- Allow iptables to talk to terminals

- Fixes for policy kit
- lots of fixes for booting.
This commit is contained in:
Daniel J Walsh 2008-12-04 21:43:55 +00:00
parent c136db3296
commit 2ae1615a14
2 changed files with 28 additions and 30 deletions

View File

@ -3313,7 +3313,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.1/policy/modules/apps/qemu.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.1/policy/modules/apps/qemu.te
--- nsaserefpolicy/policy/modules/apps/qemu.te 2008-11-11 16:13:42.000000000 -0500 --- nsaserefpolicy/policy/modules/apps/qemu.te 2008-11-11 16:13:42.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/apps/qemu.te 2008-11-25 09:45:43.000000000 -0500 +++ serefpolicy-3.6.1/policy/modules/apps/qemu.te 2008-12-04 16:29:05.000000000 -0500
@@ -6,6 +6,8 @@ @@ -6,6 +6,8 @@
# Declarations # Declarations
# #
@ -3323,7 +3323,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## <desc> ## <desc>
## <p> ## <p>
## Allow qemu to connect fully to the network ## Allow qemu to connect fully to the network
@@ -13,16 +15,99 @@ @@ -13,16 +15,98 @@
## </desc> ## </desc>
gen_tunable(qemu_full_network, false) gen_tunable(qemu_full_network, false)
@ -3392,9 +3392,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+fs_rw_anon_inodefs_files(qemutype) +fs_rw_anon_inodefs_files(qemutype)
+fs_rw_tmpfs_files(qemutype) +fs_rw_tmpfs_files(qemutype)
+ +
+term_use_ptmx(qemutype) +term_use_all_terms(qemutype)
+term_getattr_pty_fs(qemutype) +term_getattr_pty_fs(qemutype)
+term_use_generic_ptys(qemutype)
+ +
+auth_use_nsswitch(qemutype) +auth_use_nsswitch(qemutype)
+ +
@ -3423,7 +3422,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`qemu_full_network',` tunable_policy(`qemu_full_network',`
allow qemu_t self:udp_socket create_socket_perms; allow qemu_t self:udp_socket create_socket_perms;
@@ -35,6 +120,30 @@ @@ -35,6 +119,30 @@
corenet_tcp_connect_all_ports(qemu_t) corenet_tcp_connect_all_ports(qemu_t)
') ')
@ -7991,7 +7990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+') +')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.1/policy/modules/services/apache.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.1/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2008-11-11 16:13:46.000000000 -0500 --- nsaserefpolicy/policy/modules/services/apache.te 2008-11-11 16:13:46.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/apache.te 2008-11-25 09:45:43.000000000 -0500 +++ serefpolicy-3.6.1/policy/modules/services/apache.te 2008-12-04 14:56:42.000000000 -0500
@@ -19,6 +19,8 @@ @@ -19,6 +19,8 @@
# Declarations # Declarations
# #
@ -8570,22 +8569,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t)
@@ -724,10 +921,10 @@ @@ -724,6 +921,10 @@
optional_policy(` optional_policy(`
mysql_stream_connect(httpd_sys_script_t) mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t)
-')
-
-optional_policy(`
- postgresql_stream_connect(httpd_sys_script_t)
+ mysql_read_config(httpd_sys_script_t) + mysql_read_config(httpd_sys_script_t)
+ mysql_stream_connect(httpd_suexec_t) + mysql_stream_connect(httpd_suexec_t)
+ mysql_rw_db_sockets(httpd_suexec_t) + mysql_rw_db_sockets(httpd_suexec_t)
+ mysql_read_config(httpd_suexec_t) + mysql_read_config(httpd_suexec_t)
') ')
######################################## optional_policy(`
@@ -735,6 +932,8 @@ @@ -735,6 +936,8 @@
# httpd_rotatelogs local policy # httpd_rotatelogs local policy
# #
@ -8594,7 +8589,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
kernel_read_kernel_sysctls(httpd_rotatelogs_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t)
@@ -762,3 +961,66 @@ @@ -762,3 +965,66 @@
userdom_search_user_home_dirs(httpd_suexec_t) userdom_search_user_home_dirs(httpd_suexec_t)
userdom_search_user_home_dirs(httpd_user_script_t) userdom_search_user_home_dirs(httpd_user_script_t)
') ')
@ -12845,7 +12840,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ +
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.1/policy/modules/services/munin.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.1/policy/modules/services/munin.te
--- nsaserefpolicy/policy/modules/services/munin.te 2008-11-11 16:13:46.000000000 -0500 --- nsaserefpolicy/policy/modules/services/munin.te 2008-11-11 16:13:46.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/munin.te 2008-12-02 15:10:58.000000000 -0500 +++ serefpolicy-3.6.1/policy/modules/services/munin.te 2008-12-04 16:14:16.000000000 -0500
@@ -13,6 +13,9 @@ @@ -13,6 +13,9 @@
type munin_etc_t alias lrrd_etc_t; type munin_etc_t alias lrrd_etc_t;
files_config_file(munin_etc_t) files_config_file(munin_etc_t)
@ -12898,7 +12893,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(munin_t) corenet_all_recvfrom_unlabeled(munin_t)
corenet_all_recvfrom_netlabel(munin_t) corenet_all_recvfrom_netlabel(munin_t)
@@ -73,24 +82,35 @@ @@ -73,24 +82,36 @@
corenet_udp_sendrecv_all_nodes(munin_t) corenet_udp_sendrecv_all_nodes(munin_t)
corenet_tcp_sendrecv_all_ports(munin_t) corenet_tcp_sendrecv_all_ports(munin_t)
corenet_udp_sendrecv_all_ports(munin_t) corenet_udp_sendrecv_all_ports(munin_t)
@ -12909,6 +12904,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_read_sysfs(munin_t) dev_read_sysfs(munin_t)
dev_read_urand(munin_t) dev_read_urand(munin_t)
+fs_list_inotifyfs(munin_t)
domain_use_interactive_fds(munin_t) domain_use_interactive_fds(munin_t)
+domain_read_all_domains_state(munin_t) +domain_read_all_domains_state(munin_t)
@ -12935,7 +12931,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_dontaudit_use_unpriv_user_fds(munin_t) userdom_dontaudit_use_unpriv_user_fds(munin_t)
userdom_dontaudit_search_user_home_dirs(munin_t) userdom_dontaudit_search_user_home_dirs(munin_t)
@@ -105,7 +125,30 @@ @@ -105,7 +126,30 @@
') ')
optional_policy(` optional_policy(`
@ -12967,7 +12963,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -115,3 +158,10 @@ @@ -115,3 +159,10 @@
optional_policy(` optional_policy(`
udev_read_db(munin_t) udev_read_db(munin_t)
') ')
@ -15630,8 +15626,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+') +')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.6.1/policy/modules/services/polkit.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.6.1/policy/modules/services/polkit.te
--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/polkit.te 2008-12-04 11:20:36.000000000 -0500 +++ serefpolicy-3.6.1/policy/modules/services/polkit.te 2008-12-04 16:37:06.000000000 -0500
@@ -0,0 +1,222 @@ @@ -0,0 +1,224 @@
+policy_module(polkit_auth, 1.0.0) +policy_module(polkit_auth, 1.0.0)
+ +
+######################################## +########################################
@ -15701,8 +15697,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+manage_files_pattern(polkit_t, polkit_var_run_t, polkit_var_run_t) +manage_files_pattern(polkit_t, polkit_var_run_t, polkit_var_run_t)
+files_pid_filetrans(polkit_t, polkit_var_run_t, { file dir }) +files_pid_filetrans(polkit_t, polkit_var_run_t, { file dir })
+ +
+userdom_read_all_users_state(polkit_t)
+
+optional_policy(` +optional_policy(`
+ dbus_system_domain(polkit_t, polkit_exec_t) + dbus_system_domain(polkit_t, polkit_exec_t)
+
+ optional_policy(` + optional_policy(`
+ consolekit_dbus_chat(polkit_t) + consolekit_dbus_chat(polkit_t)
+ ') + ')
@ -15741,11 +15740,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+manage_files_pattern(polkit_auth_t, polkit_var_run_t, polkit_var_run_t) +manage_files_pattern(polkit_auth_t, polkit_var_run_t, polkit_var_run_t)
+files_pid_filetrans(polkit_auth_t, polkit_var_run_t, { file dir }) +files_pid_filetrans(polkit_auth_t, polkit_var_run_t, { file dir })
+ +
+userdom_read_all_users_state(polkit_t)
+userdom_dontaudit_read_user_home_content_files(polkit_auth_t) +userdom_dontaudit_read_user_home_content_files(polkit_auth_t)
+ +
+optional_policy(` +optional_policy(`
+ cron_read_system_job_lib_files(polkit_t) + cron_read_system_job_lib_files(polkit_auth_t)
+') +')
+ +
+optional_policy(` +optional_policy(`
@ -15754,7 +15752,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ dbus_session_bus_client(polkit_auth_t) + dbus_session_bus_client(polkit_auth_t)
+ +
+ optional_policy(` + optional_policy(`
+ consolekit_dbus_chat(polkit_t) + consolekit_dbus_chat(polkit_auth_t)
+ ') + ')
+') +')
+ +
@ -23627,7 +23625,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.1/policy/modules/system/selinuxutil.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.1/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2008-11-11 16:13:48.000000000 -0500 --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2008-11-11 16:13:48.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/system/selinuxutil.if 2008-11-25 09:45:43.000000000 -0500 +++ serefpolicy-3.6.1/policy/modules/system/selinuxutil.if 2008-12-04 16:28:46.000000000 -0500
@@ -535,6 +535,53 @@ @@ -535,6 +535,53 @@
######################################## ########################################
@ -25463,7 +25461,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.1/policy/modules/system/userdomain.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.1/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-11-13 18:40:02.000000000 -0500 --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-11-13 18:40:02.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/system/userdomain.if 2008-12-04 14:28:00.000000000 -0500 +++ serefpolicy-3.6.1/policy/modules/system/userdomain.if 2008-12-04 16:31:37.000000000 -0500
@@ -30,8 +30,9 @@ @@ -30,8 +30,9 @@
') ')
@ -26760,7 +26758,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Send a dbus message to all user domains. ## Send a dbus message to all user domains.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -2981,3 +3172,262 @@ @@ -2981,3 +3172,263 @@
allow $1 userdomain:dbus send_msg; allow $1 userdomain:dbus send_msg;
') ')
@ -26932,6 +26930,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ +
+ dontaudit $1 admin_home_t:dir search_dir_perms; + dontaudit $1 admin_home_t:dir search_dir_perms;
+') +')
+
+######################################## +########################################
+## <summary> +## <summary>
+## dontaudit list /root +## dontaudit list /root

View File

@ -446,11 +446,10 @@ exit 0
%endif %endif
%changelog %changelog
* Thu Dec 4 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-6 * Thu Dec 4 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-7
- Allow iptables to talk to terminals
* Thu Dec 4 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-5
- Allow iptables to talk to terminals - Allow iptables to talk to terminals
- Fixes for policy kit
- lots of fixes for booting.
* Wed Dec 3 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-4 * Wed Dec 3 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-4
- Cleanup policy - Cleanup policy