- Add boolean to disallow unconfined_t login
This commit is contained in:
parent
574cab47f1
commit
bc2add3885
@ -2875,7 +2875,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.3/policy/modules/apps/nsplugin.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.3/policy/modules/apps/nsplugin.te
|
||||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.6.3/policy/modules/apps/nsplugin.te 2009-02-02 09:39:29.000000000 -0500
|
+++ serefpolicy-3.6.3/policy/modules/apps/nsplugin.te 2009-02-03 10:55:18.000000000 -0500
|
||||||
@@ -0,0 +1,288 @@
|
@@ -0,0 +1,288 @@
|
||||||
+
|
+
|
||||||
+policy_module(nsplugin, 1.0.0)
|
+policy_module(nsplugin, 1.0.0)
|
||||||
@ -2897,7 +2897,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+## Allow nsplugin code to connect to unreserved ports
|
+## Allow nsplugin code to connect to unreserved ports
|
||||||
+## </p>
|
+## </p>
|
||||||
+## </desc>
|
+## </desc>
|
||||||
+gen_tunable(nsplugin_can_network, True)
|
+gen_tunable(nsplugin_can_network, true)
|
||||||
+
|
+
|
||||||
+type nsplugin_exec_t;
|
+type nsplugin_exec_t;
|
||||||
+application_executable_file(nsplugin_exec_t)
|
+application_executable_file(nsplugin_exec_t)
|
||||||
@ -12453,7 +12453,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## </summary>
|
## </summary>
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.3/policy/modules/services/dnsmasq.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.3/policy/modules/services/dnsmasq.te
|
||||||
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2009-01-19 11:06:49.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2009-01-19 11:06:49.000000000 -0500
|
||||||
+++ serefpolicy-3.6.3/policy/modules/services/dnsmasq.te 2009-01-19 13:10:02.000000000 -0500
|
+++ serefpolicy-3.6.3/policy/modules/services/dnsmasq.te 2009-02-03 14:14:11.000000000 -0500
|
||||||
@@ -69,21 +69,22 @@
|
@@ -69,21 +69,22 @@
|
||||||
|
|
||||||
# allow access to dnsmasq.conf
|
# allow access to dnsmasq.conf
|
||||||
@ -12480,6 +12480,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@@ -96,4 +97,5 @@
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
virt_manage_lib_files(dnsmasq_t)
|
||||||
|
+ virt_read_pid_files(dnsmasq_t)
|
||||||
|
')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.6.3/policy/modules/services/dovecot.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.6.3/policy/modules/services/dovecot.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/dovecot.fc 2008-11-11 16:13:47.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/dovecot.fc 2008-11-11 16:13:47.000000000 -0500
|
||||||
+++ serefpolicy-3.6.3/policy/modules/services/dovecot.fc 2009-01-19 13:10:02.000000000 -0500
|
+++ serefpolicy-3.6.3/policy/modules/services/dovecot.fc 2009-01-19 13:10:02.000000000 -0500
|
||||||
@ -13022,7 +13028,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.3/policy/modules/services/ftp.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.3/policy/modules/services/ftp.te
|
||||||
--- nsaserefpolicy/policy/modules/services/ftp.te 2009-01-19 11:06:49.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/ftp.te 2009-01-19 11:06:49.000000000 -0500
|
||||||
+++ serefpolicy-3.6.3/policy/modules/services/ftp.te 2009-01-19 13:10:02.000000000 -0500
|
+++ serefpolicy-3.6.3/policy/modules/services/ftp.te 2009-02-03 11:10:55.000000000 -0500
|
||||||
|
@@ -26,7 +26,7 @@
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow ftp servers to use cifs
|
||||||
|
-## used for public file transfer services.
|
||||||
|
+## for public file transfer services.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(allow_ftpd_use_cifs, false)
|
||||||
|
@@ -34,7 +34,7 @@
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow ftp servers to use nfs
|
||||||
|
-## used for public file transfer services.
|
||||||
|
+## for public file transfer services.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(allow_ftpd_use_nfs, false)
|
||||||
@@ -160,6 +160,7 @@
|
@@ -160,6 +160,7 @@
|
||||||
|
|
||||||
fs_search_auto_mountpoints(ftpd_t)
|
fs_search_auto_mountpoints(ftpd_t)
|
||||||
@ -22512,7 +22536,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
|
+HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.3/policy/modules/services/virt.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.3/policy/modules/services/virt.if
|
||||||
--- nsaserefpolicy/policy/modules/services/virt.if 2009-01-05 15:39:43.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/virt.if 2009-01-05 15:39:43.000000000 -0500
|
||||||
+++ serefpolicy-3.6.3/policy/modules/services/virt.if 2009-01-30 09:30:42.000000000 -0500
|
+++ serefpolicy-3.6.3/policy/modules/services/virt.if 2009-02-03 14:14:04.000000000 -0500
|
||||||
@@ -293,6 +293,41 @@
|
@@ -293,6 +293,41 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -23335,7 +23359,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.3/policy/modules/services/xserver.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.3/policy/modules/services/xserver.te
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500
|
||||||
+++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-02-02 14:36:35.000000000 -0500
|
+++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-02-03 10:52:31.000000000 -0500
|
||||||
@@ -34,6 +34,13 @@
|
@@ -34,6 +34,13 @@
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
@ -23735,7 +23759,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
seutil_sigchld_newrole(xdm_t)
|
seutil_sigchld_newrole(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -550,9 +651,11 @@
|
@@ -550,8 +651,9 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -23745,11 +23769,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+ unconfined_signal(xdm_t)
|
+ unconfined_signal(xdm_t)
|
||||||
+')
|
+')
|
||||||
|
|
||||||
+optional_policy(`
|
|
||||||
ifndef(`distro_redhat',`
|
ifndef(`distro_redhat',`
|
||||||
allow xdm_t self:process { execheap execmem };
|
allow xdm_t self:process { execheap execmem };
|
||||||
|
@@ -560,7 +662,6 @@
|
||||||
|
ifdef(`distro_rhel4',`
|
||||||
|
allow xdm_t self:process { execheap execmem };
|
||||||
')
|
')
|
||||||
@@ -571,6 +674,10 @@
|
-')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
userhelper_dontaudit_search_config(xdm_t)
|
||||||
|
@@ -571,6 +672,10 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -23760,7 +23790,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
xfs_stream_connect(xdm_t)
|
xfs_stream_connect(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -587,7 +694,7 @@
|
@@ -587,7 +692,7 @@
|
||||||
# execheap needed until the X module loader is fixed.
|
# execheap needed until the X module loader is fixed.
|
||||||
# NVIDIA Needs execstack
|
# NVIDIA Needs execstack
|
||||||
|
|
||||||
@ -23769,7 +23799,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
dontaudit xserver_t self:capability chown;
|
dontaudit xserver_t self:capability chown;
|
||||||
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||||
allow xserver_t self:memprotect mmap_zero;
|
allow xserver_t self:memprotect mmap_zero;
|
||||||
@@ -602,9 +709,11 @@
|
@@ -602,9 +707,11 @@
|
||||||
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||||
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow xserver_t self:udp_socket create_socket_perms;
|
allow xserver_t self:udp_socket create_socket_perms;
|
||||||
@ -23781,7 +23811,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
|
allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
|
||||||
|
|
||||||
@@ -622,7 +731,7 @@
|
@@ -622,7 +729,7 @@
|
||||||
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
|
files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
|
||||||
|
|
||||||
@ -23790,7 +23820,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||||
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||||
@@ -635,6 +744,15 @@
|
@@ -635,6 +742,15 @@
|
||||||
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||||
files_search_var_lib(xserver_t)
|
files_search_var_lib(xserver_t)
|
||||||
|
|
||||||
@ -23806,7 +23836,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# Create files in /var/log with the xserver_log_t type.
|
# Create files in /var/log with the xserver_log_t type.
|
||||||
manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
|
manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
|
||||||
logging_log_filetrans(xserver_t, xserver_log_t,file)
|
logging_log_filetrans(xserver_t, xserver_log_t,file)
|
||||||
@@ -680,9 +798,14 @@
|
@@ -680,9 +796,14 @@
|
||||||
dev_rw_xserver_misc(xserver_t)
|
dev_rw_xserver_misc(xserver_t)
|
||||||
# read events - the synaptics touchpad driver reads raw events
|
# read events - the synaptics touchpad driver reads raw events
|
||||||
dev_rw_input_dev(xserver_t)
|
dev_rw_input_dev(xserver_t)
|
||||||
@ -23821,7 +23851,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
files_read_etc_files(xserver_t)
|
files_read_etc_files(xserver_t)
|
||||||
files_read_etc_runtime_files(xserver_t)
|
files_read_etc_runtime_files(xserver_t)
|
||||||
@@ -697,8 +820,13 @@
|
@@ -697,8 +818,13 @@
|
||||||
fs_search_nfs(xserver_t)
|
fs_search_nfs(xserver_t)
|
||||||
fs_search_auto_mountpoints(xserver_t)
|
fs_search_auto_mountpoints(xserver_t)
|
||||||
fs_search_ramfs(xserver_t)
|
fs_search_ramfs(xserver_t)
|
||||||
@ -23835,7 +23865,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
selinux_validate_context(xserver_t)
|
selinux_validate_context(xserver_t)
|
||||||
selinux_compute_access_vector(xserver_t)
|
selinux_compute_access_vector(xserver_t)
|
||||||
@@ -720,6 +848,7 @@
|
@@ -720,6 +846,7 @@
|
||||||
|
|
||||||
miscfiles_read_localization(xserver_t)
|
miscfiles_read_localization(xserver_t)
|
||||||
miscfiles_read_fonts(xserver_t)
|
miscfiles_read_fonts(xserver_t)
|
||||||
@ -23843,7 +23873,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
modutils_domtrans_insmod(xserver_t)
|
modutils_domtrans_insmod(xserver_t)
|
||||||
|
|
||||||
@@ -742,7 +871,7 @@
|
@@ -742,7 +869,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`enable_mls',`
|
ifdef(`enable_mls',`
|
||||||
@ -23852,7 +23882,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
|
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -774,6 +903,10 @@
|
@@ -774,6 +901,10 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -23863,7 +23893,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
rhgb_getpgid(xserver_t)
|
rhgb_getpgid(xserver_t)
|
||||||
rhgb_signal(xserver_t)
|
rhgb_signal(xserver_t)
|
||||||
')
|
')
|
||||||
@@ -806,7 +939,7 @@
|
@@ -806,7 +937,7 @@
|
||||||
allow xserver_t xdm_var_lib_t:file { getattr read };
|
allow xserver_t xdm_var_lib_t:file { getattr read };
|
||||||
dontaudit xserver_t xdm_var_lib_t:dir search;
|
dontaudit xserver_t xdm_var_lib_t:dir search;
|
||||||
|
|
||||||
@ -23872,7 +23902,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
# Label pid and temporary files with derived types.
|
# Label pid and temporary files with derived types.
|
||||||
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||||
@@ -827,9 +960,14 @@
|
@@ -827,9 +958,14 @@
|
||||||
# to read ROLE_home_t - examine this in more detail
|
# to read ROLE_home_t - examine this in more detail
|
||||||
# (xauth?)
|
# (xauth?)
|
||||||
userdom_read_user_home_content_files(xserver_t)
|
userdom_read_user_home_content_files(xserver_t)
|
||||||
@ -23887,7 +23917,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
tunable_policy(`use_nfs_home_dirs',`
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
fs_manage_nfs_dirs(xserver_t)
|
fs_manage_nfs_dirs(xserver_t)
|
||||||
fs_manage_nfs_files(xserver_t)
|
fs_manage_nfs_files(xserver_t)
|
||||||
@@ -844,11 +982,14 @@
|
@@ -844,11 +980,14 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_system_bus_client(xserver_t)
|
dbus_system_bus_client(xserver_t)
|
||||||
@ -23903,7 +23933,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -856,6 +997,11 @@
|
@@ -856,6 +995,11 @@
|
||||||
rhgb_rw_tmpfs_files(xserver_t)
|
rhgb_rw_tmpfs_files(xserver_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -23915,7 +23945,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Rules common to all X window domains
|
# Rules common to all X window domains
|
||||||
@@ -881,6 +1027,8 @@
|
@@ -881,6 +1025,8 @@
|
||||||
# X Server
|
# X Server
|
||||||
# can read server-owned resources
|
# can read server-owned resources
|
||||||
allow x_domain xserver_t:x_resource read;
|
allow x_domain xserver_t:x_resource read;
|
||||||
@ -23924,7 +23954,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# can mess with own clients
|
# can mess with own clients
|
||||||
allow x_domain self:x_client { manage destroy };
|
allow x_domain self:x_client { manage destroy };
|
||||||
|
|
||||||
@@ -905,6 +1053,8 @@
|
@@ -905,6 +1051,8 @@
|
||||||
# operations allowed on my windows
|
# operations allowed on my windows
|
||||||
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
||||||
|
|
||||||
@ -23933,7 +23963,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# X Colormaps
|
# X Colormaps
|
||||||
# can use the default colormap
|
# can use the default colormap
|
||||||
allow x_domain rootwindow_t:x_colormap { read use add_color };
|
allow x_domain rootwindow_t:x_colormap { read use add_color };
|
||||||
@@ -972,6 +1122,37 @@
|
@@ -972,6 +1120,37 @@
|
||||||
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
|
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
|
||||||
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
|
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
|
||||||
|
|
||||||
@ -23971,7 +24001,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
tunable_policy(`allow_polyinstantiation',`
|
tunable_policy(`allow_polyinstantiation',`
|
||||||
# xdm needs access for linking .X11-unix to poly /tmp
|
# xdm needs access for linking .X11-unix to poly /tmp
|
||||||
@@ -986,3 +1167,12 @@
|
@@ -986,3 +1165,12 @@
|
||||||
#
|
#
|
||||||
allow xdm_t user_home_type:file unlink;
|
allow xdm_t user_home_type:file unlink;
|
||||||
') dnl end TODO
|
') dnl end TODO
|
||||||
@ -24810,7 +24840,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.3/policy/modules/system/init.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.3/policy/modules/system/init.te
|
||||||
--- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500
|
||||||
+++ serefpolicy-3.6.3/policy/modules/system/init.te 2009-01-28 09:55:56.000000000 -0500
|
+++ serefpolicy-3.6.3/policy/modules/system/init.te 2009-02-03 14:13:10.000000000 -0500
|
||||||
@@ -17,6 +17,20 @@
|
@@ -17,6 +17,20 @@
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(init_upstart,false)
|
gen_tunable(init_upstart,false)
|
||||||
@ -24988,7 +25018,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
+domain_dontaudit_use_interactive_fds(daemon)
|
+domain_dontaudit_use_interactive_fds(daemon)
|
||||||
+
|
+
|
||||||
+userdom_dontaudit_search_admin_dir(daemon)
|
+userdom_dontaudit_list_admin_dir(daemon)
|
||||||
+
|
+
|
||||||
+tunable_policy(`allow_daemons_use_tty',`
|
+tunable_policy(`allow_daemons_use_tty',`
|
||||||
+ term_use_unallocated_ttys(daemon)
|
+ term_use_unallocated_ttys(daemon)
|
||||||
@ -25292,7 +25322,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
|
allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.3/policy/modules/system/libraries.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.3/policy/modules/system/libraries.fc
|
||||||
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-01-05 15:39:43.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-01-05 15:39:43.000000000 -0500
|
||||||
+++ serefpolicy-3.6.3/policy/modules/system/libraries.fc 2009-01-26 13:53:03.000000000 -0500
|
+++ serefpolicy-3.6.3/policy/modules/system/libraries.fc 2009-02-03 14:11:21.000000000 -0500
|
||||||
@@ -60,12 +60,15 @@
|
@@ -60,12 +60,15 @@
|
||||||
#
|
#
|
||||||
# /opt
|
# /opt
|
||||||
@ -25322,7 +25352,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
/opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/opt/ibm/java.*/jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
|
/opt/ibm/java.*/jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
|
||||||
/opt/ibm/java.*/jre/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/opt/ibm/java.*/jre/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
@@ -115,9 +119,17 @@
|
@@ -103,6 +107,7 @@
|
||||||
|
#
|
||||||
|
/usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
/usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
+/opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
|
||||||
|
/usr/(.*/)?java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
/usr/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
|
||||||
|
@@ -115,9 +120,17 @@
|
||||||
|
|
||||||
/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
|
||||||
@ -25340,7 +25378,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
/usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
@@ -127,12 +139,14 @@
|
@@ -127,12 +140,14 @@
|
||||||
/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
@ -25355,7 +25393,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
|
||||||
@@ -168,7 +182,8 @@
|
@@ -168,7 +183,8 @@
|
||||||
# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
|
# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
|
||||||
# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
|
# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
|
||||||
/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
@ -25365,7 +25403,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
/usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
@@ -187,6 +202,7 @@
|
@@ -187,6 +203,7 @@
|
||||||
/usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
@ -25373,7 +25411,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
@@ -246,12 +262,13 @@
|
@@ -246,12 +263,13 @@
|
||||||
|
|
||||||
# Flash plugin, Macromedia
|
# Flash plugin, Macromedia
|
||||||
HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
@ -25389,7 +25427,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
# Jai, Sun Microsystems (Jpackage SPRM)
|
# Jai, Sun Microsystems (Jpackage SPRM)
|
||||||
/usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
@@ -267,6 +284,9 @@
|
@@ -267,6 +285,9 @@
|
||||||
/usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
|
||||||
@ -25399,7 +25437,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# Java, Sun Microsystems (JPackage SRPM)
|
# Java, Sun Microsystems (JPackage SRPM)
|
||||||
/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
@@ -291,6 +311,8 @@
|
@@ -291,6 +312,8 @@
|
||||||
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
@ -25408,7 +25446,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
') dnl end distro_redhat
|
') dnl end distro_redhat
|
||||||
|
|
||||||
#
|
#
|
||||||
@@ -303,6 +325,8 @@
|
@@ -303,6 +326,8 @@
|
||||||
|
|
||||||
/var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0)
|
/var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0)
|
||||||
|
|
||||||
@ -25417,7 +25455,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
ifdef(`distro_suse',`
|
ifdef(`distro_suse',`
|
||||||
/var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0)
|
/var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0)
|
||||||
')
|
')
|
||||||
@@ -310,3 +334,20 @@
|
@@ -310,3 +335,20 @@
|
||||||
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||||
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||||
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
|
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
|
||||||
@ -27721,7 +27759,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.3/policy/modules/system/unconfined.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.3/policy/modules/system/unconfined.if
|
||||||
--- nsaserefpolicy/policy/modules/system/unconfined.if 2008-11-11 16:13:48.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/unconfined.if 2008-11-11 16:13:48.000000000 -0500
|
||||||
+++ serefpolicy-3.6.3/policy/modules/system/unconfined.if 2009-02-02 14:49:54.000000000 -0500
|
+++ serefpolicy-3.6.3/policy/modules/system/unconfined.if 2009-02-03 10:47:05.000000000 -0500
|
||||||
@@ -12,14 +12,13 @@
|
@@ -12,14 +12,13 @@
|
||||||
#
|
#
|
||||||
interface(`unconfined_domain_noaudit',`
|
interface(`unconfined_domain_noaudit',`
|
||||||
@ -27784,14 +27822,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
interface(`unconfined_shell_domtrans',`
|
interface(`unconfined_shell_domtrans',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
- type unconfined_t;
|
- type unconfined_t;
|
||||||
+ type unconfined_login_domain;
|
+ attribute unconfined_login_domain;
|
||||||
')
|
')
|
||||||
-
|
-
|
||||||
- corecmd_shell_domtrans($1,unconfined_t)
|
- corecmd_shell_domtrans($1,unconfined_t)
|
||||||
- allow unconfined_t $1:fd use;
|
- allow unconfined_t $1:fd use;
|
||||||
- allow unconfined_t $1:fifo_file rw_file_perms;
|
- allow unconfined_t $1:fifo_file rw_file_perms;
|
||||||
- allow unconfined_t $1:process sigchld;
|
- allow unconfined_t $1:process sigchld;
|
||||||
+ typeattribute $1 unconfined_login_domain
|
+ typeattribute $1 unconfined_login_domain;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -27973,7 +28011,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.3/policy/modules/system/unconfined.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.3/policy/modules/system/unconfined.te
|
||||||
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-11-11 16:13:48.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-11-11 16:13:48.000000000 -0500
|
||||||
+++ serefpolicy-3.6.3/policy/modules/system/unconfined.te 2009-02-02 14:52:21.000000000 -0500
|
+++ serefpolicy-3.6.3/policy/modules/system/unconfined.te 2009-02-03 15:14:47.000000000 -0500
|
||||||
@@ -5,36 +5,86 @@
|
@@ -5,36 +5,86 @@
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
@ -28068,7 +28106,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
libs_run_ldconfig(unconfined_t, unconfined_r)
|
libs_run_ldconfig(unconfined_t, unconfined_r)
|
||||||
|
|
||||||
@@ -42,26 +92,39 @@
|
@@ -42,26 +92,46 @@
|
||||||
logging_run_auditctl(unconfined_t, unconfined_r)
|
logging_run_auditctl(unconfined_t, unconfined_r)
|
||||||
|
|
||||||
mount_run_unconfined(unconfined_t, unconfined_r)
|
mount_run_unconfined(unconfined_t, unconfined_r)
|
||||||
@ -28084,6 +28122,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
|
userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
|
||||||
|
|
||||||
|
+tunable_policy(`unconfined_login',`
|
||||||
|
+ corecmd_shell_domtrans(unconfined_login_domain,unconfined_t)
|
||||||
|
+ allow unconfined_t unconfined_login_domain:fd use;
|
||||||
|
+ allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms;
|
||||||
|
+ allow unconfined_t unconfined_login_domain:process sigchld;
|
||||||
|
+')
|
||||||
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ nsplugin_role_notrans(unconfined_r, unconfined_t)
|
+ nsplugin_role_notrans(unconfined_r, unconfined_t)
|
||||||
+ tunable_policy(`allow_unconfined_nsplugin_transition',`
|
+ tunable_policy(`allow_unconfined_nsplugin_transition',`
|
||||||
@ -28110,7 +28155,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -102,12 +165,24 @@
|
@@ -102,12 +172,24 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -28135,7 +28180,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -119,31 +194,33 @@
|
@@ -119,31 +201,33 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -28176,7 +28221,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -155,36 +232,38 @@
|
@@ -155,36 +239,38 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -28227,7 +28272,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -192,7 +271,7 @@
|
@@ -192,7 +278,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -28236,7 +28281,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -204,11 +283,12 @@
|
@@ -204,11 +290,12 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -28251,7 +28296,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -218,14 +298,68 @@
|
@@ -218,14 +305,61 @@
|
||||||
|
|
||||||
allow unconfined_execmem_t self:process { execstack execmem };
|
allow unconfined_execmem_t self:process { execstack execmem };
|
||||||
unconfined_domain_noaudit(unconfined_execmem_t)
|
unconfined_domain_noaudit(unconfined_execmem_t)
|
||||||
@ -28276,7 +28321,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ xserver_rw_shm(unconfined_execmem_t)
|
+ xserver_rw_shm(unconfined_execmem_t)
|
||||||
+')
|
')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+#
|
+#
|
||||||
@ -28295,7 +28340,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+ type mplayer_exec_t;
|
+ type mplayer_exec_t;
|
||||||
+ ')
|
+ ')
|
||||||
+ domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t)
|
+ domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t)
|
||||||
')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+tunable_policy(`allow_unconfined_nsplugin_transition',`', `
|
+tunable_policy(`allow_unconfined_nsplugin_transition',`', `
|
||||||
@ -28314,13 +28359,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||||
+
|
|
||||||
+tunable_policy(`unconfined_login',`
|
|
||||||
+ corecmd_shell_domtrans(unconfined_login_domain,unconfined_t)
|
|
||||||
+ allow unconfined_t unconfined_login_domain:fd use;
|
|
||||||
+ allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms;
|
|
||||||
+ allow unconfined_t unconfined_login_domain:process sigchld;
|
|
||||||
+')
|
|
||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.3/policy/modules/system/userdomain.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.3/policy/modules/system/userdomain.fc
|
||||||
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2008-11-11 16:13:48.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2008-11-11 16:13:48.000000000 -0500
|
||||||
|
Loading…
Reference in New Issue
Block a user