This commit is contained in:
Daniel J Walsh
parent
08f4abfd6d
commit
c3c4a525c2
|
|
@ -2662,16 +2662,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
|
|||
#######################################
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te
|
||||
--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2007-10-02 09:54:52.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te 2008-04-04 12:06:55.000000000 -0400
|
||||
@@ -28,6 +28,7 @@
|
||||
+++ serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te 2008-04-06 07:10:39.000000000 -0400
|
||||
@@ -26,8 +26,10 @@
|
||||
files_read_etc_files(tmpreaper_t)
|
||||
files_read_var_lib_files(tmpreaper_t)
|
||||
files_purge_tmp(tmpreaper_t)
|
||||
+
|
||||
# why does it need setattr?
|
||||
files_setattr_all_tmp_dirs(tmpreaper_t)
|
||||
+files_dontaudit_getattr_lost_found_dirs(tmpreaper_t)
|
||||
|
||||
mls_file_read_all_levels(tmpreaper_t)
|
||||
mls_file_write_all_levels(tmpreaper_t)
|
||||
@@ -42,6 +43,22 @@
|
||||
@@ -42,6 +44,22 @@
|
||||
|
||||
cron_system_entry(tmpreaper_t,tmpreaper_exec_t)
|
||||
|
||||
|
|
@ -3644,8 +3647,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s
|
|||
########################################
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.3.1/policy/modules/apps/gpg.te
|
||||
--- nsaserefpolicy/policy/modules/apps/gpg.te 2007-12-19 05:32:09.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/apps/gpg.te 2008-04-04 12:06:55.000000000 -0400
|
||||
@@ -7,15 +7,229 @@
|
||||
+++ serefpolicy-3.3.1/policy/modules/apps/gpg.te 2008-04-05 08:04:41.000000000 -0400
|
||||
@@ -7,15 +7,230 @@
|
||||
#
|
||||
|
||||
# Type for gpg or pgp executables.
|
||||
|
|
@ -3693,6 +3696,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
|
|||
+manage_files_pattern(gpg_t,user_gpg_secret_t,user_gpg_secret_t)
|
||||
+manage_lnk_files_pattern(gpg_t,user_gpg_secret_t,user_gpg_secret_t)
|
||||
+allow gpg_t user_gpg_secret_t:dir create_dir_perms;
|
||||
+userdom_user_home_dir_filetrans_user_home_content(user, gpg_t, file)
|
||||
+userdom_user_home_dir_filetrans(user, gpg_t, user_gpg_secret_t, dir)
|
||||
+userdom_manage_user_home_content_files(user,gpg_t)
|
||||
+userdom_manage_user_tmp_files(user,gpg_t)
|
||||
|
|
@ -5464,8 +5468,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
|||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te
|
||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-04-05 07:52:00.000000000 -0400
|
||||
@@ -0,0 +1,186 @@
|
||||
+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-04-06 06:06:06.000000000 -0400
|
||||
@@ -0,0 +1,187 @@
|
||||
+
|
||||
+policy_module(nsplugin,1.0.0)
|
||||
+
|
||||
|
|
@ -5577,6 +5581,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
|||
+userdom_tmp_filetrans_user_tmp(user,nsplugin_t, { file dir sock_file })
|
||||
+userdom_read_user_tmpfs_files(user,nsplugin_t)
|
||||
+
|
||||
+userdom_read_user_home_content_symlinks(user, nsplugin_t)
|
||||
+userdom_read_user_home_content_files(user, nsplugin_t)
|
||||
+userdom_read_user_tmp_files(user, nsplugin_t)
|
||||
+userdom_write_user_tmp_sockets(user, nsplugin_t)
|
||||
|
|
@ -6632,8 +6637,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
|
|||
########################################
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in
|
||||
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-02-01 09:12:53.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in 2008-04-04 12:06:55.000000000 -0400
|
||||
@@ -82,6 +82,7 @@
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in 2008-04-05 15:02:25.000000000 -0400
|
||||
@@ -75,6 +75,7 @@
|
||||
network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0)
|
||||
network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
|
||||
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
|
||||
+network_port(audit, tcp,60,s0)
|
||||
network_port(auth, tcp,113,s0)
|
||||
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
|
||||
type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
|
||||
@@ -82,6 +83,7 @@
|
||||
network_port(clockspeed, udp,4041,s0)
|
||||
network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
|
||||
network_port(comsat, udp,512,s0)
|
||||
|
|
@ -6641,7 +6654,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
|
|||
network_port(cvs, tcp,2401,s0, udp,2401,s0)
|
||||
network_port(dcc, udp,6276,s0, udp,6277,s0)
|
||||
network_port(dbskkd, tcp,1178,s0)
|
||||
@@ -91,6 +92,7 @@
|
||||
@@ -91,6 +93,7 @@
|
||||
network_port(distccd, tcp,3632,s0)
|
||||
network_port(dns, udp,53,s0, tcp,53,s0)
|
||||
network_port(fingerd, tcp,79,s0)
|
||||
|
|
@ -6649,7 +6662,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
|
|||
network_port(ftp_data, tcp,20,s0)
|
||||
network_port(ftp, tcp,21,s0)
|
||||
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
|
||||
@@ -109,6 +111,7 @@
|
||||
@@ -109,6 +112,7 @@
|
||||
network_port(ircd, tcp,6667,s0)
|
||||
network_port(isakmp, udp,500,s0)
|
||||
network_port(iscsi, tcp,3260,s0)
|
||||
|
|
@ -6657,7 +6670,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
|
|||
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
|
||||
network_port(jabber_interserver, tcp,5269,s0)
|
||||
network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
|
||||
@@ -122,6 +125,8 @@
|
||||
@@ -122,6 +126,8 @@
|
||||
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
|
||||
network_port(monopd, tcp,1234,s0)
|
||||
network_port(msnp, tcp,1863,s0, udp,1863,s0)
|
||||
|
|
@ -6666,7 +6679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
|
|||
network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
|
||||
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
|
||||
network_port(nessus, tcp,1241,s0)
|
||||
@@ -133,10 +138,12 @@
|
||||
@@ -133,10 +139,12 @@
|
||||
network_port(pegasus_http, tcp,5988,s0)
|
||||
network_port(pegasus_https, tcp,5989,s0)
|
||||
network_port(postfix_policyd, tcp,10031,s0)
|
||||
|
|
@ -6679,7 +6692,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
|
|||
network_port(printer, tcp,515,s0)
|
||||
network_port(ptal, tcp,5703,s0)
|
||||
network_port(pxe, udp,4011,s0)
|
||||
@@ -148,11 +155,11 @@
|
||||
@@ -148,11 +156,11 @@
|
||||
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
|
||||
network_port(rlogind, tcp,513,s0)
|
||||
network_port(rndc, tcp,953,s0)
|
||||
|
|
@ -6693,7 +6706,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
|
|||
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
|
||||
network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
|
||||
network_port(spamd, tcp,783,s0)
|
||||
@@ -170,7 +177,12 @@
|
||||
@@ -170,7 +178,12 @@
|
||||
network_port(transproxy, tcp,8081,s0)
|
||||
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
|
||||
network_port(uucpd, tcp,540,s0)
|
||||
|
|
@ -7217,7 +7230,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
|
|||
type lvm_control_t;
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.3.1/policy/modules/kernel/domain.te
|
||||
--- nsaserefpolicy/policy/modules/kernel/domain.te 2007-12-19 05:32:07.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/domain.te 2008-04-05 06:32:29.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/domain.te 2008-04-05 15:31:46.000000000 -0400
|
||||
@@ -5,6 +5,13 @@
|
||||
#
|
||||
# Declarations
|
||||
|
|
@ -7240,15 +7253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
|
|||
|
||||
# create child processes in the domain
|
||||
allow domain self:process { fork sigchld };
|
||||
@@ -96,6 +104,7 @@
|
||||
|
||||
# list the root directory
|
||||
files_list_root(domain)
|
||||
+files_getattr_all_dirs(domain)
|
||||
|
||||
tunable_policy(`global_ssp',`
|
||||
# enable reading of urandom for all domains:
|
||||
@@ -140,7 +149,7 @@
|
||||
@@ -140,7 +148,7 @@
|
||||
|
||||
# For /proc/pid
|
||||
allow unconfined_domain_type domain:dir list_dir_perms;
|
||||
|
|
@ -7257,7 +7262,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
|
|||
allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
|
||||
|
||||
# act on all domains keys
|
||||
@@ -148,3 +157,30 @@
|
||||
@@ -148,3 +156,31 @@
|
||||
|
||||
# receive from all domains over labeled networking
|
||||
domain_all_recvfrom_all_domains(unconfined_domain_type)
|
||||
|
|
@ -7265,6 +7270,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
|
|||
+tunable_policy(`allow_domain_fd_use',`
|
||||
+ # Allow all domains to use fds past to them
|
||||
+ allow domain domain:fd use;
|
||||
+ files_getattr_all_dirs(domain)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
|
|
@ -7290,7 +7296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
|
|||
+dontaudit can_change_object_identity can_change_object_identity:key link;
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.3.1/policy/modules/kernel/files.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-29 18:02:31.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/files.if 2008-04-04 12:06:55.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/files.if 2008-04-06 06:52:30.000000000 -0400
|
||||
@@ -1266,6 +1266,24 @@
|
||||
|
||||
########################################
|
||||
|
|
@ -7391,7 +7397,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
|
|||
## Create, read, write, and delete symbolic links in /mnt.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -4712,12 +4791,14 @@
|
||||
@@ -3357,6 +3436,8 @@
|
||||
delete_lnk_files_pattern($1,tmpfile,tmpfile)
|
||||
delete_fifo_files_pattern($1,tmpfile,tmpfile)
|
||||
delete_sock_files_pattern($1,tmpfile,tmpfile)
|
||||
+ files_delete_isid_type_dirs($1)
|
||||
+ files_delete_isid_type_files($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4712,12 +4793,14 @@
|
||||
allow $1 poly_t:dir { create mounton };
|
||||
fs_unmount_xattr_fs($1)
|
||||
|
||||
|
|
@ -7407,7 +7422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
|
|||
')
|
||||
')
|
||||
|
||||
@@ -4756,3 +4837,54 @@
|
||||
@@ -4756,3 +4839,54 @@
|
||||
|
||||
allow $1 { file_type -security_file_type }:dir manage_dir_perms;
|
||||
')
|
||||
|
|
@ -7488,7 +7503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
|
|||
#
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.3.1/policy/modules/kernel/filesystem.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-10-24 15:00:24.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.if 2008-04-04 12:06:55.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.if 2008-04-06 07:10:46.000000000 -0400
|
||||
@@ -310,6 +310,25 @@
|
||||
|
||||
########################################
|
||||
|
|
@ -7515,7 +7530,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
|
|||
## Mount an automount pseudo filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1171,6 +1190,25 @@
|
||||
@@ -737,6 +756,7 @@
|
||||
attribute noxattrfs;
|
||||
')
|
||||
|
||||
+ list_dirs_pattern($1,noxattrfs,noxattrfs)
|
||||
read_files_pattern($1,noxattrfs,noxattrfs)
|
||||
')
|
||||
|
||||
@@ -1171,6 +1191,25 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -7541,7 +7564,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
