- Allow init to transition to initrc_t on shell exec.
- Fix init to be able to sendto init_t. - Allow syslog to connect to mysql - Allow lvm to manage its own fifo_files - Allow bugzilla to use ldap - More mls fixes
This commit is contained in:
Daniel J Walsh
parent
110bce3a29
commit
59c6413a37
|
|
@ -8483,7 +8483,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te
|
||||
--- nsaserefpolicy/policy/modules/services/apache.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-02-29 13:36:51.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-03-11 19:28:21.000000000 -0400
|
||||
@@ -20,6 +20,8 @@
|
||||
# Declarations
|
||||
#
|
||||
|
|
@ -8975,7 +8975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -724,3 +859,46 @@
|
||||
@@ -724,3 +859,47 @@
|
||||
logging_search_logs(httpd_rotatelogs_t)
|
||||
|
||||
miscfiles_read_localization(httpd_rotatelogs_t)
|
||||
|
|
@ -9013,6 +9013,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||
+mta_send_mail(httpd_bugzilla_script_t)
|
||||
+
|
||||
+sysnet_read_config(httpd_bugzilla_script_t)
|
||||
+sysnet_use_ldap(httpd_bugzilla_script_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ mysql_search_db(httpd_bugzilla_script_t)
|
||||
|
|
@ -19545,6 +19546,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remo
|
|||
userdom_use_unpriv_users_fds(remote_login_t)
|
||||
userdom_search_all_users_home_content(remote_login_t)
|
||||
# Only permit unprivileged user domains to be entered via rlogin,
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-3.3.1/policy/modules/services/rhgb.te
|
||||
--- nsaserefpolicy/policy/modules/services/rhgb.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/rhgb.te 2008-03-11 20:07:53.000000000 -0400
|
||||
@@ -92,6 +92,7 @@
|
||||
term_getattr_pty_fs(rhgb_t)
|
||||
|
||||
init_write_initctl(rhgb_t)
|
||||
+init_chat(rhgb_t)
|
||||
|
||||
libs_use_ld_so(rhgb_t)
|
||||
libs_use_shared_libs(rhgb_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-3.3.1/policy/modules/services/ricci.if
|
||||
--- nsaserefpolicy/policy/modules/services/ricci.if 2007-01-02 12:57:43.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/ricci.if 2008-02-26 08:29:22.000000000 -0500
|
||||
|
|
@ -20154,8 +20166,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
|
|||
+/etc/rc.d/init.d/smb -- gen_context(system_u:object_r:samba_script_exec_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.3.1/policy/modules/services/samba.if
|
||||
--- nsaserefpolicy/policy/modules/services/samba.if 2007-10-12 08:56:07.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/samba.if 2008-02-26 21:19:09.000000000 -0500
|
||||
@@ -63,6 +63,25 @@
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/samba.if 2008-03-11 17:56:00.000000000 -0400
|
||||
@@ -52,6 +52,25 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
+interface(`samba_domtrans_smb',`
|
||||
+ gen_require(`
|
||||
+ type smbd_t, smbd_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ corecmd_search_bin($1)
|
||||
+ domtrans_pattern($1,smbd_exec_t,smbd_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute samba net in the samba_net domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## The type of the process performing this action.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
interface(`samba_domtrans_net',`
|
||||
gen_require(`
|
||||
type samba_net_t, samba_net_exec_t;
|
||||
@@ -63,6 +82,25 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -20181,7 +20219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
|
|||
## Execute samba net in the samba_net domain, and
|
||||
## allow the specified role the samba_net domain.
|
||||
## </summary>
|
||||
@@ -95,6 +114,38 @@
|
||||
@@ -95,6 +133,38 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -20220,7 +20258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
|
|||
## Execute smbmount in the smbmount domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -331,6 +382,25 @@
|
||||
@@ -331,6 +401,25 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -20246,7 +20284,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
