- Change userdom_read_all_users_state to include reading symbolic links in /proc
Daniel J Walsh 2008-12-27 13:06:14 +00:00
parent 1cf70680c7
commit 32363900ec
2 changed files with 40 additions and 16 deletions


@ -13504,7 +13504,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ +
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.1/policy/modules/services/munin.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.1/policy/modules/services/munin.te
--- nsaserefpolicy/policy/modules/services/munin.te 2008-11-11 16:13:46.000000000 -0500 --- nsaserefpolicy/policy/modules/services/munin.te 2008-11-11 16:13:46.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/munin.te 2008-12-18 11:36:14.000000000 -0500 +++ serefpolicy-3.6.1/policy/modules/services/munin.te 2008-12-27 07:23:35.000000000 -0500
@@ -13,6 +13,9 @@ @@ -13,6 +13,9 @@
type munin_etc_t alias lrrd_etc_t; type munin_etc_t alias lrrd_etc_t;
files_config_file(munin_etc_t) files_config_file(munin_etc_t)
@ -13595,7 +13595,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_dontaudit_use_unpriv_user_fds(munin_t) userdom_dontaudit_use_unpriv_user_fds(munin_t)
userdom_dontaudit_search_user_home_dirs(munin_t) userdom_dontaudit_search_user_home_dirs(munin_t)
@@ -105,7 +126,30 @@ @@ -105,7 +126,31 @@
') ')
optional_policy(` optional_policy(`
@ -13616,6 +13616,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ +
+optional_policy(` +optional_policy(`
+ postfix_list_spool(munin_t) + postfix_list_spool(munin_t)
+ postfix_getattr_spool_files(munin_t)
+') +')
+ +
+optional_policy(` +optional_policy(`
@ -13627,7 +13628,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -115,3 +159,10 @@ @@ -115,3 +160,10 @@
optional_policy(` optional_policy(`
udev_read_db(munin_t) udev_read_db(munin_t)
') ')
@ -16679,7 +16680,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.1/policy/modules/services/postfix.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.1/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2008-11-11 16:13:45.000000000 -0500 --- nsaserefpolicy/policy/modules/services/postfix.if 2008-11-11 16:13:45.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/postfix.if 2008-12-18 11:31:37.000000000 -0500 +++ serefpolicy-3.6.1/policy/modules/services/postfix.if 2008-12-27 07:23:23.000000000 -0500
@@ -174,9 +174,8 @@ @@ -174,9 +174,8 @@
type postfix_etc_t; type postfix_etc_t;
') ')
@ -16740,28 +16741,49 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_search_spool($1) files_search_spool($1)
') ')
@@ -437,10 +455,10 @@ @@ -437,11 +455,30 @@
# #
interface(`postfix_list_spool',` interface(`postfix_list_spool',`
gen_require(` gen_require(`
- type postfix_spool_t; - type postfix_spool_t;
+ attribute postfix_spool_type;
+ ')
+
+ allow $1 postfix_spool_type:dir list_dir_perms;
+ files_search_spool($1)
+')
+
+########################################
+## <summary>
+## Getattr postfix mail spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_getattr_spool_files',`
+ gen_require(`
+ attribute postfix_spool_type; + attribute postfix_spool_type;
') ')
- allow $1 postfix_spool_t:dir list_dir_perms; - allow $1 postfix_spool_t:dir list_dir_perms;
+ allow $1 postfix_spool_type:dir list_dir_perms;
files_search_spool($1) files_search_spool($1)
+ getattr_files_pattern($1, postfix_spool_type, postfix_spool_type)
') ')
@@ -456,11 +474,30 @@ ########################################
@@ -456,11 +493,30 @@
# #
interface(`postfix_read_spool_files',` interface(`postfix_read_spool_files',`
gen_require(` gen_require(`
- type postfix_spool_t; - type postfix_spool_t;
+ attribute postfix_spool_type; + attribute postfix_spool_type;
+ ') ')
+
+ files_search_spool($1) files_search_spool($1)
- read_files_pattern($1, postfix_spool_t, postfix_spool_t)
+ read_files_pattern($1, postfix_spool_type, postfix_spool_type) + read_files_pattern($1, postfix_spool_type, postfix_spool_type)
+') +')
+ +
@ -16778,15 +16800,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+interface(`postfix_manage_spool_files',` +interface(`postfix_manage_spool_files',`
+ gen_require(` + gen_require(`
+ attribute postfix_spool_type; + attribute postfix_spool_type;
') + ')
+
files_search_spool($1) + files_search_spool($1)
- read_files_pattern($1, postfix_spool_t, postfix_spool_t)
+ manage_files_pattern($1, postfix_spool_type, postfix_spool_type) + manage_files_pattern($1, postfix_spool_type, postfix_spool_type)
') ')
######################################## ########################################
@@ -481,3 +518,23 @@ @@ -481,3 +537,23 @@
typeattribute $1 postfix_user_domtrans; typeattribute $1 postfix_user_domtrans;
') ')
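Review bot: The new `postfix_getattr_spool_files` interface in postfix.if grants getattr over every type carrying the `postfix_spool_type` attribute, whereas the interface it is modelled on was scoped to the single type `postfix_spool_t` before this change; its XML summary `## Getattr postfix mail spool files.` should state that scope, e.g. `## Get the attributes of files in all postfix spool directories (postfix_spool_type).` The interface also does not grant listing of the spool directories, so a caller needs `postfix_list_spool` as well — munin.te does both in this commit, and a sentence in the summary saying so would save the next caller a denial hunt. The commit title and the changelog entry describe only the userdom /proc symlink change and do not mention the munin/postfix spool widening, which is most of the diffstat; the hunks here cut through the surrounding interfaces, so the rest of postfix.if is not visible.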


@ -20,7 +20,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.6.1 Version: 3.6.1
Release: 13%{?dist} Release: 14%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -446,6 +446,9 @@ exit 0
%endif %endif
%changelog %changelog
* Sat Dec 27 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-14
- Change userdom_read_all_users_state to include reading symbolic links in /proc
* Mon Dec 22 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-13 * Mon Dec 22 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-13
- Fix dbus reading /proc information - Fix dbus reading /proc information