- Fix sudo setting of user keys
This commit is contained in:
parent
163db10557
commit
9a43d2b055
@ -264,6 +264,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man
|
||||
|
||||
.SH SHARING FILES
|
||||
If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for samba you would execute:
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/constraints serefpolicy-3.6.1/policy/constraints
|
||||
--- nsaserefpolicy/policy/constraints 2008-11-18 18:57:21.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/constraints 2008-12-08 14:26:15.000000000 -0500
|
||||
@@ -99,7 +99,7 @@
|
||||
constrain process { transition noatsecure siginh rlimitinh }
|
||||
(
|
||||
r1 == r2
|
||||
- or ( t1 == can_change_process_identity and t2 == process_user_target )
|
||||
+ or ( t1 == can_change_process_role and t2 == process_user_target )
|
||||
or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )
|
||||
or ( t1 == can_system_change and u2 == system_u )
|
||||
or ( t1 == process_uncond_exempt )
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.6.1/policy/flask/access_vectors
|
||||
--- nsaserefpolicy/policy/flask/access_vectors 2008-08-07 11:15:00.000000000 -0400
|
||||
+++ serefpolicy-3.6.1/policy/flask/access_vectors 2008-11-25 09:45:43.000000000 -0500
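Review bot: The constraints patch added in this hunk changes the attribute in the `r1 == r2` process-transition constraint from `can_change_process_identity` to `can_change_process_role` with no comment recording why, and the effect is a swap rather than a pure widening: a domain holding only `can_change_process_identity` no longer satisfies this role constraint, while one holding `can_change_process_role` (which `domain_role_change_exemption($1_sudo_t)` grants further down the patch) now does. A one-line comment above the constraint in the patched file, e.g. `# role changes across a transition require can_change_process_role; identity changes are constrained separately`, would record the intent, and the swap deserves a changelog line since it can turn previously permitted role transitions into denials. The constraint body continues past the end of the inner hunk.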
|
||||
@ -379,7 +391,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
files_read_etc_files(kismet_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.1/policy/modules/admin/logrotate.te
|
||||
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2008-11-11 16:13:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/admin/logrotate.te 2008-11-25 09:45:43.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/admin/logrotate.te 2008-12-08 15:22:19.000000000 -0500
|
||||
@@ -116,7 +116,7 @@
|
||||
seutil_dontaudit_read_config(logrotate_t)
|
||||
|
||||
@ -389,6 +401,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
userdom_use_unpriv_users_fds(logrotate_t)
|
||||
|
||||
cron_system_entry(logrotate_t, logrotate_exec_t)
|
||||
@@ -187,5 +187,6 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ squid_exec(logrotate_t)
|
||||
squid_signal(logrotate_t)
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.6.1/policy/modules/admin/logwatch.te
|
||||
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2008-11-11 16:13:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/admin/logwatch.te 2008-11-25 09:45:43.000000000 -0500
|
||||
@ -1082,7 +1101,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
java_domtrans_unconfined(rpm_script_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.1/policy/modules/admin/sudo.if
|
||||
--- nsaserefpolicy/policy/modules/admin/sudo.if 2008-11-11 16:13:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/admin/sudo.if 2008-12-05 14:31:30.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/admin/sudo.if 2008-12-08 13:08:28.000000000 -0500
|
||||
@@ -51,7 +51,7 @@
|
||||
#
|
||||
|
||||
@ -1146,7 +1165,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
logging_send_syslog_msg($1_sudo_t)
|
||||
|
||||
miscfiles_read_localization($1_sudo_t)
|
||||
@@ -114,6 +120,30 @@
|
||||
@@ -114,6 +120,31 @@
|
||||
userdom_manage_user_tmp_files($1_sudo_t)
|
||||
userdom_manage_user_tmp_symlinks($1_sudo_t)
|
||||
userdom_use_user_terminals($1_sudo_t)
|
||||
@ -1163,6 +1182,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
# for some PAM modules and for cwd
|
||||
userdom_dontaudit_search_user_home_content($1_sudo_t)
|
||||
+ userdom_manage_all_users_keys($1_sudo_t)
|
||||
+
|
||||
+ domain_role_change_exemption($1_sudo_t)
|
||||
+ userdom_spec_domtrans_all_users($1_sudo_t)
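Review bot: `userdom_manage_all_users_keys($1_sudo_t)` is added with no comment and is the broadest grant available here: the per-user sudo domain gets manage access to every user's keyrings, not only the invoking or target user's. If this policy has a keys interface scoped to a single user it would be the better fit; otherwise a comment tying the rule to its purpose, e.g. `# sudo must set up keys for the user it switches to; no narrower userdom keys interface available`, keeps the width of the grant from looking accidental. The enclosing template starts outside the hunk, so whether the rule sits inside any tunable cannot be seen here.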
|
||||
@ -2233,12 +2253,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.6.1/policy/modules/apps/nsplugin.fc
|
||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/apps/nsplugin.fc 2008-11-25 09:45:43.000000000 -0500
|
||||
@@ -0,0 +1,11 @@
|
||||
+++ serefpolicy-3.6.1/policy/modules/apps/nsplugin.fc 2008-12-08 16:24:57.000000000 -0500
|
||||
@@ -0,0 +1,12 @@
|
||||
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
|
||||
+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
|
||||
+HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:nsplugin_home_t,s0)
|
||||
+HOME_DIR/\.config/totem(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
|
||||
+HOME_DIR/\.config/gxine(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
|
||||
+HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
|
||||
+HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
|
||||
+
|
||||
@ -3939,7 +3960,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## <param name="domain">
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.1/policy/modules/kernel/corenetwork.te.in
|
||||
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-11-12 09:13:46.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/kernel/corenetwork.te.in 2008-12-03 08:59:59.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/kernel/corenetwork.te.in 2008-12-08 15:25:19.000000000 -0500
|
||||
@@ -65,10 +65,12 @@
|
||||
type server_packet_t, packet_type, server_packet_type;
|
||||
|
||||
@ -4036,12 +4057,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
|
||||
type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
|
||||
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
|
||||
@@ -171,13 +192,16 @@
|
||||
@@ -171,14 +192,17 @@
|
||||
network_port(syslogd, udp,514,s0)
|
||||
network_port(telnetd, tcp,23,s0)
|
||||
network_port(tftp, udp,69,s0)
|
||||
-network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0)
|
||||
+network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)
|
||||
+network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)
|
||||
network_port(traceroute, udp,64000,s0, udp,64001,s0, udp,64002,s0, udp,64003,s0, udp,64004,s0, udp,64005,s0, udp,64006,s0, udp,64007,s0, udp,64008,s0, udp,64009,s0, udp,64010,s0)
|
||||
network_port(transproxy, tcp,8081,s0)
|
||||
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
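Review bot: The rewritten tor line adds `tcp, 6969, s0` with spaces that the rest of the entry does not use (`tcp,9001,s0`), and the same spacing appears in the whois line of the next hunk (`tcp, 4321, s0 , udp, 4321, s0 )`); write them as `tcp,6969,s0` and `tcp,4321,s0, udp,4321,s0` to match the file. Neither line records why the port is being added, so a short comment above each (with the actual reason filled in) would help, because every domain already permitted to reach `tor_port_t` or `whois_port_t` silently gains the new port as well. The 6969 entry is also placed before 9001 while the existing entries run in ascending order.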
|
||||
@ -4049,11 +4070,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
|
||||
network_port(vnc, tcp,5900,s0)
|
||||
network_port(wccp, udp,2048,s0)
|
||||
-network_port(whois, tcp,43,s0, udp,43,s0)
|
||||
+# Reserve 100 ports for vnc/virt machines
|
||||
+portcon tcp 5901-5999 gen_context(system_u:object_r:vnc_port_t,s0)
|
||||
network_port(whois, tcp,43,s0, udp,43,s0)
|
||||
+network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
|
||||
network_port(xdmcp, udp,177,s0, tcp,177,s0)
|
||||
network_port(xen, tcp,8002,s0)
|
||||
network_port(xfs, tcp,7100,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.1/policy/modules/kernel/devices.fc
|
||||
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2008-10-08 21:42:58.000000000 -0400
|
||||
+++ serefpolicy-3.6.1/policy/modules/kernel/devices.fc 2008-11-25 09:45:43.000000000 -0500
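Review bot: The new `portcon tcp 5901-5999` comment says `Reserve 100 ports` but the range holds 99; the hundredth, 5900, comes from `network_port(vnc, tcp,5900,s0)` two lines above, so the comment should say so, e.g. `# Reserve tcp 5901-5999 for vnc/virt displays (5900 itself is declared by network_port(vnc) above)`. For the whois change, if 4321 is being added because it is the registered rwhois port, a comment next to the entry would make that clear to anyone later widening access to `whois_port_t`.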
|
||||
@ -8018,7 +8041,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.1/policy/modules/services/apache.te
|
||||
--- nsaserefpolicy/policy/modules/services/apache.te 2008-11-11 16:13:46.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/services/apache.te 2008-12-04 14:56:42.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/services/apache.te 2008-12-08 16:47:30.000000000 -0500
|
||||
@@ -19,6 +19,8 @@
|
||||
# Declarations
|
||||
#
|
||||
@ -8175,11 +8198,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
corenet_tcp_bind_http_port(httpd_t)
|
||||
corenet_tcp_bind_http_cache_port(httpd_t)
|
||||
corenet_sendrecv_http_server_packets(httpd_t)
|
||||
@@ -335,12 +386,11 @@
|
||||
@@ -335,12 +386,12 @@
|
||||
|
||||
fs_getattr_all_fs(httpd_t)
|
||||
fs_search_auto_mountpoints(httpd_t)
|
||||
+fs_list_inotifyfs(httpd_t)
|
||||
+fs_read_iso9660_files(httpd_t)
|
||||
|
||||
auth_use_nsswitch(httpd_t)
|
||||
|
||||
@ -8190,7 +8214,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
domain_use_interactive_fds(httpd_t)
|
||||
|
||||
@@ -358,6 +408,10 @@
|
||||
@@ -358,6 +409,10 @@
|
||||
files_read_var_lib_symlinks(httpd_t)
|
||||
|
||||
fs_search_auto_mountpoints(httpd_sys_script_t)
|
||||
@ -8201,7 +8225,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
libs_read_lib_files(httpd_t)
|
||||
|
||||
@@ -372,18 +426,33 @@
|
||||
@@ -372,18 +427,33 @@
|
||||
|
||||
userdom_use_unpriv_users_fds(httpd_t)
|
||||
|
||||
@ -8239,7 +8263,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -391,20 +460,54 @@
|
||||
@@ -391,20 +461,54 @@
|
||||
corenet_tcp_connect_all_ports(httpd_t)
|
||||
')
|
||||
|
||||
@ -8295,7 +8319,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
|
||||
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
|
||||
@@ -415,20 +518,28 @@
|
||||
@@ -415,20 +519,28 @@
|
||||
corenet_tcp_bind_ftp_port(httpd_t)
|
||||
')
|
||||
|
||||
@ -8328,7 +8352,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
tunable_policy(`httpd_ssi_exec',`
|
||||
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
|
||||
allow httpd_sys_script_t httpd_t:fd use;
|
||||
@@ -459,8 +570,13 @@
|
||||
@@ -459,8 +571,13 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -8344,7 +8368,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -472,18 +588,13 @@
|
||||
@@ -472,18 +589,13 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -8364,7 +8388,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -493,6 +604,12 @@
|
||||
@@ -493,6 +605,12 @@
|
||||
openca_kill(httpd_t)
|
||||
')
|
||||
|
||||
@ -8377,7 +8401,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
optional_policy(`
|
||||
# Allow httpd to work with postgresql
|
||||
postgresql_stream_connect(httpd_t)
|
||||
@@ -500,6 +617,7 @@
|
||||
@@ -500,6 +618,7 @@
|
||||
|
||||
tunable_policy(`httpd_can_network_connect_db',`
|
||||
postgresql_tcp_connect(httpd_t)
|
||||
@ -8385,7 +8409,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -508,6 +626,7 @@
|
||||
@@ -508,6 +627,7 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -8393,7 +8417,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
|
||||
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
|
||||
')
|
||||
@@ -535,6 +654,22 @@
|
||||
@@ -535,6 +655,22 @@
|
||||
|
||||
userdom_use_user_terminals(httpd_helper_t)
|
||||
|
||||
@ -8416,7 +8440,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
########################################
|
||||
#
|
||||
# Apache PHP script local policy
|
||||
@@ -564,20 +699,25 @@
|
||||
@@ -564,20 +700,25 @@
|
||||
|
||||
fs_search_auto_mountpoints(httpd_php_t)
|
||||
|
||||
@ -8448,7 +8472,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -595,12 +735,14 @@
|
||||
@@ -595,23 +736,24 @@
|
||||
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
||||
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
||||
|
||||
@ -8464,8 +8488,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
kernel_read_kernel_sysctls(httpd_suexec_t)
|
||||
kernel_list_proc(httpd_suexec_t)
|
||||
kernel_read_proc_symlinks(httpd_suexec_t)
|
||||
@@ -609,9 +751,7 @@
|
||||
|
||||
dev_read_urand(httpd_suexec_t)
|
||||
|
||||
+fs_read_iso9660_files(httpd_suexec_t)
|
||||
fs_search_auto_mountpoints(httpd_suexec_t)
|
||||
|
||||
-# for shell scripts
|
||||
@ -8475,7 +8501,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
files_read_etc_files(httpd_suexec_t)
|
||||
files_read_usr_files(httpd_suexec_t)
|
||||
@@ -641,12 +781,25 @@
|
||||
@@ -641,12 +783,25 @@
|
||||
corenet_sendrecv_all_client_packets(httpd_suexec_t)
|
||||
')
|
||||
|
||||
@ -8504,7 +8530,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
@@ -655,6 +808,12 @@
|
||||
@@ -655,6 +810,12 @@
|
||||
fs_exec_nfs_files(httpd_suexec_t)
|
||||
')
|
||||
|
||||
@ -8517,7 +8543,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||
fs_read_cifs_files(httpd_suexec_t)
|
||||
fs_read_cifs_symlinks(httpd_suexec_t)
|
||||
@@ -672,15 +831,14 @@
|
||||
@@ -672,15 +833,14 @@
|
||||
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
||||
')
|
||||
|
||||
@ -8536,7 +8562,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
|
||||
|
||||
dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
||||
@@ -699,12 +857,22 @@
|
||||
@@ -699,12 +859,24 @@
|
||||
# Should we add a boolean?
|
||||
apache_domtrans_rotatelogs(httpd_sys_script_t)
|
||||
|
||||
@ -8548,6 +8574,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
-tunable_policy(`httpd_enable_homedirs',`
|
||||
- userdom_read_user_home_content_files(httpd_sys_script_t)
|
||||
+fs_read_iso9660_files(httpd_sys_script_t)
|
||||
+
|
||||
+tunable_policy(`httpd_use_nfs',`
|
||||
+ fs_manage_nfs_dirs(httpd_sys_script_t)
|
||||
+ fs_manage_nfs_files(httpd_sys_script_t)
|
||||
@ -8561,7 +8589,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
@@ -712,6 +880,35 @@
|
||||
@@ -712,6 +884,35 @@
|
||||
fs_read_nfs_symlinks(httpd_sys_script_t)
|
||||
')
|
||||
|
||||
@ -8597,7 +8625,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||
fs_read_cifs_files(httpd_sys_script_t)
|
||||
fs_read_cifs_symlinks(httpd_sys_script_t)
|
||||
@@ -724,6 +921,10 @@
|
||||
@@ -724,6 +925,10 @@
|
||||
optional_policy(`
|
||||
mysql_stream_connect(httpd_sys_script_t)
|
||||
mysql_rw_db_sockets(httpd_sys_script_t)
|
||||
@ -8608,7 +8636,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -735,6 +936,8 @@
|
||||
@@ -735,6 +940,8 @@
|
||||
# httpd_rotatelogs local policy
|
||||
#
|
||||
|
||||
@ -8617,7 +8645,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
|
||||
|
||||
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
|
||||
@@ -762,3 +965,66 @@
|
||||
@@ -762,3 +969,66 @@
|
||||
userdom_search_user_home_dirs(httpd_suexec_t)
|
||||
userdom_search_user_home_dirs(httpd_user_script_t)
|
||||
')
|
||||
@ -8793,6 +8821,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.6.1/policy/modules/services/bind.fc
|
||||
--- nsaserefpolicy/policy/modules/services/bind.fc 2008-11-11 16:13:45.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/services/bind.fc 2008-12-08 11:44:38.000000000 -0500
|
||||
@@ -1,17 +1,22 @@
|
||||
/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
|
||||
+/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
|
||||
+
|
||||
/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
|
||||
/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
|
||||
+/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
|
||||
|
||||
/usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
|
||||
/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
|
||||
/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
|
||||
/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
|
||||
+/usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0)
|
||||
|
||||
/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
|
||||
|
||||
/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
|
||||
/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
|
||||
/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
|
||||
+/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.1/policy/modules/services/bind.if
|
||||
--- nsaserefpolicy/policy/modules/services/bind.if 2008-11-11 16:13:46.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/services/bind.if 2008-11-25 09:45:43.000000000 -0500
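Review bot: `/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)` labels everything under /etc/unbound as configuration, whereas bind's secret material gets the stricter `dnssec_t` (`/etc/rndc\.key` just above). If unbound keeps control or trust-anchor keys under that directory, a more specific entry after it, along the lines of `/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0)` (adjusted to the real file names), would keep them out of the config type, mirroring how `/etc/rndc.*` and `/etc/rndc\.key` coexist here. Labelling the unbound binary `named_exec_t` also means unbound runs with every permission named_t has; a reasonable interim choice, but a `#` comment in the .fc saying the reuse is deliberate would stop readers from assuming a dedicated unbound domain exists.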
|
||||
@ -12286,13 +12340,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# Init script handling
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.6.1/policy/modules/services/ldap.te
|
||||
--- nsaserefpolicy/policy/modules/services/ldap.te 2008-11-11 16:13:46.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/services/ldap.te 2008-11-25 09:45:43.000000000 -0500
|
||||
@@ -117,7 +117,7 @@
|
||||
+++ serefpolicy-3.6.1/policy/modules/services/ldap.te 2008-12-08 14:32:23.000000000 -0500
|
||||
@@ -117,7 +117,11 @@
|
||||
userdom_dontaudit_search_user_home_dirs(slapd_t)
|
||||
|
||||
optional_policy(`
|
||||
- kerberos_use(slapd_t)
|
||||
+ kerberos_keytab_template(slapd, slapd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ sasl_connect(slapd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
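Review bot: Replacing `kerberos_use(slapd_t)` with `kerberos_keytab_template(slapd, slapd_t)` introduces a dedicated keytab type for slapd (presumably `slapd_keytab_t`), but that type only takes effect once a path in ldap.fc is labelled with it, and no file-context change for it appears in this commit; if none exists elsewhere, the keytab stays at its default label and slapd is no better off. If the template does not itself pull in `kerberos_use`, dropping that call also removes slapd's access to the generic Kerberos configuration and ticket caches, which is worth confirming before release. A comment such as `# slapd reads its own keytab and connects to SASL for authentication` above the two optional blocks would document why both were added.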
|
||||
@ -18201,7 +18259,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.1/policy/modules/services/samba.te
|
||||
--- nsaserefpolicy/policy/modules/services/samba.te 2008-11-11 16:13:47.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/services/samba.te 2008-11-25 09:45:43.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/services/samba.te 2008-12-08 15:15:10.000000000 -0500
|
||||
@@ -66,6 +66,13 @@
|
||||
## </desc>
|
||||
gen_tunable(samba_share_nfs, false)
|
||||
@ -18255,7 +18313,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
#
|
||||
-
|
||||
+allow samba_net_t self:capability { dac_read_search dac_override };
|
||||
+allow samba_net_t self:process getsched;
|
||||
+allow samba_net_t self:process { getsched setsched };
|
||||
allow samba_net_t self:unix_dgram_socket create_socket_perms;
|
||||
allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow samba_net_t self:udp_socket create_socket_perms;
|
||||
@ -18281,7 +18339,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
auth_use_nsswitch(samba_net_t)
|
||||
|
||||
@@ -197,8 +213,10 @@
|
||||
@@ -197,8 +213,14 @@
|
||||
|
||||
miscfiles_read_localization(samba_net_t)
|
||||
|
||||
@ -18290,10 +18348,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
userdom_use_user_terminals(samba_net_t)
|
||||
-userdom_dontaudit_search_user_home_dirs(samba_net_t)
|
||||
+userdom_list_user_home_dirs(samba_net_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ pcscd_read_pub_files(samba_net_t)
|
||||
+')
|
||||
|
||||
optional_policy(`
|
||||
kerberos_use(samba_net_t)
|
||||
@@ -208,7 +226,7 @@
|
||||
@@ -208,7 +230,7 @@
|
||||
#
|
||||
# smbd Local policy
|
||||
#
|
||||
@ -18302,7 +18364,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dontaudit smbd_t self:capability sys_tty_config;
|
||||
allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow smbd_t self:process setrlimit;
|
||||
@@ -226,10 +244,8 @@
|
||||
@@ -226,10 +248,8 @@
|
||||
|
||||
allow smbd_t samba_etc_t:file { rw_file_perms setattr };
|
||||
|
||||
@ -18314,7 +18376,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
allow smbd_t samba_net_tmp_t:file getattr;
|
||||
|
||||
@@ -239,6 +255,7 @@
|
||||
@@ -239,6 +259,7 @@
|
||||
manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
|
||||
manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
|
||||
manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
|
||||
@ -18322,7 +18384,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
|
||||
manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
|
||||
@@ -256,7 +273,7 @@
|
||||
@@ -256,7 +277,7 @@
|
||||
manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
|
||||
files_pid_filetrans(smbd_t, smbd_var_run_t, file)
|
||||
|
||||
@ -18331,7 +18393,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
kernel_getattr_core_if(smbd_t)
|
||||
kernel_getattr_message_if(smbd_t)
|
||||
@@ -321,6 +338,10 @@
|
||||
@@ -321,6 +342,10 @@
|
||||
userdom_use_unpriv_users_fds(smbd_t)
|
||||
userdom_dontaudit_search_user_home_dirs(smbd_t)
|
||||
|
||||
@ -18342,28 +18404,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
files_dontaudit_getattr_default_dirs(smbd_t)
|
||||
files_dontaudit_getattr_boot_dirs(smbd_t)
|
||||
@@ -350,8 +371,20 @@
|
||||
@@ -350,8 +375,20 @@
|
||||
tunable_policy(`samba_share_nfs',`
|
||||
fs_manage_nfs_dirs(smbd_t)
|
||||
fs_manage_nfs_files(smbd_t)
|
||||
+ fs_manage_nfs_symlinks(smbd_t)
|
||||
+ fs_manage_nfs_named_pipes(smbd_t)
|
||||
+ fs_manage_nfs_named_sockets(smbd_t)
|
||||
+')
|
||||
+
|
||||
')
|
||||
|
||||
+# Support Samba sharing of ntfs/fusefs mount points
|
||||
+tunable_policy(`samba_share_fusefs',`
|
||||
+ fs_manage_fusefs_dirs(smbd_t)
|
||||
+ fs_manage_fusefs_files(smbd_t)
|
||||
+',`
|
||||
+ fs_search_fusefs_dirs(smbd_t)
|
||||
')
|
||||
|
||||
+')
|
||||
+
|
||||
+
|
||||
optional_policy(`
|
||||
cups_read_rw_config(smbd_t)
|
||||
cups_stream_connect(smbd_t)
|
||||
@@ -359,6 +392,16 @@
|
||||
@@ -359,6 +396,16 @@
|
||||
|
||||
optional_policy(`
|
||||
kerberos_use(smbd_t)
|
||||
@ -18380,7 +18442,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -381,8 +424,10 @@
|
||||
@@ -381,8 +428,10 @@
|
||||
|
||||
tunable_policy(`samba_export_all_ro',`
|
||||
fs_read_noxattr_fs_files(smbd_t)
|
||||
@ -18391,7 +18453,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
auth_read_all_files_except_shadow(nmbd_t)
|
||||
')
|
||||
|
||||
@@ -454,6 +499,7 @@
|
||||
@@ -454,6 +503,7 @@
|
||||
dev_getattr_mtrr_dev(nmbd_t)
|
||||
|
||||
fs_getattr_all_fs(nmbd_t)
|
||||
@ -18399,7 +18461,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
fs_search_auto_mountpoints(nmbd_t)
|
||||
|
||||
domain_use_interactive_fds(nmbd_t)
|
||||
@@ -553,19 +599,33 @@
|
||||
@@ -553,19 +603,33 @@
|
||||
userdom_use_user_terminals(smbmount_t)
|
||||
userdom_use_all_users_fds(smbmount_t)
|
||||
|
||||
@ -18436,7 +18498,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
|
||||
|
||||
@@ -585,6 +645,9 @@
|
||||
@@ -585,6 +649,9 @@
|
||||
files_pid_filetrans(swat_t, swat_var_run_t, file)
|
||||
|
||||
allow swat_t winbind_exec_t:file mmap_file_perms;
|
||||
@ -18446,7 +18508,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
kernel_read_kernel_sysctls(swat_t)
|
||||
kernel_read_system_state(swat_t)
|
||||
@@ -609,15 +672,18 @@
|
||||
@@ -609,15 +676,18 @@
|
||||
|
||||
dev_read_urand(swat_t)
|
||||
|
||||
@ -18465,7 +18527,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
logging_search_logs(swat_t)
|
||||
|
||||
miscfiles_read_localization(swat_t)
|
||||
@@ -635,6 +701,17 @@
|
||||
@@ -635,6 +705,17 @@
|
||||
kerberos_use(swat_t)
|
||||
')
|
||||
|
||||
@ -18483,16 +18545,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
########################################
|
||||
#
|
||||
# Winbind local policy
|
||||
@@ -683,6 +760,8 @@
|
||||
@@ -642,7 +723,7 @@
|
||||
|
||||
allow winbind_t self:capability { dac_override ipc_lock setuid };
|
||||
dontaudit winbind_t self:capability sys_tty_config;
|
||||
-allow winbind_t self:process signal_perms;
|
||||
+allow winbind_t self:process { signal_perms getsched };
|
||||
allow winbind_t self:fifo_file rw_fifo_file_perms;
|
||||
allow winbind_t self:unix_dgram_socket create_socket_perms;
|
||||
allow winbind_t self:unix_stream_socket create_stream_socket_perms;
|
||||
@@ -683,9 +764,10 @@
|
||||
manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
|
||||
files_pid_filetrans(winbind_t, winbind_var_run_t, file)
|
||||
|
||||
+corecmd_exec_bin(winbind_t)
|
||||
+
|
||||
kernel_read_kernel_sysctls(winbind_t)
|
||||
kernel_list_proc(winbind_t)
|
||||
kernel_read_proc_symlinks(winbind_t)
|
||||
@@ -768,8 +847,13 @@
|
||||
-kernel_list_proc(winbind_t)
|
||||
-kernel_read_proc_symlinks(winbind_t)
|
||||
+kernel_read_system_state(winbind_t)
|
||||
|
||||
corenet_all_recvfrom_unlabeled(winbind_t)
|
||||
corenet_all_recvfrom_netlabel(winbind_t)
|
||||
@@ -713,6 +795,7 @@
|
||||
domain_use_interactive_fds(winbind_t)
|
||||
|
||||
files_read_etc_files(winbind_t)
|
||||
+files_read_usr_symlinks(winbind_t)
|
||||
|
||||
logging_send_syslog_msg(winbind_t)
|
||||
|
||||
@@ -768,8 +851,13 @@
|
||||
userdom_use_user_terminals(winbind_helper_t)
|
||||
|
||||
optional_policy(`
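Review bot: `corecmd_exec_bin(winbind_t)` lets a daemon that already holds `dac_override ipc_lock setuid` (see the `self:capability` line in this hunk) execute any `bin_t` program in its own domain, with no comment saying which helper it actually needs; a comment naming it, e.g. `# winbind runs [helper name] from bin_t; replace with a specific exec rule once one exists`, would let a later cleanup narrow the grant. Likewise `kernel_read_system_state(winbind_t)` replaces the two narrower `kernel_list_proc`/`kernel_read_proc_symlinks` rules with read access to all of /proc; if a single file was missing, a comment naming it keeps the wider rule from looking deliberate.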
|
||||
@ -18506,7 +18589,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -778,6 +862,16 @@
|
||||
@@ -778,6 +866,16 @@
|
||||
#
|
||||
|
||||
optional_policy(`
|
||||
@ -18523,7 +18606,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
type samba_unconfined_script_t;
|
||||
type samba_unconfined_script_exec_t;
|
||||
domain_type(samba_unconfined_script_t)
|
||||
@@ -788,9 +882,43 @@
|
||||
@@ -788,9 +886,43 @@
|
||||
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
|
||||
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
|
||||
|
||||
@ -19636,6 +19719,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.6.1/policy/modules/services/squid.if
|
||||
--- nsaserefpolicy/policy/modules/services/squid.if 2008-11-11 16:13:45.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/services/squid.if 2008-12-08 15:22:33.000000000 -0500
|
||||
@@ -21,6 +21,25 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## Execute squid
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## The type of the process performing this action.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`squid_exec',`
|
||||
+ gen_require(`
|
||||
+ type squid_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ can_exec($1, squid_exec_t)
|
||||
+')
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Send generic signals to squid.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.1/policy/modules/services/squid.te
|
||||
--- nsaserefpolicy/policy/modules/services/squid.te 2008-11-11 16:13:47.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/services/squid.te 2008-11-25 09:45:43.000000000 -0500
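Review bot: The new `squid_exec` interface uses `can_exec($1, squid_exec_t)`, so the caller runs the squid binary in its own domain with no transition, yet the summary just says `## Execute squid`; the usual wording for such interfaces is `## Execute squid in the caller domain.`, which tells a reader that logrotate (which calls it in the logrotate.te hunk earlier in this commit) will be running squid with logrotate_t's privileges. That is acceptable if logrotate only uses squid to reopen its logs, but it should be stated rather than left for the reader to infer. The interface is also followed by two blank lines where the rest of the file uses one.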
|
||||
@ -21640,7 +21752,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.1/policy/modules/system/authlogin.if
|
||||
--- nsaserefpolicy/policy/modules/system/authlogin.if 2008-11-11 16:13:48.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/system/authlogin.if 2008-12-04 14:13:34.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/system/authlogin.if 2008-12-08 15:05:18.000000000 -0500
|
||||
@@ -43,6 +43,7 @@
|
||||
interface(`auth_login_pgm_domain',`
|
||||
gen_require(`
|
||||
@ -21726,7 +21838,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -207,19 +256,16 @@
|
||||
@@ -197,8 +246,11 @@
|
||||
interface(`auth_domtrans_chk_passwd',`
|
||||
gen_require(`
|
||||
type chkpwd_t, chkpwd_exec_t, shadow_t;
|
||||
+ type auth_cache_t;
|
||||
')
|
||||
|
||||
+ allow $1 auth_cache_t:dir search_dir_perms;
|
||||
+
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, chkpwd_exec_t, chkpwd_t)
|
||||
|
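Review bot: The raw rule `allow $1 auth_cache_t:dir search_dir_perms;` added to `auth_domtrans_chk_passwd` duplicates exactly what this same patch introduces as the `auth_search_cache` interface further down in authlogin.if, so the two copies can drift apart; replace the added `type auth_cache_t;` require and the allow rule with one call, `auth_search_cache($1)`, which also keeps the cache type encapsulated by its own interface. Note that the permission is granted to every caller domain that transitions to chkpwd_t (login programs, su/sudo and the like), not to chkpwd_t itself; search is narrow, but if the cache is meant to be read only by the helper, a one-line comment saying why the caller needs to traverse the cache directory would help the next reader. Whether chkpwd_t itself gets read access to auth_cache_t is not visible in this hunk.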
||||
@@ -207,19 +259,16 @@
|
||||
dev_read_rand($1)
|
||||
dev_read_urand($1)
|
||||
|
||||
@ -21751,7 +21875,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -230,6 +276,29 @@
|
||||
@@ -230,6 +279,29 @@
|
||||
optional_policy(`
|
||||
samba_stream_connect_winbind($1)
|
||||
')
|
||||
@ -21781,7 +21905,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -254,6 +323,7 @@
|
||||
@@ -254,6 +326,7 @@
|
||||
|
||||
auth_domtrans_chk_passwd($1)
|
||||
role $2 types chkpwd_t;
|
||||
@ -21789,7 +21913,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1031,6 +1101,32 @@
|
||||
@@ -1031,6 +1104,32 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -21822,7 +21946,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Manage all files on the filesystem, except
|
||||
## the shadow passwords and listed exceptions.
|
||||
## </summary>
|
||||
@@ -1297,6 +1393,10 @@
|
||||
@@ -1297,6 +1396,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -21833,7 +21957,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
nis_use_ypbind($1)
|
||||
')
|
||||
|
||||
@@ -1307,6 +1407,7 @@
|
||||
@@ -1307,6 +1410,7 @@
|
||||
optional_policy(`
|
||||
samba_stream_connect_winbind($1)
|
||||
samba_read_var_files($1)
|
||||
@ -21841,13 +21965,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -1341,3 +1442,61 @@
|
||||
@@ -1341,3 +1445,80 @@
|
||||
typeattribute $1 can_write_shadow_passwords;
|
||||
typeattribute $1 can_relabelto_shadow_passwords;
|
||||
')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Search authentication cache
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`auth_search_cache',`
|
||||
+ gen_require(`
|
||||
+ type auth_cache_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 auth_cache_t:dir search_dir_perms;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read/Write authentication cache
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
@ -22667,6 +22810,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow setkey_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
|
||||
allow setkey_t ipsec_conf_file_t:dir list_dir_perms;
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.1/policy/modules/system/iptables.fc
|
||||
--- nsaserefpolicy/policy/modules/system/iptables.fc 2008-08-07 11:15:12.000000000 -0400
|
||||
+++ serefpolicy-3.6.1/policy/modules/system/iptables.fc 2008-12-08 16:37:20.000000000 -0500
|
||||
@@ -6,3 +6,4 @@
|
||||
/usr/sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
/usr/sbin/iptables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
+/var/lib/shorewall(/.*)? -- gen_context(system_u:object_r:iptables_var_run_t,s0)
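Review bot: The new file context for `/var/lib/shorewall(/.*)?` carries the `--` regular-file specifier, so the directory `/var/lib/shorewall` itself and any subdirectory matched by `(/.*)?` are excluded from this entry and keep whatever label the parent rule assigns, while only the regular files inside become iptables_var_run_t; iptables_t then still needs access to the differently labeled directories to reach them. Unless files-only labeling is deliberate, drop the specifier so the rule applies to all object classes: `/var/lib/shorewall(/.*)?	gen_context(system_u:object_r:iptables_var_run_t,s0)`. Reusing a `_var_run_t` type for persistent state under /var/lib also departs from the refpolicy convention of a dedicated `_var_lib_t` type, which deserves a comment if intentional. The corresponding iptables.te change is outside this hunk, so whether iptables_t is allowed to manage this type as both dir and file is not checked here.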
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.1/policy/modules/system/iptables.te
|
||||
--- nsaserefpolicy/policy/modules/system/iptables.te 2008-11-11 16:13:48.000000000 -0500
|
||||
+++ serefpolicy-3.6.1/policy/modules/system/iptables.te 2008-12-04 08:58:18.000000000 -0500
|
||||
|
@ -20,7 +20,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.6.1
|
||||
Release: 7%{?dist}
|
||||
Release: 8%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -446,6 +446,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Dec 8 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-8
|
||||
- Fix sudo setting of user keys
|
||||
|
||||
* Thu Dec 4 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-7
|
||||
- Allow iptables to talk to terminals
|
||||
- Fixes for policy kit
|
||||
|