- Allow openoffice execstack/execmem privs
This commit is contained in:
Daniel J Walsh
parent
4fa9db787c
commit
a3e038c1a1
|
|
@ -355,6 +355,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
|
|||
+system_r:sshd_t xguest_r:xguest_t
|
||||
+system_r:crond_t xguest_r:xguest_crond_t
|
||||
+system_r:xdm_t xguest_r:xguest_t
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.5.13/man/man8/httpd_selinux.8
|
||||
--- nsaserefpolicy/man/man8/httpd_selinux.8 2008-08-25 09:12:31.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/man/man8/httpd_selinux.8 2008-10-27 10:41:03.000000000 -0400
|
||||
@@ -57,8 +57,7 @@
|
||||
.EE
|
||||
|
||||
.SH BOOLEANS
|
||||
-SELinux policy is customizable based on least access required. So by
|
||||
-default SElinux prevents certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible.
|
||||
+SELinux policy can be customizable based on least access required. So SElinux can prevents certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible.
|
||||
.PP
|
||||
httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this
|
||||
|
||||
@@ -75,7 +74,7 @@
|
||||
.EE
|
||||
|
||||
.PP
|
||||
-httpd by default is not allowed access to the controling terminal. In most cases this is prefered, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access.
|
||||
+httpd by can be configured to not allow access to the controling terminal. In most cases this is prefered, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access.
|
||||
|
||||
.EX
|
||||
setsebool -P httpd_tty_comm 1
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.5.13/policy/flask/access_vectors
|
||||
--- nsaserefpolicy/policy/flask/access_vectors 2008-08-07 11:15:00.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/flask/access_vectors 2008-10-17 10:31:26.000000000 -0400
|
||||
|
|
@ -4375,8 +4397,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.13/policy/modules/apps/nsplugin.te
|
||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.te 2008-10-23 14:17:48.000000000 -0400
|
||||
@@ -0,0 +1,255 @@
|
||||
+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.te 2008-10-27 10:05:44.000000000 -0400
|
||||
@@ -0,0 +1,256 @@
|
||||
+
|
||||
+policy_module(nsplugin, 1.0.0)
|
||||
+
|
||||
|
|
@ -4571,6 +4593,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+
|
||||
+fs_list_inotifyfs(nsplugin_config_t)
|
||||
+fs_search_auto_mountpoints(nsplugin_config_t)
|
||||
+
|
||||
+can_exec(nsplugin_config_t, nsplugin_rw_t)
|
||||
+manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
|
||||
|
|
@ -6169,6 +6192,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+ allow $1 self:capability sys_chroot;
|
||||
')
|
||||
|
||||
########################################
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.if.in
|
||||
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2008-08-07 11:15:01.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.if.in 2008-10-27 09:53:12.000000000 -0400
|
||||
@@ -1441,10 +1441,11 @@
|
||||
#
|
||||
interface(`corenet_tcp_bind_all_unreserved_ports',`
|
||||
gen_require(`
|
||||
- attribute port_type, reserved_port_type;
|
||||
+ attribute port_type;
|
||||
+ type reserved_port_t;
|
||||
')
|
||||
|
||||
- allow $1 { port_type -reserved_port_type }:tcp_socket name_bind;
|
||||
+ allow $1 { port_type -reserved_port_t }:tcp_socket name_bind;
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1459,10 +1460,11 @@
|
||||
#
|
||||
interface(`corenet_udp_bind_all_unreserved_ports',`
|
||||
gen_require(`
|
||||
- attribute port_type, reserved_port_type;
|
||||
+ attribute port_type;
|
||||
+ type reserved_port_t;
|
||||
')
|
||||
|
||||
- allow $1 { port_type -reserved_port_type }:udp_socket name_bind;
|
||||
+ allow $1 { port_type -reserved_port_t }:udp_socket name_bind;
|
||||
')
|
||||
|
||||
########################################
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in
|
||||
