- Update to upstream release
parent
1cc0574824
commit
b253d7866a
123
policy-F13.patch
123
policy-F13.patch
@ -3562,7 +3562,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.7.4/policy/modules/apps/mozilla.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.7.4/policy/modules/apps/mozilla.te
|
||||||
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-12-04 09:43:33.000000000 -0500
|
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-12-04 09:43:33.000000000 -0500
|
||||||
+++ serefpolicy-3.7.4/policy/modules/apps/mozilla.te 2009-12-04 12:39:47.000000000 -0500
|
+++ serefpolicy-3.7.4/policy/modules/apps/mozilla.te 2009-12-10 15:39:39.000000000 -0500
|
||||||
@@ -91,6 +91,7 @@
|
@@ -91,6 +91,7 @@
|
||||||
corenet_raw_sendrecv_generic_node(mozilla_t)
|
corenet_raw_sendrecv_generic_node(mozilla_t)
|
||||||
corenet_tcp_sendrecv_http_port(mozilla_t)
|
corenet_tcp_sendrecv_http_port(mozilla_t)
|
||||||
@ -3606,7 +3606,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ pulseaudio_exec(mozilla_t)
|
+ pulseaudio_exec(mozilla_t)
|
||||||
+ pulseaudio_stream_connect(mozilla_t)
|
+ pulseaudio_stream_connect(mozilla_t)
|
||||||
+ pulseaudio_manage_config(mozilla_t)
|
+ pulseaudio_manage_home(mozilla_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -3965,7 +3965,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.4/policy/modules/apps/nsplugin.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.4/policy/modules/apps/nsplugin.te
|
||||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.7.4/policy/modules/apps/nsplugin.te 2009-12-04 12:33:34.000000000 -0500
|
+++ serefpolicy-3.7.4/policy/modules/apps/nsplugin.te 2009-12-10 15:42:06.000000000 -0500
|
||||||
@@ -0,0 +1,296 @@
|
@@ -0,0 +1,296 @@
|
||||||
+
|
+
|
||||||
+policy_module(nsplugin, 1.0.0)
|
+policy_module(nsplugin, 1.0.0)
|
||||||
@ -4255,7 +4255,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ pulseaudio_exec(nsplugin_t)
|
+ pulseaudio_exec(nsplugin_t)
|
||||||
+ pulseaudio_stream_connect(nsplugin_t)
|
+ pulseaudio_stream_connect(nsplugin_t)
|
||||||
+ pulseaudio_manage_config(nsplugin_t)
|
+ pulseaudio_manage_home(nsplugin_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
@ -4498,7 +4498,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.4/policy/modules/apps/pulseaudio.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.4/policy/modules/apps/pulseaudio.te
|
||||||
--- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2009-11-17 10:54:26.000000000 -0500
|
--- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2009-11-17 10:54:26.000000000 -0500
|
||||||
+++ serefpolicy-3.7.4/policy/modules/apps/pulseaudio.te 2009-12-04 12:33:34.000000000 -0500
|
+++ serefpolicy-3.7.4/policy/modules/apps/pulseaudio.te 2009-12-10 15:49:17.000000000 -0500
|
||||||
@@ -11,6 +11,9 @@
|
@@ -11,6 +11,9 @@
|
||||||
application_domain(pulseaudio_t, pulseaudio_exec_t)
|
application_domain(pulseaudio_t, pulseaudio_exec_t)
|
||||||
role system_r types pulseaudio_t;
|
role system_r types pulseaudio_t;
|
||||||
@ -4534,7 +4534,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+ bluetooth_stream_connect(pulseaudio_t)
|
+ bluetooth_stream_connect(pulseaudio_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
+userdom_search_user_home_dirs($1)
|
+userdom_search_user_home_dirs(pulseaudio_t)
|
||||||
+manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
|
+manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
|
||||||
+manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
|
+manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
|
||||||
+
|
+
|
||||||
@ -8755,8 +8755,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.4/policy/modules/roles/unconfineduser.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.4/policy/modules/roles/unconfineduser.te
|
||||||
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.7.4/policy/modules/roles/unconfineduser.te 2009-12-09 10:12:48.000000000 -0500
|
+++ serefpolicy-3.7.4/policy/modules/roles/unconfineduser.te 2009-12-10 15:25:41.000000000 -0500
|
||||||
@@ -0,0 +1,459 @@
|
@@ -0,0 +1,460 @@
|
||||||
+policy_module(unconfineduser, 1.0.0)
|
+policy_module(unconfineduser, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -8930,6 +8930,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
+ xserver_rw_shm(unconfined_usertype)
|
+ xserver_rw_shm(unconfined_usertype)
|
||||||
+ xserver_run_xauth(unconfined_usertype, unconfined_r)
|
+ xserver_run_xauth(unconfined_usertype, unconfined_r)
|
||||||
|
+ xserver_xdm_dbus_chat(unconfined_usertype)
|
||||||
+ ')
|
+ ')
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
@ -14465,7 +14466,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
corenet_tcp_sendrecv_generic_if(fetchmail_t)
|
corenet_tcp_sendrecv_generic_if(fetchmail_t)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.7.4/policy/modules/services/fprintd.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.7.4/policy/modules/services/fprintd.te
|
||||||
--- nsaserefpolicy/policy/modules/services/fprintd.te 2009-07-29 15:15:33.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/fprintd.te 2009-07-29 15:15:33.000000000 -0400
|
||||||
+++ serefpolicy-3.7.4/policy/modules/services/fprintd.te 2009-12-05 06:04:00.000000000 -0500
|
+++ serefpolicy-3.7.4/policy/modules/services/fprintd.te 2009-12-10 15:34:41.000000000 -0500
|
||||||
@@ -37,6 +37,8 @@
|
@@ -37,6 +37,8 @@
|
||||||
files_read_etc_files(fprintd_t)
|
files_read_etc_files(fprintd_t)
|
||||||
files_read_usr_files(fprintd_t)
|
files_read_usr_files(fprintd_t)
|
||||||
@ -14475,12 +14476,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
auth_use_nsswitch(fprintd_t)
|
auth_use_nsswitch(fprintd_t)
|
||||||
|
|
||||||
miscfiles_read_localization(fprintd_t)
|
miscfiles_read_localization(fprintd_t)
|
||||||
@@ -51,5 +53,9 @@
|
@@ -51,5 +53,8 @@
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
policykit_read_reload(fprintd_t)
|
policykit_read_reload(fprintd_t)
|
||||||
policykit_read_lib(fprintd_t)
|
policykit_read_lib(fprintd_t)
|
||||||
+ policykit_dbus_chat(fprintd_t)
|
+ policykit_dbus_chat(fprintd_t)
|
||||||
+ policykit_auth_dbus_chat(fprintd_t)
|
|
||||||
policykit_domtrans_auth(fprintd_t)
|
policykit_domtrans_auth(fprintd_t)
|
||||||
+ policykit_dbus_chat_auth(fprintd_t)
|
+ policykit_dbus_chat_auth(fprintd_t)
|
||||||
')
|
')
|
||||||
@ -17906,8 +17906,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t, s0)
|
+/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t, s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.if serefpolicy-3.7.4/policy/modules/services/plymouth.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.if serefpolicy-3.7.4/policy/modules/services/plymouth.if
|
||||||
--- nsaserefpolicy/policy/modules/services/plymouth.if 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/plymouth.if 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.7.4/policy/modules/services/plymouth.if 2009-12-04 12:33:34.000000000 -0500
|
+++ serefpolicy-3.7.4/policy/modules/services/plymouth.if 2009-12-10 15:27:39.000000000 -0500
|
||||||
@@ -0,0 +1,286 @@
|
@@ -0,0 +1,304 @@
|
||||||
+## <summary>policy for plymouthd</summary>
|
+## <summary>policy for plymouthd</summary>
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -17930,6 +17930,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
|
+## Execute a plymoth in the current domain
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed to transition.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`plymouth_exec', `
|
||||||
|
+ gen_require(`
|
||||||
|
+ type plymouthd_exec_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ can_exec($1, plymouthd_exec_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
+## Execute a domain transition to run plymouthd.
|
+## Execute a domain transition to run plymouthd.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
@ -18196,8 +18214,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.7.4/policy/modules/services/plymouth.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.7.4/policy/modules/services/plymouth.te
|
||||||
--- nsaserefpolicy/policy/modules/services/plymouth.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/plymouth.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.7.4/policy/modules/services/plymouth.te 2009-12-04 12:33:34.000000000 -0500
|
+++ serefpolicy-3.7.4/policy/modules/services/plymouth.te 2009-12-10 15:30:43.000000000 -0500
|
||||||
@@ -0,0 +1,101 @@
|
@@ -0,0 +1,102 @@
|
||||||
+policy_module(plymouthd, 1.0.0)
|
+policy_module(plymouthd, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -18256,6 +18274,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+files_read_usr_files(plymouthd_t)
|
+files_read_usr_files(plymouthd_t)
|
||||||
+
|
+
|
||||||
+miscfiles_read_localization(plymouthd_t)
|
+miscfiles_read_localization(plymouthd_t)
|
||||||
|
+miscfiles_read_fonts(plymouthd_t)
|
||||||
+
|
+
|
||||||
+manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
|
+manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
|
||||||
+manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
|
+manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
|
||||||
@ -18319,7 +18338,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.7.4/policy/modules/services/policykit.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.7.4/policy/modules/services/policykit.if
|
||||||
--- nsaserefpolicy/policy/modules/services/policykit.if 2009-08-18 18:39:50.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/policykit.if 2009-08-18 18:39:50.000000000 -0400
|
||||||
+++ serefpolicy-3.7.4/policy/modules/services/policykit.if 2009-12-05 06:04:03.000000000 -0500
|
+++ serefpolicy-3.7.4/policy/modules/services/policykit.if 2009-12-10 15:31:44.000000000 -0500
|
||||||
@@ -17,12 +17,37 @@
|
@@ -17,12 +17,37 @@
|
||||||
class dbus send_msg;
|
class dbus send_msg;
|
||||||
')
|
')
|
||||||
@ -24046,8 +24065,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.te serefpolicy-3.7.4/policy/modules/services/vhostmd.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.te serefpolicy-3.7.4/policy/modules/services/vhostmd.te
|
||||||
--- nsaserefpolicy/policy/modules/services/vhostmd.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/vhostmd.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.7.4/policy/modules/services/vhostmd.te 2009-12-09 13:28:27.000000000 -0500
|
+++ serefpolicy-3.7.4/policy/modules/services/vhostmd.te 2009-12-10 16:06:39.000000000 -0500
|
||||||
@@ -0,0 +1,91 @@
|
@@ -0,0 +1,86 @@
|
||||||
+
|
+
|
||||||
+policy_module(vhostmd,1.0.0)
|
+policy_module(vhostmd,1.0.0)
|
||||||
+
|
+
|
||||||
@ -24134,11 +24153,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+ xen_stream_connect_xenstore(vhostmd_t)
|
+ xen_stream_connect_xenstore(vhostmd_t)
|
||||||
+ xen_stream_connect_xm(vhostmd_t)
|
+ xen_stream_connect_xm(vhostmd_t)
|
||||||
+')
|
+')
|
||||||
+
|
|
||||||
+optional_policy(`
|
|
||||||
+ xm_stream_connect(vhostmd_t)
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.4/policy/modules/services/virt.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.4/policy/modules/services/virt.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/virt.fc 2009-07-14 14:19:57.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/virt.fc 2009-07-14 14:19:57.000000000 -0400
|
||||||
+++ serefpolicy-3.7.4/policy/modules/services/virt.fc 2009-12-04 12:33:34.000000000 -0500
|
+++ serefpolicy-3.7.4/policy/modules/services/virt.fc 2009-12-04 12:33:34.000000000 -0500
|
||||||
@ -25964,7 +25978,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.4/policy/modules/services/xserver.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.4/policy/modules/services/xserver.te
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-12-04 09:43:33.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-12-04 09:43:33.000000000 -0500
|
||||||
+++ serefpolicy-3.7.4/policy/modules/services/xserver.te 2009-12-09 11:40:20.000000000 -0500
|
+++ serefpolicy-3.7.4/policy/modules/services/xserver.te 2009-12-10 15:28:09.000000000 -0500
|
||||||
@@ -1,5 +1,5 @@
|
@@ -1,5 +1,5 @@
|
||||||
|
|
||||||
-policy_module(xserver, 3.3.1)
|
-policy_module(xserver, 3.3.1)
|
||||||
@ -26581,7 +26595,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
hostname_exec(xdm_t)
|
hostname_exec(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -547,6 +675,38 @@
|
@@ -547,6 +675,39 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -26598,6 +26612,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ plymouth_search_spool(xdm_t)
|
+ plymouth_search_spool(xdm_t)
|
||||||
|
+ plymouth_exec(xdm_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
@ -26620,7 +26635,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
seutil_sigchld_newrole(xdm_t)
|
seutil_sigchld_newrole(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -555,8 +715,9 @@
|
@@ -555,8 +716,9 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -26632,7 +26647,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
ifndef(`distro_redhat',`
|
ifndef(`distro_redhat',`
|
||||||
allow xdm_t self:process { execheap execmem };
|
allow xdm_t self:process { execheap execmem };
|
||||||
@@ -565,7 +726,6 @@
|
@@ -565,7 +727,6 @@
|
||||||
ifdef(`distro_rhel4',`
|
ifdef(`distro_rhel4',`
|
||||||
allow xdm_t self:process { execheap execmem };
|
allow xdm_t self:process { execheap execmem };
|
||||||
')
|
')
|
||||||
@ -26640,7 +26655,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
userhelper_dontaudit_search_config(xdm_t)
|
userhelper_dontaudit_search_config(xdm_t)
|
||||||
@@ -576,6 +736,10 @@
|
@@ -576,6 +737,10 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -26651,7 +26666,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
xfs_stream_connect(xdm_t)
|
xfs_stream_connect(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -584,14 +748,6 @@
|
@@ -584,14 +749,6 @@
|
||||||
# X server local policy
|
# X server local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -26666,7 +26681,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# setuid/setgid for the wrapper program to change UID
|
# setuid/setgid for the wrapper program to change UID
|
||||||
# sys_rawio is for iopl access - should not be needed for frame-buffer
|
# sys_rawio is for iopl access - should not be needed for frame-buffer
|
||||||
# sys_admin, locking shared mem? chowning IPC message queues or semaphores?
|
# sys_admin, locking shared mem? chowning IPC message queues or semaphores?
|
||||||
@@ -600,10 +756,9 @@
|
@@ -600,10 +757,9 @@
|
||||||
# execheap needed until the X module loader is fixed.
|
# execheap needed until the X module loader is fixed.
|
||||||
# NVIDIA Needs execstack
|
# NVIDIA Needs execstack
|
||||||
|
|
||||||
@ -26678,7 +26693,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
allow xserver_t self:fd use;
|
allow xserver_t self:fd use;
|
||||||
allow xserver_t self:fifo_file rw_fifo_file_perms;
|
allow xserver_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow xserver_t self:sock_file read_sock_file_perms;
|
allow xserver_t self:sock_file read_sock_file_perms;
|
||||||
@@ -615,13 +770,31 @@
|
@@ -615,13 +771,31 @@
|
||||||
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||||
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow xserver_t self:udp_socket create_socket_perms;
|
allow xserver_t self:udp_socket create_socket_perms;
|
||||||
@ -26711,7 +26726,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||||
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||||
@@ -634,12 +807,19 @@
|
@@ -634,12 +808,19 @@
|
||||||
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||||
files_search_var_lib(xserver_t)
|
files_search_var_lib(xserver_t)
|
||||||
|
|
||||||
@ -26733,7 +26748,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
kernel_read_system_state(xserver_t)
|
kernel_read_system_state(xserver_t)
|
||||||
kernel_read_device_sysctls(xserver_t)
|
kernel_read_device_sysctls(xserver_t)
|
||||||
@@ -673,7 +853,6 @@
|
@@ -673,7 +854,6 @@
|
||||||
dev_rw_agp(xserver_t)
|
dev_rw_agp(xserver_t)
|
||||||
dev_rw_framebuffer(xserver_t)
|
dev_rw_framebuffer(xserver_t)
|
||||||
dev_manage_dri_dev(xserver_t)
|
dev_manage_dri_dev(xserver_t)
|
||||||
@ -26741,7 +26756,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
dev_create_generic_dirs(xserver_t)
|
dev_create_generic_dirs(xserver_t)
|
||||||
dev_setattr_generic_dirs(xserver_t)
|
dev_setattr_generic_dirs(xserver_t)
|
||||||
# raw memory access is needed if not using the frame buffer
|
# raw memory access is needed if not using the frame buffer
|
||||||
@@ -683,9 +862,12 @@
|
@@ -683,9 +863,12 @@
|
||||||
dev_rw_xserver_misc(xserver_t)
|
dev_rw_xserver_misc(xserver_t)
|
||||||
# read events - the synaptics touchpad driver reads raw events
|
# read events - the synaptics touchpad driver reads raw events
|
||||||
dev_rw_input_dev(xserver_t)
|
dev_rw_input_dev(xserver_t)
|
||||||
@ -26755,7 +26770,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
files_read_etc_files(xserver_t)
|
files_read_etc_files(xserver_t)
|
||||||
files_read_etc_runtime_files(xserver_t)
|
files_read_etc_runtime_files(xserver_t)
|
||||||
@@ -700,8 +882,12 @@
|
@@ -700,8 +883,12 @@
|
||||||
fs_search_nfs(xserver_t)
|
fs_search_nfs(xserver_t)
|
||||||
fs_search_auto_mountpoints(xserver_t)
|
fs_search_auto_mountpoints(xserver_t)
|
||||||
fs_search_ramfs(xserver_t)
|
fs_search_ramfs(xserver_t)
|
||||||
@ -26768,7 +26783,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
selinux_validate_context(xserver_t)
|
selinux_validate_context(xserver_t)
|
||||||
selinux_compute_access_vector(xserver_t)
|
selinux_compute_access_vector(xserver_t)
|
||||||
@@ -723,6 +909,7 @@
|
@@ -723,6 +910,7 @@
|
||||||
|
|
||||||
miscfiles_read_localization(xserver_t)
|
miscfiles_read_localization(xserver_t)
|
||||||
miscfiles_read_fonts(xserver_t)
|
miscfiles_read_fonts(xserver_t)
|
||||||
@ -26776,7 +26791,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
modutils_domtrans_insmod(xserver_t)
|
modutils_domtrans_insmod(xserver_t)
|
||||||
|
|
||||||
@@ -745,7 +932,7 @@
|
@@ -745,7 +933,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`enable_mls',`
|
ifdef(`enable_mls',`
|
||||||
@ -26785,7 +26800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
|
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -754,17 +941,15 @@
|
@@ -754,17 +942,15 @@
|
||||||
# but typeattribute doesnt work in conditionals
|
# but typeattribute doesnt work in conditionals
|
||||||
|
|
||||||
allow xserver_t xserver_t:x_server *;
|
allow xserver_t xserver_t:x_server *;
|
||||||
@ -26806,7 +26821,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
allow xserver_t xextension_type:x_extension *;
|
allow xserver_t xextension_type:x_extension *;
|
||||||
allow xserver_t { x_domain xserver_t }:x_resource *;
|
allow xserver_t { x_domain xserver_t }:x_resource *;
|
||||||
allow xserver_t xevent_type:{ x_event x_synthetic_event } *;
|
allow xserver_t xevent_type:{ x_event x_synthetic_event } *;
|
||||||
@@ -779,12 +964,20 @@
|
@@ -779,12 +965,20 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -26828,7 +26843,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
unconfined_domtrans(xserver_t)
|
unconfined_domtrans(xserver_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -811,12 +1004,12 @@
|
@@ -811,12 +1005,12 @@
|
||||||
allow xserver_t xdm_var_lib_t:file { getattr read };
|
allow xserver_t xdm_var_lib_t:file { getattr read };
|
||||||
dontaudit xserver_t xdm_var_lib_t:dir search;
|
dontaudit xserver_t xdm_var_lib_t:dir search;
|
||||||
|
|
||||||
@ -26845,7 +26860,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
# Run xkbcomp.
|
# Run xkbcomp.
|
||||||
allow xserver_t xkb_var_lib_t:lnk_file read;
|
allow xserver_t xkb_var_lib_t:lnk_file read;
|
||||||
@@ -832,9 +1025,14 @@
|
@@ -832,9 +1026,14 @@
|
||||||
# to read ROLE_home_t - examine this in more detail
|
# to read ROLE_home_t - examine this in more detail
|
||||||
# (xauth?)
|
# (xauth?)
|
||||||
userdom_read_user_home_content_files(xserver_t)
|
userdom_read_user_home_content_files(xserver_t)
|
||||||
@ -26860,7 +26875,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
tunable_policy(`use_nfs_home_dirs',`
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
fs_manage_nfs_dirs(xserver_t)
|
fs_manage_nfs_dirs(xserver_t)
|
||||||
fs_manage_nfs_files(xserver_t)
|
fs_manage_nfs_files(xserver_t)
|
||||||
@@ -849,11 +1047,14 @@
|
@@ -849,11 +1048,14 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_system_bus_client(xserver_t)
|
dbus_system_bus_client(xserver_t)
|
||||||
@ -26876,7 +26891,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -867,150 +1068,163 @@
|
@@ -867,150 +1069,163 @@
|
||||||
#
|
#
|
||||||
|
|
||||||
# Hacks
|
# Hacks
|
||||||
@ -31923,7 +31938,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+HOME_DIR/\.gvfs(/.*)? <<none>>
|
+HOME_DIR/\.gvfs(/.*)? <<none>>
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.4/policy/modules/system/userdomain.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.4/policy/modules/system/userdomain.if
|
||||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400
|
||||||
+++ serefpolicy-3.7.4/policy/modules/system/userdomain.if 2009-12-09 09:46:14.000000000 -0500
|
+++ serefpolicy-3.7.4/policy/modules/system/userdomain.if 2009-12-10 15:29:06.000000000 -0500
|
||||||
@@ -30,8 +30,9 @@
|
@@ -30,8 +30,9 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -33625,7 +33640,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
kernel_search_proc($1)
|
kernel_search_proc($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -3064,3 +3390,638 @@
|
@@ -3064,3 +3390,656 @@
|
||||||
|
|
||||||
allow $1 userdomain:dbus send_msg;
|
allow $1 userdomain:dbus send_msg;
|
||||||
')
|
')
|
||||||
@ -34264,6 +34279,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+ read_files_pattern($1, home_cert_t, home_cert_t)
|
+ read_files_pattern($1, home_cert_t, home_cert_t)
|
||||||
+ read_lnk_files_pattern($1, home_cert_t, home_cert_t)
|
+ read_lnk_files_pattern($1, home_cert_t, home_cert_t)
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## dontaudit Search getatrr /root files
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`userdom_dontaudit_getattr_admin_home_files',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type admin_home_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ dontaudit $1 admin_home_t:file getattr;
|
||||||
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.4/policy/modules/system/userdomain.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.4/policy/modules/system/userdomain.te
|
||||||
--- nsaserefpolicy/policy/modules/system/userdomain.te 2009-11-17 10:54:26.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/userdomain.te 2009-11-17 10:54:26.000000000 -0500
|
||||||
+++ serefpolicy-3.7.4/policy/modules/system/userdomain.te 2009-12-04 12:33:34.000000000 -0500
|
+++ serefpolicy-3.7.4/policy/modules/system/userdomain.te 2009-12-04 12:33:34.000000000 -0500
|
||||||
|
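Review bot: The new `plymouth_exec` interface in plymouth.if grants `can_exec($1, plymouthd_exec_t)`, and the xserver.te change calls `plymouth_exec(xdm_t)`, so the plymouth binary runs inside xdm_t with xdm_t's permissions instead of being confined by its own domain. A short comment above that call should say why the interface documented just below it ("Execute a domain transition to run plymouthd") is not used here. The doc block of `plymouth_exec` is also inaccurate: the summary misspells "plymoth", and the parameter text `Domain allowed to transition.` describes a transition that `can_exec` does not perform; `Domain allowed access.` fits. In userdomain.if the summary of `userdom_dontaudit_getattr_admin_home_files` reads `dontaudit Search getatrr /root files`; `Do not audit attempts to getattr /root files.` with `Domain to not audit.` for the parameter would match the `dontaudit` rule, which matters because this interface suppresses AVC denials that would otherwise show up in audit logs.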