|
|||
## Create, read, write, and delete files
|
||||
## on a DOS filesystem.
|
||||
## </summary>
|
||||
@@ -1625,7 +1663,7 @@
|
||||
@@ -1625,7 +1664,7 @@
|
||||
type nfs_t;
|
||||
')
|
||||
|
||||
|
|
@ -7550,7 +7573,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2903,6 +2941,7 @@
|
||||
@@ -2903,6 +2942,7 @@
|
||||
type tmpfs_t;
|
||||
')
|
||||
|
||||
|
|
@ -7558,7 +7581,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
|
|||
dontaudit $1 tmpfs_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
@@ -3039,6 +3078,25 @@
|
||||
@@ -3039,6 +3079,25 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -7584,7 +7607,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
|
|||
## Relabel block nodes on tmpfs filesystems.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -3224,6 +3282,7 @@
|
||||
@@ -3224,6 +3283,7 @@
|
||||
')
|
||||
|
||||
allow $1 filesystem_type:filesystem getattr;
|
||||
|
|
@ -7592,7 +7615,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -3551,3 +3610,123 @@
|
||||
@@ -3551,3 +3611,123 @@
|
||||
relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs)
|
||||
relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs)
|
||||
')
|
||||
|
|
@ -10872,7 +10895,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
|
|||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.3.1/policy/modules/services/consolekit.te
|
||||
--- nsaserefpolicy/policy/modules/services/consolekit.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/consolekit.te 2008-04-04 12:06:55.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/consolekit.te 2008-04-05 11:51:54.000000000 -0400
|
||||
@@ -13,6 +13,9 @@
|
||||
type consolekit_var_run_t;
|
||||
files_pid_file(consolekit_var_run_t)
|
||||
|
|
@ -10958,7 +10981,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
|
|||
|
||||
optional_policy(`
|
||||
+ polkit_domtrans_auth(consolekit_t)
|
||||
+ polkit_search_lib(consolekit_t)
|
||||
+ polkit_read_lib(consolekit_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
|
|
@ -14354,6 +14377,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetc
|
|||
+ files_list_pids($1)
|
||||
+ manage_all_pattern($1,fetchmail_var_run_t)
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.3.1/policy/modules/services/fetchmail.te
|
||||
--- nsaserefpolicy/policy/modules/services/fetchmail.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/fetchmail.te 2008-04-06 06:16:45.000000000 -0400
|
||||
@@ -90,6 +90,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ sendmail_manage_log(fetchmail_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
seutil_sigchld_newrole(fetchmail_t)
|
||||
')
|
||||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.fc serefpolicy-3.3.1/policy/modules/services/ftp.fc
|
||||
--- nsaserefpolicy/policy/modules/services/ftp.fc 2006-11-16 17:15:20.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/ftp.fc 2008-04-04 12:06:55.000000000 -0400
|
||||
|
|
@ -16495,7 +16532,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
|
|||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.3.1/policy/modules/services/munin.te
|
||||
--- nsaserefpolicy/policy/modules/services/munin.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/munin.te 2008-04-04 12:06:55.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/munin.te 2008-04-06 05:33:44.000000000 -0400
|
||||
@@ -25,26 +25,33 @@
|
||||
type munin_var_run_t alias lrrd_var_run_t;
|
||||
files_pid_file(munin_var_run_t)
|
||||
|
|
@ -16546,7 +16583,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
|
|||
|
||||
corenet_all_recvfrom_unlabeled(munin_t)
|
||||
corenet_all_recvfrom_netlabel(munin_t)
|
||||
@@ -73,27 +82,36 @@
|
||||
@@ -73,27 +82,37 @@
|
||||
corenet_udp_sendrecv_all_nodes(munin_t)
|
||||
corenet_tcp_sendrecv_all_ports(munin_t)
|
||||
corenet_udp_sendrecv_all_ports(munin_t)
|
||||
|
|
@ -16581,10 +16618,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
|
|||
|
||||
-sysnet_read_config(munin_t)
|
||||
+sysnet_exec_ifconfig(munin_t)
|
||||
+netutils_domtrans_ping(munin_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(munin_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(munin_t)
|
||||
@@ -108,7 +126,21 @@
|
||||
@@ -108,7 +127,21 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -16607,7 +16645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -118,3 +150,9 @@
|
||||
@@ -118,3 +151,9 @@
|
||||
optional_policy(`
|
||||
udev_read_db(munin_t)
|
||||
')
|
||||
|
|
@ -17020,7 +17058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
|
|||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.3.1/policy/modules/services/networkmanager.te
|
||||
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.te 2008-04-04 12:06:55.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.te 2008-04-05 15:04:32.000000000 -0400
|
||||
@@ -13,6 +13,9 @@
|
||||
type NetworkManager_var_run_t;
|
||||
files_pid_file(NetworkManager_var_run_t)
|
||||
|
|
@ -17066,8 +17104,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
|
|||
|
||||
mls_file_read_all_levels(NetworkManager_t)
|
||||
|
||||
@@ -86,6 +94,8 @@
|
||||
@@ -84,8 +92,11 @@
|
||||
files_read_usr_files(NetworkManager_t)
|
||||
|
||||
init_read_utmp(NetworkManager_t)
|
||||
+init_dontaudit_write_utmp(NetworkManager_t)
|
||||
init_domtrans_script(NetworkManager_t)
|
||||
|
||||
+auth_use_nsswitch(NetworkManager_t)
|
||||
|
|
@ -17075,7 +17116,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
|
|||
libs_use_ld_so(NetworkManager_t)
|
||||
libs_use_shared_libs(NetworkManager_t)
|
||||
|
||||
@@ -129,21 +139,21 @@
|
||||
@@ -129,21 +140,21 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -17102,7 +17143,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -155,19 +165,20 @@
|
||||
@@ -155,19 +166,20 @@
|
||||
ppp_domtrans(NetworkManager_t)
|
||||
ppp_read_pid_files(NetworkManager_t)
|
||||
ppp_signal(NetworkManager_t)
|
||||
|
|
@ -18002,7 +18043,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
|
|||
+/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.3.1/policy/modules/services/polkit.if
|
||||
--- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/polkit.if 2008-04-04 12:06:55.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/polkit.if 2008-04-05 11:55:13.000000000 -0400
|
||||
@@ -0,0 +1,189 @@
|
||||
+
|
||||
+## <summary>policy for polkit_auth</summary>
|
||||
|
|
@ -19220,8 +19261,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
|
|||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.3.1/policy/modules/services/prelude.te
|
||||
--- nsaserefpolicy/policy/modules/services/prelude.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/prelude.te 2008-04-04 12:06:55.000000000 -0400
|
||||
@@ -0,0 +1,162 @@
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/prelude.te 2008-04-05 14:48:36.000000000 -0400
|
||||
@@ -0,0 +1,160 @@
|
||||
+policy_module(prelude,1.0.0)
|
||||
+
|
||||
+########################################
|
||||
|
|
@ -19363,8 +19404,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
|
|||
+corenet_tcp_bind_all_nodes(audisp_prelude_t)
|
||||
+corenet_tcp_connect_prelude_port(audisp_prelude_t)
|
||||
+
|
||||
+allow audisp_prelude_t audisp_t:unix_stream_socket rw_socket_perms;
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# prewikka_cgi Declarations
|
||||
|
|
@ -21132,7 +21171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
|
|||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.3.1/policy/modules/services/samba.te
|
||||
--- nsaserefpolicy/policy/modules/services/samba.te 2008-02-19 17:24:26.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/samba.te 2008-04-04 16:10:10.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/samba.te 2008-04-06 07:25:37.000000000 -0400
|
||||
@@ -59,6 +59,13 @@
|
||||
## </desc>
|
||||
gen_tunable(samba_share_nfs,false)
|
||||
|
|
@ -21406,20 +21445,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -774,6 +840,12 @@
|
||||
@@ -774,6 +840,14 @@
|
||||
#
|
||||
|
||||
optional_policy(`
|
||||
+ type samba_unconfined_net_t;
|
||||
+ domain_type(samba_unconfined_net_t)
|
||||
+ unconfined_domain(samba_unconfined_net_t)
|
||||
+ role system_r types samba_unconfined_net_t;
|
||||
+
|
||||
+ manage_files_pattern(samba_unconfined_net_t,samba_etc_t,samba_secrets_t)
|
||||
+ filetrans_pattern(samba_unconfined_net_t,samba_etc_t,samba_secrets_t,file)
|
||||
+
|
||||
type samba_unconfined_script_t;
|
||||
type samba_unconfined_script_exec_t;
|
||||
domain_type(samba_unconfined_script_t)
|
||||
@@ -790,3 +862,40 @@
|
||||
@@ -790,3 +864,40 @@
|
||||
domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
|
||||
')
|
||||
')
|
||||
|
|
@ -21552,7 +21593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl
|
|||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.3.1/policy/modules/services/sendmail.if
|
||||
--- nsaserefpolicy/policy/modules/services/sendmail.if 2007-08-27 13:57:20.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/sendmail.if 2008-04-04 12:06:56.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/sendmail.if 2008-04-06 06:16:17.000000000 -0400
|
||||
@@ -149,3 +149,85 @@
|
||||
|
||||
logging_log_filetrans($1,sendmail_log_t,file)
|
||||
|
|
@ -25465,7 +25506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-04-04 12:06:56.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-04-06 06:54:26.000000000 -0400
|
||||
@@ -8,6 +8,14 @@
|
||||
|
||||
## <desc>
|
||||
|
|
@ -25702,7 +25743,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
dev_setattr_apm_bios_dev(xdm_t)
|
||||
dev_rw_dri(xdm_t)
|
||||
dev_rw_agp(xdm_t)
|
||||
@@ -208,8 +328,8 @@
|
||||
@@ -208,14 +328,15 @@
|
||||
dev_setattr_video_dev(xdm_t)
|
||||
dev_getattr_scanner_dev(xdm_t)
|
||||
dev_setattr_scanner_dev(xdm_t)
|
||||
|
|
@ -25713,7 +25754,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
dev_getattr_power_mgmt_dev(xdm_t)
|
||||
dev_setattr_power_mgmt_dev(xdm_t)
|
||||
|
||||
@@ -226,9 +346,12 @@
|
||||
domain_use_interactive_fds(xdm_t)
|
||||
# Do not audit denied probes of /proc.
|
||||
domain_dontaudit_read_all_domains_state(xdm_t)
|
||||
+domain_dontaudit_ptrace_all_domains_state(xdm_t)
|
||||
|
||||
files_read_etc_files(xdm_t)
|
||||
files_read_var_files(xdm_t)
|
||||
@@ -226,9 +347,12 @@
|
||||
files_read_usr_files(xdm_t)
|
||||
# Poweroff wants to create the /poweroff file when run from xdm
|
||||
files_create_boot_flag(xdm_t)
|
||||
|
|
@ -25726,7 +25774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
|
||||
storage_dontaudit_read_fixed_disk(xdm_t)
|
||||
storage_dontaudit_write_fixed_disk(xdm_t)
|
||||
@@ -237,6 +360,7 @@
|
||||
@@ -237,6 +361,7 @@
|
||||
storage_dontaudit_raw_write_removable_device(xdm_t)
|
||||
storage_dontaudit_setattr_removable_dev(xdm_t)
|
||||
storage_dontaudit_rw_scsi_generic(xdm_t)
|
||||
|
|
@ -25734,7 +25782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
|
||||
term_setattr_console(xdm_t)
|
||||
term_use_unallocated_ttys(xdm_t)
|
||||
@@ -245,6 +369,7 @@
|
||||
@@ -245,6 +370,7 @@
|
||||
auth_domtrans_pam_console(xdm_t)
|
||||
auth_manage_pam_pid(xdm_t)
|
||||
auth_manage_pam_console_data(xdm_t)
|
||||
|
|
@ -25742,17 +25790,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
auth_rw_faillog(xdm_t)
|
||||
auth_write_login_records(xdm_t)
|
||||
|
||||
@@ -256,22 +381,28 @@
|
||||
@@ -256,22 +382,28 @@
|
||||
libs_exec_lib_files(xdm_t)
|
||||
|
||||
logging_read_generic_logs(xdm_t)
|
||||
+logging_send_audit_msgs(xdm_t)
|
||||
|
||||
miscfiles_read_localization(xdm_t)
|
||||
miscfiles_read_fonts(xdm_t)
|
||||
|
||||
-sysnet_read_config(xdm_t)
|
||||
-miscfiles_read_fonts(xdm_t)
|
||||
-
|
||||
-sysnet_read_config(xdm_t)
|
||||
+miscfiles_manage_fonts(xdm_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
|
||||
userdom_create_all_users_keys(xdm_t)
|
||||
|
|
@ -25773,7 +25822,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs(xdm_t)
|
||||
@@ -301,10 +432,15 @@
|
||||
@@ -297,14 +429,20 @@
|
||||
# xserver_rw_session_template(xdm,unpriv_userdomain)
|
||||
# dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write };
|
||||
# allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms;
|
||||
+ userdom_dontaudit_write_sysadm_home_dirs(xdm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
alsa_domtrans(xdm_t)
|
||||
|
|
@ -25790,7 +25844,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -312,6 +448,23 @@
|
||||
@@ -312,6 +450,23 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -25814,7 +25868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
# Talk to the console mouse server.
|
||||
gpm_stream_connect(xdm_t)
|
||||
gpm_setattr_gpmctl(xdm_t)
|
||||
@@ -322,6 +475,10 @@
|
||||
@@ -322,6 +477,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -25825,7 +25879,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
loadkeys_exec(xdm_t)
|
||||
')
|
||||
|
||||
@@ -335,6 +492,11 @@
|
||||
@@ -335,6 +494,11 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -25837,7 +25891,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
seutil_sigchld_newrole(xdm_t)
|
||||
')
|
||||
|
||||
@@ -343,8 +505,8 @@
|
||||
@@ -343,8 +507,8 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -25847,7 +25901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
|
||||
ifndef(`distro_redhat',`
|
||||
allow xdm_t self:process { execheap execmem };
|
||||
@@ -380,7 +542,7 @@
|
||||
@@ -380,7 +544,7 @@
|
||||
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
|
||||
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
|
||||
|
||||
|
|
@ -25856,7 +25910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
|
||||
# Label pid and temporary files with derived types.
|
||||
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
|
||||
@@ -392,6 +554,15 @@
|
||||
@@ -392,6 +556,15 @@
|
||||
can_exec(xdm_xserver_t, xkb_var_lib_t)
|
||||
files_search_var_lib(xdm_xserver_t)
|
||||
|
||||
|
|
@ -25872,7 +25926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
# VNC v4 module in X server
|
||||
corenet_tcp_bind_vnc_port(xdm_xserver_t)
|
||||
|
||||
@@ -404,9 +575,17 @@
|
||||
@@ -404,9 +577,17 @@
|
||||
# to read ROLE_home_t - examine this in more detail
|
||||
# (xauth?)
|
||||
userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
|
||||
|
|
@ -25890,7 +25944,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs(xdm_xserver_t)
|
||||
fs_manage_nfs_files(xdm_xserver_t)
|
||||
@@ -420,6 +599,22 @@
|
||||
@@ -420,6 +601,22 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -25913,7 +25967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
resmgr_stream_connect(xdm_t)
|
||||
')
|
||||
|
||||
@@ -429,47 +624,139 @@
|
||||
@@ -429,47 +626,139 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -27024,7 +27078,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
|
|||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.3.1/policy/modules/system/init.te
|
||||
--- nsaserefpolicy/policy/modules/system/init.te 2008-02-26 08:17:43.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/init.te 2008-04-04 12:06:56.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/init.te 2008-04-06 06:35:10.000000000 -0400
|
||||
@@ -10,6 +10,20 @@
|
||||
# Declarations
|
||||
#
|
||||
|
|
@ -27314,6 +27368,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
|||
zebra_read_config(initrc_t)
|
||||
')
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.3.1/policy/modules/system/iptables.te
|
||||
--- nsaserefpolicy/policy/modules/system/iptables.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/iptables.te 2008-04-06 05:52:40.000000000 -0400
|
||||
@@ -48,6 +48,7 @@
|
||||
|
||||
fs_getattr_xattr_fs(iptables_t)
|
||||
fs_search_auto_mountpoints(iptables_t)
|
||||
+fs_list_inotifyfs(iptables_t)
|
||||
|
||||
mls_file_read_all_levels(iptables_t)
|
||||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.3.1/policy/modules/system/iscsi.te
|
||||
--- nsaserefpolicy/policy/modules/system/iscsi.te 2008-02-18 14:30:18.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/iscsi.te 2008-04-04 12:06:56.000000000 -0400
|
||||
|
|
@ -27327,8 +27392,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
|
|||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.3.1/policy/modules/system/libraries.fc
|
||||
--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-12-12 11:35:28.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/libraries.fc 2008-04-05 07:22:08.000000000 -0400
|
||||
@@ -133,6 +133,7 @@
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/libraries.fc 2008-04-05 08:09:49.000000000 -0400
|
||||
@@ -69,8 +69,10 @@
|
||||
ifdef(`distro_gentoo',`
|
||||
# despite the extensions, they are actually libs
|
||||
/opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)
|
||||
+/opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)
|
||||
/opt/Acrobat[5-9]/Reader/intellinux/plug_ins3d/.*\.x3d -- gen_context(system_u:object_r:lib_t,s0)
|
||||
/opt/Acrobat[5-9]/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0)
|
||||
+/opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0)
|
||||
|
||||
/opt/netscape/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/opt/netscape/plugins/libflashplayer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@@ -133,6 +135,7 @@
|
||||
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
|
@ -27336,7 +27412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
|
|||
/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
@@ -165,6 +166,7 @@
|
||||
@@ -165,6 +168,7 @@
|
||||
# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
|
||||
/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
HOME_DIR/.*/\.gstreamer-.*/plugins/*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
|
@ -27344,7 +27420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
|
|||
|
||||
/usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@@ -183,6 +185,7 @@
|
||||
@@ -183,6 +187,7 @@
|
||||
/usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
|
@ -27352,7 +27428,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
|
|||
/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@@ -242,7 +245,7 @@
|
||||
@@ -242,7 +247,7 @@
|
||||
|
||||
# Flash plugin, Macromedia
|
||||
HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
|
@ -27361,7 +27437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
|
|||
/usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@@ -287,11 +290,15 @@
|
||||
@@ -287,11 +292,15 @@
|
||||
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
|
@ -27377,7 +27453,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
|
|||
/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
|
||||
|
||||
@@ -304,3 +311,11 @@
|
||||
@@ -304,3 +313,11 @@
|
||||
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
|
||||
|
|
@ -27391,7 +27467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
|
|||
+/usr/lib/oracle/.*/lib/libnnz10\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.3.1/policy/modules/system/libraries.te
|
||||
--- nsaserefpolicy/policy/modules/system/libraries.te 2008-02-06 10:33:22.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/libraries.te 2008-04-05 07:34:59.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/libraries.te 2008-04-06 06:36:11.000000000 -0400
|
||||
@@ -23,6 +23,9 @@
|
||||
init_system_domain(ldconfig_t,ldconfig_exec_t)
|
||||
role system_r types ldconfig_t;
|
||||
|
|
@ -27428,7 +27504,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
|
|||
files_search_var_lib(ldconfig_t)
|
||||
files_read_etc_files(ldconfig_t)
|
||||
files_search_tmp(ldconfig_t)
|
||||
@@ -86,6 +94,10 @@
|
||||
@@ -70,6 +78,7 @@
|
||||
files_delete_etc_files(ldconfig_t)
|
||||
|
||||
init_use_script_ptys(ldconfig_t)
|
||||
+init_read_script_tmp_files(ldconfig_t)
|
||||
|
||||
libs_use_ld_so(ldconfig_t)
|
||||
libs_use_shared_libs(ldconfig_t)
|
||||
@@ -86,6 +95,10 @@
|
||||
')
|
||||
')
|
||||
|
||||
|
|
@ -27439,7 +27523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
|
|||
ifdef(`hide_broken_symptoms',`
|
||||
optional_policy(`
|
||||
unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
|
||||
@@ -102,4 +114,10 @@
|
||||
@@ -102,4 +115,10 @@
|
||||
# and executes ldconfig on it. If you dont allow this kernel installs
|
||||
# blow up.
|
||||
rpm_manage_script_tmp_files(ldconfig_t)
|
||||
|
|
@ -27503,16 +27587,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
|
|||
-')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.3.1/policy/modules/system/logging.fc
|
||||
--- nsaserefpolicy/policy/modules/system/logging.fc 2008-02-26 08:17:43.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/logging.fc 2008-04-04 12:06:56.000000000 -0400
|
||||
@@ -4,6 +4,7 @@
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/logging.fc 2008-04-05 15:01:37.000000000 -0400
|
||||
@@ -4,6 +4,8 @@
|
||||
/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
|
||||
/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
|
||||
|
||||
+/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
|
||||
+/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
|
||||
/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
|
||||
/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
|
||||
/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
|
||||
@@ -46,7 +47,7 @@
|
||||
@@ -46,7 +48,7 @@
|
||||
')
|
||||
|
||||
/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0)
|
||||
|
|
@ -27521,7 +27606,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||
/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0)
|
||||
/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0)
|
||||
/var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0)
|
||||
@@ -57,3 +58,8 @@
|
||||
@@ -57,3 +59,8 @@
|
||||
/var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
|
||||
|
||||
/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||
|
|
@ -27532,7 +27617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||
+/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.3.1/policy/modules/system/logging.if
|
||||
--- nsaserefpolicy/policy/modules/system/logging.if 2007-12-12 11:35:28.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/logging.if 2008-04-04 12:06:56.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/logging.if 2008-04-05 14:44:00.000000000 -0400
|
||||
@@ -213,12 +213,7 @@
|
||||
## </param>
|
||||
#
|
||||
|
|
@ -27758,8 +27843,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.3.1/policy/modules/system/logging.te
|
||||
--- nsaserefpolicy/policy/modules/system/logging.te 2008-02-26 08:17:43.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/logging.te 2008-04-04 12:06:56.000000000 -0400
|
||||
@@ -61,10 +61,24 @@
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/logging.te 2008-04-05 15:23:59.000000000 -0400
|
||||
@@ -61,10 +61,29 @@
|
||||
logging_log_file(var_log_t)
|
||||
files_mountpoint(var_log_t)
|
||||
|
||||
|
|
@ -27780,11 +27865,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||
+
|
||||
+type audisp_var_run_t;
|
||||
+files_pid_file(audisp_var_run_t)
|
||||
+
|
||||
+type audisp_remote_t;
|
||||
+type audisp_remote_exec_t;
|
||||
+domain_type(audisp_remote_t)
|
||||
+domain_entry_file(audisp_remote_t, audisp_remote_exec_t)
|
||||
+
|
||||
########################################
|
||||
#
|
||||
# Auditctl local policy
|
||||
@@ -84,6 +98,7 @@
|
||||
@@ -84,6 +103,7 @@
|
||||
kernel_read_kernel_sysctls(auditctl_t)
|
||||
kernel_read_proc_symlinks(auditctl_t)
|
||||
|
||||
|
|
@ -27792,7 +27882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||
domain_read_all_domains_state(auditctl_t)
|
||||
domain_use_interactive_fds(auditctl_t)
|
||||
|
||||
@@ -158,9 +173,12 @@
|
||||
@@ -158,9 +178,12 @@
|
||||
|
||||
mls_file_read_all_levels(auditd_t)
|
||||
mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
|
||||
|
|
@ -27805,7 +27895,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||
userdom_dontaudit_use_unpriv_user_fds(auditd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(auditd_t)
|
||||
|
||||
@@ -171,6 +189,10 @@
|
||||
@@ -171,6 +194,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -27816,7 +27906,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||
seutil_sigchld_newrole(auditd_t)
|
||||
')
|
||||
|
||||
@@ -208,6 +230,7 @@
|
||||
@@ -208,6 +235,7 @@
|
||||
|
||||
fs_getattr_all_fs(klogd_t)
|
||||
fs_search_auto_mountpoints(klogd_t)
|
||||
|
|
@ -27824,7 +27914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||
|
||||
domain_use_interactive_fds(klogd_t)
|
||||
|
||||
@@ -252,7 +275,6 @@
|
||||
@@ -252,7 +280,6 @@
|
||||
dontaudit syslogd_t self:capability sys_tty_config;
|
||||
# setpgid for metalog
|
||||
allow syslogd_t self:process { signal_perms setpgid };
|
||||
|
|
@ -27832,7 +27922,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||
# receive messages to be logged
|
||||
allow syslogd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
@@ -262,7 +284,7 @@
|
||||
@@ -262,7 +289,7 @@
|
||||
allow syslogd_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
allow syslogd_t syslog_conf_t:file read_file_perms;
|
||||
|
|
@ -27841,7 +27931,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||
# Create and bind to /dev/log or /var/run/log.
|
||||
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
|
||||
files_pid_filetrans(syslogd_t,devlog_t,sock_file)
|
||||
@@ -274,6 +296,9 @@
|
||||
@@ -274,6 +301,9 @@
|
||||
# Allow access for syslog-ng
|
||||
allow syslogd_t var_log_t:dir { create setattr };
|
||||
|
||||
|
|
@ -27851,7 +27941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||
# manage temporary files
|
||||
manage_dirs_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
|
||||
manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
|
||||
@@ -295,6 +320,7 @@
|
||||
@@ -295,6 +325,7 @@
|
||||
kernel_read_messages(syslogd_t)
|
||||
kernel_clear_ring_buffer(syslogd_t)
|
||||
kernel_change_ring_buffer_level(syslogd_t)
|
||||
|
|
@ -27859,7 +27949,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||
|
||||
dev_filetrans(syslogd_t,devlog_t,sock_file)
|
||||
dev_read_sysfs(syslogd_t)
|
||||
@@ -327,6 +353,8 @@
|
||||
@@ -327,6 +358,8 @@
|
||||
# Allow users to define additional syslog ports to connect to
|
||||
corenet_tcp_bind_syslogd_port(syslogd_t)
|
||||
corenet_tcp_connect_syslogd_port(syslogd_t)
|
||||
|
|
@ -27868,7 +27958,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||
|
||||
# syslog-ng can send or receive logs
|
||||
corenet_sendrecv_syslogd_client_packets(syslogd_t)
|
||||
@@ -339,19 +367,20 @@
|
||||
@@ -339,19 +372,20 @@
|
||||
domain_use_interactive_fds(syslogd_t)
|
||||
|
||||
files_read_etc_files(syslogd_t)
|
||||
|
|
@ -27891,7 +27981,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||
miscfiles_read_localization(syslogd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
|
||||
@@ -380,15 +409,11 @@
|
||||
@@ -380,15 +414,11 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -27909,7 +27999,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -399,3 +424,37 @@
|
||||
@@ -399,3 +429,64 @@
|
||||
# log to the xconsole
|
||||
xserver_rw_console(syslogd_t)
|
||||
')
|
||||
|
|
@ -27947,6 +28037,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||
+logging_domtrans_audisp(auditd_t)
|
||||
+logging_audisp_signal(auditd_t)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# audisp_remote local policy
|
||||
+#
|
||||
+
|
||||
+logging_audisp_system_domain(audisp_remote_t, audisp_remote_exec_t)
|
||||
+
|
||||
+allow audisp_remote_t self:tcp_socket create_socket_perms;
|
||||
+
|
||||
+corenet_all_recvfrom_unlabeled(audisp_remote_t)
|
||||
+corenet_all_recvfrom_netlabel(audisp_remote_t)
|
||||
+corenet_tcp_sendrecv_all_if(audisp_remote_t)
|
||||
+corenet_tcp_sendrecv_all_nodes(audisp_remote_t)
|
||||
+corenet_tcp_connect_audit_port(audisp_remote_t)
|
||||
+
|
||||
+files_read_etc_files(audisp_remote_t)
|
||||
+
|
||||
+libs_use_ld_so(audisp_remote_t)
|
||||
+libs_use_shared_libs(audisp_remote_t)
|
||||
+
|
||||
+logging_send_syslog_msg(audisp_remote_t)
|
||||
+logging_audisp_system_domain(audisp_remote_t, audisp_remote_exec_t)
|
||||
+
|
||||
+miscfiles_read_localization(audisp_remote_t)
|
||||
+
|
||||
+sysnet_dns_name_resolve(audisp_remote_t)
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.3.1/policy/modules/system/lvm.fc
|
||||
--- nsaserefpolicy/policy/modules/system/lvm.fc 2007-12-12 11:35:28.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/lvm.fc 2008-04-04 12:06:56.000000000 -0400
|
||||
|
|
@ -28136,7 +28253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
|
|||
+HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_home_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.3.1/policy/modules/system/miscfiles.if
|
||||
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2007-11-16 13:45:14.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/miscfiles.if 2008-04-04 12:06:56.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/miscfiles.if 2008-04-06 06:44:20.000000000 -0400
|
||||
@@ -489,3 +489,44 @@
|
||||
manage_lnk_files_pattern($1,locale_t,locale_t)
|
||||
')
|
||||
|
|
@ -29616,7 +29733,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
|
|||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.3.1/policy/modules/system/sysnetwork.te
|
||||
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-02-06 10:33:22.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.te 2008-04-04 12:06:56.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.te 2008-04-06 07:09:34.000000000 -0400
|
||||
@@ -45,7 +45,7 @@
|
||||
dontaudit dhcpc_t self:capability sys_tty_config;
|
||||
# for access("/etc/bashrc", X_OK) on Red Hat
|
||||
|
|
@ -30513,7 +30630,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 09:52:56.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-04-05 07:57:03.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-04-06 07:10:40.000000000 -0400
|
||||
@@ -29,9 +29,14 @@
|
||||
')
|
||||
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@
|
|||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.3.1
|
||||
Release: 28%{?dist}
|
||||
Release: 29%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
|
|
@ -387,6 +387,9 @@ exit 0
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Sat Apr 5 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-29
|
||||
-
|
||||
|
||||
* Fri Apr 4 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-28
|
||||
- Allow radvd to use fifo_file
|
||||
- dontaudit setfiles reading links
|
||||
|
|
|
|||
Loading…
Reference in New Issue