- Allow allow_httpd_mod_auth_pam to work
This commit is contained in:
Daniel J Walsh
parent
f18a882ba5
commit
7c124f5e42
|
|
@ -3765,7 +3765,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.
|
|||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.2.5/policy/modules/apps/nsplugin.fc
|
||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.fc 2008-01-24 12:34:08.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.fc 2008-01-31 08:37:54.000000000 -0500
|
||||
@@ -0,0 +1,7 @@
|
||||
+
|
||||
+/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
|
||||
|
|
@ -4117,8 +4117,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
|||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.2.5/policy/modules/apps/nsplugin.te
|
||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.te 2008-01-25 16:48:50.000000000 -0500
|
||||
@@ -0,0 +1,135 @@
|
||||
+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.te 2008-01-31 08:42:43.000000000 -0500
|
||||
@@ -0,0 +1,136 @@
|
||||
+policy_module(nsplugin,1.0.0)
|
||||
+
|
||||
+########################################
|
||||
|
|
@ -4188,6 +4188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
|||
+
|
||||
+miscfiles_read_localization(nsplugin_t)
|
||||
+miscfiles_read_fonts(nsplugin_t)
|
||||
+miscfiles_manage_home_fonts(nsplugin_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ userdom_read_user_home_content_files(user, nsplugin_t)
|
||||
|
|
@ -5909,7 +5910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav
|
|||
+/etc/rc.d/init.d/amavis -- gen_context(system_u:object_r:amavis_script_exec_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.if serefpolicy-3.2.5/policy/modules/services/amavis.if
|
||||
--- nsaserefpolicy/policy/modules/services/amavis.if 2007-06-27 10:10:38.000000000 -0400
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/amavis.if 2008-01-18 12:40:46.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/amavis.if 2008-01-31 08:45:42.000000000 -0500
|
||||
@@ -186,3 +186,88 @@
|
||||
allow $1 amavis_var_run_t:file create_file_perms;
|
||||
files_search_pids($1)
|
||||
|
|
@ -6370,7 +6371,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.2.5/policy/modules/services/apache.te
|
||||
--- nsaserefpolicy/policy/modules/services/apache.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/apache.te 2008-01-18 12:40:46.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/apache.te 2008-01-31 13:44:27.000000000 -0500
|
||||
@@ -20,6 +20,8 @@
|
||||
# Declarations
|
||||
#
|
||||
|
|
@ -6505,7 +6506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||
|
||||
libs_use_ld_so(httpd_t)
|
||||
libs_use_shared_libs(httpd_t)
|
||||
@@ -351,8 +388,6 @@
|
||||
@@ -351,25 +388,38 @@
|
||||
|
||||
userdom_use_unpriv_users_fds(httpd_t)
|
||||
|
||||
|
|
@ -6514,7 +6515,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||
tunable_policy(`allow_httpd_anon_write',`
|
||||
miscfiles_manage_public_files(httpd_t)
|
||||
')
|
||||
@@ -361,6 +396,13 @@
|
||||
|
||||
-ifdef(`TODO', `
|
||||
#
|
||||
# We need optionals to be able to be within booleans to make this work
|
||||
#
|
||||
|
|
@ -6526,9 +6528,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||
+gen_tunable(allow_httpd_mod_auth_pam,false)
|
||||
+
|
||||
tunable_policy(`allow_httpd_mod_auth_pam',`
|
||||
auth_domtrans_chk_passwd(httpd_t)
|
||||
- auth_domtrans_chk_passwd(httpd_t)
