- Allow cupsd_t to create link files in print_spool_t
This commit is contained in:
Daniel J Walsh
parent
4a0aac139f
commit
6203f422e2
@ -6501,8 +6501,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.12/policy/modules/roles/unconfineduser.fc
|
||||
--- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.fc 2009-04-09 04:44:48.000000000 -0400
|
||||
@@ -0,0 +1,30 @@
|
||||
+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.fc 2009-04-15 10:01:33.000000000 -0400
|
||||
@@ -0,0 +1,32 @@
|
||||
+# Add programs here which should not be confined by SELinux
|
||||
+# e.g.:
|
||||
+# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
|
||||
@ -6522,6 +6522,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
+/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
||||
+/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
||||
+/usr/lib/opera/[^/]*/works -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
||||
+/usr/lib/opera/[^/]*/opera -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
||||
+
|
||||
+/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
||||
+/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
||||
@ -7177,8 +7179,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te
|
||||
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te 2009-04-09 05:43:27.000000000 -0400
|
||||
@@ -0,0 +1,402 @@
|
||||
+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te 2009-04-16 10:03:34.000000000 -0400
|
||||
@@ -0,0 +1,403 @@
|
||||
+policy_module(unconfineduser, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -7267,6 +7269,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
+init_run_daemon(unconfined_t, unconfined_r)
|
||||
+init_domtrans_script(unconfined_t)
|
||||
+init_chat(unconfined_t)
|
||||
+
|
||||
+libs_run_ldconfig(unconfined_t, unconfined_r)
|
||||
+
|
||||
@ -12859,7 +12862,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.12/policy/modules/services/exim.te
|
||||
--- nsaserefpolicy/policy/modules/services/exim.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/exim.te 2009-04-07 16:01:44.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/exim.te 2009-04-15 08:33:18.000000000 -0400
|
||||
@@ -21,9 +21,20 @@
|
||||
## </desc>
|
||||
gen_tunable(exim_manage_user_files, false)
|
||||
@ -14346,8 +14349,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.12/policy/modules/services/lircd.te
|
||||
--- nsaserefpolicy/policy/modules/services/lircd.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/lircd.te 2009-04-07 16:01:44.000000000 -0400
|
||||
@@ -0,0 +1,55 @@
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/lircd.te 2009-04-16 09:47:17.000000000 -0400
|
||||
@@ -0,0 +1,58 @@
|
||||
+policy_module(lircd,1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -14393,6 +14396,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+# /dev/lircd socket
|
||||
+manage_sock_files_pattern(lircd_t, lircd_sock_t, lircd_sock_t)
|
||||
+dev_filetrans(lircd_t, lircd_sock_t, sock_file )
|
||||
+dev_read_generic_usb_dev(lircd_t)
|
||||
+
|
||||
+logging_send_syslog_msg(lircd_t)
|
||||
+
|
||||
@ -14401,8 +14405,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+files_manage_generic_locks(lircd_t)
|
||||
+files_read_all_locks(lircd_t)
|
||||
+
|
||||
+fs_list_inotifyfs(lircd_t)
|
||||
+
|
||||
+miscfiles_read_localization(lircd_t)
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-3.6.12/policy/modules/services/lpd.if
|
||||
--- nsaserefpolicy/policy/modules/services/lpd.if 2009-01-05 15:39:43.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/lpd.if 2009-04-15 17:56:28.000000000 -0400
|
||||
@@ -134,6 +134,7 @@
|
||||
files_search_spool($1)
|
||||
manage_dirs_pattern($1, print_spool_t, print_spool_t)
|
||||
manage_files_pattern($1, print_spool_t, print_spool_t)
|
||||
+ manage_lnk_files_pattern($1, print_spool_t, print_spool_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.6.12/policy/modules/services/mailman.fc
|
||||
--- nsaserefpolicy/policy/modules/services/mailman.fc 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/mailman.fc 2009-04-07 16:01:44.000000000 -0400
|
||||
@ -17791,7 +17808,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.12/policy/modules/services/postfix.te
|
||||
--- nsaserefpolicy/policy/modules/services/postfix.te 2009-01-19 11:07:34.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/postfix.te 2009-04-13 11:44:30.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/postfix.te 2009-04-15 08:35:07.000000000 -0400
|
||||
@@ -6,6 +6,15 @@
|
||||
# Declarations
|
||||
#
|
||||
@ -17870,7 +17887,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
allow postfix_master_t postfix_etc_t:file rw_file_perms;
|
||||
|
||||
@@ -142,6 +159,7 @@
|
||||
@@ -132,6 +149,7 @@
|
||||
# allow access to deferred queue and allow removing bogus incoming entries
|
||||
manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
|
||||
manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
|
||||
+files_spool_filetrans(postfix_master_t, postfix_spool_t, dir)
|
||||
|
||||
allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
|
||||
allow postfix_master_t postfix_spool_bounce_t:file getattr;
|
||||
@@ -142,6 +160,7 @@
|
||||
|
||||
delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
|
||||
rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
|
||||
@ -17878,7 +17903,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
kernel_read_all_sysctls(postfix_master_t)
|
||||
|
||||
@@ -153,6 +171,9 @@
|
||||
@@ -153,6 +172,9 @@
|
||||
corenet_udp_sendrecv_generic_node(postfix_master_t)
|
||||
corenet_tcp_sendrecv_all_ports(postfix_master_t)
|
||||
corenet_udp_sendrecv_all_ports(postfix_master_t)
|
||||
@ -17888,7 +17913,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
corenet_tcp_bind_generic_node(postfix_master_t)
|
||||
corenet_tcp_bind_amavisd_send_port(postfix_master_t)
|
||||
corenet_tcp_bind_smtp_port(postfix_master_t)
|
||||
@@ -170,6 +191,8 @@
|
||||
@@ -170,6 +192,8 @@
|
||||
domain_use_interactive_fds(postfix_master_t)
|
||||
|
||||
files_read_usr_files(postfix_master_t)
|
||||
@ -17897,7 +17922,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
term_dontaudit_search_ptys(postfix_master_t)
|
||||
|
||||
@@ -181,15 +204,14 @@
|
||||
@@ -181,15 +205,14 @@
|
||||
|
||||
mta_rw_aliases(postfix_master_t)
|
||||
mta_read_sendmail_bin(postfix_master_t)
|
||||
@ -17917,7 +17942,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -202,9 +224,29 @@
|
||||
@@ -202,9 +225,29 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -17947,7 +17972,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
########################################
|
||||
#
|
||||
# Postfix bounce local policy
|
||||
@@ -245,6 +287,10 @@
|
||||
@@ -219,6 +262,7 @@
|
||||
manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
|
||||
manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
|
||||
manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
|
||||
+files_spool_filetrans(postfix_bounce_t, postfix_spool_t, dir)
|
||||
|
||||
manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
|
||||
manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
|
||||
@@ -240,11 +284,16 @@
|
||||
manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
|
||||
manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
|
||||
manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
|
||||
+files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir)
|
||||
|
||||
allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
|
||||
|
||||
corecmd_exec_bin(postfix_cleanup_t)
