- Additional fixes for cyphesis
- Fix certmaster file context
- Add policy for system-config-samba
parent
a023a0be19
commit
411a424e1c
@ -1129,6 +1129,13 @@ sendmail = base
|
|||||||
#
|
#
|
||||||
samba = module
|
samba = module
|
||||||
|
|
||||||
|
# Layer: apps
|
||||||
|
# Module: sambagui
|
||||||
|
#
|
||||||
|
# policy for system-config-samba
|
||||||
|
#
|
||||||
|
sambagui = module
|
||||||
|
|
||||||
# Layer: apps
|
# Layer: apps
|
||||||
# Module: screen
|
# Module: screen
|
||||||
#
|
#
|
||||||
|
@ -1129,6 +1129,13 @@ sendmail = base
|
|||||||
#
|
#
|
||||||
samba = module
|
samba = module
|
||||||
|
|
||||||
|
# Layer: apps
|
||||||
|
# Module: sambagui
|
||||||
|
#
|
||||||
|
# policy for system-config-samba
|
||||||
|
#
|
||||||
|
sambagui = module
|
||||||
|
|
||||||
# Layer: apps
|
# Layer: apps
|
||||||
# Module: screen
|
# Module: screen
|
||||||
#
|
#
|
||||||
|
@ -5466,6 +5466,84 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# qemu_unconfined local policy
|
# qemu_unconfined local policy
|
||||||
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.5.13/policy/modules/apps/sambagui.fc
|
||||||
|
--- nsaserefpolicy/policy/modules/apps/sambagui.fc 1969-12-31 19:00:00.000000000 -0500
|
||||||
|
+++ serefpolicy-3.5.13/policy/modules/apps/sambagui.fc 2008-11-04 09:44:32.000000000 -0500
|
||||||
|
@@ -0,0 +1,4 @@
|
||||||
|
+/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0)
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+
|
||||||
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.5.13/policy/modules/apps/sambagui.if
|
||||||
|
--- nsaserefpolicy/policy/modules/apps/sambagui.if 1969-12-31 19:00:00.000000000 -0500
|
||||||
|
+++ serefpolicy-3.5.13/policy/modules/apps/sambagui.if 2008-11-04 10:25:22.000000000 -0500
|
||||||
|
@@ -0,0 +1,2 @@
|
||||||
|
+## <summary>system-config-samba policy</summary>
|
||||||
|
+
|
||||||
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.5.13/policy/modules/apps/sambagui.te
|
||||||
|
--- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
|
+++ serefpolicy-3.5.13/policy/modules/apps/sambagui.te 2008-11-04 10:21:56.000000000 -0500
|
||||||
|
@@ -0,0 +1,60 @@
|
||||||
|
+policy_module(sambagui,1.0.0)
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+#
|
||||||
|
+# Declarations
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+type sambagui_t;
|
||||||
|
+type sambagui_exec_t;
|
||||||
|
+
|
||||||
|
+dbus_system_domain(sambagui_t, sambagui_exec_t)
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+#
|
||||||
|
+# system-config-samba local policy
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+allow sambagui_t self:fifo_file rw_fifo_file_perms;
|
||||||
|
+
|
||||||
|
+# handling with samba conf files
|
||||||
|
+samba_append_log(sambagui_t)
|
||||||
|
+samba_manage_config(sambagui_t)
|
||||||
|
+samba_manage_var_files(sambagui_t)
|
||||||
|
+samba_initrc_domtrans(sambagui_t)
|
||||||
|
+samba_domtrans_smb(sambagui_t)
|
||||||
|
+samba_domtrans_nmb(sambagui_t)
|
||||||
|
+
|
||||||
|
+# execut apps of system-config-samba
|
||||||
|
+corecmd_exec_shell(sambagui_t)
|
||||||
|
+corecmd_exec_bin(sambagui_t)
|
||||||
|
+
|
||||||
|
+files_read_etc_files(sambagui_t)
|
||||||
|
+files_search_var_lib(sambagui_t)
|
||||||
|
+files_search_usr(sambagui_t)
|
||||||
|
+
|
||||||
|
+fs_list_inotifyfs(sambagui_t)
|
||||||
|
+
|
||||||
|
+libs_use_ld_so(sambagui_t)
|
||||||
|
+libs_use_shared_libs(sambagui_t)
|
||||||
|
+
|
||||||
|
+# reading shadow by pdbedit
|
||||||
|
+#auth_read_shadow(sambagui_t)
|
||||||
|
+
|
||||||
|
+miscfiles_read_localization(sambagui_t)
|
||||||
|
+
|
||||||
|
+# read meminfo
|
||||||
|
+kernel_read_system_state(sambagui_t)
|
||||||
|
+
|
||||||
|
+dev_dontaudit_read_urand(sambagui_t)
|
||||||
|
+nscd_dontaudit_search_pid(sambagui_t)
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ consoletype_exec(sambagui_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ polkit_dbus_chat(sambagui_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+permissive sambagui_t;
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.5.13/policy/modules/apps/screen.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.5.13/policy/modules/apps/screen.fc
|
||||||
--- nsaserefpolicy/policy/modules/apps/screen.fc 2008-08-07 11:15:03.000000000 -0400
|
--- nsaserefpolicy/policy/modules/apps/screen.fc 2008-08-07 11:15:03.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/apps/screen.fc 2008-10-28 10:56:19.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/apps/screen.fc 2008-10-28 10:56:19.000000000 -0400
|
||||||
@ -6275,8 +6353,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
########################################
|
########################################
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in
|
||||||
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-10-14 11:58:07.000000000 -0400
|
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-10-14 11:58:07.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in 2008-10-28 10:56:19.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in 2008-11-04 09:01:51.000000000 -0500
|
||||||
@@ -79,6 +79,7 @@
|
@@ -79,11 +79,13 @@
|
||||||
network_port(auth, tcp,113,s0)
|
network_port(auth, tcp,113,s0)
|
||||||
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
|
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
|
||||||
type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
|
type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
|
||||||
@ -6284,7 +6362,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
network_port(clamd, tcp,3310,s0)
|
network_port(clamd, tcp,3310,s0)
|
||||||
network_port(clockspeed, udp,4041,s0)
|
network_port(clockspeed, udp,4041,s0)
|
||||||
network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
|
network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
|
||||||
@@ -93,6 +94,7 @@
|
network_port(comsat, udp,512,s0)
|
||||||
|
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0)
|
||||||
|
+portcon tcp 6780-6799 gen_context(system_u:object_r:cyphesis_port_t, s0)
|
||||||
|
network_port(cvs, tcp,2401,s0, udp,2401,s0)
|
||||||
|
network_port(dcc, udp,6276,s0, udp,6277,s0)
|
||||||
|
network_port(dbskkd, tcp,1178,s0)
|
||||||
|
@@ -93,6 +95,7 @@
|
||||||
network_port(distccd, tcp,3632,s0)
|
network_port(distccd, tcp,3632,s0)
|
||||||
network_port(dns, udp,53,s0, tcp,53,s0)
|
network_port(dns, udp,53,s0, tcp,53,s0)
|
||||||
network_port(fingerd, tcp,79,s0)
|
network_port(fingerd, tcp,79,s0)
|
||||||
@ -6292,7 +6376,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
network_port(ftp_data, tcp,20,s0)
|
network_port(ftp_data, tcp,20,s0)
|
||||||
network_port(ftp, tcp,21,s0)
|
network_port(ftp, tcp,21,s0)
|
||||||
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
|
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
|
||||||
@@ -117,6 +119,8 @@
|
@@ -117,6 +120,8 @@
|
||||||
network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
|
network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
|
||||||
network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
|
network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
|
||||||
network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
|
network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
|
||||||
@ -6301,7 +6385,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
network_port(ktalkd, udp,517,s0, udp,518,s0)
|
network_port(ktalkd, udp,517,s0, udp,518,s0)
|
||||||
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
|
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
|
||||||
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
|
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
|
||||||
@@ -126,6 +130,7 @@
|
@@ -126,6 +131,7 @@
|
||||||
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
|
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
|
||||||
network_port(monopd, tcp,1234,s0)
|
network_port(monopd, tcp,1234,s0)
|
||||||
network_port(msnp, tcp,1863,s0, udp,1863,s0)
|
network_port(msnp, tcp,1863,s0, udp,1863,s0)
|
||||||
@ -6309,7 +6393,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
|
network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
|
||||||
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
|
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
|
||||||
network_port(nessus, tcp,1241,s0)
|
network_port(nessus, tcp,1241,s0)
|
||||||
@@ -137,11 +142,13 @@
|
@@ -137,11 +143,13 @@
|
||||||
network_port(pegasus_http, tcp,5988,s0)
|
network_port(pegasus_http, tcp,5988,s0)
|
||||||
network_port(pegasus_https, tcp,5989,s0)
|
network_port(pegasus_https, tcp,5989,s0)
|
||||||
network_port(postfix_policyd, tcp,10031,s0)
|
network_port(postfix_policyd, tcp,10031,s0)
|
||||||
@ -6323,7 +6407,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
network_port(printer, tcp,515,s0)
|
network_port(printer, tcp,515,s0)
|
||||||
network_port(ptal, tcp,5703,s0)
|
network_port(ptal, tcp,5703,s0)
|
||||||
network_port(pxe, udp,4011,s0)
|
network_port(pxe, udp,4011,s0)
|
||||||
@@ -159,9 +166,10 @@
|
@@ -159,9 +167,10 @@
|
||||||
network_port(rwho, udp,513,s0)
|
network_port(rwho, udp,513,s0)
|
||||||
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
|
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
|
||||||
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
|
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
|
||||||
@ -6335,7 +6419,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
|
network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
|
||||||
type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
|
type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
|
||||||
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
|
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
|
||||||
@@ -170,13 +178,16 @@
|
@@ -170,13 +179,16 @@
|
||||||
network_port(syslogd, udp,514,s0)
|
network_port(syslogd, udp,514,s0)
|
||||||
network_port(telnetd, tcp,23,s0)
|
network_port(telnetd, tcp,23,s0)
|
||||||
network_port(tftp, udp,69,s0)
|
network_port(tftp, udp,69,s0)
|
||||||
@ -12157,16 +12241,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.5.13/policy/modules/services/certmaster.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.5.13/policy/modules/services/certmaster.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/certmaster.fc 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/certmaster.fc 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.5.13/policy/modules/services/certmaster.fc 2008-10-30 14:43:22.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/services/certmaster.fc 2008-11-04 08:52:09.000000000 -0500
|
||||||
@@ -0,0 +1,11 @@
|
@@ -0,0 +1,9 @@
|
||||||
+
|
+
|
||||||
+/etc/rc\.d/init\.d/certmaster -- gen_context(system_u:object_r:certmaster_initrc_exec_t,s0)
|
+/etc/rc\.d/init\.d/certmaster -- gen_context(system_u:object_r:certmaster_initrc_exec_t,s0)
|
||||||
+/usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0)
|
+/usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0)
|
||||||
+
|
+
|
||||||
+/etc/certmaster(/.*)? gen_context(system_u:object_r:certmaster_etc_rw_t,s0)
|
+/etc/certmaster(/.*)? gen_context(system_u:object_r:certmaster_etc_rw_t,s0)
|
||||||
+
|
+
|
||||||
+/etc/pki/certmaster(/.*)? gen_context(system_u:object_r:certmaster_cert_t,s0)
|
|
||||||
+
|
|
||||||
+/var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0)
|
+/var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0)
|
||||||
+
|
+
|
||||||
+/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0)
|
+/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0)
|
||||||
@ -12641,7 +12723,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
|
+/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.5.13/policy/modules/services/consolekit.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.5.13/policy/modules/services/consolekit.if
|
||||||
--- nsaserefpolicy/policy/modules/services/consolekit.if 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/consolekit.if 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/services/consolekit.if 2008-10-28 10:56:19.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/services/consolekit.if 2008-11-04 09:40:18.000000000 -0500
|
||||||
@@ -38,3 +38,24 @@
|
@@ -38,3 +38,24 @@
|
||||||
allow $1 consolekit_t:dbus send_msg;
|
allow $1 consolekit_t:dbus send_msg;
|
||||||
allow consolekit_t $1:dbus send_msg;
|
allow consolekit_t $1:dbus send_msg;
|
||||||
@ -14081,6 +14163,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
|
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
|
||||||
+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
|
+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
|
||||||
')
|
')
|
||||||
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.fc serefpolicy-3.5.13/policy/modules/services/cyphesis.fc
|
||||||
|
--- nsaserefpolicy/policy/modules/services/cyphesis.fc 2008-09-03 11:05:02.000000000 -0400
|
||||||
|
+++ serefpolicy-3.5.13/policy/modules/services/cyphesis.fc 2008-11-04 09:54:55.000000000 -0500
|
||||||
|
@@ -1 +1,6 @@
|
||||||
|
/usr/bin/cyphesis -- gen_context(system_u:object_r:cyphesis_exec_t,s0)
|
||||||
|
+
|
||||||
|
+/var/log/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_log_t,s0)
|
||||||
|
+
|
||||||
|
+/var/run/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_run_t,s0)
|
||||||
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.5.13/policy/modules/services/dbus.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.5.13/policy/modules/services/dbus.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/dbus.fc 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/dbus.fc 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/services/dbus.fc 2008-10-28 10:56:19.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/services/dbus.fc 2008-10-28 10:56:19.000000000 -0400
|
||||||
@ -18567,8 +18659,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0)
|
+/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.5.13/policy/modules/services/polkit.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.5.13/policy/modules/services/polkit.if
|
||||||
--- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.5.13/policy/modules/services/polkit.if 2008-10-28 10:56:19.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/services/polkit.if 2008-11-04 09:56:57.000000000 -0500
|
||||||
@@ -0,0 +1,213 @@
|
@@ -0,0 +1,233 @@
|
||||||
+
|
+
|
||||||
+## <summary>policy for polkit_auth</summary>
|
+## <summary>policy for polkit_auth</summary>
|
||||||
+
|
+
|
||||||
@ -18782,9 +18874,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+ polkit_read_lib($2)
|
+ polkit_read_lib($2)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Send and receive messages from
|
||||||
|
+## polkit over dbus.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`polkit_dbus_chat',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type polkit_t;
|
||||||
|
+ class dbus send_msg;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 polkit_t:dbus send_msg;
|
||||||
|
+ allow polkit_t $1:dbus send_msg;
|
||||||
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.5.13/policy/modules/services/polkit.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.5.13/policy/modules/services/polkit.te
|
||||||
--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.5.13/policy/modules/services/polkit.te 2008-10-28 10:56:19.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/services/polkit.te 2008-11-04 09:58:08.000000000 -0500
|
||||||
@@ -0,0 +1,231 @@
|
@@ -0,0 +1,231 @@
|
||||||
+policy_module(polkit_auth, 1.0.0)
|
+policy_module(polkit_auth, 1.0.0)
|
||||||
+
|
+
|
||||||
@ -21515,11 +21627,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.5.13/policy/modules/services/samba.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.5.13/policy/modules/services/samba.if
|
||||||
--- nsaserefpolicy/policy/modules/services/samba.if 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/samba.if 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/services/samba.if 2008-10-28 10:56:19.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/services/samba.if 2008-11-04 10:21:25.000000000 -0500
|
||||||
@@ -52,6 +52,25 @@
|
@@ -44,6 +44,44 @@
|
||||||
## </summary>
|
|
||||||
## </param>
|
########################################
|
||||||
#
|
## <summary>
|
||||||
|
+## Execute smbd net in the smbd_t domain.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## The type of the process performing this action.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
+interface(`samba_domtrans_smb',`
|
+interface(`samba_domtrans_smb',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ type smbd_t, smbd_exec_t;
|
+ type smbd_t, smbd_exec_t;
|
||||||
@ -21531,7 +21651,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Execute samba net in the samba_net domain.
|
+## Execute nmbd net in the nmbd_t domain.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
+## <summary>
|
+## <summary>
|
||||||
@ -21539,10 +21659,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+## </summary>
|
+## </summary>
|
||||||
+## </param>
|
+## </param>
|
||||||
+#
|
+#
|
||||||
interface(`samba_domtrans_net',`
|
+interface(`samba_domtrans_nmb',`
|
||||||
gen_require(`
|
+ gen_require(`
|
||||||
type samba_net_t, samba_net_exec_t;
|
+ type nmbd_t, nmbd_exec_t;
|
||||||
@@ -63,6 +82,25 @@
|
+ ')
|
||||||
|
+
|
||||||
|
+ corecmd_search_bin($1)
|
||||||
|
+ domtrans_pattern($1, nmbd_exec_t, nmbd_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
## Execute samba net in the samba_net domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
@@ -63,6 +101,25 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -21568,7 +21699,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Execute samba net in the samba_net domain, and
|
## Execute samba net in the samba_net domain, and
|
||||||
## allow the specified role the samba_net domain.
|
## allow the specified role the samba_net domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -95,6 +133,38 @@
|
@@ -95,6 +152,38 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -21607,7 +21738,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Execute smbmount in the smbmount domain.
|
## Execute smbmount in the smbmount domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -331,6 +401,25 @@
|
@@ -188,6 +277,28 @@
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
+## Allow the specified domain to read
|
||||||
|
+## and write samba configuration files.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+## <rolecap/>
|
||||||
|
+#
|
||||||
|
+interface(`samba_manage_config',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type samba_etc_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ files_search_etc($1)
|
||||||
|
+ manage_dirs_pattern($1, samba_etc_t, samba_etc_t)
|
||||||
|
+ manage_files_pattern($1, samba_etc_t, samba_etc_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
## Allow the specified domain to read samba's log files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
@@ -331,6 +442,25 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -21633,7 +21793,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Allow the specified domain to
|
## Allow the specified domain to
|
||||||
## read and write samba /var files.
|
## read and write samba /var files.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -348,6 +437,7 @@
|
@@ -348,6 +478,7 @@
|
||||||
files_search_var($1)
|
files_search_var($1)
|
||||||
files_search_var_lib($1)
|
files_search_var_lib($1)
|
||||||
manage_files_pattern($1, samba_var_t, samba_var_t)
|
manage_files_pattern($1, samba_var_t, samba_var_t)
|
||||||
@ -21641,7 +21801,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -420,6 +510,7 @@
|
@@ -420,6 +551,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
|
domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
|
||||||
@ -21649,7 +21809,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -503,3 +594,190 @@
|
@@ -503,3 +635,208 @@
|
||||||
stream_connect_pattern($1, winbind_tmp_t, winbind_tmp_t, winbind_t)
|
stream_connect_pattern($1, winbind_tmp_t, winbind_tmp_t, winbind_t)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
@ -21756,6 +21916,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
|
+## Execute samba server in the samba domain.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## The type of the process performing this action.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`samba_initrc_domtrans',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type samba_initrc_exec_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ init_labeled_script_domtrans($1, samba_initrc_exec_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
+## All of the rules required to administrate
|
+## All of the rules required to administrate
|
||||||
+## an samba environment
|
+## an samba environment
|
||||||
+## </summary>
|
+## </summary>
|
||||||
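Review bot: The new sambagui.te ends with `permissive sambagui_t;`, so the rules written for the system-config-samba D-Bus mechanism are not enforced and denials for that domain are only logged. The same domain is given `samba_manage_config`, `samba_manage_var_files`, `corecmd_exec_shell` and `corecmd_exec_bin`, plus transitions through `samba_initrc_domtrans`, `samba_domtrans_smb` and `samba_domtrans_nmb`, so a reader needs to know the confinement is provisional. I would add a comment directly above the `permissive` line, such as `# TEMPORARY: domain is unenforced while AVC denials are collected; remove before release`. Separately, the summary of the new `samba_manage_config` interface in samba.if says "read and write samba configuration files" while its body calls `manage_dirs_pattern` and `manage_files_pattern`, which in refpolicy also cover create and delete. The summary should read `## Allow the specified domain to create, read, write and delete samba configuration files and directories.`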
|
@ -20,7 +20,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.5.13
|
Version: 3.5.13
|
||||||
Release: 13%{?dist}
|
Release: 14%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -457,6 +457,11 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Nov 3 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-14
|
||||||
|
- Additional fixes for cyphesis
|
||||||
|
- Fix certmaster file context
|
||||||
|
- Add policy for system-config-samba
|
||||||
|
|
||||||
* Mon Nov 3 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-13
|
* Mon Nov 3 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-13
|
||||||
- Allow dhcpc to restart ypbind
|
- Allow dhcpc to restart ypbind
|
||||||
- Fixup labeling in /var/run
|
- Fixup labeling in /var/run
|
||||||
|