|
|||
## Allow the specified domain to
|
||||
## read and write samba /var files.
|
||||
## </summary>
|
||||
@@ -348,6 +418,7 @@
|
||||
@@ -348,6 +437,7 @@
|
||||
files_search_var($1)
|
||||
files_search_var_lib($1)
|
||||
manage_files_pattern($1,samba_var_t,samba_var_t)
|
||||
|
|
@ -20254,7 +20292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -492,3 +563,221 @@
|
||||
@@ -492,3 +582,221 @@
|
||||
allow $1 samba_var_t:dir search_dir_perms;
|
||||
stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t)
|
||||
')
|
||||
|
|
@ -21371,7 +21409,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smar
|
|||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.3.1/policy/modules/services/smartmon.te
|
||||
--- nsaserefpolicy/policy/modules/services/smartmon.te 2008-02-15 09:52:56.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/smartmon.te 2008-02-26 08:29:22.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/smartmon.te 2008-03-11 18:55:46.000000000 -0400
|
||||
@@ -16,6 +16,9 @@
|
||||
type fsdaemon_tmp_t;
|
||||
files_tmp_file(fsdaemon_tmp_t)
|
||||
|
|
@ -21382,6 +21420,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smar
|
|||
########################################
|
||||
#
|
||||
# Local policy
|
||||
@@ -62,6 +65,7 @@
|
||||
fs_search_auto_mountpoints(fsdaemon_t)
|
||||
|
||||
mls_file_read_all_levels(fsdaemon_t)
|
||||
+mls_file_write_all_levels(fsdaemon_t)
|
||||
|
||||
storage_raw_read_fixed_disk(fsdaemon_t)
|
||||
storage_raw_write_fixed_disk(fsdaemon_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.3.1/policy/modules/services/snmp.fc
|
||||
--- nsaserefpolicy/policy/modules/services/snmp.fc 2007-06-19 16:23:06.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/snmp.fc 2008-02-26 08:29:22.000000000 -0500
|
||||
|
|
@ -23383,7 +23429,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-03-10 16:54:19.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-03-11 19:56:07.000000000 -0400
|
||||
@@ -12,9 +12,15 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
|
|
@ -23468,7 +23514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
|
||||
files_read_etc_files($1_xserver_t)
|
||||
files_read_etc_runtime_files($1_xserver_t)
|
||||
@@ -140,12 +159,16 @@
|
||||
@@ -140,26 +159,37 @@
|
||||
fs_getattr_xattr_fs($1_xserver_t)
|
||||
fs_search_nfs($1_xserver_t)
|
||||
fs_search_auto_mountpoints($1_xserver_t)
|
||||
|
|
@ -23486,7 +23532,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
term_setattr_unallocated_ttys($1_xserver_t)
|
||||
term_use_unallocated_ttys($1_xserver_t)
|
||||
|
||||
@@ -153,13 +176,17 @@
|
||||
+ mls_file_read_to_clearance($1_xserver_t)
|
||||
+ mls_file_write_to_clearance($1_xserver_t)
|
||||
+
|
||||
libs_use_ld_so($1_xserver_t)
|
||||
libs_use_shared_libs($1_xserver_t)
|
||||
|
||||
logging_send_syslog_msg($1_xserver_t)
|
||||
|
|
@ -23505,7 +23554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
|
||||
ifndef(`distro_redhat',`
|
||||
allow $1_xserver_t self:process { execmem execheap execstack };
|
||||
@@ -169,6 +196,46 @@
|
||||
@@ -169,6 +199,46 @@
|
||||
allow $1_xserver_t self:process { execmem execheap execstack };
|
||||
')
|
||||
|
||||
|
|
@ -23552,7 +23601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
optional_policy(`
|
||||
apm_stream_connect($1_xserver_t)
|
||||
')
|
||||
@@ -223,8 +290,10 @@
|
||||
@@ -223,8 +293,10 @@
|
||||
template(`xserver_per_role_template',`
|
||||
|
||||
gen_require(`
|
||||
|
|
@ -23565,7 +23614,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
')
|
||||
|
||||
##############################
|
||||
@@ -232,189 +301,119 @@
|
||||
@@ -232,189 +304,119 @@
|
||||
# Declarations
|
||||
#
|
||||
|
||||
|
|
@ -23704,15 +23753,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
|
||||
- allow $1_xauth_t self:process signal;
|
||||
- allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+ domtrans_pattern($2, xauth_exec_t, xauth_t)
|
||||
|
||||
-
|
||||
- allow $1_xauth_t $1_xauth_home_t:file manage_file_perms;
|
||||
- userdom_user_home_dir_filetrans($1,$1_xauth_t,$1_xauth_home_t,file)
|
||||
-
|
||||
- manage_dirs_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t)
|
||||
- manage_files_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t)
|
||||
- files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir })
|
||||
-
|
||||
+ domtrans_pattern($2, xauth_exec_t, xauth_t)
|
||||
|
||||
- domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
|
||||
-
|
||||
- allow $2 $1_xauth_t:process signal;
|
||||
|
|
