- Add policy for /var/lib/fprint
This commit is contained in:
Daniel J Walsh
parent
8a0604e919
commit
a2098a521f
@ -475,7 +475,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/usr/sbin/mcelog -- gen_context(system_u:object_r:dmesg_exec_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.6.12/policy/modules/admin/dmesg.te
|
||||
--- nsaserefpolicy/policy/modules/admin/dmesg.te 2009-01-05 15:39:44.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/admin/dmesg.te 2009-04-23 09:44:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/admin/dmesg.te 2009-05-07 14:53:23.000000000 -0400
|
||||
@@ -9,6 +9,7 @@
|
||||
type dmesg_t;
|
||||
type dmesg_exec_t;
|
||||
@ -484,7 +484,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -20,12 +21,14 @@
|
||||
@@ -20,12 +21,16 @@
|
||||
|
||||
allow dmesg_t self:process signal_perms;
|
||||
|
||||
@ -496,10 +496,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
kernel_list_proc(dmesg_t)
|
||||
kernel_read_proc_symlinks(dmesg_t)
|
||||
+dev_read_kmsg(dmesg_t)
|
||||
+
|
||||
+mls_process_read_all_levels(dmesg_t)
|
||||
|
||||
dev_read_sysfs(dmesg_t)
|
||||
|
||||
@@ -35,7 +38,7 @@
|
||||
@@ -35,7 +40,7 @@
|
||||
|
||||
domain_use_interactive_fds(dmesg_t)
|
||||
|
||||
@ -1246,7 +1248,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.12/policy/modules/admin/rpm.te
|
||||
--- nsaserefpolicy/policy/modules/admin/rpm.te 2009-01-19 11:07:34.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/admin/rpm.te 2009-04-23 09:44:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/admin/rpm.te 2009-05-07 14:59:51.000000000 -0400
|
||||
@@ -9,6 +9,8 @@
|
||||
type rpm_t;
|
||||
type rpm_exec_t;
|
||||
@ -1293,20 +1295,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
allow rpm_t rpm_log_t:file manage_file_perms;
|
||||
logging_log_filetrans(rpm_t, rpm_log_t, file)
|
||||
@@ -87,8 +96,12 @@
|
||||
@@ -87,8 +96,13 @@
|
||||
manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
|
||||
files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
|
||||
|
||||
+manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
|
||||
+files_pid_filetrans(rpm_t, rpm_var_run_t, file)
|
||||
+
|
||||
+kernel_read_network_state(rpm_t)
|
||||
kernel_read_system_state(rpm_t)
|
||||
kernel_read_kernel_sysctls(rpm_t)
|
||||
+kernel_read_network_state_symlinks(rpm_t)
|
||||
|
||||
corecmd_exec_all_executables(rpm_t)
|
||||
|
||||
@@ -108,13 +121,16 @@
|
||||
@@ -108,13 +122,16 @@
|
||||
dev_list_sysfs(rpm_t)
|
||||
dev_list_usbfs(rpm_t)
|
||||
dev_read_urand(rpm_t)
|
||||
@ -1323,7 +1326,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
mls_file_read_all_levels(rpm_t)
|
||||
mls_file_write_all_levels(rpm_t)
|
||||
@@ -132,6 +148,8 @@
|
||||
@@ -132,6 +149,8 @@
|
||||
# for installing kernel packages
|
||||
storage_raw_read_fixed_disk(rpm_t)
|
||||
|
||||
@ -1332,7 +1335,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
auth_relabel_all_files_except_shadow(rpm_t)
|
||||
auth_manage_all_files_except_shadow(rpm_t)
|
||||
auth_dontaudit_read_shadow(rpm_t)
|
||||
@@ -155,6 +173,7 @@
|
||||
@@ -155,6 +174,7 @@
|
||||
files_exec_etc_files(rpm_t)
|
||||
|
||||
init_domtrans_script(rpm_t)
|
||||
@ -1340,7 +1343,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
libs_exec_ld_so(rpm_t)
|
||||
libs_exec_lib_files(rpm_t)
|
||||
@@ -174,17 +193,28 @@
|
||||
@@ -174,17 +194,28 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -1370,7 +1373,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
@@ -210,8 +240,8 @@
|
||||
@@ -210,8 +241,8 @@
|
||||
# rpm-script Local policy
|
||||
#
|
||||
|
||||
@ -1381,7 +1384,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow rpm_script_t self:fd use;
|
||||
allow rpm_script_t self:fifo_file rw_fifo_file_perms;
|
||||
allow rpm_script_t self:unix_dgram_socket create_socket_perms;
|
||||
@@ -222,12 +252,15 @@
|
||||
@@ -222,12 +253,15 @@
|
||||
allow rpm_script_t self:sem create_sem_perms;
|
||||
allow rpm_script_t self:msgq create_msgq_perms;
|
||||
allow rpm_script_t self:msg { send receive };
|
||||
@ -1397,7 +1400,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
|
||||
|
||||
manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
|
||||
@@ -239,6 +272,9 @@
|
||||
@@ -239,6 +273,9 @@
|
||||
|
||||
kernel_read_kernel_sysctls(rpm_script_t)
|
||||
kernel_read_system_state(rpm_script_t)
|
||||
@ -1407,7 +1410,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
dev_list_sysfs(rpm_script_t)
|
||||
|
||||
@@ -255,6 +291,7 @@
|
||||
@@ -255,6 +292,7 @@
|
||||
fs_mount_xattr_fs(rpm_script_t)
|
||||
fs_unmount_xattr_fs(rpm_script_t)
|
||||
fs_search_auto_mountpoints(rpm_script_t)
|
||||
@ -1415,7 +1418,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
mcs_killall(rpm_script_t)
|
||||
mcs_ptrace_all(rpm_script_t)
|
||||
@@ -272,14 +309,19 @@
