- Dontaudit binds to ports < 1024 for named

- Upgrade to latest upstream
2009-04-07 11:29:08 +00:00 · 2009-04-07 11:29:08 +00:00 · a50819e6dd
commit a50819e6dd
parent 0e78af1c39
1 changed files with 55 additions and 11 deletions
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@ -5392,7 +5392,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.11/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.11/policy/modules/kernel/kernel.if	2009-04-06 12:59:54.000000000 -0400
+++ serefpolicy-3.6.11/policy/modules/kernel/kernel.if	2009-04-07 07:25:16.000000000 -0400
@@ -1197,6 +1197,26 @@
 	')
@ -10869,7 +10869,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.11/policy/modules/services/devicekit.te
 --- nsaserefpolicy/policy/modules/services/devicekit.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.11/policy/modules/services/devicekit.te	2009-04-06 12:59:54.000000000 -0400
+++ serefpolicy-3.6.11/policy/modules/services/devicekit.te	2009-04-07 07:01:32.000000000 -0400
@@ -0,0 +1,211 @@
 +policy_module(devicekit,1.0.0)
 +
@ -11019,7 +11019,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +# DeviceKit disk local policy
 +#
 +
-+allow devicekit_disk_t self:capability sys_nice;
+allow devicekit_disk_t self:capability { sys_nice sys_ptrace };
 +
 +allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
 +
@ -18331,7 +18331,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	ccs_read_config(ricci_modstorage_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.11/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2009-03-20 12:39:39.000000000 -0400
-+++ serefpolicy-3.6.11/policy/modules/services/rpc.te	2009-04-06 15:25:10.000000000 -0400
+++ serefpolicy-3.6.11/policy/modules/services/rpc.te	2009-04-07 07:27:16.000000000 -0400
@@ -23,7 +23,7 @@
 gen_tunable(allow_nfsd_anon_write, false)
@ -18341,7 +18341,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 rpc_domain_template(gssd)
-@@ -141,6 +141,7 @@
+@@ -79,16 +79,25 @@
 fs_read_rpc_symlinks(rpcd_t)
 fs_rw_rpc_sockets(rpcd_t) 
 +kernel_signal(rpcd_t) 
 +
 selinux_dontaudit_read_fs(rpcd_t)
 miscfiles_read_certs(rpcd_t)
 seutil_dontaudit_search_config(rpcd_t)
 +userdom_signal_unpriv_users(rpcd_t)
 +
 optional_policy(`
 	nis_read_ypserv_config(rpcd_t)
 ')
 +optional_policy(`
 +	unconfined_execmem_signal(rpcd_t)
 +	unconfined_signal(rpcd_t)
 +')
 +
 ########################################
 #
 # NFSD local policy
@@ -141,6 +150,7 @@
 	fs_read_noxattr_fs_files(nfsd_t) 
 	auth_manage_all_files_except_shadow(nfsd_t)
 ')
@ -18349,7 +18375,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`nfs_export_all_ro',`
 	dev_getattr_all_blk_files(nfsd_t)
-@@ -183,9 +184,12 @@
+@@ -183,9 +193,12 @@
 files_read_usr_symlinks(gssd_t) 
 auth_use_nsswitch(gssd_t)
@ -26803,7 +26829,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/opt/real/(.*/)?realplay\.bin --	gen_context(system_u:object_r:execmem_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.11/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.11/policy/modules/system/unconfined.if	2009-04-06 12:59:54.000000000 -0400
+++ serefpolicy-3.6.11/policy/modules/system/unconfined.if	2009-04-07 07:26:40.000000000 -0400
@@ -12,14 +12,13 @@
 #
 interface(`unconfined_domain_noaudit',`
@ -26879,7 +26905,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -367,6 +374,24 @@
+@@ -367,6 +374,42 @@
 ########################################
 ## <summary>
@ -26900,11 +26926,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +########################################
 +## <summary>
 +##	Send a signal to the unconfined execmem domain.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`unconfined_execmem_signal',`
 +	gen_require(`
 +		type unconfined_execmem_t;
 +	')
 +
 +	allow $1 unconfined_execmem_t:process signal;
 +')
 +
 +########################################
 +## <summary>
 ##	Send generic signals to the unconfined domain.
 ## </summary>
 ## <param name="domain">
-@@ -458,6 +483,25 @@
+@@ -458,6 +501,25 @@
 ########################################
 ## <summary>
@ -26930,7 +26974,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Connect to the unconfined domain using
 ##	a unix domain stream socket.
 ## </summary>
-@@ -581,3 +625,150 @@
+@@ -581,3 +643,150 @@
 	allow $1 unconfined_t:dbus acquire_svc;
 ')
@ -27460,7 +27504,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.11/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.11/policy/modules/system/userdomain.if	2009-04-06 12:59:54.000000000 -0400
+++ serefpolicy-3.6.11/policy/modules/system/userdomain.if	2009-04-07 07:23:04.000000000 -0400
@@ -30,8 +30,9 @@
 	')