- Fixes for IBM java location
This commit is contained in:
Daniel J Walsh
parent
dcd0c96f34
commit
33c7eab541
@ -357,14 +357,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
allow consoletype_t self:fifo_file rw_fifo_file_perms;
|
allow consoletype_t self:fifo_file rw_fifo_file_perms;
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.1/policy/modules/admin/kismet.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.1/policy/modules/admin/kismet.te
|
||||||
--- nsaserefpolicy/policy/modules/admin/kismet.te 2008-11-11 16:13:49.000000000 -0500
|
--- nsaserefpolicy/policy/modules/admin/kismet.te 2008-11-11 16:13:49.000000000 -0500
|
||||||
+++ serefpolicy-3.6.1/policy/modules/admin/kismet.te 2008-12-02 11:02:15.000000000 -0500
|
+++ serefpolicy-3.6.1/policy/modules/admin/kismet.te 2008-12-12 09:38:02.000000000 -0500
|
||||||
@@ -25,11 +25,13 @@
|
@@ -25,11 +25,14 @@
|
||||||
# kismet local policy
|
# kismet local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
-allow kismet_t self:capability { net_admin net_raw setuid setgid };
|
-allow kismet_t self:capability { net_admin net_raw setuid setgid };
|
||||||
|
+allow kismet_t self:capability { dac_override kill net_admin net_raw setuid setgid };
|
||||||
+allow kismet_t self:capability { kill net_admin net_raw setuid setgid };
|
+allow kismet_t self:capability { kill net_admin net_raw setuid setgid };
|
||||||
+allow kismet_t self:process signal;
|
+allow kismet_t self:process signal_perms;
|
||||||
allow kismet_t self:fifo_file rw_file_perms;
|
allow kismet_t self:fifo_file rw_file_perms;
|
||||||
allow kismet_t self:packet_socket create_socket_perms;
|
allow kismet_t self:packet_socket create_socket_perms;
|
||||||
-allow kismet_t self:unix_dgram_socket create_socket_perms;
|
-allow kismet_t self:unix_dgram_socket create_socket_perms;
|
||||||
@ -374,7 +375,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
|
manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
|
||||||
allow kismet_t kismet_log_t:dir setattr;
|
allow kismet_t kismet_log_t:dir setattr;
|
||||||
@@ -47,6 +49,14 @@
|
@@ -47,6 +50,15 @@
|
||||||
|
|
||||||
corecmd_exec_bin(kismet_t)
|
corecmd_exec_bin(kismet_t)
|
||||||
|
|
||||||
@ -385,6 +386,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+corenet_tcp_sendrecv_all_ports(kismet_t)
|
+corenet_tcp_sendrecv_all_ports(kismet_t)
|
||||||
+corenet_tcp_bind_all_nodes(kismet_t)
|
+corenet_tcp_bind_all_nodes(kismet_t)
|
||||||
+corenet_tcp_bind_kismet_port(kismet_t)
|
+corenet_tcp_bind_kismet_port(kismet_t)
|
||||||
|
+corenet_tcp_connect_kismet_port(kismet_t)
|
||||||
+
|
+
|
||||||
auth_use_nsswitch(kismet_t)
|
auth_use_nsswitch(kismet_t)
|
||||||
|
|
||||||
@ -1784,13 +1786,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# GPG agent local policy
|
# GPG agent local policy
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.6.1/policy/modules/apps/java.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.6.1/policy/modules/apps/java.fc
|
||||||
--- nsaserefpolicy/policy/modules/apps/java.fc 2008-08-07 11:15:03.000000000 -0400
|
--- nsaserefpolicy/policy/modules/apps/java.fc 2008-08-07 11:15:03.000000000 -0400
|
||||||
+++ serefpolicy-3.6.1/policy/modules/apps/java.fc 2008-11-25 09:45:43.000000000 -0500
|
+++ serefpolicy-3.6.1/policy/modules/apps/java.fc 2008-12-17 09:13:47.000000000 -0500
|
||||||
@@ -3,14 +3,15 @@
|
@@ -2,15 +2,16 @@
|
||||||
|
# /opt
|
||||||
#
|
#
|
||||||
/opt/(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
|
/opt/(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
|
||||||
/opt/ibm/java2-ppc64-50/jre/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
|
-/opt/ibm/java2-ppc64-50/jre/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
|
||||||
-/opt/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
|
-/opt/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
|
||||||
-/opt/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
|
-/opt/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
|
||||||
|
+/opt/ibm/java.*/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
|
||||||
+/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
|
+/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
|
||||||
+/opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
|
+/opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
|
||||||
|
|
||||||
@ -2546,7 +2550,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.1/policy/modules/apps/nsplugin.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.1/policy/modules/apps/nsplugin.te
|
||||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.6.1/policy/modules/apps/nsplugin.te 2008-12-05 08:34:32.000000000 -0500
|
+++ serefpolicy-3.6.1/policy/modules/apps/nsplugin.te 2008-12-15 12:10:00.000000000 -0500
|
||||||
@@ -0,0 +1,275 @@
|
@@ -0,0 +1,275 @@
|
||||||
+
|
+
|
||||||
+policy_module(nsplugin, 1.0.0)
|
+policy_module(nsplugin, 1.0.0)
|
||||||
@ -2742,7 +2746,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+#
|
+#
|
||||||
+
|
+
|
||||||
+allow nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
|
+allow nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
|
||||||
+allow nsplugin_config_t self:process { setsched sigkill getsched execmem };
|
+allow nsplugin_config_t self:process { setsched signal_perms getsched execmem };
|
||||||
+#execing pulseaudio
|
+#execing pulseaudio
|
||||||
+dontaudit nsplugin_t self:process { getcap setcap };
|
+dontaudit nsplugin_t self:process { getcap setcap };
|
||||||
+
|
+
|
||||||
@ -4770,7 +4774,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
type power_device_t;
|
type power_device_t;
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.1/policy/modules/kernel/domain.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.1/policy/modules/kernel/domain.if
|
||||||
--- nsaserefpolicy/policy/modules/kernel/domain.if 2008-10-16 17:21:13.000000000 -0400
|
--- nsaserefpolicy/policy/modules/kernel/domain.if 2008-10-16 17:21:13.000000000 -0400
|
||||||
+++ serefpolicy-3.6.1/policy/modules/kernel/domain.if 2008-11-25 09:45:43.000000000 -0500
|
+++ serefpolicy-3.6.1/policy/modules/kernel/domain.if 2008-12-11 15:07:55.000000000 -0500
|
||||||
@@ -1247,18 +1247,34 @@
|
@@ -1247,18 +1247,34 @@
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
@ -5812,7 +5816,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.6.1/policy/modules/kernel/filesystem.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.6.1/policy/modules/kernel/filesystem.te
|
||||||
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2008-10-14 11:58:07.000000000 -0400
|
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2008-10-14 11:58:07.000000000 -0400
|
||||||
+++ serefpolicy-3.6.1/policy/modules/kernel/filesystem.te 2008-11-25 09:48:01.000000000 -0500
|
+++ serefpolicy-3.6.1/policy/modules/kernel/filesystem.te 2008-12-12 10:10:06.000000000 -0500
|
||||||
@@ -21,7 +21,7 @@
|
@@ -21,7 +21,7 @@
|
||||||
|
|
||||||
# Use xattrs for the following filesystem types.
|
# Use xattrs for the following filesystem types.
|
||||||
@ -5843,11 +5847,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
type vxfs_t;
|
type vxfs_t;
|
||||||
fs_noxattr_type(vxfs_t)
|
fs_noxattr_type(vxfs_t)
|
||||||
@@ -241,6 +248,7 @@
|
@@ -241,6 +248,8 @@
|
||||||
genfscon lustre / gen_context(system_u:object_r:nfs_t,s0)
|
genfscon lustre / gen_context(system_u:object_r:nfs_t,s0)
|
||||||
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
|
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||||
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
|
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||||
+genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
|
+genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||||
|
+genfscon dazukofs / gen_context(system_u:object_r:nfs_t,s0)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -6628,7 +6633,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
-')
|
-')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.1/policy/modules/roles/staff.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.1/policy/modules/roles/staff.te
|
||||||
--- nsaserefpolicy/policy/modules/roles/staff.te 2008-11-11 16:13:47.000000000 -0500
|
--- nsaserefpolicy/policy/modules/roles/staff.te 2008-11-11 16:13:47.000000000 -0500
|
||||||
+++ serefpolicy-3.6.1/policy/modules/roles/staff.te 2008-11-25 09:45:43.000000000 -0500
|
+++ serefpolicy-3.6.1/policy/modules/roles/staff.te 2008-12-11 15:08:24.000000000 -0500
|
||||||
@@ -8,112 +8,32 @@
|
@@ -8,112 +8,32 @@
|
||||||
|
|
||||||
role staff_r;
|
role staff_r;
|
||||||
@ -10558,7 +10563,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.1/policy/modules/services/cups.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.1/policy/modules/services/cups.te
|
||||||
--- nsaserefpolicy/policy/modules/services/cups.te 2008-11-11 16:13:46.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/cups.te 2008-11-11 16:13:46.000000000 -0500
|
||||||
+++ serefpolicy-3.6.1/policy/modules/services/cups.te 2008-12-05 08:56:46.000000000 -0500
|
+++ serefpolicy-3.6.1/policy/modules/services/cups.te 2008-12-15 11:14:17.000000000 -0500
|
||||||
@@ -20,9 +20,18 @@
|
@@ -20,9 +20,18 @@
|
||||||
type cupsd_etc_t;
|
type cupsd_etc_t;
|
||||||
files_config_file(cupsd_etc_t)
|
files_config_file(cupsd_etc_t)
|
||||||
@ -10615,7 +10620,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
dontaudit cupsd_t self:capability { sys_tty_config net_admin };
|
dontaudit cupsd_t self:capability { sys_tty_config net_admin };
|
||||||
-allow cupsd_t self:process { setsched signal_perms };
|
-allow cupsd_t self:process { setsched signal_perms };
|
||||||
-allow cupsd_t self:fifo_file rw_file_perms;
|
-allow cupsd_t self:fifo_file rw_file_perms;
|
||||||
+allow cupsd_t self:process { setpgid setsched signal_perms };
|
+allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
|
||||||
+allow cupsd_t self:fifo_file rw_fifo_file_perms;
|
+allow cupsd_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||||
allow cupsd_t self:unix_dgram_socket create_socket_perms;
|
allow cupsd_t self:unix_dgram_socket create_socket_perms;
|
||||||
@ -10869,17 +10874,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -491,7 +555,8 @@
|
@@ -491,7 +555,10 @@
|
||||||
allow hplip_t self:udp_socket create_socket_perms;
|
allow hplip_t self:udp_socket create_socket_perms;
|
||||||
allow hplip_t self:rawip_socket create_socket_perms;
|
allow hplip_t self:rawip_socket create_socket_perms;
|
||||||
|
|
||||||
-allow hplip_t cupsd_etc_t:dir search;
|
-allow hplip_t cupsd_etc_t:dir search;
|
||||||
+allow hplip_t cupsd_etc_t:dir search_dir_perms;
|
+allow hplip_t cupsd_etc_t:dir search_dir_perms;
|
||||||
+allow hplip_t cupsd_tmp_t:file rw_file_perms;
|
+manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
|
||||||
|
+manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
|
||||||
|
+files_tmp_filetrans(hplip_t, cupsd_tmp_t, { file dir })
|
||||||
|
|
||||||
cups_stream_connect(hplip_t)
|
cups_stream_connect(hplip_t)
|
||||||
|
|
||||||
@@ -500,6 +565,10 @@
|
@@ -500,6 +567,10 @@
|
||||||
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
|
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
|
||||||
files_search_etc(hplip_t)
|
files_search_etc(hplip_t)
|
||||||
|
|
||||||
@ -10890,7 +10897,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
|
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
|
||||||
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
|
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
|
||||||
|
|
||||||
@@ -529,7 +598,8 @@
|
@@ -529,7 +600,8 @@
|
||||||
dev_read_urand(hplip_t)
|
dev_read_urand(hplip_t)
|
||||||
dev_read_rand(hplip_t)
|
dev_read_rand(hplip_t)
|
||||||
dev_rw_generic_usb_dev(hplip_t)
|
dev_rw_generic_usb_dev(hplip_t)
|
||||||
@ -10900,7 +10907,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
fs_getattr_all_fs(hplip_t)
|
fs_getattr_all_fs(hplip_t)
|
||||||
fs_search_auto_mountpoints(hplip_t)
|
fs_search_auto_mountpoints(hplip_t)
|
||||||
@@ -553,7 +623,9 @@
|
@@ -553,7 +625,9 @@
|
||||||
userdom_dontaudit_search_user_home_dirs(hplip_t)
|
userdom_dontaudit_search_user_home_dirs(hplip_t)
|
||||||
userdom_dontaudit_search_user_home_content(hplip_t)
|
userdom_dontaudit_search_user_home_content(hplip_t)
|
||||||
|
|
||||||
@ -10911,7 +10918,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_system_bus_client(hplip_t)
|
dbus_system_bus_client(hplip_t)
|
||||||
@@ -635,3 +707,39 @@
|
@@ -635,3 +709,39 @@
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
udev_read_db(ptal_t)
|
udev_read_db(ptal_t)
|
||||||
')
|
')
|
||||||
@ -12187,7 +12194,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
########################################
|
########################################
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.1/policy/modules/services/hal.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.1/policy/modules/services/hal.te
|
||||||
--- nsaserefpolicy/policy/modules/services/hal.te 2008-11-19 11:51:44.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/hal.te 2008-11-19 11:51:44.000000000 -0500
|
||||||
+++ serefpolicy-3.6.1/policy/modules/services/hal.te 2008-12-10 09:03:53.000000000 -0500
|
+++ serefpolicy-3.6.1/policy/modules/services/hal.te 2008-12-12 09:32:41.000000000 -0500
|
||||||
@@ -49,6 +49,9 @@
|
@@ -49,6 +49,9 @@
|
||||||
type hald_var_lib_t;
|
type hald_var_lib_t;
|
||||||
files_type(hald_var_lib_t)
|
files_type(hald_var_lib_t)
|
||||||
@ -12206,7 +12213,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
fs_getattr_all_fs(hald_t)
|
fs_getattr_all_fs(hald_t)
|
||||||
fs_search_all(hald_t)
|
fs_search_all(hald_t)
|
||||||
@@ -277,6 +281,12 @@
|
@@ -195,6 +199,7 @@
|
||||||
|
seutil_read_file_contexts(hald_t)
|
||||||
|
|
||||||
|
sysnet_read_config(hald_t)
|
||||||
|
+sysnet_domtrans_dhcpc(hald_t)
|
||||||
|
|
||||||
|
userdom_dontaudit_use_unpriv_user_fds(hald_t)
|
||||||
|
userdom_dontaudit_search_user_home_dirs(hald_t)
|
||||||
|
@@ -277,6 +282,12 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -12219,7 +12234,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
rpc_search_nfs_state_data(hald_t)
|
rpc_search_nfs_state_data(hald_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -301,12 +311,16 @@
|
@@ -301,12 +312,16 @@
|
||||||
virt_manage_images(hald_t)
|
virt_manage_images(hald_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -12237,7 +12252,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
allow hald_acl_t self:process { getattr signal };
|
allow hald_acl_t self:process { getattr signal };
|
||||||
allow hald_acl_t self:fifo_file rw_fifo_file_perms;
|
allow hald_acl_t self:fifo_file rw_fifo_file_perms;
|
||||||
|
|
||||||
@@ -346,12 +360,17 @@
|
@@ -346,12 +361,17 @@
|
||||||
|
|
||||||
miscfiles_read_localization(hald_acl_t)
|
miscfiles_read_localization(hald_acl_t)
|
||||||
|
|
||||||
@ -12256,7 +12271,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
|
domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
|
||||||
allow hald_t hald_mac_t:process signal;
|
allow hald_t hald_mac_t:process signal;
|
||||||
@@ -418,3 +437,7 @@
|
@@ -418,3 +438,7 @@
|
||||||
files_read_usr_files(hald_keymap_t)
|
files_read_usr_files(hald_keymap_t)
|
||||||
|
|
||||||
miscfiles_read_localization(hald_keymap_t)
|
miscfiles_read_localization(hald_keymap_t)
|
||||||
@ -12919,14 +12934,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+files_type(mailscanner_spool_t)
|
+files_type(mailscanner_spool_t)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.1/policy/modules/services/mta.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.1/policy/modules/services/mta.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/mta.fc 2008-09-12 10:48:05.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/mta.fc 2008-09-12 10:48:05.000000000 -0400
|
||||||
+++ serefpolicy-3.6.1/policy/modules/services/mta.fc 2008-11-25 09:45:43.000000000 -0500
|
+++ serefpolicy-3.6.1/policy/modules/services/mta.fc 2008-12-15 09:22:51.000000000 -0500
|
||||||
@@ -1,4 +1,4 @@
|
@@ -1,4 +1,4 @@
|
||||||
-/bin/mail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
-/bin/mail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
||||||
+/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
+/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
||||||
|
|
||||||
/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
|
/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
|
||||||
/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
|
/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
|
||||||
@@ -22,7 +22,3 @@
|
@@ -11,9 +11,11 @@
|
||||||
|
|
||||||
|
/usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
||||||
|
|
||||||
|
+/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
||||||
|
/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
||||||
|
/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
||||||
|
/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
||||||
|
+/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
||||||
|
|
||||||
|
/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
|
||||||
|
|
||||||
|
@@ -22,7 +24,3 @@
|
||||||
/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
|
/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
|
||||||
/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
|
/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
|
||||||
/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
|
/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
|
||||||
@ -18579,7 +18606,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.1/policy/modules/services/samba.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.1/policy/modules/services/samba.te
|
||||||
--- nsaserefpolicy/policy/modules/services/samba.te 2008-11-11 16:13:47.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/samba.te 2008-11-11 16:13:47.000000000 -0500
|
||||||
+++ serefpolicy-3.6.1/policy/modules/services/samba.te 2008-12-08 15:15:10.000000000 -0500
|
+++ serefpolicy-3.6.1/policy/modules/services/samba.te 2008-12-15 12:23:46.000000000 -0500
|
||||||
@@ -66,6 +66,13 @@
|
@@ -66,6 +66,13 @@
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(samba_share_nfs, false)
|
gen_tunable(samba_share_nfs, false)
|
||||||
@ -18632,7 +18659,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# Samba net local policy
|
# Samba net local policy
|
||||||
#
|
#
|
||||||
-
|
-
|
||||||
+allow samba_net_t self:capability { dac_read_search dac_override };
|
+allow samba_net_t self:capability { sys_nice dac_read_search dac_override };
|
||||||
+allow samba_net_t self:process { getsched setsched };
|
+allow samba_net_t self:process { getsched setsched };
|
||||||
allow samba_net_t self:unix_dgram_socket create_socket_perms;
|
allow samba_net_t self:unix_dgram_socket create_socket_perms;
|
||||||
allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
|
allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
@ -18651,15 +18678,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
corenet_all_recvfrom_unlabeled(samba_net_t)
|
corenet_all_recvfrom_unlabeled(samba_net_t)
|
||||||
corenet_all_recvfrom_netlabel(samba_net_t)
|
corenet_all_recvfrom_netlabel(samba_net_t)
|
||||||
@@ -190,6 +205,7 @@
|
@@ -190,15 +205,23 @@
|
||||||
domain_use_interactive_fds(samba_net_t)
|
domain_use_interactive_fds(samba_net_t)
|
||||||
|
|
||||||
files_read_etc_files(samba_net_t)
|
files_read_etc_files(samba_net_t)
|
||||||
+files_read_usr_symlinks(samba_net_t)
|
+files_read_usr_symlinks(samba_net_t)
|
||||||
|
|
||||||
auth_use_nsswitch(samba_net_t)
|
auth_use_nsswitch(samba_net_t)
|
||||||
|
+auth_read_cache(samba_net_t)
|
||||||
|
|
||||||
@@ -197,8 +213,14 @@
|
logging_send_syslog_msg(samba_net_t)
|
||||||
|
|
||||||
miscfiles_read_localization(samba_net_t)
|
miscfiles_read_localization(samba_net_t)
|
||||||
|
|
||||||
@ -18675,7 +18703,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
kerberos_use(samba_net_t)
|
kerberos_use(samba_net_t)
|
||||||
@@ -208,7 +230,7 @@
|
@@ -208,7 +231,7 @@
|
||||||
#
|
#
|
||||||
# smbd Local policy
|
# smbd Local policy
|
||||||
#
|
#
|
||||||
@ -18684,7 +18712,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
dontaudit smbd_t self:capability sys_tty_config;
|
dontaudit smbd_t self:capability sys_tty_config;
|
||||||
allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||||
allow smbd_t self:process setrlimit;
|
allow smbd_t self:process setrlimit;
|
||||||
@@ -226,10 +248,8 @@
|
@@ -226,10 +249,8 @@
|
||||||
|
|
||||||
allow smbd_t samba_etc_t:file { rw_file_perms setattr };
|
allow smbd_t samba_etc_t:file { rw_file_perms setattr };
|
||||||
|
|
||||||
@ -18696,7 +18724,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
allow smbd_t samba_net_tmp_t:file getattr;
|
allow smbd_t samba_net_tmp_t:file getattr;
|
||||||
|
|
||||||
@@ -239,6 +259,7 @@
|
@@ -239,6 +260,7 @@
|
||||||
manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
|
manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
|
||||||
manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
|
manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
|
||||||
manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
|
manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
|
||||||
@ -18704,7 +18732,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
|
manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
|
||||||
manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
|
manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
|
||||||
@@ -256,7 +277,7 @@
|
@@ -256,7 +278,7 @@
|
||||||
manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
|
manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
|
||||||
files_pid_filetrans(smbd_t, smbd_var_run_t, file)
|
files_pid_filetrans(smbd_t, smbd_var_run_t, file)
|
||||||
|
|
||||||
@ -18713,7 +18741,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
kernel_getattr_core_if(smbd_t)
|
kernel_getattr_core_if(smbd_t)
|
||||||
kernel_getattr_message_if(smbd_t)
|
kernel_getattr_message_if(smbd_t)
|
||||||
@@ -321,6 +342,10 @@
|
@@ -298,6 +320,7 @@
|
||||||
|
|
||||||
|
auth_use_nsswitch(smbd_t)
|
||||||
|
auth_domtrans_chk_passwd(smbd_t)
|
||||||
|
+auth_domtrans_upd_passwd(smbd_t)
|
||||||
|
|
||||||
|
domain_use_interactive_fds(smbd_t)
|
||||||
|
domain_dontaudit_list_all_domains_state(smbd_t)
|
||||||
|
@@ -321,6 +344,10 @@
|
||||||
userdom_use_unpriv_users_fds(smbd_t)
|
userdom_use_unpriv_users_fds(smbd_t)
|
||||||
userdom_dontaudit_search_user_home_dirs(smbd_t)
|
userdom_dontaudit_search_user_home_dirs(smbd_t)
|
||||||
|
|
||||||
@ -18724,7 +18760,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
ifdef(`hide_broken_symptoms', `
|
ifdef(`hide_broken_symptoms', `
|
||||||
files_dontaudit_getattr_default_dirs(smbd_t)
|
files_dontaudit_getattr_default_dirs(smbd_t)
|
||||||
files_dontaudit_getattr_boot_dirs(smbd_t)
|
files_dontaudit_getattr_boot_dirs(smbd_t)
|
||||||
@@ -350,8 +375,20 @@
|
@@ -350,8 +377,20 @@
|
||||||
tunable_policy(`samba_share_nfs',`
|
tunable_policy(`samba_share_nfs',`
|
||||||
fs_manage_nfs_dirs(smbd_t)
|
fs_manage_nfs_dirs(smbd_t)
|
||||||
fs_manage_nfs_files(smbd_t)
|
fs_manage_nfs_files(smbd_t)
|
||||||
@ -18745,7 +18781,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
cups_read_rw_config(smbd_t)
|
cups_read_rw_config(smbd_t)
|
||||||
cups_stream_connect(smbd_t)
|
cups_stream_connect(smbd_t)
|
||||||
@@ -359,6 +396,16 @@
|
@@ -359,6 +398,16 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
kerberos_use(smbd_t)
|
kerberos_use(smbd_t)
|
||||||
@ -18762,7 +18798,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -381,8 +428,10 @@
|
@@ -381,8 +430,10 @@
|
||||||
|
|
||||||
tunable_policy(`samba_export_all_ro',`
|
tunable_policy(`samba_export_all_ro',`
|
||||||
fs_read_noxattr_fs_files(smbd_t)
|
fs_read_noxattr_fs_files(smbd_t)
|
||||||
@ -18773,7 +18809,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
auth_read_all_files_except_shadow(nmbd_t)
|
auth_read_all_files_except_shadow(nmbd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -454,6 +503,7 @@
|
@@ -454,6 +505,7 @@
|
||||||
dev_getattr_mtrr_dev(nmbd_t)
|
dev_getattr_mtrr_dev(nmbd_t)
|
||||||
|
|
||||||
fs_getattr_all_fs(nmbd_t)
|
fs_getattr_all_fs(nmbd_t)
|
||||||
@ -18781,7 +18817,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
fs_search_auto_mountpoints(nmbd_t)
|
fs_search_auto_mountpoints(nmbd_t)
|
||||||
|
|
||||||
domain_use_interactive_fds(nmbd_t)
|
domain_use_interactive_fds(nmbd_t)
|
||||||
@@ -553,19 +603,33 @@
|
@@ -553,19 +605,33 @@
|
||||||
userdom_use_user_terminals(smbmount_t)
|
userdom_use_user_terminals(smbmount_t)
|
||||||
userdom_use_all_users_fds(smbmount_t)
|
userdom_use_all_users_fds(smbmount_t)
|
||||||
|
|
||||||
@ -18818,7 +18854,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
|
rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
|
||||||
|
|
||||||
@@ -585,6 +649,9 @@
|
@@ -585,6 +651,9 @@
|
||||||
files_pid_filetrans(swat_t, swat_var_run_t, file)
|
files_pid_filetrans(swat_t, swat_var_run_t, file)
|
||||||
|
|
||||||
allow swat_t winbind_exec_t:file mmap_file_perms;
|
allow swat_t winbind_exec_t:file mmap_file_perms;
|
||||||
@ -18828,7 +18864,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
kernel_read_kernel_sysctls(swat_t)
|
kernel_read_kernel_sysctls(swat_t)
|
||||||
kernel_read_system_state(swat_t)
|
kernel_read_system_state(swat_t)
|
||||||
@@ -609,15 +676,18 @@
|
@@ -609,15 +678,18 @@
|
||||||
|
|
||||||
dev_read_urand(swat_t)
|
dev_read_urand(swat_t)
|
||||||
|
|
||||||
@ -18847,7 +18883,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
logging_search_logs(swat_t)
|
logging_search_logs(swat_t)
|
||||||
|
|
||||||
miscfiles_read_localization(swat_t)
|
miscfiles_read_localization(swat_t)
|
||||||
@@ -635,6 +705,17 @@
|
@@ -635,6 +707,17 @@
|
||||||
kerberos_use(swat_t)
|
kerberos_use(swat_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -18865,16 +18901,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Winbind local policy
|
# Winbind local policy
|
||||||
@@ -642,7 +723,7 @@
|
@@ -642,7 +725,7 @@
|
||||||
|
|
||||||
allow winbind_t self:capability { dac_override ipc_lock setuid };
|
allow winbind_t self:capability { dac_override ipc_lock setuid };
|
||||||
dontaudit winbind_t self:capability sys_tty_config;
|
dontaudit winbind_t self:capability sys_tty_config;
|
||||||
-allow winbind_t self:process signal_perms;
|
-allow winbind_t self:process signal_perms;
|
||||||
+allow winbind_t self:process { signal_perms getsched };
|
+allow winbind_t self:process { signal_perms getsched setsched };
|
||||||
allow winbind_t self:fifo_file rw_fifo_file_perms;
|
allow winbind_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow winbind_t self:unix_dgram_socket create_socket_perms;
|
allow winbind_t self:unix_dgram_socket create_socket_perms;
|
||||||
allow winbind_t self:unix_stream_socket create_stream_socket_perms;
|
allow winbind_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
@@ -683,9 +764,10 @@
|
@@ -683,9 +766,10 @@
|
||||||
manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
|
manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
|
||||||
files_pid_filetrans(winbind_t, winbind_var_run_t, file)
|
files_pid_filetrans(winbind_t, winbind_var_run_t, file)
|
||||||
|
|
||||||
@ -18887,7 +18923,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
corenet_all_recvfrom_unlabeled(winbind_t)
|
corenet_all_recvfrom_unlabeled(winbind_t)
|
||||||
corenet_all_recvfrom_netlabel(winbind_t)
|
corenet_all_recvfrom_netlabel(winbind_t)
|
||||||
@@ -713,6 +795,7 @@
|
@@ -709,10 +793,12 @@
|
||||||
|
|
||||||
|
auth_domtrans_chk_passwd(winbind_t)
|
||||||
|
auth_use_nsswitch(winbind_t)
|
||||||
|
+auth_rw_cache(winbind_t)
|
||||||
|
|
||||||
domain_use_interactive_fds(winbind_t)
|
domain_use_interactive_fds(winbind_t)
|
||||||
|
|
||||||
files_read_etc_files(winbind_t)
|
files_read_etc_files(winbind_t)
|
||||||
@ -18895,7 +18936,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
logging_send_syslog_msg(winbind_t)
|
logging_send_syslog_msg(winbind_t)
|
||||||
|
|
||||||
@@ -768,8 +851,13 @@
|
@@ -768,8 +854,13 @@
|
||||||
userdom_use_user_terminals(winbind_helper_t)
|
userdom_use_user_terminals(winbind_helper_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -18909,7 +18950,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -778,6 +866,16 @@
|
@@ -778,6 +869,16 @@
|
||||||
#
|
#
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -18926,7 +18967,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
type samba_unconfined_script_t;
|
type samba_unconfined_script_t;
|
||||||
type samba_unconfined_script_exec_t;
|
type samba_unconfined_script_exec_t;
|
||||||
domain_type(samba_unconfined_script_t)
|
domain_type(samba_unconfined_script_t)
|
||||||
@@ -788,9 +886,43 @@
|
@@ -788,9 +889,43 @@
|
||||||
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
|
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
|
||||||
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
|
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
|
||||||
|
|
||||||
@ -21059,7 +21100,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.1/policy/modules/services/xserver.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.1/policy/modules/services/xserver.if
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.if 2008-11-11 16:13:47.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/xserver.if 2008-11-11 16:13:47.000000000 -0500
|
||||||
+++ serefpolicy-3.6.1/policy/modules/services/xserver.if 2008-12-04 13:08:52.000000000 -0500
|
+++ serefpolicy-3.6.1/policy/modules/services/xserver.if 2008-12-11 14:52:07.000000000 -0500
|
||||||
@@ -397,11 +397,12 @@
|
@@ -397,11 +397,12 @@
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type xdm_t, xdm_tmp_t;
|
type xdm_t, xdm_tmp_t;
|
||||||
@ -21432,7 +21473,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## display.
|
## display.
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.1/policy/modules/services/xserver.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.1/policy/modules/services/xserver.te
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2008-11-18 18:57:20.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/xserver.te 2008-11-18 18:57:20.000000000 -0500
|
||||||
+++ serefpolicy-3.6.1/policy/modules/services/xserver.te 2008-12-08 10:28:07.000000000 -0500
|
+++ serefpolicy-3.6.1/policy/modules/services/xserver.te 2008-12-11 14:53:37.000000000 -0500
|
||||||
@@ -34,6 +34,13 @@
|
@@ -34,6 +34,13 @@
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
@ -21917,10 +21958,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Rules common to all X window domains
|
# Rules common to all X window domains
|
||||||
@@ -972,6 +1091,21 @@
|
@@ -972,6 +1091,37 @@
|
||||||
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
|
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
|
||||||
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
|
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
|
||||||
|
|
||||||
|
+allow xserver_unconfined_type self:x_drawable all_x_drawable_perms;
|
||||||
|
+allow xserver_unconfined_type self:x_screen all_x_screen_perms;
|
||||||
|
+allow xserver_unconfined_type self:x_gc all_x_gc_perms;
|
||||||
|
+allow xserver_unconfined_type self:x_font all_x_font_perms;
|
||||||
|
+allow xserver_unconfined_type self:x_colormap all_x_colormap_perms;
|
||||||
|
+allow xserver_unconfined_type self:x_property all_x_property_perms;
|
||||||
|
+allow xserver_unconfined_type self:x_selection all_x_selection_perms;
|
||||||
|
+allow xserver_unconfined_type self:x_cursor all_x_cursor_perms;
|
||||||
|
+allow xserver_unconfined_type self:x_client all_x_client_perms;
|
||||||
|
+allow xserver_unconfined_type self:x_device all_x_device_perms;
|
||||||
|
+allow xserver_unconfined_type self:x_server all_x_server_perms;
|
||||||
|
+allow xserver_unconfined_type self:x_extension all_x_extension_perms;
|
||||||
|
+allow xserver_unconfined_type self:x_resource all_x_resource_perms;
|
||||||
|
+allow xserver_unconfined_type self:x_event all_x_event_perms;
|
||||||
|
+allow xserver_unconfined_type self:x_synthetic_event all_x_synthetic_event_perms;
|
||||||
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ unconfined_rw_shm(xserver_t)
|
+ unconfined_rw_shm(xserver_t)
|
||||||
+ unconfined_execmem_rw_shm(xserver_t)
|
+ unconfined_execmem_rw_shm(xserver_t)
|
||||||
@ -21939,7 +21996,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
tunable_policy(`allow_polyinstantiation',`
|
tunable_policy(`allow_polyinstantiation',`
|
||||||
# xdm needs access for linking .X11-unix to poly /tmp
|
# xdm needs access for linking .X11-unix to poly /tmp
|
||||||
@@ -986,3 +1120,13 @@
|
@@ -986,3 +1136,13 @@
|
||||||
#
|
#
|
||||||
allow xdm_t user_home_type:file unlink;
|
allow xdm_t user_home_type:file unlink;
|
||||||
') dnl end TODO
|
') dnl end TODO
|
||||||
@ -22093,7 +22150,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
|
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.1/policy/modules/system/authlogin.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.1/policy/modules/system/authlogin.if
|
||||||
--- nsaserefpolicy/policy/modules/system/authlogin.if 2008-11-11 16:13:48.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/authlogin.if 2008-11-11 16:13:48.000000000 -0500
|
||||||
+++ serefpolicy-3.6.1/policy/modules/system/authlogin.if 2008-12-11 09:57:10.000000000 -0500
|
+++ serefpolicy-3.6.1/policy/modules/system/authlogin.if 2008-12-17 09:20:00.000000000 -0500
|
||||||
@@ -43,6 +43,7 @@
|
@@ -43,6 +43,7 @@
|
||||||
interface(`auth_login_pgm_domain',`
|
interface(`auth_login_pgm_domain',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -22310,7 +22367,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -1341,3 +1449,80 @@
|
@@ -1341,3 +1449,99 @@
|
||||||
typeattribute $1 can_write_shadow_passwords;
|
typeattribute $1 can_write_shadow_passwords;
|
||||||
typeattribute $1 can_relabelto_shadow_passwords;
|
typeattribute $1 can_relabelto_shadow_passwords;
|
||||||
')
|
')
|
||||||
@ -22336,6 +22393,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
|
+## Read authentication cache
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+## <rolecap/>
|
||||||
|
+#
|
||||||
|
+interface(`auth_read_cache',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type auth_cache_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ read_files_pattern($1, auth_cache_t, auth_cache_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
+## Read/Write authentication cache
|
+## Read/Write authentication cache
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
@ -23212,7 +23288,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
|
allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.1/policy/modules/system/libraries.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.1/policy/modules/system/libraries.fc
|
||||||
--- nsaserefpolicy/policy/modules/system/libraries.fc 2008-08-13 15:24:56.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/libraries.fc 2008-08-13 15:24:56.000000000 -0400
|
||||||
+++ serefpolicy-3.6.1/policy/modules/system/libraries.fc 2008-12-09 10:20:24.000000000 -0500
|
+++ serefpolicy-3.6.1/policy/modules/system/libraries.fc 2008-12-15 11:27:38.000000000 -0500
|
||||||
@@ -60,12 +60,15 @@
|
@@ -60,12 +60,15 @@
|
||||||
#
|
#
|
||||||
# /opt
|
# /opt
|
||||||
@ -23321,7 +23397,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
') dnl end distro_redhat
|
') dnl end distro_redhat
|
||||||
|
|
||||||
#
|
#
|
||||||
@@ -310,3 +331,20 @@
|
@@ -310,3 +331,19 @@
|
||||||
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||||
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||||
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
|
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
|
||||||
@ -23338,9 +23414,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
+/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
+/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
+
|
+
|
||||||
+/usr/lib(64)?/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
|
||||||
+/usr/lib/sse2/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
|
||||||
+/usr/lib(64)?/sse2/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
+/usr/lib(64)?/sse2/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
+/usr/lib(64)?/i686/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
+/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
+/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.1/policy/modules/system/libraries.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.1/policy/modules/system/libraries.te
|
||||||
--- nsaserefpolicy/policy/modules/system/libraries.te 2008-11-11 16:13:48.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/libraries.te 2008-11-11 16:13:48.000000000 -0500
|
||||||
@ -25020,7 +25095,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
|
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.1/policy/modules/system/sysnetwork.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.1/policy/modules/system/sysnetwork.if
|
||||||
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2008-11-11 16:13:48.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2008-11-11 16:13:48.000000000 -0500
|
||||||
+++ serefpolicy-3.6.1/policy/modules/system/sysnetwork.if 2008-12-03 10:18:59.000000000 -0500
|
+++ serefpolicy-3.6.1/policy/modules/system/sysnetwork.if 2008-12-12 10:01:10.000000000 -0500
|
||||||
@@ -192,7 +192,25 @@
|
@@ -192,7 +192,25 @@
|
||||||
type dhcpc_state_t;
|
type dhcpc_state_t;
|
||||||
')
|
')
|
||||||
@ -26056,7 +26131,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
|
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.1/policy/modules/system/userdomain.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.1/policy/modules/system/userdomain.if
|
||||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-11-13 18:40:02.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-11-13 18:40:02.000000000 -0500
|
||||||
+++ serefpolicy-3.6.1/policy/modules/system/userdomain.if 2008-12-09 14:27:56.000000000 -0500
|
+++ serefpolicy-3.6.1/policy/modules/system/userdomain.if 2008-12-11 15:08:45.000000000 -0500
|
||||||
@@ -30,8 +30,9 @@
|
@@ -30,8 +30,9 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -26187,7 +26262,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
- sysnet_read_config($1_t)
|
- sysnet_read_config($1_t)
|
||||||
+ files_dontaudit_getattr_all_dirs($1_usertype)
|
+ files_dontaudit_getattr_all_dirs($1_usertype)
|
||||||
+ files_dontaudit_list_non_security($1_usertype)
|
+ files_dontaudit_list_non_security($1_usertype)
|
||||||
+ files_dontaudit_getattr_non_security_files($1_usertype)
|
+ files_dontaudit_getattr_all_files($1_usertype)
|
||||||
+ files_dontaudit_getattr_non_security_symlinks($1_usertype)
|
+ files_dontaudit_getattr_non_security_symlinks($1_usertype)
|
||||||
+ files_dontaudit_getattr_non_security_pipes($1_usertype)
|
+ files_dontaudit_getattr_non_security_pipes($1_usertype)
|
||||||
+ files_dontaudit_getattr_non_security_sockets($1_usertype)
|
+ files_dontaudit_getattr_non_security_sockets($1_usertype)
|
||||||
@ -26686,7 +26761,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
- pcscd_read_pub_files($1_t)
|
- pcscd_read_pub_files($1_t)
|
||||||
- pcscd_stream_connect($1_t)
|
- pcscd_stream_connect($1_t)
|
||||||
+ nsplugin_role($1_r, $1_t)
|
+ nsplugin_role($1_r, $1_usertype)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -27046,7 +27121,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
+ mono_role_template($1, $1_r, $1_t)
|
+ mono_role_template($1, $1_r, $1_t)
|
||||||
')
|
+ ')
|
||||||
+
|
+
|
||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
+ mount_run($1_t, $1_r)
|
+ mount_run($1_t, $1_r)
|
||||||
@ -27055,7 +27130,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+ # Run pppd in pppd_t by default for user
|
+ # Run pppd in pppd_t by default for user
|
||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
+ ppp_run_cond($1_t, $1_r)
|
+ ppp_run_cond($1_t, $1_r)
|
||||||
+ ')
|
')
|
||||||
+
|
+
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -27409,7 +27484,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Send a dbus message to all user domains.
|
## Send a dbus message to all user domains.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -2981,3 +3184,263 @@
|
@@ -2981,3 +3184,264 @@
|
||||||
|
|
||||||
allow $1 userdomain:dbus send_msg;
|
allow $1 userdomain:dbus send_msg;
|
||||||
')
|
')
|
||||||
@ -27495,6 +27570,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
+ domain_read_all_domains_state($1_t)
|
+ domain_read_all_domains_state($1_t)
|
||||||
+ domain_getattr_all_domains($1_t)
|
+ domain_getattr_all_domains($1_t)
|
||||||
|
+ domain_obj_id_change_exemption($1_t)
|
||||||
+
|
+
|
||||||
+ files_read_kernel_modules($1_t)
|
+ files_read_kernel_modules($1_t)
|
||||||
+
|
+
|
||||||
|
|||||||
@ -20,7 +20,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.6.1
|
Version: 3.6.1
|
||||||
Release: 10%{?dist}
|
Release: 11%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -446,6 +446,9 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Dec 17 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-11
|
||||||
|
- Fixes for IBM java location
|
||||||
|
|
||||||
* Thu Dec 11 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-10
|
* Thu Dec 11 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-10
|
||||||
- Allow unconfined_r unconfined_java_t
|
- Allow unconfined_r unconfined_java_t
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user