- Dontaudit consoletype talking to unconfined_t
This commit is contained in:
parent
8fd9df6414
commit
7a91e89abe
@ -586,7 +586,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.t
|
|||||||
# Init script handling
|
# Init script handling
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.0.8/policy/modules/admin/consoletype.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.0.8/policy/modules/admin/consoletype.te
|
||||||
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2007-08-22 07:14:14.000000000 -0400
|
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2007-08-22 07:14:14.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/admin/consoletype.te 2007-10-03 16:57:13.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/admin/consoletype.te 2007-10-08 10:28:20.000000000 -0400
|
||||||
@@ -8,9 +8,11 @@
|
@@ -8,9 +8,11 @@
|
||||||
|
|
||||||
type consoletype_t;
|
type consoletype_t;
|
||||||
@ -3086,7 +3086,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
|
|||||||
#
|
#
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.8/policy/modules/kernel/filesystem.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.8/policy/modules/kernel/filesystem.if
|
||||||
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-08-22 07:14:06.000000000 -0400
|
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-08-22 07:14:06.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2007-10-05 10:23:56.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2007-10-06 08:52:10.000000000 -0400
|
||||||
@@ -271,45 +271,6 @@
|
@@ -271,45 +271,6 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -3229,7 +3229,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
|
|||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.8/policy/modules/kernel/filesystem.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.8/policy/modules/kernel/filesystem.te
|
||||||
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-09-12 10:34:49.000000000 -0400
|
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-09-12 10:34:49.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.te 2007-10-05 13:59:53.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.te 2007-10-08 11:25:43.000000000 -0400
|
||||||
@@ -80,6 +80,7 @@
|
@@ -80,6 +80,7 @@
|
||||||
type fusefs_t;
|
type fusefs_t;
|
||||||
fs_noxattr_type(fusefs_t)
|
fs_noxattr_type(fusefs_t)
|
||||||
@ -3238,7 +3238,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
|
|||||||
genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
|
genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
|
||||||
genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
|
genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
|
||||||
|
|
||||||
@@ -133,6 +134,11 @@
|
@@ -116,6 +117,7 @@
|
||||||
|
|
||||||
|
type ramfs_t;
|
||||||
|
fs_type(ramfs_t)
|
||||||
|
+files_mountpoint(ramfs_t)
|
||||||
|
genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0)
|
||||||
|
|
||||||
|
type romfs_t;
|
||||||
|
@@ -133,6 +135,11 @@
|
||||||
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
|
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
|
||||||
files_mountpoint(spufs_t)
|
files_mountpoint(spufs_t)
|
||||||
|
|
||||||
@ -5841,7 +5849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
|
|||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.0.8/policy/modules/services/dovecot.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.0.8/policy/modules/services/dovecot.te
|
||||||
--- nsaserefpolicy/policy/modules/services/dovecot.te 2007-07-25 10:37:42.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/dovecot.te 2007-07-25 10:37:42.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/services/dovecot.te 2007-10-03 11:10:24.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/services/dovecot.te 2007-10-08 11:24:32.000000000 -0400
|
||||||
@@ -15,6 +15,12 @@
|
@@ -15,6 +15,12 @@
|
||||||
domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
|
domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
|
||||||
role system_r types dovecot_auth_t;
|
role system_r types dovecot_auth_t;
|
||||||
@ -5903,7 +5911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
|
|||||||
seutil_sigchld_newrole(dovecot_t)
|
seutil_sigchld_newrole(dovecot_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -145,33 +144,40 @@
|
@@ -145,33 +144,43 @@
|
||||||
# dovecot auth local policy
|
# dovecot auth local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -5939,6 +5947,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
|
|||||||
+auth_domtrans_upd_passwd(dovecot_auth_t)
|
+auth_domtrans_upd_passwd(dovecot_auth_t)
|
||||||
auth_use_nsswitch(dovecot_auth_t)
|
auth_use_nsswitch(dovecot_auth_t)
|
||||||
|
|
||||||
|
+optional_policy
|
||||||
|
+nis_authenticate(dovecot_auth_t)
|
||||||
|
+
|
||||||
files_read_etc_files(dovecot_auth_t)
|
files_read_etc_files(dovecot_auth_t)
|
||||||
files_read_etc_runtime_files(dovecot_auth_t)
|
files_read_etc_runtime_files(dovecot_auth_t)
|
||||||
files_search_pids(dovecot_auth_t)
|
files_search_pids(dovecot_auth_t)
|
||||||
@ -5946,7 +5957,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
|
|||||||
files_read_usr_symlinks(dovecot_auth_t)
|
files_read_usr_symlinks(dovecot_auth_t)
|
||||||
files_search_tmp(dovecot_auth_t)
|
files_search_tmp(dovecot_auth_t)
|
||||||
files_read_var_lib_files(dovecot_t)
|
files_read_var_lib_files(dovecot_t)
|
||||||
@@ -185,12 +191,46 @@
|
@@ -185,12 +194,46 @@
|
||||||
|
|
||||||
seutil_dontaudit_search_config(dovecot_auth_t)
|
seutil_dontaudit_search_config(dovecot_auth_t)
|
||||||
|
|
||||||
@ -5960,7 +5971,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
|
|||||||
- logging_send_syslog_msg(dovecot_auth_t)
|
- logging_send_syslog_msg(dovecot_auth_t)
|
||||||
+ mysql_search_db(dovecot_auth_t)
|
+ mysql_search_db(dovecot_auth_t)
|
||||||
+ mysql_stream_connect(dovecot_auth_t)
|
+ mysql_stream_connect(dovecot_auth_t)
|
||||||
+')
|
')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ postfix_create_pivate_sockets(dovecot_auth_t)
|
+ postfix_create_pivate_sockets(dovecot_auth_t)
|
||||||
@ -5994,7 +6005,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
|
|||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ mta_manage_spool(dovecot_deliver_t)
|
+ mta_manage_spool(dovecot_deliver_t)
|
||||||
')
|
+')
|
||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.fc serefpolicy-3.0.8/policy/modules/services/exim.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.fc serefpolicy-3.0.8/policy/modules/services/exim.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/exim.fc 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/exim.fc 1969-12-31 19:00:00.000000000 -0500
|
||||||
@ -7070,7 +7081,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
|||||||
## <summary>
|
## <summary>
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.8/policy/modules/services/mta.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.8/policy/modules/services/mta.te
|
||||||
--- nsaserefpolicy/policy/modules/services/mta.te 2007-07-25 10:37:42.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/mta.te 2007-07-25 10:37:42.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-10-03 11:10:24.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-10-06 08:52:41.000000000 -0400
|
||||||
@@ -6,6 +6,7 @@
|
@@ -6,6 +6,7 @@
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
@ -7087,7 +7098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
|||||||
|
|
||||||
mta_base_mail_template(system)
|
mta_base_mail_template(system)
|
||||||
role system_r types system_mail_t;
|
role system_r types system_mail_t;
|
||||||
@@ -44,6 +46,7 @@
|
@@ -44,23 +46,29 @@
|
||||||
kernel_read_system_state(system_mail_t)
|
kernel_read_system_state(system_mail_t)
|
||||||
kernel_read_network_state(system_mail_t)
|
kernel_read_network_state(system_mail_t)
|
||||||
|
|
||||||
@ -7095,7 +7106,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
