- Update to upstream
- Fix crontab use by unconfined user
This commit is contained in:
parent
cd8bee594b
commit
d7927ab643
@ -20593,7 +20593,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## </summary>
|
## </summary>
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.5.5/policy/modules/services/postfix.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.5.5/policy/modules/services/postfix.te
|
||||||
--- nsaserefpolicy/policy/modules/services/postfix.te 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/postfix.te 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.5/policy/modules/services/postfix.te 2008-08-26 13:30:44.000000000 -0400
|
+++ serefpolicy-3.5.5/policy/modules/services/postfix.te 2008-08-29 15:43:57.000000000 -0400
|
||||||
@@ -6,6 +6,14 @@
|
@@ -6,6 +6,14 @@
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
@ -20681,7 +20681,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# allow access to deferred queue and allow removing bogus incoming entries
|
# allow access to deferred queue and allow removing bogus incoming entries
|
||||||
manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
|
manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
|
||||||
manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
|
manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
|
||||||
@@ -181,12 +195,17 @@
|
@@ -142,6 +156,7 @@
|
||||||
|
|
||||||
|
delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
|
||||||
|
rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
|
||||||
|
+setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
|
||||||
|
|
||||||
|
kernel_read_all_sysctls(postfix_master_t)
|
||||||
|
|
||||||
|
@@ -181,12 +196,17 @@
|
||||||
|
|
||||||
mta_rw_aliases(postfix_master_t)
|
mta_rw_aliases(postfix_master_t)
|
||||||
mta_read_sendmail_bin(postfix_master_t)
|
mta_read_sendmail_bin(postfix_master_t)
|
||||||
@ -20699,7 +20707,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# for postalias
|
# for postalias
|
||||||
mailman_manage_data_files(postfix_master_t)
|
mailman_manage_data_files(postfix_master_t)
|
||||||
')
|
')
|
||||||
@@ -255,6 +274,10 @@
|
@@ -255,6 +275,10 @@
|
||||||
|
|
||||||
corecmd_exec_bin(postfix_cleanup_t)
|
corecmd_exec_bin(postfix_cleanup_t)
|
||||||
|
|
||||||
@ -20710,7 +20718,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Postfix local local policy
|
# Postfix local local policy
|
||||||
@@ -280,18 +303,25 @@
|
@@ -280,18 +304,25 @@
|
||||||
|
|
||||||
files_read_etc_files(postfix_local_t)
|
files_read_etc_files(postfix_local_t)
|
||||||
|
|
||||||
@ -20736,7 +20744,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -302,8 +332,7 @@
|
@@ -302,8 +333,7 @@
|
||||||
#
|
#
|
||||||
# Postfix map local policy
|
# Postfix map local policy
|
||||||
#
|
#
|
||||||
@ -20746,7 +20754,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
|
allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
allow postfix_map_t self:unix_dgram_socket create_socket_perms;
|
allow postfix_map_t self:unix_dgram_socket create_socket_perms;
|
||||||
allow postfix_map_t self:tcp_socket create_stream_socket_perms;
|
allow postfix_map_t self:tcp_socket create_stream_socket_perms;
|
||||||
@@ -353,8 +382,6 @@
|
@@ -353,8 +383,6 @@
|
||||||
|
|
||||||
miscfiles_read_localization(postfix_map_t)
|
miscfiles_read_localization(postfix_map_t)
|
||||||
|
|
||||||
@ -20755,7 +20763,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
tunable_policy(`read_default_t',`
|
tunable_policy(`read_default_t',`
|
||||||
files_list_default(postfix_map_t)
|
files_list_default(postfix_map_t)
|
||||||
files_read_default_files(postfix_map_t)
|
files_read_default_files(postfix_map_t)
|
||||||
@@ -367,6 +394,11 @@
|
@@ -367,6 +395,11 @@
|
||||||
locallogin_dontaudit_use_fds(postfix_map_t)
|
locallogin_dontaudit_use_fds(postfix_map_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -20767,7 +20775,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Postfix pickup local policy
|
# Postfix pickup local policy
|
||||||
@@ -391,6 +423,7 @@
|
@@ -391,6 +424,7 @@
|
||||||
#
|
#
|
||||||
|
|
||||||
allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
|
allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
|
||||||
@ -20775,7 +20783,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
|
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
|
||||||
|
|
||||||
@@ -398,6 +431,12 @@
|
@@ -398,6 +432,12 @@
|
||||||
|
|
||||||
rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
|
rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
|
||||||
|
|
||||||
@ -20788,7 +20796,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
procmail_domtrans(postfix_pipe_t)
|
procmail_domtrans(postfix_pipe_t)
|
||||||
')
|
')
|
||||||
@@ -407,6 +446,14 @@
|
@@ -407,6 +447,14 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -20803,7 +20811,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
uucp_domtrans_uux(postfix_pipe_t)
|
uucp_domtrans_uux(postfix_pipe_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -443,8 +490,7 @@
|
@@ -443,8 +491,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -20813,7 +20821,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@@ -470,6 +516,15 @@
|
@@ -470,6 +517,15 @@
|
||||||
init_sigchld_script(postfix_postqueue_t)
|
init_sigchld_script(postfix_postqueue_t)
|
||||||
init_use_script_fds(postfix_postqueue_t)
|
init_use_script_fds(postfix_postqueue_t)
|
||||||
|
|
||||||
@ -20829,7 +20837,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Postfix qmgr local policy
|
# Postfix qmgr local policy
|
||||||
@@ -564,6 +619,10 @@
|
@@ -564,6 +620,10 @@
|
||||||
sasl_connect(postfix_smtpd_t)
|
sasl_connect(postfix_smtpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -20840,7 +20848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Postfix virtual local policy
|
# Postfix virtual local policy
|
||||||
@@ -579,7 +638,7 @@
|
@@ -579,7 +639,7 @@
|
||||||
files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir })
|
files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir })
|
||||||
|
|
||||||
# connect to master process
|
# connect to master process
|
||||||
@ -29787,6 +29795,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ xserver_rw_xdm_home_files(daemon)
|
+ xserver_rw_xdm_home_files(daemon)
|
||||||
+')
|
+')
|
||||||
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.5.5/policy/modules/system/iscsi.te
|
||||||
|
--- nsaserefpolicy/policy/modules/system/iscsi.te 2008-08-11 11:23:34.000000000 -0400
|
||||||
|
+++ serefpolicy-3.5.5/policy/modules/system/iscsi.te 2008-08-29 15:34:11.000000000 -0400
|
||||||
|
@@ -28,7 +28,7 @@
|
||||||
|
# iscsid local policy
|
||||||
|
#
|
||||||
|
|
||||||
|
-allow iscsid_t self:capability { dac_override ipc_lock net_admin sys_nice sys_resource };
|
||||||
|
+allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_nice sys_resource };
|
||||||
|
allow iscsid_t self:process { setrlimit setsched signal };
|
||||||
|
allow iscsid_t self:fifo_file { read write };
|
||||||
|
allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.5/policy/modules/system/libraries.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.5/policy/modules/system/libraries.fc
|
||||||
--- nsaserefpolicy/policy/modules/system/libraries.fc 2008-08-13 15:24:56.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/libraries.fc 2008-08-13 15:24:56.000000000 -0400
|
||||||
+++ serefpolicy-3.5.5/policy/modules/system/libraries.fc 2008-08-25 13:04:38.000000000 -0400
|
+++ serefpolicy-3.5.5/policy/modules/system/libraries.fc 2008-08-25 13:04:38.000000000 -0400
|
||||||
|
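Review bot: The widened capability line `allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_nice sys_resource };` near the end of the hunk adds `net_raw` without recording which iscsid operation was denied, and the commit message does not mention iscsi at all; a comment above it such as `# net_raw: needed for <operation from the AVC denial - fill in>` would let a later reviewer re-check the grant when the daemon changes. The same gap applies to the added `xserver_rw_xdm_home_files(daemon)` block earlier in the hunk: if `daemon` is the attribute shared by all daemon domains, this grants read/write on xdm home files to every daemon rather than to the one that needed it, so either name the requesting domain or add a comment stating why the attribute-wide grant is intended. The module file that the `optional_policy` block belongs to is not identified within this hunk, and the libraries.fc lines at the end are header context only.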