- Fixes for nsplugin
parent
60c693e546
commit
380f3cb7b1
@ -4528,7 +4528,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp
|
|||||||
########################################
|
########################################
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.2.6/policy/modules/apps/vmware.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.2.6/policy/modules/apps/vmware.fc
|
||||||
--- nsaserefpolicy/policy/modules/apps/vmware.fc 2007-10-12 08:56:02.000000000 -0400
|
--- nsaserefpolicy/policy/modules/apps/vmware.fc 2007-10-12 08:56:02.000000000 -0400
|
||||||
+++ serefpolicy-3.2.6/policy/modules/apps/vmware.fc 2008-02-01 16:01:42.000000000 -0500
|
+++ serefpolicy-3.2.6/policy/modules/apps/vmware.fc 2008-02-04 10:23:03.000000000 -0500
|
||||||
@@ -1,9 +1,9 @@
|
@@ -1,9 +1,9 @@
|
||||||
#
|
#
|
||||||
# HOME_DIR/
|
# HOME_DIR/
|
||||||
@ -4568,11 +4568,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.f
|
|||||||
|
|
||||||
ifdef(`distro_gentoo',`
|
ifdef(`distro_gentoo',`
|
||||||
/opt/vmware/workstation/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
|
/opt/vmware/workstation/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
|
||||||
@@ -49,3 +55,4 @@
|
@@ -49,3 +55,6 @@
|
||||||
/opt/vmware/workstation/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0)
|
/opt/vmware/workstation/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0)
|
||||||
/opt/vmware/workstation/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0)
|
/opt/vmware/workstation/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0)
|
||||||
')
|
')
|
||||||
+/var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0)
|
+/var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0)
|
||||||
|
+/var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0)
|
||||||
|
+/var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.2.6/policy/modules/apps/vmware.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.2.6/policy/modules/apps/vmware.if
|
||||||
--- nsaserefpolicy/policy/modules/apps/vmware.if 2007-02-19 11:32:52.000000000 -0500
|
--- nsaserefpolicy/policy/modules/apps/vmware.if 2007-02-19 11:32:52.000000000 -0500
|
||||||
+++ serefpolicy-3.2.6/policy/modules/apps/vmware.if 2008-02-01 16:01:42.000000000 -0500
|
+++ serefpolicy-3.2.6/policy/modules/apps/vmware.if 2008-02-01 16:01:42.000000000 -0500
|
||||||
@ -4747,7 +4749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te
|
|||||||
')
|
')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.2.6/policy/modules/kernel/corecommands.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.2.6/policy/modules/kernel/corecommands.fc
|
||||||
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-12-12 11:35:27.000000000 -0500
|
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-12-12 11:35:27.000000000 -0500
|
||||||
+++ serefpolicy-3.2.6/policy/modules/kernel/corecommands.fc 2008-02-01 16:01:42.000000000 -0500
|
+++ serefpolicy-3.2.6/policy/modules/kernel/corecommands.fc 2008-02-04 11:10:30.000000000 -0500
|
||||||
@@ -7,11 +7,11 @@
|
@@ -7,11 +7,11 @@
|
||||||
/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
|
/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||||
/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
|
/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||||
@ -4799,13 +4801,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
|
|||||||
|
|
||||||
/usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
@@ -284,3 +291,6 @@
|
@@ -284,3 +291,7 @@
|
||||||
ifdef(`distro_suse',`
|
ifdef(`distro_suse',`
|
||||||
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
|
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
|
||||||
')
|
')
|
||||||
+/usr/lib(64)?/nspluginwrapper/npconfig gen_context(system_u:object_r:bin_t,s0)
|
+/usr/lib(64)?/nspluginwrapper/npconfig gen_context(system_u:object_r:bin_t,s0)
|
||||||
+/usr/lib(64)?/nspluginwrapper/npviewer gen_context(system_u:object_r:bin_t,s0)
|
+/usr/lib(64)?/nspluginwrapper/npviewer gen_context(system_u:object_r:bin_t,s0)
|
||||||
+
|
+
|
||||||
|
+/usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.2.6/policy/modules/kernel/corecommands.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.2.6/policy/modules/kernel/corecommands.if
|
||||||
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2007-11-14 08:17:58.000000000 -0500
|
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2007-11-14 08:17:58.000000000 -0500
|
||||||
+++ serefpolicy-3.2.6/policy/modules/kernel/corecommands.if 2008-02-01 16:01:42.000000000 -0500
|
+++ serefpolicy-3.2.6/policy/modules/kernel/corecommands.if 2008-02-01 16:01:42.000000000 -0500
|
||||||
@ -5457,7 +5460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.2.6/policy/modules/kernel/files.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.2.6/policy/modules/kernel/files.if
|
||||||
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-29 18:02:31.000000000 -0400
|
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-29 18:02:31.000000000 -0400
|
||||||
+++ serefpolicy-3.2.6/policy/modules/kernel/files.if 2008-02-01 16:01:42.000000000 -0500
|
+++ serefpolicy-3.2.6/policy/modules/kernel/files.if 2008-02-04 12:03:13.000000000 -0500
|
||||||
@@ -1266,6 +1266,24 @@
|
@@ -1266,6 +1266,24 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -6109,7 +6112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0)
|
+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.2.6/policy/modules/services/apache.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.2.6/policy/modules/services/apache.if
|
||||||
--- nsaserefpolicy/policy/modules/services/apache.if 2007-10-23 17:17:42.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/apache.if 2007-10-23 17:17:42.000000000 -0400
|
||||||
+++ serefpolicy-3.2.6/policy/modules/services/apache.if 2008-02-01 16:48:52.000000000 -0500
|
+++ serefpolicy-3.2.6/policy/modules/services/apache.if 2008-02-04 10:16:22.000000000 -0500
|
||||||
@@ -18,10 +18,6 @@
|
@@ -18,10 +18,6 @@
|
||||||
attribute httpd_script_exec_type;
|
attribute httpd_script_exec_type;
|
||||||
type httpd_t, httpd_suexec_t, httpd_log_t;
|
type httpd_t, httpd_suexec_t, httpd_log_t;
|
||||||
@ -8205,16 +8208,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.2.6/policy/modules/services/consolekit.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.2.6/policy/modules/services/consolekit.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/consolekit.fc 2007-10-12 08:56:07.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/consolekit.fc 2007-10-12 08:56:07.000000000 -0400
|
||||||
+++ serefpolicy-3.2.6/policy/modules/services/consolekit.fc 2008-02-01 16:01:42.000000000 -0500
|
+++ serefpolicy-3.2.6/policy/modules/services/consolekit.fc 2008-02-04 11:46:55.000000000 -0500
|
||||||
@@ -1,3 +1,5 @@
|
@@ -1,3 +1,5 @@
|
||||||
/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
|
/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
|
||||||
|
|
||||||
/var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
|
/var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
|
||||||
+
|
+
|
||||||
+/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0)
|
+/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0)
|
||||||
|
Binary files nsaserefpolicy/policy/modules/services/consolekit.pp and serefpolicy-3.2.6/policy/modules/services/consolekit.pp differ
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.2.6/policy/modules/services/consolekit.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.2.6/policy/modules/services/consolekit.te
|
||||||
--- nsaserefpolicy/policy/modules/services/consolekit.te 2007-12-19 05:32:17.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/consolekit.te 2007-12-19 05:32:17.000000000 -0500
|
||||||
+++ serefpolicy-3.2.6/policy/modules/services/consolekit.te 2008-02-01 22:35:15.000000000 -0500
|
+++ serefpolicy-3.2.6/policy/modules/services/consolekit.te 2008-02-04 11:52:57.000000000 -0500
|
||||||
@@ -13,6 +13,9 @@
|
@@ -13,6 +13,9 @@
|
||||||
type consolekit_var_run_t;
|
type consolekit_var_run_t;
|
||||||
files_pid_file(consolekit_var_run_t)
|
files_pid_file(consolekit_var_run_t)
|
||||||
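Review bot: `/var/log/ConsoleKit(/.*)?` in this consolekit.fc hunk is labelled `consolekit_var_run_t`, the pid-file type, so ConsoleKit's persistent session history under /var/log is declared as runtime state: it becomes reachable through every pid-file interface, is invisible to the log-file interfaces (logrotate, log readers), and the only declaration attached to the type in the .te hunk below is `files_pid_file()`. Declare a dedicated `consolekit_log_t` with `logging_log_file(consolekit_log_t)`, label the directory with it, and give consolekit_t a manage pattern plus a `logging_log_filetrans` for it instead of reusing the pid type. The new `Binary files ... consolekit.pp differ` line also suggests a compiled policy package is sitting in the tree being diffed; that build artifact should be cleaned out rather than appear in the patch.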
@ -8225,7 +8229,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# consolekit local policy
|
# consolekit local policy
|
||||||
@@ -24,6 +27,9 @@
|
@@ -24,20 +27,26 @@
|
||||||
allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
|
allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
allow consolekit_t self:unix_dgram_socket create_socket_perms;
|
allow consolekit_t self:unix_dgram_socket create_socket_perms;
|
||||||
|
|
||||||
@ -8235,7 +8239,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
|
|||||||
manage_files_pattern(consolekit_t,consolekit_var_run_t,consolekit_var_run_t)
|
manage_files_pattern(consolekit_t,consolekit_var_run_t,consolekit_var_run_t)
|
||||||
files_pid_filetrans(consolekit_t,consolekit_var_run_t, file)
|
files_pid_filetrans(consolekit_t,consolekit_var_run_t, file)
|
||||||
|
|
||||||
@@ -36,8 +42,10 @@
|
kernel_read_system_state(consolekit_t)
|
||||||
|
|
||||||
|
corecmd_exec_bin(consolekit_t)
|
||||||
|
+corecmd_exec_shell(consolekit_t)
|
||||||
|
|
||||||
|
dev_read_urand(consolekit_t)
|
||||||
|
dev_read_sysfs(consolekit_t)
|
||||||
|
|
||||||
domain_read_all_domains_state(consolekit_t)
|
domain_read_all_domains_state(consolekit_t)
|
||||||
domain_use_interactive_fds(consolekit_t)
|
domain_use_interactive_fds(consolekit_t)
|
||||||
@ -8246,7 +8256,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
|
|||||||
# needs to read /var/lib/dbus/machine-id
|
# needs to read /var/lib/dbus/machine-id
|
||||||
files_read_var_lib_files(consolekit_t)
|
files_read_var_lib_files(consolekit_t)
|
||||||
|
|
||||||
@@ -50,12 +58,25 @@
|
@@ -47,15 +56,31 @@
|
||||||
|
|
||||||
|
auth_use_nsswitch(consolekit_t)
|
||||||
|
|
||||||
|
+init_telinit(consolekit_t)
|
||||||
|
+init_rw_utmp(consolekit_t)
|
||||||
|
+
|
||||||
libs_use_ld_so(consolekit_t)
|
libs_use_ld_so(consolekit_t)
|
||||||
libs_use_shared_libs(consolekit_t)
|
libs_use_shared_libs(consolekit_t)
|
||||||
|
|
||||||
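Review bot: `init_telinit(consolekit_t)` in this consolekit.te hunk lets the ConsoleKit daemon invoke telinit, i.e. change runlevel and halt or reboot the host, and nothing in the hunk records which ConsoleKit feature needs that. Presumably it is the Stop/Restart D-Bus methods whose helper scripts are labelled bin_t under `/usr/lib(64)?/ConsoleKit/scripts` elsewhere in this commit, but that should be written down so the grant is not kept by inertia once those helpers change. Add a why-comment above the call, e.g. `# Stop/Restart D-Bus methods run telinit via ck-system-stop/-restart -- TODO confirm`, and check that a PolicyKit decision gates those methods before the daemon reaches telinit. The consolekit_t section continues in later hunks.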
@ -8273,17 +8289,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
|
|||||||
hal_dbus_chat(consolekit_t)
|
hal_dbus_chat(consolekit_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -64,6 +85,32 @@
|
@@ -64,6 +89,33 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
+ polkit_domtrans_auth(consolekit_t)
|
+ polkit_domtrans_auth(consolekit_t)
|
||||||
|
+ polkit_search_lib(consolekit_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
xserver_read_all_users_xauth(consolekit_t)
|
xserver_read_all_users_xauth(consolekit_t)
|
||||||
xserver_stream_connect_xdm_xserver(consolekit_t)
|
xserver_stream_connect_xdm_xserver(consolekit_t)
|
||||||
')
|
+ xserver_ptrace_xdm(consolekit_t)
|
||||||
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ #reading .Xauthity
|
+ #reading .Xauthity
|
||||||
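Review bot: `xserver_ptrace_xdm(consolekit_t)` in this hunk is an unconditional `allow` of ptrace on xdm_t (the interface body later in the commit is `allow $1 xdm_t:process ptrace;`), which would let a compromised ConsoleKit read and rewrite the memory of the display manager that, per the xserver.te hunk below, also holds setuid, setgid, dac_override and sys_rawio. If the rule only exists to silence an AVC from a probe, a dontaudit interface is the right tool; if ConsoleKit genuinely traces the display manager, name the code path that does it. Either way put a one-line justification next to the call, e.g. `# TODO(review): ptrace of xdm_t -- use a dontaudit unless ConsoleKit really traces gdm`. The optional_policy block is complete inside this hunk.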
@ -8298,14 +8316,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
|
|||||||
+tunable_policy(`use_nfs_home_dirs',`
|
+tunable_policy(`use_nfs_home_dirs',`
|
||||||
+ fs_dontaudit_list_nfs(consolekit_t)
|
+ fs_dontaudit_list_nfs(consolekit_t)
|
||||||
+ fs_dontaudit_rw_nfs_files(consolekit_t)
|
+ fs_dontaudit_rw_nfs_files(consolekit_t)
|
||||||
+')
|
')
|
||||||
+
|
+
|
||||||
+tunable_policy(`use_samba_home_dirs',`
|
+tunable_policy(`use_samba_home_dirs',`
|
||||||
+ fs_dontaudit_list_cifs(consolekit_t)
|
+ fs_dontaudit_list_cifs(consolekit_t)
|
||||||
+ fs_dontaudit_rw_cifs_files(consolekit_t)
|
+ fs_dontaudit_rw_cifs_files(consolekit_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+
|
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.2.6/policy/modules/services/cron.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.2.6/policy/modules/services/cron.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/cron.fc 2006-11-16 17:15:21.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/cron.fc 2006-11-16 17:15:21.000000000 -0500
|
||||||
+++ serefpolicy-3.2.6/policy/modules/services/cron.fc 2008-02-01 16:01:42.000000000 -0500
|
+++ serefpolicy-3.2.6/policy/modules/services/cron.fc 2008-02-01 16:01:42.000000000 -0500
|
||||||
@ -12652,7 +12669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
|||||||
## </summary>
|
## </summary>
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.6/policy/modules/services/mta.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.6/policy/modules/services/mta.te
|
||||||
--- nsaserefpolicy/policy/modules/services/mta.te 2007-12-19 05:32:17.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/mta.te 2007-12-19 05:32:17.000000000 -0500
|
||||||
+++ serefpolicy-3.2.6/policy/modules/services/mta.te 2008-02-01 16:01:42.000000000 -0500
|
+++ serefpolicy-3.2.6/policy/modules/services/mta.te 2008-02-04 12:04:01.000000000 -0500
|
||||||
@@ -6,6 +6,8 @@
|
@@ -6,6 +6,8 @@
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
@ -12670,7 +12687,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
|||||||
|
|
||||||
mta_base_mail_template(system)
|
mta_base_mail_template(system)
|
||||||
role system_r types system_mail_t;
|
role system_r types system_mail_t;
|
||||||
@@ -37,30 +40,43 @@
|
@@ -37,30 +40,45 @@
|
||||||
#
|
#
|
||||||
|
|
||||||
# newalias required this, not sure if it is needed in 'if' file
|
# newalias required this, not sure if it is needed in 'if' file
|
||||||
@ -12679,6 +12696,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
|||||||
|
|
||||||
read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t)
|
read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t)
|
||||||
+read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type)
|
+read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type)
|
||||||
|
+
|
||||||
|
+files_read_all_tmp_files(system_mail_t)
|
||||||
|
|
||||||
kernel_read_system_state(system_mail_t)
|
kernel_read_system_state(system_mail_t)
|
||||||
kernel_read_network_state(system_mail_t)
|
kernel_read_network_state(system_mail_t)
|
||||||
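Review bot: `files_read_all_tmp_files(system_mail_t)` in this mta.te hunk lets the system mail sender read every tmp type in the policy, including temporary files of unrelated daemons and of users, which is far wider than the per-caller `cron_read_system_job_tmp_files(system_mail_t)` already present a few hunks further down; the sendmail.te hunk below adds the same catch-all to sendmail_t. Presumably some caller hands the MTA a message body in /tmp under its own tmp label, but the hunk does not say which, so the least-privilege fix is that caller's `<module>_read_tmp_files(system_mail_t)` interface inside an optional_policy block rather than read on all tmp types. At minimum document the trigger: `# TODO(review): which domain pipes a tmp file to the MTA? replace with that domain's *_read_tmp_files interface`.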
@ -12715,7 +12734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -73,6 +89,7 @@
|
@@ -73,6 +91,7 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
cron_read_system_job_tmp_files(system_mail_t)
|
cron_read_system_job_tmp_files(system_mail_t)
|
||||||
@ -12723,7 +12742,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
|||||||
cron_dontaudit_write_pipes(system_mail_t)
|
cron_dontaudit_write_pipes(system_mail_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -81,6 +98,11 @@
|
@@ -81,6 +100,11 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -12735,7 +12754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
|||||||
logrotate_read_tmp_files(system_mail_t)
|
logrotate_read_tmp_files(system_mail_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -136,11 +158,33 @@
|
@@ -136,11 +160,33 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -12753,7 +12772,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
|||||||
-# should break this up among sections:
|
-# should break this up among sections:
|
||||||
+init_stream_connect_script(mailserver_delivery)
|
+init_stream_connect_script(mailserver_delivery)
|
||||||
+init_rw_script_stream_sockets(mailserver_delivery)
|
+init_rw_script_stream_sockets(mailserver_delivery)
|
||||||
+
|
|
||||||
+tunable_policy(`use_samba_home_dirs',`
|
+tunable_policy(`use_samba_home_dirs',`
|
||||||
+ fs_manage_cifs_dirs(mailserver_delivery)
|
+ fs_manage_cifs_dirs(mailserver_delivery)
|
||||||
+ fs_manage_cifs_files(mailserver_delivery)
|
+ fs_manage_cifs_files(mailserver_delivery)
|
||||||
@ -12765,12 +12784,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
|||||||
+ fs_manage_nfs_files(mailserver_delivery)
|
+ fs_manage_nfs_files(mailserver_delivery)
|
||||||
+ fs_manage_nfs_symlinks(mailserver_delivery)
|
+ fs_manage_nfs_symlinks(mailserver_delivery)
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
+# should break this up among sections:
|
+# should break this up among sections:
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
# why is mail delivered to a directory of type arpwatch_data_t?
|
# why is mail delivered to a directory of type arpwatch_data_t?
|
||||||
arpwatch_search_data(mailserver_delivery)
|
arpwatch_search_data(mailserver_delivery)
|
||||||
@@ -154,3 +198,4 @@
|
@@ -154,3 +200,4 @@
|
||||||
cron_read_system_job_tmp_files(mta_user_agent)
|
cron_read_system_job_tmp_files(mta_user_agent)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
@ -14377,8 +14396,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
|
|||||||
+/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0)
|
+/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.2.6/policy/modules/services/polkit.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.2.6/policy/modules/services/polkit.if
|
||||||
--- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.2.6/policy/modules/services/polkit.if 2008-02-01 16:01:42.000000000 -0500
|
+++ serefpolicy-3.2.6/policy/modules/services/polkit.if 2008-02-04 11:48:36.000000000 -0500
|
||||||
@@ -0,0 +1,59 @@
|
@@ -0,0 +1,62 @@
|
||||||
+
|
+
|
||||||
+## <summary>policy for polkit_auth</summary>
|
+## <summary>policy for polkit_auth</summary>
|
||||||
+
|
+
|
||||||
@ -14437,6 +14456,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
|
|||||||
+
|
+
|
||||||
+ files_search_var_lib($1)
|
+ files_search_var_lib($1)
|
||||||
+ read_files_pattern($1, polkit_var_lib_t, polkit_var_lib_t)
|
+ read_files_pattern($1, polkit_var_lib_t, polkit_var_lib_t)
|
||||||
|
+
|
||||||
|
+ # Broken placement
|
||||||
|
+ cron_read_system_job_lib_files($1)
|
||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.2.6/policy/modules/services/polkit.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.2.6/policy/modules/services/polkit.te
|
||||||
--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
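Review bot: `cron_read_system_job_lib_files($1)` in this polkit.if hunk is already marked `# Broken placement` by the author and should not ship that way: a cron interface called unconditionally from a polkit interface makes every user of this interface depend on the cron module at link time and hands cron job lib-file read access to any domain that merely wants to search PolicyKit's /var/lib data. Move the call to the consumer, which from the earlier hunk appears to be consolekit.te's `polkit_search_lib(consolekit_t)` caller, as `cron_read_system_job_lib_files(consolekit_t)` inside an optional_policy block there, and drop both lines here. The interface whose body this is opens before the hunk.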
@ -17750,7 +17772,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.2.6/policy/modules/services/sendmail.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.2.6/policy/modules/services/sendmail.te
|
||||||
--- nsaserefpolicy/policy/modules/services/sendmail.te 2007-12-19 05:32:17.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/sendmail.te 2007-12-19 05:32:17.000000000 -0500
|
||||||
+++ serefpolicy-3.2.6/policy/modules/services/sendmail.te 2008-02-01 16:01:42.000000000 -0500
|
+++ serefpolicy-3.2.6/policy/modules/services/sendmail.te 2008-02-04 12:03:27.000000000 -0500
|
||||||
@@ -20,13 +20,17 @@
|
@@ -20,13 +20,17 @@
|
||||||
mta_mailserver_delivery(sendmail_t)
|
mta_mailserver_delivery(sendmail_t)
|
||||||
mta_mailserver_sender(sendmail_t)
|
mta_mailserver_sender(sendmail_t)
|
||||||
@ -17779,7 +17801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
|
|||||||
|
|
||||||
corenet_all_recvfrom_unlabeled(sendmail_t)
|
corenet_all_recvfrom_unlabeled(sendmail_t)
|
||||||
corenet_all_recvfrom_netlabel(sendmail_t)
|
corenet_all_recvfrom_netlabel(sendmail_t)
|
||||||
@@ -69,10 +74,12 @@
|
@@ -69,13 +74,16 @@
|
||||||
|
|
||||||
# for piping mail to a command
|
# for piping mail to a command
|
||||||
corecmd_exec_shell(sendmail_t)
|
corecmd_exec_shell(sendmail_t)
|
||||||
@ -17792,7 +17814,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
|
|||||||
files_search_spool(sendmail_t)
|
files_search_spool(sendmail_t)
|
||||||
# for piping mail to a command
|
# for piping mail to a command
|
||||||
files_read_etc_runtime_files(sendmail_t)
|
files_read_etc_runtime_files(sendmail_t)
|
||||||
@@ -97,20 +104,35 @@
|
+files_read_all_tmp_files(sendmail_t)
|
||||||
|
|
||||||
|
init_use_fds(sendmail_t)
|
||||||
|
init_use_script_ptys(sendmail_t)
|
||||||
|
@@ -97,20 +105,35 @@
|
||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
|
userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
|
||||||
userdom_dontaudit_search_sysadm_home_dirs(sendmail_t)
|
userdom_dontaudit_search_sysadm_home_dirs(sendmail_t)
|
||||||
@ -17829,7 +17855,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
|
|||||||
postfix_exec_master(sendmail_t)
|
postfix_exec_master(sendmail_t)
|
||||||
postfix_read_config(sendmail_t)
|
postfix_read_config(sendmail_t)
|
||||||
postfix_search_spool(sendmail_t)
|
postfix_search_spool(sendmail_t)
|
||||||
@@ -118,6 +140,7 @@
|
@@ -118,6 +141,7 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
procmail_domtrans(sendmail_t)
|
procmail_domtrans(sendmail_t)
|
||||||
@ -17837,7 +17863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -125,24 +148,25 @@
|
@@ -125,24 +149,25 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -20191,7 +20217,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.6/policy/modules/services/xserver.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.6/policy/modules/services/xserver.if
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500
|
||||||
+++ serefpolicy-3.2.6/policy/modules/services/xserver.if 2008-02-01 16:01:42.000000000 -0500
|
+++ serefpolicy-3.2.6/policy/modules/services/xserver.if 2008-02-04 11:52:35.000000000 -0500
|
||||||
@@ -15,6 +15,7 @@
|
@@ -15,6 +15,7 @@
|
||||||
template(`xserver_common_domain_template',`
|
template(`xserver_common_domain_template',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -20393,16 +20419,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
- manage_dirs_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t)
|
- manage_dirs_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t)
|
||||||
- manage_files_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t)
|
- manage_files_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t)
|
||||||
- files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir })
|
- files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir })
|
||||||
|
-
|
||||||
|
- domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
|
||||||
+ domtrans_pattern($2, xauth_exec_t, xauth_t)
|
+ domtrans_pattern($2, xauth_exec_t, xauth_t)
|
||||||
|
|
||||||
- domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
|
|
||||||
-
|
|
||||||
- allow $2 $1_xauth_t:process signal;
|
- allow $2 $1_xauth_t:process signal;
|
||||||
+ allow $2 xauth_t:process signal;
|
+ allow $2 xauth_t:process signal;
|
||||||
|
|
||||||
# allow ps to show xauth
|
# allow ps to show xauth
|
||||||
- ps_process_pattern($2,$1_xauth_t)
|
- ps_process_pattern($2,$1_xauth_t)
|
||||||
-
|
+ ps_process_pattern($2,xauth_t)
|
||||||
|
|
||||||
- allow $2 $1_xauth_home_t:file manage_file_perms;
|
- allow $2 $1_xauth_home_t:file manage_file_perms;
|
||||||
- allow $2 $1_xauth_home_t:file { relabelfrom relabelto };
|
- allow $2 $1_xauth_home_t:file { relabelfrom relabelto };
|
||||||
-
|
-
|
||||||
@ -20416,8 +20443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
-
|
-
|
||||||
- fs_getattr_xattr_fs($1_xauth_t)
|
- fs_getattr_xattr_fs($1_xauth_t)
|
||||||
- fs_search_auto_mountpoints($1_xauth_t)
|
- fs_search_auto_mountpoints($1_xauth_t)
|
||||||
+ ps_process_pattern($2,xauth_t)
|
-
|
||||||
|
|
||||||
- # cjp: why?
|
- # cjp: why?
|
||||||
- term_use_ptmx($1_xauth_t)
|
- term_use_ptmx($1_xauth_t)
|
||||||
-
|
-
|
||||||
@ -20847,7 +20873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1312,3 +1411,45 @@
|
@@ -1312,3 +1411,63 @@
|
||||||
files_search_tmp($1)
|
files_search_tmp($1)
|
||||||
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
|
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
|
||||||
')
|
')
|
||||||
@ -20893,9 +20919,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
+
|
+
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Ptrace XDM
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain to not audit
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`xserver_ptrace_xdm',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type xdm_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 xdm_t:process ptrace;
|
||||||
|
+')
|
||||||
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.2.6/policy/modules/services/xserver.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.2.6/policy/modules/services/xserver.te
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500
|
||||||
+++ serefpolicy-3.2.6/policy/modules/services/xserver.te 2008-02-01 16:01:42.000000000 -0500
|
+++ serefpolicy-3.2.6/policy/modules/services/xserver.te 2008-02-04 11:50:03.000000000 -0500
|
||||||
@@ -16,6 +16,13 @@
|
@@ -16,6 +16,13 @@
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
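Review bot: the new `xserver_ptrace_xdm` interface documents its parameter as `Domain to not audit` while its body is `allow $1 xdm_t:process ptrace;`, so the generated interface documentation will describe a dontaudit that does not exist. Change the param summary to `Domain allowed access.` and the interface summary to `Ptrace the XDM display manager domain (xdm_t).`, or, if callers only need AVC noise suppressed, rename it `xserver_dontaudit_ptrace_xdm` and make the body a `dontaudit`. Because ptrace of the display manager is a strong privilege, the summary should also say which domain is expected to call it.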
@ -20970,18 +21014,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
xserver_common_domain_template(xdm)
|
xserver_common_domain_template(xdm)
|
||||||
init_system_domain(xdm_xserver_t,xserver_exec_t)
|
init_system_domain(xdm_xserver_t,xserver_exec_t)
|
||||||
|
|
||||||
@@ -95,8 +134,8 @@
|
@@ -95,8 +134,9 @@
|
||||||
# XDM Local policy
|
# XDM Local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
|
-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
|
||||||
-allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
|
-allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
|
||||||
+allow xdm_t self:capability { setgid setuid sys_ptrace sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
|
+allow xdm_t self:capability { setgid setuid sys_ptrace sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
|
||||||
+allow xdm_t self:process { setexec setpgid getsched ptrace setsched setrlimit signal_perms };
|
+allow xdm_t self:process { getattr setexec setpgid getsched ptrace setsched setrlimit signal_perms };
|
||||||
|
+
|
||||||
allow xdm_t self:fifo_file rw_fifo_file_perms;
|
allow xdm_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow xdm_t self:shm create_shm_perms;
|
allow xdm_t self:shm create_shm_perms;
|
||||||
allow xdm_t self:sem create_sem_perms;
|
allow xdm_t self:sem create_sem_perms;
|
||||||
@@ -109,6 +148,8 @@
|
@@ -109,6 +149,8 @@
|
||||||
allow xdm_t self:key { search link write };
|
allow xdm_t self:key { search link write };
|
||||||
|
|
||||||
allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
|
allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
|
||||||
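Review bot: The new side of this hunk leaves xdm_t with `sys_ptrace` in its self:capability set and `ptrace` in its self:process set with no comment saying which display-manager component needs them; only `getattr` is new in this revision, but the result is still a login daemon that holds the capability used to attach to and read other processes. Without a stated consumer a later maintainer cannot tell whether this is a requirement or an avc hit that should have been a dontaudit. I would add a line above the capability rule such as `# sys_ptrace/ptrace: required by <program> (bug reference) - confirm; if only probed, dontaudit instead` with the real program filled in. The xdm_t local policy section continues outside this hunk.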
@ -20990,7 +21035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
# Allow gdm to run gdm-binary
|
# Allow gdm to run gdm-binary
|
||||||
can_exec(xdm_t, xdm_exec_t)
|
can_exec(xdm_t, xdm_exec_t)
|
||||||
@@ -131,15 +172,22 @@
|
@@ -131,15 +173,22 @@
|
||||||
manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
|
manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
|
||||||
manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
|
manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
|
||||||
fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||||
@ -21014,7 +21059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
allow xdm_t xdm_xserver_t:process signal;
|
allow xdm_t xdm_xserver_t:process signal;
|
||||||
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
|
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
|
||||||
@@ -153,6 +201,7 @@
|
@@ -153,6 +202,7 @@
|
||||||
allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
|
allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
|
||||||
|
|
||||||
allow xdm_t xdm_xserver_t:shm rw_shm_perms;
|
allow xdm_t xdm_xserver_t:shm rw_shm_perms;
|
||||||
@ -21022,7 +21067,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
# connect to xdm xserver over stream socket
|
# connect to xdm xserver over stream socket
|
||||||
stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
|
stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
|
||||||
@@ -184,6 +233,7 @@
|
@@ -173,6 +223,8 @@
|
||||||
|
|
||||||
|
corecmd_exec_shell(xdm_t)
|
||||||
|
corecmd_exec_bin(xdm_t)
|
||||||
|
+# Uses DBUS
|
||||||
|
+corecmd_bin_entry_type(xdm_t)
|
||||||
|
|
||||||
|
corenet_all_recvfrom_unlabeled(xdm_t)
|
||||||
|
corenet_all_recvfrom_netlabel(xdm_t)
|
||||||
|
@@ -184,6 +236,7 @@
|
||||||
corenet_udp_sendrecv_all_ports(xdm_t)
|
corenet_udp_sendrecv_all_ports(xdm_t)
|
||||||
corenet_tcp_bind_all_nodes(xdm_t)
|
corenet_tcp_bind_all_nodes(xdm_t)
|
||||||
corenet_udp_bind_all_nodes(xdm_t)
|
corenet_udp_bind_all_nodes(xdm_t)
|
||||||
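Review bot: The comment `# Uses DBUS` does not describe the rule beneath it: `corecmd_bin_entry_type(xdm_t)` makes generic bin_t executables valid entry points into the xdm_t domain, which is a domain-entry relaxation rather than anything D-Bus specific. The note should name the script or binary that is executed from bin_t into xdm_t so the entry-point widening can be revisited if that program later gets its own exec type; something like `# <program> in bin_t is executed as an xdm_t entrypoint (dbus session startup) - confirm` would capture it. If the actual trigger is a D-Bus helper, it is presumably worth checking whether an existing dbus interface covers it instead.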
@ -21030,7 +21084,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
corenet_tcp_connect_all_ports(xdm_t)
|
corenet_tcp_connect_all_ports(xdm_t)
|
||||||
corenet_sendrecv_all_client_packets(xdm_t)
|
corenet_sendrecv_all_client_packets(xdm_t)
|
||||||
# xdm tries to bind to biff_port_t
|
# xdm tries to bind to biff_port_t
|
||||||
@@ -196,6 +246,7 @@
|
@@ -196,6 +249,7 @@
|
||||||
dev_getattr_mouse_dev(xdm_t)
|
dev_getattr_mouse_dev(xdm_t)
|
||||||
dev_setattr_mouse_dev(xdm_t)
|
dev_setattr_mouse_dev(xdm_t)
|
||||||
dev_rw_apm_bios(xdm_t)
|
dev_rw_apm_bios(xdm_t)
|
||||||
@ -21038,7 +21092,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
dev_setattr_apm_bios_dev(xdm_t)
|
dev_setattr_apm_bios_dev(xdm_t)
|
||||||
dev_rw_dri(xdm_t)
|
dev_rw_dri(xdm_t)
|
||||||
dev_rw_agp(xdm_t)
|
dev_rw_agp(xdm_t)
|
||||||
@@ -208,8 +259,8 @@
|
@@ -208,8 +262,8 @@
|
||||||
dev_setattr_video_dev(xdm_t)
|
dev_setattr_video_dev(xdm_t)
|
||||||
dev_getattr_scanner_dev(xdm_t)
|
dev_getattr_scanner_dev(xdm_t)
|
||||||
dev_setattr_scanner_dev(xdm_t)
|
dev_setattr_scanner_dev(xdm_t)
|
||||||
@ -21049,7 +21103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
dev_getattr_power_mgmt_dev(xdm_t)
|
dev_getattr_power_mgmt_dev(xdm_t)
|
||||||
dev_setattr_power_mgmt_dev(xdm_t)
|
dev_setattr_power_mgmt_dev(xdm_t)
|
||||||
|
|
||||||
@@ -226,6 +277,7 @@
|
@@ -226,6 +280,7 @@
|
||||||
files_read_usr_files(xdm_t)
|
files_read_usr_files(xdm_t)
|
||||||
# Poweroff wants to create the /poweroff file when run from xdm
|
# Poweroff wants to create the /poweroff file when run from xdm
|
||||||
files_create_boot_flag(xdm_t)
|
files_create_boot_flag(xdm_t)
|
||||||
@ -21057,7 +21111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
fs_getattr_all_fs(xdm_t)
|
fs_getattr_all_fs(xdm_t)
|
||||||
fs_search_auto_mountpoints(xdm_t)
|
fs_search_auto_mountpoints(xdm_t)
|
||||||
@@ -245,6 +297,7 @@
|
@@ -245,6 +300,7 @@
|
||||||
auth_domtrans_pam_console(xdm_t)
|
auth_domtrans_pam_console(xdm_t)
|
||||||
auth_manage_pam_pid(xdm_t)
|
auth_manage_pam_pid(xdm_t)
|
||||||
auth_manage_pam_console_data(xdm_t)
|
auth_manage_pam_console_data(xdm_t)
|
||||||
@ -21065,7 +21119,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
auth_rw_faillog(xdm_t)
|
auth_rw_faillog(xdm_t)
|
||||||
auth_write_login_records(xdm_t)
|
auth_write_login_records(xdm_t)
|
||||||
|
|
||||||
@@ -256,12 +309,11 @@
|
@@ -256,12 +312,11 @@
|
||||||
libs_exec_lib_files(xdm_t)
|
libs_exec_lib_files(xdm_t)
|
||||||
|
|
||||||
logging_read_generic_logs(xdm_t)
|
logging_read_generic_logs(xdm_t)
|
||||||
@ -21079,7 +21133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
|
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
|
||||||
userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
|
userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
|
||||||
userdom_create_all_users_keys(xdm_t)
|
userdom_create_all_users_keys(xdm_t)
|
||||||
@@ -270,6 +322,10 @@
|
@@ -270,6 +325,10 @@
|
||||||
# Search /proc for any user domain processes.
|
# Search /proc for any user domain processes.
|
||||||
userdom_read_all_users_state(xdm_t)
|
userdom_read_all_users_state(xdm_t)
|
||||||
userdom_signal_all_users(xdm_t)
|
userdom_signal_all_users(xdm_t)
|
||||||
@ -21090,7 +21144,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
|
xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
|
||||||
|
|
||||||
@@ -304,7 +360,16 @@
|
@@ -304,7 +363,16 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -21107,7 +21161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -322,6 +387,10 @@
|
@@ -322,6 +390,10 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -21118,7 +21172,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
loadkeys_exec(xdm_t)
|
loadkeys_exec(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -343,8 +412,8 @@
|
@@ -335,6 +407,11 @@
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
+ polkit_domtrans_auth(xdm_t)
|
||||||
|
+ polkit_read_lib(xdm_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
seutil_sigchld_newrole(xdm_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
@@ -343,8 +420,8 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -21128,7 +21194,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
ifndef(`distro_redhat',`
|
ifndef(`distro_redhat',`
|
||||||
allow xdm_t self:process { execheap execmem };
|
allow xdm_t self:process { execheap execmem };
|
||||||
@@ -380,7 +449,7 @@
|
@@ -380,7 +457,7 @@
|
||||||
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
|
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
|
||||||
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
|
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
|
||||||
|
|
||||||
@ -21137,7 +21203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
# Label pid and temporary files with derived types.
|
# Label pid and temporary files with derived types.
|
||||||
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
|
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
|
||||||
@@ -392,6 +461,15 @@
|
@@ -392,6 +469,15 @@
|
||||||
can_exec(xdm_xserver_t, xkb_var_lib_t)
|
can_exec(xdm_xserver_t, xkb_var_lib_t)
|
||||||
files_search_var_lib(xdm_xserver_t)
|
files_search_var_lib(xdm_xserver_t)
|
||||||
|
|
||||||
@ -21153,7 +21219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
# VNC v4 module in X server
|
# VNC v4 module in X server
|
||||||
corenet_tcp_bind_vnc_port(xdm_xserver_t)
|
corenet_tcp_bind_vnc_port(xdm_xserver_t)
|
||||||
|
|
||||||
@@ -404,6 +482,7 @@
|
@@ -404,6 +490,7 @@
|
||||||
# to read ROLE_home_t - examine this in more detail
|
# to read ROLE_home_t - examine this in more detail
|
||||||
# (xauth?)
|
# (xauth?)
|
||||||
userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
|
userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
|
||||||
@ -21161,7 +21227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
xserver_use_all_users_fonts(xdm_xserver_t)
|
xserver_use_all_users_fonts(xdm_xserver_t)
|
||||||
|
|
||||||
@@ -420,6 +499,14 @@
|
@@ -420,6 +507,14 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -21176,7 +21242,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
resmgr_stream_connect(xdm_t)
|
resmgr_stream_connect(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -429,47 +516,103 @@
|
@@ -429,47 +524,103 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -21909,7 +21975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.2.6/policy/modules/system/init.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.2.6/policy/modules/system/init.if
|
||||||
--- nsaserefpolicy/policy/modules/system/init.if 2007-10-29 18:02:31.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/init.if 2007-10-29 18:02:31.000000000 -0400
|
||||||
+++ serefpolicy-3.2.6/policy/modules/system/init.if 2008-02-01 16:01:42.000000000 -0500
|
+++ serefpolicy-3.2.6/policy/modules/system/init.if 2008-02-04 12:02:32.000000000 -0500
|
||||||
@@ -211,6 +211,13 @@
|
@@ -211,6 +211,13 @@
|
||||||
kernel_dontaudit_use_fds($1)
|
kernel_dontaudit_use_fds($1)
|
||||||
')
|
')
|
||||||
@ -22077,7 +22143,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1252,7 +1289,7 @@
|
@@ -1097,6 +1134,25 @@
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
+## Read init script temporary data.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`init_read_script_tmp_files',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type initrc_tmp_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ files_search_tmp($1)
|
||||||
|
+ read_files_pattern($1,initrc_tmp_t,initrc_tmp_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
## Create files in a init script
|
||||||
|
## temporary data directory.
|
||||||
|
## </summary>
|
||||||
|
@@ -1252,7 +1308,7 @@
|
||||||
type initrc_var_run_t;
|
type initrc_var_run_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -22086,7 +22178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1273,3 +1310,92 @@
|
@@ -1273,3 +1329,92 @@
|
||||||
files_search_pids($1)
|
files_search_pids($1)
|
||||||
allow $1 initrc_var_run_t:file manage_file_perms;
|
allow $1 initrc_var_run_t:file manage_file_perms;
|
||||||
')
|
')
|
||||||
@ -22181,7 +22273,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.2.6/policy/modules/system/init.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.2.6/policy/modules/system/init.te
|
||||||
--- nsaserefpolicy/policy/modules/system/init.te 2007-12-19 05:32:17.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/init.te 2007-12-19 05:32:17.000000000 -0500
|
||||||
+++ serefpolicy-3.2.6/policy/modules/system/init.te 2008-02-01 16:01:42.000000000 -0500
|
+++ serefpolicy-3.2.6/policy/modules/system/init.te 2008-02-04 11:10:57.000000000 -0500
|
||||||
@@ -10,6 +10,20 @@
|
@@ -10,6 +10,20 @@
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
@ -23045,7 +23137,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
|
|||||||
+HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_home_t,s0)
|
+HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_home_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.2.6/policy/modules/system/miscfiles.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.2.6/policy/modules/system/miscfiles.if
|
||||||
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2007-11-16 13:45:14.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2007-11-16 13:45:14.000000000 -0500
|
||||||
+++ serefpolicy-3.2.6/policy/modules/system/miscfiles.if 2008-02-01 16:01:42.000000000 -0500
|
+++ serefpolicy-3.2.6/policy/modules/system/miscfiles.if 2008-02-04 08:26:35.000000000 -0500
|
||||||
@@ -489,3 +489,44 @@
|
@@ -489,3 +489,44 @@
|
||||||
manage_lnk_files_pattern($1,locale_t,locale_t)
|
manage_lnk_files_pattern($1,locale_t,locale_t)
|
||||||
')
|
')
|
||||||
@ -25015,7 +25107,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
|
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.6/policy/modules/system/userdomain.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.6/policy/modules/system/userdomain.if
|
||||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500
|
||||||
+++ serefpolicy-3.2.6/policy/modules/system/userdomain.if 2008-02-01 22:19:29.000000000 -0500
|
+++ serefpolicy-3.2.6/policy/modules/system/userdomain.if 2008-02-04 08:23:21.000000000 -0500
|
||||||
@@ -29,9 +29,14 @@
|
@@ -29,9 +29,14 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -28179,8 +28271,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i
|
|||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.2.6/policy/modules/system/virt.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.2.6/policy/modules/system/virt.te
|
||||||
--- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.2.6/policy/modules/system/virt.te 2008-02-02 17:10:42.000000000 -0500
|
+++ serefpolicy-3.2.6/policy/modules/system/virt.te 2008-02-04 11:23:06.000000000 -0500
|
||||||
@@ -0,0 +1,135 @@
|
@@ -0,0 +1,137 @@
|
||||||
+
|
+
|
||||||
+policy_module(virt,1.0.0)
|
+policy_module(virt,1.0.0)
|
||||||
+
|
+
|
||||||
@ -28256,10 +28348,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t
|
|||||||
+logging_log_filetrans(virtd_t, virt_log_t, { file dir } )
|
+logging_log_filetrans(virtd_t, virt_log_t, { file dir } )
|
||||||
+
|
+
|
||||||
+read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
+read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
||||||
|
+read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
||||||
+
|
+
|
||||||
+manage_dirs_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
+manage_dirs_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
||||||
+manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
+manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
||||||
+files_trans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
|
+manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
||||||
|
+filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
|
||||||
+
|
+
|
||||||
+corenet_all_recvfrom_unlabeled(virtd_t)
|
+corenet_all_recvfrom_unlabeled(virtd_t)
|
||||||
+corenet_all_recvfrom_netlabel(virtd_t)
|
+corenet_all_recvfrom_netlabel(virtd_t)
|
||||||
@ -28699,8 +28793,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.i
|
|||||||
+## <summary>Policy for staff user</summary>
|
+## <summary>Policy for staff user</summary>
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.2.6/policy/modules/users/staff.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.2.6/policy/modules/users/staff.te
|
||||||
--- nsaserefpolicy/policy/modules/users/staff.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/users/staff.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.2.6/policy/modules/users/staff.te 2008-02-01 16:01:42.000000000 -0500
|
+++ serefpolicy-3.2.6/policy/modules/users/staff.te 2008-02-04 08:26:47.000000000 -0500
|
||||||
@@ -0,0 +1,47 @@
|
@@ -0,0 +1,51 @@
|
||||||
+policy_module(staff,1.0.1)
|
+policy_module(staff,1.0.1)
|
||||||
+userdom_unpriv_user_template(staff)
|
+userdom_unpriv_user_template(staff)
|
||||||
+
|
+
|
||||||
@ -28708,6 +28802,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.t
|
|||||||
+userdom_role_change_template(staff, sysadm)
|
+userdom_role_change_template(staff, sysadm)
|
||||||
+userdom_dontaudit_use_sysadm_terms(staff_t)
|
+userdom_dontaudit_use_sysadm_terms(staff_t)
|
||||||
+
|
+
|
||||||
|
+allow $staff_t self:capability sys_nice;
|
||||||
|
+
|
||||||
+domain_read_all_domains_state(staff_t)
|
+domain_read_all_domains_state(staff_t)
|
||||||
+domain_getattr_all_domains(staff_t)
|
+domain_getattr_all_domains(staff_t)
|
||||||
+
|
+
|
||||||
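Review bot: The added rule `allow $staff_t self:capability sys_nice;` uses a `$`-prefixed name, which is the spelling for interface/template parameters, while staff.te is a plain type-enforcement file whose neighbouring lines refer to `staff_t` directly (`domain_read_all_domains_state(staff_t)`). The `$staff_t` token is most likely passed through unexpanded and will break the policy build or refer to no declared type; it should read `allow staff_t self:capability sys_nice;`. It is also worth a one-line comment on why an unprivileged staff user needs sys_nice, since it lets the domain raise scheduling priority.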
@ -28716,6 +28812,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.t
|
|||||||
+modutils_read_module_config(staff_t)
|
+modutils_read_module_config(staff_t)
|
||||||
+modutils_read_module_deps(staff_t)
|
+modutils_read_module_deps(staff_t)
|
||||||
+
|
+
|
||||||
|
+miscfiles_read_hwdata(staff_t)
|
||||||
|
+
|
||||||
+sudo_per_role_template(staff, staff_t, staff_r)
|
+sudo_per_role_template(staff, staff_t, staff_r)
|
||||||
+seutil_run_newrole(staff_t, staff_r, { staff_tty_device_t staff_devpts_t })
|
+seutil_run_newrole(staff_t, staff_r, { staff_tty_device_t staff_devpts_t })
|
||||||
+
|
+
|
||||||
|