- Fix transition to nsplugin
parent
f0375d509e
commit
d86efe56b9
@ -79,13 +79,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rul
|
||||
$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.5.8/config/appconfig-mcs/default_contexts
|
||||
--- nsaserefpolicy/config/appconfig-mcs/default_contexts 2008-08-07 11:15:14.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/config/appconfig-mcs/default_contexts 2008-09-17 08:49:08.000000000 -0400
|
||||
@@ -1,15 +0,0 @@
|
||||
+++ serefpolicy-3.5.8/config/appconfig-mcs/default_contexts 2008-09-22 15:25:07.000000000 -0400
|
||||
@@ -1,15 +1,6 @@
|
||||
-system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0
|
||||
-system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
|
||||
-system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
|
||||
-system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
|
||||
-system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
|
||||
+system_r:crond_t:s0 system_r:system_crond_t:s0
|
||||
+system_r:local_login_t:s0 user_r:user_t:s0
|
||||
+system_r:remote_login_t:s0 user_r:user_t:s0
|
||||
+system_r:sshd_t:s0 user_r:user_t:s0
|
||||
system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
|
||||
-system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
|
||||
-
|
||||
-staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
|
||||
@ -96,6 +100,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
|
||||
-
|
||||
-user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
|
||||
-user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
|
||||
+system_r:xdm_t:s0 user_r:user_t:s0
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.5.8/config/appconfig-mcs/failsafe_context
|
||||
--- nsaserefpolicy/config/appconfig-mcs/failsafe_context 2008-08-07 11:15:14.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/config/appconfig-mcs/failsafe_context 2008-09-17 08:49:08.000000000 -0400
|
||||
@ -104,19 +109,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
|
||||
+system_r:unconfined_t:s0
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts serefpolicy-3.5.8/config/appconfig-mcs/guest_u_default_contexts
|
||||
--- nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.5.8/config/appconfig-mcs/guest_u_default_contexts 2008-09-17 08:49:08.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/config/appconfig-mcs/guest_u_default_contexts 2008-09-22 15:33:55.000000000 -0400
|
||||
@@ -0,0 +1,6 @@
|
||||
+system_r:local_login_t:s0 guest_r:guest_t:s0
|
||||
+system_r:remote_login_t:s0 guest_r:guest_t:s0
|
||||
+system_r:sshd_t:s0 guest_r:guest_t:s0
|
||||
+system_r:crond_t:s0 guest_r:guest_crond_t:s0
|
||||
+system_r:crond_t:s0 guest_r:guest_t:s0
|
||||
+system_r:initrc_su_t:s0 guest_r:guest_t:s0
|
||||
+guest_r:guest_t:s0 guest_r:guest_t:s0
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.5.8/config/appconfig-mcs/root_default_contexts
|
||||
--- nsaserefpolicy/config/appconfig-mcs/root_default_contexts 2008-08-07 11:15:14.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/config/appconfig-mcs/root_default_contexts 2008-09-17 08:49:08.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/config/appconfig-mcs/root_default_contexts 2008-09-22 15:36:05.000000000 -0400
|
||||
@@ -1,11 +1,7 @@
|
||||
system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
|
||||
-system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
|
||||
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
|
||||
system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
|
||||
|
||||
-staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
|
||||
@ -130,8 +136,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
|
||||
+system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.5.8/config/appconfig-mcs/staff_u_default_contexts
|
||||
--- nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts 2008-08-07 11:15:14.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/config/appconfig-mcs/staff_u_default_contexts 2008-09-17 08:49:08.000000000 -0400
|
||||
@@ -5,6 +5,8 @@
|
||||
+++ serefpolicy-3.5.8/config/appconfig-mcs/staff_u_default_contexts 2008-09-22 15:33:36.000000000 -0400
|
||||
@@ -1,10 +1,12 @@
|
||||
system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
|
||||
system_r:remote_login_t:s0 staff_r:staff_t:s0
|
||||
system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
|
||||
-system_r:crond_t:s0 staff_r:staff_crond_t:s0
|
||||
+system_r:crond_t:s0 staff_r:staff_t:s0
|
||||
system_r:xdm_t:s0 staff_r:staff_t:s0
|
||||
staff_r:staff_su_t:s0 staff_r:staff_t:s0
|
||||
staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
|
||||
@ -152,8 +163,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
|
||||
system_r:xdm_t:s0 unconfined_r:unconfined_t:s0
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.5.8/config/appconfig-mcs/user_u_default_contexts
|
||||
--- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts 2008-08-07 11:15:14.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/config/appconfig-mcs/user_u_default_contexts 2008-09-17 08:49:08.000000000 -0400
|
||||
@@ -5,4 +5,5 @@
|
||||
+++ serefpolicy-3.5.8/config/appconfig-mcs/user_u_default_contexts 2008-09-22 15:33:49.000000000 -0400
|
||||
@@ -1,8 +1,9 @@
|
||||
system_r:local_login_t:s0 user_r:user_t:s0
|
||||
system_r:remote_login_t:s0 user_r:user_t:s0
|
||||
system_r:sshd_t:s0 user_r:user_t:s0
|
||||
-system_r:crond_t:s0 user_r:user_crond_t:s0