@ -23726,10 +23775,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
-
|
||||
- allow xdm_t $1_xauth_home_t:file manage_file_perms;
|
||||
- userdom_user_home_dir_filetrans($1,xdm_t,$1_xauth_home_t,file)
|
||||
-
|
||||
- domain_use_interactive_fds($1_xauth_t)
|
||||
+ ps_process_pattern($2,xauth_t)
|
||||
|
||||
- domain_use_interactive_fds($1_xauth_t)
|
||||
-
|
||||
- files_read_etc_files($1_xauth_t)
|
||||
- files_search_pids($1_xauth_t)
|
||||
-
|
||||
|
|
@ -23779,47 +23828,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
# allow ps to show iceauth
|
||||
- ps_process_pattern($2,$1_iceauth_t)
|
||||
+ ps_process_pattern($2,iceauth_t)
|
||||
+
|
||||
+ allow $2 user_iceauth_home_t:file manage_file_perms;
|
||||
+ allow $2 user_iceauth_home_t:file { relabelfrom relabelto };
|
||||
|
||||
- allow $2 $1_iceauth_home_t:file manage_file_perms;
|
||||
- allow $2 $1_iceauth_home_t:file { relabelfrom relabelto };
|
||||
+ userdom_use_user_terminals($1,iceauth_t)
|
||||
+ allow $2 user_iceauth_home_t:file manage_file_perms;
|
||||
+ allow $2 user_iceauth_home_t:file { relabelfrom relabelto };
|
||||
|
||||
- allow xdm_t $1_iceauth_home_t:file read_file_perms;
|
||||
+ userdom_use_user_terminals($1,iceauth_t)
|
||||
|
||||
- fs_search_auto_mountpoints($1_iceauth_t)
|
||||
+ optional_policy(`
|
||||
+ xserver_read_user_iceauth($1, $2)
|
||||
+ ')
|
||||
|
||||
- fs_search_auto_mountpoints($1_iceauth_t)
|
||||
- libs_use_ld_so($1_iceauth_t)
|
||||
- libs_use_shared_libs($1_iceauth_t)
|
||||
+ ##############################
|
||||
+ #
|
||||
+ # User X object manager local policy
|
||||
+ #
|
||||
|
||||
- libs_use_ld_so($1_iceauth_t)
|
||||
- libs_use_shared_libs($1_iceauth_t)
|
||||
- userdom_use_user_terminals($1,$1_iceauth_t)
|
||||
+ # Device rules
|
||||
+ allow xdm_x_domain $2:x_device { getattr setattr setfocus grab bell };
|
||||
|
||||
- userdom_use_user_terminals($1,$1_iceauth_t)
|
||||
+ allow $2 { input_xevent_t }:x_event send;
|
||||
+ allow $2 { x_rootwindow_t xdm_x_domain }:x_drawable send;
|
||||
|
||||
- tunable_policy(`use_nfs_home_dirs',`
|
||||
- fs_manage_nfs_files($1_iceauth_t)
|
||||
- ')
|
||||
+ mls_xwin_read_to_clearance($2)
|
||||
+ allow $2 { input_xevent_t }:x_event send;
|
||||
+ allow $2 { x_rootwindow_t xdm_x_domain }:x_drawable send;
|
||||
|
||||
- tunable_policy(`use_samba_home_dirs',`
|
||||
- fs_manage_cifs_files($1_iceauth_t)
|
||||
- ')
|
||||
+ mls_xwin_read_to_clearance($2)
|
||||
+
|
||||
+ xserver_user_x_domain_template($1,$1_t,$1_t,$1_tmpfs_t)
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -521,19 +520,18 @@
|
||||
@@ -521,19 +523,18 @@
|
||||
## </param>
|
||||
#
|
||||
template(`xserver_user_client_template',`
|
||||
|
|
@ -23847,7 +23896,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
|
||||
# for when /tmp/.X11-unix is created by the system
|
||||
allow $2 xdm_t:fd use;
|
||||
@@ -542,25 +540,542 @@
|
||||
@@ -542,25 +543,541 @@
|
||||
allow $2 xdm_tmp_t:sock_file { read write };
|
||||
dontaudit $2 xdm_t:tcp_socket { read write };
|
||||
|
||||
|
|
@ -23974,7 +24023,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
+ type screensaver_xext_t, unknown_xext_t, x_rootscreen_t;
|
||||
+ type disallowed_xext_t;
|
||||
+ type output_xext_t;
|
||||
+ type accelgraphics_xext_t, xdm_xserver_t;
|
||||
+
|
||||
+ attribute x_server_domain, x_domain;
|
||||
+ attribute xproperty_type;
|
||||
|
|
@ -24009,7 +24057,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
+ allow $1 std_xext_t:x_extension query;
|
||||
+ allow $1 x_rootwindow_t:x_drawable { get_property getattr };
|
||||
+
|
||||
+
|
||||
+ # Hacks
|
||||
+ # everyone can get the input focus of everyone else
|
||||
+ # this is a fundamental brokenness in the X protocol
|
||||
|
|
@ -24083,10 +24130,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
+
|
||||
+ # X Input
|
||||
+ # can receive own events
|
||||
+ allow $1 input_xevent_t:{ x_event x_synthetic_event } receive;
|
||||
+ allow $1 input_xevent_t:{ x_event x_synthetic_event } { send receive };
|
||||
+ allow $1 $1:{ x_event x_synthetic_event } { send receive };
|
||||
+ allow $1 default_xevent_t:x_event receive;
|
||||
+ allow $1 default_xevent_t:x_synthetic_event send;
|
||||
+ allow $1 default_xevent_t:x_synthetic_event { receive send };
|
||||
+
|
||||
+
|
||||
+ # can receive certain root window events
|
||||
+ allow $1 focus_xevent_t:x_event receive;
|
||||
|
|
@ -24396,7 +24444,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
')
|
||||
')
