- Allow NetworkManager to manage /etc/NetworkManager/system-connections
parent
150ff59c76
commit
99fbfb417d
|
@ -120,14 +120,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
|
||||||
+user_r:user_t:s0 user_r:user_t:s0
|
+user_r:user_t:s0 user_r:user_t:s0
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_domain_context serefpolicy-3.6.6/config/appconfig-mcs/virtual_domain_context
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_domain_context serefpolicy-3.6.6/config/appconfig-mcs/virtual_domain_context
|
||||||
--- nsaserefpolicy/config/appconfig-mcs/virtual_domain_context 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/config/appconfig-mcs/virtual_domain_context 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.6.6/config/appconfig-mcs/virtual_domain_context 2009-02-18 13:57:20.000000000 -0500
|
+++ serefpolicy-3.6.6/config/appconfig-mcs/virtual_domain_context 2009-02-25 15:59:16.000000000 -0500
|
||||||
@@ -0,0 +1 @@
|
@@ -0,0 +1 @@
|
||||||
+system_u:system_r:qemu_t:s0
|
+system_u:system_r:qemu_t:s0
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_image_context serefpolicy-3.6.6/config/appconfig-mcs/virtual_image_context
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_image_context serefpolicy-3.6.6/config/appconfig-mcs/virtual_image_context
|
||||||
--- nsaserefpolicy/config/appconfig-mcs/virtual_image_context 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/config/appconfig-mcs/virtual_image_context 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.6.6/config/appconfig-mcs/virtual_image_context 2009-02-18 13:57:52.000000000 -0500
|
+++ serefpolicy-3.6.6/config/appconfig-mcs/virtual_image_context 2009-02-25 15:59:31.000000000 -0500
|
||||||
@@ -0,0 +1 @@
|
@@ -0,0 +1 @@
|
||||||
+system_u:object_r:virt_image_t:s0
|
+system_u:object_r:virt_image_t:s0
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.6.6/config/appconfig-mcs/xguest_u_default_contexts
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.6.6/config/appconfig-mcs/xguest_u_default_contexts
|
||||||
--- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.6.6/config/appconfig-mcs/xguest_u_default_contexts 2009-02-16 13:18:06.000000000 -0500
|
+++ serefpolicy-3.6.6/config/appconfig-mcs/xguest_u_default_contexts 2009-02-16 13:18:06.000000000 -0500
|
||||||
|
@ -194,14 +194,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
|
||||||
+#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
|
+#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_domain_context serefpolicy-3.6.6/config/appconfig-mls/virtual_domain_context
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_domain_context serefpolicy-3.6.6/config/appconfig-mls/virtual_domain_context
|
||||||
--- nsaserefpolicy/config/appconfig-mls/virtual_domain_context 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/config/appconfig-mls/virtual_domain_context 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.6.6/config/appconfig-mls/virtual_domain_context 2009-02-18 13:58:20.000000000 -0500
|
+++ serefpolicy-3.6.6/config/appconfig-mls/virtual_domain_context 2009-02-25 15:59:44.000000000 -0500
|
||||||
@@ -0,0 +1 @@
|
@@ -0,0 +1 @@
|
||||||
+system_u:system_r:qemu_t:s0
|
+system_u:system_r:qemu_t:s0
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_image_context serefpolicy-3.6.6/config/appconfig-mls/virtual_image_context
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_image_context serefpolicy-3.6.6/config/appconfig-mls/virtual_image_context
|
||||||
--- nsaserefpolicy/config/appconfig-mls/virtual_image_context 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/config/appconfig-mls/virtual_image_context 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.6.6/config/appconfig-mls/virtual_image_context 2009-02-18 13:58:20.000000000 -0500
|
+++ serefpolicy-3.6.6/config/appconfig-mls/virtual_image_context 2009-02-25 15:59:44.000000000 -0500
|
||||||
@@ -0,0 +1 @@
|
@@ -0,0 +1 @@
|
||||||
+system_u:object_r:virt_image_t:s0
|
+system_u:object_r:virt_image_t:s0
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/xguest_u_default_contexts serefpolicy-3.6.6/config/appconfig-mls/xguest_u_default_contexts
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/xguest_u_default_contexts serefpolicy-3.6.6/config/appconfig-mls/xguest_u_default_contexts
|
||||||
--- nsaserefpolicy/config/appconfig-mls/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/config/appconfig-mls/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.6.6/config/appconfig-mls/xguest_u_default_contexts 2009-02-16 13:18:06.000000000 -0500
|
+++ serefpolicy-3.6.6/config/appconfig-mls/xguest_u_default_contexts 2009-02-16 13:18:06.000000000 -0500
|
||||||
|
@ -1420,8 +1420,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
java_domtrans_unconfined(rpm_script_t)
|
java_domtrans_unconfined(rpm_script_t)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.6/policy/modules/admin/sudo.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.6/policy/modules/admin/sudo.if
|
||||||
--- nsaserefpolicy/policy/modules/admin/sudo.if 2008-11-11 16:13:49.000000000 -0500
|
--- nsaserefpolicy/policy/modules/admin/sudo.if 2008-11-11 16:13:49.000000000 -0500
|
||||||
+++ serefpolicy-3.6.6/policy/modules/admin/sudo.if 2009-02-16 13:18:06.000000000 -0500
|
+++ serefpolicy-3.6.6/policy/modules/admin/sudo.if 2009-02-23 10:23:38.000000000 -0500
|
||||||
@@ -51,7 +51,7 @@
|
@@ -32,6 +32,7 @@
|
||||||
|
|
||||||
|
gen_require(`
|
||||||
|
type sudo_exec_t;
|
||||||
|
+ attribute sudodomain;
|
||||||
|
')
|
||||||
|
|
||||||
|
##############################
|
||||||
|
@@ -39,7 +40,7 @@
|
||||||
|
# Declarations
|
||||||
|
#
|
||||||
|
|
||||||
|
- type $1_sudo_t;
|
||||||
|
+ type $1_sudo_t, sudodomain;
|
||||||
|
application_domain($1_sudo_t, sudo_exec_t)
|
||||||
|
domain_interactive_fd($1_sudo_t)
|
||||||
|
ubac_constrained($1_sudo_t)
