- Add /usr/share/selinux/packages
- Turn on nsplugin boolean
This commit is contained in:
Daniel J Walsh
parent
0f6b92d1fa
commit
62cfafdcb7
@ -2667,8 +2667,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+seutil_domtrans_setfiles_mac(livecd_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.12/policy/modules/apps/mono.if
|
||||
--- nsaserefpolicy/policy/modules/apps/mono.if 2008-08-07 11:15:02.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/apps/mono.if 2009-04-23 09:44:57.000000000 -0400
|
||||
@@ -21,6 +21,104 @@
|
||||
+++ serefpolicy-3.6.12/policy/modules/apps/mono.if 2009-05-12 13:53:34.000000000 -0400
|
||||
@@ -21,6 +21,105 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -2751,6 +2751,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ role $2 types $1_mono_t;
|
||||
+
|
||||
+ domain_interactive_fd($1_mono_t)
|
||||
+ application_type($1_mono_t)
|
||||
+
|
||||
+ userdom_unpriv_usertype($1, $1_mono_t)
|
||||
+ userdom_manage_tmpfs_role($2, $1_mono_t)
|
||||
@ -2773,7 +2774,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Execute the mono program in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -31,7 +129,7 @@
|
||||
@@ -31,7 +130,7 @@
|
||||
#
|
||||
interface(`mono_exec',`
|
||||
gen_require(`
|
||||
@ -2784,7 +2785,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
corecmd_search_bin($1)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.6.12/policy/modules/apps/mono.te
|
||||
--- nsaserefpolicy/policy/modules/apps/mono.te 2009-01-05 15:39:38.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/apps/mono.te 2009-04-23 09:44:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/apps/mono.te 2009-05-12 13:53:03.000000000 -0400
|
||||
@@ -15,7 +15,7 @@
|
||||
# Local policy
|
||||
#
|
||||
@ -2794,7 +2795,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
init_dbus_chat_script(mono_t)
|
||||
|
||||
@@ -42,7 +42,11 @@
|
||||
@@ -42,7 +42,12 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -2802,11 +2803,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ unconfined_domain(mono_t)
|
||||
unconfined_dbus_chat(mono_t)
|
||||
unconfined_dbus_connect(mono_t)
|
||||
')
|
||||
+ application_type(mono_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ xserver_rw_shm(mono_t)
|
||||
+')
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.6.12/policy/modules/apps/mozilla.fc
|
||||
--- nsaserefpolicy/policy/modules/apps/mozilla.fc 2008-11-11 16:13:42.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/apps/mozilla.fc 2009-04-23 09:44:57.000000000 -0400
|
||||
@ -3185,8 +3187,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.12/policy/modules/apps/nsplugin.te
|
||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.te 2009-05-08 12:52:11.000000000 -0400
|
||||
@@ -0,0 +1,293 @@
|
||||
+++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.te 2009-05-12 13:51:52.000000000 -0400
|
||||
@@ -0,0 +1,288 @@
|
||||
+
|
||||
+policy_module(nsplugin, 1.0.0)
|
||||
+
|
||||
@ -3464,12 +3466,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ mozilla_read_user_home_files(nsplugin_config_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ gen_require(`
|
||||
+ type unconfined_mono_t;
|
||||
+ ')
|
||||
+ allow nsplugin_t unconfined_mono_t:process signull;
|
||||
+')
|
||||
+application_signull(nsplugin_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ pulseaudio_stream_connect(nsplugin_t)
|
||||
@ -4326,7 +4323,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.12/policy/modules/apps/qemu.te
|
||||
--- nsaserefpolicy/policy/modules/apps/qemu.te 2009-01-19 11:03:28.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/apps/qemu.te 2009-04-23 09:44:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/apps/qemu.te 2009-05-12 13:52:29.000000000 -0400
|
||||
@@ -13,28 +13,96 @@
|
||||
## </desc>
|
||||
gen_tunable(qemu_full_network, false)
|
||||
@ -4432,6 +4429,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
########################################
|
||||
#
|
||||
# qemu_unconfined local policy
|
||||
@@ -44,6 +112,9 @@
|
||||
type qemu_unconfined_t;
|
||||
domain_type(qemu_unconfined_t)
|
||||
unconfined_domain_noaudit(qemu_unconfined_t)
|
||||
+ userdom_manage_tmpfs_role(unconfined_r, qemu_unconfined_t)
|
||||
|
||||
+ application_type(qemu_unconfined_t)
|
||||
+ role unconfined_r types qemu_unconfined_t;
|
||||
allow qemu_unconfined_t self:process { execstack execmem };
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.6.12/policy/modules/apps/sambagui.fc
|
||||
--- nsaserefpolicy/policy/modules/apps/sambagui.fc 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/apps/sambagui.fc 2009-04-23 09:44:57.000000000 -0400
|
||||
@ -5926,7 +5933,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.12/policy/modules/kernel/filesystem.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-03-04 16:49:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/kernel/filesystem.if 2009-04-23 17:21:31.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/kernel/filesystem.if 2009-05-12 13:59:59.000000000 -0400
|
||||
@@ -723,6 +723,24 @@
|
||||
|
||||
########################################
|
||||
@ -6347,7 +6354,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.12/policy/modules/kernel/terminal.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2008-11-11 16:13:41.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/kernel/terminal.if 2009-04-23 09:44:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/kernel/terminal.if 2009-05-12 08:30:38.000000000 -0400
|
||||
@@ -173,7 +173,7 @@
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
@ -6369,6 +6376,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -451,6 +453,23 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## dontaudit getattr of generic pty devices.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## The type of the process to not audit.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`term_dontaudit_getattr_generic_ptys',`
|
||||
+ gen_require(`
|
||||
+ type devpts_t;
|
||||
+ ')
|
||||
+
|
||||
+ dontaudit $1 devpts_t:chr_file getattr;
|
||||
+')
|
||||
+########################################
|
||||
+## <summary>
|
||||
## ioctl of generic pty devices.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.12/policy/modules/roles/guest.te
|
||||
--- nsaserefpolicy/policy/modules/roles/guest.te 2009-04-06 12:42:08.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/roles/guest.te 2009-04-23 09:44:57.000000000 -0400
|
||||
@ -19851,7 +19882,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
optional_policy(`
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.6.12/policy/modules/services/procmail.te
|
||||
--- nsaserefpolicy/policy/modules/services/procmail.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/procmail.te 2009-04-23 09:44:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/procmail.te 2009-05-12 08:59:00.000000000 -0400
|
||||
@@ -77,6 +77,7 @@
|
||||
files_read_usr_files(procmail_t)
|
||||
|
||||
@ -19879,6 +19910,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
pyzor_domtrans(procmail_t)
|
||||
pyzor_signal(procmail_t)
|
||||
')
|
||||
@@ -136,7 +142,7 @@
|
||||
mta_read_config(procmail_t)
|
||||
sendmail_domtrans(procmail_t)
|
||||
sendmail_signal(procmail_t)
|
||||
- sendmail_rw_tcp_sockets(procmail_t)
|
||||
+ sendmail_dontaudit_rw_tcp_sockets(procmail_t)
|
||||
sendmail_rw_unix_stream_sockets(procmail_t)
|
||||
')
|
||||
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.fc serefpolicy-3.6.12/policy/modules/services/psad.fc
|
||||
--- nsaserefpolicy/policy/modules/services/psad.fc 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/psad.fc 2009-04-23 09:44:57.000000000 -0400
|
||||
@ -20688,7 +20728,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.12/policy/modules/services/rpc.te
|
||||
--- nsaserefpolicy/policy/modules/services/rpc.te 2009-03-20 12:39:39.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/rpc.te 2009-05-11 09:09:05.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/rpc.te 2009-05-12 14:00:28.000000000 -0400
|
||||
@@ -23,7 +23,7 @@
|
||||
gen_tunable(allow_nfsd_anon_write, false)
|
||||
|
||||
@ -20698,7 +20738,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
rpc_domain_template(gssd)
|
||||
|
||||
@@ -69,26 +69,37 @@
|
||||
@@ -69,15 +69,22 @@
|
||||
kernel_read_sysctl(rpcd_t)
|
||||
kernel_rw_fs_sysctls(rpcd_t)
|
||||
kernel_dontaudit_getattr_core_if(rpcd_t)
|
||||
@ -20707,18 +20747,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
corecmd_exec_bin(rpcd_t)
|
||||
|
||||
files_manage_mounttab(rpcd_t)
|
||||
+files_getattr_all_dirs(rpcd_t)
|
||||
|
||||
+fs_list_inotifyfs(rpcd_t)
|
||||
fs_list_rpc(rpcd_t)
|
||||
fs_read_rpc_files(rpcd_t)
|
||||
fs_read_rpc_symlinks(rpcd_t)
|
||||
fs_rw_rpc_sockets(rpcd_t)
|
||||
|
||||
+storage_getattr_fixed_disk_dev(rpcd_t)
|
||||
+fs_get_all_fs_quotas(rpcd_t)
|
||||
+fs_getattr_all_fs(rpcd_t)
|
||||
+
|
||||
+storage_getattr_fixed_disk_dev(rpcd_t)
|
||||
|
||||
selinux_dontaudit_read_fs(rpcd_t)
|
||||
|
||||
miscfiles_read_certs(rpcd_t)
|
||||
@@ -85,10 +92,17 @@
|
||||
|
||||
seutil_dontaudit_search_config(rpcd_t)
|
||||
|
||||
@ -20736,7 +20779,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
########################################
|
||||
#
|
||||
# NFSD local policy
|
||||
@@ -116,8 +127,9 @@
|
||||
@@ -116,8 +130,9 @@
|
||||
# for exportfs and rpc.mountd
|
||||
files_getattr_tmp_dirs(nfsd_t)
|
||||
# cjp: this should really have its own type
|
||||
@ -20747,7 +20790,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
fs_mount_nfsd_fs(nfsd_t)
|
||||
fs_search_nfsd_fs(nfsd_t)
|
||||
fs_getattr_all_fs(nfsd_t)
|
||||
@@ -125,6 +137,7 @@
|
||||
@@ -125,6 +140,7 @@
|
||||
fs_rw_nfsd_fs(nfsd_t)
|
||||
|
||||
storage_dontaudit_read_fixed_disk(nfsd_t)
|
||||
@ -20755,7 +20798,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# Read access to public_content_t and public_content_rw_t
|
||||
miscfiles_read_public_files(nfsd_t)
|
||||
@@ -141,6 +154,7 @@
|
||||
@@ -141,6 +157,7 @@
|
||||
fs_read_noxattr_fs_files(nfsd_t)
|
||||
auth_manage_all_files_except_shadow(nfsd_t)
|
||||
')
|
||||
@ -20763,7 +20806,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
tunable_policy(`nfs_export_all_ro',`
|
||||
dev_getattr_all_blk_files(nfsd_t)
|
||||
@@ -175,6 +189,7 @@
|
||||
@@ -175,6 +192,7 @@
|
||||
|
||||
corecmd_exec_bin(gssd_t)
|
||||
|
||||
@ -20771,7 +20814,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
fs_list_rpc(gssd_t)
|
||||
fs_rw_rpc_sockets(gssd_t)
|
||||
fs_read_rpc_files(gssd_t)
|
||||
@@ -183,9 +198,12 @@
|
||||
@@ -183,9 +201,12 @@
|
||||
files_read_usr_symlinks(gssd_t)
|
||||
|
||||
auth_use_nsswitch(gssd_t)
|
||||
@ -20798,7 +20841,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
auth_write_login_records(rshd_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.12/policy/modules/services/rsync.te
|
||||
--- nsaserefpolicy/policy/modules/services/rsync.te 2009-03-23 13:47:11.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/rsync.te 2009-04-29 13:19:21.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/rsync.te 2009-05-11 20:42:00.000000000 -0400
|
||||
@@ -8,6 +8,13 @@
|
||||
|
||||
## <desc>
|
||||
@ -21748,7 +21791,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.12/policy/modules/services/sendmail.if
|
||||
--- nsaserefpolicy/policy/modules/services/sendmail.if 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/sendmail.if 2009-04-30 08:12:22.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/sendmail.if 2009-05-12 08:58:39.000000000 -0400
|
||||
@@ -59,20 +59,20 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Read and write sendmail TCP sockets.
|
||||
+## Dontaudit Read and write sendmail TCP sockets.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
-## Domain allowed access.
