- Allow ypbind apps to net_bind_service
parent
75edec44e7
commit
258b00e5b7
|
@ -17880,7 +17880,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
||||||
## </summary>
|
## </summary>
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.4.2/policy/modules/services/mta.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.4.2/policy/modules/services/mta.te
|
||||||
--- nsaserefpolicy/policy/modules/services/mta.te 2008-06-12 23:25:05.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/mta.te 2008-06-12 23:25:05.000000000 -0400
|
||||||
+++ serefpolicy-3.4.2/policy/modules/services/mta.te 2008-07-02 09:54:22.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/services/mta.te 2008-07-03 14:44:29.000000000 -0400
|
||||||
@@ -6,6 +6,8 @@
|
@@ -6,6 +6,8 @@
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
@ -17982,7 +17982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
||||||
logrotate_read_tmp_files(system_mail_t)
|
logrotate_read_tmp_files(system_mail_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -136,11 +176,38 @@
|
@@ -136,11 +176,40 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -18003,9 +18003,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
||||||
')
|
')
|
||||||
|
|
||||||
-# should break this up among sections:
|
-# should break this up among sections:
|
||||||
|
+read_files_pattern(mailserver_delivery, system_mail_tmp_t, , system_mail_tmp_t)
|
||||||
|
|
||||||
+init_stream_connect_script(mailserver_delivery)
|
+init_stream_connect_script(mailserver_delivery)
|
||||||
+init_rw_script_stream_sockets(mailserver_delivery)
|
+init_rw_script_stream_sockets(mailserver_delivery)
|
||||||
|
+
|
||||||
+tunable_policy(`use_samba_home_dirs',`
|
+tunable_policy(`use_samba_home_dirs',`
|
||||||
+ fs_manage_cifs_dirs(mailserver_delivery)
|
+ fs_manage_cifs_dirs(mailserver_delivery)
|
||||||
+ fs_manage_cifs_files(mailserver_delivery)
|
+ fs_manage_cifs_files(mailserver_delivery)
|
||||||
|
@ -18022,7 +18024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
# why is mail delivered to a directory of type arpwatch_data_t?
|
# why is mail delivered to a directory of type arpwatch_data_t?
|
||||||
arpwatch_search_data(mailserver_delivery)
|
arpwatch_search_data(mailserver_delivery)
|
||||||
@@ -154,3 +221,5 @@
|
@@ -154,3 +223,5 @@
|
||||||
cron_read_system_job_tmp_files(mta_user_agent)
|
cron_read_system_job_tmp_files(mta_user_agent)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
@ -18888,7 +18890,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
|
||||||
+/etc/rc.d/init.d/ypxfrd -- gen_context(system_u:object_r:nis_script_exec_t,s0)
|
+/etc/rc.d/init.d/ypxfrd -- gen_context(system_u:object_r:nis_script_exec_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.4.2/policy/modules/services/nis.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.4.2/policy/modules/services/nis.if
|
||||||
--- nsaserefpolicy/policy/modules/services/nis.if 2008-06-12 23:25:05.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/nis.if 2008-06-12 23:25:05.000000000 -0400
|
||||||
+++ serefpolicy-3.4.2/policy/modules/services/nis.if 2008-07-02 08:47:04.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/services/nis.if 2008-07-03 12:19:00.000000000 -0400
|
||||||
|
@@ -28,7 +28,7 @@
|
||||||
|
type var_yp_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
- dontaudit $1 self:capability net_bind_service;
|
||||||
|
+ allow $1 self:capability net_bind_service;
|
||||||
|
|
||||||
|
allow $1 self:tcp_socket create_stream_socket_perms;
|
||||||
|
allow $1 self:udp_socket create_socket_perms;
|
||||||
@@ -49,8 +49,8 @@
|
@@ -49,8 +49,8 @@
|
||||||
corenet_udp_bind_all_nodes($1)
|
corenet_udp_bind_all_nodes($1)
|
||||||
corenet_tcp_bind_generic_port($1)
|
corenet_tcp_bind_generic_port($1)
|
||||||
|
@ -22794,12 +22805,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd
|
||||||
')
|
')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.fc serefpolicy-3.4.2/policy/modules/services/rsync.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.fc serefpolicy-3.4.2/policy/modules/services/rsync.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/rsync.fc 2008-06-12 23:25:05.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/rsync.fc 2008-06-12 23:25:05.000000000 -0400
|
||||||
+++ serefpolicy-3.4.2/policy/modules/services/rsync.fc 2008-07-02 08:47:04.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/services/rsync.fc 2008-07-03 14:07:31.000000000 -0400
|
||||||
@@ -1,2 +1,4 @@
|
@@ -1,2 +1,6 @@
|
||||||
|
|
||||||
/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)
|
/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)
|
||||||
+
|
+
|
||||||
+/var/log/rsync.log -- gen_context(system_u:object_r:rsync_log_t,s0)
|
+/var/log/rsync\.log -- gen_context(system_u:object_r:rsync_log_t,s0)
|
||||||
|
+
|
||||||
|
+/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_log_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.4.2/policy/modules/services/rsync.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.4.2/policy/modules/services/rsync.te
|
||||||
--- nsaserefpolicy/policy/modules/services/rsync.te 2008-06-12 23:25:05.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/rsync.te 2008-06-12 23:25:05.000000000 -0400
|
||||||
+++ serefpolicy-3.4.2/policy/modules/services/rsync.te 2008-07-02 08:47:04.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/services/rsync.te 2008-07-02 08:47:04.000000000 -0400
|
||||||
|
@ -30007,7 +30020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
||||||
')
|
')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.4.2/policy/modules/system/logging.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.4.2/policy/modules/system/logging.te
|
||||||
--- nsaserefpolicy/policy/modules/system/logging.te 2008-06-12 23:25:07.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/logging.te 2008-06-12 23:25:07.000000000 -0400
|
||||||
+++ serefpolicy-3.4.2/policy/modules/system/logging.te 2008-07-02 08:47:05.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/system/logging.te 2008-07-03 12:27:05.000000000 -0400
|
||||||
@@ -61,10 +61,29 @@
|
@@ -61,10 +61,29 @@
|
||||||
logging_log_file(var_log_t)
|
logging_log_file(var_log_t)
|
||||||
files_mountpoint(var_log_t)
|
files_mountpoint(var_log_t)
|
||||||
|
@ -30644,7 +30657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
|
||||||
samba_run_smbmount($1, $2, $3)
|
samba_run_smbmount($1, $2, $3)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.4.2/policy/modules/system/mount.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.4.2/policy/modules/system/mount.te
|
||||||
--- nsaserefpolicy/policy/modules/system/mount.te 2008-06-12 23:25:07.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/mount.te 2008-06-12 23:25:07.000000000 -0400
|
||||||
+++ serefpolicy-3.4.2/policy/modules/system/mount.te 2008-07-02 08:47:05.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/system/mount.te 2008-07-03 15:34:48.000000000 -0400
|
||||||
@@ -18,17 +18,18 @@
|
@@ -18,17 +18,18 @@
|
||||||
init_system_domain(mount_t,mount_exec_t)
|
init_system_domain(mount_t,mount_exec_t)
|
||||||
role system_r types mount_t;
|
role system_r types mount_t;
|
||||||
|
@ -30699,26 +30712,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
|
||||||
dev_rw_lvm_control(mount_t)
|
dev_rw_lvm_control(mount_t)
|
||||||
dev_dontaudit_getattr_all_chr_files(mount_t)
|
dev_dontaudit_getattr_all_chr_files(mount_t)
|
||||||
dev_dontaudit_getattr_memory_dev(mount_t)
|
dev_dontaudit_getattr_memory_dev(mount_t)
|
||||||
@@ -62,6 +68,7 @@
|
@@ -62,16 +68,18 @@
|
||||||
storage_raw_write_fixed_disk(mount_t)
|
storage_raw_write_fixed_disk(mount_t)
|
||||||
storage_raw_read_removable_device(mount_t)
|
storage_raw_read_removable_device(mount_t)
|
||||||
storage_raw_write_removable_device(mount_t)
|
storage_raw_write_removable_device(mount_t)
|
||||||
+storage_rw_fuse(mount_t)
|
+storage_rw_fuse(mount_t)
|
||||||
|
|
||||||
fs_getattr_xattr_fs(mount_t)
|
-fs_getattr_xattr_fs(mount_t)
|
||||||
fs_getattr_cifs(mount_t)
|
-fs_getattr_cifs(mount_t)
|
||||||
@@ -71,7 +78,10 @@
|
+fs_list_all(mount_t)
|
||||||
|
+fs_getattr_all_fs(mount_t)
|
||||||
|
fs_mount_all_fs(mount_t)
|
||||||
|
fs_unmount_all_fs(mount_t)
|
||||||
|
fs_remount_all_fs(mount_t)
|
||||||
fs_relabelfrom_all_fs(mount_t)
|
fs_relabelfrom_all_fs(mount_t)
|
||||||
fs_list_auto_mountpoints(mount_t)
|
-fs_list_auto_mountpoints(mount_t)
|
||||||
fs_rw_tmpfs_chr_files(mount_t)
|
fs_rw_tmpfs_chr_files(mount_t)
|
||||||
+fs_manage_tmpfs_dirs(mount_t)
|
+fs_manage_tmpfs_dirs(mount_t)
|
||||||
fs_read_tmpfs_symlinks(mount_t)
|
fs_read_tmpfs_symlinks(mount_t)
|
||||||
+fs_search_fusefs_dirs(mount_t)
|
|
||||||
+fs_manage_nfs_dirs(mount_t)
|
+fs_manage_nfs_dirs(mount_t)
|
||||||
|
|
||||||
term_use_all_terms(mount_t)
|
term_use_all_terms(mount_t)
|
||||||
|
|
||||||
@@ -79,6 +89,7 @@
|
@@ -79,6 +87,7 @@
|
||||||
corecmd_exec_bin(mount_t)
|
corecmd_exec_bin(mount_t)
|
||||||
|
|
||||||
domain_use_interactive_fds(mount_t)
|
domain_use_interactive_fds(mount_t)
|
||||||
|
@ -30726,7 +30742,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
|
||||||
|
|
||||||
files_search_all(mount_t)
|
files_search_all(mount_t)
|
||||||
files_read_etc_files(mount_t)
|
files_read_etc_files(mount_t)
|
||||||
@@ -100,6 +111,8 @@
|
@@ -100,6 +109,8 @@
|
||||||
init_use_fds(mount_t)
|
init_use_fds(mount_t)
|
||||||
init_use_script_ptys(mount_t)
|
init_use_script_ptys(mount_t)
|
||||||
init_dontaudit_getattr_initctl(mount_t)
|
init_dontaudit_getattr_initctl(mount_t)
|
||||||
|
@ -30735,7 +30751,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
|
||||||
|
|
||||||
auth_use_nsswitch(mount_t)
|
auth_use_nsswitch(mount_t)
|
||||||
|
|
||||||
@@ -119,6 +132,8 @@
|
@@ -119,6 +130,8 @@
|
||||||
seutil_read_config(mount_t)
|
seutil_read_config(mount_t)
|
||||||
|
|
||||||
userdom_use_all_users_fds(mount_t)
|
userdom_use_all_users_fds(mount_t)
|
||||||
|
@ -30744,7 +30760,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
|
||||||
|
|
||||||
ifdef(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -167,6 +182,8 @@
|
@@ -167,6 +180,8 @@
|
||||||
fs_search_rpc(mount_t)
|
fs_search_rpc(mount_t)
|
||||||
|
|
||||||
rpc_stub(mount_t)
|
rpc_stub(mount_t)
|
||||||
|
@ -30753,7 +30769,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -181,6 +198,11 @@
|
@@ -181,6 +196,11 @@
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -30765,7 +30781,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
|
||||||
# for kernel package installation
|
# for kernel package installation
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
rpm_rw_pipes(mount_t)
|
rpm_rw_pipes(mount_t)
|
||||||
@@ -188,6 +210,7 @@
|
@@ -188,6 +208,7 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
samba_domtrans_smbmount(mount_t)
|
samba_domtrans_smbmount(mount_t)
|
||||||
|
@ -30773,7 +30789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -198,4 +221,26 @@
|
@@ -198,4 +219,26 @@
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
|
files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
|
||||||
unconfined_domain(unconfined_mount_t)
|
unconfined_domain(unconfined_mount_t)
|
||||||
|
|
|
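Review bot: Replacing `dontaudit $1 self:capability net_bind_service;` with `allow $1 self:capability net_bind_service;` in the nis.if hunk hands CAP_NET_BIND_SERVICE to every domain that calls this interface, not just ypbind itself, and since the `interface(` line and its name lie outside the hunk the set of affected callers cannot be confirmed from here. If the motivation is that NIS/RPC clients must bind a reserved source port (the neighbouring `corenet_udp_bind_all_nodes($1)` and `corenet_tcp_bind_generic_port($1)` lines suggest this), a comment above the allow such as `# NIS clients bind reserved ports for RPC, so every caller of this interface needs net_bind_service` would record why a capability is granted through a shared interface. Separately, the added mta.te line `read_files_pattern(mailserver_delivery, system_mail_tmp_t, , system_mail_tmp_t)` has an empty third argument that looks like a stray comma; `read_files_pattern` takes three arguments, so `read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)` is presumably what was intended. The rsync.fc hunk also labels `/var/run/rsyncd\.lock` as `rsync_log_t`; a lock file under /var/run would normally carry a runtime or lock type rather than a log type, so that label is worth double-checking before it inherits whatever log-file permissions are granted elsewhere.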
@ -17,7 +17,7 @@
|
||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.4.2
|
Version: 3.4.2
|
||||||
Release: 10%{?dist}
|
Release: 11%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
|
@ -375,6 +375,9 @@ exit 0
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Jul 3 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-11
|
||||||
|
- Allow ypbind apps to net_bind_service
|
||||||
|
|
||||||
* Wed Jul 2 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-10
|
* Wed Jul 2 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-10
|
||||||
- Allow all system domains and application domains to append to any log file
|
- Allow all system domains and application domains to append to any log file
|
||||||
|
|
||||||
|
|