- Allow confined users to login with dbus
This commit is contained in:
parent
a80e7ac6a3
commit
ed32c64290
|
@ -14730,7 +14730,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
|
/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.5.8/policy/modules/services/dbus.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.5.8/policy/modules/services/dbus.if
|
||||||
--- nsaserefpolicy/policy/modules/services/dbus.if 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/dbus.if 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.8/policy/modules/services/dbus.if 2008-09-17 08:49:08.000000000 -0400
|
+++ serefpolicy-3.5.8/policy/modules/services/dbus.if 2008-09-23 15:34:03.000000000 -0400
|
||||||
@@ -53,6 +53,7 @@
|
@@ -53,6 +53,7 @@
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
|
type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
|
||||||
|
@ -14748,7 +14748,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
type $1_dbusd_tmp_t;
|
type $1_dbusd_tmp_t;
|
||||||
files_tmp_file($1_dbusd_tmp_t)
|
files_tmp_file($1_dbusd_tmp_t)
|
||||||
|
|
||||||
@@ -84,14 +83,18 @@
|
@@ -84,14 +83,19 @@
|
||||||
allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
|
allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
|
allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
|
||||||
|
|
||||||
|
@ -14760,6 +14760,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
- type_change $2 $1_dbusd_t:dbus $1_dbusd_$1_t;
|
- type_change $2 $1_dbusd_t:dbus $1_dbusd_$1_t;
|
||||||
+ allow $2 $1_dbusd_t:unix_stream_socket { getattr connectto };
|
+ allow $2 $1_dbusd_t:unix_stream_socket { getattr connectto };
|
||||||
+ allow $2 $1_dbusd_t:unix_dgram_socket getattr;
|
+ allow $2 $1_dbusd_t:unix_dgram_socket getattr;
|
||||||
|
+ allow $1_dbusd_t $2:unix_stream_socket rw_socket_perms;
|
||||||
|
|
||||||
# SE-DBus specific permissions
|
# SE-DBus specific permissions
|
||||||
- allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
|
- allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
|
||||||
|
@ -14771,7 +14772,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
|
allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
|
||||||
read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
|
read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
|
||||||
@@ -102,10 +105,9 @@
|
@@ -102,10 +106,9 @@
|
||||||
files_tmp_filetrans($1_dbusd_t, $1_dbusd_tmp_t, { file dir })
|
files_tmp_filetrans($1_dbusd_t, $1_dbusd_tmp_t, { file dir })
|
||||||
|
|
||||||
domtrans_pattern($2, system_dbusd_exec_t, $1_dbusd_t)
|
domtrans_pattern($2, system_dbusd_exec_t, $1_dbusd_t)
|
||||||
|
@ -14784,7 +14785,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
allow $1_dbusd_t $2:process sigkill;
|
allow $1_dbusd_t $2:process sigkill;
|
||||||
allow $2 $1_dbusd_t:fd use;
|
allow $2 $1_dbusd_t:fd use;
|
||||||
allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms;
|
allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms;
|
||||||
@@ -115,8 +117,8 @@
|
@@ -115,8 +118,8 @@
|
||||||
kernel_read_kernel_sysctls($1_dbusd_t)
|
kernel_read_kernel_sysctls($1_dbusd_t)
|
||||||
|
|
||||||
corecmd_list_bin($1_dbusd_t)
|
corecmd_list_bin($1_dbusd_t)
|
||||||
|
@ -14794,7 +14795,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
corecmd_read_bin_pipes($1_dbusd_t)
|
corecmd_read_bin_pipes($1_dbusd_t)
|
||||||
corecmd_read_bin_sockets($1_dbusd_t)
|
corecmd_read_bin_sockets($1_dbusd_t)
|
||||||
|
|
||||||
@@ -139,6 +141,7 @@
|
@@ -139,6 +142,7 @@
|
||||||
|
|
||||||
fs_getattr_romfs($1_dbusd_t)
|
fs_getattr_romfs($1_dbusd_t)
|
||||||
fs_getattr_xattr_fs($1_dbusd_t)
|
fs_getattr_xattr_fs($1_dbusd_t)
|
||||||
|
@ -14802,7 +14803,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
selinux_get_fs_mount($1_dbusd_t)
|
selinux_get_fs_mount($1_dbusd_t)
|
||||||
selinux_validate_context($1_dbusd_t)
|
selinux_validate_context($1_dbusd_t)
|
||||||
@@ -161,12 +164,24 @@
|
@@ -161,12 +165,24 @@
|
||||||
seutil_read_config($1_dbusd_t)
|
seutil_read_config($1_dbusd_t)
|
||||||
seutil_read_default_contexts($1_dbusd_t)
|
seutil_read_default_contexts($1_dbusd_t)
|
||||||
|
|
||||||
|
@ -14828,7 +14829,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
tunable_policy(`read_default_t',`
|
tunable_policy(`read_default_t',`
|
||||||
files_list_default($1_dbusd_t)
|
files_list_default($1_dbusd_t)
|
||||||
files_read_default_files($1_dbusd_t)
|
files_read_default_files($1_dbusd_t)
|
||||||
@@ -180,8 +195,15 @@
|
@@ -180,9 +196,17 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -14842,9 +14843,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+ xserver_dontaudit_xdm_lib_search($1_dbusd_t)
|
+ xserver_dontaudit_xdm_lib_search($1_dbusd_t)
|
||||||
+ xserver_rw_xdm_home_files($1_dbusd_t)
|
+ xserver_rw_xdm_home_files($1_dbusd_t)
|
||||||
')
|
')
|
||||||
|
+
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -207,14 +229,12 @@
|
#######################################
|
||||||
|
@@ -207,14 +231,12 @@
|
||||||
type system_dbusd_t, system_dbusd_t;
|
type system_dbusd_t, system_dbusd_t;
|
||||||
type system_dbusd_var_run_t, system_dbusd_var_lib_t;
|
type system_dbusd_var_run_t, system_dbusd_var_lib_t;
|
||||||
class dbus send_msg;
|
class dbus send_msg;
|
||||||
|
@ -14862,7 +14865,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
|
read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
|
||||||
files_search_var_lib($2)
|
files_search_var_lib($2)
|
||||||
@@ -223,6 +243,10 @@
|
@@ -223,6 +245,10 @@
|
||||||
files_search_pids($2)
|
files_search_pids($2)
|
||||||
stream_connect_pattern($2, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
|
stream_connect_pattern($2, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
|
||||||
dbus_read_config($2)
|
dbus_read_config($2)
|
||||||
|
@ -14873,7 +14876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@@ -251,18 +275,16 @@
|
@@ -251,18 +277,16 @@
|
||||||
template(`dbus_user_bus_client_template',`
|
template(`dbus_user_bus_client_template',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type $1_dbusd_t;
|
type $1_dbusd_t;
|
||||||
|
@ -14894,7 +14897,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -292,6 +314,55 @@
|
@@ -292,6 +316,55 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -14950,7 +14953,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
## Read dbus configuration.
|
## Read dbus configuration.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -366,3 +437,75 @@
|
@@ -366,3 +439,75 @@
|
||||||
|
|
||||||
allow $1 system_dbusd_t:dbus *;
|
allow $1 system_dbusd_t:dbus *;
|
||||||
')
|
')
|
||||||
|
@ -15028,7 +15031,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.5.8/policy/modules/services/dbus.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.5.8/policy/modules/services/dbus.te
|
||||||
--- nsaserefpolicy/policy/modules/services/dbus.te 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/dbus.te 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.8/policy/modules/services/dbus.te 2008-09-17 08:49:08.000000000 -0400
|
+++ serefpolicy-3.5.8/policy/modules/services/dbus.te 2008-09-23 15:32:31.000000000 -0400
|
||||||
@@ -9,9 +9,10 @@
|
@@ -9,9 +9,10 @@
|
||||||
#
|
#
|
||||||
# Delcarations
|
# Delcarations
|
||||||
|
@ -15115,6 +15118,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
+ consolekit_dbus_chat(system_dbusd_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
+ gnome_exec_gconf(system_dbusd_t)
|
+ gnome_exec_gconf(system_dbusd_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
@ -15136,10 +15143,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
')
|
')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ consolekit_dbus_chat(system_dbusd_t)
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
+optional_policy(`
|
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ type unconfined_dbusd_t;
|
+ type unconfined_dbusd_t;
|
||||||
+ ')
|
+ ')
|
||||||
|
@ -19515,7 +19518,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
+/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.5.8/policy/modules/services/networkmanager.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.5.8/policy/modules/services/networkmanager.if
|
||||||
--- nsaserefpolicy/policy/modules/services/networkmanager.if 2008-09-11 11:28:34.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/networkmanager.if 2008-09-11 11:28:34.000000000 -0400
|
||||||
+++ serefpolicy-3.5.8/policy/modules/services/networkmanager.if 2008-09-17 08:49:08.000000000 -0400
|
+++ serefpolicy-3.5.8/policy/modules/services/networkmanager.if 2008-09-23 11:18:34.000000000 -0400
|
||||||
@@ -118,6 +118,24 @@
|
@@ -118,6 +118,24 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -19543,13 +19546,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.8/policy/modules/services/networkmanager.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.8/policy/modules/services/networkmanager.te
|
||||||
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-09-11 11:28:34.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-09-11 11:28:34.000000000 -0400
|
||||||
+++ serefpolicy-3.5.8/policy/modules/services/networkmanager.te 2008-09-22 09:09:30.000000000 -0400
|
+++ serefpolicy-3.5.8/policy/modules/services/networkmanager.te 2008-09-23 16:02:33.000000000 -0400
|
||||||
@@ -29,9 +29,9 @@
|
@@ -29,9 +29,9 @@
|
||||||
|
|
||||||
# networkmanager will ptrace itself if gdb is installed
|
# networkmanager will ptrace itself if gdb is installed
|
||||||
# and it receives a unexpected signal (rh bug #204161)
|
# and it receives a unexpected signal (rh bug #204161)
|
||||||
-allow NetworkManager_t self:capability { kill setgid setuid dac_override net_admin net_raw net_bind_service ipc_lock };
|
-allow NetworkManager_t self:capability { kill setgid setuid dac_override net_admin net_raw net_bind_service ipc_lock };
|
||||||
+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
|
+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
|
||||||
dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
|
dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
|
||||||
-allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
|
-allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
|
||||||
+allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
|
+allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
|
||||||
|
@ -21909,7 +21912,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
|
/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.5.8/policy/modules/services/ppp.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.5.8/policy/modules/services/ppp.if
|
||||||
--- nsaserefpolicy/policy/modules/services/ppp.if 2008-09-11 11:28:34.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/ppp.if 2008-09-11 11:28:34.000000000 -0400
|
||||||
+++ serefpolicy-3.5.8/policy/modules/services/ppp.if 2008-09-17 08:49:08.000000000 -0400
|
+++ serefpolicy-3.5.8/policy/modules/services/ppp.if 2008-09-23 15:53:43.000000000 -0400
|
||||||
@@ -310,6 +310,24 @@
|
@@ -310,6 +310,24 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -26773,7 +26776,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.5.8/policy/modules/services/squid.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.5.8/policy/modules/services/squid.te
|
||||||
--- nsaserefpolicy/policy/modules/services/squid.te 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/squid.te 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.8/policy/modules/services/squid.te 2008-09-17 08:49:09.000000000 -0400
|
+++ serefpolicy-3.5.8/policy/modules/services/squid.te 2008-09-23 15:23:35.000000000 -0400
|
||||||
@@ -31,12 +31,15 @@
|
@@ -31,12 +31,15 @@
|
||||||
type squid_var_run_t;
|
type squid_var_run_t;
|
||||||
files_pid_file(squid_var_run_t)
|
files_pid_file(squid_var_run_t)
|
||||||
|
@ -26829,7 +26832,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
libs_use_ld_so(squid_t)
|
libs_use_ld_so(squid_t)
|
||||||
libs_use_shared_libs(squid_t)
|
libs_use_shared_libs(squid_t)
|
||||||
@@ -149,11 +158,7 @@
|
@@ -146,14 +155,11 @@
|
||||||
|
|
||||||
|
tunable_policy(`squid_connect_any',`
|
||||||
|
corenet_tcp_connect_all_ports(squid_t)
|
||||||
|
+ corenet_tcp_bind_all_ports(squid_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -26842,7 +26849,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -168,7 +173,12 @@
|
@@ -168,7 +174,12 @@
|
||||||
udev_read_db(squid_t)
|
udev_read_db(squid_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -30107,7 +30114,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
#
|
#
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.5.8/policy/modules/system/init.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.5.8/policy/modules/system/init.if
|
||||||
--- nsaserefpolicy/policy/modules/system/init.if 2008-09-12 10:48:05.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/init.if 2008-09-12 10:48:05.000000000 -0400
|
||||||
+++ serefpolicy-3.5.8/policy/modules/system/init.if 2008-09-17 08:49:09.000000000 -0400
|
+++ serefpolicy-3.5.8/policy/modules/system/init.if 2008-09-23 11:15:16.000000000 -0400
|
||||||
@@ -278,6 +278,27 @@
|
@@ -278,6 +278,27 @@
|
||||||
kernel_dontaudit_use_fds($1)
|
kernel_dontaudit_use_fds($1)
|
||||||
')
|
')
|
||||||
|
@ -30320,7 +30327,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.5.8/policy/modules/system/init.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.5.8/policy/modules/system/init.te
|
||||||
--- nsaserefpolicy/policy/modules/system/init.te 2008-09-12 10:48:05.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/init.te 2008-09-12 10:48:05.000000000 -0400
|
||||||
+++ serefpolicy-3.5.8/policy/modules/system/init.te 2008-09-17 08:49:09.000000000 -0400
|
+++ serefpolicy-3.5.8/policy/modules/system/init.te 2008-09-23 15:44:50.000000000 -0400
|
||||||
@@ -17,6 +17,20 @@
|
@@ -17,6 +17,20 @@
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(init_upstart,false)
|
gen_tunable(init_upstart,false)
|
||||||
|
@ -30393,7 +30400,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
nscd_socket_use(init_t)
|
nscd_socket_use(init_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -204,7 +230,7 @@
|
@@ -204,9 +230,10 @@
|
||||||
#
|
#
|
||||||
|
|
||||||
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
|
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
|
||||||
|
@ -30401,8 +30408,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+allow initrc_t self:capability ~{ audit_control audit_write sys_admin sys_module };
|
+allow initrc_t self:capability ~{ audit_control audit_write sys_admin sys_module };
|
||||||
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
|
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
|
||||||
allow initrc_t self:passwd rootok;
|
allow initrc_t self:passwd rootok;
|
||||||
|
+allow initrc_t self:key { search };
|
||||||
|
|
||||||
@@ -219,7 +245,8 @@
|
# Allow IPC with self
|
||||||
|
allow initrc_t self:unix_dgram_socket create_socket_perms;
|
||||||
|
@@ -219,7 +246,8 @@
|
||||||
term_create_pty(initrc_t,initrc_devpts_t)
|
term_create_pty(initrc_t,initrc_devpts_t)
|
||||||
|
|
||||||
# Going to single user mode
|
# Going to single user mode
|
||||||
|
@ -30412,7 +30422,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
can_exec(initrc_t, init_script_file_type)
|
can_exec(initrc_t, init_script_file_type)
|
||||||
|
|
||||||
@@ -232,6 +259,7 @@
|
@@ -232,6 +260,7 @@
|
||||||
|
|
||||||
allow initrc_t initrc_var_run_t:file manage_file_perms;
|
allow initrc_t initrc_var_run_t:file manage_file_perms;
|
||||||
files_pid_filetrans(initrc_t,initrc_var_run_t,file)
|
files_pid_filetrans(initrc_t,initrc_var_run_t,file)
|
||||||
|
@ -30420,7 +30430,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
can_exec(initrc_t,initrc_tmp_t)
|
can_exec(initrc_t,initrc_tmp_t)
|
||||||
allow initrc_t initrc_tmp_t:file manage_file_perms;
|
allow initrc_t initrc_tmp_t:file manage_file_perms;
|
||||||
@@ -276,7 +304,7 @@
|
@@ -276,7 +305,7 @@
|
||||||
dev_read_sound_mixer(initrc_t)
|
dev_read_sound_mixer(initrc_t)
|
||||||
dev_write_sound_mixer(initrc_t)
|
dev_write_sound_mixer(initrc_t)
|
||||||
dev_setattr_all_chr_files(initrc_t)
|
dev_setattr_all_chr_files(initrc_t)
|
||||||
|
@ -30429,7 +30439,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
dev_delete_lvm_control_dev(initrc_t)
|
dev_delete_lvm_control_dev(initrc_t)
|
||||||
dev_manage_generic_symlinks(initrc_t)
|
dev_manage_generic_symlinks(initrc_t)
|
||||||
dev_manage_generic_files(initrc_t)
|
dev_manage_generic_files(initrc_t)
|
||||||
@@ -521,6 +549,31 @@
|
@@ -371,6 +400,7 @@
|
||||||
|
libs_use_shared_libs(initrc_t)
|
||||||
|
libs_exec_lib_files(initrc_t)
|
||||||
|
|
||||||
|
+logging_send_audit_msgs(initrc_t)
|
||||||
|
logging_send_syslog_msg(initrc_t)
|
||||||
|
logging_manage_generic_logs(initrc_t)
|
||||||
|
logging_read_all_logs(initrc_t)
|
||||||
|
@@ -521,6 +551,31 @@
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -30461,7 +30479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
amavis_search_lib(initrc_t)
|
amavis_search_lib(initrc_t)
|
||||||
amavis_setattr_pid_files(initrc_t)
|
amavis_setattr_pid_files(initrc_t)
|
||||||
@@ -579,6 +632,10 @@
|
@@ -579,6 +634,10 @@
|
||||||
dbus_read_config(initrc_t)
|
dbus_read_config(initrc_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -30472,7 +30490,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
networkmanager_dbus_chat(initrc_t)
|
networkmanager_dbus_chat(initrc_t)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
@@ -664,12 +721,6 @@
|
@@ -664,12 +723,6 @@
|
||||||
mta_read_config(initrc_t)
|
mta_read_config(initrc_t)
|
||||||
mta_dontaudit_read_spool_symlinks(initrc_t)
|
mta_dontaudit_read_spool_symlinks(initrc_t)
|
||||||
')
|
')
|
||||||
|
@ -30485,7 +30503,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
ifdef(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
@@ -730,6 +781,9 @@
|
@@ -730,6 +783,9 @@
|
||||||
|
|
||||||
# why is this needed:
|
# why is this needed:
|
||||||
rpm_manage_db(initrc_t)
|
rpm_manage_db(initrc_t)
|
||||||
|
@ -30495,7 +30513,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -742,10 +796,12 @@
|
@@ -742,10 +798,12 @@
|
||||||
squid_manage_logs(initrc_t)
|
squid_manage_logs(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -30508,7 +30526,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
ssh_dontaudit_read_server_keys(initrc_t)
|
ssh_dontaudit_read_server_keys(initrc_t)
|
||||||
@@ -763,6 +819,11 @@
|
@@ -763,6 +821,11 @@
|
||||||
uml_setattr_util_sockets(initrc_t)
|
uml_setattr_util_sockets(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -30520,7 +30538,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
unconfined_domain(initrc_t)
|
unconfined_domain(initrc_t)
|
||||||
|
|
||||||
@@ -777,6 +838,10 @@
|
@@ -777,6 +840,10 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -30531,7 +30549,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
vmware_read_system_config(initrc_t)
|
vmware_read_system_config(initrc_t)
|
||||||
vmware_append_system_config(initrc_t)
|
vmware_append_system_config(initrc_t)
|
||||||
')
|
')
|
||||||
@@ -799,3 +864,11 @@
|
@@ -799,3 +866,11 @@
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
zebra_read_config(initrc_t)
|
zebra_read_config(initrc_t)
|
||||||
')
|
')
|
||||||
|
@ -32469,8 +32487,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
')
|
')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.5.8/policy/modules/system/sysnetwork.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.5.8/policy/modules/system/sysnetwork.fc
|
||||||
--- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2008-08-07 11:15:12.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2008-08-07 11:15:12.000000000 -0400
|
||||||
+++ serefpolicy-3.5.8/policy/modules/system/sysnetwork.fc 2008-09-17 08:49:09.000000000 -0400
|
+++ serefpolicy-3.5.8/policy/modules/system/sysnetwork.fc 2008-09-23 14:00:14.000000000 -0400
|
||||||
@@ -57,3 +57,5 @@
|
@@ -11,6 +11,7 @@
|
||||||
|
/etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
|
||||||
|
/etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
|
||||||
|
/etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
|
||||||
|
+/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
|
||||||
|
/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
|
||||||
|
/etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
|
||||||
|
|
||||||
|
@@ -57,3 +58,5 @@
|
||||||
ifdef(`distro_gentoo',`
|
ifdef(`distro_gentoo',`
|
||||||
/var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
|
/var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
|
||||||
')
|
')
|
||||||
|
|
|
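Review bot: In the networkmanager.te hunk the replaced `allow NetworkManager_t self:capability { … }` rule gains `sys_admin`, the broadest capability in the kernel, with no comment explaining which NetworkManager operation triggers it, and the grant is unrelated to the commit's stated purpose of letting confined users log in with dbus. A reviewer would want either a narrower capability or a dontaudit if the denial is harmless, and in any case a why-comment on the line, e.g. `# sys_admin: needed for <NM operation — TODO confirm from the audit denial>`. The rest of the NetworkManager_t self rules continue outside this hunk, so it is not visible here whether a dontaudit for sys_admin already exists. The squid.te hunk has the same shape of problem: `corenet_tcp_bind_all_ports(squid_t)` is added inside the `squid_connect_any` tunable block, but binding to every port is a different privilege from connecting outbound, and the tunable's description (not in view) presumably only mentions connections, so either the description should be updated or the bind rule should get its own tunable.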
@ -17,7 +17,7 @@
|
||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.5.8
|
Version: 3.5.8
|
||||||
Release: 6%{?dist}
|
Release: 7%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
|
@ -381,6 +381,9 @@ exit 0
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Sep 23 2008 Dan Walsh <dwalsh@redhat.com> 3.5.8-7
|
||||||
|
- Allow confined users to login with dbus
|
||||||
|
|
||||||
* Mon Sep 22 2008 Dan Walsh <dwalsh@redhat.com> 3.5.8-6
|
* Mon Sep 22 2008 Dan Walsh <dwalsh@redhat.com> 3.5.8-6
|
||||||
- Fix transition to nsplugin
|
- Fix transition to nsplugin
|
||||||
|
|
||||||
|
|