- Update to upstream
This commit is contained in:
parent
4125702a20
commit
e8fc9eec3a
@ -21454,7 +21454,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
rpm_use_script_fds(setroubleshootd_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.5.12/policy/modules/services/smartmon.te
|
||||
--- nsaserefpolicy/policy/modules/services/smartmon.te 2008-10-14 11:58:09.000000000 -0400
|
||||
+++ serefpolicy-3.5.12/policy/modules/services/smartmon.te 2008-10-14 15:00:15.000000000 -0400
|
||||
+++ serefpolicy-3.5.12/policy/modules/services/smartmon.te 2008-10-14 21:15:21.000000000 -0400
|
||||
@@ -19,6 +19,10 @@
|
||||
type fsdaemon_tmp_t;
|
||||
files_tmp_file(fsdaemon_tmp_t)
|
||||
@ -21479,7 +21479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
corenet_udp_sendrecv_all_nodes(fsdaemon_t)
|
||||
corenet_udp_sendrecv_all_ports(fsdaemon_t)
|
||||
|
||||
+dev_del_generic_dirs(fsdaemon_t)
|
||||
+dev_delete_generic_dirs(fsdaemon_t)
|
||||
dev_read_sysfs(fsdaemon_t)
|
||||
dev_read_urand(fsdaemon_t)
|
||||
|
||||
@ -22982,7 +22982,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.5.12/policy/modules/services/virt.if
|
||||
--- nsaserefpolicy/policy/modules/services/virt.if 2008-10-14 11:58:09.000000000 -0400
|
||||
+++ serefpolicy-3.5.12/policy/modules/services/virt.if 2008-10-14 15:00:15.000000000 -0400
|
||||
+++ serefpolicy-3.5.12/policy/modules/services/virt.if 2008-10-14 21:22:03.000000000 -0400
|
||||
@@ -78,6 +78,24 @@
|
||||
|
||||
########################################
|
||||
@ -23072,19 +23072,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
virt_manage_lib_files($1)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.5.12/policy/modules/services/virt.te
|
||||
--- nsaserefpolicy/policy/modules/services/virt.te 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.12/policy/modules/services/virt.te 2008-10-14 15:00:15.000000000 -0400
|
||||
@@ -28,9 +28,7 @@
|
||||
+++ serefpolicy-3.5.12/policy/modules/services/virt.te 2008-10-14 21:22:40.000000000 -0400
|
||||
@@ -5,6 +5,7 @@
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
+attribute virt_image_type;
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
@@ -27,10 +28,8 @@
|
||||
files_type(virt_etc_rw_t)
|
||||
|
||||
# virt Image files
|
||||
type virt_image_t; # customizable
|
||||
-type virt_image_t; # customizable
|
||||
-files_type(virt_image_t)
|
||||
-# virt_image_t can be assigned to blk devices
|
||||
-dev_node(virt_image_t)
|
||||
+type virt_image_t, virt_image_type; # customizable
|
||||
+virt_image(virt_image_t)
|
||||
|
||||
type virt_log_t;
|
||||
logging_log_file(virt_log_t)
|
||||
@@ -45,6 +43,9 @@
|
||||
@@ -45,6 +44,9 @@
|
||||
type virtd_exec_t;
|
||||
init_daemon_domain(virtd_t, virtd_exec_t)
|
||||
|
||||
@ -23094,7 +23104,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
########################################
|
||||
#
|
||||
# virtd local policy
|
||||
@@ -49,9 +50,8 @@
|
||||
@@ -49,9 +51,8 @@
|
||||
#
|
||||
# virtd local policy
|
||||
#
|
||||
@ -23105,7 +23115,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow virtd_t self:fifo_file rw_file_perms;
|
||||
allow virtd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow virtd_t self:tcp_socket create_stream_socket_perms;
|
||||
@@ -64,7 +64,7 @@
|
||||
@@ -64,7 +65,7 @@
|
||||
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
||||
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
|
||||
|
||||
@ -23114,7 +23124,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
|
||||
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
|
||||
@@ -82,6 +82,8 @@
|
||||
@@ -82,6 +83,8 @@
|
||||
kernel_read_system_state(virtd_t)
|
||||
kernel_read_network_state(virtd_t)
|
||||
kernel_rw_net_sysctls(virtd_t)
|
||||
@ -23123,7 +23133,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
