- Cleanup of aiccu policy
- initial mock policy
This commit is contained in:
parent
f651bb6fdc
commit
f2403c5b4f
@ -968,6 +968,13 @@ miscfiles = base
|
||||
#
|
||||
mls = base
|
||||
|
||||
# Layer: services
|
||||
# Module: mock
|
||||
#
|
||||
# Policy for mock rpm builder
|
||||
#
|
||||
mock = base
|
||||
|
||||
# Layer: system
|
||||
# Module: modutils
|
||||
#
|
||||
|
@ -968,6 +968,13 @@ miscfiles = base
|
||||
#
|
||||
mls = base
|
||||
|
||||
# Layer: services
|
||||
# Module: mock
|
||||
#
|
||||
# Policy for mock rpm builder
|
||||
#
|
||||
mock = base
|
||||
|
||||
# Layer: system
|
||||
# Module: modutils
|
||||
#
|
||||
|
607
policy-F14.patch
607
policy-F14.patch
@ -602,8 +602,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
|
||||
+/usr/sbin/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.8.3/policy/modules/admin/netutils.te
|
||||
--- nsaserefpolicy/policy/modules/admin/netutils.te 2010-05-25 16:28:22.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/admin/netutils.te 2010-06-08 11:32:10.000000000 -0400
|
||||
@@ -144,15 +144,27 @@
|
||||
+++ serefpolicy-3.8.3/policy/modules/admin/netutils.te 2010-06-10 08:42:54.000000000 -0400
|
||||
@@ -52,6 +52,8 @@
|
||||
|
||||
kernel_search_proc(netutils_t)
|
||||
kernel_read_all_sysctls(netutils_t)
|
||||
+kernel_read_network_state(netutils_t)
|
||||
+kernel_request_load_module(netutils_t)
|
||||
|
||||
corenet_all_recvfrom_unlabeled(netutils_t)
|
||||
corenet_all_recvfrom_netlabel(netutils_t)
|
||||
@@ -144,15 +146,27 @@
|
||||
init_dontaudit_use_fds(ping_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -631,9 +640,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
|
||||
pcmcia_use_cardmgr_fds(ping_t)
|
||||
')
|
||||
|
||||
@@ -213,3 +225,10 @@
|
||||
@@ -212,4 +226,12 @@
|
||||
#rules needed for nmap
|
||||
dev_read_rand(traceroute_t)
|
||||
dev_read_urand(traceroute_t)
|
||||
+dev_read_usbmon_dev(netutils_t)
|
||||
files_read_usr_files(traceroute_t)
|
||||
+
|
||||
+term_use_all_terms(traceroute_t)
|
||||
@ -763,7 +774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc
|
||||
/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.8.3/policy/modules/admin/rpm.if
|
||||
--- nsaserefpolicy/policy/modules/admin/rpm.if 2010-05-25 16:28:22.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/admin/rpm.if 2010-06-08 11:32:10.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/admin/rpm.if 2010-06-09 17:43:12.000000000 -0400
|
||||
@@ -13,11 +13,36 @@
|
||||
interface(`rpm_domtrans',`
|
||||
gen_require(`
|
||||
@ -883,7 +894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -556,3 +626,48 @@
|
||||
@@ -556,3 +626,66 @@
|
||||
|
||||
files_pid_filetrans($1, rpm_var_run_t, file)
|
||||
')
|
||||
@ -932,6 +943,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
|
||||
+')
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Make rpm_exec_t an entry point for
|
||||
+## the specified domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`rpm_entry_type',`
|
||||
+ gen_require(`
|
||||
+ type rpm_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ domain_entry_file($1, rpm_exec_t)
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.8.3/policy/modules/admin/rpm.te
|
||||
--- nsaserefpolicy/policy/modules/admin/rpm.te 2010-05-25 16:28:22.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/admin/rpm.te 2010-06-08 11:32:10.000000000 -0400
|
||||
@ -1119,8 +1148,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
|
||||
java_domtrans_unconfined(rpm_script_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.8.3/policy/modules/admin/shorewall.te
|
||||
--- nsaserefpolicy/policy/modules/admin/shorewall.te 2010-05-25 16:28:22.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/admin/shorewall.te 2010-06-08 11:32:10.000000000 -0400
|
||||
@@ -87,7 +87,11 @@
|
||||
+++ serefpolicy-3.8.3/policy/modules/admin/shorewall.te 2010-06-11 10:56:42.000000000 -0400
|
||||
@@ -81,13 +81,18 @@
|
||||
|
||||
init_rw_utmp(shorewall_t)
|
||||
|
||||
+logging_read_generic_logs(shorewall_t)
|
||||
logging_send_syslog_msg(shorewall_t)
|
||||
|
||||
miscfiles_read_localization(shorewall_t)
|
||||
|
||||
sysnet_domtrans_ifconfig(shorewall_t)
|
||||
|
||||
@ -4986,7 +5022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc
|
||||
/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.8.3/policy/modules/apps/qemu.if
|
||||
--- nsaserefpolicy/policy/modules/apps/qemu.if 2010-02-22 08:30:53.000000000 -0500
|
||||
+++ serefpolicy-3.8.3/policy/modules/apps/qemu.if 2010-06-08 11:32:10.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/apps/qemu.if 2010-06-09 17:41:04.000000000 -0400
|
||||
@@ -127,12 +127,14 @@
|
||||
template(`qemu_role',`
|
||||
gen_require(`
|
||||
@ -6678,7 +6714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
|
||||
#
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.8.3/policy/modules/kernel/corenetwork.te.in
|
||||
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-05-25 16:28:22.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/kernel/corenetwork.te.in 2010-06-08 11:32:10.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/kernel/corenetwork.te.in 2010-06-11 11:15:13.000000000 -0400
|
||||
@@ -25,6 +25,7 @@
|
||||
#
|
||||
type tun_tap_device_t;
|
||||
@ -6774,8 +6810,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
|
||||
network_port(printer, tcp,515,s0)
|
||||
network_port(ptal, tcp,5703,s0)
|
||||
network_port(pulseaudio, tcp,4713,s0)
|
||||
@@ -184,15 +202,17 @@
|
||||
@@ -182,17 +200,20 @@
|
||||
network_port(sap, tcp,9875,s0, udp,9875,s0)
|
||||
network_port(sieve, tcp,4190,s0)
|
||||
network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0)
|
||||
+network_port(sixxsconfig, tcp,3874,s0, udp,3874,s0)
|
||||
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
|
||||
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
|
||||
-network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0)
|
||||
@ -6793,7 +6832,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
|
||||
network_port(syslogd, udp,514,s0)
|
||||
network_port(telnetd, tcp,23,s0)
|
||||
network_port(tftp, udp,69,s0)
|
||||
@@ -205,13 +225,13 @@
|
||||
@@ -205,13 +226,13 @@
|
||||
network_port(varnishd, tcp,6081,s0, tcp,6082,s0)
|
||||
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
|
||||
network_port(virt_migration, tcp,49152-49216,s0)
|
||||
@ -10880,19 +10919,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.
|
||||
corenet_tcp_sendrecv_generic_if(afs_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.fc serefpolicy-3.8.3/policy/modules/services/aiccu.fc
|
||||
--- nsaserefpolicy/policy/modules/services/aiccu.fc 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/aiccu.fc 2010-06-08 11:32:10.000000000 -0400
|
||||
@@ -0,0 +1,5 @@
|
||||
+
|
||||
+/usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0)
|
||||
+
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/aiccu.fc 2010-06-11 11:16:28.000000000 -0400
|
||||
@@ -0,0 +1,6 @@
|
||||
+/etc/aiccu.conf -- gen_context(system_u:object_r:aiccu_etc_t,s0)
|
||||
+/etc/rc\.d/init\.d/aiccu -- gen_context(system_u:object_r:aiccu_initrc_exec_t,s0)
|
||||
+/var/run/aiccu.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0)
|
||||
+
|
||||
+/usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0)
|
||||
+
|
||||
+/var/run/aiccu\.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.if serefpolicy-3.8.3/policy/modules/services/aiccu.if
|
||||
--- nsaserefpolicy/policy/modules/services/aiccu.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/aiccu.if 2010-06-08 11:32:10.000000000 -0400
|
||||
@@ -0,0 +1,119 @@
|
||||
+
|
||||
+## <summary>policy for aiccu</summary>
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/aiccu.if 2010-06-11 11:15:13.000000000 -0400
|
||||
@@ -0,0 +1,118 @@
|
||||
+## <summary>Automatic IPv6 Connectivity Client Utility.</summary>
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
@ -10910,6 +10949,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
|
||||
+ ')
|
||||
+
|
||||
+ domtrans_pattern($1, aiccu_exec_t, aiccu_t)
|
||||
+ corecmd_search_bin($1)
|
||||
+')
|
||||
+
|
||||
+
|
||||
@ -10919,7 +10959,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## The type of the process performing this action.
