- Allow iptables to talk to terminals
- Fixes for PolicyKit; lots of fixes for booting.
This commit is contained in:
parent
c136db3296
commit
2ae1615a14
@ -3313,7 +3313,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.1/policy/modules/apps/qemu.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.1/policy/modules/apps/qemu.te
|
||||||
--- nsaserefpolicy/policy/modules/apps/qemu.te 2008-11-11 16:13:42.000000000 -0500
|
--- nsaserefpolicy/policy/modules/apps/qemu.te 2008-11-11 16:13:42.000000000 -0500
|
||||||
+++ serefpolicy-3.6.1/policy/modules/apps/qemu.te 2008-11-25 09:45:43.000000000 -0500
|
+++ serefpolicy-3.6.1/policy/modules/apps/qemu.te 2008-12-04 16:29:05.000000000 -0500
|
||||||
@@ -6,6 +6,8 @@
|
@@ -6,6 +6,8 @@
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
@ -3323,7 +3323,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow qemu to connect fully to the network
|
## Allow qemu to connect fully to the network
|
||||||
@@ -13,16 +15,99 @@
|
@@ -13,16 +15,98 @@
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(qemu_full_network, false)
|
gen_tunable(qemu_full_network, false)
|
||||||
|
|
||||||
@ -3392,9 +3392,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+fs_rw_anon_inodefs_files(qemutype)
|
+fs_rw_anon_inodefs_files(qemutype)
|
||||||
+fs_rw_tmpfs_files(qemutype)
|
+fs_rw_tmpfs_files(qemutype)
|
||||||
+
|
+
|
||||||
+term_use_ptmx(qemutype)
|
+term_use_all_terms(qemutype)
|
||||||
+term_getattr_pty_fs(qemutype)
|
+term_getattr_pty_fs(qemutype)
|
||||||
+term_use_generic_ptys(qemutype)
|
|
||||||
+
|
+
|
||||||
+auth_use_nsswitch(qemutype)
|
+auth_use_nsswitch(qemutype)
|
||||||
+
|
+
|
||||||
@ -3423,7 +3422,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
tunable_policy(`qemu_full_network',`
|
tunable_policy(`qemu_full_network',`
|
||||||
allow qemu_t self:udp_socket create_socket_perms;
|
allow qemu_t self:udp_socket create_socket_perms;
|
||||||
|
|
||||||
@@ -35,6 +120,30 @@
|
@@ -35,6 +119,30 @@
|
||||||
corenet_tcp_connect_all_ports(qemu_t)
|
corenet_tcp_connect_all_ports(qemu_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -7991,7 +7990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.1/policy/modules/services/apache.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.1/policy/modules/services/apache.te
|
||||||
--- nsaserefpolicy/policy/modules/services/apache.te 2008-11-11 16:13:46.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/apache.te 2008-11-11 16:13:46.000000000 -0500
|
||||||
+++ serefpolicy-3.6.1/policy/modules/services/apache.te 2008-11-25 09:45:43.000000000 -0500
|
+++ serefpolicy-3.6.1/policy/modules/services/apache.te 2008-12-04 14:56:42.000000000 -0500
|
||||||
@@ -19,6 +19,8 @@
|
@@ -19,6 +19,8 @@
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
@ -8570,22 +8569,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||||
fs_read_cifs_files(httpd_sys_script_t)
|
fs_read_cifs_files(httpd_sys_script_t)
|
||||||
fs_read_cifs_symlinks(httpd_sys_script_t)
|
fs_read_cifs_symlinks(httpd_sys_script_t)
|
||||||
@@ -724,10 +921,10 @@
|
@@ -724,6 +921,10 @@
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
mysql_stream_connect(httpd_sys_script_t)
|
mysql_stream_connect(httpd_sys_script_t)
|
||||||
mysql_rw_db_sockets(httpd_sys_script_t)
|
mysql_rw_db_sockets(httpd_sys_script_t)
|
||||||
-')
|
|
||||||
-
|
|
||||||
-optional_policy(`
|
|
||||||
- postgresql_stream_connect(httpd_sys_script_t)
|
|
||||||
+ mysql_read_config(httpd_sys_script_t)
|
+ mysql_read_config(httpd_sys_script_t)
|
||||||
+ mysql_stream_connect(httpd_suexec_t)
|
+ mysql_stream_connect(httpd_suexec_t)
|
||||||
+ mysql_rw_db_sockets(httpd_suexec_t)
|
+ mysql_rw_db_sockets(httpd_suexec_t)
|
||||||
+ mysql_read_config(httpd_suexec_t)
|
+ mysql_read_config(httpd_suexec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
optional_policy(`
|
||||||
@@ -735,6 +932,8 @@
|
@@ -735,6 +936,8 @@
|
||||||
# httpd_rotatelogs local policy
|
# httpd_rotatelogs local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -8594,7 +8589,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
|
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
|
||||||
|
|
||||||
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
|
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
|
||||||
@@ -762,3 +961,66 @@
|
@@ -762,3 +965,66 @@
|
||||||
userdom_search_user_home_dirs(httpd_suexec_t)
|
userdom_search_user_home_dirs(httpd_suexec_t)
|
||||||
userdom_search_user_home_dirs(httpd_user_script_t)
|
userdom_search_user_home_dirs(httpd_user_script_t)
|
||||||
')
|
')
|
||||||
@ -12845,7 +12840,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.1/policy/modules/services/munin.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.1/policy/modules/services/munin.te
|
||||||
--- nsaserefpolicy/policy/modules/services/munin.te 2008-11-11 16:13:46.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/munin.te 2008-11-11 16:13:46.000000000 -0500
|
||||||
+++ serefpolicy-3.6.1/policy/modules/services/munin.te 2008-12-02 15:10:58.000000000 -0500
|
+++ serefpolicy-3.6.1/policy/modules/services/munin.te 2008-12-04 16:14:16.000000000 -0500
|
||||||
@@ -13,6 +13,9 @@
|
@@ -13,6 +13,9 @@
|
||||||
type munin_etc_t alias lrrd_etc_t;
|
type munin_etc_t alias lrrd_etc_t;
|
||||||
files_config_file(munin_etc_t)
|
files_config_file(munin_etc_t)
|
||||||
@ -12898,7 +12893,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
corenet_all_recvfrom_unlabeled(munin_t)
|
corenet_all_recvfrom_unlabeled(munin_t)
|
||||||
corenet_all_recvfrom_netlabel(munin_t)
|
corenet_all_recvfrom_netlabel(munin_t)
|
||||||
@@ -73,24 +82,35 @@
|
@@ -73,24 +82,36 @@
|
||||||
corenet_udp_sendrecv_all_nodes(munin_t)
|
corenet_udp_sendrecv_all_nodes(munin_t)
|
||||||
corenet_tcp_sendrecv_all_ports(munin_t)
|
corenet_tcp_sendrecv_all_ports(munin_t)
|
||||||
corenet_udp_sendrecv_all_ports(munin_t)
|
corenet_udp_sendrecv_all_ports(munin_t)
|
||||||
@ -12909,6 +12904,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
dev_read_sysfs(munin_t)
|
dev_read_sysfs(munin_t)
|
||||||
dev_read_urand(munin_t)
|
dev_read_urand(munin_t)
|
||||||
|
+fs_list_inotifyfs(munin_t)
|
||||||
|
|
||||||
domain_use_interactive_fds(munin_t)
|
domain_use_interactive_fds(munin_t)
|
||||||
+domain_read_all_domains_state(munin_t)
|
+domain_read_all_domains_state(munin_t)
|
||||||
@ -12935,7 +12931,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fds(munin_t)
|
userdom_dontaudit_use_unpriv_user_fds(munin_t)
|
||||||
userdom_dontaudit_search_user_home_dirs(munin_t)
|
userdom_dontaudit_search_user_home_dirs(munin_t)
|
||||||
@@ -105,7 +125,30 @@
|
@@ -105,7 +126,30 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -12967,7 +12963,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -115,3 +158,10 @@
|
@@ -115,3 +159,10 @@
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
udev_read_db(munin_t)
|
udev_read_db(munin_t)
|
||||||
')
|
')
|
||||||
@ -15630,8 +15626,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.6.1/policy/modules/services/polkit.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.6.1/policy/modules/services/polkit.te
|
||||||
--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.6.1/policy/modules/services/polkit.te 2008-12-04 11:20:36.000000000 -0500
|
+++ serefpolicy-3.6.1/policy/modules/services/polkit.te 2008-12-04 16:37:06.000000000 -0500
|
||||||
@@ -0,0 +1,222 @@
|
@@ -0,0 +1,224 @@
|
||||||
+policy_module(polkit_auth, 1.0.0)
|
+policy_module(polkit_auth, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -15701,8 +15697,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+manage_files_pattern(polkit_t, polkit_var_run_t, polkit_var_run_t)
|
+manage_files_pattern(polkit_t, polkit_var_run_t, polkit_var_run_t)
|
||||||
+files_pid_filetrans(polkit_t, polkit_var_run_t, { file dir })
|
+files_pid_filetrans(polkit_t, polkit_var_run_t, { file dir })
|
||||||
+
|
+
|
||||||
|
+userdom_read_all_users_state(polkit_t)
|
||||||
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ dbus_system_domain(polkit_t, polkit_exec_t)
|
+ dbus_system_domain(polkit_t, polkit_exec_t)
|
||||||
|
+
|
||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
+ consolekit_dbus_chat(polkit_t)
|
+ consolekit_dbus_chat(polkit_t)
|
||||||
+ ')
|
+ ')
|
||||||
@ -15741,11 +15740,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+manage_files_pattern(polkit_auth_t, polkit_var_run_t, polkit_var_run_t)
|
+manage_files_pattern(polkit_auth_t, polkit_var_run_t, polkit_var_run_t)
|
||||||
+files_pid_filetrans(polkit_auth_t, polkit_var_run_t, { file dir })
|
+files_pid_filetrans(polkit_auth_t, polkit_var_run_t, { file dir })
|
||||||
+
|
+
|
||||||
+userdom_read_all_users_state(polkit_t)
|
|
||||||
+userdom_dontaudit_read_user_home_content_files(polkit_auth_t)
|
+userdom_dontaudit_read_user_home_content_files(polkit_auth_t)
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ cron_read_system_job_lib_files(polkit_t)
|
+ cron_read_system_job_lib_files(polkit_auth_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
@ -15754,7 +15752,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+ dbus_session_bus_client(polkit_auth_t)
|
+ dbus_session_bus_client(polkit_auth_t)
|
||||||
+
|
+
|
||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
+ consolekit_dbus_chat(polkit_t)
|
+ consolekit_dbus_chat(polkit_auth_t)
|
||||||
+ ')
|
+ ')
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
@ -23627,7 +23625,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
|
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.1/policy/modules/system/selinuxutil.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.1/policy/modules/system/selinuxutil.if
|
||||||
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2008-11-11 16:13:48.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2008-11-11 16:13:48.000000000 -0500
|
||||||
+++ serefpolicy-3.6.1/policy/modules/system/selinuxutil.if 2008-11-25 09:45:43.000000000 -0500
|
+++ serefpolicy-3.6.1/policy/modules/system/selinuxutil.if 2008-12-04 16:28:46.000000000 -0500
|
||||||
@@ -535,6 +535,53 @@
|
@@ -535,6 +535,53 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -25463,7 +25461,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
|
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.1/policy/modules/system/userdomain.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.1/policy/modules/system/userdomain.if
|
||||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-11-13 18:40:02.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-11-13 18:40:02.000000000 -0500
|
||||||
+++ serefpolicy-3.6.1/policy/modules/system/userdomain.if 2008-12-04 14:28:00.000000000 -0500
|
+++ serefpolicy-3.6.1/policy/modules/system/userdomain.if 2008-12-04 16:31:37.000000000 -0500
|
||||||
@@ -30,8 +30,9 @@
|
@@ -30,8 +30,9 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -26760,7 +26758,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Send a dbus message to all user domains.
|
## Send a dbus message to all user domains.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -2981,3 +3172,262 @@
|
@@ -2981,3 +3172,263 @@
|
||||||
|
|
||||||
allow $1 userdomain:dbus send_msg;
|
allow $1 userdomain:dbus send_msg;
|
||||||
')
|
')
|
||||||
@ -26932,6 +26930,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
+ dontaudit $1 admin_home_t:dir search_dir_perms;
|
+ dontaudit $1 admin_home_t:dir search_dir_perms;
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## dontaudit list /root
|
+## dontaudit list /root
|
||||||
|
@ -446,11 +446,10 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Thu Dec 4 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-6
|
* Thu Dec 4 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-7
|
||||||
- Allow iptables to talk to terminals
|
|
||||||
|
|
||||||
* Thu Dec 4 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-5
|
|
||||||
- Allow iptables to talk to terminals
|
- Allow iptables to talk to terminals
|
||||||
|
- Fixes for policy kit
|
||||||
|
- lots of fixes for booting.
|
||||||
|
|
||||||
* Wed Dec 3 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-4
|
* Wed Dec 3 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-4
|
||||||
- Cleanup policy
|
- Cleanup policy
|
||||||
|