- Eliminate mount_ntfs_t policy, merge into mount_t
This commit is contained in:
parent
07351eb493
commit
47a35fa722
@ -2233,7 +2233,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.4/policy/modules/kernel/corecommands.fc
|
||||
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-07-03 07:05:38.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/kernel/corecommands.fc 2007-07-25 13:27:51.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/kernel/corecommands.fc 2007-07-31 13:41:19.000000000 -0400
|
||||
@@ -36,6 +36,11 @@
|
||||
/etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@ -2246,7 +2246,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
|
||||
/etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/hotplug/.*rc -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -217,6 +222,7 @@
|
||||
@@ -127,7 +132,10 @@
|
||||
/usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/cups/cgi-bin/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
-/usr/lib(64)?/cups/filter/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
+/usr/lib(64)?/cups/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
+/usr/lib(64)?/cups/backend(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
+/usr/lib(64)?/cups/daemon(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
+
|
||||
/usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -160,6 +168,7 @@
|
||||
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
+/usr/local/Brother/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
|
||||
@@ -217,6 +226,7 @@
|
||||
/usr/share/system-config-network/neat-control\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/system-config-nfs/nfs-export\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/system-config-nfs/system-config-nfs\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@ -2317,8 +2337,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
|
||||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.4/policy/modules/kernel/devices.fc
|
||||
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-06-15 14:54:30.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/kernel/devices.fc 2007-07-25 13:27:51.000000000 -0400
|
||||
@@ -53,7 +53,7 @@
|
||||
+++ serefpolicy-3.0.4/policy/modules/kernel/devices.fc 2007-07-31 13:38:24.000000000 -0400
|
||||
@@ -19,6 +19,7 @@
|
||||
/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
|
||||
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
|
||||
/dev/full -c gen_context(system_u:object_r:null_device_t,s0)
|
||||
+/dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0)
|
||||
/dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0)
|
||||
/dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0)
|
||||
/dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0)
|
||||
@@ -53,7 +54,7 @@
|
||||
/dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
|
||||
/dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0)
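Review bot: The new devices.fc entry `/dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0)` matches every character device whose name starts with a digit, not only the node it is presumably meant for, so any future driver that creates a digit-named node will silently be labeled usb_device_t and inherit whatever the usb_device_t rules grant. A comment above the line naming the target device, e.g. `# <device/driver — TODO confirm> creates digit-named char nodes`, or a tighter pattern if the names are known, would make the intent reviewable. The rest of the devices.fc hunks in this patch are unaffected.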
|
||||
@ -2327,7 +2355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
|
||||
/dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
/dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
/dev/smpte.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
@@ -65,6 +65,7 @@
|
||||
@@ -65,6 +66,7 @@
|
||||
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
|
||||
/dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0)
|
||||
@ -2335,7 +2363,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
|
||||
/dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
|
||||
ifdef(`distro_suse', `
|
||||
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
|
||||
@@ -127,3 +128,7 @@
|
||||
@@ -127,3 +129,7 @@
|
||||
/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
|
||||
/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
|
||||
')
|
||||
@ -2656,6 +2684,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
|
||||
+ allow $1 root_t:dir rw_dir_perms;
|
||||
+ allow $1 root_t:file { create getattr write };
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.0.4/policy/modules/kernel/files.te
|
||||
--- nsaserefpolicy/policy/modules/kernel/files.te 2007-07-25 10:37:36.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/kernel/files.te 2007-07-31 13:52:33.000000000 -0400
|
||||
@@ -55,6 +55,7 @@
|
||||
# compatibility aliases for removed types:
|
||||
typealias etc_t alias automount_etc_t;
|
||||
typealias etc_t alias snmpd_etc_t;
|
||||
+typealias etc_t alias gconf_etc_t;
|
||||
|
||||
#
|
||||
# etc_runtime_t is the type of various
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.4/policy/modules/kernel/filesystem.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-07-03 07:05:38.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/kernel/filesystem.if 2007-07-30 10:20:15.000000000 -0400
|
||||
@ -3708,8 +3747,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-3.0.4/policy/modules/services/apcupsd.fc
|
||||
--- nsaserefpolicy/policy/modules/services/apcupsd.fc 2007-07-25 10:37:42.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/services/apcupsd.fc 2007-07-25 13:27:51.000000000 -0400
|
||||
@@ -1,9 +1,10 @@
|
||||
+++ serefpolicy-3.0.4/policy/modules/services/apcupsd.fc 2007-07-30 11:44:31.000000000 -0400
|
||||
@@ -1,9 +1,11 @@
|
||||
-ifdef(`distro_debian',`
|
||||
-/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
|
||||
-')
|
||||
@ -3717,6 +3756,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu
|
||||
/usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
|
||||
|
||||
/var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
|
||||
+/var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
|
||||
|
||||
/var/run/apcupsd\.pid -- gen_context(system_u:object_r:apcupsd_var_run_t,s0)
|
||||
+
|
||||
@ -3755,7 +3795,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.0.4/policy/modules/services/apcupsd.te
|
||||
--- nsaserefpolicy/policy/modules/services/apcupsd.te 2007-07-25 10:37:42.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/services/apcupsd.te 2007-07-25 13:27:51.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/services/apcupsd.te 2007-07-30 11:42:36.000000000 -0400
|
||||
@@ -16,6 +16,9 @@
|
||||
type apcupsd_log_t;
|
||||
logging_log_file(apcupsd_log_t)
|
||||
@ -3798,19 +3838,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu
|
||||
|
||||
dev_rw_generic_usb_dev(apcupsd_t)
|
||||
|
||||
@@ -56,9 +67,53 @@
|
||||
@@ -55,6 +66,15 @@
|
||||
|
||||
files_read_etc_files(apcupsd_t)
|
||||
files_search_locks(apcupsd_t)
|
||||
|
||||
+# Creates /etc/nologin
|
||||
+files_manage_etc_runtime_files(apcupsd_t)
|
||||
+files_etc_filetrans_etc_runtime(apcuspd_t,file)
|
||||
+
|
||||
+#apcupsd runs shutdown, probably need a shutdown domain
|
||||
+init_rw_utmp(apcupsd_t)
|
||||
+init_telinit(apcupsd_t)
|
||||
+
|
||||
+kernel_read_system_state(apcupsd_t)
|
||||
+
|
||||
|
||||
libs_use_ld_so(apcupsd_t)
|
||||
libs_use_shared_libs(apcupsd_t)
|
||||
|
||||
@@ -62,3 +82,41 @@
|
||||
logging_send_syslog_msg(apcupsd_t)
|
||||
|
||||
miscfiles_read_localization(apcupsd_t)
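Review bot: `files_etc_filetrans_etc_runtime(apcuspd_t,file)` refers to a type `apcuspd_t` while every surrounding rule in this block uses `apcupsd_t`; this looks like a transposition typo, and if so the policy presumably fails to build on the undeclared type, or at best the `/etc/nologin` transition the comment above it describes is never granted to the daemon. Change it to `files_etc_filetrans_etc_runtime(apcupsd_t,file)`. The `#apcupsd runs shutdown, probably need a shutdown domain` note below it is a good marker that `init_telinit`/`init_rw_utmp` are a broad grant for a UPS daemon; leaving that comment in is right. The apcupsd_t local policy continues outside this hunk.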
|
||||
@ -4503,7 +4547,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
||||
ifdef(`TODO',`
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.0.4/policy/modules/services/cups.fc
|
||||
--- nsaserefpolicy/policy/modules/services/cups.fc 2007-05-29 14:10:57.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/services/cups.fc 2007-07-25 13:27:51.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/services/cups.fc 2007-07-31 13:36:05.000000000 -0400
|
||||
@@ -8,6 +8,7 @@
|
||||
/etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
@ -4512,14 +4556,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
||||
/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
|
||||
@@ -52,3 +53,4 @@
|
||||
@@ -17,8 +18,6 @@
|
||||
|
||||
/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
|
||||
|
||||
-/usr/lib(64)?/cups/backend/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
|
||||
-/usr/lib(64)?/cups/daemon/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
|
||||
/usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
|
||||
|
||||
/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
|
||||
@@ -52,3 +51,4 @@
|
||||
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
|
||||
|
||||
/var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
|
||||
+/usr/local/Brother/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
|
||||
+/usr/local/Brother/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.0.4/policy/modules/services/cups.te
|
||||
--- nsaserefpolicy/policy/modules/services/cups.te 2007-07-25 10:37:42.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/services/cups.te 2007-07-25 14:08:39.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/services/cups.te 2007-07-31 12:58:26.000000000 -0400
|
||||
@@ -81,12 +81,11 @@
|
||||
# /usr/lib/cups/backend/serial needs sys_admin(?!)
|
||||
allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
|
||||
@ -4534,6 +4587,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
||||
allow cupsd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow cupsd_t self:udp_socket create_socket_perms;
|
||||
allow cupsd_t self:appletalk_socket create_socket_perms;
|
||||
@@ -105,7 +104,7 @@
|
||||
|
||||
# allow cups to execute its backend scripts
|
||||
can_exec(cupsd_t, cupsd_exec_t)
|
||||
-allow cupsd_t cupsd_exec_t:dir search;
|
||||
+allow cupsd_t cupsd_exec_t:dir search_dir_perms;
|
||||
allow cupsd_t cupsd_exec_t:lnk_file read;
|
||||
|
||||
manage_files_pattern(cupsd_t,cupsd_log_t,cupsd_log_t)
|
||||
@@ -150,14 +149,17 @@
|
||||
corenet_tcp_bind_reserved_port(cupsd_t)
|
||||
corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
|
||||
@ -7605,7 +7667,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.4/policy/modules/services/xserver.te
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-07-25 10:37:42.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/services/xserver.te 2007-07-25 13:27:51.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/services/xserver.te 2007-07-31 10:08:15.000000000 -0400
|
||||
@@ -16,6 +16,13 @@
|
||||
|
||||
## <desc>
|
||||
@ -7702,16 +7764,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
resmgr_stream_connect(xdm_t)
|
||||
')
|
||||
|
||||
@@ -434,47 +453,15 @@
|
||||
@@ -434,47 +453,19 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- unconfined_domain_noaudit(xdm_xserver_t)
|
||||
- unconfined_domtrans(xdm_xserver_t)
|
||||
-
|
||||
+ rpm_dontaudit_rw_shm(xdm_xserver_t)
|
||||
+')
|
||||
|
||||
- ifndef(`distro_redhat',`
|
||||
- allow xdm_xserver_t self:process { execheap execmem };
|
||||
- ')
|
||||
+optional_policy(`
|
||||
+ unconfined_rw_shm(xdm_xserver_t)
|
||||
+ unconfined_execmem_rw_shm(xdm_xserver_t)
|
||||
+')
|
||||
@ -8238,7 +8303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.te serefpolicy-3.0.4/policy/modules/system/brctl.te
|
||||
--- nsaserefpolicy/policy/modules/system/brctl.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.0.4/policy/modules/system/brctl.te 2007-07-27 13:35:00.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/system/brctl.te 2007-07-30 11:23:32.000000000 -0400
|
||||
@@ -0,0 +1,50 @@
|
||||
+policy_module(brctl,1.0.0)
|
||||
+
|
||||
@ -8262,7 +8327,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.
|
||||
+allow brctl_t self:tcp_socket create_socket_perms;
|
||||
+allow brctl_t self:unix_dgram_socket create_socket_perms;
|
||||
+
|
||||
+dev_read_sysfs(brctl_t)
|
||||
+dev_rw_sysfs(brctl_t)
|
||||
+
|
||||
+# Init script handling
|
||||
+domain_use_interactive_fds(brctl_t)
|
||||
@ -9438,13 +9503,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
|
||||
optional_policy(`
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.0.4/policy/modules/system/mount.fc
|
||||
--- nsaserefpolicy/policy/modules/system/mount.fc 2007-05-29 14:10:58.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/system/mount.fc 2007-07-25 13:27:51.000000000 -0400
|
||||
@@ -1,4 +1,3 @@
|
||||
+++ serefpolicy-3.0.4/policy/modules/system/mount.fc 2007-07-30 11:34:24.000000000 -0400
|
||||
@@ -1,4 +1,2 @@
|
||||
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||
-
|
||||
-/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||
+/sbin/mount.ntfs-3g -- gen_context(system_u:object_r:mount_ntfs_exec_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.0.4/policy/modules/system/mount.if
|
||||
--- nsaserefpolicy/policy/modules/system/mount.if 2007-06-11 16:05:30.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/system/mount.if 2007-07-25 13:27:51.000000000 -0400
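Review bot: Dropping the `/sbin/mount.ntfs-3g` entry leaves no pattern in mount.fc that labels that helper: `/bin/mount.*` does not cover `/sbin/`, so unless another module labels it the binary falls back to the generic `/sbin` label from corecommands and the merged mount_t domain is not entered through it. If the intent of the merge is for the ntfs helper to run as mount_t, keep the entry retargeted to the surviving type, `/sbin/mount\.ntfs-3g -- gen_context(system_u:object_r:mount_exec_t,s0)`. The `typealias mount_exec_t alias mount_ntfs_exec_t` added in mount.te keeps old references compiling but labels nothing on disk, so it does not substitute for the fc line.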
|
||||
@ -9491,7 +9555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.0.4/policy/modules/system/mount.te
|
||||
--- nsaserefpolicy/policy/modules/system/mount.te 2007-07-25 10:37:42.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/system/mount.te 2007-07-26 13:15:01.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/system/mount.te 2007-07-30 11:32:20.000000000 -0400
|
||||
@@ -8,6 +8,13 @@
|
||||
|
||||
## <desc>
|
||||
@ -9506,16 +9570,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
|
||||
## Allow mount to mount any file
|
||||
## </p>
|
||||
## </desc>
|
||||
@@ -16,19 +23,22 @@
|
||||
@@ -16,19 +23,21 @@
|
||||
type mount_t;
|
||||
type mount_exec_t;
|
||||
init_system_domain(mount_t,mount_exec_t)
|
||||
+application_executable_file(mount_exec_t)
|
||||
role system_r types mount_t;
|
||||
|
||||
+type mount_ntfs_t;
|
||||
+type mount_ntfs_exec_t;
|
||||
+init_system_domain(mount_ntfs_t, mount_ntfs_exec_t)
|
||||
+typealias mount_t alias mount_ntfs_t;
|
||||
+typealias mount_exec_t alias mount_ntfs_exec_t;
|
||||
+
|
||||
type mount_loopback_t; # customizable
|
||||
files_type(mount_loopback_t)
|
||||
@ -9532,7 +9595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -36,7 +46,7 @@
|
||||
@@ -36,7 +45,7 @@
|
||||
#
|
||||
|
||||
# setuid/setgid needed to mount cifs
|
||||
@ -9541,7 +9604,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
|
||||
|
||||
allow mount_t mount_loopback_t:file read_file_perms;
|
||||
allow mount_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
@@ -51,6 +61,7 @@
|
||||
@@ -51,6 +60,7 @@
|
||||
kernel_read_system_state(mount_t)
|
||||
kernel_read_kernel_sysctls(mount_t)
|
||||
kernel_dontaudit_getattr_core_if(mount_t)
|
||||
@ -9549,7 +9612,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
|
||||
|
||||
dev_getattr_all_blk_files(mount_t)
|
||||
dev_list_all_dev_nodes(mount_t)
|
||||
@@ -101,6 +112,8 @@
|
||||
@@ -101,6 +111,8 @@
|
||||
init_use_fds(mount_t)
|
||||
init_use_script_ptys(mount_t)
|
||||
init_dontaudit_getattr_initctl(mount_t)
|
||||
@ -9558,7 +9621,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
|
||||
|
||||
libs_use_ld_so(mount_t)
|
||||
libs_use_shared_libs(mount_t)
|
||||
@@ -127,10 +140,15 @@
|
||||
@@ -127,10 +139,15 @@
|
||||
')
|
||||
')
|
||||
|
||||
@ -9575,7 +9638,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -201,4 +219,54 @@
|
||||
@@ -201,4 +218,29 @@
|
||||
optional_policy(`
|
||||
files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
|
||||
unconfined_domain(unconfined_mount_t)
|
||||
@ -9586,48 +9649,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# mount_ntfs local policy
|
||||
+# ntfs local policy
|
||||
+#
|
||||
+allow mount_ntfs_t self:capability { setuid sys_admin };
|
||||
+allow mount_ntfs_t self:fifo_file { read write };
|
||||
+allow mount_ntfs_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+allow mount_ntfs_t self:unix_dgram_socket { connect create };
|
||||
+allow mount_t self:fifo_file { read write };
|
||||
+allow mount_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+allow mount_t self:unix_dgram_socket { connect create };
|
||||
+
|
||||
+corecmd_read_bin_symlinks(mount_ntfs_t)
|
||||
+corecmd_exec_shell(mount_ntfs_t)
|
||||
+corecmd_exec_shell(mount_t)
|
||||
+
|
||||
+files_read_etc_files(mount_ntfs_t)
|
||||
+files_search_all(mount_ntfs_t)
|
||||
+fusermount_domtrans(mount_t)
|
||||
+fusermount_use_fds(mount_t)
|
||||
+
|
||||
+libs_use_ld_so(mount_ntfs_t)
|
||||
+libs_use_shared_libs(mount_ntfs_t)
|
||||
+
|
||||
+fusermount_domtrans(mount_ntfs_t)
|
||||
+fusermount_use_fds(mount_ntfs_t)
|
||||
+
|
||||
+init_dontaudit_use_fds(mount_ntfs_t)
|
||||
+
|
||||
+kernel_read_system_state(mount_ntfs_t)
|
||||
+
|
||||
+logging_send_syslog_msg(mount_ntfs_t)
|
||||
+
|
||||
+miscfiles_read_localization(mount_ntfs_t)
|
||||
+
|
||||
+modutils_domtrans_insmod(mount_ntfs_t)
|
||||
+
|
||||
+mount_ntfs_domtrans(mount_t)
|
||||
+
|
||||
+storage_raw_read_fixed_disk(mount_ntfs_t)
|
||||
+storage_raw_write_fixed_disk(mount_ntfs_t)
|
||||
+# modutils_domtrans_insmod(mount_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ nscd_socket_use(mount_ntfs_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ hal_write_log(mount_ntfs_t)
|
||||
+ hal_use_fds(mount_ntfs_t)
|
||||
+ hal_rw_pipes(mount_ntfs_t)
|
||||
+ hal_write_log(mount_t)
|
||||
+ hal_use_fds(mount_t)
|
||||
+ hal_rw_pipes(mount_t)
|
||||
+')
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/netlabel.te serefpolicy-3.0.4/policy/modules/system/netlabel.te
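Review bot: `# modutils_domtrans_insmod(mount_t)` is commented-out code left in the new mount_t local policy; either delete it or replace it with a comment saying why the module-load transition the ntfs helper previously had is intentionally not granted. The other rules that were specific to mount_ntfs_t and are not mirrored for mount_t in this hunk — `storage_raw_read_fixed_disk`, `storage_raw_write_fixed_disk`, `init_dontaudit_use_fds`, `nscd_socket_use` — are presumably already granted to mount_t earlier in the file, which this hunk does not show; a one-line comment at the top of the block such as `# mount.ntfs-3g now runs as mount_t; raw-disk and nscd access come from the rules above — TODO confirm` would let a reader verify that without a diff. The block header `# ntfs local policy` no longer describes a separate domain and could be folded into that comment.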
|
||||
@ -9644,7 +9682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/netlab
|
||||
libs_use_ld_so(netlabel_mgmt_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.0.4/policy/modules/system/raid.te
|
||||
--- nsaserefpolicy/policy/modules/system/raid.te 2007-06-15 14:54:34.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/system/raid.te 2007-07-25 13:27:51.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/system/raid.te 2007-07-31 09:56:48.000000000 -0400
|
||||
@@ -19,7 +19,7 @@
|
||||
# Local policy
|
||||
#
|
||||
@ -9654,6 +9692,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t
|
||||
dontaudit mdadm_t self:capability sys_tty_config;
|
||||
allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
|
||||
allow mdadm_t self:fifo_file rw_fifo_file_perms;
|
||||
@@ -70,6 +70,7 @@
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
|
||||
userdom_dontaudit_use_sysadm_ttys(mdadm_t)
|
||||
+userdom_dontaudit_search_all_users_home_content(mdadm_t)
|
||||
|
||||
mta_send_mail(mdadm_t)
|
||||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.0.4/policy/modules/system/selinuxutil.fc
|
||||
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2007-05-30 11:47:29.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/system/selinuxutil.fc 2007-07-25 13:27:51.000000000 -0400
|
||||
@ -10591,7 +10637,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
||||
+corecmd_exec_all_executables(unconfined_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.4/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-07-03 07:06:32.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/system/userdomain.if 2007-07-28 11:09:17.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/system/userdomain.if 2007-07-31 09:56:28.000000000 -0400
|
||||
@@ -62,6 +62,10 @@
|
||||
|
||||
allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
|
||||
|
@ -17,7 +17,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.0.4
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
License: GPL
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -359,6 +359,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Jul 30 2007 Dan Walsh <dwalsh@redhat.com> 3.0.4-4
|
||||
- Eliminate mount_ntfs_t policy, merge into mount_t
|
||||
|
||||
* Mon Jul 30 2007 Dan Walsh <dwalsh@redhat.com> 3.0.4-3
|
||||
- Allow xserver to write to ramfs mounted by rhgb
|
||||
|
||||
|