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-10-14 11:58:07.000000000 -0400
|
||||
|
|
@ -10595,7 +10649,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te
|
||||
--- nsaserefpolicy/policy/modules/services/apache.te 2008-10-16 17:21:16.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-10-23 10:30:58.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-10-27 16:11:48.000000000 -0400
|
||||
@@ -20,6 +20,8 @@
|
||||
# Declarations
|
||||
#
|
||||
|
|
@ -11259,7 +11313,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+# Removal of fastcgi, will cause problems without the following
|
||||
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
|
||||
+typealias httpd_sys_content_t alias httpd_fastcgi_content_t;
|
||||
+typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t;
|
||||
+typealias httpd_sys_script_rw_t alias httpd_fastcgi_content_rw_t;
|
||||
+typealias httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t;
|
||||
+typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t;
|
||||
+typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t;
|
||||
|
|
@ -11812,8 +11866,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.5.13/policy/modules/services/bind.te
|
||||
--- nsaserefpolicy/policy/modules/services/bind.te 2008-10-16 17:21:16.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/bind.te 2008-10-17 10:31:27.000000000 -0400
|
||||
@@ -247,6 +247,8 @@
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/bind.te 2008-10-27 09:51:11.000000000 -0400
|
||||
@@ -118,6 +118,7 @@
|
||||
corenet_tcp_bind_dns_port(named_t)
|
||||
corenet_udp_bind_dns_port(named_t)
|
||||
corenet_tcp_bind_rndc_port(named_t)
|
||||
+corenet_udp_bind_all_ports(named_t)
|
||||
corenet_tcp_connect_all_ports(named_t)
|
||||
corenet_sendrecv_dns_server_packets(named_t)
|
||||
corenet_sendrecv_dns_client_packets(named_t)
|
||||
@@ -247,6 +248,8 @@
|
||||
sysnet_read_config(ndc_t)
|
||||
sysnet_dns_name_resolve(ndc_t)
|
||||
|
||||
|
|
@ -11909,7 +11971,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.5.13/policy/modules/services/bluetooth.te
|
||||
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/bluetooth.te 2008-10-17 10:31:27.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/bluetooth.te 2008-10-27 12:54:15.000000000 -0400
|
||||
@@ -20,6 +20,9 @@
|
||||
type bluetooth_helper_exec_t;
|
||||
application_executable_file(bluetooth_helper_exec_t)
|
||||
|
|
@ -11967,20 +12029,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
sysadm_dontaudit_use_ptys(bluetooth_t)
|
||||
sysadm_dontaudit_search_home_dirs(bluetooth_t)
|
||||
|
||||
@@ -126,12 +130,13 @@
|
||||
sysadm_dontaudit_search_home_dirs(bluetooth_t)
|
||||
|
||||
@@ -128,10 +132,15 @@
|
||||
optional_policy(`
|
||||
- dbus_system_bus_client_template(bluetooth, bluetooth_t)
|
||||
- dbus_connect_system_bus(bluetooth_t)
|
||||
+ cups_dbus_chat(bluetooth_t)
|
||||
dbus_system_bus_client_template(bluetooth, bluetooth_t)
|
||||
dbus_connect_system_bus(bluetooth_t)
|
||||
+ dbus_system_domain(bluetooth_t, bluetooth_exec_t)
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ cups_dbus_chat(bluetooth_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- nis_use_ypbind(bluetooth_t)
|
||||
+ dbus_system_bus_client_template(bluetooth, bluetooth_t)
|
||||
+ dbus_connect_system_bus(bluetooth_t)
|
||||
+ dbus_system_domain(bluetooth_t, bluetooth_exec_t)
|
||||
+ hal_dbus_chat(bluetooth_t)
|
||||
+ ')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -29644,7 +29706,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.5.13/policy/modules/system/unconfined.te
|
||||
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-10-14 11:58:09.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/system/unconfined.te 2008-10-24 10:26:04.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/system/unconfined.te 2008-10-27 09:05:47.000000000 -0400
|
||||
@@ -6,35 +6,76 @@
|
||||
# Declarations
|
||||
#
|
||||
|
|
@ -29941,7 +30003,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -229,14 +295,50 @@
|
||||
@@ -229,14 +295,57 @@
|
||||
|
||||
allow unconfined_execmem_t self:process { execstack execmem };
|
||||
unconfined_domain_noaudit(unconfined_execmem_t)
|
||||
|
|
@ -29966,7 +30028,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+
|
||||
+optional_policy(`
|
||||
+ xserver_rw_xdm_xserver_shm(unconfined_execmem_t)
|
||||
+')
|
||||
')
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
|
|
@ -29983,7 +30045,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+optional_policy(`
|
||||
+ gen_require(`
|
||||
+ type mplayer_exec_t;
|
||||
')
|
||||
+ ')
|
||||
+ domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t)
|
||||
+')
|
||||
+
|
||||
|
|
@ -29994,6 +30056,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+ domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ gen_require(`
|
||||
+ type openoffice_exec_t;
|
||||
+ ')
|
||||
+ domtrans_pattern(unconfined_t, openoffice_exec_t, unconfined_execmem_t)
|
||||
+')
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.5.13/policy/modules/system/userdomain.fc
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2008-08-07 11:15:12.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/system/userdomain.fc 2008-10-17 10:31:27.000000000 -0400
|
||||
|
|
@ -30009,7 +30078,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.13/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-08-07 11:15:12.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2008-10-17 17:49:05.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2008-10-27 09:43:09.000000000 -0400
|
||||
@@ -28,10 +28,14 @@
|
||||
class context contains;
|
||||
')
|
||||
|
|
@ -31135,6 +31204,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
## </p>
|
||||
## <p>
|
||||
## This template creates a user domain, types, and
|
||||
@@ -1158,7 +1152,7 @@
|
||||
#
|
||||
|
||||
# Inherit rules for ordinary users.
|
||||
- userdom_restricted_user_template($1)
|
||||
+ userdom_restricted_xwindows_user_template($1)
|
||||
userdom_common_user_template($1)
|
||||
|
||||
##############################
|
||||
@@ -1167,11 +1161,10 @@
|
||||
#
|
||||
|
||||
|
|
@ -31148,7 +31226,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
# cjp: why?
|
||||
files_read_kernel_symbol_table($1_t)
|
||||
|
||||
@@ -1189,36 +1182,45 @@
|
||||
@@ -1189,36 +1182,41 @@
|
||||
')
|
||||
')
|
||||
|
||||
|
|
@ -31165,33 +31243,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
corenet_tcp_bind_all_nodes($1_t)
|
||||
- corenet_tcp_bind_generic_port($1_t)
|
||||
+ corenet_tcp_bind_all_unreserved_ports($1_t)
|
||||
+ ')
|
||||
+
|
||||
')
|
||||
|
||||
+ # Run pppd in pppd_t by default for user
|
||||
+ optional_policy(`
|
||||
optional_policy(`
|
||||
- netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
|
||||
- netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
|
||||
+ ppp_run_cond($1_t, $1_r, { $1_tty_device_t $1_devpts_t })
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
|
||||
- netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
|
||||
+ games_rw_data($1_usertype)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- postgresql_userdom_template($1,$1_t,$1_r)
|
||||
+ mount_run($1_t, $1_r, { $1_tty_device_t $1_devpts_t })
|
||||
+ games_rw_data($1_usertype)
|
||||
')
|
||||
|
||||
- # Run pppd in pppd_t by default for user
|
||||
optional_policy(`
|
||||
- ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
|
||||
+ cron_per_role_template($1, $1_t, $1_r)
|
||||
+ mount_run($1_t, $1_r, { $1_tty_device_t $1_devpts_t })
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- setroubleshoot_stream_connect($1_t)
|
||||
+ polkit_per_role_template($1, $1_usertype, $1_r)
|
||||
+ cron_per_role_template($1, $1_t, $1_r)
|
||||
+ ')
|
||||
+
|
||||
+ optional_policy(`
|
||||
|
|
@ -31207,7 +31281,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
')
