- Remove user specific crond_t
parent
965b62cceb
commit
3a54e4809f
@ -1256,7 +1256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.1.2/policy/modules/admin/rpm.te
|
||||
--- nsaserefpolicy/policy/modules/admin/rpm.te 2007-10-12 08:56:09.000000000 -0400
|
||||
+++ serefpolicy-3.1.2/policy/modules/admin/rpm.te 2007-11-26 16:40:13.000000000 -0500
|
||||
+++ serefpolicy-3.1.2/policy/modules/admin/rpm.te 2007-11-28 10:57:00.000000000 -0500
|
||||
@@ -139,6 +139,7 @@
|
||||
auth_relabel_all_files_except_shadow(rpm_t)
|
||||
auth_manage_all_files_except_shadow(rpm_t)
|
||||
@ -1287,7 +1287,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -289,6 +296,7 @@
|
||||
@@ -195,6 +202,7 @@
|
||||
unconfined_domain(rpm_t)
|
||||
# yum-updatesd requires this
|
||||
unconfined_dbus_chat(rpm_t)
|
||||
+ unconfined_dbus_chat(rpm_script_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
@@ -289,6 +297,7 @@
|
||||
auth_dontaudit_getattr_shadow(rpm_script_t)
|
||||
# ideally we would not need this
|
||||
auth_manage_all_files_except_shadow(rpm_script_t)
|
||||
@ -1295,7 +1303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
|
||||
|
||||
corecmd_exec_all_executables(rpm_script_t)
|
||||
|
||||
@@ -321,6 +329,7 @@
|
||||
@@ -321,6 +330,7 @@
|
||||
seutil_domtrans_loadpolicy(rpm_script_t)
|
||||
seutil_domtrans_setfiles(rpm_script_t)
|
||||
seutil_domtrans_semanage(rpm_script_t)
|
||||
@ -1303,7 +1311,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
|
||||
|
||||
userdom_use_all_users_fds(rpm_script_t)
|
||||
|
||||
@@ -339,10 +348,6 @@
|
||||
@@ -339,10 +349,6 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -2869,7 +2877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
|
||||
network_port(postgrey, tcp,60000,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.1.2/policy/modules/kernel/devices.fc
|
||||
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-11-14 16:20:13.000000000 -0500
|
||||
+++ serefpolicy-3.1.2/policy/modules/kernel/devices.fc 2007-11-26 16:40:13.000000000 -0500
|
||||
+++ serefpolicy-3.1.2/policy/modules/kernel/devices.fc 2007-11-28 10:30:00.000000000 -0500
|
||||
@@ -4,6 +4,7 @@
|
||||
|
||||
/dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
|
||||
@ -2896,18 +2904,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
|
||||
/dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0)
|
||||
/dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0)
|
||||
/dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0)
|
||||
@@ -30,7 +34,10 @@
|
||||
@@ -30,6 +34,8 @@
|
||||
/dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
|
||||
/dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
|
||||
/dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
|
||||
+/dev/kvm -c gen_context(system_u:object_r:kvm_device_t,s0)
|
||||
+/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
|
||||
/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
|
||||
+/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
|
||||
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
|
||||
/dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
|
||||
/dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
|
||||
@@ -114,9 +121,14 @@
|
||||
@@ -114,9 +120,14 @@
|
||||
/dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0)
|
||||
/dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
|
||||
|
||||
@ -4610,8 +4616,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
||||
+/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.1.2/policy/modules/services/cron.if
|
||||
--- nsaserefpolicy/policy/modules/services/cron.if 2007-10-12 08:56:07.000000000 -0400
|
||||
+++ serefpolicy-3.1.2/policy/modules/services/cron.if 2007-11-26 16:40:13.000000000 -0500
|
||||
@@ -35,6 +35,7 @@
|
||||
+++ serefpolicy-3.1.2/policy/modules/services/cron.if 2007-11-28 08:46:16.000000000 -0500
|
||||
@@ -35,38 +35,23 @@
|
||||
#
|
||||
template(`cron_per_role_template',`
|
||||
gen_require(`
|
||||
@ -4619,10 +4625,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
||||
attribute cron_spool_type;
|
||||
type crond_t, cron_spool_t, crontab_exec_t;
|
||||
')
|
||||
@@ -44,29 +45,13 @@
|
||||
+ typealias $1_t alias $1_crond_t;
|
||||
|
||||
# Type of user crontabs once moved to cron spool.
|
||||
type $1_cron_spool_t, cron_spool_type;
|
||||
files_type($1_cron_spool_t)
|
||||
|
||||
type $1_crond_t;
|
||||
- type $1_crond_t;
|
||||
- domain_type($1_crond_t)
|
||||
- domain_cron_exemption_target($1_crond_t)
|
||||
- corecmd_shell_entry_type($1_crond_t)
|
||||
@ -4815,7 +4824,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
||||
|
||||
tunable_policy(`fcron_crond',`
|
||||
# fcron wants an instant update of a crontab change for the administrator
|
||||
@@ -438,6 +333,25 @@
|
||||
@@ -285,14 +180,12 @@
|
||||
template(`cron_admin_template',`
|
||||
gen_require(`
|
||||
attribute cron_spool_type;
|
||||
- type $1_crontab_t, $1_crond_t;
|
||||
+ type $1_crontab_t;
|
||||
')
|
||||
|
||||
# Allow our crontab domain to unlink a user cron spool file.
|
||||
allow $1_crontab_t cron_spool_type:file { getattr read unlink };
|
||||
|
||||
- logging_read_generic_logs($1_crond_t)
|
||||
-
|
||||
# Manipulate other users crontab.
|
||||
selinux_get_fs_mount($1_crontab_t)
|
||||
selinux_validate_context($1_crontab_t)
|
||||
@@ -438,6 +331,25 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -5054,8 +5079,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
||||
ifdef(`TODO',`
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.1.2/policy/modules/services/cups.fc
|
||||
--- nsaserefpolicy/policy/modules/services/cups.fc 2007-11-16 15:30:49.000000000 -0500
|
||||
+++ serefpolicy-3.1.2/policy/modules/services/cups.fc 2007-11-26 16:40:13.000000000 -0500
|
||||
@@ -8,17 +8,14 @@
|
||||
+++ serefpolicy-3.1.2/policy/modules/services/cups.fc 2007-11-28 08:28:27.000000000 -0500
|
||||
@@ -8,17 +8,15 @@
|
||||
/etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
@ -5068,13 +5093,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
||||
/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
|
||||
/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
|
||||
+/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0)
|
||||
|
||||
-/usr/lib(64)?/cups/backend/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
|
||||
-/usr/lib(64)?/cups/daemon/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
|
||||
/usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
|
||||
|
||||
/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
|
||||
@@ -26,6 +23,11 @@
|
||||
@@ -26,6 +24,11 @@
|
||||
/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
|
||||
/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
|
||||
/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0)
|
||||
@ -5086,7 +5112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
||||
/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
|
||||
/usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0)
|
||||
/usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0)
|
||||
@@ -33,7 +35,7 @@
|
||||
@@ -33,7 +36,7 @@
|
||||
|
||||
/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
|
||||
/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
@ -5095,7 +5121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
||||
|
||||
/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
@@ -50,3 +52,6 @@
|
||||
@@ -50,3 +53,6 @@
|
||||
/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
|
||||
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
|
||||
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
|
||||
@ -9312,7 +9338,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.1.2/policy/modules/services/sendmail.te
|
||||
--- nsaserefpolicy/policy/modules/services/sendmail.te 2007-10-12 08:56:07.000000000 -0400
|
||||
+++ serefpolicy-3.1.2/policy/modules/services/sendmail.te 2007-11-26 16:40:13.000000000 -0500
|
||||
+++ serefpolicy-3.1.2/policy/modules/services/sendmail.te 2007-11-28 07:25:24.000000000 -0500
|
||||
@@ -20,19 +20,22 @@
|
||||
mta_mailserver_delivery(sendmail_t)
|
||||
mta_mailserver_sender(sendmail_t)
|
||||
@ -9347,7 +9373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
|
||||
corenet_all_recvfrom_unlabeled(sendmail_t)
|
||||
corenet_all_recvfrom_netlabel(sendmail_t)
|
||||
corenet_tcp_sendrecv_all_if(sendmail_t)
|
||||
@@ -94,30 +99,32 @@
|
||||
@@ -94,30 +99,33 @@
|
||||
miscfiles_read_certs(sendmail_t)
|
||||
miscfiles_read_localization(sendmail_t)
|
||||
|
||||
@ -9356,6 +9382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
|
||||
-
|
||||
userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(sendmail_t)
|
||||
+userdom_read_all_users_home_content_files(sendmail_t)
|
||||
|
||||
mta_read_config(sendmail_t)
|
||||
mta_etc_filetrans_aliases(sendmail_t)
|
||||
@ -9386,7 +9413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -131,10 +138,18 @@
|
||||
@@ -131,10 +139,18 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -9405,7 +9432,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
|
||||
udev_read_db(sendmail_t)
|
||||
')
|
||||
|
||||
@@ -156,3 +171,15 @@
|
||||
@@ -156,3 +172,15 @@
|
||||
|
||||
dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
|
||||
') dnl end TODO
|
||||
@ -13007,6 +13034,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
||||
optional_policy(`
|
||||
hotplug_use_fds(setfiles_t)
|
||||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.1.2/policy/modules/system/sysnetwork.fc
|
||||
--- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2006-11-16 17:15:24.000000000 -0500
|
||||
+++ serefpolicy-3.1.2/policy/modules/system/sysnetwork.fc 2007-11-28 11:55:44.000000000 -0500
|
||||
@@ -52,8 +52,7 @@
|
||||
/var/lib/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
|
||||
/var/lib/dhclient(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
|
||||
|
||||
-/var/run/dhclient.*\.pid -- gen_context(system_u:object_r:dhcpc_var_run_t,s0)
|
||||
-/var/run/dhclient.*\.leases -- gen_context(system_u:object_r:dhcpc_var_run_t,s0)
|
||||
+/var/run/dhclient.* -- gen_context(system_u:object_r:dhcpc_var_run_t,s0)
|
||||
|
||||
ifdef(`distro_gentoo',`
|
||||
/var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.1.2/policy/modules/system/sysnetwork.if
|
||||
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2007-07-16 14:09:49.000000000 -0400
|
||||
+++ serefpolicy-3.1.2/policy/modules/system/sysnetwork.if 2007-11-26 16:40:13.000000000 -0500
|
||||
@ -13484,7 +13524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.1.2/policy/modules/system/unconfined.te
|
||||
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-11-16 15:30:49.000000000 -0500
|
||||
+++ serefpolicy-3.1.2/policy/modules/system/unconfined.te 2007-11-26 16:40:13.000000000 -0500
|
||||
+++ serefpolicy-3.1.2/policy/modules/system/unconfined.te 2007-11-28 08:47:02.000000000 -0500
|
||||
@@ -16,6 +16,10 @@
|
||||
|
||||
type unconfined_exec_t;
|
||||
@ -13545,17 +13585,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
||||
unconfined_domain(httpd_unconfined_script_t)
|
||||
')
|
||||
|
||||
@@ -73,6 +87,9 @@
|
||||
@@ -71,8 +85,8 @@
|
||||
|
||||
optional_policy(`
|
||||
cron_per_role_template(unconfined, unconfined_t, unconfined_r)
|
||||
# this is disallowed usage:
|
||||
unconfined_domain(unconfined_crond_t)
|
||||
- # this is disallowed usage:
|
||||
- unconfined_domain(unconfined_crond_t)
|
||||
+ unconfined_domain(unconfined_crontab_t)
|
||||
+ role system_r types unconfined_crontab_t;
|
||||
+ rpm_transition_script(unconfined_crond_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -107,6 +124,10 @@
|
||||
@@ -107,6 +121,10 @@
|
||||
optional_policy(`
|
||||
oddjob_dbus_chat(unconfined_t)
|
||||
')
|
||||
@ -13566,7 +13607,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -118,11 +139,11 @@
|
||||
@@ -118,11 +136,11 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -13580,7 +13621,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -134,11 +155,7 @@
|
||||
@@ -134,11 +152,7 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -13593,7 +13634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -154,33 +171,20 @@
|
||||
@@ -154,33 +168,20 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -13631,7 +13672,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -205,11 +209,22 @@
|
||||
@@ -205,11 +206,22 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -13656,7 +13697,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -219,14 +234,26 @@
|
||||
@@ -219,14 +231,26 @@
|
||||
|
||||
allow unconfined_execmem_t self:process { execstack execmem };
|
||||
unconfined_domain_noaudit(unconfined_execmem_t)
|
||||
@ -13694,7 +13735,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.1.2/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-14 08:17:58.000000000 -0500
|
||||
+++ serefpolicy-3.1.2/policy/modules/system/userdomain.if 2007-11-26 22:54:17.000000000 -0500
|
||||
+++ serefpolicy-3.1.2/policy/modules/system/userdomain.if 2007-11-28 07:19:08.000000000 -0500
|
||||
@@ -29,8 +29,9 @@
|
||||
')
|
||||
|
||||
|
@ -17,7 +17,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.1.2
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -379,6 +379,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Nov 28 2007 Dan Walsh <dwalsh@redhat.com> 3.1.2-2
|
||||
- Remove user specific crond_t
|
||||
|
||||
* Mon Nov 19 2007 Dan Walsh <dwalsh@redhat.com> 3.1.2-1
|
||||
- Merge with upstream
|
||||
- Allow xsever to read hwdata_t
|
||||
|