- Remove Multiple spec
- Add include - Fix makefile to not call per_role_expansion
parent
6115689216
commit
b4cab5a3eb
@ -1538,6 +1538,59 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+ xserver_exec_pid(vbetool_t)
|
+ xserver_exec_pid(vbetool_t)
|
||||||
+ xserver_write_pid(vbetool_t)
|
+ xserver_write_pid(vbetool_t)
|
||||||
+')
|
+')
|
||||||
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if serefpolicy-3.5.12/policy/modules/admin/vpn.if
|
||||||
|
--- nsaserefpolicy/policy/modules/admin/vpn.if 2008-10-08 19:00:27.000000000 -0400
|
||||||
|
+++ serefpolicy-3.5.12/policy/modules/admin/vpn.if 2008-10-16 14:46:43.000000000 -0400
|
||||||
|
@@ -53,6 +53,24 @@
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
+## Send sigkill to VPN clients.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`vpn_sigkill',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type vpnc_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 vpnc_t:process sigkill;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
## Send generic signals to VPN clients.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
@@ -71,6 +89,24 @@
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
+## Send signull to VPN clients.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`vpn_signull',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type vpnc_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 vpnc_t:process signull;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
## Send and receive messages from
|
||||||
|
## Vpnc over dbus.
|
||||||
|
## </summary>
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.fc serefpolicy-3.5.12/policy/modules/apps/ethereal.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.fc serefpolicy-3.5.12/policy/modules/apps/ethereal.fc
|
||||||
--- nsaserefpolicy/policy/modules/apps/ethereal.fc 2008-08-07 11:15:03.000000000 -0400
|
--- nsaserefpolicy/policy/modules/apps/ethereal.fc 2008-08-07 11:15:03.000000000 -0400
|
||||||
+++ serefpolicy-3.5.12/policy/modules/apps/ethereal.fc 2008-10-14 15:00:15.000000000 -0400
|
+++ serefpolicy-3.5.12/policy/modules/apps/ethereal.fc 2008-10-14 15:00:15.000000000 -0400
|
||||||
|
@ -8034,6 +8087,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
|
neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
|
||||||
neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
|
neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
|
||||||
neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
|
neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
|
||||||
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.5.12/policy/modules/kernel/storage.fc
|
||||||
|
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2008-10-08 19:00:23.000000000 -0400
|
||||||
|
+++ serefpolicy-3.5.12/policy/modules/kernel/storage.fc 2008-10-16 14:21:31.000000000 -0400
|
||||||
|
@@ -36,7 +36,7 @@
|
||||||
|
/dev/pg[0-3] -c gen_context(system_u:object_r:removable_device_t,s0)
|
||||||
|
/dev/ps3d.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||||
|
/dev/ram.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||||
|
-/dev/rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||||
|
+/dev/(raw/)?rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||||
|
/dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||||
|
ifdef(`distro_redhat', `
|
||||||
|
/dev/root -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.5.12/policy/modules/kernel/terminal.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.5.12/policy/modules/kernel/terminal.if
|
||||||
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2008-08-07 11:15:01.000000000 -0400
|
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2008-08-07 11:15:01.000000000 -0400
|
||||||
+++ serefpolicy-3.5.12/policy/modules/kernel/terminal.if 2008-10-14 15:00:15.000000000 -0400
|
+++ serefpolicy-3.5.12/policy/modules/kernel/terminal.if 2008-10-14 15:00:15.000000000 -0400
|
||||||
|
@ -11245,8 +11310,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+/usr/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0)
|
+/usr/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.5.12/policy/modules/services/avahi.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.5.12/policy/modules/services/avahi.if
|
||||||
--- nsaserefpolicy/policy/modules/services/avahi.if 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/avahi.if 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.12/policy/modules/services/avahi.if 2008-10-14 15:00:15.000000000 -0400
|
+++ serefpolicy-3.5.12/policy/modules/services/avahi.if 2008-10-16 14:48:40.000000000 -0400
|
||||||
@@ -2,6 +2,84 @@
|
@@ -2,6 +2,103 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -11290,25 +11355,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Send avahi a signal
|
|
||||||
+## </summary>
|
|
||||||
+## <param name="domain">
|
|
||||||
+## <summary>
|
|
||||||
+## The type of the process performing this action.
|
|
||||||
+## </summary>
|
|
||||||
+## </param>
|
|
||||||
+#
|
|
||||||
+#
|
|
||||||
+interface(`avahi_signal',`
|
|
||||||
+ gen_require(`
|
|
||||||
+ type avahi_t;
|
|
||||||
+ ')
|
|
||||||
+
|
|
||||||
+ allow $1 avahi_t:process signal;
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
+########################################
|
|
||||||
+## <summary>
|
|
||||||
+## Send avahi a sigkill
|
+## Send avahi a sigkill
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
|
@ -11327,11 +11373,49 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Send avahi a signal
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## The type of the process performing this action.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+#
|
||||||
|
+interface(`avahi_signal',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type avahi_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 avahi_t:process signal;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Send avahi a signull
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## The type of the process performing this action.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+#
|
||||||
|
+interface(`avahi_signull',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type avahi_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 avahi_t:process signull;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
## Send and receive messages from
|
## Send and receive messages from
|
||||||
## avahi over dbus.
|
## avahi over dbus.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -57,3 +135,38 @@
|
@@ -57,3 +154,38 @@
|
||||||
|
|
||||||
dontaudit $1 avahi_var_run_t:dir search_dir_perms;
|
dontaudit $1 avahi_var_run_t:dir search_dir_perms;
|
||||||
')
|
')
|
||||||
|
@ -11433,8 +11517,51 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.5.12/policy/modules/services/bind.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.5.12/policy/modules/services/bind.if
|
||||||
--- nsaserefpolicy/policy/modules/services/bind.if 2008-10-14 11:58:09.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/bind.if 2008-10-14 11:58:09.000000000 -0400
|
||||||
+++ serefpolicy-3.5.12/policy/modules/services/bind.if 2008-10-14 15:00:15.000000000 -0400
|
+++ serefpolicy-3.5.12/policy/modules/services/bind.if 2008-10-16 14:45:01.000000000 -0400
|
||||||
@@ -257,6 +257,25 @@
|
@@ -38,6 +38,42 @@
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
+## Send signulls to BIND.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`bind_signull',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type named_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 named_t:process signull;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Send sigkills to BIND.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`bind_sigkill',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type named_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 named_t:process sigkill;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
## Execute ndc in the ndc domain, and
|
||||||
|
## allow the specified role the ndc domain.
|
||||||
|
## </summary>
|
||||||
|
@@ -257,6 +293,25 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -11460,7 +11587,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
## All of the rules required to administrate
|
## All of the rules required to administrate
|
||||||
## an bind environment
|
## an bind environment
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -267,19 +286,18 @@
|
@@ -267,19 +322,18 @@
|
||||||
## </param>
|
## </param>
|
||||||
## <param name="role">
|
## <param name="role">
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -11486,7 +11613,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 named_t:process { ptrace signal_perms };
|
allow $1 named_t:process { ptrace signal_perms };
|
||||||
@@ -289,4 +307,28 @@
|
@@ -289,4 +343,28 @@
|
||||||
ps_process_pattern($1, ndc_t)
|
ps_process_pattern($1, ndc_t)
|
||||||
|
|
||||||
bind_run_ndc($1, $2, $3)
|
bind_run_ndc($1, $2, $3)
|
||||||
|
@ -14149,8 +14276,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
|
/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.5.12/policy/modules/services/dnsmasq.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.5.12/policy/modules/services/dnsmasq.if
|
||||||
--- nsaserefpolicy/policy/modules/services/dnsmasq.if 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/dnsmasq.if 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.12/policy/modules/services/dnsmasq.if 2008-10-14 15:00:15.000000000 -0400
|
+++ serefpolicy-3.5.12/policy/modules/services/dnsmasq.if 2008-10-16 14:44:18.000000000 -0400
|
||||||
@@ -1 +1,117 @@
|
@@ -1 +1,137 @@
|
||||||
## <summary>dnsmasq DNS forwarder and DHCP server</summary>
|
## <summary>dnsmasq DNS forwarder and DHCP server</summary>
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
|
@ -14212,6 +14339,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+ allow $1 dnsmasq_t:process signal;
|
+ allow $1 dnsmasq_t:process signal;
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Send dnsmasq a signull
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+#
|
||||||
|
+interface(`dnsmasq_signull',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type dnsmasq_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 dnsmasq_t:process signull;
|
||||||
|
+')
|
||||||
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Send dnsmasq a sigkill
|
+## Send dnsmasq a sigkill
|
||||||
|
@ -16465,7 +16612,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.12/policy/modules/services/networkmanager.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.12/policy/modules/services/networkmanager.te
|
||||||
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-10-14 11:58:09.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-10-14 11:58:09.000000000 -0400
|
||||||
+++ serefpolicy-3.5.12/policy/modules/services/networkmanager.te 2008-10-14 15:00:15.000000000 -0400
|
+++ serefpolicy-3.5.12/policy/modules/services/networkmanager.te 2008-10-16 14:35:40.000000000 -0400
|
||||||
@@ -33,9 +33,9 @@
|
@@ -33,9 +33,9 @@
|
||||||
|
|
||||||
# networkmanager will ptrace itself if gdb is installed
|
# networkmanager will ptrace itself if gdb is installed
|
||||||
|
@ -16525,7 +16672,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
libs_use_ld_so(NetworkManager_t)
|
libs_use_ld_so(NetworkManager_t)
|
||||||
libs_use_shared_libs(NetworkManager_t)
|
libs_use_shared_libs(NetworkManager_t)
|
||||||
|
|
||||||
@@ -119,23 +128,33 @@
|
@@ -119,27 +128,40 @@
|
||||||
|
|
||||||
seutil_read_config(NetworkManager_t)
|
seutil_read_config(NetworkManager_t)
|
||||||
|
|
||||||
|
@ -16558,14 +16705,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ avahi_domtrans(NetworkManager_t)
|
+ avahi_domtrans(NetworkManager_t)
|
||||||
+ avahi_signal(NetworkManager_t)
|
|
||||||
+ avahi_sigkill(NetworkManager_t)
|
+ avahi_sigkill(NetworkManager_t)
|
||||||
|
+ avahi_signal(NetworkManager_t)
|
||||||
|
+ avahi_signull(NetworkManager_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
bind_domtrans(NetworkManager_t)
|
bind_domtrans(NetworkManager_t)
|
||||||
bind_manage_cache(NetworkManager_t)
|
bind_manage_cache(NetworkManager_t)
|
||||||
@@ -151,8 +170,17 @@
|
bind_signal(NetworkManager_t)
|
||||||
|
+ bind_signull(NetworkManager_t)
|
||||||
|
+ bind_sigkill(NetworkManager_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
@@ -151,8 +173,18 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -16578,6 +16732,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+ dnsmasq_initrc_domtrans(NetworkManager_t)
|
+ dnsmasq_initrc_domtrans(NetworkManager_t)
|
||||||
+ dnsmasq_signal(NetworkManager_t)
|
+ dnsmasq_signal(NetworkManager_t)
|
||||||
+ dnsmasq_sigkill(NetworkManager_t)
|
+ dnsmasq_sigkill(NetworkManager_t)
|
||||||
|
+ dnsmasq_signull(NetworkManager_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
|
@ -16585,7 +16740,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -160,12 +188,18 @@
|
@@ -160,23 +192,48 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -16597,6 +16752,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
- nscd_socket_use(NetworkManager_t)
|
- nscd_socket_use(NetworkManager_t)
|
||||||
+ nscd_domtrans(NetworkManager_t)
|
+ nscd_domtrans(NetworkManager_t)
|
||||||
nscd_signal(NetworkManager_t)
|
nscd_signal(NetworkManager_t)
|
||||||
|
+ nscd_signull(NetworkManager_t)
|
||||||
|
+ nscd_sigkill(NetworkManager_t)
|
||||||
+ nscd_initrc_domtrans(NetworkManager_t)
|
+ nscd_initrc_domtrans(NetworkManager_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
@ -16606,15 +16763,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -174,9 +208,24 @@
|
openvpn_domtrans(NetworkManager_t)
|
||||||
')
|
openvpn_signal(NetworkManager_t)
|
||||||
|
+ openvpn_signull(NetworkManager_t)
|
||||||
optional_policy(`
|
+ openvpn_sigkill(NetworkManager_t)
|
||||||
+ polkit_domtrans_auth(NetworkManager_t)
|
|
||||||
+ polkit_read_lib(NetworkManager_t)
|
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
|
+ polkit_domtrans_auth(NetworkManager_t)
|
||||||
|
+ polkit_read_lib(NetworkManager_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
+ ppp_initrc_domtrans(NetworkManager_t)
|
+ ppp_initrc_domtrans(NetworkManager_t)
|
||||||
ppp_domtrans(NetworkManager_t)
|
ppp_domtrans(NetworkManager_t)
|
||||||
ppp_read_pid_files(NetworkManager_t)
|
ppp_read_pid_files(NetworkManager_t)
|
||||||
|
@ -16631,35 +16791,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -221,3 +270,28 @@
|
@@ -194,7 +251,9 @@
|
||||||
miscfiles_read_localization(wpa_cli_t)
|
|
||||||
|
|
||||||
term_dontaudit_use_console(wpa_cli_t)
|
optional_policy(`
|
||||||
+
|
vpn_domtrans(NetworkManager_t)
|
||||||
+########################################
|
+ vpn_sigkill(NetworkManager_t)
|
||||||
+#
|
vpn_signal(NetworkManager_t)
|
||||||
+# wpa_cli local policy
|
+ vpn_signull(NetworkManager_t)
|
||||||
+#
|
')
|
||||||
+allow wpa_cli_t self:capability dac_override;
|
|
||||||
+allow wpa_cli_t self:unix_dgram_socket create_socket_perms;
|
########################################
|
||||||
+
|
|
||||||
+allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto;
|
|
||||||
+
|
|
||||||
+manage_sock_files_pattern(wpa_cli_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
|
|
||||||
+files_tmp_filetrans(wpa_cli_t, NetworkManager_tmp_t, sock_file)
|
|
||||||
+
|
|
||||||
+list_dirs_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
|
|
||||||
+rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
|
|
||||||
+
|
|
||||||
+init_dontaudit_use_fds(wpa_cli_t)
|
|
||||||
+init_use_script_ptys(wpa_cli_t)
|
|
||||||
+
|
|
||||||
+libs_use_ld_so(wpa_cli_t)
|
|
||||||
+libs_use_shared_libs(wpa_cli_t)
|
|
||||||
+
|
|
||||||
+miscfiles_read_localization(wpa_cli_t)
|
|
||||||
+
|
|
||||||
+term_dontaudit_use_console(wpa_cli_t)
|
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.5.12/policy/modules/services/nis.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.5.12/policy/modules/services/nis.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/nis.fc 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/nis.fc 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.12/policy/modules/services/nis.fc 2008-10-14 15:00:15.000000000 -0400
|
+++ serefpolicy-3.5.12/policy/modules/services/nis.fc 2008-10-14 15:00:15.000000000 -0400
|
||||||
|
@ -16891,8 +17032,51 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.5.12/policy/modules/services/nscd.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.5.12/policy/modules/services/nscd.if
|
||||||
--- nsaserefpolicy/policy/modules/services/nscd.if 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/nscd.if 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.12/policy/modules/services/nscd.if 2008-10-14 15:00:15.000000000 -0400
|
+++ serefpolicy-3.5.12/policy/modules/services/nscd.if 2008-10-16 14:11:03.000000000 -0400
|
||||||
@@ -70,15 +70,14 @@
|
@@ -20,6 +20,42 @@
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
+## Send signulls to NSCD.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`nscd_signull',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type nscd_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 nscd_t:process signull;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Send sigkills to NSCD.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`nscd_sigkill',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type nscd_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 nscd_t:process sigkill;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
## Execute NSCD in the nscd domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
@@ -70,15 +106,14 @@
|
||||||
interface(`nscd_socket_use',`
|
interface(`nscd_socket_use',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type nscd_t, nscd_var_run_t;
|
type nscd_t, nscd_var_run_t;
|
||||||
|
@ -16910,7 +17094,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
files_search_pids($1)
|
files_search_pids($1)
|
||||||
stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
|
stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
|
||||||
dontaudit $1 nscd_var_run_t:file { getattr read };
|
dontaudit $1 nscd_var_run_t:file { getattr read };
|
||||||
@@ -204,3 +203,60 @@
|
@@ -204,3 +239,60 @@
|
||||||
role $2 types nscd_t;
|
role $2 types nscd_t;
|
||||||
dontaudit nscd_t $3:chr_file rw_term_perms;
|
dontaudit nscd_t $3:chr_file rw_term_perms;
|
||||||
')
|
')
|
||||||
|
@ -17236,6 +17420,59 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
# Add/remove user home directories
|
# Add/remove user home directories
|
||||||
unprivuser_home_filetrans_home_dir(oddjob_mkhomedir_t)
|
unprivuser_home_filetrans_home_dir(oddjob_mkhomedir_t)
|
||||||
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.if serefpolicy-3.5.12/policy/modules/services/openvpn.if
|
||||||
|
--- nsaserefpolicy/policy/modules/services/openvpn.if 2008-10-08 19:00:27.000000000 -0400
|
||||||
|
+++ serefpolicy-3.5.12/policy/modules/services/openvpn.if 2008-10-16 14:45:47.000000000 -0400
|
||||||
|
@@ -52,6 +52,24 @@
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
+## Send sigkills to OPENVPN clients.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`openvpn_sigkill',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type openvpn_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 openvpn_t:process sigkill;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
## Send generic signals to OPENVPN clients.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
@@ -70,6 +88,24 @@
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
+## Send signulls to OPENVPN clients.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`openvpn_signull',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type openvpn_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 openvpn_t:process signull;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
## Allow the specified domain to read
|
||||||
|
## OpenVPN configuration files.
|
||||||
|
## </summary>
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.5.12/policy/modules/services/openvpn.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.5.12/policy/modules/services/openvpn.te
|
||||||
--- nsaserefpolicy/policy/modules/services/openvpn.te 2008-10-14 11:58:09.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/openvpn.te 2008-10-14 11:58:09.000000000 -0400
|
||||||
+++ serefpolicy-3.5.12/policy/modules/services/openvpn.te 2008-10-14 15:00:15.000000000 -0400
|
+++ serefpolicy-3.5.12/policy/modules/services/openvpn.te 2008-10-14 15:00:15.000000000 -0400
|
||||||
|
@ -21046,7 +21283,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.5.12/policy/modules/services/sendmail.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.5.12/policy/modules/services/sendmail.if
|
||||||
--- nsaserefpolicy/policy/modules/services/sendmail.if 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/sendmail.if 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.12/policy/modules/services/sendmail.if 2008-10-14 15:00:15.000000000 -0400
|
+++ serefpolicy-3.5.12/policy/modules/services/sendmail.if 2008-10-16 13:51:54.000000000 -0400
|
||||||
|
@@ -89,7 +89,7 @@
|
||||||
|
type sendmail_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
- allow $1 sendmail_t:unix_stream_socket { read write };
|
||||||
|
+ allow $1 sendmail_t:unix_stream_socket { getattr read write };
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
@@ -149,3 +149,104 @@
|
@@ -149,3 +149,104 @@
|
||||||
|
|
||||||
logging_log_filetrans($1, sendmail_log_t, file)
|
logging_log_filetrans($1, sendmail_log_t, file)
|
||||||
|
@ -27088,7 +27334,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
|
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.5.12/policy/modules/system/selinuxutil.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.5.12/policy/modules/system/selinuxutil.if
|
||||||
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2008-10-10 15:53:03.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2008-10-10 15:53:03.000000000 -0400
|
||||||
+++ serefpolicy-3.5.12/policy/modules/system/selinuxutil.if 2008-10-14 15:00:15.000000000 -0400
|
+++ serefpolicy-3.5.12/policy/modules/system/selinuxutil.if 2008-10-16 13:47:47.000000000 -0400
|
||||||
@@ -555,6 +555,59 @@
|
@@ -555,6 +555,59 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
|
|
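Review bot: The header comments of the new `avahi_signal`, `avahi_signull` and `dnsmasq_signull` interfaces have two consecutive `#` lines between `## </param>` and `interface(`, whereas `vpn_sigkill`, `bind_signull`, `nscd_sigkill`, `openvpn_signull` and the rest of refpolicy use exactly one; the second `#` should go so the interface headers stay uniform for the interface documentation generator. Separately, networkmanager.te now adds `bind_sigkill`, `nscd_sigkill`, `openvpn_sigkill` and `vpn_sigkill` for NetworkManager_t on top of the existing avahi/dnsmasq ones; `process sigkill` on a system daemon such as named_t or nscd_t is a materially stronger grant than the adjacent signal/signull calls, so a one-line comment above each optional_policy block naming the NetworkManager behaviour that needs it (`# NM stops the helpers it manages; sigkill is for hung instances` — TODO confirm against NM sources) would let later reviewers tell an intentional grant from one added for symmetry. Where only liveness probing is needed, the `*_signull` interface alone covers it.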
@ -91,9 +91,6 @@ make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%
|
||||||
make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 conf \
|
make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 conf \
|
||||||
cp -f $RPM_SOURCE_DIR/modules-%1.conf ./policy/modules.conf \
|
cp -f $RPM_SOURCE_DIR/modules-%1.conf ./policy/modules.conf \
|
||||||
cp -f $RPM_SOURCE_DIR/booleans-%1.conf ./policy/booleans.conf \
|
cp -f $RPM_SOURCE_DIR/booleans-%1.conf ./policy/booleans.conf \
|
||||||
# Always create policy module package directories
|
|
||||||
mkdir -p %{buildroot}%{_usr}/share/selinux/%1
|
|
||||||
ln -s %{_usr}/share/selinux/devel/include %{buildroot}%{_usr}/share/selinux/%1/include
|
|
||||||
|
|
||||||
%define moduleList() %([ -f %{_sourcedir}/modules-%{1}.conf ] && \
|
%define moduleList() %([ -f %{_sourcedir}/modules-%{1}.conf ] && \
|
||||||
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "-i %%s.pp ", $1 }' %{_sourcedir}/modules-%{1}.conf )
|
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "-i %%s.pp ", $1 }' %{_sourcedir}/modules-%{1}.conf )
|
||||||
|
@ -127,7 +124,6 @@ bzip2 %{buildroot}/%{_usr}/share/selinux/%1/*.pp
|
||||||
%defattr(-,root,root) \
|
%defattr(-,root,root) \
|
||||||
%dir %{_usr}/share/selinux/%1 \
|
%dir %{_usr}/share/selinux/%1 \
|
||||||
%{_usr}/share/selinux/%1/*.pp.bz2 \
|
%{_usr}/share/selinux/%1/*.pp.bz2 \
|
||||||
%{_usr}/share/selinux/%1/include \
|
|
||||||
%dir %{_sysconfdir}/selinux/%1 \
|
%dir %{_sysconfdir}/selinux/%1 \
|
||||||
%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
|
%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
|
||||||
%ghost %{_sysconfdir}/selinux/%1/seusers \
|
%ghost %{_sysconfdir}/selinux/%1/seusers \
|
||||||
|
@ -217,6 +213,9 @@ mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
|
||||||
touch %{buildroot}%{_sysconfdir}/selinux/config
|
touch %{buildroot}%{_sysconfdir}/selinux/config
|
||||||
touch %{buildroot}%{_sysconfdir}/sysconfig/selinux
|
touch %{buildroot}%{_sysconfdir}/sysconfig/selinux
|
||||||
|
|
||||||
|
# Always create policy module package directories
|
||||||
|
mkdir -p %{buildroot}%{_usr}/share/selinux/{targeted,mls}/
|
||||||
|
|
||||||
# Install devel
|
# Install devel
|
||||||
make clean
|
make clean
|
||||||
%if %{BUILD_TARGETED}
|
%if %{BUILD_TARGETED}
|
||||||
|
@ -312,6 +311,7 @@ Obsoletes: selinux-policy-targeted-sources < 2
|
||||||
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
|
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
|
||||||
Requires(pre): coreutils
|
Requires(pre): coreutils
|
||||||
Requires(pre): selinux-policy = %{version}-%{release}
|
Requires(pre): selinux-policy = %{version}-%{release}
|
||||||
|
Conflicts: audispd-plugins <= 1.7.7-1
|
||||||
|
|
||||||
%description targeted
|
%description targeted
|
||||||
SELinux Reference policy targeted base module.
|
SELinux Reference policy targeted base module.
|
||||||
|
|
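Review bot: The new `Conflicts: audispd-plugins <= 1.7.7-1` in the targeted subpackage records no reason for the constraint, so nobody can later tell when it is safe to drop; add a one-line comment above it such as `# audispd-plugins <= 1.7.7-1: <reason — TODO record why it is incompatible with this policy>`. The unconditional `mkdir -p %{buildroot}%{_usr}/share/selinux/{targeted,mls}/` that replaces the per-policy `mkdir -p %{buildroot}%{_usr}/share/selinux/%1` hardcodes the two policy names while the %files macro still claims `%dir %{_usr}/share/selinux/%1`; if the macro is ever invoked for a third policy name, that directory now has to be created by the module install step rather than the spec — presumably it is, but a comment stating that (or keeping `%1` in the path) would make the assumption explicit.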