- Allow login programs to set ioctl on /proc
This commit is contained in:
parent
c0aebeb268
commit
d770c53fe9
@ -3112,8 +3112,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
|
|||||||
|
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.8/policy/modules/kernel/kernel.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.8/policy/modules/kernel/kernel.if
|
||||||
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-08-22 07:14:06.000000000 -0400
|
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-08-22 07:14:06.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if 2007-09-17 16:20:18.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if 2007-09-25 11:01:00.000000000 -0400
|
||||||
@@ -1867,6 +1867,27 @@
|
@@ -352,6 +352,24 @@
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
+## dontaudit search the kernel key ring.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`kernel_dontaudit_search_key',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type kernel_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ dontaudit $1 kernel_t:key search;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
## Allow link to the kernel key ring.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
@@ -1867,6 +1885,27 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -6440,7 +6465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
|
|||||||
+/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
+/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.0.8/policy/modules/services/kerberos.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.0.8/policy/modules/services/kerberos.if
|
||||||
--- nsaserefpolicy/policy/modules/services/kerberos.if 2007-07-03 07:06:27.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/kerberos.if 2007-07-03 07:06:27.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/services/kerberos.if 2007-09-25 10:30:36.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/services/kerberos.if 2007-09-25 11:00:13.000000000 -0400
|
||||||
@@ -42,6 +42,10 @@
|
@@ -42,6 +42,10 @@
|
||||||
dontaudit $1 krb5_conf_t:file write;
|
dontaudit $1 krb5_conf_t:file write;
|
||||||
dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
|
dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
|
||||||
@ -6452,7 +6477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
|
|||||||
|
|
||||||
tunable_policy(`allow_kerberos',`
|
tunable_policy(`allow_kerberos',`
|
||||||
allow $1 self:tcp_socket create_socket_perms;
|
allow $1 self:tcp_socket create_socket_perms;
|
||||||
@@ -172,3 +176,26 @@
|
@@ -172,3 +176,47 @@
|
||||||
allow $1 krb5kdc_conf_t:file read_file_perms;
|
allow $1 krb5kdc_conf_t:file read_file_perms;
|
||||||
|
|
||||||
')
|
')
|
||||||
@ -6479,6 +6504,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
|
|||||||
+ seutil_read_file_contexts($1)
|
+ seutil_read_file_contexts($1)
|
||||||
+ allow $1 krb5_host_rcache_t:file manage_file_perms;
|
+ allow $1 krb5_host_rcache_t:file manage_file_perms;
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Connect to krb524 service
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`kerberos_524_connect',`
|
||||||
|
+ tunable_policy(`allow_kerberos',`
|
||||||
|
+ allow $1 self:udp_socket create_socket_perms;
|
||||||
|
+ corenet_non_ipsec_sendrecv($1)
|
||||||
|
+ corenet_udp_sendrecv_all_if($1)
|
||||||
|
+ corenet_udp_sendrecv_all_nodes($1)
|
||||||
|
+ corenet_udp_sendrecv_kerberos_master_port($1)
|
||||||
|
+ corenet_udp_bind_all_nodes($1)
|
||||||
|
+ ')
|
||||||
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.0.8/policy/modules/services/kerberos.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.0.8/policy/modules/services/kerberos.te
|
||||||
--- nsaserefpolicy/policy/modules/services/kerberos.te 2007-07-25 10:37:42.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/kerberos.te 2007-07-25 10:37:42.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/services/kerberos.te 2007-09-17 16:20:18.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/services/kerberos.te 2007-09-17 16:20:18.000000000 -0400
|
||||||
@ -10456,7 +10502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
|
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
|
||||||
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-08-22 07:14:13.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-08-22 07:14:13.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-09-25 10:32:38.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-09-25 10:59:20.000000000 -0400
|
||||||
@@ -26,7 +26,8 @@
|
@@ -26,7 +26,8 @@
|
||||||
type $1_chkpwd_t, can_read_shadow_passwords;
|
type $1_chkpwd_t, can_read_shadow_passwords;
|
||||||
application_domain($1_chkpwd_t,chkpwd_exec_t)
|
application_domain($1_chkpwd_t,chkpwd_exec_t)
|
||||||
@ -13900,7 +13946,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
|
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
|
||||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400
|
||||||
+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-21 19:20:56.000000000 -0400
|
+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-25 10:59:50.000000000 -0400
|
||||||
@@ -29,8 +29,9 @@
|
@@ -29,8 +29,9 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -14494,7 +14540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
samba_stream_connect_winbind($1_t)
|
samba_stream_connect_winbind($1_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -954,21 +882,164 @@
|
@@ -954,21 +882,165 @@
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -14617,6 +14663,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
+
|
+
|
||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
+ kerberos_use($1_usertype)
|
+ kerberos_use($1_usertype)
|
||||||
|
+ kerberos_524_connect($1_usertype)
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
@ -14665,7 +14712,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
domain_interactive_fd($1_t)
|
domain_interactive_fd($1_t)
|
||||||
|
|
||||||
typeattribute $1_devpts_t user_ptynode;
|
typeattribute $1_devpts_t user_ptynode;
|
||||||
@@ -977,23 +1048,51 @@
|
@@ -977,23 +1049,51 @@
|
||||||
typeattribute $1_tmp_t user_tmpfile;
|
typeattribute $1_tmp_t user_tmpfile;
|
||||||
typeattribute $1_tty_device_t user_ttynode;
|
typeattribute $1_tty_device_t user_ttynode;
|
||||||
|
|
||||||
@ -14728,7 +14775,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
|
|
||||||
# port access is audited even if dac would not have allowed it, so dontaudit it here
|
# port access is audited even if dac would not have allowed it, so dontaudit it here
|
||||||
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
|
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
|
||||||
@@ -1029,15 +1128,7 @@
|
@@ -1029,15 +1129,7 @@
|
||||||
# and may change other protocols
|
# and may change other protocols
|
||||||
tunable_policy(`user_tcp_server',`
|
tunable_policy(`user_tcp_server',`
|
||||||
corenet_tcp_bind_all_nodes($1_t)
|
corenet_tcp_bind_all_nodes($1_t)
|
||||||
@ -14745,7 +14792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -1054,17 +1145,6 @@
|
@@ -1054,17 +1146,6 @@
|
||||||
setroubleshoot_stream_connect($1_t)
|
setroubleshoot_stream_connect($1_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -14763,7 +14810,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@@ -1102,6 +1182,8 @@
|
@@ -1102,6 +1183,8 @@
|
||||||
class passwd { passwd chfn chsh rootok crontab };
|
class passwd { passwd chfn chsh rootok crontab };
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -14772,7 +14819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
##############################
|
##############################
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
@@ -1127,7 +1209,7 @@
|
@@ -1127,7 +1210,7 @@
|
||||||
# $1_t local policy
|
# $1_t local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -14781,7 +14828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
allow $1_t self:process { setexec setfscreate };
|
allow $1_t self:process { setexec setfscreate };
|
||||||
|
|
||||||
# Set password information for other users.
|
# Set password information for other users.
|
||||||
@@ -1139,7 +1221,11 @@
|
@@ -1139,7 +1222,11 @@
|
||||||
# Manipulate other users crontab.
|
# Manipulate other users crontab.
|
||||||
allow $1_t self:passwd crontab;
|
allow $1_t self:passwd crontab;
|
||||||
|
|
||||||
@ -14794,7 +14841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
|
|
||||||
kernel_read_software_raid_state($1_t)
|
kernel_read_software_raid_state($1_t)
|
||||||
kernel_getattr_core_if($1_t)
|
kernel_getattr_core_if($1_t)
|
||||||
@@ -1642,9 +1728,11 @@
|
@@ -1642,9 +1729,11 @@
|
||||||
template(`userdom_user_home_content',`
|
template(`userdom_user_home_content',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute $1_file_type;
|
attribute $1_file_type;
|
||||||
@ -14806,7 +14853,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
files_type($2)
|
files_type($2)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -1894,10 +1982,46 @@
|
@@ -1894,10 +1983,46 @@
|
||||||
template(`userdom_manage_user_home_content_dirs',`
|
template(`userdom_manage_user_home_content_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type $1_home_dir_t, $1_home_t;
|
type $1_home_dir_t, $1_home_t;
|
||||||
@ -14854,7 +14901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -3078,7 +3202,7 @@
|
@@ -3078,7 +3203,7 @@
|
||||||
#
|
#
|
||||||
template(`userdom_tmp_filetrans_user_tmp',`
|
template(`userdom_tmp_filetrans_user_tmp',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -14863,7 +14910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
files_tmp_filetrans($2,$1_tmp_t,$3)
|
files_tmp_filetrans($2,$1_tmp_t,$3)
|
||||||
@@ -4615,6 +4739,24 @@
|
@@ -4615,6 +4740,24 @@
|
||||||
files_list_home($1)
|
files_list_home($1)
|
||||||
allow $1 home_dir_type:dir search_dir_perms;
|
allow $1 home_dir_type:dir search_dir_perms;
|
||||||
')
|
')
|
||||||
@ -14888,7 +14935,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -4633,6 +4775,14 @@
|
@@ -4633,6 +4776,14 @@
|
||||||
|
|
||||||
files_list_home($1)
|
files_list_home($1)
|
||||||
allow $1 home_dir_type:dir list_dir_perms;
|
allow $1 home_dir_type:dir list_dir_perms;
|
||||||
@ -14903,7 +14950,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -5323,7 +5473,7 @@
|
@@ -5323,7 +5474,7 @@
|
||||||
attribute user_tmpfile;
|
attribute user_tmpfile;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -14912,7 +14959,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -5559,3 +5709,376 @@
|
@@ -5559,3 +5710,376 @@
|
||||||
interface(`userdom_unconfined',`
|
interface(`userdom_unconfined',`
|
||||||
refpolicywarn(`$0($*) has been deprecated.')
|
refpolicywarn(`$0($*) has been deprecated.')
|
||||||
')
|
')
|
||||||
|
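Review bot: The `<summary>` of the new `kerberos_524_connect` interface in the kerberos.if hunk ("Connect to krb524 service") understates what the interface grants: under the `allow_kerberos` tunable it also allows UDP socket creation, `corenet_udp_sendrecv_all_if`, `corenet_udp_sendrecv_all_nodes` and `corenet_udp_bind_all_nodes`, not only traffic on the kerberos master port. I would rewrite the summary as `## Send and receive UDP datagrams to the krb524 service (kerberos master port); gated by the allow_kerberos tunable.` so a policy author calling it from a user template knows the bind-all-nodes grant comes with it. In the kernel.if hunk, the summary `## dontaudit search the kernel key ring.` reads as an instruction rather than a description; refpolicy interfaces of this kind appear to use the form `## Do not audit attempts to search the kernel key ring.`, which I would use here for consistency with the neighbouring interface summaries. The changelog entry in the spec names only the /proc ioctl change, so the two new interfaces (`kernel_dontaudit_search_key`, `kerberos_524_connect`) and the `kerberos_524_connect($1_usertype)` call added to userdomain.if go unrecorded in the package history; the hunk that actually carries the /proc ioctl change is not visible in this view.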
@ -17,7 +17,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.0.8
|
Version: 3.0.8
|
||||||
Release: 12%{?dist}
|
Release: 13%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -365,6 +365,9 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Sep 24 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-13
|
||||||
|
- Allow login programs to set ioctl on /proc
|
||||||
|
|
||||||
* Mon Sep 24 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-12
|
* Mon Sep 24 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-12
|
||||||
- Allow nsswitch apps to read samba_var_t
|
- Allow nsswitch apps to read samba_var_t
|
||||||
|
|
||||||
|