- Fixes for confined xwindows and xdm_t
This commit is contained in:
parent
86369ef439
commit
1062bd3849
@ -6707,7 +6707,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.5.10/policy/modules/kernel/devices.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.5.10/policy/modules/kernel/devices.if
|
||||||
--- nsaserefpolicy/policy/modules/kernel/devices.if 2008-08-07 11:15:01.000000000 -0400
|
--- nsaserefpolicy/policy/modules/kernel/devices.if 2008-08-07 11:15:01.000000000 -0400
|
||||||
+++ serefpolicy-3.5.10/policy/modules/kernel/devices.if 2008-10-03 11:36:44.000000000 -0400
|
+++ serefpolicy-3.5.10/policy/modules/kernel/devices.if 2008-10-06 13:16:47.000000000 -0400
|
||||||
@@ -65,7 +65,7 @@
|
@@ -65,7 +65,7 @@
|
||||||
|
|
||||||
relabelfrom_dirs_pattern($1, device_t, device_node)
|
relabelfrom_dirs_pattern($1, device_t, device_node)
|
||||||
@ -6717,7 +6717,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
relabelfrom_fifo_files_pattern($1, device_t, device_node)
|
relabelfrom_fifo_files_pattern($1, device_t, device_node)
|
||||||
relabelfrom_sock_files_pattern($1, device_t, device_node)
|
relabelfrom_sock_files_pattern($1, device_t, device_node)
|
||||||
relabel_blk_files_pattern($1,device_t,{ device_t device_node })
|
relabel_blk_files_pattern($1,device_t,{ device_t device_node })
|
||||||
@@ -167,6 +167,25 @@
|
@@ -148,6 +148,24 @@
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
+## Del entries to directories in /dev.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed to add entries.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`dev_del_entry_generic_dirs',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type device_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 device_t:dir del_entry_dir_perms;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
## Create a directory in the device directory.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
@@ -167,6 +185,25 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
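Review bot: The documentation added for the new `dev_del_entry_generic_dirs` interface contradicts the rule it wraps: the summary reads `## Del entries to directories in /dev.` while the parameter summary still says `## Domain allowed to add entries.`, apparently carried over from the add-entry interface, although the only rule granted is `allow $1 device_t:dir del_entry_dir_perms;`. Suggest `## Delete entries from directories in /dev.` and `## Domain allowed to delete entries.` so the generated interface reference describes the deletion permission a caller is actually being granted. The surrounding devices.if context continues outside the hunk.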
@ -6743,7 +6768,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Delete a directory in the device directory.
|
## Delete a directory in the device directory.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -667,6 +686,7 @@
|
@@ -667,6 +704,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
dontaudit $1 device_node:blk_file getattr;
|
dontaudit $1 device_node:blk_file getattr;
|
||||||
@ -6751,7 +6776,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -704,6 +724,7 @@
|
@@ -704,6 +742,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
dontaudit $1 device_node:chr_file getattr;
|
dontaudit $1 device_node:chr_file getattr;
|
||||||
@ -6759,7 +6784,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1160,6 +1181,25 @@
|
@@ -1160,6 +1199,25 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -6785,7 +6810,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Read the CPU identity.
|
## Read the CPU identity.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -1958,6 +1998,42 @@
|
@@ -1958,6 +2016,42 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -6828,7 +6853,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Read and write to the null device (/dev/null).
|
## Read and write to the null device (/dev/null).
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -2769,6 +2845,24 @@
|
@@ -2769,6 +2863,24 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -6853,7 +6878,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Read and write generic the USB devices.
|
## Read and write generic the USB devices.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -2787,6 +2881,97 @@
|
@@ -2787,6 +2899,97 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -6951,7 +6976,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Mount a usbfs filesystem.
|
## Mount a usbfs filesystem.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -3322,3 +3507,223 @@
|
@@ -3322,3 +3525,223 @@
|
||||||
|
|
||||||
typeattribute $1 devices_unconfined_type;
|
typeattribute $1 devices_unconfined_type;
|
||||||
')
|
')
|
||||||
@ -8201,7 +8226,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.5.10/policy/modules/kernel/filesystem.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.5.10/policy/modules/kernel/filesystem.te
|
||||||
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2008-08-14 13:08:27.000000000 -0400
|
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2008-08-14 13:08:27.000000000 -0400
|
||||||
+++ serefpolicy-3.5.10/policy/modules/kernel/filesystem.te 2008-10-03 11:36:44.000000000 -0400
|
+++ serefpolicy-3.5.10/policy/modules/kernel/filesystem.te 2008-10-06 14:17:31.000000000 -0400
|
||||||
@@ -21,7 +21,6 @@
|
@@ -21,7 +21,6 @@
|
||||||
|
|
||||||
# Use xattrs for the following filesystem types.
|
# Use xattrs for the following filesystem types.
|
||||||
@ -8222,7 +8247,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
type eventpollfs_t;
|
type eventpollfs_t;
|
||||||
fs_type(eventpollfs_t)
|
fs_type(eventpollfs_t)
|
||||||
# change to task SID 20060628
|
# change to task SID 20060628
|
||||||
@@ -241,6 +245,7 @@
|
@@ -141,6 +145,7 @@
|
||||||
|
fs_noxattr_type(vmblock_t)
|
||||||
|
files_mountpoint(vmblock_t)
|
||||||
|
genfscon vmblock / gen_context(system_u:object_r:vmblock_t,s0)
|
||||||
|
+genfscon vboxsf / gen_context(system_u:object_r:vmblock_t,s0)
|
||||||
|
|
||||||
|
type vxfs_t;
|
||||||
|
fs_noxattr_type(vxfs_t)
|
||||||
|
@@ -241,6 +246,7 @@
|
||||||
genfscon lustre / gen_context(system_u:object_r:nfs_t,s0)
|
genfscon lustre / gen_context(system_u:object_r:nfs_t,s0)
|
||||||
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
|
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||||
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
|
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||||
@ -8320,7 +8353,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
files_read_default_files(kernel_t)
|
files_read_default_files(kernel_t)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.5.10/policy/modules/kernel/selinux.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.5.10/policy/modules/kernel/selinux.if
|
||||||
--- nsaserefpolicy/policy/modules/kernel/selinux.if 2008-08-07 11:15:01.000000000 -0400
|
--- nsaserefpolicy/policy/modules/kernel/selinux.if 2008-08-07 11:15:01.000000000 -0400
|
||||||
+++ serefpolicy-3.5.10/policy/modules/kernel/selinux.if 2008-10-03 11:36:44.000000000 -0400
|
+++ serefpolicy-3.5.10/policy/modules/kernel/selinux.if 2008-10-06 13:08:30.000000000 -0400
|
||||||
@@ -164,6 +164,7 @@
|
@@ -164,6 +164,7 @@
|
||||||
type security_t;
|
type security_t;
|
||||||
')
|
')
|
||||||
@ -8660,8 +8693,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.5.10/policy/modules/roles/guest.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.5.10/policy/modules/roles/guest.te
|
||||||
--- nsaserefpolicy/policy/modules/roles/guest.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/roles/guest.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.5.10/policy/modules/roles/guest.te 2008-10-03 11:36:44.000000000 -0400
|
+++ serefpolicy-3.5.10/policy/modules/roles/guest.te 2008-10-06 12:29:55.000000000 -0400
|
||||||
@@ -0,0 +1,34 @@
|
@@ -0,0 +1,35 @@
|
||||||
+
|
+
|
||||||
+policy_module(guest, 1.0.0)
|
+policy_module(guest, 1.0.0)
|
||||||
+
|
+
|
||||||
@ -8687,6 +8720,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+ mono_per_role_template(guest, guest_t, guest_r)
|
+ mono_per_role_template(guest, guest_t, guest_r)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ type xguest_t;
|
+ type xguest_t;
|
||||||
@ -18892,7 +18926,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.10/policy/modules/services/networkmanager.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.10/policy/modules/services/networkmanager.te
|
||||||
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-09-24 09:07:28.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-09-24 09:07:28.000000000 -0400
|
||||||
+++ serefpolicy-3.5.10/policy/modules/services/networkmanager.te 2008-10-03 11:37:02.000000000 -0400
|
+++ serefpolicy-3.5.10/policy/modules/services/networkmanager.te 2008-10-06 12:42:23.000000000 -0400
|
||||||
@@ -33,9 +33,9 @@
|
@@ -33,9 +33,9 @@
|
||||||
|
|
||||||
# networkmanager will ptrace itself if gdb is installed
|
# networkmanager will ptrace itself if gdb is installed
|
||||||
@ -19033,12 +19067,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -174,9 +208,18 @@
|
@@ -174,9 +208,19 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- ppp_domtrans(NetworkManager_t)
|
|
||||||
+ ppp_initrc_domtrans(NetworkManager_t)
|
+ ppp_initrc_domtrans(NetworkManager_t)
|
||||||
|
ppp_domtrans(NetworkManager_t)
|
||||||
ppp_read_pid_files(NetworkManager_t)
|
ppp_read_pid_files(NetworkManager_t)
|
||||||
+ ppp_sigkill(NetworkManager_t)
|
+ ppp_sigkill(NetworkManager_t)
|
||||||
ppp_signal(NetworkManager_t)
|
ppp_signal(NetworkManager_t)
|
||||||
@ -19053,7 +19087,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -221,3 +264,28 @@
|
@@ -221,3 +265,28 @@
|
||||||
miscfiles_read_localization(wpa_cli_t)
|
miscfiles_read_localization(wpa_cli_t)
|
||||||
|
|
||||||
term_dontaudit_use_console(wpa_cli_t)
|
term_dontaudit_use_console(wpa_cli_t)
|
||||||
@ -22900,15 +22934,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
unconfined_shell_domtrans(rshd_t)
|
unconfined_shell_domtrans(rshd_t)
|
||||||
+ unconfined_signal(rshd_t)
|
+ unconfined_signal(rshd_t)
|
||||||
')
|
')
|
||||||
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.fc serefpolicy-3.5.10/policy/modules/services/rsync.fc
|
||||||
|
--- nsaserefpolicy/policy/modules/services/rsync.fc 2008-08-07 11:15:11.000000000 -0400
|
||||||
|
+++ serefpolicy-3.5.10/policy/modules/services/rsync.fc 2008-10-06 08:55:56.000000000 -0400
|
||||||
|
@@ -3,4 +3,4 @@
|
||||||
|
|
||||||
|
/var/log/rsync\.log -- gen_context(system_u:object_r:rsync_log_t,s0)
|
||||||
|
|
||||||
|
-/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_log_t,s0)
|
||||||
|
+/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.5.10/policy/modules/services/rsync.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.5.10/policy/modules/services/rsync.te
|
||||||
--- nsaserefpolicy/policy/modules/services/rsync.te 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/rsync.te 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.10/policy/modules/services/rsync.te 2008-10-03 11:36:44.000000000 -0400
|
+++ serefpolicy-3.5.10/policy/modules/services/rsync.te 2008-10-06 12:50:44.000000000 -0400
|
||||||
@@ -45,7 +45,7 @@
|
@@ -45,7 +45,7 @@
|
||||||
# Local policy
|
# Local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
-allow rsync_t self:capability { dac_read_search dac_override setuid setgid sys_chroot };
|
-allow rsync_t self:capability { dac_read_search dac_override setuid setgid sys_chroot };
|
||||||
+allow rsync_t self:capability { chown dac_read_search dac_override setuid setgid sys_chroot };
|
+allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot };
|
||||||
allow rsync_t self:process signal_perms;
|
allow rsync_t self:process signal_perms;
|
||||||
allow rsync_t self:fifo_file rw_fifo_file_perms;
|
allow rsync_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow rsync_t self:tcp_socket create_stream_socket_perms;
|
allow rsync_t self:tcp_socket create_stream_socket_perms;
|
||||||
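Review bot: The new capability rule `allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot };` widens rsync_t beyond the earlier `chown` addition without saying why fowner and fsetid are needed. fowner bypasses the owner check on permission and attribute changes, and fsetid lets the daemon keep set-user-ID/set-group-ID bits across the ownership and mode changes it performs, so for a writable module served to remote peers this decides whether a received file keeps its set-id bits or has them stripped. A one-line comment above the rule would let the next maintainer weigh that, e.g. `# chown/fowner/fsetid: preserve owner, mode and set-id bits on received files (archive-mode transfers as root)`; presumably that transfer mode is the motivating denial — confirm against the AVC messages behind the change. The rsync_t local-policy block continues outside the hunk.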
@ -24232,7 +24275,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.5.10/policy/modules/services/smartmon.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.5.10/policy/modules/services/smartmon.te
|
||||||
--- nsaserefpolicy/policy/modules/services/smartmon.te 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/smartmon.te 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.10/policy/modules/services/smartmon.te 2008-10-03 11:36:44.000000000 -0400
|
+++ serefpolicy-3.5.10/policy/modules/services/smartmon.te 2008-10-06 13:16:57.000000000 -0400
|
||||||
@@ -10,6 +10,9 @@
|
@@ -10,6 +10,9 @@
|
||||||
type fsdaemon_exec_t;
|
type fsdaemon_exec_t;
|
||||||
init_daemon_domain(fsdaemon_t, fsdaemon_exec_t)
|
init_daemon_domain(fsdaemon_t, fsdaemon_exec_t)
|
||||||
@ -24243,7 +24286,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
type fsdaemon_var_run_t;
|
type fsdaemon_var_run_t;
|
||||||
files_pid_file(fsdaemon_var_run_t)
|
files_pid_file(fsdaemon_var_run_t)
|
||||||
|
|
||||||
@@ -28,6 +31,7 @@
|
@@ -23,11 +26,12 @@
|
||||||
|
|
||||||
|
allow fsdaemon_t self:capability { setgid sys_rawio sys_admin };
|
||||||
|
dontaudit fsdaemon_t self:capability sys_tty_config;
|
||||||
|
-allow fsdaemon_t self:process signal_perms;
|
||||||
|
+allow fsdaemon_t self:process { signal_perms setfscreate };
|
||||||
|
allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow fsdaemon_t self:unix_dgram_socket create_socket_perms;
|
allow fsdaemon_t self:unix_dgram_socket create_socket_perms;
|
||||||
allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms;
|
allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
allow fsdaemon_t self:udp_socket create_socket_perms;
|
allow fsdaemon_t self:udp_socket create_socket_perms;
|
||||||
@ -24271,6 +24320,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
sysadm_dontaudit_search_home_dirs(fsdaemon_t)
|
sysadm_dontaudit_search_home_dirs(fsdaemon_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@@ -95,3 +99,10 @@
|
||||||
|
optional_policy(`
|
||||||
|
udev_read_db(fsdaemon_t)
|
||||||
|
')
|
||||||
|
+
|
||||||
|
+dev_del_entry_generic_dirs(fsdaemon_t)
|
||||||
|
+storage_dev_filetrans_fixed_disk(fsdaemon_t)
|
||||||
|
+storage_manage_fixed_disk(fsdaemon_t)
|
||||||
|
+seutil_read_file_contexts(fsdaemon_t)
|
||||||
|
+selinux_validate_context(fsdaemon_t)
|
||||||
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.5.10/policy/modules/services/snmp.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.5.10/policy/modules/services/snmp.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/snmp.fc 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/snmp.fc 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.10/policy/modules/services/snmp.fc 2008-10-03 11:36:44.000000000 -0400
|
+++ serefpolicy-3.5.10/policy/modules/services/snmp.fc 2008-10-03 11:36:44.000000000 -0400
|
||||||
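Review bot: The calls appended after the udev `optional_policy` block — `dev_del_entry_generic_dirs(fsdaemon_t)`, `storage_dev_filetrans_fixed_disk(fsdaemon_t)` and `storage_manage_fixed_disk(fsdaemon_t)` — give smartd create and delete rights on fixed-disk device nodes and on /dev directory entries rather than only I/O on existing nodes, and together with the `setfscreate` plus `seutil_read_file_contexts`/`selinux_validate_context` additions they presumably let it create and label device nodes itself; the hunk does not say which operation needed that. A comment stating the motivating behaviour would let reviewers judge whether the narrower raw read/write storage interfaces would have been sufficient, e.g. `# smartd creates/removes its own disk device nodes under /dev and labels them via file_contexts -- confirm against the original denials`. The same justification would cover the `setfscreate` line added to the `fsdaemon_t self:process` rule in the previous hunk.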
@ -26535,7 +26595,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.10/policy/modules/services/xserver.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.10/policy/modules/services/xserver.if
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.if 2008-09-24 09:07:28.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/xserver.if 2008-09-24 09:07:28.000000000 -0400
|
||||||
+++ serefpolicy-3.5.10/policy/modules/services/xserver.if 2008-10-03 16:06:18.000000000 -0400
|
+++ serefpolicy-3.5.10/policy/modules/services/xserver.if 2008-10-06 12:32:14.000000000 -0400
|
||||||
@@ -16,6 +16,7 @@
|
@@ -16,6 +16,7 @@
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type xkb_var_lib_t, xserver_exec_t, xserver_log_t;
|
type xkb_var_lib_t, xserver_exec_t, xserver_log_t;
|
||||||
@ -26665,14 +26725,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
- #
|
- #
|
||||||
- # $1_xserver_t Local policy
|
- # $1_xserver_t Local policy
|
||||||
- #
|
- #
|
||||||
-
|
|
||||||
- domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
|
|
||||||
+ allow $1_xserver_t xauth_home_t:file { getattr read };
|
+ allow $1_xserver_t xauth_home_t:file { getattr read };
|
||||||
|
|
||||||
- allow $1_xserver_t $1_xauth_home_t:file { getattr read };
|
- domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
|
||||||
+ domtrans_pattern($1_xserver_t, xauth_exec_t, xauth_t)
|
+ domtrans_pattern($1_xserver_t, xauth_exec_t, xauth_t)
|
||||||
+ role $3 types xauth_t;
|
+ role $3 types xauth_t;
|
||||||
|
|
||||||
|
- allow $1_xserver_t $1_xauth_home_t:file { getattr read };
|
||||||
|
-
|
||||||
- domtrans_pattern($2, xserver_exec_t, $1_xserver_t)
|
- domtrans_pattern($2, xserver_exec_t, $1_xserver_t)
|
||||||
allow $1_xserver_t $2:process signal;
|
allow $1_xserver_t $2:process signal;
|
||||||
|
|
||||||
@ -26740,15 +26800,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
-
|
-
|
||||||
- allow $1_xauth_t $1_xauth_home_t:file manage_file_perms;
|
- allow $1_xauth_t $1_xauth_home_t:file manage_file_perms;
|
||||||
- userdom_user_home_dir_filetrans($1, $1_xauth_t, $1_xauth_home_t,file)
|
- userdom_user_home_dir_filetrans($1, $1_xauth_t, $1_xauth_home_t,file)
|
||||||
-
|
+ domtrans_pattern($2, xauth_exec_t, xauth_t)
|
||||||
|
+ allow $2 xauth_t:process signal;
|
||||||
|
|
||||||
- manage_dirs_pattern($1_xauth_t, $1_xauth_tmp_t, $1_xauth_tmp_t)
|
- manage_dirs_pattern($1_xauth_t, $1_xauth_tmp_t, $1_xauth_tmp_t)
|
||||||
- manage_files_pattern($1_xauth_t, $1_xauth_tmp_t, $1_xauth_tmp_t)
|
- manage_files_pattern($1_xauth_t, $1_xauth_tmp_t, $1_xauth_tmp_t)
|
||||||
- files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir })
|
- files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir })
|
||||||
-
|
-
|
||||||
- domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
|
- domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
|
||||||
+ domtrans_pattern($2, xauth_exec_t, xauth_t)
|
-
|
||||||
+ allow $2 xauth_t:process signal;
|
|
||||||
|
|
||||||
- allow $2 $1_xauth_t:process signal;
|
- allow $2 $1_xauth_t:process signal;
|
||||||
+ allow $2 xauth_home_t:file manage_file_perms;
|
+ allow $2 xauth_home_t:file manage_file_perms;
|
||||||
+ allow $2 xauth_home_t:file { relabelfrom relabelto };
|
+ allow $2 xauth_home_t:file { relabelfrom relabelto };
|
||||||
@ -26772,13 +26832,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
-
|
-
|
||||||
- # cjp: why?
|
- # cjp: why?
|
||||||
- term_use_ptmx($1_xauth_t)
|
- term_use_ptmx($1_xauth_t)
|
||||||
+ ps_process_pattern($2,xauth_t)
|
-
|
||||||
|
|
||||||
- auth_use_nsswitch($1_xauth_t)
|
- auth_use_nsswitch($1_xauth_t)
|
||||||
-
|
-
|
||||||
- libs_use_ld_so($1_xauth_t)
|
- libs_use_ld_so($1_xauth_t)
|
||||||
- libs_use_shared_libs($1_xauth_t)
|
- libs_use_shared_libs($1_xauth_t)
|
||||||
-
|
+ ps_process_pattern($2,xauth_t)
|
||||||
|
|
||||||
- userdom_use_user_terminals($1, $1_xauth_t)
|
- userdom_use_user_terminals($1, $1_xauth_t)
|
||||||
- userdom_read_user_tmp_files($1, $1_xauth_t)
|
- userdom_read_user_tmp_files($1, $1_xauth_t)
|
||||||
-
|
-
|
||||||
@ -26818,7 +26878,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+ allow $2 iceauth_home_t:file { relabelfrom relabelto };
|
+ allow $2 iceauth_home_t:file { relabelfrom relabelto };
|
||||||
|
|
||||||
- allow xdm_t $1_iceauth_home_t:file read_file_perms;
|
- allow xdm_t $1_iceauth_home_t:file read_file_perms;
|
||||||
+ allow xdm_t iceauth_home_t:file read_file_perms;
|
+ xserver_use_xdm($2)
|
||||||
|
|
||||||
fs_search_auto_mountpoints($1_iceauth_t)
|
fs_search_auto_mountpoints($1_iceauth_t)
|
||||||
|
|
||||||
@ -26879,7 +26939,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
# for when /tmp/.X11-unix is created by the system
|
# for when /tmp/.X11-unix is created by the system
|
||||||
allow $2 xdm_t:fd use;
|
allow $2 xdm_t:fd use;
|
||||||
@@ -643,11 +572,109 @@
|
@@ -643,13 +572,208 @@
|
||||||
|
|
||||||
xserver_read_xdm_tmp_files($2)
|
xserver_read_xdm_tmp_files($2)
|
||||||
|
|
||||||
@ -26921,8 +26981,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+ attribute x_domain;
|
+ attribute x_domain;
|
||||||
+ type $1_xserver_t;
|
+ type $1_xserver_t;
|
||||||
+# type $2_input_xevent_t;
|
+# type $2_input_xevent_t;
|
||||||
+ ')
|
')
|
||||||
+
|
|
||||||
+ allow $1_xserver_t self:netlink_selinux_socket create_socket_perms;
|
+ allow $1_xserver_t self:netlink_selinux_socket create_socket_perms;
|
||||||
+
|
+
|
||||||
+# typeattribute $2_input_xevent_t $1_input_xevent_type;
|
+# typeattribute $2_input_xevent_t $1_input_xevent_type;
|
||||||
@ -26990,13 +27050,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
+ allow $1_xserver_t input_xevent_t:x_event send;
|
+ allow $1_xserver_t input_xevent_t:x_event send;
|
||||||
+ allow $1_xserver_t $1_rootwindow_t:x_drawable send;
|
+ allow $1_xserver_t $1_rootwindow_t:x_drawable send;
|
||||||
')
|
+')
|
||||||
|
+
|
||||||
#######################################
|
+#######################################
|
||||||
@@ -662,6 +689,103 @@
|
+## <summary>
|
||||||
## is the prefix for user_t).
|
+## Interface to provide X object permissions on a given X server to
|
||||||
## </summary>
|
+## an X client domain. Provides the minimal set required by a basic
|
||||||
## </param>
|
+## X client application.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="user">
|
||||||
|
+## <summary>
|
||||||
|
+## The prefix of the X server domain (e.g., user
|
||||||
|
+## is the prefix for user_t).
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Client domain allowed access.
|
+## Client domain allowed access.
|
||||||
@ -27082,21 +27149,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+
|
+
|
||||||
+#######################################
|
#######################################
|
||||||
+## <summary>
|
## <summary>
|
||||||
+## Interface to provide X object permissions on a given X server to
|
## Interface to provide X object permissions on a given X server to
|
||||||
+## an X client domain. Provides the minimal set required by a basic
|
|
||||||
+## X client application.
|
|
||||||
+## </summary>
|
|
||||||
+## <param name="user">
|
|
||||||
+## <summary>
|
|
||||||
+## The prefix of the X server domain (e.g., user
|
|
||||||
+## is the prefix for user_t).
|
|
||||||
+## </summary>
|
|
||||||
+## </param>
|
|
||||||
## <param name="prefix">
|
|
||||||
## <summary>
|
|
||||||
## The prefix of the X client domain (e.g., user
|
|
||||||
@@ -676,7 +800,7 @@
|
@@ -676,7 +800,7 @@
|
||||||
#
|
#
|
||||||
template(`xserver_common_x_domain_template',`
|
template(`xserver_common_x_domain_template',`
|
||||||
@ -27237,13 +27292,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
tunable_policy(`! xserver_object_manager',`
|
tunable_policy(`! xserver_object_manager',`
|
||||||
# should be xserver_unconfined($3),
|
# should be xserver_unconfined($3),
|
||||||
@@ -879,17 +1007,17 @@
|
@@ -879,24 +1007,17 @@
|
||||||
#
|
#
|
||||||
template(`xserver_user_x_domain_template',`
|
template(`xserver_user_x_domain_template',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
- type xdm_t, xdm_tmp_t;
|
- type xdm_t, xdm_tmp_t;
|
||||||
- type $1_xauth_home_t, $1_iceauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t;
|
- type $1_xauth_home_t, $1_iceauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t;
|
||||||
+ type xdm_t, xdm_tmp_t, xdm_xproperty_t;
|
+ type xdm_xproperty_t;
|
||||||
+ type xauth_home_t, iceauth_home_t;
|
+ type xauth_home_t, iceauth_home_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
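Review bot: The `gen_require` of `xserver_user_x_domain_template` is reduced to `type xdm_xproperty_t;` and `type xauth_home_t, iceauth_home_t;`, dropping xdm_t and xdm_tmp_t, while the template body continues outside the hunk; any direct reference to those two types remaining in the body must now go through an xserver interface (as the `xserver_use_xdm($3)` added in the later hunk does) or the module may fail to build with an undeclared type. Worth a policy build, or a search of the template for `xdm_t` and `xdm_tmp_t`, before merging. The matching rule replacement is in the hunk headed `@ -27271,13 +27338,12 @@`.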
@ -27257,12 +27312,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# Read .Xauthority file
|
# Read .Xauthority file
|
||||||
- allow $3 $1_xauth_home_t:file { getattr read };
|
- allow $3 $1_xauth_home_t:file { getattr read };
|
||||||
- allow $3 $1_iceauth_home_t:file { getattr read };
|
- allow $3 $1_iceauth_home_t:file { getattr read };
|
||||||
|
-
|
||||||
|
- # for when /tmp/.X11-unix is created by the system
|
||||||
|
- allow $3 xdm_t:fd use;
|
||||||
|
- allow $3 xdm_t:fifo_file { getattr read write ioctl };
|
||||||
|
- allow $3 xdm_tmp_t:dir search;
|
||||||
|
- allow $3 xdm_tmp_t:sock_file { read write };
|
||||||
|
- dontaudit $3 xdm_t:tcp_socket { read write };
|
||||||
+ allow $3 xauth_home_t:file { getattr read };
|
+ allow $3 xauth_home_t:file { getattr read };
|
||||||
+ allow $3 iceauth_home_t:file { getattr read };
|
+ allow $3 iceauth_home_t:file { getattr read };
|
||||||
|
|
||||||
# for when /tmp/.X11-unix is created by the system
|
# Allow connections to X server.
|
||||||
allow $3 xdm_t:fd use;
|
files_search_tmp($3)
|
||||||
@@ -916,11 +1044,9 @@
|
@@ -911,16 +1032,11 @@
|
||||||
|
xserver_rw_session_template($1, $3, $4)
|
||||||
|
xserver_use_user_fonts($1, $3)
|
||||||
|
|
||||||
|
- xserver_read_xdm_tmp_files($3)
|
||||||
|
-
|
||||||
# X object manager
|
# X object manager
|
||||||
xserver_common_x_domain_template($1, $2, $3)
|
xserver_common_x_domain_template($1, $2, $3)
|
||||||
|
|
||||||
@ -27271,13 +27338,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
- allow $3 $1_xserver_t:shm rw_shm_perms;
|
- allow $3 $1_xserver_t:shm rw_shm_perms;
|
||||||
- allow $3 $1_xserver_tmpfs_t:file rw_file_perms;
|
- allow $3 $1_xserver_tmpfs_t:file rw_file_perms;
|
||||||
- ')
|
- ')
|
||||||
+ allow $3 xdm_t:x_client { getattr destroy };
|
|
||||||
+ allow $3 xdm_t:x_drawable { receive get_property getattr send list_child };
|
|
||||||
+ allow $3 xdm_xproperty_t:x_property { write read };
|
+ allow $3 xdm_xproperty_t:x_property { write read };
|
||||||
|
+ xserver_use_xdm($3)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -952,26 +1078,43 @@
|
@@ -952,26 +1068,43 @@
|
||||||
#
|
#
|
||||||
template(`xserver_use_user_fonts',`
|
template(`xserver_use_user_fonts',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -27328,15 +27394,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Transition to a user Xauthority domain.
|
## Transition to a user Xauthority domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <desc>
|
## <desc>
|
||||||
@@ -997,10 +1140,77 @@
|
@@ -997,10 +1130,77 @@
|
||||||
#
|
#
|
||||||
template(`xserver_domtrans_user_xauth',`
|
template(`xserver_domtrans_user_xauth',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
- type $1_xauth_t, xauth_exec_t;
|
- type $1_xauth_t, xauth_exec_t;
|
||||||
+ type xauth_t, xauth_exec_t;
|
+ type xauth_t, xauth_exec_t;
|
||||||
')
|
+ ')
|
||||||
|
+
|
||||||
- domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
|
|
||||||
+ domtrans_pattern($2, xauth_exec_t, xauth_t)
|
+ domtrans_pattern($2, xauth_exec_t, xauth_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
@ -27368,8 +27433,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+template(`xserver_read_user_xauth',`
|
+template(`xserver_read_user_xauth',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ type xauth_home_t;
|
+ type xauth_home_t;
|
||||||
+ ')
|
')
|
||||||
+
|
|
||||||
|
- domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
|
||||||
+ allow $2 xauth_home_t:file { getattr read };
|
+ allow $2 xauth_home_t:file { getattr read };
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
@ -27408,7 +27474,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1030,10 +1240,10 @@
|
@@ -1030,10 +1230,10 @@
|
||||||
#
|
#
|
||||||
template(`xserver_user_home_dir_filetrans_user_xauth',`
|
template(`xserver_user_home_dir_filetrans_user_xauth',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -27421,7 +27487,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1219,6 +1429,25 @@
|
@@ -1219,6 +1419,25 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -27447,7 +27513,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Read xdm-writable configuration files.
|
## Read xdm-writable configuration files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -1273,6 +1502,7 @@
|
@@ -1273,6 +1492,7 @@
|
||||||
files_search_tmp($1)
|
files_search_tmp($1)
|
||||||
allow $1 xdm_tmp_t:dir list_dir_perms;
|
allow $1 xdm_tmp_t:dir list_dir_perms;
|
||||||
create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
|
create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
|
||||||
@ -27455,7 +27521,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1291,7 +1521,7 @@
|
@@ -1291,7 +1511,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
files_search_pids($1)
|
files_search_pids($1)
|
||||||
@ -27464,7 +27530,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1314,6 +1544,24 @@
|
@@ -1314,6 +1534,24 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -27489,7 +27555,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Execute the X server in the XDM X server domain.
|
## Execute the X server in the XDM X server domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -1324,15 +1572,47 @@
|
@@ -1324,15 +1562,47 @@
|
||||||
#
|
#
|
||||||
interface(`xserver_domtrans_xdm_xserver',`
|
interface(`xserver_domtrans_xdm_xserver',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -27538,7 +27604,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Make an X session script an entrypoint for the specified domain.
|
## Make an X session script an entrypoint for the specified domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -1482,7 +1762,7 @@
|
@@ -1482,7 +1752,7 @@
|
||||||
type xdm_xserver_tmp_t;
|
type xdm_xserver_tmp_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -27547,7 +27613,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1674,6 +1954,26 @@
|
@@ -1674,6 +1944,26 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -27574,7 +27640,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## xdm xserver RW shared memory socket.
|
## xdm xserver RW shared memory socket.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -1692,6 +1992,24 @@
|
@@ -1692,6 +1982,24 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -27599,7 +27665,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Interface to provide X object permissions on a given X server to
|
## Interface to provide X object permissions on a given X server to
|
||||||
## an X client domain. Gives the domain complete control over the
|
## an X client domain. Gives the domain complete control over the
|
||||||
## display.
|
## display.
|
||||||
@@ -1704,8 +2022,127 @@
|
@@ -1704,8 +2012,157 @@
|
||||||
#
|
#
|
||||||
interface(`xserver_unconfined',`
|
interface(`xserver_unconfined',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -27663,15 +27729,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ type fonts_home_t;
|
+ type fonts_home_t;
|
||||||
+ type fonts_config_home_t;
|
+ type fonts_config_home_t;
|
||||||
')
|
+ ')
|
||||||
|
+
|
||||||
- typeattribute $1 xserver_unconfined_type;
|
|
||||||
+ manage_dirs_pattern($1, fonts_home_t, fonts_home_t)
|
+ manage_dirs_pattern($1, fonts_home_t, fonts_home_t)
|
||||||
+ manage_files_pattern($1, fonts_home_t, fonts_home_t)
|
+ manage_files_pattern($1, fonts_home_t, fonts_home_t)
|
||||||
+ manage_lnk_files_pattern($1, fonts_home_t, fonts_home_t)
|
+ manage_lnk_files_pattern($1, fonts_home_t, fonts_home_t)
|
||||||
+
|
+
|
||||||
+ manage_files_pattern($1, fonts_config_home_t, fonts_config_home_t)
|
+ manage_files_pattern($1, fonts_config_home_t, fonts_config_home_t)
|
||||||
')
|
+')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
@ -27729,9 +27794,40 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+ dontaudit $1 xdm_home_t:file rw_file_perms;
|
+ dontaudit $1 xdm_home_t:file rw_file_perms;
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
+#######################################
|
||||||
|
+## <summary>
|
||||||
|
+## Interface to provide X object permissions on a given X server to
|
||||||
|
+## an X client domain. Provides the minimal set required by a basic
|
||||||
|
+## X client application.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Client domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`xserver_use_xdm',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type xdm_t, xdm_tmp_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
- typeattribute $1 xserver_unconfined_type;
|
||||||
|
+ allow $1 xdm_t:fd use;
|
||||||
|
+ allow $1 xdm_t:fifo_file { getattr read write ioctl };
|
||||||
|
+ dontaudit $1 xdm_t:tcp_socket { read write };
|
||||||
|
+
|
||||||
|
+ # Allow connections to X server.
|
||||||
|
+ xserver_stream_connect_xdm($1)
|
||||||
|
+ xserver_read_xdm_tmp_files($1)
|
||||||
|
+ xserver_xdm_stream_connect($1)
|
||||||
|
+
|
||||||
|
+ allow $1 xdm_t:x_client { getattr destroy };
|
||||||
|
+ allow $1 xdm_t:x_drawable { read receive get_property getattr send list_child };
|
||||||
|
+ allow $1 xdm_xproperty_t:x_property { write read };
|
||||||
|
')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.5.10/policy/modules/services/xserver.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.5.10/policy/modules/services/xserver.te
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2008-09-24 09:07:28.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/xserver.te 2008-09-24 09:07:28.000000000 -0400
|
||||||
+++ serefpolicy-3.5.10/policy/modules/services/xserver.te 2008-10-03 16:06:35.000000000 -0400
|
+++ serefpolicy-3.5.10/policy/modules/services/xserver.te 2008-10-06 12:03:23.000000000 -0400
|
||||||
@@ -8,6 +8,14 @@
|
@@ -8,6 +8,14 @@
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
@ -28278,7 +28374,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+ ssh_dontaudit_rw_tcp_sockets(xauth_t)
|
+ ssh_dontaudit_rw_tcp_sockets(xauth_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+
|
+allow xdm_t iceauth_home_t:file read_file_perms;
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabbix.fc serefpolicy-3.5.10/policy/modules/services/zabbix.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabbix.fc serefpolicy-3.5.10/policy/modules/services/zabbix.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/zabbix.fc 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/zabbix.fc 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.10/policy/modules/services/zabbix.fc 2008-10-03 11:36:44.000000000 -0400
|
+++ serefpolicy-3.5.10/policy/modules/services/zabbix.fc 2008-10-03 11:36:44.000000000 -0400
|
||||||
@ -29538,7 +29634,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.10/policy/modules/system/libraries.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.10/policy/modules/system/libraries.fc
|
||||||
--- nsaserefpolicy/policy/modules/system/libraries.fc 2008-08-13 15:24:56.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/libraries.fc 2008-08-13 15:24:56.000000000 -0400
|
||||||
+++ serefpolicy-3.5.10/policy/modules/system/libraries.fc 2008-10-03 11:36:44.000000000 -0400
|
+++ serefpolicy-3.5.10/policy/modules/system/libraries.fc 2008-10-06 12:36:31.000000000 -0400
|
||||||
@@ -60,12 +60,15 @@
|
@@ -60,12 +60,15 @@
|
||||||
#
|
#
|
||||||
# /opt
|
# /opt
|
||||||
@ -29618,7 +29714,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
') dnl end distro_redhat
|
') dnl end distro_redhat
|
||||||
|
|
||||||
#
|
#
|
||||||
@@ -310,3 +321,13 @@
|
@@ -310,3 +321,15 @@
|
||||||
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||||
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||||
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
|
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
|
||||||
@ -29632,6 +29728,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/usr/lib/oracle/.*/lib/libnnz10\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
+/usr/lib/oracle/.*/lib/libnnz10\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
+
|
+
|
||||||
+/opt/novell/groupwise/client/lib/libgwapijni\.so\.1 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
+/opt/novell/groupwise/client/lib/libgwapijni\.so\.1 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
+
|
||||||
|
+/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.5.10/policy/modules/system/libraries.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.5.10/policy/modules/system/libraries.te
|
||||||
--- nsaserefpolicy/policy/modules/system/libraries.te 2008-08-13 15:24:56.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/libraries.te 2008-08-13 15:24:56.000000000 -0400
|
||||||
+++ serefpolicy-3.5.10/policy/modules/system/libraries.te 2008-10-03 11:36:44.000000000 -0400
|
+++ serefpolicy-3.5.10/policy/modules/system/libraries.te 2008-10-03 11:36:44.000000000 -0400
|
||||||
|
@ -17,7 +17,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.5.10
|
Version: 3.5.10
|
||||||
Release: 2%{?dist}
|
Release: 3%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -390,6 +390,9 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Oct 6 2008 Dan Walsh <dwalsh@redhat.com> 3.5.10-3
|
||||||
|
- Fixes for confined xwindows and xdm_t
|
||||||
|
|
||||||
* Fri Oct 3 2008 Dan Walsh <dwalsh@redhat.com> 3.5.10-2
|
* Fri Oct 3 2008 Dan Walsh <dwalsh@redhat.com> 3.5.10-2
|
||||||
- Allow confined users and xdm to exec wm
|
- Allow confined users and xdm to exec wm
|
||||||
- Allow nsplugin to talk to fifo files on nfs
|
- Allow nsplugin to talk to fifo files on nfs
|
||||||
|