- Fixes for libvirt
This commit is contained in:
Daniel J Walsh
parent
dbfd0615ff
commit
0a03cce02d
|
|
@ -5643,7 +5643,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.7/policy/modules/kernel/files.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500
|
||||
+++ serefpolicy-3.6.7/policy/modules/kernel/files.if 2009-03-03 17:11:59.000000000 -0500
|
||||
+++ serefpolicy-3.6.7/policy/modules/kernel/files.if 2009-03-04 08:43:36.000000000 -0500
|
||||
@@ -110,6 +110,11 @@
|
||||
## </param>
|
||||
#
|
||||
|
|
@ -9914,7 +9914,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
## </summary>
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.7/policy/modules/services/avahi.te
|
||||
--- nsaserefpolicy/policy/modules/services/avahi.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.7/policy/modules/services/avahi.te 2009-03-03 17:11:59.000000000 -0500
|
||||
+++ serefpolicy-3.6.7/policy/modules/services/avahi.te 2009-03-04 14:39:26.000000000 -0500
|
||||
@@ -33,6 +33,7 @@
|
||||
allow avahi_t self:tcp_socket create_stream_socket_perms;
|
||||
allow avahi_t self:udp_socket create_socket_perms;
|
||||
|
|
@ -14371,7 +14371,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.6.7/policy/modules/services/kerneloops.te
|
||||
--- nsaserefpolicy/policy/modules/services/kerneloops.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.7/policy/modules/services/kerneloops.te 2009-03-03 17:11:59.000000000 -0500
|
||||
+++ serefpolicy-3.6.7/policy/modules/services/kerneloops.te 2009-03-04 14:40:13.000000000 -0500
|
||||
@@ -13,6 +13,9 @@
|
||||
type kerneloops_initrc_exec_t;
|
||||
init_script_file(kerneloops_initrc_exec_t)
|
||||
|
|
@ -14392,6 +14392,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
kernel_read_ring_buffer(kerneloops_t)
|
||||
|
||||
# Init script handling
|
||||
@@ -46,6 +52,5 @@
|
||||
sysnet_dns_name_resolve(kerneloops_t)
|
||||
|
||||
optional_policy(`
|
||||
- dbus_system_bus_client(kerneloops_t)
|
||||
- dbus_connect_system_bus(kerneloops_t)
|
||||
+ dbus_system_domain(kerneloops_t, kerneloops_exec_t)
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.6.7/policy/modules/services/ktalk.te
|
||||
--- nsaserefpolicy/policy/modules/services/ktalk.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.7/policy/modules/services/ktalk.te 2009-03-03 17:11:59.000000000 -0500
|
||||
|
|
@ -16728,10 +16736,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+optional_policy(`
|
||||
+ prelude_manage_spool(pads_t)
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.fc serefpolicy-3.6.7/policy/modules/services/pcscd.fc
|
||||
--- nsaserefpolicy/policy/modules/services/pcscd.fc 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.6.7/policy/modules/services/pcscd.fc 2009-03-04 08:18:35.000000000 -0500
|
||||
@@ -1,5 +1,6 @@
|
||||
/var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0)
|
||||
/var/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
|
||||
/var/run/pcscd\.pub -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
|
||||
+/var/run/pcscd\.events(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0)
|
||||
|
||||
/usr/sbin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.7/policy/modules/services/pcscd.te
|
||||
--- nsaserefpolicy/policy/modules/services/pcscd.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.7/policy/modules/services/pcscd.te 2009-03-03 17:11:59.000000000 -0500
