- Additional access for nsplugin
- Allow xdm setcap/getcap until pulseaudio is fixed
This commit is contained in:
parent
f70afcdd9e
commit
478aeeca6b
@ -1885,7 +1885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.t
|
|||||||
-')
|
-')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.3.1/policy/modules/admin/logrotate.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.3.1/policy/modules/admin/logrotate.te
|
||||||
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2008-02-19 23:24:26.000000000 +0100
|
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2008-02-19 23:24:26.000000000 +0100
|
||||||
+++ serefpolicy-3.3.1/policy/modules/admin/logrotate.te 2008-02-26 14:29:22.000000000 +0100
|
+++ serefpolicy-3.3.1/policy/modules/admin/logrotate.te 2008-03-28 10:55:06.000000000 +0100
|
||||||
@@ -96,9 +96,11 @@
|
@@ -96,9 +96,11 @@
|
||||||
files_read_etc_files(logrotate_t)
|
files_read_etc_files(logrotate_t)
|
||||||
files_read_etc_runtime_files(logrotate_t)
|
files_read_etc_runtime_files(logrotate_t)
|
||||||
@ -3042,7 +3042,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc
|
|||||||
/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
|
/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.3.1/policy/modules/apps/gnome.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.3.1/policy/modules/apps/gnome.if
|
||||||
--- nsaserefpolicy/policy/modules/apps/gnome.if 2007-07-23 16:20:12.000000000 +0200
|
--- nsaserefpolicy/policy/modules/apps/gnome.if 2007-07-23 16:20:12.000000000 +0200
|
||||||
+++ serefpolicy-3.3.1/policy/modules/apps/gnome.if 2008-02-26 14:29:22.000000000 +0100
|
+++ serefpolicy-3.3.1/policy/modules/apps/gnome.if 2008-03-27 23:42:35.000000000 +0100
|
||||||
@@ -33,9 +33,60 @@
|
@@ -33,9 +33,60 @@
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -4302,13 +4302,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te
|
|||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.3.1/policy/modules/apps/loadkeys.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.3.1/policy/modules/apps/loadkeys.te
|
||||||
--- nsaserefpolicy/policy/modules/apps/loadkeys.te 2007-12-19 11:32:09.000000000 +0100
|
--- nsaserefpolicy/policy/modules/apps/loadkeys.te 2007-12-19 11:32:09.000000000 +0100
|
||||||
+++ serefpolicy-3.3.1/policy/modules/apps/loadkeys.te 2008-02-26 14:29:22.000000000 +0100
|
+++ serefpolicy-3.3.1/policy/modules/apps/loadkeys.te 2008-03-28 21:10:09.000000000 +0100
|
||||||
@@ -44,3 +44,5 @@
|
@@ -44,3 +44,6 @@
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
nscd_dontaudit_search_pid(loadkeys_t)
|
nscd_dontaudit_search_pid(loadkeys_t)
|
||||||
')
|
')
|
||||||
+
|
+
|
||||||
+userdom_dontaudit_write_unpriv_user_home_content_files(loadkeys_t)
|
+userdom_dontaudit_write_unpriv_user_home_content_files(loadkeys_t)
|
||||||
|
+userdom_dontaudit_list_user_home_dirs(user, loadkeys_t)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.3.1/policy/modules/apps/mono.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.3.1/policy/modules/apps/mono.if
|
||||||
--- nsaserefpolicy/policy/modules/apps/mono.if 2007-01-02 18:57:22.000000000 +0100
|
--- nsaserefpolicy/policy/modules/apps/mono.if 2007-01-02 18:57:22.000000000 +0100
|
||||||
+++ serefpolicy-3.3.1/policy/modules/apps/mono.if 2008-03-03 14:24:51.000000000 +0100
|
+++ serefpolicy-3.3.1/policy/modules/apps/mono.if 2008-03-03 14:24:51.000000000 +0100
|
||||||
@ -5085,8 +5086,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.
|
|||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.3.1/policy/modules/apps/nsplugin.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.3.1/policy/modules/apps/nsplugin.fc
|
||||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1970-01-01 01:00:00.000000000 +0100
|
--- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1970-01-01 01:00:00.000000000 +0100
|
||||||
+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.fc 2008-03-25 22:48:09.000000000 +0100
|
+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.fc 2008-03-27 23:41:57.000000000 +0100
|
||||||
@@ -0,0 +1,8 @@
|
@@ -0,0 +1,9 @@
|
||||||
+
|
+
|
||||||
+/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
|
+/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
|
||||||
+/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0)
|
+/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0)
|
||||||
@ -5095,10 +5096,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
|||||||
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:user_nsplugin_home_t,s0)
|
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:user_nsplugin_home_t,s0)
|
||||||
+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:user_nsplugin_home_t,s0)
|
+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:user_nsplugin_home_t,s0)
|
||||||
+HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:user_nsplugin_home_t,s0)
|
+HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:user_nsplugin_home_t,s0)
|
||||||
|
+HOME_DIR/\.local.* gen_context(system_u:object_r:user_nsplugin_home_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.3.1/policy/modules/apps/nsplugin.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.3.1/policy/modules/apps/nsplugin.if
|
||||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1970-01-01 01:00:00.000000000 +0100
|
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1970-01-01 01:00:00.000000000 +0100
|
||||||
+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if 2008-03-25 06:36:27.000000000 +0100
|
+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if 2008-03-28 08:16:42.000000000 +0100
|
||||||
@@ -0,0 +1,352 @@
|
@@ -0,0 +1,351 @@
|
||||||
+
|
+
|
||||||
+## <summary>policy for nsplugin</summary>
|
+## <summary>policy for nsplugin</summary>
|
||||||
+
|
+
|
||||||
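Review bot: The new file context `HOME_DIR/\.local.* gen_context(system_u:object_r:user_nsplugin_home_t,s0)` labels the whole of `~/.local` — and any sibling dotfile whose name merely starts with `.local`, since the unescaped `.` matches any character — as plugin home content, and the nsplugin.te hunk later in this patch grants nsplugin_t manage rights over user_nsplugin_home_t, so a compromised plugin gains write access to everything a user keeps there. If the plugin only needs one subdirectory, scope the pattern to it; at minimum anchor it as `HOME_DIR/\.local(/.*)?` and add a comment naming which plugin requires it. The nsplugin.if file header that follows belongs to the same outer hunk and is unaffected.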
@ -5273,7 +5275,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
|||||||
+ dontaudit nsplugin_t $2:process ptrace;
|
+ dontaudit nsplugin_t $2:process ptrace;
|
||||||
+
|
+
|
||||||
+ allow nsplugin_t $1_tmpfs_t:file { read getattr };
|
+ allow nsplugin_t $1_tmpfs_t:file { read getattr };
|
||||||
+
|
|
||||||
+ allow $2 nsplugin_t:process { getattr ptrace signal_perms };
|
+ allow $2 nsplugin_t:process { getattr ptrace signal_perms };
|
||||||
+ allow $2 nsplugin_t:unix_stream_socket connectto;
|
+ allow $2 nsplugin_t:unix_stream_socket connectto;
|
||||||
+
|
+
|
||||||
@ -5453,8 +5454,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te
|
||||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1970-01-01 01:00:00.000000000 +0100
|
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1970-01-01 01:00:00.000000000 +0100
|
||||||
+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-03-14 16:50:19.000000000 +0100
|
+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-03-28 09:20:56.000000000 +0100
|
||||||
@@ -0,0 +1,176 @@
|
@@ -0,0 +1,179 @@
|
||||||
+
|
+
|
||||||
+policy_module(nsplugin,1.0.0)
|
+policy_module(nsplugin,1.0.0)
|
||||||
+
|
+
|
||||||
@ -5508,9 +5509,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+manage_dirs_pattern(nsplugin_t, user_nsplugin_home_t, user_nsplugin_home_t)
|
+manage_dirs_pattern(nsplugin_t, user_nsplugin_home_t, user_nsplugin_home_t)
|
||||||
|
+exec_files_pattern(nsplugin_t, user_nsplugin_home_t, user_nsplugin_home_t)
|
||||||
+manage_files_pattern(nsplugin_t, user_nsplugin_home_t, user_nsplugin_home_t)
|
+manage_files_pattern(nsplugin_t, user_nsplugin_home_t, user_nsplugin_home_t)
|
||||||
+manage_lnk_files_pattern(nsplugin_t, user_nsplugin_home_t, user_nsplugin_home_t)
|
+manage_lnk_files_pattern(nsplugin_t, user_nsplugin_home_t, user_nsplugin_home_t)
|
||||||
+userdom_user_home_dir_filetrans(user, nsplugin_t, user_nsplugin_home_t, {file dir})
|
+userdom_user_home_dir_filetrans(user, nsplugin_t, user_nsplugin_home_t, {file dir})
|
||||||
|
+userdom_dontaudit_write_user_home_content_files(user, nsplugin_t)
|
||||||
+
|
+
|
||||||
+corecmd_exec_bin(nsplugin_t)
|
+corecmd_exec_bin(nsplugin_t)
|
||||||
+corecmd_exec_shell(nsplugin_t)
|
+corecmd_exec_shell(nsplugin_t)
|
||||||
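Review bot: The added `exec_files_pattern(nsplugin_t, user_nsplugin_home_t, user_nsplugin_home_t)` lets nsplugin_t execute files of a type it can also create and write (the manage_files_pattern rule just below it), so the plugin domain has no write-xor-execute separation left: anything dropped into `~/.adobe`, `~/.macromedia` or the other user_nsplugin_home_t paths can be run directly in nsplugin_t. If executing plugin-installed binaries is genuinely required, a separate executable type for those files, or a tunable defaulting to off, would keep the writable data from being executable, and a comment should record which plugin needs it, e.g. `# NOTE(review): which plugin executes from its home dir? prefer a dedicated exec type`. The remaining nsplugin_t rules continue outside this hunk.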
@ -5575,6 +5578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
|||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ gnome_exec_gconf(nsplugin_t)
|
+ gnome_exec_gconf(nsplugin_t)
|
||||||
|
+ gnome_manage_user_gnome_config(user, nsplugin_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
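Review bot: `gnome_manage_user_gnome_config(user, nsplugin_t)` gives the browser-plugin domain create, write and delete rights over the user's GNOME configuration, considerably more than the gconf execution permission already in this optional block; if the plugin only reads settings, a read-only interface would be the least-privilege choice. Whatever is granted, a one-line comment naming the plugin and the access it was observed needing, e.g. `# NOTE(review): which plugin needs write access to gconf? confirm and narrow`, would tell a later maintainer when it can be tightened. The surrounding optional_policy blocks continue outside the hunk.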
@ -12462,7 +12466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
|||||||
/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
|
/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.3.1/policy/modules/services/dbus.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.3.1/policy/modules/services/dbus.if
|
||||||
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 17:02:50.000000000 +0100
|
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 17:02:50.000000000 +0100
|
||||||
+++ serefpolicy-3.3.1/policy/modules/services/dbus.if 2008-03-04 16:11:49.000000000 +0100
|
+++ serefpolicy-3.3.1/policy/modules/services/dbus.if 2008-03-27 23:55:52.000000000 +0100
|
||||||
@@ -53,6 +53,7 @@
|
@@ -53,6 +53,7 @@
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
|
type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
|
||||||
@ -12615,7 +12619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -292,6 +307,59 @@
|
@@ -292,6 +307,55 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -12634,10 +12638,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
|||||||
+## </param>
|
+## </param>
|
||||||
+#
|
+#
|
||||||
+template(`dbus_connectto_user_bus',`
|
+template(`dbus_connectto_user_bus',`
|
||||||
+ gen_require(`
|
|
||||||
+ type $1_dbusd_t;
|
|
||||||
+ ')
|
|
||||||
+
|
|
||||||
+ allow $2 $1_dbusd_t:unix_stream_socket connectto;
|
+ allow $2 $1_dbusd_t:unix_stream_socket connectto;
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
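Review bot: `dbus_connectto_user_bus` now references `$1_dbusd_t` without the `gen_require` block the previous version had, so the template can only be expanded in a module where `$1_dbusd_t` is already declared; used from any other module it will fail to build with an undeclared type. The template's header comment should state that restriction, e.g. `## <desc>Only usable from the module that declares $1_dbusd_t (no gen_require).</desc>`; presumably it is now invoked from the per-role dbus template in the same module, but that caller is not visible here. The template's `<param>` documentation starts before this hunk.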
@ -12675,7 +12675,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
|||||||
## Read dbus configuration.
|
## Read dbus configuration.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -366,3 +434,55 @@
|
@@ -366,3 +430,55 @@
|
||||||
|
|
||||||
allow $1 system_dbusd_t:dbus *;
|
allow $1 system_dbusd_t:dbus *;
|
||||||
')
|
')
|
||||||
@ -14741,7 +14741,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom
|
|||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.3.1/policy/modules/services/hal.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.3.1/policy/modules/services/hal.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/hal.fc 2007-11-14 14:17:58.000000000 +0100
|
--- nsaserefpolicy/policy/modules/services/hal.fc 2007-11-14 14:17:58.000000000 +0100
|
||||||
+++ serefpolicy-3.3.1/policy/modules/services/hal.fc 2008-03-21 23:49:34.000000000 +0100
|
+++ serefpolicy-3.3.1/policy/modules/services/hal.fc 2008-03-28 10:45:08.000000000 +0100
|
||||||
@@ -8,6 +8,7 @@
|
@@ -8,6 +8,7 @@
|
||||||
/usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0)
|
/usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0)
|
||||||
/usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
|
/usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
|
||||||
@ -14813,7 +14813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.3.1/policy/modules/services/hal.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.3.1/policy/modules/services/hal.te
|
||||||
--- nsaserefpolicy/policy/modules/services/hal.te 2007-12-19 11:32:17.000000000 +0100
|
--- nsaserefpolicy/policy/modules/services/hal.te 2007-12-19 11:32:17.000000000 +0100
|
||||||
+++ serefpolicy-3.3.1/policy/modules/services/hal.te 2008-03-21 23:50:19.000000000 +0100
|
+++ serefpolicy-3.3.1/policy/modules/services/hal.te 2008-03-28 08:16:08.000000000 +0100
|
||||||
@@ -49,6 +49,9 @@
|
@@ -49,6 +49,9 @@
|
||||||
type hald_var_lib_t;
|
type hald_var_lib_t;
|
||||||
files_type(hald_var_lib_t)
|
files_type(hald_var_lib_t)
|
||||||
@ -14852,7 +14852,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
|||||||
|
|
||||||
auth_read_pam_console_data(hald_t)
|
auth_read_pam_console_data(hald_t)
|
||||||
|
|
||||||
@@ -155,6 +160,8 @@
|
@@ -121,6 +126,7 @@
|
||||||
|
dev_rw_power_management(hald_t)
|
||||||
|
# hal is now execing pm-suspend
|
||||||
|
dev_rw_sysfs(hald_t)
|
||||||
|
+dev_read_video_dev(hald_t)
|
||||||
|
|
||||||
|
domain_use_interactive_fds(hald_t)
|
||||||
|
domain_read_all_domains_state(hald_t)
|
||||||
|
@@ -155,6 +161,8 @@
|
||||||
selinux_compute_relabel_context(hald_t)
|
selinux_compute_relabel_context(hald_t)
|
||||||
selinux_compute_user_contexts(hald_t)
|
selinux_compute_user_contexts(hald_t)
|
||||||
|
|
||||||
@ -14861,7 +14869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
|||||||
storage_raw_read_removable_device(hald_t)
|
storage_raw_read_removable_device(hald_t)
|
||||||
storage_raw_write_removable_device(hald_t)
|
storage_raw_write_removable_device(hald_t)
|
||||||
storage_raw_read_fixed_disk(hald_t)
|
storage_raw_read_fixed_disk(hald_t)
|
||||||
@@ -172,6 +179,8 @@
|
@@ -172,6 +180,8 @@
|
||||||
init_rw_utmp(hald_t)
|
init_rw_utmp(hald_t)
|
||||||
init_telinit(hald_t)
|
init_telinit(hald_t)
|
||||||
|
|
||||||
@ -14870,7 +14878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
|||||||
libs_use_ld_so(hald_t)
|
libs_use_ld_so(hald_t)
|
||||||
libs_use_shared_libs(hald_t)
|
libs_use_shared_libs(hald_t)
|
||||||
libs_exec_ld_so(hald_t)
|
libs_exec_ld_so(hald_t)
|
||||||
@@ -244,6 +253,10 @@
|
@@ -244,6 +254,10 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -14881,7 +14889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
|||||||
hotplug_read_config(hald_t)
|
hotplug_read_config(hald_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -265,6 +278,11 @@
|
@@ -265,6 +279,11 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -14893,7 +14901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
|||||||
rpc_search_nfs_state_data(hald_t)
|
rpc_search_nfs_state_data(hald_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -291,7 +309,8 @@
|
@@ -291,7 +310,8 @@
|
||||||
#
|
#
|
||||||
|
|
||||||
allow hald_acl_t self:capability { dac_override fowner };
|
allow hald_acl_t self:capability { dac_override fowner };
|
||||||
@ -14903,7 +14911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
|||||||
|
|
||||||
domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
|
domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
|
||||||
allow hald_t hald_acl_t:process signal;
|
allow hald_t hald_acl_t:process signal;
|
||||||
@@ -301,9 +320,14 @@
|
@@ -301,9 +321,14 @@
|
||||||
manage_files_pattern(hald_acl_t,hald_var_lib_t,hald_var_lib_t)
|
manage_files_pattern(hald_acl_t,hald_var_lib_t,hald_var_lib_t)
|
||||||
files_search_var_lib(hald_acl_t)
|
files_search_var_lib(hald_acl_t)
|
||||||
|
|
||||||
@ -14918,7 +14926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
|||||||
dev_getattr_generic_usb_dev(hald_acl_t)
|
dev_getattr_generic_usb_dev(hald_acl_t)
|
||||||
dev_getattr_video_dev(hald_acl_t)
|
dev_getattr_video_dev(hald_acl_t)
|
||||||
dev_setattr_video_dev(hald_acl_t)
|
dev_setattr_video_dev(hald_acl_t)
|
||||||
@@ -325,6 +349,11 @@
|
@@ -325,6 +350,11 @@
|
||||||
|
|
||||||
miscfiles_read_localization(hald_acl_t)
|
miscfiles_read_localization(hald_acl_t)
|
||||||
|
|
||||||
@ -14930,7 +14938,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Local hald mac policy
|
# Local hald mac policy
|
||||||
@@ -338,10 +367,14 @@
|
@@ -338,10 +368,14 @@
|
||||||
manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t)
|
manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t)
|
||||||
files_search_var_lib(hald_mac_t)
|
files_search_var_lib(hald_mac_t)
|
||||||
|
|
||||||
@ -14945,7 +14953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
|||||||
libs_use_ld_so(hald_mac_t)
|
libs_use_ld_so(hald_mac_t)
|
||||||
libs_use_shared_libs(hald_mac_t)
|
libs_use_shared_libs(hald_mac_t)
|
||||||
|
|
||||||
@@ -391,3 +424,7 @@
|
@@ -391,3 +425,7 @@
|
||||||
libs_use_shared_libs(hald_keymap_t)
|
libs_use_shared_libs(hald_keymap_t)
|
||||||
|
|
||||||
miscfiles_read_localization(hald_keymap_t)
|
miscfiles_read_localization(hald_keymap_t)
|
||||||
@ -16432,7 +16440,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
|
|||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.3.1/policy/modules/services/munin.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.3.1/policy/modules/services/munin.te
|
||||||
--- nsaserefpolicy/policy/modules/services/munin.te 2007-12-19 11:32:17.000000000 +0100
|
--- nsaserefpolicy/policy/modules/services/munin.te 2007-12-19 11:32:17.000000000 +0100
|
||||||
+++ serefpolicy-3.3.1/policy/modules/services/munin.te 2008-03-17 16:21:36.000000000 +0100
|
+++ serefpolicy-3.3.1/policy/modules/services/munin.te 2008-03-28 11:44:38.000000000 +0100
|
||||||
@@ -25,26 +25,33 @@
|
@@ -25,26 +25,33 @@
|
||||||
type munin_var_run_t alias lrrd_var_run_t;
|
type munin_var_run_t alias lrrd_var_run_t;
|
||||||
files_pid_file(munin_var_run_t)
|
files_pid_file(munin_var_run_t)
|
||||||
@ -16521,7 +16529,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
|
|||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fds(munin_t)
|
userdom_dontaudit_use_unpriv_user_fds(munin_t)
|
||||||
userdom_dontaudit_search_sysadm_home_dirs(munin_t)
|
userdom_dontaudit_search_sysadm_home_dirs(munin_t)
|
||||||
@@ -108,7 +126,20 @@
|
@@ -108,7 +126,21 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -16531,6 +16539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
|
|||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ mta_read_config(munin_t)
|
+ mta_read_config(munin_t)
|
||||||
|
+ mta_send_mail(munin_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
@ -16543,7 +16552,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -118,3 +149,9 @@
|
@@ -118,3 +150,9 @@
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
udev_read_db(munin_t)
|
udev_read_db(munin_t)
|
||||||
')
|
')
|
||||||
@ -25374,7 +25383,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 11:32:17.000000000 +0100
|
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 11:32:17.000000000 +0100
|
||||||
+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-03-25 08:25:28.000000000 +0100
|
+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-03-28 22:07:37.000000000 +0100
|
||||||
@@ -8,6 +8,14 @@
|
@@ -8,6 +8,14 @@
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
@ -25447,7 +25456,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
type iceauth_exec_t;
|
type iceauth_exec_t;
|
||||||
-application_executable_file(iceauth_exec_t)
|
-application_executable_file(iceauth_exec_t)
|
||||||
+application_domain(iceauth_t,iceauth_exec_t)
|
+application_domain(iceauth_t,iceauth_exec_t)
|
||||||
|
+
|
||||||
+type input_xevent_t, xevent_type;
|
+type input_xevent_t, xevent_type;
|
||||||
+type manage_xevent_t, xevent_type;
|
+type manage_xevent_t, xevent_type;
|
||||||
+type output_xext_t, xextension_type;
|
+type output_xext_t, xextension_type;
|
||||||
@ -25463,7 +25472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
+type x_rootcolormap_t;
|
+type x_rootcolormap_t;
|
||||||
+type x_rootscreen_t;
|
+type x_rootscreen_t;
|
||||||
+type x_rootwindow_t;
|
+type x_rootwindow_t;
|
||||||
+
|
|
||||||
+type xauth_t;
|
+type xauth_t;
|
||||||
type xauth_exec_t;
|
type xauth_exec_t;
|
||||||
-application_executable_file(xauth_exec_t)
|
-application_executable_file(xauth_exec_t)
|
||||||
@ -25529,13 +25538,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
prelink_object_file(xkb_var_lib_t)
|
prelink_object_file(xkb_var_lib_t)
|
||||||
')
|
')
|
||||||
@@ -95,8 +196,11 @@
|
@@ -95,8 +196,13 @@
|
||||||
# XDM Local policy
|
# XDM Local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
|
-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
|
||||||
-allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
|
-allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
|
||||||
+allow xdm_t self:capability { setgid setuid sys_ptrace sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
|
+allow xdm_t self:capability { setgid setuid sys_ptrace sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
|
||||||
|
+allow xdm_t self:capability { getcap setcap };
|
||||||
|
+
|
||||||
+dontaudit xdm_t self:capability sys_admin;
|
+dontaudit xdm_t self:capability sys_admin;
|
||||||
+
|
+
|
||||||
+allow xdm_t self:process { getattr setexec setpgid getsched ptrace setsched setrlimit signal_perms };
|
+allow xdm_t self:process { getattr setexec setpgid getsched ptrace setsched setrlimit signal_perms };
|
||||||
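Review bot: `allow xdm_t self:capability { getcap setcap };` looks like it uses the wrong object class: `getcap`/`setcap` are permissions of the `process` class (capget/capset on a process), while the `capability` class has `setpcap` instead, so unless this policy's access vectors differ from upstream the rule will not compile. If the intent is to let xdm call capset, fold them into the process rule two lines below, `allow xdm_t self:process { getattr setexec setpgid getsched ptrace setsched setrlimit signal_perms getcap setcap };`, and since the commit message calls this a stop-gap until pulseaudio is fixed, mark it `# Temporary: pulseaudio started by xdm calls capset(); remove once pulseaudio is fixed` so it does not become permanent. It is also worth checking whether pulseaudio keeps working when the call is denied, in which case a `dontaudit` (the pattern already used for sys_admin here) would be the least-privilege form; the same hunk adds `sys_ptrace` and `process ptrace` to xdm_t with no comment on which component needs them. The xdm local policy continues outside this hunk.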
@ -25543,7 +25554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
allow xdm_t self:fifo_file rw_fifo_file_perms;
|
allow xdm_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow xdm_t self:shm create_shm_perms;
|
allow xdm_t self:shm create_shm_perms;
|
||||||
allow xdm_t self:sem create_sem_perms;
|
allow xdm_t self:sem create_sem_perms;
|
||||||
@@ -109,6 +213,8 @@
|
@@ -109,6 +215,8 @@
|
||||||
allow xdm_t self:key { search link write };
|
allow xdm_t self:key { search link write };
|
||||||
|
|
||||||
allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
|
allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
|
||||||
@ -25552,7 +25563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
# Allow gdm to run gdm-binary
|
# Allow gdm to run gdm-binary
|
||||||
can_exec(xdm_t, xdm_exec_t)
|
can_exec(xdm_t, xdm_exec_t)
|
||||||
@@ -131,15 +237,22 @@
|
@@ -131,15 +239,22 @@
|
||||||
manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
|
manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
|
||||||
manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
|
manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
|
||||||
fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||||
@ -25576,7 +25587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
allow xdm_t xdm_xserver_t:process signal;
|
allow xdm_t xdm_xserver_t:process signal;
|
||||||
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
|
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
|
||||||
@@ -153,6 +266,7 @@
|
@@ -153,6 +268,7 @@
|
||||||
allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
|
allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
|
||||||
|
|
||||||
allow xdm_t xdm_xserver_t:shm rw_shm_perms;
|
allow xdm_t xdm_xserver_t:shm rw_shm_perms;
|
||||||
@ -25584,7 +25595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
# connect to xdm xserver over stream socket
|
# connect to xdm xserver over stream socket
|
||||||
stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
|
stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
|
||||||
@@ -173,6 +287,8 @@
|
@@ -173,6 +289,8 @@
|
||||||
|
|
||||||
corecmd_exec_shell(xdm_t)
|
corecmd_exec_shell(xdm_t)
|
||||||
corecmd_exec_bin(xdm_t)
|
corecmd_exec_bin(xdm_t)
|
||||||
@ -25593,7 +25604,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
corenet_all_recvfrom_unlabeled(xdm_t)
|
corenet_all_recvfrom_unlabeled(xdm_t)
|
||||||
corenet_all_recvfrom_netlabel(xdm_t)
|
corenet_all_recvfrom_netlabel(xdm_t)
|
||||||
@@ -184,6 +300,7 @@
|
@@ -184,6 +302,7 @@
|
||||||
corenet_udp_sendrecv_all_ports(xdm_t)
|
corenet_udp_sendrecv_all_ports(xdm_t)
|
||||||
corenet_tcp_bind_all_nodes(xdm_t)
|
corenet_tcp_bind_all_nodes(xdm_t)
|
||||||
corenet_udp_bind_all_nodes(xdm_t)
|
corenet_udp_bind_all_nodes(xdm_t)
|
||||||
@ -25601,7 +25612,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
corenet_tcp_connect_all_ports(xdm_t)
|
corenet_tcp_connect_all_ports(xdm_t)
|
||||||
corenet_sendrecv_all_client_packets(xdm_t)
|
corenet_sendrecv_all_client_packets(xdm_t)
|
||||||
# xdm tries to bind to biff_port_t
|
# xdm tries to bind to biff_port_t
|
||||||
@@ -196,6 +313,7 @@
|
@@ -196,6 +315,7 @@
|
||||||
dev_getattr_mouse_dev(xdm_t)
|
dev_getattr_mouse_dev(xdm_t)
|
||||||
dev_setattr_mouse_dev(xdm_t)
|
dev_setattr_mouse_dev(xdm_t)
|
||||||
dev_rw_apm_bios(xdm_t)
|
dev_rw_apm_bios(xdm_t)
|
||||||
@ -25609,7 +25620,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
dev_setattr_apm_bios_dev(xdm_t)
|
dev_setattr_apm_bios_dev(xdm_t)
|
||||||
dev_rw_dri(xdm_t)
|
dev_rw_dri(xdm_t)
|
||||||
dev_rw_agp(xdm_t)
|
dev_rw_agp(xdm_t)
|
||||||
@@ -208,8 +326,8 @@
|
@@ -208,8 +328,8 @@
|
||||||
dev_setattr_video_dev(xdm_t)
|
dev_setattr_video_dev(xdm_t)
|
||||||
dev_getattr_scanner_dev(xdm_t)
|
dev_getattr_scanner_dev(xdm_t)
|
||||||
dev_setattr_scanner_dev(xdm_t)
|
dev_setattr_scanner_dev(xdm_t)
|
||||||
@ -25620,7 +25631,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
dev_getattr_power_mgmt_dev(xdm_t)
|
dev_getattr_power_mgmt_dev(xdm_t)
|
||||||
dev_setattr_power_mgmt_dev(xdm_t)
|
dev_setattr_power_mgmt_dev(xdm_t)
|
||||||
|
|
||||||
@@ -226,9 +344,12 @@
|
@@ -226,9 +346,12 @@
|
||||||
files_read_usr_files(xdm_t)
|
files_read_usr_files(xdm_t)
|
||||||
# Poweroff wants to create the /poweroff file when run from xdm
|
# Poweroff wants to create the /poweroff file when run from xdm
|
||||||
files_create_boot_flag(xdm_t)
|
files_create_boot_flag(xdm_t)
|
||||||
@ -25633,7 +25644,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
storage_dontaudit_read_fixed_disk(xdm_t)
|
storage_dontaudit_read_fixed_disk(xdm_t)
|
||||||
storage_dontaudit_write_fixed_disk(xdm_t)
|
storage_dontaudit_write_fixed_disk(xdm_t)
|
||||||
@@ -237,6 +358,7 @@
|
@@ -237,6 +360,7 @@
|
||||||
storage_dontaudit_raw_write_removable_device(xdm_t)
|
storage_dontaudit_raw_write_removable_device(xdm_t)
|
||||||
storage_dontaudit_setattr_removable_dev(xdm_t)
|
storage_dontaudit_setattr_removable_dev(xdm_t)
|
||||||
storage_dontaudit_rw_scsi_generic(xdm_t)
|
storage_dontaudit_rw_scsi_generic(xdm_t)
|
||||||
@ -25641,7 +25652,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
term_setattr_console(xdm_t)
|
term_setattr_console(xdm_t)
|
||||||
term_use_unallocated_ttys(xdm_t)
|
term_use_unallocated_ttys(xdm_t)
|
||||||
@@ -245,6 +367,7 @@
|
@@ -245,6 +369,7 @@
|
||||||
auth_domtrans_pam_console(xdm_t)
|
auth_domtrans_pam_console(xdm_t)
|
||||||
auth_manage_pam_pid(xdm_t)
|
auth_manage_pam_pid(xdm_t)
|
||||||
auth_manage_pam_console_data(xdm_t)
|
auth_manage_pam_console_data(xdm_t)
|
||||||
@ -25649,7 +25660,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
auth_rw_faillog(xdm_t)
|
auth_rw_faillog(xdm_t)
|
||||||
auth_write_login_records(xdm_t)
|
auth_write_login_records(xdm_t)
|
||||||
|
|
||||||
@@ -256,12 +379,11 @@
|
@@ -256,12 +381,11 @@
|
||||||
libs_exec_lib_files(xdm_t)
|
libs_exec_lib_files(xdm_t)
|
||||||
|
|
||||||
logging_read_generic_logs(xdm_t)
|
logging_read_generic_logs(xdm_t)
|
||||||
@ -25663,7 +25674,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
|
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
|
||||||
userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
|
userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
|
||||||
userdom_create_all_users_keys(xdm_t)
|
userdom_create_all_users_keys(xdm_t)
|
||||||
@@ -270,8 +392,13 @@
|
@@ -270,8 +394,13 @@
|
||||||
# Search /proc for any user domain processes.
|
# Search /proc for any user domain processes.
|
||||||
userdom_read_all_users_state(xdm_t)
|
userdom_read_all_users_state(xdm_t)
|
||||||
userdom_signal_all_users(xdm_t)
|
userdom_signal_all_users(xdm_t)
|
||||||
@ -25677,7 +25688,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
tunable_policy(`use_nfs_home_dirs',`
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
fs_manage_nfs_dirs(xdm_t)
|
fs_manage_nfs_dirs(xdm_t)
|
||||||
@@ -301,10 +428,15 @@
|
@@ -301,10 +430,15 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
alsa_domtrans(xdm_t)
|
alsa_domtrans(xdm_t)
|
||||||
@ -25694,7 +25705,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -312,6 +444,23 @@
|
@@ -312,6 +446,23 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -25718,7 +25729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
# Talk to the console mouse server.
|
# Talk to the console mouse server.
|
||||||
gpm_stream_connect(xdm_t)
|
gpm_stream_connect(xdm_t)
|
||||||
gpm_setattr_gpmctl(xdm_t)
|
gpm_setattr_gpmctl(xdm_t)
|
||||||
@@ -322,6 +471,10 @@
|
@@ -322,6 +473,10 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -25729,7 +25740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
loadkeys_exec(xdm_t)
|
loadkeys_exec(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -335,6 +488,11 @@
|
@@ -335,6 +490,11 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -25741,7 +25752,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
seutil_sigchld_newrole(xdm_t)
|
seutil_sigchld_newrole(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -343,8 +501,8 @@
|
@@ -343,8 +503,8 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -25751,7 +25762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
ifndef(`distro_redhat',`
|
ifndef(`distro_redhat',`
|
||||||
allow xdm_t self:process { execheap execmem };
|
allow xdm_t self:process { execheap execmem };
|
||||||
@@ -380,7 +538,7 @@
|
@@ -380,7 +540,7 @@
|
||||||
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
|
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
|
||||||
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
|
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
|
||||||
|
|
||||||
@ -25760,7 +25771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
# Label pid and temporary files with derived types.
|
# Label pid and temporary files with derived types.
|
||||||
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
|
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
|
||||||
@@ -392,6 +550,15 @@
|
@@ -392,6 +552,15 @@
|
||||||
can_exec(xdm_xserver_t, xkb_var_lib_t)
|
can_exec(xdm_xserver_t, xkb_var_lib_t)
|
||||||
files_search_var_lib(xdm_xserver_t)
|
files_search_var_lib(xdm_xserver_t)
|
||||||
|
|
||||||
@ -25776,7 +25787,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
# VNC v4 module in X server
|
# VNC v4 module in X server
|
||||||
corenet_tcp_bind_vnc_port(xdm_xserver_t)
|
corenet_tcp_bind_vnc_port(xdm_xserver_t)
|
||||||
|
|
||||||
@@ -404,9 +571,17 @@
|
@@ -404,9 +573,17 @@
|
||||||
# to read ROLE_home_t - examine this in more detail
|
# to read ROLE_home_t - examine this in more detail
|
||||||
# (xauth?)
|
# (xauth?)
|
||||||
userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
|
userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
|
||||||
@ -25794,7 +25805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
tunable_policy(`use_nfs_home_dirs',`
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
fs_manage_nfs_dirs(xdm_xserver_t)
|
fs_manage_nfs_dirs(xdm_xserver_t)
|
||||||
fs_manage_nfs_files(xdm_xserver_t)
|
fs_manage_nfs_files(xdm_xserver_t)
|
||||||
@@ -420,6 +595,22 @@
|
@@ -420,6 +597,22 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -25817,7 +25828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
resmgr_stream_connect(xdm_t)
|
resmgr_stream_connect(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -429,47 +620,139 @@
|
@@ -429,47 +622,139 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -29507,7 +29518,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.3.1/policy/modules/system/sysnetwork.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.3.1/policy/modules/system/sysnetwork.te
|
||||||
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-02-06 16:33:22.000000000 +0100
|
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-02-06 16:33:22.000000000 +0100
|
||||||
+++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.te 2008-03-25 06:46:13.000000000 +0100
|
+++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.te 2008-03-28 13:41:55.000000000 +0100
|
||||||
@@ -45,7 +45,7 @@
|
@@ -45,7 +45,7 @@
|
||||||
dontaudit dhcpc_t self:capability sys_tty_config;
|
dontaudit dhcpc_t self:capability sys_tty_config;
|
||||||
# for access("/etc/bashrc", X_OK) on Red Hat
|
# for access("/etc/bashrc", X_OK) on Red Hat
|
||||||
@ -30353,7 +30364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
|
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
|
||||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 15:52:56.000000000 +0100
|
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 15:52:56.000000000 +0100
|
||||||
+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-03-25 08:52:58.000000000 +0100
|
+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-03-27 23:47:44.000000000 +0100
|
||||||
@@ -29,9 +29,14 @@
|
@@ -29,9 +29,14 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
|