Daniel J Walsh
parent
8866315d40
commit
a9f0953822
|
|
@ -173,3 +173,4 @@ serefpolicy-3.6.15.tgz
|
|||
serefpolicy-3.6.16.tgz
|
||||
serefpolicy-3.6.17.tgz
|
||||
serefpolicy-3.6.18.tgz
|
||||
serefpolicy-3.6.19.tgz
|
||||
|
|
|
|||
547
policy-F12.patch
547
policy-F12.patch
|
|
@ -1,3 +1,14 @@
|
|||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Changelog serefpolicy-3.6.18/Changelog
|
||||
--- nsaserefpolicy/Changelog 2009-06-22 17:07:19.000000000 -0400
|
||||
+++ serefpolicy-3.6.18/Changelog 2009-06-20 06:26:58.000000000 -0400
|
||||
@@ -29,7 +29,6 @@
|
||||
pingd (Dan Walsh)
|
||||
psad (Dan Walsh)
|
||||
portreserve (Dan Walsh)
|
||||
- sssd (Dan Walsh)
|
||||
ulogd (Dan Walsh)
|
||||
webadm (Dan Walsh)
|
||||
xguest (Dan Walsh)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.6.18/config/appconfig-mcs/default_contexts
|
||||
--- nsaserefpolicy/config/appconfig-mcs/default_contexts 2008-11-11 16:13:50.000000000 -0500
|
||||
+++ serefpolicy-3.6.18/config/appconfig-mcs/default_contexts 2009-06-20 06:49:47.000000000 -0400
|
||||
|
|
@ -742,13 +753,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
miscfiles_read_localization(readahead_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.18/policy/modules/admin/rpm.fc
|
||||
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2008-08-07 11:15:13.000000000 -0400
|
||||
+++ serefpolicy-3.6.18/policy/modules/admin/rpm.fc 2009-06-20 06:55:20.000000000 -0400
|
||||
@@ -9,9 +9,12 @@
|
||||
/usr/lib(64)?/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
|
||||
+++ serefpolicy-3.6.18/policy/modules/admin/rpm.fc 2009-06-22 16:05:55.000000000 -0400
|
||||
@@ -4,14 +4,12 @@
|
||||
|
||||
/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
|
||||
-/usr/lib(64)?/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0)
|
||||
-/usr/lib(64)?/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
|
||||
-/usr/lib(64)?/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0)
|
||||
-/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
|
||||
+/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
+
|
||||
|
||||
/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
-
|
||||
|
|
@ -757,7 +772,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
/usr/share/yumex/yumex -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
@@ -21,15 +24,22 @@
|
||||
@@ -21,15 +19,22 @@
|
||||
/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
|
|
@ -5380,7 +5395,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+corecmd_executable_file(wm_exec_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.18/policy/modules/kernel/corecommands.fc
|
||||
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-06-12 09:08:48.000000000 -0400
|
||||
+++ serefpolicy-3.6.18/policy/modules/kernel/corecommands.fc 2009-06-20 06:49:47.000000000 -0400
|
||||
+++ serefpolicy-3.6.18/policy/modules/kernel/corecommands.fc 2009-06-22 16:05:49.000000000 -0400
|
||||
@@ -139,6 +139,9 @@
|
||||
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
||||
')
|
||||
|
|
@ -5762,18 +5777,43 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
type lvm_control_t;
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.18/policy/modules/kernel/domain.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/domain.if 2009-06-12 09:08:48.000000000 -0400
|
||||
+++ serefpolicy-3.6.18/policy/modules/kernel/domain.if 2009-06-20 06:49:47.000000000 -0400
|
||||
@@ -65,7 +65,8 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+++ serefpolicy-3.6.18/policy/modules/kernel/domain.if 2009-06-22 17:30:27.000000000 -0400
|
||||
@@ -44,34 +44,6 @@
|
||||
interface(`domain_type',`
|
||||
# start with basic domain
|
||||
domain_base_type($1)
|
||||
-
|
||||
- ifdef(`distro_redhat',`
|
||||
- optional_policy(`
|
||||
- unconfined_use_fds($1)
|
||||
- ')
|
||||
- ')
|
||||
-
|
||||
- # send init a sigchld and signull
|
||||
- optional_policy(`
|
||||
- init_sigchld($1)
|
||||
- init_signull($1)
|
||||
- ')
|
||||
-
|
||||
- # these seem questionable:
|
||||
-
|
||||
- optional_policy(`
|
||||
- rpm_use_fds($1)
|
||||
- rpm_read_pipes($1)
|
||||
- ')
|
||||
-
|
||||
- optional_policy(`
|
||||
- selinux_dontaudit_getattr_fs($1)
|
||||
+ selinux_getattr_fs($1)
|
||||
+ selinux_search_fs($1)
|
||||
selinux_dontaudit_read_fs($1)
|
||||
')
|
||||
- selinux_dontaudit_read_fs($1)
|
||||
- ')
|
||||
-
|
||||
- optional_policy(`
|
||||
- seutil_dontaudit_read_config($1)
|
||||
- ')
|
||||
')
|
||||
|
||||
@@ -1248,18 +1249,34 @@
|
||||
########################################
|
||||
@@ -1248,18 +1220,34 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
|
@ -5811,7 +5851,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
## Allow specified type to receive labeled
|
||||
## networking packets from all domains, over
|
||||
## all protocols (TCP, UDP, etc)
|
||||
@@ -1280,6 +1297,24 @@
|
||||
@@ -1280,6 +1268,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -5838,7 +5878,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
## <param name="domain">
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.18/policy/modules/kernel/domain.te
|
||||
--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-06-12 09:08:48.000000000 -0400
|
||||
+++ serefpolicy-3.6.18/policy/modules/kernel/domain.te 2009-06-20 06:49:47.000000000 -0400
|
||||
+++ serefpolicy-3.6.18/policy/modules/kernel/domain.te 2009-06-22 17:32:55.000000000 -0400
|
||||
@@ -5,6 +5,13 @@
|
||||
#
|
||||
# Declarations
|
||||
|
|
@ -5909,11 +5949,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
# Act upon any other process.
|
||||
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
|
||||
|
||||
@@ -153,3 +174,50 @@
|
||||
@@ -153,3 +174,73 @@
|
||||
|
||||
# receive from all domains over labeled networking
|
||||
domain_all_recvfrom_all_domains(unconfined_domain_type)
|
||||
+
|
||||
+selinux_getattr_fs(domain)
|
||||
+selinux_search_fs(domain)
|
||||
+selinux_dontaudit_read_fs(domain)
|
||||
+
|
||||
+seutil_dontaudit_read_config(domain)
|
||||
+
|
||||
+init_sigchld(domain)
|
||||
+init_signull(domain)
|
||||
+
|
||||
+ifdef(`distro_redhat',`
|
||||
+ optional_policy(`
|
||||
+ unconfined_use_fds(domain)
|
||||
+ ')
|
||||
+')
|
||||
+
|
||||
+# these seem questionable:
|
||||
+
|
||||
+optional_policy(`
|
||||
+ rpm_use_fds(domain)
|
||||
+ rpm_read_pipes(domain)
|
||||
+')
|
||||
+
|
||||
+
|
||||
+tunable_policy(`allow_domain_fd_use',`
|
||||
+ # Allow all domains to use fds past to them
|
||||
+ allow domain domain:fd use;
|
||||
|
|
@ -6512,7 +6575,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+permissive kernel_t;
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.6.18/policy/modules/kernel/selinux.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/selinux.if 2009-01-19 11:03:28.000000000 -0500
|
||||
+++ serefpolicy-3.6.18/policy/modules/kernel/selinux.if 2009-06-20 06:49:47.000000000 -0400
|
||||
+++ serefpolicy-3.6.18/policy/modules/kernel/selinux.if 2009-06-22 17:16:37.000000000 -0400
|
||||
@@ -40,7 +40,7 @@
|
||||
|
||||
# because of this statement, any module which
|
||||
|
|
@ -12744,8 +12807,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.18/policy/modules/services/devicekit.te
|
||||
--- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.18/policy/modules/services/devicekit.te 2009-06-20 06:49:47.000000000 -0400
|
||||
@@ -0,0 +1,235 @@
|
||||
+++ serefpolicy-3.6.18/policy/modules/services/devicekit.te 2009-06-21 08:58:27.000000000 -0400
|
||||
@@ -0,0 +1,237 @@
|
||||
+policy_module(devicekit,1.0.0)
|
||||
+
|
||||
+########################################
|
||||
|
|
@ -12893,6 +12956,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+
|
||||
+allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio };
|
||||
+allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
|
||||
+allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
+
|
||||
+manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
|
||||
+manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
|
||||
|
|
@ -12945,6 +13009,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ polkit_dbus_chat(devicekit_disk_t)
|
||||
+ polkit_domtrans_auth(devicekit_disk_t)
|
||||
+ polkit_read_lib(devicekit_disk_t)
|
||||
