Daniel J Walsh
parent
881d64a16e
commit
7483cf9369
|
|
@ -6429,7 +6429,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.2.6/policy/modules/services/apache.te
|
||||
--- nsaserefpolicy/policy/modules/services/apache.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/services/apache.te 2008-02-01 16:01:42.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/services/apache.te 2008-02-05 13:01:09.000000000 -0500
|
||||
@@ -20,6 +20,8 @@
|
||||
# Declarations
|
||||
#
|
||||
|
|
@ -7516,7 +7516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah
|
|||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.2.6/policy/modules/services/avahi.te
|
||||
--- nsaserefpolicy/policy/modules/services/avahi.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/services/avahi.te 2008-02-01 16:01:42.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/services/avahi.te 2008-02-05 13:17:08.000000000 -0500
|
||||
@@ -13,6 +13,9 @@
|
||||
type avahi_var_run_t;
|
||||
files_pid_file(avahi_var_run_t)
|
||||
|
|
@ -8223,7 +8223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
|
|||
Binary files nsaserefpolicy/policy/modules/services/consolekit.pp and serefpolicy-3.2.6/policy/modules/services/consolekit.pp differ
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.2.6/policy/modules/services/consolekit.te
|
||||
--- nsaserefpolicy/policy/modules/services/consolekit.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/services/consolekit.te 2008-02-04 11:52:57.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/services/consolekit.te 2008-02-05 13:20:29.000000000 -0500
|
||||
@@ -13,6 +13,9 @@
|
||||
type consolekit_var_run_t;
|
||||
files_pid_file(consolekit_var_run_t)
|
||||
|
|
@ -8261,7 +8261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
|
|||
# needs to read /var/lib/dbus/machine-id
|
||||
files_read_var_lib_files(consolekit_t)
|
||||
|
||||
@@ -47,15 +56,31 @@
|
||||
@@ -47,16 +56,32 @@
|
||||
|
||||
auth_use_nsswitch(consolekit_t)
|
||||
|
||||
|
|
@ -8282,18 +8282,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
|
|||
+hal_ptrace(consolekit_t)
|
||||
+mcs_ptrace_all(consolekit_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
optional_policy(`
|
||||
- dbus_system_bus_client_template(consolekit, consolekit_t)
|
||||
- dbus_connect_system_bus(consolekit_t)
|
||||
+ cron_read_system_job_lib_files(consolekit_t)
|
||||
+')
|
||||
+
|
||||
optional_policy(`
|
||||
dbus_system_bus_client_template(consolekit, consolekit_t)
|
||||
dbus_connect_system_bus(consolekit_t)
|
||||
-
|
||||
|
||||
- hal_dbus_chat(consolekit_t)
|
||||
+optional_policy(`
|
||||
+ dbus_system_domain(consolekit_t, consolekit_exec_t)
|
||||
hal_dbus_chat(consolekit_t)
|
||||
+ optional_policy(`
|
||||
+ hal_dbus_chat(consolekit_t)
|
||||
+ ')
|
||||
|
||||
optional_policy(`
|
||||
unconfined_dbus_chat(consolekit_t)
|
||||
@@ -64,6 +89,33 @@
|
||||
')
|
||||
|
||||
|
|
@ -9659,7 +9662,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru
|
|||
# Local policy
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.6/policy/modules/services/dbus.if
|
||||
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/services/dbus.if 2008-02-01 16:01:42.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/services/dbus.if 2008-02-05 13:18:08.000000000 -0500
|
||||
@@ -53,6 +53,7 @@
|
||||
gen_require(`
|
||||
type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
|
||||
|
|
@ -9840,7 +9843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
|||
## Read dbus configuration.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -366,3 +443,52 @@
|
||||
@@ -366,3 +443,55 @@
|
||||
|
||||
allow $1 system_dbusd_t:dbus *;
|
||||
')
|
||||
|
|
@ -9892,10 +9895,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
|||
+
|
||||
+ domtrans_pattern(system_dbusd_t,$2,$1)
|
||||
+
|
||||
+ dbus_system_bus_client_template($1,$1)
|
||||
+ dbus_connect_system_bus($1)
|
||||
+
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.2.6/policy/modules/services/dbus.te
|
||||
--- nsaserefpolicy/policy/modules/services/dbus.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/services/dbus.te 2008-02-01 16:01:42.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/services/dbus.te 2008-02-05 13:15:48.000000000 -0500
|
||||
@@ -9,6 +9,7 @@
|
||||
#
|
||||
# Delcarations
|
||||
|
|
@ -9921,6 +9927,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
|||
|
||||
selinux_get_fs_mount(system_dbusd_t)
|
||||
selinux_validate_context(system_dbusd_t)
|
||||
@@ -121,9 +123,20 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ polkit_domtrans_auth(system_dbusd_t)
|
||||
+ polkit_search_lib(system_dbusd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
sysnet_domtrans_dhcpc(system_dbusd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
udev_read_db(system_dbusd_t)
|
||||
')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ consolekit_dbus_chat(system_dbusd_t)
|
||||
+')
|
||||
+
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.if serefpolicy-3.2.6/policy/modules/services/dcc.if
|
||||
--- nsaserefpolicy/policy/modules/services/dcc.if 2007-03-26 10:39:05.000000000 -0400
|
||||
+++ serefpolicy-3.2.6/policy/modules/services/dcc.if 2008-02-01 16:01:42.000000000 -0500
|
||||
|
|
@ -11510,6 +11537,146 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.2.6/policy/modules/services/gnomeclock.fc
|
||||
--- nsaserefpolicy/policy/modules/services/gnomeclock.fc 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/services/gnomeclock.fc 2008-02-05 13:14:26.000000000 -0500
|
||||
@@ -0,0 +1,2 @@
|
||||
+
|
||||
+/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.2.6/policy/modules/services/gnomeclock.if
|
||||
--- nsaserefpolicy/policy/modules/services/gnomeclock.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/services/gnomeclock.if 2008-02-05 13:14:26.000000000 -0500
|
||||
@@ -0,0 +1,75 @@
|
||||
+
|
||||
+## <summary>policy for gnomeclock</summary>
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute a domain transition to run gnomeclock.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed to transition.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`gnomeclock_domtrans',`
|
||||
+ gen_require(`
|
||||
+ type gnomeclock_t;
|
||||
+ type gnomeclock_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ domtrans_pattern($1,gnomeclock_exec_t,gnomeclock_t)
|
||||
+')
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute gnomeclock in the gnomeclock domain, and
|
||||
+## allow the specified role the gnomeclock domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="role">
|
||||
+## <summary>
|
||||
+## The role to be allowed the gnomeclock domain.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="terminal">
|
||||
+## <summary>
|
||||
+## The type of the role's terminal.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`gnomeclock_run',`
|
||||
+ gen_require(`
|
||||
+ type gnomeclock_t;
|
||||
+ ')
|
||||
+
|
||||
+ gnomeclock_domtrans($1)
|
||||
+ role $2 types gnomeclock_t;
|
||||
+ dontaudit gnomeclock_t $3:chr_file rw_term_perms;
|
||||
+')
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Send and receive messages from
|
||||
+## gnomeclock over dbus.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`gnomeclock_dbus_chat',`
|
||||
+ gen_require(`
|
||||
+ type gnomeclock_t;
|
||||
+ class dbus send_msg;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 gnomeclock_t:dbus send_msg;
|
||||
+ allow gnomeclock_t $1:dbus send_msg;
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.2.6/policy/modules/services/gnomeclock.te
|
||||
--- nsaserefpolicy/policy/modules/services/gnomeclock.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/services/gnomeclock.te 2008-02-05 13:21:34.000000000 -0500
|
||||
@@ -0,0 +1,51 @@
|
||||
+policy_module(gnomeclock,1.0.0)
|
||||
+########################################
|
||||
+#
|
||||
+# Declarations
|
||||
+#
|
||||
+
|
||||
+type gnomeclock_t;
|
||||
+type gnomeclock_exec_t;
|
||||
+dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# gnomeclock local policy
|
||||
+#
|
||||
+allow gnomeclock_t self:capability sys_time;
|
||||
+allow gnomeclock_t self:process getsched;
|
||||
+
|
||||
+## internal communication is often done using fifo and unix sockets.
|
||||
+allow gnomeclock_t self:fifo_file rw_file_perms;
|
||||
+allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+
|
||||
+corecmd_search_bin(gnomeclock_t)
|
||||
+
|
||||
+files_read_etc_files(gnomeclock_t)
|
||||
+files_read_usr_files(gnomeclock_t)
|
||||
+
|
||||
+fs_list_inotifyfs(gnomeclock_t)
|
||||
+
|
||||
+auth_use_nsswitch(gnomeclock_t)
|
||||
+
|
||||
+libs_use_ld_so(gnomeclock_t)
|
||||
+libs_use_shared_libs(gnomeclock_t)
|
||||
+
|
||||
+miscfiles_read_localization(gnomeclock_t)
|
||||
+
|
||||
+userdom_read_all_users_state(gnomeclock_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ consolekit_dbus_chat(gnomeclock_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ clock_domtrans(gnomeclock_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ polkit_domtrans_auth(gnomeclock_t)
|
||||
+ polkit_read_lib(gnomeclock_t)
|
||||
+')
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.2.6/policy/modules/services/hal.fc
|
||||
--- nsaserefpolicy/policy/modules/services/hal.fc 2007-11-14 08:17:58.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/services/hal.fc 2008-02-01 16:01:42.000000000 -0500
|
||||
|
|
@ -12154,7 +12321,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
|
|||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.2.6/policy/modules/services/kerberos.te
|
||||
--- nsaserefpolicy/policy/modules/services/kerberos.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/services/kerberos.te 2008-02-01 16:01:42.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/services/kerberos.te 2008-02-05 11:26:22.000000000 -0500
|
||||
@@ -54,6 +54,12 @@
|
||||
type krb5kdc_var_run_t;
|
||||
files_pid_file(krb5kdc_var_run_t)
|
||||
|
|
@ -12228,7 +12395,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
|
|||
|
||||
userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
|
||||
@@ -233,6 +246,7 @@
|
||||
@@ -233,8 +246,10 @@
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(krb5kdc_t)
|
||||
|
|
@ -12236,6 +12403,185 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
udev_read_db(krb5kdc_t)
|
||||
')
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.fc serefpolicy-3.2.6/policy/modules/services/kerneloops.fc
|
||||
--- nsaserefpolicy/policy/modules/services/kerneloops.fc 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/services/kerneloops.fc 2008-02-05 13:14:34.000000000 -0500
|
||||
@@ -0,0 +1,4 @@
|
||||
+
|
||||
+/usr/sbin/kerneloops -- gen_context(system_u:object_r:kerneloops_exec_t,s0)
|
||||
+
|
||||
+/etc/rc.d/init.d/kerneloops -- gen_context(system_u:object_r:kerneloops_script_exec_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.2.6/policy/modules/services/kerneloops.if
|
||||
--- nsaserefpolicy/policy/modules/services/kerneloops.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/services/kerneloops.if 2008-02-05 13:14:34.000000000 -0500
|
||||
@@ -0,0 +1,104 @@
|
||||
+
|
||||
+## <summary>policy for kerneloops</summary>
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute a domain transition to run kerneloops.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed to transition.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`kerneloops_domtrans',`
|
||||
+ gen_require(`
|
||||
+ type kerneloops_t;
|
||||
+ type kerneloops_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ domtrans_pattern($1,kerneloops_exec_t,kerneloops_t)
|
||||
+')
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute kerneloops server in the kerneloops domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## The type of the process performing this action.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`kerneloops_script_domtrans',`
|
||||
+ gen_require(`
|
||||
+ type kerneloops_script_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ init_script_domtrans_spec($1,kerneloops_script_exec_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Send and receive messages from
|
||||
+## kerneloops over dbus.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`kerneloops_dbus_chat',`
|
||||
+ gen_require(`
|
||||
+ type kerneloops_t;
|
||||
+ class dbus send_msg;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 kerneloops_t:dbus send_msg;
|
||||
+ allow kerneloops_t $1:dbus send_msg;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## All of the rules required to administrate
|
||||
+## an kerneloops environment
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="role">
|
||||
+## <summary>
|
||||
+## The role to be allowed to manage the kerneloops domain.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="terminal">
|
||||
+## <summary>
|
||||
+## The type of the user terminal.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`kerneloops_admin',`
|
||||
+ gen_require(`
|
||||
+ type kerneloops_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 kerneloops_t:process { ptrace signal_perms getattr };
|
||||
+ read_files_pattern($1, kerneloops_t, kerneloops_t)
|
||||
+
|
||||
+
|
||||
+ gen_require(`
|
||||
+ type kerneloops_script_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ # Allow kerneloops_t to restart the apache service
|
||||
+ kerneloops_script_domtrans($1)
|
||||
+ domain_system_change_exemption($1)
|
||||
+ role_transition $2 kerneloops_script_exec_t system_r;
|
||||
+ allow $2 system_r;
|
||||
+
|
||||
+')
|
||||
Binary files nsaserefpolicy/policy/modules/services/kerneloops.pp and serefpolicy-3.2.6/policy/modules/services/kerneloops.pp differ
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.2.6/policy/modules/services/kerneloops.te
|
||||
--- nsaserefpolicy/policy/modules/services/kerneloops.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/services/kerneloops.te 2008-02-05 13:14:35.000000000 -0500
|
||||
@@ -0,0 +1,55 @@
|
||||
+policy_module(kerneloops,1.0.0)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# Declarations
|
||||
+#
|
||||
+
|
||||
+type kerneloops_t;
|
||||
+type kerneloops_exec_t;
|
||||
+domain_type(kerneloops_t)
|
||||
+init_daemon_domain(kerneloops_t, kerneloops_exec_t)
|
||||
+
|
||||
+type kerneloops_script_exec_t;
|
||||
+init_script_type(kerneloops_script_exec_t)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# kerneloops local policy
|
||||
+#
|
||||
+allow kerneloops_t self:capability sys_nice;
|
||||
+allow kerneloops_t self:process { setsched getsched };
|
||||
+
|
||||
+# Init script handling
|
||||
+domain_use_interactive_fds(kerneloops_t)
|
||||
+
|
||||
+## internal communication is often done using fifo and unix sockets.
|
||||
+allow kerneloops_t self:fifo_file rw_file_perms;
|
||||
+allow kerneloops_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+
|
||||
+corenet_all_recvfrom_unlabeled(kerneloops_t)
|
||||
+corenet_all_recvfrom_netlabel(kerneloops_t)
|
||||
+corenet_tcp_sendrecv_all_if(kerneloops_t)
|
||||
+corenet_tcp_sendrecv_all_nodes(kerneloops_t)
|
||||
+corenet_tcp_sendrecv_all_ports(kerneloops_t)
|
||||
+corenet_tcp_bind_http_port(kerneloops_t)
|
||||
+
|
||||
+files_read_etc_files(kerneloops_t)
|
||||
+
|
||||
+kernel_read_ring_buffer(kerneloops_t)
|
||||
+
|
||||
+libs_use_ld_so(kerneloops_t)
|
||||
+libs_use_shared_libs(kerneloops_t)
|
||||
+
|
||||
+logging_send_syslog_msg(kerneloops_t)
|
||||
+logging_read_generic_logs(kerneloops_t)
|
||||
+
|
||||
+miscfiles_read_localization(kerneloops_t)
|
||||
+
|
||||
+sysnet_dns_name_resolve(kerneloops_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ dbus_system_bus_client_template(kerneloops,kerneloops_t)
|
||||
+ dbus_connect_system_bus(kerneloops_t)
|
||||
+')
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.2.6/policy/modules/services/ldap.fc
|
||||
--- nsaserefpolicy/policy/modules/services/ldap.fc 2006-11-16 17:15:20.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/services/ldap.fc 2008-02-01 16:01:42.000000000 -0500
|
||||
|
|
@ -14390,10 +14736,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega
|
|||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.2.6/policy/modules/services/polkit.fc
|
||||
--- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/services/polkit.fc 2008-02-01 16:01:42.000000000 -0500
|
||||
@@ -0,0 +1,7 @@
|
||||
+++ serefpolicy-3.2.6/policy/modules/services/polkit.fc 2008-02-05 13:14:51.000000000 -0500
|
||||
@@ -0,0 +1,8 @@
|
||||
+
|
||||
+/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0)
|
||||
+/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:polkit_grant_exec_t,s0)
|
||||
+/usr/libexec/polkitd -- gen_context(system_u:object_r:polkit_exec_t,s0)
|
||||
+
|
||||
+/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0)
|
||||
|
|
@ -14401,8 +14748,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
|
|||
+/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.2.6/policy/modules/services/polkit.if
|
||||
--- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/services/polkit.if 2008-02-04 11:48:36.000000000 -0500
|
||||
@@ -0,0 +1,62 @@
|
||||
+++ serefpolicy-3.2.6/policy/modules/services/polkit.if 2008-02-05 13:14:52.000000000 -0500
|
||||
@@ -0,0 +1,119 @@
|
||||
+
|
||||
+## <summary>policy for polkit_auth</summary>
|
||||
+
|
||||
|
|
@ -14465,10 +14812,67 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
|
|||
+ # Broken placement
|
||||
+ cron_read_system_job_lib_files($1)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute a domain transition to run polkit_grant.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed to transition.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`polkit_domtrans_grant',`
|
||||
+ gen_require(`
|
||||
+ type polkit_grant_t;
|
||||
+ type polkit_grant_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ domtrans_pattern($1,polkit_grant_exec_t,polkit_grant_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute a policy_grant in the policy_grant domain, and
|
||||
+## allow the specified role the policy_grant domain,
|
||||
+## and use the caller's terminal.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="role">
|
||||
+## <summary>
|
||||
+## The role to be allowed the load_policy domain.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="terminal">
|
||||
+## <summary>
|
||||
+## The type of the terminal allow the load_policy domain to use.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`polkit_run_grant',`
|
||||
+ gen_require(`
|
||||
+ type polkit_grant_t;
|
||||
+ type polkit_auth_t;
|
||||
+ ')
|
||||
+
|
||||
+ polkit_domtrans_grant($1)
|
||||
+ role $2 types polkit_grant_t;
|
||||
+ role $2 types polkit_auth_t;
|
||||
+ allow polkit_grant_t $3:chr_file rw_term_perms;
|
||||
+ allow $1 polkit_grant_t:process signal;
|
||||
+ read_files_pattern(polkit_grant_t, $1, $1)
|
||||
+ allow polkit_grant_t $1:process getattr;
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.2.6/policy/modules/services/polkit.te
|
||||
--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/services/polkit.te 2008-02-01 16:01:42.000000000 -0500
|
||||
@@ -0,0 +1,110 @@
|
||||
+++ serefpolicy-3.2.6/policy/modules/services/polkit.te 2008-02-05 13:20:13.000000000 -0500
|
||||
@@ -0,0 +1,154 @@
|
||||
+policy_module(polkit_auth,1.0.0)
|
||||
+
|
||||
+########################################
|
||||
|
|
@ -14478,12 +14882,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
|
|||
+
|
||||
+type polkit_t;
|
||||
+type polkit_exec_t;
|
||||
+domain_type(polkit_t)
|
||||
+init_daemon_domain(polkit_t, polkit_exec_t)
|
||||
+
|
||||
+type polkit_grant_t;
|
||||
+type polkit_grant_exec_t;
|
||||
+init_system_domain(polkit_grant_t, polkit_grant_exec_t)
|
||||
+
|
||||
+type polkit_auth_t;
|
||||
+type polkit_auth_exec_t;
|
||||
+domain_type(polkit_auth_t)
|
||||
+init_daemon_domain(polkit_auth_t, polkit_auth_exec_t)
|
||||
+
|
||||
+type polkit_var_lib_t;
|
||||
|
|
@ -14528,9 +14934,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
|
|||
+files_pid_filetrans(polkit_t,polkit_var_run_t, { file dir })
|
||||
+
|
||||
+optional_policy(`
|
||||
+ dbus_system_bus_client_template(polkit, polkit_t)
|
||||
+ consolekit_dbus_chat(polkit_t)
|
||||
+ dbus_system_domain(polkit_t, polkit_exec_t)
|
||||
+ optional_policy(`
|
||||
+ consolekit_dbus_chat(polkit_t)
|
||||
+ ')
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
|
|
@ -14579,6 +14986,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
|
|||
+ hal_read_state(polkit_auth_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# polkit_grant local policy
|
||||
+#
|
||||
+
|
||||
+allow polkit_grant_t self:capability setuid;
|
||||
+allow polkit_grant_t self:process getattr;
|
||||
+
|
||||
+allow polkit_grant_t self:unix_dgram_socket create_socket_perms;
|
||||
+allow polkit_grant_t self:fifo_file rw_file_perms;
|
||||
+allow polkit_grant_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+
|
||||
+can_exec(polkit_grant_t, polkit_grant_exec_t)
|
||||
+corecmd_search_bin(polkit_grant_t)
|
||||
+
|
||||
+files_read_etc_files(polkit_grant_t)
|
||||
+files_read_usr_files(polkit_grant_t)
|
||||
+
|
||||
+auth_use_nsswitch(polkit_grant_t)
|
||||
+auth_domtrans_chk_passwd(polkit_grant_t)
|
||||
+
|
||||
+libs_use_ld_so(polkit_grant_t)
|
||||
+libs_use_shared_libs(polkit_grant_t)
|
||||
+
|
||||
+miscfiles_read_localization(polkit_grant_t)
|
||||
+
|
||||
+logging_send_syslog_msg(polkit_grant_t)
|
||||
+
|
||||
+polkit_domtrans_auth(polkit_grant_t)
|
||||
+
|
||||
+manage_files_pattern(polkit_grant_t, polkit_var_lib_t, polkit_var_lib_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ dbus_system_bus_client_template(polkit_grant, polkit_grant_t)
|
||||
+ consolekit_dbus_chat(polkit_grant_t)
|
||||
+')
|
||||
+
|
||||
+gen_require(`
|
||||
+ type system_crond_var_lib_t;
|
||||
+')
|
||||
+manage_files_pattern(polkit_grant_t, system_crond_var_lib_t, system_crond_var_lib_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.2.6/policy/modules/services/postfix.fc
|
||||
--- nsaserefpolicy/policy/modules/services/postfix.fc 2007-09-12 10:34:18.000000000 -0400
|
||||
+++ serefpolicy-3.2.6/policy/modules/services/postfix.fc 2008-02-01 16:01:42.000000000 -0500
|
||||
|
|
@ -24828,7 +25276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.6/policy/modules/system/unconfined.te
|
||||
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/system/unconfined.te 2008-02-02 00:21:41.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/system/unconfined.te 2008-02-05 09:47:51.000000000 -0500
|
||||
@@ -6,35 +6,59 @@
|
||||
# Declarations
|
||||
#
|
||||
|
|
@ -24949,7 +25397,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||
|
||||
optional_policy(`
|
||||
init_dbus_chat_script(unconfined_t)
|
||||
@@ -107,6 +146,10 @@
|
||||
@@ -101,12 +140,20 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ kerneloops_dbus_chat(unconfined_t)
|
||||
+ ')
|
||||
+
|
||||
+ optional_policy(`
|
||||
networkmanager_dbus_chat(unconfined_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
oddjob_dbus_chat(unconfined_t)
|
||||
')
|
||||
|
|
@ -24960,7 +25418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -118,11 +161,7 @@
|
||||
@@ -118,11 +165,7 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -24973,7 +25431,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -134,14 +173,6 @@
|
||||
@@ -134,14 +177,6 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -24988,7 +25446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||
oddjob_domtrans_mkhomedir(unconfined_t)
|
||||
')
|
||||
|
||||
@@ -154,38 +185,32 @@
|
||||
@@ -154,38 +189,32 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -25034,7 +25492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -205,11 +230,30 @@
|
||||
@@ -205,11 +234,30 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -25044,14 +25502,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||
+
|
||||
+optional_policy(`
|
||||
+ java_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ mono_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- xserver_domtrans_xdm_xserver(unconfined_t)
|
||||
+ mono_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ mozilla_per_role_template(unconfined, unconfined_t, unconfined_r)
|
||||
+ unconfined_domain(unconfined_mozilla_t)
|
||||
+ allow unconfined_mozilla_t self:process { execstack execmem };
|
||||
|
|
@ -25067,7 +25525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -219,14 +263,34 @@
|
||||
@@ -219,14 +267,34 @@
|
||||
|
||||
allow unconfined_execmem_t self:process { execstack execmem };
|
||||
unconfined_domain_noaudit(unconfined_execmem_t)
|
||||
|
|
@ -25087,7 +25545,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||
- ')
|
||||
+optional_policy(`
|
||||
+ avahi_dbus_chat(unconfined_execmem_t)
|
||||
+')
|
||||
')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ hal_dbus_chat(unconfined_execmem_t)
|
||||
|
|
@ -25095,7 +25553,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||
+
|
||||
+optional_policy(`
|
||||
+ xserver_xdm_rw_shm(unconfined_execmem_t)
|
||||
')
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
|
|
@ -28810,8 +29268,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.i
|
|||
+## <summary>Policy for staff user</summary>
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.2.6/policy/modules/users/staff.te
|
||||
--- nsaserefpolicy/policy/modules/users/staff.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.2.6/policy/modules/users/staff.te 2008-02-04 08:26:47.000000000 -0500
|
||||
@@ -0,0 +1,51 @@
|
||||
+++ serefpolicy-3.2.6/policy/modules/users/staff.te 2008-02-05 09:47:25.000000000 -0500
|
||||
@@ -0,0 +1,55 @@
|
||||
+policy_module(staff,1.0.1)
|
||||
+userdom_unpriv_user_template(staff)
|
||||
+
|
||||
|
|
@ -28843,6 +29301,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.t
|
|||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ kerneloops_dbus_chat(staff_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ mono_per_role_template(staff, staff_t, staff_r)
|
||||
+')
|
||||
+
|
||||
|
|
|
|||
Loading…
Reference in New Issue