patch from russell, Thu, 5 Oct 2006 22:44:49 +1000
Allow unconfined processes to see unlabeled processes in ps. Removed a redundant rule in samba.te Removed support for the pre-Fedora Red Hat code to create sym-links in /boot. Removed support for devpts_t files in /tmp (there is no way that would ever work). Allowed postgrey to create socket files. Made the specs for the /lib and /lib64 directories better support stem compression.
This commit is contained in:
parent
e070dd2df0
commit
3c3c0439f6
@ -1,3 +1,4 @@
|
||||
- Patch from Russell Coker Thu, 5 Oct 2006
|
||||
- Move range transitions to modules.
|
||||
- Make number of MLS sensitivities, and number of MLS and MCS
|
||||
categories configurable as build options.
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(kernel,1.3.16)
|
||||
policy_module(kernel,1.3.17)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -351,5 +351,6 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
|
||||
allow kern_unconfined unlabeled_t:filesystem *;
|
||||
allow kern_unconfined unlabeled_t:association *;
|
||||
allow kern_unconfined unlabeled_t:packet *;
|
||||
allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
|
||||
|
||||
kernel_rw_all_sysctls(kern_unconfined)
|
||||
|
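Review bot: The new `allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };` grants every process permission except the five excluded ones, while the commit description only asks that unconfined domains be able to see unlabeled processes in ps, which needs `getattr` (and at most `getsched`); permissions such as `ptrace` and `sigkill` are still included. If the broad form is deliberate to match the neighbouring `*` rules on unlabeled_t, a comment should say so, e.g. `# unconfined gets all access to unlabeled processes except ways of entering or executing in them`; otherwise `allow kern_unconfined unlabeled_t:process getattr;` matches the stated intent with less exposure. The unlabeled_t rule block starts before this hunk.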
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(terminal,1.1.9)
|
||||
policy_module(terminal,1.1.10)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -28,7 +28,6 @@ dev_node(console_device_t)
|
||||
type devpts_t;
|
||||
files_mountpoint(devpts_t)
|
||||
fs_associate_tmpfs(devpts_t)
|
||||
files_associate_tmp(devpts_t)
|
||||
fs_type(devpts_t)
|
||||
fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(mailman,1.1.7)
|
||||
policy_module(mailman,1.1.8)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -44,10 +44,12 @@ optional_policy(`
|
||||
allow mailman_cgi_t mailman_archive_t:lnk_file create_lnk_perms;
|
||||
allow mailman_cgi_t mailman_archive_t:file create_file_perms;
|
||||
|
||||
files_search_spool(mailman_cgi_t)
|
||||
|
||||
term_use_controlling_term(mailman_cgi_t)
|
||||
|
||||
files_search_spool(mailman_cgi_t)
|
||||
# for python pre-compile foolishness
|
||||
libs_dontaudit_write_lib_dirs(mailman_cgi_t)
|
||||
|
||||
apache_sigchld(mailman_cgi_t)
|
||||
apache_use_fds(mailman_cgi_t)
|
||||
|
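Review bot: The comment `# for python pre-compile foolishness` above the new `libs_dontaudit_write_lib_dirs(mailman_cgi_t)` call says neither what is being silenced nor why hiding it is safe, and a dontaudit also hides any genuinely unexpected write attempt by mailman_cgi_t into lib_t directories. Make the reason explicit, e.g. `# python tries to write compiled byte code (presumably .pyc) into library directories on import; the denial is expected and harmless, so do not log it`. The two `files_search_spool(mailman_cgi_t)` lines appear to be the same call moved, not a duplicate, so nothing to change there.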
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(postgrey,1.0.2)
|
||||
policy_module(postgrey,1.0.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -40,7 +40,7 @@ files_var_lib_filetrans(postgrey_t,postgrey_var_lib_t,file)
|
||||
allow postgrey_t postgrey_var_run_t:file create_file_perms;
|
||||
allow postgrey_t postgrey_var_run_t:sock_file manage_file_perms;
|
||||
allow postgrey_t postgrey_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(postgrey_t,postgrey_var_run_t,file)
|
||||
files_pid_filetrans(postgrey_t,postgrey_var_run_t,{ file sock_file })
|
||||
|
||||
kernel_read_system_state(postgrey_t)
|
||||
kernel_read_kernel_sysctls(postgrey_t)
|
||||
|
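Review bot: The `allow postgrey_t postgrey_var_run_t:sock_file manage_file_perms;` line above the changed filetrans is context, so postgrey_t could already create socket files of that type; what the new `{ file sock_file }` in `files_pid_filetrans` actually fixes is that a socket created in the pid directory is labeled postgrey_var_run_t instead of inheriting the directory's type (inferred from the interface name). That is worth recording next to the rule so nobody later trims the class set back to `file`, e.g. `# the socket in the pid dir must transition to postgrey_var_run_t or the sock_file rule above never applies`.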
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(samba,1.2.10)
|
||||
policy_module(samba,1.2.11)
|
||||
|
||||
#################################
|
||||
#
|
||||
@ -500,10 +500,6 @@ sysnet_read_config(smbmount_t)
|
||||
userdom_use_all_users_fds(smbmount_t)
|
||||
userdom_use_sysadm_ttys(smbmount_t)
|
||||
|
||||
optional_policy(`
|
||||
cups_read_rw_config(smbd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(smbmount_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(init,1.3.27)
|
||||
policy_module(init,1.3.28)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
@ -430,11 +430,6 @@ ifdef(`distro_redhat',`
|
||||
|
||||
selinux_set_enforce_mode(initrc_t)
|
||||
|
||||
# Create and read /boot/kernel.h and /boot/System.map.
|
||||
# Redhat systems typically create this file at boot time.
|
||||
bootloader_create_runtime_file(initrc_t)
|
||||
files_rw_boot_symlinks(initrc_t)
|
||||
|
||||
# These seem to be from the initrd
|
||||
# during device initialization:
|
||||
dev_create_generic_dirs(initrc_t)
|
||||
|
@ -41,8 +41,10 @@ ifdef(`distro_redhat',`
|
||||
#
|
||||
# /lib(64)?
|
||||
#
|
||||
/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/lib64(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/lib -d gen_context(system_u:object_r:lib_t,s0)
|
||||
/lib/.* gen_context(system_u:object_r:lib_t,s0)
|
||||
/lib64 -d gen_context(system_u:object_r:lib_t,s0)
|
||||
/lib64/.* gen_context(system_u:object_r:lib_t,s0)
|
||||
/lib/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
|
||||
/lib64/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
|
||||
/lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
|
||||
@ -57,7 +59,8 @@ ifdef(`distro_debian',`
|
||||
')
|
||||
|
||||
ifdef(`distro_gentoo',`
|
||||
/lib32(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/lib32 -d gen_context(system_u:object_r:lib_t,s0)
|
||||
/lib32/.* gen_context(system_u:object_r:lib_t,s0)
|
||||
/lib32/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
|
||||
/lib32/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
|
||||
')
|
||||
|
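Review bot: Replacing `/lib(/.*)?` with `/lib -d` plus `/lib/.*` restricts the first entry to directories, so on any layout where /lib, /lib64 or (in the gentoo hunk) /lib32 is itself a symlink that path no longer matches this module's specs at all, whereas the old class-less pattern covered it; I cannot tell from the page whether any supported distribution has such a layout. If one does, a matching `-l` entry is needed, e.g. `/lib -l gen_context(system_u:object_r:lib_t,s0)`; if none does, a one-line comment stating that /lib is assumed to be a real directory would stop the next reader from re-adding the old form. The same applies to the lib32 hunk in the distro_gentoo block.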
@ -201,6 +201,31 @@ interface(`libs_search_lib',`
|
||||
allow $1 lib_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to write to library directories.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Do not audit attempts to write to library directories.
|
||||
## Typically this is used to quiet attempts to recompile
|
||||
## python byte code.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`libs_dontaudit_write_lib_dirs',`
|
||||
gen_require(`
|
||||
type lib_t;
|
||||
')
|
||||
|
||||
dontaudit $1 lib_t:dir write;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete library directories.
|
||||
|
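Review bot: In the new `libs_dontaudit_write_lib_dirs` interface the `<desc>` opens by repeating the `<summary>` word for word, so it tells a caller nothing beyond the title. It should say what the rule `dontaudit $1 lib_t:dir write;` actually covers — only the `write` permission on directories labeled lib_t, not library files — and that, like any dontaudit, it also hides real write attempts by the domain into library directories, so it is meant for a known-benign pattern. Suggested `<p>` text: `Do not audit attempts to write to directories labeled lib_t. Typically this is used to quiet attempts by python to recompile byte code; note it also hides any other write attempt by the domain into library directories.`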
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(libraries,1.3.14)
|
||||
policy_module(libraries,1.3.15)
|
||||
|
||||
########################################
|
||||
#
|
||||
|