* Tue Jun 12 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-3
- PolicyKit path has changed - Allow httpd to connect to dirsrv socket - Allow tuned to write generic kernel sysctls - Dontaudit logwatch to getattr on /dev/dm-2 - Allow policykit-auth to manage kerberos files - Make condor_startd and rgmanager initrc domains - Allow virsh to read /etc/passwd - Allow mount to mount on user_tmp_t for /run/user/dwalsh/gvfs - xdm now needs to execute xsession_exec_t - Need labels for /var/lib/gdm - Fix files_filetrans_named_content() interface - Add new attribute - initrc_domain - Allow systemd_logind_t to signal, signull, sigkill all processes - Add filetrans rules for etc_runtime files
parent
4415dfa1a8
commit
c8f96d3d71
@ -2453,7 +2453,7 @@ index 6480167..d0bf548 100644
|
|||||||
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
|
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
|
||||||
')
|
')
|
||||||
diff --git a/apache.te b/apache.te
|
diff --git a/apache.te b/apache.te
|
||||||
index a36a01d..777623e 100644
|
index a36a01d..f6aad32 100644
|
||||||
--- a/apache.te
|
--- a/apache.te
|
||||||
+++ b/apache.te
|
+++ b/apache.te
|
||||||
@@ -18,6 +18,8 @@ policy_module(apache, 2.3.2)
|
@@ -18,6 +18,8 @@ policy_module(apache, 2.3.2)
|
||||||
@ -3072,10 +3072,16 @@ index a36a01d..777623e 100644
|
|||||||
cobbler_search_lib(httpd_t)
|
cobbler_search_lib(httpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -540,6 +832,18 @@ optional_policy(`
|
@@ -540,6 +832,24 @@ optional_policy(`
|
||||||
daemontools_service_domain(httpd_t, httpd_exec_t)
|
daemontools_service_domain(httpd_t, httpd_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
+optional_policy(`
|
||||||
|
+ # needed by FreeIPA
|
||||||
|
+ dirsrv_stream_connect(httpd_t)
|
||||||
|
+ ldap_stream_connect(httpd_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ dirsrv_manage_config(httpd_t)
|
+ dirsrv_manage_config(httpd_t)
|
||||||
+ dirsrv_manage_log(httpd_t)
|
+ dirsrv_manage_log(httpd_t)
|
||||||
@ -3091,7 +3097,7 @@ index a36a01d..777623e 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_system_bus_client(httpd_t)
|
dbus_system_bus_client(httpd_t)
|
||||||
|
|
||||||
@@ -549,12 +853,21 @@ optional_policy(`
|
@@ -549,12 +859,21 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -3114,7 +3120,7 @@ index a36a01d..777623e 100644
|
|||||||
kerberos_keytab_template(httpd, httpd_t)
|
kerberos_keytab_template(httpd, httpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -568,7 +881,21 @@ optional_policy(`
|
@@ -568,7 +887,21 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -3136,7 +3142,7 @@ index a36a01d..777623e 100644
|
|||||||
mysql_stream_connect(httpd_t)
|
mysql_stream_connect(httpd_t)
|
||||||
mysql_rw_db_sockets(httpd_t)
|
mysql_rw_db_sockets(httpd_t)
|
||||||
|
|
||||||
@@ -579,6 +906,7 @@ optional_policy(`
|
@@ -579,6 +912,7 @@ optional_policy(`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
nagios_read_config(httpd_t)
|
nagios_read_config(httpd_t)
|
||||||
@ -3144,7 +3150,7 @@ index a36a01d..777623e 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -589,6 +917,33 @@ optional_policy(`
|
@@ -589,6 +923,33 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -3178,7 +3184,7 @@ index a36a01d..777623e 100644
|
|||||||
# Allow httpd to work with postgresql
|
# Allow httpd to work with postgresql
|
||||||
postgresql_stream_connect(httpd_t)
|
postgresql_stream_connect(httpd_t)
|
||||||
postgresql_unpriv_client(httpd_t)
|
postgresql_unpriv_client(httpd_t)
|
||||||
@@ -603,6 +958,11 @@ optional_policy(`
|
@@ -603,6 +964,11 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -3190,7 +3196,7 @@ index a36a01d..777623e 100644
|
|||||||
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
|
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
|
||||||
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
|
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
|
||||||
')
|
')
|
||||||
@@ -615,6 +975,12 @@ optional_policy(`
|
@@ -615,6 +981,12 @@ optional_policy(`
|
||||||
yam_read_content(httpd_t)
|
yam_read_content(httpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -3203,7 +3209,7 @@ index a36a01d..777623e 100644
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Apache helper local policy
|
# Apache helper local policy
|
||||||
@@ -628,7 +994,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
|
@@ -628,7 +1000,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
|
||||||
|
|
||||||
logging_send_syslog_msg(httpd_helper_t)
|
logging_send_syslog_msg(httpd_helper_t)
|
||||||
|
|
||||||
@ -3216,7 +3222,7 @@ index a36a01d..777623e 100644
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@@ -666,28 +1036,30 @@ libs_exec_lib_files(httpd_php_t)
|
@@ -666,28 +1042,30 @@ libs_exec_lib_files(httpd_php_t)
|
||||||
userdom_use_unpriv_users_fds(httpd_php_t)
|
userdom_use_unpriv_users_fds(httpd_php_t)
|
||||||
|
|
||||||
tunable_policy(`httpd_can_network_connect_db',`
|
tunable_policy(`httpd_can_network_connect_db',`
|
||||||
@ -3260,7 +3266,7 @@ index a36a01d..777623e 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -697,6 +1069,7 @@ optional_policy(`
|
@@ -697,6 +1075,7 @@ optional_policy(`
|
||||||
|
|
||||||
allow httpd_suexec_t self:capability { setuid setgid };
|
allow httpd_suexec_t self:capability { setuid setgid };
|
||||||
allow httpd_suexec_t self:process signal_perms;
|
allow httpd_suexec_t self:process signal_perms;
|
||||||
@ -3268,7 +3274,7 @@ index a36a01d..777623e 100644
|
|||||||
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
|
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
|
||||||
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
|
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
|
||||||
@@ -711,14 +1084,23 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
|
@@ -711,14 +1090,23 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
|
||||||
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
|
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
|
||||||
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
|
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
|
||||||
|
|
||||||
@ -3292,7 +3298,7 @@ index a36a01d..777623e 100644
|
|||||||
# for shell scripts
|
# for shell scripts
|
||||||
corecmd_exec_bin(httpd_suexec_t)
|
corecmd_exec_bin(httpd_suexec_t)
|
||||||
corecmd_exec_shell(httpd_suexec_t)
|
corecmd_exec_shell(httpd_suexec_t)
|
||||||
@@ -752,13 +1134,31 @@ tunable_policy(`httpd_can_network_connect',`
|
@@ -752,13 +1140,31 @@ tunable_policy(`httpd_can_network_connect',`
|
||||||
corenet_sendrecv_all_client_packets(httpd_suexec_t)
|
corenet_sendrecv_all_client_packets(httpd_suexec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -3325,7 +3331,7 @@ index a36a01d..777623e 100644
|
|||||||
fs_read_nfs_files(httpd_suexec_t)
|
fs_read_nfs_files(httpd_suexec_t)
|
||||||
fs_read_nfs_symlinks(httpd_suexec_t)
|
fs_read_nfs_symlinks(httpd_suexec_t)
|
||||||
fs_exec_nfs_files(httpd_suexec_t)
|
fs_exec_nfs_files(httpd_suexec_t)
|
||||||
@@ -781,6 +1181,25 @@ optional_policy(`
|
@@ -781,6 +1187,25 @@ optional_policy(`
|
||||||
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -3351,7 +3357,7 @@ index a36a01d..777623e 100644
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Apache system script local policy
|
# Apache system script local policy
|
||||||
@@ -801,12 +1220,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
|
@@ -801,12 +1226,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
|
||||||
|
|
||||||
kernel_read_kernel_sysctls(httpd_sys_script_t)
|
kernel_read_kernel_sysctls(httpd_sys_script_t)
|
||||||
|
|
||||||
@ -3369,7 +3375,7 @@ index a36a01d..777623e 100644
|
|||||||
ifdef(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
|
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
|
||||||
')
|
')
|
||||||
@@ -815,18 +1239,50 @@ tunable_policy(`httpd_can_sendmail',`
|
@@ -815,18 +1245,50 @@ tunable_policy(`httpd_can_sendmail',`
|
||||||
mta_send_mail(httpd_sys_script_t)
|
mta_send_mail(httpd_sys_script_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -3426,7 +3432,7 @@ index a36a01d..777623e 100644
|
|||||||
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
|
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
|
||||||
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
|
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
|
||||||
corenet_tcp_connect_all_ports(httpd_sys_script_t)
|
corenet_tcp_connect_all_ports(httpd_sys_script_t)
|
||||||
@@ -834,14 +1290,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
|
@@ -834,14 +1296,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`httpd_enable_homedirs',`
|
tunable_policy(`httpd_enable_homedirs',`
|
||||||
@ -3467,7 +3473,7 @@ index a36a01d..777623e 100644
|
|||||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||||
fs_read_cifs_files(httpd_sys_script_t)
|
fs_read_cifs_files(httpd_sys_script_t)
|
||||||
fs_read_cifs_symlinks(httpd_sys_script_t)
|
fs_read_cifs_symlinks(httpd_sys_script_t)
|
||||||
@@ -854,10 +1335,20 @@ optional_policy(`
|
@@ -854,10 +1341,20 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
mysql_stream_connect(httpd_sys_script_t)
|
mysql_stream_connect(httpd_sys_script_t)
|
||||||
mysql_rw_db_sockets(httpd_sys_script_t)
|
mysql_rw_db_sockets(httpd_sys_script_t)
|
||||||
@ -3488,7 +3494,7 @@ index a36a01d..777623e 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -903,11 +1394,146 @@ optional_policy(`
|
@@ -903,11 +1400,146 @@ optional_policy(`
|
||||||
|
|
||||||
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
||||||
allow httpd_user_script_t httpdcontent:file entrypoint;
|
allow httpd_user_script_t httpdcontent:file entrypoint;
|
||||||
@ -10086,10 +10092,10 @@ index 0000000..168f664
|
|||||||
+')
|
+')
|
||||||
diff --git a/condor.te b/condor.te
|
diff --git a/condor.te b/condor.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..4eb7bd9
|
index 0000000..1bba4b7
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/condor.te
|
+++ b/condor.te
|
||||||
@@ -0,0 +1,231 @@
|
@@ -0,0 +1,232 @@
|
||||||
+policy_module(condor, 1.0.0)
|
+policy_module(condor, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -10308,6 +10314,7 @@ index 0000000..4eb7bd9
|
|||||||
+auth_use_nsswitch(condor_startd_t)
|
+auth_use_nsswitch(condor_startd_t)
|
||||||
+
|
+
|
||||||
+init_domtrans_script(condor_startd_t)
|
+init_domtrans_script(condor_startd_t)
|
||||||
|
+init_initrc_domain(condor_startd_t)
|
||||||
+
|
+
|
||||||
+libs_exec_lib_files(condor_startd_t)
|
+libs_exec_lib_files(condor_startd_t)
|
||||||
+
|
+
|
||||||
@ -13263,7 +13270,7 @@ index c43ff4c..5da88b5 100644
|
|||||||
init_labeled_script_domtrans($1, cvs_initrc_exec_t)
|
init_labeled_script_domtrans($1, cvs_initrc_exec_t)
|
||||||
domain_system_change_exemption($1)
|
domain_system_change_exemption($1)
|
||||||
diff --git a/cvs.te b/cvs.te
|
diff --git a/cvs.te b/cvs.te
|
||||||
index 88e7e97..1c723fb 100644
|
index 88e7e97..08d7ec0 100644
|
||||||
--- a/cvs.te
|
--- a/cvs.te
|
||||||
+++ b/cvs.te
|
+++ b/cvs.te
|
||||||
@@ -10,7 +10,7 @@ policy_module(cvs, 1.9.0)
|
@@ -10,7 +10,7 @@ policy_module(cvs, 1.9.0)
|
||||||
@ -13298,8 +13305,12 @@ index 88e7e97..1c723fb 100644
|
|||||||
logging_send_syslog_msg(cvs_t)
|
logging_send_syslog_msg(cvs_t)
|
||||||
logging_send_audit_msgs(cvs_t)
|
logging_send_audit_msgs(cvs_t)
|
||||||
|
|
||||||
@@ -90,7 +92,7 @@ mta_send_mail(cvs_t)
|
@@ -88,9 +90,11 @@ miscfiles_read_localization(cvs_t)
|
||||||
|
|
||||||
|
mta_send_mail(cvs_t)
|
||||||
|
|
||||||
|
+userdom_dontaudit_search_user_home_dirs(cvs_t)
|
||||||
|
+
|
||||||
# cjp: typeattribute doesnt work in conditionals yet
|
# cjp: typeattribute doesnt work in conditionals yet
|
||||||
auth_can_read_shadow_passwords(cvs_t)
|
auth_can_read_shadow_passwords(cvs_t)
|
||||||
-tunable_policy(`allow_cvs_read_shadow',`
|
-tunable_policy(`allow_cvs_read_shadow',`
|
||||||
@ -13307,7 +13318,7 @@ index 88e7e97..1c723fb 100644
|
|||||||
allow cvs_t self:capability dac_override;
|
allow cvs_t self:capability dac_override;
|
||||||
auth_tunable_read_shadow(cvs_t)
|
auth_tunable_read_shadow(cvs_t)
|
||||||
')
|
')
|
||||||
@@ -112,4 +114,5 @@ optional_policy(`
|
@@ -112,4 +116,5 @@ optional_policy(`
|
||||||
read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
|
read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
|
||||||
manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
|
manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
|
||||||
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
|
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
|
||||||
@ -16520,7 +16531,7 @@ index e1d7dc5..df96c0d 100644
|
|||||||
admin_pattern($1, dovecot_var_run_t)
|
admin_pattern($1, dovecot_var_run_t)
|
||||||
|
|
||||||
diff --git a/dovecot.te b/dovecot.te
|
diff --git a/dovecot.te b/dovecot.te
|
||||||
index 2df7766..ef8b0d7 100644
|
index 2df7766..53efc0b 100644
|
||||||
--- a/dovecot.te
|
--- a/dovecot.te
|
||||||
+++ b/dovecot.te
|
+++ b/dovecot.te
|
||||||
@@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
|
@@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
|
||||||
@ -16751,7 +16762,7 @@ index 2df7766..ef8b0d7 100644
|
|||||||
|
|
||||||
miscfiles_read_localization(dovecot_deliver_t)
|
miscfiles_read_localization(dovecot_deliver_t)
|
||||||
|
|
||||||
@@ -283,24 +338,22 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
|
@@ -283,24 +338,23 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
|
||||||
userdom_manage_user_home_content_sockets(dovecot_deliver_t)
|
userdom_manage_user_home_content_sockets(dovecot_deliver_t)
|
||||||
userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
|
userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
|
||||||
|
|
||||||
@ -16779,6 +16790,7 @@ index 2df7766..ef8b0d7 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
mta_manage_spool(dovecot_deliver_t)
|
mta_manage_spool(dovecot_deliver_t)
|
||||||
+ mta_read_queue(dovecot_deliver_t)
|
+ mta_read_queue(dovecot_deliver_t)
|
||||||
|
+ mta_read_home_rw(dovecot_deliver_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
@ -20106,16 +20118,17 @@ index 4afb81f..842165a 100644
|
|||||||
-
|
-
|
||||||
-libs_exec_ldconfig(glance_api_t)
|
-libs_exec_ldconfig(glance_api_t)
|
||||||
diff --git a/gnome.fc b/gnome.fc
|
diff --git a/gnome.fc b/gnome.fc
|
||||||
index 00a19e3..d776f66 100644
|
index 00a19e3..17006fc 100644
|
||||||
--- a/gnome.fc
|
--- a/gnome.fc
|
||||||
+++ b/gnome.fc
|
+++ b/gnome.fc
|
||||||
@@ -1,9 +1,53 @@
|
@@ -1,9 +1,54 @@
|
||||||
-HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
|
-HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
|
||||||
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
|
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
|
||||||
+HOME_DIR/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
|
+HOME_DIR/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
|
||||||
+HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:dbus_home_t,s0)
|
+HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:dbus_home_t,s0)
|
||||||
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
|
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
|
||||||
+HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0)
|
+HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0)
|
||||||
|
+HOME_DIR/\.nv(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
|
||||||
HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
|
HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
|
||||||
HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
|
HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
|
||||||
+HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
|
+HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
|
||||||
@ -20166,7 +20179,7 @@ index 00a19e3..d776f66 100644
|
|||||||
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
|
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
|
||||||
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
|
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
|
||||||
diff --git a/gnome.if b/gnome.if
|
diff --git a/gnome.if b/gnome.if
|
||||||
index f5afe78..581c9dd 100644
|
index f5afe78..e283f63 100644
|
||||||
--- a/gnome.if
|
--- a/gnome.if
|
||||||
+++ b/gnome.if
|
+++ b/gnome.if
|
||||||
@@ -1,44 +1,937 @@
|
@@ -1,44 +1,937 @@
|
||||||
@ -21276,7 +21289,7 @@ index f5afe78..581c9dd 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -122,17 +1068,62 @@ interface(`gnome_stream_connect_gconf',`
|
@@ -122,17 +1068,80 @@ interface(`gnome_stream_connect_gconf',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -21292,6 +21305,24 @@ index f5afe78..581c9dd 100644
|
|||||||
+ gnome_filetrans_gstreamer_home_content($1)
|
+ gnome_filetrans_gstreamer_home_content($1)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
+######################################
|
||||||
|
+## <summary>
|
||||||
|
+## Allow to execute gstreamer home content files.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`gnome_exec_gstreamer_home_files',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type gstreamer_home_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ can_exec($1, gstreamer_home_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
+#######################################
|
+#######################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## file name transition gstreamer home content files.
