- Change unconfined_t to transition to unconfined_mono_t when running mono
- Change XXX_mono_t to transition to XXX_t when executing bin_t files, so
gnome-do will work
This commit is contained in:
Daniel J Walsh
parent
2d8ff5157a
commit
86881dd93f
|
|
@ -793,7 +793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xg
|
|||
+system_r:xdm_t xguest_r:xguest_t
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 serefpolicy-3.3.1/man/man8/ftpd_selinux.8
|
||||
--- nsaserefpolicy/man/man8/ftpd_selinux.8 2007-10-12 08:56:10.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/man/man8/ftpd_selinux.8 2008-04-28 08:39:05.840182000 -0400
|
||||
+++ serefpolicy-3.3.1/man/man8/ftpd_selinux.8 2008-04-28 08:39:05.000000000 -0400
|
||||
@@ -35,10 +35,6 @@
|
||||
directorories, you need to set the ftp_home_dir boolean.
|
||||
.TP
|
||||
|
|
@ -3239,7 +3239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc
|
|||
/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.3.1/policy/modules/apps/gnome.if
|
||||
--- nsaserefpolicy/policy/modules/apps/gnome.if 2007-07-23 10:20:12.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/apps/gnome.if 2008-04-21 11:02:48.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/apps/gnome.if 2008-04-29 09:37:23.004992000 -0400
|
||||
@@ -33,9 +33,60 @@
|
||||
## </param>
|
||||
#
|
||||
|
|
@ -4522,8 +4522,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys
|
|||
+userdom_dontaudit_list_sysadm_home_dirs(loadkeys_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.3.1/policy/modules/apps/mono.if
|
||||
--- nsaserefpolicy/policy/modules/apps/mono.if 2007-01-02 12:57:22.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/apps/mono.if 2008-04-21 11:02:48.000000000 -0400
|
||||
@@ -18,3 +18,101 @@
|
||||
+++ serefpolicy-3.3.1/policy/modules/apps/mono.if 2008-04-29 11:57:14.653875000 -0400
|
||||
@@ -18,3 +18,102 @@
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, mono_exec_t, mono_t)
|
||||
')
|
||||
|
|
@ -4624,6 +4624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if
|
|||
+ domtrans_pattern($2, mono_exec_t, $1_mono_t)
|
||||
+
|
||||
+ fs_dontaudit_rw_tmpfs_files($1_mono_t)
|
||||
+ corecmd_bin_domtrans($1_mono_t, $1_t)
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.3.1/policy/modules/apps/mono.te
|
||||
--- nsaserefpolicy/policy/modules/apps/mono.te 2007-12-19 05:32:09.000000000 -0500
|
||||
|
|
@ -7480,7 +7481,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
|
|||
type lvm_control_t;
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.3.1/policy/modules/kernel/domain.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/domain.if 2007-11-29 13:29:34.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/domain.if 2008-04-28 09:14:07.261479000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/domain.if 2008-04-28 09:14:07.000000000 -0400
|
||||
@@ -1242,18 +1242,34 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
|
|
@ -7917,7 +7918,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
|
|||
#
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.3.1/policy/modules/kernel/filesystem.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-10-24 15:00:24.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.if 2008-04-28 17:00:20.022613000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.if 2008-04-28 17:00:20.000000000 -0400
|
||||
@@ -310,6 +310,25 @@
|
||||
|
||||
########################################
|
||||
|
|
@ -8616,7 +8617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu
|
|||
neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.3.1/policy/modules/kernel/storage.fc
|
||||
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2007-10-29 18:02:31.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/storage.fc 2008-04-28 15:02:52.901366000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/storage.fc 2008-04-28 15:02:52.000000000 -0400
|
||||
@@ -13,6 +13,7 @@
|
||||
/dev/cm20.* -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
|
|
@ -8635,7 +8636,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
|
|||
/dev/ataraid/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.3.1/policy/modules/kernel/storage.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/storage.if 2008-02-26 08:17:43.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/storage.if 2008-04-28 16:19:58.789387000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/storage.if 2008-04-28 16:19:58.000000000 -0400
|
||||
@@ -81,6 +81,26 @@
|
||||
|
||||
########################################
|
||||
|
|
@ -8665,7 +8666,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
|
|||
## SELinux protections for filesystem objects, and
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.3.1/policy/modules/kernel/terminal.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2007-09-12 10:34:17.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/terminal.if 2008-04-28 15:49:59.242976000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/terminal.if 2008-04-28 15:49:59.000000000 -0400
|
||||
@@ -525,11 +525,13 @@
|
||||
interface(`term_use_generic_ptys',`
|
||||
gen_require(`
|
||||
|
|
@ -12506,7 +12507,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
|||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.3.1/policy/modules/services/cups.te
|
||||
--- nsaserefpolicy/policy/modules/services/cups.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/cups.te 2008-04-28 15:33:05.015286000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/cups.te 2008-04-28 15:33:05.000000000 -0400
|
||||
@@ -43,14 +43,13 @@
|
||||
|
||||
type cupsd_var_run_t;
|
||||
|
|
@ -13211,7 +13212,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
|||
/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.3.1/policy/modules/services/dbus.if
|
||||
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/dbus.if 2008-04-21 12:08:05.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/dbus.if 2008-04-29 10:45:04.731105000 -0400
|
||||
@@ -53,6 +53,7 @@
|
||||
gen_require(`
|
||||
type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
|
||||
|
|
@ -13478,7 +13479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
|||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.3.1/policy/modules/services/dbus.te
|
||||
--- nsaserefpolicy/policy/modules/services/dbus.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/dbus.te 2008-04-28 17:24:06.516754000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/dbus.te 2008-04-28 17:24:06.000000000 -0400
|
||||
@@ -9,9 +9,10 @@
|
||||
#
|
||||
# Delcarations
|
||||
|
|
@ -15489,7 +15490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom
|
|||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.3.1/policy/modules/services/gnomeclock.te
|
||||
--- nsaserefpolicy/policy/modules/services/gnomeclock.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/gnomeclock.te 2008-04-28 10:32:02.385047000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/gnomeclock.te 2008-04-28 10:32:02.000000000 -0400
|
||||
@@ -0,0 +1,55 @@
|
||||
+policy_module(gnomeclock,1.0.0)
|
||||
+########################################
|
||||
|
|
@ -17421,7 +17422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
|
|||
+/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_script_exec_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.3.1/policy/modules/services/mysql.if
|
||||
--- nsaserefpolicy/policy/modules/services/mysql.if 2007-01-02 12:57:43.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/mysql.if 2008-04-28 14:00:53.714473000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/mysql.if 2008-04-28 14:00:53.000000000 -0400
|
||||
@@ -32,9 +32,11 @@
|
||||
interface(`mysql_stream_connect',`
|
||||
gen_require(`
|
||||
|
|
@ -17786,7 +17787,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
|
|||
#
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.3.1/policy/modules/services/networkmanager.fc
|
||||
--- nsaserefpolicy/policy/modules/services/networkmanager.fc 2007-09-12 10:34:18.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.fc 2008-04-28 17:01:05.578193000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.fc 2008-04-28 17:01:05.000000000 -0400
|
||||
@@ -1,7 +1,11 @@
|
||||
/usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
|
||||
/usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
|
||||
|
|
@ -17801,7 +17802,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
|
|||
+/etc/NetworkManager/dispatcher.d(/.*) gen_context(system_u:object_r:NetworkManager_script_exec_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.3.1/policy/modules/services/networkmanager.if
|
||||
--- nsaserefpolicy/policy/modules/services/networkmanager.if 2007-06-12 10:15:45.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.if 2008-04-28 17:23:33.835317000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.if 2008-04-28 17:23:33.000000000 -0400
|
||||
@@ -97,3 +97,40 @@
|
||||
allow $1 NetworkManager_t:dbus send_msg;
|
||||
allow NetworkManager_t $1:dbus send_msg;
|
||||
|
|
@ -17845,7 +17846,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
|
|||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.3.1/policy/modules/services/networkmanager.te
|
||||
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.te 2008-04-28 17:20:44.106667000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.te 2008-04-28 17:20:44.000000000 -0400
|
||||
@@ -13,6 +13,13 @@
|
||||
type NetworkManager_var_run_t;
|
||||
files_pid_file(NetworkManager_var_run_t)
|
||||
|
|
@ -18872,7 +18873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega
|
|||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.3.1/policy/modules/services/polkit.fc
|
||||
--- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/polkit.fc 2008-04-28 15:14:56.271771000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/polkit.fc 2008-04-28 15:14:56.000000000 -0400
|
||||
@@ -0,0 +1,9 @@
|
||||
+
|
||||
+/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0)
|
||||
|
|
@ -18885,7 +18886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
|
|||
+/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.3.1/policy/modules/services/polkit.if
|
||||
--- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/polkit.if 2008-04-28 15:56:30.712486000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/polkit.if 2008-04-28 15:56:30.000000000 -0400
|
||||
@@ -0,0 +1,208 @@
|
||||
+
|
||||
+## <summary>policy for polkit_auth</summary>
|
||||
|
|
@ -19097,7 +19098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
|
|||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.3.1/policy/modules/services/polkit.te
|
||||
--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/polkit.te 2008-04-28 16:10:18.292199000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/polkit.te 2008-04-28 16:10:18.000000000 -0400
|
||||
@@ -0,0 +1,190 @@
|
||||
+policy_module(polkit_auth,1.0.0)
|
||||
+
|
||||
|
|
@ -21410,7 +21411,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
|
|||
## <param name="domain">
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.3.1/policy/modules/services/rpc.te
|
||||
--- nsaserefpolicy/policy/modules/services/rpc.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/rpc.te 2008-04-28 16:23:06.250792000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/rpc.te 2008-04-28 16:23:06.000000000 -0400
|
||||
@@ -23,7 +23,7 @@
|
||||
gen_tunable(allow_nfsd_anon_write,false)
|
||||
|
||||
|
|
@ -22999,7 +23000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
|
|||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.3.1/policy/modules/services/setroubleshoot.te
|
||||
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/setroubleshoot.te 2008-04-28 15:21:41.039805000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/setroubleshoot.te 2008-04-28 15:21:41.000000000 -0400
|
||||
@@ -22,13 +22,16 @@
|
||||
type setroubleshoot_var_run_t;
|
||||
files_pid_file(setroubleshoot_var_run_t)
|
||||
|
|
@ -25255,7 +25256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-04-25 13:53:23.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-04-29 09:37:38.934561000 -0400
|
||||
@@ -12,9 +12,15 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
|
|
@ -26631,7 +26632,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-04-23 10:06:49.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-04-29 11:09:45.700467000 -0400
|
||||
@@ -8,6 +8,14 @@
|
||||
|
||||
## <desc>
|
||||
|
|
@ -26820,7 +26821,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
|
||||
# Allow gdm to run gdm-binary
|
||||
can_exec(xdm_t, xdm_exec_t)
|
||||
@@ -131,15 +239,22 @@
|
||||
@@ -124,6 +232,8 @@
|
||||
manage_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
|
||||
manage_sock_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
|
||||