|
||||
@@ -57,6 +57,14 @@
|
||||
+++ serefpolicy-3.6.7/policy/modules/services/pcscd.te 2009-03-04 08:18:14.000000000 -0500
|
||||
@@ -27,9 +27,10 @@
|
||||
allow pcscd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow pcscd_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
+manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
|
||||
manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
|
||||
manage_sock_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
|
||||
-files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file })
|
||||
+files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir })
|
||||
|
||||
corenet_all_recvfrom_unlabeled(pcscd_t)
|
||||
corenet_all_recvfrom_netlabel(pcscd_t)
|
||||
@@ -57,6 +58,14 @@
|
||||
sysnet_dns_name_resolve(pcscd_t)
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -22945,7 +22975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.7/policy/modules/services/ssh.te
|
||||
--- nsaserefpolicy/policy/modules/services/ssh.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.7/policy/modules/services/ssh.te 2009-03-03 17:11:59.000000000 -0500
|
||||
+++ serefpolicy-3.6.7/policy/modules/services/ssh.te 2009-03-04 12:12:58.000000000 -0500
|
||||
@@ -41,6 +41,9 @@
|
||||
files_tmp_file(sshd_tmp_t)
|
||||
files_poly_parent(sshd_tmp_t)
|
||||
|
|
@ -23016,7 +23046,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
term_use_all_user_ptys(sshd_t)
|
||||
term_setattr_all_user_ptys(sshd_t)
|
||||
term_relabelto_all_user_ptys(sshd_t)
|
||||
@@ -318,6 +328,13 @@
|
||||
@@ -318,16 +328,30 @@
|
||||
corenet_tcp_bind_xserver_port(sshd_t)
|
||||
corenet_sendrecv_xserver_server_packets(sshd_t)
|
||||
|
||||
|
|
@ -23030,22 +23060,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
tunable_policy(`ssh_sysadm_login',`
|
||||
# Relabel and access ptys created by sshd
|
||||
# ioctl is necessary for logout() processing for utmp entry and for w to
|
||||
@@ -331,6 +348,14 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
# display the tty.
|
||||
# some versions of sshd on the new SE Linux require setattr
|
||||
- userdom_spec_domtrans_all_users(sshd_t)
|
||||
userdom_signal_all_users(sshd_t)
|
||||
-',`
|
||||
+')
|
||||
+
|
||||
userdom_spec_domtrans_unpriv_users(sshd_t)
|
||||
userdom_signal_unpriv_users(sshd_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ kerberos_keytab_template(sshd, sshd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ xserver_getattr_xauth(sshd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
daemontools_service_domain(sshd_t, sshd_exec_t)
|
||||
')
|
||||
|
||||
@@ -349,7 +374,11 @@
|
||||
optional_policy(`
|
||||
@@ -349,7 +373,11 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -23058,7 +23092,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
unconfined_shell_domtrans(sshd_t)
|
||||
')
|
||||
|
||||
@@ -408,6 +437,8 @@
|
||||
@@ -408,6 +436,8 @@
|
||||
init_use_fds(ssh_keygen_t)
|
||||
init_use_script_ptys(ssh_keygen_t)
|
||||
|
||||
|
|
@ -23558,7 +23592,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.7/policy/modules/services/virt.te
|
||||
--- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.7/policy/modules/services/virt.te 2009-03-03 18:39:13.000000000 -0500
|
||||
+++ serefpolicy-3.6.7/policy/modules/services/virt.te 2009-03-04 07:37:30.000000000 -0500
|
||||
@@ -8,20 +8,18 @@
|
||||
|
||||
