- Eliminate vbetool duplicate entry
parent
0b05335dd6
commit
599e9756ef
@ -1,82 +1,3 @@
|
|||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.5.1/Makefile
|
|
||||||
--- nsaserefpolicy/Makefile 2008-06-12 23:25:10.000000000 -0400
|
|
||||||
+++ serefpolicy-3.5.1/Makefile 2008-07-24 06:54:04.000000000 -0400
|
|
||||||
@@ -311,20 +311,22 @@
|
|
||||||
|
|
||||||
# parse-rolemap modulename,outputfile
|
|
||||||
define parse-rolemap
|
|
||||||
- $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
|
|
||||||
- $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
|
|
||||||
+ echo "" >> $2
|
|
||||||
+# $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
|
|
||||||
+# $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
|
|
||||||
endef
|
|
||||||
|
|
||||||
# perrole-expansion modulename,outputfile
|
|
||||||
define perrole-expansion
|
|
||||||
- $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
|
|
||||||
- $(call parse-rolemap,$1,$2)
|
|
||||||
- $(verbose) echo "')" >> $2
|
|
||||||
-
|
|
||||||
- $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
|
|
||||||
- $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
|
|
||||||
- $(call parse-rolemap-compat,$1,$2)
|
|
||||||
- $(verbose) echo "')" >> $2
|
|
||||||
+ echo "No longer doing perrole-expansion"
|
|
||||||
+# $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
|
|
||||||
+# $(call parse-rolemap,$1,$2)
|
|
||||||
+# $(verbose) echo "')" >> $2
|
|
||||||
+
|
|
||||||
+# $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
|
|
||||||
+# $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
|
|
||||||
+# $(call parse-rolemap-compat,$1,$2)
|
|
||||||
+# $(verbose) echo "')" >> $2
|
|
||||||
endef
|
|
||||||
|
|
||||||
# create-base-per-role-tmpl modulenames,outputfile
|
|
||||||
@@ -523,6 +525,10 @@
|
|
||||||
@mkdir -p $(appdir)/users
|
|
||||||
$(verbose) $(INSTALL) -m 644 $^ $@
|
|
||||||
|
|
||||||
+$(appdir)/initrc_context: $(tmpdir)/initrc_context
|
|
||||||
+ @mkdir -p $(appdir)
|
|
||||||
+ $(verbose) $(INSTALL) -m 644 $< $@
|
|
||||||
+
|
|
||||||
$(appdir)/%: $(appconf)/%
|
|
||||||
@mkdir -p $(appdir)
|
|
||||||
$(verbose) $(INSTALL) -m 644 $< $@
|
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.5.1/Rules.modular
|
|
||||||
--- nsaserefpolicy/Rules.modular 2008-06-12 23:25:10.000000000 -0400
|
|
||||||
+++ serefpolicy-3.5.1/Rules.modular 2008-07-24 06:54:04.000000000 -0400
|
|
||||||
@@ -73,8 +73,8 @@
|
|
||||||
$(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
|
|
||||||
@echo "Compliling $(NAME) $(@F) module"
|
|
||||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
|
||||||
- $(call perrole-expansion,$(basename $(@F)),$@.role)
|
|
||||||
- $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
|
|
||||||
+# $(call perrole-expansion,$(basename $(@F)),$@.role)
|
|
||||||
+ $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
|
|
||||||
$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
|
|
||||||
|
|
||||||
$(tmpdir)/%.mod.fc: $(m4support) %.fc
|
|
||||||
@@ -129,7 +129,7 @@
|
|
||||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
|
||||||
# define all available object classes
|
|
||||||
$(verbose) $(genperm) $(avs) $(secclass) > $@
|
|
||||||
- $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
|
|
||||||
+# $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
|
|
||||||
$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
|
|
||||||
|
|
||||||
$(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
|
|
||||||
@@ -146,7 +146,7 @@
|
|
||||||
$(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
|
|
||||||
$(tmpdir)/rolemap.conf: $(rolemap)
|
|
||||||
$(verbose) echo "" > $@
|
|
||||||
- $(call parse-rolemap,base,$@)
|
|
||||||
+# $(call parse-rolemap,base,$@)
|
|
||||||
|
|
||||||
$(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
|
|
||||||
$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
|
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.5.1/config/appconfig-mcs/default_contexts
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.5.1/config/appconfig-mcs/default_contexts
|
||||||
--- nsaserefpolicy/config/appconfig-mcs/default_contexts 2008-06-12 23:25:09.000000000 -0400
|
--- nsaserefpolicy/config/appconfig-mcs/default_contexts 2008-06-12 23:25:09.000000000 -0400
|
||||||
+++ serefpolicy-3.5.1/config/appconfig-mcs/default_contexts 2008-07-24 06:54:04.000000000 -0400
|
+++ serefpolicy-3.5.1/config/appconfig-mcs/default_contexts 2008-07-24 06:54:04.000000000 -0400
|
||||||
@ -188,6 +109,53 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xg
|
|||||||
+system_r:sshd_t xguest_r:xguest_t
|
+system_r:sshd_t xguest_r:xguest_t
|
||||||
+system_r:crond_t xguest_r:xguest_crond_t
|
+system_r:crond_t xguest_r:xguest_crond_t
|
||||||
+system_r:xdm_t xguest_r:xguest_t
|
+system_r:xdm_t xguest_r:xguest_t
|
||||||
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.5.1/Makefile
|
||||||
|
--- nsaserefpolicy/Makefile 2008-06-12 23:25:10.000000000 -0400
|
||||||
|
+++ serefpolicy-3.5.1/Makefile 2008-07-24 06:54:04.000000000 -0400
|
||||||
|
@@ -311,20 +311,22 @@
|
||||||
|
|
||||||
|
# parse-rolemap modulename,outputfile
|
||||||
|
define parse-rolemap
|
||||||
|
- $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
|
||||||
|
- $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
|
||||||
|
+ echo "" >> $2
|
||||||
|
+# $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
|
||||||
|
+# $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
|
||||||
|
endef
|
||||||
|
|
||||||
|
# perrole-expansion modulename,outputfile
|
||||||
|
define perrole-expansion
|
||||||
|
- $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
|
||||||
|
- $(call parse-rolemap,$1,$2)
|
||||||
|
- $(verbose) echo "')" >> $2
|
||||||
|
-
|
||||||
|
- $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
|
||||||
|
- $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
|
||||||
|
- $(call parse-rolemap-compat,$1,$2)
|
||||||
|
- $(verbose) echo "')" >> $2
|
||||||
|
+ echo "No longer doing perrole-expansion"
|
||||||
|
+# $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
|
||||||
|
+# $(call parse-rolemap,$1,$2)
|
||||||
|
+# $(verbose) echo "')" >> $2
|
||||||
|
+
|
||||||
|
+# $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
|
||||||
|
+# $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
|
||||||
|
+# $(call parse-rolemap-compat,$1,$2)
|
||||||
|
+# $(verbose) echo "')" >> $2
|
||||||
|
endef
|
||||||
|
|
||||||
|
# create-base-per-role-tmpl modulenames,outputfile
|
||||||
|
@@ -523,6 +525,10 @@
|
||||||
|
@mkdir -p $(appdir)/users
|
||||||
|
$(verbose) $(INSTALL) -m 644 $^ $@
|
||||||
|
|
||||||
|
+$(appdir)/initrc_context: $(tmpdir)/initrc_context
|
||||||
|
+ @mkdir -p $(appdir)
|
||||||
|
+ $(verbose) $(INSTALL) -m 644 $< $@
|
||||||
|
+
|
||||||
|
$(appdir)/%: $(appconf)/%
|
||||||
|
@mkdir -p $(appdir)
|
||||||
|
$(verbose) $(INSTALL) -m 644 $< $@
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 serefpolicy-3.5.1/man/man8/ftpd_selinux.8
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 serefpolicy-3.5.1/man/man8/ftpd_selinux.8
|
||||||
--- nsaserefpolicy/man/man8/ftpd_selinux.8 2008-06-12 23:25:09.000000000 -0400
|
--- nsaserefpolicy/man/man8/ftpd_selinux.8 2008-06-12 23:25:09.000000000 -0400
|
||||||
+++ serefpolicy-3.5.1/man/man8/ftpd_selinux.8 2008-07-24 06:54:04.000000000 -0400
|
+++ serefpolicy-3.5.1/man/man8/ftpd_selinux.8 2008-07-24 06:54:04.000000000 -0400
|
||||||
@ -1413,6 +1381,121 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
usermanage_domtrans_groupadd(rpm_script_t)
|
usermanage_domtrans_groupadd(rpm_script_t)
|
||||||
usermanage_domtrans_useradd(rpm_script_t)
|
usermanage_domtrans_useradd(rpm_script_t)
|
||||||
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.5.1/policy/modules/admin/sudo.if
|
||||||
|
--- nsaserefpolicy/policy/modules/admin/sudo.if 2008-06-12 23:25:08.000000000 -0400
|
||||||
|
+++ serefpolicy-3.5.1/policy/modules/admin/sudo.if 2008-07-24 06:54:04.000000000 -0400
|
||||||
|
@@ -55,7 +55,7 @@
|
||||||
|
#
|
||||||
|
|
||||||
|
# Use capabilities.
|
||||||
|
- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource };
|
||||||
|
+ allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
|
||||||
|
allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||||
|
allow $1_sudo_t self:process { setexec setrlimit };
|
||||||
|
allow $1_sudo_t self:fd use;
|
||||||
|
@@ -68,33 +68,35 @@
|
||||||
|
allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
allow $1_sudo_t self:unix_dgram_socket sendto;
|
||||||
|
allow $1_sudo_t self:unix_stream_socket connectto;
|
||||||
|
- allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
|
||||||
|
+ allow $1_sudo_t self:key manage_key_perms;
|
||||||
|
+ allow $1_sudo_t $1_t:key search;
|
||||||
|
|
||||||
|
# Enter this derived domain from the user domain
|
||||||
|
domtrans_pattern($2, sudo_exec_t, $1_sudo_t)
|
||||||
|
|
||||||
|
# By default, revert to the calling domain when a shell is executed.
|
||||||
|
corecmd_shell_domtrans($1_sudo_t,$2)
|
||||||
|
+ corecmd_bin_domtrans($1_sudo_t,$2)
|
||||||
|
allow $2 $1_sudo_t:fd use;
|
||||||
|
allow $2 $1_sudo_t:fifo_file rw_file_perms;
|
||||||
|
allow $2 $1_sudo_t:process sigchld;
|
||||||
|
|
||||||
|
kernel_read_kernel_sysctls($1_sudo_t)
|
||||||
|
kernel_read_system_state($1_sudo_t)
|
||||||
|
- kernel_search_key($1_sudo_t)
|
||||||
|
+ kernel_link_key($1_sudo_t)
|
||||||
|
|
||||||
|
dev_read_urand($1_sudo_t)
|
||||||
|
|
||||||
|
fs_search_auto_mountpoints($1_sudo_t)
|
||||||
|
fs_getattr_xattr_fs($1_sudo_t)
|
||||||
|
|
||||||
|
- auth_domtrans_chk_passwd($1_sudo_t)
|
||||||
|
+ auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t })
|
||||||
|
# sudo stores a token in the pam_pid directory
|
||||||
|
auth_manage_pam_pid($1_sudo_t)
|
||||||
|
auth_use_nsswitch($1_sudo_t)
|
||||||
|
|
||||||
|
corecmd_read_bin_symlinks($1_sudo_t)
|
||||||
|
- corecmd_getattr_all_executables($1_sudo_t)
|
||||||
|
+ corecmd_exec_all_executables($1_sudo_t)
|
||||||
|
|
||||||
|
domain_use_interactive_fds($1_sudo_t)
|
||||||
|
domain_sigchld_interactive_fds($1_sudo_t)
|
||||||
|
@@ -106,32 +108,50 @@
|
||||||
|
files_getattr_usr_files($1_sudo_t)
|
||||||
|
# for some PAM modules and for cwd
|
||||||
|
files_dontaudit_search_home($1_sudo_t)
|
||||||
|
+ files_list_tmp($1_sudo_t)
|
||||||
|
|
||||||
|
init_rw_utmp($1_sudo_t)
|
||||||
|
|
||||||
|
libs_use_ld_so($1_sudo_t)
|
||||||
|
libs_use_shared_libs($1_sudo_t)
|
||||||
|
|
||||||
|
+ logging_send_audit_msgs($1_sudo_t)
|
||||||
|
logging_send_syslog_msg($1_sudo_t)
|
||||||
|
|
||||||
|
miscfiles_read_localization($1_sudo_t)
|
||||||
|
|
||||||
|
- userdom_manage_user_home_content_files($1,$1_sudo_t)
|
||||||
|
- userdom_manage_user_home_content_symlinks($1,$1_sudo_t)
|
||||||
|
- userdom_manage_user_tmp_files($1,$1_sudo_t)
|
||||||
|
- userdom_manage_user_tmp_symlinks($1,$1_sudo_t)
|
||||||
|
+ mta_per_role_template($1, $1_sudo_t, $3)
|
||||||
|
+
|
||||||
|
+ unprivuser_manage_home_content_files($1_sudo_t)
|
||||||
|
+ unprivuser_manage_home_content_symlinks($1_sudo_t)
|
||||||
|
+ tunable_policy(`use_nfs_home_dirs',`
|
||||||
|
+ fs_manage_nfs_files($1_sudo_t)
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ tunable_policy(`use_samba_home_dirs',`
|
||||||
|
+ fs_manage_cifs_files($1_sudo_t)
|
||||||
|
+ ')
|
||||||
|
+ unprivuser_manage_tmp_files($1_sudo_t)
|
||||||
|
+ unprivuser_manage_tmp_symlinks($1_sudo_t)
|
||||||
|
+ userdom_exec_user_home_content_files($1,$1_sudo_t)
|
||||||
|
userdom_use_user_terminals($1,$1_sudo_t)
|
||||||
|
userdom_use_unpriv_users_fds($1_sudo_t)
|
||||||
|
# for some PAM modules and for cwd
|
||||||
|
+ sysadm_search_home_content_dirs($1_sudo_t)
|
||||||
|
userdom_dontaudit_search_all_users_home_content($1_sudo_t)
|
||||||
|
+ userdom_manage_all_users_keys($1_sudo_t)
|
||||||
|
|
||||||
|
- ifdef(`TODO',`
|
||||||
|
- # for when the network connection is killed
|
||||||
|
- dontaudit unpriv_userdomain $1_sudo_t:process signal;
|
||||||
|
-
|
||||||
|
- ifdef(`mta.te', `
|
||||||
|
- domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
|
||||||
|
- ')
|
||||||
|
+ domain_role_change_exemption($1_sudo_t)
|
||||||
|
+ userdom_spec_domtrans_all_users($1_sudo_t)
|
||||||
|
|
||||||
|
- ') dnl end TODO
|
||||||
|
+ selinux_validate_context($1_sudo_t)
|
||||||
|
+ selinux_compute_relabel_context($1_sudo_t)
|
||||||
|
+ selinux_getattr_fs($1_sudo_t)
|
||||||
|
+ seutil_read_config($1_sudo_t)
|
||||||
|
+ seutil_search_default_contexts($1_sudo_t)
|
||||||
|
+
|
||||||
|
+ term_use_all_user_ttys($1_sudo_t)
|
||||||
|
+ term_use_all_user_ptys($1_sudo_t)
|
||||||
|
+ term_relabel_all_user_ttys($1_sudo_t)
|
||||||
|
+ term_relabel_all_user_ptys($1_sudo_t)
|
||||||
|
')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.5.1/policy/modules/admin/su.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.5.1/policy/modules/admin/su.if
|
||||||
--- nsaserefpolicy/policy/modules/admin/su.if 2008-06-12 23:25:08.000000000 -0400
|
--- nsaserefpolicy/policy/modules/admin/su.if 2008-06-12 23:25:08.000000000 -0400
|
||||||
+++ serefpolicy-3.5.1/policy/modules/admin/su.if 2008-07-24 06:54:04.000000000 -0400
|
+++ serefpolicy-3.5.1/policy/modules/admin/su.if 2008-07-24 06:54:04.000000000 -0400
|
||||||
@ -1543,121 +1626,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
|
|||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.5.1/policy/modules/admin/sudo.if
|
|
||||||
--- nsaserefpolicy/policy/modules/admin/sudo.if 2008-06-12 23:25:08.000000000 -0400
|
|
||||||
+++ serefpolicy-3.5.1/policy/modules/admin/sudo.if 2008-07-24 06:54:04.000000000 -0400
|
|
||||||
@@ -55,7 +55,7 @@
|
|
||||||
#
|
|
||||||
|
|
||||||
# Use capabilities.
|
|
||||||
- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource };
|
|
||||||
+ allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
|
|
||||||
allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
|
||||||
allow $1_sudo_t self:process { setexec setrlimit };
|
|
||||||
allow $1_sudo_t self:fd use;
|
|
||||||
@@ -68,33 +68,35 @@
|
|
||||||
allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
|
|
||||||
allow $1_sudo_t self:unix_dgram_socket sendto;
|
|
||||||
allow $1_sudo_t self:unix_stream_socket connectto;
|
|
||||||
- allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
|
|
||||||
+ allow $1_sudo_t self:key manage_key_perms;
|
|
||||||
+ allow $1_sudo_t $1_t:key search;
|
|
||||||
|
|
||||||
# Enter this derived domain from the user domain
|
|
||||||
domtrans_pattern($2, sudo_exec_t, $1_sudo_t)
|
|
||||||
|
|
||||||
# By default, revert to the calling domain when a shell is executed.
|
|
||||||
corecmd_shell_domtrans($1_sudo_t,$2)
|
|
||||||
+ corecmd_bin_domtrans($1_sudo_t,$2)
|
|
||||||
allow $2 $1_sudo_t:fd use;
|
|
||||||
allow $2 $1_sudo_t:fifo_file rw_file_perms;
|
|
||||||
allow $2 $1_sudo_t:process sigchld;
|
|
||||||
|
|
||||||
kernel_read_kernel_sysctls($1_sudo_t)
|
|
||||||
kernel_read_system_state($1_sudo_t)
|
|
||||||
- kernel_search_key($1_sudo_t)
|
|
||||||
+ kernel_link_key($1_sudo_t)
|
|
||||||
|
|
||||||
dev_read_urand($1_sudo_t)
|
|
||||||
|
|
||||||
fs_search_auto_mountpoints($1_sudo_t)
|
|
||||||
fs_getattr_xattr_fs($1_sudo_t)
|
|
||||||
|
|
||||||
- auth_domtrans_chk_passwd($1_sudo_t)
|
|
||||||
+ auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t })
|
|
||||||
# sudo stores a token in the pam_pid directory
|
|
||||||
auth_manage_pam_pid($1_sudo_t)
|
|
||||||
auth_use_nsswitch($1_sudo_t)
|
|
||||||
|
|
||||||
corecmd_read_bin_symlinks($1_sudo_t)
|
|
||||||
- corecmd_getattr_all_executables($1_sudo_t)
|
|
||||||
+ corecmd_exec_all_executables($1_sudo_t)
|
|
||||||
|
|
||||||
domain_use_interactive_fds($1_sudo_t)
|
|
||||||
domain_sigchld_interactive_fds($1_sudo_t)
|
|
||||||
@@ -106,32 +108,50 @@
|
|
||||||
files_getattr_usr_files($1_sudo_t)
|
|
||||||
# for some PAM modules and for cwd
|
|
||||||
files_dontaudit_search_home($1_sudo_t)
|
|
||||||
+ files_list_tmp($1_sudo_t)
|
|
||||||
|
|
||||||
init_rw_utmp($1_sudo_t)
|
|
||||||
|
|
||||||
libs_use_ld_so($1_sudo_t)
|
|
||||||
libs_use_shared_libs($1_sudo_t)
|
|
||||||
|
|
||||||
+ logging_send_audit_msgs($1_sudo_t)
|
|
||||||
logging_send_syslog_msg($1_sudo_t)
|
|
||||||
|
|
||||||
miscfiles_read_localization($1_sudo_t)
|
|
||||||
|
|
||||||
- userdom_manage_user_home_content_files($1,$1_sudo_t)
|
|
||||||
- userdom_manage_user_home_content_symlinks($1,$1_sudo_t)
|
|
||||||
- userdom_manage_user_tmp_files($1,$1_sudo_t)
|
|
||||||
- userdom_manage_user_tmp_symlinks($1,$1_sudo_t)
|
|
||||||
+ mta_per_role_template($1, $1_sudo_t, $3)
|
|
||||||
+
|
|
||||||
+ unprivuser_manage_home_content_files($1_sudo_t)
|
|
||||||
+ unprivuser_manage_home_content_symlinks($1_sudo_t)
|
|
||||||
+ tunable_policy(`use_nfs_home_dirs',`
|
|
||||||
+ fs_manage_nfs_files($1_sudo_t)
|
|
||||||
+ ')
|
|
||||||
+
|
|
||||||
+ tunable_policy(`use_samba_home_dirs',`
|
|
||||||
+ fs_manage_cifs_files($1_sudo_t)
|
|
||||||
+ ')
|
|
||||||
+ unprivuser_manage_tmp_files($1_sudo_t)
|
|
||||||
+ unprivuser_manage_tmp_symlinks($1_sudo_t)
|
|
||||||
+ userdom_exec_user_home_content_files($1,$1_sudo_t)
|
|
||||||
userdom_use_user_terminals($1,$1_sudo_t)
|
|
||||||
userdom_use_unpriv_users_fds($1_sudo_t)
|
|
||||||
# for some PAM modules and for cwd
|
|
||||||
+ sysadm_search_home_content_dirs($1_sudo_t)
|
|
||||||
userdom_dontaudit_search_all_users_home_content($1_sudo_t)
|
|
||||||
+ userdom_manage_all_users_keys($1_sudo_t)
|
|
||||||
|
|
||||||
- ifdef(`TODO',`
|
|
||||||
- # for when the network connection is killed
|
|
||||||
- dontaudit unpriv_userdomain $1_sudo_t:process signal;
|
|
||||||
-
|
|
||||||
- ifdef(`mta.te', `
|
|
||||||
- domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
|
|
||||||
- ')
|
|
||||||
+ domain_role_change_exemption($1_sudo_t)
|
|
||||||
+ userdom_spec_domtrans_all_users($1_sudo_t)
|
|
||||||
|
|
||||||
- ') dnl end TODO
|
|
||||||
+ selinux_validate_context($1_sudo_t)
|
|
||||||
+ selinux_compute_relabel_context($1_sudo_t)
|
|
||||||
+ selinux_getattr_fs($1_sudo_t)
|
|
||||||
+ seutil_read_config($1_sudo_t)
|
|
||||||
+ seutil_search_default_contexts($1_sudo_t)
|
|
||||||
+
|
|
||||||
+ term_use_all_user_ttys($1_sudo_t)
|
|
||||||
+ term_use_all_user_ptys($1_sudo_t)
|
|
||||||
+ term_relabel_all_user_ttys($1_sudo_t)
|
|
||||||
+ term_relabel_all_user_ptys($1_sudo_t)
|
|
||||||
')
|
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.5.1/policy/modules/admin/tmpreaper.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.5.1/policy/modules/admin/tmpreaper.te
|
||||||
--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2008-06-12 23:25:08.000000000 -0400
|
--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2008-06-12 23:25:08.000000000 -0400
|
||||||
+++ serefpolicy-3.5.1/policy/modules/admin/tmpreaper.te 2008-07-24 06:54:04.000000000 -0400
|
+++ serefpolicy-3.5.1/policy/modules/admin/tmpreaper.te 2008-07-24 06:54:04.000000000 -0400
|
||||||
@ -20555,7 +20523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
|
|||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.5.1/policy/modules/services/polkit.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.5.1/policy/modules/services/polkit.te
|
||||||
--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.5.1/policy/modules/services/polkit.te 2008-07-24 06:54:04.000000000 -0400
|
+++ serefpolicy-3.5.1/policy/modules/services/polkit.te 2008-07-24 22:56:25.000000000 -0400
|
||||||
@@ -0,0 +1,221 @@
|
@@ -0,0 +1,221 @@
|
||||||
+policy_module(polkit_auth,1.0.0)
|
+policy_module(polkit_auth,1.0.0)
|
||||||
+
|
+
|
||||||
@ -20894,6 +20862,100 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
|||||||
## Execute postfix user mail programs
|
## Execute postfix user mail programs
|
||||||
## in their respective domains.
|
## in their respective domains.
|
||||||
## </summary>
|
## </summary>
|
||||||
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.fc serefpolicy-3.5.1/policy/modules/services/postfixpolicyd.fc
|
||||||
|
--- nsaserefpolicy/policy/modules/services/postfixpolicyd.fc 2008-06-12 23:25:05.000000000 -0400
|
||||||
|
+++ serefpolicy-3.5.1/policy/modules/services/postfixpolicyd.fc 2008-07-24 06:54:04.000000000 -0400
|
||||||
|
@@ -3,3 +3,5 @@
|
||||||
|
/usr/sbin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t, s0)
|
||||||
|
|
||||||
|
/var/run/policyd\.pid -- gen_context(system_u:object_r:postfix_policyd_var_run_t, s0)
|
||||||
|
+
|
||||||
|
+/etc/rc.d/init.d/postfixpolicyd -- gen_context(system_u:object_r:postfixpolicyd_script_exec_t,s0)
|
||||||
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.if serefpolicy-3.5.1/policy/modules/services/postfixpolicyd.if
|
||||||
|
--- nsaserefpolicy/policy/modules/services/postfixpolicyd.if 2008-06-12 23:25:05.000000000 -0400
|
||||||
|
+++ serefpolicy-3.5.1/policy/modules/services/postfixpolicyd.if 2008-07-24 06:54:04.000000000 -0400
|
||||||
|
@@ -1 +1,68 @@
|
||||||
|
## <summary>Postfix policy server</summary>
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Execute postfixpolicyd server in the postfixpolicyd domain.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## The type of the process performing this action.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+#
|
||||||
|
+interface(`postfixpolicyd_script_domtrans',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type postfix_policyd_script_exec_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ init_script_domtrans_spec($1,postfix_policyd_script_exec_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## All of the rules required to administrate
|
||||||
|
+## an postfixpolicyd environment
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+## <param name="role">
|
||||||
|
+## <summary>
|
||||||
|
+## The role to be allowed to manage the postfixpolicyd domain.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+## <param name="terminal">
|
||||||
|
+## <summary>
|
||||||
|
+## The type of the user terminal.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+## <rolecap/>
|
||||||
|
+#
|
||||||
|
+interface(`postfixpolicyd_admin',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type postfix_policyd_t;
|
||||||
|
+ type postfix_policyd_script_exec_t;
|
||||||
|
+ type postfix_policyd_conf_t;
|
||||||
|
+ type postfix_policyd_var_run_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 postfix_policyd_t:process { ptrace signal_perms getattr };
|
||||||
|
+ read_files_pattern($1, postfix_policyd_t, postfix_policyd_t)
|
||||||
|
+
|
||||||
|
+ # Allow postfix_policyd_t to restart the apache service
|
||||||
|
+ postfixpolicyd_script_domtrans($1)
|
||||||
|
+ domain_system_change_exemption($1)
|
||||||
|
+ role_transition $2 postfix_policyd_script_exec_t system_r;
|
||||||
|
+ allow $2 system_r;
|
||||||
|
+
|
||||||
|
+ files_list_etc($1)
|
||||||
|
+ manage_all_pattern($1,postfix_policyd_conf_t)
|
||||||
|
+
|
||||||
|
+ files_list_pids($1)
|
||||||
|
+ manage_all_pattern($1,postfix_policyd_var_run_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+
|
||||||
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.te serefpolicy-3.5.1/policy/modules/services/postfixpolicyd.te
|
||||||
|
--- nsaserefpolicy/policy/modules/services/postfixpolicyd.te 2008-06-12 23:25:05.000000000 -0400
|
||||||
|
+++ serefpolicy-3.5.1/policy/modules/services/postfixpolicyd.te 2008-07-24 06:54:04.000000000 -0400
|
||||||
|
@@ -16,6 +16,9 @@
|
||||||
|
type postfix_policyd_var_run_t;
|
||||||
|
files_pid_file(postfix_policyd_var_run_t)
|
||||||
|
|
||||||
|
+type postfix_policyd_script_exec_t;
|
||||||
|
+init_script_type(postfix_policyd_script_exec_t)
|
||||||
|
+
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Local Policy
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.5.1/policy/modules/services/postfix.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.5.1/policy/modules/services/postfix.te
|
||||||
--- nsaserefpolicy/policy/modules/services/postfix.te 2008-07-10 11:38:46.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/postfix.te 2008-07-10 11:38:46.000000000 -0400
|
||||||
+++ serefpolicy-3.5.1/policy/modules/services/postfix.te 2008-07-24 06:54:04.000000000 -0400
|
+++ serefpolicy-3.5.1/policy/modules/services/postfix.te 2008-07-24 06:54:04.000000000 -0400
|
||||||
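Review bot: The file-context line for the init script, `/etc/rc.d/init.d/postfixpolicyd -- gen_context(system_u:object_r:postfixpolicyd_script_exec_t,s0)` in the postfixpolicyd.fc hunk, names a type that nothing declares: postfixpolicyd.te adds `type postfix_policyd_script_exec_t;` and both postfixpolicyd.if interfaces `gen_require` `postfix_policyd_script_exec_t`, with the underscore between postfix and policyd. As written the script is unlikely to receive the init-script label, so the `init_script_domtrans_spec($1,postfix_policyd_script_exec_t)` and `role_transition $2 postfix_policyd_script_exec_t system_r;` rules in `postfixpolicyd_admin` would never apply to the real file; the line should read `/etc/rc.d/init.d/postfixpolicyd -- gen_context(system_u:object_r:postfix_policyd_script_exec_t,s0)`. The outer diff's side markers are not recoverable on this page and the same block appears again in the hunk starting at `@ -21158,100 +21220,6 @@`, so this applies to whichever copy is the new side. The comment `# Allow postfix_policyd_t to restart the apache service` in `postfixpolicyd_admin` also looks copy-pasted from another module; `# Allow the admin domain to run the postfixpolicyd init script` describes what the lines beneath it actually grant.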
@ -21158,100 +21220,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
|||||||
|
|
||||||
corecmd_exec_shell(postfix_virtual_t)
|
corecmd_exec_shell(postfix_virtual_t)
|
||||||
corecmd_exec_bin(postfix_virtual_t)
|
corecmd_exec_bin(postfix_virtual_t)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.fc serefpolicy-3.5.1/policy/modules/services/postfixpolicyd.fc
|
|
||||||
--- nsaserefpolicy/policy/modules/services/postfixpolicyd.fc 2008-06-12 23:25:05.000000000 -0400
|
|
||||||
+++ serefpolicy-3.5.1/policy/modules/services/postfixpolicyd.fc 2008-07-24 06:54:04.000000000 -0400
|
|
||||||
@@ -3,3 +3,5 @@
|
|
||||||
/usr/sbin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t, s0)
|
|
||||||
|
|
||||||
/var/run/policyd\.pid -- gen_context(system_u:object_r:postfix_policyd_var_run_t, s0)
|
|
||||||
+
|
|
||||||
+/etc/rc.d/init.d/postfixpolicyd -- gen_context(system_u:object_r:postfixpolicyd_script_exec_t,s0)
|
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.if serefpolicy-3.5.1/policy/modules/services/postfixpolicyd.if
|
|
||||||
--- nsaserefpolicy/policy/modules/services/postfixpolicyd.if 2008-06-12 23:25:05.000000000 -0400
|
|
||||||
+++ serefpolicy-3.5.1/policy/modules/services/postfixpolicyd.if 2008-07-24 06:54:04.000000000 -0400
|
|
||||||
@@ -1 +1,68 @@
|
|
||||||
## <summary>Postfix policy server</summary>
|
|
||||||
+
|
|
||||||
+########################################
|
|
||||||
+## <summary>
|
|
||||||
+## Execute postfixpolicyd server in the postfixpolicyd domain.
|
|
||||||
+## </summary>
|
|
||||||
+## <param name="domain">
|
|
||||||
+## <summary>
|
|
||||||
+## The type of the process performing this action.
|
|
||||||
+## </summary>
|
|
||||||
+## </param>
|
|
||||||
+#
|
|
||||||
+#
|
|
||||||
+interface(`postfixpolicyd_script_domtrans',`
|
|
||||||
+ gen_require(`
|
|
||||||
+ type postfix_policyd_script_exec_t;
|
|
||||||
+ ')
|
|
||||||
+
|
|
||||||
+ init_script_domtrans_spec($1,postfix_policyd_script_exec_t)
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
+########################################
|
|
||||||
+## <summary>
|
|
||||||
+## All of the rules required to administrate
|
|
||||||
+## an postfixpolicyd environment
|
|
||||||
+## </summary>
|
|
||||||
+## <param name="domain">
|
|
||||||
+## <summary>
|
|
||||||
+## Domain allowed access.
|
|
||||||
+## </summary>
|
|
||||||
+## </param>
|
|
||||||
+## <param name="role">
|
|
||||||
+## <summary>
|
|
||||||
+## The role to be allowed to manage the postfixpolicyd domain.
|
|
||||||
+## </summary>
|
|
||||||
+## </param>
|
|
||||||
+## <param name="terminal">
|
|
||||||
+## <summary>
|
|
||||||
+## The type of the user terminal.
|
|
||||||
+## </summary>
|
|
||||||
+## </param>
|
|
||||||
+## <rolecap/>
|
|
||||||
+#
|
|
||||||
+interface(`postfixpolicyd_admin',`
|
|
||||||
+ gen_require(`
|
|
||||||
+ type postfix_policyd_t;
|
|
||||||
+ type postfix_policyd_script_exec_t;
|
|
||||||
+ type postfix_policyd_conf_t;
|
|
||||||
+ type postfix_policyd_var_run_t;
|
|
||||||
+ ')
|
|
||||||
+
|
|
||||||
+ allow $1 postfix_policyd_t:process { ptrace signal_perms getattr };
|
|
||||||
+ read_files_pattern($1, postfix_policyd_t, postfix_policyd_t)
|
|
||||||
+
|
|
||||||
+ # Allow postfix_policyd_t to restart the apache service
|
|
||||||
+ postfixpolicyd_script_domtrans($1)
|
|
||||||
+ domain_system_change_exemption($1)
|
|
||||||
+ role_transition $2 postfix_policyd_script_exec_t system_r;
|
|
||||||
+ allow $2 system_r;
|
|
||||||
+
|
|
||||||
+ files_list_etc($1)
|
|
||||||
+ manage_all_pattern($1,postfix_policyd_conf_t)
|
|
||||||
+
|
|
||||||
+ files_list_pids($1)
|
|
||||||
+ manage_all_pattern($1,postfix_policyd_var_run_t)
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
+
|
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.te serefpolicy-3.5.1/policy/modules/services/postfixpolicyd.te
|
|
||||||
--- nsaserefpolicy/policy/modules/services/postfixpolicyd.te 2008-06-12 23:25:05.000000000 -0400
|
|
||||||
+++ serefpolicy-3.5.1/policy/modules/services/postfixpolicyd.te 2008-07-24 06:54:04.000000000 -0400
|
|
||||||
@@ -16,6 +16,9 @@
|
|
||||||
type postfix_policyd_var_run_t;
|
|
||||||
files_pid_file(postfix_policyd_var_run_t)
|
|
||||||
|
|
||||||
+type postfix_policyd_script_exec_t;
|
|
||||||
+init_script_type(postfix_policyd_script_exec_t)
|
|
||||||
+
|
|
||||||
########################################
|
|
||||||
#
|
|
||||||
# Local Policy
|
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.5.1/policy/modules/services/postgresql.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.5.1/policy/modules/services/postgresql.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/postgresql.fc 2008-06-12 23:25:06.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/postgresql.fc 2008-06-12 23:25:06.000000000 -0400
|
||||||
+++ serefpolicy-3.5.1/policy/modules/services/postgresql.fc 2008-07-24 06:54:04.000000000 -0400
|
+++ serefpolicy-3.5.1/policy/modules/services/postgresql.fc 2008-07-24 06:54:04.000000000 -0400
|
||||||
@ -22969,6 +22937,121 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roun
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Local policy
|
# Local policy
|
||||||
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.5.1/policy/modules/services/rpcbind.fc
|
||||||
|
--- nsaserefpolicy/policy/modules/services/rpcbind.fc 2008-06-12 23:25:05.000000000 -0400
|
||||||
|
+++ serefpolicy-3.5.1/policy/modules/services/rpcbind.fc 2008-07-24 06:54:04.000000000 -0400
|
||||||
|
@@ -5,3 +5,5 @@
|
||||||
|
/var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
|
||||||
|
/var/run/rpcbind\.lock -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
|
||||||
|
/var/run/rpcbind\.sock -s gen_context(system_u:object_r:rpcbind_var_run_t,s0)
|
||||||
|
+
|
||||||
|
+/etc/rc.d/init.d/rpcbind -- gen_context(system_u:object_r:rpcbind_script_exec_t,s0)
|
||||||
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.5.1/policy/modules/services/rpcbind.if
|
||||||
|
--- nsaserefpolicy/policy/modules/services/rpcbind.if 2008-06-12 23:25:05.000000000 -0400
|
||||||
|
+++ serefpolicy-3.5.1/policy/modules/services/rpcbind.if 2008-07-24 06:54:04.000000000 -0400
|
||||||
|
@@ -95,3 +95,68 @@
|
||||||
|
manage_files_pattern($1,rpcbind_var_lib_t,rpcbind_var_lib_t)
|
||||||
|
files_search_var_lib($1)
|
||||||
|
')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Execute rpcbind server in the rpcbind domain.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## The type of the process performing this action.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+#
|
||||||
|
+interface(`rpcbind_script_domtrans',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type rpcbind_script_exec_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ init_script_domtrans_spec($1,rpcbind_script_exec_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## All of the rules required to administrate
|
||||||
|
+## an rpcbind environment
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+## <param name="role">
|
||||||
|
+## <summary>
|
||||||
|
+## The role to be allowed to manage the rpcbind domain.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+## <param name="terminal">
|
||||||
|
+## <summary>
|
||||||
|
+## The type of the user terminal.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+## <rolecap/>
|
||||||
|
+#
|
||||||
|
+interface(`rpcbind_admin',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type rpcbind_t;
|
||||||
|
+ type rpcbind_script_exec_t;
|
||||||
|
+ type rpcbind_var_lib_t;
|
||||||
|
+ type rpcbind_var_run_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 rpcbind_t:process { ptrace signal_perms getattr };
|
||||||
|
+ read_files_pattern($1, rpcbind_t, rpcbind_t)
|
||||||
|
+
|
||||||
|
+ # Allow rpcbind_t to restart the apache service
|
||||||
|
+ rpcbind_script_domtrans($1)
|
||||||
|
+ domain_system_change_exemption($1)
|
||||||
|
+ role_transition $2 rpcbind_script_exec_t system_r;
|
||||||
|
+ allow $2 system_r;
|
||||||
|
+
|
||||||
|
+ files_list_var_lib($1)
|
||||||
|
+ manage_all_pattern($1,rpcbind_var_lib_t)
|
||||||
|
+
|
||||||
|
+ files_list_pids($1)
|
||||||
|
+ manage_all_pattern($1,rpcbind_var_run_t)
|
||||||
|
+')
|
||||||
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.5.1/policy/modules/services/rpcbind.te
|
||||||
|
--- nsaserefpolicy/policy/modules/services/rpcbind.te 2008-06-12 23:25:05.000000000 -0400
|
||||||
|
+++ serefpolicy-3.5.1/policy/modules/services/rpcbind.te 2008-07-24 06:54:04.000000000 -0400
|
||||||
|
@@ -16,16 +16,21 @@
|
||||||
|
type rpcbind_var_lib_t;
|
||||||
|
files_type(rpcbind_var_lib_t)
|
||||||
|
|
||||||
|
+type rpcbind_script_exec_t;
|
||||||
|
+init_script_type(rpcbind_script_exec_t)
|
||||||
|
+
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# rpcbind local policy
|
||||||
|
#
|
||||||
|
|
||||||
|
-allow rpcbind_t self:capability setuid;
|
||||||
|
+allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
|
||||||
|
allow rpcbind_t self:fifo_file rw_file_perms;
|
||||||
|
allow rpcbind_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms;
|
||||||
|
allow rpcbind_t self:udp_socket create_socket_perms;
|
||||||
|
+# BROKEN ...
|
||||||
|
+dontaudit rpcbind_t self:udp_socket listen;
|
||||||
|
allow rpcbind_t self:tcp_socket create_stream_socket_perms;
|
||||||
|
|
||||||
|
manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t)
|
||||||
|
@@ -37,6 +42,7 @@
|
||||||
|
manage_sock_files_pattern(rpcbind_t,rpcbind_var_lib_t,rpcbind_var_lib_t)
|
||||||
|
files_var_lib_filetrans(rpcbind_t,rpcbind_var_lib_t, { file dir sock_file })
|
||||||
|
|
||||||
|
+kernel_read_system_state(rpcbind_t)
|
||||||
|
kernel_read_network_state(rpcbind_t)
|
||||||
|
|
||||||
|
corenet_all_recvfrom_unlabeled(rpcbind_t)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.5.1/policy/modules/services/rpc.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.5.1/policy/modules/services/rpc.if
|
||||||
--- nsaserefpolicy/policy/modules/services/rpc.if 2008-07-10 11:38:46.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/rpc.if 2008-07-10 11:38:46.000000000 -0400
|
||||||
+++ serefpolicy-3.5.1/policy/modules/services/rpc.if 2008-07-24 06:54:04.000000000 -0400
|
+++ serefpolicy-3.5.1/policy/modules/services/rpc.if 2008-07-24 06:54:04.000000000 -0400
|
||||||
@ -23124,121 +23207,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.5.1/policy/modules/services/rpcbind.fc
|
|
||||||
--- nsaserefpolicy/policy/modules/services/rpcbind.fc 2008-06-12 23:25:05.000000000 -0400
|
|
||||||
+++ serefpolicy-3.5.1/policy/modules/services/rpcbind.fc 2008-07-24 06:54:04.000000000 -0400
|
|
||||||
@@ -5,3 +5,5 @@
|
|
||||||
/var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
|
|
||||||
/var/run/rpcbind\.lock -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
|
|
||||||
/var/run/rpcbind\.sock -s gen_context(system_u:object_r:rpcbind_var_run_t,s0)
|
|
||||||
+
|
|
||||||
+/etc/rc.d/init.d/rpcbind -- gen_context(system_u:object_r:rpcbind_script_exec_t,s0)
|
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.5.1/policy/modules/services/rpcbind.if
|
|
||||||
--- nsaserefpolicy/policy/modules/services/rpcbind.if 2008-06-12 23:25:05.000000000 -0400
|
|
||||||
+++ serefpolicy-3.5.1/policy/modules/services/rpcbind.if 2008-07-24 06:54:04.000000000 -0400
|
|
||||||
@@ -95,3 +95,68 @@
|
|
||||||
manage_files_pattern($1,rpcbind_var_lib_t,rpcbind_var_lib_t)
|
|
||||||
files_search_var_lib($1)
|
|
||||||
')
|
|
||||||
+
|
|
||||||
+########################################
|
|
||||||
+## <summary>
|
|
||||||
+## Execute rpcbind server in the rpcbind domain.
|
|
||||||
+## </summary>
|
|
||||||
+## <param name="domain">
|
|
||||||
+## <summary>
|
|
||||||
+## The type of the process performing this action.
|
|
||||||
+## </summary>
|
|
||||||
+## </param>
|
|
||||||
+#
|
|
||||||
+#
|
|
||||||
+interface(`rpcbind_script_domtrans',`
|
|
||||||
+ gen_require(`
|
|
||||||
+ type rpcbind_script_exec_t;
|
|
||||||
+ ')
|
|
||||||
+
|
|
||||||
+ init_script_domtrans_spec($1,rpcbind_script_exec_t)
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
+########################################
|
|
||||||
+## <summary>
|
|
||||||
+## All of the rules required to administrate
|
|
||||||
+## an rpcbind environment
|
|
||||||
+## </summary>
|
|
||||||
+## <param name="domain">
|
|
||||||
+## <summary>
|
|
||||||
+## Domain allowed access.
|
|
||||||
+## </summary>
|
|
||||||
+## </param>
|
|
||||||
+## <param name="role">
|
|
||||||
+## <summary>
|
|
||||||
+## The role to be allowed to manage the rpcbind domain.
|
|
||||||
+## </summary>
|
|
||||||
+## </param>
|
|
||||||
+## <param name="terminal">
|
|
||||||
+## <summary>
|
|
||||||
+## The type of the user terminal.
|
|
||||||
+## </summary>
|
|
||||||
+## </param>
|
|
||||||
+## <rolecap/>
|
|
||||||
+#
|
|
||||||
+interface(`rpcbind_admin',`
|
|
||||||
+ gen_require(`
|
|
||||||
+ type rpcbind_t;
|
|
||||||
+ type rpcbind_script_exec_t;
|
|
||||||
+ type rpcbind_var_lib_t;
|
|
||||||
+ type rpcbind_var_run_t;
|
|
||||||
+ ')
|
|
||||||
+
|
|
||||||
+ allow $1 rpcbind_t:process { ptrace signal_perms getattr };
|
|
||||||
+ read_files_pattern($1, rpcbind_t, rpcbind_t)
|
|
||||||
+
|
|
||||||
+ # Allow rpcbind_t to restart the apache service
|
|
||||||
+ rpcbind_script_domtrans($1)
|
|
||||||
+ domain_system_change_exemption($1)
|
|
||||||
+ role_transition $2 rpcbind_script_exec_t system_r;
|
|
||||||
+ allow $2 system_r;
|
|
||||||
+
|
|
||||||
+ files_list_var_lib($1)
|
|
||||||
+ manage_all_pattern($1,rpcbind_var_lib_t)
|
|
||||||
+
|
|
||||||
+ files_list_pids($1)
|
|
||||||
+ manage_all_pattern($1,rpcbind_var_run_t)
|
|
||||||
+')
|
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.5.1/policy/modules/services/rpcbind.te
|
|
||||||
--- nsaserefpolicy/policy/modules/services/rpcbind.te 2008-06-12 23:25:05.000000000 -0400
|
|
||||||
+++ serefpolicy-3.5.1/policy/modules/services/rpcbind.te 2008-07-24 06:54:04.000000000 -0400
|
|
||||||
@@ -16,16 +16,21 @@
|
|
||||||
type rpcbind_var_lib_t;
|
|
||||||
files_type(rpcbind_var_lib_t)
|
|
||||||
|
|
||||||
+type rpcbind_script_exec_t;
|
|
||||||
+init_script_type(rpcbind_script_exec_t)
|
|
||||||
+
|
|
||||||
########################################
|
|
||||||
#
|
|
||||||
# rpcbind local policy
|
|
||||||
#
|
|
||||||
|
|
||||||
-allow rpcbind_t self:capability setuid;
|
|
||||||
+allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
|
|
||||||
allow rpcbind_t self:fifo_file rw_file_perms;
|
|
||||||
allow rpcbind_t self:unix_stream_socket create_stream_socket_perms;
|
|
||||||
allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms;
|
|
||||||
allow rpcbind_t self:udp_socket create_socket_perms;
|
|
||||||
+# BROKEN ...
|
|
||||||
+dontaudit rpcbind_t self:udp_socket listen;
|
|
||||||
allow rpcbind_t self:tcp_socket create_stream_socket_perms;
|
|
||||||
|
|
||||||
manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t)
|
|
||||||
@@ -37,6 +42,7 @@
|
|
||||||
manage_sock_files_pattern(rpcbind_t,rpcbind_var_lib_t,rpcbind_var_lib_t)
|
|
||||||
files_var_lib_filetrans(rpcbind_t,rpcbind_var_lib_t, { file dir sock_file })
|
|
||||||
|
|
||||||
+kernel_read_system_state(rpcbind_t)
|
|
||||||
kernel_read_network_state(rpcbind_t)
|
|
||||||
|
|
||||||
corenet_all_recvfrom_unlabeled(rpcbind_t)
|
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.5.1/policy/modules/services/rshd.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.5.1/policy/modules/services/rshd.te
|
||||||
--- nsaserefpolicy/policy/modules/services/rshd.te 2008-06-12 23:25:06.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/rshd.te 2008-06-12 23:25:06.000000000 -0400
|
||||||
+++ serefpolicy-3.5.1/policy/modules/services/rshd.te 2008-07-24 06:54:04.000000000 -0400
|
+++ serefpolicy-3.5.1/policy/modules/services/rshd.te 2008-07-24 06:54:04.000000000 -0400
|
||||||
@ -32851,8 +32819,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
|
|||||||
')
|
')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.5.1/policy/modules/system/unconfined.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.5.1/policy/modules/system/unconfined.fc
|
||||||
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2008-07-16 10:26:23.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2008-07-16 10:26:23.000000000 -0400
|
||||||
+++ serefpolicy-3.5.1/policy/modules/system/unconfined.fc 2008-07-24 06:54:05.000000000 -0400
|
+++ serefpolicy-3.5.1/policy/modules/system/unconfined.fc 2008-07-24 22:55:17.000000000 -0400
|
||||||
@@ -2,15 +2,29 @@
|
@@ -2,15 +2,28 @@
|
||||||
# e.g.:
|
# e.g.:
|
||||||
# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
|
# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
|
||||||
# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
|
# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
|
||||||
@ -32886,7 +32854,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||||||
+/usr/libexec/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
|
+/usr/libexec/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
|
||||||
+
|
+
|
||||||
+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
|
+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
|
||||||
+/usr/sbin/vbetool -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
|
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.5.1/policy/modules/system/unconfined.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.5.1/policy/modules/system/unconfined.if
|
||||||
--- nsaserefpolicy/policy/modules/system/unconfined.if 2008-07-16 10:26:23.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/unconfined.if 2008-07-16 10:26:23.000000000 -0400
|
||||||
+++ serefpolicy-3.5.1/policy/modules/system/unconfined.if 2008-07-24 06:54:05.000000000 -0400
|
+++ serefpolicy-3.5.1/policy/modules/system/unconfined.if 2008-07-24 06:54:05.000000000 -0400
|
||||||
@ -36854,3 +36821,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.5
|
|||||||
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
|
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
|
||||||
-')
|
-')
|
||||||
+gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
+gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||||
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.5.1/Rules.modular
|
||||||
|
--- nsaserefpolicy/Rules.modular 2008-06-12 23:25:10.000000000 -0400
|
||||||
|
+++ serefpolicy-3.5.1/Rules.modular 2008-07-24 06:54:04.000000000 -0400
|
||||||
|
@@ -73,8 +73,8 @@
|
||||||
|
$(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
|
||||||
|
@echo "Compliling $(NAME) $(@F) module"
|
||||||
|
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||||
|
- $(call perrole-expansion,$(basename $(@F)),$@.role)
|
||||||
|
- $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
|
||||||
|
+# $(call perrole-expansion,$(basename $(@F)),$@.role)
|
||||||
|
+ $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
|
||||||
|
$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
|
||||||
|
|
||||||
|
$(tmpdir)/%.mod.fc: $(m4support) %.fc
|
||||||
|
@@ -129,7 +129,7 @@
|
||||||
|
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||||
|
# define all available object classes
|
||||||
|
$(verbose) $(genperm) $(avs) $(secclass) > $@
|
||||||
|
- $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
|
||||||
|
+# $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
|
||||||
|
$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
|
||||||
|
|
||||||
|
$(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
|
||||||
|
@@ -146,7 +146,7 @@
|
||||||
|
$(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
|
||||||
|
$(tmpdir)/rolemap.conf: $(rolemap)
|
||||||
|
$(verbose) echo "" > $@
|
||||||
|
- $(call parse-rolemap,base,$@)
|
||||||
|
+# $(call parse-rolemap,base,$@)
|
||||||
|
|
||||||
|
$(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
|
||||||
|
$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
|
||||||
|
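Review bot: The Rules.modular hunk disables per-role expansion by commenting out recipe lines (`# $(call perrole-expansion,$(basename $(@F)),$@.role)`, `# $(verbose) $(call create-base-per-role-tmpl,...)`, `# $(call parse-rolemap,base,$@)`) instead of deleting them, and nothing in the hunk records why. Commented-out recipe text is dead code that misleads the next reader — if the `#` sits after the recipe tab it is handed to the shell as a comment and still echoed by make unless the line is silenced — so the three lines should simply be removed. As written, the `$(tmpdir)/rolemap.conf` rule now only runs `echo "" > $@`, yet `$(tmpdir)/all_te_files.conf` still lists it as a prerequisite, which makes the stub look like an oversight rather than a decision; a comment above that rule such as `# rolemap.conf is intentionally an empty stub: per-role template expansion is no longer performed` would record the intent. Because the `%.mod` recipe no longer passes `$@.role` to m4, whatever per-role content that file carried is presumably dropped from every compiled module, so the rationale for this policy-build change belongs in the commit message or the Makefile, not only in silenced code.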