- Add shorewall policy
This commit is contained in:
parent
21b13fca45
commit
37ebfc9102
@ -1178,20 +1178,6 @@ rsync = module
#
rwho = module
# Layer: services
# Module: sasl
#
# SASL authentication server
#
sasl = module
# Layer: services
# Module: sendmail
#
# Policy for sendmail.
#
sendmail = base
# Layer: services
# Module: samba
#
@ -1208,6 +1194,13 @@ samba = module
#
sambagui = module
# Layer: services
# Module: sasl
#
# SASL authentication server
#
sasl = module
# Layer: apps
# Module: screen
#
@ -1230,6 +1223,20 @@ selinux = base
#
selinuxutil = base
# Layer: services
# Module: sendmail
#
# Policy for sendmail.
#
sendmail = base
# Layer: services
# Module: shorewall
#
# Policy for shorewall
#
shorewall = base
# Layer: system
# Module: setrans
# Required in base
@ -788,7 +788,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-/usr/sbin/readahead -- gen_context(system_u:object_r:readahead_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.12/policy/modules/admin/readahead.te
--- nsaserefpolicy/policy/modules/admin/readahead.te 2009-01-05 15:39:44.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/admin/readahead.te 2009-04-28 15:47:35.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/admin/readahead.te 2009-04-30 14:18:18.000000000 -0400
@@ -11,8 +11,8 @@
init_daemon_domain(readahead_t, readahead_exec_t)
application_domain(readahead_t, readahead_exec_t)
@ -820,7 +820,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_system_state(readahead_t)
kernel_dontaudit_getattr_core_if(readahead_t)
@@ -46,6 +49,7 @@
@@ -46,10 +49,12 @@
storage_raw_read_fixed_disk(readahead_t)
domain_use_interactive_fds(readahead_t)
@ -828,7 +828,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_dontaudit_getattr_all_sockets(readahead_t)
files_list_non_security(readahead_t)
@@ -58,6 +62,7 @@
files_read_non_security_files(readahead_t)
+files_dontaudit_getattr_non_security_blk_files(readahead_t)
fs_getattr_all_fs(readahead_t)
fs_search_auto_mountpoints(readahead_t)
@@ -58,6 +63,7 @@
fs_dontaudit_search_ramfs(readahead_t)
fs_dontaudit_read_ramfs_pipes(readahead_t)
fs_dontaudit_read_ramfs_files(readahead_t)
@ -836,7 +841,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_read_tmpfs_symlinks(readahead_t)
fs_list_inotifyfs(readahead_t)
@@ -72,6 +77,7 @@
@@ -72,6 +78,7 @@
init_getattr_initctl(readahead_t)
logging_send_syslog_msg(readahead_t)
@ -4847,7 +4852,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+corecmd_executable_file(wm_exec_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-03-05 10:34:00.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc 2009-04-23 09:44:57.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc 2009-04-30 08:31:43.000000000 -0400
@@ -32,6 +32,8 @@
#
# /etc
@ -4866,7 +4871,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#
# /usr
#
@@ -299,3 +303,20 @@
@@ -210,6 +214,7 @@
/usr/share/Modules/init(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
@@ -299,3 +304,20 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@ -5388,7 +5401,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-04-23 09:44:57.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-04-30 14:18:05.000000000 -0400
@@ -110,6 +110,11 @@
## </param>
#
@ -10372,7 +10385,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.12/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/consolekit.te 2009-04-29 13:51:27.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/consolekit.te 2009-04-30 17:45:01.000000000 -0400
@@ -13,6 +13,9 @@
type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
@ -10451,7 +10464,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
unconfined_dbus_chat(consolekit_t)
@@ -61,6 +94,32 @@
@@ -61,6 +94,33 @@
')
optional_policy(`
@ -10466,6 +10479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
xserver_stream_connect(consolekit_t)
+ xserver_ptrace_xdm(consolekit_t)
+ xserver_common_app(consolekit_t)
+ corenet_tcp_connect_xserver_port(consolekit_t)
+')
+
+optional_policy(`
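Review bot: `xserver_ptrace_xdm(consolekit_t)` hands consolekit ptrace access to the display-manager domain, a far wider grant than the `xserver_stream_connect` and xserver-port rules next to it, and nothing in the hunk records which operation needed it. A grant of that size deserves a justifying comment so it can be narrowed later, e.g. `# ptrace xdm: needed for <AVC or bug reference — TODO fill in>` above the line, or the narrowest xserver interface that clears the audit should be used instead. The `optional_policy(` block these lines close opens before this hunk, and the rendered view does not show which single line of the seven is the one this commit adds.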
@ -14990,8 +15004,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.fc serefpolicy-3.6.12/policy/modules/services/milter.fc
--- nsaserefpolicy/policy/modules/services/milter.fc 2008-11-25 09:01:08.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/milter.fc 2009-04-29 10:14:21.000000000 -0400
@@ -1,6 +1,10 @@
+++ serefpolicy-3.6.12/policy/modules/services/milter.fc 2009-04-30 17:48:59.000000000 -0400
@@ -1,6 +1,15 @@
-/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
-/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
@ -15004,6 +15018,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/lib/miltermilter.* gen_context(system_u:object_r:spamass_milter_state_t,s0)
+
+/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
+/usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
+
+/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.if serefpolicy-3.6.12/policy/modules/services/milter.if
--- nsaserefpolicy/policy/modules/services/milter.if 2008-11-25 09:01:08.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/milter.if 2009-04-24 13:45:41.000000000 -0400
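Review bot: `/var/lib/miltermilter.*` on the first line of this hunk has no path separator between the two `milter` tokens and looks like a typo; if spamass-milter keeps its state under a `milter` directory this regex never matches, the state files keep the generic `var_lib_t` label, and the daemon is denied on them once enforcing while the `.fc` itself never reports an error. Confirm the real path from the package file list and fix the pattern (most likely by inserting the missing `/`). Which of the eight lines here are new in this commit cannot be recovered from the rendered hunk.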
@ -15043,7 +15062,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.te serefpolicy-3.6.12/policy/modules/services/milter.te
--- nsaserefpolicy/policy/modules/services/milter.te 2008-11-25 09:01:08.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/milter.te 2009-04-24 08:31:02.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/milter.te 2009-04-30 18:09:54.000000000 -0400
@@ -14,6 +14,12 @@
milter_template(regex)
milter_template(spamass)
@ -15068,6 +15087,47 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_system_state(spamass_milter_t)
# When used with -b or -B options, the milter invokes sendmail to send mail
@@ -53,3 +63,40 @@
# The main job of the milter is to pipe spam through spamc and act on the result
spamassassin_domtrans_client(spamass_milter_t)
+
+########################################
+#
+# milter-greylist Declarations
+#
+
+milter_template(greylist)
+
+########################################
+#
+# milter-greylist local policy
+# ensure smtp clients retry mail like real MTAs and not spamware
+# http://hcpnet.free.fr/milter-greylist/
+#
+
+# Look up username for dropping privs
+auth_use_nsswitch(greylist_milter_t)
+
+# It creates a pid file /var/run/milter-greylist.pid
+files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
+
+# It removes any existing socket (not owned by root) whilst running as root,
+# fixes permissions, renices itself and then calls setgid() and setuid() to
+# drop privileges
+kernel_read_kernel_sysctls(greylist_milter_t)
+allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
+allow greylist_milter_t self:process { setsched getsched };
+
+# Allow the milter to read a GeoIP database in /usr/share
+files_read_usr_files(greylist_milter_t)
+
+# The milter runs from /var/lib/milter-greylist and maintains files there
+files_search_var_lib(greylist_milter_t);
+
+# Config is in /etc/mail/greylist.conf
+mta_read_config(greylist_milter_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.12/policy/modules/services/mta.fc
--- nsaserefpolicy/policy/modules/services/mta.fc 2008-09-12 10:48:05.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/mta.fc 2009-04-23 09:44:57.000000000 -0400
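Review bot: `files_search_var_lib(greylist_milter_t);` is the only interface call in this hunk with a trailing `;`; m4 copies that semicolon into the generated policy after the interface's own expansion, leaving a stray token that checkpolicy may reject, so the line should read `files_search_var_lib(greylist_milter_t)`. Separately, `files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)` covers only the pid file, while the `.fc` hunk above labels `/var/run/milter-greylist(/.*)?` with the same type; if the daemon creates that directory at runtime the transition needs `{ dir file }`, otherwise a comment stating the directory is shipped by the package would make the asymmetry deliberate.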
@ -15103,7 +15163,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/root/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.12/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/mta.if 2009-04-23 09:44:57.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/mta.if 2009-04-30 08:19:03.000000000 -0400
@@ -130,6 +130,15 @@
sendmail_create_log($1_mail_t)
')
@ -15112,7 +15172,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ exim_read_log($1_mail_t)
+ exim_append_log($1_mail_t)
+ exim_manage_spool_files($1_mail_t)
+')
+ ')
+
+ optional_policy(`
+ uucp_manage_spool($1_mail_t)
@ -21425,7 +21485,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.12/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/sendmail.if 2009-04-29 13:03:31.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/sendmail.if 2009-04-30 08:12:22.000000000 -0400
@@ -89,7 +89,7 @@
type sendmail_t;
')
@ -21886,6 +21946,298 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
rpm_read_db(setroubleshootd_t)
rpm_dontaudit_manage_db(setroubleshootd_t)
rpm_use_script_fds(setroubleshootd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.fc serefpolicy-3.6.12/policy/modules/services/shorewall.fc
--- nsaserefpolicy/policy/modules/services/shorewall.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/shorewall.fc 2009-04-30 08:33:41.000000000 -0400
@@ -0,0 +1,12 @@
+
+/etc/rc\.d/init\.d/shorewall -- gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/shorewall-lite -- gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
+
+/etc/shorewall(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
+/etc/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
+
+/sbin/shorewall -- gen_context(system_u:object_r:shorewall_exec_t,s0)
+/sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0)
+
+/var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+/var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.if serefpolicy-3.6.12/policy/modules/services/shorewall.if
--- nsaserefpolicy/policy/modules/services/shorewall.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/shorewall.if 2009-04-30 08:29:56.000000000 -0400
@@ -0,0 +1,166 @@
+## <summary>policy for shorewall</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run shorewall.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`shorewall_domtrans',`
+ gen_require(`
+ type shorewall_t;
+ type shorewall_exec_t;
+ ')
+
+ domtrans_pattern($1, shorewall_exec_t, shorewall_t)
+')
+
+#######################################
+## <summary>
+## Read shorewall etc configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shorewall_read_etc',`
+ gen_require(`
+ type shorewall_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, shorewall_etc_t, shorewall_etc_t)
+')
+
+#######################################
+## <summary>
+## Read shorewall PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shorewall_read_pid_files',`
+ gen_require(`
+ type shorewall_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
+')
+
+#######################################
+## <summary>
+## Read and write shorewall PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shorewall_rw_pid_files',`
+ gen_require(`
+ type shorewall_var_run_t;
+ ')
+
+ files_search_pids($1)
+ rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
+')
+
+######################################
+## <summary>
+## Read shorewall /var/lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shorewall_read_var_lib',`
+ gen_require(`
+ type shorewall_t;
+ ')
+
+ files_search_var_lib($1)
+ search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+ read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+')
+
+#######################################
+## <summary>
+## Read and write shorewall /var/lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shorewall_rw_var_lib',`
+ gen_require(`
+ type shorewall_t;
+ ')
+
+ files_search_var_lib($1)
+ search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+ rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+')
+
+#######################################
+## <summary>
+## All of the rules required to administrate
+## an shorewall environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the syslog domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`shorewall_admin',`
+ gen_require(`
+ type shorewall_t, shorewall_var_run_t, shorewall_lock_t;
+ type shorewall_initrc_exec_t, shorewall_var_lib_t;
+ type shorewall_tmp_t;
+ ')
+
+ allow $1 shorewall_t:process { ptrace signal_perms };
+ ps_process_pattern($1, shorewall_t)
+
+ init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 shorewall_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_etc($1)
+ admin_pattern($1, shorewall_etc_t)
+
+ files_search_locks($1)
+ admin_pattern($1, shorewall_lock_t)
+
+ files_search_pids($1)
+ admin_pattern($1, shorewall_var_run_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, shorewall_var_lib_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, shorewall_tmp_t)
+')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.te serefpolicy-3.6.12/policy/modules/services/shorewall.te
--- nsaserefpolicy/policy/modules/services/shorewall.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/shorewall.te 2009-04-30 08:29:56.000000000 -0400
@@ -0,0 +1,102 @@
+policy_module(shorewall,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type shorewall_t;
+type shorewall_exec_t;
+init_daemon_domain(shorewall_t, shorewall_exec_t)
+
+type shorewall_initrc_exec_t;
+init_script_file(shorewall_initrc_exec_t)
+
+# etc files
+type shorewall_etc_t;
+files_config_file(shorewall_etc_t)
+
+# lock files
+type shorewall_lock_t;
+files_lock_file(shorewall_lock_t)
+
+# tmp files
+type shorewall_tmp_t;
+files_tmp_file(shorewall_tmp_t)
+
+# var/lib files
+type shorewall_var_lib_t;
+files_type(shorewall_var_lib_t)
+
+########################################
+#
+# shorewall local policy
+#
+
+allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace};
+dontaudit shorewall_t self:capability sys_tty_config;
+
+allow shorewall_t self:fifo_file rw_fifo_file_perms;
+
+# etc file
+read_files_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
+list_dirs_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
+
+# lock files
+manage_files_pattern(shorewall_t,shorewall_lock_t,shorewall_lock_t)
+files_lock_filetrans(shorewall_t, shorewall_lock_t, file)
+
+# var/lib files for shorewall
+exec_files_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t)
+manage_dirs_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t)
+manage_files_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t)
+files_var_lib_filetrans(shorewall_t,shorewall_var_lib_t, { dir file })
+
+# tmp files for shorewall
+manage_dirs_pattern(shorewall_t,shorewall_tmp_t,shorewall_tmp_t)
+manage_files_pattern(shorewall_t,shorewall_tmp_t,shorewall_tmp_t)
+files_tmp_filetrans(shorewall_t, shorewall_tmp_t, { file dir })
+
+kernel_read_kernel_sysctls(shorewall_t)
+kernel_read_system_state(shorewall_t)
+kernel_read_network_state(shorewall_t)
+kernel_rw_net_sysctls(shorewall_t)
+
+corecmd_exec_bin(shorewall_t)
+corecmd_exec_shell(shorewall_t)
+
+dev_read_urand(shorewall_t)
+
+fs_getattr_all_fs(shorewall_t)
+
+domain_read_all_domains_state(shorewall_t)
+
+files_getattr_kernel_modules(shorewall_t)
+files_read_etc_files(shorewall_t)
+files_read_usr_files(shorewall_t)
+files_search_kernel_modules(shorewall_t)
+
+init_rw_utmp(shorewall_t)
+
+libs_use_ld_so(shorewall_t)
+libs_use_shared_libs(shorewall_t)
+
+logging_send_syslog_msg(shorewall_t)
+
+miscfiles_read_localization(shorewall_t)
+
+userdom_dontaudit_list_admin_dir(shorewall_t)
+
+sysnet_domtrans_ifconfig(shorewall_t)
+iptables_domtrans(shorewall_t)
+
+optional_policy(`
+ modutils_domtrans_insmod(shorewall_t)
+')
+
+optional_policy(`
+ ulogd_search_log(shorewall_t)
+')
+
+permissive shorewall_t;
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.12/policy/modules/services/smartmon.te
--- nsaserefpolicy/policy/modules/services/smartmon.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/smartmon.te 2009-04-23 09:44:57.000000000 -0400
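Review bot: Three of the new shorewall.if interfaces require types that do not match what they use: `shorewall_read_var_lib` and `shorewall_rw_var_lib` require `type shorewall_t;` but reference `shorewall_var_lib_t`, `shorewall_admin` calls `admin_pattern($1, shorewall_etc_t)` without requiring `shorewall_etc_t`, and `shorewall_read_pid_files`, `shorewall_rw_pid_files` and `shorewall_admin` all require `shorewall_var_run_t`, which shorewall.te never declares and shorewall.fc never labels. Any module calling one of these fails at link time on the undeclared type, so either declare the PID type in shorewall.te with its manage/filetrans rules and a file context, or drop the two PID interfaces and the `shorewall_var_run_t` entries. The `permissive shorewall_t;` line at the end of shorewall.te keeps the whole domain audit-only until it is removed, so these mismatches would surface only in callers, never as denials. The `<param name="role">` summary of `shorewall_admin` still reads "manage the syslog domain" and should name shorewall.
```m4
# shorewall.te — declare the type the .if interfaces require
type shorewall_var_run_t;
files_pid_file(shorewall_var_run_t)

# shorewall.if — require the types each interface actually uses
interface(`shorewall_read_var_lib',`
	gen_require(`
		type shorewall_var_lib_t;
	')
	# … unchanged: files_search_var_lib / search_dirs_pattern / read_files_pattern …
')

interface(`shorewall_rw_var_lib',`
	gen_require(`
		type shorewall_var_lib_t;
	')
	# … unchanged: files_search_var_lib / search_dirs_pattern / rw_files_pattern …
')

interface(`shorewall_admin',`
	gen_require(`
		type shorewall_t, shorewall_etc_t, shorewall_var_run_t, shorewall_lock_t;
		type shorewall_initrc_exec_t, shorewall_var_lib_t, shorewall_tmp_t;
	')
	# … unchanged: admin rules …
')
```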
@ -22122,7 +22474,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.12/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te 2009-04-27 11:45:25.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te 2009-04-30 08:12:59.000000000 -0400
@@ -20,6 +20,35 @@
## </desc>
gen_tunable(spamd_enable_home_dirs, true)
@ -22178,7 +22530,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type spamd_spool_t;
files_type(spamd_spool_t)
@@ -159,6 +195,7 @@
@@ -110,6 +146,7 @@
dev_read_urand(spamassassin_t)
fs_search_auto_mountpoints(spamassassin_t)
+fs_getattr_all_fs(spamassassin_t)
# this should probably be removed
corecmd_list_bin(spamassassin_t)
@@ -159,6 +196,7 @@
corenet_udp_sendrecv_all_ports(spamassassin_t)
corenet_tcp_connect_all_ports(spamassassin_t)
corenet_sendrecv_all_client_packets(spamassassin_t)
@ -22186,7 +22546,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
sysnet_read_config(spamassassin_t)
')
@@ -216,16 +253,32 @@
@@ -195,6 +233,7 @@
optional_policy(`
mta_read_config(spamassassin_t)
sendmail_stub(spamassassin_t)
+ sendmail_rw_unix_stream_sockets(spamassassin_t)
')
########################################
@@ -216,16 +255,32 @@
allow spamc_t self:unix_stream_socket connectto;
allow spamc_t self:tcp_socket create_stream_socket_perms;
allow spamc_t self:udp_socket create_socket_perms;
@ -22219,7 +22587,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(spamc_t)
corenet_all_recvfrom_netlabel(spamc_t)
@@ -239,6 +292,7 @@
@@ -239,6 +294,7 @@
corenet_sendrecv_all_client_packets(spamc_t)
fs_search_auto_mountpoints(spamc_t)
@ -22227,7 +22595,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# cjp: these should probably be removed:
corecmd_list_bin(spamc_t)
@@ -255,9 +309,15 @@
@@ -255,9 +311,15 @@
files_dontaudit_search_var(spamc_t)
# cjp: this may be removable:
files_list_home(spamc_t)
@ -22243,7 +22611,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
miscfiles_read_localization(spamc_t)
# cjp: this should probably be removed:
@@ -265,13 +325,16 @@
@@ -265,13 +327,16 @@
sysnet_read_config(spamc_t)
@ -22267,7 +22635,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -280,16 +343,21 @@
@@ -280,16 +345,21 @@
')
optional_policy(`
@ -22291,7 +22659,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -301,7 +369,7 @@
@@ -301,7 +371,7 @@
# setuids to the user running spamc. Comment this if you are not
# using this ability.
@ -22300,7 +22668,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dontaudit spamd_t self:capability sys_tty_config;
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamd_t self:fd use;
@@ -317,10 +385,13 @@
@@ -317,10 +387,13 @@
allow spamd_t self:unix_stream_socket connectto;
allow spamd_t self:tcp_socket create_stream_socket_perms;
allow spamd_t self:udp_socket create_socket_perms;
@ -22315,7 +22683,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
@@ -329,10 +400,11 @@
@@ -329,10 +402,11 @@
# var/lib files for spamd
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@ -22328,7 +22696,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
kernel_read_all_sysctls(spamd_t)
@@ -382,22 +454,27 @@
@@ -382,22 +456,27 @@
init_dontaudit_rw_utmp(spamd_t)
@ -22360,7 +22728,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_manage_cifs_files(spamd_t)
')
@@ -415,6 +492,7 @@
@@ -415,6 +494,7 @@
optional_policy(`
dcc_domtrans_client(spamd_t)
@ -22368,7 +22736,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dcc_stream_connect_dccifd(spamd_t)
')
@@ -424,10 +502,6 @@
@@ -424,10 +504,6 @@
')
optional_policy(`
@ -22379,7 +22747,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
postfix_read_config(spamd_t)
')
@@ -442,6 +516,10 @@
@@ -442,6 +518,10 @@
optional_policy(`
razor_domtrans(spamd_t)
@ -22390,7 +22758,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -454,5 +532,9 @@
@@ -454,5 +534,9 @@
')
optional_policy(`
@ -23312,8 +23680,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/log/ulogd(/.*)? gen_context(system_u:object_r:ulogd_var_log_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.if serefpolicy-3.6.12/policy/modules/services/ulogd.if
--- nsaserefpolicy/policy/modules/services/ulogd.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/ulogd.if 2009-04-23 09:44:57.000000000 -0400
@@ -0,0 +1,127 @@
+++ serefpolicy-3.6.12/policy/modules/services/ulogd.if 2009-04-30 08:29:56.000000000 -0400
@@ -0,0 +1,146 @@
+## <summary>policy for ulogd</summary>
+
+########################################
@ -23378,6 +23746,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ read_files_pattern($1, ulogd_var_log_t, ulogd_var_log_t)
+')
+
+#######################################
+## <summary>
+## Allow the specified domain to search ulogd's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ulogd_search_log',`
+ gen_require(`
+ type ulogd_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 ulogd_var_log_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append to ulogd's log files.
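Review bot: The `<param name="domain">` summary of the new `ulogd_search_log` interface says "Domain allowed to transition.", wording copied from a domtrans interface, but the body only grants `logging_search_logs($1)` and `search_dir_perms` on `ulogd_var_log_t` and performs no transition; it should read `## Domain allowed access.`, as the read and admin interfaces added elsewhere in this commit phrase it.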
@ -23693,7 +24080,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te
|
||||
--- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-04-27 11:40:19.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-04-30 18:07:51.000000000 -0400
|
||||
@@ -8,19 +8,24 @@
|
||||
|
||||
## <desc>
|
||||
@ -23905,11 +24292,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -198,5 +272,80 @@
|
||||
')
|
||||
@@ -195,8 +269,84 @@
|
||||
|
||||
optional_policy(`
|
||||
- unconfined_domain(virtd_t)
|
||||
xen_stream_connect(virtd_t)
|
||||
xen_stream_connect_xenstore(virtd_t)
|
||||
+ xen_read_image_files(virtd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ udev_domtrans(virtd_t)
|
||||
+')
|
||||
+
|
||||
@ -23982,9 +24372,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
+optional_policy(`
|
||||
+ xen_rw_image_files(svirt_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- unconfined_domain(virtd_t)
|
||||
+ xen_rw_image_files(svirt_t)
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.6.12/policy/modules/services/w3c.te
|
||||
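Review bot: `xen_rw_image_files(svirt_t)` in this hunk appears to give the confined guest domain read/write access to every file labeled `xen_image_t`, which is one shared type rather than a per-guest label, so a compromised guest would be able to modify the disk images of other guests on the host; that undercuts the per-guest separation that confining guests as `svirt_t` is meant to provide. Because the outer diff markers are lost in this rendering, I cannot tell whether this line is being added or only moved, but on the new side it is present. If the Xen driver needs guests to reach images it does not relabel, consider restricting this to images carrying a per-guest label or gating it behind a tunable with a `## <desc>` block that names the cross-guest exposure, rather than an unconditional `optional_policy` rule. Dropping `unconfined_domain(virtd_t)` in the same hunk is the right direction and makes this remaining broad grant more conspicuous.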
@ -24081,7 +24472,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.12/policy/modules/services/xserver.if
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.if 2009-01-05 15:39:43.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/xserver.if 2009-04-23 09:44:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/xserver.if 2009-04-30 17:44:47.000000000 -0400
|
||||
@@ -90,7 +90,7 @@
|
||||
allow $2 xauth_home_t:file manage_file_perms;
|
||||
allow $2 xauth_home_t:file { relabelfrom relabelto };
|
||||
@ -26711,8 +27102,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dev_read_urand(racoon_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.12/policy/modules/system/iptables.fc
|
||||
--- nsaserefpolicy/policy/modules/system/iptables.fc 2009-04-06 12:42:08.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/iptables.fc 2009-04-23 09:44:57.000000000 -0400
|
||||
@@ -1,9 +1,12 @@
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/iptables.fc 2009-04-30 08:29:56.000000000 -0400
|
||||
@@ -1,9 +1,11 @@
|
||||
/sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
-/sbin/iptables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
@ -26727,7 +27118,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
+/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
|
||||
/var/lib/shorewall(/.*)? -- gen_context(system_u:object_r:iptables_var_run_t,s0)
|
||||
-/var/lib/shorewall(/.*)? -- gen_context(system_u:object_r:iptables_var_run_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.12/policy/modules/system/iptables.te
|
||||
--- nsaserefpolicy/policy/modules/system/iptables.te 2009-04-06 12:42:08.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/iptables.te 2009-04-23 09:44:57.000000000 -0400
|
||||
@ -28774,7 +29165,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.12/policy/modules/system/sysnetwork.if
|
||||
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2009-01-19 11:07:34.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/sysnetwork.if 2009-04-23 09:44:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/sysnetwork.if 2009-04-30 18:03:37.000000000 -0400
|
||||
@@ -43,6 +43,39 @@
|
||||
|
||||
sysnet_domtrans_dhcpc($1)
|
||||
@ -28945,7 +29336,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.12/policy/modules/system/sysnetwork.te
|
||||
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2009-01-19 11:07:34.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/sysnetwork.te 2009-04-23 09:44:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/sysnetwork.te 2009-04-30 18:03:46.000000000 -0400
|
||||
@@ -20,6 +20,9 @@
|
||||
init_daemon_domain(dhcpc_t,dhcpc_exec_t)
|
||||
role system_r types dhcpc_t;
|
||||
@ -28983,16 +29374,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
manage_files_pattern(dhcpc_t,dhcpc_state_t,dhcpc_state_t)
|
||||
filetrans_pattern(dhcpc_t,dhcp_state_t,dhcpc_state_t,file)
|
||||
|
||||
@@ -65,7 +69,7 @@
|
||||
@@ -65,7 +69,8 @@
|
||||
|
||||
# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
|
||||
# in /etc created by dhcpcd will be labelled net_conf_t.
|
||||
-allow dhcpc_t net_conf_t:file manage_file_perms;
|
||||
+sysnet_manage_config(dhcpc_t)
|
||||
+allow dhcpc_t net_conf_t:file relabel_file_perms;
|
||||
files_etc_filetrans(dhcpc_t,net_conf_t,file)
|
||||
|
||||
# create temp files
|
||||
@@ -116,7 +120,7 @@
|
||||
@@ -116,7 +121,7 @@
|
||||
corecmd_exec_shell(dhcpc_t)
|
||||
|
||||
domain_use_interactive_fds(dhcpc_t)
|
||||
@ -29001,7 +29393,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
files_read_etc_files(dhcpc_t)
|
||||
files_read_etc_runtime_files(dhcpc_t)
|
||||
@@ -183,25 +187,23 @@
|
||||
@@ -183,25 +188,23 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -29035,7 +29427,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -212,6 +214,7 @@
|
||||
@@ -212,6 +215,7 @@
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(dhcpc_t)
|
||||
seutil_dontaudit_search_config(dhcpc_t)
|
||||
@ -29043,7 +29435,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -223,6 +226,10 @@
|
||||
@@ -223,6 +227,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -29054,7 +29446,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
kernel_read_xen_state(dhcpc_t)
|
||||
kernel_write_xen_state(dhcpc_t)
|
||||
xen_append_log(dhcpc_t)
|
||||
@@ -236,7 +243,6 @@
|
||||
@@ -236,7 +244,6 @@
|
||||
|
||||
allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
|
||||
allow ifconfig_t self:capability { net_raw net_admin sys_tty_config };
|
||||
@ -29062,7 +29454,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
allow ifconfig_t self:fd use;
|
||||
allow ifconfig_t self:fifo_file rw_fifo_file_perms;
|
||||
@@ -250,6 +256,7 @@
|
||||
@@ -250,6 +257,7 @@
|
||||
allow ifconfig_t self:sem create_sem_perms;
|
||||
allow ifconfig_t self:msgq create_msgq_perms;
|
||||
allow ifconfig_t self:msg { send receive };
|
||||
@ -29070,7 +29462,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# Create UDP sockets, necessary when called from dhcpc
|
||||
allow ifconfig_t self:udp_socket create_socket_perms;
|
||||
@@ -259,13 +266,20 @@
|
||||
@@ -259,13 +267,20 @@
|
||||
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
|
||||
allow ifconfig_t self:tcp_socket { create ioctl };
|
||||
@ -29091,7 +29483,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
corenet_rw_tun_tap_dev(ifconfig_t)
|
||||
|
||||
@@ -276,8 +290,13 @@
|
||||
@@ -276,8 +291,13 @@
|
||||
fs_getattr_xattr_fs(ifconfig_t)
|
||||
fs_search_auto_mountpoints(ifconfig_t)
|
||||
|
||||
@ -29105,7 +29497,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
domain_use_interactive_fds(ifconfig_t)
|
||||
|
||||
@@ -296,6 +315,8 @@
|
||||
@@ -296,6 +316,8 @@
|
||||
|
||||
seutil_use_runinit_fds(ifconfig_t)
|
||||
|
||||
@ -29114,7 +29506,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
userdom_use_user_terminals(ifconfig_t)
|
||||
userdom_use_all_users_fds(ifconfig_t)
|
||||
|
||||
@@ -332,6 +353,14 @@
|
||||
@@ -332,6 +354,14 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -32215,8 +32607,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.6.12/policy/modules/system/xen.if
|
||||
--- nsaserefpolicy/policy/modules/system/xen.if 2009-01-05 15:39:43.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/xen.if 2009-04-23 09:44:57.000000000 -0400
|
||||
@@ -167,11 +167,14 @@
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/xen.if 2009-04-30 18:08:14.000000000 -0400
|
||||
@@ -71,6 +71,8 @@
|
||||
')
|
||||
|
||||
files_list_var_lib($1)
|
||||
+
|
||||
+ list_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)
|
||||
read_files_pattern($1,{ xend_var_lib_t xen_image_t },xen_image_t)
|
||||
')
|
||||
|
||||
@@ -167,11 +169,14 @@
|
||||
#
|
||||
interface(`xen_stream_connect',`
|
||||
gen_require(`
|
||||
@ -32232,7 +32633,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -191,3 +194,46 @@
|
||||
@@ -191,3 +196,46 @@
|
||||
|
||||
domtrans_pattern($1,xm_exec_t,xm_t)
|
||||
')
|
||||
@ -32571,7 +32972,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.12/policy/support/obj_perm_sets.spt
|
||||
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2009-03-12 11:16:47.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/support/obj_perm_sets.spt 2009-04-23 09:44:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/support/obj_perm_sets.spt 2009-04-30 18:02:45.000000000 -0400
|
||||
@@ -225,7 +225,7 @@
|
||||
define(`create_lnk_file_perms',`{ create getattr }')
|
||||
define(`rename_lnk_file_perms',`{ getattr rename }')
|
||||
|
@ -20,7 +20,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.6.12
|
||||
Release: 25%{?dist}
|
||||
Release: 26%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -480,7 +480,10 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Apr 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-25
|
||||
* Thu Apr 30 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-26
|
||||
- Add shorewall policy
|
||||
|
||||
* Wed Apr 29 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-25
|
||||
- Additional rules for fprintd and sssd
|
||||
|
||||
* Tue Apr 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-24
|
||||
|