- Fix dovecot access
parent
49f48f4a99
commit
b9e15d9766
@ -3883,8 +3883,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+typealias mozilla_tmp_t alias user_mozilla_tmp_t;
|
+typealias mozilla_tmp_t alias user_mozilla_tmp_t;
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.fc serefpolicy-3.5.13/policy/modules/apps/mplayer.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.fc serefpolicy-3.5.13/policy/modules/apps/mplayer.fc
|
||||||
--- nsaserefpolicy/policy/modules/apps/mplayer.fc 2008-08-07 11:15:03.000000000 -0400
|
--- nsaserefpolicy/policy/modules/apps/mplayer.fc 2008-08-07 11:15:03.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/apps/mplayer.fc 2008-10-17 10:31:26.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/apps/mplayer.fc 2008-10-20 14:00:46.000000000 -0400
|
||||||
@@ -1,13 +1,8 @@
|
@@ -1,13 +1,9 @@
|
||||||
#
|
#
|
||||||
-# /etc
|
-# /etc
|
||||||
-#
|
-#
|
||||||
@ -3893,6 +3893,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
-#
|
-#
|
||||||
# /usr
|
# /usr
|
||||||
#
|
#
|
||||||
|
+/usr/bin/vlc -- gen_context(system_u:object_r:mplayer_exec_t,s0)
|
||||||
/usr/bin/mplayer -- gen_context(system_u:object_r:mplayer_exec_t,s0)
|
/usr/bin/mplayer -- gen_context(system_u:object_r:mplayer_exec_t,s0)
|
||||||
/usr/bin/mencoder -- gen_context(system_u:object_r:mencoder_exec_t,s0)
|
/usr/bin/mencoder -- gen_context(system_u:object_r:mencoder_exec_t,s0)
|
||||||
/usr/bin/xine -- gen_context(system_u:object_r:mplayer_exec_t,s0)
|
/usr/bin/xine -- gen_context(system_u:object_r:mplayer_exec_t,s0)
|
||||||
@ -4070,8 +4071,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+HOME_DIR/\.config/totem(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
|
+HOME_DIR/\.config/totem(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.5.13/policy/modules/apps/nsplugin.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.5.13/policy/modules/apps/nsplugin.if
|
||||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.if 2008-10-17 16:15:42.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.if 2008-10-20 09:36:38.000000000 -0400
|
||||||
@@ -0,0 +1,295 @@
|
@@ -0,0 +1,297 @@
|
||||||
+
|
+
|
||||||
+## <summary>policy for nsplugin</summary>
|
+## <summary>policy for nsplugin</summary>
|
||||||
+
|
+
|
||||||
@ -4172,10 +4173,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+ dontaudit nsplugin_t $2:udp_socket rw_socket_perms;
|
+ dontaudit nsplugin_t $2:udp_socket rw_socket_perms;
|
||||||
+ dontaudit nsplugin_t $2:unix_stream_socket rw_socket_perms;
|
+ dontaudit nsplugin_t $2:unix_stream_socket rw_socket_perms;
|
||||||
+ dontaudit nsplugin_t $2:unix_dgram_socket rw_socket_perms;
|
+ dontaudit nsplugin_t $2:unix_dgram_socket rw_socket_perms;
|
||||||
|
+ dontaudit nsplugin_t $2:fifo_file rw_fifo_file_perms;
|
||||||
+ dontaudit nsplugin_config_t $2:tcp_socket rw_socket_perms;
|
+ dontaudit nsplugin_config_t $2:tcp_socket rw_socket_perms;
|
||||||
+ dontaudit nsplugin_config_t $2:udp_socket rw_socket_perms;
|
+ dontaudit nsplugin_config_t $2:udp_socket rw_socket_perms;
|
||||||
+ dontaudit nsplugin_config_t $2:unix_stream_socket rw_socket_perms;
|
+ dontaudit nsplugin_config_t $2:unix_stream_socket rw_socket_perms;
|
||||||
+ dontaudit nsplugin_config_t $2:unix_dgram_socket rw_socket_perms;
|
+ dontaudit nsplugin_config_t $2:unix_dgram_socket rw_socket_perms;
|
||||||
|
+ dontaudit nsplugin_config_t $2:fifo_file rw_fifo_file_perms;
|
||||||
+ allow nsplugin_t $2:unix_stream_socket connectto;
|
+ allow nsplugin_t $2:unix_stream_socket connectto;
|
||||||
+ dontaudit nsplugin_t $2:process ptrace;
|
+ dontaudit nsplugin_t $2:process ptrace;
|
||||||
+
|
+
|
||||||
@ -7417,7 +7420,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
#
|
#
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.5.13/policy/modules/kernel/filesystem.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.5.13/policy/modules/kernel/filesystem.if
|
||||||
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2008-08-14 13:08:27.000000000 -0400
|
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2008-08-14 13:08:27.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.if 2008-10-17 10:31:27.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.if 2008-10-20 11:19:32.000000000 -0400
|
||||||
@@ -535,6 +535,24 @@
|
@@ -535,6 +535,24 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -7726,7 +7729,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -3644,3 +3823,123 @@
|
@@ -3644,3 +3823,142 @@
|
||||||
relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
|
relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
|
||||||
relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
|
relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
|
||||||
')
|
')
|
||||||
@ -7813,6 +7816,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
|
+## Read, a FUSEFS filesystem.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+## <rolecap/>
|
||||||
|
+#
|
||||||
|
+interface(`fs_read_fusefs_files',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type fusefs_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ read_files_pattern($1,fusefs_t,fusefs_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
+## Read symbolic links on a FUSEFS filesystem.
