- Fix to add xguest account when inititial install
- Allow mono, java, wine to run in userdomains
This commit is contained in:
Daniel J Walsh
parent
a9d4b80f50
commit
c003dbaafb
@ -5184,7 +5184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
|||||||
')
|
')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.0.8/policy/modules/services/dbus.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.0.8/policy/modules/services/dbus.if
|
||||||
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-07-03 07:06:27.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-07-03 07:06:27.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/services/dbus.if 2007-09-20 12:01:41.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/services/dbus.if 2007-09-20 15:31:09.000000000 -0400
|
||||||
@@ -50,6 +50,12 @@
|
@@ -50,6 +50,12 @@
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -5206,6 +5206,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
|||||||
allow $1_dbusd_t self:file { getattr read write };
|
allow $1_dbusd_t self:file { getattr read write };
|
||||||
allow $1_dbusd_t self:fifo_file rw_fifo_file_perms;
|
allow $1_dbusd_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow $1_dbusd_t self:dbus { send_msg acquire_svc };
|
allow $1_dbusd_t self:dbus { send_msg acquire_svc };
|
||||||
|
@@ -86,7 +93,7 @@
|
||||||
|
# SE-DBus specific permissions
|
||||||
|
allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
|
||||||
|
allow $2 $1_dbusd_t:dbus { send_msg acquire_svc };
|
||||||
|
- allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
|
||||||
|
+ allow $2 system_dbusd_t:dbus { send_msg acquire_svc };
|
||||||
|
|
||||||
|
allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
|
||||||
|
read_files_pattern($1_dbusd_t,dbusd_etc_t,dbusd_etc_t)
|
||||||
@@ -135,7 +142,21 @@
|
@@ -135,7 +142,21 @@
|
||||||
selinux_compute_relabel_context($1_dbusd_t)
|
selinux_compute_relabel_context($1_dbusd_t)
|
||||||
selinux_compute_user_contexts($1_dbusd_t)
|
selinux_compute_user_contexts($1_dbusd_t)
|
||||||
@ -5213,12 +5222,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
|||||||
+ corecmd_bin_domtrans($1_dbusd_t, $1_t)
|
+ corecmd_bin_domtrans($1_dbusd_t, $1_t)
|
||||||
+ allow $1_dbusd_t $1_t:process sigkill;
|
+ allow $1_dbusd_t $1_t:process sigkill;
|
||||||
+
|
+
|
||||||
+ allow $1_t $1_dbusd_t:fd use;
|
+ allow $2 $1_dbusd_t:fd use;
|
||||||
+ allow $1_t $1_dbusd_t:fifo_file rw_fifo_file_perms;
|
+ allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms;
|
||||||
+ allow $1_t $1_dbusd_t:process sigchld;
|
+ allow $2 $1_dbusd_t:process sigchld;
|
||||||
+
|
+
|
||||||
+ ifdef(`hide_broken_symptoms', `
|
+ ifdef(`hide_broken_symptoms', `
|
||||||
+ dontaudit $1_t $1_dbusd_t:netlink_selinux_socket { read write };
|
+ dontaudit $2 $1_dbusd_t:netlink_selinux_socket { read write };
|
||||||
+ ');
|
+ ');
|
||||||
+
|
+
|
||||||
+ userdom_read_user_home_content_files($1, $1_dbusd_t)
|
+ userdom_read_user_home_content_files($1, $1_dbusd_t)
|
||||||
@ -9530,7 +9539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-07-03 07:06:27.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-07-03 07:06:27.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-09-20 12:07:15.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-09-20 15:27:25.000000000 -0400
|
||||||
@@ -126,6 +126,8 @@
|
@@ -126,6 +126,8 @@
|
||||||
# read events - the synaptics touchpad driver reads raw events
|
# read events - the synaptics touchpad driver reads raw events
|
||||||
dev_rw_input_dev($1_xserver_t)
|
dev_rw_input_dev($1_xserver_t)
|
||||||
@ -9611,7 +9620,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
# for when /tmp/.X11-unix is created by the system
|
# for when /tmp/.X11-unix is created by the system
|
||||||
allow $2 xdm_t:fd use;
|
allow $2 xdm_t:fd use;
|
||||||
@@ -555,25 +559,52 @@
|
@@ -555,25 +559,53 @@
|
||||||
allow $2 xdm_tmp_t:sock_file { read write };
|
allow $2 xdm_tmp_t:sock_file { read write };
|
||||||
dontaudit $2 xdm_t:tcp_socket { read write };
|
dontaudit $2 xdm_t:tcp_socket { read write };
|
||||||
|
|
||||||
@ -9649,6 +9658,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
+ userdom_read_all_users_home_content_files(xdm_t)
|
+ userdom_read_all_users_home_content_files(xdm_t)
|
||||||
+ userdom_read_all_users_home_content_files(xdm_xserver_t)
|
+ userdom_read_all_users_home_content_files(xdm_xserver_t)
|
||||||
|
+ userdom_rw_user_tmpfs_files($1, xdm_xserver_t)
|
||||||
+#Compiler is broken so these wont work
|
+#Compiler is broken so these wont work
|
||||||
+ gnome_read_user_gnome_config($1, xdm_t)
|
+ gnome_read_user_gnome_config($1, xdm_t)
|
||||||
+ gnome_read_user_gnome_config($1, xdm_xserver_t)
|
+ gnome_read_user_gnome_config($1, xdm_xserver_t)
|
||||||
@ -9672,7 +9682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -626,6 +657,24 @@
|
@@ -626,6 +658,24 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -9697,7 +9707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
## Transition to a user Xauthority domain.
|
## Transition to a user Xauthority domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <desc>
|
## <desc>
|
||||||
@@ -659,6 +708,73 @@
|
@@ -659,6 +709,73 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -9771,7 +9781,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
## Transition to a user Xauthority domain.
|
## Transition to a user Xauthority domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <desc>
|
## <desc>
|
||||||
@@ -927,6 +1043,7 @@
|
@@ -927,6 +1044,7 @@
|
||||||
files_search_tmp($1)
|
files_search_tmp($1)
|
||||||
allow $1 xdm_tmp_t:dir list_dir_perms;
|
allow $1 xdm_tmp_t:dir list_dir_perms;
|
||||||
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
|
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
|
||||||
@ -9779,7 +9789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -987,6 +1104,37 @@
|
@@ -987,6 +1105,37 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -9817,7 +9827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
## Make an X session script an entrypoint for the specified domain.
|
## Make an X session script an entrypoint for the specified domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -1136,7 +1284,7 @@
|
@@ -1136,7 +1285,7 @@
|
||||||
type xdm_xserver_tmp_t;
|
type xdm_xserver_tmp_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -9826,7 +9836,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1325,3 +1473,62 @@
|
@@ -1325,3 +1474,62 @@
|
||||||
files_search_tmp($1)
|
files_search_tmp($1)
|
||||||
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
|
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
|
||||||
')
|
')
|
||||||
@ -9891,7 +9901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-08-22 07:14:07.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-08-22 07:14:07.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-09-20 10:44:00.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-09-20 15:44:32.000000000 -0400
|
||||||
@@ -16,6 +16,13 @@
|
@@ -16,6 +16,13 @@
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
@ -9951,7 +9961,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
miscfiles_read_localization(xdm_t)
|
miscfiles_read_localization(xdm_t)
|
||||||
miscfiles_read_fonts(xdm_t)
|
miscfiles_read_fonts(xdm_t)
|
||||||
@@ -271,6 +285,10 @@
|
@@ -268,9 +282,14 @@
|
||||||
|
userdom_create_all_users_keys(xdm_t)
|
||||||
|
# for .dmrc
|
||||||
|
userdom_read_unpriv_users_home_content_files(xdm_t)
|
||||||
|
+
|
||||||
# Search /proc for any user domain processes.
|
# Search /proc for any user domain processes.
|
||||||
userdom_read_all_users_state(xdm_t)
|
userdom_read_all_users_state(xdm_t)
|
||||||
userdom_signal_all_users(xdm_t)
|
userdom_signal_all_users(xdm_t)
|
||||||
@ -9962,7 +9976,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
|
xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
|
||||||
|
|
||||||
@@ -306,6 +324,11 @@
|
@@ -306,6 +325,11 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
consolekit_dbus_chat(xdm_t)
|
consolekit_dbus_chat(xdm_t)
|
||||||
@ -9974,7 +9988,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -348,12 +371,8 @@
|
@@ -348,12 +372,8 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -9988,7 +10002,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
ifdef(`distro_rhel4',`
|
ifdef(`distro_rhel4',`
|
||||||
allow xdm_t self:process { execheap execmem };
|
allow xdm_t self:process { execheap execmem };
|
||||||
@@ -385,7 +404,7 @@
|
@@ -385,7 +405,7 @@
|
||||||
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
|
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
|
||||||
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
|
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
|
||||||
|
|
||||||
@ -9997,7 +10011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
# Label pid and temporary files with derived types.
|
# Label pid and temporary files with derived types.
|
||||||
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
|
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
|
||||||
@@ -425,6 +444,10 @@
|
@@ -425,6 +445,10 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -10008,7 +10022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
resmgr_stream_connect(xdm_t)
|
resmgr_stream_connect(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -434,47 +457,19 @@
|
@@ -434,47 +458,19 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -10109,7 +10123,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
')
|
')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
|
||||||
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-08-22 07:14:13.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-08-22 07:14:13.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-09-20 11:14:45.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-09-20 16:27:52.000000000 -0400
|
||||||
@@ -26,7 +26,8 @@
|
@@ -26,7 +26,8 @@
|
||||||
type $1_chkpwd_t, can_read_shadow_passwords;
|
type $1_chkpwd_t, can_read_shadow_passwords;
|
||||||
application_domain($1_chkpwd_t,chkpwd_exec_t)
|
application_domain($1_chkpwd_t,chkpwd_exec_t)
|
||||||
@ -10140,7 +10154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
|
|
||||||
domain_type($1)
|
domain_type($1)
|
||||||
domain_subj_id_change_exemption($1)
|
domain_subj_id_change_exemption($1)
|
||||||
@@ -176,11 +177,24 @@
|
@@ -176,11 +177,23 @@
|
||||||
domain_obj_id_change_exemption($1)
|
domain_obj_id_change_exemption($1)
|
||||||
role system_r types $1;
|
role system_r types $1;
|
||||||
|
|
||||||
@ -10150,7 +10164,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
+
|
+
|
||||||
+ auth_keyring_domain($1)
|
+ auth_keyring_domain($1)
|
||||||
+ allow $1 keyring_type:key { search link };
|
+ allow $1 keyring_type:key { search link };
|
||||||
+ auth_domtrans_chk_passwd($1)
|
|
||||||
+
|
+
|
||||||
+ files_list_var_lib($1)
|
+ files_list_var_lib($1)
|
||||||
+ manage_files_pattern($1, var_auth_t, var_auth_t)
|
+ manage_files_pattern($1, var_auth_t, var_auth_t)
|
||||||
@ -10165,7 +10178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
selinux_get_fs_mount($1)
|
selinux_get_fs_mount($1)
|
||||||
selinux_validate_context($1)
|
selinux_validate_context($1)
|
||||||
selinux_compute_access_vector($1)
|
selinux_compute_access_vector($1)
|
||||||
@@ -196,22 +210,33 @@
|
@@ -196,22 +209,33 @@
|
||||||
mls_fd_share_all_levels($1)
|
mls_fd_share_all_levels($1)
|
||||||
|
|
||||||
auth_domtrans_chk_passwd($1)
|
auth_domtrans_chk_passwd($1)
|
||||||
@ -10200,7 +10213,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -309,9 +334,6 @@
|
@@ -309,9 +333,6 @@
|
||||||
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
|
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -10210,7 +10223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
corecmd_search_bin($1)
|
corecmd_search_bin($1)
|
||||||
domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
|
domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
|
||||||
|
|
||||||
@@ -329,6 +351,7 @@
|
@@ -329,6 +350,7 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
kerberos_use($1)
|
kerberos_use($1)
|
||||||
@ -10218,7 +10231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -347,6 +370,37 @@
|
@@ -347,6 +369,37 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -10256,7 +10269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
## Get the attributes of the shadow passwords file.
|
## Get the attributes of the shadow passwords file.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -695,6 +749,24 @@
|
@@ -695,6 +748,24 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -10281,7 +10294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
