- Allow cups_pdf_t write to nfs_t
This commit is contained in:
Daniel J Walsh
parent
2ed2ff46f8
commit
87fb15321a
|
|
@ -607,6 +607,13 @@ iscsi = module
|
|||
i18n_input = off
|
||||
|
||||
|
||||
# Layer: services
|
||||
# Module: jabber
|
||||
#
|
||||
# Jabber instant messaging server
|
||||
#
|
||||
jabber = module
|
||||
|
||||
# Layer: apps
|
||||
# Module: java
|
||||
#
|
||||
|
|
|
|||
|
|
@ -607,6 +607,13 @@ iscsi = module
|
|||
i18n_input = off
|
||||
|
||||
|
||||
# Layer: services
|
||||
# Module: jabber
|
||||
#
|
||||
# Jabber instant messaging server
|
||||
#
|
||||
jabber = module
|
||||
|
||||
# Layer: apps
|
||||
# Module: java
|
||||
#
|
||||
|
|
|
|||
|
|
@ -1456,6 +1456,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
libs_read_lib_files(awstats_t)
|
||||
|
||||
miscfiles_read_localization(awstats_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.fc serefpolicy-3.6.2/policy/modules/apps/cdrecord.fc
|
||||
--- nsaserefpolicy/policy/modules/apps/cdrecord.fc 2008-08-07 11:15:03.000000000 -0400
|
||||
+++ serefpolicy-3.6.2/policy/modules/apps/cdrecord.fc 2009-01-06 10:53:56.000000000 -0500
|
||||
@@ -2,4 +2,5 @@
|
||||
# /usr
|
||||
#
|
||||
/usr/bin/cdrecord -- gen_context(system_u:object_r:cdrecord_exec_t,s0)
|
||||
+/usr/bin/growisoifs -- gen_context(system_u:object_r:cdrecord_exec_t,s0)
|
||||
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/games.if serefpolicy-3.6.2/policy/modules/apps/games.if
|
||||
--- nsaserefpolicy/policy/modules/apps/games.if 2008-11-11 16:13:42.000000000 -0500
|
||||
+++ serefpolicy-3.6.2/policy/modules/apps/games.if 2009-01-05 17:54:58.000000000 -0500
|
||||
|
|
@ -2274,8 +2283,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.2/policy/modules/apps/mozilla.if
|
||||
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2008-11-11 16:13:41.000000000 -0500
|
||||
+++ serefpolicy-3.6.2/policy/modules/apps/mozilla.if 2009-01-05 17:54:58.000000000 -0500
|
||||
@@ -82,8 +82,7 @@
|
||||
+++ serefpolicy-3.6.2/policy/modules/apps/mozilla.if 2009-01-12 11:19:04.000000000 -0500
|
||||
@@ -82,8 +83,7 @@
|
||||
type mozilla_home_t;
|
||||
')
|
||||
|
||||
|
|
@ -2287,7 +2296,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.2/policy/modules/apps/mozilla.te
|
||||
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2008-11-11 16:13:42.000000000 -0500
|
||||
+++ serefpolicy-3.6.2/policy/modules/apps/mozilla.te 2009-01-05 17:54:58.000000000 -0500
|
||||
+++ serefpolicy-3.6.2/policy/modules/apps/mozilla.te 2009-01-12 11:19:32.000000000 -0500
|
||||
@@ -105,6 +105,7 @@
|
||||
# Should not need other ports
|
||||
corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
|
||||
|
|
@ -2296,6 +2305,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
dev_read_urand(mozilla_t)
|
||||
dev_read_rand(mozilla_t)
|
||||
@@ -128,6 +129,7 @@
|
||||
fs_rw_tmpfs_files(mozilla_t)
|
||||
|
||||
term_dontaudit_getattr_pty_dirs(mozilla_t)
|
||||
+term_use_all_user_ttys(mozilla_t)
|
||||
|
||||
logging_send_syslog_msg(mozilla_t)
|
||||
|
||||
@@ -263,5 +265,9 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ nsplugin_manage_rw(mozilla_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
thunderbird_domtrans(mozilla_t)
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.fc serefpolicy-3.6.2/policy/modules/apps/mplayer.fc
|
||||
--- nsaserefpolicy/policy/modules/apps/mplayer.fc 2008-11-11 16:13:42.000000000 -0500
|
||||
+++ serefpolicy-3.6.2/policy/modules/apps/mplayer.fc 2009-01-05 17:54:58.000000000 -0500
|
||||
|
|
@ -2357,8 +2384,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.2/policy/modules/apps/nsplugin.if
|
||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.2/policy/modules/apps/nsplugin.if 2009-01-05 17:54:58.000000000 -0500
|
||||
@@ -0,0 +1,248 @@
|
||||
+++ serefpolicy-3.6.2/policy/modules/apps/nsplugin.if 2009-01-12 11:24:07.000000000 -0500
|
||||
@@ -0,0 +1,250 @@
|
||||
+
|
||||
+## <summary>policy for nsplugin</summary>
|
||||
+
|
||||
|
|
@ -2534,6 +2561,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+ ')
|
||||
+
|
||||
+ domtrans_pattern($1, nsplugin_exec_t, nsplugin_t)
|
||||
+ allow $1 nsplugin_t:unix_stream_socket connectto;
|
||||
+ allow nsplugin_t $1:process signal;
|
||||
+')
|
||||
+#######################################
|
||||
+## <summary>
|
||||
|
|
@ -4990,7 +5019,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+dontaudit can_change_object_identity can_change_object_identity:key link;
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.2/policy/modules/kernel/files.fc
|
||||
--- nsaserefpolicy/policy/modules/kernel/files.fc 2009-01-05 15:39:38.000000000 -0500
|
||||
+++ serefpolicy-3.6.2/policy/modules/kernel/files.fc 2009-01-05 17:54:58.000000000 -0500
|
||||
+++ serefpolicy-3.6.2/policy/modules/kernel/files.fc 2009-01-07 15:44:45.000000000 -0500
|
||||
@@ -8,6 +8,8 @@
|
||||
/initrd\.img.* -l gen_context(system_u:object_r:boot_t,s0)
|
||||
/vmlinuz.* -l gen_context(system_u:object_r:boot_t,s0)
|
||||
|
|
@ -5008,6 +5037,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
/etc/issue -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||
/etc/issue\.net -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||
/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
|
||||
@@ -228,6 +231,8 @@
|
||||
|
||||
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
|
||||
|
||||
+/var/named/chroot/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
|
||||
+
|
||||
/var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
|
||||
|
||||
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.2/policy/modules/kernel/files.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500
|
||||
+++ serefpolicy-3.6.2/policy/modules/kernel/files.if 2009-01-05 17:54:58.000000000 -0500
|
||||
|
|
@ -6539,7 +6577,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
-')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.2/policy/modules/roles/staff.te
|
||||
--- nsaserefpolicy/policy/modules/roles/staff.te 2008-11-11 16:13:47.000000000 -0500
|
||||
+++ serefpolicy-3.6.2/policy/modules/roles/staff.te 2009-01-05 17:54:59.000000000 -0500
|
||||
+++ serefpolicy-3.6.2/policy/modules/roles/staff.te 2009-01-06 10:51:51.000000000 -0500
|
||||
@@ -8,112 +8,32 @@
|
||||
|
||||
role staff_r;
|
||||
|
|
@ -9039,7 +9077,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
optional_policy(`
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.6.2/policy/modules/services/bind.fc
|
||||
--- nsaserefpolicy/policy/modules/services/bind.fc 2009-01-05 15:39:43.000000000 -0500
|
||||
+++ serefpolicy-3.6.2/policy/modules/services/bind.fc 2009-01-05 17:54:59.000000000 -0500
|
||||
+++ serefpolicy-3.6.2/policy/modules/services/bind.fc 2009-01-07 15:44:12.000000000 -0500
|
||||
@@ -1,17 +1,22 @@
|
||||
/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
|
||||
+/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
|
||||
|
|
@ -9063,6 +9101,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
ifdef(`distro_debian',`
|
||||
/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
|
||||
@@ -40,7 +45,6 @@
|
||||
/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
|
||||
/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
|
||||
/var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
|
||||
-/var/named/chroot/etc(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
|
||||
/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
|
||||
/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
|
||||
/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.2/policy/modules/services/bind.if
|
||||
--- nsaserefpolicy/policy/modules/services/bind.if 2008-11-11 16:13:46.000000000 -0500
|
||||
+++ serefpolicy-3.6.2/policy/modules/services/bind.if 2009-01-05 17:54:59.000000000 -0500
|
||||
|
|
@ -10523,7 +10569,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.2/policy/modules/services/cups.te
|
||||
--- nsaserefpolicy/policy/modules/services/cups.te 2009-01-05 15:39:43.000000000 -0500
|
||||
+++ serefpolicy-3.6.2/policy/modules/services/cups.te 2009-01-05 17:54:59.000000000 -0500
|
||||
