- Fix staff_t domain
This commit is contained in:
parent
73fe81bbab
commit
bc861e624e
@ -712,8 +712,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.4/policy/modules/admin/rpm.fc
|
||||
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2008-08-07 11:15:13.000000000 -0400
|
||||
+++ serefpolicy-3.6.4/policy/modules/admin/rpm.fc 2009-02-03 22:57:29.000000000 -0500
|
||||
@@ -11,7 +11,8 @@
|
||||
+++ serefpolicy-3.6.4/policy/modules/admin/rpm.fc 2009-02-05 13:41:50.000000000 -0500
|
||||
@@ -3,6 +3,7 @@
|
||||
/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
|
||||
/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
+/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
|
||||
/usr/lib(64)?/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -11,7 +12,8 @@
|
||||
|
||||
/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
@ -723,7 +731,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/usr/share/yumex/yumex -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
@@ -21,14 +22,17 @@
|
||||
@@ -21,14 +23,17 @@
|
||||
/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
@ -1706,7 +1714,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.4/policy/modules/apps/gnome.if
|
||||
--- nsaserefpolicy/policy/modules/apps/gnome.if 2008-11-11 16:13:41.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/apps/gnome.if 2009-02-03 22:57:29.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/apps/gnome.if 2009-02-05 15:12:13.000000000 -0500
|
||||
@@ -89,5 +89,154 @@
|
||||
|
||||
allow $1 gnome_home_t:dir manage_dir_perms;
|
||||
@ -6204,7 +6212,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
#
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.4/policy/modules/kernel/kernel.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-01-05 15:39:38.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/kernel/kernel.if 2009-02-03 22:57:29.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/kernel/kernel.if 2009-02-06 11:11:26.000000000 -0500
|
||||
@@ -1197,6 +1197,26 @@
|
||||
')
|
||||
|
||||
@ -6331,6 +6339,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.4/policy/modules/kernel/kernel.te
|
||||
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2009-02-03 22:50:50.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/kernel/kernel.te 2009-02-03 22:57:29.000000000 -0500
|
||||
@@ -1,5 +1,5 @@
|
||||
|
||||
-policy_module(kernel, 1.10.3)
|
||||
+policy_module(kernel, 1.10.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -63,6 +63,15 @@
|
||||
genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
|
||||
|
||||
@ -6375,6 +6390,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow kernel_t proc_t:dir list_dir_perms;
|
||||
allow kernel_t proc_t:file read_file_perms;
|
||||
allow kernel_t proc_t:lnk_file read_lnk_file_perms;
|
||||
@@ -221,10 +237,8 @@
|
||||
# connections with invalidated labels:
|
||||
allow kernel_t unlabeled_t:packet send;
|
||||
|
||||
-# Allow unlabeled network traffic
|
||||
+# Forwarded network traffic
|
||||
allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
|
||||
-corenet_in_generic_if(unlabeled_t)
|
||||
-corenet_in_generic_node(unlabeled_t)
|
||||
|
||||
corenet_all_recvfrom_unlabeled(kernel_t)
|
||||
corenet_all_recvfrom_netlabel(kernel_t)
|
||||
@@ -248,7 +262,8 @@
|
||||
|
||||
selinux_load_policy(kernel_t)
|
||||
@ -7047,16 +7074,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
-')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.4/policy/modules/roles/staff.te
|
||||
--- nsaserefpolicy/policy/modules/roles/staff.te 2008-11-11 16:13:47.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/roles/staff.te 2009-02-03 22:57:29.000000000 -0500
|
||||
@@ -8,112 +8,32 @@
|
||||
|
||||
role staff_r;
|
||||
|
||||
-userdom_unpriv_user_template(staff)
|
||||
+userdom_admin_login_user_template(staff)
|
||||
|
||||
########################################
|
||||
#
|
||||
+++ serefpolicy-3.6.4/policy/modules/roles/staff.te 2009-02-05 13:52:52.000000000 -0500
|
||||
@@ -15,156 +15,87 @@
|
||||
# Local policy
|
||||
#
|
||||
|
||||
@ -7119,112 +7138,131 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
-optional_policy(`
|
||||
- java_role(staff_r, staff_t)
|
||||
-')
|
||||
-
|
||||
-optional_policy(`
|
||||
- lockdev_role(staff_r, staff_t)
|
||||
-')
|
||||
-
|
||||
-optional_policy(`
|
||||
- lpd_role(staff_r, staff_t)
|
||||
-')
|
||||
-
|
||||
-optional_policy(`
|
||||
- mozilla_role(staff_r, staff_t)
|
||||
-')
|
||||
+kernel_read_ring_buffer(staff_t)
|
||||
+kernel_getattr_core_if(staff_t)
|
||||
+kernel_getattr_message_if(staff_t)
|
||||
+kernel_read_software_raid_state(staff_t)
|
||||
|
||||
-optional_policy(`
|
||||
