patch from russell, Thu, 5 Oct 2006 22:44:49 +1000

Allow unconfined processes to see unlabeled processes in ps.

Removed a redundant rule in samba.te

Removed support for the pre-Fedora Red Hat code to create sym-links in /boot.

Removed support for devpts_t files in /tmp (there is no way that would ever 
work).

Allowed postgrey to create socket files.

Made the specs for the /lib and /lib64 directories better support stem 
compression.
This commit is contained in:
Chris PeBenito 2006-10-05 19:57:37 +00:00
parent e070dd2df0
commit 3c3c0439f6
10 changed files with 44 additions and 22 deletions


@ -1,3 +1,4 @@
- Patch from Russell Coker Thu, 5 Oct 2006
- Move range transitions to modules.
- Make number of MLS sensitivities, and number of MLS and MCS
categories configurable as build options.


@ -1,5 +1,5 @@
policy_module(kernel,1.3.16)
policy_module(kernel,1.3.17)
########################################
#
@ -351,5 +351,6 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
allow kern_unconfined unlabeled_t:filesystem *;
allow kern_unconfined unlabeled_t:association *;
allow kern_unconfined unlabeled_t:packet *;
allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
kernel_rw_all_sysctls(kern_unconfined)
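Review bot: The new `allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };` grants much more than the `getattr` that "see unlabeled processes in ps" requires: the complement set still includes ptrace, the signal permissions, setsched, setpgid and setcap against any process whose label is unlabeled_t (which is what a process is left with when a policy reload removes its type, if I read the context right). That matches the `*` style of the surrounding unlabeled_t rules, so it may well be deliberate, but if visibility is the only goal the rule could be `allow kern_unconfined unlabeled_t:process { getattr getsched };`. Otherwise a comment such as `# unconfined domains get full control over processes left unlabeled by a policy reload; only domain entry is excluded` above the line would record the intent, since the exclusion list reads as a process-visibility rule but behaves as a control rule.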


@ -1,5 +1,5 @@
policy_module(terminal,1.1.9)
policy_module(terminal,1.1.10)
########################################
#
@ -28,7 +28,6 @@ dev_node(console_device_t)
type devpts_t;
files_mountpoint(devpts_t)
fs_associate_tmpfs(devpts_t)
files_associate_tmp(devpts_t)
fs_type(devpts_t)
fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);


@ -1,5 +1,5 @@
policy_module(mailman,1.1.7)
policy_module(mailman,1.1.8)
########################################
#
@ -44,10 +44,12 @@ optional_policy(`
allow mailman_cgi_t mailman_archive_t:lnk_file create_lnk_perms;
allow mailman_cgi_t mailman_archive_t:file create_file_perms;
files_search_spool(mailman_cgi_t)
term_use_controlling_term(mailman_cgi_t)
files_search_spool(mailman_cgi_t)
# for python pre-compile foolishness
libs_dontaudit_write_lib_dirs(mailman_cgi_t)
apache_sigchld(mailman_cgi_t)
apache_use_fds(mailman_cgi_t)
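Review bot: `libs_dontaudit_write_lib_dirs(mailman_cgi_t)` silences denied writes by a web-facing CGI into lib_t directories, and the existing comment only says "python pre-compile foolishness"; a later maintainer chasing the same denial could easily turn it into an allow, so the comment should state that the denial is intentional, e.g. `# python tries to write .pyc files under /usr/lib; deny silently, a CGI must never write there`. `term_use_controlling_term(mailman_cgi_t)` is not mentioned in the commit message, and a CGI run by the web server normally has no controlling tty, so if this is for running the mailman scripts by hand from a shell a one-line comment saying so would help; if it is not needed in that case it should probably be dontaudit instead. The enclosing optional_policy block starts before this hunk.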


@ -1,5 +1,5 @@
policy_module(postgrey,1.0.2)
policy_module(postgrey,1.0.3)
########################################
#
@ -40,7 +40,7 @@ files_var_lib_filetrans(postgrey_t,postgrey_var_lib_t,file)
allow postgrey_t postgrey_var_run_t:file create_file_perms;
allow postgrey_t postgrey_var_run_t:sock_file manage_file_perms;
allow postgrey_t postgrey_var_run_t:dir rw_dir_perms;
files_pid_filetrans(postgrey_t,postgrey_var_run_t,file)
files_pid_filetrans(postgrey_t,postgrey_var_run_t,{ file sock_file })
kernel_read_system_state(postgrey_t)
kernel_read_kernel_sysctls(postgrey_t)


@ -1,5 +1,5 @@
policy_module(samba,1.2.10)
policy_module(samba,1.2.11)
#################################
#
@ -500,10 +500,6 @@ sysnet_read_config(smbmount_t)
userdom_use_all_users_fds(smbmount_t)
userdom_use_sysadm_ttys(smbmount_t)
optional_policy(`
cups_read_rw_config(smbd_t)
')
optional_policy(`
nis_use_ypbind(smbmount_t)
')


@ -1,5 +1,5 @@
policy_module(init,1.3.27)
policy_module(init,1.3.28)
gen_require(`
class passwd rootok;
@ -430,11 +430,6 @@ ifdef(`distro_redhat',`
selinux_set_enforce_mode(initrc_t)
# Create and read /boot/kernel.h and /boot/System.map.
# Redhat systems typically create this file at boot time.
bootloader_create_runtime_file(initrc_t)
files_rw_boot_symlinks(initrc_t)
# These seem to be from the initrd
# during device initialization:
dev_create_generic_dirs(initrc_t)


@ -41,8 +41,10 @@ ifdef(`distro_redhat',`
#
# /lib(64)?
#
/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
/lib64(/.*)? gen_context(system_u:object_r:lib_t,s0)
/lib -d gen_context(system_u:object_r:lib_t,s0)
/lib/.* gen_context(system_u:object_r:lib_t,s0)
/lib64 -d gen_context(system_u:object_r:lib_t,s0)
/lib64/.* gen_context(system_u:object_r:lib_t,s0)
/lib/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
/lib64/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
/lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
@ -57,7 +59,8 @@ ifdef(`distro_debian',`
')
ifdef(`distro_gentoo',`
/lib32(/.*)? gen_context(system_u:object_r:lib_t,s0)
/lib32 -d gen_context(system_u:object_r:lib_t,s0)
/lib32/.* gen_context(system_u:object_r:lib_t,s0)
/lib32/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
/lib32/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
')
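Review bot: Adding `-d` to the `/lib` and `/lib64` entries means those paths are labelled lib_t only when they are directories, and the companion `/lib64/.*` line needs a trailing path component; on a layout where `/lib64` (or `/lib32`) is a symlink to `/lib`, which some 64-bit distributions used, the symlink itself would no longer match any spec in this file and a relabel would leave it with whatever the parent default gives. If that layout is in scope, either add a symlink entry beside each directory entry, e.g. `/lib64 -l gen_context(system_u:object_r:lib_t,s0)`, or drop the `-d` so the plain stem line covers any object type at that path; stem compression does not depend on the `-d`. The same applies to the new `/lib32 -d` entry in the distro_gentoo block.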


@ -201,6 +201,31 @@ interface(`libs_search_lib',`
allow $1 lib_t:dir search;
')
########################################
## <summary>
## Do not audit attempts to write to library directories.
## </summary>
## <desc>
## <p>
## Do not audit attempts to write to library directories.
## Typically this is used to quiet attempts to recompile
## python byte code.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`libs_dontaudit_write_lib_dirs',`
gen_require(`
type lib_t;
')
dontaudit $1 lib_t:dir write;
')
########################################
## <summary>
## Create, read, write, and delete library directories.
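Review bot: The `<desc>` of `libs_dontaudit_write_lib_dirs` explains the python byte-code use case but not the cost: a dontaudit hides every denied `lib_t:dir write` from the calling domain, including a genuine attempt by a compromised service to drop files into /usr/lib, so the interface should say that it is a log-suppression measure and not a substitute for access. A sentence such as `Callers must not also be granted write access to lib_t; this interface only keeps the expected denial out of the audit log.` in the `<desc>` would make that explicit. The rule covers only `dir write`; if a real denial from the python compile attempt also reports add_name or file create, those would still be audited and the permission set would need widening, so it is worth confirming against an actual AVC message. The next interface's documentation begins at the end of this hunk and continues outside it.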


@ -1,5 +1,5 @@
policy_module(libraries,1.3.14)
policy_module(libraries,1.3.15)
########################################
#