- Allow svirt images to create sock_file in svirt_var_run_t
parent
4673269d66
commit
f3b436ca6a
288
policy-F12.patch
288
policy-F12.patch
@ -1008,7 +1008,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
java_domtrans_unconfined(rpm_script_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.26/policy/modules/admin/sudo.if
|
||||
--- nsaserefpolicy/policy/modules/admin/sudo.if 2009-07-28 13:28:33.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/admin/sudo.if 2009-07-30 15:33:08.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/admin/sudo.if 2009-08-05 07:57:19.000000000 -0400
|
||||
@@ -66,8 +66,8 @@
|
||||
allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow $1_sudo_t self:unix_dgram_socket sendto;
|
||||
@ -1041,6 +1041,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_files($1_sudo_t)
|
||||
@@ -147,6 +149,11 @@
|
||||
optional_policy(`
|
||||
dbus_system_bus_client($1_sudo_t)
|
||||
')
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ fprintd_dbus_chat($1_sudo_t)
|
||||
+ ')
|
||||
+
|
||||
')
|
||||
|
||||
########################################
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.6.26/policy/modules/admin/tmpreaper.te
|
||||
--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2009-07-28 13:28:33.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/admin/tmpreaper.te 2009-07-30 15:33:08.000000000 -0400
|
||||
@ -2575,8 +2587,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.26/policy/modules/apps/nsplugin.te
|
||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.26/policy/modules/apps/nsplugin.te 2009-07-30 15:33:08.000000000 -0400
|
||||
@@ -0,0 +1,287 @@
|
||||
+++ serefpolicy-3.6.26/policy/modules/apps/nsplugin.te 2009-08-05 07:20:45.000000000 -0400
|
||||
@@ -0,0 +1,285 @@
|
||||
+
|
||||
+policy_module(nsplugin, 1.0.0)
|
||||
+
|
||||
@ -2769,12 +2781,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ xserver_common_app(nsplugin_t)
|
||||
+ xserver_rw_shm(nsplugin_t)
|
||||
+ xserver_read_xdm_tmp_files(nsplugin_t)
|
||||
+ xserver_read_xdm_pid(nsplugin_t)
|
||||
+ xserver_read_user_xauth(nsplugin_t)
|
||||
+ xserver_read_user_iceauth(nsplugin_t)
|
||||
+ xserver_use_user_fonts(nsplugin_t)
|
||||
+ xserver_manage_home_fonts(nsplugin_t)
|
||||
+ xserver_dontaudit_rw_xdm_home_files(nsplugin_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
@ -3948,8 +3958,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.26/policy/modules/apps/screen.if
|
||||
--- nsaserefpolicy/policy/modules/apps/screen.if 2009-07-23 14:11:04.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/apps/screen.if 2009-07-30 15:33:08.000000000 -0400
|
||||
@@ -157,3 +157,24 @@
|
||||
+++ serefpolicy-3.6.26/policy/modules/apps/screen.if 2009-08-05 07:38:57.000000000 -0400
|
||||
@@ -61,6 +61,8 @@
|
||||
manage_fifo_files_pattern($1_screen_t, screen_dir_t, screen_var_run_t)
|
||||
manage_dirs_pattern($1_screen_t, screen_dir_t, screen_dir_t)
|
||||
filetrans_pattern($1_screen_t, screen_dir_t, screen_var_run_t, fifo_file)
|
||||
+ dontaudit $3 $1_var_run_t:fifo_file read;
|
||||
+
|
||||
files_pid_filetrans($1_screen_t, screen_dir_t, dir)
|
||||
|
||||
allow $1_screen_t screen_home_t:dir list_dir_perms;
|
||||
@@ -91,6 +93,7 @@
|
||||
# Revert to the user domain when a shell is executed.
|
||||
corecmd_shell_domtrans($1_screen_t, $3)
|
||||
corecmd_bin_domtrans($1_screen_t, $3)
|
||||
+ allow $3 $1_screen_t:process sigchld;
|
||||
|
||||
corenet_all_recvfrom_unlabeled($1_screen_t)
|
||||
corenet_all_recvfrom_netlabel($1_screen_t)
|
||||
@@ -157,3 +160,24 @@
|
||||
nscd_socket_use($1_screen_t)
|
||||
')
|
||||
')
|
||||
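Review bot: The added `dontaudit $3 $1_var_run_t:fifo_file read;` names a type this template does not declare or require — the pid fifo type used two lines earlier is `screen_var_run_t` (both the manage_fifo_files_pattern and the filetrans_pattern target it), so for prefix `staff` this expands to `staff_var_run_t` and the module will fail to build unless such a type happens to exist elsewhere. I would change it to `dontaudit $3 screen_var_run_t:fifo_file read;`, which matches the type the fifo is actually created with. The `allow $3 $1_screen_t:process sigchld;` addition looks correct for the shell-exits-back-to-user flow. The screen_role_template body starts and ends outside this hunk.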
@ -4561,7 +4588,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.26/policy/modules/kernel/domain.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/domain.if 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/kernel/domain.if 2009-08-03 08:04:07.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/kernel/domain.if 2009-08-05 08:03:44.000000000 -0400
|
||||
@@ -44,34 +44,6 @@
|
||||
interface(`domain_type',`
|
||||
# start with basic domain
|
||||
@ -4744,7 +4771,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.26/policy/modules/kernel/domain.te
|
||||
--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/kernel/domain.te 2009-07-30 15:33:08.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/kernel/domain.te 2009-08-05 07:21:34.000000000 -0400
|
||||
@@ -5,6 +5,13 @@
|
||||
#
|
||||
# Declarations
|
||||
@ -4802,7 +4829,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
optional_policy(`
|
||||
xserver_dontaudit_use_xdm_fds(domain)
|
||||
xserver_dontaudit_rw_xdm_pipes(domain)
|
||||
+ xserver_dontaudit_rw_xdm_home_files(domain)
|
||||
+ xserver_dontaudit_append_xdm_home_files(domain)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -5643,31 +5670,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+gen_user(guest_u, user, guest_r, s0, s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.26/policy/modules/roles/staff.te
|
||||
--- nsaserefpolicy/policy/modules/roles/staff.te 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/roles/staff.te 2009-07-30 15:33:08.000000000 -0400
|
||||
@@ -15,156 +15,105 @@
|
||||
+++ serefpolicy-3.6.26/policy/modules/roles/staff.te 2009-08-05 07:37:10.000000000 -0400
|
||||
@@ -15,156 +15,110 @@
|
||||
# Local policy
|
||||
#
|
||||
|
||||
-optional_policy(`
|
||||
- apache_role(staff_r, staff_t)
|
||||
-')
|
||||
+kernel_read_ring_buffer(staff_t)
|
||||
+kernel_getattr_core_if(staff_t)
|
||||
+kernel_getattr_message_if(staff_t)
|
||||
+kernel_read_software_raid_state(staff_t)
|
||||
|
||||
-
|
||||
-optional_policy(`
|
||||
- auth_role(staff_r, staff_t)
|
||||
-')
|
||||
+auth_domtrans_pam_console(staff_t)
|
||||
|
||||
-
|
||||
-optional_policy(`
|
||||
- auditadm_role_change(staff_r)
|
||||
-')
|
||||
+seutil_run_newrole(staff_t, staff_r)
|
||||
+netutils_run_ping(staff_t, staff_r)
|
||||
|
||||
optional_policy(`
|
||||
-
|
||||
-optional_policy(`
|
||||
- bluetooth_role(staff_r, staff_t)
|
||||
-')
|
||||
-
|
||||
@ -5682,7 +5702,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
-optional_policy(`
|
||||
- dbus_role_template(staff, staff_r, staff_t)
|
||||
-')
|
||||
-
|
||||
+kernel_read_ring_buffer(staff_t)
|
||||
+kernel_getattr_core_if(staff_t)
|
||||
+kernel_getattr_message_if(staff_t)
|
||||
+kernel_read_software_raid_state(staff_t)
|
||||
|
||||
-optional_policy(`
|
||||
- ethereal_role(staff_r, staff_t)
|
||||
-')
|
||||
@ -5694,113 +5718,117 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
-optional_policy(`
|
||||
- games_role(staff_r, staff_t)
|
||||
-')
|
||||
-
|
||||
+auth_domtrans_pam_console(staff_t)
|
||||
|
||||
-optional_policy(`
|
||||
- gift_role(staff_r, staff_t)
|
||||
-')
|
||||
-
|
||||
-optional_policy(`
|
||||
+seutil_run_newrole(staff_t, staff_r)
|
||||
+netutils_run_ping(staff_t, staff_r)
|
||||
|
||||
optional_policy(`
|
||||
- gnome_role(staff_r, staff_t)
|
||||
-')
|
||||
-
|
||||
-optional_policy(`
|
||||
- gpg_role(staff_r, staff_t)
|
||||
+ sudo_role_template(staff, staff_r, staff_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- irc_role(staff_r, staff_t)
|
||||
- gpg_role(staff_r, staff_t)
|
||||
+ auditadm_role_change(staff_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- java_role(staff_r, staff_t)
|
||||
- irc_role(staff_r, staff_t)
|
||||
+ kerneloops_manage_tmp_files(staff_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- lockdev_role(staff_r, staff_t)
|
||||
- java_role(staff_r, staff_t)
|
||||
+ logadm_role_change(staff_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- lpd_role(staff_r, staff_t)
|
||||
- lockdev_role(staff_r, staff_t)
|
||||
+ postgresql_role(staff_r, staff_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- mozilla_role(staff_r, staff_t)
|
||||
- lpd_role(staff_r, staff_t)
|
||||
+ rtkit_daemon_system_domain(staff_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- mplayer_role(staff_r, staff_t)
|
||||
- mozilla_role(staff_r, staff_t)
|
||||
+ secadm_role_change(staff_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- mta_role(staff_r, staff_t)
|
||||
- mplayer_role(staff_r, staff_t)
|
||||
+ ssh_role_template(staff, staff_r, staff_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- mta_role(staff_r, staff_t)
|
||||
+ sysadm_role_change(staff_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- oident_manage_user_content(staff_t)
|
||||
- oident_relabel_user_content(staff_t)
|
||||
+ sysadm_role_change(staff_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- pyzor_role(staff_r, staff_t)
|
||||
+ usernetctl_run(staff_t, staff_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- razor_role(staff_r, staff_t)
|
||||
- pyzor_role(staff_r, staff_t)
|
||||
+ unconfined_role_change(staff_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- rssh_role(staff_r, staff_t)
|
||||
- razor_role(staff_r, staff_t)
|
||||
+ webadm_role_change(staff_r)
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- screen_role_template(staff, staff_r, staff_t)
|
||||
- rssh_role(staff_r, staff_t)
|
||||
-')
|
||||
+domain_read_all_domains_state(staff_t)
|
||||
+domain_getattr_all_domains(staff_t)
|
||||
+domain_obj_id_change_exemption(staff_t)
|
||||
|
||||
-optional_policy(`
|
||||
- secadm_role_change(staff_r)
|
||||
- screen_role_template(staff, staff_r, staff_t)
|
||||
-')
|
||||
+files_read_kernel_modules(staff_t)
|
||||
|
||||
-optional_policy(`
|
||||
- spamassassin_role(staff_r, staff_t)
|
||||
- secadm_role_change(staff_r)
|
||||
-')
|
||||
+kernel_read_fs_sysctls(staff_t)
|
||||
|
||||
-optional_policy(`
|
||||
- ssh_role_template(staff, staff_r, staff_t)
|
||||
- spamassassin_role(staff_r, staff_t)
|
||||
-')
|
||||
+modutils_read_module_config(staff_t)
|
||||
+modutils_read_module_deps(staff_t)
|
||||
|
||||
-optional_policy(`
|
||||
- su_role_template(staff, staff_r, staff_t)
|
||||
- ssh_role_template(staff, staff_r, staff_t)
|
||||
-')
|
||||
+miscfiles_read_hwdata(staff_t)
|
||||
|
||||
-optional_policy(`
|
||||
- sudo_role_template(staff, staff_r, staff_t)
|
||||
- su_role_template(staff, staff_r, staff_t)
|
||||
-')
|
||||
+term_use_unallocated_ttys(staff_t)
|
||||
|
||||
optional_policy(`
|
||||
- sudo_role_template(staff, staff_r, staff_t)
|
||||
+ gnomeclock_dbus_chat(staff_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- sysadm_role_change(staff_r)
|
||||
- userdom_dontaudit_use_user_terminals(staff_t)
|
||||
+ gnomeclock_dbus_chat(staff_t)
|
||||
+ lpd_list_spool(staff_t
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
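Review bot: `lpd_list_spool(staff_t` is missing its closing parenthesis, so m4 will either swallow the rest of the file into the macro argument or fail; it should read `lpd_list_spool(staff_t)`, and it presumably belongs in its own `optional_policy(` block rather than sharing the gnomeclock one. `sysadm_role_change(staff_r)` also appears in two separate optional_policy blocks in this hunk; if that is not just the old/new rendering of the same line, one of them is redundant. Several unconditional grants to staff_t here (`domain_obj_id_change_exemption`, `domain_read_all_domains_state`, `term_use_unallocated_ttys`) are sysadm-grade privileges; I cannot tell from the rendering which are new in this commit, but each deserves a one-line comment on why the staff role needs it. The staff.te local policy section continues beyond this hunk.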
@ -5820,6 +5848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
optional_policy(`
|
||||
- userhelper_role_template(staff, staff_r, staff_t)
|
||||
+ screen_role_template(staff, staff_r, staff_t)
|
||||
+ screen_manage_var_run(staff_t)
|
||||
')
|
||||
|
||||
@ -9828,7 +9857,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.26/policy/modules/services/dbus.if
|
||||
--- nsaserefpolicy/policy/modules/services/dbus.if 2009-07-28 13:28:33.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/services/dbus.if 2009-07-30 15:33:08.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/services/dbus.if 2009-08-05 07:49:49.000000000 -0400
|
||||
@@ -42,8 +42,10 @@
|
||||
gen_require(`
|
||||
class dbus { send_msg acquire_svc };
|
||||
@ -9867,7 +9896,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
userdom_read_user_home_content_files($1_dbusd_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
@@ -153,6 +157,10 @@
|
||||
@@ -153,12 +157,15 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -9878,7 +9907,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
hal_dbus_chat($1_dbusd_t)
|
||||
')
|
||||
|
||||
@@ -178,10 +186,12 @@
|
||||
optional_policy(`
|
||||
- xserver_use_xdm_fds($1_dbusd_t)
|
||||
- xserver_rw_xdm_pipes($1_dbusd_t)
|
||||
+ xserver_use_xdm($1_dbusd_t)
|
||||
')
|
||||
')
|
||||
|
||||
@@ -178,10 +185,12 @@
|
||||
type system_dbusd_t, system_dbusd_t;
|
||||
type system_dbusd_var_run_t, system_dbusd_var_lib_t;
|
||||
class dbus send_msg;
|
||||
@ -9892,7 +9928,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
|
||||
files_search_var_lib($1)
|
||||
@@ -190,6 +200,10 @@
|
||||
@@ -190,6 +199,10 @@
|
||||
files_search_pids($1)
|
||||
stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
|
||||
dbus_read_config($1)
|
||||
@ -9903,7 +9939,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -256,7 +270,7 @@
|
||||
@@ -256,7 +269,7 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -10959,8 +10995,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.6.26/policy/modules/services/modemmanager.te
|
||||
--- nsaserefpolicy/policy/modules/services/modemmanager.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.26/policy/modules/services/modemmanager.te 2009-07-30 15:33:08.000000000 -0400
|
||||
@@ -0,0 +1,41 @@
|
||||
+++ serefpolicy-3.6.26/policy/modules/services/modemmanager.te 2009-08-05 15:31:50.000000000 -0400
|
||||
@@ -0,0 +1,46 @@
|
||||
+policy_module(ModemManager,1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -10992,6 +11028,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
+files_read_etc_files(ModemManager_t)
|
||||
+
|
||||
+term_use_unallocated_ttys(ModemManager_t)
|
||||
+
|
||||
+miscfiles_read_localization(ModemManager_t)
|
||||
+
|
||||
+logging_send_syslog_msg(ModemManager_t)
|
||||
@ -11000,8 +11038,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ networkmanager_dbus_chat(ModemManager_t)
|
||||
+')
|
||||
+
|
||||
+permissive ModemManager_t;
|
||||
+optional_policy(`
|
||||
+ udev_read_db(ModemManager_t)
|
||||
+')
|
||||
+
|
||||
+permissive ModemManager_t;
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.26/policy/modules/services/mta.fc
|
||||
--- nsaserefpolicy/policy/modules/services/mta.fc 2009-07-29 15:15:33.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/services/mta.fc 2009-07-30 15:33:09.000000000 -0400
|
||||
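Review bot: `permissive ModemManager_t;` means none of the rules above it are enforced for this new domain, so the grants being added here (`udev_read_db`, and the already-present `term_use_unallocated_ttys`) are not yet validated by denials; a permissive domain that lands without a marker tends to stay permissive. I would add a comment above it, `# TODO: drop permissive once the domain has been exercised in enforcing mode`, so the intent is recorded. The statement appears twice in the rendering (once after the networkmanager optional_policy and once at the end); that is probably the old and new placement of one line, but if both survived only one is needed.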
@ -11536,7 +11577,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.26/policy/modules/services/networkmanager.te
|
||||
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/services/networkmanager.te 2009-07-30 15:33:09.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/services/networkmanager.te 2009-08-05 08:04:33.000000000 -0400
|
||||
@@ -19,6 +19,9 @@
|
||||
type NetworkManager_tmp_t;
|
||||
files_tmp_file(NetworkManager_tmp_t)
|
||||
@ -11564,20 +11605,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
|
||||
allow NetworkManager_t self:udp_socket create_socket_perms;
|
||||
allow NetworkManager_t self:packet_socket create_socket_perms;
|
||||
@@ -51,8 +55,10 @@
|
||||
@@ -51,8 +55,11 @@
|
||||
manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
|
||||
logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
|
||||
|
||||
-rw_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
|
||||
-files_search_tmp(NetworkManager_t)
|
||||
+manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
|
||||
+manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
|
||||
+files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, sock_file)
|
||||
+files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
|
||||
+
|
||||
+manage_files_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
|
||||
|
||||
manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
|
||||
manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
|
||||
@@ -63,6 +69,8 @@
|
||||
@@ -63,6 +70,8 @@
|
||||
kernel_read_network_state(NetworkManager_t)
|
||||
kernel_read_kernel_sysctls(NetworkManager_t)
|
||||
kernel_load_module(NetworkManager_t)
|
||||
@ -11586,7 +11628,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
corenet_all_recvfrom_unlabeled(NetworkManager_t)
|
||||
corenet_all_recvfrom_netlabel(NetworkManager_t)
|
||||
@@ -81,13 +89,18 @@
|
||||
@@ -81,13 +90,18 @@
|
||||
corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
|
||||
corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
|
||||
corenet_sendrecv_all_client_packets(NetworkManager_t)
|
||||
@ -11605,7 +11647,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
mls_file_read_all_levels(NetworkManager_t)
|
||||
|
||||
@@ -98,15 +111,20 @@
|
||||
@@ -98,15 +112,20 @@
|
||||
|
||||
domain_use_interactive_fds(NetworkManager_t)
|
||||
domain_read_confined_domains_state(NetworkManager_t)
|
||||
@ -11627,7 +11669,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
logging_send_syslog_msg(NetworkManager_t)
|
||||
|
||||
miscfiles_read_localization(NetworkManager_t)
|
||||
@@ -116,25 +134,40 @@
|
||||
@@ -116,25 +135,40 @@
|
||||
|
||||
seutil_read_config(NetworkManager_t)
|
||||
|
||||
@ -11675,7 +11717,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -146,8 +179,25 @@
|
||||
@@ -146,8 +180,25 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -11703,7 +11745,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -155,23 +205,51 @@
|
||||
@@ -155,23 +206,51 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -11757,7 +11799,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -179,12 +257,15 @@
|
||||
@@ -179,12 +258,15 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -12592,7 +12634,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.26/policy/modules/services/policykit.te
|
||||
--- nsaserefpolicy/policy/modules/services/policykit.te 2009-07-23 14:11:04.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/services/policykit.te 2009-08-03 06:50:17.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/services/policykit.te 2009-08-05 15:36:05.000000000 -0400
|
||||
@@ -38,9 +38,10 @@
|
||||
|
||||
allow policykit_t self:capability { setgid setuid };
|
||||
@ -12650,7 +12692,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
|
||||
|
||||
@@ -104,6 +119,7 @@
|
||||
@@ -96,6 +111,7 @@
|
||||
files_read_usr_files(policykit_auth_t)
|
||||
|
||||
auth_use_nsswitch(policykit_auth_t)
|
||||
+auth_domtrans_chk_passwd(policykit_auth_t)
|
||||
|
||||
logging_send_syslog_msg(policykit_auth_t)
|
||||
|
||||
@@ -104,6 +120,7 @@
|
||||
userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -12658,7 +12708,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dbus_session_bus_client(policykit_auth_t)
|
||||
|
||||
optional_policy(`
|
||||
@@ -116,6 +132,13 @@
|
||||
@@ -116,6 +133,13 @@
|
||||
hal_read_state(policykit_auth_t)
|
||||
')
|
||||
|
||||
@ -12672,7 +12722,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
########################################
|
||||
#
|
||||
# polkit_grant local policy
|
||||
@@ -123,7 +146,8 @@
|
||||
@@ -123,7 +147,8 @@
|
||||
|
||||
allow policykit_grant_t self:capability setuid;
|
||||
allow policykit_grant_t self:process getattr;
|
||||
@ -12682,7 +12732,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
|
||||
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
@@ -153,9 +177,12 @@
|
||||
@@ -153,9 +178,12 @@
|
||||
userdom_read_all_users_state(policykit_grant_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -12696,7 +12746,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
consolekit_dbus_chat(policykit_grant_t)
|
||||
')
|
||||
')
|
||||
@@ -167,7 +194,8 @@
|
||||
@@ -167,7 +195,8 @@
|
||||
|
||||
allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
|
||||
allow policykit_resolve_t self:process getattr;
|
||||
@ -14979,7 +15029,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.26/policy/modules/services/setroubleshoot.te
|
||||
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/services/setroubleshoot.te 2009-07-30 15:33:09.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/services/setroubleshoot.te 2009-08-05 08:03:58.000000000 -0400
|
||||
@@ -22,13 +22,19 @@
|
||||
type setroubleshoot_var_run_t;
|
||||
files_pid_file(setroubleshoot_var_run_t)
|
||||
@ -15013,7 +15063,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
corecmd_exec_bin(setroubleshootd_t)
|
||||
corecmd_exec_shell(setroubleshootd_t)
|
||||
@@ -68,16 +77,25 @@
|
||||
@@ -68,16 +77,26 @@
|
||||
|
||||
dev_read_urand(setroubleshootd_t)
|
||||
dev_read_sysfs(setroubleshootd_t)
|
||||
@ -15021,6 +15071,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+dev_getattr_all_chr_files(setroubleshootd_t)
|
||||
|
||||
domain_dontaudit_search_all_domains_state(setroubleshootd_t)
|
||||
+domain_signull_all_domains(setroubleshootd_t)
|
||||
|
||||
files_read_usr_files(setroubleshootd_t)
|
||||
files_read_etc_files(setroubleshootd_t)
|
||||
@ -15040,7 +15091,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
selinux_get_enforce_mode(setroubleshootd_t)
|
||||
selinux_validate_context(setroubleshootd_t)
|
||||
@@ -94,23 +112,54 @@
|
||||
@@ -94,23 +113,54 @@
|
||||
|
||||
locallogin_dontaudit_use_fds(setroubleshootd_t)
|
||||
|
||||
@ -16637,7 +16688,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.26/policy/modules/services/virt.te
|
||||
--- nsaserefpolicy/policy/modules/services/virt.te 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/services/virt.te 2009-08-04 05:06:14.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/services/virt.te 2009-08-05 15:13:13.000000000 -0400
|
||||
@@ -20,6 +20,28 @@
|
||||
## </desc>
|
||||
gen_tunable(virt_use_samba, false)
|
||||
@ -16855,7 +16906,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -195,8 +290,154 @@
|
||||
@@ -195,8 +290,155 @@
|
||||
|
||||
xen_stream_connect(virtd_t)
|
||||
xen_stream_connect_xenstore(virtd_t)
|
||||
@ -16885,6 +16936,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
+manage_dirs_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t)
|
||||
+manage_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t)
|
||||
+manage_sock_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t)
|
||||
+manage_lnk_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t)
|
||||
+files_pid_filetrans(svirt_t, svirt_var_run_t, { dir file })
|
||||
+stream_connect_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t, virtd_t)
|
||||
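Review bot: The commit title says svirt should be able to create a sock_file in svirt_var_run_t, but `files_pid_filetrans(svirt_t, svirt_var_run_t, { dir file })` still transitions only dirs and files, so a socket created directly under /var/run by svirt_t inherits the parent's type rather than svirt_var_run_t and the new `manage_sock_files_pattern` rule will not cover it. If the sockets live inside a directory that is already svirt_var_run_t, the existing rule is enough; otherwise the filetrans should be `files_pid_filetrans(svirt_t, svirt_var_run_t, { dir file sock_file })`. The svirt_t local policy continues outside this hunk.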
@ -17107,7 +17159,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.26/policy/modules/services/xserver.if
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.if 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/services/xserver.if 2009-08-03 06:49:41.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/services/xserver.if 2009-08-05 07:48:30.000000000 -0400
|
||||
@@ -90,7 +90,7 @@
|
||||
allow $2 xauth_home_t:file manage_file_perms;
|
||||
allow $2 xauth_home_t:file { relabelfrom relabelto };
|
||||
@ -17418,7 +17470,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
domtrans_pattern($1, xserver_exec_t, xserver_t)
|
||||
')
|
||||
|
||||
@@ -1159,6 +1281,276 @@
|
||||
@@ -1159,6 +1281,278 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -17541,7 +17593,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Dontaudit write to .xsession-errors file
|
||||
+## Dontaudit append to .xsession-errors file
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
@ -17549,7 +17601,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`xserver_dontaudit_rw_xdm_home_files',`
|
||||
+interface(`xserver_dontaudit_append_xdm_home_files',`
|
||||
+ gen_require(`
|
||||
+ type xdm_home_t;
|
||||
+ ')
|
||||
@ -17574,6 +17626,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ gen_require(`
|
||||
+ type xdm_t, xdm_tmp_t;
|
||||
+ type xdm_xproperty_t;
|
||||
+ type xdm_home_t;
|
||||
+ class x_client all_x_client_perms;
|
||||
+ class x_drawable all_x_drawable_perms;
|
||||
+ class x_property all_x_property_perms;
|
||||
@ -17589,11 +17642,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ xserver_xdm_stream_connect($1)
|
||||
+ xserver_setattr_xdm_tmp_dirs($1)
|
||||
+ xserver_read_xdm_pid($1)
|
||||
+ xserver_search_xdm_lib($1)
|
||||
+
|
||||
+ allow $1 xdm_t:x_client { getattr destroy };
|
||||
+ allow $1 xdm_t:x_drawable { read receive get_property getattr send list_child add_child };
|
||||
+ allow $1 xdm_xproperty_t:x_property { write read };
|
||||
+
|
||||
+ allow $1 xdm_home_t:file append_file_perms;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
@ -17695,7 +17749,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Interface to provide X object permissions on a given X server to
|
||||
## an X client domain. Gives the domain complete control over the
|
||||
## display.
|
||||
@@ -1172,7 +1564,103 @@
|
||||
@@ -1172,7 +1566,103 @@
|
||||
interface(`xserver_unconfined',`
|
||||
gen_require(`
|
||||
attribute xserver_unconfined_type;
|
||||
@ -19251,7 +19305,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.26/policy/modules/system/init.te
|
||||
--- nsaserefpolicy/policy/modules/system/init.te 2009-07-30 09:44:08.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/system/init.te 2009-07-30 15:33:09.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/system/init.te 2009-08-05 07:18:15.000000000 -0400
|
||||
@@ -17,6 +17,20 @@
|
||||
## </desc>
|
||||
gen_tunable(init_upstart, false)
|
||||
@ -19641,7 +19695,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
+
|
||||
+optional_policy(`
|
||||
+ xserver_rw_xdm_home_files(daemon)
|
||||
+ xserver_dontaudit_append_xdm_home_files(daemon)
|
||||
+ tunable_policy(`use_nfs_home_dirs',`
|
||||
+ fs_dontaudit_rw_nfs_files(daemon)
|
||||
+ ')
|
||||
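Review bot: If `xserver_rw_xdm_home_files(daemon)` is the line being replaced by `xserver_dontaudit_append_xdm_home_files(daemon)`, this is a good tightening; but if both lines survive in the new version, the allow on the `daemon` attribute gives every daemon read/write on user-owned xdm_home_t files and makes the dontaudit meaningless. The side of each line is not recoverable from this rendering, so please confirm only the dontaudit remains. A short comment such as `# .xsession-errors is opened by daemons started from the session; silence, do not allow` would document the intent for the next reader.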
@ -22990,7 +23044,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.26/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-07-28 13:28:33.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/system/userdomain.if 2009-07-30 15:33:09.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/system/userdomain.if 2009-08-05 07:54:48.000000000 -0400
|
||||
@@ -30,8 +30,9 @@
|
||||
')
|
||||
|
||||
@ -23900,7 +23954,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
logging_dontaudit_send_audit_msgs($1_t)
|
||||
|
||||
# Need to to this just so screensaver will work. Should be moved to screensaver domain
|
||||
@@ -891,28 +953,43 @@
@@ -891,28 +953,47 @@
selinux_get_enforce_mode($1_t)
optional_policy(`
@ -23916,6 +23970,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ devicekit_dbus_chat($1_usertype)
+ devicekit_dbus_chat_disk($1_usertype)
+ devicekit_dbus_chat_power($1_usertype)
+ ')
+
+ optional_policy(`
+ fprintd_dbus_chat($1_t)
')
optional_policy(`
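Review bot: The new `fprintd_dbus_chat($1_t)` block targets only the base user domain, while the devicekit D-Bus rules directly above it in the same template use `$1_usertype`; the two are inconsistent and the difference decides whether derived user types get fingerprint D-Bus access. If the derived types are meant to be covered, the line should read `fprintd_dbus_chat($1_usertype)`; if `$1_t` is deliberate, a short comment such as `# fprintd chat intentionally limited to $1_t` would prevent the next reader from "fixing" it. The same `fprintd_dbus_chat` addition appears in the sudo.if hunk of this commit, where `$1_sudo_t` is the natural target. The enclosing template continues outside this hunk.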
@ -23951,7 +24009,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
@@ -946,8 +1023,8 @@
@@ -946,8 +1027,8 @@
# Declarations
#
@ -23961,7 +24019,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_common_user_template($1)
##############################
@@ -956,11 +1033,12 @@
@@ -956,11 +1037,12 @@
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@ -23976,7 +24034,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# cjp: why?
files_read_kernel_symbol_table($1_t)
@@ -978,37 +1056,55 @@
@@ -978,37 +1060,55 @@
')
')
@ -24046,7 +24104,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
#######################################
@@ -1042,7 +1138,7 @@
@@ -1042,7 +1142,7 @@
#
template(`userdom_admin_user_template',`
gen_require(`
@ -24055,7 +24113,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
##############################
@@ -1051,8 +1147,7 @@
@@ -1051,8 +1151,7 @@
#
# Inherit rules for ordinary users.
@ -24065,7 +24123,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_obj_id_change_exemption($1_t)
role system_r types $1_t;
@@ -1075,7 +1170,8 @@
@@ -1075,7 +1174,8 @@
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@ -24075,7 +24133,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
@@ -1091,6 +1187,7 @@
@@ -1091,6 +1191,7 @@
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@ -24083,7 +24141,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
@@ -1098,8 +1195,6 @@
@@ -1098,8 +1199,6 @@
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
@ -24092,7 +24150,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
@@ -1154,20 +1249,6 @@
@@ -1154,20 +1253,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@ -24113,7 +24171,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
postgresql_unconfined($1_t)
')
@@ -1213,6 +1294,7 @@
@@ -1213,6 +1298,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@ -24121,7 +24179,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
@@ -1278,11 +1360,15 @@
@@ -1278,11 +1364,15 @@
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@ -24137,7 +24195,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -1374,12 +1460,13 @@
@@ -1374,12 +1464,13 @@
')
allow $1 user_home_dir_t:dir search_dir_perms;
@ -24152,7 +24210,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary>
## <param name="domain">
## <summary>
@@ -1412,6 +1499,14 @@
@@ -1412,6 +1503,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@ -24167,7 +24225,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -1427,9 +1522,11 @@
@@ -1427,9 +1526,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@ -24179,7 +24237,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -1486,6 +1583,25 @@
@@ -1486,6 +1587,25 @@
allow $1 user_home_dir_t:dir relabelto;
')
@ -24205,7 +24263,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
## <summary>
## Create directories in the home dir root with
@@ -1560,6 +1676,8 @@
@@ -1560,6 +1680,8 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@ -24214,7 +24272,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -1653,6 +1771,7 @@
@@ -1653,6 +1775,7 @@
type user_home_dir_t, user_home_t;
')
@ -24222,7 +24280,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
@@ -1780,19 +1899,32 @@
@@ -1780,19 +1903,32 @@
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@ -24262,7 +24320,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -1827,6 +1959,7 @@
@@ -1827,6 +1963,7 @@
interface(`userdom_manage_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@ -24270,7 +24328,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
manage_files_pattern($1, user_home_t, user_home_t)
@@ -2374,7 +2507,7 @@
@@ -2374,7 +2511,7 @@
########################################
## <summary>
@ -24279,7 +24337,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary>
## <param name="domain">
## <summary>
@@ -2728,11 +2861,32 @@
@@ -2728,11 +2865,32 @@
#
interface(`userdom_search_user_home_content',`
gen_require(`
@ -24314,7 +24372,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2860,7 +3014,25 @@
@@ -2860,7 +3018,25 @@
type user_tmp_t;
')
@ -24341,7 +24399,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2897,6 +3069,7 @@
@@ -2897,6 +3073,7 @@
')
read_files_pattern($1, userdomain, userdomain)
@ -24349,7 +24407,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_search_proc($1)
')
@@ -3027,3 +3200,501 @@
@@ -3027,3 +3204,501 @@
allow $1 userdomain:dbus send_msg;
')