- Allow setroubleshoot to read policy config and send audit messages
parent
e26fef9ac3
commit
4a2a836d9e
@ -4561,7 +4561,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
|
||||
########################################
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in
|
||||
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-11-29 13:29:34.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in 2008-01-14 13:32:12.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in 2008-01-16 16:09:12.000000000 -0500
|
||||
@@ -82,6 +82,7 @@
|
||||
network_port(clockspeed, udp,4041,s0)
|
||||
network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
|
||||
@ -6549,7 +6549,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.2.5/policy/modules/services/consolekit.te
|
||||
--- nsaserefpolicy/policy/modules/services/consolekit.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/consolekit.te 2007-12-19 05:38:09.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/consolekit.te 2008-01-16 16:21:23.000000000 -0500
|
||||
@@ -36,6 +36,7 @@
|
||||
|
||||
domain_read_all_domains_state(consolekit_t)
|
||||
@ -6575,7 +6575,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
|
||||
optional_policy(`
|
||||
dbus_system_bus_client_template(consolekit, consolekit_t)
|
||||
dbus_connect_system_bus(consolekit_t)
|
||||
@@ -67,3 +76,8 @@
|
||||
@@ -67,3 +76,13 @@
|
||||
xserver_read_all_users_xauth(consolekit_t)
|
||||
xserver_stream_connect_xdm_xserver(consolekit_t)
|
||||
')
|
||||
@ -6583,6 +6583,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
|
||||
+optional_policy(`
|
||||
+ #reading .Xauthity
|
||||
+ unconfined_ptrace(consolekit_t)
|
||||
+ unconfined_stream_connect(consolekit_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ userdom_read_user_tmp_files(consolekit_t)
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.2.5/policy/modules/services/cron.fc
|
||||
--- nsaserefpolicy/policy/modules/services/cron.fc 2006-11-16 17:15:21.000000000 -0500
|
||||
@ -9158,7 +9163,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
||||
## </summary>
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.5/policy/modules/services/mta.te
|
||||
--- nsaserefpolicy/policy/modules/services/mta.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/mta.te 2008-01-11 14:28:19.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/mta.te 2008-01-16 06:23:08.000000000 -0500
|
||||
@@ -6,6 +6,8 @@
|
||||
# Declarations
|
||||
#
|
||||
@ -9237,7 +9242,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
||||
logrotate_read_tmp_files(system_mail_t)
|
||||
')
|
||||
|
||||
@@ -136,11 +158,30 @@
|
||||
@@ -136,11 +158,33 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -9253,6 +9258,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
||||
')
|
||||
|
||||
-# should break this up among sections:
|
||||
+init_stream_connect_script(mailserver_delivery)
|
||||
+init_rw_script_stream_sockets(mailserver_delivery)
|
||||
+
|
||||
+tunable_policy(`use_samba_home_dirs',`
|
||||
+ fs_manage_cifs_dirs(mailserver_delivery)
|
||||
+ fs_manage_cifs_files(mailserver_delivery)