|
||||
+## Domain not allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`sendmail_rw_tcp_sockets',`
|
||||
+interface(`sendmail_dontaudit_rw_tcp_sockets',`
|
||||
gen_require(`
|
||||
type sendmail_t;
|
||||
')
|
||||
|
||||
- allow $1 sendmail_t:tcp_socket { read write };
|
||||
+ dontaudit $1 sendmail_t:tcp_socket { read write };
|
||||
')
|
||||
########################################
|
||||
## <summary>
|
||||
@@ -89,7 +89,7 @@
|
||||
type sendmail_t;
|
||||
')
|
||||
@ -22737,7 +22805,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.12/policy/modules/services/spamassassin.te
|
||||
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te 2009-05-08 07:53:09.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te 2009-05-12 09:01:37.000000000 -0400
|
||||
@@ -20,6 +20,35 @@
|
||||
## </desc>
|
||||
gen_tunable(spamd_enable_home_dirs, true)
|
||||
@ -22809,15 +22877,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
sysnet_read_config(spamassassin_t)
|
||||
')
|
||||
@@ -195,6 +234,7 @@
|
||||
@@ -195,6 +234,8 @@
|
||||
optional_policy(`
|
||||
mta_read_config(spamassassin_t)
|
||||
sendmail_stub(spamassassin_t)
|
||||
+ sendmail_rw_unix_stream_sockets(spamassassin_t)
|
||||
+ sendmail_dontaudit_rw_tcp_sockets(spamassassin_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -216,16 +256,32 @@
|
||||
@@ -216,16 +257,32 @@
|
||||
allow spamc_t self:unix_stream_socket connectto;
|
||||
allow spamc_t self:tcp_socket create_stream_socket_perms;
|
||||
allow spamc_t self:udp_socket create_socket_perms;
|
||||
@ -22850,7 +22919,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
corenet_all_recvfrom_unlabeled(spamc_t)
|
||||
corenet_all_recvfrom_netlabel(spamc_t)
|
||||
@@ -239,6 +295,7 @@
|
||||
@@ -239,6 +296,7 @@
|
||||
corenet_sendrecv_all_client_packets(spamc_t)
|
||||
|
||||
fs_search_auto_mountpoints(spamc_t)
|
||||
@ -22858,7 +22927,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# cjp: these should probably be removed:
|
||||
corecmd_list_bin(spamc_t)
|
||||
@@ -255,9 +312,15 @@
|
||||
@@ -255,9 +313,15 @@
|
||||
files_dontaudit_search_var(spamc_t)
|
||||
# cjp: this may be removable:
|
||||
files_list_home(spamc_t)
|
||||
@ -22874,7 +22943,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
miscfiles_read_localization(spamc_t)
|
||||
|
||||
# cjp: this should probably be removed:
|
||||
@@ -265,13 +328,16 @@
|
||||
@@ -265,13 +329,16 @@
|
||||
|
||||
sysnet_read_config(spamc_t)
|
||||
|
||||
@ -22898,7 +22967,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -280,16 +346,21 @@
|
||||
@@ -280,16 +347,22 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -22919,10 +22988,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ mta_read_queue(spamc_t)
|
||||
sendmail_stub(spamc_t)
|
||||
+ sendmail_rw_pipes(spamc_t)
|
||||
+ sendmail_dontaudit_rw_tcp_sockets(spamc_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -301,7 +372,7 @@
