patch from dan Fri, 01 Sep 2006 15:45:24 -0400
parent
9b45c60308
commit
5dbda5558a
@ -65,6 +65,7 @@
|
||||
Wed, 26 Jul 2006
|
||||
Wed, 23 Aug 2006
|
||||
Thu, 31 Aug 2006
|
||||
Fri, 01 Sep 2006
|
||||
- Added modules:
|
||||
afs
|
||||
amavis (Erich Schubert)
|
||||
|
@ -11,61 +11,11 @@
|
||||
/usr/lib(64)?/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0)
|
||||
/usr/lib(64)?/amanda/.+ -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/amcat\.awk -- gen_context(system_u:object_r:amanda_script_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/amcleanupdisk -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/amlogroll -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/amplot\.awk -- gen_context(system_u:object_r:amanda_script_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/amplot\.g -- gen_context(system_u:object_r:amanda_script_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/amplot\.gp -- gen_context(system_u:object_r:amanda_script_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/amtrmidx -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/amtrmlog -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/calcsize -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/chg-chio -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/chg-chs -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/chg-manual -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/chg-mtx -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/chg-multi -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/chg-rth -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/chg-scsi -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/chg-zd-mtx -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/driver -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/dumper -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/killpgrp -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/patch-system -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/planner -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/rundump -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/runtar -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/selfcheck -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/sendbackup -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/sendsize -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/taper -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/versionsuffix -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
|
||||
/usr/sbin/amadmin -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
|
||||
/usr/sbin/amcheck -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
|
||||
/usr/sbin/amcheckdb -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
|
||||
/usr/sbin/amcleanup -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
|
||||
/usr/sbin/amdump -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
|
||||
/usr/sbin/amflush -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
|
||||
/usr/sbin/amgetconf -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
|
||||
/usr/sbin/amlabel -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
|
||||
/usr/sbin/amoverview -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
|
||||
/usr/sbin/amplot -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
|
||||
/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
|
||||
/usr/sbin/amreport -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
|
||||
/usr/sbin/amrestore -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
|
||||
/usr/sbin/amrmtape -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
|
||||
/usr/sbin/amstatus -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
|
||||
/usr/sbin/amtape -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
|
||||
/usr/sbin/amtoc -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
|
||||
/usr/sbin/amverify -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
|
||||
|
||||
/var/lib/amanda -d gen_context(system_u:object_r:amanda_var_lib_t,s0)
|
||||
/var/lib/amanda/\.amandahosts -- gen_context(system_u:object_r:amanda_config_t,s0)
|
||||
/var/lib/amanda/\.bashrc -- gen_context(system_u:object_r:amanda_shellconfig_t,s0)
|
||||
/var/lib/amanda/\.profile -- gen_context(system_u:object_r:amanda_shellconfig_t,s0)
|
||||
/var/lib/amanda/disklist -- gen_context(system_u:object_r:amanda_data_t,s0)
|
||||
/var/lib/amanda/gnutar-lists(/.*)? gen_context(system_u:object_r:amanda_gnutarlists_t,s0)
|
||||
/var/lib/amanda/index gen_context(system_u:object_r:amanda_data_t,s0)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(amanda,1.3.5)
|
||||
policy_module(amanda,1.3.6)
|
||||
|
||||
#######################################
|
||||
#
|
||||
@ -33,18 +33,6 @@ files_type(amanda_var_lib_t)
|
||||
type amanda_gnutarlists_t;
|
||||
files_type(amanda_gnutarlists_t)
|
||||
|
||||
# type for user startable files
|
||||
type amanda_user_exec_t;
|
||||
corecmd_executable_file(amanda_user_exec_t)
|
||||
|
||||
# type for same awk and other scripts
|
||||
type amanda_script_exec_t;
|
||||
corecmd_executable_file(amanda_script_exec_t)
|
||||
|
||||
# type for the shell configuration files
|
||||
type amanda_shellconfig_t;
|
||||
files_type(amanda_shellconfig_t)
|
||||
|
||||
type amanda_tmp_t;
|
||||
files_tmp_file(amanda_tmp_t)
|
||||
|
||||
|
@ -1,5 +1,3 @@
|
||||
# firstboot
|
||||
/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0)
|
||||
|
||||
/usr/share/firstboot gen_context(system_u:object_r:firstboot_rw_t,s0)
|
||||
/usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(firstboot,1.1.4)
|
||||
policy_module(firstboot,1.1.5)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
@ -20,9 +20,6 @@ role system_r types firstboot_t;
|
||||
type firstboot_etc_t;
|
||||
files_config_file(firstboot_etc_t)
|
||||
|
||||
type firstboot_rw_t;
|
||||
files_type(firstboot_rw_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
@ -38,10 +35,6 @@ allow firstboot_t self:passwd rootok;
|
||||
|
||||
allow firstboot_t firstboot_etc_t:file { getattr read };
|
||||
|
||||
allow firstboot_t firstboot_rw_t:dir create_dir_perms;
|
||||
allow firstboot_t firstboot_rw_t:file create_file_perms;
|
||||
files_etc_filetrans(firstboot_t,firstboot_rw_t,file)
|
||||
|
||||
# The big hammer
|
||||
unconfined_domain(firstboot_t)
|
||||
|
||||
@ -68,7 +61,8 @@ corecmd_exec_all_executables(firstboot_t)
|
||||
|
||||
files_exec_etc_files(firstboot_t)
|
||||
files_manage_etc_files(firstboot_t)
|
||||
files_read_etc_runtime_files(firstboot_t)
|
||||
files_manage_etc_runtime_files(firstboot_t)
|
||||
files_etc_filetrans_etc_runtime(firstboot_t, { file dir })
|
||||
files_read_usr_files(firstboot_t)
|
||||
files_manage_var_dirs(firstboot_t)
|
||||
files_manage_var_files(firstboot_t)
|
||||
@ -122,6 +116,7 @@ optional_policy(`
|
||||
usermanage_domtrans_groupadd(firstboot_t)
|
||||
usermanage_domtrans_passwd(firstboot_t)
|
||||
usermanage_domtrans_useradd(firstboot_t)
|
||||
usermanage_domtrans_admin_passwd(firstboot_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
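Review bot: Dropping firstboot_rw_t (the hunks at -20 and -38) leaves /usr/share/firstboot labelled by its parent context, presumably usr_t, and the only usr rule left in the -68 hunk is `files_read_usr_files(firstboot_t)`, which is read-only, so any write firstboot still performs under that directory now rests entirely on `unconfined_domain(firstboot_t)` ("The big hammer", still in context). If that is intended, a comment beside the unconfined rule such as `# writes under /usr/share/firstboot have no dedicated type; covered only by unconfined_domain` would keep the dependency visible for whoever later tries to confine this domain. Which line in the -68 hunk is the addition cannot be told from the rendering; the `usermanage_domtrans_admin_passwd(firstboot_t)` added in the -122 hunk is consistent with the neighbouring domtrans calls.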
@ -950,6 +950,7 @@ interface(`corecmd_manage_all_executables',`
|
||||
|
||||
allow $1 exec_type:file manage_file_perms;
|
||||
allow $1 { bin_t sbin_t }:dir rw_dir_perms;
|
||||
allow $1 { bin_t sbin_t }:lnk_file create_lnk_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
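Review bot: The new `allow $1 { bin_t sbin_t }:lnk_file create_lnk_perms;` widens corecmd_manage_all_executables to symlink management inside the system binary directories, but the interface's `## <summary>` / `## <desc>` block above the hunk is not touched here. Suggest adding a sentence there such as `## Also allows creating, renaming and deleting symbolic links in bin_t and sbin_t directories.` so callers auditing what "manage all executables" confers see symlinks mentioned. Given the existing `allow $1 exec_type:file manage_file_perms;` the grant is not materially broader, but the documentation should match the rules. The interface definition starts above the hunk.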
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(corecommands,1.3.13)
|
||||
policy_module(corecommands,1.3.14)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -886,7 +886,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
|
||||
type tty_device_t;
|
||||
')
|
||||
|
||||
dontaudit $1 tty_device_t:chr_file { read write };
|
||||
dontaudit $1 tty_device_t:chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
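Review bot: Replacing `{ read write }` with `rw_file_perms` in term_dontaudit_use_unallocated_ttys suppresses more than the two denials the old rule covered: in refpolicy's permission sets rw_file_perms also includes getattr, ioctl, lock and append on tty_device_t chr_files. For a dontaudit that is a detection trade-off, since ioctl denials on unallocated ttys can be the only audit hint that a domain is doing something unexpected with terminals, so the widening deserves a one-line reason in the interface's `## <desc>` block or a comment above the rule, e.g. `# getattr/ioctl noise on unallocated ttys is expected from callers` if that was the motivation. If only getattr and ioctl were needed, `{ read write getattr ioctl }` would be the narrower option. The interface definition starts above the hunk.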
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(terminal,1.1.6)
|
||||
policy_module(terminal,1.1.7)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -141,7 +141,6 @@ allow httpd_t self:msgq create_msgq_perms;
|
||||
allow httpd_t self:msg { send receive };
|
||||
allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
|
||||
allow httpd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow httpd_t self:udp_socket create_socket_perms;
|
||||
|
||||
|
@ -54,6 +54,9 @@ template(`cron_per_userdomain_template',`
|
||||
domain_entry_file($1_crontab_t,crontab_exec_t)
|
||||
role $3 types $1_crontab_t;
|
||||
|
||||
type $1_crontab_tmp_t;
|
||||
files_tmp_file($1_crontab_tmp_t)
|
||||
|
||||
##############################
|
||||
#
|
||||
# $1_crond_t local policy
|
||||
@ -175,6 +178,10 @@ template(`cron_per_userdomain_template',`
|
||||
# $1_crontab_t local policy
|
||||
#
|
||||
|
||||
# dac_override is to create the file in the directory under /tmp
|
||||
allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };
|
||||
allow $1_crontab_t self:process signal_perms;
|
||||
|
||||
# Transition from the user domain to the derived domain.
|
||||
domain_auto_trans($2, crontab_exec_t, $1_crontab_t)
|
||||
allow $2 $1_crontab_t:fd use;
|
||||
@ -193,9 +200,8 @@ template(`cron_per_userdomain_template',`
|
||||
# Allow crond to read those crontabs in cron spool.
|
||||
allow crond_t $1_cron_spool_t:file create_file_perms;
|
||||
|
||||
# dac_override is to create the file in the directory under /tmp
|
||||
allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };
|
||||
allow $1_crontab_t self:process signal_perms;
|
||||
allow $1_crontab_t $1_crontab_tmp_t:file manage_file_perms;
|
||||
files_tmp_filetrans($1_crontab_t,$1_crontab_tmp_t,file)
|
||||
|
||||
# create files in /var/spool/cron
|
||||
allow $1_crontab_t cron_spool_t:dir rw_dir_perms;
|
||||
@ -250,9 +256,6 @@ template(`cron_per_userdomain_template',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow $1_crond_t tmp_t:dir rw_dir_perms;
|
||||
type_transition $1_crond_t $1_tmp_t:{ file dir } $1_tmp_t;
|
||||
|
||||
# Read user crontabs
|
||||
dontaudit $1_crontab_t $1_home_dir_t:dir write;
|
||||
') dnl endif TODO
|
||||
|
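Review bot: The capability rule moved into the -175 hunk keeps dac_override with the comment `# dac_override is to create the file in the directory under /tmp`, yet the same change introduces `$1_crontab_tmp_t` with `files_tmp_filetrans($1_crontab_t,$1_crontab_tmp_t,file)` in the -193 hunk, so the labelling side of that file creation is now handled by policy and the comment no longer says what DAC obstacle remains. Suggest stating it explicitly, e.g. `# dac_override: crontab writes its temp file into a /tmp directory owned by the invoking user, not by the uid it runs as`, if that is the reason, or dropping the capability if it no longer trips. The template cron_per_userdomain_template continues outside the hunks.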
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(cron,1.3.11)
|
||||
policy_module(cron,1.3.12)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(cyrus,1.1.5)
|
||||
policy_module(cyrus,1.1.6)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -93,6 +93,7 @@ domain_use_interactive_fds(cyrus_t)
|
||||
files_list_var_lib(cyrus_t)
|
||||
files_read_etc_files(cyrus_t)
|
||||
files_read_etc_runtime_files(cyrus_t)
|
||||
files_read_usr_files(cyrus_t)
|
||||
|
||||
init_use_fds(cyrus_t)
|
||||
init_use_script_ptys(cyrus_t)
|
||||
|
@ -38,7 +38,6 @@ allow system_dbusd_t self:dbus { send_msg acquire_svc };
|
||||
allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
|
||||
allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||
allow system_dbusd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
# Receive notifications of policy reloads and enforcing status changes.
|
||||
allow system_dbusd_t self:netlink_selinux_socket { create bind read };
|
||||
|
||||
|
@ -50,7 +50,6 @@ allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
|
||||
allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow ftpd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow ftpd_t self:udp_socket create_socket_perms;
|
||||
allow ftpd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
allow ftpd_t ftpd_etc_t:file r_file_perms;
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(hal,1.3.11)
|
||||
policy_module(hal,1.3.12)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -28,7 +28,6 @@ allow hald_t self:process signal_perms;
|
||||
allow hald_t self:fifo_file rw_file_perms;
|
||||
allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow hald_t self:unix_dgram_socket create_socket_perms;
|
||||
allow hald_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow hald_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||
allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
allow hald_t self:tcp_socket create_stream_socket_perms;
|
||||
@ -78,6 +77,7 @@ dev_setattr_usbfs_files(hald_t)
|
||||
dev_rw_sysfs(hald_t)
|
||||
|
||||
domain_use_interactive_fds(hald_t)
|
||||
domain_read_all_domains_state(hald_t)
|
||||
|
||||
files_exec_etc_files(hald_t)
|
||||
files_read_etc_files(hald_t)
|
||||
|
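Review bot: One of `domain_use_interactive_fds(hald_t)` and `domain_read_all_domains_state(hald_t)` in the -78 hunk is the added line (the rendering drops the markers; the latter looks like the addition). If it is `domain_read_all_domains_state`, hald gains read access to the process state of every domain on the system, which is a broad grant for a hardware abstraction daemon and carries no explanation. Add a why-comment above it naming the hal feature that needs it, e.g. `# hald reads /proc/<pid> state of all domains for <feature — confirm>`, and check whether a narrower interface covers the actual need.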
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ldap,1.2.5)
|
||||
policy_module(ldap,1.2.6)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -70,9 +70,10 @@ allow slapd_t slapd_tmp_t:dir create_dir_perms;
|
||||
allow slapd_t slapd_tmp_t:file create_file_perms;
|
||||
files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
|
||||
|
||||
allow slapd_t slapd_var_run_t:file create_file_perms;
|
||||
allow slapd_t slapd_var_run_t:file manage_file_perms;
|
||||
allow slapd_t slapd_var_run_t:sock_file manage_file_perms;
|
||||
allow slapd_t slapd_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(slapd_t,slapd_var_run_t,file)
|
||||
files_pid_filetrans(slapd_t,slapd_var_run_t,{ file sock_file })
|
||||
|
||||
kernel_read_system_state(slapd_t)
|
||||
kernel_read_kernel_sysctls(slapd_t)
|
||||
|
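Review bot: The -70 hunk adds `sock_file manage_file_perms` on slapd_var_run_t and extends the pid filetrans to `{ file sock_file }` without saying what the socket is; presumably the ldapi:// unix socket. Suggest `# ldapi:// unix-domain socket under /var/run` above the sock_file rule. Minor style point: the new `files_pid_filetrans(slapd_t,slapd_var_run_t,{ file sock_file })` omits the spaces after commas that the neighbouring `files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })` uses.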
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(networkmanager,1.3.6)
|
||||
policy_module(networkmanager,1.3.7)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -18,9 +18,11 @@ files_pid_file(NetworkManager_var_run_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
# networkmanager will ptrace itself if gdb is installed
|
||||
# and it receives a unexpected signal (rh bug #204161)
|
||||
allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock};
|
||||
dontaudit NetworkManager_t self:capability sys_tty_config;
|
||||
allow NetworkManager_t self:process { setcap getsched signal_perms };
|
||||
allow NetworkManager_t self:process { ptrace setcap getsched signal_perms };
|
||||
allow NetworkManager_t self:fifo_file rw_file_perms;
|
||||
allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
|
||||
allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
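Review bot: The explanatory comment added in the -18 hunk (`# networkmanager will ptrace itself if gdb is installed` / `# and it receives a unexpected signal (rh bug #204161)`) sits directly above `allow NetworkManager_t self:capability { ... }`, two rules away from the `self:process { ptrace setcap getsched signal_perms }` line it actually explains, so a reader will attach it to the capability set. Move the two comment lines to sit immediately above `allow NetworkManager_t self:process { ptrace setcap getsched signal_perms };` and fix "a unexpected" to "an unexpected". The grant being self-only is appropriate; it does not extend ptrace to other domains.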
@ -38,7 +38,6 @@ allow ntpd_t self:process { signal_perms setcap setsched setrlimit };
|
||||
allow ntpd_t self:fifo_file { read write getattr };
|
||||
allow ntpd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow ntpd_t self:unix_stream_socket create_socket_perms;
|
||||
allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow ntpd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow ntpd_t self:udp_socket create_socket_perms;
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(stunnel,1.1.2)
|
||||
policy_module(stunnel,1.1.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -38,6 +38,7 @@ allow stunnel_t self:process signal_perms;
|
||||
allow stunnel_t self:fifo_file rw_file_perms;
|
||||
allow stunnel_t self:tcp_socket create_stream_socket_perms;
|
||||
allow stunnel_t self:udp_socket create_socket_perms;
|
||||
allow stunnel_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
allow stunnel_t stunnel_etc_t:dir { getattr read search };
|
||||
allow stunnel_t stunnel_etc_t:file { read getattr };
|
||||
@ -63,7 +64,7 @@ corenet_udp_sendrecv_all_nodes(stunnel_t)
|
||||
corenet_tcp_sendrecv_all_ports(stunnel_t)
|
||||
corenet_udp_sendrecv_all_ports(stunnel_t)
|
||||
corenet_tcp_bind_all_nodes(stunnel_t)
|
||||
#corenet_tcp_bind_stunnel_port(stunnel_t)
|
||||
corenet_tcp_connect_all_ports(stunnel_t)
|
||||
|
||||
fs_getattr_all_fs(stunnel_t)
|
||||
|
||||
|
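Review bot: In the -63 hunk `#corenet_tcp_bind_stunnel_port(stunnel_t)` is left commented out with no reason given, next to `corenet_tcp_bind_all_nodes(stunnel_t)`; which of the two is the new line cannot be told from the rendering. Commented-out policy without a note tends to be re-enabled blindly later, so either delete the line or annotate it, e.g. `# disabled: <reason — e.g. port type not yet defined in corenetwork>`. The -38 hunk adds one socket rule to stunnel (presumably `self:netlink_route_socket r_netlink_socket_perms`) in the same commit whose pure-deletion hunks in apache, dbus, ftpd, hald and ntpd appear to remove that rule from those domains; if it was centralised in a shared interface, stunnel should use the same mechanism rather than a local allow.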
@ -23,6 +23,7 @@
|
||||
#
|
||||
/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0)
|
||||
/sbin/restorecon -- gen_context(system_u:object_r:restorecon_exec_t,s0)
|
||||
/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
|
||||
|
||||
#
|
||||
# /usr
|
||||
|
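Review bot: `/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)` uses an open-ended `.*` where the other two entries in the hunk name exact paths; file-context patterns are anchored, so this labels anything whose name starts with /sbin/setfiles (setfiles, setfiles.bak, setfiles-old, ...) as an entrypoint for the filesystem-relabelling domain. If a specific suffixed variant is intended, prefer the explicit path or a bounded pattern such as `/sbin/setfiles(\..*)? --` and add a comment naming the variant. Which of the three lines is the addition is not recoverable from the rendering, but the pattern is on the new side either way.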
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(selinuxutil,1.2.13)
|
||||
policy_module(selinuxutil,1.2.14)
|
||||
|
||||
ifdef(`strict_policy',`
|
||||
gen_require(`
|
||||
|