files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
|
||||
+relabelfrom_dirs_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
|
||||
+relabelfrom_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
|
||||
|
||||
manage_dirs_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
|
||||
manage_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
|
||||
@@ -131,15 +241,22 @@
|
||||
manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
|
||||
manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
|
||||
fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
|
@ -26845,7 +26855,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
|
||||
allow xdm_t xdm_xserver_t:process signal;
|
||||
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
|
||||
@@ -153,6 +268,7 @@
|
||||
@@ -153,6 +270,7 @@
|
||||
allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
|
||||
|
||||
allow xdm_t xdm_xserver_t:shm rw_shm_perms;
|
||||
|
|
@ -26853,7 +26863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
|
||||
# connect to xdm xserver over stream socket
|
||||
stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
|
||||
@@ -173,6 +289,8 @@
|
||||
@@ -173,6 +291,8 @@
|
||||
|
||||
corecmd_exec_shell(xdm_t)
|
||||
corecmd_exec_bin(xdm_t)
|
||||
|
|
@ -26862,7 +26872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
|
||||
corenet_all_recvfrom_unlabeled(xdm_t)
|
||||
corenet_all_recvfrom_netlabel(xdm_t)
|
||||
@@ -184,6 +302,7 @@
|
||||
@@ -184,6 +304,7 @@
|
||||
corenet_udp_sendrecv_all_ports(xdm_t)
|
||||
corenet_tcp_bind_all_nodes(xdm_t)
|
||||
corenet_udp_bind_all_nodes(xdm_t)
|
||||
|
|
@ -26870,7 +26880,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
corenet_tcp_connect_all_ports(xdm_t)
|
||||
corenet_sendrecv_all_client_packets(xdm_t)
|
||||
# xdm tries to bind to biff_port_t
|
||||
@@ -196,6 +315,7 @@
|
||||
@@ -196,6 +317,7 @@
|
||||
dev_getattr_mouse_dev(xdm_t)
|
||||
dev_setattr_mouse_dev(xdm_t)
|
||||
dev_rw_apm_bios(xdm_t)
|
||||
|
|
@ -26878,7 +26888,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
dev_setattr_apm_bios_dev(xdm_t)
|
||||
dev_rw_dri(xdm_t)
|
||||
dev_rw_agp(xdm_t)
|
||||
@@ -208,14 +328,15 @@
|
||||
@@ -208,14 +330,15 @@
|
||||
dev_setattr_video_dev(xdm_t)
|
||||
dev_getattr_scanner_dev(xdm_t)
|
||||
dev_setattr_scanner_dev(xdm_t)
|
||||
|
|
@ -26896,7 +26906,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
|
||||
files_read_etc_files(xdm_t)
|
||||
files_read_var_files(xdm_t)
|
||||
@@ -226,9 +347,13 @@
|
||||
@@ -226,9 +349,13 @@
|
||||
files_read_usr_files(xdm_t)
|
||||
# Poweroff wants to create the /poweroff file when run from xdm
|
||||
files_create_boot_flag(xdm_t)
|
||||
|
|
@ -26910,7 +26920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
|
||||
storage_dontaudit_read_fixed_disk(xdm_t)
|
||||
storage_dontaudit_write_fixed_disk(xdm_t)
|
||||
@@ -237,6 +362,7 @@
|
||||
@@ -237,6 +364,7 @@
|
||||
storage_dontaudit_raw_write_removable_device(xdm_t)
|
||||
storage_dontaudit_setattr_removable_dev(xdm_t)
|
||||
storage_dontaudit_rw_scsi_generic(xdm_t)
|
||||
|
|
@ -26918,7 +26928,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
|
||||
term_setattr_console(xdm_t)
|
||||
term_use_unallocated_ttys(xdm_t)
|
||||
@@ -245,6 +371,7 @@
|
||||
@@ -245,6 +373,7 @@
|
||||
auth_domtrans_pam_console(xdm_t)
|
||||
auth_manage_pam_pid(xdm_t)
|
||||
auth_manage_pam_console_data(xdm_t)
|
||||
|
|
@ -26926,7 +26936,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
auth_rw_faillog(xdm_t)
|
||||
auth_write_login_records(xdm_t)
|
||||
|
||||
@@ -256,22 +383,29 @@
|
||||
@@ -256,22 +385,29 @@
|
||||
libs_exec_lib_files(xdm_t)
|
||||
|
||||
logging_read_generic_logs(xdm_t)
|
||||
|
|
@ -26959,7 +26969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs(xdm_t)
|
||||
@@ -297,14 +431,20 @@
|
||||
@@ -297,14 +433,20 @@
|
||||
# xserver_rw_session_template(xdm,unpriv_userdomain)
|
||||
# dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write };
|
||||
# allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms;
|
||||
|
|
@ -26981,7 +26991,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -312,6 +452,23 @@
|
||||
@@ -312,6 +454,23 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -27005,7 +27015,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
# Talk to the console mouse server.
|
||||
gpm_stream_connect(xdm_t)
|
||||
gpm_setattr_gpmctl(xdm_t)
|
||||
@@ -322,6 +479,10 @@
|
||||
@@ -322,6 +481,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -27016,7 +27026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
loadkeys_exec(xdm_t)
|
||||
')
|
||||
|
||||
@@ -335,6 +496,11 @@
|
||||
@@ -335,6 +498,11 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -27028,7 +27038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
seutil_sigchld_newrole(xdm_t)
|
||||
')
|
||||
|
||||
@@ -343,8 +509,8 @@
|
||||
@@ -343,8 +511,8 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -27038,7 +27048,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
|
||||
ifndef(`distro_redhat',`
|
||||
allow xdm_t self:process { execheap execmem };
|
||||
@@ -380,7 +546,7 @@
|
||||
@@ -380,7 +548,7 @@
|
||||
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
|
||||
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
|
||||
|
||||
|
|
@ -27047,7 +27057,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
|
||||
# Label pid and temporary files with derived types.
|
||||
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
|
||||
@@ -392,6 +558,15 @@
|
||||
@@ -392,6 +560,15 @@
|
||||
can_exec(xdm_xserver_t, xkb_var_lib_t)
|
||||
files_search_var_lib(xdm_xserver_t)
|
||||
|
||||
|
|
@ -27063,7 +27073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
# VNC v4 module in X server
|
||||
corenet_tcp_bind_vnc_port(xdm_xserver_t)
|
||||
|
||||
@@ -404,9 +579,18 @@
|
||||
@@ -404,9 +581,18 @@
|
||||
# to read ROLE_home_t - examine this in more detail
|
||||
# (xauth?)
|
||||
userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
|
||||
|
|
@ -27082,7 +27092,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs(xdm_xserver_t)
|
||||
fs_manage_nfs_files(xdm_xserver_t)
|
||||
@@ -420,6 +604,22 @@
|
||||
@@ -420,6 +606,22 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -27105,7 +27115,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
resmgr_stream_connect(xdm_t)
|
||||
')
|
||||
|
||||
@@ -429,47 +629,138 @@
|
||||
@@ -429,47 +631,138 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -27506,7 +27516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.3.1/policy/modules/system/authlogin.if
|
||||
--- nsaserefpolicy/policy/modules/system/authlogin.if 2008-02-01 09:12:53.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/authlogin.if 2008-04-28 09:15:47.070186000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/authlogin.if 2008-04-29 10:58:08.742336000 -0400
|
||||
@@ -99,7 +99,7 @@
|
||||
template(`authlogin_per_role_template',`
|
||||
|
||||
|
|
@ -27553,7 +27563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||
# for SSP/ProPolice
|
||||
dev_read_urand($1)
|
||||
# for fingerprint readers
|
||||
@@ -226,8 +243,38 @@
|
||||
@@ -226,8 +243,40 @@
|
||||
seutil_read_config($1)
|
||||
seutil_read_default_contexts($1)
|
||||
|
||||
|
|
@ -27589,10 +27599,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||
files_polyinstantiate_all($1)
|
||||
+ userdom_manage_user_home_content_dirs(user, $1)
|
||||
+ userdom_manage_user_home_content_files(user, $1)
|
||||
+ userdom_relabel_all_home_dirs($1)
|
||||
+ userdom_relabel_all_home_files($1)
|
||||
')
|
||||
')
|
||||
|
||||
@@ -342,6 +389,8 @@
|
||||
@@ -342,6 +391,8 @@
|
||||
|
||||
optional_policy(`
|
||||
kerberos_use($1)
|
||||
|
|
@ -27601,7 +27613,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -356,6 +405,28 @@
|
||||
@@ -356,6 +407,28 @@
|
||||
optional_policy(`
|
||||
samba_stream_connect_winbind($1)
|
||||
')
|
||||
|
|
@ -27630,7 +27642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -369,12 +440,12 @@
|
||||
@@ -369,12 +442,12 @@
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
|
|
@ -27645,7 +27657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@@ -386,6 +457,7 @@
|
||||
@@ -386,6 +459,7 @@
|
||||
auth_domtrans_chk_passwd($1)
|
||||
role $2 types system_chkpwd_t;
|
||||
allow system_chkpwd_t $3:chr_file rw_file_perms;
|
||||
|
|
@ -27653,7 +27665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1457,6 +1529,7 @@
|
||||
@@ -1457,6 +1531,7 @@
|
||||
optional_policy(`
|
||||
samba_stream_connect_winbind($1)
|
||||
samba_read_var_files($1)
|
||||
|
|
@ -27661,7 +27673,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||
')
|
||||
')
|
||||
|
||||
@@ -1491,3 +1564,59 @@
|
||||
@@ -1491,3 +1566,59 @@
|
||||
typeattribute $1 can_write_shadow_passwords;
|
||||
typeattribute $1 can_relabelto_shadow_passwords;
|
||||
')
|
||||
|
|
@ -27915,7 +27927,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
|
|||
-
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.3.1/policy/modules/system/init.if
|
||||