|
||||
@@ -301,7 +374,7 @@
|
||||
# setuids to the user running spamc. Comment this if you are not
|
||||
# using this ability.
|
||||
|
||||
@ -22931,7 +23001,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dontaudit spamd_t self:capability sys_tty_config;
|
||||
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow spamd_t self:fd use;
|
||||
@@ -317,10 +388,13 @@
|
||||
@@ -317,10 +390,13 @@
|
||||
allow spamd_t self:unix_stream_socket connectto;
|
||||
allow spamd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow spamd_t self:udp_socket create_socket_perms;
|
||||
@ -22946,7 +23016,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
|
||||
|
||||
manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
|
||||
@@ -329,10 +403,11 @@
|
||||
@@ -329,10 +405,11 @@
|
||||
|
||||
# var/lib files for spamd
|
||||
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
|
||||
@ -22959,7 +23029,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
|
||||
|
||||
kernel_read_all_sysctls(spamd_t)
|
||||
@@ -382,22 +457,27 @@
|
||||
@@ -382,22 +459,27 @@
|
||||
|
||||
init_dontaudit_rw_utmp(spamd_t)
|
||||
|
||||
@ -22991,7 +23061,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
fs_manage_cifs_files(spamd_t)
|
||||
')
|
||||
|
||||
@@ -415,6 +495,7 @@
|
||||
@@ -415,6 +497,7 @@
|
||||
|
||||
optional_policy(`
|
||||
dcc_domtrans_client(spamd_t)
|
||||
@ -22999,7 +23069,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dcc_stream_connect_dccifd(spamd_t)
|
||||
')
|
||||
|
||||
@@ -424,10 +505,6 @@
|
||||
@@ -424,10 +507,6 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -23010,7 +23080,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
postfix_read_config(spamd_t)
|
||||
')
|
||||
|
||||
@@ -442,6 +519,10 @@
|
||||
@@ -442,6 +521,10 @@
|
||||
|
||||
optional_policy(`
|
||||
razor_domtrans(spamd_t)
|
||||
@ -23021,7 +23091,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -454,5 +535,9 @@
|
||||
@@ -454,5 +537,9 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -25398,7 +25468,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.12/policy/modules/services/xserver.te
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/xserver.te 2009-05-06 08:50:01.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/xserver.te 2009-05-12 13:45:25.000000000 -0400
|
||||
@@ -34,6 +34,13 @@
|
||||
|
||||
## <desc>
|
||||
@ -26140,6 +26210,40 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
domtrans_pattern($1, zos_remote_exec_t, zos_remote_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.6.12/policy/modules/system/application.if
|
||||
--- nsaserefpolicy/policy/modules/system/application.if 2008-08-07 11:15:12.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/application.if 2009-05-12 13:54:23.000000000 -0400
|
||||
@@ -2,7 +2,7 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Make the specified type usable as an application domain.
|
||||
+## Send signull to application domains
|
||||
## </summary>
|
||||
## <param name="type">
|
||||
## <summary>
|
||||
@@ -101,3 +101,21 @@
|
||||
application_executable_file($2)
|
||||
domain_entry_file($1,$2)
|
||||
')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Send signull to unprivileged user domains.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`application_signull',`
|
||||
+ gen_require(`
|
||||
+ attribute application_domain_type;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 application_domain_type:process signull;
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.12/policy/modules/system/application.te
|
||||
--- nsaserefpolicy/policy/modules/system/application.te 2008-08-07 11:15:12.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/application.te 2009-04-23 09:44:57.000000000 -0400
|
||||
@ -30638,7 +30742,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-05-08 13:06:19.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-05-12 13:51:30.000000000 -0400
|
||||
@@ -30,8 +30,9 @@
|
||||
')
|
||||
|
||||
@ -30650,12 +30754,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
domain_type($1_t)
|
||||
corecmd_shell_entry_type($1_t)
|
||||
corecmd_bin_entry_type($1_t)
|
||||
@@ -41,71 +42,85 @@
|
||||
@@ -41,71 +42,87 @@
|
||||
allow system_r $1_r;
|
||||
|
||||
term_user_pty($1_t, user_devpts_t)
|
||||
-
|
||||
term_user_tty($1_t, user_tty_device_t)
|
||||
+ term_dontaudit_getattr_generic_ptys($1_t)
|
||||
|
||||
- allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
|
||||
- allow $1_t self:fd use;
|
||||
@ -30742,6 +30847,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ files_read_mnt_files($1_usertype)
|
||||
+ files_read_etc_runtime_files($1_usertype)
|
||||
+ files_read_usr_files($1_usertype)
|
||||
+ files_read_usr_src_files($1_usertype)
|
||||
# Read directories and files with the readable_t type.
|
||||
# This type is a general type for "world"-readable files.
|
||||
- files_list_world_readable($1_t)
|
||||
@ -30787,7 +30893,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
tunable_policy(`allow_execmem',`
|
||||
# Allow loading DSOs that require executable stack.
|
||||
@@ -116,6 +131,12 @@
|
||||
@@ -116,6 +133,12 @@
|
||||
# Allow making the stack executable via mprotect.
|
||||
allow $1_t self:process execstack;
|
||||
')
|
||||
@ -30800,7 +30906,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -147,6 +168,7 @@
|
||||
@@ -147,6 +170,7 @@
|
||||
interface(`userdom_ro_home_role',`
|
||||
gen_require(`
|
||||
type user_home_t, user_home_dir_t;
|
||||
@ -30808,7 +30914,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
role $1 types { user_home_t user_home_dir_t };
|
||||
@@ -157,6 +179,7 @@
|
||||
@@ -157,6 +181,7 @@
|
||||
#
|
||||
|
||||
type_member $2 user_home_dir_t:dir user_home_dir_t;
|
||||
@ -30816,7 +30922,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# read-only home directory
|
||||
allow $2 user_home_dir_t:dir list_dir_perms;
|
||||
@@ -168,27 +191,6 @@
|
||||
@@ -168,27 +193,6 @@
|
||||
read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
|
||||
files_list_home($2)
|
||||
|
||||
@ -30844,7 +30950,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -220,9 +222,10 @@
|
||||
@@ -220,9 +224,10 @@
|
||||
interface(`userdom_manage_home_role',`
|
||||
gen_require(`
|
||||
type user_home_t, user_home_dir_t;
|
||||
@ -30856,7 +30962,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
##############################
|
||||
#
|
||||
@@ -232,17 +235,20 @@
|
||||
@@ -232,17 +237,20 @@
|
||||
type_member $2 user_home_dir_t:dir user_home_dir_t;
|
||||
|
||||
# full control of the home directory
|
||||
@ -30887,7 +30993,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
|
||||
files_list_home($2)
|
||||
|
||||
@@ -250,25 +256,23 @@
|
||||
@@ -250,25 +258,23 @@
|
||||
allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
@ -30917,7 +31023,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -303,6 +307,7 @@
|
||||
@@ -303,6 +309,7 @@
|
||||
manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
|
||||
manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
|
||||
files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
|
||||
@ -30925,7 +31031,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -322,6 +327,7 @@
|
||||
@@ -322,6 +329,7 @@
|
||||
')
|
||||
|
||||
exec_files_pattern($1, user_tmp_t, user_tmp_t)
|
||||
@ -30933,7 +31039,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
files_search_tmp($1)
|
||||
')
|
||||
|
||||
@@ -368,46 +374,41 @@
|
||||
@@ -368,46 +376,41 @@
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
@ -31000,7 +31106,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -420,34 +421,41 @@
|
||||
@@ -420,34 +423,41 @@
|
||||
## is the prefix for user_t).
|
||||
## </summary>
|
||||
## </param>
|
||||
@ -31060,7 +31166,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -497,11 +505,7 @@
|
||||
@@ -497,11 +507,7 @@
|
||||
attribute unpriv_userdomain;
|
||||
')
|
||||
|
||||
@ -31073,7 +31179,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
##############################
|
||||
#
|
||||
@@ -512,189 +516,200 @@
|
||||
@@ -512,189 +518,200 @@
|
||||
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
||||
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
|
||||
|
||||
@ -31355,7 +31461,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -722,13 +737,26 @@
|
||||
@@ -722,13 +739,26 @@
|
||||
|
||||
userdom_base_user_template($1)
|
||||
|
||||
@ -31387,7 +31493,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
userdom_change_password_template($1)
|
||||
|
||||
@@ -746,70 +774,71 @@
|
||||
@@ -746,70 +776,71 @@
|
||||
|
||||
allow $1_t self:context contains;
|
||||
|
||||
@ -31492,7 +31598,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -846,6 +875,28 @@
|
||||
@@ -846,6 +877,28 @@
|
||||
# Local policy
|
||||
#
|
||||
|
||||
@ -31521,7 +31627,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
optional_policy(`
|
||||
loadkeys_run($1_t,$1_r)
|
||||
')
|
||||
@@ -876,7 +927,10 @@
|
||||
@@ -876,7 +929,10 @@
|
||||
|
||||
userdom_restricted_user_template($1)
|
||||
|
||||
@ -31533,7 +31639,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
##############################
|
||||
#
|
||||
@@ -884,14 +938,19 @@
|
||||
@@ -884,14 +940,19 @@
|
||||
#
|
||||
|
||||
auth_role($1_r, $1_t)
|
||||
@ -31558,7 +31664,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
logging_dontaudit_send_audit_msgs($1_t)
|
||||
|
||||
# Need to to this just so screensaver will work. Should be moved to screensaver domain
|
||||
@@ -899,28 +958,33 @@
|
||||
@@ -899,28 +960,33 @@
|
||||
selinux_get_enforce_mode($1_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -31599,7 +31705,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -954,8 +1018,8 @@
|
||||
@@ -954,8 +1020,8 @@
|
||||
# Declarations
|
||||
#
|
||||
|
||||
@ -31609,7 +31715,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
userdom_common_user_template($1)
|
||||
|
||||
##############################
|
||||
@@ -964,11 +1028,12 @@
|
||||
@@ -964,11 +1030,12 @@
|
||||
#
|
||||
|
||||
# port access is audited even if dac would not have allowed it, so dontaudit it here
|
||||
@ -31624,7 +31730,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# cjp: why?
|
||||
files_read_kernel_symbol_table($1_t)
|
||||
|
||||
@@ -986,37 +1051,55 @@
|
||||
@@ -986,37 +1053,55 @@
|
||||
')
|
||||
')
|
||||
|
||||
@ -31694,7 +31800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -1050,7 +1133,7 @@
|
||||
@@ -1050,7 +1135,7 @@
|
||||
#
|
||||
template(`userdom_admin_user_template',`
|
||||
gen_require(`
|
||||
@ -31703,7 +31809,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
##############################
|
||||
@@ -1059,8 +1142,7 @@
|
||||
@@ -1059,8 +1144,7 @@
|
||||
#
|
||||
|
||||
# Inherit rules for ordinary users.
|
||||
@ -31713,7 +31819,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
domain_obj_id_change_exemption($1_t)
|
||||
role system_r types $1_t;
|
||||
@@ -1083,7 +1165,8 @@
|
||||
@@ -1083,7 +1167,8 @@
|
||||
# Skip authentication when pam_rootok is specified.
|
||||
allow $1_t self:passwd rootok;
|
||||
|
||||
@ -31723,7 +31829,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
kernel_read_software_raid_state($1_t)
|
||||
kernel_getattr_core_if($1_t)
|
||||
@@ -1099,6 +1182,7 @@
|
||||
@@ -1099,6 +1184,7 @@
|
||||
kernel_sigstop_unlabeled($1_t)
|
||||
kernel_signull_unlabeled($1_t)
|
||||
kernel_sigchld_unlabeled($1_t)
|
||||
@ -31731,7 +31837,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
corenet_tcp_bind_generic_port($1_t)
|
||||
# allow setting up tunnels
|
||||
@@ -1106,8 +1190,6 @@
|
||||
@@ -1106,8 +1192,6 @@
|
||||
|
||||
dev_getattr_generic_blk_files($1_t)
|
||||
dev_getattr_generic_chr_files($1_t)
|
||||
@ -31740,7 +31846,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# Allow MAKEDEV to work
|
||||
dev_create_all_blk_files($1_t)
|
||||
dev_create_all_chr_files($1_t)
|
||||
@@ -1162,20 +1244,6 @@
|
||||
@@ -1162,20 +1246,6 @@
|
||||
# But presently necessary for installing the file_contexts file.
|
||||
seutil_manage_bin_policy($1_t)
|
||||
|
||||
@ -31761,7 +31867,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
optional_policy(`
|
||||
postgresql_unconfined($1_t)
|
||||
')
|
||||
@@ -1221,6 +1289,7 @@
|
||||
@@ -1221,6 +1291,7 @@
|
||||
dev_relabel_all_dev_nodes($1)
|
||||
|
||||
files_create_boot_flag($1)
|
||||
@ -31769,7 +31875,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# Necessary for managing /boot/efi
|
||||
fs_manage_dos_files($1)
|
||||
@@ -1286,11 +1355,15 @@
|
||||
@@ -1286,11 +1357,15 @@
|
||||
interface(`userdom_user_home_content',`
|
||||
gen_require(`
|
||||
type user_home_t;
|
||||
@ -31785,7 +31891,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1387,7 +1460,7 @@
|
||||
@@ -1387,7 +1462,7 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -31794,7 +31900,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1420,6 +1493,14 @@
|
||||
@@ -1420,6 +1495,14 @@
|
||||
|
||||
allow $1 user_home_dir_t:dir list_dir_perms;
|
||||
files_search_home($1)
|
||||
@ -31809,7 +31915,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1435,9 +1516,11 @@
|
||||
@@ -1435,9 +1518,11 @@
|
||||
interface(`userdom_dontaudit_list_user_home_dirs',`
|
||||
gen_require(`
|
||||
type user_home_dir_t;
|
||||
@ -31821,7 +31927,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1494,6 +1577,25 @@
|
||||
@@ -1494,6 +1579,25 @@
|
||||
allow $1 user_home_dir_t:dir relabelto;
|
||||
')
|
||||
|
||||
@ -31847,7 +31953,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
########################################
|
||||
## <summary>
|
||||
## Create directories in the home dir root with
|
||||
@@ -1568,6 +1670,8 @@
|
||||
@@ -1568,6 +1672,8 @@
|
||||
')
|
||||
|
||||
dontaudit $1 user_home_t:dir search_dir_perms;
|
||||
@ -31856,7 +31962,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1643,6 +1747,7 @@
|
||||
@@ -1643,6 +1749,7 @@
|
||||
type user_home_dir_t, user_home_t;
|
||||
')
|
||||
|
||||
@ -31864,7 +31970,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
|
||||
files_search_home($1)
|
||||
')
|
||||
@@ -1741,30 +1846,80 @@
|
||||
@@ -1741,30 +1848,80 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -31955,7 +32061,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1787,6 +1942,46 @@
|
||||
@@ -1787,6 +1944,46 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -32002,7 +32108,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Create, read, write, and delete files
|
||||
## in a user home subdirectory.
|
||||
## </summary>
|
||||
@@ -1799,6 +1994,7 @@
|
||||
@@ -1799,6 +1996,7 @@
|
||||
interface(`userdom_manage_user_home_content_files',`
|
||||
gen_require(`
|
||||
type user_home_dir_t, user_home_t;
|
||||
@ -32010,7 +32116,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
manage_files_pattern($1, user_home_t, user_home_t)
|
||||
@@ -2328,7 +2524,7 @@
|
||||
@@ -2328,7 +2526,7 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -32019,7 +32125,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -2814,12 +3010,12 @@
|
||||
@@ -2814,12 +3012,12 @@
|
||||
type user_tmp_t;
|
||||
')
|
||||
|
||||
@ -32034,7 +32140,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -2827,17 +3023,35 @@
|
||||
@@ -2827,17 +3025,35 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -32074,7 +32180,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -2851,6 +3065,7 @@
|
||||
@@ -2851,6 +3067,7 @@
|
||||
')
|
||||
|
||||
read_files_pattern($1,userdomain,userdomain)
|
||||
@ -32082,7 +32188,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
kernel_search_proc($1)
|
||||
')
|
||||
|
||||
@@ -2981,3 +3196,481 @@
|
||||
@@ -2981,3 +3198,481 @@
|
||||
|
||||
allow $1 userdomain:dbus send_msg;
|
||||
')
|
||||
|
||||
@ -20,7 +20,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.6.12
|
||||
Release: 34%{?dist}
|
||||
Release: 35%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -63,6 +63,7 @@ SELinux Base package
|
||||
%dir %{_usr}/share/selinux
|
||||
%dir %{_usr}/share/selinux/devel
|
||||
%dir %{_usr}/share/selinux/devel/include
|
||||
%dir %{_usr}/share/selinux/packages
|
||||
%dir %{_sysconfdir}/selinux
|
||||
%ghost %config(noreplace) %{_sysconfdir}/selinux/config
|
||||
%ghost %{_sysconfdir}/sysconfig/selinux
|
||||
@ -234,6 +235,7 @@ make clean
|
||||
|
||||
make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs
|
||||
mkdir %{buildroot}%{_usr}/share/selinux/devel/
|
||||
mkdir %{buildroot}%{_usr}/share/selinux/packages/
|
||||
mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
|
||||
install -m 755 $RPM_SOURCE_DIR/policygentool %{buildroot}%{_usr}/share/selinux/devel/
|
||||
install -m 644 $RPM_SOURCE_DIR/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile
|
||||
@ -471,6 +473,10 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon May 11 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-35
|
||||
- Add /usr/share/selinux/packages
|
||||
- Turn on nsplugin boolean
|
||||
|
||||
* Mon May 11 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-34
|
||||
- Allow rpcd_t to send signals to kernel threads
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user