- Remove mod_fcgid-selinux package
parent
b9e15d9766
commit
236d3cc19a
@ -6940,7 +6940,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## all protocols (TCP, UDP, etc)
|
## all protocols (TCP, UDP, etc)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.5.13/policy/modules/kernel/domain.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.5.13/policy/modules/kernel/domain.te
|
||||||
--- nsaserefpolicy/policy/modules/kernel/domain.te 2008-08-07 11:15:01.000000000 -0400
|
--- nsaserefpolicy/policy/modules/kernel/domain.te 2008-08-07 11:15:01.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/kernel/domain.te 2008-10-17 10:31:27.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/kernel/domain.te 2008-10-21 11:21:45.000000000 -0400
|
||||||
@@ -5,6 +5,13 @@
|
@@ -5,6 +5,13 @@
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
@ -6955,7 +6955,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
# Mark process types as domains
|
# Mark process types as domains
|
||||||
attribute domain;
|
attribute domain;
|
||||||
@@ -85,6 +92,7 @@
|
@@ -80,11 +87,14 @@
|
||||||
|
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
|
||||||
|
allow domain self:file rw_file_perms;
|
||||||
|
kernel_read_proc_symlinks(domain)
|
||||||
|
+kernel_read_crypto_sysctls(domain)
|
||||||
|
+
|
||||||
|
# Every domain gets the key ring, so we should default
|
||||||
|
# to no one allowed to look at it; afs kernel support creates
|
||||||
# a keyring
|
# a keyring
|
||||||
kernel_dontaudit_search_key(domain)
|
kernel_dontaudit_search_key(domain)
|
||||||
kernel_dontaudit_link_key(domain)
|
kernel_dontaudit_link_key(domain)
|
||||||
@ -6963,7 +6970,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
# create child processes in the domain
|
# create child processes in the domain
|
||||||
allow domain self:process { fork sigchld };
|
allow domain self:process { fork sigchld };
|
||||||
@@ -131,6 +139,9 @@
|
@@ -131,6 +141,9 @@
|
||||||
allow unconfined_domain_type domain:fd use;
|
allow unconfined_domain_type domain:fd use;
|
||||||
allow unconfined_domain_type domain:fifo_file rw_file_perms;
|
allow unconfined_domain_type domain:fifo_file rw_file_perms;
|
||||||
|
|
||||||
@ -6973,7 +6980,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# Act upon any other process.
|
# Act upon any other process.
|
||||||
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
|
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
|
||||||
|
|
||||||
@@ -140,7 +151,7 @@
|
@@ -140,7 +153,7 @@
|
||||||
|
|
||||||
# For /proc/pid
|
# For /proc/pid
|
||||||
allow unconfined_domain_type domain:dir list_dir_perms;
|
allow unconfined_domain_type domain:dir list_dir_perms;
|
||||||
@ -6982,7 +6989,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
|
allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
|
||||||
|
|
||||||
# act on all domains keys
|
# act on all domains keys
|
||||||
@@ -148,3 +159,39 @@
|
@@ -148,3 +161,39 @@
|
||||||
|
|
||||||
# receive from all domains over labeled networking
|
# receive from all domains over labeled networking
|
||||||
domain_all_recvfrom_all_domains(unconfined_domain_type)
|
domain_all_recvfrom_all_domains(unconfined_domain_type)
|
||||||
@ -7913,7 +7920,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
#
|
#
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.5.13/policy/modules/kernel/kernel.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.5.13/policy/modules/kernel/kernel.if
|
||||||
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2008-08-07 11:15:01.000000000 -0400
|
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2008-08-07 11:15:01.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/kernel/kernel.if 2008-10-20 14:00:25.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/kernel/kernel.if 2008-10-21 10:34:57.000000000 -0400
|
||||||
@@ -1198,6 +1198,7 @@
|
@@ -1198,6 +1198,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -7934,7 +7941,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1768,6 +1771,7 @@
|
@@ -1569,6 +1572,26 @@
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
+## Read generic crypto sysctls.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`kernel_read_crypto_sysctls',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type proc_t, sysctl_t, sysctl_crypto_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ read_files_pattern($1, { proc_t sysctl_t sysctl_crypto_t }, sysctl_crypto_t)
|
||||||
|
+
|
||||||
|
+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_crypto_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
## Read generic kernel sysctls.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
@@ -1768,6 +1791,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
dontaudit $1 sysctl_type:dir list_dir_perms;
|
dontaudit $1 sysctl_type:dir list_dir_perms;
|
||||||
@ -7942,7 +7976,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2582,6 +2586,24 @@
|
@@ -2582,6 +2606,24 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -7969,7 +8003,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.5.13/policy/modules/kernel/kernel.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.5.13/policy/modules/kernel/kernel.te
|
||||||
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2008-08-07 11:15:01.000000000 -0400
|
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2008-08-07 11:15:01.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/kernel/kernel.te 2008-10-17 10:31:27.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/kernel/kernel.te 2008-10-21 10:34:03.000000000 -0400
|
||||||
@@ -63,6 +63,15 @@
|
@@ -63,6 +63,15 @@
|
||||||
genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
|
genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
|
||||||
|
|
||||||
@ -7986,7 +8020,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# kvmFS
|
# kvmFS
|
||||||
#
|
#
|
||||||
|
|
||||||
@@ -160,6 +169,7 @@
|
@@ -120,6 +129,10 @@
|
||||||
|
type sysctl_rpc_t, sysctl_type;
|
||||||
|
genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0)
|
||||||
|
|
||||||
|
+# /proc/sys/crypto directory and files
|
||||||
|
+type sysctl_crypto_t, sysctl_type;
|
||||||
|
+genfscon proc /sys/crypto gen_context(system_u:object_r:sysctl_crypto_t,s0)
|
||||||
|
+
|
||||||
|
# /proc/sys/fs directory and files
|
||||||
|
type sysctl_fs_t, sysctl_type;
|
||||||
|
files_mountpoint(sysctl_fs_t)
|
||||||
|
@@ -160,6 +173,7 @@
|
||||||
#
|
#
|
||||||
type unlabeled_t;
|
type unlabeled_t;
|
||||||
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
||||||
@ -7994,7 +8039,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
# These initial sids are no longer used, and can be removed:
|
# These initial sids are no longer used, and can be removed:
|
||||||
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
||||||
@@ -274,6 +284,8 @@
|
@@ -274,6 +288,8 @@
|
||||||
fs_rw_tmpfs_chr_files(kernel_t)
|
fs_rw_tmpfs_chr_files(kernel_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -10499,7 +10544,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te
|
||||||
--- nsaserefpolicy/policy/modules/services/apache.te 2008-10-16 17:21:16.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/apache.te 2008-10-16 17:21:16.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-10-20 15:37:58.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-10-21 09:18:28.000000000 -0400
|
||||||
@@ -20,6 +20,8 @@
|
@@ -20,6 +20,8 @@
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
@ -10593,18 +10638,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
type httpd_lock_t;
|
type httpd_lock_t;
|
||||||
files_lock_file(httpd_lock_t)
|
files_lock_file(httpd_lock_t)
|
||||||
|
|
||||||
@@ -180,6 +220,10 @@
|
@@ -180,6 +220,13 @@
|
||||||
|
|
||||||
# setup the system domain for system CGI scripts
|
# setup the system domain for system CGI scripts
|
||||||
apache_content_template(sys)
|
apache_content_template(sys)
|
||||||
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
|
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
|
||||||
|
+typealias httpd_sys_content_t alias httpd_fastcgi_content_t;
|
||||||
|
+typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t;
|
||||||
|
+
|
||||||
+typeattribute httpd_sys_content_t httpdcontent, httpd_ro_content; # customizable
|
+typeattribute httpd_sys_content_t httpdcontent, httpd_ro_content; # customizable
|
||||||
+typeattribute httpd_sys_content_rw_t httpdcontent, httpd_rw_content; # customizable
|
+typeattribute httpd_sys_content_rw_t httpdcontent, httpd_rw_content; # customizable
|
||||||
+typeattribute httpd_sys_content_ra_t httpdcontent; # customizable
|
+typeattribute httpd_sys_content_ra_t httpdcontent; # customizable
|
||||||
|
|
||||||
type httpd_tmp_t;
|
type httpd_tmp_t;
|
||||||
files_tmp_file(httpd_tmp_t)
|
files_tmp_file(httpd_tmp_t)
|
||||||
@@ -202,12 +246,16 @@
|
@@ -202,12 +249,16 @@
|
||||||
prelink_object_file(httpd_modules_t)
|
prelink_object_file(httpd_modules_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -10622,7 +10670,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
dontaudit httpd_t self:capability { net_admin sys_tty_config };
|
dontaudit httpd_t self:capability { net_admin sys_tty_config };
|
||||||
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||||
allow httpd_t self:fd use;
|
allow httpd_t self:fd use;
|
||||||
@@ -249,6 +297,7 @@
|
@@ -249,6 +300,7 @@
|
||||||
allow httpd_t httpd_modules_t:dir list_dir_perms;
|
allow httpd_t httpd_modules_t:dir list_dir_perms;
|
||||||
mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
||||||
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
||||||
@ -10630,7 +10678,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
apache_domtrans_rotatelogs(httpd_t)
|
apache_domtrans_rotatelogs(httpd_t)
|
||||||
# Apache-httpd needs to be able to send signals to the log rotate procs.
|
# Apache-httpd needs to be able to send signals to the log rotate procs.
|
||||||
@@ -260,9 +309,9 @@
|
@@ -260,9 +312,9 @@
|
||||||
|
|
||||||
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
|
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
|
||||||
|
|
||||||
@ -10643,7 +10691,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
||||||
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
||||||
@@ -289,6 +338,7 @@
|
@@ -289,6 +341,7 @@
|
||||||
kernel_read_kernel_sysctls(httpd_t)
|
kernel_read_kernel_sysctls(httpd_t)
|
||||||
# for modules that want to access /proc/meminfo
|
# for modules that want to access /proc/meminfo
|
||||||
kernel_read_system_state(httpd_t)
|
kernel_read_system_state(httpd_t)
|
||||||
@ -10651,7 +10699,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
corenet_all_recvfrom_unlabeled(httpd_t)
|
corenet_all_recvfrom_unlabeled(httpd_t)
|
||||||
corenet_all_recvfrom_netlabel(httpd_t)
|
corenet_all_recvfrom_netlabel(httpd_t)
|
||||||
@@ -299,6 +349,7 @@
|
@@ -299,6 +352,7 @@
|
||||||
corenet_tcp_sendrecv_all_ports(httpd_t)
|
corenet_tcp_sendrecv_all_ports(httpd_t)
|
||||||
corenet_udp_sendrecv_all_ports(httpd_t)
|
corenet_udp_sendrecv_all_ports(httpd_t)
|
||||||
corenet_tcp_bind_all_nodes(httpd_t)
|
corenet_tcp_bind_all_nodes(httpd_t)
|
||||||
@ -10659,7 +10707,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
corenet_tcp_bind_http_port(httpd_t)
|
corenet_tcp_bind_http_port(httpd_t)
|
||||||
corenet_tcp_bind_http_cache_port(httpd_t)
|
corenet_tcp_bind_http_cache_port(httpd_t)
|
||||||
corenet_sendrecv_http_server_packets(httpd_t)
|
corenet_sendrecv_http_server_packets(httpd_t)
|
||||||
@@ -312,12 +363,11 @@
|
@@ -312,12 +366,11 @@
|
||||||
|
|
||||||
fs_getattr_all_fs(httpd_t)
|
fs_getattr_all_fs(httpd_t)
|
||||||
fs_search_auto_mountpoints(httpd_t)
|
fs_search_auto_mountpoints(httpd_t)
|
||||||
@ -10674,7 +10722,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
domain_use_interactive_fds(httpd_t)
|
domain_use_interactive_fds(httpd_t)
|
||||||
|
|
||||||
@@ -335,6 +385,10 @@
|
@@ -335,6 +388,10 @@
|
||||||
files_read_var_lib_symlinks(httpd_t)
|
files_read_var_lib_symlinks(httpd_t)
|
||||||
|
|
||||||
fs_search_auto_mountpoints(httpd_sys_script_t)
|
fs_search_auto_mountpoints(httpd_sys_script_t)
|
||||||
@ -10685,7 +10733,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
libs_use_ld_so(httpd_t)
|
libs_use_ld_so(httpd_t)
|
||||||
libs_use_shared_libs(httpd_t)
|
libs_use_shared_libs(httpd_t)
|
||||||
@@ -351,18 +405,33 @@
|
@@ -351,18 +408,33 @@
|
||||||
|
|
||||||
userdom_use_unpriv_users_fds(httpd_t)
|
userdom_use_unpriv_users_fds(httpd_t)
|
||||||
|
|
||||||
@ -10723,7 +10771,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -370,20 +439,45 @@
|
@@ -370,20 +442,45 @@
|
||||||
corenet_tcp_connect_all_ports(httpd_t)
|
corenet_tcp_connect_all_ports(httpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -10770,7 +10818,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
|
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
|
||||||
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
|
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
|
||||||
@@ -394,11 +488,12 @@
|
@@ -394,11 +491,12 @@
|
||||||
corenet_tcp_bind_ftp_port(httpd_t)
|
corenet_tcp_bind_ftp_port(httpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -10786,7 +10834,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
fs_read_nfs_files(httpd_t)
|
fs_read_nfs_files(httpd_t)
|
||||||
fs_read_nfs_symlinks(httpd_t)
|
fs_read_nfs_symlinks(httpd_t)
|
||||||
')
|
')
|
||||||
@@ -408,6 +503,11 @@
|
@@ -408,6 +506,11 @@
|
||||||
fs_read_cifs_symlinks(httpd_t)
|
fs_read_cifs_symlinks(httpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -10798,7 +10846,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
tunable_policy(`httpd_ssi_exec',`
|
tunable_policy(`httpd_ssi_exec',`
|
||||||
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
|
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
|
||||||
allow httpd_sys_script_t httpd_t:fd use;
|
allow httpd_sys_script_t httpd_t:fd use;
|
||||||
@@ -441,8 +541,13 @@
|
@@ -441,8 +544,13 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -10814,7 +10862,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -454,18 +559,13 @@
|
@@ -454,18 +562,13 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -10834,7 +10882,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -475,6 +575,12 @@
|
@@ -475,6 +578,12 @@
|
||||||
openca_kill(httpd_t)
|
openca_kill(httpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -10847,7 +10895,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
# Allow httpd to work with postgresql
|
# Allow httpd to work with postgresql
|
||||||
postgresql_stream_connect(httpd_t)
|
postgresql_stream_connect(httpd_t)
|
||||||
@@ -482,6 +588,7 @@
|
@@ -482,6 +591,7 @@
|
||||||
|
|
||||||
tunable_policy(`httpd_can_network_connect_db',`
|
tunable_policy(`httpd_can_network_connect_db',`
|
||||||
postgresql_tcp_connect(httpd_t)
|
postgresql_tcp_connect(httpd_t)
|
||||||
@ -10855,7 +10903,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -490,6 +597,7 @@
|
@@ -490,6 +600,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -10863,7 +10911,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
|
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
|
||||||
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
|
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
|
||||||
')
|
')
|
||||||
@@ -519,9 +627,28 @@
|
@@ -519,9 +630,28 @@
|
||||||
logging_send_syslog_msg(httpd_helper_t)
|
logging_send_syslog_msg(httpd_helper_t)
|
||||||
|
|
||||||
tunable_policy(`httpd_tty_comm',`
|
tunable_policy(`httpd_tty_comm',`
|
||||||
@ -10892,7 +10940,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Apache PHP script local policy
|
# Apache PHP script local policy
|
||||||
@@ -551,22 +678,27 @@
|
@@ -551,22 +681,27 @@
|
||||||
|
|
||||||
fs_search_auto_mountpoints(httpd_php_t)
|
fs_search_auto_mountpoints(httpd_php_t)
|
||||||
|
|
||||||
@ -10926,7 +10974,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -584,12 +716,14 @@
|
@@ -584,12 +719,14 @@
|
||||||
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
||||||
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
||||||
|
|
||||||
@ -10942,7 +10990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
kernel_read_kernel_sysctls(httpd_suexec_t)
|
kernel_read_kernel_sysctls(httpd_suexec_t)
|
||||||
kernel_list_proc(httpd_suexec_t)
|
kernel_list_proc(httpd_suexec_t)
|
||||||
kernel_read_proc_symlinks(httpd_suexec_t)
|
kernel_read_proc_symlinks(httpd_suexec_t)
|
||||||
@@ -598,9 +732,7 @@
|
@@ -598,9 +735,7 @@
|
||||||
|
|
||||||
fs_search_auto_mountpoints(httpd_suexec_t)
|
fs_search_auto_mountpoints(httpd_suexec_t)
|
||||||
|
|
||||||
@ -10953,7 +11001,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
files_read_etc_files(httpd_suexec_t)
|
files_read_etc_files(httpd_suexec_t)
|
||||||
files_read_usr_files(httpd_suexec_t)
|
files_read_usr_files(httpd_suexec_t)
|
||||||
@@ -633,12 +765,25 @@
|
@@ -633,12 +768,25 @@
|
||||||
corenet_sendrecv_all_client_packets(httpd_suexec_t)
|
corenet_sendrecv_all_client_packets(httpd_suexec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -10982,7 +11030,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||||
@@ -647,6 +792,12 @@
|
@@ -647,6 +795,12 @@
|
||||||
fs_exec_nfs_files(httpd_suexec_t)
|
fs_exec_nfs_files(httpd_suexec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -10995,7 +11043,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||||
fs_read_cifs_files(httpd_suexec_t)
|
fs_read_cifs_files(httpd_suexec_t)
|
||||||
fs_read_cifs_symlinks(httpd_suexec_t)
|
fs_read_cifs_symlinks(httpd_suexec_t)
|
||||||
@@ -664,10 +815,6 @@
|
@@ -664,10 +818,6 @@
|
||||||
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -11006,7 +11054,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Apache system script local policy
|
# Apache system script local policy
|
||||||
@@ -677,7 +824,8 @@
|
@@ -677,7 +827,8 @@
|
||||||
|
|
||||||
dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
||||||
|
|
||||||
@ -11016,7 +11064,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
|
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
|
||||||
read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
||||||
@@ -691,12 +839,15 @@
|
@@ -691,12 +842,15 @@
|
||||||
# Should we add a boolean?
|
# Should we add a boolean?
|
||||||
apache_domtrans_rotatelogs(httpd_sys_script_t)
|
apache_domtrans_rotatelogs(httpd_sys_script_t)
|
||||||
|
|
||||||
@ -11034,7 +11082,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||||
@@ -704,6 +855,30 @@
|
@@ -704,6 +858,30 @@
|
||||||
fs_read_nfs_symlinks(httpd_sys_script_t)
|
fs_read_nfs_symlinks(httpd_sys_script_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -11065,7 +11113,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||||
fs_read_cifs_files(httpd_sys_script_t)
|
fs_read_cifs_files(httpd_sys_script_t)
|
||||||
fs_read_cifs_symlinks(httpd_sys_script_t)
|
fs_read_cifs_symlinks(httpd_sys_script_t)
|
||||||
@@ -716,10 +891,10 @@
|
@@ -716,10 +894,10 @@
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
mysql_stream_connect(httpd_sys_script_t)
|
mysql_stream_connect(httpd_sys_script_t)
|
||||||
mysql_rw_db_sockets(httpd_sys_script_t)
|
mysql_rw_db_sockets(httpd_sys_script_t)
|
||||||
@ -11080,7 +11128,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -727,6 +902,8 @@
|
@@ -727,6 +905,8 @@
|
||||||
# httpd_rotatelogs local policy
|
# httpd_rotatelogs local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -11089,7 +11137,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
|
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
|
||||||
|
|
||||||
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
|
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
|
||||||
@@ -741,3 +918,56 @@
|
@@ -741,3 +921,56 @@
|
||||||
logging_search_logs(httpd_rotatelogs_t)
|
logging_search_logs(httpd_rotatelogs_t)
|
||||||
|
|
||||||
miscfiles_read_localization(httpd_rotatelogs_t)
|
miscfiles_read_localization(httpd_rotatelogs_t)
|
||||||
@ -17120,25 +17168,47 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.5.13/policy/modules/services/nscd.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.5.13/policy/modules/services/nscd.if
|
||||||
--- nsaserefpolicy/policy/modules/services/nscd.if 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/nscd.if 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/services/nscd.if 2008-10-17 10:31:27.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/services/nscd.if 2008-10-20 16:13:12.000000000 -0400
|
||||||
@@ -20,6 +20,42 @@
|
@@ -2,7 +2,27 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
+## Send signulls to NSCD.
|
-## Send generic signals to NSCD.
|
||||||
|
+## Execute NSCD in the nscd domain.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Domain allowed access.
|
+## The type of the process performing this action.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## </param>
|
+## </param>
|
||||||
+#
|
+#
|
||||||
+interface(`nscd_signull',`
|
+interface(`nscd_domtrans',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ type nscd_t;
|
+ type nscd_t, nscd_exec_t;
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ allow $1 nscd_t:process signull;
|
+ corecmd_search_bin($1)
|
||||||
|
+ domtrans_pattern($1, nscd_exec_t, nscd_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Allow the specified domain to execute nscd
|
||||||
|
+## in the caller domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
@@ -10,37 +30,53 @@
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
-interface(`nscd_signal',`
|
||||||
|
+interface(`nscd_exec',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type nscd_exec_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ can_exec($1, nscd_exec_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -17152,18 +17222,62 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+## </param>
|
+## </param>
|
||||||
+#
|
+#
|
||||||
+interface(`nscd_sigkill',`
|
+interface(`nscd_sigkill',`
|
||||||
+ gen_require(`
|
gen_require(`
|
||||||
+ type nscd_t;
|
type nscd_t;
|
||||||
+ ')
|
')
|
||||||
+
|
|
||||||
|
- allow $1 nscd_t:process signal;
|
||||||
+ allow $1 nscd_t:process sigkill;
|
+ allow $1 nscd_t:process sigkill;
|
||||||
+')
|
')
|
||||||
+
|
|
||||||
+########################################
|
########################################
|
||||||
+## <summary>
|
## <summary>
|
||||||
## Execute NSCD in the nscd domain.
|
-## Execute NSCD in the nscd domain.
|
||||||
|
+## Send generic signals to NSCD.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
-## The type of the process performing this action.
|
||||||
|
+## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
-interface(`nscd_domtrans',`
|
||||||
|
+interface(`nscd_signal',`
|
||||||
|
gen_require(`
|
||||||
|
- type nscd_t, nscd_exec_t;
|
||||||
|
+ type nscd_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
- corecmd_search_bin($1)
|
||||||
|
- domtrans_pattern($1, nscd_exec_t, nscd_t)
|
||||||
|
+ allow $1 nscd_t:process signal;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
-## Allow the specified domain to execute nscd
|
||||||
|
-## in the caller domain.
|
||||||
|
+## Send signulls to NSCD.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
@@ -48,12 +84,12 @@
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
-interface(`nscd_exec',`
|
||||||
|
+interface(`nscd_signull',`
|
||||||
|
gen_require(`
|
||||||
|
- type nscd_exec_t;
|
||||||
|
+ type nscd_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
- can_exec($1, nscd_exec_t)
|
||||||
|
+ allow $1 nscd_t:process signull;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
@@ -70,15 +106,14 @@
|
@@ -70,15 +106,14 @@
|
||||||
interface(`nscd_socket_use',`
|
interface(`nscd_socket_use',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -18481,7 +18595,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.5.13/policy/modules/services/postfix.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.5.13/policy/modules/services/postfix.te
|
||||||
--- nsaserefpolicy/policy/modules/services/postfix.te 2008-10-16 17:21:16.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/postfix.te 2008-10-16 17:21:16.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/services/postfix.te 2008-10-17 10:31:27.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/services/postfix.te 2008-10-21 11:23:16.000000000 -0400
|
||||||
@@ -6,6 +6,14 @@
|
@@ -6,6 +6,14 @@
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
@ -22987,7 +23101,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
/etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0)
|
/etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.5.13/policy/modules/services/ssh.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.5.13/policy/modules/services/ssh.if
|
||||||
--- nsaserefpolicy/policy/modules/services/ssh.if 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/ssh.if 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/services/ssh.if 2008-10-17 10:31:27.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/services/ssh.if 2008-10-21 10:06:54.000000000 -0400
|
||||||
@@ -36,6 +36,7 @@
|
@@ -36,6 +36,7 @@
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute ssh_server;
|
attribute ssh_server;
|
||||||
@ -23008,16 +23122,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
##############################
|
##############################
|
||||||
#
|
#
|
||||||
@@ -65,7 +67,7 @@
|
@@ -65,8 +67,7 @@
|
||||||
allow $1_ssh_t self:sem create_sem_perms;
|
allow $1_ssh_t self:sem create_sem_perms;
|
||||||
allow $1_ssh_t self:msgq create_msgq_perms;
|
allow $1_ssh_t self:msgq create_msgq_perms;
|
||||||
allow $1_ssh_t self:msg { send receive };
|
allow $1_ssh_t self:msg { send receive };
|
||||||
- allow $1_ssh_t self:tcp_socket create_socket_perms;
|
- allow $1_ssh_t self:tcp_socket create_socket_perms;
|
||||||
|
- allow $1_ssh_t self:netlink_route_socket r_netlink_socket_perms;
|
||||||
+ allow $1_ssh_t self:tcp_socket create_stream_socket_perms;
|
+ allow $1_ssh_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow $1_ssh_t self:netlink_route_socket r_netlink_socket_perms;
|
|
||||||
|
|
||||||
# for rsync
|
# for rsync
|
||||||
@@ -93,20 +95,21 @@
|
allow $1_ssh_t $2:unix_stream_socket rw_socket_perms;
|
||||||
|
@@ -93,20 +94,21 @@
|
||||||
ps_process_pattern($2, $1_ssh_t)
|
ps_process_pattern($2, $1_ssh_t)
|
||||||
|
|
||||||
# user can manage the keys and config
|
# user can manage the keys and config
|
||||||
@ -23047,7 +23162,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
corenet_all_recvfrom_unlabeled($1_ssh_t)
|
corenet_all_recvfrom_unlabeled($1_ssh_t)
|
||||||
corenet_all_recvfrom_netlabel($1_ssh_t)
|
corenet_all_recvfrom_netlabel($1_ssh_t)
|
||||||
@@ -115,6 +118,8 @@
|
@@ -115,6 +117,8 @@
|
||||||
corenet_tcp_sendrecv_all_ports($1_ssh_t)
|
corenet_tcp_sendrecv_all_ports($1_ssh_t)
|
||||||
corenet_tcp_connect_ssh_port($1_ssh_t)
|
corenet_tcp_connect_ssh_port($1_ssh_t)
|
||||||
corenet_sendrecv_ssh_client_packets($1_ssh_t)
|
corenet_sendrecv_ssh_client_packets($1_ssh_t)
|
||||||
@ -23056,7 +23171,41 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
dev_read_urand($1_ssh_t)
|
dev_read_urand($1_ssh_t)
|
||||||
|
|
||||||
@@ -212,7 +217,7 @@
|
@@ -133,6 +137,8 @@
|
||||||
|
files_read_etc_files($1_ssh_t)
|
||||||
|
files_read_var_files($1_ssh_t)
|
||||||
|
|
||||||
|
+ auth_use_nsswitch($1_ssh_t)
|
||||||
|
+
|
||||||
|
libs_use_ld_so($1_ssh_t)
|
||||||
|
libs_use_shared_libs($1_ssh_t)
|
||||||
|
|
||||||
|
@@ -143,9 +149,6 @@
|
||||||
|
|
||||||
|
seutil_read_config($1_ssh_t)
|
||||||
|
|
||||||
|
- sysnet_read_config($1_ssh_t)
|
||||||
|
- sysnet_dns_name_resolve($1_ssh_t)
|
||||||
|
-
|
||||||
|
tunable_policy(`read_default_t',`
|
||||||
|
files_list_default($1_ssh_t)
|
||||||
|
files_read_default_files($1_ssh_t)
|
||||||
|
@@ -157,14 +160,6 @@
|
||||||
|
optional_policy(`
|
||||||
|
kerberos_use($1_ssh_t)
|
||||||
|
')
|
||||||
|
-
|
||||||
|
- optional_policy(`
|
||||||
|
- nis_use_ypbind($1_ssh_t)
|
||||||
|
- ')
|
||||||
|
-
|
||||||
|
- optional_policy(`
|
||||||
|
- nscd_socket_use($1_ssh_t)
|
||||||
|
- ')
|
||||||
|
')
|
||||||
|
|
||||||
|
#######################################
|
||||||
|
@@ -212,7 +207,7 @@
|
||||||
|
|
||||||
ssh_basic_client_template($1, $2, $3)
|
ssh_basic_client_template($1, $2, $3)
|
||||||
|
|
||||||
@ -23065,7 +23214,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
type $1_ssh_agent_t;
|
type $1_ssh_agent_t;
|
||||||
application_domain($1_ssh_agent_t, ssh_agent_exec_t)
|
application_domain($1_ssh_agent_t, ssh_agent_exec_t)
|
||||||
@@ -240,9 +245,9 @@
|
@@ -240,9 +235,9 @@
|
||||||
manage_sock_files_pattern($1_ssh_t, $1_ssh_tmpfs_t, $1_ssh_tmpfs_t)
|
manage_sock_files_pattern($1_ssh_t, $1_ssh_tmpfs_t, $1_ssh_tmpfs_t)
|
||||||
fs_tmpfs_filetrans($1_ssh_t, $1_ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })
|
fs_tmpfs_filetrans($1_ssh_t, $1_ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })
|
||||||
|
|
||||||
@ -23078,7 +23227,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
# Allow the ssh program to communicate with ssh-agent.
|
# Allow the ssh program to communicate with ssh-agent.
|
||||||
stream_connect_pattern($1_ssh_t, $1_ssh_agent_tmp_t, $1_ssh_agent_tmp_t, $1_ssh_agent_t)
|
stream_connect_pattern($1_ssh_t, $1_ssh_agent_tmp_t, $1_ssh_agent_tmp_t, $1_ssh_agent_t)
|
||||||
@@ -254,6 +259,8 @@
|
@@ -254,6 +249,8 @@
|
||||||
userdom_use_unpriv_users_fds($1_ssh_t)
|
userdom_use_unpriv_users_fds($1_ssh_t)
|
||||||
userdom_dontaudit_list_user_home_dirs($1,$1_ssh_t)
|
userdom_dontaudit_list_user_home_dirs($1,$1_ssh_t)
|
||||||
userdom_search_user_home_dirs($1,$1_ssh_t)
|
userdom_search_user_home_dirs($1,$1_ssh_t)
|
||||||
@ -23087,7 +23236,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# Write to the user domain tty.
|
# Write to the user domain tty.
|
||||||
userdom_use_user_terminals($1,$1_ssh_t)
|
userdom_use_user_terminals($1,$1_ssh_t)
|
||||||
# needs to read krb tgt
|
# needs to read krb tgt
|
||||||
@@ -279,24 +286,14 @@
|
@@ -279,24 +276,14 @@
|
||||||
# for port forwarding
|
# for port forwarding
|
||||||
tunable_policy(`user_tcp_server',`
|
tunable_policy(`user_tcp_server',`
|
||||||
corenet_tcp_bind_ssh_port($1_ssh_t)
|
corenet_tcp_bind_ssh_port($1_ssh_t)
|
||||||
@ -23114,7 +23263,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
##############################
|
##############################
|
||||||
#
|
#
|
||||||
# $1_ssh_agent_t local policy
|
# $1_ssh_agent_t local policy
|
||||||
@@ -381,12 +378,9 @@
|
@@ -381,12 +368,9 @@
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
xserver_use_xdm_fds($1_ssh_agent_t)
|
xserver_use_xdm_fds($1_ssh_agent_t)
|
||||||
xserver_rw_xdm_pipes($1_ssh_agent_t)
|
xserver_rw_xdm_pipes($1_ssh_agent_t)
|
||||||
@ -23128,7 +23277,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
##############################
|
##############################
|
||||||
#
|
#
|
||||||
# $1_ssh_keysign_t local policy
|
# $1_ssh_keysign_t local policy
|
||||||
@@ -413,6 +407,25 @@
|
@@ -413,6 +397,25 @@
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -23154,7 +23303,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
#######################################
|
#######################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## The template to define a ssh server.
|
## The template to define a ssh server.
|
||||||
@@ -443,13 +456,14 @@
|
@@ -443,13 +446,14 @@
|
||||||
type $1_var_run_t;
|
type $1_var_run_t;
|
||||||
files_pid_file($1_var_run_t)
|
files_pid_file($1_var_run_t)
|
||||||
|
|
||||||
@ -23170,7 +23319,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
|
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
|
||||||
term_create_pty($1_t,$1_devpts_t)
|
term_create_pty($1_t,$1_devpts_t)
|
||||||
@@ -478,7 +492,12 @@
|
@@ -478,7 +482,12 @@
|
||||||
corenet_udp_bind_all_nodes($1_t)
|
corenet_udp_bind_all_nodes($1_t)
|
||||||
corenet_tcp_bind_ssh_port($1_t)
|
corenet_tcp_bind_ssh_port($1_t)
|
||||||
corenet_tcp_connect_all_ports($1_t)
|
corenet_tcp_connect_all_ports($1_t)
|
||||||
@ -23183,7 +23332,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
fs_dontaudit_getattr_all_fs($1_t)
|
fs_dontaudit_getattr_all_fs($1_t)
|
||||||
|
|
||||||
@@ -506,9 +525,14 @@
|
@@ -506,9 +515,14 @@
|
||||||
|
|
||||||
userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t)
|
userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t)
|
||||||
userdom_search_all_users_home_dirs($1_t)
|
userdom_search_all_users_home_dirs($1_t)
|
||||||
@ -23198,7 +23347,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`use_samba_home_dirs',`
|
tunable_policy(`use_samba_home_dirs',`
|
||||||
@@ -517,11 +541,7 @@
|
@@ -517,11 +531,7 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
kerberos_use($1_t)
|
kerberos_use($1_t)
|
||||||
@ -23211,7 +23360,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -710,3 +730,22 @@
|
@@ -710,3 +720,22 @@
|
||||||
|
|
||||||
dontaudit $1 sshd_key_t:file { getattr read };
|
dontaudit $1 sshd_key_t:file { getattr read };
|
||||||
')
|
')
|
||||||
@ -23236,7 +23385,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.5.13/policy/modules/services/ssh.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.5.13/policy/modules/services/ssh.te
|
||||||
--- nsaserefpolicy/policy/modules/services/ssh.te 2008-10-14 11:58:09.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/ssh.te 2008-10-14 11:58:09.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/services/ssh.te 2008-10-17 10:31:27.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/services/ssh.te 2008-10-21 10:05:20.000000000 -0400
|
||||||
@@ -24,7 +24,7 @@
|
@@ -24,7 +24,7 @@
|
||||||
|
|
||||||
# Type for the ssh-agent executable.
|
# Type for the ssh-agent executable.
|
||||||
@ -23297,6 +23446,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
unconfined_shell_domtrans(sshd_t)
|
unconfined_shell_domtrans(sshd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@@ -176,6 +197,8 @@
|
||||||
|
init_use_fds(ssh_keygen_t)
|
||||||
|
init_use_script_ptys(ssh_keygen_t)
|
||||||
|
|
||||||
|
+auth_use_nsswitch(ssh_keygen_t)
|
||||||
|
+
|
||||||
|
libs_use_ld_so(ssh_keygen_t)
|
||||||
|
libs_use_shared_libs(ssh_keygen_t)
|
||||||
|
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.fc serefpolicy-3.5.13/policy/modules/services/stunnel.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.fc serefpolicy-3.5.13/policy/modules/services/stunnel.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/stunnel.fc 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/stunnel.fc 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/services/stunnel.fc 2008-10-17 10:31:27.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/services/stunnel.fc 2008-10-17 10:31:27.000000000 -0400
|
||||||
@ -23701,7 +23859,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.13/policy/modules/services/xserver.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.13/policy/modules/services/xserver.if
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.if 2008-10-08 19:00:27.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/xserver.if 2008-10-08 19:00:27.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/services/xserver.if 2008-10-17 17:26:09.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/services/xserver.if 2008-10-21 11:39:30.000000000 -0400
|
||||||
@@ -16,6 +16,7 @@
|
@@ -16,6 +16,7 @@
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type xkb_var_lib_t, xserver_exec_t, xserver_log_t;
|
type xkb_var_lib_t, xserver_exec_t, xserver_log_t;
|
||||||
@ -23946,7 +24104,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
##############################
|
##############################
|
||||||
#
|
#
|
||||||
@@ -441,16 +385,16 @@
|
@@ -441,16 +385,17 @@
|
||||||
|
|
||||||
domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t)
|
domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t)
|
||||||
|
|
||||||
@ -23965,10 +24123,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
- allow xdm_t $1_iceauth_home_t:file read_file_perms;
|
- allow xdm_t $1_iceauth_home_t:file read_file_perms;
|
||||||
+ xserver_use_xdm($2)
|
+ xserver_use_xdm($2)
|
||||||
|
+ xserver_rw_xdm_xserver_shm($2)
|
||||||
|
|
||||||
fs_search_auto_mountpoints($1_iceauth_t)
|
fs_search_auto_mountpoints($1_iceauth_t)
|
||||||
|
|
||||||
@@ -473,33 +417,12 @@
|
@@ -473,33 +418,12 @@
|
||||||
#
|
#
|
||||||
|
|
||||||
# Device rules
|
# Device rules
|
||||||
@ -24005,7 +24164,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
# xrdb X11:ChangeProperty prop=RESOURCE_MANAGER
|
# xrdb X11:ChangeProperty prop=RESOURCE_MANAGER
|
||||||
allow $2 info_xproperty_t:x_property { create write append };
|
allow $2 info_xproperty_t:x_property { create write append };
|
||||||
@@ -548,7 +471,7 @@
|
@@ -548,7 +472,7 @@
|
||||||
allow $2 $1_xserver_t:process signal;
|
allow $2 $1_xserver_t:process signal;
|
||||||
|
|
||||||
# Read /tmp/.X0-lock
|
# Read /tmp/.X0-lock
|
||||||
@ -24014,7 +24173,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
# Client read xserver shm
|
# Client read xserver shm
|
||||||
allow $2 $1_xserver_t:fd use;
|
allow $2 $1_xserver_t:fd use;
|
||||||
@@ -616,7 +539,7 @@
|
@@ -616,7 +540,7 @@
|
||||||
# refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
|
# refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type xdm_t, xdm_tmp_t;
|
type xdm_t, xdm_tmp_t;
|
||||||
@ -24023,7 +24182,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
allow $2 self:shm create_shm_perms;
|
allow $2 self:shm create_shm_perms;
|
||||||
@@ -624,12 +547,12 @@
|
@@ -624,12 +548,12 @@
|
||||||
allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
|
allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||||
|
|
||||||
# Read .Xauthority file
|
# Read .Xauthority file
|
||||||
@ -24039,7 +24198,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
allow $2 xdm_tmp_t:dir search;
|
allow $2 xdm_tmp_t:dir search;
|
||||||
allow $2 xdm_tmp_t:sock_file { read write };
|
allow $2 xdm_tmp_t:sock_file { read write };
|
||||||
dontaudit $2 xdm_t:tcp_socket { read write };
|
dontaudit $2 xdm_t:tcp_socket { read write };
|
||||||
@@ -649,13 +572,210 @@
|
@@ -649,13 +573,210 @@
|
||||||
|
|
||||||
xserver_read_xdm_tmp_files($2)
|
xserver_read_xdm_tmp_files($2)
|
||||||
|
|
||||||
@ -24091,7 +24250,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+ allow $3 $1_rootwindow_t:x_drawable { list_property get_property set_property };
|
+ allow $3 $1_rootwindow_t:x_drawable { list_property get_property set_property };
|
||||||
+ # X Windows
|
+ # X Windows
|
||||||
+ # operations allowed on root windows
|
+ # operations allowed on root windows
|
||||||
+ allow $3 $1_rootwindow_t:x_drawable { getattr list_child add_child remove_child send receive override destroy hide };
|
+ allow $3 $1_rootwindow_t:x_drawable { read getattr list_child add_child remove_child send receive override destroy hide };
|
||||||
+# type_transition $3 $1_rootwindow_t:x_drawable $2_t;
|
+# type_transition $3 $1_rootwindow_t:x_drawable $2_t;
|
||||||
+
|
+
|
||||||
+ allow $3 $1_xproperty_t:x_property { write read };
|
+ allow $3 $1_xproperty_t:x_property { write read };
|
||||||
@ -24254,7 +24413,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
#######################################
|
#######################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Interface to provide X object permissions on a given X server to
|
## Interface to provide X object permissions on a given X server to
|
||||||
@@ -682,7 +802,7 @@
|
@@ -682,7 +803,7 @@
|
||||||
#
|
#
|
||||||
template(`xserver_common_x_domain_template',`
|
template(`xserver_common_x_domain_template',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24263,7 +24422,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
type xproperty_t, info_xproperty_t, clipboard_xproperty_t;
|
type xproperty_t, info_xproperty_t, clipboard_xproperty_t;
|
||||||
type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t;
|
type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t;
|
||||||
type xevent_t, client_xevent_t;
|
type xevent_t, client_xevent_t;
|
||||||
@@ -691,7 +811,6 @@
|
@@ -691,7 +812,6 @@
|
||||||
attribute x_server_domain, x_domain;
|
attribute x_server_domain, x_domain;
|
||||||
attribute xproperty_type;
|
attribute xproperty_type;
|
||||||
attribute xevent_type, xextension_type;
|
attribute xevent_type, xextension_type;
|
||||||
@ -24271,7 +24430,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
class x_drawable all_x_drawable_perms;
|
class x_drawable all_x_drawable_perms;
|
||||||
class x_screen all_x_screen_perms;
|
class x_screen all_x_screen_perms;
|
||||||
@@ -708,6 +827,7 @@
|
@@ -708,6 +828,7 @@
|
||||||
class x_resource all_x_resource_perms;
|
class x_resource all_x_resource_perms;
|
||||||
class x_event all_x_event_perms;
|
class x_event all_x_event_perms;
|
||||||
class x_synthetic_event all_x_synthetic_event_perms;
|
class x_synthetic_event all_x_synthetic_event_perms;
|
||||||
@ -24279,7 +24438,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
##############################
|
##############################
|
||||||
@@ -715,20 +835,22 @@
|
@@ -715,20 +836,22 @@
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -24305,7 +24464,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
##############################
|
##############################
|
||||||
#
|
#
|
||||||
# Local Policy
|
# Local Policy
|
||||||
@@ -746,7 +868,7 @@
|
@@ -746,7 +869,7 @@
|
||||||
allow $3 x_server_domain:x_server getattr;
|
allow $3 x_server_domain:x_server getattr;
|
||||||
# everyone can do override-redirect windows.
|
# everyone can do override-redirect windows.
|
||||||
# this could be used to spoof labels
|
# this could be used to spoof labels
|
||||||
@ -24314,7 +24473,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# everyone can receive management events on the root window
|
# everyone can receive management events on the root window
|
||||||
# allows to know when new windows appear, among other things
|
# allows to know when new windows appear, among other things
|
||||||
allow $3 manage_xevent_t:x_event receive;
|
allow $3 manage_xevent_t:x_event receive;
|
||||||
@@ -755,36 +877,30 @@
|
@@ -755,36 +878,30 @@
|
||||||
# can read server-owned resources
|
# can read server-owned resources
|
||||||
allow $3 x_server_domain:x_resource read;
|
allow $3 x_server_domain:x_resource read;
|
||||||
# can mess with own clients
|
# can mess with own clients
|
||||||
@ -24361,7 +24520,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
# X Input
|
# X Input
|
||||||
# can receive own events
|
# can receive own events
|
||||||
@@ -811,6 +927,12 @@
|
@@ -811,6 +928,12 @@
|
||||||
allow $3 manage_xevent_t:x_synthetic_event send;
|
allow $3 manage_xevent_t:x_synthetic_event send;
|
||||||
allow $3 client_xevent_t:x_synthetic_event send;
|
allow $3 client_xevent_t:x_synthetic_event send;
|
||||||
|
|
||||||
@ -24374,7 +24533,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# X Selections
|
# X Selections
|
||||||
# can use the clipboard
|
# can use the clipboard
|
||||||
allow $3 clipboard_xselection_t:x_selection { getattr setattr read };
|
allow $3 clipboard_xselection_t:x_selection { getattr setattr read };
|
||||||
@@ -819,13 +941,15 @@
|
@@ -819,13 +942,15 @@
|
||||||
|
|
||||||
# Other X Objects
|
# Other X Objects
|
||||||
# can create and use cursors
|
# can create and use cursors
|
||||||
@ -24394,7 +24553,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
tunable_policy(`! xserver_object_manager',`
|
tunable_policy(`! xserver_object_manager',`
|
||||||
# should be xserver_unconfined($3),
|
# should be xserver_unconfined($3),
|
||||||
@@ -885,24 +1009,17 @@
|
@@ -885,24 +1010,17 @@
|
||||||
#
|
#
|
||||||
template(`xserver_user_x_domain_template',`
|
template(`xserver_user_x_domain_template',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24426,7 +24585,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
# Allow connections to X server.
|
# Allow connections to X server.
|
||||||
files_search_tmp($3)
|
files_search_tmp($3)
|
||||||
@@ -917,16 +1034,16 @@
|
@@ -917,16 +1035,16 @@
|
||||||
xserver_rw_session_template($1, $3, $4)
|
xserver_rw_session_template($1, $3, $4)
|
||||||
xserver_use_user_fonts($1, $3)
|
xserver_use_user_fonts($1, $3)
|
||||||
|
|
||||||
@ -24450,7 +24609,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -958,26 +1075,43 @@
|
@@ -958,26 +1076,43 @@
|
||||||
#
|
#
|
||||||
template(`xserver_use_user_fonts',`
|
template(`xserver_use_user_fonts',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24501,7 +24660,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Transition to a user Xauthority domain.
|
## Transition to a user Xauthority domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <desc>
|
## <desc>
|
||||||
@@ -1003,10 +1137,77 @@
|
@@ -1003,10 +1138,77 @@
|
||||||
#
|
#
|
||||||
template(`xserver_domtrans_user_xauth',`
|
template(`xserver_domtrans_user_xauth',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24581,7 +24740,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1036,10 +1237,10 @@
|
@@ -1036,10 +1238,10 @@
|
||||||
#
|
#
|
||||||
template(`xserver_user_home_dir_filetrans_user_xauth',`
|
template(`xserver_user_home_dir_filetrans_user_xauth',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24594,7 +24753,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1180,7 +1381,7 @@
|
@@ -1180,7 +1382,7 @@
|
||||||
type xdm_t;
|
type xdm_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -24603,7 +24762,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1225,6 +1426,25 @@
|
@@ -1225,6 +1427,25 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -24629,7 +24788,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Read xdm-writable configuration files.
|
## Read xdm-writable configuration files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -1239,7 +1459,7 @@
|
@@ -1239,7 +1460,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
files_search_etc($1)
|
files_search_etc($1)
|
||||||
@ -24638,7 +24797,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1279,6 +1499,7 @@
|
@@ -1279,6 +1500,7 @@
|
||||||
files_search_tmp($1)
|
files_search_tmp($1)
|
||||||
allow $1 xdm_tmp_t:dir list_dir_perms;
|
allow $1 xdm_tmp_t:dir list_dir_perms;
|
||||||
create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
|
create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
|
||||||
@ -24646,7 +24805,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1297,7 +1518,7 @@
|
@@ -1297,7 +1519,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
files_search_pids($1)
|
files_search_pids($1)
|
||||||
@ -24655,7 +24814,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1315,7 +1536,25 @@
|
@@ -1315,7 +1537,25 @@
|
||||||
type xdm_var_lib_t;
|
type xdm_var_lib_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -24682,7 +24841,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1330,15 +1569,47 @@
|
@@ -1330,15 +1570,47 @@
|
||||||
#
|
#
|
||||||
interface(`xserver_domtrans_xdm_xserver',`
|
interface(`xserver_domtrans_xdm_xserver',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24731,7 +24890,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Make an X session script an entrypoint for the specified domain.
|
## Make an X session script an entrypoint for the specified domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -1488,7 +1759,7 @@
|
@@ -1488,7 +1760,7 @@
|
||||||
type xdm_xserver_tmp_t;
|
type xdm_xserver_tmp_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -24740,7 +24899,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1680,6 +1951,26 @@
|
@@ -1680,6 +1952,26 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -24767,7 +24926,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## xdm xserver RW shared memory socket.
|
## xdm xserver RW shared memory socket.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -1698,6 +1989,24 @@
|
@@ -1698,6 +1990,24 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -24792,7 +24951,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Interface to provide X object permissions on a given X server to
|
## Interface to provide X object permissions on a given X server to
|
||||||
## an X client domain. Gives the domain complete control over the
|
## an X client domain. Gives the domain complete control over the
|
||||||
## display.
|
## display.
|
||||||
@@ -1710,8 +2019,157 @@
|
@@ -1710,8 +2020,157 @@
|
||||||
#
|
#
|
||||||
interface(`xserver_unconfined',`
|
interface(`xserver_unconfined',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
|
@ -20,7 +20,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.5.13
|
Version: 3.5.13
|
||||||
Release: 2%{?dist}
|
Release: 3%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -312,6 +312,7 @@ Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
|
|||||||
Requires(pre): coreutils
|
Requires(pre): coreutils
|
||||||
Requires(pre): selinux-policy = %{version}-%{release}
|
Requires(pre): selinux-policy = %{version}-%{release}
|
||||||
Conflicts: audispd-plugins <= 1.7.7-1
|
Conflicts: audispd-plugins <= 1.7.7-1
|
||||||
|
Obsoletes: mod_fcgid-selinux
|
||||||
|
|
||||||
%description targeted
|
%description targeted
|
||||||
SELinux Reference policy targeted base module.
|
SELinux Reference policy targeted base module.
|
||||||
@ -461,6 +462,9 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Oct 21 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-3
|
||||||
|
- Remove mod_fcgid-selinux package
|
||||||
|
|
||||||
* Mon Oct 20 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-2
|
* Mon Oct 20 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-2
|
||||||
- Fix dovecot access
|
- Fix dovecot access
|
||||||
|
|
||||||
|
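Review bot: The new `Obsoletes: mod_fcgid-selinux` is unversioned, so it obsoletes every build of that package name, including any future one that might be reintroduced; the conventional form is `Obsoletes: mod_fcgid-selinux < <LAST-SHIPPED-EVR-PLACEHOLDER>` so the takeover is bounded to the builds actually being replaced. The line sits in the targeted subpackage only (it precedes `%description targeted`), which is presumably intended, but worth confirming against whichever policy variant previously shipped the fcgid module. The changelog bullet `- Remove mod_fcgid-selinux package` also understates the commit, which additionally reworks the refpolicy patch in the same change (the nscd signal/signull interfaces, `auth_use_nsswitch` in ssh.if and ssh.te, the `read` permission added to the root-window x_drawable rule in xserver.if); a second bullet naming those policy changes would help anyone auditing the policy delta later.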