|
+## file name transition gstreamer home content files.
|
||||||
@ -21343,7 +21374,7 @@ index f5afe78..581c9dd 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -140,51 +1131,306 @@ interface(`gnome_domtrans_gconfd',`
|
@@ -140,51 +1149,307 @@ interface(`gnome_domtrans_gconfd',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -21564,6 +21595,7 @@ index f5afe78..581c9dd 100644
|
|||||||
+ userdom_user_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
|
+ userdom_user_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
|
||||||
+ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".xine")
|
+ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".xine")
|
||||||
+ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
|
+ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
|
||||||
|
+ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".nv")
|
||||||
+ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".kde")
|
+ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".kde")
|
||||||
+ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
|
+ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
|
||||||
+ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
|
+ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
|
||||||
@ -26044,10 +26076,10 @@ index 0000000..8bc2c6d
|
|||||||
+')
|
+')
|
||||||
diff --git a/l2tpd.te b/l2tpd.te
|
diff --git a/l2tpd.te b/l2tpd.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..4786fde
|
index 0000000..1b720ad
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/l2tpd.te
|
+++ b/l2tpd.te
|
||||||
@@ -0,0 +1,99 @@
|
@@ -0,0 +1,101 @@
|
||||||
+policy_module(l2tpd, 1.0.0)
|
+policy_module(l2tpd, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -26136,6 +26168,8 @@ index 0000000..4786fde
|
|||||||
+
|
+
|
||||||
+term_use_ptmx(l2tpd_t)
|
+term_use_ptmx(l2tpd_t)
|
||||||
+
|
+
|
||||||
|
+auth_read_passwd(l2tpd_t)
|
||||||
|
+
|
||||||
+logging_send_syslog_msg(l2tpd_t)
|
+logging_send_syslog_msg(l2tpd_t)
|
||||||
+
|
+
|
||||||
+miscfiles_read_localization(l2tpd_t)
|
+miscfiles_read_localization(l2tpd_t)
|
||||||
@ -27129,7 +27163,7 @@ index 3c7b1e8..1e155f5 100644
|
|||||||
+
|
+
|
||||||
+/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0)
|
+/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0)
|
||||||
diff --git a/logwatch.te b/logwatch.te
|
diff --git a/logwatch.te b/logwatch.te
|
||||||
index 75ce30f..671d4e1 100644
|
index 75ce30f..47aa9f5 100644
|
||||||
--- a/logwatch.te
|
--- a/logwatch.te
|
||||||
+++ b/logwatch.te
|
+++ b/logwatch.te
|
||||||
@@ -7,6 +7,7 @@ policy_module(logwatch, 1.11.0)
|
@@ -7,6 +7,7 @@ policy_module(logwatch, 1.11.0)
|
||||||
@ -27171,16 +27205,18 @@ index 75ce30f..671d4e1 100644
|
|||||||
files_read_usr_files(logwatch_t)
|
files_read_usr_files(logwatch_t)
|
||||||
files_search_spool(logwatch_t)
|
files_search_spool(logwatch_t)
|
||||||
files_search_mnt(logwatch_t)
|
files_search_mnt(logwatch_t)
|
||||||
@@ -70,6 +81,8 @@ fs_getattr_all_fs(logwatch_t)
|
@@ -70,6 +81,10 @@ fs_getattr_all_fs(logwatch_t)
|
||||||
fs_dontaudit_list_auto_mountpoints(logwatch_t)
|
fs_dontaudit_list_auto_mountpoints(logwatch_t)
|
||||||
fs_list_inotifyfs(logwatch_t)
|
fs_list_inotifyfs(logwatch_t)
|
||||||
|
|
||||||
|
+storage_dontaudit_getattr_fixed_disk_dev(logwatch_t)
|
||||||
|
+
|
||||||
+mls_file_read_to_clearance(logwatch_t)
|
+mls_file_read_to_clearance(logwatch_t)
|
||||||
+
|
+
|
||||||
term_dontaudit_getattr_pty_dirs(logwatch_t)
|
term_dontaudit_getattr_pty_dirs(logwatch_t)
|
||||||
term_dontaudit_list_ptys(logwatch_t)
|
term_dontaudit_list_ptys(logwatch_t)
|
||||||
|
|
||||||
@@ -92,11 +105,14 @@ sysnet_dns_name_resolve(logwatch_t)
|
@@ -92,11 +107,14 @@ sysnet_dns_name_resolve(logwatch_t)
|
||||||
sysnet_exec_ifconfig(logwatch_t)
|
sysnet_exec_ifconfig(logwatch_t)
|
||||||
|
|
||||||
userdom_dontaudit_search_user_home_dirs(logwatch_t)
|
userdom_dontaudit_search_user_home_dirs(logwatch_t)
|
||||||
@ -27196,7 +27232,7 @@ index 75ce30f..671d4e1 100644
|
|||||||
files_getattr_all_file_type_fs(logwatch_t)
|
files_getattr_all_file_type_fs(logwatch_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -145,3 +161,24 @@ optional_policy(`
|
@@ -145,3 +163,24 @@ optional_policy(`
|
||||||
samba_read_log(logwatch_t)
|
samba_read_log(logwatch_t)
|
||||||
samba_read_share_files(logwatch_t)
|
samba_read_share_files(logwatch_t)
|
||||||
')
|
')
|
||||||
@ -28700,7 +28736,7 @@ index ee72cbe..bf5fc09 100644
|
|||||||
+ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
|
+ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
|
||||||
+')
|
+')
|
||||||
diff --git a/milter.te b/milter.te
|
diff --git a/milter.te b/milter.te
|
||||||
index 26101cb..db61a30 100644
|
index 26101cb..7393387 100644
|
||||||
--- a/milter.te
|
--- a/milter.te
|
||||||
+++ b/milter.te
|
+++ b/milter.te
|
||||||
@@ -9,6 +9,13 @@ policy_module(milter, 1.4.0)
|
@@ -9,6 +9,13 @@ policy_module(milter, 1.4.0)
|
||||||
@ -28717,7 +28753,7 @@ index 26101cb..db61a30 100644
|
|||||||
# currently-supported milters are milter-greylist, milter-regex and spamass-milter
|
# currently-supported milters are milter-greylist, milter-regex and spamass-milter
|
||||||
milter_template(greylist)
|
milter_template(greylist)
|
||||||
milter_template(regex)
|
milter_template(regex)
|
||||||
@@ -20,6 +27,23 @@ milter_template(spamass)
|
@@ -20,6 +27,24 @@ milter_template(spamass)
|
||||||