|
||||
|
||||
@@ -593,26 +1107,44 @@
|
||||
@@ -593,26 +1110,44 @@
|
||||
#
|
||||
template(`xserver_use_user_fonts',`
|
||||
gen_require(`
|
||||
|
|
@ -24448,14 +24496,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
## Transition to a user Xauthority domain.
|
||||
## </summary>
|
||||
## <desc>
|
||||
@@ -638,10 +1170,77 @@
|
||||
@@ -638,10 +1173,77 @@
|
||||
#
|
||||
template(`xserver_domtrans_user_xauth',`
|
||||
gen_require(`
|
||||
- type $1_xauth_t, xauth_exec_t;
|
||||
+ type xauth_exec_t, xauth_t;
|
||||
+ ')
|
||||
+
|
||||
')
|
||||
|
||||
- domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
|
||||
+ domtrans_pattern($2, xauth_exec_t, xauth_t)
|
||||
+')
|
||||
+
|
||||
|
|
@ -24520,15 +24569,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
+template(`xserver_read_user_iceauth',`
|
||||
+ gen_require(`
|
||||
+ type user_iceauth_home_t;
|
||||
')
|
||||
|
||||
- domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
|
||||
+ ')
|
||||
+
|
||||
+ # Read .Iceauthority file
|
||||
+ allow $2 user_iceauth_home_t:file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -671,10 +1270,10 @@
|
||||
@@ -671,10 +1273,10 @@
|
||||
#
|
||||
template(`xserver_user_home_dir_filetrans_user_xauth',`
|
||||
gen_require(`
|
||||
|
|
@ -24541,7 +24589,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -760,7 +1359,7 @@
|
||||
@@ -760,7 +1362,7 @@
|
||||
type xconsole_device_t;
|
||||
')
|
||||
|
||||
|
|
@ -24550,7 +24598,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -860,6 +1459,25 @@
|
||||
@@ -860,6 +1462,25 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -24576,7 +24624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
## Read xdm-writable configuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -914,6 +1532,7 @@
|
||||
@@ -914,6 +1535,7 @@
|
||||
files_search_tmp($1)
|
||||
allow $1 xdm_tmp_t:dir list_dir_perms;
|
||||
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
|
||||
|
|
@ -24584,7 +24632,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -955,6 +1574,24 @@
|
||||
@@ -955,6 +1577,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -24609,7 +24657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
## Execute the X server in the XDM X server domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -965,15 +1602,47 @@
|
||||
@@ -965,15 +1605,47 @@
|
||||
#
|
||||
interface(`xserver_domtrans_xdm_xserver',`
|
||||
gen_require(`
|
||||
|
|
@ -24658,7 +24706,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
## Make an X session script an entrypoint for the specified domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1123,7 +1792,7 @@
|
||||
@@ -1123,7 +1795,7 @@
|
||||
type xdm_xserver_tmp_t;
|
||||
')
|
||||
|
||||
|
|
@ -24667,7 +24715,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1312,3 +1981,83 @@
|
||||
@@ -1312,3 +1984,83 @@
|
||||
files_search_tmp($1)
|
||||
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
|
||||
')
|
||||
|
|
@ -24753,7 +24801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-03-10 14:23:28.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-03-11 19:35:25.000000000 -0400
|
||||
@@ -8,6 +8,14 @@
|
||||
|
||||
## <desc>
|
||||
|
|
@ -24896,7 +24944,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
init_system_domain(xdm_xserver_t,xserver_exec_t)
|
||||
|
||||
ifdef(`enable_mcs',`
|
||||
@@ -95,8 +191,9 @@
|
||||
@@ -86,6 +182,11 @@
|
||||
init_ranged_daemon_domain(xdm_t,xdm_exec_t,s0 - mcs_systemhigh)
|
||||
')
|
||||
|
||||
+ifdef(`enable_mls',`
|
||||
+ init_ranged_domain(xdm_t,xdm_exec_t,s0 - mls_systemhigh)
|
||||
+ init_ranged_daemon_domain(xdm_t,xdm_exec_t,s0 - mls_systemhigh)
|
||||
+')
|
||||
+
|
||||
optional_policy(`
|
||||
prelink_object_file(xkb_var_lib_t)
|
||||
')
|
||||
@@ -95,8 +196,9 @@
|
||||
# XDM Local policy
|
||||
#
|
||||
|
||||
|
|
@ -24908,7 +24968,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
allow xdm_t self:fifo_file rw_fifo_file_perms;
|
||||
allow xdm_t self:shm create_shm_perms;
|
||||
allow xdm_t self:sem create_sem_perms;
|
||||
@@ -109,6 +206,8 @@
|
||||
@@ -109,6 +211,8 @@
|
||||
allow xdm_t self:key { search link write };
|
||||
|
||||
allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
|
||||
|
|
@ -24917,7 +24977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
|
||||
# Allow gdm to run gdm-binary
|
||||
can_exec(xdm_t, xdm_exec_t)
|
||||
@@ -131,15 +230,22 @@
|
||||
@@ -131,15 +235,22 @@
|
||||
manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
|
||||
manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
|
||||
fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
|
@ -24941,7 +25001,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
|
||||
allow xdm_t xdm_xserver_t:process signal;
|
||||
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
|
||||
@@ -153,6 +259,7 @@
|
||||
@@ -153,6 +264,7 @@
|
||||
allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
|
||||
|
||||
allow xdm_t xdm_xserver_t:shm rw_shm_perms;
