- Fix request_module line to module_request
parent
d53d158d2b
commit
da08b5716a
@ -1944,7 +1944,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.32/policy/modules/apps/java.te
|
||||
--- nsaserefpolicy/policy/modules/apps/java.te 2009-08-18 11:41:14.000000000 -0400
|
||||
+++ serefpolicy-3.6.32/policy/modules/apps/java.te 2009-09-16 10:03:08.000000000 -0400
|
||||
+++ serefpolicy-3.6.32/policy/modules/apps/java.te 2009-09-18 17:16:51.000000000 -0400
|
||||
@@ -20,6 +20,8 @@
|
||||
typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t };
|
||||
typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
|
||||
@ -1970,17 +1970,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
|
||||
')
|
||||
|
||||
@@ -147,4 +151,12 @@
|
||||
@@ -143,8 +147,18 @@
|
||||
# execheap is needed for itanium/BEA jrocket
|
||||
allow unconfined_java_t self:process { execstack execmem execheap };
|
||||
|
||||
+ files_execmod_all_files(unconfined_java_t)
|
||||
+
|
||||
init_dbus_chat_script(unconfined_java_t)
|
||||
|
||||
unconfined_domain_noaudit(unconfined_java_t)
|
||||
unconfined_dbus_chat(unconfined_java_t)
|
||||
+ optional_policy(`
|
||||
+ hal_dbus_chat(unconfined_java_t)
|
||||
')
|
||||
+')
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ rpm_domtrans(unconfined_java_t)
|
||||
+ ')
|
||||
')
|
||||
+')
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.6.32/policy/modules/apps/kdumpgui.fc
|
||||
@ -5313,7 +5319,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-09-18 11:28:35.000000000 -0400
|
||||
+++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-09-18 17:16:00.000000000 -0400
|
||||
@@ -110,6 +110,11 @@
|
||||
## </param>
|
||||
#
|
||||
@ -13566,15 +13572,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.32/policy/modules/services/policykit.te
|
||||
--- nsaserefpolicy/policy/modules/services/policykit.te 2009-08-18 11:41:14.000000000 -0400
|
||||
+++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2009-09-16 10:03:09.000000000 -0400
|
||||
+++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2009-09-18 17:05:02.000000000 -0400
|
||||
@@ -36,11 +36,12 @@
|
||||
# policykit local policy
|
||||
#
|
||||
|
||||
-allow policykit_t self:capability { setgid setuid };
|
||||
+allow policykit_t self:capability { setgid setuid sys_ptrace };
|
||||
allow policykit_t self:process getattr;
|
||||
-allow policykit_t self:process getattr;
|
||||
-allow policykit_t self:fifo_file rw_file_perms;
|
||||
+allow policykit_t self:capability { setgid setuid sys_ptrace };
|
||||
+allow policykit_t self:process { getsched getattr };
|
||||
+allow policykit_t self:fifo_file rw_fifo_file_perms;
|
||||
+
|
||||
allow policykit_t self:unix_dgram_socket create_socket_perms;
|
||||
@ -17793,7 +17800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.32/policy/modules/services/ssh.te
|
||||
--- nsaserefpolicy/policy/modules/services/ssh.te 2009-08-14 16:14:31.000000000 -0400
|
||||
+++ serefpolicy-3.6.32/policy/modules/services/ssh.te 2009-09-16 10:03:09.000000000 -0400
|
||||
+++ serefpolicy-3.6.32/policy/modules/services/ssh.te 2009-09-18 17:38:09.000000000 -0400
|
||||
@@ -41,6 +41,9 @@
|
||||
files_tmp_file(sshd_tmp_t)
|
||||
files_poly_parent(sshd_tmp_t)
|
||||
@ -17831,8 +17838,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# Allow the ssh program to communicate with ssh-agent.
|
||||
stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
|
||||
@@ -131,6 +134,7 @@
|
||||
read_lnk_files_pattern(ssh_server, home_ssh_t, home_ssh_t)
|
||||
@@ -126,11 +129,12 @@
|
||||
read_lnk_files_pattern(ssh_t, home_ssh_t, home_ssh_t)
|
||||
|
||||
# ssh servers can read the user keys and config
|
||||
-allow ssh_server home_ssh_t:dir list_dir_perms;
|
||||
-read_files_pattern(ssh_server, home_ssh_t, home_ssh_t)
|
||||
-read_lnk_files_pattern(ssh_server, home_ssh_t, home_ssh_t)
|
||||
+manage_dirs_pattern(ssh_server, home_ssh_t, home_ssh_t)
|
||||
+manage_files_pattern(ssh_server, home_ssh_t, home_ssh_t)
|
||||
+userdom_user_home_dir_filetrans(ssh_server, home_ssh_t, dir)
|
||||
|
||||
kernel_read_kernel_sysctls(ssh_t)
|
||||
+kernel_read_system_state(ssh_t)
|
||||
|
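Review bot: In the ssh.te hunk (inner header `@@ -126,11 +129,12 @@`), the three read-only rules for `ssh_server` on `home_ssh_t` are replaced by `manage_dirs_pattern` and `manage_files_pattern`, which lets every ssh_server domain create, rewrite and delete files under the user's ssh directory, while the comment above still reads "ssh servers can read the user keys and config". The rendered page has lost the outer +/- column, so this reading is inferred from the changed inner hunk header and should be confirmed against the raw patch. If the intent is only to let the server create the directory, as the added `userdom_user_home_dir_filetrans(ssh_server, home_ssh_t, dir)` suggests, keep `read_files_pattern(ssh_server, home_ssh_t, home_ssh_t)` and `read_lnk_files_pattern(ssh_server, home_ssh_t, home_ssh_t)` and grant directory creation alone instead of full manage rights on the files. Either way, update the comment, for example `# ssh servers can create the user ssh directory and read the user keys and config`, and mention this access change in the commit message, which currently names only the module_request fix.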