- Fix label on /var/lib/dokwiki
- Change permissive domains to enforcing - Fix libvirt policy to allow it to run on mls
parent
b923c95cd1
commit
23337281e4
100
policy-F14.patch
100
policy-F14.patch
@ -1,3 +1,25 @@
|
|||||||
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Changelog serefpolicy-3.8.1/Changelog
|
||||||
|
--- nsaserefpolicy/Changelog 2010-05-27 12:03:30.000000000 -0400
|
||||||
|
+++ serefpolicy-3.8.1/Changelog 2010-05-26 15:48:20.000000000 -0400
|
||||||
|
@@ -13,18 +13,14 @@
|
||||||
|
- SE-Postgresql updates from KaiGai Kohei.
|
||||||
|
- X object manager revisions from Eamon Walsh.
|
||||||
|
- Added modules:
|
||||||
|
- aisexec (Dan Walsh)
|
||||||
|
chronyd (Miroslav Grepl)
|
||||||
|
cobbler (Dominick Grift)
|
||||||
|
- corosync (Dan Walsh)
|
||||||
|
dbadm (KaiGai Kohei)
|
||||||
|
denyhosts (Dan Walsh)
|
||||||
|
nut (Stefan Schulze Frielinghaus, Miroslav Grepl)
|
||||||
|
likewise (Scott Salley)
|
||||||
|
plymouthd (Dan Walsh)
|
||||||
|
pyicqt (Stefan Schulze Frielinghaus)
|
||||||
|
- rhcs (Dan Walsh)
|
||||||
|
- rgmanager (Dan Walsh)
|
||||||
|
sectoolm (Miroslav Grepl)
|
||||||
|
usbmuxd (Dan Walsh)
|
||||||
|
vhostmd (Dan Walsh)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.8.1/Makefile
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.8.1/Makefile
|
||||||
--- nsaserefpolicy/Makefile 2009-08-18 11:41:14.000000000 -0400
|
--- nsaserefpolicy/Makefile 2009-08-18 11:41:14.000000000 -0400
|
||||||
+++ serefpolicy-3.8.1/Makefile 2010-05-26 16:28:29.000000000 -0400
|
+++ serefpolicy-3.8.1/Makefile 2010-05-26 16:28:29.000000000 -0400
|
||||||
@ -404,6 +426,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
|
|||||||
userdom_user_home_dir_filetrans(kismet_t, kismet_home_t, { file dir })
|
userdom_user_home_dir_filetrans(kismet_t, kismet_home_t, { file dir })
|
||||||
|
|
||||||
manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
|
manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
|
||||||
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-3.8.1/policy/modules/admin/kudzu.te
|
||||||
|
--- nsaserefpolicy/policy/modules/admin/kudzu.te 2010-05-27 12:03:30.000000000 -0400
|
||||||
|
+++ serefpolicy-3.8.1/policy/modules/admin/kudzu.te 2010-05-26 15:48:20.000000000 -0400
|
||||||
|
@@ -65,6 +65,11 @@
|
||||||
|
mls_file_read_all_levels(kudzu_t)
|
||||||
|
mls_file_write_all_levels(kudzu_t)
|
||||||
|
|
||||||
|
+modutils_read_module_deps(kudzu_t)
|
||||||
|
+modutils_read_module_config(kudzu_t)
|
||||||
|
+modutils_rename_module_config(kudzu_t)
|
||||||
|
+modutils_delete_module_config(kudzu_t)
|
||||||
|
+
|
||||||
|
storage_read_scsi_generic(kudzu_t)
|
||||||
|
storage_read_tape(kudzu_t)
|
||||||
|
storage_raw_write_fixed_disk(kudzu_t)
|
||||||
|
@@ -113,9 +118,6 @@
|
||||||
|
miscfiles_read_localization(kudzu_t)
|
||||||
|
|
||||||
|
modutils_read_module_config(kudzu_t)
|
||||||
|
-modutils_read_module_deps(kudzu_t)
|
||||||
|
-modutils_rename_module_config(kudzu_t)
|
||||||
|
-modutils_delete_module_config(kudzu_t)
|
||||||
|
modutils_domtrans_insmod(kudzu_t)
|
||||||
|
|
||||||
|
sysnet_read_config(kudzu_t)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.8.1/policy/modules/admin/logrotate.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.8.1/policy/modules/admin/logrotate.te
|
||||||
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2010-05-25 16:28:22.000000000 -0400
|
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2010-05-25 16:28:22.000000000 -0400
|
||||||
+++ serefpolicy-3.8.1/policy/modules/admin/logrotate.te 2010-05-26 16:28:29.000000000 -0400
|
+++ serefpolicy-3.8.1/policy/modules/admin/logrotate.te 2010-05-26 16:28:29.000000000 -0400
|
||||||
@ -9302,7 +9349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.8.1/policy/modules/roles/sysadm.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.8.1/policy/modules/roles/sysadm.te
|
||||||
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-02-17 10:37:39.000000000 -0500
|
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-02-17 10:37:39.000000000 -0500
|
||||||
+++ serefpolicy-3.8.1/policy/modules/roles/sysadm.te 2010-05-26 16:28:29.000000000 -0400
|
+++ serefpolicy-3.8.1/policy/modules/roles/sysadm.te 2010-05-27 15:58:50.000000000 -0400
|
||||||
@@ -28,17 +28,29 @@
|
@@ -28,17 +28,29 @@
|
||||||
|
|
||||||
corecmd_exec_shell(sysadm_t)
|
corecmd_exec_shell(sysadm_t)
|
||||||
@ -10333,8 +10380,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.8.1/policy/modules/roles/unconfineduser.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.8.1/policy/modules/roles/unconfineduser.te
|
||||||
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.8.1/policy/modules/roles/unconfineduser.te 2010-05-26 16:28:29.000000000 -0400
|
+++ serefpolicy-3.8.1/policy/modules/roles/unconfineduser.te 2010-05-27 16:00:32.000000000 -0400
|
||||||
@@ -0,0 +1,435 @@
|
@@ -0,0 +1,439 @@
|
||||||
+policy_module(unconfineduser, 1.0.0)
|
+policy_module(unconfineduser, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -10476,6 +10523,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
|
|||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
|
+ certmonger_dbus_chat(unconfined_usertype)
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ optional_policy(`
|
||||||
+ devicekit_dbus_chat(unconfined_usertype)
|
+ devicekit_dbus_chat(unconfined_usertype)
|
||||||
+ devicekit_dbus_chat_disk(unconfined_usertype)
|
+ devicekit_dbus_chat_disk(unconfined_usertype)
|
||||||
+ devicekit_dbus_chat_power(unconfined_usertype)
|
+ devicekit_dbus_chat_power(unconfined_usertype)
|
||||||
@ -13076,6 +13127,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.
|
|||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
unconfined_use_fds(ccs_t)
|
unconfined_use_fds(ccs_t)
|
||||||
')
|
')
|
||||||
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.8.1/policy/modules/services/certmonger.te
|
||||||
|
--- nsaserefpolicy/policy/modules/services/certmonger.te 2010-05-25 16:28:22.000000000 -0400
|
||||||
|
+++ serefpolicy-3.8.1/policy/modules/services/certmonger.te 2010-05-27 15:59:41.000000000 -0400
|
||||||
|
@@ -69,5 +69,5 @@
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
- unconfined_dbus_send(certmonger_t)
|
||||||
|
+ pcscd_stream_connect(certmonger_t)
|
||||||
|
')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.fc serefpolicy-3.8.1/policy/modules/services/cgroup.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.fc serefpolicy-3.8.1/policy/modules/services/cgroup.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/cgroup.fc 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/cgroup.fc 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.8.1/policy/modules/services/cgroup.fc 2010-05-26 16:28:29.000000000 -0400
|
+++ serefpolicy-3.8.1/policy/modules/services/cgroup.fc 2010-05-26 16:28:29.000000000 -0400
|
||||||
@ -15773,6 +15834,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Local hald dccm policy
|
# Local hald dccm policy
|
||||||
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddtemp.te serefpolicy-3.8.1/policy/modules/services/hddtemp.te
|
||||||
|
--- nsaserefpolicy/policy/modules/services/hddtemp.te 2009-09-09 09:23:16.000000000 -0400
|
||||||
|
+++ serefpolicy-3.8.1/policy/modules/services/hddtemp.te 2010-05-27 14:54:40.000000000 -0400
|
||||||
|
@@ -27,6 +27,7 @@
|
||||||
|
corenet_tcp_bind_all_nodes(hddtemp_t)
|
||||||
|
corenet_tcp_bind_hddtemp_port(hddtemp_t)
|
||||||
|
|
||||||
|
+files_read_etc_files(hddtemp_t)
|
||||||
|
# read hddtemp db file
|
||||||
|
files_read_usr_files(hddtemp_t)
|
||||||
|
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.8.1/policy/modules/services/inn.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.8.1/policy/modules/services/inn.te
|
||||||
--- nsaserefpolicy/policy/modules/services/inn.te 2009-08-14 16:14:31.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/inn.te 2009-08-14 16:14:31.000000000 -0400
|
||||||
+++ serefpolicy-3.8.1/policy/modules/services/inn.te 2010-05-26 16:28:29.000000000 -0400
|
+++ serefpolicy-3.8.1/policy/modules/services/inn.te 2010-05-26 16:28:29.000000000 -0400
|
||||||
@ -18921,8 +18993,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.8.1/policy/modules/services/rgmanager.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.8.1/policy/modules/services/rgmanager.te
|
||||||
--- nsaserefpolicy/policy/modules/services/rgmanager.te 2010-05-25 16:28:22.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/rgmanager.te 2010-05-25 16:28:22.000000000 -0400
|
||||||
+++ serefpolicy-3.8.1/policy/modules/services/rgmanager.te 2010-05-26 16:28:29.000000000 -0400
|
+++ serefpolicy-3.8.1/policy/modules/services/rgmanager.te 2010-05-27 15:25:30.000000000 -0400
|
||||||
@@ -60,7 +60,9 @@
|
@@ -18,6 +18,9 @@
|
||||||
|
domain_type(rgmanager_t)
|
||||||
|
init_daemon_domain(rgmanager_t, rgmanager_exec_t)
|
||||||
|
|
||||||
|
+type rgmanager_initrc_exec_t;
|
||||||
|
+init_script_file(rgmanager_initrc_exec_t)
|
||||||
|
+
|
||||||
|
type rgmanager_tmp_t;
|
||||||
|
files_tmp_file(rgmanager_tmp_t)
|
||||||
|
|
||||||
|
@@ -60,7 +63,9 @@
|
||||||
manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
|
manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
|
||||||
files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file })
|
files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file })
|
||||||
|
|
||||||
@ -18932,7 +19014,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
|
|||||||
kernel_read_system_state(rgmanager_t)
|
kernel_read_system_state(rgmanager_t)
|
||||||
kernel_rw_rpc_sysctls(rgmanager_t)
|
kernel_rw_rpc_sysctls(rgmanager_t)
|
||||||
kernel_search_debugfs(rgmanager_t)
|
kernel_search_debugfs(rgmanager_t)
|
||||||
@@ -79,14 +81,19 @@
|
@@ -79,14 +84,19 @@
|
||||||
domain_getattr_all_domains(rgmanager_t)
|
domain_getattr_all_domains(rgmanager_t)
|
||||||
domain_dontaudit_ptrace_all_domains(rgmanager_t)
|
domain_dontaudit_ptrace_all_domains(rgmanager_t)
|
||||||
|
|
||||||
@ -18953,7 +19035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
|
|||||||
storage_getattr_fixed_disk_dev(rgmanager_t)
|
storage_getattr_fixed_disk_dev(rgmanager_t)
|
||||||
|
|
||||||
term_getattr_pty_fs(rgmanager_t)
|
term_getattr_pty_fs(rgmanager_t)
|
||||||
@@ -141,6 +148,11 @@
|
@@ -141,6 +151,11 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -21416,7 +21498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.8.1/policy/modules/services/xserver.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.8.1/policy/modules/services/xserver.if
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.if 2010-02-12 10:33:09.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/xserver.if 2010-02-12 10:33:09.000000000 -0500
|
||||||
+++ serefpolicy-3.8.1/policy/modules/services/xserver.if 2010-05-26 16:28:29.000000000 -0400
|
+++ serefpolicy-3.8.1/policy/modules/services/xserver.if 2010-05-27 15:12:11.000000000 -0400
|
||||||
@@ -19,9 +19,10 @@
|
@@ -19,9 +19,10 @@
|
||||||
interface(`xserver_restricted_role',`
|
interface(`xserver_restricted_role',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -21545,7 +21627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
# dont audit send failures
|
# dont audit send failures
|
||||||
dontaudit $2 input_xevent_type:x_event send;
|
dontaudit $2 input_xevent_type:x_event send;
|
||||||
+
|
+
|
||||||
+ allow $2 xdm_t:x_drawable { read add_child };
|
+ allow $2 xdm_t:x_drawable { hide read add_child manage };
|
||||||
+ allow $2 xdm_t:x_client destroy;
|
+ allow $2 xdm_t:x_client destroy;
|
||||||
+
|
+
|
||||||
+ allow $2 root_xdrawable_t:x_drawable write;
|
+ allow $2 root_xdrawable_t:x_drawable write;
|
||||||
|
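Review bot: The new side of the xserver.if hunk widens `allow $2 xdm_t:x_drawable { read add_child };` to `allow $2 xdm_t:x_drawable { hide read add_child manage };`, which lets the role's user domain ($2) hide and manage the display manager's drawables — a permission grant that neither bullet of the commit message (permissive-to-enforcing, libvirt on MLS) accounts for, and the interface this rule belongs to starts outside the hunk. A one-line comment above the rule naming the use case that needs `hide` and `manage` would keep the widening reviewable later, e.g. `# <reason — TODO fill in> needs hide/manage on xdm_t drawables`; if only one of the two is actually required, granting just that one is preferable. Separately, in the newly added kudzu.te diff the first inner hunk adds `+modutils_read_module_config(kudzu_t)` while the second inner hunk leaves the existing `modutils_read_module_config(kudzu_t)` in place as context, so the same rule now appears twice in the patched file; dropping one of them avoids the redundancy.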