- Allow dhcpc to restart ypbind
- Fixup labeling in /var/run
This commit is contained in:
Daniel J Walsh
parent
333ebd64df
commit
a023a0be19
@ -185,9 +185,9 @@ certwatch = module
|
|||||||
# Layer: admin
|
# Layer: admin
|
||||||
# Module: certmaster
|
# Module: certmaster
|
||||||
#
|
#
|
||||||
# Digital Certificate Tracking
|
# Digital Certificate master
|
||||||
#
|
#
|
||||||
certmanager = module
|
certmaster = module
|
||||||
|
|
||||||
# Layer: services
|
# Layer: services
|
||||||
# Module: cipe
|
# Module: cipe
|
||||||
|
|||||||
@ -185,9 +185,9 @@ certwatch = module
|
|||||||
# Layer: admin
|
# Layer: admin
|
||||||
# Module: certmaster
|
# Module: certmaster
|
||||||
#
|
#
|
||||||
# Digital Certificate Tracking
|
# Digital Certificate master
|
||||||
#
|
#
|
||||||
certmanager = module
|
certmaster = module
|
||||||
|
|
||||||
# Layer: services
|
# Layer: services
|
||||||
# Module: cipe
|
# Module: cipe
|
||||||
|
|||||||
@ -676,7 +676,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
ifdef(`distro_suse', `
|
ifdef(`distro_suse', `
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.5.13/policy/modules/admin/rpm.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.5.13/policy/modules/admin/rpm.if
|
||||||
--- nsaserefpolicy/policy/modules/admin/rpm.if 2008-08-07 11:15:13.000000000 -0400
|
--- nsaserefpolicy/policy/modules/admin/rpm.if 2008-08-07 11:15:13.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/admin/rpm.if 2008-11-03 11:41:00.000000000 -0500
|
+++ serefpolicy-3.5.13/policy/modules/admin/rpm.if 2008-11-03 17:02:00.000000000 -0500
|
||||||
@@ -152,6 +152,24 @@
|
@@ -152,6 +152,24 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -755,7 +755,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
+## Create, read, write, and delete the RPM log.
|
+## Search RPM log directory.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
+## <summary>
|
+## <summary>
|
||||||
@ -8902,7 +8902,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.5.13/policy/modules/roles/sysadm.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.5.13/policy/modules/roles/sysadm.te
|
||||||
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/roles/sysadm.te 2008-10-29 12:02:23.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/roles/sysadm.te 2008-11-03 17:03:51.000000000 -0500
|
||||||
@@ -15,7 +14,7 @@
|
@@ -15,7 +14,7 @@
|
||||||
|
|
||||||
role sysadm_r;
|
role sysadm_r;
|
||||||
@ -8945,12 +8945,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -328,3 +327,5 @@
|
|
||||||
optional_policy(`
|
|
||||||
yam_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
|
|
||||||
')
|
|
||||||
+
|
|
||||||
+#gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.if serefpolicy-3.5.13/policy/modules/roles/unprivuser.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.if serefpolicy-3.5.13/policy/modules/roles/unprivuser.if
|
||||||
--- nsaserefpolicy/policy/modules/roles/unprivuser.if 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/roles/unprivuser.if 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/roles/unprivuser.if 2008-10-30 13:58:02.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/roles/unprivuser.if 2008-10-30 13:58:02.000000000 -0400
|
||||||
@ -12178,8 +12172,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0)
|
+/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.if serefpolicy-3.5.13/policy/modules/services/certmaster.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.if serefpolicy-3.5.13/policy/modules/services/certmaster.if
|
||||||
--- nsaserefpolicy/policy/modules/services/certmaster.if 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/certmaster.if 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.5.13/policy/modules/services/certmaster.if 2008-11-03 15:55:54.000000000 -0500
|
+++ serefpolicy-3.5.13/policy/modules/services/certmaster.if 2008-11-03 17:32:32.000000000 -0500
|
||||||
@@ -0,0 +1,132 @@
|
@@ -0,0 +1,128 @@
|
||||||
+## <summary>policy for certmaster</summary>
|
+## <summary>policy for certmaster</summary>
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -12214,7 +12208,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+## Domain allowed access.
|
+## Domain allowed access.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## </param>
|
+## </param>
|
||||||
+##
|
|
||||||
+#
|
+#
|
||||||
+interface(`certmaster_read_log',`
|
+interface(`certmaster_read_log',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
@ -12233,7 +12226,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+## Domain allowed access.
|
+## Domain allowed access.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## </param>
|
+## </param>
|
||||||
+##
|
|
||||||
+#
|
+#
|
||||||
+interface(`certmaster_append_log',`
|
+interface(`certmaster_append_log',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
@ -12253,7 +12245,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+## Domain allowed access.
|
+## Domain allowed access.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## </param>
|
+## </param>
|
||||||
+##
|
|
||||||
+#
|
+#
|
||||||
+interface(`certmaster_manage_log',`
|
+interface(`certmaster_manage_log',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
@ -12281,12 +12272,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+## </param>
|
+## </param>
|
||||||
+## <rolecap/>
|
+## <rolecap/>
|
||||||
+#
|
+#
|
||||||
+
|
|
||||||
+interface(`certmaster_admin',`
|
+interface(`certmaster_admin',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
|
+ type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
|
||||||
+ type certmaster_etc_rw_t, certmaster_var_log_t;
|
+ type certmaster_etc_rw_t, certmaster_var_log_t;
|
||||||
+ certmaster_initrc_exec_t;
|
+ type certmaster_initrc_exec_t;
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ allow $1 certmaster_t:process { ptrace signal_perms };
|
+ allow $1 certmaster_t:process { ptrace signal_perms };
|
||||||
@ -12314,8 +12304,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.5.13/policy/modules/services/certmaster.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.5.13/policy/modules/services/certmaster.te
|
||||||
--- nsaserefpolicy/policy/modules/services/certmaster.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/certmaster.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.5.13/policy/modules/services/certmaster.te 2008-10-30 14:48:03.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/services/certmaster.te 2008-11-03 17:19:28.000000000 -0500
|
||||||
@@ -0,0 +1,85 @@
|
@@ -0,0 +1,81 @@
|
||||||
+policy_module(certmaster,1.0.0)
|
+policy_module(certmaster,1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -12337,7 +12327,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
+# config files
|
+# config files
|
||||||
+type certmaster_etc_rw_t;
|
+type certmaster_etc_rw_t;
|
||||||
+files_config_type(certmaster_etc_rw_t)
|
+files_config_file(certmaster_etc_rw_t)
|
||||||
+
|
+
|
||||||
+# log files
|
+# log files
|
||||||
+type certmaster_var_log_t;
|
+type certmaster_var_log_t;
|
||||||
@ -12354,10 +12344,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
+allow certmaster_t self:tcp_socket create_stream_socket_perms;
|
+allow certmaster_t self:tcp_socket create_stream_socket_perms;
|
||||||
+
|
+
|
||||||
+# certification files
|
|
||||||
+manage_dirs_pattern(certmaster_t,certmaster_cert_t,certmaster_cert_t)
|
|
||||||
+manage_files_pattern(certmaster_t, certmaster_cert_t, certmaster_cert_t)
|
|
||||||
+
|
|
||||||
+# config files
|
+# config files
|
||||||
+list_dirs_pattern(certmaster_t,certmaster_etc_rw_t,certmaster_etc_rw_t)
|
+list_dirs_pattern(certmaster_t,certmaster_etc_rw_t,certmaster_etc_rw_t)
|
||||||
+manage_files_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t)
|
+manage_files_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t)
|
||||||
@ -17638,7 +17624,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
/usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
|
/usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.5.13/policy/modules/services/nis.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.5.13/policy/modules/services/nis.if
|
||||||
--- nsaserefpolicy/policy/modules/services/nis.if 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/nis.if 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/services/nis.if 2008-11-03 14:12:23.000000000 -0500
|
+++ serefpolicy-3.5.13/policy/modules/services/nis.if 2008-11-03 17:06:55.000000000 -0500
|
||||||
@@ -28,7 +28,7 @@
|
@@ -28,7 +28,7 @@
|
||||||
type var_yp_t;
|
type var_yp_t;
|
||||||
')
|
')
|
||||||
@ -17685,7 +17671,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Execute ypbind in the ypbind domain.
|
## Execute ypbind in the ypbind domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -244,3 +263,105 @@
|
@@ -244,3 +263,104 @@
|
||||||
corecmd_search_bin($1)
|
corecmd_search_bin($1)
|
||||||
domtrans_pattern($1, ypxfr_exec_t, ypxfr_t)
|
domtrans_pattern($1, ypxfr_exec_t, ypxfr_t)
|
||||||
')
|
')
|
||||||
@ -17719,7 +17705,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+## </summary>
|
+## </summary>
|
||||||
+## </param>
|
+## </param>
|
||||||
+#
|
+#
|
||||||
+#
|
|
||||||
+interface(`nis_ypbind_initrc_domtrans',`
|
+interface(`nis_ypbind_initrc_domtrans',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ type ypbind_initrc_exec_t;
|
+ type ypbind_initrc_exec_t;
|
||||||
@ -28186,7 +28171,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.5.13/policy/modules/system/miscfiles.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.5.13/policy/modules/system/miscfiles.if
|
||||||
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2008-08-07 11:15:12.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2008-08-07 11:15:12.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/system/miscfiles.if 2008-10-31 11:01:20.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/system/miscfiles.if 2008-11-03 17:18:22.000000000 -0500
|
||||||
@@ -23,6 +23,45 @@
|
@@ -23,6 +23,45 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -28200,7 +28185,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+## </param>
|
+## </param>
|
||||||
+## <rolecap/>
|
+## <rolecap/>
|
||||||
+#
|
+#
|
||||||
+interface(`
|
+interface(`miscfiles_manage_cert_dirs',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ type cert_t;
|
+ type cert_t;
|
||||||
+ ')
|
+ ')
|
||||||
@ -30572,7 +30557,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
|
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.13/policy/modules/system/userdomain.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.13/policy/modules/system/userdomain.if
|
||||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-08-07 11:15:12.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-08-07 11:15:12.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2008-10-30 16:14:16.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2008-11-03 17:15:19.000000000 -0500
|
||||||
@@ -28,10 +28,14 @@
|
@@ -28,10 +28,14 @@
|
||||||
class context contains;
|
class context contains;
|
||||||
')
|
')
|
||||||
@ -32685,31 +32670,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
allow $1 userdomain:process getattr;
|
allow $1 userdomain:process getattr;
|
||||||
@@ -5429,7 +5528,7 @@
|
@@ -5447,6 +5546,24 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
-## Send general signals to all user domains.
|
|
||||||
+## Send signull to all user domains.
|
+## Send signull to all user domains.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`userdom_signull_all_users',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ attribute userdomain;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 userdomain:process signull;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
## Send a SIGCHLD signal to all user domains.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
@@ -5483,6 +5600,42 @@
|
||||||
@@ -5437,12 +5536,12 @@
|
|
||||||
## </summary>
|
|
||||||
## </param>
|
|
||||||
#
|
|
||||||
-interface(`userdom_signal_all_users',`
|
|
||||||
+interface(`userdom_signull_all_users',`
|
|
||||||
gen_require(`
|
|
||||||
attribute userdomain;
|
|
||||||
')
|
|
||||||
|
|
||||||
- allow $1 userdomain:process signal;
|
|
||||||
+ allow $1 userdomain:process signull;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
|
||||||
@@ -5483,6 +5582,42 @@
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -32752,7 +32738,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Send a dbus message to all user domains.
|
## Send a dbus message to all user domains.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -5513,3 +5648,546 @@
|
@@ -5513,3 +5666,546 @@
|
||||||
interface(`userdom_unconfined',`
|
interface(`userdom_unconfined',`
|
||||||
refpolicywarn(`$0($*) has been deprecated.')
|
refpolicywarn(`$0($*) has been deprecated.')
|
||||||
')
|
')
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user