|
||||
|
|
@ -24949,7 +25009,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
|
||||
# connect to xdm xserver over stream socket
|
||||
stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
|
||||
@@ -173,6 +280,8 @@
|
||||
@@ -173,6 +285,8 @@
|
||||
|
||||
corecmd_exec_shell(xdm_t)
|
||||
corecmd_exec_bin(xdm_t)
|
||||
|
|
@ -24958,7 +25018,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
|
||||
corenet_all_recvfrom_unlabeled(xdm_t)
|
||||
corenet_all_recvfrom_netlabel(xdm_t)
|
||||
@@ -184,6 +293,7 @@
|
||||
@@ -184,6 +298,7 @@
|
||||
corenet_udp_sendrecv_all_ports(xdm_t)
|
||||
corenet_tcp_bind_all_nodes(xdm_t)
|
||||
corenet_udp_bind_all_nodes(xdm_t)
|
||||
|
|
@ -24966,7 +25026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
corenet_tcp_connect_all_ports(xdm_t)
|
||||
corenet_sendrecv_all_client_packets(xdm_t)
|
||||
# xdm tries to bind to biff_port_t
|
||||
@@ -196,6 +306,7 @@
|
||||
@@ -196,6 +311,7 @@
|
||||
dev_getattr_mouse_dev(xdm_t)
|
||||
dev_setattr_mouse_dev(xdm_t)
|
||||
dev_rw_apm_bios(xdm_t)
|
||||
|
|
@ -24974,7 +25034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
dev_setattr_apm_bios_dev(xdm_t)
|
||||
dev_rw_dri(xdm_t)
|
||||
dev_rw_agp(xdm_t)
|
||||
@@ -208,8 +319,8 @@
|
||||
@@ -208,8 +324,8 @@
|
||||
dev_setattr_video_dev(xdm_t)
|
||||
dev_getattr_scanner_dev(xdm_t)
|
||||
dev_setattr_scanner_dev(xdm_t)
|
||||
|
|
@ -24985,7 +25045,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
dev_getattr_power_mgmt_dev(xdm_t)
|
||||
dev_setattr_power_mgmt_dev(xdm_t)
|
||||
|
||||
@@ -226,6 +337,7 @@
|
||||
@@ -226,6 +342,7 @@
|
||||
files_read_usr_files(xdm_t)
|
||||
# Poweroff wants to create the /poweroff file when run from xdm
|
||||
files_create_boot_flag(xdm_t)
|
||||
|
|
@ -24993,7 +25053,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
|
||||
fs_getattr_all_fs(xdm_t)
|
||||
fs_search_auto_mountpoints(xdm_t)
|
||||
@@ -237,6 +349,7 @@
|
||||
@@ -237,6 +354,7 @@
|
||||
storage_dontaudit_raw_write_removable_device(xdm_t)
|
||||
storage_dontaudit_setattr_removable_dev(xdm_t)
|
||||
storage_dontaudit_rw_scsi_generic(xdm_t)
|
||||
|
|
@ -25001,7 +25061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
|
||||
term_setattr_console(xdm_t)
|
||||
term_use_unallocated_ttys(xdm_t)
|
||||
@@ -245,6 +358,7 @@
|
||||
@@ -245,6 +363,7 @@
|
||||
auth_domtrans_pam_console(xdm_t)
|
||||
auth_manage_pam_pid(xdm_t)
|
||||
auth_manage_pam_console_data(xdm_t)
|
||||
|
|
@ -25009,7 +25069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
auth_rw_faillog(xdm_t)
|
||||
auth_write_login_records(xdm_t)
|
||||
|
||||
@@ -256,12 +370,11 @@
|
||||
@@ -256,12 +375,11 @@
|
||||
libs_exec_lib_files(xdm_t)
|
||||
|
||||
logging_read_generic_logs(xdm_t)
|
||||
|
|
@ -25023,7 +25083,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
|
||||
userdom_create_all_users_keys(xdm_t)
|
||||
@@ -270,8 +383,13 @@
|
||||
@@ -270,8 +388,13 @@
|
||||
# Search /proc for any user domain processes.
|
||||
userdom_read_all_users_state(xdm_t)
|
||||
userdom_signal_all_users(xdm_t)
|
||||
|
|
@ -25037,7 +25097,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs(xdm_t)
|
||||
@@ -304,7 +422,11 @@
|
||||
@@ -304,7 +427,11 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -25050,7 +25110,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -312,6 +434,23 @@
|
||||
@@ -312,6 +439,23 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -25074,7 +25134,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
# Talk to the console mouse server.
|
||||
gpm_stream_connect(xdm_t)
|
||||
gpm_setattr_gpmctl(xdm_t)
|
||||
@@ -322,6 +461,10 @@
|
||||
@@ -322,6 +466,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -25085,7 +25145,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
loadkeys_exec(xdm_t)
|
||||
')
|
||||
|
||||
@@ -335,6 +478,11 @@
|
||||
@@ -335,6 +483,11 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -25097,7 +25157,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
seutil_sigchld_newrole(xdm_t)
|
||||
')
|
||||
|
||||
@@ -343,8 +491,8 @@
|
||||
@@ -343,8 +496,8 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -25107,7 +25167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
|
||||
ifndef(`distro_redhat',`
|
||||
allow xdm_t self:process { execheap execmem };
|
||||
@@ -380,7 +528,7 @@
|
||||
@@ -380,7 +533,7 @@
|
||||
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
|
||||
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
|
||||
|
||||
|
|
@ -25116,7 +25176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
|
||||
# Label pid and temporary files with derived types.
|
||||
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
|
||||
@@ -392,6 +540,15 @@
|
||||
@@ -392,6 +545,15 @@
|
||||
can_exec(xdm_xserver_t, xkb_var_lib_t)
|
||||
files_search_var_lib(xdm_xserver_t)
|
||||
|
||||
|
|
@ -25132,7 +25192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
# VNC v4 module in X server
|
||||
corenet_tcp_bind_vnc_port(xdm_xserver_t)
|
||||
|
||||
@@ -404,9 +561,17 @@
|
||||
@@ -404,9 +566,17 @@
|
||||
# to read ROLE_home_t - examine this in more detail
|
||||
# (xauth?)
|
||||
userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
|
||||
|
|
@ -25150,7 +25210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs(xdm_xserver_t)
|
||||
fs_manage_nfs_files(xdm_xserver_t)
|
||||
@@ -420,6 +585,22 @@
|
||||
@@ -420,6 +590,22 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -25173,7 +25233,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
resmgr_stream_connect(xdm_t)
|
||||
')
|
||||
|
||||
@@ -429,47 +610,139 @@
|
||||
@@ -429,47 +615,139 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -25223,21 +25283,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
+
|
||||
+tunable_policy(`allow_xserver_execmem', `
|
||||
+ allow xdm_xserver_t self:process { execheap execmem execstack };
|
||||
')
|
||||
|
||||
+')
|
||||
+
|
||||
+ifndef(`distro_redhat',`
|
||||
+ allow xdm_xserver_t self:process { execheap execmem };
|
||||
+')
|
||||
+
|
||||
+ifdef(`distro_rhel4',`
|
||||
+ allow xdm_xserver_t self:process { execheap execmem };
|
||||
+')
|
||||
+
|
||||
')
|
||||
|
||||
+##############################
|
||||
#
|
||||
-# Wants to delete .xsession-errors file
|
||||
+# xauth_t Local policy
|
||||
+#
|
||||
#
|
||||
-allow xdm_t user_home_type:file unlink;
|
||||
+domtrans_pattern(xdm_xserver_t, xauth_exec_t, xauth_t)
|
||||
+
|
||||
+userdom_user_home_dir_filetrans(user,xauth_t,user_xauth_home_t,file)
|
||||
|
|
@ -25284,10 +25345,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
+
|
||||
+##############################
|
||||
#
|
||||
-allow xdm_t user_home_type:file unlink;
|
||||
-# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
|
||||
+# iceauth_t Local policy
|
||||
#
|
||||
-# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
|
||||
-allow pam_t xdm_t:fifo_file { getattr ioctl write };
|
||||
-') dnl end TODO
|
||||
+
|
||||
+allow iceauth_t user_iceauth_home_t:file manage_file_perms;
|
||||
+userdom_user_home_dir_filetrans($1,iceauth_t,user_iceauth_home_t,file)
|
||||
|
|
@ -25311,9 +25373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
+userdom_sysadm_home_dir_filetrans(xauth_t, admin_xauth_home_t, file)
|
||||
+
|
||||
+########################################
|
||||
#
|
||||
-allow pam_t xdm_t:fifo_file { getattr ioctl write };
|
||||
-') dnl end TODO
|
||||
+#
|
||||
+# Rules for unconfined access to this module
|
||||
+#
|
||||
+
|
||||
|
|
@ -25744,7 +25804,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.3.1/policy/modules/system/authlogin.te
|
||||
--- nsaserefpolicy/policy/modules/system/authlogin.te 2008-02-19 17:24:26.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/authlogin.te 2008-03-05 15:46:36.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/authlogin.te 2008-03-11 17:52:13.000000000 -0400
|
||||
@@ -59,6 +59,9 @@
|
||||
type utempter_exec_t;
|
||||
application_domain(utempter_t,utempter_exec_t)
|
||||
|
|
@ -25944,7 +26004,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
|
|||
')
|
||||
')
|
||||
|
||||
@@ -463,11 +470,13 @@
|
||||
@@ -463,11 +470,12 @@
|
||||
interface(`init_telinit',`
|
||||
gen_require(`
|
||||
type initctl_t;
|
||||
|
|
@ -25955,7 +26015,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
|
|||
allow $1 initctl_t:fifo_file rw_fifo_file_perms;
|
||||
-
|
||||
+ allow $1 init_t:unix_dgram_socket sendto;
|
||||
+ allow init_t $1:unix_dgram_socket sendto;
|
||||
init_exec($1)
|
||||
')
|
||||
|
||||
|
|
@ -26270,7 +26329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
|
|||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.3.1/policy/modules/system/init.te
|
||||
--- nsaserefpolicy/policy/modules/system/init.te 2008-02-26 08:17:43.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/init.te 2008-03-07 16:07:39.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/init.te 2008-03-11 18:57:27.000000000 -0400
|
||||
@@ -10,6 +10,20 @@
|
||||
# Declarations
|
||||
#
|
||||
|
|
@ -26333,6 +26392,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
|||
# is ~sys_module really needed? observed:
|
||||
# sys_boot
|
||||
# sys_tty_config
|
||||
@@ -86,7 +112,7 @@
|
||||
# Re-exec itself
|
||||
can_exec(init_t,init_exec_t)
|
||||
|
||||
-allow init_t initrc_t:unix_stream_socket connectto;
|
||||
+allow init_t initrc_t:unix_stream_socket { connectto rw_stream_socket_perms };
|
||||
|
||||
# For /var/run/shutdown.pid.
|
||||
allow init_t init_var_run_t:file manage_file_perms;
|
||||
@@ -102,8 +128,11 @@
|
||||
kernel_read_system_state(init_t)
|
||||
kernel_share_state(init_t)
|
||||
|
|
@ -26354,7 +26422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
|||
ifdef(`distro_gentoo',`
|
||||
allow init_t self:process { getcap setcap };
|
||||
')
|
||||
@@ -163,22 +194,31 @@
|
||||
@@ -163,22 +194,25 @@
|
||||
fs_tmpfs_filetrans(init_t,initctl_t,fifo_file)
|
||||
')
|
||||
|
||||
|
|
@ -26382,18 +26450,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
|||
-optional_policy(`
|
||||
- unconfined_domain(init_t)
|
||||
+ifndef(`distro_ubuntu',`
|
||||
+# Run the shell in the unconfined_t or sysadm_t domain for single-user mode.
