Daniel J Walsh
parent
6455c9d6b5
commit
3375c34d9a
|
|
@ -2198,7 +2198,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if
|
|||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.0.8/policy/modules/admin/vpn.te
|
||||
--- nsaserefpolicy/policy/modules/admin/vpn.te 2007-07-25 10:37:43.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/admin/vpn.te 2007-10-18 13:19:26.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/admin/vpn.te 2007-10-19 10:15:22.000000000 -0400
|
||||
@@ -22,7 +22,7 @@
|
||||
# Local policy
|
||||
#
|
||||
|
|
@ -3650,7 +3650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
|
|||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.0.8/policy/modules/kernel/domain.te
|
||||
--- nsaserefpolicy/policy/modules/kernel/domain.te 2007-07-25 10:37:36.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/kernel/domain.te 2007-10-03 11:10:24.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/kernel/domain.te 2007-10-19 11:01:04.000000000 -0400
|
||||
@@ -6,6 +6,22 @@
|
||||
# Declarations
|
||||
#
|
||||
|
|
@ -3674,7 +3674,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
|
|||
# Mark process types as domains
|
||||
attribute domain;
|
||||
|
||||
@@ -134,3 +150,22 @@
|
||||
@@ -80,6 +96,8 @@
|
||||
allow domain self:lnk_file r_file_perms;
|
||||
allow domain self:file rw_file_perms;
|
||||
kernel_read_proc_symlinks(domain)
|
||||
+# Every domain gets the key ring, so we should default to no one allowed to look at it
|
||||
+kernel_dontaudit_search_key(domain)
|
||||
|
||||
# create child processes in the domain
|
||||
allow domain self:process { fork sigchld };
|
||||
@@ -134,3 +152,22 @@
|
||||
|
||||
# act on all domains keys
|
||||
allow unconfined_domain_type domain:key *;
|
||||
|
|
@ -4264,8 +4273,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
|
|||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.8/policy/modules/kernel/filesystem.te
|
||||
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-09-12 10:34:49.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.te 2007-10-08 11:25:43.000000000 -0400
|
||||
@@ -80,6 +80,7 @@
|
||||
+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.te 2007-10-19 10:04:10.000000000 -0400
|
||||
@@ -29,6 +29,7 @@
|
||||
fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
|
||||
fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
|
||||
fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
|
||||
+fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
|
||||
|
||||
# Use the allocating task SID to label inodes in the following filesystem
|
||||
# types, and label the filesystem itself with the specified context.
|
||||
@@ -80,6 +81,7 @@
|
||||
type fusefs_t;
|
||||
fs_noxattr_type(fusefs_t)
|
||||
allow fusefs_t self:filesystem associate;
|
||||
|
|
@ -4273,7 +4290,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
|
|||
genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
|
||||
genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
|
||||
|
||||
@@ -116,6 +117,7 @@
|
||||
@@ -116,6 +118,7 @@
|
||||
|
||||
type ramfs_t;
|
||||
fs_type(ramfs_t)
|
||||
|
|
@ -4281,7 +4298,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
|
|||
genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0)
|
||||
|
||||
type romfs_t;
|
||||
@@ -133,6 +135,11 @@
|
||||
@@ -133,6 +136,11 @@
|
||||
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
|
||||
files_mountpoint(spufs_t)
|
||||
|
||||
|
|
@ -4295,7 +4312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
|
|||
files_mountpoint(vxfs_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.8/policy/modules/kernel/kernel.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-08-22 07:14:06.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if 2007-10-03 11:10:24.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if 2007-10-19 11:00:20.000000000 -0400
|
||||
@@ -352,6 +352,24 @@
|
||||
|
||||
########################################
|
||||
|
|
@ -6882,14 +6899,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
|||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.0.8/policy/modules/services/dnsmasq.te
|
||||
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2007-07-25 10:37:42.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/dnsmasq.te 2007-10-03 11:10:24.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/dnsmasq.te 2007-10-19 10:47:35.000000000 -0400
