- Turn off direct transition
This commit is contained in:
Daniel J Walsh
parent
c7e443c95c
commit
23716eb29c
@ -12734,7 +12734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
|
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.7/policy/modules/system/userdomain.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.7/policy/modules/system/userdomain.if
|
||||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400
|
||||||
+++ serefpolicy-3.0.7/policy/modules/system/userdomain.if 2007-09-06 15:43:06.000000000 -0400
|
+++ serefpolicy-3.0.7/policy/modules/system/userdomain.if 2007-09-07 15:05:57.000000000 -0400
|
||||||
@@ -45,7 +45,7 @@
|
@@ -45,7 +45,7 @@
|
||||||
type $1_tty_device_t;
|
type $1_tty_device_t;
|
||||||
term_user_tty($1_t,$1_tty_device_t)
|
term_user_tty($1_t,$1_tty_device_t)
|
||||||
@ -13106,7 +13106,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
samba_stream_connect_winbind($1_t)
|
samba_stream_connect_winbind($1_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -954,21 +881,162 @@
|
@@ -954,21 +881,163 @@
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -13166,6 +13166,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
+ dontaudit $1_t self:capability { sys_nice fsetid };
|
+ dontaudit $1_t self:capability { sys_nice fsetid };
|
||||||
+
|
+
|
||||||
+ allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
|
+ allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
|
||||||
|
+ dontaudit $1_t self:process setrlimit;
|
||||||
+ dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
|
+ dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
|
||||||
+
|
+
|
||||||
+ allow $1_t self:context contains;
|
+ allow $1_t self:context contains;
|
||||||
@ -13275,7 +13276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
domain_interactive_fd($1_t)
|
domain_interactive_fd($1_t)
|
||||||
|
|
||||||
typeattribute $1_devpts_t user_ptynode;
|
typeattribute $1_devpts_t user_ptynode;
|
||||||
@@ -977,23 +1045,51 @@
|
@@ -977,23 +1046,51 @@
|
||||||
typeattribute $1_tmp_t user_tmpfile;
|
typeattribute $1_tmp_t user_tmpfile;
|
||||||
typeattribute $1_tty_device_t user_ttynode;
|
typeattribute $1_tty_device_t user_ttynode;
|
||||||
|
|
||||||
@ -13338,7 +13339,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
|
|
||||||
# port access is audited even if dac would not have allowed it, so dontaudit it here
|
# port access is audited even if dac would not have allowed it, so dontaudit it here
|
||||||
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
|
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
|
||||||
@@ -1029,15 +1125,7 @@
|
@@ -1029,15 +1126,7 @@
|
||||||
# and may change other protocols
|
# and may change other protocols
|
||||||
tunable_policy(`user_tcp_server',`
|
tunable_policy(`user_tcp_server',`
|
||||||
corenet_tcp_bind_all_nodes($1_t)
|
corenet_tcp_bind_all_nodes($1_t)
|
||||||
@ -13355,7 +13356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -1054,17 +1142,6 @@
|
@@ -1054,17 +1143,6 @@
|
||||||
setroubleshoot_stream_connect($1_t)
|
setroubleshoot_stream_connect($1_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -13373,7 +13374,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@@ -1102,6 +1179,8 @@
|
@@ -1102,6 +1180,8 @@
|
||||||
class passwd { passwd chfn chsh rootok crontab };
|
class passwd { passwd chfn chsh rootok crontab };
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -13382,7 +13383,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
##############################
|
##############################
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
@@ -1127,7 +1206,7 @@
|
@@ -1127,7 +1207,7 @@
|
||||||
# $1_t local policy
|
# $1_t local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -13391,7 +13392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
allow $1_t self:process { setexec setfscreate };
|
allow $1_t self:process { setexec setfscreate };
|
||||||
|
|
||||||
# Set password information for other users.
|
# Set password information for other users.
|
||||||
@@ -1139,7 +1218,11 @@
|
@@ -1139,7 +1219,11 @@
|
||||||
# Manipulate other users crontab.
|
# Manipulate other users crontab.
|
||||||
allow $1_t self:passwd crontab;
|
allow $1_t self:passwd crontab;
|
||||||
|
|
||||||
@ -13404,7 +13405,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
|
|
||||||
kernel_read_software_raid_state($1_t)
|
kernel_read_software_raid_state($1_t)
|
||||||
kernel_getattr_core_if($1_t)
|
kernel_getattr_core_if($1_t)
|
||||||
@@ -1856,17 +1939,53 @@
|
@@ -1856,17 +1940,53 @@
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -13462,7 +13463,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
## in a user home subdirectory.
|
## in a user home subdirectory.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <desc>
|
## <desc>
|
||||||
@@ -1891,13 +2010,12 @@
|
@@ -1891,13 +2011,12 @@
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -13479,7 +13480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -3078,7 +3196,7 @@
|
@@ -3078,7 +3197,7 @@
|
||||||
#
|
#
|
||||||
template(`userdom_tmp_filetrans_user_tmp',`
|
template(`userdom_tmp_filetrans_user_tmp',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -13488,7 +13489,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
files_tmp_filetrans($2,$1_tmp_t,$3)
|
files_tmp_filetrans($2,$1_tmp_t,$3)
|
||||||
@@ -4615,6 +4733,24 @@
|
@@ -4615,6 +4734,24 @@
|
||||||
files_list_home($1)
|
files_list_home($1)
|
||||||
allow $1 home_dir_type:dir search_dir_perms;
|
allow $1 home_dir_type:dir search_dir_perms;
|
||||||
')
|
')
|
||||||
@ -13513,7 +13514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -5323,7 +5459,7 @@
|
@@ -5323,7 +5460,7 @@
|
||||||
attribute user_tmpfile;
|
attribute user_tmpfile;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -13522,7 +13523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -5559,3 +5695,299 @@
|
@@ -5559,3 +5696,299 @@
|
||||||
interface(`userdom_unconfined',`
|
interface(`userdom_unconfined',`
|
||||||
refpolicywarn(`$0($*) has been deprecated.')
|
refpolicywarn(`$0($*) has been deprecated.')
|
||||||
')
|
')
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user