- Fix label on /var/lib/dokwiki
- Change permissive domains to enforcing - Fix libvirt policy to allow it to run on mls
This commit is contained in:
Daniel J Walsh
parent
b923c95cd1
commit
23337281e4
100
policy-F14.patch
100
policy-F14.patch
|
|
@ -1,3 +1,25 @@
|
|||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Changelog serefpolicy-3.8.1/Changelog
|
||||
--- nsaserefpolicy/Changelog 2010-05-27 12:03:30.000000000 -0400
|
||||
+++ serefpolicy-3.8.1/Changelog 2010-05-26 15:48:20.000000000 -0400
|
||||
@@ -13,18 +13,14 @@
|
||||
- SE-Postgresql updates from KaiGai Kohei.
|
||||
- X object manager revisions from Eamon Walsh.
|
||||
- Added modules:
|
||||
- aisexec (Dan Walsh)
|
||||
chronyd (Miroslav Grepl)
|
||||
cobbler (Dominick Grift)
|
||||
- corosync (Dan Walsh)
|
||||
dbadm (KaiGai Kohei)
|
||||
denyhosts (Dan Walsh)
|
||||
nut (Stefan Schulze Frielinghaus, Miroslav Grepl)
|
||||
likewise (Scott Salley)
|
||||
plymouthd (Dan Walsh)
|
||||
pyicqt (Stefan Schulze Frielinghaus)
|
||||
- rhcs (Dan Walsh)
|
||||
- rgmanager (Dan Walsh)
|
||||
sectoolm (Miroslav Grepl)
|
||||
usbmuxd (Dan Walsh)
|
||||
vhostmd (Dan Walsh)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.8.1/Makefile
|
||||
--- nsaserefpolicy/Makefile 2009-08-18 11:41:14.000000000 -0400
|
||||
+++ serefpolicy-3.8.1/Makefile 2010-05-26 16:28:29.000000000 -0400
|
||||
|
|
@ -404,6 +426,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
|
|||
userdom_user_home_dir_filetrans(kismet_t, kismet_home_t, { file dir })
|
||||
|
||||
manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-3.8.1/policy/modules/admin/kudzu.te
|
||||
--- nsaserefpolicy/policy/modules/admin/kudzu.te 2010-05-27 12:03:30.000000000 -0400
|
||||
+++ serefpolicy-3.8.1/policy/modules/admin/kudzu.te 2010-05-26 15:48:20.000000000 -0400
|
||||
@@ -65,6 +65,11 @@
|
||||
mls_file_read_all_levels(kudzu_t)
|
||||
mls_file_write_all_levels(kudzu_t)
|
||||
|
||||
+modutils_read_module_deps(kudzu_t)
|
||||
+modutils_read_module_config(kudzu_t)
|
||||
+modutils_rename_module_config(kudzu_t)
|
||||
+modutils_delete_module_config(kudzu_t)
|
||||
+
|
||||
storage_read_scsi_generic(kudzu_t)
|
||||
storage_read_tape(kudzu_t)
|
||||
storage_raw_write_fixed_disk(kudzu_t)
|
||||
@@ -113,9 +118,6 @@
|
||||
miscfiles_read_localization(kudzu_t)
|
||||
|
||||
modutils_read_module_config(kudzu_t)
|
||||
-modutils_read_module_deps(kudzu_t)
|
||||
-modutils_rename_module_config(kudzu_t)
|
||||
-modutils_delete_module_config(kudzu_t)
|
||||
modutils_domtrans_insmod(kudzu_t)
|
||||
|
||||
sysnet_read_config(kudzu_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.8.1/policy/modules/admin/logrotate.te
|
||||
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2010-05-25 16:28:22.000000000 -0400
|
||||
+++ serefpolicy-3.8.1/policy/modules/admin/logrotate.te 2010-05-26 16:28:29.000000000 -0400
|
||||
|
|
@ -9302,7 +9349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
|
|||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.8.1/policy/modules/roles/sysadm.te
|
||||
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-02-17 10:37:39.000000000 -0500
|
||||
+++ serefpolicy-3.8.1/policy/modules/roles/sysadm.te 2010-05-26 16:28:29.000000000 -0400
|
||||
+++ serefpolicy-3.8.1/policy/modules/roles/sysadm.te 2010-05-27 15:58:50.000000000 -0400
|
||||
@@ -28,17 +28,29 @@
|
||||
|
||||
corecmd_exec_shell(sysadm_t)
|
||||
|
|
@ -10333,8 +10380,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
|
|||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.8.1/policy/modules/roles/unconfineduser.te
|
||||
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.8.1/policy/modules/roles/unconfineduser.te 2010-05-26 16:28:29.000000000 -0400
|
||||
@@ -0,0 +1,435 @@
|
||||
+++ serefpolicy-3.8.1/policy/modules/roles/unconfineduser.te 2010-05-27 16:00:32.000000000 -0400
|
||||
@@ -0,0 +1,439 @@
|
||||
+policy_module(unconfineduser, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
|
|
@ -10476,6 +10523,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
|
|||
+ ')
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ certmonger_dbus_chat(unconfined_usertype)
|
||||
+ ')
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ devicekit_dbus_chat(unconfined_usertype)
|
||||
+ devicekit_dbus_chat_disk(unconfined_usertype)
|
||||
+ devicekit_dbus_chat_power(unconfined_usertype)
|
||||
|
|
@ -13076,6 +13127,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.
