- Update to upstream policy
This commit is contained in:
parent
e0b9b8d38f
commit
80edc319f8
252
booleans-minimum.conf
Normal file
252
booleans-minimum.conf
Normal file
@ -0,0 +1,252 @@
|
||||
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
|
||||
#
|
||||
allow_execmem = false
|
||||
|
||||
# Allow making a modified private filemapping executable (text relocation).
|
||||
#
|
||||
allow_execmod = false
|
||||
|
||||
# Allow making the stack executable via mprotect.Also requires allow_execmem.
|
||||
#
|
||||
allow_execstack = false
|
||||
|
||||
# Allow ftpd to read cifs directories.
|
||||
#
|
||||
allow_ftpd_use_cifs = false
|
||||
|
||||
# Allow ftpd to read nfs directories.
|
||||
#
|
||||
allow_ftpd_use_nfs = false
|
||||
|
||||
# Allow ftp servers to modify public filesused for public file transfer services.
|
||||
#
|
||||
allow_ftpd_anon_write = false
|
||||
|
||||
# Allow gssd to read temp directory.
|
||||
#
|
||||
allow_gssd_read_tmp = true
|
||||
|
||||
# Allow Apache to modify public filesused for public file transfer services.
|
||||
#
|
||||
allow_httpd_anon_write = false
|
||||
|
||||
# Allow Apache to use mod_auth_pam module
|
||||
#
|
||||
allow_httpd_mod_auth_pam = false
|
||||
|
||||
# Allow system to run with kerberos
|
||||
#
|
||||
allow_kerberos = true
|
||||
|
||||
# Allow rsync to modify public filesused for public file transfer services.
|
||||
#
|
||||
allow_rsync_anon_write = false
|
||||
|
||||
# Allow sasl to read shadow
|
||||
#
|
||||
allow_saslauthd_read_shadow = false
|
||||
|
||||
# Allow samba to modify public filesused for public file transfer services.
|
||||
#
|
||||
allow_smbd_anon_write = false
|
||||
|
||||
# Allow system to run with NIS
|
||||
#
|
||||
allow_ypbind = false
|
||||
|
||||
# Allow zebra to write it own configuration files
|
||||
#
|
||||
allow_zebra_write_config = true
|
||||
|
||||
# Enable extra rules in the cron domainto support fcron.
|
||||
#
|
||||
fcron_crond = false
|
||||
|
||||
# Allow ftp to read and write files in the user home directories
|
||||
#
|
||||
ftp_home_dir = false
|
||||
|
||||
#
|
||||
# allow httpd to connect to mysql/posgresql
|
||||
httpd_can_network_connect_db = false
|
||||
|
||||
#
|
||||
# allow httpd to network relay
|
||||
httpd_can_network_relay = false
|
||||
|
||||
# Allow httpd to use built in scripting (usually php)
|
||||
#
|
||||
httpd_builtin_scripting = true
|
||||
|
||||
# Allow http daemon to tcp connect
|
||||
#
|
||||
httpd_can_network_connect = false
|
||||
|
||||
# Allow httpd cgi support
|
||||
#
|
||||
httpd_enable_cgi = true
|
||||
|
||||
# Allow httpd to act as a FTP server bylistening on the ftp port.
|
||||
#
|
||||
httpd_enable_ftp_server = false
|
||||
|
||||
# Allow httpd to read home directories
|
||||
#
|
||||
httpd_enable_homedirs = true
|
||||
|
||||
# Run SSI execs in system CGI script domain.
|
||||
#
|
||||
httpd_ssi_exec = false
|
||||
|
||||
# Allow http daemon to communicate with the TTY
|
||||
#
|
||||
httpd_tty_comm = true
|
||||
|
||||
# Run CGI in the main httpd domain
|
||||
#
|
||||
httpd_unified = true
|
||||
|
||||
# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
|
||||
#
|
||||
named_write_master_zones = false
|
||||
|
||||
# Allow nfs to be exported read/write.
|
||||
#
|
||||
nfs_export_all_rw = true
|
||||
|
||||
# Allow nfs to be exported read only
|
||||
#
|
||||
nfs_export_all_ro = true
|
||||
|
||||
# Allow pppd to load kernel modules for certain modems
|
||||
#
|
||||
pppd_can_insmod = false
|
||||
|
||||
# Allow reading of default_t files.
|
||||
#
|
||||
read_default_t = true
|
||||
|
||||
# Allow samba to export user home directories.
|
||||
#
|
||||
samba_enable_home_dirs = false
|
||||
|
||||
# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
|
||||
#
|
||||
squid_connect_any = false
|
||||
|
||||
# Support NFS home directories
|
||||
#
|
||||
use_nfs_home_dirs = true
|
||||
|
||||
# Support SAMBA home directories
|
||||
#
|
||||
use_samba_home_dirs = false
|
||||
|
||||
# Control users use of ping and traceroute
|
||||
#
|
||||
user_ping = true
|
||||
|
||||
# allow host key based authentication
|
||||
#
|
||||
allow_ssh_keysign = false
|
||||
|
||||
# Allow pppd to be run for a regular user
|
||||
#
|
||||
pppd_for_user = false
|
||||
|
||||
# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted
|
||||
#
|
||||
read_untrusted_content = false
|
||||
|
||||
# Allow spamd to write to users homedirs
|
||||
#
|
||||
spamd_enable_home_dirs = true
|
||||
|
||||
# Allow regular users direct mouse access
|
||||
#
|
||||
user_direct_mouse = false
|
||||
|
||||
# Allow users to read system messages.
|
||||
#
|
||||
user_dmesg = false
|
||||
|
||||
# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
|
||||
#
|
||||
user_rw_noexattrfile = false
|
||||
|
||||
# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
|
||||
#
|
||||
user_tcp_server = false
|
||||
|
||||
# Allow w to display everyone
|
||||
#
|
||||
user_ttyfile_stat = false
|
||||
|
||||
# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.
|
||||
#
|
||||
write_untrusted_content = false
|
||||
|
||||
# Allow all domains to talk to ttys
|
||||
#
|
||||
allow_daemons_use_tty = true
|
||||
|
||||
# Allow login domains to polyinstatiate directories
|
||||
#
|
||||
allow_polyinstantiation = false
|
||||
|
||||
# Allow all domains to dump core
|
||||
#
|
||||
allow_daemons_dump_core = true
|
||||
|
||||
# Allow samba to act as the domain controller
|
||||
#
|
||||
samba_domain_controller = false
|
||||
|
||||
# Allow samba to export user home directories.
|
||||
#
|
||||
samba_run_unconfined = true
|
||||
|
||||
# Allows XServer to execute writable memory
|
||||
#
|
||||
allow_xserver_execmem = true
|
||||
|
||||
# disallow guest accounts to execute files that they can create
|
||||
#
|
||||
allow_guest_exec_content = false
|
||||
allow_xguest_exec_content = false
|
||||
|
||||
# Only allow browser to use the web
|
||||
#
|
||||
browser_confine_xguest=false
|
||||
|
||||
# Allow postfix locat to write to mail spool
|
||||
#
|
||||
allow_postfix_local_write_mail_spool=true
|
||||
|
||||
# Allow common users to read/write noexattrfile systems
|
||||
#
|
||||
user_rw_noexattrfile=true
|
||||
|
||||
# Allow qemu to connect fully to the network
|
||||
#
|
||||
allow_qemu_full_network=true
|
||||
|
||||
# Allow nsplugin execmem/execstack for bad plugins
|
||||
#
|
||||
allow_nsplugin_execmem=true
|
||||
|
||||
# Allow unconfined domain to transition to confined domain
|
||||
#
|
||||
allow_unconfined_nsplugin_transition=true
|
||||
|
||||
# Allow unconfined domains mmap low kernel memory
|
||||
#
|
||||
allow_unconfined_mmap_low = false
|
||||
|
||||
# System uses init upstart program
|
||||
#
|
||||
init_upstart = true
|
||||
|
||||
# Allow mount to mount any file/dir
|
||||
#
|
||||
allow_mount_anyfile = true
|
1679
modules-minimum.conf
Normal file
1679
modules-minimum.conf
Normal file
File diff suppressed because it is too large
Load Diff
@ -1860,7 +1860,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.5.11/policy/modules/admin/vpn.te
|
||||
--- nsaserefpolicy/policy/modules/admin/vpn.te 2008-10-08 19:00:27.000000000 -0400
|
||||
+++ serefpolicy-3.5.11/policy/modules/admin/vpn.te 2008-10-08 20:36:17.000000000 -0400
|
||||
+++ serefpolicy-3.5.11/policy/modules/admin/vpn.te 2008-10-09 07:44:03.000000000 -0400
|
||||
@@ -23,7 +23,7 @@
|
||||
#
|
||||
|
||||
@ -1870,16 +1870,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow vpnc_t self:fifo_file rw_fifo_file_perms;
|
||||
allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
|
||||
allow vpnc_t self:tcp_socket create_stream_socket_perms;
|
||||
@@ -44,8 +44,7 @@
|
||||
@@ -44,7 +44,7 @@
|
||||
|
||||
kernel_read_system_state(vpnc_t)
|
||||
kernel_read_network_state(vpnc_t)
|
||||
-kernel_read_kernel_sysctls(vpnc_t)
|
||||
-kernel_rw_net_sysctls(vpnc_t)
|
||||
+kernel_read_all_sysctls(vpnc_t)
|
||||
kernel_rw_net_sysctls(vpnc_t)
|
||||
|
||||
corenet_all_recvfrom_unlabeled(vpnc_t)
|
||||
corenet_all_recvfrom_netlabel(vpnc_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.fc serefpolicy-3.5.11/policy/modules/apps/ethereal.fc
|
||||
--- nsaserefpolicy/policy/modules/apps/ethereal.fc 2008-08-07 11:15:03.000000000 -0400
|
||||
+++ serefpolicy-3.5.11/policy/modules/apps/ethereal.fc 2008-10-08 20:36:17.000000000 -0400
|
||||
@ -15951,7 +15950,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.5.11/policy/modules/services/kerberos.if
|
||||
--- nsaserefpolicy/policy/modules/services/kerberos.if 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.11/policy/modules/services/kerberos.if 2008-10-08 21:22:20.000000000 -0400
|
||||
+++ serefpolicy-3.5.11/policy/modules/services/kerberos.if 2008-10-09 07:56:36.000000000 -0400
|
||||
@@ -23,6 +23,43 @@
|
||||
|
||||
########################################
|
||||
@ -16122,7 +16121,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+ ## <param name="role">
|
||||
+## <param name="role">
|
||||
+## <summary>
|
||||
+## The role to be allowed to manage the kerberos domain.
|
||||
+## </summary>
|
||||
@ -27937,7 +27936,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.5.11/policy/modules/system/modutils.te
|
||||
--- nsaserefpolicy/policy/modules/system/modutils.te 2008-09-12 10:48:05.000000000 -0400
|
||||
+++ serefpolicy-3.5.11/policy/modules/system/modutils.te 2008-10-08 20:36:17.000000000 -0400
|
||||
+++ serefpolicy-3.5.11/policy/modules/system/modutils.te 2008-10-09 07:40:52.000000000 -0400
|
||||
@@ -42,7 +42,7 @@
|
||||
# insmod local policy
|
||||
#
|
||||
@ -28027,7 +28026,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
optional_policy(`
|
||||
unconfined_dontaudit_rw_pipes(insmod_t)
|
||||
+ unconfined_dontaudit_use_terminals(insmod_t)
|
||||
+ unconfined_dontaudit_use_terms(insmod_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -28057,7 +28056,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
optional_policy(`
|
||||
# Read System.map from home directories.
|
||||
- unconfined_read_home_content_files(depmod_t)
|
||||
+ unconfined_dontaudit_use_terminals(depmod_t)
|
||||
+ unconfined_dontaudit_use_terms(depmod_t)
|
||||
+ unconfined_domain(depmod_t)
|
||||
')
|
||||
|
||||
|
3
securetty_types-minimum
Normal file
3
securetty_types-minimum
Normal file
@ -0,0 +1,3 @@
|
||||
sysadm_tty_device_t
|
||||
user_tty_device_t
|
||||
staff_tty_device_t
|
19
setrans-minimum.conf
Normal file
19
setrans-minimum.conf
Normal file
@ -0,0 +1,19 @@
|
||||
#
|
||||
# Multi-Category Security translation table for SELinux
|
||||
#
|
||||
# Uncomment the following to disable translation libary
|
||||
# disable=1
|
||||
#
|
||||
# Objects can be categorized with 0-1023 categories defined by the admin.
|
||||
# Objects can be in more than one category at a time.
|
||||
# Categories are stored in the system as c0-c1023. Users can use this
|
||||
# table to translate the categories into a more meaningful output.
|
||||
# Examples:
|
||||
# s0:c0=CompanyConfidential
|
||||
# s0:c1=PatientRecord
|
||||
# s0:c2=Unclassified
|
||||
# s0:c3=TopSecret
|
||||
# s0:c1,c3=CompanyConfidentialRedHat
|
||||
s0=
|
||||
s0-s0:c0.c1023=SystemLow-SystemHigh
|
||||
s0:c0.c1023=SystemHigh
|
Loading…
Reference in New Issue
Block a user