- Allow NetworkManager to read inotifyfs
This commit is contained in:
Daniel J Walsh
parent
aa7b9cbc5e
commit
6b838056a8
259
policy-F12.patch
259
policy-F12.patch
@ -5325,7 +5325,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.14/policy/modules/kernel/devices.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/devices.if 2009-06-08 15:22:17.000000000 -0400
|
||||
+++ serefpolicy-3.6.14/policy/modules/kernel/devices.if 2009-06-08 21:43:15.000000000 -0400
|
||||
+++ serefpolicy-3.6.14/policy/modules/kernel/devices.if 2009-06-11 08:31:29.000000000 -0400
|
||||
@@ -1655,6 +1655,78 @@
|
||||
|
||||
########################################
|
||||
@ -5780,7 +5780,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.14/policy/modules/kernel/files.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500
|
||||
+++ serefpolicy-3.6.14/policy/modules/kernel/files.if 2009-06-08 21:43:15.000000000 -0400
|
||||
+++ serefpolicy-3.6.14/policy/modules/kernel/files.if 2009-06-11 11:53:08.000000000 -0400
|
||||
@@ -110,6 +110,11 @@
|
||||
## </param>
|
||||
#
|
||||
@ -5855,10 +5855,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Mount a filesystem on a directory with the default file type.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1915,6 +1957,26 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@@ -1911,6 +1953,27 @@
|
||||
allow $1 etc_t:dir list_dir_perms;
|
||||
read_files_pattern($1, etc_t, etc_t)
|
||||
read_lnk_files_pattern($1, etc_t, etc_t)
|
||||
+ files_read_etc_runtime_files($1)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read config files in /etc.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
@ -5875,14 +5880,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ allow $1 etcfile:dir list_dir_perms;
|
||||
+ read_files_pattern($1, etcfile, etcfile)
|
||||
+ read_lnk_files_pattern($1, etcfile, etcfile)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Do not audit attempts to write generic files in /etc.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -2250,6 +2312,49 @@
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2250,6 +2313,49 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -5932,7 +5933,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Do not audit attempts to search directories on new filesystems
|
||||
## that have not yet been labeled.
|
||||
## </summary>
|
||||
@@ -2820,6 +2925,7 @@
|
||||
@@ -2820,6 +2926,7 @@
|
||||
')
|
||||
|
||||
allow $1 modules_object_t:dir search_dir_perms;
|
||||
@ -5940,7 +5941,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -3390,6 +3496,24 @@
|
||||
@@ -3390,6 +3497,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -5965,7 +5966,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Read all tmp files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -3456,6 +3580,8 @@
|
||||
@@ -3456,6 +3581,8 @@
|
||||
delete_lnk_files_pattern($1, tmpfile, tmpfile)
|
||||
delete_fifo_files_pattern($1, tmpfile, tmpfile)
|
||||
delete_sock_files_pattern($1, tmpfile, tmpfile)
|
||||
@ -5974,7 +5975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -3546,7 +3672,7 @@
|
||||
@@ -3546,7 +3673,7 @@
|
||||
type usr_t;
|
||||
')
|
||||
|
||||
@ -5983,7 +5984,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -3564,7 +3690,12 @@
|
||||
@@ -3564,7 +3691,12 @@
|
||||
type usr_t;
|
||||
')
|
||||
|
||||
@ -5997,7 +5998,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4413,6 +4544,28 @@
|
||||
@@ -4413,6 +4545,28 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -6026,7 +6027,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Create an object in the locks directory, with a private
