- Allow avahi to access inotify
- Remove a lot of bogus security_t:filesystem avcs
This commit is contained in:
Daniel J Walsh
parent
1afb424363
commit
7f44213c00
@ -6602,7 +6602,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.1/policy/modules/services/samba.te
|
||||
--- nsaserefpolicy/policy/modules/services/samba.te 2007-06-19 16:23:35.000000000 -0400
|
||||
+++ serefpolicy-3.0.1/policy/modules/services/samba.te 2007-06-19 17:06:27.000000000 -0400
|
||||
+++ serefpolicy-3.0.1/policy/modules/services/samba.te 2007-06-27 11:39:37.000000000 -0400
|
||||
@@ -189,6 +189,8 @@
|
||||
|
||||
miscfiles_read_localization(samba_net_t)
|
||||
@ -6678,6 +6678,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
|
||||
|
||||
domain_use_interactive_fds(winbind_t)
|
||||
|
||||
@@ -767,6 +782,7 @@
|
||||
#
|
||||
# Winbind helper local policy
|
||||
#
|
||||
+corecmd_exec_bin(winbind_t)
|
||||
|
||||
allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
|
||||
allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms;
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.0.1/policy/modules/services/sasl.te
|
||||
--- nsaserefpolicy/policy/modules/services/sasl.te 2007-05-29 14:10:57.000000000 -0400
|
||||
+++ serefpolicy-3.0.1/policy/modules/services/sasl.te 2007-06-19 17:06:27.000000000 -0400
|
||||
@ -7442,7 +7450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
||||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.1/policy/modules/system/authlogin.if
|
||||
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-06-15 14:54:34.000000000 -0400
|
||||
+++ serefpolicy-3.0.1/policy/modules/system/authlogin.if 2007-06-21 10:33:53.000000000 -0400
|
||||
+++ serefpolicy-3.0.1/policy/modules/system/authlogin.if 2007-06-27 10:19:29.000000000 -0400
|
||||
@@ -27,7 +27,8 @@
|
||||
domain_type($1_chkpwd_t)
|
||||
domain_entry_file($1_chkpwd_t,chkpwd_exec_t)
|
||||
@ -8318,7 +8326,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
|
||||
# Sulogin local policy
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.0.1/policy/modules/system/logging.fc
|
||||
--- nsaserefpolicy/policy/modules/system/logging.fc 2007-05-29 14:10:58.000000000 -0400
|
||||
+++ serefpolicy-3.0.1/policy/modules/system/logging.fc 2007-06-20 07:06:30.000000000 -0400
|
||||
+++ serefpolicy-3.0.1/policy/modules/system/logging.fc 2007-06-27 10:17:24.000000000 -0400
|
||||
@@ -1,6 +1,6 @@
|
||||
-
|
||||
/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
|
||||
|
||||
+/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
|
||||
/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
|
||||
|
||||
/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
|
||||
@@ -43,3 +43,5 @@
|
||||
/var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
|
||||
|
||||
@ -8327,7 +8343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
||||
+/var/log/syslog-ng(/.*)? -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.0.1/policy/modules/system/logging.if
|
||||
--- nsaserefpolicy/policy/modules/system/logging.if 2007-06-15 14:54:34.000000000 -0400
|
||||
+++ serefpolicy-3.0.1/policy/modules/system/logging.if 2007-06-19 17:06:27.000000000 -0400
|
||||
+++ serefpolicy-3.0.1/policy/modules/system/logging.if 2007-06-27 10:20:58.000000000 -0400
|
||||
@@ -33,8 +33,13 @@
|
||||
## </param>
|
||||
#
|
||||
@ -8343,10 +8359,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -238,6 +243,25 @@
|
||||
@@ -238,6 +243,63 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## Manage the syslogd configuration files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`logging_manage_syslog_config',`
|
||||
+ gen_require(`
|
||||
+ type syslogd_etc_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_etc($1)
|
||||
+ manage_files_pattern($1,syslog_conf_t,syslog_conf_t)
|
||||
+')
|
||||
+
|
||||
+#######################################
|
||||
+## <summary>
|
||||
+## Automatic transition from etc to syslog_conf_t.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`logging_etc_filetrans_syslog_conf',`
|
||||
+ gen_require(`
|
||||
+ type syslog_conf_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_etc_filetrans($1,syslog_conf_t,file)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute klogd in the klog domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
@ -8369,7 +8423,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
||||
## Create an object in the log directory, with a private
|
||||
## type using a type transition.
|
||||
## </summary>
|
||||
@@ -317,6 +341,25 @@
|
||||
@@ -317,6 +379,25 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -8395,7 +8449,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
||||
## Allows the domain to open a file in the
|
||||
## log directory, but does not allow the listing
|
||||
## of the contents of the log directory.
|
||||
@@ -451,7 +494,7 @@
|
||||
@@ -451,7 +532,7 @@
|
||||
|
||||
files_search_var($1)
|
||||
allow $1 var_log_t:dir list_dir_perms;
|
||||
@ -8404,7 +8458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -495,6 +538,8 @@
|
||||
@@ -495,6 +576,8 @@
|
||||
files_search_var($1)
|
||||
manage_files_pattern($1,logfile,logfile)
|
||||
read_lnk_files_pattern($1,logfile,logfile)
|
||||
@ -8413,7 +8467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -578,3 +623,101 @@
|
||||
@@ -578,3 +661,101 @@
|
||||
files_search_var($1)
|
||||
manage_files_pattern($1,var_log_t,var_log_t)
|
||||
')
|
||||
@ -8517,7 +8571,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.0.1/policy/modules/system/logging.te
|
||||
--- nsaserefpolicy/policy/modules/system/logging.te 2007-06-15 14:54:33.000000000 -0400
|
||||
+++ serefpolicy-3.0.1/policy/modules/system/logging.te 2007-06-20 07:06:09.000000000 -0400
|
||||
+++ serefpolicy-3.0.1/policy/modules/system/logging.te 2007-06-27 10:16:37.000000000 -0400
|
||||
@@ -7,10 +7,15 @@
|
||||
#
|
||||
|
||||
@ -8534,7 +8588,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
||||
role system_r types auditctl_t;
|
||||
|
||||
type auditd_etc_t;
|
||||
@@ -48,6 +53,9 @@
|
||||
@@ -45,9 +50,15 @@
|
||||
type syslogd_exec_t;
|
||||
init_daemon_domain(syslogd_t,syslogd_exec_t)
|
||||
|
||||
+type syslog_conf_t;
|
||||
+files_type(syslog_conf_t)
|
||||
+
|
||||
type syslogd_tmp_t;
|
||||
files_tmp_file(syslogd_tmp_t)
|
||||
|
||||
@ -8544,7 +8604,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
||||
type syslogd_var_run_t;
|
||||
files_pid_file(syslogd_var_run_t)
|
||||
|
||||
@@ -59,14 +67,17 @@
|
||||
@@ -59,14 +70,17 @@
|
||||
init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
|
||||
')
|
||||
|
||||
@ -8565,7 +8625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
||||
read_files_pattern(auditctl_t,auditd_etc_t,auditd_etc_t)
|
||||
allow auditctl_t auditd_etc_t:dir list_dir_perms;
|
||||
|
||||
@@ -91,6 +102,7 @@
|
||||
@@ -91,6 +105,7 @@
|
||||
|
||||
locallogin_dontaudit_use_fds(auditctl_t)
|
||||
|
||||
@ -8573,7 +8633,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
||||
logging_send_syslog_msg(auditctl_t)
|
||||
|
||||
########################################
|
||||
@@ -98,12 +110,11 @@
|
||||
@@ -98,12 +113,11 @@
|
||||
# Auditd local policy
|
||||
#
|
||||
|
||||
@ -8587,7 +8647,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
||||
allow auditd_t self:fifo_file rw_file_perms;
|
||||
|
||||
allow auditd_t auditd_etc_t:dir list_dir_perms;
|
||||
@@ -141,6 +152,7 @@
|
||||
@@ -141,6 +155,7 @@
|
||||
|
||||
init_telinit(auditd_t)
|
||||
|
||||
@ -8595,7 +8655,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
||||
logging_send_syslog_msg(auditd_t)
|
||||
|
||||
libs_use_ld_so(auditd_t)
|
||||
@@ -157,6 +169,8 @@
|
||||
@@ -157,6 +172,8 @@
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(auditd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(auditd_t)
|
||||
@ -8604,7 +8664,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(auditd_t)
|
||||
@@ -249,6 +263,10 @@
|
||||
@@ -243,12 +260,18 @@
|
||||
allow syslogd_t self:udp_socket create_socket_perms;
|
||||
allow syslogd_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
+allow syslogd_t syslog_conf_t:file read;
|
||||
+
|
||||
# Create and bind to /dev/log or /var/run/log.
|
||||
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
|
||||
files_pid_filetrans(syslogd_t,devlog_t,sock_file)
|
||||
|
||||
# create/append log files.
|
||||
manage_files_pattern(syslogd_t,var_log_t,var_log_t)
|
||||
@ -8615,7 +8683,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
||||
# Allow access for syslog-ng
|
||||
allow syslogd_t var_log_t:dir { create setattr };
|
||||
|
||||
@@ -257,6 +275,9 @@
|
||||
@@ -257,6 +280,9 @@
|
||||
manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
|
||||
files_tmp_filetrans(syslogd_t,syslogd_tmp_t,{ dir file })
|
||||
|
||||
@ -8625,7 +8693,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
||||
allow syslogd_t syslogd_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
|
||||
|
||||
@@ -313,6 +334,7 @@
|
||||
@@ -313,6 +339,7 @@
|
||||
domain_use_interactive_fds(syslogd_t)
|
||||
|
||||
files_read_etc_files(syslogd_t)
|
||||
@ -10902,9 +10970,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.t
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.0.1/policy/modules/users/logadm.fc
|
||||
--- nsaserefpolicy/policy/modules/users/logadm.fc 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.0.1/policy/modules/users/logadm.fc 2007-06-19 17:06:27.000000000 -0400
|
||||
+++ serefpolicy-3.0.1/policy/modules/users/logadm.fc 2007-06-27 10:17:08.000000000 -0400
|
||||
@@ -0,0 +1 @@
|
||||
+/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
|
||||
+# No logadm file contexts.
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.if serefpolicy-3.0.1/policy/modules/users/logadm.if
|
||||
--- nsaserefpolicy/policy/modules/users/logadm.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.0.1/policy/modules/users/logadm.if 2007-06-19 17:06:27.000000000 -0400
|
||||
@ -10912,8 +10980,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.
|
||||
+## <summary>Policy for logadm user</summary>
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.te serefpolicy-3.0.1/policy/modules/users/logadm.te
|
||||
--- nsaserefpolicy/policy/modules/users/logadm.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.0.1/policy/modules/users/logadm.te 2007-06-19 17:06:27.000000000 -0400
|
||||
@@ -0,0 +1,35 @@
|
||||
+++ serefpolicy-3.0.1/policy/modules/users/logadm.te 2007-06-27 10:21:24.000000000 -0400
|
||||
@@ -0,0 +1,37 @@
|
||||
+policy_module(logadm,1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -10925,13 +10993,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.
|
||||
+files_type(syslog_conf_t)
|
||||
+
|
||||
+userdom_base_user_template(logadm)
|
||||
+allow logadm_t syslog_conf_t:file manage_file_perms;
|
||||
+files_etc_filetrans(logadm_t, syslog_conf_t, file)
|
||||
+
|
||||
+allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
|
||||
+
|
||||
+logging_etc_filetrans_syslog_conf(logadm_t)
|
||||
+logging_manage_syslog_config(logadm_t)
|
||||
+logging_manage_all_logs(logadm_t)
|
||||
+
|
||||
+seutil_run_runinit(logadm_t, logadm_r, { logadm_tty_device_t logadm_devpts_t })
|
||||
+
|
||||
+domain_kill_all_domains(logadm_t)
|
||||
+seutil_read_bin_policy(logadm_t)
|
||||
+corecmd_exec_shell(logadm_t)
|
||||
|
||||
@ -17,7 +17,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.0.1
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: GPL
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -355,6 +355,10 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Jun 26 2007 Dan Walsh <dwalsh@redhat.com> 3.0.1-2
|
||||
- Allow avahi to access inotify
|
||||
- Remove a lot of bogus security_t:filesystem avcs
|
||||
|
||||
* Fri May 25 2007 Dan Walsh <dwalsh@redhat.com> 3.0.1-1
|
||||
- Remove ifdef strict policy from upstream
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user