- Fix labeling on new pm*log
- Allow ssh to bind to all nodes
parent
530772ab58
commit
8ff0154e03
@ -23287,7 +23287,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## <param name="domain">
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.5.8/policy/modules/services/rpc.te
|
||||
--- nsaserefpolicy/policy/modules/services/rpc.te 2008-08-14 13:08:27.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/services/rpc.te 2008-09-17 08:49:09.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/services/rpc.te 2008-09-18 16:45:56.000000000 -0400
|
||||
@@ -23,7 +23,7 @@
|
||||
gen_tunable(allow_nfsd_anon_write, false)
|
||||
|
||||
@ -23321,7 +23321,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
tunable_policy(`nfs_export_all_ro',`
|
||||
@@ -170,9 +173,13 @@
|
||||
@@ -170,9 +173,14 @@
|
||||
files_read_usr_symlinks(gssd_t)
|
||||
|
||||
auth_use_nsswitch(gssd_t)
|
||||
@ -23329,13 +23329,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
miscfiles_read_certs(gssd_t)
|
||||
|
||||
+userdom_dontaudit_search_users_home_dirs(rpcd_t)
|
||||
+sysadm_dontaudit_search_home_dirs(rpcd_t)
|
||||
+userdom_dontaudit_search_users_home_dirs(gssd_t)
|
||||
+sysadm_dontaudit_search_home_dirs(gssd_t)
|
||||
+userdom_dontaudit_write_user_tmp_files(user, gssd_t)
|
||||
+
|
||||
tunable_policy(`allow_gssd_read_tmp',`
|
||||
userdom_list_unpriv_users_tmp(gssd_t)
|
||||
userdom_read_unpriv_users_tmp_files(gssd_t)
|
||||
@@ -180,8 +187,7 @@
|
||||
@@ -180,8 +188,7 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
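Review bot: The rpc.te line `userdom_dontaudit_write_user_tmp_files(user, gssd_t)` at L81, which the inner hunk header's change from 13 to 14 lines suggests is the only addition here, silences write denials on users' tmp files for rpc.gssd with no comment saying what triggers them, and a dontaudit hides the denial rather than fixing it, so if gssd ever genuinely needs to update a credential cache the failure will be invisible in the audit log. I would add a one-line why-comment above it, something like `# gssd opens user ccache files read-write; the write attempt is believed benign, so silence rather than allow it`, adjusted to whatever the observed denial actually was. Because this is a dontaudit and not an allow, no new permission is granted, which is the right direction for a root daemon like gssd. The first argument `user` is a prefix rather than a domain while the neighbouring new lines take only a domain, so it is worth confirming the interface signature in userdomain.if matches. The enclosing rpc.te block continues outside the hunk.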
@ -26609,7 +26610,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.5.8/policy/modules/services/ssh.if
|
||||
--- nsaserefpolicy/policy/modules/services/ssh.if 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/services/ssh.if 2008-09-18 08:51:19.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/services/ssh.if 2008-09-18 15:56:17.000000000 -0400
|
||||
@@ -36,6 +36,7 @@
|
||||
gen_require(`
|
||||
attribute ssh_server;
|
||||
@ -26709,7 +26710,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# Write to the user domain tty.
|
||||
userdom_use_user_terminals($1,$1_ssh_t)
|
||||
# needs to read krb tgt
|
||||
@@ -282,21 +289,10 @@
|
||||
@@ -279,24 +286,14 @@
|
||||
# for port forwarding
|
||||
tunable_policy(`user_tcp_server',`
|
||||
corenet_tcp_bind_ssh_port($1_ssh_t)
|
||||
+ corenet_tcp_bind_all_nodes($1_ssh_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
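Review bot: `corenet_tcp_bind_all_nodes($1_ssh_t)` at L164, presumably the line the commit title refers to, lets a user's ssh client bind listening sockets on every node type rather than only the node types it could use before, so with `user_tcp_server` enabled a `-L`/`-R` forward can listen on a non-loopback address; the rule carries no comment explaining that, and I would add `# -L/-R forwards bound to a non-loopback address need node_bind on the node type` above it. Keeping it inside the `user_tcp_server` tunable, as done here, means the default with the boolean off is unchanged, which is worth stating in the commit description. From a least-privilege standpoint it is worth checking whether `corenet_tcp_bind_generic_node($1_ssh_t)` would be enough, since all_nodes also covers any specifically labelled nodecon entries an admin has defined. The enclosing template continues outside the hunk.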
@ -26732,7 +26737,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
##############################
|
||||
#
|
||||
# $1_ssh_agent_t local policy
|
||||
@@ -383,10 +379,6 @@
|
||||
@@ -383,10 +380,6 @@
|
||||
xserver_rw_xdm_pipes($1_ssh_agent_t)
|
||||
')
|
||||
|
||||
@ -26743,7 +26748,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
##############################
|
||||
#
|
||||
# $1_ssh_keysign_t local policy
|
||||
@@ -413,6 +405,25 @@
|
||||
@@ -413,6 +406,25 @@
|
||||
')
|
||||
')
|
||||
|
||||
@ -26769,7 +26774,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
#######################################
|
||||
## <summary>
|
||||
## The template to define a ssh server.
|
||||
@@ -443,13 +454,14 @@
|
||||
@@ -443,13 +455,14 @@
|
||||
type $1_var_run_t;
|
||||
files_pid_file($1_var_run_t)
|
||||
|
||||
@ -26785,7 +26790,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
|
||||
term_create_pty($1_t,$1_devpts_t)
|
||||
@@ -479,6 +491,10 @@
|
||||
@@ -479,6 +492,10 @@
|
||||
corenet_tcp_bind_ssh_port($1_t)
|
||||
corenet_tcp_connect_all_ports($1_t)
|
||||
corenet_sendrecv_ssh_server_packets($1_t)
|
||||
@ -26796,7 +26801,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
fs_dontaudit_getattr_all_fs($1_t)
|
||||
|
||||
@@ -506,9 +522,14 @@
|
||||
@@ -506,9 +523,14 @@
|
||||
|
||||
userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t)
|
||||
userdom_search_all_users_home_dirs($1_t)
|
||||
@ -26811,7 +26816,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
@@ -517,11 +538,7 @@
|
||||
@@ -517,11 +539,7 @@
|
||||
|
||||
optional_policy(`
|
||||
kerberos_use($1_t)
|
||||
@ -26824,7 +26829,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -710,3 +727,22 @@
|
||||
@@ -710,3 +728,22 @@
|
||||
|
||||
dontaudit $1 sshd_key_t:file { getattr read };
|
||||
')
|
||||
@ -26934,7 +26939,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
corenet_tcp_sendrecv_all_if(stunnel_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.5.8/policy/modules/services/telnet.te
|
||||
--- nsaserefpolicy/policy/modules/services/telnet.te 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/services/telnet.te 2008-09-17 08:49:09.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/services/telnet.te 2008-09-18 16:12:20.000000000 -0400
|
||||
@@ -89,15 +89,19 @@
|
||||
|
||||
userdom_search_unpriv_users_home_dirs(telnetd_t)
|
||||
|