|
|||
+optional_policy(`
|
||||
unconfined_use_fds(ccs_t)
|
||||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.8.1/policy/modules/services/certmonger.te
|
||||
--- nsaserefpolicy/policy/modules/services/certmonger.te 2010-05-25 16:28:22.000000000 -0400
|
||||
+++ serefpolicy-3.8.1/policy/modules/services/certmonger.te 2010-05-27 15:59:41.000000000 -0400
|
||||
@@ -69,5 +69,5 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- unconfined_dbus_send(certmonger_t)
|
||||
+ pcscd_stream_connect(certmonger_t)
|
||||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.fc serefpolicy-3.8.1/policy/modules/services/cgroup.fc
|
||||
--- nsaserefpolicy/policy/modules/services/cgroup.fc 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.8.1/policy/modules/services/cgroup.fc 2010-05-26 16:28:29.000000000 -0400
|
||||
|
|
@ -15773,6 +15834,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
|||
########################################
|
||||
#
|
||||
# Local hald dccm policy
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddtemp.te serefpolicy-3.8.1/policy/modules/services/hddtemp.te
|
||||
--- nsaserefpolicy/policy/modules/services/hddtemp.te 2009-09-09 09:23:16.000000000 -0400
|
||||
+++ serefpolicy-3.8.1/policy/modules/services/hddtemp.te 2010-05-27 14:54:40.000000000 -0400
|
||||
@@ -27,6 +27,7 @@
|
||||
corenet_tcp_bind_all_nodes(hddtemp_t)
|
||||
corenet_tcp_bind_hddtemp_port(hddtemp_t)
|
||||
|
||||
+files_read_etc_files(hddtemp_t)
|
||||
# read hddtemp db file
|
||||
files_read_usr_files(hddtemp_t)
|
||||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.8.1/policy/modules/services/inn.te
|
||||
--- nsaserefpolicy/policy/modules/services/inn.te 2009-08-14 16:14:31.000000000 -0400
|
||||
+++ serefpolicy-3.8.1/policy/modules/services/inn.te 2010-05-26 16:28:29.000000000 -0400
|
||||
|
|
@ -18921,8 +18993,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
|
|||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.8.1/policy/modules/services/rgmanager.te
|
||||
--- nsaserefpolicy/policy/modules/services/rgmanager.te 2010-05-25 16:28:22.000000000 -0400
|
||||
+++ serefpolicy-3.8.1/policy/modules/services/rgmanager.te 2010-05-26 16:28:29.000000000 -0400
|
||||
@@ -60,7 +60,9 @@
|
||||
+++ serefpolicy-3.8.1/policy/modules/services/rgmanager.te 2010-05-27 15:25:30.000000000 -0400
|
||||
@@ -18,6 +18,9 @@
|
||||
domain_type(rgmanager_t)
|
||||
init_daemon_domain(rgmanager_t, rgmanager_exec_t)
|
||||
|
||||
+type rgmanager_initrc_exec_t;
|
||||
+init_script_file(rgmanager_initrc_exec_t)
|
||||
+
|
||||
type rgmanager_tmp_t;
|
||||
files_tmp_file(rgmanager_tmp_t)
|
||||
|
||||
@@ -60,7 +63,9 @@
|
||||
manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
|
||||
files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file })
|
||||
|
||||
|
|
@ -18932,7 +19014,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
|
|||
kernel_read_system_state(rgmanager_t)
|
||||
kernel_rw_rpc_sysctls(rgmanager_t)
|
||||
kernel_search_debugfs(rgmanager_t)
|
||||
@@ -79,14 +81,19 @@
|
||||
@@ -79,14 +84,19 @@
|
||||
domain_getattr_all_domains(rgmanager_t)
|
||||
domain_dontaudit_ptrace_all_domains(rgmanager_t)
|
||||
|
||||
|
|
@ -18953,7 +19035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
|
|||
storage_getattr_fixed_disk_dev(rgmanager_t)
|
||||
|
||||
term_getattr_pty_fs(rgmanager_t)
|
||||
@@ -141,6 +148,11 @@
|
||||
@@ -141,6 +151,11 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -21416,7 +21498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.8.1/policy/modules/services/xserver.if
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.if 2010-02-12 10:33:09.000000000 -0500
|
||||
+++ serefpolicy-3.8.1/policy/modules/services/xserver.if 2010-05-26 16:28:29.000000000 -0400
|
||||
+++ serefpolicy-3.8.1/policy/modules/services/xserver.if 2010-05-27 15:12:11.000000000 -0400
|
||||
@@ -19,9 +19,10 @@
|
||||
interface(`xserver_restricted_role',`
|
||||
gen_require(`
|
||||
|
|
@ -21545,7 +21627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
# dont audit send failures
|
||||
dontaudit $2 input_xevent_type:x_event send;
|
||||
+
|
||||
+ allow $2 xdm_t:x_drawable { read add_child };
|
||||
+ allow $2 xdm_t:x_drawable { hide read add_child manage };
|
||||
+ allow $2 xdm_t:x_client destroy;
|
||||
+
|
||||
+ allow $2 root_xdrawable_t:x_drawable write;
|
||||
|
|
|
|||
Loading…
Reference in New Issue