- Fix role transition from unconfined_r to system_r when running rpm
- Allow unconfined_domains to communicate with user dbus instances
parent
5d13344539
commit
ed3c8b6ddb
@ -2437,7 +2437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
|
|||||||
# /bin
|
# /bin
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.2.5/policy/modules/apps/mozilla.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.2.5/policy/modules/apps/mozilla.if
|
||||||
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-10-29 07:52:48.000000000 -0400
|
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-10-29 07:52:48.000000000 -0400
|
||||||
+++ serefpolicy-3.2.5/policy/modules/apps/mozilla.if 2007-12-24 06:47:25.000000000 -0500
|
+++ serefpolicy-3.2.5/policy/modules/apps/mozilla.if 2007-12-26 18:15:18.000000000 -0500
|
||||||
@@ -35,7 +35,10 @@
|
@@ -35,7 +35,10 @@
|
||||||
template(`mozilla_per_role_template',`
|
template(`mozilla_per_role_template',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -4446,7 +4446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.2.5/policy/modules/services/apache.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.2.5/policy/modules/services/apache.te
|
||||||
--- nsaserefpolicy/policy/modules/services/apache.te 2007-12-19 05:32:17.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/apache.te 2007-12-19 05:32:17.000000000 -0500
|
||||||
+++ serefpolicy-3.2.5/policy/modules/services/apache.te 2007-12-19 05:38:09.000000000 -0500
|
+++ serefpolicy-3.2.5/policy/modules/services/apache.te 2007-12-26 19:16:19.000000000 -0500
|
||||||
@@ -20,6 +20,8 @@
|
@@ -20,6 +20,8 @@
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
@ -4643,7 +4643,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
tunable_policy(`httpd_ssi_exec',`
|
tunable_policy(`httpd_ssi_exec',`
|
||||||
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
|
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
|
||||||
allow httpd_sys_script_t httpd_t:fd use;
|
allow httpd_sys_script_t httpd_t:fd use;
|
||||||
@@ -437,8 +505,14 @@
|
@@ -425,6 +493,10 @@
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
+ application_exec(httpd_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
calamaris_read_www_files(httpd_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
@@ -437,8 +509,14 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
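Review bot: The added row `+ application_exec(httpd_t)` lets the web server domain execute any binary carrying an application executable type, which is a broad grant for a network-facing daemon and is not mentioned in the commit message. The `httpd_ssi_exec` block a few rows above shows how this module already gates optional execution rights behind a tunable; consider the same treatment here, or the interface for the one program httpd actually needs to run instead of the whole application class. At minimum a comment naming the workload that produced the denial would let the next maintainer judge whether the rule can be narrowed.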
@ -4659,7 +4670,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -450,19 +524,13 @@
|
@@ -450,19 +528,13 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -4680,7 +4691,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -472,13 +540,14 @@
|
@@ -472,13 +544,14 @@
|
||||||
openca_kill(httpd_t)
|
openca_kill(httpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -4699,7 +4710,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -486,6 +555,7 @@
|
@@ -486,6 +559,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -4707,7 +4718,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
|
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
|
||||||
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
|
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
|
||||||
')
|
')
|
||||||
@@ -521,6 +591,13 @@
|
@@ -521,6 +595,13 @@
|
||||||
userdom_use_sysadm_terms(httpd_helper_t)
|
userdom_use_sysadm_terms(httpd_helper_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -4721,7 +4732,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Apache PHP script local policy
|
# Apache PHP script local policy
|
||||||
@@ -550,18 +627,24 @@
|
@@ -550,18 +631,24 @@
|
||||||
|
|
||||||
fs_search_auto_mountpoints(httpd_php_t)
|
fs_search_auto_mountpoints(httpd_php_t)
|
||||||
|
|
||||||
@ -4749,7 +4760,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -585,6 +668,8 @@
|
@@ -585,6 +672,8 @@
|
||||||
manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
|
manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
|
||||||
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
|
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
|
||||||
|
|
||||||
@ -4758,7 +4769,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
kernel_read_kernel_sysctls(httpd_suexec_t)
|
kernel_read_kernel_sysctls(httpd_suexec_t)
|
||||||
kernel_list_proc(httpd_suexec_t)
|
kernel_list_proc(httpd_suexec_t)
|
||||||
kernel_read_proc_symlinks(httpd_suexec_t)
|
kernel_read_proc_symlinks(httpd_suexec_t)
|
||||||
@@ -638,6 +723,12 @@
|
@@ -638,6 +727,12 @@
|
||||||
fs_exec_nfs_files(httpd_suexec_t)
|
fs_exec_nfs_files(httpd_suexec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -4771,7 +4782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||||
fs_read_cifs_files(httpd_suexec_t)
|
fs_read_cifs_files(httpd_suexec_t)
|
||||||
fs_read_cifs_symlinks(httpd_suexec_t)
|
fs_read_cifs_symlinks(httpd_suexec_t)
|
||||||
@@ -655,10 +746,6 @@
|
@@ -655,10 +750,6 @@
|
||||||
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -4782,7 +4793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Apache system script local policy
|
# Apache system script local policy
|
||||||
@@ -668,7 +755,8 @@
|
@@ -668,7 +759,8 @@
|
||||||
|
|
||||||
dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
||||||
|
|
||||||
@ -4792,7 +4803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
|
|
||||||
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
|
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
|
||||||
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
|
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
|
||||||
@@ -682,15 +770,44 @@
|
@@ -682,15 +774,44 @@
|
||||||
# Should we add a boolean?
|
# Should we add a boolean?
|
||||||
apache_domtrans_rotatelogs(httpd_sys_script_t)
|
apache_domtrans_rotatelogs(httpd_sys_script_t)
|
||||||
|
|
||||||
@ -4804,15 +4815,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
|
|
||||||
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||||
+tunable_policy(`httpd_use_nfs', `
|
+tunable_policy(`httpd_use_nfs', `
|
||||||
+ fs_read_nfs_files(httpd_sys_script_t)
|
|
||||||
+ fs_read_nfs_symlinks(httpd_sys_script_t)
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
|
|
||||||
fs_read_nfs_files(httpd_sys_script_t)
|
fs_read_nfs_files(httpd_sys_script_t)
|
||||||
fs_read_nfs_symlinks(httpd_sys_script_t)
|
fs_read_nfs_symlinks(httpd_sys_script_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
|
||||||
|
+ fs_read_nfs_files(httpd_sys_script_t)
|
||||||
|
+ fs_read_nfs_symlinks(httpd_sys_script_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
|
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
|
||||||
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
|
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
|
||||||
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
|
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
|
||||||
@ -4838,7 +4849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||||
fs_read_cifs_files(httpd_sys_script_t)
|
fs_read_cifs_files(httpd_sys_script_t)
|
||||||
fs_read_cifs_symlinks(httpd_sys_script_t)
|
fs_read_cifs_symlinks(httpd_sys_script_t)
|
||||||
@@ -700,9 +817,15 @@
|
@@ -700,9 +821,15 @@
|
||||||
clamav_domtrans_clamscan(httpd_sys_script_t)
|
clamav_domtrans_clamscan(httpd_sys_script_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -4854,7 +4865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -724,3 +847,46 @@
|
@@ -724,3 +851,46 @@
|
||||||
logging_search_logs(httpd_rotatelogs_t)
|
logging_search_logs(httpd_rotatelogs_t)
|
||||||
|
|
||||||
miscfiles_read_localization(httpd_rotatelogs_t)
|
miscfiles_read_localization(httpd_rotatelogs_t)
|
||||||
@ -5473,7 +5484,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.2.5/policy/modules/services/cron.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.2.5/policy/modules/services/cron.te
|
||||||
--- nsaserefpolicy/policy/modules/services/cron.te 2007-12-19 05:32:17.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/cron.te 2007-12-19 05:32:17.000000000 -0500
|
||||||
+++ serefpolicy-3.2.5/policy/modules/services/cron.te 2007-12-19 05:38:09.000000000 -0500
|
+++ serefpolicy-3.2.5/policy/modules/services/cron.te 2007-12-27 07:19:39.000000000 -0500
|
||||||
@@ -50,6 +50,7 @@
|
@@ -50,6 +50,7 @@
|
||||||
|
|
||||||
type crond_tmp_t;
|
type crond_tmp_t;
|
||||||
@ -5532,7 +5543,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
|||||||
|
|
||||||
files_read_etc_files(crond_t)
|
files_read_etc_files(crond_t)
|
||||||
files_read_generic_spool(crond_t)
|
files_read_generic_spool(crond_t)
|
||||||
@@ -148,7 +156,9 @@
|
@@ -142,13 +150,16 @@
|
||||||
|
files_search_default(crond_t)
|
||||||
|
|
||||||
|
init_rw_utmp(crond_t)
|
||||||
|
+init_spec_domtrans_script(crond_t)
|
||||||
|
|
||||||
|
auth_use_nsswitch(crond_t)
|
||||||
|
|
||||||
libs_use_ld_so(crond_t)
|
libs_use_ld_so(crond_t)
|
||||||
libs_use_shared_libs(crond_t)
|
libs_use_shared_libs(crond_t)
|
||||||
|
|
||||||
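Review bot: `+init_spec_domtrans_script(crond_t)` is added without a comment, and neither the commit message nor the neighbouring rules (`init_rw_utmp`, `auth_use_nsswitch`) hint at why the cron daemon needs to transition into the init-script domain. A transition from an unattended job scheduler into init scripts widens what a misconfigured or compromised crond can start, so the trigger deserves to be recorded. Suggest a one-line comment above the rule naming the job or package that requires it, or the bug reference that motivated the change.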
@ -5542,7 +5560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
|||||||
|
|
||||||
seutil_read_config(crond_t)
|
seutil_read_config(crond_t)
|
||||||
seutil_read_default_contexts(crond_t)
|
seutil_read_default_contexts(crond_t)
|
||||||
@@ -163,9 +173,6 @@
|
@@ -163,9 +174,6 @@
|
||||||
mta_send_mail(crond_t)
|
mta_send_mail(crond_t)
|
||||||
|
|
||||||
ifdef(`distro_debian',`
|
ifdef(`distro_debian',`
|
||||||
@ -5552,7 +5570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
# Debian logcheck has the home dir set to its cache
|
# Debian logcheck has the home dir set to its cache
|
||||||
logwatch_search_cache_dir(crond_t)
|
logwatch_search_cache_dir(crond_t)
|
||||||
@@ -180,21 +187,45 @@
|
@@ -180,21 +188,45 @@
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -5599,7 +5617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -267,9 +298,16 @@
|
@@ -267,9 +299,16 @@
|
||||||
filetrans_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t,{ file lnk_file })
|
filetrans_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t,{ file lnk_file })
|
||||||
files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file)
|
files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file)
|
||||||
|
|
||||||
@ -5617,7 +5635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
|||||||
|
|
||||||
kernel_read_kernel_sysctls(system_crond_t)
|
kernel_read_kernel_sysctls(system_crond_t)
|
||||||
kernel_read_system_state(system_crond_t)
|
kernel_read_system_state(system_crond_t)
|
||||||
@@ -323,7 +361,7 @@
|
@@ -323,7 +362,7 @@
|
||||||
init_read_utmp(system_crond_t)
|
init_read_utmp(system_crond_t)
|
||||||
init_dontaudit_rw_utmp(system_crond_t)
|
init_dontaudit_rw_utmp(system_crond_t)
|
||||||
# prelink tells init to restart it self, we either need to allow or dontaudit
|
# prelink tells init to restart it self, we either need to allow or dontaudit
|
||||||
@ -5626,7 +5644,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
|||||||
|
|
||||||
auth_use_nsswitch(system_crond_t)
|
auth_use_nsswitch(system_crond_t)
|
||||||
|
|
||||||
@@ -333,6 +371,7 @@
|
@@ -333,6 +372,7 @@
|
||||||
libs_exec_ld_so(system_crond_t)
|
libs_exec_ld_so(system_crond_t)
|
||||||
|
|
||||||
logging_read_generic_logs(system_crond_t)
|
logging_read_generic_logs(system_crond_t)
|
||||||
@ -5634,7 +5652,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
|||||||
logging_send_syslog_msg(system_crond_t)
|
logging_send_syslog_msg(system_crond_t)
|
||||||
|
|
||||||
miscfiles_read_localization(system_crond_t)
|
miscfiles_read_localization(system_crond_t)
|
||||||
@@ -383,6 +422,14 @@
|
@@ -383,6 +423,14 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -5649,7 +5667,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
|||||||
mrtg_append_create_logs(system_crond_t)
|
mrtg_append_create_logs(system_crond_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -415,8 +462,7 @@
|
@@ -415,8 +463,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -5659,7 +5677,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -424,8 +470,13 @@
|
@@ -424,8 +471,13 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -6031,8 +6049,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.
|
|||||||
-')
|
-')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.5/policy/modules/services/dbus.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.5/policy/modules/services/dbus.if
|
||||||
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500
|
||||||
+++ serefpolicy-3.2.5/policy/modules/services/dbus.if 2007-12-24 06:16:06.000000000 -0500
|
+++ serefpolicy-3.2.5/policy/modules/services/dbus.if 2007-12-30 09:53:47.000000000 -0500
|
||||||
@@ -91,7 +91,9 @@
|
@@ -53,6 +53,7 @@
|
||||||
|
gen_require(`
|
||||||
|
type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
|
||||||
|
class dbus { send_msg acquire_svc };
|
||||||
|
+ attribute dbusd_unconfined;
|
||||||
|
')
|
||||||
|
|
||||||
|
##############################
|
||||||
|
@@ -84,6 +85,9 @@
|
||||||
|
allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
|
||||||
|
allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
|
||||||
|
|
||||||
|
+ allow dbusd_unconfined $1_dbusd_t:dbus { send_msg acquire_svc };
|
||||||
|
+ allow $1_dbusd_t dbusd_unconfined:dbus send_msg;
|
||||||
|
+
|
||||||
|
# For connecting to the bus
|
||||||
|
allow $2 $1_dbusd_t:unix_stream_socket connectto;
|
||||||
|
type_change $2 $1_dbusd_t:dbus $1_dbusd_$1_t;
|
||||||
|
@@ -91,7 +95,9 @@
|
||||||
# SE-DBus specific permissions
|
# SE-DBus specific permissions
|
||||||
allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
|
allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
|
||||||
allow $2 $1_dbusd_t:dbus { send_msg acquire_svc };
|
allow $2 $1_dbusd_t:dbus { send_msg acquire_svc };
|
||||||
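Review bot: The rules `allow dbusd_unconfined $1_dbusd_t:dbus { send_msg acquire_svc };` and `allow $1_dbusd_t dbusd_unconfined:dbus send_msg;` sit inside `dbus_per_role_template`, so every domain carrying `dbusd_unconfined` can message and acquire service names on every user's session bus. `acquire_svc` is the stronger half: it lets such a domain register well-known names that other clients on that bus then talk to, so the attribute must only be assigned to genuinely unconfined domains and that expectation should be stated in a comment next to the rules, e.g. `# dbusd_unconfined domains may claim names on any user bus; assign sparingly`. The same attribute is also pulled into `gen_require` in `dbus_user_bus_client_template` (hunk at `@ -6073`) where no rule visible in that hunk references it; if the use is outside the hunk that is fine, otherwise the require is dead. Where `dbusd_unconfined` itself is declared is not visible in this commit.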
@ -6043,7 +6079,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
|||||||
|
|
||||||
allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
|
allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
|
||||||
read_files_pattern($1_dbusd_t,dbusd_etc_t,dbusd_etc_t)
|
read_files_pattern($1_dbusd_t,dbusd_etc_t,dbusd_etc_t)
|
||||||
@@ -104,8 +106,7 @@
|
@@ -104,8 +110,7 @@
|
||||||
domtrans_pattern($2, system_dbusd_exec_t, $1_dbusd_t)
|
domtrans_pattern($2, system_dbusd_exec_t, $1_dbusd_t)
|
||||||
allow $2 $1_dbusd_t:process { sigkill signal };
|
allow $2 $1_dbusd_t:process { sigkill signal };
|
||||||
|
|
||||||
@ -6053,7 +6089,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
|||||||
allow $1_dbusd_t $2:process sigkill;
|
allow $1_dbusd_t $2:process sigkill;
|
||||||
allow $2 $1_dbusd_t:fd use;
|
allow $2 $1_dbusd_t:fd use;
|
||||||
allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms;
|
allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms;
|
||||||
@@ -161,7 +162,9 @@
|
@@ -161,7 +166,9 @@
|
||||||
seutil_read_config($1_dbusd_t)
|
seutil_read_config($1_dbusd_t)
|
||||||
seutil_read_default_contexts($1_dbusd_t)
|
seutil_read_default_contexts($1_dbusd_t)
|
||||||
|
|
||||||
@ -6064,7 +6100,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
|||||||
|
|
||||||
ifdef(`hide_broken_symptoms', `
|
ifdef(`hide_broken_symptoms', `
|
||||||
dontaudit $2 $1_dbusd_t:netlink_selinux_socket { read write };
|
dontaudit $2 $1_dbusd_t:netlink_selinux_socket { read write };
|
||||||
@@ -214,7 +217,7 @@
|
@@ -214,7 +221,7 @@
|
||||||
|
|
||||||
# SE-DBus specific permissions
|
# SE-DBus specific permissions
|
||||||
# allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
|
# allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
|
||||||
@ -6073,7 +6109,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
|||||||
|
|
||||||
read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
|
read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
|
||||||
files_search_var_lib($2)
|
files_search_var_lib($2)
|
||||||
@@ -263,6 +266,7 @@
|
@@ -251,6 +258,7 @@
|
||||||
|
template(`dbus_user_bus_client_template',`
|
||||||
|
gen_require(`
|
||||||
|
type $1_dbusd_t;
|
||||||
|
+ attribute dbusd_unconfined;
|
||||||
|
class dbus send_msg;
|
||||||
|
')
|
||||||
|
|
||||||
|
@@ -263,6 +271,7 @@
|
||||||
|
|
||||||
# For connecting to the bus
|
# For connecting to the bus
|
||||||
allow $3 $1_dbusd_t:unix_stream_socket connectto;
|
allow $3 $1_dbusd_t:unix_stream_socket connectto;
|
||||||
@ -6081,7 +6125,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -292,6 +296,59 @@
|
@@ -292,6 +301,59 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -6141,7 +6185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
|||||||
## Read dbus configuration.
|
## Read dbus configuration.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -366,3 +423,53 @@
|
@@ -366,3 +428,53 @@
|
||||||
|
|
||||||
allow $1 system_dbusd_t:dbus *;
|
allow $1 system_dbusd_t:dbus *;
|
||||||
')
|
')
|
||||||
@ -7328,7 +7372,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
|
|||||||
+files_type(mailscanner_spool_t)
|
+files_type(mailscanner_spool_t)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.2.5/policy/modules/services/mta.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.2.5/policy/modules/services/mta.if
|
||||||
--- nsaserefpolicy/policy/modules/services/mta.if 2007-12-06 13:12:03.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/mta.if 2007-12-06 13:12:03.000000000 -0500
|
||||||
+++ serefpolicy-3.2.5/policy/modules/services/mta.if 2007-12-19 05:38:09.000000000 -0500
|
+++ serefpolicy-3.2.5/policy/modules/services/mta.if 2007-12-27 11:44:00.000000000 -0500
|
||||||
@@ -133,6 +133,12 @@
|
@@ -133,6 +133,12 @@
|
||||||
sendmail_create_log($1_mail_t)
|
sendmail_create_log($1_mail_t)
|
||||||
')
|
')
|
||||||
@ -7415,7 +7459,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -438,20 +491,18 @@
|
@@ -422,6 +475,7 @@
|
||||||
|
# apache should set close-on-exec
|
||||||
|
apache_dontaudit_rw_stream_sockets($1)
|
||||||
|
apache_dontaudit_rw_sys_script_stream_sockets($1)
|
||||||
|
+ apache_append_log($1)
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
|
@@ -438,20 +492,18 @@
|
||||||
interface(`mta_send_mail',`
|
interface(`mta_send_mail',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute mta_user_agent;
|
attribute mta_user_agent;
|
||||||
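Review bot: `+ apache_append_log($1)` is placed under the comment `# apache should set close-on-exec`, which explains the two `dontaudit` rules above it but not a new allow rule granting append access to httpd log files. If the intent is that processes started from httpd keep writing to an inherited log descriptor, the comment should say so, e.g. `# processes spawned by httpd inherit its log fds; allow append instead of dontaudit`. The enclosing interface or template starts outside this hunk, so what `$1` stands for here is not visible.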
@ -7442,7 +7494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -586,6 +637,25 @@
|
@@ -586,6 +638,25 @@
|
||||||
files_search_etc($1)
|
files_search_etc($1)
|
||||||
allow $1 etc_aliases_t:file { rw_file_perms setattr };
|
allow $1 etc_aliases_t:file { rw_file_perms setattr };
|
||||||
')
|
')
|
||||||
@ -7468,6 +7520,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@@ -837,6 +908,25 @@
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
+## read mail queue files.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`mta_read_queue',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type mqueue_spool_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ files_search_spool($1)
|
||||||
|
+ read_files_pattern($1,mqueue_spool_t,mqueue_spool_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
## Create, read, write, and delete
|
||||||
|
## mail queue files.
|
||||||
|
## </summary>
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.5/policy/modules/services/mta.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.5/policy/modules/services/mta.te
|
||||||
--- nsaserefpolicy/policy/modules/services/mta.te 2007-12-19 05:32:17.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/mta.te 2007-12-19 05:32:17.000000000 -0500
|
||||||
+++ serefpolicy-3.2.5/policy/modules/services/mta.te 2007-12-19 05:38:09.000000000 -0500
|
+++ serefpolicy-3.2.5/policy/modules/services/mta.te 2007-12-19 05:38:09.000000000 -0500
|
||||||
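Review bot: The new `mta_read_queue` summary `## read mail queue files.` is lower-case while the sibling summary in this hunk starts with a capital (`## Create, read, write, and delete`); change it to `## Read mail queue files.` so the generated interface index is consistent. Functionally the interface grants `read_files_pattern($1,mqueue_spool_t,mqueue_spool_t)`, i.e. read access to every queued message on the host, and its only caller in this commit is `+mta_read_queue(pyzor_t)` (hunk at `@ -8953`). A comment in pyzor.te stating why the signature client must read the queue spool directly would justify that grant to a later reader.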
@ -7878,13 +7956,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
|
|||||||
+/var/log/wpa_supplicant\.log -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
|
+/var/log/wpa_supplicant\.log -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.2.5/policy/modules/services/networkmanager.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.2.5/policy/modules/services/networkmanager.te
|
||||||
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-12-19 05:32:17.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-12-19 05:32:17.000000000 -0500
|
||||||
+++ serefpolicy-3.2.5/policy/modules/services/networkmanager.te 2007-12-19 05:38:09.000000000 -0500
|
+++ serefpolicy-3.2.5/policy/modules/services/networkmanager.te 2007-12-26 20:31:36.000000000 -0500
|
||||||
@@ -13,6 +13,9 @@
|
@@ -13,6 +13,9 @@
|
||||||
type NetworkManager_var_run_t;
|
type NetworkManager_var_run_t;
|
||||||
files_pid_file(NetworkManager_var_run_t)
|
files_pid_file(NetworkManager_var_run_t)
|
||||||
|
|
||||||
+type NetworkManager_log_t;
|
+type NetworkManager_log_t;
|
||||||
+files_pid_file(NetworkManager_log_t)
|
+logging_log_file(NetworkManager_log_t)
|
||||||
+
|
+
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -8891,8 +8969,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.2.5/policy/modules/services/procmail.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.2.5/policy/modules/services/procmail.te
|
||||||
--- nsaserefpolicy/policy/modules/services/procmail.te 2007-12-19 05:32:17.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/procmail.te 2007-12-19 05:32:17.000000000 -0500
|
||||||
+++ serefpolicy-3.2.5/policy/modules/services/procmail.te 2007-12-19 05:38:09.000000000 -0500
|
+++ serefpolicy-3.2.5/policy/modules/services/procmail.te 2007-12-26 18:16:54.000000000 -0500
|
||||||
@@ -133,3 +133,7 @@
|
@@ -129,7 +129,12 @@
|
||||||
|
corenet_udp_bind_generic_port(procmail_t)
|
||||||
|
corenet_dontaudit_udp_bind_all_ports(procmail_t)
|
||||||
|
|
||||||
|
+ spamassassin_read_user_home_files(procmail_t)
|
||||||
|
spamassassin_exec(procmail_t)
|
||||||
spamassassin_exec_client(procmail_t)
|
spamassassin_exec_client(procmail_t)
|
||||||
spamassassin_read_lib_files(procmail_t)
|
spamassassin_read_lib_files(procmail_t)
|
||||||
')
|
')
|
||||||
@ -8942,7 +9025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
|
|||||||
########################################
|
########################################
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.2.5/policy/modules/services/pyzor.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.2.5/policy/modules/services/pyzor.te
|
||||||
--- nsaserefpolicy/policy/modules/services/pyzor.te 2007-12-19 05:32:17.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/pyzor.te 2007-12-19 05:32:17.000000000 -0500
|
||||||
+++ serefpolicy-3.2.5/policy/modules/services/pyzor.te 2007-12-19 05:38:09.000000000 -0500
|
+++ serefpolicy-3.2.5/policy/modules/services/pyzor.te 2007-12-27 11:44:33.000000000 -0500
|
||||||
@@ -28,6 +28,9 @@
|
@@ -28,6 +28,9 @@
|
||||||
type pyzor_var_lib_t;
|
type pyzor_var_lib_t;
|
||||||
files_type(pyzor_var_lib_t)
|
files_type(pyzor_var_lib_t)
|
||||||
@ -8953,6 +9036,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Pyzor local policy
|
# Pyzor local policy
|
||||||
|
@@ -68,6 +71,8 @@
|
||||||
|
|
||||||
|
miscfiles_read_localization(pyzor_t)
|
||||||
|
|
||||||
|
+mta_read_queue(pyzor_t)
|
||||||
|
+
|
||||||
|
userdom_dontaudit_search_sysadm_home_dirs(pyzor_t)
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.2.5/policy/modules/services/razor.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.2.5/policy/modules/services/razor.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/razor.fc 2007-10-12 08:56:07.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/razor.fc 2007-10-12 08:56:07.000000000 -0400
|
||||||
+++ serefpolicy-3.2.5/policy/modules/services/razor.fc 2007-12-19 05:38:09.000000000 -0500
|
+++ serefpolicy-3.2.5/policy/modules/services/razor.fc 2007-12-19 05:38:09.000000000 -0500
|
||||||
@ -10149,7 +10241,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
|
|||||||
/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0)
|
/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.2.5/policy/modules/services/spamassassin.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.2.5/policy/modules/services/spamassassin.if
|
||||||
--- nsaserefpolicy/policy/modules/services/spamassassin.if 2007-10-12 08:56:07.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/spamassassin.if 2007-10-12 08:56:07.000000000 -0400
|
||||||
+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.if 2007-12-19 05:38:09.000000000 -0500
|
+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.if 2007-12-26 18:16:14.000000000 -0500
|
||||||
@@ -38,6 +38,8 @@
|
@@ -38,6 +38,8 @@
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type spamc_exec_t, spamassassin_exec_t;
|
type spamc_exec_t, spamassassin_exec_t;
|
||||||
@ -10253,7 +10345,56 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
|
|||||||
|
|
||||||
kernel_read_kernel_sysctls($1_spamassassin_t)
|
kernel_read_kernel_sysctls($1_spamassassin_t)
|
||||||
|
|
||||||
@@ -528,3 +526,21 @@
|
@@ -407,6 +405,40 @@
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
+## Read spamassassin per user homedir
|
||||||
|
+## </summary>
|
||||||
|
+## <desc>
|
||||||
|
+## <p>
|
||||||
|
+## Read spamassassin per user homedir
|
||||||
|
+## </p>
|
||||||
|
+## <p>
|
||||||
|
+## This is a templated interface, and should only
|
||||||
|
+## be called from a per-userdomain template.
|
||||||
|
+## </p>
|
||||||
|
+## </desc>
|
||||||
|
+## <param name="userdomain_prefix">
|
||||||
|
+## <summary>
|
||||||
|
+## The prefix of the user domain (e.g., user
|
||||||
|
+## is the prefix for user_t).
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+template(`spamassassin_read_user_home_files',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type user_spamassassin_home_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 user_spamassassin_home_t:dir list_dir_perms;
|
||||||
|
+ allow $1 user_spamassassin_home_t:file read_file_perms;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
## Execute the spamassassin client
|
||||||
|
## program in the caller directory.
|
||||||
|
## </summary>
|
||||||
|
@@ -469,6 +501,7 @@
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_var_lib($1)
|
||||||
|
+ read_dirs_pattern($1,spamd_var_lib_t,spamd_var_lib_t)
|
||||||
|
read_files_pattern($1,spamd_var_lib_t,spamd_var_lib_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
@@ -528,3 +561,22 @@
|
||||||
|
|
||||||
dontaudit $1 spamd_tmp_t:sock_file getattr;
|
dontaudit $1 spamd_tmp_t:sock_file getattr;
|
||||||
')
|
')
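Review bot: The template body grants access with `allow $1 user_spamassassin_home_t:dir list_dir_perms;`, treating `$1` as the domain, while the documentation block right above declares two parameters, `userdomain_prefix` as `$1` and `domain` as `$2`, and the prefix is never used because the home type is hard-coded to `user_spamassassin_home_t`. The two must agree: if the home type is now role-independent, drop the `userdomain_prefix` parameter and the "should only be called from a per-userdomain template" paragraph and declare it as an `interface` rather than a `template`; otherwise use `$2` as the domain and `$1_spamassassin_home_t` as the type. As written, a caller following the docs with `(user, user_t)` expands to rules naming a domain called `user`, which would presumably be rejected at policy build. The `spamassassin_read_user_home_files` body is complete within this hunk, but the rest of spamassassin.if is outside it.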
|
||||||
@ -10275,6 +10416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
|
|||||||
+
|
+
|
||||||
+ stream_connect_pattern($1,spamd_var_run_t,spamd_var_run_t,spamd_t)
|
+ stream_connect_pattern($1,spamd_var_run_t,spamd_var_run_t,spamd_t)
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.2.5/policy/modules/services/spamassassin.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.2.5/policy/modules/services/spamassassin.te
|
||||||
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-12-19 05:32:17.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-12-19 05:32:17.000000000 -0500
|
||||||
+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.te 2007-12-19 05:38:09.000000000 -0500
|
+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.te 2007-12-19 05:38:09.000000000 -0500
|
||||||
@ -10812,7 +10954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.5/policy/modules/services/xserver.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.5/policy/modules/services/xserver.if
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500
|
||||||
+++ serefpolicy-3.2.5/policy/modules/services/xserver.if 2007-12-19 05:38:09.000000000 -0500
|
+++ serefpolicy-3.2.5/policy/modules/services/xserver.if 2007-12-27 11:37:04.000000000 -0500
|
||||||
@@ -45,7 +45,7 @@
|
@@ -45,7 +45,7 @@
|
||||||
# execheap needed until the X module loader is fixed.
|
# execheap needed until the X module loader is fixed.
|
||||||
# NVIDIA Needs execstack
|
# NVIDIA Needs execstack
|
||||||
@ -10822,7 +10964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
dontaudit $1_xserver_t self:capability chown;
|
dontaudit $1_xserver_t self:capability chown;
|
||||||
allow $1_xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
allow $1_xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||||
allow $1_xserver_t self:memprotect mmap_zero;
|
allow $1_xserver_t self:memprotect mmap_zero;
|
||||||
@@ -115,8 +115,7 @@
|
@@ -115,18 +115,23 @@
|
||||||
dev_rw_agp($1_xserver_t)
|
dev_rw_agp($1_xserver_t)
|
||||||
dev_rw_framebuffer($1_xserver_t)
|
dev_rw_framebuffer($1_xserver_t)
|
||||||
dev_manage_dri_dev($1_xserver_t)
|
dev_manage_dri_dev($1_xserver_t)
|
||||||
@ -10832,7 +10974,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
# raw memory access is needed if not using the frame buffer
|
# raw memory access is needed if not using the frame buffer
|
||||||
dev_read_raw_memory($1_xserver_t)
|
dev_read_raw_memory($1_xserver_t)
|
||||||
dev_wx_raw_memory($1_xserver_t)
|
dev_wx_raw_memory($1_xserver_t)
|
||||||
@@ -125,8 +124,13 @@
|
# for other device nodes such as the NVidia binary-only driver
|
||||||
|
dev_rw_xserver_misc($1_xserver_t)
|
||||||
|
+ dev_setattr_xserver_misc_dev($1_xserver_t)
|
||||||
# read events - the synaptics touchpad driver reads raw events
|
# read events - the synaptics touchpad driver reads raw events
|
||||||
dev_rw_input_dev($1_xserver_t)
|
dev_rw_input_dev($1_xserver_t)
|
||||||
dev_rwx_zero($1_xserver_t)
|
dev_rwx_zero($1_xserver_t)
|
||||||
@ -10846,7 +10990,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
files_read_etc_files($1_xserver_t)
|
files_read_etc_files($1_xserver_t)
|
||||||
files_read_etc_runtime_files($1_xserver_t)
|
files_read_etc_runtime_files($1_xserver_t)
|
||||||
@@ -140,12 +144,16 @@
|
@@ -140,12 +145,16 @@
|
||||||
fs_getattr_xattr_fs($1_xserver_t)
|
fs_getattr_xattr_fs($1_xserver_t)
|
||||||
fs_search_nfs($1_xserver_t)
|
fs_search_nfs($1_xserver_t)
|
||||||
fs_search_auto_mountpoints($1_xserver_t)
|
fs_search_auto_mountpoints($1_xserver_t)
|
||||||
@ -10864,7 +11008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
term_setattr_unallocated_ttys($1_xserver_t)
|
term_setattr_unallocated_ttys($1_xserver_t)
|
||||||
term_use_unallocated_ttys($1_xserver_t)
|
term_use_unallocated_ttys($1_xserver_t)
|
||||||
|
|
||||||
@@ -232,39 +240,26 @@
|
@@ -232,39 +241,26 @@
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -10911,7 +11055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
##############################
|
##############################
|
||||||
#
|
#
|
||||||
# $1_xserver_t Local policy
|
# $1_xserver_t Local policy
|
||||||
@@ -272,12 +267,15 @@
|
@@ -272,12 +268,15 @@
|
||||||
|
|
||||||
domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
|
domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
|
||||||
|
|
||||||
@ -10928,7 +11072,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t)
|
manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t)
|
||||||
manage_files_pattern($2,$1_fonts_t,$1_fonts_t)
|
manage_files_pattern($2,$1_fonts_t,$1_fonts_t)
|
||||||
@@ -307,6 +305,7 @@
|
@@ -307,6 +306,7 @@
|
||||||
userdom_use_user_ttys($1,$1_xserver_t)
|
userdom_use_user_ttys($1,$1_xserver_t)
|
||||||
userdom_setattr_user_ttys($1,$1_xserver_t)
|
userdom_setattr_user_ttys($1,$1_xserver_t)
|
||||||
userdom_rw_user_tmpfs_files($1,$1_xserver_t)
|
userdom_rw_user_tmpfs_files($1,$1_xserver_t)
|
||||||
@ -10936,7 +11080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
xserver_use_user_fonts($1,$1_xserver_t)
|
xserver_use_user_fonts($1,$1_xserver_t)
|
||||||
xserver_rw_xdm_tmp_files($1_xauth_t)
|
xserver_rw_xdm_tmp_files($1_xauth_t)
|
||||||
@@ -330,12 +329,12 @@
|
@@ -330,12 +330,12 @@
|
||||||
allow $1_xauth_t self:process signal;
|
allow $1_xauth_t self:process signal;
|
||||||
allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
|
allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
|
||||||
@ -10954,7 +11098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
|
domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
|
||||||
|
|
||||||
@@ -344,12 +343,6 @@
|
@@ -344,12 +344,6 @@
|
||||||
# allow ps to show xauth
|
# allow ps to show xauth
|
||||||
ps_process_pattern($2,$1_xauth_t)
|
ps_process_pattern($2,$1_xauth_t)
|
||||||
|
|
||||||
@ -10967,7 +11111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
domain_use_interactive_fds($1_xauth_t)
|
domain_use_interactive_fds($1_xauth_t)
|
||||||
|
|
||||||
files_read_etc_files($1_xauth_t)
|
files_read_etc_files($1_xauth_t)
|
||||||
@@ -378,6 +371,14 @@
|
@@ -378,6 +372,14 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -10982,7 +11126,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
ssh_sigchld($1_xauth_t)
|
ssh_sigchld($1_xauth_t)
|
||||||
ssh_read_pipes($1_xauth_t)
|
ssh_read_pipes($1_xauth_t)
|
||||||
ssh_dontaudit_rw_tcp_sockets($1_xauth_t)
|
ssh_dontaudit_rw_tcp_sockets($1_xauth_t)
|
||||||
@@ -390,16 +391,16 @@
|
@@ -390,16 +392,16 @@
|
||||||
|
|
||||||
domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t)
|
domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t)
|
||||||
|
|
||||||
@ -11004,7 +11148,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
fs_search_auto_mountpoints($1_iceauth_t)
|
fs_search_auto_mountpoints($1_iceauth_t)
|
||||||
|
|
||||||
@@ -523,17 +524,16 @@
|
@@ -523,17 +525,16 @@
|
||||||
template(`xserver_user_client_template',`
|
template(`xserver_user_client_template',`
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -11029,7 +11173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
# for when /tmp/.X11-unix is created by the system
|
# for when /tmp/.X11-unix is created by the system
|
||||||
allow $2 xdm_t:fd use;
|
allow $2 xdm_t:fd use;
|
||||||
@@ -542,25 +542,55 @@
|
@@ -542,25 +543,55 @@
|
||||||
allow $2 xdm_tmp_t:sock_file { read write };
|
allow $2 xdm_tmp_t:sock_file { read write };
|
||||||
dontaudit $2 xdm_t:tcp_socket { read write };
|
dontaudit $2 xdm_t:tcp_socket { read write };
|
||||||
|
|
||||||
@ -11093,7 +11237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -613,6 +643,24 @@
|
@@ -613,6 +644,24 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -11118,7 +11262,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
## Transition to a user Xauthority domain.
|
## Transition to a user Xauthority domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <desc>
|
## <desc>
|
||||||
@@ -646,6 +694,73 @@
|
@@ -646,6 +695,73 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -11192,7 +11336,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
## Transition to a user Xauthority domain.
|
## Transition to a user Xauthority domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <desc>
|
## <desc>
|
||||||
@@ -671,10 +786,10 @@
|
@@ -671,10 +787,10 @@
|
||||||
#
|
#
|
||||||
template(`xserver_user_home_dir_filetrans_user_xauth',`
|
template(`xserver_user_home_dir_filetrans_user_xauth',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -11205,7 +11349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -760,7 +875,7 @@
|
@@ -760,7 +876,7 @@
|
||||||
type xconsole_device_t;
|
type xconsole_device_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -11214,7 +11358,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -860,6 +975,25 @@
|
@@ -860,6 +976,25 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -11240,7 +11384,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
## Read xdm-writable configuration files.
|
## Read xdm-writable configuration files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -914,6 +1048,7 @@
|
@@ -914,6 +1049,7 @@
|
||||||
files_search_tmp($1)
|
files_search_tmp($1)
|
||||||
allow $1 xdm_tmp_t:dir list_dir_perms;
|
allow $1 xdm_tmp_t:dir list_dir_perms;
|
||||||
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
|
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
|
||||||
@ -11248,7 +11392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -974,6 +1109,37 @@
|
@@ -974,6 +1110,37 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -11286,7 +11430,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
## Make an X session script an entrypoint for the specified domain.
|
## Make an X session script an entrypoint for the specified domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -1123,7 +1289,7 @@
|
@@ -1123,7 +1290,7 @@
|
||||||
type xdm_xserver_tmp_t;
|
type xdm_xserver_tmp_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -11295,7 +11439,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1312,3 +1478,45 @@
|
@@ -1312,3 +1479,45 @@
|
||||||
files_search_tmp($1)
|
files_search_tmp($1)
|
||||||
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
|
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
|
||||||
')
|
')
|
||||||
@ -12467,8 +12611,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
|
|||||||
|
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.2.5/policy/modules/system/libraries.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.2.5/policy/modules/system/libraries.fc
|
||||||
--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-12-12 11:35:28.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-12-12 11:35:28.000000000 -0500
|
||||||
+++ serefpolicy-3.2.5/policy/modules/system/libraries.fc 2007-12-19 05:38:09.000000000 -0500
|
+++ serefpolicy-3.2.5/policy/modules/system/libraries.fc 2007-12-27 11:40:35.000000000 -0500
|
||||||
@@ -292,6 +292,8 @@
|
@@ -183,6 +183,7 @@
|
||||||
|
/usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
/usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
+/usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
/usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
@@ -242,7 +243,8 @@
|
||||||
|
|
||||||
|
# Flash plugin, Macromedia
|
||||||
|
HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
-HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
+HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
+HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
/usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
/usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
@@ -292,6 +294,8 @@
|
||||||
#
|
#
|
||||||
# /var
|
# /var
|
||||||
#
|
#
|
||||||
@ -12477,6 +12639,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
|
|||||||
/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||||
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
|
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
|
||||||
|
|
||||||
|
@@ -304,3 +308,4 @@
|
||||||
|
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||||
|
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||||
|
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
|
||||||
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.2.5/policy/modules/system/libraries.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.2.5/policy/modules/system/libraries.te
|
||||||
--- nsaserefpolicy/policy/modules/system/libraries.te 2007-12-19 05:32:17.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/libraries.te 2007-12-19 05:32:17.000000000 -0500
|
||||||
+++ serefpolicy-3.2.5/policy/modules/system/libraries.te 2007-12-19 05:38:09.000000000 -0500
|
+++ serefpolicy-3.2.5/policy/modules/system/libraries.te 2007-12-19 05:38:09.000000000 -0500
|
||||||
@ -12710,7 +12877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.2.5/policy/modules/system/logging.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.2.5/policy/modules/system/logging.te
|
||||||
--- nsaserefpolicy/policy/modules/system/logging.te 2007-12-19 05:32:17.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/logging.te 2007-12-19 05:32:17.000000000 -0500
|
||||||
+++ serefpolicy-3.2.5/policy/modules/system/logging.te 2007-12-19 05:38:09.000000000 -0500
|
+++ serefpolicy-3.2.5/policy/modules/system/logging.te 2007-12-25 07:00:24.000000000 -0500
|
||||||
@@ -61,6 +61,12 @@
|
@@ -61,6 +61,12 @@
|
||||||
logging_log_file(var_log_t)
|
logging_log_file(var_log_t)
|
||||||
files_mountpoint(var_log_t)
|
files_mountpoint(var_log_t)
|
||||||
@ -12724,7 +12891,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||||||
ifdef(`enable_mls',`
|
ifdef(`enable_mls',`
|
||||||
init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
|
init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
|
||||||
')
|
')
|
||||||
@@ -202,6 +208,7 @@
|
@@ -165,6 +171,10 @@
|
||||||
|
userdom_dontaudit_search_sysadm_home_dirs(auditd_t)
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
+ mta_send_mail(auditd_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
seutil_sigchld_newrole(auditd_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
@@ -202,6 +212,7 @@
|
||||||
|
|
||||||
fs_getattr_all_fs(klogd_t)
|
fs_getattr_all_fs(klogd_t)
|
||||||
fs_search_auto_mountpoints(klogd_t)
|
fs_search_auto_mountpoints(klogd_t)
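Review bot: `mta_send_mail(auditd_t)` gives auditd a domain transition into the mail-sending domain, and under `enable_mls` auditd is a ranged daemon at `mls_systemhigh` (`init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)` earlier in this hunk), so the spawned mailer would presumably inherit that range unless an MLS range transition exists for it; worth confirming the mail path is not left running at system high. A one-line why-comment on the new `optional_policy` block, e.g. `# auditd mails the configured admin on failure / disk-full actions`, would record the reason for the grant; the exact audit feature behind it is not visible here, so adjust the wording to match. logging.te continues outside this hunk.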
|
||||||
|