## Execute pam programs in the PAM domain.
|
## Execute pam programs in the PAM domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -1318,14 +1390,9 @@
|
@@ -1318,14 +1389,9 @@
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`auth_use_nsswitch',`
|
interface(`auth_use_nsswitch',`
|
||||||
@ -10296,7 +10309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
files_list_var_lib($1)
|
files_list_var_lib($1)
|
||||||
|
|
||||||
miscfiles_read_certs($1)
|
miscfiles_read_certs($1)
|
||||||
@@ -1381,3 +1448,163 @@
|
@@ -1381,3 +1447,163 @@
|
||||||
typeattribute $1 can_write_shadow_passwords;
|
typeattribute $1 can_write_shadow_passwords;
|
||||||
typeattribute $1 can_relabelto_shadow_passwords;
|
typeattribute $1 can_relabelto_shadow_passwords;
|
||||||
')
|
')
|
||||||
@ -11327,8 +11340,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||||||
+/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_script_exec_t,s0)
|
+/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_script_exec_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.0.8/policy/modules/system/logging.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.0.8/policy/modules/system/logging.if
|
||||||
--- nsaserefpolicy/policy/modules/system/logging.if 2007-09-12 10:34:51.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/logging.if 2007-09-12 10:34:51.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/system/logging.if 2007-09-17 16:20:18.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/system/logging.if 2007-09-20 15:21:10.000000000 -0400
|
||||||
@@ -33,8 +33,13 @@
|
@@ -33,8 +33,27 @@
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`logging_send_audit_msgs',`
|
interface(`logging_send_audit_msgs',`
|
||||||
@ -11340,10 +11353,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||||||
allow $1 self:capability audit_write;
|
allow $1 self:capability audit_write;
|
||||||
- allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
- allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||||
+ allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
|
+ allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+#######################################
|
||||||
|
+## <summary>
|
||||||
|
+## dontaudit attempts to send audit messages.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`logging_dontaudit_send_audit_msgs',`
|
||||||
|
+ dontaudit $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -238,6 +243,63 @@
|
@@ -238,6 +257,63 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -11407,7 +11434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||||||
## Create an object in the log directory, with a private
|
## Create an object in the log directory, with a private
|
||||||
## type using a type transition.
|
## type using a type transition.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -470,7 +532,7 @@
|
@@ -470,7 +546,7 @@
|
||||||
|
|
||||||
files_search_var($1)
|
files_search_var($1)
|
||||||
allow $1 var_log_t:dir list_dir_perms;
|
allow $1 var_log_t:dir list_dir_perms;
|
||||||
@ -11416,7 +11443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -514,6 +576,8 @@
|
@@ -514,6 +590,8 @@
|
||||||
files_search_var($1)
|
files_search_var($1)
|
||||||
manage_files_pattern($1,logfile,logfile)
|
manage_files_pattern($1,logfile,logfile)
|
||||||
read_lnk_files_pattern($1,logfile,logfile)
|
read_lnk_files_pattern($1,logfile,logfile)
|
||||||
@ -11425,7 +11452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -597,3 +661,258 @@
|
@@ -597,3 +675,258 @@
|
||||||
files_search_var($1)
|
files_search_var($1)
|
||||||
manage_files_pattern($1,var_log_t,var_log_t)
|
manage_files_pattern($1,var_log_t,var_log_t)
|
||||||
')
|
')
|
||||||
@ -13219,16 +13246,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||||||
+corecmd_exec_all_executables(unconfined_t)
|
+corecmd_exec_all_executables(unconfined_t)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.0.8/policy/modules/system/userdomain.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.0.8/policy/modules/system/userdomain.fc
|
||||||
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2007-05-29 14:10:58.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2007-05-29 14:10:58.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/system/userdomain.fc 2007-09-17 16:20:18.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/system/userdomain.fc 2007-09-20 15:47:36.000000000 -0400
|
||||||
@@ -1,4 +1,5 @@
|
@@ -1,4 +1,4 @@
|
||||||
HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh)
|
HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh)
|
||||||
+HOME_DIR -l gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh)
|
+HOME_DIR -l gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh)
|
||||||
HOME_DIR/.+ gen_context(system_u:object_r:ROLE_home_t,s0)
|
HOME_DIR/.+ gen_context(system_u:object_r:ROLE_home_t,s0)
|
||||||
|
-
|
||||||
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
|
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
|
||||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-20 12:06:52.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-20 15:46:46.000000000 -0400
|
||||||
@@ -29,8 +29,9 @@
|
@@ -29,8 +29,9 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -14121,7 +14148,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
|
|
||||||
kernel_read_software_raid_state($1_t)
|
kernel_read_software_raid_state($1_t)
|
||||||
kernel_getattr_core_if($1_t)
|
kernel_getattr_core_if($1_t)
|
||||||
@@ -1894,10 +1979,46 @@
|
@@ -1642,9 +1727,11 @@
|
||||||
|
template(`userdom_user_home_content',`
|
||||||
|
gen_require(`
|
||||||
|
attribute $1_file_type;
|
||||||
|
+ attribute user_home_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
typeattribute $2 $1_file_type;
|
||||||
|
+ typeattribute $2 user_home_type;
|
||||||
|
files_type($2)
|
||||||
|
')
|
||||||
|
|
||||||
|
@@ -1894,10 +1981,46 @@
|
||||||
template(`userdom_manage_user_home_content_dirs',`
|
template(`userdom_manage_user_home_content_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type $1_home_dir_t, $1_home_t;
|
type $1_home_dir_t, $1_home_t;
|
||||||
@ -14169,7 +14208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -3078,7 +3199,7 @@
|
@@ -3078,7 +3201,7 @@
|
||||||
#
|
#
|
||||||
template(`userdom_tmp_filetrans_user_tmp',`
|
template(`userdom_tmp_filetrans_user_tmp',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -14178,7 +14217,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
files_tmp_filetrans($2,$1_tmp_t,$3)
|
files_tmp_filetrans($2,$1_tmp_t,$3)
|
||||||
@@ -4615,6 +4736,24 @@
|
@@ -4615,6 +4738,24 @@
|
||||||
files_list_home($1)
|
files_list_home($1)
|
||||||
allow $1 home_dir_type:dir search_dir_perms;
|
allow $1 home_dir_type:dir search_dir_perms;
|
||||||
')
|
')
|
||||||
@ -14203,7 +14242,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -4633,6 +4772,14 @@
|
@@ -4633,6 +4774,14 @@
|
||||||
|
|
||||||
files_list_home($1)
|
files_list_home($1)
|
||||||
allow $1 home_dir_type:dir list_dir_perms;
|
allow $1 home_dir_type:dir list_dir_perms;
|
||||||
@ -14218,7 +14257,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -5323,7 +5470,7 @@
|
@@ -5323,7 +5472,7 @@
|
||||||
attribute user_tmpfile;
|
attribute user_tmpfile;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -14227,7 +14266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -5559,3 +5706,375 @@
|
@@ -5559,3 +5708,376 @@
|
||||||
interface(`userdom_unconfined',`
|
interface(`userdom_unconfined',`
|
||||||
refpolicywarn(`$0($*) has been deprecated.')
|
refpolicywarn(`$0($*) has been deprecated.')
|
||||||
')
|
')
|
||||||
@ -14417,13 +14456,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
+# Should be optional but policy will not build because of compiler problems
|
+# Should be optional but policy will not build because of compiler problems
|
||||||
+# Must be before xwindows calls
|
+# Must be before xwindows calls
|
||||||
+#optional_policy(`
|
+#optional_policy(`
|
||||||
+ gnome_per_role_template($1, $1_t, $1_r)
|
+ gnome_per_role_template($1, $1_usertype, $1_r)
|
||||||
+ gnome_exec_gconf($1_t)
|
+ gnome_exec_gconf($1_usertype)
|
||||||
+#')
|
+#')
|
||||||
+
|
+
|
||||||
+userdom_xwindows_client_template($1)
|
+userdom_xwindows_client_template($1)
|
||||||
+
|
+
|
||||||
+logging_send_syslog_msg($1_usertype)
|
+logging_send_syslog_msg($1_usertype)
|
||||||
|
+logging_dontaudit_send_audit_msgs($1_usertype)
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ alsa_read_rw_config($1_usertype)
|
+ alsa_read_rw_config($1_usertype)
|
||||||
@ -14448,7 +14488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ consolekit_dontaudit_dbus_chat($1_usertype)
|
+ consolekit_dbus_chat($1_usertype)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user