- Add getsched to hald_t
- Add file context for Fedora/Redhat Directory Server
parent
b0f36568e1
commit
4d67b40db1
@ -10856,7 +10856,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav
|
||||
sysnet_use_ldap(amavis_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.8/policy/modules/services/apache.fc
|
||||
--- nsaserefpolicy/policy/modules/services/apache.fc 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.7.8/policy/modules/services/apache.fc 2010-01-27 11:16:47.000000000 -0500
|
||||
+++ serefpolicy-3.7.8/policy/modules/services/apache.fc 2010-01-27 15:19:37.000000000 -0500
|
||||
@@ -2,12 +2,17 @@
|
||||
|
||||
/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
|
||||
@ -10877,12 +10877,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
|
||||
/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
@@ -21,10 +26,13 @@
|
||||
@@ -21,10 +26,16 @@
|
||||
/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
|
||||
/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
|
||||
/usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
||||
+/usr/lib(64)?/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
||||
|
||||
+/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
||||
+/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
+
|
||||
+/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
@ -10891,7 +10894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
|
||||
/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
|
||||
|
||||
@@ -32,14 +40,28 @@
|
||||
@@ -32,14 +43,28 @@
|
||||
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
')
|
||||
|
||||
@ -10920,7 +10923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
/var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
||||
/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
||||
/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
||||
@@ -47,16 +69,21 @@
|
||||
@@ -47,16 +72,21 @@
|
||||
|
||||
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
|
||||
@ -10942,7 +10945,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
ifdef(`distro_debian', `
|
||||
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||||
')
|
||||
@@ -64,11 +91,33 @@
|
||||
@@ -64,11 +94,33 @@
|
||||
/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
@ -17453,7 +17456,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.7.8/policy/modules/services/hal.te
|
||||
--- nsaserefpolicy/policy/modules/services/hal.te 2009-08-14 16:14:31.000000000 -0400
|
||||
+++ serefpolicy-3.7.8/policy/modules/services/hal.te 2010-01-18 15:18:03.000000000 -0500
|
||||
+++ serefpolicy-3.7.8/policy/modules/services/hal.te 2010-01-27 13:13:18.000000000 -0500
|
||||
@@ -55,6 +55,9 @@
|
||||
type hald_var_lib_t;
|
||||
files_type(hald_var_lib_t)
|
||||
@ -17464,6 +17467,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
@@ -63,7 +66,7 @@
|
||||
# execute openvt which needs setuid
|
||||
allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
|
||||
dontaudit hald_t self:capability {sys_ptrace sys_tty_config };
|
||||
-allow hald_t self:process { getattr signal_perms };
|
||||
+allow hald_t self:process { getsched getattr signal_perms };
|
||||
allow hald_t self:fifo_file rw_fifo_file_perms;
|
||||
allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow hald_t self:unix_dgram_socket create_socket_perms;
|
||||
@@ -100,7 +103,9 @@
|
||||
kernel_rw_irq_sysctls(hald_t)
|
||||
kernel_rw_vm_sysctls(hald_t)
|
||||
@ -17817,15 +17829,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktal
|
||||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.7.8/policy/modules/services/ldap.fc
|
||||
--- nsaserefpolicy/policy/modules/services/ldap.fc 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.7.8/policy/modules/services/ldap.fc 2010-01-18 15:18:03.000000000 -0500
|
||||
@@ -1,5 +1,7 @@
|
||||
+++ serefpolicy-3.7.8/policy/modules/services/ldap.fc 2010-01-27 15:28:08.000000000 -0500
|
||||
@@ -1,8 +1,12 @@
|
||||
|
||||
/etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
|
||||
+/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
|
||||
+
|
||||
/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
|
||||
+/etc/rc\.d/init\.d/dirsrv.* -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
|
||||
|
||||
/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
|
||||
+/usr/sbin/ns-slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
/usr/lib/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
|
||||
@@ -10,8 +14,12 @@
|
||||
|
||||
/var/lib/ldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
|
||||
/var/lib/ldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0)
|
||||
+/var/lib/dirsrv(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
|
||||
+
|
||||
+/var/log/dirsrv(/.*)? gen_context(system_u:object_r:slapd_log_t,s0)
|
||||
|
||||
/var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0)
|
||||
/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0)
|
||||
/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
|
||||
/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
|
||||
+/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.7.8/policy/modules/services/ldap.if
|
||||
--- nsaserefpolicy/policy/modules/services/ldap.if 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.7.8/policy/modules/services/ldap.if 2010-01-18 15:18:03.000000000 -0500
|
||||
@ -17873,6 +17903,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap
|
||||
########################################
|
||||
## <summary>
|
||||
## Read the contents of the OpenLDAP
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.7.8/policy/modules/services/ldap.te
|
||||
--- nsaserefpolicy/policy/modules/services/ldap.te 2009-08-14 16:14:31.000000000 -0400
|
||||
+++ serefpolicy-3.7.8/policy/modules/services/ldap.te 2010-01-27 15:24:00.000000000 -0500
|
||||
@@ -28,6 +28,9 @@
|
||||
type slapd_replog_t;
|
||||
files_type(slapd_replog_t)
|
||||
|
||||
+type slapd_log_t;
|
||||
+logging_log_file(slapd_log_t)
|
||||
+
|
||||
type slapd_tmp_t;
|
||||
files_tmp_file(slapd_tmp_t)
|
||||
|
||||
@@ -68,6 +71,10 @@
|
||||
manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
|
||||
manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
|
||||
|
||||
+manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t)
|
||||
+manage_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
|
||||
+files_log_filetrans(slapd_t, slapd_log_t, { file dir })
|
||||
+
|
||||
manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
|
||||
manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
|
||||
files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.7.8/policy/modules/services/lircd.te
|
||||
--- nsaserefpolicy/policy/modules/services/lircd.te 2010-01-11 09:40:36.000000000 -0500
|
||||
+++ serefpolicy-3.7.8/policy/modules/services/lircd.te 2010-01-18 15:18:03.000000000 -0500
|
||||
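Review bot: The new apache.fc entry `/usr/lib/dirsrv/cgi-bin(/.*)?` omits the `(64)?` that the neighbouring library paths in that hunk carry (`/usr/lib(64)?/httpd(/.*)?`, `/usr/lib(64)?/lighttpd(/.*)?`). On a host where the directory server CGIs are installed under /usr/lib64, they would presumably keep the default library label instead of `httpd_sys_script_exec_t`; I would write `/usr/lib(64)?/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)`. Separately, the ldap.te hunk declares the new type with `logging_log_file(slapd_log_t)` but adds the transition as `files_log_filetrans(slapd_t, slapd_log_t, { file dir })`. No interface of that name is visible on this page, and the logging-module counterpart `logging_log_filetrans(slapd_t, slapd_log_t, { file dir })` looks like what was meant, so confirm it against the interface files before building. Both hunks are excerpts of larger files, so entries outside the view may already cover these cases.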
|
@ -20,7 +20,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.7.8
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -459,6 +459,10 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Jan 27 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-4
|
||||
- Add getsched to hald_t
|
||||
- Add file context for Fedora/Redhat Directory Server
|
||||
|
||||
* Mon Jan 25 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-3
|
||||
- Allow abrt_helper to getattr on all filesystems
|
||||
- Add label for /opt/real/RealPlayer/plugins/oggfformat\.so
|
||||
|