+++ serefpolicy-3.6.2/policy/modules/services/cups.te 2009-01-12 11:25:36.000000000 -0500
|
||||
@@ -20,9 +20,18 @@
|
||||
type cupsd_etc_t;
|
||||
files_config_file(cupsd_etc_t)
|
||||
|
|
@ -10850,7 +10896,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
|
||||
files_search_etc(hplip_t)
|
||||
|
||||
+fs_read_anon_inodefs_files(hplip_t)
|
||||
+fs_rw_anon_inodefs_files(hplip_t)
|
||||
+
|
||||
+read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
|
||||
+
|
||||
|
|
@ -10878,7 +10924,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(hplip_t)
|
||||
@@ -635,3 +709,39 @@
|
||||
@@ -635,3 +709,49 @@
|
||||
optional_policy(`
|
||||
udev_read_db(ptal_t)
|
||||
')
|
||||
|
|
@ -10913,6 +10959,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+userdom_manage_user_home_content_dirs(cups_pdf_t)
|
||||
+userdom_manage_user_home_content_files(cups_pdf_t)
|
||||
+
|
||||
+tunable_policy(`use_nfs_home_dirs',`
|
||||
+ fs_manage_nfs_dirs(cups_pdf_t)
|
||||
+ fs_manage_nfs_files(cups_pdf_t)
|
||||
+')
|
||||
+
|
||||
+tunable_policy(`use_samba_home_dirs',`
|
||||
+ fs_manage_cifs_dirs(cups_pdf_t)
|
||||
+ fs_manage_cifs_files(cups_pdf_t)
|
||||
+')
|
||||
+
|
||||
+lpd_manage_spool(cups_pdf_t)
|
||||
+
|
||||
+manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
|
||||
|
|
@ -12944,16 +13000,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+files_type(mailscanner_spool_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.2/policy/modules/services/mta.fc
|
||||
--- nsaserefpolicy/policy/modules/services/mta.fc 2008-09-12 10:48:05.000000000 -0400
|
||||
+++ serefpolicy-3.6.2/policy/modules/services/mta.fc 2009-01-05 17:54:59.000000000 -0500
|
||||
+++ serefpolicy-3.6.2/policy/modules/services/mta.fc 2009-01-08 13:25:41.000000000 -0500
|
||||
@@ -1,4 +1,4 @@
|
||||
-/bin/mail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
||||
+/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
||||
|
||||
/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
|
||||
/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
|
||||
@@ -11,9 +11,11 @@
|
||||
@@ -10,10 +10,13 @@
|
||||
')
|
||||
|
||||
/usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
||||
+/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
||||
|
||||
+/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
||||
/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
||||
|
|
@ -12963,7 +13021,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
|
||||
|
||||
@@ -22,7 +24,3 @@
|
||||
@@ -22,7 +25,3 @@
|
||||
/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
|
||||
/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
|
||||
/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
|
||||
|
|
@ -16452,8 +16510,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.2/policy/modules/services/postfix.if
|
||||
--- nsaserefpolicy/policy/modules/services/postfix.if 2009-01-05 15:39:43.000000000 -0500
|
||||
+++ serefpolicy-3.6.2/policy/modules/services/postfix.if 2009-01-05 17:54:59.000000000 -0500
|
||||
@@ -174,9 +174,8 @@
|
||||
+++ serefpolicy-3.6.2/policy/modules/services/postfix.if 2009-01-07 13:21:46.000000000 -0500
|
||||
@@ -46,6 +46,7 @@
|
||||
|
||||
allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
|
||||
read_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t)
|
||||
+ read_lnk_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t)
|
||||
|
||||
can_exec(postfix_$1_t, postfix_$1_exec_t)
|
||||
|
||||
@@ -174,9 +175,8 @@
|
||||
type postfix_etc_t;
|
||||
')
|
||||
|
||||
|
|
@ -16465,7 +16531,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
files_search_etc($1)
|
||||
')
|
||||
|
||||
@@ -378,7 +377,7 @@
|
||||
@@ -378,7 +378,7 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
|
@ -16474,7 +16540,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
gen_require(`
|
||||
type postfix_private_t;
|
||||
')
|
||||
@@ -389,6 +388,25 @@
|
||||
@@ -389,6 +389,25 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -16500,7 +16566,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