|
||||
+## Domain allowed to transition.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
@ -10946,13 +10986,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
|
||||
+ type aiccu_var_run_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_pids($1)
|
||||
+ allow $1 aiccu_var_run_t:file read_file_perms;
|
||||
+ files_search_pids($1)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Manage aiccu var_run files.
|
||||
+## Manage aiccu PID files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
@ -10965,15 +11005,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
|
||||
+ type aiccu_var_run_t;
|
||||
+ ')
|
||||
+
|
||||
+ manage_dirs_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
|
||||
+ manage_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
|
||||
+ manage_lnk_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
|
||||
+ manage_dirs_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
|
||||
+ manage_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
|
||||
+ manage_lnk_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
|
||||
+ files_search_pids($1)
|
||||
+')
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## All of the rules required to administrate
|
||||
+## All of the rules required to administrate
|
||||
+## an aiccu environment
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
@ -10990,31 +11031,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
|
||||
+#
|
||||
+interface(`aiccu_admin',`
|
||||
+ gen_require(`
|
||||
+ type aiccu_t;
|
||||
+ type aiccu_t, aiccu_initrc_exec_t, aiccu_etc_t;
|
||||
+ type aiccu_var_run_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 aiccu_t:process { ptrace signal_perms getattr };
|
||||
+ read_files_pattern($1, aiccu_t, aiccu_t)
|
||||
+
|
||||
+ allow $1 aiccu_t:process { ptrace signal_perms };
|
||||
+ ps_process_pattern($1, aiccu_t)
|
||||
+
|
||||
+ gen_require(`
|
||||
+ type aiccu_initrc_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ # Allow aiccu_t to restart the apache service
|
||||
+ aiccu_initrc_domtrans($1)
|
||||
+ domain_system_change_exemption($1)
|
||||
+ role_transition $2 aiccu_initrc_exec_t system_r;
|
||||
+ allow $2 system_r;
|
||||
+
|
||||
+ aiccu_manage_var_run($1)
|
||||
+ admin_pattern($1, aiccu_etc_t)
|
||||
+ files_search_etc($1)
|
||||
+
|
||||
+ admin_pattern($1, aiccu_var_run_t)
|
||||
+ files_search_pids($1)
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.te serefpolicy-3.8.3/policy/modules/services/aiccu.te
|
||||
--- nsaserefpolicy/policy/modules/services/aiccu.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/aiccu.te 2010-06-08 11:32:10.000000000 -0400
|
||||
@@ -0,0 +1,42 @@
|
||||
+policy_module(aiccu,1.0.0)
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/aiccu.te 2010-06-11 11:20:20.000000000 -0400
|
||||
@@ -0,0 +1,71 @@
|
||||
+
|
||||
+policy_module(aiccu, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
@ -11028,6 +11068,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
|
||||
+type aiccu_initrc_exec_t;
|
||||
+init_script_file(aiccu_initrc_exec_t)
|
||||
+
|
||||
+type aiccu_etc_t;
|
||||
+files_config_file(aiccu_etc_t)
|
||||
+
|
||||
+type aiccu_var_run_t;
|
||||
+files_pid_file(aiccu_var_run_t)
|
||||
+
|
||||
@ -11036,26 +11079,51 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
|
||||
+# aiccu local policy
|
||||
+#
|
||||
+
|
||||
+allow aiccu_t self:capability { kill };
|
||||
+allow aiccu_t self:process { fork signal };
|
||||
+
|
||||
+# Init script handling
|
||||
+domain_use_interactive_fds(aiccu_t)
|
||||
+
|
||||
+# internal communication is often done using fifo and unix sockets.
|
||||
+allow aiccu_t self:capability { kill net_admin };
|
||||
+allow aiccu_t self:process signal;
|
||||
+allow aiccu_t self:fifo_file rw_file_perms;
|
||||
+allow aiccu_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
+allow aiccu_t self:tcp_socket create_stream_socket_perms;
|
||||
+allow aiccu_t self:tun_socket create_socket_perms;
|
||||
+allow aiccu_t self:udp_socket create_stream_socket_perms;
|
||||
+allow aiccu_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+
|
||||
+files_read_etc_files(aiccu_t)
|
||||
+
|
||||
+corenet_rw_tun_tap_dev(aiccu_t)
|
||||
+
|
||||
+miscfiles_read_localization(aiccu_t)
|
||||
+allow aiccu_t aiccu_etc_t:file read_file_perms;
|
||||
+
|
||||
+manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
|
||||
+manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
|
||||
+files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir })
|
||||
+
|
||||
+kernel_read_system_state(aiccu_t)
|
||||
+
|
||||
+corecmd_exec_shell(aiccu_t)
|
||||
+
|
||||
+corenet_all_recvfrom_netlabel(aiccu_t)
|
||||
+corenet_all_recvfrom_unlabeled(aiccu_t)
|
||||
+corenet_tcp_bind_generic_node(aiccu_t)
|
||||
+corenet_tcp_sendrecv_generic_if(aiccu_t)
|
||||
+corenet_tcp_sendrecv_generic_node(aiccu_t)
|
||||
+corenet_tcp_sendrecv_generic_port(aiccu_t)
|
||||
+corenet_sendrecv_sixxsconfig_client_packets(aiccu_t)
|
||||
+corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t)
|
||||
+corenet_tcp_connect_sixxsconfig_port(aiccu_t)
|
||||
+corenet_rw_tun_tap_dev(aiccu_t)
|
||||
+
|
||||
+domain_use_interactive_fds(aiccu_t)
|
||||
+
|
||||
+dev_read_rand(aiccu_t)
|
||||
+dev_read_urand(aiccu_t)
|
||||
+
|
||||
+files_read_etc_files(aiccu_t)
|
||||
+
|
||||
+logging_send_syslog_msg(aiccu_t)
|
||||
+
|
||||
+miscfiles_read_localization(aiccu_t)
|
||||
+
|
||||
+modutils_domtrans_insmod(aiccu_t)
|
||||
+
|
||||
+sysnet_domtrans_ifconfig(aiccu_t)
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.8.3/policy/modules/services/aisexec.te
|
||||
--- nsaserefpolicy/policy/modules/services/aisexec.te 2010-05-25 16:28:22.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/aisexec.te 2010-06-08 11:32:10.000000000 -0400
|
||||
@ -12987,7 +13055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir
|
||||
+/var/run/cmirrord\.pid -- gen_context(system_u:object_r:cmirrord_var_run_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmirrord.if serefpolicy-3.8.3/policy/modules/services/cmirrord.if
|
||||
--- nsaserefpolicy/policy/modules/services/cmirrord.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/cmirrord.if 2010-06-08 11:32:10.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/cmirrord.if 2010-06-10 08:52:34.000000000 -0400
|
||||
@@ -0,0 +1,118 @@
|
||||
+
|
||||
+## <summary>policy for cmirrord</summary>
|
||||
@ -13060,14 +13128,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir
|
||||
+interface(`cmirrord_rw_shm',`
|
||||
+ gen_require(`
|
||||
+ type cmirrord_t;
|
||||
+ type cmirrord_tmpfs_t;
|
||||
+ type cmirrord_tmpfs_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 cmirrord_t:shm { rw_shm_perms destroy };
|
||||
+ allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
|
||||
+ rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
|
||||
+ delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
|
||||
+ read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
|
||||
+ delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
|
||||
+ read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
|
||||
+ fs_search_tmpfs($1)
|
||||
+')
|
||||
+
|
||||
@ -13320,7 +13388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
|
||||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.8.3/policy/modules/services/corosync.te
|
||||
--- nsaserefpolicy/policy/modules/services/corosync.te 2010-05-25 16:28:22.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/corosync.te 2010-06-08 11:32:10.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/corosync.te 2010-06-11 11:31:01.000000000 -0400
|
||||
@@ -33,8 +33,8 @@
|
||||
# corosync local policy
|
||||
#
|
||||
@ -13368,17 +13436,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
|
||||
userdom_rw_user_tmpfs_files(corosync_t)
|
||||
|
||||
optional_policy(`
|
||||
@@ -91,6 +97,10 @@
|
||||
@@ -91,12 +97,12 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- # to communication with RHCS
|
||||
- rhcs_rw_dlm_controld_semaphores(corosync_t)
|
||||
-
|
||||
- rhcs_rw_fenced_semaphores(corosync_t)
|
||||
+ cmirrord_rw_shm(corosync_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
# to communication with RHCS
|
||||
rhcs_rw_dlm_controld_semaphores(corosync_t)
|
||||
|
||||
- rhcs_rw_gfs_controld_semaphores(corosync_t)
|
||||
+optional_policy(`
|
||||
+ # to communication with RHCS
|
||||
+ rhcs_rw_cluster_shm(corosync_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.8.3/policy/modules/services/cron.fc
|
||||
--- nsaserefpolicy/policy/modules/services/cron.fc 2009-09-16 09:09:20.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/cron.fc 2010-06-08 11:32:10.000000000 -0400
|
||||
@ -15791,6 +15866,301 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milt
|
||||
## Manage spamassassin milter state
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock.fc serefpolicy-3.8.3/policy/modules/services/mock.fc
|
||||
--- nsaserefpolicy/policy/modules/services/mock.fc 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/mock.fc 2010-06-09 17:38:11.000000000 -0400
|
||||
@@ -0,0 +1,6 @@
|
||||
+
|
||||
+/usr/sbin/mock -- gen_context(system_u:object_r:mock_exec_t,s0)
|
||||
+
|
||||
+/var/lib/mock(/.*)? gen_context(system_u:object_r:mock_var_lib_t,s0)
|
||||
+
|
||||
+/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock.if serefpolicy-3.8.3/policy/modules/services/mock.if
|
||||
--- nsaserefpolicy/policy/modules/services/mock.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/mock.if 2010-06-09 17:38:11.000000000 -0400
|
||||
@@ -0,0 +1,183 @@
|
||||
+
|
||||
+## <summary>policy for mock</summary>
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute a domain transition to run mock.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed to transition.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`mock_domtrans',`
|
||||
+ gen_require(`
|
||||
+ type mock_t, mock_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ domtrans_pattern($1, mock_exec_t, mock_t)
|
||||
+')
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Search mock lib directories.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`mock_search_lib',`
|
||||
+ gen_require(`
|
||||
+ type mock_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 mock_var_lib_t:dir search_dir_perms;
|
||||
+ files_search_var_lib($1)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read mock lib files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`mock_read_lib_files',`
|
||||
+ gen_require(`
|
||||
+ type mock_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_var_lib($1)
|
||||
+ read_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Create, read, write, and delete
|
||||
+## mock lib files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`mock_manage_lib_files',`
|
||||
+ gen_require(`
|
||||
+ type mock_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_var_lib($1)
|
||||
+ manage_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Manage mock lib dirs files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`mock_manage_lib_dirs',`
|
||||
+ gen_require(`
|
||||
+ type mock_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_var_lib($1)
|
||||
+ manage_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t)
|
||||
+')
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute mock in the mock domain, and
|
||||
+## allow the specified role the mock domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="role">
|
||||
+## <summary>
|
||||
+## The role to be allowed the mock domain.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`mock_run',`
|
||||
+ gen_require(`
|
||||
+ type mock_t;
|
||||
+ ')
|
||||
+
|
||||
+ mock_domtrans($1)
|
||||
+ role $2 types mock_t;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Role access for mock
|
||||
+## </summary>
|
||||
+## <param name="role">
|
||||
+## <summary>
|
||||
+## Role allowed access
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## User domain for the role
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`mock_role',`
|
||||
+ gen_require(`
|
||||
+ type mock_t;
|
||||
+ ')
|
||||
+
|
||||
+ role $1 types mock_t;
|
||||
+
|
||||
+ mock_domtrans($2)
|
||||
+
|
||||
+ ps_process_pattern($2, mock_t)
|
||||
+ allow $2 mock_t:process signal;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## All of the rules required to administrate
|
||||
+## an mock environment
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="role">
|
||||
+## <summary>
|
||||
+## Role allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`mock_admin',`
|
||||
+ gen_require(`
|
||||
+ type mock_t;
|
||||
+ type mock_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 mock_t:process { ptrace signal_perms };
|
||||
+ ps_process_pattern($1, mock_t)
|
||||
+
|
||||
+ files_search_var_lib($1)
|
||||
+ admin_pattern($1, mock_var_lib_t)
|
||||
+
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock.te serefpolicy-3.8.3/policy/modules/services/mock.te
|
||||
--- nsaserefpolicy/policy/modules/services/mock.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/mock.te 2010-06-09 17:44:30.000000000 -0400
|
||||
@@ -0,0 +1,94 @@
|
||||
+policy_module(mock,1.0.0)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# Declarations
|
||||
+#
|
||||
+
|
||||
+type mock_t;
|
||||
+type mock_exec_t;
|
||||
+application_domain(mock_t, mock_exec_t)
|
||||
+domain_role_change_exemption(mock_t)
|
||||
+domain_system_change_exemption(mock_t)
|
||||
+role system_r types mock_t;
|
||||
+
|
||||
+permissive mock_t;
|
||||
+
|
||||
+type mock_cache_t;
|
||||
+files_type(mock_cache_t)
|
||||
+
|
||||
+type mock_tmp_t;
|
||||
+files_tmp_file(mock_tmp_t)
|
||||
+
|
||||
+type mock_var_lib_t;
|
||||
+files_type(mock_var_lib_t)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# mock local policy
|
||||
+#
|
||||
+allow mock_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner };
|
||||
+allow mock_t self:process { siginh noatsecure signull transition rlimitinh setsched setpgid };
|
||||
+dontaudit mock_t self:process { siginh noatsecure rlimitinh };
|
||||
+allow mock_t self:fifo_file manage_fifo_file_perms;
|
||||
+allow mock_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+allow mock_t self:unix_dgram_socket create_socket_perms;
|
||||
+
|
||||
+manage_dirs_pattern(mock_t, mock_cache_t, mock_cache_t)
|
||||
+manage_files_pattern(mock_t, mock_cache_t, mock_cache_t)