--- nsaserefpolicy/policy/modules/system/init.if 2007-10-29 18:02:31.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/init.if 2008-04-28 09:15:35.654776000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/init.if 2008-04-28 09:15:35.000000000 -0400
|
||||
@@ -211,6 +211,13 @@
|
||||
kernel_dontaudit_use_fds($1)
|
||||
')
|
||||
|
|
@ -28593,7 +28605,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
|
|||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.3.1/policy/modules/system/iscsi.te
|
||||
--- nsaserefpolicy/policy/modules/system/iscsi.te 2008-02-18 14:30:18.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/iscsi.te 2008-04-28 10:29:25.956857000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/iscsi.te 2008-04-28 10:29:25.000000000 -0400
|
||||
@@ -29,7 +29,7 @@
|
||||
#
|
||||
|
||||
|
|
@ -28838,7 +28850,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||
+/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.3.1/policy/modules/system/logging.if
|
||||
--- nsaserefpolicy/policy/modules/system/logging.if 2007-12-12 11:35:28.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/logging.if 2008-04-21 11:02:50.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/logging.if 2008-04-29 08:53:40.798973000 -0400
|
||||
@@ -213,12 +213,7 @@
|
||||
## </param>
|
||||
#
|
||||
|
|
@ -29304,7 +29316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc
|
|||
+/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.3.1/policy/modules/system/lvm.te
|
||||
--- nsaserefpolicy/policy/modules/system/lvm.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/lvm.te 2008-04-23 10:09:00.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/lvm.te 2008-04-29 08:38:10.482745000 -0400
|
||||
@@ -22,7 +22,7 @@
|
||||
role system_r types lvm_t;
|
||||
|
||||
|
|
@ -29615,7 +29627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
|
|||
## <param name="domain">
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.3.1/policy/modules/system/modutils.te
|
||||
--- nsaserefpolicy/policy/modules/system/modutils.te 2008-02-06 10:33:22.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/modutils.te 2008-04-21 11:02:50.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/modutils.te 2008-04-29 08:36:55.595920000 -0400
|
||||
@@ -22,6 +22,8 @@
|
||||
type insmod_exec_t;
|
||||
application_domain(insmod_t,insmod_exec_t)
|
||||
|
|
@ -30246,7 +30258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i
|
|||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.te serefpolicy-3.3.1/policy/modules/system/qemu.te
|
||||
--- nsaserefpolicy/policy/modules/system/qemu.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/qemu.te 2008-04-28 16:14:23.857051000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/qemu.te 2008-04-28 16:14:23.000000000 -0400
|
||||
@@ -0,0 +1,49 @@
|
||||
+policy_module(qemu,1.0.0)
|
||||
+
|
||||
|
|
@ -30299,7 +30311,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.t
|
|||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.3.1/policy/modules/system/raid.te
|
||||
--- nsaserefpolicy/policy/modules/system/raid.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/raid.te 2008-04-21 11:02:50.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/raid.te 2008-04-29 08:35:21.523317000 -0400
|
||||
@@ -19,7 +19,7 @@
|
||||
# Local policy
|
||||
#
|
||||
|
|
@ -30623,7 +30635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
|||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.3.1/policy/modules/system/selinuxutil.te
|
||||
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2008-02-06 10:33:22.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.te 2008-04-28 10:24:53.045591000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.te 2008-04-28 10:24:53.000000000 -0400
|
||||
@@ -75,7 +75,6 @@
|
||||
type restorecond_exec_t;
|
||||
init_daemon_domain(restorecond_t,restorecond_exec_t)
|
||||
|
|
@ -31165,7 +31177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
|
|||
xen_append_log(ifconfig_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.3.1/policy/modules/system/udev.if
|
||||
--- nsaserefpolicy/policy/modules/system/udev.if 2007-01-02 12:57:49.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/udev.if 2008-04-28 10:54:03.940707000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/udev.if 2008-04-29 08:34:43.098742000 -0400
|
||||
@@ -96,6 +96,24 @@
|
||||
|
||||
########################################
|
||||
|
|
@ -31191,7 +31203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i
|
|||
## Allow process to read list of devices.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -106,11 +124,11 @@
|
||||
@@ -106,11 +124,13 @@
|
||||
#
|
||||
interface(`udev_read_db',`
|
||||
gen_require(`
|
||||
|
|
@ -31201,11 +31213,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i
|
|||
|
||||
dev_list_all_dev_nodes($1)
|
||||
- allow $1 udev_tdb_t:file read_file_perms;
|
||||
+ allow $1 udev_tbl_t:dir list_dir_perms;
|
||||
+ read_files_pattern($1, udev_tbl_t, udev_tbl_t)
|
||||
+ read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -125,9 +143,9 @@
|
||||
@@ -125,9 +145,9 @@
|
||||
#
|
||||
interface(`udev_rw_db',`
|
||||
gen_require(`
|
||||
|
|
@ -31646,7 +31660,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.3.1/policy/modules/system/unconfined.te
|
||||
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-02-13 16:26:06.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-04-25 14:52:17.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-04-29 12:04:03.912060000 -0400
|
||||
@@ -6,35 +6,74 @@
|
||||
# Declarations
|
||||
#
|
||||
|
|
@ -31819,26 +31833,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -134,82 +188,97 @@
|
||||
@@ -134,14 +188,6 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- mono_domtrans(unconfined_t)
|
||||
+ oddjob_domtrans_mkhomedir(unconfined_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
-')
|
||||
-
|
||||
-optional_policy(`
|
||||
- mta_per_role_template(unconfined, unconfined_t, unconfined_r)
|
||||
+ prelink_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
-')
|
||||
-
|
||||
-optional_policy(`
|
||||
oddjob_domtrans_mkhomedir(unconfined_t)
|
||||
')
|
||||
|
||||
@@ -154,38 +200,46 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- oddjob_domtrans_mkhomedir(unconfined_t)
|
||||
+ portmap_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- prelink_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
- postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
- # cjp: this should probably be removed:
|
||||
- postfix_domtrans_master(unconfined_t)
|
||||
-')
|
||||
-
|
||||
-
|
||||
-optional_policy(`
|
||||
- pyzor_per_role_template(unconfined)
|
||||
+ tunable_policy(`allow_unconfined_qemu_transition', `
|
||||
+ qemu_runas(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
+ ', `
|
||||
|
|
@ -31849,7 +31870,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
- portmap_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
- # cjp: this should probably be removed:
|
||||
- rpc_domtrans_nfsd(unconfined_t)
|
||||
+ rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
+ # Allow SELinux aware applications to request rpm_script execution
|
||||
+ rpm_transition_script(unconfined_t)
|
||||
|
|
@ -31857,9 +31879,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
- postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
- # cjp: this should probably be removed:
|
||||
- postfix_domtrans_master(unconfined_t)
|
||||
- rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
+ cron_per_role_template(unconfined, unconfined_t, unconfined_r)
|
||||
+ # this is disallowed usage:
|
||||
+ unconfined_domain(unconfined_crond_t)
|
||||
|
|
@ -31868,81 +31888,66 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||
+ rpm_transition_script(unconfined_crond_t)
|
||||
')
|
||||
|
||||
-
|
||||
optional_policy(`
|
||||
- pyzor_per_role_template(unconfined)
|
||||
+ samba_per_role_template(unconfined)
|
||||
samba_per_role_template(unconfined)
|
||||
- samba_run_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
+ samba_run_unconfined_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
+ samba_run_winbind_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
samba_run_winbind_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
+ samba_run_smbcontrol(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- # cjp: this should probably be removed:
|
||||
- rpc_domtrans_nfsd(unconfined_t)
|
||||
- spamassassin_per_role_template(unconfined, unconfined_t, unconfined_r)
|
||||
+ sendmail_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
+ sysnet_run_dhcpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
+ sysnet_dbus_chat_dhcpc(unconfined_t)
|
||||
sysnet_run_dhcpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
sysnet_dbus_chat_dhcpc(unconfined_t)
|
||||
+ sysnet_role_transition_dhcpc(unconfined_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- samba_per_role_template(unconfined)
|
||||
- samba_run_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
- samba_run_winbind_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
+ tzdata_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- spamassassin_per_role_template(unconfined, unconfined_t, unconfined_r)
|
||||
+ vpn_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- sysnet_run_dhcpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
- sysnet_dbus_chat_dhcpc(unconfined_t)
|
||||
+ webalizer_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- tzdata_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
+ wine_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
@@ -193,23 +247,33 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- usermanage_run_admin_passwd(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
+ java_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
+ vpn_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- vpn_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
+ mono_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
+ webalizer_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- webalizer_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
+ mozilla_per_role_template(unconfined, unconfined_t, unconfined_r)
|
||||
+ unconfined_domain(unconfined_mozilla_t)
|
||||
+ allow unconfined_mozilla_t self:process { execstack execmem };
|
||||
+ wine_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- wine_domtrans(unconfined_t)
|
||||
+ kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
|
||||
+ java_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- xserver_domtrans_xdm_xserver(unconfined_t)
|
||||
+ mono_per_role_template(unconfined, unconfined_t, unconfined_r)
|
||||
+ unconfined_domain(unconfined_mono_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ xserver_run_xdm_xserver(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||
+ xserver_xdm_rw_shm(unconfined_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -219,14 +288,35 @@
|
||||
@@ -219,14 +283,35 @@
|
||||
|
||||
allow unconfined_execmem_t self:process { execstack execmem };
|
||||
unconfined_domain_noaudit(unconfined_execmem_t)
|
||||
|
|
@ -31998,7 +32003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 09:52:56.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-04-28 15:32:37.832254000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-04-29 10:58:27.618425000 -0400
|
||||
@@ -29,9 +29,14 @@
|
||||
')
|
||||
|
||||
|
|
@ -34596,7 +34601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||
## Send a dbus message to all user domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -5704,3 +6135,370 @@
|
||||
@@ -5704,3 +6135,408 @@
|
||||
interface(`userdom_unconfined',`
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
|
@ -34967,6 +34972,44 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||
+')
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Relabel to all user home directories.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`userdom_relabel_all_home_dirs',`
|
||||
+ gen_require(`
|
||||
+ type user_home_type;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_home($1)
|
||||
+ relabel_dirs_pattern($1, user_home_type, user_home_type)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Relabel to all user home files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`userdom_relabel_all_home_files',`
|
||||
+ gen_require(`
|
||||
+ type user_home_type;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_home($1)
|
||||
+ relabel_files_pattern($1, user_home_type, user_home_type)
|
||||
+')
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.3.1/policy/modules/system/userdomain.te
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/userdomain.te 2008-04-21 11:02:50.000000000 -0400
|
||||
|
|
@ -35294,7 +35337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.f
|
|||
+/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.if serefpolicy-3.3.1/policy/modules/system/virt.if
|
||||
--- nsaserefpolicy/policy/modules/system/virt.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/virt.if 2008-04-28 16:10:44.344207000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/virt.if 2008-04-28 16:10:44.000000000 -0400
|
||||
@@ -0,0 +1,324 @@
|
||||
+
|
||||
+## <summary>policy for virt</summary>
|
||||
|
|
@ -35622,7 +35665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i
|
|||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.3.1/policy/modules/system/virt.te
|
||||
--- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-04-28 16:24:22.547363000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-04-28 16:24:22.000000000 -0400
|
||||
@@ -0,0 +1,197 @@
|
||||
+
|
||||
+policy_module(virt,1.0.0)
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@
|
|||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.3.1
|
||||
Release: 43%{?dist}
|
||||
Release: 44%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
|
|
@ -385,6 +385,10 @@ exit 0
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Apr 28 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-44
|
||||
- Change unconfined_t to transition to unconfined_mono_t when running mono
|
||||
- Change XXX_mono_t to transition to XXX_t when executing bin_t files, so gnome-do will work
|
||||
|
||||
* Mon Apr 28 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-43
|
||||
- Remove old booleans from targeted-booleans.conf file
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue