- Fixes for podsleuth
This commit is contained in:
parent
dc00fc32b6
commit
d982e7e091
@ -8,7 +8,7 @@ allow_execmod = false
|
||||
|
||||
# Allow making the stack executable via mprotect.Also requires allow_execmem.
|
||||
#
|
||||
allow_execstack = true
|
||||
allow_execstack = false
|
||||
|
||||
# Allow ftpd to read cifs directories.
|
||||
#
|
||||
@ -56,7 +56,7 @@ allow_ypbind = false
|
||||
|
||||
# Allow zebra to write it own configuration files
|
||||
#
|
||||
allow_zebra_write_config = true
|
||||
allow_zebra_write_config = false
|
||||
|
||||
# Enable extra rules in the cron domainto support fcron.
|
||||
#
|
||||
@ -96,7 +96,7 @@ httpd_enable_ftp_server = false
|
||||
|
||||
# Allow httpd to read home directories
|
||||
#
|
||||
httpd_enable_homedirs = true
|
||||
httpd_enable_homedirs = false
|
||||
|
||||
# Run SSI execs in system CGI script domain.
|
||||
#
|
||||
@ -104,11 +104,11 @@ httpd_ssi_exec = false
|
||||
|
||||
# Allow http daemon to communicate with the TTY
|
||||
#
|
||||
httpd_tty_comm = true
|
||||
httpd_tty_comm = false
|
||||
|
||||
# Run CGI in the main httpd domain
|
||||
#
|
||||
httpd_unified = true
|
||||
httpd_unified = false
|
||||
|
||||
# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
|
||||
#
|
||||
@ -128,7 +128,7 @@ pppd_can_insmod = false
|
||||
|
||||
# Allow reading of default_t files.
|
||||
#
|
||||
read_default_t = true
|
||||
read_default_t = false
|
||||
|
||||
# Allow samba to export user home directories.
|
||||
#
|
||||
@ -148,7 +148,7 @@ use_samba_home_dirs = false
|
||||
|
||||
# Control users use of ping and traceroute
|
||||
#
|
||||
user_ping = true
|
||||
user_ping = false
|
||||
|
||||
# allow host key based authentication
|
||||
#
|
||||
@ -164,7 +164,7 @@ read_untrusted_content = false
|
||||
|
||||
# Allow spamd to write to users homedirs
|
||||
#
|
||||
spamd_enable_home_dirs = true
|
||||
spamd_enable_home_dirs = false
|
||||
|
||||
# Allow regular users direct mouse access
|
||||
#
|
||||
@ -192,7 +192,7 @@ write_untrusted_content = false
|
||||
|
||||
# Allow all domains to talk to ttys
|
||||
#
|
||||
allow_daemons_use_tty = true
|
||||
allow_daemons_use_tty = false
|
||||
|
||||
# Allow login domains to polyinstatiate directories
|
||||
#
|
||||
@ -208,11 +208,11 @@ samba_domain_controller = false
|
||||
|
||||
# Allow samba to export user home directories.
|
||||
#
|
||||
samba_run_unconfined = true
|
||||
samba_run_unconfined = false
|
||||
|
||||
# Allows XServer to execute writable memory
|
||||
#
|
||||
allow_xserver_execmem = true
|
||||
allow_xserver_execmem = false
|
||||
|
||||
# disallow guest accounts to execute files that they can create
|
||||
#
|
||||
@ -225,7 +225,7 @@ browser_confine_xguest=false
|
||||
|
||||
# Allow postfix locat to write to mail spool
|
||||
#
|
||||
allow_postfix_local_write_mail_spool=true
|
||||
allow_postfix_local_write_mail_spool=false
|
||||
|
||||
# Allow common users to read/write noexattrfile systems
|
||||
#
|
||||
|
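Review bot: Every boolean flipped in this section (allow_execstack, allow_zebra_write_config, httpd_enable_homedirs, httpd_tty_comm, httpd_unified, read_default_t, user_ping, spamd_enable_home_dirs, allow_daemons_use_tty, samba_run_unconfined, allow_xserver_execmem, allow_postfix_local_write_mail_spool) is a security-relevant default, yet the only changelog entry for this release is "Fixes for podsleuth" and the rendered page does not show which value of each true/false pair is the new one. The intended direction and the reason for each flip should be recorded in the changelog or commit message so a reviewer can tell whether the default policy is being loosened or tightened. Separately, the comment above the changed `samba_run_unconfined` line still repeats the `use_samba_home_dirs` text "Allow samba to export user home directories."; since the line is being touched, replace it with a description that matches the boolean's name, e.g. `# Allow samba to run unconfined`.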
@ -8,7 +8,7 @@ allow_execmod = false
|
||||
|
||||
# Allow making the stack executable via mprotect.Also requires allow_execmem.
|
||||
#
|
||||
allow_execstack = true
|
||||
allow_execstack = false
|
||||
|
||||
# Allow ftpd to read cifs directories.
|
||||
#
|
||||
@ -56,7 +56,7 @@ allow_ypbind = false
|
||||
|
||||
# Allow zebra to write it own configuration files
|
||||
#
|
||||
allow_zebra_write_config = true
|
||||
allow_zebra_write_config = false
|
||||
|
||||
# Enable extra rules in the cron domainto support fcron.
|
||||
#
|
||||
@ -96,7 +96,7 @@ httpd_enable_ftp_server = false
|
||||
|
||||
# Allow httpd to read home directories
|
||||
#
|
||||
httpd_enable_homedirs = true
|
||||
httpd_enable_homedirs = false
|
||||
|
||||
# Run SSI execs in system CGI script domain.
|
||||
#
|
||||
@ -104,11 +104,11 @@ httpd_ssi_exec = false
|
||||
|
||||
# Allow http daemon to communicate with the TTY
|
||||
#
|
||||
httpd_tty_comm = true
|
||||
httpd_tty_comm = false
|
||||
|
||||
# Run CGI in the main httpd domain
|
||||
#
|
||||
httpd_unified = true
|
||||
httpd_unified = false
|
||||
|
||||
# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
|
||||
#
|
||||
@ -128,7 +128,7 @@ pppd_can_insmod = false
|
||||
|
||||
# Allow reading of default_t files.
|
||||
#
|
||||
read_default_t = true
|
||||
read_default_t = false
|
||||
|
||||
# Allow samba to export user home directories.
|
||||
#
|
||||
@ -148,7 +148,7 @@ use_samba_home_dirs = false
|
||||
|
||||
# Control users use of ping and traceroute
|
||||
#
|
||||
user_ping = true
|
||||
user_ping = false
|
||||
|
||||
# allow host key based authentication
|
||||
#
|
||||
@ -164,7 +164,7 @@ read_untrusted_content = false
|
||||
|
||||
# Allow spamd to write to users homedirs
|
||||
#
|
||||
spamd_enable_home_dirs = true
|
||||
spamd_enable_home_dirs = false
|
||||
|
||||
# Allow regular users direct mouse access
|
||||
#
|
||||
@ -192,7 +192,7 @@ write_untrusted_content = false
|
||||
|
||||
# Allow all domains to talk to ttys
|
||||
#
|
||||
allow_daemons_use_tty = true
|
||||
allow_daemons_use_tty = false
|
||||
|
||||
# Allow login domains to polyinstatiate directories
|
||||
#
|
||||
@ -208,11 +208,11 @@ samba_domain_controller = false
|
||||
|
||||
# Allow samba to export user home directories.
|
||||
#
|
||||
samba_run_unconfined = true
|
||||
samba_run_unconfined = false
|
||||
|
||||
# Allows XServer to execute writable memory
|
||||
#
|
||||
allow_xserver_execmem = true
|
||||
allow_xserver_execmem = false
|
||||
|
||||
# disallow guest accounts to execute files that they can create
|
||||
#
|
||||
@ -225,7 +225,7 @@ browser_confine_xguest=false
|
||||
|
||||
# Allow postfix locat to write to mail spool
|
||||
#
|
||||
allow_postfix_local_write_mail_spool=true
|
||||
allow_postfix_local_write_mail_spool=false
|
||||
|
||||
# Allow common users to read/write noexattrfile systems
|
||||
#
|
||||
|
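Review bot: This second booleans file carries the same set of default flips as the first one (allow_execstack, httpd_unified, samba_run_unconfined, allow_daemons_use_tty, allow_xserver_execmem and the rest), and again neither the changelog nor the page shows which side of each true/false pair is new. If the two files are meant to keep identical defaults, say so in the commit message and note the reason for the change; if they are meant to diverge (e.g. one being a stricter policy type), the identical edit looks like a copy-paste worth a second look. The comment above the changed `samba_run_unconfined` line is also a duplicate of the `use_samba_home_dirs` description; a one-line fix such as `# Allow samba to run unconfined` would stop it from misleading whoever next edits the default.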
@ -3001,8 +3001,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.12/policy/modules/apps/nsplugin.te
|
||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.te 2009-04-07 16:01:44.000000000 -0400
|
||||
@@ -0,0 +1,292 @@
|
||||
+++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.te 2009-04-17 11:13:07.000000000 -0400
|
||||
@@ -0,0 +1,293 @@
|
||||
+
|
||||
+policy_module(nsplugin, 1.0.0)
|
||||
+
|
||||
@ -3138,6 +3138,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
+miscfiles_read_localization(nsplugin_t)
|
||||
+miscfiles_read_fonts(nsplugin_t)
|
||||
+miscfiles_dontaudit_write_fonts(nsplugin_t)
|
||||
+
|
||||
+userdom_manage_user_tmp_dirs(nsplugin_t)
|
||||
+userdom_manage_user_tmp_files(nsplugin_t)
|
||||
@ -3462,8 +3463,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.6.12/policy/modules/apps/podsleuth.te
|
||||
--- nsaserefpolicy/policy/modules/apps/podsleuth.te 2009-01-05 15:39:38.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/apps/podsleuth.te 2009-04-07 16:01:44.000000000 -0400
|
||||
@@ -11,21 +11,68 @@
|
||||
+++ serefpolicy-3.6.12/policy/modules/apps/podsleuth.te 2009-04-18 06:04:47.000000000 -0400
|
||||
@@ -11,25 +11,80 @@
|
||||
application_domain(podsleuth_t, podsleuth_exec_t)
|
||||
role system_r types podsleuth_t;
|
||||
|
||||
@ -3483,7 +3484,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
#
|
||||
-
|
||||
-allow podsleuth_t self:process { signal getsched execheap execmem };
|
||||
+allow podsleuth_t self:capability { sys_admin sys_rawio };
|
||||
+allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
|
||||
+allow podsleuth_t self:process { ptrace signal getsched execheap execmem execstack };
|
||||
allow podsleuth_t self:fifo_file rw_file_perms;
|
||||
allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
|
||||
@ -3533,7 +3534,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
miscfiles_read_localization(podsleuth_t)
|
||||
|
||||
dbus_system_bus_client(podsleuth_t)
|
||||
-dbus_system_bus_client(podsleuth_t)
|
||||
+userdom_signal_all_users(podsleuth_t)
|
||||
|
||||
-mono_exec(podsleuth_t)
|
||||
+optional_policy(`
|
||||
+ dbus_system_bus_client(podsleuth_t)
|
||||
+')
|
||||
|
||||
+optional_policy(`
|
||||
hal_dbus_chat(podsleuth_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ mono_exec(podsleuth_t)
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.6.12/policy/modules/apps/pulseaudio.fc
|
||||
--- nsaserefpolicy/policy/modules/apps/pulseaudio.fc 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/apps/pulseaudio.fc 2009-04-07 16:01:44.000000000 -0400
|
||||
@ -4923,7 +4938,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
type urandom_device_t;
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.12/policy/modules/kernel/domain.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/domain.if 2009-01-05 15:39:38.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/kernel/domain.if 2009-04-15 08:01:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/kernel/domain.if 2009-04-18 06:12:57.000000000 -0400
|
||||
@@ -525,7 +525,7 @@
|
||||
')
|
||||
|
||||
@ -6552,7 +6567,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.6.12/policy/modules/roles/unconfineduser.if
|
||||
--- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.if 2009-04-14 14:12:12.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.if 2009-04-18 06:06:56.000000000 -0400
|
||||
@@ -0,0 +1,638 @@
|
||||
+## <summary>Unconfiend user role</summary>
|
||||
+
|
||||
@ -22979,7 +22994,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te
|
||||
--- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-04-07 16:01:44.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-04-17 11:32:56.000000000 -0400
|
||||
@@ -8,19 +8,24 @@
|
||||
|
||||
## <desc>
|
||||
@ -23190,7 +23205,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -198,5 +271,78 @@
|
||||
@@ -198,5 +271,80 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -23226,6 +23241,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
+list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
|
||||
+read_files_pattern(svirt_t, virt_content_t, virt_content_t)
|
||||
+dontaudit svirt_t virt_content_t:file write_file_perms;
|
||||
+dontaudit svirt_t virt_content_t:dir write;
|
||||
+
|
||||
+storage_raw_write_removable_device(svirt_t)
|
||||
+storage_raw_read_removable_device(svirt_t)
|
||||
@ -25303,8 +25320,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
#
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.12/policy/modules/system/init.if
|
||||
--- nsaserefpolicy/policy/modules/system/init.if 2009-01-05 15:39:43.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/init.if 2009-04-16 10:03:08.000000000 -0400
|
||||
@@ -280,6 +280,29 @@
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/init.if 2009-04-17 11:04:53.000000000 -0400
|
||||
@@ -280,6 +280,36 @@
|
||||
kernel_dontaudit_use_fds($1)
|
||||
')
|
||||
')
|
||||
@ -25330,11 +25347,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ optional_policy(`
|
||||
+ xserver_rw_xdm_home_files($1)
|
||||
+ ')
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ unconfined_dontaudit_rw_pipes($1)
|
||||
+ unconfined_dontaudit_rw_stream($1)
|
||||
+ userdom_dontaudit_read_user_tmp_files($1)
|
||||
+ ')
|
||||
+
|
||||
+ init_rw_script_stream_sockets($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -546,7 +569,7 @@
|
||||
@@ -546,7 +576,7 @@
|
||||
|
||||
# upstart uses a datagram socket instead of initctl pipe
|
||||
allow $1 self:unix_dgram_socket create_socket_perms;
|
||||
@ -25343,7 +25367,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -619,18 +642,19 @@
|
||||
@@ -619,18 +649,19 @@
|
||||
#
|
||||
interface(`init_spec_domtrans_script',`
|
||||
gen_require(`
|
||||
@ -25367,7 +25391,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -646,23 +670,43 @@
|
||||
@@ -646,23 +677,43 @@
|
||||
#
|
||||
interface(`init_domtrans_script',`
|
||||
gen_require(`
|
||||
@ -25415,7 +25439,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Execute a init script in a specified domain.
|
||||
## </summary>
|
||||
## <desc>
|
||||
@@ -1291,6 +1335,25 @@
|
||||
@@ -1291,6 +1342,25 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -25441,7 +25465,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Create files in a init script
|
||||
## temporary data directory.
|
||||
## </summary>
|
||||
@@ -1521,3 +1584,51 @@
|
||||
@@ -1521,3 +1591,51 @@
|
||||
')
|
||||
corenet_udp_recvfrom_labeled($1, daemon)
|
||||
')
|
||||
@ -25495,7 +25519,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.12/policy/modules/system/init.te
|
||||
--- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/init.te 2009-04-17 07:33:11.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/init.te 2009-04-17 11:41:15.000000000 -0400
|
||||
@@ -17,6 +17,20 @@
|
||||
## </desc>
|
||||
gen_tunable(init_upstart,false)
|
||||
@ -25714,7 +25738,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -516,6 +560,31 @@
|
||||
@@ -516,6 +560,33 @@
|
||||
')
|
||||
')
|
||||
|
||||
@ -25741,12 +25765,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
+optional_policy(`
|
||||
+ unconfined_dontaudit_rw_pipes(daemon)
|
||||
+ unconfined_dontaudit_rw_stream(daemon)
|
||||
+ userdom_dontaudit_read_user_tmp_files(daemon)
|
||||
+')
|
||||
+
|
||||
optional_policy(`
|
||||
amavis_search_lib(initrc_t)
|
||||
amavis_setattr_pid_files(initrc_t)
|
||||
@@ -570,6 +639,10 @@
|
||||
@@ -570,6 +641,10 @@
|
||||
dbus_read_config(initrc_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -25757,7 +25783,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
networkmanager_dbus_chat(initrc_t)
|
||||
')
|
||||
')
|
||||
@@ -591,6 +664,10 @@
|
||||
@@ -591,6 +666,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -25768,7 +25794,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dev_read_usbfs(initrc_t)
|
||||
|
||||
# init scripts run /etc/hotplug/usb.rc
|
||||
@@ -647,6 +724,11 @@
|
||||
@@ -647,6 +726,11 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -25780,7 +25806,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
mailman_list_data(initrc_t)
|
||||
mailman_read_data_symlinks(initrc_t)
|
||||
')
|
||||
@@ -655,12 +737,6 @@
|
||||
@@ -655,12 +739,6 @@
|
||||
mta_read_config(initrc_t)
|
||||
mta_dontaudit_read_spool_symlinks(initrc_t)
|
||||
')
|
||||
@ -25793,7 +25819,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
optional_policy(`
|
||||
ifdef(`distro_redhat',`
|
||||
@@ -721,6 +797,9 @@
|
||||
@@ -721,6 +799,9 @@
|
||||
|
||||
# why is this needed:
|
||||
rpm_manage_db(initrc_t)
|
||||
@ -25803,7 +25829,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -733,10 +812,12 @@
|
||||
@@ -733,10 +814,12 @@
|
||||
squid_manage_logs(initrc_t)
|
||||
')
|
||||
|
||||
@ -25816,7 +25842,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
optional_policy(`
|
||||
ssh_dontaudit_read_server_keys(initrc_t)
|
||||
@@ -754,6 +835,11 @@
|
||||
@@ -754,6 +837,11 @@
|
||||
uml_setattr_util_sockets(initrc_t)
|
||||
')
|
||||
|
||||
@ -25828,7 +25854,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
optional_policy(`
|
||||
unconfined_domain(initrc_t)
|
||||
|
||||
@@ -761,6 +847,8 @@
|
||||
@@ -761,6 +849,8 @@
|
||||
# system-config-services causes avc messages that should be dontaudited
|
||||
unconfined_dontaudit_rw_pipes(daemon)
|
||||
')
|
||||
@ -25837,7 +25863,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
optional_policy(`
|
||||
mono_domtrans(initrc_t)
|
||||
@@ -768,6 +856,10 @@
|
||||
@@ -768,6 +858,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -25848,7 +25874,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
vmware_read_system_config(initrc_t)
|
||||
vmware_append_system_config(initrc_t)
|
||||
')
|
||||
@@ -790,3 +882,25 @@
|
||||
@@ -790,3 +884,25 @@
|
||||
optional_policy(`
|
||||
zebra_read_config(initrc_t)
|
||||
')
|
||||
@ -29135,7 +29161,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-04-16 11:03:07.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-04-18 06:14:35.000000000 -0400
|
||||
@@ -30,8 +30,9 @@
|
||||
')
|
||||
|
||||
@ -30542,7 +30568,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
kernel_search_proc($1)
|
||||
')
|
||||
|
||||
@@ -2981,3 +3187,482 @@
|
||||
@@ -2981,3 +3187,481 @@
|
||||
|
||||
allow $1 userdomain:dbus send_msg;
|
||||
')
|
||||
@ -31024,7 +31050,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
+ dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
|
||||
+')
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.12/policy/modules/system/userdomain.te
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.te 2009-01-19 11:07:34.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/userdomain.te 2009-04-07 16:01:44.000000000 -0400
|
||||
|
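Review bot: The new podsleuth.te line `allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };` gives the domain a near-root capability set, since dac_override bypasses file permission checks on top of the sys_admin and sys_rawio that were already there, and the same hunk adds `execstack` to a process line that already had execmem and execheap, removing the remaining memory-protection restriction for this domain. Rules like these are usually added to clear a specific AVC denial, so each should carry a short justification, e.g. `# dac_override: <denied path>; kill: signal mono children (avc from bug ...)`, and if the file-access denial comes from mislabelled files a file-context fix is preferable to dac_override. The `kill` capability combined with the `userdom_signal_all_users(podsleuth_t)` added further down in the same file appears to let podsleuth_t signal processes of any user; if it only needs to reach its own children, the plain `signal` it already has on self:process would likely suffice. `ptrace` is granted on self:process only, which is narrower than tracing other domains, but it still deserves a one-line note on why it is needed. The podsleuth.te definitions continue outside the visible hunks.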
@ -20,7 +20,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.6.12
|
||||
Release: 6%{?dist}
|
||||
Release: 8%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -311,9 +311,9 @@ SELinux Reference policy targeted base module.
|
||||
%saveFileContext targeted
|
||||
|
||||
%post targeted
|
||||
set -x
|
||||
if [ $1 -eq 1 ]; then
|
||||
%loadpolicy targeted "unconfined.pp.bz2 unconfineduser.pp.bz2"
|
||||
packages="unconfined.pp.bz2 unconfineduser.pp.bz2"
|
||||
%loadpolicy targeted $packages
|
||||
restorecon -R /root /var/log /var/run 2> /dev/null
|
||||
else
|
||||
semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid 2>/dev/null
|
||||
@ -401,7 +401,7 @@ SELinux Reference policy olpc base module.
|
||||
%saveFileContext olpc
|
||||
|
||||
%post olpc
|
||||
%loadpolicy olpc
|
||||
%loadpolicy olpc ""
|
||||
|
||||
if [ $1 -ne 1 ]; then
|
||||
%relabel olpc
|
||||
@ -432,7 +432,7 @@ SELinux Reference policy mls base module.
|
||||
|
||||
%post mls
|
||||
semodule -n -s mls -r mailscanner 2>/dev/null
|
||||
%loadpolicy mls
|
||||
%loadpolicy mls ""
|
||||
|
||||
if [ $1 != 1 ]; then
|
||||
%relabel mls
|
||||
@ -446,6 +446,12 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Sat Apr 18 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-8
|
||||
- Fixes for podsleuth
|
||||
|
||||
* Fri Apr 17 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-7
|
||||
- Turn off nsplugin transition
|
||||
- Remove Konsole leaked file descriptors for release
|
||||
|
||||
* Fri Apr 17 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-6
|
||||
- Allow cupsd_t to create link files in print_spool_t
|
||||
|
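Review bot: The 3.6.12-8 changelog entry says only "Fixes for podsleuth", but this spec also changes the %post scriptlets: the targeted module list now goes through an unquoted `$packages` variable and the olpc and mls scriptlets pass an explicit empty second argument, `%loadpolicy olpc ""` and `%loadpolicy mls ""`. These affect package installation rather than podsleuth and should get their own changelog line. The %loadpolicy macro definition is not in this section, so whether the unquoted `$packages` (word-split into two arguments) and the new `""` argument match what the macro expects cannot be confirmed from here; a comment next to `packages=` stating the expected argument form, e.g. `# %loadpolicy <type> <space-separated .pp.bz2 modules, may be empty>`, would make the contract visible.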