- Fix service start stop terminal avc's
This commit is contained in:
parent
ec4fb1ce99
commit
6c319e4011
@ -312,6 +312,49 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc
|
||||
/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
|
||||
+/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
|
||||
+/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.0.8/policy/modules/admin/alsa.if
|
||||
--- nsaserefpolicy/policy/modules/admin/alsa.if 2007-05-29 14:10:59.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/admin/alsa.if 2007-09-22 06:43:02.000000000 -0400
|
||||
@@ -74,3 +74,39 @@
|
||||
read_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t)
|
||||
read_lnk_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t)
|
||||
')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## search alsa lib config files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`alsa_search_lib',`
|
||||
+ gen_require(`
|
||||
+ type alsa_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 alsa_var_lib_t:dir search_dir_perms;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read alsa lib config files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`alsa_read_lib',`
|
||||
+ gen_require(`
|
||||
+ type alsa_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ read_files_pattern($1,alsa_var_lib_t,alsa_var_lib_t)
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.0.8/policy/modules/admin/alsa.te
|
||||
--- nsaserefpolicy/policy/modules/admin/alsa.te 2007-07-25 10:37:43.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/admin/alsa.te 2007-09-21 19:08:24.000000000 -0400
|
||||
@ -2429,7 +2472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
|
||||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.8/policy/modules/kernel/devices.fc
|
||||
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-09-12 10:34:49.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2007-09-21 14:29:01.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2007-09-22 08:10:42.000000000 -0400
|
||||
@@ -20,6 +20,7 @@
|
||||
/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
|
||||
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
|
||||
@ -2442,10 +2485,58 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
|
||||
/dev/input/event.* -c gen_context(system_u:object_r:event_device_t,s0)
|
||||
/dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
|
||||
/dev/input/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
|
||||
+/dev/input/uimput -c gen_context(system_u:object_r:scanner_device_t,s0)
|
||||
+/dev/input/uinput -c gen_context(system_u:object_r:event_device_t,s0)
|
||||
|
||||
/dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0)
|
||||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.0.8/policy/modules/kernel/devices.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/devices.if 2007-06-15 14:54:30.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/kernel/devices.if 2007-09-22 08:11:28.000000000 -0400
|
||||
@@ -1306,6 +1306,44 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## Get the attributes of the event devices.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`dev_getattr_event_dev',`
|
||||
+ gen_require(`
|
||||
+ type device_t, event_device_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 device_t:dir r_dir_perms;
|
||||
+ allow $1 event_device_t:chr_file getattr;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Set the attributes of the event devices.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`dev_setattr_event_dev',`
|
||||
+ gen_require(`
|
||||
+ type device_t, event_device_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 device_t:dir r_dir_perms;
|
||||
+ allow $1 event_device_t:chr_file setattr;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Read input event devices (/dev/input).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.0.8/policy/modules/kernel/domain.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/domain.if 2007-06-19 16:23:34.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/kernel/domain.if 2007-09-17 16:20:18.000000000 -0400