kernel_load_module(virtd_t)
|
||||
|
||||
corecmd_exec_bin(virtd_t)
|
||||
@@ -93,7 +95,7 @@
|
||||
@@ -93,7 +96,7 @@
|
||||
corenet_tcp_sendrecv_all_nodes(virtd_t)
|
||||
corenet_tcp_sendrecv_all_ports(virtd_t)
|
||||
corenet_tcp_bind_all_nodes(virtd_t)
|
||||
@ -23132,7 +23142,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
corenet_tcp_bind_vnc_port(virtd_t)
|
||||
corenet_tcp_connect_vnc_port(virtd_t)
|
||||
corenet_tcp_connect_soundd_port(virtd_t)
|
||||
@@ -107,8 +109,10 @@
|
||||
@@ -107,8 +110,10 @@
|
||||
|
||||
files_read_usr_files(virtd_t)
|
||||
files_read_etc_files(virtd_t)
|
||||
@ -23143,7 +23153,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
fs_list_auto_mountpoints(virtd_t)
|
||||
|
||||
@@ -162,26 +166,27 @@
|
||||
@@ -162,26 +167,27 @@
|
||||
')
|
||||
')
|
||||
|
||||
@ -23180,7 +23190,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -189,9 +194,10 @@
|
||||
@@ -189,9 +195,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -23294,7 +23304,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.12/policy/modules/services/xserver.if
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.if 2008-10-08 19:00:27.000000000 -0400
|
||||
+++ serefpolicy-3.5.12/policy/modules/services/xserver.if 2008-10-14 15:02:15.000000000 -0400
|
||||
+++ serefpolicy-3.5.12/policy/modules/services/xserver.if 2008-10-14 21:00:40.000000000 -0400
|
||||
@@ -16,6 +16,7 @@
|
||||
gen_require(`
|
||||
type xkb_var_lib_t, xserver_exec_t, xserver_log_t;
|
||||
@ -23618,7 +23628,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# for when /tmp/.X11-unix is created by the system
|
||||
allow $2 xdm_t:fd use;
|
||||
@@ -649,13 +571,212 @@
|
||||
@@ -649,13 +571,213 @@
|
||||
|
||||
xserver_read_xdm_tmp_files($2)
|
||||
|
||||
@ -23780,6 +23790,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ type clipboard_xselection_t;
|
||||
+ type xproperty_t, focus_xevent_t, info_xproperty_t, manage_xevent_t;
|
||||
+ type manage_xevent_t, output_xext_t, property_xevent_t;
|
||||
+ type debug_xext_t, screensaver_xext_t;
|
||||
+ type shmem_xext_t, xselection_t;
|
||||
+ attribute xevent_type, xextension_type;
|
||||
+ ')
|
||||
@ -23835,7 +23846,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
#######################################
|
||||
## <summary>
|
||||
## Interface to provide X object permissions on a given X server to
|
||||
@@ -682,7 +803,7 @@
|
||||
@@ -682,7 +804,7 @@
|
||||
#
|
||||
template(`xserver_common_x_domain_template',`
|
||||
gen_require(`
|
||||
@ -23844,7 +23855,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
type xproperty_t, info_xproperty_t, clipboard_xproperty_t;
|
||||
type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t;
|
||||
type xevent_t, client_xevent_t;
|
||||
@@ -691,7 +812,6 @@
|
||||
@@ -691,7 +813,6 @@
|
||||
attribute x_server_domain, x_domain;
|
||||
attribute xproperty_type;
|
||||
attribute xevent_type, xextension_type;
|
||||
@ -23852,7 +23863,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
class x_drawable all_x_drawable_perms;
|
||||
class x_screen all_x_screen_perms;
|
||||
@@ -708,6 +828,7 @@
|
||||
@@ -708,6 +829,7 @@
|
||||
class x_resource all_x_resource_perms;
|
||||
class x_event all_x_event_perms;
|
||||
class x_synthetic_event all_x_synthetic_event_perms;
|
||||
@ -23860,7 +23871,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
##############################
|
||||
@@ -715,20 +836,22 @@
|
||||
@@ -715,20 +837,22 @@
|
||||
# Declarations
|
||||
#
|
||||
|
||||
@ -23886,7 +23897,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
##############################
|
||||
#
|
||||
# Local Policy
|
||||
@@ -746,7 +869,7 @@
|
||||
@@ -746,7 +870,7 @@
|
||||
allow $3 x_server_domain:x_server getattr;
|
||||
# everyone can do override-redirect windows.
|
||||
# this could be used to spoof labels
|
||||
@ -23895,7 +23906,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# everyone can receive management events on the root window
|
||||
# allows to know when new windows appear, among other things
|
||||
allow $3 manage_xevent_t:x_event receive;
|
||||
@@ -755,36 +878,30 @@
|
||||
@@ -755,36 +879,30 @@
|
||||
# can read server-owned resources
|
||||
allow $3 x_server_domain:x_resource read;
|
||||
# can mess with own clients
|
||||
@ -23942,7 +23953,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# X Input
|
||||
# can receive own events
|
||||
@@ -811,6 +928,12 @@
|
||||
@@ -811,6 +929,12 @@
|
||||
allow $3 manage_xevent_t:x_synthetic_event send;
|
||||
allow $3 client_xevent_t:x_synthetic_event send;
|
||||
|
||||
@ -23955,7 +23966,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# X Selections
|
||||
# can use the clipboard
|
||||
allow $3 clipboard_xselection_t:x_selection { getattr setattr read };
|
||||
@@ -819,13 +942,15 @@
|
||||
@@ -819,13 +943,15 @@
|
||||
|
||||
# Other X Objects
|
||||
# can create and use cursors
|
||||
@ -23975,7 +23986,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
tunable_policy(`! xserver_object_manager',`
|
||||
# should be xserver_unconfined($3),
|
||||
@@ -885,24 +1010,17 @@
|
||||
@@ -885,24 +1011,17 @@
|
||||
#
|
||||
template(`xserver_user_x_domain_template',`
|
||||
gen_require(`
|
||||
@ -24007,7 +24018,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# Allow connections to X server.
|
||||
files_search_tmp($3)
|
||||
@@ -917,16 +1035,12 @@
|
||||
@@ -917,16 +1036,12 @@
|
||||
xserver_rw_session_template($1, $3, $4)
|
||||
xserver_use_user_fonts($1, $3)
|
||||
|
||||
@ -24027,7 +24038,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -958,26 +1072,43 @@
|
||||
@@ -958,26 +1073,43 @@
|
||||
#
|
||||
template(`xserver_use_user_fonts',`
|
||||
gen_require(`
|
||||
@ -24078,7 +24089,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Transition to a user Xauthority domain.
|
||||
## </summary>
|
||||
## <desc>
|
||||
@@ -1003,10 +1134,77 @@
|
||||
@@ -1003,10 +1135,77 @@
|
||||
#
|
||||
template(`xserver_domtrans_user_xauth',`
|
||||
gen_require(`
|
||||
@ -24158,7 +24169,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1036,10 +1234,10 @@
|
||||
@@ -1036,10 +1235,10 @@
|
||||
#
|
||||
template(`xserver_user_home_dir_filetrans_user_xauth',`
|
||||
gen_require(`
|
||||
@ -24171,7 +24182,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1225,6 +1423,25 @@
|
||||
@@ -1225,6 +1424,25 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -24197,7 +24208,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Read xdm-writable configuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1279,6 +1496,7 @@
|
||||
@@ -1279,6 +1497,7 @@
|
||||
files_search_tmp($1)
|
||||
allow $1 xdm_tmp_t:dir list_dir_perms;
|
||||
create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
|
||||
@ -24205,7 +24216,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1297,7 +1515,7 @@
|
||||
@@ -1297,7 +1516,7 @@
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
@ -24214,7 +24225,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1320,6 +1538,24 @@
|
||||
@@ -1320,6 +1539,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -24239,7 +24250,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Execute the X server in the XDM X server domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1330,15 +1566,47 @@
|
||||
@@ -1330,15 +1567,47 @@
|
||||
#
|
||||
interface(`xserver_domtrans_xdm_xserver',`
|
||||
gen_require(`
|
||||
@ -24288,7 +24299,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Make an X session script an entrypoint for the specified domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1488,7 +1756,7 @@
|
||||
@@ -1488,7 +1757,7 @@
|
||||
type xdm_xserver_tmp_t;
|
||||
')
|
||||
|
||||
@ -24297,7 +24308,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1680,6 +1948,26 @@
|
||||
@@ -1680,6 +1949,26 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -24324,7 +24335,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## xdm xserver RW shared memory socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1698,6 +1986,24 @@
|
||||
@@ -1698,6 +1987,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -24349,7 +24360,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Interface to provide X object permissions on a given X server to
|
||||
## an X client domain. Gives the domain complete control over the
|
||||
## display.
|
||||
@@ -1710,8 +2016,157 @@
|
||||
@@ -1710,8 +2017,157 @@
|
||||
#
|
||||
interface(`xserver_unconfined',`
|
||||
gen_require(`
|
||||
|