## <desc>
|
||||
|
|
@ -23658,7 +23692,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
corenet_tcp_bind_vnc_port(virtd_t)
|
||||
corenet_tcp_connect_vnc_port(virtd_t)
|
||||
corenet_tcp_connect_soundd_port(virtd_t)
|
||||
@@ -107,18 +132,25 @@
|
||||
@@ -107,18 +132,31 @@
|
||||
|
||||
# Init script handling
|
||||
domain_use_interactive_fds(virtd_t)
|
||||
|
|
@ -23671,7 +23705,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+files_read_usr_files(virtd_t)
|
||||
files_read_etc_runtime_files(virtd_t)
|
||||
files_search_all(virtd_t)
|
||||
files_list_kernel_modules(virtd_t)
|
||||
-files_list_kernel_modules(virtd_t)
|
||||
+files_read_kernel_modules(virtd_t)
|
||||
+files_getattr_usr_src_files(virtd_t)
|
||||
+
|
||||
+# Manages /etc/sysconfig/system-config-firewall
|
||||
+files_manage_etc_files(virtd_t)
|
||||
+
|
||||
+modutils_read_module_deps(virtd_t)
|
||||
|
||||
fs_list_auto_mountpoints(virtd_t)
|
||||
+fs_getattr_xattr_fs(virtd_t)
|
||||
|
|
@ -23684,7 +23725,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
term_getattr_pty_fs(virtd_t)
|
||||
term_use_ptmx(virtd_t)
|
||||
|
||||
@@ -129,7 +161,11 @@
|
||||
@@ -129,7 +167,11 @@
|
||||
|
||||
logging_send_syslog_msg(virtd_t)
|
||||
|
||||
|
|
@ -23696,7 +23737,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
tunable_policy(`virt_use_nfs',`
|
||||
fs_manage_nfs_dirs(virtd_t)
|
||||
@@ -167,22 +203,25 @@
|
||||
@@ -167,22 +209,25 @@
|
||||
dnsmasq_domtrans(virtd_t)
|
||||
dnsmasq_signal(virtd_t)
|
||||
dnsmasq_kill(virtd_t)
|
||||
|
|
@ -23727,7 +23768,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -197,6 +236,69 @@
|
||||
@@ -197,6 +242,69 @@
|
||||
xen_stream_connect_xenstore(virtd_t)
|
||||
')
|
||||
|
||||
|
|
@ -29385,8 +29426,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.7/policy/modules/system/unconfined.te
|
||||
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-11-11 16:13:48.000000000 -0500
|
||||
+++ serefpolicy-3.6.7/policy/modules/system/unconfined.te 2009-03-03 17:11:59.000000000 -0500
|
||||
@@ -5,36 +5,86 @@
|
||||
+++ serefpolicy-3.6.7/policy/modules/system/unconfined.te 2009-03-04 13:46:08.000000000 -0500
|
||||
@@ -5,6 +5,35 @@
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
|
@ -29422,14 +29463,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
# usage in this module of types created by these
|
||||
# calls is not correct, however we dont currently
|
||||
# have another method to add access to these types
|
||||
-userdom_base_user_template(unconfined)
|
||||
-userdom_manage_home_role(unconfined_r, unconfined_t)
|
||||
-userdom_manage_tmp_role(unconfined_r, unconfined_t)
|
||||
-userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
|
||||
+userdom_restricted_user_template(unconfined)
|
||||
+#userdom_common_user_template(unconfined)
|
||||
+#userdom_xwindows_client_template(unconfined)
|
||||
@@ -13,28 +42,50 @@
|
||||
userdom_manage_home_role(unconfined_r, unconfined_t)
|
||||
userdom_manage_tmp_role(unconfined_r, unconfined_t)
|
||||
userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
|
||||
+userdom_execmod_user_home_files(unconfined_t)
|
||||
|
||||
type unconfined_exec_t;
|
||||
|
|
@ -29480,7 +29517,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
libs_run_ldconfig(unconfined_t, unconfined_r)
|
||||
|
||||
@@ -42,26 +92,46 @@
|
||||
@@ -42,26 +93,46 @@
|
||||
logging_run_auditctl(unconfined_t, unconfined_r)
|
||||
|
||||
mount_run_unconfined(unconfined_t, unconfined_r)
|
||||
|
|
@ -29529,7 +29566,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -102,12 +172,24 @@
|
||||
@@ -102,12 +173,24 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -29554,7 +29591,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -119,31 +201,33 @@
|
||||
@@ -119,31 +202,33 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -29595,7 +29632,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -155,36 +239,38 @@
|
||||
@@ -155,36 +240,38 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -29646,7 +29683,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -192,7 +278,7 @@
|
||||
@@ -192,7 +279,7 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -29655,7 +29692,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -204,11 +290,12 @@
|
||||
@@ -204,11 +291,12 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -29670,7 +29707,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -218,14 +305,61 @@
|
||||
@@ -218,14 +306,61 @@
|
||||
|
||||
allow unconfined_execmem_t self:process { execstack execmem };
|
||||
unconfined_domain_noaudit(unconfined_execmem_t)
|
||||
|
|
@ -29748,7 +29785,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.7/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
|
||||
+++ serefpolicy-3.6.7/policy/modules/system/userdomain.if 2009-03-03 18:02:25.000000000 -0500
|
||||
+++ serefpolicy-3.6.7/policy/modules/system/userdomain.if 2009-03-04 13:47:45.000000000 -0500
|
||||
@@ -30,8 +30,9 @@
|
||||
')
|
||||
|
||||
|
|
@ -30457,22 +30494,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
#######################################
|
||||
@@ -722,15 +736,29 @@
|
||||
@@ -722,13 +736,26 @@
|
||||
|
||||
userdom_base_user_template($1)
|
||||
|
||||
- userdom_manage_home_role($1_r, $1_t)
|
||||
+ userdom_change_password_template($1)
|
||||
+
|
||||
+ userdom_manage_home_role($1_r, $1_usertype)
|
||||
|
||||
- userdom_manage_tmp_role($1_r, $1_t)
|
||||
- userdom_manage_tmpfs_role($1_r, $1_t)
|
||||
+
|
||||
+ userdom_manage_tmp_role($1_r, $1_usertype)
|
||||
+ userdom_manage_tmpfs_role($1_r, $1_usertype)
|
||||
|
||||
- userdom_exec_user_tmp_files($1_t)
|
||||
- userdom_exec_user_home_content_files($1_t)
|
||||
- userdom_manage_tmp_role($1_r, $1_t)
|
||||
- userdom_manage_tmpfs_role($1_r, $1_t)
|
||||
+ ifelse(`$1',`unconfined',`',`
|
||||
+ gen_tunable(allow_$1_exec_content, true)
|
||||
+
|
||||
|
|
@ -30483,17 +30516,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
|
||||
+ fs_exec_nfs_files($1_usertype)
|
||||
+ ')
|
||||
+
|
||||
|
||||
- userdom_exec_user_tmp_files($1_t)
|
||||
- userdom_exec_user_home_content_files($1_t)
|
||||
+ tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
|
||||
+ fs_exec_cifs_files($1_usertype)
|
||||
+ ')
|
||||
+ ')
|
||||
|
||||
- userdom_change_password_template($1)
|
||||
userdom_change_password_template($1)
|
||||
|
||||
##############################
|
||||
#
|
||||
@@ -746,70 +774,72 @@
|
||||
@@ -746,70 +773,71 @@
|
||||
|
||||
allow $1_t self:context contains;
|
||||
|
||||
|
|
@ -30513,6 +30546,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
- files_dontaudit_list_default($1_t)
|
||||
- files_dontaudit_read_default_files($1_t)
|
||||
+ files_dontaudit_list_default($1_usertype)
|
||||
+ files_dontaudit_read_default_files($1_usertype)
|
||||
# Stat lost+found.
|
||||
- files_getattr_lost_found_dirs($1_t)
|
||||
+ files_getattr_lost_found_dirs($1_usertype)
|
||||
|
|
@ -30523,18 +30558,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
- fs_search_auto_mountpoints($1_t)
|
||||
- fs_list_inotifyfs($1_t)
|
||||
- fs_rw_anon_inodefs_files($1_t)
|
||||
+ files_dontaudit_list_default($1_usertype)
|
||||
+ files_dontaudit_read_default_files($1_usertype)
|
||||
|
||||
- auth_dontaudit_write_login_records($1_t)
|
||||
+ fs_get_all_fs_quotas($1_usertype)
|
||||
+ fs_getattr_all_fs($1_usertype)
|
||||
+ fs_search_all($1_usertype)
|
||||
+ fs_list_inotifyfs($1_usertype)
|
||||
+ fs_rw_anon_inodefs_files($1_usertype)
|
||||
|
||||
auth_dontaudit_write_login_records($1_t)
|
||||
-
|
||||
- application_exec_all($1_t)
|
||||
+ auth_dontaudit_write_login_records($1_t)
|
||||
+ auth_rw_cache($1_t)
|
||||
|
||||
# The library functions always try to open read-write first,
|
||||
|
|
@ -30599,7 +30631,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
')
|
||||
|
||||
@@ -846,6 +876,28 @@
|
||||
@@ -846,6 +874,28 @@
|
||||
# Local policy
|
||||
#
|
||||
|
||||
|
|
@ -30628,7 +30660,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
optional_policy(`
|
||||
loadkeys_run($1_t,$1_r)
|
||||
')
|
||||
@@ -876,7 +928,7 @@
|
||||
@@ -876,7 +926,7 @@
|
||||
|
||||
userdom_restricted_user_template($1)
|
||||
|
||||
|
|
@ -30637,7 +30669,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
##############################
|
||||
#
|
||||
@@ -884,14 +936,19 @@
|
||||
@@ -884,14 +934,19 @@
|
||||
#
|
||||
|
||||
auth_role($1_r, $1_t)
|
||||
|
|
@ -30662,7 +30694,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
logging_dontaudit_send_audit_msgs($1_t)
|
||||
|
||||
# Need to to this just so screensaver will work. Should be moved to screensaver domain
|
||||
@@ -899,28 +956,29 @@
|
||||
@@ -899,28 +954,29 @@
|
||||
selinux_get_enforce_mode($1_t)
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -30700,17 +30732,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
')
|
||||
|
||||
@@ -931,8 +989,7 @@
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
-## The template for creating a unprivileged user roughly
|
||||
-## equivalent to a regular linux user.
|
||||
+## The template containing the most basic rules common to all users.
|
||||
## </p>
|
||||
## <p>
|
||||
## This template creates a user domain, types, and
|
||||
@@ -954,8 +1011,8 @@
|
||||
@@ -954,8 +1010,8 @@
|
||||
# Declarations
|
||||
#
|
||||
|
||||
|
|
@ -30720,7 +30742,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
userdom_common_user_template($1)
|
||||
|
||||
##############################
|
||||
@@ -964,11 +1021,12 @@
|
||||
@@ -964,11 +1020,12 @@
|
||||
#
|
||||
|
||||
# port access is audited even if dac would not have allowed it, so dontaudit it here
|
||||
|
|
@ -30735,7 +30757,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
# cjp: why?
|
||||
files_read_kernel_symbol_table($1_t)
|
||||
|
||||
@@ -986,37 +1044,47 @@
|
||||
@@ -986,37 +1043,47 @@
|
||||
')
|
||||
')
|
||||
|
||||
|
|
@ -30797,7 +30819,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
#######################################
|
||||
@@ -1050,7 +1118,7 @@
|
||||
@@ -1050,7 +1117,7 @@
|
||||
#
|
||||
template(`userdom_admin_user_template',`
|
||||
gen_require(`
|
||||
|
|
@ -30806,7 +30828,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
##############################
|
||||
@@ -1059,8 +1127,7 @@
|
||||
@@ -1059,8 +1126,7 @@
|
||||
#
|
||||
|
||||
# Inherit rules for ordinary users.
|
||||
|
|
@ -30816,7 +30838,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
domain_obj_id_change_exemption($1_t)
|
||||
role system_r types $1_t;
|
||||
@@ -1083,7 +1150,8 @@
|
||||
@@ -1083,7 +1149,8 @@
|
||||
# Skip authentication when pam_rootok is specified.
|
||||
allow $1_t self:passwd rootok;
|
||||
|
||||
|
|
@ -30826,7 +30848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
kernel_read_software_raid_state($1_t)
|
||||
kernel_getattr_core_if($1_t)
|
||||
@@ -1099,6 +1167,7 @@
|
||||
@@ -1099,6 +1166,7 @@
|
||||
kernel_sigstop_unlabeled($1_t)
|
||||
kernel_signull_unlabeled($1_t)
|
||||
kernel_sigchld_unlabeled($1_t)
|
||||
|
|
@ -30834,7 +30856,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
corenet_tcp_bind_generic_port($1_t)
|
||||
# allow setting up tunnels
|
||||
@@ -1106,8 +1175,6 @@
|
||||
@@ -1106,8 +1174,6 @@
|
||||
|
||||
dev_getattr_generic_blk_files($1_t)
|
||||
dev_getattr_generic_chr_files($1_t)
|
||||
|
|
@ -30843,7 +30865,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
# Allow MAKEDEV to work
|
||||
dev_create_all_blk_files($1_t)
|
||||
dev_create_all_chr_files($1_t)
|
||||
@@ -1162,20 +1229,6 @@
|
||||
@@ -1162,20 +1228,6 @@
|
||||
# But presently necessary for installing the file_contexts file.
|
||||
seutil_manage_bin_policy($1_t)
|
||||
|
||||
|
|
@ -30864,7 +30886,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
optional_policy(`
|
||||
postgresql_unconfined($1_t)
|
||||
')
|
||||
@@ -1221,6 +1274,7 @@
|
||||
@@ -1221,6 +1273,7 @@
|
||||
dev_relabel_all_dev_nodes($1)
|
||||
|
||||
files_create_boot_flag($1)
|
||||
|
|
@ -30872,7 +30894,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
# Necessary for managing /boot/efi
|
||||
fs_manage_dos_files($1)
|
||||
@@ -1286,11 +1340,15 @@
|
||||
@@ -1286,11 +1339,15 @@
|
||||
interface(`userdom_user_home_content',`
|
||||
gen_require(`
|
||||
type user_home_t;
|
||||
|
|
@ -30888,7 +30910,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1387,7 +1445,7 @@
|
||||
@@ -1387,7 +1444,7 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -30897,7 +30919,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1420,6 +1478,14 @@
|
||||
@@ -1420,6 +1477,14 @@
|
||||
|
||||
allow $1 user_home_dir_t:dir list_dir_perms;
|
||||
files_search_home($1)
|
||||
|
|
@ -30912,7 +30934,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1435,9 +1501,11 @@
|
||||
@@ -1435,9 +1500,11 @@
|
||||
interface(`userdom_dontaudit_list_user_home_dirs',`
|
||||
gen_require(`
|
||||
type user_home_dir_t;
|
||||
|
|
@ -30924,7 +30946,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1494,6 +1562,25 @@
|
||||
@@ -1494,6 +1561,25 @@
|
||||
allow $1 user_home_dir_t:dir relabelto;
|
||||
')
|
||||
|
||||
|
|
@ -30950,19 +30972,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
########################################
|
||||
## <summary>
|
||||
## Create directories in the home dir root with
|
||||
@@ -1547,9 +1634,9 @@
|
||||
type user_home_dir_t, user_home_t;
|
||||
')
|
||||
|
||||
- domain_auto_trans($1, user_home_t, $2)
|
||||
- allow $1 user_home_dir_t:dir search_dir_perms;
|
||||
files_search_home($1)
|
||||
+ allow $1 user_home_dir_t:dir search_dir_perms;
|
||||
+ domain_auto_trans($1, user_home_t, $2)
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1568,6 +1655,8 @@
|
||||
@@ -1568,6 +1654,8 @@
|
||||
')
|
||||
|
||||
dontaudit $1 user_home_t:dir search_dir_perms;
|
||||
|
|
@ -30971,7 +30981,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1643,6 +1732,7 @@
|
||||
@@ -1643,6 +1731,7 @@
|
||||
type user_home_dir_t, user_home_t;
|
||||
')
|
||||
|
||||
|
|
@ -30979,7 +30989,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
|
||||
files_search_home($1)
|
||||
')
|
||||
@@ -1741,6 +1831,62 @@
|
||||
@@ -1741,6 +1830,62 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -31042,7 +31052,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
## Execute user home files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1757,14 +1903,6 @@
|
||||
@@ -1757,14 +1902,6 @@
|
||||
|
||||
files_search_home($1)
|
||||
exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
|
||||
|
|
@ -31057,7 +31067,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1787,6 +1925,46 @@
|
||||
@@ -1787,6 +1924,46 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -31104,7 +31114,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
## Create, read, write, and delete files
|
||||
## in a user home subdirectory.
|
||||
## </summary>
|
||||
@@ -1799,6 +1977,7 @@
|
||||
@@ -1799,6 +1976,7 @@
|
||||
interface(`userdom_manage_user_home_content_files',`
|
||||
gen_require(`
|
||||
type user_home_dir_t, user_home_t;
|
||||
|
|
@ -31112,135 +31122,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
manage_files_pattern($1, user_home_t, user_home_t)
|
||||
@@ -1921,7 +2100,7 @@
|
||||
@@ -2328,7 +2506,7 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Create objects in a user home directory
|
||||
+## Create objects in the /root directory
|
||||
## with an automatic type transition to
|
||||
## a specified private type.
|
||||
## </summary>
|
||||
@@ -1941,28 +2120,58 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`userdom_user_home_content_filetrans',`
|
||||
+interface(`userdom_admin_home_dir_filetrans',`
|
||||
gen_require(`
|
||||
- type user_home_dir_t, user_home_t;
|
||||
+ type admin_home_t;
|
||||
')
|
||||
|
||||
- filetrans_pattern($1, user_home_t, $2, $3)
|
||||
- allow $1 user_home_dir_t:dir search_dir_perms;
|
||||
- files_search_home($1)
|
||||
+ filetrans_pattern($1, admin_home_t, $2, $3)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create objects in a user home directory
|
||||
## with an automatic type transition to
|
||||
-## the user home file type.
|
||||
+## a specified private type.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
-## <param name="object_class">
|
||||
+## <param name="private_type">
|
||||
+## <summary>
|
||||
+## The type of the object to create.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="object_class">
|
||||
+## <summary>
|
||||
+## The class of the object to be created.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`userdom_user_home_content_filetrans',`
|
||||
+ gen_require(`
|
||||
+ type user_home_dir_t, user_home_t;
|
||||
+ ')
|
||||
+
|
||||
+ filetrans_pattern($1, user_home_t, $2, $3)
|
||||
+ allow $1 user_home_dir_t:dir search_dir_perms;
|
||||
+ files_search_home($1)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Create objects in a user home directory
|
||||
+## with an automatic type transition to
|
||||
+## the user home file type.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="object_class">
|
||||
## <summary>
|
||||
## The class of the object to be created.
|
||||
## </summary>
|
||||
@@ -2336,6 +2545,27 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
+interface(`userdom_read_user_tmpfs_files',`
|
||||
+ gen_require(`
|
||||
+ type user_tmpfs_t;
|
||||
+ ')
|
||||
+
|
||||
+ read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
|
||||
+ read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
|
||||
+ allow $1 user_tmpfs_t:dir list_dir_perms;
|
||||
+ fs_search_tmpfs($1)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
-## Read user tmpfs files.
|
||||
+## Read/Write user tmpfs files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
interface(`userdom_rw_user_tmpfs_files',`
|
||||
gen_require(`
|
||||
type user_tmpfs_t;
|
||||
@@ -2709,6 +2939,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## Send signull to unprivileged user domains.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`userdom_signull_unpriv_users',`
|
||||
+ gen_require(`
|
||||
+ attribute unpriv_userdomain;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 unpriv_userdomain:process signull;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Inherit the file descriptors from unprivileged user domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -2814,7 +3062,43 @@
|
||||
## <summary>
|
||||
@@ -2814,7 +2992,25 @@
|
||||
type user_tmp_t;
|
||||
')
|
||||
|
||||
|
|
@ -31250,24 +31141,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Write all users files in /tmp
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`userdom_write_user_tmp_dirs',`
|
||||
+ gen_require(`
|
||||
+ type user_tmp_t;
|
||||
+ ')
|
||||
+
|
||||
+ write_files_pattern($1, user_tmp_t, user_tmp_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Delete all users files in /tmp
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
|
|
@ -31285,7 +31158,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2851,6 +3135,7 @@
|
||||
@@ -2851,6 +3047,7 @@
|
||||
')
|
||||
|
||||
read_files_pattern($1,userdomain,userdomain)
|
||||
|
|
@ -31293,32 +31166,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
kernel_search_proc($1)
|
||||
')
|
||||
|
||||
@@ -2965,6 +3250,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## Manage keys for all user domains.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`userdom_manage_all_users_keys',`
|
||||
+ gen_require(`
|
||||
+ attribute userdomain;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 userdomain:key manage_key_perms;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Send a dbus message to all user domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -2981,3 +3284,338 @@
|
||||
@@ -2981,3 +3178,462 @@
|
||||
|
||||
allow $1 userdomain:dbus send_msg;
|
||||
')
|
||||
|
|
@ -31549,6 +31397,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Add attrinute admin domain
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`userdom_admin',`
|
||||
+ gen_require(`
|
||||
+ attribute admin_userdomain;
|
||||
+ ')
|
||||
+
|
||||
+ typeattribute $1 admin_userdomain;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Send a message to unpriv users over a unix domain
|
||||
+## datagram socket.
|
||||
+## </summary>
|
||||
|
|
@ -31657,9 +31523,115 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+
|
||||
+ type_transition $1 user_home_dir_t:$2 user_home_t;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Create objects in the /root directory
|
||||
+## with an automatic type transition to
|
||||
+## a specified private type.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="private_type">
|
||||
+## <summary>
|
||||
+## The type of the object to create.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="object_class">
|
||||
+## <summary>
|
||||
+## The class of the object to be created.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`userdom_admin_home_dir_filetrans',`
|
||||
+ gen_require(`
|
||||
+ type admin_home_t;
|
||||
+ ')
|
||||
+
|
||||
+ filetrans_pattern($1, admin_home_t, $2, $3)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Send signull to unprivileged user domains.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`userdom_signull_unpriv_users',`
|
||||
+ gen_require(`
|
||||
+ attribute unpriv_userdomain;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 unpriv_userdomain:process signull;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read user tmpfs files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`userdom_read_user_tmpfs_files',`
|
||||
+ gen_require(`
|
||||
+ type user_tmpfs_t;
|
||||
+ ')
|
||||
+
|
||||
+ read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
|
||||
+ read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
|
||||
+ allow $1 user_tmpfs_t:dir list_dir_perms;
|
||||
+ fs_search_tmpfs($1)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Write all users files in /tmp
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`userdom_write_user_tmp_dirs',`
|
||||
+ gen_require(`
|
||||
+ type user_tmp_t;
|
||||
+ ')
|
||||
+
|
||||
+ write_files_pattern($1, user_tmp_t, user_tmp_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Manage keys for all user domains.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`userdom_manage_all_users_keys',`
|
||||
+ gen_require(`
|
||||
+ attribute userdomain;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 userdomain:key manage_key_perms;
|
||||
+')
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.7/policy/modules/system/userdomain.te
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.te 2009-01-19 11:07:34.000000000 -0500
|
||||
+++ serefpolicy-3.6.7/policy/modules/system/userdomain.te 2009-03-03 17:11:59.000000000 -0500
|
||||
+++ serefpolicy-3.6.7/policy/modules/system/userdomain.te 2009-03-04 13:46:42.000000000 -0500
|
||||
@@ -8,13 +8,6 @@
|
||||
|
||||
## <desc>
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@
|
|||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.6.7
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
|
|
@ -446,6 +446,9 @@ exit 0
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Mar 4 2009 Dan Walsh <dwalsh@redhat.com> 3.6.7-2
|
||||
- Fixes for libvirt
|
||||
|
||||
* Mon Mar 2 2009 Dan Walsh <dwalsh@redhat.com> 3.6.7-1
|
||||
- Update to Latest upstream
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue