5 patches from dan. confine insmod and udev on targeted, misc fc fixes, sasl kerberos use, and samba port fixes
This commit is contained in:
parent
99064c9fbd
commit
697489040e
@ -1,4 +1,5 @@
|
||||
- Patch to confine ldconfig in the targeted policy from Dan Walsh.
|
||||
- Patch for sasl's use of kerberos from Dan Walsh.
|
||||
- Patches to confine ldconfig, udev, and insmod in the targeted policy from Dan Walsh.
|
||||
- Man page updates from Dan Walsh.
|
||||
- Two patches from Paul Moore to for ipsec to remove redundant rules and
|
||||
have setkey read the config file.
|
||||
|
@ -4,6 +4,7 @@
|
||||
/usr/games/powermanga -- gen_context(system_u:object_r:games_exec_t,s0)
|
||||
/usr/games/nethack-3.4.3/nethack -- gen_context(system_u:object_r:games_exec_t,s0)
|
||||
/usr/games/vulturesclaw/vulturesclaw -- gen_context(system_u:object_r:games_exec_t,s0)
|
||||
/usr/games/vultureseye/vultureseye -- gen_context(system_u:object_r:games_exec_t,s0)
|
||||
|
||||
/usr/lib/games(/.*)? gen_context(system_u:object_r:games_exec_t,s0)
|
||||
|
||||
|
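Review bot: The new `/usr/lib/games(/.*)?` entry omits the `--` qualifier that every other games_exec_t line in this hunk carries, so the directory, symlinks and any non-executable data under /usr/lib/games are all labeled with an executable type. If the tree holds only program binaries that is harmless, but labeling data files as games_exec_t gives them an entrypoint type they do not need; suggest `/usr/lib/games(/.*)? -- gen_context(system_u:object_r:games_exec_t,s0)` if only regular files are meant, or a short comment above the line saying why the whole tree is labeled.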
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(games,1.1.3)
|
||||
policy_module(games,1.1.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -189,6 +189,7 @@ ifdef(`distro_gentoo', `
|
||||
ifdef(`distro_redhat', `
|
||||
/usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/authconfig/authconfig.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@ -205,6 +206,7 @@ ifdef(`distro_redhat', `
|
||||
/usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/system-config-httpd/system-config-httpd -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/system-config-keyboard/system-config-keyboard -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
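Review bot: The two new bluetooth entries differ only in `lib` versus `lib64`; file-context paths are regular expressions, so one line `/usr/lib(64)?/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)` covers both and keeps the pair from drifting apart on later edits. The `--` qualifier on both lines and on the new system-config-selinux entry matches the rest of the distro_redhat block, which is good. The enclosing `ifdef(distro_redhat)` block starts before this hunk and continues past the second hunk.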
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(corecommands,1.5.4)
|
||||
policy_module(corecommands,1.5.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(corenetwork,1.2.5)
|
||||
policy_module(corenetwork,1.2.6)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -108,7 +108,7 @@ network_port(monopd, tcp,1234,s0)
|
||||
network_port(mysqld, tcp,3306,s0)
|
||||
network_port(nessus, tcp,1241,s0)
|
||||
network_port(netsupport, tcp,5405,s0, udp,5405,s0)
|
||||
network_port(nmbd, udp,137,s0, udp,138,s0, udp,139,s0)
|
||||
network_port(nmbd, udp,137,s0, udp,138,s0)
|
||||
network_port(ntp, udp,123,s0)
|
||||
network_port(ocsp, tcp,9080,s0)
|
||||
network_port(openvpn, tcp,1194,s0, udp,1194,s0)
|
||||
@ -132,7 +132,7 @@ network_port(rndc, tcp,953,s0)
|
||||
network_port(router, udp,520,s0)
|
||||
network_port(rsh, tcp,514,s0)
|
||||
network_port(rsync, tcp,873,s0, udp,873,s0)
|
||||
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
|
||||
network_port(smbd, tcp,139,s0, tcp,445,s0)
|
||||
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
|
||||
network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
|
||||
network_port(spamd, tcp,783,s0)
|
||||
|
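Review bot: The nmbd and smbd declarations are narrowed (udp 139 leaves nmbd_port_t, tcp 137-138 leave smbd_port_t) with nothing in the hunk recording why, and the commit message's "samba port fixes" does not say which conflict or denial prompted it. Ports no longer declared here presumably fall back to the generic reserved-port type, which changes what the samba domains may bind, so a one-line comment above the nmbd line would keep the next reader from widening them back: `# NetBIOS name/datagram service is udp 137/138 (nmbd); session service is tcp 139 and 445 (smbd)`. If the change resolves an overlap with a declaration outside this hunk, name it in that comment.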
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(sasl,1.4.2)
|
||||
policy_module(sasl,1.4.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -17,6 +17,9 @@ type saslauthd_t;
|
||||
type saslauthd_exec_t;
|
||||
init_daemon_domain(saslauthd_t,saslauthd_exec_t)
|
||||
|
||||
type saslauthd_tmp_t;
|
||||
files_tmp_file(saslauthd_tmp_t)
|
||||
|
||||
type saslauthd_var_run_t;
|
||||
files_pid_file(saslauthd_var_run_t)
|
||||
|
||||
@ -33,6 +36,10 @@ allow saslauthd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow saslauthd_t self:tcp_socket create_socket_perms;
|
||||
|
||||
allow saslauthd_t saslauthd_tmp_t:dir setattr;
|
||||
manage_files_pattern(saslauthd_t,saslauthd_tmp_t,saslauthd_tmp_t)
|
||||
files_tmp_filetrans(saslauthd_t,saslauthd_tmp_t,file)
|
||||
|
||||
manage_files_pattern(saslauthd_t,saslauthd_var_run_t,saslauthd_var_run_t)
|
||||
manage_sock_files_pattern(saslauthd_t,saslauthd_var_run_t,saslauthd_var_run_t)
|
||||
files_pid_filetrans(saslauthd_t,saslauthd_var_run_t,file)
|
||||
@ -95,6 +102,10 @@ tunable_policy(`allow_saslauthd_read_shadow',`
|
||||
auth_tunable_read_shadow(saslauthd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
kerberos_read_keytab(saslauthd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
mysql_search_db(saslauthd_t)
|
||||
mysql_stream_connect(saslauthd_t)
|
||||
|
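Review bot: The new tmp rules grant `allow saslauthd_t saslauthd_tmp_t:dir setattr;` but the transition `files_tmp_filetrans(saslauthd_t,saslauthd_tmp_t,file)` covers only regular files, so a directory that saslauthd itself creates under /tmp would get the generic tmp type and the dir rule would never apply to it. If the daemon creates its own tmp directory, the transition should list both classes, `files_tmp_filetrans(saslauthd_t,saslauthd_tmp_t,{ file dir })`, with a matching `manage_dirs_pattern(saslauthd_t,saslauthd_tmp_t,saslauthd_tmp_t)`; if the directory is labeled elsewhere, a comment saying so would save the next reviewer the same question. The kerberos_read_keytab addition in the third hunk is scoped to read access only, which is the right minimum.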
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(modutils,1.2.1)
|
||||
policy_module(modutils,1.2.2)
|
||||
|
||||
gen_require(`
|
||||
bool secure_mode_insmod;
|
||||
@ -68,7 +68,7 @@ files_read_kernel_modules(insmod_t)
|
||||
# for locking: (cjp: ????)
|
||||
files_write_kernel_modules(insmod_t)
|
||||
|
||||
dev_read_sysfs(insmod_t)
|
||||
dev_rw_sysfs(insmod_t)
|
||||
dev_search_usbfs(insmod_t)
|
||||
dev_rw_mtrr(insmod_t)
|
||||
dev_read_urand(insmod_t)
|
||||
@ -117,7 +117,8 @@ if( ! secure_mode_insmod ) {
|
||||
}
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
unconfined_domain(insmod_t)
|
||||
term_use_unallocated_ttys(insmod_t)
|
||||
term_use_generic_ptys(insmod_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
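Review bot: `dev_rw_sysfs(insmod_t)` replaces read-only sysfs access for every policy build, not just the targeted one this commit confines, and no comment says which sysfs writes module loading needs. A why-comment above it, e.g. `# sysfs write access: <TODO confirm which entries insmod writes>` with the real reason filled in, keeps the widening reviewable, and if the write is only needed by the newly confined targeted case it could sit inside the `targeted_policy` ifdef block of the next hunk rather than unconditionally. Dropping `unconfined_domain(insmod_t)` there and replacing it with the two `term_use_*` interfaces is the intended tightening and is far narrower.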
@ -1,6 +1,6 @@
|
||||
# udev
|
||||
|
||||
/dev/\.udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0)
|
||||
/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0)
|
||||
/dev/\.udevdb -- gen_context(system_u:object_r:udev_tbl_t,s0)
|
||||
/dev/udev\.tbl -- gen_context(system_u:object_r:udev_tbl_t,s0)
|
||||
|
||||
|
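Review bot: The `/dev/\.udev(/.*)?` entry appears to gain a `--` qualifier, which restricts udev_tbl_t to regular files, so the /dev/.udev directory and any subdirectories would now take the default /dev label while the unchanged `/dev/\.udevdb` and `/dev/udev\.tbl` entries already had `--`. If udev creates files inside /dev/.udev, the udev domain then needs create permission on whatever type that directory gets; presumably that is the point of the change, but a comment such as `# only the table files are udev_tbl_t; the directory keeps the /dev default` would make the intent explicit and tell the reader which side of the change is new.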
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(udev,1.5.1)
|
||||
policy_module(udev,1.5.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -164,6 +164,8 @@ ifdef(`distro_redhat',`
|
||||
fs_relabel_tmpfs_blk_file(udev_t)
|
||||
fs_relabel_tmpfs_chr_file(udev_t)
|
||||
|
||||
term_search_ptys(udev_t)
|
||||
|
||||
# for arping used for static IP addresses on PCMCIA ethernet
|
||||
netutils_domtrans(udev_t)
|
||||
')
|
||||
@ -171,8 +173,6 @@ ifdef(`distro_redhat',`
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_ttys(udev_t)
|
||||
term_dontaudit_use_generic_ptys(udev_t)
|
||||
|
||||
unconfined_domain(udev_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
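Review bot: The new `term_search_ptys(udev_t)` lands inside the `distro_redhat` ifdef block (the hunk closes that block with `')`), but the reason it is needed looks tied to the removal of `unconfined_domain(udev_t)` from the `targeted_policy` ifdef block in the next hunk, and the two conditionals are independent: a targeted build on another distro would lose the unconfined grant without gaining the pty search. If that reading is right, move the line out of the distro block and add a why-comment, e.g. `# needed now that udev_t is no longer unconfined in the targeted policy`. The removal itself is the intended tightening; the remaining `term_dontaudit_*` lines in the targeted block are appropriate for a confined domain.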