- Allow sendmail to create etc_aliases_t
parent
bea5486254
commit
601f0f04ee
@ -3164,7 +3164,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0)
|
+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.0.7/policy/modules/services/apache.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.0.7/policy/modules/services/apache.if
|
||||||
--- nsaserefpolicy/policy/modules/services/apache.if 2007-08-22 07:14:07.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/apache.if 2007-08-22 07:14:07.000000000 -0400
|
||||||
+++ serefpolicy-3.0.7/policy/modules/services/apache.if 2007-09-05 07:16:31.000000000 -0400
|
+++ serefpolicy-3.0.7/policy/modules/services/apache.if 2007-09-05 22:22:33.000000000 -0400
|
||||||
@@ -18,10 +18,6 @@
|
@@ -18,10 +18,6 @@
|
||||||
attribute httpd_script_exec_type;
|
attribute httpd_script_exec_type;
|
||||||
type httpd_t, httpd_suexec_t, httpd_log_t;
|
type httpd_t, httpd_suexec_t, httpd_log_t;
|
||||||
@ -3409,7 +3409,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -1013,46 +1047,143 @@
|
@@ -1013,46 +1047,141 @@
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -3554,8 +3554,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
+ # Allow $1 to restart the apache service
|
+ # Allow $1 to restart the apache service
|
||||||
+ apache_script_domtrans($1)
|
+ apache_script_domtrans($1)
|
||||||
+ domain_system_change_exemption($1)
|
+ domain_system_change_exemption($1)
|
||||||
+ domain_role_change_exemption($1)
|
|
||||||
+ domain_obj_id_change_exemption($1)
|
|
||||||
+ role_transition $2 httpd_script_exec_t system_r;
|
+ role_transition $2 httpd_script_exec_t system_r;
|
||||||
+ allow $2 system_r;
|
+ allow $2 system_r;
|
||||||
+
|
+
|
||||||
@ -6184,8 +6182,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
|
|||||||
+/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_script_exec_t,s0)
|
+/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_script_exec_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.0.7/policy/modules/services/mysql.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.0.7/policy/modules/services/mysql.if
|
||||||
--- nsaserefpolicy/policy/modules/services/mysql.if 2007-05-29 14:10:57.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/mysql.if 2007-05-29 14:10:57.000000000 -0400
|
||||||
+++ serefpolicy-3.0.7/policy/modules/services/mysql.if 2007-09-04 16:56:14.000000000 -0400
|
+++ serefpolicy-3.0.7/policy/modules/services/mysql.if 2007-09-05 22:11:26.000000000 -0400
|
||||||
@@ -157,3 +157,80 @@
|
@@ -157,3 +157,79 @@
|
||||||
logging_search_logs($1)
|
logging_search_logs($1)
|
||||||
allow $1 mysqld_log_t:file { write append setattr ioctl };
|
allow $1 mysqld_log_t:file { write append setattr ioctl };
|
||||||
')
|
')
|
||||||
@ -6241,13 +6239,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
|
|||||||
+ type mysqld_script_exec_t;
|
+ type mysqld_script_exec_t;
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ allow $1 mysqld_t:process { ptrace signal_perms };
|
+ allow $1 mysqld_t:process { ptrace signal_perms getattr };
|
||||||
|
+ read_files_pattern($1, mysqld_t, mysqld_t)
|
||||||
+
|
+
|
||||||
+ # Allow $1 to restart the apache service
|
+ # Allow $1 to restart the apache service
|
||||||
+ mysql_script_domtrans($1)
|
+ mysql_script_domtrans($1)
|
||||||
+ domain_role_change_exemption($1)
|
|
||||||
+ domain_system_change_exemption($1)
|
+ domain_system_change_exemption($1)
|
||||||
+ domain_obj_id_change_exemption($1)
|
|
||||||
+ role_transition $2 mysqld_script_exec_t system_r;
|
+ role_transition $2 mysqld_script_exec_t system_r;
|
||||||
+ allow $2 system_r;
|
+ allow $2 system_r;
|
||||||
+
|
+
|
||||||
@ -7324,8 +7321,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
|||||||
+/etc/rc\.d/init\.d/postgresql -- gen_context(system_u:object_r:postgresql_script_exec_t,s0)
|
+/etc/rc\.d/init\.d/postgresql -- gen_context(system_u:object_r:postgresql_script_exec_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.0.7/policy/modules/services/postgresql.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.0.7/policy/modules/services/postgresql.if
|
||||||
--- nsaserefpolicy/policy/modules/services/postgresql.if 2007-05-29 14:10:57.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/postgresql.if 2007-05-29 14:10:57.000000000 -0400
|
||||||
+++ serefpolicy-3.0.7/policy/modules/services/postgresql.if 2007-09-05 15:13:11.000000000 -0400
|
+++ serefpolicy-3.0.7/policy/modules/services/postgresql.if 2007-09-05 22:13:10.000000000 -0400
|
||||||
@@ -113,3 +113,78 @@
|
@@ -113,3 +113,77 @@
|
||||||
# Some versions of postgresql put the sock file in /tmp
|
# Some versions of postgresql put the sock file in /tmp
|
||||||
allow $1 postgresql_tmp_t:sock_file write;
|
allow $1 postgresql_tmp_t:sock_file write;
|
||||||
')
|
')
|
||||||
@ -7379,13 +7376,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
|||||||
+ type postgresql_log_t;
|
+ type postgresql_log_t;
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ allow $1 postgresql_t:process { ptrace signal_perms };
|
+ allow $1 postgresql_t:process { ptrace signal_perms getattr };
|
||||||
|
+ read_files_pattern($1, postgresql_t, postgresql_t)
|
||||||
+
|
+
|
||||||
+ # Allow $1 to restart the apache service
|
+ # Allow $1 to restart the apache service
|
||||||
+ postgresql_script_domtrans($1)
|
+ postgresql_script_domtrans($1)
|
||||||
+ domain_system_change_exemption($1)
|
+ domain_system_change_exemption($1)
|
||||||
+ domain_role_change_exemption($1)
|
|
||||||
+ domain_obj_id_change_exemption($1)
|
|
||||||
+ role_transition $2 postgresql_script_exec_t system_r;
|
+ role_transition $2 postgresql_script_exec_t system_r;
|
||||||
+ allow $2 system_r;
|
+ allow $2 system_r;
|
||||||
+
|
+
|
||||||
@ -10347,7 +10343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.0.7/policy/modules/system/init.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.0.7/policy/modules/system/init.te
|
||||||
--- nsaserefpolicy/policy/modules/system/init.te 2007-08-22 07:14:12.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/init.te 2007-08-22 07:14:12.000000000 -0400
|
||||||
+++ serefpolicy-3.0.7/policy/modules/system/init.te 2007-09-04 12:01:50.000000000 -0400
|
+++ serefpolicy-3.0.7/policy/modules/system/init.te 2007-09-05 22:21:18.000000000 -0400
|
||||||
@@ -10,6 +10,20 @@
|
@@ -10,6 +10,20 @@
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
@ -10418,7 +10414,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
|||||||
|
|
||||||
manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t)
|
manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t)
|
||||||
manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
|
manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
|
||||||
@@ -496,6 +511,39 @@
|
@@ -496,6 +511,43 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -10449,8 +10445,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
|||||||
+
|
+
|
||||||
+ tunable_policy(`allow_daemons_use_tty',`
|
+ tunable_policy(`allow_daemons_use_tty',`
|
||||||
+ unconfined_use_terminals(daemon)
|
+ unconfined_use_terminals(daemon)
|
||||||
|
+ term_use_all_user_ttys(daemon)
|
||||||
|
+ term_use_all_user_ptys(daemon)
|
||||||
+ ', `
|
+ ', `
|
||||||
+ unconfined_dontaudit_use_terminals(daemon)
|
+ unconfined_dontaudit_use_terminals(daemon)
|
||||||
|
+ term_dontaudit_use_all_user_ttys(daemon)
|
||||||
|
+ term_dontaudit_use_all_user_ptys(daemon)
|
||||||
+ ')
|
+ ')
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
@ -10458,7 +10458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
|||||||
amavis_search_lib(initrc_t)
|
amavis_search_lib(initrc_t)
|
||||||
amavis_setattr_pid_files(initrc_t)
|
amavis_setattr_pid_files(initrc_t)
|
||||||
')
|
')
|
||||||
@@ -631,12 +679,6 @@
|
@@ -631,12 +683,6 @@
|
||||||
mta_read_config(initrc_t)
|
mta_read_config(initrc_t)
|
||||||
mta_dontaudit_read_spool_symlinks(initrc_t)
|
mta_dontaudit_read_spool_symlinks(initrc_t)
|
||||||
')
|
')
|
||||||
@ -10471,7 +10471,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
ifdef(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
@@ -702,6 +744,9 @@
|
@@ -702,6 +748,9 @@
|
||||||
|
|
||||||
# why is this needed:
|
# why is this needed:
|
||||||
rpm_manage_db(initrc_t)
|
rpm_manage_db(initrc_t)
|
||||||
@ -10720,7 +10720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||||||
+/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_script_exec_t,s0)
|
+/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_script_exec_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.0.7/policy/modules/system/logging.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.0.7/policy/modules/system/logging.if
|
||||||
--- nsaserefpolicy/policy/modules/system/logging.if 2007-06-15 14:54:34.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/logging.if 2007-06-15 14:54:34.000000000 -0400
|
||||||
+++ serefpolicy-3.0.7/policy/modules/system/logging.if 2007-09-04 17:01:26.000000000 -0400
|
+++ serefpolicy-3.0.7/policy/modules/system/logging.if 2007-09-05 22:22:05.000000000 -0400
|
||||||
@@ -33,8 +33,13 @@
|
@@ -33,8 +33,13 @@
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -11014,12 +11014,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||||||
+ type auditd_var_run_t;
|
+ type auditd_var_run_t;
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ allow $1 auditd_t:process { ptrace signal_perms };
|
+ allow $1 auditd_t:process { ptrace signal_perms getattr };
|
||||||
|
+ read_files_pattern($1, auditd_t, auditd_t)
|
||||||
|
+
|
||||||
+ # Allow $1 to restart the apache service
|
+ # Allow $1 to restart the apache service
|
||||||
+ audit_script_domtrans($1)
|
+ audit_script_domtrans($1)
|
||||||
+ domain_role_change_exemption($1)
|
|
||||||
+ domain_system_change_exemption($1)
|
+ domain_system_change_exemption($1)
|
||||||
+ domain_obj_id_change_exemption($1)
|
|
||||||
+ role_transition $2 audit_script_exec_t system_r;
|
+ role_transition $2 audit_script_exec_t system_r;
|
||||||
+ allow $2 system_r;
|
+ allow $2 system_r;
|
||||||
+
|
+
|
||||||
@ -11068,14 +11068,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||||||
+ type var_log_t;
|
+ type var_log_t;
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ allow $1 syslogd_t:process { ptrace signal_perms };
|
+ allow $1 syslogd_t:process { ptrace signal_perms getattr };
|
||||||
+ allow $1 klogd_t:process { ptrace signal_perms };
|
+ allow $1 klogd_t:process { ptrace signal_perms getattr };
|
||||||
|
+ read_files_pattern($1, syslogd_t, syslogd_t)
|
||||||
|
+ read_files_pattern($1, klogd_t, klogd_t)
|
||||||
+
|
+
|
||||||
+ # Allow $1 to restart the apache service
|
+ # Allow $1 to restart the apache service
|
||||||
+ syslog_script_domtrans($1)
|
+ syslog_script_domtrans($1)
|
||||||
+ domain_role_change_exemption($1)
|
|
||||||
+ domain_system_change_exemption($1)
|
+ domain_system_change_exemption($1)
|
||||||
+ domain_obj_id_change_exemption($1)
|
|
||||||
+ role_transition $2 syslog_script_exec_t system_r;
|
+ role_transition $2 syslog_script_exec_t system_r;
|
||||||
+ allow $2 system_r;
|
+ allow $2 system_r;
|
||||||
+
|
+
|
||||||
@ -12585,7 +12585,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
|
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.7/policy/modules/system/userdomain.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.7/policy/modules/system/userdomain.if
|
||||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400
|
||||||
+++ serefpolicy-3.0.7/policy/modules/system/userdomain.if 2007-09-04 16:56:00.000000000 -0400
|
+++ serefpolicy-3.0.7/policy/modules/system/userdomain.if 2007-09-05 22:07:53.000000000 -0400
|
||||||
|
@@ -45,7 +45,7 @@
|
||||||
|
type $1_tty_device_t;
|
||||||
|
term_user_tty($1_t,$1_tty_device_t)
|
||||||
|
|
||||||
|
- allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession };
|
||||||
|
+ allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
|
||||||
|
allow $1_t self:fd use;
|
||||||
|
allow $1_t self:fifo_file rw_fifo_file_perms;
|
||||||
|
allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||||
@@ -62,6 +62,10 @@
|
@@ -62,6 +62,10 @@
|
||||||
|
|
||||||
allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
|
allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
|
||||||
@ -14025,7 +14034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.
|
|||||||
+## <summary>Policy for webadm user</summary>
|
+## <summary>Policy for webadm user</summary>
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.0.7/policy/modules/users/webadm.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.0.7/policy/modules/users/webadm.te
|
||||||
--- nsaserefpolicy/policy/modules/users/webadm.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/users/webadm.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.0.7/policy/modules/users/webadm.te 2007-08-31 15:27:24.000000000 -0400
|
+++ serefpolicy-3.0.7/policy/modules/users/webadm.te 2007-09-05 21:49:04.000000000 -0400
|
||||||
@@ -0,0 +1,42 @@
|
@@ -0,0 +1,42 @@
|
||||||
+policy_module(webadm,1.0.0)
|
+policy_module(webadm,1.0.0)
|
||||||
+
|
+
|
||||||
|
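Review bot: The rewritten `allow $1 auditd_t:process { ptrace signal_perms getattr };` line, and the matching lines for `syslogd_t`, `klogd_t`, `mysqld_t` and `postgresql_t`, keep `ptrace` in blocks whose only visible comment is about restarting the service, so the delegated admin domain is permitted to trace the audit and syslog daemons rather than just signal them. Unless tracing is a stated requirement, narrow these to `allow $1 auditd_t:process { signal_perms getattr };` and put debugging access behind a separate, explicitly named interface. The comment `# Allow $1 to restart the apache service` is repeated unchanged in the mysql, postgresql, audit and syslog blocks and should name the right service, e.g. `# Allow $1 to restart the mysqld service`. In init.te, the added `term_use_all_user_ttys(daemon)` and `term_use_all_user_ptys(daemon)` give every domain with the `daemon` attribute access to all user terminals when `allow_daemons_use_tty` is on, which the tunable's description should say. The enclosing interfaces start and end outside these hunks, so their full parameter documentation is not visible here.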
@ -194,8 +194,8 @@ make clean
|
|||||||
%if %{BUILD_TARGETED}
|
%if %{BUILD_TARGETED}
|
||||||
# Build targeted policy
|
# Build targeted policy
|
||||||
# Commented out because only targeted ref policy currently builds
|
# Commented out because only targeted ref policy currently builds
|
||||||
%setupCmds targeted mcs n y
|
%setupCmds targeted mcs y y
|
||||||
%installCmds targeted mcs n y
|
%installCmds targeted mcs y y
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{BUILD_MLS}
|
%if %{BUILD_MLS}
|
||||||
@ -207,8 +207,8 @@ make clean
|
|||||||
%if %{BUILD_OLPC}
|
%if %{BUILD_OLPC}
|
||||||
# Build targeted policy
|
# Build targeted policy
|
||||||
# Commented out because only targeted ref policy currently builds
|
# Commented out because only targeted ref policy currently builds
|
||||||
%setupCmds olpc mcs n y
|
%setupCmds olpc mcs y y
|
||||||
%installCmds olpc mcs n y
|
%installCmds olpc mcs y y
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
make NAME=targeted TYPE=targeted-mcs DISTRO=%{distro} DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs
|
make NAME=targeted TYPE=targeted-mcs DISTRO=%{distro} DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs
|
||||||
|
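Review bot: The third argument of `%setupCmds` and `%installCmds` changes from `n` to `y` for both the targeted and olpc builds, but the commit title mentions only sendmail and nothing here explains the change. The macro definitions are outside this view; if that argument is what feeds `DIRECT_INITRC`, the unchanged trailing `make NAME=targeted ... DIRECT_INITRC=n ... install-headers install-docs` line now installs headers with a different setting than the policy was built with, and one of the two should be aligned. A short comment above the calls, e.g. `# args: name type direct_initrc poly` (names to be confirmed against the macro), would make the positional flags reviewable. The `# Build targeted policy` and `# Commented out because only targeted ref policy currently builds` comments under `%if %{BUILD_OLPC}` also look copied from the targeted block and no longer describe the code.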