- Merge upstream changes

- Add Xavier Toth patches
This commit is contained in:
Daniel J Walsh 2008-09-18 14:19:06 +00:00
parent b844bb281b
commit 8d197ddd11
3 changed files with 119 additions and 95 deletions


@ -161,7 +161,7 @@ netutils = base
#
# Virtual Private Networking client
#
vpn = base
vpn = module
# Layer: admin
# Module: su
@ -189,7 +189,7 @@ anaconda = base
#
# Automated backup program.
#
amanda = base
amanda = module
# Layer: admin
# Module: logrotate
@ -232,14 +232,14 @@ firstboot = base
#
# Digital Certificate Tracking
#
certwatch = base
certwatch = module
# Layer: admin
# Module: tmpreaper
#
# Manage temporary directory sizes and file ages
#
tmpreaper = base
tmpreaper = module
# Layer: admin
# Module: dmidecode
@ -253,7 +253,7 @@ dmidecode = base
#
# Policy for GNU Privacy Guard and related programs.
#
gpg = base
gpg = module
# Layer: apps
# Module: loadkeys
@ -267,7 +267,7 @@ loadkeys = base
#
# Web server log analysis
#
webalizer = base
webalizer = module
# Layer: kernel
# Module: bootloader
@ -288,7 +288,7 @@ storage = base
#
# Policy for NIS (YP) servers and clients
#
nis = base
nis = module
# Layer: services
# Module: distcc
@ -302,7 +302,7 @@ distcc = off
#
# Remote shell service.
#
rshd = base
rshd = module
# Layer: services
# Module: cpucontrol
@ -323,35 +323,35 @@ vbetool = base
#
# Berkeley internet name domain DNS server.
#
bind = base
bind = module
# Layer: services
# Module: canna
#
# Canna - kana-kanji conversion server
#
canna = base
canna = module
# Layer: services
# Module: uucp
#
# Unix to Unix Copy
#
uucp = base
uucp = module
# Layer: services
# Module: sasl
#
# SASL authentication server
#
sasl = base
sasl = module
# Layer: services
# Module: pegasus
#
# The Open Group Pegasus CIM/WBEM Server.
#
pegasus = base
pegasus = module
# Layer: services
# Module: cron
@ -374,7 +374,7 @@ sendmail = base
# name Service Switch daemon for resolving names
# from Windows NT servers.
#
samba = base
samba = module
# Layer: services
# Module: dbus
@ -388,21 +388,21 @@ dbus = base
#
# Port of Apple Rendezvous multicast DNS
#
howl = base
howl = module
# Layer: services
# Module: postgresql
#
# PostgreSQL relational database
#
postgresql = base
postgresql = module
# Layer: services
# Module: snmp
#
# Simple network management protocol services
#
snmp = base
snmp = module
# Layer: services
# Module: remotelogin
@ -430,56 +430,56 @@ irqbalance = base
#
# Mailman is for managing electronic mail discussion and e-newsletter lists
#
mailman = base
mailman = module
# Layer: services
# Module: dbskk
#
# Dictionary server for the SKK Japanese input method system.
#
dbskk = base
dbskk = module
# Layer: services
# Module: ldap
#
# OpenLDAP directory server
#
ldap = base
ldap = module
# Layer: services
# Module: tftp
#
# Trivial file transfer protocol daemon
#
tftp = base
tftp = module
# Layer: services
# Module: portmap
#
# RPC port mapping service.
#
portmap = base
portmap = module
# Layer: services
# Module: arpwatch
#
# Ethernet activity monitor.
#
arpwatch = base
arpwatch = module
# Layer: services
# Module: dovecot
#
# Dovecot POP and IMAP mail server
#
dovecot = base
dovecot = module
# Layer: services
# Module: cups
#
# Common UNIX printing system
#
cups = base
cups = module
# Layer: services
# Module: networkmanager
@ -493,35 +493,35 @@ networkmanager = base
#
# Internet News NNTP server
#
inn = base
inn = module
# Layer: services
# Module: sysstat
#
# Policy for sysstat. Reports on various system states
#
sysstat = base
sysstat = module
# Layer: services
# Module: comsat
#
# Comsat, a biff server.
#
comsat = base
comsat = module
# Layer: services
# Module: squid
#
# Squid caching http proxy server
#
squid = base
squid = module
# Layer: services
# Module: zebra
#
# Zebra border gateway protocol network routing service
#
zebra = base
zebra = module
# Layer: services
# Module: xfs
@ -535,35 +535,35 @@ xfs = off
#
# KDE Talk daemon
#
ktalk = base
ktalk = module
# Layer: services
# Module: procmail
#
# Procmail mail delivery agent
#
procmail = base
procmail = module
# Layer: services
# Module: lpd
#
# Line printer daemon
#
lpd = base
lpd = module
# Layer: services
# Module: cyrus
#
# Cyrus is an IMAP service intended to be run on sealed servers
#
cyrus = base
cyrus = module
# Layer: services
# Module: rdisc
#
# Network router discovery daemon
#
rdisc = base
rdisc = module
# Layer: services
# Module: xserver
@ -584,21 +584,21 @@ nscd = base
#
# Point to Point Protocol daemon creates links in ppp networks
#
ppp = base
ppp = module
# Layer: services
# Module: ftp
#
# File transfer protocol service
#
ftp = base
ftp = module
# Layer: services
# Module: gpm
#
# General Purpose Mouse driver
#
gpm = base
gpm = module
# Layer: services
# Module: mta
@ -612,28 +612,28 @@ mta = base
#
# Postfix email server
#
postfix = base
postfix = module
# Layer: services
# Module: fetchmail
#
# Remote-mail retrieval and forwarding utility
#
fetchmail = base
fetchmail = module
# Layer: services
# Module: ntp
#
# Network time protocol daemon
#
ntp = base
ntp = module
# Layer: services
# Module: bluetooth
#
# Bluetooth tools and system services.
#
bluetooth = base
bluetooth = module
# Layer: services
# Module: hal
@ -647,7 +647,7 @@ hal = base
#
# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture
#
avahi = base
avahi = module
# Layer: services
# Module: rpc
@ -661,35 +661,35 @@ rpc = base
#
# Apache web server
#
apache = base
apache = module
# Layer: services
# Module: rsync
#
# Fast incremental file transfer for synchronization
#
rsync = base
rsync = module
# Layer: services
# Module: automount
#
# Filesystem automounter service.
#
automount = base
automount = module
# Layer: services
# Module: kerberos
#
# MIT Kerberos admin and KDC
#
kerberos = base
kerberos = module
# Layer: services
# Module: dhcp
#
# Dynamic host configuration protocol (DHCP) server
#
dhcp = base
dhcp = module
# Layer: services
# Module: ssh
@ -710,42 +710,42 @@ inetd = base
#
# Policy for MySQL
#
mysql = base
mysql = module
# Layer: services
# Module: dictd
#
# Dictionary daemon
#
dictd = base
dictd = module
# Layer: services
# Module: finger
#
# Finger user information service.
#
finger = base
finger = module
# Layer: services
# Module: radius
#
# RADIUS authentication and accounting server.
#
radius = base
radius = module
# Layer: services
# Module: spamassassin
#
# Filter used for removing unsolicited email.
#
spamassassin = base
spamassassin = module
# Layer: services
# Module: radvd
#
# IPv6 router advertisement daemon
#
radvd = base
radvd = module
# Layer: services
# Module: apm
@ -767,35 +767,35 @@ application = base
#
# Policy for TCP daemon.
#
tcpd = base
tcpd = module
# Layer: services
# Module: stunnel
#
# SSL Tunneling Proxy
#
stunnel = base
stunnel = module
# Layer: services
# Module: privoxy
#
# Privacy enhancing web proxy.
#
privoxy = base
privoxy = module
# Layer: services
# Module: cvs
#
# Concurrent versions system
#
cvs = base
cvs = module
# Layer: services
# Module: rlogin
#
# Remote login daemon
#
rlogin = base
rlogin = module
# Layer: system
# Module: application
@ -965,7 +965,7 @@ miscfiles = base
#
# TCP/IP encryption
#
ipsec = base
ipsec = module
# Layer: apps
# Module: java
@ -986,7 +986,7 @@ prelink = base
#
# locate executable
#
slocate = base
slocate = module
# Layer: services
# Module: logwatch
@ -1008,14 +1008,14 @@ setrans = base
#
# Policy for OPENVPN full-featured SSL VPN solution
#
openvpn = base
openvpn = module
# Layer: services
# Module: smartmon
#
# Smart disk monitoring daemon policy
#
smartmon = base
smartmon = module
# Layer: system
# Module: netlabel
@ -1023,14 +1023,14 @@ smartmon = base
#
# Basic netlabel types and interfaces.
#
netlabel = base
netlabel = module
# Layer: services
# Module: aide
#
# Policy for aide
#
aide = base
aide = module
# Layer: service
# Module: pcscd
@ -1131,16 +1131,31 @@ courier = module
rpcbind = module
# Layer: services
# Module: xserver
#
# X windows login display manager
#
xserver = module
# Layer: apps
# Module: wm
#
# X windows window manager
#
wm = module
# Layer: services
# Module: virt
#
# Virtualization libraries
#
virt = module
# Layer: apps
# Module: qemu
#
# Virtualization emulator
#
qemu = module
# Layer: system
# Module: brctl
#
# Utilities for configuring the linux ethernet bridge
#
brctl = base
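Review bot: The netlabel entry in the `@ -1023,14 +1023,14 @@` hunk (`netlabel = base` / `netlabel = module`) appears to switch netlabel to a loadable module, yet the second file's new `netlabel` entry in its `@ -1663,3 +1662,12 @@` hunk carries the comment `# Required in base` directly above `netlabel = module`; one of the two is wrong. The rendered page has lost the +/- markers, so the direction of the pair is inferred from print order only, but the contradiction holds either way: either the "Required in base" comment is stale and should be dropped, or the value should stay `netlabel = base` in both files. Since the base build depends on whatever the kernel-layer modules require, confirm that a base policy still links with netlabel built as a module before relying on this. The same comment/value mismatch applies to both files, so fix them together rather than in one place.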


@ -108,7 +108,7 @@ authlogin = base
#
# Filesystem automounter service.
#
automount = base
automount = module
# Layer: services
# Module: avahi
@ -331,7 +331,7 @@ devices = base
#
# Dynamic host configuration protocol (DHCP) server
#
dhcp = base
dhcp = module
# Layer: services
# Module: dictd
@ -374,7 +374,7 @@ domain = base
#
# Dovecot POP and IMAP mail server
#
dovecot = base
dovecot = module
# Layer: apps
# Module: gpg
@ -489,7 +489,7 @@ gnomeclock = module
#
# Hardware abstraction layer
#
hal = module
hal = base
# Layer: services
# Module: polkit
@ -741,7 +741,7 @@ modutils = base
#
# mono executable
#
mono = base
mono = module
# Layer: system
# Module: mount
@ -785,7 +785,6 @@ gpg = module
#
mrtg = module
# Layer: services
# Module: mta
#
@ -985,7 +984,7 @@ qmail = module
#
# File system quota management
#
quota = off
quota = base
# Layer: system
# Module: raid
@ -1027,7 +1026,7 @@ readahead = base
#
# X windows login display manager
#
rhgb = base
rhgb = module
# Layer: services
# Module: rdisc
@ -1041,7 +1040,7 @@ rdisc = module
#
# Policy for rshd, rlogind, and telnetd.
#
remotelogin = module
remotelogin = base
# Layer: services
# Module: ricci
@ -1446,7 +1445,7 @@ updfstab = base
#
# Virtual Private Networking client
#
vpn = base
vpn = module
# Layer: admin
# Module: vbetool
@ -1663,3 +1662,12 @@ snort = module
# high-performance memory object caching system
#
memcached = module
# Layer: system
# Module: netlabel
# Required in base
#
# Basic netlabel types and interfaces.
#
netlabel = module


@ -26600,7 +26600,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.5.8/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/ssh.if 2008-09-17 08:49:09.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/ssh.if 2008-09-18 08:51:19.000000000 -0400
@@ -36,6 +36,7 @@
gen_require(`
attribute ssh_server;
@ -26660,15 +26660,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled($1_ssh_t)
corenet_all_recvfrom_netlabel($1_ssh_t)
@@ -115,6 +118,7 @@
@@ -115,6 +118,8 @@
corenet_tcp_sendrecv_all_ports($1_ssh_t)
corenet_tcp_connect_ssh_port($1_ssh_t)
corenet_sendrecv_ssh_client_packets($1_ssh_t)
+ corenet_tcp_bind_all_nodes($1_ssh_t)
+ corenet_tcp_bind_all_unreserved_ports($1_ssh_t)
dev_read_urand($1_ssh_t)
@@ -212,7 +216,7 @@
@@ -212,7 +217,7 @@
ssh_basic_client_template($1, $2, $3)
@ -26677,7 +26678,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type $1_ssh_agent_t;
application_domain($1_ssh_agent_t, ssh_agent_exec_t)
@@ -240,9 +244,9 @@
@@ -240,9 +245,9 @@
manage_sock_files_pattern($1_ssh_t, $1_ssh_tmpfs_t, $1_ssh_tmpfs_t)
fs_tmpfs_filetrans($1_ssh_t, $1_ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })
@ -26690,7 +26691,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Allow the ssh program to communicate with ssh-agent.
stream_connect_pattern($1_ssh_t, $1_ssh_agent_tmp_t, $1_ssh_agent_tmp_t, $1_ssh_agent_t)
@@ -254,6 +258,8 @@
@@ -254,6 +259,8 @@
userdom_use_unpriv_users_fds($1_ssh_t)
userdom_dontaudit_list_user_home_dirs($1,$1_ssh_t)
userdom_search_user_home_dirs($1,$1_ssh_t)
@ -26699,7 +26700,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Write to the user domain tty.
userdom_use_user_terminals($1,$1_ssh_t)
# needs to read krb tgt
@@ -282,21 +288,10 @@
@@ -282,21 +289,10 @@
')
optional_policy(`
@ -26722,7 +26723,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##############################
#
# $1_ssh_agent_t local policy
@@ -383,10 +378,6 @@
@@ -383,10 +379,6 @@
xserver_rw_xdm_pipes($1_ssh_agent_t)
')
@ -26733,7 +26734,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##############################
#
# $1_ssh_keysign_t local policy
@@ -413,6 +404,25 @@
@@ -413,6 +405,25 @@
')
')
@ -26759,7 +26760,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#######################################
## <summary>
## The template to define a ssh server.
@@ -443,13 +453,14 @@
@@ -443,13 +454,14 @@
type $1_var_run_t;
files_pid_file($1_var_run_t)
@ -26775,7 +26776,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
term_create_pty($1_t,$1_devpts_t)
@@ -479,6 +490,10 @@
@@ -479,6 +491,10 @@
corenet_tcp_bind_ssh_port($1_t)
corenet_tcp_connect_all_ports($1_t)
corenet_sendrecv_ssh_server_packets($1_t)
@ -26786,7 +26787,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_dontaudit_getattr_all_fs($1_t)
@@ -506,9 +521,14 @@
@@ -506,9 +522,14 @@
userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t)
userdom_search_all_users_home_dirs($1_t)
@ -26801,7 +26802,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
tunable_policy(`use_samba_home_dirs',`
@@ -517,11 +537,7 @@
@@ -517,11 +538,7 @@
optional_policy(`
kerberos_use($1_t)
@ -26814,7 +26815,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -710,3 +726,22 @@
@@ -710,3 +727,22 @@
dontaudit $1 sshd_key_t:file { getattr read };
')
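Review bot: The inner `@@ -115,6 +118,8 @@` hunk of ssh.if adds `corenet_tcp_bind_all_nodes($1_ssh_t)` and `corenet_tcp_bind_all_unreserved_ports($1_ssh_t)` to the per-user ssh client domain with no comment, which lets every user's ssh client listen on any unreserved TCP port; a widening of that size should state its reason in the policy. Presumably this is for local port forwarding (`ssh -L`/`-D`), which does need a listening socket, but that is not visible on the page, so I would add `# listens on a local unreserved port for forwarding (-L/-D) — confirm use case` above the two calls and, if a narrower port class covers the need, prefer it over all unreserved ports. The `@ -26786,7 +26787,7 @@` and `@@ -710,3 +727,22 @@` hunks add lines to the server template that are not shown here, and the ssh client template these lines sit in both starts and ends outside the hunk.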