Allow nmbd to manage sock file in /var/run/nmbd
ricci_modservice send syslog msgs Stop transitioning from unconfined_t to ldconfig_t, but make sure /etc/ld.so.cache is labeled correctly Allow systemd_logind_t to manage /run/USER/dconf/user
This commit is contained in:
Dan Walsh
parent
14d7aac744
commit
859ba0c85a
@ -1,6 +1,6 @@
|
||||
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
|
||||
#
|
||||
allow_execmem = true
|
||||
allow_execmem = false
|
||||
|
||||
# Allow making a modified private filemapping executable (text relocation).
|
||||
#
|
||||
@ -8,7 +8,7 @@ allow_execmod = true
|
||||
|
||||
# Allow making the stack executable via mprotect.Also requires allow_execmem.
|
||||
#
|
||||
allow_execstack = true
|
||||
allow_execstack = false
|
||||
|
||||
# Allow ftpd to read cifs directories.
|
||||
#
|
||||
@ -210,6 +210,10 @@ allow_daemons_use_tty = false
|
||||
#
|
||||
allow_polyinstantiation = false
|
||||
|
||||
# Allow confined domains to ptrace them selves
|
||||
#
|
||||
allow_ptrace = true
|
||||
|
||||
# Allow all domains to dump core
|
||||
#
|
||||
allow_daemons_dump_core = true
|
||||
|
||||
91
passwd.patch
91
passwd.patch
@ -12,10 +12,18 @@ index ef8bc09..ea06507 100644
|
||||
|
||||
miscfiles_read_localization(mcelog_t)
|
||||
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
|
||||
index 4779a8d..c2ee43e 100644
|
||||
index 4779a8d..b8eac3e 100644
|
||||
--- a/policy/modules/admin/usermanage.te
|
||||
+++ b/policy/modules/admin/usermanage.te
|
||||
@@ -96,11 +96,12 @@ corecmd_check_exec_shell(chfn_t)
|
||||
@@ -89,6 +89,7 @@ fs_search_auto_mountpoints(chfn_t)
|
||||
dev_read_urand(chfn_t)
|
||||
dev_dontaudit_getattr_all(chfn_t)
|
||||
|
||||
+auth_manage_passwd(chfn_t)
|
||||
auth_use_pam(chfn_t)
|
||||
|
||||
# allow checking if a shell is executable
|
||||
@@ -96,7 +97,6 @@ corecmd_check_exec_shell(chfn_t)
|
||||
|
||||
domain_use_interactive_fds(chfn_t)
|
||||
|
||||
@ -23,13 +31,37 @@ index 4779a8d..c2ee43e 100644
|
||||
files_read_etc_runtime_files(chfn_t)
|
||||
files_dontaudit_search_var(chfn_t)
|
||||
files_dontaudit_search_home(chfn_t)
|
||||
@@ -205,8 +205,8 @@ init_dontaudit_write_utmp(groupadd_t)
|
||||
|
||||
+auth_manage_passwd(chfn_t)
|
||||
+
|
||||
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
||||
# correctly without it. Do not audit write denials to utmp.
|
||||
init_dontaudit_rw_utmp(chfn_t)
|
||||
@@ -310,13 +311,14 @@ corenet_tcp_connect_kerberos_password_port(passwd_t)
|
||||
domain_use_interactive_fds(groupadd_t)
|
||||
|
||||
-files_manage_etc_files(groupadd_t)
|
||||
files_relabel_etc_files(groupadd_t)
|
||||
+files_read_etc_files(groupadd_t)
|
||||
files_read_etc_runtime_files(groupadd_t)
|
||||
files_read_usr_symlinks(groupadd_t)
|
||||
|
||||
@@ -221,9 +221,10 @@ miscfiles_read_localization(groupadd_t)
|
||||
auth_domtrans_chk_passwd(groupadd_t)
|
||||
auth_rw_lastlog(groupadd_t)
|
||||
auth_use_nsswitch(groupadd_t)
|
||||
+auth_manage_passwd(groupadd_t)
|
||||
+auth_manage_shadow(groupadd_t)
