- fix multiple directory ownership of mandirs
This commit is contained in:
parent
a85aeff615
commit
819f419b33
@ -300,14 +300,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.21/policy/mcs
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.21/policy/mcs
|
||||||
--- nsaserefpolicy/policy/mcs 2009-05-21 08:43:08.000000000 -0400
|
--- nsaserefpolicy/policy/mcs 2009-05-21 08:43:08.000000000 -0400
|
||||||
+++ serefpolicy-3.6.21/policy/mcs 2009-07-01 10:43:35.000000000 -0400
|
+++ serefpolicy-3.6.21/policy/mcs 2009-07-07 14:12:47.000000000 -0400
|
||||||
@@ -66,8 +66,8 @@
|
@@ -66,8 +66,8 @@
|
||||||
#
|
#
|
||||||
# Note that getattr on files is always permitted.
|
# Note that getattr on files is always permitted.
|
||||||
#
|
#
|
||||||
-mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
|
-mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
|
||||||
- ( h1 dom h2 );
|
- ( h1 dom h2 );
|
||||||
+mlsconstrain { file chr_file blk_file sock_file lnk_file fifo_file } { write setattr append unlink link rename ioctl lock execute relabelfrom }
|
+mlsconstrain { file chr_file blk_file lnk_file } { write setattr append unlink link rename ioctl lock execute relabelfrom }
|
||||||
+ (( h1 dom h2 ) or ( t1 == mlsfilewrite ));
|
+ (( h1 dom h2 ) or ( t1 == mlsfilewrite ));
|
||||||
|
|
||||||
mlsconstrain dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }
|
mlsconstrain dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }
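Review bot: The new side of this hunk narrows the MCS write constraint's class set from `{ file chr_file blk_file sock_file lnk_file fifo_file }` to `{ file chr_file blk_file lnk_file }`, so the `( h1 dom h2 )` category check on write/setattr/append/unlink/link/rename/ioctl/lock/execute/relabelfrom no longer applies to fifo_file or sock_file objects, and only type enforcement then separates named pipes and socket files that carry different categories. Nothing in the commit message ("fix multiple directory ownership of mandirs") or in the patch text explains the drop, and apart from the `+++` timestamp it is the only change in the hunk. If the relaxation is deliberate (for instance to stop denials on shared fifos), a comment next to the constraint such as `# sock_file/fifo_file intentionally excluded from MCS write constraint` should record the reason so it survives the next refpolicy rebase; otherwise keeping `sock_file` and `fifo_file` in the class set restores the previous coverage. The `mlsconstrain dir` rule on the last line is unchanged context.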
|
||||||
@ -414,7 +414,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
########################################
|
########################################
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.21/policy/modules/admin/kismet.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.21/policy/modules/admin/kismet.te
|
||||||
--- nsaserefpolicy/policy/modules/admin/kismet.te 2009-01-05 15:39:44.000000000 -0500
|
--- nsaserefpolicy/policy/modules/admin/kismet.te 2009-01-05 15:39:44.000000000 -0500
|
||||||
+++ serefpolicy-3.6.21/policy/modules/admin/kismet.te 2009-07-06 08:49:16.000000000 -0400
|
+++ serefpolicy-3.6.21/policy/modules/admin/kismet.te 2009-07-07 14:23:36.000000000 -0400
|
||||||
@@ -20,21 +20,37 @@
|
@@ -20,21 +20,37 @@
|
||||||
type kismet_log_t;
|
type kismet_log_t;
|
||||||
logging_log_file(kismet_log_t)
|
logging_log_file(kismet_log_t)
|
||||||
@ -487,7 +487,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+ dbus_system_bus_client(kismet_t)
|
+ dbus_system_bus_client(kismet_t)
|
||||||
+
|
+
|
||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
+ networkmanager_dbus_chatkismet_t)
|
+ networkmanager_dbus_chat(kismet_t)
|
||||||
+ ')
|
+ ')
|
||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.21/policy/modules/admin/logrotate.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.21/policy/modules/admin/logrotate.te
|
||||||
@ -10767,7 +10767,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.21/policy/modules/services/consolekit.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.21/policy/modules/services/consolekit.te
|
||||||
--- nsaserefpolicy/policy/modules/services/consolekit.te 2009-05-21 08:43:08.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/consolekit.te 2009-05-21 08:43:08.000000000 -0400
|
||||||
+++ serefpolicy-3.6.21/policy/modules/services/consolekit.te 2009-07-01 10:43:35.000000000 -0400
|
+++ serefpolicy-3.6.21/policy/modules/services/consolekit.te 2009-07-07 14:09:28.000000000 -0400
|
||||||
@@ -11,7 +11,7 @@
|
@@ -11,7 +11,7 @@
|
||||||
init_daemon_domain(consolekit_t, consolekit_exec_t)
|
init_daemon_domain(consolekit_t, consolekit_exec_t)
|
||||||
|
|
||||||
@ -11779,7 +11779,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.21/policy/modules/services/cups.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.21/policy/modules/services/cups.te
|
||||||
--- nsaserefpolicy/policy/modules/services/cups.te 2009-06-26 13:59:19.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/cups.te 2009-06-26 13:59:19.000000000 -0400
|
||||||
+++ serefpolicy-3.6.21/policy/modules/services/cups.te 2009-07-05 22:15:25.000000000 -0400
|
+++ serefpolicy-3.6.21/policy/modules/services/cups.te 2009-07-07 14:21:24.000000000 -0400
|
||||||
@@ -20,9 +20,18 @@
|
@@ -20,9 +20,18 @@
|
||||||
type cupsd_etc_t;
|
type cupsd_etc_t;
|
||||||
files_config_file(cupsd_etc_t)
|
files_config_file(cupsd_etc_t)
|
||||||
@ -12186,7 +12186,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+files_read_etc_files(cups_pdf_t)
|
+files_read_etc_files(cups_pdf_t)
|
||||||
+files_read_usr_files(cups_pdf_t)
|
+files_read_usr_files(cups_pdf_t)
|
||||||
+
|
+
|
||||||
+fs_rw_anon_inodefs_files(cupsd_pdf_t)
|
+fs_rw_anon_inodefs_files(cups_pdf_t)
|
||||||
+
|
+
|
||||||
+kernel_read_system_state(cups_pdf_t)
|
+kernel_read_system_state(cups_pdf_t)
|
||||||
+
|
+
|
||||||
@ -12889,8 +12889,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.21/policy/modules/services/devicekit.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.21/policy/modules/services/devicekit.te
|
||||||
--- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.6.21/policy/modules/services/devicekit.te 2009-07-06 14:26:02.000000000 -0400
|
+++ serefpolicy-3.6.21/policy/modules/services/devicekit.te 2009-07-07 14:07:07.000000000 -0400
|
||||||
@@ -0,0 +1,237 @@
|
@@ -0,0 +1,239 @@
|
||||||
+policy_module(devicekit,1.0.0)
|
+policy_module(devicekit,1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -13037,6 +13037,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+#
|
+#
|
||||||
+
|
+
|
||||||
+allow devicekit_disk_t self:capability { chown dac_override fowner fsetid net_admin sys_nice sys_ptrace sys_rawio };
|
+allow devicekit_disk_t self:capability { chown dac_override fowner fsetid net_admin sys_nice sys_ptrace sys_rawio };
|
||||||
|
+allow devicekit_disk_t self:process signal_perms;
|
||||||
|
+
|
||||||
+allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
|
+allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
|
||||||
+allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
|
+allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||||
+
|
+
|
||||||
@ -16182,6 +16184,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# Add/remove user home directories
|
# Add/remove user home directories
|
||||||
userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
|
userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
|
||||||
userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
|
userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
|
||||||
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.21/policy/modules/services/openvpn.te
|
||||||
|
--- nsaserefpolicy/policy/modules/services/openvpn.te 2009-03-23 13:47:11.000000000 -0400
|
||||||
|
+++ serefpolicy-3.6.21/policy/modules/services/openvpn.te 2009-07-07 14:12:16.000000000 -0400
|
||||||
|
@@ -86,6 +86,7 @@
|
||||||
|
corenet_udp_bind_openvpn_port(openvpn_t)
|
||||||
|
corenet_tcp_connect_openvpn_port(openvpn_t)
|
||||||
|
corenet_tcp_connect_http_port(openvpn_t)
|
||||||
|
+corenet_tcp_connect_http_cache_port(openvpn_t)
|
||||||
|
corenet_rw_tun_tap_dev(openvpn_t)
|
||||||
|
corenet_sendrecv_openvpn_server_packets(openvpn_t)
|
||||||
|
corenet_sendrecv_openvpn_client_packets(openvpn_t)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.21/policy/modules/services/pcscd.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.21/policy/modules/services/pcscd.te
|
||||||
--- nsaserefpolicy/policy/modules/services/pcscd.te 2009-03-23 13:47:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/pcscd.te 2009-03-23 13:47:11.000000000 -0400
|
||||||
+++ serefpolicy-3.6.21/policy/modules/services/pcscd.te 2009-07-01 10:43:36.000000000 -0400
|
+++ serefpolicy-3.6.21/policy/modules/services/pcscd.te 2009-07-01 10:43:36.000000000 -0400
|
||||||
@ -19814,7 +19827,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.21/policy/modules/services/setroubleshoot.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.21/policy/modules/services/setroubleshoot.te
|
||||||
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-06-26 13:59:19.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-06-26 13:59:19.000000000 -0400
|
||||||
+++ serefpolicy-3.6.21/policy/modules/services/setroubleshoot.te 2009-07-01 14:04:44.000000000 -0400
|
+++ serefpolicy-3.6.21/policy/modules/services/setroubleshoot.te 2009-07-07 14:10:21.000000000 -0400
|
||||||
@@ -22,13 +22,19 @@
|
@@ -22,13 +22,19 @@
|
||||||
type setroubleshoot_var_run_t;
|
type setroubleshoot_var_run_t;
|
||||||
files_pid_file(setroubleshoot_var_run_t)
|
files_pid_file(setroubleshoot_var_run_t)
|
||||||
@ -19875,7 +19888,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
selinux_get_enforce_mode(setroubleshootd_t)
|
selinux_get_enforce_mode(setroubleshootd_t)
|
||||||
selinux_validate_context(setroubleshootd_t)
|
selinux_validate_context(setroubleshootd_t)
|
||||||
@@ -94,23 +112,47 @@
|
@@ -94,23 +112,50 @@
|
||||||
|
|
||||||
locallogin_dontaudit_use_fds(setroubleshootd_t)
|
locallogin_dontaudit_use_fds(setroubleshootd_t)
|
||||||
|
|
||||||
@ -19923,8 +19936,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
+miscfiles_read_localization(setroubleshoot_fixit_t)
|
+miscfiles_read_localization(setroubleshoot_fixit_t)
|
||||||
+
|
+
|
||||||
+permissive setroubleshoot_fixit_t;
|
+optional_policy(`
|
||||||
|
+ polkit_dbus_chat(setroubleshoot_fixit_t)
|
||||||
|
+')
|
||||||
+
|
+
|
||||||
|
+permissive setroubleshoot_fixit_t;
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.fc serefpolicy-3.6.21/policy/modules/services/shorewall.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.fc serefpolicy-3.6.21/policy/modules/services/shorewall.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/shorewall.fc 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/shorewall.fc 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.6.21/policy/modules/services/shorewall.fc 2009-07-01 10:43:36.000000000 -0400
|
+++ serefpolicy-3.6.21/policy/modules/services/shorewall.fc 2009-07-01 10:43:36.000000000 -0400
|
||||||
@ -22730,7 +22746,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.21/policy/modules/services/xserver.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.21/policy/modules/services/xserver.te
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-06-26 13:59:19.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-06-26 13:59:19.000000000 -0400
|
||||||
+++ serefpolicy-3.6.21/policy/modules/services/xserver.te 2009-07-01 10:43:36.000000000 -0400
|
+++ serefpolicy-3.6.21/policy/modules/services/xserver.te 2009-07-07 15:47:58.000000000 -0400
|
||||||
@@ -34,6 +34,13 @@
|
@@ -34,6 +34,13 @@
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
@ -23110,7 +23126,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -515,12 +589,45 @@
|
@@ -515,12 +589,46 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -23129,6 +23145,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
+ devicekit_power_dbus_chat(xdm_t)
|
+ devicekit_power_dbus_chat(xdm_t)
|
||||||
|
+ devicekit_disk_dbus_chat(xdm_t)
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
@ -23156,7 +23173,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
hostname_exec(xdm_t)
|
hostname_exec(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -542,6 +649,28 @@
|
@@ -542,6 +650,28 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -23185,7 +23202,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
seutil_sigchld_newrole(xdm_t)
|
seutil_sigchld_newrole(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -550,8 +679,9 @@
|
@@ -550,8 +680,9 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -23197,7 +23214,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
ifndef(`distro_redhat',`
|
ifndef(`distro_redhat',`
|
||||||
allow xdm_t self:process { execheap execmem };
|
allow xdm_t self:process { execheap execmem };
|
||||||
@@ -560,7 +690,6 @@
|
@@ -560,7 +691,6 @@
|
||||||
ifdef(`distro_rhel4',`
|
ifdef(`distro_rhel4',`
|
||||||
allow xdm_t self:process { execheap execmem };
|
allow xdm_t self:process { execheap execmem };
|
||||||
')
|
')
|
||||||
@ -23205,7 +23222,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
userhelper_dontaudit_search_config(xdm_t)
|
userhelper_dontaudit_search_config(xdm_t)
|
||||||
@@ -571,6 +700,10 @@
|
@@ -571,6 +701,10 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -23216,7 +23233,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
xfs_stream_connect(xdm_t)
|
xfs_stream_connect(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -587,7 +720,7 @@
|
@@ -587,7 +721,7 @@
|
||||||
# execheap needed until the X module loader is fixed.
|
# execheap needed until the X module loader is fixed.
|
||||||
# NVIDIA Needs execstack
|
# NVIDIA Needs execstack
|
||||||
|
|
||||||
@ -23225,7 +23242,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
dontaudit xserver_t self:capability chown;
|
dontaudit xserver_t self:capability chown;
|
||||||
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||||
allow xserver_t self:memprotect mmap_zero;
|
allow xserver_t self:memprotect mmap_zero;
|
||||||
@@ -602,9 +735,11 @@
|
@@ -602,9 +736,11 @@
|
||||||
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||||
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow xserver_t self:udp_socket create_socket_perms;
|
allow xserver_t self:udp_socket create_socket_perms;
|
||||||
@ -23237,7 +23254,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
|
allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
|
||||||
|
|
||||||
@@ -616,13 +751,14 @@
|
@@ -616,13 +752,14 @@
|
||||||
type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
|
type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
|
||||||
|
|
||||||
allow xserver_t { rootwindow_t x_domain }:x_drawable send;
|
allow xserver_t { rootwindow_t x_domain }:x_drawable send;
|
||||||
@ -23253,7 +23270,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||||
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||||
@@ -635,9 +771,19 @@
|
@@ -635,9 +772,19 @@
|
||||||
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||||
files_search_var_lib(xserver_t)
|
files_search_var_lib(xserver_t)
|
||||||
|
|
||||||
@ -23273,7 +23290,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
kernel_read_system_state(xserver_t)
|
kernel_read_system_state(xserver_t)
|
||||||
kernel_read_device_sysctls(xserver_t)
|
kernel_read_device_sysctls(xserver_t)
|
||||||
@@ -680,9 +826,14 @@
|
@@ -680,9 +827,14 @@
|
||||||
dev_rw_xserver_misc(xserver_t)
|
dev_rw_xserver_misc(xserver_t)
|
||||||
# read events - the synaptics touchpad driver reads raw events
|
# read events - the synaptics touchpad driver reads raw events
|
||||||
dev_rw_input_dev(xserver_t)
|
dev_rw_input_dev(xserver_t)
|
||||||
@ -23288,7 +23305,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
files_read_etc_files(xserver_t)
|
files_read_etc_files(xserver_t)
|
||||||
files_read_etc_runtime_files(xserver_t)
|
files_read_etc_runtime_files(xserver_t)
|
||||||
@@ -697,8 +848,12 @@
|
@@ -697,8 +849,12 @@
|
||||||
fs_search_nfs(xserver_t)
|
fs_search_nfs(xserver_t)
|
||||||
fs_search_auto_mountpoints(xserver_t)
|
fs_search_auto_mountpoints(xserver_t)
|
||||||
fs_search_ramfs(xserver_t)
|
fs_search_ramfs(xserver_t)
|
||||||
@ -23301,7 +23318,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
selinux_validate_context(xserver_t)
|
selinux_validate_context(xserver_t)
|
||||||
selinux_compute_access_vector(xserver_t)
|
selinux_compute_access_vector(xserver_t)
|
||||||
@@ -720,6 +875,7 @@
|
@@ -720,6 +876,7 @@
|
||||||
|
|
||||||
miscfiles_read_localization(xserver_t)
|
miscfiles_read_localization(xserver_t)
|
||||||
miscfiles_read_fonts(xserver_t)
|
miscfiles_read_fonts(xserver_t)
|
||||||
@ -23309,7 +23326,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
modutils_domtrans_insmod(xserver_t)
|
modutils_domtrans_insmod(xserver_t)
|
||||||
|
|
||||||
@@ -742,7 +898,7 @@
|
@@ -742,7 +899,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`enable_mls',`
|
ifdef(`enable_mls',`
|
||||||
@ -23318,7 +23335,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
|
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -774,12 +930,20 @@
|
@@ -774,12 +931,20 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -23340,7 +23357,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
unconfined_domtrans(xserver_t)
|
unconfined_domtrans(xserver_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -806,7 +970,7 @@
|
@@ -806,7 +971,7 @@
|
||||||
allow xserver_t xdm_var_lib_t:file { getattr read };
|
allow xserver_t xdm_var_lib_t:file { getattr read };
|
||||||
dontaudit xserver_t xdm_var_lib_t:dir search;
|
dontaudit xserver_t xdm_var_lib_t:dir search;
|
||||||
|
|
||||||
@ -23349,7 +23366,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
# Label pid and temporary files with derived types.
|
# Label pid and temporary files with derived types.
|
||||||
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||||
@@ -827,9 +991,14 @@
|
@@ -827,9 +992,14 @@
|
||||||
# to read ROLE_home_t - examine this in more detail
|
# to read ROLE_home_t - examine this in more detail
|
||||||
# (xauth?)
|
# (xauth?)
|
||||||
userdom_read_user_home_content_files(xserver_t)
|
userdom_read_user_home_content_files(xserver_t)
|
||||||
@ -23364,7 +23381,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
tunable_policy(`use_nfs_home_dirs',`
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
fs_manage_nfs_dirs(xserver_t)
|
fs_manage_nfs_dirs(xserver_t)
|
||||||
fs_manage_nfs_files(xserver_t)
|
fs_manage_nfs_files(xserver_t)
|
||||||
@@ -844,11 +1013,14 @@
|
@@ -844,11 +1014,14 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_system_bus_client(xserver_t)
|
dbus_system_bus_client(xserver_t)
|
||||||
@ -23380,7 +23397,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -856,6 +1028,11 @@
|
@@ -856,6 +1029,11 @@
|
||||||
rhgb_rw_tmpfs_files(xserver_t)
|
rhgb_rw_tmpfs_files(xserver_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -23392,7 +23409,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Rules common to all X window domains
|
# Rules common to all X window domains
|
||||||
@@ -881,6 +1058,8 @@
|
@@ -881,6 +1059,8 @@
|
||||||
# X Server
|
# X Server
|
||||||
# can read server-owned resources
|
# can read server-owned resources
|
||||||
allow x_domain xserver_t:x_resource read;
|
allow x_domain xserver_t:x_resource read;
|
||||||
@ -23401,7 +23418,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# can mess with own clients
|
# can mess with own clients
|
||||||
allow x_domain self:x_client { manage destroy };
|
allow x_domain self:x_client { manage destroy };
|
||||||
|
|
||||||
@@ -905,6 +1084,8 @@
|
@@ -905,6 +1085,8 @@
|
||||||
# operations allowed on my windows
|
# operations allowed on my windows
|
||||||
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
||||||
|
|
||||||
@ -23410,7 +23427,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# X Colormaps
|
# X Colormaps
|
||||||
# can use the default colormap
|
# can use the default colormap
|
||||||
allow x_domain rootwindow_t:x_colormap { read use add_color };
|
allow x_domain rootwindow_t:x_colormap { read use add_color };
|
||||||
@@ -972,17 +1153,49 @@
|
@@ -972,17 +1154,49 @@
|
||||||
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
|
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
|
||||||
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
|
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
|
||||||
|
|
||||||
|
@ -185,7 +185,7 @@ fi;
|
|||||||
|
|
||||||
%description
|
%description
|
||||||
SELinux Reference Policy - modular.
|
SELinux Reference Policy - modular.
|
||||||
Based off of reference policy: Checked out revision 3005.
|
Based off of reference policy: Checked out revision 3011.
|
||||||
|
|
||||||
%build
|
%build
|
||||||
|
|
||||||
|