|
||||
@ -3730,7 +3821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.8/policy/modules/services/apache.te
|
||||
--- nsaserefpolicy/policy/modules/services/apache.te 2007-08-22 07:14:07.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/apache.te 2007-09-17 16:20:18.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/apache.te 2007-09-22 07:26:32.000000000 -0400
|
||||
@@ -20,6 +20,8 @@
|
||||
# Declarations
|
||||
#
|
||||
@ -6290,7 +6381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
|
||||
+/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.0.8/policy/modules/services/kerberos.if
|
||||
--- nsaserefpolicy/policy/modules/services/kerberos.if 2007-07-03 07:06:27.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/kerberos.if 2007-09-17 16:20:18.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/kerberos.if 2007-09-22 07:42:39.000000000 -0400
|
||||
@@ -42,6 +42,10 @@
|
||||
dontaudit $1 krb5_conf_t:file write;
|
||||
dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
|
||||
@ -6302,7 +6393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
|
||||
|
||||
tunable_policy(`allow_kerberos',`
|
||||
allow $1 self:tcp_socket create_socket_perms;
|
||||
@@ -172,3 +176,25 @@
|
||||
@@ -172,3 +176,26 @@
|
||||
allow $1 krb5kdc_conf_t:file read_file_perms;
|
||||
|
||||
')
|
||||
@ -6325,6 +6416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
|
||||
+
|
||||
+ files_search_tmp($1)
|
||||
+ allow $1 self:process setfscreate;
|
||||
+ selinux_validate_context($1)
|
||||
+ seutil_read_file_contexts($1)
|
||||
+ allow $1 krb5_host_rcache_t:file manage_file_perms;
|
||||
+')
|
||||
@ -6977,6 +7069,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
|
||||
|
||||
########################################
|
||||
#
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.0.8/policy/modules/services/networkmanager.fc
|
||||
--- nsaserefpolicy/policy/modules/services/networkmanager.fc 2007-09-12 10:34:50.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.fc 2007-09-22 07:16:25.000000000 -0400
|
||||
@@ -5,3 +5,4 @@
|
||||
/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||
/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||
+/var/log/wpa_supplicant.log -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.0.8/policy/modules/services/networkmanager.if
|
||||
--- nsaserefpolicy/policy/modules/services/networkmanager.if 2007-06-15 14:54:33.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.if 2007-09-20 08:50:57.000000000 -0400
|
||||
@ -7007,8 +7107,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.0.8/policy/modules/services/networkmanager.te
|
||||
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-09-12 10:34:50.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te 2007-09-20 08:50:29.000000000 -0400
|
||||
@@ -20,7 +20,7 @@
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te 2007-09-22 07:14:54.000000000 -0400
|
||||
@@ -13,6 +13,9 @@
|
||||
type NetworkManager_var_run_t;
|
||||
files_pid_file(NetworkManager_var_run_t)
|
||||
|
||||
+type NetworkManager_log_t;
|
||||
+files_pid_file(NetworkManager_log_t)
|
||||
+
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
@@ -20,7 +23,7 @@
|
||||
|
||||
# networkmanager will ptrace itself if gdb is installed
|
||||
# and it receives a unexpected signal (rh bug #204161)
|
||||
@ -7017,7 +7127,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
|
||||
dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
|
||||
allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
|
||||
allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
|
||||
@@ -138,6 +138,9 @@
|
||||
@@ -38,6 +41,9 @@
|
||||
manage_sock_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t)
|
||||
files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file })
|
||||
|
||||
+manage_files_pattern(NetworkManager_t,NetworkManager_log_t,NetworkManager_log_t)
|
||||
+logging_log_filetrans(NetworkManager_t,NetworkManager_log_t, file)
|
||||
+
|
||||
kernel_read_system_state(NetworkManager_t)
|
||||
kernel_read_network_state(NetworkManager_t)
|
||||
kernel_read_kernel_sysctls(NetworkManager_t)
|
||||
@@ -138,6 +144,9 @@
|
||||
dbus_system_bus_client_template(NetworkManager,NetworkManager_t)
|
||||
dbus_connect_system_bus(NetworkManager_t)
|
||||
dbus_send_system_bus(NetworkManager_t)
|
||||
@ -7027,7 +7147,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -173,8 +176,10 @@
|
||||
@@ -173,8 +182,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -8015,7 +8135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
|
||||
optional_policy(`
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.0.8/policy/modules/services/rlogin.te
|
||||
--- nsaserefpolicy/policy/modules/services/rlogin.te 2007-07-25 10:37:42.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/rlogin.te 2007-09-17 16:20:18.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/rlogin.te 2007-09-22 07:43:42.000000000 -0400
|
||||
@@ -64,9 +64,10 @@
|
||||
fs_getattr_xattr_fs(rlogind_t)
|
||||
fs_search_auto_mountpoints(rlogind_t)
|
||||
@ -8028,25 +8148,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog
|
||||
|
||||
files_read_etc_files(rlogind_t)
|
||||
files_read_etc_runtime_files(rlogind_t)
|
||||
@@ -82,7 +83,7 @@
|
||||
@@ -82,21 +83,17 @@
|
||||
|
||||
miscfiles_read_localization(rlogind_t)
|
||||
|
||||
-seutil_dontaudit_search_config(rlogind_t)
|
||||
-
|
||||
-sysnet_read_config(rlogind_t)
|
||||
+seutil_read_config(rlogind_t)
|
||||
|
||||
sysnet_read_config(rlogind_t)
|
||||
userdom_setattr_unpriv_users_ptys(rlogind_t)
|
||||
# cjp: this is egregious
|
||||
userdom_read_all_users_home_content_files(rlogind_t)
|
||||
|
||||
@@ -93,7 +94,9 @@
|
||||
remotelogin_domtrans(rlogind_t)
|
||||
+remotelogin_signal(rlogind_t)
|
||||
|
||||
optional_policy(`
|
||||
+ kerberos_use(rlogind_t)
|
||||
kerberos_read_keytab(rlogind_t)
|
||||
-')
|
||||
-
|
||||
-ifdef(`TODO',`
|
||||
-# Allow krb5 rlogind to use fork and open /dev/tty for use
|
||||
-allow rlogind_t userpty_type:chr_file setattr;
|
||||
+ kerberos_manage_host_rcache(rlogind_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.0.8/policy/modules/services/rpcbind.te
|
||||
--- nsaserefpolicy/policy/modules/services/rpcbind.te 2007-07-03 07:06:27.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/rpcbind.te 2007-09-17 16:20:18.000000000 -0400
|
||||
@ -8920,7 +9047,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.0.8/policy/modules/services/sendmail.te
|
||||
--- nsaserefpolicy/policy/modules/services/sendmail.te 2007-09-12 10:34:50.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2007-09-17 16:20:18.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2007-09-22 07:08:31.000000000 -0400
|
||||
@@ -20,19 +20,22 @@
|
||||
mta_mailserver_delivery(sendmail_t)
|
||||
mta_mailserver_sender(sendmail_t)
|
||||
@ -9460,7 +9587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.0.8/policy/modules/services/telnet.te
|
||||
--- nsaserefpolicy/policy/modules/services/telnet.te 2007-07-25 10:37:42.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/telnet.te 2007-09-17 16:20:18.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/telnet.te 2007-09-22 07:45:00.000000000 -0400
|
||||
@@ -32,7 +32,6 @@
|
||||
allow telnetd_t self:udp_socket create_socket_perms;
|
||||
# for identd; cjp: this should probably only be inetd_child rules?
|
||||
@ -9482,7 +9609,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln
|
||||
files_read_etc_files(telnetd_t)
|
||||
files_read_etc_runtime_files(telnetd_t)
|
||||
# for identd; cjp: this should probably only be inetd_child rules?
|
||||
@@ -80,9 +81,7 @@
|
||||
@@ -80,27 +81,26 @@
|
||||
|
||||
miscfiles_read_localization(telnetd_t)
|
||||
|
||||
@ -9493,7 +9620,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln
|
||||
|
||||
remotelogin_domtrans(telnetd_t)
|
||||
|
||||
@@ -90,17 +89,16 @@
|
||||
+userdom_search_unpriv_users_home_dirs(telnetd_t)
|
||||
+
|
||||
# for identd; cjp: this should probably only be inetd_child rules?
|
||||
optional_policy(`
|
||||
kerberos_use(telnetd_t)
|
||||
kerberos_read_keytab(telnetd_t)
|
||||
@ -10565,7 +10694,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.0.8/policy/modules/system/authlogin.te
|
||||
--- nsaserefpolicy/policy/modules/system/authlogin.te 2007-08-22 07:14:12.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/system/authlogin.te 2007-09-21 16:37:58.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/system/authlogin.te 2007-09-22 08:12:19.000000000 -0400
|
||||
@@ -9,6 +9,13 @@
|
||||
attribute can_read_shadow_passwords;
|
||||
attribute can_write_shadow_passwords;
|
||||
@ -10601,7 +10730,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
||||
########################################
|
||||
#
|
||||
# PAM local policy
|
||||
@@ -159,6 +173,8 @@
|
||||
@@ -149,6 +163,8 @@
|
||||
dev_setattr_apm_bios_dev(pam_console_t)
|
||||
dev_getattr_dri_dev(pam_console_t)
|
||||
dev_setattr_dri_dev(pam_console_t)
|
||||
+dev_getattr_event_dev(pam_console_t)
|
||||
+dev_setattr_event_dev(pam_console_t)
|
||||
dev_getattr_framebuffer_dev(pam_console_t)
|
||||
dev_setattr_framebuffer_dev(pam_console_t)
|
||||
dev_getattr_generic_usb_dev(pam_console_t)
|
||||
@@ -159,6 +175,8 @@
|
||||
dev_setattr_mouse_dev(pam_console_t)
|
||||
dev_getattr_power_mgmt_dev(pam_console_t)
|
||||
dev_setattr_power_mgmt_dev(pam_console_t)
|
||||
@ -10610,7 +10748,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
||||
dev_getattr_scanner_dev(pam_console_t)
|
||||
dev_setattr_scanner_dev(pam_console_t)
|
||||
dev_getattr_sound_dev(pam_console_t)
|
||||
@@ -236,7 +252,7 @@
|
||||
@@ -236,7 +254,7 @@
|
||||
|
||||
optional_policy(`
|
||||
xserver_read_xdm_pid(pam_console_t)
|
||||
@ -10619,7 +10757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -302,3 +318,28 @@
|
||||
@@ -302,3 +320,28 @@
|
||||
xserver_use_xdm_fds(utempter_t)
|
||||
xserver_rw_xdm_pipes(utempter_t)
|
||||
')
|
||||
@ -10829,8 +10967,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.0.8/policy/modules/system/init.if
|
||||
--- nsaserefpolicy/policy/modules/system/init.if 2007-08-22 07:14:12.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/system/init.if 2007-09-17 16:20:18.000000000 -0400
|
||||
@@ -540,18 +540,19 @@
|
||||
+++ serefpolicy-3.0.8/policy/modules/system/init.if 2007-09-22 07:07:39.000000000 -0400
|
||||
@@ -211,6 +211,13 @@
|
||||
kernel_dontaudit_use_fds($1)
|
||||
')
|
||||
')
|
||||
+ tunable_policy(`allow_daemons_use_tty',`
|
||||
+ term_use_all_user_ttys($1)
|
||||
+ term_use_all_user_ptys($1)
|
||||
+ ', `
|
||||
+ term_dontaudit_use_all_user_ttys($1)
|
||||
+ term_dontaudit_use_all_user_ptys($1)
|
||||
+ ')
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -540,18 +547,19 @@
|
||||
#
|
||||
interface(`init_spec_domtrans_script',`
|
||||
gen_require(`
|
||||
@ -10854,7 +11006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
|
||||
')
|
||||
')
|
||||
|
||||
@@ -567,18 +568,46 @@
|
||||
@@ -567,18 +575,46 @@
|
||||
#
|
||||
interface(`init_domtrans_script',`
|
||||
gen_require(`
|
||||
@ -10905,7 +11057,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
|
||||
')
|
||||
')
|
||||
|
||||
@@ -609,11 +638,11 @@
|
||||
@@ -609,11 +645,11 @@
|
||||
# cjp: added for gentoo integrated run_init
|
||||
interface(`init_script_file_domtrans',`
|
||||
gen_require(`
|
||||
@ -10919,7 +11071,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -684,11 +713,11 @@
|
||||
@@ -684,11 +720,11 @@
|
||||
#
|
||||
interface(`init_getattr_script_files',`
|
||||
gen_require(`
|
||||
@ -10933,7 +11085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -703,11 +732,11 @@
|
||||
@@ -703,11 +739,11 @@
|
||||
#
|
||||
interface(`init_exec_script_files',`
|
||||
gen_require(`
|
||||
@ -10947,7 +11099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -931,6 +960,7 @@
|
||||
@@ -931,6 +967,7 @@
|
||||
|
||||
dontaudit $1 initrc_t:unix_stream_socket connectto;
|
||||
')
|
||||
@ -10955,7 +11107,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
|
||||
########################################
|
||||
## <summary>
|
||||
## Send messages to init scripts over dbus.
|
||||
@@ -1030,11 +1060,11 @@
|
||||
@@ -1030,11 +1067,11 @@
|
||||
#
|
||||
interface(`init_read_script_files',`
|
||||
gen_require(`
|
||||
@ -10969,7 +11121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1252,7 +1282,7 @@
|
||||
@@ -1252,7 +1289,7 @@
|
||||
type initrc_var_run_t;
|
||||
')
|
||||
|
||||
@ -10978,7 +11130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1273,3 +1303,64 @@
|
||||
@@ -1273,3 +1310,64 @@
|
||||
files_search_pids($1)
|
||||
allow $1 initrc_var_run_t:file manage_file_perms;
|
||||
')
|
||||
@ -11045,7 +11197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.0.8/policy/modules/system/init.te
|
||||
--- nsaserefpolicy/policy/modules/system/init.te 2007-09-12 10:34:51.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/system/init.te 2007-09-18 11:07:20.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/system/init.te 2007-09-22 07:06:37.000000000 -0400
|
||||
@@ -10,6 +10,20 @@
|
||||
# Declarations
|
||||
#
|
||||
@ -11140,7 +11292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
||||
|
||||
selinux_get_enforce_mode(initrc_t)
|
||||
|
||||
@@ -497,6 +515,39 @@
|
||||
@@ -497,6 +515,43 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -11152,9 +11304,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
||||
+tunable_policy(`allow_daemons_use_tty',`
|
||||
+ term_use_unallocated_ttys(daemon)
|
||||
+ term_use_generic_ptys(daemon)
|
||||
+ term_use_all_user_ttys(daemon)
|
||||
+ term_use_all_user_ptys(daemon)
|
||||
+', `
|
||||
+ term_dontaudit_use_unallocated_ttys(daemon)
|
||||
+ term_dontaudit_use_generic_ptys(daemon)
|
||||
+ term_dontaudit_use_all_user_ttys(daemon)
|
||||
+ term_dontaudit_use_all_user_ptys(daemon)
|
||||
+ ')
|
||||
+
|
||||
+# system-config-services causes avc messages that should be dontaudited
|
||||
@ -11180,7 +11336,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
||||
amavis_search_lib(initrc_t)
|
||||
amavis_setattr_pid_files(initrc_t)
|
||||
')
|
||||
@@ -632,12 +683,6 @@
|
||||
@@ -632,12 +687,6 @@
|
||||
mta_read_config(initrc_t)
|
||||
mta_dontaudit_read_spool_symlinks(initrc_t)
|
||||
')
|
||||
@ -11193,7 +11349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
||||
|
||||
optional_policy(`
|
||||
ifdef(`distro_redhat',`
|
||||
@@ -703,6 +748,9 @@
|
||||
@@ -703,6 +752,9 @@
|
||||
|
||||
# why is this needed:
|
||||
rpm_manage_db(initrc_t)
|
||||
@ -12991,6 +13147,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
|
||||
term_dontaudit_use_all_user_ttys(ifconfig_t)
|
||||
term_dontaudit_use_all_user_ptys(ifconfig_t)
|
||||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.8/policy/modules/system/udev.te
|
||||
--- nsaserefpolicy/policy/modules/system/udev.te 2007-09-12 10:34:51.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/system/udev.te 2007-09-22 06:43:22.000000000 -0400
|
||||
@@ -184,6 +184,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ alsa_search_lib(udev_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
brctl_domtrans(udev_t)
|
||||
')
|
||||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.0.8/policy/modules/system/unconfined.fc
|
||||
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2007-05-29 14:10:58.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/system/unconfined.fc 2007-09-21 06:46:14.000000000 -0400
|
||||
|
@ -17,7 +17,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.0.8
|
||||
Release: 8%{?dist}
|
||||
Release: 9%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -362,6 +362,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Sat Sep 22 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-9
|
||||
- Fix service start stop terminal avc's
|
||||
|
||||
* Fri Sep 21 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-8
|
||||
- Allow also to search var_lib
|
||||
- New context for dbus launcher
|
||||
|
Loading…
Reference in New Issue
Block a user