- Add setrans contains from upstream
parent
4ed140a4b7
commit
bd0db4f147
@ -159,3 +159,4 @@ serefpolicy-3.6.1.tgz
|
||||
serefpolicy-3.6.2.tgz
|
||||
serefpolicy-3.6.3.tgz
|
||||
serefpolicy-3.6.4.tgz
|
||||
serefpolicy-3.6.5.tgz
|
||||
|
@ -284,8 +284,38 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man
|
||||
You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment.
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/nfs_selinux.8 serefpolicy-3.6.4/man/man8/nfs_selinux.8
|
||||
--- nsaserefpolicy/man/man8/nfs_selinux.8 2008-08-07 11:15:14.000000000 -0400
|
||||
+++ serefpolicy-3.6.4/man/man8/nfs_selinux.8 2009-02-03 22:57:28.000000000 -0500
|
||||
@@ -26,5 +26,5 @@
|
||||
+++ serefpolicy-3.6.4/man/man8/nfs_selinux.8 2009-02-09 10:19:24.000000000 -0500
|
||||
@@ -1,14 +1,12 @@
|
||||
-.TH "nfs_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "nfs Selinux Policy documentation"
|
||||
+.TH "nfs_selinux" "8" "9 Feb 2009" "dwalsh@redhat.com" "NFS SELinux Policy documentation"
|
||||
.SH "NAME"
|
||||
nfs_selinux \- Security Enhanced Linux Policy for NFS
|
||||
.SH "DESCRIPTION"
|
||||
|
||||
-Security-Enhanced Linux secures the nfs server via flexible mandatory access
|
||||
+Security Enhanced Linux secures the NFS server via flexible mandatory access
|
||||
control.
|
||||
.SH BOOLEANS
|
||||
-SELinux policy is customizable based on least access required. So by
|
||||
-default SElinux policy does not allow nfs to share files. If you want to
|
||||
-setup this machine to share nfs partitions read only, you must set the boolean nfs_export_all_ro boolean.
|
||||
+SELinux policy is customizable based on the least level of access required. By default, SELinux policy does not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on:
|
||||
|
||||
.TP
|
||||
setsebool -P nfs_export_all_ro 1
|
||||
@@ -18,7 +16,10 @@
|
||||
setsebool -P nfs_export_all_rw 1
|
||||
|
||||
.TP
|
||||
-If you want to use a remote NFS server for the home directories on this machine, you must set the use_nfs_home_dir boolean.
|
||||
+These booleans are not required when files to be shared are labeled with the public_content_t or public_content_rw_t types. NFS can share files labeled with the public_content_t or public_content_rw_t types even if the nfs_export_all_ro and nfs_export_all_rw booleans are off.
|
||||
+
|
||||
+.TP
|
||||
+If you want to use a remote NFS server for the home directories on this machine, you must set the use_nfs_home_dirs boolean:
|
||||
.TP
|
||||
setsebool -P use_nfs_home_dirs 1
|
||||
.TP
|
||||
@@ -26,5 +27,5 @@
|
||||
.SH AUTHOR
|
||||
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
|
||||
|
||||
@ -712,7 +742,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.4/policy/modules/admin/rpm.fc
|
||||
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2008-08-07 11:15:13.000000000 -0400
|
||||
+++ serefpolicy-3.6.4/policy/modules/admin/rpm.fc 2009-02-05 13:41:50.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/admin/rpm.fc 2009-02-09 15:39:27.000000000 -0500
|
||||
@@ -3,6 +3,7 @@
|
||||
/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
|
||||
@ -731,7 +761,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/usr/share/yumex/yumex -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
@@ -21,14 +23,17 @@
|
||||
@@ -21,14 +23,18 @@
|
||||
/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
@ -745,6 +775,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
|
||||
-
|
||||
-/var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0)
|
||||
+/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
|
||||
/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
|
||||
+/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0)
|
||||
+/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
|
||||
@ -8884,7 +8915,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.4/policy/modules/services/apache.te
|
||||
--- nsaserefpolicy/policy/modules/services/apache.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/apache.te 2009-02-06 16:08:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/apache.te 2009-02-09 15:59:54.000000000 -0500
|
||||
@@ -19,6 +19,8 @@
|
||||
# Declarations
|
||||
#
|
||||
@ -9105,7 +9136,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+## </desc>
|
||||
+gen_tunable(allow_httpd_mod_auth_pam, false)
|
||||
+
|
||||
+tunable_policy(`allow_httpd_mod_auth_pam',`
|
||||
tunable_policy(`allow_httpd_mod_auth_pam',`
|
||||
- auth_domtrans_chk_passwd(httpd_t)
|
||||
+ auth_domtrans_chkpwd(httpd_t)
|
||||
+')
|
||||
+
|
||||
@ -9116,8 +9148,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+## </desc>
|
||||
+gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
|
||||
+optional_policy(`
|
||||
tunable_policy(`allow_httpd_mod_auth_pam',`
|
||||
- auth_domtrans_chk_passwd(httpd_t)
|
||||
+tunable_policy(`allow_httpd_mod_auth_pam',`
|
||||
+ samba_domtrans_winbind_helper(httpd_t)
|
||||
')
|
||||
')
|
||||
@ -9211,7 +9242,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
tunable_policy(`httpd_ssi_exec',`
|
||||
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
|
||||
allow httpd_sys_script_t httpd_t:fd use;
|
||||
@@ -459,8 +575,13 @@
|
||||
@@ -451,6 +567,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ cvs_read_data(httpd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
cron_system_entry(httpd_t, httpd_exec_t)
|
||||
')
|
||||
|
||||
@@ -459,8 +579,13 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -9227,7 +9269,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -472,18 +593,13 @@
|
||||
@@ -468,22 +593,18 @@
|
||||
mailman_domtrans_cgi(httpd_t)
|
||||
# should have separate types for public and private archives
|
||||
mailman_search_data(httpd_t)
|
||||
+ mailman_read_data_files(httpd_t)
|
||||
mailman_read_archive(httpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -9247,7 +9294,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -493,6 +609,12 @@
|
||||
@@ -493,6 +614,12 @@
|
||||
openca_kill(httpd_t)
|
||||
')
|
||||
|
||||
@ -9260,7 +9307,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
optional_policy(`
|
||||
# Allow httpd to work with postgresql
|
||||
postgresql_stream_connect(httpd_t)
|
||||
@@ -500,6 +622,7 @@
|
||||
@@ -500,6 +627,7 @@
|
||||
|
||||
tunable_policy(`httpd_can_network_connect_db',`
|
||||
postgresql_tcp_connect(httpd_t)
|
||||
@ -9268,7 +9315,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -508,6 +631,7 @@
|
||||
@@ -508,6 +636,7 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -9276,7 +9323,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
|
||||
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
|
||||
')
|
||||
@@ -535,6 +659,22 @@
|
||||
@@ -535,6 +664,22 @@
|
||||
|
||||
userdom_use_user_terminals(httpd_helper_t)
|
||||
|
||||
@ -9299,7 +9346,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
########################################
|
||||
#
|
||||
# Apache PHP script local policy
|
||||
@@ -564,20 +704,25 @@
|
||||
@@ -564,20 +709,25 @@
|
||||
|
||||
fs_search_auto_mountpoints(httpd_php_t)
|
||||
|
||||
@ -9331,7 +9378,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -595,23 +740,24 @@
|
||||
@@ -595,23 +745,24 @@
|
||||
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
||||
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
||||
|
||||
@ -9360,7 +9407,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
files_read_etc_files(httpd_suexec_t)
|
||||
files_read_usr_files(httpd_suexec_t)
|
||||
@@ -624,6 +770,7 @@
|
||||
@@ -624,6 +775,7 @@
|
||||
logging_send_syslog_msg(httpd_suexec_t)
|
||||
|
||||
miscfiles_read_localization(httpd_suexec_t)
|
||||
@ -9368,7 +9415,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
tunable_policy(`httpd_can_network_connect',`
|
||||
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
|
||||
@@ -641,12 +788,19 @@
|
||||
@@ -641,12 +793,19 @@
|
||||
corenet_sendrecv_all_client_packets(httpd_suexec_t)
|
||||
')
|
||||
|
||||
@ -9391,7 +9438,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
@@ -672,15 +826,14 @@
|
||||
@@ -672,15 +831,14 @@
|
||||
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
||||
')
|
||||
|
||||
@ -9410,7 +9457,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
|
||||
|
||||
dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
||||
@@ -699,12 +852,24 @@
|
||||
@@ -699,12 +857,24 @@
|
||||
# Should we add a boolean?
|
||||
apache_domtrans_rotatelogs(httpd_sys_script_t)
|
||||
|
||||
@ -9437,7 +9484,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
@@ -712,6 +877,35 @@
|
||||
@@ -712,6 +882,35 @@
|
||||
fs_read_nfs_symlinks(httpd_sys_script_t)
|
||||
')
|
||||
|
||||
@ -9473,7 +9520,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||
fs_read_cifs_files(httpd_sys_script_t)
|
||||
fs_read_cifs_symlinks(httpd_sys_script_t)
|
||||
@@ -724,6 +918,10 @@
|
||||
@@ -724,6 +923,10 @@
|
||||
optional_policy(`
|
||||
mysql_stream_connect(httpd_sys_script_t)
|
||||
mysql_rw_db_sockets(httpd_sys_script_t)
|
||||
@ -9484,7 +9531,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -735,6 +933,8 @@
|
||||
@@ -735,6 +938,8 @@
|
||||
# httpd_rotatelogs local policy
|
||||
#
|
||||
|
||||
@ -9493,7 +9540,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
|
||||
|
||||
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
|
||||
@@ -754,6 +954,12 @@
|
||||
@@ -754,6 +959,12 @@
|
||||
|
||||
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
||||
allow httpd_user_script_t httpdcontent:file entrypoint;
|
||||
@ -9506,7 +9553,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
# allow accessing files/dirs below the users home dir
|
||||
@@ -762,3 +968,66 @@
|
||||
@@ -762,3 +973,66 @@
|
||||
userdom_search_user_home_dirs(httpd_suexec_t)
|
||||
userdom_search_user_home_dirs(httpd_user_script_t)
|
||||
')
|
||||
@ -11779,6 +11826,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
|
||||
+miscfiles_read_fonts(cups_pdf_t)
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-3.6.4/policy/modules/services/cvs.if
|
||||
--- nsaserefpolicy/policy/modules/services/cvs.if 2008-11-11 16:13:46.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/cvs.if 2009-02-09 16:00:34.000000000 -0500
|
||||
@@ -15,7 +15,9 @@
|
||||
type cvs_data_t;
|
||||
')
|
||||
|
||||
- allow $1 cvs_data_t:file { getattr read };
|
||||
+ list_dirs_pattern($1, cvs_data_t, cvs_data_t)
|
||||
+ read_files_pattern($1, cvs_data_t, cvs_data_t)
|
||||
+ read_lnk_files_pattern($1, cvs_data_t, cvs_data_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.4/policy/modules/services/cvs.te
|
||||
--- nsaserefpolicy/policy/modules/services/cvs.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/cvs.te 2009-02-03 22:57:29.000000000 -0500
|
||||
@ -13170,7 +13231,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.4/policy/modules/services/ftp.te
|
||||
--- nsaserefpolicy/policy/modules/services/ftp.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/ftp.te 2009-02-03 22:57:29.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/ftp.te 2009-02-09 09:53:23.000000000 -0500
|
||||
@@ -26,7 +26,7 @@
|
||||
## <desc>
|
||||
## <p>
|
||||
@ -13197,17 +13258,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
auth_use_nsswitch(ftpd_t)
|
||||
auth_domtrans_chk_passwd(ftpd_t)
|
||||
@@ -223,6 +224,10 @@
|
||||
@@ -222,8 +223,12 @@
|
||||
userdom_manage_user_home_content_dirs(ftpd_t)
|
||||
userdom_manage_user_home_content_files(ftpd_t)
|
||||
userdom_manage_user_home_content_symlinks(ftpd_t)
|
||||
userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file })
|
||||
- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file })
|
||||
+
|
||||
+ auth_read_all_dirs_except_shadow(ftpd_t)
|
||||
+ auth_read_all_files_except_shadow(ftpd_t)
|
||||
+ auth_read_all_symlinks_except_shadow(ftpd_t)
|
||||
')
|
||||
+userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file })
|
||||
|
||||
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
|
||||
fs_manage_nfs_files(ftpd_t)
|
||||
@@ -258,7 +263,9 @@
|
||||
')
|
||||
|
||||
@ -14054,7 +14118,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.6.4/policy/modules/services/mailman.if
|
||||
--- nsaserefpolicy/policy/modules/services/mailman.if 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/mailman.if 2009-02-03 22:57:29.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/mailman.if 2009-02-09 15:34:52.000000000 -0500
|
||||
@@ -31,6 +31,12 @@
|
||||
allow mailman_$1_t self:tcp_socket create_stream_socket_perms;
|
||||
allow mailman_$1_t self:udp_socket create_socket_perms;
|
||||
@ -14076,7 +14140,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
corecmd_exec_all_executables(mailman_$1_t)
|
||||
|
||||
@@ -209,6 +216,7 @@
|
||||
@@ -191,6 +198,7 @@
|
||||
')
|
||||
|
||||
read_files_pattern($1, mailman_data_t, mailman_data_t)
|
||||
+ read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -209,6 +217,7 @@
|
||||
type mailman_data_t;
|
||||
')
|
||||
|
||||
@ -14084,7 +14156,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
manage_files_pattern($1, mailman_data_t, mailman_data_t)
|
||||
')
|
||||
|
||||
@@ -250,6 +258,25 @@
|
||||
@@ -250,6 +259,25 @@
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
@ -18916,7 +18988,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.6.4/policy/modules/services/prelude.te
|
||||
--- nsaserefpolicy/policy/modules/services/prelude.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/prelude.te 2009-02-04 08:49:43.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/prelude.te 2009-02-09 15:50:22.000000000 -0500
|
||||
@@ -13,25 +13,57 @@
|
||||
type prelude_spool_t;
|
||||
files_type(prelude_spool_t)
|
||||
@ -18986,7 +19058,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
corecmd_search_bin(prelude_t)
|
||||
|
||||
corenet_all_recvfrom_unlabeled(prelude_t)
|
||||
@@ -56,15 +91,24 @@
|
||||
@@ -56,15 +91,25 @@
|
||||
corenet_tcp_sendrecv_generic_if(prelude_t)
|
||||
corenet_tcp_sendrecv_generic_node(prelude_t)
|
||||
corenet_tcp_bind_generic_node(prelude_t)
|
||||
@ -18997,6 +19069,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dev_read_rand(prelude_t)
|
||||
dev_read_urand(prelude_t)
|
||||
|
||||
+kernel_read_system_state(prelude_t)
|
||||
+kernel_read_sysctl(prelude_t)
|
||||
+
|
||||
# Init script handling
|
||||
@ -19011,7 +19084,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
auth_use_nsswitch(prelude_t)
|
||||
|
||||
@@ -86,7 +130,7 @@
|
||||
@@ -86,7 +131,7 @@
|
||||
#
|
||||
# prelude_audisp local policy
|
||||
#
|
||||
@ -19020,7 +19093,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow prelude_audisp_t self:fifo_file rw_file_perms;
|
||||
allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow prelude_audisp_t self:unix_dgram_socket create_socket_perms;
|
||||
@@ -107,6 +151,7 @@
|
||||
@@ -107,6 +152,7 @@
|
||||
corenet_tcp_sendrecv_generic_if(prelude_audisp_t)
|
||||
corenet_tcp_sendrecv_generic_node(prelude_audisp_t)
|
||||
corenet_tcp_bind_generic_node(prelude_audisp_t)
|
||||
@ -19028,7 +19101,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
dev_read_rand(prelude_audisp_t)
|
||||
dev_read_urand(prelude_audisp_t)
|
||||
@@ -114,12 +159,134 @@
|
||||
@@ -114,12 +160,135 @@
|
||||
# Init script handling
|
||||
domain_use_interactive_fds(prelude_audisp_t)
|
||||
|
||||
@ -19127,6 +19200,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+dev_read_rand(prelude_lml_t)
|
||||
+dev_read_urand(prelude_lml_t)
|
||||
+
|
||||
+kernel_read_system_state(prelude_lml_t)
|
||||
+kernel_read_sysctl(prelude_lml_t)
|
||||
+
|
||||
+files_list_etc(prelude_lml_t)
|
||||
@ -19163,7 +19237,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
########################################
|
||||
#
|
||||
# prewikka_cgi Declarations
|
||||
@@ -128,6 +295,20 @@
|
||||
@@ -128,6 +297,20 @@
|
||||
optional_policy(`
|
||||
apache_content_template(prewikka)
|
||||
files_read_etc_files(httpd_prewikka_script_t)
|
||||
@ -20094,7 +20168,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.4/policy/modules/services/rpc.te
|
||||
--- nsaserefpolicy/policy/modules/services/rpc.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/rpc.te 2009-02-09 09:05:45.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/rpc.te 2009-02-09 09:51:37.000000000 -0500
|
||||
@@ -23,7 +23,7 @@
|
||||
gen_tunable(allow_nfsd_anon_write, false)
|
||||
|
||||
@ -20124,10 +20198,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
tunable_policy(`nfs_export_all_rw',`
|
||||
fs_read_noxattr_fs_files(nfsd_t)
|
||||
auth_manage_all_files_except_shadow(nfsd_t)
|
||||
+ userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })
|
||||
+ dev_getattr_all_blk_files(nfsd_t)
|
||||
+ dev_getattr_all_chr_files(nfsd_t)
|
||||
')
|
||||
+userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })
|
||||
|
||||
tunable_policy(`nfs_export_all_ro',`
|
||||
fs_read_noxattr_fs_files(nfsd_t)
|
||||
@ -20172,7 +20246,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
auth_write_login_records(rshd_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.4/policy/modules/services/rsync.te
|
||||
--- nsaserefpolicy/policy/modules/services/rsync.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/rsync.te 2009-02-03 22:57:29.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/rsync.te 2009-02-09 15:32:24.000000000 -0500
|
||||
@@ -119,5 +119,9 @@
|
||||
|
||||
tunable_policy(`rsync_export_all_ro',`
|
||||
@ -20614,7 +20688,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.4/policy/modules/services/samba.te
|
||||
--- nsaserefpolicy/policy/modules/services/samba.te 2009-01-19 11:07:34.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/samba.te 2009-02-07 07:19:23.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/services/samba.te 2009-02-09 10:49:17.000000000 -0500
|
||||
@@ -66,6 +66,13 @@
|
||||
## </desc>
|
||||
gen_tunable(samba_share_nfs, false)
|
||||
@ -20825,7 +20899,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -381,8 +426,10 @@
|
||||
@@ -376,13 +421,15 @@
|
||||
tunable_policy(`samba_create_home_dirs',`
|
||||
allow smbd_t self:capability chown;
|
||||
userdom_create_user_home_dirs(smbd_t)
|
||||
- userdom_home_filetrans_user_home_dir(smbd_t)
|
||||
')
|
||||
+userdom_home_filetrans_user_home_dir(smbd_t)
|
||||
|
||||
tunable_policy(`samba_export_all_ro',`
|
||||
fs_read_noxattr_fs_files(smbd_t)
|
||||
@ -20836,6 +20916,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
auth_read_all_files_except_shadow(nmbd_t)
|
||||
')
|
||||
|
||||
@@ -391,8 +438,8 @@
|
||||
auth_manage_all_files_except_shadow(smbd_t)
|
||||
fs_read_noxattr_fs_files(nmbd_t)
|
||||
auth_manage_all_files_except_shadow(nmbd_t)
|
||||
- userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
|
||||
')
|
||||
+userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -454,6 +501,7 @@
|
||||
dev_getattr_mtrr_dev(nmbd_t)
|
||||
|
||||
@ -21004,7 +21094,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
tunable_policy(`samba_run_unconfined',`
|
||||
domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
|
||||
+', `
|
||||
+',`
|
||||
+ can_exec(smbd_t, samba_unconfined_script_exec_t)
|
||||
')
|
||||
-')
|
||||
@ -28666,7 +28756,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.4/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/system/userdomain.if 2009-02-08 17:11:31.000000000 -0500
|
||||
+++ serefpolicy-3.6.4/policy/modules/system/userdomain.if 2009-02-09 11:05:11.000000000 -0500
|
||||
@@ -30,8 +30,9 @@
|
||||
')
|
||||
|
||||
@ -29664,9 +29754,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# the same domain and outside users) disabling this forces FTP passive mode
|
||||
# and may change other protocols
|
||||
tunable_policy(`user_tcp_server',`
|
||||
corenet_tcp_bind_generic_node($1_t)
|
||||
- corenet_tcp_bind_generic_node($1_t)
|
||||
- corenet_tcp_bind_generic_port($1_t)
|
||||
+ corenet_tcp_bind_all_unreserved_ports($1_t)
|
||||
+ corenet_tcp_bind_all_nodes($1_usertype)
|
||||
+ corenet_tcp_bind_all_unreserved_ports($1_usertype)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
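Review bot: In the apache.te hunk at `@ -9116,8 +9148,7 @@`, the newly added `tunable_policy(`allow_httpd_mod_auth_pam',`` block wraps `samba_domtrans_winbind_helper(httpd_t)`, while the boolean declared two lines above it is `gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)`; as written, the winbind helper transition is switched by the PAM boolean and the ntlm_winbind boolean gates nothing visible in this hunk. Unless allow_httpd_mod_auth_ntlm_winbind is consumed elsewhere in the patch, the guard should read `tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',``, so that turning on PAM authentication does not silently also enable the winbind helper domain transition for httpd_t. The optional_policy wrapper opens inside the hunk but the surrounding policy runs outside it. Separately, in the ftp.te hunk at `@@ -222,8 +223,12 @@` the new `auth_read_all_dirs_except_shadow(ftpd_t)` / `auth_read_all_files_except_shadow(ftpd_t)` / `auth_read_all_symlinks_except_shadow(ftpd_t)` calls sit inside a tunable block whose opening line is outside the hunk; from the adjacent userdom_manage_user_home_content_* lines it appears to be the ftp_home_dir block, which would let a home-directory boolean grant ftpd read access to nearly the whole filesystem, a far wider scope than the boolean's name suggests and worth either its own tunable or a comment stating that this is intended.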
@ -19,8 +19,8 @@
|
||||
%define CHECKPOLICYVER 2.0.16-3
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.6.4
|
||||
Release: 5%{?dist}
|
||||
Version: 3.6.5
|
||||
Release: 1%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -184,7 +184,7 @@ fi;
|
||||
|
||||
%description
|
||||
SELinux Reference Policy - modular.
|
||||
Based off of reference policy: Checked out revision 2907.
|
||||
Based off of reference policy: Checked out revision 2908.
|
||||
|
||||
%build
|
||||
|
||||
@ -444,6 +444,12 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Feb 9 2009 Dan Walsh <dwalsh@redhat.com> 3.6.5-1
|
||||
- Add setrans contains from upstream
|
||||
|
||||
* Mon Feb 9 2009 Dan Walsh <dwalsh@redhat.com> 3.6.4-6
|
||||
- Do transitions outside of the booleans
|
||||
|
||||
* Sun Feb 8 2009 Dan Walsh <dwalsh@redhat.com> 3.6.4-5
|
||||
- Allow xdm to create user_tmp_t sockets for switch user to work
|
||||
|
||||
|