- Cleanups from dgrift

Daniel J Walsh 2009-12-23 13:02:27 +00:00
parent f2eafbf4b7
commit e2f53dfaec
4 changed files with 27 additions and 61 deletions


@ -2019,7 +2019,7 @@ cgroup = module
# Layer: services
# Module: denyhosts
#
# script to help thwart ssh server attacks
# script to help thwart ssh server attacks
#
denyhosts = module


@ -2019,7 +2019,7 @@ cgroup = module
# Layer: services
# Module: denyhosts
#
# script to help thwart ssh server attacks
# script to help thwart ssh server attacks
#
denyhosts = module


@ -6274,7 +6274,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.5/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/kernel/domain.te 2009-12-21 13:07:09.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/kernel/domain.te 2009-12-23 07:50:49.000000000 -0500
@@ -5,6 +5,13 @@
#
# Declarations
@ -6969,7 +6969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.5/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-11-25 11:47:19.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/kernel/filesystem.if 2009-12-22 10:30:40.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/kernel/filesystem.if 2009-12-23 07:46:46.000000000 -0500
@@ -906,7 +906,7 @@
type cifs_t;
')
@ -7014,33 +7014,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
#########################################
## <summary>
## Read named sockets on a NFS filesystem.
@@ -4181,3 +4200,216 @@
@@ -4181,3 +4200,175 @@
relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
')
+
+########################################
+## <summary>
+## Search dirs on cgroup
+## file systems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_search_cgroup_dirs', `
+ gen_require(`
+ type cgroup_t;
+
+ ')
+
+ allow $1 cgroup_t:dir search;
+')
+
+########################################
+## <summary>
+## list dirs on cgroup
+## file systems.
+## </summary>
@ -7080,25 +7060,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
+
+########################################
+## <summary>
+## create dirs on cgroup
+## file systems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_create_cgroup_dirs', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ create_dirs_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+## <summary>
+## Manage dirs on cgroup file systems.
+## </summary>
+## <param name="domain">
@ -7207,7 +7168,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
+ ')
+
+ setattr_files_pattern($1, cgroup_t, cgroup_t)
+ fs_search_cgroup_dirs($1)
+')
+
+########################################
@ -7228,7 +7188,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
+ ')
+
+ write_files_pattern($1, cgroup_t, cgroup_t)
+ fs_search_cgroup_dirs($1)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.5/policy/modules/kernel/filesystem.te
@ -9716,7 +9675,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
## All of the rules required to administrate
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.5/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/abrt.te 2009-12-22 08:42:16.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/abrt.te 2009-12-23 07:13:38.000000000 -0500
@@ -33,12 +33,24 @@
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)
@ -9764,7 +9723,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
kernel_read_ring_buffer(abrt_t)
@@ -75,18 +90,34 @@
@@ -75,18 +90,35 @@
corecmd_exec_bin(abrt_t)
corecmd_exec_shell(abrt_t)
@ -9795,11 +9754,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
fs_getattr_all_fs(abrt_t)
fs_getattr_all_dirs(abrt_t)
+fs_read_fusefs_files(abrt_t)
+fs_read_nfs_files(abrt_t)
+fs_search_all(abrt_t)
sysnet_read_config(abrt_t)
@@ -96,22 +127,92 @@
@@ -96,22 +128,92 @@
miscfiles_read_certs(abrt_t)
miscfiles_read_localization(abrt_t)
@ -14634,8 +14594,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
+/var/log/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_log_t, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.if serefpolicy-3.7.5/policy/modules/services/denyhosts.if
--- nsaserefpolicy/policy/modules/services/denyhosts.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/denyhosts.if 2009-12-22 17:05:58.000000000 -0500
@@ -0,0 +1,91 @@
+++ serefpolicy-3.7.5/policy/modules/services/denyhosts.if 2009-12-23 07:48:54.000000000 -0500
@@ -0,0 +1,90 @@
+## <summary>Deny Hosts.</summary>
+## <desc>
+## <p>
@ -14666,7 +14626,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
+
+########################################
+## <summary>
+## Execute ksmtuned server in the ksmtuned domain.
+## Execute denyhost server in the denyhost domain.
+## </summary>
+## <param name="domain">
+## <summary>
@ -14708,8 +14668,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
+ allow $1 denyhosts_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, denyhosts_t, denyhosts_t)
+
+ files_list_pids($1)
+ admin_pattern($1, denyhosts_var_run_t)
+ admin_pattern($1, denyhosts_var_lib_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, denyhosts_var_log_t)
@ -14729,8 +14688,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.7.5/policy/modules/services/denyhosts.te
--- nsaserefpolicy/policy/modules/services/denyhosts.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/denyhosts.te 2009-12-22 10:34:58.000000000 -0500
@@ -0,0 +1,71 @@
+++ serefpolicy-3.7.5/policy/modules/services/denyhosts.te 2009-12-23 07:47:53.000000000 -0500
@@ -0,0 +1,72 @@
+
+policy_module(denyhosts, 1.0.0)
+
@ -14798,6 +14757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
+miscfiles_read_localization(denyhosts_t)
+
+sysnet_manage_config(denyhosts_t)
+sysnet_etc_filetrans_config(denyhosts_t)
+
+optional_policy(`
+ cron_system_entry(denyhosts_t, denyhosts_exec_t)
@ -16182,13 +16142,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.7.5/policy/modules/services/ksmtuned.fc
--- nsaserefpolicy/policy/modules/services/ksmtuned.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/ksmtuned.fc 2009-12-21 13:07:09.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/ksmtuned.fc 2009-12-23 07:41:58.000000000 -0500
@@ -0,0 +1,5 @@
+/etc/rc\.d/init\.d/ksmtuned -- gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0)
+
+/usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0)
+
+/var/run/ksmtune\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
+/var/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.if serefpolicy-3.7.5/policy/modules/services/ksmtuned.if
--- nsaserefpolicy/policy/modules/services/ksmtuned.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/ksmtuned.if 2009-12-21 13:07:09.000000000 -0500
@ -28985,7 +28945,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.
+permissive kdump_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.5/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/system/libraries.fc 2009-12-22 08:51:29.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/system/libraries.fc 2009-12-23 07:33:05.000000000 -0500
@@ -60,12 +60,15 @@
#
# /opt
@ -29201,7 +29161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
') dnl end distro_redhat
#
@@ -307,10 +316,111 @@
@@ -307,10 +316,114 @@
/var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0)
@ -29313,6 +29273,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
+/opt/VirtualBox(/.*)?/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/chromium-browser/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/zend/lib/apache2/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/python.*/site-packages/pymedia/muxer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.7.5/policy/modules/system/libraries.if
--- nsaserefpolicy/policy/modules/system/libraries.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/system/libraries.if 2009-12-21 13:07:09.000000000 -0500
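Review bot: The libraries.fc entries for `/usr/local/zend/lib/apache2/libphp5\.so` and `/usr/lib(64)?/python.*/site-packages/pymedia/muxer\.so` are labelled `textrel_shlib_t` with no comment recording why the exception is needed. That label lets domains that load shared libraries apply text relocations (`execmod`) to the file, and libphp5.so is, by its path, an Apache module loaded into a network-facing daemon, so it relaxes memory protection in an exposed process. That these are the lines this change adds is inferred from the hunk counts (6 lines become 9), because the page has lost its `+`/`-` column. I would put a comment above each entry naming the package and the report that required it, for example `# <package placeholder>: text relocations required, see <bug id placeholder>`, so the entry can be removed once the library is built position-independent.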


@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.5
Release: 3%{?dist}
Release: 4%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -449,6 +449,9 @@ exit 0
%endif
%changelog
* Wed Dec 23 2009 Dan Walsh <dwalsh@redhat.com> 3.7.5-4
- Cleanups from dgrift
* Tue Dec 22 2009 Dan Walsh <dwalsh@redhat.com> 3.7.5-3
- Add back xserver_manage_home_fonts