- Dontaudit dbus user client search of /root
parent
f14d51e840
commit
5928688f61
|
@ -5848,7 +5848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.
|
||||||
-')
|
-')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.4/policy/modules/services/dbus.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.4/policy/modules/services/dbus.if
|
||||||
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500
|
||||||
+++ serefpolicy-3.2.4/policy/modules/services/dbus.if 2007-12-13 13:34:36.000000000 -0500
|
+++ serefpolicy-3.2.4/policy/modules/services/dbus.if 2007-12-13 16:46:07.000000000 -0500
|
||||||
@@ -91,7 +91,7 @@
|
@@ -91,7 +91,7 @@
|
||||||
# SE-DBus specific permissions
|
# SE-DBus specific permissions
|
||||||
allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
|
allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
|
||||||
|
@ -5868,17 +5868,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
||||||
allow $1_dbusd_t $2:process sigkill;
|
allow $1_dbusd_t $2:process sigkill;
|
||||||
allow $2 $1_dbusd_t:fd use;
|
allow $2 $1_dbusd_t:fd use;
|
||||||
allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms;
|
allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms;
|
||||||
@@ -161,7 +160,8 @@
|
@@ -161,7 +160,9 @@
|
||||||
seutil_read_config($1_dbusd_t)
|
seutil_read_config($1_dbusd_t)
|
||||||
seutil_read_default_contexts($1_dbusd_t)
|
seutil_read_default_contexts($1_dbusd_t)
|
||||||
|
|
||||||
- userdom_read_user_home_content_files($1, $1_dbusd_t)
|
- userdom_read_user_home_content_files($1, $1_dbusd_t)
|
||||||
|
+ userdom_dontaudit_search_sysadm_home_dirs($1_dbusd_t)
|
||||||
+ userdom_read_unpriv_users_home_content_files($1_dbusd_t)
|
+ userdom_read_unpriv_users_home_content_files($1_dbusd_t)
|
||||||
+ userdom_dontaudit_append_unpriv_home_content_files($1_dbusd_t)
|
+ userdom_dontaudit_append_unpriv_home_content_files($1_dbusd_t)
|
||||||
|
|
||||||
ifdef(`hide_broken_symptoms', `
|
ifdef(`hide_broken_symptoms', `
|
||||||
dontaudit $2 $1_dbusd_t:netlink_selinux_socket { read write };
|
dontaudit $2 $1_dbusd_t:netlink_selinux_socket { read write };
|
||||||
@@ -214,7 +214,7 @@
|
@@ -214,7 +215,7 @@
|
||||||
|
|
||||||
# SE-DBus specific permissions
|
# SE-DBus specific permissions
|
||||||
# allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
|
# allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
|
||||||
|
@ -5887,7 +5888,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
||||||
|
|
||||||
read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
|
read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
|
||||||
files_search_var_lib($2)
|
files_search_var_lib($2)
|
||||||
@@ -366,3 +366,35 @@
|
@@ -366,3 +367,35 @@
|
||||||
|
|
||||||
allow $1 system_dbusd_t:dbus *;
|
allow $1 system_dbusd_t:dbus *;
|
||||||
')
|
')
|
||||||
|
@ -14010,7 +14011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||||
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
|
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.4/policy/modules/system/userdomain.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.4/policy/modules/system/userdomain.if
|
||||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500
|
||||||
+++ serefpolicy-3.2.4/policy/modules/system/userdomain.if 2007-12-13 13:34:37.000000000 -0500
|
+++ serefpolicy-3.2.4/policy/modules/system/userdomain.if 2007-12-13 16:45:56.000000000 -0500
|
||||||
@@ -29,8 +29,9 @@
|
@@ -29,8 +29,9 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
|
|
|
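Review bot: The added `userdom_dontaudit_search_sysadm_home_dirs($1_dbusd_t)` in the per-user dbus template (the `@@ -161,7 +160,9 @@` hunk of dbus.if) has no comment saying what it hides. Since a dontaudit rule leaves the access denied and only drops the AVC record, I would put `# search of /root stays denied; only the audit record is suppressed` above it. The same patch labels `/root(/.*)?` as `admin_home_t` in its userdomain hunk, and the interface body is not visible here, so please confirm the sysadm_home_dirs interface actually covers that type; if it does not, the rule will not match and the denials will keep appearing. Anyone investigating this domain later should remember that these denials only show up again once dontaudit rules are disabled (for example `semodule -DB`). The template body starts and ends outside the hunk.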
@ -17,7 +17,7 @@
|
||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.2.4
|
Version: 3.2.4
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
|
@ -316,8 +316,9 @@ restorecon -R /root /etc/selinux/targeted 2> /dev/null
|
||||||
exit 0
|
exit 0
|
||||||
|
|
||||||
%files targeted
|
%files targeted
|
||||||
%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/xguest_u
|
|
||||||
%fileList targeted
|
%fileList targeted
|
||||||
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/unconfined_u
|
||||||
|
%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/xguest_u
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{BUILD_OLPC}
|
%if %{BUILD_OLPC}
|
||||||
|
@ -379,6 +380,9 @@ exit 0
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Dec 13 2007 Dan Walsh <dwalsh@redhat.com> 3.2.4-1
|
||||||
|
- Dontaudit dbus user client search of /root
|
||||||
|
|
||||||
* Wed Dec 12 2007 Dan Walsh <dwalsh@redhat.com> 3.2.4-1
|
* Wed Dec 12 2007 Dan Walsh <dwalsh@redhat.com> 3.2.4-1
|
||||||
- Update to upstream
|
- Update to upstream
|
||||||
|
|
||||||
|
|
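Review bot: The new line `%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/unconfined_u` appears to sit directly in the `%files targeted` list rather than inside a parameterised macro body, so `%1` is probably not expanded there and the entry would not match the installed context file. The xguest_u line next to it spells the policy name out, and the same form would be `%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u`. Separately, the new changelog entry is stamped `3.2.4-1` while Release moves to `2%{?dist}`; it should read `* Thu Dec 13 2007 Dan Walsh <dwalsh@redhat.com> 3.2.4-2` so the security-relevant policy change can be traced to the right build.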