- Allow xserver to search devpts_t
- Dontaudit ldconfig output to homedir
parent
7ff410d3bc
commit
21c534bcb9
|
@ -302,8 +302,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref
|
||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc serefpolicy-3.0.8/policy/modules/admin/alsa.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc serefpolicy-3.0.8/policy/modules/admin/alsa.fc
|
||||||
--- nsaserefpolicy/policy/modules/admin/alsa.fc 2007-05-29 14:10:59.000000000 -0400
|
--- nsaserefpolicy/policy/modules/admin/alsa.fc 2007-05-29 14:10:59.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/admin/alsa.fc 2007-09-17 16:20:18.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/admin/alsa.fc 2007-09-19 10:53:23.000000000 -0400
|
||||||
@@ -1,4 +1,7 @@
|
@@ -1,4 +1,8 @@
|
||||||
|
|
||||||
/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
|
/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
|
||||||
+/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
|
+/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
|
||||||
|
@ -311,10 +311,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc
|
||||||
|
|
||||||
/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
|
/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
|
||||||
+/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
|
+/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
|
||||||
|
+/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.0.8/policy/modules/admin/alsa.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.0.8/policy/modules/admin/alsa.te
|
||||||
--- nsaserefpolicy/policy/modules/admin/alsa.te 2007-07-25 10:37:43.000000000 -0400
|
--- nsaserefpolicy/policy/modules/admin/alsa.te 2007-07-25 10:37:43.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/admin/alsa.te 2007-09-17 16:20:18.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/admin/alsa.te 2007-09-19 10:54:14.000000000 -0400
|
||||||
@@ -19,20 +19,24 @@
|
@@ -14,25 +14,35 @@
|
||||||
|
type alsa_etc_rw_t;
|
||||||
|
files_type(alsa_etc_rw_t)
|
||||||
|
|
||||||
|
+type alsa_var_lib_t;
|
||||||
|
+files_type(alsa_var_lib_t)
|
||||||
|
+
|
||||||
|
########################################
|
||||||
|
#
|
||||||
# Local policy
|
# Local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
|
@ -333,6 +342,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te
|
||||||
manage_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
|
manage_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
|
||||||
manage_lnk_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
|
manage_lnk_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
|
||||||
|
|
||||||
|
+manage_dirs_pattern(alsa_t,alsa_var_lib_t,alsa_var_lib_t)
|
||||||
|
+manage_files_pattern(alsa_t,alsa_var_lib_t,alsa_var_lib_t)
|
||||||
|
+
|
||||||
+files_search_home(alsa_t)
|
+files_search_home(alsa_t)
|
||||||
files_read_etc_files(alsa_t)
|
files_read_etc_files(alsa_t)
|
||||||
|
|
||||||
|
@ -342,7 +354,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te
|
||||||
|
|
||||||
libs_use_ld_so(alsa_t)
|
libs_use_ld_so(alsa_t)
|
||||||
libs_use_shared_libs(alsa_t)
|
libs_use_shared_libs(alsa_t)
|
||||||
@@ -43,7 +47,13 @@
|
@@ -43,7 +53,13 @@
|
||||||
|
|
||||||
userdom_manage_unpriv_user_semaphores(alsa_t)
|
userdom_manage_unpriv_user_semaphores(alsa_t)
|
||||||
userdom_manage_unpriv_user_shared_mem(alsa_t)
|
userdom_manage_unpriv_user_shared_mem(alsa_t)
|
||||||
|
@ -5978,8 +5990,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
||||||
/var/run/vbestate -- gen_context(system_u:object_r:hald_var_run_t,s0)
|
/var/run/vbestate -- gen_context(system_u:object_r:hald_var_run_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.0.8/policy/modules/services/hal.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.0.8/policy/modules/services/hal.te
|
||||||
--- nsaserefpolicy/policy/modules/services/hal.te 2007-09-12 10:34:50.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/hal.te 2007-09-12 10:34:50.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/services/hal.te 2007-09-17 16:20:18.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/services/hal.te 2007-09-19 13:28:57.000000000 -0400
|
||||||
@@ -293,6 +293,7 @@
|
@@ -155,6 +155,8 @@
|
||||||
|
selinux_compute_relabel_context(hald_t)
|
||||||
|
selinux_compute_user_contexts(hald_t)
|
||||||
|
|
||||||
|
+dev_read_raw_memory(hald_t)
|
||||||
|
+
|
||||||
|
storage_raw_read_removable_device(hald_t)
|
||||||
|
storage_raw_write_removable_device(hald_t)
|
||||||
|
storage_raw_read_fixed_disk(hald_t)
|
||||||
|
@@ -293,6 +295,7 @@
|
||||||
#
|
#
|
||||||
|
|
||||||
allow hald_acl_t self:capability { dac_override fowner };
|
allow hald_acl_t self:capability { dac_override fowner };
|
||||||
|
@ -9321,7 +9342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||||
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-07-03 07:06:27.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-07-03 07:06:27.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-09-17 16:20:18.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-09-19 11:59:57.000000000 -0400
|
||||||
@@ -126,6 +126,8 @@
|
@@ -126,6 +126,8 @@
|
||||||
# read events - the synaptics touchpad driver reads raw events
|
# read events - the synaptics touchpad driver reads raw events
|
||||||
dev_rw_input_dev($1_xserver_t)
|
dev_rw_input_dev($1_xserver_t)
|
||||||
|
@ -9331,7 +9352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||||
|
|
||||||
domain_mmap_low($1_xserver_t)
|
domain_mmap_low($1_xserver_t)
|
||||||
|
|
||||||
@@ -141,7 +143,7 @@
|
@@ -141,10 +143,11 @@
|
||||||
fs_getattr_xattr_fs($1_xserver_t)
|
fs_getattr_xattr_fs($1_xserver_t)
|
||||||
fs_search_nfs($1_xserver_t)
|
fs_search_nfs($1_xserver_t)
|
||||||
fs_search_auto_mountpoints($1_xserver_t)
|
fs_search_auto_mountpoints($1_xserver_t)
|
||||||
|
@ -9340,7 +9361,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||||
|
|
||||||
init_getpgid($1_xserver_t)
|
init_getpgid($1_xserver_t)
|
||||||
|
|
||||||
@@ -353,12 +355,6 @@
|
+ term_search_ptys($1_xserver_t)
|
||||||
|
term_setattr_unallocated_ttys($1_xserver_t)
|
||||||
|
term_use_unallocated_ttys($1_xserver_t)
|
||||||
|
|
||||||
|
@@ -353,12 +356,6 @@
|
||||||
# allow ps to show xauth
|
# allow ps to show xauth
|
||||||
ps_process_pattern($2,$1_xauth_t)
|
ps_process_pattern($2,$1_xauth_t)
|
||||||
|
|
||||||
|
@ -9353,7 +9378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||||
domain_use_interactive_fds($1_xauth_t)
|
domain_use_interactive_fds($1_xauth_t)
|
||||||
|
|
||||||
files_read_etc_files($1_xauth_t)
|
files_read_etc_files($1_xauth_t)
|
||||||
@@ -387,6 +383,14 @@
|
@@ -387,6 +384,14 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -9368,7 +9393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||||
nis_use_ypbind($1_xauth_t)
|
nis_use_ypbind($1_xauth_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -537,16 +541,14 @@
|
@@ -537,16 +542,14 @@
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type xdm_t, xdm_tmp_t;
|
type xdm_t, xdm_tmp_t;
|
||||||
|
@ -9387,7 +9412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||||
|
|
||||||
# for when /tmp/.X11-unix is created by the system
|
# for when /tmp/.X11-unix is created by the system
|
||||||
allow $2 xdm_t:fd use;
|
allow $2 xdm_t:fd use;
|
||||||
@@ -555,25 +557,46 @@
|
@@ -555,25 +558,46 @@
|
||||||
allow $2 xdm_tmp_t:sock_file { read write };
|
allow $2 xdm_tmp_t:sock_file { read write };
|
||||||
dontaudit $2 xdm_t:tcp_socket { read write };
|
dontaudit $2 xdm_t:tcp_socket { read write };
|
||||||
|
|
||||||
|
@ -9443,7 +9468,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -626,6 +649,24 @@
|
@@ -626,6 +650,24 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -9468,7 +9493,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||||
## Transition to a user Xauthority domain.
|
## Transition to a user Xauthority domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <desc>
|
## <desc>
|
||||||
@@ -659,6 +700,73 @@
|
@@ -659,6 +701,73 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -9542,7 +9567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||||
## Transition to a user Xauthority domain.
|
## Transition to a user Xauthority domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <desc>
|
## <desc>
|
||||||
@@ -987,6 +1095,37 @@
|
@@ -987,6 +1096,37 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -9580,7 +9605,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||||
## Make an X session script an entrypoint for the specified domain.
|
## Make an X session script an entrypoint for the specified domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -1136,7 +1275,7 @@
|
@@ -1136,7 +1276,7 @@
|
||||||
type xdm_xserver_tmp_t;
|
type xdm_xserver_tmp_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -9589,7 +9614,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1325,3 +1464,62 @@
|
@@ -1325,3 +1465,62 @@
|
||||||
files_search_tmp($1)
|
files_search_tmp($1)
|
||||||
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
|
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
|
||||||
')
|
')
|
||||||
|
@ -9654,7 +9679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-08-22 07:14:07.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-08-22 07:14:07.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-09-17 16:20:18.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-09-19 11:59:42.000000000 -0400
|
||||||
@@ -16,6 +16,13 @@
|
@@ -16,6 +16,13 @@
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
|
@ -10927,7 +10952,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
|
||||||
+/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
+/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.0.8/policy/modules/system/libraries.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.0.8/policy/modules/system/libraries.te
|
||||||
--- nsaserefpolicy/policy/modules/system/libraries.te 2007-08-02 08:17:28.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/libraries.te 2007-08-02 08:17:28.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/system/libraries.te 2007-09-17 16:20:18.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/system/libraries.te 2007-09-19 13:33:20.000000000 -0400
|
||||||
@@ -23,6 +23,9 @@
|
@@ -23,6 +23,9 @@
|
||||||
init_system_domain(ldconfig_t,ldconfig_exec_t)
|
init_system_domain(ldconfig_t,ldconfig_exec_t)
|
||||||
role system_r types ldconfig_t;
|
role system_r types ldconfig_t;
|
||||||
|
@ -10964,7 +10989,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
|
||||||
files_search_var_lib(ldconfig_t)
|
files_search_var_lib(ldconfig_t)
|
||||||
files_read_etc_files(ldconfig_t)
|
files_read_etc_files(ldconfig_t)
|
||||||
files_search_tmp(ldconfig_t)
|
files_search_tmp(ldconfig_t)
|
||||||
@@ -96,4 +104,11 @@
|
@@ -79,6 +87,7 @@
|
||||||
|
logging_send_syslog_msg(ldconfig_t)
|
||||||
|
|
||||||
|
userdom_use_all_users_fds(ldconfig_t)
|
||||||
|
+userdom_dontaudit_write_unpriv_user_home_content_files(ldconfig_t)
|
||||||
|
|
||||||
|
ifdef(`hide_broken_symptoms',`
|
||||||
|
optional_policy(`
|
||||||
|
@@ -96,4 +105,11 @@
|
||||||
# and executes ldconfig on it. If you dont allow this kernel installs
|
# and executes ldconfig on it. If you dont allow this kernel installs
|
||||||
# blow up.
|
# blow up.
|
||||||
rpm_manage_script_tmp_files(ldconfig_t)
|
rpm_manage_script_tmp_files(ldconfig_t)
|
||||||
|
@ -12959,7 +12992,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||||
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
|
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
|
||||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-17 16:20:18.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-19 13:32:51.000000000 -0400
|
||||||
@@ -45,7 +45,7 @@
|
@@ -45,7 +45,7 @@
|
||||||
type $1_tty_device_t;
|
type $1_tty_device_t;
|
||||||
term_user_tty($1_t,$1_tty_device_t)
|
term_user_tty($1_t,$1_tty_device_t)
|
||||||
|
@ -13699,12 +13732,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||||
')
|
')
|
||||||
|
|
||||||
files_tmp_filetrans($2,$1_tmp_t,$3)
|
files_tmp_filetrans($2,$1_tmp_t,$3)
|
||||||
@@ -4599,7 +4718,25 @@
|
@@ -4615,6 +4734,24 @@
|
||||||
|
files_list_home($1)
|
||||||
########################################
|
allow $1 home_dir_type:dir search_dir_perms;
|
||||||
## <summary>
|
')
|
||||||
-## Search all users home directories.
|
+########################################
|
||||||
+## Search all users home directories.
|
+## <summary>
|
||||||
|
+## Read all users home directories symlinks.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
+## <summary>
|
+## <summary>
|
||||||
|
@ -13712,36 +13746,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## </param>
|
+## </param>
|
||||||
+#
|
+#
|
||||||
+interface(`userdom_search_all_users_home_dirs',`
|
+interface(`userdom_read_all_users_home_dirs_symlinks',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ attribute home_dir_type;
|
+ attribute home_dir_type;
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ files_list_home($1)
|
+ files_list_home($1)
|
||||||
+ allow $1 home_dir_type:dir search_dir_perms;
|
|
||||||
+')
|
|
||||||
+########################################
|
|
||||||
+## <summary>
|
|
||||||
+## Read all users home directories symlinks.
|
|
||||||
## </summary>
|
|
||||||
## <param name="domain">
|
|
||||||
## <summary>
|
|
||||||
@@ -4607,13 +4744,13 @@
|
|
||||||
## </summary>
|
|
||||||
## </param>
|
|
||||||
#
|
|
||||||
-interface(`userdom_search_all_users_home_dirs',`
|
|
||||||
+interface(`userdom_read_all_users_home_dirs_symlinks',`
|
|
||||||
gen_require(`
|
|
||||||
attribute home_dir_type;
|
|
||||||
')
|
|
||||||
|
|
||||||
files_list_home($1)
|
|
||||||
- allow $1 home_dir_type:dir search_dir_perms;
|
|
||||||
+ allow $1 home_dir_type:lnk_file read_lnk_file_perms;
|
+ allow $1 home_dir_type:lnk_file read_lnk_file_perms;
|
||||||
')
|
+')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
## <summary>
|
||||||
@@ -4633,6 +4770,14 @@
|
@@ -4633,6 +4770,14 @@
|
||||||
|
|
||||||
files_list_home($1)
|
files_list_home($1)
|
||||||
|
@ -13766,7 +13781,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -5559,3 +5704,318 @@
|
@@ -5559,3 +5704,336 @@
|
||||||
interface(`userdom_unconfined',`
|
interface(`userdom_unconfined',`
|
||||||
refpolicywarn(`$0($*) has been deprecated.')
|
refpolicywarn(`$0($*) has been deprecated.')
|
||||||
')
|
')
|
||||||
|
@ -14067,6 +14082,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||||
+ allow $1 user_home_type:file execute;
|
+ allow $1 user_home_type:file execute;
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## dontaudit attempts to write to user home dir files
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`userdom_dontaudit_write_unpriv_user_home_content_files',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ attribute user_home_type;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 user_home_type:file write;
|
||||||
|
+')
|
||||||
|
+
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
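Review bot: The new interface `userdom_dontaudit_write_unpriv_user_home_content_files` is documented as a dontaudit, but its body is `allow $1 user_home_type:file write;`. The call added for `ldconfig_t` in libraries.te therefore grants that domain write permission on every file type carrying the `user_home_type` attribute instead of silencing the denial. The rule should read `dontaudit $1 user_home_type:file write;`, which matches the interface name and the changelog entry "Dontaudit ldconfig output to homedir". The parameter text should follow the dontaudit convention as well, for example `## Domain to not audit.` in place of `## Domain allowed access.`. The interface is fully visible in this hunk; only the `## <summary>` block that follows it is cut off.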
|
||||||
|
|
|
@ -17,7 +17,7 @@
|
||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.0.8
|
Version: 3.0.8
|
||||||
Release: 2%{?dist}
|
Release: 3%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
|
@ -362,6 +362,10 @@ exit 0
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Sep 19 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-3
|
||||||
|
- Allow xserver to search devpts_t
|
||||||
|
- Dontaudit ldconfig output to homedir
|
||||||
|
|
||||||
* Tue Sep 18 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-2
|
* Tue Sep 18 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-2
|
||||||
- Remove hplip_etc_t change back to etc_t.
|
- Remove hplip_etc_t change back to etc_t.
|
||||||
|
|
||||||
|
|