- Remove mod_fcgid-selinux package
This commit is contained in:
Daniel J Walsh
parent
b9e15d9766
commit
236d3cc19a
|
|
@ -6940,7 +6940,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
## all protocols (TCP, UDP, etc)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.5.13/policy/modules/kernel/domain.te
|
||||
--- nsaserefpolicy/policy/modules/kernel/domain.te 2008-08-07 11:15:01.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/kernel/domain.te 2008-10-17 10:31:27.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/kernel/domain.te 2008-10-21 11:21:45.000000000 -0400
|
||||
@@ -5,6 +5,13 @@
|
||||
#
|
||||
# Declarations
|
||||
|
|
@ -6955,7 +6955,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
# Mark process types as domains
|
||||
attribute domain;
|
||||
@@ -85,6 +92,7 @@
|
||||
@@ -80,11 +87,14 @@
|
||||
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
|
||||
allow domain self:file rw_file_perms;
|
||||
kernel_read_proc_symlinks(domain)
|
||||
+kernel_read_crypto_sysctls(domain)
|
||||
+
|
||||
# Every domain gets the key ring, so we should default
|
||||
# to no one allowed to look at it; afs kernel support creates
|
||||
# a keyring
|
||||
kernel_dontaudit_search_key(domain)
|
||||
kernel_dontaudit_link_key(domain)
|
||||
|
|
@ -6963,7 +6970,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
# create child processes in the domain
|
||||
allow domain self:process { fork sigchld };
|
||||
@@ -131,6 +139,9 @@
|
||||
@@ -131,6 +141,9 @@
|
||||
allow unconfined_domain_type domain:fd use;
|
||||
allow unconfined_domain_type domain:fifo_file rw_file_perms;
|
||||
|
||||
|
|
@ -6973,7 +6980,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
# Act upon any other process.
|
||||
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
|
||||
|
||||
@@ -140,7 +151,7 @@
|
||||
@@ -140,7 +153,7 @@
|
||||
|
||||
# For /proc/pid
|
||||
allow unconfined_domain_type domain:dir list_dir_perms;
|
||||
|
|
@ -6982,7 +6989,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
|
||||
|
||||
# act on all domains keys
|
||||
@@ -148,3 +159,39 @@
|
||||
@@ -148,3 +161,39 @@
|
||||
|
||||
# receive from all domains over labeled networking
|
||||
domain_all_recvfrom_all_domains(unconfined_domain_type)
|
||||
|
|
@ -7913,7 +7920,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
#
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.5.13/policy/modules/kernel/kernel.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2008-08-07 11:15:01.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/kernel/kernel.if 2008-10-20 14:00:25.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/kernel/kernel.if 2008-10-21 10:34:57.000000000 -0400
|
||||
@@ -1198,6 +1198,7 @@
|
||||
')
|
||||
|
||||
|
|
@ -7934,7 +7941,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1768,6 +1771,7 @@
|
||||
@@ -1569,6 +1572,26 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## Read generic crypto sysctls.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`kernel_read_crypto_sysctls',`
|
||||
+ gen_require(`
|
||||
+ type proc_t, sysctl_t, sysctl_crypto_t;
|
||||
+ ')
|
||||
+
|
||||
+ read_files_pattern($1, { proc_t sysctl_t sysctl_crypto_t }, sysctl_crypto_t)
|
||||
+
|
||||
+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_crypto_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Read generic kernel sysctls.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1768,6 +1791,7 @@
|
||||
')
|
||||
|
||||
dontaudit $1 sysctl_type:dir list_dir_perms;
|
||||
|
|
@ -7942,7 +7976,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2582,6 +2586,24 @@
|
||||
@@ -2582,6 +2606,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -7969,7 +8003,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
## <param name="domain">
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.5.13/policy/modules/kernel/kernel.te
|
||||
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2008-08-07 11:15:01.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/kernel/kernel.te 2008-10-17 10:31:27.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/kernel/kernel.te 2008-10-21 10:34:03.000000000 -0400
|
||||
@@ -63,6 +63,15 @@
|
||||
genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
|
||||
|
||||
|
|
@ -7986,7 +8020,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
# kvmFS
|
||||
#
|
||||
|
||||
@@ -160,6 +169,7 @@
|
||||
@@ -120,6 +129,10 @@
|
||||
type sysctl_rpc_t, sysctl_type;
|
||||
genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0)
|
||||
|
||||
+# /proc/sys/crypto directory and files
|
||||
+type sysctl_crypto_t, sysctl_type;
|
||||
+genfscon proc /sys/crypto gen_context(system_u:object_r:sysctl_crypto_t,s0)
|
||||
+
|
||||
# /proc/sys/fs directory and files
|
||||
type sysctl_fs_t, sysctl_type;
|
||||
files_mountpoint(sysctl_fs_t)
|
||||
@@ -160,6 +173,7 @@
|
||||
#
|
||||
type unlabeled_t;
|
||||
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
||||
|
|
@ -7994,7 +8039,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
# These initial sids are no longer used, and can be removed:
|
||||
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
||||
@@ -274,6 +284,8 @@
|
||||
@@ -274,6 +288,8 @@
|
||||
fs_rw_tmpfs_chr_files(kernel_t)
|
||||
')
|
||||
|
||||
|
|
@ -10499,7 +10544,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te
|
||||
--- nsaserefpolicy/policy/modules/services/apache.te 2008-10-16 17:21:16.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-10-20 15:37:58.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-10-21 09:18:28.000000000 -0400
|
||||
@@ -20,6 +20,8 @@
|
||||
# Declarations
|
||||
#
|
||||
|
|
@ -10593,18 +10638,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
type httpd_lock_t;
|
||||
files_lock_file(httpd_lock_t)
|
||||
|
||||
@@ -180,6 +220,10 @@
|
||||
@@ -180,6 +220,13 @@
|
||||
|
||||
# setup the system domain for system CGI scripts
|
||||
apache_content_template(sys)
|
||||
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
|
||||
+typealias httpd_sys_content_t alias httpd_fastcgi_content_t;
|
||||
+typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t;
|
||||
+
|
||||
+typeattribute httpd_sys_content_t httpdcontent, httpd_ro_content; # customizable
|
||||
+typeattribute httpd_sys_content_rw_t httpdcontent, httpd_rw_content; # customizable
|
||||
+typeattribute httpd_sys_content_ra_t httpdcontent; # customizable
|
||||
|
||||
type httpd_tmp_t;
|
||||
files_tmp_file(httpd_tmp_t)
|
||||
@@ -202,12 +246,16 @@
|
||||
@@ -202,12 +249,16 @@
|
||||
prelink_object_file(httpd_modules_t)
|
||||
')
|
||||
|
||||
|
|
@ -10622,7 +10670,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
dontaudit httpd_t self:capability { net_admin sys_tty_config };
|
||||
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow httpd_t self:fd use;
|
||||
@@ -249,6 +297,7 @@
|
||||
@@ -249,6 +300,7 @@
|
||||
allow httpd_t httpd_modules_t:dir list_dir_perms;
|
||||
mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
||||
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
||||
|
|
@ -10630,7 +10678,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
apache_domtrans_rotatelogs(httpd_t)
|
||||
# Apache-httpd needs to be able to send signals to the log rotate procs.
|
||||
@@ -260,9 +309,9 @@
|
||||
@@ -260,9 +312,9 @@
|
||||
|
||||
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
|
||||
|
||||
|
|
@ -10643,7 +10691,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
||||
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
||||
@@ -289,6 +338,7 @@
|
||||
@@ -289,6 +341,7 @@
|
||||
kernel_read_kernel_sysctls(httpd_t)
|
||||
# for modules that want to access /proc/meminfo
|
||||
kernel_read_system_state(httpd_t)
|
||||
|
|
@ -10651,7 +10699,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
corenet_all_recvfrom_unlabeled(httpd_t)
|
||||
corenet_all_recvfrom_netlabel(httpd_t)
|
||||
@@ -299,6 +349,7 @@
|
||||
@@ -299,6 +352,7 @@
|
||||
corenet_tcp_sendrecv_all_ports(httpd_t)
|
||||
corenet_udp_sendrecv_all_ports(httpd_t)
|
||||
corenet_tcp_bind_all_nodes(httpd_t)
|
||||
|
|
@ -10659,7 +10707,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
corenet_tcp_bind_http_port(httpd_t)
|
||||
corenet_tcp_bind_http_cache_port(httpd_t)
|
||||
corenet_sendrecv_http_server_packets(httpd_t)
|
||||
@@ -312,12 +363,11 @@
|
||||
@@ -312,12 +366,11 @@
|
||||
|
||||
fs_getattr_all_fs(httpd_t)
|
||||
fs_search_auto_mountpoints(httpd_t)
|
||||
|
|
@ -10674,7 +10722,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
domain_use_interactive_fds(httpd_t)
|
||||
|
||||
@@ -335,6 +385,10 @@
|
||||
@@ -335,6 +388,10 @@
|
||||
files_read_var_lib_symlinks(httpd_t)
|
||||
|
||||
fs_search_auto_mountpoints(httpd_sys_script_t)
|
||||
|
|
@ -10685,7 +10733,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
libs_use_ld_so(httpd_t)
|
||||
libs_use_shared_libs(httpd_t)
|
||||
@@ -351,18 +405,33 @@
|
||||
@@ -351,18 +408,33 @@
|
||||
|
||||
userdom_use_unpriv_users_fds(httpd_t)
|
||||
|
||||
|
|
@ -10723,7 +10771,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
')
|
||||
|
||||
@@ -370,20 +439,45 @@
|
||||
@@ -370,20 +442,45 @@
|
||||
corenet_tcp_connect_all_ports(httpd_t)
|
||||
')
|
||||
|
||||
|
|
@ -10770,7 +10818,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
|
||||
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
|
||||
@@ -394,11 +488,12 @@
|
||||
@@ -394,11 +491,12 @@
|
||||
corenet_tcp_bind_ftp_port(httpd_t)
|
||||
')
|
||||
|
||||
|
|
@ -10786,7 +10834,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
fs_read_nfs_files(httpd_t)
|
||||
fs_read_nfs_symlinks(httpd_t)
|
||||
')
|
||||
@@ -408,6 +503,11 @@
|
||||
@@ -408,6 +506,11 @@
|
||||
fs_read_cifs_symlinks(httpd_t)
|
||||
')
|
||||
|
||||
|
|
@ -10798,7 +10846,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
tunable_policy(`httpd_ssi_exec',`
|
||||
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
|
||||
allow httpd_sys_script_t httpd_t:fd use;
|
||||
@@ -441,8 +541,13 @@
|
||||
@@ -441,8 +544,13 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -10814,7 +10862,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -454,18 +559,13 @@
|
||||
@@ -454,18 +562,13 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -10834,7 +10882,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -475,6 +575,12 @@
|
||||
@@ -475,6 +578,12 @@
|
||||
openca_kill(httpd_t)
|
||||
')
|
||||
|
||||
|
|
@ -10847,7 +10895,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
optional_policy(`
|
||||
# Allow httpd to work with postgresql
|
||||
postgresql_stream_connect(httpd_t)
|
||||
@@ -482,6 +588,7 @@
|
||||
@@ -482,6 +591,7 @@
|
||||
|
||||
tunable_policy(`httpd_can_network_connect_db',`
|
||||
postgresql_tcp_connect(httpd_t)
|
||||
|
|
@ -10855,7 +10903,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
')
|
||||
|
||||
@@ -490,6 +597,7 @@
|
||||
@@ -490,6 +600,7 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -10863,7 +10911,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
|
||||
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
|
||||
')
|
||||
@@ -519,9 +627,28 @@
|
||||
@@ -519,9 +630,28 @@
|
||||
logging_send_syslog_msg(httpd_helper_t)
|
||||
|
||||
tunable_policy(`httpd_tty_comm',`
|
||||
|
|
@ -10892,7 +10940,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
########################################
|
||||
#
|
||||
# Apache PHP script local policy
|
||||
@@ -551,22 +678,27 @@
|
||||
@@ -551,22 +681,27 @@
|
||||
|
||||
fs_search_auto_mountpoints(httpd_php_t)
|
||||
|
||||
|
|
@ -10926,7 +10974,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -584,12 +716,14 @@
|
||||
@@ -584,12 +719,14 @@
|
||||
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
||||
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
||||
|
||||
|
|
@ -10942,7 +10990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
kernel_read_kernel_sysctls(httpd_suexec_t)
|
||||
kernel_list_proc(httpd_suexec_t)
|
||||
kernel_read_proc_symlinks(httpd_suexec_t)
|
||||
@@ -598,9 +732,7 @@
|
||||
@@ -598,9 +735,7 @@
|
||||
|
||||
fs_search_auto_mountpoints(httpd_suexec_t)
|
||||
|
||||
|
|
@ -10953,7 +11001,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
files_read_etc_files(httpd_suexec_t)
|
||||
files_read_usr_files(httpd_suexec_t)
|
||||
@@ -633,12 +765,25 @@
|
||||
@@ -633,12 +768,25 @@
|
||||
corenet_sendrecv_all_client_packets(httpd_suexec_t)
|
||||
')
|
||||
|
||||
|
|
@ -10982,7 +11030,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
@@ -647,6 +792,12 @@
|
||||
@@ -647,6 +795,12 @@
|
||||
fs_exec_nfs_files(httpd_suexec_t)
|
||||
')
|
||||
|
||||
|
|
@ -10995,7 +11043,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||
fs_read_cifs_files(httpd_suexec_t)
|
||||
fs_read_cifs_symlinks(httpd_suexec_t)
|
||||
@@ -664,10 +815,6 @@
|
||||
@@ -664,10 +818,6 @@
|
||||
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
||||
')
|
||||
|
||||
|
|
@ -11006,7 +11054,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
########################################
|
||||
#
|
||||
# Apache system script local policy
|
||||
@@ -677,7 +824,8 @@
|
||||
@@ -677,7 +827,8 @@
|
||||
|
||||
dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
||||
|
||||
|
|
@ -11016,7 +11064,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
|
||||
read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
||||
@@ -691,12 +839,15 @@
|
||||
@@ -691,12 +842,15 @@
|
||||
# Should we add a boolean?
|
||||
apache_domtrans_rotatelogs(httpd_sys_script_t)
|
||||
|
||||
|
|
@ -11034,7 +11082,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
@@ -704,6 +855,30 @@
|
||||
@@ -704,6 +858,30 @@
|
||||
fs_read_nfs_symlinks(httpd_sys_script_t)
|
||||
')
|
||||
|
||||
|
|
@ -11065,7 +11113,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||
fs_read_cifs_files(httpd_sys_script_t)
|
||||
fs_read_cifs_symlinks(httpd_sys_script_t)
|
||||
@@ -716,10 +891,10 @@
|
||||
@@ -716,10 +894,10 @@
|
||||
optional_policy(`
|
||||
mysql_stream_connect(httpd_sys_script_t)
|
||||
mysql_rw_db_sockets(httpd_sys_script_t)
|
||||
|
|
@ -11080,7 +11128,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -727,6 +902,8 @@
|
||||
@@ -727,6 +905,8 @@
|
||||
# httpd_rotatelogs local policy
|
||||
#
|
||||
|
||||
|
|
@ -11089,7 +11137,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
|
||||
|
||||
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
|
||||
@@ -741,3 +918,56 @@
|
||||
@@ -741,3 +921,56 @@
|
||||
logging_search_logs(httpd_rotatelogs_t)
|
||||
|
||||
miscfiles_read_localization(httpd_rotatelogs_t)
|
||||
|
|
@ -17120,25 +17168,47 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.5.13/policy/modules/services/nscd.if
|
||||
--- nsaserefpolicy/policy/modules/services/nscd.if 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/nscd.if 2008-10-17 10:31:27.000000000 -0400
|
||||
@@ -20,6 +20,42 @@
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/nscd.if 2008-10-20 16:13:12.000000000 -0400
|
||||
@@ -2,7 +2,27 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## Send signulls to NSCD.
|
||||
-## Send generic signals to NSCD.
|
||||
+## Execute NSCD in the nscd domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## The type of the process performing this action.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`nscd_signull',`
|
||||
+interface(`nscd_domtrans',`
|
||||
+ gen_require(`
|
||||
+ type nscd_t;
|
||||
+ type nscd_t, nscd_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 nscd_t:process signull;
|
||||
+ corecmd_search_bin($1)
|
||||
+ domtrans_pattern($1, nscd_exec_t, nscd_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Allow the specified domain to execute nscd
|
||||
+## in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -10,37 +30,53 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`nscd_signal',`
|
||||
+interface(`nscd_exec',`
|
||||
+ gen_require(`
|
||||
+ type nscd_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ can_exec($1, nscd_exec_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
|
|
@ -17152,18 +17222,62 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+## </param>
|
||||
+#
|
||||
+interface(`nscd_sigkill',`
|
||||
+ gen_require(`
|
||||
+ type nscd_t;
|
||||
+ ')
|
||||
+
|
||||
gen_require(`
|
||||
type nscd_t;
|
||||
')
|
||||
|
||||
- allow $1 nscd_t:process signal;
|
||||
+ allow $1 nscd_t:process sigkill;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Execute NSCD in the nscd domain.
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Execute NSCD in the nscd domain.
|
||||
+## Send generic signals to NSCD.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
-## The type of the process performing this action.
|
||||
+## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`nscd_domtrans',`
|
||||
+interface(`nscd_signal',`
|
||||
gen_require(`
|
||||
- type nscd_t, nscd_exec_t;
|
||||
+ type nscd_t;
|
||||
')
|
||||
|
||||
- corecmd_search_bin($1)
|
||||
- domtrans_pattern($1, nscd_exec_t, nscd_t)
|
||||
+ allow $1 nscd_t:process signal;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Allow the specified domain to execute nscd
|
||||
-## in the caller domain.