|
||||
|
||||
@ -17958,7 +17997,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
########################################
|
||||
#
|
||||
# Postfix local local policy
|
||||
@@ -270,18 +316,29 @@
|
||||
@@ -270,18 +319,29 @@
|
||||
|
||||
files_read_etc_files(postfix_local_t)
|
||||
|
||||
@ -17988,7 +18027,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -292,8 +349,7 @@
|
||||
@@ -292,8 +352,7 @@
|
||||
#
|
||||
# Postfix map local policy
|
||||
#
|
||||
@ -17998,7 +18037,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow postfix_map_t self:unix_dgram_socket create_socket_perms;
|
||||
allow postfix_map_t self:tcp_socket create_stream_socket_perms;
|
||||
@@ -340,10 +396,6 @@
|
||||
@@ -340,10 +399,6 @@
|
||||
|
||||
miscfiles_read_localization(postfix_map_t)
|
||||
|
||||
@ -18009,7 +18048,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
tunable_policy(`read_default_t',`
|
||||
files_list_default(postfix_map_t)
|
||||
files_read_default_files(postfix_map_t)
|
||||
@@ -356,6 +408,11 @@
|
||||
@@ -356,6 +411,11 @@
|
||||
locallogin_dontaudit_use_fds(postfix_map_t)
|
||||
')
|
||||
|
||||
@ -18021,7 +18060,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
########################################
|
||||
#
|
||||
# Postfix pickup local policy
|
||||
@@ -380,6 +437,7 @@
|
||||
@@ -380,6 +440,7 @@
|
||||
#
|
||||
|
||||
allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
|
||||
@ -18029,7 +18068,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
|
||||
|
||||
@@ -387,6 +445,12 @@
|
||||
@@ -387,6 +448,12 @@
|
||||
|
||||
rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
|
||||
|
||||
@ -18042,7 +18081,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
optional_policy(`
|
||||
procmail_domtrans(postfix_pipe_t)
|
||||
')
|
||||
@@ -396,6 +460,15 @@
|
||||
@@ -396,6 +463,15 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -18058,7 +18097,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
uucp_domtrans_uux(postfix_pipe_t)
|
||||
')
|
||||
|
||||
@@ -432,8 +505,11 @@
|
||||
@@ -432,8 +508,11 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -18072,7 +18111,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -459,6 +535,15 @@
|
||||
@@ -459,6 +538,15 @@
|
||||
init_sigchld_script(postfix_postqueue_t)
|
||||
init_use_script_fds(postfix_postqueue_t)
|
||||
|
||||
@ -18088,7 +18127,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
########################################
|
||||
#
|
||||
# Postfix qmgr local policy
|
||||
@@ -513,7 +598,7 @@
|
||||
@@ -472,6 +560,7 @@
|
||||
manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
|
||||
manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
|
||||
manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
|
||||
+files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
|
||||
|
||||
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
|
||||
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
|
||||
@@ -513,7 +602,7 @@
|
||||
|
||||
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
|
||||
|
||||
@ -18097,7 +18144,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
optional_policy(`
|
||||
cyrus_stream_connect(postfix_smtp_t)
|
||||
@@ -543,9 +628,18 @@
|
||||
@@ -543,9 +632,18 @@
|
||||
|
||||
# for OpenSSL certificates
|
||||
files_read_usr_files(postfix_smtpd_t)
|
||||
@ -18116,7 +18163,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
mailman_read_data_files(postfix_smtpd_t)
|
||||
')
|
||||
|
||||
@@ -572,15 +666,21 @@
|
||||
@@ -572,15 +670,21 @@
|
||||
files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir })
|
||||
|
||||
# connect to master process
|
||||
@ -25240,7 +25287,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