|
||||
## type using a type transition.
|
||||
## </summary>
|
||||
@@ -4532,7 +4685,8 @@
|
||||
@@ -4532,7 +4686,8 @@
|
||||
type var_t, var_run_t;
|
||||
')
|
||||
|
||||
@ -6036,7 +6037,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4873,7 +5027,7 @@
|
||||
@@ -4873,7 +5028,7 @@
|
||||
selinux_compute_member($1)
|
||||
|
||||
# Need sys_admin capability for mounting
|
||||
@ -6045,7 +6046,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# Need to give access to the directories to be polyinstantiated
|
||||
allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
|
||||
@@ -4895,12 +5049,15 @@
|
||||
@@ -4895,12 +5050,15 @@
|
||||
allow $1 poly_t:dir { create mounton };
|
||||
fs_unmount_xattr_fs($1)
|
||||
|
||||
@ -6062,7 +6063,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -4921,3 +5078,173 @@
|
||||
@@ -4921,3 +5079,173 @@
|
||||
|
||||
typeattribute $1 files_unconfined_type;
|
||||
')
|
||||
@ -6611,7 +6612,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.14/policy/modules/kernel/terminal.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2008-11-11 16:13:41.000000000 -0500
|
||||
+++ serefpolicy-3.6.14/policy/modules/kernel/terminal.if 2009-06-08 21:43:15.000000000 -0400
|
||||
+++ serefpolicy-3.6.14/policy/modules/kernel/terminal.if 2009-06-11 10:02:52.000000000 -0400
|
||||
@@ -173,7 +173,7 @@
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
@ -6657,6 +6658,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## ioctl of generic pty devices.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -552,6 +571,25 @@
|
||||
dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
+#######################################
|
||||
+## <summary>
|
||||
+## Set the attributes of the tty device
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`term_setattr_controlling_term',`
|
||||
+ gen_require(`
|
||||
+ type devtty_t;
|
||||
+ ')
|
||||
+
|
||||
+ dev_list_all_dev_nodes($1)
|
||||
+ allow $1 devtty_t:chr_file setattr;
|
||||
+')
|
||||
+
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write the controlling
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.14/policy/modules/roles/guest.te
|
||||
--- nsaserefpolicy/policy/modules/roles/guest.te 2009-04-06 12:42:08.000000000 -0400
|
||||
+++ serefpolicy-3.6.14/policy/modules/roles/guest.te 2009-06-08 21:43:15.000000000 -0400
|
||||
@ -10170,7 +10197,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.14/policy/modules/services/avahi.te
|
||||
--- nsaserefpolicy/policy/modules/services/avahi.te 2009-03-23 13:47:11.000000000 -0400
|
||||
+++ serefpolicy-3.6.14/policy/modules/services/avahi.te 2009-06-08 21:43:15.000000000 -0400
|
||||
+++ serefpolicy-3.6.14/policy/modules/services/avahi.te 2009-06-11 08:36:56.000000000 -0400
|
||||
@@ -33,6 +33,7 @@
|
||||
allow avahi_t self:tcp_socket create_stream_socket_perms;
|
||||
allow avahi_t self:udp_socket create_socket_perms;
|
||||
@ -12318,7 +12345,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.14/policy/modules/services/dbus.te
|
||||
--- nsaserefpolicy/policy/modules/services/dbus.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.14/policy/modules/services/dbus.te 2009-06-08 21:43:15.000000000 -0400
|
||||
+++ serefpolicy-3.6.14/policy/modules/services/dbus.te 2009-06-11 11:10:09.000000000 -0400
|
||||
@@ -9,14 +9,15 @@
|
||||
#
|
||||
# Delcarations
|
||||
@ -12382,15 +12409,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
|
||||
read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
|
||||
read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
|
||||
@@ -75,6 +92,7 @@
|
||||
@@ -73,8 +90,10 @@
|
||||
dev_read_urand(system_dbusd_t)
|
||||
dev_read_sysfs(system_dbusd_t)
|
||||
|
||||
+fs_list_inotifyfs(system_dbusd_t)
|
||||
fs_getattr_all_fs(system_dbusd_t)
|
||||
fs_search_auto_mountpoints(system_dbusd_t)
|
||||
+fs_dontaudit_list_nfs(system_dbusd_t)
|
||||
|
||||
selinux_get_fs_mount(system_dbusd_t)
|
||||
selinux_validate_context(system_dbusd_t)
|
||||
@@ -91,9 +109,9 @@
|
||||
@@ -91,9 +110,9 @@
|
||||
corecmd_list_bin(system_dbusd_t)
|
||||
corecmd_read_bin_pipes(system_dbusd_t)
|
||||
corecmd_read_bin_sockets(system_dbusd_t)
|
||||
@ -12401,7 +12431,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
files_read_etc_files(system_dbusd_t)
|
||||
files_list_home(system_dbusd_t)
|
||||
@@ -101,6 +119,8 @@
|
||||
@@ -101,6 +120,8 @@
|
||||
|
||||
init_use_fds(system_dbusd_t)
|
||||
init_use_script_ptys(system_dbusd_t)
|
||||
@ -12410,7 +12440,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
logging_send_audit_msgs(system_dbusd_t)
|
||||
logging_send_syslog_msg(system_dbusd_t)
|
||||
@@ -128,9 +148,38 @@
|
||||
@@ -128,9 +149,38 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -12706,8 +12736,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.14/policy/modules/services/devicekit.te
|
||||
--- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.14/policy/modules/services/devicekit.te 2009-06-08 21:43:15.000000000 -0400
|
||||
@@ -0,0 +1,233 @@
|
||||
+++ serefpolicy-3.6.14/policy/modules/services/devicekit.te 2009-06-11 08:32:14.000000000 -0400
|
||||
@@ -0,0 +1,234 @@
|
||||
+policy_module(devicekit,1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -12785,6 +12815,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+kernel_rw_kernel_sysctl(devicekit_power_t)
|
||||
+kernel_write_proc_files(devicekit_power_t)
|
||||
+
|
||||
+dev_read_input(devicekit_power_t)
|
||||
+dev_rw_generic_usb_dev(devicekit_power_t)
|
||||
+dev_rw_netcontrol(devicekit_power_t)
|
||||
+dev_rw_sysfs(devicekit_power_t)
|
||||
@ -13511,8 +13542,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.14/policy/modules/services/fprintd.te
|
||||
--- nsaserefpolicy/policy/modules/services/fprintd.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.14/policy/modules/services/fprintd.te 2009-06-08 21:43:15.000000000 -0400
|
||||
@@ -0,0 +1,52 @@
|
||||
+++ serefpolicy-3.6.14/policy/modules/services/fprintd.te 2009-06-11 09:53:33.000000000 -0400
|
||||
@@ -0,0 +1,54 @@
|
||||
+policy_module(fprintd,1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -13544,6 +13575,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+files_read_etc_files(fprintd_t)
|
||||
+files_read_usr_files(fprintd_t)
|
||||
+
|
||||
+fs_list_inotifyfs(fprintd_t)
|
||||
+
|
||||
+kernel_read_system_state(fprintd_t)
|
||||
+
|
||||
+auth_use_nsswitch(fprintd_t)
|
||||
@ -14373,7 +14406,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.6.14/policy/modules/services/kerneloops.te
|
||||
--- nsaserefpolicy/policy/modules/services/kerneloops.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.14/policy/modules/services/kerneloops.te 2009-06-08 21:43:15.000000000 -0400
|
||||
+++ serefpolicy-3.6.14/policy/modules/services/kerneloops.te 2009-06-11 09:54:27.000000000 -0400
|
||||
@@ -13,6 +13,9 @@
|
||||
type kerneloops_initrc_exec_t;
|
||||
init_script_file(kerneloops_initrc_exec_t)
|
||||
@ -14395,10 +14428,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
kernel_read_ring_buffer(kerneloops_t)
|
||||
|
||||
@@ -38,14 +43,13 @@
|
||||
@@ -38,14 +43,15 @@
|
||||
|
||||
files_read_etc_files(kerneloops_t)
|
||||
|
||||
+fs_list_inotifyfs(kerneloops_t)
|
||||
+
|
||||
+auth_use_nsswitch(kerneloops_t)
|
||||
+
|
||||
logging_send_syslog_msg(kerneloops_t)
|
||||
@ -15516,7 +15551,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.14/policy/modules/services/networkmanager.te
|
||||
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-01-19 11:07:34.000000000 -0500
|
||||
+++ serefpolicy-3.6.14/policy/modules/services/networkmanager.te 2009-06-08 21:43:15.000000000 -0400
|
||||
+++ serefpolicy-3.6.14/policy/modules/services/networkmanager.te 2009-06-11 08:40:45.000000000 -0400
|
||||
@@ -19,6 +19,9 @@
|
||||
type NetworkManager_tmp_t;
|
||||
files_tmp_file(NetworkManager_tmp_t)
|
||||
@ -15561,7 +15596,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
corenet_all_recvfrom_unlabeled(NetworkManager_t)
|
||||
corenet_all_recvfrom_netlabel(NetworkManager_t)
|
||||
@@ -81,10 +88,14 @@
|
||||
@@ -81,13 +88,18 @@
|
||||
corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
|
||||
corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
|
||||
corenet_sendrecv_all_client_packets(NetworkManager_t)
|
||||
@ -15576,7 +15611,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
fs_getattr_all_fs(NetworkManager_t)
|
||||
fs_search_auto_mountpoints(NetworkManager_t)
|
||||
@@ -98,15 +109,19 @@
|
||||
+fs_list_inotifyfs(NetworkManager_t)
|
||||
|
||||
mls_file_read_all_levels(NetworkManager_t)
|
||||
|
||||
@@ -98,15 +110,19 @@
|
||||
|
||||
domain_use_interactive_fds(NetworkManager_t)
|
||||
domain_read_confined_domains_state(NetworkManager_t)
|
||||
@ -15597,7 +15636,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
logging_send_syslog_msg(NetworkManager_t)
|
||||
|
||||
miscfiles_read_localization(NetworkManager_t)
|
||||
@@ -116,25 +131,40 @@
|
||||
@@ -116,25 +132,40 @@
|
||||
|
||||
seutil_read_config(NetworkManager_t)
|
||||
|
||||
@ -15645,7 +15684,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -146,8 +176,25 @@
|
||||
@@ -146,8 +177,25 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -15673,7 +15712,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -155,23 +202,50 @@
|
||||
@@ -155,23 +203,50 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -15726,7 +15765,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -179,12 +253,15 @@
|
||||
@@ -179,12 +254,15 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -20645,7 +20684,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.14/policy/modules/services/setroubleshoot.te
|
||||
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.14/policy/modules/services/setroubleshoot.te 2009-06-10 11:22:43.000000000 -0400
|
||||
+++ serefpolicy-3.6.14/policy/modules/services/setroubleshoot.te 2009-06-11 08:41:02.000000000 -0400
|
||||
@@ -11,6 +11,9 @@
|
||||
domain_type(setroubleshootd_t)
|
||||
init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
|
||||
@ -20680,7 +20719,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
corecmd_exec_bin(setroubleshootd_t)
|
||||
corecmd_exec_shell(setroubleshootd_t)
|
||||
@@ -68,16 +76,23 @@
|
||||
@@ -68,16 +76,24 @@
|
||||
|
||||
dev_read_urand(setroubleshootd_t)
|
||||
dev_read_sysfs(setroubleshootd_t)
|
||||
@ -20702,10 +20741,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+fs_read_fusefs_symlinks(setroubleshootd_t)
|
||||
+fs_dontaudit_read_nfs_files(setroubleshootd_t)
|
||||
+fs_dontaudit_read_cifs_files(setroubleshootd_t)
|
||||
+fs_list_inotifyfs(setroubleshootd_t)
|
||||
|
||||
selinux_get_enforce_mode(setroubleshootd_t)
|
||||
selinux_validate_context(setroubleshootd_t)
|
||||
@@ -94,22 +109,28 @@
|
||||
@@ -94,22 +110,28 @@
|
||||
|
||||
locallogin_dontaudit_use_fds(setroubleshootd_t)
|
||||
|
||||
@ -22436,8 +22476,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Allow the specified domain to append to ulogd's log files.
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.14/policy/modules/services/uucp.te
|
||||
--- nsaserefpolicy/policy/modules/services/uucp.te 2009-03-23 13:47:11.000000000 -0400
|
||||
+++ serefpolicy-3.6.14/policy/modules/services/uucp.te 2009-06-08 21:43:15.000000000 -0400
|
||||
@@ -129,6 +129,7 @@
|
||||
+++ serefpolicy-3.6.14/policy/modules/services/uucp.te 2009-06-11 09:57:39.000000000 -0400
|
||||
@@ -95,6 +95,8 @@
|
||||
files_search_home(uucpd_t)
|
||||
files_search_spool(uucpd_t)
|
||||
|
||||
+term_setattr_controlling_term(uucpd_t)
|
||||
+
|
||||
auth_use_nsswitch(uucpd_t)
|
||||
|
||||
logging_send_syslog_msg(uucpd_t)
|
||||
@@ -129,6 +131,7 @@
|
||||
optional_policy(`
|
||||
mta_send_mail(uux_t)
|
||||
mta_read_queue(uux_t)
|
||||
@ -24065,7 +24114,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.14/policy/modules/services/xserver.te
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.14/policy/modules/services/xserver.te 2009-06-08 21:43:15.000000000 -0400
|
||||
+++ serefpolicy-3.6.14/policy/modules/services/xserver.te 2009-06-11 09:54:56.000000000 -0400
|
||||
@@ -34,6 +34,13 @@
|
||||
|
||||
## <desc>
|
||||
@ -24268,7 +24317,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# Allow gdm to run gdm-binary
|
||||
can_exec(xdm_t, xdm_exec_t)
|
||||
@@ -329,22 +362,37 @@
|
||||
@@ -329,22 +362,39 @@
|
||||
manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
|
||||
manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
|
||||
files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
|
||||
@ -24281,7 +24330,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
|
||||
manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
|
||||
-fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
+
|
||||
+fs_getattr_all_fs(xdm_t)
|
||||
+fs_list_inotifyfs(xdm_t)
|
||||
+fs_read_noxattr_fs_files(xdm_t)
|
||||
+
|
||||
+manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t)
|
||||
@ -24309,7 +24360,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
allow xdm_t xserver_t:process signal;
|
||||
allow xdm_t xserver_t:unix_stream_socket connectto;
|
||||
@@ -358,6 +406,7 @@
|
||||
@@ -358,6 +408,7 @@
|
||||
allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
|
||||
|
||||
allow xdm_t xserver_t:shm rw_shm_perms;
|
||||
@ -24317,7 +24368,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# connect to xdm xserver over stream socket
