- Gnome apps list config_home_t
- mpd creates lnk files in homedir - apache leaks write to mail apps on tmp files - /var/stockmaniac/templates_cache contains log files - Abrt list the connects of mount_tmp_t dirs - passwd agent reads files under /dev and reads utmp file - squid apache script connects to the squid port - fix name of plymouth log file - teamviewer is a wine app - allow dmesg to read system state - Stop labeling files under /var/lib/mock so restorecon will not go into this - nsplugin needs to read network state for google talk
This commit is contained in:
Dan Walsh
parent
ef836a9861
commit
b96903aaa0
@ -178,6 +178,10 @@ spamd_enable_home_dirs = false
|
||||
#
|
||||
user_direct_mouse = false
|
||||
|
||||
# Allow all X apps to use /dev/dri
|
||||
#
|
||||
user_direct_dri = true
|
||||
|
||||
# Allow users to read system messages.
|
||||
#
|
||||
user_dmesg = false
|
||||
@ -279,3 +283,7 @@ fenced_can_network_connect=false
|
||||
## allow sshd to forward port connections
|
||||
#
|
||||
sshd_forward_ports=true
|
||||
|
||||
## On upgrades we want this true, Want it false on fresh installs
|
||||
#
|
||||
authlogin_nsswitch_use_ldap=true
|
||||
|
||||
@ -1371,6 +1371,13 @@ radius = module
|
||||
#
|
||||
radvd = module
|
||||
|
||||
# Layer: services
|
||||
# Module: razor
|
||||
#
|
||||
# A distributed, collaborative, spam detection and filtering network.
|
||||
#
|
||||
razor = module
|
||||
|
||||
# Layer: admin
|
||||
# Module: readahead
|
||||
#
|
||||
|
||||
290
policy-F15.patch
290
policy-F15.patch
@ -451,10 +451,18 @@ index cd5e005..7f3f992 100644
|
||||
|
||||
optional_policy(`
|
||||
diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
|
||||
index 72bc6d8..5421065 100644
|
||||
index 72bc6d8..ed02103 100644
|
||||
--- a/policy/modules/admin/dmesg.te
|
||||
+++ b/policy/modules/admin/dmesg.te
|
||||
@@ -50,6 +50,12 @@ userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
|
||||
@@ -19,6 +19,7 @@ dontaudit dmesg_t self:capability sys_tty_config;
|
||||
|
||||
allow dmesg_t self:process signal_perms;
|
||||
|
||||
+kernel_read_system_state(dmesg_t)
|
||||
kernel_read_kernel_sysctls(dmesg_t)
|
||||
kernel_read_ring_buffer(dmesg_t)
|
||||
kernel_clear_ring_buffer(dmesg_t)
|
||||
@@ -50,6 +51,12 @@ userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
|
||||
userdom_use_user_terminals(dmesg_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -2670,7 +2678,7 @@ index 00a19e3..46db5ff 100644
|
||||
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
|
||||
+
|
||||
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
|
||||
index f5afe78..2c8f94a 100644
|
||||
index f5afe78..c4df4b9 100644
|
||||
--- a/policy/modules/apps/gnome.if
|
||||
+++ b/policy/modules/apps/gnome.if
|
||||
@@ -37,8 +37,7 @@ interface(`gnome_role',`
|
||||
@ -3092,7 +3100,7 @@ index f5afe78..2c8f94a 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -151,40 +453,173 @@ interface(`gnome_setattr_config_dirs',`
|
||||
@@ -151,40 +453,174 @@ interface(`gnome_setattr_config_dirs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -3219,6 +3227,7 @@ index f5afe78..2c8f94a 100644
|
||||
+ type config_home_t;
|
||||
+ ')
|
||||
+
|
||||
+ list_dirs_pattern($1, config_home_t, config_home_t)
|
||||
+ read_files_pattern($1, config_home_t, config_home_t)
|
||||
+')
|
||||
+
|
||||
@ -4157,7 +4166,7 @@ index 93ac529..aafece7 100644
|
||||
/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
|
||||
+/usr/lib(64)?/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
|
||||
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
|
||||
index 9a6d67d..b0c1197 100644
|
||||
index 9a6d67d..5ac3ea5 100644
|
||||
--- a/policy/modules/apps/mozilla.if
|
||||
+++ b/policy/modules/apps/mozilla.if
|
||||
@@ -29,6 +29,8 @@ interface(`mozilla_role',`
|
||||
@ -4216,7 +4225,7 @@ index 9a6d67d..b0c1197 100644
|
||||
## Execmod mozilla home directory content.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -168,6 +194,70 @@ interface(`mozilla_domtrans',`
|
||||
@@ -168,6 +194,71 @@ interface(`mozilla_domtrans',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -4261,7 +4270,8 @@ index 9a6d67d..b0c1197 100644
|
||||
+
|
||||
+ mozilla_domtrans_plugin($1)
|
||||
+ role $2 types mozilla_plugin_t;
|
||||
+ allow $1 mozilla_plugin_t:unix_stream_socket connectto;
|
||||
+ allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms };
|
||||
+ allow $1 mozilla_plugin_t:process { signal sigkill };
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
@ -5109,10 +5119,10 @@ index 0000000..4f9cb05
|
||||
+')
|
||||
diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
|
||||
new file mode 100644
|
||||
index 0000000..ae1d09b
|
||||
index 0000000..a353718
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/apps/nsplugin.te
|
||||
@@ -0,0 +1,316 @@
|
||||
@@ -0,0 +1,317 @@
|
||||
+policy_module(nsplugin, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -5234,6 +5244,7 @@ index 0000000..ae1d09b
|
||||
+
|
||||
+kernel_read_kernel_sysctls(nsplugin_t)
|
||||
+kernel_read_system_state(nsplugin_t)
|
||||
+kernel_read_network_state(nsplugin_t)
|
||||
+
|
||||
+files_dontaudit_getattr_lost_found_dirs(nsplugin_t)
|
||||
+files_dontaudit_list_home(nsplugin_t)
|
||||
@ -7149,10 +7160,10 @@ index 0000000..46368cc
|
||||
+')
|
||||
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
|
||||
new file mode 100644
|
||||
index 0000000..2ace399
|
||||
index 0000000..24f8037
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/apps/telepathy.te
|
||||
@@ -0,0 +1,328 @@
|
||||
@@ -0,0 +1,329 @@
|
||||
+
|
||||
+policy_module(telepathy, 1.0.0)
|
||||
+
|
||||
@ -7401,6 +7412,7 @@ index 0000000..2ace399
|
||||
+
|
||||
+corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t)
|
||||
+corenet_tcp_connect_sip_port(telepathy_sofiasip_t)
|
||||
+corenet_udp_bind_all_ports(telepathy_sofiasip_t)
|
||||
+
|
||||
+kernel_request_load_module(telepathy_sofiasip_t)
|
||||
+
|
||||
@ -7690,7 +7702,7 @@ index c76ceb2..d7df452 100644
|
||||
|
||||
optional_policy(`
|
||||
diff --git a/policy/modules/apps/wine.fc b/policy/modules/apps/wine.fc
|
||||
index 9d24449..9782698 100644
|
||||
index 9d24449..2666317 100644
|
||||
--- a/policy/modules/apps/wine.fc
|
||||
+++ b/policy/modules/apps/wine.fc
|
||||
@@ -2,6 +2,7 @@ HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0)
|
||||
@ -7701,6 +7713,14 @@ index 9d24449..9782698 100644
|
||||
/opt/google/picasa(/.*)?/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0)
|
||||
/opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0)
|
||||
/opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0)
|
||||
@@ -10,6 +11,7 @@ HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0)
|
||||
/opt/google/picasa(/.*)?/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0)
|
||||
/opt/google/picasa(/.*)?/bin/wdi -- gen_context(system_u:object_r:wine_exec_t,s0)
|
||||
/opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
|
||||
+/opt/teamviewer(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
|
||||
|
||||
/opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
|
||||
|
||||
diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
|
||||
index 0440b4c..4b055c1 100644
|
||||
--- a/policy/modules/apps/wine.if
|
||||
@ -20526,6 +20546,21 @@ index f231f17..4ecd4b7 100644
|
||||
+optional_policy(`
|
||||
vbetool_domtrans(devicekit_power_t)
|
||||
')
|
||||
diff --git a/policy/modules/services/dhcp.fc b/policy/modules/services/dhcp.fc
|
||||
index 767e0c7..7956248 100644
|
||||
--- a/policy/modules/services/dhcp.fc
|
||||
+++ b/policy/modules/services/dhcp.fc
|
||||
@@ -1,8 +1,8 @@
|
||||
-/etc/rc\.d/init\.d/dhcpd -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
|
||||
+/etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
|
||||
|
||||
/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
|
||||
|
||||
/var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0)
