- Allow gdm to read rpm database
- Allow nsplugin to read mplayer config files
parent
50eeedfd33
commit
ca51529d6b
@ -284,18 +284,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.
|
|||||||
|
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-3.4.2/policy/modules/admin/amanda.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-3.4.2/policy/modules/admin/amanda.te
|
||||||
--- nsaserefpolicy/policy/modules/admin/amanda.te 2008-06-12 23:25:08.000000000 -0400
|
--- nsaserefpolicy/policy/modules/admin/amanda.te 2008-06-12 23:25:08.000000000 -0400
|
||||||
+++ serefpolicy-3.4.2/policy/modules/admin/amanda.te 2008-06-12 23:37:53.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/admin/amanda.te 2008-06-29 08:00:12.000000000 -0400
|
||||||
@@ -82,8 +82,7 @@
|
@@ -82,8 +82,9 @@
|
||||||
allow amanda_t amanda_config_t:file { getattr read };
|
allow amanda_t amanda_config_t:file { getattr read };
|
||||||
|
|
||||||
# access to amandas data structure
|
# access to amandas data structure
|
||||||
-allow amanda_t amanda_data_t:dir { read search write };
|
-allow amanda_t amanda_data_t:dir { read search write };
|
||||||
-allow amanda_t amanda_data_t:file manage_file_perms;
|
-allow amanda_t amanda_data_t:file manage_file_perms;
|
||||||
|
+manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
|
||||||
+manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
|
+manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
|
||||||
|
+filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
|
||||||
|
|
||||||
# access to amanda_dumpdates_t
|
# access to amanda_dumpdates_t
|
||||||
allow amanda_t amanda_dumpdates_t:file { getattr lock read write };
|
allow amanda_t amanda_dumpdates_t:file { getattr lock read write };
|
||||||
@@ -220,6 +219,7 @@
|
@@ -220,6 +221,7 @@
|
||||||
auth_use_nsswitch(amanda_recover_t)
|
auth_use_nsswitch(amanda_recover_t)
|
||||||
|
|
||||||
fstools_domtrans(amanda_t)
|
fstools_domtrans(amanda_t)
|
||||||
@ -700,6 +702,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te
|
|||||||
- dontaudit mrtg_t { boot_t device_t file_t lost_found_t }:dir getattr;
|
- dontaudit mrtg_t { boot_t device_t file_t lost_found_t }:dir getattr;
|
||||||
- dontaudit mrtg_t root_t:lnk_file getattr;
|
- dontaudit mrtg_t root_t:lnk_file getattr;
|
||||||
-')
|
-')
|
||||||
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.if serefpolicy-3.4.2/policy/modules/admin/netutils.if
|
||||||
|
--- nsaserefpolicy/policy/modules/admin/netutils.if 2008-06-12 23:25:08.000000000 -0400
|
||||||
|
+++ serefpolicy-3.4.2/policy/modules/admin/netutils.if 2008-06-30 13:16:57.000000000 -0400
|
||||||
|
@@ -124,6 +124,24 @@
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
+## Send generic signals to netutils.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`netutils_signal',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type netutils_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 netutils_t:process signal;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
## Execute ping in the ping domain, and
|
||||||
|
## allow the specified role the ping domain.
|
||||||
|
## </summary>
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.4.2/policy/modules/admin/netutils.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.4.2/policy/modules/admin/netutils.te
|
||||||
--- nsaserefpolicy/policy/modules/admin/netutils.te 2008-06-12 23:25:08.000000000 -0400
|
--- nsaserefpolicy/policy/modules/admin/netutils.te 2008-06-12 23:25:08.000000000 -0400
|
||||||
+++ serefpolicy-3.4.2/policy/modules/admin/netutils.te 2008-06-12 23:37:53.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/admin/netutils.te 2008-06-12 23:37:53.000000000 -0400
|
||||||
@ -4543,8 +4573,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.4.2/policy/modules/apps/nsplugin.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.4.2/policy/modules/apps/nsplugin.te
|
||||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.4.2/policy/modules/apps/nsplugin.te 2008-06-12 23:37:51.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/apps/nsplugin.te 2008-06-29 08:22:17.000000000 -0400
|
||||||
@@ -0,0 +1,215 @@
|
@@ -0,0 +1,217 @@
|
||||||
+
|
+
|
||||||
+policy_module(nsplugin,1.0.0)
|
+policy_module(nsplugin,1.0.0)
|
||||||
+
|
+
|
||||||
@ -4577,189 +4607,191 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
|||||||
+userdom_user_home_content(user,nsplugin_home_t)
|
+userdom_user_home_content(user,nsplugin_home_t)
|
||||||
+typealias nsplugin_home_t alias user_nsplugin_home_t;
|
+typealias nsplugin_home_t alias user_nsplugin_home_t;
|
||||||
+
|
+
|
||||||
+ type nsplugin_t;
|
+type nsplugin_t;
|
||||||
+ type nsplugin_config_t;
|
+type nsplugin_config_t;
|
||||||
+ application_domain(nsplugin_t, nsplugin_exec_t)
|
+application_domain(nsplugin_t, nsplugin_exec_t)
|
||||||
+ application_domain(nsplugin_config_t, nsplugin_config_exec_t)
|
+application_domain(nsplugin_config_t, nsplugin_config_exec_t)
|
||||||
+
|
+
|
||||||
+ ########################################
|
+########################################
|
||||||
+ #
|
+#
|
||||||
+ # nsplugin local policy
|
+# nsplugin local policy
|
||||||
+ #
|
+#
|
||||||
+ allow nsplugin_t self:fifo_file rw_file_perms;
|
+allow nsplugin_t self:fifo_file rw_file_perms;
|
||||||
+ allow nsplugin_t self:process { ptrace getsched setsched signal_perms };
|
+allow nsplugin_t self:process { ptrace getsched setsched signal_perms };
|
||||||
+
|
+
|
||||||
+ allow nsplugin_t self:sem create_sem_perms;
|
+allow nsplugin_t self:sem create_sem_perms;
|
||||||
+ allow nsplugin_t self:shm create_shm_perms;
|
+allow nsplugin_t self:shm create_shm_perms;
|
||||||
+ allow nsplugin_t self:msgq create_msgq_perms;
|
+allow nsplugin_t self:msgq create_msgq_perms;
|
||||||
+ allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
+allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||||
+
|
+
|
||||||
+ tunable_policy(`allow_nsplugin_execmem',`
|
+tunable_policy(`allow_nsplugin_execmem',`
|
||||||
+ allow nsplugin_t self:process { execstack execmem };
|
+ allow nsplugin_t self:process { execstack execmem };
|
||||||
+ allow nsplugin_config_t self:process { execstack execmem };
|
+ allow nsplugin_config_t self:process { execstack execmem };
|
||||||
+ ')
|
+')
|
||||||
+
|
+
|
||||||
+ manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
|
+manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
|
||||||
+ exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
|
+exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
|
||||||
+ manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
|
+manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
|
||||||
+ manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
|
+manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
|
||||||
+ userdom_user_home_dir_filetrans(user, nsplugin_t, nsplugin_home_t, {file dir})
|
+userdom_user_home_dir_filetrans(user, nsplugin_t, nsplugin_home_t, {file dir})
|
||||||
+ unprivuser_dontaudit_write_home_content_files(nsplugin_t)
|
+unprivuser_dontaudit_write_home_content_files(nsplugin_t)
|
||||||
+
|
+
|
||||||
+ corecmd_exec_bin(nsplugin_t)
|
+corecmd_exec_bin(nsplugin_t)
|
||||||
+ corecmd_exec_shell(nsplugin_t)
|
+corecmd_exec_shell(nsplugin_t)
|
||||||
+
|
+
|
||||||
+ corenet_all_recvfrom_unlabeled(nsplugin_t)
|
+corenet_all_recvfrom_unlabeled(nsplugin_t)
|
||||||
+ corenet_all_recvfrom_netlabel(nsplugin_t)
|
+corenet_all_recvfrom_netlabel(nsplugin_t)
|
||||||
+ corenet_tcp_connect_flash_port(nsplugin_t)
|
+corenet_tcp_connect_flash_port(nsplugin_t)
|
||||||
+ corenet_tcp_connect_pulseaudio_port(nsplugin_t)
|
+corenet_tcp_connect_pulseaudio_port(nsplugin_t)
|
||||||
+ corenet_tcp_connect_http_port(nsplugin_t)
|
+corenet_tcp_connect_http_port(nsplugin_t)
|
||||||
+ corenet_tcp_sendrecv_generic_if(nsplugin_t)
|
+corenet_tcp_sendrecv_generic_if(nsplugin_t)
|
||||||
+ corenet_tcp_sendrecv_all_nodes(nsplugin_t)
|
+corenet_tcp_sendrecv_all_nodes(nsplugin_t)
|
||||||
+
|
+
|
||||||
+ domain_dontaudit_read_all_domains_state(nsplugin_t)
|
+domain_dontaudit_read_all_domains_state(nsplugin_t)
|
||||||
+
|
+
|
||||||
+ dev_read_rand(nsplugin_t)
|
+dev_read_rand(nsplugin_t)
|
||||||
+ dev_read_sound(nsplugin_t)
|
+dev_read_sound(nsplugin_t)
|
||||||
+ dev_write_sound(nsplugin_t)
|
+dev_write_sound(nsplugin_t)
|
||||||
+ dev_read_video_dev(nsplugin_t)
|
+dev_read_video_dev(nsplugin_t)
|
||||||
+ dev_write_video_dev(nsplugin_t)
|
+dev_write_video_dev(nsplugin_t)
|
||||||
+
|
+
|
||||||
+ kernel_read_kernel_sysctls(nsplugin_t)
|
+kernel_read_kernel_sysctls(nsplugin_t)
|
||||||
+ kernel_read_system_state(nsplugin_t)
|
+kernel_read_system_state(nsplugin_t)
|
||||||
+
|
+
|
||||||
+ files_read_usr_files(nsplugin_t)
|
+files_read_usr_files(nsplugin_t)
|
||||||
+ files_read_etc_files(nsplugin_t)
|
+files_read_etc_files(nsplugin_t)
|
||||||
|
+files_read_config_files(nsplugin_t)
|
||||||
+
|
+
|
||||||
+ fs_list_inotifyfs(nsplugin_t)
|
+fs_list_inotifyfs(nsplugin_t)
|
||||||
+ fs_manage_tmpfs_files(nsplugin_t)
|
+fs_manage_tmpfs_files(nsplugin_t)
|
||||||
+ fs_getattr_tmpfs(nsplugin_t)
|
+fs_getattr_tmpfs(nsplugin_t)
|
||||||
+ fs_getattr_xattr_fs(nsplugin_t)
|
+fs_getattr_xattr_fs(nsplugin_t)
|
||||||
+
|
+
|
||||||
+ term_dontaudit_getattr_all_user_ptys(nsplugin_t)
|
+term_dontaudit_getattr_all_user_ptys(nsplugin_t)
|
||||||
+ term_dontaudit_getattr_all_user_ttys(nsplugin_t)
|
+term_dontaudit_getattr_all_user_ttys(nsplugin_t)
|
||||||
+
|
+
|
||||||
+ auth_use_nsswitch(nsplugin_t)
|
+auth_use_nsswitch(nsplugin_t)
|
||||||
+
|
+
|
||||||
+ libs_use_ld_so(nsplugin_t)
|
+libs_use_ld_so(nsplugin_t)
|
||||||
+ libs_use_shared_libs(nsplugin_t)
|
+libs_use_shared_libs(nsplugin_t)
|
||||||
+ libs_exec_ld_so(nsplugin_t)
|
+libs_exec_ld_so(nsplugin_t)
|
||||||
+
|
+
|
||||||
+ miscfiles_read_localization(nsplugin_t)
|
+miscfiles_read_localization(nsplugin_t)
|
||||||
+ miscfiles_read_fonts(nsplugin_t)
|
+miscfiles_read_fonts(nsplugin_t)
|
||||||
+
|
+
|
||||||
+ unprivuser_manage_tmp_dirs(nsplugin_t)
|
+unprivuser_manage_tmp_dirs(nsplugin_t)
|
||||||
+ unprivuser_manage_tmp_files(nsplugin_t)
|
+unprivuser_manage_tmp_files(nsplugin_t)
|
||||||
+ unprivuser_manage_tmp_sockets(nsplugin_t)
|
+unprivuser_manage_tmp_sockets(nsplugin_t)
|
||||||
+ userdom_tmp_filetrans_user_tmp(user, nsplugin_t, { file dir sock_file })
|
+userdom_tmp_filetrans_user_tmp(user, nsplugin_t, { file dir sock_file })
|
||||||
+ unprivuser_read_tmpfs_files(nsplugin_t)
|
+unprivuser_read_tmpfs_files(nsplugin_t)
|
||||||
+ unprivuser_rw_semaphores(nsplugin_t)
|
+unprivuser_rw_semaphores(nsplugin_t)
|
||||||
+ unprivuser_delete_tmpfs_files(nsplugin_t)
|
+unprivuser_delete_tmpfs_files(nsplugin_t)
|
||||||
+
|
+
|
||||||
+ unprivuser_read_home_content_symlinks(nsplugin_t)
|
+unprivuser_read_home_content_symlinks(nsplugin_t)
|
||||||
+ unprivuser_read_home_content_files(nsplugin_t)
|
+unprivuser_read_home_content_files(nsplugin_t)
|
||||||
+ unprivuser_read_tmp_files(nsplugin_t)
|
+unprivuser_read_tmp_files(nsplugin_t)
|
||||||
+ userdom_write_user_tmp_sockets(user, nsplugin_t)
|
+userdom_write_user_tmp_sockets(user, nsplugin_t)
|
||||||
+ unprivuser_dontaudit_append_home_content_files(nsplugin_t)
|
+unprivuser_dontaudit_append_home_content_files(nsplugin_t)
|
||||||
+ userdom_dontaudit_manage_user_tmp_files(user, nsplugin_t)
|
+userdom_dontaudit_manage_user_tmp_files(user, nsplugin_t)
|
||||||
+
|
+
|
||||||
+ optional_policy(`
|
+optional_policy(`
|
||||||
+ alsa_read_rw_config(nsplugin_t)
|
+ alsa_read_rw_config(nsplugin_t)
|
||||||
+ ')
|
+')
|
||||||
+
|
+
|
||||||
+ optional_policy(`
|
+optional_policy(`
|
||||||
+ gnome_exec_gconf(nsplugin_t)
|
+ gnome_exec_gconf(nsplugin_t)
|
||||||
+ gnome_manage_user_gnome_config(user, nsplugin_t)
|
+ gnome_manage_user_gnome_config(user, nsplugin_t)
|
||||||
+ ')
|
+')
|
||||||
+
|
+
|
||||||
+ optional_policy(`
|
+optional_policy(`
|
||||||
+ mozilla_read_user_home_files(user, nsplugin_t)
|
+ mozilla_read_user_home_files(user, nsplugin_t)
|
||||||
+ mozilla_write_user_home_files(user, nsplugin_t)
|
+ mozilla_write_user_home_files(user, nsplugin_t)
|
||||||
+ ')
|
+')
|
||||||
+
|
+
|
||||||
+ optional_policy(`
|
+optional_policy(`
|
||||||
+ mplayer_exec(nsplugin_t)
|
+ mplayer_exec(nsplugin_t)
|
||||||
+ ')
|
+')
|
||||||
+
|
+
|
||||||
+ optional_policy(`
|
+optional_policy(`
|
||||||
+ unconfined_execmem_signull(nsplugin_t)
|
+ unconfined_execmem_signull(nsplugin_t)
|
||||||
+ unconfined_delete_tmpfs_files(nsplugin_t)
|
+ unconfined_delete_tmpfs_files(nsplugin_t)
|
||||||
+ ')
|
+')
|
||||||
+
|
+
|
||||||
+ optional_policy(`
|
+optional_policy(`
|
||||||
+ xserver_stream_connect_xdm_xserver(nsplugin_t)
|
+ xserver_stream_connect_xdm_xserver(nsplugin_t)
|
||||||
+ xserver_xdm_rw_shm(nsplugin_t)
|
+ xserver_xdm_rw_shm(nsplugin_t)
|
||||||
+ xserver_read_xdm_tmp_files(nsplugin_t)
|
+ xserver_read_xdm_tmp_files(nsplugin_t)
|
||||||
+ xserver_read_xdm_pid(nsplugin_t)
|
+ xserver_read_xdm_pid(nsplugin_t)
|
||||||
+ xserver_read_user_xauth(user, nsplugin_t)
|
+ xserver_read_user_xauth(user, nsplugin_t)
|
||||||
+ xserver_use_user_fonts(user, nsplugin_t)
|
+ xserver_use_user_fonts(user, nsplugin_t)
|
||||||
+ xserver_manage_home_fonts(nsplugin_t)
|
+ xserver_manage_home_fonts(nsplugin_t)
|
||||||
+ ')
|
+')
|
||||||
+
|
+
|
||||||
+ ########################################
|
+########################################
|
||||||
+ #
|
+#
|
||||||
+ # nsplugin_config local policy
|
+# nsplugin_config local policy
|
||||||
+ #
|
+#
|
||||||
+
|
+
|
||||||
+ allow nsplugin_config_t self:capability { sys_nice setuid setgid };
|
+allow nsplugin_config_t self:capability { sys_nice setuid setgid };
|
||||||
+ allow nsplugin_config_t self:process { setsched sigkill getsched execmem };
|
+allow nsplugin_config_t self:process { setsched sigkill getsched execmem };
|
||||||
+
|
+
|
||||||
+ allow nsplugin_config_t self:fifo_file rw_file_perms;
|
+allow nsplugin_config_t self:fifo_file rw_file_perms;
|
||||||
+ allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
|
+allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
+
|
+
|
||||||
+ fs_list_inotifyfs(nsplugin_config_t)
|
+fs_list_inotifyfs(nsplugin_config_t)
|
||||||
+
|
+
|
||||||
+ can_exec(nsplugin_config_t, nsplugin_rw_t)
|
+can_exec(nsplugin_config_t, nsplugin_rw_t)
|
||||||
+ manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
|
+manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
|
||||||
+ manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
|
+manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
|
||||||
+ manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
|
+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
|
||||||
+
|
+
|
||||||
+ manage_dirs_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
|
+manage_dirs_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
|
||||||
+ manage_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
|
+manage_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
|
||||||
+ manage_lnk_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
|
+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
|
||||||
+
|
+
|
||||||
+ corecmd_exec_bin(nsplugin_config_t)
|
+corecmd_exec_bin(nsplugin_config_t)
|
||||||
+ corecmd_exec_shell(nsplugin_config_t)
|
+corecmd_exec_shell(nsplugin_config_t)
|
||||||
+
|
+
|
||||||
+ kernel_read_system_state(nsplugin_config_t)
|
+kernel_read_system_state(nsplugin_config_t)
|
||||||
+
|
+
|
||||||
+ files_read_etc_files(nsplugin_config_t)
|
+files_read_etc_files(nsplugin_config_t)
|
||||||
+ files_read_usr_files(nsplugin_config_t)
|
+files_read_usr_files(nsplugin_config_t)
|
||||||
+ files_dontaudit_search_home(nsplugin_config_t)
|
+files_dontaudit_search_home(nsplugin_config_t)
|
||||||
|
+files_list_tmp(nsplugin_config_t)
|
||||||
+
|
+
|
||||||
+ auth_use_nsswitch(nsplugin_config_t)
|
+auth_use_nsswitch(nsplugin_config_t)
|
||||||
+
|
+
|
||||||
+ libs_use_ld_so(nsplugin_config_t)
|
+libs_use_ld_so(nsplugin_config_t)
|
||||||
+ libs_use_shared_libs(nsplugin_config_t)
|
+libs_use_shared_libs(nsplugin_config_t)
|
||||||
+
|
+
|
||||||
+ miscfiles_read_localization(nsplugin_config_t)
|
+miscfiles_read_localization(nsplugin_config_t)
|
||||||
+ miscfiles_read_fonts(nsplugin_config_t)
|
+miscfiles_read_fonts(nsplugin_config_t)
|
||||||
+
|
+
|
||||||
+ userdom_search_all_users_home_content(nsplugin_config_t)
|
+userdom_search_all_users_home_content(nsplugin_config_t)
|
||||||
+
|
+
|
||||||
+ tunable_policy(`use_nfs_home_dirs',`
|
+tunable_policy(`use_nfs_home_dirs',`
|
||||||
+ fs_manage_nfs_dirs(nsplugin_t)
|
+ fs_manage_nfs_dirs(nsplugin_t)
|
||||||
+ fs_manage_nfs_files(nsplugin_t)
|
+ fs_manage_nfs_files(nsplugin_t)
|
||||||
+ fs_manage_nfs_dirs(nsplugin_config_t)
|
+ fs_manage_nfs_dirs(nsplugin_config_t)
|
||||||
+ fs_manage_nfs_files(nsplugin_config_t)
|
+ fs_manage_nfs_files(nsplugin_config_t)
|
||||||
+ ')
|
+')
|
||||||
+
|
+
|
||||||
+ tunable_policy(`use_samba_home_dirs',`
|
+tunable_policy(`use_samba_home_dirs',`
|
||||||
+ fs_manage_cifs_dirs(nsplugin_t)
|
+ fs_manage_cifs_dirs(nsplugin_t)
|
||||||
+ fs_manage_cifs_files(nsplugin_t)
|
+ fs_manage_cifs_files(nsplugin_t)
|
||||||
+ fs_manage_cifs_dirs(nsplugin_config_t)
|
+ fs_manage_cifs_dirs(nsplugin_config_t)
|
||||||
+ fs_manage_cifs_files(nsplugin_config_t)
|
+ fs_manage_cifs_files(nsplugin_config_t)
|
||||||
+ ')
|
+')
|
||||||
+
|
+
|
||||||
+ domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t)
|
+domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t)
|
||||||
+
|
+
|
||||||
+ optional_policy(`
|
+optional_policy(`
|
||||||
+ xserver_read_home_fonts(nsplugin_config_t)
|
+ xserver_read_home_fonts(nsplugin_config_t)
|
||||||
+ ')
|
+')
|
||||||
+
|
+
|
||||||
+ optional_policy(`
|
+optional_policy(`
|
||||||
+ mozilla_read_user_home_files(user, nsplugin_config_t)
|
+ mozilla_read_user_home_files(user, nsplugin_config_t)
|
||||||
+ ')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.4.2/policy/modules/apps/openoffice.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.4.2/policy/modules/apps/openoffice.fc
|
||||||
--- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.4.2/policy/modules/apps/openoffice.fc 2008-06-12 23:37:51.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/apps/openoffice.fc 2008-06-12 23:37:51.000000000 -0400
|
||||||
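Review bot: `files_read_config_files(nsplugin_t)` is wider than the commit message ("read mplayer config files") suggests: as far as I recall it reads every type the files module registers as a configuration file, not only mplayer's. If the mplayer module exports an interface scoped to its own configuration type, calling that inside the existing `optional_policy` block next to `mplayer_exec(nsplugin_t)` would express the intent and keep the plugin from reading unrelated configuration. Otherwise a comment on the line, e.g. `# mplayer config is read via the generic config type (TODO: name the path); no narrower interface available`, records why the broad grant was chosen. nsplugin_t is a browser-plugin domain that handles untrusted content and already has `corecmd_exec_bin`/`corecmd_exec_shell`, so each widening deserves a one-line justification.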
@ -9278,7 +9310,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aide.if serefpolicy-3.4.2/policy/modules/services/aide.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aide.if serefpolicy-3.4.2/policy/modules/services/aide.if
|
||||||
--- nsaserefpolicy/policy/modules/services/aide.if 2008-06-12 23:25:06.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/aide.if 2008-06-12 23:25:06.000000000 -0400
|
||||||
+++ serefpolicy-3.4.2/policy/modules/services/aide.if 2008-06-12 23:37:52.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/services/aide.if 2008-06-30 16:04:01.000000000 -0400
|
||||||
@@ -70,9 +70,11 @@
|
@@ -70,9 +70,11 @@
|
||||||
allow $1 aide_t:process { ptrace signal_perms };
|
allow $1 aide_t:process { ptrace signal_perms };
|
||||||
ps_process_pattern($1, aide_t)
|
ps_process_pattern($1, aide_t)
|
||||||
@ -12440,7 +12472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
|||||||
+/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0)
|
+/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.4.2/policy/modules/services/cron.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.4.2/policy/modules/services/cron.if
|
||||||
--- nsaserefpolicy/policy/modules/services/cron.if 2008-06-12 23:25:06.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/cron.if 2008-06-12 23:25:06.000000000 -0400
|
||||||
+++ serefpolicy-3.4.2/policy/modules/services/cron.if 2008-06-12 23:37:52.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/services/cron.if 2008-06-30 08:30:16.000000000 -0400
|
||||||
@@ -35,38 +35,23 @@
|
@@ -35,38 +35,23 @@
|
||||||
#
|
#
|
||||||
template(`cron_per_role_template',`
|
template(`cron_per_role_template',`
|
||||||
@ -13655,10 +13687,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
|||||||
+
|
+
|
||||||
+sysadm_dontaudit_read_home_content_files(cups_pdf_t)
|
+sysadm_dontaudit_read_home_content_files(cups_pdf_t)
|
||||||
+
|
+
|
||||||
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.fc serefpolicy-3.4.2/policy/modules/services/cvs.fc
|
||||||
|
--- nsaserefpolicy/policy/modules/services/cvs.fc 2008-06-12 23:25:05.000000000 -0400
|
||||||
|
+++ serefpolicy-3.4.2/policy/modules/services/cvs.fc 2008-06-30 16:00:10.000000000 -0400
|
||||||
|
@@ -5,3 +5,6 @@
|
||||||
|
|
||||||
|
/var/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0)
|
||||||
|
|
||||||
|
+#CVSWeb file context
|
||||||
|
+/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
|
||||||
|
+/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-3.4.2/policy/modules/services/cvs.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-3.4.2/policy/modules/services/cvs.if
|
||||||
--- nsaserefpolicy/policy/modules/services/cvs.if 2008-06-12 23:25:05.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/cvs.if 2008-06-12 23:25:05.000000000 -0400
|
||||||
+++ serefpolicy-3.4.2/policy/modules/services/cvs.if 2008-06-12 23:37:52.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/services/cvs.if 2008-06-30 16:04:16.000000000 -0400
|
||||||
@@ -36,3 +36,72 @@
|
@@ -36,3 +36,70 @@
|
||||||
|
|
||||||
can_exec($1,cvs_exec_t)
|
can_exec($1,cvs_exec_t)
|
||||||
')
|
')
|
||||||
@ -13706,15 +13748,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.
|
|||||||
+#
|
+#
|
||||||
+interface(`cvs_admin',`
|
+interface(`cvs_admin',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ type cvs_t;
|
+ type cvs_t, cvs_tmp_t;
|
||||||
|
+ type cvs_data_t, cvs_var_run_t;
|
||||||
+ type cvs_script_exec_t;
|
+ type cvs_script_exec_t;
|
||||||
+ type cvs_tmp_t;
|
|
||||||
+ type cvs_data_t;
|
|
||||||
+ type cvs_var_run_t;
|
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ allow $1 cvs_t:process { ptrace signal_perms getattr };
|
+ allow $1 cvs_t:process { ptrace signal_perms };
|
||||||
+ read_files_pattern($1, cvs_t, cvs_t)
|
+ ps_process_pattern($1, cvs_t)
|
||||||
+
|
+
|
||||||
+ # Allow cvs_t to restart the apache service
|
+ # Allow cvs_t to restart the apache service
|
||||||
+ cvs_script_domtrans($1)
|
+ cvs_script_domtrans($1)
|
||||||
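Review bot: the comment `# Allow cvs_t to restart the apache service` above `cvs_script_domtrans($1)` does not describe the rule beneath it: the subject of the rule is `$1` (the admin domain), not cvs_t, and the interface name suggests a transition into the cvs script domain rather than a service restart. Replace it with `# Allow the admin domain to transition into the cvs script domain`. The `cvs_admin` interface continues past the end of the hunk.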
@ -13733,7 +13773,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.
|
|||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.4.2/policy/modules/services/cvs.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.4.2/policy/modules/services/cvs.te
|
||||||
--- nsaserefpolicy/policy/modules/services/cvs.te 2008-06-12 23:25:05.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/cvs.te 2008-06-12 23:25:05.000000000 -0400
|
||||||
+++ serefpolicy-3.4.2/policy/modules/services/cvs.te 2008-06-12 23:37:51.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/services/cvs.te 2008-06-30 16:00:42.000000000 -0400
|
||||||
@@ -28,6 +28,9 @@
|
@@ -28,6 +28,9 @@
|
||||||
type cvs_var_run_t;
|
type cvs_var_run_t;
|
||||||
files_pid_file(cvs_var_run_t)
|
files_pid_file(cvs_var_run_t)
|
||||||
@ -13761,15 +13801,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.
|
|||||||
mta_send_mail(cvs_t)
|
mta_send_mail(cvs_t)
|
||||||
|
|
||||||
# cjp: typeattribute doesnt work in conditionals yet
|
# cjp: typeattribute doesnt work in conditionals yet
|
||||||
@@ -102,11 +104,3 @@
|
@@ -103,10 +105,13 @@
|
||||||
kerberos_read_config(cvs_t)
|
|
||||||
kerberos_dontaudit_write_config(cvs_t)
|
kerberos_dontaudit_write_config(cvs_t)
|
||||||
')
|
')
|
||||||
-
|
|
||||||
-optional_policy(`
|
-optional_policy(`
|
||||||
- nis_use_ypbind(cvs_t)
|
- nis_use_ypbind(cvs_t)
|
||||||
-')
|
-')
|
||||||
-
|
+########################################
|
||||||
|
+# CVSWeb policy
|
||||||
|
+
|
||||||
|
+apache_content_template(cvs)
|
||||||
|
+
|
||||||
|
+read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
|
||||||
|
+manage_dirs_pattern(httpd_cvs_script_t_t,cvs_tmp_t,cvs_tmp_t)
|
||||||
|
+manage_files_pattern(httpd_cvs_script_t,cvs_tmp_t,cvs_tmp_t)
|
||||||
|
+files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
|
||||||
|
|
||||||
-optional_policy(`
|
-optional_policy(`
|
||||||
- nscd_socket_use(cvs_t)
|
- nscd_socket_use(cvs_t)
|
||||||
-')
|
-')
|
||||||
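Review bot: `manage_dirs_pattern(httpd_cvs_script_t_t,cvs_tmp_t,cvs_tmp_t)` names a type that is never declared; the domain created by `apache_content_template(cvs)` and used on the neighbouring `read_files_pattern`, `manage_files_pattern` and `files_tmp_filetrans` lines is `httpd_cvs_script_t`, so the extra `_t` will fail the policy build as an unknown type. Change the line to `manage_dirs_pattern(httpd_cvs_script_t,cvs_tmp_t,cvs_tmp_t)`. It is also worth documenting that `files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })` makes the web-facing CGI domain share cvs_t's temp label, so anything cvs_t reads back from cvs_tmp_t is now writable by the CGI; `# cvsweb shares cvs_tmp_t with cvs_t; cvs_t must not trust content it reads from there` would record that.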
@ -15531,7 +15579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
|
|||||||
## </summary>
|
## </summary>
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.4.2/policy/modules/services/exim.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.4.2/policy/modules/services/exim.te
|
||||||
--- nsaserefpolicy/policy/modules/services/exim.te 2008-06-12 23:25:05.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/exim.te 2008-06-12 23:25:05.000000000 -0400
|
||||||
+++ serefpolicy-3.4.2/policy/modules/services/exim.te 2008-06-12 23:37:52.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/services/exim.te 2008-06-30 13:59:08.000000000 -0400
|
||||||
@@ -21,9 +21,20 @@
|
@@ -21,9 +21,20 @@
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(exim_manage_user_files,false)
|
gen_tunable(exim_manage_user_files,false)
|
||||||
@ -15621,7 +15669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
|
|||||||
files_read_etc_files(exim_t)
|
files_read_etc_files(exim_t)
|
||||||
|
|
||||||
auth_use_nsswitch(exim_t)
|
auth_use_nsswitch(exim_t)
|
||||||
@@ -99,23 +125,90 @@
|
@@ -99,23 +125,95 @@
|
||||||
logging_send_syslog_msg(exim_t)
|
logging_send_syslog_msg(exim_t)
|
||||||
|
|
||||||
miscfiles_read_localization(exim_t)
|
miscfiles_read_localization(exim_t)
|
||||||
@ -15671,7 +15719,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
|
|||||||
+ tunable_policy(`exim_can_connect_db',`
|
+ tunable_policy(`exim_can_connect_db',`
|
||||||
+ mysql_stream_connect(exim_t)
|
+ mysql_stream_connect(exim_t)
|
||||||
+ ')
|
+ ')
|
||||||
')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ tunable_policy(`exim_can_connect_db',`
|
+ tunable_policy(`exim_can_connect_db',`
|
||||||
@ -15686,13 +15734,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
|
|||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ procmail_domtrans(exim_t)
|
+ procmail_domtrans(exim_t)
|
||||||
+')
|
')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ sasl_connect(exim_t)
|
+ sasl_connect(exim_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
|
+ cron_read_pipes(exim_t)
|
||||||
|
+ cron_rw_system_job_pipes(exim_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
+ cyrus_stream_connect(exim_t)
|
+ cyrus_stream_connect(exim_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
@ -17602,18 +17655,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
|
|||||||
+files_type(mailscanner_spool_t)
|
+files_type(mailscanner_spool_t)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.4.2/policy/modules/services/mta.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.4.2/policy/modules/services/mta.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/mta.fc 2008-06-12 23:25:05.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/mta.fc 2008-06-12 23:25:05.000000000 -0400
|
||||||
+++ serefpolicy-3.4.2/policy/modules/services/mta.fc 2008-06-12 23:37:52.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/services/mta.fc 2008-06-30 13:24:59.000000000 -0400
|
||||||
@@ -11,8 +11,10 @@
|
@@ -11,6 +11,7 @@
|
||||||
/usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
/usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
||||||
|
|
||||||
/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
||||||
+/bin/mail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
+/bin/mail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
||||||
/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
||||||
/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
||||||
+/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
|
||||||
|
|
||||||
/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
|
|
||||||
|
|
||||||
|
@@ -21,7 +22,3 @@
|
||||||
|
/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
|
||||||
|
/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
|
||||||
|
/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
|
||||||
|
-
|
||||||
|
-#ifdef(`postfix.te', `', `
|
||||||
|
-#/var/spool/postfix(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
|
||||||
|
-#')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.4.2/policy/modules/services/mta.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.4.2/policy/modules/services/mta.if
|
||||||
--- nsaserefpolicy/policy/modules/services/mta.if 2008-06-12 23:25:05.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/mta.if 2008-06-12 23:25:05.000000000 -0400
|
||||||
+++ serefpolicy-3.4.2/policy/modules/services/mta.if 2008-06-12 23:37:52.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/services/mta.if 2008-06-12 23:37:52.000000000 -0400
|
||||||
@ -17809,7 +17867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
|||||||
## </summary>
|
## </summary>
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.4.2/policy/modules/services/mta.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.4.2/policy/modules/services/mta.te
|
||||||
--- nsaserefpolicy/policy/modules/services/mta.te 2008-06-12 23:25:05.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/mta.te 2008-06-12 23:25:05.000000000 -0400
|
||||||
+++ serefpolicy-3.4.2/policy/modules/services/mta.te 2008-06-24 05:41:16.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/services/mta.te 2008-06-30 08:33:53.000000000 -0400
|
||||||
@@ -6,6 +6,8 @@
|
@@ -6,6 +6,8 @@
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
@ -17944,11 +18002,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
# why is mail delivered to a directory of type arpwatch_data_t?
|
# why is mail delivered to a directory of type arpwatch_data_t?
|
||||||
arpwatch_search_data(mailserver_delivery)
|
arpwatch_search_data(mailserver_delivery)
|
||||||
@@ -154,3 +214,4 @@
|
@@ -154,3 +214,5 @@
|
||||||
cron_read_system_job_tmp_files(mta_user_agent)
|
cron_read_system_job_tmp_files(mta_user_agent)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
+
|
+
|
||||||
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.4.2/policy/modules/services/munin.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.4.2/policy/modules/services/munin.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/munin.fc 2008-06-12 23:25:05.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/munin.fc 2008-06-12 23:25:05.000000000 -0400
|
||||||
+++ serefpolicy-3.4.2/policy/modules/services/munin.fc 2008-06-12 23:37:52.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/services/munin.fc 2008-06-12 23:37:52.000000000 -0400
|
||||||
@ -20071,8 +20130,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
|
|||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.4.2/policy/modules/services/polkit.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.4.2/policy/modules/services/polkit.te
|
||||||
--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.4.2/policy/modules/services/polkit.te 2008-06-12 23:37:52.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/services/polkit.te 2008-06-30 10:21:36.000000000 -0400
|
||||||
@@ -0,0 +1,219 @@
|
@@ -0,0 +1,221 @@
|
||||||
+policy_module(polkit_auth,1.0.0)
|
+policy_module(polkit_auth,1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -20229,6 +20288,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
|
|||||||
+
|
+
|
||||||
+polkit_domtrans_auth(polkit_grant_t)
|
+polkit_domtrans_auth(polkit_grant_t)
|
||||||
+
|
+
|
||||||
|
+manage_files_pattern(polkit_grant_t,polkit_var_run_t,polkit_var_run_t)
|
||||||
|
+
|
||||||
+manage_files_pattern(polkit_grant_t, polkit_var_lib_t, polkit_var_lib_t)
|
+manage_files_pattern(polkit_grant_t, polkit_var_lib_t, polkit_var_lib_t)
|
||||||
+userdom_read_all_users_state(polkit_grant_t)
|
+userdom_read_all_users_state(polkit_grant_t)
|
||||||
+
|
+
|
||||||
@ -21284,7 +21345,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
|
|||||||
')
|
')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.4.2/policy/modules/services/prelude.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.4.2/policy/modules/services/prelude.te
|
||||||
--- nsaserefpolicy/policy/modules/services/prelude.te 2008-06-12 23:25:06.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/prelude.te 2008-06-12 23:25:06.000000000 -0400
|
||||||
+++ serefpolicy-3.4.2/policy/modules/services/prelude.te 2008-06-24 06:34:11.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/services/prelude.te 2008-06-30 15:20:18.000000000 -0400
|
||||||
@@ -19,12 +19,31 @@
|
@@ -19,12 +19,31 @@
|
||||||
type prelude_var_lib_t;
|
type prelude_var_lib_t;
|
||||||
files_type(prelude_var_lib_t)
|
files_type(prelude_var_lib_t)
|
||||||
@ -21343,11 +21404,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
|
|||||||
|
|
||||||
dev_read_rand(prelude_audisp_t)
|
dev_read_rand(prelude_audisp_t)
|
||||||
dev_read_urand(prelude_audisp_t)
|
dev_read_urand(prelude_audisp_t)
|
||||||
@@ -126,6 +150,80 @@
|
@@ -123,9 +147,84 @@
|
||||||
|
libs_use_shared_libs(prelude_audisp_t)
|
||||||
|
|
||||||
|
logging_send_syslog_msg(prelude_audisp_t)
|
||||||
|
+logging_audisp_system_domain(prelude_audisp_t, prelude_audisp_exec_t)
|
||||||
|
|
||||||
miscfiles_read_localization(prelude_audisp_t)
|
miscfiles_read_localization(prelude_audisp_t)
|
||||||
|
|
||||||
+logging_audisp_system_domain(prelude_audisp_t, prelude_audisp_exec_t)
|
+sysnet_dns_name_resolve(prelude_audisp_t)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+#
|
+#
|
||||||
@ -21424,7 +21489,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# prewikka_cgi Declarations
|
# prewikka_cgi Declarations
|
||||||
@@ -135,6 +233,10 @@
|
@@ -135,6 +234,10 @@
|
||||||
apache_content_template(prewikka)
|
apache_content_template(prewikka)
|
||||||
files_read_etc_files(httpd_prewikka_script_t)
|
files_read_etc_files(httpd_prewikka_script_t)
|
||||||
|
|
||||||
@ -23779,7 +23844,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.4.2/policy/modules/services/sendmail.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.4.2/policy/modules/services/sendmail.te
|
||||||
--- nsaserefpolicy/policy/modules/services/sendmail.te 2008-06-12 23:25:05.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/sendmail.te 2008-06-12 23:25:05.000000000 -0400
|
||||||
+++ serefpolicy-3.4.2/policy/modules/services/sendmail.te 2008-06-12 23:37:51.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/services/sendmail.te 2008-06-30 08:31:37.000000000 -0400
|
||||||
@@ -20,13 +20,17 @@
|
@@ -20,13 +20,17 @@
|
||||||
mta_mailserver_delivery(sendmail_t)
|
mta_mailserver_delivery(sendmail_t)
|
||||||
mta_mailserver_sender(sendmail_t)
|
mta_mailserver_sender(sendmail_t)
|
||||||
@ -27522,7 +27587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
')
|
')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.4.2/policy/modules/services/xserver.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.4.2/policy/modules/services/xserver.te
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2008-06-12 23:25:05.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/xserver.te 2008-06-12 23:25:05.000000000 -0400
|
||||||
+++ serefpolicy-3.4.2/policy/modules/services/xserver.te 2008-06-14 07:13:56.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/services/xserver.te 2008-06-29 08:15:37.000000000 -0400
|
||||||
@@ -8,6 +8,14 @@
|
@@ -8,6 +8,14 @@
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
@ -27803,7 +27868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
# Talk to the console mouse server.
|
# Talk to the console mouse server.
|
||||||
gpm_stream_connect(xdm_t)
|
gpm_stream_connect(xdm_t)
|
||||||
gpm_setattr_gpmctl(xdm_t)
|
gpm_setattr_gpmctl(xdm_t)
|
||||||
@@ -382,16 +472,26 @@
|
@@ -382,16 +472,32 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -27811,6 +27876,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
+ polkit_read_lib(xdm_t)
|
+ polkit_read_lib(xdm_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
+# On crash gdm execs gdb to dump stack
|
||||||
|
+optional_policy(`
|
||||||
|
+ rpm_read_db(xdm_t)
|
||||||
|
+ rpm_dontaudit_manage_db(xdm_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
seutil_sigchld_newrole(xdm_t)
|
seutil_sigchld_newrole(xdm_t)
|
||||||
')
|
')
|
||||||
@ -27831,7 +27902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
ifndef(`distro_redhat',`
|
ifndef(`distro_redhat',`
|
||||||
allow xdm_t self:process { execheap execmem };
|
allow xdm_t self:process { execheap execmem };
|
||||||
@@ -427,7 +527,7 @@
|
@@ -427,7 +533,7 @@
|
||||||
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
|
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
|
||||||
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
|
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
|
||||||
|
|
||||||
@ -27840,7 +27911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
# Label pid and temporary files with derived types.
|
# Label pid and temporary files with derived types.
|
||||||
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
|
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
|
||||||
@@ -439,6 +539,15 @@
|
@@ -439,6 +545,15 @@
|
||||||
can_exec(xdm_xserver_t, xkb_var_lib_t)
|
can_exec(xdm_xserver_t, xkb_var_lib_t)
|
||||||
files_search_var_lib(xdm_xserver_t)
|
files_search_var_lib(xdm_xserver_t)
|
||||||
|
|
||||||
@ -27856,7 +27927,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
# VNC v4 module in X server
|
# VNC v4 module in X server
|
||||||
corenet_tcp_bind_vnc_port(xdm_xserver_t)
|
corenet_tcp_bind_vnc_port(xdm_xserver_t)
|
||||||
|
|
||||||
@@ -450,10 +559,19 @@
|
@@ -450,10 +565,19 @@
|
||||||
# xdm_xserver_t may no longer have any reason
|
# xdm_xserver_t may no longer have any reason
|
||||||
# to read ROLE_home_t - examine this in more detail
|
# to read ROLE_home_t - examine this in more detail
|
||||||
# (xauth?)
|
# (xauth?)
|
||||||
@ -27877,7 +27948,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
tunable_policy(`use_nfs_home_dirs',`
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
fs_manage_nfs_dirs(xdm_xserver_t)
|
fs_manage_nfs_dirs(xdm_xserver_t)
|
||||||
fs_manage_nfs_files(xdm_xserver_t)
|
fs_manage_nfs_files(xdm_xserver_t)
|
||||||
@@ -468,7 +586,18 @@
|
@@ -468,7 +592,18 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_system_bus_client_template(xdm_xserver, xdm_xserver_t)
|
dbus_system_bus_client_template(xdm_xserver, xdm_xserver_t)
|
||||||
@ -27897,7 +27968,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -481,16 +610,32 @@
|
@@ -481,16 +616,32 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -27938,7 +28009,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -544,3 +689,10 @@
|
@@ -544,3 +695,10 @@
|
||||||
#
|
#
|
||||||
allow pam_t xdm_t:fifo_file { getattr ioctl write };
|
allow pam_t xdm_t:fifo_file { getattr ioctl write };
|
||||||
') dnl end TODO
|
') dnl end TODO
|
||||||
@ -28174,7 +28245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
|
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.4.2/policy/modules/system/authlogin.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.4.2/policy/modules/system/authlogin.if
|
||||||
--- nsaserefpolicy/policy/modules/system/authlogin.if 2008-06-12 23:25:07.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/authlogin.if 2008-06-12 23:25:07.000000000 -0400
|
||||||
+++ serefpolicy-3.4.2/policy/modules/system/authlogin.if 2008-06-12 23:37:53.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/system/authlogin.if 2008-06-30 16:47:52.000000000 -0400
|
||||||
@@ -56,10 +56,6 @@
|
@@ -56,10 +56,6 @@
|
||||||
miscfiles_read_localization($1_chkpwd_t)
|
miscfiles_read_localization($1_chkpwd_t)
|
||||||
|
|
||||||
@ -28232,7 +28303,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
# for SSP/ProPolice
|
# for SSP/ProPolice
|
||||||
dev_read_urand($1)
|
dev_read_urand($1)
|
||||||
# for fingerprint readers
|
# for fingerprint readers
|
||||||
@@ -226,8 +239,39 @@
|
@@ -216,6 +229,7 @@
|
||||||
|
auth_rw_faillog($1)
|
||||||
|
auth_exec_pam($1)
|
||||||
|
auth_use_nsswitch($1)
|
||||||
|
+ auth_manage_pam_pid($1)
|
||||||
|
|
||||||
|
init_rw_utmp($1)
|
||||||
|
|
||||||
|
@@ -226,8 +240,39 @@
|
||||||
seutil_read_config($1)
|
seutil_read_config($1)
|
||||||
seutil_read_default_contexts($1)
|
seutil_read_default_contexts($1)
|
||||||
|
|
||||||
@ -28272,7 +28351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -333,19 +377,15 @@
|
@@ -333,19 +378,15 @@
|
||||||
dev_read_rand($1)
|
dev_read_rand($1)
|
||||||
dev_read_urand($1)
|
dev_read_urand($1)
|
||||||
|
|
||||||
@ -28296,7 +28375,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -356,6 +396,28 @@
|
@@ -356,6 +397,28 @@
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
samba_stream_connect_winbind($1)
|
samba_stream_connect_winbind($1)
|
||||||
')
|
')
|
||||||
@ -28325,7 +28404,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -369,12 +431,12 @@
|
@@ -369,12 +432,12 @@
|
||||||
## </param>
|
## </param>
|
||||||
## <param name="role">
|
## <param name="role">
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -28340,7 +28419,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@@ -386,6 +448,7 @@
|
@@ -386,6 +449,7 @@
|
||||||
auth_domtrans_chk_passwd($1)
|
auth_domtrans_chk_passwd($1)
|
||||||
role $2 types system_chkpwd_t;
|
role $2 types system_chkpwd_t;
|
||||||
allow system_chkpwd_t $3:chr_file rw_file_perms;
|
allow system_chkpwd_t $3:chr_file rw_file_perms;
|
||||||
@ -28348,7 +28427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1447,6 +1510,10 @@
|
@@ -1447,6 +1511,10 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -28359,7 +28438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
nis_use_ypbind($1)
|
nis_use_ypbind($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -1457,6 +1524,7 @@
|
@@ -1457,6 +1525,7 @@
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
samba_stream_connect_winbind($1)
|
samba_stream_connect_winbind($1)
|
||||||
samba_read_var_files($1)
|
samba_read_var_files($1)
|
||||||
@ -28367,7 +28446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -1491,3 +1559,59 @@
|
@@ -1491,3 +1560,59 @@
|
||||||
typeattribute $1 can_write_shadow_passwords;
|
typeattribute $1 can_write_shadow_passwords;
|
||||||
typeattribute $1 can_relabelto_shadow_passwords;
|
typeattribute $1 can_relabelto_shadow_passwords;
|
||||||
')
|
')
|
||||||
@ -28630,6 +28709,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna
|
|||||||
role system_r types hostname_t;
|
role system_r types hostname_t;
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.4.2/policy/modules/system/hotplug.te
|
||||||
|
--- nsaserefpolicy/policy/modules/system/hotplug.te 2008-06-12 23:25:07.000000000 -0400
|
||||||
|
+++ serefpolicy-3.4.2/policy/modules/system/hotplug.te 2008-06-30 13:18:01.000000000 -0400
|
||||||
|
@@ -121,6 +121,7 @@
|
||||||
|
optional_policy(`
|
||||||
|
# for arping used for static IP addresses on PCMCIA ethernet
|
||||||
|
netutils_domtrans(hotplug_t)
|
||||||
|
+ netutils_signal(hotplug_t)
|
||||||
|
fs_rw_tmpfs_chr_files(hotplug_t)
|
||||||
|
')
|
||||||
|
files_getattr_generic_locks(hotplug_t)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.4.2/policy/modules/system/init.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.4.2/policy/modules/system/init.fc
|
||||||
--- nsaserefpolicy/policy/modules/system/init.fc 2008-06-12 23:25:07.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/init.fc 2008-06-12 23:25:07.000000000 -0400
|
||||||
+++ serefpolicy-3.4.2/policy/modules/system/init.fc 2008-06-12 23:37:53.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/system/init.fc 2008-06-12 23:37:53.000000000 -0400
|
||||||
|