- Fix labeling for oracle
parent
2ede4ec7ba
commit
094ef3d610
@ -6439,7 +6439,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+wm_domain_template(user,xdm)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.5.9/policy/modules/kernel/corecommands.fc
|
||||
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2008-08-07 11:15:01.000000000 -0400
|
||||
+++ serefpolicy-3.5.9/policy/modules/kernel/corecommands.fc 2008-09-25 08:33:18.000000000 -0400
|
||||
+++ serefpolicy-3.5.9/policy/modules/kernel/corecommands.fc 2008-10-01 09:45:44.000000000 -0400
|
||||
@@ -129,6 +129,8 @@
|
||||
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
||||
')
|
||||
@ -6462,7 +6462,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
@@ -292,3 +292,13 @@
|
||||
@@ -292,3 +292,14 @@
|
||||
ifdef(`distro_suse',`
|
||||
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
|
||||
')
|
||||
@ -6476,6 +6476,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
|
||||
+/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
|
||||
+
|
||||
+/usr/lib/oracle/xe/apps(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.5.9/policy/modules/kernel/corecommands.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2008-08-07 11:15:01.000000000 -0400
|
||||
+++ serefpolicy-3.5.9/policy/modules/kernel/corecommands.if 2008-09-25 08:33:18.000000000 -0400
|
||||
@ -8794,7 +8795,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.5.9/policy/modules/roles/sysadm.if
|
||||
--- nsaserefpolicy/policy/modules/roles/sysadm.if 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.9/policy/modules/roles/sysadm.if 2008-09-29 15:11:59.000000000 -0400
|
||||
+++ serefpolicy-3.5.9/policy/modules/roles/sysadm.if 2008-10-01 08:10:36.000000000 -0400
|
||||
@@ -334,10 +334,10 @@
|
||||
#
|
||||
interface(`sysadm_getattr_home_dirs',`
|
||||
@ -8808,7 +8809,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -354,10 +354,10 @@
|
||||
@@ -354,10 +354,29 @@
|
||||
#
|
||||
interface(`sysadm_dontaudit_getattr_home_dirs',`
|
||||
gen_require(`
|
||||
@ -8818,10 +8819,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
- dontaudit $1 sysadm_home_dir_t:dir getattr;
|
||||
+ dontaudit $1 admin_home_t:dir getattr;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Do not audit attempts to write to
|
||||
+## sysadm users home directory.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain to not audit.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`sysadm_dontaudit_write_home_dirs',`
|
||||
+ gen_require(`
|
||||
+ type admin_home_t;
|
||||
+ ')
|
||||
+
|
||||
+ dontaudit $1 admin_home_t:dir write;
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -372,10 +372,10 @@
|
||||
@@ -372,10 +391,10 @@
|
||||
#
|
||||
interface(`sysadm_search_home_dirs',`
|
||||
gen_require(`
|
||||
@ -8834,7 +8854,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -391,10 +391,10 @@
|
||||
@@ -391,10 +410,10 @@
|
||||
#
|
||||
interface(`sysadm_dontaudit_search_home_dirs',`
|
||||
gen_require(`
|
||||
@ -8847,7 +8867,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -409,10 +409,10 @@
|
||||
@@ -409,10 +428,10 @@
|
||||
#
|
||||
interface(`sysadm_list_home_dirs',`
|
||||
gen_require(`
|
||||
@ -8860,7 +8880,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -428,10 +428,10 @@
|
||||
@@ -428,10 +447,10 @@
|
||||
#
|
||||
interface(`sysadm_dontaudit_list_home_dirs',`
|
||||
gen_require(`
|
||||
@ -8873,7 +8893,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -458,10 +458,10 @@
|
||||
@@ -458,10 +477,10 @@
|
||||
#
|
||||
interface(`sysadm_home_dir_filetrans',`
|
||||
gen_require(`
|
||||
@ -8886,7 +8906,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -476,10 +476,10 @@
|
||||
@@ -476,10 +495,10 @@
|
||||
#
|
||||
interface(`sysadm_search_home_content_dirs',`
|
||||
gen_require(`
|
||||
@ -8899,7 +8919,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -494,13 +494,12 @@
|
||||
@@ -494,13 +513,12 @@
|
||||
#
|
||||
interface(`sysadm_read_home_content_files',`
|
||||
gen_require(`
|
||||
@ -8916,7 +8936,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -516,13 +515,33 @@
|
||||
@@ -516,13 +534,33 @@
|
||||
#
|
||||
interface(`sysadm_dontaudit_read_home_content_files',`
|
||||
gen_require(`
|
||||
@ -13546,7 +13566,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
-') dnl end TODO
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.5.9/policy/modules/services/cups.fc
|
||||
--- nsaserefpolicy/policy/modules/services/cups.fc 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.9/policy/modules/services/cups.fc 2008-10-01 07:43:49.000000000 -0400
|
||||
+++ serefpolicy-3.5.9/policy/modules/services/cups.fc 2008-10-01 07:45:00.000000000 -0400
|
||||
@@ -8,24 +8,33 @@
|
||||
/etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
@ -13593,7 +13613,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
@@ -43,10 +52,19 @@
|
||||
@@ -43,10 +52,18 @@
|
||||
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
|
||||
/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
|
||||
@ -13610,7 +13630,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
+/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
+
|
||||
+
|
||||
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
+
|
||||
+/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
|
||||
@ -15771,7 +15790,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.5.9/policy/modules/services/exim.te
|
||||
--- nsaserefpolicy/policy/modules/services/exim.te 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.9/policy/modules/services/exim.te 2008-09-25 08:33:18.000000000 -0400
|
||||
+++ serefpolicy-3.5.9/policy/modules/services/exim.te 2008-10-01 13:40:55.000000000 -0400
|
||||
@@ -21,9 +21,20 @@
|
||||
## </desc>
|
||||
gen_tunable(exim_manage_user_files, false)
|
||||
@ -15834,16 +15853,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
dev_read_rand(exim_t)
|
||||
dev_read_urand(exim_t)
|
||||
@@ -89,6 +107,8 @@
|
||||
@@ -89,7 +107,10 @@
|
||||
# Init script handling
|
||||
domain_use_interactive_fds(exim_t)
|
||||
|
||||
+files_search_usr(exim_t)
|
||||
+files_search_var(exim_t)
|
||||
files_read_etc_files(exim_t)
|
||||
+files_read_etc_runtime_files(exim_t)
|
||||
|
||||
auth_use_nsswitch(exim_t)
|
||||
@@ -99,23 +119,86 @@
|
||||
|
||||
@@ -99,23 +120,86 @@
|
||||
logging_send_syslog_msg(exim_t)
|
||||
|
||||
miscfiles_read_localization(exim_t)
|
||||
@ -16664,6 +16685,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/usr/sbin/inetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
|
||||
/usr/sbin/rlinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
|
||||
/usr/sbin/xinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.5.9/policy/modules/services/inetd.te
|
||||
--- nsaserefpolicy/policy/modules/services/inetd.te 2008-09-03 07:59:15.000000000 -0400
|
||||
+++ serefpolicy-3.5.9/policy/modules/services/inetd.te 2008-10-01 13:39:05.000000000 -0400
|
||||
@@ -136,6 +136,7 @@
|
||||
domain_use_interactive_fds(inetd_t)
|
||||
|
||||
files_read_etc_files(inetd_t)
|
||||
+files_read_etc_runtime_files(inetd_t)
|
||||
|
||||
libs_use_ld_so(inetd_t)
|
||||
libs_use_shared_libs(inetd_t)
|
||||
@@ -223,6 +224,7 @@
|
||||
fs_getattr_xattr_fs(inetd_child_t)
|
||||
|
||||
files_read_etc_files(inetd_child_t)
|
||||
+files_read_etc_runtime_files(inetd_child_t)
|
||||
|
||||
auth_use_nsswitch(inetd_child_t)
|
||||
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.fc serefpolicy-3.5.9/policy/modules/services/inn.fc
|
||||
--- nsaserefpolicy/policy/modules/services/inn.fc 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.9/policy/modules/services/inn.fc 2008-09-25 08:33:18.000000000 -0400
|
||||
@ -22574,6 +22614,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 rpcbind_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.5.9/policy/modules/services/rpcbind.te
|
||||
--- nsaserefpolicy/policy/modules/services/rpcbind.te 2008-09-24 09:07:28.000000000 -0400
|
||||
+++ serefpolicy-3.5.9/policy/modules/services/rpcbind.te 2008-10-01 13:35:59.000000000 -0400
|
||||
@@ -60,6 +60,7 @@
|
||||
domain_use_interactive_fds(rpcbind_t)
|
||||
|
||||
files_read_etc_files(rpcbind_t)
|
||||
+files_read_etc_runtime_files(rpcbind_t)
|
||||
|
||||
libs_use_ld_so(rpcbind_t)
|
||||
libs_use_shared_libs(rpcbind_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.5.9/policy/modules/services/rshd.te
|
||||
--- nsaserefpolicy/policy/modules/services/rshd.te 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.9/policy/modules/services/rshd.te 2008-09-25 08:33:18.000000000 -0400
|
||||
@ -25682,7 +25733,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/var/run/stunnel(/.*)? gen_context(system_u:object_r:stunnel_var_run_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-3.5.9/policy/modules/services/stunnel.te
|
||||
--- nsaserefpolicy/policy/modules/services/stunnel.te 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.9/policy/modules/services/stunnel.te 2008-09-25 08:33:18.000000000 -0400
|
||||
+++ serefpolicy-3.5.9/policy/modules/services/stunnel.te 2008-10-01 13:38:33.000000000 -0400
|
||||
@@ -54,6 +54,8 @@
|
||||
kernel_read_system_state(stunnel_t)
|
||||
kernel_read_network_state(stunnel_t)
|
||||
@ -25692,6 +25743,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
corenet_all_recvfrom_unlabeled(stunnel_t)
|
||||
corenet_all_recvfrom_netlabel(stunnel_t)
|
||||
corenet_tcp_sendrecv_all_if(stunnel_t)
|
||||
@@ -109,6 +111,7 @@
|
||||
dev_read_urand(stunnel_t)
|
||||
|
||||
files_read_etc_files(stunnel_t)
|
||||
+ files_read_etc_runtime_files(stunnel_t)
|
||||
files_search_home(stunnel_t)
|
||||
|
||||
optional_policy(`
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.5.9/policy/modules/services/sysstat.te
|
||||
--- nsaserefpolicy/policy/modules/services/sysstat.te 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.9/policy/modules/services/sysstat.te 2008-10-01 07:40:20.000000000 -0400
|
||||
@ -25749,7 +25808,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.5.9/policy/modules/services/tftp.te
|
||||
--- nsaserefpolicy/policy/modules/services/tftp.te 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.9/policy/modules/services/tftp.te 2008-09-25 08:33:18.000000000 -0400
|
||||
+++ serefpolicy-3.5.9/policy/modules/services/tftp.te 2008-10-01 08:09:03.000000000 -0400
|
||||
@@ -37,7 +37,6 @@
|
||||
allow tftpd_t self:udp_socket create_socket_perms;
|
||||
allow tftpd_t self:unix_dgram_socket create_socket_perms;
|
||||
@ -25758,7 +25817,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dontaudit tftpd_t self:capability sys_tty_config;
|
||||
|
||||
allow tftpd_t tftpdir_t:dir { getattr read search };
|
||||
@@ -80,6 +79,8 @@
|
||||
@@ -76,10 +75,13 @@
|
||||
domain_use_interactive_fds(tftpd_t)
|
||||
|
||||
files_read_etc_files(tftpd_t);
|
||||
+files_read_etc_runtime_files(tftpd_t);
|
||||
files_read_var_files(tftpd_t)
|
||||
files_read_var_symlinks(tftpd_t)
|
||||
files_search_var(tftpd_t)
|
||||
|
||||
@ -25767,7 +25831,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
libs_use_ld_so(tftpd_t)
|
||||
libs_use_shared_libs(tftpd_t)
|
||||
|
||||
@@ -88,11 +89,7 @@
|
||||
@@ -88,11 +90,7 @@
|
||||
miscfiles_read_localization(tftpd_t)
|
||||
miscfiles_read_public_files(tftpd_t)
|
||||
|
||||
@ -25779,7 +25843,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
sysadm_dontaudit_use_ttys(tftpd_t)
|
||||
sysadm_dontaudit_search_home_dirs(tftpd_t)
|
||||
|
||||
@@ -105,14 +102,6 @@
|
||||
@@ -105,14 +103,6 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -27416,7 +27480,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.5.9/policy/modules/services/xserver.te
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2008-09-24 09:07:28.000000000 -0400
|
||||
+++ serefpolicy-3.5.9/policy/modules/services/xserver.te 2008-09-29 12:10:48.000000000 -0400
|
||||
+++ serefpolicy-3.5.9/policy/modules/services/xserver.te 2008-10-01 08:10:49.000000000 -0400
|
||||
@@ -8,6 +8,14 @@
|
||||
|
||||
## <desc>
|
||||
@ -27655,12 +27719,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
auth_rw_faillog(xdm_t)
|
||||
auth_write_login_records(xdm_t)
|
||||
|
||||
@@ -301,21 +383,25 @@
|
||||
@@ -301,21 +383,26 @@
|
||||
libs_exec_lib_files(xdm_t)
|
||||
|
||||
logging_read_generic_logs(xdm_t)
|
||||
+logging_send_audit_msgs(xdm_t)
|
||||
|
||||
+miscfiles_dontaudit_write_fonts(xdm_t)
|
||||
miscfiles_read_localization(xdm_t)
|
||||
miscfiles_read_fonts(xdm_t)
|
||||
-
|
||||
@ -27686,7 +27751,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
xserver_rw_session_template(xdm, xdm_t, xdm_tmpfs_t)
|
||||
xserver_unconfined(xdm_t)
|
||||
@@ -348,10 +434,12 @@
|
||||
@@ -348,10 +435,12 @@
|
||||
|
||||
optional_policy(`
|
||||
alsa_domtrans(xdm_t)
|
||||
@ -27699,7 +27764,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -359,6 +447,22 @@
|
||||
@@ -359,6 +448,22 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -27722,7 +27787,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# Talk to the console mouse server.
|
||||
gpm_stream_connect(xdm_t)
|
||||
gpm_setattr_gpmctl(xdm_t)
|
||||
@@ -382,16 +486,33 @@
|
||||
@@ -382,16 +487,34 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -27744,6 +27809,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
optional_policy(`
|
||||
+ sysadm_dontaudit_search_home_dirs(xdm_t)
|
||||
+ sysadm_dontaudit_read_home_sym_links(xdm_t)
|
||||
+ sysadm_dontaudit_write_home_dirs(xdm_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
@ -27757,7 +27823,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
ifndef(`distro_redhat',`
|
||||
allow xdm_t self:process { execheap execmem };
|
||||
@@ -427,7 +548,7 @@
|
||||
@@ -427,7 +550,7 @@
|
||||
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
|
||||
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
|
||||
|
||||
@ -27766,7 +27832,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# Label pid and temporary files with derived types.
|
||||
manage_files_pattern(xdm_xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||
@@ -439,6 +560,15 @@
|
||||
@@ -439,6 +562,15 @@
|
||||
can_exec(xdm_xserver_t, xkb_var_lib_t)
|
||||
files_search_var_lib(xdm_xserver_t)
|
||||
|
||||
@ -27782,7 +27848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# VNC v4 module in X server
|
||||
corenet_tcp_bind_vnc_port(xdm_xserver_t)
|
||||
|
||||
@@ -450,10 +580,19 @@
|
||||
@@ -450,10 +582,19 @@
|
||||
# xdm_xserver_t may no longer have any reason
|
||||
# to read ROLE_home_t - examine this in more detail
|
||||
# (xauth?)
|
||||
@ -27803,7 +27869,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs(xdm_xserver_t)
|
||||
fs_manage_nfs_files(xdm_xserver_t)
|
||||
@@ -468,8 +607,19 @@
|
||||
@@ -468,8 +609,19 @@
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client_template(xdm_xserver, xdm_xserver_t)
|
||||
@ -27823,7 +27889,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
optional_policy(`
|
||||
resmgr_stream_connect(xdm_t)
|
||||
@@ -481,8 +631,25 @@
|
||||
@@ -481,8 +633,25 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -27851,7 +27917,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
ifndef(`distro_redhat',`
|
||||
allow xdm_xserver_t self:process { execheap execmem };
|
||||
@@ -491,7 +658,6 @@
|
||||
@@ -491,7 +660,6 @@
|
||||
ifdef(`distro_rhel4',`
|
||||
allow xdm_xserver_t self:process { execheap execmem };
|
||||
')
|
||||
@ -27859,7 +27925,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -544,3 +710,56 @@
|
||||
@@ -544,3 +712,56 @@
|
||||
#
|
||||
allow pam_t xdm_t:fifo_file { getattr ioctl write };
|
||||
') dnl end TODO
|
||||
@ -30896,7 +30962,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.5.9/policy/modules/system/sysnetwork.te
|
||||
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-08-11 11:23:34.000000000 -0400
|
||||
+++ serefpolicy-3.5.9/policy/modules/system/sysnetwork.te 2008-09-25 08:33:18.000000000 -0400
|
||||
+++ serefpolicy-3.5.9/policy/modules/system/sysnetwork.te 2008-10-01 08:16:34.000000000 -0400
|
||||
@@ -20,6 +20,9 @@
|
||||
init_daemon_domain(dhcpc_t,dhcpc_exec_t)
|
||||
role system_r types dhcpc_t;
|
||||
@ -30917,7 +30983,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# for access("/etc/bashrc", X_OK) on Red Hat
|
||||
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
|
||||
-allow dhcpc_t self:process signal_perms;
|
||||
+allow dhcpc_t self:process { ptrace signal_perms };
|
||||
+allow dhcpc_t self:process { setfscreate ptrace signal_perms };
|
||||
allow dhcpc_t self:fifo_file rw_file_perms;
|
||||
allow dhcpc_t self:tcp_socket create_stream_socket_perms;
|
||||
allow dhcpc_t self:udp_socket create_socket_perms;
|
||||
@ -31036,7 +31102,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
corenet_rw_tun_tap_dev(ifconfig_t)
|
||||
|
||||
@@ -279,8 +291,11 @@
|
||||
@@ -279,8 +291,12 @@
|
||||
fs_getattr_xattr_fs(ifconfig_t)
|
||||
fs_search_auto_mountpoints(ifconfig_t)
|
||||
|
||||
@ -31045,10 +31111,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
term_dontaudit_use_all_user_ttys(ifconfig_t)
|
||||
term_dontaudit_use_all_user_ptys(ifconfig_t)
|
||||
+term_dontaudit_use_ptmx(ifconfig_t)
|
||||
+term_dontaudit_use_generic_ptys(ifconfig_t)
|
||||
|
||||
domain_use_interactive_fds(ifconfig_t)
|
||||
|
||||
@@ -336,6 +351,14 @@
|
||||
@@ -336,6 +352,14 @@
|
||||
')
|
||||
|
||||
optional_policy(`
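Review bot: The `files_read_etc_runtime_files(...)` lines added in the inetd.te (inetd_t, inetd_child_t), rpcbind.te, stunnel.te and tftp.te hunks, and apparently exim.te, by their name give network-facing domains read access to files labelled etc_runtime_t, yet no comment names the file whose denial prompted them, and the changelog entry for 3.5.9-4 records only "Fix labeling for oracle". If the denials come from a single file that picked up the wrong label, correcting that label would be narrower than widening every daemon; otherwise each call should carry a line such as `# needed to read <path from the AVC denial>` so the grant can be audited later. The tftp.te line also copies the trailing `;` of the neighbouring `files_read_etc_files(tftpd_t);`, which the other modules do not use. The policy blocks these lines sit in start and end outside the hunks shown.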
|
||||
|
@ -17,7 +17,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.5.9
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -390,6 +390,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Oct 1 2008 Dan Walsh <dwalsh@redhat.com> 3.5.9-4
|
||||
- Fix labeling for oracle
|
||||
|
||||
* Wed Oct 1 2008 Dan Walsh <dwalsh@redhat.com> 3.5.9-3
|
||||
- Allow nsplugin to comminicate with xdm_tmp_t sock_file
|
||||
|
||||
|