type spamass_milter_state_t;
|
type spamass_milter_state_t;
|
||||||
files_type(spamass_milter_state_t)
|
files_type(spamass_milter_state_t)
|
||||||
|
|
||||||
@ -28728,6 +28764,7 @@ index 26101cb..db61a30 100644
|
|||||||
+
|
+
|
||||||
+allow dkim_milter_t self:capability { kill setgid setuid };
|
+allow dkim_milter_t self:capability { kill setgid setuid };
|
||||||
+allow dkim_milter_t self:process signal;
|
+allow dkim_milter_t self:process signal;
|
||||||
|
+allow dkim_milter_t self:tcp_socket create_stream_socket_perms;
|
||||||
+allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
|
+allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
+
|
+
|
||||||
+read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
|
+read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
|
||||||
@ -28741,7 +28778,7 @@ index 26101cb..db61a30 100644
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# milter-greylist local policy
|
# milter-greylist local policy
|
||||||
@@ -33,11 +57,19 @@ files_type(spamass_milter_state_t)
|
@@ -33,11 +58,19 @@ files_type(spamass_milter_state_t)
|
||||||
allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
|
allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
|
||||||
allow greylist_milter_t self:process { setsched getsched };
|
allow greylist_milter_t self:process { setsched getsched };
|
||||||
|
|
||||||
@ -32982,7 +33019,7 @@ index a648982..59f096b 100644
|
|||||||
')
|
')
|
||||||
+
|
+
|
||||||
diff --git a/ncftool.te b/ncftool.te
|
diff --git a/ncftool.te b/ncftool.te
|
||||||
index f19ca0b..8c48c33 100644
|
index f19ca0b..dfc1ba2 100644
|
||||||
--- a/ncftool.te
|
--- a/ncftool.te
|
||||||
+++ b/ncftool.te
|
+++ b/ncftool.te
|
||||||
@@ -5,25 +5,29 @@ policy_module(ncftool, 1.1.0)
|
@@ -5,25 +5,29 @@ policy_module(ncftool, 1.1.0)
|
||||||
@ -33058,7 +33095,7 @@ index f19ca0b..8c48c33 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
consoletype_exec(ncftool_t)
|
consoletype_exec(ncftool_t)
|
||||||
')
|
')
|
||||||
@@ -69,13 +83,17 @@ optional_policy(`
|
@@ -69,13 +83,18 @@ optional_policy(`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
iptables_initrc_domtrans(ncftool_t)
|
iptables_initrc_domtrans(ncftool_t)
|
||||||
@ -33066,6 +33103,7 @@ index f19ca0b..8c48c33 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
+ modutils_list_module_config(ncftool_t)
|
||||||
modutils_read_module_config(ncftool_t)
|
modutils_read_module_config(ncftool_t)
|
||||||
- modutils_run_insmod(ncftool_t, ncftool_roles)
|
- modutils_run_insmod(ncftool_t, ncftool_roles)
|
||||||
+ modutils_domtrans_insmod(ncftool_t)
|
+ modutils_domtrans_insmod(ncftool_t)
|
||||||
@ -38034,16 +38072,17 @@ index 4cffb07..3436696 100644
|
|||||||
allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
|
allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
allow podsleuth_t self:sem create_sem_perms;
|
allow podsleuth_t self:sem create_sem_perms;
|
||||||
diff --git a/policykit.fc b/policykit.fc
|
diff --git a/policykit.fc b/policykit.fc
|
||||||
index 63d0061..c65d18f 100644
|
index 63d0061..4718a93 100644
|
||||||
--- a/policykit.fc
|
--- a/policykit.fc
|
||||||
+++ b/policykit.fc
|
+++ b/policykit.fc
|
||||||
@@ -1,16 +1,18 @@
|
@@ -1,16 +1,20 @@
|
||||||
/usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
|
/usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
|
||||||
-/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
|
-/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
|
||||||
+/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
|
+/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
|
||||||
/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
|
/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
|
||||||
/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
|
/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
|
||||||
-/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
|
-/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
|
||||||
|
+/usr/lib/polkit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
|
||||||
|
|
||||||
/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
|
/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
|
||||||
/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
|
/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
|
||||||
@ -38051,11 +38090,12 @@ index 63d0061..c65d18f 100644
|
|||||||
-/usr/libexec/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
|
-/usr/libexec/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
|
||||||
+/usr/libexec/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
|
+/usr/libexec/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
|
||||||
+/usr/libexec/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
|
+/usr/libexec/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
|
||||||
|
+/usr/lib/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
|
||||||
+/usr/libexec/polkit-1/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
|
+/usr/libexec/polkit-1/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
|
||||||
|
|
||||||
/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0)
|
/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0)
|
||||||
/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
|
/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
|
||||||
+/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
|
