Shrink size of policy through use of attributes for userdomain and apache
This commit is contained in:
Dan Walsh
parent
1000555932
commit
2a89dffbb5
362
apache.patch
Normal file
362
apache.patch
Normal file
@ -0,0 +1,362 @@
|
||||
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
|
||||
index cf3d50b..3ded83e 100644
|
||||
--- a/policy/modules/kernel/domain.if
|
||||
+++ b/policy/modules/kernel/domain.if
|
||||
@@ -75,34 +75,6 @@ interface(`domain_base_type',`
|
||||
interface(`domain_type',`
|
||||
# start with basic domain
|
||||
domain_base_type($1)
|
||||
-
|
||||
- ifdef(`distro_redhat',`
|
||||
- optional_policy(`
|
||||
- unconfined_use_fds($1)
|
||||
- ')
|
||||
- ')
|
||||
-
|
||||
- # send init a sigchld and signull
|
||||
- optional_policy(`
|
||||
- init_sigchld($1)
|
||||
- init_signull($1)
|
||||
- ')
|
||||
-
|
||||
- # these seem questionable:
|
||||
-
|
||||
- optional_policy(`
|
||||
- rpm_use_fds($1)
|
||||
- rpm_read_pipes($1)
|
||||
- ')
|
||||
-
|
||||
- optional_policy(`
|
||||
- selinux_dontaudit_getattr_fs($1)
|
||||
- selinux_dontaudit_read_fs($1)
|
||||
- ')
|
||||
-
|
||||
- optional_policy(`
|
||||
- seutil_dontaudit_read_config($1)
|
||||
- ')
|
||||
')
|
||||
|
||||
########################################
|
||||
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
|
||||
index 00e20f7..db2a183 100644
|
||||
--- a/policy/modules/kernel/domain.te
|
||||
+++ b/policy/modules/kernel/domain.te
|
||||
@@ -285,3 +285,30 @@ optional_policy(`
|
||||
# broken kernel
|
||||
dontaudit can_change_object_identity can_change_object_identity:key link;
|
||||
|
||||
+ifdef(`distro_redhat',`
|
||||
+ optional_policy(`
|
||||
+ unconfined_use_fds(domain)
|
||||
+ ')
|
||||
+')
|
||||
+
|
||||
+# send init a sigchld and signull
|
||||
+optional_policy(`
|
||||
+ init_sigchld(domain)
|
||||
+ init_signull(domain)
|
||||
+')
|
||||
+
|
||||
+# these seem questionable:
|
||||
+
|
||||
+optional_policy(`
|
||||
+ rpm_use_fds(domain)
|
||||
+ rpm_read_pipes(domain)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ selinux_dontaudit_getattr_fs(domain)
|
||||
+ selinux_dontaudit_read_fs(domain)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ seutil_dontaudit_read_config(domain)
|
||||
+')
|
||||
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
|
||||
index e12bbc0..606323d 100644
|
||||
--- a/policy/modules/services/apache.if
|
||||
+++ b/policy/modules/services/apache.if
|
||||
@@ -16,55 +16,43 @@ template(`apache_content_template',`
|
||||
attribute httpd_exec_scripts, httpd_script_exec_type;
|
||||
type httpd_t, httpd_suexec_t, httpd_log_t;
|
||||
type httpd_sys_content_t;
|
||||
+ attribute httpd_script_type, httpd_content_type;
|
||||
')
|
||||
|
||||
#This type is for webpages
|
||||
type httpd_$1_content_t; # customizable;
|
||||
+ typeattribute httpd_$1_content_t httpd_content_type;
|
||||
typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
|
||||
files_type(httpd_$1_content_t)
|
||||
|
||||
# This type is used for .htaccess files
|
||||
- type httpd_$1_htaccess_t; # customizable;
|
||||
+ type httpd_$1_htaccess_t, httpd_content_type; # customizable;
|
||||
+ typeattribute httpd_$1_htaccess_t httpd_content_type;
|
||||
files_type(httpd_$1_htaccess_t)
|
||||
|
||||
# Type that CGI scripts run as
|
||||
- type httpd_$1_script_t;
|
||||
+ type httpd_$1_script_t, httpd_script_type;
|
||||
domain_type(httpd_$1_script_t)
|
||||
role system_r types httpd_$1_script_t;
|
||||
|
||||
- search_dirs_pattern(httpd_$1_script_t, httpd_sys_content_t, httpd_script_exec_type)
|
||||
-
|
||||
# This type is used for executable scripts files
|
||||
type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
|
||||
- corecmd_shell_entry_type(httpd_$1_script_t)
|
||||
+ typeattribute httpd_$1_script_exec_t httpd_content_type;
|
||||
domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
|
||||
|
||||
type httpd_$1_rw_content_t; # customizable
|
||||
+ typeattribute httpd_$1_rw_content_t httpd_content_type;
|
||||
typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
|
||||
files_type(httpd_$1_rw_content_t)
|
||||
|
||||
- type httpd_$1_ra_content_t; # customizable
|
||||
+ type httpd_$1_ra_content_t, httpd_content_type; # customizable
|
||||
+ typeattribute httpd_$1_ra_content_t httpd_content_type;
|
||||
typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
|
||||
files_type(httpd_$1_ra_content_t)
|
||||
|
||||
- read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)
|
||||
-
|
||||
- allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
|
||||
- allow httpd_suexec_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
|
||||
-
|
||||
- allow httpd_$1_script_t self:fifo_file rw_file_perms;
|
||||
- allow httpd_$1_script_t self:unix_stream_socket connectto;
|
||||
-
|
||||
- allow httpd_$1_script_t httpd_t:fifo_file write;
|
||||
- # apache should set close-on-exec
|
||||
- apache_dontaudit_leaks(httpd_$1_script_t)
|
||||
-
|
||||
# Allow the script process to search the cgi directory, and users directory
|
||||
allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
|
||||
|
||||
- append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t)
|
||||
- logging_search_logs(httpd_$1_script_t)
|
||||
-
|
||||
can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
|
||||
allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
|
||||
|
||||
@@ -83,27 +71,6 @@ template(`apache_content_template',`
|
||||
manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
||||
manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
||||
|
||||
- kernel_dontaudit_search_sysctl(httpd_$1_script_t)
|
||||
- kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
|
||||
-
|
||||
- dev_read_rand(httpd_$1_script_t)
|
||||
- dev_read_urand(httpd_$1_script_t)
|
||||
-
|
||||
- corecmd_exec_all_executables(httpd_$1_script_t)
|
||||
- application_exec_all(httpd_$1_script_t)
|
||||
-
|
||||
- files_exec_etc_files(httpd_$1_script_t)
|
||||
- files_read_etc_files(httpd_$1_script_t)
|
||||
- files_search_home(httpd_$1_script_t)
|
||||
-
|
||||
- libs_exec_ld_so(httpd_$1_script_t)
|
||||
- libs_exec_lib_files(httpd_$1_script_t)
|
||||
-
|
||||
- miscfiles_read_fonts(httpd_$1_script_t)
|
||||
- miscfiles_read_public_files(httpd_$1_script_t)
|
||||
-
|
||||
- seutil_dontaudit_search_config(httpd_$1_script_t)
|
||||
-
|
||||
# Allow the web server to run scripts and serve pages
|
||||
tunable_policy(`httpd_builtin_scripting',`
|
||||
manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
||||
@@ -111,19 +78,11 @@ template(`apache_content_template',`
|
||||
manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
||||
rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
||||
|
||||
- allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
|
||||
+ allow httpd_t httpd_$1_ra_content_t:dir { add_entry_dir_perms };
|
||||
read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
|
||||
append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
|
||||
read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
|
||||
|
||||
- allow httpd_t httpd_$1_content_t:dir list_dir_perms;
|
||||
- read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
|
||||
- read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
|
||||
-
|
||||
- allow httpd_t httpd_$1_content_t:dir list_dir_perms;
|
||||
- read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
|
||||
- read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
|
||||
- allow httpd_t httpd_$1_script_t:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_cgi',`
|
||||
@@ -138,49 +97,6 @@ template(`apache_content_template',`
|
||||
|
||||
# apache runs the script:
|
||||
domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
|
||||
-
|
||||
- allow httpd_t httpd_$1_script_exec_t:file read_file_perms;
|
||||
- allow httpd_t httpd_$1_script_exec_t:lnk_file read_lnk_file_perms;
|
||||
-
|
||||
- allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
|
||||
- allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
|
||||
-
|
||||
- allow httpd_$1_script_t self:process { setsched signal_perms };
|
||||
- allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
|
||||
- allow httpd_$1_script_t self:unix_dgram_socket create_socket_perms;
|
||||
-
|
||||
- allow httpd_$1_script_t httpd_t:fd use;
|
||||
- allow httpd_$1_script_t httpd_t:process sigchld;
|
||||
-
|
||||
- dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };
|
||||
-
|
||||
- kernel_read_system_state(httpd_$1_script_t)
|
||||
-
|
||||
- dev_read_urand(httpd_$1_script_t)
|
||||
-
|
||||
- fs_getattr_xattr_fs(httpd_$1_script_t)
|
||||
-
|
||||
- files_read_etc_runtime_files(httpd_$1_script_t)
|
||||
- files_read_usr_files(httpd_$1_script_t)
|
||||
-
|
||||
- libs_read_lib_files(httpd_$1_script_t)
|
||||
-
|
||||
- miscfiles_read_localization(httpd_$1_script_t)
|
||||
- allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms;
|
||||
- ')
|
||||
-
|
||||
- optional_policy(`
|
||||
- tunable_policy(`httpd_enable_cgi && allow_ypbind',`
|
||||
- nis_use_ypbind_uncond(httpd_$1_script_t)
|
||||
- ')
|
||||
- ')
|
||||
-
|
||||
- optional_policy(`
|
||||
- postgresql_unpriv_client(httpd_$1_script_t)
|
||||
- ')
|
||||
-
|
||||
- optional_policy(`
|
||||
- nscd_socket_use(httpd_$1_script_t)
|
||||
')
|
||||
')
|
||||
|
||||
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
|
||||
index f165efd..adf2423 100644
|
||||
--- a/policy/modules/services/apache.te
|
||||
+++ b/policy/modules/services/apache.te
|
||||
@@ -217,10 +217,12 @@ gen_tunable(allow_httpd_sys_script_anon_write, false)
|
||||
|
||||
attribute httpdcontent;
|
||||
attribute httpd_user_content_type;
|
||||
+attribute httpd_content_type;
|
||||
|
||||
# domains that can exec all users scripts
|
||||
attribute httpd_exec_scripts;
|
||||
|
||||
+attribute httpd_script_type;
|
||||
attribute httpd_script_exec_type;
|
||||
attribute httpd_user_script_exec_type;
|
||||
|
||||
@@ -293,6 +295,10 @@ files_tmp_file(httpd_suexec_tmp_t)
|
||||
# setup the system domain for system CGI scripts
|
||||
apache_content_template(sys)
|
||||
|
||||
+optional_policy(`
|
||||
+ postgresql_unpriv_client(httpd_sys_script_t)
|
||||
+')
|
||||
+
|
||||
typeattribute httpd_sys_content_t httpdcontent; # customizable
|
||||
typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
|
||||
typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
|
||||
@@ -1308,3 +1314,91 @@ systemd_passwd_agent_dev_template(httpd)
|
||||
domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
|
||||
dontaudit httpd_passwd_t httpd_config_t:file read;
|
||||
|
||||
+
|
||||
+search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
|
||||
+corecmd_shell_entry_type(httpd_script_type)
|
||||
+
|
||||
+allow httpd_script_type self:fifo_file rw_file_perms;
|
||||
+allow httpd_script_type self:unix_stream_socket connectto;
|
||||
+
|
||||
+allow httpd_script_type httpd_t:fifo_file write;
|
||||
+# apache should set close-on-exec
|
||||
+apache_dontaudit_leaks(httpd_script_type)
|
||||
+
|
||||
+append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)
|
||||
+logging_search_logs(httpd_script_type)
|
||||
+
|
||||
+kernel_dontaudit_search_sysctl(httpd_script_type)
|
||||
+kernel_dontaudit_search_kernel_sysctl(httpd_script_type)
|
||||
+
|
||||
+dev_read_rand(httpd_script_type)
|
||||
+dev_read_urand(httpd_script_type)
|
||||
+
|
||||
+corecmd_exec_all_executables(httpd_script_type)
|
||||
+application_exec_all(httpd_script_type)
|
||||
+
|
||||
+files_exec_etc_files(httpd_script_type)
|
||||
+files_read_etc_files(httpd_script_type)
|
||||
+files_search_home(httpd_script_type)
|
||||
+
|
||||
+libs_exec_ld_so(httpd_script_type)
|
||||
+libs_exec_lib_files(httpd_script_type)
|
||||
+
|
||||
+miscfiles_read_fonts(httpd_script_type)
|
||||
+miscfiles_read_public_files(httpd_script_type)
|
||||
+
|
||||
+seutil_dontaudit_search_config(httpd_script_type)
|
||||
+allow httpd_t httpd_script_type:unix_stream_socket connectto;
|
||||
+
|
||||
+allow httpd_t httpd_script_exec_type:file read_file_perms;
|
||||
+allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
|
||||
+allow httpd_t httpd_script_type:process { signal sigkill sigstop };
|
||||
+allow httpd_t httpd_script_exec_type:dir list_dir_perms;
|
||||
+
|
||||
+allow httpd_script_type self:process { setsched signal_perms };
|
||||
+allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
|
||||
+allow httpd_script_type self:unix_dgram_socket create_socket_perms;
|
||||
+
|
||||
+allow httpd_script_type httpd_t:fd use;
|
||||
+allow httpd_script_type httpd_t:process sigchld;
|
||||
+
|
||||
+dontaudit httpd_script_type httpd_t:tcp_socket { read write };
|
||||
+
|
||||
+kernel_read_system_state(httpd_script_type)
|
||||
+
|
||||
+dev_read_urand(httpd_script_type)
|
||||
+
|
||||
+fs_getattr_xattr_fs(httpd_script_type)
|
||||
+
|
||||
+files_read_etc_runtime_files(httpd_script_type)
|
||||
+files_read_usr_files(httpd_script_type)
|
||||
+
|
||||
+libs_read_lib_files(httpd_script_type)
|
||||
+
|
||||
+miscfiles_read_localization(httpd_script_type)
|
||||
+allow httpd_script_type httpd_sys_content_t:dir search_dir_perms;
|
||||
+
|
||||
+tunable_policy(`httpd_enable_cgi && allow_ypbind',`
|
||||
+ nis_use_ypbind_uncond(httpd_script_type)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ nscd_socket_use(httpd_script_type)
|
||||
+')
|
||||
+
|
||||
+read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
|
||||
+
|
||||
+tunable_policy(`httpd_builtin_scripting',`
|
||||
+ allow httpd_t httpd_content_type:dir search_dir_perms;
|
||||
+ allow httpd_suexec_t httpd_content_type:dir search_dir_perms;
|
||||
+
|
||||
+ allow httpd_t httpd_content_type:dir list_dir_perms;
|
||||
+ read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
|
||||
+ read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
|
||||
+
|
||||
+ allow httpd_t httpd_content_type:dir list_dir_perms;
|
||||
+ read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
|
||||
+ read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
|
||||
+')
|
||||
+
|
||||
+
|
||||
@ -15080,45 +15080,10 @@ index 08f01e7..1c2562c 100644
|
||||
+allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
|
||||
allow devices_unconfined_type mtrr_device_t:file *;
|
||||
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
|
||||
index 6a1e4d1..3ded83e 100644
|
||||
index 6a1e4d1..cf3d50b 100644
|
||||
--- a/policy/modules/kernel/domain.if
|
||||
+++ b/policy/modules/kernel/domain.if
|
||||
@@ -75,34 +75,6 @@ interface(`domain_base_type',`
|
||||
interface(`domain_type',`
|
||||
# start with basic domain
|
||||
domain_base_type($1)
|
||||
-
|
||||
- ifdef(`distro_redhat',`
|
||||
- optional_policy(`
|
||||
- unconfined_use_fds($1)
|
||||
- ')
|
||||
- ')
|
||||
-
|
||||
- # send init a sigchld and signull
|
||||
- optional_policy(`
|
||||
- init_sigchld($1)
|
||||
- init_signull($1)
|
||||
- ')
|
||||
-
|
||||
- # these seem questionable:
|
||||
-
|
||||
- optional_policy(`
|
||||
- rpm_use_fds($1)
|
||||
- rpm_read_pipes($1)
|
||||
- ')
|
||||
-
|
||||
- optional_policy(`
|
||||
- selinux_dontaudit_getattr_fs($1)
|
||||
- selinux_dontaudit_read_fs($1)
|
||||
- ')
|
||||
-
|
||||
- optional_policy(`
|
||||
- seutil_dontaudit_read_config($1)
|
||||
- ')
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -631,7 +603,7 @@ interface(`domain_read_all_domains_state',`
|
||||
@@ -631,7 +631,7 @@ interface(`domain_read_all_domains_state',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -15127,7 +15092,7 @@ index 6a1e4d1..3ded83e 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -655,7 +627,7 @@ interface(`domain_getattr_all_domains',`
|
||||
@@ -655,7 +655,7 @@ interface(`domain_getattr_all_domains',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -15136,7 +15101,7 @@ index 6a1e4d1..3ded83e 100644
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@@ -1530,4 +1502,29 @@ interface(`domain_unconfined',`
|
||||
@@ -1530,4 +1530,29 @@ interface(`domain_unconfined',`
|
||||
typeattribute $1 can_change_object_identity;
|
||||
typeattribute $1 set_curr_context;
|
||||
typeattribute $1 process_uncond_exempt;
|
||||
@ -15167,7 +15132,7 @@ index 6a1e4d1..3ded83e 100644
|
||||
+ dontaudit $1 domain:socket_class_set { read write };
|
||||
')
|
||||
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
|
||||
index fae1ab1..db2a183 100644
|
||||
index fae1ab1..00e20f7 100644
|
||||
--- a/policy/modules/kernel/domain.te
|
||||
+++ b/policy/modules/kernel/domain.te
|
||||
@@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
|
||||
@ -15260,7 +15225,7 @@ index fae1ab1..db2a183 100644
|
||||
# Act upon any other process.
|
||||
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
|
||||
|
||||
@@ -160,3 +197,118 @@ allow unconfined_domain_type domain:key *;
|
||||
@@ -160,3 +197,91 @@ allow unconfined_domain_type domain:key *;
|
||||
|
||||
# receive from all domains over labeled networking
|
||||
domain_all_recvfrom_all_domains(unconfined_domain_type)
|
||||
@ -15352,33 +15317,6 @@ index fae1ab1..db2a183 100644
|
||||
+# broken kernel
|
||||
+dontaudit can_change_object_identity can_change_object_identity:key link;
|
||||
+
|
||||
+ifdef(`distro_redhat',`
|
||||
+ optional_policy(`
|
||||
+ unconfined_use_fds(domain)
|
||||
+ ')
|
||||
+')
|
||||
+
|
||||
+# send init a sigchld and signull
|
||||
+optional_policy(`
|
||||
+ init_sigchld(domain)
|
||||
+ init_signull(domain)
|
||||
+')
|
||||
+
|
||||
+# these seem questionable:
|
||||
+
|
||||
+optional_policy(`
|
||||
+ rpm_use_fds(domain)
|
||||
+ rpm_read_pipes(domain)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ selinux_dontaudit_getattr_fs(domain)
|
||||
+ selinux_dontaudit_read_fs(domain)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ seutil_dontaudit_read_config(domain)
|
||||
+')
|
||||
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
|
||||
index c19518a..12e8e9c 100644
|
||||
--- a/policy/modules/kernel/files.fc
|
||||
|
||||
3727
ptrace.patch
Normal file
3727
ptrace.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -17,7 +17,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.10.0
|
||||
Release: 38%{?dist}
|
||||
Release: 38.1%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -246,7 +246,7 @@ Based off of reference policy: Checked out revision 2.20091117
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1 -b .execmem
|
||||
#%patch5 -p1 -b .userdomain
|
||||
%patch5 -p1 -b .userdomain
|
||||
%patch6 -p1 -b .apache
|
||||
#%patch7 -p1 -b .ptrace
|
||||
|
||||
@ -480,6 +480,9 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Oct 6 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-38.1
|
||||
- Shrink size of policy through use of attributes for userdomain and apache
|
||||
|
||||
* Wed Oct 5 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-38
|
||||
- Allow virsh to read xenstored pid file
|
||||
- Backport corenetwork fixes from upstream
|
||||
|
||||
1395
userdomain.patch
Normal file
1395
userdomain.patch
Normal file
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue
Block a user