- Fix labeling for oracle

Daniel J Walsh 2008-10-01 19:15:34 +00:00
parent 2ede4ec7ba
commit 094ef3d610
2 changed files with 110 additions and 40 deletions


@ -6439,7 +6439,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+wm_domain_template(user,xdm)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.5.9/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2008-08-07 11:15:01.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/kernel/corecommands.fc 2008-09-25 08:33:18.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/kernel/corecommands.fc 2008-10-01 09:45:44.000000000 -0400
@@ -129,6 +129,8 @@
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@ -6462,7 +6462,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -292,3 +292,13 @@
@@ -292,3 +292,14 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@ -6476,6 +6476,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
+/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib/oracle/xe/apps(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.5.9/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2008-08-07 11:15:01.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/kernel/corecommands.if 2008-09-25 08:33:18.000000000 -0400
@ -8794,7 +8795,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.5.9/policy/modules/roles/sysadm.if
--- nsaserefpolicy/policy/modules/roles/sysadm.if 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/roles/sysadm.if 2008-09-29 15:11:59.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/roles/sysadm.if 2008-10-01 08:10:36.000000000 -0400
@@ -334,10 +334,10 @@
#
interface(`sysadm_getattr_home_dirs',`
@ -8808,7 +8809,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -354,10 +354,10 @@
@@ -354,10 +354,29 @@
#
interface(`sysadm_dontaudit_getattr_home_dirs',`
gen_require(`
@ -8818,10 +8819,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- dontaudit $1 sysadm_home_dir_t:dir getattr;
+ dontaudit $1 admin_home_t:dir getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write to
+## sysadm users home directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sysadm_dontaudit_write_home_dirs',`
+ gen_require(`
+ type admin_home_t;
+ ')
+
+ dontaudit $1 admin_home_t:dir write;
')
########################################
@@ -372,10 +372,10 @@
@@ -372,10 +391,10 @@
#
interface(`sysadm_search_home_dirs',`
gen_require(`
@ -8834,7 +8854,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -391,10 +391,10 @@
@@ -391,10 +410,10 @@
#
interface(`sysadm_dontaudit_search_home_dirs',`
gen_require(`
@ -8847,7 +8867,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -409,10 +409,10 @@
@@ -409,10 +428,10 @@
#
interface(`sysadm_list_home_dirs',`
gen_require(`
@ -8860,7 +8880,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -428,10 +428,10 @@
@@ -428,10 +447,10 @@
#
interface(`sysadm_dontaudit_list_home_dirs',`
gen_require(`
@ -8873,7 +8893,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -458,10 +458,10 @@
@@ -458,10 +477,10 @@
#
interface(`sysadm_home_dir_filetrans',`
gen_require(`
@ -8886,7 +8906,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -476,10 +476,10 @@
@@ -476,10 +495,10 @@
#
interface(`sysadm_search_home_content_dirs',`
gen_require(`
@ -8899,7 +8919,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -494,13 +494,12 @@
@@ -494,13 +513,12 @@
#
interface(`sysadm_read_home_content_files',`
gen_require(`
@ -8916,7 +8936,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -516,13 +515,33 @@
@@ -516,13 +534,33 @@
#
interface(`sysadm_dontaudit_read_home_content_files',`
gen_require(`
@ -13546,7 +13566,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-') dnl end TODO
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.5.9/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/services/cups.fc 2008-10-01 07:43:49.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/services/cups.fc 2008-10-01 07:45:00.000000000 -0400
@@ -8,24 +8,33 @@
/etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@ -13593,7 +13613,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -43,10 +52,19 @@
@@ -43,10 +52,18 @@
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
@ -13610,7 +13630,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
@ -15771,7 +15790,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.5.9/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/services/exim.te 2008-09-25 08:33:18.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/services/exim.te 2008-10-01 13:40:55.000000000 -0400
@@ -21,9 +21,20 @@
## </desc>
gen_tunable(exim_manage_user_files, false)
@ -15834,16 +15853,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_read_rand(exim_t)
dev_read_urand(exim_t)
@@ -89,6 +107,8 @@
@@ -89,7 +107,10 @@
# Init script handling
domain_use_interactive_fds(exim_t)
+files_search_usr(exim_t)
+files_search_var(exim_t)
files_read_etc_files(exim_t)
+files_read_etc_runtime_files(exim_t)
auth_use_nsswitch(exim_t)
@@ -99,23 +119,86 @@
@@ -99,23 +120,86 @@
logging_send_syslog_msg(exim_t)
miscfiles_read_localization(exim_t)
@ -16664,6 +16685,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/sbin/inetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
/usr/sbin/rlinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
/usr/sbin/xinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.5.9/policy/modules/services/inetd.te
--- nsaserefpolicy/policy/modules/services/inetd.te 2008-09-03 07:59:15.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/services/inetd.te 2008-10-01 13:39:05.000000000 -0400
@@ -136,6 +136,7 @@
domain_use_interactive_fds(inetd_t)
files_read_etc_files(inetd_t)
+files_read_etc_runtime_files(inetd_t)
libs_use_ld_so(inetd_t)
libs_use_shared_libs(inetd_t)
@@ -223,6 +224,7 @@
fs_getattr_xattr_fs(inetd_child_t)
files_read_etc_files(inetd_child_t)
+files_read_etc_runtime_files(inetd_child_t)
auth_use_nsswitch(inetd_child_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.fc serefpolicy-3.5.9/policy/modules/services/inn.fc
--- nsaserefpolicy/policy/modules/services/inn.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/services/inn.fc 2008-09-25 08:33:18.000000000 -0400
@ -22574,6 +22614,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_system_change_exemption($1)
role_transition $2 rpcbind_initrc_exec_t system_r;
allow $2 system_r;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.5.9/policy/modules/services/rpcbind.te
--- nsaserefpolicy/policy/modules/services/rpcbind.te 2008-09-24 09:07:28.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/services/rpcbind.te 2008-10-01 13:35:59.000000000 -0400
@@ -60,6 +60,7 @@
domain_use_interactive_fds(rpcbind_t)
files_read_etc_files(rpcbind_t)
+files_read_etc_runtime_files(rpcbind_t)
libs_use_ld_so(rpcbind_t)
libs_use_shared_libs(rpcbind_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.5.9/policy/modules/services/rshd.te
--- nsaserefpolicy/policy/modules/services/rshd.te 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/services/rshd.te 2008-09-25 08:33:18.000000000 -0400
@ -25682,7 +25733,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/run/stunnel(/.*)? gen_context(system_u:object_r:stunnel_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-3.5.9/policy/modules/services/stunnel.te
--- nsaserefpolicy/policy/modules/services/stunnel.te 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/services/stunnel.te 2008-09-25 08:33:18.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/services/stunnel.te 2008-10-01 13:38:33.000000000 -0400
@@ -54,6 +54,8 @@
kernel_read_system_state(stunnel_t)
kernel_read_network_state(stunnel_t)
@ -25692,6 +25743,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(stunnel_t)
corenet_all_recvfrom_netlabel(stunnel_t)
corenet_tcp_sendrecv_all_if(stunnel_t)
@@ -109,6 +111,7 @@
dev_read_urand(stunnel_t)
files_read_etc_files(stunnel_t)
+ files_read_etc_runtime_files(stunnel_t)
files_search_home(stunnel_t)
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.5.9/policy/modules/services/sysstat.te
--- nsaserefpolicy/policy/modules/services/sysstat.te 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/services/sysstat.te 2008-10-01 07:40:20.000000000 -0400
@ -25749,7 +25808,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.5.9/policy/modules/services/tftp.te
--- nsaserefpolicy/policy/modules/services/tftp.te 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/services/tftp.te 2008-09-25 08:33:18.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/services/tftp.te 2008-10-01 08:09:03.000000000 -0400
@@ -37,7 +37,6 @@
allow tftpd_t self:udp_socket create_socket_perms;
allow tftpd_t self:unix_dgram_socket create_socket_perms;
@ -25758,7 +25817,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dontaudit tftpd_t self:capability sys_tty_config;
allow tftpd_t tftpdir_t:dir { getattr read search };
@@ -80,6 +79,8 @@
@@ -76,10 +75,13 @@
domain_use_interactive_fds(tftpd_t)
files_read_etc_files(tftpd_t);
+files_read_etc_runtime_files(tftpd_t);
files_read_var_files(tftpd_t)
files_read_var_symlinks(tftpd_t)
files_search_var(tftpd_t)
@ -25767,7 +25831,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
libs_use_ld_so(tftpd_t)
libs_use_shared_libs(tftpd_t)
@@ -88,11 +89,7 @@
@@ -88,11 +90,7 @@
miscfiles_read_localization(tftpd_t)
miscfiles_read_public_files(tftpd_t)
@ -25779,7 +25843,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
sysadm_dontaudit_use_ttys(tftpd_t)
sysadm_dontaudit_search_home_dirs(tftpd_t)
@@ -105,14 +102,6 @@
@@ -105,14 +103,6 @@
')
optional_policy(`
@ -27416,7 +27480,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.5.9/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2008-09-24 09:07:28.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/services/xserver.te 2008-09-29 12:10:48.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/services/xserver.te 2008-10-01 08:10:49.000000000 -0400
@@ -8,6 +8,14 @@
## <desc>
@ -27655,12 +27719,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
@@ -301,21 +383,25 @@
@@ -301,21 +383,26 @@
libs_exec_lib_files(xdm_t)
logging_read_generic_logs(xdm_t)
+logging_send_audit_msgs(xdm_t)
+miscfiles_dontaudit_write_fonts(xdm_t)
miscfiles_read_localization(xdm_t)
miscfiles_read_fonts(xdm_t)
-
@ -27686,7 +27751,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
xserver_rw_session_template(xdm, xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t)
@@ -348,10 +434,12 @@
@@ -348,10 +435,12 @@
optional_policy(`
alsa_domtrans(xdm_t)
@ -27699,7 +27764,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -359,6 +447,22 @@
@@ -359,6 +448,22 @@
')
optional_policy(`
@ -27722,7 +27787,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Talk to the console mouse server.
gpm_stream_connect(xdm_t)
gpm_setattr_gpmctl(xdm_t)
@@ -382,16 +486,33 @@
@@ -382,16 +487,34 @@
')
optional_policy(`
@ -27744,6 +27809,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
+ sysadm_dontaudit_search_home_dirs(xdm_t)
+ sysadm_dontaudit_read_home_sym_links(xdm_t)
+ sysadm_dontaudit_write_home_dirs(xdm_t)
+')
+
+optional_policy(`
@ -27757,7 +27823,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
@@ -427,7 +548,7 @@
@@ -427,7 +550,7 @@
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
@ -27766,7 +27832,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Label pid and temporary files with derived types.
manage_files_pattern(xdm_xserver_t, xdm_tmp_t, xdm_tmp_t)
@@ -439,6 +560,15 @@
@@ -439,6 +562,15 @@
can_exec(xdm_xserver_t, xkb_var_lib_t)
files_search_var_lib(xdm_xserver_t)
@ -27782,7 +27848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# VNC v4 module in X server
corenet_tcp_bind_vnc_port(xdm_xserver_t)
@@ -450,10 +580,19 @@
@@ -450,10 +582,19 @@
# xdm_xserver_t may no longer have any reason
# to read ROLE_home_t - examine this in more detail
# (xauth?)
@ -27803,7 +27869,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_xserver_t)
fs_manage_nfs_files(xdm_xserver_t)
@@ -468,8 +607,19 @@
@@ -468,8 +609,19 @@
optional_policy(`
dbus_system_bus_client_template(xdm_xserver, xdm_xserver_t)
@ -27823,7 +27889,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
resmgr_stream_connect(xdm_t)
@@ -481,8 +631,25 @@
@@ -481,8 +633,25 @@
')
optional_policy(`
@ -27851,7 +27917,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifndef(`distro_redhat',`
allow xdm_xserver_t self:process { execheap execmem };
@@ -491,7 +658,6 @@
@@ -491,7 +660,6 @@
ifdef(`distro_rhel4',`
allow xdm_xserver_t self:process { execheap execmem };
')
@ -27859,7 +27925,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
@@ -544,3 +710,56 @@
@@ -544,3 +712,56 @@
#
allow pam_t xdm_t:fifo_file { getattr ioctl write };
') dnl end TODO
@ -30896,7 +30962,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.5.9/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-08-11 11:23:34.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/system/sysnetwork.te 2008-09-25 08:33:18.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/system/sysnetwork.te 2008-10-01 08:16:34.000000000 -0400
@@ -20,6 +20,9 @@
init_daemon_domain(dhcpc_t,dhcpc_exec_t)
role system_r types dhcpc_t;
@ -30917,7 +30983,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
-allow dhcpc_t self:process signal_perms;
+allow dhcpc_t self:process { ptrace signal_perms };
+allow dhcpc_t self:process { setfscreate ptrace signal_perms };
allow dhcpc_t self:fifo_file rw_file_perms;
allow dhcpc_t self:tcp_socket create_stream_socket_perms;
allow dhcpc_t self:udp_socket create_socket_perms;
@ -31036,7 +31102,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_rw_tun_tap_dev(ifconfig_t)
@@ -279,8 +291,11 @@
@@ -279,8 +291,12 @@
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
@ -31045,10 +31111,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
term_dontaudit_use_all_user_ttys(ifconfig_t)
term_dontaudit_use_all_user_ptys(ifconfig_t)
+term_dontaudit_use_ptmx(ifconfig_t)
+term_dontaudit_use_generic_ptys(ifconfig_t)
domain_use_interactive_fds(ifconfig_t)
@@ -336,6 +351,14 @@
@@ -336,6 +352,14 @@
')
optional_policy(`
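Review bot: The widened rule `allow dhcpc_t self:process { setfscreate ptrace signal_perms };` in the sysnetwork.te part of the patch has no comment saying which dhcpc operation needs `setfscreate`, and the commit title mentions only Oracle labeling. dhcpc_t processes network input, so a grant that lets it choose the label of files it creates should carry its reason next to the rule, for example `# setfscreate: needed for <operation> (<bug reference>)`. The page has lost the outer +/- column, so I am inferring from the newer timestamps and the print order that the `setfscreate` variant is the new side. The same applies to the `files_read_etc_runtime_files(...)` lines that appear as additions for exim_t, inetd_t, inetd_child_t, rpcbind_t, stunnel_t and tftpd_t, and to `sysadm_dontaudit_write_home_dirs(xdm_t)`. That last call hides write denials on admin_home_t from the audit log, so they only show up during an investigation once dontaudit rules are disabled (`semodule -DB`).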


@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.5.9
Release: 3%{?dist}
Release: 4%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -390,6 +390,9 @@ exit 0
%endif
%changelog
* Wed Oct 1 2008 Dan Walsh <dwalsh@redhat.com> 3.5.9-4
- Fix labeling for oracle
* Wed Oct 1 2008 Dan Walsh <dwalsh@redhat.com> 3.5.9-3
- Allow nsplugin to comminicate with xdm_tmp_t sock_file