|
||||
-')
|
||||
+ auth_domtrans_chkpwd(httpd_t)
|
||||
')
|
||||
@@ -370,6 +412,16 @@
|
||||
|
||||
tunable_policy(`httpd_can_network_connect',`
|
||||
corenet_tcp_connect_all_ports(httpd_t)
|
||||
')
|
||||
|
||||
|
|
@ -6545,7 +6550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||
tunable_policy(`httpd_can_network_relay',`
|
||||
# allow httpd to work as a relay
|
||||
corenet_tcp_connect_gopher_port(httpd_t)
|
||||
@@ -382,6 +434,10 @@
|
||||
@@ -382,6 +432,10 @@
|
||||
corenet_sendrecv_http_cache_client_packets(httpd_t)
|
||||
')
|
||||
|
||||
|
|
@ -6556,7 +6561,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
|
||||
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
|
||||
|
||||
@@ -399,11 +455,21 @@
|
||||
@@ -399,11 +453,21 @@
|
||||
fs_read_nfs_symlinks(httpd_t)
|
||||
')
|
||||
|
||||
|
|
@ -6578,7 +6583,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||
tunable_policy(`httpd_ssi_exec',`
|
||||
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
|
||||
allow httpd_sys_script_t httpd_t:fd use;
|
||||
@@ -437,8 +503,14 @@
|
||||
@@ -437,8 +501,14 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -6594,7 +6599,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -450,19 +522,13 @@
|
||||
@@ -450,19 +520,13 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -6615,7 +6620,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -472,13 +538,14 @@
|
||||
@@ -472,13 +536,14 @@
|
||||
openca_kill(httpd_t)
|
||||
')
|
||||
|
||||
|
|
@ -6634,7 +6639,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -486,6 +553,7 @@
|
||||
@@ -486,6 +551,7 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -6642,7 +6647,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
|
||||
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
|
||||
')
|
||||
@@ -521,6 +589,13 @@
|
||||
@@ -521,6 +587,13 @@
|
||||
userdom_use_sysadm_terms(httpd_helper_t)
|
||||
')
|
||||
|
||||
|
|
@ -6656,7 +6661,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||
########################################
|
||||
#
|
||||
# Apache PHP script local policy
|
||||
@@ -550,18 +625,24 @@
|
||||
@@ -550,18 +623,24 @@
|
||||
|
||||
fs_search_auto_mountpoints(httpd_php_t)
|
||||
|
||||
|
|
@ -6684,7 +6689,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -585,6 +666,8 @@
|
||||
@@ -585,6 +664,8 @@
|
||||
manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
|
||||
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
|
||||
|
||||
|
|
@ -6693,7 +6698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||
kernel_read_kernel_sysctls(httpd_suexec_t)
|
||||
kernel_list_proc(httpd_suexec_t)
|
||||
kernel_read_proc_symlinks(httpd_suexec_t)
|
||||
@@ -593,9 +676,7 @@
|
||||
@@ -593,9 +674,7 @@
|
||||
|
||||
fs_search_auto_mountpoints(httpd_suexec_t)
|
||||
|
||||
|
|
@ -6704,7 +6709,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||
|
||||
files_read_etc_files(httpd_suexec_t)
|
||||
files_read_usr_files(httpd_suexec_t)
|
||||
@@ -638,6 +719,12 @@
|
||||
@@ -638,6 +717,12 @@
|
||||
fs_exec_nfs_files(httpd_suexec_t)
|
||||
')
|
||||
|
||||
|
|
@ -6717,7 +6722,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||
fs_read_cifs_files(httpd_suexec_t)
|
||||
fs_read_cifs_symlinks(httpd_suexec_t)
|
||||
@@ -655,10 +742,6 @@
|
||||
@@ -655,10 +740,6 @@
|
||||
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
||||
')