|
||||
/var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0)
|
||||
|
||||
-/var/run/dhcpd\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
|
||||
+/var/run/dhcpd(6)?\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
|
||||
diff --git a/policy/modules/services/dhcp.if b/policy/modules/services/dhcp.if
|
||||
index 5e2cea8..7e129ff 100644
|
||||
--- a/policy/modules/services/dhcp.if
|
||||
@ -25041,15 +25076,15 @@ index 47e3612..ece07ab 100644
|
||||
# The milter runs from /var/lib/spamass-milter
|
||||
diff --git a/policy/modules/services/mock.fc b/policy/modules/services/mock.fc
|
||||
new file mode 100644
|
||||
index 0000000..42bb2a3
|
||||
index 0000000..68ad33f
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/services/mock.fc
|
||||
@@ -0,0 +1,6 @@
|
||||
+
|
||||
+/usr/sbin/mock -- gen_context(system_u:object_r:mock_exec_t,s0)
|
||||
+
|
||||
+/var/lib/mock(/.*)? gen_context(system_u:object_r:mock_var_lib_t,s0)
|
||||
+
|
||||
+/var/lib/mock -d gen_context(system_u:object_r:mock_var_lib_t,s0)
|
||||
+/var/lib/mock(/.*)? <<none>>
|
||||
+/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0)
|
||||
diff --git a/policy/modules/services/mock.if b/policy/modules/services/mock.if
|
||||
new file mode 100644
|
||||
@ -25815,10 +25850,10 @@ index 0000000..311aaed
|
||||
+')
|
||||
diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te
|
||||
new file mode 100644
|
||||
index 0000000..f2e8836
|
||||
index 0000000..92e86a2
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/services/mpd.te
|
||||
@@ -0,0 +1,126 @@
|
||||
@@ -0,0 +1,127 @@
|
||||
+policy_module(mpd, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -25872,6 +25907,7 @@ index 0000000..f2e8836
|
||||
+
|
||||
+manage_dirs_pattern(mpd_t, mpd_data_t, mpd_data_t)
|
||||
+manage_files_pattern(mpd_t, mpd_data_t, mpd_data_t)
|
||||
+manage_lnk_files_pattern(mpd_t, mpd_data_t, mpd_data_t)
|
||||
+
|
||||
+manage_dirs_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
|
||||
+manage_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
|
||||
@ -26220,7 +26256,7 @@ index 343cee3..2f948ad 100644
|
||||
+ ')
|
||||
+')
|
||||
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
|
||||
index 64268e4..ce7924b 100644
|
||||
index 64268e4..8974c28 100644
|
||||
--- a/policy/modules/services/mta.te
|
||||
+++ b/policy/modules/services/mta.te
|
||||
@@ -20,8 +20,8 @@ files_type(etc_aliases_t)
|
||||
@ -26275,7 +26311,7 @@ index 64268e4..ce7924b 100644
|
||||
apache_dontaudit_rw_stream_sockets(system_mail_t)
|
||||
apache_dontaudit_rw_tcp_sockets(system_mail_t)
|
||||
apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
|
||||
+ apache_dontaudit_write_tmp_files(system_mail_t)
|
||||
+ apache_dontaudit_rw_tmp_files(system_mail_t)
|
||||
+
|
||||
+ # apache should set close-on-exec
|
||||
+ apache_dontaudit_rw_stream_sockets(mta_user_agent)
|
||||
@ -29053,7 +29089,7 @@ index 5702ca4..5df5316 100644
|
||||
+
|
||||
+/var/log/boot\.log -- gen_context(system_u:object_r:plymouthd_var_log_t,s0)
|
||||
diff --git a/policy/modules/services/plymouthd.if b/policy/modules/services/plymouthd.if
|
||||
index 9759ed8..07dd3ff 100644
|
||||
index 9759ed8..48a5431 100644
|
||||
--- a/policy/modules/services/plymouthd.if
|
||||
+++ b/policy/modules/services/plymouthd.if
|
||||
@@ -5,12 +5,12 @@
|
||||
@ -29192,7 +29228,56 @@ index 9759ed8..07dd3ff 100644
|
||||
gen_require(`
|
||||
type plymouthd_var_run_t;
|
||||
')
|
||||
@@ -243,18 +243,20 @@ interface(`plymouthd_read_pid_files', `
|
||||
@@ -228,6 +228,48 @@ interface(`plymouthd_read_pid_files', `
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## Allow the specified domain to read
|
||||
+## to plymouthd log files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`plymouthd_read_log',`
|
||||
+ gen_require(`
|
||||
+ type plymouthd_var_log_t;
|
||||
+ ')
|
||||
+
|
||||
+ logging_search_logs($1)
|
||||