|
||||
@@ -272,14 +310,19 @@
|
||||
storage_raw_read_fixed_disk(rpm_script_t)
|
||||
storage_raw_write_fixed_disk(rpm_script_t)
|
||||
|
||||
@ -1435,7 +1438,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
domain_read_all_domains_state(rpm_script_t)
|
||||
domain_getattr_all_domains(rpm_script_t)
|
||||
@@ -291,6 +333,7 @@
|
||||
@@ -291,6 +334,7 @@
|
||||
files_exec_etc_files(rpm_script_t)
|
||||
files_read_etc_runtime_files(rpm_script_t)
|
||||
files_exec_usr_files(rpm_script_t)
|
||||
@ -1443,7 +1446,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
init_domtrans_script(rpm_script_t)
|
||||
|
||||
@@ -308,12 +351,15 @@
|
||||
@@ -308,12 +352,15 @@
|
||||
seutil_domtrans_loadpolicy(rpm_script_t)
|
||||
seutil_domtrans_setfiles(rpm_script_t)
|
||||
seutil_domtrans_semanage(rpm_script_t)
|
||||
@ -1459,7 +1462,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -326,13 +372,18 @@
|
||||
@@ -326,13 +373,18 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -4490,10 +4493,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+permissive sambagui_t;
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.6.12/policy/modules/apps/screen.fc
|
||||
--- nsaserefpolicy/policy/modules/apps/screen.fc 2008-11-11 16:13:42.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/apps/screen.fc 2009-05-02 07:46:25.000000000 -0400
|
||||
@@ -13,3 +13,4 @@
|
||||
+++ serefpolicy-3.6.12/policy/modules/apps/screen.fc 2009-05-07 10:29:37.000000000 -0400
|
||||
@@ -11,5 +11,5 @@
|
||||
#
|
||||
/var/run/screens?/S-[^/]+ -d gen_context(system_u:object_r:screen_dir_t,s0)
|
||||
# /var
|
||||
#
|
||||
-/var/run/screens?/S-[^/]+ -d gen_context(system_u:object_r:screen_dir_t,s0)
|
||||
/var/run/screens?/S-[^/]+/.* <<none>>
|
||||
+/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.12/policy/modules/apps/screen.if
|
||||
@ -4524,6 +4529,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ manage_lnk_files_pattern($1,screen_var_run_t,screen_var_run_t)
|
||||
+ manage_fifo_files_pattern($1,screen_var_run_t,screen_var_run_t)
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.te serefpolicy-3.6.12/policy/modules/apps/screen.te
|
||||
--- nsaserefpolicy/policy/modules/apps/screen.te 2009-01-19 11:03:28.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/apps/screen.te 2009-05-07 10:30:00.000000000 -0400
|
||||
@@ -6,9 +6,6 @@
|
||||
# Declarations
|
||||
#
|
||||
|
||||
-type screen_dir_t;
|
||||
-files_pid_file(screen_dir_t)
|
||||
-
|
||||
type screen_exec_t;
|
||||
application_executable_file(screen_exec_t)
|
||||
|
||||
@@ -24,7 +21,7 @@
|
||||
ubac_constrained(screen_tmp_t)
|
||||
|
||||
type screen_var_run_t;
|
||||
-typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t };
|
||||
+typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t screen_dir_t };
|
||||
typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t };
|
||||
files_pid_file(screen_var_run_t)
|
||||
ubac_constrained(screen_var_run_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.te serefpolicy-3.6.12/policy/modules/apps/uml.te
|
||||
--- nsaserefpolicy/policy/modules/apps/uml.te 2009-01-19 11:03:28.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/apps/uml.te 2009-04-28 11:42:33.000000000 -0400
|
||||
@ -4897,7 +4924,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+corecmd_executable_file(wm_exec_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc
|
||||
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-03-05 10:34:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc 2009-05-05 18:05:12.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc 2009-05-07 15:02:13.000000000 -0400
|
||||
@@ -32,6 +32,8 @@
|
||||
#
|
||||
# /etc
|
||||
@ -4917,15 +4944,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
#
|
||||
# /usr
|
||||
#
|
||||
@@ -210,6 +215,7 @@
|
||||
@@ -209,7 +214,10 @@
|
||||
/usr/share/mc/extfs/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/Modules/init(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
+/usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
||||
+/usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
|
||||
+/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -299,3 +305,20 @@
|
||||
@@ -299,3 +307,20 @@
|
||||
ifdef(`distro_suse',`
|
||||
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
|
||||
')
|
||||
@ -5211,7 +5241,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
type urandom_device_t;
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.12/policy/modules/kernel/domain.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/domain.if 2009-01-05 15:39:38.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/kernel/domain.if 2009-04-23 09:44:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/kernel/domain.if 2009-05-07 10:28:45.000000000 -0400
|
||||
@@ -1,4 +1,4 @@
|
||||
-## <summary>Core policy for domains.</summary>
|
||||
+# <summary>Core policy for domains.</summary>
|
||||
## <required val="true">
|
||||
## Contains the concept of a domain.
|
||||
## </required>
|
||||
@@ -525,7 +525,7 @@
|
||||
')
|
||||
|
||||
@ -5447,7 +5483,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-04-30 14:18:05.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-05-07 10:31:31.000000000 -0400
|
||||
@@ -110,6 +110,11 @@
|
||||
## </param>
|
||||
#
|
||||
@ -5599,7 +5635,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Do not audit attempts to search directories on new filesystems
|
||||
## that have not yet been labeled.
|
||||
## </summary>
|
||||
@@ -3390,6 +3495,24 @@
|
||||
@@ -2820,6 +2925,7 @@
|
||||
')
|
||||
|
||||
allow $1 modules_object_t:dir search_dir_perms;
|
||||
+ read_link_file_pattern($1, modules_object_t, modules_object_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -3390,6 +3496,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -5624,7 +5668,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Read all tmp files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -3456,6 +3579,8 @@
|
||||
@@ -3456,6 +3580,8 @@
|
||||
delete_lnk_files_pattern($1, tmpfile, tmpfile)
|
||||
delete_fifo_files_pattern($1, tmpfile, tmpfile)
|
||||
delete_sock_files_pattern($1, tmpfile, tmpfile)
|
||||
@ -5633,7 +5677,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -3546,7 +3671,7 @@
|
||||
@@ -3546,7 +3672,7 @@
|
||||
type usr_t;
|
||||
')
|
||||
|
||||
@ -5642,7 +5686,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -3564,7 +3689,12 @@
|
||||
@@ -3564,7 +3690,12 @@
|
||||
type usr_t;
|
||||
')
|
||||
|
||||
@ -5656,7 +5700,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4413,6 +4543,28 @@
|
||||
@@ -4413,6 +4544,28 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -5685,7 +5729,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Create an object in the locks directory, with a private
|
||||
## type using a type transition.
|
||||
## </summary>
|
||||
@@ -4532,7 +4684,8 @@
|
||||
@@ -4532,7 +4685,8 @@
|
||||
type var_t, var_run_t;
|
||||
')
|
||||
|
||||
@ -5695,7 +5739,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4873,7 +5026,7 @@
|
||||
@@ -4873,7 +5027,7 @@
|
||||
selinux_compute_member($1)
|
||||
|
||||
# Need sys_admin capability for mounting
|
||||
@ -5704,7 +5748,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# Need to give access to the directories to be polyinstantiated
|
||||
allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
|
||||
@@ -4895,12 +5048,15 @@
|
||||
@@ -4895,12 +5049,15 @@
|
||||
allow $1 poly_t:dir { create mounton };
|
||||
fs_unmount_xattr_fs($1)
|
||||
|
||||
@ -5721,7 +5765,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -4921,3 +5077,114 @@
|
||||
@@ -4921,3 +5078,114 @@
|
||||
|
||||
typeattribute $1 files_unconfined_type;
|
||||
')
|
||||
@ -6257,6 +6301,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ fs_type($1)
|
||||
+ mls_trusted_object($1)
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.6.12/policy/modules/kernel/storage.fc
|
||||
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2009-03-05 12:28:57.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/kernel/storage.fc 2009-05-07 14:55:19.000000000 -0400
|
||||
@@ -57,7 +57,7 @@
|
||||
|
||||
/dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
|
||||
-/dev/fuse -c gen_context(system_u:object_r:fuse_device_t,mls_systemhigh)
|
||||
+/dev/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
|
||||
/dev/floppy/[^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
|
||||
/dev/i2o/hd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.6.12/policy/modules/kernel/terminal.fc
|
||||
--- nsaserefpolicy/policy/modules/kernel/terminal.fc 2008-08-07 11:15:01.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/kernel/terminal.fc 2009-04-23 09:44:57.000000000 -0400
|
||||
@ -9661,6 +9717,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
|
||||
+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.6.12/policy/modules/services/apm.te
|
||||
--- nsaserefpolicy/policy/modules/services/apm.te 2009-02-16 08:44:12.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/apm.te 2009-05-07 14:35:37.000000000 -0400
|
||||
