- Update to upstream
This commit is contained in:
parent
fa0d1c8884
commit
d50690ad8f
@ -104,7 +104,7 @@ httpd_ssi_exec = false
|
|||||||
|
|
||||||
# Allow http daemon to communicate with the TTY
|
# Allow http daemon to communicate with the TTY
|
||||||
#
|
#
|
||||||
httpd_tty_comm = false
|
httpd_tty_comm = true
|
||||||
|
|
||||||
# Run CGI in the main httpd domain
|
# Run CGI in the main httpd domain
|
||||||
#
|
#
|
||||||
|
@ -705,8 +705,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors
|
|||||||
class key
|
class key
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.1.0/policy/global_tunables
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.1.0/policy/global_tunables
|
||||||
--- nsaserefpolicy/policy/global_tunables 2007-10-12 08:56:09.000000000 -0400
|
--- nsaserefpolicy/policy/global_tunables 2007-10-12 08:56:09.000000000 -0400
|
||||||
+++ serefpolicy-3.1.0/policy/global_tunables 2007-10-23 18:51:10.000000000 -0400
|
+++ serefpolicy-3.1.0/policy/global_tunables 2007-10-23 23:27:45.000000000 -0400
|
||||||
@@ -132,3 +132,19 @@
|
@@ -132,3 +132,12 @@
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(write_untrusted_content,false)
|
gen_tunable(write_untrusted_content,false)
|
||||||
@ -719,13 +719,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref
|
|||||||
+gen_tunable(allow_console_login,false)
|
+gen_tunable(allow_console_login,false)
|
||||||
+
|
+
|
||||||
+
|
+
|
||||||
+## <desc>
|
|
||||||
+## <p>
|
|
||||||
+## Allow xen to manage nfs files
|
|
||||||
+## </p>
|
|
||||||
+## </desc>
|
|
||||||
+gen_tunable(xen_use_nfs,false)
|
|
||||||
+
|
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc serefpolicy-3.1.0/policy/modules/admin/alsa.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc serefpolicy-3.1.0/policy/modules/admin/alsa.fc
|
||||||
--- nsaserefpolicy/policy/modules/admin/alsa.fc 2006-11-16 17:15:26.000000000 -0500
|
--- nsaserefpolicy/policy/modules/admin/alsa.fc 2006-11-16 17:15:26.000000000 -0500
|
||||||
+++ serefpolicy-3.1.0/policy/modules/admin/alsa.fc 2007-10-23 18:51:10.000000000 -0400
|
+++ serefpolicy-3.1.0/policy/modules/admin/alsa.fc 2007-10-23 18:51:10.000000000 -0400
|
||||||
@ -4623,7 +4616,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.1.0/policy/modules/services/apache.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.1.0/policy/modules/services/apache.te
|
||||||
--- nsaserefpolicy/policy/modules/services/apache.te 2007-10-23 07:37:52.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/apache.te 2007-10-23 07:37:52.000000000 -0400
|
||||||
+++ serefpolicy-3.1.0/policy/modules/services/apache.te 2007-10-23 18:51:10.000000000 -0400
|
+++ serefpolicy-3.1.0/policy/modules/services/apache.te 2007-10-23 23:15:09.000000000 -0400
|
||||||
@@ -20,6 +20,8 @@
|
@@ -20,6 +20,8 @@
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
@ -4647,30 +4640,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
## Allow Apache to use mod_auth_pam
|
## Allow Apache to use mod_auth_pam
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
@@ -47,6 +56,13 @@
|
@@ -44,6 +53,13 @@
|
||||||
## Allow http daemon to tcp connect
|
|
||||||
## </p>
|
## <desc>
|
||||||
## </desc>
|
## <p>
|
||||||
|
+## Allow http daemon to send mail
|
||||||
|
+## </p>
|
||||||
|
+## </desc>
|
||||||
+gen_tunable(httpd_can_sendmail,false)
|
+gen_tunable(httpd_can_sendmail,false)
|
||||||
+
|
+
|
||||||
+## <desc>
|
+## <desc>
|
||||||
+## <p>
|
+## <p>
|
||||||
+## Allow http daemon to tcp connect
|
## Allow http daemon to tcp connect
|
||||||
+## </p>
|
|
||||||
+## </desc>
|
|
||||||
gen_tunable(httpd_can_network_connect,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
@@ -97,7 +113,7 @@
|
|
||||||
## Allow http daemon to communicate with the TTY
|
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
-gen_tunable(httpd_tty_comm,false)
|
@@ -106,6 +122,27 @@
|
||||||
+gen_tunable(httpd_tty_comm,true)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
@@ -106,14 +122,33 @@
|
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(httpd_unified,false)
|
gen_tunable(httpd_unified,false)
|
||||||
|
|
||||||
@ -4696,17 +4680,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
+gen_tunable(allow_httpd_sys_script_anon_write,false)
|
+gen_tunable(allow_httpd_sys_script_anon_write,false)
|
||||||
+
|
+
|
||||||
attribute httpdcontent;
|
attribute httpdcontent;
|
||||||
-attribute httpd_user_content_type;
|
attribute httpd_user_content_type;
|
||||||
|
|
||||||
# domains that can exec all users scripts
|
@@ -144,6 +181,9 @@
|
||||||
attribute httpd_exec_scripts;
|
|
||||||
|
|
||||||
attribute httpd_script_exec_type;
|
|
||||||
-attribute httpd_user_script_exec_type;
|
|
||||||
|
|
||||||
# user script domains
|
|
||||||
attribute httpd_script_domains;
|
|
||||||
@@ -144,6 +179,9 @@
|
|
||||||
type httpd_log_t;
|
type httpd_log_t;
|
||||||
logging_log_file(httpd_log_t)
|
logging_log_file(httpd_log_t)
|
||||||
|
|
||||||
@ -4716,22 +4692,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
# httpd_modules_t is the type given to module files (libraries)
|
# httpd_modules_t is the type given to module files (libraries)
|
||||||
# that come with Apache /etc/httpd/modules and /usr/lib/apache
|
# that come with Apache /etc/httpd/modules and /usr/lib/apache
|
||||||
type httpd_modules_t;
|
type httpd_modules_t;
|
||||||
@@ -184,6 +222,14 @@
|
@@ -204,7 +244,7 @@
|
||||||
type httpd_tmpfs_t;
|
|
||||||
files_tmpfs_file(httpd_tmpfs_t)
|
|
||||||
|
|
||||||
+# Unconfined domain for apache scripts.
|
|
||||||
+# Only to be used as a last resort
|
|
||||||
+type httpd_unconfined_script_t;
|
|
||||||
+type httpd_unconfined_script_exec_t; # customizable
|
|
||||||
+domain_type(httpd_unconfined_script_t)
|
|
||||||
+domain_entry_file(httpd_unconfined_script_t,httpd_unconfined_script_exec_t)
|
|
||||||
+role system_r types httpd_unconfined_script_t;
|
|
||||||
+
|
|
||||||
# for apache2 memory mapped files
|
|
||||||
type httpd_var_lib_t;
|
|
||||||
files_type(httpd_var_lib_t)
|
|
||||||
@@ -204,9 +250,11 @@
|
|
||||||
# Apache server local policy
|
# Apache server local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -4739,12 +4700,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
+allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
|
+allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
|
||||||
dontaudit httpd_t self:capability { net_admin sys_tty_config };
|
dontaudit httpd_t self:capability { net_admin sys_tty_config };
|
||||||
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||||
+dontaudit httpd_t self:process setfscreate;
|
|
||||||
+
|
|
||||||
allow httpd_t self:fd use;
|
allow httpd_t self:fd use;
|
||||||
allow httpd_t self:sock_file read_sock_file_perms;
|
@@ -246,6 +286,7 @@
|
||||||
allow httpd_t self:fifo_file rw_fifo_file_perms;
|
|
||||||
@@ -246,6 +294,7 @@
|
|
||||||
allow httpd_t httpd_modules_t:dir list_dir_perms;
|
allow httpd_t httpd_modules_t:dir list_dir_perms;
|
||||||
mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
|
mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
|
||||||
read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
|
read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
|
||||||
@ -4752,7 +4709,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
|
|
||||||
apache_domtrans_rotatelogs(httpd_t)
|
apache_domtrans_rotatelogs(httpd_t)
|
||||||
# Apache-httpd needs to be able to send signals to the log rotate procs.
|
# Apache-httpd needs to be able to send signals to the log rotate procs.
|
||||||
@@ -286,6 +335,7 @@
|
@@ -286,6 +327,7 @@
|
||||||
kernel_read_kernel_sysctls(httpd_t)
|
kernel_read_kernel_sysctls(httpd_t)
|
||||||
# for modules that want to access /proc/meminfo
|
# for modules that want to access /proc/meminfo
|
||||||
kernel_read_system_state(httpd_t)
|
kernel_read_system_state(httpd_t)
|
||||||
@ -4760,7 +4717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
|
|
||||||
corenet_all_recvfrom_unlabeled(httpd_t)
|
corenet_all_recvfrom_unlabeled(httpd_t)
|
||||||
corenet_all_recvfrom_netlabel(httpd_t)
|
corenet_all_recvfrom_netlabel(httpd_t)
|
||||||
@@ -332,6 +382,10 @@
|
@@ -332,6 +374,10 @@
|
||||||
files_read_var_lib_symlinks(httpd_t)
|
files_read_var_lib_symlinks(httpd_t)
|
||||||
|
|
||||||
fs_search_auto_mountpoints(httpd_sys_script_t)
|
fs_search_auto_mountpoints(httpd_sys_script_t)
|
||||||
@ -4771,18 +4728,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
|
|
||||||
libs_use_ld_so(httpd_t)
|
libs_use_ld_so(httpd_t)
|
||||||
libs_use_shared_libs(httpd_t)
|
libs_use_shared_libs(httpd_t)
|
||||||
@@ -350,7 +404,9 @@
|
@@ -346,12 +392,8 @@
|
||||||
|
|
||||||
|
seutil_dontaudit_search_config(httpd_t)
|
||||||
|
|
||||||
|
-sysnet_read_config(httpd_t)
|
||||||
|
-
|
||||||
userdom_use_unpriv_users_fds(httpd_t)
|
userdom_use_unpriv_users_fds(httpd_t)
|
||||||
|
|
||||||
-mta_send_mail(httpd_t)
|
-mta_send_mail(httpd_t)
|
||||||
+tunable_policy(`httpd_enable_homedirs',`
|
-
|
||||||
+ userdom_search_generic_user_home_dirs(httpd_t)
|
|
||||||
+')
|
|
||||||
|
|
||||||
tunable_policy(`allow_httpd_anon_write',`
|
tunable_policy(`allow_httpd_anon_write',`
|
||||||
miscfiles_manage_public_files(httpd_t)
|
miscfiles_manage_public_files(httpd_t)
|
||||||
@@ -362,6 +418,7 @@
|
')
|
||||||
|
@@ -362,6 +404,7 @@
|
||||||
#
|
#
|
||||||
tunable_policy(`allow_httpd_mod_auth_pam',`
|
tunable_policy(`allow_httpd_mod_auth_pam',`
|
||||||
auth_domtrans_chk_passwd(httpd_t)
|
auth_domtrans_chk_passwd(httpd_t)
|
||||||
@ -4790,7 +4749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -369,6 +426,16 @@
|
@@ -369,6 +412,16 @@
|
||||||
corenet_tcp_connect_all_ports(httpd_t)
|
corenet_tcp_connect_all_ports(httpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -4807,7 +4766,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
tunable_policy(`httpd_can_network_connect_db',`
|
tunable_policy(`httpd_can_network_connect_db',`
|
||||||
# allow httpd to connect to mysql/posgresql
|
# allow httpd to connect to mysql/posgresql
|
||||||
corenet_tcp_connect_postgresql_port(httpd_t)
|
corenet_tcp_connect_postgresql_port(httpd_t)
|
||||||
@@ -389,6 +456,17 @@
|
@@ -389,6 +442,17 @@
|
||||||
corenet_sendrecv_http_cache_client_packets(httpd_t)
|
corenet_sendrecv_http_cache_client_packets(httpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -4825,7 +4784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
|
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
|
||||||
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
|
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
|
||||||
|
|
||||||
@@ -406,11 +484,21 @@
|
@@ -406,11 +470,21 @@
|
||||||
fs_read_nfs_symlinks(httpd_t)
|
fs_read_nfs_symlinks(httpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -4847,7 +4806,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
tunable_policy(`httpd_ssi_exec',`
|
tunable_policy(`httpd_ssi_exec',`
|
||||||
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
|
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
|
||||||
allow httpd_sys_script_t httpd_t:fd use;
|
allow httpd_sys_script_t httpd_t:fd use;
|
||||||
@@ -432,6 +520,12 @@
|
@@ -432,6 +506,12 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -4860,7 +4819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
calamaris_read_www_files(httpd_t)
|
calamaris_read_www_files(httpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -444,8 +538,15 @@
|
@@ -444,8 +524,15 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -4877,7 +4836,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -459,11 +560,11 @@
|
@@ -459,11 +546,11 @@
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
mysql_stream_connect(httpd_t)
|
mysql_stream_connect(httpd_t)
|
||||||
mysql_rw_db_sockets(httpd_t)
|
mysql_rw_db_sockets(httpd_t)
|
||||||
@ -4890,7 +4849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -483,6 +584,7 @@
|
@@ -483,6 +570,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -4898,11 +4857,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
|
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
|
||||||
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
|
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
|
||||||
')
|
')
|
||||||
@@ -514,10 +616,16 @@
|
@@ -518,6 +606,13 @@
|
||||||
tunable_policy(`httpd_tty_comm',`
|
|
||||||
# cjp: this is redundant:
|
|
||||||
term_use_controlling_term(httpd_helper_t)
|
|
||||||
-
|
|
||||||
userdom_use_sysadm_terms(httpd_helper_t)
|
userdom_use_sysadm_terms(httpd_helper_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -4916,7 +4871,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Apache PHP script local policy
|
# Apache PHP script local policy
|
||||||
@@ -555,6 +663,7 @@
|
@@ -555,6 +650,7 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
mysql_stream_connect(httpd_php_t)
|
mysql_stream_connect(httpd_php_t)
|
||||||
@ -4924,7 +4879,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -569,7 +678,6 @@
|
@@ -569,7 +665,6 @@
|
||||||
allow httpd_suexec_t self:capability { setuid setgid };
|
allow httpd_suexec_t self:capability { setuid setgid };
|
||||||
allow httpd_suexec_t self:process signal_perms;
|
allow httpd_suexec_t self:process signal_perms;
|
||||||
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
|
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
@ -4932,7 +4887,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
|
|
||||||
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
|
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
|
||||||
|
|
||||||
@@ -583,6 +691,10 @@
|
@@ -583,6 +678,10 @@
|
||||||
manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
|
manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
|
||||||
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
|
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
|
||||||
|
|
||||||
@ -4943,33 +4898,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
kernel_read_kernel_sysctls(httpd_suexec_t)
|
kernel_read_kernel_sysctls(httpd_suexec_t)
|
||||||
kernel_list_proc(httpd_suexec_t)
|
kernel_list_proc(httpd_suexec_t)
|
||||||
kernel_read_proc_symlinks(httpd_suexec_t)
|
kernel_read_proc_symlinks(httpd_suexec_t)
|
||||||
@@ -608,6 +720,10 @@
|
@@ -622,8 +721,10 @@
|
||||||
|
|
||||||
miscfiles_read_localization(httpd_suexec_t)
|
|
||||||
|
|
||||||
+tunable_policy(`httpd_enable_homedirs',`
|
|
||||||
+ userdom_search_generic_user_home_dirs(httpd_suexec_t)
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
tunable_policy(`httpd_can_network_connect',`
|
|
||||||
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
|
|
||||||
allow httpd_suexec_t self:udp_socket create_socket_perms;
|
|
||||||
@@ -622,10 +738,13 @@
|
|
||||||
corenet_udp_sendrecv_all_ports(httpd_suexec_t)
|
corenet_udp_sendrecv_all_ports(httpd_suexec_t)
|
||||||
corenet_tcp_connect_all_ports(httpd_suexec_t)
|
corenet_tcp_connect_all_ports(httpd_suexec_t)
|
||||||
corenet_sendrecv_all_client_packets(httpd_suexec_t)
|
corenet_sendrecv_all_client_packets(httpd_suexec_t)
|
||||||
-
|
+')
|
||||||
sysnet_read_config(httpd_suexec_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
|
- sysnet_read_config(httpd_suexec_t)
|
||||||
+tunable_policy(`httpd_enable_cgi',`
|
+tunable_policy(`httpd_enable_cgi',`
|
||||||
+ domtrans_pattern(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
|
+ domtrans_pattern(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
|
||||||
+')
|
|
||||||
+
|
|
||||||
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
|
||||||
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
|
|
||||||
')
|
')
|
||||||
@@ -636,6 +755,12 @@
|
|
||||||
|
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
||||||
|
@@ -636,6 +737,12 @@
|
||||||
fs_exec_nfs_files(httpd_suexec_t)
|
fs_exec_nfs_files(httpd_suexec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -4982,7 +4923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||||
fs_read_cifs_files(httpd_suexec_t)
|
fs_read_cifs_files(httpd_suexec_t)
|
||||||
fs_read_cifs_symlinks(httpd_suexec_t)
|
fs_read_cifs_symlinks(httpd_suexec_t)
|
||||||
@@ -653,18 +778,6 @@
|
@@ -653,18 +760,6 @@
|
||||||
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -5001,7 +4942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Apache system script local policy
|
# Apache system script local policy
|
||||||
@@ -674,7 +787,8 @@
|
@@ -674,7 +769,8 @@
|
||||||
|
|
||||||
dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
||||||
|
|
||||||
@ -5011,7 +4952,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
|
|
||||||
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
|
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
|
||||||
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
|
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
|
||||||
@@ -688,15 +802,66 @@
|
@@ -688,15 +784,62 @@
|
||||||
# Should we add a boolean?
|
# Should we add a boolean?
|
||||||
apache_domtrans_rotatelogs(httpd_sys_script_t)
|
apache_domtrans_rotatelogs(httpd_sys_script_t)
|
||||||
|
|
||||||
@ -5022,20 +4963,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
')
|
')
|
||||||
|
|
||||||
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||||
+tunable_policy(`httpd_enable_homedirs',`
|
|
||||||
+ userdom_search_generic_user_home_dirs(httpd_sys_script_t)
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
+tunable_policy(`httpd_use_nfs', `
|
+tunable_policy(`httpd_use_nfs', `
|
||||||
fs_read_nfs_files(httpd_sys_script_t)
|
|
||||||
fs_read_nfs_symlinks(httpd_sys_script_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
|
|
||||||
+ fs_read_nfs_files(httpd_sys_script_t)
|
+ fs_read_nfs_files(httpd_sys_script_t)
|
||||||
+ fs_read_nfs_symlinks(httpd_sys_script_t)
|
+ fs_read_nfs_symlinks(httpd_sys_script_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
|
||||||
|
fs_read_nfs_files(httpd_sys_script_t)
|
||||||
|
fs_read_nfs_symlinks(httpd_sys_script_t)
|
||||||
|
')
|
||||||
|
|
||||||
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
|
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
|
||||||
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
|
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
|
||||||
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
|
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
|
||||||
@ -5079,28 +5016,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||||
fs_read_cifs_files(httpd_sys_script_t)
|
fs_read_cifs_files(httpd_sys_script_t)
|
||||||
fs_read_cifs_symlinks(httpd_sys_script_t)
|
fs_read_cifs_symlinks(httpd_sys_script_t)
|
||||||
@@ -709,6 +874,20 @@
|
@@ -709,6 +852,7 @@
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
mysql_stream_connect(httpd_sys_script_t)
|
mysql_stream_connect(httpd_sys_script_t)
|
||||||
mysql_rw_db_sockets(httpd_sys_script_t)
|
mysql_rw_db_sockets(httpd_sys_script_t)
|
||||||
+ mysql_read_config(httpd_sys_script_t)
|
+ mysql_read_config(httpd_sys_script_t)
|
||||||
+')
|
|
||||||
+
|
|
||||||
+########################################
|
|
||||||
+#
|
|
||||||
+# Apache unconfined script local policy
|
|
||||||
+#
|
|
||||||
+
|
|
||||||
+optional_policy(`
|
|
||||||
+ nscd_socket_use(httpd_unconfined_script_t)
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
+optional_policy(`
|
|
||||||
+ unconfined_domain(httpd_unconfined_script_t)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -730,3 +909,20 @@
|
@@ -730,3 +874,20 @@
|
||||||
logging_search_logs(httpd_rotatelogs_t)
|
logging_search_logs(httpd_rotatelogs_t)
|
||||||
|
|
||||||
miscfiles_read_localization(httpd_rotatelogs_t)
|
miscfiles_read_localization(httpd_rotatelogs_t)
|
||||||
@ -6487,7 +6411,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
|
|||||||
--- nsaserefpolicy/policy/modules/services/exim.fc 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/exim.fc 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.1.0/policy/modules/services/exim.fc 2007-10-23 18:51:10.000000000 -0400
|
+++ serefpolicy-3.1.0/policy/modules/services/exim.fc 2007-10-23 18:51:10.000000000 -0400
|
||||||
@@ -0,0 +1,15 @@
|
@@ -0,0 +1,15 @@
|
||||||
+# $Id: policy-20071023.patch,v 1.1 2007/10/23 23:13:09 dwalsh Exp $
|
+# $Id: policy-20071023.patch,v 1.2 2007/10/24 03:29:53 dwalsh Exp $
|
||||||
+# Draft SELinux refpolicy module for the Exim MTA
|
+# Draft SELinux refpolicy module for the Exim MTA
|
||||||
+#
|
+#
|
||||||
+# Devin Carraway <selinux/at/devin.com>
|
+# Devin Carraway <selinux/at/devin.com>
|
||||||
@ -6667,7 +6591,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
|
|||||||
--- nsaserefpolicy/policy/modules/services/exim.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/exim.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.1.0/policy/modules/services/exim.te 2007-10-23 18:51:10.000000000 -0400
|
+++ serefpolicy-3.1.0/policy/modules/services/exim.te 2007-10-23 18:51:10.000000000 -0400
|
||||||
@@ -0,0 +1,232 @@
|
@@ -0,0 +1,232 @@
|
||||||
+# $Id: policy-20071023.patch,v 1.1 2007/10/23 23:13:09 dwalsh Exp $
|
+# $Id: policy-20071023.patch,v 1.2 2007/10/24 03:29:53 dwalsh Exp $
|
||||||
+# Draft SELinux refpolicy module for the Exim MTA
|
+# Draft SELinux refpolicy module for the Exim MTA
|
||||||
+#
|
+#
|
||||||
+# Devin Carraway <selinux/at/devin.com>
|
+# Devin Carraway <selinux/at/devin.com>
|
||||||
@ -11192,7 +11116,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
|
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.1.0/policy/modules/system/authlogin.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.1.0/policy/modules/system/authlogin.if
|
||||||
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-10-12 08:56:08.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-10-12 08:56:08.000000000 -0400
|
||||||
+++ serefpolicy-3.1.0/policy/modules/system/authlogin.if 2007-10-23 18:51:10.000000000 -0400
|
+++ serefpolicy-3.1.0/policy/modules/system/authlogin.if 2007-10-23 23:15:41.000000000 -0400
|
||||||
@@ -26,7 +26,8 @@
|
@@ -26,7 +26,8 @@
|
||||||
type $1_chkpwd_t, can_read_shadow_passwords;
|
type $1_chkpwd_t, can_read_shadow_passwords;
|
||||||
application_domain($1_chkpwd_t,chkpwd_exec_t)
|
application_domain($1_chkpwd_t,chkpwd_exec_t)
|
||||||
@ -11706,9 +11630,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
|
|||||||
/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||||
/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||||
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||||
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.if serefpolicy-3.1.0/policy/modules/system/fstools.if
|
||||||
|
--- nsaserefpolicy/policy/modules/system/fstools.if 2007-08-22 17:33:53.000000000 -0400
|
||||||
|
+++ serefpolicy-3.1.0/policy/modules/system/fstools.if 2007-10-23 23:27:18.000000000 -0400
|
||||||
|
@@ -142,3 +142,20 @@
|
||||||
|
|
||||||
|
allow $1 swapfile_t:file getattr;
|
||||||
|
')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Create, read, write, and delete a nfs files
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Not used
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`fstools_manage_nfs',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type fsadm_t;
|
||||||
|
+ ')
|
||||||
|
+ fs_manage_nfs_files(fsadm_t)
|
||||||
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.1.0/policy/modules/system/fstools.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.1.0/policy/modules/system/fstools.te
|
||||||
--- nsaserefpolicy/policy/modules/system/fstools.te 2007-10-12 08:56:08.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/fstools.te 2007-10-12 08:56:08.000000000 -0400
|
||||||
+++ serefpolicy-3.1.0/policy/modules/system/fstools.te 2007-10-23 18:51:10.000000000 -0400
|
+++ serefpolicy-3.1.0/policy/modules/system/fstools.te 2007-10-23 23:25:29.000000000 -0400
|
||||||
@@ -109,8 +109,7 @@
|
@@ -109,8 +109,7 @@
|
||||||
|
|
||||||
term_use_console(fsadm_t)
|
term_use_console(fsadm_t)
|
||||||
@ -11719,15 +11667,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
|
|||||||
#RedHat bug #201164
|
#RedHat bug #201164
|
||||||
corecmd_exec_shell(fsadm_t)
|
corecmd_exec_shell(fsadm_t)
|
||||||
|
|
||||||
@@ -183,4 +182,9 @@
|
@@ -183,4 +182,5 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
xen_append_log(fsadm_t)
|
xen_append_log(fsadm_t)
|
||||||
+ xen_rw_image_files(fsadm_t)
|
+ xen_rw_image_files(fsadm_t)
|
||||||
+')
|
|
||||||
+
|
|
||||||
+tunable_policy(`xen_use_nfs',`
|
|
||||||
+ fs_manage_nfs_files(fsadm_t)
|
|
||||||
')
|
')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.fc serefpolicy-3.1.0/policy/modules/system/fusermount.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.fc serefpolicy-3.1.0/policy/modules/system/fusermount.fc
|
||||||
--- nsaserefpolicy/policy/modules/system/fusermount.fc 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/fusermount.fc 1969-12-31 19:00:00.000000000 -0500
|
||||||
@ -13897,7 +13841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.1.0/policy/modules/system/selinuxutil.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.1.0/policy/modules/system/selinuxutil.te
|
||||||
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-10-12 08:56:08.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-10-12 08:56:08.000000000 -0400
|
||||||
+++ serefpolicy-3.1.0/policy/modules/system/selinuxutil.te 2007-10-23 18:51:10.000000000 -0400
|
+++ serefpolicy-3.1.0/policy/modules/system/selinuxutil.te 2007-10-23 22:51:52.000000000 -0400
|
||||||
@@ -76,7 +76,6 @@
|
@@ -76,7 +76,6 @@
|
||||||
type restorecond_exec_t;
|
type restorecond_exec_t;
|
||||||
init_daemon_domain(restorecond_t,restorecond_exec_t)
|
init_daemon_domain(restorecond_t,restorecond_exec_t)
|
||||||
@ -13931,7 +13875,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ usermanage_dontaudit_useradd_use_fds(load_policy_t)
|
+ usermanage_dontaudit_use_useradd_fds(load_policy_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+
|
+
|
||||||
@ -14654,7 +14598,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.1.0/policy/modules/system/unconfined.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.1.0/policy/modules/system/unconfined.te
|
||||||
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-10-12 08:56:08.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-10-12 08:56:08.000000000 -0400
|
||||||
+++ serefpolicy-3.1.0/policy/modules/system/unconfined.te 2007-10-23 19:06:14.000000000 -0400
|
+++ serefpolicy-3.1.0/policy/modules/system/unconfined.te 2007-10-23 23:11:40.000000000 -0400
|
||||||
@@ -5,17 +5,23 @@
|
@@ -5,17 +5,23 @@
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
@ -14719,7 +14663,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||||||
seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||||
seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||||
|
|
||||||
@@ -51,14 +67,11 @@
|
@@ -51,13 +67,12 @@
|
||||||
userdom_priveleged_home_dir_manager(unconfined_t)
|
userdom_priveleged_home_dir_manager(unconfined_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -14729,13 +14673,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
apache_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
apache_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||||
- apache_per_role_template(unconfined, unconfined_t, unconfined_r)
|
apache_per_role_template(unconfined, unconfined_t, unconfined_r)
|
||||||
- # this is disallowed usage:
|
- # this is disallowed usage:
|
||||||
- unconfined_domain(httpd_unconfined_script_t)
|
unconfined_domain(httpd_unconfined_script_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
@@ -107,6 +122,10 @@
|
||||||
@@ -107,6 +120,10 @@
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
oddjob_dbus_chat(unconfined_t)
|
oddjob_dbus_chat(unconfined_t)
|
||||||
')
|
')
|
||||||
@ -14746,7 +14689,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -118,11 +135,11 @@
|
@@ -118,11 +137,11 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -14760,7 +14703,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -134,11 +151,7 @@
|
@@ -134,11 +153,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -14773,7 +14716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -155,32 +168,23 @@
|
@@ -155,32 +170,23 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||||
@ -14810,7 +14753,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -205,11 +209,22 @@
|
@@ -205,11 +211,22 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -14835,7 +14778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -225,8 +240,21 @@
|
@@ -225,8 +242,19 @@
|
||||||
|
|
||||||
init_dbus_chat_script(unconfined_execmem_t)
|
init_dbus_chat_script(unconfined_execmem_t)
|
||||||
unconfined_dbus_chat(unconfined_execmem_t)
|
unconfined_dbus_chat(unconfined_execmem_t)
|
||||||
@ -14855,8 +14798,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||||||
+
|
+
|
||||||
+ ')
|
+ ')
|
||||||
')
|
')
|
||||||
+
|
|
||||||
+corecmd_exec_all_executables(unconfined_t)
|
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.1.0/policy/modules/system/userdomain.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.1.0/policy/modules/system/userdomain.fc
|
||||||
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2007-02-19 11:32:53.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2007-02-19 11:32:53.000000000 -0500
|
||||||
+++ serefpolicy-3.1.0/policy/modules/system/userdomain.fc 2007-10-23 18:51:10.000000000 -0400
|
+++ serefpolicy-3.1.0/policy/modules/system/userdomain.fc 2007-10-23 18:51:10.000000000 -0400
|
||||||
@ -16460,7 +16401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.1.0/policy/modules/system/userdomain.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.1.0/policy/modules/system/userdomain.te
|
||||||
--- nsaserefpolicy/policy/modules/system/userdomain.te 2007-10-12 08:56:08.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/userdomain.te 2007-10-12 08:56:08.000000000 -0400
|
||||||
+++ serefpolicy-3.1.0/policy/modules/system/userdomain.te 2007-10-23 19:10:17.000000000 -0400
|
+++ serefpolicy-3.1.0/policy/modules/system/userdomain.te 2007-10-23 19:10:51.000000000 -0400
|
||||||
@@ -24,13 +24,6 @@
|
@@ -24,13 +24,6 @@
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
@ -16573,8 +16514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
seutil_run_runinit(sysadm_t, sysadm_r, admin_terminal)
|
seutil_run_runinit(sysadm_t, sysadm_r, admin_terminal)
|
||||||
|
|
||||||
ifdef(`enable_mls',`
|
ifdef(`enable_mls',`
|
||||||
- userdom_security_admin_template(secadm_t, secadm_r, { secadm_tty_device_t sysadm_devpts_t })
|
userdom_security_admin_template(secadm_t, secadm_r, { secadm_tty_device_t sysadm_devpts_t })
|
||||||
+ userdom_security_admin_template(secadm_t,secadm_r, { secadm_tty_device_t sysadm_devpts_t })
|
|
||||||
+# tunable_policy(`allow_sysadm_manage_security',`
|
+# tunable_policy(`allow_sysadm_manage_security',`
|
||||||
+ userdom_security_admin_template(sysadm_t, sysadm_r, admin_terminal)
|
+ userdom_security_admin_template(sysadm_t, sysadm_r, admin_terminal)
|
||||||
+# ')
|
+# ')
|
||||||
@ -16713,8 +16653,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.1.0/policy/modules/system/xen.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.1.0/policy/modules/system/xen.te
|
||||||
--- nsaserefpolicy/policy/modules/system/xen.te 2007-10-12 08:56:08.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/xen.te 2007-10-12 08:56:08.000000000 -0400
|
||||||
+++ serefpolicy-3.1.0/policy/modules/system/xen.te 2007-10-23 18:51:10.000000000 -0400
|
+++ serefpolicy-3.1.0/policy/modules/system/xen.te 2007-10-23 23:28:04.000000000 -0400
|
||||||
@@ -45,9 +45,7 @@
|
@@ -6,6 +6,13 @@
|
||||||
|
# Declarations
|
||||||
|
#
|
||||||
|
|
||||||
|
+## <desc>
|
||||||
|
+## <p>
|
||||||
|
+## Allow xen to manage nfs files
|
||||||
|
+## </p>
|
||||||
|
+## </desc>
|
||||||
|
+gen_tunable(xen_use_nfs,false)
|
||||||
|
+
|
||||||
|
# console ptys
|
||||||
|
type xen_devpts_t;
|
||||||
|
term_pty(xen_devpts_t);
|
||||||
|
@@ -45,9 +52,7 @@
|
||||||
|
|
||||||
type xenstored_t;
|
type xenstored_t;
|
||||||
type xenstored_exec_t;
|
type xenstored_exec_t;
|
||||||
@ -16725,7 +16679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
|
|||||||
|
|
||||||
# var/lib files
|
# var/lib files
|
||||||
type xenstored_var_lib_t;
|
type xenstored_var_lib_t;
|
||||||
@@ -59,8 +57,7 @@
|
@@ -59,8 +64,7 @@
|
||||||
|
|
||||||
type xenconsoled_t;
|
type xenconsoled_t;
|
||||||
type xenconsoled_exec_t;
|
type xenconsoled_exec_t;
|
||||||
@ -16735,7 +16689,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
|
|||||||
role system_r types xenconsoled_t;
|
role system_r types xenconsoled_t;
|
||||||
|
|
||||||
# pid files
|
# pid files
|
||||||
@@ -95,7 +92,7 @@
|
@@ -95,7 +99,7 @@
|
||||||
read_lnk_files_pattern(xend_t,xen_image_t,xen_image_t)
|
read_lnk_files_pattern(xend_t,xen_image_t,xen_image_t)
|
||||||
rw_blk_files_pattern(xend_t,xen_image_t,xen_image_t)
|
rw_blk_files_pattern(xend_t,xen_image_t,xen_image_t)
|
||||||
|
|
||||||
@ -16744,7 +16698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
|
|||||||
dev_filetrans(xend_t, xenctl_t, fifo_file)
|
dev_filetrans(xend_t, xenctl_t, fifo_file)
|
||||||
|
|
||||||
manage_files_pattern(xend_t,xend_tmp_t,xend_tmp_t)
|
manage_files_pattern(xend_t,xend_tmp_t,xend_tmp_t)
|
||||||
@@ -122,15 +119,13 @@
|
@@ -122,15 +126,13 @@
|
||||||
manage_fifo_files_pattern(xend_t,xend_var_lib_t,xend_var_lib_t)
|
manage_fifo_files_pattern(xend_t,xend_var_lib_t,xend_var_lib_t)
|
||||||
files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir })
|
files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir })
|
||||||
|
|
||||||
@ -16764,7 +16718,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
|
|||||||
|
|
||||||
kernel_read_kernel_sysctls(xend_t)
|
kernel_read_kernel_sysctls(xend_t)
|
||||||
