- Additional ports for vnc and allow qemu and libvirt to search all
directories
parent
b19d470cd4
commit
11ac4bcde1
@ -3058,7 +3058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys
|
||||
+userdom_dontaudit_write_unpriv_user_home_content_files(loadkeys_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.2.6/policy/modules/apps/mono.if
|
||||
--- nsaserefpolicy/policy/modules/apps/mono.if 2007-01-02 12:57:22.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/apps/mono.if 2008-02-01 16:01:42.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/apps/mono.if 2008-02-02 10:25:13.000000000 -0500
|
||||
@@ -18,3 +18,105 @@
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, mono_exec_t, mono_t)
|
||||
@ -3154,7 +3154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if
|
||||
+
|
||||
+ userdom_unpriv_usertype($1, $1_mono_t)
|
||||
+
|
||||
+ allow $1_mono_t self:process { execheap execmem };
|
||||
+ allow $1_mono_t self:process { ptrace signal getsched execheap execmem };
|
||||
+ allow $2 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
|
||||
+
|
||||
+ domtrans_pattern($2, mono_exec_t, $1_mono_t)
|
||||
@ -3167,13 +3167,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.2.6/policy/modules/apps/mono.te
|
||||
--- nsaserefpolicy/policy/modules/apps/mono.te 2007-12-19 05:32:09.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/apps/mono.te 2008-02-01 16:01:42.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/apps/mono.te 2008-02-02 10:38:18.000000000 -0500
|
||||
@@ -15,7 +15,7 @@
|
||||
# Local policy
|
||||
#
|
||||
|
||||
-allow mono_t self:process { execheap execmem };
|
||||
+allow mono_t self:process { signal getsched execheap execmem };
|
||||
+allow mono_t self:process { ptrace signal getsched execheap execmem };
|
||||
|
||||
userdom_generic_user_home_dir_filetrans_generic_user_home_content(mono_t,{ dir file lnk_file fifo_file sock_file })
|
||||
|
||||
@ -4818,7 +4818,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
|
||||
########################################
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.6/policy/modules/kernel/corenetwork.te.in
|
||||
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-02-01 09:12:53.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/kernel/corenetwork.te.in 2008-02-01 16:01:42.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/kernel/corenetwork.te.in 2008-02-02 10:38:16.000000000 -0500
|
||||
@@ -82,6 +82,7 @@
|
||||
network_port(clockspeed, udp,4041,s0)
|
||||
network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
|
||||
@ -4861,6 +4861,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
|
||||
network_port(rsh, tcp,514,s0)
|
||||
network_port(rsync, tcp,873,s0, udp,873,s0)
|
||||
network_port(rwho, udp,513,s0)
|
||||
@@ -171,6 +176,8 @@
|
||||
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
|
||||
network_port(uucpd, tcp,540,s0)
|
||||
network_port(vnc, tcp,5900,s0)
|
||||
+# Reserve 50 ports for vnc/virt machines
|
||||
+portcon tcp 5901-5950 gen_context(system_u:object_r:vnc_port_t, s0)
|
||||
network_port(wccp, udp,2048,s0)
|
||||
network_port(xdmcp, udp,177,s0, tcp,177,s0)
|
||||
network_port(xen, tcp,8002,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in.cyphesis serefpolicy-3.2.6/policy/modules/kernel/corenetwork.te.in.cyphesis
|
||||
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in.cyphesis 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/kernel/corenetwork.te.in.cyphesis 2008-02-01 16:01:42.000000000 -0500
|
||||
@ -23485,7 +23494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.te serefpolicy-3.2.6/policy/modules/system/qemu.te
|
||||
--- nsaserefpolicy/policy/modules/system/qemu.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/system/qemu.te 2008-02-02 01:25:31.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/system/qemu.te 2008-02-02 10:40:41.000000000 -0500
|
||||
@@ -0,0 +1,56 @@
|
||||
+policy_module(qemu,1.0.0)
|
||||
+
|
||||
@ -23530,7 +23539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.t
|
||||
+files_read_etc_files(qemu_t)
|
||||
+files_read_usr_files(qemu_t)
|
||||
+files_read_var_files(qemu_t)
|
||||
+files_search_var_lib(qemu_t)
|
||||
+files_search_all(qemu_t)
|
||||
+
|
||||
+fs_rw_anon_inodefs_files(qemu_t)
|
||||
+
|
||||
@ -28115,7 +28124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.2.6/policy/modules/system/virt.te
|
||||
--- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/system/virt.te 2008-02-01 17:30:47.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/system/virt.te 2008-02-02 10:41:16.000000000 -0500
|
||||
@@ -0,0 +1,123 @@
|
||||
+
|
||||
+policy_module(virt,1.0.0)
|
||||
@ -28192,7 +28201,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t
|
||||
+corenet_tcp_sendrecv_all_ports(virtd_t)
|
||||
+corenet_tcp_bind_all_nodes(virtd_t)
|
||||
+corenet_tcp_bind_vnc_port(virtd_t)
|
||||
+
|
||||
+corenet_rw_tun_tap_dev(virtd_t)
|
||||
+
|
||||
+kernel_read_system_state(virtd_t)
|
||||
@ -28204,6 +28212,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t
|
||||
+
|
||||
+files_read_etc_files(virtd_t)
|
||||
+files_read_etc_runtime_files(virtd_t)
|
||||
+files_search_all(virtd_t)
|
||||
+
|
||||
+libs_use_ld_so(virtd_t)
|
||||
+libs_use_shared_libs(virtd_t)
|
||||
|
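Review bot: `files_search_all(qemu_t)` (the line after `files_search_var_lib(qemu_t)` in the qemu.te hunk) and `files_search_all(virtd_t)` in the virt.te hunk grant search on every directory type the policy defines, which is far broader than the /var/lib search granted immediately above and than the commit title's stated need. If the denials that motivated this came from a small set of locations (user home directories, image stores), the narrower interface for those types — `files_search_home` or the matching `userdom_*` search interface, where this refpolicy version provides them — would keep the least-privilege shape of the rest of the module; if arbitrary paths really are required, a boolean-gated branch would at least make the widening visible to administrators. Either way the line needs a why-comment, e.g. `# files_search_all: qemu/virtd must reach disk images on administrator-chosen paths; narrow once common locations carry their own types`, adjusted to the denials actually observed. The qemu_t and virtd_t rule blocks both begin and end outside their hunks, so other rules in those files may already cover part of what is being added. In the corenetwork.te.in hunk the new `portcon tcp 5901-5950` line sits apart from the `network_port(vnc, tcp,5900,s0)` declaration it extends, so the `# Reserve 50 ports for vnc/virt machines` comment should stay next to it and be kept in sync if the range is changed.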
@ -17,7 +17,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.2.6
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -387,6 +387,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Sat Feb 2 2008 Dan Walsh <dwalsh@redhat.com> 3.2.6-2
|
||||
- Additional ports for vnc and allow qemu and libvirt to search all directories
|
||||
|
||||
* Fri Feb 1 2008 Dan Walsh <dwalsh@redhat.com> 3.2.6-1
|
||||
- Update to upstream
|
||||
- Add libvirt policy
|
||||
|