- mplayer_role(staff_r, staff_t)
|
||||
- lockdev_role(staff_r, staff_t)
|
||||
-')
|
||||
+auth_domtrans_pam_console(staff_t)
|
||||
|
||||
-optional_policy(`
|
||||
- mta_role(staff_r, staff_t)
|
||||
- lpd_role(staff_r, staff_t)
|
||||
-')
|
||||
+libs_manage_shared_libs(staff_t)
|
||||
|
||||
-optional_policy(`
|
||||
- mozilla_role(staff_r, staff_t)
|
||||
-')
|
||||
+seutil_run_newrole(staff_t, staff_r)
|
||||
|
||||
optional_policy(`
|
||||
- oident_manage_user_content(staff_t)
|
||||
- oident_relabel_user_content(staff_t)
|
||||
-')
|
||||
-
|
||||
-optional_policy(`
|
||||
- pyzor_role(staff_r, staff_t)
|
||||
-')
|
||||
-
|
||||
-optional_policy(`
|
||||
- razor_role(staff_r, staff_t)
|
||||
- mplayer_role(staff_r, staff_t)
|
||||
+ sudo_role_template(staff, staff_r, staff_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- mta_role(staff_r, staff_t)
|
||||
+ auditadm_role_change(staff_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- rssh_role(staff_r, staff_t)
|
||||
- oident_manage_user_content(staff_t)
|
||||
- oident_relabel_user_content(staff_t)
|
||||
+ kerneloops_manage_tmp_files(staff_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- screen_role_template(staff, staff_r, staff_t)
|
||||
- pyzor_role(staff_r, staff_t)
|
||||
+ logadm_role_change(staff_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -121,50 +41,21 @@
|
||||
- razor_role(staff_r, staff_t)
|
||||
+ secadm_role_change(staff_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- spamassassin_role(staff_r, staff_t)
|
||||
-')
|
||||
-
|
||||
-optional_policy(`
|
||||
ssh_role_template(staff, staff_r, staff_t)
|
||||
- rssh_role(staff_r, staff_t)
|
||||
+ ssh_role_template(staff, staff_r, staff_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- su_role_template(staff, staff_r, staff_t)
|
||||
-')
|
||||
-
|
||||
-optional_policy(`
|
||||
- sudo_role_template(staff, staff_r, staff_t)
|
||||
-')
|
||||
-
|
||||
-optional_policy(`
|
||||
sysadm_role_change(staff_r)
|
||||
- userdom_dontaudit_use_user_terminals(staff_t)
|
||||
-')
|
||||
-
|
||||
-optional_policy(`
|
||||
- thunderbird_role(staff_r, staff_t)
|
||||
-')
|
||||
-
|
||||
-optional_policy(`
|
||||
- tvtime_role(staff_r, staff_t)
|
||||
-')
|
||||
-
|
||||
-optional_policy(`
|
||||
- uml_role(staff_r, staff_t)
|
||||
-')
|
||||
-
|
||||
-optional_policy(`
|
||||
- userhelper_role_template(staff, staff_r, staff_t)
|
||||
- screen_role_template(staff, staff_r, staff_t)
|
||||
+ sysadm_role_change(staff_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- vmware_role(staff_r, staff_t)
|
||||
- secadm_role_change(staff_r)
|
||||
+ usernetctl_run(staff_t, staff_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- wireshark_role(staff_r, staff_t)
|
||||
- spamassassin_role(staff_r, staff_t)
|
||||
+ unconfined_role_change(staff_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- xserver_role(staff_r, staff_t)
|
||||
- ssh_role_template(staff, staff_r, staff_t)
|
||||
+ webadm_role_change(staff_r)
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- su_role_template(staff, staff_r, staff_t)
|
||||
-')
|
||||
+domain_read_all_domains_state(staff_t)
|
||||
+domain_getattr_all_domains(staff_t)
|
||||
+domain_obj_id_change_exemption(staff_t)
|
||||
|
||||
-optional_policy(`
|
||||
- sudo_role_template(staff, staff_r, staff_t)
|
||||
-')
|
||||
+files_read_kernel_modules(staff_t)
|
||||
|
||||
-optional_policy(`
|
||||
- sysadm_role_change(staff_r)
|
||||
- userdom_dontaudit_use_user_terminals(staff_t)
|
||||
-')
|
||||
+kernel_read_fs_sysctls(staff_t)
|
||||
|
||||
-optional_policy(`
|
||||
- thunderbird_role(staff_r, staff_t)
|
||||
-')
|
||||
+modutils_read_module_config(staff_t)
|
||||
+modutils_read_module_deps(staff_t)
|
||||
|
||||
-optional_policy(`
|
||||
- tvtime_role(staff_r, staff_t)
|
||||
-')
|
||||
+miscfiles_read_hwdata(staff_t)
|
||||
|
||||
optional_policy(`
|
||||
- uml_role(staff_r, staff_t)
|
||||
+ gnomeclock_dbus_chat(staff_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- userhelper_role_template(staff, staff_r, staff_t)
|
||||
+ kerneloops_dbus_chat(staff_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- vmware_role(staff_r, staff_t)
|
||||
+ rpm_dbus_chat(staff_usertype)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- wireshark_role(staff_r, staff_t)
|
||||
+ setroubleshoot_stream_connect(staff_t)
|
||||
+ setroubleshoot_dbus_chat(staff_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- xserver_role(staff_r, staff_t)
|
||||
+ virt_stream_connect(staff_t)
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.6.4/policy/modules/roles/sysadm.if
|
||||
--- nsaserefpolicy/policy/modules/roles/sysadm.if 2009-01-19 11:07:34.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/roles/sysadm.if 2009-02-03 22:57:29.000000000 -0500
|
||||
@ -7561,7 +7599,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.4/policy/modules/roles/unprivuser.te
|
||||
--- nsaserefpolicy/policy/modules/roles/unprivuser.te 2008-11-11 16:13:47.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/roles/unprivuser.te 2009-02-03 22:57:29.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/roles/unprivuser.te 2009-02-05 10:45:18.000000000 -0500
|
||||
@@ -14,142 +14,13 @@
|
||||
userdom_unpriv_user_template(user)
|
||||
|
||||
@ -12263,8 +12301,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.4/policy/modules/services/devicekit.te
|
||||
--- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/devicekit.te 2009-02-04 08:40:38.000000000 -0500
|
||||
@@ -0,0 +1,125 @@
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/devicekit.te 2009-02-06 11:17:45.000000000 -0500
|
||||
@@ -0,0 +1,131 @@
|
||||
+policy_module(devicekit,1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -12309,6 +12347,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ dbus_system_bus_client(devicekit_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ udev_read_db(devicekit_t)
|
||||
+')
|
||||
+
|
||||
+#
|
||||
+# DeviceKit-Power local policy
|
||||
+#
|
||||
@ -12324,7 +12366,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+domain_read_all_domains_state(devicekit_power_t)
|
||||
+
|
||||
+kernel_read_system_state(devicekit_power_t)
|
||||
+kernel_rw_kernel_sysctl(devicekit_power_t)
|
||||
+kernel_rw_hotplug_sysctls(devicekit_power_t)
|
||||
+kernel_write_proc_files(devicekit_power_t)
|
||||
+
|
||||
+dev_rw_generic_usb_dev(devicekit_power_t)
|
||||
+dev_rw_netcontrol(devicekit_power_t)
|
||||
@ -12419,6 +12463,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## All of the rules required to administrate
|
||||
## an dhcp environment
|
||||
## </summary>
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.6.4/policy/modules/services/dnsmasq.fc
|
||||
--- nsaserefpolicy/policy/modules/services/dnsmasq.fc 2008-11-18 18:57:20.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/dnsmasq.fc 2009-02-06 11:38:55.000000000 -0500
|
||||
@@ -5,3 +5,4 @@
|
||||
/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
|
||||
/var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0)
|
||||
/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
|
||||
+/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.6.4/policy/modules/services/dnsmasq.if
|
||||
--- nsaserefpolicy/policy/modules/services/dnsmasq.if 2008-11-18 18:57:21.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/dnsmasq.if 2009-02-03 22:57:29.000000000 -0500
|
||||
@ -12522,7 +12574,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## </summary>
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.4/policy/modules/services/dnsmasq.te
|
||||
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/dnsmasq.te 2009-02-03 22:57:29.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/dnsmasq.te 2009-02-06 11:39:09.000000000 -0500
|
||||
@@ -69,21 +69,22 @@
|
||||
|
||||
# allow access to dnsmasq.conf
|
||||
@ -12705,7 +12757,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.4/policy/modules/services/dovecot.te
|
||||
--- nsaserefpolicy/policy/modules/services/dovecot.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/dovecot.te 2009-02-03 22:57:29.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/dovecot.te 2009-02-06 11:32:01.000000000 -0500
|
||||
@@ -15,12 +15,21 @@
|
||||
domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
|
||||
role system_r types dovecot_auth_t;
|
||||
@ -12795,12 +12847,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
-allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
|
||||
+allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
|
||||
|
||||
allow dovecot_auth_t dovecot_passwd_t:file read_file_perms;
|
||||
|
||||
-allow dovecot_auth_t dovecot_passwd_t:file read_file_perms;
|
||||
+read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
|
||||
+
|
||||
+manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
|
||||
+manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
|
||||
+files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
|
||||
+
|
||||
|
||||
# Allow dovecot to create and read SSL parameters file
|
||||
manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
|
||||
files_search_var_lib(dovecot_t)
|
||||
@ -22173,8 +22226,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.4/policy/modules/services/ssh.te
|
||||
--- nsaserefpolicy/policy/modules/services/ssh.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/ssh.te 2009-02-03 22:57:29.000000000 -0500
|
||||
@@ -75,7 +75,7 @@
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/ssh.te 2009-02-06 12:43:43.000000000 -0500
|
||||
@@ -41,6 +41,9 @@
|
||||
files_tmp_file(sshd_tmp_t)
|
||||
files_poly_parent(sshd_tmp_t)
|
||||
|
||||
+type sshd_tmpfs_t;
|
||||
+files_tmpfs_file(sshd_tmpfs_t)
|
||||
+
|
||||
ifdef(`enable_mcs',`
|
||||
init_ranged_daemon_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh)
|
||||
')
|
||||
@@ -75,7 +78,7 @@
|
||||
ubac_constrained(ssh_tmpfs_t)
|
||||
|
||||
type home_ssh_t;
|
||||
@ -22183,7 +22246,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
typealias home_ssh_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
|
||||
files_type(home_ssh_t)
|
||||
userdom_user_home_content(home_ssh_t)
|
||||
@@ -95,7 +95,7 @@
|
||||
@@ -95,7 +98,7 @@
|
||||
allow ssh_t self:sem create_sem_perms;
|
||||
allow ssh_t self:msgq create_msgq_perms;
|
||||
allow ssh_t self:msg { send receive };
|
||||
@ -22192,7 +22255,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow ssh_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
# Read the ssh key file.
|
||||
@@ -115,6 +115,7 @@
|
||||
@@ -115,6 +118,7 @@
|
||||
manage_dirs_pattern(ssh_t,home_ssh_t,home_ssh_t)
|
||||
manage_sock_files_pattern(ssh_t,home_ssh_t,home_ssh_t)
|
||||
userdom_user_home_dir_filetrans(ssh_t, home_ssh_t, { dir sock_file })
|
||||
@ -22200,7 +22263,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# Allow the ssh program to communicate with ssh-agent.
|
||||
stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
|
||||
@@ -139,6 +140,8 @@
|
||||
@@ -139,6 +143,8 @@
|
||||
corenet_tcp_sendrecv_all_ports(ssh_t)
|
||||
corenet_tcp_connect_ssh_port(ssh_t)
|
||||
corenet_sendrecv_ssh_client_packets(ssh_t)
|
||||
@ -22209,7 +22272,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
dev_read_urand(ssh_t)
|
||||
|
||||
@@ -173,6 +176,7 @@
|
||||
@@ -173,6 +179,7 @@
|
||||
userdom_use_user_terminals(ssh_t)
|
||||
# needs to read krb tgt
|
||||
userdom_read_user_tmp_files(ssh_t)
|
||||
@ -22217,7 +22280,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
tunable_policy(`allow_ssh_keysign',`
|
||||
domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
|
||||
@@ -202,6 +206,7 @@
|
||||
@@ -202,6 +209,7 @@
|
||||
# for port forwarding
|
||||
tunable_policy(`user_tcp_server',`
|
||||
corenet_tcp_bind_ssh_port(ssh_t)
|
||||
@ -22225,7 +22288,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -310,6 +315,8 @@
|
||||
@@ -310,6 +318,8 @@
|
||||
kernel_search_key(sshd_t)
|
||||
kernel_link_key(sshd_t)
|
||||
|
||||
@ -22234,18 +22297,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
term_use_all_user_ptys(sshd_t)
|
||||
term_setattr_all_user_ptys(sshd_t)
|
||||
term_relabelto_all_user_ptys(sshd_t)
|
||||
@@ -318,6 +325,10 @@
|
||||
@@ -318,6 +328,13 @@
|
||||
corenet_tcp_bind_xserver_port(sshd_t)
|
||||
corenet_sendrecv_xserver_server_packets(sshd_t)
|
||||
|
||||
+userdom_read_user_home_content_files(sshd_t)
|
||||
+userdom_read_user_home_content_symlinks(sshd_t)
|
||||
+userdom_search_admin_dir(sshd_t)
|
||||
+
|
||||
+manage_files_pattern(sshd_t, sshd_tmpfs_t, sshd_tmpfs_t)
|
||||
+fs_tmpfs_filetrans(sshd_t, sshd_tmpfs_t, file)
|
||||
+
|
||||
tunable_policy(`ssh_sysadm_login',`
|
||||
# Relabel and access ptys created by sshd
|
||||
# ioctl is necessary for logout() processing for utmp entry and for w to
|
||||
@@ -331,6 +342,14 @@
|
||||
@@ -331,6 +348,14 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -22260,7 +22326,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
daemontools_service_domain(sshd_t, sshd_exec_t)
|
||||
')
|
||||
|
||||
@@ -349,7 +368,11 @@
|
||||
@@ -349,7 +374,11 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -22273,7 +22339,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
unconfined_shell_domtrans(sshd_t)
|
||||
')
|
||||
|
||||
@@ -408,6 +431,8 @@
|
||||
@@ -408,6 +437,8 @@
|
||||
init_use_fds(ssh_keygen_t)
|
||||
init_use_script_ptys(ssh_keygen_t)
|
||||
|
||||
@ -22606,8 +22672,31 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.4/policy/modules/services/virt.if
|
||||
--- nsaserefpolicy/policy/modules/services/virt.if 2009-01-05 15:39:43.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/virt.if 2009-02-03 22:57:29.000000000 -0500
|
||||
@@ -293,6 +293,41 @@
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/virt.if 2009-02-06 11:23:27.000000000 -0500
|
||||
@@ -117,12 +117,12 @@
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
- allow $1 virt_var_run_t:file read_file_perms;
|
||||
+ read_files_pattern($1, virt_var_run_t, virt_var_run_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Manage virt pid files.
|
||||
+## Manage virt PID files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -135,6 +135,7 @@
|
||||
type virt_var_run_t;
|
||||
')
|
||||
|
||||
+ files_search_pids($1)
|
||||
manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
|
||||
')
|
||||
|
||||
@@ -293,6 +294,41 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -23458,7 +23547,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.4/policy/modules/services/xserver.te
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/xserver.te 2009-02-04 11:20:11.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/xserver.te 2009-02-05 18:20:04.000000000 -0500
|
||||
@@ -34,6 +34,13 @@
|
||||
|
||||
## <desc>
|
||||
@ -23810,7 +23899,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
|
||||
userdom_create_all_users_keys(xdm_t)
|
||||
@@ -504,10 +569,12 @@
|
||||
@@ -472,6 +537,7 @@
|
||||
# Search /proc for any user domain processes.
|
||||
userdom_read_all_users_state(xdm_t)
|
||||
userdom_signal_all_users(xdm_t)
|
||||
+userdom_write_user_tmp_files(xdm_t)
|
||||
|
||||
xserver_rw_session(xdm_t,xdm_tmpfs_t)
|
||||
xserver_unconfined(xdm_t)
|
||||
@@ -504,10 +570,12 @@
|
||||
|
||||
optional_policy(`
|
||||
alsa_domtrans(xdm_t)
|
||||
@ -23823,7 +23920,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -515,12 +582,41 @@
|
||||
@@ -515,12 +583,41 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -23865,7 +23962,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
hostname_exec(xdm_t)
|
||||
')
|
||||
|
||||
@@ -542,6 +638,19 @@
|
||||
@@ -542,6 +639,19 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -23885,7 +23982,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
seutil_sigchld_newrole(xdm_t)
|
||||
')
|
||||
|
||||
@@ -550,8 +659,9 @@
|
||||
@@ -550,8 +660,9 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -23897,7 +23994,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
ifndef(`distro_redhat',`
|
||||
allow xdm_t self:process { execheap execmem };
|
||||
@@ -560,7 +670,6 @@
|
||||
@@ -560,7 +671,6 @@
|
||||
ifdef(`distro_rhel4',`
|
||||
allow xdm_t self:process { execheap execmem };
|
||||
')
|
||||
@ -23905,7 +24002,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
optional_policy(`
|
||||
userhelper_dontaudit_search_config(xdm_t)
|
||||
@@ -571,6 +680,10 @@
|
||||
@@ -571,6 +681,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -23916,7 +24013,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
xfs_stream_connect(xdm_t)
|
||||
')
|
||||
|
||||
@@ -587,7 +700,7 @@
|
||||
@@ -587,7 +701,7 @@
|
||||
# execheap needed until the X module loader is fixed.
|
||||
# NVIDIA Needs execstack
|
||||
|
||||
@ -23925,7 +24022,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dontaudit xserver_t self:capability chown;
|
||||
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow xserver_t self:memprotect mmap_zero;
|
||||
@@ -602,9 +715,11 @@
|
||||
@@ -602,9 +716,11 @@
|
||||
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
||||
allow xserver_t self:udp_socket create_socket_perms;
|
||||
@ -23937,7 +24034,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
|
||||
|
||||
@@ -622,7 +737,7 @@
|
||||
@@ -622,7 +738,7 @@
|
||||
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||
files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
|
||||
|
||||
@ -23946,7 +24043,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||
@@ -635,9 +750,19 @@
|
||||
@@ -635,9 +751,19 @@
|
||||
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||
files_search_var_lib(xserver_t)
|
||||
|
||||
@ -23966,7 +24063,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
kernel_read_system_state(xserver_t)
|
||||
kernel_read_device_sysctls(xserver_t)
|
||||
@@ -680,9 +805,14 @@
|
||||
@@ -680,9 +806,14 @@
|
||||
dev_rw_xserver_misc(xserver_t)
|
||||
# read events - the synaptics touchpad driver reads raw events
|
||||
dev_rw_input_dev(xserver_t)
|
||||
@ -23981,7 +24078,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
files_read_etc_files(xserver_t)
|
||||
files_read_etc_runtime_files(xserver_t)
|
||||
@@ -697,8 +827,13 @@
|
||||
@@ -697,8 +828,13 @@
|
||||
fs_search_nfs(xserver_t)
|
||||
fs_search_auto_mountpoints(xserver_t)
|
||||
fs_search_ramfs(xserver_t)
|
||||
@ -23995,7 +24092,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
selinux_validate_context(xserver_t)
|
||||
selinux_compute_access_vector(xserver_t)
|
||||
@@ -720,6 +855,7 @@
|
||||
@@ -720,6 +856,7 @@
|
||||
|
||||
miscfiles_read_localization(xserver_t)
|
||||
miscfiles_read_fonts(xserver_t)
|
||||
@ -24003,7 +24100,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
modutils_domtrans_insmod(xserver_t)
|
||||
|
||||
@@ -742,7 +878,7 @@
|
||||
@@ -742,7 +879,7 @@
|
||||
')
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
@ -24012,7 +24109,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
|
||||
')
|
||||
|
||||
@@ -774,6 +910,10 @@
|
||||
@@ -774,6 +911,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -24023,7 +24120,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
rhgb_getpgid(xserver_t)
|
||||
rhgb_signal(xserver_t)
|
||||
')
|
||||
@@ -806,7 +946,7 @@
|
||||
@@ -806,7 +947,7 @@
|
||||
allow xserver_t xdm_var_lib_t:file { getattr read };
|
||||
dontaudit xserver_t xdm_var_lib_t:dir search;
|
||||
|
||||
@ -24032,7 +24129,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# Label pid and temporary files with derived types.
|
||||
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||
@@ -827,9 +967,14 @@
|
||||
@@ -827,9 +968,14 @@
|
||||
# to read ROLE_home_t - examine this in more detail
|
||||
# (xauth?)
|
||||
userdom_read_user_home_content_files(xserver_t)
|
||||
@ -24047,7 +24144,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs(xserver_t)
|
||||
fs_manage_nfs_files(xserver_t)
|
||||
@@ -844,11 +989,14 @@
|
||||
@@ -844,11 +990,14 @@
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(xserver_t)
|
||||
@ -24063,7 +24160,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -856,6 +1004,11 @@
|
||||
@@ -856,6 +1005,11 @@
|
||||
rhgb_rw_tmpfs_files(xserver_t)
|
||||
')
|
||||
|
||||
@ -24075,7 +24172,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
########################################
|
||||
#
|
||||
# Rules common to all X window domains
|
||||
@@ -881,6 +1034,8 @@
|
||||
@@ -881,6 +1035,8 @@
|
||||
# X Server
|
||||
# can read server-owned resources
|
||||
allow x_domain xserver_t:x_resource read;
|
||||
@ -24084,7 +24181,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# can mess with own clients
|
||||
allow x_domain self:x_client { manage destroy };
|
||||
|
||||
@@ -905,6 +1060,8 @@
|
||||
@@ -905,6 +1061,8 @@
|
||||
# operations allowed on my windows
|
||||
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
||||
|
||||
@ -24093,7 +24190,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# X Colormaps
|
||||
# can use the default colormap
|
||||
allow x_domain rootwindow_t:x_colormap { read use add_color };
|
||||
@@ -972,17 +1129,51 @@
|
||||
@@ -972,17 +1130,51 @@
|
||||
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
|
||||
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
|
||||
|
||||
@ -28524,7 +28621,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.4/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/system/userdomain.if 2009-02-04 10:39:52.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/system/userdomain.if 2009-02-05 18:26:44.000000000 -0500
|
||||
@@ -30,8 +30,9 @@
|
||||
')
|
||||
|
||||
@ -29435,7 +29532,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
logging_dontaudit_send_audit_msgs($1_t)
|
||||
|
||||
# Need to to this just so screensaver will work. Should be moved to screensaver domain
|
||||
@@ -899,28 +953,28 @@
|
||||
@@ -899,28 +953,29 @@
|
||||
selinux_get_enforce_mode($1_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -29447,12 +29544,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
- dbus_role_template($1, $1_r, $1_t)
|
||||
- dbus_system_bus_client($1_t)
|
||||
+ apache_role($1_r, $1_usertype)
|
||||
+ ')
|
||||
+ ')
|
||||
|
||||
optional_policy(`
|
||||
- consolekit_dbus_chat($1_t)
|
||||
+ gnome_manage_config($1_usertype)
|
||||
+ gnome_manage_gconf_home_files($1_usertype)
|
||||
+ gnome_read_gconf_config($1_usertype)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -29472,7 +29570,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -931,8 +985,7 @@
|
||||
@@ -931,8 +986,7 @@
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
@ -29482,7 +29580,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## </p>
|
||||
## <p>
|
||||
## This template creates a user domain, types, and
|
||||
@@ -954,8 +1007,8 @@
|
||||
@@ -954,8 +1008,8 @@
|
||||
# Declarations
|
||||
#
|
||||
|
||||
@ -29492,7 +29590,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
userdom_common_user_template($1)
|
||||
|
||||
##############################
|
||||
@@ -964,11 +1017,12 @@
|
||||
@@ -964,11 +1018,12 @@
|
||||
#
|
||||
|
||||
# port access is audited even if dac would not have allowed it, so dontaudit it here
|
||||
@ -29507,7 +29605,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# cjp: why?
|
||||
files_read_kernel_symbol_table($1_t)
|
||||
|
||||
@@ -986,37 +1040,47 @@
|
||||
@@ -986,37 +1041,47 @@
|
||||
')
|
||||
')
|
||||
|
||||
@ -29568,7 +29666,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -1050,7 +1114,7 @@
|
||||
@@ -1050,7 +1115,7 @@
|
||||
#
|
||||
template(`userdom_admin_user_template',`
|
||||
gen_require(`
|
||||
@ -29577,7 +29675,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
##############################
|
||||
@@ -1059,8 +1123,7 @@
|
||||
@@ -1059,8 +1124,7 @@
|
||||
#
|
||||
|
||||
# Inherit rules for ordinary users.
|
||||
@ -29587,7 +29685,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
domain_obj_id_change_exemption($1_t)
|
||||
role system_r types $1_t;
|
||||
@@ -1083,7 +1146,8 @@
|
||||
@@ -1083,7 +1147,8 @@
|
||||
# Skip authentication when pam_rootok is specified.
|
||||
allow $1_t self:passwd rootok;
|
||||
|
||||
@ -29597,7 +29695,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
kernel_read_software_raid_state($1_t)
|
||||
kernel_getattr_core_if($1_t)
|
||||
@@ -1099,6 +1163,7 @@
|
||||
@@ -1099,6 +1164,7 @@
|
||||
kernel_sigstop_unlabeled($1_t)
|
||||
kernel_signull_unlabeled($1_t)
|
||||
kernel_sigchld_unlabeled($1_t)
|
||||
@ -29605,7 +29703,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
corenet_tcp_bind_generic_port($1_t)
|
||||
# allow setting up tunnels
|
||||
@@ -1106,8 +1171,6 @@
|
||||
@@ -1106,8 +1172,6 @@
|
||||
|
||||
dev_getattr_generic_blk_files($1_t)
|
||||
dev_getattr_generic_chr_files($1_t)
|
||||
@ -29614,7 +29712,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# Allow MAKEDEV to work
|
||||
dev_create_all_blk_files($1_t)
|
||||
dev_create_all_chr_files($1_t)
|
||||
@@ -1162,20 +1225,6 @@
|
||||
@@ -1162,20 +1226,6 @@
|
||||
# But presently necessary for installing the file_contexts file.
|
||||
seutil_manage_bin_policy($1_t)
|
||||
|
||||
@ -29635,7 +29733,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
optional_policy(`
|
||||
postgresql_unconfined($1_t)
|
||||
')
|
||||
@@ -1221,6 +1270,7 @@
|
||||
@@ -1221,6 +1271,7 @@
|
||||
dev_relabel_all_dev_nodes($1)
|
||||
|
||||
files_create_boot_flag($1)
|
||||
@ -29643,7 +29741,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# Necessary for managing /boot/efi
|
||||
fs_manage_dos_files($1)
|
||||
@@ -1286,11 +1336,15 @@
|
||||
@@ -1286,11 +1337,15 @@
|
||||
interface(`userdom_user_home_content',`
|
||||
gen_require(`
|
||||
type user_home_t;
|
||||
@ -29659,7 +29757,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1387,7 +1441,7 @@
|
||||
@@ -1387,7 +1442,7 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -29668,7 +29766,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1420,6 +1474,14 @@
|
||||
@@ -1420,6 +1475,14 @@
|
||||
|
||||
allow $1 user_home_dir_t:dir list_dir_perms;
|
||||
files_search_home($1)
|
||||
@ -29683,7 +29781,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1435,9 +1497,11 @@
|
||||
@@ -1435,9 +1498,11 @@
|
||||
interface(`userdom_dontaudit_list_user_home_dirs',`
|
||||
gen_require(`
|
||||
type user_home_dir_t;
|
||||
@ -29695,7 +29793,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1494,6 +1558,25 @@
|
||||
@@ -1494,6 +1559,25 @@
|
||||
allow $1 user_home_dir_t:dir relabelto;
|
||||
')
|
||||
|
||||
@ -29721,7 +29819,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
########################################
|
||||
## <summary>
|
||||
## Create directories in the home dir root with
|
||||
@@ -1547,9 +1630,9 @@
|
||||
@@ -1547,9 +1631,9 @@
|
||||
type user_home_dir_t, user_home_t;
|
||||
')
|
||||
|
||||
@ -29733,7 +29831,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1568,6 +1651,8 @@
|
||||
@@ -1568,6 +1652,8 @@
|
||||
')
|
||||
|
||||
dontaudit $1 user_home_t:dir search_dir_perms;
|
||||
@ -29742,7 +29840,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1643,6 +1728,7 @@
|
||||
@@ -1643,6 +1729,7 @@
|
||||
type user_home_dir_t, user_home_t;
|
||||
')
|
||||
|
||||
@ -29750,7 +29848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
|
||||
files_search_home($1)
|
||||
')
|
||||
@@ -1741,6 +1827,62 @@
|
||||
@@ -1741,6 +1828,62 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -29813,7 +29911,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Execute user home files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1757,14 +1899,6 @@
|
||||
@@ -1757,14 +1900,6 @@
|
||||
|
||||
files_search_home($1)
|
||||
exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
|
||||
@ -29828,7 +29926,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1787,6 +1921,46 @@
|
||||
@@ -1787,6 +1922,46 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -29875,7 +29973,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Create, read, write, and delete files
|
||||
## in a user home subdirectory.
|
||||
## </summary>
|
||||
@@ -1799,6 +1973,7 @@
|
||||
@@ -1799,6 +1974,7 @@
|
||||
interface(`userdom_manage_user_home_content_files',`
|
||||
gen_require(`
|
||||
type user_home_dir_t, user_home_t;
|
||||
@ -29883,7 +29981,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
manage_files_pattern($1, user_home_t, user_home_t)
|
||||
@@ -1921,7 +2096,7 @@
|
||||
@@ -1921,7 +2097,7 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -29892,7 +29990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## with an automatic type transition to
|
||||
## a specified private type.
|
||||
## </summary>
|
||||
@@ -1941,28 +2116,58 @@
|
||||
@@ -1941,28 +2117,58 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -29958,10 +30056,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## <summary>
|
||||
## The class of the object to be created.
|
||||
## </summary>
|
||||
@@ -2819,6 +3024,24 @@
|
||||
@@ -2814,7 +3020,43 @@
|
||||
type user_tmp_t;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
- allow $1 user_tmp_t:file write_file_perms;
|
||||
+ write_files_pattern($1, user_tmp_t, user_tmp_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Write all users files in /tmp
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`userdom_write_user_tmp_dirs',`
|
||||
+ gen_require(`
|
||||
+ type user_tmp_t;
|
||||
+ ')
|
||||
+
|
||||
+ write_files_pattern($1, user_tmp_t, user_tmp_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Delete all users files in /tmp
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
@ -29976,14 +30098,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 user_tmp_t:file delete_file_perms;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Do not audit attempts to use user ttys.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -2851,6 +3074,7 @@
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2851,6 +3093,7 @@
|
||||
')
|
||||
|
||||
read_files_pattern($1,userdomain,userdomain)
|
||||
@ -29991,7 +30109,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
kernel_search_proc($1)
|
||||
')
|
||||
|
||||
@@ -2965,6 +3189,24 @@
|
||||
@@ -2965,6 +3208,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -30016,7 +30134,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Send a dbus message to all user domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -2981,3 +3223,313 @@
|
||||
@@ -2981,3 +3242,313 @@
|
||||
|
||||
allow $1 userdomain:dbus send_msg;
|
||||
')
|
||||
|
@ -20,7 +20,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.6.4
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -444,6 +444,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Feb 5 2009 Dan Walsh <dwalsh@redhat.com> 3.6.4-4
|
||||
- Fix staff_t domain
|
||||
|
||||
* Thu Feb 5 2009 Dan Walsh <dwalsh@redhat.com> 3.6.4-3
|
||||
- Grab remainder of network_peer_controls patch
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user