patch from erich Sat, 02 Sep 2006 03:37:44 +0200
parent
5dbda5558a
commit
13d7cec671
@ -1,3 +1,4 @@
|
||||
- Debian updates from Erich Schubert.
|
||||
- Add nscd_socket_use() to auth_use_nsswitch().
|
||||
- Remove old selopt rules.
|
||||
- Full support for netfilter_contexts.
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(apt,1.0.1)
|
||||
policy_module(apt,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -10,7 +10,6 @@ type apt_t;
|
||||
type apt_exec_t;
|
||||
init_system_domain(apt_t,apt_exec_t)
|
||||
domain_system_change_exemption(apt_t)
|
||||
domain_getattr_all_domains(apt_t)
|
||||
role system_r types apt_t;
|
||||
|
||||
type apt_tmp_t;
|
||||
@ -91,10 +90,15 @@ corenet_sendrecv_all_client_packets(apt_t)
|
||||
|
||||
dev_read_urand(apt_t)
|
||||
|
||||
domain_getattr_all_domains(apt_t)
|
||||
domain_use_interactive_fds(apt_t)
|
||||
|
||||
files_exec_usr_files(apt_t)
|
||||
files_read_etc_files(apt_t)
|
||||
files_read_etc_runtime_files(apt_t)
|
||||
|
||||
fs_dontaudit_getattr_all_fs(apt_t)
|
||||
|
||||
term_list_ptys(apt_t)
|
||||
term_use_all_terms(apt_t)
|
||||
|
||||
|
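Review bot: `term_use_all_terms(apt_t)` at the end of the third apt.te hunk grants read/write on every terminal type, which is far broader than the other rules added around it. The rendered page does not show which of these lines are new and which were only moved (the second hunk drops `domain_getattr_all_domains(apt_t)` from the declarations and the third reintroduces it among the rules), so please confirm the terminal grant is actually new. If the need is only the invoking admin's tty/pty for dpkg or debconf prompts, something narrower such as `term_use_unallocated_ttys(apt_t)` next to the existing `term_list_ptys(apt_t)` may be sufficient. Either way the line deserves a justification, e.g. `# dpkg/debconf prompt on whatever terminal the admin invoked apt from -- TODO narrow if ptys/console suffice`.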
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(sxid,1.0.2)
|
||||
policy_module(sxid,1.0.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -69,6 +69,7 @@ fs_list_all(sxid_t)
|
||||
term_dontaudit_use_console(sxid_t)
|
||||
|
||||
auth_read_all_files_except_shadow(sxid_t)
|
||||
auth_dontaudit_getattr_shadow(sxid_t)
|
||||
|
||||
init_use_fds(sxid_t)
|
||||
init_use_script_ptys(sxid_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(usermanage,1.3.9)
|
||||
policy_module(usermanage,1.3.10)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -170,6 +170,7 @@ files_read_etc_runtime_files(crack_t)
|
||||
files_read_usr_files(crack_t)
|
||||
|
||||
corecmd_exec_bin(crack_t)
|
||||
corecmd_dontaudit_search_sbin(crack_t)
|
||||
|
||||
libs_use_ld_so(crack_t)
|
||||
libs_use_shared_libs(crack_t)
|
||||
|
@ -98,6 +98,11 @@ ifdef(`distro_suse', `
|
||||
|
||||
/dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
# used by udev init script as temporary mount point
|
||||
/lib/udev/devices -d gen_context(system_u:object_r:device_t,s0)
|
||||
')
|
||||
|
||||
ifdef(`distro_gentoo',`
|
||||
# used by init scripts to initally populate udev /dev
|
||||
/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
|
||||
|
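Review bot: The new Debian block labels only the `/lib/udev/devices` directory itself (`-d`), while the Gentoo block right below it additionally labels the pre-populated node `/lib/udev/devices/null` as `null_device_t`; any static nodes Debian ships under that directory get no explicit context from this file. If the Debian udev init script also keeps static nodes there, matching entries for them are needed; if the directory is used purely as an empty mount point, the comment should say so explicitly, e.g. `# used by udev init script as temporary mount point (no static nodes kept here)`. Which of the two applies cannot be determined from the hunk.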
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(devices,1.1.19)
|
||||
policy_module(devices,1.1.20)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -120,6 +120,7 @@ HOME_ROOT/lost\+found/.* <<none>>
|
||||
#
|
||||
# Mount points; do not relabel subdirectories, since
|
||||
# we don't want to change any removable media by default.
|
||||
/media(/[^/]*) -l gen_context(system_u:object_r:mnt_t,s0)
|
||||
/media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
|
||||
/media/[^/]*/.* <<none>>
|
||||
|
||||
@ -131,6 +132,7 @@ HOME_ROOT/lost\+found/.* <<none>>
|
||||
#
|
||||
# /mnt
|
||||
#
|
||||
/mnt(/[^/]*) -l gen_context(system_u:object_r:mnt_t,s0)
|
||||
/mnt(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
|
||||
/mnt/[^/]*/.* <<none>>
|
||||
|
||||
|
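Review bot: The two new `-l` entries, `/media(/[^/]*)` and `/mnt(/[^/]*)`, label symlinks directly under the mount roots as `mnt_t`, but the preceding comment block still only explains the directory rules, so the reason for treating links like mount points is not recorded. Presumably this targets Debian-style aliases such as `/media/cdrom -> cdrom0`; a line such as `# symlinks directly under /media (e.g. /media/cdrom) are labeled like the mount points they alias` at the head of each block would capture that. The pattern deliberately lacks the trailing `?` so the root itself is not matched as a symlink, which is consistent with the `-d` rule below it.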
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(files,1.2.14)
|
||||
policy_module(files,1.2.15)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -4,6 +4,10 @@
|
||||
|
||||
/usr/sbin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0)
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
/usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0)
|
||||
')
|
||||
|
||||
/var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
|
||||
/var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
|
||||
/var/log/amavisd\.log -- gen_context(system_u:object_r:amavis_var_log_t,s0)
|
||||
|
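Review bot: The new Debian entry `/usr/sbin/amavisd-new-cronjob -- ...amavis_exec_t` is already matched by the unconditional `/usr/sbin/amavisd.*` regex two lines above it, which assigns the same type, so the `ifdef(`distro_debian')` block is redundant as written. Either drop it, or, if the intent is to keep the Debian path explicit, tighten the generic pattern (for instance `/usr/sbin/amavisd(-new)? --`) so each binary is matched by exactly one rule. Overlapping rules for the same path make later changes to either one easy to misjudge.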
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(amavis,1.0.7)
|
||||
policy_module(amavis,1.0.8)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -143,6 +143,7 @@ logging_send_syslog_msg(amavis_t)
|
||||
miscfiles_read_localization(amavis_t)
|
||||
|
||||
sysnet_dns_name_resolve(amavis_t)
|
||||
sysnet_use_ldap(amavis_t)
|
||||
|
||||
userdom_dontaudit_search_sysadm_home_dirs(amavis_t)
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(hal,1.3.12)
|
||||
policy_module(hal,1.3.13)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -47,6 +47,7 @@ kernel_read_system_state(hald_t)
|
||||
kernel_read_network_state(hald_t)
|
||||
kernel_read_kernel_sysctls(hald_t)
|
||||
kernel_read_fs_sysctls(hald_t)
|
||||
kernel_read_irq_sysctls(hald_t)
|
||||
kernel_rw_vm_sysctls(hald_t)
|
||||
kernel_write_proc_files(hald_t)
|
||||
|
||||
|
@ -3,6 +3,10 @@
|
||||
|
||||
/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
/usr/lib/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
|
||||
')
|
||||
|
||||
/var/lib/ldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
|
||||
/var/lib/ldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0)
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ldap,1.2.6)
|
||||
policy_module(ldap,1.2.7)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(openvpn,1.0.4)
|
||||
policy_module(openvpn,1.0.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -28,7 +28,7 @@ files_pid_file(openvpn_var_run_t)
|
||||
# openvpn local policy
|
||||
#
|
||||
|
||||
allow openvpn_t self:capability { net_admin setgid setuid };
|
||||
allow openvpn_t self:capability { net_admin setgid setuid sys_tty_config };
|
||||
allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow openvpn_t self:udp_socket create_socket_perms;
|
||||
|
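Review bot: The capability line for `openvpn_t` gains `sys_tty_config`, which lets the domain reconfigure terminals (vhangup and privileged tty ioctls) and is unusual for a VPN daemon. Daemons that merely trip this check when started from an init script are normally handled in refpolicy with `dontaudit openvpn_t self:capability sys_tty_config;` rather than an allow; unless OpenVPN genuinely exercises the capability, the dontaudit form is the safer fix. Whichever is chosen, the reason should be recorded in a comment above the rule.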
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(rpc,1.2.12)
|
||||
policy_module(rpc,1.2.13)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -44,6 +44,7 @@ allow rpcd_t rpcd_var_run_t:file manage_file_perms;
|
||||
allow rpcd_t rpcd_var_run_t:dir { rw_dir_perms setattr };
|
||||
files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
|
||||
|
||||
kernel_read_system_state(rpcd_t)
|
||||
kernel_search_network_state(rpcd_t)
|
||||
# for rpc.rquotad
|
||||
kernel_read_sysctl(rpcd_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(tor,1.0.3)
|
||||
policy_module(tor,1.0.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -61,6 +61,8 @@ allow tor_t tor_var_run_t:sock_file manage_file_perms;
|
||||
allow tor_t tor_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(tor_t,tor_var_run_t, { file sock_file })
|
||||
|
||||
kernel_read_system_state(tor_t)
|
||||
|
||||
# networking basics
|
||||
corenet_non_ipsec_sendrecv(tor_t)
|
||||
corenet_tcp_sendrecv_all_if(tor_t)
|
||||
@ -82,6 +84,9 @@ dev_read_urand(tor_t)
|
||||
domain_use_interactive_fds(tor_t)
|
||||
|
||||
files_read_etc_files(tor_t)
|
||||
files_read_etc_runtime_files(tor_t)
|
||||
|
||||
term_dontaudit_use_console(tor_t)
|
||||
|
||||
# comm with init
|
||||
init_use_fds(tor_t)
|
||||
|
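Review bot: `kernel_read_system_state(tor_t)` in the first tor.te hunk is the only addition here without a comment, while the `init_use_fds(tor_t)` addition in the second hunk is introduced with `# comm with init`. That interface opens read access to most of /proc, so the trigger deserves a line, e.g. `# reads /proc entries -- TODO record which access was denied`. A consistent comment style across the three additions also makes later audits of the tor module easier.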
@ -38,3 +38,5 @@
|
||||
/usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
|
||||
/usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
|
||||
/var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(fstools,1.3.3)
|
||||
policy_module(fstools,1.3.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -12,6 +12,9 @@ init_system_domain(fsadm_t,fsadm_exec_t)
|
||||
mls_file_read_up(fsadm_t)
|
||||
role system_r types fsadm_t;
|
||||
|
||||
type fsadm_log_t;
|
||||
logging_log_file(fsadm_log_t)
|
||||
|
||||
type fsadm_tmp_t;
|
||||
files_tmp_file(fsadm_tmp_t)
|
||||
|
||||
@ -44,6 +47,11 @@ allow fsadm_t fsadm_tmp_t:dir create_dir_perms;
|
||||
allow fsadm_t fsadm_tmp_t:file create_file_perms;
|
||||
files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })
|
||||
|
||||
# log files
|
||||
allow fsadm_t fsadm_log_t:file manage_file_perms;
|
||||
allow fsadm_t fsadm_log_t:dir { rw_dir_perms setattr };
|
||||
logging_log_filetrans(fsadm_t,fsadm_log_t,file)
|
||||
|
||||
# Enable swapping to files
|
||||
allow fsadm_t swapfile_t:file { read write getattr swapon };
|
||||
|
||||
|
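Review bot: `logging_log_filetrans(fsadm_t,fsadm_log_t,file)` in the last hunk only transitions regular files created directly in the log directory, whereas the companion fstools.fc change labels `/var/log/fsck(/.*)?` as a directory tree. If fsck or the Debian boot-time check scripts create `/var/log/fsck` themselves, that directory will get the parent's type rather than `fsadm_log_t`, and logs written into it will inherit that label; `logging_log_filetrans(fsadm_t,fsadm_log_t,{ file dir })` would cover that case. Please confirm which component creates the directory; if the package ships it pre-labeled, the current `file` transition is sufficient and a short comment saying so would settle the question.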
@ -1,6 +1,15 @@
|
||||
#
|
||||
# /emul
|
||||
#
|
||||
ifdef(`distro_debian',`
|
||||
/emul/ia32-linux/usr(/.*)?/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/emul/ia32-linux/usr(/.*)?/lib/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
|
||||
/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
|
||||
/emul/ia32-linux/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/emul/ia32-linux/lib/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
|
||||
/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
|
||||
')
|
||||
|
||||
ifdef(`distro_gentoo',`
|
||||
/emul/linux/x86/usr(/.*)?/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/emul/linux/x86/usr(/.*)?/lib/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
|
||||
@ -42,6 +51,11 @@ ifdef(`distro_redhat',`
|
||||
/lib/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/lib64/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
/lib32 -l gen_context(system_u:object_r:lib_t,s0)
|
||||
/lib64 -l gen_context(system_u:object_r:lib_t,s0)
|
||||
')
|
||||
|
||||
ifdef(`distro_gentoo',`
|
||||
/lib32(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/lib32/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
|
||||
@ -64,7 +78,7 @@ ifdef(`distro_gentoo',`
|
||||
/opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
ifdef(`distro_gentoo',`
|
||||
# despite the extensions, they're actually libs
|
||||
# despite the extensions, they are actually libs
|
||||
/opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:shlib_t,s0)
|
||||
/opt/Acrobat[5-9]/Reader/intellinux/SPPlugins/.*\.api -- gen_context(system_u:object_r:shlib_t,s0)
|
||||
|
||||
|
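Review bot: In the new Debian `/emul/ia32-linux` block, the `usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)*` rule lacks the `--` file-type qualifier that its `/emul/ia32-linux/lib(/.*)?/ld-...` counterpart and every `shlib_t` rule in the block carry, so it also matches directories and symlinks whose names look like the dynamic loader. Adding it keeps the block internally consistent: `/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)`. The `/lib32 -l` and `/lib64 -l` entries in the second hunk label only the symlinks, which is fine provided their targets are covered by existing `/lib` or `/usr/lib` rules that this page does not show.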
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(libraries,1.3.12)
|
||||
policy_module(libraries,1.3.13)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -41,10 +41,6 @@
|
||||
/usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
|
||||
/usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
|
||||
|
||||
ifdef(`distro_debian', `
|
||||
/usr/share/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0)
|
||||
')
|
||||
|
||||
#
|
||||
# /var/run
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(selinuxutil,1.2.14)
|
||||
policy_module(selinuxutil,1.2.15)
|
||||
|
||||
ifdef(`strict_policy',`
|
||||
gen_require(`
|
||||
@ -576,6 +576,7 @@ dev_read_urand(semanage_t)
|
||||
domain_use_interactive_fds(semanage_t)
|
||||
|
||||
files_read_etc_files(semanage_t)
|
||||
files_read_etc_runtime_files(semanage_t)
|
||||
files_read_usr_files(semanage_t)
|
||||
files_list_pids(semanage_t)
|
||||
|
||||
|