- Fix dhcpc startup of service
parent
bf33202534
commit
60a9ef60f0
@ -468,7 +468,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloa
|
||||
optional_policy(`
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.0.5/policy/modules/admin/consoletype.te
|
||||
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2007-07-25 10:37:43.000000000 -0400
|
||||
+++ serefpolicy-3.0.5/policy/modules/admin/consoletype.te 2007-08-07 09:39:49.000000000 -0400
|
||||
+++ serefpolicy-3.0.5/policy/modules/admin/consoletype.te 2007-08-10 15:47:06.000000000 -0400
|
||||
@@ -8,9 +8,11 @@
|
||||
|
||||
type consoletype_t;
|
||||
@ -504,6 +504,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console
|
||||
logrotate_dontaudit_use_fds(consoletype_t)
|
||||
')
|
||||
|
||||
@@ -114,3 +120,7 @@
|
||||
xen_dontaudit_rw_unix_stream_sockets(consoletype_t)
|
||||
xen_dontaudit_use_fds(consoletype_t)
|
||||
')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ unconfined_use_terminals(consoletype_t)
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-3.0.5/policy/modules/admin/kudzu.te
|
||||
--- nsaserefpolicy/policy/modules/admin/kudzu.te 2007-05-29 14:10:59.000000000 -0400
|
||||
+++ serefpolicy-3.0.5/policy/modules/admin/kudzu.te 2007-08-07 09:39:49.000000000 -0400
|
||||
@ -656,8 +664,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
|
||||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.0.5/policy/modules/admin/netutils.te
|
||||
--- nsaserefpolicy/policy/modules/admin/netutils.te 2007-07-25 10:37:43.000000000 -0400
|
||||
+++ serefpolicy-3.0.5/policy/modules/admin/netutils.te 2007-08-07 09:39:49.000000000 -0400
|
||||
@@ -113,6 +113,7 @@
|
||||
+++ serefpolicy-3.0.5/policy/modules/admin/netutils.te 2007-08-10 15:49:00.000000000 -0400
|
||||
@@ -94,9 +94,14 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ unconfined_dontaudit_use_terminals(netutils_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
xen_append_log(netutils_t)
|
||||
')
|
||||
|
||||
+
|
||||
########################################
|
||||
#
|
||||
# Ping local policy
|
||||
@@ -113,6 +118,7 @@
|
||||
corenet_tcp_sendrecv_all_if(ping_t)
|
||||
corenet_raw_sendrecv_all_if(ping_t)
|
||||
corenet_raw_sendrecv_all_nodes(ping_t)
|
||||
@ -3145,7 +3168,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.0.5/policy/modules/services/apache.if
|
||||
--- nsaserefpolicy/policy/modules/services/apache.if 2007-07-03 07:06:27.000000000 -0400
|
||||
+++ serefpolicy-3.0.5/policy/modules/services/apache.if 2007-08-07 09:39:49.000000000 -0400
|
||||
+++ serefpolicy-3.0.5/policy/modules/services/apache.if 2007-08-10 15:52:40.000000000 -0400
|
||||
@@ -18,10 +18,6 @@
|
||||
attribute httpd_script_exec_type;
|
||||
type httpd_t, httpd_suexec_t, httpd_log_t;
|
||||
@ -4997,7 +5020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.0.5/policy/modules/services/dbus.te
|
||||
--- nsaserefpolicy/policy/modules/services/dbus.te 2007-07-25 10:37:42.000000000 -0400
|
||||
+++ serefpolicy-3.0.5/policy/modules/services/dbus.te 2007-08-07 09:39:49.000000000 -0400
|
||||
+++ serefpolicy-3.0.5/policy/modules/services/dbus.te 2007-08-10 15:24:38.000000000 -0400
|
||||
@@ -23,6 +23,9 @@
|
||||
type system_dbusd_var_run_t;
|
||||
files_pid_file(system_dbusd_var_run_t)
|
||||
@ -5017,6 +5040,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
||||
manage_files_pattern(system_dbusd_t,system_dbusd_var_run_t,system_dbusd_var_run_t)
|
||||
manage_sock_files_pattern(system_dbusd_t,system_dbusd_var_run_t,system_dbusd_var_run_t)
|
||||
files_pid_filetrans(system_dbusd_t,system_dbusd_var_run_t,file)
|
||||
@@ -116,9 +121,18 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ rhgb_use_ptys(system_dbusd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
sysnet_domtrans_dhcpc(system_dbusd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
udev_read_db(system_dbusd_t)
|
||||
')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ unconfined_use_terminals(system_dbusd_t)
|
||||
+')
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.0.5/policy/modules/services/dhcp.te
|
||||
--- nsaserefpolicy/policy/modules/services/dhcp.te 2007-07-25 10:37:42.000000000 -0400
|
||||
+++ serefpolicy-3.0.5/policy/modules/services/dhcp.te 2007-08-07 09:39:49.000000000 -0400
|
||||
@ -5961,7 +6003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
|
||||
/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.0.5/policy/modules/services/networkmanager.te
|
||||
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-07-25 10:37:42.000000000 -0400
|
||||
+++ serefpolicy-3.0.5/policy/modules/services/networkmanager.te 2007-08-10 11:35:13.000000000 -0400
|
||||
+++ serefpolicy-3.0.5/policy/modules/services/networkmanager.te 2007-08-10 15:24:52.000000000 -0400
|
||||
@@ -41,6 +41,8 @@
|
||||
kernel_read_kernel_sysctls(NetworkManager_t)
|
||||
kernel_load_module(NetworkManager_t)
|
||||
@ -5983,14 +6025,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
|
||||
ppp_domtrans(NetworkManager_t)
|
||||
ppp_read_pid_files(NetworkManager_t)
|
||||
ppp_signal(NetworkManager_t)
|
||||
@@ -166,6 +173,7 @@
|
||||
@@ -166,8 +173,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ unconfined_rw_pipes(NetworkManager_t)
|
||||
# Read gnome-keyring
|
||||
unconfined_read_home_content_files(NetworkManager_t)
|
||||
+ unconfined_use_terminals(NetworkManager_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.0.5/policy/modules/services/nis.fc
|
||||
--- nsaserefpolicy/policy/modules/services/nis.fc 2007-05-29 14:10:57.000000000 -0400
|
||||
+++ serefpolicy-3.0.5/policy/modules/services/nis.fc 2007-08-07 09:39:49.000000000 -0400
|
||||
@ -6133,6 +6178,51 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
|
||||
+/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
|
||||
+/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.0.5/policy/modules/services/ntp.if
|
||||
--- nsaserefpolicy/policy/modules/services/ntp.if 2007-05-29 14:10:57.000000000 -0400
|
||||
+++ serefpolicy-3.0.5/policy/modules/services/ntp.if 2007-08-10 15:57:31.000000000 -0400
|
||||
@@ -53,3 +53,41 @@
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1,ntpdate_exec_t,ntpd_t)
|
||||
')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Allow the specified domain to manage
|
||||
+## ntp pid file
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`ntp_manage_pid',`
|
||||
+ gen_require(`
|
||||
+ type ntpd_var_run_t;
|
||||
+ ')
|
||||
+ manage_files_pattern($1,ntpd_var_run_t,ntpd_var_run_t)
|
||||
+ files_pid_filetrans($1,ntpd_var_run_t,file)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Send generic signals to the ntp domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`ntp_signal',`
|
||||
+ gen_require(`
|
||||
+ type ntpd_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 ntpd_t:process signal;
|
||||
+')
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.0.5/policy/modules/services/ntp.te
|
||||
--- nsaserefpolicy/policy/modules/services/ntp.te 2007-07-25 10:37:42.000000000 -0400
|
||||
+++ serefpolicy-3.0.5/policy/modules/services/ntp.te 2007-08-07 09:39:49.000000000 -0400
|
||||
@ -7373,6 +7463,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
|
||||
+ allow $1 sendmail_t:process signal;
|
||||
+')
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.0.5/policy/modules/services/sendmail.te
|
||||
--- nsaserefpolicy/policy/modules/services/sendmail.te 2007-07-25 10:37:42.000000000 -0400
|
||||
+++ serefpolicy-3.0.5/policy/modules/services/sendmail.te 2007-08-10 13:14:09.000000000 -0400
|
||||
@@ -130,6 +130,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ rhgb_use_ptys(sendmail_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
seutil_sigchld_newrole(sendmail_t)
|
||||
')
|
||||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.0.5/policy/modules/services/setroubleshoot.if
|
||||
--- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2007-05-29 14:10:57.000000000 -0400
|
||||
+++ serefpolicy-3.0.5/policy/modules/services/setroubleshoot.if 2007-08-07 09:39:49.000000000 -0400
|
||||
@ -9912,7 +10016,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
|
||||
/var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.0.5/policy/modules/system/modutils.te
|
||||
--- nsaserefpolicy/policy/modules/system/modutils.te 2007-07-25 10:37:42.000000000 -0400
|
||||
+++ serefpolicy-3.0.5/policy/modules/system/modutils.te 2007-08-07 09:39:49.000000000 -0400
|
||||
+++ serefpolicy-3.0.5/policy/modules/system/modutils.te 2007-08-10 14:08:13.000000000 -0400
|
||||
@@ -42,7 +42,7 @@
|
||||
# insmod local policy
|
||||
#
|
||||
@ -9975,7 +10079,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
|
||||
hotplug_search_config(insmod_t)
|
||||
')
|
||||
|
||||
@@ -149,6 +163,7 @@
|
||||
@@ -149,10 +163,12 @@
|
||||
|
||||
optional_policy(`
|
||||
rpm_rw_pipes(insmod_t)
|
||||
@ -9983,7 +10087,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -179,6 +194,7 @@
|
||||
unconfined_dontaudit_rw_pipes(insmod_t)
|
||||
+ unconfined_dontaudit_use_terminals(insmod_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -179,6 +195,7 @@
|
||||
|
||||
files_read_kernel_symbol_table(depmod_t)
|
||||
files_read_kernel_modules(depmod_t)
|
||||
@ -9991,7 +10100,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
|
||||
|
||||
fs_getattr_xattr_fs(depmod_t)
|
||||
|
||||
@@ -205,9 +221,12 @@
|
||||
@@ -205,9 +222,12 @@
|
||||
userdom_read_staff_home_content_files(depmod_t)
|
||||
userdom_read_sysadm_home_content_files(depmod_t)
|
||||
|
||||
@ -10738,7 +10847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.5/policy/modules/system/unconfined.if
|
||||
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-06-15 14:54:34.000000000 -0400
|
||||
+++ serefpolicy-3.0.5/policy/modules/system/unconfined.if 2007-08-07 09:39:49.000000000 -0400
|
||||
+++ serefpolicy-3.0.5/policy/modules/system/unconfined.if 2007-08-10 15:24:16.000000000 -0400
|
||||
@@ -12,14 +12,13 @@
|
||||
#
|
||||
interface(`unconfined_domain_noaudit',`
|
||||
@ -11119,7 +11228,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
||||
+corecmd_exec_all_executables(unconfined_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.5/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-07-03 07:06:32.000000000 -0400
|
||||
+++ serefpolicy-3.0.5/policy/modules/system/userdomain.if 2007-08-10 11:57:57.000000000 -0400
|
||||
+++ serefpolicy-3.0.5/policy/modules/system/userdomain.if 2007-08-10 13:44:41.000000000 -0400
|
||||
@@ -62,6 +62,10 @@
|
||||
|
||||
allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
|
||||
@ -11679,14 +11788,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
domain_interactive_fd($1_t)
|
||||
|
||||
typeattribute $1_devpts_t user_ptynode;
|
||||
@@ -985,15 +1051,53 @@
|
||||
@@ -985,15 +1051,51 @@
|
||||
typeattribute $1_tmp_t user_tmpfile;
|
||||
typeattribute $1_tty_device_t user_ttynode;
|
||||
|
||||
- userdom_poly_home_template($1)
|
||||
- userdom_poly_tmp_template($1)
|
||||
+ auth_exec_pam($1_t)
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ loadkeys_run($1_t,$1_r,$1_tty_device_t)
|
||||
+ ')
|
||||
@ -11737,7 +11844,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
|
||||
# port access is audited even if dac would not have allowed it, so dontaudit it here
|
||||
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
|
||||
@@ -1024,20 +1128,12 @@
|
||||
@@ -1024,20 +1126,12 @@
|
||||
kernel_dontaudit_read_ring_buffer($1_t)
|
||||
')
|
||||
|
||||
@ -11764,7 +11871,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -1054,17 +1150,6 @@
|
||||
@@ -1054,17 +1148,6 @@
|
||||
setroubleshoot_stream_connect($1_t)
|
||||
')
|
||||
|
||||
@ -11782,7 +11889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -1102,6 +1187,8 @@
|
||||
@@ -1102,6 +1185,8 @@
|
||||
class passwd { passwd chfn chsh rootok crontab };
|
||||
')
|
||||
|
||||
@ -11791,7 +11898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
##############################
|
||||
#
|
||||
# Declarations
|
||||
@@ -1127,7 +1214,7 @@
|
||||
@@ -1127,7 +1212,7 @@
|
||||
# $1_t local policy
|
||||
#
|
||||
|
||||
@ -11800,7 +11907,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
allow $1_t self:process { setexec setfscreate };
|
||||
|
||||
# Set password information for other users.
|
||||
@@ -1139,7 +1226,11 @@
|
||||
@@ -1139,7 +1224,11 @@
|
||||
# Manipulate other users crontab.
|
||||
allow $1_t self:passwd crontab;
|
||||
|
||||
@ -11813,7 +11920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
|
||||
kernel_read_software_raid_state($1_t)
|
||||
kernel_getattr_core_if($1_t)
|
||||
@@ -1902,6 +1993,41 @@
|
||||
@@ -1902,6 +1991,41 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -11855,7 +11962,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
## Do not audit attempts to set the
|
||||
## attributes of user home files.
|
||||
## </summary>
|
||||
@@ -3078,7 +3204,7 @@
|
||||
@@ -3078,7 +3202,7 @@
|
||||
#
|
||||
template(`userdom_tmp_filetrans_user_tmp',`
|
||||
gen_require(`
|
||||
@ -11864,7 +11971,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
files_tmp_filetrans($2,$1_tmp_t,$3)
|
||||
@@ -5323,7 +5449,7 @@
|
||||
@@ -5323,7 +5447,7 @@
|
||||
attribute user_tmpfile;
|
||||
')
|
||||
|
||||
@ -11873,7 +11980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -5559,3 +5685,280 @@
|
||||
@@ -5559,3 +5683,280 @@
|
||||
interface(`userdom_unconfined',`
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
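Review bot: The `unconfined_use_terminals(...)` calls in the consoletype.te, dbus.te and networkmanager.te hunks allow `consoletype_t`, `system_dbusd_t` and `NetworkManager_t` to use the unconfined user's terminals, while the netutils.te and modutils.te hunks only silence the denial with `unconfined_dontaudit_use_terminals(netutils_t)` and `unconfined_dontaudit_use_terminals(insmod_t)`. The interface bodies are not visible here and the page has lost the outer +/- column, so which of these lines are new in this commit is inferred from the changed timestamps and hunk counts. If these daemons merely inherit the tty from the shell that starts the service and never need to read or write it, `unconfined_dontaudit_use_terminals(system_dbusd_t)` (and likewise for `NetworkManager_t`) would be the least-privilege form. Where the allow is genuinely required, a one-line comment above each call, such as `# inherits the tty of the unconfined shell that starts the service`, would record why, since the commit message mentions only dhcpc startup.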
|
@ -17,7 +17,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.0.5
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}
|
||||
License: GPL
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -360,6 +360,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Aug 10 2007 Dan Walsh <dwalsh@redhat.com> 3.0.5-5
|
||||
- Fix dhcpc startup of service
|
||||
|
||||
* Fri Aug 10 2007 Dan Walsh <dwalsh@redhat.com> 3.0.5-4
|
||||
- Fix dbus chat to not happen for xguest and guest users
|
||||
|
||||
|