- Fixes for svirt
parent
6130d52b7c
commit
cb51c2687c
@ -4771,7 +4771,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
|
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.10/policy/modules/kernel/files.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.10/policy/modules/kernel/files.if
|
||||||
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500
|
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500
|
||||||
+++ serefpolicy-3.6.10/policy/modules/kernel/files.if 2009-03-24 09:03:48.000000000 -0400
|
+++ serefpolicy-3.6.10/policy/modules/kernel/files.if 2009-03-26 21:12:48.000000000 -0400
|
||||||
@@ -110,6 +110,11 @@
|
@@ -110,6 +110,11 @@
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -5179,7 +5179,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
|
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.10/policy/modules/kernel/kernel.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.10/policy/modules/kernel/kernel.if
|
||||||
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-01-05 15:39:38.000000000 -0500
|
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-01-05 15:39:38.000000000 -0500
|
||||||
+++ serefpolicy-3.6.10/policy/modules/kernel/kernel.if 2009-03-24 09:03:48.000000000 -0400
|
+++ serefpolicy-3.6.10/policy/modules/kernel/kernel.if 2009-03-26 21:08:51.000000000 -0400
|
||||||
@@ -1197,6 +1197,26 @@
|
@@ -1197,6 +1197,26 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -5580,8 +5580,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+gen_user(guest_u, user, guest_r, s0, s0)
|
+gen_user(guest_u, user, guest_r, s0, s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.10/policy/modules/roles/staff.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.10/policy/modules/roles/staff.te
|
||||||
--- nsaserefpolicy/policy/modules/roles/staff.te 2008-11-11 16:13:47.000000000 -0500
|
--- nsaserefpolicy/policy/modules/roles/staff.te 2008-11-11 16:13:47.000000000 -0500
|
||||||
+++ serefpolicy-3.6.10/policy/modules/roles/staff.te 2009-03-24 09:03:48.000000000 -0400
|
+++ serefpolicy-3.6.10/policy/modules/roles/staff.te 2009-03-26 20:39:03.000000000 -0400
|
||||||
@@ -15,156 +15,88 @@
|
@@ -15,156 +15,90 @@
|
||||||
# Local policy
|
# Local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -5596,15 +5596,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
-optional_policy(`
|
-optional_policy(`
|
||||||
- auditadm_role_change(staff_r)
|
- auditadm_role_change(staff_r)
|
||||||
-')
|
-')
|
||||||
-
|
+kernel_read_ring_buffer(staff_t)
|
||||||
|
+kernel_getattr_core_if(staff_t)
|
||||||
|
+kernel_getattr_message_if(staff_t)
|
||||||
|
+kernel_read_software_raid_state(staff_t)
|
||||||
|
|
||||||
-optional_policy(`
|
-optional_policy(`
|
||||||
- bluetooth_role(staff_r, staff_t)
|
- bluetooth_role(staff_r, staff_t)
|
||||||
-')
|
-')
|
||||||
-
|
+auth_domtrans_pam_console(staff_t)
|
||||||
|
|
||||||
-optional_policy(`
|
-optional_policy(`
|
||||||
- cdrecord_role(staff_r, staff_t)
|
- cdrecord_role(staff_r, staff_t)
|
||||||
-')
|
-')
|
||||||
-
|
+libs_manage_shared_libs(staff_t)
|
||||||
|
|
||||||
-optional_policy(`
|
-optional_policy(`
|
||||||
- cron_role(staff_r, staff_t)
|
- cron_role(staff_r, staff_t)
|
||||||
-')
|
-')
|
||||||
@ -5612,8 +5618,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
-optional_policy(`
|
-optional_policy(`
|
||||||
- dbus_role_template(staff, staff_r, staff_t)
|
- dbus_role_template(staff, staff_r, staff_t)
|
||||||
-')
|
-')
|
||||||
-
|
+seutil_run_newrole(staff_t, staff_r)
|
||||||
-optional_policy(`
|
+netutils_run_ping(staff_t, staff_r)
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
- ethereal_role(staff_r, staff_t)
|
- ethereal_role(staff_r, staff_t)
|
||||||
-')
|
-')
|
||||||
-
|
-
|
||||||
@ -5644,107 +5652,100 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
-optional_policy(`
|
-optional_policy(`
|
||||||
- java_role(staff_r, staff_t)
|
- java_role(staff_r, staff_t)
|
||||||
-')
|
-')
|
||||||
+kernel_read_ring_buffer(staff_t)
|
-
|
||||||
+kernel_getattr_core_if(staff_t)
|
|
||||||
+kernel_getattr_message_if(staff_t)
|
|
||||||
+kernel_read_software_raid_state(staff_t)
|
|
||||||
|
|
||||||
-optional_policy(`
|
-optional_policy(`
|
||||||
- lockdev_role(staff_r, staff_t)
|
- lockdev_role(staff_r, staff_t)
|
||||||
-')
|
-')
|
||||||
+auth_domtrans_pam_console(staff_t)
|
-
|
||||||
|
|
||||||
-optional_policy(`
|
-optional_policy(`
|
||||||
- lpd_role(staff_r, staff_t)
|
- lpd_role(staff_r, staff_t)
|
||||||
-')
|
-')
|
||||||
+libs_manage_shared_libs(staff_t)
|
-
|
||||||
|
|
||||||
-optional_policy(`
|
-optional_policy(`
|
||||||
- mozilla_role(staff_r, staff_t)
|
- mozilla_role(staff_r, staff_t)
|
||||||
-')
|
|
||||||
+seutil_run_newrole(staff_t, staff_r)
|
|
||||||
+netutils_run_ping(staff_t, staff_r)
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
- mplayer_role(staff_r, staff_t)
|
|
||||||
+ sudo_role_template(staff, staff_r, staff_t)
|
+ sudo_role_template(staff, staff_r, staff_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- mta_role(staff_r, staff_t)
|
- mplayer_role(staff_r, staff_t)
|
||||||
+ auditadm_role_change(staff_r)
|
+ auditadm_role_change(staff_r)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
- mta_role(staff_r, staff_t)
|
||||||
|
+ kerneloops_manage_tmp_files(staff_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- oident_manage_user_content(staff_t)
|
- oident_manage_user_content(staff_t)
|
||||||
- oident_relabel_user_content(staff_t)
|
- oident_relabel_user_content(staff_t)
|
||||||
+ kerneloops_manage_tmp_files(staff_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
- pyzor_role(staff_r, staff_t)
|
|
||||||
+ logadm_role_change(staff_r)
|
+ logadm_role_change(staff_r)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- razor_role(staff_r, staff_t)
|
- pyzor_role(staff_r, staff_t)
|
||||||
+ secadm_role_change(staff_r)
|
+ secadm_role_change(staff_r)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- rssh_role(staff_r, staff_t)
|
- razor_role(staff_r, staff_t)
|
||||||
+ ssh_role_template(staff, staff_r, staff_t)
|
+ ssh_role_template(staff, staff_r, staff_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- screen_role_template(staff, staff_r, staff_t)
|
- rssh_role(staff_r, staff_t)
|
||||||
+ sysadm_role_change(staff_r)
|
+ sysadm_role_change(staff_r)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- secadm_role_change(staff_r)
|
- screen_role_template(staff, staff_r, staff_t)
|
||||||
+ usernetctl_run(staff_t, staff_r)
|
+ usernetctl_run(staff_t, staff_r)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- spamassassin_role(staff_r, staff_t)
|
- secadm_role_change(staff_r)
|
||||||
+ unconfined_role_change(staff_r)
|
+ unconfined_role_change(staff_r)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- ssh_role_template(staff, staff_r, staff_t)
|
- spamassassin_role(staff_r, staff_t)
|
||||||
+ webadm_role_change(staff_r)
|
+ webadm_role_change(staff_r)
|
||||||
')
|
')
|
||||||
|
|
||||||
-optional_policy(`
|
-optional_policy(`
|
||||||
- su_role_template(staff, staff_r, staff_t)
|
- ssh_role_template(staff, staff_r, staff_t)
|
||||||
-')
|
-')
|
||||||
+domain_read_all_domains_state(staff_t)
|
+domain_read_all_domains_state(staff_t)
|
||||||
+domain_getattr_all_domains(staff_t)
|
+domain_getattr_all_domains(staff_t)
|
||||||
+domain_obj_id_change_exemption(staff_t)
|
+domain_obj_id_change_exemption(staff_t)
|
||||||
|
|
||||||
-optional_policy(`
|
-optional_policy(`
|
||||||
- sudo_role_template(staff, staff_r, staff_t)
|
- su_role_template(staff, staff_r, staff_t)
|
||||||
-')
|
-')
|
||||||
+files_read_kernel_modules(staff_t)
|
+files_read_kernel_modules(staff_t)
|
||||||
|
|
||||||
|
-optional_policy(`
|
||||||
|
- sudo_role_template(staff, staff_r, staff_t)
|
||||||
|
-')
|
||||||
|
+kernel_read_fs_sysctls(staff_t)
|
||||||
|
|
||||||
-optional_policy(`
|
-optional_policy(`
|
||||||
- sysadm_role_change(staff_r)
|
- sysadm_role_change(staff_r)
|
||||||
- userdom_dontaudit_use_user_terminals(staff_t)
|
- userdom_dontaudit_use_user_terminals(staff_t)
|
||||||
-')
|
-')
|
||||||
+kernel_read_fs_sysctls(staff_t)
|
|
||||||
|
|
||||||
-optional_policy(`
|
|
||||||
- thunderbird_role(staff_r, staff_t)
|
|
||||||
-')
|
|
||||||
+modutils_read_module_config(staff_t)
|
+modutils_read_module_config(staff_t)
|
||||||
+modutils_read_module_deps(staff_t)
|
+modutils_read_module_deps(staff_t)
|
||||||
|
|
||||||
-optional_policy(`
|
-optional_policy(`
|
||||||
- tvtime_role(staff_r, staff_t)
|
- thunderbird_role(staff_r, staff_t)
|
||||||
-')
|
-')
|
||||||
+miscfiles_read_hwdata(staff_t)
|
+miscfiles_read_hwdata(staff_t)
|
||||||
|
|
||||||
|
-optional_policy(`
|
||||||
|
- tvtime_role(staff_r, staff_t)
|
||||||
|
-')
|
||||||
|
+term_use_unallocated_ttys(staff_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- uml_role(staff_r, staff_t)
|
- uml_role(staff_r, staff_t)
|
||||||
+ gnomeclock_dbus_chat(staff_t)
|
+ gnomeclock_dbus_chat(staff_t)
|
||||||
@ -9800,7 +9801,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.10/policy/modules/services/cups.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.10/policy/modules/services/cups.te
|
||||||
--- nsaserefpolicy/policy/modules/services/cups.te 2009-01-19 11:06:49.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/cups.te 2009-01-19 11:06:49.000000000 -0500
|
||||||
+++ serefpolicy-3.6.10/policy/modules/services/cups.te 2009-03-24 09:03:48.000000000 -0400
|
+++ serefpolicy-3.6.10/policy/modules/services/cups.te 2009-03-26 21:16:37.000000000 -0400
|
||||||
@@ -20,9 +20,18 @@
|
@@ -20,9 +20,18 @@
|
||||||
type cupsd_etc_t;
|
type cupsd_etc_t;
|
||||||
files_config_file(cupsd_etc_t)
|
files_config_file(cupsd_etc_t)
|
||||||
@ -10051,7 +10052,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
dontaudit cupsd_config_t self:capability sys_tty_config;
|
dontaudit cupsd_config_t self:capability sys_tty_config;
|
||||||
allow cupsd_config_t self:process signal_perms;
|
allow cupsd_config_t self:process signal_perms;
|
||||||
allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
|
allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
|
||||||
@@ -311,7 +370,7 @@
|
@@ -302,8 +361,10 @@
|
||||||
|
|
||||||
|
allow cupsd_config_t cupsd_log_t:file rw_file_perms;
|
||||||
|
|
||||||
|
-allow cupsd_config_t cupsd_tmp_t:file manage_file_perms;
|
||||||
|
-files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { file dir })
|
||||||
|
+manage_lnk_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
|
||||||
|
+manage_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
|
||||||
|
+manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
|
||||||
|
+files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
|
||||||
|
|
||||||
|
allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
|
||||||
|
|
||||||
|
@@ -311,7 +372,7 @@
|
||||||
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)
|
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)
|
||||||
|
|
||||||
kernel_read_system_state(cupsd_config_t)
|
kernel_read_system_state(cupsd_config_t)
|
||||||
@ -10060,7 +10074,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
corenet_all_recvfrom_unlabeled(cupsd_config_t)
|
corenet_all_recvfrom_unlabeled(cupsd_config_t)
|
||||||
corenet_all_recvfrom_netlabel(cupsd_config_t)
|
corenet_all_recvfrom_netlabel(cupsd_config_t)
|
||||||
@@ -324,6 +383,7 @@
|
@@ -324,6 +385,7 @@
|
||||||
dev_read_sysfs(cupsd_config_t)
|
dev_read_sysfs(cupsd_config_t)
|
||||||
dev_read_urand(cupsd_config_t)
|
dev_read_urand(cupsd_config_t)
|
||||||
dev_read_rand(cupsd_config_t)
|
dev_read_rand(cupsd_config_t)
|
||||||
@ -10068,7 +10082,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
fs_getattr_all_fs(cupsd_config_t)
|
fs_getattr_all_fs(cupsd_config_t)
|
||||||
fs_search_auto_mountpoints(cupsd_config_t)
|
fs_search_auto_mountpoints(cupsd_config_t)
|
||||||
@@ -341,13 +401,14 @@
|
@@ -341,13 +403,14 @@
|
||||||
files_read_var_symlinks(cupsd_config_t)
|
files_read_var_symlinks(cupsd_config_t)
|
||||||
|
|
||||||
# Alternatives asks for this
|
# Alternatives asks for this
|
||||||
@ -10084,7 +10098,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
seutil_dontaudit_search_config(cupsd_config_t)
|
seutil_dontaudit_search_config(cupsd_config_t)
|
||||||
|
|
||||||
@@ -359,14 +420,16 @@
|
@@ -359,14 +422,16 @@
|
||||||
lpd_read_config(cupsd_config_t)
|
lpd_read_config(cupsd_config_t)
|
||||||
|
|
||||||
ifdef(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
@ -10103,7 +10117,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
|
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -382,6 +445,7 @@
|
@@ -382,6 +447,7 @@
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
hal_domtrans(cupsd_config_t)
|
hal_domtrans(cupsd_config_t)
|
||||||
hal_read_tmp_files(cupsd_config_t)
|
hal_read_tmp_files(cupsd_config_t)
|
||||||
@ -10111,7 +10125,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -491,7 +555,10 @@
|
@@ -491,7 +557,10 @@
|
||||||
allow hplip_t self:udp_socket create_socket_perms;
|
allow hplip_t self:udp_socket create_socket_perms;
|
||||||
allow hplip_t self:rawip_socket create_socket_perms;
|
allow hplip_t self:rawip_socket create_socket_perms;
|
||||||
|
|
||||||
@ -10123,7 +10137,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
cups_stream_connect(hplip_t)
|
cups_stream_connect(hplip_t)
|
||||||
|
|
||||||
@@ -500,6 +567,10 @@
|
@@ -500,6 +569,10 @@
|
||||||
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
|
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
|
||||||
files_search_etc(hplip_t)
|
files_search_etc(hplip_t)
|
||||||
|
|
||||||
@ -10134,7 +10148,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
|
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
|
||||||
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
|
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
|
||||||
|
|
||||||
@@ -529,7 +600,8 @@
|
@@ -529,7 +602,8 @@
|
||||||
dev_read_urand(hplip_t)
|
dev_read_urand(hplip_t)
|
||||||
dev_read_rand(hplip_t)
|
dev_read_rand(hplip_t)
|
||||||
dev_rw_generic_usb_dev(hplip_t)
|
dev_rw_generic_usb_dev(hplip_t)
|
||||||
@ -10144,7 +10158,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
fs_getattr_all_fs(hplip_t)
|
fs_getattr_all_fs(hplip_t)
|
||||||
fs_search_auto_mountpoints(hplip_t)
|
fs_search_auto_mountpoints(hplip_t)
|
||||||
@@ -553,7 +625,9 @@
|
@@ -553,7 +627,9 @@
|
||||||
userdom_dontaudit_search_user_home_dirs(hplip_t)
|
userdom_dontaudit_search_user_home_dirs(hplip_t)
|
||||||
userdom_dontaudit_search_user_home_content(hplip_t)
|
userdom_dontaudit_search_user_home_content(hplip_t)
|
||||||
|
|
||||||
@ -10155,7 +10169,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_system_bus_client(hplip_t)
|
dbus_system_bus_client(hplip_t)
|
||||||
@@ -635,3 +709,49 @@
|
@@ -635,3 +711,49 @@
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
udev_read_db(ptal_t)
|
udev_read_db(ptal_t)
|
||||||
')
|
')
|
||||||
@ -23802,7 +23816,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.10/policy/modules/system/init.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.10/policy/modules/system/init.te
|
||||||
--- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500
|
||||||
+++ serefpolicy-3.6.10/policy/modules/system/init.te 2009-03-24 09:03:48.000000000 -0400
|
+++ serefpolicy-3.6.10/policy/modules/system/init.te 2009-03-26 20:09:40.000000000 -0400
|
||||||
@@ -17,6 +17,20 @@
|
@@ -17,6 +17,20 @@
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(init_upstart,false)
|
gen_tunable(init_upstart,false)
|
||||||
@ -24085,7 +24099,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
vmware_read_system_config(initrc_t)
|
vmware_read_system_config(initrc_t)
|
||||||
vmware_append_system_config(initrc_t)
|
vmware_append_system_config(initrc_t)
|
||||||
')
|
')
|
||||||
@@ -790,3 +865,11 @@
|
@@ -790,3 +865,17 @@
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
zebra_read_config(initrc_t)
|
zebra_read_config(initrc_t)
|
||||||
')
|
')
|
||||||
@ -24096,6 +24110,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ xserver_rw_xdm_home_files(daemon)
|
+ xserver_rw_xdm_home_files(daemon)
|
||||||
|
+ tunable_policy(`use_nfs_home_dirs',`
|
||||||
|
+ fs_dontaudit_rw_nfs_files(daemon)
|
||||||
|
+ ')
|
||||||
|
+ tunable_policy(`use_samba_home_dirs',`
|
||||||
|
+ fs_dontaudit_rw_cifs_files(daemon)
|
||||||
|
+ ')
|
||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.6.10/policy/modules/system/ipsec.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.6.10/policy/modules/system/ipsec.fc
|
||||||
--- nsaserefpolicy/policy/modules/system/ipsec.fc 2008-08-07 11:15:12.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/ipsec.fc 2008-08-07 11:15:12.000000000 -0400
|
||||||
@ -27414,7 +27434,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
|
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.10/policy/modules/system/userdomain.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.10/policy/modules/system/userdomain.if
|
||||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
|
||||||
+++ serefpolicy-3.6.10/policy/modules/system/userdomain.if 2009-03-24 09:03:48.000000000 -0400
|
+++ serefpolicy-3.6.10/policy/modules/system/userdomain.if 2009-03-26 20:35:29.000000000 -0400
|
||||||
@@ -30,8 +30,9 @@
|
@@ -30,8 +30,9 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -29354,8 +29374,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+# No application file contexts.
|
+# No application file contexts.
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.if serefpolicy-3.6.10/policy/modules/system/virtual.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.if serefpolicy-3.6.10/policy/modules/system/virtual.if
|
||||||
--- nsaserefpolicy/policy/modules/system/virtual.if 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/virtual.if 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.6.10/policy/modules/system/virtual.if 2009-03-26 14:24:01.000000000 -0400
|
+++ serefpolicy-3.6.10/policy/modules/system/virtual.if 2009-03-26 20:45:05.000000000 -0400
|
||||||
@@ -0,0 +1,110 @@
|
@@ -0,0 +1,113 @@
|
||||||
+## <summary>Virtual machine emulator and virtualizer</summary>
|
+## <summary>Virtual machine emulator and virtualizer</summary>
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -29385,6 +29405,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
+ # start with basic domain
|
+ # start with basic domain
|
||||||
+ domain_type($1)
|
+ domain_type($1)
|
||||||
|
+
|
||||||
|
+ # could be started by libvirt
|
||||||
|
+ domain_user_exemption_target($1)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -29468,8 +29491,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.10/policy/modules/system/virtual.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.10/policy/modules/system/virtual.te
|
||||||
--- nsaserefpolicy/policy/modules/system/virtual.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/virtual.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.6.10/policy/modules/system/virtual.te 2009-03-26 14:21:16.000000000 -0400
|
+++ serefpolicy-3.6.10/policy/modules/system/virtual.te 2009-03-26 20:44:37.000000000 -0400
|
||||||
@@ -0,0 +1,81 @@
|
@@ -0,0 +1,80 @@
|
||||||
+
|
+
|
||||||
+policy_module(virtualization, 1.1.2)
|
+policy_module(virtualization, 1.1.2)
|
||||||
+
|
+
|
||||||
@ -29513,7 +29536,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+dev_rw_qemu(virtualdomain)
|
+dev_rw_qemu(virtualdomain)
|
||||||
+
|
+
|
||||||
+domain_use_interactive_fds(virtualdomain)
|
+domain_use_interactive_fds(virtualdomain)
|
||||||
+domain_user_exemption_target(virtualdomain)
|
|
||||||
+
|
+
|
||||||
+files_read_etc_files(virtualdomain)
|
+files_read_etc_files(virtualdomain)
|
||||||
+files_read_usr_files(virtualdomain)
|
+files_read_usr_files(virtualdomain)
|
||||||
|
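Review bot: The added `fs_dontaudit_rw_nfs_files(daemon)` and `fs_dontaudit_rw_cifs_files(daemon)` lines in the init.te hunk (`@@ -790,3 +865,17 @@`) are applied to the whole `daemon` attribute. Judging by the interface names, read/write denials on NFS and CIFS files would then go unlogged for every daemon domain once `use_nfs_home_dirs` or `use_samba_home_dirs` is enabled. Those AVC records are what an operator would use to notice a service touching network-mounted home directories, so the suppression deserves a stated reason. If the cause is a descriptor inherited from xdm, as the neighbouring `xserver_rw_xdm_home_files(daemon)` suggests, I would add a comment above the two `tunable_policy` blocks such as `# dontaudit only: daemons inherit xdm home-file descriptors on NFS/CIFS homes`. I would also consider naming the affected domains instead of `daemon`.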