## Execute the master postfix program in the
|
||||
## postfix_master domain.
|
||||
## </summary>
|
||||
@@ -418,10 +436,10 @@
|
||||
@@ -418,10 +437,10 @@
|
||||
#
|
||||
interface(`postfix_search_spool',`
|
||||
gen_require(`
|
||||
|
|
@ -16513,7 +16579,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
files_search_spool($1)
|
||||
')
|
||||
|
||||
@@ -437,11 +455,30 @@
|
||||
@@ -437,11 +456,30 @@
|
||||
#
|
||||
interface(`postfix_list_spool',`
|
||||
gen_require(`
|
||||
|
|
@ -16546,7 +16612,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -456,16 +493,16 @@
|
||||
@@ -456,16 +494,16 @@
|
||||
#
|
||||
interface(`postfix_read_spool_files',`
|
||||
gen_require(`
|
||||
|
|
@ -16566,7 +16632,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -475,11 +512,11 @@
|
||||
@@ -475,11 +513,11 @@
|
||||
#
|
||||
interface(`postfix_manage_spool_files',`
|
||||
gen_require(`
|
||||
|
|
@ -16580,7 +16646,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -500,3 +537,23 @@
|
||||
@@ -500,3 +538,23 @@
|
||||
|
||||
typeattribute $1 postfix_user_domtrans;
|
||||
')
|
||||
|
|
@ -16606,7 +16672,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.2/policy/modules/services/postfix.te
|
||||
--- nsaserefpolicy/policy/modules/services/postfix.te 2009-01-05 15:39:43.000000000 -0500
|
||||
+++ serefpolicy-3.6.2/policy/modules/services/postfix.te 2009-01-05 17:54:59.000000000 -0500
|
||||
+++ serefpolicy-3.6.2/policy/modules/services/postfix.te 2009-01-07 13:20:40.000000000 -0500
|
||||
@@ -6,6 +6,15 @@
|
||||
# Declarations
|
||||
#
|
||||
|
|
@ -22147,7 +22213,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.2/policy/modules/system/authlogin.te
|
||||
--- nsaserefpolicy/policy/modules/system/authlogin.te 2008-11-11 16:13:48.000000000 -0500
|
||||
+++ serefpolicy-3.6.2/policy/modules/system/authlogin.te 2009-01-05 17:54:59.000000000 -0500
|
||||
+++ serefpolicy-3.6.2/policy/modules/system/authlogin.te 2009-01-12 11:15:15.000000000 -0500
|
||||
@@ -12,7 +12,7 @@
|
||||
|
||||
type chkpwd_t, can_read_shadow_passwords;
|
||||
|
|
@ -22191,6 +22257,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(pam_t)
|
||||
@@ -183,7 +196,7 @@
|
||||
# PAM console local policy
|
||||
#
|
||||
|
||||
-allow pam_console_t self:capability { chown fowner fsetid };
|
||||
+allow pam_console_t self:capability { dac_override dac_read_search chown fowner fsetid };
|
||||
dontaudit pam_console_t self:capability sys_tty_config;
|
||||
|
||||
allow pam_console_t self:process { sigchld sigkill sigstop signull signal };
|
||||
@@ -201,6 +214,8 @@
|
||||
dev_read_sysfs(pam_console_t)
|
||||
dev_getattr_apm_bios_dev(pam_console_t)
|
||||
|
|
@ -22229,7 +22304,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.6.2/policy/modules/system/fstools.te
|
||||
--- nsaserefpolicy/policy/modules/system/fstools.te 2009-01-05 15:39:43.000000000 -0500
|
||||
+++ serefpolicy-3.6.2/policy/modules/system/fstools.te 2009-01-05 17:54:59.000000000 -0500
|
||||
+++ serefpolicy-3.6.2/policy/modules/system/fstools.te 2009-01-12 11:11:00.000000000 -0500
|
||||
@@ -97,6 +97,10 @@
|
||||
fs_getattr_tmpfs_dirs(fsadm_t)
|
||||
fs_read_tmpfs_symlinks(fsadm_t)
|
||||
|
|
@ -23596,7 +23671,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
## <param name="domain">
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.2/policy/modules/system/modutils.te
|
||||
--- nsaserefpolicy/policy/modules/system/modutils.te 2009-01-05 15:39:43.000000000 -0500
|
||||
+++ serefpolicy-3.6.2/policy/modules/system/modutils.te 2009-01-05 17:54:59.000000000 -0500
|
||||
+++ serefpolicy-3.6.2/policy/modules/system/modutils.te 2009-01-12 11:28:35.000000000 -0500
|
||||
@@ -42,7 +42,7 @@
|
||||
# insmod local policy
|
||||
#
|
||||
|
|
@ -23736,7 +23811,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.2/policy/modules/system/mount.te
|
||||
--- nsaserefpolicy/policy/modules/system/mount.te 2009-01-05 15:39:43.000000000 -0500
|
||||
+++ serefpolicy-3.6.2/policy/modules/system/mount.te 2009-01-05 17:54:59.000000000 -0500
|
||||
+++ serefpolicy-3.6.2/policy/modules/system/mount.te 2009-01-12 11:28:54.000000000 -0500
|
||||
@@ -18,17 +18,18 @@
|
||||
init_system_domain(mount_t,mount_exec_t)
|
||||
role system_r types mount_t;
|
||||
|
|
@ -23769,7 +23844,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
allow mount_t mount_loopback_t:file read_file_perms;
|
||||
|
||||
@@ -47,12 +49,17 @@
|
||||
@@ -47,12 +49,18 @@
|
||||
|
||||
files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })
|
||||
|
||||
|
|
@ -23780,6 +23855,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
kernel_read_kernel_sysctls(mount_t)
|
||||
kernel_dontaudit_getattr_core_if(mount_t)
|
||||
+kernel_search_debugfs(mount_t)
|
||||
+kernel_setsched(mount_t)
|
||||
|
||||
dev_getattr_all_blk_files(mount_t)
|
||||
dev_list_all_dev_nodes(mount_t)
|
||||
|
|
@ -23787,7 +23863,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
dev_rw_lvm_control(mount_t)
|
||||
dev_dontaudit_getattr_all_chr_files(mount_t)
|
||||
dev_dontaudit_getattr_memory_dev(mount_t)
|
||||
@@ -62,16 +69,19 @@
|
||||
@@ -62,16 +70,19 @@
|
||||
storage_raw_write_fixed_disk(mount_t)
|
||||
storage_raw_read_removable_device(mount_t)
|
||||
storage_raw_write_removable_device(mount_t)
|
||||
|
|
@ -23810,7 +23886,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
term_use_all_terms(mount_t)
|
||||
|
||||
@@ -79,6 +89,7 @@
|
||||
@@ -79,6 +90,7 @@
|
||||
corecmd_exec_bin(mount_t)
|
||||
|
||||
domain_use_interactive_fds(mount_t)
|
||||
|
|
@ -23818,7 +23894,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
files_search_all(mount_t)
|
||||
files_read_etc_files(mount_t)
|
||||
@@ -87,7 +98,7 @@
|
||||
@@ -87,7 +99,7 @@
|
||||
files_mounton_all_mountpoints(mount_t)
|
||||
files_unmount_rootfs(mount_t)
|
||||
# These rules need to be generalized. Only admin, initrc should have it:
|
||||
|
|
@ -23827,7 +23903,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
files_mount_all_file_type_fs(mount_t)
|
||||
files_unmount_all_file_type_fs(mount_t)
|
||||
# for when /etc/mtab loses its type
|
||||
@@ -100,6 +111,8 @@
|
||||
@@ -100,6 +112,8 @@
|
||||
init_use_fds(mount_t)
|
||||
init_use_script_ptys(mount_t)
|
||||
init_dontaudit_getattr_initctl(mount_t)
|
||||
|
|
@ -23836,7 +23912,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
auth_use_nsswitch(mount_t)
|
||||
|
||||
@@ -116,6 +129,7 @@
|
||||
@@ -116,6 +130,7 @@
|
||||
seutil_read_config(mount_t)
|
||||
|
||||
userdom_use_all_users_fds(mount_t)
|
||||
|
|
@ -23844,7 +23920,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
ifdef(`distro_redhat',`
|
||||
optional_policy(`
|
||||
@@ -133,7 +147,7 @@
|
||||
@@ -133,7 +148,7 @@
|
||||
|
||||
tunable_policy(`allow_mount_anyfile',`
|
||||
auth_read_all_dirs_except_shadow(mount_t)
|
||||
|
|
@ -23853,7 +23929,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
files_mounton_non_security(mount_t)
|
||||
')
|
||||
|
||||
@@ -164,6 +178,8 @@
|
||||
@@ -164,6 +179,8 @@
|
||||
fs_search_rpc(mount_t)
|
||||
|
||||
rpc_stub(mount_t)
|
||||
|
|
@ -23862,7 +23938,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -171,6 +187,15 @@
|
||||
@@ -171,6 +188,15 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -23878,7 +23954,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
ifdef(`hide_broken_symptoms',`
|
||||
# for a bug in the X server
|
||||
rhgb_dontaudit_rw_stream_sockets(mount_t)
|
||||
@@ -178,6 +203,11 @@
|
||||
@@ -178,6 +204,11 @@
|
||||
')
|
||||
')
|
||||
|
||||
|
|
@ -23890,7 +23966,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
# for kernel package installation
|
||||
optional_policy(`
|
||||
rpm_rw_pipes(mount_t)
|
||||
@@ -185,6 +215,7 @@
|
||||
@@ -185,6 +216,7 @@
|
||||
|
||||
optional_policy(`
|
||||
samba_domtrans_smbmount(mount_t)
|
||||
|
|
@ -23898,7 +23974,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -195,4 +226,26 @@
|
||||
@@ -195,4 +227,26 @@
|
||||
optional_policy(`
|
||||
files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
|
||||
unconfined_domain(unconfined_mount_t)
|
||||
|
|
@ -25186,8 +25262,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.6.2/policy/modules/system/unconfined.fc
|
||||
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2008-09-11 16:42:49.000000000 -0400
|
||||
+++ serefpolicy-3.6.2/policy/modules/system/unconfined.fc 2009-01-05 17:54:59.000000000 -0500
|
||||
@@ -2,15 +2,29 @@
|
||||
+++ serefpolicy-3.6.2/policy/modules/system/unconfined.fc 2009-01-08 10:06:44.000000000 -0500
|
||||
@@ -2,15 +2,28 @@
|
||||
# e.g.:
|
||||
# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
|
||||
# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
|
||||
|
|
@ -25225,7 +25301,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+/usr/lib(64)?/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
||||
+
|
||||
+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
||||
+/usr/bin/gcl -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.2/policy/modules/system/unconfined.if
|
||||
--- nsaserefpolicy/policy/modules/system/unconfined.if 2008-11-11 16:13:48.000000000 -0500
|
||||
+++ serefpolicy-3.6.2/policy/modules/system/unconfined.if 2009-01-05 17:54:59.000000000 -0500
|
||||
|
|
@ -25809,7 +25884,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.2/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-05 15:39:43.000000000 -0500
|
||||
+++ serefpolicy-3.6.2/policy/modules/system/userdomain.if 2009-01-05 17:54:59.000000000 -0500
|
||||
+++ serefpolicy-3.6.2/policy/modules/system/userdomain.if 2009-01-06 10:53:21.000000000 -0500
|
||||
@@ -30,8 +30,9 @@
|
||||
')
|
||||
|
||||
|
|
@ -26093,10 +26168,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
- gen_require(`
|
||||
- type $1_t;
|
||||
- ')
|
||||
-
|
||||
+interface(`userdom_basic_networking',`
|
||||
|
||||
- allow $1_t self:tcp_socket create_stream_socket_perms;
|
||||
- allow $1_t self:udp_socket create_socket_perms;
|
||||
+interface(`userdom_basic_networking',`
|
||||
+ allow $1 self:tcp_socket create_stream_socket_perms;
|
||||
+ allow $1 self:udp_socket create_socket_perms;
|
||||
|
||||
- corenet_all_recvfrom_unlabeled($1_t)
|
||||
- corenet_all_recvfrom_netlabel($1_t)
|
||||
|
|
@ -26108,9 +26185,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
- corenet_udp_sendrecv_all_ports($1_t)
|
||||
- corenet_tcp_connect_all_ports($1_t)
|
||||
- corenet_sendrecv_all_client_packets($1_t)
|
||||
+ allow $1 self:tcp_socket create_stream_socket_perms;
|
||||
+ allow $1 self:udp_socket create_socket_perms;
|
||||
|
||||
-
|
||||
- corenet_all_recvfrom_labeled($1_t, $1_t)
|
||||
+ corenet_all_recvfrom_unlabeled($1)
|
||||
+ corenet_all_recvfrom_netlabel($1)
|
||||
|
|
@ -26227,26 +26302,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+ kernel_get_sysvipc_info($1_usertype)
|
||||
# Find CDROM devices:
|
||||
- kernel_read_device_sysctls($1_t)
|
||||
-
|
||||
- corecmd_exec_bin($1_t)
|
||||
+ kernel_read_device_sysctls($1_usertype)
|
||||
|
||||
- corenet_udp_bind_all_nodes($1_t)
|
||||
- corenet_udp_bind_generic_port($1_t)
|
||||
- corecmd_exec_bin($1_t)
|
||||
+ corenet_udp_bind_all_nodes($1_usertype)
|
||||
+ corenet_udp_bind_generic_port($1_usertype)
|
||||
|
||||
- dev_read_rand($1_t)
|
||||
- dev_write_sound($1_t)
|
||||
- dev_read_sound($1_t)
|
||||
- dev_read_sound_mixer($1_t)
|
||||
- dev_write_sound_mixer($1_t)
|
||||
- corenet_udp_bind_all_nodes($1_t)
|
||||
- corenet_udp_bind_generic_port($1_t)
|
||||
+ dev_read_rand($1_usertype)
|
||||
+ dev_write_sound($1_usertype)
|
||||
+ dev_read_sound($1_usertype)
|
||||
+ dev_read_sound_mixer($1_usertype)
|
||||
+ dev_write_sound_mixer($1_usertype)
|
||||
|
||||
- dev_read_rand($1_t)
|
||||
- dev_write_sound($1_t)
|
||||
- dev_read_sound($1_t)
|
||||
- dev_read_sound_mixer($1_t)
|
||||
- dev_write_sound_mixer($1_t)
|
||||
-
|
||||
- files_exec_etc_files($1_t)
|
||||
- files_search_locks($1_t)
|
||||
+ files_exec_etc_files($1_usertype)
|
||||
|
|
@ -26447,16 +26522,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
- postgresql_stream_connect($1_t)
|
||||
- postgresql_tcp_connect($1_t)
|
||||
+ postgresql_stream_connect($1_usertype)
|
||||
+ ')
|
||||
')
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ # to allow monitoring of pcmcia status
|
||||
+ pcmcia_read_pid($1_usertype)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- resmgr_stream_connect($1_t)
|
||||
+ # to allow monitoring of pcmcia status
|
||||
+ pcmcia_read_pid($1_usertype)
|
||||
+ ')
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ pcscd_read_pub_files($1_usertype)
|
||||
+ pcscd_stream_connect($1_usertype)
|
||||
')
|
||||
|
|
@ -26672,11 +26747,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
auth_role($1_r, $1_t)
|
||||
- auth_search_pam_console_data($1_t)
|
||||
+ auth_search_pam_console_data($1_usertype)
|
||||
+
|
||||
+ xserver_role($1_r, $1_t)
|
||||
|
||||
- dev_read_sound($1_t)
|
||||
- dev_write_sound($1_t)
|
||||
+ xserver_role($1_r, $1_t)
|
||||
+
|
||||
+ dev_read_sound($1_usertype)
|
||||
+ dev_write_sound($1_usertype)
|
||||
# gnome keyring wants to read this.
|
||||
|
|
@ -26758,7 +26833,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
# cjp: why?
|
||||
files_read_kernel_symbol_table($1_t)
|
||||
|
||||
@@ -986,37 +1040,43 @@
|
||||
@@ -986,37 +1040,47 @@
|
||||
')
|
||||
')
|
||||
|
||||
|
|
@ -26780,22 +26855,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
optional_policy(`
|
||||
- netutils_run_ping_cond($1_t,$1_r)
|
||||
- netutils_run_traceroute_cond($1_t,$1_r)
|
||||
+ cron_role($1_r, $1_t)
|
||||
+ cdrecord_role($1_r, $1_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- postgresql_role($1_r,$1_t)
|
||||
+ games_rw_data($1_usertype)
|
||||
+ cron_role($1_r, $1_t)
|
||||
')
|
||||
|
||||
- # Run pppd in pppd_t by default for user
|
||||
optional_policy(`
|
||||
- ppp_run_cond($1_t,$1_r)
|
||||
+ gpg_role($1_r, $1_usertype)
|
||||
+ games_rw_data($1_usertype)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- setroubleshoot_stream_connect($1_t)
|
||||
+ gpg_role($1_r, $1_usertype)
|
||||
+ ')
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ java_role_template($1, $1_r, $1_t)
|
||||
+ ')
|
||||
+
|
||||
|
|
@ -26815,7 +26894,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
#######################################
|
||||
@@ -1050,7 +1110,7 @@
|
||||
@@ -1050,7 +1114,7 @@
|
||||
#
|
||||
template(`userdom_admin_user_template',`
|
||||
gen_require(`
|
||||
|
|
@ -26824,7 +26903,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
##############################
|
||||
@@ -1059,8 +1119,7 @@
|
||||
@@ -1059,8 +1123,7 @@
|
||||
#
|
||||
|
||||
# Inherit rules for ordinary users.
|
||||
|
|
@ -26834,7 +26913,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
domain_obj_id_change_exemption($1_t)
|
||||
role system_r types $1_t;
|
||||
@@ -1083,7 +1142,8 @@
|
||||
@@ -1083,7 +1146,8 @@
|
||||
# Skip authentication when pam_rootok is specified.
|
||||
allow $1_t self:passwd rootok;
|
||||
|
||||
|
|
@ -26844,7 +26923,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
kernel_read_software_raid_state($1_t)
|
||||
kernel_getattr_core_if($1_t)
|
||||
@@ -1106,8 +1166,6 @@
|
||||
@@ -1106,8 +1170,6 @@
|
||||
|
||||
dev_getattr_generic_blk_files($1_t)
|
||||
dev_getattr_generic_chr_files($1_t)
|
||||
|
|
@ -26853,7 +26932,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
# Allow MAKEDEV to work
|
||||
dev_create_all_blk_files($1_t)
|
||||
dev_create_all_chr_files($1_t)
|
||||
@@ -1162,20 +1220,6 @@
|
||||
@@ -1162,20 +1224,6 @@
|
||||
# But presently necessary for installing the file_contexts file.
|
||||
seutil_manage_bin_policy($1_t)
|
||||
|
||||
|
|
@ -26874,7 +26953,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
optional_policy(`
|
||||
postgresql_unconfined($1_t)
|
||||
')
|
||||
@@ -1221,6 +1265,7 @@
|
||||
@@ -1221,6 +1269,7 @@
|
||||
dev_relabel_all_dev_nodes($1)
|
||||
|
||||
files_create_boot_flag($1)
|
||||
|
|
@ -26882,7 +26961,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
# Necessary for managing /boot/efi
|
||||
fs_manage_dos_files($1)
|
||||
@@ -1286,11 +1331,15 @@
|
||||
@@ -1286,11 +1335,15 @@
|
||||
interface(`userdom_user_home_content',`
|
||||
gen_require(`
|
||||
type user_home_t;
|
||||
|
|
@ -26898,7 +26977,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1387,7 +1436,7 @@
|
||||
@@ -1387,7 +1440,7 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -26907,7 +26986,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1420,6 +1469,14 @@
|
||||
@@ -1420,6 +1473,14 @@
|
||||
|
||||
allow $1 user_home_dir_t:dir list_dir_perms;
|
||||
files_search_home($1)
|
||||
|
|
@ -26922,7 +27001,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1435,9 +1492,11 @@
|
||||
@@ -1435,9 +1496,11 @@
|
||||
interface(`userdom_dontaudit_list_user_home_dirs',`
|
||||
gen_require(`
|
||||
type user_home_dir_t;
|
||||
|
|
@ -26934,7 +27013,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1494,6 +1553,25 @@
|
||||
@@ -1494,6 +1557,25 @@
|
||||
allow $1 user_home_dir_t:dir relabelto;
|
||||
')
|
||||
|
||||
|
|
@ -26960,7 +27039,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
########################################
|
||||
## <summary>
|
||||
## Create directories in the home dir root with
|
||||
@@ -1547,9 +1625,9 @@
|
||||
@@ -1547,9 +1629,9 @@
|
||||
type user_home_dir_t, user_home_t;
|
||||
')
|
||||
|
||||
|
|
@ -26972,7 +27051,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1568,6 +1646,8 @@
|
||||
@@ -1568,6 +1650,8 @@
|
||||
')
|
||||
|
||||
dontaudit $1 user_home_t:dir search_dir_perms;
|
||||
|
|
@ -26981,7 +27060,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1643,6 +1723,7 @@
|
||||
@@ -1643,6 +1727,7 @@
|
||||
type user_home_dir_t, user_home_t;
|
||||
')
|
||||
|
||||
|
|
@ -26989,7 +27068,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
|
||||
files_search_home($1)
|
||||
')
|
||||
@@ -1741,6 +1822,62 @@
|
||||
@@ -1741,6 +1826,62 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -27052,7 +27131,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
## Execute user home files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1757,14 +1894,6 @@
|
||||
@@ -1757,14 +1898,6 @@
|
||||
|
||||
files_search_home($1)
|
||||
exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
|
||||
|
|
@ -27067,7 +27146,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1787,6 +1916,46 @@
|
||||
@@ -1787,6 +1920,46 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -27114,7 +27193,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
## Create, read, write, and delete files
|
||||
## in a user home subdirectory.
|
||||
## </summary>
|
||||
@@ -2819,6 +2988,24 @@
|
||||
@@ -2819,6 +2992,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -27139,7 +27218,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
## Do not audit attempts to use user ttys.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -2851,6 +3038,7 @@
|
||||
@@ -2851,6 +3042,7 @@
|
||||
')
|
||||
|
||||
read_files_pattern($1,userdomain,userdomain)
|
||||
|
|
@ -27147,7 +27226,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
kernel_search_proc($1)
|
||||
')
|
||||
|
||||
@@ -2965,6 +3153,24 @@
|
||||
@@ -2965,6 +3157,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -27172,7 +27251,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
## Send a dbus message to all user domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -2981,3 +3187,264 @@
|
||||
@@ -2981,3 +3191,264 @@
|
||||
|
||||
allow $1 userdomain:dbus send_msg;
|
||||
')
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@
|
|||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.6.2
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
|
|
@ -445,6 +445,9 @@ exit 0
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Jan 8 2009 Dan Walsh <dwalsh@redhat.com> 3.6.2-3
|
||||
- Allow cups_pdf_t write to nfs_t
|
||||
|
||||
* Tue Jan 6 2009 Dan Walsh <dwalsh@redhat.com> 3.6.2-2
|
||||
- Remove audio_entropy policy
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue