- Fix labeling on /var/lib/misc/prelink*
- Allow xserver to rw_shm_perms with all x_clients - Allow prelink to execute files in the users home directory
This commit is contained in:
parent
89c9c9ae6a
commit
b0991a2dfd
|
@ -663,16 +663,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.6.12/policy/modules/admin/prelink.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.6.12/policy/modules/admin/prelink.fc
|
||||||
--- nsaserefpolicy/policy/modules/admin/prelink.fc 2008-08-07 11:15:13.000000000 -0400
|
--- nsaserefpolicy/policy/modules/admin/prelink.fc 2008-08-07 11:15:13.000000000 -0400
|
||||||
+++ serefpolicy-3.6.12/policy/modules/admin/prelink.fc 2009-04-23 09:44:57.000000000 -0400
|
+++ serefpolicy-3.6.12/policy/modules/admin/prelink.fc 2009-04-27 08:28:48.000000000 -0400
|
||||||
@@ -5,3 +5,5 @@
|
@@ -5,3 +5,5 @@
|
||||||
|
|
||||||
/var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0)
|
/var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0)
|
||||||
/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0)
|
/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0)
|
||||||
+
|
+
|
||||||
+/var/lib/misc/prelink\* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)
|
+/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.12/policy/modules/admin/prelink.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.12/policy/modules/admin/prelink.if
|
||||||
--- nsaserefpolicy/policy/modules/admin/prelink.if 2008-11-11 16:13:49.000000000 -0500
|
--- nsaserefpolicy/policy/modules/admin/prelink.if 2008-11-11 16:13:49.000000000 -0500
|
||||||
+++ serefpolicy-3.6.12/policy/modules/admin/prelink.if 2009-04-23 09:44:57.000000000 -0400
|
+++ serefpolicy-3.6.12/policy/modules/admin/prelink.if 2009-04-27 09:47:06.000000000 -0400
|
||||||
@@ -120,3 +120,23 @@
|
@@ -120,3 +120,23 @@
|
||||||
logging_search_logs($1)
|
logging_search_logs($1)
|
||||||
manage_files_pattern($1, prelink_log_t, prelink_log_t)
|
manage_files_pattern($1, prelink_log_t, prelink_log_t)
|
||||||
|
@ -699,7 +699,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.12/policy/modules/admin/prelink.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.12/policy/modules/admin/prelink.te
|
||||||
--- nsaserefpolicy/policy/modules/admin/prelink.te 2009-01-05 15:39:44.000000000 -0500
|
--- nsaserefpolicy/policy/modules/admin/prelink.te 2009-01-05 15:39:44.000000000 -0500
|
||||||
+++ serefpolicy-3.6.12/policy/modules/admin/prelink.te 2009-04-23 09:44:57.000000000 -0400
|
+++ serefpolicy-3.6.12/policy/modules/admin/prelink.te 2009-04-27 08:32:37.000000000 -0400
|
||||||
@@ -21,12 +21,15 @@
|
@@ -21,12 +21,15 @@
|
||||||
type prelink_tmp_t;
|
type prelink_tmp_t;
|
||||||
files_tmp_file(prelink_tmp_t)
|
files_tmp_file(prelink_tmp_t)
|
||||||
|
@ -750,17 +750,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
fs_getattr_xattr_fs(prelink_t)
|
fs_getattr_xattr_fs(prelink_t)
|
||||||
|
|
||||||
@@ -81,6 +89,9 @@
|
@@ -81,6 +89,10 @@
|
||||||
|
|
||||||
userdom_use_user_terminals(prelink_t)
|
userdom_use_user_terminals(prelink_t)
|
||||||
|
|
||||||
+# prelink executables in the user homedir
|
+# prelink executables in the user homedir
|
||||||
+userdom_manage_home_role(system_r, prelink_t)
|
+userdom_manage_home_role(system_r, prelink_t)
|
||||||
|
+userdom_exec_user_home_content_files(prelink_t)
|
||||||
+
|
+
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
amanda_manage_lib(prelink_t)
|
amanda_manage_lib(prelink_t)
|
||||||
')
|
')
|
||||||
@@ -88,3 +99,7 @@
|
@@ -88,3 +100,7 @@
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
cron_system_entry(prelink_t, prelink_exec_t)
|
cron_system_entry(prelink_t, prelink_exec_t)
|
||||||
')
|
')
|
||||||
|
@ -6425,7 +6426,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
## requiring the caller to use setexeccon().
|
## requiring the caller to use setexeccon().
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.12/policy/modules/roles/sysadm.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.12/policy/modules/roles/sysadm.te
|
||||||
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-01-19 11:07:34.000000000 -0500
|
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-01-19 11:07:34.000000000 -0500
|
||||||
+++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te 2009-04-24 00:02:59.000000000 -0400
|
+++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te 2009-04-27 09:47:43.000000000 -0400
|
||||||
@@ -15,7 +15,7 @@
|
@@ -15,7 +15,7 @@
|
||||||
|
|
||||||
role sysadm_r;
|
role sysadm_r;
|
||||||
|
@ -6578,18 +6579,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
pcmcia_run_cardctl(sysadm_t, sysadm_r)
|
pcmcia_run_cardctl(sysadm_t, sysadm_r)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -308,10 +250,6 @@
|
@@ -308,7 +250,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- pyzor_role(sysadm_r, sysadm_t)
|
- pyzor_role(sysadm_r, sysadm_t)
|
||||||
-')
|
+ prelink_run(sysadm_t, sysadm_r)
|
||||||
-
|
|
||||||
-optional_policy(`
|
|
||||||
quota_run(sysadm_t, sysadm_r)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -320,10 +258,6 @@
|
optional_policy(`
|
||||||
|
@@ -320,10 +262,6 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -6600,7 +6599,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
rpc_domtrans_nfsd(sysadm_t)
|
rpc_domtrans_nfsd(sysadm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -332,10 +266,6 @@
|
@@ -332,10 +270,6 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -6611,7 +6610,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
rsync_exec(sysadm_t)
|
rsync_exec(sysadm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -345,10 +275,6 @@
|
@@ -345,10 +279,6 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -6622,7 +6621,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
secadm_role_change(sysadm_r)
|
secadm_role_change(sysadm_r)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -358,35 +284,15 @@
|
@@ -358,35 +288,15 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -6658,7 +6657,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
tripwire_run_siggen(sysadm_t, sysadm_r)
|
tripwire_run_siggen(sysadm_t, sysadm_r)
|
||||||
tripwire_run_tripwire(sysadm_t, sysadm_r)
|
tripwire_run_tripwire(sysadm_t, sysadm_r)
|
||||||
tripwire_run_twadmin(sysadm_t, sysadm_r)
|
tripwire_run_twadmin(sysadm_t, sysadm_r)
|
||||||
@@ -394,18 +300,10 @@
|
@@ -394,18 +304,10 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -6677,7 +6676,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
unconfined_domtrans(sysadm_t)
|
unconfined_domtrans(sysadm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -418,20 +316,12 @@
|
@@ -418,20 +320,12 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -6698,7 +6697,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
vpn_run(sysadm_t, sysadm_r)
|
vpn_run(sysadm_t, sysadm_r)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -440,13 +330,7 @@
|
@@ -440,13 +334,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -14840,7 +14839,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
|
cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.fc serefpolicy-3.6.12/policy/modules/services/milter.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.fc serefpolicy-3.6.12/policy/modules/services/milter.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/milter.fc 2008-11-25 09:01:08.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/milter.fc 2008-11-25 09:01:08.000000000 -0500
|
||||||
+++ serefpolicy-3.6.12/policy/modules/services/milter.fc 2009-04-24 07:20:31.000000000 -0400
|
+++ serefpolicy-3.6.12/policy/modules/services/milter.fc 2009-04-27 10:00:53.000000000 -0400
|
||||||
@@ -1,6 +1,8 @@
|
@@ -1,6 +1,8 @@
|
||||||
-/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
|
-/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
|
||||||
-/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
|
-/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
|
||||||
|
@ -20707,7 +20706,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.12/policy/modules/services/samba.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.12/policy/modules/services/samba.te
|
||||||
--- nsaserefpolicy/policy/modules/services/samba.te 2009-01-19 11:07:34.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/samba.te 2009-01-19 11:07:34.000000000 -0500
|
||||||
+++ serefpolicy-3.6.12/policy/modules/services/samba.te 2009-04-23 09:44:57.000000000 -0400
|
+++ serefpolicy-3.6.12/policy/modules/services/samba.te 2009-04-27 08:59:49.000000000 -0400
|
||||||
@@ -66,6 +66,13 @@
|
@@ -66,6 +66,13 @@
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(samba_share_nfs, false)
|
gen_tunable(samba_share_nfs, false)
|
||||||
|
@ -20833,7 +20832,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
|
manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
|
||||||
manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
|
manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
|
||||||
@@ -256,7 +278,7 @@
|
@@ -250,13 +272,14 @@
|
||||||
|
files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
|
||||||
|
|
||||||
|
allow smbd_t nmbd_var_run_t:file rw_file_perms;
|
||||||
|
+allow smbd_t nmbd_t:process { signal signull };
|
||||||
|
|
||||||
|
manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
|
||||||
|
manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
|
||||||
manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
|
manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
|
||||||
files_pid_filetrans(smbd_t, smbd_var_run_t, file)
|
files_pid_filetrans(smbd_t, smbd_var_run_t, file)
|
||||||
|
|
||||||
|
@ -20842,7 +20848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
kernel_getattr_core_if(smbd_t)
|
kernel_getattr_core_if(smbd_t)
|
||||||
kernel_getattr_message_if(smbd_t)
|
kernel_getattr_message_if(smbd_t)
|
||||||
@@ -298,6 +320,7 @@
|
@@ -298,6 +321,7 @@
|
||||||
|
|
||||||
auth_use_nsswitch(smbd_t)
|
auth_use_nsswitch(smbd_t)
|
||||||
auth_domtrans_chk_passwd(smbd_t)
|
auth_domtrans_chk_passwd(smbd_t)
|
||||||
|
@ -20850,7 +20856,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
domain_use_interactive_fds(smbd_t)
|
domain_use_interactive_fds(smbd_t)
|
||||||
domain_dontaudit_list_all_domains_state(smbd_t)
|
domain_dontaudit_list_all_domains_state(smbd_t)
|
||||||
@@ -321,6 +344,10 @@
|
@@ -321,6 +345,10 @@
|
||||||
userdom_use_unpriv_users_fds(smbd_t)
|
userdom_use_unpriv_users_fds(smbd_t)
|
||||||
userdom_dontaudit_search_user_home_dirs(smbd_t)
|
userdom_dontaudit_search_user_home_dirs(smbd_t)
|
||||||
|
|
||||||
|
@ -20861,7 +20867,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
ifdef(`hide_broken_symptoms', `
|
ifdef(`hide_broken_symptoms', `
|
||||||
files_dontaudit_getattr_default_dirs(smbd_t)
|
files_dontaudit_getattr_default_dirs(smbd_t)
|
||||||
files_dontaudit_getattr_boot_dirs(smbd_t)
|
files_dontaudit_getattr_boot_dirs(smbd_t)
|
||||||
@@ -333,25 +360,33 @@
|
@@ -333,25 +361,33 @@
|
||||||
|
|
||||||
tunable_policy(`samba_domain_controller',`
|
tunable_policy(`samba_domain_controller',`
|
||||||
usermanage_domtrans_passwd(smbd_t)
|
usermanage_domtrans_passwd(smbd_t)
|
||||||
|
@ -20901,7 +20907,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
cups_read_rw_config(smbd_t)
|
cups_read_rw_config(smbd_t)
|
||||||
cups_stream_connect(smbd_t)
|
cups_stream_connect(smbd_t)
|
||||||
@@ -359,6 +394,16 @@
|
@@ -359,6 +395,16 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
kerberos_use(smbd_t)
|
kerberos_use(smbd_t)
|
||||||
|
@ -20918,7 +20924,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -376,13 +421,15 @@
|
@@ -376,13 +422,15 @@
|
||||||
tunable_policy(`samba_create_home_dirs',`
|
tunable_policy(`samba_create_home_dirs',`
|
||||||
allow smbd_t self:capability chown;
|
allow smbd_t self:capability chown;
|
||||||
userdom_create_user_home_dirs(smbd_t)
|
userdom_create_user_home_dirs(smbd_t)
|
||||||
|
@ -20935,7 +20941,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
auth_read_all_files_except_shadow(nmbd_t)
|
auth_read_all_files_except_shadow(nmbd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -391,8 +438,8 @@
|
@@ -391,8 +439,8 @@
|
||||||
auth_manage_all_files_except_shadow(smbd_t)
|
auth_manage_all_files_except_shadow(smbd_t)
|
||||||
fs_read_noxattr_fs_files(nmbd_t)
|
fs_read_noxattr_fs_files(nmbd_t)
|
||||||
auth_manage_all_files_except_shadow(nmbd_t)
|
auth_manage_all_files_except_shadow(nmbd_t)
|
||||||
|
@ -20945,7 +20951,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@@ -417,14 +464,11 @@
|
@@ -417,14 +465,11 @@
|
||||||
files_pid_filetrans(nmbd_t, nmbd_var_run_t, file)
|
files_pid_filetrans(nmbd_t, nmbd_var_run_t, file)
|
||||||
|
|
||||||
read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
|
read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
|
||||||
|
@ -20961,7 +20967,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
|
manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
|
||||||
|
|
||||||
allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
|
allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
|
||||||
@@ -454,6 +498,7 @@
|
@@ -454,6 +499,7 @@
|
||||||
dev_getattr_mtrr_dev(nmbd_t)
|
dev_getattr_mtrr_dev(nmbd_t)
|
||||||
|
|
||||||
fs_getattr_all_fs(nmbd_t)
|
fs_getattr_all_fs(nmbd_t)
|
||||||
|
@ -20969,7 +20975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
fs_search_auto_mountpoints(nmbd_t)
|
fs_search_auto_mountpoints(nmbd_t)
|
||||||
|
|
||||||
domain_use_interactive_fds(nmbd_t)
|
domain_use_interactive_fds(nmbd_t)
|
||||||
@@ -553,21 +598,36 @@
|
@@ -553,21 +599,36 @@
|
||||||
userdom_use_user_terminals(smbmount_t)
|
userdom_use_user_terminals(smbmount_t)
|
||||||
userdom_use_all_users_fds(smbmount_t)
|
userdom_use_all_users_fds(smbmount_t)
|
||||||
|
|
||||||
|
@ -21009,7 +21015,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
append_files_pattern(swat_t, samba_log_t, samba_log_t)
|
append_files_pattern(swat_t, samba_log_t, samba_log_t)
|
||||||
|
|
||||||
@@ -585,6 +645,9 @@
|
@@ -585,6 +646,9 @@
|
||||||
files_pid_filetrans(swat_t, swat_var_run_t, file)
|
files_pid_filetrans(swat_t, swat_var_run_t, file)
|
||||||
|
|
||||||
allow swat_t winbind_exec_t:file mmap_file_perms;
|
allow swat_t winbind_exec_t:file mmap_file_perms;
|
||||||
|
@ -21019,7 +21025,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
kernel_read_kernel_sysctls(swat_t)
|
kernel_read_kernel_sysctls(swat_t)
|
||||||
kernel_read_system_state(swat_t)
|
kernel_read_system_state(swat_t)
|
||||||
@@ -609,15 +672,18 @@
|
@@ -609,15 +673,18 @@
|
||||||
|
|
||||||
dev_read_urand(swat_t)
|
dev_read_urand(swat_t)
|
||||||
|
|
||||||
|
@ -21038,7 +21044,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
logging_search_logs(swat_t)
|
logging_search_logs(swat_t)
|
||||||
|
|
||||||
miscfiles_read_localization(swat_t)
|
miscfiles_read_localization(swat_t)
|
||||||
@@ -635,6 +701,17 @@
|
@@ -635,6 +702,17 @@
|
||||||
kerberos_use(swat_t)
|
kerberos_use(swat_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -21056,7 +21062,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Winbind local policy
|
# Winbind local policy
|
||||||
@@ -642,7 +719,7 @@
|
@@ -642,7 +720,7 @@
|
||||||
|
|
||||||
allow winbind_t self:capability { dac_override ipc_lock setuid };
|
allow winbind_t self:capability { dac_override ipc_lock setuid };
|
||||||
dontaudit winbind_t self:capability sys_tty_config;
|
dontaudit winbind_t self:capability sys_tty_config;
|
||||||
|
@ -21065,7 +21071,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
allow winbind_t self:fifo_file rw_fifo_file_perms;
|
allow winbind_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow winbind_t self:unix_dgram_socket create_socket_perms;
|
allow winbind_t self:unix_dgram_socket create_socket_perms;
|
||||||
allow winbind_t self:unix_stream_socket create_stream_socket_perms;
|
allow winbind_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
@@ -683,9 +760,10 @@
|
@@ -683,9 +761,10 @@
|
||||||
manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
|
manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
|
||||||
files_pid_filetrans(winbind_t, winbind_var_run_t, file)
|
files_pid_filetrans(winbind_t, winbind_var_run_t, file)
|
||||||
|
|
||||||
|
@ -21078,7 +21084,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
corenet_all_recvfrom_unlabeled(winbind_t)
|
corenet_all_recvfrom_unlabeled(winbind_t)
|
||||||
corenet_all_recvfrom_netlabel(winbind_t)
|
corenet_all_recvfrom_netlabel(winbind_t)
|
||||||
@@ -709,10 +787,12 @@
|
@@ -709,10 +788,12 @@
|
||||||
|
|
||||||
auth_domtrans_chk_passwd(winbind_t)
|
auth_domtrans_chk_passwd(winbind_t)
|
||||||
auth_use_nsswitch(winbind_t)
|
auth_use_nsswitch(winbind_t)
|
||||||
|
@ -21091,7 +21097,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
logging_send_syslog_msg(winbind_t)
|
logging_send_syslog_msg(winbind_t)
|
||||||
|
|
||||||
@@ -768,8 +848,13 @@
|
@@ -768,8 +849,13 @@
|
||||||
userdom_use_user_terminals(winbind_helper_t)
|
userdom_use_user_terminals(winbind_helper_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -21105,7 +21111,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -778,6 +863,16 @@
|
@@ -778,6 +864,16 @@
|
||||||
#
|
#
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -21122,7 +21128,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
type samba_unconfined_script_t;
|
type samba_unconfined_script_t;
|
||||||
type samba_unconfined_script_exec_t;
|
type samba_unconfined_script_exec_t;
|
||||||
domain_type(samba_unconfined_script_t)
|
domain_type(samba_unconfined_script_t)
|
||||||
@@ -788,9 +883,43 @@
|
@@ -788,9 +884,43 @@
|
||||||
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
|
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
|
||||||
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
|
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
|
||||||
|
|
||||||
|
@ -24450,7 +24456,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.12/policy/modules/services/xserver.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.12/policy/modules/services/xserver.te
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500
|
||||||
+++ serefpolicy-3.6.12/policy/modules/services/xserver.te 2009-04-23 09:44:57.000000000 -0400
|
+++ serefpolicy-3.6.12/policy/modules/services/xserver.te 2009-04-27 08:35:28.000000000 -0400
|
||||||
@@ -34,6 +34,13 @@
|
@@ -34,6 +34,13 @@
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
|
@ -24946,7 +24952,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
|
allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
|
||||||
|
|
||||||
@@ -622,7 +746,7 @@
|
@@ -616,13 +740,14 @@
|
||||||
|
type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
|
||||||
|
|
||||||
|
allow xserver_t { rootwindow_t x_domain }:x_drawable send;
|
||||||
|
+allow xserver_t x_domain:shm rw_shm_perms;
|
||||||
|
|
||||||
|
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
|
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
|
files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
|
||||||
|
|
||||||
|
@ -24955,7 +24968,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||||
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||||
@@ -635,9 +759,19 @@
|
@@ -635,9 +760,19 @@
|
||||||
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||||
files_search_var_lib(xserver_t)
|
files_search_var_lib(xserver_t)
|
||||||
|
|
||||||
|
@ -24975,7 +24988,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
kernel_read_system_state(xserver_t)
|
kernel_read_system_state(xserver_t)
|
||||||
kernel_read_device_sysctls(xserver_t)
|
kernel_read_device_sysctls(xserver_t)
|
||||||
@@ -680,9 +814,14 @@
|
@@ -680,9 +815,14 @@
|
||||||
dev_rw_xserver_misc(xserver_t)
|
dev_rw_xserver_misc(xserver_t)
|
||||||
# read events - the synaptics touchpad driver reads raw events
|
# read events - the synaptics touchpad driver reads raw events
|
||||||
dev_rw_input_dev(xserver_t)
|
dev_rw_input_dev(xserver_t)
|
||||||
|
@ -24990,7 +25003,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
files_read_etc_files(xserver_t)
|
files_read_etc_files(xserver_t)
|
||||||
files_read_etc_runtime_files(xserver_t)
|
files_read_etc_runtime_files(xserver_t)
|
||||||
@@ -697,8 +836,13 @@
|
@@ -697,8 +837,13 @@
|
||||||
fs_search_nfs(xserver_t)
|
fs_search_nfs(xserver_t)
|
||||||
fs_search_auto_mountpoints(xserver_t)
|
fs_search_auto_mountpoints(xserver_t)
|
||||||
fs_search_ramfs(xserver_t)
|
fs_search_ramfs(xserver_t)
|
||||||
|
@ -25004,7 +25017,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
selinux_validate_context(xserver_t)
|
selinux_validate_context(xserver_t)
|
||||||
selinux_compute_access_vector(xserver_t)
|
selinux_compute_access_vector(xserver_t)
|
||||||
@@ -720,6 +864,7 @@
|
@@ -720,6 +865,7 @@
|
||||||
|
|
||||||
miscfiles_read_localization(xserver_t)
|
miscfiles_read_localization(xserver_t)
|
||||||
miscfiles_read_fonts(xserver_t)
|
miscfiles_read_fonts(xserver_t)
|
||||||
|
@ -25012,7 +25025,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
modutils_domtrans_insmod(xserver_t)
|
modutils_domtrans_insmod(xserver_t)
|
||||||
|
|
||||||
@@ -742,7 +887,7 @@
|
@@ -742,7 +888,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`enable_mls',`
|
ifdef(`enable_mls',`
|
||||||
|
@ -25021,7 +25034,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
|
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -774,12 +919,16 @@
|
@@ -774,12 +920,16 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -25039,7 +25052,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
unconfined_domtrans(xserver_t)
|
unconfined_domtrans(xserver_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -806,7 +955,7 @@
|
@@ -806,7 +956,7 @@
|
||||||
allow xserver_t xdm_var_lib_t:file { getattr read };
|
allow xserver_t xdm_var_lib_t:file { getattr read };
|
||||||
dontaudit xserver_t xdm_var_lib_t:dir search;
|
dontaudit xserver_t xdm_var_lib_t:dir search;
|
||||||
|
|
||||||
|
@ -25048,7 +25061,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
# Label pid and temporary files with derived types.
|
# Label pid and temporary files with derived types.
|
||||||
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||||
@@ -827,9 +976,14 @@
|
@@ -827,9 +977,14 @@
|
||||||
# to read ROLE_home_t - examine this in more detail
|
# to read ROLE_home_t - examine this in more detail
|
||||||
# (xauth?)
|
# (xauth?)
|
||||||
userdom_read_user_home_content_files(xserver_t)
|
userdom_read_user_home_content_files(xserver_t)
|
||||||
|
@ -25063,7 +25076,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
tunable_policy(`use_nfs_home_dirs',`
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
fs_manage_nfs_dirs(xserver_t)
|
fs_manage_nfs_dirs(xserver_t)
|
||||||
fs_manage_nfs_files(xserver_t)
|
fs_manage_nfs_files(xserver_t)
|
||||||
@@ -844,11 +998,14 @@
|
@@ -844,11 +999,14 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_system_bus_client(xserver_t)
|
dbus_system_bus_client(xserver_t)
|
||||||
|
@ -25079,7 +25092,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -856,6 +1013,11 @@
|
@@ -856,6 +1014,11 @@
|
||||||
rhgb_rw_tmpfs_files(xserver_t)
|
rhgb_rw_tmpfs_files(xserver_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -25091,7 +25104,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Rules common to all X window domains
|
# Rules common to all X window domains
|
||||||
@@ -881,6 +1043,8 @@
|
@@ -881,6 +1044,8 @@
|
||||||
# X Server
|
# X Server
|
||||||
# can read server-owned resources
|
# can read server-owned resources
|
||||||
allow x_domain xserver_t:x_resource read;
|
allow x_domain xserver_t:x_resource read;
|
||||||
|
@ -25100,7 +25113,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
# can mess with own clients
|
# can mess with own clients
|
||||||
allow x_domain self:x_client { manage destroy };
|
allow x_domain self:x_client { manage destroy };
|
||||||
|
|
||||||
@@ -905,6 +1069,8 @@
|
@@ -905,6 +1070,8 @@
|
||||||
# operations allowed on my windows
|
# operations allowed on my windows
|
||||||
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
||||||
|
|
||||||
|
@ -25109,7 +25122,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
# X Colormaps
|
# X Colormaps
|
||||||
# can use the default colormap
|
# can use the default colormap
|
||||||
allow x_domain rootwindow_t:x_colormap { read use add_color };
|
allow x_domain rootwindow_t:x_colormap { read use add_color };
|
||||||
@@ -972,17 +1138,49 @@
|
@@ -972,17 +1139,49 @@
|
||||||
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
|
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
|
||||||
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
|
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
|
||||||
|
|
||||||
|
@ -29642,7 +29655,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
|
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if
|
||||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
|
||||||
+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-04-23 23:55:27.000000000 -0400
|
+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-04-27 08:32:47.000000000 -0400
|
||||||
@@ -30,8 +30,9 @@
|
@@ -30,8 +30,9 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
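Review bot: prelink_t is handed far broader home-directory rights than relinking needs in the prelink.te hunk (`@@ -81,6 +89,10 @@`): `userdom_manage_home_role(system_r, prelink_t)` gives a domain that this same module enters from cron as a system job (`cron_system_entry(prelink_t, prelink_exec_t)`) manage access to all user home content, and in refpolicy naming a manage interface presumably includes create, unlink and rename, not just read/write on the ELF files prelink rewrites, which turns anything prelink is pointed at under a home directory into a write primitive for a root-run job. The accompanying `userdom_exec_user_home_content_files(prelink_t)` also deserves a stated reason, since prelink modifies binaries rather than executing them; if it is only needed to map them, a narrower file permission may suffice. At minimum I would document the scope and the open question, e.g. `# prelink_t runs as a system cron job: this grants manage (create/unlink/rename), not just rw, on all user home content — confirm prelink needs that and consider gating it behind a boolean`, and trim to the narrowest userdom interface that works. The enclosing prelink.te module continues outside the hunk.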
|
|
|
@ -20,7 +20,7 @@
|
||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.6.12
|
Version: 3.6.12
|
||||||
Release: 19%{?dist}
|
Release: 20%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
|
@ -446,6 +446,11 @@ exit 0
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Apr 27 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-20
|
||||||
|
- Fix labeling on /var/lib/misc/prelink*
|
||||||
|
- Allow xserver to rw_shm_perms with all x_clients
|
||||||
|
- Allow prelink to execute files in the users home directory
|
||||||
|
|
||||||
* Fri Apr 24 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-19
|
* Fri Apr 24 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-19
|
||||||
- Allow initrc_t to delete dev_null
|
- Allow initrc_t to delete dev_null
|
||||||
- Allow readahead to configure auditing
|
- Allow readahead to configure auditing
|
||||||
|
|