- Fix dovecot access
parent
49f48f4a99
commit
b9e15d9766
@ -3883,8 +3883,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+typealias mozilla_tmp_t alias user_mozilla_tmp_t;
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.fc serefpolicy-3.5.13/policy/modules/apps/mplayer.fc
|
||||
--- nsaserefpolicy/policy/modules/apps/mplayer.fc 2008-08-07 11:15:03.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/apps/mplayer.fc 2008-10-17 10:31:26.000000000 -0400
|
||||
@@ -1,13 +1,8 @@
|
||||
+++ serefpolicy-3.5.13/policy/modules/apps/mplayer.fc 2008-10-20 14:00:46.000000000 -0400
|
||||
@@ -1,13 +1,9 @@
|
||||
#
|
||||
-# /etc
|
||||
-#
|
||||
@ -3893,6 +3893,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
-#
|
||||
# /usr
|
||||
#
|
||||
+/usr/bin/vlc -- gen_context(system_u:object_r:mplayer_exec_t,s0)
|
||||
/usr/bin/mplayer -- gen_context(system_u:object_r:mplayer_exec_t,s0)
|
||||
/usr/bin/mencoder -- gen_context(system_u:object_r:mencoder_exec_t,s0)
|
||||
/usr/bin/xine -- gen_context(system_u:object_r:mplayer_exec_t,s0)
|
||||
@ -4070,8 +4071,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+HOME_DIR/\.config/totem(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.5.13/policy/modules/apps/nsplugin.if
|
||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.if 2008-10-17 16:15:42.000000000 -0400
|
||||
@@ -0,0 +1,295 @@
|
||||
+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.if 2008-10-20 09:36:38.000000000 -0400
|
||||
@@ -0,0 +1,297 @@
|
||||
+
|
||||
+## <summary>policy for nsplugin</summary>
|
||||
+
|
||||
@ -4172,10 +4173,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ dontaudit nsplugin_t $2:udp_socket rw_socket_perms;
|
||||
+ dontaudit nsplugin_t $2:unix_stream_socket rw_socket_perms;
|
||||
+ dontaudit nsplugin_t $2:unix_dgram_socket rw_socket_perms;
|
||||
+ dontaudit nsplugin_t $2:fifo_file rw_fifo_file_perms;
|
||||
+ dontaudit nsplugin_config_t $2:tcp_socket rw_socket_perms;
|
||||
+ dontaudit nsplugin_config_t $2:udp_socket rw_socket_perms;
|
||||
+ dontaudit nsplugin_config_t $2:unix_stream_socket rw_socket_perms;
|
||||
+ dontaudit nsplugin_config_t $2:unix_dgram_socket rw_socket_perms;
|
||||
+ dontaudit nsplugin_config_t $2:fifo_file rw_fifo_file_perms;
|
||||
+ allow nsplugin_t $2:unix_stream_socket connectto;
|
||||
+ dontaudit nsplugin_t $2:process ptrace;
|
||||
+
|
||||
@ -7417,7 +7420,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
#
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.5.13/policy/modules/kernel/filesystem.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2008-08-14 13:08:27.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.if 2008-10-17 10:31:27.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.if 2008-10-20 11:19:32.000000000 -0400
|
||||
@@ -535,6 +535,24 @@
|
||||
|
||||
########################################
|
||||
@ -7726,7 +7729,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -3644,3 +3823,123 @@
|
||||
@@ -3644,3 +3823,142 @@
|
||||
relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
|
||||
relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
|
||||
')
|
||||
@ -7813,6 +7816,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read, a FUSEFS filesystem.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`fs_read_fusefs_files',`
|
||||
+ gen_require(`
|
||||
+ type fusefs_t;
|
||||
+ ')
|
||||
+
|
||||
+ read_files_pattern($1,fusefs_t,fusefs_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read symbolic links on a FUSEFS filesystem.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
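Review bot: The summary of the new fs_read_fusefs_files interface reads `## Read, a FUSEFS filesystem.`, which is ungrammatical and does not say what is being read; the sibling interface directly below uses `## Read symbolic links on a FUSEFS filesystem.`, so `## Read files on a FUSEFS filesystem.` matches the file's own wording. The call `read_files_pattern($1,fusefs_t,fusefs_t)` also drops the spaces after the commas that the neighbouring interfaces use, `read_files_pattern($1, fusefs_t, fusefs_t)`. read_files_pattern grants search on fusefs_t directories as well as read on fusefs_t files, so a caller such as the `fs_read_fusefs_files(mount_t)` line elsewhere in this diff gets traversal of the whole FUSE mount too; stating that in the summary would make the scope of the grant visible to later callers.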
@ -7891,7 +7913,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
#
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.5.13/policy/modules/kernel/kernel.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2008-08-07 11:15:01.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/kernel/kernel.if 2008-10-17 10:56:51.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/kernel/kernel.if 2008-10-20 14:00:25.000000000 -0400
|
||||
@@ -1198,6 +1198,7 @@
|
||||
')
|
||||
|
||||
@ -10477,7 +10499,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te
|
||||
--- nsaserefpolicy/policy/modules/services/apache.te 2008-10-16 17:21:16.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-10-17 10:31:27.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-10-20 15:37:58.000000000 -0400
|
||||
@@ -20,6 +20,8 @@
|
||||
# Declarations
|
||||
#
|
||||
@ -10571,17 +10593,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
type httpd_lock_t;
|
||||
files_lock_file(httpd_lock_t)
|
||||
|
||||
@@ -180,6 +220,9 @@
|
||||
@@ -180,6 +220,10 @@
|
||||
|
||||
# setup the system domain for system CGI scripts
|
||||
apache_content_template(sys)
|
||||
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
|
||||
+typeattribute httpd_sys_content_t httpdcontent, httpd_ro_content; # customizable
|
||||
+typeattribute httpd_sys_content_rw_t httpdcontent, httpd_rw_content; # customizable
|
||||
+typeattribute httpd_sys_content_ra_t httpdcontent; # customizable
|
||||
|
||||
type httpd_tmp_t;
|
||||
files_tmp_file(httpd_tmp_t)
|
||||
@@ -202,12 +245,16 @@
|
||||
@@ -202,12 +246,16 @@
|
||||
prelink_object_file(httpd_modules_t)
|
||||
')
|
||||
|
||||
@ -10599,7 +10622,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dontaudit httpd_t self:capability { net_admin sys_tty_config };
|
||||
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow httpd_t self:fd use;
|
||||
@@ -249,6 +296,7 @@
|
||||
@@ -249,6 +297,7 @@
|
||||
allow httpd_t httpd_modules_t:dir list_dir_perms;
|
||||
mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
||||
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
||||
@ -10607,7 +10630,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
apache_domtrans_rotatelogs(httpd_t)
|
||||
# Apache-httpd needs to be able to send signals to the log rotate procs.
|
||||
@@ -260,9 +308,9 @@
|
||||
@@ -260,9 +309,9 @@
|
||||
|
||||
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
|
||||
|
||||
@ -10620,7 +10643,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
||||
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
||||
@@ -289,6 +337,7 @@
|
||||
@@ -289,6 +338,7 @@
|
||||
kernel_read_kernel_sysctls(httpd_t)
|
||||
# for modules that want to access /proc/meminfo
|
||||
kernel_read_system_state(httpd_t)
|
||||
@ -10628,7 +10651,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
corenet_all_recvfrom_unlabeled(httpd_t)
|
||||
corenet_all_recvfrom_netlabel(httpd_t)
|
||||
@@ -299,6 +348,7 @@
|
||||
@@ -299,6 +349,7 @@
|
||||
corenet_tcp_sendrecv_all_ports(httpd_t)
|
||||
corenet_udp_sendrecv_all_ports(httpd_t)
|
||||
corenet_tcp_bind_all_nodes(httpd_t)
|
||||
@ -10636,7 +10659,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
corenet_tcp_bind_http_port(httpd_t)
|
||||
corenet_tcp_bind_http_cache_port(httpd_t)
|
||||
corenet_sendrecv_http_server_packets(httpd_t)
|
||||
@@ -312,12 +362,11 @@
|
||||
@@ -312,12 +363,11 @@
|
||||
|
||||
fs_getattr_all_fs(httpd_t)
|
||||
fs_search_auto_mountpoints(httpd_t)
|
||||
@ -10651,7 +10674,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
domain_use_interactive_fds(httpd_t)
|
||||
|
||||
@@ -335,6 +384,10 @@
|
||||
@@ -335,6 +385,10 @@
|
||||
files_read_var_lib_symlinks(httpd_t)
|
||||
|
||||
fs_search_auto_mountpoints(httpd_sys_script_t)
|
||||
@ -10662,7 +10685,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
libs_use_ld_so(httpd_t)
|
||||
libs_use_shared_libs(httpd_t)
|
||||
@@ -351,18 +404,33 @@
|
||||
@@ -351,18 +405,33 @@
|
||||
|
||||
userdom_use_unpriv_users_fds(httpd_t)
|
||||
|
||||
@ -10700,7 +10723,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -370,20 +438,45 @@
|
||||
@@ -370,20 +439,45 @@
|
||||
corenet_tcp_connect_all_ports(httpd_t)
|
||||
')
|
||||
|
||||
@ -10747,7 +10770,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
|
||||
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
|
||||
@@ -394,11 +487,12 @@
|
||||
@@ -394,11 +488,12 @@
|
||||
corenet_tcp_bind_ftp_port(httpd_t)
|
||||
')
|
||||
|
||||
@ -10763,7 +10786,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
fs_read_nfs_files(httpd_t)
|
||||
fs_read_nfs_symlinks(httpd_t)
|
||||
')
|
||||
@@ -408,6 +502,11 @@
|
||||
@@ -408,6 +503,11 @@
|
||||
fs_read_cifs_symlinks(httpd_t)
|
||||
')
|
||||
|
||||
@ -10775,7 +10798,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
tunable_policy(`httpd_ssi_exec',`
|
||||
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
|
||||
allow httpd_sys_script_t httpd_t:fd use;
|
||||
@@ -441,8 +540,13 @@
|
||||
@@ -441,8 +541,13 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -10791,7 +10814,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -454,18 +558,13 @@
|
||||
@@ -454,18 +559,13 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -10811,7 +10834,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -475,6 +574,12 @@
|
||||
@@ -475,6 +575,12 @@
|
||||
openca_kill(httpd_t)
|
||||
')
|
||||
|
||||
@ -10824,7 +10847,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
optional_policy(`
|
||||
# Allow httpd to work with postgresql
|
||||
postgresql_stream_connect(httpd_t)
|
||||
@@ -482,6 +587,7 @@
|
||||
@@ -482,6 +588,7 @@
|
||||
|
||||
tunable_policy(`httpd_can_network_connect_db',`
|
||||
postgresql_tcp_connect(httpd_t)
|
||||
@ -10832,7 +10855,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -490,6 +596,7 @@
|
||||
@@ -490,6 +597,7 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -10840,7 +10863,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
|
||||
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
|
||||
')
|
||||
@@ -519,9 +626,28 @@
|
||||
@@ -519,9 +627,28 @@
|
||||
logging_send_syslog_msg(httpd_helper_t)
|
||||
|
||||
tunable_policy(`httpd_tty_comm',`
|
||||
@ -10869,7 +10892,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
########################################
|
||||
#
|
||||
# Apache PHP script local policy
|
||||
@@ -551,22 +677,27 @@
|
||||
@@ -551,22 +678,27 @@
|
||||
|
||||
fs_search_auto_mountpoints(httpd_php_t)
|
||||
|
||||
@ -10903,7 +10926,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -584,12 +715,14 @@
|
||||
@@ -584,12 +716,14 @@
|
||||
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
||||
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
||||
|
||||
@ -10919,7 +10942,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
kernel_read_kernel_sysctls(httpd_suexec_t)
|
||||
kernel_list_proc(httpd_suexec_t)
|
||||
kernel_read_proc_symlinks(httpd_suexec_t)
|
||||
@@ -598,9 +731,7 @@
|
||||
@@ -598,9 +732,7 @@
|
||||
|
||||
fs_search_auto_mountpoints(httpd_suexec_t)
|
||||
|
||||
@ -10930,7 +10953,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
files_read_etc_files(httpd_suexec_t)
|
||||
files_read_usr_files(httpd_suexec_t)
|
||||
@@ -633,12 +764,25 @@
|
||||
@@ -633,12 +765,25 @@
|
||||
corenet_sendrecv_all_client_packets(httpd_suexec_t)
|
||||
')
|
||||
|
||||
@ -10959,7 +10982,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
@@ -647,6 +791,12 @@
|
||||
@@ -647,6 +792,12 @@
|
||||
fs_exec_nfs_files(httpd_suexec_t)
|
||||
')
|
||||
|
||||
@ -10972,7 +10995,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||
fs_read_cifs_files(httpd_suexec_t)
|
||||
fs_read_cifs_symlinks(httpd_suexec_t)
|
||||
@@ -664,10 +814,6 @@
|
||||
@@ -664,10 +815,6 @@
|
||||
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
||||
')
|
||||
|
||||
@ -10983,7 +11006,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
########################################
|
||||
#
|
||||
# Apache system script local policy
|
||||
@@ -677,7 +823,8 @@
|
||||
@@ -677,7 +824,8 @@
|
||||
|
||||
dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
||||
|
||||
@ -10993,7 +11016,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
|
||||
read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
||||
@@ -691,12 +838,15 @@
|
||||
@@ -691,12 +839,15 @@
|
||||
# Should we add a boolean?
|
||||
apache_domtrans_rotatelogs(httpd_sys_script_t)
|
||||
|
||||
@ -11011,7 +11034,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
@@ -704,6 +854,30 @@
|
||||
@@ -704,6 +855,30 @@
|
||||
fs_read_nfs_symlinks(httpd_sys_script_t)
|
||||
')
|
||||
|
||||
@ -11042,7 +11065,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||
fs_read_cifs_files(httpd_sys_script_t)
|
||||
fs_read_cifs_symlinks(httpd_sys_script_t)
|
||||
@@ -716,10 +890,10 @@
|
||||
@@ -716,10 +891,10 @@
|
||||
optional_policy(`
|
||||
mysql_stream_connect(httpd_sys_script_t)
|
||||
mysql_rw_db_sockets(httpd_sys_script_t)
|
||||
@ -11057,7 +11080,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -727,6 +901,8 @@
|
||||
@@ -727,6 +902,8 @@
|
||||
# httpd_rotatelogs local policy
|
||||
#
|
||||
|
||||
@ -11066,7 +11089,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
|
||||
|
||||
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
|
||||
@@ -741,3 +917,56 @@
|
||||
@@ -741,3 +918,56 @@
|
||||
logging_search_logs(httpd_rotatelogs_t)
|
||||
|
||||
miscfiles_read_localization(httpd_rotatelogs_t)
|
||||
@ -14677,7 +14700,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.5.13/policy/modules/services/dovecot.te
|
||||
--- nsaserefpolicy/policy/modules/services/dovecot.te 2008-10-16 17:21:16.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/dovecot.te 2008-10-17 10:31:27.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/dovecot.te 2008-10-20 13:04:49.000000000 -0400
|
||||
@@ -15,12 +15,21 @@
|
||||
domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
|
||||
role system_r types dovecot_auth_t;
|
||||
@ -14754,7 +14777,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
-allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
|
||||
+allow dovecot_auth_t dovecot_t:unix_stream_socket rw_socket_perms;
|
||||
+allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
|
||||
|
||||
allow dovecot_auth_t dovecot_passwd_t:file read_file_perms;
|
||||
|
||||
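Review bot: The new rule `allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };` grants far more than the upstream line it replaces, `{ getattr accept read write ioctl }`: rw_stream_socket_perms expands to rw_socket_perms plus listen and accept, so dovecot_auth_t also gains bind, connect, setattr, setopt, shutdown and listen on sockets owned by dovecot_t. The intermediate form `rw_socket_perms` had dropped accept and never carried connectto, which is presumably the breakage this commit fixes; the narrowest repair is the original set plus connectto, `allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl connectto };`. If the denials behind this change genuinely needed the wider set, a one-line comment above the rule naming the operation would let the next reader distinguish a deliberate grant from accidental breadth.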
@ -20387,9 +20410,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
type roundup_var_run_t;
|
||||
files_pid_file(roundup_var_run_t)
|
||||
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.fc serefpolicy-3.5.13/policy/modules/services/rpc.fc
|
||||
--- nsaserefpolicy/policy/modules/services/rpc.fc 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/rpc.fc 2008-10-20 14:39:31.000000000 -0400
|
||||
@@ -13,6 +13,7 @@
|
||||
# /usr
|
||||
#
|
||||
/usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0)
|
||||
+/usr/sbin/rpc\.rquotad -- gen_context(system_u:object_r:rpcd_exec_t,s0)
|
||||
/usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
|
||||
/usr/sbin/rpc\.mountd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
|
||||
/usr/sbin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.5.13/policy/modules/services/rpc.if
|
||||
--- nsaserefpolicy/policy/modules/services/rpc.if 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/rpc.if 2008-10-17 10:31:27.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/rpc.if 2008-10-20 14:35:39.000000000 -0400
|
||||
@@ -88,8 +88,11 @@
|
||||
# bind to arbitary unused ports
|
||||
corenet_tcp_bind_generic_port($1_t)
|
||||
@ -20428,6 +20462,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Read NFS exported content.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -338,3 +359,22 @@
|
||||
files_search_var_lib($1)
|
||||
read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
|
||||
')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Manage NFS state data in /var/lib/nfs.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`rpc_manage_nfs_state_data',`
|
||||
+ gen_require(`
|
||||
+ type var_lib_nfs_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_var_lib($1)
|
||||
+ manage_files_pattern($1,var_lib_nfs_t,var_lib_nfs_t)
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.5.13/policy/modules/services/rpc.te
|
||||
--- nsaserefpolicy/policy/modules/services/rpc.te 2008-10-16 17:21:16.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/rpc.te 2008-10-17 10:31:27.000000000 -0400
|
||||
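Review bot: The new rpc_manage_nfs_state_data interface writes `manage_files_pattern($1,var_lib_nfs_t,var_lib_nfs_t)` without the spaces after commas that the neighbouring `read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)` in rpc_read_nfs_state_data uses; `manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)` keeps the file consistent. manage_files_pattern grants create, unlink, rename and write on every file under /var/lib/nfs, which the summary describes accurately, but its caller visible in this diff, `rpc_manage_nfs_state_data(initrc_t)` in init.te, sits under a comment that still only mentions creating /etc/exports, so a short comment there naming which NFS state files the init script rewrites would justify the broader grant. The interface leaves directories at search only via files_search_var_lib, so a script that creates subdirectories under /var/lib/nfs would still be denied; worth confirming against the denials this was meant to resolve.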
@ -26256,7 +26313,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.5.13/policy/modules/system/init.te
|
||||
--- nsaserefpolicy/policy/modules/system/init.te 2008-10-14 11:58:09.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/system/init.te 2008-10-17 10:31:27.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/system/init.te 2008-10-20 14:36:54.000000000 -0400
|
||||
@@ -17,6 +17,20 @@
|
||||
## </desc>
|
||||
gen_tunable(init_upstart,false)
|
||||
@ -26368,6 +26425,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dev_delete_lvm_control_dev(initrc_t)
|
||||
dev_manage_generic_symlinks(initrc_t)
|
||||
dev_manage_generic_files(initrc_t)
|
||||
@@ -330,7 +359,7 @@
|
||||
domain_sigchld_all_domains(initrc_t)
|
||||
domain_read_all_domains_state(initrc_t)
|
||||
domain_getattr_all_domains(initrc_t)
|
||||
-domain_dontaudit_ptrace_all_domains(initrc_t)
|
||||
+domain_ptrace_all_domains(initrc_t)
|
||||
domain_getsession_all_domains(initrc_t)
|
||||
domain_use_interactive_fds(initrc_t)
|
||||
# for lsof which is used by alsa shutdown:
|
||||
@@ -371,6 +400,7 @@
|
||||
libs_use_shared_libs(initrc_t)
|
||||
libs_exec_lib_files(initrc_t)
|
||||
@ -26376,7 +26442,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
logging_send_syslog_msg(initrc_t)
|
||||
logging_manage_generic_logs(initrc_t)
|
||||
logging_read_all_logs(initrc_t)
|
||||
@@ -521,6 +551,31 @@
|
||||
@@ -503,6 +533,7 @@
|
||||
optional_policy(`
|
||||
#for /etc/rc.d/init.d/nfs to create /etc/exports
|
||||
rpc_write_exports(initrc_t)
|
||||
+ rpc_manage_nfs_state_data(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -521,6 +552,31 @@
|
||||
')
|
||||
')
|
||||
|
||||
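Review bot: `domain_ptrace_all_domains(initrc_t)` replaces `domain_dontaudit_ptrace_all_domains(initrc_t)`, turning a silenced denial into a real grant of ptrace over every domain on the system; from the outer hunk counts (6 old lines, 15 new) the whole inner `@@ -330,7 +359,7 @@` hunk appears to be new in this commit. ptrace lets the tracer read and modify the memory and registers of the traced process, so anything executing as initrc_t can now reach into every confined daemon, which undoes the separation the rest of the policy builds. The commit title ("Fix dovecot access") does not say which init script needs this; keeping the dontaudit line and granting ptrace only to the specific script domain that requires it, or at least putting the allow behind a tunable with a comment naming that script, would contain the effect. The other init.te hunks in this diff are not affected by this point.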
@ -26408,7 +26482,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
optional_policy(`
|
||||
amavis_search_lib(initrc_t)
|
||||
amavis_setattr_pid_files(initrc_t)
|
||||
@@ -536,6 +591,10 @@
|
||||
@@ -536,6 +592,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -26419,7 +26493,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
bind_read_config(initrc_t)
|
||||
|
||||
# for chmod in start script
|
||||
@@ -575,6 +634,10 @@
|
||||
@@ -575,6 +635,10 @@
|
||||
dbus_read_config(initrc_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -26430,7 +26504,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
networkmanager_dbus_chat(initrc_t)
|
||||
')
|
||||
')
|
||||
@@ -660,12 +723,6 @@
|
||||
@@ -660,12 +724,6 @@
|
||||
mta_read_config(initrc_t)
|
||||
mta_dontaudit_read_spool_symlinks(initrc_t)
|
||||
')
|
||||
@ -26443,7 +26517,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
optional_policy(`
|
||||
ifdef(`distro_redhat',`
|
||||
@@ -726,6 +783,9 @@
|
||||
@@ -726,6 +784,9 @@
|
||||
|
||||
# why is this needed:
|
||||
rpm_manage_db(initrc_t)
|
||||
@ -26453,7 +26527,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -738,10 +798,12 @@
|
||||
@@ -738,10 +799,12 @@
|
||||
squid_manage_logs(initrc_t)
|
||||
')
|
||||
|
||||
@ -26466,7 +26540,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
optional_policy(`
|
||||
ssh_dontaudit_read_server_keys(initrc_t)
|
||||
@@ -759,6 +821,11 @@
|
||||
@@ -759,6 +822,11 @@
|
||||
uml_setattr_util_sockets(initrc_t)
|
||||
')
|
||||
|
||||
@ -26478,7 +26552,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
optional_policy(`
|
||||
unconfined_domain(initrc_t)
|
||||
|
||||
@@ -773,6 +840,10 @@
|
||||
@@ -773,6 +841,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -26489,7 +26563,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
vmware_read_system_config(initrc_t)
|
||||
vmware_append_system_config(initrc_t)
|
||||
')
|
||||
@@ -795,3 +866,11 @@
|
||||
@@ -795,3 +867,11 @@
|
||||
optional_policy(`
|
||||
zebra_read_config(initrc_t)
|
||||
')
|
||||
@ -26647,7 +26721,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.13/policy/modules/system/libraries.fc
|
||||
--- nsaserefpolicy/policy/modules/system/libraries.fc 2008-08-13 15:24:56.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2008-10-17 17:21:31.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2008-10-20 14:06:44.000000000 -0400
|
||||
@@ -60,12 +60,15 @@
|
||||
#
|
||||
# /opt
|
||||
@ -26674,16 +26748,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/opt/cxoffice/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@@ -118,6 +122,8 @@
|
||||
@@ -115,9 +119,16 @@
|
||||
|
||||
/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
+/usr/lib/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
+/usr/lib64/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
+/usr/lib64/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
+/usr/lib64/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
+
|
||||
+/usr/lib(64)?/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
+
|
||||
/usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@@ -133,6 +139,7 @@
|
||||
@@ -133,6 +144,7 @@
|
||||
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
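Review bot: The three new `/usr/lib64/vlc/codec/...` entries duplicate the `/usr/lib/vlc/codec/...` lines above them, while the libavfilter entry added in the same hunk already uses the file's `/usr/lib(64)?/` idiom; collapsing them to `/usr/lib(64)?/vlc/codec/librealvideo_plugin\.so`, `/usr/lib(64)?/vlc/codec/libdmo_plugin\.so` and `/usr/lib(64)?/vlc/codec/librealaudio_plugin\.so` removes the duplication and keeps the two architectures from drifting apart. Which of the `+` lines are new in this commit is not fully recoverable from this rendering, though the outer counts (16 old, 24 new) are consistent with the seven new entries plus the rewritten inner hunk header. Labeling a library textrel_shlib_t permits text relocations (execmod) on it, so each entry should be the narrowest pattern that matches the offending object; the `(64)?` form does not widen that.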
@ -26691,7 +26773,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
@@ -168,7 +175,8 @@
|
||||
@@ -168,7 +180,8 @@
|
||||
# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
|
||||
# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
|
||||
/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -26701,7 +26783,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
/usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@@ -187,6 +195,7 @@
|
||||
@@ -187,6 +200,7 @@
|
||||
/usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -26709,7 +26791,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@@ -246,7 +255,7 @@
|
||||
@@ -246,7 +260,7 @@
|
||||
|
||||
# Flash plugin, Macromedia
|
||||
HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -26718,7 +26800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@@ -267,6 +276,8 @@
|
||||
@@ -267,6 +281,8 @@
|
||||
/usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
@ -26727,7 +26809,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# Java, Sun Microsystems (JPackage SRPM)
|
||||
/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@@ -291,6 +302,8 @@
|
||||
@@ -291,6 +307,8 @@
|
||||
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -26736,7 +26818,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
') dnl end distro_redhat
|
||||
|
||||
#
|
||||
@@ -310,3 +323,15 @@
|
||||
@@ -310,3 +328,15 @@
|
||||
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
|
||||
@ -27331,7 +27413,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
samba_run_smbmount($1, $2, $3)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.5.13/policy/modules/system/mount.te
|
||||
--- nsaserefpolicy/policy/modules/system/mount.te 2008-08-07 11:15:12.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/system/mount.te 2008-10-17 10:31:27.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/system/mount.te 2008-10-20 11:20:42.000000000 -0400
|
||||
@@ -18,17 +18,18 @@
|
||||
init_system_domain(mount_t,mount_exec_t)
|
||||
role system_r types mount_t;
|
||||
@ -27382,7 +27464,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dev_rw_lvm_control(mount_t)
|
||||
dev_dontaudit_getattr_all_chr_files(mount_t)
|
||||
dev_dontaudit_getattr_memory_dev(mount_t)
|
||||
@@ -62,16 +69,18 @@
|
||||
@@ -62,16 +69,19 @@
|
||||
storage_raw_write_fixed_disk(mount_t)
|
||||
storage_raw_read_removable_device(mount_t)
|
||||
storage_raw_write_removable_device(mount_t)
|
||||
@ -27400,11 +27482,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
fs_rw_tmpfs_chr_files(mount_t)
|
||||
+fs_manage_tmpfs_dirs(mount_t)
|
||||
fs_read_tmpfs_symlinks(mount_t)
|
||||
+fs_read_fusefs_files(mount_t)
|
||||
+fs_manage_nfs_dirs(mount_t)
|
||||
|
||||
term_use_all_terms(mount_t)
|
||||
|
||||
@@ -79,6 +88,7 @@
|
||||
@@ -79,6 +89,7 @@
|
||||
corecmd_exec_bin(mount_t)
|
||||
|
||||
domain_use_interactive_fds(mount_t)
|
||||
@ -27412,7 +27495,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
files_search_all(mount_t)
|
||||
files_read_etc_files(mount_t)
|
||||
@@ -100,6 +110,8 @@
|
||||
@@ -100,6 +111,8 @@
|
||||
init_use_fds(mount_t)
|
||||
init_use_script_ptys(mount_t)
|
||||
init_dontaudit_getattr_initctl(mount_t)
|
||||
@ -27421,7 +27504,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
auth_use_nsswitch(mount_t)
|
||||
|
||||
@@ -119,6 +131,8 @@
|
||||
@@ -119,6 +132,8 @@
|
||||
seutil_read_config(mount_t)
|
||||
|
||||
userdom_use_all_users_fds(mount_t)
|
||||
@ -27430,7 +27513,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
optional_policy(`
|
||||
@@ -167,6 +181,8 @@
|
||||
@@ -167,6 +182,8 @@
|
||||
fs_search_rpc(mount_t)
|
||||
|
||||
rpc_stub(mount_t)
|
||||
@ -27439,7 +27522,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -181,6 +197,11 @@
|
||||
@@ -181,6 +198,11 @@
|
||||
')
|
||||
')
|
||||
|
||||
@ -27451,7 +27534,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# for kernel package installation
|
||||
optional_policy(`
|
||||
rpm_rw_pipes(mount_t)
|
||||
@@ -188,6 +209,7 @@
|
||||
@@ -188,6 +210,7 @@
|
||||
|
||||
optional_policy(`
|
||||
samba_domtrans_smbmount(mount_t)
|
||||
@ -27459,7 +27542,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -198,4 +220,26 @@
|
||||
@@ -198,4 +221,26 @@
|
||||
optional_policy(`
|
||||
files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
|
||||
unconfined_domain(unconfined_mount_t)
|
||||
@ -28624,6 +28707,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
kernel_read_xen_state(ifconfig_t)
|
||||
kernel_write_xen_state(ifconfig_t)
|
||||
xen_append_log(ifconfig_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.5.13/policy/modules/system/udev.fc
|
||||
--- nsaserefpolicy/policy/modules/system/udev.fc 2008-08-07 11:15:12.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/system/udev.fc 2008-10-20 11:58:43.000000000 -0400
|
||||
@@ -13,6 +13,7 @@
|
||||
/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
|
||||
/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
|
||||
/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
|
||||
+/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
|
||||
/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0)
|
||||
/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
|
||||
/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.5.13/policy/modules/system/udev.if
|
||||
--- nsaserefpolicy/policy/modules/system/udev.if 2008-08-07 11:15:12.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/system/udev.if 2008-10-17 10:31:27.000000000 -0400
|
||||
@ -28730,8 +28824,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.5.13/policy/modules/system/unconfined.fc
|
||||
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2008-09-11 16:42:49.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/system/unconfined.fc 2008-10-17 10:31:27.000000000 -0400
|
||||
@@ -2,15 +2,27 @@
|
||||
+++ serefpolicy-3.5.13/policy/modules/system/unconfined.fc 2008-10-20 09:52:45.000000000 -0400
|
||||
@@ -2,15 +2,28 @@
|
||||
# e.g.:
|
||||
# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
|
||||
# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
|
||||
@ -28766,6 +28860,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/usr/bin/runhaskell -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
|
||||
+/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
|
||||
+/usr/libexec/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
|
||||
+/usr/lib(64)?/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
|
||||
+
|
||||
+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.5.13/policy/modules/system/unconfined.if
|
||||
@ -32313,7 +32408,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.5.13/policy/modules/system/xen.te
|
||||
--- nsaserefpolicy/policy/modules/system/xen.te 2008-10-16 17:21:16.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/system/xen.te 2008-10-17 10:31:27.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/system/xen.te 2008-10-20 09:29:14.000000000 -0400
|
||||
@@ -6,6 +6,13 @@
|
||||
# Declarations
|
||||
#
|
||||
@ -32478,7 +32573,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# var/lib files for xenstored
|
||||
manage_dirs_pattern(xenstored_t,xenstored_var_lib_t,xenstored_var_lib_t)
|
||||
manage_files_pattern(xenstored_t,xenstored_var_lib_t,xenstored_var_lib_t)
|
||||
@@ -321,6 +352,7 @@
|
||||
@@ -321,18 +352,21 @@
|
||||
|
||||
manage_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
|
||||
manage_fifo_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
|
||||
@ -32486,7 +32581,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
files_search_var_lib(xm_t)
|
||||
|
||||
allow xm_t xen_image_t:dir rw_dir_perms;
|
||||
@@ -333,6 +365,7 @@
|
||||
allow xm_t xen_image_t:file read_file_perms;
|
||||
allow xm_t xen_image_t:blk_file read_blk_file_perms;
|
||||
|
||||
-kernel_read_system_state(xm_t)
|
||||
kernel_read_kernel_sysctls(xm_t)
|
||||
+kernel_read_sysctl(xm_t)
|
||||
+kernel_read_system_state(xm_t)
|
||||
kernel_read_xen_state(xm_t)
|
||||
kernel_write_xen_state(xm_t)
|
||||
|
||||
corecmd_exec_bin(xm_t)
|
||||
@ -32494,7 +32596,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
corenet_tcp_sendrecv_generic_if(xm_t)
|
||||
corenet_tcp_sendrecv_all_nodes(xm_t)
|
||||
@@ -348,8 +381,11 @@
|
||||
@@ -348,8 +382,11 @@
|
||||
|
||||
storage_raw_read_fixed_disk(xm_t)
|
||||
|
||||
@ -32506,7 +32608,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
init_rw_script_stream_sockets(xm_t)
|
||||
init_use_fds(xm_t)
|
||||
|
||||
@@ -360,6 +396,23 @@
|
||||
@@ -360,6 +397,23 @@
|
||||
|
||||
sysnet_read_config(xm_t)
|
||||
|
||||
|
@ -20,7 +20,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.5.13
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -461,6 +461,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Oct 20 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-2
|
||||
- Fix dovecot access
|
||||
|
||||
* Fri Oct 17 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-1
|
||||
- Policy cleanup
|
||||
|
||||
|