- Dontaudit consoletype talking to unconfined_t
parent
7a91e89abe
commit
915a9f26cc
@ -280,7 +280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors
|
|||||||
class key
|
class key
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.0.8/policy/global_tunables
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.0.8/policy/global_tunables
|
||||||
--- nsaserefpolicy/policy/global_tunables 2007-05-29 14:10:59.000000000 -0400
|
--- nsaserefpolicy/policy/global_tunables 2007-05-29 14:10:59.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/global_tunables 2007-10-03 11:10:24.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/global_tunables 2007-10-08 11:41:21.000000000 -0400
|
||||||
@@ -133,3 +133,18 @@
|
@@ -133,3 +133,18 @@
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(write_untrusted_content,false)
|
gen_tunable(write_untrusted_content,false)
|
||||||
@ -2581,7 +2581,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
|
|||||||
|
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.8/policy/modules/kernel/devices.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.8/policy/modules/kernel/devices.fc
|
||||||
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-09-12 10:34:49.000000000 -0400
|
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-09-12 10:34:49.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2007-10-03 11:10:24.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2007-10-08 11:30:10.000000000 -0400
|
||||||
@@ -20,6 +20,7 @@
|
@@ -20,6 +20,7 @@
|
||||||
/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
|
/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
|
||||||
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
|
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
|
||||||
@ -3462,8 +3462,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu
|
|||||||
neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
|
neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.0.8/policy/modules/kernel/storage.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.0.8/policy/modules/kernel/storage.fc
|
||||||
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2007-08-22 07:14:06.000000000 -0400
|
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2007-08-22 07:14:06.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/kernel/storage.fc 2007-10-03 11:10:24.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/kernel/storage.fc 2007-10-08 11:31:31.000000000 -0400
|
||||||
@@ -52,7 +52,7 @@
|
@@ -39,6 +39,7 @@
|
||||||
|
')
|
||||||
|
/dev/s(cd|r)[^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||||
|
/dev/sbpcd.* -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||||
|
+/dev/bsg/.+ -c gen_context(system_u:object_r:scsi_generic_device_t,s0)
|
||||||
|
/dev/sg[0-9]+ -c gen_context(system_u:object_r:scsi_generic_device_t,s0)
|
||||||
|
/dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||||
|
/dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||||
|
@@ -52,7 +53,7 @@
|
||||||
|
|
||||||
/dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
/dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||||
|
|
||||||
@ -5849,7 +5857,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
|
|||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.0.8/policy/modules/services/dovecot.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.0.8/policy/modules/services/dovecot.te
|
||||||
--- nsaserefpolicy/policy/modules/services/dovecot.te 2007-07-25 10:37:42.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/dovecot.te 2007-07-25 10:37:42.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/services/dovecot.te 2007-10-08 11:24:32.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/services/dovecot.te 2007-10-09 10:31:36.000000000 -0400
|
||||||
@@ -15,6 +15,12 @@
|
@@ -15,6 +15,12 @@
|
||||||
domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
|
domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
|
||||||
role system_r types dovecot_auth_t;
|
role system_r types dovecot_auth_t;
|
||||||
@ -5911,7 +5919,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
|
|||||||
seutil_sigchld_newrole(dovecot_t)
|
seutil_sigchld_newrole(dovecot_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -145,33 +144,43 @@
|
@@ -145,33 +144,40 @@
|
||||||
# dovecot auth local policy
|
# dovecot auth local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -5947,9 +5955,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
|
|||||||
+auth_domtrans_upd_passwd(dovecot_auth_t)
|
+auth_domtrans_upd_passwd(dovecot_auth_t)
|
||||||
auth_use_nsswitch(dovecot_auth_t)
|
auth_use_nsswitch(dovecot_auth_t)
|
||||||
|
|
||||||
+optional_policy
|
|
||||||
+nis_authenticate(dovecot_auth_t)
|
|
||||||
+
|
|
||||||
files_read_etc_files(dovecot_auth_t)
|
files_read_etc_files(dovecot_auth_t)
|
||||||
files_read_etc_runtime_files(dovecot_auth_t)
|
files_read_etc_runtime_files(dovecot_auth_t)
|
||||||
files_search_pids(dovecot_auth_t)
|
files_search_pids(dovecot_auth_t)
|
||||||
@ -5957,7 +5962,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
|
|||||||
files_read_usr_symlinks(dovecot_auth_t)
|
files_read_usr_symlinks(dovecot_auth_t)
|
||||||
files_search_tmp(dovecot_auth_t)
|
files_search_tmp(dovecot_auth_t)
|
||||||
files_read_var_lib_files(dovecot_t)
|
files_read_var_lib_files(dovecot_t)
|
||||||
@@ -185,12 +194,46 @@
|
@@ -185,12 +191,50 @@
|
||||||
|
|
||||||
seutil_dontaudit_search_config(dovecot_auth_t)
|
seutil_dontaudit_search_config(dovecot_auth_t)
|
||||||
|
|
||||||
@ -5971,12 +5976,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
|
|||||||
- logging_send_syslog_msg(dovecot_auth_t)
|
- logging_send_syslog_msg(dovecot_auth_t)
|
||||||
+ mysql_search_db(dovecot_auth_t)
|
+ mysql_search_db(dovecot_auth_t)
|
||||||
+ mysql_stream_connect(dovecot_auth_t)
|
+ mysql_stream_connect(dovecot_auth_t)
|
||||||
')
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ nis_authenticate(dovecot_auth_t)
|
||||||
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ postfix_create_pivate_sockets(dovecot_auth_t)
|
+ postfix_create_pivate_sockets(dovecot_auth_t)
|
||||||
+ postfix_search_spool(dovecot_auth_t)
|
+ postfix_search_spool(dovecot_auth_t)
|
||||||
+')
|
')
|
||||||
+
|
+
|
||||||
+# for gssapi (kerberos)
|
+# for gssapi (kerberos)
|
||||||
+userdom_list_unpriv_users_tmp(dovecot_auth_t)
|
+userdom_list_unpriv_users_tmp(dovecot_auth_t)
|
||||||
@ -6533,7 +6542,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
|||||||
/var/run/vbestate -- gen_context(system_u:object_r:hald_var_run_t,s0)
|
/var/run/vbestate -- gen_context(system_u:object_r:hald_var_run_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.0.8/policy/modules/services/hal.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.0.8/policy/modules/services/hal.te
|
||||||
--- nsaserefpolicy/policy/modules/services/hal.te 2007-09-12 10:34:50.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/hal.te 2007-09-12 10:34:50.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/services/hal.te 2007-10-05 11:48:00.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/services/hal.te 2007-10-08 11:29:21.000000000 -0400
|
||||||
@@ -49,6 +49,9 @@
|
@@ -49,6 +49,9 @@
|
||||||
type hald_var_lib_t;
|
type hald_var_lib_t;
|
||||||
files_type(hald_var_lib_t)
|
files_type(hald_var_lib_t)
|
||||||
@ -7510,7 +7519,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
|
|||||||
/usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
|
/usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.0.8/policy/modules/services/nis.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.0.8/policy/modules/services/nis.if
|
||||||
--- nsaserefpolicy/policy/modules/services/nis.if 2007-07-03 07:06:27.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/nis.if 2007-07-03 07:06:27.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/services/nis.if 2007-10-08 11:06:33.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/services/nis.if 2007-10-09 10:30:46.000000000 -0400
|
||||||
@@ -49,8 +49,8 @@
|
@@ -49,8 +49,8 @@
|
||||||
corenet_udp_bind_all_nodes($1)
|
corenet_udp_bind_all_nodes($1)
|
||||||
corenet_tcp_bind_generic_port($1)
|
corenet_tcp_bind_generic_port($1)
|
||||||
@ -7522,11 +7531,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
|
|||||||
corenet_dontaudit_tcp_bind_all_ports($1)
|
corenet_dontaudit_tcp_bind_all_ports($1)
|
||||||
corenet_dontaudit_udp_bind_all_ports($1)
|
corenet_dontaudit_udp_bind_all_ports($1)
|
||||||
corenet_tcp_connect_portmap_port($1)
|
corenet_tcp_connect_portmap_port($1)
|
||||||
@@ -87,6 +87,25 @@
|
@@ -87,6 +87,27 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
+## Use the ypbind service to access NIS services.
|
+## Use the nis to authenticate passwords
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
+## <summary>
|
+## <summary>
|
||||||
@ -7538,6 +7547,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
|
|||||||
+interface(`nis_authenticate',`
|
+interface(`nis_authenticate',`
|
||||||
+ tunable_policy(`allow_ypbind',`
|
+ tunable_policy(`allow_ypbind',`
|
||||||
+ nis_use_ypbind_uncond($1)
|
+ nis_use_ypbind_uncond($1)
|
||||||
|
+ # Needs to bind to a port < 1024
|
||||||
|
+ allow $1 self:capability net_bind_service;
|
||||||
+ corenet_tcp_bind_all_rpc_ports($1)
|
+ corenet_tcp_bind_all_rpc_ports($1)
|
||||||
+ corenet_udp_bind_all_rpc_ports($1)
|
+ corenet_udp_bind_all_rpc_ports($1)
|
||||||
+ ')
|
+ ')
|
||||||
@ -8670,7 +8681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
|
|||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.8/policy/modules/services/rpc.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.8/policy/modules/services/rpc.te
|
||||||
--- nsaserefpolicy/policy/modules/services/rpc.te 2007-07-25 10:37:42.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/rpc.te 2007-07-25 10:37:42.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/services/rpc.te 2007-10-03 11:10:24.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/services/rpc.te 2007-10-08 11:39:31.000000000 -0400
|
||||||
@@ -59,10 +59,14 @@
|
@@ -59,10 +59,14 @@
|
||||||
manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
|
manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
|
||||||
files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
|
files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
|
||||||
@ -8836,8 +8847,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd
|
|||||||
-')
|
-')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.0.8/policy/modules/services/rsync.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.0.8/policy/modules/services/rsync.te
|
||||||
--- nsaserefpolicy/policy/modules/services/rsync.te 2007-07-25 10:37:42.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/rsync.te 2007-07-25 10:37:42.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/services/rsync.te 2007-10-03 11:10:24.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/services/rsync.te 2007-10-08 11:44:11.000000000 -0400
|
||||||
@@ -17,6 +17,7 @@
|
@@ -8,6 +8,13 @@
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
+## Allow rsync export files read only
|
||||||
|
+## </p>
|
||||||
|
+## </desc>
|
||||||
|
+gen_tunable(rsync_export_all_ro,false)
|
||||||
|
+
|
||||||
|
+## <desc>
|
||||||
|
+## <p>
|
||||||
|
## Allow rsync to modify public files
|
||||||
|
## used for public file transfer services.
|
||||||
|
## </p>
|
||||||
|
@@ -17,6 +24,7 @@
|
||||||
type rsync_t;
|
type rsync_t;
|
||||||
type rsync_exec_t;
|
type rsync_exec_t;
|
||||||
init_daemon_domain(rsync_t,rsync_exec_t)
|
init_daemon_domain(rsync_t,rsync_exec_t)
|
||||||
@ -8845,6 +8870,39 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
|
|||||||
role system_r types rsync_t;
|
role system_r types rsync_t;
|
||||||
|
|
||||||
type rsync_data_t;
|
type rsync_data_t;
|
||||||
|
@@ -57,6 +65,8 @@
|
||||||
|
manage_files_pattern(rsync_t,rsync_var_run_t,rsync_var_run_t)
|
||||||
|
files_pid_filetrans(rsync_t,rsync_var_run_t,file)
|
||||||
|
|
||||||
|
+auth_use_nsswitch(rsync_t)
|
||||||
|
+
|
||||||
|
kernel_read_kernel_sysctls(rsync_t)
|
||||||
|
kernel_read_system_state(rsync_t)
|
||||||
|
kernel_read_network_state(rsync_t)
|
||||||
|
@@ -89,8 +99,6 @@
|
||||||
|
miscfiles_read_localization(rsync_t)
|
||||||
|
miscfiles_read_public_files(rsync_t)
|
||||||
|
|
||||||
|
-sysnet_read_config(rsync_t)
|
||||||
|
-
|
||||||
|
tunable_policy(`allow_rsync_anon_write',`
|
||||||
|
miscfiles_manage_public_files(rsync_t)
|
||||||
|
')
|
||||||
|
@@ -107,10 +115,8 @@
|
||||||
|
inetd_service_domain(rsync_t,rsync_exec_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
-optional_policy(`
|
||||||
|
- nis_use_ypbind(rsync_t)
|
||||||
|
-')
|
||||||
|
-
|
||||||
|
-optional_policy(`
|
||||||
|
- nscd_socket_use(rsync_t)
|
||||||
|
+tunable_policy(`rsync_export_all_ro',`
|
||||||
|
+ allow rsync_t self:capability dac_override;
|
||||||
|
+ fs_read_noxattr_fs_files(rsync_t)
|
||||||
|
+ auth_read_all_files_except_shadow(rsync_t)
|
||||||
|
')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.0.8/policy/modules/services/samba.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.0.8/policy/modules/services/samba.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/samba.fc 2007-06-19 16:23:34.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/samba.fc 2007-06-19 16:23:34.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/services/samba.fc 2007-10-03 11:10:24.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/services/samba.fc 2007-10-03 11:10:24.000000000 -0400
|
||||||
@ -10200,7 +10258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.
|
|||||||
dev_read_sysfs(xfs_t)
|
dev_read_sysfs(xfs_t)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.0.8/policy/modules/services/xserver.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.0.8/policy/modules/services/xserver.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.fc 2007-08-22 07:14:07.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/xserver.fc 2007-08-22 07:14:07.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/services/xserver.fc 2007-10-03 11:10:25.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/services/xserver.fc 2007-10-08 13:25:36.000000000 -0400
|
||||||
@@ -32,11 +32,6 @@
|
@@ -32,11 +32,6 @@
|
||||||
/etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
|
/etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
|
||||||
/etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0)
|
/etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0)
|
||||||
@ -10213,7 +10271,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
#
|
#
|
||||||
# /opt
|
# /opt
|
||||||
#
|
#
|
||||||
@@ -92,13 +87,15 @@
|
@@ -92,13 +87,16 @@
|
||||||
/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||||
/var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
|
/var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
|
||||||
|
|
||||||
@ -10222,6 +10280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
|
/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
|
||||||
/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
|
/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
|
||||||
/var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
|
/var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
|
||||||
|
+/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
|
||||||
|
|
||||||
+/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0)
|
+/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||||
/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
|
/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||||
@ -10851,7 +10910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
|
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
|
||||||
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-08-22 07:14:13.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-08-22 07:14:13.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-10-08 11:03:54.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-10-09 10:32:37.000000000 -0400
|
||||||
@@ -26,7 +26,8 @@
|
@@ -26,7 +26,8 @@
|
||||||
type $1_chkpwd_t, can_read_shadow_passwords;
|
type $1_chkpwd_t, can_read_shadow_passwords;
|
||||||
application_domain($1_chkpwd_t,chkpwd_exec_t)
|
application_domain($1_chkpwd_t,chkpwd_exec_t)
|
||||||
@ -10916,7 +10975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
selinux_get_fs_mount($1)
|
selinux_get_fs_mount($1)
|
||||||
selinux_validate_context($1)
|
selinux_validate_context($1)
|
||||||
selinux_compute_access_vector($1)
|
selinux_compute_access_vector($1)
|
||||||
@@ -196,22 +219,36 @@
|
@@ -196,22 +219,40 @@
|
||||||
mls_fd_share_all_levels($1)
|
mls_fd_share_all_levels($1)
|
||||||
|
|
||||||
auth_domtrans_chk_passwd($1)
|
auth_domtrans_chk_passwd($1)
|
||||||
@ -10945,6 +11004,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
+ userdom_set_rlimitnh($1)
|
+ userdom_set_rlimitnh($1)
|
||||||
+
|
+
|
||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
|
+ nis_authenticate($1)
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ optional_policy(`
|
||||||
+ unconfined_set_rlimitnh($1)
|
+ unconfined_set_rlimitnh($1)
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
@ -10954,7 +11017,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -309,9 +346,6 @@
|
@@ -309,9 +350,6 @@
|
||||||
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
|
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -10964,7 +11027,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
corecmd_search_bin($1)
|
corecmd_search_bin($1)
|
||||||
domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
|
domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
|
||||||
|
|
||||||
@@ -329,6 +363,8 @@
|
@@ -329,6 +367,8 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
kerberos_use($1)
|
kerberos_use($1)
|
||||||
@ -10973,7 +11036,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -347,6 +383,37 @@
|
@@ -347,6 +387,37 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -11011,7 +11074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
## Get the attributes of the shadow passwords file.
|
## Get the attributes of the shadow passwords file.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -695,6 +762,24 @@
|
@@ -695,6 +766,24 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -11036,7 +11099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
## Execute pam programs in the PAM domain.
|
## Execute pam programs in the PAM domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -1318,14 +1403,9 @@
|
@@ -1318,14 +1407,9 @@
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`auth_use_nsswitch',`
|
interface(`auth_use_nsswitch',`
|
||||||
@ -11051,7 +11114,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
files_list_var_lib($1)
|
files_list_var_lib($1)
|
||||||
|
|
||||||
miscfiles_read_certs($1)
|
miscfiles_read_certs($1)
|
||||||
@@ -1347,6 +1427,8 @@
|
@@ -1347,6 +1431,8 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
samba_stream_connect_winbind($1)
|
samba_stream_connect_winbind($1)
|
||||||
@ -11060,7 +11123,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -1381,3 +1463,163 @@
|
@@ -1381,3 +1467,163 @@
|
||||||
typeattribute $1 can_write_shadow_passwords;
|
typeattribute $1 can_write_shadow_passwords;
|
||||||
typeattribute $1 can_relabelto_shadow_passwords;
|
typeattribute $1 can_relabelto_shadow_passwords;
|
||||||
')
|
')
|
||||||
@ -13928,7 +13991,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||||||
+/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
|
+/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if
|
||||||
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-06-15 14:54:34.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-06-15 14:54:34.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-10-08 10:26:34.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-10-09 10:33:22.000000000 -0400
|
||||||
@@ -12,14 +12,13 @@
|
@@ -12,14 +12,13 @@
|
||||||
#
|
#
|
||||||
interface(`unconfined_domain_noaudit',`
|
interface(`unconfined_domain_noaudit',`
|
||||||
@ -14421,7 +14484,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
|
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
|
||||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-10-05 14:11:08.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-10-09 10:33:10.000000000 -0400
|
||||||
@@ -29,8 +29,9 @@
|
@@ -29,8 +29,9 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
|
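Review bot: In the rsync.te part of the patch, the new `tunable_policy(`rsync_export_all_ro',` block grants `allow rsync_t self:capability dac_override;`, which lets rsync_t bypass DAC permission checks for writes as well as reads, although the tunable is described as a read-only export. `dac_read_search` is the narrower capability for that purpose, so the line could be `allow rsync_t self:capability dac_read_search;`. Type enforcement still limits what rsync_t may write, but together with `auth_read_all_files_except_shadow(rsync_t)` and `fs_read_noxattr_fs_files(rsync_t)` the boolean exposes almost every file to a network-facing daemon, and the `## <desc>` text ("Allow rsync export files read only") should state that scope. Separately, the new side of nis.if adds `allow $1 self:capability net_bind_service;` to `nis_authenticate`, and authlogin.if now calls `nis_authenticate($1)` from an interface whose header lies outside the visible hunks; it is worth confirming that every domain using that interface needs to bind reserved ports when `allow_ypbind` is on.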