|
||||
+system_r:crond_t:s0 user_r:user_t:s0
|
||||
system_r:xdm_t:s0 user_r:user_t:s0
|
||||
user_r:user_su_t:s0 user_r:user_t:s0
|
||||
user_r:user_sudo_t:s0 user_r:user_t:s0
|
||||
@ -168,23 +184,103 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
|
||||
+system_u:system_r:unconfined_t:s0
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.5.8/config/appconfig-mcs/xguest_u_default_contexts
|
||||
--- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.5.8/config/appconfig-mcs/xguest_u_default_contexts 2008-09-17 08:49:08.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/config/appconfig-mcs/xguest_u_default_contexts 2008-09-22 15:34:01.000000000 -0400
|
||||
@@ -0,0 +1,7 @@
|
||||
+system_r:local_login_t xguest_r:xguest_t:s0
|
||||
+system_r:remote_login_t xguest_r:xguest_t:s0
|
||||
+system_r:sshd_t xguest_r:xguest_t:s0
|
||||
+system_r:crond_t xguest_r:xguest_crond_t:s0
|
||||
+system_r:crond_t xguest_r:xguest_t:s0
|
||||
+system_r:xdm_t xguest_r:xguest_t:s0
|
||||
+system_r:initrc_su_t:s0 xguest_r:xguest_t:s0
|
||||
+xguest_r:xguest_t:s0 xguest_r:xguest_t:s0
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.5.8/config/appconfig-mls/default_contexts
|
||||
--- nsaserefpolicy/config/appconfig-mls/default_contexts 2008-08-07 11:15:14.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/config/appconfig-mls/default_contexts 2008-09-22 15:37:18.000000000 -0400
|
||||
@@ -1,15 +1,6 @@
|
||||
-system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0
|
||||
-system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
|
||||
-system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
|
||||
-system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
|
||||
+system_r:crond_t:s0 system_r:system_crond_t:s0
|
||||
+system_r:local_login_t:s0 user_r:user_t:s0
|
||||
+system_r:remote_login_t:s0 user_r:user_t:s0
|
||||
+system_r:sshd_t:s0 user_r:user_t:s0
|
||||
system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
|
||||
-system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
|
||||
-
|
||||
-staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
|
||||
-staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
|
||||
-
|
||||
-sysadm_r:sysadm_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
|
||||
-sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
|
||||
-
|
||||
-user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
|
||||
-user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
|
||||
+system_r:xdm_t:s0 user_r:user_t:s0
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts serefpolicy-3.5.8/config/appconfig-mls/guest_u_default_contexts
|
||||
--- nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.5.8/config/appconfig-mls/guest_u_default_contexts 2008-09-17 08:49:08.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/config/appconfig-mls/guest_u_default_contexts 2008-09-22 15:34:31.000000000 -0400
|
||||
@@ -0,0 +1,4 @@
|
||||
+system_r:local_login_t:s0 guest_r:guest_t:s0
|
||||
+system_r:remote_login_t:s0 guest_r:guest_t:s0
|
||||
+system_r:sshd_t:s0 guest_r:guest_t:s0
|
||||
+system_r:crond_t:s0 guest_r:guest_crond_t:s0
|
||||
+system_r:crond_t:s0 guest_r:guest_t:s0
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/root_default_contexts serefpolicy-3.5.8/config/appconfig-mls/root_default_contexts
|
||||
--- nsaserefpolicy/config/appconfig-mls/root_default_contexts 2008-08-07 11:15:14.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/config/appconfig-mls/root_default_contexts 2008-09-22 15:47:13.000000000 -0400
|
||||
@@ -1,11 +1,11 @@
|
||||
-system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
|
||||
-system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
|
||||
+system_r:crond_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
|
||||
+system_r:local_login_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
|
||||
|
||||
-staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
|
||||
-sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
|
||||
-user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
|
||||
+staff_r:staff_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
|
||||
+sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
|
||||
+user_r:user_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
|
||||
|
||||
#
|
||||
# Uncomment if you want to automatically login as sysadm_r
|
||||
#
|
||||
-#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
|
||||
+#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/staff_u_default_contexts serefpolicy-3.5.8/config/appconfig-mls/staff_u_default_contexts
|
||||
--- nsaserefpolicy/config/appconfig-mls/staff_u_default_contexts 2008-08-07 11:15:14.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/config/appconfig-mls/staff_u_default_contexts 2008-09-22 15:34:13.000000000 -0400
|
||||
@@ -1,7 +1,7 @@
|
||||
system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
|
||||
system_r:remote_login_t:s0 staff_r:staff_t:s0
|
||||
system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
|
||||
-system_r:crond_t:s0 staff_r:staff_crond_t:s0
|
||||
+system_r:crond_t:s0 staff_r:staff_t:s0
|
||||
system_r:xdm_t:s0 staff_r:staff_t:s0
|
||||
staff_r:staff_su_t:s0 staff_r:staff_t:s0
|
||||
staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/user_u_default_contexts serefpolicy-3.5.8/config/appconfig-mls/user_u_default_contexts
|
||||
