patch from dan.
This commit is contained in:
parent
5a35c02f94
commit
a77e65240b
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(readahead,1.0.0)
|
policy_module(readahead,1.0.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -27,6 +27,7 @@ files_create_pid(readahead_t,readahead_var_run_t)
|
|||||||
|
|
||||||
kernel_read_kernel_sysctl(readahead_t)
|
kernel_read_kernel_sysctl(readahead_t)
|
||||||
kernel_read_system_state(readahead_t)
|
kernel_read_system_state(readahead_t)
|
||||||
|
kernel_getattr_core(readahead_t)
|
||||||
|
|
||||||
dev_read_sysfs(readahead_t)
|
dev_read_sysfs(readahead_t)
|
||||||
dev_getattr_generic_chr_file(readahead_t)
|
dev_getattr_generic_chr_file(readahead_t)
|
||||||
@ -43,6 +44,8 @@ files_read_non_security_files(readahead_t)
|
|||||||
|
|
||||||
fs_getattr_all_fs(readahead_t)
|
fs_getattr_all_fs(readahead_t)
|
||||||
fs_search_auto_mountpoints(readahead_t)
|
fs_search_auto_mountpoints(readahead_t)
|
||||||
|
fs_getattr_all_pipes(readahead_t)
|
||||||
|
fs_getattr_all_files(readahead_t)
|
||||||
|
|
||||||
term_dontaudit_use_console(readahead_t)
|
term_dontaudit_use_console(readahead_t)
|
||||||
|
|
||||||
@ -50,6 +53,7 @@ auth_dontaudit_read_shadow(readahead_t)
|
|||||||
|
|
||||||
init_use_fd(readahead_t)
|
init_use_fd(readahead_t)
|
||||||
init_use_script_pty(readahead_t)
|
init_use_script_pty(readahead_t)
|
||||||
|
init_getattr_initctl(readahead_t)
|
||||||
|
|
||||||
libs_use_ld_so(readahead_t)
|
libs_use_ld_so(readahead_t)
|
||||||
libs_use_shared_libs(readahead_t)
|
libs_use_shared_libs(readahead_t)
|
||||||
|
@ -13,6 +13,7 @@
|
|||||||
/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
|
||||||
ifdef(`distro_redhat', `
|
ifdef(`distro_redhat', `
|
||||||
|
/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||||
/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||||
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||||
')
|
')
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(rpm,1.1.2)
|
policy_module(rpm,1.1.3)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -193,7 +193,9 @@ template(`su_per_userdomain_template',`
|
|||||||
domain_use_wide_inherit_fd($1_su_t)
|
domain_use_wide_inherit_fd($1_su_t)
|
||||||
|
|
||||||
files_read_etc_files($1_su_t)
|
files_read_etc_files($1_su_t)
|
||||||
|
files_read_etc_runtime_files($1_su_t)
|
||||||
files_search_var_lib($1_su_t)
|
files_search_var_lib($1_su_t)
|
||||||
|
files_dontaudit_getattr_tmp_dir($1_su_t)
|
||||||
|
|
||||||
init_dontaudit_use_fd($1_su_t)
|
init_dontaudit_use_fd($1_su_t)
|
||||||
# Write to utmp.
|
# Write to utmp.
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(su,1.1.2)
|
policy_module(su,1.1.3)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -5,15 +5,12 @@
|
|||||||
## Execute VPN clients in the vpnc domain.
|
## Execute VPN clients in the vpnc domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## The type of the process performing this action.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`vpn_domtrans',`
|
interface(`vpn_domtrans',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type vpnc_t, vpnc_exec_t;
|
type vpnc_t, vpnc_exec_t;
|
||||||
class process sigchld;
|
|
||||||
class fd use;
|
|
||||||
class fifo_file rw_file_perms;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
domain_auto_trans($1,vpnc_exec_t,vpnc_t)
|
domain_auto_trans($1,vpnc_exec_t,vpnc_t)
|
||||||
@ -30,7 +27,7 @@ interface(`vpn_domtrans',`
|
|||||||
## allow the specified role the vpnc domain.
|
## allow the specified role the vpnc domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## The type of the process performing this action.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
## <param name="role">
|
## <param name="role">
|
||||||
## The role to be allowed the vpnc domain.
|
## The role to be allowed the vpnc domain.
|
||||||
@ -42,10 +39,25 @@ interface(`vpn_domtrans',`
|
|||||||
interface(`vpn_run',`
|
interface(`vpn_run',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type vpnc_t;
|
type vpnc_t;
|
||||||
class chr_file rw_term_perms;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
vpn_domtrans($1)
|
vpn_domtrans($1)
|
||||||
role $2 types vpnc_t;
|
role $2 types vpnc_t;
|
||||||
allow vpnc_t $3:chr_file rw_term_perms;
|
allow vpnc_t $3:chr_file rw_term_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Send generic signals to VPN clients.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`vpn_signal',`
|
||||||
|
gen_require(`
|
||||||
|
type vpnc_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 vpnc_t:process signal;
|
||||||
|
')
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(vpnc,1.0.0)
|
policy_module(vpnc,1.0.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -24,6 +24,7 @@ files_pid_file(vpnc_var_run_t)
|
|||||||
#
|
#
|
||||||
|
|
||||||
allow vpnc_t self:capability { net_admin ipc_lock net_raw };
|
allow vpnc_t self:capability { net_admin ipc_lock net_raw };
|
||||||
|
allow vpnc_t self:process getsched;
|
||||||
allow vpnc_t self:fifo_file { getattr ioctl read write };
|
allow vpnc_t self:fifo_file { getattr ioctl read write };
|
||||||
allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
|
allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
|
||||||
allow vpnc_t self:tcp_socket create_stream_socket_perms;
|
allow vpnc_t self:tcp_socket create_stream_socket_perms;
|
||||||
@ -88,6 +89,8 @@ libs_exec_lib_files(vpnc_t)
|
|||||||
libs_use_ld_so(vpnc_t)
|
libs_use_ld_so(vpnc_t)
|
||||||
libs_use_shared_libs(vpnc_t)
|
libs_use_shared_libs(vpnc_t)
|
||||||
|
|
||||||
|
logging_send_syslog_msg(vpnc_t)
|
||||||
|
|
||||||
miscfiles_read_localization(vpnc_t)
|
miscfiles_read_localization(vpnc_t)
|
||||||
|
|
||||||
seutil_dontaudit_search_config(vpnc_t)
|
seutil_dontaudit_search_config(vpnc_t)
|
||||||
@ -99,6 +102,10 @@ sysnet_manage_config(vpnc_t)
|
|||||||
userdom_use_all_user_fd(vpnc_t)
|
userdom_use_all_user_fd(vpnc_t)
|
||||||
userdom_dontaudit_search_all_users_home(vpnc_t)
|
userdom_dontaudit_search_all_users_home(vpnc_t)
|
||||||
|
|
||||||
|
optional_policy(`dbus',`
|
||||||
|
dbus_system_bus_client_template(vpnc,vpnc_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`mount',`
|
optional_policy(`mount',`
|
||||||
mount_send_nfs_client_request(vpnc_t)
|
mount_send_nfs_client_request(vpnc_t)
|
||||||
')
|
')
|
||||||
|
@ -134,6 +134,7 @@ ifdef(`distro_gentoo',`
|
|||||||
|
|
||||||
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
/usr/share/hal/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/mc/extfs/.* -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/mc/extfs/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
@ -3241,3 +3241,20 @@ interface(`files_unconfined',`
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Allow attempts to modify any directory
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain to allow
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`files_write_non_security_dir',`
|
||||||
|
gen_require(`
|
||||||
|
attribute file_type, security_file_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 file_type:dir write;
|
||||||
|
')
|
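Review bot: `files_write_non_security_dir` pulls `security_file_type` into its `gen_require` but never subtracts it, so `allow $1 file_type:dir write;` covers every directory on the system, including those carrying security labels, which is the opposite of what the interface name promises. The rule should read `allow $1 { file_type -security_file_type }:dir write;`, matching the `files_read_non_security_files` convention already used by readahead elsewhere in this commit. The summary `## Allow attempts to modify any directory` should then be narrowed to `## Write to any directory that is not a security file type.`, and if callers are expected to add or remove entries they will also need `add_name`/`remove_name`, which this interface does not grant; the summary should say exactly which access is given.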
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(automount,1.0.3)
|
policy_module(automount,1.0.4)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -28,7 +28,7 @@ files_mountpoint(automount_tmp_t)
|
|||||||
# Local policy
|
# Local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
allow automount_t self:capability { sys_nice dac_override };
|
allow automount_t self:capability { net_bind_service sys_nice dac_override };
|
||||||
dontaudit automount_t self:capability sys_tty_config;
|
dontaudit automount_t self:capability sys_tty_config;
|
||||||
allow automount_t self:process { signal_perms getpgid setpgid setsched };
|
allow automount_t self:process { signal_perms getpgid setpgid setsched };
|
||||||
allow automount_t self:fifo_file rw_file_perms;
|
allow automount_t self:fifo_file rw_file_perms;
|
||||||
@ -81,6 +81,7 @@ corenet_udp_sendrecv_all_ports(automount_t)
|
|||||||
corenet_tcp_bind_all_nodes(automount_t)
|
corenet_tcp_bind_all_nodes(automount_t)
|
||||||
corenet_udp_bind_all_nodes(automount_t)
|
corenet_udp_bind_all_nodes(automount_t)
|
||||||
corenet_tcp_connect_portmap_port(automount_t)
|
corenet_tcp_connect_portmap_port(automount_t)
|
||||||
|
corenet_tcp_connect_all_ports(automount_t)
|
||||||
corenet_dontaudit_tcp_connect_all_reserved_ports(automount_t)
|
corenet_dontaudit_tcp_connect_all_reserved_ports(automount_t)
|
||||||
|
|
||||||
dev_read_sysfs(automount_t)
|
dev_read_sysfs(automount_t)
|
||||||
@ -139,6 +140,10 @@ optional_policy(`apm',`
|
|||||||
corecmd_exec_bin(automount_t)
|
corecmd_exec_bin(automount_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`bind',`
|
||||||
|
bind_search_cache(automount_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`fstools',`
|
optional_policy(`fstools',`
|
||||||
fstools_domtrans(automount_t)
|
fstools_domtrans(automount_t)
|
||||||
')
|
')
|
||||||
|
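Review bot: `corenet_tcp_connect_all_ports(automount_t)` makes the `corenet_dontaudit_tcp_connect_all_reserved_ports(automount_t)` on the very next line dead, since a dontaudit on a subset of what is already allowed has no effect. If the need is only to reach RPC services on dynamic ports (the domain already has `corenet_tcp_connect_portmap_port`), a narrower connect interface would keep the dontaudit meaningful; otherwise the dontaudit line should be dropped so the policy does not suggest a restriction that no longer exists. The new `net_bind_service` capability also arrives without a comment; if it is for the privileged source port an NFS client binds, a line such as `# bind privileged source port for NFS mounts` would make the grant reviewable later.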
@ -151,6 +151,24 @@ interface(`bind_manage_config_dir',`
|
|||||||
allow $1 named_conf_t:dir create_dir_perms;
|
allow $1 named_conf_t:dir create_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Search the BIND cache directory.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`bind_search_cache',`
|
||||||
|
gen_require(`
|
||||||
|
type named_cache_t, named_zone_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_var($1)
|
||||||
|
allow $1 named_zone_t:dir search_dir_perms;
|
||||||
|
allow $1 named_cache_t:dir search_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Create, read, write, and delete
|
## Create, read, write, and delete
|
||||||
|
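Review bot: The summary of `bind_search_cache` says `## Search the BIND cache directory.` but the body also calls `files_search_var($1)` and grants `search_dir_perms` on `named_zone_t`, presumably because the cache directory sits below the zone directory on the distributions this targets. A one-line comment above the `named_zone_t` rule, e.g. `# cache dir lives under the zone dir; search needed for path traversal`, would stop a later reader from trimming it as excess, and the summary could mention the zone directory is traversed as well.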
@ -382,6 +382,22 @@ interface(`cron_read_pipe',`
|
|||||||
allow $1 crond_t:fifo_file r_file_perms;
|
allow $1 crond_t:fifo_file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to write cron daemon unnamed pipes.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`cron_dontaudit_write_pipe',`
|
||||||
|
gen_require(`
|
||||||
|
type crond_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 crond_t:fifo_file write;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read and write a cron daemon unnamed pipe.
|
## Read and write a cron daemon unnamed pipe.
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(cron,1.1.2)
|
policy_module(cron,1.1.3)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
class passwd rootok;
|
class passwd rootok;
|
||||||
@ -410,40 +410,13 @@ ifdef(`targeted_policy',`
|
|||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
dontaudit userdomain system_crond_t:fd use;
|
dontaudit userdomain system_crond_t:fd use;
|
||||||
|
|
||||||
# Do not audit attempts to search unlabeled directories (e.g. slocate).
|
|
||||||
dontaudit system_crond_t unlabeled_t:dir r_dir_perms;
|
|
||||||
dontaudit system_crond_t unlabeled_t:file r_file_perms;
|
|
||||||
|
|
||||||
allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
|
allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
|
||||||
|
|
||||||
# Write to /var/lib/slocate.db.
|
|
||||||
allow system_crond_t var_lib_t:dir rw_dir_perms;
|
|
||||||
allow system_crond_t var_lib_t:file create_file_perms;
|
|
||||||
|
|
||||||
# for if /var/mail is a symlink
|
# for if /var/mail is a symlink
|
||||||
allow system_crond_t mail_spool_t:lnk_file read;
|
allow system_crond_t mail_spool_t:lnk_file read;
|
||||||
|
|
||||||
#
|
|
||||||
# These rules are here to allow system cron jobs to su
|
|
||||||
#
|
|
||||||
ifdef(`su.te', `
|
|
||||||
su_restricted_domain(system_crond,system)
|
|
||||||
role system_r types system_crond_su_t;
|
|
||||||
allow system_crond_su_t crond_t:fifo_file ioctl;
|
|
||||||
')
|
|
||||||
|
|
||||||
#
|
|
||||||
# Required for webalizer
|
|
||||||
#
|
|
||||||
ifdef(`apache.te', `
|
|
||||||
allow system_crond_t { httpd_log_t httpd_config_t }:file r_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
ifdef(`mta.te', `
|
ifdef(`mta.te', `
|
||||||
mta_send_mail_transition(system_crond_t)
|
mta_send_mail_transition(system_crond_t)
|
||||||
|
|
||||||
# system_mail_t should only be reading from the cron fifo not needing to write
|
|
||||||
dontaudit system_mail_t crond_t:fifo_file write;
|
|
||||||
allow mta_user_agent system_crond_t:fd use;
|
allow mta_user_agent system_crond_t:fd use;
|
||||||
r_dir_file(system_mail_t, crond_tmp_t)
|
r_dir_file(system_mail_t, crond_tmp_t)
|
||||||
')
|
')
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(hal,1.1.4)
|
policy_module(hal,1.1.5)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -47,6 +47,7 @@ files_create_pid(hald_t,hald_var_run_t)
|
|||||||
kernel_read_system_state(hald_t)
|
kernel_read_system_state(hald_t)
|
||||||
kernel_read_network_state(hald_t)
|
kernel_read_network_state(hald_t)
|
||||||
kernel_read_kernel_sysctl(hald_t)
|
kernel_read_kernel_sysctl(hald_t)
|
||||||
|
kernel_read_fs_sysctl(hald_t)
|
||||||
kernel_write_proc_file(hald_t)
|
kernel_write_proc_file(hald_t)
|
||||||
|
|
||||||
corecmd_exec_bin(hald_t)
|
corecmd_exec_bin(hald_t)
|
||||||
@ -82,6 +83,7 @@ files_exec_etc_files(hald_t)
|
|||||||
files_read_etc_files(hald_t)
|
files_read_etc_files(hald_t)
|
||||||
files_rw_etc_runtime_files(hald_t)
|
files_rw_etc_runtime_files(hald_t)
|
||||||
files_search_mnt(hald_t)
|
files_search_mnt(hald_t)
|
||||||
|
files_manage_mnt_dirs(hald_t)
|
||||||
files_search_var_lib(hald_t)
|
files_search_var_lib(hald_t)
|
||||||
files_read_usr_files(hald_t)
|
files_read_usr_files(hald_t)
|
||||||
# hal is now execing pm-suspend
|
# hal is now execing pm-suspend
|
||||||
@ -91,6 +93,8 @@ fs_getattr_all_fs(hald_t)
|
|||||||
fs_search_all(hald_t)
|
fs_search_all(hald_t)
|
||||||
fs_search_auto_mountpoints(hald_t)
|
fs_search_auto_mountpoints(hald_t)
|
||||||
|
|
||||||
|
mls_file_read_up(hald_t)
|
||||||
|
|
||||||
selinux_get_fs_mount(hald_t)
|
selinux_get_fs_mount(hald_t)
|
||||||
selinux_validate_context(hald_t)
|
selinux_validate_context(hald_t)
|
||||||
selinux_compute_access_vector(hald_t)
|
selinux_compute_access_vector(hald_t)
|
||||||
@ -188,6 +192,10 @@ optional_policy(`pcmcia',`
|
|||||||
pcmcia_manage_runtime_chr(hald_t)
|
pcmcia_manage_runtime_chr(hald_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`rpc',`
|
||||||
|
rpc_search_nfs_state_data(hald_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`selinuxutil',`
|
optional_policy(`selinuxutil',`
|
||||||
seutil_sigchld_newrole(hald_t)
|
seutil_sigchld_newrole(hald_t)
|
||||||
')
|
')
|
||||||
@ -204,7 +212,3 @@ optional_policy(`updfstab',`
|
|||||||
optional_policy(`vbetool',`
|
optional_policy(`vbetool',`
|
||||||
vbetool_domtrans(hald_t)
|
vbetool_domtrans(hald_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
|
||||||
allow hald_t device_t:dir create_dir_perms;
|
|
||||||
') dnl end TODO
|
|
||||||
|
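Review bot: `mls_file_read_up(hald_t)` grants an MLS override (reading files above the domain's sensitivity level) with no comment on what hald needs it for, while every other addition in this section is ordinary type enforcement. MLS privileges should carry a why-comment so they can be audited, e.g. `# MLS: hal reads files above its level -- TODO state which (device or mount data?)`. Likewise `files_manage_mnt_dirs(hald_t)` goes well beyond the existing `files_search_mnt(hald_t)`, presumably to create and remove mount-point directories for removable media; a short comment tying it to that use would help.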
@ -248,9 +248,3 @@ optional_policy(`selinuxutil',`
|
|||||||
optional_policy(`udev',`
|
optional_policy(`udev',`
|
||||||
udev_read_db(krb5kdc_t)
|
udev_read_db(krb5kdc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
|
||||||
# Allow user programs to talk to KDC
|
|
||||||
allow krb5kdc_t userdomain:udp_socket recvfrom;
|
|
||||||
allow userdomain krb5kdc_t:udp_socket recvfrom;
|
|
||||||
') dnl end TODO
|
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(mta,1.1.2)
|
policy_module(mta,1.1.3)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -114,6 +114,7 @@ optional_policy(`arpwatch',`
|
|||||||
|
|
||||||
optional_policy(`cron',`
|
optional_policy(`cron',`
|
||||||
cron_read_system_job_tmp_files(system_mail_t)
|
cron_read_system_job_tmp_files(system_mail_t)
|
||||||
|
cron_dontaudit_write_pipe(system_mail_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`cvs',`
|
optional_policy(`cvs',`
|
||||||
@ -128,6 +129,10 @@ optional_policy(`logwatch',`
|
|||||||
logwatch_read_tmp_files(system_mail_t)
|
logwatch_read_tmp_files(system_mail_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`sendmail',`
|
||||||
|
files_create_etc_config(sendmail_t,etc_aliases_t, file)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`postfix',`
|
optional_policy(`postfix',`
|
||||||
allow system_mail_t etc_aliases_t:dir create_dir_perms;
|
allow system_mail_t etc_aliases_t:dir create_dir_perms;
|
||||||
allow system_mail_t etc_aliases_t:file create_file_perms;
|
allow system_mail_t etc_aliases_t:file create_file_perms;
|
||||||
@ -178,3 +183,9 @@ optional_policy(`arpwatch',`
|
|||||||
cron_read_system_job_tmp_files(mta_user_agent)
|
cron_read_system_job_tmp_files(mta_user_agent)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
ifdef(`TODO',`
|
||||||
|
# for the start script to run make -C /etc/mail
|
||||||
|
allow initrc_t etc_mail_t:dir rw_dir_perms;
|
||||||
|
allow initrc_t etc_mail_t:file create_file_perms;
|
||||||
|
')
|
||||||
|
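Review bot: The new `optional_policy(`sendmail',` block writes a rule on `sendmail_t` directly from mta.te, `files_create_etc_config(sendmail_t,etc_aliases_t, file)`, rather than going through a sendmail interface, and `sendmail_t` is not brought in with a `gen_require` here; unless it is already required earlier in this file (outside the hunk), that will not build as a loadable module. The conventional shape is an interface in the sendmail module that mta.te calls, which also keeps the `etc_aliases_t` file transition next to the domain that performs it. The `ifdef(`TODO',` block appended at the end is dead policy for `initrc_t`; if it is kept as a reminder, add a line saying why `rw_dir_perms`/`create_file_perms` on `etc_mail_t` cannot be enabled yet, otherwise drop it.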
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(networkmanager,1.1.0)
|
policy_module(networkmanager,1.1.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -28,8 +28,6 @@ allow NetworkManager_t self:netlink_route_socket r_netlink_socket_perms;
|
|||||||
allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
|
allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow NetworkManager_t self:udp_socket create_socket_perms;
|
allow NetworkManager_t self:udp_socket create_socket_perms;
|
||||||
allow NetworkManager_t self:packet_socket create_socket_perms;
|
allow NetworkManager_t self:packet_socket create_socket_perms;
|
||||||
# allow vpnc connections
|
|
||||||
allow NetworkManager_t self:rawip_socket create_socket_perms;
|
|
||||||
|
|
||||||
allow NetworkManager_t NetworkManager_var_run_t:file create_file_perms;
|
allow NetworkManager_t NetworkManager_var_run_t:file create_file_perms;
|
||||||
allow NetworkManager_t NetworkManager_var_run_t:dir rw_dir_perms;
|
allow NetworkManager_t NetworkManager_var_run_t:dir rw_dir_perms;
|
||||||
@ -54,8 +52,6 @@ corenet_udp_bind_all_nodes(NetworkManager_t)
|
|||||||
corenet_tcp_connect_all_ports(NetworkManager_t)
|
corenet_tcp_connect_all_ports(NetworkManager_t)
|
||||||
corenet_udp_bind_isakmp_port(NetworkManager_t)
|
corenet_udp_bind_isakmp_port(NetworkManager_t)
|
||||||
corenet_udp_bind_dhcpc_port(NetworkManager_t)
|
corenet_udp_bind_dhcpc_port(NetworkManager_t)
|
||||||
# vpn connections
|
|
||||||
corenet_use_tun_tap_device(NetworkManager_t)
|
|
||||||
|
|
||||||
dev_read_sysfs(NetworkManager_t)
|
dev_read_sysfs(NetworkManager_t)
|
||||||
dev_read_rand(NetworkManager_t)
|
dev_read_rand(NetworkManager_t)
|
||||||
@ -170,4 +166,5 @@ optional_policy(`udev',`
|
|||||||
|
|
||||||
optional_policy(`vpn',`
|
optional_policy(`vpn',`
|
||||||
vpn_domtrans(NetworkManager_t)
|
vpn_domtrans(NetworkManager_t)
|
||||||
|
vpn_signal(NetworkManager_t)
|
||||||
')
|
')
|
||||||
|
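Review bot: The `rawip_socket` rule and `corenet_use_tun_tap_device(NetworkManager_t)` removed under the `# allow vpnc connections` comments are not visibly re-added to `vpnc_t` anywhere in this commit; the vpnc.te hunks show `net_raw` in its capability set but no tun/tap device access. If the intent is that VPN traffic now runs entirely in the vpnc domain via `vpn_domtrans`, please confirm `vpnc_t` already has `corenet_use_tun_tap_device` and raw-IP socket rules outside the shown hunks, otherwise VPN bring-up will break silently. A one-line comment at the removal site, e.g. `# tun/tap and raw IP now handled by vpnc_t (see vpnc.te)`, would make the move traceable.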
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(nscd,1.1.0)
|
policy_module(nscd,1.1.1)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
class nscd all_nscd_perms;
|
class nscd all_nscd_perms;
|
||||||
@ -128,7 +128,6 @@ optional_policy(`nis',`
|
|||||||
|
|
||||||
optional_policy(`samba',`
|
optional_policy(`samba',`
|
||||||
samba_connect_winbind(nscd_t)
|
samba_connect_winbind(nscd_t)
|
||||||
samba_search_var(nscd_t)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`udev',`
|
optional_policy(`udev',`
|
||||||
|
@ -148,8 +148,6 @@ optional_policy(`nscd',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`samba',`
|
optional_policy(`samba',`
|
||||||
# cjp: the connect was previously missing
|
|
||||||
# so it might be ok to drop this
|
|
||||||
samba_connect_winbind(ntpd_t)
|
samba_connect_winbind(ntpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -338,10 +338,11 @@ interface(`samba_read_winbind_pid',`
|
|||||||
#
|
#
|
||||||
interface(`samba_connect_winbind',`
|
interface(`samba_connect_winbind',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type winbind_t, winbind_var_run_t;
|
type samba_var_t, winbind_t, winbind_var_run_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
files_search_pids($1)
|
files_search_pids($1)
|
||||||
|
allow $1 samba_var_t:dir search_dir_perms;
|
||||||
allow $1 winbind_var_run_t:dir search_dir_perms;
|
allow $1 winbind_var_run_t:dir search_dir_perms;
|
||||||
allow $1 winbind_var_run_t:sock_file { getattr read write };
|
allow $1 winbind_var_run_t:sock_file { getattr read write };
|
||||||
allow $1 winbind_t:unix_stream_socket connectto;
|
allow $1 winbind_t:unix_stream_socket connectto;
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(samba,1.1.2)
|
policy_module(samba,1.1.3)
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(fstools,1.1.0)
|
policy_module(fstools,1.1.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -69,6 +69,8 @@ dev_search_usbfs(fsadm_t)
|
|||||||
dev_read_sysfs(fsadm_t)
|
dev_read_sysfs(fsadm_t)
|
||||||
# Access to /initrd devices
|
# Access to /initrd devices
|
||||||
dev_getattr_usbfs_dir(fsadm_t)
|
dev_getattr_usbfs_dir(fsadm_t)
|
||||||
|
# Access to /dev/mapper/control
|
||||||
|
dev_rw_lvm_control(fsadm_t)
|
||||||
|
|
||||||
fs_search_auto_mountpoints(fsadm_t)
|
fs_search_auto_mountpoints(fsadm_t)
|
||||||
fs_getattr_xattr_fs(fsadm_t)
|
fs_getattr_xattr_fs(fsadm_t)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(init,1.1.2)
|
policy_module(init,1.1.3)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
class passwd rootok;
|
class passwd rootok;
|
||||||
@ -449,7 +449,6 @@ ifdef(`distro_redhat',`
|
|||||||
|
|
||||||
# readahead asks for these
|
# readahead asks for these
|
||||||
auth_dontaudit_read_shadow(initrc_t)
|
auth_dontaudit_read_shadow(initrc_t)
|
||||||
mta_read_aliases(initrc_t)
|
|
||||||
|
|
||||||
optional_policy(`bind',`
|
optional_policy(`bind',`
|
||||||
bind_manage_config_dir(initrc_t)
|
bind_manage_config_dir(initrc_t)
|
||||||
@ -579,6 +578,8 @@ optional_policy(`lvm',`
|
|||||||
|
|
||||||
dev_read_lvm_control(initrc_t)
|
dev_read_lvm_control(initrc_t)
|
||||||
dev_create_generic_chr_file(initrc_t)
|
dev_create_generic_chr_file(initrc_t)
|
||||||
|
|
||||||
|
lvm_read_config(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`mailman',`
|
optional_policy(`mailman',`
|
||||||
@ -695,24 +696,13 @@ allow initrc_t xconsole_device_t:fifo_file setattr;
|
|||||||
allow initrc_t default_t:dir write;
|
allow initrc_t default_t:dir write;
|
||||||
|
|
||||||
ifdef(`distro_redhat', `
|
ifdef(`distro_redhat', `
|
||||||
# readahead asks for these
|
|
||||||
allow initrc_t var_lib_nfs_t:file r_file_perms;
|
|
||||||
|
|
||||||
allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
|
|
||||||
allow initrc_t device_t:dir create;
|
allow initrc_t device_t:dir create;
|
||||||
|
|
||||||
# wants to delete /poweroff and other files
|
|
||||||
allow initrc_t root_t:file unlink;
|
|
||||||
ifdef(`xserver.te', `
|
ifdef(`xserver.te', `
|
||||||
# wants to cleanup xserver log dir
|
# wants to cleanup xserver log dir
|
||||||
allow initrc_t xserver_log_t:dir rw_dir_perms;
|
allow initrc_t xserver_log_t:dir rw_dir_perms;
|
||||||
allow initrc_t xserver_log_t:file unlink;
|
allow initrc_t xserver_log_t:file unlink;
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`rpm',`
|
|
||||||
rpm_stub(initrc_t)
|
|
||||||
#read ahead wants to read this
|
|
||||||
allow initrc_t system_cron_spool_t:file { getattr read };
|
|
||||||
')
|
|
||||||
')
|
')
|
||||||
') dnl end TODO
|
') dnl end TODO
|
||||||
|
@ -3,14 +3,14 @@
|
|||||||
#
|
#
|
||||||
ifdef(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
/emul/ia32-linux/usr(/.*)?/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
/emul/ia32-linux/usr(/.*)?/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||||
/emul/ia32-linux/usr(/.*)?/lib/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
|
/emul/ia32-linux/usr(/.*)?/lib/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
|
||||||
/emul/ia32-linux/usr(/.*)?/java/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
|
/emul/ia32-linux/usr(/.*)?/java/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
|
||||||
/emul/ia32-linux/usr(/.*)?/java/.*\.jar -- gen_context(system_u:object_r:shlib_t,s0)
|
/emul/ia32-linux/usr(/.*)?/java/.*\.jar -- gen_context(system_u:object_r:shlib_t,s0)
|
||||||
/emul/ia32-linux/usr(/.*)?/java/.*\.jsa -- gen_context(system_u:object_r:shlib_t,s0)
|
/emul/ia32-linux/usr(/.*)?/java/.*\.jsa -- gen_context(system_u:object_r:shlib_t,s0)
|
||||||
/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
|
/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
|
||||||
/emul/ia32-linux/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
/emul/ia32-linux/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||||
/emul/ia32-linux/lib/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
|
/emul/ia32-linux/lib/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
|
||||||
/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
|
/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
|
||||||
')
|
')
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -55,7 +55,7 @@ ifdef(`distro_redhat',`
|
|||||||
|
|
||||||
/usr(/.*)?/nvidia/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr(/.*)?/nvidia/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
|
||||||
/usr/lib/pgsql/test/regress/.*\.so -- gen_context(system_u:object_r:shlib_t,s0)
|
/usr/lib(64)?/pgsql/test/regress/.*\.so -- gen_context(system_u:object_r:shlib_t,s0)
|
||||||
|
|
||||||
/usr/lib/win32/.* -- gen_context(system_u:object_r:shlib_t,s0)
|
/usr/lib/win32/.* -- gen_context(system_u:object_r:shlib_t,s0)
|
||||||
|
|
||||||
@ -76,7 +76,7 @@ ifdef(`distro_redhat',`
|
|||||||
/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
|
||||||
ifdef(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
/usr/lib/.*/program/.*\.so.* gen_context(system_u:object_r:shlib_t,s0)
|
/usr/lib(64)?/.*/program/.*\.so.* gen_context(system_u:object_r:shlib_t,s0)
|
||||||
/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- gen_context(system_u:object_r:shlib_t,s0)
|
/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- gen_context(system_u:object_r:shlib_t,s0)
|
||||||
|
|
||||||
# The following are libraries with text relocations in need of execmod permissions
|
# The following are libraries with text relocations in need of execmod permissions
|
||||||
@ -84,32 +84,32 @@ ifdef(`distro_redhat',`
|
|||||||
|
|
||||||
# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
|
# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
|
||||||
# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
|
# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
|
||||||
/usr/lib/gstreamer-.*/libgstffmpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/gstreamer-.*/libgstffmpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/gstreamer-.*/libgsthermescolorspace\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/gstreamer-.*/libgsthermescolorspace\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/gstreamer-.*/libgstmms\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/gstreamer-.*/libgstmms\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/helix/plugins/oggfformat\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/helix/plugins/oggfformat\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/helix/plugins/theorarend\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/helix/plugins/theorarend\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/helix/plugins/vorbisrend\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/helix/plugins/vorbisrend\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/helix/codecs/colorcvt\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/helix/codecs/colorcvt\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/helix/codecs/cvt1\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/helix/codecs/cvt1\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/X11R6/lib/modules/dri/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/X11R6/lib/modules/dri/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/dri/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/dri/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/X11R6/lib/libOSMesa\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/X11R6/lib/libOSMesa\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/X11R6/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/X11R6/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/libHermes\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/libHermes\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/valgrind/hp2ps -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/valgrind/hp2ps -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/valgrind/stage2 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/valgrind/stage2 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/valgrind/vg.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/valgrind/vg.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/.*/program/libicudata\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/.*/program/libicudata\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/.*/program/libsts645li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/.*/program/libsts645li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/.*/program/libvclplug_gen645li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/.*/program/libvclplug_gen645li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/.*/program/libwrp645li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/.*/program/libwrp645li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/.*/program/libswd680li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/.*/program/libswd680li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib(64)?/.*/program/librecentfile\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/.*/program/librecentfile\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib(64)?/.*/program/libsvx680li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/.*/program/libsvx680li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
@ -122,48 +122,48 @@ ifdef(`distro_redhat',`
|
|||||||
/usr/lib(64)?/thunderbird.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/thunderbird.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
|
||||||
# Fedora Extras packages: ladspa, imlib2, ocaml
|
# Fedora Extras packages: ladspa, imlib2, ocaml
|
||||||
/usr/lib/ladspa/analogue_osc_1416\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/ladspa/analogue_osc_1416\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/ladspa/bandpass_a_iir_1893\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/ladspa/bandpass_a_iir_1893\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/ladspa/bandpass_iir_1892\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/ladspa/bandpass_iir_1892\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/ladspa/butterworth_1902\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/ladspa/butterworth_1902\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/ladspa/fm_osc_1415\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/ladspa/fm_osc_1415\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/ladspa/gsm_1215\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/ladspa/gsm_1215\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/ladspa/gverb_1216\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/ladspa/gverb_1216\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/ladspa/hermes_filter_1200\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/ladspa/hermes_filter_1200\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/ladspa/highpass_iir_1890\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/ladspa/highpass_iir_1890\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/ladspa/lowpass_iir_1891\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/ladspa/lowpass_iir_1891\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/ladspa/notch_iir_1894\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/ladspa/notch_iir_1894\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/ladspa/pitch_scale_1193\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/ladspa/pitch_scale_1193\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/ladspa/pitch_scale_1194\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/ladspa/pitch_scale_1194\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/ladspa/sc1_1425\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/ladspa/sc1_1425\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/ladspa/sc2_1426\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/ladspa/sc2_1426\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/libImlib2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/libImlib2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/ocaml/stublibs/dllnums\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/ocaml/stublibs/dllnums\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/httpd/modules/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/httpd/modules/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/php/modules/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/php/modules/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
|
||||||
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
|
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
|
||||||
/usr/lib/xmms/Input/libmpg123\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/xmms/Input/libmpg123\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/libavformat-.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/libavformat-.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/libavcodec-.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/libavcodec-.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/libavutil-.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/libavutil-.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/libxvidcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/libxvidcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/xine/plugins/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/xine/plugins/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
|
||||||
# Flash plugin, Macromedia
|
# Flash plugin, Macromedia
|
||||||
HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
|
||||||
# Jai, Sun Microsystems (Jpackage SPRM)
|
# Jai, Sun Microsystems (Jpackage SPRM)
|
||||||
/usr/lib/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/libdivxdecore.so.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/libdivxdecore.so.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/libdivxencore.so.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/libdivxencore.so.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
|
||||||
# Java, Sun Microsystems (JPackage SRPM)
|
# Java, Sun Microsystems (JPackage SRPM)
|
||||||
/usr/.*/jre/lib/i386/libdeploy.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/.*/jre/lib/i386/libdeploy.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
@ -175,7 +175,7 @@ HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textre
|
|||||||
') dnl end distro_redhat
|
') dnl end distro_redhat
|
||||||
|
|
||||||
ifdef(`distro_suse',`
|
ifdef(`distro_suse',`
|
||||||
/usr/lib/samba/classic/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
|
/usr/lib(64)?/samba/classic/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
|
||||||
')
|
')
|
||||||
|
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(libraries,1.1.2)
|
policy_module(libraries,1.1.3)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(locallogin,1.0.1)
|
policy_module(locallogin,1.0.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -165,6 +165,7 @@ userdom_spec_domtrans_all_users(local_login_t)
|
|||||||
userdom_signal_all_users(local_login_t)
|
userdom_signal_all_users(local_login_t)
|
||||||
userdom_search_all_users_home(local_login_t)
|
userdom_search_all_users_home(local_login_t)
|
||||||
userdom_use_unpriv_users_fd(local_login_t)
|
userdom_use_unpriv_users_fd(local_login_t)
|
||||||
|
userdom_sigchld_all_users(local_login_t)
|
||||||
|
|
||||||
# Search for mail spool file.
|
# Search for mail spool file.
|
||||||
mta_getattr_spool(local_login_t)
|
mta_getattr_spool(local_login_t)
|
||||||
|
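Review bot: The new `userdom_sigchld_all_users(local_login_t)` line carries no comment saying which scenario makes local_login_t the parent-signalling side of a SIGCHLD to a user domain; SIGCHLD normally flows from the exiting child to its parent, so the direction here is non-obvious and a maintainer cannot tell whether this should be an allow or merely a dontaudit of harmless noise. I would add `# local_login_t delivers SIGCHLD to the user domain when a process it spawned exits; needed for <scenario> (see avc denial)` above the line, filling in the actual denial that motivated it. If the motivating denial was only audit noise, `userdom_dontaudit_*` would be the tighter choice, but that cannot be judged from the hunk alone.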
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(unconfined,1.1.3)
|
policy_module(unconfined,1.1.4)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -125,6 +125,10 @@ ifdef(`targeted_policy',`
|
|||||||
samba_domtrans_winbind_helper(unconfined_t)
|
samba_domtrans_winbind_helper(unconfined_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`sendmail',`
|
||||||
|
sendmail_domtrans(unconfined_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`su',`
|
optional_policy(`su',`
|
||||||
su_per_userdomain_template(sysadm,unconfined_t,system_r)
|
su_per_userdomain_template(sysadm,unconfined_t,system_r)
|
||||||
')
|
')
|
||||||
|
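Review bot: The new `optional_policy(`sendmail',` block makes unconfined_t leave its unconfined domain and transition into the sendmail domain on exec, but nothing records why that confinement is wanted here, and — unlike the `samba_domtrans_winbind_helper` rule above it, which the hunk header places inside `ifdef(`targeted_policy',`)` — it applies to every policy variant. A one-line comment such as `# run sendmail confined even when invoked from an unconfined login shell or cron job` above the block would document the intent for the next person who sees mail submission behave differently from other programs run by unconfined_t. If the transition was meant only for the targeted policy, the block should move inside the ifdef; that cannot be determined from the hunk.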
@ -2,8 +2,8 @@
|
|||||||
# temporary hack till genhomedircon is fixed
|
# temporary hack till genhomedircon is fixed
|
||||||
ifdef(`targeted_policy',`
|
ifdef(`targeted_policy',`
|
||||||
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0)
|
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0)
|
||||||
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
|
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
|
||||||
',`
|
',`
|
||||||
HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0)
|
HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-s15:c0.c255)
|
||||||
HOME_DIR/.+ gen_context(system_u:object_r:ROLE_home_t,s0)
|
HOME_DIR/.+ gen_context(system_u:object_r:ROLE_home_t,s0)
|
||||||
')
|
')
|
||||||
|
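Review bot: The MLS range on the new `HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-s15:c0.c255)` line hard-codes the number of sensitivities and categories, so a policy built with a different MLS_SENS/MLS_CATS configuration would label home directories with a range that does not exist or is not system-high; refpolicy normally expresses this with the build-derived macro, i.e. `HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0 - mls_systemhigh)`, assuming that macro is available in this tree. The contents pattern `HOME_DIR/.+` is left at `s0`, which is presumably fine since files are created at the creating process's level, but a short comment above the strict-policy branch explaining that only the directory needs the full range (so users at any level can create entries in it) would make the asymmetry intentional rather than accidental. The targeted-policy branch is unchanged, which is consistent with it not using MLS ranges.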
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(userdomain,1.1.3)
|
policy_module(userdomain,1.1.4)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
role sysadm_r, staff_r, user_r, secadm_r;
|
role sysadm_r, staff_r, user_r, secadm_r;
|
||||||
|