+/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
|
||||||
/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
|
/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
|
||||||
/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
|
/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
|
||||||
|
|
||||||
@ -38203,7 +38243,7 @@ index 48ff1e8..be00a65 100644
|
|||||||
+ allow $1 policykit_auth_t:process signal;
|
+ allow $1 policykit_auth_t:process signal;
|
||||||
')
|
')
|
||||||
diff --git a/policykit.te b/policykit.te
|
diff --git a/policykit.te b/policykit.te
|
||||||
index 44db896..67a2c44 100644
|
index 44db896..11800bb 100644
|
||||||
--- a/policykit.te
|
--- a/policykit.te
|
||||||
+++ b/policykit.te
|
+++ b/policykit.te
|
||||||
@@ -1,51 +1,73 @@
|
@@ -1,51 +1,73 @@
|
||||||
@ -38293,7 +38333,7 @@ index 44db896..67a2c44 100644
|
|||||||
rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
|
rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
|
||||||
|
|
||||||
policykit_domtrans_resolve(policykit_t)
|
policykit_domtrans_resolve(policykit_t)
|
||||||
@@ -56,56 +78,107 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
|
@@ -56,56 +78,111 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
|
||||||
manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
|
manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
|
||||||
files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
|
files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
|
||||||
|
|
||||||
@ -38337,6 +38377,10 @@ index 44db896..67a2c44 100644
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
|
+ kerberos_manage_host_rcache(policykit_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
+ gnome_read_config(policykit_t)
|
+ gnome_read_config(policykit_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
@ -38413,10 +38457,14 @@ index 44db896..67a2c44 100644
|
|||||||
dbus_session_bus_client(policykit_auth_t)
|
dbus_session_bus_client(policykit_auth_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -118,14 +191,21 @@ optional_policy(`
|
@@ -118,14 +195,25 @@ optional_policy(`
|
||||||
hal_read_state(policykit_auth_t)
|
hal_read_state(policykit_auth_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
+optional_policy(`
|
||||||
|
+ kerberos_manage_host_rcache(policykit_auth_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ xserver_stream_connect(policykit_auth_t)
|
+ xserver_stream_connect(policykit_auth_t)
|
||||||
+ xserver_xdm_append_log(policykit_auth_t)
|
+ xserver_xdm_append_log(policykit_auth_t)
|
||||||
@ -38437,7 +38485,7 @@ index 44db896..67a2c44 100644
|
|||||||
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
|
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
|
||||||
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
|
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
|
||||||
@@ -145,19 +225,18 @@ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t
|
@@ -145,19 +233,18 @@ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t
|
||||||
files_read_etc_files(policykit_grant_t)
|
files_read_etc_files(policykit_grant_t)
|
||||||
files_read_usr_files(policykit_grant_t)
|
files_read_usr_files(policykit_grant_t)
|
||||||
|
|
||||||
@ -38462,7 +38510,7 @@ index 44db896..67a2c44 100644
|
|||||||
consolekit_dbus_chat(policykit_grant_t)
|
consolekit_dbus_chat(policykit_grant_t)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
@@ -167,9 +246,8 @@ optional_policy(`
|
@@ -167,9 +254,8 @@ optional_policy(`
|
||||||
# polkit_resolve local policy
|
# polkit_resolve local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -38474,7 +38522,7 @@ index 44db896..67a2c44 100644
|
|||||||
allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
|
allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
|
||||||
allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
|
allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
|
||||||
@@ -185,14 +263,8 @@ corecmd_search_bin(policykit_resolve_t)
|
@@ -185,14 +271,8 @@ corecmd_search_bin(policykit_resolve_t)
|
||||||
files_read_etc_files(policykit_resolve_t)
|
files_read_etc_files(policykit_resolve_t)
|
||||||
files_read_usr_files(policykit_resolve_t)
|
files_read_usr_files(policykit_resolve_t)
|
||||||
|
|
||||||
@ -38489,7 +38537,7 @@ index 44db896..67a2c44 100644
|
|||||||
userdom_read_all_users_state(policykit_resolve_t)
|
userdom_read_all_users_state(policykit_resolve_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -207,4 +279,3 @@ optional_policy(`
|
@@ -207,4 +287,3 @@ optional_policy(`
|
||||||
kernel_search_proc(policykit_resolve_t)
|
kernel_search_proc(policykit_resolve_t)
|
||||||
hal_read_state(policykit_resolve_t)
|
hal_read_state(policykit_resolve_t)
|
||||||
')
|
')
|
||||||
@ -44832,7 +44880,7 @@ index 7dc38d1..808f9c6 100644
|
|||||||
+ admin_pattern($1, rgmanager_var_run_t)
|
+ admin_pattern($1, rgmanager_var_run_t)
|
||||||
+')
|
+')
|
||||||
diff --git a/rgmanager.te b/rgmanager.te
|
diff --git a/rgmanager.te b/rgmanager.te
|
||||||
index 07333db..53bff36 100644
|
index 07333db..91ef567 100644
|
||||||
--- a/rgmanager.te
|
--- a/rgmanager.te
|
||||||
+++ b/rgmanager.te
|
+++ b/rgmanager.te
|
||||||
@@ -14,9 +14,11 @@ gen_tunable(rgmanager_can_network_connect, false)
|
@@ -14,9 +14,11 @@ gen_tunable(rgmanager_can_network_connect, false)
|
||||||
@ -44882,7 +44930,7 @@ index 07333db..53bff36 100644
|
|||||||
|
|
||||||
# need to write to /dev/misc/dlm-control
|
# need to write to /dev/misc/dlm-control
|
||||||
dev_rw_dlm_control(rgmanager_t)
|
dev_rw_dlm_control(rgmanager_t)
|
||||||
@@ -76,31 +78,36 @@ dev_search_sysfs(rgmanager_t)
|
@@ -76,31 +78,37 @@ dev_search_sysfs(rgmanager_t)
|
||||||
|
|
||||||
domain_read_all_domains_state(rgmanager_t)
|
domain_read_all_domains_state(rgmanager_t)
|
||||||
domain_getattr_all_domains(rgmanager_t)
|
domain_getattr_all_domains(rgmanager_t)
|
||||||
@ -44914,6 +44962,7 @@ index 07333db..53bff36 100644
|
|||||||
auth_use_nsswitch(rgmanager_t)
|
auth_use_nsswitch(rgmanager_t)
|
||||||
|
|
||||||
+init_domtrans_script(rgmanager_t)
|
+init_domtrans_script(rgmanager_t)
|
||||||
|
+init_initrc_domain(rgmanager_t)
|
||||||
+
|
+
|
||||||
logging_send_syslog_msg(rgmanager_t)
|
logging_send_syslog_msg(rgmanager_t)
|
||||||
|
|
||||||
@ -44924,7 +44973,7 @@ index 07333db..53bff36 100644
|
|||||||
|
|
||||||
tunable_policy(`rgmanager_can_network_connect',`
|
tunable_policy(`rgmanager_can_network_connect',`
|
||||||
corenet_tcp_connect_all_ports(rgmanager_t)
|
corenet_tcp_connect_all_ports(rgmanager_t)
|
||||||
@@ -118,6 +125,14 @@ optional_policy(`
|
@@ -118,6 +126,14 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -44939,7 +44988,7 @@ index 07333db..53bff36 100644
|
|||||||
fstools_domtrans(rgmanager_t)
|
fstools_domtrans(rgmanager_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -140,6 +155,16 @@ optional_policy(`
|
@@ -140,6 +156,16 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -44956,7 +45005,7 @@ index 07333db..53bff36 100644
|
|||||||
mysql_domtrans_mysql_safe(rgmanager_t)
|
mysql_domtrans_mysql_safe(rgmanager_t)
|
||||||
mysql_stream_connect(rgmanager_t)
|
mysql_stream_connect(rgmanager_t)
|
||||||
')
|
')
|
||||||
@@ -165,6 +190,8 @@ optional_policy(`
|
@@ -165,6 +191,8 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
rpc_initrc_domtrans_nfsd(rgmanager_t)
|
rpc_initrc_domtrans_nfsd(rgmanager_t)
|
||||||
rpc_initrc_domtrans_rpcd(rgmanager_t)
|
rpc_initrc_domtrans_rpcd(rgmanager_t)
|
||||||
@ -47948,19 +47997,20 @@ index a07b2f4..36b4903 100644
|
|||||||
+
|
+
|
||||||
+userdom_getattr_user_terminals(rwho_t)
|
+userdom_getattr_user_terminals(rwho_t)
|
||||||
diff --git a/samba.fc b/samba.fc
|
diff --git a/samba.fc b/samba.fc
|
||||||
index 69a6074..3d65472 100644
|
index 69a6074..c9dbc93 100644
|
||||||
--- a/samba.fc
|
--- a/samba.fc
|
||||||
+++ b/samba.fc
|
+++ b/samba.fc
|
||||||
@@ -14,6 +14,8 @@
|
@@ -14,6 +14,9 @@
|
||||||
#
|
#
|
||||||
# /usr
|
# /usr
|
||||||
#
|
#
|
||||||
+/usr/lib/systemd/system/smb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
|
+/usr/lib/systemd/system/smb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
|
||||||
|
+/usr/lib/systemd/system/nmb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
|
||||||
+
|
+
|
||||||
/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0)
|
/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0)
|
||||||
/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
|
/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
|
||||||
/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
|
/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
|
||||||
@@ -36,6 +38,10 @@
|
@@ -36,6 +39,10 @@
|
||||||
|
|
||||||
/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0)
|
/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0)
|
||||||
|
|
||||||
@ -47971,7 +48021,7 @@ index 69a6074..3d65472 100644
|
|||||||
/var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
|
/var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
|
||||||
/var/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
|
/var/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
|
||||||
/var/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
|
/var/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
|
||||||
@@ -48,6 +54,11 @@
|
@@ -48,6 +55,11 @@
|
||||||
/var/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0)
|
/var/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0)
|
||||||
/var/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
|
/var/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
|
||||||
|
|
||||||
@ -54328,7 +54378,7 @@ index 0000000..9127cec
|
|||||||
+')
|
+')
|
||||||
diff --git a/thumb.te b/thumb.te
|
diff --git a/thumb.te b/thumb.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..a0d188c
|
index 0000000..7eea9cd
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/thumb.te
|
+++ b/thumb.te
|
||||||
@@ -0,0 +1,105 @@
|
@@ -0,0 +1,105 @@
|
||||||
@ -54435,7 +54485,7 @@ index 0000000..a0d188c
|
|||||||
+ gnome_read_generic_data_home_files(thumb_t)
|
+ gnome_read_generic_data_home_files(thumb_t)
|
||||||
+ gnome_manage_gstreamer_home_files(thumb_t)
|
+ gnome_manage_gstreamer_home_files(thumb_t)
|
||||||
+ gnome_manage_gstreamer_home_dirs(thumb_t)
|
+ gnome_manage_gstreamer_home_dirs(thumb_t)
|
||||||
+ #gnome_exec_gstreamer_home_files(thumb_t)
|
+ gnome_exec_gstreamer_home_files(thumb_t)
|
||||||
+')
|
+')
|
||||||
diff --git a/thunderbird.te b/thunderbird.te
|
diff --git a/thunderbird.te b/thunderbird.te
|
||||||
index bf37d98..204ac7e 100644
|
index bf37d98..204ac7e 100644
|
||||||
@ -54764,7 +54814,7 @@ index 54b8605..a04f013 100644
|
|||||||
admin_pattern($1, tuned_var_run_t)
|
admin_pattern($1, tuned_var_run_t)
|
||||||
')
|
')
|
||||||
diff --git a/tuned.te b/tuned.te
|
diff --git a/tuned.te b/tuned.te
|
||||||
index db9d2a5..da20967 100644
|
index db9d2a5..c7b09c0 100644
|
||||||
--- a/tuned.te
|
--- a/tuned.te
|
||||||
+++ b/tuned.te
|
+++ b/tuned.te
|
||||||
@@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t)
|
@@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t)
|
||||||
@ -54780,7 +54830,7 @@ index db9d2a5..da20967 100644
|
|||||||
type tuned_log_t;
|
type tuned_log_t;
|
||||||
logging_log_file(tuned_log_t)
|
logging_log_file(tuned_log_t)
|
||||||
|
|
||||||
@@ -23,23 +29,38 @@ files_pid_file(tuned_var_run_t)
|
@@ -23,23 +29,39 @@ files_pid_file(tuned_var_run_t)
|
||||||
# tuned local policy
|
# tuned local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -54809,10 +54859,12 @@ index db9d2a5..da20967 100644
|
|||||||
|
|
||||||
kernel_read_system_state(tuned_t)
|
kernel_read_system_state(tuned_t)
|
||||||
kernel_read_network_state(tuned_t)
|
kernel_read_network_state(tuned_t)
|
||||||
|
-
|
||||||
+kernel_read_kernel_sysctls(tuned_t)
|
+kernel_read_kernel_sysctls(tuned_t)
|
||||||
|
+kernel_rw_kernel_sysctl(tuned_t)
|
||||||
+kernel_rw_hotplug_sysctls(tuned_t)
|
+kernel_rw_hotplug_sysctls(tuned_t)
|
||||||
+kernel_rw_vm_sysctls(tuned_t)
|
+kernel_rw_vm_sysctls(tuned_t)
|
||||||
|
+
|
||||||
+dev_getattr_all_blk_files(tuned_t)
|
+dev_getattr_all_blk_files(tuned_t)
|
||||||
+dev_getattr_all_chr_files(tuned_t)
|
+dev_getattr_all_chr_files(tuned_t)
|
||||||
+dev_dontaudit_getattr_all(tuned_t)
|
+dev_dontaudit_getattr_all(tuned_t)
|
||||||
@ -54822,7 +54874,7 @@ index db9d2a5..da20967 100644
|
|||||||
# to allow cpu tuning
|
# to allow cpu tuning
|
||||||
dev_rw_netcontrol(tuned_t)
|
dev_rw_netcontrol(tuned_t)
|
||||||
|
|
||||||
@@ -47,6 +68,10 @@ files_read_etc_files(tuned_t)
|
@@ -47,6 +69,10 @@ files_read_etc_files(tuned_t)
|
||||||
files_read_usr_files(tuned_t)
|
files_read_usr_files(tuned_t)
|
||||||
files_dontaudit_search_home(tuned_t)
|
files_dontaudit_search_home(tuned_t)
|
||||||
|
|
||||||
@ -54833,7 +54885,7 @@ index db9d2a5..da20967 100644
|
|||||||
logging_send_syslog_msg(tuned_t)
|
logging_send_syslog_msg(tuned_t)
|
||||||
|
|
||||||
miscfiles_read_localization(tuned_t)
|
miscfiles_read_localization(tuned_t)
|
||||||
@@ -58,6 +83,14 @@ optional_policy(`
|
@@ -58,6 +84,14 @@ optional_policy(`
|
||||||
fstools_domtrans(tuned_t)
|
fstools_domtrans(tuned_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -56560,7 +56612,7 @@ index 7c5d8d8..85b7d8b 100644
|
|||||||
+ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
|
+ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
|
||||||
')
|
')
|
||||||
diff --git a/virt.te b/virt.te
|
diff --git a/virt.te b/virt.te
|
||||||
index ad3068a..6713ab0 100644
|
index ad3068a..5759ef5 100644
|
||||||
--- a/virt.te
|
--- a/virt.te
|
||||||
+++ b/virt.te
|
+++ b/virt.te
|
||||||
@@ -5,56 +5,87 @@ policy_module(virt, 1.4.2)
|
@@ -5,56 +5,87 @@ policy_module(virt, 1.4.2)
|
||||||
@ -57154,7 +57206,7 @@ index ad3068a..6713ab0 100644
|
|||||||
files_read_usr_files(virt_domain)
|
files_read_usr_files(virt_domain)
|
||||||
files_read_var_files(virt_domain)
|
files_read_var_files(virt_domain)
|
||||||
files_search_all(virt_domain)
|
files_search_all(virt_domain)
|
||||||
@@ -449,25 +657,428 @@ files_search_all(virt_domain)
|
@@ -449,25 +657,430 @@ files_search_all(virt_domain)
|
||||||
fs_getattr_tmpfs(virt_domain)
|
fs_getattr_tmpfs(virt_domain)
|
||||||
fs_rw_anon_inodefs_files(virt_domain)
|
fs_rw_anon_inodefs_files(virt_domain)
|
||||||
fs_rw_tmpfs_files(virt_domain)
|
fs_rw_tmpfs_files(virt_domain)
|
||||||
@ -57257,6 +57309,8 @@ index ad3068a..6713ab0 100644
|
|||||||
+init_rw_script_stream_sockets(virsh_t)
|
+init_rw_script_stream_sockets(virsh_t)
|
||||||
+init_use_fds(virsh_t)
|
+init_use_fds(virsh_t)
|
||||||
+
|
+
|
||||||
|
+auth_read_passwd(virsh_t)
|
||||||
|
+
|
||||||
+miscfiles_read_localization(virsh_t)
|
+miscfiles_read_localization(virsh_t)
|
||||||
+
|
+
|
||||||
+sysnet_dns_name_resolve(virsh_t)
|
+sysnet_dns_name_resolve(virsh_t)
|
||||||
|
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.11.0
|
Version: 3.11.0
|
||||||
Release: 2%{?dist}
|
Release: 3%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -491,6 +491,22 @@ SELinux Reference policy mls base module.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jun 12 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-3
|
||||||
|
- PolicyKit path has changed
|
||||||
|
- Allow httpd connect to dirsrv socket
|
||||||
|
- Allow tuned to write generic kernel sysctls
|
||||||
|
- Dontaudit logwatch to gettr on /dev/dm-2
|
||||||
|
- Allow policykit-auth to manage kerberos files
|
||||||
|
- Make condor_startd and rgmanager as initrc domain
|
||||||
|
- Allow virsh to read /etc/passwd
|
||||||
|
- Allow mount to mount on user_tmp_t for /run/user/dwalsh/gvfs
|
||||||
|
- xdm now needs to execute xsession_exec_t
|
||||||
|
- Need labels for /var/lib/gdm
|
||||||
|
- Fix files_filetrans_named_content() interface
|
||||||
|
- Add new attribute - initrc_domain
|
||||||
|
- Allow systemd_logind_t to signal, signull, sigkill all processes
|
||||||
|
- Add filetrans rules for etc_runtime files
|
||||||
|
|
||||||
* Sat Jun 9 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-2
|
* Sat Jun 9 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-2
|
||||||
- Rename boolean names to remove allow_
|
- Rename boolean names to remove allow_
|
||||||
|
|
||||||
|