- Fix munin log,
- Eliminate duplicate mozilla file context; fix wpa_supplicant spec
parent
88ae3f5e0c
commit
e0c99a57ed
@ -3463,8 +3463,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te
|
||||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.2.5/policy/modules/kernel/corecommands.fc
|
||||
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-12-12 11:35:27.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/kernel/corecommands.fc 2007-12-19 05:38:08.000000000 -0500
|
||||
@@ -127,6 +127,8 @@
|
||||
+++ serefpolicy-3.2.5/policy/modules/kernel/corecommands.fc 2007-12-31 11:50:26.000000000 -0500
|
||||
@@ -7,6 +7,7 @@
|
||||
/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
+/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
@@ -58,6 +59,8 @@
|
||||
|
||||
/etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
+/etc/NetworkManager/dispatcher.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
+
|
||||
/etc/ppp/ip-down\..* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/ppp/ip-up\..* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/ppp/ipv6-up\..* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -127,6 +130,8 @@
|
||||
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
||||
')
|
||||
|
||||
@ -3473,7 +3490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
|
||||
#
|
||||
# /usr
|
||||
#
|
||||
@@ -147,7 +149,7 @@
|
||||
@@ -147,7 +152,7 @@
|
||||
/usr/lib(64)?/cups/backend(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/cups/cgi-bin/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/cups/daemon(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
@ -3482,7 +3499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
|
||||
|
||||
/usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -186,6 +188,8 @@
|
||||
@@ -186,6 +191,8 @@
|
||||
/usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/local/Printer/[^/]*/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
@ -3504,16 +3521,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
|
||||
########################################
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in
|
||||
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-11-29 13:29:34.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in 2007-12-19 05:38:08.000000000 -0500
|
||||
@@ -122,6 +122,7 @@
|
||||
+++ serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in 2007-12-31 07:12:10.000000000 -0500
|
||||
@@ -122,6 +122,8 @@
|
||||
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
|
||||
network_port(monopd, tcp,1234,s0)
|
||||
network_port(msnp, tcp,1863,s0, udp,1863,s0)
|
||||
+network_port(munin, tcp,4949,s0, udp,4949,s0)
|
||||
+network_port(mythtv, tcp,6543,s0, udp,6543,s0)
|
||||
network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
|
||||
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
|
||||
network_port(nessus, tcp,1241,s0)
|
||||
@@ -133,6 +134,7 @@
|
||||
@@ -133,6 +135,7 @@
|
||||
network_port(pegasus_http, tcp,5988,s0)
|
||||
network_port(pegasus_https, tcp,5989,s0)
|
||||
network_port(postfix_policyd, tcp,10031,s0)
|
||||
@ -3523,7 +3541,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
|
||||
network_port(postgresql, tcp,5432,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.2.5/policy/modules/kernel/devices.fc
|
||||
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-12-12 11:35:27.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/kernel/devices.fc 2007-12-19 05:38:08.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/kernel/devices.fc 2007-12-31 08:18:04.000000000 -0500
|
||||
@@ -22,6 +22,7 @@
|
||||
/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
|
||||
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
|
||||
@ -3532,7 +3550,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
|
||||
/dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0)
|
||||
/dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0)
|
||||
/dev/hidraw.* -c gen_context(system_u:object_r:usb_device_t,s0)
|
||||
@@ -33,6 +34,7 @@
|
||||
@@ -29,10 +30,13 @@
|
||||
/dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0)
|
||||
/dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0)
|
||||
/dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0)
|
||||
+/dev/ipmi[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0)
|
||||
+/dev/ipmi/[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0)
|
||||
/dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0)
|
||||
/dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
|
||||
/dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
|
||||
/dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
|
||||
@ -3702,8 +3726,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
|
||||
## <param name="domain">
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.2.5/policy/modules/kernel/devices.te
|
||||
--- nsaserefpolicy/policy/modules/kernel/devices.te 2007-12-19 05:32:07.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/kernel/devices.te 2007-12-19 05:38:08.000000000 -0500
|
||||
@@ -72,6 +72,13 @@
|
||||
+++ serefpolicy-3.2.5/policy/modules/kernel/devices.te 2007-12-31 08:18:37.000000000 -0500
|
||||
@@ -66,12 +66,25 @@
|
||||
dev_node(framebuf_device_t)
|
||||
|
||||
#
|
||||
+# Type for /dev/ipmi/0
|
||||
+#
|
||||
+type ipmi_device_t;
|
||||
+dev_node(ipmi_device_t)
|
||||
+
|
||||
+#
|
||||
# Type for /dev/kmsg
|
||||
#
|
||||
type kmsg_device_t;
|
||||
dev_node(kmsg_device_t)
|
||||
|
||||
#
|
||||
@ -4137,7 +4173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.2.5/policy/modules/services/apache.if
|
||||
--- nsaserefpolicy/policy/modules/services/apache.if 2007-10-23 17:17:42.000000000 -0400
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/apache.if 2007-12-19 05:38:09.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/apache.if 2007-12-31 07:06:22.000000000 -0500
|
||||
@@ -18,10 +18,6 @@
|
||||
attribute httpd_script_exec_type;
|
||||
type httpd_t, httpd_suexec_t, httpd_log_t;
|
||||
@ -4166,7 +4202,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
|
||||
kernel_dontaudit_search_sysctl(httpd_$1_script_t)
|
||||
kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
|
||||
@@ -120,10 +115,6 @@
|
||||
@@ -96,6 +91,7 @@
|
||||
dev_read_urand(httpd_$1_script_t)
|
||||
|
||||
corecmd_exec_all_executables(httpd_$1_script_t)
|
||||
+ application_exec_all(httpd_$1_script_t)
|
||||
|
||||
files_exec_etc_files(httpd_$1_script_t)
|
||||
files_read_etc_files(httpd_$1_script_t)
|
||||
@@ -120,10 +116,6 @@
|
||||
can_exec(httpd_$1_script_t, httpdcontent)
|
||||
')
|
||||
|
||||
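Review bot: The `application_exec_all(httpd_$1_script_t)` added under the `corecmd_exec_all_executables(httpd_$1_script_t)` line is almost certainly redundant in this template, since that existing call already lets the script domain execute every exec_type and application executables are registered as exec_type; the line that matters is the one in apache.te, where this commit replaces `corecmd_exec_bin(httpd_t)` and `corecmd_exec_shell(httpd_t)` with `application_exec_all(httpd_t)`, and the matching replacement for httpd_suexec_t, which widen a network-facing daemon and its setuid helper from bin_t and shell_exec_t to every application executable type. Both of those replacements also drop the explanatory comments (`# execute perl`, `# for shell scripts`) without recording why the broader set is needed, so a later reviewer cannot tell a deliberate widening from a convenience fix. I would either keep the two narrower calls where they suffice, or put a one-line reason above the new call, e.g. `# application_exec_type is broader than bin_t/shell_exec_t; needed for <reason>`. The enclosing template starts outside this hunk, and the corresponding hunks for httpd_t and httpd_suexec_t appear further down in apache.te.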
@ -4177,7 +4221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
# Allow the web server to run scripts and serve pages
|
||||
tunable_policy(`httpd_builtin_scripting',`
|
||||
manage_dirs_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
|
||||
@@ -177,48 +168,6 @@
|
||||
@@ -177,48 +169,6 @@
|
||||
miscfiles_read_localization(httpd_$1_script_t)
|
||||
')
|
||||
|
||||
@ -4226,7 +4270,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
optional_policy(`
|
||||
tunable_policy(`httpd_enable_cgi && allow_ypbind',`
|
||||
nis_use_ypbind_uncond(httpd_$1_script_t)
|
||||
@@ -267,7 +216,7 @@
|
||||
@@ -267,7 +217,7 @@
|
||||
attribute httpdcontent, httpd_script_domains;
|
||||
attribute httpd_exec_scripts, httpd_user_content_type;
|
||||
attribute httpd_user_script_exec_type;
|
||||
@ -4235,7 +4279,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
')
|
||||
|
||||
apache_content_template($1)
|
||||
@@ -331,6 +280,7 @@
|
||||
@@ -331,6 +281,7 @@
|
||||
userdom_search_user_home_dirs($1,httpd_t)
|
||||
userdom_search_user_home_dirs($1,httpd_suexec_t)
|
||||
userdom_search_user_home_dirs($1,httpd_$1_script_t)
|
||||
@ -4243,7 +4287,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
')
|
||||
')
|
||||
|
||||
@@ -352,12 +302,11 @@
|
||||
@@ -352,12 +303,11 @@
|
||||
#
|
||||
template(`apache_read_user_scripts',`
|
||||
gen_require(`
|
||||
@ -4260,7 +4304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -378,12 +327,12 @@
|
||||
@@ -378,12 +328,12 @@
|
||||
#
|
||||
template(`apache_read_user_content',`
|
||||
gen_require(`
|
||||
@ -4277,7 +4321,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -761,6 +710,7 @@
|
||||
@@ -761,6 +711,7 @@
|
||||
')
|
||||
|
||||
allow $1 httpd_modules_t:dir list_dir_perms;
|
||||
@ -4285,7 +4329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -845,6 +795,10 @@
|
||||
@@ -845,6 +796,10 @@
|
||||
type httpd_sys_script_t;
|
||||
')
|
||||
|
||||
@ -4296,7 +4340,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
||||
domtrans_pattern($1, httpdcontent, httpd_sys_script_t)
|
||||
')
|
||||
@@ -932,7 +886,7 @@
|
||||
@@ -932,7 +887,7 @@
|
||||
type httpd_squirrelmail_t;
|
||||
')
|
||||
|
||||
@ -4305,7 +4349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1088,3 +1042,138 @@
|
||||
@@ -1088,3 +1043,138 @@
|
||||
|
||||
allow httpd_t $1:process signal;
|
||||
')
|
||||
@ -4446,7 +4490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.2.5/policy/modules/services/apache.te
|
||||
--- nsaserefpolicy/policy/modules/services/apache.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/apache.te 2007-12-26 19:16:19.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/apache.te 2007-12-31 07:20:25.000000000 -0500
|
||||
@@ -20,6 +20,8 @@
|
||||
# Declarations
|
||||
#
|
||||
@ -4559,7 +4603,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
|
||||
corenet_all_recvfrom_unlabeled(httpd_t)
|
||||
corenet_all_recvfrom_netlabel(httpd_t)
|
||||
@@ -335,6 +370,10 @@
|
||||
@@ -315,9 +350,7 @@
|
||||
|
||||
auth_use_nsswitch(httpd_t)
|
||||
|
||||
-# execute perl
|
||||
-corecmd_exec_bin(httpd_t)
|
||||
-corecmd_exec_shell(httpd_t)
|
||||
+application_exec_all(httpd_t)
|
||||
|
||||
domain_use_interactive_fds(httpd_t)
|
||||
|
||||
@@ -335,6 +368,10 @@
|
||||
files_read_var_lib_symlinks(httpd_t)
|
||||
|
||||
fs_search_auto_mountpoints(httpd_sys_script_t)
|
||||
@ -4570,7 +4625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
|
||||
libs_use_ld_so(httpd_t)
|
||||
libs_use_shared_libs(httpd_t)
|
||||
@@ -351,8 +390,6 @@
|
||||
@@ -351,8 +388,6 @@
|
||||
|
||||
userdom_use_unpriv_users_fds(httpd_t)
|
||||
|
||||
@ -4579,7 +4634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
tunable_policy(`allow_httpd_anon_write',`
|
||||
miscfiles_manage_public_files(httpd_t)
|
||||
')
|
||||
@@ -361,6 +398,13 @@
|
||||
@@ -361,6 +396,13 @@
|
||||
#
|
||||
# We need optionals to be able to be within booleans to make this work
|
||||
#
|
||||
@ -4593,7 +4648,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
tunable_policy(`allow_httpd_mod_auth_pam',`
|
||||
auth_domtrans_chk_passwd(httpd_t)
|
||||
')
|
||||
@@ -370,6 +414,16 @@
|
||||
@@ -370,6 +412,16 @@
|
||||
corenet_tcp_connect_all_ports(httpd_t)
|
||||
')
|
||||
|
||||
@ -4610,7 +4665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
tunable_policy(`httpd_can_network_relay',`
|
||||
# allow httpd to work as a relay
|
||||
corenet_tcp_connect_gopher_port(httpd_t)
|
||||
@@ -382,6 +436,10 @@
|
||||
@@ -382,6 +434,10 @@
|
||||
corenet_sendrecv_http_cache_client_packets(httpd_t)
|
||||
')
|
||||
|
||||
@ -4621,7 +4676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
|
||||
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
|
||||
|
||||
@@ -399,11 +457,21 @@
|
||||
@@ -399,11 +455,21 @@
|
||||
fs_read_nfs_symlinks(httpd_t)
|
||||
')
|
||||
|
||||
@ -4643,18 +4698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
tunable_policy(`httpd_ssi_exec',`
|
||||
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
|
||||
allow httpd_sys_script_t httpd_t:fd use;
|
||||
@@ -425,6 +493,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ application_exec(httpd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
calamaris_read_www_files(httpd_t)
|
||||
')
|
||||
|
||||
@@ -437,8 +509,14 @@
|
||||
@@ -437,8 +503,14 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -4670,7 +4714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -450,19 +528,13 @@
|
||||
@@ -450,19 +522,13 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -4691,7 +4735,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -472,13 +544,14 @@
|
||||
@@ -472,13 +538,14 @@
|
||||
openca_kill(httpd_t)
|
||||
')
|
||||
|
||||
@ -4710,7 +4754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -486,6 +559,7 @@
|
||||
@@ -486,6 +553,7 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -4718,7 +4762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
|
||||
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
|
||||
')
|
||||
@@ -521,6 +595,13 @@
|
||||
@@ -521,6 +589,13 @@
|
||||
userdom_use_sysadm_terms(httpd_helper_t)
|
||||
')
|
||||
|
||||
@ -4732,7 +4776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
########################################
|
||||
#
|
||||
# Apache PHP script local policy
|
||||
@@ -550,18 +631,24 @@
|
||||
@@ -550,18 +625,24 @@
|
||||
|
||||
fs_search_auto_mountpoints(httpd_php_t)
|
||||
|
||||
@ -4760,7 +4804,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -585,6 +672,8 @@
|
||||
@@ -585,6 +666,8 @@
|
||||
manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
|
||||
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
|
||||
|
||||
@ -4769,7 +4813,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
kernel_read_kernel_sysctls(httpd_suexec_t)
|
||||
kernel_list_proc(httpd_suexec_t)
|
||||
kernel_read_proc_symlinks(httpd_suexec_t)
|
||||
@@ -638,6 +727,12 @@
|
||||
@@ -593,9 +676,7 @@
|
||||
|
||||
fs_search_auto_mountpoints(httpd_suexec_t)
|
||||
|
||||
-# for shell scripts
|
||||
-corecmd_exec_bin(httpd_suexec_t)
|
||||
-corecmd_exec_shell(httpd_suexec_t)
|
||||
+application_exec_all(httpd_suexec_t)
|
||||
|
||||
files_read_etc_files(httpd_suexec_t)
|
||||
files_read_usr_files(httpd_suexec_t)
|
||||
@@ -638,6 +719,12 @@
|
||||
fs_exec_nfs_files(httpd_suexec_t)
|
||||
')
|
||||
|
||||
@ -4782,7 +4837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||
fs_read_cifs_files(httpd_suexec_t)
|
||||
fs_read_cifs_symlinks(httpd_suexec_t)
|
||||
@@ -655,10 +750,6 @@
|
||||
@@ -655,10 +742,6 @@
|
||||
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
||||
')
|
||||
|
||||
@ -4793,7 +4848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
########################################
|
||||
#
|
||||
# Apache system script local policy
|
||||
@@ -668,7 +759,8 @@
|
||||
@@ -668,7 +751,8 @@
|
||||
|
||||
dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
||||
|
||||
@ -4803,7 +4858,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
|
||||
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
|
||||
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
|
||||
@@ -682,15 +774,44 @@
|
||||
@@ -682,15 +766,44 @@
|
||||
# Should we add a boolean?
|
||||
apache_domtrans_rotatelogs(httpd_sys_script_t)
|
||||
|
||||
@ -4815,15 +4870,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
|
||||
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
+tunable_policy(`httpd_use_nfs', `
|
||||
fs_read_nfs_files(httpd_sys_script_t)
|
||||
fs_read_nfs_symlinks(httpd_sys_script_t)
|
||||
')
|
||||
|
||||
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
|
||||
+ fs_read_nfs_files(httpd_sys_script_t)
|
||||
+ fs_read_nfs_symlinks(httpd_sys_script_t)
|
||||
+')
|
||||
+
|
||||
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
|
||||
fs_read_nfs_files(httpd_sys_script_t)
|
||||
fs_read_nfs_symlinks(httpd_sys_script_t)
|
||||
')
|
||||
|
||||
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
|
||||
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
|
||||
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
|
||||
@ -4849,7 +4904,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||
fs_read_cifs_files(httpd_sys_script_t)
|
||||
fs_read_cifs_symlinks(httpd_sys_script_t)
|
||||
@@ -700,9 +821,15 @@
|
||||
@@ -700,9 +813,15 @@
|
||||
clamav_domtrans_clamscan(httpd_sys_script_t)
|
||||
')
|
||||
|
||||
@ -4865,7 +4920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -724,3 +851,46 @@
|
||||
@@ -724,3 +843,46 @@
|
||||
logging_search_logs(httpd_rotatelogs_t)
|
||||
|
||||
miscfiles_read_localization(httpd_rotatelogs_t)
|
||||
@ -5091,7 +5146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue
|
||||
optional_policy(`
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.2.5/policy/modules/services/clamav.fc
|
||||
--- nsaserefpolicy/policy/modules/services/clamav.fc 2007-09-05 15:24:44.000000000 -0400
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/clamav.fc 2007-12-19 05:38:09.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/clamav.fc 2007-12-31 09:05:46.000000000 -0500
|
||||
@@ -5,16 +5,18 @@
|
||||
/usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0)
|
||||
|
||||
@ -5108,9 +5163,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
|
||||
|
||||
-/var/log/clamav -d gen_context(system_u:object_r:clamd_var_log_t,s0)
|
||||
-/var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0)
|
||||
+/var/log/clamav(/.*)? gen_context(system_u:object_r:clamd_var_log_t,s0)
|
||||
+/var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0)
|
||||
/var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0)
|
||||
+/var/log/clamav.milter -- gen_context(system_u:object_r:clamd_var_log_t,s0)
|
||||
+/var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0)
|
||||
|
||||
/var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.2.5/policy/modules/services/clamav.te
|
||||
@ -5208,7 +5263,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
||||
+/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.2.5/policy/modules/services/cron.if
|
||||
--- nsaserefpolicy/policy/modules/services/cron.if 2007-10-12 08:56:07.000000000 -0400
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/cron.if 2007-12-20 14:02:12.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/cron.if 2007-12-31 15:17:06.000000000 -0500
|
||||
@@ -35,38 +35,23 @@
|
||||
#
|
||||
template(`cron_per_role_template',`
|
||||
@ -7254,9 +7309,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-3.2.5/policy/modules/services/lpd.if
|
||||
--- nsaserefpolicy/policy/modules/services/lpd.if 2007-11-16 13:45:14.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/lpd.if 2007-12-31 06:40:50.000000000 -0500
|
||||
@@ -336,10 +336,8 @@
|
||||
')
|
||||
|
||||
files_search_spool($1)
|
||||
+ manage_dirs_pattern($1,print_spool_t,print_spool_t)
|
||||
manage_files_pattern($1,print_spool_t,print_spool_t)
|
||||
-
|
||||
- # cjp: cups wants setattr
|
||||
- allow $1 print_spool_t:dir setattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.2.5/policy/modules/services/mailman.if
|
||||
--- nsaserefpolicy/policy/modules/services/mailman.if 2007-12-04 11:02:50.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/mailman.if 2007-12-19 05:38:09.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/mailman.if 2007-12-31 14:18:13.000000000 -0500
|
||||
@@ -211,6 +211,7 @@
|
||||
type mailman_data_t;
|
||||
')
|
||||
@ -7265,6 +7335,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
|
||||
manage_files_pattern($1,mailman_data_t,mailman_data_t)
|
||||
')
|
||||
|
||||
@@ -252,6 +253,25 @@
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
+## read
|
||||
+## mailman logs.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`mailman_read_log',`
|
||||
+ gen_require(`
|
||||
+ type mailman_log_t;
|
||||
+ ')
|
||||
+
|
||||
+ read_files_pattern($1,mailman_log_t,mailman_log_t)
|
||||
+')
|
||||
+
|
||||
+#######################################
|
||||
+## <summary>
|
||||
## Append to mailman logs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.2.5/policy/modules/services/mailman.te
|
||||
--- nsaserefpolicy/policy/modules/services/mailman.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/mailman.te 2007-12-19 05:38:09.000000000 -0500
|
||||
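Review bot: The new `mailman_read_log` interface grants `read_files_pattern($1,mailman_log_t,mailman_log_t)` but nothing that lets the caller reach the directory above the log, so a domain that does not already hold search on the log tree will still fail at path lookup; the sibling `mailman_append_log` interface, whose body is outside this hunk, presumably has the same shape, and if it pairs the pattern with `logging_search_logs($1)` this one should mirror it, otherwise add `logging_search_logs($1)` before the read_files_pattern line. The XML summary is also split as `## read` / `## mailman logs.` across two lines while the neighbouring interface uses one sentence (`## Append to mailman logs.`); write it as `## Read mailman logs.` on one line so the generated interface documentation reads correctly.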
@ -7644,18 +7740,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
||||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.2.5/policy/modules/services/munin.fc
|
||||
--- nsaserefpolicy/policy/modules/services/munin.fc 2007-04-30 10:41:38.000000000 -0400
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/munin.fc 2007-12-19 05:38:09.000000000 -0500
|
||||
@@ -8,4 +8,5 @@
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/munin.fc 2007-12-31 05:55:51.000000000 -0500
|
||||
@@ -6,6 +6,7 @@
|
||||
/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0)
|
||||
|
||||
/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
|
||||
/var/log/munin.* -- gen_context(system_u:object_r:munin_log_t,s0)
|
||||
-/var/log/munin.* -- gen_context(system_u:object_r:munin_log_t,s0)
|
||||
+/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
|
||||
/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
|
||||
-/var/www/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
|
||||
+/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
|
||||
+/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.2.5/policy/modules/services/munin.te
|
||||
--- nsaserefpolicy/policy/modules/services/munin.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/munin.te 2007-12-19 05:38:09.000000000 -0500
|
||||
@@ -37,6 +37,9 @@
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/munin.te 2007-12-31 06:15:20.000000000 -0500
|
||||
@@ -37,14 +37,18 @@
|
||||
allow munin_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
allow munin_t self:tcp_socket create_stream_socket_perms;
|
||||
allow munin_t self:udp_socket create_socket_perms;
|
||||
@ -7665,7 +7764,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
|
||||
|
||||
allow munin_t munin_etc_t:dir list_dir_perms;
|
||||
read_files_pattern(munin_t,munin_etc_t,munin_etc_t)
|
||||
@@ -73,6 +76,7 @@
|
||||
read_lnk_files_pattern(munin_t,munin_etc_t,munin_etc_t)
|
||||
files_search_etc(munin_t)
|
||||
|
||||
-allow munin_t munin_log_t:file manage_file_perms;
|
||||
-logging_log_filetrans(munin_t,munin_log_t,file)
|
||||
+manage_dirs_pattern(munin_t, munin_log_t, munin_log_t)
|
||||
+manage_files_pattern(munin_t, munin_log_t, munin_log_t)
|
||||
+logging_log_filetrans(munin_t,munin_log_t,{ file dir })
|
||||
|
||||
manage_dirs_pattern(munin_t,munin_tmp_t,munin_tmp_t)
|
||||
manage_files_pattern(munin_t,munin_tmp_t,munin_tmp_t)
|
||||
@@ -73,6 +77,7 @@
|
||||
corenet_udp_sendrecv_all_nodes(munin_t)
|
||||
corenet_tcp_sendrecv_all_ports(munin_t)
|
||||
corenet_udp_sendrecv_all_ports(munin_t)
|
||||
@ -7673,7 +7783,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
|
||||
|
||||
dev_read_sysfs(munin_t)
|
||||
dev_read_urand(munin_t)
|
||||
@@ -91,6 +95,7 @@
|
||||
@@ -91,6 +96,7 @@
|
||||
|
||||
logging_send_syslog_msg(munin_t)
|
||||
|
||||
@ -7681,7 +7791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
|
||||
miscfiles_read_localization(munin_t)
|
||||
|
||||
sysnet_read_config(munin_t)
|
||||
@@ -118,3 +123,9 @@
|
||||
@@ -118,3 +124,9 @@
|
||||
optional_policy(`
|
||||
udev_read_db(munin_t)
|
||||
')
|
||||
@ -7785,8 +7895,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.2.5/policy/modules/services/mysql.te
|
||||
--- nsaserefpolicy/policy/modules/services/mysql.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/mysql.te 2007-12-19 05:38:09.000000000 -0500
|
||||
@@ -25,6 +25,9 @@
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/mysql.te 2007-12-31 06:59:38.000000000 -0500
|
||||
@@ -1,4 +1,3 @@
|
||||
-
|
||||
policy_module(mysql,1.6.0)
|
||||
|
||||
########################################
|
||||
@@ -25,6 +24,9 @@
|
||||
type mysqld_tmp_t;
|
||||
files_tmp_file(mysqld_tmp_t)
|
||||
|
||||
@ -7796,6 +7911,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
@@ -33,7 +35,8 @@
|
||||
allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service };
|
||||
dontaudit mysqld_t self:capability sys_tty_config;
|
||||
allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
|
||||
-allow mysqld_t self:fifo_file { read write };
|
||||
+allow mysqld_t self:fifo_file rw_fifo_file_perms;
|
||||
+allow mysqld_t self:shm create_shm_file_perms;
|
||||
allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow mysqld_t self:tcp_socket create_stream_socket_perms;
|
||||
allow mysqld_t self:udp_socket create_socket_perms;
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.2.5/policy/modules/services/nagios.fc
|
||||
--- nsaserefpolicy/policy/modules/services/nagios.fc 2006-11-16 17:15:20.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/nagios.fc 2007-12-19 05:38:09.000000000 -0500
|
||||
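Review bot: `allow mysqld_t self:shm create_shm_file_perms;` names a permission set that, unless this tree defines it locally in its support macros, does not exist in reference policy; the shm set used elsewhere in refpolicy is `create_shm_perms`, and an undefined m4 name is passed through to checkpolicy verbatim and fails the build. Change the line to `allow mysqld_t self:shm create_shm_perms;` if that is the intended set, or note where `create_shm_file_perms` is defined. The `rw_fifo_file_perms` replacement on the line above is the right idiom for the fifo rule it replaces.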
@ -7948,12 +8073,42 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
|
||||
#
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.2.5/policy/modules/services/networkmanager.fc
|
||||
--- nsaserefpolicy/policy/modules/services/networkmanager.fc 2007-09-12 10:34:18.000000000 -0400
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/networkmanager.fc 2007-12-19 05:38:09.000000000 -0500
|
||||
@@ -5,3 +5,4 @@
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/networkmanager.fc 2007-12-31 08:48:44.000000000 -0500
|
||||
@@ -1,7 +1,9 @@
|
||||
/usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
|
||||
/usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
|
||||
+/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
|
||||
|
||||
/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||
/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||
/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||
+/var/log/wpa_supplicant\.log -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
|
||||
+/var/log/wpa_supplicant\.log.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.2.5/policy/modules/services/networkmanager.if
|
||||
--- nsaserefpolicy/policy/modules/services/networkmanager.if 2007-06-12 10:15:45.000000000 -0400
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/networkmanager.if 2007-12-31 08:55:52.000000000 -0500
|
||||
@@ -97,3 +97,21 @@
|
||||
allow $1 NetworkManager_t:dbus send_msg;
|
||||
allow NetworkManager_t $1:dbus send_msg;
|
||||
')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Send a generic signal to NetworkManager
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`networkmanager_signal',`
|
||||
+ gen_require(`
|
||||
+ type NetworkManager_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 NetworkManager_t:process signal;
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.2.5/policy/modules/services/networkmanager.te
|
||||
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/networkmanager.te 2007-12-26 20:31:36.000000000 -0500
|
||||
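Review bot: The two wpa_supplicant log entries overlap — `/var/log/wpa_supplicant\.log.*` already matches `/var/log/wpa_supplicant\.log` because `.*` matches the empty string, so the first entry is redundant and the pair can collapse to `/var/log/wpa_supplicant\.log.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)`. Giving `/usr/sbin/NetworkManagerDispatcher` the NetworkManager_exec_t type makes the dispatcher run in NetworkManager_t; if its only job is to run per-event scripts, a dedicated domain would keep that script execution from inheriting the daemon's full privileges — worth confirming against what the dispatcher actually does. The new `networkmanager_signal` interface grants only `process signal` to NetworkManager_t, which is appropriately narrow.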
@ -8687,7 +8842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
||||
## </summary>
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.2.5/policy/modules/services/postfix.te
|
||||
--- nsaserefpolicy/policy/modules/services/postfix.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/postfix.te 2007-12-19 05:38:09.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/postfix.te 2007-12-31 14:18:01.000000000 -0500
|
||||
@@ -6,6 +6,14 @@
|
||||
# Declarations
|
||||
#
|
||||
@ -8758,15 +8913,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
||||
mta_read_aliases(postfix_local_t)
|
||||
mta_delete_spool(postfix_local_t)
|
||||
# For reading spamassasin
|
||||
@@ -285,6 +306,7 @@
|
||||
@@ -285,6 +306,8 @@
|
||||
optional_policy(`
|
||||
# for postalias
|
||||
mailman_manage_data_files(postfix_local_t)
|
||||
+ mailman_append_log(postfix_local_t)
|
||||
+ mailman_read_log(postfix_local_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -295,8 +317,7 @@
|
||||
@@ -295,8 +318,7 @@
|
||||
#
|
||||
# Postfix map local policy
|
||||
#
|
||||
@ -8776,7 +8932,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
||||
allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow postfix_map_t self:unix_dgram_socket create_socket_perms;
|
||||
allow postfix_map_t self:tcp_socket create_stream_socket_perms;
|
||||
@@ -346,8 +367,6 @@
|
||||
@@ -346,8 +368,6 @@
|
||||
|
||||
miscfiles_read_localization(postfix_map_t)
|
||||
|
||||
@ -8785,7 +8941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
||||
tunable_policy(`read_default_t',`
|
||||
files_list_default(postfix_map_t)
|
||||
files_read_default_files(postfix_map_t)
|
||||
@@ -360,6 +379,11 @@
|
||||
@@ -360,6 +380,11 @@
|
||||
locallogin_dontaudit_use_fds(postfix_map_t)
|
||||
')
|
||||
|
||||
@ -8797,7 +8953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
||||
########################################
|
||||
#
|
||||
# Postfix pickup local policy
|
||||
@@ -392,6 +416,10 @@
|
||||
@@ -392,6 +417,10 @@
|
||||
rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -8808,7 +8964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
||||
procmail_domtrans(postfix_pipe_t)
|
||||
')
|
||||
|
||||
@@ -400,6 +428,10 @@
|
||||
@@ -400,6 +429,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -8819,7 +8975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
||||
uucp_domtrans_uux(postfix_pipe_t)
|
||||
')
|
||||
|
||||
@@ -532,9 +564,6 @@
|
||||
@@ -532,9 +565,6 @@
|
||||
# connect to master process
|
||||
stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
|
||||
|
||||
@ -8829,7 +8985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
||||
# for prng_exch
|
||||
allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
|
||||
allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
|
||||
@@ -557,6 +586,10 @@
|
||||
@@ -557,6 +587,10 @@
|
||||
sasl_connect(postfix_smtpd_t)
|
||||
')
|
||||
|
||||
@ -8957,8 +9113,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
|
||||
# Fix pptp sockets
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.2.5/policy/modules/services/ppp.te
|
||||
--- nsaserefpolicy/policy/modules/services/ppp.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/ppp.te 2007-12-19 05:38:09.000000000 -0500
|
||||
@@ -194,6 +194,8 @@
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/ppp.te 2007-12-31 08:54:45.000000000 -0500
|
||||
@@ -162,6 +162,8 @@
|
||||
init_read_utmp(pppd_t)
|
||||
init_dontaudit_write_utmp(pppd_t)
|
||||
|
||||
+auth_use_nsswitch(pppd_t)
|
||||
+
|
||||
libs_use_ld_so(pppd_t)
|
||||
libs_use_shared_libs(pppd_t)
|
||||
|
||||
@@ -194,14 +196,12 @@
|
||||
|
||||
optional_policy(`
|
||||
mta_send_mail(pppd_t)
|
||||
@ -8967,6 +9132,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- nis_use_ypbind(pppd_t)
|
||||
-')
|
||||
-
|
||||
-optional_policy(`
|
||||
- nscd_socket_use(pppd_t)
|
||||
+ NetworkManager_signal(pppd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.if serefpolicy-3.2.5/policy/modules/services/procmail.if
|
||||
--- nsaserefpolicy/policy/modules/services/procmail.if 2007-01-02 12:57:43.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/procmail.if 2007-12-31 15:18:55.000000000 -0500
|
||||
@@ -39,3 +39,22 @@
|
||||
corecmd_search_bin($1)
|
||||
can_exec($1,procmail_exec_t)
|
||||
')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read procmail tmp files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`procmail_read_tmp_files',`
|
||||
+ gen_require(`
|
||||
+ type procmail_tmp_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_tmp($1)
|
||||
+ allow $1 procmail_tmp_t:file read_file_perms;
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.2.5/policy/modules/services/procmail.te
|
||||
--- nsaserefpolicy/policy/modules/services/procmail.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/procmail.te 2007-12-26 18:16:54.000000000 -0500
|
||||
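Review bot: `NetworkManager_signal(pppd_t)` on the replacement line does not match the interface this commit defines, `networkmanager_signal` (networkmanager.if hunk above); m4 macro names are case-sensitive, so the call would be left unexpanded and the module build would fail instead of granting the intended `process signal`. The line should read `networkmanager_signal(pppd_t)`. The enclosing optional_policy block replaces the former nis_use_ypbind and nscd_socket_use blocks, which presumably are now covered by the `auth_use_nsswitch(pppd_t)` added in the previous hunk — worth confirming that interface pulls in both. The new `procmail_read_tmp_files` interface is fine as written: it pairs `files_search_tmp` with read-only `read_file_perms` on procmail_tmp_t.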
@ -9025,7 +9225,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
|
||||
########################################
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.2.5/policy/modules/services/pyzor.te
|
||||
--- nsaserefpolicy/policy/modules/services/pyzor.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/pyzor.te 2007-12-27 11:44:33.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/pyzor.te 2007-12-31 15:19:10.000000000 -0500
|
||||
@@ -28,6 +28,9 @@
|
||||
type pyzor_var_lib_t;
|
||||
files_type(pyzor_var_lib_t)
|
||||
@ -9045,6 +9245,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
|
||||
userdom_dontaudit_search_sysadm_home_dirs(pyzor_t)
|
||||
|
||||
optional_policy(`
|
||||
@@ -76,8 +81,13 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ procmail_read_tmp_files(pyzor_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
spamassassin_signal_spamd(pyzor_t)
|
||||
spamassassin_read_spamd_tmp_files(pyzor_t)
|
||||
+ userdom_read_user_home_content_files(unconfined,pyzor_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.2.5/policy/modules/services/razor.fc
|
||||
--- nsaserefpolicy/policy/modules/services/razor.fc 2007-10-12 08:56:07.000000000 -0400
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/razor.fc 2007-12-19 05:38:09.000000000 -0500
|
||||
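Review bot: `userdom_read_user_home_content_files(unconfined,pyzor_t)` is placed inside the `optional_policy` block that guards the spamassassin interfaces, so it is silently dropped whenever the spamassassin module is absent even though it depends only on userdom; it belongs in its own block or at top level. It is also a broad grant — read access to all unconfined-user home content for pyzor_t — and a why-comment naming the file that needs it, e.g. `# pyzor reads <per-user config file — TODO name it> from the user's home`, would keep the scope auditable. The new `procmail_read_tmp_files(pyzor_t)` block correctly sits in its own optional_policy.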
@ -9991,8 +10205,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.2.5/policy/modules/services/sendmail.te
|
||||
--- nsaserefpolicy/policy/modules/services/sendmail.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/sendmail.te 2007-12-19 05:38:09.000000000 -0500
|
||||
@@ -20,12 +20,16 @@
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/sendmail.te 2007-12-31 15:42:11.000000000 -0500
|
||||
@@ -20,13 +20,17 @@
|
||||
mta_mailserver_delivery(sendmail_t)
|
||||
mta_mailserver_sender(sendmail_t)
|
||||
|
||||
@ -10006,10 +10220,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
|
||||
#
|
||||
|
||||
-allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config };
|
||||
-allow sendmail_t self:process signal;
|
||||
+allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config };
|
||||
allow sendmail_t self:process signal;
|
||||
+allow sendmail_t self:process { signal signull };
|
||||
allow sendmail_t self:fifo_file rw_fifo_file_perms;
|
||||
allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow sendmail_t self:unix_dgram_socket create_socket_perms;
|
||||
@@ -47,6 +51,7 @@
|
||||
kernel_read_kernel_sysctls(sendmail_t)
|
||||
# for piping mail to a command
|
||||
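Review bot: The replacement line `allow sendmail_t self:process { signal signull };` only adds existence probing of its own processes, which is harmless, but the `dac_override` capability on the preceding line (context on the new side, not added by this commit) lets sendmail_t bypass all DAC file-permission checks and carries no comment explaining what access requires it. A one-line why-comment such as `# dac_override: needed for <the path that fails without it — TODO name it>` would keep that grant reviewable.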
@ -12611,7 +12827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
|
||||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.2.5/policy/modules/system/libraries.fc
|
||||
--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-12-12 11:35:28.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/system/libraries.fc 2007-12-27 11:40:35.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/system/libraries.fc 2007-12-31 05:53:37.000000000 -0500
|
||||
@@ -183,6 +183,7 @@
|
||||
/usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -12620,17 +12836,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
|
||||
/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@@ -242,7 +243,8 @@
|
||||
@@ -242,7 +243,7 @@
|
||||
|
||||
# Flash plugin, Macromedia
|
||||
HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
-HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
+HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
+HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@@ -292,6 +294,8 @@
|
||||
@@ -292,6 +293,8 @@
|
||||
#
|
||||
# /var
|
||||
#
|
||||
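Review bot: `HOME_DIR/.*/plugins/nppdf\.so` labels a file at any user-chosen path ending in `plugins/nppdf.so` under a home directory as textrel_shlib_t, the type that is exempted from the text-relocation (execmod) restriction; the duplicate libflashplayer entry this commit removes used the same broad form, while the surviving libflashplayer line above anchors to `\.mozilla`. Unless nppdf.so legitimately lives outside the browser plugin tree, narrowing it to `HOME_DIR/\.mozilla(/.*)?/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)` keeps the exemption from applying to arbitrary user files. The same pattern shape appears on the nprhapengine line, though that line is not changed by this commit.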
@ -12639,7 +12854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
|
||||
/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
|
||||
|
||||
@@ -304,3 +308,4 @@
|
||||
@@ -304,3 +307,4 @@
|
||||
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
|
||||
|