|
||||
# these may be unnecessary due to the above
|
||||
# domtrans_chk_passwd() call.
|
||||
-auth_manage_shadow(groupadd_t)
|
||||
auth_relabel_shadow(groupadd_t)
|
||||
auth_etc_filetrans_shadow(groupadd_t)
|
||||
|
||||
@@ -296,6 +297,7 @@ selinux_compute_user_contexts(passwd_t)
|
||||
|
||||
term_use_all_inherited_terms(passwd_t)
|
||||
|
||||
+auth_manage_passwd(passwd_t)
|
||||
auth_manage_shadow(passwd_t)
|
||||
auth_relabel_shadow(passwd_t)
|
||||
auth_etc_filetrans_shadow(passwd_t)
|
||||
@@ -310,7 +312,6 @@ corenet_tcp_connect_kerberos_password_port(passwd_t)
|
||||
domain_use_interactive_fds(passwd_t)
|
||||
|
||||
files_read_etc_runtime_files(passwd_t)
|
||||
@ -37,15 +69,15 @@ index 4779a8d..c2ee43e 100644
|
||||
files_search_var(passwd_t)
|
||||
files_dontaudit_search_pids(passwd_t)
|
||||
files_relabel_etc_files(passwd_t)
|
||||
@@ -390,6 +391,7 @@ fs_search_auto_mountpoints(sysadm_passwd_t)
|
||||
|
||||
term_search_ptys(passwd_t)
|
||||
term_use_all_inherited_terms(sysadm_passwd_t)
|
||||
|
||||
+auth_manage_passwd(passwd_t)
|
||||
+
|
||||
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
||||
# correctly without it. Do not audit write denials to utmp.
|
||||
init_dontaudit_rw_utmp(passwd_t)
|
||||
@@ -402,12 +404,13 @@ files_read_usr_files(sysadm_passwd_t)
|
||||
+auth_manage_passwd(sysadm_passwd_t)
|
||||
auth_manage_shadow(sysadm_passwd_t)
|
||||
auth_relabel_shadow(sysadm_passwd_t)
|
||||
auth_etc_filetrans_shadow(sysadm_passwd_t)
|
||||
@@ -402,7 +404,6 @@ files_read_usr_files(sysadm_passwd_t)
|
||||
|
||||
domain_use_interactive_fds(sysadm_passwd_t)
|
||||
|
||||
@ -53,14 +85,7 @@ index 4779a8d..c2ee43e 100644
|
||||
files_relabel_etc_files(sysadm_passwd_t)
|
||||
files_read_etc_runtime_files(sysadm_passwd_t)
|
||||
# for nscd lookups
|
||||
files_dontaudit_search_pids(sysadm_passwd_t)
|
||||
|
||||
+auth_manage_passwd(sysadm_passwd_t)
|
||||
+
|
||||
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
||||
# correctly without it. Do not audit write denials to utmp.
|
||||
init_dontaudit_rw_utmp(sysadm_passwd_t)
|
||||
@@ -461,7 +464,6 @@ domain_use_interactive_fds(useradd_t)
|
||||
@@ -461,7 +462,6 @@ domain_use_interactive_fds(useradd_t)
|
||||
domain_read_all_domains_state(useradd_t)
|
||||
domain_dontaudit_read_all_domains_state(useradd_t)
|
||||
|
||||
@ -68,7 +93,7 @@ index 4779a8d..c2ee43e 100644
|
||||
files_search_var_lib(useradd_t)
|
||||
files_relabel_etc_files(useradd_t)
|
||||
files_read_etc_runtime_files(useradd_t)
|
||||
@@ -488,6 +490,7 @@ auth_rw_faillog(useradd_t)
|
||||
@@ -488,6 +488,7 @@ auth_rw_faillog(useradd_t)
|
||||
auth_use_nsswitch(useradd_t)
|
||||
# these may be unnecessary due to the above
|
||||
# domtrans_chk_passwd() call.
|
||||
@ -152,10 +177,10 @@ index 4f9a575..5fc3a55 100644
|
||||
miscfiles_read_fonts(plymouthd_t)
|
||||
miscfiles_manage_fonts_cache(plymouthd_t)
|
||||
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
|
||||
index 290f8c4..cd2909f 100644
|
||||
index 52df08a..7790f7e 100644
|
||||
--- a/policy/modules/services/virt.te
|
||||
+++ b/policy/modules/services/virt.te
|
||||
@@ -881,6 +881,7 @@ fs_getattr_xattr_fs(svirt_lxc_domain)
|
||||
@@ -882,6 +882,7 @@ fs_getattr_xattr_fs(svirt_lxc_domain)
|
||||
fs_list_inotifyfs(svirt_lxc_domain)
|
||||
fs_dontaudit_getattr_xattr_fs(svirt_lxc_domain)
|
||||
|
||||
@ -164,19 +189,20 @@ index 290f8c4..cd2909f 100644
|
||||
auth_dontaudit_write_login_records(svirt_lxc_domain)
|
||||
auth_search_pam_console_data(svirt_lxc_domain)
|
||||
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
|
||||
index 59742f4..51ca568 100644
|
||||
index 59742f4..904e39c 100644
|
||||
--- a/policy/modules/system/authlogin.fc
|
||||
+++ b/policy/modules/system/authlogin.fc
|
||||
@@ -7,6 +7,7 @@
|
||||
@@ -7,6 +7,8 @@
|
||||
/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
|
||||
/etc/passwd\.adjunct.* -- gen_context(system_u:object_r:shadow_t,s0)
|
||||
/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
|
||||
+/etc/passwd.* -- gen_context(system_u:object_r:passwd_file_t,s0)
|
||||
+/etc/passwd-? -- gen_context(system_u:object_r:passwd_file_t,s0)
|
||||
+/etc/group-? -- gen_context(system_u:object_r:passwd_file_t,s0)
|
||||
|
||||
/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
|
||||
/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
|
||||
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
|
||||
index f05a80f..c317b16 100644
|
||||
index f05a80f..4372e5d 100644
|
||||
--- a/policy/modules/system/authlogin.if
|
||||
+++ b/policy/modules/system/authlogin.if
|
||||
@@ -558,7 +558,6 @@ interface(`auth_domtrans_upd_passwd',`
|
||||
@ -216,7 +242,7 @@ index f05a80f..c317b16 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1810,19 +1817,115 @@ interface(`auth_unconfined',`
|
||||
@@ -1810,19 +1817,118 @@ interface(`auth_unconfined',`
|
||||
interface(`authlogin_filetrans_named_content',`
|
||||
gen_require(`
|
||||
type shadow_t;
|
||||
@ -333,6 +359,9 @@ index f05a80f..c317b16 100644
|
||||
+ files_rw_etc_dirs($1)
|
||||
+ allow $1 passwd_file_t:file manage_file_perms;
|
||||
+ files_etc_filetrans($1, passwd_file_t, file, "passwd")
|
||||
+ files_etc_filetrans($1, passwd_file_t, file, "passwd-")
|
||||
+ files_etc_filetrans($1, passwd_file_t, file, "group")
|
||||
+ files_etc_filetrans($1, passwd_file_t, file, "group-")
|
||||
+')
|
||||
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
|
||||
index a53db2b..16e2e63 100644
|
||||
|
||||
130
policy-F16.patch
130
policy-F16.patch
@ -11166,10 +11166,10 @@ index 0000000..b78aa77
|
||||
+
|
||||
diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te
|
||||
new file mode 100644
|
||||
index 0000000..73e7983
|
||||
index 0000000..fc5b449
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/apps/thumb.te
|
||||
@@ -0,0 +1,127 @@
|
||||
@@ -0,0 +1,123 @@
|
||||
+policy_module(thumb, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -11258,10 +11258,6 @@ index 0000000..73e7983
|
||||
+
|
||||
+userdom_use_inherited_user_ptys(thumb_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ dbus_dontaudit_session_bus_connect(thumb_t)
|
||||
+')
|
||||
+
|
||||
+# optional_policy(`
|
||||
+# gnome_read_gconf_home_files(thumb_t)
|
||||
+# gnome_read_gstreamer_home_content(thumb_t)
|
||||
@ -13644,7 +13640,7 @@ index 6cf8784..935a96c 100644
|
||||
+#
|
||||
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
|
||||
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
|
||||
index f820f3b..7139ab3 100644
|
||||
index f820f3b..60394ec 100644
|
||||
--- a/policy/modules/kernel/devices.if
|
||||
+++ b/policy/modules/kernel/devices.if
|
||||
@@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
|
||||
@ -14044,11 +14040,13 @@ index f820f3b..7139ab3 100644
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@@ -2932,7 +3168,7 @@ interface(`dev_dontaudit_write_mtrr',`
|
||||
@@ -2931,8 +3167,8 @@ interface(`dev_dontaudit_write_mtrr',`
|
||||
type mtrr_device_t;
|
||||
')
|
||||
|
||||
dontaudit $1 mtrr_device_t:file write;
|
||||
- dontaudit $1 mtrr_device_t:file write;
|
||||
- dontaudit $1 mtrr_device_t:chr_file write;
|
||||
+ dontaudit $1 mtrr_device_t:file write_file_perms;
|
||||
+ dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms;
|
||||
')
|
||||
|
||||
@ -21423,7 +21421,7 @@ index 0000000..8b2cdf3
|
||||
+
|
||||
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
|
||||
new file mode 100644
|
||||
index 0000000..fcc8949
|
||||
index 0000000..e1113e0
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/roles/unconfineduser.te
|
||||
@@ -0,0 +1,503 @@
|
||||
@ -21530,7 +21528,7 @@ index 0000000..fcc8949
|
||||
+init_domtrans_script(unconfined_t)
|
||||
+init_telinit(unconfined_t)
|
||||
+
|
||||
+libs_run_ldconfig(unconfined_t, unconfined_r)
|
||||
+lib_filetrans_named_content(unconfined_t)
|
||||
+
|
||||
+logging_send_syslog_msg(unconfined_t)
|
||||
+logging_run_auditctl(unconfined_t, unconfined_r)
|
||||
@ -37459,18 +37457,10 @@ index 671d8fd..25c7ab8 100644
|
||||
+ dontaudit gnomeclock_t $1:dbus send_msg;
|
||||
+')
|
||||
diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
|
||||
index 4fde46b..ab59945 100644
|
||||
index 4fde46b..86ba356 100644
|
||||
--- a/policy/modules/services/gnomeclock.te
|
||||
+++ b/policy/modules/services/gnomeclock.te
|
||||
@@ -9,24 +9,31 @@ type gnomeclock_t;
|
||||
type gnomeclock_exec_t;
|
||||
dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
|
||||
|
||||
+systemd_systemctl_domain(gnomeclock)
|
||||
+
|
||||
########################################
|
||||
#
|
||||
# gnomeclock local policy
|
||||
@@ -15,18 +15,23 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
|
||||
#
|
||||
|
||||
allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
|
||||
@ -37497,7 +37487,7 @@ index 4fde46b..ab59945 100644
|
||||
|
||||
miscfiles_read_localization(gnomeclock_t)
|
||||
miscfiles_manage_localization(gnomeclock_t)
|
||||
@@ -35,12 +42,52 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
|
||||
@@ -35,10 +40,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
|
||||
userdom_read_all_users_state(gnomeclock_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -37531,25 +37521,6 @@ index 4fde46b..ab59945 100644
|
||||
policykit_dbus_chat(gnomeclock_t)
|
||||
policykit_domtrans_auth(gnomeclock_t)
|
||||
policykit_read_lib(gnomeclock_t)
|
||||
policykit_read_reload(gnomeclock_t)
|
||||
')
|
||||
+
|
||||
+#######################################
|
||||
+#
|
||||
+# gnomeclock systemctl local policy
|
||||
+#
|
||||
+
|
||||
+files_dontaudit_remove_etc_dir(gnomeclock_systemctl_t)
|
||||
+files_manage_etc_symlinks(gnomeclock_systemctl_t)
|
||||
+
|
||||
+miscfiles_read_localization(gnomeclock_systemctl_t)
|
||||
+
|
||||
+systemd_dontaudit_read_unit_files(gnomeclock_systemctl_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ ntp_read_unit_file(gnomeclock_systemctl_t)
|
||||
+ ntp_read_state(gnomeclock_systemctl_t)
|
||||
+')
|
||||
diff --git a/policy/modules/services/gpm.if b/policy/modules/services/gpm.if
|
||||
index 7d97298..d6b2959 100644
|
||||
--- a/policy/modules/services/gpm.if
|
||||
@ -52467,7 +52438,7 @@ index f7826f9..679d185 100644
|
||||
+ admin_pattern($1, ricci_var_run_t)
|
||||
+')
|
||||
diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
|
||||
index 33e72e8..28d2775 100644
|
||||
index 33e72e8..7582159 100644
|
||||
--- a/policy/modules/services/ricci.te
|
||||
+++ b/policy/modules/services/ricci.te
|
||||
@@ -7,9 +7,11 @@ policy_module(ricci, 1.7.0)
|
||||
@ -52615,7 +52586,7 @@ index 33e72e8..28d2775 100644
|
||||
miscfiles_read_localization(ricci_modrpm_t)
|
||||
|
||||
optional_policy(`
|
||||
@@ -394,8 +416,6 @@ files_search_usr(ricci_modservice_t)
|
||||
@@ -394,10 +416,10 @@ files_search_usr(ricci_modservice_t)
|
||||
# Needed for running chkconfig
|
||||
files_manage_etc_symlinks(ricci_modservice_t)
|
||||
|
||||
@ -52623,8 +52594,12 @@ index 33e72e8..28d2775 100644
|
||||
-
|
||||
init_domtrans_script(ricci_modservice_t)
|
||||
|
||||
+logging_send_syslog_msg(ricci_modservice_t)
|
||||
+
|
||||
miscfiles_read_localization(ricci_modservice_t)
|
||||
@@ -405,6 +425,10 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
@@ -405,6 +427,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -52635,7 +52610,7 @@ index 33e72e8..28d2775 100644
|
||||
nscd_dontaudit_search_pid(ricci_modservice_t)
|
||||
')
|
||||
|
||||
@@ -444,22 +468,22 @@ files_read_etc_runtime_files(ricci_modstorage_t)
|
||||
@@ -444,22 +470,22 @@ files_read_etc_runtime_files(ricci_modstorage_t)
|
||||
files_read_usr_files(ricci_modstorage_t)
|
||||
files_read_kernel_modules(ricci_modstorage_t)
|
||||
|
||||
@ -52665,7 +52640,7 @@ index 33e72e8..28d2775 100644
|
||||
optional_policy(`
|
||||
aisexec_stream_connect(ricci_modstorage_t)
|
||||
corosync_stream_connect(ricci_modstorage_t)
|
||||
@@ -471,12 +495,24 @@ optional_policy(`
|
||||
@@ -471,12 +497,24 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -53831,7 +53806,7 @@ index 82cb169..87d1eec 100644
|
||||
+ samba_systemctl($1)
|
||||
')
|
||||
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
|
||||
index e30bb63..fed972d 100644
|
||||
index e30bb63..49941ec 100644
|
||||
--- a/policy/modules/services/samba.te
|
||||
+++ b/policy/modules/services/samba.te
|
||||
@@ -85,6 +85,9 @@ files_config_file(samba_etc_t)
|
||||
@ -53983,18 +53958,19 @@ index e30bb63..fed972d 100644
|
||||
########################################
|
||||
#
|
||||
# nmbd Local policy
|
||||
@@ -484,8 +487,9 @@ allow nmbd_t self:udp_socket create_socket_perms;
|
||||
@@ -484,8 +487,10 @@ allow nmbd_t self:udp_socket create_socket_perms;
|
||||
allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
|
||||
+manage_dirs_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
|
||||
manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
|
||||
-files_pid_filetrans(nmbd_t, nmbd_var_run_t, file)
|
||||
+files_pid_filetrans(nmbd_t, nmbd_var_run_t, { dir file })
|
||||
+manage_sock_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
|
||||
+files_pid_filetrans(nmbd_t, nmbd_var_run_t, { dir file sock_file })
|
||||
|
||||
read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
|
||||
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
|
||||
@@ -560,13 +564,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms;
|
||||
@@ -560,13 +565,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms;
|
||||
allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
allow smbcontrol_t nmbd_t:process { signal signull };
|
||||
@ -54012,7 +53988,7 @@ index e30bb63..fed972d 100644
|
||||
samba_read_config(smbcontrol_t)
|
||||
samba_rw_var_files(smbcontrol_t)
|
||||
samba_search_var(smbcontrol_t)
|
||||
@@ -574,11 +578,19 @@ samba_read_winbind_pid(smbcontrol_t)
|
||||
@@ -574,11 +579,19 @@ samba_read_winbind_pid(smbcontrol_t)
|
||||
|
||||
domain_use_interactive_fds(smbcontrol_t)
|
||||
|
||||
@ -54033,7 +54009,7 @@ index e30bb63..fed972d 100644
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -644,19 +656,21 @@ auth_use_nsswitch(smbmount_t)
|
||||
@@ -644,19 +657,21 @@ auth_use_nsswitch(smbmount_t)
|
||||
|
||||
miscfiles_read_localization(smbmount_t)
|
||||
|
||||
@ -54058,7 +54034,7 @@ index e30bb63..fed972d 100644
|
||||
########################################
|
||||
#
|
||||
# SWAT Local policy
|
||||
@@ -677,7 +691,7 @@ samba_domtrans_nmbd(swat_t)
|
||||
@@ -677,7 +692,7 @@ samba_domtrans_nmbd(swat_t)
|
||||
allow swat_t nmbd_t:process { signal signull };
|
||||
allow nmbd_t swat_t:process signal;
|
||||
|
||||
@ -54067,7 +54043,7 @@ index e30bb63..fed972d 100644
|
||||
|
||||
allow swat_t smbd_port_t:tcp_socket name_bind;
|
||||
|
||||
@@ -692,12 +706,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
|
||||
@@ -692,12 +707,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
|
||||
manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
|
||||
|
||||
manage_files_pattern(swat_t, samba_var_t, samba_var_t)
|
||||
@ -54082,7 +54058,7 @@ index e30bb63..fed972d 100644
|
||||
|
||||
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
|
||||
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
|
||||
@@ -710,6 +726,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
|
||||
@@ -710,6 +727,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
|
||||
domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
|
||||
allow swat_t winbind_t:process { signal signull };
|
||||
|
||||
@ -54090,7 +54066,7 @@ index e30bb63..fed972d 100644
|
||||
allow swat_t winbind_var_run_t:dir { write add_name remove_name };
|
||||
allow swat_t winbind_var_run_t:sock_file { create unlink };
|
||||
|
||||
@@ -754,6 +771,8 @@ logging_search_logs(swat_t)
|
||||
@@ -754,6 +772,8 @@ logging_search_logs(swat_t)
|
||||
|
||||
miscfiles_read_localization(swat_t)
|
||||
|
||||
@ -54099,7 +54075,7 @@ index e30bb63..fed972d 100644
|
||||
optional_policy(`
|
||||
cups_read_rw_config(swat_t)
|
||||
cups_stream_connect(swat_t)
|
||||
@@ -806,15 +825,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
|
||||
@@ -806,15 +826,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
|
||||
allow winbind_t winbind_log_t:file manage_file_perms;
|
||||
logging_log_filetrans(winbind_t, winbind_log_t, file)
|
||||
|
||||
@ -54121,7 +54097,7 @@ index e30bb63..fed972d 100644
|
||||
kernel_read_kernel_sysctls(winbind_t)
|
||||
kernel_read_system_state(winbind_t)
|
||||
|
||||
@@ -833,6 +853,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
|
||||
@@ -833,6 +854,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
|
||||
corenet_tcp_bind_generic_node(winbind_t)
|
||||
corenet_udp_bind_generic_node(winbind_t)
|
||||
corenet_tcp_connect_smbd_port(winbind_t)
|
||||
@ -54129,7 +54105,7 @@ index e30bb63..fed972d 100644
|
||||
corenet_tcp_connect_epmap_port(winbind_t)
|
||||
corenet_tcp_connect_all_unreserved_ports(winbind_t)
|
||||
|
||||
@@ -863,6 +884,12 @@ userdom_manage_user_home_content_pipes(winbind_t)
|
||||
@@ -863,6 +885,12 @@ userdom_manage_user_home_content_pipes(winbind_t)
|
||||
userdom_manage_user_home_content_sockets(winbind_t)
|
||||
userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
|
||||
|
||||
@ -54142,7 +54118,7 @@ index e30bb63..fed972d 100644
|
||||
optional_policy(`
|
||||
kerberos_use(winbind_t)
|
||||
')
|
||||
@@ -904,7 +931,7 @@ logging_send_syslog_msg(winbind_helper_t)
|
||||
@@ -904,7 +932,7 @@ logging_send_syslog_msg(winbind_helper_t)
|
||||
|
||||
miscfiles_read_localization(winbind_helper_t)
|
||||
|
||||
@ -54151,7 +54127,7 @@ index e30bb63..fed972d 100644
|
||||
|
||||
optional_policy(`
|
||||
apache_append_log(winbind_helper_t)
|
||||
@@ -922,6 +949,18 @@ optional_policy(`
|
||||
@@ -922,6 +950,18 @@ optional_policy(`
|
||||
#
|
||||
|
||||
optional_policy(`
|
||||
@ -54170,7 +54146,7 @@ index e30bb63..fed972d 100644
|
||||
type samba_unconfined_script_t;
|
||||
type samba_unconfined_script_exec_t;
|
||||
domain_type(samba_unconfined_script_t)
|
||||
@@ -932,9 +971,12 @@ optional_policy(`
|
||||
@@ -932,9 +972,12 @@ optional_policy(`
|
||||
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
|
||||
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
|
||||
|
||||
@ -67047,7 +67023,7 @@ index 560dc48..6673319 100644
|
||||
+/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
+/opt/google/talkplugin/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
|
||||
index 808ba93..ed84884 100644
|
||||
index 808ba93..8f5a243 100644
|
||||
--- a/policy/modules/system/libraries.if
|
||||
+++ b/policy/modules/system/libraries.if
|
||||
@@ -207,6 +207,23 @@ interface(`libs_search_lib',`
|
||||
@ -67130,6 +67106,29 @@ index 808ba93..ed84884 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -534,3 +533,22 @@ interface(`lib_filetrans_shared_lib',`
|
||||
interface(`files_lib_filetrans_shared_lib',`
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Transition to lib named content
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`lib_filetrans_named_content',`
|
||||
+ gen_require(`
|
||||
+ type ld_so_cache_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache")
|
||||
+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload")
|
||||
+')
|
||||
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
|
||||
index e5836d3..eae9427 100644
|
||||
--- a/policy/modules/system/libraries.te
|
||||
@ -71332,10 +71331,10 @@ index 0000000..46a3ec0
|
||||
+
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
new file mode 100644
|
||||
index 0000000..ff4814a
|
||||
index 0000000..3790267
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -0,0 +1,369 @@
|
||||
@@ -0,0 +1,370 @@
|
||||
+policy_module(systemd, 1.0.0)
|
||||
+
|
||||
+#######################################
|
||||
@ -71471,6 +71470,7 @@ index 0000000..ff4814a
|
||||
+optional_policy(`
|
||||
+ # we label /run/user/$USER/dconf as config_home_t
|
||||
+ gnome_manage_home_config_dirs(systemd_logind_t)
|
||||
+ gnome_manage_home_config(systemd_logind_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
|
||||
@ -17,7 +17,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.10.0
|
||||
Release: 36.1%{?dist}
|
||||
Release: 37%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -25,6 +25,10 @@ patch: policy-F16.patch
|
||||
patch1: unconfined_permissive.patch
|
||||
patch2: passwd.patch
|
||||
patch3: thumb.patch
|
||||
patch4: execmem.patch
|
||||
patch5: userdomain.patch
|
||||
patch6: apache.patch
|
||||
patch7: ptrace.patch
|
||||
Source1: modules-targeted.conf
|
||||
Source2: booleans-targeted.conf
|
||||
Source3: Makefile.devel
|
||||
@ -241,6 +245,10 @@ Based off of reference policy: Checked out revision 2.20091117
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1 -b .execmem
|
||||
%patch5 -p1 -b .userdomain
|
||||
%patch6 -p1 -b .apache
|
||||
#%patch7 -p1 -b .ptrace
|
||||
|
||||
%install
|
||||
mkdir selinux_config
|
||||
@ -472,6 +480,15 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Oct 5 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-37
|
||||
- Allow nmbd to manage sock file in /var/run/nmbd
|
||||
- ricci_modservice send syslog msgs
|
||||
- Stop transitioning from unconfined_t to ldconfig_t, but make sure /etc/ld.so.cache is labeled correctly
|
||||
- Allow systemd_logind_t to manage /run/USER/dconf/user
|
||||
|
||||
* Tue Oct 3 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-36.2
|
||||
- Make allow_ptrace remove all ptrace
|
||||
|
||||
* Tue Oct 3 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-36.1
|
||||
- Fix missing patch from F16
|
||||
|
||||
|
||||
15
thumb.patch
15
thumb.patch
@ -14,18 +14,3 @@ index 1105ff5..620e17b 100644
|
||||
optional_policy(`
|
||||
setroubleshoot_dbus_chat(unconfined_usertype)
|
||||
setroubleshoot_dbus_chat_fixit(unconfined_t)
|
||||
diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te
|
||||
index 73e7983..fc5b449 100644
|
||||
--- a/policy/modules/apps/thumb.te
|
||||
+++ b/policy/modules/apps/thumb.te
|
||||
@@ -86,10 +86,6 @@ userdom_write_user_tmp_files(thumb_t)
|
||||
|
||||
userdom_use_inherited_user_ptys(thumb_t)
|
||||
|
||||
-optional_policy(`
|
||||
- dbus_dontaudit_session_bus_connect(thumb_t)
|
||||
-')
|
||||
-
|
||||
# optional_policy(`
|
||||
# gnome_read_gconf_home_files(thumb_t)
|
||||
# gnome_read_gstreamer_home_content(thumb_t)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user