* Tue Aug 10 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-12
- Fix devicekit_power bug - Allow policykit_auth_t more access.
This commit is contained in:
parent
922cd61e83
commit
b12ede2ac0
164
policy-F14.patch
164
policy-F14.patch
@ -570,7 +570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc
|
||||
+/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.8.8/policy/modules/admin/alsa.if
|
||||
--- nsaserefpolicy/policy/modules/admin/alsa.if 2010-07-27 16:06:04.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/admin/alsa.if 2010-07-30 14:06:53.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/admin/alsa.if 2010-08-11 08:22:58.000000000 -0400
|
||||
@@ -1,8 +1,9 @@
|
||||
-## <summary>Ainit ALSA configuration tool</summary>
|
||||
+## <summary>Advanced Linux Sound Architecture.</summary>
|
||||
@ -677,7 +677,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if
|
||||
+ type alsa_home_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 also_home_t:file read_file_perms;
|
||||
+ allow $1 alsa_home_t:file read_file_perms;
|
||||
+ userdom_search_user_home_dirs($1)
|
||||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.8.8/policy/modules/admin/alsa.te
|
||||
@ -1591,8 +1591,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.te serefpolicy-3.8.8/policy/modules/admin/ncftool.te
|
||||
--- nsaserefpolicy/policy/modules/admin/ncftool.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.8.8/policy/modules/admin/ncftool.te 2010-08-10 05:23:35.000000000 -0400
|
||||
@@ -0,0 +1,87 @@
|
||||
+++ serefpolicy-3.8.8/policy/modules/admin/ncftool.te 2010-08-11 08:45:52.000000000 -0400
|
||||
@@ -0,0 +1,91 @@
|
||||
+policy_module(ncftool, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -1680,6 +1680,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool
|
||||
+optional_policy(`
|
||||
+ iptables_initrc_domtrans(ncftool_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ netutils_domtrans(ncftool_t)
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.8.8/policy/modules/admin/netutils.te
|
||||
--- nsaserefpolicy/policy/modules/admin/netutils.te 2010-07-27 16:06:04.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/admin/netutils.te 2010-07-30 14:06:53.000000000 -0400
|
||||
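Review bot: `netutils_domtrans(ncftool_t)` lets ncftool_t transition into netutils_t, the domain for the raw-socket network utilities, and the hunk gives no hint which tool ncftool actually spawns, so the next reader cannot tell whether a plain `netutils_exec(ncftool_t)` (run the binary in ncftool_t's own, narrower domain) would have done. Add the triggering AVC or tool name as a comment above the call, e.g. `# ncftool invokes the ip/ifconfig tools to apply interface config (runs as netutils_t) -- TODO confirm which binary`. Keeping the call inside `optional_policy` is right; the sibling `iptables_initrc_domtrans(ncftool_t)` block above it is pre-existing context and is not re-reviewed here. The ncftool_t rule block begins before this hunk.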
@ -1767,7 +1771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.8.8/policy/modules/admin/prelink.te
|
||||
--- nsaserefpolicy/policy/modules/admin/prelink.te 2010-07-27 16:06:04.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/admin/prelink.te 2010-08-10 07:29:36.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/admin/prelink.te 2010-08-11 08:24:20.000000000 -0400
|
||||
@@ -59,6 +59,7 @@
|
||||
manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
|
||||
relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
|
||||
@ -1821,6 +1825,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
|
||||
|
||||
domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
|
||||
allow prelink_cron_system_t prelink_t:process noatsecure;
|
||||
@@ -158,6 +169,8 @@
|
||||
|
||||
cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t)
|
||||
|
||||
+ userdom_dontaudit_list_admin_dir(prelink_cron_system_t)
|
||||
+
|
||||
optional_policy(`
|
||||
rpm_read_db(prelink_cron_system_t)
|
||||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.if serefpolicy-3.8.8/policy/modules/admin/quota.if
|
||||
--- nsaserefpolicy/policy/modules/admin/quota.if 2010-07-27 16:12:33.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/admin/quota.if 2010-07-30 14:06:53.000000000 -0400
|
||||
@ -4405,8 +4418,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.8.8/policy/modules/apps/kdumpgui.te
|
||||
--- nsaserefpolicy/policy/modules/apps/kdumpgui.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.8.8/policy/modules/apps/kdumpgui.te 2010-07-30 14:06:53.000000000 -0400
|
||||
@@ -0,0 +1,68 @@
|
||||
+++ serefpolicy-3.8.8/policy/modules/apps/kdumpgui.te 2010-08-11 08:49:51.000000000 -0400
|
||||
@@ -0,0 +1,69 @@
|
||||
+policy_module(kdumpgui,1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -4453,6 +4466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui
|
||||
+files_manage_boot_symlinks(kdumpgui_t)
|
||||
+# Needed for running chkconfig
|
||||
+files_manage_etc_symlinks(kdumpgui_t)
|
||||
+files_read_usr_files(kdumpgui_t)
|
||||
+
|
||||
+auth_use_nsswitch(kdumpgui_t)
|
||||
+
|
||||
@ -5175,8 +5189,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.8.8/policy/modules/apps/nsplugin.te
|
||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.te 2010-08-10 11:45:49.000000000 -0400
|
||||
@@ -0,0 +1,300 @@
|
||||
+++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.te 2010-08-11 08:01:15.000000000 -0400
|
||||
@@ -0,0 +1,301 @@
|
||||
+policy_module(nsplugin, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -5241,6 +5255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
||||
+allow nsplugin_t self:msgq create_msgq_perms;
|
||||
+allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
+allow nsplugin_t self:unix_dgram_socket create_socket_perms;
|
||||
+allow nsplugin_t nsplugin_rw_t:dir search_dir_perms;
|
||||
+
|
||||
+tunable_policy(`allow_nsplugin_execmem',`
|
||||
+ allow nsplugin_t self:process { execstack execmem };
|
||||
@ -5640,7 +5655,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.8.8/policy/modules/apps/podsleuth.te
|
||||
--- nsaserefpolicy/policy/modules/apps/podsleuth.te 2010-07-27 16:06:04.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/apps/podsleuth.te 2010-07-30 14:06:53.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/apps/podsleuth.te 2010-08-11 08:27:39.000000000 -0400
|
||||
@@ -27,7 +27,7 @@
|
||||
# podsleuth local policy
|
||||
#
|
||||
allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
|
||||
-allow podsleuth_t self:process { ptrace signal getsched execheap execmem execstack };
|
||||
+allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack };
|
||||
allow podsleuth_t self:fifo_file rw_file_perms;
|
||||
allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow podsleuth_t self:sem create_sem_perms;
|
||||
@@ -73,6 +73,7 @@
|
||||
sysnet_dns_name_resolve(podsleuth_t)
|
||||
|
||||
@ -6687,7 +6711,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
|
||||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.8.8/policy/modules/apps/seunshare.te
|
||||
--- nsaserefpolicy/policy/modules/apps/seunshare.te 2010-07-27 16:06:04.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/apps/seunshare.te 2010-08-06 12:05:20.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/apps/seunshare.te 2010-08-11 08:01:44.000000000 -0400
|
||||
@@ -5,40 +5,45 @@
|
||||
# Declarations
|
||||
#
|
||||
@ -9885,7 +9909,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.8.8/policy/modules/roles/sysadm.te
|
||||
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-07-27 16:06:05.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/roles/sysadm.te 2010-07-30 14:06:53.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/roles/sysadm.te 2010-08-11 08:20:53.000000000 -0400
|
||||
@@ -27,17 +27,29 @@
|
||||
|
||||
corecmd_exec_shell(sysadm_t)
|
||||
@ -10022,17 +10046,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
|
||||
|
||||
optional_policy(`
|
||||
hostname_run(sysadm_t, sysadm_r)
|
||||
@@ -199,6 +230,9 @@
|
||||
@@ -199,6 +230,13 @@
|
||||
ipsec_stream_connect(sysadm_t)
|
||||
# for lsof
|
||||
ipsec_getattr_key_sockets(sysadm_t)
|
||||
+ ipsec_run_setkey(sysadm_t, sysadm_r)
|
||||
+ ipsec_run_racoon(sysadm_t, sysadm_r)
|
||||
+ ipsec_stream_connect_racoon(sysadm_t)
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ ipsec_mgmt_dbus_chat(sysadm_t)
|
||||
+ ')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -206,12 +240,18 @@
|
||||
@@ -206,12 +244,18 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -10051,7 +10079,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
|
||||
|
||||
optional_policy(`
|
||||
kudzu_run(sysadm_t, sysadm_r)
|
||||
@@ -221,9 +261,11 @@
|
||||
@@ -221,9 +265,11 @@
|
||||
libs_run_ldconfig(sysadm_t, sysadm_r)
|
||||
')
|
||||
|
||||
@ -10063,7 +10091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
|
||||
|
||||
optional_policy(`
|
||||
logrotate_run(sysadm_t, sysadm_r)
|
||||
@@ -246,8 +288,10 @@
|
||||
@@ -246,8 +292,10 @@
|
||||
|
||||
optional_policy(`
|
||||
mount_run(sysadm_t, sysadm_r)
|
||||
@ -10074,7 +10102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
|
||||
optional_policy(`
|
||||
mozilla_role(sysadm_r, sysadm_t)
|
||||
')
|
||||
@@ -255,6 +299,7 @@
|
||||
@@ -255,6 +303,7 @@
|
||||
optional_policy(`
|
||||
mplayer_role(sysadm_r, sysadm_t)
|
||||
')
|
||||
@ -10082,7 +10110,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
|
||||
|
||||
optional_policy(`
|
||||
mta_role(sysadm_r, sysadm_t)
|
||||
@@ -269,6 +314,10 @@
|
||||
@@ -269,6 +318,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -10093,7 +10121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
|
||||
netutils_run(sysadm_t, sysadm_r)
|
||||
netutils_run_ping(sysadm_t, sysadm_r)
|
||||
netutils_run_traceroute(sysadm_t, sysadm_r)
|
||||
@@ -302,8 +351,14 @@
|
||||
@@ -302,8 +355,14 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -10108,7 +10136,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
|
||||
|
||||
optional_policy(`
|
||||
quota_run(sysadm_t, sysadm_r)
|
||||
@@ -313,9 +368,11 @@
|
||||
@@ -313,9 +372,11 @@
|
||||
raid_domtrans_mdadm(sysadm_t)
|
||||
')
|
||||
|
||||
@ -10120,7 +10148,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
|
||||
|
||||
optional_policy(`
|
||||
rpc_domtrans_nfsd(sysadm_t)
|
||||
@@ -325,9 +382,11 @@
|
||||
@@ -325,9 +386,11 @@
|
||||
rpm_run(sysadm_t, sysadm_r)
|
||||
')
|
||||
|
||||
@ -10132,7 +10160,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
|
||||
|
||||
optional_policy(`
|
||||
rsync_exec(sysadm_t)
|
||||
@@ -352,8 +411,14 @@
|
||||
@@ -352,8 +415,14 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -10147,7 +10175,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
|
||||
|
||||
optional_policy(`
|
||||
ssh_role_template(sysadm, sysadm_r, sysadm_t)
|
||||
@@ -376,9 +441,11 @@
|
||||
@@ -376,9 +445,11 @@
|
||||
sysnet_run_dhcpc(sysadm_t, sysadm_r)
|
||||
')
|
||||
|
||||
@ -10159,7 +10187,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
|
||||
|
||||
optional_policy(`
|
||||
tripwire_run_siggen(sysadm_t, sysadm_r)
|
||||
@@ -387,17 +454,21 @@
|
||||
@@ -387,17 +458,21 @@
|
||||
tripwire_run_twprint(sysadm_t, sysadm_r)
|
||||
')
|
||||
|
||||
@ -10181,7 +10209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
|
||||
|
||||
optional_policy(`
|
||||
unconfined_domtrans(sysadm_t)
|
||||
@@ -411,9 +482,11 @@
|
||||
@@ -411,9 +486,11 @@
|
||||
usbmodules_run(sysadm_t, sysadm_r)
|
||||
')
|
||||
|
||||
@ -10193,7 +10221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
|
||||
|
||||
optional_policy(`
|
||||
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
|
||||
@@ -421,9 +494,15 @@
|
||||
@@ -421,9 +498,15 @@
|
||||
usermanage_run_useradd(sysadm_t, sysadm_r)
|
||||
')
|
||||
|
||||
@ -10209,7 +10237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
|
||||
|
||||
optional_policy(`
|
||||
vpn_run(sysadm_t, sysadm_r)
|
||||
@@ -434,13 +513,30 @@
|
||||
@@ -434,13 +517,30 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -10925,7 +10953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.8.8/policy/modules/roles/unconfineduser.te
|
||||
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.8.8/policy/modules/roles/unconfineduser.te 2010-08-11 07:44:10.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/roles/unconfineduser.te 2010-08-11 08:23:36.000000000 -0400
|
||||
@@ -0,0 +1,453 @@
|
||||
+policy_module(unconfineduser, 1.0.0)
|
||||
+
|
||||
@ -14445,7 +14473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
|
||||
corenet_udp_bind_chronyd_port(chronyd_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.8.8/policy/modules/services/clamav.te
|
||||
--- nsaserefpolicy/policy/modules/services/clamav.te 2010-07-27 16:06:05.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/clamav.te 2010-08-10 08:26:22.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/clamav.te 2010-08-11 08:54:31.000000000 -0400
|
||||
@@ -80,6 +80,7 @@
|
||||
files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
|
||||
|
||||
@ -14466,7 +14494,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
|
||||
|
||||
kernel_dontaudit_list_proc(clamd_t)
|
||||
kernel_read_sysctl(clamd_t)
|
||||
@@ -189,6 +191,7 @@
|
||||
@@ -182,6 +184,8 @@
|
||||
allow freshclam_t clamd_var_log_t:dir search_dir_perms;
|
||||
logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
|
||||
|
||||
+kernel_read_kernel_sysctls(freshclam_t)
|
||||
+
|
||||
corenet_all_recvfrom_unlabeled(freshclam_t)
|
||||
corenet_all_recvfrom_netlabel(freshclam_t)
|
||||
corenet_tcp_sendrecv_generic_if(freshclam_t)
|
||||
@@ -189,6 +193,7 @@
|
||||
corenet_tcp_sendrecv_all_ports(freshclam_t)
|
||||
corenet_tcp_sendrecv_clamd_port(freshclam_t)
|
||||
corenet_tcp_connect_http_port(freshclam_t)
|
||||
@ -14474,7 +14511,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
|
||||
corenet_sendrecv_http_client_packets(freshclam_t)
|
||||
|
||||
dev_read_rand(freshclam_t)
|
||||
@@ -207,6 +210,8 @@
|
||||
@@ -207,6 +212,8 @@
|
||||
|
||||
clamav_stream_connect(freshclam_t)
|
||||
|
||||
@ -15231,6 +15268,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
|
||||
+ # Something that runs in the cobberd_t domain tries to relabelfrom cobbler_content_t dir to httpd_sys_content_t.
|
||||
+ dontaudit cobblerd_t httpdcontent:dir relabel_dir_perms;
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.8.8/policy/modules/services/consolekit.if
|
||||
--- nsaserefpolicy/policy/modules/services/consolekit.if 2010-07-27 16:06:05.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/consolekit.if 2010-08-11 08:07:53.000000000 -0400
|
||||
@@ -95,3 +95,22 @@
|
||||
files_search_pids($1)
|
||||
read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
|
||||
')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## List consolekit PID files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`consolekit_list_pid_files',`
|
||||
+ gen_require(`
|
||||
+ type consolekit_var_run_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_pids($1)
|
||||
+ list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.8.8/policy/modules/services/consolekit.te
|
||||
--- nsaserefpolicy/policy/modules/services/consolekit.te 2010-07-27 16:06:05.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/consolekit.te 2010-07-30 14:06:53.000000000 -0400
|
||||
@ -16030,7 +16093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
||||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.8.8/policy/modules/services/cups.te
|
||||
--- nsaserefpolicy/policy/modules/services/cups.te 2010-07-27 16:06:05.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/cups.te 2010-07-30 14:06:53.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/cups.te 2010-08-11 08:24:50.000000000 -0400
|
||||
@@ -15,6 +15,7 @@
|
||||
type cupsd_t;
|
||||
type cupsd_exec_t;
|
||||
@ -16109,7 +16172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
||||
hal_domtrans(cupsd_config_t)
|
||||
hal_read_tmp_files(cupsd_config_t)
|
||||
hal_dontaudit_use_fds(hplip_t)
|
||||
@@ -587,13 +599,18 @@
|
||||
@@ -587,13 +599,19 @@
|
||||
|
||||
miscfiles_read_localization(cups_pdf_t)
|
||||
miscfiles_read_fonts(cups_pdf_t)
|
||||
@ -16119,6 +16182,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
||||
+userdom_user_home_dir_filetrans_pattern(cups_pdf_t, { file dir })
|
||||
userdom_manage_user_home_content_dirs(cups_pdf_t)
|
||||
userdom_manage_user_home_content_files(cups_pdf_t)
|
||||
+userdom_dontaudit_search_admin_dir(cups_pdf_t)
|
||||
|
||||
lpd_manage_spool(cups_pdf_t)
|
||||
|
||||
@ -21232,7 +21296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
|
||||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.8.8/policy/modules/services/policykit.te
|
||||
--- nsaserefpolicy/policy/modules/services/policykit.te 2010-07-27 16:06:06.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/policykit.te 2010-08-10 11:37:04.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/policykit.te 2010-08-11 08:57:21.000000000 -0400
|
||||
@@ -24,6 +24,9 @@
|
||||
type policykit_reload_t alias polkit_reload_t;
|
||||
files_type(policykit_reload_t)
|
||||
@ -21277,7 +21341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
|
||||
|
||||
auth_use_nsswitch(policykit_t)
|
||||
|
||||
@@ -67,45 +77,84 @@
|
||||
@@ -67,45 +77,89 @@
|
||||
|
||||
miscfiles_read_localization(policykit_t)
|
||||
|
||||
@ -21298,6 +21362,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ consolekit_list_pid_files(policykit_t)
|
||||
+ consolekit_read_pid_files(policykit_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ gnome_read_config(policykit_t)
|
||||
+')
|
||||
|
||||
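Review bot: The new `consolekit_list_pid_files(policykit_t)` next to `consolekit_read_pid_files(policykit_t)` reads as a duplicate unless one knows that the read interface (visible earlier in this patch) grants `files_search_pids` and file reads but no directory listing; a one-line comment would spare the next maintainer that lookup, e.g. `# read alone does not grant listing the consolekit pid dir; polkitd presumably enumerates it -- confirm`. Wrapping both in one `optional_policy` block is correct since they come from the same module. The enclosing policykit_t rule block starts before this hunk.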
@ -21368,7 +21437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
|
||||
dbus_session_bus_client(policykit_auth_t)
|
||||
|
||||
optional_policy(`
|
||||
@@ -118,6 +167,14 @@
|
||||
@@ -118,6 +172,14 @@
|
||||
hal_read_state(policykit_auth_t)
|
||||
')
|
||||
|
||||
@ -21383,7 +21452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
|
||||
########################################
|
||||
#
|
||||
# polkit_grant local policy
|
||||
@@ -125,7 +182,8 @@
|
||||
@@ -125,7 +187,8 @@
|
||||
|
||||
allow policykit_grant_t self:capability setuid;
|
||||
allow policykit_grant_t self:process getattr;
|
||||
@ -21393,7 +21462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
|
||||
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
|
||||
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
@@ -155,9 +213,12 @@
|
||||
@@ -155,9 +218,12 @@
|
||||
userdom_read_all_users_state(policykit_grant_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -21407,7 +21476,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
|
||||
consolekit_dbus_chat(policykit_grant_t)
|
||||
')
|
||||
')
|
||||
@@ -169,7 +230,8 @@
|
||||
@@ -169,7 +235,8 @@
|
||||
|
||||
allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
|
||||
allow policykit_resolve_t self:process getattr;
|
||||
@ -27516,7 +27585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.8.8/policy/modules/services/xserver.te
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-07-27 16:06:06.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/xserver.te 2010-08-05 16:01:15.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/xserver.te 2010-08-11 08:03:36.000000000 -0400
|
||||
@@ -35,6 +35,13 @@
|
||||
|
||||
## <desc>
|
||||
@ -27863,7 +27932,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
+fs_read_noxattr_fs_files(xdm_t)
|
||||
+fs_dontaudit_list_fusefs(xdm_t)
|
||||
+fs_manage_cgroup_dirs(xdm_t)
|
||||
+fs_rw_cgroup_files(xdm_t)
|
||||
+fs_manage_cgroup_files(xdm_t)
|
||||
+
|
||||
+manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t)
|
||||
+
|
||||
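Review bot: With equal old/new counts on this outer hunk, the adjacent pair `+fs_rw_cgroup_files(xdm_t)` / `+fs_manage_cgroup_files(xdm_t)` is almost certainly the line this commit replaces, which widens the display manager from read/write to full create/unlink/rename on cgroup files on top of the already-present `fs_manage_cgroup_dirs(xdm_t)`; if instead both lines survive on the new side, the rw one is redundant and should be dropped. Either way the widening deserves a why-comment, e.g. `# xdm creates and tears down per-session cgroup files -- TODO confirm against the AVC`. The xdm_t rule block continues outside this hunk.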
@ -29306,7 +29375,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu
|
||||
## <rolecap/>
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.8.8/policy/modules/system/hotplug.te
|
||||
--- nsaserefpolicy/policy/modules/system/hotplug.te 2010-07-27 16:06:06.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/system/hotplug.te 2010-07-30 14:06:53.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/system/hotplug.te 2010-08-11 08:14:12.000000000 -0400
|
||||
@@ -23,7 +23,7 @@
|
||||
#
|
||||
|
||||
@ -29316,7 +29385,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu
|
||||
# for access("/etc/bashrc", X_OK) on Red Hat
|
||||
dontaudit hotplug_t self:capability { dac_override dac_read_search };
|
||||
allow hotplug_t self:process { setpgid getsession getattr signal_perms };
|
||||
@@ -39,12 +39,14 @@
|
||||
@@ -39,14 +39,16 @@
|
||||
|
||||
can_exec(hotplug_t, hotplug_exec_t)
|
||||
|
||||
@ -29330,7 +29399,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu
|
||||
kernel_read_system_state(hotplug_t)
|
||||
+kernel_read_network_state(hotplug_t)
|
||||
kernel_read_kernel_sysctls(hotplug_t)
|
||||
kernel_read_net_sysctls(hotplug_t)
|
||||
-kernel_read_net_sysctls(hotplug_t)
|
||||
+kernel_rw_net_sysctls(hotplug_t)
|
||||
|
||||
files_read_kernel_modules(hotplug_t)
|
||||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.8.8/policy/modules/system/init.fc
|
||||
--- nsaserefpolicy/policy/modules/system/init.fc 2010-07-27 16:06:06.000000000 -0400
|
||||
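Review bot: Replacing `kernel_read_net_sysctls(hotplug_t)` with `kernel_rw_net_sysctls(hotplug_t)` gives the hotplug script runner write access to the whole `sysctl_net_t` tree (/proc/sys/net), which includes forwarding, rp_filter and similar host-wide settings, and nothing in the hunk records why. Please cite the AVC or the script that needs it in a comment above the line, e.g. `# hotplug network scripts write /proc/sys/net/* -- TODO name the sysctl`, and confirm no narrower rule covers it. The added `kernel_read_network_state(hotplug_t)` in the same block is read-only and fine. The hotplug_t rule block begins before this hunk.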
@ -30500,7 +30572,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.8.8/policy/modules/system/ipsec.te
|
||||
--- nsaserefpolicy/policy/modules/system/ipsec.te 2010-07-27 16:06:06.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/system/ipsec.te 2010-08-10 11:57:19.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/system/ipsec.te 2010-08-11 08:20:05.000000000 -0400
|
||||
@@ -72,7 +72,7 @@
|
||||
#
|
||||
|
||||
@ -34939,7 +35011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
+HOME_DIR/\.gvfs(/.*)? <<none>>
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.8.8/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-07-27 16:06:06.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/system/userdomain.if 2010-07-30 14:06:53.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/system/userdomain.if 2010-08-11 08:23:58.000000000 -0400
|
||||
@@ -30,8 +30,9 @@
|
||||
')
|
||||
|
||||
|