- Allow sshd to read var_lib symlinks for freenx
parent
a32a1594b6
commit
3c498a780b
@ -459,10 +459,41 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.fc serefpolicy-3.6.12/policy/modules/admin/dmesg.fc
|
||||
--- nsaserefpolicy/policy/modules/admin/dmesg.fc 2008-08-07 11:15:13.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/admin/dmesg.fc 2009-04-22 14:17:05.000000000 -0400
|
||||
@@ -1,2 +1,4 @@
|
||||
|
||||
/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
|
||||
+
|
||||
+/usr/sbin/mcelog -- gen_context(system_u:object_r:dmesg_exec_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.6.12/policy/modules/admin/dmesg.te
|
||||
--- nsaserefpolicy/policy/modules/admin/dmesg.te 2009-01-05 15:39:44.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/admin/dmesg.te 2009-04-07 16:01:44.000000000 -0400
|
||||
@@ -35,7 +35,7 @@
|
||||
+++ serefpolicy-3.6.12/policy/modules/admin/dmesg.te 2009-04-22 14:39:11.000000000 -0400
|
||||
@@ -9,6 +9,7 @@
|
||||
type dmesg_t;
|
||||
type dmesg_exec_t;
|
||||
init_system_domain(dmesg_t, dmesg_exec_t)
|
||||
+cron_system_entry(dmesg_t, dmesg_exec_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -20,12 +21,14 @@
|
||||
|
||||
allow dmesg_t self:process signal_perms;
|
||||
|
||||
+kernel_read_system_state(dmesg_t)
|
||||
kernel_read_kernel_sysctls(dmesg_t)
|
||||
kernel_read_ring_buffer(dmesg_t)
|
||||
kernel_clear_ring_buffer(dmesg_t)
|
||||
kernel_change_ring_buffer_level(dmesg_t)
|
||||
kernel_list_proc(dmesg_t)
|
||||
kernel_read_proc_symlinks(dmesg_t)
|
||||
+dev_read_kmsg(dmesg_t)
|
||||
|
||||
dev_read_sysfs(dmesg_t)
|
||||
|
||||
@@ -35,7 +38,7 @@
|
||||
|
||||
domain_use_interactive_fds(dmesg_t)
|
||||
|
||||
@ -3055,8 +3086,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.12/policy/modules/apps/nsplugin.te
|
||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.te 2009-04-17 11:13:07.000000000 -0400
|
||||
@@ -0,0 +1,293 @@
|
||||
+++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.te 2009-04-22 13:50:31.000000000 -0400
|
||||
@@ -0,0 +1,294 @@
|
||||
+
|
||||
+policy_module(nsplugin, 1.0.0)
|
||||
+
|
||||
@ -3086,7 +3117,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+application_executable_file(nsplugin_config_exec_t)
|
||||
+
|
||||
+type nsplugin_rw_t;
|
||||
+files_type(nsplugin_rw_t)
|
||||
+files_poly_member(nsplugin_rw_t)
|
||||
+userdom_user_home_content(nsplugin_rw_t)
|
||||
+
|
||||
+type nsplugin_tmp_t;
|
||||
+files_tmp_file(nsplugin_tmp_t)
|
||||
@ -3611,7 +3643,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.12/policy/modules/apps/pulseaudio.if
|
||||
--- nsaserefpolicy/policy/modules/apps/pulseaudio.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/apps/pulseaudio.if 2009-04-07 16:01:44.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/apps/pulseaudio.if 2009-04-22 13:29:00.000000000 -0400
|
||||
@@ -0,0 +1,148 @@
|
||||
+
|
||||
+## <summary>policy for pulseaudio</summary>
|
||||
@ -5229,7 +5261,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-04-20 12:17:02.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-04-22 13:33:02.000000000 -0400
|
||||
@@ -110,6 +110,11 @@
|
||||
## </param>
|
||||
#
|
||||
@ -9697,6 +9729,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
libs_legacy_use_shared_libs(bitlbee_t)
|
||||
|
||||
miscfiles_read_localization(bitlbee_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.12/policy/modules/services/bluetooth.te
|
||||
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2009-03-23 13:47:11.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/bluetooth.te 2009-04-22 13:29:27.000000000 -0400
|
||||
@@ -152,6 +152,10 @@
|
||||
optional_policy(`
|
||||
hal_dbus_chat(bluetooth_t)
|
||||
')
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ pulseaudio_dbus_chat(bluetooth_t)
|
||||
+ ')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.6.12/policy/modules/services/certmaster.fc
|
||||
--- nsaserefpolicy/policy/modules/services/certmaster.fc 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/certmaster.fc 2009-04-07 16:01:44.000000000 -0400
|
||||
@ -10693,7 +10739,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.12/policy/modules/services/cron.te
|
||||
--- nsaserefpolicy/policy/modules/services/cron.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/cron.te 2009-04-21 16:03:54.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/cron.te 2009-04-22 14:41:00.000000000 -0400
|
||||
@@ -38,6 +38,10 @@
|
||||
type cron_var_lib_t;
|
||||
files_type(cron_var_lib_t)
|
||||
@ -10756,7 +10802,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dontaudit crond_t self:capability { sys_resource sys_tty_config };
|
||||
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow crond_t self:process { setexec setfscreate };
|
||||
@@ -146,22 +163,23 @@
|
||||
@@ -146,20 +163,20 @@
|
||||
allow crond_t self:msg { send receive };
|
||||
allow crond_t self:key { search write link };
|
||||
|
||||
@ -10781,11 +10827,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+kernel_read_fs_sysctls(crond_t)
|
||||
kernel_search_key(crond_t)
|
||||
|
||||
+dev_read_kmsg(crond_t)
|
||||
dev_read_sysfs(crond_t)
|
||||
selinux_get_fs_mount(crond_t)
|
||||
selinux_validate_context(crond_t)
|
||||
@@ -174,6 +192,7 @@
|
||||
@@ -174,6 +191,7 @@
|
||||
|
||||
fs_getattr_all_fs(crond_t)
|
||||
fs_search_auto_mountpoints(crond_t)
|
||||
@ -10793,7 +10836,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# need auth_chkpwd to check for locked accounts.
|
||||
auth_domtrans_chk_passwd(crond_t)
|
||||
@@ -183,7 +202,11 @@
|
||||
@@ -183,7 +201,11 @@
|
||||
corecmd_read_bin_symlinks(crond_t)
|
||||
|
||||
domain_use_interactive_fds(crond_t)
|
||||
@ -10805,7 +10848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
files_read_etc_files(crond_t)
|
||||
files_read_generic_spool(crond_t)
|
||||
files_list_usr(crond_t)
|
||||
@@ -192,10 +215,15 @@
|
||||
@@ -192,10 +214,15 @@
|
||||
files_search_default(crond_t)
|
||||
|
||||
init_rw_utmp(crond_t)
|
||||
@ -10821,7 +10864,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
seutil_read_config(crond_t)
|
||||
seutil_read_default_contexts(crond_t)
|
||||
@@ -208,6 +236,7 @@
|
||||
@@ -208,6 +235,7 @@
|
||||
userdom_list_user_home_dirs(crond_t)
|
||||
|
||||
mta_send_mail(crond_t)
|
||||
@ -10829,7 +10872,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
# pam_limits is used
|
||||
@@ -227,21 +256,44 @@
|
||||
@@ -227,21 +255,44 @@
|
||||
')
|
||||
')
|
||||
|
||||
@ -10875,7 +10918,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -268,8 +320,8 @@
|
||||
@@ -268,8 +319,8 @@
|
||||
# System cron process domain
|
||||
#
|
||||
|
||||
@ -10886,7 +10929,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
|
||||
allow system_cronjob_t self:passwd rootok;
|
||||
|
||||
@@ -283,7 +335,14 @@
|
||||
@@ -283,7 +334,14 @@
|
||||
allow system_cronjob_t cron_var_lib_t:file manage_file_perms;
|
||||
files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
|
||||
|
||||
@ -10901,7 +10944,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# The entrypoint interface is not used as this is not
|
||||
# a regular entrypoint. Since crontab files are
|
||||
# not directly executed, crond must ensure that
|
||||
@@ -303,6 +362,7 @@
|
||||
@@ -303,6 +361,7 @@
|
||||
allow system_cronjob_t crond_t:fd use;
|
||||
allow system_cronjob_t crond_t:fifo_file rw_file_perms;
|
||||
allow system_cronjob_t crond_t:process sigchld;
|
||||
@ -10909,7 +10952,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# Write /var/lock/makewhatis.lock.
|
||||
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
|
||||
@@ -314,9 +374,13 @@
|
||||
@@ -314,9 +373,13 @@
|
||||
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
|
||||
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
|
||||
|
||||
@ -10924,7 +10967,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
kernel_read_kernel_sysctls(system_cronjob_t)
|
||||
kernel_read_system_state(system_cronjob_t)
|
||||
@@ -345,6 +409,7 @@
|
||||
@@ -345,6 +408,7 @@
|
||||
fs_getattr_all_symlinks(system_cronjob_t)
|
||||
fs_getattr_all_pipes(system_cronjob_t)
|
||||
fs_getattr_all_sockets(system_cronjob_t)
|
||||
@ -10932,7 +10975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# quiet other ps operations
|
||||
domain_dontaudit_read_all_domains_state(system_cronjob_t)
|
||||
@@ -370,7 +435,8 @@
|
||||
@@ -370,7 +434,8 @@
|
||||
init_read_utmp(system_cronjob_t)
|
||||
init_dontaudit_rw_utmp(system_cronjob_t)
|
||||
# prelink tells init to restart it self, we either need to allow or dontaudit
|
||||
@ -10942,7 +10985,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
auth_use_nsswitch(system_cronjob_t)
|
||||
|
||||
@@ -378,6 +444,7 @@
|
||||
@@ -378,6 +443,7 @@
|
||||
libs_exec_ld_so(system_cronjob_t)
|
||||
|
||||
logging_read_generic_logs(system_cronjob_t)
|
||||
@ -10950,7 +10993,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
logging_send_syslog_msg(system_cronjob_t)
|
||||
|
||||
miscfiles_read_localization(system_cronjob_t)
|
||||
@@ -418,6 +485,10 @@
|
||||
@@ -418,6 +484,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -10961,7 +11004,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
ftp_read_log(system_cronjob_t)
|
||||
')
|
||||
|
||||
@@ -428,11 +499,20 @@
|
||||
@@ -428,11 +498,20 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -10982,7 +11025,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -447,6 +527,7 @@
|
||||
@@ -447,6 +526,7 @@
|
||||
prelink_read_cache(system_cronjob_t)
|
||||
prelink_manage_log(system_cronjob_t)
|
||||
prelink_delete_cache(system_cronjob_t)
|
||||
@ -10990,7 +11033,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -460,8 +541,7 @@
|
||||
@@ -460,8 +540,7 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -11000,7 +11043,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -469,24 +549,17 @@
|
||||
@@ -469,24 +548,17 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -11028,7 +11071,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow cronjob_t self:process { signal_perms setsched };
|
||||
allow cronjob_t self:fifo_file rw_fifo_file_perms;
|
||||
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
|
||||
@@ -570,6 +643,9 @@
|
||||
@@ -570,6 +642,9 @@
|
||||
userdom_manage_user_home_content_sockets(cronjob_t)
|
||||
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
|
||||
|
||||
@ -21997,7 +22040,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.12/policy/modules/services/ssh.if
|
||||
--- nsaserefpolicy/policy/modules/services/ssh.if 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/ssh.if 2009-04-21 13:22:50.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/ssh.if 2009-04-22 11:47:12.000000000 -0400
|
||||
@@ -36,6 +36,7 @@
|
||||
gen_require(`
|
||||
attribute ssh_server;
|
||||
@ -22065,18 +22108,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
dev_read_urand($1_ssh_t)
|
||||
|
||||
@@ -132,6 +132,10 @@
|
||||
files_read_etc_runtime_files($1_ssh_t)
|
||||
@@ -133,6 +133,8 @@
|
||||
files_read_etc_files($1_ssh_t)
|
||||
files_read_var_files($1_ssh_t)
|
||||
+ # Required for FreeNX
|
||||
+ files_read_var_lib_symlinks($1_t)
|
||||
+
|
||||
+ auth_use_nsswitch($1_ssh_t)
|
||||
|
||||
+ auth_use_nsswitch($1_ssh_t)
|
||||
+
|
||||
logging_send_syslog_msg($1_ssh_t)
|
||||
logging_read_generic_logs($1_ssh_t)
|
||||
@@ -140,9 +144,6 @@
|
||||
|
||||
@@ -140,9 +142,6 @@
|
||||
|
||||
seutil_read_config($1_ssh_t)
|
||||
|
||||
@ -22086,7 +22127,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
tunable_policy(`read_default_t',`
|
||||
files_list_default($1_ssh_t)
|
||||
files_read_default_files($1_ssh_t)
|
||||
@@ -154,14 +155,6 @@
|
||||
@@ -154,14 +153,6 @@
|
||||
optional_policy(`
|
||||
kerberos_use($1_ssh_t)
|
||||
')
|
||||
@ -22101,7 +22142,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -194,13 +187,14 @@
|
||||
@@ -194,13 +185,14 @@
|
||||
type $1_var_run_t;
|
||||
files_pid_file($1_var_run_t)
|
||||
|
||||
@ -22117,7 +22158,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
|
||||
term_create_pty($1_t,$1_devpts_t)
|
||||
@@ -214,6 +208,7 @@
|
||||
@@ -214,6 +206,7 @@
|
||||
allow $1_t sshd_key_t:file read_file_perms;
|
||||
|
||||
kernel_read_kernel_sysctls($1_t)
|
||||
@ -22125,7 +22166,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
corenet_all_recvfrom_unlabeled($1_t)
|
||||
corenet_all_recvfrom_netlabel($1_t)
|
||||
@@ -229,7 +224,12 @@
|
||||
@@ -229,7 +222,12 @@
|
||||
corenet_udp_bind_generic_node($1_t)
|
||||
corenet_tcp_bind_ssh_port($1_t)
|
||||
corenet_tcp_connect_all_ports($1_t)
|
||||
@ -22138,6 +22179,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
fs_dontaudit_getattr_all_fs($1_t)
|
||||
|
||||
@@ -245,6 +243,8 @@
|
||||
|
||||
files_read_etc_files($1_t)
|
||||
files_read_etc_runtime_files($1_t)
|
||||
+ # Required for FreeNX
|
||||
+ files_read_var_lib_symlinks($1_t)
|
||||
|
||||
logging_search_logs($1_t)
|
||||
|
||||
@@ -254,9 +254,14 @@
|
||||
|
||||
userdom_dontaudit_relabelfrom_user_ptys($1_t)
|
||||
@ -26090,7 +26140,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.12/policy/modules/system/ipsec.te
|
||||
--- nsaserefpolicy/policy/modules/system/ipsec.te 2009-04-06 12:42:08.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/ipsec.te 2009-04-07 16:01:44.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/ipsec.te 2009-04-22 14:41:22.000000000 -0400
|
||||
@@ -1,5 +1,5 @@
|
||||
|
||||
-policy_module(ipsec, 1.9.1)
|
||||
@ -26098,6 +26148,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -55,7 +55,7 @@
|
||||
|
||||
allow ipsec_t self:capability { net_admin dac_override dac_read_search };
|
||||
dontaudit ipsec_t self:capability sys_tty_config;
|
||||
-allow ipsec_t self:process { signal setsched };
|
||||
+allow ipsec_t self:process { getsched signal setsched };
|
||||
allow ipsec_t self:tcp_socket create_stream_socket_perms;
|
||||
allow ipsec_t self:udp_socket create_socket_perms;
|
||||
allow ipsec_t self:key_socket create_socket_perms;
|
||||
@@ -67,7 +67,7 @@
|
||||
read_lnk_files_pattern(ipsec_t,ipsec_conf_file_t,ipsec_conf_file_t)
|
||||
|
||||
allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
|
||||
-read_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
|
||||
+rw_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
|
||||
read_lnk_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
|
||||
|
||||
manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
|
||||
@@ -103,11 +103,13 @@
|
||||
corenet_raw_sendrecv_all_nodes(ipsec_t)
|
||||
corenet_tcp_sendrecv_all_ports(ipsec_t)
|
||||
@ -26113,7 +26181,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
corenet_sendrecv_generic_server_packets(ipsec_t)
|
||||
corenet_sendrecv_isakmp_server_packets(ipsec_t)
|
||||
|
||||
@@ -167,6 +169,8 @@
|
||||
@@ -127,6 +129,8 @@
|
||||
domain_use_interactive_fds(ipsec_t)
|
||||
|
||||
files_read_etc_files(ipsec_t)
|
||||
+files_read_usr_files(ipsec_t)
|
||||
+files_search_tmp(ipsec_t)
|
||||
|
||||
init_use_fds(ipsec_t)
|
||||
init_use_script_ptys(ipsec_t)
|
||||
@@ -167,6 +171,8 @@
|
||||
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(ipsec_mgmt_t,ipsec_mgmt_var_run_t,file)
|
||||
|
||||
@ -26122,7 +26199,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
manage_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t)
|
||||
manage_lnk_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t)
|
||||
|
||||
@@ -242,8 +246,6 @@
|
||||
@@ -242,8 +248,6 @@
|
||||
init_exec_script_files(ipsec_mgmt_t)
|
||||
init_use_fds(ipsec_mgmt_t)
|
||||
|
||||
@ -26131,7 +26208,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
miscfiles_read_localization(ipsec_mgmt_t)
|
||||
|
||||
modutils_domtrans_insmod(ipsec_mgmt_t)
|
||||
@@ -298,13 +300,10 @@
|
||||
@@ -298,13 +302,10 @@
|
||||
kernel_read_network_state(racoon_t)
|
||||
|
||||
corenet_all_recvfrom_unlabeled(racoon_t)
|
||||
|
@ -20,7 +20,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.6.12
|
||||
Release: 11%{?dist}
|
||||
Release: 12%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -446,6 +446,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Apr 22 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-12
|
||||
- Allow sshd to read var_lib symlinks for freenx
|
||||
|
||||
* Tue Apr 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-11
|
||||
- Allow nsplugin unix_read and write on users shm and sem
|
||||
- Allow sysadm_t to execute su
|
||||
|