- Allow cron to look at user_cron_spool links
- Lots of fixes for mozilla_plugin_t - Add sysv file system - Turn unconfined domains to permissive to find additional avcs
This commit is contained in:
Dan Walsh
parent
3cacc01467
commit
cc138e86b5
372
policy-F14.patch
372
policy-F14.patch
|
|
@ -4846,7 +4846,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
|
|||
## </summary>
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.8.8/policy/modules/apps/mozilla.te
|
||||
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2010-07-27 16:06:04.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/apps/mozilla.te 2010-08-23 18:10:04.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/apps/mozilla.te 2010-08-24 10:04:03.000000000 -0400
|
||||
@@ -25,6 +25,7 @@
|
||||
type mozilla_home_t;
|
||||
typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
|
||||
|
|
@ -4910,7 +4910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
|
|||
pulseaudio_exec(mozilla_t)
|
||||
pulseaudio_stream_connect(mozilla_t)
|
||||
pulseaudio_manage_home_files(mozilla_t)
|
||||
@@ -266,3 +284,42 @@
|
||||
@@ -266,3 +284,46 @@
|
||||
optional_policy(`
|
||||
thunderbird_domtrans(mozilla_t)
|
||||
')
|
||||
|
|
@ -4924,10 +4924,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
|
|||
+allow mozilla_plugin_t self:sem create_sem_perms;
|
||||
+allow mozilla_plugin_t self:shm create_shm_perms;
|
||||
+allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
|
||||
+allow mozilla_plugin_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
+
|
||||
+read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
|
||||
+
|
||||
+kernel_read_kernel_sysctls(mozilla_plugin_t)
|
||||
+kernel_read_system_state(mozilla_plugin_t)
|
||||
+kernel_request_load_module(mozilla_plugin_t)
|
||||
+
|
||||
+corecmd_exec_bin(mozilla_plugin_t)
|
||||
|
|
@ -4942,16 +4944,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
|
|||
+files_read_usr_files(mozilla_plugin_t)
|
||||
+
|
||||
+miscfiles_read_localization(mozilla_plugin_t)
|
||||
+allow mozilla_plugin_t self:process setsched;
|
||||
+
|
||||
+allow mozilla_plugin_t self:unix_stream_socket connectto;
|
||||
+term_getattr_all_ttys(mozilla_plugin_t)
|
||||
+term_getattr_all_ptys(mozilla_plugin_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ nsplugin_domtrans(mozilla_plugin_t)
|
||||
+ nsplugin_rw_exec(mozilla_plugin_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ xserver_read_xdm_pid(mozilla_plugin_t)
|
||||
+ xserver_stream_connect(mozilla_plugin_t)
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.8.8/policy/modules/apps/mplayer.if
|
||||
--- nsaserefpolicy/policy/modules/apps/mplayer.if 2010-07-27 16:06:04.000000000 -0400
|
||||
|
|
@ -5051,7 +5055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
|||
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.8.8/policy/modules/apps/nsplugin.if
|
||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.if 2010-08-23 17:57:01.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.if 2010-08-24 10:00:03.000000000 -0400
|
||||
@@ -0,0 +1,391 @@
|
||||
+
|
||||
+## <summary>policy for nsplugin</summary>
|
||||
|
|
@ -6544,8 +6548,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
|
|||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.8.8/policy/modules/apps/sandbox.te
|
||||
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.8.8/policy/modules/apps/sandbox.te 2010-08-23 17:16:41.000000000 -0400
|
||||
@@ -0,0 +1,400 @@
|
||||
+++ serefpolicy-3.8.8/policy/modules/apps/sandbox.te 2010-08-23 18:24:37.000000000 -0400
|
||||
@@ -0,0 +1,401 @@
|
||||
+policy_module(sandbox,1.0.0)
|
||||
+dbus_stub()
|
||||
+attribute sandbox_domain;
|
||||
|
|
@ -6826,6 +6830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
|
|||
+allow sandbox_web_type self:netlink_selinux_socket create_socket_perms;
|
||||
+
|
||||
+kernel_dontaudit_search_kernel_sysctl(sandbox_web_type)
|
||||
+kernel_request_load_module(sandbox_web_type)
|
||||
+
|
||||
+dev_read_rand(sandbox_web_type)
|
||||
+dev_write_sound(sandbox_web_type)
|
||||
|
|
@ -9690,7 +9695,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
|
|||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.8.8/policy/modules/kernel/filesystem.te
|
||||
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2010-07-27 16:06:05.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.te 2010-07-30 14:06:53.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.te 2010-08-24 10:24:43.000000000 -0400
|
||||
@@ -52,6 +52,7 @@
|
||||
fs_type(anon_inodefs_t)
|
||||
files_mountpoint(anon_inodefs_t)
|
||||
|
|
@ -9724,7 +9729,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
|
|||
type inotifyfs_t;
|
||||
fs_type(inotifyfs_t)
|
||||
genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
|
||||
@@ -248,6 +258,7 @@
|
||||
@@ -148,6 +158,12 @@
|
||||
genfscon squash / gen_context(system_u:object_r:squash_t,s0)
|
||||
files_mountpoint(squash_t)
|
||||
|
||||
+type sysv_t;
|
||||
+fs_noxattr_type(sysv_t)
|
||||
+files_mountpoint(sysv_t)
|
||||
+genfscon sysv / gen_context(system_u:object_r:sysv_t,s0)
|
||||
+genfscon v7 / gen_context(system_u:object_r:sysv_t,s0)
|
||||
+
|
||||
type vmblock_t;
|
||||
fs_noxattr_type(vmblock_t)
|
||||
files_mountpoint(vmblock_t)
|
||||
@@ -248,6 +264,7 @@
|
||||
type removable_t;
|
||||
allow removable_t noxattrfs:filesystem associate;
|
||||
fs_noxattr_type(removable_t)
|
||||
|
|
@ -10027,7 +10045,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
|
|||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.8.8/policy/modules/kernel/terminal.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2010-07-27 16:12:33.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/kernel/terminal.if 2010-08-03 13:44:23.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/kernel/terminal.if 2010-08-24 10:01:21.000000000 -0400
|
||||
@@ -292,9 +292,11 @@
|
||||
interface(`term_dontaudit_use_console',`
|
||||
gen_require(`
|
||||
|
|
@ -13745,7 +13763,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.
