- Start adding support for use_fusefs_home_dirs
- Add /var/lib/syslog directory file context - Add /etc/localtime as locale file context
parent
991ee5f4d3
commit
b1cbbd0768
143
policy-F14.patch
143
policy-F14.patch
@ -149,7 +149,7 @@ index 0000000..e9c43b1
|
|||||||
+.SH "SEE ALSO"
|
+.SH "SEE ALSO"
|
||||||
+selinux(8), git(8), chcon(1), semodule(8), setsebool(8)
|
+selinux(8), git(8), chcon(1), semodule(8), setsebool(8)
|
||||||
diff --git a/policy/global_tunables b/policy/global_tunables
|
diff --git a/policy/global_tunables b/policy/global_tunables
|
||||||
index 3316f6e..f85244d 100644
|
index 3316f6e..6e82b1e 100644
|
||||||
--- a/policy/global_tunables
|
--- a/policy/global_tunables
|
||||||
+++ b/policy/global_tunables
|
+++ b/policy/global_tunables
|
||||||
@@ -13,21 +13,21 @@ gen_tunable(allow_execheap,false)
|
@@ -13,21 +13,21 @@ gen_tunable(allow_execheap,false)
|
||||||
@ -193,7 +193,20 @@ index 3316f6e..f85244d 100644
|
|||||||
## Allow any files/directories to be exported read/write via NFS.
|
## Allow any files/directories to be exported read/write via NFS.
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
@@ -104,3 +95,11 @@ gen_tunable(use_samba_home_dirs,false)
|
@@ -98,9 +89,24 @@ gen_tunable(use_samba_home_dirs,false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
+## Support fusefs home directories
|
||||||
|
+## </p>
|
||||||
|
+## </desc>
|
||||||
|
+gen_tunable(use_fusefs_home_dirs,false)
|
||||||
|
+
|
||||||
|
+## <desc>
|
||||||
|
+## <p>
|
||||||
|
## Allow users to run TCP servers (bind to ports and accept connection from
|
||||||
|
## the same domain and outside users) disabling this forces FTP passive mode
|
||||||
|
## and may change other protocols.
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(user_tcp_server,false)
|
gen_tunable(user_tcp_server,false)
|
||||||
@ -3790,7 +3803,7 @@ index 9a6d67d..dfac7cc 100644
|
|||||||
## mozilla over dbus.
|
## mozilla over dbus.
|
||||||
## </summary>
|
## </summary>
|
||||||
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
|
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
|
||||||
index cbf4bec..cc87b60 100644
|
index cbf4bec..d4cb9c4 100644
|
||||||
--- a/policy/modules/apps/mozilla.te
|
--- a/policy/modules/apps/mozilla.te
|
||||||
+++ b/policy/modules/apps/mozilla.te
|
+++ b/policy/modules/apps/mozilla.te
|
||||||
@@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
|
@@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
|
||||||
@ -3863,7 +3876,7 @@ index cbf4bec..cc87b60 100644
|
|||||||
pulseaudio_exec(mozilla_t)
|
pulseaudio_exec(mozilla_t)
|
||||||
pulseaudio_stream_connect(mozilla_t)
|
pulseaudio_stream_connect(mozilla_t)
|
||||||
pulseaudio_manage_home_files(mozilla_t)
|
pulseaudio_manage_home_files(mozilla_t)
|
||||||
@@ -266,3 +291,124 @@ optional_policy(`
|
@@ -266,3 +291,125 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
thunderbird_domtrans(mozilla_t)
|
thunderbird_domtrans(mozilla_t)
|
||||||
')
|
')
|
||||||
@ -3945,6 +3958,7 @@ index cbf4bec..cc87b60 100644
|
|||||||
+userdom_manage_user_tmp_sockets(mozilla_plugin_t)
|
+userdom_manage_user_tmp_sockets(mozilla_plugin_t)
|
||||||
+
|
+
|
||||||
+userdom_list_user_tmp(mozilla_plugin_t)
|
+userdom_list_user_tmp(mozilla_plugin_t)
|
||||||
|
+userdom_manage_user_tmp_dirs(mozilla_plugin_t)
|
||||||
+userdom_read_user_tmp_files(mozilla_plugin_t)
|
+userdom_read_user_tmp_files(mozilla_plugin_t)
|
||||||
+userdom_read_user_tmp_symlinks(mozilla_plugin_t)
|
+userdom_read_user_tmp_symlinks(mozilla_plugin_t)
|
||||||
+userdom_read_user_home_content_files(mozilla_plugin_t)
|
+userdom_read_user_home_content_files(mozilla_plugin_t)
|
||||||
@ -36128,7 +36142,7 @@ index da2601a..f963642 100644
|
|||||||
+ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
|
+ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
|
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
|
||||||
index e226da4..f37e8ae 100644
|
index e226da4..44cd738 100644
|
||||||
--- a/policy/modules/services/xserver.te
|
--- a/policy/modules/services/xserver.te
|
||||||
+++ b/policy/modules/services/xserver.te
|
+++ b/policy/modules/services/xserver.te
|
||||||
@@ -26,27 +26,43 @@ gen_require(`
|
@@ -26,27 +26,43 @@ gen_require(`
|
||||||
@ -36315,7 +36329,7 @@ index e226da4..f37e8ae 100644
|
|||||||
files_tmpfs_file(xserver_tmpfs_t)
|
files_tmpfs_file(xserver_tmpfs_t)
|
||||||
ubac_constrained(xserver_tmpfs_t)
|
ubac_constrained(xserver_tmpfs_t)
|
||||||
|
|
||||||
@@ -234,9 +272,13 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
|
@@ -234,9 +272,17 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
|
||||||
|
|
||||||
allow xdm_t iceauth_home_t:file read_file_perms;
|
allow xdm_t iceauth_home_t:file read_file_perms;
|
||||||
|
|
||||||
@ -36326,10 +36340,14 @@ index e226da4..f37e8ae 100644
|
|||||||
userdom_use_user_terminals(iceauth_t)
|
userdom_use_user_terminals(iceauth_t)
|
||||||
+userdom_read_user_tmp_files(iceauth_t)
|
+userdom_read_user_tmp_files(iceauth_t)
|
||||||
+userdom_read_all_users_state(iceauth_t)
|
+userdom_read_all_users_state(iceauth_t)
|
||||||
|
+
|
||||||
|
+tunable_policy(`use_fusefs_home_dirs',`
|
||||||
|
+ fs_manage_fusefs_files(iceauth_t)
|
||||||
|
+')
|
||||||
|
|
||||||
tunable_policy(`use_nfs_home_dirs',`
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
fs_manage_nfs_files(iceauth_t)
|
fs_manage_nfs_files(iceauth_t)
|
||||||
@@ -246,50 +288,105 @@ tunable_policy(`use_samba_home_dirs',`
|
@@ -246,50 +292,110 @@ tunable_policy(`use_samba_home_dirs',`
|
||||||
fs_manage_cifs_files(iceauth_t)
|
fs_manage_cifs_files(iceauth_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -36418,6 +36436,11 @@ index e226da4..f37e8ae 100644
|
|||||||
+ dev_dontaudit_rw_generic_dev_nodes(xauth_t)
|
+ dev_dontaudit_rw_generic_dev_nodes(xauth_t)
|
||||||
+ miscfiles_read_fonts(xauth_t)
|
+ miscfiles_read_fonts(xauth_t)
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
|
+tunable_policy(`use_fusefs_home_dirs',`
|
||||||
|
+ fs_manage_fusefs_files(xauth_t)
|
||||||
|
+ fs_read_fusefs_symlinks(xauth_t)
|
||||||
|
+')
|
||||||
+
|
+
|
||||||
tunable_policy(`use_nfs_home_dirs',`
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
fs_manage_nfs_files(xauth_t)
|
fs_manage_nfs_files(xauth_t)
|
||||||
@ -36440,7 +36463,7 @@ index e226da4..f37e8ae 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
ssh_sigchld(xauth_t)
|
ssh_sigchld(xauth_t)
|
||||||
ssh_read_pipes(xauth_t)
|
ssh_read_pipes(xauth_t)
|
||||||
@@ -301,20 +398,32 @@ optional_policy(`
|
@@ -301,20 +407,32 @@ optional_policy(`
|
||||||
# XDM Local policy
|
# XDM Local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -36477,7 +36500,7 @@ index e226da4..f37e8ae 100644
|
|||||||
|
|
||||||
# Allow gdm to run gdm-binary
|
# Allow gdm to run gdm-binary
|
||||||
can_exec(xdm_t, xdm_exec_t)
|
can_exec(xdm_t, xdm_exec_t)
|
||||||
@@ -322,43 +431,69 @@ can_exec(xdm_t, xdm_exec_t)
|
@@ -322,43 +440,69 @@ can_exec(xdm_t, xdm_exec_t)
|
||||||
allow xdm_t xdm_lock_t:file manage_file_perms;
|
allow xdm_t xdm_lock_t:file manage_file_perms;
|
||||||
files_lock_filetrans(xdm_t, xdm_lock_t, file)
|
files_lock_filetrans(xdm_t, xdm_lock_t, file)
|
||||||
|
|
||||||
@ -36554,7 +36577,7 @@ index e226da4..f37e8ae 100644
|
|||||||
|
|
||||||
# connect to xdm xserver over stream socket
|
# connect to xdm xserver over stream socket
|
||||||
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
||||||
@@ -367,18 +502,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
@@ -367,18 +511,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
||||||
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
|
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
|
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
|
|
||||||
@ -36582,7 +36605,7 @@ index e226da4..f37e8ae 100644
|
|||||||
|
|
||||||
corenet_all_recvfrom_unlabeled(xdm_t)
|
corenet_all_recvfrom_unlabeled(xdm_t)
|
||||||
corenet_all_recvfrom_netlabel(xdm_t)
|
corenet_all_recvfrom_netlabel(xdm_t)
|
||||||
@@ -390,18 +533,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
|
@@ -390,18 +542,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
|
||||||
corenet_udp_sendrecv_all_ports(xdm_t)
|
corenet_udp_sendrecv_all_ports(xdm_t)
|
||||||
corenet_tcp_bind_generic_node(xdm_t)
|
corenet_tcp_bind_generic_node(xdm_t)
|
||||||
corenet_udp_bind_generic_node(xdm_t)
|
corenet_udp_bind_generic_node(xdm_t)
|
||||||
@ -36606,7 +36629,7 @@ index e226da4..f37e8ae 100644
|
|||||||
dev_setattr_apm_bios_dev(xdm_t)
|
dev_setattr_apm_bios_dev(xdm_t)
|
||||||
dev_rw_dri(xdm_t)
|
dev_rw_dri(xdm_t)
|
||||||
dev_rw_agp(xdm_t)
|
dev_rw_agp(xdm_t)
|
||||||
@@ -410,18 +557,23 @@ dev_setattr_xserver_misc_dev(xdm_t)
|
@@ -410,18 +566,23 @@ dev_setattr_xserver_misc_dev(xdm_t)
|
||||||
dev_getattr_misc_dev(xdm_t)
|
dev_getattr_misc_dev(xdm_t)
|
||||||
dev_setattr_misc_dev(xdm_t)
|
dev_setattr_misc_dev(xdm_t)
|
||||||
dev_dontaudit_rw_misc(xdm_t)
|
dev_dontaudit_rw_misc(xdm_t)
|
||||||
@ -36633,7 +36656,7 @@ index e226da4..f37e8ae 100644
|
|||||||
|
|
||||||
files_read_etc_files(xdm_t)
|
files_read_etc_files(xdm_t)
|
||||||
files_read_var_files(xdm_t)
|
files_read_var_files(xdm_t)
|
||||||
@@ -432,9 +584,17 @@ files_list_mnt(xdm_t)
|
@@ -432,9 +593,17 @@ files_list_mnt(xdm_t)
|
||||||
files_read_usr_files(xdm_t)
|
files_read_usr_files(xdm_t)
|
||||||
# Poweroff wants to create the /poweroff file when run from xdm
|
# Poweroff wants to create the /poweroff file when run from xdm
|
||||||
files_create_boot_flag(xdm_t)
|
files_create_boot_flag(xdm_t)
|
||||||
@ -36651,7 +36674,7 @@ index e226da4..f37e8ae 100644
|
|||||||
|
|
||||||
storage_dontaudit_read_fixed_disk(xdm_t)
|
storage_dontaudit_read_fixed_disk(xdm_t)
|
||||||
storage_dontaudit_write_fixed_disk(xdm_t)
|
storage_dontaudit_write_fixed_disk(xdm_t)
|
||||||
@@ -443,28 +603,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
|
@@ -443,28 +612,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
|
||||||
storage_dontaudit_raw_write_removable_device(xdm_t)
|
storage_dontaudit_raw_write_removable_device(xdm_t)
|
||||||
storage_dontaudit_setattr_removable_dev(xdm_t)
|
storage_dontaudit_setattr_removable_dev(xdm_t)
|
||||||
storage_dontaudit_rw_scsi_generic(xdm_t)
|
storage_dontaudit_rw_scsi_generic(xdm_t)
|
||||||
@ -36690,7 +36713,7 @@ index e226da4..f37e8ae 100644
|
|||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
|
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
|
||||||
userdom_create_all_users_keys(xdm_t)
|
userdom_create_all_users_keys(xdm_t)
|
||||||
@@ -473,9 +641,25 @@ userdom_read_user_home_content_files(xdm_t)
|
@@ -473,9 +650,32 @@ userdom_read_user_home_content_files(xdm_t)
|
||||||
# Search /proc for any user domain processes.
|
# Search /proc for any user domain processes.
|
||||||
userdom_read_all_users_state(xdm_t)
|
userdom_read_all_users_state(xdm_t)
|
||||||
userdom_signal_all_users(xdm_t)
|
userdom_signal_all_users(xdm_t)
|
||||||
@ -36712,11 +36735,18 @@ index e226da4..f37e8ae 100644
|
|||||||
+
|
+
|
||||||
+ifdef(`distro_rhel4',`
|
+ifdef(`distro_rhel4',`
|
||||||
+ allow xdm_t self:process { execheap execmem };
|
+ allow xdm_t self:process { execheap execmem };
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+tunable_policy(`use_fusefs_home_dirs',`
|
||||||
|
+ fs_manage_fusefs_dirs(xdm_t)
|
||||||
|
+ fs_manage_fusefs_files(xdm_t)
|
||||||
|
+ fs_manage_fusefs_symlinks(xdm_t)
|
||||||
|
+ fs_exec_fusefs_files(xdm_t)
|
||||||
+')
|
+')
|
||||||
|
|
||||||
tunable_policy(`use_nfs_home_dirs',`
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
fs_manage_nfs_dirs(xdm_t)
|
fs_manage_nfs_dirs(xdm_t)
|
||||||
@@ -504,11 +688,17 @@ tunable_policy(`xdm_sysadm_login',`
|
@@ -504,11 +704,17 @@ tunable_policy(`xdm_sysadm_login',`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -36734,7 +36764,7 @@ index e226da4..f37e8ae 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -516,12 +706,49 @@ optional_policy(`
|
@@ -516,12 +722,49 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -36784,7 +36814,7 @@ index e226da4..f37e8ae 100644
|
|||||||
hostname_exec(xdm_t)
|
hostname_exec(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -539,28 +766,63 @@ optional_policy(`
|
@@ -539,28 +782,63 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -36857,7 +36887,7 @@ index e226da4..f37e8ae 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -572,6 +834,10 @@ optional_policy(`
|
@@ -572,6 +850,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -36868,7 +36898,7 @@ index e226da4..f37e8ae 100644
|
|||||||
xfs_stream_connect(xdm_t)
|
xfs_stream_connect(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -596,7 +862,7 @@ allow xserver_t input_xevent_t:x_event send;
|
@@ -596,7 +878,7 @@ allow xserver_t input_xevent_t:x_event send;
|
||||||
# execheap needed until the X module loader is fixed.
|
# execheap needed until the X module loader is fixed.
|
||||||
# NVIDIA Needs execstack
|
# NVIDIA Needs execstack
|
||||||
|
|
||||||
@ -36877,7 +36907,7 @@ index e226da4..f37e8ae 100644
|
|||||||
dontaudit xserver_t self:capability chown;
|
dontaudit xserver_t self:capability chown;
|
||||||
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||||
allow xserver_t self:fd use;
|
allow xserver_t self:fd use;
|
||||||
@@ -610,6 +876,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
|
@@ -610,6 +892,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||||
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||||
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow xserver_t self:udp_socket create_socket_perms;
|
allow xserver_t self:udp_socket create_socket_perms;
|
||||||
@ -36892,7 +36922,7 @@ index e226da4..f37e8ae 100644
|
|||||||
|
|
||||||
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
@@ -629,12 +903,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
@@ -629,12 +919,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||||
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||||
files_search_var_lib(xserver_t)
|
files_search_var_lib(xserver_t)
|
||||||
|
|
||||||
@ -36914,7 +36944,7 @@ index e226da4..f37e8ae 100644
|
|||||||
|
|
||||||
kernel_read_system_state(xserver_t)
|
kernel_read_system_state(xserver_t)
|
||||||
kernel_read_device_sysctls(xserver_t)
|
kernel_read_device_sysctls(xserver_t)
|
||||||
@@ -642,6 +923,7 @@ kernel_read_modprobe_sysctls(xserver_t)
|
@@ -642,6 +939,7 @@ kernel_read_modprobe_sysctls(xserver_t)
|
||||||
# Xorg wants to check if kernel is tainted
|
# Xorg wants to check if kernel is tainted
|
||||||
kernel_read_kernel_sysctls(xserver_t)
|
kernel_read_kernel_sysctls(xserver_t)
|
||||||
kernel_write_proc_files(xserver_t)
|
kernel_write_proc_files(xserver_t)
|
||||||
@ -36922,7 +36952,7 @@ index e226da4..f37e8ae 100644
|
|||||||
|
|
||||||
# Run helper programs in xserver_t.
|
# Run helper programs in xserver_t.
|
||||||
corecmd_exec_bin(xserver_t)
|
corecmd_exec_bin(xserver_t)
|
||||||
@@ -668,7 +950,6 @@ dev_rw_apm_bios(xserver_t)
|
@@ -668,7 +966,6 @@ dev_rw_apm_bios(xserver_t)
|
||||||
dev_rw_agp(xserver_t)
|
dev_rw_agp(xserver_t)
|
||||||
dev_rw_framebuffer(xserver_t)
|
dev_rw_framebuffer(xserver_t)
|
||||||
dev_manage_dri_dev(xserver_t)
|
dev_manage_dri_dev(xserver_t)
|
||||||
@ -36930,7 +36960,7 @@ index e226da4..f37e8ae 100644
|
|||||||
dev_create_generic_dirs(xserver_t)
|
dev_create_generic_dirs(xserver_t)
|
||||||
dev_setattr_generic_dirs(xserver_t)
|
dev_setattr_generic_dirs(xserver_t)
|
||||||
# raw memory access is needed if not using the frame buffer
|
# raw memory access is needed if not using the frame buffer
|
||||||
@@ -678,11 +959,17 @@ dev_wx_raw_memory(xserver_t)
|
@@ -678,11 +975,17 @@ dev_wx_raw_memory(xserver_t)
|
||||||
dev_rw_xserver_misc(xserver_t)
|
dev_rw_xserver_misc(xserver_t)
|
||||||
# read events - the synaptics touchpad driver reads raw events
|
# read events - the synaptics touchpad driver reads raw events
|
||||||
dev_rw_input_dev(xserver_t)
|
dev_rw_input_dev(xserver_t)
|
||||||
@ -36948,7 +36978,7 @@ index e226da4..f37e8ae 100644
|
|||||||
|
|
||||||
# brought on by rhgb
|
# brought on by rhgb
|
||||||
files_search_mnt(xserver_t)
|
files_search_mnt(xserver_t)
|
||||||
@@ -693,8 +980,13 @@ fs_getattr_xattr_fs(xserver_t)
|
@@ -693,8 +996,13 @@ fs_getattr_xattr_fs(xserver_t)
|
||||||
fs_search_nfs(xserver_t)
|
fs_search_nfs(xserver_t)
|
||||||
fs_search_auto_mountpoints(xserver_t)
|
fs_search_auto_mountpoints(xserver_t)
|
||||||
fs_search_ramfs(xserver_t)
|
fs_search_ramfs(xserver_t)
|
||||||
@ -36962,7 +36992,7 @@ index e226da4..f37e8ae 100644
|
|||||||
|
|
||||||
selinux_validate_context(xserver_t)
|
selinux_validate_context(xserver_t)
|
||||||
selinux_compute_access_vector(xserver_t)
|
selinux_compute_access_vector(xserver_t)
|
||||||
@@ -716,11 +1008,14 @@ logging_send_audit_msgs(xserver_t)
|
@@ -716,11 +1024,14 @@ logging_send_audit_msgs(xserver_t)
|
||||||
|
|
||||||
miscfiles_read_localization(xserver_t)
|
miscfiles_read_localization(xserver_t)
|
||||||
miscfiles_read_fonts(xserver_t)
|
miscfiles_read_fonts(xserver_t)
|
||||||
@ -36977,7 +37007,7 @@ index e226da4..f37e8ae 100644
|
|||||||
|
|
||||||
userdom_search_user_home_dirs(xserver_t)
|
userdom_search_user_home_dirs(xserver_t)
|
||||||
userdom_use_user_ttys(xserver_t)
|
userdom_use_user_ttys(xserver_t)
|
||||||
@@ -773,12 +1068,28 @@ optional_policy(`
|
@@ -773,12 +1084,28 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -37007,7 +37037,7 @@ index e226da4..f37e8ae 100644
|
|||||||
unconfined_domtrans(xserver_t)
|
unconfined_domtrans(xserver_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -787,6 +1098,10 @@ optional_policy(`
|
@@ -787,6 +1114,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -37018,7 +37048,7 @@ index e226da4..f37e8ae 100644
|
|||||||
xfs_stream_connect(xserver_t)
|
xfs_stream_connect(xserver_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -802,10 +1117,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
|
@@ -802,10 +1133,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
|
||||||
|
|
||||||
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
|
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
|
||||||
# handle of a file inside the dir!!!
|
# handle of a file inside the dir!!!
|
||||||
@ -37032,7 +37062,7 @@ index e226da4..f37e8ae 100644
|
|||||||
|
|
||||||
# Label pid and temporary files with derived types.
|
# Label pid and temporary files with derived types.
|
||||||
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||||
@@ -813,7 +1128,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
@@ -813,7 +1144,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||||
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||||
|
|
||||||
# Run xkbcomp.
|
# Run xkbcomp.
|
||||||
@ -37041,7 +37071,7 @@ index e226da4..f37e8ae 100644
|
|||||||
can_exec(xserver_t, xkb_var_lib_t)
|
can_exec(xserver_t, xkb_var_lib_t)
|
||||||
|
|
||||||
# VNC v4 module in X server
|
# VNC v4 module in X server
|
||||||
@@ -826,6 +1141,9 @@ init_use_fds(xserver_t)
|
@@ -826,6 +1157,9 @@ init_use_fds(xserver_t)
|
||||||
# to read ROLE_home_t - examine this in more detail
|
# to read ROLE_home_t - examine this in more detail
|
||||||
# (xauth?)
|
# (xauth?)
|
||||||
userdom_read_user_home_content_files(xserver_t)
|
userdom_read_user_home_content_files(xserver_t)
|
||||||
@ -37051,7 +37081,20 @@ index e226da4..f37e8ae 100644
|
|||||||
|
|
||||||
tunable_policy(`use_nfs_home_dirs',`
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
fs_manage_nfs_dirs(xserver_t)
|
fs_manage_nfs_dirs(xserver_t)
|
||||||
@@ -841,11 +1159,14 @@ tunable_policy(`use_samba_home_dirs',`
|
@@ -833,6 +1167,12 @@ tunable_policy(`use_nfs_home_dirs',`
|
||||||
|
fs_manage_nfs_symlinks(xserver_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
+tunable_policy(`use_fusefs_home_dirs',`
|
||||||
|
+ fs_manage_fusefs_dirs(xserver_t)
|
||||||
|
+ fs_manage_fusefs_files(xserver_t)
|
||||||
|
+ fs_manage_fusefs_symlinks(xserver_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
tunable_policy(`use_samba_home_dirs',`
|
||||||
|
fs_manage_cifs_dirs(xserver_t)
|
||||||
|
fs_manage_cifs_files(xserver_t)
|
||||||
|
@@ -841,11 +1181,14 @@ tunable_policy(`use_samba_home_dirs',`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_system_bus_client(xserver_t)
|
dbus_system_bus_client(xserver_t)
|
||||||
@ -37068,7 +37111,7 @@ index e226da4..f37e8ae 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -853,6 +1174,10 @@ optional_policy(`
|
@@ -853,6 +1196,10 @@ optional_policy(`
|
||||||
rhgb_rw_tmpfs_files(xserver_t)
|
rhgb_rw_tmpfs_files(xserver_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -37079,7 +37122,7 @@ index e226da4..f37e8ae 100644
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Rules common to all X window domains
|
# Rules common to all X window domains
|
||||||
@@ -896,7 +1221,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
|
@@ -896,7 +1243,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
|
||||||
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
|
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
|
||||||
# operations allowed on my windows
|
# operations allowed on my windows
|
||||||
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
||||||
@ -37088,7 +37131,7 @@ index e226da4..f37e8ae 100644
|
|||||||
# operations allowed on all windows
|
# operations allowed on all windows
|
||||||
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
|
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
|
||||||
|
|
||||||
@@ -950,11 +1275,31 @@ allow x_domain self:x_resource { read write };
|
@@ -950,11 +1297,31 @@ allow x_domain self:x_resource { read write };
|
||||||
# can mess with the screensaver
|
# can mess with the screensaver
|
||||||
allow x_domain xserver_t:x_screen { getattr saver_getattr };
|
allow x_domain xserver_t:x_screen { getattr saver_getattr };
|
||||||
|
|
||||||
@ -37120,7 +37163,7 @@ index e226da4..f37e8ae 100644
|
|||||||
tunable_policy(`! xserver_object_manager',`
|
tunable_policy(`! xserver_object_manager',`
|
||||||
# should be xserver_unconfined(x_domain),
|
# should be xserver_unconfined(x_domain),
|
||||||
# but typeattribute doesnt work in conditionals
|
# but typeattribute doesnt work in conditionals
|
||||||
@@ -976,18 +1321,32 @@ tunable_policy(`! xserver_object_manager',`
|
@@ -976,18 +1343,32 @@ tunable_policy(`! xserver_object_manager',`
|
||||||
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
|
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -37156,8 +37199,8 @@ index e226da4..f37e8ae 100644
|
|||||||
+ fs_append_nfs_files(xdmhomewriter)
|
+ fs_append_nfs_files(xdmhomewriter)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+tunable_policy(`use_samba_home_dirs',`
|
+tunable_policy(`use_nfs_home_dirs',`
|
||||||
+ fs_append_cifs_files(xdmhomewriter)
|
+ fs_append_nfs_files(xdmhomewriter)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
@ -40227,7 +40270,7 @@ index 3fb1915..26e9f79 100644
|
|||||||
- nscd_socket_use(sulogin_t)
|
- nscd_socket_use(sulogin_t)
|
||||||
-')
|
-')
|
||||||
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
|
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
|
||||||
index 362614c..a76d2fc 100644
|
index 362614c..ca6409c 100644
|
||||||
--- a/policy/modules/system/logging.fc
|
--- a/policy/modules/system/logging.fc
|
||||||
+++ b/policy/modules/system/logging.fc
|
+++ b/policy/modules/system/logging.fc
|
||||||
@@ -17,6 +17,10 @@
|
@@ -17,6 +17,10 @@
|
||||||
@ -40241,7 +40284,15 @@ index 362614c..a76d2fc 100644
|
|||||||
/usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
|
/usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
|
||||||
/usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0)
|
/usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0)
|
||||||
/usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
|
/usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
|
||||||
@@ -54,14 +58,16 @@ ifdef(`distro_redhat',`
|
@@ -25,6 +29,7 @@
|
||||||
|
/usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
|
||||||
|
|
||||||
|
/var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
|
||||||
|
+/var/lib/syslog(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
|
||||||
|
/var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
|
||||||
|
|
||||||
|
ifdef(`distro_suse', `
|
||||||
|
@@ -54,14 +59,16 @@ ifdef(`distro_redhat',`
|
||||||
/var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
|
/var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -40262,7 +40313,7 @@ index 362614c..a76d2fc 100644
|
|||||||
|
|
||||||
/var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
/var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||||
/var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
|
/var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
|
||||||
@@ -69,3 +75,5 @@ ifdef(`distro_redhat',`
|
@@ -69,3 +76,5 @@ ifdef(`distro_redhat',`
|
||||||
/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||||
|
|
||||||
/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||||
@ -40608,18 +40659,20 @@ index 86ef2da..7f649d5 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
|
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
|
||||||
index 7711464..1f0ccfd 100644
|
index 7711464..a8bd9fe 100644
|
||||||
--- a/policy/modules/system/miscfiles.fc
|
--- a/policy/modules/system/miscfiles.fc
|
||||||
+++ b/policy/modules/system/miscfiles.fc
|
+++ b/policy/modules/system/miscfiles.fc
|
||||||
@@ -11,6 +11,7 @@ ifdef(`distro_gentoo',`
|
@@ -10,7 +10,9 @@ ifdef(`distro_gentoo',`
|
||||||
|
#
|
||||||
/etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
|
/etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
|
||||||
/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
|
/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
|
||||||
|
+/etc/timezone -- gen_context(system_u:object_r:locale_t,s0)
|
||||||
/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
|
/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
|
||||||
+/etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
|
+/etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
|
||||||
|
|
||||||
ifdef(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
/etc/sysconfig/clock -- gen_context(system_u:object_r:locale_t,s0)
|
/etc/sysconfig/clock -- gen_context(system_u:object_r:locale_t,s0)
|
||||||
@@ -75,13 +76,11 @@ ifdef(`distro_redhat',`
|
@@ -75,13 +77,11 @@ ifdef(`distro_redhat',`
|
||||||
/var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
|
/var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
|
||||||
/var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)
|
/var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)
|
||||||
|
|
||||||
|
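Review bot: The rewritten tunable block for xdmhomewriter in hunk `@ -37156,8 +37199,8 @@` drops Samba support and duplicates the NFS one: the old side read `tunable_policy(`use_samba_home_dirs',` / `fs_append_cifs_files(xdmhomewriter)`, the new side makes it a second `tunable_policy(`use_nfs_home_dirs',` / `fs_append_nfs_files(xdmhomewriter)` immediately after an identical block, so with `use_samba_home_dirs` enabled xdmhomewriter can no longer append to CIFS home files — this looks like an editing slip rather than an intended change. Either restore the removed pair, or, if the intent was to cover the tunable this commit introduces, make the second block `tunable_policy(`use_fusefs_home_dirs',` with the matching fusefs append interface (assuming fs.if provides one; it is not visible here). Separately, the xdm_t block under `use_fusefs_home_dirs` is the only home-directory tunable block visible in this section that grants execute (`fs_exec_fusefs_files(xdm_t)`), and since FUSE mounts are normally user-controlled a one-line comment such as `# xdm runs the user's session script from a fusefs home` (if that is the reason) should accompany it so the exec grant to a root display-manager domain is not read as accidental. Note also that the commit message and %changelog say "Add /etc/localtime as locale file context" while the miscfiles.fc hunk actually adds `/etc/timezone -- gen_context(system_u:object_r:locale_t,s0)` (`/etc/localtime` is already present as context), so the changelog entry should name /etc/timezone.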
@ -21,7 +21,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.9.5
|
Version: 3.9.5
|
||||||
Release: 9%{?dist}
|
Release: 10%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -470,6 +470,11 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Oct 4 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-10
|
||||||
|
- Start adding support for use_fusefs_home_dirs
|
||||||
|
- Add /var/lib/syslog directory file context
|
||||||
|
- Add /etc/localtime as locale file context
|
||||||
|
|
||||||
* Thu Sep 30 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-9
|
* Thu Sep 30 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-9
|
||||||
- Turn off default transition to mozilla_plugin and telepathy domains from unconfined user
|
- Turn off default transition to mozilla_plugin and telepathy domains from unconfined user
|
||||||
- Turn off iptables from unconfined user
|
- Turn off iptables from unconfined user
|
||||||
|