@@ -123,6 +123,7 @@
|
||||
libs_exec_lib_files(apmd_t)
|
||||
|
||||
logging_send_syslog_msg(apmd_t)
|
||||
+logging_send_audit_msgs(apmd_t)
|
||||
|
||||
miscfiles_read_localization(apmd_t)
|
||||
miscfiles_read_hwdata(apmd_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audioentropy.te serefpolicy-3.6.12/policy/modules/services/audioentropy.te
|
||||
--- nsaserefpolicy/policy/modules/services/audioentropy.te 2009-01-05 15:39:43.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/audioentropy.te 2009-04-23 09:44:57.000000000 -0400
|
||||
@ -10598,7 +10665,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.12/policy/modules/services/cron.fc
|
||||
--- nsaserefpolicy/policy/modules/services/cron.fc 2008-11-11 16:13:46.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/cron.fc 2009-04-23 09:44:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/cron.fc 2009-05-07 15:06:38.000000000 -0400
|
||||
@@ -1,3 +1,4 @@
|
||||
+/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
|
||||
|
||||
@ -10617,7 +10684,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
|
||||
#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
|
||||
@@ -41,7 +42,11 @@
|
||||
@@ -41,7 +42,12 @@
|
||||
#/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
|
||||
|
||||
/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0)
|
||||
@ -10630,6 +10697,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
|
||||
+
|
||||
+/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
|
||||
+/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.12/policy/modules/services/cron.if
|
||||
--- nsaserefpolicy/policy/modules/services/cron.if 2008-11-11 16:13:47.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/cron.if 2009-04-23 09:44:57.000000000 -0400
|
||||
@ -10940,7 +11008,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.12/policy/modules/services/cron.te
|
||||
--- nsaserefpolicy/policy/modules/services/cron.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/cron.te 2009-04-23 09:44:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/cron.te 2009-05-07 15:05:29.000000000 -0400
|
||||
@@ -38,6 +38,10 @@
|
||||
type cron_var_lib_t;
|
||||
files_type(cron_var_lib_t)
|
||||
@ -10974,7 +11042,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
type system_cron_spool_t, cron_spool_type;
|
||||
files_type(system_cron_spool_t)
|
||||
@@ -98,11 +108,18 @@
|
||||
@@ -82,6 +92,7 @@
|
||||
init_daemon_domain(system_cronjob_t, anacron_exec_t)
|
||||
corecmd_shell_entry_type(system_cronjob_t)
|
||||
role system_r types system_cronjob_t;
|
||||
+domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
|
||||
|
||||
type system_cronjob_lock_t alias system_crond_lock_t;
|
||||
files_lock_file(system_cronjob_lock_t)
|
||||
@@ -98,11 +109,18 @@
|
||||
|
||||
# Type of user crontabs once moved to cron spool.
|
||||
type user_cron_spool_t, cron_spool_type;
|
||||
@ -10994,7 +11070,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
########################################
|
||||
#
|
||||
# Admin crontab local policy
|
||||
@@ -130,7 +147,7 @@
|
||||
@@ -130,7 +148,7 @@
|
||||
# Cron daemon local policy
|
||||
#
|
||||
|
||||
@ -11003,11 +11079,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dontaudit crond_t self:capability { sys_resource sys_tty_config };
|
||||
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow crond_t self:process { setexec setfscreate };
|
||||
@@ -146,20 +163,20 @@
|
||||
@@ -146,20 +164,23 @@
|
||||
allow crond_t self:msg { send receive };
|
||||
allow crond_t self:key { search write link };
|
||||
|
||||
-allow crond_t crond_var_run_t:file manage_file_perms;
|
||||
+manage_files_pattern(crond_t, cron_log_t, cron_log_t)
|
||||
+logging_log_filetrans(crond_t, cron_log_t, file)
|
||||
+
|
||||
+manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
|
||||
files_pid_filetrans(crond_t,crond_var_run_t,file)
|
||||
|
||||
@ -11029,7 +11108,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
kernel_search_key(crond_t)
|
||||
|
||||
dev_read_sysfs(crond_t)
|
||||
@@ -174,6 +191,7 @@
|
||||
@@ -174,6 +195,7 @@
|
||||
|
||||
fs_getattr_all_fs(crond_t)
|
||||
fs_search_auto_mountpoints(crond_t)
|
||||
@ -11037,7 +11116,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# need auth_chkpwd to check for locked accounts.
|
||||
auth_domtrans_chk_passwd(crond_t)
|
||||
@@ -183,7 +201,11 @@
|
||||
@@ -183,7 +205,11 @@
|
||||
corecmd_read_bin_symlinks(crond_t)
|
||||
|
||||
domain_use_interactive_fds(crond_t)
|
||||
@ -11049,7 +11128,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
files_read_etc_files(crond_t)
|
||||
files_read_generic_spool(crond_t)
|
||||
files_list_usr(crond_t)
|
||||
@@ -192,10 +214,15 @@
|
||||
@@ -192,10 +218,15 @@
|
||||
files_search_default(crond_t)
|
||||
|
||||
init_rw_utmp(crond_t)
|
||||
@ -11065,7 +11144,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
seutil_read_config(crond_t)
|
||||
seutil_read_default_contexts(crond_t)
|
||||
@@ -208,6 +235,7 @@
|
||||
@@ -208,6 +239,7 @@
|
||||
userdom_list_user_home_dirs(crond_t)
|
||||
|
||||
mta_send_mail(crond_t)
|
||||
@ -11073,7 +11152,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
# pam_limits is used
|
||||
@@ -227,21 +255,44 @@
|
||||
@@ -227,21 +259,45 @@
|
||||
')
|
||||
')
|
||||
|
||||
@ -11092,6 +11171,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
+optional_policy(`
|
||||
+ # these should probably be unconfined_crond_t
|
||||
+ dbus_system_bus_client(crond_t)
|
||||
+ init_dbus_send_script(crond_t)
|
||||
+')
|
||||
+
|
||||
@ -11119,7 +11199,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -268,8 +319,8 @@
|
||||
@@ -268,8 +324,8 @@
|
||||
# System cron process domain
|
||||
#
|
||||
|
||||
@ -11130,7 +11210,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
|
||||
allow system_cronjob_t self:passwd rootok;
|
||||
|
||||
@@ -283,7 +334,14 @@
|
||||
@@ -283,7 +339,14 @@
|
||||
allow system_cronjob_t cron_var_lib_t:file manage_file_perms;
|
||||
files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
|
||||
|
||||
@ -11145,7 +11225,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# The entrypoint interface is not used as this is not
|
||||
# a regular entrypoint. Since crontab files are
|
||||
# not directly executed, crond must ensure that
|
||||
@@ -303,6 +361,7 @@
|
||||
@@ -303,6 +366,7 @@
|
||||
allow system_cronjob_t crond_t:fd use;
|
||||
allow system_cronjob_t crond_t:fifo_file rw_file_perms;
|
||||
allow system_cronjob_t crond_t:process sigchld;
|
||||
@ -11153,7 +11233,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# Write /var/lock/makewhatis.lock.
|
||||
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
|
||||
@@ -314,9 +373,13 @@
|
||||
@@ -314,9 +378,13 @@
|
||||
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
|
||||
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
|
||||
|
||||
@ -11168,7 +11248,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
kernel_read_kernel_sysctls(system_cronjob_t)
|
||||
kernel_read_system_state(system_cronjob_t)
|
||||
@@ -345,6 +408,7 @@
|
||||
@@ -345,6 +413,7 @@
|
||||
fs_getattr_all_symlinks(system_cronjob_t)
|
||||
fs_getattr_all_pipes(system_cronjob_t)
|
||||
fs_getattr_all_sockets(system_cronjob_t)
|
||||
@ -11176,7 +11256,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# quiet other ps operations
|
||||
domain_dontaudit_read_all_domains_state(system_cronjob_t)
|
||||
@@ -370,7 +434,8 @@
|
||||
@@ -370,7 +439,8 @@
|
||||
init_read_utmp(system_cronjob_t)
|
||||
init_dontaudit_rw_utmp(system_cronjob_t)
|
||||
# prelink tells init to restart it self, we either need to allow or dontaudit
|
||||
@ -11186,7 +11266,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
auth_use_nsswitch(system_cronjob_t)
|
||||
|
||||
@@ -378,6 +443,7 @@
|
||||
@@ -378,6 +448,7 @@
|
||||
libs_exec_ld_so(system_cronjob_t)
|
||||
|
||||
logging_read_generic_logs(system_cronjob_t)
|
||||
@ -11194,7 +11274,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
logging_send_syslog_msg(system_cronjob_t)
|
||||
|
||||
miscfiles_read_localization(system_cronjob_t)
|
||||
@@ -418,6 +484,10 @@
|
||||
@@ -418,6 +489,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -11205,7 +11285,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
ftp_read_log(system_cronjob_t)
|
||||
')
|
||||
|
||||
@@ -428,11 +498,20 @@
|
||||
@@ -428,11 +503,20 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -11226,7 +11306,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -447,6 +526,7 @@
|
||||
@@ -447,6 +531,7 @@
|
||||
prelink_read_cache(system_cronjob_t)
|
||||
prelink_manage_log(system_cronjob_t)
|
||||
prelink_delete_cache(system_cronjob_t)
|
||||
@ -11234,7 +11314,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -460,8 +540,7 @@
|
||||
@@ -460,8 +545,7 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -11244,7 +11324,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -469,24 +548,17 @@
|
||||
@@ -469,24 +553,17 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -11272,7 +11352,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow cronjob_t self:process { signal_perms setsched };
|
||||
allow cronjob_t self:fifo_file rw_fifo_file_perms;
|
||||
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
|
||||
@@ -570,6 +642,9 @@
|
||||
@@ -570,6 +647,9 @@
|
||||
userdom_manage_user_home_content_sockets(cronjob_t)
|
||||
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
|
||||
|
||||
@ -13501,14 +13581,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
files_pid_file(fetchmail_var_run_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.fc serefpolicy-3.6.12/policy/modules/services/fprintd.fc
|
||||
--- nsaserefpolicy/policy/modules/services/fprintd.fc 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/fprintd.fc 2009-04-28 15:26:41.000000000 -0400
|
||||
@@ -0,0 +1,2 @@
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/fprintd.fc 2009-05-07 10:07:34.000000000 -0400
|
||||
@@ -0,0 +1,4 @@
|
||||
+
|
||||
+/usr/libexec/fprintd -- gen_context(system_u:object_r:fprintd_exec_t,s0)
|
||||
+
|
||||
+/var/lib/fprint gen_context(system_u:object_r:fprintd_var_lib_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.if serefpolicy-3.6.12/policy/modules/services/fprintd.if
|
||||
--- nsaserefpolicy/policy/modules/services/fprintd.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/fprintd.if 2009-05-01 09:45:48.000000000 -0400
|
||||
@@ -0,0 +1,42 @@
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/fprintd.if 2009-05-07 10:09:49.000000000 -0400
|
||||
@@ -0,0 +1,43 @@
|
||||
+
|
||||
+## <summary>policy for fprintd</summary>
|
||||
+
|
||||
@ -13551,10 +13633,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ allow $1 fprintd_t:dbus send_msg;
|
||||
+ allow fprintd_t $1:dbus send_msg;
|
||||
+')
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.12/policy/modules/services/fprintd.te
|
||||
--- nsaserefpolicy/policy/modules/services/fprintd.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/fprintd.te 2009-04-29 10:10:42.000000000 -0400
|
||||
@@ -0,0 +1,41 @@
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/fprintd.te 2009-05-07 10:09:32.000000000 -0400
|
||||
@@ -0,0 +1,48 @@
|
||||
+policy_module(fprintd,1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -13566,9 +13649,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+type fprintd_exec_t;
|
||||
+dbus_system_domain(fprintd_t, fprintd_exec_t)
|
||||
+
|
||||
+type fprintd_var_lib_t;
|
||||
+files_type(fprintd_var_lib_t)
|
||||
+
|
||||
+allow fprintd_t self:fifo_file rw_fifo_file_perms;
|
||||
+allow fprintd_t self:process { getsched signal };
|
||||
+
|
||||
+manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
|
||||
+manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
|
||||
+files_var_lib_filetrans(fprintd_t, fprintd_var_lib_t, { dir file })
|
||||
+
|
||||
+corecmd_search_bin(fprintd_t)
|
||||
+
|
||||
+dev_rw_generic_usb_dev(fprintd_t)
|
||||
@ -15270,7 +15360,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/root/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.12/policy/modules/services/mta.if
|
||||
--- nsaserefpolicy/policy/modules/services/mta.if 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/mta.if 2009-04-30 08:19:03.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/mta.if 2009-05-07 14:39:20.000000000 -0400
|
||||
@@ -130,6 +130,15 @@
|
||||
sendmail_create_log($1_mail_t)
|
||||
')
|
||||
@ -15309,7 +15399,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -591,8 +603,8 @@
|
||||
@@ -446,6 +458,25 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## write mail server configuration.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`mta_write_config',`
|
||||
+ gen_require(`
|
||||
+ type etc_mail_t;
|
||||
+ ')
|
||||
+
|
||||
+ write_files_pattern($1, etc_mail_t, etc_mail_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Read mail address aliases.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -591,8 +622,8 @@
|
||||
|
||||
files_search_spool($1)
|
||||
allow $1 mail_spool_t:dir list_dir_perms;
|
||||
@ -15320,7 +15436,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -612,7 +624,7 @@
|
||||
@@ -612,7 +643,7 @@
|
||||
')
|
||||
|
||||
files_dontaudit_search_spool($1)
|
||||
@ -15329,7 +15445,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dontaudit $1 mail_spool_t:lnk_file read;
|
||||
dontaudit $1 mail_spool_t:file getattr;
|
||||
')
|
||||
@@ -665,7 +677,7 @@
|
||||
@@ -665,7 +696,7 @@
|
||||
files_search_spool($1)
|
||||
allow $1 mail_spool_t:dir list_dir_perms;
|
||||
allow $1 mail_spool_t:file setattr;
|
||||
@ -15338,7 +15454,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
|
||||
')
|
||||
|
||||
@@ -806,6 +818,7 @@
|
||||
@@ -806,6 +837,7 @@
|
||||
')
|
||||
|
||||
files_search_spool($1)
|
||||
@ -24189,7 +24305,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te
|
||||
--- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-05-05 16:45:39.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-05-07 13:00:34.000000000 -0400
|
||||
@@ -8,19 +8,31 @@
|
||||
|
||||
## <desc>
|
||||
@ -24283,20 +24399,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
||||
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
||||
|
||||
@@ -67,7 +106,11 @@
|
||||
@@ -67,7 +106,12 @@
|
||||