|
||||
@@ -94,3 +94,7 @@
|
||||
optional_policy(`
|
||||
udev_read_db(dnsmasq_t)
|
||||
')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ virt_rw_lib_files(dnsmasq_t)
|
||||
+ virt_manage_lib_files(dnsmasq_t)
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.0.8/policy/modules/services/dovecot.fc
|
||||
--- nsaserefpolicy/policy/modules/services/dovecot.fc 2007-05-29 14:10:57.000000000 -0400
|
||||
|
|
@ -7703,7 +7720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
|||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.0.8/policy/modules/services/inetd.te
|
||||
--- nsaserefpolicy/policy/modules/services/inetd.te 2007-09-12 10:34:50.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/inetd.te 2007-10-10 09:28:59.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/inetd.te 2007-10-19 10:51:35.000000000 -0400
|
||||
@@ -53,6 +53,8 @@
|
||||
allow inetd_t inetd_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(inetd_t,inetd_var_run_t,file)
|
||||
|
|
@ -7713,7 +7730,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
|
|||
kernel_read_kernel_sysctls(inetd_t)
|
||||
kernel_list_proc(inetd_t)
|
||||
kernel_read_proc_symlinks(inetd_t)
|
||||
@@ -80,16 +82,21 @@
|
||||
@@ -80,16 +82,22 @@
|
||||
corenet_udp_bind_comsat_port(inetd_t)
|
||||
corenet_tcp_bind_dbskkd_port(inetd_t)
|
||||
corenet_udp_bind_dbskkd_port(inetd_t)
|
||||
|
|
@ -7721,6 +7738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
|
|||
corenet_udp_bind_ftp_port(inetd_t)
|
||||
corenet_tcp_bind_inetd_child_port(inetd_t)
|
||||
+corenet_udp_bind_inetd_child_port(inetd_t)
|
||||
+corenet_tcp_bind_ircd_port(inetd_t)
|
||||
corenet_udp_bind_ktalkd_port(inetd_t)
|
||||
corenet_tcp_bind_printer_port(inetd_t)
|
||||
+corenet_udp_bind_rlogind_port(inetd_t)
|
||||
|
|
@ -7735,7 +7753,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
|
|||
corenet_udp_bind_tftp_port(inetd_t)
|
||||
corenet_tcp_bind_ssh_port(inetd_t)
|
||||
|
||||
@@ -132,8 +139,10 @@
|
||||
@@ -132,8 +140,10 @@
|
||||
miscfiles_read_localization(inetd_t)
|
||||
|
||||
# xinetd needs MLS override privileges to work
|
||||
|
|
@ -7746,19 +7764,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
|
|||
mls_process_set_level(inetd_t)
|
||||
|
||||
sysnet_read_config(inetd_t)
|
||||
@@ -141,6 +150,11 @@
|
||||
@@ -141,6 +151,11 @@
|
||||
userdom_dontaudit_use_unpriv_user_fds(inetd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(inetd_t)
|
||||
|
||||
+ifdef(`enable_mls',`
|
||||
+ corenet_tcp_recv_netlabel(inetd_t)
|
||||
+ corenet_udp_recv_netlabel(inetd_t)
|
||||
+ corenet_tcp_recvfrom_netlabel(inetd_t)
|
||||
+ corenet_udp_recvfrom_netlabel(inetd_t)
|
||||
+')
|
||||
+
|
||||
optional_policy(`
|
||||
amanda_search_lib(inetd_t)
|
||||
')
|
||||
@@ -170,6 +184,9 @@
|
||||
@@ -170,6 +185,9 @@
|
||||
# for identd
|
||||
allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
||||
allow inetd_child_t self:capability { setuid setgid };
|
||||
|
|
@ -7768,7 +7786,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
|
|||
files_search_home(inetd_child_t)
|
||||
|
||||
manage_dirs_pattern(inetd_child_t,inetd_child_tmp_t,inetd_child_tmp_t)
|
||||
@@ -212,13 +229,10 @@
|
||||
@@ -212,13 +230,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -9999,7 +10017,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
|
|||
userdom_read_unpriv_users_tmp_files(gssd_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.0.8/policy/modules/services/rshd.te
|
||||
--- nsaserefpolicy/policy/modules/services/rshd.te 2007-09-12 10:34:50.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/rshd.te 2007-10-18 18:33:05.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/rshd.te 2007-10-19 10:15:23.000000000 -0400
|
||||
@@ -16,10 +16,11 @@
|
||||
#
|
||||
# Local policy
|
||||
|
|
@ -10023,13 +10041,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd
|
|||
corenet_sendrecv_rsh_server_packets(rshd_t)
|
||||
|
||||
dev_read_urand(rshd_t)
|
||||
@@ -44,28 +48,44 @@
|
||||
@@ -44,28 +48,42 @@
|
||||
selinux_compute_relabel_context(rshd_t)
|
||||
selinux_compute_user_contexts(rshd_t)
|
||||
|
||||
+auth_use_nsswitch(rshd_t)
|
||||
auth_domtrans_chk_passwd(rshd_t)
|
||||
+auth_domtrans_upd_passwd_chk(rshd_t)
|
||||
-auth_domtrans_chk_passwd(rshd_t)
|
||||
+auth_login_pgm_domain(rshd_t)
|
||||
+auth_search_key(rshd_t)
|
||||
+auth_write_login_records(rshd_t)
|
||||
|
||||
|
|
@ -10071,7 +10088,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd
|
|||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_read_nfs_files(rshd_t)
|
||||
fs_read_nfs_symlinks(rshd_t)
|
||||
@@ -76,15 +96,3 @@
|
||||
@@ -76,15 +94,3 @@
|
||||
fs_read_cifs_symlinks(rshd_t)
|
||||
')
|
||||
|
||||
|
|
@ -12190,7 +12207,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
|
||||
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-08-22 07:14:13.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-10-18 17:06:56.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-10-19 08:20:05.000000000 -0400
|
||||
@@ -26,7 +26,8 @@
|
||||
type $1_chkpwd_t, can_read_shadow_passwords;
|
||||
application_domain($1_chkpwd_t,chkpwd_exec_t)
|
||||
|
|
@ -12222,14 +12239,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||
|
||||
domain_type($1)
|
||||
domain_subj_id_change_exemption($1)
|
||||
@@ -176,11 +178,32 @@
|
||||
@@ -176,11 +178,31 @@
|
||||
domain_obj_id_change_exemption($1)
|
||||
role system_r types $1;
|
||||
|
||||
+ # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
|
||||
+ kernel_write_proc_files($1)
|
||||
+
|
||||
+
|
||||
+ auth_keyring_domain($1)
|
||||
+ allow $1 keyring_type:key { search link };
|
||||
+
|
||||
|
|
@ -12255,7 +12271,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||
selinux_get_fs_mount($1)
|
||||
selinux_validate_context($1)
|
||||
selinux_compute_access_vector($1)
|
||||
@@ -196,22 +219,40 @@
|
||||
@@ -196,22 +218,40 @@
|
||||
mls_fd_share_all_levels($1)
|
||||
|
||||
auth_domtrans_chk_passwd($1)
|
||||
|
|
@ -12297,7 +12313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||
')
|
||||
')
|
||||
|
||||
@@ -309,9 +350,6 @@
|
||||
@@ -309,9 +349,6 @@
|
||||
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
|
||||
')
|
||||
|
||||
|
|
@ -12307,7 +12323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
|
||||
|
||||
@@ -329,6 +367,8 @@
|
||||
@@ -329,6 +366,8 @@
|
||||
|
||||
optional_policy(`
|
||||
kerberos_use($1)
|
||||
|
|
@ -12316,7 +12332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -347,6 +387,37 @@
|
||||
@@ -347,6 +386,37 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -12354,7 +12370,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||
## Get the attributes of the shadow passwords file.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -695,6 +766,24 @@
|
||||
@@ -695,6 +765,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -12379,7 +12395,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||
## Execute pam programs in the PAM domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1318,16 +1407,14 @@
|
||||
@@ -1318,16 +1406,14 @@
|
||||
## </param>
|
||||
#
|
||||
interface(`auth_use_nsswitch',`
|
||||
|
|
@ -12399,7 +12415,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||
miscfiles_read_certs($1)
|
||||
|
||||
sysnet_dns_name_resolve($1)
|
||||
@@ -1347,6 +1434,8 @@
|
||||
@@ -1347,6 +1433,8 @@
|
||||
|
||||
optional_policy(`
|
||||
samba_stream_connect_winbind($1)
|
||||
|
|
@ -12408,7 +12424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||
')
|
||||
')
|
||||
|
||||
@@ -1381,3 +1470,163 @@
|
||||
@@ -1381,3 +1469,163 @@
|
||||
typeattribute $1 can_write_shadow_passwords;
|
||||
typeattribute $1 can_relabelto_shadow_passwords;
|
||||
')
|
||||
|
|
@ -15668,7 +15684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te
|
||||
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-07-25 10:37:42.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-10-18 16:48:24.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-10-19 10:29:16.000000000 -0400
|
||||
@@ -5,36 +5,48 @@
|
||||
#
|
||||
# Declarations
|
||||
|
|
@ -15725,7 +15741,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||
|
||||
libs_run_ldconfig(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
|
||||
|
||||
@@ -42,37 +54,30 @@
|
||||
@@ -42,37 +54,29 @@
|
||||
logging_run_auditctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
|
||||
|
||||
mount_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
|
||||
|
|
@ -15738,7 +15754,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||
|
||||
-unconfined_domain(unconfined_t)
|
||||
-
|
||||
+userdom_unconfined(unconfined_t)
|
||||
userdom_priveleged_home_dir_manager(unconfined_t)
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -15771,7 +15786,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -107,6 +112,10 @@
|
||||
@@ -107,6 +111,10 @@
|
||||
optional_policy(`
|
||||
oddjob_dbus_chat(unconfined_t)
|
||||
')
|
||||
|
|
@ -15782,7 +15797,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -118,11 +127,11 @@
|
||||
@@ -118,11 +126,11 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -15796,7 +15811,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -134,11 +143,7 @@
|
||||
@@ -134,11 +142,7 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -15809,7 +15824,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -155,32 +160,23 @@
|
||||
@@ -155,32 +159,23 @@
|
||||
|
||||
optional_policy(`
|
||||
postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
|
||||
|
|
@ -15846,7 +15861,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -205,11 +201,22 @@
|
||||
@@ -205,11 +200,22 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -15871,7 +15886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -225,8 +232,21 @@
|
||||
@@ -225,8 +231,21 @@
|
||||
|
||||
init_dbus_chat_script(unconfined_execmem_t)
|
||||
unconfined_dbus_chat(unconfined_execmem_t)
|
||||
|
|
@ -17456,8 +17471,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.f
|
|||
+/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.if serefpolicy-3.0.8/policy/modules/system/virt.if
|
||||
--- nsaserefpolicy/policy/modules/system/virt.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.0.8/policy/modules/system/virt.if 2007-10-03 11:10:25.000000000 -0400
|
||||
@@ -0,0 +1,58 @@
|
||||
+++ serefpolicy-3.0.8/policy/modules/system/virt.if 2007-10-19 10:47:26.000000000 -0400
|
||||
@@ -0,0 +1,78 @@
|
||||
+## <summary>Virtualization </summary>
|
||||
+
|
||||
+########################################
|
||||
|
|
@ -17516,6 +17531,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i
|
|||
+ files_list_var_lib($1)
|
||||
+ rw_files_pattern($1,virt_var_lib_t,virt_var_lib_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Allow the specified domain to manage
|
||||
+## virt library files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed to transition.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`virt_manage_lib_files',`
|
||||
+ gen_require(`
|
||||
+ type virt_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_list_var_lib($1)
|
||||
+ manage_files_pattern($1,virt_var_lib_t,virt_var_lib_t)
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.0.8/policy/modules/system/virt.te
|
||||
--- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.0.8/policy/modules/system/virt.te 2007-10-03 11:10:25.000000000 -0400
|
||||
|
|
@ -17775,7 +17810,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.
|
|||
+## <summary>Policy for webadm user</summary>
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.0.8/policy/modules/users/webadm.te
|
||||
--- nsaserefpolicy/policy/modules/users/webadm.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.0.8/policy/modules/users/webadm.te 2007-10-03 11:10:25.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/users/webadm.te 2007-10-19 10:27:46.000000000 -0400
|
||||
@@ -0,0 +1,42 @@
|
||||
+policy_module(webadm,1.0.0)
|
||||
+
|
||||
|
|
@ -17805,7 +17840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.
|
|||
+files_manage_generic_locks(webadm_t)
|
||||
+files_list_var(webadm_t)
|
||||
+selinux_get_enforce_mode(webadm_t)
|
||||
+seutil_domtrans_restorecon(webadm_t)
|
||||
+seutil_domtrans_setfiles(webadm_t)
|
||||
+
|
||||
+logging_send_syslog_msg(webadm_t)
|
||||
+
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@
|
|||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.0.8
|
||||
Release: 26%{?dist}
|
||||
Release: 27%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
|
|
@ -373,6 +373,10 @@ exit 0
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Oct 17 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-27
|
||||
- Fix dnsmasq
|
||||
- Allow rshd full login privs
|
||||
|
||||
* Thu Oct 16 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-26
|
||||
- Allow rshd to connect to ports > 1023
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue