- ricci_modclusterd_t needs to bind to rpc ports 500-1023
- Allow dbus to use setrlimit to increase resources - Mozilla_plugin is leaking to sandbox - Allow confined users to connect to lircd over unix domain stream socket whic - Allow awstats to read squid logs - seunshare needs to manage tmp_t - apcupsd cgi scripts have a new directory
parent
73e5debe55
commit
ebce355dea
318
policy-F15.patch
318
policy-F15.patch
@ -2196,6 +2196,21 @@ index ebf4b26..f663276 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_system_bus_client(vpnc_t)
|
dbus_system_bus_client(vpnc_t)
|
||||||
|
diff --git a/policy/modules/apps/awstats.te b/policy/modules/apps/awstats.te
|
||||||
|
index 1f42250..3d36ae2 100644
|
||||||
|
--- a/policy/modules/apps/awstats.te
|
||||||
|
+++ b/policy/modules/apps/awstats.te
|
||||||
|
@@ -70,6 +70,10 @@ optional_policy(`
|
||||||
|
nscd_dontaudit_search_pid(awstats_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
+optional_policy(`
|
||||||
|
+ squid_read_log(awstats_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# awstats cgi script policy
|
||||||
diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te
|
diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te
|
||||||
index 1403835..2e9a72c 100644
|
index 1403835..2e9a72c 100644
|
||||||
--- a/policy/modules/apps/cdrecord.te
|
--- a/policy/modules/apps/cdrecord.te
|
||||||
@ -4697,7 +4712,7 @@ index 93ac529..aafece7 100644
|
|||||||
/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
|
/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
|
||||||
+/usr/lib(64)?/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
|
+/usr/lib(64)?/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
|
||||||
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
|
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
|
||||||
index 9a6d67d..76caa60 100644
|
index 9a6d67d..dba7755 100644
|
||||||
--- a/policy/modules/apps/mozilla.if
|
--- a/policy/modules/apps/mozilla.if
|
||||||
+++ b/policy/modules/apps/mozilla.if
|
+++ b/policy/modules/apps/mozilla.if
|
||||||
@@ -29,6 +29,8 @@ interface(`mozilla_role',`
|
@@ -29,6 +29,8 @@ interface(`mozilla_role',`
|
||||||
@ -4828,7 +4843,7 @@ index 9a6d67d..76caa60 100644
|
|||||||
## Send and receive messages from
|
## Send and receive messages from
|
||||||
## mozilla over dbus.
|
## mozilla over dbus.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -204,3 +295,22 @@ interface(`mozilla_rw_tcp_sockets',`
|
@@ -204,3 +295,40 @@ interface(`mozilla_rw_tcp_sockets',`
|
||||||
|
|
||||||
allow $1 mozilla_t:tcp_socket rw_socket_perms;
|
allow $1 mozilla_t:tcp_socket rw_socket_perms;
|
||||||
')
|
')
|
||||||
@ -4851,6 +4866,24 @@ index 9a6d67d..76caa60 100644
|
|||||||
+ allow $1 mozilla_plugin_tmpfs_t:file unlink;
|
+ allow $1 mozilla_plugin_tmpfs_t:file unlink;
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Dontaudit read/write to a mozilla_plugin leaks
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`mozilla_plugin_dontaudit_leaks',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type mozilla_plugin_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
|
||||||
|
+')
|
||||||
|
+
|
||||||
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
|
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
|
||||||
index 2a91fa8..2fad053 100644
|
index 2a91fa8..2fad053 100644
|
||||||
--- a/policy/modules/apps/mozilla.te
|
--- a/policy/modules/apps/mozilla.te
|
||||||
@ -7064,10 +7097,10 @@ index 0000000..5f09eb9
|
|||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
|
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..5259647
|
index 0000000..f29f417
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/apps/sandbox.te
|
+++ b/policy/modules/apps/sandbox.te
|
||||||
@@ -0,0 +1,451 @@
|
@@ -0,0 +1,452 @@
|
||||||
+policy_module(sandbox,1.0.0)
|
+policy_module(sandbox,1.0.0)
|
||||||
+dbus_stub()
|
+dbus_stub()
|
||||||
+attribute sandbox_domain;
|
+attribute sandbox_domain;
|
||||||
@ -7517,6 +7550,7 @@ index 0000000..5259647
|
|||||||
+ mozilla_dontaudit_rw_user_home_files(sandbox_x_t)
|
+ mozilla_dontaudit_rw_user_home_files(sandbox_x_t)
|
||||||
+ mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t)
|
+ mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t)
|
||||||
+ mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
|
+ mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
|
||||||
|
+ mozilla_plugin_dontaudit_leaks(sandbox_x_domain)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc
|
diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc
|
||||||
@ -7629,10 +7663,10 @@ index 1dc7a85..7455c19 100644
|
|||||||
+ ')
|
+ ')
|
||||||
')
|
')
|
||||||
diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
|
diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
|
||||||
index 7590165..e5ef7b3 100644
|
index 7590165..63db4fd 100644
|
||||||
--- a/policy/modules/apps/seunshare.te
|
--- a/policy/modules/apps/seunshare.te
|
||||||
+++ b/policy/modules/apps/seunshare.te
|
+++ b/policy/modules/apps/seunshare.te
|
||||||
@@ -5,40 +5,45 @@ policy_module(seunshare, 1.1.0)
|
@@ -5,40 +5,47 @@ policy_module(seunshare, 1.1.0)
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -7668,6 +7702,7 @@ index 7590165..e5ef7b3 100644
|
|||||||
+files_search_all(seunshare_domain)
|
+files_search_all(seunshare_domain)
|
||||||
+files_read_etc_files(seunshare_domain)
|
+files_read_etc_files(seunshare_domain)
|
||||||
+files_mounton_all_poly_members(seunshare_domain)
|
+files_mounton_all_poly_members(seunshare_domain)
|
||||||
|
+files_manage_generic_tmp_dirs(seunshare_domain)
|
||||||
|
|
||||||
-auth_use_nsswitch(seunshare_t)
|
-auth_use_nsswitch(seunshare_t)
|
||||||
+fs_manage_cgroup_dirs(seunshare_domain)
|
+fs_manage_cgroup_dirs(seunshare_domain)
|
||||||
@ -7692,6 +7727,7 @@ index 7590165..e5ef7b3 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
- mozilla_dontaudit_manage_user_home_files(seunshare_t)
|
- mozilla_dontaudit_manage_user_home_files(seunshare_t)
|
||||||
+ mozilla_dontaudit_manage_user_home_files(seunshare_domain)
|
+ mozilla_dontaudit_manage_user_home_files(seunshare_domain)
|
||||||
|
+ mozilla_plugin_dontaudit_leaks(seunshare_domain)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
+
|
+
|
||||||
@ -16690,6 +16726,15 @@ index 08dfa0c..61f340d 100644
|
|||||||
+ userdom_read_user_home_content_files(httpd_suexec_t)
|
+ userdom_read_user_home_content_files(httpd_suexec_t)
|
||||||
+ userdom_read_user_home_content_files(httpd_user_script_t)
|
+ userdom_read_user_home_content_files(httpd_user_script_t)
|
||||||
')
|
')
|
||||||
|
diff --git a/policy/modules/services/apcupsd.fc b/policy/modules/services/apcupsd.fc
|
||||||
|
index cd07b96..a87d1dd 100644
|
||||||
|
--- a/policy/modules/services/apcupsd.fc
|
||||||
|
+++ b/policy/modules/services/apcupsd.fc
|
||||||
|
@@ -13,3 +13,4 @@
|
||||||
|
/var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
|
||||||
|
/var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
|
||||||
|
/var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
|
||||||
|
+/var/www/cgi-bin/apcgui(/.*)? gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
|
||||||
diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te
|
diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te
|
||||||
index d052bf0..8478eca 100644
|
index d052bf0..8478eca 100644
|
||||||
--- a/policy/modules/services/apcupsd.te
|
--- a/policy/modules/services/apcupsd.te
|
||||||
@ -21077,9 +21122,18 @@ index 0d5711c..bbc1a8f 100644
|
|||||||
+ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
|
+ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
|
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
|
||||||
index 98e5af6..3c13628 100644
|
index 98e5af6..a7472fc 100644
|
||||||
--- a/policy/modules/services/dbus.te
|
--- a/policy/modules/services/dbus.te
|
||||||
+++ b/policy/modules/services/dbus.te
|
+++ b/policy/modules/services/dbus.te
|
||||||
|
@@ -52,7 +52,7 @@ ifdef(`enable_mls',`
|
||||||
|
|
||||||
|
# dac_override: /var/run/dbus is owned by messagebus on Debian
|
||||||
|
# cjp: dac_override should probably go in a distro_debian
|
||||||
|
-allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
|
||||||
|
+allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
|
||||||
|
dontaudit system_dbusd_t self:capability sys_tty_config;
|
||||||
|
allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
|
||||||
|
allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
|
||||||
@@ -74,9 +74,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
|
@@ -74,9 +74,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
|
||||||
|
|
||||||
read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
|
read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
|
||||||
@ -34881,7 +34935,7 @@ index f7826f9..3128dd8 100644
|
|||||||
+ admin_pattern($1, ricci_var_run_t)
|
+ admin_pattern($1, ricci_var_run_t)
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
|
diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
|
||||||
index 33e72e8..29e7311 100644
|
index 33e72e8..052a1ff 100644
|
||||||
--- a/policy/modules/services/ricci.te
|
--- a/policy/modules/services/ricci.te
|
||||||
+++ b/policy/modules/services/ricci.te
|
+++ b/policy/modules/services/ricci.te
|
||||||
@@ -7,9 +7,11 @@ policy_module(ricci, 1.7.0)
|
@@ -7,9 +7,11 @@ policy_module(ricci, 1.7.0)
|
||||||
@ -34938,6 +34992,15 @@ index 33e72e8..29e7311 100644
|
|||||||
unconfined_use_fds(ricci_t)
|
unconfined_use_fds(ricci_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@@ -193,7 +202,7 @@ corecmd_exec_shell(ricci_modcluster_t)
|
||||||
|
corecmd_exec_bin(ricci_modcluster_t)
|
||||||
|
|
||||||
|
corenet_tcp_bind_cluster_port(ricci_modclusterd_t)
|
||||||
|
-corenet_tcp_bind_reserved_port(ricci_modclusterd_t)
|
||||||
|
+corenet_tcp_bind_all_rpc_ports(ricci_modclusterd_t)
|
||||||
|
|
||||||
|
domain_read_all_domains_state(ricci_modcluster_t)
|
||||||
|
|
||||||
@@ -241,8 +250,7 @@ optional_policy(`
|
@@ -241,8 +250,7 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -50195,7 +50258,7 @@ index db75976..392d1ee 100644
|
|||||||
+HOME_DIR/\.gvfs(/.*)? <<none>>
|
+HOME_DIR/\.gvfs(/.*)? <<none>>
|
||||||
+HOME_DIR/\.debug(/.*)? <<none>>
|
+HOME_DIR/\.debug(/.*)? <<none>>
|
||||||
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
|
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
|
||||||
index 28b88de..97b04f2 100644
|
index 28b88de..bc98180 100644
|
||||||
--- a/policy/modules/system/userdomain.if
|
--- a/policy/modules/system/userdomain.if
|
||||||
+++ b/policy/modules/system/userdomain.if
|
+++ b/policy/modules/system/userdomain.if
|
||||||
@@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
|
@@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
|
||||||
@ -50763,7 +50826,7 @@ index 28b88de..97b04f2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`user_ttyfile_stat',`
|
tunable_policy(`user_ttyfile_stat',`
|
||||||
@@ -574,67 +647,110 @@ template(`userdom_common_user_template',`
|
@@ -574,67 +647,114 @@ template(`userdom_common_user_template',`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -50872,6 +50935,10 @@ index 28b88de..97b04f2 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- locate_read_lib_files($1_t)
|
- locate_read_lib_files($1_t)
|
||||||
|
+ lircd_stream_connect($1_usertype)
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ optional_policy(`
|
||||||
+ locate_read_lib_files($1_usertype)
|
+ locate_read_lib_files($1_usertype)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -50879,20 +50946,20 @@ index 28b88de..97b04f2 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
- modutils_read_module_config($1_t)
|
- modutils_read_module_config($1_t)
|
||||||
+ modutils_read_module_config($1_usertype)
|
+ modutils_read_module_config($1_usertype)
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ optional_policy(`
|
||||||
|
+ mta_rw_spool($1_usertype)
|
||||||
|
+ mta_manage_queue($1_usertype)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- mta_rw_spool($1_t)
|
- mta_rw_spool($1_t)
|
||||||
+ mta_rw_spool($1_usertype)
|
|
||||||
+ mta_manage_queue($1_usertype)
|
|
||||||
+ ')
|
|
||||||
+
|
|
||||||
+ optional_policy(`
|
|
||||||
+ nsplugin_role($1_r, $1_usertype)
|
+ nsplugin_role($1_r, $1_usertype)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -650,41 +766,50 @@ template(`userdom_common_user_template',`
|
@@ -650,41 +770,50 @@ template(`userdom_common_user_template',`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
# to allow monitoring of pcmcia status
|
# to allow monitoring of pcmcia status
|
||||||
@ -50954,7 +51021,7 @@ index 28b88de..97b04f2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@@ -712,13 +837,26 @@ template(`userdom_login_user_template', `
|
@@ -712,13 +841,26 @@ template(`userdom_login_user_template', `
|
||||||
|
|
||||||
userdom_base_user_template($1)
|
userdom_base_user_template($1)
|
||||||
|
|
||||||
@ -50963,12 +51030,12 @@ index 28b88de..97b04f2 100644
|
|||||||
+
|
+
|
||||||
+ userdom_manage_tmp_role($1_r, $1_usertype)
|
+ userdom_manage_tmp_role($1_r, $1_usertype)
|
||||||
+ userdom_manage_tmpfs_role($1_r, $1_usertype)
|
+ userdom_manage_tmpfs_role($1_r, $1_usertype)
|
||||||
+
|
|
||||||
+ ifelse(`$1',`unconfined',`',`
|
|
||||||
+ gen_tunable(allow_$1_exec_content, true)
|
|
||||||
|
|
||||||
- userdom_manage_tmp_role($1_r, $1_t)
|
- userdom_manage_tmp_role($1_r, $1_t)
|
||||||
- userdom_manage_tmpfs_role($1_r, $1_t)
|
- userdom_manage_tmpfs_role($1_r, $1_t)
|
||||||
|
+ ifelse(`$1',`unconfined',`',`
|
||||||
|
+ gen_tunable(allow_$1_exec_content, true)
|
||||||
|
+
|
||||||
+ tunable_policy(`allow_$1_exec_content',`
|
+ tunable_policy(`allow_$1_exec_content',`
|
||||||
+ userdom_exec_user_tmp_files($1_usertype)
|
+ userdom_exec_user_tmp_files($1_usertype)
|
||||||
+ userdom_exec_user_home_content_files($1_usertype)
|
+ userdom_exec_user_home_content_files($1_usertype)
|
||||||
@ -50986,7 +51053,7 @@ index 28b88de..97b04f2 100644
|
|||||||
|
|
||||||
userdom_change_password_template($1)
|
userdom_change_password_template($1)
|
||||||
|
|
||||||
@@ -736,72 +874,71 @@ template(`userdom_login_user_template', `
|
@@ -736,72 +878,71 @@ template(`userdom_login_user_template', `
|
||||||
|
|
||||||
allow $1_t self:context contains;
|
allow $1_t self:context contains;
|
||||||
|
|
||||||
@ -51053,49 +51120,49 @@ index 28b88de..97b04f2 100644
|
|||||||
- miscfiles_exec_tetex_data($1_t)
|
- miscfiles_exec_tetex_data($1_t)
|
||||||
+ miscfiles_read_tetex_data($1_usertype)
|
+ miscfiles_read_tetex_data($1_usertype)
|
||||||
+ miscfiles_exec_tetex_data($1_usertype)
|
+ miscfiles_exec_tetex_data($1_usertype)
|
||||||
|
+
|
||||||
|
+ seutil_read_config($1_usertype)
|
||||||
|
|
||||||
- seutil_read_config($1_t)
|
- seutil_read_config($1_t)
|
||||||
+ seutil_read_config($1_usertype)
|
+ optional_policy(`
|
||||||
|
+ cups_read_config($1_usertype)
|
||||||
|
+ cups_stream_connect($1_usertype)
|
||||||
|
+ cups_stream_connect_ptal($1_usertype)
|
||||||
|
+ ')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- cups_read_config($1_t)
|
- cups_read_config($1_t)
|
||||||
- cups_stream_connect($1_t)
|
- cups_stream_connect($1_t)
|
||||||
- cups_stream_connect_ptal($1_t)
|
- cups_stream_connect_ptal($1_t)
|
||||||
+ cups_read_config($1_usertype)
|
|
||||||
+ cups_stream_connect($1_usertype)
|
|
||||||
+ cups_stream_connect_ptal($1_usertype)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
- kerberos_use($1_t)
|
|
||||||
+ kerberos_use($1_usertype)
|
+ kerberos_use($1_usertype)
|
||||||
+ kerberos_connect_524($1_usertype)
|
+ kerberos_connect_524($1_usertype)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- mta_dontaudit_read_spool_symlinks($1_t)
|
- kerberos_use($1_t)
|
||||||
+ mta_dontaudit_read_spool_symlinks($1_usertype)
|
+ mta_dontaudit_read_spool_symlinks($1_usertype)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- quota_dontaudit_getattr_db($1_t)
|
- mta_dontaudit_read_spool_symlinks($1_t)
|
||||||
+ quota_dontaudit_getattr_db($1_usertype)
|
+ quota_dontaudit_getattr_db($1_usertype)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
- quota_dontaudit_getattr_db($1_t)
|
||||||
|
+ rpm_read_db($1_usertype)
|
||||||
|
+ rpm_dontaudit_manage_db($1_usertype)
|
||||||
|
+ rpm_read_cache($1_usertype)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- rpm_read_db($1_t)
|
- rpm_read_db($1_t)
|
||||||
- rpm_dontaudit_manage_db($1_t)
|
- rpm_dontaudit_manage_db($1_t)
|
||||||
+ rpm_read_db($1_usertype)
|
|
||||||
+ rpm_dontaudit_manage_db($1_usertype)
|
|
||||||
+ rpm_read_cache($1_usertype)
|
|
||||||
+ ')
|
|
||||||
+
|
|
||||||
+ optional_policy(`
|
|
||||||
+ oddjob_run_mkhomedir($1_t, $1_r)
|
+ oddjob_run_mkhomedir($1_t, $1_r)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -833,6 +970,9 @@ template(`userdom_restricted_user_template',`
|
@@ -833,6 +974,9 @@ template(`userdom_restricted_user_template',`
|
||||||
typeattribute $1_t unpriv_userdomain;
|
typeattribute $1_t unpriv_userdomain;
|
||||||
domain_interactive_fd($1_t)
|
domain_interactive_fd($1_t)
|
||||||
|
|
||||||
@ -51105,7 +51172,7 @@ index 28b88de..97b04f2 100644
|
|||||||
##############################
|
##############################
|
||||||
#
|
#
|
||||||
# Local policy
|
# Local policy
|
||||||
@@ -874,45 +1014,107 @@ template(`userdom_restricted_xwindows_user_template',`
|
@@ -874,45 +1018,107 @@ template(`userdom_restricted_xwindows_user_template',`
|
||||||
#
|
#
|
||||||
|
|
||||||
auth_role($1_r, $1_t)
|
auth_role($1_r, $1_t)
|
||||||
@ -51224,7 +51291,7 @@ index 28b88de..97b04f2 100644
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -947,7 +1149,7 @@ template(`userdom_unpriv_user_template', `
|
@@ -947,7 +1153,7 @@ template(`userdom_unpriv_user_template', `
|
||||||
#
|
#
|
||||||
|
|
||||||
# Inherit rules for ordinary users.
|
# Inherit rules for ordinary users.
|
||||||
@ -51233,7 +51300,7 @@ index 28b88de..97b04f2 100644
|
|||||||
userdom_common_user_template($1)
|
userdom_common_user_template($1)
|
||||||
|
|
||||||
##############################
|
##############################
|
||||||
@@ -956,54 +1158,77 @@ template(`userdom_unpriv_user_template', `
|
@@ -956,54 +1162,77 @@ template(`userdom_unpriv_user_template', `
|
||||||
#
|
#
|
||||||
|
|
||||||
# port access is audited even if dac would not have allowed it, so dontaudit it here
|
# port access is audited even if dac would not have allowed it, so dontaudit it here
|
||||||
@ -51314,20 +51381,20 @@ index 28b88de..97b04f2 100644
|
|||||||
+
|
+
|
||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
+ java_role_template($1, $1_r, $1_t)
|
+ java_role_template($1, $1_r, $1_t)
|
||||||
+ ')
|
|
||||||
+
|
|
||||||
+ optional_policy(`
|
|
||||||
+ mono_role_template($1, $1_r, $1_t)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
- # Run pppd in pppd_t by default for user
|
- # Run pppd in pppd_t by default for user
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- ppp_run_cond($1_t,$1_r)
|
- ppp_run_cond($1_t,$1_r)
|
||||||
+ mount_run_fusermount($1_t, $1_r)
|
+ mono_role_template($1, $1_r, $1_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- setroubleshoot_stream_connect($1_t)
|
- setroubleshoot_stream_connect($1_t)
|
||||||
|
+ mount_run_fusermount($1_t, $1_r)
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ optional_policy(`
|
||||||
+ wine_role_template($1, $1_r, $1_t)
|
+ wine_role_template($1, $1_r, $1_t)
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
@ -51341,7 +51408,7 @@ index 28b88de..97b04f2 100644
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -1039,7 +1264,7 @@ template(`userdom_unpriv_user_template', `
|
@@ -1039,7 +1268,7 @@ template(`userdom_unpriv_user_template', `
|
||||||
template(`userdom_admin_user_template',`
|
template(`userdom_admin_user_template',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute admindomain;
|
attribute admindomain;
|
||||||
@ -51350,7 +51417,7 @@ index 28b88de..97b04f2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
##############################
|
##############################
|
||||||
@@ -1074,6 +1299,9 @@ template(`userdom_admin_user_template',`
|
@@ -1074,6 +1303,9 @@ template(`userdom_admin_user_template',`
|
||||||
# Skip authentication when pam_rootok is specified.
|
# Skip authentication when pam_rootok is specified.
|
||||||
allow $1_t self:passwd rootok;
|
allow $1_t self:passwd rootok;
|
||||||
|
|
||||||
@ -51360,7 +51427,7 @@ index 28b88de..97b04f2 100644
|
|||||||
kernel_read_software_raid_state($1_t)
|
kernel_read_software_raid_state($1_t)
|
||||||
kernel_getattr_core_if($1_t)
|
kernel_getattr_core_if($1_t)
|
||||||
kernel_getattr_message_if($1_t)
|
kernel_getattr_message_if($1_t)
|
||||||
@@ -1088,6 +1316,7 @@ template(`userdom_admin_user_template',`
|
@@ -1088,6 +1320,7 @@ template(`userdom_admin_user_template',`
|
||||||
kernel_sigstop_unlabeled($1_t)
|
kernel_sigstop_unlabeled($1_t)
|
||||||
kernel_signull_unlabeled($1_t)
|
kernel_signull_unlabeled($1_t)
|
||||||
kernel_sigchld_unlabeled($1_t)
|
kernel_sigchld_unlabeled($1_t)
|
||||||
@ -51368,7 +51435,7 @@ index 28b88de..97b04f2 100644
|
|||||||
|
|
||||||
corenet_tcp_bind_generic_port($1_t)
|
corenet_tcp_bind_generic_port($1_t)
|
||||||
# allow setting up tunnels
|
# allow setting up tunnels
|
||||||
@@ -1119,10 +1348,13 @@ template(`userdom_admin_user_template',`
|
@@ -1119,10 +1352,13 @@ template(`userdom_admin_user_template',`
|
||||||
domain_sigchld_all_domains($1_t)
|
domain_sigchld_all_domains($1_t)
|
||||||
# for lsof
|
# for lsof
|
||||||
domain_getattr_all_sockets($1_t)
|
domain_getattr_all_sockets($1_t)
|
||||||
@ -51382,7 +51449,7 @@ index 28b88de..97b04f2 100644
|
|||||||
fs_set_all_quotas($1_t)
|
fs_set_all_quotas($1_t)
|
||||||
fs_exec_noxattr($1_t)
|
fs_exec_noxattr($1_t)
|
||||||
|
|
||||||
@@ -1142,6 +1374,7 @@ template(`userdom_admin_user_template',`
|
@@ -1142,6 +1378,7 @@ template(`userdom_admin_user_template',`
|
||||||
logging_send_syslog_msg($1_t)
|
logging_send_syslog_msg($1_t)
|
||||||
|
|
||||||
modutils_domtrans_insmod($1_t)
|
modutils_domtrans_insmod($1_t)
|
||||||
@ -51390,7 +51457,7 @@ index 28b88de..97b04f2 100644
|
|||||||
|
|
||||||
# The following rule is temporary until such time that a complete
|
# The following rule is temporary until such time that a complete
|
||||||
# policy management infrastructure is in place so that an administrator
|
# policy management infrastructure is in place so that an administrator
|
||||||
@@ -1210,6 +1443,8 @@ template(`userdom_security_admin_template',`
|
@@ -1210,6 +1447,8 @@ template(`userdom_security_admin_template',`
|
||||||
dev_relabel_all_dev_nodes($1)
|
dev_relabel_all_dev_nodes($1)
|
||||||
|
|
||||||
files_create_boot_flag($1)
|
files_create_boot_flag($1)
|
||||||
@ -51399,7 +51466,7 @@ index 28b88de..97b04f2 100644
|
|||||||
|
|
||||||
# Necessary for managing /boot/efi
|
# Necessary for managing /boot/efi
|
||||||
fs_manage_dos_files($1)
|
fs_manage_dos_files($1)
|
||||||
@@ -1237,6 +1472,7 @@ template(`userdom_security_admin_template',`
|
@@ -1237,6 +1476,7 @@ template(`userdom_security_admin_template',`
|
||||||
seutil_run_checkpolicy($1,$2)
|
seutil_run_checkpolicy($1,$2)
|
||||||
seutil_run_loadpolicy($1,$2)
|
seutil_run_loadpolicy($1,$2)
|
||||||
seutil_run_semanage($1,$2)
|
seutil_run_semanage($1,$2)
|
||||||
@ -51407,7 +51474,7 @@ index 28b88de..97b04f2 100644
|
|||||||
seutil_run_setfiles($1, $2)
|
seutil_run_setfiles($1, $2)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -1279,11 +1515,37 @@ template(`userdom_security_admin_template',`
|
@@ -1279,11 +1519,37 @@ template(`userdom_security_admin_template',`
|
||||||
interface(`userdom_user_home_content',`
|
interface(`userdom_user_home_content',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type user_home_t;
|
type user_home_t;
|
||||||
@ -51445,7 +51512,7 @@ index 28b88de..97b04f2 100644
|
|||||||
ubac_constrained($1)
|
ubac_constrained($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -1395,6 +1657,7 @@ interface(`userdom_search_user_home_dirs',`
|
@@ -1395,6 +1661,7 @@ interface(`userdom_search_user_home_dirs',`
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 user_home_dir_t:dir search_dir_perms;
|
allow $1 user_home_dir_t:dir search_dir_perms;
|
||||||
@ -51453,7 +51520,7 @@ index 28b88de..97b04f2 100644
|
|||||||
files_search_home($1)
|
files_search_home($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -1441,6 +1704,14 @@ interface(`userdom_list_user_home_dirs',`
|
@@ -1441,6 +1708,14 @@ interface(`userdom_list_user_home_dirs',`
|
||||||
|
|
||||||
allow $1 user_home_dir_t:dir list_dir_perms;
|
allow $1 user_home_dir_t:dir list_dir_perms;
|
||||||
files_search_home($1)
|
files_search_home($1)
|
||||||
@ -51468,7 +51535,7 @@ index 28b88de..97b04f2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1456,9 +1727,11 @@ interface(`userdom_list_user_home_dirs',`
|
@@ -1456,9 +1731,11 @@ interface(`userdom_list_user_home_dirs',`
|
||||||
interface(`userdom_dontaudit_list_user_home_dirs',`
|
interface(`userdom_dontaudit_list_user_home_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type user_home_dir_t;
|
type user_home_dir_t;
|
||||||
@ -51480,34 +51547,57 @@ index 28b88de..97b04f2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1515,6 +1788,42 @@ interface(`userdom_relabelto_user_home_dirs',`
|
@@ -1515,10 +1792,10 @@ interface(`userdom_relabelto_user_home_dirs',`
|
||||||
allow $1 user_home_dir_t:dir relabelto;
|
allow $1 user_home_dir_t:dir relabelto;
|
||||||
')
|
')
|
||||||
|
|
||||||
+
|
+
|
||||||
+########################################
|
########################################
|
||||||
+## <summary>
|
## <summary>
|
||||||
|
-## Create directories in the home dir root with
|
||||||
|
-## the user home directory type.
|
||||||
+## Relabel to user home files.
|
+## Relabel to user home files.
|
||||||
+## </summary>
|
## </summary>
|
||||||
+## <param name="domain">
|
## <param name="domain">
|
||||||
+## <summary>
|
## <summary>
|
||||||
+## Domain allowed access.
|
@@ -1526,35 +1803,71 @@ interface(`userdom_relabelto_user_home_dirs',`
|
||||||
+## </summary>
|
## </summary>
|
||||||
+## </param>
|
## </param>
|
||||||
+#
|
#
|
||||||
|
-interface(`userdom_home_filetrans_user_home_dir',`
|
||||||
+interface(`userdom_relabelto_user_home_files',`
|
+interface(`userdom_relabelto_user_home_files',`
|
||||||
+ gen_require(`
|
gen_require(`
|
||||||
|
- type user_home_dir_t;
|
||||||
+ type user_home_t;
|
+ type user_home_t;
|
||||||
+ ')
|
')
|
||||||
+
|
|
||||||
|
- files_home_filetrans($1, user_home_dir_t, dir)
|
||||||
+ allow $1 user_home_t:file relabelto;
|
+ allow $1 user_home_t:file relabelto;
|
||||||
+')
|
')
|
||||||
+########################################
|
-
|
||||||
+## <summary>
|
########################################
|
||||||
|
## <summary>
|
||||||
|
-## Do a domain transition to the specified
|
||||||
|
-## domain when executing a program in the
|
||||||
|
-## user home directory.
|
||||||
+## Relabel user home files.
|
+## Relabel user home files.
|
||||||
+## </summary>
|
## </summary>
|
||||||
|
-## <desc>
|
||||||
|
-## <p>
|
||||||
|
-## Do a domain transition to the specified
|
||||||
|
-## domain when executing a program in the
|
||||||
|
-## user home directory.
|
||||||
|
-## </p>
|
||||||
|
-## <p>
|
||||||
|
-## No interprocess communication (signals, pipes,
|
||||||
|
-## etc.) is provided by this interface since
|
||||||
|
-## the domains are not owned by this module.
|
||||||
|
-## </p>
|
||||||
|
-## </desc>
|
||||||
|
-## <param name="source_domain">
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
+## <summary>
|
## <summary>
|
||||||
|
-## Domain allowed to transition.
|
||||||
+## Domain allowed access.
|
+## Domain allowed access.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## </param>
|
+## </param>
|
||||||
@ -51520,10 +51610,50 @@ index 28b88de..97b04f2 100644
|
|||||||
+ allow $1 user_home_t:file relabel_file_perms;
|
+ allow $1 user_home_t:file relabel_file_perms;
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
########################################
|
+########################################
|
||||||
## <summary>
|
+## <summary>
|
||||||
## Create directories in the home dir root with
|
+## Create directories in the home dir root with
|
||||||
@@ -1589,6 +1898,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
|
+## the user home directory type.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`userdom_home_filetrans_user_home_dir',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type user_home_dir_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ files_home_filetrans($1, user_home_dir_t, dir)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Do a domain transition to the specified
|
||||||
|
+## domain when executing a program in the
|
||||||
|
+## user home directory.
|
||||||
|
+## </summary>
|
||||||
|
+## <desc>
|
||||||
|
+## <p>
|
||||||
|
+## Do a domain transition to the specified
|
||||||
|
+## domain when executing a program in the
|
||||||
|
+## user home directory.
|
||||||
|
+## </p>
|
||||||
|
+## <p>
|
||||||
|
+## No interprocess communication (signals, pipes,
|
||||||
|
+## etc.) is provided by this interface since
|
||||||
|
+## the domains are not owned by this module.
|
||||||
|
+## </p>
|
||||||
|
+## </desc>
|
||||||
|
+## <param name="source_domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed to transition.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <param name="target_domain">
|
||||||
|
@@ -1589,6 +1902,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
|
||||||
')
|
')
|
||||||
|
|
||||||
dontaudit $1 user_home_t:dir search_dir_perms;
|
dontaudit $1 user_home_t:dir search_dir_perms;
|
||||||
@ -51532,7 +51662,7 @@ index 28b88de..97b04f2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1603,10 +1914,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
|
@@ -1603,10 +1918,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
|
||||||
#
|
#
|
||||||
interface(`userdom_list_user_home_content',`
|
interface(`userdom_list_user_home_content',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -51547,7 +51677,7 @@ index 28b88de..97b04f2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1649,6 +1962,25 @@ interface(`userdom_delete_user_home_content_dirs',`
|
@@ -1649,6 +1966,25 @@ interface(`userdom_delete_user_home_content_dirs',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -51573,7 +51703,7 @@ index 28b88de..97b04f2 100644
|
|||||||
## Do not audit attempts to set the
|
## Do not audit attempts to set the
|
||||||
## attributes of user home files.
|
## attributes of user home files.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -1700,12 +2032,32 @@ interface(`userdom_read_user_home_content_files',`
|
@@ -1700,12 +2036,32 @@ interface(`userdom_read_user_home_content_files',`
|
||||||
type user_home_dir_t, user_home_t;
|
type user_home_dir_t, user_home_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -51606,7 +51736,7 @@ index 28b88de..97b04f2 100644
|
|||||||
## Do not audit attempts to read user home files.
|
## Do not audit attempts to read user home files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -1716,11 +2068,14 @@ interface(`userdom_read_user_home_content_files',`
|
@@ -1716,11 +2072,14 @@ interface(`userdom_read_user_home_content_files',`
|
||||||
#
|
#
|
||||||
interface(`userdom_dontaudit_read_user_home_content_files',`
|
interface(`userdom_dontaudit_read_user_home_content_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -51624,7 +51754,7 @@ index 28b88de..97b04f2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1810,8 +2165,7 @@ interface(`userdom_read_user_home_content_symlinks',`
|
@@ -1810,8 +2169,7 @@ interface(`userdom_read_user_home_content_symlinks',`
|
||||||
type user_home_dir_t, user_home_t;
|
type user_home_dir_t, user_home_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -51634,7 +51764,7 @@ index 28b88de..97b04f2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1827,20 +2181,14 @@ interface(`userdom_read_user_home_content_symlinks',`
|
@@ -1827,20 +2185,14 @@ interface(`userdom_read_user_home_content_symlinks',`
|
||||||
#
|
#
|
||||||
interface(`userdom_exec_user_home_content_files',`
|
interface(`userdom_exec_user_home_content_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -51659,7 +51789,7 @@ index 28b88de..97b04f2 100644
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -2182,7 +2530,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
|
@@ -2182,7 +2534,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
|
||||||
type user_tmp_t;
|
type user_tmp_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -51668,7 +51798,7 @@ index 28b88de..97b04f2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2435,13 +2783,14 @@ interface(`userdom_read_user_tmpfs_files',`
|
@@ -2435,13 +2787,14 @@ interface(`userdom_read_user_tmpfs_files',`
|
||||||
')
|
')
|
||||||
|
|
||||||
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
|
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
|
||||||
@ -51684,7 +51814,7 @@ index 28b88de..97b04f2 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -2462,26 +2811,6 @@ interface(`userdom_rw_user_tmpfs_files',`
|
@@ -2462,26 +2815,6 @@ interface(`userdom_rw_user_tmpfs_files',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -51711,7 +51841,7 @@ index 28b88de..97b04f2 100644
|
|||||||
## Get the attributes of a user domain tty.
|
## Get the attributes of a user domain tty.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -2815,7 +3144,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
|
@@ -2815,7 +3148,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
|
||||||
|
|
||||||
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
|
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
|
||||||
allow unpriv_userdomain $1:fd use;
|
allow unpriv_userdomain $1:fd use;
|
||||||
@ -51720,7 +51850,7 @@ index 28b88de..97b04f2 100644
|
|||||||
allow unpriv_userdomain $1:process sigchld;
|
allow unpriv_userdomain $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -2831,11 +3160,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
|
@@ -2831,11 +3164,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
|
||||||
#
|
#
|
||||||
interface(`userdom_search_user_home_content',`
|
interface(`userdom_search_user_home_content',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -51736,7 +51866,7 @@ index 28b88de..97b04f2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2917,7 +3248,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
|
@@ -2917,7 +3252,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
|
||||||
type user_devpts_t;
|
type user_devpts_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -51745,7 +51875,7 @@ index 28b88de..97b04f2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2972,7 +3303,45 @@ interface(`userdom_write_user_tmp_files',`
|
@@ -2972,7 +3307,45 @@ interface(`userdom_write_user_tmp_files',`
|
||||||
type user_tmp_t;
|
type user_tmp_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -51792,7 +51922,7 @@ index 28b88de..97b04f2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -3009,6 +3378,7 @@ interface(`userdom_read_all_users_state',`
|
@@ -3009,6 +3382,7 @@ interface(`userdom_read_all_users_state',`
|
||||||
')
|
')
|
||||||
|
|
||||||
read_files_pattern($1, userdomain, userdomain)
|
read_files_pattern($1, userdomain, userdomain)
|
||||||
@ -51800,7 +51930,7 @@ index 28b88de..97b04f2 100644
|
|||||||
kernel_search_proc($1)
|
kernel_search_proc($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -3139,3 +3509,1058 @@ interface(`userdom_dbus_send_all_users',`
|
@@ -3139,3 +3513,1058 @@ interface(`userdom_dbus_send_all_users',`
|
||||||
|
|
||||||
allow $1 userdomain:dbus send_msg;
|
allow $1 userdomain:dbus send_msg;
|
||||||
')
|
')
|
||||||
|
@ -21,7 +21,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.9.13
|
Version: 3.9.13
|
||||||
Release: 6%{?dist}
|
Release: 7%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -472,6 +472,15 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Feb 1 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.13-7
|
||||||
|
- ricci_modclusterd_t needs to bind to rpc ports 500-1023
|
||||||
|
- Allow dbus to use setrlimit to increase resoueces
|
||||||
|
- Mozilla_plugin is leaking to sandbox
|
||||||
|
- Allow confined users to connect to lircd over unix domain stream socket which allow to use remote control
|
||||||
|
- Allow awstats to read squid logs
|
||||||
|
- seunshare needs to manage tmp_t
|
||||||
|
- apcupsd cgi scripts have a new directory
|
||||||
|
|
||||||
* Thu Jan 27 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.13-6
|
* Thu Jan 27 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.13-6
|
||||||
- Fix xserver_dontaudit_read_xdm_pid
|
- Fix xserver_dontaudit_read_xdm_pid
|
||||||
- Change oracle_port_t to oracledb_port_t to prevent conflict with satellite
|
- Change oracle_port_t to oracledb_port_t to prevent conflict with satellite
|
||||||
|