|
|||
#
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.8.8/policy/modules/services/apm.te
|
||||
--- nsaserefpolicy/policy/modules/services/apm.te 2010-07-27 16:06:05.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/apm.te 2010-07-30 14:06:53.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/apm.te 2010-08-24 15:48:30.000000000 -0400
|
||||
@@ -62,6 +62,7 @@
|
||||
dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
|
||||
allow apmd_t self:process { signal_perms getsession };
|
||||
|
|
@ -13773,6 +13791,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.
|
|||
sysnet_domtrans_ifconfig(apmd_t)
|
||||
')
|
||||
|
||||
@@ -218,9 +224,13 @@
|
||||
udev_read_state(apmd_t) #necessary?
|
||||
')
|
||||
|
||||
+ifdef(`enforcing',`
|
||||
optional_policy(`
|
||||
unconfined_domain(apmd_t)
|
||||
')
|
||||
+', `
|
||||
+ permissive apmd_t;
|
||||
+')
|
||||
|
||||
optional_policy(`
|
||||
vbetool_domtrans(apmd_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.8.8/policy/modules/services/arpwatch.te
|
||||
--- nsaserefpolicy/policy/modules/services/arpwatch.te 2010-07-27 16:06:05.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/arpwatch.te 2010-08-03 09:15:01.000000000 -0400
|
||||
|
|
@ -14223,7 +14255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
|
|||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.8.8/policy/modules/services/boinc.te
|
||||
--- nsaserefpolicy/policy/modules/services/boinc.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/boinc.te 2010-08-23 09:55:03.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/boinc.te 2010-08-24 22:47:01.000000000 -0400
|
||||
@@ -0,0 +1,152 @@
|
||||
+policy_module(boinc,1.0.0)
|
||||
+
|
||||
|
|
@ -14281,7 +14313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
|
|||
+exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
|
||||
+manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
|
||||
+manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
|
||||
+files_var_lib_filetrans(boinc_t, boinc_var_lib_t, { file dir } )
|
||||
+filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, { dir })
|
||||
+
|
||||
+manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
|
||||
+manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
|
||||
|
|
@ -16315,7 +16347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
|||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.8.8/policy/modules/services/cron.te
|
||||
--- nsaserefpolicy/policy/modules/services/cron.te 2010-07-27 16:06:05.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/cron.te 2010-08-13 11:29:11.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/cron.te 2010-08-24 09:31:07.000000000 -0400
|
||||
@@ -63,9 +63,12 @@
|
||||
|
||||
type crond_tmp_t;
|
||||
|
|
@ -16601,14 +16633,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
|||
unconfined_domain(system_cronjob_t)
|
||||
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
|
||||
')
|
||||
@@ -590,6 +675,7 @@
|
||||
@@ -590,7 +675,9 @@
|
||||
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
|
||||
|
||||
list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
|
||||
+rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
|
||||
read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
|
||||
+read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
|
||||
|
||||
tunable_policy(`fcron_crond', `
|
||||
allow crond_t user_cron_spool_t:file manage_file_perms;
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.8.8/policy/modules/services/cups.fc
|
||||
--- nsaserefpolicy/policy/modules/services/cups.fc 2010-07-27 16:06:05.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/cups.fc 2010-07-30 14:06:53.000000000 -0400
|
||||
|
|
@ -17031,7 +17065,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
|
|||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.8.8/policy/modules/services/devicekit.te
|
||||
--- nsaserefpolicy/policy/modules/services/devicekit.te 2010-07-27 16:06:05.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/devicekit.te 2010-08-10 11:09:06.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/devicekit.te 2010-08-24 15:48:30.000000000 -0400
|
||||
@@ -75,10 +75,12 @@
|
||||
manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
|
||||
files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
|
||||
|
|
@ -17057,15 +17091,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
|
|||
files_manage_isid_type_dirs(devicekit_disk_t)
|
||||
files_manage_mnt_dirs(devicekit_disk_t)
|
||||
files_read_etc_files(devicekit_disk_t)
|
||||
@@ -178,13 +182,19 @@
|
||||
@@ -178,13 +182,25 @@
|
||||
virt_manage_images(devicekit_disk_t)
|
||||
')
|
||||
|
||||
+ifdef(`enforcing',`
|
||||
+optional_policy(`
|
||||
+ unconfined_domain(devicekit_t)
|
||||
+ unconfined_domain(devicekit_power_t)
|
||||
