- Update rhcs policy
This commit is contained in:
Daniel J Walsh
parent
9b29bf3f78
commit
5b96313949
|
|
@ -1199,6 +1199,20 @@ rgmanager = module
|
|||
#
|
||||
rhcs = module
|
||||
|
||||
# Layer: services
|
||||
# Module: aisexec
|
||||
#
|
||||
# RHCS - Red Hat Cluster Suite
|
||||
#
|
||||
aisexec = module
|
||||
|
||||
# Layer: services
|
||||
# Module: rgmanager
|
||||
#
|
||||
# rgmanager
|
||||
#
|
||||
rgmanager = module
|
||||
|
||||
# Layer: services
|
||||
# Module: rhgb
|
||||
#
|
||||
|
|
|
|||
|
|
@ -1199,6 +1199,20 @@ rgmanager = module
|
|||
#
|
||||
rhcs = module
|
||||
|
||||
# Layer: services
|
||||
# Module: aisexec
|
||||
#
|
||||
# RHCS - Red Hat Cluster Suite
|
||||
#
|
||||
aisexec = module
|
||||
|
||||
# Layer: services
|
||||
# Module: rgmanager
|
||||
#
|
||||
# rgmanager
|
||||
#
|
||||
rgmanager = module
|
||||
|
||||
# Layer: services
|
||||
# Module: rhgb
|
||||
#
|
||||
|
|
|
|||
|
|
@ -2593,8 +2593,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.32/policy/modules/apps/nsplugin.if
|
||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.if 2009-09-23 10:34:03.000000000 -0400
|
||||
@@ -0,0 +1,320 @@
|
||||
+++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.if 2009-09-29 15:46:41.000000000 -0400
|
||||
@@ -0,0 +1,322 @@
|
||||
+
|
||||
+## <summary>policy for nsplugin</summary>
|
||||
+
|
||||
|
|
@ -2686,6 +2686,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+ role $1 types nsplugin_config_t;
|
||||
+
|
||||
+ allow nsplugin_t $2:process signull;
|
||||
+ allow nsplugin_t $2:dbus send_msg;
|
||||
+ allow $2 nsplugin_t:dbus send_msg;
|
||||
+
|
||||
+ list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
|
||||
+ read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
|
||||
|
|
@ -3332,6 +3334,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+type openoffice_t;
|
||||
+type openoffice_exec_t;
|
||||
+application_domain(openoffice_t, openoffice_exec_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if
|
||||
--- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2009-08-31 13:30:04.000000000 -0400
|
||||
+++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if 2009-09-29 15:46:25.000000000 -0400
|
||||
@@ -40,7 +40,7 @@
|
||||
userdom_manage_tmpfs_role($1, pulseaudio_t)
|
||||
|
||||
allow $2 pulseaudio_t:dbus send_msg;
|
||||
- allow pulseaudio_t $2:dbus send_msg;
|
||||
+ allow pulseaudio_t $2:dbus { acquire_svc send_msg };
|
||||
')
|
||||
|
||||
########################################
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te
|
||||
--- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2009-08-31 13:30:04.000000000 -0400
|
||||
+++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te 2009-09-16 10:03:08.000000000 -0400
|
||||
|
|
@ -20311,7 +20325,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-08-28 14:58:20.000000000 -0400
|
||||
+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-09-21 08:22:39.000000000 -0400
|
||||
+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-09-29 15:34:33.000000000 -0400
|
||||
@@ -34,6 +34,13 @@
|
||||
|
||||
## <desc>
|
||||
|
|
@ -20727,7 +20741,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
hostname_exec(xdm_t)
|
||||
')
|
||||
|
||||
@@ -542,6 +652,30 @@
|
||||
@@ -542,6 +652,34 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -20739,6 +20753,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ pcscd_stream_connect(xdm_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ pulseaudio_exec(xdm_t)
|
||||
+ pulseaudio_dbus_chat(xdm_t)
|
||||
+')
|
||||
|
|
@ -20758,7 +20776,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
seutil_sigchld_newrole(xdm_t)
|
||||
')
|
||||
|
||||
@@ -550,8 +684,9 @@
|
||||
@@ -550,8 +688,9 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -20770,7 +20788,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
ifndef(`distro_redhat',`
|
||||
allow xdm_t self:process { execheap execmem };
|
||||
@@ -560,7 +695,6 @@
|
||||
@@ -560,7 +699,6 @@
|
||||
ifdef(`distro_rhel4',`
|
||||
allow xdm_t self:process { execheap execmem };
|
||||
')
|
||||
|
|
@ -20778,7 +20796,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
optional_policy(`
|
||||
userhelper_dontaudit_search_config(xdm_t)
|
||||
@@ -571,6 +705,10 @@
|
||||
@@ -571,6 +709,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -20789,7 +20807,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
xfs_stream_connect(xdm_t)
|
||||
')
|
||||
|
||||
@@ -587,10 +725,9 @@
|
||||
@@ -587,10 +729,9 @@
|
||||
# execheap needed until the X module loader is fixed.
|
||||
# NVIDIA Needs execstack
|
||||
|
||||
|
|
@ -20801,7 +20819,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
allow xserver_t self:fd use;
|
||||
allow xserver_t self:fifo_file rw_fifo_file_perms;
|
||||
allow xserver_t self:sock_file read_sock_file_perms;
|
||||
@@ -602,9 +739,12 @@
|
||||
@@ -602,9 +743,12 @@
|
||||
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
||||
allow xserver_t self:udp_socket create_socket_perms;
|
||||
|
|
@ -20814,7 +20832,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
|
||||
|
||||
@@ -616,13 +756,14 @@
|
||||
@@ -616,13 +760,14 @@
|
||||
type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
|
||||
|
||||
allow xserver_t { rootwindow_t x_domain }:x_drawable send;
|
||||
|
|
@ -20830,7 +20848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||
@@ -635,9 +776,19 @@
|
||||
@@ -635,9 +780,19 @@
|
||||
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||
files_search_var_lib(xserver_t)
|
||||
|
||||
|
|
@ -20850,7 +20868,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
kernel_read_system_state(xserver_t)
|
||||
kernel_read_device_sysctls(xserver_t)
|
||||
@@ -671,7 +822,6 @@
|
||||
@@ -671,7 +826,6 @@
|
||||
dev_rw_agp(xserver_t)
|
||||
dev_rw_framebuffer(xserver_t)
|
||||
dev_manage_dri_dev(xserver_t)
|
||||
|
|
@ -20858,7 +20876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
dev_create_generic_dirs(xserver_t)
|
||||
dev_setattr_generic_dirs(xserver_t)
|
||||
# raw memory access is needed if not using the frame buffer
|
||||
@@ -681,9 +831,12 @@
|
||||
@@ -681,9 +835,12 @@
|
||||
dev_rw_xserver_misc(xserver_t)
|
||||
# read events - the synaptics touchpad driver reads raw events
|
||||
dev_rw_input_dev(xserver_t)
|
||||
|
|
@ -20872,7 +20890,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
files_read_etc_files(xserver_t)
|
||||
files_read_etc_runtime_files(xserver_t)
|
||||
@@ -698,8 +851,12 @@
|
||||
@@ -698,8 +855,12 @@
|
||||
fs_search_nfs(xserver_t)
|
||||
fs_search_auto_mountpoints(xserver_t)
|
||||
fs_search_ramfs(xserver_t)
|
||||
|
|
@ -20885,7 +20903,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
selinux_validate_context(xserver_t)
|
||||
selinux_compute_access_vector(xserver_t)
|
||||
@@ -721,6 +878,7 @@
|
||||
@@ -721,6 +882,7 @@
|
||||
|
||||
miscfiles_read_localization(xserver_t)
|
||||
miscfiles_read_fonts(xserver_t)
|
||||
|
|
@ -20893,7 +20911,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
modutils_domtrans_insmod(xserver_t)
|
||||
|
||||
@@ -743,7 +901,7 @@
|
||||
@@ -743,7 +905,7 @@
|
||||
')
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
|
|
@ -20902,7 +20920,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
|
||||
')
|
||||
|
||||
@@ -775,12 +933,20 @@
|
||||
@@ -775,12 +937,20 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -20924,7 +20942,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
unconfined_domtrans(xserver_t)
|
||||
')
|
||||
|
||||
@@ -807,7 +973,7 @@
|
||||
@@ -807,7 +977,7 @@
|
||||
allow xserver_t xdm_var_lib_t:file { getattr read };
|
||||
dontaudit xserver_t xdm_var_lib_t:dir search;
|
||||
|
||||
|
|
@ -20933,7 +20951,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
# Label pid and temporary files with derived types.
|
||||
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||
@@ -828,9 +994,14 @@
|
||||
@@ -828,9 +998,14 @@
|
||||
# to read ROLE_home_t - examine this in more detail
|
||||
# (xauth?)
|
||||
userdom_read_user_home_content_files(xserver_t)
|
||||
|
|
@ -20948,7 +20966,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs(xserver_t)
|
||||
fs_manage_nfs_files(xserver_t)
|
||||
@@ -845,11 +1016,14 @@
|
||||
@@ -845,11 +1020,14 @@
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(xserver_t)
|
||||
|
|
@ -20964,7 +20982,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -882,6 +1056,8 @@
|
||||
@@ -882,6 +1060,8 @@
|
||||
# X Server
|
||||
# can read server-owned resources
|
||||
allow x_domain xserver_t:x_resource read;
|
||||
|
|
@ -20973,7 +20991,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
# can mess with own clients
|
||||
allow x_domain self:x_client { manage destroy };
|
||||
|
||||
@@ -906,6 +1082,8 @@
|
||||
@@ -906,6 +1086,8 @@
|
||||
# operations allowed on my windows
|
||||
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
||||
|
||||
|
|
@ -20982,7 +21000,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
# X Colormaps
|
||||
# can use the default colormap
|
||||
allow x_domain rootwindow_t:x_colormap { read use add_color };
|
||||
@@ -973,17 +1151,49 @@
|
||||
@@ -973,17 +1155,49 @@
|
||||
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
|
||||
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue