- Allow sshd to write to proc_t for afs login
This commit is contained in:
Daniel J Walsh
parent
b9b19aea97
commit
b4ae7d845a
|
|
@ -2388,6 +2388,53 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
|
|||
/usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.0.5/policy/modules/kernel/corenetwork.if.in
|
||||
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2007-07-03 07:05:38.000000000 -0400
|
||||
+++ serefpolicy-3.0.5/policy/modules/kernel/corenetwork.if.in 2007-08-20 18:15:26.000000000 -0400
|
||||
@@ -1449,6 +1449,43 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## Connect TCP sockets to rpc ports.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## The type of the process performing this action.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`corenet_tcp_connect_all_rpc_ports',`
|
||||
+ gen_require(`
|
||||
+ attribute rpc_port_type;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 rpc_port_type:tcp_socket name_connect;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Do not audit attempts to connect TCP sockets
|
||||
+## all rpc ports.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain to not audit.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
|
||||
+ gen_require(`
|
||||
+ attribute rpc_port_type;
|
||||
+ ')
|
||||
+
|
||||
+ dontaudit $1 rpc_port_type:tcp_socket name_connect;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Read and write the TUN/TAP virtual network device.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.0.5/policy/modules/kernel/corenetwork.te.in
|
||||
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-07-03 07:05:38.000000000 -0400
|
||||
+++ serefpolicy-3.0.5/policy/modules/kernel/corenetwork.te.in 2007-08-07 09:39:49.000000000 -0400
|
||||
|
|
@ -5249,7 +5296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
|
|||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.0.5/policy/modules/services/dovecot.te
|
||||
--- nsaserefpolicy/policy/modules/services/dovecot.te 2007-07-25 10:37:42.000000000 -0400
|
||||
+++ serefpolicy-3.0.5/policy/modules/services/dovecot.te 2007-08-14 08:15:55.000000000 -0400
|
||||
+++ serefpolicy-3.0.5/policy/modules/services/dovecot.te 2007-08-20 17:56:52.000000000 -0400
|
||||
@@ -15,6 +15,12 @@
|
||||
domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
|
||||
role system_r types dovecot_auth_t;
|
||||
|
|
@ -5311,7 +5358,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
|
|||
seutil_sigchld_newrole(dovecot_t)
|
||||
')
|
||||
|
||||
@@ -145,33 +144,39 @@
|
||||
@@ -145,33 +144,40 @@
|
||||
# dovecot auth local policy
|
||||
#
|
||||
|
||||
|
|
@ -5333,6 +5380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
|
|||
+files_read_var_symlinks(dovecot_t)
|
||||
|
||||
allow dovecot_auth_t dovecot_var_run_t:dir r_dir_perms;
|
||||
+dovecot_auth_stream_connect(dovecot_auth_t)
|
||||
|
||||
kernel_read_all_sysctls(dovecot_auth_t)
|
||||
kernel_read_system_state(dovecot_auth_t)
|
||||
|
|
@ -5353,7 +5401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
|
|||
files_read_usr_symlinks(dovecot_auth_t)
|
||||
files_search_tmp(dovecot_auth_t)
|
||||
files_read_var_lib_files(dovecot_t)
|
||||
@@ -185,12 +190,46 @@
|
||||
@@ -185,12 +191,46 @@
|
||||
|
||||
seutil_dontaudit_search_config(dovecot_auth_t)
|
||||
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@
|
|||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.0.5
|
||||
Release: 8%{?dist}
|
||||
Release: 9%{?dist}
|
||||
License: GPL
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
|
|
@ -360,6 +360,9 @@ exit 0
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Sat Aug 18 2007 Dan Walsh <dwalsh@redhat.com> 3.0.5-9
|
||||
- Allow sshd to write to proc_t for afs login
|
||||
|
||||
* Sat Aug 18 2007 Dan Walsh <dwalsh@redhat.com> 3.0.5-8
|
||||
- Allow xserver access to urand
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue