- dontaudit pam_t and dbusd writing to user_home_t
This commit is contained in:
parent
5baf53aabd
commit
4be3ba520d
@ -1645,7 +1645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal
|
||||
#######################################
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.te serefpolicy-3.2.5/policy/modules/apps/ethereal.te
|
||||
--- nsaserefpolicy/policy/modules/apps/ethereal.te 2007-12-19 05:32:09.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/apps/ethereal.te 2007-12-19 05:38:08.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/apps/ethereal.te 2008-01-11 13:39:25.000000000 -0500
|
||||
@@ -16,6 +16,13 @@
|
||||
type tethereal_tmp_t;
|
||||
files_tmp_file(tethereal_tmp_t)
|
||||
@ -1783,7 +1783,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc
|
||||
/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.2.5/policy/modules/apps/gnome.if
|
||||
--- nsaserefpolicy/policy/modules/apps/gnome.if 2007-07-23 10:20:12.000000000 -0400
|
||||
+++ serefpolicy-3.2.5/policy/modules/apps/gnome.if 2007-12-19 05:38:08.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/apps/gnome.if 2008-01-11 13:39:51.000000000 -0500
|
||||
@@ -33,9 +33,60 @@
|
||||
## </param>
|
||||
#
|
||||
@ -2016,8 +2016,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.2.5/policy/modules/apps/gnome.te
|
||||
--- nsaserefpolicy/policy/modules/apps/gnome.te 2007-12-19 05:32:09.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/apps/gnome.te 2007-12-19 05:38:08.000000000 -0500
|
||||
@@ -8,8 +8,15 @@
|
||||
+++ serefpolicy-3.2.5/policy/modules/apps/gnome.te 2008-01-11 13:40:13.000000000 -0500
|
||||
@@ -8,8 +8,19 @@
|
||||
|
||||
attribute gnomedomain;
|
||||
|
||||
@ -2036,6 +2036,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te
|
||||
+
|
||||
+type user_gconf_tmp_t;
|
||||
+files_tmp_file(user_gconf_tmp_t)
|
||||
+
|
||||
+typealias user_gnome_home_t alias unconfined_gnome_home_t;
|
||||
+typealias user_gconf_home_t alias unconfined_gconf_home_t;
|
||||
+typealias user_gconf_tmp_t alias unconfined_gconf_tmp_t;
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.2.5/policy/modules/apps/gpg.fc
|
||||
--- nsaserefpolicy/policy/modules/apps/gpg.fc 2007-10-12 08:56:02.000000000 -0400
|
||||
+++ serefpolicy-3.2.5/policy/modules/apps/gpg.fc 2008-01-03 16:26:50.000000000 -0500
|
||||
@ -2050,7 +2054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc s
|
||||
/usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.2.5/policy/modules/apps/gpg.if
|
||||
--- nsaserefpolicy/policy/modules/apps/gpg.if 2007-07-23 10:20:12.000000000 -0400
|
||||
+++ serefpolicy-3.2.5/policy/modules/apps/gpg.if 2008-01-03 17:11:22.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/apps/gpg.if 2008-01-11 13:40:51.000000000 -0500
|
||||
@@ -38,6 +38,10 @@
|
||||
gen_require(`
|
||||
type gpg_exec_t, gpg_helper_exec_t;
|
||||
@ -3069,7 +3073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
|
||||
# /bin
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.2.5/policy/modules/apps/mozilla.if
|
||||
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-10-29 07:52:48.000000000 -0400
|
||||
+++ serefpolicy-3.2.5/policy/modules/apps/mozilla.if 2008-01-03 17:10:37.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/apps/mozilla.if 2008-01-11 13:41:19.000000000 -0500
|
||||
@@ -35,7 +35,10 @@
|
||||
template(`mozilla_per_role_template',`
|
||||
gen_require(`
|
||||
@ -3510,7 +3514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.2.5/policy/modules/apps/mozilla.te
|
||||
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2007-12-19 05:32:09.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/apps/mozilla.te 2007-12-19 05:38:08.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/apps/mozilla.te 2008-01-11 14:37:00.000000000 -0500
|
||||
@@ -6,15 +6,15 @@
|
||||
# Declarations
|
||||
#
|
||||
@ -6014,7 +6018,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto
|
||||
+/var/run/autofs.* gen_context(system_u:object_r:automount_var_run_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.2.5/policy/modules/services/automount.if
|
||||
--- nsaserefpolicy/policy/modules/services/automount.if 2007-03-26 10:39:04.000000000 -0400
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/automount.if 2007-12-19 05:38:09.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/automount.if 2008-01-08 15:20:43.000000000 -0500
|
||||
@@ -74,3 +74,21 @@
|
||||
|
||||
dontaudit $1 automount_tmp_t:dir getattr;
|
||||
@ -6786,7 +6790,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
||||
+/usr/local/Printer/[^/]*/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.2.5/policy/modules/services/cups.te
|
||||
--- nsaserefpolicy/policy/modules/services/cups.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/cups.te 2007-12-19 05:38:09.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/cups.te 2008-01-10 16:16:06.000000000 -0500
|
||||
@@ -43,14 +43,12 @@
|
||||
|
||||
type cupsd_var_run_t;
|
||||
@ -6931,9 +6935,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
||||
auth_use_nsswitch(cupsd_t)
|
||||
|
||||
libs_use_ld_so(cupsd_t)
|
||||
@@ -220,16 +230,19 @@
|
||||
@@ -219,17 +229,22 @@
|
||||
miscfiles_read_fonts(cupsd_t)
|
||||
|
||||
seutil_read_config(cupsd_t)
|
||||
+sysnet_exec_ifconfig(cupsd_t)
|
||||
|
||||
-sysnet_read_config(cupsd_t)
|
||||
-
|
||||
@ -6944,6 +6950,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
||||
# Write to /var/spool/cups.
|
||||
lpd_manage_spool(cupsd_t)
|
||||
+lpd_read_config(cupsd_t)
|
||||
+lpd_exec_lpr(cupsd_t)
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
lpd_relabel_spool(cupsd_t)
|
||||
@ -6953,7 +6960,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -242,12 +255,21 @@
|
||||
@@ -242,12 +257,21 @@
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client_template(cupsd,cupsd_t)
|
||||
@ -6975,7 +6982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -263,6 +285,10 @@
|
||||
@@ -263,6 +287,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -6986,7 +6993,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
||||
# cups execs smbtool which reads samba_etc_t files
|
||||
samba_read_config(cupsd_t)
|
||||
samba_rw_var_files(cupsd_t)
|
||||
@@ -326,6 +352,7 @@
|
||||
@@ -326,6 +354,7 @@
|
||||
dev_read_sysfs(cupsd_config_t)
|
||||
dev_read_urand(cupsd_config_t)
|
||||
dev_read_rand(cupsd_config_t)
|
||||
@ -6994,7 +7001,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
||||
|
||||
fs_getattr_all_fs(cupsd_config_t)
|
||||
fs_search_auto_mountpoints(cupsd_config_t)
|
||||
@@ -372,6 +399,10 @@
|
||||
@@ -372,6 +401,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -7005,7 +7012,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
||||
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
|
||||
')
|
||||
|
||||
@@ -387,6 +418,7 @@
|
||||
@@ -387,6 +420,7 @@
|
||||
optional_policy(`
|
||||
hal_domtrans(cupsd_config_t)
|
||||
hal_read_tmp_files(cupsd_config_t)
|
||||
@ -7013,7 +7020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -499,14 +531,12 @@
|
||||
@@ -499,14 +533,12 @@
|
||||
allow hplip_t self:udp_socket create_socket_perms;
|
||||
allow hplip_t self:rawip_socket create_socket_perms;
|
||||
|
||||
@ -7032,7 +7039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
||||
|
||||
manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t)
|
||||
files_pid_filetrans(hplip_t,hplip_var_run_t,file)
|
||||
@@ -537,14 +567,14 @@
|
||||
@@ -537,14 +569,14 @@
|
||||
dev_read_urand(hplip_t)
|
||||
dev_read_rand(hplip_t)
|
||||
dev_rw_generic_usb_dev(hplip_t)
|
||||
@ -7049,7 +7056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
||||
domain_use_interactive_fds(hplip_t)
|
||||
|
||||
files_read_etc_files(hplip_t)
|
||||
@@ -565,6 +595,7 @@
|
||||
@@ -565,6 +597,7 @@
|
||||
userdom_dontaudit_search_all_users_home_content(hplip_t)
|
||||
|
||||
lpd_read_config(cupsd_t)
|
||||
@ -8500,7 +8507,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
|
||||
+files_type(mailscanner_spool_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.2.5/policy/modules/services/mta.if
|
||||
--- nsaserefpolicy/policy/modules/services/mta.if 2007-12-06 13:12:03.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/mta.if 2008-01-04 10:12:33.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/mta.if 2008-01-11 14:28:39.000000000 -0500
|
||||
@@ -133,6 +133,12 @@
|
||||
sendmail_create_log($1_mail_t)
|
||||
')
|
||||
@ -8514,23 +8521,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -217,6 +223,15 @@
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_manage_cifs_files($1_mail_t)
|
||||
@@ -219,6 +225,11 @@
|
||||
fs_manage_cifs_symlinks($1_mail_t)
|
||||
+ fs_manage_cifs_files(mailserver_delivery)
|
||||
+ fs_manage_cifs_symlinks(mailserver_delivery)
|
||||
+ ')
|
||||
+
|
||||
')
|
||||
|
||||
+ tunable_policy(`use_nfs_home_dirs',`
|
||||
+ fs_manage_nfs_files($1_mail_t)
|
||||
+ fs_manage_nfs_symlinks($1_mail_t)
|
||||
+ fs_manage_nfs_files(mailserver_delivery)
|
||||
+ fs_manage_nfs_symlinks(mailserver_delivery)
|
||||
')
|
||||
|
||||
+ ')
|
||||
+
|
||||
optional_policy(`
|
||||
@@ -305,6 +320,42 @@
|
||||
allow $1_mail_t self:capability dac_override;
|
||||
|
||||
@@ -305,6 +316,42 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -8573,7 +8576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
||||
## Modified mailserver interface for
|
||||
## sendmail daemon use.
|
||||
## </summary>
|
||||
@@ -383,11 +434,13 @@
|
||||
@@ -383,11 +430,13 @@
|
||||
allow $1 mail_spool_t:dir list_dir_perms;
|
||||
create_files_pattern($1,mail_spool_t,mail_spool_t)
|
||||
read_files_pattern($1,mail_spool_t,mail_spool_t)
|
||||
@ -8587,7 +8590,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -422,6 +475,7 @@
|
||||
@@ -422,6 +471,7 @@
|
||||
# apache should set close-on-exec
|
||||
apache_dontaudit_rw_stream_sockets($1)
|
||||
apache_dontaudit_rw_sys_script_stream_sockets($1)
|
||||
@ -8595,7 +8598,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
||||
')
|
||||
')
|
||||
|
||||
@@ -438,20 +492,18 @@
|
||||
@@ -438,20 +488,18 @@
|
||||
interface(`mta_send_mail',`
|
||||
gen_require(`
|
||||
attribute mta_user_agent;
|
||||
@ -8622,7 +8625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -586,6 +638,25 @@
|
||||
@@ -586,6 +634,25 @@
|
||||
files_search_etc($1)
|
||||
allow $1 etc_aliases_t:file { rw_file_perms setattr };
|
||||
')
|
||||
@ -8648,7 +8651,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
@@ -837,6 +908,25 @@
|
||||
@@ -837,6 +904,25 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -8676,7 +8679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
||||
## </summary>
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.5/policy/modules/services/mta.te
|
||||
--- nsaserefpolicy/policy/modules/services/mta.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/mta.te 2007-12-19 05:38:09.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/mta.te 2008-01-11 14:28:19.000000000 -0500
|
||||
@@ -6,6 +6,8 @@
|
||||
# Declarations
|
||||
#
|
||||
@ -8755,7 +8758,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
||||
logrotate_read_tmp_files(system_mail_t)
|
||||
')
|
||||
|
||||
@@ -136,6 +158,14 @@
|
||||
@@ -136,11 +158,30 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -8770,6 +8773,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
||||
smartmon_read_tmp_files(system_mail_t)
|
||||
')
|
||||
|
||||
-# should break this up among sections:
|
||||
+tunable_policy(`use_samba_home_dirs',`
|
||||
+ fs_manage_cifs_dirs(mailserver_delivery)
|
||||
+ fs_manage_cifs_files(mailserver_delivery)
|
||||
+ fs_manage_cifs_symlinks(mailserver_delivery)
|
||||
+')
|
||||
+
|
||||
+tunable_policy(`use_nfs_home_dirs',`
|
||||
+ fs_manage_nfs_dirs(mailserver_delivery)
|
||||
+ fs_manage_nfs_files(mailserver_delivery)
|
||||
+ fs_manage_nfs_symlinks(mailserver_delivery)
|
||||
+')
|
||||
|
||||
+# should break this up among sections:
|
||||
optional_policy(`
|
||||
# why is mail delivered to a directory of type arpwatch_data_t?
|
||||
arpwatch_search_data(mailserver_delivery)
|
||||
@@ -154,3 +195,4 @@
|
||||
cron_read_system_job_tmp_files(mta_user_agent)
|
||||
')
|
||||
')
|
||||
+
|
||||
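Review bot: The `use_samba_home_dirs` and `use_nfs_home_dirs` blocks give every domain carrying the `mailserver_delivery` attribute manage rights on cifs_t and nfs_t dirs, files and symlinks, and because those two types label an entire CIFS or NFS mount, the grant is not limited to home directories despite the tunable names. A comment above the first `tunable_policy` would make that trade-off visible to whoever toggles the boolean: `# cifs_t/nfs_t label whole mounts, so every MDA in mailserver_delivery may write anywhere on them, not only under home dirs`. If only the local delivery agent actually writes to remote home directories, scoping the rules to that domain rather than the attribute would narrow the exposure; the hunk does not show which domains are in the attribute, so I cannot tell from here whether that is feasible.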
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.2.5/policy/modules/services/munin.fc
|
||||
--- nsaserefpolicy/policy/modules/services/munin.fc 2007-04-30 10:41:38.000000000 -0400
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/munin.fc 2007-12-31 05:55:51.000000000 -0500
|
||||
@ -9905,7 +9930,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
||||
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.2.5/policy/modules/services/postfix.if
|
||||
--- nsaserefpolicy/policy/modules/services/postfix.if 2007-12-04 11:02:50.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/postfix.if 2007-12-19 05:38:09.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/postfix.if 2008-01-08 16:12:40.000000000 -0500
|
||||
@@ -416,7 +416,7 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
@ -9944,7 +9969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
||||
## </summary>
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.2.5/policy/modules/services/postfix.te
|
||||
--- nsaserefpolicy/policy/modules/services/postfix.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/postfix.te 2007-12-31 14:18:01.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/postfix.te 2008-01-11 14:27:52.000000000 -0500
|
||||
@@ -6,6 +6,14 @@
|
||||
# Declarations
|
||||
#
|
||||
@ -10098,6 +10123,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
||||
########################################
|
||||
#
|
||||
# Postfix virtual local policy
|
||||
@@ -584,3 +618,4 @@
|
||||
# For reading spamassasin
|
||||
mta_read_config(postfix_virtual_t)
|
||||
mta_manage_spool(postfix_virtual_t)
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.2.5/policy/modules/services/postgresql.fc
|
||||
--- nsaserefpolicy/policy/modules/services/postgresql.fc 2006-11-16 17:15:21.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/postgresql.fc 2007-12-19 05:38:09.000000000 -0500
|
||||
@ -10201,6 +10231,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
||||
########################################
|
||||
#
|
||||
# postgresql Local policy
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.te serefpolicy-3.2.5/policy/modules/services/postgrey.te
|
||||
--- nsaserefpolicy/policy/modules/services/postgrey.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/postgrey.te 2008-01-08 16:15:30.000000000 -0500
|
||||
@@ -24,7 +24,7 @@
|
||||
# Local policy
|
||||
#
|
||||
|
||||
-allow postgrey_t self:capability { chown setgid setuid };
|
||||
+allow postgrey_t self:capability { chown dac_override setgid setuid };
|
||||
dontaudit postgrey_t self:capability sys_tty_config;
|
||||
allow postgrey_t self:process signal_perms;
|
||||
allow postgrey_t self:tcp_socket create_stream_socket_perms;
|
||||
@@ -85,6 +85,11 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ postfix_read_config(postgrey_t)
|
||||
+ postfix_read_spool_files(postgrey_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
seutil_sigchld_newrole(postgrey_t)
|
||||
')
|
||||
|
||||
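Review bot: `dac_override` in the new capability set lets postgrey_t bypass DAC read, write and execute checks on anything its type rules already permit, while the other additions in this hunk (`postfix_read_config`, `postfix_read_spool_files`) are read-only. If the capability is only there because postgrey runs as an unprivileged user and must read root-owned postfix files, `dac_read_search` is the narrower choice: `allow postgrey_t self:capability { chown dac_read_search setgid setuid };`. Better still would be fixing group ownership on the files it reads so no DAC bypass is needed at all; either way a one-line comment stating which access needs the capability would stop it from being carried forward unexamined.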
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.2.5/policy/modules/services/ppp.fc
|
||||
--- nsaserefpolicy/policy/modules/services/ppp.fc 2006-11-16 17:15:20.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/ppp.fc 2007-12-19 05:38:09.000000000 -0500
|
||||
@ -11632,13 +11686,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
|
||||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.2.5/policy/modules/services/spamassassin.fc
|
||||
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2007-10-12 08:56:07.000000000 -0400
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.fc 2007-12-19 05:38:09.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.fc 2008-01-09 09:00:58.000000000 -0500
|
||||
@@ -1,4 +1,4 @@
|
||||
-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)
|
||||
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:user_spamassassin_home_t,s0)
|
||||
|
||||
/usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0)
|
||||
/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0)
|
||||
@@ -9,8 +9,11 @@
|
||||
|
||||
/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
|
||||
|
||||
+/var/log/spamd\.log -- gen_context(system_u:object_r:spamd_log_t,s0)
|
||||
+
|
||||
/var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
|
||||
/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
|
||||
|
||||
/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
|
||||
/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.2.5/policy/modules/services/spamassassin.if
|
||||
--- nsaserefpolicy/policy/modules/services/spamassassin.if 2007-10-12 08:56:07.000000000 -0400
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.if 2008-01-03 12:06:11.000000000 -0500
|
||||
@ -12085,7 +12151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.2.5/policy/modules/services/spamassassin.te
|
||||
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.te 2008-01-03 12:54:53.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.te 2008-01-09 09:00:24.000000000 -0500
|
||||
@@ -21,8 +21,9 @@
|
||||
gen_tunable(spamd_enable_home_dirs,true)
|
||||
|
||||
@ -12097,7 +12163,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
|
||||
|
||||
type spamd_t;
|
||||
type spamd_exec_t;
|
||||
@@ -42,7 +43,17 @@
|
||||
@@ -31,6 +32,9 @@
|
||||
type spamd_spool_t;
|
||||
files_type(spamd_spool_t)
|
||||
|
||||
+type spamd_log_t;
|
||||
+logging_log_file(spamd_log_t)
|
||||
+
|
||||
type spamd_tmp_t;
|
||||
files_tmp_file(spamd_tmp_t)
|
||||
|
||||
@@ -42,7 +46,17 @@
|
||||
files_pid_file(spamd_var_run_t)
|
||||
|
||||
type spamassassin_exec_t;
|
||||
@ -12116,7 +12192,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -81,10 +92,11 @@
|
||||
@@ -71,6 +85,9 @@
|
||||
allow spamd_t self:udp_socket create_socket_perms;
|
||||
allow spamd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
+manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t)
|
||||
+logging_log_filetrans(spamd_t,spamd_log_t,file)
|
||||
+
|
||||
manage_dirs_pattern(spamd_t,spamd_spool_t,spamd_spool_t)
|
||||
manage_files_pattern(spamd_t,spamd_spool_t,spamd_spool_t)
|
||||
files_spool_filetrans(spamd_t,spamd_spool_t, { file dir })
|
||||
@@ -81,10 +98,11 @@
|
||||
|
||||
# var/lib files for spamd
|
||||
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
|
||||
@ -12129,7 +12215,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
|
||||
files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
|
||||
|
||||
kernel_read_all_sysctls(spamd_t)
|
||||
@@ -149,11 +161,31 @@
|
||||
@@ -149,11 +167,31 @@
|
||||
userdom_search_unpriv_users_home_dirs(spamd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(spamd_t)
|
||||
|
||||
@ -12161,7 +12247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
|
||||
fs_manage_cifs_files(spamd_t)
|
||||
')
|
||||
|
||||
@@ -171,6 +203,7 @@
|
||||
@@ -171,6 +209,7 @@
|
||||
|
||||
optional_policy(`
|
||||
dcc_domtrans_client(spamd_t)
|
||||
@ -12169,7 +12255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
|
||||
dcc_stream_connect_dccifd(spamd_t)
|
||||
')
|
||||
|
||||
@@ -212,3 +245,206 @@
|
||||
@@ -212,3 +251,206 @@
|
||||
optional_policy(`
|
||||
udev_read_db(spamd_t)
|
||||
')
|
||||
@ -14139,7 +14225,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.2.5/policy/modules/system/authlogin.te
|
||||
--- nsaserefpolicy/policy/modules/system/authlogin.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/system/authlogin.te 2007-12-19 05:38:09.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/system/authlogin.te 2008-01-11 14:30:57.000000000 -0500
|
||||
@@ -59,6 +59,9 @@
|
||||
type utempter_exec_t;
|
||||
application_domain(utempter_t,utempter_exec_t)
|
||||
@ -14160,18 +14246,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
||||
########################################
|
||||
#
|
||||
# PAM local policy
|
||||
@@ -121,6 +127,10 @@
|
||||
@@ -121,6 +127,11 @@
|
||||
logging_send_syslog_msg(pam_t)
|
||||
|
||||
userdom_use_unpriv_users_fds(pam_t)
|
||||
+userdom_write_unpriv_users_tmp_files(pam_t)
|
||||
+userdom_unlink_unpriv_users_tmp_files(pam_t)
|
||||
+userdom_read_unpriv_users_home_content_files(pam_t)
|
||||
+userdom_dontaudit_read_unpriv_users_home_content_files(pam_t)
|
||||
+userdom_dontaudit_write_user_home_content_files(user, pam_t)
|
||||
+userdom_append_unpriv_users_home_content_files(pam_t)
|
||||
|
||||
optional_policy(`
|
||||
locallogin_use_fds(pam_t)
|
||||
@@ -279,8 +289,10 @@
|
||||
@@ -279,8 +290,10 @@
|
||||
files_manage_etc_files(updpwd_t)
|
||||
|
||||
term_dontaudit_use_console(updpwd_t)
|
||||
@ -14183,7 +14270,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
||||
|
||||
auth_manage_shadow(updpwd_t)
|
||||
auth_use_nsswitch(updpwd_t)
|
||||
@@ -329,11 +341,6 @@
|
||||
@@ -329,11 +342,6 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
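Review bot: `userdom_read_unpriv_users_home_content_files(pam_t)` and `userdom_dontaudit_read_unpriv_users_home_content_files(pam_t)` target the same permission on the same objects, so the dontaudit is a no-op while the allow stands and would silently mask real denials if the allow is later removed; one of the two should go. The allow itself gives pam_t read access to every unprivileged user's home content, and the hunk also carries `userdom_append_unpriv_users_home_content_files(pam_t)`, an allow rather than the dontaudit the changelog entry describes; if the append rule predates this commit that is fine, but a comment naming the PAM module that needs home-directory read and append, e.g. `# <module> reads and appends per-user files under $HOME; dontaudit plain writes`, would justify the breadth. The PAM local policy section continues beyond the hunk, so I cannot see whether other home-content rules already exist for pam_t.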
@ -17,7 +17,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.2.5
|
||||
Release: 9%{?dist}
|
||||
Release: 10%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -387,6 +387,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Jan 7 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-10
|
||||
- dontaudit pam_t and dbusd writing to user_home_t
|
||||
|
||||
* Mon Jan 7 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-9
|
||||
- Update gpg to allow reading of inotify
|
||||
|
||||
|