kernel_read_system_state(xend_t)
|
kernel_read_system_state(xend_t)
|
||||||
@@ -176,6 +171,7 @@
|
@@ -176,6 +178,7 @@
|
||||||
files_manage_etc_runtime_files(xend_t)
|
files_manage_etc_runtime_files(xend_t)
|
||||||
files_etc_filetrans_etc_runtime(xend_t,file)
|
files_etc_filetrans_etc_runtime(xend_t,file)
|
||||||
files_read_usr_files(xend_t)
|
files_read_usr_files(xend_t)
|
||||||
@ -16772,7 +16726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
|
|||||||
|
|
||||||
storage_raw_read_fixed_disk(xend_t)
|
storage_raw_read_fixed_disk(xend_t)
|
||||||
storage_raw_write_fixed_disk(xend_t)
|
storage_raw_write_fixed_disk(xend_t)
|
||||||
@@ -214,6 +210,10 @@
|
@@ -214,6 +217,10 @@
|
||||||
netutils_domtrans(xend_t)
|
netutils_domtrans(xend_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -16783,7 +16737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
|
|||||||
consoletype_exec(xend_t)
|
consoletype_exec(xend_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -224,7 +224,7 @@
|
@@ -224,7 +231,7 @@
|
||||||
|
|
||||||
allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
|
allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
|
||||||
allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
|
allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
@ -16792,7 +16746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
|
|||||||
|
|
||||||
allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
|
allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
|
||||||
|
|
||||||
@@ -257,7 +257,7 @@
|
@@ -257,7 +264,7 @@
|
||||||
|
|
||||||
miscfiles_read_localization(xenconsoled_t)
|
miscfiles_read_localization(xenconsoled_t)
|
||||||
|
|
||||||
@ -16801,7 +16755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
|
|||||||
xen_stream_connect_xenstore(xenconsoled_t)
|
xen_stream_connect_xenstore(xenconsoled_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -265,7 +265,7 @@
|
@@ -265,7 +272,7 @@
|
||||||
# Xen store local policy
|
# Xen store local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -16810,7 +16764,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
|
|||||||
allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
|
allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
allow xenstored_t self:unix_dgram_socket create_socket_perms;
|
allow xenstored_t self:unix_dgram_socket create_socket_perms;
|
||||||
|
|
||||||
@@ -318,12 +318,13 @@
|
@@ -318,12 +325,13 @@
|
||||||
allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
|
allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
|
||||||
|
|
||||||
# internal communication is often done using fifo and unix sockets.
|
# internal communication is often done using fifo and unix sockets.
|
||||||
@ -16825,7 +16779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
|
|||||||
files_search_var_lib(xm_t)
|
files_search_var_lib(xm_t)
|
||||||
|
|
||||||
allow xm_t xen_image_t:dir rw_dir_perms;
|
allow xm_t xen_image_t:dir rw_dir_perms;
|
||||||
@@ -336,6 +337,7 @@
|
@@ -336,6 +344,7 @@
|
||||||
kernel_write_xen_state(xm_t)
|
kernel_write_xen_state(xm_t)
|
||||||
|
|
||||||
corecmd_exec_bin(xm_t)
|
corecmd_exec_bin(xm_t)
|
||||||
@ -16833,7 +16787,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
|
|||||||
|
|
||||||
corenet_tcp_sendrecv_generic_if(xm_t)
|
corenet_tcp_sendrecv_generic_if(xm_t)
|
||||||
corenet_tcp_sendrecv_all_nodes(xm_t)
|
corenet_tcp_sendrecv_all_nodes(xm_t)
|
||||||
@@ -351,8 +353,11 @@
|
@@ -351,8 +360,11 @@
|
||||||
|
|
||||||
storage_raw_read_fixed_disk(xm_t)
|
storage_raw_read_fixed_disk(xm_t)
|
||||||
|
|
||||||
@ -16845,7 +16799,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
|
|||||||
init_rw_script_stream_sockets(xm_t)
|
init_rw_script_stream_sockets(xm_t)
|
||||||
init_use_fds(xm_t)
|
init_use_fds(xm_t)
|
||||||
|
|
||||||
@@ -363,6 +368,19 @@
|
@@ -363,6 +375,20 @@
|
||||||
|
|
||||||
sysnet_read_config(xm_t)
|
sysnet_read_config(xm_t)
|
||||||
|
|
||||||
@ -16864,6 +16818,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
|
|||||||
+tunable_policy(`xen_use_nfs',`
|
+tunable_policy(`xen_use_nfs',`
|
||||||
+ fs_manage_nfs_files(xend_t)
|
+ fs_manage_nfs_files(xend_t)
|
||||||
+ fs_read_nfs_symlinks(xend_t)
|
+ fs_read_nfs_symlinks(xend_t)
|
||||||
|
+ fstools_manage_nfs(xend_t)
|
||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.fc serefpolicy-3.1.0/policy/modules/users/guest.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.fc serefpolicy-3.1.0/policy/modules/users/guest.fc
|
||||||
--- nsaserefpolicy/policy/modules/users/guest.fc 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/users/guest.fc 1969-12-31 19:00:00.000000000 -0500
|
||||||
|
Loading…
Reference in New Issue
Block a user