- Allow sshd to write to proc_t for afs login
parent
b9b19aea97
commit
b4ae7d845a
|
@ -2388,6 +2388,53 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
|
||||||
/usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.0.5/policy/modules/kernel/corenetwork.if.in
|
||||||
|
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2007-07-03 07:05:38.000000000 -0400
|
||||||
|
+++ serefpolicy-3.0.5/policy/modules/kernel/corenetwork.if.in 2007-08-20 18:15:26.000000000 -0400
|
||||||
|
@@ -1449,6 +1449,43 @@
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
+## Connect TCP sockets to rpc ports.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## The type of the process performing this action.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`corenet_tcp_connect_all_rpc_ports',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ attribute rpc_port_type;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 rpc_port_type:tcp_socket name_connect;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Do not audit attempts to connect TCP sockets
|
||||||
|
+## all rpc ports.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain to not audit.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ attribute rpc_port_type;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ dontaudit $1 rpc_port_type:tcp_socket name_connect;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
## Read and write the TUN/TAP virtual network device.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.0.5/policy/modules/kernel/corenetwork.te.in
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.0.5/policy/modules/kernel/corenetwork.te.in
|
||||||
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-07-03 07:05:38.000000000 -0400
|
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-07-03 07:05:38.000000000 -0400
|
||||||
+++ serefpolicy-3.0.5/policy/modules/kernel/corenetwork.te.in 2007-08-07 09:39:49.000000000 -0400
|
+++ serefpolicy-3.0.5/policy/modules/kernel/corenetwork.te.in 2007-08-07 09:39:49.000000000 -0400
|
||||||
|
@ -5249,7 +5296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
|
||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.0.5/policy/modules/services/dovecot.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.0.5/policy/modules/services/dovecot.te
|
||||||
--- nsaserefpolicy/policy/modules/services/dovecot.te 2007-07-25 10:37:42.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/dovecot.te 2007-07-25 10:37:42.000000000 -0400
|
||||||
+++ serefpolicy-3.0.5/policy/modules/services/dovecot.te 2007-08-14 08:15:55.000000000 -0400
|
+++ serefpolicy-3.0.5/policy/modules/services/dovecot.te 2007-08-20 17:56:52.000000000 -0400
|
||||||
@@ -15,6 +15,12 @@
|
@@ -15,6 +15,12 @@
|
||||||
domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
|
domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
|
||||||
role system_r types dovecot_auth_t;
|
role system_r types dovecot_auth_t;
|
||||||
|
@ -5311,7 +5358,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
|
||||||
seutil_sigchld_newrole(dovecot_t)
|
seutil_sigchld_newrole(dovecot_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -145,33 +144,39 @@
|
@@ -145,33 +144,40 @@
|
||||||
# dovecot auth local policy
|
# dovecot auth local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
|
@ -5333,6 +5380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
|
||||||
+files_read_var_symlinks(dovecot_t)
|
+files_read_var_symlinks(dovecot_t)
|
||||||
|
|
||||||
allow dovecot_auth_t dovecot_var_run_t:dir r_dir_perms;
|
allow dovecot_auth_t dovecot_var_run_t:dir r_dir_perms;
|
||||||
|
+dovecot_auth_stream_connect(dovecot_auth_t)
|
||||||
|
|
||||||
kernel_read_all_sysctls(dovecot_auth_t)
|
kernel_read_all_sysctls(dovecot_auth_t)
|
||||||
kernel_read_system_state(dovecot_auth_t)
|
kernel_read_system_state(dovecot_auth_t)
|
||||||
|
@ -5353,7 +5401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
|
||||||
files_read_usr_symlinks(dovecot_auth_t)
|
files_read_usr_symlinks(dovecot_auth_t)
|
||||||
files_search_tmp(dovecot_auth_t)
|
files_search_tmp(dovecot_auth_t)
|
||||||
files_read_var_lib_files(dovecot_t)
|
files_read_var_lib_files(dovecot_t)
|
||||||
@@ -185,12 +190,46 @@
|
@@ -185,12 +191,46 @@
|
||||||
|
|
||||||
seutil_dontaudit_search_config(dovecot_auth_t)
|
seutil_dontaudit_search_config(dovecot_auth_t)
|
||||||
|
|
||||||
|
|
|
@ -17,7 +17,7 @@
|
||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.0.5
|
Version: 3.0.5
|
||||||
Release: 8%{?dist}
|
Release: 9%{?dist}
|
||||||
License: GPL
|
License: GPL
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
|
@ -360,6 +360,9 @@ exit 0
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Sat Aug 18 2007 Dan Walsh <dwalsh@redhat.com> 3.0.5-9
|
||||||
|
- Allow sshd to write to proc_t for afs login
|
||||||
|
|
||||||
* Sat Aug 18 2007 Dan Walsh <dwalsh@redhat.com> 3.0.5-8
|
* Sat Aug 18 2007 Dan Walsh <dwalsh@redhat.com> 3.0.5-8
|
||||||
- Allow xserver access to urand
|
- Allow xserver access to urand
|
||||||
|
|
||||||
|
|