|||||||
dev_read_rand(system_mail_t)
|
dev_read_rand(system_mail_t)
|
||||||
dev_read_urand(system_mail_t)
|
dev_read_urand(system_mail_t)
|
||||||
|
|
||||||
@@ -51,16 +54,19 @@
|
+fs_rw_anon_inodefs_files(system_mail_t)
|
||||||
|
+
|
||||||
|
init_use_script_ptys(system_mail_t)
|
||||||
|
|
||||||
userdom_use_sysadm_terms(system_mail_t)
|
userdom_use_sysadm_terms(system_mail_t)
|
||||||
userdom_dontaudit_search_sysadm_home_dirs(system_mail_t)
|
userdom_dontaudit_search_sysadm_home_dirs(system_mail_t)
|
||||||
@ -7115,7 +7128,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -73,6 +79,7 @@
|
@@ -73,6 +81,7 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
cron_read_system_job_tmp_files(system_mail_t)
|
cron_read_system_job_tmp_files(system_mail_t)
|
||||||
@ -7497,7 +7510,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
|
|||||||
/usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
|
/usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.0.8/policy/modules/services/nis.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.0.8/policy/modules/services/nis.if
|
||||||
--- nsaserefpolicy/policy/modules/services/nis.if 2007-07-03 07:06:27.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/nis.if 2007-07-03 07:06:27.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/services/nis.if 2007-10-03 11:10:24.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/services/nis.if 2007-10-08 11:06:33.000000000 -0400
|
||||||
@@ -49,8 +49,8 @@
|
@@ -49,8 +49,8 @@
|
||||||
corenet_udp_bind_all_nodes($1)
|
corenet_udp_bind_all_nodes($1)
|
||||||
corenet_tcp_bind_generic_port($1)
|
corenet_tcp_bind_generic_port($1)
|
||||||
@ -7509,6 +7522,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
|
|||||||
corenet_dontaudit_tcp_bind_all_ports($1)
|
corenet_dontaudit_tcp_bind_all_ports($1)
|
||||||
corenet_dontaudit_udp_bind_all_ports($1)
|
corenet_dontaudit_udp_bind_all_ports($1)
|
||||||
corenet_tcp_connect_portmap_port($1)
|
corenet_tcp_connect_portmap_port($1)
|
||||||
|
@@ -87,6 +87,25 @@
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
+## Use the ypbind service to access NIS services.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## The type of the process performing this action.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+## <rolecap/>
|
||||||
|
+#
|
||||||
|
+interface(`nis_authenticate',`
|
||||||
|
+ tunable_policy(`allow_ypbind',`
|
||||||
|
+ nis_use_ypbind_uncond($1)
|
||||||
|
+ corenet_tcp_bind_all_rpc_ports($1)
|
||||||
|
+ corenet_udp_bind_all_rpc_ports($1)
|
||||||
|
+ ')
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
## Execute ypbind in the ypbind domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.0.8/policy/modules/services/nis.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.0.8/policy/modules/services/nis.te
|
||||||
--- nsaserefpolicy/policy/modules/services/nis.te 2007-07-25 10:37:42.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/nis.te 2007-07-25 10:37:42.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/services/nis.te 2007-10-03 11:10:24.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/services/nis.te 2007-10-03 11:10:24.000000000 -0400
|
||||||
@ -9470,7 +9509,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.0.8/policy/modules/services/sendmail.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.0.8/policy/modules/services/sendmail.te
|
||||||
--- nsaserefpolicy/policy/modules/services/sendmail.te 2007-09-12 10:34:50.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/sendmail.te 2007-09-12 10:34:50.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2007-10-03 11:10:25.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2007-10-06 08:52:21.000000000 -0400
|
||||||
@@ -20,19 +20,22 @@
|
@@ -20,19 +20,22 @@
|
||||||
mta_mailserver_delivery(sendmail_t)
|
mta_mailserver_delivery(sendmail_t)
|
||||||
mta_mailserver_sender(sendmail_t)
|
mta_mailserver_sender(sendmail_t)
|
||||||
@ -10088,6 +10127,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp
|
|||||||
dontaudit tftpd_t self:capability sys_tty_config;
|
dontaudit tftpd_t self:capability sys_tty_config;
|
||||||
|
|
||||||
allow tftpd_t tftpdir_t:dir { getattr read search };
|
allow tftpd_t tftpdir_t:dir { getattr read search };
|
||||||
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.if serefpolicy-3.0.8/policy/modules/services/ucspitcp.if
|
||||||
|
--- nsaserefpolicy/policy/modules/services/ucspitcp.if 2007-05-29 14:10:57.000000000 -0400
|
||||||
|
+++ serefpolicy-3.0.8/policy/modules/services/ucspitcp.if 2007-10-08 07:47:57.000000000 -0400
|
||||||
|
@@ -20,7 +20,7 @@
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
-interface(`ucspitcp_service_domain', `
|
||||||
|
+interface(`ucspitcp_service_domain',`
|
||||||
|
gen_require(`
|
||||||
|
type ucspitcp_t;
|
||||||
|
role system_r;
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uwimap.te serefpolicy-3.0.8/policy/modules/services/uwimap.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uwimap.te serefpolicy-3.0.8/policy/modules/services/uwimap.te
|
||||||
--- nsaserefpolicy/policy/modules/services/uwimap.te 2007-07-25 10:37:42.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/uwimap.te 2007-07-25 10:37:42.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/services/uwimap.te 2007-10-03 11:10:25.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/services/uwimap.te 2007-10-03 11:10:25.000000000 -0400
|
||||||
@ -10800,7 +10851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
|
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
|
||||||
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-08-22 07:14:13.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-08-22 07:14:13.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-10-03 11:10:25.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-10-08 11:03:54.000000000 -0400
|
||||||
@@ -26,7 +26,8 @@
|
@@ -26,7 +26,8 @@
|
||||||
type $1_chkpwd_t, can_read_shadow_passwords;
|
type $1_chkpwd_t, can_read_shadow_passwords;
|
||||||
application_domain($1_chkpwd_t,chkpwd_exec_t)
|
application_domain($1_chkpwd_t,chkpwd_exec_t)
|
||||||
@ -10865,7 +10916,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
selinux_get_fs_mount($1)
|
selinux_get_fs_mount($1)
|
||||||
selinux_validate_context($1)
|
selinux_validate_context($1)
|
||||||
selinux_compute_access_vector($1)
|
selinux_compute_access_vector($1)
|
||||||
@@ -196,22 +219,33 @@
|
@@ -196,22 +219,36 @@
|
||||||
mls_fd_share_all_levels($1)
|
mls_fd_share_all_levels($1)
|
||||||
|
|
||||||
auth_domtrans_chk_passwd($1)
|
auth_domtrans_chk_passwd($1)
|
||||||
@ -10878,6 +10929,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
+ auth_rw_faillog($1)
|
+ auth_rw_faillog($1)
|
||||||
auth_exec_pam($1)
|
auth_exec_pam($1)
|
||||||
+ auth_use_nsswitch($1)
|
+ auth_use_nsswitch($1)
|
||||||
|
+
|
||||||
|
+ corenet_tcp_bind_all_rpc_ports($1)
|
||||||
|
+ corenet_udp_bind_all_rpc_ports($1)
|
||||||
|
|
||||||
init_rw_utmp($1)
|
init_rw_utmp($1)
|
||||||
|
|
||||||
@ -10900,7 +10954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -309,9 +343,6 @@
|
@@ -309,9 +346,6 @@
|
||||||
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
|
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -10910,7 +10964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
corecmd_search_bin($1)
|
corecmd_search_bin($1)
|
||||||
domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
|
domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
|
||||||
|
|
||||||
@@ -329,6 +360,8 @@
|
@@ -329,6 +363,8 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
kerberos_use($1)
|
kerberos_use($1)
|
||||||
@ -10919,7 +10973,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -347,6 +380,37 @@
|
@@ -347,6 +383,37 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -10957,7 +11011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
## Get the attributes of the shadow passwords file.
|
## Get the attributes of the shadow passwords file.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -695,6 +759,24 @@
|
@@ -695,6 +762,24 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -10982,7 +11036,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
## Execute pam programs in the PAM domain.
|
## Execute pam programs in the PAM domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -1318,14 +1400,9 @@
|
@@ -1318,14 +1403,9 @@
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`auth_use_nsswitch',`
|
interface(`auth_use_nsswitch',`
|
||||||
@ -10997,7 +11051,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
files_list_var_lib($1)
|
files_list_var_lib($1)
|
||||||
|
|
||||||
miscfiles_read_certs($1)
|
miscfiles_read_certs($1)
|
||||||
@@ -1347,6 +1424,8 @@
|
@@ -1347,6 +1427,8 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
samba_stream_connect_winbind($1)
|
samba_stream_connect_winbind($1)
|
||||||
@ -11006,7 +11060,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -1381,3 +1460,163 @@
|
@@ -1381,3 +1463,163 @@
|
||||||
typeattribute $1 can_write_shadow_passwords;
|
typeattribute $1 can_write_shadow_passwords;
|
||||||
typeattribute $1 can_relabelto_shadow_passwords;
|
typeattribute $1 can_relabelto_shadow_passwords;
|
||||||
')
|
')
|
||||||
@ -13168,7 +13222,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
|||||||
|
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.0.8/policy/modules/system/selinuxutil.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.0.8/policy/modules/system/selinuxutil.if
|
||||||
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-05-30 11:47:29.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-05-30 11:47:29.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.if 2007-10-05 07:42:17.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.if 2007-10-07 07:59:48.000000000 -0400
|
||||||
@@ -432,6 +432,7 @@
|
@@ -432,6 +432,7 @@
|
||||||
role $2 types run_init_t;
|
role $2 types run_init_t;
|
||||||
allow run_init_t $3:chr_file rw_term_perms;
|
allow run_init_t $3:chr_file rw_term_perms;
|
||||||
@ -13308,7 +13362,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
|||||||
## Full management of the semanage
|
## Full management of the semanage
|
||||||
## module store.
|
## module store.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -1058,3 +1135,133 @@
|
@@ -1058,3 +1135,138 @@
|
||||||
files_search_etc($1)
|
files_search_etc($1)
|
||||||
rw_files_pattern($1,selinux_config_t,semanage_trans_lock_t)
|
rw_files_pattern($1,selinux_config_t,semanage_trans_lock_t)
|
||||||
')
|
')
|
||||||
@ -13441,10 +13495,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
|||||||
+ seutil_manage_module_store($1)
|
+ seutil_manage_module_store($1)
|
||||||
+ seutil_get_semanage_trans_lock($1)
|
+ seutil_get_semanage_trans_lock($1)
|
||||||
+ seutil_get_semanage_read_lock($1)
|
+ seutil_get_semanage_read_lock($1)
|
||||||
|
+
|
||||||
|
+ optional_policy(`
|
||||||
|
+ rpm_dontaudit_rw_tmp_files($1)
|
||||||
|
+ rpm_dontaudit_rw_pipes($1)
|
||||||
|
+ ')
|
||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.8/policy/modules/system/selinuxutil.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.8/policy/modules/system/selinuxutil.te
|
||||||
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-09-12 10:34:51.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-09-12 10:34:51.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te 2007-10-03 11:10:25.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te 2007-10-07 07:59:32.000000000 -0400
|
||||||
@@ -76,7 +76,6 @@
|
@@ -76,7 +76,6 @@
|
||||||
type restorecond_exec_t;
|
type restorecond_exec_t;
|
||||||
init_daemon_domain(restorecond_t,restorecond_exec_t)
|
init_daemon_domain(restorecond_t,restorecond_exec_t)
|
||||||
@ -13574,7 +13633,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
|||||||
auth_dontaudit_read_shadow(run_init_t)
|
auth_dontaudit_read_shadow(run_init_t)
|
||||||
|
|
||||||
corecmd_exec_bin(run_init_t)
|
corecmd_exec_bin(run_init_t)
|
||||||
@@ -423,77 +426,54 @@
|
@@ -423,77 +426,49 @@
|
||||||
nscd_socket_use(run_init_t)
|
nscd_socket_use(run_init_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -13673,16 +13732,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
|||||||
+ #signal mcstrans on reload
|
+ #signal mcstrans on reload
|
||||||
+ init_spec_domtrans_script(semanage_t)
|
+ init_spec_domtrans_script(semanage_t)
|
||||||
+')
|
+')
|
||||||
+
|
|
||||||
+optional_policy(`
|
|
||||||
+ rpm_dontaudit_rw_tmp_files(semanage_t)
|
|
||||||
+ rpm_dontaudit_rw_pipes(semanage_t)
|
|
||||||
+')
|
|
||||||
+
|
+
|
||||||
# cjp: need a more general way to handle this:
|
# cjp: need a more general way to handle this:
|
||||||
ifdef(`enable_mls',`
|
ifdef(`enable_mls',`
|
||||||
# read secadm tmp files
|
# read secadm tmp files
|
||||||
@@ -521,6 +501,8 @@
|
@@ -521,6 +496,8 @@
|
||||||
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
|
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
|
||||||
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
|
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
|
||||||
|
|
||||||
@ -13691,7 +13745,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
|||||||
kernel_read_system_state(setfiles_t)
|
kernel_read_system_state(setfiles_t)
|
||||||
kernel_relabelfrom_unlabeled_dirs(setfiles_t)
|
kernel_relabelfrom_unlabeled_dirs(setfiles_t)
|
||||||
kernel_relabelfrom_unlabeled_files(setfiles_t)
|
kernel_relabelfrom_unlabeled_files(setfiles_t)
|
||||||
@@ -537,6 +519,7 @@
|
@@ -537,6 +514,7 @@
|
||||||
|
|
||||||
fs_getattr_xattr_fs(setfiles_t)
|
fs_getattr_xattr_fs(setfiles_t)
|
||||||
fs_list_all(setfiles_t)
|
fs_list_all(setfiles_t)
|
||||||
@ -13699,7 +13753,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
|||||||
fs_search_auto_mountpoints(setfiles_t)
|
fs_search_auto_mountpoints(setfiles_t)
|
||||||
fs_relabelfrom_noxattr_fs(setfiles_t)
|
fs_relabelfrom_noxattr_fs(setfiles_t)
|
||||||
|
|
||||||
@@ -590,8 +573,16 @@
|
@@ -590,8 +568,16 @@
|
||||||
fs_relabel_tmpfs_chr_file(setfiles_t)
|
fs_relabel_tmpfs_chr_file(setfiles_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -13849,11 +13903,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.8/policy/modules/system/udev.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.8/policy/modules/system/udev.te
|
||||||
--- nsaserefpolicy/policy/modules/system/udev.te 2007-09-12 10:34:51.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/udev.te 2007-09-12 10:34:51.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/system/udev.te 2007-10-03 11:10:25.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/system/udev.te 2007-10-08 11:25:00.000000000 -0400
|
||||||
@@ -184,6 +184,11 @@
|
@@ -184,6 +184,12 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
+ alsa_domtrans(udev_t)
|
||||||
+ alsa_search_lib(udev_t)
|
+ alsa_search_lib(udev_t)
|
||||||
+ alsa_read_lib(udev_t)
|
+ alsa_read_lib(udev_t)
|
||||||
+')
|
+')
|
||||||
@ -13873,7 +13928,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||||||
+/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
|
+/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if
|
||||||
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-06-15 14:54:34.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-06-15 14:54:34.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-10-04 17:36:52.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-10-08 10:26:34.000000000 -0400
|
||||||
@@ -12,14 +12,13 @@
|
@@ -12,14 +12,13 @@
|
||||||
#
|
#
|
||||||
interface(`unconfined_domain_noaudit',`
|
interface(`unconfined_domain_noaudit',`
|
||||||
@ -13919,6 +13974,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||||||
nscd_unconfined($1)
|
nscd_unconfined($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@@ -399,12 +403,11 @@
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
-## Do not audit attempts to read and write
|
||||||
|
-## unconfined domain unnamed pipes.
|
||||||
|
+## dontaudit Read and write unconfined domain unnamed pipes.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
-## Domain to not audit.
|
||||||
|
+## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
@@ -413,9 +416,10 @@
|
||||||
|
type unconfined_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
- dontaudit $1 unconfined_t:fifo_file rw_file_perms;
|
||||||
|
+ dontaudit $1 unconfined_t:fifo_file rw_fifo_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
+
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Connect to the unconfined domain using
|
||||||
@@ -558,7 +562,7 @@
|
@@ -558,7 +562,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -13928,7 +14010,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||||||
read_files_pattern($1,{ unconfined_home_dir_t unconfined_home_t },unconfined_home_t)
|
read_files_pattern($1,{ unconfined_home_dir_t unconfined_home_t },unconfined_home_t)
|
||||||
read_lnk_files_pattern($1,{ unconfined_home_dir_t unconfined_home_t },unconfined_home_t)
|
read_lnk_files_pattern($1,{ unconfined_home_dir_t unconfined_home_t },unconfined_home_t)
|
||||||
')
|
')
|
||||||
@@ -601,3 +605,175 @@
|
@@ -601,3 +605,179 @@
|
||||||
|
|
||||||
allow $1 unconfined_tmp_t:file { getattr write append };
|
allow $1 unconfined_tmp_t:file { getattr write append };
|
||||||
')
|
')
|
||||||
@ -14037,10 +14119,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||||||
+#
|
+#
|
||||||
+interface(`unconfined_use_terminals',`
|
+interface(`unconfined_use_terminals',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ attribute unconfined_terminal;
|
+ type unconfined_devpts_t;
|
||||||
|
+ type unconfined_tty_device_t;
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ allow $1 unconfined_terminal:chr_file rw_term_perms;
|
+ allow $1 unconfined_tty_device_t:chr_file rw_term_perms;
|
||||||
|
+ allow $1 unconfined_devpts_t:chr_file rw_term_perms;
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -14055,10 +14139,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||||||
+#
|
+#
|
||||||
+interface(`unconfined_dontaudit_use_terminals',`
|
+interface(`unconfined_dontaudit_use_terminals',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ attribute unconfined_terminal;
|
+ type unconfined_devpts_t;
|
||||||
|
+ type unconfined_tty_device_t;
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ dontaudit $1 unconfined_terminal:chr_file rw_term_perms;
|
+ dontaudit $1 unconfined_tty_device_t:chr_file rw_term_perms;
|
||||||
|
+ dontaudit $1 unconfined_devpts_t:chr_file rw_term_perms;
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -14106,7 +14192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te
|
||||||
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-07-25 10:37:42.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-07-25 10:37:42.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-10-05 14:12:30.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-10-08 10:08:01.000000000 -0400
|
||||||
@@ -5,28 +5,38 @@
|
@@ -5,28 +5,38 @@
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
|
@ -17,7 +17,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.0.8
|
Version: 3.0.8
|
||||||
Release: 18%{?dist}
|
Release: 19%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -371,6 +371,9 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Oct 8 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-19
|
||||||
|
- Dontaudit consoletype talking to unconfined_t
|
||||||
|
|
||||||
* Thu Oct 4 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-18
|
* Thu Oct 4 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-18
|
||||||
- Remove homedir_template
|
- Remove homedir_template
|
||||||
|
|
||||||
|