- prewika needs to contact mysql
- Allow syslog to read system_map files
This commit is contained in:
parent
ceda8feb68
commit
7f811bf534
@ -3316,7 +3316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc s
|
|||||||
+/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
|
+/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.3.1/policy/modules/apps/gpg.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.3.1/policy/modules/apps/gpg.if
|
||||||
--- nsaserefpolicy/policy/modules/apps/gpg.if 2007-07-23 10:20:12.000000000 -0400
|
--- nsaserefpolicy/policy/modules/apps/gpg.if 2007-07-23 10:20:12.000000000 -0400
|
||||||
+++ serefpolicy-3.3.1/policy/modules/apps/gpg.if 2008-03-12 08:31:43.000000000 -0400
|
+++ serefpolicy-3.3.1/policy/modules/apps/gpg.if 2008-03-12 13:45:36.000000000 -0400
|
||||||
@@ -38,6 +38,10 @@
|
@@ -38,6 +38,10 @@
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type gpg_exec_t, gpg_helper_exec_t;
|
type gpg_exec_t, gpg_helper_exec_t;
|
||||||
@ -3328,7 +3328,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -45,275 +49,61 @@
|
@@ -45,275 +49,62 @@
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -3521,6 +3521,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s
|
|||||||
+ dontaudit gpg_helper_t $2:udp_socket rw_socket_perms;
|
+ dontaudit gpg_helper_t $2:udp_socket rw_socket_perms;
|
||||||
+ #Leaked File Descriptors
|
+ #Leaked File Descriptors
|
||||||
+ dontaudit gpg_helper_t $2:unix_stream_socket rw_socket_perms;
|
+ dontaudit gpg_helper_t $2:unix_stream_socket rw_socket_perms;
|
||||||
|
+ dontaudit gpg_t $2:unix_stream_socket rw_socket_perms;
|
||||||
|
|
||||||
- # allow gpg to connect to the gpg agent
|
- # allow gpg to connect to the gpg agent
|
||||||
- stream_connect_pattern($1_gpg_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t,$1_gpg_agent_t)
|
- stream_connect_pattern($1_gpg_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t,$1_gpg_agent_t)
|
||||||
@ -18656,8 +18657,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.3.1/policy/modules/services/prelude.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.3.1/policy/modules/services/prelude.te
|
||||||
--- nsaserefpolicy/policy/modules/services/prelude.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/prelude.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.3.1/policy/modules/services/prelude.te 2008-02-26 08:29:22.000000000 -0500
|
+++ serefpolicy-3.3.1/policy/modules/services/prelude.te 2008-03-12 13:16:04.000000000 -0400
|
||||||
@@ -0,0 +1,152 @@
|
@@ -0,0 +1,162 @@
|
||||||
+policy_module(prelude,1.0.0)
|
+policy_module(prelude,1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -18803,13 +18804,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
|
|||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+#
|
+#
|
||||||
+# apcupsd_cgi Declarations
|
+# prewikka_cgi Declarations
|
||||||
+#
|
+#
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ apache_content_template(prewikka)
|
+ apache_content_template(prewikka)
|
||||||
+ files_read_etc_files(httpd_prewikka_script_t)
|
+ files_read_etc_files(httpd_prewikka_script_t)
|
||||||
|
+
|
||||||
|
+ optional_policy(`
|
||||||
|
+ mysql_search_db(httpd_prewikka_script_t)
|
||||||
|
+ mysql_stream_connect(httpd_prewikka_script_t)
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ optional_policy(`
|
||||||
|
+ postgresql_stream_connect(httpd_prewikka_script_t)
|
||||||
|
+ ')
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.fc serefpolicy-3.3.1/policy/modules/services/privoxy.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.fc serefpolicy-3.3.1/policy/modules/services/privoxy.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/privoxy.fc 2006-11-16 17:15:21.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/privoxy.fc 2006-11-16 17:15:21.000000000 -0500
|
||||||
+++ serefpolicy-3.3.1/policy/modules/services/privoxy.fc 2008-02-26 08:29:22.000000000 -0500
|
