- New paths for upstart
This commit is contained in:
parent
8d55a410dc
commit
a1ef703492
167
policy-F14.patch
167
policy-F14.patch
@ -1272,6 +1272,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa
|
||||
|
||||
optional_policy(`
|
||||
hostname_exec(shorewall_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.fc serefpolicy-3.8.8/policy/modules/admin/shutdown.fc
|
||||
--- nsaserefpolicy/policy/modules/admin/shutdown.fc 2010-07-14 11:21:53.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/admin/shutdown.fc 2010-07-26 16:52:20.000000000 -0400
|
||||
@@ -3,3 +3,5 @@
|
||||
/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
|
||||
|
||||
/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
|
||||
+
|
||||
+/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.if serefpolicy-3.8.8/policy/modules/admin/shutdown.if
|
||||
--- nsaserefpolicy/policy/modules/admin/shutdown.if 2010-07-14 11:21:53.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/admin/shutdown.if 2010-07-20 10:46:10.000000000 -0400
|
||||
@ -5383,8 +5392,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
|
||||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.8.8/policy/modules/apps/seunshare.te
|
||||
--- nsaserefpolicy/policy/modules/apps/seunshare.te 2010-06-18 13:07:19.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/apps/seunshare.te 2010-07-20 10:46:10.000000000 -0400
|
||||
@@ -5,40 +5,39 @@
|
||||
+++ serefpolicy-3.8.8/policy/modules/apps/seunshare.te 2010-07-26 17:02:42.000000000 -0400
|
||||
@@ -5,40 +5,41 @@
|
||||
# Declarations
|
||||
#
|
||||
|
||||
@ -5419,16 +5428,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
|
||||
|
||||
-files_read_etc_files(seunshare_t)
|
||||
-files_mounton_all_poly_members(seunshare_t)
|
||||
+auth_use_nsswitch(seunshare_domain)
|
||||
+fs_manage_cgroup_dirs(seunshare_domain)
|
||||
|
||||
-auth_use_nsswitch(seunshare_t)
|
||||
+logging_send_syslog_msg(seunshare_domain)
|
||||
+auth_use_nsswitch(seunshare_domain)
|
||||
|
||||
-logging_send_syslog_msg(seunshare_t)
|
||||
+miscfiles_read_localization(seunshare_domain)
|
||||
+logging_send_syslog_msg(seunshare_domain)
|
||||
|
||||
-miscfiles_read_localization(seunshare_t)
|
||||
-
|
||||
+miscfiles_read_localization(seunshare_domain)
|
||||
|
||||
-userdom_use_user_terminals(seunshare_t)
|
||||
+userdom_use_user_terminals(seunshare_domain)
|
||||
|
||||
@ -6519,8 +6529,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
|
||||
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.8.8/policy/modules/kernel/devices.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-06-08 10:35:48.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/kernel/devices.if 2010-07-26 14:00:19.000000000 -0400
|
||||
@@ -606,6 +606,24 @@
|
||||
+++ serefpolicy-3.8.8/policy/modules/kernel/devices.if 2010-07-26 16:44:30.000000000 -0400
|
||||
@@ -497,6 +497,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## Read generic character device files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`dev_read_generic_chr_files',`
|
||||
+ gen_require(`
|
||||
+ type device_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 device_t:chr_file read_chr_file_perms;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Read and write generic character device files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -606,6 +624,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -6545,7 +6580,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
|
||||
## Create, delete, read, and write symbolic links in device directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1015,6 +1033,42 @@
|
||||
@@ -1015,6 +1051,42 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -6588,7 +6623,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
|
||||
## Delete all block device files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -3540,6 +3594,24 @@
|
||||
@@ -3540,6 +3612,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -6613,7 +6648,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
|
||||
## Get the attributes of sysfs directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -3851,6 +3923,24 @@
|
||||
@@ -3851,6 +3941,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -6638,7 +6673,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
|
||||
## Mount a usbfs filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -4161,11 +4251,10 @@
|
||||
@@ -4161,11 +4269,10 @@
|
||||
#
|
||||
interface(`dev_rw_vhost',`
|
||||
gen_require(`
|
||||
@ -7584,7 +7619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
|
||||
+/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.8.8/policy/modules/kernel/filesystem.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-07-14 11:21:53.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.if 2010-07-21 11:43:41.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.if 2010-07-26 17:02:26.000000000 -0400
|
||||
@@ -1233,7 +1233,7 @@
|
||||
type cifs_t;
|
||||
')
|
||||
@ -17349,7 +17384,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
||||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.8.8/policy/modules/services/mta.if
|
||||
--- nsaserefpolicy/policy/modules/services/mta.if 2010-05-25 16:28:22.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/mta.if 2010-07-21 08:47:33.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/mta.if 2010-07-26 17:39:52.000000000 -0400
|
||||
@@ -220,6 +220,25 @@
|
||||
application_executable_file($1)
|
||||
')
|
||||
@ -17400,7 +17435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -391,12 +408,13 @@
|
||||
@@ -391,12 +408,15 @@
|
||||
#
|
||||
interface(`mta_sendmail_domtrans',`
|
||||
gen_require(`
|
||||
@ -17412,11 +17447,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
||||
+ allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
|
||||
corecmd_read_bin_symlinks($1)
|
||||
- domain_auto_trans($1, sendmail_exec_t, $2)
|
||||
+
|
||||
+ allow $2 mta_exec_type:file entrypoint;
|
||||
+ domtrans_pattern($1, mta_exec_type, $2)
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -474,7 +492,8 @@
|
||||
@@ -474,7 +494,8 @@
|
||||
type etc_mail_t;
|
||||
')
|
||||
|
||||
@ -17426,7 +17463,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -698,7 +717,7 @@
|
||||
@@ -698,7 +719,7 @@
|
||||
files_search_spool($1)
|
||||
allow $1 mail_spool_t:dir list_dir_perms;
|
||||
allow $1 mail_spool_t:file setattr;
|
||||
@ -17437,7 +17474,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
||||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.8.8/policy/modules/services/mta.te
|
||||
--- nsaserefpolicy/policy/modules/services/mta.te 2010-06-18 13:07:19.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/mta.te 2010-07-20 10:46:10.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/mta.te 2010-07-26 17:09:17.000000000 -0400
|
||||
@@ -21,7 +21,7 @@
|
||||
files_config_file(etc_mail_t)
|
||||
|
||||
@ -17447,6 +17484,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
||||
|
||||
type mqueue_spool_t;
|
||||
files_mountpoint(mqueue_spool_t)
|
||||
@@ -62,9 +62,9 @@
|
||||
|
||||
can_exec(system_mail_t, mta_exec_type)
|
||||
|
||||
-kernel_read_system_state(system_mail_t)
|
||||
-kernel_read_network_state(system_mail_t)
|
||||
-kernel_request_load_module(system_mail_t)
|
||||
+kernel_read_system_state(user_mail_domain)
|
||||
+kernel_read_network_state(user_mail_domain)
|
||||
+kernel_request_load_module(user_mail_domain)
|
||||
|
||||
dev_read_sysfs(system_mail_t)
|
||||
dev_read_rand(system_mail_t)
|
||||
@@ -82,6 +82,9 @@
|
||||
|
||||
userdom_use_user_terminals(system_mail_t)
|
||||
@ -21487,7 +21537,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
|
||||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.8.8/policy/modules/services/samba.te
|
||||
--- nsaserefpolicy/policy/modules/services/samba.te 2010-06-18 13:07:19.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/samba.te 2010-07-20 10:46:11.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/samba.te 2010-07-26 17:19:57.000000000 -0400
|
||||
@@ -152,9 +152,6 @@
|
||||
type winbind_log_t;
|
||||
logging_log_file(winbind_log_t)
|
||||
@ -21585,7 +21635,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
|
||||
|
||||
allow swat_t smbd_exec_t:file mmap_file_perms ;
|
||||
|
||||
@@ -754,6 +750,8 @@
|
||||
@@ -710,6 +706,7 @@
|
||||
domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
|
||||
allow swat_t winbind_t:process { signal signull };
|
||||
|
||||
+read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t)
|
||||
allow swat_t winbind_var_run_t:dir { write add_name remove_name };
|
||||
allow swat_t winbind_var_run_t:sock_file { create unlink };
|
||||
|
||||
@@ -754,6 +751,8 @@
|
||||
|
||||
miscfiles_read_localization(swat_t)
|
||||
|
||||
@ -21594,7 +21652,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
|
||||
optional_policy(`
|
||||
cups_read_rw_config(swat_t)
|
||||
cups_stream_connect(swat_t)
|
||||
@@ -806,14 +804,14 @@
|
||||
@@ -806,14 +805,14 @@
|
||||
allow winbind_t winbind_log_t:file manage_file_perms;
|
||||
logging_log_filetrans(winbind_t, winbind_log_t, file)
|
||||
|
||||
@ -21614,7 +21672,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
|
||||
|
||||
kernel_read_kernel_sysctls(winbind_t)
|
||||
kernel_read_system_state(winbind_t)
|
||||
@@ -833,6 +831,7 @@
|
||||
@@ -833,6 +832,7 @@
|
||||
corenet_tcp_bind_generic_node(winbind_t)
|
||||
corenet_udp_bind_generic_node(winbind_t)
|
||||
corenet_tcp_connect_smbd_port(winbind_t)
|
||||
@ -21622,7 +21680,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
|
||||
corenet_tcp_connect_epmap_port(winbind_t)
|
||||
corenet_tcp_connect_all_unreserved_ports(winbind_t)
|
||||
|
||||
@@ -922,6 +921,18 @@
|
||||
@@ -922,6 +922,18 @@
|
||||
#
|
||||
|
||||
optional_policy(`
|
||||
@ -21641,7 +21699,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
|
||||
type samba_unconfined_script_t;
|
||||
type samba_unconfined_script_exec_t;
|
||||
domain_type(samba_unconfined_script_t)
|
||||
@@ -932,9 +943,12 @@
|
||||
@@ -932,9 +944,12 @@
|
||||
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
|
||||
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
|
||||
|
||||
@ -26302,8 +26360,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu
|
||||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.8.8/policy/modules/system/init.fc
|
||||
--- nsaserefpolicy/policy/modules/system/init.fc 2010-03-18 10:35:11.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/system/init.fc 2010-07-20 10:46:11.000000000 -0400
|
||||
@@ -24,6 +24,11 @@
|
||||
+++ serefpolicy-3.8.8/policy/modules/system/init.fc 2010-07-26 16:50:56.000000000 -0400
|
||||
@@ -24,7 +24,13 @@
|
||||
#
|
||||
# /sbin
|
||||
#
|
||||
@ -26313,9 +26371,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
|
||||
+# /sbin
|
||||
+#
|
||||
/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
|
||||
+/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
|
||||
|
||||
ifdef(`distro_gentoo', `
|
||||
@@ -44,6 +49,9 @@
|
||||
/sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
|
||||
@@ -44,6 +50,9 @@
|
||||
|
||||
/usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0)
|
||||
/usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
|
||||
@ -26693,7 +26753,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.8.8/policy/modules/system/init.te
|
||||
--- nsaserefpolicy/policy/modules/system/init.te 2010-07-14 11:21:53.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/system/init.te 2010-07-26 14:00:27.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/system/init.te 2010-07-26 16:44:55.000000000 -0400
|
||||
@@ -16,6 +16,27 @@
|
||||
## </desc>
|
||||
gen_tunable(init_upstart, false)
|
||||
@ -26805,7 +26865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
||||
corecmd_shell_domtrans(init_t, initrc_t)
|
||||
',`
|
||||
# Run the shell in the sysadm role for single-user mode.
|
||||
@@ -185,15 +216,64 @@
|
||||
@@ -185,15 +216,65 @@
|
||||
sysadm_shell_domtrans(init_t)
|
||||
')
|
||||
|
||||
@ -26826,6 +26886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
||||
+ dev_write_kmsg(init_t)
|
||||
+ dev_rw_autofs(init_t)
|
||||
+ dev_manage_generic_dirs(init_t)
|
||||
+ dev_read_generic_chr_files(init_t)
|
||||
+
|
||||
+ files_mounton_all_mountpoints(init_t)
|
||||
+ files_manage_all_pids_dirs(init_t)
|
||||
@ -26870,7 +26931,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
||||
nscd_socket_use(init_t)
|
||||
')
|
||||
|
||||
@@ -211,7 +291,7 @@
|
||||
@@ -211,7 +292,7 @@
|
||||
#
|
||||
|
||||
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
|
||||
@ -26879,7 +26940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
||||
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
|
||||
allow initrc_t self:passwd rootok;
|
||||
allow initrc_t self:key manage_key_perms;
|
||||
@@ -240,6 +320,7 @@
|
||||
@@ -240,6 +321,7 @@
|
||||
|
||||
allow initrc_t initrc_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
|
||||
@ -26887,7 +26948,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
||||
|
||||
can_exec(initrc_t, initrc_tmp_t)
|
||||
manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
|
||||
@@ -257,11 +338,22 @@
|
||||
@@ -257,11 +339,22 @@
|
||||
kernel_clear_ring_buffer(initrc_t)
|
||||
kernel_get_sysvipc_info(initrc_t)
|
||||
kernel_read_all_sysctls(initrc_t)
|
||||
@ -26910,7 +26971,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
||||
|
||||
corecmd_exec_all_executables(initrc_t)
|
||||
|
||||
@@ -297,11 +389,13 @@
|
||||
@@ -297,11 +390,13 @@
|
||||
dev_delete_generic_symlinks(initrc_t)
|
||||
dev_getattr_all_blk_files(initrc_t)
|
||||
dev_getattr_all_chr_files(initrc_t)
|
||||
@ -26924,7 +26985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
||||
domain_sigchld_all_domains(initrc_t)
|
||||
domain_read_all_domains_state(initrc_t)
|
||||
domain_getattr_all_domains(initrc_t)
|
||||
@@ -320,8 +414,10 @@
|
||||
@@ -320,8 +415,10 @@
|
||||
files_getattr_all_pipes(initrc_t)
|
||||
files_getattr_all_sockets(initrc_t)
|
||||
files_purge_tmp(initrc_t)
|
||||
@ -26936,7 +26997,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
||||
files_delete_all_pids(initrc_t)
|
||||
files_delete_all_pid_dirs(initrc_t)
|
||||
files_read_etc_files(initrc_t)
|
||||
@@ -337,6 +433,8 @@
|
||||
@@ -337,6 +434,8 @@
|
||||
files_mounton_isid_type_dirs(initrc_t)
|
||||
files_list_default(initrc_t)
|
||||
files_mounton_default(initrc_t)
|
||||
@ -26945,7 +27006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
||||
|
||||
fs_delete_cgroup_dirs(initrc_t)
|
||||
fs_list_cgroup_dirs(initrc_t)
|
||||
@@ -350,6 +448,8 @@
|
||||
@@ -350,6 +449,8 @@
|
||||
fs_unmount_all_fs(initrc_t)
|
||||
fs_remount_all_fs(initrc_t)
|
||||
fs_getattr_all_fs(initrc_t)
|
||||
@ -26954,7 +27015,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
||||
|
||||
# initrc_t needs to do a pidof which requires ptrace
|
||||
mcs_ptrace_all(initrc_t)
|
||||
@@ -362,6 +462,7 @@
|
||||
@@ -362,6 +463,7 @@
|
||||
mls_process_write_down(initrc_t)
|
||||
mls_rangetrans_source(initrc_t)
|
||||
mls_fd_share_all_levels(initrc_t)
|
||||
@ -26962,7 +27023,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
||||
|
||||
selinux_get_enforce_mode(initrc_t)
|
||||
|
||||
@@ -393,13 +494,14 @@
|
||||
@@ -393,13 +495,14 @@
|
||||
|
||||
miscfiles_read_localization(initrc_t)
|
||||
# slapd needs to read cert files from its initscript
|
||||
@ -26978,7 +27039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
||||
userdom_read_user_home_content_files(initrc_t)
|
||||
# Allow access to the sysadm TTYs. Note that this will give access to the
|
||||
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
|
||||
@@ -472,7 +574,7 @@
|
||||
@@ -472,7 +575,7 @@
|
||||
|
||||
# Red Hat systems seem to have a stray
|
||||
# fd open from the initrd
|
||||
@ -26987,7 +27048,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
||||
files_dontaudit_read_root_files(initrc_t)
|
||||
|
||||
# These seem to be from the initrd
|
||||
@@ -518,6 +620,19 @@
|
||||
@@ -518,6 +621,19 @@
|
||||
optional_policy(`
|
||||
bind_manage_config_dirs(initrc_t)
|
||||
bind_write_config(initrc_t)
|
||||
@ -27007,7 +27068,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -525,10 +640,17 @@
|
||||
@@ -525,10 +641,17 @@
|
||||
rpc_write_exports(initrc_t)
|
||||
rpc_manage_nfs_state_data(initrc_t)
|
||||
')
|
||||
@ -27025,7 +27086,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -543,6 +665,35 @@
|
||||
@@ -543,6 +666,35 @@
|
||||
')
|
||||
')
|
||||
|
||||
@ -27061,7 +27122,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
||||
optional_policy(`
|
||||
amavis_search_lib(initrc_t)
|
||||
amavis_setattr_pid_files(initrc_t)
|
||||
@@ -555,6 +706,8 @@
|
||||
@@ -555,6 +707,8 @@
|
||||
optional_policy(`
|
||||
apache_read_config(initrc_t)
|
||||
apache_list_modules(initrc_t)
|
||||
@ -27070,7 +27131,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -571,6 +724,7 @@
|
||||
@@ -571,6 +725,7 @@
|
||||
|
||||
optional_policy(`
|
||||
cgroup_stream_connect(initrc_t)
|
||||
@ -27078,7 +27139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -583,6 +737,11 @@
|
||||
@@ -583,6 +738,11 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -27090,7 +27151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
||||
dev_getattr_printer_dev(initrc_t)
|
||||
|
||||
cups_read_log(initrc_t)
|
||||
@@ -599,6 +758,7 @@
|
||||
@@ -599,6 +759,7 @@
|
||||
dbus_connect_system_bus(initrc_t)
|
||||
dbus_system_bus_client(initrc_t)
|
||||
dbus_read_config(initrc_t)
|
||||
@ -27098,7 +27159,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
||||
|
||||
optional_policy(`
|
||||
consolekit_dbus_chat(initrc_t)
|
||||
@@ -700,7 +860,12 @@
|
||||
@@ -700,7 +861,12 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -27111,7 +27172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
||||
mta_dontaudit_read_spool_symlinks(initrc_t)
|
||||
')
|
||||
|
||||
@@ -723,6 +888,10 @@
|
||||
@@ -723,6 +889,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -27122,7 +27183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
||||
postgresql_manage_db(initrc_t)
|
||||
postgresql_read_config(initrc_t)
|
||||
')
|
||||
@@ -765,8 +934,6 @@
|
||||
@@ -765,8 +935,6 @@
|
||||
# bash tries ioctl for some reason
|
||||
files_dontaudit_ioctl_all_pids(initrc_t)
|
||||
|
||||
@ -27131,7 +27192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -779,10 +946,12 @@
|
||||
@@ -779,10 +947,12 @@
|
||||
squid_manage_logs(initrc_t)
|
||||
')
|
||||
|
||||
@ -27144,7 +27205,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
||||
|
||||
optional_policy(`
|
||||
ssh_dontaudit_read_server_keys(initrc_t)
|
||||
@@ -804,11 +973,19 @@
|
||||
@@ -804,11 +974,19 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -27165,7 +27226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
# system-config-services causes avc messages that should be dontaudited
|
||||
@@ -818,6 +995,25 @@
|
||||
@@ -818,6 +996,25 @@
|
||||
optional_policy(`
|
||||
mono_domtrans(initrc_t)
|
||||
')
|
||||
@ -27191,7 +27252,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -843,3 +1039,55 @@
|
||||
@@ -843,3 +1040,55 @@
|
||||
optional_policy(`
|
||||
zebra_read_config(initrc_t)
|
||||
')
|
||||
|
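Review bot: In the mta_sendmail_domtrans hunk of services/mta.if (`@ -17412,11 +17447,13 @@`), replacing `domain_auto_trans($1, sendmail_exec_t, $2)` with `domtrans_pattern($1, mta_exec_type, $2)` widens the transition from a single executable type to every type carrying the mta_exec_type attribute, so any binary labelled with one of those types becomes a valid entrypoint into `$2` and executing it from `$1` auto-transitions — while the interface name and its summary (which start outside the hunk) still describe sendmail only, and nothing in the patch records the broadening. The added `allow $2 mta_exec_type:file entrypoint;` also looks redundant: if domtrans_pattern expands to refpolicy's domain_auto_transition_pattern, that rule is already part of its expansion, so the explicit line can be dropped. I would put the widening on record directly above the call, e.g. `# Transition on every mta_exec_type (not only sendmail_exec_t): any binary labelled with that attribute is an entrypoint into $2, so keep the attribute's membership tight.` The interface's `<summary>` and the `gen_require` block open outside the hunk, so the matching doc update belongs there.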
@ -20,7 +20,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.8.8
|
||||
Release: 5%{?dist}
|
||||
Release: 6%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -469,6 +469,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Jul 26 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-6
|
||||
- New paths for upstart
|
||||
|
||||
* Mon Jul 26 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-5
|
||||
- New permissions for syslog
|
||||
- New labels for /lib/upstart
|
||||
|