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
||||
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
|
||||
|
||||
-manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
|
||||
+virtual_manage_image(virtd_t)
|
||||
+virtual_image_relabel(virtd_t)
|
||||
+virtual_read_all_domains_state(virtd_t)
|
||||
+
|
||||
+manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
|
||||
+manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
|
||||
|
||||
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
|
||||
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
|
||||
@@ -86,6 +129,7 @@
|
||||
@@ -86,6 +130,7 @@
|
||||
kernel_read_network_state(virtd_t)
|
||||
kernel_rw_net_sysctls(virtd_t)
|
||||
kernel_load_module(virtd_t)
|
||||
@ -24304,7 +24421,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
corecmd_exec_bin(virtd_t)
|
||||
corecmd_exec_shell(virtd_t)
|
||||
@@ -96,7 +140,7 @@
|
||||
@@ -96,7 +141,7 @@
|
||||
corenet_tcp_sendrecv_generic_node(virtd_t)
|
||||
corenet_tcp_sendrecv_all_ports(virtd_t)
|
||||
corenet_tcp_bind_generic_node(virtd_t)
|
||||
@ -24313,7 +24430,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
corenet_tcp_bind_vnc_port(virtd_t)
|
||||
corenet_tcp_connect_vnc_port(virtd_t)
|
||||
corenet_tcp_connect_soundd_port(virtd_t)
|
||||
@@ -104,21 +148,39 @@
|
||||
@@ -104,21 +149,40 @@
|
||||
|
||||
dev_read_sysfs(virtd_t)
|
||||
dev_read_rand(virtd_t)
|
||||
@ -24325,6 +24442,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+domain_read_all_domains_state(virtd_t)
|
||||
+domain_obj_id_change_exemption(virtd_t)
|
||||
+domain_subj_id_change_exemption(virtd_t)
|
||||
+domain_read_all_domains_state(virtd_t)
|
||||
|
||||
files_read_usr_files(virtd_t)
|
||||
files_read_etc_files(virtd_t)
|
||||
@ -24354,7 +24472,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
term_getattr_pty_fs(virtd_t)
|
||||
term_use_ptmx(virtd_t)
|
||||
|
||||
@@ -129,6 +191,13 @@
|
||||
@@ -129,6 +193,13 @@
|
||||
|
||||
logging_send_syslog_msg(virtd_t)
|
||||
|
||||
@ -24368,7 +24486,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
userdom_read_all_users_state(virtd_t)
|
||||
|
||||
tunable_policy(`virt_use_nfs',`
|
||||
@@ -167,22 +236,34 @@
|
||||
@@ -167,22 +238,34 @@
|
||||
dnsmasq_domtrans(virtd_t)
|
||||
dnsmasq_signal(virtd_t)
|
||||
dnsmasq_kill(virtd_t)
|
||||
@ -24408,7 +24526,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -195,8 +276,88 @@
|
||||
@@ -195,8 +278,88 @@
|
||||
|
||||
xen_stream_connect(virtd_t)
|
||||
xen_stream_connect_xenstore(virtd_t)
|
||||
@ -24592,7 +24710,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.12/policy/modules/services/xserver.if
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.if 2009-01-05 15:39:43.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/xserver.if 2009-04-30 17:44:47.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/xserver.if 2009-05-07 14:58:55.000000000 -0400
|
||||
@@ -90,7 +90,7 @@
|
||||
allow $2 xauth_home_t:file manage_file_perms;
|
||||
allow $2 xauth_home_t:file { relabelfrom relabelto };
|
||||
@ -24732,7 +24850,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -738,6 +738,7 @@
|
||||
@@ -680,6 +680,7 @@
|
||||
|
||||
files_search_tmp($1)
|
||||
stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
|
||||
+ xserver_common_app($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -738,6 +739,7 @@
|
||||
files_search_tmp($1)
|
||||
allow $1 xdm_tmp_t:dir list_dir_perms;
|
||||
create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
|
||||
@ -24740,7 +24866,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -756,7 +757,26 @@
|
||||
@@ -756,7 +758,26 @@
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
@ -24768,7 +24894,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -779,6 +799,50 @@
|
||||
@@ -779,6 +800,50 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -24819,7 +24945,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Make an X session script an entrypoint for the specified domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -872,6 +936,27 @@
|
||||
@@ -872,6 +937,27 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -24847,7 +24973,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Do not audit attempts to write the X server
|
||||
## log files.
|
||||
## </summary>
|
||||
@@ -1018,10 +1103,11 @@
|
||||
@@ -1018,10 +1104,11 @@
|
||||
#
|
||||
interface(`xserver_domtrans',`
|
||||
gen_require(`
|
||||
@ -24860,7 +24986,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
domtrans_pattern($1, xserver_exec_t, xserver_t)
|
||||
')
|
||||
|
||||
@@ -1159,6 +1245,275 @@
|
||||
@@ -1136,6 +1223,7 @@
|
||||
|
||||
files_search_tmp($1)
|
||||
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
||||
+ xserver_common_app($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1159,6 +1247,275 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -25136,7 +25270,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Interface to provide X object permissions on a given X server to