+ unconfined_domain(devicekit_disk_t)
|
||||
+')
|
||||
+', `
|
||||
+ permissive devicekit_t;
|
||||
+ permissive devicekit_power_t;
|
||||
+ permissive devicekit_disk_t;
|
||||
+')
|
||||
+
|
||||
########################################
|
||||
#
|
||||
|
|
@ -17212,7 +17252,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
|
|||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.8.8/policy/modules/services/dovecot.te
|
||||
--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-07-27 16:06:05.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/dovecot.te 2010-08-16 07:30:39.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/dovecot.te 2010-08-24 10:17:59.000000000 -0400
|
||||
@@ -18,7 +18,7 @@
|
||||
files_tmp_file(dovecot_auth_tmp_t)
|
||||
|
||||
|
|
@ -17254,7 +17294,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
|
|||
|
||||
kernel_read_kernel_sysctls(dovecot_t)
|
||||
kernel_read_system_state(dovecot_t)
|
||||
@@ -242,6 +244,7 @@
|
||||
@@ -159,6 +161,11 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ postfix_manage_private_sockets(dovecot_t)
|
||||
+ postfix_search_spool(dovecot_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
postgresql_stream_connect(dovecot_t)
|
||||
')
|
||||
|
||||
@@ -242,6 +249,7 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -17262,7 +17314,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
|
|||
postfix_search_spool(dovecot_auth_t)
|
||||
')
|
||||
|
||||
@@ -253,19 +256,26 @@
|
||||
@@ -253,19 +261,26 @@
|
||||
|
||||
allow dovecot_deliver_t dovecot_t:process signull;
|
||||
|
||||
|
|
@ -17291,7 +17343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
|
|||
|
||||
miscfiles_read_localization(dovecot_deliver_t)
|
||||
|
||||
@@ -302,4 +312,5 @@
|
||||
@@ -302,4 +317,5 @@
|
||||
|
||||
optional_policy(`
|
||||
mta_manage_spool(dovecot_deliver_t)
|
||||
|
|
@ -23675,6 +23727,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remo
|
|||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-3.8.8/policy/modules/services/remotelogin.te
|
||||
--- nsaserefpolicy/policy/modules/services/remotelogin.te 2010-07-27 16:06:06.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/remotelogin.te 2010-08-24 09:11:29.000000000 -0400
|
||||
@@ -114,7 +114,6 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- unconfined_domain(remote_login_t)
|
||||
unconfined_shell_domtrans(remote_login_t)
|
||||
')
|
||||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.8.8/policy/modules/services/rgmanager.fc
|
||||
--- nsaserefpolicy/policy/modules/services/rgmanager.fc 2010-07-27 16:06:06.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/rgmanager.fc 2010-07-30 14:06:53.000000000 -0400
|
||||
|
|
@ -23754,7 +23817,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
|
|||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.8.8/policy/modules/services/rgmanager.te
|
||||
--- nsaserefpolicy/policy/modules/services/rgmanager.te 2010-07-27 16:06:06.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/rgmanager.te 2010-07-30 14:06:53.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/rgmanager.te 2010-08-24 09:12:13.000000000 -0400
|
||||
@@ -17,6 +17,9 @@
|
||||
domain_type(rgmanager_t)
|
||||
init_daemon_domain(rgmanager_t, rgmanager_exec_t)
|
||||
|
|
@ -23814,6 +23877,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
|
|||
mysql_domtrans_mysql_safe(rgmanager_t)
|
||||
mysql_stream_connect(rgmanager_t)
|
||||
')
|
||||
@@ -193,9 +209,13 @@
|
||||
virt_stream_connect(rgmanager_t)
|
||||
')
|
||||
|
||||
+ifdef(`enforcing',`
|
||||
optional_policy(`
|
||||
unconfined_domain(rgmanager_t)
|
||||
')
|
||||
+', `
|
||||
+ permissive rgmanager_t;
|
||||
+')
|
||||
|
||||
optional_policy(`
|
||||
xen_domtrans_xm(rgmanager_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.8.8/policy/modules/services/rhcs.fc
|
||||
--- nsaserefpolicy/policy/modules/services/rhcs.fc 2010-07-27 16:06:06.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/rhcs.fc 2010-08-10 11:56:57.000000000 -0400
|
||||
|
|
@ -24224,7 +24301,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
|
|||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.8.8/policy/modules/services/ricci.te
|
||||
--- nsaserefpolicy/policy/modules/services/ricci.te 2010-07-27 16:06:06.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/ricci.te 2010-08-10 05:23:35.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/ricci.te 2010-08-24 09:12:28.000000000 -0400
|
||||
@@ -10,6 +10,9 @@
|
||||
domain_type(ricci_t)
|
||||
init_daemon_domain(ricci_t, ricci_exec_t)
|
||||
|
|
@ -24264,18 +24341,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
|
|||
unconfined_use_fds(ricci_t)
|
||||
')
|
||||
|
||||
@@ -241,6 +252,10 @@
|
||||
@@ -241,8 +252,7 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- # XXX This has got to go.
|
||||
- unconfined_domain(ricci_modcluster_t)
|
||||
+ rgmanager_stream_connect(ricci_modclusterd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
# XXX This has got to go.
|
||||
unconfined_domain(ricci_modcluster_t)
|
||||
')
|
||||
@@ -261,6 +276,10 @@
|
||||
|
||||
########################################
|
||||
@@ -261,6 +271,10 @@
|
||||
allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
|
||||
allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;
|
||||
|
||||
|
|
@ -24286,7 +24362,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
|
|||
allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
|
||||
manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
|
||||
manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
|
||||
@@ -272,6 +291,7 @@
|
||||
@@ -272,6 +286,7 @@
|
||||
|
||||
kernel_read_kernel_sysctls(ricci_modclusterd_t)
|
||||
kernel_read_system_state(ricci_modclusterd_t)
|
||||
|
|
@ -24294,7 +24370,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
|
|||
|
||||
corecmd_exec_bin(ricci_modclusterd_t)
|
||||
|
||||
@@ -444,6 +464,12 @@
|
||||
@@ -444,6 +459,12 @@
|
||||
files_read_usr_files(ricci_modstorage_t)
|
||||
files_read_kernel_modules(ricci_modstorage_t)
|
||||
|
||||
|
|
@ -27185,7 +27261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
|
|||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.8.8/policy/modules/services/virt.te
|
||||
--- nsaserefpolicy/policy/modules/services/virt.te 2010-07-27 16:06:06.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/virt.te 2010-08-10 05:23:35.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/virt.te 2010-08-24 09:12:59.000000000 -0400
|
||||
@@ -4,6 +4,7 @@
|
||||
#
|
||||
# Declarations
|
||||
|
|
@ -27433,7 +27509,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -402,6 +459,19 @@
|
||||
@@ -385,9 +442,13 @@
|
||||
udev_read_db(virtd_t)
|
||||
')
|
||||
|
||||
+ifdef(`enforcing',`
|
||||
optional_policy(`
|
||||
unconfined_domain(virtd_t)
|
||||
')
|
||||
+', `
|
||||
+ permissive virtd_t;
|
||||
+')
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -402,6 +463,19 @@
|
||||
allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
|
||||
allow virt_domain self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
|
|
@ -27453,7 +27543,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
|
|||
append_files_pattern(virt_domain, virt_log_t, virt_log_t)
|
||||
|
||||
append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
|
||||
@@ -422,6 +492,7 @@
|
||||
@@ -422,6 +496,7 @@
|
||||
corenet_tcp_bind_virt_migration_port(virt_domain)
|
||||
corenet_tcp_connect_virt_migration_port(virt_domain)
|
||||
|
||||
|
|
@ -27461,7 +27551,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
|
|||
dev_read_rand(virt_domain)
|
||||
dev_read_sound(virt_domain)
|
||||
dev_read_urand(virt_domain)
|
||||
@@ -429,10 +500,12 @@
|
||||
@@ -429,10 +504,12 @@
|
||||
dev_rw_ksm(virt_domain)
|
||||
dev_rw_kvm(virt_domain)
|
||||
dev_rw_qemu(virt_domain)
|
||||
|
|
@ -27474,7 +27564,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
|
|||
files_read_usr_files(virt_domain)
|
||||
files_read_var_files(virt_domain)
|
||||
files_search_all(virt_domain)
|
||||
@@ -440,6 +513,11 @@
|
||||
@@ -440,6 +517,11 @@
|
||||
fs_getattr_tmpfs(virt_domain)
|
||||
fs_rw_anon_inodefs_files(virt_domain)
|
||||
fs_rw_tmpfs_files(virt_domain)
|
||||
|
|
@ -27486,7 +27576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
|
|||
|
||||
term_use_all_terms(virt_domain)
|
||||
term_getattr_pty_fs(virt_domain)
|
||||
@@ -457,8 +535,121 @@
|
||||
@@ -457,8 +539,121 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -27762,7 +27852,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.8.8/policy/modules/services/xserver.if
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.if 2010-07-27 16:06:06.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/xserver.if 2010-08-23 17:59:07.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/xserver.if 2010-08-24 10:28:17.000000000 -0400
|
||||
@@ -19,9 +19,10 @@
|
||||
interface(`xserver_restricted_role',`
|
||||
gen_require(`
|
||||
|
|
@ -28375,7 +28465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.8.8/policy/modules/services/xserver.te
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-07-27 16:06:06.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/xserver.te 2010-08-11 08:03:36.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/services/xserver.te 2010-08-24 10:03:23.000000000 -0400
|
||||
@@ -35,6 +35,13 @@
|
||||
|
||||
## <desc>
|
||||
|
|
@ -29177,7 +29267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
|
||||
userdom_search_user_home_dirs(xserver_t)
|
||||
userdom_use_user_ttys(xserver_t)
|
||||
@@ -775,12 +1072,28 @@
|
||||
@@ -775,14 +1072,34 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -29202,12 +29292,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
+ udev_read_db(xserver_t)
|
||||
+')
|
||||
+
|
||||
+ifdef(`enforcing',`
|
||||
+optional_policy(`
|
||||
+ unconfined_domain(xserver_t)
|
||||
unconfined_domtrans(xserver_t)
|
||||
')
|
||||
+', `
|
||||
+ permissive xserver_t;
|
||||
+')
|
||||
|
||||
@@ -804,10 +1117,10 @@
|
||||
optional_policy(`
|
||||
userhelper_search_config(xserver_t)
|
||||
@@ -804,10 +1121,10 @@
|
||||
|
||||
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
|
||||
# handle of a file inside the dir!!!
|
||||
|
|
@ -29220,7 +29316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
|
||||
# Label pid and temporary files with derived types.
|
||||
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||
@@ -828,6 +1141,13 @@
|
||||
@@ -828,6 +1145,13 @@
|
||||
# to read ROLE_home_t - examine this in more detail
|
||||
# (xauth?)
|
||||
userdom_read_user_home_content_files(xserver_t)
|
||||
|
|
@ -29234,7 +29330,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs(xserver_t)
|
||||
@@ -843,11 +1163,14 @@
|
||||
@@ -843,11 +1167,14 @@
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(xserver_t)
|
||||
|
|
@ -29251,7 +29347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -993,3 +1316,33 @@
|
||||
@@ -993,3 +1320,33 @@
|
||||
allow xserver_unconfined_type xextension_type:x_extension *;
|
||||
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
|
||||
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
|
||||
|
|
@ -30108,7 +30204,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
|
|||
#
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.8.8/policy/modules/system/fstools.te
|
||||
--- nsaserefpolicy/policy/modules/system/fstools.te 2010-07-27 16:06:06.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/system/fstools.te 2010-08-23 08:25:15.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/system/fstools.te 2010-08-24 15:48:29.000000000 -0400
|
||||
@@ -55,6 +55,7 @@
|
||||
|
||||
kernel_read_system_state(fsadm_t)
|
||||
|
|
@ -30126,7 +30222,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
|
|||
# Recreate /mnt/cdrom.
|
||||
files_manage_mnt_dirs(fsadm_t)
|
||||
# for tune2fs
|
||||
@@ -147,7 +150,7 @@
|
||||
@@ -147,12 +150,16 @@
|
||||
|
||||
seutil_read_config(fsadm_t)
|
||||
|
||||
|
|
@ -30134,8 +30230,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
|
|||
+term_use_all_terms(fsadm_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
+ifdef(`enforcing',`
|
||||
optional_policy(`
|
||||
@@ -166,6 +169,14 @@
|
||||
unconfined_domain(fsadm_t)
|
||||
')
|
||||
+', `
|
||||
+ permissive fsadm_t;
|
||||
+')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -166,6 +173,14 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -32032,7 +32137,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
|
|||
+/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.8.8/policy/modules/system/libraries.te
|
||||
--- nsaserefpolicy/policy/modules/system/libraries.te 2010-07-27 16:06:06.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/system/libraries.te 2010-07-30 14:06:53.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/system/libraries.te 2010-08-24 09:14:30.000000000 -0400
|
||||
@@ -61,7 +61,7 @@
|
||||
|
||||
manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
|
||||
|
|
@ -32069,6 +32174,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
|
|||
ifdef(`hide_broken_symptoms',`
|
||||
ifdef(`distro_gentoo',`
|
||||
# leaked fds from portage
|
||||
@@ -141,6 +147,10 @@
|
||||
rpm_manage_script_tmp_files(ldconfig_t)
|
||||
')
|
||||
|
||||
+ifdef(`enforcing',`
|
||||
optional_policy(`
|
||||
unconfined_domain(ldconfig_t)
|
||||
+')'
|
||||
+, `
|
||||
+ permissive ldconfig_t;
|
||||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.fc serefpolicy-3.8.8/policy/modules/system/locallogin.fc
|
||||
--- nsaserefpolicy/policy/modules/system/locallogin.fc 2010-07-27 16:06:06.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/system/locallogin.fc 2010-07-30 14:06:53.000000000 -0400
|
||||
|
|
@ -32490,20 +32606,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if
|
|||
## <rolecap/>
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.8.8/policy/modules/system/lvm.te
|
||||
--- nsaserefpolicy/policy/modules/system/lvm.te 2010-07-27 16:06:06.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/system/lvm.te 2010-08-23 18:10:53.000000000 -0400
|
||||
@@ -141,6 +141,11 @@
|
||||
')
|
||||
+++ serefpolicy-3.8.8/policy/modules/system/lvm.te 2010-08-24 15:48:29.000000000 -0400
|
||||
@@ -135,9 +135,18 @@
|
||||
lvm_read_config(clvmd_t)
|
||||
|
||||
optional_policy(`
|
||||
+ aisexec_stream_connect(clvmd_t)
|
||||
+ corosync_stream_connect(clvmd_t)
|
||||
ifdef(`distro_redhat',`
|
||||
+ifdef(`enforcing',`
|
||||
optional_policy(`
|
||||
unconfined_domain(clvmd_t)
|
||||
')
|
||||
+', `
|
||||
+ permissive clvmd_t;
|
||||
+')
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
ccs_stream_connect(clvmd_t)
|
||||
+ aisexec_stream_connect(clvmd_t)
|
||||
+ corosync_stream_connect(clvmd_t)
|
||||
')
|
||||
|
||||
@@ -170,6 +175,7 @@
|
||||
optional_policy(`
|
||||
@@ -170,6 +179,7 @@
|
||||
allow lvm_t self:process { sigchld sigkill sigstop signull signal };
|
||||
# LVM will complain a lot if it cannot set its priority.
|
||||
allow lvm_t self:process setsched;
|
||||
|
|
@ -32511,7 +32634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
|
|||
allow lvm_t self:file rw_file_perms;
|
||||
allow lvm_t self:fifo_file manage_fifo_file_perms;
|
||||
allow lvm_t self:unix_dgram_socket create_socket_perms;
|
||||
@@ -210,12 +216,15 @@
|
||||
@@ -210,12 +220,15 @@
|
||||
files_etc_filetrans(lvm_t, lvm_metadata_t, file)
|
||||
files_search_mnt(lvm_t)
|
||||
|
||||
|
|
@ -32527,7 +32650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
|
|||
kernel_search_debugfs(lvm_t)
|
||||
|
||||
corecmd_exec_bin(lvm_t)
|
||||
@@ -242,6 +251,7 @@
|
||||
@@ -242,6 +255,7 @@
|
||||
dev_dontaudit_getattr_generic_blk_files(lvm_t)
|
||||
dev_dontaudit_getattr_generic_pipes(lvm_t)
|
||||
dev_create_generic_dirs(lvm_t)
|
||||
|
|
@ -32535,7 +32658,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
|
|||
|
||||
domain_use_interactive_fds(lvm_t)
|
||||
domain_read_all_domains_state(lvm_t)
|
||||
@@ -251,8 +261,9 @@
|
||||
@@ -251,8 +265,9 @@
|
||||
files_read_etc_runtime_files(lvm_t)
|
||||
# for when /usr is not mounted:
|
||||
files_dontaudit_search_isid_type_dirs(lvm_t)
|
||||
|
|
@ -32546,7 +32669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
|
|||
fs_search_auto_mountpoints(lvm_t)
|
||||
fs_list_tmpfs(lvm_t)
|
||||
fs_read_tmpfs_symlinks(lvm_t)
|
||||
@@ -262,6 +273,7 @@
|
||||
@@ -262,6 +277,7 @@
|
||||
|
||||
mls_file_read_all_levels(lvm_t)
|
||||
mls_file_write_to_clearance(lvm_t)
|
||||
|
|
@ -32554,19 +32677,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
|
|||
|
||||
selinux_get_fs_mount(lvm_t)
|
||||
selinux_validate_context(lvm_t)
|
||||
@@ -309,6 +321,11 @@
|
||||
')
|
||||
@@ -303,9 +319,18 @@
|
||||
# this is from the initrd:
|
||||
files_rw_isid_type_dirs(lvm_t)
|
||||
|
||||
optional_policy(`
|
||||
+ aisexec_stream_connect(lvm_t)
|
||||
+ corosync_stream_connect(lvm_t)
|
||||
+ifdef(`enforcing',`
|
||||
optional_policy(`
|
||||
unconfined_domain(lvm_t)
|
||||
')
|
||||
+', `
|
||||
+ permissive lvm_t;
|
||||
+')
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
bootloader_rw_tmp_files(lvm_t)
|
||||
+ aisexec_stream_connect(lvm_t)
|
||||
+ corosync_stream_connect(lvm_t)
|
||||
')
|
||||
|
||||
@@ -329,6 +346,10 @@
|
||||
optional_policy(`
|
||||
@@ -329,6 +354,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -32727,7 +32857,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
|
|||
## </summary>
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.8.8/policy/modules/system/modutils.te
|
||||
--- nsaserefpolicy/policy/modules/system/modutils.te 2010-07-27 16:06:06.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/system/modutils.te 2010-07-30 14:06:53.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/system/modutils.te 2010-08-24 09:16:21.000000000 -0400
|
||||
@@ -18,6 +18,7 @@
|
||||
type insmod_exec_t;
|
||||
application_domain(insmod_t, insmod_exec_t)
|
||||
|
|
@ -32759,7 +32889,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
|
|||
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
@@ -104,7 +108,7 @@
|
||||
@@ -94,17 +98,21 @@
|
||||
rpm_manage_script_tmp_files(depmod_t)
|
||||
')
