trunk: 7 patches from dan, 1 from eamon.
This commit is contained in:
parent
73edbc9101
commit
12c61f36f4
@ -15,8 +15,17 @@ role system_r types certwatch_t;
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
allow certwatch_t self:capability sys_nice;
|
||||
allow certwatch_t self:process { setsched getsched };
|
||||
|
||||
dev_read_urand(certwatch_t)
|
||||
|
||||
files_read_etc_files(certwatch_t)
|
||||
files_read_usr_files(certwatch_t)
|
||||
files_read_usr_symlinks(certwatch_t)
|
||||
files_list_tmp(certwatch_t)
|
||||
|
||||
fs_list_inotifyfs(certwatch_t)
|
||||
|
||||
libs_use_ld_so(certwatch_t)
|
||||
libs_use_shared_libs(certwatch_t)
|
||||
@ -26,8 +35,15 @@ logging_send_syslog_msg(certwatch_t)
|
||||
miscfiles_read_certs(certwatch_t)
|
||||
miscfiles_read_localization(certwatch_t)
|
||||
|
||||
apache_exec_modules(certwatch_t)
|
||||
optional_policy(`
|
||||
apache_exec_modules(certwatch_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
cron_system_entry(certwatch_t, certwatch_exec_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
pcscd_stream_connect(certwatch_t)
|
||||
pcscd_read_pub_files(certwatch_t)
|
||||
')
|
||||
|
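Review bot: The new `allow certwatch_t self:capability sys_nice;` and `allow certwatch_t self:process { setsched getsched };` at the top of the first hunk carry no explanation, and sys_nice lets the domain raise its own scheduling priority, so a later reviewer cannot tell whether it is needed or a `dontaudit` candidate. Refpolicy convention is to note where such a grant came from; I would add `# sys_nice/setsched: needed by <library> init -- confirm, otherwise dontaudit` above the two lines, naming the call that produced the denial. The same applies to `fs_list_inotifyfs(certwatch_t)` in the same hunk, which is usually a side effect of a library watching a directory rather than something certwatch does itself. The local-policy section these hunks belong to continues outside the view.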
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(kismet, 1.0.2)
|
||||
policy_module(kismet, 1.0.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -26,7 +26,10 @@ logging_log_file(kismet_log_t)
|
||||
#
|
||||
|
||||
allow kismet_t self:capability { net_admin net_raw setuid setgid };
|
||||
allow kismet_t self:fifo_file rw_file_perms;
|
||||
allow kismet_t self:packet_socket create_socket_perms;
|
||||
allow kismet_t self:unix_dgram_socket create_socket_perms;
|
||||
allow kismet_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
|
||||
allow kismet_t kismet_log_t:dir setattr;
|
||||
@ -40,6 +43,8 @@ allow kismet_t kismet_var_run_t:file manage_file_perms;
|
||||
allow kismet_t kismet_var_run_t:dir manage_dir_perms;
|
||||
files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir })
|
||||
|
||||
kernel_search_debugfs(kismet_t)
|
||||
|
||||
corecmd_exec_bin(kismet_t)
|
||||
|
||||
auth_use_nsswitch(kismet_t)
|
||||
|
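Review bot: `kernel_search_debugfs(kismet_t)` grants only directory search on debugfs, so if kismet actually reads driver files under /sys/kernel/debug the next denial will be a file read, and nothing in the hunk says what the search is for. I would add `# search debugfs for wireless driver interfaces -- confirm whether files are read too` above it so the grant can be widened or dontaudited deliberately later. The added packet_socket rule next to the existing net_raw/net_admin capabilities is consistent with a sniffer and looks right. The local policy block extends beyond the hunk.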
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(logrotate, 1.9.2)
|
||||
policy_module(logrotate, 1.9.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -97,6 +97,7 @@ files_read_usr_files(logrotate_t)
|
||||
files_read_etc_files(logrotate_t)
|
||||
files_read_etc_runtime_files(logrotate_t)
|
||||
files_read_all_pids(logrotate_t)
|
||||
files_search_all(logrotate_t)
|
||||
# Write to /var/spool/slrnpull - should be moved into its own type.
|
||||
files_manage_generic_spool(logrotate_t)
|
||||
files_manage_generic_spool_dirs(logrotate_t)
|
||||
@ -167,7 +168,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
mailman_exec(logrotate_t)
|
||||
mailman_domtrans(logrotate_t)
|
||||
mailman_search_data(logrotate_t)
|
||||
mailman_manage_log(logrotate_t)
|
||||
')
|
||||
@ -189,6 +190,5 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
# cjp: why?
|
||||
squid_domtrans(logrotate_t)
|
||||
squid_signal(logrotate_t)
|
||||
')
|
||||
|
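Review bot: `files_search_all(logrotate_t)` is a broad grant, allowing traversal of directories of every file type in the policy, and it is added without a comment, unlike the neighbouring spool rule that explains itself. If it is there because logrotate configs may name logs under arbitrary paths, say so: `# configs may point at logs anywhere; search all dirs`; if a narrower interface for the specific type that was denied suffices, prefer it. Separately, replacing `mailman_exec` with `mailman_domtrans` means logrotate's mailman invocations now run in the mailman domain, which is a better boundary provided the mailman domain itself holds the log permissions that logrotate previously exercised inline.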
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(readahead, 1.6.1)
|
||||
policy_module(readahead, 1.6.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -22,7 +22,7 @@ files_pid_file(readahead_var_run_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow readahead_t self:capability { dac_override dac_read_search };
|
||||
allow readahead_t self:capability { fowner dac_override dac_read_search };
|
||||
dontaudit readahead_t self:capability sys_tty_config;
|
||||
allow readahead_t self:process signal_perms;
|
||||
|
||||
|
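Review bot: The `fowner` capability added to `readahead_t` is unexplained; together with the existing `dac_override` and `dac_read_search` it lets readahead bypass ownership checks for attribute changes (chmod/utime-style operations) on files it does not own, which is more than a read-ahead helper obviously needs. If the denial came from a harmless attempt it does not depend on, `dontaudit readahead_t self:capability fowner;` is the safer choice; if it is genuinely needed, add `# fowner: needed to <operation> on files it does not own` naming the operation. The rest of the local policy lies outside the hunk.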
@ -48,6 +48,7 @@ interface(`vpn_run',`
|
||||
vpn_domtrans($1)
|
||||
role $2 types vpnc_t;
|
||||
allow vpnc_t $3:chr_file rw_term_perms;
|
||||
sysnet_run_ifconfig(vpnc_t, $2, $3)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
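Review bot: `vpn_run` now also calls `sysnet_run_ifconfig(vpnc_t, $2, $3)`, so every role passed to it additionally gains `ifconfig_t` plus terminal access for it, but the interface's documentation block (above the hunk, outside the view) presumably still describes only the vpnc transition. I would extend the summary so callers know what they grant, e.g. `## Also allows the role to run ifconfig in the ifconfig domain via vpnc.` The interface starts before the hunk.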
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(vpn, 1.8.0)
|
||||
policy_module(vpn, 1.8.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -22,9 +22,10 @@ files_pid_file(vpnc_var_run_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow vpnc_t self:capability { dac_override net_admin ipc_lock net_raw };
|
||||
allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw };
|
||||
allow vpnc_t self:process getsched;
|
||||
allow vpnc_t self:fifo_file { getattr ioctl read write };
|
||||
allow vpnc_t self:fifo_file rw_fifo_file_perms;
|
||||
allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
|
||||
allow vpnc_t self:tcp_socket create_stream_socket_perms;
|
||||
allow vpnc_t self:udp_socket create_socket_perms;
|
||||
allow vpnc_t self:rawip_socket create_socket_perms;
|
||||
@ -102,7 +103,6 @@ miscfiles_read_localization(vpnc_t)
|
||||
seutil_dontaudit_search_config(vpnc_t)
|
||||
seutil_use_newrole_fds(vpnc_t)
|
||||
|
||||
sysnet_domtrans_ifconfig(vpnc_t)
|
||||
sysnet_etc_filetrans_config(vpnc_t)
|
||||
sysnet_manage_config(vpnc_t)
|
||||
|
||||
|
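Review bot: `sysnet_domtrans_ifconfig(vpnc_t)` appears to be the line dropped from the local policy (the hunk counts show one removal) while the vpn.if hunk in this commit adds `sysnet_run_ifconfig` inside `vpn_run`; if that reading is right, the vpnc-to-ifconfig transition now exists only when some module calls `vpn_run`, and a domain that enters vpnc_t through `vpn_domtrans` alone will run ifconfig in vpnc_t itself. If an unconditional transition is intended, keep `sysnet_domtrans_ifconfig(vpnc_t)` here and let `vpn_run` add only the role and terminal rules; if not, a comment noting that the transition depends on vpn_run would help the next reader. The `dac_read_search` addition next to `dac_override` looks correct, since read/search checks consult that capability first.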
@ -27,6 +27,7 @@
|
||||
/dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/megadev.* -c gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
/dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(storage, 1.6.1)
|
||||
policy_module(storage, 1.6.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -77,6 +77,9 @@ template(`xserver_common_domain_template',`
|
||||
files_tmp_filetrans($1_xserver_t, $1_xserver_tmp_t, { file dir sock_file })
|
||||
|
||||
filetrans_pattern($1_xserver_t, xdm_xserver_tmp_t, $1_xserver_tmp_t, sock_file)
|
||||
ifdef(`enable_mls',`
|
||||
range_transition $1_xserver_t $1_xserver_tmp_t:sock_file s0 - mls_systemhigh;
|
||||
')
|
||||
|
||||
manage_dirs_pattern($1_xserver_t, $1_xserver_tmpfs_t, $1_xserver_tmpfs_t)
|
||||
manage_files_pattern($1_xserver_t, $1_xserver_tmpfs_t, $1_xserver_tmpfs_t)
|
||||
@ -95,6 +98,9 @@ template(`xserver_common_domain_template',`
|
||||
|
||||
# Labeling rules for default windows and colormaps
|
||||
type_transition $1_xserver_t $1_xserver_t:{ x_drawable x_colormap } $1_rootwindow_t;
|
||||
ifdef(`enable_mls',`
|
||||
range_transition $1_xserver_t $1_rootwindow_t:x_drawable s0 - mls_systemhigh;
|
||||
')
|
||||
|
||||
kernel_read_system_state($1_xserver_t)
|
||||
kernel_read_device_sysctls($1_xserver_t)
|
||||
|
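Review bot: The two new `ifdef(`enable_mls',` blocks give the X server's tmp socket and root window the full range `s0 - mls_systemhigh` without a comment saying why, and a full-range object is exactly the kind of rule that needs justification in an MLS policy. I would add `# server socket and root window must be reachable by clients at every level` above the first block, if that is indeed the reason rather than a denial seen in testing. The template continues outside the hunk.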
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(xserver, 2.1.1)
|
||||
policy_module(xserver, 2.1.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
|