- Disable nsplugin module
parent
218172dd16
commit
0ca57d1d0a
244
policy-F16.patch
244
policy-F16.patch
@ -8570,10 +8570,10 @@ index 0000000..8d7c751
|
|||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/apps/namespace.te b/policy/modules/apps/namespace.te
|
diff --git a/policy/modules/apps/namespace.te b/policy/modules/apps/namespace.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..6d4ec21
|
index 0000000..a337d62
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/apps/namespace.te
|
+++ b/policy/modules/apps/namespace.te
|
||||||
@@ -0,0 +1,40 @@
|
@@ -0,0 +1,42 @@
|
||||||
+policy_module(namespace,1.0.0)
|
+policy_module(namespace,1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -8598,6 +8598,8 @@ index 0000000..6d4ec21
|
|||||||
+
|
+
|
||||||
+kernel_read_system_state(namespace_init_t)
|
+kernel_read_system_state(namespace_init_t)
|
||||||
+
|
+
|
||||||
|
+corecmd_exec_shell(namespace_init_t)
|
||||||
|
+
|
||||||
+domain_use_interactive_fds(namespace_init_t)
|
+domain_use_interactive_fds(namespace_init_t)
|
||||||
+
|
+
|
||||||
+files_read_etc_files(namespace_init_t)
|
+files_read_etc_files(namespace_init_t)
|
||||||
@ -12554,7 +12556,7 @@ index 223ad43..d95e720 100644
|
|||||||
rsync_exec(yam_t)
|
rsync_exec(yam_t)
|
||||||
')
|
')
|
||||||
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
|
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
|
||||||
index 3fae11a..37d3b99 100644
|
index 3fae11a..c82360e 100644
|
||||||
--- a/policy/modules/kernel/corecommands.fc
|
--- a/policy/modules/kernel/corecommands.fc
|
||||||
+++ b/policy/modules/kernel/corecommands.fc
|
+++ b/policy/modules/kernel/corecommands.fc
|
||||||
@@ -97,8 +97,6 @@ ifdef(`distro_redhat',`
|
@@ -97,8 +97,6 @@ ifdef(`distro_redhat',`
|
||||||
@ -12791,7 +12793,7 @@ index 3fae11a..37d3b99 100644
|
|||||||
|
|
||||||
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
|
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
|
||||||
/var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
@@ -385,3 +401,11 @@ ifdef(`distro_suse', `
|
@@ -385,3 +401,12 @@ ifdef(`distro_suse', `
|
||||||
ifdef(`distro_suse',`
|
ifdef(`distro_suse',`
|
||||||
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
|
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
|
||||||
')
|
')
|
||||||
@ -12800,6 +12802,7 @@ index 3fae11a..37d3b99 100644
|
|||||||
+# /usr/lib
|
+# /usr/lib
|
||||||
+#
|
+#
|
||||||
+
|
+
|
||||||
|
+/usr/lib/iscan/network -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
+/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
+/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
+/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0)
|
+/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
+/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
|
+/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
@ -21553,7 +21556,7 @@ index 2be17d2..de3c13e 100644
|
|||||||
+ userdom_execmod_user_home_files(staff_usertype)
|
+ userdom_execmod_user_home_files(staff_usertype)
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
|
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
|
||||||
index e14b961..b8f0df4 100644
|
index e14b961..37bdf8d 100644
|
||||||
--- a/policy/modules/roles/sysadm.te
|
--- a/policy/modules/roles/sysadm.te
|
||||||
+++ b/policy/modules/roles/sysadm.te
|
+++ b/policy/modules/roles/sysadm.te
|
||||||
@@ -5,13 +5,6 @@ policy_module(sysadm, 2.2.1)
|
@@ -5,13 +5,6 @@ policy_module(sysadm, 2.2.1)
|
||||||
@ -21663,7 +21666,7 @@ index e14b961..b8f0df4 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
- consoletype_run(sysadm_t, sysadm_r)
|
- consoletype_run(sysadm_t, sysadm_r)
|
||||||
+ cron_admin_role(sysadm_r, sysadm_t)
|
+ cron_admin_role(sysadm_r, sysadm_t)
|
||||||
+ cron_role(sysadm_r, sysadm_t)
|
+ #cron_role(sysadm_r, sysadm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -27260,7 +27263,7 @@ index 44a1e3d..7cc67ec 100644
|
|||||||
+ named_systemctl($1)
|
+ named_systemctl($1)
|
||||||
')
|
')
|
||||||
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
|
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
|
||||||
index 4deca04..fc86505 100644
|
index 4deca04..7859fa1 100644
|
||||||
--- a/policy/modules/services/bind.te
|
--- a/policy/modules/services/bind.te
|
||||||
+++ b/policy/modules/services/bind.te
|
+++ b/policy/modules/services/bind.te
|
||||||
@@ -6,16 +6,24 @@ policy_module(bind, 1.11.0)
|
@@ -6,16 +6,24 @@ policy_module(bind, 1.11.0)
|
||||||
@ -27334,18 +27337,20 @@ index 4deca04..fc86505 100644
|
|||||||
tunable_policy(`named_write_master_zones',`
|
tunable_policy(`named_write_master_zones',`
|
||||||
manage_dirs_pattern(named_t, named_zone_t, named_zone_t)
|
manage_dirs_pattern(named_t, named_zone_t, named_zone_t)
|
||||||
manage_files_pattern(named_t, named_zone_t, named_zone_t)
|
manage_files_pattern(named_t, named_zone_t, named_zone_t)
|
||||||
@@ -154,6 +170,10 @@ tunable_policy(`named_write_master_zones',`
|
@@ -154,6 +170,12 @@ tunable_policy(`named_write_master_zones',`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
+ # needed by FreeIPA with DNS support
|
||||||
+ dirsrv_stream_connect(named_t)
|
+ dirsrv_stream_connect(named_t)
|
||||||
|
+ ldap_stream_connect(named_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
init_dbus_chat_script(named_t)
|
init_dbus_chat_script(named_t)
|
||||||
|
|
||||||
sysnet_dbus_chat_dhcpc(named_t)
|
sysnet_dbus_chat_dhcpc(named_t)
|
||||||
@@ -198,18 +218,18 @@ allow ndc_t self:process { fork signal_perms };
|
@@ -198,18 +220,18 @@ allow ndc_t self:process { fork signal_perms };
|
||||||
allow ndc_t self:fifo_file rw_fifo_file_perms;
|
allow ndc_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms };
|
allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms };
|
||||||
allow ndc_t self:tcp_socket create_socket_perms;
|
allow ndc_t self:tcp_socket create_socket_perms;
|
||||||
@ -27367,7 +27372,7 @@ index 4deca04..fc86505 100644
|
|||||||
kernel_read_kernel_sysctls(ndc_t)
|
kernel_read_kernel_sysctls(ndc_t)
|
||||||
|
|
||||||
corenet_all_recvfrom_unlabeled(ndc_t)
|
corenet_all_recvfrom_unlabeled(ndc_t)
|
||||||
@@ -228,6 +248,8 @@ files_search_pids(ndc_t)
|
@@ -228,6 +250,8 @@ files_search_pids(ndc_t)
|
||||||
|
|
||||||
fs_getattr_xattr_fs(ndc_t)
|
fs_getattr_xattr_fs(ndc_t)
|
||||||
|
|
||||||
@ -27376,7 +27381,7 @@ index 4deca04..fc86505 100644
|
|||||||
init_use_fds(ndc_t)
|
init_use_fds(ndc_t)
|
||||||
init_use_script_ptys(ndc_t)
|
init_use_script_ptys(ndc_t)
|
||||||
|
|
||||||
@@ -235,24 +257,13 @@ logging_send_syslog_msg(ndc_t)
|
@@ -235,24 +259,13 @@ logging_send_syslog_msg(ndc_t)
|
||||||
|
|
||||||
miscfiles_read_localization(ndc_t)
|
miscfiles_read_localization(ndc_t)
|
||||||
|
|
||||||
@ -29917,7 +29922,7 @@ index 1f11572..717fb8d 100644
|
|||||||
|
|
||||||
init_labeled_script_domtrans($1, clamd_initrc_exec_t)
|
init_labeled_script_domtrans($1, clamd_initrc_exec_t)
|
||||||
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
|
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
|
||||||
index f758323..4bc077f 100644
|
index f758323..4c06224 100644
|
||||||
--- a/policy/modules/services/clamav.te
|
--- a/policy/modules/services/clamav.te
|
||||||
+++ b/policy/modules/services/clamav.te
|
+++ b/policy/modules/services/clamav.te
|
||||||
@@ -1,9 +1,16 @@
|
@@ -1,9 +1,16 @@
|
||||||
@ -29991,7 +29996,7 @@ index f758323..4bc077f 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
amavis_read_lib_files(clamd_t)
|
amavis_read_lib_files(clamd_t)
|
||||||
amavis_read_spool_files(clamd_t)
|
amavis_read_spool_files(clamd_t)
|
||||||
@@ -142,13 +147,30 @@ optional_policy(`
|
@@ -142,13 +147,31 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -30011,6 +30016,7 @@ index f758323..4bc077f 100644
|
|||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ spamd_stream_connect(clamd_t)
|
+ spamd_stream_connect(clamd_t)
|
||||||
|
+ spamd_read_pid(clamd_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
tunable_policy(`clamd_use_jit',`
|
tunable_policy(`clamd_use_jit',`
|
||||||
@ -30023,7 +30029,7 @@ index f758323..4bc077f 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -178,10 +200,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
|
@@ -178,10 +201,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
|
||||||
|
|
||||||
# log files (own logfiles only)
|
# log files (own logfiles only)
|
||||||
manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
|
manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
|
||||||
@ -30042,7 +30048,7 @@ index f758323..4bc077f 100644
|
|||||||
corenet_all_recvfrom_unlabeled(freshclam_t)
|
corenet_all_recvfrom_unlabeled(freshclam_t)
|
||||||
corenet_all_recvfrom_netlabel(freshclam_t)
|
corenet_all_recvfrom_netlabel(freshclam_t)
|
||||||
corenet_tcp_sendrecv_generic_if(freshclam_t)
|
corenet_tcp_sendrecv_generic_if(freshclam_t)
|
||||||
@@ -189,6 +217,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
|
@@ -189,6 +218,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
|
||||||
corenet_tcp_sendrecv_all_ports(freshclam_t)
|
corenet_tcp_sendrecv_all_ports(freshclam_t)
|
||||||
corenet_tcp_sendrecv_clamd_port(freshclam_t)
|
corenet_tcp_sendrecv_clamd_port(freshclam_t)
|
||||||
corenet_tcp_connect_http_port(freshclam_t)
|
corenet_tcp_connect_http_port(freshclam_t)
|
||||||
@ -30050,7 +30056,7 @@ index f758323..4bc077f 100644
|
|||||||
corenet_sendrecv_http_client_packets(freshclam_t)
|
corenet_sendrecv_http_client_packets(freshclam_t)
|
||||||
|
|
||||||
dev_read_rand(freshclam_t)
|
dev_read_rand(freshclam_t)
|
||||||
@@ -207,16 +236,18 @@ miscfiles_read_localization(freshclam_t)
|
@@ -207,16 +237,18 @@ miscfiles_read_localization(freshclam_t)
|
||||||
|
|
||||||
clamav_stream_connect(freshclam_t)
|
clamav_stream_connect(freshclam_t)
|
||||||
|
|
||||||
@ -30073,7 +30079,7 @@ index f758323..4bc077f 100644
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# clamscam local policy
|
# clamscam local policy
|
||||||
@@ -242,15 +273,29 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
|
@@ -242,15 +274,29 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
|
||||||
manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
|
manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
|
||||||
allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
|
allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
|
||||||
|
|
||||||
@ -30103,7 +30109,7 @@ index f758323..4bc077f 100644
|
|||||||
|
|
||||||
files_read_etc_files(clamscan_t)
|
files_read_etc_files(clamscan_t)
|
||||||
files_read_etc_runtime_files(clamscan_t)
|
files_read_etc_runtime_files(clamscan_t)
|
||||||
@@ -264,10 +309,15 @@ miscfiles_read_public_files(clamscan_t)
|
@@ -264,10 +310,15 @@ miscfiles_read_public_files(clamscan_t)
|
||||||
|
|
||||||
clamav_stream_connect(clamscan_t)
|
clamav_stream_connect(clamscan_t)
|
||||||
|
|
||||||
@ -31175,10 +31181,10 @@ index 0000000..40a0157
|
|||||||
+
|
+
|
||||||
diff --git a/policy/modules/services/collectd.te b/policy/modules/services/collectd.te
|
diff --git a/policy/modules/services/collectd.te b/policy/modules/services/collectd.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..e4d7098
|
index 0000000..ca71d08
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/services/collectd.te
|
+++ b/policy/modules/services/collectd.te
|
||||||
@@ -0,0 +1,79 @@
|
@@ -0,0 +1,80 @@
|
||||||
+policy_module(collectd, 1.0.0)
|
+policy_module(collectd, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -31253,16 +31259,31 @@ index 0000000..e4d7098
|
|||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ apache_content_template(collectd)
|
+ apache_content_template(collectd)
|
||||||
+
|
+
|
||||||
|
+ files_search_var_lib(httpd_collectd_script_t)
|
||||||
+ read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
|
+ read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
|
||||||
+ list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
|
+ list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
|
||||||
+ miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
|
+ miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
|
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
|
||||||
index 74505cc..145a4eb 100644
|
index 74505cc..246bbf9 100644
|
||||||
--- a/policy/modules/services/colord.te
|
--- a/policy/modules/services/colord.te
|
||||||
+++ b/policy/modules/services/colord.te
|
+++ b/policy/modules/services/colord.te
|
||||||
@@ -23,6 +23,7 @@ files_type(colord_var_lib_t)
|
@@ -5,6 +5,13 @@ policy_module(colord, 1.0.0)
|
||||||
|
# Declarations
|
||||||
|
#
|
||||||
|
|
||||||
|
+## <desc>
|
||||||
|
+## <p>
|
||||||
|
+## Allow colord domain to connect to the network using TCP.
|
||||||
|
+## </p>
|
||||||
|
+## </desc>
|
||||||
|
+gen_tunable(colord_can_network_connect, false)
|
||||||
|
+
|
||||||
|
type colord_t;
|
||||||
|
type colord_exec_t;
|
||||||
|
dbus_system_domain(colord_t, colord_exec_t)
|
||||||
|
@@ -23,9 +30,11 @@ files_type(colord_var_lib_t)
|
||||||
# colord local policy
|
# colord local policy
|
||||||
#
|
#
|
||||||
allow colord_t self:capability { dac_read_search dac_override };
|
allow colord_t self:capability { dac_read_search dac_override };
|
||||||
@ -31270,7 +31291,11 @@ index 74505cc..145a4eb 100644
|
|||||||
allow colord_t self:process signal;
|
allow colord_t self:process signal;
|
||||||
allow colord_t self:fifo_file rw_fifo_file_perms;
|
allow colord_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
|
allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||||
@@ -41,8 +42,13 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
|
+allow colord_t self:tcp_socket create_stream_socket_perms;
|
||||||
|
allow colord_t self:udp_socket create_socket_perms;
|
||||||
|
allow colord_t self:unix_dgram_socket create_socket_perms;
|
||||||
|
|
||||||
|
@@ -41,8 +50,14 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
|
||||||
manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
|
manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
|
||||||
files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
|
files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
|
||||||
|
|
||||||
@ -31282,10 +31307,11 @@ index 74505cc..145a4eb 100644
|
|||||||
+
|
+
|
||||||
+# reads *.ini files
|
+# reads *.ini files
|
||||||
+corecmd_exec_bin(colord_t)
|
+corecmd_exec_bin(colord_t)
|
||||||
|
+corecmd_exec_shell(colord_t)
|
||||||
|
|
||||||
corenet_all_recvfrom_unlabeled(colord_t)
|
corenet_all_recvfrom_unlabeled(colord_t)
|
||||||
corenet_all_recvfrom_netlabel(colord_t)
|
corenet_all_recvfrom_netlabel(colord_t)
|
||||||
@@ -50,6 +56,8 @@ corenet_udp_bind_generic_node(colord_t)
|
@@ -50,6 +65,8 @@ corenet_udp_bind_generic_node(colord_t)
|
||||||
corenet_udp_bind_ipp_port(colord_t)
|
corenet_udp_bind_ipp_port(colord_t)
|
||||||
corenet_tcp_connect_ipp_port(colord_t)
|
corenet_tcp_connect_ipp_port(colord_t)
|
||||||
|
|
||||||
@ -31294,7 +31320,7 @@ index 74505cc..145a4eb 100644
|
|||||||
dev_read_video_dev(colord_t)
|
dev_read_video_dev(colord_t)
|
||||||
dev_write_video_dev(colord_t)
|
dev_write_video_dev(colord_t)
|
||||||
dev_rw_printer(colord_t)
|
dev_rw_printer(colord_t)
|
||||||
@@ -65,21 +73,24 @@ files_list_mnt(colord_t)
|
@@ -65,19 +82,36 @@ files_list_mnt(colord_t)
|
||||||
files_read_etc_files(colord_t)
|
files_read_etc_files(colord_t)
|
||||||
files_read_usr_files(colord_t)
|
files_read_usr_files(colord_t)
|
||||||
|
|
||||||
@ -31315,19 +31341,24 @@ index 74505cc..145a4eb 100644
|
|||||||
-sysnet_dns_name_resolve(colord_t)
|
-sysnet_dns_name_resolve(colord_t)
|
||||||
+fs_getattr_tmpfs(colord_t)
|
+fs_getattr_tmpfs(colord_t)
|
||||||
+userdom_rw_user_tmpfs_files(colord_t)
|
+userdom_rw_user_tmpfs_files(colord_t)
|
||||||
|
+
|
||||||
-tunable_policy(`use_nfs_home_dirs',`
|
|
||||||
- fs_read_nfs_files(colord_t)
|
|
||||||
-')
|
|
||||||
-
|
|
||||||
-tunable_policy(`use_samba_home_dirs',`
|
|
||||||
- fs_read_cifs_files(colord_t)
|
|
||||||
-')
|
|
||||||
+userdom_home_reader(colord_t)
|
+userdom_home_reader(colord_t)
|
||||||
|
+
|
||||||
|
+tunable_policy(`colord_can_network_connect',`
|
||||||
|
+ corenet_tcp_connect_all_ports(colord_t)
|
||||||
|
+')
|
||||||
|
|
||||||
optional_policy(`
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
cups_read_config(colord_t)
|
+ fs_getattr_nfs(colord_t)
|
||||||
@@ -89,6 +100,12 @@ optional_policy(`
|
fs_read_nfs_files(colord_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
tunable_policy(`use_samba_home_dirs',`
|
||||||
|
+ fs_getattr_cifs(colord_t)
|
||||||
|
fs_read_cifs_files(colord_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
@@ -89,6 +123,12 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -31340,7 +31371,7 @@ index 74505cc..145a4eb 100644
|
|||||||
policykit_dbus_chat(colord_t)
|
policykit_dbus_chat(colord_t)
|
||||||
policykit_domtrans_auth(colord_t)
|
policykit_domtrans_auth(colord_t)
|
||||||
policykit_read_lib(colord_t)
|
policykit_read_lib(colord_t)
|
||||||
@@ -96,5 +113,16 @@ optional_policy(`
|
@@ -96,5 +136,16 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -33674,7 +33705,7 @@ index c43ff4c..5da88b5 100644
|
|||||||
init_labeled_script_domtrans($1, cvs_initrc_exec_t)
|
init_labeled_script_domtrans($1, cvs_initrc_exec_t)
|
||||||
domain_system_change_exemption($1)
|
domain_system_change_exemption($1)
|
||||||
diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te
|
diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te
|
||||||
index 88e7e97..e18dc0b 100644
|
index 88e7e97..1546703 100644
|
||||||
--- a/policy/modules/services/cvs.te
|
--- a/policy/modules/services/cvs.te
|
||||||
+++ b/policy/modules/services/cvs.te
|
+++ b/policy/modules/services/cvs.te
|
||||||
@@ -6,9 +6,9 @@ policy_module(cvs, 1.9.0)
|
@@ -6,9 +6,9 @@ policy_module(cvs, 1.9.0)
|
||||||
@ -33704,7 +33735,16 @@ index 88e7e97..e18dc0b 100644
|
|||||||
|
|
||||||
manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
|
manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
|
||||||
manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
|
manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
|
||||||
@@ -112,4 +112,5 @@ optional_policy(`
|
@@ -81,6 +81,8 @@ files_read_etc_runtime_files(cvs_t)
|
||||||
|
# for identd; cjp: this should probably only be inetd_child rules?
|
||||||
|
files_search_home(cvs_t)
|
||||||
|
|
||||||
|
+init_dontaudit_read_utmp(cvs_t)
|
||||||
|
+
|
||||||
|
logging_send_syslog_msg(cvs_t)
|
||||||
|
logging_send_audit_msgs(cvs_t)
|
||||||
|
|
||||||
|
@@ -112,4 +114,5 @@ optional_policy(`
|
||||||
read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
|
read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
|
||||||
manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
|
manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
|
||||||
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
|
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
|
||||||
@ -36415,7 +36455,7 @@ index 9bd812b..144cbb7 100644
|
|||||||
+ dnsmasq_systemctl($1)
|
+ dnsmasq_systemctl($1)
|
||||||
')
|
')
|
||||||
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
|
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
|
||||||
index fdaeeba..8542225 100644
|
index fdaeeba..b1ea136 100644
|
||||||
--- a/policy/modules/services/dnsmasq.te
|
--- a/policy/modules/services/dnsmasq.te
|
||||||
+++ b/policy/modules/services/dnsmasq.te
|
+++ b/policy/modules/services/dnsmasq.te
|
||||||
@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
|
@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
|
||||||
@ -36428,7 +36468,7 @@ index fdaeeba..8542225 100644
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Local policy
|
# Local policy
|
||||||
@@ -48,11 +51,13 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
|
@@ -48,11 +51,14 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
|
||||||
manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t)
|
manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t)
|
||||||
logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file)
|
logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file)
|
||||||
|
|
||||||
@ -36439,11 +36479,12 @@ index fdaeeba..8542225 100644
|
|||||||
|
|
||||||
kernel_read_kernel_sysctls(dnsmasq_t)
|
kernel_read_kernel_sysctls(dnsmasq_t)
|
||||||
kernel_read_system_state(dnsmasq_t)
|
kernel_read_system_state(dnsmasq_t)
|
||||||
|
+kernel_read_network_state(dnsmasq_t)
|
||||||
+kernel_request_load_module(dnsmasq_t)
|
+kernel_request_load_module(dnsmasq_t)
|
||||||
|
|
||||||
corenet_all_recvfrom_unlabeled(dnsmasq_t)
|
corenet_all_recvfrom_unlabeled(dnsmasq_t)
|
||||||
corenet_all_recvfrom_netlabel(dnsmasq_t)
|
corenet_all_recvfrom_netlabel(dnsmasq_t)
|
||||||
@@ -88,6 +93,8 @@ logging_send_syslog_msg(dnsmasq_t)
|
@@ -88,6 +94,8 @@ logging_send_syslog_msg(dnsmasq_t)
|
||||||
|
|
||||||
miscfiles_read_localization(dnsmasq_t)
|
miscfiles_read_localization(dnsmasq_t)
|
||||||
|
|
||||||
@ -36452,7 +36493,7 @@ index fdaeeba..8542225 100644
|
|||||||
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
|
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
|
||||||
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
|
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
|
||||||
|
|
||||||
@@ -96,7 +103,20 @@ optional_policy(`
|
@@ -96,7 +104,20 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -36473,7 +36514,7 @@ index fdaeeba..8542225 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -114,4 +134,5 @@ optional_policy(`
|
@@ -114,4 +135,5 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
virt_manage_lib_files(dnsmasq_t)
|
virt_manage_lib_files(dnsmasq_t)
|
||||||
virt_read_pid_files(dnsmasq_t)
|
virt_read_pid_files(dnsmasq_t)
|
||||||
@ -43323,7 +43364,7 @@ index 67c7fdd..d7338be 100644
|
|||||||
## <summary>
|
## <summary>
|
||||||
## Execute mailman CGI scripts in the
|
## Execute mailman CGI scripts in the
|
||||||
diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
|
diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
|
||||||
index af4d572..cea085e 100644
|
index af4d572..0c0925e 100644
|
||||||
--- a/policy/modules/services/mailman.te
|
--- a/policy/modules/services/mailman.te
|
||||||
+++ b/policy/modules/services/mailman.te
|
+++ b/policy/modules/services/mailman.te
|
||||||
@@ -19,6 +19,9 @@ logging_log_file(mailman_log_t)
|
@@ -19,6 +19,9 @@ logging_log_file(mailman_log_t)
|
||||||
@ -43336,7 +43377,7 @@ index af4d572..cea085e 100644
|
|||||||
mailman_domain_template(mail)
|
mailman_domain_template(mail)
|
||||||
init_daemon_domain(mailman_mail_t, mailman_mail_exec_t)
|
init_daemon_domain(mailman_mail_t, mailman_mail_exec_t)
|
||||||
|
|
||||||
@@ -61,14 +64,22 @@ optional_policy(`
|
@@ -61,14 +64,24 @@ optional_policy(`
|
||||||
# Mailman mail local policy
|
# Mailman mail local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -43357,11 +43398,13 @@ index af4d572..cea085e 100644
|
|||||||
+# make NNTP gateway working
|
+# make NNTP gateway working
|
||||||
+corenet_tcp_connect_innd_port(mailman_mail_t)
|
+corenet_tcp_connect_innd_port(mailman_mail_t)
|
||||||
+corenet_tcp_connect_spamd_port(mailman_mail_t)
|
+corenet_tcp_connect_spamd_port(mailman_mail_t)
|
||||||
|
+
|
||||||
|
+dev_read_urand(mailman_mail_t)
|
||||||
+
|
+
|
||||||
files_search_spool(mailman_mail_t)
|
files_search_spool(mailman_mail_t)
|
||||||
|
|
||||||
fs_rw_anon_inodefs_files(mailman_mail_t)
|
fs_rw_anon_inodefs_files(mailman_mail_t)
|
||||||
@@ -81,11 +92,16 @@ optional_policy(`
|
@@ -81,11 +94,16 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -43378,7 +43421,7 @@ index af4d572..cea085e 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -104,6 +120,8 @@ manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t)
|
@@ -104,6 +122,8 @@ manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t)
|
||||||
|
|
||||||
kernel_read_proc_symlinks(mailman_queue_t)
|
kernel_read_proc_symlinks(mailman_queue_t)
|
||||||
|
|
||||||
@ -43387,7 +43430,7 @@ index af4d572..cea085e 100644
|
|||||||
auth_domtrans_chk_passwd(mailman_queue_t)
|
auth_domtrans_chk_passwd(mailman_queue_t)
|
||||||
|
|
||||||
files_dontaudit_search_pids(mailman_queue_t)
|
files_dontaudit_search_pids(mailman_queue_t)
|
||||||
@@ -125,4 +143,4 @@ optional_policy(`
|
@@ -125,4 +145,4 @@ optional_policy(`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
su_exec(mailman_queue_t)
|
su_exec(mailman_queue_t)
|
||||||
@ -53190,7 +53233,7 @@ index 2855a44..58bb459 100644
|
|||||||
+ allow $1 puppet_var_run_t:dir search_dir_perms;
|
+ allow $1 puppet_var_run_t:dir search_dir_perms;
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
|
diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
|
||||||
index 64c5f95..fb500de 100644
|
index 64c5f95..e237da7 100644
|
||||||
--- a/policy/modules/services/puppet.te
|
--- a/policy/modules/services/puppet.te
|
||||||
+++ b/policy/modules/services/puppet.te
|
+++ b/policy/modules/services/puppet.te
|
||||||
@@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0)
|
@@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0)
|
||||||
@ -53386,7 +53429,7 @@ index 64c5f95..fb500de 100644
|
|||||||
#
|
#
|
||||||
|
|
||||||
allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
|
allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
|
||||||
@@ -171,29 +258,35 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
|
@@ -171,29 +258,36 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
|
allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
|
||||||
allow puppetmaster_t self:socket create;
|
allow puppetmaster_t self:socket create;
|
||||||
allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
|
allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
|
||||||
@ -53419,13 +53462,14 @@ index 64c5f95..fb500de 100644
|
|||||||
+allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms;
|
+allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms;
|
||||||
|
|
||||||
kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
|
kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
|
||||||
|
+`kernel_read_network_state(puppetmaster_t)
|
||||||
kernel_read_system_state(puppetmaster_t)
|
kernel_read_system_state(puppetmaster_t)
|
||||||
kernel_read_crypto_sysctls(puppetmaster_t)
|
kernel_read_crypto_sysctls(puppetmaster_t)
|
||||||
+kernel_read_kernel_sysctls(puppetmaster_t)
|
+kernel_read_kernel_sysctls(puppetmaster_t)
|
||||||
|
|
||||||
corecmd_exec_bin(puppetmaster_t)
|
corecmd_exec_bin(puppetmaster_t)
|
||||||
corecmd_exec_shell(puppetmaster_t)
|
corecmd_exec_shell(puppetmaster_t)
|
||||||
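Review bot: The new line `kernel_read_network_state(puppetmaster_t)` in the puppet.te hunk is written with a stray leading backtick (`` ` ``), and in refpolicy .te sources the backtick is the m4 open-quote, so this unmatched quote will most likely either fail the module build or silently swallow the rules that follow it up to the next closing quote. Drop the backtick so the line reads `kernel_read_network_state(puppetmaster_t)`, in the same form as the neighbouring `kernel_read_kernel_sysctls(puppetmaster_t)`. The surrounding puppetmaster_t rule block begins and continues outside this hunk, so the extent of what the open quote would capture cannot be judged from here.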
@@ -206,21 +299,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t)
|
@@ -206,21 +300,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t)
|
||||||
corenet_tcp_bind_puppet_port(puppetmaster_t)
|
corenet_tcp_bind_puppet_port(puppetmaster_t)
|
||||||
corenet_sendrecv_puppet_server_packets(puppetmaster_t)
|
corenet_sendrecv_puppet_server_packets(puppetmaster_t)
|
||||||
|
|
||||||
@ -53475,7 +53519,7 @@ index 64c5f95..fb500de 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
hostname_exec(puppetmaster_t)
|
hostname_exec(puppetmaster_t)
|
||||||
')
|
')
|
||||||
@@ -231,3 +349,9 @@ optional_policy(`
|
@@ -231,3 +350,9 @@ optional_policy(`
|
||||||
rpm_exec(puppetmaster_t)
|
rpm_exec(puppetmaster_t)
|
||||||
rpm_read_db(puppetmaster_t)
|
rpm_read_db(puppetmaster_t)
|
||||||
')
|
')
|
||||||
@ -57937,7 +57981,7 @@ index 82cb169..48c023e 100644
|
|||||||
+ samba_systemctl($1)
|
+ samba_systemctl($1)
|
||||||
')
|
')
|
||||||
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
|
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
|
||||||
index e30bb63..d893f99 100644
|
index e30bb63..bac0112 100644
|
||||||
--- a/policy/modules/services/samba.te
|
--- a/policy/modules/services/samba.te
|
||||||
+++ b/policy/modules/services/samba.te
|
+++ b/policy/modules/services/samba.te
|
||||||
@@ -85,6 +85,9 @@ files_config_file(samba_etc_t)
|
@@ -85,6 +85,9 @@ files_config_file(samba_etc_t)
|
||||||
@ -58253,7 +58297,22 @@ index e30bb63..d893f99 100644
|
|||||||
corenet_tcp_connect_epmap_port(winbind_t)
|
corenet_tcp_connect_epmap_port(winbind_t)
|
||||||
corenet_tcp_connect_all_unreserved_ports(winbind_t)
|
corenet_tcp_connect_all_unreserved_ports(winbind_t)
|
||||||
|
|
||||||
@@ -863,6 +888,12 @@ userdom_manage_user_home_content_pipes(winbind_t)
|
@@ -850,10 +875,14 @@ domain_use_interactive_fds(winbind_t)
|
||||||
|
|
||||||
|
files_read_etc_files(winbind_t)
|
||||||
|
files_read_usr_symlinks(winbind_t)
|
||||||
|
+files_list_var_lib(winbind_t)
|
||||||
|
|
||||||
|
logging_send_syslog_msg(winbind_t)
|
||||||
|
|
||||||
|
miscfiles_read_localization(winbind_t)
|
||||||
|
+miscfiles_read_generic_certs(winbind_t)
|
||||||
|
+
|
||||||
|
+sysnet_use_ldap(winbind_t)
|
||||||
|
|
||||||
|
userdom_dontaudit_use_unpriv_user_fds(winbind_t)
|
||||||
|
userdom_manage_user_home_content_dirs(winbind_t)
|
||||||
|
@@ -863,6 +892,12 @@ userdom_manage_user_home_content_pipes(winbind_t)
|
||||||
userdom_manage_user_home_content_sockets(winbind_t)
|
userdom_manage_user_home_content_sockets(winbind_t)
|
||||||
userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
|
userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
|
||||||
|
|
||||||
@ -58266,7 +58325,7 @@ index e30bb63..d893f99 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
kerberos_use(winbind_t)
|
kerberos_use(winbind_t)
|
||||||
')
|
')
|
||||||
@@ -904,7 +935,7 @@ logging_send_syslog_msg(winbind_helper_t)
|
@@ -904,7 +939,7 @@ logging_send_syslog_msg(winbind_helper_t)
|
||||||
|
|
||||||
miscfiles_read_localization(winbind_helper_t)
|
miscfiles_read_localization(winbind_helper_t)
|
||||||
|
|
||||||
@ -58275,7 +58334,7 @@ index e30bb63..d893f99 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
apache_append_log(winbind_helper_t)
|
apache_append_log(winbind_helper_t)
|
||||||
@@ -922,6 +953,18 @@ optional_policy(`
|
@@ -922,6 +957,18 @@ optional_policy(`
|
||||||
#
|
#
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -58294,7 +58353,7 @@ index e30bb63..d893f99 100644
|
|||||||
type samba_unconfined_script_t;
|
type samba_unconfined_script_t;
|
||||||
type samba_unconfined_script_exec_t;
|
type samba_unconfined_script_exec_t;
|
||||||
domain_type(samba_unconfined_script_t)
|
domain_type(samba_unconfined_script_t)
|
||||||
@@ -932,9 +975,12 @@ optional_policy(`
|
@@ -932,9 +979,12 @@ optional_policy(`
|
||||||
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
|
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
|
||||||
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
|
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
|
||||||
|
|
||||||
@ -58613,7 +58672,7 @@ index f1aea88..3e6a93f 100644
|
|||||||
admin_pattern($1, saslauthd_var_run_t)
|
admin_pattern($1, saslauthd_var_run_t)
|
||||||
')
|
')
|
||||||
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
|
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
|
||||||
index cfc60dd..791c5b3 100644
|
index cfc60dd..71d76cf 100644
|
||||||
--- a/policy/modules/services/sasl.te
|
--- a/policy/modules/services/sasl.te
|
||||||
+++ b/policy/modules/services/sasl.te
|
+++ b/policy/modules/services/sasl.te
|
||||||
@@ -19,9 +19,6 @@ init_daemon_domain(saslauthd_t, saslauthd_exec_t)
|
@@ -19,9 +19,6 @@ init_daemon_domain(saslauthd_t, saslauthd_exec_t)
|
||||||
@ -58650,7 +58709,15 @@ index cfc60dd..791c5b3 100644
|
|||||||
|
|
||||||
corenet_all_recvfrom_unlabeled(saslauthd_t)
|
corenet_all_recvfrom_unlabeled(saslauthd_t)
|
||||||
corenet_all_recvfrom_netlabel(saslauthd_t)
|
corenet_all_recvfrom_netlabel(saslauthd_t)
|
||||||
@@ -94,6 +94,7 @@ tunable_policy(`allow_saslauthd_read_shadow',`
|
@@ -55,6 +55,7 @@ corenet_tcp_sendrecv_generic_if(saslauthd_t)
|
||||||
|
corenet_tcp_sendrecv_generic_node(saslauthd_t)
|
||||||
|
corenet_tcp_sendrecv_all_ports(saslauthd_t)
|
||||||
|
corenet_tcp_connect_pop_port(saslauthd_t)
|
||||||
|
+corenet_tcp_connect_zarafa_port(saslauthd_t)
|
||||||
|
corenet_sendrecv_pop_client_packets(saslauthd_t)
|
||||||
|
|
||||||
|
dev_read_urand(saslauthd_t)
|
||||||
|
@@ -94,6 +95,7 @@ tunable_policy(`allow_saslauthd_read_shadow',`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
kerberos_keytab_template(saslauthd, saslauthd_t)
|
kerberos_keytab_template(saslauthd, saslauthd_t)
|
||||||
@ -59663,7 +59730,7 @@ index 6b3abf9..a785741 100644
|
|||||||
+/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
|
+/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
|
||||||
+/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
|
+/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
|
||||||
diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
|
diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
|
||||||
index c954f31..85e8212 100644
|
index c954f31..4aac595 100644
|
||||||
--- a/policy/modules/services/spamassassin.if
|
--- a/policy/modules/services/spamassassin.if
|
||||||
+++ b/policy/modules/services/spamassassin.if
|
+++ b/policy/modules/services/spamassassin.if
|
||||||
@@ -14,6 +14,7 @@
|
@@ -14,6 +14,7 @@
|
||||||
@ -59782,7 +59849,7 @@ index c954f31..85e8212 100644
|
|||||||
allow $1 spamd_tmp_t:file read_file_perms;
|
allow $1 spamd_tmp_t:file read_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -223,5 +291,75 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
|
@@ -223,5 +291,94 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
|
||||||
type spamd_tmp_t;
|
type spamd_tmp_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -59790,6 +59857,25 @@ index c954f31..85e8212 100644
|
|||||||
+ dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms;
|
+ dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms;
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
+#######################################
|
||||||
|
+## <summary>
|
||||||
|
+## Read spamd pid file.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed to connect.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`spamd_read_pid',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type spamd_t, spamd_var_run_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ files_search_pids($1)
|
||||||
|
+ read_files_pattern($1, spamd_var_run_t, spamd_var_run_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Connect to run spamd.
|
+## Connect to run spamd.
|
||||||
@ -59860,7 +59946,7 @@ index c954f31..85e8212 100644
|
|||||||
+ admin_pattern($1, spamd_var_run_t)
|
+ admin_pattern($1, spamd_var_run_t)
|
||||||
')
|
')
|
||||||
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
|
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
|
||||||
index ec1eb1e..fdb471a 100644
|
index ec1eb1e..9d10f0b 100644
|
||||||
--- a/policy/modules/services/spamassassin.te
|
--- a/policy/modules/services/spamassassin.te
|
||||||
+++ b/policy/modules/services/spamassassin.te
|
+++ b/policy/modules/services/spamassassin.te
|
||||||
@@ -6,56 +6,101 @@ policy_module(spamassassin, 2.4.0)
|
@@ -6,56 +6,101 @@ policy_module(spamassassin, 2.4.0)
|
||||||
@ -60280,7 +60366,15 @@ index ec1eb1e..fdb471a 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -451,3 +531,51 @@ optional_policy(`
|
@@ -444,6 +524,7 @@ optional_policy(`
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
+ mta_send_mail(spamd_t)
|
||||||
|
sendmail_stub(spamd_t)
|
||||||
|
mta_read_config(spamd_t)
|
||||||
|
')
|
||||||
|
@@ -451,3 +532,51 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
udev_read_db(spamd_t)
|
udev_read_db(spamd_t)
|
||||||
')
|
')
|
||||||
@ -60448,21 +60542,22 @@ index 4b2230e..950e65a 100644
|
|||||||
+ kerberos_manage_host_rcache(squid_t)
|
+ kerberos_manage_host_rcache(squid_t)
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
|
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
|
||||||
index 078bcd7..2d60774 100644
|
index 078bcd7..84d29ee 100644
|
||||||
--- a/policy/modules/services/ssh.fc
|
--- a/policy/modules/services/ssh.fc
|
||||||
+++ b/policy/modules/services/ssh.fc
|
+++ b/policy/modules/services/ssh.fc
|
||||||
@@ -1,4 +1,10 @@
|
@@ -1,4 +1,11 @@
|
||||||
HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
|
HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
|
||||||
+HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
|
+HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
|
||||||
+
|
+
|
||||||
+/var/lib/amanda/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
|
+/var/lib/amanda/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
|
||||||
+/var/lib/gitolite/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
|
+/var/lib/gitolite/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
|
||||||
|
+/var/lib/nocpulse/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
|
||||||
+
|
+
|
||||||
+/etc/rc\.d/init\.d/sshd -- gen_context(system_u:object_r:sshd_initrc_exec_t,s0)
|
+/etc/rc\.d/init\.d/sshd -- gen_context(system_u:object_r:sshd_initrc_exec_t,s0)
|
||||||
|
|
||||||
/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
|
/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
|
||||||
/etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0)
|
/etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0)
|
||||||
@@ -14,3 +20,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
|
@@ -14,3 +21,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
|
||||||
/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
|
/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
|
||||||
|
|
||||||
/var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
|
/var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
|
||||||
@ -73997,7 +74092,7 @@ index 8b5c196..da41726 100644
|
|||||||
+ role $2 types showmount_t;
|
+ role $2 types showmount_t;
|
||||||
')
|
')
|
||||||
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
|
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
|
||||||
index 15832c7..b90b726 100644
|
index 15832c7..a50ceba 100644
|
||||||
--- a/policy/modules/system/mount.te
|
--- a/policy/modules/system/mount.te
|
||||||
+++ b/policy/modules/system/mount.te
|
+++ b/policy/modules/system/mount.te
|
||||||
@@ -17,17 +17,29 @@ type mount_exec_t;
|
@@ -17,17 +17,29 @@ type mount_exec_t;
|
||||||
@ -74078,7 +74173,7 @@ index 15832c7..b90b726 100644
|
|||||||
kernel_dontaudit_write_debugfs_dirs(mount_t)
|
kernel_dontaudit_write_debugfs_dirs(mount_t)
|
||||||
kernel_dontaudit_write_proc_dirs(mount_t)
|
kernel_dontaudit_write_proc_dirs(mount_t)
|
||||||
# To load binfmt_misc kernel module
|
# To load binfmt_misc kernel module
|
||||||
@@ -57,65 +92,93 @@ kernel_request_load_module(mount_t)
|
@@ -57,65 +92,94 @@ kernel_request_load_module(mount_t)
|
||||||
# required for mount.smbfs
|
# required for mount.smbfs
|
||||||
corecmd_exec_bin(mount_t)
|
corecmd_exec_bin(mount_t)
|
||||||
|
|
||||||
@ -74087,6 +74182,7 @@ index 15832c7..b90b726 100644
|
|||||||
dev_list_all_dev_nodes(mount_t)
|
dev_list_all_dev_nodes(mount_t)
|
||||||
+dev_read_usbfs(mount_t)
|
+dev_read_usbfs(mount_t)
|
||||||
+dev_read_rand(mount_t)
|
+dev_read_rand(mount_t)
|
||||||
|
+dev_read_urand(mount_t)
|
||||||
dev_read_sysfs(mount_t)
|
dev_read_sysfs(mount_t)
|
||||||
dev_dontaudit_write_sysfs_dirs(mount_t)
|
dev_dontaudit_write_sysfs_dirs(mount_t)
|
||||||
dev_rw_lvm_control(mount_t)
|
dev_rw_lvm_control(mount_t)
|
||||||
@ -74181,7 +74277,7 @@ index 15832c7..b90b726 100644
|
|||||||
|
|
||||||
logging_send_syslog_msg(mount_t)
|
logging_send_syslog_msg(mount_t)
|
||||||
|
|
||||||
@@ -126,6 +189,8 @@ sysnet_use_portmap(mount_t)
|
@@ -126,6 +190,8 @@ sysnet_use_portmap(mount_t)
|
||||||
seutil_read_config(mount_t)
|
seutil_read_config(mount_t)
|
||||||
|
|
||||||
userdom_use_all_users_fds(mount_t)
|
userdom_use_all_users_fds(mount_t)
|
||||||
@ -74190,7 +74286,7 @@ index 15832c7..b90b726 100644
|
|||||||
|
|
||||||
ifdef(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -141,26 +206,28 @@ ifdef(`distro_ubuntu',`
|
@@ -141,26 +207,28 @@ ifdef(`distro_ubuntu',`
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -74229,7 +74325,7 @@ index 15832c7..b90b726 100644
|
|||||||
corenet_tcp_bind_generic_port(mount_t)
|
corenet_tcp_bind_generic_port(mount_t)
|
||||||
corenet_udp_bind_generic_port(mount_t)
|
corenet_udp_bind_generic_port(mount_t)
|
||||||
corenet_tcp_bind_reserved_port(mount_t)
|
corenet_tcp_bind_reserved_port(mount_t)
|
||||||
@@ -174,6 +241,8 @@ optional_policy(`
|
@@ -174,6 +242,8 @@ optional_policy(`
|
||||||
fs_search_rpc(mount_t)
|
fs_search_rpc(mount_t)
|
||||||
|
|
||||||
rpc_stub(mount_t)
|
rpc_stub(mount_t)
|
||||||
@ -74238,7 +74334,7 @@ index 15832c7..b90b726 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -181,6 +250,28 @@ optional_policy(`
|
@@ -181,6 +251,28 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -74267,7 +74363,7 @@ index 15832c7..b90b726 100644
|
|||||||
ifdef(`hide_broken_symptoms',`
|
ifdef(`hide_broken_symptoms',`
|
||||||
# for a bug in the X server
|
# for a bug in the X server
|
||||||
rhgb_dontaudit_rw_stream_sockets(mount_t)
|
rhgb_dontaudit_rw_stream_sockets(mount_t)
|
||||||
@@ -188,21 +279,87 @@ optional_policy(`
|
@@ -188,21 +280,87 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -17,7 +17,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.10.0
|
Version: 3.10.0
|
||||||
Release: 59%{?dist}
|
Release: 61%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
|