- Cleanups from dgrift
parent
f2eafbf4b7
commit
e2f53dfaec
@ -2019,7 +2019,7 @@ cgroup = module
|
||||
# Layer: services
|
||||
# Module: denyhosts
|
||||
#
|
||||
# script to help thwart ssh server attacks
|
||||
# script to help thwart ssh server attacks
|
||||
#
|
||||
denyhosts = module
|
||||
|
||||
|
@ -2019,7 +2019,7 @@ cgroup = module
|
||||
# Layer: services
|
||||
# Module: denyhosts
|
||||
#
|
||||
# script to help thwart ssh server attacks
|
||||
# script to help thwart ssh server attacks
|
||||
#
|
||||
denyhosts = module
|
||||
|
||||
|
@ -6274,7 +6274,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.5/policy/modules/kernel/domain.te
|
||||
--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-08-14 16:14:31.000000000 -0400
|
||||
+++ serefpolicy-3.7.5/policy/modules/kernel/domain.te 2009-12-21 13:07:09.000000000 -0500
|
||||
+++ serefpolicy-3.7.5/policy/modules/kernel/domain.te 2009-12-23 07:50:49.000000000 -0500
|
||||
@@ -5,6 +5,13 @@
|
||||
#
|
||||
# Declarations
|
||||
@ -6969,7 +6969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
|
||||
#
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.5/policy/modules/kernel/filesystem.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-11-25 11:47:19.000000000 -0500
|
||||
+++ serefpolicy-3.7.5/policy/modules/kernel/filesystem.if 2009-12-22 10:30:40.000000000 -0500
|
||||
+++ serefpolicy-3.7.5/policy/modules/kernel/filesystem.if 2009-12-23 07:46:46.000000000 -0500
|
||||
@@ -906,7 +906,7 @@
|
||||
type cifs_t;
|
||||
')
|
||||
@ -7014,33 +7014,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
|
||||
#########################################
|
||||
## <summary>
|
||||
## Read named sockets on a NFS filesystem.
|
||||
@@ -4181,3 +4200,216 @@
|
||||
@@ -4181,3 +4200,175 @@
|
||||
relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
|
||||
relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
|
||||
')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Search dirs on cgroup
|
||||
+## file systems.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`fs_search_cgroup_dirs', `
|
||||
+ gen_require(`
|
||||
+ type cgroup_t;
|
||||
+
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 cgroup_t:dir search;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## list dirs on cgroup
|
||||
+## file systems.
|
||||
+## </summary>
|
||||
@ -7080,25 +7060,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## create dirs on cgroup
|
||||
+## file systems.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`fs_create_cgroup_dirs', `
|
||||
+ gen_require(`
|
||||
+ type cgroup_t;
|
||||
+ ')
|
||||
+
|
||||
+ create_dirs_pattern($1, cgroup_t, cgroup_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Manage dirs on cgroup file systems.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
@ -7207,7 +7168,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
|
||||
+ ')
|
||||
+
|
||||
+ setattr_files_pattern($1, cgroup_t, cgroup_t)
|
||||
+ fs_search_cgroup_dirs($1)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
@ -7228,7 +7188,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
|
||||
+ ')
|
||||
+
|
||||
+ write_files_pattern($1, cgroup_t, cgroup_t)
|
||||
+ fs_search_cgroup_dirs($1)
|
||||
+')
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.5/policy/modules/kernel/filesystem.te
|
||||
@ -9716,7 +9675,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
|
||||
## All of the rules required to administrate
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.5/policy/modules/services/abrt.te
|
||||
--- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400
|
||||
+++ serefpolicy-3.7.5/policy/modules/services/abrt.te 2009-12-22 08:42:16.000000000 -0500
|
||||
+++ serefpolicy-3.7.5/policy/modules/services/abrt.te 2009-12-23 07:13:38.000000000 -0500
|
||||
@@ -33,12 +33,24 @@
|
||||
type abrt_var_run_t;
|
||||
files_pid_file(abrt_var_run_t)
|
||||
@ -9764,7 +9723,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
|
||||
files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
|
||||
|
||||
kernel_read_ring_buffer(abrt_t)
|
||||
@@ -75,18 +90,34 @@
|
||||
@@ -75,18 +90,35 @@
|
||||
|
||||
corecmd_exec_bin(abrt_t)
|
||||
corecmd_exec_shell(abrt_t)
|
||||
@ -9795,11 +9754,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
|
||||
fs_getattr_all_fs(abrt_t)
|
||||
fs_getattr_all_dirs(abrt_t)
|
||||
+fs_read_fusefs_files(abrt_t)
|
||||
+fs_read_nfs_files(abrt_t)
|
||||
+fs_search_all(abrt_t)
|
||||
|
||||
sysnet_read_config(abrt_t)
|
||||
|
||||
@@ -96,22 +127,92 @@
|
||||
@@ -96,22 +128,92 @@
|
||||
miscfiles_read_certs(abrt_t)
|
||||
miscfiles_read_localization(abrt_t)
|
||||
|
||||
@ -14634,8 +14594,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
|
||||
+/var/log/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_log_t, s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.if serefpolicy-3.7.5/policy/modules/services/denyhosts.if
|
||||
--- nsaserefpolicy/policy/modules/services/denyhosts.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.7.5/policy/modules/services/denyhosts.if 2009-12-22 17:05:58.000000000 -0500
|
||||
@@ -0,0 +1,91 @@
|
||||
+++ serefpolicy-3.7.5/policy/modules/services/denyhosts.if 2009-12-23 07:48:54.000000000 -0500
|
||||
@@ -0,0 +1,90 @@
|
||||
+## <summary>Deny Hosts.</summary>
|
||||
+## <desc>
|
||||
+## <p>
|
||||
@ -14666,7 +14626,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute ksmtuned server in the ksmtuned domain.
|
||||
+## Execute denyhost server in the denyhost domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
@ -14708,8 +14668,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
|
||||
+ allow $1 denyhosts_t:process { ptrace signal_perms getattr };
|
||||
+ read_files_pattern($1, denyhosts_t, denyhosts_t)
|
||||
+
|
||||
+ files_list_pids($1)
|
||||
+ admin_pattern($1, denyhosts_var_run_t)
|
||||
+ admin_pattern($1, denyhosts_var_lib_t)
|
||||
+
|
||||
+ logging_search_logs($1)
|
||||
+ admin_pattern($1, denyhosts_var_log_t)
|
||||
@ -14729,8 +14688,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.7.5/policy/modules/services/denyhosts.te
|
||||
--- nsaserefpolicy/policy/modules/services/denyhosts.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.7.5/policy/modules/services/denyhosts.te 2009-12-22 10:34:58.000000000 -0500
|
||||
@@ -0,0 +1,71 @@
|
||||
+++ serefpolicy-3.7.5/policy/modules/services/denyhosts.te 2009-12-23 07:47:53.000000000 -0500
|
||||
@@ -0,0 +1,72 @@
|
||||
+
|
||||
+policy_module(denyhosts, 1.0.0)
|
||||
+
|
||||
@ -14798,6 +14757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
|
||||
+miscfiles_read_localization(denyhosts_t)
|
||||
+
|
||||
+sysnet_manage_config(denyhosts_t)
|
||||
+sysnet_etc_filetrans_config(denyhosts_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ cron_system_entry(denyhosts_t, denyhosts_exec_t)
|
||||
@ -16182,13 +16142,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
|
||||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.7.5/policy/modules/services/ksmtuned.fc
|
||||
--- nsaserefpolicy/policy/modules/services/ksmtuned.fc 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.7.5/policy/modules/services/ksmtuned.fc 2009-12-21 13:07:09.000000000 -0500
|
||||
+++ serefpolicy-3.7.5/policy/modules/services/ksmtuned.fc 2009-12-23 07:41:58.000000000 -0500
|
||||
@@ -0,0 +1,5 @@
|
||||
+/etc/rc\.d/init\.d/ksmtuned -- gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0)
|
||||
+
|
||||
+/usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0)
|
||||
+
|
||||
+/var/run/ksmtune\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
|
||||
+/var/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.if serefpolicy-3.7.5/policy/modules/services/ksmtuned.if
|
||||
--- nsaserefpolicy/policy/modules/services/ksmtuned.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.7.5/policy/modules/services/ksmtuned.if 2009-12-21 13:07:09.000000000 -0500
|
||||
@ -28985,7 +28945,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.
|
||||
+permissive kdump_t;
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.5/policy/modules/system/libraries.fc
|
||||
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400
|
||||
+++ serefpolicy-3.7.5/policy/modules/system/libraries.fc 2009-12-22 08:51:29.000000000 -0500
|
||||
+++ serefpolicy-3.7.5/policy/modules/system/libraries.fc 2009-12-23 07:33:05.000000000 -0500
|
||||
@@ -60,12 +60,15 @@
|
||||
#
|
||||
# /opt
|
||||
@ -29201,7 +29161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
|
||||
') dnl end distro_redhat
|
||||
|
||||
#
|
||||
@@ -307,10 +316,111 @@
|
||||
@@ -307,10 +316,114 @@
|
||||
|
||||
/var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0)
|
||||
|
||||
@ -29313,6 +29273,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
|
||||
+/opt/VirtualBox(/.*)?/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
+
|
||||
+/usr/lib(64)?/chromium-browser/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
+/usr/local/zend/lib/apache2/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
+
|
||||
+/usr/lib(64)?/python.*/site-packages/pymedia/muxer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.7.5/policy/modules/system/libraries.if
|
||||
--- nsaserefpolicy/policy/modules/system/libraries.if 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.7.5/policy/modules/system/libraries.if 2009-12-21 13:07:09.000000000 -0500
|
||||
|
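Review bot: In the denyhosts.te hunk, `sysnet_etc_filetrans_config(denyhosts_t)` sits next to `sysnet_manage_config(denyhosts_t)` with no comment saying which file denyhosts actually has to write. As those interfaces are defined in the sysnetwork module (not shown on this page), the pair lets denyhosts_t manage every file carrying the shared network-configuration label and gives files it creates in /etc that same label. That is wider than a daemon which presumably parses remotely influenced ssh log data should hold without a stated reason. I would add a line above the pair such as `# denyhosts rewrites its deny list, which shares the network config label`, and consider a dedicated type for that file in a follow-up. Which of the two lines is new is inferred from the hunk counts (6 to 7 lines), since the +/- column is lost in this rendering.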
@ -20,7 +20,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.7.5
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -449,6 +449,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Dec 23 2009 Dan Walsh <dwalsh@redhat.com> 3.7.5-4
|
||||
- Cleanups from dgrift
|
||||
|
||||
* Tue Dec 22 2009 Dan Walsh <dwalsh@redhat.com> 3.7.5-3
|
||||
- Add back xserver_manage_home_fonts
|
||||
|
||||
|