patch from dan Wed, 20 Sep 2006 12:12:49 -0400
This commit is contained in:
Chris PeBenito
parent
a9e03b3752
commit
8708d9bef2
|
|
@ -69,6 +69,7 @@
|
|||
Thu, 31 Aug 2006
|
||||
Fri, 01 Sep 2006
|
||||
Tue, 05 Sep 2006
|
||||
Wed, 20 Sep 2006
|
||||
- Added modules:
|
||||
afs
|
||||
amavis (Erich Schubert)
|
||||
|
|
|
|||
|
|
@ -118,7 +118,6 @@ $1 == "inherits" {
|
|||
printf(" ") > outfile;
|
||||
printf("0x%08xUL\n", ind[i]) > outfile;
|
||||
}
|
||||
printf("\n") > outfile;
|
||||
for (i in ind) delete ind[i];
|
||||
for (i in inherited_perms) delete inherited_perms[i];
|
||||
|
||||
|
|
@ -214,8 +213,6 @@ $1 == "}" {
|
|||
printf("TE_(common_%s_perm_to_string)\n\n", common_name) > cpermfile;
|
||||
}
|
||||
|
||||
printf("\n") > outfile;
|
||||
|
||||
nextstate = "COMMON_OR_AV";
|
||||
}
|
||||
END {
|
||||
|
|
|
|||
|
|
@ -78,6 +78,9 @@ level s0:c0.c255;
|
|||
mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
|
||||
( h1 dom h2 );
|
||||
|
||||
mlsconstrain dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }
|
||||
(( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
|
||||
|
||||
# New filesystem object labels must be dominated by the relabeling subject
|
||||
# clearance, also the objects are single-level.
|
||||
mlsconstrain file { create relabelto }
|
||||
|
|
|
|||
|
|
@ -14,10 +14,13 @@
|
|||
/usr/lib(64)?/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
|
||||
/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
|
||||
|
||||
/var/lib/amanda -d gen_context(system_u:object_r:amanda_var_lib_t,s0)
|
||||
/var/lib/amanda/[^/]+(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
|
||||
/var/lib/amanda/[^/]*/log(/.*)? gen_context(system_u:object_r:amanda_log_t,s0)
|
||||
/var/lib/amanda/\.amandahosts -- gen_context(system_u:object_r:amanda_config_t,s0)
|
||||
/var/lib/amanda/disklist -- gen_context(system_u:object_r:amanda_data_t,s0)
|
||||
/var/lib/amanda/gnutar-lists(/.*)? gen_context(system_u:object_r:amanda_gnutarlists_t,s0)
|
||||
/var/lib/amanda/index gen_context(system_u:object_r:amanda_data_t,s0)
|
||||
# the null string in here because index is a m4 builtin function
|
||||
/var/lib/amanda/[^/]+/index`'(/.*)? gen_context(system_u:object_r:amanda_var_lib_t,s0)
|
||||
|
||||
/var/log/amanda(/.*)? gen_context(system_u:object_r:amanda_log_t,s0)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(amanda,1.3.6)
|
||||
policy_module(amanda,1.3.7)
|
||||
|
||||
#######################################
|
||||
#
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(logwatch,1.1.3)
|
||||
policy_module(logwatch,1.1.4)
|
||||
|
||||
#################################
|
||||
#
|
||||
|
|
@ -63,8 +63,10 @@ files_read_usr_files(logwatch_t)
|
|||
files_search_spool(logwatch_t)
|
||||
files_search_mnt(logwatch_t)
|
||||
files_dontaudit_search_home(logwatch_t)
|
||||
files_dontaudit_search_boot(logwatch_t)
|
||||
|
||||
fs_getattr_all_fs(logwatch_t)
|
||||
fs_dontaudit_list_auto_mountpoints(logwatch_t)
|
||||
|
||||
term_dontaudit_getattr_pty_dirs(logwatch_t)
|
||||
term_dontaudit_list_ptys(logwatch_t)
|
||||
|
|
|
|||
|
|
@ -10,11 +10,13 @@
|
|||
/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
|
||||
/usr/share/yumex/yumex -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
/usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(rpm,1.3.10)
|
||||
policy_module(rpm,1.3.11)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -178,6 +178,8 @@ ifdef(`distro_redhat',`
|
|||
|
||||
ifdef(`targeted_policy',`
|
||||
unconfined_domain(rpm_t)
|
||||
# yum-updatesd requires this
|
||||
unconfined_dbus_chat(rpm_t)
|
||||
',`
|
||||
# cjp: these are here to stop type_transition
|
||||
# conflicts since rpm_t is an alias of
|
||||
|
|
|
|||
|
|
@ -43,6 +43,7 @@ template(`su_restricted_domain_template', `
|
|||
|
||||
allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
|
||||
dontaudit $1_su_t self:capability sys_tty_config;
|
||||
allow $1_su_t self:key { search write };
|
||||
allow $1_su_t self:process { setexec setsched setrlimit };