|
||||
+ifdef(`enable_mls',`
|
||||
+ userdom_shell_domtrans_sysadm(init_t)
|
||||
+',`
|
||||
+ optional_policy(`
|
||||
+ unconfined_shell_domtrans(init_t)
|
||||
+ ')
|
||||
+')
|
||||
+ corecmd_shell_domtrans(init_t,initrc_t)
|
||||
+ corecmd_shell_entry_type(initrc_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -187,7 +227,7 @@
|
||||
@@ -187,7 +221,7 @@
|
||||
#
|
||||
|
||||
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
|
||||
|
|
@ -26402,7 +26464,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
|||
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
|
||||
allow initrc_t self:passwd rootok;
|
||||
|
||||
@@ -201,10 +241,9 @@
|
||||
@@ -201,10 +235,9 @@
|
||||
allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
|
||||
term_create_pty(initrc_t,initrc_devpts_t)
|
||||
|
||||
|
|
@ -26415,7 +26477,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
|||
|
||||
manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t)
|
||||
manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
|
||||
@@ -283,7 +322,6 @@
|
||||
@@ -257,7 +290,7 @@
|
||||
dev_read_sound_mixer(initrc_t)
|
||||
dev_write_sound_mixer(initrc_t)
|
||||
dev_setattr_all_chr_files(initrc_t)
|
||||
-dev_read_lvm_control(initrc_t)
|
||||
+dev_rw_lvm_control(initrc_t)
|
||||
dev_delete_lvm_control_dev(initrc_t)
|
||||
dev_manage_generic_symlinks(initrc_t)
|
||||
dev_manage_generic_files(initrc_t)
|
||||
@@ -283,7 +316,6 @@
|
||||
mls_process_read_up(initrc_t)
|
||||
mls_process_write_down(initrc_t)
|
||||
mls_rangetrans_source(initrc_t)
|
||||
|
|
@ -26423,7 +26494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
|||
|
||||
selinux_get_enforce_mode(initrc_t)
|
||||
|
||||
@@ -496,6 +534,31 @@
|
||||
@@ -496,6 +528,31 @@
|
||||
')
|
||||
')
|
||||
|
||||
|
|
@ -26455,7 +26526,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
|||
optional_policy(`
|
||||
amavis_search_lib(initrc_t)
|
||||
amavis_setattr_pid_files(initrc_t)
|
||||
@@ -559,14 +622,6 @@
|
||||
@@ -559,14 +616,6 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -26470,7 +26541,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
|||
ftp_read_config(initrc_t)
|
||||
')
|
||||
|
||||
@@ -639,12 +694,6 @@
|
||||
@@ -639,12 +688,6 @@
|
||||
mta_read_config(initrc_t)
|
||||
mta_dontaudit_read_spool_symlinks(initrc_t)
|
||||
')
|
||||
|
|
@ -26483,7 +26554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
|||
|
||||
optional_policy(`
|
||||
ifdef(`distro_redhat',`
|
||||
@@ -705,6 +754,9 @@
|
||||
@@ -705,6 +748,9 @@
|
||||
|
||||
# why is this needed:
|
||||
rpm_manage_db(initrc_t)
|
||||
|
|
@ -26493,7 +26564,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -717,9 +769,11 @@
|
||||
@@ -717,9 +763,11 @@
|
||||
squid_manage_logs(initrc_t)
|
||||
')
|
||||
|
||||
|
|
@ -26508,7 +26579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -738,6 +792,11 @@
|
||||
@@ -738,6 +786,11 @@
|
||||
uml_setattr_util_sockets(initrc_t)
|
||||
')
|
||||
|
||||
|
|
@ -26520,7 +26591,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
|||
optional_policy(`
|
||||
unconfined_domain(initrc_t)
|
||||
|
||||
@@ -752,6 +811,10 @@
|
||||
@@ -752,6 +805,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -26531,7 +26602,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
|||
vmware_read_system_config(initrc_t)
|
||||
vmware_append_system_config(initrc_t)
|
||||
')
|
||||
@@ -774,3 +837,4 @@
|
||||
@@ -774,3 +831,4 @@
|
||||
optional_policy(`
|
||||
zebra_read_config(initrc_t)
|
||||
')
|
||||
|
|
@ -26927,7 +26998,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.3.1/policy/modules/system/logging.te
|
||||
--- nsaserefpolicy/policy/modules/system/logging.te 2008-02-26 08:17:43.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/logging.te 2008-03-10 12:22:41.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/logging.te 2008-03-11 20:22:56.000000000 -0400
|
||||
@@ -61,10 +61,24 @@
|
||||
logging_log_file(var_log_t)
|
||||
files_mountpoint(var_log_t)
|
||||
|
|
@ -27007,15 +27078,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||
# manage temporary files
|
||||
manage_dirs_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
|
||||
manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
|
||||
@@ -327,6 +349,7 @@
|
||||
@@ -327,6 +349,8 @@
|
||||
# Allow users to define additional syslog ports to connect to
|
||||
corenet_tcp_bind_syslogd_port(syslogd_t)
|
||||
corenet_tcp_connect_syslogd_port(syslogd_t)
|
||||
+corenet_tcp_connect_postgresql_port(syslogd_t)
|
||||
+corenet_tcp_connect_mysqld_port(syslogd_t)
|
||||
|
||||
# syslog-ng can send or receive logs
|
||||
corenet_sendrecv_syslogd_client_packets(syslogd_t)
|
||||
@@ -344,14 +367,14 @@
|
||||
@@ -339,19 +363,20 @@
|
||||
domain_use_interactive_fds(syslogd_t)
|
||||
|
||||
files_read_etc_files(syslogd_t)
|
||||
+files_read_usr_files(syslogd_t)
|
||||
files_read_var_files(syslogd_t)
|
||||
files_read_etc_runtime_files(syslogd_t)
|
||||
# /initrd is not umounted before minilog starts
|
||||
files_dontaudit_search_isid_type_dirs(syslogd_t)
|
||||
|
||||
|
|
@ -27032,7 +27110,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||
miscfiles_read_localization(syslogd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
|
||||
@@ -380,15 +403,11 @@
|
||||
@@ -380,15 +405,11 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -27050,7 +27128,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -399,3 +418,37 @@
|
||||
@@ -399,3 +420,37 @@
|
||||
# log to the xconsole
|
||||
xserver_rw_console(syslogd_t)
|
||||
')
|
||||
|
|
@ -27088,9 +27166,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||
+logging_domtrans_audisp(auditd_t)
|
||||
+logging_audisp_signal(auditd_t)
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.3.1/policy/modules/system/lvm.fc
|
||||
--- nsaserefpolicy/policy/modules/system/lvm.fc 2007-12-12 11:35:28.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/lvm.fc 2008-03-11 18:59:24.000000000 -0400
|
||||
@@ -55,6 +55,7 @@
|
||||
/sbin/lvs -- gen_context(system_u:object_r:lvm_exec_t,s0)
|
||||
/sbin/lvscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
|
||||
/sbin/multipathd -- gen_context(system_u:object_r:lvm_exec_t,s0)
|
||||
+/sbin/multipath\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
|
||||
/sbin/pvchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
|
||||
/sbin/pvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0)
|
||||
/sbin/pvdata -- gen_context(system_u:object_r:lvm_exec_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.3.1/policy/modules/system/lvm.te
|
||||
--- nsaserefpolicy/policy/modules/system/lvm.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/lvm.te 2008-02-27 23:23:39.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/lvm.te 2008-03-11 19:04:42.000000000 -0400
|
||||
@@ -44,9 +44,9 @@
|
||||
# Cluster LVM daemon local policy
|
||||
#
|
||||
|
|
@ -27151,7 +27240,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
|
|||
|
||||
userdom_dontaudit_use_unpriv_user_fds(clvmd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(clvmd_t)
|
||||
@@ -146,7 +159,8 @@
|
||||
@@ -146,17 +159,19 @@
|
||||
|
||||
# DAC overrides and mknod for modifying /dev entries (vgmknodes)
|
||||
# rawio needed for dmraid
|
||||
|
|
@ -27161,7 +27250,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
|
|||
dontaudit lvm_t self:capability sys_tty_config;
|
||||
allow lvm_t self:process { sigchld sigkill sigstop signull signal };
|
||||
# LVM will complain a lot if it cannot set its priority.
|
||||
@@ -156,7 +170,8 @@
|
||||
allow lvm_t self:process setsched;
|
||||
allow lvm_t self:file rw_file_perms;
|
||||
-allow lvm_t self:fifo_file rw_file_perms;
|
||||
+allow lvm_t self:fifo_file manage_fifo_file_perms;
|
||||
allow lvm_t self:unix_dgram_socket create_socket_perms;
|
||||
allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
|
||||
|
|
@ -27634,8 +27726,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.f
|
|||
+/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.if serefpolicy-3.3.1/policy/modules/system/qemu.if
|
||||
--- nsaserefpolicy/policy/modules/system/qemu.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/qemu.if 2008-03-10 10:10:04.000000000 -0400
|
||||
@@ -0,0 +1,294 @@
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/qemu.if 2008-03-11 17:53:51.000000000 -0400
|
||||
@@ -0,0 +1,303 @@
|
||||
+
|
||||
+## <summary>policy for qemu</summary>
|
||||
+
|
||||
|
|
@ -27885,6 +27977,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i
|
|||
+ allow $1_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+ allow $1_t self:shm create_shm_perms;
|
||||
+
|
||||
+ allow $1_t $1_tmp_t:dir manage_dir_perms;
|
||||
+ allow $1_t $1_tmp_t:file manage_file_perms;
|
||||
+ files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
|
||||
+
|
||||
+ corenet_all_recvfrom_unlabeled($1_t)
|
||||
+ corenet_all_recvfrom_netlabel($1_t)
|
||||
+ corenet_tcp_sendrecv_all_if($1_t)
|
||||
|
|
@ -27903,6 +27999,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i
|
|||
+ files_read_var_files($1_t)
|
||||
+ files_search_all($1_t)
|
||||
+
|
||||
+ fs_list_inotify($1_t)
|
||||
+ fs_rw_anon_inodefs_files($1_t)
|
||||
+ fs_rw_tmpfs_files($1_t)
|
||||
+
|
||||
|
|
@ -27924,6 +28021,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i
|
|||
+ virt_read_config($1_t)
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ samba_domtrans_smb($1_t)
|
||||
+ ')
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ xserver_stream_connect_xdm_xserver($1_t)
|
||||
+ xserver_read_xdm_tmp_files($1_t)
|
||||
+ xserver_xdm_rw_shm($1_t)
|
||||
|
|
@ -28585,7 +28686,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setran
|
|||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.3.1/policy/modules/system/sysnetwork.if
|
||||
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2007-07-16 14:09:49.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.if 2008-03-06 11:55:26.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.if 2008-03-11 19:26:26.000000000 -0400
|
||||
@@ -145,6 +145,25 @@
|
||||
|
||||
########################################
|
||||
|
|
|
|||
Loading…
Reference in New Issue