trunk: 10 patches from dan.
This commit is contained in:
parent
ef659a476e
commit
cdf98fedc0
@ -12,7 +12,7 @@ If you want to share files anonymously, you must label the files and directories
|
||||
.TP
|
||||
chcon -R -t public_content_t /var/ftp
|
||||
.TP
|
||||
If you want to setup a directory where you can upload files to you must label the files and directories ftpd_anon_rw_t. So if you created a special directory /var/ftp/incoming, you would need to label the directory with the chcon tool.
|
||||
If you want to setup a directory where you can upload files to you must label the files and directories public_content_rw_t. So if you created a special directory /var/ftp/incoming, you would need to label the directory with the chcon tool.
|
||||
.TP
|
||||
chcon -t public_content_rw_t /var/ftp/incoming
|
||||
.TP
|
||||
|
@ -30,7 +30,7 @@ httpd_sys_script_exec_t
|
||||
.EX
|
||||
httpd_sys_script_ro_t
|
||||
.EE
|
||||
- Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t scripts to read the data, and disallow other sys scripts from access.
|
||||
- Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t scripts to read the data, and disallow other non sys scripts from access.
|
||||
.EX
|
||||
httpd_sys_script_rw_t
|
||||
.EE
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(dmidecode,1.2.1)
|
||||
policy_module(dmidecode,1.2.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -18,6 +18,7 @@ role system_r types dmidecode_t;
|
||||
|
||||
allow dmidecode_t self:capability sys_rawio;
|
||||
|
||||
dev_read_sysfs(dmidecode_t)
|
||||
# Allow dmidecode to read /dev/mem
|
||||
dev_read_raw_memory(dmidecode_t)
|
||||
|
||||
|
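Review bot: `dev_read_raw_memory(dmidecode_t)` grants read access to the raw physical memory devices, which exposes the whole of RAM to the domain, and the one-line comment above it says what is allowed but not why the rule cannot be narrower. Suggest expanding it to `# dmidecode locates the SMBIOS/DMI entry point by scanning physical memory through /dev/mem; this is a broad grant, read-only by design`. The domain already holds `sys_rawio`, so the pair is consistent, but stating that only the read form is granted helps the next reviewer who sees raw-memory access on a tools domain. Which of the comment and the interface call is the single added line cannot be told from the rendered hunk.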
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(corenetwork,1.2.11)
|
||||
policy_module(corenetwork,1.2.12)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -164,6 +164,7 @@ type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined por
|
||||
network_port(uucpd, tcp,540,s0)
|
||||
network_port(vnc, tcp,5900,s0)
|
||||
network_port(xen, tcp,8002,s0)
|
||||
network_port(xfs, tcp,7100,s0)
|
||||
network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
|
||||
network_port(zebra, tcp,2600,s0, tcp,2601,s0, tcp,2602,s0, tcp,2603,s0, tcp,2604,s0, tcp,2606,s0, udp,2600,s0, udp,2601,s0, udp,2602,s0, udp,2603,s0, udp,2604,s0, udp,2606,s0)
|
||||
network_port(zope, tcp,8021,s0)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ktalk,1.5.1)
|
||||
policy_module(ktalk,1.5.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -68,6 +68,10 @@ fs_getattr_xattr_fs(ktalkd_t)
|
||||
|
||||
files_read_etc_files(ktalkd_t)
|
||||
|
||||
term_search_ptys(ktalkd_t)
|
||||
|
||||
auth_use_nsswitch(ktalkd_t)
|
||||
|
||||
init_read_utmp(ktalkd_t)
|
||||
|
||||
libs_use_ld_so(ktalkd_t)
|
||||
@ -75,13 +79,3 @@ libs_use_shared_libs(ktalkd_t)
|
||||
logging_send_syslog_msg(ktalkd_t)
|
||||
|
||||
miscfiles_read_localization(ktalkd_t)
|
||||
|
||||
sysnet_read_config(ktalkd_t)
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(ktalkd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(ktalkd_t)
|
||||
')
|
||||
|
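Review bot: `term_search_ptys(ktalkd_t)` and `init_read_utmp(ktalkd_t)` are added in the first hunk without a comment saying why a talk daemon needs terminal lookups, and the write to the terminal found that way is not in either hunk. Presumably talkd reads utmp to find the callee's tty and then writes the announcement to it; if so, the tty-write permission lives elsewhere in the file and should be confirmed, and a comment such as `# talkd looks up the callee's tty in utmp to deliver the ring announcement` would tie the rules together. The second hunk drops `sysnet_read_config`, `nis_use_ypbind` and `nscd_socket_use` in favour of `auth_use_nsswitch(ktalkd_t)`, the interface that bundles name-service access, so that part reads as a consolidation rather than a change in privilege.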
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(rsync,1.5.0)
|
||||
policy_module(rsync,1.5.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -17,6 +17,7 @@ gen_tunable(allow_rsync_anon_write,false)
|
||||
type rsync_t;
|
||||
type rsync_exec_t;
|
||||
init_daemon_domain(rsync_t,rsync_exec_t)
|
||||
application_executable_file(rsync_exec_t)
|
||||
role system_r types rsync_t;
|
||||
|
||||
type rsync_data_t;
|
||||
|
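Review bot: `application_executable_file(rsync_exec_t)` lets any domain permitted to run application executables execute rsync in its own domain with no transition, while `init_daemon_domain(rsync_t,rsync_exec_t)` keeps the daemon transition for init, and nothing on the line explains that dual role. Suggest `# rsync is also an ordinary client run by users; the daemon transition applies only when init starts it` directly above it. That this is the one added line is inferred from the hunk counts, not shown by the rendered page.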
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(setroubleshoot,1.5.1)
|
||||
policy_module(setroubleshoot,1.5.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -67,6 +67,7 @@ corenet_tcp_connect_smtp_port(setroubleshootd_t)
|
||||
corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
|
||||
|
||||
dev_read_urand(setroubleshootd_t)
|
||||
dev_read_sysfs(setroubleshootd_t)
|
||||
|
||||
domain_dontaudit_search_all_domains_state(setroubleshootd_t)
|
||||
|
||||
@ -106,6 +107,12 @@ sysnet_read_config(setroubleshootd_t)
|
||||
|
||||
userdom_dontaudit_read_sysadm_home_content_files(setroubleshootd_t)
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t)
|
||||
dbus_send_system_bus(setroubleshootd_t)
|
||||
dbus_connect_system_bus(setroubleshootd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
rpm_read_db(setroubleshootd_t)
|
||||
rpm_dontaudit_manage_db(setroubleshootd_t)
|
||||
|
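Review bot: `rpm_dontaudit_manage_db(setroubleshootd_t)` silences denials for writes to the RPM database without saying why a read-only consumer triggers them, and the optional block it sits in closes outside the hunk. A dontaudit is the usual answer to the rpm library opening its database environment read-write even for queries, but that reason belongs next to the rule: `# rpm opens its db environment for writing even on read-only queries; the daemon only needs rpm_read_db`. Keep it a dontaudit rather than an allow, since an actual attempt by setroubleshootd to modify package state is something an administrator would want to see.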
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(tftp,1.5.1)
|
||||
policy_module(tftp,1.5.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -26,6 +26,7 @@ allow tftpd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow tftpd_t self:udp_socket create_socket_perms;
|
||||
allow tftpd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow tftpd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
dontaudit tftpd_t self:capability sys_tty_config;
|
||||
|
||||
allow tftpd_t tftpdir_t:dir { getattr read search };
|
||||
|
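Review bot: the added `allow tftpd_t self:netlink_route_socket r_netlink_socket_perms;` carries no comment naming what the daemon does with a routing socket, so a reader cannot tell that the read-only permission set is deliberate. Suggest `# read-only routing socket for enumerating local interface addresses` above it, with the exact use confirmed against the tftpd build the policy targets. Which of the seven lines in the hunk is the added one is inferred from the counts rather than shown.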
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(xfs,1.2.1)
|
||||
policy_module(xfs,1.2.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -37,6 +37,15 @@ files_pid_filetrans(xfs_t,xfs_var_run_t,file)
|
||||
kernel_read_kernel_sysctls(xfs_t)
|
||||
kernel_read_system_state(xfs_t)
|
||||
|
||||
corenet_all_recvfrom_unlabeled(xfs_t)
|
||||
corenet_all_recvfrom_netlabel(xfs_t)
|
||||
corenet_tcp_sendrecv_generic_if(xfs_t)
|
||||
corenet_tcp_sendrecv_all_nodes(xfs_t)
|
||||
corenet_tcp_sendrecv_all_ports(xfs_t)
|
||||
corenet_tcp_bind_all_nodes(xfs_t)
|
||||
corenet_tcp_bind_xfs_port(xfs_t)
|
||||
corenet_sendrecv_xfs_server_packets(xfs_t)
|
||||
|
||||
corecmd_list_bin(xfs_t)
|
||||
|
||||
dev_read_sysfs(xfs_t)
|
||||
|
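Review bot: the eight new `corenet_*` rules give xfs_t a full TCP server profile (bind to the xfs port, send/recv on all nodes and ports) with no comment, yet the X font server is commonly run with `no-listen = tcp` and serves only its local unix socket. Consider documenting that these rules exist for the optional TCP listener, e.g. `# TCP listener on the xfs port; only exercised when the font server is not configured with no-listen = tcp`, and weighing a tunable for it in a later change. `corenet_tcp_sendrecv_all_ports(xfs_t)` is correct for a server because peer ports are arbitrary, so it is not the over-grant it looks like; `corenet_tcp_bind_xfs_port(xfs_t)` is the line that actually limits exposure.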
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ipsec,1.4.1)
|
||||
policy_module(ipsec,1.4.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -321,6 +321,7 @@ libs_use_shared_libs(racoon_t)
|
||||
locallogin_use_fds(racoon_t)
|
||||
|
||||
logging_send_syslog_msg(racoon_t)
|
||||
logging_send_audit_msgs(racoon_t)
|
||||
|
||||
miscfiles_read_localization(racoon_t)
|
||||
|
||||
|
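Review bot: `logging_send_audit_msgs(racoon_t)` presumably brings in the audit_write capability and the netlink audit socket, which is a meaningful grant that gets no comment in the hunk. Suggest `# racoon emits audit records for IKE SA establishment and teardown` so the reason sits next to the rule. The racoon_t section continues outside the hunk.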