- Fix to add xguest account when inititial install
- Allow mono, java, wine to run in userdomains
This commit is contained in:
parent
c67a1217e2
commit
a9d4b80f50
@ -1618,7 +1618,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.0.8/policy/modules/apps/mono.if
|
||||
--- nsaserefpolicy/policy/modules/apps/mono.if 2007-05-29 14:10:48.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/apps/mono.if 2007-09-20 08:56:35.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/apps/mono.if 2007-09-20 11:42:05.000000000 -0400
|
||||
@@ -18,3 +18,102 @@
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, mono_exec_t, mono_t)
|
||||
@ -1714,7 +1714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if
|
||||
+
|
||||
+ userdom_unpriv_usertype($1, $1_mono_t)
|
||||
+
|
||||
+ allow $1_mono_t self:process { execheap execmem };
|
||||
+ allow $1_mono_t self:process { signal getsched execheap execmem };
|
||||
+
|
||||
+ domtrans_pattern($2, mono_exec_t, $1_mono_t)
|
||||
+
|
||||
@ -1724,7 +1724,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.0.8/policy/modules/apps/mono.te
|
||||
--- nsaserefpolicy/policy/modules/apps/mono.te 2007-05-29 14:10:48.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/apps/mono.te 2007-09-17 16:20:18.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/apps/mono.te 2007-09-20 11:41:50.000000000 -0400
|
||||
@@ -15,7 +15,7 @@
|
||||
# Local policy
|
||||
#
|
||||
|
||||
-allow mono_t self:process { execheap execmem };
|
||||
+allow mono_t self:process { signal getsched execheap execmem };
|
||||
|
||||
userdom_generic_user_home_dir_filetrans_generic_user_home_content(mono_t,{ dir file lnk_file fifo_file sock_file })
|
||||
|
||||
@@ -46,3 +46,7 @@
|
||||
unconfined_dbus_chat(mono_t)
|
||||
unconfined_dbus_connect(mono_t)
|
||||
@ -4206,6 +4215,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audi
|
||||
dev_read_sound(entropyd_t)
|
||||
|
||||
fs_getattr_all_fs(entropyd_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.0.8/policy/modules/services/automount.if
|
||||
--- nsaserefpolicy/policy/modules/services/automount.if 2007-05-29 14:10:57.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/automount.if 2007-09-20 11:17:32.000000000 -0400
|
||||
@@ -74,3 +74,21 @@
|
||||
|
||||
dontaudit $1 automount_tmp_t:dir getattr;
|
||||
')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Do not audit attempts to file descriptors for automount.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain to not audit.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`automount_dontaudit_use_fds',`
|
||||
+ gen_require(`
|
||||
+ type automount_t;
|
||||
+ ')
|
||||
+
|
||||
+ dontaudit $1 automount_t:fd use;
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.0.8/policy/modules/services/automount.te
|
||||
--- nsaserefpolicy/policy/modules/services/automount.te 2007-07-25 10:37:42.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/automount.te 2007-09-17 16:20:18.000000000 -0400
|
||||
@ -5150,7 +5184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
||||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.0.8/policy/modules/services/dbus.if
|
||||
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-07-03 07:06:27.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/dbus.if 2007-09-17 16:20:18.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/dbus.if 2007-09-20 12:01:41.000000000 -0400
|
||||
@@ -50,6 +50,12 @@
|
||||
## </param>
|
||||
#
|
||||
@ -5172,7 +5206,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
||||
allow $1_dbusd_t self:file { getattr read write };
|
||||
allow $1_dbusd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow $1_dbusd_t self:dbus { send_msg acquire_svc };
|
||||
@@ -135,6 +142,19 @@
|
||||
@@ -135,7 +142,21 @@
|
||||
selinux_compute_relabel_context($1_dbusd_t)
|
||||
selinux_compute_user_contexts($1_dbusd_t)
|
||||
|
||||
@ -5190,9 +5224,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
||||
+ userdom_read_user_home_content_files($1, $1_dbusd_t)
|
||||
+
|
||||
auth_read_pam_console_data($1_dbusd_t)
|
||||
+ auth_use_nsswitch($1_dbusd_t)
|
||||
|
||||
libs_use_ld_so($1_dbusd_t)
|
||||
@@ -193,6 +213,7 @@
|
||||
libs_use_shared_libs($1_dbusd_t)
|
||||
@@ -193,6 +214,7 @@
|
||||
gen_require(`
|
||||
type system_dbusd_t, system_dbusd_t;
|
||||
type system_dbusd_var_run_t;
|
||||
@ -5200,7 +5236,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
||||
class dbus send_msg;
|
||||
')
|
||||
|
||||
@@ -202,9 +223,12 @@
|
||||
@@ -202,9 +224,12 @@
|
||||
# SE-DBus specific permissions
|
||||
allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
|
||||
|
||||
@ -5213,7 +5249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -271,6 +295,32 @@
|
||||
@@ -271,6 +296,32 @@
|
||||
allow $2 $1_dbusd_t:dbus send_msg;
|
||||
')
