- Allow xdm to create user_tmp_t sockets for switch user to work
This commit is contained in:
Daniel J Walsh
parent
bc861e624e
commit
598de2dbc3
@ -1483,8 +1483,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.6.4/policy/modules/admin/usermanage.if
|
||||
--- nsaserefpolicy/policy/modules/admin/usermanage.if 2008-11-11 16:13:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/admin/usermanage.if 2009-02-03 22:57:29.000000000 -0500
|
||||
@@ -138,6 +138,7 @@
|
||||
+++ serefpolicy-3.6.4/policy/modules/admin/usermanage.if 2009-02-07 07:19:49.000000000 -0500
|
||||
@@ -117,6 +117,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## Send sigkills to passwd.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`usermanage_passwd_sigkill',`
|
||||
+ gen_require(`
|
||||
+ type passwd_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 passwd_t:process sigkill;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Execute passwd in the passwd domain, and
|
||||
## allow the specified role the passwd domain.
|
||||
## </summary>
|
||||
@@ -138,6 +156,7 @@
|
||||
|
||||
usermanage_domtrans_passwd($1)
|
||||
role $2 types passwd_t;
|
||||
@ -4634,7 +4659,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.4/policy/modules/kernel/devices.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/devices.if 2009-01-05 15:39:38.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/kernel/devices.if 2009-02-03 22:57:29.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/kernel/devices.if 2009-02-09 09:03:10.000000000 -0500
|
||||
@@ -65,7 +65,7 @@
|
||||
|
||||
relabelfrom_dirs_pattern($1, device_t, device_node)
|
||||
@ -5410,7 +5435,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.4/policy/modules/kernel/files.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/kernel/files.if 2009-02-04 10:53:13.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/kernel/files.if 2009-02-09 09:04:21.000000000 -0500
|
||||
@@ -110,6 +110,11 @@
|
||||
## </param>
|
||||
#
|
||||
@ -8851,7 +8876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.4/policy/modules/services/apache.te
|
||||
--- nsaserefpolicy/policy/modules/services/apache.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/apache.te 2009-02-03 22:57:29.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/apache.te 2009-02-06 16:08:00.000000000 -0500
|
||||
@@ -19,6 +19,8 @@
|
||||
# Declarations
|
||||
#
|
||||
@ -9072,8 +9097,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+## </desc>
|
||||
+gen_tunable(allow_httpd_mod_auth_pam, false)
|
||||
+
|
||||
tunable_policy(`allow_httpd_mod_auth_pam',`
|
||||
- auth_domtrans_chk_passwd(httpd_t)
|
||||
+tunable_policy(`allow_httpd_mod_auth_pam',`
|
||||
+ auth_domtrans_chkpwd(httpd_t)
|
||||
+')
|
||||
+
|
||||
@ -9084,7 +9108,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+## </desc>
|
||||
+gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
|
||||
+optional_policy(`
|
||||
+tunable_policy(`allow_httpd_mod_auth_pam',`
|
||||
tunable_policy(`allow_httpd_mod_auth_pam',`
|
||||
- auth_domtrans_chk_passwd(httpd_t)
|
||||
+ samba_domtrans_winbind_helper(httpd_t)
|
||||
')
|
||||
')
|
||||
@ -9358,20 +9383,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
@@ -655,6 +809,12 @@
|
||||
fs_exec_nfs_files(httpd_suexec_t)
|
||||
')
|
||||
|
||||
+tunable_policy(`httpd_use_cifs',`
|
||||
+ fs_manage_cifs_files(httpd_suexec_t)
|
||||
+ fs_manage_cifs_symlinks(httpd_suexec_t)
|
||||
+ fs_exec_cifs_files(httpd_suexec_t)
|
||||
+')
|
||||
+
|
||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||
fs_read_cifs_files(httpd_suexec_t)
|
||||
fs_read_cifs_symlinks(httpd_suexec_t)
|
||||
@@ -672,15 +832,14 @@
|
||||
@@ -672,15 +826,14 @@
|
||||
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
||||
')
|
||||
|
||||
@ -9390,7 +9402,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
|
||||
|
||||
dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
||||
@@ -699,12 +858,24 @@
|
||||
@@ -699,12 +852,24 @@
|
||||
# Should we add a boolean?
|
||||
apache_domtrans_rotatelogs(httpd_sys_script_t)
|
||||
|
||||
@ -9408,16 +9420,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ fs_manage_nfs_dirs(httpd_sys_script_t)
|
||||
+ fs_manage_nfs_files(httpd_sys_script_t)
|
||||
+ fs_manage_nfs_symlinks(httpd_sys_script_t)
|
||||
+')
|
||||
+ fs_exec_nfs_files(httpd_sys_script_t)
|
||||
+
|
||||
+tunable_policy(`httpd_use_nfs',`
|
||||
+ fs_manage_nfs_dirs(httpd_suexec_t)
|
||||
+ fs_manage_nfs_files(httpd_suexec_t)
|
||||
+ fs_manage_nfs_symlinks(httpd_suexec_t)
|
||||
+ fs_exec_nfs_files(httpd_suexec_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
@@ -712,6 +883,35 @@
|
||||
@@ -712,6 +877,35 @@
|
||||
fs_read_nfs_symlinks(httpd_sys_script_t)
|
||||
')
|
||||
|
||||
@ -9447,13 +9459,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ fs_manage_cifs_dirs(httpd_suexec_t)
|
||||
+ fs_manage_cifs_files(httpd_suexec_t)
|
||||
+ fs_manage_cifs_symlinks(httpd_suexec_t)
|
||||
+ fs_exec_cifs_files(httpd_suexec_t)
|
||||
+')
|
||||
+
|
||||
+
|
||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||
fs_read_cifs_files(httpd_sys_script_t)
|
||||
fs_read_cifs_symlinks(httpd_sys_script_t)
|
||||
@@ -724,6 +924,10 @@
|
||||
@@ -724,6 +918,10 @@
|
||||
optional_policy(`
|
||||
mysql_stream_connect(httpd_sys_script_t)
|
||||
mysql_rw_db_sockets(httpd_sys_script_t)
|
||||
@ -9464,7 +9476,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -735,6 +939,8 @@
|
||||
@@ -735,6 +933,8 @@
|
||||
# httpd_rotatelogs local policy
|
||||
#
|
||||
|
||||
@ -9473,7 +9485,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
|
||||
|
||||
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
|
||||
@@ -754,6 +960,12 @@
|
||||
@@ -754,6 +954,12 @@
|
||||
|
||||
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
||||
allow httpd_user_script_t httpdcontent:file entrypoint;
|
||||
@ -9486,7 +9498,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
# allow accessing files/dirs below the users home dir
|
||||
@@ -762,3 +974,66 @@
|
||||
@@ -762,3 +968,66 @@
|
||||
userdom_search_user_home_dirs(httpd_suexec_t)
|
||||
userdom_search_user_home_dirs(httpd_user_script_t)
|
||||
')
|
||||
@ -20074,7 +20086,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.4/policy/modules/services/rpc.te
|
||||
--- nsaserefpolicy/policy/modules/services/rpc.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/rpc.te 2009-02-03 22:57:29.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/rpc.te 2009-02-09 09:05:45.000000000 -0500
|
||||
@@ -23,7 +23,7 @@
|
||||
gen_tunable(allow_nfsd_anon_write, false)
|
||||
|
||||
@ -20100,15 +20112,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
corenet_tcp_bind_all_rpc_ports(nfsd_t)
|
||||
corenet_udp_bind_all_rpc_ports(nfsd_t)
|
||||
@@ -135,6 +137,7 @@
|
||||
@@ -135,11 +137,19 @@
|
||||
tunable_policy(`nfs_export_all_rw',`
|
||||
fs_read_noxattr_fs_files(nfsd_t)
|
||||
auth_manage_all_files_except_shadow(nfsd_t)
|
||||
+ userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })
|
||||
+ dev_getattr_all_blk_files(nfsd_t)
|
||||
+ dev_getattr_all_chr_files(nfsd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`nfs_export_all_ro',`
|
||||
@@ -170,6 +173,7 @@
|
||||
fs_read_noxattr_fs_files(nfsd_t)
|
||||
+ auth_read_all_dirs_except_shadow(nfsd_t)
|
||||
auth_read_all_files_except_shadow(nfsd_t)
|
||||
+ files_getattr_all_pipes(nfsd_t)
|
||||
+ files_getattr_all_sockets(nfsd_t)
|
||||
+ dev_getattr_all_blk_files(nfsd_t)
|
||||
+ dev_getattr_all_chr_files(nfsd_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -170,6 +180,7 @@
|
||||
files_read_usr_symlinks(gssd_t)
|
||||
|
||||
auth_use_nsswitch(gssd_t)
|
||||
@ -20116,7 +20140,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
miscfiles_read_certs(gssd_t)
|
||||
|
||||
@@ -180,8 +184,7 @@
|
||||
@@ -180,8 +191,7 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -20582,7 +20606,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.4/policy/modules/services/samba.te
|
||||
--- nsaserefpolicy/policy/modules/services/samba.te 2009-01-19 11:07:34.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/samba.te 2009-02-03 22:57:29.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/samba.te 2009-02-07 07:19:23.000000000 -0500
|
||||
@@ -66,6 +66,13 @@
|
||||
## </desc>
|
||||
gen_tunable(samba_share_nfs, false)
|
||||
@ -20736,7 +20760,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
files_dontaudit_getattr_default_dirs(smbd_t)
|
||||
