- Merge upstream changes
- Add Xavier Toth patches
This commit is contained in:
parent
8a482d67b3
commit
ceb150c168
@ -284,8 +284,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.5.8/policy/modules/admin/alsa.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.5.8/policy/modules/admin/alsa.te
|
||||||
--- nsaserefpolicy/policy/modules/admin/alsa.te 2008-08-07 11:15:13.000000000 -0400
|
--- nsaserefpolicy/policy/modules/admin/alsa.te 2008-08-07 11:15:13.000000000 -0400
|
||||||
+++ serefpolicy-3.5.8/policy/modules/admin/alsa.te 2008-09-12 10:59:28.000000000 -0400
|
+++ serefpolicy-3.5.8/policy/modules/admin/alsa.te 2008-09-15 14:54:22.000000000 -0400
|
||||||
@@ -51,6 +51,8 @@
|
@@ -48,9 +48,12 @@
|
||||||
|
|
||||||
|
files_search_home(alsa_t)
|
||||||
|
files_read_etc_files(alsa_t)
|
||||||
|
+files_read_usr_files(alsa_t)
|
||||||
|
|
||||||
auth_use_nsswitch(alsa_t)
|
auth_use_nsswitch(alsa_t)
|
||||||
|
|
||||||
@ -1162,7 +1166,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.5.8/policy/modules/admin/rpm.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.5.8/policy/modules/admin/rpm.te
|
||||||
--- nsaserefpolicy/policy/modules/admin/rpm.te 2008-08-07 11:15:13.000000000 -0400
|
--- nsaserefpolicy/policy/modules/admin/rpm.te 2008-08-07 11:15:13.000000000 -0400
|
||||||
+++ serefpolicy-3.5.8/policy/modules/admin/rpm.te 2008-09-12 10:59:28.000000000 -0400
|
+++ serefpolicy-3.5.8/policy/modules/admin/rpm.te 2008-09-16 09:14:33.000000000 -0400
|
||||||
@@ -31,6 +31,9 @@
|
@@ -31,6 +31,9 @@
|
||||||
files_type(rpm_var_lib_t)
|
files_type(rpm_var_lib_t)
|
||||||
typealias rpm_var_lib_t alias var_lib_rpm_t;
|
typealias rpm_var_lib_t alias var_lib_rpm_t;
|
||||||
@ -1173,7 +1177,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
type rpm_script_t;
|
type rpm_script_t;
|
||||||
type rpm_script_exec_t;
|
type rpm_script_exec_t;
|
||||||
domain_obj_id_change_exemption(rpm_script_t)
|
domain_obj_id_change_exemption(rpm_script_t)
|
||||||
@@ -89,6 +92,9 @@
|
@@ -52,7 +55,8 @@
|
||||||
|
# rpm Local policy
|
||||||
|
#
|
||||||
|
|
||||||
|
-allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid sys_chroot sys_tty_config mknod };
|
||||||
|
+allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
|
||||||
|
+
|
||||||
|
allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||||
|
allow rpm_t self:process { getattr setexec setfscreate setrlimit };
|
||||||
|
allow rpm_t self:fd use;
|
||||||
|
@@ -89,8 +93,12 @@
|
||||||
manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
|
manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
|
||||||
files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
|
files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
|
||||||
|
|
||||||
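Review bot: The rpm_t capability rule in this hunk (`+allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };`, paired with the removed original just above it) adds ipc_lock and sys_nice without any comment saying which rpm operation needs them; the column each line sits in is inferred from the side-by-side layout, so confirm this is the new side. Both capabilities are modest next to what rpm_t already holds, but an undocumented widening of a privileged domain is hard to audit later. Suggest a comment above the rule such as `# ipc_lock/sys_nice: needed by <rpm operation - TODO fill in>` so the justification travels with the policy. The rpm_t rule block continues past this hunk.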
@ -1182,8 +1196,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
kernel_read_system_state(rpm_t)
|
kernel_read_system_state(rpm_t)
|
||||||
kernel_read_kernel_sysctls(rpm_t)
|
kernel_read_kernel_sysctls(rpm_t)
|
||||||
|
+kernel_read_network_state_symlinks(rpm_t)
|
||||||
|
|
||||||
@@ -179,10 +185,20 @@
|
corecmd_exec_all_executables(rpm_t)
|
||||||
|
|
||||||
|
@@ -117,6 +125,7 @@
|
||||||
|
fs_manage_nfs_symlinks(rpm_t)
|
||||||
|
fs_getattr_all_fs(rpm_t)
|
||||||
|
fs_search_auto_mountpoints(rpm_t)
|
||||||
|
+fs_list_inotifyfs(rpm_t)
|
||||||
|
|
||||||
|
mls_file_read_all_levels(rpm_t)
|
||||||
|
mls_file_write_all_levels(rpm_t)
|
||||||
|
@@ -179,10 +188,20 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -1204,7 +1229,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
prelink_domtrans(rpm_t)
|
prelink_domtrans(rpm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -190,6 +206,7 @@
|
@@ -190,6 +209,7 @@
|
||||||
unconfined_domain(rpm_t)
|
unconfined_domain(rpm_t)
|
||||||
# yum-updatesd requires this
|
# yum-updatesd requires this
|
||||||
unconfined_dbus_chat(rpm_t)
|
unconfined_dbus_chat(rpm_t)
|
||||||
@ -1212,16 +1237,42 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
@@ -216,7 +233,7 @@
|
@@ -215,8 +235,8 @@
|
||||||
|
# rpm-script Local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
|
-allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
|
||||||
-allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
-allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||||
|
+allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_ptrace sys_nice mknod kill };
|
||||||
+allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
|
+allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
|
||||||
allow rpm_script_t self:fd use;
|
allow rpm_script_t self:fd use;
|
||||||
allow rpm_script_t self:fifo_file rw_fifo_file_perms;
|
allow rpm_script_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow rpm_script_t self:unix_dgram_socket create_socket_perms;
|
allow rpm_script_t self:unix_dgram_socket create_socket_perms;
|
||||||
@@ -317,6 +334,7 @@
|
@@ -227,12 +247,15 @@
|
||||||
|
allow rpm_script_t self:sem create_sem_perms;
|
||||||
|
allow rpm_script_t self:msgq create_msgq_perms;
|
||||||
|
allow rpm_script_t self:msg { send receive };
|
||||||
|
+allow rpm_script_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||||
|
|
||||||
|
allow rpm_script_t rpm_tmp_t:file read_file_perms;
|
||||||
|
|
||||||
|
allow rpm_script_t rpm_script_tmp_t:dir mounton;
|
||||||
|
manage_dirs_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
|
||||||
|
manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
|
||||||
|
+manage_blk_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
|
||||||
|
+manage_chr_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
|
||||||
|
files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
|
||||||
|
|
||||||
|
manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
|
||||||
|
@@ -298,6 +321,7 @@
|
||||||
|
files_exec_etc_files(rpm_script_t)
|
||||||
|
files_read_etc_runtime_files(rpm_script_t)
|
||||||
|
files_exec_usr_files(rpm_script_t)
|
||||||
|
+files_relabel_all_files(rpm_script_t)
|
||||||
|
|
||||||
|
init_domtrans_script(rpm_script_t)
|
||||||
|
|
||||||
|
@@ -317,6 +341,7 @@
|
||||||
seutil_domtrans_loadpolicy(rpm_script_t)
|
seutil_domtrans_loadpolicy(rpm_script_t)
|
||||||
seutil_domtrans_setfiles(rpm_script_t)
|
seutil_domtrans_setfiles(rpm_script_t)
|
||||||
seutil_domtrans_semanage(rpm_script_t)
|
seutil_domtrans_semanage(rpm_script_t)
|
||||||
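Review bot: The new capability line for rpm_script_t (`+allow rpm_script_t self:capability { ... sys_admin sys_chroot sys_ptrace ... };`, which appears only once in this hunk and so is presumably the new side) adds sys_admin and sys_ptrace, and the later `+files_relabel_all_files(rpm_script_t)` lets package scriptlets relabel any file; together these let the scriptlet domain step around most of the base policy's confinement even outside the optional `unconfined_domain(rpm_script_t)` block further down. sys_admin in particular is close to root-equivalent and is rarely justified by a single scriptlet, and relabel-all is effectively a policy bypass. If specific package scriptlets need these, the rule should say which, e.g. `# sys_admin/sys_ptrace: required by <package scriptlet - TODO name it>`, and the relabel grant should be weighed against a relabel interface limited to the types those scriptlets actually touch. The surrounding rpm_script_t policy block starts before and continues past this hunk.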
@ -1229,7 +1280,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
userdom_use_all_users_fds(rpm_script_t)
|
userdom_use_all_users_fds(rpm_script_t)
|
||||||
|
|
||||||
@@ -342,6 +360,7 @@
|
@@ -335,6 +360,10 @@
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
+ lvm_domtrans(rpm_script_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
tzdata_domtrans(rpm_t)
|
||||||
|
tzdata_domtrans(rpm_script_t)
|
||||||
|
')
|
||||||
|
@@ -342,6 +371,7 @@
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
unconfined_domain(rpm_script_t)
|
unconfined_domain(rpm_script_t)
|
||||||
unconfined_domtrans(rpm_script_t)
|
unconfined_domtrans(rpm_script_t)
|
||||||
@ -1237,7 +1299,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
java_domtrans(rpm_script_t)
|
java_domtrans(rpm_script_t)
|
||||||
@@ -352,6 +371,11 @@
|
@@ -352,6 +382,11 @@
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -1933,7 +1995,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+HOME_DIR/.pulse(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
|
+HOME_DIR/.pulse(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.5.8/policy/modules/apps/gnome.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.5.8/policy/modules/apps/gnome.if
|
||||||
--- nsaserefpolicy/policy/modules/apps/gnome.if 2008-08-07 11:15:02.000000000 -0400
|
--- nsaserefpolicy/policy/modules/apps/gnome.if 2008-08-07 11:15:02.000000000 -0400
|
||||||
+++ serefpolicy-3.5.8/policy/modules/apps/gnome.if 2008-09-12 10:59:28.000000000 -0400
|
+++ serefpolicy-3.5.8/policy/modules/apps/gnome.if 2008-09-15 14:57:34.000000000 -0400
|
||||||
@@ -36,6 +36,7 @@
|
@@ -36,6 +36,7 @@
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type gconfd_exec_t, gconf_etc_t;
|
type gconfd_exec_t, gconf_etc_t;
|
||||||
@ -2081,7 +2143,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="userdomain_prefix">
|
## <param name="userdomain_prefix">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -183,11 +200,95 @@
|
@@ -183,11 +200,96 @@
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -2117,6 +2179,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
+ manage_dirs_pattern($2, gnome_home_t, gnome_home_t)
|
+ manage_dirs_pattern($2, gnome_home_t, gnome_home_t)
|
||||||
+ manage_files_pattern($2, gnome_home_t, gnome_home_t)
|
+ manage_files_pattern($2, gnome_home_t, gnome_home_t)
|
||||||
|
+ manage_lnk_files_pattern($2, gnome_home_t, gnome_home_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -4464,8 +4527,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.8/policy/modules/apps/nsplugin.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.8/policy/modules/apps/nsplugin.te
|
||||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.5.8/policy/modules/apps/nsplugin.te 2008-09-12 10:59:28.000000000 -0400
|
+++ serefpolicy-3.5.8/policy/modules/apps/nsplugin.te 2008-09-15 13:09:59.000000000 -0400
|
||||||
@@ -0,0 +1,226 @@
|
@@ -0,0 +1,228 @@
|
||||||
+
|
+
|
||||||
+policy_module(nsplugin, 1.0.0)
|
+policy_module(nsplugin, 1.0.0)
|
||||||
+
|
+
|
||||||
@ -4547,6 +4610,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+dev_read_video_dev(nsplugin_t)
|
+dev_read_video_dev(nsplugin_t)
|
||||||
+dev_write_video_dev(nsplugin_t)
|
+dev_write_video_dev(nsplugin_t)
|
||||||
+dev_getattr_dri_dev(nsplugin_t)
|
+dev_getattr_dri_dev(nsplugin_t)
|
||||||
|
+dev_rwx_zero(nsplugin_t)
|
||||||
+
|
+
|
||||||
+kernel_read_kernel_sysctls(nsplugin_t)
|
+kernel_read_kernel_sysctls(nsplugin_t)
|
||||||
+kernel_read_system_state(nsplugin_t)
|
+kernel_read_system_state(nsplugin_t)
|
||||||
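Review bot: `+dev_rwx_zero(nsplugin_t)` appears in one column only (presumably the new side) and grants a writable-and-executable mapping of /dev/zero, which gives the plugin domain anonymous executable memory regardless of how execmem is handled elsewhere in nsplugin.te. The neighbouring dev_* lines are read, write and getattr only, so this is the broadest device rule in the block and it carries no comment naming the plugin that needs it. If only read/write access to /dev/zero is required, `dev_rw_zero(nsplugin_t)` is the tighter interface; otherwise a comment such as `# rwx /dev/zero mapping needed by <plugin - TODO name it>` should accompany the rule. The enclosing nsplugin_t rule block starts before this hunk.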
@ -4605,6 +4669,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ mplayer_exec(nsplugin_t)
|
+ mplayer_exec(nsplugin_t)
|
||||||
|
+ mplayer_read_user_home_files(user, nsplugin_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
@ -4629,7 +4694,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+# nsplugin_config local policy
|
+# nsplugin_config local policy
|
||||||
+#
|
+#
|
||||||
+
|
+
|
||||||
+allow nsplugin_config_t self:capability { sys_nice setuid setgid };
|
+allow nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
|
||||||
+allow nsplugin_config_t self:process { setsched sigkill getsched execmem };
|
+allow nsplugin_config_t self:process { setsched sigkill getsched execmem };
|
||||||
+#execing pulseaudio
|
+#execing pulseaudio
|
||||||
+dontaudit nsplugin_t self:process { getcap setcap };
|
+dontaudit nsplugin_t self:process { getcap setcap };
|
||||||
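Review bot: The changed rule for nsplugin_config_t (`+allow nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };`, on what appears to be the new side) adds dac_override alongside dac_read_search. dac_read_search only bypasses read and search permission checks, whereas dac_override also bypasses write and execute checks, so if the configuration step merely needs to read plugin files owned by other users the second capability alone is enough. Suggest either dropping dac_override or adding `# dac_override: <which write needs it - TODO confirm>` above the rule so the wider grant is deliberate.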
@ -7091,7 +7156,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# /emul
|
# /emul
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.5.8/policy/modules/kernel/files.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.5.8/policy/modules/kernel/files.if
|
||||||
--- nsaserefpolicy/policy/modules/kernel/files.if 2008-08-07 11:15:01.000000000 -0400
|
--- nsaserefpolicy/policy/modules/kernel/files.if 2008-08-07 11:15:01.000000000 -0400
|
||||||
+++ serefpolicy-3.5.8/policy/modules/kernel/files.if 2008-09-12 10:59:28.000000000 -0400
|
+++ serefpolicy-3.5.8/policy/modules/kernel/files.if 2008-09-16 09:05:30.000000000 -0400
|
||||||
@@ -110,6 +110,11 @@
|
@@ -110,6 +110,11 @@
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -8453,8 +8518,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+logging_admin(logadm_t, logadm_r, { logadm_devpts_t logadm_tty_device_t })
|
+logging_admin(logadm_t, logadm_r, { logadm_devpts_t logadm_tty_device_t })
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.5.8/policy/modules/roles/staff.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.5.8/policy/modules/roles/staff.te
|
||||||
--- nsaserefpolicy/policy/modules/roles/staff.te 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/roles/staff.te 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.8/policy/modules/roles/staff.te 2008-09-12 10:59:28.000000000 -0400
|
+++ serefpolicy-3.5.8/policy/modules/roles/staff.te 2008-09-15 14:58:31.000000000 -0400
|
||||||
@@ -8,23 +8,52 @@
|
@@ -8,23 +8,55 @@
|
||||||
|
|
||||||
role staff_r;
|
role staff_r;
|
||||||
|
|
||||||
@ -8467,6 +8532,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
#
|
#
|
||||||
|
|
||||||
+kernel_read_ring_buffer(staff_t)
|
+kernel_read_ring_buffer(staff_t)
|
||||||
|
+kernel_getattr_core_if(staff_t)
|
||||||
|
+kernel_getattr_message_if(staff_t)
|
||||||
|
+kernel_read_software_raid_state(staff_t)
|
||||||
+
|
+
|
||||||
+auth_domtrans_pam_console(staff_t)
|
+auth_domtrans_pam_console(staff_t)
|
||||||
+
|
+
|
||||||
@ -20147,7 +20215,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.te serefpolicy-3.5.8/policy/modules/services/pads.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.te serefpolicy-3.5.8/policy/modules/services/pads.te
|
||||||
--- nsaserefpolicy/policy/modules/services/pads.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/pads.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.5.8/policy/modules/services/pads.te 2008-09-12 10:59:28.000000000 -0400
|
+++ serefpolicy-3.5.8/policy/modules/services/pads.te 2008-09-15 13:00:58.000000000 -0400
|
||||||
@@ -0,0 +1,66 @@
|
@@ -0,0 +1,66 @@
|
||||||
+
|
+
|
||||||
+policy_module(pads, 0.0.1)
|
+policy_module(pads, 0.0.1)
|
||||||
@ -20163,7 +20231,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+role system_r types pads_t;
|
+role system_r types pads_t;
|
||||||
+
|
+
|
||||||
+type pads_script_exec_t;
|
+type pads_script_exec_t;
|
||||||
+init_script_type(pads_script_exec_t)
|
+init_script_file(pads_script_exec_t)
|
||||||
+
|
+
|
||||||
+type pads_config_t;
|
+type pads_config_t;
|
||||||
+files_config_file(pads_config_t)
|
+files_config_file(pads_config_t)
|
||||||
@ -20213,7 +20281,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+sysnet_dns_name_resolve(pads_t)
|
+sysnet_dns_name_resolve(pads_t)
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ prelude_rw_spool(pads_t)
|
+ prelude_manage_spool(pads_t)
|
||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.5.8/policy/modules/services/pcscd.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.5.8/policy/modules/services/pcscd.te
|
||||||
--- nsaserefpolicy/policy/modules/services/pcscd.te 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/pcscd.te 2008-08-07 11:15:11.000000000 -0400
|
||||||
@ -20880,7 +20948,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.5.8/policy/modules/services/postfix.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.5.8/policy/modules/services/postfix.te
|
||||||
--- nsaserefpolicy/policy/modules/services/postfix.te 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/postfix.te 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.8/policy/modules/services/postfix.te 2008-09-12 10:59:28.000000000 -0400
|
+++ serefpolicy-3.5.8/policy/modules/services/postfix.te 2008-09-15 10:53:20.000000000 -0400
|
||||||
@@ -6,6 +6,14 @@
|
@@ -6,6 +6,14 @@
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
@ -21098,17 +21166,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
uucp_domtrans_uux(postfix_pipe_t)
|
uucp_domtrans_uux(postfix_pipe_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -443,8 +491,7 @@
|
@@ -443,8 +491,11 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- ppp_use_fds(postfix_postqueue_t)
|
- ppp_use_fds(postfix_postqueue_t)
|
||||||
- ppp_sigchld(postfix_postqueue_t)
|
- ppp_sigchld(postfix_postqueue_t)
|
||||||
|
+ sendmail_rw_unix_stream_sockets(postfix_postdrop_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
+ uucp_manage_spool(postfix_postdrop_t)
|
+ uucp_manage_spool(postfix_postdrop_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@@ -470,6 +517,15 @@
|
@@ -470,6 +521,15 @@
|
||||||
init_sigchld_script(postfix_postqueue_t)
|
init_sigchld_script(postfix_postqueue_t)
|
||||||
init_use_script_fds(postfix_postqueue_t)
|
init_use_script_fds(postfix_postqueue_t)
|
||||||
|
|
||||||
@ -21124,18 +21196,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Postfix qmgr local policy
|
# Postfix qmgr local policy
|
||||||
@@ -564,6 +620,10 @@
|
@@ -553,6 +613,10 @@
|
||||||
sasl_connect(postfix_smtpd_t)
|
mta_read_aliases(postfix_smtpd_t)
|
||||||
')
|
|
||||||
|
|
||||||
+optional_policy(`
|
optional_policy(`
|
||||||
+ dovecot_auth_stream_connect(postfix_smtpd_t)
|
+ dovecot_auth_stream_connect(postfix_smtpd_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
########################################
|
+optional_policy(`
|
||||||
#
|
mailman_read_data_files(postfix_smtpd_t)
|
||||||
# Postfix virtual local policy
|
')
|
||||||
@@ -579,7 +639,7 @@
|
|
||||||
|
@@ -579,7 +643,7 @@
|
||||||
files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir })
|
files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir })
|
||||||
|
|
||||||
# connect to master process
|
# connect to master process
|
||||||
@ -24891,8 +24963,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.5.8/policy/modules/services/snmp.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.5.8/policy/modules/services/snmp.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/snmp.fc 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/snmp.fc 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.8/policy/modules/services/snmp.fc 2008-09-12 10:59:29.000000000 -0400
|
+++ serefpolicy-3.5.8/policy/modules/services/snmp.fc 2008-09-15 12:30:27.000000000 -0400
|
||||||
@@ -17,3 +17,6 @@
|
@@ -8,6 +8,7 @@
|
||||||
|
#
|
||||||
|
# /var
|
||||||
|
#
|
||||||
|
+/var/agentx(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
|
||||||
|
/var/lib/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
|
||||||
|
/var/lib/snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
|
||||||
|
|
||||||
|
@@ -17,3 +18,6 @@
|
||||||
|
|
||||||
/var/run/snmpd -d gen_context(system_u:object_r:snmpd_var_run_t,s0)
|
/var/run/snmpd -d gen_context(system_u:object_r:snmpd_var_run_t,s0)
|
||||||
/var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0)
|
/var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0)
|
||||||
@ -30587,7 +30667,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.5.8/policy/modules/system/logging.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.5.8/policy/modules/system/logging.te
|
||||||
--- nsaserefpolicy/policy/modules/system/logging.te 2008-09-03 10:17:00.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/logging.te 2008-09-03 10:17:00.000000000 -0400
|
||||||
+++ serefpolicy-3.5.8/policy/modules/system/logging.te 2008-09-12 10:59:29.000000000 -0400
|
+++ serefpolicy-3.5.8/policy/modules/system/logging.te 2008-09-15 13:03:25.000000000 -0400
|
||||||
@@ -72,6 +72,12 @@
|
@@ -72,6 +72,12 @@
|
||||||
logging_log_file(var_log_t)
|
logging_log_file(var_log_t)
|
||||||
files_mountpoint(var_log_t)
|
files_mountpoint(var_log_t)
|
||||||
@ -30601,7 +30681,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
ifdef(`enable_mls',`
|
ifdef(`enable_mls',`
|
||||||
init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh)
|
init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh)
|
||||||
init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
|
init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
|
||||||
@@ -145,6 +151,7 @@
|
@@ -124,6 +130,7 @@
|
||||||
|
allow auditd_t self:file { getattr read write };
|
||||||
|
allow auditd_t self:unix_dgram_socket create_socket_perms;
|
||||||
|
allow auditd_t self:fifo_file rw_file_perms;
|
||||||
|
+allow auditd_t self:tcp_socket create_stream_socket_perms;
|
||||||
|
|
||||||
|
allow auditd_t auditd_etc_t:dir list_dir_perms;
|
||||||
|
allow auditd_t auditd_etc_t:file read_file_perms;
|
||||||
|
@@ -145,9 +152,18 @@
|
||||||
|
|
||||||
fs_getattr_all_fs(auditd_t)
|
fs_getattr_all_fs(auditd_t)
|
||||||
fs_search_auto_mountpoints(auditd_t)
|
fs_search_auto_mountpoints(auditd_t)
|
||||||
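Review bot: `+allow auditd_t self:tcp_socket create_stream_socket_perms;` on the new side of this hunk, together with `corenet_tcp_bind_audit_port(auditd_t)` and the other corenet_* lines in the following hunk (`@ -30609,7 +30697,18 @@`), turns auditd into a network listener, but none of the lines say why. The existing comments in this block document the dispatcher by pointing at /etc/audit/auditd.conf, and a daemon that starts accepting TCP connections is a larger change in exposure that deserves the same treatment. Suggest a comment above the corenet block such as `# remote audit receiver (tcp_listen_port in /etc/audit/auditd.conf)`; note that the bind is limited to the audit port while send/receive covers all ports, which is worth stating as intended. The auditd_t rule block starts before and continues past these hunks.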
@ -30609,7 +30697,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
selinux_search_fs(auditctl_t)
|
selinux_search_fs(auditctl_t)
|
||||||
|
|
||||||
@@ -241,6 +248,7 @@
|
+corenet_all_recvfrom_unlabeled(auditd_t)
|
||||||
|
+corenet_all_recvfrom_netlabel(auditd_t)
|
||||||
|
+corenet_tcp_sendrecv_all_if(auditd_t)
|
||||||
|
+corenet_tcp_sendrecv_all_nodes(auditd_t)
|
||||||
|
+corenet_tcp_sendrecv_all_ports(auditd_t)
|
||||||
|
+corenet_tcp_bind_all_nodes(auditd_t)
|
||||||
|
+corenet_tcp_bind_audit_port(auditd_t)
|
||||||
|
+
|
||||||
|
# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
|
||||||
|
# Probably want a transition, and a new auditd_helper app
|
||||||
|
corecmd_exec_bin(auditd_t)
|
||||||
|
@@ -241,6 +257,7 @@
|
||||||
corenet_all_recvfrom_netlabel(audisp_remote_t)
|
corenet_all_recvfrom_netlabel(audisp_remote_t)
|
||||||
corenet_tcp_sendrecv_all_if(audisp_remote_t)
|
corenet_tcp_sendrecv_all_if(audisp_remote_t)
|
||||||
corenet_tcp_sendrecv_all_nodes(audisp_remote_t)
|
corenet_tcp_sendrecv_all_nodes(audisp_remote_t)
|
||||||
@ -31625,7 +31724,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.5.8/policy/modules/system/selinuxutil.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.5.8/policy/modules/system/selinuxutil.te
|
||||||
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2008-08-07 11:15:12.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2008-08-07 11:15:12.000000000 -0400
|
||||||
+++ serefpolicy-3.5.8/policy/modules/system/selinuxutil.te 2008-09-12 10:59:29.000000000 -0400
|
+++ serefpolicy-3.5.8/policy/modules/system/selinuxutil.te 2008-09-15 11:59:39.000000000 -0400
|
||||||
@@ -23,6 +23,9 @@
|
@@ -23,6 +23,9 @@
|
||||||
type selinux_config_t;
|
type selinux_config_t;
|
||||||
files_type(selinux_config_t)
|
files_type(selinux_config_t)
|
||||||
@ -31708,17 +31807,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
logging_send_syslog_msg(newrole_t)
|
logging_send_syslog_msg(newrole_t)
|
||||||
|
|
||||||
miscfiles_read_localization(newrole_t)
|
miscfiles_read_localization(newrole_t)
|
||||||
@@ -347,6 +351,9 @@
|
@@ -347,6 +351,8 @@
|
||||||
|
|
||||||
seutil_libselinux_linked(restorecond_t)
|
seutil_libselinux_linked(restorecond_t)
|
||||||
|
|
||||||
+userdom_read_all_users_home_dirs_symlinks(restorecond_t)
|
|
||||||
+userdom_read_all_users_home_content_symlinks(restorecond_t)
|
+userdom_read_all_users_home_content_symlinks(restorecond_t)
|
||||||
+
|
+
|
||||||
ifdef(`distro_ubuntu',`
|
ifdef(`distro_ubuntu',`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
unconfined_domain(restorecond_t)
|
unconfined_domain(restorecond_t)
|
||||||
@@ -365,7 +372,7 @@
|
@@ -365,7 +371,7 @@
|
||||||
allow run_init_t self:process setexec;
|
allow run_init_t self:process setexec;
|
||||||
allow run_init_t self:capability setuid;
|
allow run_init_t self:capability setuid;
|
||||||
allow run_init_t self:fifo_file rw_file_perms;
|
allow run_init_t self:fifo_file rw_file_perms;
|
||||||
@ -31727,7 +31825,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
# often the administrator runs such programs from a directory that is owned
|
# often the administrator runs such programs from a directory that is owned
|
||||||
# by a different user or has restrictive SE permissions, do not want to audit
|
# by a different user or has restrictive SE permissions, do not want to audit
|
||||||
@@ -396,7 +403,6 @@
|
@@ -396,7 +402,6 @@
|
||||||
|
|
||||||
auth_use_nsswitch(run_init_t)
|
auth_use_nsswitch(run_init_t)
|
||||||
auth_domtrans_chk_passwd(run_init_t)
|
auth_domtrans_chk_passwd(run_init_t)
|
||||||
@ -31735,7 +31833,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
auth_dontaudit_read_shadow(run_init_t)
|
auth_dontaudit_read_shadow(run_init_t)
|
||||||
|
|
||||||
init_spec_domtrans_script(run_init_t)
|
init_spec_domtrans_script(run_init_t)
|
||||||
@@ -435,64 +441,22 @@
|
@@ -435,64 +440,22 @@
|
||||||
# semodule local policy
|
# semodule local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -31808,7 +31906,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# netfilter_contexts:
|
# netfilter_contexts:
|
||||||
seutil_manage_default_contexts(semanage_t)
|
seutil_manage_default_contexts(semanage_t)
|
||||||
|
|
||||||
@@ -501,12 +465,27 @@
|
@@ -501,12 +464,27 @@
|
||||||
files_read_var_lib_symlinks(semanage_t)
|
files_read_var_lib_symlinks(semanage_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -31836,7 +31934,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# cjp: need a more general way to handle this:
|
# cjp: need a more general way to handle this:
|
||||||
ifdef(`enable_mls',`
|
ifdef(`enable_mls',`
|
||||||
# read secadm tmp files
|
# read secadm tmp files
|
||||||
@@ -514,121 +493,42 @@
|
@@ -514,121 +492,42 @@
|
||||||
# Handle pp files created in homedir and /tmp
|
# Handle pp files created in homedir and /tmp
|
||||||
sysadm_read_home_content_files(semanage_t)
|
sysadm_read_home_content_files(semanage_t)
|
||||||
sysadm_read_tmp_files(semanage_t)
|
sysadm_read_tmp_files(semanage_t)
|
||||||
@ -33142,7 +33240,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
|
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.8/policy/modules/system/userdomain.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.8/policy/modules/system/userdomain.if
|
||||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-08-07 11:15:12.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-08-07 11:15:12.000000000 -0400
|
||||||
+++ serefpolicy-3.5.8/policy/modules/system/userdomain.if 2008-09-12 10:59:29.000000000 -0400
|
+++ serefpolicy-3.5.8/policy/modules/system/userdomain.if 2008-09-15 11:58:54.000000000 -0400
|
||||||
@@ -28,10 +28,14 @@
|
@@ -28,10 +28,14 @@
|
||||||
class context contains;
|
class context contains;
|
||||||
')
|
')
|
||||||
@ -36115,7 +36213,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/file_patterns.spt serefpolicy-3.5.8/policy/support/file_patterns.spt
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/file_patterns.spt serefpolicy-3.5.8/policy/support/file_patterns.spt
|
||||||
--- nsaserefpolicy/policy/support/file_patterns.spt 2008-08-07 11:15:13.000000000 -0400
|
--- nsaserefpolicy/policy/support/file_patterns.spt 2008-08-07 11:15:13.000000000 -0400
|
||||||
+++ serefpolicy-3.5.8/policy/support/file_patterns.spt 2008-09-12 10:59:29.000000000 -0400
|
+++ serefpolicy-3.5.8/policy/support/file_patterns.spt 2008-09-16 09:08:28.000000000 -0400
|
||||||
@@ -537,3 +537,18 @@
|
@@ -537,3 +537,18 @@
|
||||||
allow $1 $2:dir rw_dir_perms;
|
allow $1 $2:dir rw_dir_perms;
|
||||||
type_transition $1 $2:$4 $3;
|
type_transition $1 $2:$4 $3;
|
||||||
|