- Add capability setting to dhcpc and gpm
parent
080ce6f2c8
commit
d6f79017f2
178
policy-F12.patch
178
policy-F12.patch
@ -11114,7 +11114,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.28/policy/modules/services/dbus.if
|
||||
--- nsaserefpolicy/policy/modules/services/dbus.if 2009-07-28 13:28:33.000000000 -0400
|
||||
+++ serefpolicy-3.6.28/policy/modules/services/dbus.if 2009-08-21 18:56:07.000000000 -0400
|
||||
+++ serefpolicy-3.6.28/policy/modules/services/dbus.if 2009-08-23 12:50:58.000000000 -0400
|
||||
@@ -42,8 +42,10 @@
|
||||
gen_require(`
|
||||
class dbus { send_msg acquire_svc };
|
||||
@ -11215,6 +11215,31 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
|
||||
')
|
||||
@@ -405,3 +421,24 @@
|
||||
|
||||
typeattribute $1 dbusd_unconfined;
|
||||
')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Create, read, write, and delete
|
||||
+## system dbus lib files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`dbus_manage_lib_files',`
|
||||
+ gen_require(`
|
||||
+ type system_dbus_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_var_lib($1)
|
||||
+ manage_files_pattern($1, system_dbus_var_lib_t, system_dbus_var_lib_t)
|
||||
+')
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.28/policy/modules/services/dbus.te
|
||||
--- nsaserefpolicy/policy/modules/services/dbus.te 2009-08-18 18:39:50.000000000 -0400
|
||||
+++ serefpolicy-3.6.28/policy/modules/services/dbus.te 2009-08-21 18:56:07.000000000 -0400
|
||||
@ -17533,7 +17558,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.28/policy/modules/services/ssh.if
|
||||
--- nsaserefpolicy/policy/modules/services/ssh.if 2009-07-23 14:11:04.000000000 -0400
|
||||
+++ serefpolicy-3.6.28/policy/modules/services/ssh.if 2009-08-21 18:56:07.000000000 -0400
|
||||
+++ serefpolicy-3.6.28/policy/modules/services/ssh.if 2009-08-23 12:58:23.000000000 -0400
|
||||
@@ -36,6 +36,7 @@
|
||||
gen_require(`
|
||||
attribute ssh_server;
|
||||
@ -17770,7 +17795,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@@ -603,3 +638,63 @@
|
||||
@@ -603,3 +638,83 @@
|
||||
|
||||
dontaudit $1 sshd_key_t:file { getattr read };
|
||||
')
|
||||
@ -17834,6 +17859,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ read_lnk_files_pattern($1, home_ssh_t, home_ssh_t)
|
||||
+ userdom_search_user_home_dirs($1)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Set the attributes of sshd key files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`ssh_setattr_key_files',`
|
||||
+ gen_require(`
|
||||
+ type sshd_key_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 sshd_key_t:file setattr;
|
||||
+ files_search_pids($1)
|
||||
+')
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.28/policy/modules/services/ssh.te
|
||||
--- nsaserefpolicy/policy/modules/services/ssh.te 2009-08-14 16:14:31.000000000 -0400
|
||||
+++ serefpolicy-3.6.28/policy/modules/services/ssh.te 2009-08-21 18:56:07.000000000 -0400
|
||||
@ -18030,7 +18075,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.28/policy/modules/services/sssd.if
|
||||
--- nsaserefpolicy/policy/modules/services/sssd.if 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.28/policy/modules/services/sssd.if 2009-08-21 18:56:07.000000000 -0400
|
||||
+++ serefpolicy-3.6.28/policy/modules/services/sssd.if 2009-08-23 12:49:30.000000000 -0400
|
||||
@@ -12,12 +12,32 @@
|
||||
#
|
||||
interface(`sssd_domtrans',`
|
||||
@ -21231,7 +21276,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.28/policy/modules/system/init.te
|
||||
--- nsaserefpolicy/policy/modules/system/init.te 2009-08-14 16:14:31.000000000 -0400
|
||||
+++ serefpolicy-3.6.28/policy/modules/system/init.te 2009-08-21 18:56:07.000000000 -0400
|
||||
+++ serefpolicy-3.6.28/policy/modules/system/init.te 2009-08-23 13:00:32.000000000 -0400
|
||||
@@ -17,6 +17,20 @@
|
||||
## </desc>
|
||||
gen_tunable(init_upstart, false)
|
||||
@ -21515,7 +21560,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
logging_send_syslog_msg(initrc_t)
|
||||
logging_manage_generic_logs(initrc_t)
|
||||
logging_read_all_logs(initrc_t)
|
||||
@@ -422,8 +478,6 @@
|
||||
@@ -374,13 +430,14 @@
|
||||
|
||||
miscfiles_read_localization(initrc_t)
|
||||
# slapd needs to read cert files from its initscript
|
||||
-miscfiles_read_certs(initrc_t)
|
||||
+miscfiles_manage_cert_files(initrc_t)
|
||||
|
||||
modutils_read_module_config(initrc_t)
|
||||
modutils_domtrans_insmod(initrc_t)
|
||||
|
||||
seutil_read_config(initrc_t)
|
||||
|
||||
+userdom_read_admin_home_files(initrc_t)
|
||||
userdom_read_user_home_content_files(initrc_t)
|
||||
# Allow access to the sysadm TTYs. Note that this will give access to the
|
||||
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
|
||||
@@ -422,8 +479,6 @@
|
||||
# init scripts touch this
|
||||
clock_dontaudit_write_adjtime(initrc_t)
|
||||
|
||||
@ -21524,7 +21585,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# for integrated run_init to read run_init_type.
|
||||
# happens during boot (/sbin/rc execs init scripts)
|
||||
seutil_read_default_contexts(initrc_t)
|
||||
@@ -450,11 +504,9 @@
|
||||
@@ -450,11 +505,9 @@
|
||||
|
||||
# Red Hat systems seem to have a stray
|
||||
# fd open from the initrd
|
||||
@ -21537,7 +21598,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# These seem to be from the initrd
|
||||
# during device initialization:
|
||||
dev_create_generic_dirs(initrc_t)
|
||||
@@ -464,6 +516,7 @@
|
||||
@@ -464,6 +517,7 @@
|
||||
storage_raw_read_fixed_disk(initrc_t)
|
||||
storage_raw_write_fixed_disk(initrc_t)
|
||||
|
||||
@ -21545,7 +21606,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
files_create_boot_flag(initrc_t)
|
||||
files_rw_boot_symlinks(initrc_t)
|
||||
# wants to read /.fonts directory
|
||||
@@ -492,11 +545,13 @@
|
||||
@@ -492,11 +546,13 @@
|
||||
optional_policy(`
|
||||
bind_manage_config_dirs(initrc_t)
|
||||
bind_write_config(initrc_t)
|
||||
@ -21559,7 +21620,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -515,6 +570,33 @@
|
||||
@@ -515,6 +571,33 @@
|
||||
')
|
||||
')
|
||||
|
||||
@ -21593,14 +21654,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
optional_policy(`
|
||||
amavis_search_lib(initrc_t)
|
||||
amavis_setattr_pid_files(initrc_t)
|
||||
@@ -569,8 +651,16 @@
|
||||
@@ -567,10 +650,19 @@
|
||||
dbus_connect_system_bus(initrc_t)
|
||||
dbus_system_bus_client(initrc_t)
|
||||
dbus_read_config(initrc_t)
|
||||
|
||||
optional_policy(`
|
||||
+ consolekit_dbus_chat(initrc_t)
|
||||
+ ')
|
||||
+ dbus_manage_lib_files(initrc_t)
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ consolekit_dbus_chat(initrc_t)
|
||||
+ ')
|
||||
|
||||
optional_policy(`
|
||||
networkmanager_dbus_chat(initrc_t)
|
||||
')
|
||||
+
|
||||
@ -21610,7 +21674,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -590,6 +680,10 @@
|
||||
@@ -590,6 +682,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -21621,7 +21685,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dev_read_usbfs(initrc_t)
|
||||
|
||||
# init scripts run /etc/hotplug/usb.rc
|
||||
@@ -646,20 +740,20 @@
|
||||
@@ -646,20 +742,20 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -21648,7 +21712,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
optional_policy(`
|
||||
ifdef(`distro_redhat',`
|
||||
@@ -668,6 +762,7 @@
|
||||
@@ -668,6 +764,7 @@
|
||||
|
||||
mysql_stream_connect(initrc_t)
|
||||
mysql_write_log(initrc_t)
|
||||
@ -21656,7 +21720,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -696,7 +791,6 @@
|
||||
@@ -696,7 +793,6 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -21664,7 +21728,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
fs_write_ramfs_sockets(initrc_t)
|
||||
fs_search_ramfs(initrc_t)
|
||||
|
||||
@@ -718,8 +812,6 @@
|
||||
@@ -718,8 +814,6 @@
|
||||
# bash tries ioctl for some reason
|
||||
files_dontaudit_ioctl_all_pids(initrc_t)
|
||||
|
||||
@ -21673,7 +21737,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -732,10 +824,12 @@
|
||||
@@ -732,13 +826,16 @@
|
||||
squid_manage_logs(initrc_t)
|
||||
')
|
||||
|
||||
@ -21686,7 +21750,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
optional_policy(`
|
||||
ssh_dontaudit_read_server_keys(initrc_t)
|
||||
@@ -754,6 +848,15 @@
|
||||
+ ssh_setattr_key_files(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -747,6 +844,7 @@
|
||||
|
||||
optional_policy(`
|
||||
udev_rw_db(initrc_t)
|
||||
+ udev_manage_pid_files(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -754,6 +852,15 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -21702,7 +21778,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
unconfined_domain(initrc_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
@@ -764,6 +867,13 @@
|
||||
@@ -764,6 +871,13 @@
|
||||
optional_policy(`
|
||||
mono_domtrans(initrc_t)
|
||||
')
|
||||
@ -21716,7 +21792,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -789,3 +899,31 @@
|
||||
@@ -789,3 +903,31 @@
|
||||
optional_policy(`
|
||||
zebra_read_config(initrc_t)
|
||||
')
|
||||
@ -24985,6 +25061,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
|
||||
/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.6.28/policy/modules/system/udev.if
|
||||
--- nsaserefpolicy/policy/modules/system/udev.if 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.28/policy/modules/system/udev.if 2009-08-23 12:54:42.000000000 -0400
|
||||
@@ -168,4 +168,25 @@
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 udev_tbl_t:file rw_file_perms;
|
||||
+ allow $1 udev_tbl_t:file unlink;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Create, read, write, and delete
|
||||
+## udev pid files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`udev_manage_pid_files',`
|
||||
+ gen_require(`
|
||||
+ type udev_var_run_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_var_lib($1)
|
||||
+ manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.28/policy/modules/system/udev.te
|
||||
--- nsaserefpolicy/policy/modules/system/udev.te 2009-08-14 16:14:31.000000000 -0400
|
||||
+++ serefpolicy-3.6.28/policy/modules/system/udev.te 2009-08-21 18:56:07.000000000 -0400
|
||||
@ -25872,7 +25977,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+HOME_DIR/\.gvfs(/.*)? <<none>>
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.28/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-07-28 13:28:33.000000000 -0400
|
||||
+++ serefpolicy-3.6.28/policy/modules/system/userdomain.if 2009-08-21 18:56:07.000000000 -0400
|
||||
+++ serefpolicy-3.6.28/policy/modules/system/userdomain.if 2009-08-23 13:00:14.000000000 -0400
|
||||
@@ -30,8 +30,9 @@
|
||||
')
|
||||
|
||||
@ -27238,7 +27343,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
kernel_search_proc($1)
|
||||
')
|
||||
|
||||
@@ -3027,3 +3207,540 @@
|
||||
@@ -3027,3 +3207,559 @@
|
||||
|
||||
allow $1 userdomain:dbus send_msg;
|
||||
')
|
||||
@ -27525,7 +27630,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute user home files.
|
||||
+## Read admin home files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`userdom_read_admin_home_files',`
|
||||
+ gen_require(`
|
||||
+ type admin_home_t;
|
||||
+ ')
|
||||
+
|
||||
+ read_files_pattern($1, admin_home_t, admin_home_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute admin home files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
|
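Review bot: The new `udev_manage_pid_files` interface in the udev.if part of the patch calls `files_search_var_lib($1)` even though it manages `udev_var_run_t` and its summary says "udev pid files"; the directory-search helper should match where the type lives, i.e. `files_search_pids($1)`, so callers get search on the pid directory rather than an unrelated grant on the var_lib directory. The new `ssh_setattr_key_files` in ssh.if has the mirror-image mismatch: it calls `files_search_pids($1)` for `sshd_key_t`, which presumably labels the host keys under /etc/ssh, so `files_search_etc($1)` looks like the intended helper (confirm against ssh.fc, which is not shown here). Separately, the init.te hunk widens `miscfiles_read_certs(initrc_t)` to `miscfiles_manage_cert_files(initrc_t)` but keeps the comment `# slapd needs to read cert files from its initscript`. That comment should name the init script that needs to create or modify certificates, since the commit title mentions only dhcpc and gpm.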