- Fixes for reading xserver_tmp_t
This commit is contained in:
parent
87fb15321a
commit
339bf3bba8
28627
policy-20081111.patch
28627
policy-20081111.patch
@ -388,7 +388,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow consoletype_t self:fifo_file rw_fifo_file_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.2/policy/modules/admin/kismet.te
--- nsaserefpolicy/policy/modules/admin/kismet.te 2009-01-05 15:39:44.000000000 -0500
+++ serefpolicy-3.6.2/policy/modules/admin/kismet.te 2009-01-05 17:54:58.000000000 -0500
+++ serefpolicy-3.6.2/policy/modules/admin/kismet.te 2009-01-13 09:46:00.000000000 -0500
@@ -25,11 +25,14 @@
# kismet local policy
#
@ -406,7 +406,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
allow kismet_t kismet_log_t:dir setattr;
@@ -47,6 +50,15 @@
@@ -47,9 +50,19 @@
corecmd_exec_bin(kismet_t)
@ -422,6 +422,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_use_nsswitch(kismet_t)
files_read_etc_files(kismet_t)
+files_read_usr_files(kismet_t)
miscfiles_read_localization(kismet_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.2/policy/modules/admin/logrotate.te
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-01-05 15:39:44.000000000 -0500
+++ serefpolicy-3.6.2/policy/modules/admin/logrotate.te 2009-01-05 17:54:58.000000000 -0500
@ -1710,7 +1714,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.6.2/policy/modules/apps/gpg.if
--- nsaserefpolicy/policy/modules/apps/gpg.if 2009-01-05 15:39:38.000000000 -0500
+++ serefpolicy-3.6.2/policy/modules/apps/gpg.if 2009-01-05 17:54:58.000000000 -0500
+++ serefpolicy-3.6.2/policy/modules/apps/gpg.if 2009-01-12 14:03:31.000000000 -0500
@@ -30,7 +30,7 @@
# allow ps to show gpg
@ -1720,7 +1724,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# communicate with the user
allow gpg_helper_t $2:fd use;
@@ -46,9 +46,17 @@
@@ -46,9 +46,16 @@
manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
@ -1735,13 +1739,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ dontaudit gpg_t $2:unix_dgram_socket rw_socket_perms;
+ dontaudit gpg_t $2:fifo_file rw_fifo_file_perms;
+
+ userdom_manage_user_home_content_files(gpg_t)
')
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.2/policy/modules/apps/gpg.te
--- nsaserefpolicy/policy/modules/apps/gpg.te 2008-11-11 16:13:42.000000000 -0500
+++ serefpolicy-3.6.2/policy/modules/apps/gpg.te 2009-01-05 17:54:58.000000000 -0500
+++ serefpolicy-3.6.2/policy/modules/apps/gpg.te 2009-01-12 14:04:38.000000000 -0500
@@ -60,7 +60,7 @@
allow gpg_t self:capability { ipc_lock setuid };
@ -1819,10 +1822,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`use_nfs_home_dirs',`
fs_dontaudit_rw_nfs_files(gpg_helper_t)
@@ -157,6 +162,17 @@
@@ -157,6 +162,19 @@
xserver_rw_xdm_pipes(gpg_t)
')
+userdom_manage_user_tmp_files(gpg_t)
+userdom_manage_user_home_content_files(gpg_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(gpg_t)
@ -3477,7 +3482,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.2/policy/modules/apps/qemu.te
--- nsaserefpolicy/policy/modules/apps/qemu.te 2009-01-05 15:39:38.000000000 -0500
+++ serefpolicy-3.6.2/policy/modules/apps/qemu.te 2009-01-05 17:54:58.000000000 -0500
+++ serefpolicy-3.6.2/policy/modules/apps/qemu.te 2009-01-13 10:44:38.000000000 -0500
@@ -6,6 +6,8 @@
# Declarations
#
@ -3487,7 +3492,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## <desc>
## <p>
## Allow qemu to connect fully to the network
@@ -13,16 +15,105 @@
@@ -13,16 +15,107 @@
## </desc>
gen_tunable(qemu_full_network, false)
@ -3565,6 +3570,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+term_use_all_terms(qemutype)
+term_getattr_pty_fs(qemutype)
+term_use_generic_ptys(qemutype)
+term_use_ptmx(qemutype)
+
+auth_use_nsswitch(qemutype)
+
@ -3593,7 +3600,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`qemu_full_network',`
allow qemu_t self:udp_socket create_socket_perms;
@@ -35,6 +126,38 @@
@@ -35,6 +128,38 @@
corenet_tcp_connect_all_ports(qemu_t)
')
@ -5048,7 +5055,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.2/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500
+++ serefpolicy-3.6.2/policy/modules/kernel/files.if 2009-01-05 17:54:58.000000000 -0500
+++ serefpolicy-3.6.2/policy/modules/kernel/files.if 2009-01-13 09:30:48.000000000 -0500
@@ -110,6 +110,11 @@
## </param>
#
@ -6060,7 +6067,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/dev/root -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.2/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2008-11-11 16:13:41.000000000 -0500
+++ serefpolicy-3.6.2/policy/modules/kernel/terminal.if 2009-01-05 17:54:59.000000000 -0500
+++ serefpolicy-3.6.2/policy/modules/kernel/terminal.if 2009-01-13 09:31:44.000000000 -0500
@@ -250,9 +250,11 @@
interface(`term_dontaudit_use_console',`
gen_require(`
@ -8295,7 +8302,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.2/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2008-11-11 16:13:46.000000000 -0500
+++ serefpolicy-3.6.2/policy/modules/services/apache.te 2009-01-05 17:54:59.000000000 -0500
+++ serefpolicy-3.6.2/policy/modules/services/apache.te 2009-01-13 09:27:31.000000000 -0500
@@ -19,6 +19,8 @@
# Declarations
#
@ -19161,7 +19168,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.2/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.2/policy/modules/services/sendmail.if 2009-01-05 17:54:59.000000000 -0500
+++ serefpolicy-3.6.2/policy/modules/services/sendmail.if 2009-01-13 09:34:43.000000000 -0500
@@ -149,3 +149,92 @@
logging_log_filetrans($1, sendmail_log_t, file)
@ -20483,6 +20490,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_search_home(stunnel_t)
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.6.2/policy/modules/services/sysstat.te
--- nsaserefpolicy/policy/modules/services/sysstat.te 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.2/policy/modules/services/sysstat.te 2009-01-12 15:45:05.000000000 -0500
@@ -26,6 +26,7 @@
can_exec(sysstat_t, sysstat_exec_t)
manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+read_lnk_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
# get info from /proc
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.6.2/policy/modules/services/telnet.te
--- nsaserefpolicy/policy/modules/services/telnet.te 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.2/policy/modules/services/telnet.te 2009-01-05 17:54:59.000000000 -0500
@ -20709,6 +20727,47 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+miscfiles_read_localization(ulogd_t)
+
+permissive ulogd_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.fc serefpolicy-3.6.2/policy/modules/services/uucp.fc
--- nsaserefpolicy/policy/modules/services/uucp.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.2/policy/modules/services/uucp.fc 2009-01-13 09:34:09.000000000 -0500
@@ -7,3 +7,5 @@
/var/spool/uucppublic(/.*)? gen_context(system_u:object_r:uucpd_spool_t,s0)
/var/log/uucp(/.*)? gen_context(system_u:object_r:uucpd_log_t,s0)
+
+/var/lock/uucp(/.*)? gen_context(system_u:object_r:uucpd_lock_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.2/policy/modules/services/uucp.te
--- nsaserefpolicy/policy/modules/services/uucp.te 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.2/policy/modules/services/uucp.te 2009-01-13 09:35:13.000000000 -0500
@@ -10,6 +10,9 @@
inetd_tcp_service_domain(uucpd_t, uucpd_exec_t)
role system_r types uucpd_t;
+type uucpd_lock_t;
+files_lock_file(uucpd_lock_t)
+
type uucpd_tmp_t;
files_tmp_file(uucpd_tmp_t)
@@ -58,6 +61,10 @@
uucp_manage_spool(uucpd_t)
+files_search_locks(uucpd_t)
+manage_dirs_pattern(uucpd_t, uucpd_lock_t, uucpd_lock_t)
+manage_files_pattern(uucpd_t, uucpd_lock_t, uucpd_lock_t)
+
manage_dirs_pattern(uucpd_t, uucpd_tmp_t, uucpd_tmp_t)
manage_files_pattern(uucpd_t, uucpd_tmp_t, uucpd_tmp_t)
files_tmp_filetrans(uucpd_t, uucpd_tmp_t, { file dir })
@@ -122,6 +129,7 @@
optional_policy(`
mta_send_mail(uux_t)
mta_read_queue(uux_t)
+ sendmail_rw_unix_stream_sockets(uux_t)
')
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.2/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.2/policy/modules/services/virt.te 2009-01-05 17:54:59.000000000 -0500
@ -20842,7 +20901,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.2/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.2/policy/modules/services/xserver.if 2009-01-05 17:54:59.000000000 -0500
+++ serefpolicy-3.6.2/policy/modules/services/xserver.if 2009-01-12 14:24:38.000000000 -0500
@@ -156,7 +156,7 @@
allow $1 xserver_t:process signal;
# Read /tmp/.X0-lock
- allow $1 xserver_tmp_t:file { getattr read };
+ allow $1 xserver_tmp_t:file read_file_perms;
# Client read xserver shm
allow $1 xserver_t:fd use;
@@ -219,12 +219,12 @@
allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
# Read .Xauthority file
- allow $1 xauth_home_t:file { getattr read };
- allow $1 iceauth_home_t:file { getattr read };
+ allow $1 xauth_home_t:file read_file_perms;
+ allow $1 iceauth_home_t:file read_file_perms;
# for when /tmp/.X11-unix is created by the system
allow $1 xdm_t:fd use;
- allow $1 xdm_t:fifo_file { getattr read write ioctl };
+ allow $1 xdm_t:fifo_file rw_fifo_file_perms;
allow $1 xdm_tmp_t:dir search;
allow $1 xdm_tmp_t:sock_file { read write };
dontaudit $1 xdm_t:tcp_socket { read write };
@@ -397,11 +397,12 @@
gen_require(`
type xdm_t, xdm_tmp_t;
@ -20859,6 +20943,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Read .Xauthority file
allow $2 xauth_home_t:file read_file_perms;
@@ -409,7 +410,7 @@
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
- allow $2 xdm_t:fifo_file { getattr read write ioctl };
+ allow $2 xdm_t:fifo_file rw_fifo_file_perms;
allow $2 xdm_tmp_t:dir search_dir_perms;
allow $2 xdm_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write };
@@ -437,6 +438,10 @@
allow $2 xserver_t:shm rw_shm_perms;
allow $2 xserver_tmpfs_t:file rw_file_perms;
@ -25884,7 +25977,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.2/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.2/policy/modules/system/userdomain.if 2009-01-06 10:53:21.000000000 -0500
+++ serefpolicy-3.6.2/policy/modules/system/userdomain.if 2009-01-12 14:04:30.000000000 -0500
@@ -30,8 +30,9 @@
')
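Review bot: The hunk that adds `+miscfiles_read_localization(ulogd_t)` also adds `+permissive ulogd_t;`, which switches off enforcement for that whole domain so every denial it would otherwise hit is only audited, and nothing in the hunk says why or when that line is meant to go away. If it is a bring-up aid for a new module, put that in the policy itself, e.g. `# TODO: drop permissive once the ulogd_t rules are complete`, so the line is not forgotten when the module ships. The qemu hunk has a related least-privilege question: `+term_use_all_terms(qemutype)` is granted next to the narrower `term_use_generic_ptys(qemutype)` and `term_use_ptmx(qemutype)`, and if those cover the console qemu actually needs, the all-terms grant can presumably be dropped. The enclosing modules for both hunks start and end outside this view, so I cannot see whether either line is qualified elsewhere.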
@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.2
Release: 3%{?dist}
Release: 4%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -445,6 +445,9 @@ exit 0
%endif
%changelog
* Mon Jan 12 2009 Dan Walsh <dwalsh@redhat.com> 3.6.2-4
- Fixes for reading xserver_tmp_t
* Thu Jan 8 2009 Dan Walsh <dwalsh@redhat.com> 3.6.2-3
- Allow cups_pdf_t write to nfs_t