|
||||
|
||||
@ -5246,7 +5282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
||||
########################################
|
||||
## <summary>
|
||||
## Read dbus configuration.
|
||||
@@ -286,6 +336,7 @@
|
||||
@@ -286,6 +337,7 @@
|
||||
type dbusd_etc_t;
|
||||
')
|
||||
|
||||
@ -5254,7 +5290,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
||||
allow $1 dbusd_etc_t:file read_file_perms;
|
||||
')
|
||||
|
||||
@@ -346,3 +397,23 @@
|
||||
@@ -346,3 +398,23 @@
|
||||
|
||||
allow $1 system_dbusd_t:dbus *;
|
||||
')
|
||||
@ -5280,7 +5316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.0.8/policy/modules/services/dbus.te
|
||||
--- nsaserefpolicy/policy/modules/services/dbus.te 2007-07-25 10:37:42.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/dbus.te 2007-09-17 16:20:18.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/dbus.te 2007-09-20 12:01:29.000000000 -0400
|
||||
@@ -23,6 +23,9 @@
|
||||
type system_dbusd_var_run_t;
|
||||
files_pid_file(system_dbusd_var_run_t)
|
||||
@ -7986,7 +8022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
|
||||
## <param name="domain">
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.8/policy/modules/services/rpc.te
|
||||
--- nsaserefpolicy/policy/modules/services/rpc.te 2007-07-25 10:37:42.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/rpc.te 2007-09-17 16:20:18.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/rpc.te 2007-09-20 11:18:24.000000000 -0400
|
||||
@@ -59,10 +59,14 @@
|
||||
manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
|
||||
files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
|
||||
@ -8002,7 +8038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
|
||||
|
||||
fs_list_rpc(rpcd_t)
|
||||
fs_read_rpc_files(rpcd_t)
|
||||
@@ -76,9 +80,11 @@
|
||||
@@ -76,9 +80,16 @@
|
||||
miscfiles_read_certs(rpcd_t)
|
||||
|
||||
seutil_dontaudit_search_config(rpcd_t)
|
||||
@ -8011,10 +8047,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
|
||||
optional_policy(`
|
||||
nis_read_ypserv_config(rpcd_t)
|
||||
+ nis_use_ypbind(rpcd_t)
|
||||
+')
|
||||
+
|
||||
+# automount -> mount -> rpcd
|
||||
+optional_policy(`
|
||||
+ automount_dontaudit_use_fds(rpcd_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -91,9 +97,13 @@
|
||||
@@ -91,9 +102,13 @@
|
||||
allow nfsd_t exports_t:file { getattr read };
|
||||
allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
|
||||
|
||||
@ -8028,7 +8069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
|
||||
|
||||
corenet_tcp_bind_all_rpc_ports(nfsd_t)
|
||||
corenet_udp_bind_all_rpc_ports(nfsd_t)
|
||||
@@ -123,6 +133,7 @@
|
||||
@@ -123,6 +138,7 @@
|
||||
tunable_policy(`nfs_export_all_rw',`
|
||||
fs_read_noxattr_fs_files(nfsd_t)
|
||||
auth_manage_all_files_except_shadow(nfsd_t)
|
||||
@ -8036,7 +8077,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
|
||||
')
|
||||
|
||||
tunable_policy(`nfs_export_all_ro',`
|
||||
@@ -143,6 +154,9 @@
|
||||
@@ -143,6 +159,9 @@
|
||||
manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t)
|
||||
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
|
||||
|
||||
@ -8046,7 +8087,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
|
||||
kernel_read_network_state(gssd_t)
|
||||
kernel_read_network_state_symlinks(gssd_t)
|
||||
kernel_search_network_sysctl(gssd_t)
|
||||
@@ -158,6 +172,9 @@
|
||||
@@ -158,6 +177,9 @@
|
||||
|
||||
miscfiles_read_certs(gssd_t)
|
||||
|
||||
@ -9489,7 +9530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-07-03 07:06:27.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-09-20 10:52:36.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-09-20 12:07:15.000000000 -0400
|
||||
@@ -126,6 +126,8 @@
|
||||
# read events - the synaptics touchpad driver reads raw events
|
||||
dev_rw_input_dev($1_xserver_t)
|
||||
@ -9512,7 +9553,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
term_setattr_unallocated_ttys($1_xserver_t)
|
||||
term_use_unallocated_ttys($1_xserver_t)
|
||||
|
||||
@@ -353,12 +356,6 @@
|
||||
@@ -282,6 +285,7 @@
|
||||
domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
|
||||
|
||||
allow $1_xserver_t $1_xauth_home_t:file { getattr read };
|
||||
+ allow xdm_t $1_xauth_home_t:file append_file_perms;
|
||||
|
||||
domtrans_pattern($2, xserver_exec_t, $1_xserver_t)
|
||||
allow $1_xserver_t $2:process signal;
|
||||
@@ -353,12 +357,6 @@
|
||||
# allow ps to show xauth
|
||||
ps_process_pattern($2,$1_xauth_t)
|
||||
|
||||
@ -9525,7 +9574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
domain_use_interactive_fds($1_xauth_t)
|
||||
|
||||
files_read_etc_files($1_xauth_t)
|
||||
@@ -387,6 +384,14 @@
|
||||
@@ -387,6 +385,14 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -9540,16 +9589,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
nis_use_ypbind($1_xauth_t)
|
||||
')
|
||||
|
||||
@@ -537,16 +542,14 @@
|
||||
@@ -537,16 +543,14 @@
|
||||
|
||||
gen_require(`
|
||||
type xdm_t, xdm_tmp_t;
|
||||
- type $1_xauth_home_t, $1_iceauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t;
|
||||
')
|
||||
|
||||
allow $2 self:shm create_shm_perms;
|
||||
allow $2 self:unix_dgram_socket create_socket_perms;
|
||||
allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
- allow $2 self:shm create_shm_perms;
|
||||
- allow $2 self:unix_dgram_socket create_socket_perms;
|
||||
- allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
+ allow $2 $2:shm create_shm_perms;
|
||||
+ allow $2 $2:unix_dgram_socket create_socket_perms;
|
||||
+ allow $2 $2:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
|
||||
- # Read .Xauthority file
|
||||
- allow $2 $1_xauth_home_t:file { getattr read };
|
||||
@ -9559,7 +9611,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
|
||||
# for when /tmp/.X11-unix is created by the system
|
||||
allow $2 xdm_t:fd use;
|
||||
@@ -555,25 +558,52 @@
|
||||
@@ -555,25 +559,52 @@
|
||||
allow $2 xdm_tmp_t:sock_file { read write };
|
||||
dontaudit $2 xdm_t:tcp_socket { read write };
|
||||
|
||||
@ -9620,7 +9672,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
')
|
||||
')
|
||||
|
||||
@@ -626,6 +656,24 @@
|
||||
@@ -626,6 +657,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -9645,7 +9697,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
## Transition to a user Xauthority domain.
|
||||
## </summary>
|
||||
## <desc>
|
||||
@@ -659,6 +707,73 @@
|
||||
@@ -659,6 +708,73 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -9719,7 +9771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