|
||||||
|
@@ -51,7 +52,7 @@
|
||||||
#
|
#
|
||||||
|
|
||||||
# Use capabilities.
|
# Use capabilities.
|
||||||
|
@ -1430,7 +1447,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||||
allow $1_sudo_t self:process { setexec setrlimit };
|
allow $1_sudo_t self:process { setexec setrlimit };
|
||||||
allow $1_sudo_t self:fd use;
|
allow $1_sudo_t self:fd use;
|
||||||
@@ -64,33 +64,37 @@
|
@@ -64,33 +65,37 @@
|
||||||
allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
|
allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
allow $1_sudo_t self:unix_dgram_socket sendto;
|
allow $1_sudo_t self:unix_dgram_socket sendto;
|
||||||
allow $1_sudo_t self:unix_stream_socket connectto;
|
allow $1_sudo_t self:unix_stream_socket connectto;
|
||||||
|
@ -1472,7 +1489,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
domain_use_interactive_fds($1_sudo_t)
|
domain_use_interactive_fds($1_sudo_t)
|
||||||
domain_sigchld_interactive_fds($1_sudo_t)
|
domain_sigchld_interactive_fds($1_sudo_t)
|
||||||
@@ -102,9 +106,11 @@
|
@@ -102,9 +107,11 @@
|
||||||
files_getattr_usr_files($1_sudo_t)
|
files_getattr_usr_files($1_sudo_t)
|
||||||
# for some PAM modules and for cwd
|
# for some PAM modules and for cwd
|
||||||
files_dontaudit_search_home($1_sudo_t)
|
files_dontaudit_search_home($1_sudo_t)
|
||||||
|
@ -1484,7 +1501,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
logging_send_syslog_msg($1_sudo_t)
|
logging_send_syslog_msg($1_sudo_t)
|
||||||
|
|
||||||
miscfiles_read_localization($1_sudo_t)
|
miscfiles_read_localization($1_sudo_t)
|
||||||
@@ -114,6 +120,35 @@
|
@@ -114,6 +121,54 @@
|
||||||
userdom_manage_user_tmp_files($1_sudo_t)
|
userdom_manage_user_tmp_files($1_sudo_t)
|
||||||
userdom_manage_user_tmp_symlinks($1_sudo_t)
|
userdom_manage_user_tmp_symlinks($1_sudo_t)
|
||||||
userdom_use_user_terminals($1_sudo_t)
|
userdom_use_user_terminals($1_sudo_t)
|
||||||
|
@ -1520,6 +1537,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+ dbus_system_bus_client($1_sudo_t)
|
+ dbus_system_bus_client($1_sudo_t)
|
||||||
+ ')
|
+ ')
|
||||||
')
|
')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Send a SIGCHLD signal to the sudo domain.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`sudo_sigchld',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ attribute sudodomain;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 sudodomain:process sigchld;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.te serefpolicy-3.6.6/policy/modules/admin/sudo.te
|
||||||
|
--- nsaserefpolicy/policy/modules/admin/sudo.te 2009-01-05 15:39:44.000000000 -0500
|
||||||
|
+++ serefpolicy-3.6.6/policy/modules/admin/sudo.te 2009-02-23 10:23:44.000000000 -0500
|
||||||
|
@@ -4,6 +4,7 @@
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Declarations
|
||||||
|
+attribute sudodomain;
|
||||||
|
|
||||||
|
type sudo_exec_t;
|
||||||
|
application_executable_file(sudo_exec_t)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.6.6/policy/modules/admin/su.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.6.6/policy/modules/admin/su.if
|
||||||
--- nsaserefpolicy/policy/modules/admin/su.if 2009-01-19 11:07:34.000000000 -0500
|
--- nsaserefpolicy/policy/modules/admin/su.if 2009-01-19 11:07:34.000000000 -0500
|
||||||
+++ serefpolicy-3.6.6/policy/modules/admin/su.if 2009-02-16 13:18:06.000000000 -0500
|
+++ serefpolicy-3.6.6/policy/modules/admin/su.if 2009-02-16 13:18:06.000000000 -0500
|
||||||
|
@ -3590,7 +3637,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0)
|
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.6.6/policy/modules/apps/qemu.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.6.6/policy/modules/apps/qemu.if
|
||||||
--- nsaserefpolicy/policy/modules/apps/qemu.if 2009-01-19 11:03:28.000000000 -0500
|
--- nsaserefpolicy/policy/modules/apps/qemu.if 2009-01-19 11:03:28.000000000 -0500
|
||||||
+++ serefpolicy-3.6.6/policy/modules/apps/qemu.if 2009-02-17 17:18:08.000000000 -0500
|
+++ serefpolicy-3.6.6/policy/modules/apps/qemu.if 2009-02-20 11:37:20.000000000 -0500
|
||||||
@@ -40,6 +40,93 @@
|
@@ -40,6 +40,93 @@
|
||||||
|
|
||||||
qemu_domtrans($1)
|
qemu_domtrans($1)
|
||||||
|
@ -3777,7 +3824,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -127,84 +290,85 @@
|
@@ -127,84 +290,84 @@
|
||||||
#
|
#
|
||||||
template(`qemu_domain_template',`
|
template(`qemu_domain_template',`
|
||||||
|
|
||||||
|
@ -3805,6 +3852,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+
|
+
|
||||||
+ type $1_image_t;
|
+ type $1_image_t;
|
||||||
+ virt_image($1_image_t)
|
+ virt_image($1_image_t)
|
||||||
|
+
|
||||||
|
+ allow $1_t self:capability kill;
|
||||||
|
+ allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||||
|
|
||||||
- allow $1_t self:capability { dac_read_search dac_override };
|
- allow $1_t self:capability { dac_read_search dac_override };
|
||||||
- allow $1_t self:process { execstack execmem signal getsched };
|
- allow $1_t self:process { execstack execmem signal getsched };
|
||||||
|
@ -3812,9 +3862,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
- allow $1_t self:shm create_shm_perms;
|
- allow $1_t self:shm create_shm_perms;
|
||||||
- allow $1_t self:unix_stream_socket create_stream_socket_perms;
|
- allow $1_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
- allow $1_t self:tcp_socket create_stream_socket_perms;
|
- allow $1_t self:tcp_socket create_stream_socket_perms;
|
||||||
+ allow $1_t self:capability kill;
|
|
||||||
+ allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
|
|
||||||
+
|
|
||||||
+ manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
|
+ manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
|
||||||
+ manage_files_pattern($1_t, $1_image_t, $1_image_t)
|
+ manage_files_pattern($1_t, $1_image_t, $1_image_t)
|
||||||
+ read_lnk_files_pattern($1_t, $1_image_t, $1_image_t)
|
+ read_lnk_files_pattern($1_t, $1_image_t, $1_image_t)
|
||||||
|
@ -3844,19 +3891,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
- files_read_usr_files($1_t)
|
- files_read_usr_files($1_t)
|
||||||
- files_read_var_files($1_t)
|
- files_read_var_files($1_t)
|
||||||
- files_search_all($1_t)
|
- files_search_all($1_t)
|
||||||
-
|
|
||||||
- fs_list_inotifyfs($1_t)
|
|
||||||
- fs_rw_anon_inodefs_files($1_t)
|
|
||||||
- fs_rw_tmpfs_files($1_t)
|
|
||||||
+ manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
|
+ manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
|
||||||
+ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
|
+ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
|
||||||
+ manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
|
+ manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
|
||||||
+ fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
|
+ fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
|
||||||
+ fs_getattr_tmpfs($1_t)
|
+ fs_getattr_tmpfs($1_t)
|
||||||
+
|
|
||||||
|
- fs_list_inotifyfs($1_t)
|
||||||
|
- fs_rw_anon_inodefs_files($1_t)
|
||||||
|
- fs_rw_tmpfs_files($1_t)
|
||||||
+ userdom_read_user_tmpfs_files($1_t)
|
+ userdom_read_user_tmpfs_files($1_t)
|
||||||
+ userdom_signull_unpriv_users($1_t)
|
+ userdom_signull_unpriv_users($1_t)
|
||||||
+ userdom_admin_home_dir_filetrans($1_t, $1_tmp_t, {file dir })
|
|
||||||
|
|
||||||
- storage_raw_write_removable_device($1_t)
|
- storage_raw_write_removable_device($1_t)
|
||||||
- storage_raw_read_removable_device($1_t)
|
- storage_raw_read_removable_device($1_t)
|
||||||
|
@ -3927,7 +3972,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
')
|
')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.6/policy/modules/apps/qemu.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.6/policy/modules/apps/qemu.te
|
||||||
--- nsaserefpolicy/policy/modules/apps/qemu.te 2009-01-19 11:03:28.000000000 -0500
|
--- nsaserefpolicy/policy/modules/apps/qemu.te 2009-01-19 11:03:28.000000000 -0500
|
||||||
+++ serefpolicy-3.6.6/policy/modules/apps/qemu.te 2009-02-17 16:14:43.000000000 -0500
|
+++ serefpolicy-3.6.6/policy/modules/apps/qemu.te 2009-02-23 16:13:38.000000000 -0500
|
||||||
@@ -6,6 +6,8 @@
|
@@ -6,6 +6,8 @@
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
@ -3937,7 +3982,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow qemu to connect fully to the network
|
## Allow qemu to connect fully to the network
|
||||||
@@ -13,28 +15,160 @@
|
@@ -13,28 +15,162 @@
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(qemu_full_network, false)
|
gen_tunable(qemu_full_network, false)
|
||||||
|
|
||||||
|
@ -3989,8 +4034,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+manage_files_pattern(qemu_t, qemu_cache_t, qemu_cache_t)
|
+manage_files_pattern(qemu_t, qemu_cache_t, qemu_cache_t)
|
||||||
+files_var_filetrans(qemu_t, qemu_cache_t, { file dir })
|
+files_var_filetrans(qemu_t, qemu_cache_t, { file dir })
|
||||||
+
|
+
|
||||||
|
+manage_dirs_pattern(qemu_t, qemu_var_run_t, qemu_var_run_t)
|
||||||
+manage_files_pattern(qemu_t, qemu_var_run_t, qemu_var_run_t)
|
+manage_files_pattern(qemu_t, qemu_var_run_t, qemu_var_run_t)
|
||||||
+files_pid_filetrans(qemu_t, qemu_var_run_t, file)
|
+manage_lnk_files_pattern(qemu_t, qemu_var_run_t, qemu_var_run_t)
|
||||||
|
+files_pid_filetrans(qemu_t, qemu_var_run_t, { dir file })
|
||||||
+
|
+
|
||||||
+kernel_read_system_state(qemutype)
|
+kernel_read_system_state(qemutype)
|
||||||
+
|
+
|
||||||
|
@ -4453,7 +4500,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+corecmd_executable_file(wm_exec_t)
|
+corecmd_executable_file(wm_exec_t)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.6/policy/modules/kernel/corecommands.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.6/policy/modules/kernel/corecommands.fc
|
||||||
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-01-05 15:39:38.000000000 -0500
|
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-01-05 15:39:38.000000000 -0500
|
||||||
+++ serefpolicy-3.6.6/policy/modules/kernel/corecommands.fc 2009-02-16 17:52:43.000000000 -0500
|
+++ serefpolicy-3.6.6/policy/modules/kernel/corecommands.fc 2009-02-23 10:54:44.000000000 -0500
|
||||||
@@ -58,6 +58,8 @@
|
@@ -58,6 +58,8 @@
|
||||||
|
|
||||||
/etc/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
|
/etc/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
@ -4479,7 +4526,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
/etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0)
|
/etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0)
|
/etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
@@ -130,6 +133,8 @@
|
@@ -124,12 +127,15 @@
|
||||||
|
|
||||||
|
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
|
||||||
|
+/opt/real/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
ifdef(`distro_gentoo',`
|
||||||
|
/opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
/opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -4488,7 +4542,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
#
|
#
|
||||||
# /usr
|
# /usr
|
||||||
#
|
#
|
||||||
@@ -203,6 +208,7 @@
|
@@ -203,6 +209,7 @@
|
||||||
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/hal/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/hal/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/mc/extfs/.* -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/mc/extfs/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
@ -4496,7 +4550,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
/usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
@@ -223,14 +229,15 @@
|
@@ -223,14 +230,15 @@
|
||||||
/usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
@ -4514,7 +4568,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
/usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
@@ -293,3 +300,14 @@
|
@@ -293,3 +301,14 @@
|
||||||
ifdef(`distro_suse',`
|
ifdef(`distro_suse',`
|
||||||
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
|
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
|
||||||
')
|
')
|
||||||
|
@ -8468,7 +8522,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+permissive afs_t;
|
+permissive afs_t;
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.6/policy/modules/services/apache.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.6/policy/modules/services/apache.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/apache.fc 2008-11-11 16:13:46.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/apache.fc 2008-11-11 16:13:46.000000000 -0500
|
||||||
+++ serefpolicy-3.6.6/policy/modules/services/apache.fc 2009-02-16 13:18:06.000000000 -0500
|
+++ serefpolicy-3.6.6/policy/modules/services/apache.fc 2009-02-23 11:47:03.000000000 -0500
|
||||||
@@ -1,12 +1,13 @@
|
@@ -1,12 +1,13 @@
|
||||||
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
|
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
|
||||||
+HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
|
+HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
|
||||||
|
@ -8528,7 +8582,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||||||
/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||||||
/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||||||
@@ -64,11 +71,24 @@
|
@@ -64,11 +71,26 @@
|
||||||
/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||||
