- Allow confined users to manage virt_content_t, since this is home dir
content - Allow all domains to read rpm_script_tmp_t which is what shell creates on redirection
This commit is contained in:
parent
b0991a2dfd
commit
b11dbbb323
@ -782,7 +782,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
-/usr/sbin/readahead -- gen_context(system_u:object_r:readahead_exec_t,s0)
|
-/usr/sbin/readahead -- gen_context(system_u:object_r:readahead_exec_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.12/policy/modules/admin/readahead.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.12/policy/modules/admin/readahead.te
|
||||||
--- nsaserefpolicy/policy/modules/admin/readahead.te 2009-01-05 15:39:44.000000000 -0500
|
--- nsaserefpolicy/policy/modules/admin/readahead.te 2009-01-05 15:39:44.000000000 -0500
|
||||||
+++ serefpolicy-3.6.12/policy/modules/admin/readahead.te 2009-04-24 13:45:16.000000000 -0400
|
+++ serefpolicy-3.6.12/policy/modules/admin/readahead.te 2009-04-27 11:01:26.000000000 -0400
|
||||||
@@ -11,8 +11,8 @@
|
@@ -11,8 +11,8 @@
|
||||||
init_daemon_domain(readahead_t, readahead_exec_t)
|
init_daemon_domain(readahead_t, readahead_exec_t)
|
||||||
application_domain(readahead_t, readahead_exec_t)
|
application_domain(readahead_t, readahead_exec_t)
|
||||||
@ -808,7 +808,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
|
manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
|
||||||
files_pid_filetrans(readahead_t, readahead_var_run_t, file)
|
files_pid_filetrans(readahead_t, readahead_var_run_t, file)
|
||||||
@@ -58,6 +60,7 @@
|
@@ -46,6 +48,7 @@
|
||||||
|
storage_raw_read_fixed_disk(readahead_t)
|
||||||
|
|
||||||
|
domain_use_interactive_fds(readahead_t)
|
||||||
|
+domain_read_all_domains_state(readahead_t)
|
||||||
|
|
||||||
|
files_dontaudit_getattr_all_sockets(readahead_t)
|
||||||
|
files_list_non_security(readahead_t)
|
||||||
|
@@ -58,6 +61,7 @@
|
||||||
fs_dontaudit_search_ramfs(readahead_t)
|
fs_dontaudit_search_ramfs(readahead_t)
|
||||||
fs_dontaudit_read_ramfs_pipes(readahead_t)
|
fs_dontaudit_read_ramfs_pipes(readahead_t)
|
||||||
fs_dontaudit_read_ramfs_files(readahead_t)
|
fs_dontaudit_read_ramfs_files(readahead_t)
|
||||||
@ -816,7 +824,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
fs_read_tmpfs_symlinks(readahead_t)
|
fs_read_tmpfs_symlinks(readahead_t)
|
||||||
fs_list_inotifyfs(readahead_t)
|
fs_list_inotifyfs(readahead_t)
|
||||||
|
|
||||||
@@ -72,6 +75,7 @@
|
@@ -72,6 +76,7 @@
|
||||||
init_getattr_initctl(readahead_t)
|
init_getattr_initctl(readahead_t)
|
||||||
|
|
||||||
logging_send_syslog_msg(readahead_t)
|
logging_send_syslog_msg(readahead_t)
|
||||||
@ -5184,7 +5192,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.12/policy/modules/kernel/domain.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.12/policy/modules/kernel/domain.te
|
||||||
--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-01-05 15:39:38.000000000 -0500
|
--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-01-05 15:39:38.000000000 -0500
|
||||||
+++ serefpolicy-3.6.12/policy/modules/kernel/domain.te 2009-04-23 09:44:57.000000000 -0400
|
+++ serefpolicy-3.6.12/policy/modules/kernel/domain.te 2009-04-27 11:30:40.000000000 -0400
|
||||||
@@ -5,6 +5,13 @@
|
@@ -5,6 +5,13 @@
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
@ -5255,7 +5263,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
|
allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
|
||||||
|
|
||||||
# act on all domains keys
|
# act on all domains keys
|
||||||
@@ -153,3 +172,45 @@
|
@@ -153,3 +172,46 @@
|
||||||
|
|
||||||
# receive from all domains over labeled networking
|
# receive from all domains over labeled networking
|
||||||
domain_all_recvfrom_all_domains(unconfined_domain_type)
|
domain_all_recvfrom_all_domains(unconfined_domain_type)
|
||||||
@ -5280,6 +5288,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+ rpm_rw_pipes(domain)
|
+ rpm_rw_pipes(domain)
|
||||||
+ rpm_dontaudit_use_script_fds(domain)
|
+ rpm_dontaudit_use_script_fds(domain)
|
||||||
+ rpm_dontaudit_write_pid_files(domain)
|
+ rpm_dontaudit_write_pid_files(domain)
|
||||||
|
+ rpm_read_script_tmp_files(domain)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
@ -14839,8 +14848,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
|
cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.fc serefpolicy-3.6.12/policy/modules/services/milter.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.fc serefpolicy-3.6.12/policy/modules/services/milter.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/milter.fc 2008-11-25 09:01:08.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/milter.fc 2008-11-25 09:01:08.000000000 -0500
|
||||||
+++ serefpolicy-3.6.12/policy/modules/services/milter.fc 2009-04-27 10:00:53.000000000 -0400
|
+++ serefpolicy-3.6.12/policy/modules/services/milter.fc 2009-04-27 11:46:55.000000000 -0400
|
||||||
@@ -1,6 +1,8 @@
|
@@ -1,6 +1,9 @@
|
||||||
-/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
|
-/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
|
||||||
-/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
|
-/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
|
||||||
|
|
||||||
@ -14849,6 +14858,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
|
+/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
|
||||||
/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
|
/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
|
||||||
/var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
|
/var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
|
||||||
|
+/var/lib/miltermilter.* gen_context(system_u:object_r:spamass_milter_state_t,s0)
|
||||||
+
|
+
|
||||||
+/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
|
+/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.if serefpolicy-3.6.12/policy/modules/services/milter.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.if serefpolicy-3.6.12/policy/modules/services/milter.if
|
||||||
@ -21885,7 +21895,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.12/policy/modules/services/spamassassin.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.12/policy/modules/services/spamassassin.te
|
||||||
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-01-19 11:06:49.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-01-19 11:06:49.000000000 -0500
|
||||||
+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te 2009-04-24 08:31:39.000000000 -0400
|
+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te 2009-04-27 11:45:25.000000000 -0400
|
||||||
@@ -20,6 +20,35 @@
|
@@ -20,6 +20,35 @@
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(spamd_enable_home_dirs, true)
|
gen_tunable(spamd_enable_home_dirs, true)
|
||||||
@ -21982,7 +21992,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
corenet_all_recvfrom_unlabeled(spamc_t)
|
corenet_all_recvfrom_unlabeled(spamc_t)
|
||||||
corenet_all_recvfrom_netlabel(spamc_t)
|
corenet_all_recvfrom_netlabel(spamc_t)
|
||||||
@@ -255,9 +308,15 @@
|
@@ -239,6 +292,7 @@
|
||||||
|
corenet_sendrecv_all_client_packets(spamc_t)
|
||||||
|
|
||||||
|
fs_search_auto_mountpoints(spamc_t)
|
||||||
|
+fs_list_inotifyfs(spamc_t)
|
||||||
|
|
||||||
|
# cjp: these should probably be removed:
|
||||||
|
corecmd_list_bin(spamc_t)
|
||||||
|
@@ -255,9 +309,15 @@
|
||||||
files_dontaudit_search_var(spamc_t)
|
files_dontaudit_search_var(spamc_t)
|
||||||
# cjp: this may be removable:
|
# cjp: this may be removable:
|
||||||
files_list_home(spamc_t)
|
files_list_home(spamc_t)
|
||||||
@ -21998,7 +22016,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
miscfiles_read_localization(spamc_t)
|
miscfiles_read_localization(spamc_t)
|
||||||
|
|
||||||
# cjp: this should probably be removed:
|
# cjp: this should probably be removed:
|
||||||
@@ -265,13 +324,16 @@
|
@@ -265,13 +325,16 @@
|
||||||
|
|
||||||
sysnet_read_config(spamc_t)
|
sysnet_read_config(spamc_t)
|
||||||
|
|
||||||
@ -22022,7 +22040,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -280,16 +342,21 @@
|
@@ -280,16 +343,21 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -22046,7 +22064,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -301,7 +368,7 @@
|
@@ -301,7 +369,7 @@
|
||||||
# setuids to the user running spamc. Comment this if you are not
|
# setuids to the user running spamc. Comment this if you are not
|
||||||
# using this ability.
|
# using this ability.
|
||||||
|
|
||||||
@ -22055,7 +22073,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
dontaudit spamd_t self:capability sys_tty_config;
|
dontaudit spamd_t self:capability sys_tty_config;
|
||||||
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||||
allow spamd_t self:fd use;
|
allow spamd_t self:fd use;
|
||||||
@@ -317,10 +384,13 @@
|
@@ -317,10 +385,13 @@
|
||||||
allow spamd_t self:unix_stream_socket connectto;
|
allow spamd_t self:unix_stream_socket connectto;
|
||||||
allow spamd_t self:tcp_socket create_stream_socket_perms;
|
allow spamd_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow spamd_t self:udp_socket create_socket_perms;
|
allow spamd_t self:udp_socket create_socket_perms;
|
||||||
@ -22070,7 +22088,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
|
files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
|
||||||
|
|
||||||
manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
|
manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
|
||||||
@@ -329,10 +399,11 @@
|
@@ -329,10 +400,11 @@
|
||||||
|
|
||||||
# var/lib files for spamd
|
# var/lib files for spamd
|
||||||
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
|
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
|
||||||
@ -22083,7 +22101,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
|
files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
|
||||||
|
|
||||||
kernel_read_all_sysctls(spamd_t)
|
kernel_read_all_sysctls(spamd_t)
|
||||||
@@ -382,22 +453,27 @@
|
@@ -382,22 +454,27 @@
|
||||||
|
|
||||||
init_dontaudit_rw_utmp(spamd_t)
|
init_dontaudit_rw_utmp(spamd_t)
|
||||||
|
|
||||||
@ -22115,7 +22133,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
fs_manage_cifs_files(spamd_t)
|
fs_manage_cifs_files(spamd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -415,6 +491,7 @@
|
@@ -415,6 +492,7 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dcc_domtrans_client(spamd_t)
|
dcc_domtrans_client(spamd_t)
|
||||||
@ -22123,7 +22141,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
dcc_stream_connect_dccifd(spamd_t)
|
dcc_stream_connect_dccifd(spamd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -424,10 +501,6 @@
|
@@ -424,10 +502,6 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -22134,7 +22152,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
postfix_read_config(spamd_t)
|
postfix_read_config(spamd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -442,6 +515,10 @@
|
@@ -442,6 +516,10 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
razor_domtrans(spamd_t)
|
razor_domtrans(spamd_t)
|
||||||
@ -22145,7 +22163,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -454,5 +531,9 @@
|
@@ -454,5 +532,9 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -23420,7 +23438,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te
|
||||||
--- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500
|
||||||
+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-04-23 09:44:57.000000000 -0400
|
+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-04-27 11:40:19.000000000 -0400
|
||||||
@@ -8,19 +8,24 @@
|
@@ -8,19 +8,24 @@
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
@ -23449,7 +23467,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
type virt_etc_t;
|
type virt_etc_t;
|
||||||
files_config_file(virt_etc_t)
|
files_config_file(virt_etc_t)
|
||||||
@@ -29,8 +34,12 @@
|
@@ -29,8 +34,13 @@
|
||||||
files_type(virt_etc_rw_t)
|
files_type(virt_etc_rw_t)
|
||||||
|
|
||||||
# virt Image files
|
# virt Image files
|
||||||
@ -23461,10 +23479,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+# virt Image files
|
+# virt Image files
|
||||||
+type virt_content_t;
|
+type virt_content_t;
|
||||||
+virtual_image(virt_content_t)
|
+virtual_image(virt_content_t)
|
||||||
|
+userdom_user_home_content(virt_content_t)
|
||||||
|
|
||||||
type virt_log_t;
|
type virt_log_t;
|
||||||
logging_log_file(virt_log_t)
|
logging_log_file(virt_log_t)
|
||||||
@@ -48,17 +57,39 @@
|
@@ -48,17 +58,39 @@
|
||||||
type virtd_initrc_exec_t;
|
type virtd_initrc_exec_t;
|
||||||
init_script_file(virtd_initrc_exec_t)
|
init_script_file(virtd_initrc_exec_t)
|
||||||
|
|
||||||
@ -23506,7 +23525,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
||||||
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
||||||
|
|
||||||
@@ -67,7 +98,11 @@
|
@@ -67,7 +99,11 @@
|
||||||
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
||||||
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
|
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
|
||||||
|
|
||||||
@ -23519,7 +23538,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
|
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
|
||||||
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
|
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
|
||||||
@@ -86,6 +121,7 @@
|
@@ -86,6 +122,7 @@
|
||||||
kernel_read_network_state(virtd_t)
|
kernel_read_network_state(virtd_t)
|
||||||
kernel_rw_net_sysctls(virtd_t)
|
kernel_rw_net_sysctls(virtd_t)
|
||||||
kernel_load_module(virtd_t)
|
kernel_load_module(virtd_t)
|
||||||
@ -23527,7 +23546,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
corecmd_exec_bin(virtd_t)
|
corecmd_exec_bin(virtd_t)
|
||||||
corecmd_exec_shell(virtd_t)
|
corecmd_exec_shell(virtd_t)
|
||||||
@@ -96,7 +132,7 @@
|
@@ -96,7 +133,7 @@
|
||||||
corenet_tcp_sendrecv_generic_node(virtd_t)
|
corenet_tcp_sendrecv_generic_node(virtd_t)
|
||||||
corenet_tcp_sendrecv_all_ports(virtd_t)
|
corenet_tcp_sendrecv_all_ports(virtd_t)
|
||||||
corenet_tcp_bind_generic_node(virtd_t)
|
corenet_tcp_bind_generic_node(virtd_t)
|
||||||
@ -23536,7 +23555,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
corenet_tcp_bind_vnc_port(virtd_t)
|
corenet_tcp_bind_vnc_port(virtd_t)
|
||||||
corenet_tcp_connect_vnc_port(virtd_t)
|
corenet_tcp_connect_vnc_port(virtd_t)
|
||||||
corenet_tcp_connect_soundd_port(virtd_t)
|
corenet_tcp_connect_soundd_port(virtd_t)
|
||||||
@@ -104,21 +140,39 @@
|
@@ -104,21 +141,39 @@
|
||||||
|
|
||||||
dev_read_sysfs(virtd_t)
|
dev_read_sysfs(virtd_t)
|
||||||
dev_read_rand(virtd_t)
|
dev_read_rand(virtd_t)
|
||||||
@ -23577,7 +23596,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
term_getattr_pty_fs(virtd_t)
|
term_getattr_pty_fs(virtd_t)
|
||||||
term_use_ptmx(virtd_t)
|
term_use_ptmx(virtd_t)
|
||||||
|
|
||||||
@@ -129,6 +183,13 @@
|
@@ -129,6 +184,13 @@
|
||||||
|
|
||||||
logging_send_syslog_msg(virtd_t)
|
logging_send_syslog_msg(virtd_t)
|
||||||
|
|
||||||
@ -23591,7 +23610,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
userdom_read_all_users_state(virtd_t)
|
userdom_read_all_users_state(virtd_t)
|
||||||
|
|
||||||
tunable_policy(`virt_use_nfs',`
|
tunable_policy(`virt_use_nfs',`
|
||||||
@@ -167,22 +228,34 @@
|
@@ -167,22 +229,34 @@
|
||||||
dnsmasq_domtrans(virtd_t)
|
dnsmasq_domtrans(virtd_t)
|
||||||
dnsmasq_signal(virtd_t)
|
dnsmasq_signal(virtd_t)
|
||||||
dnsmasq_kill(virtd_t)
|
dnsmasq_kill(virtd_t)
|
||||||
@ -23631,7 +23650,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -198,5 +271,80 @@
|
@@ -198,5 +272,80 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
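Review bot: The added file-context entry in the milter.fc hunk, `+/var/lib/miltermilter.* gen_context(system_u:object_r:spamass_milter_state_t,s0)`, looks like a mangled path: the doubled `miltermilter` matches no directory the neighbouring entries reference, and the bare `.*` suffix differs from the `(/.*)?` form used by the adjacent `/var/lib/spamass-milter(/.*)?` line, so it would also match any sibling name sharing that prefix while the directory it was meant to label keeps whatever label it inherits. Confirm the intended path against the package's file list and write it as `/var/lib/<intended-dir>(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)` (placeholder for the real directory name). Separately, the domain.te hunk's `rpm_read_script_tmp_files(domain)` is a blanket allow to every domain on the system; if the intent is only to quiet denials from shell redirection inside rpm scriptlets, a dontaudit rule, or scoping the allow to the domains that actually read those files, avoids making scriptlet temp content readable by every confined service. The `optional_policy(` block that line sits in opens outside the hunk, and this file's section header is not visible on the page.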
@ -20,7 +20,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.6.12
|
Version: 3.6.12
|
||||||
Release: 20%{?dist}
|
Release: 21%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -446,6 +446,10 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Apr 27 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-21
|
||||||
|
- Allow confined users to manace virt_content_t, since this is home dir content
|
||||||
|
- Allow all domains to read rpm_script_tmp_t which is what shell creates on redirection
|
||||||
|
|
||||||
* Mon Apr 27 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-20
|
* Mon Apr 27 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-20
|
||||||
- Fix labeling on /var/lib/misc/prelink*
|
- Fix labeling on /var/lib/misc/prelink*
|
||||||
- Allow xserver to rw_shm_perms with all x_clients
|
- Allow xserver to rw_shm_perms with all x_clients
|
||||||
|