- Fixes for svirt
This commit is contained in:
parent
cb51c2687c
commit
9da6c9c025
@ -1536,6 +1536,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ xserver_write_pid(vbetool_t)
+')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.6.10/policy/modules/apps/awstats.te
--- nsaserefpolicy/policy/modules/apps/awstats.te 2009-02-16 08:44:12.000000000 -0500
+++ serefpolicy-3.6.10/policy/modules/apps/awstats.te 2009-03-27 09:09:07.000000000 -0400
@@ -51,6 +51,8 @@
libs_read_lib_files(awstats_t)
+logging_read_generic_logs(awstats_t)
+
miscfiles_read_localization(awstats_t)
sysnet_dns_name_resolve(awstats_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.fc serefpolicy-3.6.10/policy/modules/apps/cdrecord.fc
--- nsaserefpolicy/policy/modules/apps/cdrecord.fc 2008-08-07 11:15:03.000000000 -0400
+++ serefpolicy-3.6.10/policy/modules/apps/cdrecord.fc 2009-03-24 09:03:48.000000000 -0400
@ -4771,7 +4783,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.10/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500
+++ serefpolicy-3.6.10/policy/modules/kernel/files.if 2009-03-26 21:12:48.000000000 -0400
+++ serefpolicy-3.6.10/policy/modules/kernel/files.if 2009-03-27 09:36:29.000000000 -0400
@@ -110,6 +110,11 @@
## </param>
#
@ -5121,8 +5133,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.10/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-03-04 16:49:00.000000000 -0500
+++ serefpolicy-3.6.10/policy/modules/kernel/filesystem.if 2009-03-24 09:03:48.000000000 -0400
@@ -754,6 +754,7 @@
+++ serefpolicy-3.6.10/policy/modules/kernel/filesystem.if 2009-03-27 13:53:56.000000000 -0400
@@ -723,6 +723,24 @@
########################################
## <summary>
+## Dont audit attempts to write to all noxattrfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_write_noxattr_fs_files',`
+ gen_require(`
+ attribute noxattrfs;
+ ')
+
+ dontaudit $1 noxattrfs:file write;
+')
+
+########################################
+## <summary>
## Create, read, write, and delete all noxattrfs directories.
## </summary>
## <param name="domain">
@@ -754,6 +772,7 @@
attribute noxattrfs;
')
@ -5130,7 +5167,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_files_pattern($1, noxattrfs, noxattrfs)
')
@@ -2173,6 +2174,7 @@
@@ -2173,6 +2192,7 @@
type removable_t;
')
@ -5138,7 +5175,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
rw_blk_files_pattern($1, removable_t, removable_t)
')
@@ -3322,6 +3324,7 @@
@@ -3322,6 +3342,7 @@
type tmpfs_t;
')
@ -5146,7 +5183,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dontaudit $1 tmpfs_t:file rw_file_perms;
')
@@ -3643,6 +3646,7 @@
@@ -3643,6 +3664,7 @@
')
allow $1 filesystem_type:filesystem getattr;
@ -8278,6 +8315,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.6.10/policy/modules/services/bitlbee.te
--- nsaserefpolicy/policy/modules/services/bitlbee.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.10/policy/modules/services/bitlbee.te 2009-03-27 10:19:31.000000000 -0400
@@ -75,6 +75,8 @@
# grant read-only access to the user help files
files_read_usr_files(bitlbee_t)
+kernel_read_system_state(bitlbee_t)
+
libs_legacy_use_shared_libs(bitlbee_t)
miscfiles_read_localization(bitlbee_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.6.10/policy/modules/services/certmaster.fc
--- nsaserefpolicy/policy/modules/services/certmaster.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.10/policy/modules/services/certmaster.fc 2009-03-24 09:03:48.000000000 -0400
@ -10570,6 +10619,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
+allow session_bus_type dbusd_unconfined:dbus send_msg;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.fc serefpolicy-3.6.10/policy/modules/services/dcc.fc
--- nsaserefpolicy/policy/modules/services/dcc.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.10/policy/modules/services/dcc.fc 2009-03-27 08:55:46.000000000 -0400
@@ -11,6 +11,7 @@
/usr/libexec/dcc/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
/var/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
+/var/lib/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
/var/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
/var/run/dcc(/.*)? gen_context(system_u:object_r:dcc_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.10/policy/modules/services/dcc.te
--- nsaserefpolicy/policy/modules/services/dcc.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.10/policy/modules/services/dcc.te 2009-03-24 09:03:48.000000000 -0400
@ -12833,8 +12893,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.10/policy/modules/services/lircd.te
--- nsaserefpolicy/policy/modules/services/lircd.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.10/policy/modules/services/lircd.te 2009-03-24 09:03:48.000000000 -0400
@@ -0,0 +1,51 @@
+++ serefpolicy-3.6.10/policy/modules/services/lircd.te 2009-03-27 09:36:23.000000000 -0400
@@ -0,0 +1,55 @@
+policy_module(lircd,1.0.0)
+
+########################################
@ -12883,8 +12943,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+logging_send_syslog_msg(lircd_t)
+
+miscfiles_read_localization(lircd_t)
+files_read_etc_files(lircd_t)
+files_list_var(lircd_t)
+files_manage_generic_locks(lircd_t)
+files_read_all_locks(lircd_t)
+
+miscfiles_read_localization(lircd_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.6.10/policy/modules/services/mailman.fc
--- nsaserefpolicy/policy/modules/services/mailman.fc 2008-08-07 11:15:11.000000000 -0400
@ -13062,7 +13126,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-#')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.10/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.10/policy/modules/services/mta.if 2009-03-24 09:03:48.000000000 -0400
+++ serefpolicy-3.6.10/policy/modules/services/mta.if 2009-03-27 09:50:44.000000000 -0400
@@ -130,6 +130,15 @@
sendmail_create_log($1_mail_t)
')
@ -13130,6 +13194,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
@@ -806,6 +818,7 @@
')
files_search_spool($1)
+ manage_dirs_pattern($1, mqueue_spool_t, mqueue_spool_t)
manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.10/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.10/policy/modules/services/mta.te 2009-03-24 09:03:48.000000000 -0400
@ -21169,7 +21241,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.10/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.10/policy/modules/services/virt.if 2009-03-24 09:03:48.000000000 -0400
+++ serefpolicy-3.6.10/policy/modules/services/virt.if 2009-03-27 13:53:49.000000000 -0400
@@ -2,28 +2,6 @@
########################################
@ -21264,7 +21336,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## All of the rules required to administrate
## an virt environment
## </summary>
@@ -327,3 +341,50 @@
@@ -327,3 +341,53 @@
virt_manage_log($1)
')
@ -21310,6 +21382,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
+ fs_getattr_tmpfs($1_t)
+
+ fs_read_noxattr_fs_files($1_t)
+ fs_dontaudit_write_noxattr_fs_files($1_t)
+
+ optional_policy(`
+ xserver_common_app($1_t)
+ ')
@ -24700,7 +24775,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.10/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.10/policy/modules/system/logging.if 2009-03-24 09:03:48.000000000 -0400
+++ serefpolicy-3.6.10/policy/modules/system/logging.if 2009-03-27 09:08:50.000000000 -0400
@@ -623,7 +623,7 @@
')
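Review bot: The new `fs_dontaudit_write_noxattr_fs_files` interface in the filesystem.if hunk (`dontaudit $1 noxattrfs:file write;`) is handed to every svirt guest domain in the virt.if hunk via `fs_dontaudit_write_noxattr_fs_files($1_t)` (inside a template whose header lies outside that hunk), so a confined VM that tries to write a file on any xattr-less filesystem now fails with no AVC record; for a domain whose purpose is to contain an untrusted guest that is audit signal a defender would normally want kept, and nothing in the hunk records why the denials are expected, which makes it easy for the rule to be widened later to directories or other classes. The interface summary `## Dont audit attempts to write to all noxattrfs files.` also has a typo and does not state the scope; I would write `## Don't audit attempts to write to files (file class only) on all noxattrfs filesystems.` and put a comment above the call in virt.if such as `# presumably quiets qemu opening read-only media images read-write -- confirm against the denials this targets`. The old/new side of the two `+++ serefpolicy-3.6.10/policy/modules/kernel/filesystem.if` header lines is not recoverable from this rendering, so which timestamp is current is inferred.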