- Dontaudit binds to ports < 1024 for named
- Upgrade to latest upstream
This commit is contained in:
parent
510c2a3987
commit
0e78af1c39
@ -165,3 +165,4 @@ serefpolicy-3.6.7.tgz
|
|||||||
serefpolicy-3.6.8.tgz
|
serefpolicy-3.6.8.tgz
|
||||||
serefpolicy-3.6.9.tgz
|
serefpolicy-3.6.9.tgz
|
||||||
serefpolicy-3.6.10.tgz
|
serefpolicy-3.6.10.tgz
|
||||||
|
serefpolicy-3.6.11.tgz
|
||||||
|
@ -3926,7 +3926,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.11/policy/modules/apps/qemu.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.11/policy/modules/apps/qemu.te
|
||||||
--- nsaserefpolicy/policy/modules/apps/qemu.te 2009-01-19 11:03:28.000000000 -0500
|
--- nsaserefpolicy/policy/modules/apps/qemu.te 2009-01-19 11:03:28.000000000 -0500
|
||||||
+++ serefpolicy-3.6.11/policy/modules/apps/qemu.te 2009-04-06 13:07:12.000000000 -0400
|
+++ serefpolicy-3.6.11/policy/modules/apps/qemu.te 2009-04-06 14:08:29.000000000 -0400
|
||||||
@@ -13,28 +13,96 @@
|
@@ -13,28 +13,96 @@
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(qemu_full_network, false)
|
gen_tunable(qemu_full_network, false)
|
||||||
@ -3993,8 +3993,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
+tunable_policy(`qemu_use_comm',`
|
+tunable_policy(`qemu_use_comm',`
|
||||||
+ term_use_unallocated_ttys(sqemu_t)
|
+ term_use_unallocated_ttys(qemu_t)
|
||||||
+ dev_rw_printer(sqemu_t)
|
+ dev_rw_printer(qemu_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+tunable_policy(`qemu_use_nfs',`
|
+tunable_policy(`qemu_use_nfs',`
|
||||||
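Review bot: The corrected `term_use_unallocated_ttys(qemu_t)` and `dev_rw_printer(qemu_t)` inside `tunable_policy(`qemu_use_comm'` grant access to the generic unallocated-tty type and to every printer device on the host, not to the one device a given guest was handed, so once the boolean is on a guest that compromises its qemu process can reach any of them. The tunable's `gen_tunable(qemu_use_comm, ...)` and its `<desc>` sit above this hunk, but the description should state the host-wide scope, e.g. `## Allow qemu to use any serial/parallel port or printer on the host (host-wide, not per guest)`. If per-device confinement is the goal, labeling the passed-through device with a dedicated type and allowing only that type is tighter than the unallocated-tty class. Since the virt.te hunks below transition libvirt guests into svirt_t rather than qemu_t, it is worth confirming that the svirt-side equivalent of this boolean exists; that is not visible here.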
@ -8295,12 +8295,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.6.11/policy/modules/services/bind.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.6.11/policy/modules/services/bind.te
|
||||||
--- nsaserefpolicy/policy/modules/services/bind.te 2009-01-19 11:06:49.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/bind.te 2009-01-19 11:06:49.000000000 -0500
|
||||||
+++ serefpolicy-3.6.11/policy/modules/services/bind.te 2009-04-06 12:59:54.000000000 -0400
|
+++ serefpolicy-3.6.11/policy/modules/services/bind.te 2009-04-06 14:03:35.000000000 -0400
|
||||||
@@ -123,6 +123,7 @@
|
@@ -123,6 +123,7 @@
|
||||||
corenet_sendrecv_dns_client_packets(named_t)
|
corenet_sendrecv_dns_client_packets(named_t)
|
||||||
corenet_sendrecv_rndc_server_packets(named_t)
|
corenet_sendrecv_rndc_server_packets(named_t)
|
||||||
corenet_sendrecv_rndc_client_packets(named_t)
|
corenet_sendrecv_rndc_client_packets(named_t)
|
||||||
+corenet_udp_dontaudit_bind_all_reserved_ports(named_t)
|
+corenet_dontaudit_udp_bind_all_reserved_ports(named_t)
|
||||||
corenet_udp_bind_all_unreserved_ports(named_t)
|
corenet_udp_bind_all_unreserved_ports(named_t)
|
||||||
|
|
||||||
dev_read_sysfs(named_t)
|
dev_read_sysfs(named_t)
|
||||||
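Review bot: The new `corenet_dontaudit_udp_bind_all_reserved_ports(named_t)` line silences a denial without recording why named tries to bind below 1024, and a later maintainer may drop it as a leftover or, worse, replace it with an allow. If, as seems likely, this is named's randomized UDP source-port selection occasionally landing on a reserved port, say so above the line: `# named picks random UDP source ports that can fall below 1024; those binds are denied and retried, so only suppress the audit noise -- do not allow them`. Note the kernel still denies these binds, so an administrator who pins `query-source` to a port below 1024 will see it fail with no AVC message to point at; that configuration needs `corenet_udp_bind_all_reserved_ports(named_t)`, ideally behind a boolean, rather than a dontaudit. Whether the TCP side needs the same treatment cannot be told from this hunk.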
@ -18331,7 +18331,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
ccs_read_config(ricci_modstorage_t)
|
ccs_read_config(ricci_modstorage_t)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.11/policy/modules/services/rpc.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.11/policy/modules/services/rpc.te
|
||||||
--- nsaserefpolicy/policy/modules/services/rpc.te 2009-03-20 12:39:39.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/rpc.te 2009-03-20 12:39:39.000000000 -0400
|
||||||
+++ serefpolicy-3.6.11/policy/modules/services/rpc.te 2009-04-06 12:59:54.000000000 -0400
|
+++ serefpolicy-3.6.11/policy/modules/services/rpc.te 2009-04-06 15:25:10.000000000 -0400
|
||||||
@@ -23,7 +23,7 @@
|
@@ -23,7 +23,7 @@
|
||||||
gen_tunable(allow_nfsd_anon_write, false)
|
gen_tunable(allow_nfsd_anon_write, false)
|
||||||
|
|
||||||
@ -18349,7 +18349,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
tunable_policy(`nfs_export_all_ro',`
|
tunable_policy(`nfs_export_all_ro',`
|
||||||
dev_getattr_all_blk_files(nfsd_t)
|
dev_getattr_all_blk_files(nfsd_t)
|
||||||
@@ -183,6 +184,7 @@
|
@@ -183,9 +184,12 @@
|
||||||
files_read_usr_symlinks(gssd_t)
|
files_read_usr_symlinks(gssd_t)
|
||||||
|
|
||||||
auth_use_nsswitch(gssd_t)
|
auth_use_nsswitch(gssd_t)
|
||||||
@ -18357,6 +18357,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
miscfiles_read_certs(gssd_t)
|
miscfiles_read_certs(gssd_t)
|
||||||
|
|
||||||
|
+mount_signal(gssd_t)
|
||||||
|
+
|
||||||
|
tunable_policy(`allow_gssd_read_tmp',`
|
||||||
|
userdom_list_user_tmp(gssd_t)
|
||||||
|
userdom_read_user_tmp_files(gssd_t)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.6.11/policy/modules/services/rshd.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.6.11/policy/modules/services/rshd.te
|
||||||
--- nsaserefpolicy/policy/modules/services/rshd.te 2009-01-19 11:06:49.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/rshd.te 2009-01-19 11:06:49.000000000 -0500
|
||||||
+++ serefpolicy-3.6.11/policy/modules/services/rshd.te 2009-04-06 12:59:54.000000000 -0400
|
+++ serefpolicy-3.6.11/policy/modules/services/rshd.te 2009-04-06 12:59:54.000000000 -0400
|
||||||
@ -21462,8 +21467,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.11/policy/modules/services/virt.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.11/policy/modules/services/virt.te
|
||||||
--- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500
|
||||||
+++ serefpolicy-3.6.11/policy/modules/services/virt.te 2009-04-06 12:59:54.000000000 -0400
|
+++ serefpolicy-3.6.11/policy/modules/services/virt.te 2009-04-06 14:11:37.000000000 -0400
|
||||||
@@ -8,19 +8,38 @@
|
@@ -8,19 +8,24 @@
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
@ -21476,13 +21481,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
-## Allow virt to manage cifs files
|
-## Allow virt to manage cifs files
|
||||||
+## Allow svirt to manage nfs files
|
|
||||||
+## </p>
|
|
||||||
+## </desc>
|
|
||||||
+gen_tunable(virt_use_nfs, false)
|
|
||||||
+
|
|
||||||
+## <desc>
|
|
||||||
+## <p>
|
|
||||||
+## Allow svirt to manage cifs files
|
+## Allow svirt to manage cifs files
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
@ -21491,13 +21489,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
-attribute virt_image_type;
|
-attribute virt_image_type;
|
||||||
+## <desc>
|
+## <desc>
|
||||||
+## <p>
|
+## <p>
|
||||||
+## Allow svirt to manage nfs files
|
|
||||||
+## </p>
|
|
||||||
+## </desc>
|
|
||||||
+gen_tunable(virt_use_nfs, false)
|
|
||||||
+
|
|
||||||
+## <desc>
|
|
||||||
+## <p>
|
|
||||||
+## Allow svirt to user serial/parallell communication ports
|
+## Allow svirt to user serial/parallell communication ports
|
||||||
+## </p>
|
+## </p>
|
||||||
+## </desc>
|
+## </desc>
|
||||||
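Review bot: The tunable description `## Allow svirt to user serial/parallell communication ports` carries two typos that will typically be shown verbatim by the boolean tooling generated from the `<desc>` blocks; change it to `## Allow svirt to use serial/parallel communication ports`. The same text appears on both sides of this hunk, so the defect is pre-existing in the patch rather than introduced by this commit, but it is in the new-side code under review.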
@ -21505,7 +21496,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
type virt_etc_t;
|
type virt_etc_t;
|
||||||
files_config_file(virt_etc_t)
|
files_config_file(virt_etc_t)
|
||||||
@@ -29,8 +48,12 @@
|
@@ -29,8 +34,12 @@
|
||||||
files_type(virt_etc_rw_t)
|
files_type(virt_etc_rw_t)
|
||||||
|
|
||||||
# virt Image files
|
# virt Image files
|
||||||
@ -21520,7 +21511,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
type virt_log_t;
|
type virt_log_t;
|
||||||
logging_log_file(virt_log_t)
|
logging_log_file(virt_log_t)
|
||||||
@@ -48,17 +71,39 @@
|
@@ -48,17 +57,39 @@
|
||||||
type virtd_initrc_exec_t;
|
type virtd_initrc_exec_t;
|
||||||
init_script_file(virtd_initrc_exec_t)
|
init_script_file(virtd_initrc_exec_t)
|
||||||
|
|
||||||
@ -21562,7 +21553,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
||||||
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
||||||
|
|
||||||
@@ -67,7 +112,11 @@
|
@@ -67,7 +98,11 @@
|
||||||
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
||||||
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
|
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
|
||||||
|
|
||||||
@ -21575,7 +21566,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
|
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
|
||||||
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
|
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
|
||||||
@@ -86,6 +135,7 @@
|
@@ -86,6 +121,7 @@
|
||||||
kernel_read_network_state(virtd_t)
|
kernel_read_network_state(virtd_t)
|
||||||
kernel_rw_net_sysctls(virtd_t)
|
kernel_rw_net_sysctls(virtd_t)
|
||||||
kernel_load_module(virtd_t)
|
kernel_load_module(virtd_t)
|
||||||
@ -21583,7 +21574,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
corecmd_exec_bin(virtd_t)
|
corecmd_exec_bin(virtd_t)
|
||||||
corecmd_exec_shell(virtd_t)
|
corecmd_exec_shell(virtd_t)
|
||||||
@@ -96,7 +146,7 @@
|
@@ -96,7 +132,7 @@
|
||||||
corenet_tcp_sendrecv_generic_node(virtd_t)
|
corenet_tcp_sendrecv_generic_node(virtd_t)
|
||||||
corenet_tcp_sendrecv_all_ports(virtd_t)
|
corenet_tcp_sendrecv_all_ports(virtd_t)
|
||||||
corenet_tcp_bind_generic_node(virtd_t)
|
corenet_tcp_bind_generic_node(virtd_t)
|
||||||
@ -21592,7 +21583,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
corenet_tcp_bind_vnc_port(virtd_t)
|
corenet_tcp_bind_vnc_port(virtd_t)
|
||||||
corenet_tcp_connect_vnc_port(virtd_t)
|
corenet_tcp_connect_vnc_port(virtd_t)
|
||||||
corenet_tcp_connect_soundd_port(virtd_t)
|
corenet_tcp_connect_soundd_port(virtd_t)
|
||||||
@@ -104,21 +154,39 @@
|
@@ -104,21 +140,39 @@
|
||||||
|
|
||||||
dev_read_sysfs(virtd_t)
|
dev_read_sysfs(virtd_t)
|
||||||
dev_read_rand(virtd_t)
|
dev_read_rand(virtd_t)
|
||||||
@ -21633,7 +21624,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
term_getattr_pty_fs(virtd_t)
|
term_getattr_pty_fs(virtd_t)
|
||||||
term_use_ptmx(virtd_t)
|
term_use_ptmx(virtd_t)
|
||||||
|
|
||||||
@@ -129,6 +197,13 @@
|
@@ -129,6 +183,13 @@
|
||||||
|
|
||||||
logging_send_syslog_msg(virtd_t)
|
logging_send_syslog_msg(virtd_t)
|
||||||
|
|
||||||
@ -21647,7 +21638,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
userdom_read_all_users_state(virtd_t)
|
userdom_read_all_users_state(virtd_t)
|
||||||
|
|
||||||
tunable_policy(`virt_use_nfs',`
|
tunable_policy(`virt_use_nfs',`
|
||||||
@@ -167,22 +242,34 @@
|
@@ -167,22 +228,34 @@
|
||||||
dnsmasq_domtrans(virtd_t)
|
dnsmasq_domtrans(virtd_t)
|
||||||
dnsmasq_signal(virtd_t)
|
dnsmasq_signal(virtd_t)
|
||||||
dnsmasq_kill(virtd_t)
|
dnsmasq_kill(virtd_t)
|
||||||
@ -21670,15 +21661,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ lvm_domtrans(virtd_t)
|
+ lvm_domtrans(virtd_t)
|
||||||
+')
|
+')
|
||||||
+
|
|
||||||
+optional_policy(`
|
optional_policy(`
|
||||||
|
- qemu_domtrans(virtd_t)
|
||||||
+ polkit_domtrans_auth(virtd_t)
|
+ polkit_domtrans_auth(virtd_t)
|
||||||
+ polkit_domtrans_resolve(virtd_t)
|
+ polkit_domtrans_resolve(virtd_t)
|
||||||
+ polkit_read_lib(virtd_t)
|
+ polkit_read_lib(virtd_t)
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
optional_policy(`
|
+optional_policy(`
|
||||||
- qemu_domtrans(virtd_t)
|
|
||||||
+ qemu_spec_domtrans(virtd_t, svirt_t)
|
+ qemu_spec_domtrans(virtd_t, svirt_t)
|
||||||
qemu_read_state(virtd_t)
|
qemu_read_state(virtd_t)
|
||||||
qemu_signal(virtd_t)
|
qemu_signal(virtd_t)
|
||||||
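Review bot: `qemu_spec_domtrans(virtd_t, svirt_t)` puts every libvirt-launched guest into the single svirt_t domain, so type enforcement alone no longer separates guests from each other; whatever guest-to-guest isolation remains must come from per-guest MCS categories assigned by libvirt at launch, which this policy cannot check. A comment at the transition should make that dependency explicit: `# all guests share svirt_t; guest-to-guest isolation relies on libvirt assigning a unique MCS label per domain`. The new `lvm_domtrans(virtd_t)` block gives libvirtd an unconditional transition into lvm_t, a domain that manages block devices, with no boolean in front of it unlike the nfs/cifs/comm features in this file; either gate it behind a tunable or add a one-line comment stating that storage-pool management requires it unconditionally. The paired `polkit_domtrans_auth`/`polkit_domtrans_resolve`/`polkit_read_lib` additions also deserve a one-line why-comment naming the authorization path they serve.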
@ -21687,7 +21678,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -198,5 +285,78 @@
|
@@ -198,5 +271,78 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -25205,7 +25196,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
|
+/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.11/policy/modules/system/mount.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.11/policy/modules/system/mount.if
|
||||||
--- nsaserefpolicy/policy/modules/system/mount.if 2008-11-11 16:13:48.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/mount.if 2008-11-11 16:13:48.000000000 -0500
|
||||||
+++ serefpolicy-3.6.11/policy/modules/system/mount.if 2009-04-06 12:59:54.000000000 -0400
|
+++ serefpolicy-3.6.11/policy/modules/system/mount.if 2009-04-06 15:24:32.000000000 -0400
|
||||||
@@ -43,9 +43,11 @@
|
@@ -43,9 +43,11 @@
|
||||||
|
|
||||||
mount_domtrans($1)
|
mount_domtrans($1)
|
||||||
|