernel_read_system_state(mysqld_safe_t)
|
||||
@ -19336,7 +19403,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
|
||||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.5/policy/modules/services/policykit.te
|
||||
--- nsaserefpolicy/policy/modules/services/policykit.te 2009-11-17 10:54:26.000000000 -0500
|
||||
+++ serefpolicy-3.7.5/policy/modules/services/policykit.te 2009-12-21 13:07:09.000000000 -0500
|
||||
+++ serefpolicy-3.7.5/policy/modules/services/policykit.te 2009-12-23 12:07:18.000000000 -0500
|
||||
@@ -36,11 +36,12 @@
|
||||
# policykit local policy
|
||||
#
|
||||
@ -19354,7 +19421,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
|
||||
|
||||
policykit_domtrans_auth(policykit_t)
|
||||
|
||||
@@ -57,32 +58,52 @@
|
||||
@@ -57,10 +58,14 @@
|
||||
manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
|
||||
files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
|
||||
|
||||
@ -19363,12 +19430,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
|
||||
|
||||
files_read_etc_files(policykit_t)
|
||||
files_read_usr_files(policykit_t)
|
||||
|
||||
+fs_list_inotifyfs(policykit_t)
|
||||
+files_dontaudit_search_all_mountpoints(policykit_t)
|
||||
+
|
||||
+fs_list_inotifyfs(policykit_t)
|
||||
|
||||
auth_use_nsswitch(policykit_t)
|
||||
|
||||
logging_send_syslog_msg(policykit_t)
|
||||
@@ -68,21 +73,38 @@
|
||||
|
||||
miscfiles_read_localization(policykit_t)
|
||||
|
||||
@ -19411,7 +19479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
|
||||
|
||||
rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
|
||||
|
||||
@@ -92,21 +113,25 @@
|
||||
@@ -92,21 +114,25 @@
|
||||
manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
|
||||
files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
|
||||
|
||||
@ -19440,7 +19508,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
|
||||
dbus_session_bus_client(policykit_auth_t)
|
||||
|
||||
optional_policy(`
|
||||
@@ -119,6 +144,14 @@
|
||||
@@ -119,6 +145,14 @@
|
||||
hal_read_state(policykit_auth_t)
|
||||
')
|
||||
|
||||
@ -19455,7 +19523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
|
||||
########################################
|
||||
#
|
||||
# polkit_grant local policy
|
||||
@@ -126,7 +159,8 @@
|
||||
@@ -126,7 +160,8 @@
|
||||
|
||||
allow policykit_grant_t self:capability setuid;
|
||||
allow policykit_grant_t self:process getattr;
|
||||
@ -19465,7 +19533,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
|
||||
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
|
||||
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
@@ -156,9 +190,12 @@
|
||||
@@ -156,9 +191,12 @@
|
||||
userdom_read_all_users_state(policykit_grant_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -19479,7 +19547,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
|
||||
consolekit_dbus_chat(policykit_grant_t)
|
||||
')
|
||||
')
|
||||
@@ -170,7 +207,8 @@
|
||||
@@ -170,7 +208,8 @@
|
||||
|
||||
allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
|
||||
allow policykit_resolve_t self:process getattr;
|
||||
@ -26477,7 +26545,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.5/policy/modules/services/xserver.te
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-12-04 09:43:33.000000000 -0500
|
||||
+++ serefpolicy-3.7.5/policy/modules/services/xserver.te 2009-12-22 09:44:04.000000000 -0500
|
||||
+++ serefpolicy-3.7.5/policy/modules/services/xserver.te 2009-12-23 09:07:52.000000000 -0500
|
||||
@@ -36,6 +36,13 @@
|
||||
|
||||
## <desc>
|
||||
@ -26903,12 +26971,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
|
||||
logging_read_generic_logs(xdm_t)
|
||||
|
||||
+miscfiles_manage_fonts_cache(xserver_t)
|
||||
+miscfiles_search_man_pages(xdm_t)
|
||||
miscfiles_read_localization(xdm_t)
|
||||
miscfiles_read_fonts(xdm_t)
|
||||
-
|
||||
-sysnet_read_config(xdm_t)
|
||||
+miscfiles_manage_fonts_cache(xdm_t)
|
||||
+miscfiles_manage_localization(xdm_t)
|
||||
+miscfiles_read_hwdata(xdm_t)
|
||||
|
||||
@ -28945,7 +29013,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.
|
||||
+permissive kdump_t;
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.5/policy/modules/system/libraries.fc
|
||||
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400
|
||||
+++ serefpolicy-3.7.5/policy/modules/system/libraries.fc 2009-12-23 07:33:05.000000000 -0500
|
||||
+++ serefpolicy-3.7.5/policy/modules/system/libraries.fc 2009-12-23 12:43:23.000000000 -0500
|
||||
@@ -60,12 +60,15 @@
|
||||
#
|
||||
# /opt
|
||||
@ -29161,7 +29229,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
|
||||
') dnl end distro_redhat
|
||||
|
||||
#
|
||||
@@ -307,10 +316,114 @@
|
||||
@@ -307,10 +316,115 @@
|
||||
|
||||
/var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0)
|
||||
|
||||
@ -29276,6 +29344,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
|
||||
+/usr/local/zend/lib/apache2/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
+
|
||||
+/usr/lib(64)?/python.*/site-packages/pymedia/muxer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
+/usr/local/games/darwinia/lib/libSDL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.7.5/policy/modules/system/libraries.if
|
||||
--- nsaserefpolicy/policy/modules/system/libraries.if 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.7.5/policy/modules/system/libraries.if 2009-12-21 13:07:09.000000000 -0500
|
||||
@ -34735,7 +34804,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if
|
||||
## <param name="domain">
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.5/policy/modules/system/xen.te
|
||||
--- nsaserefpolicy/policy/modules/system/xen.te 2009-11-25 11:47:19.000000000 -0500
|
||||
+++ serefpolicy-3.7.5/policy/modules/system/xen.te 2009-12-21 13:07:09.000000000 -0500
|
||||
+++ serefpolicy-3.7.5/policy/modules/system/xen.te 2009-12-23 08:58:19.000000000 -0500
|
||||
@@ -85,6 +85,7 @@
|
||||
type xenconsoled_t;
|
||||
type xenconsoled_exec_t;
|
||||
@ -34752,7 +34821,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
|
||||
|
||||
storage_raw_read_fixed_disk(xend_t)
|
||||
storage_raw_write_fixed_disk(xend_t)
|
||||
@@ -421,6 +423,12 @@
|
||||
@@ -340,6 +342,8 @@
|
||||
|
||||
files_read_usr_files(xenstored_t)
|
||||
|
||||
+fs_search_xenfs(xenstored_t)
|
||||
+
|
||||
storage_raw_read_fixed_disk(xenstored_t)
|
||||
storage_raw_write_fixed_disk(xenstored_t)
|
||||
storage_raw_read_removable_device(xenstored_t)
|
||||
@@ -421,6 +425,12 @@
|
||||
xen_stream_connect_xenstore(xm_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -34765,7 +34843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
|
||||
virt_manage_images(xm_t)
|
||||
virt_stream_connect(xm_t)
|
||||
')
|
||||
@@ -438,6 +446,8 @@
|
||||
@@ -438,6 +448,8 @@
|
||||
fs_manage_xenfs_dirs(xm_ssh_t)
|
||||
fs_manage_xenfs_files(xm_ssh_t)
|
||||
|
||||
|
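Review bot: The `allow sambagui_t self:capability dac_override;` line in the sambagui.te hunk at `@ -4675,6 +4675,7 @@` looks like the one line this commit adds there (the inner header goes from `@@ -0,0 +1,60 @@` to `@@ -0,0 +1,61 @@`, and the rendering has dropped the outer +/- markers, so this is inferred rather than certain). dac_override lets the domain bypass discretionary permission checks on every file it touches, which is a broader grant than a "Cleanups" commit message suggests, and nothing in the hunk records what access it is meant to fix. I would put the motivation directly above the rule, e.g. `# dac_override: needed for <access being fixed — placeholder>`, and check whether the narrower `dac_read_search` that dovecot_t already uses elsewhere in this patch, or a `dontaudit`, would cover the case instead. The enclosing sambagui.te policy block continues outside this hunk.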
@ -1,4 +1,4 @@
|
||||
t%define distro redhat
|
||||
%define distro redhat
|
||||
%define polyinstatiate n
|
||||
%define monolithic n
|
||||
%if %{?BUILD_TARGETED:0}%{!?BUILD_TARGETED:1}
|
||||
|