- Fixes from yum-cron
- Update to latest upstream
parent
b0260f2000
commit
8d4af9d064
@ -262,3 +262,7 @@ allow_postfix_local_write_mail_spool=true
|
|||||||
# Allow common users to read/write noexattrfile systems
|
# Allow common users to read/write noexattrfile systems
|
||||||
#
|
#
|
||||||
user_rw_noexattrfile=true
|
user_rw_noexattrfile=true
|
||||||
|
|
||||||
|
# Allow qemu to connect fully to the network
|
||||||
|
#
|
||||||
|
allow_qemu_full_network=true
|
||||||
|
@ -1976,7 +1976,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc s
|
|||||||
+/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
|
+/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.2.9/policy/modules/apps/gpg.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.2.9/policy/modules/apps/gpg.if
|
||||||
--- nsaserefpolicy/policy/modules/apps/gpg.if 2007-07-23 10:20:12.000000000 -0400
|
--- nsaserefpolicy/policy/modules/apps/gpg.if 2007-07-23 10:20:12.000000000 -0400
|
||||||
+++ serefpolicy-3.2.9/policy/modules/apps/gpg.if 2008-02-20 14:28:23.000000000 -0500
|
+++ serefpolicy-3.2.9/policy/modules/apps/gpg.if 2008-02-20 17:37:31.000000000 -0500
|
||||||
@@ -38,6 +38,10 @@
|
@@ -38,6 +38,10 @@
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type gpg_exec_t, gpg_helper_exec_t;
|
type gpg_exec_t, gpg_helper_exec_t;
|
||||||
@ -1988,7 +1988,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -45,275 +49,53 @@
|
@@ -45,275 +49,56 @@
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -2174,6 +2174,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s
|
|||||||
- manage_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
|
- manage_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
|
||||||
- manage_lnk_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
|
- manage_lnk_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
|
||||||
+ allow $2 gpg_t:process signal_perms;
|
+ allow $2 gpg_t:process signal_perms;
|
||||||
|
+ # Thunderbird leaks descriptors
|
||||||
|
+ dontaudit gpg_t $2:tcp_socket rw_socket_perms;
|
||||||
|
+ dontaudit gpg_t $2:udp_socket rw_socket_perms;
|
||||||
|
|
||||||
- # allow gpg to connect to the gpg agent
|
- # allow gpg to connect to the gpg agent
|
||||||
- stream_connect_pattern($1_gpg_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t,$1_gpg_agent_t)
|
- stream_connect_pattern($1_gpg_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t,$1_gpg_agent_t)
|
||||||
@ -2294,8 +2297,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s
|
|||||||
########################################
|
########################################
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.2.9/policy/modules/apps/gpg.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.2.9/policy/modules/apps/gpg.te
|
||||||
--- nsaserefpolicy/policy/modules/apps/gpg.te 2007-12-19 05:32:09.000000000 -0500
|
--- nsaserefpolicy/policy/modules/apps/gpg.te 2007-12-19 05:32:09.000000000 -0500
|
||||||
+++ serefpolicy-3.2.9/policy/modules/apps/gpg.te 2008-02-20 14:28:23.000000000 -0500
|
+++ serefpolicy-3.2.9/policy/modules/apps/gpg.te 2008-02-20 17:36:41.000000000 -0500
|
||||||
@@ -7,15 +7,232 @@
|
@@ -7,15 +7,228 @@
|
||||||
#
|
#
|
||||||
|
|
||||||
# Type for gpg or pgp executables.
|
# Type for gpg or pgp executables.
|
||||||
@ -2373,6 +2376,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
|
|||||||
+files_read_usr_files(gpg_t)
|
+files_read_usr_files(gpg_t)
|
||||||
+files_dontaudit_search_var(gpg_t)
|
+files_dontaudit_search_var(gpg_t)
|
||||||
+
|
+
|
||||||
|
+auth_use_nsswitch(gpg_t)
|
||||||
|
+
|
||||||
+libs_use_shared_libs(gpg_t)
|
+libs_use_shared_libs(gpg_t)
|
||||||
+libs_use_ld_so(gpg_t)
|
+libs_use_ld_so(gpg_t)
|
||||||
+
|
+
|
||||||
@ -2380,12 +2385,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
|
|||||||
+
|
+
|
||||||
+logging_send_syslog_msg(gpg_t)
|
+logging_send_syslog_msg(gpg_t)
|
||||||
+
|
+
|
||||||
+sysnet_read_config(gpg_t)
|
|
||||||
+
|
|
||||||
+optional_policy(`
|
|
||||||
+ nis_use_ypbind(gpg_t)
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
+########################################
|
+########################################
|
||||||
+#
|
+#
|
||||||
+# GPG helper local policy
|
+# GPG helper local policy
|
||||||
@ -4848,7 +4847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
|
|||||||
########################################
|
########################################
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.9/policy/modules/kernel/corenetwork.te.in
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.9/policy/modules/kernel/corenetwork.te.in
|
||||||
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-02-01 09:12:53.000000000 -0500
|
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-02-01 09:12:53.000000000 -0500
|
||||||
+++ serefpolicy-3.2.9/policy/modules/kernel/corenetwork.te.in 2008-02-20 14:28:23.000000000 -0500
|
+++ serefpolicy-3.2.9/policy/modules/kernel/corenetwork.te.in 2008-02-20 17:15:58.000000000 -0500
|
||||||
@@ -82,6 +82,7 @@
|
@@ -82,6 +82,7 @@
|
||||||
network_port(clockspeed, udp,4041,s0)
|
network_port(clockspeed, udp,4041,s0)
|
||||||
network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
|
network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
|
||||||
@ -4865,7 +4864,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
|
|||||||
network_port(ftp_data, tcp,20,s0)
|
network_port(ftp_data, tcp,20,s0)
|
||||||
network_port(ftp, tcp,21,s0)
|
network_port(ftp, tcp,21,s0)
|
||||||
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
|
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
|
||||||
@@ -122,6 +124,8 @@
|
@@ -109,6 +111,7 @@
|
||||||
|
network_port(ircd, tcp,6667,s0)
|
||||||
|
network_port(isakmp, udp,500,s0)
|
||||||
|
network_port(iscsi, tcp,3260,s0)
|
||||||
|
+network_port(isns, tcp,3205,s0, udp,3205,s0)
|
||||||
|
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
|
||||||
|
network_port(jabber_interserver, tcp,5269,s0)
|
||||||
|
network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
|
||||||
|
@@ -122,6 +125,8 @@
|
||||||
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
|
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
|
||||||
network_port(monopd, tcp,1234,s0)
|
network_port(monopd, tcp,1234,s0)
|
||||||
network_port(msnp, tcp,1863,s0, udp,1863,s0)
|
network_port(msnp, tcp,1863,s0, udp,1863,s0)
|
||||||
@ -4874,7 +4881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
|
|||||||
network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
|
network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
|
||||||
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
|
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
|
||||||
network_port(nessus, tcp,1241,s0)
|
network_port(nessus, tcp,1241,s0)
|
||||||
@@ -133,10 +137,12 @@
|
@@ -133,10 +138,12 @@
|
||||||
network_port(pegasus_http, tcp,5988,s0)
|
network_port(pegasus_http, tcp,5988,s0)
|
||||||
network_port(pegasus_https, tcp,5989,s0)
|
network_port(pegasus_https, tcp,5989,s0)
|
||||||
network_port(postfix_policyd, tcp,10031,s0)
|
network_port(postfix_policyd, tcp,10031,s0)
|
||||||
@ -4887,7 +4894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
|
|||||||
network_port(printer, tcp,515,s0)
|
network_port(printer, tcp,515,s0)
|
||||||
network_port(ptal, tcp,5703,s0)
|
network_port(ptal, tcp,5703,s0)
|
||||||
network_port(pxe, udp,4011,s0)
|
network_port(pxe, udp,4011,s0)
|
||||||
@@ -148,7 +154,7 @@
|
@@ -148,7 +155,7 @@
|
||||||
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
|
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
|
||||||
network_port(rlogind, tcp,513,s0)
|
network_port(rlogind, tcp,513,s0)
|
||||||
network_port(rndc, tcp,953,s0)
|
network_port(rndc, tcp,953,s0)
|
||||||
@ -4896,7 +4903,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
|
|||||||
network_port(rsh, tcp,514,s0)
|
network_port(rsh, tcp,514,s0)
|
||||||
network_port(rsync, tcp,873,s0, udp,873,s0)
|
network_port(rsync, tcp,873,s0, udp,873,s0)
|
||||||
network_port(rwho, udp,513,s0)
|
network_port(rwho, udp,513,s0)
|
||||||
@@ -170,7 +176,11 @@
|
@@ -170,7 +177,11 @@
|
||||||
network_port(transproxy, tcp,8081,s0)
|
network_port(transproxy, tcp,8081,s0)
|
||||||
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
|
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
|
||||||
network_port(uucpd, tcp,540,s0)
|
network_port(uucpd, tcp,540,s0)
|
||||||
@ -20054,7 +20061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.2.9/policy/modules/services/squid.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.2.9/policy/modules/services/squid.te
|
||||||
--- nsaserefpolicy/policy/modules/services/squid.te 2007-12-19 05:32:17.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/squid.te 2007-12-19 05:32:17.000000000 -0500
|
||||||
+++ serefpolicy-3.2.9/policy/modules/services/squid.te 2008-02-20 16:57:35.000000000 -0500
|
+++ serefpolicy-3.2.9/policy/modules/services/squid.te 2008-02-20 17:25:10.000000000 -0500
|
||||||
@@ -31,12 +31,15 @@
|
@@ -31,12 +31,15 @@
|
||||||
type squid_var_run_t;
|
type squid_var_run_t;
|
||||||
files_pid_file(squid_var_run_t)
|
files_pid_file(squid_var_run_t)
|
||||||
@ -22960,6 +22967,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
|||||||
vmware_read_system_config(initrc_t)
|
vmware_read_system_config(initrc_t)
|
||||||
vmware_append_system_config(initrc_t)
|
vmware_append_system_config(initrc_t)
|
||||||
')
|
')
|
||||||
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.2.9/policy/modules/system/iscsi.te
|
||||||
|
--- nsaserefpolicy/policy/modules/system/iscsi.te 2008-02-18 14:30:18.000000000 -0500
|
||||||
|
+++ serefpolicy-3.2.9/policy/modules/system/iscsi.te 2008-02-20 17:17:56.000000000 -0500
|
||||||
|
@@ -63,6 +63,7 @@
|
||||||
|
corenet_tcp_sendrecv_all_ports(iscsid_t)
|
||||||
|
corenet_tcp_connect_http_port(iscsid_t)
|
||||||
|
corenet_tcp_connect_iscsi_port(iscsid_t)
|
||||||
|
+corenet_tcp_connect_isns_port(iscsid_t)
|
||||||
|
|
||||||
|
dev_rw_sysfs(iscsid_t)
|
||||||
|
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.2.9/policy/modules/system/libraries.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.2.9/policy/modules/system/libraries.fc
|
||||||
--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-12-12 11:35:28.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-12-12 11:35:28.000000000 -0500
|
||||||
+++ serefpolicy-3.2.9/policy/modules/system/libraries.fc 2008-02-20 14:28:23.000000000 -0500
|
+++ serefpolicy-3.2.9/policy/modules/system/libraries.fc 2008-02-20 14:28:23.000000000 -0500
|
||||||
@ -24318,10 +24336,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i
|
|||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.te serefpolicy-3.2.9/policy/modules/system/qemu.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.te serefpolicy-3.2.9/policy/modules/system/qemu.te
|
||||||
--- nsaserefpolicy/policy/modules/system/qemu.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/qemu.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.2.9/policy/modules/system/qemu.te 2008-02-20 17:01:56.000000000 -0500
|
+++ serefpolicy-3.2.9/policy/modules/system/qemu.te 2008-02-20 17:27:29.000000000 -0500
|
||||||
@@ -0,0 +1,40 @@
|
@@ -0,0 +1,47 @@
|
||||||
+policy_module(qemu,1.0.0)
|
+policy_module(qemu,1.0.0)
|
||||||
+
|
+
|
||||||
|
+## <desc>
|
||||||
|
+## <p>
|
||||||
|
+## Allow qemu to connect fully to the network
|
||||||
|
+## </p>
|
||||||
|
+## </desc>
|
||||||
|
+gen_tunable(allow_qemu_full_network,false)
|
||||||
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+#
|
+#
|
||||||
+# Declarations
|
+# Declarations
|
||||||
@ -24340,7 +24365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.t
|
|||||||
+# qemu local policy
|
+# qemu local policy
|
||||||
+#
|
+#
|
||||||
+
|
+
|
||||||
+tunable_policy(`qemu_full_network',`
|
+tunable_policy(`allow_qemu_full_network',`
|
||||||
+ allow qemu_t self:udp_socket create_socket_perms;
|
+ allow qemu_t self:udp_socket create_socket_perms;
|
||||||
+ corenet_udp_sendrecv_all_if(qemu_t)
|
+ corenet_udp_sendrecv_all_if(qemu_t)
|
||||||
+ corenet_udp_sendrecv_all_nodes(qemu_t)
|
+ corenet_udp_sendrecv_all_nodes(qemu_t)
|
||||||
|
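Review bot: The two defaults for the new boolean disagree: the qemu.te hunk declares `gen_tunable(allow_qemu_full_network,false)`, but the first hunk adds `allow_qemu_full_network=true` to the booleans list next to `user_rw_noexattrfile=true`, so wherever that list is applied qemu_t receives the udp socket create and `corenet_udp_sendrecv_all_if`/`corenet_udp_sendrecv_all_nodes` rules from the `tunable_policy` block by default rather than opt-in. If on-by-default is the intent, the tunable's description should say so, e.g. `## Allow qemu to connect fully to the network (enabled by default in the distribution booleans file)`; if not, the booleans entry should read `allow_qemu_full_network=false`. The `tunable_policy` block for this boolean continues past the end of the last hunk, so any further rules it grants are not visible here.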