/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
|
/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||||
/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||||
|
@ -8552,7 +8606,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
|
+/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
|
||||||
+/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
+/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
||||||
+
|
+
|
||||||
+/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
|
+/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
|
||||||
|
+
|
||||||
|
+/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.6/policy/modules/services/apache.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.6/policy/modules/services/apache.if
|
||||||
--- nsaserefpolicy/policy/modules/services/apache.if 2009-01-19 11:06:49.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/apache.if 2009-01-19 11:06:49.000000000 -0500
|
||||||
+++ serefpolicy-3.6.6/policy/modules/services/apache.if 2009-02-16 13:18:06.000000000 -0500
|
+++ serefpolicy-3.6.6/policy/modules/services/apache.if 2009-02-16 13:18:06.000000000 -0500
|
||||||
|
@ -10825,7 +10881,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
|
+/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.6/policy/modules/services/cron.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.6/policy/modules/services/cron.if
|
||||||
--- nsaserefpolicy/policy/modules/services/cron.if 2008-11-11 16:13:47.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/cron.if 2008-11-11 16:13:47.000000000 -0500
|
||||||
+++ serefpolicy-3.6.6/policy/modules/services/cron.if 2009-02-16 13:18:06.000000000 -0500
|
+++ serefpolicy-3.6.6/policy/modules/services/cron.if 2009-02-23 10:28:03.000000000 -0500
|
||||||
@@ -12,6 +12,10 @@
|
@@ -12,6 +12,10 @@
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
|
@ -10837,7 +10893,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
##############################
|
##############################
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
@@ -31,13 +35,18 @@
|
@@ -31,16 +35,21 @@
|
||||||
|
|
||||||
# dac_override is to create the file in the directory under /tmp
|
# dac_override is to create the file in the directory under /tmp
|
||||||
allow $1_t self:capability { fowner setuid setgid chown dac_override };
|
allow $1_t self:capability { fowner setuid setgid chown dac_override };
|
||||||
|
@ -10856,8 +10912,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+ manage_files_pattern($1_t, user_cron_spool_t, user_cron_spool_t)
|
+ manage_files_pattern($1_t, user_cron_spool_t, user_cron_spool_t)
|
||||||
manage_files_pattern($1_t, cron_spool_t, user_cron_spool_t)
|
manage_files_pattern($1_t, cron_spool_t, user_cron_spool_t)
|
||||||
filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file)
|
filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file)
|
||||||
files_search_spool($1_t)
|
- files_search_spool($1_t)
|
||||||
@@ -58,6 +67,12 @@
|
+ files_list_spool($1_t)
|
||||||
|
|
||||||
|
# crontab signals crond by updating the mtime on the spooldir
|
||||||
|
allow $1_t cron_spool_t:dir setattr;
|
||||||
|
@@ -55,9 +64,16 @@
|
||||||
|
domain_use_interactive_fds($1_t)
|
||||||
|
|
||||||
|
files_read_etc_files($1_t)
|
||||||
|
+ files_read_usr_files($1_t)
|
||||||
files_dontaudit_search_pids($1_t)
|
files_dontaudit_search_pids($1_t)
|
||||||
|
|
||||||
logging_send_syslog_msg($1_t)
|
logging_send_syslog_msg($1_t)
|
||||||
|
@ -10870,7 +10934,43 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
miscfiles_read_localization($1_t)
|
miscfiles_read_localization($1_t)
|
||||||
|
|
||||||
@@ -261,6 +276,7 @@
|
@@ -147,26 +163,26 @@
|
||||||
|
#
|
||||||
|
interface(`cron_unconfined_role',`
|
||||||
|
gen_require(`
|
||||||
|
- type unconfined_cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t;
|
||||||
|
+ type unconfined_cronjob_t, admin_crontab_t, crontab_tmp_t, crontab_exec_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
- role $1 types { unconfined_cronjob_t crontab_t };
|
||||||
|
+ role $1 types { unconfined_cronjob_t admin_crontab_t };
|
||||||
|
|
||||||
|
# cronjob shows up in user ps
|
||||||
|
ps_process_pattern($2, unconfined_cronjob_t)
|
||||||
|
|
||||||
|
# Transition from the user domain to the derived domain.
|
||||||
|
- domtrans_pattern($2, crontab_exec_t, crontab_t)
|
||||||
|
+ domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
|
||||||
|
|
||||||
|
# crontab shows up in user ps
|
||||||
|
- ps_process_pattern($2, crontab_t)
|
||||||
|
- allow $2 crontab_t:process signal;
|
||||||
|
+ ps_process_pattern($2, admin_crontab_t)
|
||||||
|
+ allow $2 admin_crontab_t:process signal;
|
||||||
|
|
||||||
|
# Run helper programs as the user domain
|
||||||
|
- #corecmd_bin_domtrans(crontab_t, $2)
|
||||||
|
- #corecmd_shell_domtrans(crontab_t, $2)
|
||||||
|
- corecmd_exec_bin(crontab_t)
|
||||||
|
- corecmd_exec_shell(crontab_t)
|
||||||
|
+ #corecmd_bin_domtrans(admin_crontab_t, $2)
|
||||||
|
+ #corecmd_shell_domtrans(admin_crontab_t, $2)
|
||||||
|
+ corecmd_exec_bin(admin_crontab_t)
|
||||||
|
+ corecmd_exec_shell(admin_crontab_t)
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
gen_require(`
|
||||||
|
@@ -261,6 +277,7 @@
|
||||||
allow $1 system_cronjob_t:fifo_file rw_file_perms;
|
allow $1 system_cronjob_t:fifo_file rw_file_perms;
|
||||||
allow $1 system_cronjob_t:process sigchld;
|
allow $1 system_cronjob_t:process sigchld;
|
||||||
|
|
||||||
|
@ -10878,7 +10978,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
allow $1 crond_t:fifo_file rw_file_perms;
|
allow $1 crond_t:fifo_file rw_file_perms;
|
||||||
allow $1 crond_t:fd use;
|
allow $1 crond_t:fd use;
|
||||||
allow $1 crond_t:process sigchld;
|
allow $1 crond_t:process sigchld;
|
||||||
@@ -343,6 +359,24 @@
|
@@ -343,6 +360,24 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -10903,7 +11003,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
## Read and write a cron daemon unnamed pipe.
|
## Read and write a cron daemon unnamed pipe.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -361,7 +395,7 @@
|
@@ -361,7 +396,7 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -10912,7 +11012,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -369,7 +403,7 @@
|
@@ -369,7 +404,7 @@
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
|
@ -10921,7 +11021,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type crond_t;
|
type crond_t;
|
||||||
')
|
')
|
||||||
@@ -416,6 +450,42 @@
|
@@ -416,6 +451,42 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -10964,7 +11064,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