|
||||
allow $1_su_t self:fifo_file rw_file_perms;
|
||||
allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
|
||||
|
|
@ -62,6 +63,7 @@ template(`su_restricted_domain_template', `
|
|||
|
||||
kernel_read_system_state($1_su_t)
|
||||
kernel_read_kernel_sysctls($1_su_t)
|
||||
kernel_search_key($1_su_t)
|
||||
|
||||
# for SSP
|
||||
dev_read_urand($1_su_t)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(su,1.3.3)
|
||||
policy_module(su,1.3.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(usermanage,1.3.10)
|
||||
policy_module(usermanage,1.3.11)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -442,6 +442,10 @@ optional_policy(`
|
|||
nis_use_ypbind(sysadm_passwd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_domtrans(sysadm_passwd_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Useradd local policy
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(mono,1.1.3)
|
||||
policy_module(mono,1.1.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -7,10 +7,8 @@ policy_module(mono,1.1.3)
|
|||
#
|
||||
|
||||
type mono_t;
|
||||
domain_type(mono_t)
|
||||
|
||||
type mono_exec_t;
|
||||
domain_entry_file(mono_t,mono_exec_t)
|
||||
init_system_domain(mono_t,mono_exec_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -31,6 +29,10 @@ ifdef(`targeted_policy',`
|
|||
avahi_dbus_chat(mono_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
cups_dbus_chat(mono_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
hal_dbus_chat(mono_t)
|
||||
')
|
||||
|
|
|
|||
|
|
@ -125,7 +125,6 @@ ifdef(`distro_gentoo',`
|
|||
/usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
|
@ -143,6 +142,7 @@ ifdef(`distro_gentoo',`
|
|||
/usr/lib(64)?/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/usr/lib(64)?/debug/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/debug/sbin(/.*)? -- gen_context(system_u:object_r:sbin_t,s0)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(corecommands,1.3.15)
|
||||
policy_module(corecommands,1.3.16)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
|||
|
|
@ -14,6 +14,7 @@
|
|||
/dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
/dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
/dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
|
||||
/dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
/dev/event.* -c gen_context(system_u:object_r:event_device_t,s0)
|
||||
/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
|
||||
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
|
||||
|
|
@ -46,6 +47,7 @@
|
|||
/dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0)
|
||||
/dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
|
||||
/dev/raw1394. -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
/dev/(misc/)?rtc -c gen_context(system_u:object_r:clock_device_t,s0)
|
||||
/dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
/dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(devices,1.1.22)
|
||||
policy_module(devices,1.1.23)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
|||
|
|
@ -386,7 +386,7 @@ interface(`files_write_non_security_dirs',`
|
|||
attribute file_type, security_file_type;
|
||||
')
|
||||
|
||||
allow $1 file_type:dir write;
|
||||
allow $1 { file_type -security_file_type }:dir write;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
@ -4497,3 +4497,47 @@ interface(`files_unconfined',`
|
|||
|
||||
typeattribute $1 files_unconfined_type;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow attempts to monage any directory
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to allow
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_manage_non_security_dirs',`
|
||||
gen_require(`
|
||||
attribute file_type, security_file_type;
|
||||
')
|
||||
|
||||
allow $1 { file_type -security_file_type }:dir create_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create a aliased type to etc_runtime_t files.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Create a aliased type to etc runtime files.
|
||||
## </p>
|
||||
## <p>
|
||||
## This is added to remove types that should have been etc_runtime_t
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Alias type for etc_runtime_t.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_etc_runtime_alias',`
|
||||
gen_require(`
|
||||
type etc_runtime_t;
|
||||
')
|
||||
|
||||
typealias etc_runtime_t alias $1;
|
||||
')
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(files,1.2.17)
|
||||
policy_module(files,1.2.18)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
|||
|
|
@ -2437,6 +2437,24 @@ interface(`fs_getattr_rpc_pipefs',`
|
|||
allow $1 rpc_pipefs_t:filesystem getattr;
|
||||
')
|
||||
|
||||
#########################################
|
||||
## <summary>
|
||||
## Read and write RPC pipe filesystem named pipes.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_rw_rpc_named_pipes',`
|
||||
gen_require(`
|
||||
type nfs_t;
|
||||
')
|
||||
|
||||
allow $1 rpc_pipefs_t:fifo_file { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Mount a tmpfs filesystem.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(filesystem,1.3.14)
|
||||
policy_module(filesystem,1.3.15)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(mcs,1.0.3)
|
||||
policy_module(mcs,1.0.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -43,6 +43,7 @@ range_transition initrc_t crond_exec_t s0 - s0:c0.c255;
|
|||
range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
|
||||
range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
|
||||
range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
|
||||
range_transition initrc_t setrans_exec_t s0 - s0:c0.c255;
|
||||
range_transition initrc_t xdm_exec_t s0 - s0:c0.c255;
|
||||
range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
|
||||
|
||||
|
|
|
|||
|
|
@ -917,7 +917,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
|
|||
type tty_device_t;
|
||||
')
|
||||
|
||||
dontaudit $1 tty_device_t:chr_file rw_file_perms;
|
||||
dontaudit $1 tty_device_t:chr_file { rw_term_perms lock append };
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(terminal,1.1.8)
|
||||
policy_module(terminal,1.1.9)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(amavis,1.0.8)
|
||||
policy_module(amavis,1.0.9)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -156,6 +156,7 @@ mta_read_config(amavis_t)
|
|||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_generic_ptys(amavis_t)
|
||||
term_dontaudit_use_unallocated_ttys(amavis_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(apache,1.3.17)
|
||||
policy_module(apache,1.3.18)
|
||||
|
||||
#
|
||||
# NOTES:
|
||||
|
|
@ -514,6 +514,7 @@ optional_policy(`
|
|||
allow httpd_suexec_t self:capability { setuid setgid };
|
||||
allow httpd_suexec_t self:process signal_perms;
|
||||
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow httpd_suexec_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
gen_tunable(httpd_suexec_disable_trans,false)
|
||||
|
|
@ -691,6 +692,10 @@ optional_policy(`
|
|||
nscd_socket_use(httpd_unconfined_script_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# httpd_rotatelogs local policy
|
||||
|
|
@ -712,4 +717,5 @@ miscfiles_read_localization(httpd_rotatelogs_t)
|
|||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_generic_ptys(httpd_rotatelogs_t)
|
||||
term_dontaudit_use_unallocated_ttys(httpd_rotatelogs_t)
|
||||
')
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(automount,1.2.8)
|
||||
policy_module(automount,1.2.9)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -99,6 +99,8 @@ corenet_sendrecv_all_client_packets(automount_t)
|
|||
# Someone writes a showmount policy
|
||||
corenet_tcp_bind_reserved_port(automount_t)
|
||||
corenet_tcp_bind_all_rpc_ports(automount_t)
|
||||
corenet_udp_bind_reserved_port(automount_t)
|
||||
corenet_udp_bind_all_rpc_ports(automount_t)
|
||||
|
||||
dev_read_sysfs(automount_t)
|
||||
# for SSP
|
||||
|
|
|
|||
|
|
@ -8,6 +8,7 @@
|
|||
# /usr
|
||||
#
|
||||
/usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
|
||||
/usr/bin/dund -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
|
||||
/usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
|
||||
/usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(bluetooth,1.2.9)
|
||||
policy_module(bluetooth,1.2.10)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -217,6 +217,7 @@ ifdef(`targeted_policy',`
|
|||
fs_rw_tmpfs_files(bluetooth_helper_t)
|
||||
|
||||
term_dontaudit_use_generic_ptys(bluetooth_helper_t)
|
||||
term_dontaudit_use_unallocated_ttys(bluetooth_helper_t)
|
||||
|
||||
unconfined_stream_connect(bluetooth_helper_t)
|
||||
|
||||
|
|
@ -224,7 +225,8 @@ ifdef(`targeted_policy',`
|
|||
|
||||
optional_policy(`
|
||||
corenet_tcp_connect_xserver_port(bluetooth_helper_t)
|
||||
|
||||
#Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=205956
|
||||
xserver_read_xdm_tmp_files(bluetooth_helper_t)
|
||||
xserver_stream_connect_xdm(bluetooth_helper_t)
|
||||
xserver_use_xdm_fds(bluetooth_helper_t)
|
||||
xserver_rw_xdm_pipes(bluetooth_helper_t)
|
||||
|
|
@ -244,6 +246,10 @@ optional_policy(`
|
|||
nscd_socket_use(bluetooth_helper_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
ppp_domtrans(bluetooth_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
xserver_stream_connect_xdm(bluetooth_helper_t)
|
||||
')
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(clamav,1.0.5)
|
||||
policy_module(clamav,1.0.6)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -121,6 +121,7 @@ cron_use_system_job_fds(clamd_t)
|
|||
cron_rw_pipes(clamd_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_ttys(clamd_t)
|
||||
term_dontaudit_use_generic_ptys(clamd_t)
|
||||
')
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(cups,1.3.13)
|
||||
policy_module(cups,1.3.14)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -159,7 +159,7 @@ fs_getattr_all_fs(cupsd_t)
|
|||
fs_search_auto_mountpoints(cupsd_t)
|
||||
|
||||
term_dontaudit_use_console(cupsd_t)
|
||||
term_write_unallocated_ttys(cupsd_t)
|
||||
term_use_unallocated_ttys(cupsd_t)
|
||||
term_search_ptys(cupsd_t)
|
||||
|
||||
auth_domtrans_chk_passwd(cupsd_t)
|
||||
|
|
@ -530,7 +530,8 @@ optional_policy(`
|
|||
# HPLIP local policy
|
||||
#
|
||||
|
||||
allow hplip_t self:capability net_raw;
|
||||
# Needed for USB Scanneer and xsane
|
||||
allow hplip_t self:capability { dac_override dac_read_search net_raw };
|
||||
dontaudit hplip_t self:capability sys_tty_config;
|
||||
allow hplip_t self:fifo_file rw_file_perms;
|
||||
allow hplip_t self:process signal_perms;
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(dhcp,1.1.2)
|
||||
policy_module(dhcp,1.1.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -123,6 +123,12 @@ optional_policy(`
|
|||
bind_read_dnssec_keys(dhcpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client_template(dhcpd,dhcpd_t)
|
||||
dbus_connect_system_bus(dhcpd_t)
|
||||
dbus_send_system_bus(dhcpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(dhcpd_t)
|
||||
')
|
||||
|
|
|
|||
|
|
@ -34,11 +34,13 @@
|
|||
interface(`kerberos_use',`
|
||||
gen_require(`
|
||||
type krb5_conf_t;
|
||||
type krb5kdc_conf_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 krb5_conf_t:file { getattr read };
|
||||
dontaudit $1 krb5_conf_t:file write;
|
||||
dontaudit $1 krb5kdc_conf_t:dir r_dir_perms;
|
||||
|
||||
tunable_policy(`allow_kerberos',`
|
||||
allow $1 self:tcp_socket create_socket_perms;
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(kerberos,1.1.3)
|
||||
policy_module(kerberos,1.1.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@
|
|||
/usr/sbin/checkpc -- gen_context(system_u:object_r:checkpc_exec_t,s0)
|
||||
/usr/sbin/lpd -- gen_context(system_u:object_r:lpd_exec_t,s0)
|
||||
/usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0)
|
||||
/usr/bin/lp(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
||||
/usr/bin/lpr(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
||||
/usr/bin/lpq(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
||||
/usr/bin/lprm(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(lpd,1.2.6)
|
||||
policy_module(lpd,1.2.7)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
|||
|
|
@ -3,3 +3,4 @@
|
|||
/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||
/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||
/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||
/var/run/wpa_supplicant-global -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(networkmanager,1.3.7)
|
||||
policy_module(networkmanager,1.3.8)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -21,7 +21,7 @@ files_pid_file(NetworkManager_var_run_t)
|
|||
# networkmanager will ptrace itself if gdb is installed
|
||||
# and it receives a unexpected signal (rh bug #204161)
|
||||
allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock};
|
||||
dontaudit NetworkManager_t self:capability sys_tty_config;
|
||||
dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
|
||||
allow NetworkManager_t self:process { ptrace setcap getsched signal_perms };
|
||||
allow NetworkManager_t self:fifo_file rw_file_perms;
|
||||
allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
|
||||
|
|
@ -78,6 +78,7 @@ corecmd_exec_ls(NetworkManager_t)
|
|||
|
||||
domain_use_interactive_fds(NetworkManager_t)
|
||||
domain_read_confined_domains_state(NetworkManager_t)
|
||||
domain_dontaudit_read_all_domains_state(NetworkManager_t)
|
||||
|
||||
files_read_etc_files(NetworkManager_t)
|
||||
files_read_etc_runtime_files(NetworkManager_t)
|
||||
|
|
@ -161,6 +162,7 @@ optional_policy(`
|
|||
|
||||
optional_policy(`
|
||||
ppp_domtrans(NetworkManager_t)
|
||||
ppp_read_pid_files(NetworkManager_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(ntp,1.1.5)
|
||||
policy_module(ntp,1.1.6)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -122,6 +122,12 @@ ifdef(`targeted_policy', `
|
|||
term_dontaudit_use_unallocated_ttys(ntpd_t)
|
||||
term_dontaudit_use_generic_ptys(ntpd_t)
|
||||
files_dontaudit_read_root_files(ntpd_t)
|
||||
|
||||
optional_policy(`
|
||||
# The Gnome date GUI code is requesting that
|
||||
# the ntp code change the date of the machine.
|
||||
unconfined_rw_pipes(ntpd_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(postfix,1.2.12)
|
||||
policy_module(postfix,1.2.13)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -171,6 +171,11 @@ sysnet_read_config(postfix_master_t)
|
|||
mta_rw_aliases(postfix_master_t)
|
||||
mta_read_sendmail_bin(postfix_master_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_ttys(postfix_master_t)
|
||||
term_dontaudit_use_generic_ptys(postfix_master_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
cyrus_stream_connect(postfix_master_t)
|
||||
')
|
||||
|
|
@ -361,6 +366,7 @@ seutil_read_config(postfix_map_t)
|
|||
sysnet_read_config(postfix_map_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_ttys(postfix_map_t)
|
||||
term_dontaudit_use_generic_ptys(postfix_map_t)
|
||||
')
|
||||
|
||||
|
|
|
|||
|
|
@ -1,14 +1,20 @@
|
|||
#
|
||||
# /etc
|
||||
#
|
||||
/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0)
|
||||
/etc/ppp/.* -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
|
||||
/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0)
|
||||
/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
|
||||
/etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0)
|
||||
/etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0)
|
||||
/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
|
||||
|
||||
# Fix /etc/ppp {up,down} family scripts (see man pppd)
|
||||
/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_script_exec_t,s0)
|
||||
|
||||
#
|
||||
# /sbin
|
||||
#
|
||||
/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
|
||||
|
||||
#
|
||||
# /usr
|
||||
#
|
||||
|
|
@ -20,11 +26,10 @@
|
|||
# /var
|
||||
#
|
||||
/var/run/(i)?ppp.*pid -- gen_context(system_u:object_r:pppd_var_run_t,s0)
|
||||
/var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0)
|
||||
/var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0)
|
||||
/var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0)
|
||||
# Fix pptp sockets
|
||||
/var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0)
|
||||
|
||||
/var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0)
|
||||
/var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0)
|
||||
|
||||
|
|
|
|||
|
|
@ -202,6 +202,24 @@ interface(`ppp_read_secrets',`
|
|||
files_search_etc($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read PPP pid files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`ppp_read_pid_files',`
|
||||
gen_require(`
|
||||
type pppd_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 pppd_var_run_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete PPP pid files.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(ppp,1.2.4)
|
||||
policy_module(ppp,1.2.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -64,7 +64,7 @@ allow pppd_t self:fifo_file rw_file_perms;
|
|||
allow pppd_t self:socket create_socket_perms;
|
||||
allow pppd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow pppd_t self:unix_stream_socket create_socket_perms;
|
||||
allow pppd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow pppd_t self:netlink_route_socket rw_netlink_socket_perms;
|
||||
allow pppd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow pppd_t self:udp_socket { connect connected_socket_perms };
|
||||
allow pppd_t self:packet_socket create_socket_perms;
|
||||
|
|
@ -80,9 +80,11 @@ allow pppd_t pppd_devpts_t:chr_file { rw_file_perms setattr };
|
|||
allow pppd_t pppd_etc_t:dir rw_dir_perms;
|
||||
allow pppd_t pppd_etc_t:file r_file_perms;
|
||||
allow pppd_t pppd_etc_t:lnk_file { getattr read };
|
||||
files_etc_filetrans(pppd_t,pppd_etc_t,file)
|
||||
|
||||
allow pppd_t pppd_etc_rw_t:dir rw_dir_perms;
|
||||
allow pppd_t pppd_etc_rw_t:file create_file_perms;
|
||||
# Automatically label newly created files under /etc/ppp with this type
|
||||
type_transition pppd_t pppd_etc_t:file pppd_etc_rw_t;
|
||||
|
||||
allow pppd_t pppd_lock_t:file create_file_perms;
|
||||
files_lock_filetrans(pppd_t,pppd_lock_t,file)
|
||||
|
|
@ -104,9 +106,6 @@ allow pppd_t pptp_t:process signal;
|
|||
# Access secret files
|
||||
allow pppd_t pppd_secret_t:file r_file_perms;
|
||||
|
||||
# Automatically label newly created files under /etc/ppp with this type
|
||||
type_transition pppd_t pppd_etc_t:file pppd_etc_rw_t;
|
||||
|
||||
kernel_read_kernel_sysctls(pppd_t)
|
||||
kernel_read_system_state(pppd_t)
|
||||
kernel_read_net_sysctls(pppd_t)
|
||||
|
|
@ -147,7 +146,10 @@ corecmd_exec_shell(pppd_t)
|
|||
domain_use_interactive_fds(pppd_t)
|
||||
|
||||
files_exec_etc_files(pppd_t)
|
||||
files_read_etc_runtime_files(pppd_t)
|
||||
files_manage_etc_runtime_files(pppd_t)
|
||||
files_etc_filetrans_etc_runtime(pppd_t, { dir file })
|
||||
files_dontaudit_write_etc_files(pppd_t)
|
||||
|
||||
# for scripts
|
||||
files_read_etc_files(pppd_t)
|
||||
|
||||
|
|
@ -174,6 +176,8 @@ userdom_dontaudit_search_sysadm_home_dirs(pppd_t)
|
|||
userdom_search_sysadm_home_dirs(pppd_t)
|
||||
userdom_search_unpriv_users_home_dirs(pppd_t)
|
||||
|
||||
ppp_exec(pppd_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
term_dontaudit_use_unallocated_ttys(pppd_t)
|
||||
term_dontaudit_use_generic_ptys(pppd_t)
|
||||
|
|
@ -305,6 +309,10 @@ ifdef(`targeted_policy',`
|
|||
files_dontaudit_read_root_files(pptp_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
consoletype_exec(pppd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
hostname_exec(pptp_t)
|
||||
')
|
||||
|
|
|
|||
|
|
@ -92,6 +92,7 @@ template(`rpc_domain_template', `
|
|||
corenet_udp_bind_reserved_port($1_t)
|
||||
corenet_sendrecv_generic_server_packets($1_t)
|
||||
|
||||
fs_rw_rpc_named_pipes($1_t)
|
||||
fs_search_auto_mountpoints($1_t)
|
||||
|
||||
term_dontaudit_use_console($1_t)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(rpc,1.2.14)
|
||||
policy_module(rpc,1.2.15)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(sendmail,1.2.2)
|
||||
policy_module(sendmail,1.2.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -37,6 +37,13 @@ allow sendmail_t sendmail_log_t:file create_file_perms;
|
|||
allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };
|
||||
logging_log_filetrans(sendmail_t,sendmail_log_t,{ file dir })
|
||||
|
||||
allow sendmail_t sendmail_tmp_t:dir manage_dir_perms;
|
||||
allow sendmail_t sendmail_tmp_t:file manage_file_perms;
|
||||
files_tmp_filetrans(sendmail_t, sendmail_tmp_t, { file dir })
|
||||
|
||||
allow sendmail_t sendmail_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(sendmail_t,sendmail_var_run_t,file)
|
||||
|
||||
kernel_read_kernel_sysctls(sendmail_t)
|
||||
# for piping mail to a command
|
||||
kernel_read_system_state(sendmail_t)
|
||||
|
|
@ -104,13 +111,6 @@ ifdef(`targeted_policy',`
|
|||
term_dontaudit_use_unallocated_ttys(sendmail_t)
|
||||
term_dontaudit_use_generic_ptys(sendmail_t)
|
||||
files_dontaudit_read_root_files(sendmail_t)
|
||||
',`
|
||||
allow sendmail_t sendmail_tmp_t:dir create_dir_perms;
|
||||
allow sendmail_t sendmail_tmp_t:file create_file_perms;
|
||||
files_tmp_filetrans(sendmail_t, sendmail_tmp_t, { file dir })
|
||||
|
||||
allow sendmail_t sendmail_var_run_t:file { getattr create read write append setattr unlink lock };
|
||||
files_pid_filetrans(sendmail_t,sendmail_var_run_t,file)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(setroubleshoot,1.0.1)
|
||||
policy_module(setroubleshoot,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -69,6 +69,8 @@ corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
|
|||
|
||||
dev_read_urand(setroubleshootd_t)
|
||||
|
||||
domain_dontaudit_search_all_domains_state(setroubleshootd_t)
|
||||
|
||||
files_read_usr_files(setroubleshootd_t)
|
||||
files_read_etc_files(setroubleshootd_t)
|
||||
files_getattr_all_dirs(setroubleshootd_t)
|
||||
|
|
@ -82,6 +84,7 @@ term_dontaudit_use_all_user_ttys(setroubleshootd_t)
|
|||
init_read_utmp(setroubleshootd_t)
|
||||
init_dontaudit_write_utmp(setroubleshootd_t)
|
||||
init_use_fds(setroubleshootd_t)
|
||||
init_use_script_ptys(setroubleshootd_t)
|
||||
|
||||
libs_use_ld_so(setroubleshootd_t)
|
||||
libs_use_shared_libs(setroubleshootd_t)
|
||||
|
|
@ -107,3 +110,7 @@ optional_policy(`
|
|||
rpm_dontaudit_manage_db(setroubleshootd_t)
|
||||
rpm_use_script_fds(setroubleshootd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(setroubleshootd_t)
|
||||
')
|
||||
|
|
|
|||
|
|
@ -46,3 +46,22 @@ interface(`snmp_read_snmp_var_lib_files',`
|
|||
allow $1 snmpd_var_lib_t:file r_file_perms;
|
||||
allow $1 snmpd_var_lib_t:lnk_file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## dontaudit Read snmpd libraries.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`snmp_dontaudit_read_snmp_var_lib_files',`
|
||||
gen_require(`
|
||||
type snmpd_var_lib_t;
|
||||
')
|
||||
dontaudit $1 snmpd_var_lib_t:dir r_dir_perms;
|
||||
dontaudit $1 snmpd_var_lib_t:file r_file_perms;
|
||||
dontaudit $1 snmpd_var_lib_t:lnk_file { getattr read };
|
||||
')
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(snmp,1.1.3)
|
||||
policy_module(snmp,1.1.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(xfs,1.0.4)
|
||||
policy_module(xfs,1.0.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -21,7 +21,7 @@ files_pid_file(xfs_var_run_t)
|
|||
# Local policy
|
||||
#
|
||||
|
||||
allow xfs_t self:capability { setgid setuid };
|
||||
allow xfs_t self:capability { dac_override setgid setuid };
|
||||
dontaudit xfs_t self:capability sys_tty_config;
|
||||
allow xfs_t self:process { signal_perms setpgid };
|
||||
allow xfs_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(authlogin,1.3.14)
|
||||
policy_module(authlogin,1.3.15)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -206,6 +206,8 @@ files_list_mnt(pam_console_t)
|
|||
# read /etc/mtab
|
||||
files_read_etc_runtime_files(pam_console_t)
|
||||
|
||||
fs_list_auto_mountpoints(pam_console_t)
|
||||
|
||||
init_use_fds(pam_console_t)
|
||||
init_use_script_ptys(pam_console_t)
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(fstools,1.3.4)
|
||||
policy_module(fstools,1.3.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -112,6 +112,9 @@ corecmd_list_bin(fsadm_t)
|
|||
corecmd_list_sbin(fsadm_t)
|
||||
corecmd_read_bin_symlinks(fsadm_t)
|
||||
corecmd_read_sbin_symlinks(fsadm_t)
|
||||
#RedHat bug #201164
|
||||
corecmd_exec_shell(fsadm_t)
|
||||
|
||||
# cjp: these are probably not needed:
|
||||
corecmd_read_bin_files(fsadm_t)
|
||||
corecmd_read_bin_pipes(fsadm_t)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(init,1.3.24)
|
||||
policy_module(init,1.3.25)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
|
|
@ -520,6 +520,11 @@ ifdef(`targeted_policy',`
|
|||
# optional_policy(`',`
|
||||
# mta_send_mail(initrc_t)
|
||||
# ')
|
||||
|
||||
# allow init scripts to su
|
||||
optional_policy(`
|
||||
su_restricted_domain_template(initrc,initrc_t,system_r)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -732,11 +737,6 @@ optional_policy(`
|
|||
ssh_dontaudit_read_server_keys(initrc_t)
|
||||
')
|
||||
|
||||
# allow init scripts to su
|
||||
optional_policy(`
|
||||
su_restricted_domain_template(initrc,initrc_t,system_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
sysnet_read_dhcpc_state(initrc_t)
|
||||
')
|
||||
|
|
|
|||
|
|
@ -128,6 +128,7 @@ ifdef(`distro_gentoo',`
|
|||
/usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/fglrx/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
|
@ -140,8 +141,7 @@ ifdef(`distro_gentoo',`
|
|||
|
||||
/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
|
||||
/usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/(local/)?lib/libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
/usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
|
|
@ -252,7 +252,7 @@ HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textre
|
|||
/usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
# Java, Sun Microsystems (JPackage SRPM)
|
||||
/usr/(.*/)?jre.*/libdeploy\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/(.*/)?jre.*/libdeploy\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/(local/)?(.*/)?jre.*/libjvm\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/(local/)?(.*/)?jre.*/libawt\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
|
|
@ -263,6 +263,7 @@ HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textre
|
|||
/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/(local/)?Adobe/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/(local/)?lib/xchat/plugins/systray.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/local/matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(libraries,1.3.13)
|
||||
policy_module(libraries,1.3.14)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(selinuxutil,1.2.15)
|
||||
policy_module(selinuxutil,1.2.16)
|
||||
|
||||
ifdef(`strict_policy',`
|
||||
gen_require(`
|
||||
|
|
@ -449,8 +449,6 @@ selinux_compute_create_context(restorecond_t)
|
|||
selinux_compute_relabel_context(restorecond_t)
|
||||
selinux_compute_user_contexts(restorecond_t)
|
||||
|
||||
term_dontaudit_use_generic_ptys(restorecond_t)
|
||||
|
||||
auth_relabel_all_files_except_shadow(restorecond_t )
|
||||
auth_read_all_files_except_shadow(restorecond_t)
|
||||
|
||||
|
|
@ -466,6 +464,11 @@ logging_send_syslog_msg(restorecond_t)
|
|||
|
||||
miscfiles_read_localization(restorecond_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_generic_ptys(restorecond_t)
|
||||
term_dontaudit_use_unallocated_ttys(restorecond_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
rpm_use_script_fds(restorecond_t)
|
||||
')
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(setrans,1.0.2)
|
||||
policy_module(setrans,1.0.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -43,6 +43,7 @@ kernel_read_proc_symlinks(setrans_t)
|
|||
|
||||
# allow performing getpidcon() on all processes
|
||||
domain_read_all_domains_state(setrans_t)
|
||||
domain_dontaudit_search_all_domains_state(setrans_t)
|
||||
domain_getattr_all_domains(setrans_t)
|
||||
domain_getsession_all_domains(setrans_t)
|
||||
|
||||
|
|
|
|||
|
|
@ -7,6 +7,7 @@
|
|||
/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
|
||||
/var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0)
|
||||
|
||||
/var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0)
|
||||
/var/log/xen-hotplug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
|
||||
/var/log/xend\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
|
||||
/var/log/xend-debug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(xen,1.0.10)
|
||||
policy_module(xen,1.0.11)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -68,7 +68,7 @@ init_daemon_domain(xm_t, xm_exec_t)
|
|||
# xend local policy
|
||||
#
|
||||
|
||||
allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw };
|
||||
allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_ptrace sys_tty_config net_raw };
|
||||
dontaudit xend_t self:capability { sys_ptrace };
|
||||
allow xend_t self:process { signal sigkill };
|
||||
dontaudit xend_t self:process ptrace;
|
||||
|
|
@ -153,6 +153,7 @@ files_etc_filetrans_etc_runtime(xend_t,file)
|
|||
files_read_usr_files(xend_t)
|
||||
|
||||
storage_raw_read_fixed_disk(xend_t)
|
||||
storage_raw_read_removable_device(xend_t)
|
||||
|
||||
term_getattr_all_user_ptys(xend_t)
|
||||
term_use_generic_ptys(xend_t)
|
||||
|
|
|
|||
Loading…
Reference in New Issue