- Fix bug in mozilla policy to allow xguest transition
- This will fix the
This commit is contained in:
Daniel J Walsh
parent
97081dcb9d
commit
954e7c7340
@ -1486,7 +1486,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
|
||||
+/var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.3.1/policy/modules/admin/kismet.if
|
||||
--- nsaserefpolicy/policy/modules/admin/kismet.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/admin/kismet.if 2008-02-26 08:29:22.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/admin/kismet.if 2008-03-17 15:26:30.000000000 -0400
|
||||
@@ -0,0 +1,275 @@
|
||||
+
|
||||
+## <summary>policy for kismet</summary>
|
||||
@ -1721,7 +1721,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
|
||||
+
|
||||
+ kismet_domtrans($1)
|
||||
+ role $2 types kismet_t;
|
||||
+ dontaudit kismet_t $3:chr_file rw_term_perms;
|
||||
+ allow kismet_t $3:chr_file rw_term_perms;
|
||||
+')
|
||||
+
|
||||
+
|
||||
@ -4405,7 +4405,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.3.1/policy/modules/apps/mono.te
|
||||
--- nsaserefpolicy/policy/modules/apps/mono.te 2007-12-19 05:32:09.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/apps/mono.te 2008-02-26 08:29:22.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/apps/mono.te 2008-03-17 17:40:05.000000000 -0400
|
||||
@@ -15,7 +15,7 @@
|
||||
# Local policy
|
||||
#
|
||||
@ -7247,7 +7247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.3.1/policy/modules/kernel/files.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-29 18:02:31.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/files.if 2008-03-04 17:23:42.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/files.if 2008-03-17 11:22:13.000000000 -0400
|
||||
@@ -1266,6 +1266,24 @@
|
||||
|
||||
########################################
|
||||
@ -7425,7 +7425,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
|
||||
# etc_runtime_t is the type of various
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.3.1/policy/modules/kernel/filesystem.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-10-24 15:00:24.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.if 2008-03-06 10:50:35.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.if 2008-03-17 09:11:52.000000000 -0400
|
||||
@@ -310,6 +310,25 @@
|
||||
|
||||
########################################
|
||||
@ -7655,7 +7655,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.3.1/policy/modules/kernel/filesystem.te
|
||||
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-12-19 05:32:07.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.te 2008-02-26 08:29:22.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.te 2008-03-17 11:03:50.000000000 -0400
|
||||
@@ -25,6 +25,8 @@
|
||||
fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
|
||||
fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
|
||||
@ -7685,6 +7685,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
|
||||
|
||||
#
|
||||
# iso9660_t is the type for CD filesystems
|
||||
@@ -231,6 +239,9 @@
|
||||
genfscon hfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||
genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0)
|
||||
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||
+genfscon lustre / gen_context(system_u:object_r:nfs_t,s0)
|
||||
+genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||
+
|
||||
|
||||
########################################
|
||||
#
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.3.1/policy/modules/kernel/kernel.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-10-29 18:02:31.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/kernel.if 2008-02-27 16:58:04.000000000 -0500
|
||||
@ -8743,7 +8753,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te
|
||||
--- nsaserefpolicy/policy/modules/services/apache.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-03-11 19:28:21.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-03-17 11:11:53.000000000 -0400
|
||||
@@ -20,6 +20,8 @@
|
||||
# Declarations
|
||||
#
|
||||
@ -10346,7 +10356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.3.1/policy/modules/services/bluetooth.te
|
||||
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/bluetooth.te 2008-02-26 08:29:22.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/bluetooth.te 2008-03-17 08:41:36.000000000 -0400
|
||||
@@ -32,19 +32,22 @@
|
||||
type bluetooth_var_run_t;
|
||||
files_pid_file(bluetooth_var_run_t)
|
||||
@ -10372,7 +10382,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue
|
||||
allow bluetooth_t self:tcp_socket create_stream_socket_perms;
|
||||
allow bluetooth_t self:udp_socket create_socket_perms;
|
||||
|
||||
@@ -110,6 +113,8 @@
|
||||
@@ -92,6 +95,7 @@
|
||||
dev_rw_usbfs(bluetooth_t)
|
||||
dev_rw_generic_usb_dev(bluetooth_t)
|
||||
dev_read_urand(bluetooth_t)
|
||||
+dev_rw_input_dev(bluetooth_t)
|
||||
|
||||
fs_getattr_all_fs(bluetooth_t)
|
||||
fs_search_auto_mountpoints(bluetooth_t)
|
||||
@@ -110,6 +114,8 @@
|
||||
files_read_etc_runtime_files(bluetooth_t)
|
||||
files_read_usr_files(bluetooth_t)
|
||||
|
||||
@ -10381,7 +10399,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue
|
||||
libs_use_ld_so(bluetooth_t)
|
||||
libs_use_shared_libs(bluetooth_t)
|
||||
|
||||
@@ -118,19 +123,18 @@
|
||||
@@ -118,19 +124,18 @@
|
||||
miscfiles_read_localization(bluetooth_t)
|
||||
miscfiles_read_fonts(bluetooth_t)
|
||||
|
||||
@ -10533,14 +10551,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
|
||||
+/etc/rc.d/init.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_script_exec_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.3.1/policy/modules/services/clamav.if
|
||||
--- nsaserefpolicy/policy/modules/services/clamav.if 2007-01-02 12:57:43.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/clamav.if 2008-02-26 08:29:22.000000000 -0500
|
||||
@@ -91,3 +91,97 @@
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/clamav.if 2008-03-17 09:22:39.000000000 -0400
|
||||
@@ -91,3 +91,116 @@
|
||||
|
||||
domtrans_pattern($1,clamscan_exec_t,clamscan_t)
|
||||
')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute clamscan without a transition.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`clamav_exec_clamscan',`
|
||||
+ gen_require(`
|
||||
+ type clamscan_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ can_exec($1,clamscan_exec_t)
|
||||
+
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute clamav server in the clamav domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
@ -12632,7 +12669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.3.1/policy/modules/services/dbus.te
|
||||
--- nsaserefpolicy/policy/modules/services/dbus.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/dbus.te 2008-02-26 14:09:20.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/dbus.te 2008-03-17 09:13:14.000000000 -0400
|
||||
@@ -9,6 +9,7 @@
|
||||
#
|
||||
# Delcarations
|
||||
@ -12684,15 +12721,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
||||
allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
|
||||
read_files_pattern(system_dbusd_t,dbusd_etc_t,dbusd_etc_t)
|
||||
read_lnk_files_pattern(system_dbusd_t,dbusd_etc_t,dbusd_etc_t)
|
||||
@@ -65,6 +80,7 @@
|
||||
@@ -65,6 +80,8 @@
|
||||
|
||||
fs_getattr_all_fs(system_dbusd_t)
|
||||
fs_search_auto_mountpoints(system_dbusd_t)
|
||||
+fs_list_inotifyfs(system_dbusd_t)
|
||||
+fs_dontaudit_list_nfs(system_dbusd_t)
|
||||
|
||||
selinux_get_fs_mount(system_dbusd_t)
|
||||
selinux_validate_context(system_dbusd_t)
|
||||
@@ -81,7 +97,6 @@
|
||||
@@ -81,7 +98,6 @@
|
||||
corecmd_list_bin(system_dbusd_t)
|
||||
corecmd_read_bin_pipes(system_dbusd_t)
|
||||
corecmd_read_bin_sockets(system_dbusd_t)
|
||||
@ -12700,7 +12738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
||||
|
||||
domain_use_interactive_fds(system_dbusd_t)
|
||||
|
||||
@@ -91,6 +106,8 @@
|
||||
@@ -91,6 +107,8 @@
|
||||
|
||||
init_use_fds(system_dbusd_t)
|
||||
init_use_script_ptys(system_dbusd_t)
|
||||
@ -12709,7 +12747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
||||
|
||||
libs_use_ld_so(system_dbusd_t)
|
||||
libs_use_shared_libs(system_dbusd_t)
|
||||
@@ -121,9 +138,20 @@
|
||||
@@ -121,9 +139,20 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -14075,7 +14113,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.3.1/policy/modules/services/fail2ban.te
|
||||
--- nsaserefpolicy/policy/modules/services/fail2ban.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/fail2ban.te 2008-03-06 16:54:16.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/fail2ban.te 2008-03-17 09:28:06.000000000 -0400
|
||||
@@ -18,6 +18,9 @@
|
||||
type fail2ban_var_run_t;
|
||||
files_pid_file(fail2ban_var_run_t)
|
||||
@ -14086,6 +14124,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail
|
||||
########################################
|
||||
#
|
||||
# fail2ban local policy
|
||||
@@ -25,7 +28,7 @@
|
||||
|
||||
allow fail2ban_t self:process signal;
|
||||
allow fail2ban_t self:fifo_file rw_fifo_file_perms;
|
||||
-allow fail2ban_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
|
||||
# log files
|
||||
allow fail2ban_t fail2ban_log_t:dir setattr;
|
||||
@@ -33,8 +36,9 @@
|
||||
logging_log_filetrans(fail2ban_t,fail2ban_log_t,file)
|
||||
|
||||
@ -14097,9 +14144,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail
|
||||
|
||||
kernel_read_system_state(fail2ban_t)
|
||||
|
||||
@@ -47,14 +51,23 @@
|
||||
@@ -46,15 +50,25 @@
|
||||
domain_use_interactive_fds(fail2ban_t)
|
||||
|
||||
files_read_etc_files(fail2ban_t)
|
||||
+files_read_etc_runtime_files(fail2ban_t)
|
||||
files_read_usr_files(fail2ban_t)
|
||||
+files_list_var(fail2ban_t)
|
||||
+files_search_var_lib(fail2ban_t)
|
||||
@ -14122,7 +14171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail
|
||||
optional_policy(`
|
||||
apache_read_log(fail2ban_t)
|
||||
')
|
||||
@@ -64,5 +77,11 @@
|
||||
@@ -64,5 +78,11 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -15655,8 +15704,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap
|
||||
# Local policy
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.fc serefpolicy-3.3.1/policy/modules/services/lpd.fc
|
||||
--- nsaserefpolicy/policy/modules/services/lpd.fc 2007-11-16 13:45:14.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/lpd.fc 2008-02-26 08:29:22.000000000 -0500
|
||||
@@ -22,6 +22,8 @@
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/lpd.fc 2008-03-17 09:33:24.000000000 -0400
|
||||
@@ -22,11 +22,15 @@
|
||||
/usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
||||
/usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
||||
|
||||
@ -15665,8 +15714,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.
|
||||
/usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0)
|
||||
|
||||
#
|
||||
@@ -30,3 +32,4 @@
|
||||
# /var
|
||||
#
|
||||
/var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
|
||||
+/var/spool/cups-pdf(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
|
||||
/var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0)
|
||||
/var/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0)
|
||||
+
|
||||
@ -16250,7 +16301,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.3.1/policy/modules/services/munin.te
|
||||
--- nsaserefpolicy/policy/modules/services/munin.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/munin.te 2008-02-26 08:29:22.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/munin.te 2008-03-17 11:21:36.000000000 -0400
|
||||
@@ -25,26 +25,33 @@
|
||||
type munin_var_run_t alias lrrd_var_run_t;
|
||||
files_pid_file(munin_var_run_t)
|
||||
@ -16288,22 +16339,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
|
||||
|
||||
manage_dirs_pattern(munin_t,munin_tmp_t,munin_tmp_t)
|
||||
manage_files_pattern(munin_t,munin_tmp_t,munin_tmp_t)
|
||||
@@ -62,8 +69,11 @@
|
||||
@@ -61,9 +68,11 @@
|
||||
files_pid_filetrans(munin_t,munin_var_run_t,file)
|
||||
|
||||
kernel_read_system_state(munin_t)
|
||||
kernel_read_kernel_sysctls(munin_t)
|
||||
-kernel_read_kernel_sysctls(munin_t)
|
||||
+kernel_read_network_state(munin_t)
|
||||
+kernel_read_sysctl(munin_t)
|
||||
+kernel_read_all_sysctls(munin_t)
|
||||
|
||||
corecmd_exec_bin(munin_t)
|
||||
+corecmd_exec_shell(munin_t)
|
||||
|
||||
corenet_all_recvfrom_unlabeled(munin_t)
|
||||
corenet_all_recvfrom_netlabel(munin_t)
|
||||
@@ -73,11 +83,15 @@
|
||||
@@ -73,27 +82,36 @@
|
||||
corenet_udp_sendrecv_all_nodes(munin_t)
|
||||
corenet_tcp_sendrecv_all_ports(munin_t)
|
||||
corenet_udp_sendrecv_all_ports(munin_t)
|
||||
+corenet_tcp_bind_munin_port(munin_t)
|
||||
+corenet_tcp_connect_munin_port(munin_t)
|
||||
+corenet_tcp_connect_http_port(munin_t)
|
||||
+corenet_tcp_bind_all_nodes(munin_t)
|
||||
@ -16316,7 +16369,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
|
||||
|
||||
files_read_etc_files(munin_t)
|
||||
files_read_etc_runtime_files(munin_t)
|
||||
@@ -86,14 +100,17 @@
|
||||
files_read_usr_files(munin_t)
|
||||
+files_list_spool(munin_t)
|
||||
|
||||
fs_getattr_all_fs(munin_t)
|
||||
fs_search_auto_mountpoints(munin_t)
|
||||
|
||||
@ -16335,7 +16390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(munin_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(munin_t)
|
||||
@@ -108,7 +125,19 @@
|
||||
@@ -108,7 +126,20 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -16348,6 +16403,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ mysql_read_config(munin_t)
|
||||
+ mysql_stream_connect(munin_t)
|
||||
+')
|
||||
+
|
||||
@ -16356,7 +16412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -118,3 +147,9 @@
|
||||
@@ -118,3 +149,9 @@
|
||||
optional_policy(`
|
||||
udev_read_db(munin_t)
|
||||
')
|
||||
@ -16377,7 +16433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
|
||||
+/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_script_exec_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.3.1/policy/modules/services/mysql.if
|
||||
--- nsaserefpolicy/policy/modules/services/mysql.if 2007-01-02 12:57:43.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/mysql.if 2008-02-26 08:29:22.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/mysql.if 2008-03-17 11:21:07.000000000 -0400
|
||||
@@ -157,3 +157,74 @@
|
||||
logging_search_logs($1)
|
||||
allow $1 mysqld_log_t:file { write append setattr ioctl };
|
||||
@ -17751,7 +17807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
|
||||
+/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.3.1/policy/modules/services/polkit.if
|
||||
--- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/polkit.if 2008-02-26 08:29:22.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/polkit.if 2008-03-17 17:34:40.000000000 -0400
|
||||
@@ -0,0 +1,189 @@
|
||||
+
|
||||
+## <summary>policy for polkit_auth</summary>
|
||||
@ -18292,7 +18348,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
||||
# Local Policy
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.3.1/policy/modules/services/postfix.te
|
||||
--- nsaserefpolicy/policy/modules/services/postfix.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/postfix.te 2008-02-26 08:29:22.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/postfix.te 2008-03-17 09:23:03.000000000 -0400
|
||||
@@ -6,6 +6,14 @@
|
||||
# Declarations
|
||||
#
|
||||
@ -18363,7 +18419,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
||||
mta_read_aliases(postfix_local_t)
|
||||
mta_delete_spool(postfix_local_t)
|
||||
# For reading spamassasin
|
||||
@@ -285,6 +306,8 @@
|
||||
@@ -280,11 +301,14 @@
|
||||
|
||||
optional_policy(`
|
||||
clamav_search_lib(postfix_local_t)
|
||||
+ clamav_exec_clamscan(postfix_local_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
# for postalias
|
||||
mailman_manage_data_files(postfix_local_t)
|
||||
@ -18372,7 +18434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -295,8 +318,7 @@
|
||||
@@ -295,8 +319,7 @@
|
||||
#
|
||||
# Postfix map local policy
|
||||
#
|
||||
@ -18382,7 +18444,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
||||
allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow postfix_map_t self:unix_dgram_socket create_socket_perms;
|
||||
allow postfix_map_t self:tcp_socket create_stream_socket_perms;
|
||||
@@ -346,8 +368,6 @@
|
||||
@@ -346,8 +369,6 @@
|
||||
|
||||
miscfiles_read_localization(postfix_map_t)
|
||||
|
||||
@ -18391,7 +18453,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
||||
tunable_policy(`read_default_t',`
|
||||
files_list_default(postfix_map_t)
|
||||
files_read_default_files(postfix_map_t)
|
||||
@@ -360,6 +380,11 @@
|
||||
@@ -360,6 +381,11 @@
|
||||
locallogin_dontaudit_use_fds(postfix_map_t)
|
||||
')
|
||||
|
||||
@ -18403,7 +18465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
||||
########################################
|
||||
#
|
||||
# Postfix pickup local policy
|
||||
@@ -392,6 +417,10 @@
|
||||
@@ -392,6 +418,10 @@
|
||||
rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -18414,7 +18476,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
||||
procmail_domtrans(postfix_pipe_t)
|
||||
')
|
||||
|
||||
@@ -400,6 +429,10 @@
|
||||
@@ -400,6 +430,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -18425,7 +18487,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
||||
uucp_domtrans_uux(postfix_pipe_t)
|
||||
')
|
||||
|
||||
@@ -532,9 +565,6 @@
|
||||
@@ -532,9 +566,6 @@
|
||||
# connect to master process
|
||||
stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
|
||||
|
||||
@ -18435,7 +18497,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
||||
# for prng_exch
|
||||
allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
|
||||
allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
|
||||
@@ -557,6 +587,10 @@
|
||||
@@ -557,6 +588,10 @@
|
||||
sasl_connect(postfix_smtpd_t)
|
||||
')
|
||||
|
||||
@ -18446,7 +18508,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
||||
########################################
|
||||
#
|
||||
# Postfix virtual local policy
|
||||
@@ -584,3 +618,4 @@
|
||||
@@ -584,3 +619,4 @@
|
||||
# For reading spamassasin
|
||||
mta_read_config(postfix_virtual_t)
|
||||
mta_manage_spool(postfix_virtual_t)
|
||||
@ -23068,7 +23130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.3.1/policy/modules/services/squid.te
|
||||
--- nsaserefpolicy/policy/modules/services/squid.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/squid.te 2008-02-26 08:29:22.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/squid.te 2008-03-17 14:58:21.000000000 -0400
|
||||
@@ -31,12 +31,15 @@
|
||||
type squid_var_run_t;
|
||||
files_pid_file(squid_var_run_t)
|
||||
@ -23111,7 +23173,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
|
||||
|
||||
selinux_dontaudit_getattr_dir(squid_t)
|
||||
|
||||
@@ -148,11 +155,7 @@
|
||||
@@ -128,6 +135,7 @@
|
||||
files_getattr_home_dir(squid_t)
|
||||
|
||||
auth_use_nsswitch(squid_t)
|
||||
+auth_domtrans_chkpwd(squid_t)
|
||||
|
||||
libs_use_ld_so(squid_t)
|
||||
libs_use_shared_libs(squid_t)
|
||||
@@ -148,11 +156,7 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -23124,7 +23194,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -167,7 +170,12 @@
|
||||
@@ -167,7 +171,12 @@
|
||||
udev_read_db(squid_t)
|
||||
')
|
||||
|
||||
@ -26131,7 +26201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.3.1/policy/modules/system/authlogin.te
|
||||
--- nsaserefpolicy/policy/modules/system/authlogin.te 2008-02-19 17:24:26.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/authlogin.te 2008-03-11 17:52:13.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/authlogin.te 2008-03-17 08:59:58.000000000 -0400
|
||||
@@ -59,6 +59,9 @@
|
||||
type utempter_exec_t;
|
||||
application_domain(utempter_t,utempter_exec_t)
|
||||
@ -26152,7 +26222,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
||||
########################################
|
||||
#
|
||||
# PAM local policy
|
||||
@@ -122,6 +128,12 @@
|
||||
@@ -111,7 +117,8 @@
|
||||
term_use_all_user_ttys(pam_t)
|
||||
term_use_all_user_ptys(pam_t)
|
||||
|
||||
-init_dontaudit_rw_utmp(pam_t)
|
||||
+init_read_utmp(pam_t)
|
||||
+init_dontaudit_write_utmp(pam_t)
|
||||
|
||||
files_read_etc_files(pam_t)
|
||||
|
||||
@@ -122,6 +129,12 @@
|
||||
|
||||
userdom_use_unpriv_users_fds(pam_t)
|
||||
|
||||
@ -26165,7 +26245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(pam_t)
|
||||
@@ -282,6 +294,11 @@
|
||||
@@ -282,6 +295,11 @@
|
||||
')
|
||||
')
|
||||
|
||||
@ -26177,7 +26257,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
||||
########################################
|
||||
#
|
||||
# updpwd local policy
|
||||
@@ -297,8 +314,10 @@
|
||||
@@ -297,8 +315,10 @@
|
||||
files_manage_etc_files(updpwd_t)
|
||||
|
||||
term_dontaudit_use_console(updpwd_t)
|
||||
@ -26189,7 +26269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
||||
|
||||
auth_manage_shadow(updpwd_t)
|
||||
auth_use_nsswitch(updpwd_t)
|
||||
@@ -359,11 +378,6 @@
|
||||
@@ -359,11 +379,6 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -28401,8 +28481,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.te serefpolicy-3.3.1/policy/modules/system/qemu.te
|
||||
--- nsaserefpolicy/policy/modules/system/qemu.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/qemu.te 2008-02-26 08:29:22.000000000 -0500
|
||||
@@ -0,0 +1,47 @@
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/qemu.te 2008-03-17 17:40:17.000000000 -0400
|
||||
@@ -0,0 +1,50 @@
|
||||
+policy_module(qemu,1.0.0)
|
||||
+
|
||||
+## <desc>
|
||||
@ -28450,6 +28530,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.t
|
||||
+allow qemu_unconfined_t self:process { execstack execmem };
|
||||
+
|
||||
+
|
||||
+optional_policy(`
|
||||
+ xserver_xdm_rw_shm(qemu_unconfined_t)
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.3.1/policy/modules/system/raid.te
|
||||
--- nsaserefpolicy/policy/modules/system/raid.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/raid.te 2008-02-26 08:29:22.000000000 -0500
|
||||
@ -33358,8 +33441,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.3.1/policy/modules/system/virt.te
|
||||
--- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-03-05 18:05:21.000000000 -0500
|
||||
@@ -0,0 +1,162 @@
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-03-17 17:37:52.000000000 -0400
|
||||
@@ -0,0 +1,179 @@
|
||||
+
|
||||
+policy_module(virt,1.0.0)
|
||||
+
|
||||
@ -33443,6 +33526,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t
|
||||
+filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
|
||||
+
|
||||
+corecmd_exec_bin(virtd_t)
|
||||
+corecmd_exec_shell(virtd_t)
|
||||
+
|
||||
+corenet_all_recvfrom_unlabeled(virtd_t)
|
||||
+corenet_all_recvfrom_netlabel(virtd_t)
|
||||
@ -33457,6 +33541,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t
|
||||
+corenet_rw_tun_tap_dev(virtd_t)
|
||||
+
|
||||
+dev_read_sysfs(virtd_t)
|
||||
+dev_read_rand(virtd_t)
|
||||
+
|
||||
+kernel_read_system_state(virtd_t)
|
||||
+kernel_read_network_state(virtd_t)
|
||||
@ -33467,7 +33552,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t
|
||||
+# Init script handling
|
||||
+domain_use_interactive_fds(virtd_t)
|
||||
+
|
||||
+files_read_usr_files(virtd_t)
|
||||
+files_read_etc_files(virtd_t)
|
||||
+files_read_usr_files(virtd_t)
|
||||
+files_read_etc_runtime_files(virtd_t)
|
||||
+files_search_all(virtd_t)
|
||||
+
|
||||
@ -33478,9 +33565,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t
|
||||
+miscfiles_read_certs(virtd_t)
|
||||
+
|
||||
+auth_use_nsswitch(virtd_t)
|
||||
+
|
||||
+logging_send_syslog_msg(virtd_t)
|
||||
+
|
||||
+userdom_read_all_users_state(virtd_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ brctl_domtrans(virtd_t)
|
||||
+')
|
||||
@ -33492,6 +33580,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t
|
||||
+ ')
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ consolekit_dbus_chat(virtd_t)
|
||||
+ ')
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ hal_dbus_chat(virtd_t)
|
||||
+ ')
|
||||
+')
|
||||
@ -33507,6 +33599,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ polkit_domtrans_auth(virtd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ qemu_domtrans(virtd_t)
|
||||
+ qemu_read_state(virtd_t)
|
||||
+ qemu_signal(virtd_t)
|
||||
@ -33522,6 +33618,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t
|
||||
+ xen_stream_connect_xenstore(virtd_t)
|
||||
+')
|
||||
+
|
||||
+allow virtd_t unconfined_t:dir { getattr search };
|
||||
+allow virtd_t unconfined_t:file read;
|
||||
+allow virtd_t unconfined_t:process getattr;
|
||||
+allow virtd_t usr_t:file read;
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.3.1/policy/modules/system/xen.if
|
||||
--- nsaserefpolicy/policy/modules/system/xen.if 2007-06-21 09:32:04.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/xen.if 2008-02-26 08:29:22.000000000 -0500
|
||||
|
||||
Loading…
Reference in New Issue
Block a user