- Add rules for rtkit-daemon

This commit is contained in:
Daniel J Walsh 2009-06-30 11:46:56 +00:00
parent 7b16d569d8
commit bcc53daced
2 changed files with 62 additions and 13 deletions

View File

@ -1701,8 +1701,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0) +/var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.6.20/policy/modules/apps/gitosis.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.6.20/policy/modules/apps/gitosis.if
--- nsaserefpolicy/policy/modules/apps/gitosis.if 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/apps/gitosis.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.20/policy/modules/apps/gitosis.if 2009-06-26 14:09:22.000000000 -0400 +++ serefpolicy-3.6.20/policy/modules/apps/gitosis.if 2009-06-29 12:24:01.000000000 -0400
@@ -0,0 +1,94 @@ @@ -0,0 +1,96 @@
+## <summary>gitosis interface</summary> +## <summary>gitosis interface</summary>
+ +
+####################################### +#######################################
@ -1771,6 +1771,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ +
+ ') + ')
+ +
+ files_search_var_lib($1)
+ read_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) + read_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+ read_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) + read_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+ list_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) + list_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
@ -1793,6 +1794,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ +
+ ') + ')
+ +
+ files_search_var_lib($1)
+ manage_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) + manage_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+ manage_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) + manage_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+ manage_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) + manage_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
@ -5444,7 +5446,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.20/policy/modules/kernel/corecommands.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.20/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-06-26 13:59:17.000000000 -0400 --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-06-26 13:59:17.000000000 -0400
+++ serefpolicy-3.6.20/policy/modules/kernel/corecommands.if 2009-06-26 14:09:22.000000000 -0400 +++ serefpolicy-3.6.20/policy/modules/kernel/corecommands.if 2009-06-29 08:33:09.000000000 -0400
@@ -893,6 +893,7 @@ @@ -893,6 +893,7 @@
read_lnk_files_pattern($1, bin_t, bin_t) read_lnk_files_pattern($1, bin_t, bin_t)
@ -5791,7 +5793,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type lvm_control_t; type lvm_control_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.20/policy/modules/kernel/domain.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.20/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2009-06-12 09:08:48.000000000 -0400 --- nsaserefpolicy/policy/modules/kernel/domain.if 2009-06-12 09:08:48.000000000 -0400
+++ serefpolicy-3.6.20/policy/modules/kernel/domain.if 2009-06-26 14:09:22.000000000 -0400 +++ serefpolicy-3.6.20/policy/modules/kernel/domain.if 2009-06-29 08:19:04.000000000 -0400
@@ -44,34 +44,6 @@ @@ -44,34 +44,6 @@
interface(`domain_type',` interface(`domain_type',`
# start with basic domain # start with basic domain
@ -5827,7 +5829,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -1248,18 +1220,34 @@ @@ -791,6 +763,24 @@
########################################
## <summary>
+## Get the scheduler information of all domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`domain_getsched_all_domains',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow $1 domain:process getsched;
+')
+
+########################################
+## <summary>
## Do not audit attempts to get the
## session ID of all domains.
## </summary>
@@ -1248,18 +1238,34 @@
## </summary> ## </summary>
## </param> ## </param>
# #
@ -5865,7 +5892,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Allow specified type to receive labeled ## Allow specified type to receive labeled
## networking packets from all domains, over ## networking packets from all domains, over
## all protocols (TCP, UDP, etc) ## all protocols (TCP, UDP, etc)
@@ -1280,6 +1268,24 @@ @@ -1280,6 +1286,24 @@
######################################## ########################################
## <summary> ## <summary>
@ -13480,6 +13507,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ mta_manage_spool(dovecot_deliver_t) + mta_manage_spool(dovecot_deliver_t)
+') +')
+ +
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.6.20/policy/modules/services/fetchmail.te
--- nsaserefpolicy/policy/modules/services/fetchmail.te 2009-06-12 15:45:03.000000000 -0400
+++ serefpolicy-3.6.20/policy/modules/services/fetchmail.te 2009-06-29 08:33:22.000000000 -0400
@@ -47,6 +47,8 @@
kernel_read_proc_symlinks(fetchmail_t)
kernel_dontaudit_read_system_state(fetchmail_t)
+corecmd_exec_shell(fetchmail_t)
+
corenet_all_recvfrom_unlabeled(fetchmail_t)
corenet_all_recvfrom_netlabel(fetchmail_t)
corenet_tcp_sendrecv_generic_if(fetchmail_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.fc serefpolicy-3.6.20/policy/modules/services/fprintd.fc diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.fc serefpolicy-3.6.20/policy/modules/services/fprintd.fc
--- nsaserefpolicy/policy/modules/services/fprintd.fc 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/services/fprintd.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.20/policy/modules/services/fprintd.fc 2009-06-26 14:09:22.000000000 -0400 +++ serefpolicy-3.6.20/policy/modules/services/fprintd.fc 2009-06-26 14:09:22.000000000 -0400
@ -19453,8 +19492,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+') +')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.te serefpolicy-3.6.20/policy/modules/services/rtkit_daemon.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.te serefpolicy-3.6.20/policy/modules/services/rtkit_daemon.te
--- nsaserefpolicy/policy/modules/services/rtkit_daemon.te 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/services/rtkit_daemon.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.20/policy/modules/services/rtkit_daemon.te 2009-06-26 14:09:22.000000000 -0400 +++ serefpolicy-3.6.20/policy/modules/services/rtkit_daemon.te 2009-06-29 08:19:15.000000000 -0400
@@ -0,0 +1,33 @@ @@ -0,0 +1,36 @@
+policy_module(rtkit_daemon,1.0.0) +policy_module(rtkit_daemon,1.0.0)
+ +
+######################################## +########################################
@ -19477,6 +19516,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+allow rtkit_daemon_t self:process { setsched getcap setcap setrlimit }; +allow rtkit_daemon_t self:process { setsched getcap setcap setrlimit };
+allow rtkit_daemon_t self:capability sys_nice; +allow rtkit_daemon_t self:capability sys_nice;
+ +
+domain_getsched_all_domains(rtkit_daemon_t)
+domain_read_all_domains_state(rtkit_daemon_t)
+
+fs_rw_anon_inodefs_files(rtkit_daemon_t) +fs_rw_anon_inodefs_files(rtkit_daemon_t)
+ +
+auth_use_nsswitch(rtkit_daemon_t) +auth_use_nsswitch(rtkit_daemon_t)
@ -22020,7 +22062,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ +
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.20/policy/modules/services/ssh.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.20/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2009-06-26 13:59:19.000000000 -0400 --- nsaserefpolicy/policy/modules/services/ssh.te 2009-06-26 13:59:19.000000000 -0400
+++ serefpolicy-3.6.20/policy/modules/services/ssh.te 2009-06-26 14:09:22.000000000 -0400 +++ serefpolicy-3.6.20/policy/modules/services/ssh.te 2009-06-29 12:21:20.000000000 -0400
@@ -41,6 +41,9 @@ @@ -41,6 +41,9 @@
files_tmp_file(sshd_tmp_t) files_tmp_file(sshd_tmp_t)
files_poly_parent(sshd_tmp_t) files_poly_parent(sshd_tmp_t)
@ -22124,7 +22166,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -318,16 +314,30 @@ @@ -318,16 +314,34 @@
corenet_tcp_bind_xserver_port(sshd_t) corenet_tcp_bind_xserver_port(sshd_t)
corenet_sendrecv_xserver_server_packets(sshd_t) corenet_sendrecv_xserver_server_packets(sshd_t)
@ -22153,11 +22195,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+') +')
+ +
+optional_policy(` +optional_policy(`
+ gitosis_manage_var_lib(sshd_t)
+')
+
+optional_policy(`
+ xserver_getattr_xauth(sshd_t) + xserver_getattr_xauth(sshd_t)
') ')
optional_policy(` optional_policy(`
@@ -349,7 +359,11 @@ @@ -349,7 +363,11 @@
') ')
optional_policy(` optional_policy(`
@ -22170,7 +22216,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
unconfined_shell_domtrans(sshd_t) unconfined_shell_domtrans(sshd_t)
') ')
@@ -408,15 +422,13 @@ @@ -408,15 +426,13 @@
init_use_fds(ssh_keygen_t) init_use_fds(ssh_keygen_t)
init_use_script_ptys(ssh_keygen_t) init_use_script_ptys(ssh_keygen_t)

View File

@ -20,7 +20,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.6.20 Version: 3.6.20
Release: 1%{?dist} Release: 2%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -473,6 +473,9 @@ exit 0
%endif %endif
%changelog %changelog
* Tue Jun 30 2009 Dan Walsh <dwalsh@redhat.com> 3.6.20-2
- Add rules for rtkit-daemon
* Thu Jun 25 2009 Dan Walsh <dwalsh@redhat.com> 3.6.20-1 * Thu Jun 25 2009 Dan Walsh <dwalsh@redhat.com> 3.6.20-1
- Update to upstream - Update to upstream
- Fix nlscd_stream_connect - Fix nlscd_stream_connect