rpms/selinux-policy
5
0
Fork 0
Code Issues Pull Requests Releases Activity

- Allow vpnc to run ifconfig

Browse Source
This commit is contained in:
Daniel J Walsh 2008-06-26 12:12:35 +00:00
parent f86ed5a437
commit c18681476b
2 changed files with 128 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

156
policy-20080509.patch
View File

@ -1670,9 +1670,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool
+ xserver_exec_pid(vbetool_t) + xserver_exec_pid(vbetool_t)
+ xserver_write_pid(vbetool_t) + xserver_write_pid(vbetool_t)
+') +')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if serefpolicy-3.4.2/policy/modules/admin/vpn.if
--- nsaserefpolicy/policy/modules/admin/vpn.if 2008-06-12 23:25:08.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/admin/vpn.if 2008-06-26 07:40:44.000000000 -0400
@@ -48,6 +48,7 @@
vpn_domtrans($1)
role $2 types vpnc_t;
allow vpnc_t $3:chr_file rw_term_perms;
+ sysnet_run_ifconfig(vpnc_t, $2, $3)
')
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.4.2/policy/modules/admin/vpn.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.4.2/policy/modules/admin/vpn.te
--- nsaserefpolicy/policy/modules/admin/vpn.te 2008-06-12 23:25:08.000000000 -0400 --- nsaserefpolicy/policy/modules/admin/vpn.te 2008-06-12 23:25:08.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/admin/vpn.te 2008-06-12 23:37:53.000000000 -0400 +++ serefpolicy-3.4.2/policy/modules/admin/vpn.te 2008-06-26 07:39:30.000000000 -0400
@@ -24,7 +24,8 @@ @@ -24,7 +24,8 @@
allow vpnc_t self:capability { dac_override net_admin ipc_lock net_raw }; allow vpnc_t self:capability { dac_override net_admin ipc_lock net_raw };
@ -1683,6 +1694,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te
allow vpnc_t self:tcp_socket create_stream_socket_perms; allow vpnc_t self:tcp_socket create_stream_socket_perms;
allow vpnc_t self:udp_socket create_socket_perms; allow vpnc_t self:udp_socket create_socket_perms;
allow vpnc_t self:rawip_socket create_socket_perms; allow vpnc_t self:rawip_socket create_socket_perms;
@@ -102,7 +103,6 @@
seutil_dontaudit_search_config(vpnc_t)
seutil_use_newrole_fds(vpnc_t)
-sysnet_domtrans_ifconfig(vpnc_t)
sysnet_etc_filetrans_config(vpnc_t)
sysnet_manage_config(vpnc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.fc serefpolicy-3.4.2/policy/modules/apps/ethereal.fc diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.fc serefpolicy-3.4.2/policy/modules/apps/ethereal.fc
--- nsaserefpolicy/policy/modules/apps/ethereal.fc 2008-06-12 23:25:03.000000000 -0400 --- nsaserefpolicy/policy/modules/apps/ethereal.fc 2008-06-12 23:25:03.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/apps/ethereal.fc 2008-06-12 23:37:51.000000000 -0400 +++ serefpolicy-3.4.2/policy/modules/apps/ethereal.fc 2008-06-12 23:37:51.000000000 -0400
@ -13994,7 +14013,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.4.2/policy/modules/services/dbus.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.4.2/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2008-06-12 23:25:05.000000000 -0400 --- nsaserefpolicy/policy/modules/services/dbus.if 2008-06-12 23:25:05.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/services/dbus.if 2008-06-22 20:49:35.000000000 -0400 +++ serefpolicy-3.4.2/policy/modules/services/dbus.if 2008-06-26 07:23:57.000000000 -0400
@@ -53,6 +53,7 @@ @@ -53,6 +53,7 @@
gen_require(` gen_require(`
type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t; type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
@ -14106,8 +14125,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
') ')
') ')
@@ -209,12 +229,9 @@ @@ -207,14 +227,12 @@
type system_dbusd_t, system_dbusd_t;
type system_dbusd_var_run_t, system_dbusd_var_lib_t;
class dbus send_msg; class dbus send_msg;
+ attribute dbusd_unconfined;
') ')
-# type $1_dbusd_system_t; -# type $1_dbusd_system_t;
@ -14116,12 +14138,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
# SE-DBus specific permissions # SE-DBus specific permissions
-# allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg; -# allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
- allow $2 { system_dbusd_t self }:dbus send_msg; - allow $2 { system_dbusd_t self }:dbus send_msg;
+ allow $2 { system_dbusd_t $2 }:dbus send_msg; + allow $2 { system_dbusd_t $2 dbusd_unconfined }:dbus send_msg;
+ allow system_dbusd_t $2:dbus send_msg; + allow { system_dbusd_t dbusd_unconfined } $2:dbus send_msg;
read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t) read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($2) files_search_var_lib($2)
@@ -223,6 +240,10 @@ @@ -223,6 +241,10 @@
files_search_pids($2) files_search_pids($2)
stream_connect_pattern($2,system_dbusd_var_run_t,system_dbusd_var_run_t,system_dbusd_t) stream_connect_pattern($2,system_dbusd_var_run_t,system_dbusd_var_run_t,system_dbusd_t)
dbus_read_config($2) dbus_read_config($2)
@ -14132,7 +14154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
') ')
####################################### #######################################
@@ -251,18 +272,16 @@ @@ -251,18 +273,16 @@
template(`dbus_user_bus_client_template',` template(`dbus_user_bus_client_template',`
gen_require(` gen_require(`
type $1_dbusd_t; type $1_dbusd_t;
@ -14153,7 +14175,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
') ')
######################################## ########################################
@@ -292,6 +311,55 @@ @@ -292,6 +312,55 @@
######################################## ########################################
## <summary> ## <summary>
@ -14209,7 +14231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
## Read dbus configuration. ## Read dbus configuration.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -366,3 +434,55 @@ @@ -366,3 +435,55 @@
allow $1 system_dbusd_t:dbus *; allow $1 system_dbusd_t:dbus *;
') ')
@ -14267,7 +14289,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
+') +')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.4.2/policy/modules/services/dbus.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.4.2/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2008-06-12 23:25:05.000000000 -0400 --- nsaserefpolicy/policy/modules/services/dbus.te 2008-06-12 23:25:05.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/services/dbus.te 2008-06-22 20:51:20.000000000 -0400 +++ serefpolicy-3.4.2/policy/modules/services/dbus.te 2008-06-26 07:22:31.000000000 -0400
@@ -9,9 +9,10 @@ @@ -9,9 +9,10 @@
# #
# Delcarations # Delcarations
@ -14349,7 +14371,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
libs_use_ld_so(system_dbusd_t) libs_use_ld_so(system_dbusd_t)
libs_use_shared_libs(system_dbusd_t) libs_use_shared_libs(system_dbusd_t)
@@ -122,9 +140,40 @@ @@ -122,9 +140,38 @@
') ')
optional_policy(` optional_policy(`
@ -14380,10 +14402,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
+optional_policy(` +optional_policy(`
+ gen_require(` + gen_require(`
+ type unconfined_dbusd_t; + type unconfined_dbusd_t;
+ attribute domain;
+ ') + ')
+ unconfined_domain(unconfined_dbusd_t) + unconfined_domain(unconfined_dbusd_t)
+ allow dbusd_unconfined domain:dbus send_msg;
+ unconfined_execmem_domtrans(unconfined_dbusd_t) + unconfined_execmem_domtrans(unconfined_dbusd_t)
+ +
+ optional_policy(` + optional_policy(`
@ -25716,7 +25736,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
+') +')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.4.2/policy/modules/services/squid.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.4.2/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2008-06-12 23:25:06.000000000 -0400 --- nsaserefpolicy/policy/modules/services/squid.te 2008-06-12 23:25:06.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/services/squid.te 2008-06-12 23:37:52.000000000 -0400 +++ serefpolicy-3.4.2/policy/modules/services/squid.te 2008-06-25 07:54:09.000000000 -0400
@@ -31,12 +31,15 @@ @@ -31,12 +31,15 @@
type squid_var_run_t; type squid_var_run_t;
files_pid_file(squid_var_run_t) files_pid_file(squid_var_run_t)
@ -25730,7 +25750,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
# #
-allow squid_t self:capability { setgid setuid dac_override sys_resource }; -allow squid_t self:capability { setgid setuid dac_override sys_resource };
+allow squid_t self:capability { setgid kill setuid dac_override sys_resource }; +allow squid_t self:capability { setgid killa setuid dac_override sys_resource };
dontaudit squid_t self:capability sys_tty_config; dontaudit squid_t self:capability sys_tty_config;
allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
allow squid_t self:fifo_file rw_fifo_file_perms; allow squid_t self:fifo_file rw_fifo_file_perms;
@ -25742,7 +25762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
corenet_tcp_bind_http_cache_port(squid_t) corenet_tcp_bind_http_cache_port(squid_t)
corenet_udp_bind_http_cache_port(squid_t) corenet_udp_bind_http_cache_port(squid_t)
corenet_tcp_bind_ftp_port(squid_t) corenet_tcp_bind_ftp_port(squid_t)
@@ -92,6 +96,7 @@ @@ -92,10 +96,12 @@
corenet_udp_bind_gopher_port(squid_t) corenet_udp_bind_gopher_port(squid_t)
corenet_tcp_bind_squid_port(squid_t) corenet_tcp_bind_squid_port(squid_t)
corenet_udp_bind_squid_port(squid_t) corenet_udp_bind_squid_port(squid_t)
@ -25750,7 +25770,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
corenet_tcp_connect_ftp_port(squid_t) corenet_tcp_connect_ftp_port(squid_t)
corenet_tcp_connect_gopher_port(squid_t) corenet_tcp_connect_gopher_port(squid_t)
corenet_tcp_connect_http_port(squid_t) corenet_tcp_connect_http_port(squid_t)
@@ -109,6 +114,8 @@ corenet_tcp_connect_http_cache_port(squid_t)
+corenet_tcp_connect_pgpkeyserver_port(squid_t)
corenet_sendrecv_http_client_packets(squid_t)
corenet_sendrecv_ftp_client_packets(squid_t)
corenet_sendrecv_gopher_client_packets(squid_t)
@@ -109,6 +115,8 @@
fs_getattr_all_fs(squid_t) fs_getattr_all_fs(squid_t)
fs_search_auto_mountpoints(squid_t) fs_search_auto_mountpoints(squid_t)
@ -25759,7 +25784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
selinux_dontaudit_getattr_dir(squid_t) selinux_dontaudit_getattr_dir(squid_t)
@@ -128,6 +135,7 @@ @@ -128,6 +136,7 @@
files_getattr_home_dir(squid_t) files_getattr_home_dir(squid_t)
auth_use_nsswitch(squid_t) auth_use_nsswitch(squid_t)
@ -25767,7 +25792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
libs_use_ld_so(squid_t) libs_use_ld_so(squid_t)
libs_use_shared_libs(squid_t) libs_use_shared_libs(squid_t)
@@ -149,11 +157,7 @@ @@ -149,11 +158,7 @@
') ')
optional_policy(` optional_policy(`
@ -25780,7 +25805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
') ')
optional_policy(` optional_policy(`
@@ -168,7 +172,12 @@ @@ -168,7 +173,12 @@
udev_read_db(squid_t) udev_read_db(squid_t)
') ')
@ -29263,6 +29288,50 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
vmware_read_system_config(initrc_t) vmware_read_system_config(initrc_t)
vmware_append_system_config(initrc_t) vmware_append_system_config(initrc_t)
') ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.4.2/policy/modules/system/ipsec.if
--- nsaserefpolicy/policy/modules/system/ipsec.if 2008-06-12 23:25:07.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/system/ipsec.if 2008-06-26 07:50:38.000000000 -0400
@@ -150,6 +150,26 @@
manage_files_pattern($1,ipsec_var_run_t,ipsec_var_run_t)
')
+
+########################################
+## <summary>
+## write the ipsec_var_run_t files.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`ipsec_write_pid',`
+ gen_require(`
+ type ipsec_var_run_t;
+ ')
+
+ files_search_pids($1)
+ write_files_pattern($1,ipsec_var_run_t,ipsec_var_run_t)
+')
+
########################################
## <summary>
## Execute racoon in the racoon domain.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.4.2/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2008-06-12 23:25:07.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/system/ipsec.te 2008-06-26 07:46:57.000000000 -0400
@@ -69,8 +69,8 @@
read_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
read_lnk_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
-allow ipsec_t ipsec_var_run_t:file manage_file_perms;
-allow ipsec_t ipsec_var_run_t:sock_file manage_sock_file_perms;
+manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
+manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
files_pid_filetrans(ipsec_t,ipsec_var_run_t,{ file sock_file })
can_exec(ipsec_t, ipsec_mgmt_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.4.2/policy/modules/system/iptables.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.4.2/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2008-06-12 23:25:07.000000000 -0400 --- nsaserefpolicy/policy/modules/system/iptables.te 2008-06-12 23:25:07.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/system/iptables.te 2008-06-12 23:37:52.000000000 -0400 +++ serefpolicy-3.4.2/policy/modules/system/iptables.te 2008-06-12 23:37:52.000000000 -0400
@ -32174,7 +32243,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
+') +')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.4.2/policy/modules/system/sysnetwork.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.4.2/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-06-12 23:25:07.000000000 -0400 --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-06-12 23:25:07.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/system/sysnetwork.te 2008-06-12 23:37:52.000000000 -0400 +++ serefpolicy-3.4.2/policy/modules/system/sysnetwork.te 2008-06-26 07:51:07.000000000 -0400
@@ -20,6 +20,10 @@ @@ -20,6 +20,10 @@
init_daemon_domain(dhcpc_t,dhcpc_exec_t) init_daemon_domain(dhcpc_t,dhcpc_exec_t)
role system_r types dhcpc_t; role system_r types dhcpc_t;
@ -32317,7 +32386,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
ifdef(`hide_broken_symptoms',` ifdef(`hide_broken_symptoms',`
optional_policy(` optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t) dev_dontaudit_rw_cardmgr(ifconfig_t)
@@ -332,6 +351,14 @@ @@ -324,6 +343,10 @@
')
optional_policy(`
+ ipsec_write_pid(ifconfig_t)
+')
+
+optional_policy(`
nis_use_ypbind(ifconfig_t)
')
@@ -332,6 +355,14 @@
') ')
optional_policy(` optional_policy(`
@ -32448,14 +32528,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
') ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.4.2/policy/modules/system/unconfined.fc diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.4.2/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2008-06-12 23:25:07.000000000 -0400 --- nsaserefpolicy/policy/modules/system/unconfined.fc 2008-06-12 23:25:07.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/system/unconfined.fc 2008-06-23 06:28:00.000000000 -0400 +++ serefpolicy-3.4.2/policy/modules/system/unconfined.fc 2008-06-26 07:24:15.000000000 -0400
@@ -2,15 +2,26 @@ @@ -2,15 +2,28 @@
# e.g.: # e.g.:
# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
-/usr/bin/qemu.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -/usr/bin/qemu.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) /usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0) -/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) /usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
@ -32480,6 +32561,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+/usr/bin/runhaskell -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +/usr/bin/runhaskell -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/libexec/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +/usr/libexec/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+
+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.4.2/policy/modules/system/unconfined.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.4.2/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2008-06-12 23:25:07.000000000 -0400 --- nsaserefpolicy/policy/modules/system/unconfined.if 2008-06-12 23:25:07.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/system/unconfined.if 2008-06-22 20:50:34.000000000 -0400 +++ serefpolicy-3.4.2/policy/modules/system/unconfined.if 2008-06-22 20:50:34.000000000 -0400
@ -33212,7 +33295,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.4.2/policy/modules/system/userdomain.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.4.2/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-06-12 23:25:07.000000000 -0400 --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-06-12 23:25:07.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/system/userdomain.if 2008-06-14 07:13:36.000000000 -0400 +++ serefpolicy-3.4.2/policy/modules/system/userdomain.if 2008-06-26 08:07:11.000000000 -0400
@@ -28,10 +28,14 @@ @@ -28,10 +28,14 @@
class context contains; class context contains;
') ')
@ -35304,7 +35387,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
## Domain allowed access. ## Domain allowed access.
@@ -4710,6 +4823,25 @@ @@ -4666,6 +4779,8 @@
')
dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
+ fs_dontaudit_list_nfs($2)
+ fs_dontaudit_list_cifs($2)
')
########################################
@@ -4710,6 +4825,25 @@
######################################## ########################################
## <summary> ## <summary>
@ -35330,7 +35422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Create, read, write, and delete all files ## Create, read, write, and delete all files
## in all users home directories. ## in all users home directories.
## </summary> ## </summary>
@@ -4935,7 +5067,7 @@ @@ -4935,7 +5069,7 @@
######################################## ########################################
## <summary> ## <summary>
@ -35339,7 +35431,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -5307,6 +5439,42 @@ @@ -5307,6 +5441,42 @@
######################################## ########################################
## <summary> ## <summary>
@ -35382,7 +35474,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Read and write unprivileged user ttys. ## Read and write unprivileged user ttys.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -5357,7 +5525,7 @@ @@ -5357,7 +5527,7 @@
attribute userdomain; attribute userdomain;
') ')
@ -35391,7 +35483,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_search_proc($1) kernel_search_proc($1)
') ')
@@ -5472,6 +5640,42 @@ @@ -5472,6 +5642,42 @@
######################################## ########################################
## <summary> ## <summary>
@ -35434,7 +35526,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Send a dbus message to all user domains. ## Send a dbus message to all user domains.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -5502,3 +5706,525 @@ @@ -5502,3 +5708,525 @@
interface(`userdom_unconfined',` interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.') refpolicywarn(`$0($*) has been deprecated.')
') ')

5
selinux-policy.spec
View File

@ -17,7 +17,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.4.2 Version: 3.4.2
Release: 7%{?dist} Release: 8%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -375,6 +375,9 @@ exit 0
%endif %endif
%changelog %changelog
* Thu Jun 26 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-8
- Allow vpnc to run ifconfig
* Tue Jun 24 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-7 * Tue Jun 24 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-7
- Allow confined users to use postgres - Allow confined users to use postgres
- Allow system_mail_t to exec other mail clients - Allow system_mail_t to exec other mail clients