- Dontaudit consoletype talking to unconfined_t

This commit is contained in:
Daniel J Walsh 2007-10-09 14:51:25 +00:00
parent 7a91e89abe
commit 915a9f26cc

View File

@ -280,7 +280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors
class key class key
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.0.8/policy/global_tunables diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.0.8/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2007-05-29 14:10:59.000000000 -0400 --- nsaserefpolicy/policy/global_tunables 2007-05-29 14:10:59.000000000 -0400
+++ serefpolicy-3.0.8/policy/global_tunables 2007-10-03 11:10:24.000000000 -0400 +++ serefpolicy-3.0.8/policy/global_tunables 2007-10-08 11:41:21.000000000 -0400
@@ -133,3 +133,18 @@ @@ -133,3 +133,18 @@
## </desc> ## </desc>
gen_tunable(write_untrusted_content,false) gen_tunable(write_untrusted_content,false)
@ -2581,7 +2581,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.8/policy/modules/kernel/devices.fc diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.8/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-09-12 10:34:49.000000000 -0400 --- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-09-12 10:34:49.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2007-10-03 11:10:24.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2007-10-08 11:30:10.000000000 -0400
@@ -20,6 +20,7 @@ @@ -20,6 +20,7 @@
/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) /dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0) /dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
@ -3462,8 +3462,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu
neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam; neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.0.8/policy/modules/kernel/storage.fc diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.0.8/policy/modules/kernel/storage.fc
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2007-08-22 07:14:06.000000000 -0400 --- nsaserefpolicy/policy/modules/kernel/storage.fc 2007-08-22 07:14:06.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/storage.fc 2007-10-03 11:10:24.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/kernel/storage.fc 2007-10-08 11:31:31.000000000 -0400
@@ -52,7 +52,7 @@ @@ -39,6 +39,7 @@
')
/dev/s(cd|r)[^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/sbpcd.* -b gen_context(system_u:object_r:removable_device_t,s0)
+/dev/bsg/.+ -c gen_context(system_u:object_r:scsi_generic_device_t,s0)
/dev/sg[0-9]+ -c gen_context(system_u:object_r:scsi_generic_device_t,s0)
/dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0)
@@ -52,7 +53,7 @@
/dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@ -5849,7 +5857,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
+ +
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.0.8/policy/modules/services/dovecot.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.0.8/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2007-07-25 10:37:42.000000000 -0400 --- nsaserefpolicy/policy/modules/services/dovecot.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/dovecot.te 2007-10-08 11:24:32.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/dovecot.te 2007-10-09 10:31:36.000000000 -0400
@@ -15,6 +15,12 @@ @@ -15,6 +15,12 @@
domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t) domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
role system_r types dovecot_auth_t; role system_r types dovecot_auth_t;
@ -5911,7 +5919,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
seutil_sigchld_newrole(dovecot_t) seutil_sigchld_newrole(dovecot_t)
') ')
@@ -145,33 +144,43 @@ @@ -145,33 +144,40 @@
# dovecot auth local policy # dovecot auth local policy
# #
@ -5947,9 +5955,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
+auth_domtrans_upd_passwd(dovecot_auth_t) +auth_domtrans_upd_passwd(dovecot_auth_t)
auth_use_nsswitch(dovecot_auth_t) auth_use_nsswitch(dovecot_auth_t)
+optional_policy
+nis_authenticate(dovecot_auth_t)
+
files_read_etc_files(dovecot_auth_t) files_read_etc_files(dovecot_auth_t)
files_read_etc_runtime_files(dovecot_auth_t) files_read_etc_runtime_files(dovecot_auth_t)
files_search_pids(dovecot_auth_t) files_search_pids(dovecot_auth_t)
@ -5957,7 +5962,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
files_read_usr_symlinks(dovecot_auth_t) files_read_usr_symlinks(dovecot_auth_t)
files_search_tmp(dovecot_auth_t) files_search_tmp(dovecot_auth_t)
files_read_var_lib_files(dovecot_t) files_read_var_lib_files(dovecot_t)
@@ -185,12 +194,46 @@ @@ -185,12 +191,50 @@
seutil_dontaudit_search_config(dovecot_auth_t) seutil_dontaudit_search_config(dovecot_auth_t)
@ -5971,12 +5976,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
- logging_send_syslog_msg(dovecot_auth_t) - logging_send_syslog_msg(dovecot_auth_t)
+ mysql_search_db(dovecot_auth_t) + mysql_search_db(dovecot_auth_t)
+ mysql_stream_connect(dovecot_auth_t) + mysql_stream_connect(dovecot_auth_t)
') +')
+
+optional_policy(`
+ nis_authenticate(dovecot_auth_t)
+')
+ +
+optional_policy(` +optional_policy(`
+ postfix_create_pivate_sockets(dovecot_auth_t) + postfix_create_pivate_sockets(dovecot_auth_t)
+ postfix_search_spool(dovecot_auth_t) + postfix_search_spool(dovecot_auth_t)
+') ')
+ +
+# for gssapi (kerberos) +# for gssapi (kerberos)
+userdom_list_unpriv_users_tmp(dovecot_auth_t) +userdom_list_unpriv_users_tmp(dovecot_auth_t)
@ -6533,7 +6542,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
/var/run/vbestate -- gen_context(system_u:object_r:hald_var_run_t,s0) /var/run/vbestate -- gen_context(system_u:object_r:hald_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.0.8/policy/modules/services/hal.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.0.8/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2007-09-12 10:34:50.000000000 -0400 --- nsaserefpolicy/policy/modules/services/hal.te 2007-09-12 10:34:50.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/hal.te 2007-10-05 11:48:00.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/hal.te 2007-10-08 11:29:21.000000000 -0400
@@ -49,6 +49,9 @@ @@ -49,6 +49,9 @@
type hald_var_lib_t; type hald_var_lib_t;
files_type(hald_var_lib_t) files_type(hald_var_lib_t)
@ -7510,7 +7519,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
/usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0) /usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.0.8/policy/modules/services/nis.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.0.8/policy/modules/services/nis.if
--- nsaserefpolicy/policy/modules/services/nis.if 2007-07-03 07:06:27.000000000 -0400 --- nsaserefpolicy/policy/modules/services/nis.if 2007-07-03 07:06:27.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/nis.if 2007-10-08 11:06:33.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/nis.if 2007-10-09 10:30:46.000000000 -0400
@@ -49,8 +49,8 @@ @@ -49,8 +49,8 @@
corenet_udp_bind_all_nodes($1) corenet_udp_bind_all_nodes($1)
corenet_tcp_bind_generic_port($1) corenet_tcp_bind_generic_port($1)
@ -7522,11 +7531,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
corenet_dontaudit_tcp_bind_all_ports($1) corenet_dontaudit_tcp_bind_all_ports($1)
corenet_dontaudit_udp_bind_all_ports($1) corenet_dontaudit_udp_bind_all_ports($1)
corenet_tcp_connect_portmap_port($1) corenet_tcp_connect_portmap_port($1)
@@ -87,6 +87,25 @@ @@ -87,6 +87,27 @@
######################################## ########################################
## <summary> ## <summary>
+## Use the ypbind service to access NIS services. +## Use the nis to authenticate passwords
+## </summary> +## </summary>
+## <param name="domain"> +## <param name="domain">
+## <summary> +## <summary>
@ -7538,6 +7547,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
+interface(`nis_authenticate',` +interface(`nis_authenticate',`
+ tunable_policy(`allow_ypbind',` + tunable_policy(`allow_ypbind',`
+ nis_use_ypbind_uncond($1) + nis_use_ypbind_uncond($1)
+ # Needs to bind to a port < 1024
+ allow $1 self:capability net_bind_service;
+ corenet_tcp_bind_all_rpc_ports($1) + corenet_tcp_bind_all_rpc_ports($1)
+ corenet_udp_bind_all_rpc_ports($1) + corenet_udp_bind_all_rpc_ports($1)
+ ') + ')
@ -8670,7 +8681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
## <param name="domain"> ## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.8/policy/modules/services/rpc.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.8/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2007-07-25 10:37:42.000000000 -0400 --- nsaserefpolicy/policy/modules/services/rpc.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/rpc.te 2007-10-03 11:10:24.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/rpc.te 2007-10-08 11:39:31.000000000 -0400
@@ -59,10 +59,14 @@ @@ -59,10 +59,14 @@
manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t) manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
files_pid_filetrans(rpcd_t,rpcd_var_run_t,file) files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
@ -8836,8 +8847,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd
-') -')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.0.8/policy/modules/services/rsync.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.0.8/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2007-07-25 10:37:42.000000000 -0400 --- nsaserefpolicy/policy/modules/services/rsync.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/rsync.te 2007-10-03 11:10:24.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/rsync.te 2007-10-08 11:44:11.000000000 -0400
@@ -17,6 +17,7 @@ @@ -8,6 +8,13 @@
## <desc>
## <p>
+## Allow rsync export files read only
+## </p>
+## </desc>
+gen_tunable(rsync_export_all_ro,false)
+
+## <desc>
+## <p>
## Allow rsync to modify public files
## used for public file transfer services.
## </p>
@@ -17,6 +24,7 @@
type rsync_t; type rsync_t;
type rsync_exec_t; type rsync_exec_t;
init_daemon_domain(rsync_t,rsync_exec_t) init_daemon_domain(rsync_t,rsync_exec_t)
@ -8845,6 +8870,39 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
role system_r types rsync_t; role system_r types rsync_t;
type rsync_data_t; type rsync_data_t;
@@ -57,6 +65,8 @@
manage_files_pattern(rsync_t,rsync_var_run_t,rsync_var_run_t)
files_pid_filetrans(rsync_t,rsync_var_run_t,file)
+auth_use_nsswitch(rsync_t)
+
kernel_read_kernel_sysctls(rsync_t)
kernel_read_system_state(rsync_t)
kernel_read_network_state(rsync_t)
@@ -89,8 +99,6 @@
miscfiles_read_localization(rsync_t)
miscfiles_read_public_files(rsync_t)
-sysnet_read_config(rsync_t)
-
tunable_policy(`allow_rsync_anon_write',`
miscfiles_manage_public_files(rsync_t)
')
@@ -107,10 +115,8 @@
inetd_service_domain(rsync_t,rsync_exec_t)
')
-optional_policy(`
- nis_use_ypbind(rsync_t)
-')
-
-optional_policy(`
- nscd_socket_use(rsync_t)
+tunable_policy(`rsync_export_all_ro',`
+ allow rsync_t self:capability dac_override;
+ fs_read_noxattr_fs_files(rsync_t)
+ auth_read_all_files_except_shadow(rsync_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.0.8/policy/modules/services/samba.fc diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.0.8/policy/modules/services/samba.fc
--- nsaserefpolicy/policy/modules/services/samba.fc 2007-06-19 16:23:34.000000000 -0400 --- nsaserefpolicy/policy/modules/services/samba.fc 2007-06-19 16:23:34.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/samba.fc 2007-10-03 11:10:24.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/samba.fc 2007-10-03 11:10:24.000000000 -0400
@ -10200,7 +10258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.
dev_read_sysfs(xfs_t) dev_read_sysfs(xfs_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.0.8/policy/modules/services/xserver.fc diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.0.8/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2007-08-22 07:14:07.000000000 -0400 --- nsaserefpolicy/policy/modules/services/xserver.fc 2007-08-22 07:14:07.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/xserver.fc 2007-10-03 11:10:25.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/xserver.fc 2007-10-08 13:25:36.000000000 -0400
@@ -32,11 +32,6 @@ @@ -32,11 +32,6 @@
/etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0)
@ -10213,7 +10271,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# #
# /opt # /opt
# #
@@ -92,13 +87,15 @@ @@ -92,13 +87,16 @@
/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0) /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
@ -10222,6 +10280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) /var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
@ -10851,7 +10910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-08-22 07:14:13.000000000 -0400 --- nsaserefpolicy/policy/modules/system/authlogin.if 2007-08-22 07:14:13.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-10-08 11:03:54.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-10-09 10:32:37.000000000 -0400
@@ -26,7 +26,8 @@ @@ -26,7 +26,8 @@
type $1_chkpwd_t, can_read_shadow_passwords; type $1_chkpwd_t, can_read_shadow_passwords;
application_domain($1_chkpwd_t,chkpwd_exec_t) application_domain($1_chkpwd_t,chkpwd_exec_t)
@ -10916,7 +10975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
selinux_get_fs_mount($1) selinux_get_fs_mount($1)
selinux_validate_context($1) selinux_validate_context($1)
selinux_compute_access_vector($1) selinux_compute_access_vector($1)
@@ -196,22 +219,36 @@ @@ -196,22 +219,40 @@
mls_fd_share_all_levels($1) mls_fd_share_all_levels($1)
auth_domtrans_chk_passwd($1) auth_domtrans_chk_passwd($1)
@ -10945,6 +11004,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+ userdom_set_rlimitnh($1) + userdom_set_rlimitnh($1)
+ +
+ optional_policy(` + optional_policy(`
+ nis_authenticate($1)
+ ')
+
+ optional_policy(`
+ unconfined_set_rlimitnh($1) + unconfined_set_rlimitnh($1)
+ ') + ')
+ +
@ -10954,7 +11017,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
') ')
') ')
@@ -309,9 +346,6 @@ @@ -309,9 +350,6 @@
type system_chkpwd_t, chkpwd_exec_t, shadow_t; type system_chkpwd_t, chkpwd_exec_t, shadow_t;
') ')
@ -10964,7 +11027,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
corecmd_search_bin($1) corecmd_search_bin($1)
domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t) domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
@@ -329,6 +363,8 @@ @@ -329,6 +367,8 @@
optional_policy(` optional_policy(`
kerberos_use($1) kerberos_use($1)
@ -10973,7 +11036,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
') ')
optional_policy(` optional_policy(`
@@ -347,6 +383,37 @@ @@ -347,6 +387,37 @@
######################################## ########################################
## <summary> ## <summary>
@ -11011,7 +11074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
## Get the attributes of the shadow passwords file. ## Get the attributes of the shadow passwords file.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -695,6 +762,24 @@ @@ -695,6 +766,24 @@
######################################## ########################################
## <summary> ## <summary>
@ -11036,7 +11099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
## Execute pam programs in the PAM domain. ## Execute pam programs in the PAM domain.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -1318,14 +1403,9 @@ @@ -1318,14 +1407,9 @@
## </param> ## </param>
# #
interface(`auth_use_nsswitch',` interface(`auth_use_nsswitch',`
@ -11051,7 +11114,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
files_list_var_lib($1) files_list_var_lib($1)
miscfiles_read_certs($1) miscfiles_read_certs($1)
@@ -1347,6 +1427,8 @@ @@ -1347,6 +1431,8 @@
optional_policy(` optional_policy(`
samba_stream_connect_winbind($1) samba_stream_connect_winbind($1)
@ -11060,7 +11123,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
') ')
') ')
@@ -1381,3 +1463,163 @@ @@ -1381,3 +1467,163 @@
typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords;
') ')
@ -13928,7 +13991,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-06-15 14:54:34.000000000 -0400 --- nsaserefpolicy/policy/modules/system/unconfined.if 2007-06-15 14:54:34.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-10-08 10:26:34.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-10-09 10:33:22.000000000 -0400
@@ -12,14 +12,13 @@ @@ -12,14 +12,13 @@
# #
interface(`unconfined_domain_noaudit',` interface(`unconfined_domain_noaudit',`
@ -14421,7 +14484,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400 --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-10-05 14:11:08.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-10-09 10:33:10.000000000 -0400
@@ -29,8 +29,9 @@ @@ -29,8 +29,9 @@
') ')