- Fix uml files to be owned by users
parent
e080bbd4f6
commit
b3ac4a052b
@ -358,24 +358,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man
|
|||||||
.SH BOOLEANS
|
.SH BOOLEANS
|
||||||
.TP
|
.TP
|
||||||
You must set the allow_ypbind boolean to allow your system to work properly in a NIS environment.
|
You must set the allow_ypbind boolean to allow your system to work properly in a NIS environment.
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_booleans serefpolicy-3.6.12/policy/global_booleans
|
|
||||||
--- nsaserefpolicy/policy/global_booleans 2008-08-07 11:15:13.000000000 -0400
|
|
||||||
+++ serefpolicy-3.6.12/policy/global_booleans 2009-04-28 09:51:52.000000000 -0400
|
|
||||||
@@ -28,3 +28,11 @@
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_bool(secure_mode_policyload,false)
|
|
||||||
+
|
|
||||||
+## <desc>
|
|
||||||
+## <p>
|
|
||||||
+## Allow unconfined domain to map low memory in the kernel
|
|
||||||
+## </p>
|
|
||||||
+## </desc>
|
|
||||||
+gen_tunable(allow_unconfined_mmap_low, false)
|
|
||||||
+
|
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.12/policy/global_tunables
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.12/policy/global_tunables
|
||||||
--- nsaserefpolicy/policy/global_tunables 2008-11-11 16:13:50.000000000 -0500
|
--- nsaserefpolicy/policy/global_tunables 2008-11-11 16:13:50.000000000 -0500
|
||||||
+++ serefpolicy-3.6.12/policy/global_tunables 2009-04-23 09:44:57.000000000 -0400
|
+++ serefpolicy-3.6.12/policy/global_tunables 2009-04-28 11:36:39.000000000 -0400
|
||||||
@@ -61,15 +61,6 @@
|
@@ -61,15 +61,6 @@
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
@ -392,7 +377,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Allow any files/directories to be exported read/write via NFS.
|
## Allow any files/directories to be exported read/write via NFS.
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
@@ -111,3 +102,12 @@
|
@@ -111,3 +102,18 @@
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(user_tcp_server,false)
|
gen_tunable(user_tcp_server,false)
|
||||||
@ -404,6 +389,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+## </desc>
|
+## </desc>
|
||||||
+gen_tunable(allow_console_login,false)
|
+gen_tunable(allow_console_login,false)
|
||||||
+
|
+
|
||||||
|
+## <desc>
|
||||||
|
+## <p>
|
||||||
|
+## Allow unconfined domain to map low memory in the kernel
|
||||||
|
+## </p>
|
||||||
|
+## </desc>
|
||||||
|
+gen_tunable(allow_unconfined_mmap_low, false)
|
||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.12/policy/mcs
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.12/policy/mcs
|
||||||
--- nsaserefpolicy/policy/mcs 2009-02-03 22:50:50.000000000 -0500
|
--- nsaserefpolicy/policy/mcs 2009-02-03 22:50:50.000000000 -0500
|
||||||
@ -4474,6 +4465,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+permissive sambagui_t;
|
+permissive sambagui_t;
|
||||||
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.te serefpolicy-3.6.12/policy/modules/apps/uml.te
|
||||||
|
--- nsaserefpolicy/policy/modules/apps/uml.te 2009-01-19 11:03:28.000000000 -0500
|
||||||
|
+++ serefpolicy-3.6.12/policy/modules/apps/uml.te 2009-04-28 11:42:33.000000000 -0400
|
||||||
|
@@ -16,14 +16,12 @@
|
||||||
|
type uml_ro_t;
|
||||||
|
typealias uml_ro_t alias { user_uml_ro_t staff_uml_ro_t sysadm_uml_ro_t };
|
||||||
|
typealias uml_ro_t alias { auditadm_uml_ro_t secadm_uml_ro_t };
|
||||||
|
-files_type(uml_ro_t)
|
||||||
|
-ubac_constrained(uml_ro_t)
|
||||||
|
+userdom_user_home_content(uml_ro_t)
|
||||||
|
|
||||||
|
type uml_rw_t;
|
||||||
|
typealias uml_rw_t alias { user_uml_rw_t staff_uml_rw_t sysadm_uml_rw_t };
|
||||||
|
typealias uml_rw_t alias { auditadm_uml_rw_t secadm_uml_rw_t };
|
||||||
|
-files_type(uml_rw_t)
|
||||||
|
-ubac_constrained(uml_rw_t)
|
||||||
|
+userdom_user_home_content(uml_rw_t)
|
||||||
|
|
||||||
|
type uml_tmp_t;
|
||||||
|
typealias uml_tmp_t alias { user_uml_tmp_t staff_uml_tmp_t sysadm_uml_tmp_t };
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.12/policy/modules/apps/vmware.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.12/policy/modules/apps/vmware.te
|
||||||
--- nsaserefpolicy/policy/modules/apps/vmware.te 2009-01-19 11:03:28.000000000 -0500
|
--- nsaserefpolicy/policy/modules/apps/vmware.te 2009-01-19 11:03:28.000000000 -0500
|
||||||
+++ serefpolicy-3.6.12/policy/modules/apps/vmware.te 2009-04-23 09:44:57.000000000 -0400
|
+++ serefpolicy-3.6.12/policy/modules/apps/vmware.te 2009-04-23 09:44:57.000000000 -0400
|
||||||
@ -19364,6 +19375,52 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
mysql_search_db(httpd_prewikka_script_t)
|
mysql_search_db(httpd_prewikka_script_t)
|
||||||
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.6.12/policy/modules/services/privoxy.te
|
||||||
|
--- nsaserefpolicy/policy/modules/services/privoxy.te 2009-01-19 11:06:49.000000000 -0500
|
||||||
|
+++ serefpolicy-3.6.12/policy/modules/services/privoxy.te 2009-04-28 11:40:52.000000000 -0400
|
||||||
|
@@ -6,6 +6,14 @@
|
||||||
|
# Declarations
|
||||||
|
#
|
||||||
|
|
||||||
|
+## <desc>
|
||||||
|
+## <p>
|
||||||
|
+## Allow privoxy to connect to all ports, not just
|
||||||
|
+## HTTP, FTP, and Gopher ports.
|
||||||
|
+## </p>
|
||||||
|
+## </desc>
|
||||||
|
+gen_tunable(privoxy_connect_any, false)
|
||||||
|
+
|
||||||
|
type privoxy_t; # web_client_domain
|
||||||
|
type privoxy_exec_t;
|
||||||
|
init_daemon_domain(privoxy_t, privoxy_exec_t)
|
||||||
|
@@ -72,21 +80,19 @@
|
||||||
|
|
||||||
|
logging_send_syslog_msg(privoxy_t)
|
||||||
|
|
||||||
|
-miscfiles_read_localization(privoxy_t)
|
||||||
|
+auth_use_nsswitch(privoxy_t)
|
||||||
|
|
||||||
|
-sysnet_dns_name_resolve(privoxy_t)
|
||||||
|
+miscfiles_read_localization(privoxy_t)
|
||||||
|
|
||||||
|
userdom_dontaudit_use_unpriv_user_fds(privoxy_t)
|
||||||
|
userdom_dontaudit_search_user_home_dirs(privoxy_t)
|
||||||
|
# cjp: this should really not be needed
|
||||||
|
userdom_use_user_terminals(privoxy_t)
|
||||||
|
|
||||||
|
-optional_policy(`
|
||||||
|
- nis_use_ypbind(privoxy_t)
|
||||||
|
-')
|
||||||
|
-
|
||||||
|
-optional_policy(`
|
||||||
|
- nscd_socket_use(privoxy_t)
|
||||||
|
+tunable_policy(`privoxy_connect_any',`
|
||||||
|
+ corenet_tcp_connect_all_ports(privoxy_t)
|
||||||
|
+ corenet_tcp_bind_all_ports(privoxy_t)
|
||||||
|
+ corenet_sendrecv_all_packets(privoxy_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.6.12/policy/modules/services/procmail.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.6.12/policy/modules/services/procmail.te
|
||||||
--- nsaserefpolicy/policy/modules/services/procmail.te 2009-01-19 11:06:49.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/procmail.te 2009-01-19 11:06:49.000000000 -0500
|
||||||
+++ serefpolicy-3.6.12/policy/modules/services/procmail.te 2009-04-23 09:44:57.000000000 -0400
|
+++ serefpolicy-3.6.12/policy/modules/services/procmail.te 2009-04-23 09:44:57.000000000 -0400
|
||||||
@ -22227,7 +22284,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.12/policy/modules/services/squid.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.12/policy/modules/services/squid.te
|
||||||
--- nsaserefpolicy/policy/modules/services/squid.te 2009-01-19 11:06:49.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/squid.te 2009-01-19 11:06:49.000000000 -0500
|
||||||
+++ serefpolicy-3.6.12/policy/modules/services/squid.te 2009-04-23 09:44:57.000000000 -0400
|
+++ serefpolicy-3.6.12/policy/modules/services/squid.te 2009-04-28 11:39:57.000000000 -0400
|
||||||
@@ -118,6 +118,9 @@
|
@@ -118,6 +118,9 @@
|
||||||
|
|
||||||
fs_getattr_all_fs(squid_t)
|
fs_getattr_all_fs(squid_t)
|
||||||
|
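Review bot: In the privoxy.te hunk, the `privoxy_connect_any` tunable grants more than its description states. Besides `corenet_tcp_connect_all_ports(privoxy_t)`, the block adds `corenet_tcp_bind_all_ports(privoxy_t)` and `corenet_sendrecv_all_packets(privoxy_t)`, while the `## <desc>` text only mentions connecting to "all ports, not just HTTP, FTP, and Gopher ports". An administrator who enables the boolean to reach an upstream on a non-standard port would also be letting the confined proxy bind any TCP port, which weakens the containment the domain is meant to provide. Either drop the bind line from the tunable block or change the description to match, for example `## Allow privoxy to connect to and bind to all TCP ports, not just`. The block reuses the `')` that closed the removed `nscd_socket_use` optional block, and the policy continues past the end of the hunk.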
@ -20,7 +20,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.6.12
|
Version: 3.6.12
|
||||||
Release: 22%{?dist}
|
Release: 23%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -480,6 +480,9 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Apr 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-23
|
||||||
|
- Fix uml files to be owned by users
|
||||||
|
|
||||||
* Tue Apr 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-22
|
* Tue Apr 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-22
|
||||||
- Fix Upgrade path to install unconfineduser.pp when unocnfined package is 3.0.0 or less
|
- Fix Upgrade path to install unconfineduser.pp when unocnfined package is 3.0.0 or less
|
||||||
|
|
||||||
|