|
||||
|
||||
@@ -1295,8 +1297,6 @@
|
||||
@@ -1295,8 +1293,6 @@
|
||||
# Manipulate other users crontab.
|
||||
allow $1_t self:passwd crontab;
|
||||
|
||||
|
|
@ -31216,7 +31290,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
kernel_read_software_raid_state($1_t)
|
||||
kernel_getattr_core_if($1_t)
|
||||
kernel_getattr_message_if($1_t)
|
||||
@@ -1318,8 +1318,6 @@
|
||||
@@ -1318,8 +1314,6 @@
|
||||
|
||||
dev_getattr_generic_blk_files($1_t)
|
||||
dev_getattr_generic_chr_files($1_t)
|
||||
|
|
@ -31225,7 +31299,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
# Allow MAKEDEV to work
|
||||
dev_create_all_blk_files($1_t)
|
||||
dev_create_all_chr_files($1_t)
|
||||
@@ -1374,13 +1372,6 @@
|
||||
@@ -1374,13 +1368,6 @@
|
||||
# But presently necessary for installing the file_contexts file.
|
||||
seutil_manage_bin_policy($1_t)
|
||||
|
||||
|
|
@ -31239,7 +31313,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
optional_policy(`
|
||||
postgresql_unconfined($1_t)
|
||||
')
|
||||
@@ -1432,6 +1423,7 @@
|
||||
@@ -1432,6 +1419,7 @@
|
||||
dev_relabel_all_dev_nodes($1)
|
||||
|
||||
files_create_boot_flag($1)
|
||||
|
|
@ -31247,7 +31321,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
# Necessary for managing /boot/efi
|
||||
fs_manage_dos_files($1)
|
||||
@@ -1461,10 +1453,6 @@
|
||||
@@ -1461,10 +1449,6 @@
|
||||
seutil_run_semanage($1,$2,$3)
|
||||
seutil_run_setfiles($1, $2, $3)
|
||||
|
||||
|
|
@ -31258,7 +31332,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
optional_policy(`
|
||||
aide_run($1,$2, $3)
|
||||
')
|
||||
@@ -1484,6 +1472,14 @@
|
||||
@@ -1484,6 +1468,14 @@
|
||||
optional_policy(`
|
||||
netlabel_run_mgmt($1,$2, $3)
|
||||
')
|
||||
|
|
@ -31273,7 +31347,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1741,11 +1737,15 @@
|
||||
@@ -1741,11 +1733,15 @@
|
||||
#
|
||||
template(`userdom_user_home_content',`
|
||||
gen_require(`
|
||||
|
|
@ -31292,7 +31366,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1841,11 +1841,11 @@
|
||||
@@ -1841,11 +1837,11 @@
|
||||
#
|
||||
template(`userdom_search_user_home_dirs',`
|
||||
gen_require(`
|
||||
|
|
@ -31306,7 +31380,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1875,11 +1875,11 @@
|
||||
@@ -1875,11 +1871,11 @@
|
||||
#
|
||||
template(`userdom_list_user_home_dirs',`
|
||||
gen_require(`
|
||||
|
|
@ -31320,7 +31394,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1923,12 +1923,12 @@
|
||||
@@ -1923,12 +1919,12 @@
|
||||
#
|
||||
template(`userdom_user_home_domtrans',`
|
||||
gen_require(`
|
||||
|
|
@ -31336,7 +31410,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1958,10 +1958,11 @@
|
||||
@@ -1958,10 +1954,11 @@
|
||||
#
|
||||
template(`userdom_dontaudit_list_user_home_dirs',`
|
||||
gen_require(`
|
||||
|
|
@ -31350,7 +31424,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1993,11 +1994,47 @@
|
||||
@@ -1993,11 +1990,47 @@
|
||||
#
|
||||
template(`userdom_manage_user_home_content_dirs',`
|
||||
gen_require(`
|
||||
|
|
@ -31400,7 +31474,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2029,10 +2066,10 @@
|
||||
@@ -2029,10 +2062,10 @@
|
||||
#
|
||||
template(`userdom_dontaudit_setattr_user_home_content_files',`
|
||||
gen_require(`
|
||||
|
|
@ -31413,7 +31487,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2062,11 +2099,11 @@
|
||||
@@ -2062,11 +2095,11 @@
|
||||
#
|
||||
template(`userdom_read_user_home_content_files',`
|
||||
gen_require(`
|
||||
|
|
@ -31427,7 +31501,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2096,11 +2133,11 @@
|
||||
@@ -2096,11 +2129,11 @@
|
||||
#
|
||||
template(`userdom_dontaudit_read_user_home_content_files',`
|
||||
gen_require(`
|
||||
|
|
@ -31442,7 +31516,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2130,10 +2167,14 @@
|
||||
@@ -2130,10 +2163,14 @@
|
||||
#
|
||||
template(`userdom_dontaudit_write_user_home_content_files',`
|
||||
gen_require(`
|
||||
|
|
@ -31459,7 +31533,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2163,11 +2204,11 @@
|
||||
@@ -2163,11 +2200,11 @@
|
||||
#
|
||||
template(`userdom_read_user_home_content_symlinks',`
|
||||
gen_require(`
|
||||
|
|
@ -31473,7 +31547,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2197,11 +2238,11 @@
|
||||
@@ -2197,11 +2234,11 @@
|
||||
#
|
||||
template(`userdom_exec_user_home_content_files',`
|
||||
gen_require(`
|
||||
|
|
@ -31487,7 +31561,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2231,10 +2272,10 @@
|
||||
@@ -2231,10 +2268,10 @@
|
||||
#
|
||||
template(`userdom_dontaudit_exec_user_home_content_files',`
|
||||
gen_require(`
|
||||
|
|
@ -31500,7 +31574,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2266,12 +2307,12 @@
|
||||
@@ -2266,12 +2303,12 @@
|
||||
#
|
||||
template(`userdom_manage_user_home_content_files',`
|
||||
gen_require(`
|
||||
|
|
@ -31516,7 +31590,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2303,10 +2344,10 @@
|
||||
@@ -2303,10 +2340,10 @@
|
||||
#
|
||||
template(`userdom_dontaudit_manage_user_home_content_dirs',`
|
||||
gen_require(`
|
||||
|
|
@ -31529,7 +31603,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2338,12 +2379,12 @@
|
||||
@@ -2338,12 +2375,12 @@
|
||||
#
|
||||
template(`userdom_manage_user_home_content_symlinks',`
|
||||
gen_require(`
|
||||
|
|
@ -31545,7 +31619,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2375,12 +2416,12 @@
|
||||
@@ -2375,12 +2412,12 @@
|
||||
#
|
||||
template(`userdom_manage_user_home_content_pipes',`
|
||||
gen_require(`
|
||||
|
|
@ -31561,7 +31635,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2412,12 +2453,12 @@
|
||||
@@ -2412,12 +2449,12 @@
|
||||
#
|
||||
template(`userdom_manage_user_home_content_sockets',`
|
||||
gen_require(`
|
||||
|
|
@ -31577,7 +31651,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2462,11 +2503,11 @@
|
||||
@@ -2462,11 +2499,11 @@
|
||||
#
|
||||
template(`userdom_user_home_dir_filetrans',`
|
||||
gen_require(`
|
||||
|
|
@ -31591,7 +31665,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2511,11 +2552,11 @@
|
||||
@@ -2511,11 +2548,11 @@
|
||||
#
|
||||
template(`userdom_user_home_content_filetrans',`
|
||||
gen_require(`
|
||||
|
|
@ -31605,7 +31679,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2555,11 +2596,11 @@
|
||||
@@ -2555,11 +2592,11 @@
|
||||
#
|
||||
template(`userdom_user_home_dir_filetrans_user_home_content',`
|
||||
gen_require(`
|
||||
|
|
@ -31619,7 +31693,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2589,11 +2630,11 @@
|
||||
@@ -2589,11 +2626,11 @@
|
||||
#
|
||||
template(`userdom_write_user_tmp_sockets',`