+++ serefpolicy-3.3.1/policy/modules/services/privoxy.fc 2008-02-26 08:29:22.000000000 -0500
|
||||||
@ -19553,7 +19564,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remo
|
|||||||
# Only permit unprivileged user domains to be entered via rlogin,
|
# Only permit unprivileged user domains to be entered via rlogin,
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-3.3.1/policy/modules/services/rhgb.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-3.3.1/policy/modules/services/rhgb.te
|
||||||
--- nsaserefpolicy/policy/modules/services/rhgb.te 2007-12-19 05:32:17.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/rhgb.te 2007-12-19 05:32:17.000000000 -0500
|
||||||
+++ serefpolicy-3.3.1/policy/modules/services/rhgb.te 2008-03-11 20:07:53.000000000 -0400
|
+++ serefpolicy-3.3.1/policy/modules/services/rhgb.te 2008-03-12 13:47:40.000000000 -0400
|
||||||
@@ -92,6 +92,7 @@
|
@@ -92,6 +92,7 @@
|
||||||
term_getattr_pty_fs(rhgb_t)
|
term_getattr_pty_fs(rhgb_t)
|
||||||
|
|
||||||
@ -19562,6 +19573,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb
|
|||||||
|
|
||||||
libs_use_ld_so(rhgb_t)
|
libs_use_ld_so(rhgb_t)
|
||||||
libs_use_shared_libs(rhgb_t)
|
libs_use_shared_libs(rhgb_t)
|
||||||
|
@@ -122,6 +123,7 @@
|
||||||
|
xserver_signal_xdm_xserver(rhgb_t)
|
||||||
|
xserver_read_xdm_tmp_files(rhgb_t)
|
||||||
|
xserver_stream_connect_xdm_xserver(rhgb_t)
|
||||||
|
+xserver_common_app_template(rhgb_t)
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
consoletype_exec(rhgb_t)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-3.3.1/policy/modules/services/ricci.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-3.3.1/policy/modules/services/ricci.if
|
||||||
--- nsaserefpolicy/policy/modules/services/ricci.if 2007-01-02 12:57:43.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/ricci.if 2007-01-02 12:57:43.000000000 -0500
|
||||||
+++ serefpolicy-3.3.1/policy/modules/services/ricci.if 2008-02-26 08:29:22.000000000 -0500
|
+++ serefpolicy-3.3.1/policy/modules/services/ricci.if 2008-02-26 08:29:22.000000000 -0500
|
||||||
@ -23434,7 +23453,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500
|
||||||
+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-03-11 22:20:09.000000000 -0400
|
+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-03-12 13:48:02.000000000 -0400
|
||||||
@@ -12,9 +12,15 @@
|
@@ -12,9 +12,15 @@
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
@ -23901,7 +23920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
# for when /tmp/.X11-unix is created by the system
|
# for when /tmp/.X11-unix is created by the system
|
||||||
allow $2 xdm_t:fd use;
|
allow $2 xdm_t:fd use;
|
||||||
@@ -542,25 +543,533 @@
|
@@ -542,25 +543,532 @@
|
||||||
allow $2 xdm_tmp_t:sock_file { read write };
|
allow $2 xdm_tmp_t:sock_file { read write };
|
||||||
dontaudit $2 xdm_t:tcp_socket { read write };
|
dontaudit $2 xdm_t:tcp_socket { read write };
|
||||||
|
|
||||||
@ -24107,7 +24126,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
+ allow $1 output_xext_t:x_property read;
|
+ allow $1 output_xext_t:x_property read;
|
||||||
+ allow $1 xserver_unconfined_type:x_property read;
|
+ allow $1 xserver_unconfined_type:x_property read;
|
||||||
+
|
+
|
||||||
+# type_transition $2_t default_xproperty_t:x_property $2_t;
|
|
||||||
+ # can read and write cut buffers
|
+ # can read and write cut buffers
|
||||||
+ allow $1 clipboard_xproperty_t:x_property { create read write };
|
+ allow $1 clipboard_xproperty_t:x_property { create read write };
|
||||||
+ # can read/write info properties
|
+ # can read/write info properties
|
||||||
@ -24441,7 +24459,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -593,26 +1102,44 @@
|
@@ -593,26 +1101,44 @@
|
||||||
#
|
#
|
||||||
template(`xserver_use_user_fonts',`
|
template(`xserver_use_user_fonts',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24493,7 +24511,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
## Transition to a user Xauthority domain.
|
## Transition to a user Xauthority domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <desc>
|
## <desc>
|
||||||
@@ -638,10 +1165,77 @@
|
@@ -638,10 +1164,77 @@
|
||||||
#
|
#
|
||||||
template(`xserver_domtrans_user_xauth',`
|
template(`xserver_domtrans_user_xauth',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24573,7 +24591,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -671,10 +1265,10 @@
|
@@ -671,10 +1264,10 @@
|
||||||
#
|
#
|
||||||
template(`xserver_user_home_dir_filetrans_user_xauth',`
|
template(`xserver_user_home_dir_filetrans_user_xauth',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24586,7 +24604,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -760,7 +1354,7 @@
|
@@ -760,7 +1353,7 @@
|
||||||
type xconsole_device_t;
|
type xconsole_device_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -24595,7 +24613,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -860,6 +1454,25 @@
|
@@ -860,6 +1453,25 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -24621,7 +24639,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
## Read xdm-writable configuration files.
|
## Read xdm-writable configuration files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -914,6 +1527,7 @@
|
@@ -914,6 +1526,7 @@
|
||||||
files_search_tmp($1)
|
files_search_tmp($1)
|
||||||
allow $1 xdm_tmp_t:dir list_dir_perms;
|
allow $1 xdm_tmp_t:dir list_dir_perms;
|
||||||
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
|
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
|
||||||
@ -24629,7 +24647,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -955,6 +1569,24 @@
|
@@ -955,6 +1568,24 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -24654,7 +24672,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
## Execute the X server in the XDM X server domain.
|
## Execute the X server in the XDM X server domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -965,15 +1597,47 @@
|
@@ -965,15 +1596,47 @@
|
||||||
#
|
#
|
||||||
interface(`xserver_domtrans_xdm_xserver',`
|
interface(`xserver_domtrans_xdm_xserver',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24703,7 +24721,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
## Make an X session script an entrypoint for the specified domain.
|
## Make an X session script an entrypoint for the specified domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -1123,7 +1787,7 @@
|
@@ -1123,7 +1786,7 @@
|
||||||
type xdm_xserver_tmp_t;
|
type xdm_xserver_tmp_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -24712,7 +24730,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1312,3 +1976,83 @@
|
@@ -1312,3 +1975,83 @@
|
||||||
files_search_tmp($1)
|
files_search_tmp($1)
|
||||||
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
|
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
|
||||||
')
|
')
|
||||||
@ -27001,7 +27019,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.3.1/policy/modules/system/logging.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.3.1/policy/modules/system/logging.te
|
||||||
--- nsaserefpolicy/policy/modules/system/logging.te 2008-02-26 08:17:43.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/logging.te 2008-02-26 08:17:43.000000000 -0500
|
||||||
+++ serefpolicy-3.3.1/policy/modules/system/logging.te 2008-03-11 20:22:56.000000000 -0400
|
+++ serefpolicy-3.3.1/policy/modules/system/logging.te 2008-03-12 15:39:04.000000000 -0400
|
||||||
@@ -61,10 +61,24 @@
|
@@ -61,10 +61,24 @@
|
||||||
logging_log_file(var_log_t)
|
logging_log_file(var_log_t)
|
||||||
files_mountpoint(var_log_t)
|
files_mountpoint(var_log_t)
|
||||||
@ -27027,7 +27045,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Auditctl local policy
|
# Auditctl local policy
|
||||||
@@ -158,6 +172,7 @@
|
@@ -84,6 +98,7 @@
|
||||||
|
kernel_read_kernel_sysctls(auditctl_t)
|
||||||
|
kernel_read_proc_symlinks(auditctl_t)
|
||||||
|
|
||||||
|
+
|
||||||
|
domain_read_all_domains_state(auditctl_t)
|
||||||
|
domain_use_interactive_fds(auditctl_t)
|
||||||
|
|
||||||
|
@@ -158,6 +173,7 @@
|
||||||
|
|
||||||
mls_file_read_all_levels(auditd_t)
|
mls_file_read_all_levels(auditd_t)
|
||||||
mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
|
mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
|
||||||
@ -27035,7 +27061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||||||
|
|
||||||
seutil_dontaudit_read_config(auditd_t)
|
seutil_dontaudit_read_config(auditd_t)
|
||||||
|
|
||||||
@@ -171,6 +186,10 @@
|
@@ -171,6 +187,10 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -27046,7 +27072,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||||||
seutil_sigchld_newrole(auditd_t)
|
seutil_sigchld_newrole(auditd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -208,6 +227,7 @@
|
@@ -208,6 +228,7 @@
|
||||||
|
|
||||||
fs_getattr_all_fs(klogd_t)
|
fs_getattr_all_fs(klogd_t)
|
||||||
fs_search_auto_mountpoints(klogd_t)
|
fs_search_auto_mountpoints(klogd_t)
|
||||||
@ -27054,7 +27080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||||||
|
|
||||||
domain_use_interactive_fds(klogd_t)
|
domain_use_interactive_fds(klogd_t)
|
||||||
|
|
||||||
@@ -252,7 +272,6 @@
|
@@ -252,7 +273,6 @@
|
||||||
dontaudit syslogd_t self:capability sys_tty_config;
|
dontaudit syslogd_t self:capability sys_tty_config;
|
||||||
# setpgid for metalog
|
# setpgid for metalog
|
||||||
allow syslogd_t self:process { signal_perms setpgid };
|
allow syslogd_t self:process { signal_perms setpgid };
|
||||||
@ -27062,7 +27088,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||||||
# receive messages to be logged
|
# receive messages to be logged
|
||||||
allow syslogd_t self:unix_dgram_socket create_socket_perms;
|
allow syslogd_t self:unix_dgram_socket create_socket_perms;
|
||||||
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
|
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
@@ -262,7 +281,7 @@
|
@@ -262,7 +282,7 @@
|
||||||
allow syslogd_t self:tcp_socket create_stream_socket_perms;
|
allow syslogd_t self:tcp_socket create_stream_socket_perms;
|
||||||
|
|
||||||
allow syslogd_t syslog_conf_t:file read_file_perms;
|
allow syslogd_t syslog_conf_t:file read_file_perms;
|
||||||
@ -27071,7 +27097,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||||||
# Create and bind to /dev/log or /var/run/log.
|
# Create and bind to /dev/log or /var/run/log.
|
||||||
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
|
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
|
||||||
files_pid_filetrans(syslogd_t,devlog_t,sock_file)
|
files_pid_filetrans(syslogd_t,devlog_t,sock_file)
|
||||||
@@ -274,6 +293,9 @@
|
@@ -274,6 +294,9 @@
|
||||||
# Allow access for syslog-ng
|
# Allow access for syslog-ng
|
||||||
allow syslogd_t var_log_t:dir { create setattr };
|
allow syslogd_t var_log_t:dir { create setattr };
|
||||||
|
|
||||||
@ -27081,7 +27107,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||||||
# manage temporary files
|
# manage temporary files
|
||||||
manage_dirs_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
|
manage_dirs_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
|
||||||
manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
|
manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
|
||||||
@@ -327,6 +349,8 @@
|
@@ -295,6 +318,7 @@
|
||||||
|
kernel_read_messages(syslogd_t)
|
||||||
|
kernel_clear_ring_buffer(syslogd_t)
|
||||||
|
kernel_change_ring_buffer_level(syslogd_t)
|
||||||
|
+files_read_kernel_symbol_table(syslogd_t)
|
||||||
|
|
||||||
|
dev_filetrans(syslogd_t,devlog_t,sock_file)
|
||||||
|
dev_read_sysfs(syslogd_t)
|
||||||
|
@@ -327,6 +351,8 @@
|
||||||
# Allow users to define additional syslog ports to connect to
|
# Allow users to define additional syslog ports to connect to
|
||||||
corenet_tcp_bind_syslogd_port(syslogd_t)
|
corenet_tcp_bind_syslogd_port(syslogd_t)
|
||||||
corenet_tcp_connect_syslogd_port(syslogd_t)
|
corenet_tcp_connect_syslogd_port(syslogd_t)
|
||||||
@ -27090,7 +27124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||||||
|
|
||||||
# syslog-ng can send or receive logs
|
# syslog-ng can send or receive logs
|
||||||
corenet_sendrecv_syslogd_client_packets(syslogd_t)
|
corenet_sendrecv_syslogd_client_packets(syslogd_t)
|
||||||
@@ -339,19 +363,20 @@
|
@@ -339,19 +365,20 @@
|
||||||
domain_use_interactive_fds(syslogd_t)
|
domain_use_interactive_fds(syslogd_t)
|
||||||
|
|
||||||
files_read_etc_files(syslogd_t)
|
files_read_etc_files(syslogd_t)
|
||||||
@ -27113,7 +27147,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||||||
miscfiles_read_localization(syslogd_t)
|
miscfiles_read_localization(syslogd_t)
|
||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
|
userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
|
||||||
@@ -380,15 +405,11 @@
|
@@ -380,15 +407,11 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -27131,7 +27165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -399,3 +420,37 @@
|
@@ -399,3 +422,37 @@
|
||||||
# log to the xconsole
|
# log to the xconsole
|
||||||
xserver_rw_console(syslogd_t)
|
xserver_rw_console(syslogd_t)
|
||||||
')
|
')
|
||||||
@ -27580,6 +27614,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
|
|||||||
+/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
|
+/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||||
+/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
|
+/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||||
+/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
|
+/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||||
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.3.1/policy/modules/system/mount.if
|
||||||
|
--- nsaserefpolicy/policy/modules/system/mount.if 2007-10-12 08:56:08.000000000 -0400
|
||||||
|
+++ serefpolicy-3.3.1/policy/modules/system/mount.if 2008-03-12 13:52:56.000000000 -0400
|
||||||
|
@@ -48,7 +48,9 @@
|
||||||
|
|
||||||
|
mount_domtrans($1)
|
||||||
|
role $2 types mount_t;
|
||||||
|
- allow mount_t $3:chr_file rw_file_perms;
|
||||||
|
+ allow mount_t $1:chr_file rw_file_perms;
|
||||||
|
+ #Leaked File Descriptors
|
||||||
|
+ dontaudit mount_t $1:unix_stream_socket rw_socket_perms;
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
samba_run_smbmount($1, $2, $3)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.3.1/policy/modules/system/mount.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.3.1/policy/modules/system/mount.te
|
||||||
--- nsaserefpolicy/policy/modules/system/mount.te 2008-02-06 10:33:22.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/mount.te 2008-02-06 10:33:22.000000000 -0500
|
||||||
+++ serefpolicy-3.3.1/policy/modules/system/mount.te 2008-03-04 08:35:40.000000000 -0500
|
+++ serefpolicy-3.3.1/policy/modules/system/mount.te 2008-03-04 08:35:40.000000000 -0500
|
||||||
|
@ -17,7 +17,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.3.1
|
Version: 3.3.1
|
||||||
Release: 16%{?dist}
|
Release: 17%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -388,6 +388,10 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Mar 13 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-17
|
||||||
|
- prewika needs to contact mysql
|
||||||
|
- Allow syslog to read system_map files
|
||||||
|
|
||||||
* Wed Mar 12 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-16
|
* Wed Mar 12 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-16
|
||||||
- Change init_t to an unconfined_domain
|
- Change init_t to an unconfined_domain
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user