|
+## Read symbolic links on a FUSEFS filesystem.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
@ -7891,7 +7913,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
#
|
#
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.5.13/policy/modules/kernel/kernel.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.5.13/policy/modules/kernel/kernel.if
|
||||||
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2008-08-07 11:15:01.000000000 -0400
|
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2008-08-07 11:15:01.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/kernel/kernel.if 2008-10-17 10:56:51.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/kernel/kernel.if 2008-10-20 14:00:25.000000000 -0400
|
||||||
@@ -1198,6 +1198,7 @@
|
@@ -1198,6 +1198,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -10477,7 +10499,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te
|
||||||
--- nsaserefpolicy/policy/modules/services/apache.te 2008-10-16 17:21:16.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/apache.te 2008-10-16 17:21:16.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-10-17 10:31:27.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-10-20 15:37:58.000000000 -0400
|
||||||
@@ -20,6 +20,8 @@
|
@@ -20,6 +20,8 @@
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
@ -10571,17 +10593,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
type httpd_lock_t;
|
type httpd_lock_t;
|
||||||
files_lock_file(httpd_lock_t)
|
files_lock_file(httpd_lock_t)
|
||||||
|
|
||||||
@@ -180,6 +220,9 @@
|
@@ -180,6 +220,10 @@
|
||||||
|
|
||||||
# setup the system domain for system CGI scripts
|
# setup the system domain for system CGI scripts
|
||||||
apache_content_template(sys)
|
apache_content_template(sys)
|
||||||
|
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
|
||||||
+typeattribute httpd_sys_content_t httpdcontent, httpd_ro_content; # customizable
|
+typeattribute httpd_sys_content_t httpdcontent, httpd_ro_content; # customizable
|
||||||
+typeattribute httpd_sys_content_rw_t httpdcontent, httpd_rw_content; # customizable
|
+typeattribute httpd_sys_content_rw_t httpdcontent, httpd_rw_content; # customizable
|
||||||
+typeattribute httpd_sys_content_ra_t httpdcontent; # customizable
|
+typeattribute httpd_sys_content_ra_t httpdcontent; # customizable
|
||||||
|
|
||||||
type httpd_tmp_t;
|
type httpd_tmp_t;
|
||||||
files_tmp_file(httpd_tmp_t)
|
files_tmp_file(httpd_tmp_t)
|
||||||
@@ -202,12 +245,16 @@
|
@@ -202,12 +246,16 @@
|
||||||
prelink_object_file(httpd_modules_t)
|
prelink_object_file(httpd_modules_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -10599,7 +10622,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
dontaudit httpd_t self:capability { net_admin sys_tty_config };
|
dontaudit httpd_t self:capability { net_admin sys_tty_config };
|
||||||
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||||
allow httpd_t self:fd use;
|
allow httpd_t self:fd use;
|
||||||
@@ -249,6 +296,7 @@
|
@@ -249,6 +297,7 @@
|
||||||
allow httpd_t httpd_modules_t:dir list_dir_perms;
|
allow httpd_t httpd_modules_t:dir list_dir_perms;
|
||||||
mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
||||||
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
||||||
@ -10607,7 +10630,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
apache_domtrans_rotatelogs(httpd_t)
|
apache_domtrans_rotatelogs(httpd_t)
|
||||||
# Apache-httpd needs to be able to send signals to the log rotate procs.
|
# Apache-httpd needs to be able to send signals to the log rotate procs.
|
||||||
@@ -260,9 +308,9 @@
|
@@ -260,9 +309,9 @@
|
||||||
|
|
||||||
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
|
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
|
||||||
|
|
||||||
@ -10620,7 +10643,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
||||||
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
||||||
@@ -289,6 +337,7 @@
|
@@ -289,6 +338,7 @@
|
||||||
kernel_read_kernel_sysctls(httpd_t)
|
kernel_read_kernel_sysctls(httpd_t)
|
||||||
# for modules that want to access /proc/meminfo
|
# for modules that want to access /proc/meminfo
|
||||||
kernel_read_system_state(httpd_t)
|
kernel_read_system_state(httpd_t)
|
||||||
@ -10628,7 +10651,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
corenet_all_recvfrom_unlabeled(httpd_t)
|
corenet_all_recvfrom_unlabeled(httpd_t)
|
||||||
corenet_all_recvfrom_netlabel(httpd_t)
|
corenet_all_recvfrom_netlabel(httpd_t)
|
||||||
@@ -299,6 +348,7 @@
|
@@ -299,6 +349,7 @@
|
||||||
corenet_tcp_sendrecv_all_ports(httpd_t)
|
corenet_tcp_sendrecv_all_ports(httpd_t)
|
||||||
corenet_udp_sendrecv_all_ports(httpd_t)
|
corenet_udp_sendrecv_all_ports(httpd_t)
|
||||||
corenet_tcp_bind_all_nodes(httpd_t)
|
corenet_tcp_bind_all_nodes(httpd_t)
|
||||||
@ -10636,7 +10659,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
corenet_tcp_bind_http_port(httpd_t)
|
corenet_tcp_bind_http_port(httpd_t)
|
||||||
corenet_tcp_bind_http_cache_port(httpd_t)
|
corenet_tcp_bind_http_cache_port(httpd_t)
|
||||||
corenet_sendrecv_http_server_packets(httpd_t)
|
corenet_sendrecv_http_server_packets(httpd_t)
|
||||||
@@ -312,12 +362,11 @@
|
@@ -312,12 +363,11 @@
|
||||||
|
|
||||||
fs_getattr_all_fs(httpd_t)
|
fs_getattr_all_fs(httpd_t)
|
||||||
fs_search_auto_mountpoints(httpd_t)
|
fs_search_auto_mountpoints(httpd_t)
|
||||||
@ -10651,7 +10674,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
domain_use_interactive_fds(httpd_t)
|
domain_use_interactive_fds(httpd_t)
|
||||||
|
|
||||||
@@ -335,6 +384,10 @@
|
@@ -335,6 +385,10 @@
|
||||||
files_read_var_lib_symlinks(httpd_t)
|
files_read_var_lib_symlinks(httpd_t)
|
||||||
|
|
||||||
fs_search_auto_mountpoints(httpd_sys_script_t)
|
fs_search_auto_mountpoints(httpd_sys_script_t)
|
||||||
@ -10662,7 +10685,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
libs_use_ld_so(httpd_t)
|
libs_use_ld_so(httpd_t)
|
||||||
libs_use_shared_libs(httpd_t)
|
libs_use_shared_libs(httpd_t)
|
||||||
@@ -351,18 +404,33 @@
|
@@ -351,18 +405,33 @@
|
||||||
|
|
||||||
userdom_use_unpriv_users_fds(httpd_t)
|
userdom_use_unpriv_users_fds(httpd_t)
|
||||||
|
|
||||||
@ -10700,7 +10723,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -370,20 +438,45 @@
|
@@ -370,20 +439,45 @@
|
||||||
corenet_tcp_connect_all_ports(httpd_t)
|
corenet_tcp_connect_all_ports(httpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -10747,7 +10770,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
|
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
|
||||||
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
|
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
|
||||||
@@ -394,11 +487,12 @@
|
@@ -394,11 +488,12 @@
|
||||||
corenet_tcp_bind_ftp_port(httpd_t)
|
corenet_tcp_bind_ftp_port(httpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -10763,7 +10786,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
fs_read_nfs_files(httpd_t)
|
fs_read_nfs_files(httpd_t)
|
||||||
fs_read_nfs_symlinks(httpd_t)
|
fs_read_nfs_symlinks(httpd_t)
|
||||||
')
|
')
|
||||||
@@ -408,6 +502,11 @@
|
@@ -408,6 +503,11 @@
|
||||||
fs_read_cifs_symlinks(httpd_t)
|
fs_read_cifs_symlinks(httpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -10775,7 +10798,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
tunable_policy(`httpd_ssi_exec',`
|
tunable_policy(`httpd_ssi_exec',`
|
||||||
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
|
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
|
||||||
allow httpd_sys_script_t httpd_t:fd use;
|
allow httpd_sys_script_t httpd_t:fd use;
|
||||||
@@ -441,8 +540,13 @@
|
@@ -441,8 +541,13 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -10791,7 +10814,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -454,18 +558,13 @@
|
@@ -454,18 +559,13 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -10811,7 +10834,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -475,6 +574,12 @@
|
@@ -475,6 +575,12 @@
|
||||||
openca_kill(httpd_t)
|
openca_kill(httpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -10824,7 +10847,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
# Allow httpd to work with postgresql
|
# Allow httpd to work with postgresql
|
||||||
postgresql_stream_connect(httpd_t)
|
postgresql_stream_connect(httpd_t)
|
||||||
@@ -482,6 +587,7 @@
|
@@ -482,6 +588,7 @@
|
||||||
|
|
||||||
tunable_policy(`httpd_can_network_connect_db',`
|
tunable_policy(`httpd_can_network_connect_db',`
|
||||||
postgresql_tcp_connect(httpd_t)
|
postgresql_tcp_connect(httpd_t)
|
||||||
@ -10832,7 +10855,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -490,6 +596,7 @@
|
@@ -490,6 +597,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -10840,7 +10863,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
|
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
|
||||||
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
|
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
|
||||||
')
|
')
|
||||||
@@ -519,9 +626,28 @@
|
@@ -519,9 +627,28 @@
|
||||||
logging_send_syslog_msg(httpd_helper_t)
|
logging_send_syslog_msg(httpd_helper_t)
|
||||||
|
|
||||||
tunable_policy(`httpd_tty_comm',`
|
tunable_policy(`httpd_tty_comm',`
|
||||||
@ -10869,7 +10892,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Apache PHP script local policy
|
# Apache PHP script local policy
|
||||||
@@ -551,22 +677,27 @@
|
@@ -551,22 +678,27 @@
|
||||||
|
|
||||||
fs_search_auto_mountpoints(httpd_php_t)
|
fs_search_auto_mountpoints(httpd_php_t)
|
||||||
|
|
||||||
@ -10903,7 +10926,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -584,12 +715,14 @@
|
@@ -584,12 +716,14 @@
|
||||||
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
||||||
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
||||||
|
|
||||||
@ -10919,7 +10942,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
kernel_read_kernel_sysctls(httpd_suexec_t)
|
kernel_read_kernel_sysctls(httpd_suexec_t)
|
||||||
kernel_list_proc(httpd_suexec_t)
|
kernel_list_proc(httpd_suexec_t)
|
||||||
kernel_read_proc_symlinks(httpd_suexec_t)
|
kernel_read_proc_symlinks(httpd_suexec_t)
|
||||||
@@ -598,9 +731,7 @@
|
@@ -598,9 +732,7 @@
|
||||||
|
|
||||||
fs_search_auto_mountpoints(httpd_suexec_t)
|
fs_search_auto_mountpoints(httpd_suexec_t)
|
||||||
|
|
||||||
@ -10930,7 +10953,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
files_read_etc_files(httpd_suexec_t)
|
files_read_etc_files(httpd_suexec_t)
|
||||||
files_read_usr_files(httpd_suexec_t)
|
files_read_usr_files(httpd_suexec_t)
|
||||||
@@ -633,12 +764,25 @@
|
@@ -633,12 +765,25 @@
|
||||||
corenet_sendrecv_all_client_packets(httpd_suexec_t)
|
corenet_sendrecv_all_client_packets(httpd_suexec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -10959,7 +10982,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||||
@@ -647,6 +791,12 @@
|
@@ -647,6 +792,12 @@
|
||||||
fs_exec_nfs_files(httpd_suexec_t)
|
fs_exec_nfs_files(httpd_suexec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -10972,7 +10995,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||||
fs_read_cifs_files(httpd_suexec_t)
|
fs_read_cifs_files(httpd_suexec_t)
|
||||||
fs_read_cifs_symlinks(httpd_suexec_t)
|
fs_read_cifs_symlinks(httpd_suexec_t)
|
||||||
@@ -664,10 +814,6 @@
|
@@ -664,10 +815,6 @@
|
||||||
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -10983,7 +11006,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Apache system script local policy
|
# Apache system script local policy
|
||||||
@@ -677,7 +823,8 @@
|
@@ -677,7 +824,8 @@
|
||||||
|
|
||||||
dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
||||||
|
|
||||||
@ -10993,7 +11016,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
|
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
|
||||||
read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
||||||
@@ -691,12 +838,15 @@
|
@@ -691,12 +839,15 @@
|
||||||
# Should we add a boolean?
|
# Should we add a boolean?
|
||||||
apache_domtrans_rotatelogs(httpd_sys_script_t)
|
apache_domtrans_rotatelogs(httpd_sys_script_t)
|
||||||
|
|
||||||
@ -11011,7 +11034,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||||
@@ -704,6 +854,30 @@
|
@@ -704,6 +855,30 @@
|
||||||
fs_read_nfs_symlinks(httpd_sys_script_t)
|
fs_read_nfs_symlinks(httpd_sys_script_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -11042,7 +11065,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||||
fs_read_cifs_files(httpd_sys_script_t)
|
fs_read_cifs_files(httpd_sys_script_t)
|
||||||
fs_read_cifs_symlinks(httpd_sys_script_t)
|
fs_read_cifs_symlinks(httpd_sys_script_t)
|
||||||
@@ -716,10 +890,10 @@
|
@@ -716,10 +891,10 @@
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
mysql_stream_connect(httpd_sys_script_t)
|
mysql_stream_connect(httpd_sys_script_t)
|
||||||
mysql_rw_db_sockets(httpd_sys_script_t)
|
mysql_rw_db_sockets(httpd_sys_script_t)
|
||||||
@ -11057,7 +11080,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -727,6 +901,8 @@
|
@@ -727,6 +902,8 @@
|
||||||
# httpd_rotatelogs local policy
|
# httpd_rotatelogs local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -11066,7 +11089,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
|
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
|
||||||
|
|
||||||
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
|
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
|
||||||
@@ -741,3 +917,56 @@
|
@@ -741,3 +918,56 @@
|
||||||
logging_search_logs(httpd_rotatelogs_t)
|
logging_search_logs(httpd_rotatelogs_t)
|
||||||
|
|
||||||
miscfiles_read_localization(httpd_rotatelogs_t)
|
miscfiles_read_localization(httpd_rotatelogs_t)
|
||||||
@ -14677,7 +14700,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.5.13/policy/modules/services/dovecot.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.5.13/policy/modules/services/dovecot.te
|
||||||
--- nsaserefpolicy/policy/modules/services/dovecot.te 2008-10-16 17:21:16.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/dovecot.te 2008-10-16 17:21:16.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/services/dovecot.te 2008-10-17 10:31:27.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/services/dovecot.te 2008-10-20 13:04:49.000000000 -0400
|
||||||
@@ -15,12 +15,21 @@
|
@@ -15,12 +15,21 @@
|
||||||
domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
|
domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
|
||||||
role system_r types dovecot_auth_t;
|
role system_r types dovecot_auth_t;
|
||||||
@ -14754,7 +14777,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
|
allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
|
||||||
-allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
|
-allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
|
||||||
+allow dovecot_auth_t dovecot_t:unix_stream_socket rw_socket_perms;
|
+allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
|
||||||
|
|
||||||
allow dovecot_auth_t dovecot_passwd_t:file read_file_perms;
|
allow dovecot_auth_t dovecot_passwd_t:file read_file_perms;
|
||||||
|
|
||||||
@ -20387,9 +20410,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
type roundup_var_run_t;
|
type roundup_var_run_t;
|
||||||
files_pid_file(roundup_var_run_t)
|
files_pid_file(roundup_var_run_t)
|
||||||
|
|
||||||
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.fc serefpolicy-3.5.13/policy/modules/services/rpc.fc
|
||||||
|
--- nsaserefpolicy/policy/modules/services/rpc.fc 2008-08-07 11:15:11.000000000 -0400
|
||||||
|
+++ serefpolicy-3.5.13/policy/modules/services/rpc.fc 2008-10-20 14:39:31.000000000 -0400
|
||||||
|
@@ -13,6 +13,7 @@
|
||||||
|
# /usr
|
||||||
|
#
|
||||||
|
/usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0)
|
||||||
|
+/usr/sbin/rpc\.rquotad -- gen_context(system_u:object_r:rpcd_exec_t,s0)
|
||||||
|
/usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
|
||||||
|
/usr/sbin/rpc\.mountd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
|
||||||
|
/usr/sbin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.5.13/policy/modules/services/rpc.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.5.13/policy/modules/services/rpc.if
|
||||||
--- nsaserefpolicy/policy/modules/services/rpc.if 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/rpc.if 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/services/rpc.if 2008-10-17 10:31:27.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/services/rpc.if 2008-10-20 14:35:39.000000000 -0400
|
||||||
@@ -88,8 +88,11 @@
|
@@ -88,8 +88,11 @@
|
||||||
# bind to arbitary unused ports
|
# bind to arbitary unused ports
|
||||||
corenet_tcp_bind_generic_port($1_t)
|
corenet_tcp_bind_generic_port($1_t)
|
||||||
@ -20428,6 +20462,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Read NFS exported content.
|
## Read NFS exported content.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
|
@@ -338,3 +359,22 @@
|
||||||
|
files_search_var_lib($1)
|
||||||
|
read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
|
||||||
|
')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Manage NFS state data in /var/lib/nfs.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`rpc_manage_nfs_state_data',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type var_lib_nfs_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ files_search_var_lib($1)
|
||||||
|
+ manage_files_pattern($1,var_lib_nfs_t,var_lib_nfs_t)
|
||||||
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.5.13/policy/modules/services/rpc.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.5.13/policy/modules/services/rpc.te
|
||||||
--- nsaserefpolicy/policy/modules/services/rpc.te 2008-10-16 17:21:16.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/rpc.te 2008-10-16 17:21:16.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/services/rpc.te 2008-10-17 10:31:27.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/services/rpc.te 2008-10-17 10:31:27.000000000 -0400
|
||||||
@ -26256,7 +26313,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.5.13/policy/modules/system/init.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.5.13/policy/modules/system/init.te
|
||||||
--- nsaserefpolicy/policy/modules/system/init.te 2008-10-14 11:58:09.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/init.te 2008-10-14 11:58:09.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/system/init.te 2008-10-17 10:31:27.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/system/init.te 2008-10-20 14:36:54.000000000 -0400
|
||||||
@@ -17,6 +17,20 @@
|
@@ -17,6 +17,20 @@
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(init_upstart,false)
|
gen_tunable(init_upstart,false)
|
||||||
@ -26368,6 +26425,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
dev_delete_lvm_control_dev(initrc_t)
|
dev_delete_lvm_control_dev(initrc_t)
|
||||||
dev_manage_generic_symlinks(initrc_t)
|
dev_manage_generic_symlinks(initrc_t)
|
||||||
dev_manage_generic_files(initrc_t)
|
dev_manage_generic_files(initrc_t)
|
||||||
|
@@ -330,7 +359,7 @@
|
||||||
|
domain_sigchld_all_domains(initrc_t)
|
||||||
|
domain_read_all_domains_state(initrc_t)
|
||||||
|
domain_getattr_all_domains(initrc_t)
|
||||||
|
-domain_dontaudit_ptrace_all_domains(initrc_t)
|
||||||
|
+domain_ptrace_all_domains(initrc_t)
|
||||||
|
domain_getsession_all_domains(initrc_t)
|
||||||
|
domain_use_interactive_fds(initrc_t)
|
||||||
|
# for lsof which is used by alsa shutdown:
|
||||||
@@ -371,6 +400,7 @@
|
@@ -371,6 +400,7 @@
|
||||||
libs_use_shared_libs(initrc_t)
|
libs_use_shared_libs(initrc_t)
|
||||||
libs_exec_lib_files(initrc_t)
|
libs_exec_lib_files(initrc_t)
|
||||||
@ -26376,7 +26442,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
logging_send_syslog_msg(initrc_t)
|
logging_send_syslog_msg(initrc_t)
|
||||||
logging_manage_generic_logs(initrc_t)
|
logging_manage_generic_logs(initrc_t)
|
||||||
logging_read_all_logs(initrc_t)
|
logging_read_all_logs(initrc_t)
|
||||||
@@ -521,6 +551,31 @@
|
@@ -503,6 +533,7 @@
|
||||||
|
optional_policy(`
|
||||||
|
#for /etc/rc.d/init.d/nfs to create /etc/exports
|
||||||
|
rpc_write_exports(initrc_t)
|
||||||
|
+ rpc_manage_nfs_state_data(initrc_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
@@ -521,6 +552,31 @@
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -26408,7 +26482,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
amavis_search_lib(initrc_t)
|
amavis_search_lib(initrc_t)
|
||||||
amavis_setattr_pid_files(initrc_t)
|
amavis_setattr_pid_files(initrc_t)
|
||||||
@@ -536,6 +591,10 @@
|
@@ -536,6 +592,10 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -26419,7 +26493,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
bind_read_config(initrc_t)
|
bind_read_config(initrc_t)
|
||||||
|
|
||||||
# for chmod in start script
|
# for chmod in start script
|
||||||
@@ -575,6 +634,10 @@
|
@@ -575,6 +635,10 @@
|
||||||
dbus_read_config(initrc_t)
|
dbus_read_config(initrc_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -26430,7 +26504,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
networkmanager_dbus_chat(initrc_t)
|
networkmanager_dbus_chat(initrc_t)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
@@ -660,12 +723,6 @@
|
@@ -660,12 +724,6 @@
|
||||||
mta_read_config(initrc_t)
|
mta_read_config(initrc_t)
|
||||||
mta_dontaudit_read_spool_symlinks(initrc_t)
|
mta_dontaudit_read_spool_symlinks(initrc_t)
|
||||||
')
|
')
|
||||||
@ -26443,7 +26517,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
ifdef(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
@@ -726,6 +783,9 @@
|
@@ -726,6 +784,9 @@
|
||||||
|
|
||||||
# why is this needed:
|
# why is this needed:
|
||||||
rpm_manage_db(initrc_t)
|
rpm_manage_db(initrc_t)
|
||||||
@ -26453,7 +26527,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -738,10 +798,12 @@
|
@@ -738,10 +799,12 @@
|
||||||
squid_manage_logs(initrc_t)
|
squid_manage_logs(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -26466,7 +26540,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
ssh_dontaudit_read_server_keys(initrc_t)
|
ssh_dontaudit_read_server_keys(initrc_t)
|
||||||
@@ -759,6 +821,11 @@
|
@@ -759,6 +822,11 @@
|
||||||
uml_setattr_util_sockets(initrc_t)
|
uml_setattr_util_sockets(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -26478,7 +26552,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
unconfined_domain(initrc_t)
|
unconfined_domain(initrc_t)
|
||||||
|
|
||||||
@@ -773,6 +840,10 @@
|
@@ -773,6 +841,10 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -26489,7 +26563,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
vmware_read_system_config(initrc_t)
|
vmware_read_system_config(initrc_t)
|
||||||
vmware_append_system_config(initrc_t)
|
vmware_append_system_config(initrc_t)
|
||||||
')
|
')
|
||||||
@@ -795,3 +866,11 @@
|
@@ -795,3 +867,11 @@
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
zebra_read_config(initrc_t)
|
zebra_read_config(initrc_t)
|
||||||
')
|
')
|
||||||
@ -26647,7 +26721,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
|
allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.13/policy/modules/system/libraries.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.13/policy/modules/system/libraries.fc
|
||||||
--- nsaserefpolicy/policy/modules/system/libraries.fc 2008-08-13 15:24:56.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/libraries.fc 2008-08-13 15:24:56.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2008-10-17 17:21:31.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2008-10-20 14:06:44.000000000 -0400
|
||||||
@@ -60,12 +60,15 @@
|
@@ -60,12 +60,15 @@
|
||||||
#
|
#
|
||||||
# /opt
|
# /opt
|
||||||
@ -26674,16 +26748,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
/opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/opt/cxoffice/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/opt/cxoffice/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
@@ -118,6 +122,8 @@
|
@@ -115,9 +119,16 @@
|
||||||
|
|
||||||
|
/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
|
||||||
|
+/usr/lib/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
|
||||||
|
+/usr/lib64/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
+/usr/lib64/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
+/usr/lib64/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
+
|
||||||
+/usr/lib(64)?/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
+/usr/lib(64)?/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
+
|
+
|
||||||
/usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
@@ -133,6 +139,7 @@
|
@@ -133,6 +144,7 @@
|
||||||
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
@ -26691,7 +26773,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
|
||||||
@@ -168,7 +175,8 @@
|
@@ -168,7 +180,8 @@
|
||||||
# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
|
# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
|
||||||
# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
|
# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
|
||||||
/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
@ -26701,7 +26783,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
/usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
@@ -187,6 +195,7 @@
|
@@ -187,6 +200,7 @@
|
||||||
/usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
@ -26709,7 +26791,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
@@ -246,7 +255,7 @@
|
@@ -246,7 +260,7 @@
|
||||||
|
|
||||||
# Flash plugin, Macromedia
|
# Flash plugin, Macromedia
|
||||||
HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
@ -26718,7 +26800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
/usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
@@ -267,6 +276,8 @@
|
@@ -267,6 +281,8 @@
|
||||||
/usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
|
||||||
@ -26727,7 +26809,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# Java, Sun Microsystems (JPackage SRPM)
|
# Java, Sun Microsystems (JPackage SRPM)
|
||||||
/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
@@ -291,6 +302,8 @@
|
@@ -291,6 +307,8 @@
|
||||||
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
@ -26736,7 +26818,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
') dnl end distro_redhat
|
') dnl end distro_redhat
|
||||||
|
|
||||||
#
|
#
|
||||||
@@ -310,3 +323,15 @@
|
@@ -310,3 +328,15 @@
|
||||||
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||||
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||||
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
|
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
|
||||||
@ -27331,7 +27413,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
samba_run_smbmount($1, $2, $3)
|
samba_run_smbmount($1, $2, $3)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.5.13/policy/modules/system/mount.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.5.13/policy/modules/system/mount.te
|
||||||
--- nsaserefpolicy/policy/modules/system/mount.te 2008-08-07 11:15:12.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/mount.te 2008-08-07 11:15:12.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/system/mount.te 2008-10-17 10:31:27.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/system/mount.te 2008-10-20 11:20:42.000000000 -0400
|
||||||
@@ -18,17 +18,18 @@
|
@@ -18,17 +18,18 @@
|
||||||
init_system_domain(mount_t,mount_exec_t)
|
init_system_domain(mount_t,mount_exec_t)
|
||||||
role system_r types mount_t;
|
role system_r types mount_t;
|
||||||
@ -27382,7 +27464,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
dev_rw_lvm_control(mount_t)
|
dev_rw_lvm_control(mount_t)
|
||||||
dev_dontaudit_getattr_all_chr_files(mount_t)
|
dev_dontaudit_getattr_all_chr_files(mount_t)
|
||||||
dev_dontaudit_getattr_memory_dev(mount_t)
|
dev_dontaudit_getattr_memory_dev(mount_t)
|
||||||
@@ -62,16 +69,18 @@
|
@@ -62,16 +69,19 @@
|
||||||
storage_raw_write_fixed_disk(mount_t)
|
storage_raw_write_fixed_disk(mount_t)
|
||||||
storage_raw_read_removable_device(mount_t)
|
storage_raw_read_removable_device(mount_t)
|
||||||
storage_raw_write_removable_device(mount_t)
|
storage_raw_write_removable_device(mount_t)
|
||||||
@ -27400,11 +27482,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
fs_rw_tmpfs_chr_files(mount_t)
|
fs_rw_tmpfs_chr_files(mount_t)
|
||||||
+fs_manage_tmpfs_dirs(mount_t)
|
+fs_manage_tmpfs_dirs(mount_t)
|
||||||
fs_read_tmpfs_symlinks(mount_t)
|
fs_read_tmpfs_symlinks(mount_t)
|
||||||
|
+fs_read_fusefs_files(mount_t)
|
||||||
+fs_manage_nfs_dirs(mount_t)
|
+fs_manage_nfs_dirs(mount_t)
|
||||||
|
|
||||||
term_use_all_terms(mount_t)
|
term_use_all_terms(mount_t)
|
||||||
|
|
||||||
@@ -79,6 +88,7 @@
|
@@ -79,6 +89,7 @@
|
||||||
corecmd_exec_bin(mount_t)
|
corecmd_exec_bin(mount_t)
|
||||||
|
|
||||||
domain_use_interactive_fds(mount_t)
|
domain_use_interactive_fds(mount_t)
|
||||||
@ -27412,7 +27495,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
files_search_all(mount_t)
|
files_search_all(mount_t)
|
||||||
files_read_etc_files(mount_t)
|
files_read_etc_files(mount_t)
|
||||||
@@ -100,6 +110,8 @@
|
@@ -100,6 +111,8 @@
|
||||||
init_use_fds(mount_t)
|
init_use_fds(mount_t)
|
||||||
init_use_script_ptys(mount_t)
|
init_use_script_ptys(mount_t)
|
||||||
init_dontaudit_getattr_initctl(mount_t)
|
init_dontaudit_getattr_initctl(mount_t)
|
||||||
@ -27421,7 +27504,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
auth_use_nsswitch(mount_t)
|
auth_use_nsswitch(mount_t)
|
||||||
|
|
||||||
@@ -119,6 +131,8 @@
|
@@ -119,6 +132,8 @@
|
||||||
seutil_read_config(mount_t)
|
seutil_read_config(mount_t)
|
||||||
|
|
||||||
userdom_use_all_users_fds(mount_t)
|
userdom_use_all_users_fds(mount_t)
|
||||||
@ -27430,7 +27513,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
ifdef(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -167,6 +181,8 @@
|
@@ -167,6 +182,8 @@
|
||||||
fs_search_rpc(mount_t)
|
fs_search_rpc(mount_t)
|
||||||
|
|
||||||
rpc_stub(mount_t)
|
rpc_stub(mount_t)
|
||||||
@ -27439,7 +27522,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -181,6 +197,11 @@
|
@@ -181,6 +198,11 @@
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -27451,7 +27534,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# for kernel package installation
|
# for kernel package installation
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
rpm_rw_pipes(mount_t)
|
rpm_rw_pipes(mount_t)
|
||||||
@@ -188,6 +209,7 @@
|
@@ -188,6 +210,7 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
samba_domtrans_smbmount(mount_t)
|
samba_domtrans_smbmount(mount_t)
|
||||||
@ -27459,7 +27542,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -198,4 +220,26 @@
|
@@ -198,4 +221,26 @@
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
|
files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
|
||||||
unconfined_domain(unconfined_mount_t)
|
unconfined_domain(unconfined_mount_t)
|
||||||
@ -28624,6 +28707,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
kernel_read_xen_state(ifconfig_t)
|
kernel_read_xen_state(ifconfig_t)
|
||||||
kernel_write_xen_state(ifconfig_t)
|
kernel_write_xen_state(ifconfig_t)
|
||||||
xen_append_log(ifconfig_t)
|
xen_append_log(ifconfig_t)
|
||||||
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.5.13/policy/modules/system/udev.fc
|
||||||
|
--- nsaserefpolicy/policy/modules/system/udev.fc 2008-08-07 11:15:12.000000000 -0400
|
||||||
|
+++ serefpolicy-3.5.13/policy/modules/system/udev.fc 2008-10-20 11:58:43.000000000 -0400
|
||||||
|
@@ -13,6 +13,7 @@
|
||||||
|
/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
|
||||||
|
/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
|
||||||
|
/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
|
||||||
|
+/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
|
||||||
|
/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0)
|
||||||
|
/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
|
||||||
|
/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.5.13/policy/modules/system/udev.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.5.13/policy/modules/system/udev.if
|
||||||
--- nsaserefpolicy/policy/modules/system/udev.if 2008-08-07 11:15:12.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/udev.if 2008-08-07 11:15:12.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/system/udev.if 2008-10-17 10:31:27.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/system/udev.if 2008-10-17 10:31:27.000000000 -0400
|
||||||
@ -28730,8 +28824,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.5.13/policy/modules/system/unconfined.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.5.13/policy/modules/system/unconfined.fc
|
||||||
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2008-09-11 16:42:49.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2008-09-11 16:42:49.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/system/unconfined.fc 2008-10-17 10:31:27.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/system/unconfined.fc 2008-10-20 09:52:45.000000000 -0400
|
||||||
@@ -2,15 +2,27 @@
|
@@ -2,15 +2,28 @@
|
||||||
# e.g.:
|
# e.g.:
|
||||||
# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
|
# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
|
||||||
# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
|
# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
|
||||||
@ -28766,6 +28860,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/usr/bin/runhaskell -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
|
+/usr/bin/runhaskell -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
|
||||||
+/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
|
+/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
|
||||||
+/usr/libexec/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
|
+/usr/libexec/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
|
||||||
+
|
+
|
||||||
+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
|
+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.5.13/policy/modules/system/unconfined.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.5.13/policy/modules/system/unconfined.if
|
||||||
@ -32313,7 +32408,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.5.13/policy/modules/system/xen.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.5.13/policy/modules/system/xen.te
|
||||||
--- nsaserefpolicy/policy/modules/system/xen.te 2008-10-16 17:21:16.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/xen.te 2008-10-16 17:21:16.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/system/xen.te 2008-10-17 10:31:27.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/system/xen.te 2008-10-20 09:29:14.000000000 -0400
|
||||||
@@ -6,6 +6,13 @@
|
@@ -6,6 +6,13 @@
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
@ -32478,7 +32573,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# var/lib files for xenstored
|
# var/lib files for xenstored
|
||||||
manage_dirs_pattern(xenstored_t,xenstored_var_lib_t,xenstored_var_lib_t)
|
manage_dirs_pattern(xenstored_t,xenstored_var_lib_t,xenstored_var_lib_t)
|
||||||
manage_files_pattern(xenstored_t,xenstored_var_lib_t,xenstored_var_lib_t)
|
manage_files_pattern(xenstored_t,xenstored_var_lib_t,xenstored_var_lib_t)
|
||||||
@@ -321,6 +352,7 @@
|
@@ -321,18 +352,21 @@
|
||||||
|
|
||||||
manage_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
|
manage_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
|
||||||
manage_fifo_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
|
manage_fifo_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
|
||||||
@ -32486,7 +32581,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
files_search_var_lib(xm_t)
|
files_search_var_lib(xm_t)
|
||||||
|
|
||||||
allow xm_t xen_image_t:dir rw_dir_perms;
|
allow xm_t xen_image_t:dir rw_dir_perms;
|
||||||
@@ -333,6 +365,7 @@
|
allow xm_t xen_image_t:file read_file_perms;
|
||||||
|
allow xm_t xen_image_t:blk_file read_blk_file_perms;
|
||||||
|
|
||||||
|
-kernel_read_system_state(xm_t)
|
||||||
|
kernel_read_kernel_sysctls(xm_t)
|
||||||
|
+kernel_read_sysctl(xm_t)
|
||||||
|
+kernel_read_system_state(xm_t)
|
||||||
|
kernel_read_xen_state(xm_t)
|
||||||
kernel_write_xen_state(xm_t)
|
kernel_write_xen_state(xm_t)
|
||||||
|
|
||||||
corecmd_exec_bin(xm_t)
|
corecmd_exec_bin(xm_t)
|
||||||
@ -32494,7 +32596,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
corenet_tcp_sendrecv_generic_if(xm_t)
|
corenet_tcp_sendrecv_generic_if(xm_t)
|
||||||
corenet_tcp_sendrecv_all_nodes(xm_t)
|
corenet_tcp_sendrecv_all_nodes(xm_t)
|
||||||
@@ -348,8 +381,11 @@
|
@@ -348,8 +382,11 @@
|
||||||
|
|
||||||
storage_raw_read_fixed_disk(xm_t)
|
storage_raw_read_fixed_disk(xm_t)
|
||||||
|
|
||||||
@ -32506,7 +32608,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
init_rw_script_stream_sockets(xm_t)
|
init_rw_script_stream_sockets(xm_t)
|
||||||
init_use_fds(xm_t)
|
init_use_fds(xm_t)
|
||||||
|
|
||||||
@@ -360,6 +396,23 @@
|
@@ -360,6 +397,23 @@
|
||||||
|
|
||||||
sysnet_read_config(xm_t)
|
sysnet_read_config(xm_t)
|
||||||
|
|
||||||
|
@ -20,7 +20,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.5.13
|
Version: 3.5.13
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -461,6 +461,9 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Oct 20 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-2
|
||||||
|
- Fix dovecot access
|
||||||
|
|
||||||
* Fri Oct 17 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-1
|
* Fri Oct 17 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-1
|
||||||
- Policy cleanup
|
- Policy cleanup
|
||||||
|
|
||||||
|