- Add pulseaudio context
This commit is contained in:
Daniel J Walsh
parent
0c34c69a38
commit
46b5649f90
@ -1273,6 +1273,13 @@ squid = module
|
||||
#
|
||||
ssh = base
|
||||
|
||||
# Layer: services
|
||||
# Module: sssd
|
||||
#
|
||||
# System Security Services Daemon
|
||||
#
|
||||
sssd = module
|
||||
|
||||
# Layer: kernel
|
||||
# Module: storage
|
||||
#
|
||||
|
||||
@ -1266,6 +1266,13 @@ squid = module
|
||||
#
|
||||
ssh = base
|
||||
|
||||
# Layer: services
|
||||
# Module: sssd
|
||||
#
|
||||
# System Security Services Daemon
|
||||
#
|
||||
sssd = module
|
||||
|
||||
# Layer: kernel
|
||||
# Module: storage
|
||||
#
|
||||
|
||||
@ -1273,6 +1273,13 @@ squid = module
|
||||
#
|
||||
ssh = base
|
||||
|
||||
# Layer: services
|
||||
# Module: sssd
|
||||
#
|
||||
# System Security Services Daemon
|
||||
#
|
||||
sssd = module
|
||||
|
||||
# Layer: kernel
|
||||
# Module: storage
|
||||
#
|
||||
|
||||
@ -3553,8 +3553,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.8/policy/modules/apps/pulseaudio.if
|
||||
--- nsaserefpolicy/policy/modules/apps/pulseaudio.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.8/policy/modules/apps/pulseaudio.if 2009-03-08 08:48:02.000000000 -0400
|
||||
@@ -0,0 +1,85 @@
|
||||
+++ serefpolicy-3.6.8/policy/modules/apps/pulseaudio.if 2009-03-09 16:50:20.000000000 -0400
|
||||
@@ -0,0 +1,86 @@
|
||||
+
|
||||
+## <summary>policy for pulseaudio</summary>
|
||||
+
|
||||
@ -3631,19 +3631,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ ps_process_pattern($2, pulseaudio_t)
|
||||
+
|
||||
+ allow pulseaudio_t $2:process { signal signull };
|
||||
+ allow $2 pulseaudio_t:process { signal signull };
|
||||
+ ps_process_pattern(pulseaudio_t, $2)
|
||||
+
|
||||
+ allow pulseaudio_t $2:unix_stream_socket connectto;
|
||||
+ allow $2 pulseaudio_t:unix_stream_socket connectto;
|
||||
+
|
||||
+ userdom_manage_home_role($1, $2)
|
||||
+ userdom_manage_tmp_role($1, $2)
|
||||
+ userdom_manage_tmpfs_role($1, $2)
|
||||
+ userdom_manage_home_role($1, pulseaudio_t)
|
||||
+ userdom_manage_tmp_role($1, pulseaudio_t)
|
||||
+ userdom_manage_tmpfs_role($1, pulseaudio_t)
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.8/policy/modules/apps/pulseaudio.te
|
||||
--- nsaserefpolicy/policy/modules/apps/pulseaudio.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.8/policy/modules/apps/pulseaudio.te 2009-03-08 08:48:02.000000000 -0400
|
||||
@@ -0,0 +1,82 @@
|
||||
+++ serefpolicy-3.6.8/policy/modules/apps/pulseaudio.te 2009-03-09 16:49:50.000000000 -0400
|
||||
@@ -0,0 +1,88 @@
|
||||
+policy_module(pulseaudio,1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -3687,10 +3688,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+files_read_usr_files(pulseaudio_t)
|
||||
+
|
||||
+fs_rw_anon_inodefs_files(pulseaudio_t)
|
||||
+fs_getattr_tmpfs(pulseaudio_t)
|
||||
+
|
||||
+term_use_all_user_ttys(pulseaudio_t)
|
||||
+term_use_all_user_ptys(pulseaudio_t)
|
||||
+
|
||||
+auth_use_nsswitch(pulseaudio_t)
|
||||
+
|
||||
+miscfiles_read_localization(pulseaudio_t)
|
||||
+
|
||||
+logging_send_syslog_msg(pulseaudio_t)
|
||||
@ -3718,6 +3722,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
+optional_policy(`
|
||||
+ xserver_common_app(pulseaudio_t)
|
||||
+ xserver_read_xdm_pid(pulseaudio_t)
|
||||
+ xserver_stream_connect(pulseaudio_t)
|
||||
+')
|
||||
+
|
||||
+tunable_policy(`pulseaudio_network',`
|
||||
@ -3726,6 +3732,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+#FALSE
|
||||
+')
|
||||
+
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.8/policy/modules/apps/qemu.fc
|
||||
--- nsaserefpolicy/policy/modules/apps/qemu.fc 2008-08-07 11:15:02.000000000 -0400
|
||||
+++ serefpolicy-3.6.8/policy/modules/apps/qemu.fc 2009-03-07 12:11:40.000000000 -0500
|
||||
@ -12684,7 +12691,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.8/policy/modules/services/hal.if
|
||||
--- nsaserefpolicy/policy/modules/services/hal.if 2008-11-19 11:51:44.000000000 -0500
|
||||
+++ serefpolicy-3.6.8/policy/modules/services/hal.if 2009-03-09 12:17:13.000000000 -0400
|
||||
+++ serefpolicy-3.6.8/policy/modules/services/hal.if 2009-03-09 16:17:22.000000000 -0400
|
||||
@@ -20,6 +20,24 @@
|
||||
|
||||
########################################
|
||||
@ -12777,7 +12784,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+#
|
||||
+interface(`hal_create_log',`
|
||||
+ gen_require(`
|
||||
+ type hald_logd_t;
|
||||
+ type hald_log_t;
|
||||
+ ')
|
||||
+
|
||||
+ # log files for hald
|
||||
@ -21256,6 +21263,328 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
logging_send_syslog_msg(ssh_keygen_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.8/policy/modules/services/sssd.fc
|
||||
