- Update to upstream
parent
f0a56ee31d
commit
5a152bc135
1
.gitignore
vendored
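--- a/.gitignore
+++ b/.gitignore
@@ -226,3 +226,4 @@ serefpolicy*
 /serefpolicy-3.9.3.tgz
 /serefpolicy-3.9.4.tgz
 /serefpolicy-3.9.5.tgz
+/serefpolicy-3.9.7.tgz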
@ -344,10 +344,10 @@ index a2e9cb5..cec5c56 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
apache_exec_modules(certwatch_t)
|
apache_exec_modules(certwatch_t)
|
||||||
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
|
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
|
||||||
index a768511..c07eff8 100644
|
index 66fee7d..6ddebdb 100644
|
||||||
--- a/policy/modules/admin/consoletype.te
|
--- a/policy/modules/admin/consoletype.te
|
||||||
+++ b/policy/modules/admin/consoletype.te
|
+++ b/policy/modules/admin/consoletype.te
|
||||||
@@ -82,10 +82,7 @@ optional_policy(`
|
@@ -85,10 +85,7 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -1447,10 +1447,10 @@ index 3863241..5280124 100644
|
|||||||
xserver_dontaudit_write_log(shutdown_t)
|
xserver_dontaudit_write_log(shutdown_t)
|
||||||
')
|
')
|
||||||
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
|
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
|
||||||
index a0aa8c5..1b60ad8 100644
|
index 8c5fa3c..1a46f56 100644
|
||||||
--- a/policy/modules/admin/su.if
|
--- a/policy/modules/admin/su.if
|
||||||
+++ b/policy/modules/admin/su.if
|
+++ b/policy/modules/admin/su.if
|
||||||
@@ -212,7 +212,7 @@ template(`su_role_template',`
|
@@ -210,7 +210,7 @@ template(`su_role_template',`
|
||||||
|
|
||||||
auth_domtrans_chk_passwd($1_su_t)
|
auth_domtrans_chk_passwd($1_su_t)
|
||||||
auth_dontaudit_read_shadow($1_su_t)
|
auth_dontaudit_read_shadow($1_su_t)
|
||||||
@ -1459,7 +1459,7 @@ index a0aa8c5..1b60ad8 100644
|
|||||||
auth_rw_faillog($1_su_t)
|
auth_rw_faillog($1_su_t)
|
||||||
|
|
||||||
corecmd_search_bin($1_su_t)
|
corecmd_search_bin($1_su_t)
|
||||||
@@ -236,6 +236,7 @@ template(`su_role_template',`
|
@@ -234,6 +234,7 @@ template(`su_role_template',`
|
||||||
|
|
||||||
userdom_use_user_terminals($1_su_t)
|
userdom_use_user_terminals($1_su_t)
|
||||||
userdom_search_user_home_dirs($1_su_t)
|
userdom_search_user_home_dirs($1_su_t)
|
||||||
@ -1477,7 +1477,7 @@ index 7bddc02..2b59ed0 100644
|
|||||||
+
|
+
|
||||||
+/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0)
|
+/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0)
|
||||||
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
|
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
|
||||||
index 5f44f1b..bb95e79 100644
|
index 975af1a..30a7f38 100644
|
||||||
--- a/policy/modules/admin/sudo.if
|
--- a/policy/modules/admin/sudo.if
|
||||||
+++ b/policy/modules/admin/sudo.if
|
+++ b/policy/modules/admin/sudo.if
|
||||||
@@ -32,6 +32,7 @@ template(`sudo_role_template',`
|
@@ -32,6 +32,7 @@ template(`sudo_role_template',`
|
||||||
@ -1505,10 +1505,10 @@ index 5f44f1b..bb95e79 100644
|
|||||||
+ userdom_domtrans_user_home($1_sudo_t, $3)
|
+ userdom_domtrans_user_home($1_sudo_t, $3)
|
||||||
+ userdom_domtrans_user_tmp($1_sudo_t, $3)
|
+ userdom_domtrans_user_tmp($1_sudo_t, $3)
|
||||||
allow $3 $1_sudo_t:fd use;
|
allow $3 $1_sudo_t:fd use;
|
||||||
allow $3 $1_sudo_t:fifo_file rw_file_perms;
|
allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
|
||||||
allow $3 $1_sudo_t:process signal_perms;
|
allow $3 $1_sudo_t:process signal_perms;
|
||||||
@@ -111,12 +117,15 @@ template(`sudo_role_template',`
|
@@ -113,12 +119,15 @@ template(`sudo_role_template',`
|
||||||
|
term_getattr_pty_fs($1_sudo_t)
|
||||||
term_relabel_all_ttys($1_sudo_t)
|
term_relabel_all_ttys($1_sudo_t)
|
||||||
term_relabel_all_ptys($1_sudo_t)
|
term_relabel_all_ptys($1_sudo_t)
|
||||||
+ term_getattr_pty_fs($1_sudo_t)
|
+ term_getattr_pty_fs($1_sudo_t)
|
||||||
@ -1523,7 +1523,7 @@ index 5f44f1b..bb95e79 100644
|
|||||||
init_rw_utmp($1_sudo_t)
|
init_rw_utmp($1_sudo_t)
|
||||||
|
|
||||||
logging_send_audit_msgs($1_sudo_t)
|
logging_send_audit_msgs($1_sudo_t)
|
||||||
@@ -133,13 +142,18 @@ template(`sudo_role_template',`
|
@@ -135,13 +144,18 @@ template(`sudo_role_template',`
|
||||||
userdom_manage_user_tmp_files($1_sudo_t)
|
userdom_manage_user_tmp_files($1_sudo_t)
|
||||||
userdom_manage_user_tmp_symlinks($1_sudo_t)
|
userdom_manage_user_tmp_symlinks($1_sudo_t)
|
||||||
userdom_use_user_terminals($1_sudo_t)
|
userdom_use_user_terminals($1_sudo_t)
|
||||||
@ -1544,7 +1544,7 @@ index 5f44f1b..bb95e79 100644
|
|||||||
fs_manage_nfs_files($1_sudo_t)
|
fs_manage_nfs_files($1_sudo_t)
|
||||||
')
|
')
|
||||||
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
|
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
|
||||||
index c368bdc..c927b85 100644
|
index 91944a8..d1c11b9 100644
|
||||||
--- a/policy/modules/admin/sudo.te
|
--- a/policy/modules/admin/sudo.te
|
||||||
+++ b/policy/modules/admin/sudo.te
|
+++ b/policy/modules/admin/sudo.te
|
||||||
@@ -7,3 +7,7 @@ attribute sudodomain;
|
@@ -7,3 +7,7 @@ attribute sudodomain;
|
||||||
@ -1555,14 +1555,6 @@ index c368bdc..c927b85 100644
|
|||||||
+type sudo_db_t;
|
+type sudo_db_t;
|
||||||
+files_type(sudo_db_t)
|
+files_type(sudo_db_t)
|
||||||
+
|
+
|
||||||
diff --git a/policy/modules/admin/tmpreaper.fc b/policy/modules/admin/tmpreaper.fc
|
|
||||||
index 81077db..8208e86 100644
|
|
||||||
--- a/policy/modules/admin/tmpreaper.fc
|
|
||||||
+++ b/policy/modules/admin/tmpreaper.fc
|
|
||||||
@@ -1,2 +1,3 @@
|
|
||||||
/usr/sbin/tmpreaper -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
|
|
||||||
/usr/sbin/tmpwatch -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
|
|
||||||
+/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
|
|
||||||
diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
|
diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
|
||||||
index 6a5004b..c59c3cd 100644
|
index 6a5004b..c59c3cd 100644
|
||||||
--- a/policy/modules/admin/tmpreaper.te
|
--- a/policy/modules/admin/tmpreaper.te
|
||||||
@ -7636,10 +7628,10 @@ index 3b2da10..7c29e17 100644
|
|||||||
+#
|
+#
|
||||||
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
|
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
|
||||||
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
|
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
|
||||||
index 8b09281..3fb8756 100644
|
index 99482ca..8d34173 100644
|
||||||
--- a/policy/modules/kernel/devices.if
|
--- a/policy/modules/kernel/devices.if
|
||||||
+++ b/policy/modules/kernel/devices.if
|
+++ b/policy/modules/kernel/devices.if
|
||||||
@@ -318,6 +318,24 @@ interface(`dev_dontaudit_getattr_generic_files',`
|
@@ -336,6 +336,24 @@ interface(`dev_dontaudit_getattr_generic_files',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -7664,7 +7656,7 @@ index 8b09281..3fb8756 100644
|
|||||||
## Read and write generic files in /dev.
|
## Read and write generic files in /dev.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -498,6 +516,24 @@ interface(`dev_getattr_generic_chr_files',`
|
@@ -516,6 +534,24 @@ interface(`dev_getattr_generic_chr_files',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -7689,7 +7681,7 @@ index 8b09281..3fb8756 100644
|
|||||||
## Dontaudit getattr for generic character device files.
|
## Dontaudit getattr for generic character device files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -534,6 +570,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',`
|
@@ -552,6 +588,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -7714,7 +7706,7 @@ index 8b09281..3fb8756 100644
|
|||||||
## Read and write generic character device files.
|
## Read and write generic character device files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -552,6 +606,24 @@ interface(`dev_rw_generic_chr_files',`
|
@@ -570,6 +624,24 @@ interface(`dev_rw_generic_chr_files',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -7739,7 +7731,7 @@ index 8b09281..3fb8756 100644
|
|||||||
## Dontaudit attempts to read/write generic character device files.
|
## Dontaudit attempts to read/write generic character device files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -661,6 +733,24 @@ interface(`dev_delete_generic_symlinks',`
|
@@ -679,6 +751,24 @@ interface(`dev_delete_generic_symlinks',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -7764,7 +7756,7 @@ index 8b09281..3fb8756 100644
|
|||||||
## Create, delete, read, and write symbolic links in device directories.
|
## Create, delete, read, and write symbolic links in device directories.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -1070,6 +1160,42 @@ interface(`dev_create_all_chr_files',`
|
@@ -1088,6 +1178,42 @@ interface(`dev_create_all_chr_files',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -7807,7 +7799,7 @@ index 8b09281..3fb8756 100644
|
|||||||
## Delete all block device files.
|
## Delete all block device files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -1332,6 +1458,24 @@ interface(`dev_getattr_autofs_dev',`
|
@@ -1350,6 +1476,24 @@ interface(`dev_getattr_autofs_dev',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -7832,7 +7824,7 @@ index 8b09281..3fb8756 100644
|
|||||||
## Do not audit attempts to get the attributes of
|
## Do not audit attempts to get the attributes of
|
||||||
## the autofs device node.
|
## the autofs device node.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -3595,6 +3739,24 @@ interface(`dev_manage_smartcard',`
|
@@ -3613,6 +3757,24 @@ interface(`dev_manage_smartcard',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -7857,7 +7849,7 @@ index 8b09281..3fb8756 100644
|
|||||||
## Get the attributes of sysfs directories.
|
## Get the attributes of sysfs directories.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -3737,6 +3899,24 @@ interface(`dev_rw_sysfs',`
|
@@ -3755,6 +3917,24 @@ interface(`dev_rw_sysfs',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -7882,7 +7874,7 @@ index 8b09281..3fb8756 100644
|
|||||||
## Read from pseudo random number generator devices (e.g., /dev/urandom).
|
## Read from pseudo random number generator devices (e.g., /dev/urandom).
|
||||||
## </summary>
|
## </summary>
|
||||||
## <desc>
|
## <desc>
|
||||||
@@ -3906,6 +4086,24 @@ interface(`dev_read_usbmon_dev',`
|
@@ -3924,6 +4104,24 @@ interface(`dev_read_usbmon_dev',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -7907,7 +7899,7 @@ index 8b09281..3fb8756 100644
|
|||||||
## Mount a usbfs filesystem.
|
## Mount a usbfs filesystem.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -4216,11 +4414,10 @@ interface(`dev_write_video_dev',`
|
@@ -4234,11 +4432,10 @@ interface(`dev_write_video_dev',`
|
||||||
#
|
#
|
||||||
interface(`dev_rw_vhost',`
|
interface(`dev_rw_vhost',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -7922,7 +7914,7 @@ index 8b09281..3fb8756 100644
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
|
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
|
||||||
index eb9c360..20c2d34 100644
|
index 7047f2f..ef76289 100644
|
||||||
--- a/policy/modules/kernel/devices.te
|
--- a/policy/modules/kernel/devices.te
|
||||||
+++ b/policy/modules/kernel/devices.te
|
+++ b/policy/modules/kernel/devices.te
|
||||||
@@ -102,6 +102,7 @@ dev_node(ksm_device_t)
|
@@ -102,6 +102,7 @@ dev_node(ksm_device_t)
|
||||||
@ -18206,7 +18198,7 @@ index e182bf4..f80e725 100644
|
|||||||
snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
|
snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
|
||||||
snmp_stream_connect(cyrus_t)
|
snmp_stream_connect(cyrus_t)
|
||||||
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
|
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
|
||||||
index 39e901a..74fa3d6 100644
|
index 0d5711c..ea74262 100644
|
||||||
--- a/policy/modules/services/dbus.if
|
--- a/policy/modules/services/dbus.if
|
||||||
+++ b/policy/modules/services/dbus.if
|
+++ b/policy/modules/services/dbus.if
|
||||||
@@ -41,9 +41,9 @@ interface(`dbus_stub',`
|
@@ -41,9 +41,9 @@ interface(`dbus_stub',`
|
||||||
@ -18328,7 +18320,7 @@ index 39e901a..74fa3d6 100644
|
|||||||
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
|
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
@@ -479,3 +503,22 @@ interface(`dbus_unconfined',`
|
@@ -497,3 +521,22 @@ interface(`dbus_unconfined',`
|
||||||
|
|
||||||
typeattribute $1 dbusd_unconfined;
|
typeattribute $1 dbusd_unconfined;
|
||||||
')
|
')
|
||||||
@ -18352,7 +18344,7 @@ index 39e901a..74fa3d6 100644
|
|||||||
+ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
|
+ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
|
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
|
||||||
index b354128..d9416fc 100644
|
index 9ce6713..ea78dc1 100644
|
||||||
--- a/policy/modules/services/dbus.te
|
--- a/policy/modules/services/dbus.te
|
||||||
+++ b/policy/modules/services/dbus.te
|
+++ b/policy/modules/services/dbus.te
|
||||||
@@ -74,9 +74,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
|
@@ -74,9 +74,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
|
||||||
@ -38418,7 +38410,7 @@ index 9775375..b338481 100644
|
|||||||
#
|
#
|
||||||
# /var
|
# /var
|
||||||
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
|
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
|
||||||
index 8419a01..5865dba 100644
|
index df3fa64..73dc579 100644
|
||||||
--- a/policy/modules/system/init.if
|
--- a/policy/modules/system/init.if
|
||||||
+++ b/policy/modules/system/init.if
|
+++ b/policy/modules/system/init.if
|
||||||
@@ -105,7 +105,11 @@ interface(`init_domain',`
|
@@ -105,7 +105,11 @@ interface(`init_domain',`
|
||||||
@ -38669,7 +38661,7 @@ index 8419a01..5865dba 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1356,6 +1447,27 @@ interface(`init_dbus_send_script',`
|
@@ -1374,6 +1465,27 @@ interface(`init_dbus_send_script',`
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Send and receive messages from
|
## Send and receive messages from
|
||||||
@ -38697,7 +38689,7 @@ index 8419a01..5865dba 100644
|
|||||||
## init scripts over dbus.
|
## init scripts over dbus.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -1442,6 +1554,25 @@ interface(`init_getattr_script_status_files',`
|
@@ -1460,6 +1572,25 @@ interface(`init_getattr_script_status_files',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -38723,7 +38715,7 @@ index 8419a01..5865dba 100644
|
|||||||
## Do not audit attempts to read init script
|
## Do not audit attempts to read init script
|
||||||
## status files.
|
## status files.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -1655,7 +1786,7 @@ interface(`init_dontaudit_rw_utmp',`
|
@@ -1673,7 +1804,7 @@ interface(`init_dontaudit_rw_utmp',`
|
||||||
type initrc_var_run_t;
|
type initrc_var_run_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -38732,7 +38724,7 @@ index 8419a01..5865dba 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1730,3 +1861,74 @@ interface(`init_udp_recvfrom_all_daemons',`
|
@@ -1748,3 +1879,74 @@ interface(`init_udp_recvfrom_all_daemons',`
|
||||||
')
|
')
|
||||||
corenet_udp_recvfrom_labeled($1, daemon)
|
corenet_udp_recvfrom_labeled($1, daemon)
|
||||||
')
|
')
|
||||||
@ -38808,7 +38800,7 @@ index 8419a01..5865dba 100644
|
|||||||
+ allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
|
+ allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
||||||
index 698c11e..63030ba 100644
|
index 8a105fd..e858520 100644
|
||||||
--- a/policy/modules/system/init.te
|
--- a/policy/modules/system/init.te
|
||||||
+++ b/policy/modules/system/init.te
|
+++ b/policy/modules/system/init.te
|
||||||
@@ -16,6 +16,27 @@ gen_require(`
|
@@ -16,6 +16,27 @@ gen_require(`
|
||||||
@ -46909,7 +46901,7 @@ index 22ca011..df6b5de 100644
|
|||||||
|
|
||||||
#
|
#
|
||||||
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
|
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
|
||||||
index b785e35..d9b0868 100644
|
index effb6c5..a903444 100644
|
||||||
--- a/policy/support/obj_perm_sets.spt
|
--- a/policy/support/obj_perm_sets.spt
|
||||||
+++ b/policy/support/obj_perm_sets.spt
|
+++ b/policy/support/obj_perm_sets.spt
|
||||||
@@ -28,7 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
|
@@ -28,7 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
|
||||||
@ -46996,13 +46988,11 @@ index b785e35..d9b0868 100644
|
|||||||
define(`create_chr_file_perms',`{ getattr create }')
|
define(`create_chr_file_perms',`{ getattr create }')
|
||||||
define(`rename_chr_file_perms',`{ getattr rename }')
|
define(`rename_chr_file_perms',`{ getattr rename }')
|
||||||
define(`delete_chr_file_perms',`{ getattr unlink }')
|
define(`delete_chr_file_perms',`{ getattr unlink }')
|
||||||
@@ -305,7 +311,8 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
|
@@ -306,6 +312,7 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
|
||||||
#
|
|
||||||
# Use (read and write) terminals
|
# Use (read and write) terminals
|
||||||
#
|
#
|
||||||
-define(`rw_term_perms', `{ getattr open read write ioctl }')
|
define(`rw_term_perms', `{ getattr open read write append ioctl }')
|
||||||
+define(`rw_inherited_term_perms', `{ getattr open read write ioctl append }')
|
+define(`rw_inherited_term_perms', `{ rw_term_perms -open }')
|
||||||
+define(`rw_term_perms', `{ open rw_inherited_term_perms }')
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Sockets
|
# Sockets
|
||||||
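Review bot: The new definition of rw_inherited_term_perms in the obj_perm_sets.spt hunk relies on set subtraction inside a permission set, which is worth verifying before this ships. After m4 expansion the added line becomes `{ { getattr open read write append ioctl } -open }`, and I cannot tell from this page whether the policy compiler honours `-` for permissions the way it does for types; if it does not, domains meant to use only inherited terminal descriptors would still be allowed `open`. Listing the permissions explicitly without open (getattr read write append ioctl) removes the doubt, and a query of the built policy for a domain that uses rw_inherited_term_perms would confirm the result. Separately, the sudo.if hunk now shows `term_getattr_pty_fs($1_sudo_t)` as a context line and still adds it again as a `+` line, so the added line looks droppable.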
|
@ -20,8 +20,8 @@
|
|||||||
%define CHECKPOLICYVER 2.0.21-1
|
%define CHECKPOLICYVER 2.0.21-1
|
||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.9.6
|
Version: 3.9.7
|
||||||
Release: 3%{?dist}
|
Release: 1%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -470,6 +470,9 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Oct 12 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-1
|
||||||
|
- Update to upstream
|
||||||
|
|
||||||
* Tue Oct 12 2010 Dan Walsh <dwalsh@redhat.com> 3.9.6-3
|
* Tue Oct 12 2010 Dan Walsh <dwalsh@redhat.com> 3.9.6-3
|
||||||
-Mount command from a confined user generates setattr on /etc/mtab file, need to dontaudit this access
|
-Mount command from a confined user generates setattr on /etc/mtab file, need to dontaudit this access
|
||||||
- dovecot-auth_t needs ipc_lock
|
- dovecot-auth_t needs ipc_lock
|
||||||
|