- dontaudit mrtg reading /proc
- Allow iscsi to signal itself
- Allow gnomeclock sys_ptrace
This commit is contained in:
parent
b912a6e25d
commit
a6a82aec79
@ -12096,7 +12096,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
|||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.3.1/policy/modules/services/cups.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.3.1/policy/modules/services/cups.te
|
||||||
--- nsaserefpolicy/policy/modules/services/cups.te 2007-12-19 05:32:17.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/cups.te 2007-12-19 05:32:17.000000000 -0500
|
||||||
+++ serefpolicy-3.3.1/policy/modules/services/cups.te 2008-04-08 11:43:01.000000000 -0400
|
+++ serefpolicy-3.3.1/policy/modules/services/cups.te 2008-04-15 15:47:56.000000000 -0400
|
||||||
@@ -43,14 +43,13 @@
|
@@ -43,14 +43,13 @@
|
||||||
|
|
||||||
type cupsd_var_run_t;
|
type cupsd_var_run_t;
|
||||||
@ -12438,7 +12438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
|||||||
+
|
+
|
||||||
+lpd_manage_spool(cups_pdf_t)
|
+lpd_manage_spool(cups_pdf_t)
|
||||||
+
|
+
|
||||||
+rw_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
|
+manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-3.3.1/policy/modules/services/cvs.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-3.3.1/policy/modules/services/cvs.if
|
||||||
--- nsaserefpolicy/policy/modules/services/cvs.if 2007-01-02 12:57:43.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/cvs.if 2007-01-02 12:57:43.000000000 -0500
|
||||||
+++ serefpolicy-3.3.1/policy/modules/services/cvs.if 2008-04-04 12:06:55.000000000 -0400
|
+++ serefpolicy-3.3.1/policy/modules/services/cvs.if 2008-04-04 12:06:55.000000000 -0400
|
||||||
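Review bot: `manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)` replaces `rw_files_pattern` on the cups_pdf_t line, which additionally grants create, unlink, rename and setattr on every file labelled cupsd_log_t, so the cups-pdf backend can now remove or replace the daemon's own log files instead of only reading and appending to them. If cups-pdf only needs to create its own log in the cupsd_log_t directory, a dedicated log type for it would keep the cupsd log history out of that domain's reach; at minimum the line deserves `# cups-pdf creates its own log file in the cupsd log directory -- TODO confirm unlink/rename are actually needed` above it so the widening is deliberate. The cups_pdf_t block continues outside the hunk.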
@ -15048,7 +15048,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.3.1/policy/modules/services/gnomeclock.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.3.1/policy/modules/services/gnomeclock.te
|
||||||
--- nsaserefpolicy/policy/modules/services/gnomeclock.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/gnomeclock.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.3.1/policy/modules/services/gnomeclock.te 2008-04-07 22:47:29.000000000 -0400
|
+++ serefpolicy-3.3.1/policy/modules/services/gnomeclock.te 2008-04-15 15:52:42.000000000 -0400
|
||||||
@@ -0,0 +1,53 @@
|
@@ -0,0 +1,53 @@
|
||||||
+policy_module(gnomeclock,1.0.0)
|
+policy_module(gnomeclock,1.0.0)
|
||||||
+########################################
|
+########################################
|
||||||
@ -15064,7 +15064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom
|
|||||||
+#
|
+#
|
||||||
+# gnomeclock local policy
|
+# gnomeclock local policy
|
||||||
+#
|
+#
|
||||||
+allow gnomeclock_t self:capability { sys_nice sys_time };
|
+allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
|
||||||
+allow gnomeclock_t self:process getsched;
|
+allow gnomeclock_t self:process getsched;
|
||||||
+
|
+
|
||||||
+# internal communication is often done using fifo and unix sockets.
|
+# internal communication is often done using fifo and unix sockets.
|
||||||
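Review bot: `allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };` adds sys_ptrace to a domain whose visible purpose is adjusting the clock, and nothing in the hunk records which operation needs it. A self:capability sys_ptrace denial is frequently raised by reading other processes' /proc entries rather than by actual tracing; if that is the case here, `dontaudit gnomeclock_t self:capability sys_ptrace;` silences the log noise without widening the domain, and if a real need exists a one-line comment naming the operation should sit above the rule. The gnomeclock_t local-policy block continues past the end of the hunk.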
@ -15826,7 +15826,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
|
|||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.3.1/policy/modules/services/kerberos.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.3.1/policy/modules/services/kerberos.te
|
||||||
--- nsaserefpolicy/policy/modules/services/kerberos.te 2007-12-19 05:32:17.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/kerberos.te 2007-12-19 05:32:17.000000000 -0500
|
||||||
+++ serefpolicy-3.3.1/policy/modules/services/kerberos.te 2008-04-04 12:06:55.000000000 -0400
|
+++ serefpolicy-3.3.1/policy/modules/services/kerberos.te 2008-04-15 15:36:38.000000000 -0400
|
||||||
@@ -54,6 +54,12 @@
|
@@ -54,6 +54,12 @@
|
||||||
type krb5kdc_var_run_t;
|
type krb5kdc_var_run_t;
|
||||||
files_pid_file(krb5kdc_var_run_t)
|
files_pid_file(krb5kdc_var_run_t)
|
||||||
@ -15857,17 +15857,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
|
|||||||
|
|
||||||
corenet_all_recvfrom_unlabeled(kadmind_t)
|
corenet_all_recvfrom_unlabeled(kadmind_t)
|
||||||
corenet_all_recvfrom_netlabel(kadmind_t)
|
corenet_all_recvfrom_netlabel(kadmind_t)
|
||||||
@@ -118,6 +125,9 @@
|
@@ -118,6 +125,12 @@
|
||||||
domain_use_interactive_fds(kadmind_t)
|
domain_use_interactive_fds(kadmind_t)
|
||||||
|
|
||||||
files_read_etc_files(kadmind_t)
|
files_read_etc_files(kadmind_t)
|
||||||
+files_read_usr_symlinks(kadmind_t)
|
+files_read_usr_symlinks(kadmind_t)
|
||||||
+files_read_usr_files(kadmind_t)
|
+files_read_usr_files(kadmind_t)
|
||||||
+files_read_var_files(kadmind_t)
|
+files_read_var_files(kadmind_t)
|
||||||
|
+
|
||||||
|
+selinux_validate_context(kadmind_t)
|
||||||
|
+seutil_read_file_contexts(kadmind_t)
|
||||||
|
|
||||||
libs_use_ld_so(kadmind_t)
|
libs_use_ld_so(kadmind_t)
|
||||||
libs_use_shared_libs(kadmind_t)
|
libs_use_shared_libs(kadmind_t)
|
||||||
@@ -127,6 +137,7 @@
|
@@ -127,6 +140,7 @@
|
||||||
miscfiles_read_localization(kadmind_t)
|
miscfiles_read_localization(kadmind_t)
|
||||||
|
|
||||||
sysnet_read_config(kadmind_t)
|
sysnet_read_config(kadmind_t)
|
||||||
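Review bot: `selinux_validate_context(kadmind_t)` and `seutil_read_file_contexts(kadmind_t)` are added with no comment explaining why a Kerberos admin daemon needs to validate SELinux contexts and read file_contexts; the same pair is added for krb5kdc_t in the hunk headed `@ -15892,7 +15895,17 @@`. These interfaces presumably support label-aware creation of the KDC database files by a krb5 build with SELinux support (confirm against the build in use), and that rationale belongs beside the rules so a later cleanup does not drop them as unused: `# krb5 is built with SELinux labeling support and validates the context for files it creates`. The kadmind_t block continues outside the hunk.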
@ -15875,7 +15878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
|
|||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
|
userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
|
||||||
userdom_dontaudit_search_sysadm_home_dirs(kadmind_t)
|
userdom_dontaudit_search_sysadm_home_dirs(kadmind_t)
|
||||||
@@ -137,6 +148,7 @@
|
@@ -137,6 +151,7 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
seutil_sigchld_newrole(kadmind_t)
|
seutil_sigchld_newrole(kadmind_t)
|
||||||
@ -15883,7 +15886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -151,7 +163,7 @@
|
@@ -151,7 +166,7 @@
|
||||||
# Use capabilities. Surplus capabilities may be allowed.
|
# Use capabilities. Surplus capabilities may be allowed.
|
||||||
allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
|
allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
|
||||||
dontaudit krb5kdc_t self:capability sys_tty_config;
|
dontaudit krb5kdc_t self:capability sys_tty_config;
|
||||||
@ -15892,7 +15895,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
|
|||||||
allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
|
allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
|
||||||
allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
|
allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow krb5kdc_t self:udp_socket create_socket_perms;
|
allow krb5kdc_t self:udp_socket create_socket_perms;
|
||||||
@@ -223,6 +235,7 @@
|
@@ -215,6 +230,9 @@
|
||||||
|
files_read_usr_symlinks(krb5kdc_t)
|
||||||
|
files_read_var_files(krb5kdc_t)
|
||||||
|
|
||||||
|
+selinux_validate_context(krb5kdc_t)
|
||||||
|
+seutil_read_file_contexts(krb5kdc_t)
|
||||||
|
+
|
||||||
|
libs_use_ld_so(krb5kdc_t)
|
||||||
|
libs_use_shared_libs(krb5kdc_t)
|
||||||
|
|
||||||
|
@@ -223,6 +241,7 @@
|
||||||
miscfiles_read_localization(krb5kdc_t)
|
miscfiles_read_localization(krb5kdc_t)
|
||||||
|
|
||||||
sysnet_read_config(krb5kdc_t)
|
sysnet_read_config(krb5kdc_t)
|
||||||
@ -15900,7 +15913,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
|
|||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
|
userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
|
||||||
userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
|
userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
|
||||||
@@ -233,8 +246,10 @@
|
@@ -233,8 +252,10 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
seutil_sigchld_newrole(krb5kdc_t)
|
seutil_sigchld_newrole(krb5kdc_t)
|
||||||
@ -16296,7 +16309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
|
|||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.3.1/policy/modules/services/mailman.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.3.1/policy/modules/services/mailman.te
|
||||||
--- nsaserefpolicy/policy/modules/services/mailman.te 2007-12-19 05:32:17.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/mailman.te 2007-12-19 05:32:17.000000000 -0500
|
||||||
+++ serefpolicy-3.3.1/policy/modules/services/mailman.te 2008-04-04 12:06:55.000000000 -0400
|
+++ serefpolicy-3.3.1/policy/modules/services/mailman.te 2008-04-15 14:13:13.000000000 -0400
|
||||||
@@ -53,10 +53,9 @@
|
@@ -53,10 +53,9 @@
|
||||||
apache_use_fds(mailman_cgi_t)
|
apache_use_fds(mailman_cgi_t)
|
||||||
apache_dontaudit_append_log(mailman_cgi_t)
|
apache_dontaudit_append_log(mailman_cgi_t)
|
||||||
@ -16310,7 +16323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -65,8 +64,14 @@
|
@@ -65,8 +64,15 @@
|
||||||
#
|
#
|
||||||
|
|
||||||
allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
|
allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
|
||||||
@ -16319,6 +16332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
|
|||||||
+allow mailman_mail_t self:capability { setuid setgid };
|
+allow mailman_mail_t self:capability { setuid setgid };
|
||||||
+
|
+
|
||||||
+files_search_spool(mailman_mail_t)
|
+files_search_spool(mailman_mail_t)
|
||||||
|
+fs_rw_anon_inodefs_files(mailman_mail_t)
|
||||||
|
|
||||||
mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
|
mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
|
||||||
+mta_dontaudit_rw_queue(mailman_mail_t)
|
+mta_dontaudit_rw_queue(mailman_mail_t)
|
||||||
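Review bot: `fs_rw_anon_inodefs_files(mailman_mail_t)` is added without a comment saying which operation produced the anon_inodefs denial it answers. Anon inodes typically back epoll, eventfd or similar descriptors, so `# mailman's delivery helper uses epoll/eventfd (anon_inodefs) -- TODO confirm from the original denial` above the rule would let the next maintainer judge whether it is still required. The mailman_mail_t block continues outside the hunk.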
@ -19078,8 +19092,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
|||||||
# Local Policy
|
# Local Policy
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.3.1/policy/modules/services/postgresql.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.3.1/policy/modules/services/postgresql.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/postgresql.fc 2006-11-16 17:15:21.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/postgresql.fc 2006-11-16 17:15:21.000000000 -0500
|
||||||
+++ serefpolicy-3.3.1/policy/modules/services/postgresql.fc 2008-04-04 12:06:55.000000000 -0400
|
+++ serefpolicy-3.3.1/policy/modules/services/postgresql.fc 2008-04-15 16:03:04.000000000 -0400
|
||||||
@@ -38,3 +38,5 @@
|
@@ -31,6 +31,7 @@
|
||||||
|
/var/lib/pgsql/pgstartup\.log gen_context(system_u:object_r:postgresql_log_t,s0)
|
||||||
|
|
||||||
|
/var/log/postgres\.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0)
|
||||||
|
+/var/lib/pgsql/logfile(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
|
||||||
|
/var/log/postgresql(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
|
||||||
|
|
||||||
|
ifdef(`distro_redhat', `
|
||||||
|
@@ -38,3 +39,5 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
/var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
|
/var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
|
||||||
|
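Review bot: `/var/lib/pgsql/logfile(/.*)?` labels both the path itself and any tree beneath it; if logfile is a regular file, as the neighbouring `/var/lib/pgsql/pgstartup\.log` entry is, the spec should be `/var/lib/pgsql/logfile -- gen_context(system_u:object_r:postgresql_log_t,s0)` so that a directory of that name does not silently become postgresql_log_t. Whether it is a file or a directory depends on the postgres init script in use, so confirm before tightening. The postgresql.fc section continues past the end of the hunk.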
@ -17,7 +17,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.3.1
|
Version: 3.3.1
|
||||||
Release: 35%{?dist}
|
Release: 36%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -383,7 +383,10 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Mon Apr 14 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-35
|
* Mon Apr 14 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-36
|
||||||
|
- dontaudit mrtg reading /proc
|
||||||
|
- Allow iscsi to signal itself
|
||||||
|
- Allow gnomeclock sys_ptrace
|
||||||
|
|
||||||
* Thu Apr 10 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-33
|
* Thu Apr 10 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-33
|
||||||
- Allow dhcpd to read kernel network state
|
- Allow dhcpd to read kernel network state
|
||||||
|