rpms/selinux-policy
5
0
Fork 0
Code Issues Pull Requests Releases Activity

- Fix vpn to bind to port 4500

Browse Source 
- Allow ssh to create shm
- Allow rshd to bind to ports > 1023
This commit is contained in:
Daniel J Walsh 2007-10-18 21:33:00 +00:00
parent bd10e1010b
commit ccf8a72ae3
3 changed files with 39 additions and 57 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
modules-targeted.conf
View File

@ -1514,3 +1514,11 @@ webadm = module
# #
exim = module exim = module
# Layer: admin
# Module: kismet
#
# Wireless sniffing and monitoring
#
kismet = module

81
policy-20070703.patch
View File

@ -1128,8 +1128,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
+/var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0) +/var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.0.8/policy/modules/admin/kismet.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.0.8/policy/modules/admin/kismet.if
--- nsaserefpolicy/policy/modules/admin/kismet.if 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/admin/kismet.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/admin/kismet.if 2007-10-18 16:33:14.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/admin/kismet.if 2007-10-18 17:32:20.000000000 -0400
@@ -0,0 +1,328 @@ @@ -0,0 +1,277 @@
+ +
+## <summary>policy for kismet</summary> +## <summary>policy for kismet</summary>
+ +
@ -1297,26 +1297,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
+ +
+######################################## +########################################
+## <summary> +## <summary>
+## Allow the specified domain to manage
+## kismet log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`kismet_manage_log',`
+ gen_require(`
+ type var_log_t, kismet_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_files_pattern($1, kismet_log_t, kismet_log_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append +## Allow the specified domain to append
+## kismet log files. +## kismet log files.
+## </summary> +## </summary>
@ -1427,37 +1407,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
+ +
+') +')
+ +
+########################################
+## <summary>
+## Execute kismet programs in the kismet domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the kismet domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the kismet domain to use.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kismet_run',`
+ gen_require(`
+ type kismet_t;
+ ')
+
+ kismet_domtrans($1)
+ role $2 types kismet_t;
+ allow kismet_t $3:chr_file rw_term_perms;
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.0.8/policy/modules/admin/kismet.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.0.8/policy/modules/admin/kismet.te
--- nsaserefpolicy/policy/modules/admin/kismet.te 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/admin/kismet.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/admin/kismet.te 2007-10-18 16:30:41.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/admin/kismet.te 2007-10-18 16:30:41.000000000 -0400
@ -3414,7 +3363,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te
') ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-08-22 07:14:06.000000000 -0400 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-08-22 07:14:06.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc 2007-10-03 11:10:24.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc 2007-10-18 17:16:04.000000000 -0400
@@ -36,6 +36,11 @@ @@ -36,6 +36,11 @@
/etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0) /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
/etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0) /etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0)
@ -3448,7 +3397,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -259,3 +265,9 @@ @@ -259,3 +265,18 @@
ifdef(`distro_suse',` ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
') ')
@ -3458,6 +3407,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
+/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) +/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
+/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:bin_t,s0) +/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:bin_t,s0)
+/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:bin_t,s0) +/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:bin_t,s0)
+
+/etc/apcupsd/apccontrol -- gen_context(system_u:object_r:bin_t,s0)
+/etc/apcupsd/changeme -- gen_context(system_u:object_r:bin_t,s0)
+/etc/apcupsd/commfailure -- gen_context(system_u:object_r:bin_t,s0)
+/etc/apcupsd/commok -- gen_context(system_u:object_r:bin_t,s0)
+/etc/apcupsd/masterconnect -- gen_context(system_u:object_r:bin_t,s0)
+/etc/apcupsd/mastertimeout -- gen_context(system_u:object_r:bin_t,s0)
+/etc/apcupsd/offbattery -- gen_context(system_u:object_r:bin_t,s0)
+/etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2007-07-03 07:05:38.000000000 -0400 --- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2007-07-03 07:05:38.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in 2007-10-17 16:11:40.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in 2007-10-17 16:11:40.000000000 -0400
@ -15366,7 +15324,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
+') +')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.8/policy/modules/system/udev.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.8/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2007-09-12 10:34:51.000000000 -0400 --- nsaserefpolicy/policy/modules/system/udev.te 2007-09-12 10:34:51.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/udev.te 2007-10-15 13:54:06.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/system/udev.te 2007-10-18 17:22:34.000000000 -0400
@@ -132,6 +132,7 @@ @@ -132,6 +132,7 @@
init_read_utmp(udev_t) init_read_utmp(udev_t)
@ -15388,6 +15346,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
brctl_domtrans(udev_t) brctl_domtrans(udev_t)
') ')
@@ -220,6 +227,10 @@
')
optional_policy(`
+ raid_domtrans_mdadm(udev_t)
+')
+
+optional_policy(`
kernel_write_xen_state(udev_t)
kernel_read_xen_state(udev_t)
xen_manage_log(udev_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.0.8/policy/modules/system/unconfined.fc diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.0.8/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2007-05-29 14:10:58.000000000 -0400 --- nsaserefpolicy/policy/modules/system/unconfined.fc 2007-05-29 14:10:58.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/unconfined.fc 2007-10-03 11:10:25.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/system/unconfined.fc 2007-10-03 11:10:25.000000000 -0400

7
selinux-policy.spec
View File

@ -17,7 +17,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.0.8 Version: 3.0.8
Release: 24%{?dist} Release: 25%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -373,6 +373,11 @@ exit 0
%endif %endif
%changelog %changelog
* Thu Oct 16 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-25
- Fix vpn to bind to port 4500
- Allow ssh to create shm
- Allow rshd to bind to ports > 1023
* Tue Oct 16 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-24 * Tue Oct 16 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-24
- Allow rpm to chat with networkmanager - Allow rpm to chat with networkmanager