- Add devicekit policy
This commit is contained in:
parent
055d177c4c
commit
4e42f3a511
@ -4262,7 +4262,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
network_port(xfs, tcp,7100,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.3/policy/modules/kernel/devices.fc
|
||||
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2008-10-08 21:42:58.000000000 -0400
|
||||
+++ serefpolicy-3.6.3/policy/modules/kernel/devices.fc 2009-01-19 13:10:02.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/kernel/devices.fc 2009-01-19 14:33:15.000000000 -0500
|
||||
@@ -1,7 +1,7 @@
|
||||
|
||||
/dev -d gen_context(system_u:object_r:device_t,s0)
|
||||
@ -4350,15 +4350,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0)
|
||||
/dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0)
|
||||
/dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
@@ -91,6 +108,7 @@
|
||||
@@ -91,20 +108,32 @@
|
||||
|
||||
/dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
|
||||
|
||||
-/dev/cpu/.* -c gen_context(system_u:object_r:cpu_device_t,s0)
|
||||
+/dev/cpu_dma_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0)
|
||||
/dev/cpu/.* -c gen_context(system_u:object_r:cpu_device_t,s0)
|
||||
+/dev/cpu.* -c gen_context(system_u:object_r:cpu_device_t,s0)
|
||||
/dev/cpu/mtrr -c gen_context(system_u:object_r:mtrr_device_t,s0)
|
||||
|
||||
@@ -98,13 +116,23 @@
|
||||
/dev/dri/.+ -c gen_context(system_u:object_r:dri_device_t,s0)
|
||||
|
||||
/dev/dvb/.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
|
||||
@ -4378,6 +4379,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
/dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0)
|
||||
+/dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
|
||||
+/dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0)
|
||||
+/dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
|
||||
|
||||
/dev/pts(/.*)? <<none>>
|
||||
@ -5404,6 +5406,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
########################################
|
||||
#
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.6.3/policy/modules/kernel/filesystem.fc
|
||||
--- nsaserefpolicy/policy/modules/kernel/filesystem.fc 2008-08-07 11:15:01.000000000 -0400
|
||||
+++ serefpolicy-3.6.3/policy/modules/kernel/filesystem.fc 2009-01-19 13:53:22.000000000 -0500
|
||||
@@ -1 +1 @@
|
||||
-# This module currently does not have any file contexts.
|
||||
+/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.3/policy/modules/kernel/filesystem.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-01-05 15:39:38.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/kernel/filesystem.if 2009-01-19 13:10:02.000000000 -0500
|
||||
@ -6040,7 +6048,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.6.3/policy/modules/kernel/storage.fc
|
||||
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2008-10-08 19:00:23.000000000 -0400
|
||||
+++ serefpolicy-3.6.3/policy/modules/kernel/storage.fc 2009-01-19 13:10:02.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/kernel/storage.fc 2009-01-19 13:53:59.000000000 -0500
|
||||
@@ -36,7 +36,7 @@
|
||||
/dev/pg[0-3] -c gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/ps3d.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
@ -6050,6 +6058,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
ifdef(`distro_redhat', `
|
||||
/dev/root -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
@@ -67,6 +67,8 @@
|
||||
/dev/md/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
/dev/mapper/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
|
||||
+/dev/device-mapper -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
+
|
||||
/dev/raw/raw[0-9]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
|
||||
/dev/scramdisk/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.3/policy/modules/kernel/terminal.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2008-11-11 16:13:41.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/kernel/terminal.if 2009-01-19 13:10:02.000000000 -0500
|
||||
@ -8332,7 +8349,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.3/policy/modules/services/apache.te
|
||||
--- nsaserefpolicy/policy/modules/services/apache.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/services/apache.te 2009-01-19 13:10:02.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/services/apache.te 2009-01-19 15:38:07.000000000 -0500
|
||||
@@ -19,6 +19,8 @@
|
||||
# Declarations
|
||||
#
|
||||
@ -8427,15 +8444,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
type httpd_tmp_t;
|
||||
files_tmp_file(httpd_tmp_t)
|
||||
|
||||
@@ -196,6 +242,7 @@
|
||||
userdom_user_home_content(httpd_user_script_rw_t)
|
||||
@@ -187,15 +233,22 @@
|
||||
files_tmpfs_file(httpd_tmpfs_t)
|
||||
|
||||
apache_content_template(user)
|
||||
+
|
||||
ubac_constrained(httpd_user_script_t)
|
||||
+typeattribue httpd_user_content_t, httpdcontent;
|
||||
+typeattribue httpd_user_content_rw_t, httpdcontent;
|
||||
+typeattribue httpd_user_content_ra_t, httpdcontent;
|
||||
+typeattribue httpd_user_script_exec_t, httpdcontent;
|
||||
+
|
||||
userdom_user_home_content(httpd_user_content_t)
|
||||
userdom_user_home_content(httpd_user_htaccess_t)
|
||||
userdom_user_home_content(httpd_user_script_exec_t)
|
||||
-userdom_user_home_content(httpd_user_script_ra_t)
|
||||
-userdom_user_home_content(httpd_user_script_ro_t)
|
||||
-userdom_user_home_content(httpd_user_script_rw_t)
|
||||
+userdom_user_home_content(httpd_user_content_ra_t)
|
||||
+userdom_user_home_content(httpd_user_content_ro_t)
|
||||
+userdom_user_home_content(httpd_user_content_rw_t)
|
||||
typeattribute httpd_user_script_t httpd_script_domains;
|
||||
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
|
||||
+typealias httpd_user_content_t alias httpd_unconfined_content_t;
|
||||
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
|
||||
typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
|
||||
typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
|
||||
@@ -230,7 +277,7 @@
|
||||
@@ -230,7 +283,7 @@
|
||||
# Apache server local policy
|
||||
#
|
||||
|
||||
@ -8444,7 +8479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dontaudit httpd_t self:capability { net_admin sys_tty_config };
|
||||
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow httpd_t self:fd use;
|
||||
@@ -272,6 +319,7 @@
|
||||
@@ -272,6 +325,7 @@
|
||||
allow httpd_t httpd_modules_t:dir list_dir_perms;
|
||||
mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
||||
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
||||
@ -8452,7 +8487,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
apache_domtrans_rotatelogs(httpd_t)
|
||||
# Apache-httpd needs to be able to send signals to the log rotate procs.
|
||||
@@ -283,9 +331,9 @@
|
||||
@@ -283,9 +337,9 @@
|
||||
|
||||
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
|
||||
|
||||
@ -8465,7 +8500,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
||||
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
||||
@@ -301,6 +349,7 @@
|
||||
@@ -301,6 +355,7 @@
|
||||
manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
|
||||
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
|
||||
|
||||
@ -8473,7 +8508,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
|
||||
manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
|
||||
files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file })
|
||||
@@ -312,6 +361,7 @@
|
||||
@@ -312,6 +367,7 @@
|
||||
kernel_read_kernel_sysctls(httpd_t)
|
||||
# for modules that want to access /proc/meminfo
|
||||
kernel_read_system_state(httpd_t)
|
||||
@ -8481,7 +8516,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
corenet_all_recvfrom_unlabeled(httpd_t)
|
||||
corenet_all_recvfrom_netlabel(httpd_t)
|
||||
@@ -322,6 +372,7 @@
|
||||
@@ -322,6 +378,7 @@
|
||||
corenet_tcp_sendrecv_all_ports(httpd_t)
|
||||
corenet_udp_sendrecv_all_ports(httpd_t)
|
||||
corenet_tcp_bind_generic_node(httpd_t)
|
||||
@ -8489,7 +8524,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
corenet_tcp_bind_http_port(httpd_t)
|
||||
corenet_tcp_bind_http_cache_port(httpd_t)
|
||||
corenet_sendrecv_http_server_packets(httpd_t)
|
||||
@@ -335,12 +386,12 @@
|
||||
@@ -335,12 +392,12 @@
|
||||
|
||||
fs_getattr_all_fs(httpd_t)
|
||||
fs_search_auto_mountpoints(httpd_t)
|
||||
@ -8505,7 +8540,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
domain_use_interactive_fds(httpd_t)
|
||||
|
||||
@@ -358,6 +409,10 @@
|
||||
@@ -358,6 +415,10 @@
|
||||
files_read_var_lib_symlinks(httpd_t)
|
||||
|
||||
fs_search_auto_mountpoints(httpd_sys_script_t)
|
||||
@ -8516,7 +8551,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
libs_read_lib_files(httpd_t)
|
||||
|
||||
@@ -372,18 +427,33 @@
|
||||
@@ -372,18 +433,33 @@
|
||||
|
||||
userdom_use_unpriv_users_fds(httpd_t)
|
||||
|
||||
@ -8554,7 +8589,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -391,20 +461,54 @@
|
||||
@@ -391,20 +467,54 @@
|
||||
corenet_tcp_connect_all_ports(httpd_t)
|
||||
')
|
||||
|
||||
@ -8610,7 +8645,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
|
||||
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
|
||||
@@ -415,20 +519,28 @@
|
||||
@@ -415,20 +525,28 @@
|
||||
corenet_tcp_bind_ftp_port(httpd_t)
|
||||
')
|
||||
|
||||
@ -8643,7 +8678,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
tunable_policy(`httpd_ssi_exec',`
|
||||
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
|
||||
allow httpd_sys_script_t httpd_t:fd use;
|
||||
@@ -459,8 +571,13 @@
|
||||
@@ -459,8 +577,13 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -8659,7 +8694,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -472,18 +589,13 @@
|
||||
@@ -472,18 +595,13 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -8679,7 +8714,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -493,6 +605,12 @@
|
||||
@@ -493,6 +611,12 @@
|
||||
openca_kill(httpd_t)
|
||||
')
|
||||
|
||||
@ -8692,7 +8727,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
optional_policy(`
|
||||
# Allow httpd to work with postgresql
|
||||
postgresql_stream_connect(httpd_t)
|
||||
@@ -500,6 +618,7 @@
|
||||
@@ -500,6 +624,7 @@
|
||||
|
||||
tunable_policy(`httpd_can_network_connect_db',`
|
||||
postgresql_tcp_connect(httpd_t)
|
||||
@ -8700,7 +8735,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -508,6 +627,7 @@
|
||||
@@ -508,6 +633,7 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -8708,7 +8743,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
|
||||
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
|
||||
')
|
||||
@@ -535,6 +655,22 @@
|
||||
@@ -535,6 +661,22 @@
|
||||
|
||||
userdom_use_user_terminals(httpd_helper_t)
|
||||
|
||||
@ -8731,7 +8766,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
########################################
|
||||
#
|
||||
# Apache PHP script local policy
|
||||
@@ -564,20 +700,25 @@
|
||||
@@ -564,20 +706,25 @@
|
||||
|
||||
fs_search_auto_mountpoints(httpd_php_t)
|
||||
|
||||
@ -8763,7 +8798,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -595,23 +736,24 @@
|
||||
@@ -595,23 +742,24 @@
|
||||
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
||||
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
||||
|
||||
@ -8792,7 +8827,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
files_read_etc_files(httpd_suexec_t)
|
||||
files_read_usr_files(httpd_suexec_t)
|
||||
@@ -641,12 +783,25 @@
|
||||
@@ -624,6 +772,7 @@
|
||||
logging_send_syslog_msg(httpd_suexec_t)
|
||||
|
||||
miscfiles_read_localization(httpd_suexec_t)
|
||||
+miscfiles_read_public_files(httpd_suexec_t)
|
||||
|
||||
tunable_policy(`httpd_can_network_connect',`
|
||||
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
|
||||
@@ -641,12 +790,25 @@
|
||||
corenet_sendrecv_all_client_packets(httpd_suexec_t)
|
||||
')
|
||||
|
||||
@ -8821,7 +8864,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
@@ -655,6 +810,12 @@
|
||||
@@ -655,6 +817,12 @@
|
||||
fs_exec_nfs_files(httpd_suexec_t)
|
||||
')
|
||||
|
||||
@ -8834,7 +8877,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||
fs_read_cifs_files(httpd_suexec_t)
|
||||
fs_read_cifs_symlinks(httpd_suexec_t)
|
||||
@@ -672,15 +833,14 @@
|
||||
@@ -672,15 +840,14 @@
|
||||
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
||||
')
|
||||
|
||||
@ -8853,7 +8896,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
|
||||
|
||||
dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
||||
@@ -699,12 +859,24 @@
|
||||
@@ -699,12 +866,24 @@
|
||||
# Should we add a boolean?
|
||||
apache_domtrans_rotatelogs(httpd_sys_script_t)
|
||||
|
||||
@ -8880,7 +8923,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
@@ -712,6 +884,35 @@
|
||||
@@ -712,6 +891,35 @@
|
||||
fs_read_nfs_symlinks(httpd_sys_script_t)
|
||||
')
|
||||
|
||||
@ -8916,7 +8959,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||
fs_read_cifs_files(httpd_sys_script_t)
|
||||
fs_read_cifs_symlinks(httpd_sys_script_t)
|
||||
@@ -724,6 +925,10 @@
|
||||
@@ -724,6 +932,10 @@
|
||||
optional_policy(`
|
||||
mysql_stream_connect(httpd_sys_script_t)
|
||||
mysql_rw_db_sockets(httpd_sys_script_t)
|
||||
@ -8927,7 +8970,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -735,6 +940,8 @@
|
||||
@@ -735,6 +947,8 @@
|
||||
# httpd_rotatelogs local policy
|
||||
#
|
||||
|
||||
@ -8936,7 +8979,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
|
||||
|
||||
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
|
||||
@@ -762,3 +969,66 @@
|
||||
@@ -754,6 +968,9 @@
|
||||
|
||||
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
||||
allow httpd_user_script_t httpdcontent:file entrypoint;
|
||||
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
|
||||
+ manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
|
||||
+ manage_files_pattern(httpd_user_script_t, httpd_user_content_ra_t, httpd_user_content_ra_t)
|
||||
')
|
||||
|
||||
# allow accessing files/dirs below the users home dir
|
||||
@@ -762,3 +979,66 @@
|
||||
userdom_search_user_home_dirs(httpd_suexec_t)
|
||||
userdom_search_user_home_dirs(httpd_user_script_t)
|
||||
')
|
||||
@ -9811,7 +9864,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.3/policy/modules/services/consolekit.te
|
||||
--- nsaserefpolicy/policy/modules/services/consolekit.te 2009-01-05 15:39:43.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/services/consolekit.te 2009-01-19 13:10:02.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/services/consolekit.te 2009-01-19 14:46:22.000000000 -0500
|
||||
@@ -13,6 +13,9 @@
|
||||
type consolekit_var_run_t;
|
||||
files_pid_file(consolekit_var_run_t)
|
||||
@ -9889,11 +9942,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
optional_policy(`
|
||||
unconfined_dbus_chat(consolekit_t)
|
||||
@@ -61,6 +93,29 @@
|
||||
@@ -61,6 +93,30 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ polkit_domtrans_auth(consolekit_t)
|
||||
+ polkit_read_lib(consolekit_t)
|
||||
+ polkit_read_reload(consolekit_t)
|
||||
+')
|
||||
+
|
||||
@ -12187,8 +12241,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.6.3/policy/modules/services/gnomeclock.te
|
||||
--- nsaserefpolicy/policy/modules/services/gnomeclock.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/services/gnomeclock.te 2009-01-19 13:10:02.000000000 -0500
|
||||
@@ -0,0 +1,50 @@
|
||||
+++ serefpolicy-3.6.3/policy/modules/services/gnomeclock.te 2009-01-19 14:46:31.000000000 -0500
|
||||
@@ -0,0 +1,51 @@
|
||||
+policy_module(gnomeclock, 1.0.0)
|
||||
+########################################
|
||||
+#
|
||||
@ -12236,6 +12290,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
+optional_policy(`
|
||||
+ polkit_domtrans_auth(gnomeclock_t)
|
||||
+ polkit_read_lib(gnomeclock_t)
|
||||
+ polkit_read_reload(gnomeclock_t)
|
||||
+')
|
||||
+
|
||||
@ -12267,7 +12322,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
########################################
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.3/policy/modules/services/hal.te
|
||||
--- nsaserefpolicy/policy/modules/services/hal.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/services/hal.te 2009-01-19 13:10:02.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/services/hal.te 2009-01-19 14:46:49.000000000 -0500
|
||||
@@ -49,6 +49,15 @@
|
||||
type hald_var_lib_t;
|
||||
files_type(hald_var_lib_t)
|
||||
@ -12309,12 +12364,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(hald_t)
|
||||
userdom_dontaudit_search_user_home_dirs(hald_t)
|
||||
@@ -277,6 +292,12 @@
|
||||
@@ -277,6 +292,13 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ polkit_domtrans_auth(hald_t)
|
||||
+ polkit_domtrans_resolve(hald_t)
|
||||
+ polkit_read_lib(hald_t)
|
||||
+ polkit_read_reload(hald_t)
|
||||
+')
|
||||
+
|
||||
@ -12322,7 +12378,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
rpc_search_nfs_state_data(hald_t)
|
||||
')
|
||||
|
||||
@@ -301,12 +322,16 @@
|
||||
@@ -301,12 +323,16 @@
|
||||
virt_manage_images(hald_t)
|
||||
')
|
||||
|
||||
@ -12340,7 +12396,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow hald_acl_t self:process { getattr signal };
|
||||
allow hald_acl_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
@@ -321,6 +346,7 @@
|
||||
@@ -321,6 +347,7 @@
|
||||
manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
|
||||
manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
|
||||
files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
|
||||
@ -12348,7 +12404,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
corecmd_exec_bin(hald_acl_t)
|
||||
|
||||
@@ -339,6 +365,8 @@
|
||||
@@ -339,6 +366,8 @@
|
||||
|
||||
storage_getattr_removable_dev(hald_acl_t)
|
||||
storage_setattr_removable_dev(hald_acl_t)
|
||||
@ -12357,12 +12413,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
auth_use_nsswitch(hald_acl_t)
|
||||
|
||||
@@ -346,12 +374,17 @@
|
||||
@@ -346,12 +375,18 @@
|
||||
|
||||
miscfiles_read_localization(hald_acl_t)
|
||||
|
||||
+optional_policy(`
|
||||
+ polkit_domtrans_auth(hald_acl_t)
|
||||
+ polkit_read_lib(hald_acl_t)
|
||||
+ polkit_read_reload(hald_acl_t)
|
||||
+')
|
||||
+
|
||||
@ -12376,7 +12433,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
|
||||
allow hald_t hald_mac_t:process signal;
|
||||
@@ -418,3 +451,49 @@
|
||||
@@ -418,3 +453,49 @@
|
||||
files_read_usr_files(hald_keymap_t)
|
||||
|
||||
miscfiles_read_localization(hald_keymap_t)
|
||||
@ -12896,7 +12953,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## <param name="domain">
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.3/policy/modules/services/mailman.te
|
||||
--- nsaserefpolicy/policy/modules/services/mailman.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/services/mailman.te 2009-01-19 13:10:02.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/services/mailman.te 2009-01-19 15:30:18.000000000 -0500
|
||||
@@ -53,10 +53,8 @@
|
||||
apache_use_fds(mailman_cgi_t)
|
||||
apache_dontaudit_append_log(mailman_cgi_t)
|
||||
@ -12910,7 +12967,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -65,15 +63,22 @@
|
||||
@@ -65,15 +63,27 @@
|
||||
#
|
||||
|
||||
allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
|
||||
@ -12920,6 +12977,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
+files_search_spool(mailman_mail_t)
|
||||
+fs_rw_anon_inodefs_files(mailman_mail_t)
|
||||
+fs_list_inotifyfs(mailman_mail_t)
|
||||
+
|
||||
+manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
|
||||
+manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
|
||||
@ -12933,12 +12991,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
- allow mailman_mail_t qmail_spool_t:file { read ioctl getattr };
|
||||
- # do we really need this?
|
||||
- allow mailman_mail_t qmail_lspawn_t:fifo_file write;
|
||||
-')
|
||||
+ postfix_search_spool(mailman_mail_t)
|
||||
')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ cron_read_pipes(mailman_mail_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -99,11 +104,15 @@
|
||||
@@ -99,11 +109,15 @@
|
||||
# for su
|
||||
seutil_dontaudit_search_config(mailman_queue_t)
|
||||
|
||||
@ -13813,7 +13874,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## <param name="domain">
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.3/policy/modules/services/networkmanager.te
|
||||
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-01-19 11:07:34.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/services/networkmanager.te 2009-01-19 13:10:02.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/services/networkmanager.te 2009-01-19 14:46:55.000000000 -0500
|
||||
@@ -33,9 +33,9 @@
|
||||
|
||||
# networkmanager will ptrace itself if gdb is installed
|
||||
@ -13956,7 +14017,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -155,23 +199,48 @@
|
||||
@@ -155,23 +199,49 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -13987,6 +14048,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
+optional_policy(`
|
||||
+ polkit_domtrans_auth(NetworkManager_t)
|
||||
+ polkit_read_lib(NetworkManager_t)
|
||||
+ polkit_read_reload(NetworkManager_t)
|
||||
')
|
||||
|
||||
@ -14007,7 +14069,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -184,7 +253,9 @@
|
||||
@@ -184,7 +254,9 @@
|
||||
|
||||
optional_policy(`
|
||||
vpn_domtrans(NetworkManager_t)
|
||||
@ -15974,8 +16036,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:polkit_reload_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.6.3/policy/modules/services/polkit.if
|
||||
--- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/services/polkit.if 2009-01-19 13:10:02.000000000 -0500
|
||||
@@ -0,0 +1,240 @@
|
||||
+++ serefpolicy-3.6.3/policy/modules/services/polkit.if 2009-01-19 14:47:07.000000000 -0500
|
||||
@@ -0,0 +1,241 @@
|
||||
+
|
||||
+## <summary>policy for polkit_auth</summary>
|
||||
+
|
||||
@ -16193,6 +16255,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+template(`polkit_role',`
|
||||
+ polkit_run_auth($2, $1)
|
||||
+ polkit_run_grant($2, $1)
|
||||
+ polkit_read_lib($2)
|
||||
+ polkit_read_reload($2)
|
||||
+')
|
||||
+
|
||||
@ -20250,17 +20313,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## <param name="domain">
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.3/policy/modules/services/squid.te
|
||||
--- nsaserefpolicy/policy/modules/services/squid.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/services/squid.te 2009-01-19 13:10:02.000000000 -0500
|
||||
@@ -118,6 +118,8 @@
|
||||
+++ serefpolicy-3.6.3/policy/modules/services/squid.te 2009-01-19 15:16:22.000000000 -0500
|
||||
@@ -118,6 +118,9 @@
|
||||
|
||||
fs_getattr_all_fs(squid_t)
|
||||
fs_search_auto_mountpoints(squid_t)
|
||||
+#squid requires the following when run in diskd mode, the recommended setting
|
||||
+fs_rw_tmpfs_files(squid_t)
|
||||
+fs_list_inotify(squid_t)
|
||||
|
||||
selinux_dontaudit_getattr_dir(squid_t)
|
||||
|
||||
@@ -185,8 +187,3 @@
|
||||
@@ -185,8 +188,3 @@
|
||||
optional_policy(`
|
||||
udev_read_db(squid_t)
|
||||
')
|
||||
@ -21444,7 +21508,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## display.
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.3/policy/modules/services/xserver.te
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-01-19 13:10:02.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-01-19 14:47:14.000000000 -0500
|
||||
@@ -34,6 +34,13 @@
|
||||
|
||||
## <desc>
|
||||
@ -21810,11 +21874,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
hostname_exec(xdm_t)
|
||||
')
|
||||
|
||||
@@ -542,6 +622,18 @@
|
||||
@@ -542,6 +622,19 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ polkit_domtrans_auth(xdm_t)
|
||||
+ polkit_read_lib(xdm_t)
|
||||
+ polkit_read_reload(xdm_t)
|
||||
+')
|
||||
+
|
||||
@ -21829,7 +21894,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
seutil_sigchld_newrole(xdm_t)
|
||||
')
|
||||
|
||||
@@ -550,8 +642,8 @@
|
||||
@@ -550,8 +643,8 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -21839,7 +21904,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
ifndef(`distro_redhat',`
|
||||
allow xdm_t self:process { execheap execmem };
|
||||
@@ -571,6 +663,10 @@
|
||||
@@ -571,6 +664,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -21850,7 +21915,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
xfs_stream_connect(xdm_t)
|
||||
')
|
||||
|
||||
@@ -635,6 +731,15 @@
|
||||
@@ -635,6 +732,15 @@
|
||||
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||
files_search_var_lib(xserver_t)
|
||||
|
||||
@ -21866,7 +21931,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# Create files in /var/log with the xserver_log_t type.
|
||||
manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
|
||||
logging_log_filetrans(xserver_t, xserver_log_t,file)
|
||||
@@ -682,6 +787,7 @@
|
||||
@@ -682,6 +788,7 @@
|
||||
dev_rw_input_dev(xserver_t)
|
||||
dev_rwx_zero(xserver_t)
|
||||
|
||||
@ -21874,7 +21939,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
domain_mmap_low(xserver_t)
|
||||
|
||||
files_read_etc_files(xserver_t)
|
||||
@@ -697,6 +803,7 @@
|
||||
@@ -697,6 +804,7 @@
|
||||
fs_search_nfs(xserver_t)
|
||||
fs_search_auto_mountpoints(xserver_t)
|
||||
fs_search_ramfs(xserver_t)
|
||||
@ -21882,7 +21947,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
mls_xwin_read_to_clearance(xserver_t)
|
||||
|
||||
@@ -806,7 +913,7 @@
|
||||
@@ -806,7 +914,7 @@
|
||||
allow xserver_t xdm_var_lib_t:file { getattr read };
|
||||
dontaudit xserver_t xdm_var_lib_t:dir search;
|
||||
|
||||
@ -21891,7 +21956,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# Label pid and temporary files with derived types.
|
||||
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||
@@ -830,6 +937,10 @@
|
||||
@@ -830,6 +938,10 @@
|
||||
|
||||
xserver_use_user_fonts(xserver_t)
|
||||
|
||||
@ -21902,7 +21967,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs(xserver_t)
|
||||
fs_manage_nfs_files(xserver_t)
|
||||
@@ -844,11 +955,14 @@
|
||||
@@ -844,11 +956,14 @@
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(xserver_t)
|
||||
@ -21918,7 +21983,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -856,6 +970,11 @@
|
||||
@@ -856,6 +971,11 @@
|
||||
rhgb_rw_tmpfs_files(xserver_t)
|
||||
')
|
||||
|
||||
@ -21930,7 +21995,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
########################################
|
||||
#
|
||||
# Rules common to all X window domains
|
||||
@@ -972,6 +1091,37 @@
|
||||
@@ -972,6 +1092,37 @@
|
||||
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
|
||||
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
|
||||
|
||||
@ -21968,7 +22033,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
ifdef(`TODO',`
|
||||
tunable_policy(`allow_polyinstantiation',`
|
||||
# xdm needs access for linking .X11-unix to poly /tmp
|
||||
@@ -986,3 +1136,13 @@
|
||||
@@ -986,3 +1137,13 @@
|
||||
#
|
||||
allow xdm_t user_home_type:file unlink;
|
||||
') dnl end TODO
|
||||
|
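Review bot: The four `typeattribue` lines in the apache.te hunk (`@@ -187,15 +233,22 @@`) will not compile: the keyword is misspelled, and the comma between the type and the attribute is not valid `typeattribute` syntax — compare `typeattribute httpd_user_script_t httpd_script_domains;` a few lines below in the same hunk. Each should read like `typeattribute httpd_user_content_t httpdcontent;`, and likewise for the `httpd_user_content_rw_t`, `httpd_user_content_ra_t` and `httpd_user_script_exec_t` lines. The squid.te hunk (`@@ -118,6 +118,9 @@`) has the same class of problem: `fs_list_inotify(squid_t)` does not match the interface name the mailman.te hunk uses, `fs_list_inotifyfs(mailman_mail_t)`, so it is presumably a misspelling that would fail at module build. The outer +/- markers are not preserved on this page, so whether these lines are introduced by this commit or pre-existing is inferred from the hunk line counts.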