- Fixes from yum-cron

- Update to latest upstream
This commit is contained in:
Daniel J Walsh 2008-02-20 22:44:00 +00:00
parent b0260f2000
commit 8d4af9d064
2 changed files with 48 additions and 19 deletions


@ -262,3 +262,7 @@ allow_postfix_local_write_mail_spool=true
# Allow common users to read/write noexattrfile systems # Allow common users to read/write noexattrfile systems
# #
user_rw_noexattrfile=true user_rw_noexattrfile=true
# Allow qemu to connect fully to the network
#
allow_qemu_full_network=true
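Review bot: The shipped value `allow_qemu_full_network=true` on the last line of this hunk turns the new boolean on for every install, even though the policy itself declares it off (`gen_tunable(allow_qemu_full_network,false)` in the qemu.te part of this same commit), so the distribution default hands qemu_t UDP sockets and send/receive on all interfaces and nodes without an administrator choosing it. Since the tunable exists precisely so confined guests do not get unrestricted network reach by default, consider shipping `allow_qemu_full_network=false` and letting users opt in with setsebool, or at least make the consequence visible to whoever edits this file, e.g. `# Allow qemu to connect fully to the network (UDP on all interfaces and nodes)`. If there is a reason the distribution wants it on, that reason belongs in the comment too, since the two-line comment above it currently restates the boolean name rather than explaining the choice.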


@ -1976,7 +1976,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc s
+/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) +/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.2.9/policy/modules/apps/gpg.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.2.9/policy/modules/apps/gpg.if
--- nsaserefpolicy/policy/modules/apps/gpg.if 2007-07-23 10:20:12.000000000 -0400 --- nsaserefpolicy/policy/modules/apps/gpg.if 2007-07-23 10:20:12.000000000 -0400
+++ serefpolicy-3.2.9/policy/modules/apps/gpg.if 2008-02-20 14:28:23.000000000 -0500 +++ serefpolicy-3.2.9/policy/modules/apps/gpg.if 2008-02-20 17:37:31.000000000 -0500
@@ -38,6 +38,10 @@ @@ -38,6 +38,10 @@
gen_require(` gen_require(`
type gpg_exec_t, gpg_helper_exec_t; type gpg_exec_t, gpg_helper_exec_t;
@ -1988,7 +1988,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s
') ')
######################################## ########################################
@@ -45,275 +49,53 @@ @@ -45,275 +49,56 @@
# Declarations # Declarations
# #
@ -2174,6 +2174,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s
- manage_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t) - manage_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
- manage_lnk_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t) - manage_lnk_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
+ allow $2 gpg_t:process signal_perms; + allow $2 gpg_t:process signal_perms;
+ # Thunderbird leaks descriptors
+ dontaudit gpg_t $2:tcp_socket rw_socket_perms;
+ dontaudit gpg_t $2:udp_socket rw_socket_perms;
- # allow gpg to connect to the gpg agent - # allow gpg to connect to the gpg agent
- stream_connect_pattern($1_gpg_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t,$1_gpg_agent_t) - stream_connect_pattern($1_gpg_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t,$1_gpg_agent_t)
@ -2294,8 +2297,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s
######################################## ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.2.9/policy/modules/apps/gpg.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.2.9/policy/modules/apps/gpg.te
--- nsaserefpolicy/policy/modules/apps/gpg.te 2007-12-19 05:32:09.000000000 -0500 --- nsaserefpolicy/policy/modules/apps/gpg.te 2007-12-19 05:32:09.000000000 -0500
+++ serefpolicy-3.2.9/policy/modules/apps/gpg.te 2008-02-20 14:28:23.000000000 -0500 +++ serefpolicy-3.2.9/policy/modules/apps/gpg.te 2008-02-20 17:36:41.000000000 -0500
@@ -7,15 +7,232 @@ @@ -7,15 +7,228 @@
# #
# Type for gpg or pgp executables. # Type for gpg or pgp executables.
@ -2373,6 +2376,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
+files_read_usr_files(gpg_t) +files_read_usr_files(gpg_t)
+files_dontaudit_search_var(gpg_t) +files_dontaudit_search_var(gpg_t)
+ +
+auth_use_nsswitch(gpg_t)
+
+libs_use_shared_libs(gpg_t) +libs_use_shared_libs(gpg_t)
+libs_use_ld_so(gpg_t) +libs_use_ld_so(gpg_t)
+ +
@ -2380,12 +2385,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
+ +
+logging_send_syslog_msg(gpg_t) +logging_send_syslog_msg(gpg_t)
+ +
+sysnet_read_config(gpg_t)
+
+optional_policy(`
+ nis_use_ypbind(gpg_t)
+')
+
+######################################## +########################################
+# +#
+# GPG helper local policy +# GPG helper local policy
@ -4848,7 +4847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
######################################## ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.9/policy/modules/kernel/corenetwork.te.in diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.9/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-02-01 09:12:53.000000000 -0500 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-02-01 09:12:53.000000000 -0500
+++ serefpolicy-3.2.9/policy/modules/kernel/corenetwork.te.in 2008-02-20 14:28:23.000000000 -0500 +++ serefpolicy-3.2.9/policy/modules/kernel/corenetwork.te.in 2008-02-20 17:15:58.000000000 -0500
@@ -82,6 +82,7 @@ @@ -82,6 +82,7 @@
network_port(clockspeed, udp,4041,s0) network_port(clockspeed, udp,4041,s0)
network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0) network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
@ -4865,7 +4864,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(ftp_data, tcp,20,s0) network_port(ftp_data, tcp,20,s0)
network_port(ftp, tcp,21,s0) network_port(ftp, tcp,21,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
@@ -122,6 +124,8 @@ @@ -109,6 +111,7 @@
network_port(ircd, tcp,6667,s0)
network_port(isakmp, udp,500,s0)
network_port(iscsi, tcp,3260,s0)
+network_port(isns, tcp,3205,s0, udp,3205,s0)
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
network_port(jabber_interserver, tcp,5269,s0)
network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
@@ -122,6 +125,8 @@
network_port(mmcc, tcp,5050,s0, udp,5050,s0) network_port(mmcc, tcp,5050,s0, udp,5050,s0)
network_port(monopd, tcp,1234,s0) network_port(monopd, tcp,1234,s0)
network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0)
@ -4874,7 +4881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(mysqld, tcp,1186,s0, tcp,3306,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0) portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
network_port(nessus, tcp,1241,s0) network_port(nessus, tcp,1241,s0)
@@ -133,10 +137,12 @@ @@ -133,10 +138,12 @@
network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_http, tcp,5988,s0)
network_port(pegasus_https, tcp,5989,s0) network_port(pegasus_https, tcp,5989,s0)
network_port(postfix_policyd, tcp,10031,s0) network_port(postfix_policyd, tcp,10031,s0)
@ -4887,7 +4894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(printer, tcp,515,s0) network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0) network_port(ptal, tcp,5703,s0)
network_port(pxe, udp,4011,s0) network_port(pxe, udp,4011,s0)
@@ -148,7 +154,7 @@ @@ -148,7 +155,7 @@
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
network_port(rlogind, tcp,513,s0) network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0) network_port(rndc, tcp,953,s0)
@ -4896,7 +4903,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(rsh, tcp,514,s0) network_port(rsh, tcp,514,s0)
network_port(rsync, tcp,873,s0, udp,873,s0) network_port(rsync, tcp,873,s0, udp,873,s0)
network_port(rwho, udp,513,s0) network_port(rwho, udp,513,s0)
@@ -170,7 +176,11 @@ @@ -170,7 +177,11 @@
network_port(transproxy, tcp,8081,s0) network_port(transproxy, tcp,8081,s0)
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0) network_port(uucpd, tcp,540,s0)
@ -20054,7 +20061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
+') +')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.2.9/policy/modules/services/squid.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.2.9/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2007-12-19 05:32:17.000000000 -0500 --- nsaserefpolicy/policy/modules/services/squid.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.9/policy/modules/services/squid.te 2008-02-20 16:57:35.000000000 -0500 +++ serefpolicy-3.2.9/policy/modules/services/squid.te 2008-02-20 17:25:10.000000000 -0500
@@ -31,12 +31,15 @@ @@ -31,12 +31,15 @@
type squid_var_run_t; type squid_var_run_t;
files_pid_file(squid_var_run_t) files_pid_file(squid_var_run_t)
@ -22960,6 +22967,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
vmware_read_system_config(initrc_t) vmware_read_system_config(initrc_t)
vmware_append_system_config(initrc_t) vmware_append_system_config(initrc_t)
') ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.2.9/policy/modules/system/iscsi.te
--- nsaserefpolicy/policy/modules/system/iscsi.te 2008-02-18 14:30:18.000000000 -0500
+++ serefpolicy-3.2.9/policy/modules/system/iscsi.te 2008-02-20 17:17:56.000000000 -0500
@@ -63,6 +63,7 @@
corenet_tcp_sendrecv_all_ports(iscsid_t)
corenet_tcp_connect_http_port(iscsid_t)
corenet_tcp_connect_iscsi_port(iscsid_t)
+corenet_tcp_connect_isns_port(iscsid_t)
dev_rw_sysfs(iscsid_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.2.9/policy/modules/system/libraries.fc diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.2.9/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-12-12 11:35:28.000000000 -0500 --- nsaserefpolicy/policy/modules/system/libraries.fc 2007-12-12 11:35:28.000000000 -0500
+++ serefpolicy-3.2.9/policy/modules/system/libraries.fc 2008-02-20 14:28:23.000000000 -0500 +++ serefpolicy-3.2.9/policy/modules/system/libraries.fc 2008-02-20 14:28:23.000000000 -0500
@ -24318,10 +24336,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i
+ +
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.te serefpolicy-3.2.9/policy/modules/system/qemu.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.te serefpolicy-3.2.9/policy/modules/system/qemu.te
--- nsaserefpolicy/policy/modules/system/qemu.te 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/system/qemu.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.9/policy/modules/system/qemu.te 2008-02-20 17:01:56.000000000 -0500 +++ serefpolicy-3.2.9/policy/modules/system/qemu.te 2008-02-20 17:27:29.000000000 -0500
@@ -0,0 +1,40 @@ @@ -0,0 +1,47 @@
+policy_module(qemu,1.0.0) +policy_module(qemu,1.0.0)
+ +
+## <desc>
+## <p>
+## Allow qemu to connect fully to the network
+## </p>
+## </desc>
+gen_tunable(allow_qemu_full_network,false)
+
+######################################## +########################################
+# +#
+# Declarations +# Declarations
@ -24340,7 +24365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.t
+# qemu local policy +# qemu local policy
+# +#
+ +
+tunable_policy(`qemu_full_network',` +tunable_policy(`allow_qemu_full_network',`
+ allow qemu_t self:udp_socket create_socket_perms; + allow qemu_t self:udp_socket create_socket_perms;
+ corenet_udp_sendrecv_all_if(qemu_t) + corenet_udp_sendrecv_all_if(qemu_t)
+ corenet_udp_sendrecv_all_nodes(qemu_t) + corenet_udp_sendrecv_all_nodes(qemu_t)
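Review bot: The two rules added under `# Thunderbird leaks descriptors` in the gpg.if hunk, `dontaudit gpg_t $2:tcp_socket rw_socket_perms;` and the matching `udp_socket` rule, silence the AVC instead of fixing the leak, so a gpg process that does inherit the mail client's network sockets will no longer appear in the audit log even though the access is still denied, and that is exactly the evidence an incident responder would want when gpg is handling hostile input. The leak is a caller bug (descriptors not closed or marked close-on-exec before gpg is executed), so the comment should at least say this is a workaround and where the real fix belongs, e.g. `# Thunderbird leaks descriptors into gpg; workaround until the caller sets CLOEXEC. Access is still denied, only the denial is not logged.`. Note also that `dontaudit` rules are disabled by `semodule -DB`, so anyone debugging with that setting will see these denials return. The interface that takes `$2` begins and ends outside the hunk.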