## Transition to a user Xauthority domain.
|
||||
## </summary>
|
||||
## <desc>
|
||||
@@ -927,6 +1042,7 @@
|
||||
@@ -927,6 +1043,7 @@
|
||||
files_search_tmp($1)
|
||||
allow $1 xdm_tmp_t:dir list_dir_perms;
|
||||
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
|
||||
@ -9727,7 +9779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -987,6 +1103,37 @@
|
||||
@@ -987,6 +1104,37 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -9765,7 +9817,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
## Make an X session script an entrypoint for the specified domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1136,7 +1283,7 @@
|
||||
@@ -1136,7 +1284,7 @@
|
||||
type xdm_xserver_tmp_t;
|
||||
')
|
||||
|
||||
@ -9774,7 +9826,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1325,3 +1472,62 @@
|
||||
@@ -1325,3 +1473,62 @@
|
||||
files_search_tmp($1)
|
||||
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
|
||||
')
|
||||
@ -10057,7 +10109,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
||||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
|
||||
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-08-22 07:14:13.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-09-20 09:08:43.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-09-20 11:14:45.000000000 -0400
|
||||
@@ -26,7 +26,8 @@
|
||||
type $1_chkpwd_t, can_read_shadow_passwords;
|
||||
application_domain($1_chkpwd_t,chkpwd_exec_t)
|
||||
@ -10088,7 +10140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
||||
|
||||
domain_type($1)
|
||||
domain_subj_id_change_exemption($1)
|
||||
@@ -176,11 +177,23 @@
|
||||
@@ -176,11 +177,24 @@
|
||||
domain_obj_id_change_exemption($1)
|
||||
role system_r types $1;
|
||||
|
||||
@ -10098,6 +10150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
||||
+
|
||||
+ auth_keyring_domain($1)
|
||||
+ allow $1 keyring_type:key { search link };
|
||||
+ auth_domtrans_chk_passwd($1)
|
||||
+
|
||||
+ files_list_var_lib($1)
|
||||
+ manage_files_pattern($1, var_auth_t, var_auth_t)
|
||||
@ -10112,7 +10165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
||||
selinux_get_fs_mount($1)
|
||||
selinux_validate_context($1)
|
||||
selinux_compute_access_vector($1)
|
||||
@@ -196,22 +209,33 @@
|
||||
@@ -196,22 +210,33 @@
|
||||
mls_fd_share_all_levels($1)
|
||||
|
||||
auth_domtrans_chk_passwd($1)
|
||||
@ -10147,7 +10200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
||||
')
|
||||
')
|
||||
|
||||
@@ -309,9 +333,6 @@
|
||||
@@ -309,9 +334,6 @@
|
||||
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
|
||||
')
|
||||
|
||||
@ -10157,7 +10210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
|
||||
|
||||
@@ -329,6 +350,7 @@
|
||||
@@ -329,6 +351,7 @@
|
||||
|
||||
optional_policy(`
|
||||
kerberos_use($1)
|
||||
@ -10165,7 +10218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -347,6 +369,37 @@
|
||||
@@ -347,6 +370,37 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -10203,7 +10256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
||||
## Get the attributes of the shadow passwords file.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -695,6 +748,24 @@
|
||||
@@ -695,6 +749,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -10228,7 +10281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
||||
## Execute pam programs in the PAM domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1318,14 +1389,9 @@
|
||||
@@ -1318,14 +1390,9 @@
|
||||
## </param>
|
||||
#
|
||||
interface(`auth_use_nsswitch',`
|
||||
@ -10243,7 +10296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
||||
files_list_var_lib($1)
|
||||
|
||||
miscfiles_read_certs($1)
|
||||
@@ -1381,3 +1447,163 @@
|
||||
@@ -1381,3 +1448,163 @@
|
||||
typeattribute $1 can_write_shadow_passwords;
|
||||
typeattribute $1 can_relabelto_shadow_passwords;
|
||||
')
|
||||
@ -12135,7 +12188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
||||
#
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.0.8/policy/modules/system/selinuxutil.if
|
||||
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-05-30 11:47:29.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.if 2007-09-20 09:37:08.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.if 2007-09-20 11:56:27.000000000 -0400
|
||||
@@ -432,6 +432,7 @@
|
||||
role $2 types run_init_t;
|
||||
allow run_init_t $3:chr_file rw_term_perms;
|
||||
@ -12249,7 +12302,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
||||
## Full management of the semanage
|
||||
## module store.
|
||||
## </summary>
|
||||
@@ -1058,3 +1134,124 @@
|
||||
@@ -1058,3 +1134,133 @@
|
||||
files_search_etc($1)
|
||||
rw_files_pattern($1,selinux_config_t,semanage_trans_lock_t)
|
||||
')
|
||||
@ -12300,6 +12353,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
||||
+ corecmd_search_bin($2)
|
||||
+ domtrans_pattern($2,setsebool_exec_t,$1_setsebool_t)
|
||||
+ seutil_semanage_policy($1_setsebool_t)
|
||||
+
|
||||
+ # Need to define per type booleans
|
||||
+ selinux_set_boolean($1_setsebool_t)
|
||||
+
|
||||
+ # Bug in semanage
|
||||
+ seutil_domtrans_setfiles($1_setsebool_t)
|
||||
+ seutil_manage_file_contexts($1_setsebool_t)
|
||||
+ seutil_manage_default_contexts($1_setsebool_t)
|
||||
+ seutil_manage_selinux_config($1_setsebool_t)
|
||||
+')
|
||||
+
|
||||
+#######################################
|
||||
@ -12376,7 +12438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.8/policy/modules/system/selinuxutil.te
|
||||
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-09-12 10:34:51.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te 2007-09-20 09:31:29.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te 2007-09-20 11:55:54.000000000 -0400
|
||||
@@ -76,7 +76,6 @@
|
||||
type restorecond_exec_t;
|
||||
init_daemon_domain(restorecond_t,restorecond_exec_t)
|
||||
@ -12506,7 +12568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
||||
auth_dontaudit_read_shadow(run_init_t)
|
||||
|
||||
corecmd_exec_bin(run_init_t)
|
||||
@@ -423,77 +426,50 @@
|
||||
@@ -423,77 +426,53 @@
|
||||
nscd_socket_use(run_init_t)
|
||||
')
|
||||
|
||||
@ -12520,6 +12582,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
||||
+selinux_set_boolean(setsebool_t)
|
||||
+# Bug in semanage
|
||||
+seutil_domtrans_setfiles(setsebool_t)
|
||||
+seutil_manage_file_contexts(setsebool_t)
|
||||
+seutil_manage_default_contexts(setsebool_t)
|
||||
+seutil_manage_selinux_config(setsebool_t)
|
||||
|
||||
-allow semanage_t self:capability { dac_override audit_write };
|
||||
-allow semanage_t self:unix_stream_socket create_stream_socket_perms;
|
||||
@ -12610,7 +12675,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
||||
# cjp: need a more general way to handle this:
|
||||
ifdef(`enable_mls',`
|
||||
# read secadm tmp files
|
||||
@@ -521,6 +497,8 @@
|
||||
@@ -521,6 +500,8 @@
|
||||
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
|
||||
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
|
||||
|
||||
@ -12619,7 +12684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
||||
kernel_read_system_state(setfiles_t)
|
||||
kernel_relabelfrom_unlabeled_dirs(setfiles_t)
|
||||
kernel_relabelfrom_unlabeled_files(setfiles_t)
|
||||
@@ -537,6 +515,7 @@
|
||||
@@ -537,6 +518,7 @@
|
||||
|
||||
fs_getattr_xattr_fs(setfiles_t)
|
||||
fs_list_all(setfiles_t)
|
||||
@ -12627,7 +12692,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
||||
fs_search_auto_mountpoints(setfiles_t)
|
||||
fs_relabelfrom_noxattr_fs(setfiles_t)
|
||||
|
||||
@@ -592,6 +571,10 @@
|
||||
@@ -592,6 +574,10 @@
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
optional_policy(`
|
||||
@ -13163,7 +13228,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-20 10:55:37.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-20 12:06:52.000000000 -0400
|
||||
@@ -29,8 +29,9 @@
|
||||
')
|
||||
|
||||
@ -13503,26 +13568,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
- # Needed for escd, remove if we get escd policy
|
||||
- xserver_manage_xdm_tmp_files($1_t)
|
||||
- ')
|
||||
+ dev_rw_xserver_misc($1_t)
|
||||
+ dev_rw_power_management($1_t)
|
||||
+ dev_read_input($1_t)
|
||||
+ dev_read_misc($1_t)
|
||||
+ dev_write_misc($1_t)
|
||||
+ dev_rw_xserver_misc($1_usertype)
|
||||
+ dev_rw_power_management($1_usertype)
|
||||
+ dev_read_input($1_usertype)
|
||||
+ dev_read_misc($1_usertype)
|
||||
+ dev_write_misc($1_usertype)
|
||||
+ # open office is looking for the following
|
||||
+ dev_getattr_agp_dev($1_t)
|
||||
+ dev_dontaudit_rw_dri($1_t)
|
||||
+ dev_getattr_agp_dev($1_usertype)
|
||||
+ dev_dontaudit_rw_dri($1_usertype)
|
||||
+ # GNOME checks for usb and other devices:
|
||||
+ dev_rw_usbfs($1_t)
|
||||
+ xserver_user_client_template($1,$1_t,$1_tmpfs_t)
|
||||
+ xserver_xsession_entry_type($1_t)
|
||||
+ xserver_dontaudit_write_log($1_t)
|
||||
+ xserver_stream_connect_xdm($1_t)
|
||||
+ dev_rw_usbfs($1_usertype)
|
||||
+ xserver_user_client_template($1,$1_usertype,$1_tmpfs_t)
|
||||
+ xserver_xsession_entry_type($1_usertype)
|
||||
+ xserver_dontaudit_write_log($1_usertype)
|
||||
+ xserver_stream_connect_xdm($1_usertype)
|
||||
+ # certain apps want to read xdm.pid file
|
||||
+ xserver_read_xdm_pid($1_t)
|
||||
+ xserver_read_xdm_pid($1_usertype)
|
||||
+ # gnome-session creates socket under /tmp/.ICE-unix/
|
||||
+ xserver_create_xdm_tmp_sockets($1_t)
|
||||
+ xserver_create_xdm_tmp_sockets($1_usertype)
|
||||
+ # Needed for escd, remove if we get escd policy
|
||||
+ xserver_manage_xdm_tmp_files($1_t)
|
||||
+ xserver_manage_xdm_tmp_files($1_usertype)
|
||||
')
|
||||
|
||||
#######################################
|
||||
@ -14056,10 +14121,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
|
||||
kernel_read_software_raid_state($1_t)
|
||||
kernel_getattr_core_if($1_t)
|
||||
@@ -1902,6 +1987,41 @@
|
||||
@@ -1894,10 +1979,46 @@
|
||||
template(`userdom_manage_user_home_content_dirs',`
|
||||
gen_require(`
|
||||
type $1_home_dir_t, $1_home_t;
|
||||
+ attribute user_home_type;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
files_search_home($2)
|
||||
- manage_dirs_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
|
||||
+ manage_dirs_pattern($2,{ $1_home_dir_t user_home_type },$1_home_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## dontaudit attemps to Create files
|
||||
+## in a user home subdirectory.
|
||||
+## </summary>
|
||||
@ -14091,14 +14166,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
+ ')
|
||||
+
|
||||
+ dontaudit $2 $1_home_dir_t:file create;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Do not audit attempts to set the
|
||||
## attributes of user home files.
|
||||
## </summary>
|
||||
@@ -3078,7 +3198,7 @@
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -3078,7 +3199,7 @@
|
||||
#
|
||||
template(`userdom_tmp_filetrans_user_tmp',`
|
||||
gen_require(`
|
||||
@ -14107,7 +14178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
files_tmp_filetrans($2,$1_tmp_t,$3)
|
||||
@@ -4615,6 +4735,24 @@
|
||||
@@ -4615,6 +4736,24 @@
|
||||
files_list_home($1)
|
||||
allow $1 home_dir_type:dir search_dir_perms;
|
||||
')
|
||||
@ -14132,7 +14203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@@ -4633,6 +4771,14 @@
|
||||
@@ -4633,6 +4772,14 @@
|
||||
|
||||
files_list_home($1)
|
||||
allow $1 home_dir_type:dir list_dir_perms;
|
||||
@ -14147,7 +14218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -5323,7 +5469,7 @@
|
||||
@@ -5323,7 +5470,7 @@
|
||||
attribute user_tmpfile;
|
||||
')
|
||||
|
||||
@ -14156,7 +14227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -5559,3 +5705,375 @@
|
||||
@@ -5559,3 +5706,375 @@
|
||||
interface(`userdom_unconfined',`
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
@ -17,7 +17,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.0.8
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -364,6 +364,7 @@ exit 0
|
||||
%changelog
|
||||
* Wed Sep 19 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-4
|
||||
- Fix to add xguest account when inititial install
|
||||
- Allow mono, java, wine to run in userdomains
|
||||
|
||||
* Wed Sep 19 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-3
|
||||
- Allow xserver to search devpts_t
|
||||
|
Loading…
Reference in New Issue
Block a user