Add temporary roleattribute patches
This commit is contained in:
parent
922fd7b529
commit
1ee0a31352
1128
policy-rawhide-roleattribute.patch
Normal file
1128
policy-rawhide-roleattribute.patch
Normal file
@ -58144,7 +58144,7 @@ index 3a45f23..f4754f0 100644
|
||||
# fork
|
||||
# setexec
|
||||
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
|
||||
index f462e95..ce808db 100644
|
||||
index f462e95..d29da40 100644
|
||||
--- a/policy/flask/access_vectors
|
||||
+++ b/policy/flask/access_vectors
|
||||
@@ -393,6 +393,10 @@ class system
|
||||
@ -58158,7 +58158,16 @@ index f462e95..ce808db 100644
|
||||
}
|
||||
|
||||
#
|
||||
@@ -860,3 +864,20 @@ inherits database
|
||||
@@ -445,6 +449,8 @@ class capability2
|
||||
mac_override # unused by SELinux
|
||||
mac_admin # unused by SELinux
|
||||
syslog
|
||||
+ wake_alarm
|
||||
+ epolwakeup
|
||||
}
|
||||
|
||||
#
|
||||
@@ -860,3 +866,20 @@ inherits database
|
||||
implement
|
||||
execute
|
||||
}
|
||||
@ -79909,24 +79918,10 @@ index 0e3c2a9..40adf5a 100644
|
||||
+')
|
||||
+
|
||||
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
|
||||
index 9fd5be7..3eb0e5e 100644
|
||||
index 9fd5be7..db7e141 100644
|
||||
--- a/policy/modules/system/locallogin.te
|
||||
+++ b/policy/modules/system/locallogin.te
|
||||
@@ -9,13 +9,22 @@ type local_login_t;
|
||||
domain_interactive_fd(local_login_t)
|
||||
auth_login_pgm_domain(local_login_t)
|
||||
auth_login_entry_type(local_login_t)
|
||||
+init_daemon_domain(local_login_t, login_exec_t)
|
||||
+init_ranged_daemon_domain(local_login_t, login_exec_t, s0 - mcs_systemhigh)
|
||||
+
|
||||
+ifdef(`enable_mls',`
|
||||
+ init_ranged_daemon_domain(local_login_t, login_exec_t, mls_systemhigh)
|
||||
+')
|
||||
+
|
||||
+ifdef(`enable_mcs',`
|
||||
+ init_ranged_daemon_domain(local_login_t, login_exec_t, mcs_systemhigh)
|
||||
+')
|
||||
|
||||
@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
|
||||
type local_login_lock_t;
|
||||
files_lock_file(local_login_lock_t)
|
||||
|
||||
@ -79938,7 +79933,7 @@ index 9fd5be7..3eb0e5e 100644
|
||||
|
||||
type sulogin_t;
|
||||
type sulogin_exec_t;
|
||||
@@ -32,9 +41,8 @@ role system_r types sulogin_t;
|
||||
@@ -32,9 +31,8 @@ role system_r types sulogin_t;
|
||||
# Local login local policy
|
||||
#
|
||||
|
||||
@ -79950,7 +79945,7 @@ index 9fd5be7..3eb0e5e 100644
|
||||
allow local_login_t self:fd use;
|
||||
allow local_login_t self:fifo_file rw_fifo_file_perms;
|
||||
allow local_login_t self:sock_file read_sock_file_perms;
|
||||
@@ -51,9 +59,7 @@ allow local_login_t self:key { search write link };
|
||||
@@ -51,9 +49,7 @@ allow local_login_t self:key { search write link };
|
||||
allow local_login_t local_login_lock_t:file manage_file_perms;
|
||||
files_lock_filetrans(local_login_t, local_login_lock_t, file)
|
||||
|
||||
@ -79961,7 +79956,7 @@ index 9fd5be7..3eb0e5e 100644
|
||||
|
||||
kernel_read_system_state(local_login_t)
|
||||
kernel_read_kernel_sysctls(local_login_t)
|
||||
@@ -73,6 +79,8 @@ dev_getattr_power_mgmt_dev(local_login_t)
|
||||
@@ -73,6 +69,8 @@ dev_getattr_power_mgmt_dev(local_login_t)
|
||||
dev_setattr_power_mgmt_dev(local_login_t)
|
||||
dev_getattr_sound_dev(local_login_t)
|
||||
dev_setattr_sound_dev(local_login_t)
|
||||
@ -79970,7 +79965,7 @@ index 9fd5be7..3eb0e5e 100644
|
||||
dev_dontaudit_getattr_apm_bios_dev(local_login_t)
|
||||
dev_dontaudit_setattr_apm_bios_dev(local_login_t)
|
||||
dev_dontaudit_read_framebuffer(local_login_t)
|
||||
@@ -117,14 +125,18 @@ term_relabel_unallocated_ttys(local_login_t)
|
||||
@@ -117,14 +115,18 @@ term_relabel_unallocated_ttys(local_login_t)
|
||||
term_relabel_all_ttys(local_login_t)
|
||||
term_setattr_all_ttys(local_login_t)
|
||||
term_setattr_unallocated_ttys(local_login_t)
|
||||
@ -79990,7 +79985,7 @@ index 9fd5be7..3eb0e5e 100644
|
||||
|
||||
miscfiles_read_localization(local_login_t)
|
||||
|
||||
@@ -146,14 +158,14 @@ tunable_policy(`console_login',`
|
||||
@@ -146,14 +148,14 @@ tunable_policy(`console_login',`
|
||||
term_relabel_console(local_login_t)
|
||||
')
|
||||
|
||||
@ -80012,7 +80007,7 @@ index 9fd5be7..3eb0e5e 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -177,14 +189,6 @@ optional_policy(`
|
||||
@@ -177,14 +179,6 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -80027,7 +80022,7 @@ index 9fd5be7..3eb0e5e 100644
|
||||
unconfined_shell_domtrans(local_login_t)
|
||||
')
|
||||
|
||||
@@ -215,6 +219,7 @@ allow sulogin_t self:sem create_sem_perms;
|
||||
@@ -215,6 +209,7 @@ allow sulogin_t self:sem create_sem_perms;
|
||||
allow sulogin_t self:msgq create_msgq_perms;
|
||||
allow sulogin_t self:msg { send receive };
|
||||
|
||||
@ -80035,7 +80030,7 @@ index 9fd5be7..3eb0e5e 100644
|
||||
kernel_read_system_state(sulogin_t)
|
||||
|
||||
fs_search_auto_mountpoints(sulogin_t)
|
||||
@@ -223,13 +228,17 @@ fs_rw_tmpfs_chr_files(sulogin_t)
|
||||
@@ -223,13 +218,17 @@ fs_rw_tmpfs_chr_files(sulogin_t)
|
||||
files_read_etc_files(sulogin_t)
|
||||
# because file systems are not mounted:
|
||||
files_dontaudit_search_isid_type_dirs(sulogin_t)
|
||||
@ -80053,7 +80048,7 @@ index 9fd5be7..3eb0e5e 100644
|
||||
seutil_read_config(sulogin_t)
|
||||
seutil_read_default_contexts(sulogin_t)
|
||||
|
||||
@@ -238,14 +247,24 @@ userdom_use_unpriv_users_fds(sulogin_t)
|
||||
@@ -238,14 +237,24 @@ userdom_use_unpriv_users_fds(sulogin_t)
|
||||
userdom_search_user_home_dirs(sulogin_t)
|
||||
userdom_use_user_ptys(sulogin_t)
|
||||
|
||||
@ -80080,7 +80075,7 @@ index 9fd5be7..3eb0e5e 100644
|
||||
init_getpgid(sulogin_t)
|
||||
', `
|
||||
allow sulogin_t self:process setexec;
|
||||
@@ -256,11 +275,3 @@ ifdef(`sulogin_no_pam', `
|
||||
@@ -256,11 +265,3 @@ ifdef(`sulogin_no_pam', `
|
||||
selinux_compute_relabel_context(sulogin_t)
|
||||
selinux_compute_user_contexts(sulogin_t)
|
||||
')
|
||||
@ -84576,10 +84571,10 @@ index 0000000..0898030
|
||||
+
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
new file mode 100644
|
||||
index 0000000..33c1c9f
|
||||
index 0000000..eec7c72
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -0,0 +1,422 @@
|
||||
@@ -0,0 +1,423 @@
|
||||
+policy_module(systemd, 1.0.0)
|
||||
+
|
||||
+#######################################
|
||||
@ -84660,6 +84655,7 @@ index 0000000..33c1c9f
|
||||
+dev_getattr_all_chr_files(systemd_logind_t)
|
||||
+dev_getattr_all_blk_files(systemd_logind_t)
|
||||
+dev_rw_sysfs(systemd_logind_t)
|
||||
+dev_rw_input_dev(systemd_logind_t)
|
||||
+dev_setattr_all_chr_files(systemd_logind_t)
|
||||
+dev_setattr_dri_dev(systemd_logind_t)
|
||||
+dev_setattr_generic_usb_dev(systemd_logind_t)
|
||||
|
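Review bot: The new capability2 permission spelled `epolwakeup` in the access_vectors hunk (`@@ -445,6 +449,8 @@ class capability2`) looks misspelled — the kernel's CAP_EPOLLWAKEUP entry in its SELinux classmap is, as far as I recall, `epollwakeup` with two l's, and a policy permission whose name does not match the kernel's string is never the one the kernel checks, so the real capability would fall through to the policy's handle-unknown setting instead of being governed by any allow rule; confirm against security/selinux/include/classmap.h for the targeted kernel. If that is the intent, change the line to `+	epollwakeup`; if the single-l spelling is deliberate, a short comment on the line naming the kernel it matches would stop the next reader from "fixing" it. This file section is rendered with its diff suppressed and the outer +/- markers lost, so I am inferring from the enclosing hunk counts (`@ -58158,7 +58158,16 @@`, and `@@ -860,3 +864,20 @@` becoming `+866,20`) that the `wake_alarm` and `epolwakeup` lines are newly added by this commit rather than pre-existing context.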
854
policy_contrib-rawhide-roleattribute.patch
Normal file
854
policy_contrib-rawhide-roleattribute.patch
Normal file
@ -0,0 +1,854 @@
|
||||
commit f53f820fe366940d4fdecaef80de4e5b1178fac6
|
||||
Author: Miroslav Grepl <mgrepl@redhat.com>
|
||||
Date: Thu Jun 7 01:38:59 2012 +0200
|
||||
|
||||
roleattribute patch
|
||||
|
||||
diff --git a/livecd.if b/livecd.if
|
||||
index bfbf676..fb7869e 100644
|
||||
--- a/livecd.if
|
||||
+++ b/livecd.if
|
||||
@@ -38,12 +38,19 @@ interface(`livecd_run',`
|
||||
gen_require(`
|
||||
type livecd_t;
|
||||
type livecd_exec_t;
|
||||
- attribute_role livecd_roles;
|
||||
+ #attribute_role livecd_roles;
|
||||
')
|
||||
|
||||
livecd_domtrans($1)
|
||||
- roleattribute $2 livecd_roles;
|
||||
+ #roleattribute $2 livecd_roles;
|
||||
+ role $2 types livecd_t;
|
||||
role_transition $2 livecd_exec_t system_r;
|
||||
+
|
||||
+ seutil_run_setfiles_mac(livecd_t, system_r)
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ mount_run(livecd_t, $2)
|
||||
+ ')
|
||||
')
|
||||
|
||||
########################################
|
||||
diff --git a/livecd.te b/livecd.te
|
||||
index 65efdae..7a944b5 100644
|
||||
--- a/livecd.te
|
||||
+++ b/livecd.te
|
||||
@@ -5,13 +5,14 @@ policy_module(livecd, 1.2.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
-attribute_role livecd_roles;
|
||||
-roleattribute system_r livecd_roles;
|
||||
+#attribute_role livecd_roles;
|
||||
+#roleattribute system_r livecd_roles;
|
||||
|
||||
type livecd_t;
|
||||
type livecd_exec_t;
|
||||
application_domain(livecd_t, livecd_exec_t)
|
||||
-role livecd_roles types livecd_t;
|
||||
+role system_r types livecd_t;
|
||||
+#role livecd_roles types livecd_t;
|
||||
|
||||
type livecd_tmp_t;
|
||||
files_tmp_file(livecd_tmp_t)
|
||||
@@ -35,10 +36,10 @@ term_filetrans_all_named_dev(livecd_t)
|
||||
|
||||
sysnet_filetrans_named_content(livecd_t)
|
||||
|
||||
-optional_policy(`
|
||||
- mount_run(livecd_t, livecd_roles)
|
||||
- seutil_run_setfiles_mac(livecd_t, livecd_roles)
|
||||
-')
|
||||
+#optional_policy(`
|
||||
+# mount_run(livecd_t, livecd_roles)
|
||||
+# seutil_run_setfiles_mac(livecd_t, livecd_roles)
|
||||
+#')
|
||||
|
||||
optional_policy(`
|
||||
ssh_filetrans_admin_home_content(livecd_t)
|
||||
diff --git a/mozilla.if b/mozilla.if
|
||||
index 30b0241..30bfefb 100644
|
||||
--- a/mozilla.if
|
||||
+++ b/mozilla.if
|
||||
@@ -18,10 +18,11 @@
|
||||
interface(`mozilla_role',`
|
||||
gen_require(`
|
||||
type mozilla_t, mozilla_exec_t, mozilla_home_t;
|
||||
- attribute_role mozilla_roles;
|
||||
+ #attribute_role mozilla_roles;
|
||||
')
|
||||
|
||||
- roleattribute $1 mozilla_roles;
|
||||
+ #roleattribute $1 mozilla_roles;
|
||||
+ role $1 types mozilla_t;
|
||||
|
||||
domain_auto_trans($2, mozilla_exec_t, mozilla_t)
|
||||
# Unrestricted inheritance from the caller.
|
||||
@@ -47,6 +48,8 @@ interface(`mozilla_role',`
|
||||
relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
|
||||
relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
|
||||
|
||||
+ #should be remove then with adding of roleattribute
|
||||
+ mozilla_run_plugin(mozilla_t, $1)
|
||||
mozilla_dbus_chat($2)
|
||||
|
||||
userdom_manage_tmp_role($1, mozilla_t)
|
||||
@@ -63,7 +66,6 @@ interface(`mozilla_role',`
|
||||
|
||||
mozilla_filetrans_home_content($2)
|
||||
|
||||
- mozilla_dbus_chat($2)
|
||||
')
|
||||
|
||||
########################################
|
||||
diff --git a/mozilla.te b/mozilla.te
|
||||
index 7bf56bf..56700a4 100644
|
||||
--- a/mozilla.te
|
||||
+++ b/mozilla.te
|
||||
@@ -19,14 +19,15 @@ gen_tunable(mozilla_read_content, false)
|
||||
## </desc>
|
||||
gen_tunable(mozilla_plugin_enable_homedirs, false)
|
||||
|
||||
-attribute_role mozilla_roles;
|
||||
+#attribute_role mozilla_roles;
|
||||
|
||||
type mozilla_t;
|
||||
type mozilla_exec_t;
|
||||
typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
|
||||
typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
|
||||
userdom_user_application_domain(mozilla_t, mozilla_exec_t)
|
||||
-role mozilla_roles types mozilla_t;
|
||||
+#role mozilla_roles types mozilla_t;
|
||||
+role system_r types mozilla_t;
|
||||
|
||||
type mozilla_conf_t;
|
||||
files_config_file(mozilla_conf_t)
|
||||
@@ -39,7 +40,8 @@ userdom_user_home_content(mozilla_home_t)
|
||||
type mozilla_plugin_t;
|
||||
type mozilla_plugin_exec_t;
|
||||
application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
|
||||
-role mozilla_roles types mozilla_plugin_t;
|
||||
+#role mozilla_roles types mozilla_plugin_t;
|
||||
+role system_r types mozilla_plugin_t;
|
||||
|
||||
type mozilla_plugin_tmp_t;
|
||||
userdom_user_tmp_content(mozilla_plugin_tmp_t)
|
||||
@@ -55,7 +57,8 @@ files_type(mozilla_plugin_rw_t)
|
||||
type mozilla_plugin_config_t;
|
||||
type mozilla_plugin_config_exec_t;
|
||||
application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)
|
||||
-role mozilla_roles types mozilla_plugin_config_t;
|
||||
+#role mozilla_roles types mozilla_plugin_config_t;
|
||||
+role system_r types mozilla_plugin_config_t;
|
||||
|
||||
type mozilla_tmp_t;
|
||||
userdom_user_tmp_file(mozilla_tmp_t)
|
||||
@@ -186,7 +189,7 @@ sysnet_dns_name_resolve(mozilla_t)
|
||||
|
||||
userdom_use_inherited_user_ptys(mozilla_t)
|
||||
|
||||
-mozilla_run_plugin(mozilla_t, mozilla_roles)
|
||||
+#mozilla_run_plugin(mozilla_t, mozilla_roles)
|
||||
|
||||
xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
|
||||
xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
|
||||
@@ -298,7 +301,8 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- pulseaudio_role(mozilla_roles, mozilla_t)
|
||||
+ #pulseaudio_role(mozilla_roles, mozilla_t)
|
||||
+ pulseaudio_exec(mozilla_t)
|
||||
pulseaudio_stream_connect(mozilla_t)
|
||||
pulseaudio_manage_home_files(mozilla_t)
|
||||
')
|
||||
@@ -476,9 +480,9 @@ optional_policy(`
|
||||
java_exec(mozilla_plugin_t)
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- lpd_run_lpr(mozilla_plugin_t, mozilla_roles)
|
||||
-')
|
||||
+#optional_policy(`
|
||||
+# lpd_run_lpr(mozilla_plugin_t, mozilla_roles)
|
||||
+#')
|
||||
|
||||
optional_policy(`
|
||||
mplayer_exec(mozilla_plugin_t)
|
||||
diff --git a/ncftool.if b/ncftool.if
|
||||
index 1520b6c..3a4455f 100644
|
||||
--- a/ncftool.if
|
||||
+++ b/ncftool.if
|
||||
@@ -36,10 +36,18 @@ interface(`ncftool_domtrans',`
|
||||
#
|
||||
interface(`ncftool_run',`
|
||||
gen_require(`
|
||||
- attribute_role ncftool_roles;
|
||||
+ type ncftool_t;
|
||||
+ #attribute_role ncftool_roles;
|
||||
')
|
||||
|
||||
- ncftool_domtrans($1)
|
||||
- roleattribute $2 ncftool_roles;
|
||||
+ #ncftool_domtrans($1)
|
||||
+ #roleattribute $2 ncftool_roles;
|
||||
+
|
||||
+ role $1 types ncftool_t;
|
||||
+
|
||||
+ ncftool_domtrans($2)
|
||||
+
|
||||
+ ps_process_pattern($2, ncftool_t)
|
||||
+ allow $2 ncftool_t:process signal;
|
||||
')
|
||||
|
||||
diff --git a/ncftool.te b/ncftool.te
|
||||
index 91ab36d..8c48c33 100644
|
||||
--- a/ncftool.te
|
||||
+++ b/ncftool.te
|
||||
@@ -5,15 +5,16 @@ policy_module(ncftool, 1.1.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
-attribute_role ncftool_roles;
|
||||
-roleattribute system_r ncftool_roles;
|
||||
+#attribute_role ncftool_roles;
|
||||
+#roleattribute system_r ncftool_roles;
|
||||
|
||||
type ncftool_t;
|
||||
type ncftool_exec_t;
|
||||
application_domain(ncftool_t, ncftool_exec_t)
|
||||
domain_obj_id_change_exemption(ncftool_t)
|
||||
domain_system_change_exemption(ncftool_t)
|
||||
-role ncftool_roles types ncftool_t;
|
||||
+#role ncftool_roles types ncftool_t;
|
||||
+role system_r types ncftool_t;
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -53,8 +54,10 @@ term_use_all_inherited_terms(ncftool_t)
|
||||
|
||||
miscfiles_read_localization(ncftool_t)
|
||||
sysnet_delete_dhcpc_pid(ncftool_t)
|
||||
-sysnet_run_dhcpc(ncftool_t, ncftool_roles)
|
||||
-sysnet_run_ifconfig(ncftool_t, ncftool_roles)
|
||||
+sysnet_domtrans_dhcpc(ncftool_t)
|
||||
+sysnet_domtrans_ifconfig(ncftool_t)
|
||||
+#sysnet_run_dhcpc(ncftool_t, ncftool_roles)
|
||||
+#sysnet_run_ifconfig(ncftool_t, ncftool_roles)
|
||||
sysnet_etc_filetrans_config(ncftool_t)
|
||||
sysnet_manage_config(ncftool_t)
|
||||
sysnet_read_dhcpc_state(ncftool_t)
|
||||
@@ -66,9 +69,9 @@ sysnet_signal_dhcpc(ncftool_t)
|
||||
userdom_use_user_terminals(ncftool_t)
|
||||
userdom_read_user_tmp_files(ncftool_t)
|
||||
|
||||
-optional_policy(`
|
||||
- brctl_run(ncftool_t, ncftool_roles)
|
||||
-')
|
||||
+#optional_policy(`
|
||||
+# brctl_run(ncftool_t, ncftool_roles)
|
||||
+#')
|
||||
|
||||
optional_policy(`
|
||||
consoletype_exec(ncftool_t)
|
||||
@@ -85,9 +88,12 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
modutils_read_module_config(ncftool_t)
|
||||
- modutils_run_insmod(ncftool_t, ncftool_roles)
|
||||
+ modutils_domtrans_insmod(ncftool_t)
|
||||
+ #modutils_run_insmod(ncftool_t, ncftool_roles)
|
||||
+
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- netutils_run(ncftool_t, ncftool_roles)
|
||||
+ netutils_domtrans(ncftool_t)
|
||||
+ #netutils_run(ncftool_t, ncftool_roles)
|
||||
')
|
||||
diff --git a/ppp.if b/ppp.if
|
||||
index c174b05..a4cad0b 100644
|
||||
--- a/ppp.if
|
||||
+++ b/ppp.if
|
||||
@@ -175,11 +175,18 @@ interface(`ppp_run_cond',`
|
||||
#
|
||||
interface(`ppp_run',`
|
||||
gen_require(`
|
||||
- attribute_role pppd_roles;
|
||||
+ #attribute_role pppd_roles;
|
||||
+ type pppd_t;
|
||||
')
|
||||
|
||||
- ppp_domtrans($1)
|
||||
- roleattribute $2 pppd_roles;
|
||||
+ #ppp_domtrans($1)
|
||||
+ #roleattribute $2 pppd_roles;
|
||||
+
|
||||
+ role $2 types pppd_t;
|
||||
+
|
||||
+ tunable_policy(`pppd_for_user',`
|
||||
+ ppp_domtrans($1)
|
||||
+ ')
|
||||
')
|
||||
|
||||
########################################
|
||||
diff --git a/ppp.te b/ppp.te
|
||||
index 17e10a2..92cec2b 100644
|
||||
--- a/ppp.te
|
||||
+++ b/ppp.te
|
||||
@@ -19,14 +19,15 @@ gen_tunable(pppd_can_insmod, false)
|
||||
## </desc>
|
||||
gen_tunable(pppd_for_user, false)
|
||||
|
||||
-attribute_role pppd_roles;
|
||||
+#attribute_role pppd_roles;
|
||||
|
||||
# pppd_t is the domain for the pppd program.
|
||||
# pppd_exec_t is the type of the pppd executable.
|
||||
type pppd_t;
|
||||
type pppd_exec_t;
|
||||
init_daemon_domain(pppd_t, pppd_exec_t)
|
||||
-role pppd_roles types pppd_t;
|
||||
+#role pppd_roles types pppd_t;
|
||||
+role system_r types pppd_t;
|
||||
|
||||
type pppd_devpts_t;
|
||||
term_pty(pppd_devpts_t)
|
||||
@@ -64,7 +65,8 @@ files_pid_file(pppd_var_run_t)
|
||||
type pptp_t;
|
||||
type pptp_exec_t;
|
||||
init_daemon_domain(pptp_t, pptp_exec_t)
|
||||
-role pppd_roles types pptp_t;
|
||||
+#role pppd_roles types pptp_t;
|
||||
+role system_r types pptp_t;
|
||||
|
||||
type pptp_log_t;
|
||||
logging_log_file(pptp_log_t)
|
||||
@@ -176,7 +178,8 @@ init_dontaudit_write_utmp(pppd_t)
|
||||
init_signal_script(pppd_t)
|
||||
|
||||
auth_use_nsswitch(pppd_t)
|
||||
-auth_run_chk_passwd(pppd_t,pppd_roles)
|
||||
+auth_domtrans_chk_passwd(pppd_t)
|
||||
+#auth_run_chk_passwd(pppd_t,pppd_roles)
|
||||
auth_write_login_records(pppd_t)
|
||||
|
||||
logging_send_syslog_msg(pppd_t)
|
||||
@@ -196,7 +199,8 @@ userdom_search_admin_dir(pppd_t)
|
||||
ppp_exec(pppd_t)
|
||||
|
||||
optional_policy(`
|
||||
- ddclient_run(pppd_t, pppd_roles)
|
||||
+ #ddclient_run(pppd_t, pppd_roles)
|
||||
+ ddclient_domtrans(pppd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
diff --git a/usernetctl.if b/usernetctl.if
|
||||
index d45c715..2d4f1ba 100644
|
||||
--- a/usernetctl.if
|
||||
+++ b/usernetctl.if
|
||||
@@ -37,9 +37,26 @@ interface(`usernetctl_domtrans',`
|
||||
#
|
||||
interface(`usernetctl_run',`
|
||||
gen_require(`
|
||||
- attribute_role usernetctl_roles;
|
||||
+ type usernetctl_t;
|
||||
+ #attribute_role usernetctl_roles;
|
||||
')
|
||||
|
||||
- usernetctl_domtrans($1)
|
||||
- roleattribute $2 usernetctl_roles;
|
||||
+ #usernetctl_domtrans($1)
|
||||
+ #roleattribute $2 usernetctl_roles;
|
||||
+
|
||||
+ sysnet_run_ifconfig(usernetctl_t, $2)
|
||||
+ sysnet_run_dhcpc(usernetctl_t, $2)
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ iptables_run(usernetctl_t, $2)
|
||||
+ ')
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ modutils_run_insmod(usernetctl_t, $2)
|
||||
+ ')
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ ppp_run(usernetctl_t, $2)
|
||||
+ ')
|
||||
+
|
||||
')
|
||||
diff --git a/usernetctl.te b/usernetctl.te
|
||||
index 8604c1c..35b12a6 100644
|
||||
--- a/usernetctl.te
|
||||
+++ b/usernetctl.te
|
||||
@@ -5,13 +5,14 @@ policy_module(usernetctl, 1.6.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
-attribute_role usernetctl_roles;
|
||||
+#attribute_role usernetctl_roles;
|
||||
|
||||
type usernetctl_t;
|
||||
type usernetctl_exec_t;
|
||||
application_domain(usernetctl_t, usernetctl_exec_t)
|
||||
domain_interactive_fd(usernetctl_t)
|
||||
-role usernetctl_roles types usernetctl_t;
|
||||
+#role usernetctl_roles types usernetctl_t;
|
||||
+role system_r types usernetctl_t;
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -63,29 +64,30 @@ sysnet_read_config(usernetctl_t)
|
||||
|
||||
userdom_use_inherited_user_terminals(usernetctl_t)
|
||||
|
||||
-sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
|
||||
-sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
|
||||
+#sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
|
||||
+#sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
|
||||
|
||||
optional_policy(`
|
||||
- consoletype_run(usernetctl_t, usernetctl_roles)
|
||||
+ #consoletype_run(usernetctl_t, usernetctl_roles)
|
||||
+ consoletype_exec(usernetctl_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
hostname_exec(usernetctl_t)
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- iptables_run(usernetctl_t, usernetctl_roles)
|
||||
-')
|
||||
+#optional_policy(`
|
||||
+# iptables_run(usernetctl_t, usernetctl_roles)
|
||||
+#')
|
||||
|
||||
-optional_policy(`
|
||||
- modutils_run_insmod(usernetctl_t, usernetctl_roles)
|
||||
-')
|
||||
+#optional_policy(`
|
||||
+# modutils_run_insmod(usernetctl_t, usernetctl_roles)
|
||||
+#')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(usernetctl_t)
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- ppp_run(usernetctl_t, usernetctl_roles)
|
||||
-')
|
||||
+#optional_policy(`
|
||||
+# ppp_run(usernetctl_t, usernetctl_roles)
|
||||
+#')
|
||||
diff --git a/vpn.if b/vpn.if
|
||||
index 7b93e07..a4e2f60 100644
|
||||
--- a/vpn.if
|
||||
+++ b/vpn.if
|
||||
@@ -37,11 +37,16 @@ interface(`vpn_domtrans',`
|
||||
#
|
||||
interface(`vpn_run',`
|
||||
gen_require(`
|
||||
- attribute_role vpnc_roles;
|
||||
+ #attribute_role vpnc_roles;
|
||||
+ type vpnc_t;
|
||||
')
|
||||
|
||||
+ #vpn_domtrans($1)
|
||||
+ #roleattribute $2 vpnc_roles;
|
||||
+
|
||||
vpn_domtrans($1)
|
||||
- roleattribute $2 vpnc_roles;
|
||||
+ role $2 types vpnc_t;
|
||||
+ sysnet_run_ifconfig(vpnc_t, $2)
|
||||
')
|
||||
|
||||
########################################
|
||||
diff --git a/vpn.te b/vpn.te
|
||||
index 99fd457..d2585bb 100644
|
||||
--- a/vpn.te
|
||||
+++ b/vpn.te
|
||||
@@ -5,14 +5,15 @@ policy_module(vpn, 1.15.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
-attribute_role vpnc_roles;
|
||||
-roleattribute system_r vpnc_roles;
|
||||
+#attribute_role vpnc_roles;
|
||||
+#roleattribute system_r vpnc_roles;
|
||||
|
||||
type vpnc_t;
|
||||
type vpnc_exec_t;
|
||||
init_system_domain(vpnc_t, vpnc_exec_t)
|
||||
application_domain(vpnc_t, vpnc_exec_t)
|
||||
-role vpnc_roles types vpnc_t;
|
||||
+#role vpnc_roles types vpnc_t;
|
||||
+role system_r types vpnc_t;
|
||||
|
||||
type vpnc_tmp_t;
|
||||
files_tmp_file(vpnc_tmp_t)
|
||||
@@ -108,7 +109,7 @@ miscfiles_read_localization(vpnc_t)
|
||||
seutil_dontaudit_search_config(vpnc_t)
|
||||
seutil_use_newrole_fds(vpnc_t)
|
||||
|
||||
-sysnet_run_ifconfig(vpnc_t, vpnc_roles)
|
||||
+#sysnet_run_ifconfig(vpnc_t, vpnc_roles)
|
||||
sysnet_etc_filetrans_config(vpnc_t)
|
||||
sysnet_manage_config(vpnc_t)
|
||||
|
||||
commit 88b64bdd71ef734271b9370fc37e02785f354f7f
|
||||
Author: Miroslav Grepl <mgrepl@redhat.com>
|
||||
Date: Thu Jun 7 02:33:40 2012 +0200
|
||||
|
||||
Fix ncftool.if
|
||||
|
||||
diff --git a/ncftool.if b/ncftool.if
|
||||
index 3a4455f..59f096b 100644
|
||||
--- a/ncftool.if
|
||||
+++ b/ncftool.if
|
||||
@@ -43,11 +43,12 @@ interface(`ncftool_run',`
|
||||
#ncftool_domtrans($1)
|
||||
#roleattribute $2 ncftool_roles;
|
||||
|
||||
- role $1 types ncftool_t;
|
||||
+ ncftool_domtrans($1)
|
||||
+ role $2 types ncftool_t;
|
||||
|
||||
- ncftool_domtrans($2)
|
||||
+ optional_policy(`
|
||||
+ brctl_run(ncftool_t, $2)
|
||||
+ ')
|
||||
|
||||
- ps_process_pattern($2, ncftool_t)
|
||||
- allow $2 ncftool_t:process signal;
|
||||
')
|
||||
|
||||
commit 1d49e7e1383a578e75d16b0b7f58dbe25351b1d9
|
||||
Author: Miroslav Grepl <mgrepl@redhat.com>
|
||||
Date: Thu Jun 7 10:47:57 2012 +0200
|
||||
|
||||
roleattriburte temp fixes for portage and dpkg
|
||||
|
||||
diff --git a/dpkg.if b/dpkg.if
|
||||
index 4d32b42..d945bd0 100644
|
||||
--- a/dpkg.if
|
||||
+++ b/dpkg.if
|
||||
@@ -62,11 +62,18 @@ interface(`dpkg_domtrans_script',`
|
||||
#
|
||||
interface(`dpkg_run',`
|
||||
gen_require(`
|
||||
- attribute_role dpkg_roles;
|
||||
+ #attribute_role dpkg_roles;
|
||||
+ type dpkg_t, dpkg_script_t
|
||||
')
|
||||
|
||||
+ #dpkg_domtrans($1)
|
||||
+ #roleattribute $2 dpkg_roles;
|
||||
+
|
||||
dpkg_domtrans($1)
|
||||
- roleattribute $2 dpkg_roles;
|
||||
+ role $2 types dpkg_t;
|
||||
+ role $2 types dpkg_script_t;
|
||||
+ seutil_run_loadpolicy(dpkg_script_t, $2)
|
||||
+
|
||||
')
|
||||
|
||||
########################################
|
||||
diff --git a/dpkg.te b/dpkg.te
|
||||
index a1b8f92..9ac1b80 100644
|
||||
--- a/dpkg.te
|
||||
+++ b/dpkg.te
|
||||
@@ -5,8 +5,8 @@ policy_module(dpkg, 1.9.1)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
-attribute_role dpkg_roles;
|
||||
-roleattribute system_r dpkg_roles;
|
||||
+#attribute_role dpkg_roles;
|
||||
+#roleattribute system_r dpkg_roles;
|
||||
|
||||
type dpkg_t;
|
||||
type dpkg_exec_t;
|
||||
@@ -17,7 +17,8 @@ domain_obj_id_change_exemption(dpkg_t)
|
||||
domain_role_change_exemption(dpkg_t)
|
||||
domain_system_change_exemption(dpkg_t)
|
||||
domain_interactive_fd(dpkg_t)
|
||||
-role dpkg_roles types dpkg_t;
|
||||
+#role dpkg_roles types dpkg_t;
|
||||
+role system_r types dpkg_t;
|
||||
|
||||
# lockfile
|
||||
type dpkg_lock_t;
|
||||
@@ -41,7 +42,8 @@ corecmd_shell_entry_type(dpkg_script_t)
|
||||
domain_obj_id_change_exemption(dpkg_script_t)
|
||||
domain_system_change_exemption(dpkg_script_t)
|
||||
domain_interactive_fd(dpkg_script_t)
|
||||
-role dpkg_roles types dpkg_script_t;
|
||||
+#role dpkg_roles types dpkg_script_t;
|
||||
+role system_r types dpkg_script_t;
|
||||
|
||||
type dpkg_script_tmp_t;
|
||||
files_tmp_file(dpkg_script_tmp_t)
|
||||
@@ -152,9 +154,12 @@ files_exec_etc_files(dpkg_t)
|
||||
init_domtrans_script(dpkg_t)
|
||||
init_use_script_ptys(dpkg_t)
|
||||
|
||||
+#libs_exec_ld_so(dpkg_t)
|
||||
+#libs_exec_lib_files(dpkg_t)
|
||||
+#libs_run_ldconfig(dpkg_t, dpkg_roles)
|
||||
libs_exec_ld_so(dpkg_t)
|
||||
libs_exec_lib_files(dpkg_t)
|
||||
-libs_run_ldconfig(dpkg_t, dpkg_roles)
|
||||
+libs_domtrans_ldconfig(dpkg_t)
|
||||
|
||||
logging_send_syslog_msg(dpkg_t)
|
||||
|
||||
@@ -196,19 +201,30 @@ domain_signull_all_domains(dpkg_t)
|
||||
files_read_etc_runtime_files(dpkg_t)
|
||||
files_exec_usr_files(dpkg_t)
|
||||
miscfiles_read_localization(dpkg_t)
|
||||
-modutils_run_depmod(dpkg_t, dpkg_roles)
|
||||
-modutils_run_insmod(dpkg_t, dpkg_roles)
|
||||
-seutil_run_loadpolicy(dpkg_t, dpkg_roles)
|
||||
-seutil_run_setfiles(dpkg_t, dpkg_roles)
|
||||
+#modutils_run_depmod(dpkg_t, dpkg_roles)
|
||||
+#modutils_run_insmod(dpkg_t, dpkg_roles)
|
||||
+#seutil_run_loadpolicy(dpkg_t, dpkg_roles)
|
||||
+#seutil_run_setfiles(dpkg_t, dpkg_roles)
|
||||
userdom_use_all_users_fds(dpkg_t)
|
||||
optional_policy(`
|
||||
mta_send_mail(dpkg_t)
|
||||
')
|
||||
+
|
||||
+
|
||||
optional_policy(`
|
||||
- usermanage_run_groupadd(dpkg_t, dpkg_roles)
|
||||
- usermanage_run_useradd(dpkg_t, dpkg_roles)
|
||||
+ modutils_domtrans_depmod(dpkg_t)
|
||||
+ modutils_domtrans_insmod(dpkg_t)
|
||||
+ seutil_domtrans_loadpolicy(dpkg_t)
|
||||
+ seutil_domtrans_setfiles(dpkg_t)
|
||||
+ usermanage_domtrans_groupadd(dpkg_t)
|
||||
+ usermanage_domtrans_useradd(dpkg_t)
|
||||
')
|
||||
|
||||
+#optional_policy(`
|
||||
+# usermanage_run_groupadd(dpkg_t, dpkg_roles)
|
||||
+# usermanage_run_useradd(dpkg_t, dpkg_roles)
|
||||
+#')
|
||||
+
|
||||
########################################
|
||||
#
|
||||
# dpkg-script Local policy
|
||||
@@ -302,11 +318,11 @@ logging_send_syslog_msg(dpkg_script_t)
|
||||
|
||||
miscfiles_read_localization(dpkg_script_t)
|
||||
|
||||
-modutils_run_depmod(dpkg_script_t, dpkg_roles)
|
||||
-modutils_run_insmod(dpkg_script_t, dpkg_roles)
|
||||
+#modutils_run_depmod(dpkg_script_t, dpkg_roles)
|
||||
+#modutils_run_insmod(dpkg_script_t, dpkg_roles)
|
||||
|
||||
-seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
|
||||
-seutil_run_setfiles(dpkg_script_t, dpkg_roles)
|
||||
+#seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
|
||||
+#seutil_run_setfiles(dpkg_script_t, dpkg_roles)
|
||||
|
||||
userdom_use_all_users_fds(dpkg_script_t)
|
||||
|
||||
@@ -319,9 +335,9 @@ optional_policy(`
|
||||
apt_use_fds(dpkg_script_t)
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- bootloader_run(dpkg_script_t, dpkg_roles)
|
||||
-')
|
||||
+#optional_policy(`
|
||||
+# bootloader_run(dpkg_script_t, dpkg_roles)
|
||||
+#')
|
||||
|
||||
optional_policy(`
|
||||
mta_send_mail(dpkg_script_t)
|
||||
@@ -335,7 +351,7 @@ optional_policy(`
|
||||
unconfined_domain(dpkg_script_t)
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- usermanage_run_groupadd(dpkg_script_t, dpkg_roles)
|
||||
- usermanage_run_useradd(dpkg_script_t, dpkg_roles)
|
||||
-')
|
||||
+#optional_policy(`
|
||||
+# usermanage_run_groupadd(dpkg_script_t, dpkg_roles)
|
||||
+# usermanage_run_useradd(dpkg_script_t, dpkg_roles)
|
||||
+#')
|
||||
diff --git a/portage.if b/portage.if
|
||||
index b4bb48a..e5e8f12 100644
|
||||
--- a/portage.if
|
||||
+++ b/portage.if
|
||||
@@ -43,11 +43,15 @@ interface(`portage_domtrans',`
|
||||
#
|
||||
interface(`portage_run',`
|
||||
gen_require(`
|
||||
- attribute_role portage_roles;
|
||||
+ type portage_t, portage_fetch_t, portage_sandbox_t;
|
||||
+ #attribute_role portage_roles;
|
||||
')
|
||||
|
||||
- portage_domtrans($1)
|
||||
- roleattribute $2 portage_roles;
|
||||
+ #portage_domtrans($1)
|
||||
+ #roleattribute $2 portage_roles;
|
||||
+ portage_domtrans($1)
|
||||
+ role $2 types { portage_t portage_fetch_t portage_sandbox_t }
|
||||
+
|
||||
')
|
||||
|
||||
########################################
|
||||
diff --git a/portage.te b/portage.te
|
||||
index 22bdf7d..f726e1d 100644
|
||||
--- a/portage.te
|
||||
+++ b/portage.te
|
||||
@@ -12,7 +12,7 @@ policy_module(portage, 1.12.4)
|
||||
## </desc>
|
||||
gen_tunable(portage_use_nfs, false)
|
||||
|
||||
-attribute_role portage_roles;
|
||||
+#attribute_role portage_roles;
|
||||
|
||||
type gcc_config_t;
|
||||
type gcc_config_exec_t;
|
||||
@@ -25,7 +25,8 @@ application_domain(portage_t, portage_exec_t)
|
||||
domain_obj_id_change_exemption(portage_t)
|
||||
rsync_entry_type(portage_t)
|
||||
corecmd_shell_entry_type(portage_t)
|
||||
-role portage_roles types portage_t;
|
||||
+#role portage_roles types portage_t;
|
||||
+role system_r types portage_t;
|
||||
|
||||
# portage compile sandbox domain
|
||||
type portage_sandbox_t;
|
||||
@@ -33,7 +34,8 @@ application_domain(portage_sandbox_t, portage_exec_t)
|
||||
# the shell is the entrypoint if regular sandbox is disabled
|
||||
# portage_exec_t is the entrypoint if regular sandbox is enabled
|
||||
corecmd_shell_entry_type(portage_sandbox_t)
|
||||
-role portage_roles types portage_sandbox_t;
|
||||
+#role portage_roles types portage_sandbox_t;
|
||||
+role system_r types portage_sandbox_t;
|
||||
|
||||
# portage package fetching domain
|
||||
type portage_fetch_t;
|
||||
@@ -41,7 +43,8 @@ type portage_fetch_exec_t;
|
||||
application_domain(portage_fetch_t, portage_fetch_exec_t)
|
||||
corecmd_shell_entry_type(portage_fetch_t)
|
||||
rsync_entry_type(portage_fetch_t)
|
||||
-role portage_roles types portage_fetch_t;
|
||||
+#role portage_roles types portage_fetch_t;
|
||||
+role system_r types portage_fetch_t;
|
||||
|
||||
type portage_devpts_t;
|
||||
term_pty(portage_devpts_t)
|
||||
@@ -115,7 +118,8 @@ files_list_all(gcc_config_t)
|
||||
init_dontaudit_read_script_status_files(gcc_config_t)
|
||||
|
||||
libs_read_lib_files(gcc_config_t)
|
||||
-libs_run_ldconfig(gcc_config_t, portage_roles)
|
||||
+#libs_run_ldconfig(gcc_config_t, portage_roles)
|
||||
+libs_domtrans_ldconfig(gcc_config_t)
|
||||
libs_manage_shared_libs(gcc_config_t)
|
||||
# gcc-config creates a temp dir for the libs
|
||||
libs_manage_lib_dirs(gcc_config_t)
|
||||
@@ -196,33 +200,41 @@ auth_manage_shadow(portage_t)
|
||||
init_exec(portage_t)
|
||||
|
||||
# run setfiles -r
|
||||
-seutil_run_setfiles(portage_t, portage_roles)
|
||||
+#seutil_run_setfiles(portage_t, portage_roles)
|
||||
# run semodule
|
||||
-seutil_run_semanage(portage_t, portage_roles)
|
||||
+#seutil_run_semanage(portage_t, portage_roles)
|
||||
|
||||
-portage_run_gcc_config(portage_t, portage_roles)
|
||||
+#portage_run_gcc_config(portage_t, portage_roles)
|
||||
# if sesandbox is disabled, compiling is performed in this domain
|
||||
portage_compile_domain(portage_t)
|
||||
|
||||
-optional_policy(`
|
||||
- bootloader_run(portage_t, portage_roles)
|
||||
-')
|
||||
+#optional_policy(`
|
||||
+# bootloader_run(portage_t, portage_roles)
|
||||
+#')
|
||||
|
||||
optional_policy(`
|
||||
cron_system_entry(portage_t, portage_exec_t)
|
||||
cron_system_entry(portage_fetch_t, portage_fetch_exec_t)
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- modutils_run_depmod(portage_t, portage_roles)
|
||||
- modutils_run_update_mods(portage_t, portage_roles)
|
||||
+#optional_policy(`
|
||||
+# modutils_run_depmod(portage_t, portage_roles)
|
||||
+# modutils_run_update_mods(portage_t, portage_roles)
|
||||
#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- usermanage_run_groupadd(portage_t, portage_roles)
|
||||
- usermanage_run_useradd(portage_t, portage_roles)
|
||||
-')
|
||||
+#optional_policy(`
|
||||
+# usermanage_run_groupadd(portage_t, portage_roles)
|
||||
+# usermanage_run_useradd(portage_t, portage_roles)
|
||||
+#')
|
||||
+
|
||||
+seutil_domtrans_setfiles(portage_t)
|
||||
+seutil_domtrans_semanage(portage_t)
|
||||
+bootloader_domtrans(portage_t)
|
||||
+modutils_domtrans_depmod(portage_t)
|
||||
+modutils_domtrans_update_mods(portage_t)
|
||||
+usermanage_domtrans_groupadd(portage_t)
|
||||
+usermanage_domtrans_useradd(portage_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
# seems to work ok without these
|
||||
commit 1797b35f16d5c863a0083148dee4ee3f93c4c4ef
|
||||
Author: Miroslav Grepl <mgrepl@redhat.com>
|
||||
Date: Thu Jun 7 10:52:09 2012 +0200
|
||||
|
||||
Fix typo
|
||||
|
||||
diff --git a/portage.if b/portage.if
|
||||
index e5e8f12..7098ded 100644
|
||||
--- a/portage.if
|
||||
+++ b/portage.if
|
||||
@@ -50,7 +50,7 @@ interface(`portage_run',`
|
||||
#portage_domtrans($1)
|
||||
#roleattribute $2 portage_roles;
|
||||
portage_domtrans($1)
|
||||
- role $2 types { portage_t portage_fetch_t portage_sandbox_t }
|
||||
+ role $2 types { portage_t portage_fetch_t portage_sandbox_t };
|
||||
|
||||
')
|
||||
|
||||
commit cf999ca29d2a4401c481e28c169e10d676d73526
|
||||
Author: Miroslav Grepl <mgrepl@redhat.com>
|
||||
Date: Thu Jun 7 10:59:22 2012 +0200
|
||||
|
||||
One more typo
|
||||
|
||||
diff --git a/dpkg.if b/dpkg.if
|
||||
index d945bd0..78736d8 100644
|
||||
--- a/dpkg.if
|
||||
+++ b/dpkg.if
|
||||
@@ -63,7 +63,7 @@ interface(`dpkg_domtrans_script',`
|
||||
interface(`dpkg_run',`
|
||||
gen_require(`
|
||||
#attribute_role dpkg_roles;
|
||||
- type dpkg_t, dpkg_script_t
|
||||
+ type dpkg_t, dpkg_script_t;
|
||||
')
|
||||
|
||||
#dpkg_domtrans($1)
|
@ -18728,7 +18728,7 @@ index 9d3201b..6e75e3d 100644
|
||||
+ allow $1 ftpd_unit_file_t:service all_service_perms;
|
||||
')
|
||||
diff --git a/ftp.te b/ftp.te
|
||||
index 4285c83..4bd0373 100644
|
||||
index 4285c83..ed96e96 100644
|
||||
--- a/ftp.te
|
||||
+++ b/ftp.te
|
||||
@@ -40,6 +40,27 @@ gen_tunable(allow_ftpd_use_nfs, false)
|
||||
@ -18812,7 +18812,15 @@ index 4285c83..4bd0373 100644
|
||||
dontaudit ftpd_t self:capability sys_tty_config;
|
||||
allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
|
||||
allow ftpd_t self:fifo_file rw_fifo_file_perms;
|
||||
@@ -163,13 +200,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
|
||||
@@ -151,7 +188,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
|
||||
|
||||
manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
|
||||
manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
|
||||
-files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
|
||||
|
||||
manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
|
||||
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
|
||||
@@ -163,13 +199,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
|
||||
manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
|
||||
manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
|
||||
manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
|
||||
@ -18828,7 +18836,7 @@ index 4285c83..4bd0373 100644
|
||||
|
||||
# Create and modify /var/log/xferlog.
|
||||
manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
|
||||
@@ -177,7 +214,7 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
|
||||
@@ -177,7 +213,7 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
|
||||
|
||||
kernel_read_kernel_sysctls(ftpd_t)
|
||||
kernel_read_system_state(ftpd_t)
|
||||
@ -18837,7 +18845,7 @@ index 4285c83..4bd0373 100644
|
||||
|
||||
dev_read_sysfs(ftpd_t)
|
||||
dev_read_urand(ftpd_t)
|
||||
@@ -196,9 +233,8 @@ corenet_tcp_bind_generic_node(ftpd_t)
|
||||
@@ -196,9 +232,8 @@ corenet_tcp_bind_generic_node(ftpd_t)
|
||||
corenet_tcp_bind_ftp_port(ftpd_t)
|
||||
corenet_tcp_bind_ftp_data_port(ftpd_t)
|
||||
corenet_tcp_bind_generic_port(ftpd_t)
|
||||
@ -18849,7 +18857,7 @@ index 4285c83..4bd0373 100644
|
||||
corenet_sendrecv_ftp_server_packets(ftpd_t)
|
||||
|
||||
domain_use_interactive_fds(ftpd_t)
|
||||
@@ -212,13 +248,11 @@ fs_search_auto_mountpoints(ftpd_t)
|
||||
@@ -212,13 +247,11 @@ fs_search_auto_mountpoints(ftpd_t)
|
||||
fs_getattr_all_fs(ftpd_t)
|
||||
fs_search_fusefs(ftpd_t)
|
||||
|
||||
@ -18865,7 +18873,7 @@ index 4285c83..4bd0373 100644
|
||||
|
||||
init_rw_utmp(ftpd_t)
|
||||
|
||||
@@ -261,7 +295,15 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
|
||||
@@ -261,7 +294,15 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
|
||||
|
||||
tunable_policy(`allow_ftpd_full_access',`
|
||||
allow ftpd_t self:capability { dac_override dac_read_search };
|
||||
@ -18882,7 +18890,7 @@ index 4285c83..4bd0373 100644
|
||||
')
|
||||
|
||||
tunable_policy(`ftp_home_dir',`
|
||||
@@ -270,10 +312,13 @@ tunable_policy(`ftp_home_dir',`
|
||||
@@ -270,10 +311,13 @@ tunable_policy(`ftp_home_dir',`
|
||||
# allow access to /home
|
||||
files_list_home(ftpd_t)
|
||||
userdom_read_user_home_content_files(ftpd_t)
|
||||
@ -18900,7 +18908,7 @@ index 4285c83..4bd0373 100644
|
||||
')
|
||||
|
||||
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
|
||||
@@ -309,10 +354,34 @@ optional_policy(`
|
||||
@@ -309,10 +353,34 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -18936,7 +18944,7 @@ index 4285c83..4bd0373 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -347,16 +416,17 @@ optional_policy(`
|
||||
@@ -347,16 +415,17 @@ optional_policy(`
|
||||
|
||||
# Allow ftpdctl to talk to ftpd over a socket connection
|
||||
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
|
||||
@ -18956,7 +18964,7 @@ index 4285c83..4bd0373 100644
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -365,18 +435,33 @@ userdom_use_user_terminals(ftpdctl_t)
|
||||
@@ -365,18 +434,33 @@ userdom_use_user_terminals(ftpdctl_t)
|
||||
|
||||
files_read_etc_files(sftpd_t)
|
||||
|
||||
@ -18993,7 +19001,7 @@ index 4285c83..4bd0373 100644
|
||||
')
|
||||
|
||||
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
@@ -394,19 +479,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
|
||||
@@ -394,19 +478,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
|
||||
tunable_policy(`sftpd_full_access',`
|
||||
allow sftpd_t self:capability { dac_override dac_read_search };
|
||||
fs_read_noxattr_fs_files(sftpd_t)
|
||||
@ -53059,10 +53067,10 @@ index 58e7ec0..e4119f7 100644
|
||||
+ allow $1 telnetd_devpts_t:chr_file rw_inherited_term_perms;
|
||||
+')
|
||||
diff --git a/telnet.te b/telnet.te
|
||||
index f40e67b..50163e0 100644
|
||||
index f40e67b..3519e88 100644
|
||||
--- a/telnet.te
|
||||
+++ b/telnet.te
|
||||
@@ -24,16 +24,16 @@ files_pid_file(telnetd_var_run_t)
|
||||
@@ -24,21 +24,20 @@ files_pid_file(telnetd_var_run_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
@ -53082,7 +53090,12 @@ index f40e67b..50163e0 100644
|
||||
term_create_pty(telnetd_t, telnetd_devpts_t)
|
||||
|
||||
manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
|
||||
@@ -81,15 +81,10 @@ miscfiles_read_localization(telnetd_t)
|
||||
manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
|
||||
-files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })
|
||||
|
||||
manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t)
|
||||
files_pid_filetrans(telnetd_t, telnetd_var_run_t, file)
|
||||
@@ -81,15 +80,10 @@ miscfiles_read_localization(telnetd_t)
|
||||
|
||||
seutil_read_config(telnetd_t)
|
||||
|
||||
@ -53100,7 +53113,7 @@ index f40e67b..50163e0 100644
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_search_nfs(telnetd_t)
|
||||
@@ -98,3 +93,12 @@ tunable_policy(`use_nfs_home_dirs',`
|
||||
@@ -98,3 +92,12 @@ tunable_policy(`use_nfs_home_dirs',`
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_search_cifs(telnetd_t)
|
||||
')
|
||||
|
@ -254,9 +254,11 @@ Based off of reference policy: Checked out revision 2.20091117
|
||||
%prep
|
||||
%setup -n serefpolicy-contrib-%{version} -q -b 29
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
contrib_path=`pwd`
|
||||
%setup -n serefpolicy-%{version} -q
|
||||
%patch -p1
|
||||
%patch3 -p1
|
||||
refpolicy_path=`pwd`
|
||||
cp $contrib_path/* $refpolicy_path/policy/modules/contrib
|
||||
|
||||
|
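Review bot: The two lines this hunk adds to %prep (the `+` markers were lost in rendering, but the hunk grows from 9 to 11 lines and `%patch2 -p1` after `%patch1 -p1` in the contrib checkout plus `%patch3 -p1` after `%patch -p1` in the base checkout are the only new statements) apply patches the commit title itself calls temporary, yet nothing in the spec records that, so they will quietly outlive their purpose. A one-line comment above each, `# temporary roleattribute workaround (comments out attribute_role/roleattribute, hard-codes system_r); drop once no longer needed`, gives the next maintainer the removal condition. The comment should also state that the placement is deliberate, since each of these patches sits after the tree's main patch and presumably only applies against the already-patched sources; a maintainer reordering %prep would otherwise have no warning.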