|
||||
|
||||
|
|
@ -6728,7 +6733,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||
########################################
|
||||
#
|
||||
# Apache system script local policy
|
||||
@@ -668,7 +751,8 @@
|
||||
@@ -668,7 +749,8 @@
|
||||
|
||||
dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
||||
|
||||
|
|
@ -6738,7 +6743,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||
|
||||
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
|
||||
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
|
||||
@@ -682,15 +766,44 @@
|
||||
@@ -682,15 +764,44 @@
|
||||
# Should we add a boolean?
|
||||
apache_domtrans_rotatelogs(httpd_sys_script_t)
|
||||
|
||||
|
|
@ -6784,7 +6789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||
fs_read_cifs_files(httpd_sys_script_t)
|
||||
fs_read_cifs_symlinks(httpd_sys_script_t)
|
||||
@@ -700,9 +813,15 @@
|
||||
@@ -700,9 +811,15 @@
|
||||
clamav_domtrans_clamscan(httpd_sys_script_t)
|
||||
')
|
||||
|
||||
|
|
@ -6800,7 +6805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -724,3 +843,46 @@
|
||||
@@ -724,3 +841,46 @@
|
||||
logging_search_logs(httpd_rotatelogs_t)
|
||||
|
||||
miscfiles_read_localization(httpd_rotatelogs_t)
|
||||
|
|
@ -7581,7 +7586,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
|
|||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.2.5/policy/modules/services/bind.te
|
||||
--- nsaserefpolicy/policy/modules/services/bind.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/bind.te 2008-01-18 12:40:46.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/bind.te 2008-01-31 09:00:42.000000000 -0500
|
||||
@@ -53,6 +53,9 @@
|
||||
init_system_domain(ndc_t,ndc_exec_t)
|
||||
role system_r types ndc_t;
|
||||
|
|
@ -7592,6 +7597,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
|
|||
########################################
|
||||
#
|
||||
# Named local policy
|
||||
@@ -222,6 +225,7 @@
|
||||
corenet_tcp_sendrecv_all_nodes(ndc_t)
|
||||
corenet_tcp_sendrecv_all_ports(ndc_t)
|
||||
corenet_tcp_connect_rndc_port(ndc_t)
|
||||
+corenet_tcp_bind_all_nodes(ndc_t)
|
||||
corenet_sendrecv_rndc_client_packets(ndc_t)
|
||||
|
||||
domain_use_interactive_fds(ndc_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.fc serefpolicy-3.2.5/policy/modules/services/bitlbee.fc
|
||||
--- nsaserefpolicy/policy/modules/services/bitlbee.fc 2007-09-17 15:56:47.000000000 -0400
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/bitlbee.fc 2008-01-18 12:40:46.000000000 -0500
|
||||
|
|
@ -7805,8 +7818,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue
|
|||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.2.5/policy/modules/services/bluetooth.te
|
||||
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/bluetooth.te 2008-01-30 11:17:07.000000000 -0500
|
||||
@@ -32,6 +32,9 @@
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/bluetooth.te 2008-01-31 11:15:46.000000000 -0500
|
||||
@@ -32,19 +32,22 @@
|
||||
type bluetooth_var_run_t;
|
||||
files_pid_file(bluetooth_var_run_t)
|
||||
|
||||
|
|
@ -7816,7 +7829,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue
|
|||
########################################
|
||||
#
|
||||
# Bluetooth services local policy
|
||||
@@ -44,7 +47,7 @@
|
||||
#
|
||||
|
||||
-allow bluetooth_t self:capability { net_bind_service net_admin net_raw sys_tty_config ipc_lock };
|
||||
+allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw sys_tty_config ipc_lock };
|
||||
dontaudit bluetooth_t self:capability sys_tty_config;
|
||||
allow bluetooth_t self:process { getsched signal_perms };
|
||||
allow bluetooth_t self:fifo_file rw_fifo_file_perms;
|
||||
allow bluetooth_t self:shm create_shm_perms;
|
||||
allow bluetooth_t self:socket create_stream_socket_perms;
|
||||
allow bluetooth_t self:unix_dgram_socket create_socket_perms;
|
||||
|
|
@ -12469,7 +12488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
|||
## </summary>
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.5/policy/modules/services/mta.te
|
||||
--- nsaserefpolicy/policy/modules/services/mta.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/mta.te 2008-01-18 12:40:46.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/mta.te 2008-01-31 11:45:40.000000000 -0500
|
||||
@@ -6,6 +6,8 @@
|
||||
# Declarations
|
||||
#
|
||||
|
|
@ -12487,8 +12506,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
|||
|
||||
mta_base_mail_template(system)
|
||||
role system_r types system_mail_t;
|
||||
@@ -40,27 +43,40 @@
|
||||
allow system_mail_t self:capability { dac_override };
|
||||
@@ -37,30 +40,43 @@
|
||||
#
|
||||
|
||||
# newalias required this, not sure if it is needed in 'if' file
|