+ polkit_read_reload(devicekit_disk_t)
|
||||
|
|
@ -15087,6 +15152,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
|
||||
+manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.18/policy/modules/services/mysql.te
|
||||
--- nsaserefpolicy/policy/modules/services/mysql.te 2009-05-21 08:43:08.000000000 -0400
|
||||
+++ serefpolicy-3.6.18/policy/modules/services/mysql.te 2009-06-22 17:04:01.000000000 -0400
|
||||
@@ -136,6 +136,8 @@
|
||||
|
||||
domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
|
||||
|
||||
+allow mysqld_safe_t mysqld_var_run_t:sock_file unlink;
|
||||
+
|
||||
allow mysqld_safe_t mysqld_log_t:file manage_file_perms;
|
||||
logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
|
||||
|
||||
@@ -152,7 +154,7 @@
|
||||
|
||||
miscfiles_read_localization(mysqld_safe_t)
|
||||
|
||||
-mysql_append_db_files(mysqld_safe_t)
|
||||
+mysql_manage_db_files(mysqld_safe_t)
|
||||
mysql_read_config(mysqld_safe_t)
|
||||
mysql_search_pid_files(mysqld_safe_t)
|
||||
mysql_write_log(mysqld_safe_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.18/policy/modules/services/nagios.fc
|
||||
--- nsaserefpolicy/policy/modules/services/nagios.fc 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.6.18/policy/modules/services/nagios.fc 2009-06-20 06:49:47.000000000 -0400
|
||||
|
|
@ -22119,41 +22205,39 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.18/policy/modules/services/sssd.fc
|
||||
--- nsaserefpolicy/policy/modules/services/sssd.fc 1969-12-31 19:00:00.000000000 -0500
|
||||
--- nsaserefpolicy/policy/modules/services/sssd.fc 2009-06-22 17:07:19.000000000 -0400
|
||||
+++ serefpolicy-3.6.18/policy/modules/services/sssd.fc 2009-06-20 06:49:47.000000000 -0400
|
||||
@@ -0,0 +1,6 @@
|
||||
+
|
||||
+/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
|
||||
+
|
||||
@@ -1,6 +1,6 @@
|
||||
-/etc/rc.d/init.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
|
||||
|
||||
/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
|
||||
|
||||
-/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
|
||||
+/etc/rc.d/init.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
|
||||
+/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
|
||||
/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
|
||||
+/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.18/policy/modules/services/sssd.if
|
||||
--- nsaserefpolicy/policy/modules/services/sssd.if 1969-12-31 19:00:00.000000000 -0500
|
||||
--- nsaserefpolicy/policy/modules/services/sssd.if 2009-06-22 17:07:19.000000000 -0400
|
||||
+++ serefpolicy-3.6.18/policy/modules/services/sssd.if 2009-06-20 06:49:47.000000000 -0400
|
||||
@@ -0,0 +1,249 @@
|
||||
@@ -1,4 +1,5 @@
|
||||
-## <summary>System Security Services Daemon</summary>
|
||||
+
|
||||
+## <summary>policy for sssd</summary>
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute a domain transition to run sssd.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed to transition.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`sssd_domtrans',`
|
||||
+ gen_require(`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@@ -12,12 +13,32 @@
|
||||
#
|
||||
interface(`sssd_domtrans',`
|
||||
gen_require(`
|
||||
- type sssd_t, sssd_exec_t;
|
||||
+ type sssd_t;
|
||||
+ type sssd_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ domtrans_pattern($1,sssd_exec_t,sssd_t)
|
||||
+')
|
||||
+
|
||||
')
|
||||
|
||||
domtrans_pattern($1, sssd_exec_t, sssd_t)
|
||||
')
|
||||
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
|
|
@ -22173,106 +22257,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+ init_labeled_script_domtrans($1,sssd_initrc_exec_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read sssd PID files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`sssd_read_pid_files',`
|
||||
+ gen_require(`
|
||||
+ type sssd_var_run_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_pids($1)
|
||||
+ allow $1 sssd_var_run_t:file read_file_perms;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Manage sssd var_run files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
########################################
|
||||
## <summary>
|
||||
## Read sssd PID files.
|
||||
@@ -47,15 +68,17 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`sssd_manage_pids',`
|
||||
+interface(`sssd_manage_var_run',`
|
||||
+ gen_require(`
|
||||
+ type sssd_var_run_t;
|
||||
+ ')
|
||||
+
|
||||
+ manage_dirs_pattern($1,sssd_var_run_t,sssd_var_run_t)
|
||||
+ manage_files_pattern($1,sssd_var_run_t,sssd_var_run_t)
|
||||
gen_require(`
|
||||
type sssd_var_run_t;
|
||||
')
|
||||
|
||||
manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
|
||||
manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
|
||||
+ manage_lnk_files_pattern($1,sssd_var_run_t,sssd_var_run_t)
|
||||
+')
|
||||
')
|
||||
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Search sssd lib directories.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`sssd_search_lib',`
|
||||
+ gen_require(`
|
||||
+ type sssd_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 sssd_var_lib_t:dir search_dir_perms;
|
||||
+ files_search_var_lib($1)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read sssd lib files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`sssd_read_lib_files',`
|
||||
+ gen_require(`
|
||||
+ type sssd_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_var_lib($1)
|
||||
+ read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Create, read, write, and delete
|
||||
+## sssd lib files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`sssd_manage_lib_files',`
|
||||
+ gen_require(`
|
||||
+ type sssd_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_var_lib($1)
|
||||
+ manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
########################################
|
||||
## <summary>
|
||||
## Search sssd lib directories.
|
||||
@@ -116,6 +139,27 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## Manage sssd var_lib files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
|
|
@ -22294,125 +22304,58 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Send and receive messages from
|
||||
+## sssd over dbus.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`sssd_dbus_chat',`
|
||||
+ gen_require(`
|
||||
+ type sssd_t;
|
||||
+ class dbus send_msg;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 sssd_t:dbus send_msg;
|
||||
+ allow sssd_t $1:dbus send_msg;
|
||||
+')
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Connect to sssd over an unix stream socket.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`sssd_stream_connect',`
|
||||
+ gen_require(`
|
||||
+ type sssd_t, sssd_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_pids($1)
|
||||
## Send and receive messages from
|
||||
## sssd over dbus.
|
||||
## </summary>
|
||||
@@ -151,7 +196,8 @@
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
- stream_connect_pattern($1, sssd_var_lib_t, sssd_var_lib_t, sssd_t)
|
||||
+ write_sock_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
|
||||
+ allow $1 sssd_t:unix_stream_socket connectto;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## All of the rules required to administrate
|
||||
+## an sssd environment
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="role">
|
||||
+## <summary>
|
||||
+## The role to be allowed to manage the sssd domain.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="terminal">
|
||||
+## <summary>
|
||||
+## The type of the user terminal.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`sssd_admin',`
|
||||
+ gen_require(`
|
||||
+ type sssd_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 sssd_t:process { ptrace signal_perms getattr };
|
||||
+ read_files_pattern($1, sssd_t, sssd_t)
|
||||
+
|
||||
+
|
||||
+ gen_require(`
|
||||
+ type sssd_initrc_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ # Allow sssd_t to restart the apache service
|
||||
+ sssd_initrc_domtrans($1)
|
||||
+ domain_system_change_exemption($1)
|
||||
+ role_transition $2 sssd_initrc_exec_t system_r;
|
||||
+ allow $2 system_r;
|
||||
+
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -194,7 +241,9 @@
|
||||
role_transition $2 sssd_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
- sssd_manage_pids($1)
|
||||
+ sssd_manage_var_run($1)
|
||||
+
|
||||
+ sssd_manage_var_lib($1)
|
||||
+
|
||||
+')
|
||||
|
||||
- sssd_manage_lib_files($1)
|
||||
')
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.18/policy/modules/services/sssd.te
|
||||
--- nsaserefpolicy/policy/modules/services/sssd.te 1969-12-31 19:00:00.000000000 -0500
|
||||
--- nsaserefpolicy/policy/modules/services/sssd.te 2009-06-22 17:07:19.000000000 -0400
|
||||
+++ serefpolicy-3.6.18/policy/modules/services/sssd.te 2009-06-20 06:49:47.000000000 -0400
|
||||
@@ -0,0 +1,74 @@
|
||||
+policy_module(sssd,1.0.0)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# Declarations
|
||||
+#
|
||||
+
|
||||
+type sssd_t;
|
||||
+type sssd_exec_t;
|
||||
+init_daemon_domain(sssd_t, sssd_exec_t)
|
||||
+
|
||||
@@ -10,43 +9,54 @@
|
||||
type sssd_exec_t;
|
||||
init_daemon_domain(sssd_t, sssd_exec_t)
|
||||
|
||||
+permissive sssd_t;
|
||||
+
|
||||
+type sssd_initrc_exec_t;
|
||||
+init_script_file(sssd_initrc_exec_t)
|
||||
+
|
||||
+type sssd_var_run_t;
|
||||
+files_pid_file(sssd_var_run_t)
|
||||
+
|
||||
type sssd_initrc_exec_t;
|
||||
init_script_file(sssd_initrc_exec_t)
|
||||
|
||||
-type sssd_var_lib_t;
|
||||
-files_type(sssd_var_lib_t)
|
||||
-
|
||||
type sssd_var_run_t;
|
||||
files_pid_file(sssd_var_run_t)
|
||||
|
||||
+type sssd_var_lib_t;
|
||||
+files_type(sssd_var_lib_t)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# sssd local policy
|
||||
+#
|
||||
+allow sssd_t self:capability { sys_nice setuid };
|
||||
+allow sssd_t self:process { setsched signal getsched };
|
||||
########################################
|
||||
#
|
||||
# sssd local policy
|
||||
#
|
||||
allow sssd_t self:capability { sys_nice setuid };
|
||||
allow sssd_t self:process { setsched signal getsched };
|
||||
+allow sssd_t tmp_t:dir { read getattr open };
|
||||
+
|
||||
+# Init script handling
|
||||
|
|
@ -22420,45 +22363,39 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+
|
||||
+# internal communication is often done using fifo and unix sockets.
|
||||
+allow sssd_t self:process signal;
|
||||
+allow sssd_t self:fifo_file rw_file_perms;
|
||||
+allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
+
|
||||
+manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
|
||||
+manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
|
||||
+files_pid_filetrans(sssd_t,sssd_var_run_t, { file dir })
|
||||
+
|
||||
allow sssd_t self:fifo_file rw_file_perms;
|
||||
allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
|
||||
-manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
|
||||
-manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
|
||||
-manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
|
||||
-files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } )
|
||||
-
|
||||
manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
|
||||
manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
|
||||
files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
|
||||
|
||||
-kernel_read_system_state(sssd_t)
|
||||
+manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
|
||||
+manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
|
||||
+manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
|
||||
+files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } )
|
||||
+
|
||||
+corecmd_exec_bin(sssd_t)
|
||||
+
|
||||
+dev_read_urand(sssd_t)
|
||||
+
|
||||
|
||||
corecmd_exec_bin(sssd_t)
|
||||
|
||||
dev_read_urand(sssd_t)
|
||||
|
||||
+kernel_read_system_state(sssd_t)
|
||||
+
|
||||
+files_list_tmp(sssd_t)
|
||||
+files_read_etc_files(sssd_t)
|
||||
+files_read_usr_files(sssd_t)
|
||||
+
|
||||
files_list_tmp(sssd_t)
|
||||
files_read_etc_files(sssd_t)
|
||||
files_read_usr_files(sssd_t)
|
||||
|
||||
+fs_list_inotifyfs(sssd_t)
|
||||
+
|
||||
+auth_use_nsswitch(sssd_t)
|
||||
+auth_domtrans_chk_passwd(sssd_t)
|
||||
+auth_domtrans_upd_passwd(sssd_t)
|
||||
+
|
||||
+init_read_utmp(sssd_t)
|
||||
+
|
||||
+logging_send_syslog_msg(sssd_t)
|
||||
+logging_send_audit_msgs(sssd_t)
|
||||
+
|
||||
+miscfiles_read_localization(sssd_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ dbus_system_bus_client(sssd_t)
|
||||
+ dbus_connect_system_bus(sssd_t)
|
||||
+')
|
||||
auth_use_nsswitch(sssd_t)
|
||||
auth_domtrans_chk_passwd(sssd_t)
|
||||
auth_domtrans_upd_passwd(sssd_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.18/policy/modules/services/uucp.te
|
||||
--- nsaserefpolicy/policy/modules/services/uucp.te 2009-03-23 13:47:11.000000000 -0400
|
||||
+++ serefpolicy-3.6.18/policy/modules/services/uucp.te 2009-06-20 06:49:47.000000000 -0400
|
||||
|
|
@ -23036,7 +22973,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.18/policy/modules/services/virt.te
|
||||
--- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.18/policy/modules/services/virt.te 2009-06-20 06:49:47.000000000 -0400
|
||||
+++ serefpolicy-3.6.18/policy/modules/services/virt.te 2009-06-22 18:01:06.000000000 -0400
|
||||
@@ -8,19 +8,38 @@
|
||||
|
||||
## <desc>
|
||||
|
|
@ -23248,9 +23185,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+optional_policy(`
|
||||
+ kerberos_keytab_template(virtd, virtd_t)
|
||||
+')
|
||||
|
||||
optional_policy(`
|
||||
- qemu_domtrans(virtd_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ lvm_domtrans(virtd_t)
|
||||
+')
|
||||
+
|
||||
|
|
@ -23259,8 +23195,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+ polkit_domtrans_resolve(virtd_t)
|
||||
+ polkit_read_lib(virtd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
- qemu_domtrans(virtd_t)
|
||||
+ qemu_spec_domtrans(virtd_t, svirt_t)
|
||||
qemu_read_state(virtd_t)
|
||||
qemu_signal(virtd_t)
|
||||
|
|
@ -23269,7 +23206,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -195,8 +287,92 @@
|
||||
@@ -195,8 +287,94 @@
|
||||
|
||||
xen_stream_connect(virtd_t)
|
||||
xen_stream_connect_xenstore(virtd_t)
|
||||
|
|
@ -23302,6 +23239,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+manage_lnk_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t)
|
||||
+files_pid_filetrans(svirt_t, svirt_var_run_t, { dir file })
|
||||
+
|
||||
+read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t)
|
||||
+
|
||||
+allow svirt_t svirt_image_t:dir search_dir_perms;
|
||||
+manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t)
|
||||
+manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t)
|
||||
|
|
@ -26536,7 +26475,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
########################################
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.18/policy/modules/system/logging.te
|
||||
--- nsaserefpolicy/policy/modules/system/logging.te 2009-01-19 11:07:34.000000000 -0500
|
||||
+++ serefpolicy-3.6.18/policy/modules/system/logging.te 2009-06-20 06:49:47.000000000 -0400
|
||||
+++ serefpolicy-3.6.18/policy/modules/system/logging.te 2009-06-22 13:05:34.000000000 -0400
|
||||
@@ -126,7 +126,7 @@
|
||||
allow auditd_t self:process { signal_perms setpgid setsched };
|
||||
allow auditd_t self:file rw_file_perms;
|
||||
|
|
@ -28368,7 +28307,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.18/policy/modules/system/udev.te
|
||||
--- nsaserefpolicy/policy/modules/system/udev.te 2009-04-07 15:53:36.000000000 -0400
|
||||
+++ serefpolicy-3.6.18/policy/modules/system/udev.te 2009-06-20 06:49:47.000000000 -0400
|
||||
+++ serefpolicy-3.6.18/policy/modules/system/udev.te 2009-06-22 13:05:54.000000000 -0400
|
||||
@@ -50,6 +50,7 @@
|
||||
allow udev_t self:unix_stream_socket connectto;
|
||||
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
|
|
@ -28377,7 +28316,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
allow udev_t udev_exec_t:file write;
|
||||
can_exec(udev_t, udev_exec_t)
|
||||
@@ -140,6 +141,7 @@
|
||||
@@ -111,6 +112,7 @@
|
||||
|
||||
fs_getattr_all_fs(udev_t)
|
||||
fs_list_inotifyfs(udev_t)
|
||||
+fs_rw_anon_inodefs_files(udev_t)
|
||||
|
||||
mcs_ptrace_all(udev_t)
|
||||
|
||||
@@ -140,6 +142,7 @@
|
||||
logging_send_audit_msgs(udev_t)
|
||||
|
||||
miscfiles_read_localization(udev_t)
|
||||
|
|
@ -28385,7 +28332,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
modutils_domtrans_insmod(udev_t)
|
||||
# read modules.inputmap:
|
||||
@@ -182,9 +184,11 @@
|
||||
@@ -182,9 +185,11 @@
|
||||
# for arping used for static IP addresses on PCMCIA ethernet
|
||||
netutils_domtrans(udev_t)
|
||||
|
||||
|
|
@ -28400,7 +28347,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -194,6 +198,10 @@
|
||||
@@ -194,6 +199,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -28411,7 +28358,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
brctl_domtrans(udev_t)
|
||||
')
|
||||
|
||||
@@ -202,6 +210,10 @@
|
||||
@@ -202,6 +211,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -28422,7 +28369,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
consoletype_exec(udev_t)
|
||||
')
|
||||
|
||||
@@ -210,6 +222,11 @@
|
||||
@@ -210,6 +223,11 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -28434,7 +28381,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
lvm_domtrans(udev_t)
|
||||
')
|
||||
|
||||
@@ -219,6 +236,7 @@
|
||||
@@ -219,6 +237,7 @@
|
||||
|
||||
optional_policy(`
|
||||
hal_dgram_send(udev_t)
|
||||
|
|
@ -28442,7 +28389,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -228,6 +246,10 @@
|
||||
@@ -228,6 +247,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -28453,7 +28400,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
openct_read_pid_files(udev_t)
|
||||
openct_domtrans(udev_t)
|
||||
')
|
||||
@@ -242,6 +264,10 @@
|
||||
@@ -242,6 +265,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@
|
|||
%define CHECKPOLICYVER 2.0.16-3
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.6.18
|
||||
Version: 3.6.19
|
||||
Release: 1%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
|
|
@ -183,7 +183,7 @@ fi;
|
|||
|
||||
%description
|
||||
SELinux Reference Policy - modular.
|
||||
Based off of reference policy: Checked out revision 3000.
|
||||
Based off of reference policy: Checked out revision 3002.
|
||||
|
||||
%build
|
||||
|
||||
|
|
@ -473,6 +473,10 @@ exit 0
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Sat Jun 20 2009 Dan Walsh <dwalsh@redhat.com> 3.6.19-1
|
||||
- Update to upstream
|
||||
* add sssd
|
||||
|
||||
* Sat Jun 20 2009 Dan Walsh <dwalsh@redhat.com> 3.6.18-1
|
||||
- Update to upstream
|
||||
* cleanup
|
||||
|
|
|
|||
Loading…
Reference in New Issue