|
||||
gen_require(`
|
||||
|
|
@ -31633,7 +31707,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2623,11 +2664,11 @@
|
||||
@@ -2623,11 +2660,11 @@
|
||||
#
|
||||
template(`userdom_list_user_tmp',`
|
||||
gen_require(`
|
||||
|
|
@ -31647,7 +31721,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2659,10 +2700,10 @@
|
||||
@@ -2659,10 +2696,10 @@
|
||||
#
|
||||
template(`userdom_dontaudit_list_user_tmp',`
|
||||
gen_require(`
|
||||
|
|
@ -31660,7 +31734,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2694,10 +2735,10 @@
|
||||
@@ -2694,10 +2731,10 @@
|
||||
#
|
||||
template(`userdom_dontaudit_manage_user_tmp_dirs',`
|
||||
gen_require(`
|
||||
|
|
@ -31673,7 +31747,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2727,12 +2768,12 @@
|
||||
@@ -2727,12 +2764,12 @@
|
||||
#
|
||||
template(`userdom_read_user_tmp_files',`
|
||||
gen_require(`
|
||||
|
|
@ -31689,7 +31763,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2764,10 +2805,10 @@
|
||||
@@ -2764,10 +2801,10 @@
|
||||
#
|
||||
template(`userdom_dontaudit_read_user_tmp_files',`
|
||||
gen_require(`
|
||||
|
|
@ -31702,7 +31776,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2799,10 +2840,10 @@
|
||||
@@ -2799,10 +2836,10 @@
|
||||
#
|
||||
template(`userdom_dontaudit_append_user_tmp_files',`
|
||||
gen_require(`
|
||||
|
|
@ -31715,7 +31789,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2832,12 +2873,12 @@
|
||||
@@ -2832,12 +2869,12 @@
|
||||
#
|
||||
template(`userdom_rw_user_tmp_files',`
|
||||
gen_require(`
|
||||
|
|
@ -31731,7 +31805,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2869,10 +2910,10 @@
|
||||
@@ -2869,10 +2906,10 @@
|
||||
#
|
||||
template(`userdom_dontaudit_manage_user_tmp_files',`
|
||||
gen_require(`
|
||||
|
|
@ -31744,7 +31818,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2904,12 +2945,12 @@
|
||||
@@ -2904,12 +2941,12 @@
|
||||
#
|
||||
template(`userdom_read_user_tmp_symlinks',`
|
||||
gen_require(`
|
||||
|
|
@ -31760,7 +31834,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2941,11 +2982,11 @@
|
||||
@@ -2941,11 +2978,11 @@
|
||||
#
|
||||
template(`userdom_manage_user_tmp_dirs',`
|
||||
gen_require(`
|
||||
|
|
@ -31774,7 +31848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2977,11 +3018,11 @@
|
||||
@@ -2977,11 +3014,11 @@
|
||||
#
|
||||
template(`userdom_manage_user_tmp_files',`
|
||||
gen_require(`
|
||||
|
|
@ -31788,7 +31862,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -3013,11 +3054,11 @@
|
||||
@@ -3013,11 +3050,11 @@
|
||||
#
|
||||
template(`userdom_manage_user_tmp_symlinks',`
|
||||
gen_require(`
|
||||
|
|
@ -31802,7 +31876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -3049,11 +3090,11 @@
|
||||
@@ -3049,11 +3086,11 @@
|
||||
#
|
||||
template(`userdom_manage_user_tmp_pipes',`
|
||||
gen_require(`
|
||||
|
|
@ -31816,7 +31890,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -3085,11 +3126,11 @@
|
||||
@@ -3085,11 +3122,11 @@
|
||||
#
|
||||
template(`userdom_manage_user_tmp_sockets',`
|
||||
gen_require(`
|
||||
|
|
@ -31830,7 +31904,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -3134,10 +3175,10 @@
|
||||
@@ -3134,10 +3171,10 @@
|
||||
#
|
||||
template(`userdom_user_tmp_filetrans',`
|
||||
gen_require(`
|
||||
|
|
@ -31843,7 +31917,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
files_search_tmp($2)
|
||||
')
|
||||
|
||||
@@ -3178,19 +3219,19 @@
|
||||
@@ -3178,19 +3215,19 @@
|
||||
#
|
||||
template(`userdom_tmp_filetrans_user_tmp',`
|
||||
gen_require(`
|
||||
|
|
@ -31867,7 +31941,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
## </p>
|
||||
## <p>
|
||||
## This is a templated interface, and should only
|
||||
@@ -3211,13 +3252,13 @@
|
||||
@@ -3211,13 +3248,13 @@
|
||||
#
|
||||
template(`userdom_rw_user_tmpfs_files',`
|
||||
gen_require(`
|
||||
|
|
@ -31885,7 +31959,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -4616,11 +4657,11 @@
|
||||
@@ -4616,11 +4653,11 @@
|
||||
#
|
||||
interface(`userdom_search_all_users_home_dirs',`
|
||||
gen_require(`
|
||||
|
|
@ -31899,7 +31973,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -4640,6 +4681,14 @@
|
||||
@@ -4640,6 +4677,14 @@
|
||||
|
||||
files_list_home($1)
|
||||
allow $1 home_dir_type:dir list_dir_perms;
|
||||
|
|
@ -31914,7 +31988,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -4677,6 +4726,8 @@
|
||||
@@ -4677,6 +4722,8 @@
|
||||
')
|
||||
|
||||
dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
|
||||
|
|
@ -31923,7 +31997,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -4721,6 +4772,25 @@
|
||||
@@ -4721,6 +4768,25 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -31949,7 +32023,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
## Create, read, write, and delete all files
|
||||
## in all users home directories.
|
||||
## </summary>
|
||||
@@ -4946,7 +5016,7 @@
|
||||
@@ -4946,7 +5012,7 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -31958,147 +32032,63 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -5318,7 +5388,7 @@
|
||||
@@ -5318,6 +5384,42 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Read and write unprivileged user ttys.
|
||||
+## Write all unprivileged users files in /tmp
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -5326,18 +5396,17 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`userdom_use_unpriv_users_ttys',`
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`userdom_manage_unpriv_users_tmp_files',`
|
||||
gen_require(`
|
||||
- attribute user_ttynode;
|
||||
+ gen_require(`
|
||||
+ type user_tmp_t;
|
||||
')
|
||||
|
||||
- allow $1 user_ttynode:chr_file rw_term_perms;
|
||||
+ ')
|
||||
+
|
||||
+ manage_files_pattern($1, user_tmp_t, user_tmp_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Do not audit attempts to use unprivileged
|
||||
-## user ttys.
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Write all unprivileged users lnk_files in /tmp
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -5345,17 +5414,17 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`userdom_dontaudit_use_unpriv_users_ttys',`
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`userdom_manage_unpriv_users_tmp_symlinks',`
|
||||
gen_require(`
|
||||
- attribute user_ttynode;
|
||||
+ gen_require(`
|
||||
+ type user_tmp_t;
|
||||
')
|
||||
|
||||
- dontaudit $1 user_ttynode:chr_file rw_file_perms;
|
||||
+ ')
|
||||
+
|
||||
+ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Read the process state of all user domains.
|
||||
+## Read and write unprivileged user ttys.
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Read and write unprivileged user ttys.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -5363,18 +5432,18 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`userdom_read_all_users_state',`
|
||||
+interface(`userdom_use_unpriv_users_ttys',`
|
||||
gen_require(`
|
||||
- attribute userdomain;
|
||||
+ attribute user_ttynode;
|
||||
@@ -5368,7 +5470,7 @@
|
||||
attribute userdomain;
|
||||
')
|
||||
|
||||
- read_files_pattern($1,userdomain,userdomain)
|
||||
- kernel_search_proc($1)
|
||||
+ allow $1 user_ttynode:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Get the attributes of all user domains.
|
||||
+## Do not audit attempts to use unprivileged
|
||||
+## user ttys.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -5382,17 +5451,54 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`userdom_getattr_all_users',`
|
||||
+interface(`userdom_dontaudit_use_unpriv_users_ttys',`
|
||||
gen_require(`
|
||||
- attribute userdomain;
|
||||
+ attribute user_ttynode;
|
||||
')
|
||||
|
||||
- allow $1 userdomain:process getattr;
|
||||
+ dontaudit $1 user_ttynode:chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Inherit the file descriptors from all user domains
|
||||
+## Read the process state of all user domains.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`userdom_read_all_users_state',`
|
||||
+ gen_require(`
|
||||
+ attribute userdomain;
|
||||
+ ')
|
||||
+
|
||||
+ ps_process_pattern($1, userdomain)
|
||||
+ kernel_search_proc($1)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Get the attributes of all user domains.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`userdom_getattr_all_users',`
|
||||
+ gen_require(`
|
||||
+ attribute userdomain;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 userdomain:process getattr;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Inherit the file descriptors from all user domains
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -5483,6 +5589,42 @@
|
||||
kernel_search_proc($1)
|
||||
')
|
||||
|
||||
@@ -5483,7 +5585,43 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Send a dbus message to all user domains.
|
||||
+## Manage keys for all user domains.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
|
|
@ -32135,10 +32125,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Send a dbus message to all user domains.
|
||||
+## Send a dbus message to all user domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -5513,3 +5655,548 @@
|
||||
## <summary>
|
||||
@@ -5513,3 +5651,548 @@
|
||||
interface(`userdom_unconfined',`
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
|
@ -32689,7 +32680,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.5.13/policy/modules/system/userdomain.te
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.te 2008-10-14 11:58:09.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/system/userdomain.te 2008-10-17 10:31:27.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/system/userdomain.te 2008-10-27 09:04:14.000000000 -0400
|
||||
@@ -8,13 +8,6 @@
|
||||
|
||||
## <desc>
|
||||
|
|
@ -32731,7 +32722,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
# The privhome attribute identifies every domain that can create files under
|
||||
# regular user home directories in the regular context (IE act on behalf of
|
||||
# a user in writing regular files)
|
||||
@@ -81,6 +73,76 @@
|
||||
@@ -81,6 +73,75 @@
|
||||
|
||||
# unprivileged user domains
|
||||
attribute unpriv_userdomain;
|
||||
|
|
@ -32807,7 +32798,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+ manage_sock_files_pattern(privhome, cifs_t, cifs_t)
|
||||
+ manage_fifo_files_pattern(privhome, cifs_t, cifs_t)
|
||||
+')
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.5.13/policy/modules/system/xen.fc
|
||||
--- nsaserefpolicy/policy/modules/system/xen.fc 2008-08-07 11:15:12.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/system/xen.fc 2008-10-17 10:31:27.000000000 -0400
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@
|
|||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.5.13
|
||||
Release: 8%{?dist}
|
||||
Release: 9%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
|
|
@ -462,6 +462,9 @@ exit 0
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Oct 27 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-9
|
||||
- Allow openoffice execstack/execmem privs
|
||||
|
||||
* Fri Oct 24 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-8
|
||||
- Allow mozilla to run with unconfined_execmem_t
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue