patch from russell, Thu, 5 Oct 2006 22:44:49 +1000
Allow unconfined processes to see unlabeled processes in ps. Removed a redundant rule in samba.te. Removed support for the pre-Fedora Red Hat code that created sym-links in /boot. Removed support for devpts_t files in /tmp (there is no way that could ever work). Allowed postgrey to create socket files. Reworked the specs for the /lib and /lib64 directories to better support stem compression.
This commit is contained in:
parent
e070dd2df0
commit
3c3c0439f6
@ -1,3 +1,4 @@
|
|||||||
|
- Patch from Russell Coker Thu, 5 Oct 2006
|
||||||
- Move range transitions to modules.
|
- Move range transitions to modules.
|
||||||
- Make number of MLS sensitivities, and number of MLS and MCS
|
- Make number of MLS sensitivities, and number of MLS and MCS
|
||||||
categories configurable as build options.
|
categories configurable as build options.
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(kernel,1.3.16)
|
policy_module(kernel,1.3.17)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -351,5 +351,6 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
|
|||||||
allow kern_unconfined unlabeled_t:filesystem *;
|
allow kern_unconfined unlabeled_t:filesystem *;
|
||||||
allow kern_unconfined unlabeled_t:association *;
|
allow kern_unconfined unlabeled_t:association *;
|
||||||
allow kern_unconfined unlabeled_t:packet *;
|
allow kern_unconfined unlabeled_t:packet *;
|
||||||
|
allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
|
||||||
|
|
||||||
kernel_rw_all_sysctls(kern_unconfined)
|
kernel_rw_all_sysctls(kern_unconfined)
|
||||||
|
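Review bot: The added `allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };` grants every process permission except the five listed, which is considerably wider than the "see unlabeled processes in ps" stated in the description; listing a process only needs `getattr` (and possibly `getsched`), whereas the complement also covers `ptrace`, `signal`, `setexec` and the other process-control permissions. The surrounding rules for this attribute already use `*` on filesystem, association and packet, so the breadth may well be deliberate, but nothing on the line says so. If the narrow intent is what is wanted, `allow kern_unconfined unlabeled_t:process getattr;` is enough; if the wide rule is intended, a one-line comment such as `# unconfined domains may inspect and control unlabeled processes, but never transition into them or gain exec* on them` would make the choice reviewable later. The kern_unconfined rule block continues outside the hunk.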
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(terminal,1.1.9)
|
policy_module(terminal,1.1.10)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -28,7 +28,6 @@ dev_node(console_device_t)
|
|||||||
type devpts_t;
|
type devpts_t;
|
||||||
files_mountpoint(devpts_t)
|
files_mountpoint(devpts_t)
|
||||||
fs_associate_tmpfs(devpts_t)
|
fs_associate_tmpfs(devpts_t)
|
||||||
files_associate_tmp(devpts_t)
|
|
||||||
fs_type(devpts_t)
|
fs_type(devpts_t)
|
||||||
fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
|
fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
|
||||||
|
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(mailman,1.1.7)
|
policy_module(mailman,1.1.8)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -44,10 +44,12 @@ optional_policy(`
|
|||||||
allow mailman_cgi_t mailman_archive_t:lnk_file create_lnk_perms;
|
allow mailman_cgi_t mailman_archive_t:lnk_file create_lnk_perms;
|
||||||
allow mailman_cgi_t mailman_archive_t:file create_file_perms;
|
allow mailman_cgi_t mailman_archive_t:file create_file_perms;
|
||||||
|
|
||||||
|
files_search_spool(mailman_cgi_t)
|
||||||
|
|
||||||
term_use_controlling_term(mailman_cgi_t)
|
term_use_controlling_term(mailman_cgi_t)
|
||||||
|
|
||||||
files_search_spool(mailman_cgi_t)
|
# for python pre-compile foolishness
|
||||||
|
libs_dontaudit_write_lib_dirs(mailman_cgi_t)
|
||||||
|
|
||||||
apache_sigchld(mailman_cgi_t)
|
apache_sigchld(mailman_cgi_t)
|
||||||
apache_use_fds(mailman_cgi_t)
|
apache_use_fds(mailman_cgi_t)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(postgrey,1.0.2)
|
policy_module(postgrey,1.0.3)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -40,7 +40,7 @@ files_var_lib_filetrans(postgrey_t,postgrey_var_lib_t,file)
|
|||||||
allow postgrey_t postgrey_var_run_t:file create_file_perms;
|
allow postgrey_t postgrey_var_run_t:file create_file_perms;
|
||||||
allow postgrey_t postgrey_var_run_t:sock_file manage_file_perms;
|
allow postgrey_t postgrey_var_run_t:sock_file manage_file_perms;
|
||||||
allow postgrey_t postgrey_var_run_t:dir rw_dir_perms;
|
allow postgrey_t postgrey_var_run_t:dir rw_dir_perms;
|
||||||
files_pid_filetrans(postgrey_t,postgrey_var_run_t,file)
|
files_pid_filetrans(postgrey_t,postgrey_var_run_t,{ file sock_file })
|
||||||
|
|
||||||
kernel_read_system_state(postgrey_t)
|
kernel_read_system_state(postgrey_t)
|
||||||
kernel_read_kernel_sysctls(postgrey_t)
|
kernel_read_kernel_sysctls(postgrey_t)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(samba,1.2.10)
|
policy_module(samba,1.2.11)
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
#
|
#
|
||||||
@ -500,10 +500,6 @@ sysnet_read_config(smbmount_t)
|
|||||||
userdom_use_all_users_fds(smbmount_t)
|
userdom_use_all_users_fds(smbmount_t)
|
||||||
userdom_use_sysadm_ttys(smbmount_t)
|
userdom_use_sysadm_ttys(smbmount_t)
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
cups_read_rw_config(smbd_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
nis_use_ypbind(smbmount_t)
|
nis_use_ypbind(smbmount_t)
|
||||||
')
|
')
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(init,1.3.27)
|
policy_module(init,1.3.28)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
class passwd rootok;
|
class passwd rootok;
|
||||||
@ -430,11 +430,6 @@ ifdef(`distro_redhat',`
|
|||||||
|
|
||||||
selinux_set_enforce_mode(initrc_t)
|
selinux_set_enforce_mode(initrc_t)
|
||||||
|
|
||||||
# Create and read /boot/kernel.h and /boot/System.map.
|
|
||||||
# Redhat systems typically create this file at boot time.
|
|
||||||
bootloader_create_runtime_file(initrc_t)
|
|
||||||
files_rw_boot_symlinks(initrc_t)
|
|
||||||
|
|
||||||
# These seem to be from the initrd
|
# These seem to be from the initrd
|
||||||
# during device initialization:
|
# during device initialization:
|
||||||
dev_create_generic_dirs(initrc_t)
|
dev_create_generic_dirs(initrc_t)
|
||||||
|
@ -41,8 +41,10 @@ ifdef(`distro_redhat',`
|
|||||||
#
|
#
|
||||||
# /lib(64)?
|
# /lib(64)?
|
||||||
#
|
#
|
||||||
/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
/lib -d gen_context(system_u:object_r:lib_t,s0)
|
||||||
/lib64(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
/lib/.* gen_context(system_u:object_r:lib_t,s0)
|
||||||
|
/lib64 -d gen_context(system_u:object_r:lib_t,s0)
|
||||||
|
/lib64/.* gen_context(system_u:object_r:lib_t,s0)
|
||||||
/lib/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
|
/lib/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
|
||||||
/lib64/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
|
/lib64/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
|
||||||
/lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
|
/lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
|
||||||
@ -57,7 +59,8 @@ ifdef(`distro_debian',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`distro_gentoo',`
|
ifdef(`distro_gentoo',`
|
||||||
/lib32(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
/lib32 -d gen_context(system_u:object_r:lib_t,s0)
|
||||||
|
/lib32/.* gen_context(system_u:object_r:lib_t,s0)
|
||||||
/lib32/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
|
/lib32/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
|
||||||
/lib32/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
|
/lib32/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
|
||||||
')
|
')
|
||||||
|
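Review bot: The `-d` qualifier on the new `/lib -d`, `/lib64 -d` and `/lib32 -d` entries restricts the top-level path to real directories, while the old `/lib(/.*)?` form had no type qualifier and so also labeled a symlink at that path. On a layout where one of these names is a symlink to the other (a multilib arrangement, if the distribution uses one) that entry would now fall through to a less specific spec instead of lib_t. If that case is meant to keep working, dropping the qualifier (`/lib gen_context(system_u:object_r:lib_t,s0)`) or adding a matching `-l` entry preserves the old coverage; the stem-compression goal should be unaffected since the stem comes from the `/lib/.*` entries, not the base one. The same applies to the lib64 and lib32 entries in this and the distro_gentoo hunk.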
@ -201,6 +201,31 @@ interface(`libs_search_lib',`
|
|||||||
allow $1 lib_t:dir search;
|
allow $1 lib_t:dir search;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to write to library directories.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Do not audit attempts to write to library directories.
|
||||||
|
## Typically this is used to quiet attempts to recompile
|
||||||
|
## python byte code.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`libs_dontaudit_write_lib_dirs',`
|
||||||
|
gen_require(`
|
||||||
|
type lib_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 lib_t:dir write;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Create, read, write, and delete library directories.
|
## Create, read, write, and delete library directories.
|
||||||
|
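Review bot: The `<desc>` of the new `libs_dontaudit_write_lib_dirs` interface explains when to use it but not what it does not do: `dontaudit $1 lib_t:dir write;` only suppresses the audit record, the write is still refused. A sentence in the description making that explicit would steer callers that genuinely must write into library directories toward the manage interface documented just below instead of silencing a denial they depend on. Something like `## The write is still denied; use this only where the caller works correctly without it.` after the python byte-code sentence would do. The caller added in mailman.te in this commit is the kind of use the description has in mind.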
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(libraries,1.3.14)
|
policy_module(libraries,1.3.15)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|