rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- Change userdom_read_all_users_state to include reading symbolic links in

Browse Source 
/proc
This commit is contained in:
Daniel J Walsh 2008-12-27 13:05:32 +00:00
parent cf8fd9f0cc
commit 1cf70680c7
1 changed files with 43 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
policy-20081111.patch
View File

@ -3442,7 +3442,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.1/policy/modules/apps/qemu.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.1/policy/modules/apps/qemu.te
--- nsaserefpolicy/policy/modules/apps/qemu.te 2008-11-11 16:13:42.000000000 -0500 --- nsaserefpolicy/policy/modules/apps/qemu.te 2008-11-11 16:13:42.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/apps/qemu.te 2008-12-04 16:29:05.000000000 -0500 +++ serefpolicy-3.6.1/policy/modules/apps/qemu.te 2008-12-23 11:34:57.000000000 -0500
@@ -6,6 +6,8 @@ @@ -6,6 +6,8 @@
# Declarations # Declarations
# #
@ -3452,10 +3452,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## <desc> ## <desc>
## <p> ## <p>
## Allow qemu to connect fully to the network ## Allow qemu to connect fully to the network
@@ -13,16 +15,98 @@ @@ -13,16 +15,105 @@
## </desc> ## </desc>
gen_tunable(qemu_full_network, false) gen_tunable(qemu_full_network, false)
+## <desc>
+## <p>
+## Allow qemu to use usb devices
+## </p>
+## </desc>
+gen_tunable(qemu_use_usb, true)
+
+## <desc> +## <desc>
+## <p> +## <p>
+## Allow qemu to use nfs file systems +## Allow qemu to use nfs file systems
@ -3551,16 +3558,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`qemu_full_network',` tunable_policy(`qemu_full_network',`
allow qemu_t self:udp_socket create_socket_perms; allow qemu_t self:udp_socket create_socket_perms;
@@ -35,6 +119,30 @@ @@ -35,6 +126,38 @@
corenet_tcp_connect_all_ports(qemu_t) corenet_tcp_connect_all_ports(qemu_t)
') ')
+tunable_policy(`qemu_use_nfs',` +tunable_policy(`qemu_use_nfs',`
+ fs_manage_nfs_dirs(qemu_t)
+ fs_manage_nfs_files(qemu_t) + fs_manage_nfs_files(qemu_t)
+') +')
+ +
+tunable_policy(`qemu_use_cifs',` +tunable_policy(`qemu_use_cifs',`
+ fs_manage_cifs_dirs(qemu_t) + fs_manage_cifs_dirs(qemu_t)
+ fs_manage_cifs_files(qemu_t)
+')
+
+tunable_policy(`qemu_use_usb',`
+ dev_rw_usbfs(qemu_t)
+ fs_manage_dos_dirs(qemu_t)
+ fs_manage_dos_files(qemu_t)
+') +')
+ +
+optional_policy(` +optional_policy(`
@ -20626,7 +20641,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ +
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.1/policy/modules/services/ssh.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.1/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2008-11-11 16:13:46.000000000 -0500 --- nsaserefpolicy/policy/modules/services/ssh.te 2008-11-11 16:13:46.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/ssh.te 2008-12-18 10:03:59.000000000 -0500 +++ serefpolicy-3.6.1/policy/modules/services/ssh.te 2008-12-27 07:07:28.000000000 -0500
@@ -75,7 +75,7 @@ @@ -75,7 +75,7 @@
ubac_constrained(ssh_tmpfs_t) ubac_constrained(ssh_tmpfs_t)
@ -20678,7 +20693,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -318,6 +323,10 @@ @@ -310,6 +315,8 @@
kernel_search_key(sshd_t)
kernel_link_key(sshd_t)
+fs_list_inotifyfs(sshd_t)
+
term_use_all_user_ptys(sshd_t)
term_setattr_all_user_ptys(sshd_t)
term_relabelto_all_user_ptys(sshd_t)
@@ -318,6 +325,10 @@
corenet_tcp_bind_xserver_port(sshd_t) corenet_tcp_bind_xserver_port(sshd_t)
corenet_sendrecv_xserver_server_packets(sshd_t) corenet_sendrecv_xserver_server_packets(sshd_t)
@ -20689,7 +20713,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`ssh_sysadm_login',` tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd # Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to # ioctl is necessary for logout() processing for utmp entry and for w to
@@ -331,6 +340,14 @@ @@ -331,6 +342,14 @@
') ')
optional_policy(` optional_policy(`
@ -20704,7 +20728,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
daemontools_service_domain(sshd_t, sshd_exec_t) daemontools_service_domain(sshd_t, sshd_exec_t)
') ')
@@ -349,7 +366,11 @@ @@ -349,7 +368,11 @@
') ')
optional_policy(` optional_policy(`
@ -20717,7 +20741,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
unconfined_shell_domtrans(sshd_t) unconfined_shell_domtrans(sshd_t)
') ')
@@ -408,6 +429,8 @@ @@ -408,6 +431,8 @@
init_use_fds(ssh_keygen_t) init_use_fds(ssh_keygen_t)
init_use_script_ptys(ssh_keygen_t) init_use_script_ptys(ssh_keygen_t)
@ -26411,7 +26435,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.1/policy/modules/system/userdomain.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.1/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-11-13 18:40:02.000000000 -0500 --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-11-13 18:40:02.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/system/userdomain.if 2008-12-18 10:02:36.000000000 -0500 +++ serefpolicy-3.6.1/policy/modules/system/userdomain.if 2008-12-27 06:28:18.000000000 -0500
@@ -30,8 +30,9 @@ @@ -30,8 +30,9 @@
') ')
@ -27739,7 +27763,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to use user ttys. ## Do not audit attempts to use user ttys.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -2965,6 +3150,24 @@ @@ -2851,6 +3036,7 @@
')
read_files_pattern($1,userdomain,userdomain)
+ read_lnk_files_pattern($1,userdomain,userdomain)
kernel_search_proc($1)
')
@@ -2965,6 +3151,24 @@
######################################## ########################################
## <summary> ## <summary>
@ -27764,7 +27796,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Send a dbus message to all user domains. ## Send a dbus message to all user domains.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -2981,3 +3184,264 @@ @@ -2981,3 +3185,264 @@
allow $1 userdomain:dbus send_msg; allow $1 userdomain:dbus send_msg;
') ')