- Dontaudit attempts by xdm_t to write to bin_t for kdm
- Allow initrc_t to manage system_conf_t
parent
7c487e9739
commit
5ae8fb66d8
248
policy-F14.patch
248
policy-F14.patch
@ -3701,7 +3701,7 @@ index 9a6d67d..47aa143 100644
|
|||||||
## mozilla over dbus.
|
## mozilla over dbus.
|
||||||
## </summary>
|
## </summary>
|
||||||
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
|
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
|
||||||
index cbf4bec..001dc99 100644
|
index cbf4bec..3ecd99b 100644
|
||||||
--- a/policy/modules/apps/mozilla.te
|
--- a/policy/modules/apps/mozilla.te
|
||||||
+++ b/policy/modules/apps/mozilla.te
|
+++ b/policy/modules/apps/mozilla.te
|
||||||
@@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
|
@@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
|
||||||
@ -3774,7 +3774,7 @@ index cbf4bec..001dc99 100644
|
|||||||
pulseaudio_exec(mozilla_t)
|
pulseaudio_exec(mozilla_t)
|
||||||
pulseaudio_stream_connect(mozilla_t)
|
pulseaudio_stream_connect(mozilla_t)
|
||||||
pulseaudio_manage_home_files(mozilla_t)
|
pulseaudio_manage_home_files(mozilla_t)
|
||||||
@@ -266,3 +291,105 @@ optional_policy(`
|
@@ -266,3 +291,108 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
thunderbird_domtrans(mozilla_t)
|
thunderbird_domtrans(mozilla_t)
|
||||||
')
|
')
|
||||||
@ -3833,6 +3833,8 @@ index cbf4bec..001dc99 100644
|
|||||||
+miscfiles_read_localization(mozilla_plugin_t)
|
+miscfiles_read_localization(mozilla_plugin_t)
|
||||||
+miscfiles_read_fonts(mozilla_plugin_t)
|
+miscfiles_read_fonts(mozilla_plugin_t)
|
||||||
+
|
+
|
||||||
|
+sysnet_dns_name_resolve(mozilla_plugin_t)
|
||||||
|
+
|
||||||
+term_getattr_all_ttys(mozilla_plugin_t)
|
+term_getattr_all_ttys(mozilla_plugin_t)
|
||||||
+term_getattr_all_ptys(mozilla_plugin_t)
|
+term_getattr_all_ptys(mozilla_plugin_t)
|
||||||
+
|
+
|
||||||
@ -3858,7 +3860,7 @@ index cbf4bec..001dc99 100644
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ gnome_manage_home_config(mozilla_plugin_t)
|
+ gnome_manage_config(mozilla_plugin_t)
|
||||||
+ gnome_setattr_home_config(mozilla_plugin_t)
|
+ gnome_setattr_home_config(mozilla_plugin_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
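Review bot: `gnome_manage_config(mozilla_plugin_t)` replaces `gnome_manage_home_config(mozilla_plugin_t)`, and the dropped `_home_` suggests the new interface may cover more than per-user configuration; the interface body is not on the page, so whether this widens what the plugin domain can write cannot be confirmed here. If it is only an interface rename with the same scope, a short comment such as `# gnome_manage_config: per-user gnome config under the home dir (renamed from gnome_manage_home_config)` would save the next reader the same check. If it instead grants system-wide gnome configuration management, that is more than a browser plugin domain needs and the narrower interface should be preferred.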
@ -3872,6 +3874,7 @@ index cbf4bec..001dc99 100644
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
|
+ pulseaudio_setattr_home_dir(mozilla_plugin_t)
|
||||||
+ pulseaudio_rw_home_files(mozilla_plugin_t)
|
+ pulseaudio_rw_home_files(mozilla_plugin_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
@ -4424,7 +4427,7 @@ index 0000000..4dbb161
|
|||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
|
diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..7bc0dcf
|
index 0000000..4e8a49e
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/apps/nsplugin.te
|
+++ b/policy/modules/apps/nsplugin.te
|
||||||
@@ -0,0 +1,310 @@
|
@@ -0,0 +1,310 @@
|
||||||
@ -4491,10 +4494,10 @@ index 0000000..7bc0dcf
|
|||||||
+allow nsplugin_t self:shm create_shm_perms;
|
+allow nsplugin_t self:shm create_shm_perms;
|
||||||
+allow nsplugin_t self:msgq create_msgq_perms;
|
+allow nsplugin_t self:msgq create_msgq_perms;
|
||||||
+allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
+allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||||
+allow nsplugin_t self:unix_dgram_socket create_socket_perms;
|
+allow nsplugin_t self:unix_dgram_socket { sendto create_socket_perms };
|
||||||
+allow nsplugin_t nsplugin_rw_t:dir list_dir_perms;
|
+allow nsplugin_t nsplugin_rw_t:dir list_dir_perms;
|
||||||
+read_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
|
+read_lnk_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
|
||||||
+read_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
|
+read_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
|
||||||
+
|
+
|
||||||
+tunable_policy(`allow_nsplugin_execmem',`
|
+tunable_policy(`allow_nsplugin_execmem',`
|
||||||
+ allow nsplugin_t self:process { execstack execmem };
|
+ allow nsplugin_t self:process { execstack execmem };
|
||||||
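Review bot: The corrected `read_lnk_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)` and `read_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)` lines replace the `nsplugin_config_t` versions rather than sit beside them, so in the new patch `nsplugin_config_t` loses read access to `nsplugin_rw_t`. If the old subject was simply a typo that is the right fix; if the config domain does read that directory, the two original lines should be kept as well — this cannot be confirmed from the page. The added `sendto` on `self:unix_dgram_socket` is consistent with the `connectto` already granted on the stream socket on the line above it.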
@ -6981,7 +6984,7 @@ index 82842a0..369c3b5 100644
|
|||||||
dbus_system_bus_client($1_wm_t)
|
dbus_system_bus_client($1_wm_t)
|
||||||
dbus_session_bus_client($1_wm_t)
|
dbus_session_bus_client($1_wm_t)
|
||||||
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
|
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
|
||||||
index 0eb1d97..794a0eb 100644
|
index 0eb1d97..38d675c 100644
|
||||||
--- a/policy/modules/kernel/corecommands.fc
|
--- a/policy/modules/kernel/corecommands.fc
|
||||||
+++ b/policy/modules/kernel/corecommands.fc
|
+++ b/policy/modules/kernel/corecommands.fc
|
||||||
@@ -9,8 +9,11 @@
|
@@ -9,8 +9,11 @@
|
||||||
@ -6996,7 +6999,16 @@ index 0eb1d97..794a0eb 100644
|
|||||||
/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
|
/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||||
|
|
||||||
#
|
#
|
||||||
@@ -101,6 +104,9 @@ ifdef(`distro_redhat',`
|
@@ -71,6 +74,8 @@ ifdef(`distro_redhat',`
|
||||||
|
|
||||||
|
/etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
|
||||||
|
+/etc/PackageKit/events(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
+
|
||||||
|
/etc/pm/power\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
/etc/pm/sleep\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
|
||||||
|
@@ -101,6 +106,9 @@ ifdef(`distro_redhat',`
|
||||||
/etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0)
|
/etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/etc/X11/xinit(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/etc/X11/xinit(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
|
||||||
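Review bot: `/etc/PackageKit/events(/.*)? gen_context(system_u:object_r:bin_t,s0)` labels a directory under /etc as executable content, which lets every domain granted `corecmd_exec_bin` run whatever lands there, yet the entry carries no note of which consumer needs it. A one-line comment above it, `# PackageKit event hooks are run as scripts; labeled bin_t so the invoking daemon may execute them`, would record the intent (the invoking domain is presumably PackageKit's own — confirm). Because bin_t is executable by many domains, it is also worth checking that the directory is root-owned and not writable by unprivileged domains before shipping the label.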
@ -7006,7 +7018,7 @@ index 0eb1d97..794a0eb 100644
|
|||||||
/etc/profile.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/etc/profile.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
/etc/xen/qemu-ifup -- gen_context(system_u:object_r:bin_t,s0)
|
/etc/xen/qemu-ifup -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/etc/xen/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/etc/xen/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
@@ -109,6 +115,8 @@ ifdef(`distro_debian',`
|
@@ -109,6 +117,8 @@ ifdef(`distro_debian',`
|
||||||
/etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0)
|
/etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -7015,7 +7027,7 @@ index 0eb1d97..794a0eb 100644
|
|||||||
#
|
#
|
||||||
# /lib
|
# /lib
|
||||||
#
|
#
|
||||||
@@ -126,6 +134,8 @@ ifdef(`distro_gentoo',`
|
@@ -126,6 +136,8 @@ ifdef(`distro_gentoo',`
|
||||||
/lib/rcscripts/net\.modules\.d/helpers\.d/dhclient-.* -- gen_context(system_u:object_r:bin_t,s0)
|
/lib/rcscripts/net\.modules\.d/helpers\.d/dhclient-.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
|
/lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
')
|
')
|
||||||
@ -7024,7 +7036,7 @@ index 0eb1d97..794a0eb 100644
|
|||||||
|
|
||||||
#
|
#
|
||||||
# /sbin
|
# /sbin
|
||||||
@@ -145,6 +155,12 @@ ifdef(`distro_gentoo',`
|
@@ -145,6 +157,12 @@ ifdef(`distro_gentoo',`
|
||||||
|
|
||||||
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
|
||||||
@ -7037,7 +7049,7 @@ index 0eb1d97..794a0eb 100644
|
|||||||
ifdef(`distro_gentoo',`
|
ifdef(`distro_gentoo',`
|
||||||
/opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0)
|
/opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
/opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
@@ -169,6 +185,7 @@ ifdef(`distro_gentoo',`
|
@@ -169,6 +187,7 @@ ifdef(`distro_gentoo',`
|
||||||
/usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
@ -7045,7 +7057,7 @@ index 0eb1d97..794a0eb 100644
|
|||||||
/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
@@ -205,7 +222,8 @@ ifdef(`distro_gentoo',`
|
@@ -205,7 +224,8 @@ ifdef(`distro_gentoo',`
|
||||||
/usr/lib(64)?/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/usr/lib(64)?/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
|
||||||
/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
@ -7055,7 +7067,7 @@ index 0eb1d97..794a0eb 100644
|
|||||||
|
|
||||||
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
|
||||||
@@ -218,8 +236,11 @@ ifdef(`distro_gentoo',`
|
@@ -218,8 +238,11 @@ ifdef(`distro_gentoo',`
|
||||||
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||||
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||||
|
|
||||||
@ -7067,7 +7079,7 @@ index 0eb1d97..794a0eb 100644
|
|||||||
/usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/denyhosts/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/denyhosts/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/denyhosts/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/denyhosts/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
@@ -228,6 +249,8 @@ ifdef(`distro_gentoo',`
|
@@ -228,6 +251,8 @@ ifdef(`distro_gentoo',`
|
||||||
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
@ -7076,7 +7088,7 @@ index 0eb1d97..794a0eb 100644
|
|||||||
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
@@ -314,6 +337,7 @@ ifdef(`distro_redhat', `
|
@@ -314,6 +339,7 @@ ifdef(`distro_redhat', `
|
||||||
/usr/share/texmf/web2c/mktexdir -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/texmf/web2c/mktexdir -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/texmf/web2c/mktexnam -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/texmf/web2c/mktexnam -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/texmf/web2c/mktexupd -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/texmf/web2c/mktexupd -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
@ -7084,7 +7096,7 @@ index 0eb1d97..794a0eb 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`distro_suse', `
|
ifdef(`distro_suse', `
|
||||||
@@ -340,3 +364,27 @@ ifdef(`distro_suse', `
|
@@ -340,3 +366,27 @@ ifdef(`distro_suse', `
|
||||||
ifdef(`distro_suse',`
|
ifdef(`distro_suse',`
|
||||||
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
|
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
|
||||||
')
|
')
|
||||||
@ -7113,10 +7125,44 @@ index 0eb1d97..794a0eb 100644
|
|||||||
+/etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
+/etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
+/etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
+/etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
|
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
|
||||||
index 1cc7ef6..58b4e9d 100644
|
index 1cc7ef6..ae853de 100644
|
||||||
--- a/policy/modules/kernel/corecommands.if
|
--- a/policy/modules/kernel/corecommands.if
|
||||||
+++ b/policy/modules/kernel/corecommands.if
|
+++ b/policy/modules/kernel/corecommands.if
|
||||||
@@ -931,6 +931,7 @@ interface(`corecmd_exec_chroot',`
|
@@ -163,7 +163,7 @@ interface(`corecmd_list_bin',`
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
-## Do not auidt attempts to write bin directories.
|
||||||
|
+## Do not audit attempts to write bin directories.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
@@ -181,6 +181,24 @@ interface(`corecmd_dontaudit_write_bin_dirs',`
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
+## Do not audit attempts to write bin files.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain to not audit.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`corecmd_dontaudit_write_bin_files',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type bin_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ dontaudit $1 bin_t:file write;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
## Get the attributes of files in bin directories.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
@@ -931,6 +949,7 @@ interface(`corecmd_exec_chroot',`
|
||||||
|
|
||||||
read_lnk_files_pattern($1, bin_t, bin_t)
|
read_lnk_files_pattern($1, bin_t, bin_t)
|
||||||
can_exec($1, chroot_exec_t)
|
can_exec($1, chroot_exec_t)
|
||||||
@ -7124,7 +7170,7 @@ index 1cc7ef6..58b4e9d 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1030,6 +1031,7 @@ interface(`corecmd_manage_all_executables',`
|
@@ -1030,6 +1049,7 @@ interface(`corecmd_manage_all_executables',`
|
||||||
type bin_t;
|
type bin_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -31019,10 +31065,18 @@ index adea9f9..d5b2d93 100644
|
|||||||
|
|
||||||
init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
|
init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
|
||||||
diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
|
diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
|
||||||
index 4804f14..894f62d 100644
|
index 4804f14..6f49778 100644
|
||||||
--- a/policy/modules/services/smartmon.te
|
--- a/policy/modules/services/smartmon.te
|
||||||
+++ b/policy/modules/services/smartmon.te
|
+++ b/policy/modules/services/smartmon.te
|
||||||
@@ -82,6 +82,8 @@ mls_file_read_all_levels(fsdaemon_t)
|
@@ -72,6 +72,7 @@ files_exec_etc_files(fsdaemon_t)
|
||||||
|
files_read_etc_runtime_files(fsdaemon_t)
|
||||||
|
# for config
|
||||||
|
files_read_etc_files(fsdaemon_t)
|
||||||
|
+files_read_usr_files(fsdaemon_t)
|
||||||
|
|
||||||
|
fs_getattr_all_fs(fsdaemon_t)
|
||||||
|
fs_search_auto_mountpoints(fsdaemon_t)
|
||||||
|
@@ -82,6 +83,8 @@ mls_file_read_all_levels(fsdaemon_t)
|
||||||
storage_raw_read_fixed_disk(fsdaemon_t)
|
storage_raw_read_fixed_disk(fsdaemon_t)
|
||||||
storage_raw_write_fixed_disk(fsdaemon_t)
|
storage_raw_write_fixed_disk(fsdaemon_t)
|
||||||
storage_raw_read_removable_device(fsdaemon_t)
|
storage_raw_read_removable_device(fsdaemon_t)
|
||||||
@ -31913,7 +31967,7 @@ index 4b2230e..744b172 100644
|
|||||||
gen_tunable(squid_use_tproxy, false)
|
gen_tunable(squid_use_tproxy, false)
|
||||||
|
|
||||||
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
|
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
|
||||||
index 078bcd7..dd706b0 100644
|
index 078bcd7..06da5f7 100644
|
||||||
--- a/policy/modules/services/ssh.fc
|
--- a/policy/modules/services/ssh.fc
|
||||||
+++ b/policy/modules/services/ssh.fc
|
+++ b/policy/modules/services/ssh.fc
|
||||||
@@ -1,4 +1,9 @@
|
@@ -1,4 +1,9 @@
|
||||||
@ -31932,8 +31986,8 @@ index 078bcd7..dd706b0 100644
|
|||||||
/var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
|
/var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
|
||||||
+/var/run/sshd\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
|
+/var/run/sshd\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
|
||||||
+
|
+
|
||||||
+/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0)
|
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
|
||||||
+/root/\.shosts gen_context(system_u:object_r:home_ssh_t,s0)
|
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
|
||||||
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
|
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
|
||||||
index 22adaca..784c363 100644
|
index 22adaca..784c363 100644
|
||||||
--- a/policy/modules/services/ssh.if
|
--- a/policy/modules/services/ssh.if
|
||||||
@ -35796,7 +35850,7 @@ index da2601a..f963642 100644
|
|||||||
+ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
|
+ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
|
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
|
||||||
index e226da4..6c6f684 100644
|
index e226da4..69093aa 100644
|
||||||
--- a/policy/modules/services/xserver.te
|
--- a/policy/modules/services/xserver.te
|
||||||
+++ b/policy/modules/services/xserver.te
|
+++ b/policy/modules/services/xserver.te
|
||||||
@@ -26,27 +26,43 @@ gen_require(`
|
@@ -26,27 +26,43 @@ gen_require(`
|
||||||
@ -36222,7 +36276,7 @@ index e226da4..6c6f684 100644
|
|||||||
|
|
||||||
# connect to xdm xserver over stream socket
|
# connect to xdm xserver over stream socket
|
||||||
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
||||||
@@ -367,15 +502,22 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
@@ -367,18 +502,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
||||||
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
|
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
|
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
|
|
||||||
@ -36246,7 +36300,11 @@ index e226da4..6c6f684 100644
|
|||||||
|
|
||||||
corecmd_exec_shell(xdm_t)
|
corecmd_exec_shell(xdm_t)
|
||||||
corecmd_exec_bin(xdm_t)
|
corecmd_exec_bin(xdm_t)
|
||||||
@@ -390,18 +532,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
|
+corecmd_dontaudit_write_bin_files(xdm_t)
|
||||||
|
|
||||||
|
corenet_all_recvfrom_unlabeled(xdm_t)
|
||||||
|
corenet_all_recvfrom_netlabel(xdm_t)
|
||||||
|
@@ -390,18 +533,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
|
||||||
corenet_udp_sendrecv_all_ports(xdm_t)
|
corenet_udp_sendrecv_all_ports(xdm_t)
|
||||||
corenet_tcp_bind_generic_node(xdm_t)
|
corenet_tcp_bind_generic_node(xdm_t)
|
||||||
corenet_udp_bind_generic_node(xdm_t)
|
corenet_udp_bind_generic_node(xdm_t)
|
||||||
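Review bot: `corecmd_dontaudit_write_bin_files(xdm_t)` is added without a comment, and the commit title is the only place recording that it exists for kdm. Because a dontaudit hides the denial, a misconfigured or compromised `xdm_t` attempting to modify files labeled bin_t will no longer leave an audit record, so the reason should sit next to the rule: `# kdm tries to write files labeled bin_t; the write stays denied, only the audit noise is suppressed`. The enclosing xdm_t rule block starts and ends outside the hunk.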
@ -36270,7 +36328,7 @@ index e226da4..6c6f684 100644
|
|||||||
dev_setattr_apm_bios_dev(xdm_t)
|
dev_setattr_apm_bios_dev(xdm_t)
|
||||||
dev_rw_dri(xdm_t)
|
dev_rw_dri(xdm_t)
|
||||||
dev_rw_agp(xdm_t)
|
dev_rw_agp(xdm_t)
|
||||||
@@ -410,18 +556,23 @@ dev_setattr_xserver_misc_dev(xdm_t)
|
@@ -410,18 +557,23 @@ dev_setattr_xserver_misc_dev(xdm_t)
|
||||||
dev_getattr_misc_dev(xdm_t)
|
dev_getattr_misc_dev(xdm_t)
|
||||||
dev_setattr_misc_dev(xdm_t)
|
dev_setattr_misc_dev(xdm_t)
|
||||||
dev_dontaudit_rw_misc(xdm_t)
|
dev_dontaudit_rw_misc(xdm_t)
|
||||||
@ -36297,7 +36355,7 @@ index e226da4..6c6f684 100644
|
|||||||
|
|
||||||
files_read_etc_files(xdm_t)
|
files_read_etc_files(xdm_t)
|
||||||
files_read_var_files(xdm_t)
|
files_read_var_files(xdm_t)
|
||||||
@@ -432,9 +583,17 @@ files_list_mnt(xdm_t)
|
@@ -432,9 +584,17 @@ files_list_mnt(xdm_t)
|
||||||
files_read_usr_files(xdm_t)
|
files_read_usr_files(xdm_t)
|
||||||
# Poweroff wants to create the /poweroff file when run from xdm
|
# Poweroff wants to create the /poweroff file when run from xdm
|
||||||
files_create_boot_flag(xdm_t)
|
files_create_boot_flag(xdm_t)
|
||||||
@ -36315,7 +36373,7 @@ index e226da4..6c6f684 100644
|
|||||||
|
|
||||||
storage_dontaudit_read_fixed_disk(xdm_t)
|
storage_dontaudit_read_fixed_disk(xdm_t)
|
||||||
storage_dontaudit_write_fixed_disk(xdm_t)
|
storage_dontaudit_write_fixed_disk(xdm_t)
|
||||||
@@ -443,28 +602,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
|
@@ -443,28 +603,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
|
||||||
storage_dontaudit_raw_write_removable_device(xdm_t)
|
storage_dontaudit_raw_write_removable_device(xdm_t)
|
||||||
storage_dontaudit_setattr_removable_dev(xdm_t)
|
storage_dontaudit_setattr_removable_dev(xdm_t)
|
||||||
storage_dontaudit_rw_scsi_generic(xdm_t)
|
storage_dontaudit_rw_scsi_generic(xdm_t)
|
||||||
@ -36354,7 +36412,7 @@ index e226da4..6c6f684 100644
|
|||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
|
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
|
||||||
userdom_create_all_users_keys(xdm_t)
|
userdom_create_all_users_keys(xdm_t)
|
||||||
@@ -473,9 +640,25 @@ userdom_read_user_home_content_files(xdm_t)
|
@@ -473,9 +641,25 @@ userdom_read_user_home_content_files(xdm_t)
|
||||||
# Search /proc for any user domain processes.
|
# Search /proc for any user domain processes.
|
||||||
userdom_read_all_users_state(xdm_t)
|
userdom_read_all_users_state(xdm_t)
|
||||||
userdom_signal_all_users(xdm_t)
|
userdom_signal_all_users(xdm_t)
|
||||||
@ -36380,7 +36438,7 @@ index e226da4..6c6f684 100644
|
|||||||
|
|
||||||
tunable_policy(`use_nfs_home_dirs',`
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
fs_manage_nfs_dirs(xdm_t)
|
fs_manage_nfs_dirs(xdm_t)
|
||||||
@@ -504,11 +687,17 @@ tunable_policy(`xdm_sysadm_login',`
|
@@ -504,11 +688,17 @@ tunable_policy(`xdm_sysadm_login',`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -36398,7 +36456,7 @@ index e226da4..6c6f684 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -516,12 +705,49 @@ optional_policy(`
|
@@ -516,12 +706,49 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -36448,7 +36506,7 @@ index e226da4..6c6f684 100644
|
|||||||
hostname_exec(xdm_t)
|
hostname_exec(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -539,28 +765,63 @@ optional_policy(`
|
@@ -539,28 +766,63 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -36521,7 +36579,7 @@ index e226da4..6c6f684 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -572,6 +833,10 @@ optional_policy(`
|
@@ -572,6 +834,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -36532,7 +36590,7 @@ index e226da4..6c6f684 100644
|
|||||||
xfs_stream_connect(xdm_t)
|
xfs_stream_connect(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -596,7 +861,7 @@ allow xserver_t input_xevent_t:x_event send;
|
@@ -596,7 +862,7 @@ allow xserver_t input_xevent_t:x_event send;
|
||||||
# execheap needed until the X module loader is fixed.
|
# execheap needed until the X module loader is fixed.
|
||||||
# NVIDIA Needs execstack
|
# NVIDIA Needs execstack
|
||||||
|
|
||||||
@ -36541,7 +36599,7 @@ index e226da4..6c6f684 100644
|
|||||||
dontaudit xserver_t self:capability chown;
|
dontaudit xserver_t self:capability chown;
|
||||||
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||||
allow xserver_t self:fd use;
|
allow xserver_t self:fd use;
|
||||||
@@ -610,6 +875,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
|
@@ -610,6 +876,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||||
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||||
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow xserver_t self:udp_socket create_socket_perms;
|
allow xserver_t self:udp_socket create_socket_perms;
|
||||||
@ -36556,7 +36614,7 @@ index e226da4..6c6f684 100644
|
|||||||
|
|
||||||
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
@@ -629,12 +902,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
@@ -629,12 +903,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||||
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||||
files_search_var_lib(xserver_t)
|
files_search_var_lib(xserver_t)
|
||||||
|
|
||||||
@ -36578,7 +36636,7 @@ index e226da4..6c6f684 100644
|
|||||||
|
|
||||||
kernel_read_system_state(xserver_t)
|
kernel_read_system_state(xserver_t)
|
||||||
kernel_read_device_sysctls(xserver_t)
|
kernel_read_device_sysctls(xserver_t)
|
||||||
@@ -642,6 +922,7 @@ kernel_read_modprobe_sysctls(xserver_t)
|
@@ -642,6 +923,7 @@ kernel_read_modprobe_sysctls(xserver_t)
|
||||||
# Xorg wants to check if kernel is tainted
|
# Xorg wants to check if kernel is tainted
|
||||||
kernel_read_kernel_sysctls(xserver_t)
|
kernel_read_kernel_sysctls(xserver_t)
|
||||||
kernel_write_proc_files(xserver_t)
|
kernel_write_proc_files(xserver_t)
|
||||||
@ -36586,7 +36644,7 @@ index e226da4..6c6f684 100644
|
|||||||
|
|
||||||
# Run helper programs in xserver_t.
|
# Run helper programs in xserver_t.
|
||||||
corecmd_exec_bin(xserver_t)
|
corecmd_exec_bin(xserver_t)
|
||||||
@@ -668,7 +949,6 @@ dev_rw_apm_bios(xserver_t)
|
@@ -668,7 +950,6 @@ dev_rw_apm_bios(xserver_t)
|
||||||
dev_rw_agp(xserver_t)
|
dev_rw_agp(xserver_t)
|
||||||
dev_rw_framebuffer(xserver_t)
|
dev_rw_framebuffer(xserver_t)
|
||||||
dev_manage_dri_dev(xserver_t)
|
dev_manage_dri_dev(xserver_t)
|
||||||
@ -36594,7 +36652,7 @@ index e226da4..6c6f684 100644
|
|||||||
dev_create_generic_dirs(xserver_t)
|
dev_create_generic_dirs(xserver_t)
|
||||||
dev_setattr_generic_dirs(xserver_t)
|
dev_setattr_generic_dirs(xserver_t)
|
||||||
# raw memory access is needed if not using the frame buffer
|
# raw memory access is needed if not using the frame buffer
|
||||||
@@ -678,8 +958,13 @@ dev_wx_raw_memory(xserver_t)
|
@@ -678,8 +959,13 @@ dev_wx_raw_memory(xserver_t)
|
||||||
dev_rw_xserver_misc(xserver_t)
|
dev_rw_xserver_misc(xserver_t)
|
||||||
# read events - the synaptics touchpad driver reads raw events
|
# read events - the synaptics touchpad driver reads raw events
|
||||||
dev_rw_input_dev(xserver_t)
|
dev_rw_input_dev(xserver_t)
|
||||||
@ -36608,7 +36666,7 @@ index e226da4..6c6f684 100644
|
|||||||
files_read_etc_files(xserver_t)
|
files_read_etc_files(xserver_t)
|
||||||
files_read_etc_runtime_files(xserver_t)
|
files_read_etc_runtime_files(xserver_t)
|
||||||
files_read_usr_files(xserver_t)
|
files_read_usr_files(xserver_t)
|
||||||
@@ -693,8 +978,13 @@ fs_getattr_xattr_fs(xserver_t)
|
@@ -693,8 +979,13 @@ fs_getattr_xattr_fs(xserver_t)
|
||||||
fs_search_nfs(xserver_t)
|
fs_search_nfs(xserver_t)
|
||||||
fs_search_auto_mountpoints(xserver_t)
|
fs_search_auto_mountpoints(xserver_t)
|
||||||
fs_search_ramfs(xserver_t)
|
fs_search_ramfs(xserver_t)
|
||||||
@ -36622,7 +36680,7 @@ index e226da4..6c6f684 100644
|
|||||||
|
|
||||||
selinux_validate_context(xserver_t)
|
selinux_validate_context(xserver_t)
|
||||||
selinux_compute_access_vector(xserver_t)
|
selinux_compute_access_vector(xserver_t)
|
||||||
@@ -716,11 +1006,14 @@ logging_send_audit_msgs(xserver_t)
|
@@ -716,11 +1007,14 @@ logging_send_audit_msgs(xserver_t)
|
||||||
|
|
||||||
miscfiles_read_localization(xserver_t)
|
miscfiles_read_localization(xserver_t)
|
||||||
miscfiles_read_fonts(xserver_t)
|
miscfiles_read_fonts(xserver_t)
|
||||||
@ -36637,7 +36695,7 @@ index e226da4..6c6f684 100644
|
|||||||
|
|
||||||
userdom_search_user_home_dirs(xserver_t)
|
userdom_search_user_home_dirs(xserver_t)
|
||||||
userdom_use_user_ttys(xserver_t)
|
userdom_use_user_ttys(xserver_t)
|
||||||
@@ -773,12 +1066,28 @@ optional_policy(`
|
@@ -773,12 +1067,28 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -36667,7 +36725,7 @@ index e226da4..6c6f684 100644
|
|||||||
unconfined_domtrans(xserver_t)
|
unconfined_domtrans(xserver_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -787,6 +1096,10 @@ optional_policy(`
|
@@ -787,6 +1097,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -36678,7 +36736,7 @@ index e226da4..6c6f684 100644
|
|||||||
xfs_stream_connect(xserver_t)
|
xfs_stream_connect(xserver_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -802,10 +1115,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
|
@@ -802,10 +1116,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
|
||||||
|
|
||||||
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
|
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
|
||||||
# handle of a file inside the dir!!!
|
# handle of a file inside the dir!!!
|
||||||
@ -36692,7 +36750,7 @@ index e226da4..6c6f684 100644
|
|||||||
|
|
||||||
# Label pid and temporary files with derived types.
|
# Label pid and temporary files with derived types.
|
||||||
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||||
@@ -813,7 +1126,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
@@ -813,7 +1127,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||||
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||||
|
|
||||||
# Run xkbcomp.
|
# Run xkbcomp.
|
||||||
@ -36701,7 +36759,7 @@ index e226da4..6c6f684 100644
|
|||||||
can_exec(xserver_t, xkb_var_lib_t)
|
can_exec(xserver_t, xkb_var_lib_t)
|
||||||
|
|
||||||
# VNC v4 module in X server
|
# VNC v4 module in X server
|
||||||
@@ -826,6 +1139,9 @@ init_use_fds(xserver_t)
|
@@ -826,6 +1140,9 @@ init_use_fds(xserver_t)
|
||||||
# to read ROLE_home_t - examine this in more detail
|
# to read ROLE_home_t - examine this in more detail
|
||||||
# (xauth?)
|
# (xauth?)
|
||||||
userdom_read_user_home_content_files(xserver_t)
|
userdom_read_user_home_content_files(xserver_t)
|
||||||
@ -36711,7 +36769,7 @@ index e226da4..6c6f684 100644
|
|||||||
|
|
||||||
tunable_policy(`use_nfs_home_dirs',`
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
fs_manage_nfs_dirs(xserver_t)
|
fs_manage_nfs_dirs(xserver_t)
|
||||||
@@ -841,11 +1157,14 @@ tunable_policy(`use_samba_home_dirs',`
|
@@ -841,11 +1158,14 @@ tunable_policy(`use_samba_home_dirs',`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_system_bus_client(xserver_t)
|
dbus_system_bus_client(xserver_t)
|
||||||
@ -36728,7 +36786,7 @@ index e226da4..6c6f684 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -853,6 +1172,10 @@ optional_policy(`
|
@@ -853,6 +1173,10 @@ optional_policy(`
|
||||||
rhgb_rw_tmpfs_files(xserver_t)
|
rhgb_rw_tmpfs_files(xserver_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -36739,7 +36797,7 @@ index e226da4..6c6f684 100644
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Rules common to all X window domains
|
# Rules common to all X window domains
|
||||||
@@ -896,7 +1219,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
|
@@ -896,7 +1220,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
|
||||||
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
|
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
|
||||||
# operations allowed on my windows
|
# operations allowed on my windows
|
||||||
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
||||||
@ -36748,7 +36806,7 @@ index e226da4..6c6f684 100644
|
|||||||
# operations allowed on all windows
|
# operations allowed on all windows
|
||||||
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
|
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
|
||||||
|
|
||||||
@@ -950,11 +1273,31 @@ allow x_domain self:x_resource { read write };
|
@@ -950,11 +1274,31 @@ allow x_domain self:x_resource { read write };
|
||||||
# can mess with the screensaver
|
# can mess with the screensaver
|
||||||
allow x_domain xserver_t:x_screen { getattr saver_getattr };
|
allow x_domain xserver_t:x_screen { getattr saver_getattr };
|
||||||
|
|
||||||
@ -36780,7 +36838,7 @@ index e226da4..6c6f684 100644
|
|||||||
tunable_policy(`! xserver_object_manager',`
|
tunable_policy(`! xserver_object_manager',`
|
||||||
# should be xserver_unconfined(x_domain),
|
# should be xserver_unconfined(x_domain),
|
||||||
# but typeattribute doesnt work in conditionals
|
# but typeattribute doesnt work in conditionals
|
||||||
@@ -976,18 +1319,32 @@ tunable_policy(`! xserver_object_manager',`
|
@@ -976,18 +1320,32 @@ tunable_policy(`! xserver_object_manager',`
|
||||||
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
|
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -38319,7 +38377,7 @@ index f6aafe7..666a58f 100644
|
|||||||
+ allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
|
+ allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
||||||
index 698c11e..00283ba 100644
|
index 698c11e..d17f2bf 100644
|
||||||
--- a/policy/modules/system/init.te
|
--- a/policy/modules/system/init.te
|
||||||
+++ b/policy/modules/system/init.te
|
+++ b/policy/modules/system/init.te
|
||||||
@@ -16,6 +16,27 @@ gen_require(`
|
@@ -16,6 +16,27 @@ gen_require(`
|
||||||
@ -38553,7 +38611,7 @@ index 698c11e..00283ba 100644
|
|||||||
|
|
||||||
can_exec(initrc_t, initrc_tmp_t)
|
can_exec(initrc_t, initrc_tmp_t)
|
||||||
manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
|
manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
|
||||||
@@ -258,11 +362,22 @@ kernel_change_ring_buffer_level(initrc_t)
|
@@ -258,11 +362,23 @@ kernel_change_ring_buffer_level(initrc_t)
|
||||||
kernel_clear_ring_buffer(initrc_t)
|
kernel_clear_ring_buffer(initrc_t)
|
||||||
kernel_get_sysvipc_info(initrc_t)
|
kernel_get_sysvipc_info(initrc_t)
|
||||||
kernel_read_all_sysctls(initrc_t)
|
kernel_read_all_sysctls(initrc_t)
|
||||||
@ -38570,13 +38628,14 @@ index 698c11e..00283ba 100644
|
|||||||
files_read_kernel_symbol_table(initrc_t)
|
files_read_kernel_symbol_table(initrc_t)
|
||||||
+files_exec_etc_files(initrc_t)
|
+files_exec_etc_files(initrc_t)
|
||||||
+files_manage_etc_symlinks(initrc_t)
|
+files_manage_etc_symlinks(initrc_t)
|
||||||
|
+files_manage_system_conf_files(initrc_t)
|
||||||
+
|
+
|
||||||
+fs_manage_tmpfs_dirs(initrc_t)
|
+fs_manage_tmpfs_dirs(initrc_t)
|
||||||
+fs_tmpfs_filetrans(initrc_t, initrc_state_t, file)
|
+fs_tmpfs_filetrans(initrc_t, initrc_state_t, file)
|
||||||
|
|
||||||
corecmd_exec_all_executables(initrc_t)
|
corecmd_exec_all_executables(initrc_t)
|
||||||
|
|
||||||
@@ -291,6 +406,7 @@ dev_read_sound_mixer(initrc_t)
|
@@ -291,6 +407,7 @@ dev_read_sound_mixer(initrc_t)
|
||||||
dev_write_sound_mixer(initrc_t)
|
dev_write_sound_mixer(initrc_t)
|
||||||
dev_setattr_all_chr_files(initrc_t)
|
dev_setattr_all_chr_files(initrc_t)
|
||||||
dev_rw_lvm_control(initrc_t)
|
dev_rw_lvm_control(initrc_t)
|
||||||
@ -38584,7 +38643,7 @@ index 698c11e..00283ba 100644
|
|||||||
dev_delete_lvm_control_dev(initrc_t)
|
dev_delete_lvm_control_dev(initrc_t)
|
||||||
dev_manage_generic_symlinks(initrc_t)
|
dev_manage_generic_symlinks(initrc_t)
|
||||||
dev_manage_generic_files(initrc_t)
|
dev_manage_generic_files(initrc_t)
|
||||||
@@ -298,13 +414,13 @@ dev_manage_generic_files(initrc_t)
|
@@ -298,13 +415,13 @@ dev_manage_generic_files(initrc_t)
|
||||||
dev_delete_generic_symlinks(initrc_t)
|
dev_delete_generic_symlinks(initrc_t)
|
||||||
dev_getattr_all_blk_files(initrc_t)
|
dev_getattr_all_blk_files(initrc_t)
|
||||||
dev_getattr_all_chr_files(initrc_t)
|
dev_getattr_all_chr_files(initrc_t)
|
||||||
@ -38600,7 +38659,7 @@ index 698c11e..00283ba 100644
|
|||||||
domain_sigchld_all_domains(initrc_t)
|
domain_sigchld_all_domains(initrc_t)
|
||||||
domain_read_all_domains_state(initrc_t)
|
domain_read_all_domains_state(initrc_t)
|
||||||
domain_getattr_all_domains(initrc_t)
|
domain_getattr_all_domains(initrc_t)
|
||||||
@@ -323,8 +439,10 @@ files_getattr_all_symlinks(initrc_t)
|
@@ -323,8 +440,10 @@ files_getattr_all_symlinks(initrc_t)
|
||||||
files_getattr_all_pipes(initrc_t)
|
files_getattr_all_pipes(initrc_t)
|
||||||
files_getattr_all_sockets(initrc_t)
|
files_getattr_all_sockets(initrc_t)
|
||||||
files_purge_tmp(initrc_t)
|
files_purge_tmp(initrc_t)
|
||||||
@ -38612,7 +38671,7 @@ index 698c11e..00283ba 100644
|
|||||||
files_delete_all_pids(initrc_t)
|
files_delete_all_pids(initrc_t)
|
||||||
files_delete_all_pid_dirs(initrc_t)
|
files_delete_all_pid_dirs(initrc_t)
|
||||||
files_read_etc_files(initrc_t)
|
files_read_etc_files(initrc_t)
|
||||||
@@ -340,8 +458,12 @@ files_list_isid_type_dirs(initrc_t)
|
@@ -340,8 +459,12 @@ files_list_isid_type_dirs(initrc_t)
|
||||||
files_mounton_isid_type_dirs(initrc_t)
|
files_mounton_isid_type_dirs(initrc_t)
|
||||||
files_list_default(initrc_t)
|
files_list_default(initrc_t)
|
||||||
files_mounton_default(initrc_t)
|
files_mounton_default(initrc_t)
|
||||||
@ -38626,7 +38685,7 @@ index 698c11e..00283ba 100644
|
|||||||
fs_list_inotifyfs(initrc_t)
|
fs_list_inotifyfs(initrc_t)
|
||||||
fs_register_binary_executable_type(initrc_t)
|
fs_register_binary_executable_type(initrc_t)
|
||||||
# rhgb-console writes to ramfs
|
# rhgb-console writes to ramfs
|
||||||
@@ -351,6 +473,8 @@ fs_mount_all_fs(initrc_t)
|
@@ -351,6 +474,8 @@ fs_mount_all_fs(initrc_t)
|
||||||
fs_unmount_all_fs(initrc_t)
|
fs_unmount_all_fs(initrc_t)
|
||||||
fs_remount_all_fs(initrc_t)
|
fs_remount_all_fs(initrc_t)
|
||||||
fs_getattr_all_fs(initrc_t)
|
fs_getattr_all_fs(initrc_t)
|
||||||
@ -38635,7 +38694,7 @@ index 698c11e..00283ba 100644
|
|||||||
|
|
||||||
# initrc_t needs to do a pidof which requires ptrace
|
# initrc_t needs to do a pidof which requires ptrace
|
||||||
mcs_ptrace_all(initrc_t)
|
mcs_ptrace_all(initrc_t)
|
||||||
@@ -363,6 +487,7 @@ mls_process_read_up(initrc_t)
|
@@ -363,6 +488,7 @@ mls_process_read_up(initrc_t)
|
||||||
mls_process_write_down(initrc_t)
|
mls_process_write_down(initrc_t)
|
||||||
mls_rangetrans_source(initrc_t)
|
mls_rangetrans_source(initrc_t)
|
||||||
mls_fd_share_all_levels(initrc_t)
|
mls_fd_share_all_levels(initrc_t)
|
||||||
@ -38643,7 +38702,7 @@ index 698c11e..00283ba 100644
|
|||||||
|
|
||||||
selinux_get_enforce_mode(initrc_t)
|
selinux_get_enforce_mode(initrc_t)
|
||||||
|
|
||||||
@@ -380,6 +505,7 @@ auth_read_pam_pid(initrc_t)
|
@@ -380,6 +506,7 @@ auth_read_pam_pid(initrc_t)
|
||||||
auth_delete_pam_pid(initrc_t)
|
auth_delete_pam_pid(initrc_t)
|
||||||
auth_delete_pam_console_data(initrc_t)
|
auth_delete_pam_console_data(initrc_t)
|
||||||
auth_use_nsswitch(initrc_t)
|
auth_use_nsswitch(initrc_t)
|
||||||
@ -38651,7 +38710,7 @@ index 698c11e..00283ba 100644
|
|||||||
|
|
||||||
libs_rw_ld_so_cache(initrc_t)
|
libs_rw_ld_so_cache(initrc_t)
|
||||||
libs_exec_lib_files(initrc_t)
|
libs_exec_lib_files(initrc_t)
|
||||||
@@ -394,13 +520,14 @@ logging_read_audit_config(initrc_t)
|
@@ -394,13 +521,14 @@ logging_read_audit_config(initrc_t)
|
||||||
|
|
||||||
miscfiles_read_localization(initrc_t)
|
miscfiles_read_localization(initrc_t)
|
||||||
# slapd needs to read cert files from its initscript
|
# slapd needs to read cert files from its initscript
|
||||||
@ -38667,7 +38726,7 @@ index 698c11e..00283ba 100644
|
|||||||
userdom_read_user_home_content_files(initrc_t)
|
userdom_read_user_home_content_files(initrc_t)
|
||||||
# Allow access to the sysadm TTYs. Note that this will give access to the
|
# Allow access to the sysadm TTYs. Note that this will give access to the
|
||||||
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
|
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
|
||||||
@@ -473,7 +600,7 @@ ifdef(`distro_redhat',`
|
@@ -473,7 +601,7 @@ ifdef(`distro_redhat',`
|
||||||
|
|
||||||
# Red Hat systems seem to have a stray
|
# Red Hat systems seem to have a stray
|
||||||
# fd open from the initrd
|
# fd open from the initrd
|
||||||
@ -38676,7 +38735,7 @@ index 698c11e..00283ba 100644
|
|||||||
files_dontaudit_read_root_files(initrc_t)
|
files_dontaudit_read_root_files(initrc_t)
|
||||||
|
|
||||||
# These seem to be from the initrd
|
# These seem to be from the initrd
|
||||||
@@ -519,6 +646,19 @@ ifdef(`distro_redhat',`
|
@@ -519,6 +647,19 @@ ifdef(`distro_redhat',`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
bind_manage_config_dirs(initrc_t)
|
bind_manage_config_dirs(initrc_t)
|
||||||
bind_write_config(initrc_t)
|
bind_write_config(initrc_t)
|
||||||
@ -38696,7 +38755,7 @@ index 698c11e..00283ba 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -526,10 +666,17 @@ ifdef(`distro_redhat',`
|
@@ -526,10 +667,17 @@ ifdef(`distro_redhat',`
|
||||||
rpc_write_exports(initrc_t)
|
rpc_write_exports(initrc_t)
|
||||||
rpc_manage_nfs_state_data(initrc_t)
|
rpc_manage_nfs_state_data(initrc_t)
|
||||||
')
|
')
|
||||||
@ -38714,7 +38773,7 @@ index 698c11e..00283ba 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -544,6 +691,35 @@ ifdef(`distro_suse',`
|
@@ -544,6 +692,35 @@ ifdef(`distro_suse',`
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -38750,7 +38809,7 @@ index 698c11e..00283ba 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
amavis_search_lib(initrc_t)
|
amavis_search_lib(initrc_t)
|
||||||
amavis_setattr_pid_files(initrc_t)
|
amavis_setattr_pid_files(initrc_t)
|
||||||
@@ -556,6 +732,8 @@ optional_policy(`
|
@@ -556,6 +733,8 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
apache_read_config(initrc_t)
|
apache_read_config(initrc_t)
|
||||||
apache_list_modules(initrc_t)
|
apache_list_modules(initrc_t)
|
||||||
@ -38759,7 +38818,7 @@ index 698c11e..00283ba 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -572,6 +750,7 @@ optional_policy(`
|
@@ -572,6 +751,7 @@ optional_policy(`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
cgroup_stream_connect_cgred(initrc_t)
|
cgroup_stream_connect_cgred(initrc_t)
|
||||||
@ -38767,7 +38826,7 @@ index 698c11e..00283ba 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -584,6 +763,11 @@ optional_policy(`
|
@@ -584,6 +764,11 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -38779,7 +38838,7 @@ index 698c11e..00283ba 100644
|
|||||||
dev_getattr_printer_dev(initrc_t)
|
dev_getattr_printer_dev(initrc_t)
|
||||||
|
|
||||||
cups_read_log(initrc_t)
|
cups_read_log(initrc_t)
|
||||||
@@ -600,6 +784,9 @@ optional_policy(`
|
@@ -600,6 +785,9 @@ optional_policy(`
|
||||||
dbus_connect_system_bus(initrc_t)
|
dbus_connect_system_bus(initrc_t)
|
||||||
dbus_system_bus_client(initrc_t)
|
dbus_system_bus_client(initrc_t)
|
||||||
dbus_read_config(initrc_t)
|
dbus_read_config(initrc_t)
|
||||||
@ -38789,7 +38848,7 @@ index 698c11e..00283ba 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
consolekit_dbus_chat(initrc_t)
|
consolekit_dbus_chat(initrc_t)
|
||||||
@@ -701,7 +888,13 @@ optional_policy(`
|
@@ -701,7 +889,13 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -38803,7 +38862,7 @@ index 698c11e..00283ba 100644
|
|||||||
mta_dontaudit_read_spool_symlinks(initrc_t)
|
mta_dontaudit_read_spool_symlinks(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -724,6 +917,10 @@ optional_policy(`
|
@@ -724,6 +918,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -38814,7 +38873,7 @@ index 698c11e..00283ba 100644
|
|||||||
postgresql_manage_db(initrc_t)
|
postgresql_manage_db(initrc_t)
|
||||||
postgresql_read_config(initrc_t)
|
postgresql_read_config(initrc_t)
|
||||||
')
|
')
|
||||||
@@ -745,6 +942,10 @@ optional_policy(`
|
@@ -745,6 +943,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -38825,7 +38884,7 @@ index 698c11e..00283ba 100644
|
|||||||
fs_write_ramfs_sockets(initrc_t)
|
fs_write_ramfs_sockets(initrc_t)
|
||||||
fs_search_ramfs(initrc_t)
|
fs_search_ramfs(initrc_t)
|
||||||
|
|
||||||
@@ -766,8 +967,6 @@ optional_policy(`
|
@@ -766,8 +968,6 @@ optional_policy(`
|
||||||
# bash tries ioctl for some reason
|
# bash tries ioctl for some reason
|
||||||
files_dontaudit_ioctl_all_pids(initrc_t)
|
files_dontaudit_ioctl_all_pids(initrc_t)
|
||||||
|
|
||||||
@ -38834,7 +38893,7 @@ index 698c11e..00283ba 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -776,14 +975,21 @@ optional_policy(`
|
@@ -776,14 +976,21 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -38856,7 +38915,7 @@ index 698c11e..00283ba 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
ssh_dontaudit_read_server_keys(initrc_t)
|
ssh_dontaudit_read_server_keys(initrc_t)
|
||||||
@@ -805,11 +1011,19 @@ optional_policy(`
|
@@ -805,11 +1012,19 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -38877,7 +38936,7 @@ index 698c11e..00283ba 100644
|
|||||||
|
|
||||||
ifdef(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
# system-config-services causes avc messages that should be dontaudited
|
# system-config-services causes avc messages that should be dontaudited
|
||||||
@@ -819,6 +1033,25 @@ optional_policy(`
|
@@ -819,6 +1034,25 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
mono_domtrans(initrc_t)
|
mono_domtrans(initrc_t)
|
||||||
')
|
')
|
||||||
@ -38903,7 +38962,7 @@ index 698c11e..00283ba 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -844,3 +1077,55 @@ optional_policy(`
|
@@ -844,3 +1078,55 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
zebra_read_config(initrc_t)
|
zebra_read_config(initrc_t)
|
||||||
')
|
')
|
||||||
@ -40695,7 +40754,7 @@ index 8b5c196..3490497 100644
|
|||||||
+ role $2 types showmount_t;
|
+ role $2 types showmount_t;
|
||||||
')
|
')
|
||||||
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
|
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
|
||||||
index fca6947..0fcd4e7 100644
|
index fca6947..8848e14 100644
|
||||||
--- a/policy/modules/system/mount.te
|
--- a/policy/modules/system/mount.te
|
||||||
+++ b/policy/modules/system/mount.te
|
+++ b/policy/modules/system/mount.te
|
||||||
@@ -17,8 +17,15 @@ type mount_exec_t;
|
@@ -17,8 +17,15 @@ type mount_exec_t;
|
||||||
@ -40745,7 +40804,7 @@ index fca6947..0fcd4e7 100644
|
|||||||
|
|
||||||
allow mount_t mount_loopback_t:file read_file_perms;
|
allow mount_t mount_loopback_t:file read_file_perms;
|
||||||
|
|
||||||
@@ -46,32 +68,56 @@ can_exec(mount_t, mount_exec_t)
|
@@ -46,60 +68,94 @@ can_exec(mount_t, mount_exec_t)
|
||||||
|
|
||||||
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
|
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
|
||||||
|
|
||||||
@ -40794,17 +40853,22 @@ index fca6947..0fcd4e7 100644
|
|||||||
files_read_etc_files(mount_t)
|
files_read_etc_files(mount_t)
|
||||||
files_manage_etc_runtime_files(mount_t)
|
files_manage_etc_runtime_files(mount_t)
|
||||||
files_etc_filetrans_etc_runtime(mount_t, file)
|
files_etc_filetrans_etc_runtime(mount_t, file)
|
||||||
|
+# for when /etc/mtab loses its type
|
||||||
|
+files_delete_etc_files(mount_t)
|
||||||
files_mounton_all_mountpoints(mount_t)
|
files_mounton_all_mountpoints(mount_t)
|
||||||
+# ntfs-3g checks whether the mountpoint is writable before mounting
|
+# ntfs-3g checks whether the mountpoint is writable before mounting
|
||||||
+files_write_all_mountpoints(mount_t)
|
+files_write_all_mountpoints(mount_t)
|
||||||
files_unmount_rootfs(mount_t)
|
files_unmount_rootfs(mount_t)
|
||||||
|
+
|
||||||
# These rules need to be generalized. Only admin, initrc should have it:
|
# These rules need to be generalized. Only admin, initrc should have it:
|
||||||
-files_relabelto_all_file_type_fs(mount_t)
|
-files_relabelto_all_file_type_fs(mount_t)
|
||||||
+files_relabel_all_file_type_fs(mount_t)
|
+files_relabel_all_file_type_fs(mount_t)
|
||||||
files_mount_all_file_type_fs(mount_t)
|
files_mount_all_file_type_fs(mount_t)
|
||||||
files_unmount_all_file_type_fs(mount_t)
|
files_unmount_all_file_type_fs(mount_t)
|
||||||
# for when /etc/mtab loses its type
|
-# for when /etc/mtab loses its type
|
||||||
@@ -81,25 +127,34 @@ files_read_isid_type_files(mount_t)
|
-# cjp: this seems wrong, the type should probably be etc
|
||||||
|
files_read_isid_type_files(mount_t)
|
||||||
|
# For reading cert files
|
||||||
files_read_usr_files(mount_t)
|
files_read_usr_files(mount_t)
|
||||||
files_list_mnt(mount_t)
|
files_list_mnt(mount_t)
|
||||||
|
|
||||||
@ -40842,7 +40906,7 @@ index fca6947..0fcd4e7 100644
|
|||||||
|
|
||||||
term_use_all_terms(mount_t)
|
term_use_all_terms(mount_t)
|
||||||
|
|
||||||
@@ -108,6 +163,8 @@ auth_use_nsswitch(mount_t)
|
@@ -108,6 +164,8 @@ auth_use_nsswitch(mount_t)
|
||||||
init_use_fds(mount_t)
|
init_use_fds(mount_t)
|
||||||
init_use_script_ptys(mount_t)
|
init_use_script_ptys(mount_t)
|
||||||
init_dontaudit_getattr_initctl(mount_t)
|
init_dontaudit_getattr_initctl(mount_t)
|
||||||
@ -40851,7 +40915,7 @@ index fca6947..0fcd4e7 100644
|
|||||||
|
|
||||||
logging_send_syslog_msg(mount_t)
|
logging_send_syslog_msg(mount_t)
|
||||||
|
|
||||||
@@ -118,6 +175,12 @@ sysnet_use_portmap(mount_t)
|
@@ -118,6 +176,12 @@ sysnet_use_portmap(mount_t)
|
||||||
seutil_read_config(mount_t)
|
seutil_read_config(mount_t)
|
||||||
|
|
||||||
userdom_use_all_users_fds(mount_t)
|
userdom_use_all_users_fds(mount_t)
|
||||||
@ -40864,7 +40928,7 @@ index fca6947..0fcd4e7 100644
|
|||||||
|
|
||||||
ifdef(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -133,10 +196,17 @@ ifdef(`distro_ubuntu',`
|
@@ -133,10 +197,17 @@ ifdef(`distro_ubuntu',`
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -40882,7 +40946,7 @@ index fca6947..0fcd4e7 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -166,6 +236,8 @@ optional_policy(`
|
@@ -166,6 +237,8 @@ optional_policy(`
|
||||||
fs_search_rpc(mount_t)
|
fs_search_rpc(mount_t)
|
||||||
|
|
||||||
rpc_stub(mount_t)
|
rpc_stub(mount_t)
|
||||||
@ -40891,7 +40955,7 @@ index fca6947..0fcd4e7 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -173,6 +245,25 @@ optional_policy(`
|
@@ -173,6 +246,25 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -40917,7 +40981,7 @@ index fca6947..0fcd4e7 100644
|
|||||||
ifdef(`hide_broken_symptoms',`
|
ifdef(`hide_broken_symptoms',`
|
||||||
# for a bug in the X server
|
# for a bug in the X server
|
||||||
rhgb_dontaudit_rw_stream_sockets(mount_t)
|
rhgb_dontaudit_rw_stream_sockets(mount_t)
|
||||||
@@ -180,13 +271,36 @@ optional_policy(`
|
@@ -180,13 +272,36 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -40954,7 +41018,7 @@ index fca6947..0fcd4e7 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -195,6 +309,42 @@ optional_policy(`
|
@@ -195,6 +310,42 @@ optional_policy(`
|
||||||
#
|
#
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -1,3 +1,4 @@
|
|||||||
|
|
||||||
%define distro redhat
|
%define distro redhat
|
||||||
%define polyinstatiate n
|
%define polyinstatiate n
|
||||||
%define monolithic n
|
%define monolithic n
|
||||||
@ -20,7 +21,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.9.5
|
Version: 3.9.5
|
||||||
Release: 7%{?dist}
|
Release: 8%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -469,7 +470,11 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Mon Sep 26 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-7
|
* Wed Sep 29 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-8
|
||||||
|
- Dontaudit attempts by xdm_t to write to bin_t for kdm
|
||||||
|
- Allow initrc_t to manage system_conf_t
|
||||||
|
|
||||||
|
* Mon Sep 27 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-7
|
||||||
- Fixes to allow mozilla_plugin_t to create nsplugin_home_t directory.
|
- Fixes to allow mozilla_plugin_t to create nsplugin_home_t directory.
|
||||||
- Allow mozilla_plugin_t to create tcp/udp/netlink_route sockets
|
- Allow mozilla_plugin_t to create tcp/udp/netlink_route sockets
|
||||||
- Allow confined users to read xdm_etc_t files
|
- Allow confined users to read xdm_etc_t files
|
||||||
|