files_dontaudit_getattr_boot_dirs(smbd_t)
|
||||
@@ -338,20 +365,27 @@
|
||||
@@ -333,25 +360,33 @@
|
||||
|
||||
tunable_policy(`samba_domain_controller',`
|
||||
usermanage_domtrans_passwd(smbd_t)
|
||||
+ usermanage_passwd_sigkill(smbd_t)
|
||||
usermanage_domtrans_useradd(smbd_t)
|
||||
usermanage_domtrans_groupadd(smbd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`samba_enable_home_dirs',`
|
||||
@ -20770,7 +20800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
optional_policy(`
|
||||
cups_read_rw_config(smbd_t)
|
||||
cups_stream_connect(smbd_t)
|
||||
@@ -359,6 +393,16 @@
|
||||
@@ -359,6 +394,16 @@
|
||||
|
||||
optional_policy(`
|
||||
kerberos_use(smbd_t)
|
||||
@ -20787,7 +20817,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -381,8 +425,10 @@
|
||||
@@ -381,8 +426,10 @@
|
||||
|
||||
tunable_policy(`samba_export_all_ro',`
|
||||
fs_read_noxattr_fs_files(smbd_t)
|
||||
@ -20798,7 +20828,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
auth_read_all_files_except_shadow(nmbd_t)
|
||||
')
|
||||
|
||||
@@ -454,6 +500,7 @@
|
||||
@@ -454,6 +501,7 @@
|
||||
dev_getattr_mtrr_dev(nmbd_t)
|
||||
|
||||
fs_getattr_all_fs(nmbd_t)
|
||||
@ -20806,7 +20836,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
fs_search_auto_mountpoints(nmbd_t)
|
||||
|
||||
domain_use_interactive_fds(nmbd_t)
|
||||
@@ -553,19 +600,33 @@
|
||||
@@ -553,19 +601,33 @@
|
||||
userdom_use_user_terminals(smbmount_t)
|
||||
userdom_use_all_users_fds(smbmount_t)
|
||||
|
||||
@ -20843,7 +20873,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
|
||||
|
||||
@@ -585,6 +646,9 @@
|
||||
@@ -585,6 +647,9 @@
|
||||
files_pid_filetrans(swat_t, swat_var_run_t, file)
|
||||
|
||||
allow swat_t winbind_exec_t:file mmap_file_perms;
|
||||
@ -20853,7 +20883,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
kernel_read_kernel_sysctls(swat_t)
|
||||
kernel_read_system_state(swat_t)
|
||||
@@ -609,15 +673,18 @@
|
||||
@@ -609,15 +674,18 @@
|
||||
|
||||
dev_read_urand(swat_t)
|
||||
|
||||
@ -20872,7 +20902,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
logging_search_logs(swat_t)
|
||||
|
||||
miscfiles_read_localization(swat_t)
|
||||
@@ -635,6 +702,17 @@
|
||||
@@ -635,6 +703,17 @@
|
||||
kerberos_use(swat_t)
|
||||
')
|
||||
|
||||
@ -20890,7 +20920,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
########################################
|
||||
#
|
||||
# Winbind local policy
|
||||
@@ -642,7 +720,7 @@
|
||||
@@ -642,7 +721,7 @@
|
||||
|
||||
allow winbind_t self:capability { dac_override ipc_lock setuid };
|
||||
dontaudit winbind_t self:capability sys_tty_config;
|
||||
@ -20899,7 +20929,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow winbind_t self:fifo_file rw_fifo_file_perms;
|
||||
allow winbind_t self:unix_dgram_socket create_socket_perms;
|
||||
allow winbind_t self:unix_stream_socket create_stream_socket_perms;
|
||||
@@ -683,9 +761,10 @@
|
||||
@@ -683,9 +762,10 @@
|
||||
manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
|
||||
files_pid_filetrans(winbind_t, winbind_var_run_t, file)
|
||||
|
||||
@ -20912,7 +20942,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
corenet_all_recvfrom_unlabeled(winbind_t)
|
||||
corenet_all_recvfrom_netlabel(winbind_t)
|
||||
@@ -709,10 +788,12 @@
|
||||
@@ -709,10 +789,12 @@
|
||||
|
||||
auth_domtrans_chk_passwd(winbind_t)
|
||||
auth_use_nsswitch(winbind_t)
|
||||
@ -20925,7 +20955,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
logging_send_syslog_msg(winbind_t)
|
||||
|
||||
@@ -768,8 +849,13 @@
|
||||
@@ -768,8 +850,13 @@
|
||||
userdom_use_user_terminals(winbind_helper_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -20939,7 +20969,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -778,6 +864,16 @@
|
||||
@@ -778,6 +865,16 @@
|
||||
#
|
||||
|
||||
optional_policy(`
|
||||
@ -20956,7 +20986,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
type samba_unconfined_script_t;
|
||||
type samba_unconfined_script_exec_t;
|
||||
domain_type(samba_unconfined_script_t)
|
||||
@@ -788,9 +884,43 @@
|
||||
@@ -788,9 +885,43 @@
|
||||
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
|
||||
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
|
||||
|
||||
@ -23547,7 +23577,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.4/policy/modules/services/xserver.te
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/xserver.te 2009-02-05 18:20:04.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/xserver.te 2009-02-08 17:11:40.000000000 -0500
|
||||
@@ -34,6 +34,13 @@
|
||||
|
||||
## <desc>
|
||||
@ -23903,7 +23933,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# Search /proc for any user domain processes.
|
||||
userdom_read_all_users_state(xdm_t)
|
||||
userdom_signal_all_users(xdm_t)
|
||||
+userdom_write_user_tmp_files(xdm_t)
|
||||
+userdom_manage_user_tmp_sockets(xdm_t)
|
||||
|
||||
xserver_rw_session(xdm_t,xdm_tmpfs_t)
|
||||
xserver_unconfined(xdm_t)
|
||||
@ -24394,7 +24424,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.4/policy/modules/system/authlogin.if
|
||||
--- nsaserefpolicy/policy/modules/system/authlogin.if 2008-11-11 16:13:48.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/system/authlogin.if 2009-02-04 10:32:13.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/system/authlogin.if 2009-02-07 07:22:59.000000000 -0500
|
||||
@@ -43,20 +43,38 @@
|
||||
interface(`auth_login_pgm_domain',`
|
||||
gen_require(`
|
||||
@ -24509,11 +24539,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
- sysnet_dns_name_resolve($1)
|
||||
- sysnet_use_ldap($1)
|
||||
-
|
||||
optional_policy(`
|
||||
- optional_policy(`
|
||||
- kerberos_use($1)
|
||||
- ')
|
||||
-
|
||||
- optional_policy(`
|
||||
optional_policy(`
|
||||
- nis_use_ypbind($1)
|
||||
+ kerberos_read_keytab($1)
|
||||
+ kerberos_connect_524($1)
|
||||
@ -24600,10 +24630,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Manage all files on the filesystem, except
|
||||
## the shadow passwords and listed exceptions.
|
||||
## </summary>
|
||||
@@ -1297,6 +1395,10 @@
|
||||
@@ -1297,6 +1395,14 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ ldap_stream_connect($1)
|
||||
+ ')
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ kerberos_use($1)
|
||||
+ ')
|
||||
+
|
||||
@ -24611,7 +24645,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
nis_use_ypbind($1)
|
||||
')
|
||||
|
||||
@@ -1307,6 +1409,7 @@
|
||||
@@ -1307,6 +1413,7 @@
|
||||
optional_policy(`
|
||||
samba_stream_connect_winbind($1)
|
||||
samba_read_var_files($1)
|
||||
@ -24619,7 +24653,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -1341,3 +1444,99 @@
|
||||
@@ -1341,3 +1448,99 @@
|
||||
typeattribute $1 can_write_shadow_passwords;
|
||||
typeattribute $1 can_relabelto_shadow_passwords;
|
||||
')
|
||||
@ -25561,7 +25595,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.4/policy/modules/system/libraries.fc
|
||||
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-01-05 15:39:43.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/system/libraries.fc 2009-02-03 22:57:29.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/system/libraries.fc 2009-02-09 08:38:58.000000000 -0500
|
||||
@@ -60,12 +60,15 @@
|
||||
#
|
||||
# /opt
|
||||
@ -25599,7 +25633,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
/usr/(.*/)?java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
|
||||
@@ -115,9 +120,17 @@
|
||||
@@ -115,24 +120,34 @@
|
||||
|
||||
/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
@ -25617,7 +25651,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@@ -127,12 +140,14 @@
|
||||
/usr/lib(64)?/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
-/usr/lib(64)?/fglrx/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
+/usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -28621,7 +28658,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.4/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/system/userdomain.if 2009-02-05 18:26:44.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/system/userdomain.if 2009-02-08 17:11:31.000000000 -0500
|
||||
@@ -30,8 +30,9 @@
|
||||
')
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user