|
||||
+## Send signulls to NSCD.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -48,12 +84,12 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`nscd_exec',`
|
||||
+interface(`nscd_signull',`
|
||||
gen_require(`
|
||||
- type nscd_exec_t;
|
||||
+ type nscd_t;
|
||||
')
|
||||
|
||||
- can_exec($1, nscd_exec_t)
|
||||
+ allow $1 nscd_t:process signull;
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -70,15 +106,14 @@
|
||||
interface(`nscd_socket_use',`
|
||||
gen_require(`
|
||||
|
|
@ -18481,7 +18595,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.5.13/policy/modules/services/postfix.te
|
||||
--- nsaserefpolicy/policy/modules/services/postfix.te 2008-10-16 17:21:16.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/postfix.te 2008-10-17 10:31:27.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/postfix.te 2008-10-21 11:23:16.000000000 -0400
|
||||
@@ -6,6 +6,14 @@
|
||||
# Declarations
|
||||
#
|
||||
|
|
@ -22987,7 +23101,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
/etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.5.13/policy/modules/services/ssh.if
|
||||
--- nsaserefpolicy/policy/modules/services/ssh.if 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/ssh.if 2008-10-17 10:31:27.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/ssh.if 2008-10-21 10:06:54.000000000 -0400
|
||||
@@ -36,6 +36,7 @@
|
||||
gen_require(`
|
||||
attribute ssh_server;
|
||||
|
|
@ -23008,16 +23122,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
##############################
|
||||
#
|
||||
@@ -65,7 +67,7 @@
|
||||
@@ -65,8 +67,7 @@
|
||||
allow $1_ssh_t self:sem create_sem_perms;
|
||||
allow $1_ssh_t self:msgq create_msgq_perms;
|
||||
allow $1_ssh_t self:msg { send receive };
|
||||
- allow $1_ssh_t self:tcp_socket create_socket_perms;
|
||||
- allow $1_ssh_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
+ allow $1_ssh_t self:tcp_socket create_stream_socket_perms;
|
||||
allow $1_ssh_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
# for rsync
|
||||
@@ -93,20 +95,21 @@
|
||||
allow $1_ssh_t $2:unix_stream_socket rw_socket_perms;
|
||||
@@ -93,20 +94,21 @@
|
||||
ps_process_pattern($2, $1_ssh_t)
|
||||
|
||||
# user can manage the keys and config
|
||||
|
|
@ -23047,7 +23162,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
corenet_all_recvfrom_unlabeled($1_ssh_t)
|
||||
corenet_all_recvfrom_netlabel($1_ssh_t)
|
||||
@@ -115,6 +118,8 @@
|
||||
@@ -115,6 +117,8 @@
|
||||
corenet_tcp_sendrecv_all_ports($1_ssh_t)
|
||||
corenet_tcp_connect_ssh_port($1_ssh_t)
|
||||
corenet_sendrecv_ssh_client_packets($1_ssh_t)
|
||||
|
|
@ -23056,7 +23171,41 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
dev_read_urand($1_ssh_t)
|
||||
|
||||
@@ -212,7 +217,7 @@
|
||||
@@ -133,6 +137,8 @@
|
||||
files_read_etc_files($1_ssh_t)
|
||||
files_read_var_files($1_ssh_t)
|
||||
|
||||
+ auth_use_nsswitch($1_ssh_t)
|
||||
+
|
||||
libs_use_ld_so($1_ssh_t)
|
||||
libs_use_shared_libs($1_ssh_t)
|
||||
|
||||
@@ -143,9 +149,6 @@
|
||||
|
||||
seutil_read_config($1_ssh_t)
|
||||
|
||||
- sysnet_read_config($1_ssh_t)
|
||||
- sysnet_dns_name_resolve($1_ssh_t)
|
||||
-
|
||||
tunable_policy(`read_default_t',`
|
||||
files_list_default($1_ssh_t)
|
||||
files_read_default_files($1_ssh_t)
|
||||
@@ -157,14 +160,6 @@
|
||||
optional_policy(`
|
||||
kerberos_use($1_ssh_t)
|
||||
')
|
||||
-
|
||||
- optional_policy(`
|
||||
- nis_use_ypbind($1_ssh_t)
|
||||
- ')
|
||||
-
|
||||
- optional_policy(`
|
||||
- nscd_socket_use($1_ssh_t)
|
||||
- ')
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -212,7 +207,7 @@
|
||||
|
||||
ssh_basic_client_template($1, $2, $3)
|
||||
|
||||
|
|
@ -23065,7 +23214,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
type $1_ssh_agent_t;
|
||||
application_domain($1_ssh_agent_t, ssh_agent_exec_t)
|
||||
@@ -240,9 +245,9 @@
|
||||
@@ -240,9 +235,9 @@
|
||||
manage_sock_files_pattern($1_ssh_t, $1_ssh_tmpfs_t, $1_ssh_tmpfs_t)
|
||||
fs_tmpfs_filetrans($1_ssh_t, $1_ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })
|
||||
|
||||
|
|
@ -23078,7 +23227,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
# Allow the ssh program to communicate with ssh-agent.
|
||||
stream_connect_pattern($1_ssh_t, $1_ssh_agent_tmp_t, $1_ssh_agent_tmp_t, $1_ssh_agent_t)
|
||||
@@ -254,6 +259,8 @@
|
||||
@@ -254,6 +249,8 @@
|
||||
userdom_use_unpriv_users_fds($1_ssh_t)
|
||||
userdom_dontaudit_list_user_home_dirs($1,$1_ssh_t)
|
||||
userdom_search_user_home_dirs($1,$1_ssh_t)
|
||||
|
|
@ -23087,7 +23236,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
# Write to the user domain tty.
|
||||
userdom_use_user_terminals($1,$1_ssh_t)
|
||||
# needs to read krb tgt
|
||||
@@ -279,24 +286,14 @@
|
||||
@@ -279,24 +276,14 @@
|
||||
# for port forwarding
|
||||
tunable_policy(`user_tcp_server',`
|
||||
corenet_tcp_bind_ssh_port($1_ssh_t)
|
||||
|
|
@ -23114,7 +23263,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
##############################
|
||||
#
|
||||
# $1_ssh_agent_t local policy
|
||||
@@ -381,12 +378,9 @@
|
||||
@@ -381,12 +368,9 @@
|
||||
optional_policy(`
|
||||
xserver_use_xdm_fds($1_ssh_agent_t)
|
||||
xserver_rw_xdm_pipes($1_ssh_agent_t)
|
||||
|
|
@ -23128,7 +23277,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
##############################
|
||||
#
|
||||
# $1_ssh_keysign_t local policy
|
||||
@@ -413,6 +407,25 @@
|
||||
@@ -413,6 +397,25 @@
|
||||
')
|
||||
')
|
||||
|
||||
|
|
@ -23154,7 +23303,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
#######################################
|
||||
## <summary>
|
||||
## The template to define a ssh server.
|
||||
@@ -443,13 +456,14 @@
|
||||
@@ -443,13 +446,14 @@
|
||||
type $1_var_run_t;
|
||||
files_pid_file($1_var_run_t)
|
||||
|
||||
|
|
@ -23170,7 +23319,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
|
||||
term_create_pty($1_t,$1_devpts_t)
|
||||
@@ -478,7 +492,12 @@
|
||||
@@ -478,7 +482,12 @@
|
||||
corenet_udp_bind_all_nodes($1_t)
|
||||
corenet_tcp_bind_ssh_port($1_t)
|
||||
corenet_tcp_connect_all_ports($1_t)
|
||||
|
|
@ -23183,7 +23332,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
fs_dontaudit_getattr_all_fs($1_t)
|
||||
|
||||
@@ -506,9 +525,14 @@
|
||||
@@ -506,9 +515,14 @@
|
||||
|
||||
userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t)
|
||||
userdom_search_all_users_home_dirs($1_t)
|
||||
|
|
@ -23198,7 +23347,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
@@ -517,11 +541,7 @@
|
||||
@@ -517,11 +531,7 @@
|
||||
|
||||
optional_policy(`
|
||||
kerberos_use($1_t)
|
||||
|
|
@ -23211,7 +23360,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -710,3 +730,22 @@
|
||||
@@ -710,3 +720,22 @@
|
||||
|
||||
dontaudit $1 sshd_key_t:file { getattr read };
|
||||
')
|
||||
|
|
@ -23236,7 +23385,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.5.13/policy/modules/services/ssh.te
|
||||
--- nsaserefpolicy/policy/modules/services/ssh.te 2008-10-14 11:58:09.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/ssh.te 2008-10-17 10:31:27.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/ssh.te 2008-10-21 10:05:20.000000000 -0400
|
||||
@@ -24,7 +24,7 @@
|
||||
|
||||
# Type for the ssh-agent executable.
|
||||
|
|
@ -23297,6 +23446,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
unconfined_shell_domtrans(sshd_t)
|
||||
')
|
||||
|
||||
@@ -176,6 +197,8 @@
|
||||
init_use_fds(ssh_keygen_t)
|
||||
init_use_script_ptys(ssh_keygen_t)
|
||||
|
||||
+auth_use_nsswitch(ssh_keygen_t)
|
||||
+
|
||||
libs_use_ld_so(ssh_keygen_t)
|
||||
libs_use_shared_libs(ssh_keygen_t)
|
||||
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.fc serefpolicy-3.5.13/policy/modules/services/stunnel.fc
|
||||
--- nsaserefpolicy/policy/modules/services/stunnel.fc 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/stunnel.fc 2008-10-17 10:31:27.000000000 -0400
|
||||
|
|
@ -23701,7 +23859,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.13/policy/modules/services/xserver.if
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.if 2008-10-08 19:00:27.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/xserver.if 2008-10-17 17:26:09.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/xserver.if 2008-10-21 11:39:30.000000000 -0400
|
||||
@@ -16,6 +16,7 @@
|
||||
gen_require(`
|
||||
type xkb_var_lib_t, xserver_exec_t, xserver_log_t;
|
||||
|
|
@ -23946,7 +24104,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
##############################
|
||||
#
|
||||
@@ -441,16 +385,16 @@
|
||||
@@ -441,16 +385,17 @@
|
||||
|
||||
domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t)
|
||||
|
||||
|
|
@ -23965,10 +24123,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
- allow xdm_t $1_iceauth_home_t:file read_file_perms;
|
||||
+ xserver_use_xdm($2)
|
||||
+ xserver_rw_xdm_xserver_shm($2)
|
||||
|
||||
fs_search_auto_mountpoints($1_iceauth_t)
|
||||
|
||||
@@ -473,33 +417,12 @@
|
||||
@@ -473,33 +418,12 @@
|
||||
#
|
||||
|
||||
# Device rules
|
||||
|
|
@ -24005,7 +24164,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
# xrdb X11:ChangeProperty prop=RESOURCE_MANAGER
|
||||
allow $2 info_xproperty_t:x_property { create write append };
|
||||
@@ -548,7 +471,7 @@
|
||||
@@ -548,7 +472,7 @@
|
||||
allow $2 $1_xserver_t:process signal;
|
||||
|
||||
# Read /tmp/.X0-lock
|
||||
|
|
@ -24014,7 +24173,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
# Client read xserver shm
|
||||
allow $2 $1_xserver_t:fd use;
|
||||
@@ -616,7 +539,7 @@
|
||||
@@ -616,7 +540,7 @@
|
||||
# refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
|
||||
gen_require(`
|
||||
type xdm_t, xdm_tmp_t;
|
||||
|
|
@ -24023,7 +24182,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
allow $2 self:shm create_shm_perms;
|
||||
@@ -624,12 +547,12 @@
|
||||
@@ -624,12 +548,12 @@
|
||||
allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
|
||||
# Read .Xauthority file
|
||||
|
|
@ -24039,7 +24198,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
allow $2 xdm_tmp_t:dir search;
|
||||
allow $2 xdm_tmp_t:sock_file { read write };
|
||||
dontaudit $2 xdm_t:tcp_socket { read write };
|
||||
@@ -649,13 +572,210 @@
|
||||
@@ -649,13 +573,210 @@
|
||||
|
||||
xserver_read_xdm_tmp_files($2)
|
||||
|
||||
|
|
@ -24091,7 +24250,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+ allow $3 $1_rootwindow_t:x_drawable { list_property get_property set_property };
|
||||
+ # X Windows
|
||||
+ # operations allowed on root windows
|
||||
+ allow $3 $1_rootwindow_t:x_drawable { getattr list_child add_child remove_child send receive override destroy hide };
|
||||
+ allow $3 $1_rootwindow_t:x_drawable { read getattr list_child add_child remove_child send receive override destroy hide };
|
||||
+# type_transition $3 $1_rootwindow_t:x_drawable $2_t;
|
||||
+
|
||||
+ allow $3 $1_xproperty_t:x_property { write read };
|
||||
|
|
@ -24254,7 +24413,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
#######################################
|
||||
## <summary>
|
||||
## Interface to provide X object permissions on a given X server to
|
||||
@@ -682,7 +802,7 @@
|
||||
@@ -682,7 +803,7 @@
|
||||
#
|
||||
template(`xserver_common_x_domain_template',`
|
||||
gen_require(`
|
||||
|
|
@ -24263,7 +24422,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
type xproperty_t, info_xproperty_t, clipboard_xproperty_t;
|
||||
type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t;
|
||||
type xevent_t, client_xevent_t;
|
||||
@@ -691,7 +811,6 @@
|
||||
@@ -691,7 +812,6 @@
|
||||
attribute x_server_domain, x_domain;
|
||||
attribute xproperty_type;
|
||||
attribute xevent_type, xextension_type;
|
||||
|
|
@ -24271,7 +24430,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
class x_drawable all_x_drawable_perms;
|
||||
class x_screen all_x_screen_perms;
|
||||
@@ -708,6 +827,7 @@
|
||||
@@ -708,6 +828,7 @@
|
||||
class x_resource all_x_resource_perms;
|
||||
class x_event all_x_event_perms;
|
||||
class x_synthetic_event all_x_synthetic_event_perms;
|
||||
|
|
@ -24279,7 +24438,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
##############################
|
||||
@@ -715,20 +835,22 @@
|
||||
@@ -715,20 +836,22 @@
|
||||
# Declarations
|
||||
#
|
||||
|
||||
|
|
@ -24305,7 +24464,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
##############################
|
||||
#
|
||||
# Local Policy
|
||||
@@ -746,7 +868,7 @@
|
||||
@@ -746,7 +869,7 @@
|
||||
allow $3 x_server_domain:x_server getattr;
|
||||
# everyone can do override-redirect windows.
|
||||
# this could be used to spoof labels
|
||||
|
|
@ -24314,7 +24473,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
# everyone can receive management events on the root window
|
||||
# allows to know when new windows appear, among other things
|
||||
allow $3 manage_xevent_t:x_event receive;
|
||||
@@ -755,36 +877,30 @@
|
||||
@@ -755,36 +878,30 @@
|
||||
# can read server-owned resources
|
||||
allow $3 x_server_domain:x_resource read;
|
||||
# can mess with own clients
|
||||
|
|
@ -24361,7 +24520,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
# X Input
|
||||
# can receive own events
|
||||
@@ -811,6 +927,12 @@
|
||||
@@ -811,6 +928,12 @@
|
||||
allow $3 manage_xevent_t:x_synthetic_event send;
|
||||
allow $3 client_xevent_t:x_synthetic_event send;
|
||||
|
||||
|
|
@ -24374,7 +24533,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
# X Selections
|
||||
# can use the clipboard
|
||||
allow $3 clipboard_xselection_t:x_selection { getattr setattr read };
|
||||
@@ -819,13 +941,15 @@
|
||||
@@ -819,13 +942,15 @@
|
||||
|
||||
# Other X Objects
|
||||
# can create and use cursors
|
||||
|
|
@ -24394,7 +24553,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
tunable_policy(`! xserver_object_manager',`
|
||||
# should be xserver_unconfined($3),
|
||||
@@ -885,24 +1009,17 @@
|
||||
@@ -885,24 +1010,17 @@
|
||||
#
|
||||
template(`xserver_user_x_domain_template',`
|
||||
gen_require(`
|
||||
|
|
@ -24426,7 +24585,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
# Allow connections to X server.
|
||||
files_search_tmp($3)
|
||||
@@ -917,16 +1034,16 @@
|
||||
@@ -917,16 +1035,16 @@
|
||||
xserver_rw_session_template($1, $3, $4)
|
||||
xserver_use_user_fonts($1, $3)
|
||||
|
||||
|
|
@ -24450,7 +24609,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -958,26 +1075,43 @@
|
||||
@@ -958,26 +1076,43 @@
|
||||
#
|
||||
template(`xserver_use_user_fonts',`
|
||||
gen_require(`
|
||||
|
|
@ -24501,7 +24660,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
## Transition to a user Xauthority domain.
|
||||
## </summary>
|
||||
## <desc>
|
||||
@@ -1003,10 +1137,77 @@
|
||||
@@ -1003,10 +1138,77 @@
|
||||
#
|
||||
template(`xserver_domtrans_user_xauth',`
|
||||
gen_require(`
|
||||
|
|
@ -24581,7 +24740,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1036,10 +1237,10 @@
|
||||
@@ -1036,10 +1238,10 @@
|
||||
#
|
||||
template(`xserver_user_home_dir_filetrans_user_xauth',`
|
||||
gen_require(`
|
||||
|
|
@ -24594,7 +24753,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1180,7 +1381,7 @@
|
||||
@@ -1180,7 +1382,7 @@
|
||||
type xdm_t;
|
||||
')
|
||||
|
||||
|
|
@ -24603,7 +24762,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1225,6 +1426,25 @@
|
||||
@@ -1225,6 +1427,25 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -24629,7 +24788,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
## Read xdm-writable configuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1239,7 +1459,7 @@
|
||||
@@ -1239,7 +1460,7 @@
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
|
|
@ -24638,7 +24797,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1279,6 +1499,7 @@
|
||||
@@ -1279,6 +1500,7 @@
|
||||
files_search_tmp($1)
|
||||
allow $1 xdm_tmp_t:dir list_dir_perms;
|
||||
create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
|
||||
|
|
@ -24646,7 +24805,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1297,7 +1518,7 @@
|
||||
@@ -1297,7 +1519,7 @@
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
|
|
@ -24655,7 +24814,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1315,7 +1536,25 @@
|
||||
@@ -1315,7 +1537,25 @@
|
||||
type xdm_var_lib_t;
|
||||
')
|
||||
|
||||
|
|
@ -24682,7 +24841,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1330,15 +1569,47 @@
|
||||
@@ -1330,15 +1570,47 @@
|
||||
#
|
||||
interface(`xserver_domtrans_xdm_xserver',`
|
||||
gen_require(`
|
||||
|
|
@ -24731,7 +24890,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
## Make an X session script an entrypoint for the specified domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1488,7 +1759,7 @@
|
||||
@@ -1488,7 +1760,7 @@
|
||||
type xdm_xserver_tmp_t;
|
||||
')
|
||||
|
||||
|
|
@ -24740,7 +24899,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1680,6 +1951,26 @@
|
||||
@@ -1680,6 +1952,26 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -24767,7 +24926,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
## xdm xserver RW shared memory socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1698,6 +1989,24 @@
|
||||
@@ -1698,6 +1990,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -24792,7 +24951,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
## Interface to provide X object permissions on a given X server to
|
||||
## an X client domain. Gives the domain complete control over the
|
||||
## display.
|
||||
@@ -1710,8 +2019,157 @@
|
||||
@@ -1710,8 +2020,157 @@
|
||||
#
|
||||
interface(`xserver_unconfined',`
|
||||
gen_require(`
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@
|
|||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.5.13
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
|
|
@ -312,6 +312,7 @@ Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
|
|||
Requires(pre): coreutils
|
||||
Requires(pre): selinux-policy = %{version}-%{release}
|
||||
Conflicts: audispd-plugins <= 1.7.7-1
|
||||
Obsoletes: mod_fcgid-selinux
|
||||
|
||||
%description targeted
|
||||
SELinux Reference policy targeted base module.
|
||||
|
|
@ -461,6 +462,9 @@ exit 0
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Oct 21 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-3
|
||||
- Remove mod_fcgid-selinux package
|
||||
|
||||
* Mon Oct 20 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-2
|
||||
- Fix dovecot access
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue