- Allow xserver to use netlink_kobject_uevent_socket
This commit is contained in:
Daniel J Walsh
parent
1a2981be4a
commit
35651d45d8
235
policy-F12.patch
235
policy-F12.patch
@ -277,7 +277,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow portage_fetch_t self:tcp_socket create_stream_socket_perms;
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.30/policy/modules/admin/prelink.if
|
||||
--- nsaserefpolicy/policy/modules/admin/prelink.if 2009-07-23 14:11:04.000000000 -0400
|
||||
+++ serefpolicy-3.6.30/policy/modules/admin/prelink.if 2009-08-31 13:40:47.000000000 -0400
|
||||
+++ serefpolicy-3.6.30/policy/modules/admin/prelink.if 2009-09-04 10:32:08.000000000 -0400
|
||||
@@ -140,3 +140,22 @@
|
||||
files_search_var_lib($1)
|
||||
manage_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
|
||||
@ -293,14 +293,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`prelink_relabelfrom_var_lib',`
|
||||
+interface(`prelink_relabel_var_lib',`
|
||||
+ gen_require(`
|
||||
+ type prelink_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_var_lib($1)
|
||||
+ relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
|
||||
+ relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.30/policy/modules/admin/prelink.te
|
||||
--- nsaserefpolicy/policy/modules/admin/prelink.te 2009-08-14 16:14:31.000000000 -0400
|
||||
+++ serefpolicy-3.6.30/policy/modules/admin/prelink.te 2009-09-04 11:49:19.000000000 -0400
|
||||
@@ -89,6 +89,7 @@
|
||||
miscfiles_read_localization(prelink_t)
|
||||
|
||||
userdom_use_user_terminals(prelink_t)
|
||||
+userdom_manage_user_home_content(prelink_t)
|
||||
|
||||
optional_policy(`
|
||||
amanda_manage_lib(prelink_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.30/policy/modules/admin/readahead.te
|
||||
--- nsaserefpolicy/policy/modules/admin/readahead.te 2009-08-14 16:14:31.000000000 -0400
|
||||
+++ serefpolicy-3.6.30/policy/modules/admin/readahead.te 2009-08-31 13:40:47.000000000 -0400
|
||||
@ -964,6 +975,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
kismet_manage_log(tmpreaper_t)
|
||||
')
|
||||
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tzdata.te serefpolicy-3.6.30/policy/modules/admin/tzdata.te
|
||||
--- nsaserefpolicy/policy/modules/admin/tzdata.te 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.30/policy/modules/admin/tzdata.te 2009-09-04 11:18:45.000000000 -0400
|
||||
@@ -19,6 +19,8 @@
|
||||
files_read_etc_files(tzdata_t)
|
||||
files_search_spool(tzdata_t)
|
||||
|
||||
+fs_getattr_xattr_fs(tzdata_t)
|
||||
+
|
||||
term_dontaudit_list_ptys(tzdata_t)
|
||||
|
||||
locallogin_dontaudit_use_fds(tzdata_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.6.30/policy/modules/admin/usermanage.if
|
||||
--- nsaserefpolicy/policy/modules/admin/usermanage.if 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.30/policy/modules/admin/usermanage.if 2009-08-31 13:40:47.000000000 -0400
|
||||
@ -1125,7 +1148,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
sysnet_dns_name_resolve(awstats_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/calamaris.te serefpolicy-3.6.30/policy/modules/apps/calamaris.te
|
||||
--- nsaserefpolicy/policy/modules/apps/calamaris.te 2009-08-14 16:14:31.000000000 -0400
|
||||
+++ serefpolicy-3.6.30/policy/modules/apps/calamaris.te 2009-08-31 13:40:47.000000000 -0400
|
||||
+++ serefpolicy-3.6.30/policy/modules/apps/calamaris.te 2009-09-02 09:37:44.000000000 -0400
|
||||
@@ -59,12 +59,12 @@
|
||||
|
||||
libs_read_lib_files(calamaris_t)
|
||||
@ -3726,8 +3749,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.30/policy/modules/apps/sandbox.te
|
||||
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.30/policy/modules/apps/sandbox.te 2009-08-31 13:40:47.000000000 -0400
|
||||
@@ -0,0 +1,302 @@
|
||||
+++ serefpolicy-3.6.30/policy/modules/apps/sandbox.te 2009-09-03 10:41:22.000000000 -0400
|
||||
@@ -0,0 +1,304 @@
|
||||
+policy_module(sandbox,1.0.0)
|
||||
+dbus_stub()
|
||||
+attribute sandbox_domain;
|
||||
@ -3873,6 +3896,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+auth_use_nsswitch(sandbox_x_domain)
|
||||
+
|
||||
+init_read_utmp(sandbox_x_domain)
|
||||
+init_dontaudit_write_utmp(sandbox_x_domain)
|
||||
+
|
||||
+miscfiles_read_localization(sandbox_x_domain)
|
||||
+
|
||||
@ -3892,10 +3916,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ cups_read_rw_config(sandbox_x_domain)
|
||||
+')
|
||||
+
|
||||
+#============= sandbox_x_t ==============
|
||||
+allow sandbox_x_t home_root_t:dir search;
|
||||
+allow sandbox_x_t user_devpts_t:chr_file { read write };
|
||||
+userdom_dontaudit_use_user_terminals(sandbox_x_domain)
|
||||
+
|
||||
+#============= sandbox_x_t ==============
|
||||
+files_search_home(sandbox_x_t)
|
||||
+userdom_use_user_ptys(sandbox_x_t)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
@ -4370,8 +4395,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.30/policy/modules/apps/wine.te
|
||||
--- nsaserefpolicy/policy/modules/apps/wine.te 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.30/policy/modules/apps/wine.te 2009-08-31 13:40:47.000000000 -0400
|
||||
@@ -9,20 +9,35 @@
|
||||
+++ serefpolicy-3.6.30/policy/modules/apps/wine.te 2009-09-02 09:37:57.000000000 -0400
|
||||
@@ -9,20 +9,36 @@
|
||||
type wine_t;
|
||||
type wine_exec_t;
|
||||
application_domain(wine_t, wine_exec_t)
|
||||
@ -4387,6 +4412,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
-optional_policy(`
|
||||
allow wine_t self:process { execstack execmem execheap };
|
||||
- unconfined_domain_noaudit(wine_t)
|
||||
+allow wine_t self:fifo_file manage_fifo_file_perms;
|
||||
+
|
||||
+domain_mmap_low_type(wine_t)
|
||||
+tunable_policy(`mmap_low_allowed',`
|
||||
@ -4413,7 +4439,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.30/policy/modules/kernel/corecommands.fc
|
||||
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-07-30 13:09:10.000000000 -0400
|
||||
+++ serefpolicy-3.6.30/policy/modules/kernel/corecommands.fc 2009-08-31 13:40:47.000000000 -0400
|
||||
+++ serefpolicy-3.6.30/policy/modules/kernel/corecommands.fc 2009-09-03 10:35:24.000000000 -0400
|
||||
@@ -1,4 +1,4 @@
|
||||
-
|
||||
+c
|
||||
#
|
||||
# /bin
|
||||
#
|
||||
@@ -54,6 +54,7 @@
|
||||
/etc/cron.weekly/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/cron.monthly/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@ -4440,15 +4472,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
#
|
||||
# /usr
|
||||
#
|
||||
@@ -221,6 +226,7 @@
|
||||
@@ -221,6 +226,8 @@
|
||||
/usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
|
||||
+/usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0)
|
||||
+/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -315,3 +321,21 @@
|
||||
@@ -263,6 +270,7 @@
|
||||
/usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
+/usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/system-config-httpd/system-config-httpd -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -315,3 +323,21 @@
|
||||
ifdef(`distro_suse',`
|
||||
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
|
||||
')
|
||||
@ -5642,7 +5683,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.30/policy/modules/kernel/filesystem.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.30/policy/modules/kernel/filesystem.if 2009-08-31 13:40:47.000000000 -0400
|
||||
+++ serefpolicy-3.6.30/policy/modules/kernel/filesystem.if 2009-09-04 11:37:45.000000000 -0400
|
||||
@@ -1537,6 +1537,24 @@
|
||||
|
||||
########################################
|
||||
@ -7390,8 +7431,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.30/policy/modules/roles/unconfineduser.te
|
||||
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.30/policy/modules/roles/unconfineduser.te 2009-08-31 13:40:47.000000000 -0400
|
||||
@@ -0,0 +1,392 @@
|
||||
+++ serefpolicy-3.6.30/policy/modules/roles/unconfineduser.te 2009-09-04 10:33:43.000000000 -0400
|
||||
@@ -0,0 +1,393 @@
|
||||
+policy_module(unconfineduser, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -7670,6 +7711,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
+optional_policy(`
|
||||
+ rtkit_daemon_system_domain(unconfined_t)
|
||||
+ rtkit_daemon_system_domain(unconfined_execmem_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
@ -8133,8 +8175,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.30/policy/modules/services/abrt.te
|
||||
--- nsaserefpolicy/policy/modules/services/abrt.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.30/policy/modules/services/abrt.te 2009-08-31 13:40:47.000000000 -0400
|
||||
@@ -0,0 +1,124 @@
|
||||
+++ serefpolicy-3.6.30/policy/modules/services/abrt.te 2009-09-06 15:27:50.000000000 -0400
|
||||
@@ -0,0 +1,120 @@
|
||||
+
|
||||
+policy_module(abrt,1.0.0)
|
||||
+
|
||||
@ -8146,6 +8188,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+type abrt_t;
|
||||
+type abrt_exec_t;
|
||||
+init_daemon_domain(abrt_t,abrt_exec_t)
|
||||
+dbus_system_domain(abrt_t,abrt_exec_t)
|
||||
+
|
||||
+type abrt_initrc_exec_t;
|
||||
+init_script_file(abrt_initrc_exec_t)
|
||||
@ -8237,11 +8280,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+miscfiles_read_certs(abrt_t)
|
||||
+miscfiles_read_localization(abrt_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ dbus_connect_system_bus(abrt_t)
|
||||
+ dbus_system_bus_client(abrt_t)
|
||||
+')
|
||||
+
|
||||
+# to run bugzilla plugin
|
||||
+# read ~/.abrt/Bugzilla.conf
|
||||
+userdom_read_user_home_content_files(abrt_t)
|
||||
@ -10383,7 +10421,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.30/policy/modules/services/cron.te
|
||||
--- nsaserefpolicy/policy/modules/services/cron.te 2009-08-14 16:14:31.000000000 -0400
|
||||
+++ serefpolicy-3.6.30/policy/modules/services/cron.te 2009-08-31 13:40:47.000000000 -0400
|
||||
+++ serefpolicy-3.6.30/policy/modules/services/cron.te 2009-09-04 10:32:17.000000000 -0400
|
||||
@@ -38,6 +38,10 @@
|
||||
type cron_var_lib_t;
|
||||
files_type(cron_var_lib_t)
|
||||
@ -10704,7 +10742,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ prelink_manage_lib(system_cronjob_t)
|
||||
+ prelink_manage_log(system_cronjob_t)
|
||||
+ prelink_read_cache(system_cronjob_t)
|
||||
+ prelink_relabelfrom_var_lib(system_cronjob_t)
|
||||
+ prelink_relabel_var_lib(system_cronjob_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -14023,7 +14061,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.30/policy/modules/services/policykit.te
|
||||
--- nsaserefpolicy/policy/modules/services/policykit.te 2009-08-18 11:41:14.000000000 -0400
|
||||
+++ serefpolicy-3.6.30/policy/modules/services/policykit.te 2009-08-31 13:40:47.000000000 -0400
|
||||
+++ serefpolicy-3.6.30/policy/modules/services/policykit.te 2009-09-04 11:37:59.000000000 -0400
|
||||
@@ -36,11 +36,12 @@
|
||||
# policykit local policy
|
||||
#
|
||||
@ -14091,7 +14129,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
|
||||
|
||||
@@ -92,12 +112,13 @@
|
||||
@@ -92,12 +112,14 @@
|
||||
manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
|
||||
files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
|
||||
|
||||
@ -14101,13 +14139,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
files_read_usr_files(policykit_auth_t)
|
||||
|
||||
+fs_getattr_all_fs(polkit_auth_t)
|
||||
+fs_search_tmpfs(polkit_auth_t)
|
||||
+
|
||||
auth_use_nsswitch(policykit_auth_t)
|
||||
+auth_domtrans_chk_passwd(policykit_auth_t)
|
||||
|
||||
logging_send_syslog_msg(policykit_auth_t)
|
||||
|
||||
@@ -106,7 +127,7 @@
|
||||
@@ -106,7 +128,7 @@
|
||||
userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -14116,7 +14155,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dbus_session_bus_client(policykit_auth_t)
|
||||
|
||||
optional_policy(`
|
||||
@@ -119,6 +140,14 @@
|
||||
@@ -119,6 +141,14 @@
|
||||
hal_read_state(policykit_auth_t)
|
||||
')
|
||||
|
||||
@ -14131,7 +14170,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
########################################
|
||||
#
|
||||
# polkit_grant local policy
|
||||
@@ -126,7 +155,8 @@
|
||||
@@ -126,7 +156,8 @@
|
||||
|
||||
allow policykit_grant_t self:capability setuid;
|
||||
allow policykit_grant_t self:process getattr;
|
||||
@ -14141,7 +14180,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
|
||||
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
@@ -156,9 +186,12 @@
|
||||
@@ -156,9 +187,12 @@
|
||||
userdom_read_all_users_state(policykit_grant_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -14155,7 +14194,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
consolekit_dbus_chat(policykit_grant_t)
|
||||
')
|
||||
')
|
||||
@@ -170,7 +203,8 @@
|
||||
@@ -170,7 +204,8 @@
|
||||
|
||||
allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
|
||||
allow policykit_resolve_t self:process getattr;
|
||||
@ -14942,7 +14981,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
########################################
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.30/policy/modules/services/ppp.te
|
||||
--- nsaserefpolicy/policy/modules/services/ppp.te 2009-08-14 16:14:31.000000000 -0400
|
||||
+++ serefpolicy-3.6.30/policy/modules/services/ppp.te 2009-08-31 13:40:47.000000000 -0400
|
||||
+++ serefpolicy-3.6.30/policy/modules/services/ppp.te 2009-09-04 10:22:17.000000000 -0400
|
||||
@@ -38,7 +38,7 @@
|
||||
files_type(pppd_etc_rw_t)
|
||||
|
||||
type pppd_initrc_exec_t alias pppd_script_exec_t;
|
||||
-files_type(pppd_initrc_exec_t)
|
||||
+init_script_file(pppd_initrc_exec_t)
|
||||
|
||||
# pppd_secret_t is the type of the pap and chap password files
|
||||
type pppd_secret_t;
|
||||
@@ -193,6 +193,8 @@
|
||||
|
||||
optional_policy(`
|
||||
@ -15473,7 +15521,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/usr/libexec/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.if serefpolicy-3.6.30/policy/modules/services/rtkit_daemon.if
|
||||
--- nsaserefpolicy/policy/modules/services/rtkit_daemon.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.30/policy/modules/services/rtkit_daemon.if 2009-08-31 13:40:47.000000000 -0400
|
||||
+++ serefpolicy-3.6.30/policy/modules/services/rtkit_daemon.if 2009-09-04 10:33:29.000000000 -0400
|
||||
@@ -0,0 +1,63 @@
|
||||
+
|
||||
+## <summary>policy for rtkit_daemon</summary>
|
||||
@ -16520,7 +16568,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.30/policy/modules/services/setroubleshoot.te
|
||||
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-08-14 16:14:31.000000000 -0400
|
||||
+++ serefpolicy-3.6.30/policy/modules/services/setroubleshoot.te 2009-08-31 17:31:34.000000000 -0400
|
||||
+++ serefpolicy-3.6.30/policy/modules/services/setroubleshoot.te 2009-09-06 15:49:01.000000000 -0400
|
||||
@@ -22,13 +22,19 @@
|
||||
type setroubleshoot_var_run_t;
|
||||
files_pid_file(setroubleshoot_var_run_t)
|
||||
@ -16582,7 +16630,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
selinux_get_enforce_mode(setroubleshootd_t)
|
||||
selinux_validate_context(setroubleshootd_t)
|
||||
@@ -94,23 +113,70 @@
|
||||
@@ -94,23 +113,73 @@
|
||||
|
||||
locallogin_dontaudit_use_fds(setroubleshootd_t)
|
||||
|
||||
@ -16647,7 +16695,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+userdom_dontaudit_search_admin_dir(setroubleshoot_fixit_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ rpm_read_db(setroubleshoot_fixit_t)
|
||||
+ rpm_signull(setroubleshootd_fixit_t)
|
||||
+ rpm_read_db(setroubleshootd_fixit_t)
|
||||
+ rpm_dontaudit_manage_db(setroubleshootd_fixit_t)
|
||||
+ rpm_use_script_fds(setroubleshootd_fixit_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
@ -19635,7 +19686,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.30/policy/modules/services/xserver.te
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-08-28 14:58:20.000000000 -0400
|
||||
+++ serefpolicy-3.6.30/policy/modules/services/xserver.te 2009-08-31 13:40:47.000000000 -0400
|
||||
+++ serefpolicy-3.6.30/policy/modules/services/xserver.te 2009-09-04 09:41:10.000000000 -0400
|
||||
@@ -34,6 +34,13 @@
|
||||
|
||||
## <desc>
|
||||
@ -19793,7 +19844,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
domain_use_interactive_fds(xauth_t)
|
||||
|
||||
files_read_etc_files(xauth_t)
|
||||
@@ -300,20 +325,29 @@
|
||||
@@ -300,20 +325,31 @@
|
||||
# XDM Local policy
|
||||
#
|
||||
|
||||
@ -19815,6 +19866,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow xdm_t self:appletalk_socket create_socket_perms;
|
||||
allow xdm_t self:key { search link write };
|
||||
|
||||
+allow xdm_t xauth_home_t:file rw_file_perms;
|
||||
+
|
||||
allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
|
||||
+manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||
+manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||
@ -19826,7 +19879,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# Allow gdm to run gdm-binary
|
||||
can_exec(xdm_t, xdm_exec_t)
|
||||
@@ -329,22 +363,39 @@
|
||||
@@ -329,22 +365,39 @@
|
||||
manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
|
||||
manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
|
||||
files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
|
||||
@ -19869,7 +19922,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
allow xdm_t xserver_t:process signal;
|
||||
allow xdm_t xserver_t:unix_stream_socket connectto;
|
||||
@@ -358,6 +409,7 @@
|
||||
@@ -358,6 +411,7 @@
|
||||
allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
|
||||
|
||||
allow xdm_t xserver_t:shm rw_shm_perms;
|
||||
@ -19877,7 +19930,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# connect to xdm xserver over stream socket
|
||||
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
||||
@@ -366,10 +418,14 @@
|
||||
@@ -366,10 +420,14 @@
|
||||
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
|
||||
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
|
||||
|
||||
@ -19893,7 +19946,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
kernel_read_system_state(xdm_t)
|
||||
kernel_read_kernel_sysctls(xdm_t)
|
||||
@@ -389,11 +445,13 @@
|
||||
@@ -389,11 +447,13 @@
|
||||
corenet_udp_sendrecv_all_ports(xdm_t)
|
||||
corenet_tcp_bind_generic_node(xdm_t)
|
||||
corenet_udp_bind_generic_node(xdm_t)
|
||||
@ -19907,7 +19960,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dev_read_rand(xdm_t)
|
||||
dev_read_sysfs(xdm_t)
|
||||
dev_getattr_framebuffer_dev(xdm_t)
|
||||
@@ -401,6 +459,7 @@
|
||||
@@ -401,6 +461,7 @@
|
||||
dev_getattr_mouse_dev(xdm_t)
|
||||
dev_setattr_mouse_dev(xdm_t)
|
||||
dev_rw_apm_bios(xdm_t)
|
||||
@ -19915,7 +19968,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dev_setattr_apm_bios_dev(xdm_t)
|
||||
dev_rw_dri(xdm_t)
|
||||
dev_rw_agp(xdm_t)
|
||||
@@ -413,14 +472,17 @@
|
||||
@@ -413,14 +474,17 @@
|
||||
dev_setattr_video_dev(xdm_t)
|
||||
dev_getattr_scanner_dev(xdm_t)
|
||||
dev_setattr_scanner_dev(xdm_t)
|
||||
@ -19935,7 +19988,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
files_read_etc_files(xdm_t)
|
||||
files_read_var_files(xdm_t)
|
||||
@@ -431,9 +493,13 @@
|
||||
@@ -431,9 +495,13 @@
|
||||
files_read_usr_files(xdm_t)
|
||||
# Poweroff wants to create the /poweroff file when run from xdm
|
||||
files_create_boot_flag(xdm_t)
|
||||
@ -19949,7 +20002,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
storage_dontaudit_read_fixed_disk(xdm_t)
|
||||
storage_dontaudit_write_fixed_disk(xdm_t)
|
||||
@@ -442,6 +508,7 @@
|
||||
@@ -442,6 +510,7 @@
|
||||
storage_dontaudit_raw_write_removable_device(xdm_t)
|
||||
storage_dontaudit_setattr_removable_dev(xdm_t)
|
||||
storage_dontaudit_rw_scsi_generic(xdm_t)
|
||||
@ -19957,7 +20010,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
term_setattr_console(xdm_t)
|
||||
term_use_unallocated_ttys(xdm_t)
|
||||
@@ -450,6 +517,7 @@
|
||||
@@ -450,6 +519,7 @@
|
||||
auth_domtrans_pam_console(xdm_t)
|
||||
auth_manage_pam_pid(xdm_t)
|
||||
auth_manage_pam_console_data(xdm_t)
|
||||
@ -19965,7 +20018,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
auth_rw_faillog(xdm_t)
|
||||
auth_write_login_records(xdm_t)
|
||||
|
||||
@@ -460,10 +528,11 @@
|
||||
@@ -460,10 +530,11 @@
|
||||
|
||||
logging_read_generic_logs(xdm_t)
|
||||
|
||||
@ -19979,7 +20032,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
|
||||
userdom_create_all_users_keys(xdm_t)
|
||||
@@ -472,6 +541,9 @@
|
||||
@@ -472,6 +543,9 @@
|
||||
# Search /proc for any user domain processes.
|
||||
userdom_read_all_users_state(xdm_t)
|
||||
userdom_signal_all_users(xdm_t)
|
||||
@ -19989,7 +20042,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
xserver_rw_session(xdm_t, xdm_tmpfs_t)
|
||||
xserver_unconfined(xdm_t)
|
||||
@@ -504,10 +576,12 @@
|
||||
@@ -504,10 +578,12 @@
|
||||
|
||||
optional_policy(`
|
||||
alsa_domtrans(xdm_t)
|
||||
@ -20002,7 +20055,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -515,12 +589,46 @@
|
||||
@@ -515,12 +591,46 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -20049,7 +20102,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
hostname_exec(xdm_t)
|
||||
')
|
||||
|
||||
@@ -542,6 +650,30 @@
|
||||
@@ -542,6 +652,30 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -20080,7 +20133,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
seutil_sigchld_newrole(xdm_t)
|
||||
')
|
||||
|
||||
@@ -550,8 +682,9 @@
|
||||
@@ -550,8 +684,9 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -20092,7 +20145,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
ifndef(`distro_redhat',`
|
||||
allow xdm_t self:process { execheap execmem };
|
||||
@@ -560,7 +693,6 @@
|
||||
@@ -560,7 +695,6 @@
|
||||
ifdef(`distro_rhel4',`
|
||||
allow xdm_t self:process { execheap execmem };
|
||||
')
|
||||
@ -20100,7 +20153,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
optional_policy(`
|
||||
userhelper_dontaudit_search_config(xdm_t)
|
||||
@@ -571,6 +703,10 @@
|
||||
@@ -571,6 +705,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -20111,7 +20164,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
xfs_stream_connect(xdm_t)
|
||||
')
|
||||
|
||||
@@ -587,10 +723,9 @@
|
||||
@@ -587,10 +725,9 @@
|
||||
# execheap needed until the X module loader is fixed.
|
||||
# NVIDIA Needs execstack
|
||||
|
||||
@ -20123,11 +20176,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow xserver_t self:fd use;
|
||||
allow xserver_t self:fifo_file rw_fifo_file_perms;
|
||||
allow xserver_t self:sock_file read_sock_file_perms;
|
||||
@@ -602,9 +737,11 @@
|
||||
@@ -602,9 +739,12 @@
|
||||
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
||||
allow xserver_t self:udp_socket create_socket_perms;
|
||||
+allow xserver_t self:netlink_selinux_socket create_socket_perms;
|
||||
+allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
|
||||
# Device rules
|
||||
allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell };
|
||||
@ -20135,7 +20189,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
|
||||
|
||||
@@ -616,13 +753,14 @@
|
||||
@@ -616,13 +756,14 @@
|
||||
type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
|
||||
|
||||
allow xserver_t { rootwindow_t x_domain }:x_drawable send;
|
||||
@ -20151,7 +20205,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||
@@ -635,9 +773,19 @@
|
||||
@@ -635,9 +776,19 @@
|
||||
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||
files_search_var_lib(xserver_t)
|
||||
|
||||
@ -20171,7 +20225,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
kernel_read_system_state(xserver_t)
|
||||
kernel_read_device_sysctls(xserver_t)
|
||||
@@ -671,7 +819,6 @@
|
||||
@@ -671,7 +822,6 @@
|
||||
dev_rw_agp(xserver_t)
|
||||
dev_rw_framebuffer(xserver_t)
|
||||
dev_manage_dri_dev(xserver_t)
|
||||
@ -20179,7 +20233,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dev_create_generic_dirs(xserver_t)
|
||||
dev_setattr_generic_dirs(xserver_t)
|
||||
# raw memory access is needed if not using the frame buffer
|
||||
@@ -681,9 +828,12 @@
|
||||
@@ -681,9 +831,12 @@
|
||||
dev_rw_xserver_misc(xserver_t)
|
||||
# read events - the synaptics touchpad driver reads raw events
|
||||
dev_rw_input_dev(xserver_t)
|
||||
@ -20193,7 +20247,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
files_read_etc_files(xserver_t)
|
||||
files_read_etc_runtime_files(xserver_t)
|
||||
@@ -698,8 +848,12 @@
|
||||
@@ -698,8 +851,12 @@
|
||||
fs_search_nfs(xserver_t)
|
||||
fs_search_auto_mountpoints(xserver_t)
|
||||
fs_search_ramfs(xserver_t)
|
||||
@ -20206,7 +20260,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
selinux_validate_context(xserver_t)
|
||||
selinux_compute_access_vector(xserver_t)
|
||||
@@ -721,6 +875,7 @@
|
||||
@@ -721,6 +878,7 @@
|
||||
|
||||
miscfiles_read_localization(xserver_t)
|
||||
miscfiles_read_fonts(xserver_t)
|
||||
@ -20214,7 +20268,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
modutils_domtrans_insmod(xserver_t)
|
||||
|
||||
@@ -743,7 +898,7 @@
|
||||
@@ -743,7 +901,7 @@
|
||||
')
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
@ -20223,7 +20277,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
|
||||
')
|
||||
|
||||
@@ -775,12 +930,20 @@
|
||||
@@ -775,12 +933,20 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -20245,7 +20299,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
unconfined_domtrans(xserver_t)
|
||||
')
|
||||
|
||||
@@ -807,7 +970,7 @@
|
||||
@@ -807,7 +973,7 @@
|
||||
allow xserver_t xdm_var_lib_t:file { getattr read };
|
||||
dontaudit xserver_t xdm_var_lib_t:dir search;
|
||||
|
||||
@ -20254,7 +20308,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# Label pid and temporary files with derived types.
|
||||
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||
@@ -828,9 +991,14 @@
|
||||
@@ -828,9 +994,14 @@
|
||||
# to read ROLE_home_t - examine this in more detail
|
||||
# (xauth?)
|
||||
userdom_read_user_home_content_files(xserver_t)
|
||||
@ -20269,7 +20323,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs(xserver_t)
|
||||
fs_manage_nfs_files(xserver_t)
|
||||
@@ -845,11 +1013,14 @@
|
||||
@@ -845,11 +1016,14 @@
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(xserver_t)
|
||||
@ -20285,7 +20339,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -882,6 +1053,8 @@
|
||||
@@ -882,6 +1056,8 @@
|
||||
# X Server
|
||||
# can read server-owned resources
|
||||
allow x_domain xserver_t:x_resource read;
|
||||
@ -20294,7 +20348,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# can mess with own clients
|
||||
allow x_domain self:x_client { manage destroy };
|
||||
|
||||
@@ -906,6 +1079,8 @@
|
||||
@@ -906,6 +1082,8 @@
|
||||
# operations allowed on my windows
|
||||
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
||||
|
||||
@ -20303,7 +20357,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# X Colormaps
|
||||
# can use the default colormap
|
||||
allow x_domain rootwindow_t:x_colormap { read use add_color };
|
||||
@@ -973,17 +1148,49 @@
|
||||
@@ -973,17 +1151,49 @@
|
||||
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
|
||||
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
|
||||
|
||||
@ -21121,7 +21175,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
#
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.30/policy/modules/system/init.if
|
||||
--- nsaserefpolicy/policy/modules/system/init.if 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.30/policy/modules/system/init.if 2009-08-31 13:40:47.000000000 -0400
|
||||
+++ serefpolicy-3.6.30/policy/modules/system/init.if 2009-09-03 10:39:12.000000000 -0400
|
||||
@@ -174,6 +174,7 @@
|
||||
role system_r types $1;
|
||||
|
||||
@ -22492,7 +22546,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.30/policy/modules/system/libraries.fc
|
||||
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400
|
||||
+++ serefpolicy-3.6.30/policy/modules/system/libraries.fc 2009-09-01 08:55:51.000000000 -0400
|
||||
+++ serefpolicy-3.6.30/policy/modules/system/libraries.fc 2009-09-04 11:35:21.000000000 -0400
|
||||
@@ -60,12 +60,15 @@
|
||||
#
|
||||
# /opt
|
||||
@ -22542,7 +22596,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
/usr/(.*/)?java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
|
||||
@@ -115,27 +120,31 @@
|
||||
@@ -115,27 +120,30 @@
|
||||
|
||||
/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
@ -22550,13 +22604,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/usr/lib/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
+/usr/lib64/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
+/usr/lib64/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
+/usr/lib64/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
+/usr/lib(64)?/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
+/usr/lib(64)?/catalyst/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
+
|
||||
|
||||
/usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -22582,7 +22635,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
|
||||
/usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@@ -143,11 +152,8 @@
|
||||
@@ -143,11 +151,8 @@
|
||||
/usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
@ -22594,7 +22647,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/usr/lib(64)?/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/xorg/modules/drivers/nvidia_drv\.o -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@@ -168,12 +174,12 @@
|
||||
@@ -168,12 +173,12 @@
|
||||
|
||||
# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
|
||||
# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
|
||||
@ -22609,7 +22662,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@@ -185,15 +191,10 @@
|
||||
@@ -185,15 +190,10 @@
|
||||
/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -22626,7 +22679,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/usr/lib(64)?/libHermes\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/valgrind/hp2ps -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/valgrind/stage2 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@@ -228,31 +229,17 @@
|
||||
@@ -228,31 +228,17 @@
|
||||
/usr/lib(64)?/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -22662,7 +22715,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# Jai, Sun Microsystems (Jpackage SPRM)
|
||||
/usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@@ -268,8 +255,8 @@
|
||||
@@ -268,8 +254,8 @@
|
||||
/usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
@ -22673,7 +22726,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# Java, Sun Microsystems (JPackage SRPM)
|
||||
/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@@ -295,6 +282,8 @@
|
||||
@@ -295,6 +281,8 @@
|
||||
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -22682,7 +22735,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
') dnl end distro_redhat
|
||||
|
||||
#
|
||||
@@ -307,10 +296,94 @@
|
||||
@@ -307,10 +295,96 @@
|
||||
|
||||
/var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0)
|
||||
|
||||
@ -22739,6 +22792,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
+/usr/lib(64)?/xine/plugins/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
+
|
||||
+/usr/lib(64)?/yafaray/libDarkSky.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
+
|
||||
+ifdef(`fixed',`
|
||||
+/usr/lib(64)?/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
+/usr/lib(64)?/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -23787,8 +23842,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.6.30/policy/modules/system/raid.te
|
||||
--- nsaserefpolicy/policy/modules/system/raid.te 2009-08-14 16:14:31.000000000 -0400
|
||||
+++ serefpolicy-3.6.30/policy/modules/system/raid.te 2009-08-31 13:40:47.000000000 -0400
|
||||
@@ -44,6 +44,7 @@
|
||||
+++ serefpolicy-3.6.30/policy/modules/system/raid.te 2009-09-06 15:32:46.000000000 -0400
|
||||
@@ -44,11 +44,13 @@
|
||||
dev_dontaudit_getattr_generic_chr_files(mdadm_t)
|
||||
dev_dontaudit_getattr_generic_blk_files(mdadm_t)
|
||||
dev_read_realtime_clock(mdadm_t)
|
||||
@ -23796,6 +23851,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
domain_use_interactive_fds(mdadm_t)
|
||||
|
||||
files_read_etc_files(mdadm_t)
|
||||
files_read_etc_runtime_files(mdadm_t)
|
||||
+files_dontaudit_getattr_tmpfs_files(mdadm_t)
|
||||
|
||||
fs_search_auto_mountpoints(mdadm_t)
|
||||
fs_dontaudit_list_tmpfs(mdadm_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.6.30/policy/modules/system/selinuxutil.fc
|
||||
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.30/policy/modules/system/selinuxutil.fc 2009-08-31 13:40:47.000000000 -0400
|
||||
|
||||
Loading…
Reference in New Issue
Block a user