+ read_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Allow the specified domain to manage
|
||||
+## to plymouthd log files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`plymouthd_manage_log',`
|
||||
+ gen_require(`
|
||||
+ type plymouthd_var_log_t;
|
||||
+ ')
|
||||
+
|
||||
+ logging_search_logs($1)
|
||||
+ manage_dirs_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
|
||||
+ manage_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
|
||||
+ read_lnk_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an plymouthd environment
|
||||
## </summary>
|
||||
@@ -243,18 +285,20 @@ interface(`plymouthd_read_pid_files', `
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
@ -31885,6 +31970,18 @@ index 0000000..d9c56d4
|
||||
+ corosync_stream_connect(qpidd_t)
|
||||
+')
|
||||
+
|
||||
diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
|
||||
index b1ed1bf..21e2d95 100644
|
||||
--- a/policy/modules/services/radius.te
|
||||
+++ b/policy/modules/services/radius.te
|
||||
@@ -77,6 +77,7 @@ corenet_udp_sendrecv_all_ports(radiusd_t)
|
||||
corenet_udp_bind_generic_node(radiusd_t)
|
||||
corenet_udp_bind_radacct_port(radiusd_t)
|
||||
corenet_udp_bind_radius_port(radiusd_t)
|
||||
+corenet_tcp_connect_postgresql_port(radiusd_t)
|
||||
corenet_tcp_connect_mysqld_port(radiusd_t)
|
||||
corenet_tcp_connect_snmp_port(radiusd_t)
|
||||
corenet_sendrecv_radius_server_packets(radiusd_t)
|
||||
diff --git a/policy/modules/services/radvd.if b/policy/modules/services/radvd.if
|
||||
index be05bff..2bd662a 100644
|
||||
--- a/policy/modules/services/radvd.if
|
||||
@ -35559,7 +35656,7 @@ index d2496bd..1d0c078 100644
|
||||
|
||||
allow $1 squid_t:process { ptrace signal_perms };
|
||||
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
|
||||
index 4b2230e..a8fa2a0 100644
|
||||
index 4b2230e..d45dc67 100644
|
||||
--- a/policy/modules/services/squid.te
|
||||
+++ b/policy/modules/services/squid.te
|
||||
@@ -6,17 +6,17 @@ policy_module(squid, 1.10.0)
|
||||
@ -35606,6 +35703,14 @@ index 4b2230e..a8fa2a0 100644
|
||||
')
|
||||
|
||||
tunable_policy(`squid_use_tproxy',`
|
||||
@@ -185,6 +186,7 @@ optional_policy(`
|
||||
corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
|
||||
corenet_all_recvfrom_netlabel(httpd_squid_script_t)
|
||||
corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
|
||||
+ corenet_tcp_connect_squid_port(httpd_squid_script_t)
|
||||
|
||||
sysnet_dns_name_resolve(httpd_squid_script_t)
|
||||
|
||||
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
|
||||
index 078bcd7..06da5f7 100644
|
||||
--- a/policy/modules/services/ssh.fc
|
||||
@ -39595,7 +39700,7 @@ index da2601a..6b12229 100644
|
||||
+ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
|
||||
+')
|
||||
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
|
||||
index 145fc4b..05cbefe 100644
|
||||
index 145fc4b..d1f5057 100644
|
||||
--- a/policy/modules/services/xserver.te
|
||||
+++ b/policy/modules/services/xserver.te
|
||||
@@ -26,27 +26,50 @@ gen_require(`
|
||||
@ -40286,7 +40391,7 @@ index 145fc4b..05cbefe 100644
|
||||
hostname_exec(xdm_t)
|
||||
')
|
||||
|
||||
@@ -539,28 +796,63 @@ optional_policy(`
|
||||
@@ -539,28 +796,64 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -40305,6 +40410,7 @@ index 145fc4b..05cbefe 100644
|
||||
+ plymouthd_search_spool(xdm_t)
|
||||
+ plymouthd_exec_plymouth(xdm_t)
|
||||
+ plymouthd_stream_connect(xdm_t)
|
||||
+ plymouthd_read_log(xdm_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
@ -40359,7 +40465,7 @@ index 145fc4b..05cbefe 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -572,6 +864,10 @@ optional_policy(`
|
||||
@@ -572,6 +865,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -40370,7 +40476,7 @@ index 145fc4b..05cbefe 100644
|
||||
xfs_stream_connect(xdm_t)
|
||||
')
|
||||
|
||||
@@ -596,7 +892,7 @@ allow xserver_t input_xevent_t:x_event send;
|
||||
@@ -596,7 +893,7 @@ allow xserver_t input_xevent_t:x_event send;
|
||||
# execheap needed until the X module loader is fixed.
|
||||
# NVIDIA Needs execstack
|
||||
|
||||
@ -40379,7 +40485,7 @@ index 145fc4b..05cbefe 100644
|
||||
dontaudit xserver_t self:capability chown;
|
||||
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow xserver_t self:fd use;
|
||||
@@ -610,6 +906,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
@@ -610,6 +907,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
||||
allow xserver_t self:udp_socket create_socket_perms;
|
||||
@ -40394,7 +40500,7 @@ index 145fc4b..05cbefe 100644
|
||||
|
||||
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||
@@ -629,12 +933,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||
@@ -629,12 +934,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||
files_search_var_lib(xserver_t)
|
||||
|
||||
@ -40416,7 +40522,7 @@ index 145fc4b..05cbefe 100644
|
||||
|
||||
kernel_read_system_state(xserver_t)
|
||||
kernel_read_device_sysctls(xserver_t)
|
||||
@@ -642,6 +953,7 @@ kernel_read_modprobe_sysctls(xserver_t)
|
||||
@@ -642,6 +954,7 @@ kernel_read_modprobe_sysctls(xserver_t)
|
||||
# Xorg wants to check if kernel is tainted
|
||||
kernel_read_kernel_sysctls(xserver_t)
|
||||
kernel_write_proc_files(xserver_t)
|
||||
@ -40424,7 +40530,7 @@ index 145fc4b..05cbefe 100644
|
||||
|
||||
# Run helper programs in xserver_t.
|
||||
corecmd_exec_bin(xserver_t)
|
||||
@@ -668,7 +980,6 @@ dev_rw_apm_bios(xserver_t)
|
||||
@@ -668,7 +981,6 @@ dev_rw_apm_bios(xserver_t)
|
||||
dev_rw_agp(xserver_t)
|
||||
dev_rw_framebuffer(xserver_t)
|
||||
dev_manage_dri_dev(xserver_t)
|
||||
@ -40432,7 +40538,7 @@ index 145fc4b..05cbefe 100644
|
||||
dev_create_generic_dirs(xserver_t)
|
||||
dev_setattr_generic_dirs(xserver_t)
|
||||
# raw memory access is needed if not using the frame buffer
|
||||
@@ -678,11 +989,17 @@ dev_wx_raw_memory(xserver_t)
|
||||
@@ -678,11 +990,17 @@ dev_wx_raw_memory(xserver_t)
|
||||
dev_rw_xserver_misc(xserver_t)
|
||||
# read events - the synaptics touchpad driver reads raw events
|
||||
dev_rw_input_dev(xserver_t)
|
||||
@ -40450,7 +40556,7 @@ index 145fc4b..05cbefe 100644
|
||||
|
||||
# brought on by rhgb
|
||||
files_search_mnt(xserver_t)
|
||||
@@ -693,8 +1010,13 @@ fs_getattr_xattr_fs(xserver_t)
|
||||
@@ -693,8 +1011,13 @@ fs_getattr_xattr_fs(xserver_t)
|
||||
fs_search_nfs(xserver_t)
|
||||
fs_search_auto_mountpoints(xserver_t)
|
||||
fs_search_ramfs(xserver_t)
|
||||
@ -40464,7 +40570,7 @@ index 145fc4b..05cbefe 100644
|
||||
|
||||
selinux_validate_context(xserver_t)
|
||||
selinux_compute_access_vector(xserver_t)
|
||||
@@ -716,11 +1038,14 @@ logging_send_audit_msgs(xserver_t)
|
||||
@@ -716,11 +1039,14 @@ logging_send_audit_msgs(xserver_t)
|
||||
|
||||
miscfiles_read_localization(xserver_t)
|
||||
miscfiles_read_fonts(xserver_t)
|
||||
@ -40479,7 +40585,7 @@ index 145fc4b..05cbefe 100644
|
||||
|
||||
userdom_search_user_home_dirs(xserver_t)
|
||||
userdom_use_user_ttys(xserver_t)
|
||||
@@ -773,12 +1098,28 @@ optional_policy(`
|
||||
@@ -773,12 +1099,28 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -40509,7 +40615,7 @@ index 145fc4b..05cbefe 100644
|
||||
unconfined_domtrans(xserver_t)
|
||||
')
|
||||
|
||||
@@ -787,6 +1128,10 @@ optional_policy(`
|
||||
@@ -787,6 +1129,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -40520,7 +40626,7 @@ index 145fc4b..05cbefe 100644
|
||||
xfs_stream_connect(xserver_t)
|
||||
')
|
||||
|
||||
@@ -802,10 +1147,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
|
||||
@@ -802,10 +1148,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
|
||||
|
||||
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
|
||||
# handle of a file inside the dir!!!
|
||||
@ -40534,7 +40640,7 @@ index 145fc4b..05cbefe 100644
|
||||
|
||||
# Label pid and temporary files with derived types.
|
||||
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||
@@ -813,7 +1158,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||
@@ -813,7 +1159,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||
|
||||
# Run xkbcomp.
|
||||
@ -40543,7 +40649,7 @@ index 145fc4b..05cbefe 100644
|
||||
can_exec(xserver_t, xkb_var_lib_t)
|
||||
|
||||
# VNC v4 module in X server
|
||||
@@ -826,6 +1171,9 @@ init_use_fds(xserver_t)
|
||||
@@ -826,6 +1172,9 @@ init_use_fds(xserver_t)
|
||||
# to read ROLE_home_t - examine this in more detail
|
||||
# (xauth?)
|
||||
userdom_read_user_home_content_files(xserver_t)
|
||||
@ -40553,7 +40659,7 @@ index 145fc4b..05cbefe 100644
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs(xserver_t)
|
||||
@@ -833,6 +1181,11 @@ tunable_policy(`use_nfs_home_dirs',`
|
||||
@@ -833,6 +1182,11 @@ tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_symlinks(xserver_t)
|
||||
')
|
||||
|
||||
@ -40565,7 +40671,7 @@ index 145fc4b..05cbefe 100644
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_manage_cifs_dirs(xserver_t)
|
||||
fs_manage_cifs_files(xserver_t)
|
||||
@@ -841,11 +1194,14 @@ tunable_policy(`use_samba_home_dirs',`
|
||||
@@ -841,11 +1195,14 @@ tunable_policy(`use_samba_home_dirs',`
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(xserver_t)
|
||||
@ -40582,7 +40688,7 @@ index 145fc4b..05cbefe 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -853,6 +1209,10 @@ optional_policy(`
|
||||
@@ -853,6 +1210,10 @@ optional_policy(`
|
||||
rhgb_rw_tmpfs_files(xserver_t)
|
||||
')
|
||||
|
||||
@ -40593,7 +40699,7 @@ index 145fc4b..05cbefe 100644
|
||||
########################################
|
||||
#
|
||||
# Rules common to all X window domains
|
||||
@@ -896,7 +1256,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
|
||||
@@ -896,7 +1257,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
|
||||
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
|
||||
# operations allowed on my windows
|
||||
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
||||
@ -40602,7 +40708,7 @@ index 145fc4b..05cbefe 100644
|
||||
# operations allowed on all windows
|
||||
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
|
||||
|
||||
@@ -950,11 +1310,31 @@ allow x_domain self:x_resource { read write };
|
||||
@@ -950,11 +1311,31 @@ allow x_domain self:x_resource { read write };
|
||||
# can mess with the screensaver
|
||||
allow x_domain xserver_t:x_screen { getattr saver_getattr };
|
||||
|
||||
@ -40634,7 +40740,7 @@ index 145fc4b..05cbefe 100644
|
||||
tunable_policy(`! xserver_object_manager',`
|
||||
# should be xserver_unconfined(x_domain),
|
||||
# but typeattribute doesnt work in conditionals
|
||||
@@ -976,18 +1356,32 @@ tunable_policy(`! xserver_object_manager',`
|
||||
@@ -976,18 +1357,32 @@ tunable_policy(`! xserver_object_manager',`
|
||||
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
|
||||
')
|
||||
|
||||
@ -44287,7 +44393,7 @@ index 3fb1915..26e9f79 100644
|
||||
- nscd_socket_use(sulogin_t)
|
||||
-')
|
||||
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
|
||||
index 571599b..17dd196 100644
|
||||
index 571599b..3644f0f 100644
|
||||
--- a/policy/modules/system/logging.fc
|
||||
+++ b/policy/modules/system/logging.fc
|
||||
@@ -17,6 +17,10 @@
|
||||
@ -44309,7 +44415,7 @@ index 571599b..17dd196 100644
|
||||
/var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
|
||||
|
||||
ifdef(`distro_suse', `
|
||||
@@ -54,14 +59,16 @@ ifdef(`distro_redhat',`
|
||||
@@ -54,18 +59,24 @@ ifdef(`distro_redhat',`
|
||||
/var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
|
||||
')
|
||||
|
||||
@ -44330,9 +44436,11 @@ index 571599b..17dd196 100644
|
||||
|
||||
/var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||
/var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
|
||||
@@ -69,3 +76,5 @@ ifdef(`distro_redhat',`
|
||||
/var/spool/plymouth/boot.log gen_context(system_u:object_r:var_log_t,s0)
|
||||
/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||
|
||||
+/var/stockmaniac/templates_cache gen_context(system_u:object_r:var_log_t,s0)
|
||||
+
|
||||
/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||
+
|
||||
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||
@ -44476,7 +44584,7 @@ index c7cfb62..ee9809d 100644
|
||||
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
|
||||
index 9b5a9ed..2b30dd6 100644
|
||||
index 9b5a9ed..d3fb3f6 100644
|
||||
--- a/policy/modules/system/logging.te
|
||||
+++ b/policy/modules/system/logging.te
|
||||
@@ -55,11 +55,12 @@ type klogd_var_run_t;
|
||||
@ -44588,7 +44696,18 @@ index 9b5a9ed..2b30dd6 100644
|
||||
|
||||
domain_use_interactive_fds(syslogd_t)
|
||||
|
||||
@@ -488,6 +519,10 @@ optional_policy(`
|
||||
@@ -480,6 +511,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ plymouthd_manage_log(syslogd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
postgresql_stream_connect(syslogd_t)
|
||||
')
|
||||
|
||||
@@ -488,6 +523,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -45042,7 +45161,7 @@ index 72c746e..e3d06fd 100644
|
||||
+/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
|
||||
+/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
|
||||
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
|
||||
index 8b5c196..b195f9d 100644
|
||||
index 8b5c196..83107f9 100644
|
||||
--- a/policy/modules/system/mount.if
|
||||
+++ b/policy/modules/system/mount.if
|
||||
@@ -16,6 +16,16 @@ interface(`mount_domtrans',`
|
||||
@ -45062,7 +45181,7 @@ index 8b5c196..b195f9d 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -45,12 +55,58 @@ interface(`mount_run',`
|
||||
@@ -45,8 +55,54 @@ interface(`mount_run',`
|
||||
role $2 types mount_t;
|
||||
|
||||
optional_policy(`
|
||||
@ -45085,11 +45204,11 @@ index 8b5c196..b195f9d 100644
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ samba_run_smbmount(mount_t, $2)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+ ')
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute fusermount in the mount domain, and
|
||||
+## allow the specified role the mount domain,
|
||||
+## and use the caller's terminal.
|
||||
@ -45109,19 +45228,15 @@ index 8b5c196..b195f9d 100644
|
||||
+interface(`mount_run_fusermount',`
|
||||
+ gen_require(`
|
||||
+ type mount_t;
|
||||
+ ')
|
||||
')
|
||||
+
|
||||
+ mount_domtrans_fusermount($1)
|
||||
+ role $2 types mount_t;
|
||||
+
|
||||
+ fstools_run(mount_t, $2)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Execute mount in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -84,9 +140,11 @@ interface(`mount_exec',`
|
||||
interface(`mount_signal',`
|
||||
gen_require(`
|
||||
@ -45143,7 +45258,32 @@ index 8b5c196..b195f9d 100644
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@@ -176,4 +234,109 @@ interface(`mount_run_unconfined',`
|
||||
@@ -135,6 +193,24 @@ interface(`mount_send_nfs_client_request',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## Read the mount tmp directory
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`mount_list_tmp',`
|
||||
+ gen_require(`
|
||||
+ type mount_tmp_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 mount_tmp_t:dir list_dir_perms;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Execute mount in the unconfined mount domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -176,4 +252,109 @@ interface(`mount_run_unconfined',`
|
||||
|
||||
mount_domtrans_unconfined($1)
|
||||
role $2 types unconfined_mount_t;
|
||||
@ -46519,12 +46659,17 @@ index 1447687..cdc0223 100644
|
||||
type setrans_initrc_exec_t;
|
||||
init_script_file(setrans_initrc_exec_t)
|
||||
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
|
||||
index 726619b..36426f7 100644
|
||||
index 726619b..ece1edf 100644
|
||||
--- a/policy/modules/system/sysnetwork.fc
|
||||
+++ b/policy/modules/system/sysnetwork.fc
|
||||
@@ -13,7 +13,7 @@
|
||||
/etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
|
||||
/etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
|
||||
@@ -10,10 +10,10 @@
|
||||
/etc/dhclient.*conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
|
||||
/etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
|
||||
/etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
|
||||
-/etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
|
||||
-/etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
|
||||
+/etc/dhcpd(6)?\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
|
||||
+/etc/dhcp/dhcpd(6)?\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
|
||||
/etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0)
|
||||
-/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
|
||||
+/etc/hosts[^/]* -- gen_context(system_u:object_r:net_conf_t,s0)
|
||||
@ -47094,10 +47239,10 @@ index 0000000..5f0352b
|
||||
+
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
new file mode 100644
|
||||
index 0000000..24f8c6f
|
||||
index 0000000..52a952b
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -0,0 +1,98 @@
|
||||
@@ -0,0 +1,101 @@
|
||||
+
|
||||
+policy_module(systemd, 1.0.0)
|
||||
+
|
||||
@ -47141,9 +47286,12 @@ index 0000000..24f8c6f
|
||||
+files_read_etc_files(systemd_passwd_agent_t)
|
||||
+
|
||||
+dev_create_generic_dirs(systemd_passwd_agent_t)
|
||||
+dev_read_generic_files(systemd_passwd_agent_t)
|
||||
+
|
||||
+auth_use_nsswitch(systemd_passwd_agent_t)
|
||||
+
|
||||
+init_read_utmp(systemd_passwd_agent_t)
|
||||
+
|
||||
+miscfiles_read_localization(systemd_passwd_agent_t)
|
||||
+
|
||||
+#######################################
|
||||
|
||||
@ -21,7 +21,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.9.12
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -333,7 +333,7 @@ if [ $1 -eq 1 ]; then
|
||||
%loadpolicy targeted $packages
|
||||
restorecon -R /root /var/log /var/run /var/lib 2> /dev/null
|
||||
else
|
||||
semodule -n -s targeted -r pyzor -r razor -r moilscanner mailscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal 2>/dev/null
|
||||
semodule -n -s targeted -r moilscanner mailscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal 2>/dev/null
|
||||
%loadpolicy targeted $packages
|
||||
%relabel targeted
|
||||
fi
|
||||
@ -452,7 +452,7 @@ SELinux Reference policy mls base module.
|
||||
%saveFileContext mls
|
||||
|
||||
%post mls
|
||||
semodule -n -s mls -r pyzor -r razor -r mailscanner polkit ModemManager telepathysofiasip ethereal 2>/dev/null
|
||||
semodule -n -s mls -r mailscanner polkit ModemManager telepathysofiasip ethereal 2>/dev/null
|
||||
packages=`cat /usr/share/selinux/mls/modules.lst`
|
||||
%loadpolicy mls $packages
|
||||
|
||||
@ -471,6 +471,25 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Dec 28 2010 Dan Walsh <dwalsh@redhat.com> 3.9.12-4
|
||||
- Gnome apps list config_home_t
|
||||
- mpd creates lnk files in homedir
|
||||
- apache leaks write to mail apps on tmp files
|
||||
- /var/stockmaniac/templates_cache contains log files
|
||||
- Abrt list the connects of mount_tmp_t dirs
|
||||
- passwd agent reads files under /dev and reads utmp file
|
||||
- squid apache script connects to the squid port
|
||||
- fix name of plymouth log file
|
||||
- teamviewer is a wine app
|
||||
- allow dmesg to read system state
|
||||
- Stop labeling files under /var/lib/mock so restorecon will not go into this
|
||||
- nsplugin needs to read network state for google talk
|
||||
|
||||
* Thu Dec 23 2010 Dan Walsh <dwalsh@redhat.com> 3.9.12-3
|
||||
- Allow xdm and syslog to use /var/log/boot.log
|
||||
- Allow users to communicate with mozilla_plugin and kill it
|
||||
- Add labeling for ipv6 and dhcp
|
||||
|
||||
* Tue Dec 21 2010 Dan Walsh <dwalsh@redhat.com> 3.9.12-2
|
||||
- New labels for ghc http content
|
||||
- nsplugin_config needs to read urand, lvm now calls setfscreate to create dev
|
||||
|
||||
Loading…
Reference in New Issue
Block a user