|
||||
|
||||
+ifdef(`enforcing',`
|
||||
optional_policy(`
|
||||
# Read System.map from home directories.
|
||||
unconfined_domain(depmod_t)
|
||||
')
|
||||
+', `
|
||||
+ permissive depmod_t;
|
||||
+')
|
||||
|
||||
########################################
|
||||
#
|
||||
# insmod local policy
|
||||
#
|
||||
|
||||
|
|
@ -32768,7 +32912,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
|
|||
allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
|
||||
|
||||
allow insmod_t self:udp_socket create_socket_perms;
|
||||
@@ -125,6 +129,7 @@
|
||||
@@ -125,6 +133,7 @@
|
||||
kernel_mount_debugfs(insmod_t)
|
||||
kernel_mount_kvmfs(insmod_t)
|
||||
kernel_read_debugfs(insmod_t)
|
||||
|
|
@ -32776,7 +32920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
|
|||
# Rules for /proc/sys/kernel/tainted
|
||||
kernel_read_kernel_sysctls(insmod_t)
|
||||
kernel_rw_kernel_sysctl(insmod_t)
|
||||
@@ -142,6 +147,7 @@
|
||||
@@ -142,6 +151,7 @@
|
||||
dev_read_sound(insmod_t)
|
||||
dev_write_sound(insmod_t)
|
||||
dev_rw_apm_bios(insmod_t)
|
||||
|
|
@ -32784,7 +32928,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
|
|||
|
||||
domain_signal_all_domains(insmod_t)
|
||||
domain_use_interactive_fds(insmod_t)
|
||||
@@ -160,11 +166,15 @@
|
||||
@@ -160,11 +170,15 @@
|
||||
|
||||
fs_getattr_xattr_fs(insmod_t)
|
||||
fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
|
||||
|
|
@ -32800,7 +32944,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
|
|||
|
||||
logging_send_syslog_msg(insmod_t)
|
||||
logging_search_logs(insmod_t)
|
||||
@@ -173,8 +183,7 @@
|
||||
@@ -173,8 +187,7 @@
|
||||
|
||||
seutil_read_file_contexts(insmod_t)
|
||||
|
||||
|
|
@ -32810,17 +32954,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
|
|||
userdom_dontaudit_search_user_home_dirs(insmod_t)
|
||||
|
||||
if( ! secure_mode_insmod ) {
|
||||
@@ -235,6 +244,10 @@
|
||||
@@ -229,10 +242,18 @@
|
||||
rpm_rw_pipes(insmod_t)
|
||||
')
|
||||
|
||||
+ifdef(`enforcing',`
|
||||
optional_policy(`
|
||||
+ virt_dontaudit_write_pipes(insmod_t)
|
||||
unconfined_domain(insmod_t)
|
||||
unconfined_dontaudit_rw_pipes(insmod_t)
|
||||
')
|
||||
+', `
|
||||
+ permissive insmod_t;
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
# cjp: why is this needed:
|
||||
dev_rw_xserver_misc(insmod_t)
|
||||
+ virt_dontaudit_write_pipes(insmod_t)
|
||||
+')
|
||||
|
||||
optional_policy(`
|
||||
# cjp: why is this needed:
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.8.8/policy/modules/system/mount.fc
|
||||
--- nsaserefpolicy/policy/modules/system/mount.fc 2010-07-27 16:06:06.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/system/mount.fc 2010-07-30 14:06:53.000000000 -0400
|
||||
|
|
@ -33416,7 +33568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.i
|
|||
#
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.8.8/policy/modules/system/raid.te
|
||||
--- nsaserefpolicy/policy/modules/system/raid.te 2010-07-27 16:06:06.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/system/raid.te 2010-07-30 14:06:53.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/system/raid.te 2010-08-24 09:17:23.000000000 -0400
|
||||
@@ -30,8 +30,9 @@
|
||||
allow mdadm_t mdadm_map_t:file manage_file_perms;
|
||||
dev_filetrans(mdadm_t, mdadm_map_t, file)
|
||||
|
|
@ -33436,6 +33588,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t
|
|||
|
||||
fs_search_auto_mountpoints(mdadm_t)
|
||||
fs_dontaudit_list_tmpfs(mdadm_t)
|
||||
@@ -95,6 +97,10 @@
|
||||
udev_read_db(mdadm_t)
|
||||
')
|
||||
|
||||
+ifdef(`enforcing',`
|
||||
optional_policy(`
|
||||
unconfined_domain(mdadm_t)
|
||||
')
|
||||
+', `
|
||||
+ permissive mdadm_t;
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.8.8/policy/modules/system/selinuxutil.fc
|
||||
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2010-07-27 16:06:06.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.fc 2010-07-30 14:06:53.000000000 -0400
|
||||
|
|
@ -33859,7 +34022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
|||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.8.8/policy/modules/system/selinuxutil.te
|
||||
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-07-27 16:06:06.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.te 2010-08-13 15:47:08.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.te 2010-08-24 09:17:28.000000000 -0400
|
||||
@@ -22,6 +22,9 @@
|
||||
type selinux_config_t;
|
||||
files_type(selinux_config_t)
|
||||
|
|
@ -34098,7 +34261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
|||
# cjp: need a more general way to handle this:
|
||||
ifdef(`enable_mls',`
|
||||
# read secadm tmp files
|
||||
@@ -498,112 +492,50 @@
|
||||
@@ -498,112 +492,54 @@
|
||||
userdom_read_user_tmp_files(semanage_t)
|
||||
')
|
||||
|
||||
|
|
@ -34239,9 +34402,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
|||
')
|
||||
')
|
||||
|
||||
+ifdef(`enforcing',`
|
||||
optional_policy(`
|
||||
- hotplug_use_fds(setfiles_t)
|
||||
+ unconfined_domain(setfiles_mac_t)
|
||||
+')
|
||||
+', `
|
||||
+ permissive lvm_t;
|
||||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.8.8/policy/modules/system/setrans.if
|
||||
--- nsaserefpolicy/policy/modules/system/setrans.if 2010-07-27 16:06:06.000000000 -0400
|
||||
|
|
@ -34421,8 +34588,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosrep
|
|||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.te serefpolicy-3.8.8/policy/modules/system/sosreport.te
|
||||
--- nsaserefpolicy/policy/modules/system/sosreport.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.8.8/policy/modules/system/sosreport.te 2010-07-30 14:06:53.000000000 -0400
|
||||
@@ -0,0 +1,154 @@
|
||||
+++ serefpolicy-3.8.8/policy/modules/system/sosreport.te 2010-08-24 15:48:28.000000000 -0400
|
||||
@@ -0,0 +1,158 @@
|
||||
+policy_module(sosreport,1.0.0)
|
||||
+
|
||||
+########################################
|
||||
|
|
@ -34574,9 +34741,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosrep
|
|||
+ xserver_stream_connect(sosreport_t)
|
||||
+')
|
||||
+
|
||||
+ifdef(`enforcing',`
|
||||
+optional_policy(`
|
||||
+ unconfined_domain(sosreport_t)
|
||||
+')
|
||||
+', `
|
||||
+ permissive sosreport_t;
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.8.8/policy/modules/system/sysnetwork.fc
|
||||
--- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2010-07-27 16:06:06.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/system/sysnetwork.fc 2010-07-30 14:06:53.000000000 -0400
|
||||
|
|
@ -35131,7 +35302,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i
|
|||
#
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.8.8/policy/modules/system/udev.te
|
||||
--- nsaserefpolicy/policy/modules/system/udev.te 2010-07-27 16:06:06.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/system/udev.te 2010-07-30 14:06:53.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/system/udev.te 2010-08-24 09:18:25.000000000 -0400
|
||||
@@ -52,6 +52,7 @@
|
||||
allow udev_t self:unix_stream_socket connectto;
|
||||
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
|
|
@ -35163,7 +35334,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
|
|||
|
||||
mcs_ptrace_all(udev_t)
|
||||
|
||||
@@ -216,6 +220,10 @@
|
||||
@@ -192,9 +196,13 @@
|
||||
# for arping used for static IP addresses on PCMCIA ethernet
|
||||
netutils_domtrans(udev_t)
|
||||
|
||||
+ ifdef(`enforcing',`
|
||||
optional_policy(`
|
||||
unconfined_domain(udev_t)
|
||||
')
|
||||
+ ', `
|
||||
+ permissive udev_t;
|
||||
+ ')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -216,6 +224,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -35174,7 +35359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
|
|||
consoletype_exec(udev_t)
|
||||
')
|
||||
|
||||
@@ -259,6 +267,10 @@
|
||||
@@ -259,6 +271,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -35185,7 +35370,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
|
|||
openct_read_pid_files(udev_t)
|
||||
openct_domtrans(udev_t)
|
||||
')
|
||||
@@ -273,6 +285,10 @@
|
||||
@@ -273,6 +289,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38524,7 +38709,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if
|
|||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.8.8/policy/modules/system/xen.te
|
||||
--- nsaserefpolicy/policy/modules/system/xen.te 2010-07-27 16:06:06.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/system/xen.te 2010-07-30 14:06:53.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/modules/system/xen.te 2010-08-24 09:18:35.000000000 -0400
|
||||
@@ -4,6 +4,7 @@
|
||||
#
|
||||
# Declarations
|
||||
|
|
@ -38680,6 +38865,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
|
|||
#Should have a boolean wrapping these
|
||||
fs_list_auto_mountpoints(xend_t)
|
||||
files_search_mnt(xend_t)
|
||||
@@ -469,8 +380,4 @@
|
||||
fs_manage_nfs_files(xend_t)
|
||||
fs_read_nfs_symlinks(xend_t)
|
||||
')
|
||||
-
|
||||
- optional_policy(`
|
||||
- unconfined_domain(xend_t)
|
||||
- ')
|
||||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns.spt serefpolicy-3.8.8/policy/support/misc_patterns.spt
|
||||
--- nsaserefpolicy/policy/support/misc_patterns.spt 2010-05-25 16:28:22.000000000 -0400
|
||||
+++ serefpolicy-3.8.8/policy/support/misc_patterns.spt 2010-07-30 14:06:53.000000000 -0400
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@
|
|||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.8.8
|
||||
Release: 19%{?dist}
|
||||
Release: 20%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
|
|
@ -469,6 +469,12 @@ exit 0
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Aug 24 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-20
|
||||
- Allow cron to look at user_cron_spool links
|
||||
- Lots of fixes for mozilla_plugin_t
|
||||
- Add sysv file system
|
||||
- Turn unconfined domains to permissive to find additional avcs
|
||||
|
||||
* Mon Aug 23 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-19
|
||||
- Update policy for mozilla_plugin_t
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue