- Allow cron to run unconfined apps
parent
99d3676891
commit
91c2fa9d31
|
@ -5323,7 +5323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.2.4/policy/modules/services/cron.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.2.4/policy/modules/services/cron.te
|
||||||
--- nsaserefpolicy/policy/modules/services/cron.te 2007-12-06 13:12:03.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/cron.te 2007-12-06 13:12:03.000000000 -0500
|
||||||
+++ serefpolicy-3.2.4/policy/modules/services/cron.te 2007-12-13 17:37:34.000000000 -0500
|
+++ serefpolicy-3.2.4/policy/modules/services/cron.te 2007-12-18 08:34:29.000000000 -0500
|
||||||
@@ -50,6 +50,7 @@
|
@@ -50,6 +50,7 @@
|
||||||
|
|
||||||
type crond_tmp_t;
|
type crond_tmp_t;
|
||||||
|
@ -5373,7 +5373,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
||||||
|
|
||||||
kernel_read_kernel_sysctls(crond_t)
|
kernel_read_kernel_sysctls(crond_t)
|
||||||
kernel_search_key(crond_t)
|
kernel_search_key(crond_t)
|
||||||
@@ -148,7 +154,9 @@
|
@@ -133,6 +139,8 @@
|
||||||
|
corecmd_read_bin_symlinks(crond_t)
|
||||||
|
|
||||||
|
domain_use_interactive_fds(crond_t)
|
||||||
|
+domain_subj_id_change_exemption(crond_t)
|
||||||
|
+domain_role_change_exemption(crond_t)
|
||||||
|
|
||||||
|
files_read_etc_files(crond_t)
|
||||||
|
files_read_generic_spool(crond_t)
|
||||||
|
@@ -148,7 +156,9 @@
|
||||||
libs_use_ld_so(crond_t)
|
libs_use_ld_so(crond_t)
|
||||||
libs_use_shared_libs(crond_t)
|
libs_use_shared_libs(crond_t)
|
||||||
|
|
||||||
|
@ -5383,7 +5392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
||||||
|
|
||||||
seutil_read_config(crond_t)
|
seutil_read_config(crond_t)
|
||||||
seutil_read_default_contexts(crond_t)
|
seutil_read_default_contexts(crond_t)
|
||||||
@@ -163,9 +171,6 @@
|
@@ -163,9 +173,6 @@
|
||||||
mta_send_mail(crond_t)
|
mta_send_mail(crond_t)
|
||||||
|
|
||||||
ifdef(`distro_debian',`
|
ifdef(`distro_debian',`
|
||||||
|
@ -5393,7 +5402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
# Debian logcheck has the home dir set to its cache
|
# Debian logcheck has the home dir set to its cache
|
||||||
logwatch_search_cache_dir(crond_t)
|
logwatch_search_cache_dir(crond_t)
|
||||||
@@ -180,16 +185,39 @@
|
@@ -180,16 +187,39 @@
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -5433,7 +5442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
||||||
amavis_search_lib(crond_t)
|
amavis_search_lib(crond_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -267,9 +295,16 @@
|
@@ -267,9 +297,16 @@
|
||||||
filetrans_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t,{ file lnk_file })
|
filetrans_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t,{ file lnk_file })
|
||||||
files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file)
|
files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file)
|
||||||
|
|
||||||
|
@ -5451,7 +5460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
||||||
|
|
||||||
kernel_read_kernel_sysctls(system_crond_t)
|
kernel_read_kernel_sysctls(system_crond_t)
|
||||||
kernel_read_system_state(system_crond_t)
|
kernel_read_system_state(system_crond_t)
|
||||||
@@ -323,7 +358,7 @@
|
@@ -323,7 +360,7 @@
|
||||||
init_read_utmp(system_crond_t)
|
init_read_utmp(system_crond_t)
|
||||||
init_dontaudit_rw_utmp(system_crond_t)
|
init_dontaudit_rw_utmp(system_crond_t)
|
||||||
# prelink tells init to restart it self, we either need to allow or dontaudit
|
# prelink tells init to restart it self, we either need to allow or dontaudit
|
||||||
|
@ -5460,7 +5469,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
||||||
|
|
||||||
auth_use_nsswitch(system_crond_t)
|
auth_use_nsswitch(system_crond_t)
|
||||||
|
|
||||||
@@ -333,6 +368,7 @@
|
@@ -333,6 +370,7 @@
|
||||||
libs_exec_ld_so(system_crond_t)
|
libs_exec_ld_so(system_crond_t)
|
||||||
|
|
||||||
logging_read_generic_logs(system_crond_t)
|
logging_read_generic_logs(system_crond_t)
|
||||||
|
@ -5468,7 +5477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
||||||
logging_send_syslog_msg(system_crond_t)
|
logging_send_syslog_msg(system_crond_t)
|
||||||
|
|
||||||
miscfiles_read_localization(system_crond_t)
|
miscfiles_read_localization(system_crond_t)
|
||||||
@@ -383,6 +419,14 @@
|
@@ -383,6 +421,14 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -5483,7 +5492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
||||||
mrtg_append_create_logs(system_crond_t)
|
mrtg_append_create_logs(system_crond_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -415,8 +459,7 @@
|
@@ -415,8 +461,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -5493,12 +5502,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -424,8 +467,12 @@
|
@@ -424,8 +469,13 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
+ unconfined_dbus_send(crond_t)
|
+ unconfined_dbus_send(crond_t)
|
||||||
+ unconfined_shell_domtrans(crond_t)
|
+ unconfined_shell_domtrans(crond_t)
|
||||||
|
+ unconfined_domain(crond_t)
|
||||||
unconfined_domain(system_crond_t)
|
unconfined_domain(system_crond_t)
|
||||||
+')
|
+')
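Review bot: The added `unconfined_domain(crond_t)` in the final `optional_policy` block of cron.te removes confinement from the cron daemon itself, not only from the jobs it starts, so a flaw in crond's own crontab or environment handling would no longer be contained by policy. The same block already carries `unconfined_shell_domtrans(crond_t)`, and the new `@@ -133,6 +139,8 @@` hunk adds `domain_subj_id_change_exemption(crond_t)` and `domain_role_change_exemption(crond_t)`; these appear to be what is needed to launch jobs in the unconfined domain, so it is worth checking whether the `unconfined_domain(crond_t)` line can be dropped and crond_t kept confined. If a specific denial does require it, name it in a comment next to the line, for example `# needed for <denied permission>, see <bug reference>`. The two exemption lines relax the identity and role-change constraints for the whole daemon domain and would benefit from a comment such as `# crond starts jobs under the job owner's SELinux user and role`.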
|
||||||
|
|
||||||
|
|
|
@ -17,7 +17,7 @@
|
||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.2.4
|
Version: 3.2.4
|
||||||
Release: 3%{?dist}
|
Release: 4%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
|
@ -382,6 +382,9 @@ exit 0
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Dec 18 2007 Dan Walsh <dwalsh@redhat.com> 3.2.4-4
|
||||||
|
- Allow cron to run unconfined apps
|
||||||
|
|
||||||
* Mon Dec 17 2007 Dan Walsh <dwalsh@redhat.com> 3.2.4-3
|
* Mon Dec 17 2007 Dan Walsh <dwalsh@redhat.com> 3.2.4-3
|
||||||
- Modify default login to unconfined_u
|
- Modify default login to unconfined_u
|
||||||
|
|
||||||
|
|