|
||||
+files_var_filetrans(mock_t, mock_cache_t, { dir file } )
|
||||
+
|
||||
+manage_dirs_pattern(mock_t, mock_tmp_t, mock_tmp_t)
|
||||
+manage_files_pattern(mock_t, mock_tmp_t, mock_tmp_t)
|
||||
+files_tmp_filetrans(mock_t, mock_tmp_t, { dir file } )
|
||||
+can_exec(mock_t, mock_tmp_t)
|
||||
+
|
||||
+manage_dirs_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
|
||||
+manage_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
|
||||
+manage_lnk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
|
||||
+manage_chr_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
|
||||
+files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file } )
|
||||
+can_exec(mock_t, mock_var_lib_t)
|
||||
+allow mock_t mock_var_lib_t:dir mounton;
|
||||
+
|
||||
+kernel_list_proc(mock_t)
|
||||
+kernel_read_irq_sysctls(mock_t)
|
||||
+kernel_read_system_state(mock_t)
|
||||
+kernel_read_kernel_sysctls(mock_t)
|
||||
+
|
||||
+corecmd_exec_bin(mock_t)
|
||||
+corecmd_exec_shell(mock_t)
|
||||
+
|
||||
+corenet_tcp_connect_http_port(mock_t)
|
||||
+
|
||||
+dev_read_urand(mock_t)
|
||||
+
|
||||
+domain_poly(mock_t)
|
||||
+domain_read_all_domains_state(mock_t)
|
||||
+domain_use_interactive_fds(mock_t)
|
||||
+
|
||||
+files_read_etc_files(mock_t)
|
||||
+files_read_usr_files(mock_t)
|
||||
+
|
||||
+fs_getattr_all_fs(mock_t)
|
||||
+
|
||||
+selinux_get_enforce_mode(mock_t)
|
||||
+
|
||||
+auth_use_nsswitch(mock_t)
|
||||
+
|
||||
+init_exec(mock_t)
|
||||
+
|
||||
+libs_domtrans_ldconfig(mock_t)
|
||||
+
|
||||
+logging_send_audit_msgs(mock_t)
|
||||
+logging_send_syslog_msg(mock_t)
|
||||
+
|
||||
+miscfiles_read_localization(mock_t)
|
||||
+
|
||||
+mount_domtrans(mock_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ rpm_exec(mock_t)
|
||||
+ rpm_manage_db(mock_t)
|
||||
+ rpm_entry_type(mock_t)
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.8.3/policy/modules/services/modemmanager.te
|
||||
--- nsaserefpolicy/policy/modules/services/modemmanager.te 2010-05-25 16:28:22.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/modemmanager.te 2010-06-08 11:32:10.000000000 -0400
|
||||
@ -19103,10 +19473,89 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
|
||||
mysql_domtrans_mysql_safe(rgmanager_t)
|
||||
mysql_stream_connect(rgmanager_t)
|
||||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.8.3/policy/modules/services/rhcs.if
|
||||
--- nsaserefpolicy/policy/modules/services/rhcs.if 2010-05-25 16:28:22.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/rhcs.if 2010-06-11 11:30:32.000000000 -0400
|
||||
@@ -14,6 +14,7 @@
|
||||
template(`rhcs_domain_template',`
|
||||
gen_require(`
|
||||
attribute cluster_domain;
|
||||
+ attribute cluster_tmpfs;
|
||||
')
|
||||
|
||||
##############################
|
||||
@@ -25,7 +26,7 @@
|
||||
type $1_exec_t;
|
||||
init_daemon_domain($1_t, $1_exec_t)
|
||||
|
||||
- type $1_tmpfs_t;
|
||||
+ type $1_tmpfs_t, cluster_tmpfs;
|
||||
files_tmpfs_file($1_tmpfs_t)
|
||||
|
||||
type $1_var_log_t;
|
||||
@@ -335,6 +336,28 @@
|
||||
manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
|
||||
')
|
||||
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read and write to group shared memory.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`rhcs_rw_cluster_shm',`
|
||||
+ gen_require(`
|
||||
+ attribute cluster_domain;
|
||||
+ attribute cluster_tmpfs;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 cluster_domain:shm { rw_shm_perms destroy };
|
||||
+
|
||||
+ fs_search_tmpfs($1)
|
||||
+ manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs)
|
||||
+')
