- New labels for ghc http content
- nsplugin_config needs to read urand, lvm now calls setfscreate to create dev - pm-suspend now creates log file for append access so we remove devicekit_wri - Change authlogin_use_sssd to authlogin_nsswitch_use_ldap - Fixes for greylist_milter policy
parent
c68e37c2c7
commit
ef836a9861
157
policy-F15.patch
157
policy-F15.patch
@ -5109,10 +5109,10 @@ index 0000000..4f9cb05
|
|||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
|
diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..aedbcbe
|
index 0000000..ae1d09b
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/apps/nsplugin.te
|
+++ b/policy/modules/apps/nsplugin.te
|
||||||
@@ -0,0 +1,315 @@
|
@@ -0,0 +1,316 @@
|
||||||
+policy_module(nsplugin, 1.0.0)
|
+policy_module(nsplugin, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -5343,6 +5343,7 @@ index 0000000..aedbcbe
|
|||||||
+allow nsplugin_config_t self:fifo_file rw_file_perms;
|
+allow nsplugin_config_t self:fifo_file rw_file_perms;
|
||||||
+allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
|
+allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
+
|
+
|
||||||
|
+dev_read_urand(nsplugin_config_t)
|
||||||
+dev_dontaudit_read_rand(nsplugin_config_t)
|
+dev_dontaudit_read_rand(nsplugin_config_t)
|
||||||
+dev_dontaudit_rw_dri(nsplugin_config_t)
|
+dev_dontaudit_rw_dri(nsplugin_config_t)
|
||||||
+
|
+
|
||||||
@ -7846,7 +7847,7 @@ index 82842a0..4111a1d 100644
|
|||||||
dbus_system_bus_client($1_wm_t)
|
dbus_system_bus_client($1_wm_t)
|
||||||
dbus_session_bus_client($1_wm_t)
|
dbus_session_bus_client($1_wm_t)
|
||||||
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
|
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
|
||||||
index 34c9d01..93e0ee8 100644
|
index 34c9d01..d858795 100644
|
||||||
--- a/policy/modules/kernel/corecommands.fc
|
--- a/policy/modules/kernel/corecommands.fc
|
||||||
+++ b/policy/modules/kernel/corecommands.fc
|
+++ b/policy/modules/kernel/corecommands.fc
|
||||||
@@ -72,7 +72,9 @@ ifdef(`distro_redhat',`
|
@@ -72,7 +72,9 @@ ifdef(`distro_redhat',`
|
||||||
@ -7887,7 +7888,11 @@ index 34c9d01..93e0ee8 100644
|
|||||||
/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
@@ -319,6 +324,7 @@ ifdef(`distro_redhat', `
|
@@ -316,9 +321,11 @@ ifdef(`distro_redhat', `
|
||||||
|
/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
/usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
/usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
+/usr/share/doc/ghc/html/libraries/gen_contents_index -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
@ -8003,7 +8008,7 @@ index b06df19..c0763c2 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
|
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
|
||||||
index edefaf3..e00278f 100644
|
index edefaf3..7548158 100644
|
||||||
--- a/policy/modules/kernel/corenetwork.te.in
|
--- a/policy/modules/kernel/corenetwork.te.in
|
||||||
+++ b/policy/modules/kernel/corenetwork.te.in
|
+++ b/policy/modules/kernel/corenetwork.te.in
|
||||||
@@ -15,6 +15,7 @@ attribute rpc_port_type;
|
@@ -15,6 +15,7 @@ attribute rpc_port_type;
|
||||||
@ -8094,7 +8099,7 @@ index edefaf3..e00278f 100644
|
|||||||
network_port(i18n_input, tcp,9010,s0)
|
network_port(i18n_input, tcp,9010,s0)
|
||||||
network_port(imaze, tcp,5323,s0, udp,5323,s0)
|
network_port(imaze, tcp,5323,s0, udp,5323,s0)
|
||||||
network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
|
network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
|
||||||
@@ -125,30 +147,34 @@ network_port(iscsi, tcp,3260,s0)
|
@@ -125,30 +147,35 @@ network_port(iscsi, tcp,3260,s0)
|
||||||
network_port(isns, tcp,3205,s0, udp,3205,s0)
|
network_port(isns, tcp,3205,s0, udp,3205,s0)
|
||||||
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
|
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
|
||||||
network_port(jabber_interserver, tcp,5269,s0)
|
network_port(jabber_interserver, tcp,5269,s0)
|
||||||
@ -8116,6 +8121,7 @@ index edefaf3..e00278f 100644
|
|||||||
network_port(memcache, tcp,11211,s0, udp,11211,s0)
|
network_port(memcache, tcp,11211,s0, udp,11211,s0)
|
||||||
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
|
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
|
||||||
network_port(monopd, tcp,1234,s0)
|
network_port(monopd, tcp,1234,s0)
|
||||||
|
+network_port(movaz_ssc, tcp,5252,s0)
|
||||||
+network_port(mpd, tcp,6600,s0)
|
+network_port(mpd, tcp,6600,s0)
|
||||||
network_port(msnp, tcp,1863,s0, udp,1863,s0)
|
network_port(msnp, tcp,1863,s0, udp,1863,s0)
|
||||||
-network_port(mssql, tcp,1433,s0, tcp,1434,s0, udp,1433,s0, udp,1434,s0)
|
-network_port(mssql, tcp,1433,s0, tcp,1434,s0, udp,1433,s0, udp,1434,s0)
|
||||||
@ -8133,7 +8139,7 @@ index edefaf3..e00278f 100644
|
|||||||
network_port(ntp, udp,123,s0)
|
network_port(ntp, udp,123,s0)
|
||||||
network_port(ocsp, tcp,9080,s0)
|
network_port(ocsp, tcp,9080,s0)
|
||||||
network_port(openvpn, tcp,1194,s0, udp,1194,s0)
|
network_port(openvpn, tcp,1194,s0, udp,1194,s0)
|
||||||
@@ -156,12 +182,20 @@ network_port(pegasus_http, tcp,5988,s0)
|
@@ -156,12 +183,20 @@ network_port(pegasus_http, tcp,5988,s0)
|
||||||
network_port(pegasus_https, tcp,5989,s0)
|
network_port(pegasus_https, tcp,5989,s0)
|
||||||
network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
|
network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
|
||||||
network_port(pingd, tcp,9125,s0)
|
network_port(pingd, tcp,9125,s0)
|
||||||
@ -8154,7 +8160,7 @@ index edefaf3..e00278f 100644
|
|||||||
network_port(printer, tcp,515,s0)
|
network_port(printer, tcp,515,s0)
|
||||||
network_port(ptal, tcp,5703,s0)
|
network_port(ptal, tcp,5703,s0)
|
||||||
network_port(pulseaudio, tcp,4713,s0)
|
network_port(pulseaudio, tcp,4713,s0)
|
||||||
@@ -176,43 +210,49 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
|
@@ -176,43 +211,49 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
|
||||||
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
|
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
|
||||||
network_port(rlogind, tcp,513,s0)
|
network_port(rlogind, tcp,513,s0)
|
||||||
network_port(rndc, tcp,953,s0)
|
network_port(rndc, tcp,953,s0)
|
||||||
@ -14200,7 +14206,7 @@ index c3a1903..b0e48c6 100644
|
|||||||
corenet_all_recvfrom_unlabeled(amavis_t)
|
corenet_all_recvfrom_unlabeled(amavis_t)
|
||||||
corenet_all_recvfrom_netlabel(amavis_t)
|
corenet_all_recvfrom_netlabel(amavis_t)
|
||||||
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
|
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
|
||||||
index 9e39aa5..3bfac20 100644
|
index 9e39aa5..7ba3b11 100644
|
||||||
--- a/policy/modules/services/apache.fc
|
--- a/policy/modules/services/apache.fc
|
||||||
+++ b/policy/modules/services/apache.fc
|
+++ b/policy/modules/services/apache.fc
|
||||||
@@ -2,7 +2,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
|
@@ -2,7 +2,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
|
||||||
@ -14220,17 +14226,19 @@ index 9e39aa5..3bfac20 100644
|
|||||||
/usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
/usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
||||||
/usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
/usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
||||||
/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
|
/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
|
||||||
@@ -43,8 +42,7 @@ ifdef(`distro_suse', `
|
@@ -43,8 +42,9 @@ ifdef(`distro_suse', `
|
||||||
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||||
')
|
')
|
||||||
|
|
||||||
-/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
-/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||||
-/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
-/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||||
+/usr/share/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
+/usr/share/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||||
|
+/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||||
|
+
|
||||||
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||||
/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||||
/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||||
@@ -74,7 +72,8 @@ ifdef(`distro_suse', `
|
@@ -74,7 +74,8 @@ ifdef(`distro_suse', `
|
||||||
|
|
||||||
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||||
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
|
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
|
||||||
@ -14240,7 +14248,7 @@ index 9e39aa5..3bfac20 100644
|
|||||||
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||||
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
|
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
|
||||||
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
|
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||||
@@ -86,7 +85,6 @@ ifdef(`distro_suse', `
|
@@ -86,7 +87,6 @@ ifdef(`distro_suse', `
|
||||||
/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
|
/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
|
||||||
/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||||||
/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||||||
@ -14248,7 +14256,7 @@ index 9e39aa5..3bfac20 100644
|
|||||||
|
|
||||||
ifdef(`distro_debian', `
|
ifdef(`distro_debian', `
|
||||||
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||||||
@@ -109,3 +107,22 @@ ifdef(`distro_debian', `
|
@@ -109,3 +109,22 @@ ifdef(`distro_debian', `
|
||||||
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
||||||
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||||
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
||||||
@ -20208,7 +20216,7 @@ index 418a5a0..28d9e41 100644
|
|||||||
/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
|
/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
|
||||||
/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
|
/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
|
||||||
diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
|
diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
|
||||||
index f706b99..20efe4a 100644
|
index f706b99..22b862e 100644
|
||||||
--- a/policy/modules/services/devicekit.if
|
--- a/policy/modules/services/devicekit.if
|
||||||
+++ b/policy/modules/services/devicekit.if
|
+++ b/policy/modules/services/devicekit.if
|
||||||
@@ -5,9 +5,9 @@
|
@@ -5,9 +5,9 @@
|
||||||
@ -20223,29 +20231,10 @@ index f706b99..20efe4a 100644
|
|||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`devicekit_domtrans',`
|
interface(`devicekit_domtrans',`
|
||||||
@@ -118,6 +118,63 @@ interface(`devicekit_dbus_chat_power',`
|
@@ -118,6 +118,44 @@ interface(`devicekit_dbus_chat_power',`
|
||||||
allow devicekit_power_t $1:dbus send_msg;
|
allow devicekit_power_t $1:dbus send_msg;
|
||||||
')
|
')
|
||||||
|
|
||||||
+######################################
|
|
||||||
+## <summary>
|
|
||||||
+## Allow to write the devicekit
|
|
||||||
+## log files.
|
|
||||||
+## </summary>
|
|
||||||
+## <param name="domain">
|
|
||||||
+## <summary>
|
|
||||||
+## Domain to not audit.
|
|
||||||
+## </summary>
|
|
||||||
+## </param>
|
|
||||||
+#
|
|
||||||
+interface(`devicekit_write_log',`
|
|
||||||
+ gen_require(`
|
|
||||||
+ type devicekit_var_log_t;
|
|
||||||
+ ')
|
|
||||||
+
|
|
||||||
+ allow $1 devicekit_var_log_t:file { write };
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
+#######################################
|
+#######################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Do not audit attempts to write the devicekit
|
+## Do not audit attempts to write the devicekit
|
||||||
@ -20287,7 +20276,7 @@ index f706b99..20efe4a 100644
|
|||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read devicekit PID files.
|
## Read devicekit PID files.
|
||||||
@@ -139,22 +196,52 @@ interface(`devicekit_read_pid_files',`
|
@@ -139,22 +177,52 @@ interface(`devicekit_read_pid_files',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -20347,7 +20336,7 @@ index f706b99..20efe4a 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
## <rolecap/>
|
## <rolecap/>
|
||||||
@@ -165,21 +252,22 @@ interface(`devicekit_admin',`
|
@@ -165,21 +233,21 @@ interface(`devicekit_admin',`
|
||||||
type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
|
type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -20375,7 +20364,6 @@ index f706b99..20efe4a 100644
|
|||||||
- files_search_pids($1)
|
- files_search_pids($1)
|
||||||
+ files_list_pids($1)
|
+ files_list_pids($1)
|
||||||
')
|
')
|
||||||
+
|
|
||||||
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
|
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
|
||||||
index f231f17..4ecd4b7 100644
|
index f231f17..4ecd4b7 100644
|
||||||
--- a/policy/modules/services/devicekit.te
|
--- a/policy/modules/services/devicekit.te
|
||||||
@ -24961,7 +24949,7 @@ index ed1af3c..40b5f0e 100644
|
|||||||
+ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
|
+ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/services/milter.te b/policy/modules/services/milter.te
|
diff --git a/policy/modules/services/milter.te b/policy/modules/services/milter.te
|
||||||
index 47e3612..98801a7 100644
|
index 47e3612..ece07ab 100644
|
||||||
--- a/policy/modules/services/milter.te
|
--- a/policy/modules/services/milter.te
|
||||||
+++ b/policy/modules/services/milter.te
|
+++ b/policy/modules/services/milter.te
|
||||||
@@ -9,6 +9,13 @@ policy_module(milter, 1.3.0)
|
@@ -9,6 +9,13 @@ policy_module(milter, 1.3.0)
|
||||||
@ -25009,7 +24997,27 @@ index 47e3612..98801a7 100644
|
|||||||
#
|
#
|
||||||
|
|
||||||
# It removes any existing socket (not owned by root) whilst running as root,
|
# It removes any existing socket (not owned by root) whilst running as root,
|
||||||
@@ -52,8 +76,8 @@ mta_read_config(greylist_milter_t)
|
@@ -33,11 +57,19 @@ files_type(spamass_milter_state_t)
|
||||||
|
allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
|
||||||
|
allow greylist_milter_t self:process { setsched getsched };
|
||||||
|
|
||||||
|
+allow greylist_milter_t self:tcp_socket create_stream_socket_perms;
|
||||||
|
+
|
||||||
|
# It creates a pid file /var/run/milter-greylist.pid
|
||||||
|
files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
|
||||||
|
|
||||||
|
kernel_read_kernel_sysctls(greylist_milter_t)
|
||||||
|
|
||||||
|
+corecmd_exec_bin(greylist_milter_t)
|
||||||
|
+corecmd_exec_shell(greylist_milter_t)
|
||||||
|
+
|
||||||
|
+corenet_tcp_bind_movaz_ssc_port(greylist_milter_t)
|
||||||
|
+corenet_tcp_connect_movaz_ssc_port(greylist_milter_t)
|
||||||
|
+
|
||||||
|
# Allow the milter to read a GeoIP database in /usr/share
|
||||||
|
files_read_usr_files(greylist_milter_t)
|
||||||
|
# The milter runs from /var/lib/milter-greylist and maintains files there
|
||||||
|
@@ -52,8 +84,8 @@ mta_read_config(greylist_milter_t)
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# milter-regex local policy
|
# milter-regex local policy
|
||||||
@ -25020,7 +25028,7 @@ index 47e3612..98801a7 100644
|
|||||||
#
|
#
|
||||||
|
|
||||||
# It removes any existing socket (not owned by root) whilst running as root
|
# It removes any existing socket (not owned by root) whilst running as root
|
||||||
@@ -72,8 +96,8 @@ mta_read_config(regex_milter_t)
|
@@ -72,8 +104,8 @@ mta_read_config(regex_milter_t)
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# spamass-milter local policy
|
# spamass-milter local policy
|
||||||
@ -41253,7 +41261,7 @@ index 1c4b1e7..ffa4134 100644
|
|||||||
/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
|
/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
|
||||||
/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
|
/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
|
||||||
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
|
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
|
||||||
index bea0ade..cbd62c5 100644
|
index bea0ade..a0feb45 100644
|
||||||
--- a/policy/modules/system/authlogin.if
|
--- a/policy/modules/system/authlogin.if
|
||||||
+++ b/policy/modules/system/authlogin.if
|
+++ b/policy/modules/system/authlogin.if
|
||||||
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
|
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
|
||||||
@ -41580,7 +41588,7 @@ index bea0ade..cbd62c5 100644
|
|||||||
## Read login records files (/var/log/wtmp).
|
## Read login records files (/var/log/wtmp).
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -1500,28 +1692,38 @@ interface(`auth_manage_login_records',`
|
@@ -1500,28 +1692,36 @@ interface(`auth_manage_login_records',`
|
||||||
#
|
#
|
||||||
interface(`auth_use_nsswitch',`
|
interface(`auth_use_nsswitch',`
|
||||||
|
|
||||||
@ -41594,7 +41602,7 @@ index bea0ade..cbd62c5 100644
|
|||||||
sysnet_dns_name_resolve($1)
|
sysnet_dns_name_resolve($1)
|
||||||
- sysnet_use_ldap($1)
|
- sysnet_use_ldap($1)
|
||||||
+
|
+
|
||||||
+ tunable_policy(`authlogin_use_sssd',`', `
|
+ tunable_policy(`authlogin_nsswitch_use_ldap',`
|
||||||
+ files_list_var_lib($1)
|
+ files_list_var_lib($1)
|
||||||
+
|
+
|
||||||
+ miscfiles_read_generic_certs($1)
|
+ miscfiles_read_generic_certs($1)
|
||||||
@ -41604,61 +41612,45 @@ index bea0ade..cbd62c5 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- avahi_stream_connect($1)
|
- avahi_stream_connect($1)
|
||||||
+ tunable_policy(`authlogin_use_sssd',`', `
|
+ tunable_policy(`authlogin_nsswitch_use_ldap',`
|
||||||
+ dirsrv_stream_connect($1)
|
+ dirsrv_stream_connect($1)
|
||||||
+ ')
|
+ ')
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- ldap_stream_connect($1)
|
- ldap_stream_connect($1)
|
||||||
+ tunable_policy(`authlogin_use_sssd',`', `
|
+ tunable_policy(`authlogin_nsswitch_use_ldap',`
|
||||||
+ ldap_stream_connect($1)
|
+ ldap_stream_connect($1)
|
||||||
+ ')
|
+ ')
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- likewise_stream_connect_lsassd($1)
|
likewise_stream_connect_lsassd($1)
|
||||||
+ tunable_policy(`authlogin_use_sssd',`', `
|
|
||||||
+ likewise_stream_connect_lsassd($1)
|
|
||||||
+ ')
|
|
||||||
')
|
')
|
||||||
|
|
||||||
+ # can not wrap nis_use_ypbind or kerberos_use, but they both have booleans you can turn off.
|
+ # can not wrap nis_use_ypbind or kerberos_use, but they both have booleans you can turn off.
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
kerberos_use($1)
|
kerberos_use($1)
|
||||||
')
|
')
|
||||||
@@ -1531,13 +1733,25 @@ interface(`auth_use_nsswitch',`
|
@@ -1531,7 +1731,15 @@ interface(`auth_use_nsswitch',`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- nscd_socket_use($1)
|
- nscd_socket_use($1)
|
||||||
+ nscd_use($1)
|
+ nscd_use($1)
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
- samba_stream_connect_winbind($1)
|
|
||||||
- samba_read_var_files($1)
|
|
||||||
- samba_dontaudit_write_var_files($1)
|
|
||||||
+ tunable_policy(`authlogin_use_sssd',`', `
|
|
||||||
+ nslcd_stream_connect($1)
|
|
||||||
+ ')
|
+ ')
|
||||||
|
+
|
||||||
|
+ optional_policy(`
|
||||||
|
+ nslcd_stream_connect($1)
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
+ sssd_stream_connect($1)
|
+ sssd_stream_connect($1)
|
||||||
+ ')
|
|
||||||
+
|
|
||||||
+ optional_policy(`
|
|
||||||
+ tunable_policy(`authlogin_use_sssd',`', `
|
|
||||||
+ samba_stream_connect_winbind($1)
|
|
||||||
+ samba_read_var_files($1)
|
|
||||||
+ samba_dontaudit_write_var_files($1)
|
|
||||||
+ ')
|
|
||||||
')
|
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
|
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
|
||||||
index 54d122b..c2a3970 100644
|
index 54d122b..069790d 100644
|
||||||
--- a/policy/modules/system/authlogin.te
|
--- a/policy/modules/system/authlogin.te
|
||||||
+++ b/policy/modules/system/authlogin.te
|
+++ b/policy/modules/system/authlogin.te
|
||||||
@@ -5,9 +5,24 @@ policy_module(authlogin, 2.2.0)
|
@@ -5,9 +5,24 @@ policy_module(authlogin, 2.2.0)
|
||||||
@ -41677,7 +41669,7 @@ index 54d122b..c2a3970 100644
|
|||||||
+## Allow users to login using a sssd server
|
+## Allow users to login using a sssd server
|
||||||
+## </p>
|
+## </p>
|
||||||
+## </desc>
|
+## </desc>
|
||||||
+gen_tunable(authlogin_use_sssd, false)
|
+gen_tunable(authlogin_nsswitch_use_ldap, false)
|
||||||
+
|
+
|
||||||
attribute can_read_shadow_passwords;
|
attribute can_read_shadow_passwords;
|
||||||
attribute can_write_shadow_passwords;
|
attribute can_write_shadow_passwords;
|
||||||
@ -42553,7 +42545,7 @@ index ed152c4..be3bb8f 100644
|
|||||||
+ allow $1 init_t:unix_dgram_socket sendto;
|
+ allow $1 init_t:unix_dgram_socket sendto;
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
||||||
index 0580e7c..28fd86c 100644
|
index 0580e7c..1618f9d 100644
|
||||||
--- a/policy/modules/system/init.te
|
--- a/policy/modules/system/init.te
|
||||||
+++ b/policy/modules/system/init.te
|
+++ b/policy/modules/system/init.te
|
||||||
@@ -16,6 +16,27 @@ gen_require(`
|
@@ -16,6 +16,27 @@ gen_require(`
|
||||||
@ -43241,7 +43233,7 @@ index 0580e7c..28fd86c 100644
|
|||||||
+userdom_inherit_append_user_tmp_files(daemon)
|
+userdom_inherit_append_user_tmp_files(daemon)
|
||||||
+userdom_dontaudit_rw_stream(daemon)
|
+userdom_dontaudit_rw_stream(daemon)
|
||||||
+
|
+
|
||||||
+logging_append_all_logs(daemon)
|
+logging_inherit_append_all_logs(daemon)
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ # sudo service restart causes this
|
+ # sudo service restart causes this
|
||||||
@ -44345,7 +44337,7 @@ index 571599b..17dd196 100644
|
|||||||
+
|
+
|
||||||
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||||
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
|
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
|
||||||
index c7cfb62..620e0a4 100644
|
index c7cfb62..ee9809d 100644
|
||||||
--- a/policy/modules/system/logging.if
|
--- a/policy/modules/system/logging.if
|
||||||
+++ b/policy/modules/system/logging.if
|
+++ b/policy/modules/system/logging.if
|
||||||
@@ -545,6 +545,44 @@ interface(`logging_send_syslog_msg',`
|
@@ -545,6 +545,44 @@ interface(`logging_send_syslog_msg',`
|
||||||
@ -44416,7 +44408,7 @@ index c7cfb62..620e0a4 100644
|
|||||||
+ attribute logfile;
|
+ attribute logfile;
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ allow $1 logfile:file { getattr append };
|
+ allow $1 logfile:file { getattr append ioctl lock };
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -44660,7 +44652,7 @@ index 58bc27f..b4f0663 100644
|
|||||||
+ allow $1 clvmd_tmpfs_t:file rw_file_perms;
|
+ allow $1 clvmd_tmpfs_t:file rw_file_perms;
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
|
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
|
||||||
index 86ef2da..a251276 100644
|
index 86ef2da..0676045 100644
|
||||||
--- a/policy/modules/system/lvm.te
|
--- a/policy/modules/system/lvm.te
|
||||||
+++ b/policy/modules/system/lvm.te
|
+++ b/policy/modules/system/lvm.te
|
||||||
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
|
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
|
||||||
@ -44705,8 +44697,12 @@ index 86ef2da..a251276 100644
|
|||||||
ccs_stream_connect(clvmd_t)
|
ccs_stream_connect(clvmd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -170,6 +182,7 @@ dontaudit lvm_t self:capability sys_tty_config;
|
@@ -167,9 +179,10 @@ optional_policy(`
|
||||||
allow lvm_t self:process { sigchld sigkill sigstop signull signal };
|
# net_admin for multipath
|
||||||
|
allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin };
|
||||||
|
dontaudit lvm_t self:capability sys_tty_config;
|
||||||
|
-allow lvm_t self:process { sigchld sigkill sigstop signull signal };
|
||||||
|
+allow lvm_t self:process { setfscreate sigchld sigkill sigstop signull signal };
|
||||||
# LVM will complain a lot if it cannot set its priority.
|
# LVM will complain a lot if it cannot set its priority.
|
||||||
allow lvm_t self:process setsched;
|
allow lvm_t self:process setsched;
|
||||||
+allow lvm_t self:sem create_sem_perms;
|
+allow lvm_t self:sem create_sem_perms;
|
||||||
@ -46782,7 +46778,7 @@ index 8e71fb7..f1b155a 100644
|
|||||||
+ role_transition $1 dhcpc_exec_t system_r;
|
+ role_transition $1 dhcpc_exec_t system_r;
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
|
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
|
||||||
index dfbe736..d8c6f24 100644
|
index dfbe736..d1f6368 100644
|
||||||
--- a/policy/modules/system/sysnetwork.te
|
--- a/policy/modules/system/sysnetwork.te
|
||||||
+++ b/policy/modules/system/sysnetwork.te
|
+++ b/policy/modules/system/sysnetwork.te
|
||||||
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.0)
|
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.0)
|
||||||
@ -46944,12 +46940,11 @@ index dfbe736..d8c6f24 100644
|
|||||||
ifdef(`hide_broken_symptoms',`
|
ifdef(`hide_broken_symptoms',`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dev_dontaudit_rw_cardmgr(ifconfig_t)
|
dev_dontaudit_rw_cardmgr(ifconfig_t)
|
||||||
@@ -325,8 +372,15 @@ ifdef(`hide_broken_symptoms',`
|
@@ -325,8 +372,14 @@ ifdef(`hide_broken_symptoms',`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
+ devicekit_dontaudit_read_pid_files(ifconfig_t)
|
+ devicekit_dontaudit_read_pid_files(ifconfig_t)
|
||||||
+ devicekit_write_log(ifconfig_t)
|
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
@ -46960,7 +46955,7 @@ index dfbe736..d8c6f24 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -334,6 +388,14 @@ optional_policy(`
|
@@ -334,6 +387,14 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -46975,7 +46970,7 @@ index dfbe736..d8c6f24 100644
|
|||||||
nis_use_ypbind(ifconfig_t)
|
nis_use_ypbind(ifconfig_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -355,3 +417,9 @@ optional_policy(`
|
@@ -355,3 +416,9 @@ optional_policy(`
|
||||||
xen_append_log(ifconfig_t)
|
xen_append_log(ifconfig_t)
|
||||||
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
|
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
|
||||||
')
|
')
|
||||||
|
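Review bot: The boolean description in authlogin.te no longer matches the boolean it documents: the hunk renames `gen_tunable(authlogin_use_sssd, false)` to `gen_tunable(authlogin_nsswitch_use_ldap, false)` but leaves the `## Allow users to login using a sssd server` text above it untouched, so `semanage boolean -l` / `getsebool` will describe the wrong thing to administrators. On the new side the tunable gates files_list_var_lib, miscfiles_read_generic_certs, dirsrv_stream_connect and ldap_stream_connect inside auth_use_nsswitch, while sssd_stream_connect and nslcd_stream_connect are now unconditional, so the text should read something like `## Allow nsswitch-using domains to connect to an LDAP server (nss_ldap/dirsrv) and read its certs for login lookups`. Note also that the old rules sat in the else branch of authlogin_use_sssd (LDAP allowed when that boolean was off, i.e. by default) whereas the new rules are in the if branch of a boolean defaulting to false, so LDAP name-service connections are denied by default after this change; sites relying on nss_ldap need to set the new boolean, which deserves more than the bare "Change authlogin_use_sssd to authlogin_nsswitch_use_ldap" changelog line. auth_use_nsswitch continues past the end of this hunk.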
@ -21,7 +21,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.9.12
|
Version: 3.9.12
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -471,6 +471,13 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Dec 21 2010 Dan Walsh <dwalsh@redhat.com> 3.9.12-2
|
||||||
|
- New labels for ghc http content
|
||||||
|
- nsplugin_config needs to read urand, lvm now calls setfscreate to create dev
|
||||||
|
- pm-suspend now creates log file for append access so we remove devicekit_wri
|
||||||
|
- Change authlogin_use_sssd to authlogin_nsswitch_use_ldap
|
||||||
|
- Fixes for greylist_milter policy
|
||||||
|
|
||||||
* Tue Dec 21 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.12-1
|
* Tue Dec 21 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.12-1
|
||||||
- Update to upstream
|
- Update to upstream
|
||||||
- Fixes for systemd policy
|
- Fixes for systemd policy
|
||||||
|