- More mls/rpm fixes
This commit is contained in:
parent
6f376018b9
commit
48adbeae08
@ -561,10 +561,54 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
pcmcia_use_cardmgr_fds(ping_t)
pcmcia_use_cardmgr_fds(ping_t)
')
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.6.3/policy/modules/admin/prelink.fc
--- nsaserefpolicy/policy/modules/admin/prelink.fc 2008-08-07 11:15:13.000000000 -0400
+++ serefpolicy-3.6.3/policy/modules/admin/prelink.fc 2009-01-26 09:28:03.000000000 -0500
@@ -5,3 +5,5 @@
/var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0)
/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0)
+
+/var/lib/misc/prelink\* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.3/policy/modules/admin/prelink.if
--- nsaserefpolicy/policy/modules/admin/prelink.if 2008-11-11 16:13:49.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/admin/prelink.if 2009-01-26 09:29:12.000000000 -0500
@@ -120,3 +120,23 @@
logging_search_logs($1)
manage_files_pattern($1, prelink_log_t, prelink_log_t)
')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## prelink var_lib files.
+## </summary>
+## <param name="file_type">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prelink_manage_var_lib',`
+ gen_require(`
+ type prelink_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.3/policy/modules/admin/prelink.te
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.3/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2009-01-05 15:39:44.000000000 -0500
--- nsaserefpolicy/policy/modules/admin/prelink.te 2009-01-05 15:39:44.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/admin/prelink.te 2009-01-19 13:10:02.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/admin/prelink.te 2009-01-26 09:33:41.000000000 -0500
@@ -26,7 +26,7 @@
@@ -21,12 +21,15 @@
type prelink_tmp_t;
files_tmp_file(prelink_tmp_t)
+type prelink_var_lib_t;
+files_tmp_file(prelink_var_lib_t)
+
########################################
#
# Local policy
# Local policy
#
#
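Review bot: `files_tmp_file(prelink_var_lib_t)` is the wrong attribute for a type that labels `/var/lib/misc/prelink*`: it marks prelink's persistent state as temporary files, so any domain allowed to clean or manage all tmp files may delete it; the other var_lib types touched by this commit use `files_type(rpm_var_lib_t)` and `files_type(cron_var_lib_t)`, so this line should be `files_type(prelink_var_lib_t)`. The new prelink.fc pattern `/var/lib/misc/prelink\* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)` also looks off — the escaped asterisk matches a literal `*` character rather than "prelink followed by anything" — and is probably meant to be `/var/lib/misc/prelink\..* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)`; verify against the file names the prelink package actually writes. The prelink local policy these declarations feed continues in later hunks.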
@ -573,7 +617,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow prelink_t self:process { execheap execmem execstack signal };
allow prelink_t self:process { execheap execmem execstack signal };
allow prelink_t self:fifo_file rw_fifo_file_perms;
allow prelink_t self:fifo_file rw_fifo_file_perms;
@@ -40,7 +40,7 @@
@@ -40,17 +43,20 @@
read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
logging_log_filetrans(prelink_t, prelink_log_t, file)
logging_log_filetrans(prelink_t, prelink_log_t, file)
@ -582,7 +626,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_tmp_filetrans(prelink_t, prelink_tmp_t, file)
files_tmp_filetrans(prelink_t, prelink_tmp_t, file)
fs_tmpfs_filetrans(prelink_t, prelink_tmp_t, file)
fs_tmpfs_filetrans(prelink_t, prelink_tmp_t, file)
@@ -49,8 +49,7 @@
+manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
+manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
+files_search_var_lib(prelink_t)
+
# prelink misc objects that are not system
# libraries or entrypoints
allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom };
allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom };
kernel_read_system_state(prelink_t)
kernel_read_system_state(prelink_t)
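Review bot: The new `manage_dirs_pattern`/`manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)` rules only cover objects that already carry the prelink_var_lib_t label, and nothing in this hunk makes prelink_t create files with that label, so a state file prelink creates at runtime under /var/lib/misc would inherit the directory's label and fall outside these rules until something relabels it. If those files are created at runtime rather than shipped by the package, add a transition beside these rules, e.g. `files_var_lib_filetrans(prelink_t, prelink_var_lib_t, file)`; this presumes /var/lib/misc carries the generic var_lib label, which the hunk does not show. The prelink_t local policy continues before and after this hunk.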
@ -592,7 +641,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_manage_all_executables(prelink_t)
corecmd_manage_all_executables(prelink_t)
corecmd_relabel_all_executables(prelink_t)
corecmd_relabel_all_executables(prelink_t)
@@ -65,6 +64,8 @@
@@ -65,6 +71,8 @@
files_read_etc_files(prelink_t)
files_read_etc_files(prelink_t)
files_read_etc_runtime_files(prelink_t)
files_read_etc_runtime_files(prelink_t)
files_dontaudit_read_all_symlinks(prelink_t)
files_dontaudit_read_all_symlinks(prelink_t)
@ -601,19 +650,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_getattr_xattr_fs(prelink_t)
fs_getattr_xattr_fs(prelink_t)
@@ -81,6 +82,11 @@
@@ -81,6 +89,9 @@
userdom_use_user_terminals(prelink_t)
userdom_use_user_terminals(prelink_t)
+# prelink executables in the user homedir
+# prelink executables in the user homedir
+userdom_manage_user_home_content_files(prelink_t)
+userdom_manage_home_role(system_r, prelink_t)
+userdom_mmap_user_home_content_files(prelink_t)
+userdom_manage_user_home_content_symlinks(prelink_t)
+
+
optional_policy(`
optional_policy(`
amanda_manage_lib(prelink_t)
amanda_manage_lib(prelink_t)
')
')
@@ -88,3 +94,7 @@
@@ -88,3 +99,7 @@
optional_policy(`
optional_policy(`
cron_system_entry(prelink_t, prelink_exec_t)
cron_system_entry(prelink_t, prelink_exec_t)
')
')
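Review bot: Judging from the hunk headers (`+82,11` becomes `+89,9`), the three file-level rules `userdom_manage_user_home_content_files`, `userdom_mmap_user_home_content_files` and `userdom_manage_user_home_content_symlinks` are collapsed into the single `userdom_manage_home_role(system_r, prelink_t)`, which as far as I can tell hands the whole home-directory role (directories and every home content class, not just files) to a domain that is entered from cron via the `cron_system_entry(prelink_t, prelink_exec_t)` block below. That is wider than the comment `# prelink executables in the user homedir` suggests, and prelinking binaries in user homes is an optional feature, so consider wrapping the line in a `tunable_policy` boolean so the default system prelink job stays out of user homes. Either way, extend the comment to say why the role interface rather than the three file interfaces is needed.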
@ -656,7 +703,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`distro_suse', `
ifdef(`distro_suse', `
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.3/policy/modules/admin/rpm.if
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.3/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2008-11-11 16:13:49.000000000 -0500
--- nsaserefpolicy/policy/modules/admin/rpm.if 2008-11-11 16:13:49.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/admin/rpm.if 2009-01-19 13:10:02.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/admin/rpm.if 2009-01-26 08:58:21.000000000 -0500
@@ -146,6 +146,24 @@
@@ -146,6 +146,24 @@
########################################
########################################
@ -989,7 +1036,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.3/policy/modules/admin/rpm.te
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.3/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2009-01-19 11:07:34.000000000 -0500
--- nsaserefpolicy/policy/modules/admin/rpm.te 2009-01-19 11:07:34.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/admin/rpm.te 2009-01-19 13:10:02.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/admin/rpm.te 2009-01-26 09:14:27.000000000 -0500
@@ -31,6 +31,9 @@
@@ -31,6 +31,9 @@
files_type(rpm_var_lib_t)
files_type(rpm_var_lib_t)
typealias rpm_var_lib_t alias var_lib_rpm_t;
typealias rpm_var_lib_t alias var_lib_rpm_t;
@ -1000,16 +1047,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type rpm_script_t;
type rpm_script_t;
type rpm_script_exec_t;
type rpm_script_exec_t;
domain_obj_id_change_exemption(rpm_script_t)
domain_obj_id_change_exemption(rpm_script_t)
@@ -52,7 +55,8 @@
@@ -52,8 +55,9 @@
# rpm Local policy
# rpm Local policy
#
#
-allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid sys_chroot sys_tty_config mknod };
-allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid sys_chroot sys_tty_config mknod };
-allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
+allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
+
+
allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
allow rpm_t self:process { getattr setexec setfscreate setrlimit };
allow rpm_t self:process { getattr setexec setfscreate setrlimit };
allow rpm_t self:fd use;
allow rpm_t self:fd use;
allow rpm_t self:fifo_file rw_fifo_file_perms;
@@ -68,6 +72,8 @@
@@ -68,6 +72,8 @@
allow rpm_t self:sem create_sem_perms;
allow rpm_t self:sem create_sem_perms;
allow rpm_t self:msgq create_msgq_perms;
allow rpm_t self:msgq create_msgq_perms;
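Review bot: The new `+allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };` drops `execmem` from the exclusion set, so rpm_t silently gains executable anonymous memory, and the capability line in the same hunk adds `ipc_lock` and `sys_nice`; none of the three carries a comment naming what needs it. With a `~{ }` rule an omission and a deliberate grant look identical to the next reader, so either add a comment above the two lines such as `# execmem, ipc_lock, sys_nice: required by <component>` or keep `execmem` in the excluded set if the requirement was only for rpm_script_t. The rpm_t local policy continues past this hunk.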
@ -1032,15 +1081,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_exec_all_executables(rpm_t)
corecmd_exec_all_executables(rpm_t)
@@ -115,6 +125,7 @@
@@ -115,6 +125,8 @@
fs_manage_nfs_symlinks(rpm_t)
fs_manage_nfs_symlinks(rpm_t)
fs_getattr_all_fs(rpm_t)
fs_getattr_all_fs(rpm_t)
fs_search_auto_mountpoints(rpm_t)
fs_search_auto_mountpoints(rpm_t)
+fs_list_inotifyfs(rpm_t)
+fs_list_inotifyfs(rpm_t)
+fs_getattr_all_fs(rpm_t)
mls_file_read_all_levels(rpm_t)
mls_file_read_all_levels(rpm_t)
mls_file_write_all_levels(rpm_t)
mls_file_write_all_levels(rpm_t)
@@ -132,6 +143,8 @@
@@ -132,6 +144,8 @@
# for installing kernel packages
# for installing kernel packages
storage_raw_read_fixed_disk(rpm_t)
storage_raw_read_fixed_disk(rpm_t)
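Review bot: The added `+fs_getattr_all_fs(rpm_t)` duplicates the `fs_getattr_all_fs(rpm_t)` context line that already sits two lines above `fs_search_auto_mountpoints(rpm_t)`, so the patched rpm.te now states the same rule twice. Drop the added line and keep only `+fs_list_inotifyfs(rpm_t)`; the new-side length in the hunk header `@@ -115,6 +125,8 @@` should then shrink by one. Duplicate rules compile fine, but they make later rebases against upstream noisier.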
@ -1049,7 +1099,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_relabel_all_files_except_shadow(rpm_t)
auth_relabel_all_files_except_shadow(rpm_t)
auth_manage_all_files_except_shadow(rpm_t)
auth_manage_all_files_except_shadow(rpm_t)
auth_dontaudit_read_shadow(rpm_t)
auth_dontaudit_read_shadow(rpm_t)
@@ -174,10 +187,20 @@
@@ -155,6 +169,7 @@
files_exec_etc_files(rpm_t)
init_domtrans_script(rpm_t)
+init_use_script_ptys(rpm_t)
libs_exec_ld_so(rpm_t)
libs_exec_lib_files(rpm_t)
@@ -174,10 +189,20 @@
')
')
optional_policy(`
optional_policy(`
@ -1070,7 +1128,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
prelink_domtrans(rpm_t)
prelink_domtrans(rpm_t)
')
')
@@ -185,6 +208,7 @@
@@ -185,6 +210,7 @@
unconfined_domain(rpm_t)
unconfined_domain(rpm_t)
# yum-updatesd requires this
# yum-updatesd requires this
unconfined_dbus_chat(rpm_t)
unconfined_dbus_chat(rpm_t)
@ -1078,18 +1136,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
ifdef(`TODO',`
ifdef(`TODO',`
@@ -210,8 +234,8 @@
@@ -210,8 +236,8 @@
# rpm-script Local policy
# rpm-script Local policy
#
#
-allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
-allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
-allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_ptrace sys_nice mknod kill };
+allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_ptrace sys_nice mknod kill net_admin };
+allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
+allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
allow rpm_script_t self:fd use;
allow rpm_script_t self:fd use;
allow rpm_script_t self:fifo_file rw_fifo_file_perms;
allow rpm_script_t self:fifo_file rw_fifo_file_perms;
allow rpm_script_t self:unix_dgram_socket create_socket_perms;
allow rpm_script_t self:unix_dgram_socket create_socket_perms;
@@ -222,12 +246,15 @@
@@ -222,12 +248,15 @@
allow rpm_script_t self:sem create_sem_perms;
allow rpm_script_t self:sem create_sem_perms;
allow rpm_script_t self:msgq create_msgq_perms;
allow rpm_script_t self:msgq create_msgq_perms;
allow rpm_script_t self:msg { send receive };
allow rpm_script_t self:msg { send receive };
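Review bot: The only change to the rpm_script_t capability line in this hunk is the new `net_admin`, an unusual capability for package scriptlets; combined with the `sys_admin` and `sys_ptrace` already on that line and the `execmem`/`execstack` permitted by `allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };`, it leaves the scriptlet domain close to unconfined even when the optional unconfined module is not loaded. Please add a comment above the line naming the scriptlet or package that needs it, e.g. `# net_admin: <package> post-install scriptlet reconfigures network interfaces`, so the grant can be narrowed or revisited later. The rpm_script_t local policy continues beyond this hunk.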
@ -1105,7 +1163,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
@@ -272,12 +299,15 @@
@@ -239,6 +268,8 @@
kernel_read_kernel_sysctls(rpm_script_t)
kernel_read_system_state(rpm_script_t)
+kernel_read_network_state(rpm_script_t)
+kernel_list_all_proc(rpm_script_t)
dev_list_sysfs(rpm_script_t)
@@ -255,6 +286,7 @@
fs_mount_xattr_fs(rpm_script_t)
fs_unmount_xattr_fs(rpm_script_t)
fs_search_auto_mountpoints(rpm_script_t)
+fs_getattr_all_fs(rpm_script_t)
mcs_killall(rpm_script_t)
mcs_ptrace_all(rpm_script_t)
@@ -272,14 +304,19 @@
storage_raw_read_fixed_disk(rpm_script_t)
storage_raw_read_fixed_disk(rpm_script_t)
storage_raw_write_fixed_disk(rpm_script_t)
storage_raw_write_fixed_disk(rpm_script_t)
@ -1120,8 +1195,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+auth_relabel_shadow(rpm_script_t)
+auth_relabel_shadow(rpm_script_t)
corecmd_exec_all_executables(rpm_script_t)
corecmd_exec_all_executables(rpm_script_t)
+can_exec(rpm_script_t, rpm_script_tmp_t)
+can_exec(rpm_script_t, rpm_script_tmpfs_t)
@@ -291,6 +321,7 @@
domain_read_all_domains_state(rpm_script_t)
domain_getattr_all_domains(rpm_script_t)
@@ -291,6 +328,7 @@
files_exec_etc_files(rpm_script_t)
files_exec_etc_files(rpm_script_t)
files_read_etc_runtime_files(rpm_script_t)
files_read_etc_runtime_files(rpm_script_t)
files_exec_usr_files(rpm_script_t)
files_exec_usr_files(rpm_script_t)
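Review bot: `can_exec(rpm_script_t, rpm_script_tmp_t)` and `can_exec(rpm_script_t, rpm_script_tmpfs_t)` let scriptlets execute files they have just created in /tmp or on tmpfs (`files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })` above), which is exactly the write-then-execute pattern SELinux policy normally withholds from a domain. Given how much rpm_script_t already holds this is mostly a documentation matter, but a comment above the two lines such as `# scriptlets that unpack helpers into /tmp and run them` would record that the widening is deliberate rather than accidental. The enclosing local-policy block starts and ends outside this hunk.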
@ -1129,15 +1208,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
init_domtrans_script(rpm_script_t)
init_domtrans_script(rpm_script_t)
@@ -308,6 +339,7 @@
@@ -308,8 +346,10 @@
seutil_domtrans_loadpolicy(rpm_script_t)
seutil_domtrans_loadpolicy(rpm_script_t)
seutil_domtrans_setfiles(rpm_script_t)
seutil_domtrans_setfiles(rpm_script_t)
seutil_domtrans_semanage(rpm_script_t)
seutil_domtrans_semanage(rpm_script_t)
+seutil_domtrans_setsebool(rpm_script_t)
+seutil_domtrans_setsebool(rpm_script_t)
userdom_use_all_users_fds(rpm_script_t)
userdom_use_all_users_fds(rpm_script_t)
+userdom_exec_admin_home_files(rpm_script_t)
@@ -326,6 +358,10 @@
ifdef(`distro_redhat',`
optional_policy(`
@@ -326,6 +366,10 @@
')
')
optional_policy(`
optional_policy(`
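Review bot: `userdom_exec_admin_home_files(rpm_script_t)` is added without a comment, so it is not clear whether scriptlets are expected to run helpers out of /root during a local install or whether this is papering over a misplaced file; executing administrator home content from package scriptlets deserves an explicit note, e.g. `# scriptlets may exec files under /root (local package builds/installs)`. The neighbouring `seutil_domtrans_setsebool(rpm_script_t)` is consistent with the loadpolicy/setfiles/semanage transitions already above it. The optional blocks that follow this hunk continue outside it.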
@ -1148,7 +1230,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tzdata_domtrans(rpm_t)
tzdata_domtrans(rpm_t)
tzdata_domtrans(rpm_script_t)
tzdata_domtrans(rpm_script_t)
')
')
@@ -333,6 +369,7 @@
@@ -333,6 +377,7 @@
optional_policy(`
optional_policy(`
unconfined_domain(rpm_script_t)
unconfined_domain(rpm_script_t)
unconfined_domtrans(rpm_script_t)
unconfined_domtrans(rpm_script_t)
@ -5472,7 +5554,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.3/policy/modules/kernel/filesystem.if
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.3/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-01-05 15:39:38.000000000 -0500
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-01-05 15:39:38.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/kernel/filesystem.if 2009-01-21 13:00:37.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/kernel/filesystem.if 2009-01-26 08:55:48.000000000 -0500
@@ -534,6 +534,24 @@
@@ -534,6 +534,24 @@
########################################
########################################
@ -5916,16 +5998,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#
#
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.3/policy/modules/kernel/kernel.if
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.3/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-01-05 15:39:38.000000000 -0500
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-01-05 15:39:38.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/kernel/kernel.if 2009-01-21 17:29:54.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/kernel/kernel.if 2009-01-26 08:54:44.000000000 -0500
@@ -1197,6 +1197,7 @@
@@ -1197,6 +1197,26 @@
')
')
dontaudit $1 proc_type:dir list_dir_perms;
dontaudit $1 proc_type:dir list_dir_perms;
+ dontaudit $1 proc_type:file getattr;
+ dontaudit $1 proc_type:file getattr;
+')
+
+########################################
+## <summary>
+## Allow attempts to list all proc directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_list_all_proc',`
+ gen_require(`
+ attribute proc_type;
+ ')
+
+ allow $1 proc_type:dir list_dir_perms;
+ allow $1 proc_type:file getattr;
')
')
########################################
########################################
@@ -1233,9 +1234,11 @@
@@ -1233,9 +1253,11 @@
interface(`kernel_read_sysctl',`
interface(`kernel_read_sysctl',`
gen_require(`
gen_require(`
type sysctl_t;
type sysctl_t;
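Review bot: The new `kernel_list_all_proc` interface carries parameter documentation copied from the dontaudit interface above it: its `<param name="domain">` summary reads `Domain to not audit.` although the body grants access, so it should read `Domain allowed access.`. The header summary `Allow attempts to list all proc directories.` also omits that the body additionally grants `proc_type:file getattr`; either say so (`## Allow listing all proc directories and getting attributes of proc files.`) or drop the getattr line from the body. The `kernel_list_all_proc(rpm_script_t)` call added elsewhere in this commit is the only visible user, so settling the documented contract now is cheap.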
@ -5937,7 +6038,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
########################################
########################################
@@ -1568,6 +1571,26 @@
@@ -1568,6 +1590,26 @@
########################################
########################################
## <summary>
## <summary>
@ -5964,7 +6065,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read generic kernel sysctls.
## Read generic kernel sysctls.
## </summary>
## </summary>
## <param name="domain">
## <param name="domain">
@@ -1767,6 +1790,7 @@
@@ -1767,6 +1809,7 @@
')
')
dontaudit $1 sysctl_type:dir list_dir_perms;
dontaudit $1 sysctl_type:dir list_dir_perms;
@ -5972,7 +6073,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
########################################
########################################
@@ -2580,6 +2604,24 @@
@@ -2580,6 +2623,24 @@
########################################
########################################
## <summary>
## <summary>
@ -5997,7 +6098,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Unconfined access to kernel module resources.
## Unconfined access to kernel module resources.
## </summary>
## </summary>
## <param name="domain">
## <param name="domain">
@@ -2595,3 +2637,23 @@
@@ -2595,3 +2656,23 @@
typeattribute $1 kern_unconfined;
typeattribute $1 kern_unconfined;
')
')
@ -6975,7 +7076,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## requiring the caller to use setexeccon().
## requiring the caller to use setexeccon().
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.3/policy/modules/roles/sysadm.te
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.3/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-01-19 11:07:34.000000000 -0500
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-01-19 11:07:34.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/roles/sysadm.te 2009-01-19 13:10:02.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/roles/sysadm.te 2009-01-26 09:04:25.000000000 -0500
@@ -15,7 +15,7 @@
@@ -15,7 +15,7 @@
role sysadm_r;
role sysadm_r;
@ -7138,7 +7239,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
quota_run(sysadm_t, sysadm_r)
quota_run(sysadm_t, sysadm_r)
')
')
@@ -320,10 +254,6 @@
@@ -320,22 +254,10 @@
')
')
optional_policy(`
optional_policy(`
@ -7149,10 +7250,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
rpc_domtrans_nfsd(sysadm_t)
rpc_domtrans_nfsd(sysadm_t)
')
')
@@ -332,10 +262,6 @@
')
optional_policy(`
optional_policy(`
- rpm_run(sysadm_t, sysadm_r)
-')
-
-optional_policy(`
- rssh_role(sysadm_r, sysadm_t)
- rssh_role(sysadm_r, sysadm_t)
-')
-')
-
-
@ -7160,7 +7262,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
rsync_exec(sysadm_t)
rsync_exec(sysadm_t)
')
')
@@ -345,10 +271,6 @@
@@ -345,10 +267,6 @@
')
')
optional_policy(`
optional_policy(`
@ -7171,7 +7273,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
secadm_role_change(sysadm_r)
secadm_role_change(sysadm_r)
')
')
|
||||||
|
|
||||||
@@ -358,35 +280,15 @@
@@ -358,35 +276,15 @@
')
')
optional_policy(`
optional_policy(`
@ -7207,7 +7309,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tripwire_run_siggen(sysadm_t, sysadm_r)
tripwire_run_siggen(sysadm_t, sysadm_r)
tripwire_run_tripwire(sysadm_t, sysadm_r)
tripwire_run_tripwire(sysadm_t, sysadm_r)
tripwire_run_twadmin(sysadm_t, sysadm_r)
tripwire_run_twadmin(sysadm_t, sysadm_r)
@@ -394,18 +296,10 @@
@@ -394,18 +292,10 @@
')
')
optional_policy(`
optional_policy(`
@ -7226,7 +7328,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
unconfined_domtrans(sysadm_t)
unconfined_domtrans(sysadm_t)
')
')
@@ -418,20 +312,12 @@
@@ -418,20 +308,12 @@
')
')
optional_policy(`
optional_policy(`
@ -7247,7 +7349,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
vpn_run(sysadm_t, sysadm_r)
vpn_run(sysadm_t, sysadm_r)
')
')
@@ -440,13 +326,5 @@
@@ -440,13 +322,5 @@
')
')
optional_policy(`
optional_policy(`
@ -10438,7 +10540,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.3/policy/modules/services/cron.te
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.3/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2009-01-19 11:06:49.000000000 -0500
--- nsaserefpolicy/policy/modules/services/cron.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/cron.te 2009-01-23 15:14:37.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/cron.te 2009-01-26 09:29:38.000000000 -0500
@@ -38,6 +38,10 @@
@@ -38,6 +38,10 @@
type cron_var_lib_t;
type cron_var_lib_t;
files_type(cron_var_lib_t)
files_type(cron_var_lib_t)
@ -10671,7 +10773,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
optional_policy(`
optional_policy(`
@@ -460,8 +529,7 @@
@@ -447,6 +516,7 @@
prelink_read_cache(system_cronjob_t)
prelink_manage_log(system_cronjob_t)
prelink_delete_cache(system_cronjob_t)
+ prelink_manage_var_lib(system_cronjob_t)
')
optional_policy(`
@@ -460,8 +530,7 @@
')
')
optional_policy(`
optional_policy(`
@ -10681,7 +10791,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
optional_policy(`
optional_policy(`
@@ -469,24 +537,17 @@
@@ -469,24 +538,17 @@
')
')
optional_policy(`
optional_policy(`
@ -10709,7 +10819,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow cronjob_t self:process { signal_perms setsched };
allow cronjob_t self:process { signal_perms setsched };
allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
@@ -570,6 +631,9 @@
@@ -570,6 +632,9 @@
userdom_manage_user_home_content_sockets(cronjob_t)
userdom_manage_user_home_content_sockets(cronjob_t)
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
@ -13777,7 +13887,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-#')
-#')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.3/policy/modules/services/mta.if
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.3/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2009-01-19 11:06:49.000000000 -0500
--- nsaserefpolicy/policy/modules/services/mta.if 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/mta.if 2009-01-19 13:10:02.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/mta.if 2009-01-26 09:31:15.000000000 -0500
@@ -130,6 +130,15 @@
@@ -130,6 +130,15 @@
sendmail_create_log($1_mail_t)
sendmail_create_log($1_mail_t)
')
')
@ -18605,8 +18715,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
mysql_search_db(httpd_prewikka_script_t)
mysql_search_db(httpd_prewikka_script_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.6.3/policy/modules/services/procmail.te
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.6.3/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te 2009-01-19 11:06:49.000000000 -0500
--- nsaserefpolicy/policy/modules/services/procmail.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/procmail.te 2009-01-19 13:10:02.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/procmail.te 2009-01-26 09:31:20.000000000 -0500
@@ -128,6 +128,10 @@
@@ -92,6 +92,7 @@
userdom_dontaudit_search_user_home_dirs(procmail_t)
mta_manage_spool(procmail_t)
+mta_read_queue(procmail_t)
ifdef(`hide_broken_symptoms',`
mta_dontaudit_rw_queue(procmail_t)
@@ -128,6 +129,10 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -18617,7 +18735,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
pyzor_domtrans(procmail_t)
|
pyzor_domtrans(procmail_t)
|
||||||
pyzor_signal(procmail_t)
|
pyzor_signal(procmail_t)
|
||||||
')
|
')
|
||||||
@@ -148,3 +152,7 @@
|
@@ -148,3 +153,7 @@
|
||||||
spamassassin_domtrans_client(procmail_t)
|
spamassassin_domtrans_client(procmail_t)
|
||||||
spamassassin_read_lib_files(procmail_t)
|
spamassassin_read_lib_files(procmail_t)
|
||||||
')
|
')
|
||||||
@ -22818,7 +22936,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.3/policy/modules/services/xserver.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.3/policy/modules/services/xserver.te
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500
|
||||||
+++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-01-23 16:45:11.000000000 -0500
|
+++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-01-26 09:17:40.000000000 -0500
|
||||||
@@ -34,6 +34,13 @@
|
@@ -34,6 +34,13 @@
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
@ -23347,7 +23465,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
# Label pid and temporary files with derived types.
|
# Label pid and temporary files with derived types.
|
||||||
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||||
@@ -830,6 +960,10 @@
|
@@ -827,9 +957,14 @@
|
||||||
|
# to read ROLE_home_t - examine this in more detail
|
||||||
|
# (xauth?)
|
||||||
|
userdom_read_user_home_content_files(xserver_t)
|
||||||
|
+userdom_read_all_users_state(xserver_t)
|
||||||
|
|
||||||
xserver_use_user_fonts(xserver_t)
|
xserver_use_user_fonts(xserver_t)
|
||||||
|
|
||||||
@ -23358,7 +23480,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
tunable_policy(`use_nfs_home_dirs',`
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
fs_manage_nfs_dirs(xserver_t)
|
fs_manage_nfs_dirs(xserver_t)
|
||||||
fs_manage_nfs_files(xserver_t)
|
fs_manage_nfs_files(xserver_t)
|
||||||
@@ -844,11 +978,14 @@
|
@@ -844,11 +979,14 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_system_bus_client(xserver_t)
|
dbus_system_bus_client(xserver_t)
|
||||||
@ -23374,7 +23496,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -856,6 +993,11 @@
|
@@ -856,6 +994,11 @@
|
||||||
rhgb_rw_tmpfs_files(xserver_t)
|
rhgb_rw_tmpfs_files(xserver_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -23386,7 +23508,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Rules common to all X window domains
|
# Rules common to all X window domains
|
||||||
@@ -972,6 +1114,37 @@
|
@@ -972,6 +1115,37 @@
|
||||||
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
|
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
|
||||||
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
|
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
|
||||||
|
|
||||||
@ -23424,7 +23546,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
tunable_policy(`allow_polyinstantiation',`
|
tunable_policy(`allow_polyinstantiation',`
|
||||||
# xdm needs access for linking .X11-unix to poly /tmp
|
# xdm needs access for linking .X11-unix to poly /tmp
|
||||||
@@ -986,3 +1159,13 @@
|
@@ -986,3 +1160,13 @@
|
||||||
#
|
#
|
||||||
allow xdm_t user_home_type:file unlink;
|
allow xdm_t user_home_type:file unlink;
|
||||||
') dnl end TODO
|
') dnl end TODO
|
||||||
@ -23995,7 +24117,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.6.3/policy/modules/system/fstools.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.6.3/policy/modules/system/fstools.te
|
||||||
--- nsaserefpolicy/policy/modules/system/fstools.te 2009-01-05 15:39:43.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/fstools.te 2009-01-05 15:39:43.000000000 -0500
|
||||||
+++ serefpolicy-3.6.3/policy/modules/system/fstools.te 2009-01-19 13:10:02.000000000 -0500
|
+++ serefpolicy-3.6.3/policy/modules/system/fstools.te 2009-01-26 11:19:02.000000000 -0500
|
||||||
@@ -97,6 +97,10 @@
|
@@ -97,6 +97,10 @@
|
||||||
fs_getattr_tmpfs_dirs(fsadm_t)
|
fs_getattr_tmpfs_dirs(fsadm_t)
|
||||||
fs_read_tmpfs_symlinks(fsadm_t)
|
fs_read_tmpfs_symlinks(fsadm_t)
|
||||||
@ -24007,7 +24129,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
mls_file_read_all_levels(fsadm_t)
|
mls_file_read_all_levels(fsadm_t)
|
||||||
mls_file_write_all_levels(fsadm_t)
|
mls_file_write_all_levels(fsadm_t)
|
||||||
|
|
||||||
@@ -182,4 +186,9 @@
|
@@ -150,8 +154,7 @@
|
||||||
|
|
||||||
|
seutil_read_config(fsadm_t)
|
||||||
|
|
||||||
|
-userdom_use_user_terminals(fsadm_t)
|
||||||
|
-userdom_use_unpriv_users_fds(fsadm_t)
|
||||||
|
+term_use_all_terms(fsadm_t)
|
||||||
|
|
||||||
|
tunable_policy(`read_default_t',`
|
||||||
|
files_list_default(fsadm_t)
|
||||||
|
@@ -182,4 +185,9 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
xen_append_log(fsadm_t)
|
xen_append_log(fsadm_t)
|
||||||
@ -24055,7 +24187,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
#
|
#
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.3/policy/modules/system/init.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.3/policy/modules/system/init.if
|
||||||
--- nsaserefpolicy/policy/modules/system/init.if 2009-01-05 15:39:43.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/init.if 2009-01-05 15:39:43.000000000 -0500
|
||||||
+++ serefpolicy-3.6.3/policy/modules/system/init.if 2009-01-21 16:19:55.000000000 -0500
|
+++ serefpolicy-3.6.3/policy/modules/system/init.if 2009-01-26 11:20:14.000000000 -0500
|
||||||
@@ -280,6 +280,27 @@
|
@@ -280,6 +280,27 @@
|
||||||
kernel_dontaudit_use_fds($1)
|
kernel_dontaudit_use_fds($1)
|
||||||
')
|
')
|
||||||
@ -25141,7 +25273,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
|
+/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.3/policy/modules/system/lvm.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.3/policy/modules/system/lvm.te
|
||||||
--- nsaserefpolicy/policy/modules/system/lvm.te 2009-01-19 11:07:34.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/lvm.te 2009-01-19 11:07:34.000000000 -0500
|
||||||
+++ serefpolicy-3.6.3/policy/modules/system/lvm.te 2009-01-20 15:26:33.000000000 -0500
|
+++ serefpolicy-3.6.3/policy/modules/system/lvm.te 2009-01-26 11:20:23.000000000 -0500
|
||||||
@@ -10,6 +10,9 @@
|
@@ -10,6 +10,9 @@
|
||||||
type clvmd_exec_t;
|
type clvmd_exec_t;
|
||||||
init_daemon_domain(clvmd_t,clvmd_exec_t)
|
init_daemon_domain(clvmd_t,clvmd_exec_t)
|
||||||
@ -25298,11 +25430,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
fs_getattr_xattr_fs(lvm_t)
|
fs_getattr_xattr_fs(lvm_t)
|
||||||
fs_search_auto_mountpoints(lvm_t)
|
fs_search_auto_mountpoints(lvm_t)
|
||||||
@@ -239,12 +276,16 @@
|
@@ -239,12 +276,17 @@
|
||||||
storage_dev_filetrans_fixed_disk(lvm_t)
|
storage_dev_filetrans_fixed_disk(lvm_t)
|
||||||
# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
|
# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
|
||||||
storage_manage_fixed_disk(lvm_t)
|
storage_manage_fixed_disk(lvm_t)
|
||||||
+mls_file_read_all_levels(lvm_t)
|
+mls_file_read_all_levels(lvm_t)
|
||||||
|
+mls_file_write_to_clearance(lvm_t)
|
||||||
+
|
+
|
||||||
+term_use_all_terms(lvm_t)
|
+term_use_all_terms(lvm_t)
|
||||||
|
|
||||||
@ -25315,13 +25448,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
files_read_etc_files(lvm_t)
|
files_read_etc_files(lvm_t)
|
||||||
files_read_etc_runtime_files(lvm_t)
|
files_read_etc_runtime_files(lvm_t)
|
||||||
# for when /usr is not mounted:
|
# for when /usr is not mounted:
|
||||||
@@ -283,5 +324,18 @@
|
@@ -253,6 +295,7 @@
|
||||||
|
init_use_fds(lvm_t)
|
||||||
|
init_dontaudit_getattr_initctl(lvm_t)
|
||||||
|
init_use_script_ptys(lvm_t)
|
||||||
|
+init_read_script_state(lvm_t)
|
||||||
|
|
||||||
|
logging_send_syslog_msg(lvm_t)
|
||||||
|
|
||||||
|
@@ -283,5 +326,22 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
+ modutils_domtrans_insmod(lvm_t)
|
+ modutils_domtrans_insmod(lvm_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ rpm_manage_script_tmp_files(lvm_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
udev_read_db(lvm_t)
|
udev_read_db(lvm_t)
|
||||||
')
|
')
|
||||||
@ -25334,6 +25479,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+ xen_append_log(lvm_t)
|
+ xen_append_log(lvm_t)
|
||||||
+ xen_dontaudit_rw_unix_stream_sockets(lvm_t)
|
+ xen_dontaudit_rw_unix_stream_sockets(lvm_t)
|
||||||
+')
|
+')
|
||||||
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.6.3/policy/modules/system/miscfiles.fc
|
||||||
|
--- nsaserefpolicy/policy/modules/system/miscfiles.fc 2008-08-07 11:15:12.000000000 -0400
|
||||||
|
+++ serefpolicy-3.6.3/policy/modules/system/miscfiles.fc 2009-01-26 09:39:13.000000000 -0500
|
||||||
|
@@ -35,6 +35,7 @@
|
||||||
|
/usr/lib(64)?/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0)
|
||||||
|
|
||||||
|
/usr/local/man(/.*)? gen_context(system_u:object_r:man_t,s0)
|
||||||
|
+/usr/local/share/man(/.*)? gen_context(system_u:object_r:man_t,s0)
|
||||||
|
|
||||||
|
/usr/local/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
|
||||||
|
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.3/policy/modules/system/miscfiles.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.3/policy/modules/system/miscfiles.if
|
||||||
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2008-08-07 11:15:12.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2008-08-07 11:15:12.000000000 -0400
|
||||||
+++ serefpolicy-3.6.3/policy/modules/system/miscfiles.if 2009-01-21 13:05:22.000000000 -0500
|
+++ serefpolicy-3.6.3/policy/modules/system/miscfiles.if 2009-01-21 13:05:22.000000000 -0500
|
||||||
@ -26180,7 +26336,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.3/policy/modules/system/selinuxutil.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.3/policy/modules/system/selinuxutil.te
|
||||||
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2009-01-19 11:07:34.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2009-01-19 11:07:34.000000000 -0500
|
||||||
+++ serefpolicy-3.6.3/policy/modules/system/selinuxutil.te 2009-01-19 13:10:02.000000000 -0500
|
+++ serefpolicy-3.6.3/policy/modules/system/selinuxutil.te 2009-01-26 09:04:44.000000000 -0500
|
||||||
@@ -23,6 +23,9 @@
|
@@ -23,6 +23,9 @@
|
||||||
type selinux_config_t;
|
type selinux_config_t;
|
||||||
files_type(selinux_config_t)
|
files_type(selinux_config_t)
|
||||||
@ -26300,7 +26456,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
# often the administrator runs such programs from a directory that is owned
|
# often the administrator runs such programs from a directory that is owned
|
||||||
# by a different user or has restrictive SE permissions, do not want to audit
|
# by a different user or has restrictive SE permissions, do not want to audit
|
||||||
@@ -383,7 +391,6 @@
|
@@ -383,10 +391,10 @@
|
||||||
|
|
||||||
auth_use_nsswitch(run_init_t)
|
auth_use_nsswitch(run_init_t)
|
||||||
auth_domtrans_chk_passwd(run_init_t)
|
auth_domtrans_chk_passwd(run_init_t)
|
||||||
@ -26308,7 +26464,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
auth_dontaudit_read_shadow(run_init_t)
|
auth_dontaudit_read_shadow(run_init_t)
|
||||||
|
|
||||||
init_spec_domtrans_script(run_init_t)
|
init_spec_domtrans_script(run_init_t)
|
||||||
@@ -421,61 +428,22 @@
|
+
|
||||||
|
# for utmp
|
||||||
|
init_rw_utmp(run_init_t)
|
||||||
|
|
||||||
|
@@ -406,6 +414,10 @@
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
|
+optional_policy(`
|
||||||
|
+ rpm_domtrans(run_init_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
ifdef(`distro_ubuntu',`
|
||||||
|
optional_policy(`
|
||||||
|
unconfined_domain(run_init_t)
|
||||||
|
@@ -421,61 +433,22 @@
|
||||||
# semodule local policy
|
# semodule local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -26316,22 +26487,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
-allow semanage_t self:unix_stream_socket create_stream_socket_perms;
|
-allow semanage_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
-allow semanage_t self:unix_dgram_socket create_socket_perms;
|
-allow semanage_t self:unix_dgram_socket create_socket_perms;
|
||||||
-allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
-allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||||
-
|
+seutil_semanage_policy(semanage_t)
|
||||||
|
+allow semanage_t self:fifo_file rw_fifo_file_perms;
|
||||||
|
|
||||||
-allow semanage_t policy_config_t:file rw_file_perms;
|
-allow semanage_t policy_config_t:file rw_file_perms;
|
||||||
-
|
+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
|
||||||
|
+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
|
||||||
|
|
||||||
-allow semanage_t semanage_tmp_t:dir manage_dir_perms;
|
-allow semanage_t semanage_tmp_t:dir manage_dir_perms;
|
||||||
-allow semanage_t semanage_tmp_t:file manage_file_perms;
|
-allow semanage_t semanage_tmp_t:file manage_file_perms;
|
||||||
-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
|
-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
|
||||||
-
|
-
|
||||||
-kernel_read_system_state(semanage_t)
|
-kernel_read_system_state(semanage_t)
|
||||||
-kernel_read_kernel_sysctls(semanage_t)
|
-kernel_read_kernel_sysctls(semanage_t)
|
||||||
+seutil_semanage_policy(semanage_t)
|
-
|
||||||
+allow semanage_t self:fifo_file rw_fifo_file_perms;
|
|
||||||
|
|
||||||
-corecmd_exec_bin(semanage_t)
|
-corecmd_exec_bin(semanage_t)
|
||||||
+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
|
-
|
||||||
+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
|
|
||||||
|
|
||||||
-dev_read_urand(semanage_t)
|
-dev_read_urand(semanage_t)
|
||||||
-
|
-
|
||||||
-domain_use_interactive_fds(semanage_t)
|
-domain_use_interactive_fds(semanage_t)
|
||||||
@ -26352,14 +26523,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+can_exec(semanage_t, semanage_exec_t)
|
+can_exec(semanage_t, semanage_exec_t)
|
||||||
|
|
||||||
-term_use_all_terms(semanage_t)
|
-term_use_all_terms(semanage_t)
|
||||||
-
|
+# Admins are creating pp files in random locations
|
||||||
|
+auth_read_all_files_except_shadow(semanage_t)
|
||||||
|
|
||||||
-# Running genhomedircon requires this for finding all users
|
-# Running genhomedircon requires this for finding all users
|
||||||
-auth_use_nsswitch(semanage_t)
|
-auth_use_nsswitch(semanage_t)
|
||||||
-
|
-
|
||||||
-locallogin_use_fds(semanage_t)
|
-locallogin_use_fds(semanage_t)
|
||||||
+# Admins are creating pp files in random locations
|
-
|
||||||
+auth_read_all_files_except_shadow(semanage_t)
|
|
||||||
|
|
||||||
-logging_send_syslog_msg(semanage_t)
|
-logging_send_syslog_msg(semanage_t)
|
||||||
-
|
-
|
||||||
-miscfiles_read_localization(semanage_t)
|
-miscfiles_read_localization(semanage_t)
|
||||||
@ -26378,7 +26549,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# netfilter_contexts:
|
# netfilter_contexts:
|
||||||
seutil_manage_default_contexts(semanage_t)
|
seutil_manage_default_contexts(semanage_t)
|
||||||
|
|
||||||
@@ -484,12 +452,23 @@
|
@@ -484,12 +457,23 @@
|
||||||
files_read_var_lib_symlinks(semanage_t)
|
files_read_var_lib_symlinks(semanage_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -26402,7 +26573,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# cjp: need a more general way to handle this:
|
# cjp: need a more general way to handle this:
|
||||||
ifdef(`enable_mls',`
|
ifdef(`enable_mls',`
|
||||||
# read secadm tmp files
|
# read secadm tmp files
|
||||||
@@ -499,111 +478,36 @@
|
@@ -499,111 +483,36 @@
|
||||||
userdom_read_user_tmp_files(semanage_t)
|
userdom_read_user_tmp_files(semanage_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -26484,15 +26655,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
-userdom_use_all_users_fds(setfiles_t)
|
-userdom_use_all_users_fds(setfiles_t)
|
||||||
-# for config files in a home directory
|
-# for config files in a home directory
|
||||||
-userdom_read_user_home_content_files(setfiles_t)
|
-userdom_read_user_home_content_files(setfiles_t)
|
||||||
+init_dontaudit_use_fds(setsebool_t)
|
-
|
||||||
|
|
||||||
-ifdef(`distro_debian',`
|
-ifdef(`distro_debian',`
|
||||||
- # udev tmpfs is populated with static device nodes
|
- # udev tmpfs is populated with static device nodes
|
||||||
- # and then relabeled afterwards; thus
|
- # and then relabeled afterwards; thus
|
||||||
- # /dev/console has the tmpfs type
|
- # /dev/console has the tmpfs type
|
||||||
- fs_rw_tmpfs_chr_files(setfiles_t)
|
- fs_rw_tmpfs_chr_files(setfiles_t)
|
||||||
-')
|
-')
|
||||||
-
|
+init_dontaudit_use_fds(setsebool_t)
|
||||||
|
|
||||||
-ifdef(`distro_redhat', `
|
-ifdef(`distro_redhat', `
|
||||||
- fs_rw_tmpfs_chr_files(setfiles_t)
|
- fs_rw_tmpfs_chr_files(setfiles_t)
|
||||||
- fs_rw_tmpfs_blk_files(setfiles_t)
|
- fs_rw_tmpfs_blk_files(setfiles_t)
|
||||||
@ -27642,7 +27813,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
|
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.3/policy/modules/system/userdomain.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.3/policy/modules/system/userdomain.if
|
||||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
|
||||||
+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if 2009-01-23 15:07:13.000000000 -0500
|
+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if 2009-01-26 09:38:49.000000000 -0500
|
||||||
@@ -30,8 +30,9 @@
|
@@ -30,8 +30,9 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -28969,43 +29140,87 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Create, read, write, and delete files
|
## Create, read, write, and delete files
|
||||||
## in a user home subdirectory.
|
## in a user home subdirectory.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -1921,6 +2108,36 @@
|
@@ -1921,7 +2108,7 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
|
-## Create objects in a user home directory
|
||||||
+## Create objects in the /root directory
|
+## Create objects in the /root directory
|
||||||
+## with an automatic type transition to
|
## with an automatic type transition to
|
||||||
|
## a specified private type.
|
||||||
|
## </summary>
|
||||||
|
@@ -1941,34 +2128,64 @@
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
-interface(`userdom_user_home_content_filetrans',`
|
||||||
|
+interface(`userdom_admin_home_dir_filetrans',`
|
||||||
|
gen_require(`
|
||||||
|
- type user_home_dir_t, user_home_t;
|
||||||
|
+ type admin_home_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
- filetrans_pattern($1, user_home_t, $2, $3)
|
||||||
|
- allow $1 user_home_dir_t:dir search_dir_perms;
|
||||||
|
- files_search_home($1)
|
||||||
|
+ filetrans_pattern($1, admin_home_t, $2, $3)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create objects in a user home directory
|
||||||
|
## with an automatic type transition to
|
||||||
|
-## the user home file type.
|
||||||
+## a specified private type.
|
+## a specified private type.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
+## <param name="private_type">
|
||||||
|
+## <summary>
|
||||||
|
+## The type of the object to create.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
## <param name="object_class">
|
||||||
|
## <summary>
|
||||||
|
## The class of the object to be created.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
-interface(`userdom_user_home_dir_filetrans_user_home_content',`
|
||||||
|
+interface(`userdom_user_home_content_filetrans',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type user_home_dir_t, user_home_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ filetrans_pattern($1, user_home_t, $2, $3)
|
||||||
|
+ allow $1 user_home_dir_t:dir search_dir_perms;
|
||||||
|
+ files_search_home($1)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Create objects in a user home directory
|
||||||
|
+## with an automatic type transition to
|
||||||
|
+## the user home file type.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Domain allowed access.
|
+## Domain allowed access.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## </param>
|
+## </param>
|
||||||
+## <param name="private_type">
|
|
||||||
+## <summary>
|
|
||||||
+## The type of the object to create.
|
|
||||||
+## </summary>
|
|
||||||
+## </param>
|
|
||||||
+## <param name="object_class">
|
+## <param name="object_class">
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## The class of the object to be created.
|
+## The class of the object to be created.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## </param>
|
+## </param>
|
||||||
+#
|
+#
|
||||||
+interface(`userdom_admin_home_dir_filetrans',`
|
+interface(`userdom_user_home_dir_filetrans_user_home_content',`
|
||||||
+ gen_require(`
|
gen_require(`
|
||||||
+ type admin_home_t;
|
type user_home_dir_t, user_home_t;
|
||||||
+ ')
|
')
|
||||||
+
|
|
||||||
+ filetrans_pattern($1, admin_home_t, $2, $3)
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
+########################################
|
|
||||||
+## <summary>
|
|
||||||
## Create objects in a user home directory
|
|
||||||
## with an automatic type transition to
|
|
||||||
## a specified private type.
|
|
||||||
@@ -2819,6 +3036,24 @@
|
@@ -2819,6 +3036,24 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -29064,7 +29279,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Send a dbus message to all user domains.
|
## Send a dbus message to all user domains.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -2981,3 +3235,264 @@
|
@@ -2981,3 +3235,284 @@
|
||||||
|
|
||||||
allow $1 userdomain:dbus send_msg;
|
allow $1 userdomain:dbus send_msg;
|
||||||
')
|
')
|
||||||
@ -29329,6 +29544,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
+ allow $1 user_home_t:file execmod;
|
+ allow $1 user_home_t:file execmod;
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Execute user home files.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+## <rolecap/>
|
||||||
|
+#
|
||||||
|
+interface(`userdom_exec_admin_home_files',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type admin_home_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ exec_files_pattern($1, admin_home_t, admin_home_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.3/policy/modules/system/userdomain.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.3/policy/modules/system/userdomain.te
|
||||||
--- nsaserefpolicy/policy/modules/system/userdomain.te 2009-01-19 11:07:34.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/userdomain.te 2009-01-19 11:07:34.000000000 -0500
|
||||||
+++ serefpolicy-3.6.3/policy/modules/system/userdomain.te 2009-01-19 13:10:02.000000000 -0500
|
+++ serefpolicy-3.6.3/policy/modules/system/userdomain.te 2009-01-19 13:10:02.000000000 -0500
|
||||||
|
@ -20,7 +20,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.6.3
|
Version: 3.6.3
|
||||||
Release: 8%{?dist}
|
Release: 9%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -444,6 +444,9 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Jan 26 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-9
|
||||||
|
- More mls/rpm fixes
|
||||||
|
|
||||||
* Fri Jan 23 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-8
|
* Fri Jan 23 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-8
|
||||||
- Add policy to make dbus/nm-applet work
|
- Add policy to make dbus/nm-applet work
|
||||||
|
|
||||||
|