- Fixes for reading xserver_tmp_t
parent
87fb15321a
commit
339bf3bba8
28627
policy-20081111.patch
28627
policy-20081111.patch
|
@ -388,7 +388,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
allow consoletype_t self:fifo_file rw_fifo_file_perms;
|
allow consoletype_t self:fifo_file rw_fifo_file_perms;
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.2/policy/modules/admin/kismet.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.2/policy/modules/admin/kismet.te
|
||||||
--- nsaserefpolicy/policy/modules/admin/kismet.te 2009-01-05 15:39:44.000000000 -0500
|
--- nsaserefpolicy/policy/modules/admin/kismet.te 2009-01-05 15:39:44.000000000 -0500
|
||||||
+++ serefpolicy-3.6.2/policy/modules/admin/kismet.te 2009-01-05 17:54:58.000000000 -0500
|
+++ serefpolicy-3.6.2/policy/modules/admin/kismet.te 2009-01-13 09:46:00.000000000 -0500
|
||||||
@@ -25,11 +25,14 @@
|
@@ -25,11 +25,14 @@
|
||||||
# kismet local policy
|
# kismet local policy
|
||||||
#
|
#
|
||||||
|
@ -406,7 +406,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
|
manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
|
||||||
allow kismet_t kismet_log_t:dir setattr;
|
allow kismet_t kismet_log_t:dir setattr;
|
||||||
@@ -47,6 +50,15 @@
|
@@ -47,9 +50,19 @@
|
||||||
|
|
||||||
corecmd_exec_bin(kismet_t)
|
corecmd_exec_bin(kismet_t)
|
||||||
|
|
||||||
|
@ -422,6 +422,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
auth_use_nsswitch(kismet_t)
|
auth_use_nsswitch(kismet_t)
|
||||||
|
|
||||||
files_read_etc_files(kismet_t)
|
files_read_etc_files(kismet_t)
|
||||||
|
+files_read_usr_files(kismet_t)
|
||||||
|
|
||||||
|
miscfiles_read_localization(kismet_t)
|
||||||
|
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.2/policy/modules/admin/logrotate.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.2/policy/modules/admin/logrotate.te
|
||||||
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-01-05 15:39:44.000000000 -0500
|
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-01-05 15:39:44.000000000 -0500
|
||||||
+++ serefpolicy-3.6.2/policy/modules/admin/logrotate.te 2009-01-05 17:54:58.000000000 -0500
|
+++ serefpolicy-3.6.2/policy/modules/admin/logrotate.te 2009-01-05 17:54:58.000000000 -0500
|
||||||
|
@ -1710,7 +1714,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
|
+/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.6.2/policy/modules/apps/gpg.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.6.2/policy/modules/apps/gpg.if
|
||||||
--- nsaserefpolicy/policy/modules/apps/gpg.if 2009-01-05 15:39:38.000000000 -0500
|
--- nsaserefpolicy/policy/modules/apps/gpg.if 2009-01-05 15:39:38.000000000 -0500
|
||||||
+++ serefpolicy-3.6.2/policy/modules/apps/gpg.if 2009-01-05 17:54:58.000000000 -0500
|
+++ serefpolicy-3.6.2/policy/modules/apps/gpg.if 2009-01-12 14:03:31.000000000 -0500
|
||||||
@@ -30,7 +30,7 @@
|
@@ -30,7 +30,7 @@
|
||||||
|
|
||||||
# allow ps to show gpg
|
# allow ps to show gpg
|
||||||
|
@ -1720,7 +1724,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
# communicate with the user
|
# communicate with the user
|
||||||
allow gpg_helper_t $2:fd use;
|
allow gpg_helper_t $2:fd use;
|
||||||
@@ -46,9 +46,17 @@
|
@@ -46,9 +46,16 @@
|
||||||
manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
|
manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
|
||||||
manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
|
manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
|
||||||
files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
|
files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
|
||||||
|
@ -1735,13 +1739,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+ dontaudit gpg_t $2:unix_dgram_socket rw_socket_perms;
|
+ dontaudit gpg_t $2:unix_dgram_socket rw_socket_perms;
|
||||||
+ dontaudit gpg_t $2:fifo_file rw_fifo_file_perms;
|
+ dontaudit gpg_t $2:fifo_file rw_fifo_file_perms;
|
||||||
+
|
+
|
||||||
+ userdom_manage_user_home_content_files(gpg_t)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.2/policy/modules/apps/gpg.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.2/policy/modules/apps/gpg.te
|
||||||
--- nsaserefpolicy/policy/modules/apps/gpg.te 2008-11-11 16:13:42.000000000 -0500
|
--- nsaserefpolicy/policy/modules/apps/gpg.te 2008-11-11 16:13:42.000000000 -0500
|
||||||
+++ serefpolicy-3.6.2/policy/modules/apps/gpg.te 2009-01-05 17:54:58.000000000 -0500
|
+++ serefpolicy-3.6.2/policy/modules/apps/gpg.te 2009-01-12 14:04:38.000000000 -0500
|
||||||
@@ -60,7 +60,7 @@
|
@@ -60,7 +60,7 @@
|
||||||
|
|
||||||
allow gpg_t self:capability { ipc_lock setuid };
|
allow gpg_t self:capability { ipc_lock setuid };
|
||||||
|
@ -1819,10 +1822,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
tunable_policy(`use_nfs_home_dirs',`
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
fs_dontaudit_rw_nfs_files(gpg_helper_t)
|
fs_dontaudit_rw_nfs_files(gpg_helper_t)
|
||||||
@@ -157,6 +162,17 @@
|
@@ -157,6 +162,19 @@
|
||||||
xserver_rw_xdm_pipes(gpg_t)
|
xserver_rw_xdm_pipes(gpg_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
+userdom_manage_user_tmp_files(gpg_t)
|
||||||
|
+userdom_manage_user_home_content_files(gpg_t)
|
||||||
+
|
+
|
||||||
+tunable_policy(`use_nfs_home_dirs',`
|
+tunable_policy(`use_nfs_home_dirs',`
|
||||||
+ fs_manage_nfs_dirs(gpg_t)
|
+ fs_manage_nfs_dirs(gpg_t)
|
||||||
|
@ -3477,7 +3482,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
')
|
')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.2/policy/modules/apps/qemu.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.2/policy/modules/apps/qemu.te
|
||||||
--- nsaserefpolicy/policy/modules/apps/qemu.te 2009-01-05 15:39:38.000000000 -0500
|
--- nsaserefpolicy/policy/modules/apps/qemu.te 2009-01-05 15:39:38.000000000 -0500
|
||||||
+++ serefpolicy-3.6.2/policy/modules/apps/qemu.te 2009-01-05 17:54:58.000000000 -0500
|
+++ serefpolicy-3.6.2/policy/modules/apps/qemu.te 2009-01-13 10:44:38.000000000 -0500
|
||||||
@@ -6,6 +6,8 @@
|
@@ -6,6 +6,8 @@
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
@ -3487,7 +3492,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow qemu to connect fully to the network
|
## Allow qemu to connect fully to the network
|
||||||
@@ -13,16 +15,105 @@
|
@@ -13,16 +15,107 @@
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(qemu_full_network, false)
|
gen_tunable(qemu_full_network, false)
|
||||||
|
|
||||||
|
@ -3565,6 +3570,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+
|
+
|
||||||
+term_use_all_terms(qemutype)
|
+term_use_all_terms(qemutype)
|
||||||
+term_getattr_pty_fs(qemutype)
|
+term_getattr_pty_fs(qemutype)
|
||||||
|
+term_use_generic_ptys(qemutype)
|
||||||
|
+term_use_ptmx(qemutype)
|
||||||
+
|
+
|
||||||
+auth_use_nsswitch(qemutype)
|
+auth_use_nsswitch(qemutype)
|
||||||
+
|
+
|
||||||
|
@ -3593,7 +3600,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
tunable_policy(`qemu_full_network',`
|
tunable_policy(`qemu_full_network',`
|
||||||
allow qemu_t self:udp_socket create_socket_perms;
|
allow qemu_t self:udp_socket create_socket_perms;
|
||||||
|
|
||||||
@@ -35,6 +126,38 @@
|
@@ -35,6 +128,38 @@
|
||||||
corenet_tcp_connect_all_ports(qemu_t)
|
corenet_tcp_connect_all_ports(qemu_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -5048,7 +5055,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
|
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.2/policy/modules/kernel/files.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.2/policy/modules/kernel/files.if
|
||||||
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500
|
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500
|
||||||
+++ serefpolicy-3.6.2/policy/modules/kernel/files.if 2009-01-05 17:54:58.000000000 -0500
|
+++ serefpolicy-3.6.2/policy/modules/kernel/files.if 2009-01-13 09:30:48.000000000 -0500
|
||||||
@@ -110,6 +110,11 @@
|
@@ -110,6 +110,11 @@
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
|
@ -6060,7 +6067,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
/dev/root -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
/dev/root -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.2/policy/modules/kernel/terminal.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.2/policy/modules/kernel/terminal.if
|
||||||
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2008-11-11 16:13:41.000000000 -0500
|
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2008-11-11 16:13:41.000000000 -0500
|
||||||
+++ serefpolicy-3.6.2/policy/modules/kernel/terminal.if 2009-01-05 17:54:59.000000000 -0500
|
+++ serefpolicy-3.6.2/policy/modules/kernel/terminal.if 2009-01-13 09:31:44.000000000 -0500
|
||||||
@@ -250,9 +250,11 @@
|
@@ -250,9 +250,11 @@
|
||||||
interface(`term_dontaudit_use_console',`
|
interface(`term_dontaudit_use_console',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
|
@ -8295,7 +8302,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.2/policy/modules/services/apache.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.2/policy/modules/services/apache.te
|
||||||
--- nsaserefpolicy/policy/modules/services/apache.te 2008-11-11 16:13:46.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/apache.te 2008-11-11 16:13:46.000000000 -0500
|
||||||
+++ serefpolicy-3.6.2/policy/modules/services/apache.te 2009-01-05 17:54:59.000000000 -0500
|
+++ serefpolicy-3.6.2/policy/modules/services/apache.te 2009-01-13 09:27:31.000000000 -0500
|
||||||
@@ -19,6 +19,8 @@
|
@@ -19,6 +19,8 @@
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
@ -19161,7 +19168,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.2/policy/modules/services/sendmail.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.2/policy/modules/services/sendmail.if
|
||||||
--- nsaserefpolicy/policy/modules/services/sendmail.if 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/sendmail.if 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.6.2/policy/modules/services/sendmail.if 2009-01-05 17:54:59.000000000 -0500
|
+++ serefpolicy-3.6.2/policy/modules/services/sendmail.if 2009-01-13 09:34:43.000000000 -0500
|
||||||
@@ -149,3 +149,92 @@
|
@@ -149,3 +149,92 @@
|
||||||
|
|
||||||
logging_log_filetrans($1, sendmail_log_t, file)
|
logging_log_filetrans($1, sendmail_log_t, file)
|
||||||
|
@ -20483,6 +20490,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
files_search_home(stunnel_t)
|
files_search_home(stunnel_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.6.2/policy/modules/services/sysstat.te
|
||||||
|
--- nsaserefpolicy/policy/modules/services/sysstat.te 2009-01-05 15:39:43.000000000 -0500
|
||||||
|
+++ serefpolicy-3.6.2/policy/modules/services/sysstat.te 2009-01-12 15:45:05.000000000 -0500
|
||||||
|
@@ -26,6 +26,7 @@
|
||||||
|
can_exec(sysstat_t, sysstat_exec_t)
|
||||||
|
|
||||||
|
manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
|
||||||
|
+read_lnk_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
|
||||||
|
logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
|
||||||
|
|
||||||
|
# get info from /proc
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.6.2/policy/modules/services/telnet.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.6.2/policy/modules/services/telnet.te
|
||||||
--- nsaserefpolicy/policy/modules/services/telnet.te 2009-01-05 15:39:43.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/telnet.te 2009-01-05 15:39:43.000000000 -0500
|
||||||
+++ serefpolicy-3.6.2/policy/modules/services/telnet.te 2009-01-05 17:54:59.000000000 -0500
|
+++ serefpolicy-3.6.2/policy/modules/services/telnet.te 2009-01-05 17:54:59.000000000 -0500
|
||||||
|
@ -20709,6 +20727,47 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+miscfiles_read_localization(ulogd_t)
|
+miscfiles_read_localization(ulogd_t)
|
||||||
+
|
+
|
||||||
+permissive ulogd_t;
|
+permissive ulogd_t;
|
||||||
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.fc serefpolicy-3.6.2/policy/modules/services/uucp.fc
|
||||||
|
--- nsaserefpolicy/policy/modules/services/uucp.fc 2008-08-07 11:15:11.000000000 -0400
|
||||||
|
+++ serefpolicy-3.6.2/policy/modules/services/uucp.fc 2009-01-13 09:34:09.000000000 -0500
|
||||||
|
@@ -7,3 +7,5 @@
|
||||||
|
/var/spool/uucppublic(/.*)? gen_context(system_u:object_r:uucpd_spool_t,s0)
|
||||||
|
|
||||||
|
/var/log/uucp(/.*)? gen_context(system_u:object_r:uucpd_log_t,s0)
|
||||||
|
+
|
||||||
|
+/var/lock/uucp(/.*)? gen_context(system_u:object_r:uucpd_lock_t,s0)
|
||||||
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.2/policy/modules/services/uucp.te
|
||||||
|
--- nsaserefpolicy/policy/modules/services/uucp.te 2009-01-05 15:39:43.000000000 -0500
|
||||||
|
+++ serefpolicy-3.6.2/policy/modules/services/uucp.te 2009-01-13 09:35:13.000000000 -0500
|
||||||
|
@@ -10,6 +10,9 @@
|
||||||
|
inetd_tcp_service_domain(uucpd_t, uucpd_exec_t)
|
||||||
|
role system_r types uucpd_t;
|
||||||
|
|
||||||
|
+type uucpd_lock_t;
|
||||||
|
+files_lock_file(uucpd_lock_t)
|
||||||
|
+
|
||||||
|
type uucpd_tmp_t;
|
||||||
|
files_tmp_file(uucpd_tmp_t)
|
||||||
|
|
||||||
|
@@ -58,6 +61,10 @@
|
||||||
|
|
||||||
|
uucp_manage_spool(uucpd_t)
|
||||||
|
|
||||||
|
+files_search_locks(uucpd_t)
|
||||||
|
+manage_dirs_pattern(uucpd_t, uucpd_lock_t, uucpd_lock_t)
|
||||||
|
+manage_files_pattern(uucpd_t, uucpd_lock_t, uucpd_lock_t)
|
||||||
|
+
|
||||||
|
manage_dirs_pattern(uucpd_t, uucpd_tmp_t, uucpd_tmp_t)
|
||||||
|
manage_files_pattern(uucpd_t, uucpd_tmp_t, uucpd_tmp_t)
|
||||||
|
files_tmp_filetrans(uucpd_t, uucpd_tmp_t, { file dir })
|
||||||
|
@@ -122,6 +129,7 @@
|
||||||
|
optional_policy(`
|
||||||
|
mta_send_mail(uux_t)
|
||||||
|
mta_read_queue(uux_t)
|
||||||
|
+ sendmail_rw_unix_stream_sockets(uux_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.2/policy/modules/services/virt.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.2/policy/modules/services/virt.te
|
||||||
--- nsaserefpolicy/policy/modules/services/virt.te 2009-01-05 15:39:43.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/virt.te 2009-01-05 15:39:43.000000000 -0500
|
||||||
+++ serefpolicy-3.6.2/policy/modules/services/virt.te 2009-01-05 17:54:59.000000000 -0500
|
+++ serefpolicy-3.6.2/policy/modules/services/virt.te 2009-01-05 17:54:59.000000000 -0500
|
||||||
|
@ -20842,7 +20901,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.2/policy/modules/services/xserver.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.2/policy/modules/services/xserver.if
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.if 2009-01-05 15:39:43.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/xserver.if 2009-01-05 15:39:43.000000000 -0500
|
||||||
+++ serefpolicy-3.6.2/policy/modules/services/xserver.if 2009-01-05 17:54:59.000000000 -0500
|
+++ serefpolicy-3.6.2/policy/modules/services/xserver.if 2009-01-12 14:24:38.000000000 -0500
|
||||||
|
@@ -156,7 +156,7 @@
|
||||||
|
allow $1 xserver_t:process signal;
|
||||||
|
|
||||||
|
# Read /tmp/.X0-lock
|
||||||
|
- allow $1 xserver_tmp_t:file { getattr read };
|
||||||
|
+ allow $1 xserver_tmp_t:file read_file_perms;
|
||||||
|
|
||||||
|
# Client read xserver shm
|
||||||
|
allow $1 xserver_t:fd use;
|
||||||
|
@@ -219,12 +219,12 @@
|
||||||
|
allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||||
|
|
||||||
|
# Read .Xauthority file
|
||||||
|
- allow $1 xauth_home_t:file { getattr read };
|
||||||
|
- allow $1 iceauth_home_t:file { getattr read };
|
||||||
|
+ allow $1 xauth_home_t:file read_file_perms;
|
||||||
|
+ allow $1 iceauth_home_t:file read_file_perms;
|
||||||
|
|
||||||
|
# for when /tmp/.X11-unix is created by the system
|
||||||
|
allow $1 xdm_t:fd use;
|
||||||
|
- allow $1 xdm_t:fifo_file { getattr read write ioctl };
|
||||||
|
+ allow $1 xdm_t:fifo_file rw_fifo_file_perms;
|
||||||
|
allow $1 xdm_tmp_t:dir search;
|
||||||
|
allow $1 xdm_tmp_t:sock_file { read write };
|
||||||
|
dontaudit $1 xdm_t:tcp_socket { read write };
|
||||||
@@ -397,11 +397,12 @@
|
@@ -397,11 +397,12 @@
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type xdm_t, xdm_tmp_t;
|
type xdm_t, xdm_tmp_t;
|
||||||
|
@ -20859,6 +20943,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
# Read .Xauthority file
|
# Read .Xauthority file
|
||||||
allow $2 xauth_home_t:file read_file_perms;
|
allow $2 xauth_home_t:file read_file_perms;
|
||||||
|
@@ -409,7 +410,7 @@
|
||||||
|
|
||||||
|
# for when /tmp/.X11-unix is created by the system
|
||||||
|
allow $2 xdm_t:fd use;
|
||||||
|
- allow $2 xdm_t:fifo_file { getattr read write ioctl };
|
||||||
|
+ allow $2 xdm_t:fifo_file rw_fifo_file_perms;
|
||||||
|
allow $2 xdm_tmp_t:dir search_dir_perms;
|
||||||
|
allow $2 xdm_tmp_t:sock_file { read write };
|
||||||
|
dontaudit $2 xdm_t:tcp_socket { read write };
|
||||||
@@ -437,6 +438,10 @@
|
@@ -437,6 +438,10 @@
|
||||||
allow $2 xserver_t:shm rw_shm_perms;
|
allow $2 xserver_t:shm rw_shm_perms;
|
||||||
allow $2 xserver_tmpfs_t:file rw_file_perms;
|
allow $2 xserver_tmpfs_t:file rw_file_perms;
|
||||||
|
@ -25884,7 +25977,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
|
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.2/policy/modules/system/userdomain.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.2/policy/modules/system/userdomain.if
|
||||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-05 15:39:43.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-05 15:39:43.000000000 -0500
|
||||||
+++ serefpolicy-3.6.2/policy/modules/system/userdomain.if 2009-01-06 10:53:21.000000000 -0500
|
+++ serefpolicy-3.6.2/policy/modules/system/userdomain.if 2009-01-12 14:04:30.000000000 -0500
|
||||||
@@ -30,8 +30,9 @@
|
@@ -30,8 +30,9 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
|
|
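Review bot: In the gpg.te hunk headed `@@ -157,6 +162,19 @@`, the new top-level line `userdom_manage_user_tmp_files(gpg_t)` appears to give gpg_t create, write and unlink on all user temporary files. The only stated reason for the commit is "Fixes for reading xserver_tmp_t", which does not cover it. If the denial behind it was a read, the narrower `userdom_read_user_tmp_files(gpg_t)` would likely be enough. If gpg really has to write there, put a comment above the line naming the file, for example `# gpg writes <file> in the user's tmp dir`. The same hunk moves `userdom_manage_user_home_content_files(gpg_t)` out of the template in gpg.if and into gpg.te, where it is no longer scoped by the template's arguments, so it needs a one-line justification too; the page shows only part of the nested patch, so this rests on the visible lines alone.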
|
@ -20,7 +20,7 @@
|
||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.6.2
|
Version: 3.6.2
|
||||||
Release: 3%{?dist}
|
Release: 4%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
|
@ -445,6 +445,9 @@ exit 0
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Jan 12 2009 Dan Walsh <dwalsh@redhat.com> 3.6.2-4
|
||||||
|
- Fixes for reading xserver_tmp_t
|
||||||
|
|
||||||
* Thu Jan 8 2009 Dan Walsh <dwalsh@redhat.com> 3.6.2-3
|
* Thu Jan 8 2009 Dan Walsh <dwalsh@redhat.com> 3.6.2-3
|
||||||
- Allow cups_pdf_t write to nfs_t
|
- Allow cups_pdf_t write to nfs_t
|
||||||
|
|
||||||
|
|