--- nsaserefpolicy/config/appconfig-mls/user_u_default_contexts 2008-08-07 11:15:14.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/config/appconfig-mls/user_u_default_contexts 2008-09-22 15:34:21.000000000 -0400
|
||||
@@ -1,7 +1,7 @@
|
||||
system_r:local_login_t:s0 user_r:user_t:s0
|
||||
system_r:remote_login_t:s0 user_r:user_t:s0
|
||||
system_r:sshd_t:s0 user_r:user_t:s0
|
||||
-system_r:crond_t:s0 user_r:user_crond_t:s0
|
||||
+system_r:crond_t:s0 user_r:user_t:s0
|
||||
system_r:xdm_t:s0 user_r:user_t:s0
|
||||
user_r:user_su_t:s0 user_r:user_t:s0
|
||||
user_r:user_sudo_t:s0 user_r:user_t:s0
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/xguest_u_default_contexts serefpolicy-3.5.8/config/appconfig-mls/xguest_u_default_contexts
|
||||
--- nsaserefpolicy/config/appconfig-mls/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.5.8/config/appconfig-mls/xguest_u_default_contexts 2008-09-22 15:37:37.000000000 -0400
|
||||
@@ -0,0 +1,7 @@
|
||||
+system_r:local_login_t xguest_r:xguest_t:s0
|
||||
+system_r:remote_login_t xguest_r:xguest_t:s0
|
||||
+system_r:sshd_t xguest_r:xguest_t:s0
|
||||
+system_r:crond_t xguest_r:xguest_t:s0
|
||||
+system_r:xdm_t xguest_r:xguest_t:s0
|
||||
+system_r:initrc_su_t:s0 xguest_r:xguest_t:s0
|
||||
+xguest_r:xguest_t:s0 xguest_r:xguest_t:s0
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts serefpolicy-3.5.8/config/appconfig-standard/guest_u_default_contexts
|
||||
--- nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.5.8/config/appconfig-standard/guest_u_default_contexts 2008-09-17 08:49:08.000000000 -0400
|
||||
@ -209,6 +305,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
|
||||
#
|
||||
-#system_r:sshd_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
|
||||
+system_r:sshd_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/staff_u_default_contexts serefpolicy-3.5.8/config/appconfig-standard/staff_u_default_contexts
|
||||
--- nsaserefpolicy/config/appconfig-standard/staff_u_default_contexts 2008-08-07 11:15:14.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/config/appconfig-standard/staff_u_default_contexts 2008-09-22 15:34:45.000000000 -0400
|
||||
@@ -1,7 +1,7 @@
|
||||
system_r:local_login_t staff_r:staff_t sysadm_r:sysadm_t
|
||||
system_r:remote_login_t staff_r:staff_t
|
||||
system_r:sshd_t staff_r:staff_t sysadm_r:sysadm_t
|
||||
-system_r:crond_t staff_r:staff_crond_t
|
||||
+system_r:crond_t staff_r:staff_t
|
||||
system_r:xdm_t staff_r:staff_t
|
||||
staff_r:staff_su_t staff_r:staff_t
|
||||
staff_r:staff_sudo_t staff_r:staff_t
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/user_u_default_contexts serefpolicy-3.5.8/config/appconfig-standard/user_u_default_contexts
|
||||
--- nsaserefpolicy/config/appconfig-standard/user_u_default_contexts 2008-08-07 11:15:14.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/config/appconfig-standard/user_u_default_contexts 2008-09-22 15:34:52.000000000 -0400
|
||||
@@ -1,7 +1,7 @@
|
||||
system_r:local_login_t user_r:user_t
|
||||
system_r:remote_login_t user_r:user_t
|
||||
system_r:sshd_t user_r:user_t
|
||||
-system_r:crond_t user_r:user_crond_t
|
||||
+system_r:crond_t user_r:user_t
|
||||
system_r:xdm_t user_r:user_t
|
||||
user_r:user_su_t user_r:user_t
|
||||
user_r:user_sudo_t user_r:user_t
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts serefpolicy-3.5.8/config/appconfig-standard/xguest_u_default_contexts
|
||||
--- nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.5.8/config/appconfig-standard/xguest_u_default_contexts 2008-09-17 08:49:08.000000000 -0400
|
||||
@ -4279,8 +4399,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:nsplugin_home_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.5.8/policy/modules/apps/nsplugin.if
|
||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.5.8/policy/modules/apps/nsplugin.if 2008-09-21 07:27:44.000000000 -0400
|
||||
@@ -0,0 +1,493 @@
|
||||
+++ serefpolicy-3.5.8/policy/modules/apps/nsplugin.if 2008-09-22 15:35:16.000000000 -0400
|
||||
@@ -0,0 +1,293 @@
|
||||
+
|
||||
+## <summary>policy for nsplugin</summary>
|
||||
+
|
||||
@ -4363,247 +4483,45 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ type nsplugin_exec_t;
|
||||
+ type nsplugin_config_exec_t;
|
||||
+ type $1_tmpfs_t;
|
||||
+ type nsplugin_t;
|
||||
+ type nsplugin_config_t;
|
||||
+ ')
|
||||
+ type $1_nsplugin_t;
|
||||
+ domain_type($1_nsplugin_t)
|
||||
+ domain_entry_file($1_nsplugin_t, nsplugin_exec_t)
|
||||
+ role $3 types $1_nsplugin_t;
|
||||
+
|
||||
+ type $1_nsplugin_config_t;
|
||||
+ domain_type($1_nsplugin_config_t)
|
||||
+ domain_entry_file($1_nsplugin_config_t, nsplugin_config_exec_t)
|
||||
+ role $3 types $1_nsplugin_config_t;
|
||||
+ role $3 types nsplugin_t;
|
||||
+ role $3 types nsplugin_config_t;
|
||||
+
|
||||
+ role $3 types $1_nsplugin_t;
|
||||
+ role $3 types $1_nsplugin_config_t;
|
||||
+
|
||||
+ allow $1_nsplugin_t $2:process signull;
|
||||
+ allow nsplugin_t $2:process signull;
|
||||
+
|
||||
+ list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
|
||||
+ read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
|
||||
+ read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
|
||||
+ can_exec($2, nsplugin_rw_t)
|
||||
+
|
||||
+ allow $1_nsplugin_t $1_tmpfs_t:file { read getattr };
|
||||
+
|
||||
+ #Leaked File Descriptors
|
||||
+ dontaudit $1_nsplugin_t $2:tcp_socket rw_socket_perms;
|
||||
+ dontaudit $1_nsplugin_t $2:udp_socket rw_socket_perms;
|
||||
+ dontaudit $1_nsplugin_t $2:unix_stream_socket rw_socket_perms;
|
||||
+ dontaudit $1_nsplugin_t $2:unix_dgram_socket rw_socket_perms;
|
||||
+ dontaudit $1_nsplugin_config_t $2:tcp_socket rw_socket_perms;
|
||||
+ dontaudit $1_nsplugin_config_t $2:udp_socket rw_socket_perms;
|
||||
+ dontaudit $1_nsplugin_config_t $2:unix_stream_socket rw_socket_perms;
|
||||
+ dontaudit $1_nsplugin_config_t $2:unix_dgram_socket rw_socket_perms;
|
||||
+ allow $1_nsplugin_t $2:unix_stream_socket connectto;
|
||||
+ dontaudit $1_nsplugin_t $2:process ptrace;
|
||||
+ dontaudit nsplugin_t $2:tcp_socket rw_socket_perms;
|
||||
+ dontaudit nsplugin_t $2:udp_socket rw_socket_perms;
|
||||
+ dontaudit nsplugin_t $2:unix_stream_socket rw_socket_perms;
|
||||
+ dontaudit nsplugin_t $2:unix_dgram_socket rw_socket_perms;
|
||||
+ dontaudit nsplugin_config_t $2:tcp_socket rw_socket_perms;
|
||||
+ dontaudit nsplugin_config_t $2:udp_socket rw_socket_perms;
|
||||
+ dontaudit nsplugin_config_t $2:unix_stream_socket rw_socket_perms;
|
||||
+ dontaudit nsplugin_config_t $2:unix_dgram_socket rw_socket_perms;
|
||||
+ allow nsplugin_t $2:unix_stream_socket connectto;
|
||||
+ dontaudit nsplugin_t $2:process ptrace;
|
||||
+
|
||||
+ allow $2 $1_nsplugin_t:process { getattr ptrace signal_perms };
|
||||
+ allow $2 $1_nsplugin_t:unix_stream_socket connectto;
|
||||
+ allow $2 nsplugin_t:process { getattr ptrace signal_perms };
|
||||
+ allow $2 nsplugin_t:unix_stream_socket connectto;
|
||||
+
|
||||
+ # Connect to pulseaudit server
|
||||
+ stream_connect_pattern($1_nsplugin_t, user_home_t, user_home_t, $2)
|
||||
+ gnome_stream_connect($1_nsplugin_t, $2)
|
||||
+ stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2)
|
||||
+ gnome_stream_connect(nsplugin_t, $2)
|
||||
+
|
||||
+ userdom_use_user_terminals($1, $1_nsplugin_t)
|
||||
+ userdom_use_user_terminals($1, $1_nsplugin_config_t)
|
||||
+ allow nsplugin_t $1_tmpfs_t:file { read getattr };
|
||||
+
|
||||
+ xserver_common_app($1, $1_nsplugin_t)
|
||||
+ userdom_use_user_terminals($1, nsplugin_t)
|
||||
+ userdom_use_user_terminals($1, nsplugin_config_t)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# nsplugin local policy
|
||||
+#
|
||||
+dontaudit $1_nsplugin_t self:capability sys_tty_config;
|
||||
+allow $1_nsplugin_t self:fifo_file rw_file_perms;
|
||||
+allow $1_nsplugin_t self:process { ptrace getsched setsched signal_perms };
|
||||
+
|
||||
+allow $1_nsplugin_t self:sem create_sem_perms;
|
||||
+allow $1_nsplugin_t self:shm create_shm_perms;
|
||||
+allow $1_nsplugin_t self:msgq create_msgq_perms;
|
||||
+allow $1_nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
+
|
||||
+tunable_policy(`allow_nsplugin_execmem',`
|
||||
+ allow $1_nsplugin_t self:process { execstack execmem };
|
||||
+ allow $1_nsplugin_config_t self:process { execstack execmem };
|
||||
+')
|
||||
+
|
||||
+manage_dirs_pattern($1_nsplugin_t, nsplugin_home_t, nsplugin_home_t)
|
||||
+exec_files_pattern($1_nsplugin_t, nsplugin_home_t, nsplugin_home_t)
|
||||
+manage_files_pattern($1_nsplugin_t, nsplugin_home_t, nsplugin_home_t)
|
||||
+manage_lnk_files_pattern($1_nsplugin_t, nsplugin_home_t, nsplugin_home_t)
|
||||
+userdom_user_home_dir_filetrans(user, $1_nsplugin_t, nsplugin_home_t, {file dir})
|
||||
+unprivuser_dontaudit_write_home_content_files($1_nsplugin_t)
|
||||
+
|
||||
+corecmd_exec_bin($1_nsplugin_t)
|
||||
+corecmd_exec_shell($1_nsplugin_t)
|
||||
+
|
||||
+corenet_all_recvfrom_unlabeled($1_nsplugin_t)
|
||||
+corenet_all_recvfrom_netlabel($1_nsplugin_t)
|
||||
+corenet_tcp_connect_flash_port($1_nsplugin_t)
|
||||
+corenet_tcp_connect_pulseaudio_port($1_nsplugin_t)
|
||||
+corenet_tcp_connect_http_port($1_nsplugin_t)
|
||||
+corenet_tcp_sendrecv_generic_if($1_nsplugin_t)
|
||||
+corenet_tcp_sendrecv_all_nodes($1_nsplugin_t)
|
||||
+
|
||||
+domain_dontaudit_read_all_domains_state($1_nsplugin_t)
|
||||
+
|
||||
+dev_read_rand($1_nsplugin_t)
|
||||
+dev_read_sound($1_nsplugin_t)
|
||||
+dev_write_sound($1_nsplugin_t)
|
||||
+dev_read_video_dev($1_nsplugin_t)
|
||||
+dev_write_video_dev($1_nsplugin_t)
|
||||
+dev_getattr_dri_dev($1_nsplugin_t)
|
||||
+dev_rwx_zero($1_nsplugin_t)
|
||||
+
|
||||
+kernel_read_kernel_sysctls($1_nsplugin_t)
|
||||
+kernel_read_system_state($1_nsplugin_t)
|
||||
+
|
||||
+files_read_usr_files($1_nsplugin_t)
|
||||
+files_read_etc_files($1_nsplugin_t)
|
||||
+files_read_config_files($1_nsplugin_t)
|
||||
+
|
||||
+fs_list_inotifyfs($1_nsplugin_t)
|
||||
+fs_manage_tmpfs_files($1_nsplugin_t)
|
||||
+fs_getattr_tmpfs($1_nsplugin_t)
|
||||
+fs_getattr_xattr_fs($1_nsplugin_t)
|
||||
+
|
||||
+term_dontaudit_getattr_all_user_ptys($1_nsplugin_t)
|
||||
+term_dontaudit_getattr_all_user_ttys($1_nsplugin_t)
|
||||
+
|
||||
+auth_use_nsswitch($1_nsplugin_t)
|
||||
+
|
||||
+libs_use_ld_so($1_nsplugin_t)
|
||||
+libs_use_shared_libs($1_nsplugin_t)
|
||||
+libs_exec_ld_so($1_nsplugin_t)
|
||||
+
|
||||
+miscfiles_read_localization($1_nsplugin_t)
|
||||
+miscfiles_read_fonts($1_nsplugin_t)
|
||||
+
|
||||
+unprivuser_manage_tmp_dirs($1_nsplugin_t)
|
||||
+unprivuser_manage_tmp_files($1_nsplugin_t)
|
||||
+unprivuser_manage_tmp_sockets($1_nsplugin_t)
|
||||
+userdom_tmp_filetrans_user_tmp(user, $1_nsplugin_t, { file dir sock_file })
|
||||
+unprivuser_read_tmpfs_files($1_nsplugin_t)
|
||||
+unprivuser_rw_semaphores($1_nsplugin_t)
|
||||
+unprivuser_delete_tmpfs_files($1_nsplugin_t)
|
||||
+
|
||||
+unprivuser_read_home_content_symlinks($1_nsplugin_t)
|
||||
+unprivuser_read_home_content_files($1_nsplugin_t)
|
||||
+unprivuser_read_tmp_files($1_nsplugin_t)
|
||||
+userdom_write_user_tmp_sockets(user, $1_nsplugin_t)
|
||||
+unprivuser_dontaudit_append_home_content_files($1_nsplugin_t)
|
||||
+userdom_dontaudit_unlink_unpriv_home_content_files($1_nsplugin_t)
|
||||
+userdom_dontaudit_manage_user_tmp_files(user, $1_nsplugin_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ alsa_read_rw_config($1_nsplugin_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ gnome_exec_gconf($1_nsplugin_t)
|
||||
+ gnome_manage_user_gnome_config(user, $1_nsplugin_t)
|
||||
+ allow $1_nsplugin_t gnome_home_t:sock_file write;
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ mozilla_read_user_home_files(user, $1_nsplugin_t)
|
||||
+ mozilla_write_user_home_files(user, $1_nsplugin_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ mplayer_exec($1_nsplugin_t)
|
||||
+ mplayer_read_user_home_files(user, $1_nsplugin_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ unconfined_execmem_signull($1_nsplugin_t)
|
||||
+ unconfined_delete_tmpfs_files($1_nsplugin_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ xserver_stream_connect_xdm_xserver($1_nsplugin_t)
|
||||
+ xserver_xdm_rw_shm($1_nsplugin_t)
|
||||
+ xserver_read_xdm_tmp_files($1_nsplugin_t)
|
||||
+ xserver_read_xdm_pid($1_nsplugin_t)
|
||||
+ xserver_read_user_xauth(user, $1_nsplugin_t)
|
||||
+ xserver_read_user_iceauth(user, $1_nsplugin_t)
|
||||
+ xserver_use_user_fonts(user, $1_nsplugin_t)
|
||||
+ xserver_manage_home_fonts($1_nsplugin_t)
|
||||
+ xserver_dontaudit_rw_xdm_home_files($1_nsplugin_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# $1_nsplugin_config local policy
|
||||
+#
|
||||
+
|
||||
+allow $1_nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
|
||||
+allow $1_nsplugin_config_t self:process { setsched sigkill getsched execmem };
|
||||
+#execing pulseaudio
|
||||
+dontaudit $1_nsplugin_t self:process { getcap setcap };
|
||||
+
|
||||
+allow $1_nsplugin_config_t self:fifo_file rw_file_perms;
|
||||
+allow $1_nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+
|
||||
+fs_list_inotifyfs($1_nsplugin_config_t)
|
||||
+
|
||||
+can_exec($1_nsplugin_config_t, nsplugin_rw_t)
|
||||
+manage_dirs_pattern($1_nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
|
||||
+manage_files_pattern($1_nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
|
||||
+manage_lnk_files_pattern($1_nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
|
||||
+
|
||||
+manage_dirs_pattern($1_nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
|
||||
+manage_files_pattern($1_nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
|
||||
+manage_lnk_files_pattern($1_nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
|
||||
+
|
||||
+corecmd_exec_bin($1_nsplugin_config_t)
|
||||
+corecmd_exec_shell($1_nsplugin_config_t)
|
||||
+
|
||||
+kernel_read_system_state($1_nsplugin_config_t)
|
||||
+
|
||||
+files_read_etc_files($1_nsplugin_config_t)
|
||||
+files_read_usr_files($1_nsplugin_config_t)
|
||||
+files_dontaudit_search_home($1_nsplugin_config_t)
|
||||
+files_list_tmp($1_nsplugin_config_t)
|
||||
+
|
||||
+auth_use_nsswitch($1_nsplugin_config_t)
|
||||
+
|
||||
+libs_use_ld_so($1_nsplugin_config_t)
|
||||
+libs_use_shared_libs($1_nsplugin_config_t)
|
||||
+
|
||||
+miscfiles_read_localization($1_nsplugin_config_t)
|
||||
+miscfiles_read_fonts($1_nsplugin_config_t)
|
||||
+
|
||||
+userdom_search_all_users_home_content($1_nsplugin_config_t)
|
||||
+
|
||||
+tunable_policy(`use_nfs_home_dirs',`
|
||||
+ fs_manage_nfs_dirs($1_nsplugin_t)
|
||||
+ fs_manage_nfs_files($1_nsplugin_t)
|
||||
+ fs_manage_nfs_dirs($1_nsplugin_config_t)
|
||||
+ fs_manage_nfs_files($1_nsplugin_config_t)
|
||||
+')
|
||||
+
|
||||
+tunable_policy(`use_samba_home_dirs',`
|
||||
+ fs_manage_cifs_dirs($1_nsplugin_t)
|
||||
+ fs_manage_cifs_files($1_nsplugin_t)
|
||||
+ fs_manage_cifs_dirs($1_nsplugin_config_t)
|
||||
+ fs_manage_cifs_files($1_nsplugin_config_t)
|
||||
+')
|
||||
+
|
||||
+domtrans_pattern($1_nsplugin_config_t, nsplugin_exec_t, $1_nsplugin_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ xserver_read_home_fonts($1_nsplugin_config_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ mozilla_read_user_home_files(user, $1_nsplugin_config_t)
|
||||
+')
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ openoffice_plugin_per_role_template($1, $1_nsplugin_t)
|
||||
+ ')
|
||||
+ xserver_common_app($1, nsplugin_t)
|
||||
+')
|
||||
+
|
||||
+#######################################
|
||||
@ -4642,12 +4560,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ gen_require(`
|
||||
+ type nsplugin_exec_t;
|
||||
+ type nsplugin_config_exec_t;
|
||||
+ type nsplugin_t;
|
||||
+ type nsplugin_config_t;
|
||||
+ ')
|
||||
+
|
||||
+ nsplugin_per_role_template_notrans($1, $2, $3)
|
||||
+
|
||||
+ domtrans_pattern($2, nsplugin_exec_t, $1_nsplugin_t)
|
||||
+ domtrans_pattern($2, nsplugin_config_exec_t, $1_nsplugin_config_t)
|
||||
+ domtrans_pattern($2, nsplugin_exec_t, nsplugin_t)
|
||||
+ domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t)
|
||||
+')
|
||||
+
|
||||
+#######################################
|
||||
@ -4680,10 +4600,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+interface(`nsplugin_domtrans_user',`
|
||||
+ gen_require(`
|
||||
+ type nsplugin_exec_t;
|
||||
+ type $1_nsplugin_t;
|
||||
+ type nsplugin_t;
|
||||
+ ')
|
||||
+
|
||||
+ domtrans_pattern($2, nsplugin_exec_t, $1_nsplugin_t)
|
||||
+ domtrans_pattern($2, nsplugin_exec_t, nsplugin_t)
|
||||
+')
|
||||
+#######################################
|
||||
+## <summary>
|
||||
@ -4715,10 +4635,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+interface(`nsplugin_domtrans_user_config',`
|
||||
+ gen_require(`
|
||||
+ type nsplugin_config_exec_t;
|
||||
+ type $1_nsplugin_config_t;
|
||||
+ type nsplugin_config_t;
|
||||
+ ')
|
||||
+
|
||||
+ domtrans_pattern($2, nsplugin_config_exec_t, $1_nsplugin_config_t)
|
||||
+ domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
@ -4776,8 +4696,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.8/policy/modules/apps/nsplugin.te
|
||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.5.8/policy/modules/apps/nsplugin.te 2008-09-17 19:06:31.000000000 -0400
|
||||
@@ -0,0 +1,36 @@
|
||||
+++ serefpolicy-3.5.8/policy/modules/apps/nsplugin.te 2008-09-22 14:52:12.000000000 -0400
|
||||
@@ -0,0 +1,234 @@
|
||||
+
|
||||
+policy_module(nsplugin, 1.0.0)
|
||||
+
|
||||
@ -4810,10 +4730,208 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+userdom_user_home_content(user, nsplugin_home_t)
|
||||
+typealias nsplugin_home_t alias user_nsplugin_home_t;
|
||||
+
|
||||
+type nsplugin_t;
|
||||
+domain_type(nsplugin_t)
|
||||
+domain_entry_file(nsplugin_t, nsplugin_exec_t)
|
||||
+
|
||||
+type nsplugin_config_t;
|
||||
+domain_type(nsplugin_config_t)
|
||||
+domain_entry_file(nsplugin_config_t, nsplugin_config_exec_t)
|
||||
+
|
||||
+application_executable_file(nsplugin_exec_t)
|
||||
+application_executable_file(nsplugin_config_exec_t)
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# nsplugin local policy
|
||||
+#
|
||||
+dontaudit nsplugin_t self:capability sys_tty_config;
|
||||
+allow nsplugin_t self:fifo_file rw_file_perms;
|
||||
+allow nsplugin_t self:process { ptrace getsched setsched signal_perms };
|
||||
+
|
||||
+allow nsplugin_t self:sem create_sem_perms;
|
||||
+allow nsplugin_t self:shm create_shm_perms;
|
||||
+allow nsplugin_t self:msgq create_msgq_perms;
|
||||
+allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
+
|
||||
+tunable_policy(`allow_nsplugin_execmem',`
|
||||
+ allow nsplugin_t self:process { execstack execmem };
|
||||
+ allow nsplugin_config_t self:process { execstack execmem };
|
||||
+')
|
||||
+
|
||||
+manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
|
||||
+exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
|
||||
+manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
|
||||
+manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
|
||||
+userdom_user_home_dir_filetrans(user, nsplugin_t, nsplugin_home_t, {file dir})
|
||||
+unprivuser_dontaudit_write_home_content_files(nsplugin_t)
|
||||
+
|
||||
+corecmd_exec_bin(nsplugin_t)
|
||||
+corecmd_exec_shell(nsplugin_t)
|
||||
+
|
||||
+corenet_all_recvfrom_unlabeled(nsplugin_t)
|
||||
+corenet_all_recvfrom_netlabel(nsplugin_t)
|
||||
+corenet_tcp_connect_flash_port(nsplugin_t)
|
||||
+corenet_tcp_connect_pulseaudio_port(nsplugin_t)
|
||||
+corenet_tcp_connect_http_port(nsplugin_t)
|
||||
+corenet_tcp_sendrecv_generic_if(nsplugin_t)
|
||||
+corenet_tcp_sendrecv_all_nodes(nsplugin_t)
|
||||
+
|
||||
+domain_dontaudit_read_all_domains_state(nsplugin_t)
|
||||
+
|
||||
+dev_read_rand(nsplugin_t)
|
||||
+dev_read_sound(nsplugin_t)
|
||||
+dev_write_sound(nsplugin_t)
|
||||
+dev_read_video_dev(nsplugin_t)
|
||||
+dev_write_video_dev(nsplugin_t)
|
||||
+dev_getattr_dri_dev(nsplugin_t)
|
||||
+dev_rwx_zero(nsplugin_t)
|
||||
+
|
||||
+kernel_read_kernel_sysctls(nsplugin_t)
|
||||
+kernel_read_system_state(nsplugin_t)
|
||||
+
|
||||
+files_read_usr_files(nsplugin_t)
|
||||
+files_read_etc_files(nsplugin_t)
|
||||
+files_read_config_files(nsplugin_t)
|
||||
+
|
||||
+fs_list_inotifyfs(nsplugin_t)
|
||||
+fs_manage_tmpfs_files(nsplugin_t)
|
||||
+fs_getattr_tmpfs(nsplugin_t)
|
||||
+fs_getattr_xattr_fs(nsplugin_t)
|
||||
+
|
||||
+term_dontaudit_getattr_all_user_ptys(nsplugin_t)
|
||||
+term_dontaudit_getattr_all_user_ttys(nsplugin_t)
|
||||
+
|
||||
+auth_use_nsswitch(nsplugin_t)
|
||||
+
|
||||
+libs_use_ld_so(nsplugin_t)
|
||||
+libs_use_shared_libs(nsplugin_t)
|
||||
+libs_exec_ld_so(nsplugin_t)
|
||||
+
|
||||
+miscfiles_read_localization(nsplugin_t)
|
||||
+miscfiles_read_fonts(nsplugin_t)
|
||||
+
|
||||
+unprivuser_manage_tmp_dirs(nsplugin_t)
|
||||
+unprivuser_manage_tmp_files(nsplugin_t)
|
||||
+unprivuser_manage_tmp_sockets(nsplugin_t)
|
||||
+userdom_tmp_filetrans_user_tmp(user, nsplugin_t, { file dir sock_file })
|
||||
+unprivuser_read_tmpfs_files(nsplugin_t)
|
||||
+unprivuser_rw_semaphores(nsplugin_t)
|
||||
+unprivuser_delete_tmpfs_files(nsplugin_t)
|
||||
+
|
||||
+unprivuser_read_home_content_symlinks(nsplugin_t)
|
||||
+unprivuser_read_home_content_files(nsplugin_t)
|
||||
+unprivuser_read_tmp_files(nsplugin_t)
|
||||
+userdom_write_user_tmp_sockets(user, nsplugin_t)
|
||||
+unprivuser_dontaudit_append_home_content_files(nsplugin_t)
|
||||
+userdom_dontaudit_unlink_unpriv_home_content_files(nsplugin_t)
|
||||
+userdom_dontaudit_manage_user_tmp_files(user, nsplugin_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ alsa_read_rw_config(nsplugin_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ gnome_exec_gconf(nsplugin_t)
|
||||
+ gnome_manage_user_gnome_config(user, nsplugin_t)
|
||||
+ allow nsplugin_t gnome_home_t:sock_file write;
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ mozilla_read_user_home_files(user, nsplugin_t)
|
||||
+ mozilla_write_user_home_files(user, nsplugin_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ mplayer_exec(nsplugin_t)
|
||||
+ mplayer_read_user_home_files(user, nsplugin_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ unconfined_execmem_signull(nsplugin_t)
|
||||
+ unconfined_delete_tmpfs_files(nsplugin_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ xserver_stream_connect_xdm_xserver(nsplugin_t)
|
||||
+ xserver_xdm_rw_shm(nsplugin_t)
|
||||
+ xserver_read_xdm_tmp_files(nsplugin_t)
|
||||
+ xserver_read_xdm_pid(nsplugin_t)
|
||||
+ xserver_read_user_xauth(user, nsplugin_t)
|
||||
+ xserver_read_user_iceauth(user, nsplugin_t)
|
||||
+ xserver_use_user_fonts(user, nsplugin_t)
|
||||
+ xserver_manage_home_fonts(nsplugin_t)
|
||||
+ xserver_dontaudit_rw_xdm_home_files(nsplugin_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# nsplugin_config local policy
|
||||
+#
|
||||
+
|
||||
+allow nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
|
||||
+allow nsplugin_config_t self:process { setsched sigkill getsched execmem };
|
||||
+#execing pulseaudio
|
||||
+dontaudit nsplugin_t self:process { getcap setcap };
|
||||
+
|
||||
+allow nsplugin_config_t self:fifo_file rw_file_perms;
|
||||
+allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+
|
||||
+fs_list_inotifyfs(nsplugin_config_t)
|
||||
+
|
||||
+can_exec(nsplugin_config_t, nsplugin_rw_t)
|
||||
+manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
|
||||
+manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
|
||||
+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
|
||||
+
|
||||
+manage_dirs_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
|
||||
+manage_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
|
||||
+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
|
||||
+
|
||||
+corecmd_exec_bin(nsplugin_config_t)
|
||||
+corecmd_exec_shell(nsplugin_config_t)
|
||||
+
|
||||
+kernel_read_system_state(nsplugin_config_t)
|
||||
+
|
||||
+files_read_etc_files(nsplugin_config_t)
|
||||
+files_read_usr_files(nsplugin_config_t)
|
||||
+files_dontaudit_search_home(nsplugin_config_t)
|
||||
+files_list_tmp(nsplugin_config_t)
|
||||
+
|
||||
+auth_use_nsswitch(nsplugin_config_t)
|
||||
+
|
||||
+libs_use_ld_so(nsplugin_config_t)
|
||||
+libs_use_shared_libs(nsplugin_config_t)
|
||||
+
|
||||
+miscfiles_read_localization(nsplugin_config_t)
|
||||
+miscfiles_read_fonts(nsplugin_config_t)
|
||||
+
|
||||
+userdom_search_all_users_home_content(nsplugin_config_t)
|
||||
+
|
||||
+tunable_policy(`use_nfs_home_dirs',`
|
||||
+ fs_manage_nfs_dirs(nsplugin_t)
|
||||
+ fs_manage_nfs_files(nsplugin_t)
|
||||
+ fs_manage_nfs_dirs(nsplugin_config_t)
|
||||
+ fs_manage_nfs_files(nsplugin_config_t)
|
||||
+')
|
||||
+
|
||||
+tunable_policy(`use_samba_home_dirs',`
|
||||
+ fs_manage_cifs_dirs(nsplugin_t)
|
||||
+ fs_manage_cifs_files(nsplugin_t)
|
||||
+ fs_manage_cifs_dirs(nsplugin_config_t)
|
||||
+ fs_manage_cifs_files(nsplugin_config_t)
|
||||
+')
|
||||
+
|
||||
+domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ xserver_read_home_fonts(nsplugin_config_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ mozilla_read_user_home_files(user, nsplugin_config_t)
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.5.8/policy/modules/apps/openoffice.fc
|
||||
--- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.5.8/policy/modules/apps/openoffice.fc 2008-09-17 08:49:08.000000000 -0400
|
||||
@ -8292,7 +8410,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.5.8/policy/modules/kernel/storage.fc
|
||||
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2008-08-07 11:15:01.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/kernel/storage.fc 2008-09-22 12:22:40.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/kernel/storage.fc 2008-09-22 15:56:42.000000000 -0400
|
||||
@@ -27,6 +27,7 @@
|
||||
/dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/megadev.* -c gen_context(system_u:object_r:removable_device_t,s0)
|
||||
@ -8301,14 +8419,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
/dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
@@ -65,6 +66,7 @@
|
||||
|
||||
/dev/md/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
/dev/mapper/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
+/dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
|
||||
/dev/raw/raw[0-9]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.fc serefpolicy-3.5.8/policy/modules/roles/guest.fc
|
||||
--- nsaserefpolicy/policy/modules/roles/guest.fc 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.5.8/policy/modules/roles/guest.fc 2008-09-17 08:49:08.000000000 -0400
|
||||
@ -13976,7 +14086,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.5.8/policy/modules/services/cups.te
|
||||
--- nsaserefpolicy/policy/modules/services/cups.te 2008-09-03 07:59:15.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/services/cups.te 2008-09-17 08:49:08.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/services/cups.te 2008-09-22 14:18:53.000000000 -0400
|
||||
@@ -48,6 +48,10 @@
|
||||
type hplip_t;
|
||||
type hplip_exec_t;
|
||||
@ -14058,7 +14168,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow cupsd_t hplip_var_run_t:file { read getattr };
|
||||
|
||||
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
|
||||
@@ -149,44 +174,48 @@
|
||||
@@ -149,44 +174,49 @@
|
||||
corenet_tcp_bind_reserved_port(cupsd_t)
|
||||
corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
|
||||
corenet_tcp_connect_all_ports(cupsd_t)
|
||||
@ -14072,6 +14182,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dev_read_urand(cupsd_t)
|
||||
dev_read_sysfs(cupsd_t)
|
||||
-dev_read_usbfs(cupsd_t)
|
||||
+dev_rw_input_dev(cupsd_t) #447878
|
||||
+dev_rw_generic_usb_dev(cupsd_t)
|
||||
+dev_rw_usbfs(cupsd_t)
|
||||
dev_getattr_printer_dev(cupsd_t)
|
||||
@ -14112,7 +14223,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
files_list_world_readable(cupsd_t)
|
||||
files_read_world_readable_files(cupsd_t)
|
||||
files_read_world_readable_symlinks(cupsd_t)
|
||||
@@ -195,15 +224,16 @@
|
||||
@@ -195,15 +225,16 @@
|
||||
files_read_var_symlinks(cupsd_t)
|
||||
# for /etc/printcap
|
||||
files_dontaudit_write_etc_files(cupsd_t)
|
||||
@ -14133,7 +14244,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
auth_use_nsswitch(cupsd_t)
|
||||
|
||||
libs_use_ld_so(cupsd_t)
|
||||
@@ -219,17 +249,22 @@
|
||||
@@ -219,17 +250,22 @@
|
||||
miscfiles_read_fonts(cupsd_t)
|
||||
|
||||
seutil_read_config(cupsd_t)
|
||||
@ -14158,7 +14269,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -246,8 +281,16 @@
|
||||
@@ -246,8 +282,16 @@
|
||||
userdom_dbus_send_all_users(cupsd_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -14175,7 +14286,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -263,6 +306,10 @@
|
||||
@@ -263,6 +307,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -14186,7 +14297,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# cups execs smbtool which reads samba_etc_t files
|
||||
samba_read_config(cupsd_t)
|
||||
samba_rw_var_files(cupsd_t)
|
||||
@@ -281,7 +328,7 @@
|
||||
@@ -281,7 +329,7 @@
|
||||
# Cups configuration daemon local policy
|
||||
#
|
||||
|
||||
@ -14195,7 +14306,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dontaudit cupsd_config_t self:capability sys_tty_config;
|
||||
allow cupsd_config_t self:process signal_perms;
|
||||
allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
|
||||
@@ -326,6 +373,7 @@
|
||||
@@ -326,6 +374,7 @@
|
||||
dev_read_sysfs(cupsd_config_t)
|
||||
dev_read_urand(cupsd_config_t)
|
||||
dev_read_rand(cupsd_config_t)
|
||||
@ -14203,7 +14314,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
fs_getattr_all_fs(cupsd_config_t)
|
||||
fs_search_auto_mountpoints(cupsd_config_t)
|
||||
@@ -343,7 +391,7 @@
|
||||
@@ -343,7 +392,7 @@
|
||||
files_read_var_symlinks(cupsd_config_t)
|
||||
|
||||
# Alternatives asks for this
|
||||
@ -14212,7 +14323,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
auth_use_nsswitch(cupsd_config_t)
|
||||
|
||||
@@ -353,6 +401,7 @@
|
||||
@@ -353,6 +402,7 @@
|
||||
logging_send_syslog_msg(cupsd_config_t)
|
||||
|
||||
miscfiles_read_localization(cupsd_config_t)
|
||||
@ -14220,7 +14331,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
seutil_dontaudit_search_config(cupsd_config_t)
|
||||
|
||||
@@ -365,14 +414,16 @@
|
||||
@@ -365,14 +415,16 @@
|
||||
sysadm_dontaudit_search_home_dirs(cupsd_config_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
@ -14239,7 +14350,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
|
||||
')
|
||||
|
||||
@@ -388,6 +439,7 @@
|
||||
@@ -388,6 +440,7 @@
|
||||
optional_policy(`
|
||||
hal_domtrans(cupsd_config_t)
|
||||
hal_read_tmp_files(cupsd_config_t)
|
||||
@ -14247,7 +14358,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -500,7 +552,7 @@
|
||||
@@ -500,7 +553,7 @@
|
||||
allow hplip_t self:udp_socket create_socket_perms;
|
||||
allow hplip_t self:rawip_socket create_socket_perms;
|
||||
|
||||
@ -14256,7 +14367,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
cups_stream_connect(hplip_t)
|
||||
|
||||
@@ -509,6 +561,8 @@
|
||||
@@ -509,6 +562,8 @@
|
||||
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
|
||||
files_search_etc(hplip_t)
|
||||
|
||||
@ -14265,7 +14376,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
|
||||
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
|
||||
|
||||
@@ -538,7 +592,8 @@
|
||||
@@ -538,7 +593,8 @@
|
||||
dev_read_urand(hplip_t)
|
||||
dev_read_rand(hplip_t)
|
||||
dev_rw_generic_usb_dev(hplip_t)
|
||||
@ -14275,7 +14386,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
fs_getattr_all_fs(hplip_t)
|
||||
fs_search_auto_mountpoints(hplip_t)
|
||||
@@ -564,12 +619,14 @@
|
||||
@@ -564,12 +620,14 @@
|
||||
userdom_dontaudit_use_unpriv_user_fds(hplip_t)
|
||||
userdom_dontaudit_search_all_users_home_content(hplip_t)
|
||||
|
||||
@ -14291,7 +14402,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -651,3 +708,45 @@
|
||||
@@ -651,3 +709,45 @@
|
||||
optional_policy(`
|
||||
udev_read_db(ptal_t)
|
||||
')
|
||||
|
@ -17,7 +17,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.5.8
|
||||
Release: 5%{?dist}
|
||||
Release: 6%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -381,6 +381,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Sep 22 2008 Dan Walsh <dwalsh@redhat.com> 3.5.8-6
|
||||
- Fix transition to nsplugin
|
||||
|
||||
* Mon Sep 22 2008 Dan Walsh <dwalsh@redhat.com> 3.5.8-5
|
||||
- Add file context for /dev/mspblk.*
|
||||
|
||||
|