- Fix /sbin/ip6tables-save context
- Allow udev to transition to mount - Fix loading of mls policy file
This commit is contained in:
parent
5dd89f3819
commit
c32d79e2c3
@ -655,7 +655,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
corenet_udp_sendrecv_lo_if(mrtg_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.6.12/policy/modules/admin/netutils.te
|
||||
--- nsaserefpolicy/policy/modules/admin/netutils.te 2009-03-12 11:16:47.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/admin/netutils.te 2009-04-23 09:44:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/admin/netutils.te 2009-05-04 11:25:11.000000000 -0400
|
||||
@@ -50,7 +50,7 @@
|
||||
files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
|
||||
|
||||
kernel_search_proc(netutils_t)
|
||||
-kernel_read_sysctl(netutils_t)
|
||||
+kernel_read_all_sysctls(netutils_t)
|
||||
|
||||
corenet_all_recvfrom_unlabeled(netutils_t)
|
||||
corenet_all_recvfrom_netlabel(netutils_t)
|
||||
@@ -152,6 +152,10 @@
|
||||
')
|
||||
|
||||
@ -4489,8 +4498,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.12/policy/modules/apps/screen.if
|
||||
--- nsaserefpolicy/policy/modules/apps/screen.if 2009-01-19 11:03:28.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/apps/screen.if 2009-05-02 07:49:38.000000000 -0400
|
||||
@@ -165,3 +165,23 @@
|
||||
+++ serefpolicy-3.6.12/policy/modules/apps/screen.if 2009-05-04 11:30:29.000000000 -0400
|
||||
@@ -165,3 +165,24 @@
|
||||
nscd_socket_use($1_screen_t)
|
||||
')
|
||||
')
|
||||
@ -4513,6 +4522,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ manage_dirs_pattern($1,screen_var_run_t,screen_var_run_t)
|
||||
+ manage_files_pattern($1,screen_var_run_t,screen_var_run_t)
|
||||
+ manage_lnk_files_pattern($1,screen_var_run_t,screen_var_run_t)
|
||||
+ manage_fifo_files_pattern($1,screen_var_run_t,screen_var_run_t)
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.te serefpolicy-3.6.12/policy/modules/apps/uml.te
|
||||
--- nsaserefpolicy/policy/modules/apps/uml.te 2009-01-19 11:03:28.000000000 -0500
|
||||
@ -5948,7 +5958,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
#
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.12/policy/modules/kernel/kernel.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-01-05 15:39:38.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if 2009-04-23 09:44:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if 2009-05-04 11:25:35.000000000 -0400
|
||||
@@ -1197,6 +1197,26 @@
|
||||
')
|
||||
|
||||
@ -20507,7 +20517,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.12/policy/modules/services/rpc.te
|
||||
--- nsaserefpolicy/policy/modules/services/rpc.te 2009-03-20 12:39:39.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/rpc.te 2009-04-23 09:44:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/rpc.te 2009-05-04 12:28:35.000000000 -0400
|
||||
@@ -23,7 +23,7 @@
|
||||
gen_tunable(allow_nfsd_anon_write, false)
|
||||
|
||||
@ -20517,7 +20527,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
rpc_domain_template(gssd)
|
||||
|
||||
@@ -74,21 +74,31 @@
|
||||
@@ -74,21 +74,33 @@
|
||||
|
||||
files_manage_mounttab(rpcd_t)
|
||||
|
||||
@ -20527,6 +20537,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
fs_read_rpc_symlinks(rpcd_t)
|
||||
fs_rw_rpc_sockets(rpcd_t)
|
||||
|
||||
+storage_getattr_fixed_disk_dev(rpcd_t)
|
||||
+
|
||||
+kernel_signal(rpcd_t)
|
||||
+
|
||||
selinux_dontaudit_read_fs(rpcd_t)
|
||||
@ -20549,7 +20561,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
########################################
|
||||
#
|
||||
# NFSD local policy
|
||||
@@ -116,8 +126,9 @@
|
||||
@@ -116,8 +128,9 @@
|
||||
# for exportfs and rpc.mountd
|
||||
files_getattr_tmp_dirs(nfsd_t)
|
||||
# cjp: this should really have its own type
|
||||
@ -20560,7 +20572,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
fs_mount_nfsd_fs(nfsd_t)
|
||||
fs_search_nfsd_fs(nfsd_t)
|
||||
fs_getattr_all_fs(nfsd_t)
|
||||
@@ -125,6 +136,7 @@
|
||||
@@ -125,6 +138,7 @@
|
||||
fs_rw_nfsd_fs(nfsd_t)
|
||||
|
||||
storage_dontaudit_read_fixed_disk(nfsd_t)
|
||||
@ -20568,7 +20580,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# Read access to public_content_t and public_content_rw_t
|
||||
miscfiles_read_public_files(nfsd_t)
|
||||
@@ -141,6 +153,7 @@
|
||||
@@ -141,6 +155,7 @@
|
||||
fs_read_noxattr_fs_files(nfsd_t)
|
||||
auth_manage_all_files_except_shadow(nfsd_t)
|
||||
')
|
||||
@ -20576,7 +20588,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
tunable_policy(`nfs_export_all_ro',`
|
||||
dev_getattr_all_blk_files(nfsd_t)
|
||||
@@ -175,6 +188,7 @@
|
||||
@@ -175,6 +190,7 @@
|
||||
|
||||
corecmd_exec_bin(gssd_t)
|
||||
|
||||
@ -20584,7 +20596,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
fs_list_rpc(gssd_t)
|
||||
fs_rw_rpc_sockets(gssd_t)
|
||||
fs_read_rpc_files(gssd_t)
|
||||
@@ -183,9 +197,12 @@
|
||||
@@ -183,9 +199,12 @@
|
||||
files_read_usr_symlinks(gssd_t)
|
||||
|
||||
auth_use_nsswitch(gssd_t)
|
||||
@ -29601,7 +29613,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
xen_append_log(ifconfig_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.12/policy/modules/system/udev.te
|
||||
--- nsaserefpolicy/policy/modules/system/udev.te 2009-04-07 15:53:36.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/udev.te 2009-04-23 09:44:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/udev.te 2009-05-04 14:15:06.000000000 -0400
|
||||
@@ -50,6 +50,7 @@
|
||||
allow udev_t self:unix_stream_socket connectto;
|
||||
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
@ -29638,7 +29650,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -242,6 +250,10 @@
|
||||
@@ -228,6 +236,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ mount_domtrans(udev_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
openct_read_pid_files(udev_t)
|
||||
openct_domtrans(udev_t)
|
||||
')
|
||||
@@ -242,6 +254,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
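Review bot: The new `optional_policy(\`` block in the udev.te section (the `@@ -228,6 +236,10 @@` hunk) adds `mount_domtrans(udev_t)` with no comment saying which udev helper has to run as mount_t, and a domain transition puts that helper under the whole mount domain rather than under a narrow set of udev_t permissions; a one-line comment such as `# udev has to invoke mount; run it in mount_t rather than udev_t (see 3.6.12-27 changelog)` would let the next reader judge whether the grant is still needed. The netutils.te hunk has the same gap: `kernel_read_sysctl(netutils_t)` becomes the broader `kernel_read_all_sysctls(netutils_t)` without a note naming the sysctl that prompted the widening. The body of the interface added by the kernel.if hunk (`@@ -1197,6 +1197,26 @@`) is not shown in this view, so the new `kernel_signal(rpcd_t)` call in rpc.te, which presumably relies on it, could not be checked against its definition, and the outer patch-file header also lies outside the view.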
@ -165,11 +165,6 @@ if [ -s /etc/selinux/config ]; then \
|
||||
fi \
|
||||
fi
|
||||
|
||||
%define loadminpolicy() \
|
||||
( cd /usr/share/selinux/%1; \
|
||||
semodule -b base.pp.bz2 -i unconfined.pp.bz2 unconfineduser.pp.bz2 -s %1; \
|
||||
); \
|
||||
|
||||
%define loadpolicy() \
|
||||
( cd /usr/share/selinux/%1; \
|
||||
semodule -b base.pp.bz2 -i %{expand:%%moduleList %1} %2 -s %1; \
|
||||
@ -351,12 +346,12 @@ echo $packages
|
||||
}
|
||||
|
||||
if [ $1 -eq 1 ]; then
|
||||
packages="unconfined.pp.bz2 unconfineduser.pp.bz2"
|
||||
packages="%{expand:%%moduleList targeted} unconfined.pp.bz2 unconfineduser.pp.bz2"
|
||||
%loadpolicy targeted $packages
|
||||
restorecon -R /root /var/log /var/run 2> /dev/null
|
||||
else
|
||||
semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid 2>/dev/null
|
||||
packages=`get_unconfined $(semodule -l)`
|
||||
packages="%{expand:%%moduleList targeted} `get_unconfined $(semodule -l)`"
|
||||
%loadpolicy targeted $packages
|
||||
%relabel targeted
|
||||
fi
|
||||
@ -402,7 +397,8 @@ SELinux Reference policy minimum base module.
|
||||
|
||||
%post minimum
|
||||
if [ $1 -eq 1 ]; then
|
||||
%loadminpolicy minimum
|
||||
packages="unconfined.pp.bz2 unconfineduser.pp.bz2"
|
||||
%loadpolicy minimum $packages
|
||||
semanage -S minimum -i - << __eof
|
||||
login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
|
||||
login -m -s unconfined_u -r s0-s0:c0.c1023 root
|
||||
@ -435,7 +431,8 @@ SELinux Reference policy olpc base module.
|
||||
%saveFileContext olpc
|
||||
|
||||
%post olpc
|
||||
%loadpolicy olpc ""
|
||||
packages="%{expand:%%moduleList olpc} unconfined.pp.bz2 unconfineduser.pp.bz2"
|
||||
%loadpolicy olpc $packages
|
||||
|
||||
if [ $1 -ne 1 ]; then
|
||||
%relabel olpc
|
||||
@ -466,7 +463,8 @@ SELinux Reference policy mls base module.
|
||||
|
||||
%post mls
|
||||
semodule -n -s mls -r mailscanner 2>/dev/null
|
||||
%loadpolicy mls ""
|
||||
packages="%{expand:%%moduleList mls}"
|
||||
%loadpolicy mls $packages
|
||||
|
||||
if [ $1 != 1 ]; then
|
||||
%relabel mls
|
||||
@ -482,6 +480,8 @@ exit 0
|
||||
%changelog
|
||||
* Fri May 1 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-27
|
||||
- Fix /sbin/ip6tables-save context
|
||||
- Allod udev to transition to mount
|
||||
- Fix loading of mls policy file
|
||||
|
||||
* Thu Apr 30 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-26
|
||||
- Add shorewall policy
|
||||
|
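Review bot: The `%loadpolicy` macro in the first hunk (`semodule -b base.pp.bz2 -i %{expand:%%moduleList %1} %2 -s %1; \`) is printed once here and so reads as unchanged, yet the new `packages=` lines for targeted (`@ -351,12 +346,12 @@`), olpc and mls each prepend `%{expand:%%moduleList <store>}` themselves, which would list every module twice on the `semodule -i` command line, while the new `%post minimum` line `packages="unconfined.pp.bz2 unconfineduser.pp.bz2"` omits the prefix and only reproduces the removed `%loadminpolicy` behaviour if the macro no longer adds the list. Please confirm the macro body was changed to `semodule -b base.pp.bz2 -i %2 -s %1; \` in this commit; if it was not, either that edit or dropping the prefixes from the `packages=` lines is needed, not both. The `%post mls` hunk keeps `if [ $1 != 1 ]; then` where `%post olpc` uses `if [ $1 -ne 1 ]; then`; both are context lines, but aligning them on the integer test while these scriptlets are being touched would be cheap. The `%changelog` entry still reads `Allod` for `Allow`.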