|
||||
+
|
||||
######################################
|
||||
## <summary>
|
||||
## Execute a domain transition to run qdiskd.
|
||||
@@ -353,3 +376,21 @@
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, qdiskd_exec_t, qdiskd_t)
|
||||
')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Allow domain to read qdiskd tmpfs files
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`rhcs_read_qdiskd_tmpfs_files',`
|
||||
+ gen_require(`
|
||||
+ type qdiskd_tmpfs_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 qdiskd_tmpfs_t:file read_file_perms;
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.8.3/policy/modules/services/rhcs.te
|
||||
--- nsaserefpolicy/policy/modules/services/rhcs.te 2010-05-25 16:28:22.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/rhcs.te 2010-06-08 11:32:10.000000000 -0400
|
||||
@@ -56,17 +56,13 @@
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/rhcs.te 2010-06-11 11:31:16.000000000 -0400
|
||||
@@ -14,6 +14,7 @@
|
||||
gen_tunable(fenced_can_network_connect, false)
|
||||
|
||||
attribute cluster_domain;
|
||||
+attribute cluster_tmpfs;
|
||||
|
||||
rhcs_domain_template(dlm_controld)
|
||||
|
||||
@@ -56,17 +57,13 @@
|
||||
|
||||
init_rw_script_tmp_files(dlm_controld_t)
|
||||
|
||||
@ -19125,7 +19574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
|
||||
|
||||
allow fenced_t self:tcp_socket create_stream_socket_perms;
|
||||
allow fenced_t self:udp_socket create_socket_perms;
|
||||
@@ -83,7 +79,10 @@
|
||||
@@ -83,7 +80,10 @@
|
||||
|
||||
stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
|
||||
|
||||
@ -19136,7 +19585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
|
||||
|
||||
corenet_tcp_connect_http_port(fenced_t)
|
||||
|
||||
@@ -107,7 +106,6 @@
|
||||
@@ -107,7 +107,6 @@
|
||||
|
||||
optional_policy(`
|
||||
ccs_read_config(fenced_t)
|
||||
@ -19144,7 +19593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -140,10 +138,6 @@
|
||||
@@ -140,10 +139,6 @@
|
||||
init_rw_script_tmp_files(gfs_controld_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -19155,7 +19604,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
|
||||
lvm_exec(gfs_controld_t)
|
||||
dev_rw_lvm_control(gfs_controld_t)
|
||||
')
|
||||
@@ -169,7 +163,7 @@
|
||||
@@ -169,7 +164,7 @@
|
||||
# qdiskd local policy
|
||||
#
|
||||
|
||||
@ -19164,7 +19613,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
|
||||
|
||||
allow qdiskd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow qdiskd_t self:udp_socket create_socket_perms;
|
||||
@@ -208,10 +202,6 @@
|
||||
@@ -208,10 +203,6 @@
|
||||
auth_use_nsswitch(qdiskd_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -19175,7 +19624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
|
||||
netutils_domtrans_ping(qdiskd_t)
|
||||
')
|
||||
|
||||
@@ -237,5 +227,9 @@
|
||||
@@ -237,5 +228,9 @@
|
||||
miscfiles_read_localization(cluster_domain)
|
||||
|
||||
optional_policy(`
|
||||
@ -21127,6 +21576,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varn
|
||||
#######################################
|
||||
## <summary>
|
||||
## Read varnish logs.
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.8.3/policy/modules/services/vhostmd.if
|
||||
--- nsaserefpolicy/policy/modules/services/vhostmd.if 2010-03-29 15:04:22.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/vhostmd.if 2010-06-10 08:52:54.000000000 -0400
|
||||
@@ -42,7 +42,7 @@
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
-## Domain to not audit.
|
||||
+## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.te serefpolicy-3.8.3/policy/modules/services/vhostmd.te
|
||||
--- nsaserefpolicy/policy/modules/services/vhostmd.te 2010-03-29 15:04:22.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/vhostmd.te 2010-06-08 11:32:10.000000000 -0400
|
||||
@ -23631,7 +24092,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
|
||||
# /var
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.8.3/policy/modules/system/init.if
|
||||
--- nsaserefpolicy/policy/modules/system/init.if 2010-03-18 10:35:11.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/system/init.if 2010-06-09 16:31:07.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/system/init.if 2010-06-09 17:42:17.000000000 -0400
|
||||
@@ -193,8 +193,10 @@
|
||||
gen_require(`
|
||||
attribute direct_run_init, direct_init, direct_init_entry;
|
||||
@ -28117,7 +28578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
+HOME_DIR/\.gvfs(/.*)? <<none>>
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.8.3/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-06-08 10:35:48.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/system/userdomain.if 2010-06-08 11:56:33.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/system/userdomain.if 2010-06-10 09:12:21.000000000 -0400
|
||||
@@ -30,8 +30,9 @@
|
||||
')
|
||||
|
||||
|
@ -20,7 +20,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.8.3
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -469,6 +469,10 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Jun 9 2010 Dan Walsh <dwalsh@redhat.com> 3.8.3-3
|
||||
- Cleanup of aiccu policy
|
||||
- initial mock policy
|
||||
|
||||
* Wed Jun 9 2010 Dan Walsh <dwalsh@redhat.com> 3.8.3-2
|
||||
- Lots of random fixes
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user