|
||||
stream_connect_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t,xserver_t)
|
||||
@@ -366,10 +415,14 @@
|
||||
@@ -366,10 +417,14 @@
|
||||
delete_files_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t)
|
||||
delete_sock_files_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t)
|
||||
|
||||
@ -24333,7 +24384,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
kernel_read_system_state(xdm_t)
|
||||
kernel_read_kernel_sysctls(xdm_t)
|
||||
@@ -389,11 +442,13 @@
|
||||
@@ -389,11 +444,13 @@
|
||||
corenet_udp_sendrecv_all_ports(xdm_t)
|
||||
corenet_tcp_bind_generic_node(xdm_t)
|
||||
corenet_udp_bind_generic_node(xdm_t)
|
||||
@ -24347,7 +24398,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dev_read_rand(xdm_t)
|
||||
dev_read_sysfs(xdm_t)
|
||||
dev_getattr_framebuffer_dev(xdm_t)
|
||||
@@ -401,6 +456,7 @@
|
||||
@@ -401,6 +458,7 @@
|
||||
dev_getattr_mouse_dev(xdm_t)
|
||||
dev_setattr_mouse_dev(xdm_t)
|
||||
dev_rw_apm_bios(xdm_t)
|
||||
@ -24355,7 +24406,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dev_setattr_apm_bios_dev(xdm_t)
|
||||
dev_rw_dri(xdm_t)
|
||||
dev_rw_agp(xdm_t)
|
||||
@@ -413,14 +469,17 @@
|
||||
@@ -413,14 +471,17 @@
|
||||
dev_setattr_video_dev(xdm_t)
|
||||
dev_getattr_scanner_dev(xdm_t)
|
||||
dev_setattr_scanner_dev(xdm_t)
|
||||
@ -24375,7 +24426,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
files_read_etc_files(xdm_t)
|
||||
files_read_var_files(xdm_t)
|
||||
@@ -431,9 +490,13 @@
|
||||
@@ -431,9 +492,13 @@
|
||||
files_read_usr_files(xdm_t)
|
||||
# Poweroff wants to create the /poweroff file when run from xdm
|
||||
files_create_boot_flag(xdm_t)
|
||||
@ -24389,7 +24440,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
storage_dontaudit_read_fixed_disk(xdm_t)
|
||||
storage_dontaudit_write_fixed_disk(xdm_t)
|
||||
@@ -442,6 +505,7 @@
|
||||
@@ -442,6 +507,7 @@
|
||||
storage_dontaudit_raw_write_removable_device(xdm_t)
|
||||
storage_dontaudit_setattr_removable_dev(xdm_t)
|
||||
storage_dontaudit_rw_scsi_generic(xdm_t)
|
||||
@ -24397,7 +24448,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
term_setattr_console(xdm_t)
|
||||
term_use_unallocated_ttys(xdm_t)
|
||||
@@ -450,6 +514,7 @@
|
||||
@@ -450,6 +516,7 @@
|
||||
auth_domtrans_pam_console(xdm_t)
|
||||
auth_manage_pam_pid(xdm_t)
|
||||
auth_manage_pam_console_data(xdm_t)
|
||||
@ -24405,7 +24456,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
auth_rw_faillog(xdm_t)
|
||||
auth_write_login_records(xdm_t)
|
||||
|
||||
@@ -460,10 +525,10 @@
|
||||
@@ -460,10 +527,10 @@
|
||||
|
||||
logging_read_generic_logs(xdm_t)
|
||||
|
||||
@ -24418,7 +24469,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
|
||||
userdom_create_all_users_keys(xdm_t)
|
||||
@@ -472,6 +537,9 @@
|
||||
@@ -472,6 +539,9 @@
|
||||
# Search /proc for any user domain processes.
|
||||
userdom_read_all_users_state(xdm_t)
|
||||
userdom_signal_all_users(xdm_t)
|
||||
@ -24428,7 +24479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
xserver_rw_session(xdm_t,xdm_tmpfs_t)
|
||||
xserver_unconfined(xdm_t)
|
||||
@@ -504,10 +572,12 @@
|
||||
@@ -504,10 +574,12 @@
|
||||
|
||||
optional_policy(`
|
||||
alsa_domtrans(xdm_t)
|
||||
@ -24441,7 +24492,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -515,12 +585,45 @@
|
||||
@@ -515,12 +587,45 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -24487,7 +24538,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
hostname_exec(xdm_t)
|
||||
')
|
||||
|
||||
@@ -542,6 +645,23 @@
|
||||
@@ -542,6 +647,23 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -24511,7 +24562,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
seutil_sigchld_newrole(xdm_t)
|
||||
')
|
||||
|
||||
@@ -550,8 +670,9 @@
|
||||
@@ -550,8 +672,9 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -24523,7 +24574,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
ifndef(`distro_redhat',`
|
||||
allow xdm_t self:process { execheap execmem };
|
||||
@@ -560,7 +681,6 @@
|
||||
@@ -560,7 +683,6 @@
|
||||
ifdef(`distro_rhel4',`
|
||||
allow xdm_t self:process { execheap execmem };
|
||||
')
|
||||
@ -24531,7 +24582,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
optional_policy(`
|
||||
userhelper_dontaudit_search_config(xdm_t)
|
||||
@@ -571,6 +691,10 @@
|
||||
@@ -571,6 +693,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -24542,7 +24593,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
xfs_stream_connect(xdm_t)
|
||||
')
|
||||
|
||||
@@ -587,7 +711,7 @@
|
||||
@@ -587,7 +713,7 @@
|
||||
# execheap needed until the X module loader is fixed.
|
||||
# NVIDIA Needs execstack
|
||||
|
||||
@ -24551,7 +24602,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dontaudit xserver_t self:capability chown;
|
||||
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow xserver_t self:memprotect mmap_zero;
|
||||
@@ -602,9 +726,11 @@
|
||||
@@ -602,9 +728,11 @@
|
||||
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
||||
allow xserver_t self:udp_socket create_socket_perms;
|
||||
@ -24563,7 +24614,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
|
||||
|
||||
@@ -616,13 +742,14 @@
|
||||
@@ -616,13 +744,14 @@
|
||||
type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
|
||||
|
||||
allow xserver_t { rootwindow_t x_domain }:x_drawable send;
|
||||
@ -24579,7 +24630,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||
@@ -635,9 +762,19 @@
|
||||
@@ -635,9 +764,19 @@
|
||||
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||
files_search_var_lib(xserver_t)
|
||||
|
||||
@ -24599,7 +24650,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
kernel_read_system_state(xserver_t)
|
||||
kernel_read_device_sysctls(xserver_t)
|
||||
@@ -680,9 +817,14 @@
|
||||
@@ -680,9 +819,14 @@
|
||||
dev_rw_xserver_misc(xserver_t)
|
||||
# read events - the synaptics touchpad driver reads raw events
|
||||
dev_rw_input_dev(xserver_t)
|
||||
@ -24614,7 +24665,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
files_read_etc_files(xserver_t)
|
||||
files_read_etc_runtime_files(xserver_t)
|
||||
@@ -697,8 +839,12 @@
|
||||
@@ -697,8 +841,12 @@
|
||||
fs_search_nfs(xserver_t)
|
||||
fs_search_auto_mountpoints(xserver_t)
|
||||
fs_search_ramfs(xserver_t)
|
||||
@ -24627,7 +24678,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
selinux_validate_context(xserver_t)
|
||||
selinux_compute_access_vector(xserver_t)
|
||||
@@ -720,6 +866,7 @@
|
||||
@@ -720,6 +868,7 @@
|
||||
|
||||
miscfiles_read_localization(xserver_t)
|
||||
miscfiles_read_fonts(xserver_t)
|
||||
@ -24635,7 +24686,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
modutils_domtrans_insmod(xserver_t)
|
||||
|
||||
@@ -742,7 +889,7 @@
|
||||
@@ -742,7 +891,7 @@
|
||||
')
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
@ -24644,7 +24695,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
|
||||
')
|
||||
|
||||
@@ -774,12 +921,16 @@
|
||||
@@ -774,12 +923,16 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -24662,7 +24713,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
unconfined_domtrans(xserver_t)
|
||||
')
|
||||
|
||||
@@ -806,7 +957,7 @@
|
||||
@@ -806,7 +959,7 @@
|
||||
allow xserver_t xdm_var_lib_t:file { getattr read };
|
||||
dontaudit xserver_t xdm_var_lib_t:dir search;
|
||||
|
||||
@ -24671,7 +24722,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# Label pid and temporary files with derived types.
|
||||
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||
@@ -827,9 +978,14 @@
|
||||
@@ -827,9 +980,14 @@
|
||||
# to read ROLE_home_t - examine this in more detail
|
||||
# (xauth?)
|
||||
userdom_read_user_home_content_files(xserver_t)
|
||||
@ -24686,7 +24737,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs(xserver_t)
|
||||
fs_manage_nfs_files(xserver_t)
|
||||
@@ -844,11 +1000,14 @@
|
||||
@@ -844,11 +1002,14 @@
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(xserver_t)
|
||||
@ -24702,7 +24753,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -856,6 +1015,11 @@
|
||||
@@ -856,6 +1017,11 @@
|
||||
rhgb_rw_tmpfs_files(xserver_t)
|
||||
')
|
||||
|
||||
@ -24714,7 +24765,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
########################################
|
||||
#
|
||||
# Rules common to all X window domains
|
||||
@@ -881,6 +1045,8 @@
|
||||
@@ -881,6 +1047,8 @@
|
||||
# X Server
|
||||
# can read server-owned resources
|
||||
allow x_domain xserver_t:x_resource read;
|
||||
@ -24723,7 +24774,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# can mess with own clients
|
||||
allow x_domain self:x_client { manage destroy };
|
||||
|
||||
@@ -905,6 +1071,8 @@
|
||||
@@ -905,6 +1073,8 @@
|
||||
# operations allowed on my windows
|
||||
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
||||
|
||||
@ -24732,7 +24783,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# X Colormaps
|
||||
# can use the default colormap
|
||||
allow x_domain rootwindow_t:x_colormap { read use add_color };
|
||||
@@ -972,17 +1140,49 @@
|
||||
@@ -972,17 +1142,49 @@
|
||||
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
|
||||
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
|
||||
|
||||
@ -25621,7 +25672,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.14/policy/modules/system/init.te
|
||||
--- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500
|
||||
+++ serefpolicy-3.6.14/policy/modules/system/init.te 2009-06-08 21:43:15.000000000 -0400
|
||||
+++ serefpolicy-3.6.14/policy/modules/system/init.te 2009-06-11 09:54:00.000000000 -0400
|
||||
@@ -17,6 +17,20 @@
|
||||
## </desc>
|
||||
gen_tunable(init_upstart,false)
|
||||
@ -25749,7 +25800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
corenet_tcp_sendrecv_all_ports(initrc_t)
|
||||
corenet_udp_sendrecv_all_ports(initrc_t)
|
||||
corenet_tcp_connect_all_ports(initrc_t)
|
||||
@@ -270,16 +305,20 @@
|
||||
@@ -270,17 +305,22 @@
|
||||
dev_rw_sysfs(initrc_t)
|
||||
dev_list_usbfs(initrc_t)
|
||||
dev_read_framebuffer(initrc_t)
|
||||
@ -25769,9 +25820,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+dev_getattr_all_blk_files(initrc_t)
|
||||
+dev_getattr_all_chr_files(initrc_t)
|
||||
|
||||
+fs_list_inotifyfs(initrc_t)
|
||||
fs_register_binary_executable_type(initrc_t)
|
||||
# rhgb-console writes to ramfs
|
||||
@@ -328,7 +367,7 @@
|
||||
fs_write_ramfs_pipes(initrc_t)
|
||||
@@ -328,7 +368,7 @@
|
||||
domain_sigchld_all_domains(initrc_t)
|
||||
domain_read_all_domains_state(initrc_t)
|
||||
domain_getattr_all_domains(initrc_t)
|
||||
@ -25780,7 +25833,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
domain_getsession_all_domains(initrc_t)
|
||||
domain_use_interactive_fds(initrc_t)
|
||||
# for lsof which is used by alsa shutdown:
|
||||
@@ -343,14 +382,14 @@
|
||||
@@ -343,14 +383,14 @@
|
||||
files_getattr_all_pipes(initrc_t)
|
||||
files_getattr_all_sockets(initrc_t)
|
||||
files_purge_tmp(initrc_t)
|
||||
@ -25797,7 +25850,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
files_exec_etc_files(initrc_t)
|
||||
files_read_usr_files(initrc_t)
|
||||
files_manage_urandom_seed(initrc_t)
|
||||
@@ -366,7 +405,9 @@
|
||||
@@ -366,7 +406,9 @@
|
||||
|
||||
libs_rw_ld_so_cache(initrc_t)
|
||||
libs_exec_lib_files(initrc_t)
|
||||
@ -25807,7 +25860,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
logging_send_syslog_msg(initrc_t)
|
||||
logging_manage_generic_logs(initrc_t)
|
||||
logging_read_all_logs(initrc_t)
|
||||
@@ -451,7 +492,7 @@
|
||||
@@ -451,7 +493,7 @@
|
||||
|
||||
# Red Hat systems seem to have a stray
|
||||
# fd open from the initrd
|
||||
@ -25816,7 +25869,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
files_dontaudit_read_root_files(initrc_t)
|
||||
|
||||
selinux_set_enforce_mode(initrc_t)
|
||||
@@ -465,6 +506,7 @@
|
||||
@@ -465,6 +507,7 @@
|
||||
storage_raw_read_fixed_disk(initrc_t)
|
||||
storage_raw_write_fixed_disk(initrc_t)
|
||||
|
||||
@ -25824,7 +25877,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
files_create_boot_flag(initrc_t)
|
||||
files_rw_boot_symlinks(initrc_t)
|
||||
# wants to read /.fonts directory
|
||||
@@ -498,6 +540,7 @@
|
||||
@@ -498,6 +541,7 @@
|
||||
optional_policy(`
|
||||
#for /etc/rc.d/init.d/nfs to create /etc/exports
|
||||
rpc_write_exports(initrc_t)
|
||||
@ -25832,7 +25885,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -516,6 +559,33 @@
|
||||
@@ -516,6 +560,33 @@
|
||||
')
|
||||
')
|
||||
|
||||
@ -25866,7 +25919,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
optional_policy(`
|
||||
amavis_search_lib(initrc_t)
|
||||
amavis_setattr_pid_files(initrc_t)
|
||||
@@ -570,6 +640,10 @@
|
||||
@@ -570,6 +641,10 @@
|
||||
dbus_read_config(initrc_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -25877,7 +25930,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
networkmanager_dbus_chat(initrc_t)
|
||||
')
|
||||
')
|
||||
@@ -591,6 +665,10 @@
|
||||
@@ -591,6 +666,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -25888,7 +25941,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dev_read_usbfs(initrc_t)
|
||||
|
||||
# init scripts run /etc/hotplug/usb.rc
|
||||
@@ -647,20 +725,20 @@
|
||||
@@ -647,20 +726,20 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -25915,7 +25968,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
optional_policy(`
|
||||
ifdef(`distro_redhat',`
|
||||
@@ -719,8 +797,6 @@
|
||||
@@ -719,8 +798,6 @@
|
||||
# bash tries ioctl for some reason
|
||||
files_dontaudit_ioctl_all_pids(initrc_t)
|
||||
|
||||
@ -25924,7 +25977,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -733,10 +809,12 @@
|
||||
@@ -733,10 +810,12 @@
|
||||
squid_manage_logs(initrc_t)
|
||||
')
|
||||
|
||||
@ -25937,7 +25990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
optional_policy(`
|
||||
ssh_dontaudit_read_server_keys(initrc_t)
|
||||
@@ -754,6 +832,11 @@
|
||||
@@ -754,6 +833,11 @@
|
||||
uml_setattr_util_sockets(initrc_t)
|
||||
')
|
||||
|
||||
@ -25949,7 +26002,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
optional_policy(`
|
||||
unconfined_domain(initrc_t)
|
||||
|
||||
@@ -765,6 +848,13 @@
|
||||
@@ -765,6 +849,13 @@
|
||||
optional_policy(`
|
||||
mono_domtrans(initrc_t)
|
||||
')
|
||||
@ -25963,7 +26016,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -790,3 +880,35 @@
|
||||
@@ -790,3 +881,35 @@
|
||||
optional_policy(`
|
||||
zebra_read_config(initrc_t)
|
||||
')
|
||||
@ -26167,7 +26220,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+miscfiles_read_localization(iscsid_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.14/policy/modules/system/libraries.fc
|
||||
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-06-08 15:22:18.000000000 -0400
|
||||
+++ serefpolicy-3.6.14/policy/modules/system/libraries.fc 2009-06-08 21:43:15.000000000 -0400
|
||||
+++ serefpolicy-3.6.14/policy/modules/system/libraries.fc 2009-06-11 11:46:19.000000000 -0400
|
||||
@@ -60,12 +60,15 @@
|
||||
#
|
||||
# /opt
|
||||
@ -26327,7 +26380,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
ifdef(`distro_suse',`
|
||||
/var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0)
|
||||
')
|
||||
@@ -311,3 +339,37 @@
|
||||
@@ -311,3 +339,39 @@
|
||||
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
|
||||
@ -26365,6 +26418,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/usr/lib/libcncpmslld328\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
+
|
||||
+/usr/lib(64)?/ICAClient/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
+
|
||||
+/usr/lib(64)?/midori/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.6.14/policy/modules/system/libraries.if
|
||||
--- nsaserefpolicy/policy/modules/system/libraries.if 2008-11-11 16:13:48.000000000 -0500
|
||||
+++ serefpolicy-3.6.14/policy/modules/system/libraries.if 2009-06-08 21:43:15.000000000 -0400
|
||||
|
||||
@ -20,7 +20,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.6.14
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -473,6 +473,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Jun 11 2009 Dan Walsh <dwalsh@redhat.com> 3.6.14-3
|
||||
- Allow NetworkManager to read inotifyfs
|
||||
|
||||
* Wed Jun 10 2009 Dan Walsh <dwalsh@redhat.com> 3.6.14-2
|
||||
- Allow setroubleshoot to run mlocate
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user