|
||||
@ -9269,7 +9277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
||||
optional_policy(`
|
||||
# why is mail delivered to a directory of type arpwatch_data_t?
|
||||
arpwatch_search_data(mailserver_delivery)
|
||||
@@ -154,3 +195,4 @@
|
||||
@@ -154,3 +198,4 @@
|
||||
cron_read_system_job_tmp_files(mta_user_agent)
|
||||
')
|
||||
')
|
||||
@ -9289,8 +9297,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
|
||||
+/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.2.5/policy/modules/services/munin.te
|
||||
--- nsaserefpolicy/policy/modules/services/munin.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/munin.te 2007-12-31 06:15:20.000000000 -0500
|
||||
@@ -37,14 +37,18 @@
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/munin.te 2008-01-16 16:05:13.000000000 -0500
|
||||
@@ -30,21 +30,25 @@
|
||||
# Local policy
|
||||
#
|
||||
|
||||
-allow munin_t self:capability { setgid setuid };
|
||||
+allow munin_t self:capability { dac_override setgid setuid };
|
||||
dontaudit munin_t self:capability sys_tty_config;
|
||||
allow munin_t self:process { getsched setsched signal_perms };
|
||||
allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow munin_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
allow munin_t self:tcp_socket create_stream_socket_perms;
|
||||
allow munin_t self:udp_socket create_socket_perms;
|
||||
@ -10813,7 +10829,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.2.5/policy/modules/services/procmail.te
|
||||
--- nsaserefpolicy/policy/modules/services/procmail.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/procmail.te 2008-01-08 11:05:41.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/procmail.te 2008-01-16 15:49:34.000000000 -0500
|
||||
@@ -102,6 +102,10 @@
|
||||
')
|
||||
|
||||
@ -10825,7 +10841,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc
|
||||
munin_dontaudit_search_lib(procmail_t)
|
||||
')
|
||||
|
||||
@@ -129,7 +133,9 @@
|
||||
@@ -116,6 +120,7 @@
|
||||
|
||||
optional_policy(`
|
||||
pyzor_domtrans(procmail_t)
|
||||
+ pyzor_signal(procmail_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -129,7 +134,9 @@
|
||||
corenet_udp_bind_generic_port(procmail_t)
|
||||
corenet_dontaudit_udp_bind_all_ports(procmail_t)
|
||||
|
||||
@ -10851,7 +10875,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
|
||||
/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.2.5/policy/modules/services/pyzor.if
|
||||
--- nsaserefpolicy/policy/modules/services/pyzor.if 2007-10-12 08:56:07.000000000 -0400
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/pyzor.if 2007-12-19 05:38:09.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/pyzor.if 2008-01-16 15:43:01.000000000 -0500
|
||||
@@ -25,16 +25,18 @@
|
||||
#
|
||||
template(`pyzor_per_role_template',`
|
||||
@ -14931,7 +14955,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu
|
||||
optional_policy(`
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.2.5/policy/modules/system/init.if
|
||||
--- nsaserefpolicy/policy/modules/system/init.if 2007-10-29 18:02:31.000000000 -0400
|
||||
+++ serefpolicy-3.2.5/policy/modules/system/init.if 2007-12-20 08:48:00.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/system/init.if 2008-01-16 06:20:54.000000000 -0500
|
||||
@@ -211,6 +211,13 @@
|
||||
kernel_dontaudit_use_fds($1)
|
||||
')
|
||||
@ -15408,7 +15432,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
|
||||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.2.5/policy/modules/system/libraries.fc
|
||||
--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-12-12 11:35:28.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/system/libraries.fc 2008-01-14 12:58:45.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/system/libraries.fc 2008-01-16 15:54:07.000000000 -0500
|
||||
@@ -133,6 +133,7 @@
|
||||
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -15417,7 +15441,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
|
||||
/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
@@ -183,6 +184,7 @@
|
||||
@@ -165,6 +166,7 @@
|
||||
# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
|
||||
/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
HOME_DIR/.*/\.gstreamer-.*/plugins/*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
+HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
/usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@@ -183,6 +185,7 @@
|
||||
/usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -15425,7 +15457,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
|
||||
/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@@ -242,7 +244,7 @@
|
||||
@@ -242,7 +245,7 @@
|
||||
|
||||
# Flash plugin, Macromedia
|
||||
HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -15434,7 +15466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
|
||||
/usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@@ -292,6 +294,8 @@
|
||||
@@ -292,6 +295,8 @@
|
||||
#
|
||||
# /var
|
||||
#
|
||||
@ -15443,11 +15475,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
|
||||
/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
|
||||
|
||||
@@ -304,3 +308,4 @@
|
||||
@@ -304,3 +309,5 @@
|
||||
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
|
||||
+
|
||||
+/usr/lib(64)?/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.2.5/policy/modules/system/libraries.te
|
||||
--- nsaserefpolicy/policy/modules/system/libraries.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/system/libraries.te 2008-01-02 15:02:58.000000000 -0500
|
||||
@ -16013,7 +16046,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
|
||||
+/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.2.5/policy/modules/system/mount.te
|
||||
--- nsaserefpolicy/policy/modules/system/mount.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/system/mount.te 2008-01-14 10:34:15.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/system/mount.te 2008-01-16 10:54:21.000000000 -0500
|
||||
@@ -8,7 +8,7 @@
|
||||
|
||||
## <desc>
|
||||
@ -16092,7 +16125,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
|
||||
|
||||
auth_use_nsswitch(mount_t)
|
||||
|
||||
@@ -161,6 +168,8 @@
|
||||
@@ -119,6 +126,7 @@
|
||||
seutil_read_config(mount_t)
|
||||
|
||||
userdom_use_all_users_fds(mount_t)
|
||||
+userdom_read_sysadm_home_content_files(mount_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
optional_policy(`
|
||||
@@ -161,6 +169,8 @@
|
||||
fs_search_rpc(mount_t)
|
||||
|
||||
rpc_stub(mount_t)
|
||||
@ -16101,7 +16142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -175,6 +184,11 @@
|
||||
@@ -175,6 +185,11 @@
|
||||
')
|
||||
')
|
||||
|
||||
@ -16113,7 +16154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
|
||||
# for kernel package installation
|
||||
optional_policy(`
|
||||
rpm_rw_pipes(mount_t)
|
||||
@@ -182,6 +196,7 @@
|
||||
@@ -182,6 +197,7 @@
|
||||
|
||||
optional_policy(`
|
||||
samba_domtrans_smbmount(mount_t)
|
||||
@ -16121,7 +16162,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -192,4 +207,26 @@
|
||||
@@ -192,4 +208,26 @@
|
||||
optional_policy(`
|
||||
files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
|
||||
unconfined_domain(unconfined_mount_t)
|
||||
@ -16992,7 +17033,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
|
||||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.2.5/policy/modules/system/unconfined.fc
|
||||
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2007-12-12 11:35:28.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/system/unconfined.fc 2007-12-19 05:38:09.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/system/unconfined.fc 2008-01-17 08:46:28.000000000 -0500
|
||||
@@ -10,7 +10,11 @@
|
||||
/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
|
||||
|
||||
@ -17274,7 +17315,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
||||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.5/policy/modules/system/unconfined.te
|
||||
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/system/unconfined.te 2008-01-11 15:57:35.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/system/unconfined.te 2008-01-17 08:47:06.000000000 -0500
|
||||
@@ -9,32 +9,48 @@
|
||||
# usage in this module of types created by these
|
||||
# calls is not correct, however we dont currently
|
||||
@ -17489,7 +17530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -219,14 +238,32 @@
|
||||
@@ -219,14 +238,34 @@
|
||||
|
||||
allow unconfined_execmem_t self:process { execstack execmem };
|
||||
unconfined_domain_noaudit(unconfined_execmem_t)
|
||||
@ -17527,6 +17568,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
||||
+allow unconfined_notrans_t self:process { execstack execmem };
|
||||
+unconfined_domain_noaudit(unconfined_notrans_t)
|
||||
+domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t)
|
||||
+# Allow SELinux aware applications to request rpm_script execution
|
||||
+rpm_transition_script(unconfined_notrans_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.2.5/policy/modules/system/userdomain.fc
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2007-02-19 11:32:53.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/system/userdomain.fc 2007-12-19 05:38:09.000000000 -0500
|
||||
@ -17542,7 +17585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-15 11:58:29.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-16 16:19:31.000000000 -0500
|
||||
@@ -29,8 +29,9 @@
|
||||
')
|
||||
|
||||
|