- Update an readd modules
This commit is contained in:
parent
7f9951d4d3
commit
e8b5993e52
@ -124,3 +124,4 @@ serefpolicy-3.0.3.tgz
serefpolicy-3.0.4.tgz
serefpolicy-3.0.5.tgz
serefpolicy-3.0.6.tgz
serefpolicy-3.0.7.tgz
@ -1298,10 +1298,17 @@ usernetctl = module
# Layer: system
# Module: xen
#
# TCP/IP encryption
# virtualization software
#
xen = base
# Layer: system
# Module: virt
#
# Virtualization libraries
#
virt = base
# Layer: system
# Module: brctl
#
@ -313,7 +313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc
+/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.0.6/policy/modules/admin/alsa.te
--- nsaserefpolicy/policy/modules/admin/alsa.te 2007-07-25 10:37:43.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/admin/alsa.te 2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/admin/alsa.te 2007-08-24 16:06:03.000000000 -0400
@@ -19,20 +19,24 @@
# Local policy
#
@ -342,7 +342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te
libs_use_ld_so(alsa_t)
libs_use_shared_libs(alsa_t)
@@ -43,7 +47,14 @@
@@ -43,7 +47,13 @@
userdom_manage_unpriv_user_semaphores(alsa_t)
userdom_manage_unpriv_user_shared_mem(alsa_t)
@ -356,7 +356,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te
+ hal_use_fds(alsa_t)
+ hal_write_log(alsa_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.0.6/policy/modules/admin/anaconda.te
--- nsaserefpolicy/policy/modules/admin/anaconda.te 2007-05-29 14:10:59.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/admin/anaconda.te 2007-08-22 08:03:53.000000000 -0400
@ -389,6 +388,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloa
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.if serefpolicy-3.0.6/policy/modules/admin/certwatch.if
--- nsaserefpolicy/policy/modules/admin/certwatch.if 2007-05-29 14:10:59.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/admin/certwatch.if 2007-08-25 06:42:08.000000000 -0400
@@ -44,7 +44,7 @@
## </param>
## <rolecap/>
#
-interface(`certwatach_run',`
+interface(`certwatch_run',`
gen_require(`
type certwatch_t;
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.0.6/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2007-08-22 07:14:14.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/admin/consoletype.te 2007-08-22 08:03:53.000000000 -0400
@ -1213,7 +1224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.0.6/policy/modules/admin/vbetool.te
--- nsaserefpolicy/policy/modules/admin/vbetool.te 2007-05-29 14:10:59.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/admin/vbetool.te 2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/admin/vbetool.te 2007-08-24 16:33:17.000000000 -0400
@@ -32,4 +32,5 @@
optional_policy(`
@ -1500,6 +1511,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te
-
type gconfd_exec_t;
application_executable_file(gconfd_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.0.6/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2007-05-29 14:10:48.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/apps/java.fc 2007-08-27 09:51:03.000000000 -0400
@@ -11,6 +11,7 @@
#
/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/lib(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/eclipse/eclipse -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.0.6/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2007-08-02 08:17:26.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/apps/java.if 2007-08-22 08:03:53.000000000 -0400
@ -2567,7 +2589,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.6/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-07-03 07:05:38.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/kernel/files.if 2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/kernel/files.if 2007-08-27 09:57:19.000000000 -0400
@@ -343,8 +343,7 @@
########################################
@ -2652,10 +2674,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## List the contents of the root directory.
## </summary>
## <param name="domain">
@@ -3323,6 +3359,24 @@
@@ -3323,6 +3359,42 @@
########################################
## <summary>
+## dontaudit Add and remove entries from /usr directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_rw_usr_dirs',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ dontaudit $1 usr_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete files in the /usr directory.
+## </summary>
+## <param name="domain">
@ -2677,7 +2717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Get the attributes of files in /usr.
## </summary>
## <param name="domain">
@@ -3381,7 +3435,7 @@
@@ -3381,7 +3453,7 @@
########################################
## <summary>
@ -2686,7 +2726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## </summary>
## <param name="domain">
## <summary>
@@ -3389,17 +3443,17 @@
@@ -3389,17 +3461,17 @@
## </summary>
## </param>
#
@ -2707,7 +2747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## </summary>
## <param name="domain">
## <summary>
@@ -3407,12 +3461,12 @@
@@ -3407,12 +3479,12 @@
## </summary>
## </param>
#
@ -2722,7 +2762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
@@ -4043,7 +4097,7 @@
@@ -4043,7 +4115,7 @@
type var_t, var_lock_t;
')
@ -2731,7 +2771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
@@ -4560,6 +4614,8 @@
@@ -4560,6 +4632,8 @@
# Need to give access to /selinux/member
selinux_compute_member($1)
@ -2740,7 +2780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
# Need sys_admin capability for mounting
allow $1 self:capability { chown fsetid sys_admin };
@@ -4582,6 +4638,11 @@
@@ -4582,6 +4656,11 @@
# Default type for mountpoints
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
@ -2752,7 +2792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
@@ -4619,3 +4680,28 @@
@@ -4619,3 +4698,28 @@
allow $1 { file_type -security_file_type }:dir manage_dir_perms;
')
@ -2903,6 +2943,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
+ rw_files_pattern($1,anon_inodefs_t,anon_inodefs_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.6/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-08-22 07:14:06.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/kernel/filesystem.te 2007-08-27 09:16:03.000000000 -0400
@@ -80,6 +80,7 @@
type fusefs_t;
fs_noxattr_type(fusefs_t)
allow fusefs_t self:filesystem associate;
+allow fusefs_t fs_t:filesystem associate;
genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.6/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-08-22 07:14:06.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/kernel/kernel.if 2007-08-22 08:03:53.000000000 -0400
@ -3385,7 +3436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.6/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-08-22 07:14:07.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/services/apache.te 2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/services/apache.te 2007-08-27 17:32:31.000000000 -0400
@@ -30,6 +30,13 @@
## <desc>
@ -3466,7 +3517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
# for apache2 memory mapped files
type httpd_var_lib_t;
files_type(httpd_var_lib_t)
@@ -202,7 +245,7 @@
@@ -202,9 +245,11 @@
# Apache server local policy
#
@ -3474,8 +3525,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
dontaudit httpd_t self:capability { net_admin sys_tty_config };
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+dontaudit httpd_t self:process setfscreate;
+
allow httpd_t self:fd use;
@@ -244,6 +287,7 @@
allow httpd_t self:sock_file read_sock_file_perms;
allow httpd_t self:fifo_file rw_fifo_file_perms;
@@ -244,6 +289,7 @@
allow httpd_t httpd_modules_t:dir list_dir_perms;
mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
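Review bot: `sys_tty_config` is listed both in `allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };` and in the `dontaudit httpd_t self:capability { net_admin sys_tty_config };` line directly below it, and a dontaudit on a permission that is already allowed has no effect; since this hunk edits the same block (the new `dontaudit httpd_t self:process setfscreate;` is consistent, because setfscreate is excluded from the `~{ … }` allow above it), dropping the capability from the allow set unless httpd really needs it would make the two rules agree: `allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice };`. Both capability lines are context in this hunk, so the overlap may predate the commit. `dac_override` in the same set bypasses file-mode checks for a network-facing daemon wherever the type rules already allow access, and deserves a comment naming the access that requires it. The httpd_t local policy section continues outside this hunk.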
@ -3483,7 +3538,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
apache_domtrans_rotatelogs(httpd_t)
# Apache-httpd needs to be able to send signals to the log rotate procs.
@@ -284,6 +328,7 @@
@@ -284,6 +330,7 @@
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@ -3491,7 +3546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
@@ -330,6 +375,9 @@
@@ -330,6 +377,9 @@
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@ -3501,7 +3556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
libs_use_ld_so(httpd_t)
libs_use_shared_libs(httpd_t)
@@ -348,7 +396,9 @@
@@ -348,7 +398,9 @@
userdom_use_unpriv_users_fds(httpd_t)
@ -3512,7 +3567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`allow_httpd_anon_write',`
miscfiles_manage_public_files(httpd_t)
@@ -360,6 +410,7 @@
@@ -360,6 +412,7 @@
#
tunable_policy(`allow_httpd_mod_auth_pam',`
auth_domtrans_chk_passwd(httpd_t)
@ -3520,7 +3575,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
')
@@ -367,6 +418,16 @@
@@ -367,6 +420,16 @@
corenet_tcp_connect_all_ports(httpd_t)
')
@ -3537,7 +3592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_can_network_connect_db',`
# allow httpd to connect to mysql/posgresql
corenet_tcp_connect_postgresql_port(httpd_t)
@@ -387,6 +448,17 @@
@@ -387,6 +450,17 @@
corenet_sendrecv_http_cache_client_packets(httpd_t)
')
@ -3555,7 +3610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@@ -404,11 +476,21 @@
@@ -404,11 +478,21 @@
fs_read_nfs_symlinks(httpd_t)
')
@ -3577,7 +3632,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
@@ -430,6 +512,12 @@
@@ -430,6 +514,12 @@
')
optional_policy(`
@ -3590,7 +3645,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
calamaris_read_www_files(httpd_t)
')
@@ -461,7 +549,6 @@
@@ -442,6 +532,13 @@
')
optional_policy(`
+ dbus_system_bus_client_template(httpd,httpd_t)
+ dbus_send_system_bus(httpd_t)
+ tunable_policy(`allow_httpd_dbus_avahi',`
+ avahi_dbus_chat(httpd_t)
+ ')
+')
+optional_policy(`
kerberos_use(httpd_t)
kerberos_read_kdc_config(httpd_t)
')
@@ -461,7 +558,6 @@
optional_policy(`
nagios_read_config(httpd_t)
@ -3598,7 +3667,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
@@ -512,10 +599,16 @@
@@ -481,6 +577,7 @@
')
optional_policy(`
+ files_dontaudit_rw_usr_dirs(httpd_t)
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
@@ -512,10 +609,16 @@
tunable_policy(`httpd_tty_comm',`
# cjp: this is redundant:
term_use_controlling_term(httpd_helper_t)
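Review bot: The added `files_dontaudit_rw_usr_dirs(httpd_t)` sits inside the `optional_policy(` block that holds the two snmp dontaudit rules, so it is only compiled in when the snmp module is present, although the interface comes from the files module (it is defined in the files.if part of this same commit) and does not depend on snmp. If the /usr directory writes are only observed together with net-snmp, a comment such as `# <why httpd_t touches /usr dirs only when snmp is loaded>` above the call would make the placement deliberate; otherwise the call belongs outside the block, at the top level of the httpd_t policy. The block is part of the inner hunk `@@ -481,6 +577,7 @@`, and the surrounding httpd_t section continues outside this hunk.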
@ -3616,7 +3693,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache PHP script local policy
@@ -567,7 +660,6 @@
@@ -567,7 +670,6 @@
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
@ -3624,7 +3701,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
@@ -581,6 +673,10 @@
@@ -581,6 +683,10 @@
manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@ -3635,7 +3712,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
@@ -606,6 +702,10 @@
@@ -606,6 +712,10 @@
miscfiles_read_localization(httpd_suexec_t)
@ -3646,7 +3723,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_can_network_connect',`
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
allow httpd_suexec_t self:udp_socket create_socket_perms;
@@ -620,10 +720,13 @@
@@ -620,10 +730,13 @@
corenet_udp_sendrecv_all_ports(httpd_suexec_t)
corenet_tcp_connect_all_ports(httpd_suexec_t)
corenet_sendrecv_all_client_packets(httpd_suexec_t)
@ -3661,7 +3738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_cgi && httpd_unified',`
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
')
@@ -634,6 +737,12 @@
@@ -634,6 +747,12 @@
fs_exec_nfs_files(httpd_suexec_t)
')
@ -3674,7 +3751,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
@@ -651,18 +760,6 @@
@@ -651,18 +770,6 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@ -3693,7 +3770,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache system script local policy
@@ -672,7 +769,8 @@
@@ -672,7 +779,8 @@
dontaudit httpd_sys_script_t httpd_config_t:dir search;
@ -3703,7 +3780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
@@ -686,15 +784,66 @@
@@ -686,15 +794,66 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@ -3719,15 +3796,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+')
+
+tunable_policy(`httpd_use_nfs', `
fs_read_nfs_files(httpd_sys_script_t)
fs_read_nfs_symlinks(httpd_sys_script_t)
')
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
+ fs_read_nfs_files(httpd_sys_script_t)
+ fs_read_nfs_symlinks(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
fs_read_nfs_files(httpd_sys_script_t)
fs_read_nfs_symlinks(httpd_sys_script_t)
')
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
@ -3771,7 +3848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
@@ -711,6 +860,19 @@
@@ -711,6 +870,19 @@
########################################
#
@ -3791,7 +3868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
# httpd_rotatelogs local policy
#
@@ -728,3 +890,27 @@
@@ -728,3 +900,20 @@
logging_search_logs(httpd_rotatelogs_t)
miscfiles_read_localization(httpd_rotatelogs_t)
@ -3802,6 +3879,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+
+files_search_var_lib(httpd_bugzilla_script_t)
+
+mta_send_mail(httpd_bugzilla_script_t)
+
+optional_policy(`
+ mysql_search_db(httpd_bugzilla_script_t)
+ mysql_stream_connect(httpd_bugzilla_script_t)
@ -3810,15 +3889,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+optional_policy(`
+ postgresql_stream_connect(httpd_bugzilla_script_t)
+')
+
+
+optional_policy(`
+ dbus_system_bus_client_template(httpd,httpd_t)
+ dbus_send_system_bus(httpd_t)
+ tunable_policy(`allow_httpd_dbus_avahi',`
+ avahi_dbus_chat(httpd_t)
+ ')
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-3.0.6/policy/modules/services/apcupsd.fc
--- nsaserefpolicy/policy/modules/services/apcupsd.fc 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/services/apcupsd.fc 2007-08-22 08:03:53.000000000 -0400
@ -5028,6 +5098,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.0.6/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/services/dnsmasq.te 2007-08-27 10:56:52.000000000 -0400
@@ -94,3 +94,8 @@
optional_policy(`
udev_read_db(dnsmasq_t)
')
+
+optional_policy(`
+ virt_read_lib_files(dnsmasq_t)
+ virt_append_lib_files(dnsmasq_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.0.6/policy/modules/services/dovecot.fc
--- nsaserefpolicy/policy/modules/services/dovecot.fc 2007-05-29 14:10:57.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/services/dovecot.fc 2007-08-22 08:03:53.000000000 -0400
@ -6255,7 +6337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.0.6/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/services/ntp.te 2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/services/ntp.te 2007-08-24 16:30:03.000000000 -0400
@@ -25,6 +25,12 @@
type ntpdate_exec_t;
init_system_domain(ntpd_t,ntpdate_exec_t)
@ -6304,7 +6386,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
userdom_list_sysadm_home_dirs(ntpd_t)
userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)
@@ -126,9 +139,14 @@
@@ -122,6 +135,10 @@
')
optional_policy(`
@ -6312,9 +6394,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
+')
+
+optional_policy(`
seutil_sigchld_newrole(ntpd_t)
logrotate_exec(ntpd_t)
')
@@ -132,3 +149,4 @@
optional_policy(`
udev_read_db(ntpd_t)
')
@ -7822,7 +7905,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.te serefpolicy-3.0.6/policy/modules/services/soundserver.te
--- nsaserefpolicy/policy/modules/services/soundserver.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/services/soundserver.te 2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/services/soundserver.te 2007-08-24 16:10:39.000000000 -0400
@@ -10,9 +10,6 @@
type soundd_exec_t;
init_daemon_domain(soundd_t,soundd_exec_t)
@ -7833,7 +7916,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
type soundd_state_t;
files_type(soundd_state_t)
@@ -28,20 +25,28 @@
@@ -28,20 +25,24 @@
########################################
#
@ -7852,10 +7935,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
+allow soundd_t self:capability { dac_override };
+
+fs_getattr_all_fs(soundd_t)
+
+optional_policy(`
+ alsa_domtrans(soundd_t)
+')
+
# for yiff
allow soundd_t self:shm create_shm_perms;
@ -7867,7 +7946,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
manage_files_pattern(soundd_t,soundd_state_t,soundd_state_t)
manage_lnk_files_pattern(soundd_t,soundd_state_t,soundd_state_t)
@@ -55,8 +60,10 @@
@@ -55,8 +56,10 @@
manage_sock_files_pattern(soundd_t,soundd_tmpfs_t,soundd_tmpfs_t)
fs_tmpfs_filetrans(soundd_t,soundd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
@ -7879,6 +7958,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
kernel_read_kernel_sysctls(soundd_t)
kernel_list_proc(soundd_t)
@@ -99,6 +102,10 @@
userdom_dontaudit_search_sysadm_home_dirs(soundd_t)
optional_policy(`
+ alsa_domtrans(soundd_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(soundd_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.0.6/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2007-06-11 16:05:30.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/services/spamassassin.fc 2007-08-22 08:03:53.000000000 -0400
@ -9189,8 +9279,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.te serefpolicy-3.0.6/policy/modules/system/brctl.te
--- nsaserefpolicy/policy/modules/system/brctl.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.6/policy/modules/system/brctl.te 2007-08-22 08:03:53.000000000 -0400
@@ -0,0 +1,50 @@
+++ serefpolicy-3.0.6/policy/modules/system/brctl.te 2007-08-27 10:44:36.000000000 -0400
@@ -0,0 +1,51 @@
+policy_module(brctl,1.0.0)
+
+########################################
@ -9213,6 +9303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.
+allow brctl_t self:tcp_socket create_socket_perms;
+allow brctl_t self:unix_dgram_socket create_socket_perms;
+
+dev_write_sysfs_dirs(brctl_t)
+dev_rw_sysfs(brctl_t)
+
+# Init script handling
@ -9409,7 +9500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fuserm
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.0.6/policy/modules/system/getty.te
--- nsaserefpolicy/policy/modules/system/getty.te 2007-08-22 07:14:13.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/getty.te 2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/getty.te 2007-08-27 10:45:03.000000000 -0400
@@ -33,7 +33,8 @@
#
@ -9803,7 +9894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.0.6/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2007-08-22 07:14:11.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/iptables.te 2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/iptables.te 2007-08-27 10:45:25.000000000 -0400
@@ -44,6 +44,8 @@
corenet_relabelto_all_packets(iptables_t)
@ -9821,20 +9912,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
libs_use_ld_so(iptables_t)
libs_use_shared_libs(iptables_t)
@@ -96,10 +99,6 @@
@@ -96,11 +99,11 @@
')
optional_policy(`
- nscd_socket_use(iptables_t)
-')
-
-optional_policy(`
ppp_dontaudit_use_fds(iptables_t)
+ ppp_dontaudit_use_fds(iptables_t)
')
optional_policy(`
- ppp_dontaudit_use_fds(iptables_t)
+ rhgb_dontaudit_use_ptys(iptables_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.0.6/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-08-02 08:17:28.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/libraries.fc 2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/libraries.fc 2007-08-27 10:58:43.000000000 -0400
@@ -65,11 +65,12 @@
/opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -9867,7 +9961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
/usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# vmware
@@ -284,3 +289,7 @@
@@ -284,3 +289,8 @@
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
@ -9875,6 +9969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
+/usr/lib64/mozilla/plugins/libvlcplugin.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0)
+/usr/lib/libtheora\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.0.6/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2007-08-02 08:17:28.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/libraries.te 2007-08-22 08:03:53.000000000 -0400
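Review bot: The new `/usr/lib/libtheora\.so.*` file-context entry hard-codes `/usr/lib`, while the rest of this file uses the `/usr/lib(64)?/...` form (the M2Crypto line a few hunks up, for example), so on a multilib system only the 32-bit copy would be labelled `textrel_shlib_t`; if the 64-bit build needs it too, the entry should read `/usr/lib(64)?/libtheora\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. `textrel_shlib_t` is the type reserved for libraries that need text relocations (execmod), so widening the match is a deliberate relaxation and is worth a short comment naming the package that requires it. Whether the 64-bit library actually carries text relocations is not visible here.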
@ -10437,7 +10532,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
/var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.0.6/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2007-08-22 07:14:12.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/modutils.te 2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/modutils.te 2007-08-24 16:32:27.000000000 -0400
@@ -42,7 +42,7 @@
# insmod local policy
#
@ -10544,7 +10639,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
-/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.0.6/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2007-08-22 07:14:13.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/mount.te 2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/mount.te 2007-08-24 16:33:07.000000000 -0400
@@ -8,6 +8,13 @@
## <desc>
@ -11695,7 +11790,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+
+corecmd_exec_all_executables(unconfined_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.6/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-22 07:14:12.000000000 -0400
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/userdomain.if 2007-08-22 08:03:53.000000000 -0400
@@ -62,6 +62,10 @@
@ -11719,22 +11814,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
#######################################
@@ -183,14 +191,6 @@
read_sock_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t)
files_list_home($1_t)
- # privileged home directory writers
- manage_dirs_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
- manage_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
- manage_lnk_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
- manage_sock_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
- manage_fifo_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
- filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
-
tunable_policy(`use_nfs_home_dirs',`
fs_list_nfs_dirs($1_t)
fs_read_nfs_files($1_t)
@@ -323,13 +323,19 @@
@@ -315,13 +323,19 @@
## <rolebase/>
#
template(`userdom_exec_home_template',`
@ -11757,7 +11837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
fs_exec_cifs_files($1_t)
')
')
@@ -403,7 +409,9 @@
@@ -395,7 +409,9 @@
## <rolebase/>
#
template(`userdom_exec_tmp_template',`
@ -11768,7 +11848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
#######################################
@@ -517,10 +525,6 @@
@@ -509,10 +525,6 @@
## <rolebase/>
#
template(`userdom_exec_generic_pgms_template',`
@ -11779,7 +11859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
corecmd_exec_bin($1_t)
')
@@ -538,9 +542,6 @@
@@ -530,9 +542,6 @@
## <rolebase/>
#
template(`userdom_basic_networking_template',`
@ -11789,7 +11869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;
@@ -571,32 +572,29 @@
@@ -563,32 +572,29 @@
#
template(`userdom_xwindows_client_template',`
gen_require(`
@ -11843,7 +11923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
#######################################
@@ -672,67 +670,39 @@
@@ -664,67 +670,39 @@
attribute unpriv_userdomain;
')
@ -11914,7 +11994,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
files_exec_etc_files($1_t)
files_search_locks($1_t)
# Check to see if cdrom is mounted
@@ -745,12 +715,6 @@
@@ -737,12 +715,6 @@
# Stat lost+found.
files_getattr_lost_found_dirs($1_t)
@ -11927,7 +12007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# cjp: some of this probably can be removed
selinux_get_fs_mount($1_t)
selinux_validate_context($1_t)
@@ -763,31 +727,16 @@
@@ -755,31 +727,16 @@
storage_getattr_fixed_disk_dev($1_t)
auth_read_login_records($1_t)
@ -11961,7 +12041,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
seutil_exec_checkpolicy($1_t)
seutil_exec_setfiles($1_t)
@@ -802,19 +751,12 @@
@@ -794,19 +751,12 @@
files_read_default_symlinks($1_t)
files_read_default_sockets($1_t)
files_read_default_pipes($1_t)
@ -11981,7 +12061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
optional_policy(`
alsa_read_rw_config($1_t)
')
@@ -829,11 +771,6 @@
@@ -821,11 +771,6 @@
')
optional_policy(`
@ -11993,7 +12073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
allow $1_t self:dbus send_msg;
dbus_system_bus_client_template($1,$1_t)
@@ -842,21 +779,18 @@
@@ -834,21 +779,18 @@
')
optional_policy(`
@ -12019,7 +12099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
optional_policy(`
@@ -884,17 +818,17 @@
@@ -876,17 +818,17 @@
')
optional_policy(`
@ -12045,7 +12125,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
optional_policy(`
@@ -908,16 +842,6 @@
@@ -900,16 +842,6 @@
')
optional_policy(`
@ -12062,7 +12142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
resmgr_stream_connect($1_t)
')
@@ -927,11 +851,6 @@
@@ -919,11 +851,6 @@
')
optional_policy(`
@ -12074,7 +12154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
samba_stream_connect_winbind($1_t)
')
@@ -962,21 +881,162 @@
@@ -954,21 +881,162 @@
## </summary>
## </param>
#
@ -12243,7 +12323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
domain_interactive_fd($1_t)
typeattribute $1_devpts_t user_ptynode;
@@ -985,15 +1045,51 @@
@@ -977,23 +1045,51 @@
typeattribute $1_tmp_t user_tmpfile;
typeattribute $1_tty_device_t user_ttynode;
@ -12288,10 +12368,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ # Declarations
#
- corecmd_exec_all_executables($1_t)
- # privileged home directory writers
- manage_dirs_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
- manage_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
- manage_lnk_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
- manage_sock_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
- manage_fifo_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
- filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
+ # Inherit rules for ordinary users.
+ userdom_common_user_template($1)
+
- corecmd_exec_all_executables($1_t)
+ ##############################
+ #
+ # Local policy
@ -12718,7 +12805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.0.6/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2007-08-22 07:14:11.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/userdomain.te 2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/userdomain.te 2007-08-27 17:33:50.000000000 -0400
@@ -74,6 +74,9 @@
# users home directory contents
attribute home_type;
@ -12766,6 +12853,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
apache_run_helper(sysadm_t,sysadm_r,admin_terminal)
#apache_run_all_scripts(sysadm_t,sysadm_r)
#apache_domtrans_sys_script(sysadm_t)
@@ -278,7 +283,7 @@
')
optional_policy(`
- certwatach_run(sysadm_t,sysadm_r,admin_terminal)
+ certwatch_run(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`
@@ -286,14 +291,6 @@
')
@ -12816,6 +12912,80 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+tunable_policy(`allow_console_login', `
+ term_use_console(userdomain)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.fc serefpolicy-3.0.6/policy/modules/system/virt.fc
--- nsaserefpolicy/policy/modules/system/virt.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.6/policy/modules/system/virt.fc 2007-08-27 10:52:37.000000000 -0400
@@ -0,0 +1 @@
+/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.if serefpolicy-3.0.6/policy/modules/system/virt.if
--- nsaserefpolicy/policy/modules/system/virt.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.6/policy/modules/system/virt.if 2007-08-27 10:53:48.000000000 -0400
@@ -0,0 +1,58 @@
+## <summary>Virtualization </summary>
+
+########################################
+## <summary>
+## Read virt library files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_read_lib_files',`
+ gen_require(`
+ type virt_var_lib_t;
+ ')
+
+ files_list_var_lib($1)
+ read_files_pattern($1, virt_var_lib_t,virt_var_lib_t)
+')
+
+########################################
+## <summary>
+## append virt library files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_append_lib_files',`
+ gen_require(`
+ type virt_var_lib_t;
+ ')
+
+ allow $1 virt_var_lib_t:file append;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read/write
+## virt library files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`virt_rw_lib_files',`
+ gen_require(`
+ type virt_var_lib_t;
+ ')
+
+ files_list_var_lib($1)
+ rw_files_pattern($1,virt_var_lib_t,virt_var_lib_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.0.6/policy/modules/system/virt.te
--- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.6/policy/modules/system/virt.te 2007-08-27 10:52:32.000000000 -0400
@@ -0,0 +1,3 @@
+# var/lib files
+type virt_var_lib_t;
+files_type(virt_var_lib_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.0.6/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if 2007-07-03 07:06:32.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/xen.if 2007-08-22 08:03:53.000000000 -0400
@ -16,8 +16,8 @@
%define CHECKPOLICYVER 2.0.3-1
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.6
Release: 3%{?dist}
Version: 3.0.7
Release: 1%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -82,8 +82,8 @@ make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic}
cp -f $RPM_SOURCE_DIR/modules-%1.conf ./policy/modules.conf \
cp -f $RPM_SOURCE_DIR/booleans-%1.conf ./policy/booleans.conf \
%define moduleList() %([ -f $RPM_SOURCE_DIR/modules-%{1}.conf ] && \
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "-i %%s.pp ", $1 }' $RPM_SOURCE_DIR/modules-%{1}.conf )
%define moduleList() %([ -f %{_sourcedir}/modules-%{1}.conf ] && \
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "-i %%s.pp ", $1 }' %{_sourcedir}/modules-%{1}.conf )
%define installCmds() \
make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 base.pp \
@ -289,6 +289,7 @@ semodule -s targeted -r moilscanner 2>/dev/null
%loadpolicy targeted
%relabel targeted
if [ $1 = 0 ]; then
semanage login -m -s "system_u" __default__ 2> /dev/null
semanage user -a -P unconfined -R "unconfined_r system_r" unconfined_u
semanage user -a -P guest -R guest_r guest_u
semanage user -a -P xguest -R xguest_r xguest_u
@ -361,6 +362,9 @@ exit 0
%endif
%changelog
* Mon Aug 27 2007 Dan Walsh <dwalsh@redhat.com> 3.0.7-1
- Update an readd modules
* Fri Aug 24 2007 Dan Walsh <dwalsh@redhat.com> 3.0.6-3
- Cleanup spec file