- Allow hal_acl_t to getattr/setattr fixed_disk
This commit is contained in:
Daniel J Walsh
parent
32363900ec
commit
5df2628335
|
|
@ -2004,7 +2004,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.1/policy/modules/apps/java.te
|
||||
--- nsaserefpolicy/policy/modules/apps/java.te 2008-11-11 16:13:41.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/apps/java.te 2008-11-25 09:45:43.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/apps/java.te 2009-01-04 13:53:30.000000000 -0500
|
||||
@@ -40,7 +40,7 @@
|
||||
# Local policy
|
||||
#
|
||||
|
|
@ -2014,7 +2014,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
allow java_t self:fifo_file rw_fifo_file_perms;
|
||||
allow java_t self:tcp_socket create_socket_perms;
|
||||
allow java_t self:udp_socket create_socket_perms;
|
||||
@@ -147,4 +147,11 @@
|
||||
@@ -116,12 +116,13 @@
|
||||
|
||||
allow java_t java_tmp_t:file execute;
|
||||
|
||||
- libs_legacy_use_shared_libs(java_t)
|
||||
libs_legacy_use_ld_so(java_t)
|
||||
|
||||
miscfiles_legacy_read_localization(java_t)
|
||||
')
|
||||
|
||||
+libs_legacy_use_shared_libs(java_t)
|
||||
+
|
||||
optional_policy(`
|
||||
nis_use_ypbind(java_t)
|
||||
')
|
||||
@@ -147,4 +148,11 @@
|
||||
|
||||
unconfined_domain_noaudit(unconfined_java_t)
|
||||
unconfined_dbus_chat(unconfined_java_t)
|
||||
|
|
@ -5496,7 +5511,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
#
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.1/policy/modules/kernel/filesystem.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2008-11-11 16:13:41.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/kernel/filesystem.if 2008-12-01 16:27:54.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/kernel/filesystem.if 2009-01-04 12:00:43.000000000 -0500
|
||||
@@ -534,6 +534,24 @@
|
||||
|
||||
########################################
|
||||
|
|
@ -7814,7 +7829,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+permissive afs_t;
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.1/policy/modules/services/apache.fc
|
||||
--- nsaserefpolicy/policy/modules/services/apache.fc 2008-11-11 16:13:46.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/services/apache.fc 2008-11-25 09:45:43.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/services/apache.fc 2008-12-29 10:16:33.000000000 -0500
|
||||
@@ -1,12 +1,13 @@
|
||||
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
|
||||
+HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
|
||||
|
|
@ -7874,10 +7889,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||||
/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||||
/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||||
@@ -64,11 +71,21 @@
|
||||
@@ -64,11 +71,22 @@
|
||||
/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
+/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
+/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
|
||||
/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
|
||||
|
|
@ -8432,7 +8448,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.1/policy/modules/services/apache.te
|
||||
--- nsaserefpolicy/policy/modules/services/apache.te 2008-11-11 16:13:46.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/services/apache.te 2008-12-08 16:47:30.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/services/apache.te 2009-01-04 12:50:52.000000000 -0500
|
||||
@@ -19,6 +19,8 @@
|
||||
# Declarations
|
||||
#
|
||||
|
|
@ -12351,7 +12367,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
########################################
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.1/policy/modules/services/hal.te
|
||||
--- nsaserefpolicy/policy/modules/services/hal.te 2008-11-19 11:51:44.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/services/hal.te 2008-12-19 17:16:25.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/services/hal.te 2009-01-04 12:01:07.000000000 -0500
|
||||
@@ -49,6 +49,15 @@
|
||||
type hald_var_lib_t;
|
||||
files_type(hald_var_lib_t)
|
||||
|
|
@ -12368,7 +12384,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
########################################
|
||||
#
|
||||
# Local policy
|
||||
@@ -143,6 +152,7 @@
|
||||
@@ -143,11 +152,16 @@
|
||||
files_getattr_all_dirs(hald_t)
|
||||
files_read_kernel_img(hald_t)
|
||||
files_rw_lock_dirs(hald_t)
|
||||
|
|
@ -12376,7 +12392,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
fs_getattr_all_fs(hald_t)
|
||||
fs_search_all(hald_t)
|
||||
@@ -195,6 +205,7 @@
|
||||
fs_list_inotifyfs(hald_t)
|
||||
fs_list_auto_mountpoints(hald_t)
|
||||
+fs_mount_dos_fs(hald_t)
|
||||
+fs_unmount_dos_fs(hald_t)
|
||||
+fs_manage_dos_files(hald_t)
|
||||
+
|
||||
files_getattr_all_mountpoints(hald_t)
|
||||
|
||||
mls_file_read_all_levels(hald_t)
|
||||
@@ -195,6 +209,7 @@
|
||||
seutil_read_file_contexts(hald_t)
|
||||
|
||||
sysnet_read_config(hald_t)
|
||||
|
|
@ -12384,7 +12409,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
userdom_dontaudit_use_unpriv_user_fds(hald_t)
|
||||
userdom_dontaudit_search_user_home_dirs(hald_t)
|
||||
@@ -277,6 +288,12 @@
|
||||
@@ -277,6 +292,12 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -12397,7 +12422,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
rpc_search_nfs_state_data(hald_t)
|
||||
')
|
||||
|
||||
@@ -301,12 +318,16 @@
|
||||
@@ -301,12 +322,16 @@
|
||||
virt_manage_images(hald_t)
|
||||
')
|
||||
|
||||
|
|
@ -12415,7 +12440,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
allow hald_acl_t self:process { getattr signal };
|
||||
allow hald_acl_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
@@ -346,12 +367,17 @@
|
||||
@@ -321,6 +346,7 @@
|
||||
manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
|
||||
manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
|
||||
files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
|
||||
+allow hald_t hald_var_run_t:dir mounton;
|
||||
|
||||
corecmd_exec_bin(hald_acl_t)
|
||||
|
||||
@@ -339,6 +365,8 @@
|
||||
|
||||
storage_getattr_removable_dev(hald_acl_t)
|
||||
storage_setattr_removable_dev(hald_acl_t)
|
||||
+storage_getattr_fixed_disk_dev(hald_acl_t)
|
||||
+storage_setattr_fixed_disk_dev(hald_acl_t)
|
||||
|
||||
auth_use_nsswitch(hald_acl_t)
|
||||
|
||||
@@ -346,12 +374,17 @@
|
||||
|
||||
miscfiles_read_localization(hald_acl_t)
|
||||
|
||||
|
|
@ -12434,7 +12476,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
|
||||
allow hald_t hald_mac_t:process signal;
|
||||
@@ -418,3 +444,49 @@
|
||||
@@ -418,3 +451,49 @@
|
||||
files_read_usr_files(hald_keymap_t)
|
||||
|
||||
miscfiles_read_localization(hald_keymap_t)
|
||||
|
|
@ -18108,6 +18150,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
userdom_dontaudit_search_user_home_dirs(pyzor_t)
|
||||
|
||||
optional_policy(`
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.6.1/policy/modules/services/radvd.te
|
||||
--- nsaserefpolicy/policy/modules/services/radvd.te 2008-11-11 16:13:46.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/services/radvd.te 2009-01-04 12:30:51.000000000 -0500
|
||||
@@ -22,7 +22,7 @@
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
-allow radvd_t self:capability { setgid setuid net_raw };
|
||||
+allow radvd_t self:capability { setgid setuid net_raw net_admin };
|
||||
dontaudit radvd_t self:capability sys_tty_config;
|
||||
allow radvd_t self:process signal_perms;
|
||||
allow radvd_t self:unix_dgram_socket create_socket_perms;
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.1/policy/modules/services/razor.if
|
||||
--- nsaserefpolicy/policy/modules/services/razor.if 2008-11-11 16:13:46.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/services/razor.if 2008-11-25 09:45:43.000000000 -0500
|
||||
|
|
@ -19423,7 +19477,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.1/policy/modules/services/sendmail.te
|
||||
--- nsaserefpolicy/policy/modules/services/sendmail.te 2008-11-25 09:01:08.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/services/sendmail.te 2008-11-25 10:40:18.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/services/sendmail.te 2009-01-04 12:51:01.000000000 -0500
|
||||
@@ -1,5 +1,5 @@
|
||||
|
||||
-policy_module(sendmail, 1.8.2)
|
||||
|
|
@ -19459,11 +19513,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
corenet_all_recvfrom_unlabeled(sendmail_t)
|
||||
corenet_all_recvfrom_netlabel(sendmail_t)
|
||||
@@ -64,24 +69,29 @@
|
||||
@@ -64,24 +69,30 @@
|
||||
|
||||
fs_getattr_all_fs(sendmail_t)
|
||||
fs_search_auto_mountpoints(sendmail_t)
|
||||
+fs_rw_anon_inodefs_files(sendmail_t)
|
||||
+fs_list_inotifyfs(sendmail_t)
|
||||
|
||||
term_dontaudit_use_console(sendmail_t)
|
||||
|
||||
|
|
@ -19489,7 +19544,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
auth_use_nsswitch(sendmail_t)
|
||||
|
||||
@@ -89,23 +99,38 @@
|
||||
@@ -89,23 +100,38 @@
|
||||
libs_read_lib_files(sendmail_t)
|
||||
|
||||
logging_send_syslog_msg(sendmail_t)
|
||||
|
|
@ -19530,7 +19585,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -113,13 +138,19 @@
|
||||
@@ -113,13 +139,19 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -19551,7 +19606,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -127,24 +158,29 @@
|
||||
@@ -127,24 +159,29 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -26456,7 +26511,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.1/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-11-13 18:40:02.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/system/userdomain.if 2008-12-27 06:28:18.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/system/userdomain.if 2009-01-04 13:57:22.000000000 -0500
|
||||
@@ -30,8 +30,9 @@
|
||||
')
|
||||
|
||||
|
|
@ -27133,7 +27188,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
#######################################
|
||||
@@ -722,15 +740,27 @@
|
||||
@@ -722,15 +740,29 @@
|
||||
|
||||
userdom_base_user_template($1)
|
||||
|
||||
|
|
@ -27148,26 +27203,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
- userdom_exec_user_home_content_files($1_t)
|
||||
+ userdom_manage_tmp_role($1_r, $1_usertype)
|
||||
+ userdom_manage_tmpfs_role($1_r, $1_usertype)
|
||||
+
|
||||
+ ifelse(`$1',`unconfined',`',`
|
||||
+ gen_tunable(allow_$1_exec_content, true)
|
||||
+
|
||||
+ tunable_policy(`allow_$1_exec_content',`
|
||||
+ userdom_exec_user_tmp_files($1_usertype)
|
||||
+ userdom_exec_user_home_content_files($1_usertype)
|
||||
+ ')
|
||||
+ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
|
||||
+ fs_exec_nfs_files($1_usertype)
|
||||
+ ')
|
||||
+
|
||||
+ tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
|
||||
+ fs_exec_cifs_files($1_usertype)
|
||||
+ ')
|
||||
+ ')
|
||||
|
||||
- userdom_change_password_template($1)
|
||||
+ gen_tunable(allow_$1_exec_content, true)
|
||||
+
|
||||
+ tunable_policy(`allow_$1_exec_content',`
|
||||
+ userdom_exec_user_tmp_files($1_usertype)
|
||||
+ userdom_exec_user_home_content_files($1_usertype)
|
||||
+ ')
|
||||
+
|
||||
+ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
|
||||
+ fs_exec_nfs_files($1_usertype)
|
||||
+ ')
|
||||
+
|
||||
+ tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
|
||||
+ fs_exec_cifs_files($1_usertype)
|
||||
+ ')
|
||||
|
||||
##############################
|
||||
#
|
||||
@@ -746,70 +776,72 @@
|
||||
@@ -746,70 +778,72 @@
|
||||
|
||||
allow $1_t self:context contains;
|
||||
|
||||
|
|
@ -27273,7 +27330,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
')
|
||||
|
||||
@@ -846,6 +878,28 @@
|
||||
@@ -846,6 +880,28 @@
|
||||
# Local policy
|
||||
#
|
||||
|
||||
|
|
@ -27302,7 +27359,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
optional_policy(`
|
||||
loadkeys_run($1_t,$1_r)
|
||||
')
|
||||
@@ -876,7 +930,7 @@
|
||||
@@ -876,7 +932,7 @@
|
||||
|
||||
userdom_restricted_user_template($1)
|
||||
|
||||
|
|
@ -27311,17 +27368,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
##############################
|
||||
#
|
||||
@@ -884,14 +938,18 @@
|
||||
@@ -884,14 +940,18 @@
|
||||
#
|
||||
|
||||
auth_role($1_r, $1_t)
|
||||
- auth_search_pam_console_data($1_t)
|
||||
+ auth_search_pam_console_data($1_usertype)
|
||||
+
|
||||
+ xserver_role($1_r, $1_t)
|
||||
|
||||
- dev_read_sound($1_t)
|
||||
- dev_write_sound($1_t)
|
||||
+ xserver_role($1_r, $1_t)
|
||||
+
|
||||
+ dev_read_sound($1_usertype)
|
||||
+ dev_write_sound($1_usertype)
|
||||
# gnome keyring wants to read this.
|
||||
|
|
@ -27335,7 +27392,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
logging_dontaudit_send_audit_msgs($1_t)
|
||||
|
||||
# Need to to this just so screensaver will work. Should be moved to screensaver domain
|
||||
@@ -899,28 +957,24 @@
|
||||
@@ -899,28 +959,24 @@
|
||||
selinux_get_enforce_mode($1_t)
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -27370,7 +27427,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
')
|
||||
|
||||
@@ -931,8 +985,7 @@
|
||||
@@ -931,8 +987,7 @@
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
|
|
@ -27380,7 +27437,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
## </p>
|
||||
## <p>
|
||||
## This template creates a user domain, types, and
|
||||
@@ -954,8 +1007,8 @@
|
||||
@@ -954,8 +1009,8 @@
|
||||
# Declarations
|
||||
#
|
||||
|
||||
|
|
@ -27390,7 +27447,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
userdom_common_user_template($1)
|
||||
|
||||
##############################
|
||||
@@ -964,11 +1017,10 @@
|
||||
@@ -964,11 +1019,10 @@
|
||||
#
|
||||
|
||||
# port access is audited even if dac would not have allowed it, so dontaudit it here
|
||||
|
|
@ -27403,7 +27460,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
# cjp: why?
|
||||
files_read_kernel_symbol_table($1_t)
|
||||
|
||||
@@ -986,37 +1038,43 @@
|
||||
@@ -986,37 +1040,43 @@
|
||||
')
|
||||
')
|
||||
|
||||
|
|
@ -27460,7 +27517,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
#######################################
|
||||
@@ -1050,7 +1108,7 @@
|
||||
@@ -1050,7 +1110,7 @@
|
||||
#
|
||||
template(`userdom_admin_user_template',`
|
||||
gen_require(`
|
||||
|
|
@ -27469,7 +27526,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
##############################
|
||||
@@ -1059,8 +1117,7 @@
|
||||
@@ -1059,8 +1119,7 @@
|
||||
#
|
||||
|
||||
# Inherit rules for ordinary users.
|
||||
|
|
@ -27479,7 +27536,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
domain_obj_id_change_exemption($1_t)
|
||||
role system_r types $1_t;
|
||||
@@ -1083,7 +1140,8 @@
|
||||
@@ -1083,7 +1142,8 @@
|
||||
# Skip authentication when pam_rootok is specified.
|
||||
allow $1_t self:passwd rootok;
|
||||
|
||||
|
|
@ -27489,7 +27546,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
kernel_read_software_raid_state($1_t)
|
||||
kernel_getattr_core_if($1_t)
|
||||
@@ -1106,8 +1164,6 @@
|
||||
@@ -1106,8 +1166,6 @@
|
||||
|
||||
dev_getattr_generic_blk_files($1_t)
|
||||
dev_getattr_generic_chr_files($1_t)
|
||||
|
|
@ -27498,7 +27555,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
# Allow MAKEDEV to work
|
||||
dev_create_all_blk_files($1_t)
|
||||
dev_create_all_chr_files($1_t)
|
||||
@@ -1162,20 +1218,6 @@
|
||||
@@ -1162,20 +1220,6 @@
|
||||
# But presently necessary for installing the file_contexts file.
|
||||
seutil_manage_bin_policy($1_t)
|
||||
|
||||
|
|
@ -27519,7 +27576,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
optional_policy(`
|
||||
postgresql_unconfined($1_t)
|
||||
')
|
||||
@@ -1221,6 +1263,7 @@
|
||||
@@ -1221,6 +1265,7 @@
|
||||
dev_relabel_all_dev_nodes($1)
|
||||
|
||||
files_create_boot_flag($1)
|
||||
|
|
@ -27527,7 +27584,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
# Necessary for managing /boot/efi
|
||||
fs_manage_dos_files($1)
|
||||
@@ -1286,11 +1329,15 @@
|
||||
@@ -1286,11 +1331,15 @@
|
||||
interface(`userdom_user_home_content',`
|
||||
gen_require(`
|
||||
type user_home_t;
|
||||
|
|
@ -27543,7 +27600,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1387,7 +1434,7 @@
|
||||
@@ -1387,7 +1436,7 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -27552,7 +27609,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1420,6 +1467,14 @@
|
||||
@@ -1420,6 +1469,14 @@
|
||||
|
||||
allow $1 user_home_dir_t:dir list_dir_perms;
|
||||
files_search_home($1)
|
||||
|
|
@ -27567,7 +27624,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1435,9 +1490,11 @@
|
||||
@@ -1435,9 +1492,11 @@
|
||||
interface(`userdom_dontaudit_list_user_home_dirs',`
|
||||
gen_require(`
|
||||
type user_home_dir_t;
|
||||
|
|
@ -27579,7 +27636,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1494,6 +1551,25 @@
|
||||
@@ -1494,6 +1553,25 @@
|
||||
allow $1 user_home_dir_t:dir relabelto;
|
||||
')
|
||||
|
||||
|
|
@ -27605,7 +27662,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
########################################
|
||||
## <summary>
|
||||
## Create directories in the home dir root with
|
||||
@@ -1547,9 +1623,9 @@
|
||||
@@ -1547,9 +1625,9 @@
|
||||
type user_home_dir_t, user_home_t;
|
||||
')
|
||||
|
||||
|
|
@ -27617,7 +27674,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1568,6 +1644,8 @@
|
||||
@@ -1568,6 +1646,8 @@
|
||||
')
|
||||
|
||||
dontaudit $1 user_home_t:dir search_dir_perms;
|
||||
|
|
@ -27626,7 +27683,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1643,6 +1721,7 @@
|
||||
@@ -1643,6 +1723,7 @@
|
||||
type user_home_dir_t, user_home_t;
|
||||
')
|
||||
|
||||
|
|
@ -27634,7 +27691,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
|
||||
files_search_home($1)
|
||||
')
|
||||
@@ -1741,6 +1820,62 @@
|
||||
@@ -1741,6 +1822,62 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -27697,7 +27754,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
## Execute user home files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1757,14 +1892,6 @@
|
||||
@@ -1757,14 +1894,6 @@
|
||||
|
||||
files_search_home($1)
|
||||
exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
|
||||
|
|
@ -27712,7 +27769,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1787,6 +1914,46 @@
|
||||
@@ -1787,6 +1916,46 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -27759,7 +27816,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
## Create, read, write, and delete files
|
||||
## in a user home subdirectory.
|
||||
## </summary>
|
||||
@@ -2819,6 +2986,24 @@
|
||||
@@ -2819,6 +2988,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -27784,7 +27841,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
## Do not audit attempts to use user ttys.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -2851,6 +3036,7 @@
|
||||
@@ -2851,6 +3038,7 @@
|
||||
')
|
||||
|
||||
read_files_pattern($1,userdomain,userdomain)
|
||||
|
|
@ -27792,7 +27849,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
kernel_search_proc($1)
|
||||
')
|
||||
|
||||
@@ -2965,6 +3151,24 @@
|
||||
@@ -2965,6 +3153,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -27817,7 +27874,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
## Send a dbus message to all user domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -2981,3 +3185,264 @@
|
||||
@@ -2981,3 +3187,264 @@
|
||||
|
||||
allow $1 userdomain:dbus send_msg;
|
||||
')
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
%define distro redhat
|
||||
%define distro redhat
|
||||
%define polyinstatiate n
|
||||
%define monolithic n
|
||||
%if %{?BUILD_TARGETED:0}%{!?BUILD_TARGETED:1}
|
||||
|
|
@ -20,7 +20,7 @@
|
|||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.6.1
|
||||
Release: 14%{?dist}
|
||||
Release: 15%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
|
|
@ -446,6 +446,9 @@ exit 0
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Sun Jan 4 2009 Dan Walsh <dwalsh@redhat.com> 3.6.1-15
|
||||
- Allow hal_acl_t to getattr/setattr fixed_disk
|
||||
|
||||
* Sat Dec 27 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-14
|
||||
- Change userdom_read_all_users_state to include reading symbolic links in /proc
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue