- Allow amanda to read tape
- Allow prewikka cgi to use syslog, allow audisp_t to signal cgi - Add support for netware file systems
This commit is contained in:
parent
0ec686ba42
commit
273a44c689
@ -284,7 +284,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.
|
||||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-3.4.2/policy/modules/admin/amanda.te
|
||||
--- nsaserefpolicy/policy/modules/admin/amanda.te 2008-06-12 23:25:08.000000000 -0400
|
||||
+++ serefpolicy-3.4.2/policy/modules/admin/amanda.te 2008-07-02 08:47:04.000000000 -0400
|
||||
+++ serefpolicy-3.4.2/policy/modules/admin/amanda.te 2008-07-07 11:14:20.000000000 -0400
|
||||
@@ -82,8 +82,9 @@
|
||||
allow amanda_t amanda_config_t:file { getattr read };
|
||||
|
||||
@ -297,7 +297,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.
|
||||
|
||||
# access to amanda_dumpdates_t
|
||||
allow amanda_t amanda_dumpdates_t:file { getattr lock read write };
|
||||
@@ -220,6 +221,7 @@
|
||||
@@ -146,6 +147,8 @@
|
||||
fs_list_all(amanda_t)
|
||||
|
||||
storage_raw_read_fixed_disk(amanda_t)
|
||||
+storage_read_tape(amanda_t)
|
||||
+storage_write_tape(amanda_t)
|
||||
|
||||
# Added for targeted policy
|
||||
term_use_unallocated_ttys(amanda_t)
|
||||
@@ -220,6 +223,7 @@
|
||||
auth_use_nsswitch(amanda_recover_t)
|
||||
|
||||
fstools_domtrans(amanda_t)
|
||||
@ -1460,7 +1469,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
|
||||
#######################################
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.4.2/policy/modules/admin/sudo.if
|
||||
--- nsaserefpolicy/policy/modules/admin/sudo.if 2008-06-12 23:25:08.000000000 -0400
|
||||
+++ serefpolicy-3.4.2/policy/modules/admin/sudo.if 2008-07-02 08:47:04.000000000 -0400
|
||||
+++ serefpolicy-3.4.2/policy/modules/admin/sudo.if 2008-07-07 11:49:07.000000000 -0400
|
||||
@@ -55,7 +55,7 @@
|
||||
#
|
||||
|
||||
@ -1510,7 +1519,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if
|
||||
|
||||
domain_use_interactive_fds($1_sudo_t)
|
||||
domain_sigchld_interactive_fds($1_sudo_t)
|
||||
@@ -106,32 +108,49 @@
|
||||
@@ -106,32 +108,50 @@
|
||||
files_getattr_usr_files($1_sudo_t)
|
||||
# for some PAM modules and for cwd
|
||||
files_dontaudit_search_home($1_sudo_t)
|
||||
@ -1549,6 +1558,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if
|
||||
# for some PAM modules and for cwd
|
||||
+ sysadm_search_home_content_dirs($1_sudo_t)
|
||||
userdom_dontaudit_search_all_users_home_content($1_sudo_t)
|
||||
+ userdom_manage_all_users_keys($1_sudo_t)
|
||||
|
||||
- ifdef(`TODO',`
|
||||
- # for when the network connection is killed
|
||||
@ -7375,7 +7385,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.4.2/policy/modules/kernel/filesystem.te
|
||||
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2008-06-12 23:25:02.000000000 -0400
|
||||
+++ serefpolicy-3.4.2/policy/modules/kernel/filesystem.te 2008-07-02 08:47:04.000000000 -0400
|
||||
+++ serefpolicy-3.4.2/policy/modules/kernel/filesystem.te 2008-07-07 12:19:45.000000000 -0400
|
||||
@@ -21,7 +21,6 @@
|
||||
|
||||
# Use xattrs for the following filesystem types.
|
||||
@ -7396,6 +7406,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
|
||||
type eventpollfs_t;
|
||||
fs_type(eventpollfs_t)
|
||||
# change to task SID 20060628
|
||||
@@ -241,6 +245,7 @@
|
||||
genfscon lustre / gen_context(system_u:object_r:nfs_t,s0)
|
||||
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||
+genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||
|
||||
########################################
|
||||
#
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.4.2/policy/modules/kernel/kernel.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2008-06-12 23:25:03.000000000 -0400
|
||||
+++ serefpolicy-3.4.2/policy/modules/kernel/kernel.if 2008-07-02 08:47:04.000000000 -0400
|
||||
@ -21376,7 +21394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
|
||||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.4.2/policy/modules/services/prelude.te
|
||||
--- nsaserefpolicy/policy/modules/services/prelude.te 2008-06-12 23:25:06.000000000 -0400
|
||||
+++ serefpolicy-3.4.2/policy/modules/services/prelude.te 2008-07-02 08:47:04.000000000 -0400
|
||||
+++ serefpolicy-3.4.2/policy/modules/services/prelude.te 2008-07-07 11:27:54.000000000 -0400
|
||||
@@ -19,12 +19,31 @@
|
||||
type prelude_var_lib_t;
|
||||
files_type(prelude_var_lib_t)
|
||||
@ -21520,12 +21538,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
|
||||
########################################
|
||||
#
|
||||
# prewikka_cgi Declarations
|
||||
@@ -135,6 +234,10 @@
|
||||
@@ -135,6 +234,12 @@
|
||||
apache_content_template(prewikka)
|
||||
files_read_etc_files(httpd_prewikka_script_t)
|
||||
|
||||
+ auth_use_nsswitch(httpd_prewikka_script_t)
|
||||
+
|
||||
+ logging_send_syslog_msg(httpd_prewikka_script_t)
|
||||
+
|
||||
+ can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t)
|
||||
+
|
||||
optional_policy(`
|
||||
@ -28282,7 +28302,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
||||
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.4.2/policy/modules/system/authlogin.if
|
||||
--- nsaserefpolicy/policy/modules/system/authlogin.if 2008-06-12 23:25:07.000000000 -0400
|
||||
+++ serefpolicy-3.4.2/policy/modules/system/authlogin.if 2008-07-02 08:47:05.000000000 -0400
|
||||
+++ serefpolicy-3.4.2/policy/modules/system/authlogin.if 2008-07-07 11:48:48.000000000 -0400
|
||||
@@ -56,10 +56,6 @@
|
||||
miscfiles_read_localization($1_chkpwd_t)
|
||||
|
||||
@ -29779,7 +29799,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
||||
+/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.4.2/policy/modules/system/logging.if
|
||||
--- nsaserefpolicy/policy/modules/system/logging.if 2008-06-12 23:25:07.000000000 -0400
|
||||
+++ serefpolicy-3.4.2/policy/modules/system/logging.if 2008-07-02 08:55:06.000000000 -0400
|
||||
+++ serefpolicy-3.4.2/policy/modules/system/logging.if 2008-07-07 11:43:15.000000000 -0400
|
||||
@@ -213,12 +213,7 @@
|
||||
## </param>
|
||||
#
|
||||
@ -29884,7 +29904,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -771,6 +803,131 @@
|
||||
@@ -771,6 +803,132 @@
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`logging_admin',`
|
||||
@ -29995,6 +30015,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
||||
+ role system_r types $1;
|
||||
+
|
||||
+ domtrans_pattern(audisp_t,$2,$1)
|
||||
+ allow $1 audisp_t:process signal;
|
||||
+
|
||||
+ allow audisp_t $2:file getattr;
|
||||
+ allow $1 audisp_t:unix_stream_socket rw_socket_perms;
|
||||
@ -33457,7 +33478,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.4.2/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-06-12 23:25:07.000000000 -0400
|
||||
+++ serefpolicy-3.4.2/policy/modules/system/userdomain.if 2008-07-02 08:47:05.000000000 -0400
|
||||
+++ serefpolicy-3.4.2/policy/modules/system/userdomain.if 2008-07-07 11:47:08.000000000 -0400
|
||||
@@ -28,10 +28,14 @@
|
||||
class context contains;
|
||||
')
|
||||
|
@ -17,7 +17,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.4.2
|
||||
Release: 11%{?dist}
|
||||
Release: 12%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -375,6 +375,11 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Jul 7 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-12
|
||||
- Allow amanda to read tape
|
||||
- Allow prewikka cgi to use syslog, allow audisp_t to signal cgi
|
||||
- Add support for netware file systems
|
||||
|
||||
* Thu Jul 3 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-11
|
||||
- Allow ypbind apps to net_bind_service
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user