- More access needed for devicekit
- Add dbadm policy
This commit is contained in:
parent
acb1aed3a4
commit
6578cf7413
2216
modules-minimum.conf
2216
modules-minimum.conf
1
modules-minimum.conf
Symbolic link
1
modules-minimum.conf
Symbolic link
@ -0,0 +1 @@
|
|||||||
|
modules-targeted.conf
|
@ -1812,6 +1812,13 @@ telepathy = module
|
|||||||
#
|
#
|
||||||
vmware = module
|
vmware = module
|
||||||
|
|
||||||
|
# Layer: role
|
||||||
|
# Module: dbadm
|
||||||
|
#
|
||||||
|
# Minimally prived root role for managing databases
|
||||||
|
#
|
||||||
|
dbadm = module
|
||||||
|
|
||||||
# Layer: role
|
# Layer: role
|
||||||
# Module: logadm
|
# Module: logadm
|
||||||
#
|
#
|
||||||
|
@ -2015,6 +2015,13 @@ rssh = module
|
|||||||
#
|
#
|
||||||
vmware = module
|
vmware = module
|
||||||
|
|
||||||
|
# Layer: role
|
||||||
|
# Module: dbadm
|
||||||
|
#
|
||||||
|
# Minimally prived root role for managing databases
|
||||||
|
#
|
||||||
|
dbadm = module
|
||||||
|
|
||||||
# Layer: role
|
# Layer: role
|
||||||
# Module: logadm
|
# Module: logadm
|
||||||
#
|
#
|
||||||
|
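Review bot: The comment added for the new dbadm entry reads `# Minimally prived root role for managing databases`; "prived" is a typo for "privileged", so the line should be `# Minimally privileged root role for managing databases`. The same six-line block, typo included, is inserted twice in this file, at @ -1812 and again at @ -2015, each time between `vmware = module` and the `# Module: logadm` header, so if modules-targeted.conf holds a single module list the second insertion looks like an accidental duplicate and should be checked against the full file; if the file deliberately carries two lists, both copies need the spelling fix. Since a role module named here presumably has to exist in the policy tree for the module list to be valid, it may also be worth confirming that the dbadm module is actually shipped by this commit rather than only listed.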
469
policy-F14.patch
469
policy-F14.patch
@ -502,14 +502,18 @@ index 89b9f2a..9cba75f 100644
|
|||||||
pcscd_read_pub_files(certwatch_t)
|
pcscd_read_pub_files(certwatch_t)
|
||||||
')
|
')
|
||||||
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
|
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
|
||||||
index 2b12a37..ce00934 100644
|
index 2b12a37..a370656 100644
|
||||||
--- a/policy/modules/admin/consoletype.te
|
--- a/policy/modules/admin/consoletype.te
|
||||||
+++ b/policy/modules/admin/consoletype.te
|
+++ b/policy/modules/admin/consoletype.te
|
||||||
@@ -85,6 +85,7 @@ optional_policy(`
|
@@ -81,10 +81,7 @@ optional_policy(`
|
||||||
hal_dontaudit_rw_pipes(consoletype_t)
|
')
|
||||||
hal_dontaudit_rw_dgram_sockets(consoletype_t)
|
|
||||||
hal_dontaudit_write_log(consoletype_t)
|
optional_policy(`
|
||||||
+ hal_dontaudit_read_pid_files(consoletype_t)
|
- hal_dontaudit_use_fds(consoletype_t)
|
||||||
|
- hal_dontaudit_rw_pipes(consoletype_t)
|
||||||
|
- hal_dontaudit_rw_dgram_sockets(consoletype_t)
|
||||||
|
- hal_dontaudit_write_log(consoletype_t)
|
||||||
|
+ hal_dontaudit_leaks(consoletype_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -1672,6 +1676,19 @@ index 6a5004b..50cd538 100644
|
|||||||
rpm_manage_cache(tmpreaper_t)
|
rpm_manage_cache(tmpreaper_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
diff --git a/policy/modules/admin/tzdata.te b/policy/modules/admin/tzdata.te
|
||||||
|
index aa9636d..7851643 100644
|
||||||
|
--- a/policy/modules/admin/tzdata.te
|
||||||
|
+++ b/policy/modules/admin/tzdata.te
|
||||||
|
@@ -15,7 +15,7 @@ application_domain(tzdata_t, tzdata_exec_t)
|
||||||
|
# tzdata local policy
|
||||||
|
#
|
||||||
|
|
||||||
|
-files_read_etc_files(tzdata_t)
|
||||||
|
+files_read_config_files(tzdata_t)
|
||||||
|
files_search_spool(tzdata_t)
|
||||||
|
|
||||||
|
fs_getattr_xattr_fs(tzdata_t)
|
||||||
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
|
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
|
||||||
index aecbf1c..0b5e634 100644
|
index aecbf1c..0b5e634 100644
|
||||||
--- a/policy/modules/admin/usermanage.if
|
--- a/policy/modules/admin/usermanage.if
|
||||||
@ -2341,7 +2358,7 @@ index 00a19e3..46db5ff 100644
|
|||||||
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
|
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
|
||||||
+
|
+
|
||||||
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
|
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
|
||||||
index f5afe78..852f36f 100644
|
index f5afe78..ffd9870 100644
|
||||||
--- a/policy/modules/apps/gnome.if
|
--- a/policy/modules/apps/gnome.if
|
||||||
+++ b/policy/modules/apps/gnome.if
|
+++ b/policy/modules/apps/gnome.if
|
||||||
@@ -37,8 +37,26 @@ interface(`gnome_role',`
|
@@ -37,8 +37,26 @@ interface(`gnome_role',`
|
||||||
@ -2520,7 +2537,7 @@ index f5afe78..852f36f 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -122,12 +189,52 @@ interface(`gnome_stream_connect_gconf',`
|
@@ -122,12 +189,71 @@ interface(`gnome_stream_connect_gconf',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -2538,6 +2555,25 @@ index f5afe78..852f36f 100644
|
|||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
|
+## append to generic cache home files (.cache)
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`gnome_append_generic_cache_files',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type cache_home_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ append_files_pattern($1, cache_home_t, cache_home_t)
|
||||||
|
+ userdom_search_user_home_dirs($1)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
+## write to generic cache home files (.cache)
|
+## write to generic cache home files (.cache)
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
@ -2576,7 +2612,7 @@ index f5afe78..852f36f 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -151,40 +258,270 @@ interface(`gnome_setattr_config_dirs',`
|
@@ -151,40 +277,288 @@ interface(`gnome_setattr_config_dirs',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -2694,8 +2730,10 @@ index f5afe78..852f36f 100644
|
|||||||
gen_require(`
|
gen_require(`
|
||||||
- type gnome_home_t;
|
- type gnome_home_t;
|
||||||
+ type gconfd_exec_t;
|
+ type gconfd_exec_t;
|
||||||
+ ')
|
')
|
||||||
+
|
|
||||||
|
- allow $1 gnome_home_t:dir manage_dir_perms;
|
||||||
|
- allow $1 gnome_home_t:file manage_file_perms;
|
||||||
+ can_exec($1, gconfd_exec_t)
|
+ can_exec($1, gconfd_exec_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
@ -2734,10 +2772,8 @@ index f5afe78..852f36f 100644
|
|||||||
+interface(`gnome_search_gconf',`
|
+interface(`gnome_search_gconf',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ type gconf_home_t;
|
+ type gconf_home_t;
|
||||||
')
|
+ ')
|
||||||
|
+
|
||||||
- allow $1 gnome_home_t:dir manage_dir_perms;
|
|
||||||
- allow $1 gnome_home_t:file manage_file_perms;
|
|
||||||
+ allow $1 gconf_home_t:dir search_dir_perms;
|
+ allow $1 gconf_home_t:dir search_dir_perms;
|
||||||
userdom_search_user_home_dirs($1)
|
userdom_search_user_home_dirs($1)
|
||||||
')
|
')
|
||||||
@ -2805,7 +2841,7 @@ index f5afe78..852f36f 100644
|
|||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## read gnome homedir content (.config)
|
+## list gnome homedir content (.config)
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="user_domain">
|
+## <param name="user_domain">
|
||||||
+## <summary>
|
+## <summary>
|
||||||
@ -2823,6 +2859,24 @@ index f5afe78..852f36f 100644
|
|||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
|
+## read gnome homedir content (.config)
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="user_domain">
|
||||||
|
+## <summary>
|
||||||
|
+## The type of the user domain.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+template(`gnome_read_home_config',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type config_home_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ read_files_pattern($1, config_home_t, config_home_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
+## Read/Write all inherited gnome home config
|
+## Read/Write all inherited gnome home config
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
@ -6621,7 +6675,7 @@ index 9d24449..9782698 100644
|
|||||||
/opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0)
|
/opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0)
|
||||||
/opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0)
|
/opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0)
|
||||||
diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
|
diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
|
||||||
index c26662d..9cbfded 100644
|
index c26662d..62e455a 100644
|
||||||
--- a/policy/modules/apps/wine.if
|
--- a/policy/modules/apps/wine.if
|
||||||
+++ b/policy/modules/apps/wine.if
|
+++ b/policy/modules/apps/wine.if
|
||||||
@@ -29,12 +29,16 @@
|
@@ -29,12 +29,16 @@
|
||||||
@ -6641,7 +6695,17 @@ index c26662d..9cbfded 100644
|
|||||||
allow wine_t $2:fd use;
|
allow wine_t $2:fd use;
|
||||||
allow wine_t $2:process { sigchld signull };
|
allow wine_t $2:process { sigchld signull };
|
||||||
allow wine_t $2:unix_stream_socket connectto;
|
allow wine_t $2:unix_stream_socket connectto;
|
||||||
@@ -86,6 +90,7 @@ template(`wine_role',`
|
@@ -44,8 +48,7 @@ template(`wine_role',`
|
||||||
|
allow $2 wine_t:process signal_perms;
|
||||||
|
|
||||||
|
allow $2 wine_t:fd use;
|
||||||
|
- allow $2 wine_t:shm { associate getattr };
|
||||||
|
- allow $2 wine_t:shm { unix_read unix_write };
|
||||||
|
+ allow $2 wine_t:shm { associate getattr unix_read unix_write };
|
||||||
|
allow $2 wine_t:unix_stream_socket connectto;
|
||||||
|
|
||||||
|
# X access, Home files
|
||||||
|
@@ -86,6 +89,7 @@ template(`wine_role',`
|
||||||
#
|
#
|
||||||
template(`wine_role_template',`
|
template(`wine_role_template',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -6649,7 +6713,7 @@ index c26662d..9cbfded 100644
|
|||||||
type wine_exec_t;
|
type wine_exec_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -101,9 +106,16 @@ template(`wine_role_template',`
|
@@ -101,9 +105,16 @@ template(`wine_role_template',`
|
||||||
corecmd_bin_domtrans($1_wine_t, $1_t)
|
corecmd_bin_domtrans($1_wine_t, $1_t)
|
||||||
|
|
||||||
userdom_unpriv_usertype($1, $1_wine_t)
|
userdom_unpriv_usertype($1, $1_wine_t)
|
||||||
@ -6668,6 +6732,29 @@ index c26662d..9cbfded 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
xserver_role($1_r, $1_wine_t)
|
xserver_role($1_r, $1_wine_t)
|
||||||
|
@@ -153,3 +164,22 @@ interface(`wine_run',`
|
||||||
|
wine_domtrans($1)
|
||||||
|
role $2 types wine_t;
|
||||||
|
')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Read and write wine Shared
|
||||||
|
+## memory segments.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`wine_rw_shm',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type wine_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 wine_t:shm rw_shm_perms;
|
||||||
|
+')
|
||||||
diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
|
diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
|
||||||
index 8af45db..6fe38a1 100644
|
index 8af45db..6fe38a1 100644
|
||||||
--- a/policy/modules/apps/wine.te
|
--- a/policy/modules/apps/wine.te
|
||||||
@ -7703,7 +7790,7 @@ index 3517db2..bd4c23d 100644
|
|||||||
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
|
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
|
||||||
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||||
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
|
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
|
||||||
index 5302dac..73e4119 100644
|
index 5302dac..96a406d 100644
|
||||||
--- a/policy/modules/kernel/files.if
|
--- a/policy/modules/kernel/files.if
|
||||||
+++ b/policy/modules/kernel/files.if
|
+++ b/policy/modules/kernel/files.if
|
||||||
@@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
|
@@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
|
||||||
@ -8001,7 +8088,32 @@ index 5302dac..73e4119 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -5138,12 +5355,12 @@ interface(`files_getattr_generic_locks',`
|
@@ -4718,6 +4935,24 @@ interface(`files_read_var_files',`
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
+## Append files in the /var directory.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`files_append_var_files',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type var_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ append_files_pattern($1, var_t, var_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
## Read and write files in the /var directory.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
@@ -5138,12 +5373,12 @@ interface(`files_getattr_generic_locks',`
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`files_delete_generic_locks',`
|
interface(`files_delete_generic_locks',`
|
||||||
@ -8019,7 +8131,7 @@ index 5302dac..73e4119 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -5317,6 +5534,43 @@ interface(`files_search_pids',`
|
@@ -5317,6 +5552,43 @@ interface(`files_search_pids',`
|
||||||
search_dirs_pattern($1, var_t, var_run_t)
|
search_dirs_pattern($1, var_t, var_run_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -8063,7 +8175,7 @@ index 5302dac..73e4119 100644
|
|||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Do not audit attempts to search
|
## Do not audit attempts to search
|
||||||
@@ -5524,6 +5778,26 @@ interface(`files_dontaudit_ioctl_all_pids',`
|
@@ -5524,6 +5796,26 @@ interface(`files_dontaudit_ioctl_all_pids',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -8090,7 +8202,7 @@ index 5302dac..73e4119 100644
|
|||||||
## Read all process ID files.
|
## Read all process ID files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -5541,6 +5815,7 @@ interface(`files_read_all_pids',`
|
@@ -5541,6 +5833,7 @@ interface(`files_read_all_pids',`
|
||||||
|
|
||||||
list_dirs_pattern($1, var_t, pidfile)
|
list_dirs_pattern($1, var_t, pidfile)
|
||||||
read_files_pattern($1, pidfile, pidfile)
|
read_files_pattern($1, pidfile, pidfile)
|
||||||
@ -8098,7 +8210,7 @@ index 5302dac..73e4119 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -5826,3 +6101,229 @@ interface(`files_unconfined',`
|
@@ -5826,3 +6119,229 @@ interface(`files_unconfined',`
|
||||||
|
|
||||||
typeattribute $1 files_unconfined_type;
|
typeattribute $1 files_unconfined_type;
|
||||||
')
|
')
|
||||||
@ -8610,7 +8722,7 @@ index e3e17ba..3b34959 100644
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
|
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
|
||||||
index fb63c3a..712e644 100644
|
index fb63c3a..3561f03 100644
|
||||||
--- a/policy/modules/kernel/filesystem.te
|
--- a/policy/modules/kernel/filesystem.te
|
||||||
+++ b/policy/modules/kernel/filesystem.te
|
+++ b/policy/modules/kernel/filesystem.te
|
||||||
@@ -52,6 +52,7 @@ type anon_inodefs_t;
|
@@ -52,6 +52,7 @@ type anon_inodefs_t;
|
||||||
@ -8621,7 +8733,7 @@ index fb63c3a..712e644 100644
|
|||||||
|
|
||||||
type bdev_t;
|
type bdev_t;
|
||||||
fs_type(bdev_t)
|
fs_type(bdev_t)
|
||||||
@@ -67,7 +68,7 @@ fs_type(capifs_t)
|
@@ -67,10 +68,11 @@ fs_type(capifs_t)
|
||||||
files_mountpoint(capifs_t)
|
files_mountpoint(capifs_t)
|
||||||
genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
|
genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
|
||||||
|
|
||||||
@ -8630,7 +8742,11 @@ index fb63c3a..712e644 100644
|
|||||||
fs_type(cgroup_t)
|
fs_type(cgroup_t)
|
||||||
files_type(cgroup_t)
|
files_type(cgroup_t)
|
||||||
files_mountpoint(cgroup_t)
|
files_mountpoint(cgroup_t)
|
||||||
@@ -106,6 +107,15 @@ fs_type(ibmasmfs_t)
|
+dev_associate_sysfs(cgroup_t)
|
||||||
|
genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
|
||||||
|
|
||||||
|
type configfs_t;
|
||||||
|
@@ -106,6 +108,15 @@ fs_type(ibmasmfs_t)
|
||||||
allow ibmasmfs_t self:filesystem associate;
|
allow ibmasmfs_t self:filesystem associate;
|
||||||
genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0)
|
genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0)
|
||||||
|
|
||||||
@ -8646,7 +8762,7 @@ index fb63c3a..712e644 100644
|
|||||||
type inotifyfs_t;
|
type inotifyfs_t;
|
||||||
fs_type(inotifyfs_t)
|
fs_type(inotifyfs_t)
|
||||||
genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
|
genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
|
||||||
@@ -148,6 +158,12 @@ fs_type(squash_t)
|
@@ -148,6 +159,12 @@ fs_type(squash_t)
|
||||||
genfscon squash / gen_context(system_u:object_r:squash_t,s0)
|
genfscon squash / gen_context(system_u:object_r:squash_t,s0)
|
||||||
files_mountpoint(squash_t)
|
files_mountpoint(squash_t)
|
||||||
|
|
||||||
@ -8659,7 +8775,7 @@ index fb63c3a..712e644 100644
|
|||||||
type vmblock_t;
|
type vmblock_t;
|
||||||
fs_noxattr_type(vmblock_t)
|
fs_noxattr_type(vmblock_t)
|
||||||
files_mountpoint(vmblock_t)
|
files_mountpoint(vmblock_t)
|
||||||
@@ -248,6 +264,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
|
@@ -248,6 +265,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
|
||||||
type removable_t;
|
type removable_t;
|
||||||
allow removable_t noxattrfs:filesystem associate;
|
allow removable_t noxattrfs:filesystem associate;
|
||||||
fs_noxattr_type(removable_t)
|
fs_noxattr_type(removable_t)
|
||||||
@ -10282,10 +10398,10 @@ index 0000000..8b2cdf3
|
|||||||
+
|
+
|
||||||
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
|
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..faef468
|
index 0000000..821d0dd
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/roles/unconfineduser.te
|
+++ b/policy/modules/roles/unconfineduser.te
|
||||||
@@ -0,0 +1,458 @@
|
@@ -0,0 +1,462 @@
|
||||||
+policy_module(unconfineduser, 1.0.0)
|
+policy_module(unconfineduser, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -10474,7 +10590,11 @@ index 0000000..faef468
|
|||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
+ xserver_rw_shm(unconfined_usertype)
|
+ gen_require(`
|
||||||
|
+ type user_tmpfs_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ xserver_rw_session(unconfined_usertype, user_tmpfs_t)
|
||||||
+ xserver_run_xauth(unconfined_usertype, unconfined_r)
|
+ xserver_run_xauth(unconfined_usertype, unconfined_r)
|
||||||
+ xserver_dbus_chat_xdm(unconfined_usertype)
|
+ xserver_dbus_chat_xdm(unconfined_usertype)
|
||||||
+ ')
|
+ ')
|
||||||
@ -12631,7 +12751,7 @@ index 67c91aa..472ddad 100644
|
|||||||
mta_system_content(apcupsd_tmp_t)
|
mta_system_content(apcupsd_tmp_t)
|
||||||
')
|
')
|
||||||
diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
|
diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
|
||||||
index 1c8c27e..1a44ccb 100644
|
index 1c8c27e..c6832b0 100644
|
||||||
--- a/policy/modules/services/apm.te
|
--- a/policy/modules/services/apm.te
|
||||||
+++ b/policy/modules/services/apm.te
|
+++ b/policy/modules/services/apm.te
|
||||||
@@ -62,6 +62,7 @@ allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
|
@@ -62,6 +62,7 @@ allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
|
||||||
@ -12650,18 +12770,34 @@ index 1c8c27e..1a44ccb 100644
|
|||||||
dev_read_realtime_clock(apmd_t)
|
dev_read_realtime_clock(apmd_t)
|
||||||
dev_read_urand(apmd_t)
|
dev_read_urand(apmd_t)
|
||||||
dev_rw_apm_bios(apmd_t)
|
dev_rw_apm_bios(apmd_t)
|
||||||
@@ -144,6 +146,10 @@ ifdef(`distro_redhat',`
|
@@ -142,9 +144,8 @@ ifdef(`distro_redhat',`
|
||||||
|
|
||||||
# ifconfig_exec_t needs to be run in its own domain for Red Hat
|
can_exec(apmd_t, apmd_var_run_t)
|
||||||
|
|
||||||
|
- # ifconfig_exec_t needs to be run in its own domain for Red Hat
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
- sysnet_domtrans_ifconfig(apmd_t)
|
||||||
|
+ fstools_domtrans(apmd_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
@@ -155,6 +156,15 @@ ifdef(`distro_redhat',`
|
||||||
|
netutils_domtrans(apmd_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
+ # ifconfig_exec_t needs to be run in its own domain for Red Hat
|
||||||
|
+ optional_policy(`
|
||||||
+ sssd_search_lib(apmd_t)
|
+ sssd_search_lib(apmd_t)
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
sysnet_domtrans_ifconfig(apmd_t)
|
+ sysnet_domtrans_ifconfig(apmd_t)
|
||||||
')
|
+ ')
|
||||||
|
+
|
||||||
@@ -218,9 +224,13 @@ optional_policy(`
|
',`
|
||||||
|
# for ifconfig which is run all the time
|
||||||
|
kernel_dontaudit_search_sysctl(apmd_t)
|
||||||
|
@@ -218,9 +228,13 @@ optional_policy(`
|
||||||
udev_read_state(apmd_t) #necessary?
|
udev_read_state(apmd_t) #necessary?
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -15329,10 +15465,23 @@ index 1b492ed..286ec9e 100644
|
|||||||
+
|
+
|
||||||
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||||
diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if
|
diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if
|
||||||
index 305ddf4..2c2a551 100644
|
index 305ddf4..fb3454a 100644
|
||||||
--- a/policy/modules/services/cups.if
|
--- a/policy/modules/services/cups.if
|
||||||
+++ b/policy/modules/services/cups.if
|
+++ b/policy/modules/services/cups.if
|
||||||
@@ -314,7 +314,7 @@ interface(`cups_stream_connect_ptal',`
|
@@ -190,10 +190,12 @@ interface(`cups_dbus_chat_config',`
|
||||||
|
interface(`cups_read_config',`
|
||||||
|
gen_require(`
|
||||||
|
type cupsd_etc_t, cupsd_rw_etc_t;
|
||||||
|
+ type hplip_etc_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_etc($1)
|
||||||
|
read_files_pattern($1, cupsd_etc_t, cupsd_etc_t)
|
||||||
|
+ read_files_pattern($1, hplip_etc_t, hplip_etc_t)
|
||||||
|
read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
@@ -314,11 +316,12 @@ interface(`cups_stream_connect_ptal',`
|
||||||
interface(`cups_admin',`
|
interface(`cups_admin',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
|
type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
|
||||||
@ -15341,7 +15490,12 @@ index 305ddf4..2c2a551 100644
|
|||||||
type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
|
type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
|
||||||
type cupsd_var_run_t, ptal_etc_t;
|
type cupsd_var_run_t, ptal_etc_t;
|
||||||
type ptal_var_run_t, hplip_var_run_t;
|
type ptal_var_run_t, hplip_var_run_t;
|
||||||
@@ -341,9 +341,6 @@ interface(`cups_admin',`
|
type cupsd_initrc_exec_t;
|
||||||
|
+ type hplip_etc_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 cupsd_t:process { ptrace signal_perms };
|
||||||
|
@@ -341,15 +344,14 @@ interface(`cups_admin',`
|
||||||
|
|
||||||
admin_pattern($1, cupsd_lpd_var_run_t)
|
admin_pattern($1, cupsd_lpd_var_run_t)
|
||||||
|
|
||||||
@ -15351,6 +15505,14 @@ index 305ddf4..2c2a551 100644
|
|||||||
admin_pattern($1, cupsd_tmp_t)
|
admin_pattern($1, cupsd_tmp_t)
|
||||||
files_list_tmp($1)
|
files_list_tmp($1)
|
||||||
|
|
||||||
|
admin_pattern($1, cupsd_var_run_t)
|
||||||
|
files_list_pids($1)
|
||||||
|
|
||||||
|
+ admin_pattern($1, hplip_etc_t)
|
||||||
|
+
|
||||||
|
admin_pattern($1, hplip_var_run_t)
|
||||||
|
|
||||||
|
admin_pattern($1, ptal_etc_t)
|
||||||
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
|
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
|
||||||
index 0f28095..11e74af 100644
|
index 0f28095..11e74af 100644
|
||||||
--- a/policy/modules/services/cups.te
|
--- a/policy/modules/services/cups.te
|
||||||
@ -15706,7 +15868,7 @@ index 8ba9425..d53ee7e 100644
|
|||||||
+ gnome_dontaudit_search_config(denyhosts_t)
|
+ gnome_dontaudit_search_config(denyhosts_t)
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
|
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
|
||||||
index f231f17..a7de603 100644
|
index f231f17..ccacea9 100644
|
||||||
--- a/policy/modules/services/devicekit.te
|
--- a/policy/modules/services/devicekit.te
|
||||||
+++ b/policy/modules/services/devicekit.te
|
+++ b/policy/modules/services/devicekit.te
|
||||||
@@ -75,10 +75,12 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
|
@@ -75,10 +75,12 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
|
||||||
@ -15734,7 +15896,7 @@ index f231f17..a7de603 100644
|
|||||||
files_manage_isid_type_dirs(devicekit_disk_t)
|
files_manage_isid_type_dirs(devicekit_disk_t)
|
||||||
files_manage_mnt_dirs(devicekit_disk_t)
|
files_manage_mnt_dirs(devicekit_disk_t)
|
||||||
files_read_etc_files(devicekit_disk_t)
|
files_read_etc_files(devicekit_disk_t)
|
||||||
@@ -178,13 +182,25 @@ optional_policy(`
|
@@ -178,17 +182,33 @@ optional_policy(`
|
||||||
virt_manage_images(devicekit_disk_t)
|
virt_manage_images(devicekit_disk_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -15761,7 +15923,23 @@ index f231f17..a7de603 100644
|
|||||||
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
|
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
|
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
|
||||||
allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
|
allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||||
@@ -225,6 +241,8 @@ auth_use_nsswitch(devicekit_power_t)
|
|
||||||
|
+manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
|
||||||
|
+manage_files_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
|
||||||
|
+files_tmp_filetrans(devicekit_power_t, devicekit_tmp_t, { file dir })
|
||||||
|
+
|
||||||
|
manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
|
||||||
|
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
|
||||||
|
files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
|
||||||
|
@@ -212,6 +232,7 @@ dev_rw_generic_usb_dev(devicekit_power_t)
|
||||||
|
dev_rw_generic_chr_files(devicekit_power_t)
|
||||||
|
dev_rw_netcontrol(devicekit_power_t)
|
||||||
|
dev_rw_sysfs(devicekit_power_t)
|
||||||
|
+dev_read_rand(devicekit_power_t)
|
||||||
|
|
||||||
|
files_read_kernel_img(devicekit_power_t)
|
||||||
|
files_read_etc_files(devicekit_power_t)
|
||||||
|
@@ -225,6 +246,8 @@ auth_use_nsswitch(devicekit_power_t)
|
||||||
|
|
||||||
miscfiles_read_localization(devicekit_power_t)
|
miscfiles_read_localization(devicekit_power_t)
|
||||||
|
|
||||||
@ -17104,10 +17282,10 @@ index 03742d8..7b9c543 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if
|
diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if
|
||||||
index 7cf6763..d01cab6 100644
|
index 7cf6763..5b9771e 100644
|
||||||
--- a/policy/modules/services/hal.if
|
--- a/policy/modules/services/hal.if
|
||||||
+++ b/policy/modules/services/hal.if
|
+++ b/policy/modules/services/hal.if
|
||||||
@@ -377,6 +377,26 @@ interface(`hal_read_pid_files',`
|
@@ -377,6 +377,25 @@ interface(`hal_read_pid_files',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -17125,8 +17303,7 @@ index 7cf6763..d01cab6 100644
|
|||||||
+ type hald_var_run_t;
|
+ type hald_var_run_t;
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ files_search_pids($1)
|
+ dontaudit $1 hald_var_run_t:file read_inherited_file_perms;
|
||||||
+ allow $1 hald_var_run_t:file read_inherited_file_perms;
|
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -17134,6 +17311,34 @@ index 7cf6763..d01cab6 100644
|
|||||||
## Read/Write hald PID files.
|
## Read/Write hald PID files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
|
@@ -431,3 +450,27 @@ interface(`hal_manage_pid_files',`
|
||||||
|
files_search_pids($1)
|
||||||
|
manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
|
||||||
|
')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## dontaudit read and write an leaked file descriptors
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`hal_dontaudit_leaks',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type hald_log_t;
|
||||||
|
+ type hald_t;
|
||||||
|
+ type hald_var_run_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ dontaudit $1 hald_t:fd use;
|
||||||
|
+ dontaudit $1 hald_log_t:file rw_inherited_file_perms;
|
||||||
|
+ dontaudit $1 hald_t:fifo_file rw_inherited_fifo_file_perms;
|
||||||
|
+ dontaudit hald_t $1:socket_class_set { read write };
|
||||||
|
+ dontaudit $1 hald_var_run_t:file read_inherited_file_perms;
|
||||||
|
+')
|
||||||
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
|
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
|
||||||
index 24c6253..0a54d67 100644
|
index 24c6253..0a54d67 100644
|
||||||
--- a/policy/modules/services/hal.te
|
--- a/policy/modules/services/hal.te
|
||||||
@ -17233,19 +17438,21 @@ index 24c6253..0a54d67 100644
|
|||||||
#
|
#
|
||||||
# Local hald dccm policy
|
# Local hald dccm policy
|
||||||
diff --git a/policy/modules/services/icecast.te b/policy/modules/services/icecast.te
|
diff --git a/policy/modules/services/icecast.te b/policy/modules/services/icecast.te
|
||||||
index a57ffc0..fbcdd74 100644
|
index a57ffc0..f441c9a 100644
|
||||||
--- a/policy/modules/services/icecast.te
|
--- a/policy/modules/services/icecast.te
|
||||||
+++ b/policy/modules/services/icecast.te
|
+++ b/policy/modules/services/icecast.te
|
||||||
@@ -37,6 +37,8 @@ manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
|
@@ -37,7 +37,10 @@ manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
|
||||||
manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
|
manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
|
||||||
files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir })
|
files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir })
|
||||||
|
|
||||||
+kernel_read_system_state(icecast_t)
|
+kernel_read_system_state(icecast_t)
|
||||||
+
|
+
|
||||||
corenet_tcp_bind_soundd_port(icecast_t)
|
corenet_tcp_bind_soundd_port(icecast_t)
|
||||||
|
+corenet_tcp_connect_soundd_port(icecast_t)
|
||||||
|
|
||||||
# Init script handling
|
# Init script handling
|
||||||
@@ -51,5 +53,9 @@ miscfiles_read_localization(icecast_t)
|
domain_use_interactive_fds(icecast_t)
|
||||||
|
@@ -51,5 +54,9 @@ miscfiles_read_localization(icecast_t)
|
||||||
sysnet_dns_name_resolve(icecast_t)
|
sysnet_dns_name_resolve(icecast_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -23017,10 +23224,19 @@ index a96249c..ca97ead 100644
|
|||||||
role_transition $2 rpcbind_initrc_exec_t system_r;
|
role_transition $2 rpcbind_initrc_exec_t system_r;
|
||||||
allow $2 system_r;
|
allow $2 system_r;
|
||||||
diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
|
diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
|
||||||
index d6d76e1..af3353c 100644
|
index d6d76e1..9cb5e25 100644
|
||||||
--- a/policy/modules/services/rpcbind.te
|
--- a/policy/modules/services/rpcbind.te
|
||||||
+++ b/policy/modules/services/rpcbind.te
|
+++ b/policy/modules/services/rpcbind.te
|
||||||
@@ -71,3 +71,7 @@ sysnet_dns_name_resolve(rpcbind_t)
|
@@ -43,6 +43,8 @@ kernel_read_system_state(rpcbind_t)
|
||||||
|
kernel_read_network_state(rpcbind_t)
|
||||||
|
kernel_request_load_module(rpcbind_t)
|
||||||
|
|
||||||
|
+corecmd_exec_shell(rpcbind_t)
|
||||||
|
+
|
||||||
|
corenet_all_recvfrom_unlabeled(rpcbind_t)
|
||||||
|
corenet_all_recvfrom_netlabel(rpcbind_t)
|
||||||
|
corenet_tcp_sendrecv_generic_if(rpcbind_t)
|
||||||
|
@@ -71,3 +73,7 @@ sysnet_dns_name_resolve(rpcbind_t)
|
||||||
ifdef(`hide_broken_symptoms',`
|
ifdef(`hide_broken_symptoms',`
|
||||||
dontaudit rpcbind_t self:udp_socket listen;
|
dontaudit rpcbind_t self:udp_socket listen;
|
||||||
')
|
')
|
||||||
@ -26774,7 +26990,7 @@ index da2601a..6ff8f25 100644
|
|||||||
+ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
|
+ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
|
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
|
||||||
index 8084740..288d513 100644
|
index 8084740..60da940 100644
|
||||||
--- a/policy/modules/services/xserver.te
|
--- a/policy/modules/services/xserver.te
|
||||||
+++ b/policy/modules/services/xserver.te
|
+++ b/policy/modules/services/xserver.te
|
||||||
@@ -35,6 +35,13 @@ gen_tunable(allow_write_xshm, false)
|
@@ -35,6 +35,13 @@ gen_tunable(allow_write_xshm, false)
|
||||||
@ -27578,7 +27794,7 @@ index 8084740..288d513 100644
|
|||||||
|
|
||||||
userdom_search_user_home_dirs(xserver_t)
|
userdom_search_user_home_dirs(xserver_t)
|
||||||
userdom_use_user_ttys(xserver_t)
|
userdom_use_user_ttys(xserver_t)
|
||||||
@@ -775,14 +1072,34 @@ optional_policy(`
|
@@ -775,20 +1072,44 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -27614,7 +27830,17 @@ index 8084740..288d513 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
userhelper_search_config(xserver_t)
|
userhelper_search_config(xserver_t)
|
||||||
@@ -804,10 +1121,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
+ wine_rw_shm(xserver_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
xfs_stream_connect(xserver_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
@@ -804,10 +1125,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
|
||||||
|
|
||||||
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
|
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
|
||||||
# handle of a file inside the dir!!!
|
# handle of a file inside the dir!!!
|
||||||
@ -27627,7 +27853,7 @@ index 8084740..288d513 100644
|
|||||||
|
|
||||||
# Label pid and temporary files with derived types.
|
# Label pid and temporary files with derived types.
|
||||||
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||||
@@ -828,6 +1145,13 @@ init_use_fds(xserver_t)
|
@@ -828,6 +1149,13 @@ init_use_fds(xserver_t)
|
||||||
# to read ROLE_home_t - examine this in more detail
|
# to read ROLE_home_t - examine this in more detail
|
||||||
# (xauth?)
|
# (xauth?)
|
||||||
userdom_read_user_home_content_files(xserver_t)
|
userdom_read_user_home_content_files(xserver_t)
|
||||||
@ -27641,7 +27867,7 @@ index 8084740..288d513 100644
|
|||||||
|
|
||||||
tunable_policy(`use_nfs_home_dirs',`
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
fs_manage_nfs_dirs(xserver_t)
|
fs_manage_nfs_dirs(xserver_t)
|
||||||
@@ -843,11 +1167,14 @@ tunable_policy(`use_samba_home_dirs',`
|
@@ -843,11 +1171,14 @@ tunable_policy(`use_samba_home_dirs',`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_system_bus_client(xserver_t)
|
dbus_system_bus_client(xserver_t)
|
||||||
@ -27658,7 +27884,7 @@ index 8084740..288d513 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -993,3 +1320,33 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
|
@@ -993,3 +1324,33 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
|
||||||
allow xserver_unconfined_type xextension_type:x_extension *;
|
allow xserver_unconfined_type xextension_type:x_extension *;
|
||||||
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
|
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
|
||||||
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
|
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
|
||||||
@ -30291,7 +30517,7 @@ index 9df8c4d..1d2236b 100644
|
|||||||
+/opt/google/picasa/.*\.dll -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
+/opt/google/picasa/.*\.dll -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
+/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
+/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
|
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
|
||||||
index bf416a4..6f36eca 100644
|
index bf416a4..af2af2d 100644
|
||||||
--- a/policy/modules/system/libraries.te
|
--- a/policy/modules/system/libraries.te
|
||||||
+++ b/policy/modules/system/libraries.te
|
+++ b/policy/modules/system/libraries.te
|
||||||
@@ -61,7 +61,7 @@ allow ldconfig_t self:capability { dac_override sys_chroot };
|
@@ -61,7 +61,7 @@ allow ldconfig_t self:capability { dac_override sys_chroot };
|
||||||
@ -30330,7 +30556,18 @@ index bf416a4..6f36eca 100644
|
|||||||
ifdef(`hide_broken_symptoms',`
|
ifdef(`hide_broken_symptoms',`
|
||||||
ifdef(`distro_gentoo',`
|
ifdef(`distro_gentoo',`
|
||||||
# leaked fds from portage
|
# leaked fds from portage
|
||||||
@@ -141,6 +147,10 @@ optional_policy(`
|
@@ -131,6 +137,10 @@ optional_policy(`
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
+ gnome_append_generic_cache_files(ldconfig_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
puppet_rw_tmp(ldconfig_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
@@ -141,6 +151,10 @@ optional_policy(`
|
||||||
rpm_manage_script_tmp_files(ldconfig_t)
|
rpm_manage_script_tmp_files(ldconfig_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -30963,7 +31200,7 @@ index 9c0faab..def8d5a 100644
|
|||||||
## loading modules.
|
## loading modules.
|
||||||
## </summary>
|
## </summary>
|
||||||
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
|
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
|
||||||
index 74a4466..a3b7b0d 100644
|
index 74a4466..f39f39f 100644
|
||||||
--- a/policy/modules/system/modutils.te
|
--- a/policy/modules/system/modutils.te
|
||||||
+++ b/policy/modules/system/modutils.te
|
+++ b/policy/modules/system/modutils.te
|
||||||
@@ -18,6 +18,7 @@ type insmod_t;
|
@@ -18,6 +18,7 @@ type insmod_t;
|
||||||
@ -30974,7 +31211,7 @@ index 74a4466..a3b7b0d 100644
|
|||||||
role system_r types insmod_t;
|
role system_r types insmod_t;
|
||||||
|
|
||||||
# module loading config
|
# module loading config
|
||||||
@@ -55,12 +56,14 @@ corecmd_search_bin(depmod_t)
|
@@ -55,12 +56,15 @@ corecmd_search_bin(depmod_t)
|
||||||
|
|
||||||
domain_use_interactive_fds(depmod_t)
|
domain_use_interactive_fds(depmod_t)
|
||||||
|
|
||||||
@ -30985,11 +31222,12 @@ index 74a4466..a3b7b0d 100644
|
|||||||
files_read_etc_files(depmod_t)
|
files_read_etc_files(depmod_t)
|
||||||
files_read_usr_src_files(depmod_t)
|
files_read_usr_src_files(depmod_t)
|
||||||
files_list_usr(depmod_t)
|
files_list_usr(depmod_t)
|
||||||
|
+files_append_var_files(depmod_t)
|
||||||
+files_read_boot_files(depmod_t)
|
+files_read_boot_files(depmod_t)
|
||||||
|
|
||||||
fs_getattr_xattr_fs(depmod_t)
|
fs_getattr_xattr_fs(depmod_t)
|
||||||
|
|
||||||
@@ -74,6 +77,7 @@ userdom_use_user_terminals(depmod_t)
|
@@ -74,6 +78,7 @@ userdom_use_user_terminals(depmod_t)
|
||||||
# Read System.map from home directories.
|
# Read System.map from home directories.
|
||||||
files_list_home(depmod_t)
|
files_list_home(depmod_t)
|
||||||
userdom_read_user_home_content_files(depmod_t)
|
userdom_read_user_home_content_files(depmod_t)
|
||||||
@ -30997,7 +31235,7 @@ index 74a4466..a3b7b0d 100644
|
|||||||
|
|
||||||
ifdef(`distro_ubuntu',`
|
ifdef(`distro_ubuntu',`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -94,17 +98,21 @@ optional_policy(`
|
@@ -94,17 +99,21 @@ optional_policy(`
|
||||||
rpm_manage_script_tmp_files(depmod_t)
|
rpm_manage_script_tmp_files(depmod_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -31020,7 +31258,7 @@ index 74a4466..a3b7b0d 100644
|
|||||||
allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
|
allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
|
||||||
|
|
||||||
allow insmod_t self:udp_socket create_socket_perms;
|
allow insmod_t self:udp_socket create_socket_perms;
|
||||||
@@ -125,6 +133,7 @@ kernel_write_proc_files(insmod_t)
|
@@ -125,6 +134,7 @@ kernel_write_proc_files(insmod_t)
|
||||||
kernel_mount_debugfs(insmod_t)
|
kernel_mount_debugfs(insmod_t)
|
||||||
kernel_mount_kvmfs(insmod_t)
|
kernel_mount_kvmfs(insmod_t)
|
||||||
kernel_read_debugfs(insmod_t)
|
kernel_read_debugfs(insmod_t)
|
||||||
@ -31028,7 +31266,7 @@ index 74a4466..a3b7b0d 100644
|
|||||||
# Rules for /proc/sys/kernel/tainted
|
# Rules for /proc/sys/kernel/tainted
|
||||||
kernel_read_kernel_sysctls(insmod_t)
|
kernel_read_kernel_sysctls(insmod_t)
|
||||||
kernel_rw_kernel_sysctl(insmod_t)
|
kernel_rw_kernel_sysctl(insmod_t)
|
||||||
@@ -142,6 +151,7 @@ dev_rw_agp(insmod_t)
|
@@ -142,6 +152,7 @@ dev_rw_agp(insmod_t)
|
||||||
dev_read_sound(insmod_t)
|
dev_read_sound(insmod_t)
|
||||||
dev_write_sound(insmod_t)
|
dev_write_sound(insmod_t)
|
||||||
dev_rw_apm_bios(insmod_t)
|
dev_rw_apm_bios(insmod_t)
|
||||||
@ -31036,7 +31274,7 @@ index 74a4466..a3b7b0d 100644
|
|||||||
|
|
||||||
domain_signal_all_domains(insmod_t)
|
domain_signal_all_domains(insmod_t)
|
||||||
domain_use_interactive_fds(insmod_t)
|
domain_use_interactive_fds(insmod_t)
|
||||||
@@ -160,11 +170,15 @@ files_write_kernel_modules(insmod_t)
|
@@ -160,11 +171,15 @@ files_write_kernel_modules(insmod_t)
|
||||||
|
|
||||||
fs_getattr_xattr_fs(insmod_t)
|
fs_getattr_xattr_fs(insmod_t)
|
||||||
fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
|
fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
|
||||||
@ -31052,7 +31290,7 @@ index 74a4466..a3b7b0d 100644
|
|||||||
|
|
||||||
logging_send_syslog_msg(insmod_t)
|
logging_send_syslog_msg(insmod_t)
|
||||||
logging_search_logs(insmod_t)
|
logging_search_logs(insmod_t)
|
||||||
@@ -173,8 +187,7 @@ miscfiles_read_localization(insmod_t)
|
@@ -173,8 +188,7 @@ miscfiles_read_localization(insmod_t)
|
||||||
|
|
||||||
seutil_read_file_contexts(insmod_t)
|
seutil_read_file_contexts(insmod_t)
|
||||||
|
|
||||||
@ -31062,7 +31300,7 @@ index 74a4466..a3b7b0d 100644
|
|||||||
userdom_dontaudit_search_user_home_dirs(insmod_t)
|
userdom_dontaudit_search_user_home_dirs(insmod_t)
|
||||||
|
|
||||||
if( ! secure_mode_insmod ) {
|
if( ! secure_mode_insmod ) {
|
||||||
@@ -191,6 +204,10 @@ optional_policy(`
|
@@ -191,6 +205,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -31073,7 +31311,7 @@ index 74a4466..a3b7b0d 100644
|
|||||||
hal_write_log(insmod_t)
|
hal_write_log(insmod_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -229,10 +246,18 @@ optional_policy(`
|
@@ -229,10 +247,18 @@ optional_policy(`
|
||||||
rpm_rw_pipes(insmod_t)
|
rpm_rw_pipes(insmod_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -31691,10 +31929,21 @@ index 2cc4bda..9e81136 100644
|
|||||||
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
|
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
|
||||||
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
|
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
|
||||||
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
|
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
|
||||||
index 170e2c7..3f27d1b 100644
|
index 170e2c7..bbaa8cf 100644
|
||||||
--- a/policy/modules/system/selinuxutil.if
|
--- a/policy/modules/system/selinuxutil.if
|
||||||
+++ b/policy/modules/system/selinuxutil.if
|
+++ b/policy/modules/system/selinuxutil.if
|
||||||
@@ -361,6 +361,27 @@ interface(`seutil_exec_restorecon',`
|
@@ -85,6 +85,10 @@ interface(`seutil_domtrans_loadpolicy',`
|
||||||
|
|
||||||
|
corecmd_search_bin($1)
|
||||||
|
domtrans_pattern($1, load_policy_exec_t, load_policy_t)
|
||||||
|
+
|
||||||
|
+ ifdef(`hide_broken_symptoms', `
|
||||||
|
+ dontaudit load_policy_t $1:socket_class_set { read write };
|
||||||
|
+ ')
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
@@ -361,6 +365,27 @@ interface(`seutil_exec_restorecon',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -31722,7 +31971,18 @@ index 170e2c7..3f27d1b 100644
|
|||||||
## Execute run_init in the run_init domain.
|
## Execute run_init in the run_init domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -545,6 +566,53 @@ interface(`seutil_run_setfiles',`
|
@@ -514,6 +539,10 @@ interface(`seutil_domtrans_setfiles',`
|
||||||
|
files_search_usr($1)
|
||||||
|
corecmd_search_bin($1)
|
||||||
|
domtrans_pattern($1, setfiles_exec_t, setfiles_t)
|
||||||
|
+
|
||||||
|
+ ifdef(`hide_broken_symptoms', `
|
||||||
|
+ dontaudit setfiles_t $1:socket_class_set { read write };
|
||||||
|
+ ')
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
@@ -545,6 +574,53 @@ interface(`seutil_run_setfiles',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -31776,7 +32036,7 @@ index 170e2c7..3f27d1b 100644
|
|||||||
## Execute setfiles in the caller domain.
|
## Execute setfiles in the caller domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -690,6 +758,7 @@ interface(`seutil_manage_config',`
|
@@ -690,6 +766,7 @@ interface(`seutil_manage_config',`
|
||||||
')
|
')
|
||||||
|
|
||||||
files_search_etc($1)
|
files_search_etc($1)
|
||||||
@ -31784,10 +32044,18 @@ index 170e2c7..3f27d1b 100644
|
|||||||
manage_files_pattern($1, selinux_config_t, selinux_config_t)
|
manage_files_pattern($1, selinux_config_t, selinux_config_t)
|
||||||
read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
|
read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
|
||||||
')
|
')
|
||||||
@@ -1009,6 +1078,26 @@ interface(`seutil_domtrans_semanage',`
|
@@ -1005,6 +1082,30 @@ interface(`seutil_domtrans_semanage',`
|
||||||
|
files_search_usr($1)
|
||||||
########################################
|
corecmd_search_bin($1)
|
||||||
## <summary>
|
domtrans_pattern($1, semanage_exec_t, semanage_t)
|
||||||
|
+
|
||||||
|
+ ifdef(`hide_broken_symptoms', `
|
||||||
|
+ dontaudit semanage_t $1:socket_class_set { read write };
|
||||||
|
+ ')
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
+## Execute a domain transition to run setsebool.
|
+## Execute a domain transition to run setsebool.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
@ -31804,14 +32072,10 @@ index 170e2c7..3f27d1b 100644
|
|||||||
+ files_search_usr($1)
|
+ files_search_usr($1)
|
||||||
+ corecmd_search_bin($1)
|
+ corecmd_search_bin($1)
|
||||||
+ domtrans_pattern($1, setsebool_exec_t, setsebool_t)
|
+ domtrans_pattern($1, setsebool_exec_t, setsebool_t)
|
||||||
+')
|
')
|
||||||
+
|
|
||||||
+########################################
|
########################################
|
||||||
+## <summary>
|
@@ -1038,6 +1139,54 @@ interface(`seutil_run_semanage',`
|
||||||
## Execute semanage in the semanage domain, and
|
|
||||||
## allow the specified role the semanage domain,
|
|
||||||
## and use the caller's terminal.
|
|
||||||
@@ -1038,6 +1127,54 @@ interface(`seutil_run_semanage',`
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -31866,7 +32130,7 @@ index 170e2c7..3f27d1b 100644
|
|||||||
## Full management of the semanage
|
## Full management of the semanage
|
||||||
## module store.
|
## module store.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -1149,3 +1286,194 @@ interface(`seutil_dontaudit_libselinux_linked',`
|
@@ -1149,3 +1298,194 @@ interface(`seutil_dontaudit_libselinux_linked',`
|
||||||
selinux_dontaudit_get_fs_mount($1)
|
selinux_dontaudit_get_fs_mount($1)
|
||||||
seutil_dontaudit_read_config($1)
|
seutil_dontaudit_read_config($1)
|
||||||
')
|
')
|
||||||
@ -33234,7 +33498,7 @@ index 025348a..59bc26b 100644
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
|
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
|
||||||
index a054cf5..a5d4a43 100644
|
index a054cf5..8451600 100644
|
||||||
--- a/policy/modules/system/udev.te
|
--- a/policy/modules/system/udev.te
|
||||||
+++ b/policy/modules/system/udev.te
|
+++ b/policy/modules/system/udev.te
|
||||||
@@ -52,6 +52,7 @@ allow udev_t self:unix_dgram_socket sendto;
|
@@ -52,6 +52,7 @@ allow udev_t self:unix_dgram_socket sendto;
|
||||||
@ -33282,7 +33546,7 @@ index a054cf5..a5d4a43 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -216,6 +224,10 @@ optional_policy(`
|
@@ -216,11 +224,16 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -33293,7 +33557,24 @@ index a054cf5..a5d4a43 100644
|
|||||||
consoletype_exec(udev_t)
|
consoletype_exec(udev_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -259,6 +271,10 @@ optional_policy(`
|
optional_policy(`
|
||||||
|
cups_domtrans_config(udev_t)
|
||||||
|
+ cups_read_config(udev_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
@@ -233,6 +246,10 @@ optional_policy(`
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
+ gnome_read_home_config(udev_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
lvm_domtrans(udev_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
@@ -259,6 +276,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -33304,7 +33585,7 @@ index a054cf5..a5d4a43 100644
|
|||||||
openct_read_pid_files(udev_t)
|
openct_read_pid_files(udev_t)
|
||||||
openct_domtrans(udev_t)
|
openct_domtrans(udev_t)
|
||||||
')
|
')
|
||||||
@@ -273,6 +289,10 @@ optional_policy(`
|
@@ -273,6 +294,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -20,7 +20,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.9.0
|
Version: 3.9.0
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -469,6 +469,10 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Aug 26 2010 Dan Walsh <dwalsh@redhat.com> 3.9.0-2
|
||||||
|
- More access needed for devicekit
|
||||||
|
- Add dbadm policy
|
||||||
|
|
||||||
* Thu Aug 26 2010 Dan Walsh <dwalsh@redhat.com> 3.9.0-1
|
* Thu Aug 26 2010 Dan Walsh <dwalsh@redhat.com> 3.9.0-1
|
||||||
- Merge with upstream
|
- Merge with upstream
|
||||||
|
|
||||||
|