|
||||
## an X client domain. Gives the domain complete control over the
|
||||
## display.
|
||||
@@ -1172,7 +1527,102 @@
|
||||
@@ -1172,7 +1529,102 @@
|
||||
interface(`xserver_unconfined',`
|
||||
gen_require(`
|
||||
attribute xserver_unconfined_type;
|
||||
@ -26753,7 +26887,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.12/policy/modules/system/init.te
|
||||
--- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/init.te 2009-04-24 08:59:22.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/init.te 2009-05-07 14:39:32.000000000 -0400
|
||||
@@ -17,6 +17,20 @@
|
||||
## </desc>
|
||||
gen_tunable(init_upstart,false)
|
||||
@ -27030,7 +27164,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dev_read_usbfs(initrc_t)
|
||||
|
||||
# init scripts run /etc/hotplug/usb.rc
|
||||
@@ -647,6 +728,11 @@
|
||||
@@ -647,20 +728,20 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -27042,8 +27176,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
mailman_list_data(initrc_t)
|
||||
mailman_read_data_symlinks(initrc_t)
|
||||
')
|
||||
@@ -655,12 +741,6 @@
|
||||
|
||||
optional_policy(`
|
||||
mta_read_config(initrc_t)
|
||||
+ mta_write_config(initrc_t)
|
||||
mta_dontaudit_read_spool_symlinks(initrc_t)
|
||||
')
|
||||
-# cjp: require doesnt work in the else of optionals :\
|
||||
@ -27055,7 +27191,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
optional_policy(`
|
||||
ifdef(`distro_redhat',`
|
||||
@@ -719,8 +799,6 @@
|
||||
@@ -719,8 +800,6 @@
|
||||
# bash tries ioctl for some reason
|
||||
files_dontaudit_ioctl_all_pids(initrc_t)
|
||||
|
||||
@ -27064,7 +27200,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -733,10 +811,12 @@
|
||||
@@ -733,10 +812,12 @@
|
||||
squid_manage_logs(initrc_t)
|
||||
')
|
||||
|
||||
@ -27077,7 +27213,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
optional_policy(`
|
||||
ssh_dontaudit_read_server_keys(initrc_t)
|
||||
@@ -754,6 +834,11 @@
|
||||
@@ -754,6 +835,11 @@
|
||||
uml_setattr_util_sockets(initrc_t)
|
||||
')
|
||||
|
||||
@ -27089,7 +27225,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
optional_policy(`
|
||||
unconfined_domain(initrc_t)
|
||||
|
||||
@@ -765,6 +850,13 @@
|
||||
@@ -765,6 +851,13 @@
|
||||
optional_policy(`
|
||||
mono_domtrans(initrc_t)
|
||||
')
|
||||
@ -27103,7 +27239,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -790,3 +882,35 @@
|
||||
@@ -790,3 +883,35 @@
|
||||
optional_policy(`
|
||||
zebra_read_config(initrc_t)
|
||||
')
|
||||
@ -30479,7 +30615,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-05-06 08:49:37.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-05-07 10:23:04.000000000 -0400
|
||||
@@ -30,8 +30,9 @@
|
||||
')
|
||||
|
||||
@ -32506,8 +32642,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+# No application file contexts.
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.if serefpolicy-3.6.12/policy/modules/system/virtual.if
|
||||
--- nsaserefpolicy/policy/modules/system/virtual.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/virtual.if 2009-04-23 09:44:57.000000000 -0400
|
||||
@@ -0,0 +1,114 @@
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/virtual.if 2009-05-07 10:24:35.000000000 -0400
|
||||
@@ -0,0 +1,135 @@
|
||||
+## <summary>Virtual machine emulator and virtualizer</summary>
|
||||
+
|
||||
+########################################
|
||||
@ -32622,6 +32758,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ allow $1 virtualdomain:process { setsched transition signal signull sigkill };
|
||||
+')
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read the process state of all virtual domains.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`virtual_read_all_domains_state',`
|
||||
+ gen_require(`
|
||||
+ attribute virtualdomain;
|
||||
+ ')
|
||||
+
|
||||
+ read_files_pattern($1,virtualdomain,virtualdomain)
|
||||
+ read_lnk_files_pattern($1,virtualdomain,virtualdomain)
|
||||
+ kernel_search_proc($1)
|
||||
+')
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.12/policy/modules/system/virtual.te
|
||||
--- nsaserefpolicy/policy/modules/system/virtual.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/virtual.te 2009-04-23 09:44:57.000000000 -0400
|
||||
@ -33122,7 +33279,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.12/policy/support/obj_perm_sets.spt
|
||||
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2009-03-12 11:16:47.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/support/obj_perm_sets.spt 2009-04-30 18:02:45.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/support/obj_perm_sets.spt 2009-05-07 10:32:41.000000000 -0400
|
||||
@@ -201,7 +201,7 @@
|
||||
define(`setattr_file_perms',`{ setattr }')
|
||||
define(`read_file_perms',`{ getattr open read lock ioctl }')
|
||||
define(`mmap_file_perms',`{ getattr open read execute ioctl }')
|
||||
-define(`exec_file_perms',`{ getattr open read execute execute_no_trans }')
|
||||
+define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
|
||||
define(`append_file_perms',`{ getattr open append lock ioctl }')
|
||||
define(`write_file_perms',`{ getattr open write append lock ioctl }')
|
||||
define(`rw_file_perms',`{ getattr open read write append ioctl lock }')
|
||||
@@ -225,7 +225,7 @@
|
||||
define(`create_lnk_file_perms',`{ create getattr }')
|
||||
define(`rename_lnk_file_perms',`{ getattr rename }')
|
||||
|
||||
@ -20,7 +20,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.6.12
|
||||
Release: 30%{?dist}
|
||||
Release: 31%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -477,6 +477,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu May 7 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-31
|
||||
- Add policy for /var/lib/fprint
|
||||
|
||||
* Tue May 5 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-30
|
||||
-Remove duplicate line
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user