- Merge upstream changes
- Add Xavier Toth patches
parent
b844bb281b
commit
8d197ddd11
159
modules-mls.conf
159
modules-mls.conf
@ -161,7 +161,7 @@ netutils = base
|
||||
#
|
||||
# Virtual Private Networking client
|
||||
#
|
||||
vpn = base
|
||||
vpn = module
|
||||
|
||||
# Layer: admin
|
||||
# Module: su
|
||||
@ -189,7 +189,7 @@ anaconda = base
|
||||
#
|
||||
# Automated backup program.
|
||||
#
|
||||
amanda = base
|
||||
amanda = module
|
||||
|
||||
# Layer: admin
|
||||
# Module: logrotate
|
||||
@ -232,14 +232,14 @@ firstboot = base
|
||||
#
|
||||
# Digital Certificate Tracking
|
||||
#
|
||||
certwatch = base
|
||||
certwatch = module
|
||||
|
||||
# Layer: admin
|
||||
# Module: tmpreaper
|
||||
#
|
||||
# Manage temporary directory sizes and file ages
|
||||
#
|
||||
tmpreaper = base
|
||||
tmpreaper = module
|
||||
|
||||
# Layer: admin
|
||||
# Module: dmidecode
|
||||
@ -253,7 +253,7 @@ dmidecode = base
|
||||
#
|
||||
# Policy for GNU Privacy Guard and related programs.
|
||||
#
|
||||
gpg = base
|
||||
gpg = module
|
||||
|
||||
# Layer: apps
|
||||
# Module: loadkeys
|
||||
@ -267,7 +267,7 @@ loadkeys = base
|
||||
#
|
||||
# Web server log analysis
|
||||
#
|
||||
webalizer = base
|
||||
webalizer = module
|
||||
|
||||
# Layer: kernel
|
||||
# Module: bootloader
|
||||
@ -288,7 +288,7 @@ storage = base
|
||||
#
|
||||
# Policy for NIS (YP) servers and clients
|
||||
#
|
||||
nis = base
|
||||
nis = module
|
||||
|
||||
# Layer: services
|
||||
# Module: distcc
|
||||
@ -302,7 +302,7 @@ distcc = off
|
||||
#
|
||||
# Remote shell service.
|
||||
#
|
||||
rshd = base
|
||||
rshd = module
|
||||
|
||||
# Layer: services
|
||||
# Module: cpucontrol
|
||||
@ -323,35 +323,35 @@ vbetool = base
|
||||
#
|
||||
# Berkeley internet name domain DNS server.
|
||||
#
|
||||
bind = base
|
||||
bind = module
|
||||
|
||||
# Layer: services
|
||||
# Module: canna
|
||||
#
|
||||
# Canna - kana-kanji conversion server
|
||||
#
|
||||
canna = base
|
||||
canna = module
|
||||
|
||||
# Layer: services
|
||||
# Module: uucp
|
||||
#
|
||||
# Unix to Unix Copy
|
||||
#
|
||||
uucp = base
|
||||
uucp = module
|
||||
|
||||
# Layer: services
|
||||
# Module: sasl
|
||||
#
|
||||
# SASL authentication server
|
||||
#
|
||||
sasl = base
|
||||
sasl = module
|
||||
|
||||
# Layer: services
|
||||
# Module: pegasus
|
||||
#
|
||||
# The Open Group Pegasus CIM/WBEM Server.
|
||||
#
|
||||
pegasus = base
|
||||
pegasus = module
|
||||
|
||||
# Layer: services
|
||||
# Module: cron
|
||||
@ -374,7 +374,7 @@ sendmail = base
|
||||
# name Service Switch daemon for resolving names
|
||||
# from Windows NT servers.
|
||||
#
|
||||
samba = base
|
||||
samba = module
|
||||
|
||||
# Layer: services
|
||||
# Module: dbus
|
||||
@ -388,21 +388,21 @@ dbus = base
|
||||
#
|
||||
# Port of Apple Rendezvous multicast DNS
|
||||
#
|
||||
howl = base
|
||||
howl = module
|
||||
|
||||
# Layer: services
|
||||
# Module: postgresql
|
||||
#
|
||||
# PostgreSQL relational database
|
||||
#
|
||||
postgresql = base
|
||||
postgresql = module
|
||||
|
||||
# Layer: services
|
||||
# Module: snmp
|
||||
#
|
||||
# Simple network management protocol services
|
||||
#
|
||||
snmp = base
|
||||
snmp = module
|
||||
|
||||
# Layer: services
|
||||
# Module: remotelogin
|
||||
@ -430,56 +430,56 @@ irqbalance = base
|
||||
#
|
||||
# Mailman is for managing electronic mail discussion and e-newsletter lists
|
||||
#
|
||||
mailman = base
|
||||
mailman = module
|
||||
|
||||
# Layer: services
|
||||
# Module: dbskk
|
||||
#
|
||||
# Dictionary server for the SKK Japanese input method system.
|
||||
#
|
||||
dbskk = base
|
||||
dbskk = module
|
||||
|
||||
# Layer: services
|
||||
# Module: ldap
|
||||
#
|
||||
# OpenLDAP directory server
|
||||
#
|
||||
ldap = base
|
||||
ldap = module
|
||||
|
||||
# Layer: services
|
||||
# Module: tftp
|
||||
#
|
||||
# Trivial file transfer protocol daemon
|
||||
#
|
||||
tftp = base
|
||||
tftp = module
|
||||
|
||||
# Layer: services
|
||||
# Module: portmap
|
||||
#
|
||||
# RPC port mapping service.
|
||||
#
|
||||
portmap = base
|
||||
portmap = module
|
||||
|
||||
# Layer: services
|
||||
# Module: arpwatch
|
||||
#
|
||||
# Ethernet activity monitor.
|
||||
#
|
||||
arpwatch = base
|
||||
arpwatch = module
|
||||
|
||||
# Layer: services
|
||||
# Module: dovecot
|
||||
#
|
||||
# Dovecot POP and IMAP mail server
|
||||
#
|
||||
dovecot = base
|
||||
dovecot = module
|
||||
|
||||
# Layer: services
|
||||
# Module: cups
|
||||
#
|
||||
# Common UNIX printing system
|
||||
#
|
||||
cups = base
|
||||
cups = module
|
||||
|
||||
# Layer: services
|
||||
# Module: networkmanager
|
||||
@ -493,35 +493,35 @@ networkmanager = base
|
||||
#
|
||||
# Internet News NNTP server
|
||||
#
|
||||
inn = base
|
||||
inn = module
|
||||
|
||||
# Layer: services
|
||||
# Module: sysstat
|
||||
#
|
||||
# Policy for sysstat. Reports on various system states
|
||||
#
|
||||
sysstat = base
|
||||
sysstat = module
|
||||
|
||||
# Layer: services
|
||||
# Module: comsat
|
||||
#
|
||||
# Comsat, a biff server.
|
||||
#
|
||||
comsat = base
|
||||
comsat = module
|
||||
|
||||
# Layer: services
|
||||
# Module: squid
|
||||
#
|
||||
# Squid caching http proxy server
|
||||
#
|
||||
squid = base
|
||||
squid = module
|
||||
|
||||
# Layer: services
|
||||
# Module: zebra
|
||||
#
|
||||
# Zebra border gateway protocol network routing service
|
||||
#
|
||||
zebra = base
|
||||
zebra = module
|
||||
|
||||
# Layer: services
|
||||
# Module: xfs
|
||||
@ -535,35 +535,35 @@ xfs = off
|
||||
#
|
||||
# KDE Talk daemon
|
||||
#
|
||||
ktalk = base
|
||||
ktalk = module
|
||||
|
||||
# Layer: services
|
||||
# Module: procmail
|
||||
#
|
||||
# Procmail mail delivery agent
|
||||
#
|
||||
procmail = base
|
||||
procmail = module
|
||||
|
||||
# Layer: services
|
||||
# Module: lpd
|
||||
#
|
||||
# Line printer daemon
|
||||
#
|
||||
lpd = base
|
||||
lpd = module
|
||||
|
||||
# Layer: services
|
||||
# Module: cyrus
|
||||
#
|
||||
# Cyrus is an IMAP service intended to be run on sealed servers
|
||||
#
|
||||
cyrus = base
|
||||
cyrus = module
|
||||
|
||||
# Layer: services
|
||||
# Module: rdisc
|
||||
#
|
||||
# Network router discovery daemon
|
||||
#
|
||||
rdisc = base
|
||||
rdisc = module
|
||||
|
||||
# Layer: services
|
||||
# Module: xserver
|
||||
@ -584,21 +584,21 @@ nscd = base
|
||||
#
|
||||
# Point to Point Protocol daemon creates links in ppp networks
|
||||
#
|
||||
ppp = base
|
||||
ppp = module
|
||||
|
||||
# Layer: services
|
||||
# Module: ftp
|
||||
#
|
||||
# File transfer protocol service
|
||||
#
|
||||
ftp = base
|
||||
ftp = module
|
||||
|
||||
# Layer: services
|
||||
# Module: gpm
|
||||
#
|
||||
# General Purpose Mouse driver
|
||||
#
|
||||
gpm = base
|
||||
gpm = module
|
||||
|
||||
# Layer: services
|
||||
# Module: mta
|
||||
@ -612,28 +612,28 @@ mta = base
|
||||
#
|
||||
# Postfix email server
|
||||
#
|
||||
postfix = base
|
||||
postfix = module
|
||||
|
||||
# Layer: services
|
||||
# Module: fetchmail
|
||||
#
|
||||
# Remote-mail retrieval and forwarding utility
|
||||
#
|
||||
fetchmail = base
|
||||
fetchmail = module
|
||||
|
||||
# Layer: services
|
||||
# Module: ntp
|
||||
#
|
||||
# Network time protocol daemon
|
||||
#
|
||||
ntp = base
|
||||
ntp = module
|
||||
|
||||
# Layer: services
|
||||
# Module: bluetooth
|
||||
#
|
||||
# Bluetooth tools and system services.
|
||||
#
|
||||
bluetooth = base
|
||||
bluetooth = module
|
||||
|
||||
# Layer: services
|
||||
# Module: hal
|
||||
@ -647,7 +647,7 @@ hal = base
|
||||
#
|
||||
# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture
|
||||
#
|
||||
avahi = base
|
||||
avahi = module
|
||||
|
||||
# Layer: services
|
||||
# Module: rpc
|
||||
@ -661,35 +661,35 @@ rpc = base
|
||||
#
|
||||
# Apache web server
|
||||
#
|
||||
apache = base
|
||||
apache = module
|
||||
|
||||
# Layer: services
|
||||
# Module: rsync
|
||||
#
|
||||
# Fast incremental file transfer for synchronization
|
||||
#
|
||||
rsync = base
|
||||
rsync = module
|
||||
|
||||
# Layer: services
|
||||
# Module: automount
|
||||
#
|
||||
# Filesystem automounter service.
|
||||
#
|
||||
automount = base
|
||||
automount = module
|
||||
|
||||
# Layer: services
|
||||
# Module: kerberos
|
||||
#
|
||||
# MIT Kerberos admin and KDC
|
||||
#
|
||||
kerberos = base
|
||||
kerberos = module
|
||||
|
||||
# Layer: services
|
||||
# Module: dhcp
|
||||
#
|
||||
# Dynamic host configuration protocol (DHCP) server
|
||||
#
|
||||
dhcp = base
|
||||
dhcp = module
|
||||
|
||||
# Layer: services
|
||||
# Module: ssh
|
||||
@ -710,42 +710,42 @@ inetd = base
|
||||
#
|
||||
# Policy for MySQL
|
||||
#
|
||||
mysql = base
|
||||
mysql = module
|
||||
|
||||
# Layer: services
|
||||
# Module: dictd
|
||||
#
|
||||
# Dictionary daemon
|
||||
#
|
||||
dictd = base
|
||||
dictd = module
|
||||
|
||||
# Layer: services
|
||||
# Module: finger
|
||||
#
|
||||
# Finger user information service.
|
||||
#
|
||||
finger = base
|
||||
finger = module
|
||||
|
||||
# Layer: services
|
||||
# Module: radius
|
||||
#
|
||||
# RADIUS authentication and accounting server.
|
||||
#
|
||||
radius = base
|
||||
radius = module
|
||||
|
||||
# Layer: services
|
||||
# Module: spamassassin
|
||||
#
|
||||
# Filter used for removing unsolicited email.
|
||||
#
|
||||
spamassassin = base
|
||||
spamassassin = module
|
||||
|
||||
# Layer: services
|
||||
# Module: radvd
|
||||
#
|
||||
# IPv6 router advertisement daemon
|
||||
#
|
||||
radvd = base
|
||||
radvd = module
|
||||
|
||||
# Layer: services
|
||||
# Module: apm
|
||||
@ -767,35 +767,35 @@ application = base
|
||||
#
|
||||
# Policy for TCP daemon.
|
||||
#
|
||||
tcpd = base
|
||||
tcpd = module
|
||||
|
||||
# Layer: services
|
||||
# Module: stunnel
|
||||
#
|
||||
# SSL Tunneling Proxy
|
||||
#
|
||||
stunnel = base
|
||||
stunnel = module
|
||||
|
||||
# Layer: services
|
||||
# Module: privoxy
|
||||
#
|
||||
# Privacy enhancing web proxy.
|
||||
#
|
||||
privoxy = base
|
||||
privoxy = module
|
||||
|
||||
# Layer: services
|
||||
# Module: cvs
|
||||
#
|
||||
# Concurrent versions system
|
||||
#
|
||||
cvs = base
|
||||
cvs = module
|
||||
|
||||
# Layer: services
|
||||
# Module: rlogin
|
||||
#
|
||||
# Remote login daemon
|
||||
#
|
||||
rlogin = base
|
||||
rlogin = module
|
||||
|
||||
# Layer: system
|
||||
# Module: application
|
||||
@ -965,7 +965,7 @@ miscfiles = base
|
||||
#
|
||||
# TCP/IP encryption
|
||||
#
|
||||
ipsec = base
|
||||
ipsec = module
|
||||
|
||||
# Layer: apps
|
||||
# Module: java
|
||||
@ -986,7 +986,7 @@ prelink = base
|
||||
#
|
||||
# locate executable
|
||||
#
|
||||
slocate = base
|
||||
slocate = module
|
||||
|
||||
# Layer: services
|
||||
# Module: logwatch
|
||||
@ -1008,14 +1008,14 @@ setrans = base
|
||||
#
|
||||
# Policy for OPENVPN full-featured SSL VPN solution
|
||||
#
|
||||
openvpn = base
|
||||
openvpn = module
|
||||
|
||||
# Layer: services
|
||||
# Module: smartmon
|
||||
#
|
||||
# Smart disk monitoring daemon policy
|
||||
#
|
||||
smartmon = base
|
||||
smartmon = module
|
||||
|
||||
# Layer: system
|
||||
# Module: netlabel
|
||||
@ -1023,14 +1023,14 @@ smartmon = base
|
||||
#
|
||||
# Basic netlabel types and interfaces.
|
||||
#
|
||||
netlabel = base
|
||||
netlabel = module
|
||||
|
||||
# Layer: services
|
||||
# Module: aide
|
||||
#
|
||||
# Policy for aide
|
||||
#
|
||||
aide = base
|
||||
aide = module
|
||||
|
||||
# Layer: service
|
||||
# Module: pcscd
|
||||
@ -1131,16 +1131,31 @@ courier = module
|
||||
rpcbind = module
|
||||
|
||||
|
||||
# Layer: services
|
||||
# Module: xserver
|
||||
#
|
||||
# X windows login display manager
|
||||
#
|
||||
xserver = module
|
||||
|
||||
# Layer: apps
|
||||
# Module: wm
|
||||
#
|
||||
# X windows window manager
|
||||
#
|
||||
wm = module
|
||||
|
||||
# Layer: services
|
||||
# Module: virt
|
||||
#
|
||||
# Virtualization libraries
|
||||
#
|
||||
virt = module
|
||||
|
||||
# Layer: apps
|
||||
# Module: qemu
|
||||
#
|
||||
# Virtualization emulator
|
||||
#
|
||||
qemu = module
|
||||
|
||||
# Layer: system
|
||||
# Module: brctl
|
||||
#
|
||||
# Utilities for configuring the linux ethernet bridge
|
||||
#
|
||||
brctl = base
|
||||
|
||||
|
@ -108,7 +108,7 @@ authlogin = base
|
||||
#
|
||||
# Filesystem automounter service.
|
||||
#
|
||||
automount = base
|
||||
automount = module
|
||||
|
||||
# Layer: services
|
||||
# Module: avahi
|
||||
@ -331,7 +331,7 @@ devices = base
|
||||
#
|
||||
# Dynamic host configuration protocol (DHCP) server
|
||||
#
|
||||
dhcp = base
|
||||
dhcp = module
|
||||
|
||||
# Layer: services
|
||||
# Module: dictd
|
||||
@ -374,7 +374,7 @@ domain = base
|
||||
#
|
||||
# Dovecot POP and IMAP mail server
|
||||
#
|
||||
dovecot = base
|
||||
dovecot = module
|
||||
|
||||
# Layer: apps
|
||||
# Module: gpg
|
||||
@ -489,7 +489,7 @@ gnomeclock = module
|
||||
#
|
||||
# Hardware abstraction layer
|
||||
#
|
||||
hal = module
|
||||
hal = base
|
||||
|
||||
# Layer: services
|
||||
# Module: polkit
|
||||
@ -741,7 +741,7 @@ modutils = base
|
||||
#
|
||||
# mono executable
|
||||
#
|
||||
mono = base
|
||||
mono = module
|
||||
|
||||
# Layer: system
|
||||
# Module: mount
|
||||
@ -785,7 +785,6 @@ gpg = module
|
||||
#
|
||||
mrtg = module
|
||||
|
||||
|
||||
# Layer: services
|
||||
# Module: mta
|
||||
#
|
||||
@ -985,7 +984,7 @@ qmail = module
|
||||
#
|
||||
# File system quota management
|
||||
#
|
||||
quota = off
|
||||
quota = base
|
||||
|
||||
# Layer: system
|
||||
# Module: raid
|
||||
@ -1027,7 +1026,7 @@ readahead = base
|
||||
#
|
||||
# X windows login display manager
|
||||
#
|
||||
rhgb = base
|
||||
rhgb = module
|
||||
|
||||
# Layer: services
|
||||
# Module: rdisc
|
||||
@ -1041,7 +1040,7 @@ rdisc = module
|
||||
#
|
||||
# Policy for rshd, rlogind, and telnetd.
|
||||
#
|
||||
remotelogin = module
|
||||
remotelogin = base
|
||||
|
||||
# Layer: services
|
||||
# Module: ricci
|
||||
@ -1446,7 +1445,7 @@ updfstab = base
|
||||
#
|
||||
# Virtual Private Networking client
|
||||
#
|
||||
vpn = base
|
||||
vpn = module
|
||||
|
||||
# Layer: admin
|
||||
# Module: vbetool
|
||||
@ -1663,3 +1662,12 @@ snort = module
|
||||
# high-performance memory object caching system
|
||||
#
|
||||
memcached = module
|
||||
|
||||
# Layer: system
|
||||
# Module: netlabel
|
||||
# Required in base
|
||||
#
|
||||
# Basic netlabel types and interfaces.
|
||||
#
|
||||
netlabel = module
|
||||
|
||||
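Review bot: The netlabel block in the last hunk of this file (-1663) puts the comment `# Required in base` directly above `netlabel = module`, so the comment and the setting contradict each other. Either the value should be `netlabel = base`, or the comment should be dropped and replaced with one that says why a loadable module is acceptable here, for example `# Loadable: labeled networking is optional in this policy type`. The modules-mls.conf hunk at -1023 shows the same entry as both `netlabel = base` and `netlabel = module`, and the page does not mark which side is new. If the MLS build ends up with `module`, the same question applies there, because a loadable module can be removed after install. This file's header line is not shown on the page, so the file name is not confirmed.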
|
@ -26600,7 +26600,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.5.8/policy/modules/services/ssh.if
|
||||
--- nsaserefpolicy/policy/modules/services/ssh.if 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/services/ssh.if 2008-09-17 08:49:09.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/services/ssh.if 2008-09-18 08:51:19.000000000 -0400
|
||||
@@ -36,6 +36,7 @@
|
||||
gen_require(`
|
||||
attribute ssh_server;
|
||||
@ -26660,15 +26660,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
corenet_all_recvfrom_unlabeled($1_ssh_t)
|
||||
corenet_all_recvfrom_netlabel($1_ssh_t)
|
||||
@@ -115,6 +118,7 @@
|
||||
@@ -115,6 +118,8 @@
|
||||
corenet_tcp_sendrecv_all_ports($1_ssh_t)
|
||||
corenet_tcp_connect_ssh_port($1_ssh_t)
|
||||
corenet_sendrecv_ssh_client_packets($1_ssh_t)
|
||||
+ corenet_tcp_bind_all_nodes($1_ssh_t)
|
||||
+ corenet_tcp_bind_all_unreserved_ports($1_ssh_t)
|
||||
|
||||
dev_read_urand($1_ssh_t)
|
||||
|
||||
@@ -212,7 +216,7 @@
|
||||
@@ -212,7 +217,7 @@
|
||||
|
||||
ssh_basic_client_template($1, $2, $3)
|
||||
|
||||
@ -26677,7 +26678,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
type $1_ssh_agent_t;
|
||||
application_domain($1_ssh_agent_t, ssh_agent_exec_t)
|
||||
@@ -240,9 +244,9 @@
|
||||
@@ -240,9 +245,9 @@
|
||||
manage_sock_files_pattern($1_ssh_t, $1_ssh_tmpfs_t, $1_ssh_tmpfs_t)
|
||||
fs_tmpfs_filetrans($1_ssh_t, $1_ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })
|
||||
|
||||
@ -26690,7 +26691,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# Allow the ssh program to communicate with ssh-agent.
|
||||
stream_connect_pattern($1_ssh_t, $1_ssh_agent_tmp_t, $1_ssh_agent_tmp_t, $1_ssh_agent_t)
|
||||
@@ -254,6 +258,8 @@
|
||||
@@ -254,6 +259,8 @@
|
||||
userdom_use_unpriv_users_fds($1_ssh_t)
|
||||
userdom_dontaudit_list_user_home_dirs($1,$1_ssh_t)
|
||||
userdom_search_user_home_dirs($1,$1_ssh_t)
|
||||
@ -26699,7 +26700,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# Write to the user domain tty.
|
||||
userdom_use_user_terminals($1,$1_ssh_t)
|
||||
# needs to read krb tgt
|
||||
@@ -282,21 +288,10 @@
|
||||
@@ -282,21 +289,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -26722,7 +26723,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
##############################
|
||||
#
|
||||
# $1_ssh_agent_t local policy
|
||||
@@ -383,10 +378,6 @@
|
||||
@@ -383,10 +379,6 @@
|
||||
xserver_rw_xdm_pipes($1_ssh_agent_t)
|
||||
')
|
||||
|
||||
@ -26733,7 +26734,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
##############################
|
||||
#
|
||||
# $1_ssh_keysign_t local policy
|
||||
@@ -413,6 +404,25 @@
|
||||
@@ -413,6 +405,25 @@
|
||||
')
|
||||
')
|
||||
|
||||
@ -26759,7 +26760,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
#######################################
|
||||
## <summary>
|
||||
## The template to define a ssh server.
|
||||
@@ -443,13 +453,14 @@
|
||||
@@ -443,13 +454,14 @@
|
||||
type $1_var_run_t;
|
||||
files_pid_file($1_var_run_t)
|
||||
|
||||
@ -26775,7 +26776,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
|
||||
term_create_pty($1_t,$1_devpts_t)
|
||||
@@ -479,6 +490,10 @@
|
||||
@@ -479,6 +491,10 @@
|
||||
corenet_tcp_bind_ssh_port($1_t)
|
||||
corenet_tcp_connect_all_ports($1_t)
|
||||
corenet_sendrecv_ssh_server_packets($1_t)
|
||||
@ -26786,7 +26787,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
fs_dontaudit_getattr_all_fs($1_t)
|
||||
|
||||
@@ -506,9 +521,14 @@
|
||||
@@ -506,9 +522,14 @@
|
||||
|
||||
userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t)
|
||||
userdom_search_all_users_home_dirs($1_t)
|
||||
@ -26801,7 +26802,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
@@ -517,11 +537,7 @@
|
||||
@@ -517,11 +538,7 @@
|
||||
|
||||
optional_policy(`
|
||||
kerberos_use($1_t)
|
||||
@ -26814,7 +26815,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -710,3 +726,22 @@
|
||||
@@ -710,3 +727,22 @@
|
||||
|
||||
dontaudit $1 sshd_key_t:file { getattr read };
|
||||
')
|
||||
|
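Review bot: In the ssh.if client-template hunk at -115, `corenet_tcp_bind_all_nodes($1_ssh_t)` and `corenet_tcp_bind_all_unreserved_ports($1_ssh_t)` are granted unconditionally, so every domain built from this template may listen on any unreserved TCP port whether or not it needs to. The inner hunk header grows from 118,7 to 118,8, so one of the two lines is new in this commit, though the page does not mark which. If the rule exists for local port forwarding (an assumption; the patch gives no reason), it would be better wrapped in a tunable_policy block whose boolean defaults to off for the MLS build. A comment such as `# bind is needed for ssh -L/-D listeners` should state the purpose. The template body starts and ends outside this hunk.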