- Fix labeling on new pm*log

- Allow ssh to bind to all nodes
This commit is contained in:
Daniel J Walsh 2008-09-18 20:46:41 +00:00
parent 530772ab58
commit 8ff0154e03

View File

@ -23287,7 +23287,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.5.8/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2008-08-14 13:08:27.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/rpc.te 2008-09-17 08:49:09.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/rpc.te 2008-09-18 16:45:56.000000000 -0400
@@ -23,7 +23,7 @@
gen_tunable(allow_nfsd_anon_write, false)
@ -23321,7 +23321,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
tunable_policy(`nfs_export_all_ro',`
@@ -170,9 +173,13 @@
@@ -170,9 +173,14 @@
files_read_usr_symlinks(gssd_t)
auth_use_nsswitch(gssd_t)
@ -23329,13 +23329,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
miscfiles_read_certs(gssd_t)
+userdom_dontaudit_search_users_home_dirs(rpcd_t)
+sysadm_dontaudit_search_home_dirs(rpcd_t)
+userdom_dontaudit_search_users_home_dirs(gssd_t)
+sysadm_dontaudit_search_home_dirs(gssd_t)
+userdom_dontaudit_write_user_tmp_files(user, gssd_t)
+
tunable_policy(`allow_gssd_read_tmp',`
userdom_list_unpriv_users_tmp(gssd_t)
userdom_read_unpriv_users_tmp_files(gssd_t)
@@ -180,8 +187,7 @@
@@ -180,8 +188,7 @@
')
optional_policy(`
@ -26609,7 +26610,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.5.8/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/ssh.if 2008-09-18 08:51:19.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/ssh.if 2008-09-18 15:56:17.000000000 -0400
@@ -36,6 +36,7 @@
gen_require(`
attribute ssh_server;
@ -26709,7 +26710,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Write to the user domain tty.
userdom_use_user_terminals($1,$1_ssh_t)
# needs to read krb tgt
@@ -282,21 +289,10 @@
@@ -279,24 +286,14 @@
# for port forwarding
tunable_policy(`user_tcp_server',`
corenet_tcp_bind_ssh_port($1_ssh_t)
+ corenet_tcp_bind_all_nodes($1_ssh_t)
')
optional_policy(`
@ -26732,7 +26737,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##############################
#
# $1_ssh_agent_t local policy
@@ -383,10 +379,6 @@
@@ -383,10 +380,6 @@
xserver_rw_xdm_pipes($1_ssh_agent_t)
')
@ -26743,7 +26748,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##############################
#
# $1_ssh_keysign_t local policy
@@ -413,6 +405,25 @@
@@ -413,6 +406,25 @@
')
')
@ -26769,7 +26774,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#######################################
## <summary>
## The template to define a ssh server.
@@ -443,13 +454,14 @@
@@ -443,13 +455,14 @@
type $1_var_run_t;
files_pid_file($1_var_run_t)
@ -26785,7 +26790,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
term_create_pty($1_t,$1_devpts_t)
@@ -479,6 +491,10 @@
@@ -479,6 +492,10 @@
corenet_tcp_bind_ssh_port($1_t)
corenet_tcp_connect_all_ports($1_t)
corenet_sendrecv_ssh_server_packets($1_t)
@ -26796,7 +26801,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_dontaudit_getattr_all_fs($1_t)
@@ -506,9 +522,14 @@
@@ -506,9 +523,14 @@
userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t)
userdom_search_all_users_home_dirs($1_t)
@ -26811,7 +26816,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
tunable_policy(`use_samba_home_dirs',`
@@ -517,11 +538,7 @@
@@ -517,11 +539,7 @@
optional_policy(`
kerberos_use($1_t)
@ -26824,7 +26829,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -710,3 +727,22 @@
@@ -710,3 +728,22 @@
dontaudit $1 sshd_key_t:file { getattr read };
')
@ -26934,7 +26939,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_sendrecv_all_if(stunnel_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.5.8/policy/modules/services/telnet.te
--- nsaserefpolicy/policy/modules/services/telnet.te 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/telnet.te 2008-09-17 08:49:09.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/telnet.te 2008-09-18 16:12:20.000000000 -0400
@@ -89,15 +89,19 @@
userdom_search_unpriv_users_home_dirs(telnetd_t)