--- nsaserefpolicy/policy/modules/services/sssd.fc 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.8/policy/modules/services/sssd.fc 2009-03-09 15:47:38.000000000 -0400
|
||||
@@ -0,0 +1,6 @@
|
||||
+
|
||||
+/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
|
||||
+
|
||||
+/etc/rc.d/init.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
|
||||
+/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
|
||||
+/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.8/policy/modules/services/sssd.if
|
||||
--- nsaserefpolicy/policy/modules/services/sssd.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.8/policy/modules/services/sssd.if 2009-03-09 15:49:56.000000000 -0400
|
||||
@@ -0,0 +1,249 @@
|
||||
+
|
||||
+## <summary>policy for sssd</summary>
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute a domain transition to run sssd.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed to transition.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`sssd_domtrans',`
|
||||
+ gen_require(`
|
||||
+ type sssd_t;
|
||||
+ type sssd_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ domtrans_pattern($1,sssd_exec_t,sssd_t)
|
||||
+')
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute sssd server in the sssd domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## The type of the process performing this action.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`sssd_initrc_domtrans',`
|
||||
+ gen_require(`
|
||||
+ type sssd_initrc_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ init_labeled_script_domtrans($1,sssd_initrc_exec_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read sssd PID files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`sssd_read_pid_files',`
|
||||
+ gen_require(`
|
||||
+ type sssd_var_run_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_pids($1)
|
||||
+ allow $1 sssd_var_run_t:file read_file_perms;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Manage sssd var_run files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`sssd_manage_var_run',`
|
||||
+ gen_require(`
|
||||
+ type sssd_var_run_t;
|
||||
+ ')
|
||||
+
|
||||
+ manage_dirs_pattern($1,sssd_var_run_t,sssd_var_run_t)
|
||||
+ manage_files_pattern($1,sssd_var_run_t,sssd_var_run_t)
|
||||
+ manage_lnk_files_pattern($1,sssd_var_run_t,sssd_var_run_t)
|
||||
+')
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Search sssd lib directories.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`sssd_search_lib',`
|
||||
+ gen_require(`
|
||||
+ type sssd_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 sssd_var_lib_t:dir search_dir_perms;
|
||||
+ files_search_var_lib($1)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read sssd lib files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`sssd_read_lib_files',`
|
||||
+ gen_require(`
|
||||
+ type sssd_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_var_lib($1)
|
||||
+ read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Create, read, write, and delete
|
||||
+## sssd lib files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`sssd_manage_lib_files',`
|
||||
+ gen_require(`
|
||||
+ type sssd_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_var_lib($1)
|
||||
+ manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Manage sssd var_lib files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`sssd_manage_var_lib',`
|
||||
+ gen_require(`
|
||||
+ type sssd_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ manage_dirs_pattern($1,sssd_var_lib_t,sssd_var_lib_t)
|
||||
+ manage_files_pattern($1,sssd_var_lib_t,sssd_var_lib_t)
|
||||
+ manage_lnk_files_pattern($1,sssd_var_lib_t,sssd_var_lib_t)
|
||||
+')
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Send and receive messages from
|
||||
+## sssd over dbus.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`sssd_dbus_chat',`
|
||||
+ gen_require(`
|
||||
+ type sssd_t;
|
||||
+ class dbus send_msg;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 sssd_t:dbus send_msg;
|
||||
+ allow sssd_t $1:dbus send_msg;
|
||||
+')
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Connect to sssd over an unix stream socket.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`sssd_stream_connect',`
|
||||
+ gen_require(`
|
||||
+ type sssd_t, sssd_var_run_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_pids($1)
|
||||
+ allow $1 sssd_var_run_t:sock_file write;
|
||||
+ allow $1 sssd_t:unix_stream_socket connectto;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## All of the rules required to administrate
|
||||
+## an sssd environment
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="role">
|
||||
+## <summary>
|
||||
+## The role to be allowed to manage the sssd domain.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="terminal">
|
||||
+## <summary>
|
||||
+## The type of the user terminal.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`sssd_admin',`
|
||||
+ gen_require(`
|
||||
+ type sssd_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 sssd_t:process { ptrace signal_perms getattr };
|
||||
+ read_files_pattern($1, sssd_t, sssd_t)
|
||||
+
|
||||
+
|
||||
+ gen_require(`
|
||||
+ type sssd_initrc_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ # Allow sssd_t to restart the apache service
|
||||
+ sssd_initrc_domtrans($1)
|
||||
+ domain_system_change_exemption($1)
|
||||
+ role_transition $2 sssd_initrc_exec_t system_r;
|
||||
+ allow $2 system_r;
|
||||
+
|
||||
+ sssd_manage_var_run($1)
|
||||
+
|
||||
+ sssd_manage_var_lib($1)
|
||||
+
|
||||
+')
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.8/policy/modules/services/sssd.te
|
||||
--- nsaserefpolicy/policy/modules/services/sssd.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.8/policy/modules/services/sssd.te 2009-03-09 15:47:36.000000000 -0400
|
||||
@@ -0,0 +1,55 @@
|
||||
+policy_module(sssd,1.0.0)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# Declarations
|
||||
+#
|
||||
+
|
||||
+type sssd_t;
|
||||
+type sssd_exec_t;
|
||||
+init_daemon_domain(sssd_t, sssd_exec_t)
|
||||
+
|
||||
+permissive sssd_t;
|
||||
+
|
||||
+type sssd_initrc_exec_t;
|
||||
+init_script_file(sssd_initrc_exec_t)
|
||||
+
|
||||
+type sssd_var_run_t;
|
||||
+files_pid_file(sssd_var_run_t)
|
||||
+
|
||||
+type sssd_var_lib_t;
|
||||
+files_type(sssd_var_lib_t)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# sssd local policy
|
||||
+#
|
||||
+
|
||||
+# Init script handling
|
||||
+domain_use_interactive_fds(sssd_t)
|
||||
+
|
||||
+# internal communication is often done using fifo and unix sockets.
|
||||
+allow sssd_t self:fifo_file rw_file_perms;
|
||||
+allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
+
|
||||
+manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
|
||||
+manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
|
||||
+files_pid_filetrans(sssd_t,sssd_var_run_t, { file dir })
|
||||
+
|
||||
+manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
|
||||
+manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
|
||||
+manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
|
||||
+files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } )
|
||||
+
|
||||
+corecmd_exec_bin(sssd_t)
|
||||
+
|
||||
+dev_read_urand(sssd_t)
|
||||
+
|
||||
+files_read_etc_files(sssd_t)
|
||||
+
|
||||
+miscfiles_read_localization(sssd_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ dbus_system_bus_client(sssd_t)
|
||||
+ dbus_connect_system_bus(sssd_t)
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.fc serefpolicy-3.6.8/policy/modules/services/stunnel.fc
|
||||
--- nsaserefpolicy/policy/modules/services/stunnel.fc 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.6.8/policy/modules/services/stunnel.fc 2009-03-07 12:11:40.000000000 -0500
|
||||
@ -22706,7 +23035,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.8/policy/modules/services/xserver.te
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.8/policy/modules/services/xserver.te 2009-03-07 12:11:40.000000000 -0500
|
||||
+++ serefpolicy-3.6.8/policy/modules/services/xserver.te 2009-03-09 16:07:15.000000000 -0400
|
||||
@@ -34,6 +34,13 @@
|
||||
|
||||
## <desc>
|
||||
@ -23121,7 +23450,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
hostname_exec(xdm_t)
|
||||
')
|
||||
|
||||
@@ -542,6 +639,19 @@
|
||||
@@ -542,6 +639,23 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -23130,6 +23459,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ polkit_read_reload(xdm_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ pulseaudio_role(system_r, xdm_t)
|
||||
+')
|
||||
+
|
||||
+# On crash gdm execs gdb to dump stack
|
||||
+optional_policy(`
|
||||
+ rpm_exec(xdm_t)
|
||||
@ -23141,7 +23474,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
seutil_sigchld_newrole(xdm_t)
|
||||
')
|
||||
|
||||
@@ -550,8 +660,9 @@
|
||||
@@ -550,8 +664,9 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -23153,7 +23486,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
ifndef(`distro_redhat',`
|
||||
allow xdm_t self:process { execheap execmem };
|
||||
@@ -560,7 +671,6 @@
|
||||
@@ -560,7 +675,6 @@
|
||||
ifdef(`distro_rhel4',`
|
||||
allow xdm_t self:process { execheap execmem };
|
||||
')
|
||||
@ -23161,7 +23494,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
optional_policy(`
|
||||
userhelper_dontaudit_search_config(xdm_t)
|
||||
@@ -571,6 +681,10 @@
|
||||
@@ -571,6 +685,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -23172,7 +23505,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
xfs_stream_connect(xdm_t)
|
||||
')
|
||||
|
||||
@@ -587,7 +701,7 @@
|
||||
@@ -587,7 +705,7 @@
|
||||
# execheap needed until the X module loader is fixed.
|
||||
# NVIDIA Needs execstack
|
||||
|
||||
@ -23181,7 +23514,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dontaudit xserver_t self:capability chown;
|
||||
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow xserver_t self:memprotect mmap_zero;
|
||||
@@ -602,9 +716,11 @@
|
||||
@@ -602,9 +720,11 @@
|
||||
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
||||
allow xserver_t self:udp_socket create_socket_perms;
|
||||
@ -23193,7 +23526,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
|
||||
|
||||
@@ -622,7 +738,7 @@
|
||||
@@ -622,7 +742,7 @@
|
||||
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||
files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
|
||||
|
||||
@ -23202,7 +23535,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||
@@ -635,9 +751,19 @@
|
||||
@@ -635,9 +755,19 @@
|
||||
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||
files_search_var_lib(xserver_t)
|
||||
|
||||
@ -23222,7 +23555,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
kernel_read_system_state(xserver_t)
|
||||
kernel_read_device_sysctls(xserver_t)
|
||||
@@ -680,9 +806,14 @@
|
||||
@@ -680,9 +810,14 @@
|
||||
dev_rw_xserver_misc(xserver_t)
|
||||
# read events - the synaptics touchpad driver reads raw events
|
||||
dev_rw_input_dev(xserver_t)
|
||||
@ -23237,7 +23570,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
files_read_etc_files(xserver_t)
|
||||
files_read_etc_runtime_files(xserver_t)
|
||||
@@ -697,8 +828,13 @@
|
||||
@@ -697,8 +832,13 @@
|
||||
fs_search_nfs(xserver_t)
|
||||
fs_search_auto_mountpoints(xserver_t)
|
||||
fs_search_ramfs(xserver_t)
|
||||
@ -23251,7 +23584,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
selinux_validate_context(xserver_t)
|
||||
selinux_compute_access_vector(xserver_t)
|
||||
@@ -720,6 +856,7 @@
|
||||
@@ -720,6 +860,7 @@
|
||||
|
||||
miscfiles_read_localization(xserver_t)
|
||||
miscfiles_read_fonts(xserver_t)
|
||||
@ -23259,7 +23592,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
modutils_domtrans_insmod(xserver_t)
|
||||
|
||||
@@ -742,7 +879,7 @@
|
||||
@@ -742,7 +883,7 @@
|
||||
')
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
@ -23268,7 +23601,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
|
||||
')
|
||||
|
||||
@@ -774,6 +911,10 @@
|
||||
@@ -774,6 +915,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -23279,7 +23612,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
rhgb_getpgid(xserver_t)
|
||||
rhgb_signal(xserver_t)
|
||||
')
|
||||
@@ -806,7 +947,7 @@
|
||||
@@ -806,7 +951,7 @@
|
||||
allow xserver_t xdm_var_lib_t:file { getattr read };
|
||||
dontaudit xserver_t xdm_var_lib_t:dir search;
|
||||
|
||||
@ -23288,7 +23621,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# Label pid and temporary files with derived types.
|
||||
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||
@@ -827,9 +968,14 @@
|
||||
@@ -827,9 +972,14 @@
|
||||
# to read ROLE_home_t - examine this in more detail
|
||||
# (xauth?)
|
||||
userdom_read_user_home_content_files(xserver_t)
|
||||
@ -23303,7 +23636,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs(xserver_t)
|
||||
fs_manage_nfs_files(xserver_t)
|
||||
@@ -844,11 +990,14 @@
|
||||
@@ -844,11 +994,14 @@
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(xserver_t)
|
||||
@ -23319,7 +23652,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -856,6 +1005,11 @@
|
||||
@@ -856,6 +1009,11 @@
|
||||
rhgb_rw_tmpfs_files(xserver_t)
|
||||
')
|
||||
|
||||
@ -23331,7 +23664,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
########################################
|
||||
#
|
||||
# Rules common to all X window domains
|
||||
@@ -881,6 +1035,8 @@
|
||||
@@ -881,6 +1039,8 @@
|
||||
# X Server
|
||||
# can read server-owned resources
|
||||
allow x_domain xserver_t:x_resource read;
|
||||
@ -23340,7 +23673,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# can mess with own clients
|
||||
allow x_domain self:x_client { manage destroy };
|
||||
|
||||
@@ -905,6 +1061,8 @@
|
||||
@@ -905,6 +1065,8 @@
|
||||
# operations allowed on my windows
|
||||
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
||||
|
||||
@ -23349,7 +23682,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# X Colormaps
|
||||
# can use the default colormap
|
||||
allow x_domain rootwindow_t:x_colormap { read use add_color };
|
||||
@@ -972,17 +1130,51 @@
|
||||
@@ -972,17 +1134,51 @@
|
||||
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
|
||||
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
|
||||
|
||||
@ -23559,7 +23892,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.8/policy/modules/system/authlogin.if
|
||||
--- nsaserefpolicy/policy/modules/system/authlogin.if 2008-11-11 16:13:48.000000000 -0500
|
||||
+++ serefpolicy-3.6.8/policy/modules/system/authlogin.if 2009-03-07 12:11:40.000000000 -0500
|
||||
+++ serefpolicy-3.6.8/policy/modules/system/authlogin.if 2009-03-09 15:51:16.000000000 -0400
|
||||
@@ -43,20 +43,38 @@
|
||||
interface(`auth_login_pgm_domain',`
|
||||
gen_require(`
|
||||
@ -23607,7 +23940,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
init_rw_utmp($1)
|
||||
|
||||
@@ -100,9 +119,38 @@
|
||||
@@ -100,11 +119,40 @@
|
||||
seutil_read_config($1)
|
||||
seutil_read_default_contexts($1)
|
||||
|
||||
@ -23627,9 +23960,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ optional_policy(`
|
||||
+ oddjob_dbus_chat($1)
|
||||
+ oddjob_domtrans_mkhomedir($1)
|
||||
+ ')
|
||||
+ ')
|
||||
+
|
||||
')
|
||||
')
|
||||
|
||||
+ optional_policy(`
|
||||
+ corecmd_exec_bin($1)
|
||||
+ storage_getattr_fixed_disk_dev($1)
|
||||
@ -23638,16 +23971,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ nis_authenticate($1)
|
||||
')
|
||||
+ ')
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ ssh_agent_exec($1)
|
||||
+ userdom_read_user_home_content_files($1)
|
||||
+ ')
|
||||
+
|
||||
')
|
||||
|
||||
+')
|
||||
+
|
||||
########################################
|
||||
## <summary>
|
||||
## Use the login program as an entry point program.
|
||||
@@ -197,8 +245,11 @@
|
||||
interface(`auth_domtrans_chk_passwd',`
|
||||
gen_require(`
|
||||
@ -23780,15 +24115,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
nis_use_ypbind($1)
|
||||
')
|
||||
|
||||
@@ -1307,6 +1413,7 @@
|
||||
@@ -1305,8 +1411,13 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ sssd_stream_connect($1)
|
||||
+ ')
|
||||
+
|
||||
+ optional_policy(`
|
||||
samba_stream_connect_winbind($1)
|
||||
samba_read_var_files($1)
|
||||
+ samba_dontaudit_write_var_files($1)
|
||||
')
|
||||
')
|
||||
|
||||
@@ -1341,3 +1448,99 @@
|
||||
@@ -1341,3 +1452,99 @@
|
||||
typeattribute $1 can_write_shadow_passwords;
|
||||
typeattribute $1 can_relabelto_shadow_passwords;
|
||||
')
|
||||
@ -27942,7 +28283,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.8/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
|
||||
+++ serefpolicy-3.6.8/policy/modules/system/userdomain.if 2009-03-07 12:36:20.000000000 -0500
|
||||
+++ serefpolicy-3.6.8/policy/modules/system/userdomain.if 2009-03-09 16:06:34.000000000 -0400
|
||||
@@ -30,8 +30,9 @@
|
||||
')
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user