## Inherit and use a file descriptor
|
## Inherit and use a file descriptor
|
||||||
## from system cron jobs.
|
## from system cron jobs.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -481,11 +551,14 @@
|
@@ -481,11 +552,14 @@
|
||||||
#
|
#
|
||||||
interface(`cron_read_system_job_tmp_files',`
|
interface(`cron_read_system_job_tmp_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
|
@ -10980,7 +11080,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -506,3 +579,101 @@
|
@@ -506,3 +580,101 @@
|
||||||
|
|
||||||
dontaudit $1 system_cronjob_tmp_t:file append;
|
dontaudit $1 system_cronjob_tmp_t:file append;
|
||||||
')
|
')
|
||||||
|
@ -11084,7 +11184,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.6/policy/modules/services/cron.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.6/policy/modules/services/cron.te
|
||||||
--- nsaserefpolicy/policy/modules/services/cron.te 2009-01-19 11:06:49.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/cron.te 2009-01-19 11:06:49.000000000 -0500
|
||||||
+++ serefpolicy-3.6.6/policy/modules/services/cron.te 2009-02-16 13:18:06.000000000 -0500
|
+++ serefpolicy-3.6.6/policy/modules/services/cron.te 2009-02-20 12:00:11.000000000 -0500
|
||||||
@@ -38,6 +38,10 @@
|
@@ -38,6 +38,10 @@
|
||||||
type cron_var_lib_t;
|
type cron_var_lib_t;
|
||||||
files_type(cron_var_lib_t)
|
files_type(cron_var_lib_t)
|
||||||
|
@ -13043,7 +13143,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.6/policy/modules/services/dovecot.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.6/policy/modules/services/dovecot.te
|
||||||
--- nsaserefpolicy/policy/modules/services/dovecot.te 2009-01-19 11:06:49.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/dovecot.te 2009-01-19 11:06:49.000000000 -0500
|
||||||
+++ serefpolicy-3.6.6/policy/modules/services/dovecot.te 2009-02-16 13:18:06.000000000 -0500
|
+++ serefpolicy-3.6.6/policy/modules/services/dovecot.te 2009-02-23 15:07:16.000000000 -0500
|
||||||
@@ -15,12 +15,21 @@
|
@@ -15,12 +15,21 @@
|
||||||
domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
|
domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
|
||||||
role system_r types dovecot_auth_t;
|
role system_r types dovecot_auth_t;
|
||||||
|
@ -13166,14 +13266,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
files_read_usr_symlinks(dovecot_auth_t)
|
files_read_usr_symlinks(dovecot_auth_t)
|
||||||
files_search_tmp(dovecot_auth_t)
|
files_search_tmp(dovecot_auth_t)
|
||||||
files_read_var_lib_files(dovecot_t)
|
files_read_var_lib_files(dovecot_t)
|
||||||
@@ -182,5 +213,55 @@
|
@@ -182,5 +213,58 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- logging_send_syslog_msg(dovecot_auth_t)
|
- logging_send_syslog_msg(dovecot_auth_t)
|
||||||
+ mysql_search_db(dovecot_auth_t)
|
+ mysql_search_db(dovecot_auth_t)
|
||||||
+ mysql_stream_connect(dovecot_auth_t)
|
+ mysql_stream_connect(dovecot_auth_t)
|
||||||
+')
|
')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ nis_authenticate(dovecot_auth_t)
|
+ nis_authenticate(dovecot_auth_t)
|
||||||
|
@ -13212,16 +13312,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+
|
+
|
||||||
+dovecot_auth_stream_connect(dovecot_deliver_t)
|
+dovecot_auth_stream_connect(dovecot_deliver_t)
|
||||||
+
|
+
|
||||||
+userdom_manage_user_home_content_dirs(dovecot_t)
|
+files_search_tmp(dovecot_deliver_t)
|
||||||
+userdom_manage_user_home_content_files(dovecot_t)
|
+fs_getattr_all_fs(dovecot_deliver_t)
|
||||||
+userdom_manage_user_home_content_symlinks(dovecot_t)
|
+
|
||||||
+userdom_manage_user_home_content_pipes(dovecot_t)
|
+userdom_manage_user_home_content_dirs(dovecot_deliver_t)
|
||||||
+userdom_manage_user_home_content_sockets(dovecot_t)
|
+userdom_manage_user_home_content_files(dovecot_deliver_t)
|
||||||
+userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })
|
+userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
|
||||||
|
+userdom_manage_user_home_content_pipes(dovecot_deliver_t)
|
||||||
|
+userdom_manage_user_home_content_sockets(dovecot_deliver_t)
|
||||||
|
+userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ mta_manage_spool(dovecot_deliver_t)
|
+ mta_manage_spool(dovecot_deliver_t)
|
||||||
')
|
+')
|
||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.6.6/policy/modules/services/exim.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.6.6/policy/modules/services/exim.if
|
||||||
--- nsaserefpolicy/policy/modules/services/exim.if 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/exim.if 2008-08-07 11:15:11.000000000 -0400
|
||||||
|
@ -14335,6 +14438,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
kernel_read_ring_buffer(kerneloops_t)
|
kernel_read_ring_buffer(kerneloops_t)
|
||||||
|
|
||||||
# Init script handling
|
# Init script handling
|
||||||
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.6.6/policy/modules/services/ktalk.te
|
||||||
|
--- nsaserefpolicy/policy/modules/services/ktalk.te 2009-01-19 11:06:49.000000000 -0500
|
||||||
|
+++ serefpolicy-3.6.6/policy/modules/services/ktalk.te 2009-02-23 10:01:40.000000000 -0500
|
||||||
|
@@ -69,6 +69,7 @@
|
||||||
|
files_read_etc_files(ktalkd_t)
|
||||||
|
|
||||||
|
term_search_ptys(ktalkd_t)
|
||||||
|
+term_use_all_terms(ktalkd_t)
|
||||||
|
|
||||||
|
auth_use_nsswitch(ktalkd_t)
|
||||||
|
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.6.6/policy/modules/services/ldap.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.6.6/policy/modules/services/ldap.te
|
||||||
--- nsaserefpolicy/policy/modules/services/ldap.te 2009-02-16 08:44:12.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/ldap.te 2009-02-16 08:44:12.000000000 -0500
|
||||||
+++ serefpolicy-3.6.6/policy/modules/services/ldap.te 2009-02-16 13:18:06.000000000 -0500
|
+++ serefpolicy-3.6.6/policy/modules/services/ldap.te 2009-02-16 13:18:06.000000000 -0500
|
||||||
|
@ -15063,7 +15177,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
#
|
#
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.6.6/policy/modules/services/mysql.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.6.6/policy/modules/services/mysql.if
|
||||||
--- nsaserefpolicy/policy/modules/services/mysql.if 2008-11-18 18:57:20.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/mysql.if 2008-11-18 18:57:20.000000000 -0500
|
||||||
+++ serefpolicy-3.6.6/policy/modules/services/mysql.if 2009-02-16 13:18:06.000000000 -0500
|
+++ serefpolicy-3.6.6/policy/modules/services/mysql.if 2009-02-24 07:19:21.000000000 -0500
|
||||||
@@ -161,6 +161,25 @@
|
@@ -161,6 +161,25 @@
|
||||||
allow $1 mysqld_db_t:sock_file rw_sock_file_perms;
|
allow $1 mysqld_db_t:sock_file rw_sock_file_perms;
|
||||||
')
|
')
|
||||||
|
@ -15090,9 +15204,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Write to the MySQL log.
|
## Write to the MySQL log.
|
||||||
|
@@ -177,7 +196,7 @@
|
||||||
|
')
|
||||||
|
|
||||||
|
logging_search_logs($1)
|
||||||
|
- allow $1 mysqld_log_t:file { write_file_perms setattr };
|
||||||
|
+ allow $1 mysqld_log_t:file { write_file_perms setattr getattr };
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.6/policy/modules/services/mysql.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.6/policy/modules/services/mysql.te
|
||||||
--- nsaserefpolicy/policy/modules/services/mysql.te 2009-01-19 11:06:49.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/mysql.te 2009-01-19 11:06:49.000000000 -0500
|
||||||
+++ serefpolicy-3.6.6/policy/modules/services/mysql.te 2009-02-16 13:18:06.000000000 -0500
|
+++ serefpolicy-3.6.6/policy/modules/services/mysql.te 2009-02-24 07:41:51.000000000 -0500
|
||||||
@@ -10,6 +10,10 @@
|
@@ -10,6 +10,10 @@
|
||||||
type mysqld_exec_t;
|
type mysqld_exec_t;
|
||||||
init_daemon_domain(mysqld_t, mysqld_exec_t)
|
init_daemon_domain(mysqld_t, mysqld_exec_t)
|
||||||
|
@ -15113,7 +15236,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
#
|
#
|
||||||
|
|
||||||
allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service };
|
allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service };
|
||||||
@@ -121,3 +125,32 @@
|
@@ -121,3 +125,36 @@
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
udev_read_db(mysqld_t)
|
udev_read_db(mysqld_t)
|
||||||
')
|
')
|
||||||
|
@ -15128,14 +15251,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+allow mysqld_safe_t self:capability { dac_override fowner chown };
|
+allow mysqld_safe_t self:capability { dac_override fowner chown };
|
||||||
+allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
|
+allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
|
||||||
+
|
+
|
||||||
|
+append_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
|
||||||
|
+
|
||||||
+mysql_read_config(mysqld_safe_t)
|
+mysql_read_config(mysqld_safe_t)
|
||||||
+mysql_search_db(mysqld_safe_t)
|
|
||||||
+mysql_search_pid_files(mysqld_safe_t)
|
+mysql_search_pid_files(mysqld_safe_t)
|
||||||
+mysql_write_log(mysqld_safe_t)
|
+mysql_write_log(mysqld_safe_t)
|
||||||
+
|
+
|
||||||
+kernel_read_system_state(mysqld_safe_t)
|
+kernel_read_system_state(mysqld_safe_t)
|
||||||
+
|
+
|
||||||
+files_read_etc_files(mysqld_safe_t)
|
+files_read_etc_files(mysqld_safe_t)
|
||||||
|
+files_read_usr_files(mysqld_safe_t)
|
||||||
|
+
|
||||||
|
+dev_list_sysfs(mysqld_safe_t)
|
||||||
+
|
+
|
||||||
+corecmd_exec_bin(mysqld_safe_t)
|
+corecmd_exec_bin(mysqld_safe_t)
|
||||||
+
|
+
|
||||||
|
@ -21114,7 +21241,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.6/policy/modules/services/samba.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.6/policy/modules/services/samba.te
|
||||||
--- nsaserefpolicy/policy/modules/services/samba.te 2009-01-19 11:07:34.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/samba.te 2009-01-19 11:07:34.000000000 -0500
|
||||||
+++ serefpolicy-3.6.6/policy/modules/services/samba.te 2009-02-16 13:18:06.000000000 -0500
|
+++ serefpolicy-3.6.6/policy/modules/services/samba.te 2009-02-23 14:27:45.000000000 -0500
|
||||||
@@ -66,6 +66,13 @@
|
@@ -66,6 +66,13 @@
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(samba_share_nfs, false)
|
gen_tunable(samba_share_nfs, false)
|
||||||
|
@ -21294,16 +21421,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+ fs_manage_nfs_symlinks(smbd_t)
|
+ fs_manage_nfs_symlinks(smbd_t)
|
||||||
+ fs_manage_nfs_named_pipes(smbd_t)
|
+ fs_manage_nfs_named_pipes(smbd_t)
|
||||||
+ fs_manage_nfs_named_sockets(smbd_t)
|
+ fs_manage_nfs_named_sockets(smbd_t)
|
||||||
')
|
+')
|
||||||
|
+
|
||||||
+# Support Samba sharing of ntfs/fusefs mount points
|
+# Support Samba sharing of ntfs/fusefs mount points
|
||||||
+tunable_policy(`samba_share_fusefs',`
|
+tunable_policy(`samba_share_fusefs',`
|
||||||
+ fs_manage_fusefs_dirs(smbd_t)
|
+ fs_manage_fusefs_dirs(smbd_t)
|
||||||
+ fs_manage_fusefs_files(smbd_t)
|
+ fs_manage_fusefs_files(smbd_t)
|
||||||
+',`
|
+',`
|
||||||
+ fs_search_fusefs_dirs(smbd_t)
|
+ fs_search_fusefs_dirs(smbd_t)
|
||||||
+')
|
')
|
||||||
+
|
|
||||||
+
|
+
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
cups_read_rw_config(smbd_t)
|
cups_read_rw_config(smbd_t)
|
||||||
|
@ -21352,7 +21479,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@@ -454,6 +501,7 @@
|
@@ -417,14 +464,11 @@
|
||||||
|
files_pid_filetrans(nmbd_t, nmbd_var_run_t, file)
|
||||||
|
|
||||||
|
read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
|
||||||
|
+read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
|
||||||
|
|
||||||
|
manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
|
||||||
|
manage_files_pattern(nmbd_t, samba_log_t, samba_log_t)
|
||||||
|
|
||||||
|
-read_files_pattern(nmbd_t, samba_log_t, samba_log_t)
|
||||||
|
-create_files_pattern(nmbd_t, samba_log_t, samba_log_t)
|
||||||
|
-allow nmbd_t samba_log_t:dir setattr;
|
||||||
|
-
|
||||||
|
manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
|
||||||
|
|
||||||
|
allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
|
||||||
|
@@ -454,6 +498,7 @@
|
||||||
dev_getattr_mtrr_dev(nmbd_t)
|
dev_getattr_mtrr_dev(nmbd_t)
|
||||||
|
|
||||||
fs_getattr_all_fs(nmbd_t)
|
fs_getattr_all_fs(nmbd_t)
|
||||||
|
@ -21360,7 +21503,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
fs_search_auto_mountpoints(nmbd_t)
|
fs_search_auto_mountpoints(nmbd_t)
|
||||||
|
|
||||||
domain_use_interactive_fds(nmbd_t)
|
domain_use_interactive_fds(nmbd_t)
|
||||||
@@ -553,19 +601,33 @@
|
@@ -553,21 +598,36 @@
|
||||||
userdom_use_user_terminals(smbmount_t)
|
userdom_use_user_terminals(smbmount_t)
|
||||||
userdom_use_all_users_fds(smbmount_t)
|
userdom_use_all_users_fds(smbmount_t)
|
||||||
|
|
||||||
|
@ -21396,8 +21539,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+allow swat_t nmbd_var_run_t:file { lock read unlink };
|
+allow swat_t nmbd_var_run_t:file { lock read unlink };
|
||||||
|
|
||||||
rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
|
rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
|
||||||
|
+read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t)
|
||||||
|
|
||||||
@@ -585,6 +647,9 @@
|
append_files_pattern(swat_t, samba_log_t, samba_log_t)
|
||||||
|
|
||||||
|
@@ -585,6 +645,9 @@
|
||||||
files_pid_filetrans(swat_t, swat_var_run_t, file)
|
files_pid_filetrans(swat_t, swat_var_run_t, file)
|
||||||
|
|
||||||
allow swat_t winbind_exec_t:file mmap_file_perms;
|
allow swat_t winbind_exec_t:file mmap_file_perms;
|
||||||
|
@ -21407,7 +21553,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
kernel_read_kernel_sysctls(swat_t)
|
kernel_read_kernel_sysctls(swat_t)
|
||||||
kernel_read_system_state(swat_t)
|
kernel_read_system_state(swat_t)
|
||||||
@@ -609,15 +674,18 @@
|
@@ -609,15 +672,18 @@
|
||||||
|
|
||||||
dev_read_urand(swat_t)
|
dev_read_urand(swat_t)
|
||||||
|
|
||||||
|
@ -21426,7 +21572,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
logging_search_logs(swat_t)
|
logging_search_logs(swat_t)
|
||||||
|
|
||||||
miscfiles_read_localization(swat_t)
|
miscfiles_read_localization(swat_t)
|
||||||
@@ -635,6 +703,17 @@
|
@@ -635,6 +701,17 @@
|
||||||
kerberos_use(swat_t)
|
kerberos_use(swat_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -21444,7 +21590,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Winbind local policy
|
# Winbind local policy
|
||||||
@@ -642,7 +721,7 @@
|
@@ -642,7 +719,7 @@
|
||||||
|
|
||||||
allow winbind_t self:capability { dac_override ipc_lock setuid };
|
allow winbind_t self:capability { dac_override ipc_lock setuid };
|
||||||
dontaudit winbind_t self:capability sys_tty_config;
|
dontaudit winbind_t self:capability sys_tty_config;
|
||||||
|
@ -21453,7 +21599,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
allow winbind_t self:fifo_file rw_fifo_file_perms;
|
allow winbind_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow winbind_t self:unix_dgram_socket create_socket_perms;
|
allow winbind_t self:unix_dgram_socket create_socket_perms;
|
||||||
allow winbind_t self:unix_stream_socket create_stream_socket_perms;
|
allow winbind_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
@@ -683,9 +762,10 @@
|
@@ -683,9 +760,10 @@
|
||||||
manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
|
manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
|
||||||
files_pid_filetrans(winbind_t, winbind_var_run_t, file)
|
files_pid_filetrans(winbind_t, winbind_var_run_t, file)
|
||||||
|
|
||||||
|
@ -21466,7 +21612,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
corenet_all_recvfrom_unlabeled(winbind_t)
|
corenet_all_recvfrom_unlabeled(winbind_t)
|
||||||
corenet_all_recvfrom_netlabel(winbind_t)
|
corenet_all_recvfrom_netlabel(winbind_t)
|
||||||
@@ -709,10 +789,12 @@
|
@@ -709,10 +787,12 @@
|
||||||
|
|
||||||
auth_domtrans_chk_passwd(winbind_t)
|
auth_domtrans_chk_passwd(winbind_t)
|
||||||
auth_use_nsswitch(winbind_t)
|
auth_use_nsswitch(winbind_t)
|
||||||
|
@ -21479,7 +21625,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
logging_send_syslog_msg(winbind_t)
|
logging_send_syslog_msg(winbind_t)
|
||||||
|
|
||||||
@@ -768,8 +850,13 @@
|
@@ -768,8 +848,13 @@
|
||||||
userdom_use_user_terminals(winbind_helper_t)
|
userdom_use_user_terminals(winbind_helper_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -21493,7 +21639,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -778,6 +865,16 @@
|
@@ -778,6 +863,16 @@
|
||||||
#
|
#
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -21510,7 +21656,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
type samba_unconfined_script_t;
|
type samba_unconfined_script_t;
|
||||||
type samba_unconfined_script_exec_t;
|
type samba_unconfined_script_exec_t;
|
||||||
domain_type(samba_unconfined_script_t)
|
domain_type(samba_unconfined_script_t)
|
||||||
@@ -788,9 +885,43 @@
|
@@ -788,9 +883,43 @@
|
||||||
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
|
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
|
||||||
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
|
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
|
||||||
|
|
||||||
|
@ -23519,7 +23665,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.6/policy/modules/services/xserver.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.6/policy/modules/services/xserver.if
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.if 2009-01-05 15:39:43.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/xserver.if 2009-01-05 15:39:43.000000000 -0500
|
||||||
+++ serefpolicy-3.6.6/policy/modules/services/xserver.if 2009-02-16 13:18:06.000000000 -0500
|
+++ serefpolicy-3.6.6/policy/modules/services/xserver.if 2009-02-20 14:25:25.000000000 -0500
|
||||||
@@ -90,7 +90,7 @@
|
@@ -90,7 +90,7 @@
|
||||||
allow $2 xauth_home_t:file manage_file_perms;
|
allow $2 xauth_home_t:file manage_file_perms;
|
||||||
allow $2 xauth_home_t:file { relabelfrom relabelto };
|
allow $2 xauth_home_t:file { relabelfrom relabelto };
|
||||||
|
@ -24946,8 +25092,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+logging_send_syslog_msg(zos_remote_t)
|
+logging_send_syslog_msg(zos_remote_t)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.6/policy/modules/system/application.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.6/policy/modules/system/application.te
|
||||||
--- nsaserefpolicy/policy/modules/system/application.te 2008-08-07 11:15:12.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/application.te 2008-08-07 11:15:12.000000000 -0400
|
||||||
+++ serefpolicy-3.6.6/policy/modules/system/application.te 2009-02-16 13:18:06.000000000 -0500
|
+++ serefpolicy-3.6.6/policy/modules/system/application.te 2009-02-23 10:22:08.000000000 -0500
|
||||||
@@ -7,6 +7,12 @@
|
@@ -7,8 +7,18 @@
|
||||||
# Executables to be run by user
|
# Executables to be run by user
|
||||||
attribute application_exec_type;
|
attribute application_exec_type;
|
||||||
|
|
||||||
|
@ -24960,6 +25106,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
ssh_sigchld(application_domain_type)
|
ssh_sigchld(application_domain_type)
|
||||||
ssh_rw_stream_sockets(application_domain_type)
|
ssh_rw_stream_sockets(application_domain_type)
|
||||||
|
')
|
||||||
|
|
||||||
|
+optional_policy(`
|
||||||
|
+ sudo_sigchld(application_domain_type)
|
||||||
|
+')
|
||||||
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.6.6/policy/modules/system/authlogin.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.6.6/policy/modules/system/authlogin.fc
|
||||||
--- nsaserefpolicy/policy/modules/system/authlogin.fc 2008-08-07 11:15:12.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/authlogin.fc 2008-08-07 11:15:12.000000000 -0400
|
||||||
+++ serefpolicy-3.6.6/policy/modules/system/authlogin.fc 2009-02-16 13:18:06.000000000 -0500
|
+++ serefpolicy-3.6.6/policy/modules/system/authlogin.fc 2009-02-16 13:18:06.000000000 -0500
|
||||||
|
@ -26162,7 +26314,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
|
allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.6/policy/modules/system/libraries.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.6/policy/modules/system/libraries.fc
|
||||||
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-01-05 15:39:43.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-01-05 15:39:43.000000000 -0500
|
||||||
+++ serefpolicy-3.6.6/policy/modules/system/libraries.fc 2009-02-18 09:32:59.000000000 -0500
|
+++ serefpolicy-3.6.6/policy/modules/system/libraries.fc 2009-02-23 11:26:27.000000000 -0500
|
||||||
@@ -60,12 +60,15 @@
|
@@ -60,12 +60,15 @@
|
||||||
#
|
#
|
||||||
# /opt
|
# /opt
|
||||||
|
@ -26179,7 +26331,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
ifdef(`distro_gentoo',`
|
ifdef(`distro_gentoo',`
|
||||||
# despite the extensions, they are actually libs
|
# despite the extensions, they are actually libs
|
||||||
/opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)
|
/opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)
|
||||||
@@ -84,9 +87,10 @@
|
@@ -84,12 +87,14 @@
|
||||||
|
|
||||||
ifdef(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
/opt/Adobe(/.*?)/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/opt/Adobe(/.*?)/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
@ -26192,7 +26344,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
/opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/opt/ibm/java.*/jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
|
/opt/ibm/java.*/jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
|
||||||
/opt/ibm/java.*/jre/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/opt/ibm/java.*/jre/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
@@ -103,6 +107,7 @@
|
+/opt/ibm/java.*/jre/bin/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
/opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
')
|
||||||
|
|
||||||
|
@@ -103,6 +108,7 @@
|
||||||
#
|
#
|
||||||
/usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
@ -26200,7 +26356,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
/usr/(.*/)?java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/(.*/)?java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
|
/usr/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
|
||||||
@@ -115,24 +120,34 @@
|
@@ -115,24 +121,34 @@
|
||||||
|
|
||||||
/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
|
||||||
|
@ -26236,7 +26392,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
|
||||||
@@ -168,7 +183,8 @@
|
@@ -168,7 +184,8 @@
|
||||||
# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
|
# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
|
||||||
# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
|
# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
|
||||||
/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
@ -26246,7 +26402,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
/usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
@@ -187,6 +203,7 @@
|
@@ -187,6 +204,7 @@
|
||||||
/usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
@ -26254,7 +26410,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
@@ -233,7 +250,7 @@
|
@@ -233,7 +251,7 @@
|
||||||
/usr/lib(64)?/php/modules/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/php/modules/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
|
||||||
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
|
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
|
||||||
|
@ -26263,7 +26419,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
/usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib(64)?/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
@@ -246,12 +263,13 @@
|
@@ -246,12 +264,13 @@
|
||||||
|
|
||||||
# Flash plugin, Macromedia
|
# Flash plugin, Macromedia
|
||||||
HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
@ -26279,7 +26435,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
# Jai, Sun Microsystems (Jpackage SPRM)
|
# Jai, Sun Microsystems (Jpackage SPRM)
|
||||||
/usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
@@ -267,6 +285,9 @@
|
@@ -267,6 +286,9 @@
|
||||||
/usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
|
||||||
|
@ -26289,7 +26445,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
# Java, Sun Microsystems (JPackage SRPM)
|
# Java, Sun Microsystems (JPackage SRPM)
|
||||||
/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
@@ -291,6 +312,8 @@
|
@@ -291,6 +313,8 @@
|
||||||
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
@ -26298,7 +26454,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
') dnl end distro_redhat
|
') dnl end distro_redhat
|
||||||
|
|
||||||
#
|
#
|
||||||
@@ -303,6 +326,8 @@
|
@@ -303,6 +327,8 @@
|
||||||
|
|
||||||
/var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0)
|
/var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0)
|
||||||
|
|
||||||
|
@ -26307,7 +26463,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
ifdef(`distro_suse',`
|
ifdef(`distro_suse',`
|
||||||
/var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0)
|
/var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0)
|
||||||
')
|
')
|
||||||
@@ -310,3 +335,25 @@
|
@@ -310,3 +336,30 @@
|
||||||
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||||
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||||
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
|
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
|
||||||
|
@ -26333,6 +26489,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+/usr/lib/oracle/.*/lib/libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
+/usr/lib/oracle/.*/lib/libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
+
|
+
|
||||||
+/opt/(.*/)?oracle/(.*/)?libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
+/opt/(.*/)?oracle/(.*/)?libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
+
|
||||||
|
+/opt/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
+/usr/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
+/opt/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
+/usr/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.6/policy/modules/system/libraries.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.6/policy/modules/system/libraries.te
|
||||||
--- nsaserefpolicy/policy/modules/system/libraries.te 2009-01-05 15:39:43.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/libraries.te 2009-01-05 15:39:43.000000000 -0500
|
||||||
+++ serefpolicy-3.6.6/policy/modules/system/libraries.te 2009-02-16 13:18:06.000000000 -0500
|
+++ serefpolicy-3.6.6/policy/modules/system/libraries.te 2009-02-16 13:18:06.000000000 -0500
|
||||||
|
@ -28164,7 +28325,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
|
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.6/policy/modules/system/sysnetwork.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.6/policy/modules/system/sysnetwork.if
|
||||||
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2009-01-19 11:07:34.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2009-01-19 11:07:34.000000000 -0500
|
||||||
+++ serefpolicy-3.6.6/policy/modules/system/sysnetwork.if 2009-02-17 11:02:02.000000000 -0500
|
+++ serefpolicy-3.6.6/policy/modules/system/sysnetwork.if 2009-02-23 13:58:44.000000000 -0500
|
||||||
@@ -43,6 +43,39 @@
|
@@ -43,6 +43,39 @@
|
||||||
|
|
||||||
sysnet_domtrans_dhcpc($1)
|
sysnet_domtrans_dhcpc($1)
|
||||||
|
@ -28714,7 +28875,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.6/policy/modules/system/unconfined.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.6/policy/modules/system/unconfined.if
|
||||||
--- nsaserefpolicy/policy/modules/system/unconfined.if 2008-11-11 16:13:48.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/unconfined.if 2008-11-11 16:13:48.000000000 -0500
|
||||||
+++ serefpolicy-3.6.6/policy/modules/system/unconfined.if 2009-02-16 13:18:06.000000000 -0500
|
+++ serefpolicy-3.6.6/policy/modules/system/unconfined.if 2009-02-23 10:16:08.000000000 -0500
|
||||||
@@ -12,14 +12,13 @@
|
@@ -12,14 +12,13 @@
|
||||||
#
|
#
|
||||||
interface(`unconfined_domain_noaudit',`
|
interface(`unconfined_domain_noaudit',`
|
||||||
|
|