#
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.12/policy/modules/system/init.if
|
||||
--- nsaserefpolicy/policy/modules/system/init.if 2009-01-05 15:39:43.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/init.if 2009-04-13 10:35:22.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/init.if 2009-04-16 10:03:08.000000000 -0400
|
||||
@@ -280,6 +280,29 @@
|
||||
kernel_dontaudit_use_fds($1)
|
||||
')
|
||||
@ -25432,7 +25479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.12/policy/modules/system/init.te
|
||||
--- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/init.te 2009-04-13 08:06:15.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/init.te 2009-04-16 10:02:04.000000000 -0400
|
||||
@@ -17,6 +17,20 @@
|
||||
## </desc>
|
||||
gen_tunable(init_upstart,false)
|
||||
@ -25570,7 +25617,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
corenet_tcp_sendrecv_all_ports(initrc_t)
|
||||
corenet_udp_sendrecv_all_ports(initrc_t)
|
||||
corenet_tcp_connect_all_ports(initrc_t)
|
||||
@@ -274,12 +312,14 @@
|
||||
@@ -270,16 +308,19 @@
|
||||
dev_rw_sysfs(initrc_t)
|
||||
dev_list_usbfs(initrc_t)
|
||||
dev_read_framebuffer(initrc_t)
|
||||
+dev_write_framebuffer(initrc_t)
|
||||
dev_read_realtime_clock(initrc_t)
|
||||
dev_read_sound_mixer(initrc_t)
|
||||
dev_write_sound_mixer(initrc_t)
|
||||
dev_setattr_all_chr_files(initrc_t)
|
||||
@ -25586,7 +25638,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
fs_register_binary_executable_type(initrc_t)
|
||||
# rhgb-console writes to ramfs
|
||||
@@ -328,7 +368,7 @@
|
||||
@@ -328,7 +369,7 @@
|
||||
domain_sigchld_all_domains(initrc_t)
|
||||
domain_read_all_domains_state(initrc_t)
|
||||
domain_getattr_all_domains(initrc_t)
|
||||
@ -25595,7 +25647,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
domain_getsession_all_domains(initrc_t)
|
||||
domain_use_interactive_fds(initrc_t)
|
||||
# for lsof which is used by alsa shutdown:
|
||||
@@ -343,14 +383,13 @@
|
||||
@@ -343,14 +384,13 @@
|
||||
files_getattr_all_pipes(initrc_t)
|
||||
files_getattr_all_sockets(initrc_t)
|
||||
files_purge_tmp(initrc_t)
|
||||
@ -25611,7 +25663,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
files_exec_etc_files(initrc_t)
|
||||
files_read_usr_files(initrc_t)
|
||||
files_manage_urandom_seed(initrc_t)
|
||||
@@ -366,7 +405,9 @@
|
||||
@@ -366,7 +406,9 @@
|
||||
|
||||
libs_rw_ld_so_cache(initrc_t)
|
||||
libs_exec_lib_files(initrc_t)
|
||||
@ -25621,7 +25673,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
logging_send_syslog_msg(initrc_t)
|
||||
logging_manage_generic_logs(initrc_t)
|
||||
logging_read_all_logs(initrc_t)
|
||||
@@ -451,7 +492,7 @@
|
||||
@@ -451,7 +493,7 @@
|
||||
|
||||
# Red Hat systems seem to have a stray
|
||||
# fd open from the initrd
|
||||
@ -25630,7 +25682,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
files_dontaudit_read_root_files(initrc_t)
|
||||
|
||||
selinux_set_enforce_mode(initrc_t)
|
||||
@@ -465,6 +506,7 @@
|
||||
@@ -465,6 +507,7 @@
|
||||
storage_raw_read_fixed_disk(initrc_t)
|
||||
storage_raw_write_fixed_disk(initrc_t)
|
||||
|
||||
@ -25638,7 +25690,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
files_create_boot_flag(initrc_t)
|
||||
files_rw_boot_symlinks(initrc_t)
|
||||
# wants to read /.fonts directory
|
||||
@@ -498,6 +540,7 @@
|
||||
@@ -498,6 +541,7 @@
|
||||
optional_policy(`
|
||||
#for /etc/rc.d/init.d/nfs to create /etc/exports
|
||||
rpc_write_exports(initrc_t)
|
||||
@ -25646,7 +25698,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -516,6 +559,31 @@
|
||||
@@ -516,6 +560,31 @@
|
||||
')
|
||||
')
|
||||
|
||||
@ -25678,7 +25730,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
optional_policy(`
|
||||
amavis_search_lib(initrc_t)
|
||||
amavis_setattr_pid_files(initrc_t)
|
||||
@@ -570,6 +638,10 @@
|
||||
@@ -570,6 +639,10 @@
|
||||
dbus_read_config(initrc_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -25689,7 +25741,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
networkmanager_dbus_chat(initrc_t)
|
||||
')
|
||||
')
|
||||
@@ -647,6 +719,11 @@
|
||||
@@ -647,6 +720,11 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -25701,7 +25753,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
mailman_list_data(initrc_t)
|
||||
mailman_read_data_symlinks(initrc_t)
|
||||
')
|
||||
@@ -655,12 +732,6 @@
|
||||
@@ -655,12 +733,6 @@
|
||||
mta_read_config(initrc_t)
|
||||
mta_dontaudit_read_spool_symlinks(initrc_t)
|
||||
')
|
||||
@ -25714,7 +25766,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
optional_policy(`
|
||||
ifdef(`distro_redhat',`
|
||||
@@ -721,6 +792,9 @@
|
||||
@@ -721,6 +793,9 @@
|
||||
|
||||
# why is this needed:
|
||||
rpm_manage_db(initrc_t)
|
||||
@ -25724,7 +25776,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -733,10 +807,12 @@
|
||||
@@ -733,10 +808,12 @@
|
||||
squid_manage_logs(initrc_t)
|
||||
')
|
||||
|
||||
@ -25737,7 +25789,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
optional_policy(`
|
||||
ssh_dontaudit_read_server_keys(initrc_t)
|
||||
@@ -754,6 +830,11 @@
|
||||
@@ -754,6 +831,11 @@
|
||||
uml_setattr_util_sockets(initrc_t)
|
||||
')
|
||||
|
||||
@ -25749,7 +25801,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
optional_policy(`
|
||||
unconfined_domain(initrc_t)
|
||||
|
||||
@@ -761,6 +842,8 @@
|
||||
@@ -761,6 +843,8 @@
|
||||
# system-config-services causes avc messages that should be dontaudited
|
||||
unconfined_dontaudit_rw_pipes(daemon)
|
||||
')
|
||||
@ -25758,7 +25810,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
optional_policy(`
|
||||
mono_domtrans(initrc_t)
|
||||
@@ -768,6 +851,10 @@
|
||||
@@ -768,6 +852,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -25769,7 +25821,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
vmware_read_system_config(initrc_t)
|
||||
vmware_append_system_config(initrc_t)
|
||||
')
|
||||
@@ -790,3 +877,25 @@
|
||||
@@ -790,3 +878,25 @@
|
||||
optional_policy(`
|
||||
zebra_read_config(initrc_t)
|
||||
')
|
||||
@ -28315,7 +28367,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
-')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.12/policy/modules/system/unconfined.if
|
||||
--- nsaserefpolicy/policy/modules/system/unconfined.if 2008-11-11 16:13:48.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/unconfined.if 2009-04-14 14:03:29.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/unconfined.if 2009-04-15 10:11:28.000000000 -0400
|
||||
@@ -12,14 +12,13 @@
|
||||
#
|
||||
interface(`unconfined_domain_noaudit',`
|
||||
@ -28373,8 +28425,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# Allow making the stack executable via mprotect;
|
||||
- # execstack implies execmem;
|
||||
- allow $1 self:process { execstack execmem };
|
||||
+ # execstack implies execmem; Turned off for F11
|
||||
+ allow $1 self:process { execstack };
|
||||
+ # execstack implies execmem; Bugzilla #211271
|
||||
+ allow $1 self:process { execmem execstack };
|
||||
# auditallow $1 self:process execstack;
|
||||
')
|
||||
|
||||
|
||||
@ -20,7 +20,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.6.12
|
||||
Release: 5%{?dist}
|
||||
Release: 6%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -440,6 +440,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Apr 14 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-6
|
||||
- Allow cupsd_t to create link files in print_spool_t
|
||||
|
||||
* Tue Apr 14 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-5
|
||||
- Allow audioentroy to read etc files
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user