- Fix labeling for oracle
parent
2ede4ec7ba
commit
094ef3d610
@ -6439,7 +6439,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+wm_domain_template(user,xdm)
|
+wm_domain_template(user,xdm)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.5.9/policy/modules/kernel/corecommands.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.5.9/policy/modules/kernel/corecommands.fc
|
||||||
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2008-08-07 11:15:01.000000000 -0400
|
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2008-08-07 11:15:01.000000000 -0400
|
||||||
+++ serefpolicy-3.5.9/policy/modules/kernel/corecommands.fc 2008-09-25 08:33:18.000000000 -0400
|
+++ serefpolicy-3.5.9/policy/modules/kernel/corecommands.fc 2008-10-01 09:45:44.000000000 -0400
|
||||||
@@ -129,6 +129,8 @@
|
@@ -129,6 +129,8 @@
|
||||||
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
')
|
')
|
||||||
@ -6462,7 +6462,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
|
||||||
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
|
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||||
@@ -292,3 +292,13 @@
|
@@ -292,3 +292,14 @@
|
||||||
ifdef(`distro_suse',`
|
ifdef(`distro_suse',`
|
||||||
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
|
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
|
||||||
')
|
')
|
||||||
@ -6476,6 +6476,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
|
+/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
+/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
|
+/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
+
|
+
|
||||||
|
+/usr/lib/oracle/xe/apps(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.5.9/policy/modules/kernel/corecommands.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.5.9/policy/modules/kernel/corecommands.if
|
||||||
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2008-08-07 11:15:01.000000000 -0400
|
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2008-08-07 11:15:01.000000000 -0400
|
||||||
+++ serefpolicy-3.5.9/policy/modules/kernel/corecommands.if 2008-09-25 08:33:18.000000000 -0400
|
+++ serefpolicy-3.5.9/policy/modules/kernel/corecommands.if 2008-09-25 08:33:18.000000000 -0400
|
||||||
@ -8794,7 +8795,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.5.9/policy/modules/roles/sysadm.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.5.9/policy/modules/roles/sysadm.if
|
||||||
--- nsaserefpolicy/policy/modules/roles/sysadm.if 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/roles/sysadm.if 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.9/policy/modules/roles/sysadm.if 2008-09-29 15:11:59.000000000 -0400
|
+++ serefpolicy-3.5.9/policy/modules/roles/sysadm.if 2008-10-01 08:10:36.000000000 -0400
|
||||||
@@ -334,10 +334,10 @@
|
@@ -334,10 +334,10 @@
|
||||||
#
|
#
|
||||||
interface(`sysadm_getattr_home_dirs',`
|
interface(`sysadm_getattr_home_dirs',`
|
||||||
@ -8808,7 +8809,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -354,10 +354,10 @@
|
@@ -354,10 +354,29 @@
|
||||||
#
|
#
|
||||||
interface(`sysadm_dontaudit_getattr_home_dirs',`
|
interface(`sysadm_dontaudit_getattr_home_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -8818,10 +8819,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
- dontaudit $1 sysadm_home_dir_t:dir getattr;
|
- dontaudit $1 sysadm_home_dir_t:dir getattr;
|
||||||
+ dontaudit $1 admin_home_t:dir getattr;
|
+ dontaudit $1 admin_home_t:dir getattr;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Do not audit attempts to write to
|
||||||
|
+## sysadm users home directory.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain to not audit.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`sysadm_dontaudit_write_home_dirs',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type admin_home_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ dontaudit $1 admin_home_t:dir write;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -372,10 +372,10 @@
|
@@ -372,10 +391,10 @@
|
||||||
#
|
#
|
||||||
interface(`sysadm_search_home_dirs',`
|
interface(`sysadm_search_home_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -8834,7 +8854,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -391,10 +391,10 @@
|
@@ -391,10 +410,10 @@
|
||||||
#
|
#
|
||||||
interface(`sysadm_dontaudit_search_home_dirs',`
|
interface(`sysadm_dontaudit_search_home_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -8847,7 +8867,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -409,10 +409,10 @@
|
@@ -409,10 +428,10 @@
|
||||||
#
|
#
|
||||||
interface(`sysadm_list_home_dirs',`
|
interface(`sysadm_list_home_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -8860,7 +8880,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -428,10 +428,10 @@
|
@@ -428,10 +447,10 @@
|
||||||
#
|
#
|
||||||
interface(`sysadm_dontaudit_list_home_dirs',`
|
interface(`sysadm_dontaudit_list_home_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -8873,7 +8893,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -458,10 +458,10 @@
|
@@ -458,10 +477,10 @@
|
||||||
#
|
#
|
||||||
interface(`sysadm_home_dir_filetrans',`
|
interface(`sysadm_home_dir_filetrans',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -8886,7 +8906,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -476,10 +476,10 @@
|
@@ -476,10 +495,10 @@
|
||||||
#
|
#
|
||||||
interface(`sysadm_search_home_content_dirs',`
|
interface(`sysadm_search_home_content_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -8899,7 +8919,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -494,13 +494,12 @@
|
@@ -494,13 +513,12 @@
|
||||||
#
|
#
|
||||||
interface(`sysadm_read_home_content_files',`
|
interface(`sysadm_read_home_content_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -8916,7 +8936,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -516,13 +515,33 @@
|
@@ -516,13 +534,33 @@
|
||||||
#
|
#
|
||||||
interface(`sysadm_dontaudit_read_home_content_files',`
|
interface(`sysadm_dontaudit_read_home_content_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -13546,7 +13566,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
-') dnl end TODO
|
-') dnl end TODO
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.5.9/policy/modules/services/cups.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.5.9/policy/modules/services/cups.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/cups.fc 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/cups.fc 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.9/policy/modules/services/cups.fc 2008-10-01 07:43:49.000000000 -0400
|
+++ serefpolicy-3.5.9/policy/modules/services/cups.fc 2008-10-01 07:45:00.000000000 -0400
|
||||||
@@ -8,24 +8,33 @@
|
@@ -8,24 +8,33 @@
|
||||||
/etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
/etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||||
/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||||
@ -13593,7 +13613,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||||
/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||||
@@ -43,10 +52,19 @@
|
@@ -43,10 +52,18 @@
|
||||||
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||||
|
|
||||||
/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
|
/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
|
||||||
@ -13610,7 +13630,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
+/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||||
+/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
+/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||||
+
|
+
|
||||||
+
|
|
||||||
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||||
+
|
+
|
||||||
+/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
|
+/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
|
||||||
@ -15771,7 +15790,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.5.9/policy/modules/services/exim.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.5.9/policy/modules/services/exim.te
|
||||||
--- nsaserefpolicy/policy/modules/services/exim.te 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/exim.te 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.9/policy/modules/services/exim.te 2008-09-25 08:33:18.000000000 -0400
|
+++ serefpolicy-3.5.9/policy/modules/services/exim.te 2008-10-01 13:40:55.000000000 -0400
|
||||||
@@ -21,9 +21,20 @@
|
@@ -21,9 +21,20 @@
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(exim_manage_user_files, false)
|
gen_tunable(exim_manage_user_files, false)
|
||||||
@ -15834,16 +15853,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
dev_read_rand(exim_t)
|
dev_read_rand(exim_t)
|
||||||
dev_read_urand(exim_t)
|
dev_read_urand(exim_t)
|
||||||
@@ -89,6 +107,8 @@
|
@@ -89,7 +107,10 @@
|
||||||
# Init script handling
|
# Init script handling
|
||||||
domain_use_interactive_fds(exim_t)
|
domain_use_interactive_fds(exim_t)
|
||||||
|
|
||||||
+files_search_usr(exim_t)
|
+files_search_usr(exim_t)
|
||||||
+files_search_var(exim_t)
|
+files_search_var(exim_t)
|
||||||
files_read_etc_files(exim_t)
|
files_read_etc_files(exim_t)
|
||||||
|
+files_read_etc_runtime_files(exim_t)
|
||||||
|
|
||||||
auth_use_nsswitch(exim_t)
|
auth_use_nsswitch(exim_t)
|
||||||
@@ -99,23 +119,86 @@
|
|
||||||
|
@@ -99,23 +120,86 @@
|
||||||
logging_send_syslog_msg(exim_t)
|
logging_send_syslog_msg(exim_t)
|
||||||
|
|
||||||
miscfiles_read_localization(exim_t)
|
miscfiles_read_localization(exim_t)
|
||||||
@ -16664,6 +16685,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
/usr/sbin/inetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
|
/usr/sbin/inetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
|
||||||
/usr/sbin/rlinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
|
/usr/sbin/rlinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
|
||||||
/usr/sbin/xinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
|
/usr/sbin/xinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
|
||||||
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.5.9/policy/modules/services/inetd.te
|
||||||
|
--- nsaserefpolicy/policy/modules/services/inetd.te 2008-09-03 07:59:15.000000000 -0400
|
||||||
|
+++ serefpolicy-3.5.9/policy/modules/services/inetd.te 2008-10-01 13:39:05.000000000 -0400
|
||||||
|
@@ -136,6 +136,7 @@
|
||||||
|
domain_use_interactive_fds(inetd_t)
|
||||||
|
|
||||||
|
files_read_etc_files(inetd_t)
|
||||||
|
+files_read_etc_runtime_files(inetd_t)
|
||||||
|
|
||||||
|
libs_use_ld_so(inetd_t)
|
||||||
|
libs_use_shared_libs(inetd_t)
|
||||||
|
@@ -223,6 +224,7 @@
|
||||||
|
fs_getattr_xattr_fs(inetd_child_t)
|
||||||
|
|
||||||
|
files_read_etc_files(inetd_child_t)
|
||||||
|
+files_read_etc_runtime_files(inetd_child_t)
|
||||||
|
|
||||||
|
auth_use_nsswitch(inetd_child_t)
|
||||||
|
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.fc serefpolicy-3.5.9/policy/modules/services/inn.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.fc serefpolicy-3.5.9/policy/modules/services/inn.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/inn.fc 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/inn.fc 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.9/policy/modules/services/inn.fc 2008-09-25 08:33:18.000000000 -0400
|
+++ serefpolicy-3.5.9/policy/modules/services/inn.fc 2008-09-25 08:33:18.000000000 -0400
|
||||||
@ -22574,6 +22614,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
domain_system_change_exemption($1)
|
domain_system_change_exemption($1)
|
||||||
role_transition $2 rpcbind_initrc_exec_t system_r;
|
role_transition $2 rpcbind_initrc_exec_t system_r;
|
||||||
allow $2 system_r;
|
allow $2 system_r;
|
||||||
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.5.9/policy/modules/services/rpcbind.te
|
||||||
|
--- nsaserefpolicy/policy/modules/services/rpcbind.te 2008-09-24 09:07:28.000000000 -0400
|
||||||
|
+++ serefpolicy-3.5.9/policy/modules/services/rpcbind.te 2008-10-01 13:35:59.000000000 -0400
|
||||||
|
@@ -60,6 +60,7 @@
|
||||||
|
domain_use_interactive_fds(rpcbind_t)
|
||||||
|
|
||||||
|
files_read_etc_files(rpcbind_t)
|
||||||
|
+files_read_etc_runtime_files(rpcbind_t)
|
||||||
|
|
||||||
|
libs_use_ld_so(rpcbind_t)
|
||||||
|
libs_use_shared_libs(rpcbind_t)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.5.9/policy/modules/services/rshd.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.5.9/policy/modules/services/rshd.te
|
||||||
--- nsaserefpolicy/policy/modules/services/rshd.te 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/rshd.te 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.9/policy/modules/services/rshd.te 2008-09-25 08:33:18.000000000 -0400
|
+++ serefpolicy-3.5.9/policy/modules/services/rshd.te 2008-09-25 08:33:18.000000000 -0400
|
||||||
@ -25682,7 +25733,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
/var/run/stunnel(/.*)? gen_context(system_u:object_r:stunnel_var_run_t,s0)
|
/var/run/stunnel(/.*)? gen_context(system_u:object_r:stunnel_var_run_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-3.5.9/policy/modules/services/stunnel.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-3.5.9/policy/modules/services/stunnel.te
|
||||||
--- nsaserefpolicy/policy/modules/services/stunnel.te 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/stunnel.te 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.9/policy/modules/services/stunnel.te 2008-09-25 08:33:18.000000000 -0400
|
+++ serefpolicy-3.5.9/policy/modules/services/stunnel.te 2008-10-01 13:38:33.000000000 -0400
|
||||||
@@ -54,6 +54,8 @@
|
@@ -54,6 +54,8 @@
|
||||||
kernel_read_system_state(stunnel_t)
|
kernel_read_system_state(stunnel_t)
|
||||||
kernel_read_network_state(stunnel_t)
|
kernel_read_network_state(stunnel_t)
|
||||||
@ -25692,6 +25743,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
corenet_all_recvfrom_unlabeled(stunnel_t)
|
corenet_all_recvfrom_unlabeled(stunnel_t)
|
||||||
corenet_all_recvfrom_netlabel(stunnel_t)
|
corenet_all_recvfrom_netlabel(stunnel_t)
|
||||||
corenet_tcp_sendrecv_all_if(stunnel_t)
|
corenet_tcp_sendrecv_all_if(stunnel_t)
|
||||||
|
@@ -109,6 +111,7 @@
|
||||||
|
dev_read_urand(stunnel_t)
|
||||||
|
|
||||||
|
files_read_etc_files(stunnel_t)
|
||||||
|
+ files_read_etc_runtime_files(stunnel_t)
|
||||||
|
files_search_home(stunnel_t)
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.5.9/policy/modules/services/sysstat.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.5.9/policy/modules/services/sysstat.te
|
||||||
--- nsaserefpolicy/policy/modules/services/sysstat.te 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/sysstat.te 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.9/policy/modules/services/sysstat.te 2008-10-01 07:40:20.000000000 -0400
|
+++ serefpolicy-3.5.9/policy/modules/services/sysstat.te 2008-10-01 07:40:20.000000000 -0400
|
||||||
@ -25749,7 +25808,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.5.9/policy/modules/services/tftp.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.5.9/policy/modules/services/tftp.te
|
||||||
--- nsaserefpolicy/policy/modules/services/tftp.te 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/tftp.te 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.9/policy/modules/services/tftp.te 2008-09-25 08:33:18.000000000 -0400
|
+++ serefpolicy-3.5.9/policy/modules/services/tftp.te 2008-10-01 08:09:03.000000000 -0400
|
||||||
@@ -37,7 +37,6 @@
|
@@ -37,7 +37,6 @@
|
||||||
allow tftpd_t self:udp_socket create_socket_perms;
|
allow tftpd_t self:udp_socket create_socket_perms;
|
||||||
allow tftpd_t self:unix_dgram_socket create_socket_perms;
|
allow tftpd_t self:unix_dgram_socket create_socket_perms;
|
||||||
@ -25758,7 +25817,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
dontaudit tftpd_t self:capability sys_tty_config;
|
dontaudit tftpd_t self:capability sys_tty_config;
|
||||||
|
|
||||||
allow tftpd_t tftpdir_t:dir { getattr read search };
|
allow tftpd_t tftpdir_t:dir { getattr read search };
|
||||||
@@ -80,6 +79,8 @@
|
@@ -76,10 +75,13 @@
|
||||||
|
domain_use_interactive_fds(tftpd_t)
|
||||||
|
|
||||||
|
files_read_etc_files(tftpd_t);
|
||||||
|
+files_read_etc_runtime_files(tftpd_t);
|
||||||
|
files_read_var_files(tftpd_t)
|
||||||
files_read_var_symlinks(tftpd_t)
|
files_read_var_symlinks(tftpd_t)
|
||||||
files_search_var(tftpd_t)
|
files_search_var(tftpd_t)
|
||||||
|
|
||||||
@ -25767,7 +25831,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
libs_use_ld_so(tftpd_t)
|
libs_use_ld_so(tftpd_t)
|
||||||
libs_use_shared_libs(tftpd_t)
|
libs_use_shared_libs(tftpd_t)
|
||||||
|
|
||||||
@@ -88,11 +89,7 @@
|
@@ -88,11 +90,7 @@
|
||||||
miscfiles_read_localization(tftpd_t)
|
miscfiles_read_localization(tftpd_t)
|
||||||
miscfiles_read_public_files(tftpd_t)
|
miscfiles_read_public_files(tftpd_t)
|
||||||
|
|
||||||
@ -25779,7 +25843,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
sysadm_dontaudit_use_ttys(tftpd_t)
|
sysadm_dontaudit_use_ttys(tftpd_t)
|
||||||
sysadm_dontaudit_search_home_dirs(tftpd_t)
|
sysadm_dontaudit_search_home_dirs(tftpd_t)
|
||||||
|
|
||||||
@@ -105,14 +102,6 @@
|
@@ -105,14 +103,6 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -27416,7 +27480,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.5.9/policy/modules/services/xserver.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.5.9/policy/modules/services/xserver.te
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2008-09-24 09:07:28.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/xserver.te 2008-09-24 09:07:28.000000000 -0400
|
||||||
+++ serefpolicy-3.5.9/policy/modules/services/xserver.te 2008-09-29 12:10:48.000000000 -0400
|
+++ serefpolicy-3.5.9/policy/modules/services/xserver.te 2008-10-01 08:10:49.000000000 -0400
|
||||||
@@ -8,6 +8,14 @@
|
@@ -8,6 +8,14 @@
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
@ -27655,12 +27719,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
auth_rw_faillog(xdm_t)
|
auth_rw_faillog(xdm_t)
|
||||||
auth_write_login_records(xdm_t)
|
auth_write_login_records(xdm_t)
|
||||||
|
|
||||||
@@ -301,21 +383,25 @@
|
@@ -301,21 +383,26 @@
|
||||||
libs_exec_lib_files(xdm_t)
|
libs_exec_lib_files(xdm_t)
|
||||||
|
|
||||||
logging_read_generic_logs(xdm_t)
|
logging_read_generic_logs(xdm_t)
|
||||||
+logging_send_audit_msgs(xdm_t)
|
+logging_send_audit_msgs(xdm_t)
|
||||||
|
|
||||||
|
+miscfiles_dontaudit_write_fonts(xdm_t)
|
||||||
miscfiles_read_localization(xdm_t)
|
miscfiles_read_localization(xdm_t)
|
||||||
miscfiles_read_fonts(xdm_t)
|
miscfiles_read_fonts(xdm_t)
|
||||||
-
|
-
|
||||||
@ -27686,7 +27751,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
xserver_rw_session_template(xdm, xdm_t, xdm_tmpfs_t)
|
xserver_rw_session_template(xdm, xdm_t, xdm_tmpfs_t)
|
||||||
xserver_unconfined(xdm_t)
|
xserver_unconfined(xdm_t)
|
||||||
@@ -348,10 +434,12 @@
|
@@ -348,10 +435,12 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
alsa_domtrans(xdm_t)
|
alsa_domtrans(xdm_t)
|
||||||
@ -27699,7 +27764,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -359,6 +447,22 @@
|
@@ -359,6 +448,22 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -27722,7 +27787,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# Talk to the console mouse server.
|
# Talk to the console mouse server.
|
||||||
gpm_stream_connect(xdm_t)
|
gpm_stream_connect(xdm_t)
|
||||||
gpm_setattr_gpmctl(xdm_t)
|
gpm_setattr_gpmctl(xdm_t)
|
||||||
@@ -382,16 +486,33 @@
|
@@ -382,16 +487,34 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -27744,6 +27809,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
+ sysadm_dontaudit_search_home_dirs(xdm_t)
|
+ sysadm_dontaudit_search_home_dirs(xdm_t)
|
||||||
+ sysadm_dontaudit_read_home_sym_links(xdm_t)
|
+ sysadm_dontaudit_read_home_sym_links(xdm_t)
|
||||||
|
+ sysadm_dontaudit_write_home_dirs(xdm_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
@ -27757,7 +27823,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
ifndef(`distro_redhat',`
|
ifndef(`distro_redhat',`
|
||||||
allow xdm_t self:process { execheap execmem };
|
allow xdm_t self:process { execheap execmem };
|
||||||
@@ -427,7 +548,7 @@
|
@@ -427,7 +550,7 @@
|
||||||
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
|
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
|
||||||
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
|
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
|
||||||
|
|
||||||
@ -27766,7 +27832,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
# Label pid and temporary files with derived types.
|
# Label pid and temporary files with derived types.
|
||||||
manage_files_pattern(xdm_xserver_t, xdm_tmp_t, xdm_tmp_t)
|
manage_files_pattern(xdm_xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||||
@@ -439,6 +560,15 @@
|
@@ -439,6 +562,15 @@
|
||||||
can_exec(xdm_xserver_t, xkb_var_lib_t)
|
can_exec(xdm_xserver_t, xkb_var_lib_t)
|
||||||
files_search_var_lib(xdm_xserver_t)
|
files_search_var_lib(xdm_xserver_t)
|
||||||
|
|
||||||
@ -27782,7 +27848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# VNC v4 module in X server
|
# VNC v4 module in X server
|
||||||
corenet_tcp_bind_vnc_port(xdm_xserver_t)
|
corenet_tcp_bind_vnc_port(xdm_xserver_t)
|
||||||
|
|
||||||
@@ -450,10 +580,19 @@
|
@@ -450,10 +582,19 @@
|
||||||
# xdm_xserver_t may no longer have any reason
|
# xdm_xserver_t may no longer have any reason
|
||||||
# to read ROLE_home_t - examine this in more detail
|
# to read ROLE_home_t - examine this in more detail
|
||||||
# (xauth?)
|
# (xauth?)
|
||||||
@ -27803,7 +27869,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
tunable_policy(`use_nfs_home_dirs',`
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
fs_manage_nfs_dirs(xdm_xserver_t)
|
fs_manage_nfs_dirs(xdm_xserver_t)
|
||||||
fs_manage_nfs_files(xdm_xserver_t)
|
fs_manage_nfs_files(xdm_xserver_t)
|
||||||
@@ -468,8 +607,19 @@
|
@@ -468,8 +609,19 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_system_bus_client_template(xdm_xserver, xdm_xserver_t)
|
dbus_system_bus_client_template(xdm_xserver, xdm_xserver_t)
|
||||||
@ -27823,7 +27889,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
resmgr_stream_connect(xdm_t)
|
resmgr_stream_connect(xdm_t)
|
||||||
@@ -481,8 +631,25 @@
|
@@ -481,8 +633,25 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -27851,7 +27917,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
ifndef(`distro_redhat',`
|
ifndef(`distro_redhat',`
|
||||||
allow xdm_xserver_t self:process { execheap execmem };
|
allow xdm_xserver_t self:process { execheap execmem };
|
||||||
@@ -491,7 +658,6 @@
|
@@ -491,7 +660,6 @@
|
||||||
ifdef(`distro_rhel4',`
|
ifdef(`distro_rhel4',`
|
||||||
allow xdm_xserver_t self:process { execheap execmem };
|
allow xdm_xserver_t self:process { execheap execmem };
|
||||||
')
|
')
|
||||||
@ -27859,7 +27925,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@@ -544,3 +710,56 @@
|
@@ -544,3 +712,56 @@
|
||||||
#
|
#
|
||||||
allow pam_t xdm_t:fifo_file { getattr ioctl write };
|
allow pam_t xdm_t:fifo_file { getattr ioctl write };
|
||||||
') dnl end TODO
|
') dnl end TODO
|
||||||
@ -30896,7 +30962,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.5.9/policy/modules/system/sysnetwork.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.5.9/policy/modules/system/sysnetwork.te
|
||||||
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-08-11 11:23:34.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-08-11 11:23:34.000000000 -0400
|
||||||
+++ serefpolicy-3.5.9/policy/modules/system/sysnetwork.te 2008-09-25 08:33:18.000000000 -0400
|
+++ serefpolicy-3.5.9/policy/modules/system/sysnetwork.te 2008-10-01 08:16:34.000000000 -0400
|
||||||
@@ -20,6 +20,9 @@
|
@@ -20,6 +20,9 @@
|
||||||
init_daemon_domain(dhcpc_t,dhcpc_exec_t)
|
init_daemon_domain(dhcpc_t,dhcpc_exec_t)
|
||||||
role system_r types dhcpc_t;
|
role system_r types dhcpc_t;
|
||||||
@ -30917,7 +30983,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# for access("/etc/bashrc", X_OK) on Red Hat
|
# for access("/etc/bashrc", X_OK) on Red Hat
|
||||||
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
|
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
|
||||||
-allow dhcpc_t self:process signal_perms;
|
-allow dhcpc_t self:process signal_perms;
|
||||||
+allow dhcpc_t self:process { ptrace signal_perms };
|
+allow dhcpc_t self:process { setfscreate ptrace signal_perms };
|
||||||
allow dhcpc_t self:fifo_file rw_file_perms;
|
allow dhcpc_t self:fifo_file rw_file_perms;
|
||||||
allow dhcpc_t self:tcp_socket create_stream_socket_perms;
|
allow dhcpc_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow dhcpc_t self:udp_socket create_socket_perms;
|
allow dhcpc_t self:udp_socket create_socket_perms;
|
||||||
@ -31036,7 +31102,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
corenet_rw_tun_tap_dev(ifconfig_t)
|
corenet_rw_tun_tap_dev(ifconfig_t)
|
||||||
|
|
||||||
@@ -279,8 +291,11 @@
|
@@ -279,8 +291,12 @@
|
||||||
fs_getattr_xattr_fs(ifconfig_t)
|
fs_getattr_xattr_fs(ifconfig_t)
|
||||||
fs_search_auto_mountpoints(ifconfig_t)
|
fs_search_auto_mountpoints(ifconfig_t)
|
||||||
|
|
||||||
@ -31045,10 +31111,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
term_dontaudit_use_all_user_ttys(ifconfig_t)
|
term_dontaudit_use_all_user_ttys(ifconfig_t)
|
||||||
term_dontaudit_use_all_user_ptys(ifconfig_t)
|
term_dontaudit_use_all_user_ptys(ifconfig_t)
|
||||||
+term_dontaudit_use_ptmx(ifconfig_t)
|
+term_dontaudit_use_ptmx(ifconfig_t)
|
||||||
|
+term_dontaudit_use_generic_ptys(ifconfig_t)
|
||||||
|
|
||||||
domain_use_interactive_fds(ifconfig_t)
|
domain_use_interactive_fds(ifconfig_t)
|
||||||
|
|
||||||
@@ -336,6 +351,14 @@
|
@@ -336,6 +352,14 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
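Review bot: The updated rule `allow dhcpc_t self:process { setfscreate ptrace signal_perms };` in sysnetwork.te adds `setfscreate` to a domain that handles network input, with no comment in the policy and no mention in the commit title or the spec changelog, which say only "Fix labeling for oracle". `setfscreate` lets the process request a non-default label for files it creates (still bounded by its other allow rules), so the reason should sit next to the rule, e.g. `# setfscreate: needed by <dhclient operation, placeholder> - see <bug reference, placeholder>`. The same applies to the `files_read_etc_runtime_files(...)` calls this revision adds for exim_t, inetd_t, inetd_child_t, rpcbind_t, stunnel_t and tftpd_t: each widens read access for a network-facing daemon and would be easier to audit later with a changelog line such as `- Allow dhcpc_t setfscreate and network daemons to read etc_runtime_t files`. The surrounding policy blocks continue outside the visible hunks.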
|
@ -17,7 +17,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.5.9
|
Version: 3.5.9
|
||||||
Release: 3%{?dist}
|
Release: 4%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -390,6 +390,9 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Oct 1 2008 Dan Walsh <dwalsh@redhat.com> 3.5.9-4
|
||||||
|
- Fix labeling for oracle
|
||||||
|
|
||||||
* Wed Oct 1 2008 Dan Walsh <dwalsh@redhat.com> 3.5.9-3
|
* Wed Oct 1 2008 Dan Walsh <dwalsh@redhat.com> 3.5.9-3
|
||||||
- Allow nsplugin to comminicate with xdm_tmp_t sock_file
|
- Allow nsplugin to comminicate with xdm_tmp_t sock_file
|
||||||
|
|
||||||
|