- Additional rules for fprintd and sssd
This commit is contained in:
parent
40d8f60dd7
commit
21b13fca45
@ -1833,9 +1833,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+permissive cpufreqselector_t;
|
+permissive cpufreqselector_t;
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.12/policy/modules/apps/gnome.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.12/policy/modules/apps/gnome.fc
|
||||||
--- nsaserefpolicy/policy/modules/apps/gnome.fc 2008-11-11 16:13:42.000000000 -0500
|
--- nsaserefpolicy/policy/modules/apps/gnome.fc 2008-11-11 16:13:42.000000000 -0500
|
||||||
+++ serefpolicy-3.6.12/policy/modules/apps/gnome.fc 2009-04-23 09:44:57.000000000 -0400
|
+++ serefpolicy-3.6.12/policy/modules/apps/gnome.fc 2009-04-30 07:42:25.000000000 -0400
|
||||||
@@ -1,8 +1,16 @@
|
@@ -1,8 +1,16 @@
|
||||||
HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
|
-HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
|
||||||
|
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
|
||||||
HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
|
HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
|
||||||
+HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
|
+HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
|
||||||
+HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
|
+HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
|
||||||
@ -5234,7 +5235,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.12/policy/modules/kernel/domain.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.12/policy/modules/kernel/domain.te
|
||||||
--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-01-05 15:39:38.000000000 -0500
|
--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-01-05 15:39:38.000000000 -0500
|
||||||
+++ serefpolicy-3.6.12/policy/modules/kernel/domain.te 2009-04-27 11:30:40.000000000 -0400
|
+++ serefpolicy-3.6.12/policy/modules/kernel/domain.te 2009-04-29 10:47:24.000000000 -0400
|
||||||
@@ -5,6 +5,13 @@
|
@@ -5,6 +5,13 @@
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
@ -5305,7 +5306,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
|
allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
|
||||||
|
|
||||||
# act on all domains keys
|
# act on all domains keys
|
||||||
@@ -153,3 +172,46 @@
|
@@ -153,3 +172,50 @@
|
||||||
|
|
||||||
# receive from all domains over labeled networking
|
# receive from all domains over labeled networking
|
||||||
domain_all_recvfrom_all_domains(unconfined_domain_type)
|
domain_all_recvfrom_all_domains(unconfined_domain_type)
|
||||||
@ -5338,6 +5339,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
|
+ ssh_rw_pipes(domain)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
+ unconfined_dontaudit_rw_pipes(domain)
|
+ unconfined_dontaudit_rw_pipes(domain)
|
||||||
+ unconfined_sigchld(domain)
|
+ unconfined_sigchld(domain)
|
||||||
+')
|
+')
|
||||||
@ -8336,7 +8341,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
|
+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.12/policy/modules/services/apache.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.12/policy/modules/services/apache.if
|
||||||
--- nsaserefpolicy/policy/modules/services/apache.if 2009-01-19 11:06:49.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/apache.if 2009-01-19 11:06:49.000000000 -0500
|
||||||
+++ serefpolicy-3.6.12/policy/modules/services/apache.if 2009-04-23 09:44:57.000000000 -0400
|
+++ serefpolicy-3.6.12/policy/modules/services/apache.if 2009-04-29 14:18:52.000000000 -0400
|
||||||
@@ -13,21 +13,16 @@
|
@@ -13,21 +13,16 @@
|
||||||
#
|
#
|
||||||
template(`apache_content_template',`
|
template(`apache_content_template',`
|
||||||
@ -8558,7 +8563,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
tunable_policy(`httpd_enable_cgi && allow_ypbind',`
|
tunable_policy(`httpd_enable_cgi && allow_ypbind',`
|
||||||
nis_use_ypbind_uncond(httpd_$1_script_t)
|
nis_use_ypbind_uncond(httpd_$1_script_t)
|
||||||
@@ -227,10 +170,6 @@
|
@@ -227,15 +170,13 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
postgresql_unpriv_client(httpd_$1_script_t)
|
postgresql_unpriv_client(httpd_$1_script_t)
|
||||||
@ -8569,7 +8574,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -504,6 +443,47 @@
|
nscd_socket_use(httpd_$1_script_t)
|
||||||
|
')
|
||||||
|
+
|
||||||
|
+ dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
@@ -504,6 +445,47 @@
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Allow the specified domain to read
|
## Allow the specified domain to read
|
||||||
@ -8617,7 +8629,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## apache configuration files.
|
## apache configuration files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -579,7 +559,7 @@
|
@@ -579,7 +561,7 @@
|
||||||
## </param>
|
## </param>
|
||||||
## <param name="role">
|
## <param name="role">
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -8626,7 +8638,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
## <rolecap/>
|
## <rolecap/>
|
||||||
@@ -715,6 +695,7 @@
|
@@ -715,6 +697,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 httpd_modules_t:dir list_dir_perms;
|
allow $1 httpd_modules_t:dir list_dir_perms;
|
||||||
@ -8634,7 +8646,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -782,6 +763,32 @@
|
@@ -782,6 +765,32 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -8667,7 +8679,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Execute all web scripts in the system
|
## Execute all web scripts in the system
|
||||||
## script domain.
|
## script domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -791,16 +798,18 @@
|
@@ -791,16 +800,18 @@
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -8690,7 +8702,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -859,6 +868,8 @@
|
@@ -859,6 +870,8 @@
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -8699,7 +8711,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
interface(`apache_run_all_scripts',`
|
interface(`apache_run_all_scripts',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute httpd_exec_scripts, httpd_script_domains;
|
attribute httpd_exec_scripts, httpd_script_domains;
|
||||||
@@ -884,7 +895,7 @@
|
@@ -884,7 +897,7 @@
|
||||||
type httpd_squirrelmail_t;
|
type httpd_squirrelmail_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -8708,7 +8720,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1040,3 +1051,160 @@
|
@@ -1040,3 +1053,160 @@
|
||||||
|
|
||||||
allow httpd_t $1:process signal;
|
allow httpd_t $1:process signal;
|
||||||
')
|
')
|
||||||
@ -10360,7 +10372,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.12/policy/modules/services/consolekit.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.12/policy/modules/services/consolekit.te
|
||||||
--- nsaserefpolicy/policy/modules/services/consolekit.te 2009-01-05 15:39:43.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/consolekit.te 2009-01-05 15:39:43.000000000 -0500
|
||||||
+++ serefpolicy-3.6.12/policy/modules/services/consolekit.te 2009-04-23 09:44:57.000000000 -0400
|
+++ serefpolicy-3.6.12/policy/modules/services/consolekit.te 2009-04-29 13:51:27.000000000 -0400
|
||||||
@@ -13,6 +13,9 @@
|
@@ -13,6 +13,9 @@
|
||||||
type consolekit_var_run_t;
|
type consolekit_var_run_t;
|
||||||
files_pid_file(consolekit_var_run_t)
|
files_pid_file(consolekit_var_run_t)
|
||||||
@ -10400,7 +10412,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# needs to read /var/lib/dbus/machine-id
|
# needs to read /var/lib/dbus/machine-id
|
||||||
files_read_var_lib_files(consolekit_t)
|
files_read_var_lib_files(consolekit_t)
|
||||||
|
|
||||||
@@ -47,13 +57,35 @@
|
@@ -47,13 +57,36 @@
|
||||||
|
|
||||||
auth_use_nsswitch(consolekit_t)
|
auth_use_nsswitch(consolekit_t)
|
||||||
|
|
||||||
@ -10409,6 +10421,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+init_chat(consolekit_t)
|
+init_chat(consolekit_t)
|
||||||
+
|
+
|
||||||
+logging_send_syslog_msg(consolekit_t)
|
+logging_send_syslog_msg(consolekit_t)
|
||||||
|
+logging_send_audit_msgs(consolekit_t)
|
||||||
+
|
+
|
||||||
miscfiles_read_localization(consolekit_t)
|
miscfiles_read_localization(consolekit_t)
|
||||||
|
|
||||||
@ -10438,7 +10451,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
unconfined_dbus_chat(consolekit_t)
|
unconfined_dbus_chat(consolekit_t)
|
||||||
@@ -61,6 +93,32 @@
|
@@ -61,6 +94,32 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -11834,7 +11847,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.12/policy/modules/services/cvs.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.12/policy/modules/services/cvs.te
|
||||||
--- nsaserefpolicy/policy/modules/services/cvs.te 2009-03-23 13:47:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/cvs.te 2009-03-23 13:47:11.000000000 -0400
|
||||||
+++ serefpolicy-3.6.12/policy/modules/services/cvs.te 2009-04-23 09:44:57.000000000 -0400
|
+++ serefpolicy-3.6.12/policy/modules/services/cvs.te 2009-04-29 12:56:25.000000000 -0400
|
||||||
@@ -112,4 +112,5 @@
|
@@ -112,4 +112,5 @@
|
||||||
read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
|
read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
|
||||||
manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
|
manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
|
||||||
@ -13431,8 +13444,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.12/policy/modules/services/fprintd.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.12/policy/modules/services/fprintd.te
|
||||||
--- nsaserefpolicy/policy/modules/services/fprintd.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/fprintd.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.6.12/policy/modules/services/fprintd.te 2009-04-28 16:07:25.000000000 -0400
|
+++ serefpolicy-3.6.12/policy/modules/services/fprintd.te 2009-04-29 10:10:42.000000000 -0400
|
||||||
@@ -0,0 +1,36 @@
|
@@ -0,0 +1,41 @@
|
||||||
+policy_module(fprintd,1.0.0)
|
+policy_module(fprintd,1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -13463,8 +13476,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+userdom_read_all_users_state(fprintd_t)
|
+userdom_read_all_users_state(fprintd_t)
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
|
+ consolekit_dbus_chat(fprintd_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
+ polkit_read_reload(fprintd_t)
|
+ polkit_read_reload(fprintd_t)
|
||||||
+ polkit_read_lib(fprintd_t)
|
+ polkit_read_lib(fprintd_t)
|
||||||
|
+ polkit_domtrans_auth(fprintd_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+permissive fprintd_t;
|
+permissive fprintd_t;
|
||||||
@ -14533,6 +14551,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+permissive ifplugd_t;
|
+permissive ifplugd_t;
|
||||||
+
|
+
|
||||||
+
|
+
|
||||||
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.if serefpolicy-3.6.12/policy/modules/services/inetd.if
|
||||||
|
--- nsaserefpolicy/policy/modules/services/inetd.if 2008-09-03 07:59:15.000000000 -0400
|
||||||
|
+++ serefpolicy-3.6.12/policy/modules/services/inetd.if 2009-04-29 14:44:12.000000000 -0400
|
||||||
|
@@ -36,8 +36,7 @@
|
||||||
|
role system_r types $1;
|
||||||
|
|
||||||
|
domtrans_pattern(inetd_t, $2, $1)
|
||||||
|
-
|
||||||
|
- allow inetd_t $1:process sigkill;
|
||||||
|
+ allow inetd_t $1:process { siginh sigkill };
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.6.12/policy/modules/services/kerneloops.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.6.12/policy/modules/services/kerneloops.if
|
||||||
--- nsaserefpolicy/policy/modules/services/kerneloops.if 2009-01-05 15:39:43.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/kerneloops.if 2009-01-05 15:39:43.000000000 -0500
|
||||||
+++ serefpolicy-3.6.12/policy/modules/services/kerneloops.if 2009-04-23 09:44:57.000000000 -0400
|
+++ serefpolicy-3.6.12/policy/modules/services/kerneloops.if 2009-04-23 09:44:57.000000000 -0400
|
||||||
@ -14959,8 +14990,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
|
cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.fc serefpolicy-3.6.12/policy/modules/services/milter.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.fc serefpolicy-3.6.12/policy/modules/services/milter.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/milter.fc 2008-11-25 09:01:08.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/milter.fc 2008-11-25 09:01:08.000000000 -0500
|
||||||
+++ serefpolicy-3.6.12/policy/modules/services/milter.fc 2009-04-27 11:46:55.000000000 -0400
|
+++ serefpolicy-3.6.12/policy/modules/services/milter.fc 2009-04-29 10:14:21.000000000 -0400
|
||||||
@@ -1,6 +1,9 @@
|
@@ -1,6 +1,10 @@
|
||||||
-/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
|
-/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
|
||||||
-/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
|
-/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
|
||||||
|
|
||||||
@ -14969,6 +15000,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
|
+/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
|
||||||
/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
|
/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
|
||||||
/var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
|
/var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
|
||||||
|
+/var/run/milter.* -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
|
||||||
+/var/lib/miltermilter.* gen_context(system_u:object_r:spamass_milter_state_t,s0)
|
+/var/lib/miltermilter.* gen_context(system_u:object_r:spamass_milter_state_t,s0)
|
||||||
+
|
+
|
||||||
+/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
|
+/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
|
||||||
@ -20441,6 +20473,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
auth_login_pgm_domain(rshd_t)
|
auth_login_pgm_domain(rshd_t)
|
||||||
auth_write_login_records(rshd_t)
|
auth_write_login_records(rshd_t)
|
||||||
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.12/policy/modules/services/rsync.te
|
||||||
|
--- nsaserefpolicy/policy/modules/services/rsync.te 2009-03-23 13:47:11.000000000 -0400
|
||||||
|
+++ serefpolicy-3.6.12/policy/modules/services/rsync.te 2009-04-29 13:19:21.000000000 -0400
|
||||||
|
@@ -8,6 +8,13 @@
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
+## Allow rsync to run as a client
|
||||||
|
+## </p>
|
||||||
|
+## </desc>
|
||||||
|
+gen_tunable(rsync_client, false)
|
||||||
|
+
|
||||||
|
+## <desc>
|
||||||
|
+## <p>
|
||||||
|
## Allow rsync to export any files/directories read only.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
@@ -124,4 +131,12 @@
|
||||||
|
auth_read_all_symlinks_except_shadow(rsync_t)
|
||||||
|
auth_tunable_read_shadow(rsync_t)
|
||||||
|
')
|
||||||
|
+
|
||||||
|
+tunable_policy(`rsync_client',`
|
||||||
|
+ corenet_tcp_connect_rsync_port(rsync_t)
|
||||||
|
+ manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t)
|
||||||
|
+ manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
|
||||||
|
+ manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
auth_can_read_shadow_passwords(rsync_t)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.6.12/policy/modules/services/samba.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.6.12/policy/modules/services/samba.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/samba.fc 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/samba.fc 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.6.12/policy/modules/services/samba.fc 2009-04-23 09:44:57.000000000 -0400
|
+++ serefpolicy-3.6.12/policy/modules/services/samba.fc 2009-04-23 09:44:57.000000000 -0400
|
||||||
@ -21363,7 +21425,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.12/policy/modules/services/sendmail.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.12/policy/modules/services/sendmail.if
|
||||||
--- nsaserefpolicy/policy/modules/services/sendmail.if 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/sendmail.if 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.6.12/policy/modules/services/sendmail.if 2009-04-23 09:44:57.000000000 -0400
|
+++ serefpolicy-3.6.12/policy/modules/services/sendmail.if 2009-04-29 13:03:31.000000000 -0400
|
||||||
|
@@ -89,7 +89,7 @@
|
||||||
|
type sendmail_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
- allow $1 sendmail_t:unix_stream_socket { read write };
|
||||||
|
+ allow $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
@@ -149,3 +149,92 @@
|
@@ -149,3 +149,92 @@
|
||||||
|
|
||||||
logging_log_filetrans($1, sendmail_log_t, file)
|
logging_log_filetrans($1, sendmail_log_t, file)
|
||||||
@ -22406,7 +22477,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0)
|
+/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.12/policy/modules/services/ssh.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.12/policy/modules/services/ssh.if
|
||||||
--- nsaserefpolicy/policy/modules/services/ssh.if 2009-01-19 11:06:49.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/ssh.if 2009-01-19 11:06:49.000000000 -0500
|
||||||
+++ serefpolicy-3.6.12/policy/modules/services/ssh.if 2009-04-23 09:44:57.000000000 -0400
|
+++ serefpolicy-3.6.12/policy/modules/services/ssh.if 2009-04-29 10:46:37.000000000 -0400
|
||||||
@@ -36,6 +36,7 @@
|
@@ -36,6 +36,7 @@
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute ssh_server;
|
attribute ssh_server;
|
||||||
@ -22607,7 +22678,31 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Read a ssh server unnamed pipe.
|
## Read a ssh server unnamed pipe.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -611,3 +630,42 @@
|
@@ -469,6 +488,23 @@
|
||||||
|
|
||||||
|
allow $1 sshd_t:fifo_file { getattr read };
|
||||||
|
')
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Read/write a ssh server unnamed pipe.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`ssh_rw_pipes',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type sshd_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 sshd_t:fifo_file { write read getattr ioctl };
|
||||||
|
+')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
@@ -611,3 +647,42 @@
|
||||||
|
|
||||||
dontaudit $1 sshd_key_t:file { getattr read };
|
dontaudit $1 sshd_key_t:file { getattr read };
|
||||||
')
|
')
|
||||||
@ -23085,8 +23180,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.12/policy/modules/services/sssd.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.12/policy/modules/services/sssd.te
|
||||||
--- nsaserefpolicy/policy/modules/services/sssd.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/sssd.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.6.12/policy/modules/services/sssd.te 2009-04-28 15:43:36.000000000 -0400
|
+++ serefpolicy-3.6.12/policy/modules/services/sssd.te 2009-04-29 10:01:55.000000000 -0400
|
||||||
@@ -0,0 +1,72 @@
|
@@ -0,0 +1,74 @@
|
||||||
+policy_module(sssd,1.0.0)
|
+policy_module(sssd,1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -23150,6 +23245,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+auth_domtrans_chk_passwd(sssd_t)
|
+auth_domtrans_chk_passwd(sssd_t)
|
||||||
+auth_domtrans_upd_passwd(sssd_t)
|
+auth_domtrans_upd_passwd(sssd_t)
|
||||||
+
|
+
|
||||||
|
+init_read_utmp(sssd_t)
|
||||||
|
+
|
||||||
+logging_send_syslog_msg(sssd_t)
|
+logging_send_syslog_msg(sssd_t)
|
||||||
+logging_send_audit_msgs(sssd_t)
|
+logging_send_audit_msgs(sssd_t)
|
||||||
+
|
+
|
||||||
@ -25930,8 +26027,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
#
|
#
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.12/policy/modules/system/init.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.12/policy/modules/system/init.if
|
||||||
--- nsaserefpolicy/policy/modules/system/init.if 2009-01-05 15:39:43.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/init.if 2009-01-05 15:39:43.000000000 -0500
|
||||||
+++ serefpolicy-3.6.12/policy/modules/system/init.if 2009-04-23 09:44:57.000000000 -0400
|
+++ serefpolicy-3.6.12/policy/modules/system/init.if 2009-04-29 14:42:44.000000000 -0400
|
||||||
@@ -280,6 +280,36 @@
|
@@ -174,6 +174,7 @@
|
||||||
|
role system_r types $1;
|
||||||
|
|
||||||
|
domtrans_pattern(initrc_t,$2,$1)
|
||||||
|
+ allow initrc_t $1:process siginh;
|
||||||
|
|
||||||
|
# daemons started from init will
|
||||||
|
# inherit fds from init for the console
|
||||||
|
@@ -272,6 +273,7 @@
|
||||||
|
role system_r types $1;
|
||||||
|
|
||||||
|
domtrans_pattern(initrc_t,$2,$1)
|
||||||
|
+ allow initrc_t $1:process siginh;
|
||||||
|
|
||||||
|
ifdef(`hide_broken_symptoms',`
|
||||||
|
# RHEL4 systems seem to have a stray
|
||||||
|
@@ -280,6 +282,36 @@
|
||||||
kernel_dontaudit_use_fds($1)
|
kernel_dontaudit_use_fds($1)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
@ -25968,7 +26081,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -546,7 +576,7 @@
|
@@ -546,7 +578,7 @@
|
||||||
|
|
||||||
# upstart uses a datagram socket instead of initctl pipe
|
# upstart uses a datagram socket instead of initctl pipe
|
||||||
allow $1 self:unix_dgram_socket create_socket_perms;
|
allow $1 self:unix_dgram_socket create_socket_perms;
|
||||||
@ -25977,7 +26090,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -619,18 +649,19 @@
|
@@ -619,18 +651,19 @@
|
||||||
#
|
#
|
||||||
interface(`init_spec_domtrans_script',`
|
interface(`init_spec_domtrans_script',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -26001,7 +26114,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -646,23 +677,43 @@
|
@@ -646,19 +679,39 @@
|
||||||
#
|
#
|
||||||
interface(`init_domtrans_script',`
|
interface(`init_domtrans_script',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -26022,11 +26135,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
ifdef(`enable_mls',`
|
ifdef(`enable_mls',`
|
||||||
- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
|
- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
|
||||||
+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
|
+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
|
||||||
')
|
+ ')
|
||||||
')
|
+')
|
||||||
|
+
|
||||||
########################################
|
+########################################
|
||||||
## <summary>
|
+## <summary>
|
||||||
+## Execute a file in a bin directory
|
+## Execute a file in a bin directory
|
||||||
+## in the initrc_t domain
|
+## in the initrc_t domain
|
||||||
+## </summary>
|
+## </summary>
|
||||||
@ -26039,17 +26152,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+interface(`init_bin_domtrans_spec',`
|
+interface(`init_bin_domtrans_spec',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ type initrc_t;
|
+ type initrc_t;
|
||||||
+ ')
|
')
|
||||||
+
|
+
|
||||||
+ corecmd_bin_domtrans($1, initrc_t)
|
+ corecmd_bin_domtrans($1, initrc_t)
|
||||||
+')
|
')
|
||||||
+
|
|
||||||
+########################################
|
########################################
|
||||||
+## <summary>
|
@@ -1291,6 +1344,25 @@
|
||||||
## Execute a init script in a specified domain.
|
|
||||||
## </summary>
|
|
||||||
## <desc>
|
|
||||||
@@ -1291,6 +1342,25 @@
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -26075,7 +26184,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Create files in a init script
|
## Create files in a init script
|
||||||
## temporary data directory.
|
## temporary data directory.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -1521,3 +1591,51 @@
|
@@ -1521,3 +1593,51 @@
|
||||||
')
|
')
|
||||||
corenet_udp_recvfrom_labeled($1, daemon)
|
corenet_udp_recvfrom_labeled($1, daemon)
|
||||||
')
|
')
|
||||||
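Review bot: `ssh_rw_pipes(domain)` in the domain.te hunk is an unconditional allow for every type carrying the `domain` attribute, and the interface it calls, added in the ssh.if hunk, expands to `allow $1 sshd_t:fifo_file { write read getattr ioctl };`, so the new block grants policy-wide write access to sshd's unnamed pipes rather than following the dontaudit pattern of the adjacent `unconfined_dontaudit_rw_pipes(domain)` block. Nothing in the hunk records why every domain needs the write bit; presumably it covers processes started under a non-pty ssh session that inherit sshd's stdio pipes, but that is an inference from the interface name. A comment above the block would make the scope deliberate, e.g. `# any domain may be started under sshd and inherit its stdio pipes; rw is needed on the inherited fds`, and if the intent is only to quiet denials a dontaudit variant of the interface would be the narrower choice.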
|
@ -20,7 +20,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.6.12
|
Version: 3.6.12
|
||||||
Release: 24%{?dist}
|
Release: 25%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -480,6 +480,9 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Apr 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-25
|
||||||
|
- Additional rules for fprintd and sssd
|
||||||
|
|
||||||
* Tue Apr 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-24
|
* Tue Apr 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-24
|
||||||
- Allow nsplugin to unix_read unix_write sem for unconfined_java
|
- Allow nsplugin to unix_read unix_write sem for unconfined_java
|
||||||
|
|
||||||
|