||||
-allow system_mail_t self:capability { dac_override };
|
||||
+allow system_mail_t self:capability { dac_override fowner };
|
||||
|
||||
read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t)
|
||||
+read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type)
|
||||
|
|
@ -15087,8 +15110,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
|
|||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.2.5/policy/modules/services/prelude.if
|
||||
--- nsaserefpolicy/policy/modules/services/prelude.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/prelude.if 2008-01-30 15:42:04.000000000 -0500
|
||||
@@ -0,0 +1,116 @@
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/prelude.if 2008-01-31 08:49:34.000000000 -0500
|
||||
@@ -0,0 +1,128 @@
|
||||
+
|
||||
+## <summary>policy for prelude</summary>
|
||||
+
|
||||
|
|
@ -15155,18 +15178,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
|
|||
+interface(`prelude_admin',`
|
||||
+ gen_require(`
|
||||
+ type prelude_t;
|
||||
+ type prelude_spool_t;
|
||||
+ type prelude_var_run_t;
|
||||
+ type prelude_var_lib_t;
|
||||
+ type prelude_script_exec_t;
|
||||
+ type audisp_prelude_t;
|
||||
+ type audisp_prelude_var_run_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 prelude_t:process { ptrace signal_perms getattr };
|
||||
+ read_files_pattern($1, prelude_t, prelude_t)
|
||||
+
|
||||
+
|
||||
+ allow $1 audisp_prelude_t:process { ptrace signal_perms getattr };
|
||||
+ read_files_pattern($1, audisp_prelude_t, audisp_prelude_t)
|
||||
+
|
||||
+ # Allow prelude_t to restart the apache service
|
||||
+ prelude_script_domtrans($1)
|
||||
+ domain_system_change_exemption($1)
|
||||
+ role_transition $2 prelude_script_exec_t system_r;
|
||||
+ allow $2 system_r;
|
||||
+
|
||||
+ manage_all_pattern($1, prelude_spool_t)
|
||||
+ manage_all_pattern($1, prelude_var_lib_t)
|
||||
+ manage_all_pattern($1, prelude_var_run_t)
|
||||
+ manage_all_pattern($1, audisp_prelude_var_run_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
|
|
@ -15208,7 +15243,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
|
|||
Binary files nsaserefpolicy/policy/modules/services/prelude.pp and serefpolicy-3.2.5/policy/modules/services/prelude.pp differ
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.2.5/policy/modules/services/prelude.te
|
||||
--- nsaserefpolicy/policy/modules/services/prelude.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/prelude.te 2008-01-30 15:55:36.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/prelude.te 2008-01-31 13:09:03.000000000 -0500
|
||||
@@ -0,0 +1,114 @@
|
||||
+policy_module(prelude,1.0.0)
|
||||
+
|
||||
|
|
@ -15222,15 +15257,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
|
|||
+domain_type(prelude_t)
|
||||
+init_daemon_domain(prelude_t, prelude_exec_t)
|
||||
+
|
||||
+type prelude_spool_t;
|
||||
+files_type(prelude_spool_t)
|
||||
+
|
||||
+type prelude_var_run_t;
|
||||
+files_pid_file(prelude_var_run_t)
|
||||
+
|
||||
+type prelude_var_lib_t;
|
||||
+files_type(prelude_var_lib_t)
|
||||
+
|
||||
+type prelude_spool_t;
|
||||
+files_type(prelude_spool_t)
|
||||
+
|
||||
+type prelude_script_exec_t;
|
||||
+init_script_type(prelude_script_exec_t)
|
||||
+
|
||||
|
|
@ -15968,7 +16003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
|
|||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.2.5/policy/modules/services/razor.if
|
||||
--- nsaserefpolicy/policy/modules/services/razor.if 2007-07-16 14:09:46.000000000 -0400
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/razor.if 2008-01-18 12:40:46.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/razor.if 2008-01-31 11:58:50.000000000 -0500
|
||||
@@ -137,6 +137,7 @@
|
||||
template(`razor_per_role_template',`
|
||||
gen_require(`
|
||||
|
|
@ -15994,6 +16029,49 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
|
|||
|
||||
##############################
|
||||
#
|
||||
@@ -218,3 +217,42 @@
|
||||
|
||||
domtrans_pattern($1, razor_exec_t, razor_t)
|
||||
')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Create, read, write, and delete razor files
|
||||
+## in a user home subdirectory.
|
||||
+## </summary>
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Create, read, write, and delete razor files
|
||||
+## in a user home subdirectory.
|
||||
+## </p>
|
||||
+## <p>
|
||||
+## This is a templated interface, and should only
|
||||
+## be called from a per-userdomain template.
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+## <param name="userdomain_prefix">
|
||||
+## <summary>
|
||||
+## The prefix of the user domain (e.g., user
|
||||
+## is the prefix for user_t).
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+template(`razor_manage_user_home_files',`
|
||||
+ gen_require(`
|
||||
+ type user_home_dir_t, user_razor_home_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_home($2)
|
||||
+ allow $2 user_home_dir_t:dir search_dir_perms;
|
||||
+ manage_files_pattern($2,user_razor_home_t,user_razor_home_t)
|
||||
+ read_lnk_files_pattern($2,user_razor_home_t,user_razor_home_t)
|
||||
+')
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.2.5/policy/modules/services/razor.te
|
||||
--- nsaserefpolicy/policy/modules/services/razor.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/razor.te 2008-01-18 12:40:46.000000000 -0500
|
||||
|
|
@ -16959,7 +17037,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
|
|||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.2.5/policy/modules/services/samba.te
|
||||
--- nsaserefpolicy/policy/modules/services/samba.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/samba.te 2008-01-28 14:28:32.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/samba.te 2008-01-31 11:27:07.000000000 -0500
|
||||
@@ -26,28 +26,28 @@
|
||||
|
||||
## <desc>
|
||||
|
|
@ -17070,7 +17148,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
|
|||
|
||||
kernel_getattr_core_if(smbd_t)
|
||||
kernel_getattr_message_if(smbd_t)
|
||||
@@ -340,6 +347,17 @@
|
||||
@@ -320,6 +327,8 @@
|
||||
userdom_dontaudit_use_unpriv_user_fds(smbd_t)
|
||||
userdom_use_unpriv_users_fds(smbd_t)
|
||||
|
||||
+term_use_ptmx(smbd_t)
|
||||
+
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
files_dontaudit_getattr_default_dirs(smbd_t)
|
||||
files_dontaudit_getattr_boot_dirs(smbd_t)
|
||||
@@ -340,6 +349,17 @@
|
||||
tunable_policy(`samba_share_nfs',`
|
||||
fs_manage_nfs_dirs(smbd_t)
|
||||
fs_manage_nfs_files(smbd_t)
|
||||
|
|
@ -17088,7 +17175,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -391,7 +409,7 @@
|
||||
@@ -391,7 +411,7 @@
|
||||
allow nmbd_t self:msgq create_msgq_perms;
|
||||
allow nmbd_t self:sem create_sem_perms;
|
||||
allow nmbd_t self:shm create_shm_perms;
|
||||
|
|
@ -17097,7 +17184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
|
|||
allow nmbd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow nmbd_t self:udp_socket create_socket_perms;
|
||||
allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
@@ -403,8 +421,7 @@
|
||||
@@ -403,8 +423,7 @@
|
||||
read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
|
||||
|
||||
manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t)
|
||||
|
|
@ -17107,7 +17194,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
|
|||
|
||||
read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
|
||||
create_files_pattern(nmbd_t,samba_log_t,samba_log_t)
|
||||
@@ -439,6 +456,7 @@
|
||||
@@ -439,6 +458,7 @@
|
||||
dev_getattr_mtrr_dev(nmbd_t)
|
||||
|
||||
fs_getattr_all_fs(nmbd_t)
|
||||
|
|
@ -17115,7 +17202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
|
|||
fs_search_auto_mountpoints(nmbd_t)
|
||||
|
||||
domain_use_interactive_fds(nmbd_t)
|
||||
@@ -522,6 +540,7 @@
|
||||
@@ -522,6 +542,7 @@
|
||||
storage_raw_write_fixed_disk(smbmount_t)
|
||||
|
||||
term_list_ptys(smbmount_t)
|
||||
|
|
@ -17123,7 +17210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
|
|||
|
||||
corecmd_list_bin(smbmount_t)
|
||||
|
||||
@@ -546,28 +565,37 @@
|
||||
@@ -546,28 +567,37 @@
|
||||
|
||||
userdom_use_all_users_fds(smbmount_t)
|
||||
|
||||
|
|
@ -17168,7 +17255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
|
|||
allow swat_t smbd_var_run_t:file read;
|
||||
|
||||
manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t)
|
||||
@@ -577,7 +605,9 @@
|
||||
@@ -577,7 +607,9 @@
|
||||
manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
|
||||
files_pid_filetrans(swat_t,swat_var_run_t,file)
|
||||
|
||||
|
|
@ -17179,7 +17266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
|
|||
|
||||
kernel_read_kernel_sysctls(swat_t)
|
||||
kernel_read_system_state(swat_t)
|
||||
@@ -602,6 +632,7 @@
|
||||
@@ -602,6 +634,7 @@
|
||||
|
||||
dev_read_urand(swat_t)
|
||||
|
||||
|
|
@ -17187,7 +17274,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
|
|||
files_read_etc_files(swat_t)
|
||||
files_search_home(swat_t)
|
||||
files_read_usr_files(swat_t)
|
||||
@@ -614,6 +645,7 @@
|
||||
@@ -614,6 +647,7 @@
|
||||
libs_use_shared_libs(swat_t)
|
||||
|
||||
logging_send_syslog_msg(swat_t)
|
||||
|
|
@ -17195,7 +17282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
|
|||
logging_search_logs(swat_t)
|
||||
|
||||
miscfiles_read_localization(swat_t)
|
||||
@@ -631,6 +663,17 @@
|
||||
@@ -631,6 +665,17 @@
|
||||
kerberos_use(swat_t)
|
||||
')
|
||||
|
||||
|
|
@ -17213,7 +17300,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
|
|||
########################################
|
||||
#
|
||||
# Winbind local policy
|
||||
@@ -679,6 +722,8 @@
|
||||
@@ -679,6 +724,8 @@
|
||||
manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t)
|
||||
files_pid_filetrans(winbind_t,winbind_var_run_t,file)
|
||||
|
||||
|
|
@ -17222,7 +17309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
|
|||
kernel_read_kernel_sysctls(winbind_t)
|
||||
kernel_list_proc(winbind_t)
|
||||
kernel_read_proc_symlinks(winbind_t)
|
||||
@@ -766,6 +811,7 @@
|
||||
@@ -766,6 +813,7 @@
|
||||
optional_policy(`
|
||||
squid_read_log(winbind_helper_t)
|
||||
squid_append_log(winbind_helper_t)
|
||||
|
|
@ -17230,7 +17317,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -790,3 +836,37 @@
|
||||
@@ -790,3 +838,37 @@
|
||||
domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
|
||||
')
|
||||
')
|
||||
|
|
@ -18171,7 +18258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
|
|||
+/etc/rc.d/init.d/spamd -- gen_context(system_u:object_r:spamd_script_exec_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.2.5/policy/modules/services/spamassassin.if
|
||||
--- nsaserefpolicy/policy/modules/services/spamassassin.if 2007-10-12 08:56:07.000000000 -0400
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.if 2008-01-18 12:40:46.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.if 2008-01-31 12:54:45.000000000 -0500
|
||||
@@ -37,7 +37,9 @@
|
||||
|
||||
gen_require(`
|
||||
|
|
@ -18384,9 +18471,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
|
|||
- libs_use_shared_libs($1_spamassassin_t)
|
||||
-
|
||||
- logging_send_syslog_msg($1_spamassassin_t)
|
||||
-
|
||||
+ ifelse(`$1',`user',`',`
|
||||
+ typealias user_spamassassin_home_t alias $1_spamassassin_home_t;
|
||||
+ typealias user_spamassassin_tmp_t alias $1_spamassassin_tmp_t;
|
||||
+ typealias user_spamc_tmp_t alias $1_spamc_tmp_t;
|
||||
+ ')
|
||||
+
|
||||
+ manage_dirs_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
|
||||
+ manage_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
|
||||
+ manage_lnk_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
|
||||
+ relabel_dirs_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
|
||||
+ relabel_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
|
||||
+ relabel_lnk_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
|
||||
|
||||
- miscfiles_read_localization($1_spamassassin_t)
|
||||
-
|
||||
+ domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
|
||||
+ domtrans_pattern($2, spamc_exec_t, spamc_t)
|
||||
|
||||
- # cjp: this could probably be removed
|
||||
- seutil_read_config($1_spamassassin_t)
|
||||
-
|
||||
|
|
@ -18448,24 +18549,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
|
|||
- # Write pid file and socket in ~/.evolution/cache/tmp
|
||||
- evolution_home_filetrans($1,spamd_t,spamd_tmp_t,{ file sock_file })
|
||||
- ')
|
||||
+ ifelse(`$1',`user',`',`
|
||||
+ typealias user_spamassassin_home_t alias $1_spamassassin_home_t;
|
||||
+ typealias user_spamassassin_tmp_t alias $1_spamassassin_tmp_t;
|
||||
+ typealias user_spamc_tmp_t alias $1_spamc_tmp_t;
|
||||
+ ')
|
||||
+
|
||||
+ manage_dirs_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
|
||||
+ manage_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
|
||||
+ manage_lnk_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
|
||||
+ relabel_dirs_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
|
||||
+ relabel_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
|
||||
+ relabel_lnk_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
|
||||
|
||||
-
|
||||
- optional_policy(`
|
||||
- # cjp: clearly some redundancy here
|
||||
+ domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
|
||||
+ domtrans_pattern($2, spamc_exec_t, spamc_t)
|
||||
|
||||
-
|
||||
- nis_use_ypbind($1_spamassassin_t)
|
||||
-
|
||||
- tunable_policy(`spamassassin_can_network && allow_ypbind',`
|
||||
|
|
@ -18480,6 +18567,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -370,7 +122,7 @@
|
||||
#
|
||||
interface(`spamassassin_exec_spamd',`
|
||||
gen_require(`
|
||||
- type spamd_exec_t;
|
||||
+ type spamd_eoxec_t;
|
||||
')
|
||||
|
||||
can_exec($1,spamd_exec_t)
|
||||
@@ -398,11 +150,65 @@
|
||||
## </param>
|
||||
#
|
||||
|
|
@ -18590,7 +18686,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
|
|||
read_files_pattern($1,spamd_var_lib_t,spamd_var_lib_t)
|
||||
')
|
||||
|
||||
@@ -528,3 +355,101 @@
|
||||
@@ -528,3 +355,133 @@
|
||||
|
||||
dontaudit $1 spamd_tmp_t:sock_file getattr;
|
||||
')
|
||||
|
|
@ -18691,10 +18787,42 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
|
|||
+ manage_all_pattern($1,spamd_var_run_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read spamassassin per user homedir
|
||||
+## </summary>
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Read spamassassin per user homedir
|
||||
+## </p>
|
||||
+## <p>
|
||||
+## This is a templated interface, and should only
|
||||
+## be called from a per-userdomain template.
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+## <param name="userdomain_prefix">
|
||||
+## <summary>
|
||||
+## The prefix of the user domain (e.g., user
|
||||
+## is the prefix for user_t).
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+template(`spamassassin_manage_user_home_files',`
|
||||
+ gen_require(`
|
||||
+ type user_spamassassin_home_t;
|
||||
+ ')
|
||||
+
|
||||
+ manage_files_pattern($1, user_spamassassin_home_t, user_spamassassin_home_t)
|
||||
+ razor_manage_user_home_files(user,$1)
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.2.5/policy/modules/services/spamassassin.te
|
||||
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.te 2008-01-18 12:40:46.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.te 2008-01-31 12:52:59.000000000 -0500
|
||||
@@ -21,8 +21,9 @@
|
||||
gen_tunable(spamd_enable_home_dirs,true)
|
||||
|
||||
|
|
@ -18802,7 +18930,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
|
|||
dcc_stream_connect_dccifd(spamd_t)
|
||||
')
|
||||
|
||||
@@ -212,3 +254,206 @@
|
||||
@@ -198,6 +240,10 @@
|
||||
|
||||
optional_policy(`
|
||||
razor_domtrans(spamd_t)
|
||||
+ tunable_policy(`spamd_enable_home_dirs',`
|
||||
+ razor_manage_user_home_files(user,spamd_t)
|
||||
+ ')
|
||||
+
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -212,3 +258,206 @@
|
||||
optional_policy(`
|
||||
udev_read_db(spamd_t)
|
||||
')
|
||||
|
|
@ -19847,7 +19986,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.5/policy/modules/services/xserver.if
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/xserver.if 2008-01-25 16:50:51.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/xserver.if 2008-01-31 11:12:11.000000000 -0500
|
||||
@@ -15,6 +15,7 @@
|
||||
template(`xserver_common_domain_template',`
|
||||
gen_require(`
|
||||
|
|
@ -21211,7 +21350,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.2.5/policy/modules/system/authlogin.if
|
||||
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-11-29 13:29:35.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/system/authlogin.if 2008-01-23 09:15:22.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/system/authlogin.if 2008-01-31 13:43:36.000000000 -0500
|
||||
@@ -99,7 +99,7 @@
|
||||
template(`authlogin_per_role_template',`
|
||||
|
||||
|
|
@ -21303,15 +21442,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -356,6 +398,7 @@
|
||||
@@ -356,6 +398,28 @@
|
||||
optional_policy(`
|
||||
samba_stream_connect_winbind($1)
|
||||
')
|
||||
+ auth_domtrans_upd_passwd($1)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Run unix_chkpwd to check a password.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`auth_domtrans_chkpwd',`
|
||||
+ gen_require(`
|
||||
+ type system_chkpwd_t, chkpwd_exec_t, shadow_t;
|
||||
+ ')
|
||||
+
|
||||
+ corecmd_search_sbin($1)
|
||||
+ domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
|
||||
+ dontaudit $1 shadow_t:file { getattr read };
|
||||
+ auth_domtrans_upd_passwd($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -369,12 +412,12 @@
|
||||
@@ -369,12 +433,12 @@
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
|
|
@ -21326,7 +21486,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@@ -386,6 +429,7 @@
|
||||
@@ -386,6 +450,7 @@
|
||||
auth_domtrans_chk_passwd($1)
|
||||
role $2 types system_chkpwd_t;
|
||||
allow system_chkpwd_t $3:chr_file rw_file_perms;
|
||||
|
|
@ -21334,7 +21494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1457,6 +1501,7 @@
|
||||
@@ -1457,6 +1522,7 @@
|
||||
optional_policy(`
|
||||
samba_stream_connect_winbind($1)
|
||||
samba_read_var_files($1)
|
||||
|
|
@ -21342,7 +21502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||
')
|
||||
')
|
||||
|
||||
@@ -1491,3 +1536,23 @@
|
||||
@@ -1491,3 +1557,23 @@
|
||||
typeattribute $1 can_write_shadow_passwords;
|
||||
typeattribute $1 can_relabelto_shadow_passwords;
|
||||
')
|
||||
|
|
@ -21368,7 +21528,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.2.5/policy/modules/system/authlogin.te
|
||||
--- nsaserefpolicy/policy/modules/system/authlogin.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/system/authlogin.te 2008-01-22 12:59:23.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/system/authlogin.te 2008-01-31 11:33:23.000000000 -0500
|
||||
@@ -59,6 +59,9 @@
|
||||
type utempter_exec_t;
|
||||
application_domain(utempter_t,utempter_exec_t)
|
||||
|
|
@ -22671,6 +22831,80 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
|
|||
+ xen_append_log(lvm_t)
|
||||
+ xen_dontaudit_rw_unix_stream_sockets(lvm_t)
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.2.5/policy/modules/system/miscfiles.fc
|
||||
--- nsaserefpolicy/policy/modules/system/miscfiles.fc 2007-08-22 17:33:53.000000000 -0400
|
||||
+++ serefpolicy-3.2.5/policy/modules/system/miscfiles.fc 2008-01-31 08:38:35.000000000 -0500
|
||||
@@ -80,3 +80,4 @@
|
||||
/var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
|
||||
/var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
|
||||
')
|
||||
+HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_home_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.2.5/policy/modules/system/miscfiles.if
|
||||
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2007-11-16 13:45:14.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/system/miscfiles.if 2008-01-31 08:40:50.000000000 -0500
|
||||
@@ -489,3 +489,44 @@
|
||||
manage_lnk_files_pattern($1,locale_t,locale_t)
|
||||
')
|
||||
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read user homedir fonts.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`miscfiles_read_home_fonts',`
|
||||
+ gen_require(`
|
||||
+ type user_fonts_home_t;
|
||||
+ ')
|
||||
+
|
||||
+ read_files_pattern($1,user_fonts_home_t,user_fonts_home_t)
|
||||
+ read_lnk_files_pattern($1,user_fonts_home_t,user_fonts_home_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read user homedir fonts.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`miscfiles_manage_home_fonts',`
|
||||
+ gen_require(`
|
||||
+ type user_fonts_home_t;
|
||||
+ ')
|
||||
+
|
||||
+ manage_dirs_pattern($1,user_fonts_home_t,user_fonts_home_t)
|
||||
+ manage_files_pattern($1,user_fonts_home_t,user_fonts_home_t)
|
||||
+ manage_lnk_files_pattern($1,user_fonts_home_t,user_fonts_home_t)
|
||||
+')
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.2.5/policy/modules/system/miscfiles.te
|
||||
--- nsaserefpolicy/policy/modules/system/miscfiles.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/system/miscfiles.te 2008-01-31 08:42:09.000000000 -0500
|
||||
@@ -20,6 +20,14 @@
|
||||
files_type(fonts_t)
|
||||
|
||||
#
|
||||
+# fonts_t is the type of various font
|
||||
+# files in /usr
|
||||
+#
|
||||
+type user_fonts_home_t;
|
||||
+userdom_user_home_type(user_fonts_home_t)
|
||||
+files_type(user_fonts_home_t)
|
||||
+
|
||||
+#
|
||||
# type for /usr/share/hwdata
|
||||
#
|
||||
type hwdata_t;
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.2.5/policy/modules/system/modutils.if
|
||||
--- nsaserefpolicy/policy/modules/system/modutils.if 2007-03-26 10:39:07.000000000 -0400
|
||||
+++ serefpolicy-3.2.5/policy/modules/system/modutils.if 2008-01-18 12:40:46.000000000 -0500
|
||||
|
|
@ -24389,7 +24623,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-25 11:51:09.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-31 08:42:16.000000000 -0500
|
||||
@@ -29,9 +29,14 @@
|
||||
')
|
||||
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@
|
|||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.2.5
|
||||
Release: 22%{?dist}
|
||||
Release: 23%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
|
|
@ -387,6 +387,9 @@ exit 0
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Jan 30 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-23
|
||||
- Allow allow_httpd_mod_auth_pam to work
|
||||
|
||||
* Wed Jan 30 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-22
|
||||
- Add audisp policy and prelude
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue