- Update selinux policy to handle new /usr/share/sandbox/start script
This commit is contained in:
parent
b4f1891ade
commit
f3f61efb0b
274
policy-F15.patch
274
policy-F15.patch
@ -1990,9 +1990,18 @@ index 441cf22..e1b55f8 100644
|
|||||||
mta_manage_spool(useradd_t)
|
mta_manage_spool(useradd_t)
|
||||||
|
|
||||||
diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
|
diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
|
||||||
index ebf4b26..c7cb8c5 100644
|
index ebf4b26..f663276 100644
|
||||||
--- a/policy/modules/admin/vpn.te
|
--- a/policy/modules/admin/vpn.te
|
||||||
+++ b/policy/modules/admin/vpn.te
|
+++ b/policy/modules/admin/vpn.te
|
||||||
|
@@ -21,7 +21,7 @@ files_pid_file(vpnc_var_run_t)
|
||||||
|
# Local policy
|
||||||
|
#
|
||||||
|
|
||||||
|
-allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw };
|
||||||
|
+allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw setuid };
|
||||||
|
allow vpnc_t self:process { getsched signal };
|
||||||
|
allow vpnc_t self:fifo_file rw_fifo_file_perms;
|
||||||
|
allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
|
||||||
@@ -106,7 +106,8 @@ sysnet_etc_filetrans_config(vpnc_t)
|
@@ -106,7 +106,8 @@ sysnet_etc_filetrans_config(vpnc_t)
|
||||||
sysnet_manage_config(vpnc_t)
|
sysnet_manage_config(vpnc_t)
|
||||||
|
|
||||||
@ -2249,13 +2258,12 @@ index 0457de1..f702cfe 100644
|
|||||||
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
|
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
|
||||||
diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc
|
diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..4ef897d
|
index 0000000..09f0673
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/apps/execmem.fc
|
+++ b/policy/modules/apps/execmem.fc
|
||||||
@@ -0,0 +1,50 @@
|
@@ -0,0 +1,49 @@
|
||||||
+
|
+
|
||||||
+/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
+/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
||||||
+/usr/bin/compiz -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
|
||||||
+/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
+/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
||||||
+/usr/bin/dosbox -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
+/usr/bin/dosbox -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
||||||
+/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
+/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
||||||
@ -5040,10 +5048,10 @@ index 0000000..4f9cb05
|
|||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
|
diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..182e476
|
index 0000000..7b483f3
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/apps/nsplugin.te
|
+++ b/policy/modules/apps/nsplugin.te
|
||||||
@@ -0,0 +1,312 @@
|
@@ -0,0 +1,314 @@
|
||||||
+policy_module(nsplugin, 1.0.0)
|
+policy_module(nsplugin, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -5105,8 +5113,10 @@ index 0000000..182e476
|
|||||||
+allow nsplugin_t self:sem create_sem_perms;
|
+allow nsplugin_t self:sem create_sem_perms;
|
||||||
+allow nsplugin_t self:shm create_shm_perms;
|
+allow nsplugin_t self:shm create_shm_perms;
|
||||||
+allow nsplugin_t self:msgq create_msgq_perms;
|
+allow nsplugin_t self:msgq create_msgq_perms;
|
||||||
|
+allow nsplugin_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||||
+allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
+allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||||
+allow nsplugin_t self:unix_dgram_socket { sendto create_socket_perms };
|
+allow nsplugin_t self:unix_dgram_socket { sendto create_socket_perms };
|
||||||
|
+allow nsplugin_t self:tcp_socket create_stream_socket_perms;
|
||||||
+allow nsplugin_t nsplugin_rw_t:dir list_dir_perms;
|
+allow nsplugin_t nsplugin_rw_t:dir list_dir_perms;
|
||||||
+read_lnk_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
|
+read_lnk_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
|
||||||
+read_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
|
+read_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
|
||||||
@ -5158,7 +5168,7 @@ index 0000000..182e476
|
|||||||
+dev_write_video_dev(nsplugin_t)
|
+dev_write_video_dev(nsplugin_t)
|
||||||
+dev_getattr_dri_dev(nsplugin_t)
|
+dev_getattr_dri_dev(nsplugin_t)
|
||||||
+dev_rwx_zero(nsplugin_t)
|
+dev_rwx_zero(nsplugin_t)
|
||||||
+dev_search_sysfs(nsplugin_t)
|
+dev_read_sysfs(nsplugin_t)
|
||||||
+
|
+
|
||||||
+kernel_read_kernel_sysctls(nsplugin_t)
|
+kernel_read_kernel_sysctls(nsplugin_t)
|
||||||
+kernel_read_system_state(nsplugin_t)
|
+kernel_read_system_state(nsplugin_t)
|
||||||
@ -5934,17 +5944,18 @@ index 9ec1478..26bb71c 100644
|
|||||||
')
|
')
|
||||||
diff --git a/policy/modules/apps/sandbox.fc b/policy/modules/apps/sandbox.fc
|
diff --git a/policy/modules/apps/sandbox.fc b/policy/modules/apps/sandbox.fc
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..15778fd
|
index 0000000..6caef63
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/apps/sandbox.fc
|
+++ b/policy/modules/apps/sandbox.fc
|
||||||
@@ -0,0 +1 @@
|
@@ -0,0 +1,2 @@
|
||||||
+# No types are sandbox_exec_t
|
+
|
||||||
|
+/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0)
|
||||||
diff --git a/policy/modules/apps/sandbox.if b/policy/modules/apps/sandbox.if
|
diff --git a/policy/modules/apps/sandbox.if b/policy/modules/apps/sandbox.if
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..0c411b4
|
index 0000000..5f09eb9
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/apps/sandbox.if
|
+++ b/policy/modules/apps/sandbox.if
|
||||||
@@ -0,0 +1,334 @@
|
@@ -0,0 +1,335 @@
|
||||||
+
|
+
|
||||||
+## <summary>policy for sandbox</summary>
|
+## <summary>policy for sandbox</summary>
|
||||||
+
|
+
|
||||||
@ -6065,6 +6076,7 @@ index 0000000..0c411b4
|
|||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ type xserver_exec_t, sandbox_devpts_t;
|
+ type xserver_exec_t, sandbox_devpts_t;
|
||||||
+ type sandbox_xserver_t;
|
+ type sandbox_xserver_t;
|
||||||
|
+ type sandbox_exec_t;
|
||||||
+ attribute sandbox_domain, sandbox_x_domain;
|
+ attribute sandbox_domain, sandbox_x_domain;
|
||||||
+ attribute sandbox_file_type, sandbox_tmpfs_type;
|
+ attribute sandbox_file_type, sandbox_tmpfs_type;
|
||||||
+ attribute sandbox_type;
|
+ attribute sandbox_type;
|
||||||
@ -6107,8 +6119,8 @@ index 0000000..0c411b4
|
|||||||
+ domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t)
|
+ domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t)
|
||||||
+ allow $1_t sandbox_xserver_t:process signal_perms;
|
+ allow $1_t sandbox_xserver_t:process signal_perms;
|
||||||
+
|
+
|
||||||
+ domtrans_pattern($1_t, $1_file_t, $1_client_t)
|
+ domtrans_pattern($1_t, sandbox_exec_t, $1_client_t)
|
||||||
+ domain_entry_file($1_client_t, $1_file_t)
|
+ domain_entry_file($1_client_t, sandbox_exec_t)
|
||||||
+
|
+
|
||||||
+ # Random tmpfs_t that gets created when you run X.
|
+ # Random tmpfs_t that gets created when you run X.
|
||||||
+ fs_rw_tmpfs_files($1_t)
|
+ fs_rw_tmpfs_files($1_t)
|
||||||
@ -6281,10 +6293,10 @@ index 0000000..0c411b4
|
|||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
|
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..6b46acd
|
index 0000000..5259647
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/apps/sandbox.te
|
+++ b/policy/modules/apps/sandbox.te
|
||||||
@@ -0,0 +1,448 @@
|
@@ -0,0 +1,451 @@
|
||||||
+policy_module(sandbox,1.0.0)
|
+policy_module(sandbox,1.0.0)
|
||||||
+dbus_stub()
|
+dbus_stub()
|
||||||
+attribute sandbox_domain;
|
+attribute sandbox_domain;
|
||||||
@ -6294,6 +6306,9 @@ index 0000000..6b46acd
|
|||||||
+attribute sandbox_tmpfs_type;
|
+attribute sandbox_tmpfs_type;
|
||||||
+attribute sandbox_type;
|
+attribute sandbox_type;
|
||||||
+
|
+
|
||||||
|
+type sandbox_exec_t;
|
||||||
|
+files_type(sandbox_exec_t)
|
||||||
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+#
|
+#
|
||||||
+# Declarations
|
+# Declarations
|
||||||
@ -10919,7 +10934,7 @@ index 3994e57..43aa641 100644
|
|||||||
+
|
+
|
||||||
+/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
|
+/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
|
||||||
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
|
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
|
||||||
index 492bf76..525563a 100644
|
index 492bf76..00b786e 100644
|
||||||
--- a/policy/modules/kernel/terminal.if
|
--- a/policy/modules/kernel/terminal.if
|
||||||
+++ b/policy/modules/kernel/terminal.if
|
+++ b/policy/modules/kernel/terminal.if
|
||||||
@@ -267,7 +267,6 @@ interface(`term_dontaudit_read_console',`
|
@@ -267,7 +267,6 @@ interface(`term_dontaudit_read_console',`
|
||||||
@ -10952,7 +10967,33 @@ index 492bf76..525563a 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -848,7 +849,7 @@ interface(`term_dontaudit_use_all_ptys',`
|
@@ -651,6 +652,25 @@ interface(`term_use_controlling_term',`
|
||||||
|
allow $1 devtty_t:chr_file { rw_term_perms lock append };
|
||||||
|
')
|
||||||
|
|
||||||
|
+#######################################
|
||||||
|
+## <summary>
|
||||||
|
+## Allow attempts to get attributes
|
||||||
|
+## on the pty multiplexor (/dev/ptmx).
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain to not audit.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`term_getattr_ptmx',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type ptmx_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 ptmx_t:chr_file getattr;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to get attributes
|
||||||
|
@@ -848,7 +868,7 @@ interface(`term_dontaudit_use_all_ptys',`
|
||||||
attribute ptynode;
|
attribute ptynode;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -10961,7 +11002,7 @@ index 492bf76..525563a 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1116,7 +1117,7 @@ interface(`term_relabel_unallocated_ttys',`
|
@@ -1116,7 +1136,7 @@ interface(`term_relabel_unallocated_ttys',`
|
||||||
')
|
')
|
||||||
|
|
||||||
dev_list_all_dev_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
@ -10970,7 +11011,7 @@ index 492bf76..525563a 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1215,7 +1216,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
|
@@ -1215,7 +1235,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
|
||||||
type tty_device_t;
|
type tty_device_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -10979,7 +11020,7 @@ index 492bf76..525563a 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1231,11 +1232,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
|
@@ -1231,11 +1251,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
|
||||||
#
|
#
|
||||||
interface(`term_getattr_all_ttys',`
|
interface(`term_getattr_all_ttys',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -10993,7 +11034,7 @@ index 492bf76..525563a 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1252,10 +1255,12 @@ interface(`term_getattr_all_ttys',`
|
@@ -1252,10 +1274,12 @@ interface(`term_getattr_all_ttys',`
|
||||||
interface(`term_dontaudit_getattr_all_ttys',`
|
interface(`term_dontaudit_getattr_all_ttys',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute ttynode;
|
attribute ttynode;
|
||||||
@ -11006,7 +11047,7 @@ index 492bf76..525563a 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1294,7 +1299,7 @@ interface(`term_relabel_all_ttys',`
|
@@ -1294,7 +1318,7 @@ interface(`term_relabel_all_ttys',`
|
||||||
')
|
')
|
||||||
|
|
||||||
dev_list_all_dev_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
@ -11015,7 +11056,7 @@ index 492bf76..525563a 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1352,7 +1357,7 @@ interface(`term_dontaudit_use_all_ttys',`
|
@@ -1352,7 +1376,7 @@ interface(`term_dontaudit_use_all_ttys',`
|
||||||
attribute ttynode;
|
attribute ttynode;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -11024,7 +11065,7 @@ index 492bf76..525563a 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1468,3 +1473,22 @@ interface(`term_dontaudit_use_all_user_ttys',`
|
@@ -1468,3 +1492,22 @@ interface(`term_dontaudit_use_all_user_ttys',`
|
||||||
refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
|
refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
|
||||||
term_dontaudit_use_all_ttys($1)
|
term_dontaudit_use_all_ttys($1)
|
||||||
')
|
')
|
||||||
@ -11336,7 +11377,7 @@ index 2be17d2..96d3fbf 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
|
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
|
||||||
index 1ae9a94..27404e7 100644
|
index 4a8d146..a0a91fe 100644
|
||||||
--- a/policy/modules/roles/sysadm.te
|
--- a/policy/modules/roles/sysadm.te
|
||||||
+++ b/policy/modules/roles/sysadm.te
|
+++ b/policy/modules/roles/sysadm.te
|
||||||
@@ -24,20 +24,41 @@ ifndef(`enable_mls',`
|
@@ -24,20 +24,41 @@ ifndef(`enable_mls',`
|
||||||
@ -11508,7 +11549,7 @@ index 1ae9a94..27404e7 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
rsync_exec(sysadm_t)
|
rsync_exec(sysadm_t)
|
||||||
@@ -303,7 +326,7 @@ optional_policy(`
|
@@ -307,7 +330,7 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -11517,7 +11558,7 @@ index 1ae9a94..27404e7 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -328,10 +351,6 @@ optional_policy(`
|
@@ -332,10 +355,6 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -11528,7 +11569,7 @@ index 1ae9a94..27404e7 100644
|
|||||||
tripwire_run_siggen(sysadm_t, sysadm_r)
|
tripwire_run_siggen(sysadm_t, sysadm_r)
|
||||||
tripwire_run_tripwire(sysadm_t, sysadm_r)
|
tripwire_run_tripwire(sysadm_t, sysadm_r)
|
||||||
tripwire_run_twadmin(sysadm_t, sysadm_r)
|
tripwire_run_twadmin(sysadm_t, sysadm_r)
|
||||||
@@ -339,18 +358,10 @@ optional_policy(`
|
@@ -343,18 +362,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -11547,7 +11588,7 @@ index 1ae9a94..27404e7 100644
|
|||||||
unconfined_domtrans(sysadm_t)
|
unconfined_domtrans(sysadm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -363,17 +374,14 @@ optional_policy(`
|
@@ -367,17 +378,14 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -11567,7 +11608,7 @@ index 1ae9a94..27404e7 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -385,7 +393,7 @@ optional_policy(`
|
@@ -389,7 +397,7 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -11576,7 +11617,7 @@ index 1ae9a94..27404e7 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -400,8 +408,15 @@ optional_policy(`
|
@@ -404,8 +412,15 @@ optional_policy(`
|
||||||
yam_run(sysadm_t, sysadm_r)
|
yam_run(sysadm_t, sysadm_r)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -11592,7 +11633,7 @@ index 1ae9a94..27404e7 100644
|
|||||||
auth_role(sysadm_r, sysadm_t)
|
auth_role(sysadm_r, sysadm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -448,5 +463,60 @@ ifndef(`distro_redhat',`
|
@@ -452,5 +467,60 @@ ifndef(`distro_redhat',`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
java_role(sysadm_r, sysadm_t)
|
java_role(sysadm_r, sysadm_t)
|
||||||
')
|
')
|
||||||
@ -16148,10 +16189,10 @@ index 0000000..fa9b95a
|
|||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
|
diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..3b58d07
|
index 0000000..6d8fdeb
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/services/boinc.te
|
+++ b/policy/modules/services/boinc.te
|
||||||
@@ -0,0 +1,169 @@
|
@@ -0,0 +1,173 @@
|
||||||
+policy_module(boinc, 1.0.0)
|
+policy_module(boinc, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -16216,6 +16257,7 @@ index 0000000..3b58d07
|
|||||||
+manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
|
+manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
|
||||||
+manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
|
+manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
|
||||||
+
|
+
|
||||||
|
+# needs read /proc/interrupts
|
||||||
+kernel_read_system_state(boinc_t)
|
+kernel_read_system_state(boinc_t)
|
||||||
+
|
+
|
||||||
+files_getattr_all_dirs(boinc_t)
|
+files_getattr_all_dirs(boinc_t)
|
||||||
@ -16253,7 +16295,10 @@ index 0000000..3b58d07
|
|||||||
+
|
+
|
||||||
+fs_getattr_all_fs(boinc_t)
|
+fs_getattr_all_fs(boinc_t)
|
||||||
+
|
+
|
||||||
+term_dontaudit_getattr_ptmx(boinc_t)
|
+term_getattr_all_ptys(boinc_t)
|
||||||
|
+term_getattr_unallocated_ttys(boinc_t)
|
||||||
|
+
|
||||||
|
+init_read_utmp(boinc_t)
|
||||||
+
|
+
|
||||||
+miscfiles_read_localization(boinc_t)
|
+miscfiles_read_localization(boinc_t)
|
||||||
+miscfiles_read_generic_certs(boinc_t)
|
+miscfiles_read_generic_certs(boinc_t)
|
||||||
@ -25485,10 +25530,10 @@ index 0000000..311aaed
|
|||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te
|
diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..ba77ba5
|
index 0000000..f2e8836
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/services/mpd.te
|
+++ b/policy/modules/services/mpd.te
|
||||||
@@ -0,0 +1,125 @@
|
@@ -0,0 +1,126 @@
|
||||||
+policy_module(mpd, 1.0.0)
|
+policy_module(mpd, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -25570,6 +25615,7 @@ index 0000000..ba77ba5
|
|||||||
+corenet_tcp_bind_mpd_port(mpd_t)
|
+corenet_tcp_bind_mpd_port(mpd_t)
|
||||||
+corenet_tcp_bind_soundd_port(mpd_t)
|
+corenet_tcp_bind_soundd_port(mpd_t)
|
||||||
+
|
+
|
||||||
|
+dev_read_sound(mpd_t)
|
||||||
+dev_read_sysfs(mpd_t)
|
+dev_read_sysfs(mpd_t)
|
||||||
+
|
+
|
||||||
+files_read_usr_files(mpd_t)
|
+files_read_usr_files(mpd_t)
|
||||||
@ -26116,10 +26162,18 @@ index 64268e4..ce7924b 100644
|
|||||||
+ exim_manage_log(user_mail_domain)
|
+ exim_manage_log(user_mail_domain)
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/services/munin.fc b/policy/modules/services/munin.fc
|
diff --git a/policy/modules/services/munin.fc b/policy/modules/services/munin.fc
|
||||||
index fd71d69..bad9920 100644
|
index fd71d69..2e9f2a3 100644
|
||||||
--- a/policy/modules/services/munin.fc
|
--- a/policy/modules/services/munin.fc
|
||||||
+++ b/policy/modules/services/munin.fc
|
+++ b/policy/modules/services/munin.fc
|
||||||
@@ -63,6 +63,7 @@
|
@@ -51,6 +51,7 @@
|
||||||
|
/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
||||||
|
/usr/share/munin/plugins/load -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
||||||
|
/usr/share/munin/plugins/memory -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
||||||
|
+/usr/share/munin/plugins/munin_* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
||||||
|
/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
||||||
|
/usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
||||||
|
/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
||||||
|
@@ -63,6 +64,7 @@
|
||||||
/usr/share/munin/plugins/yum -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
/usr/share/munin/plugins/yum -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
||||||
|
|
||||||
/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
|
/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
|
||||||
@ -26216,7 +26270,7 @@ index c358d8f..fec6a97 100644
|
|||||||
|
|
||||||
allow $1 munin_t:process { ptrace signal_perms };
|
allow $1 munin_t:process { ptrace signal_perms };
|
||||||
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
|
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
|
||||||
index f17583b..bdeea89 100644
|
index f17583b..8f01394 100644
|
||||||
--- a/policy/modules/services/munin.te
|
--- a/policy/modules/services/munin.te
|
||||||
+++ b/policy/modules/services/munin.te
|
+++ b/policy/modules/services/munin.te
|
||||||
@@ -5,6 +5,8 @@ policy_module(munin, 1.8.0)
|
@@ -5,6 +5,8 @@ policy_module(munin, 1.8.0)
|
||||||
@ -26333,7 +26387,15 @@ index f17583b..bdeea89 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -255,10 +263,6 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
|
@@ -245,6 +253,7 @@ optional_policy(`
|
||||||
|
# local policy for service plugins
|
||||||
|
#
|
||||||
|
|
||||||
|
+allow services_munin_plugin_t self:sem create_sem_perms;
|
||||||
|
allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
|
||||||
|
allow services_munin_plugin_t self:udp_socket create_socket_perms;
|
||||||
|
allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
|
||||||
|
@@ -255,13 +264,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
|
||||||
dev_read_urand(services_munin_plugin_t)
|
dev_read_urand(services_munin_plugin_t)
|
||||||
dev_read_rand(services_munin_plugin_t)
|
dev_read_rand(services_munin_plugin_t)
|
||||||
|
|
||||||
@ -26344,7 +26406,11 @@ index f17583b..bdeea89 100644
|
|||||||
sysnet_read_config(services_munin_plugin_t)
|
sysnet_read_config(services_munin_plugin_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -286,6 +290,10 @@ optional_policy(`
|
+ cups_read_config(services_munin_plugin_t)
|
||||||
|
cups_stream_connect(services_munin_plugin_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
@@ -286,6 +292,10 @@ optional_policy(`
|
||||||
snmp_read_snmp_var_lib_files(services_munin_plugin_t)
|
snmp_read_snmp_var_lib_files(services_munin_plugin_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -26355,7 +26421,13 @@ index f17583b..bdeea89 100644
|
|||||||
##################################
|
##################################
|
||||||
#
|
#
|
||||||
# local policy for system plugins
|
# local policy for system plugins
|
||||||
@@ -298,10 +306,6 @@ rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
|
@@ -295,13 +305,12 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
|
||||||
|
|
||||||
|
rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
|
||||||
|
|
||||||
|
+# needed by munin_* plugins
|
||||||
|
+allow system_munin_plugin_t munin_log_t:file r_file_perms;
|
||||||
|
+
|
||||||
kernel_read_network_state(system_munin_plugin_t)
|
kernel_read_network_state(system_munin_plugin_t)
|
||||||
kernel_read_all_sysctls(system_munin_plugin_t)
|
kernel_read_all_sysctls(system_munin_plugin_t)
|
||||||
|
|
||||||
@ -26366,10 +26438,11 @@ index f17583b..bdeea89 100644
|
|||||||
dev_read_sysfs(system_munin_plugin_t)
|
dev_read_sysfs(system_munin_plugin_t)
|
||||||
dev_read_urand(system_munin_plugin_t)
|
dev_read_urand(system_munin_plugin_t)
|
||||||
|
|
||||||
@@ -313,3 +317,30 @@ init_read_utmp(system_munin_plugin_t)
|
@@ -313,3 +322,31 @@ init_read_utmp(system_munin_plugin_t)
|
||||||
sysnet_exec_ifconfig(system_munin_plugin_t)
|
sysnet_exec_ifconfig(system_munin_plugin_t)
|
||||||
|
|
||||||
term_getattr_unallocated_ttys(system_munin_plugin_t)
|
term_getattr_unallocated_ttys(system_munin_plugin_t)
|
||||||
|
+term_getattr_all_ttys(system_munin_plugin_t)
|
||||||
+term_getattr_all_ptys(system_munin_plugin_t)
|
+term_getattr_all_ptys(system_munin_plugin_t)
|
||||||
+
|
+
|
||||||
+################################
|
+################################
|
||||||
@ -26616,10 +26689,18 @@ index 8581040..cfcdf10 100644
|
|||||||
|
|
||||||
allow $1 nagios_t:process { ptrace signal_perms };
|
allow $1 nagios_t:process { ptrace signal_perms };
|
||||||
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
|
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
|
||||||
index bf64a4c..55b3ce7 100644
|
index bf64a4c..86c9cba 100644
|
||||||
--- a/policy/modules/services/nagios.te
|
--- a/policy/modules/services/nagios.te
|
||||||
+++ b/policy/modules/services/nagios.te
|
+++ b/policy/modules/services/nagios.te
|
||||||
@@ -107,13 +107,11 @@ files_read_etc_files(nagios_t)
|
@@ -79,6 +79,7 @@ files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)
|
||||||
|
|
||||||
|
kernel_read_system_state(nagios_t)
|
||||||
|
kernel_read_kernel_sysctls(nagios_t)
|
||||||
|
+kernel_read_software_raid_state(nagios_t)
|
||||||
|
|
||||||
|
corecmd_exec_bin(nagios_t)
|
||||||
|
corecmd_exec_shell(nagios_t)
|
||||||
|
@@ -107,13 +108,11 @@ files_read_etc_files(nagios_t)
|
||||||
files_read_etc_runtime_files(nagios_t)
|
files_read_etc_runtime_files(nagios_t)
|
||||||
files_read_kernel_symbol_table(nagios_t)
|
files_read_kernel_symbol_table(nagios_t)
|
||||||
files_search_spool(nagios_t)
|
files_search_spool(nagios_t)
|
||||||
@ -26634,7 +26715,7 @@ index bf64a4c..55b3ce7 100644
|
|||||||
auth_use_nsswitch(nagios_t)
|
auth_use_nsswitch(nagios_t)
|
||||||
|
|
||||||
logging_send_syslog_msg(nagios_t)
|
logging_send_syslog_msg(nagios_t)
|
||||||
@@ -124,10 +122,10 @@ userdom_dontaudit_use_unpriv_user_fds(nagios_t)
|
@@ -124,10 +123,10 @@ userdom_dontaudit_use_unpriv_user_fds(nagios_t)
|
||||||
userdom_dontaudit_search_user_home_dirs(nagios_t)
|
userdom_dontaudit_search_user_home_dirs(nagios_t)
|
||||||
|
|
||||||
mta_send_mail(nagios_t)
|
mta_send_mail(nagios_t)
|
||||||
@ -26647,7 +26728,7 @@ index bf64a4c..55b3ce7 100644
|
|||||||
netutils_kill_ping(nagios_t)
|
netutils_kill_ping(nagios_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -143,6 +141,7 @@ optional_policy(`
|
@@ -143,6 +142,7 @@ optional_policy(`
|
||||||
#
|
#
|
||||||
# Nagios CGI local policy
|
# Nagios CGI local policy
|
||||||
#
|
#
|
||||||
@ -26655,7 +26736,7 @@ index bf64a4c..55b3ce7 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
apache_content_template(nagios)
|
apache_content_template(nagios)
|
||||||
typealias httpd_nagios_script_t alias nagios_cgi_t;
|
typealias httpd_nagios_script_t alias nagios_cgi_t;
|
||||||
@@ -180,11 +179,13 @@ optional_policy(`
|
@@ -180,11 +180,13 @@ optional_policy(`
|
||||||
#
|
#
|
||||||
|
|
||||||
allow nrpe_t self:capability { setuid setgid };
|
allow nrpe_t self:capability { setuid setgid };
|
||||||
@ -26670,7 +26751,7 @@ index bf64a4c..55b3ce7 100644
|
|||||||
domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
|
domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
|
||||||
|
|
||||||
read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t)
|
read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t)
|
||||||
@@ -201,7 +202,8 @@ corecmd_exec_shell(nrpe_t)
|
@@ -201,7 +203,8 @@ corecmd_exec_shell(nrpe_t)
|
||||||
|
|
||||||
corenet_tcp_bind_generic_node(nrpe_t)
|
corenet_tcp_bind_generic_node(nrpe_t)
|
||||||
corenet_tcp_bind_inetd_child_port(nrpe_t)
|
corenet_tcp_bind_inetd_child_port(nrpe_t)
|
||||||
@ -26680,7 +26761,7 @@ index bf64a4c..55b3ce7 100644
|
|||||||
|
|
||||||
dev_read_sysfs(nrpe_t)
|
dev_read_sysfs(nrpe_t)
|
||||||
dev_read_urand(nrpe_t)
|
dev_read_urand(nrpe_t)
|
||||||
@@ -270,7 +272,6 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
|
@@ -270,7 +273,6 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
|
||||||
#
|
#
|
||||||
|
|
||||||
allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
|
allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
|
||||||
@ -26688,7 +26769,7 @@ index bf64a4c..55b3ce7 100644
|
|||||||
allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms;
|
allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms;
|
||||||
allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms;
|
allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow nagios_mail_plugin_t self:udp_socket create_socket_perms;
|
allow nagios_mail_plugin_t self:udp_socket create_socket_perms;
|
||||||
@@ -299,7 +300,7 @@ optional_policy(`
|
@@ -299,7 +301,7 @@ optional_policy(`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
postfix_stream_connect_master(nagios_mail_plugin_t)
|
postfix_stream_connect_master(nagios_mail_plugin_t)
|
||||||
@ -26697,7 +26778,7 @@ index bf64a4c..55b3ce7 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
######################################
|
######################################
|
||||||
@@ -310,6 +311,9 @@ optional_policy(`
|
@@ -310,6 +312,9 @@ optional_policy(`
|
||||||
# needed by ioctl()
|
# needed by ioctl()
|
||||||
allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
|
allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
|
||||||
|
|
||||||
@ -26707,7 +26788,7 @@ index bf64a4c..55b3ce7 100644
|
|||||||
files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
|
files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
|
||||||
|
|
||||||
fs_getattr_all_fs(nagios_checkdisk_plugin_t)
|
fs_getattr_all_fs(nagios_checkdisk_plugin_t)
|
||||||
@@ -323,7 +327,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
|
@@ -323,7 +328,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
|
||||||
|
|
||||||
allow nagios_services_plugin_t self:capability { net_bind_service net_raw };
|
allow nagios_services_plugin_t self:capability { net_bind_service net_raw };
|
||||||
allow nagios_services_plugin_t self:process { signal sigkill };
|
allow nagios_services_plugin_t self:process { signal sigkill };
|
||||||
@ -26715,7 +26796,7 @@ index bf64a4c..55b3ce7 100644
|
|||||||
allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
|
allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow nagios_services_plugin_t self:udp_socket create_socket_perms;
|
allow nagios_services_plugin_t self:udp_socket create_socket_perms;
|
||||||
|
|
||||||
@@ -340,6 +343,8 @@ files_read_usr_files(nagios_services_plugin_t)
|
@@ -340,6 +344,8 @@ files_read_usr_files(nagios_services_plugin_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
netutils_domtrans_ping(nagios_services_plugin_t)
|
netutils_domtrans_ping(nagios_services_plugin_t)
|
||||||
@ -28796,14 +28877,16 @@ index 9759ed8..07dd3ff 100644
|
|||||||
admin_pattern($1, plymouthd_var_run_t)
|
admin_pattern($1, plymouthd_var_run_t)
|
||||||
')
|
')
|
||||||
diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te
|
diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te
|
||||||
index fb8dc84..cf0e3d1 100644
|
index fb8dc84..56cc327 100644
|
||||||
--- a/policy/modules/services/plymouthd.te
|
--- a/policy/modules/services/plymouthd.te
|
||||||
+++ b/policy/modules/services/plymouthd.te
|
+++ b/policy/modules/services/plymouthd.te
|
||||||
@@ -60,10 +60,18 @@ domain_use_interactive_fds(plymouthd_t)
|
@@ -60,10 +60,20 @@ domain_use_interactive_fds(plymouthd_t)
|
||||||
files_read_etc_files(plymouthd_t)
|
files_read_etc_files(plymouthd_t)
|
||||||
files_read_usr_files(plymouthd_t)
|
files_read_usr_files(plymouthd_t)
|
||||||
|
|
||||||
+term_use_unallocated_ttys(plymouthd_t)
|
+term_use_unallocated_ttys(plymouthd_t)
|
||||||
|
+
|
||||||
|
+logging_delete_generic_logs(plymouthd_t)
|
||||||
+
|
+
|
||||||
miscfiles_read_localization(plymouthd_t)
|
miscfiles_read_localization(plymouthd_t)
|
||||||
miscfiles_read_fonts(plymouthd_t)
|
miscfiles_read_fonts(plymouthd_t)
|
||||||
@ -28818,7 +28901,7 @@ index fb8dc84..cf0e3d1 100644
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Plymouth private policy
|
# Plymouth private policy
|
||||||
@@ -74,6 +82,7 @@ allow plymouth_t self:fifo_file rw_file_perms;
|
@@ -74,6 +84,7 @@ allow plymouth_t self:fifo_file rw_file_perms;
|
||||||
allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
|
allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
|
||||||
kernel_read_system_state(plymouth_t)
|
kernel_read_system_state(plymouth_t)
|
||||||
@ -28826,15 +28909,7 @@ index fb8dc84..cf0e3d1 100644
|
|||||||
|
|
||||||
domain_use_interactive_fds(plymouth_t)
|
domain_use_interactive_fds(plymouth_t)
|
||||||
|
|
||||||
@@ -81,13 +90,15 @@ files_read_etc_files(plymouth_t)
|
@@ -87,7 +98,7 @@ sysnet_read_config(plymouth_t)
|
||||||
|
|
||||||
term_use_ptmx(plymouth_t)
|
|
||||||
|
|
||||||
+logging_delete_generic_logs(plymouth_t)
|
|
||||||
+
|
|
||||||
miscfiles_read_localization(plymouth_t)
|
|
||||||
|
|
||||||
sysnet_read_config(plymouth_t)
|
|
||||||
|
|
||||||
plymouthd_stream_connect(plymouth_t)
|
plymouthd_stream_connect(plymouth_t)
|
||||||
|
|
||||||
@ -41371,7 +41446,7 @@ index a97a096..ab1e16a 100644
|
|||||||
/usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
/usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||||
/usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
/usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||||
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
|
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
|
||||||
index a442acc..949f5ff 100644
|
index a442acc..133f7f8 100644
|
||||||
--- a/policy/modules/system/fstools.te
|
--- a/policy/modules/system/fstools.te
|
||||||
+++ b/policy/modules/system/fstools.te
|
+++ b/policy/modules/system/fstools.te
|
||||||
@@ -55,6 +55,7 @@ allow fsadm_t swapfile_t:file { rw_file_perms swapon };
|
@@ -55,6 +55,7 @@ allow fsadm_t swapfile_t:file { rw_file_perms swapon };
|
||||||
@ -41438,10 +41513,14 @@ index a442acc..949f5ff 100644
|
|||||||
nis_use_ypbind(fsadm_t)
|
nis_use_ypbind(fsadm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -175,6 +193,10 @@ optional_policy(`
|
@@ -175,6 +193,14 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
+ udev_read_db(fsadm_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
+ virt_read_blk_images(fsadm_t)
|
+ virt_read_blk_images(fsadm_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
@ -45546,7 +45625,7 @@ index 170e2c7..bbaa8cf 100644
|
|||||||
+')
|
+')
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
|
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
|
||||||
index ff5d72d..9cd171a 100644
|
index ff5d72d..f5fdb63 100644
|
||||||
--- a/policy/modules/system/selinuxutil.te
|
--- a/policy/modules/system/selinuxutil.te
|
||||||
+++ b/policy/modules/system/selinuxutil.te
|
+++ b/policy/modules/system/selinuxutil.te
|
||||||
@@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
|
@@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
|
||||||
@ -45626,6 +45705,15 @@ index ff5d72d..9cd171a 100644
|
|||||||
|
|
||||||
miscfiles_read_localization(load_policy_t)
|
miscfiles_read_localization(load_policy_t)
|
||||||
|
|
||||||
|
@@ -204,7 +218,7 @@ ifdef(`hide_broken_symptoms',`
|
||||||
|
# Newrole local policy
|
||||||
|
#
|
||||||
|
|
||||||
|
-allow newrole_t self:capability { fowner setuid setgid dac_override };
|
||||||
|
+allow newrole_t self:capability { fowner setpcap setuid setgid dac_override };
|
||||||
|
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
|
||||||
|
allow newrole_t self:process setexec;
|
||||||
|
allow newrole_t self:fd use;
|
||||||
@@ -216,7 +230,7 @@ allow newrole_t self:msgq create_msgq_perms;
|
@@ -216,7 +230,7 @@ allow newrole_t self:msgq create_msgq_perms;
|
||||||
allow newrole_t self:msg { send receive };
|
allow newrole_t self:msg { send receive };
|
||||||
allow newrole_t self:unix_dgram_socket sendto;
|
allow newrole_t self:unix_dgram_socket sendto;
|
||||||
@ -47610,7 +47698,7 @@ index db75976..392d1ee 100644
|
|||||||
+HOME_DIR/\.gvfs(/.*)? <<none>>
|
+HOME_DIR/\.gvfs(/.*)? <<none>>
|
||||||
+HOME_DIR/\.debug(/.*)? <<none>>
|
+HOME_DIR/\.debug(/.*)? <<none>>
|
||||||
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
|
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
|
||||||
index 35f1476..1571559 100644
|
index 28b88de..10340bc 100644
|
||||||
--- a/policy/modules/system/userdomain.if
|
--- a/policy/modules/system/userdomain.if
|
||||||
+++ b/policy/modules/system/userdomain.if
|
+++ b/policy/modules/system/userdomain.if
|
||||||
@@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
|
@@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
|
||||||
@ -48821,7 +48909,7 @@ index 35f1476..1571559 100644
|
|||||||
seutil_run_setfiles($1, $2)
|
seutil_run_setfiles($1, $2)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -1275,12 +1510,15 @@ template(`userdom_security_admin_template',`
|
@@ -1279,12 +1514,15 @@ template(`userdom_security_admin_template',`
|
||||||
interface(`userdom_user_home_content',`
|
interface(`userdom_user_home_content',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type user_home_t;
|
type user_home_t;
|
||||||
@ -48838,7 +48926,7 @@ index 35f1476..1571559 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1391,6 +1629,7 @@ interface(`userdom_search_user_home_dirs',`
|
@@ -1395,6 +1633,7 @@ interface(`userdom_search_user_home_dirs',`
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 user_home_dir_t:dir search_dir_perms;
|
allow $1 user_home_dir_t:dir search_dir_perms;
|
||||||
@ -48846,7 +48934,7 @@ index 35f1476..1571559 100644
|
|||||||
files_search_home($1)
|
files_search_home($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -1437,6 +1676,14 @@ interface(`userdom_list_user_home_dirs',`
|
@@ -1441,6 +1680,14 @@ interface(`userdom_list_user_home_dirs',`
|
||||||
|
|
||||||
allow $1 user_home_dir_t:dir list_dir_perms;
|
allow $1 user_home_dir_t:dir list_dir_perms;
|
||||||
files_search_home($1)
|
files_search_home($1)
|
||||||
@ -48861,7 +48949,7 @@ index 35f1476..1571559 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1452,9 +1699,11 @@ interface(`userdom_list_user_home_dirs',`
|
@@ -1456,9 +1703,11 @@ interface(`userdom_list_user_home_dirs',`
|
||||||
interface(`userdom_dontaudit_list_user_home_dirs',`
|
interface(`userdom_dontaudit_list_user_home_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type user_home_dir_t;
|
type user_home_dir_t;
|
||||||
@ -48873,7 +48961,7 @@ index 35f1476..1571559 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1511,6 +1760,42 @@ interface(`userdom_relabelto_user_home_dirs',`
|
@@ -1515,6 +1764,42 @@ interface(`userdom_relabelto_user_home_dirs',`
|
||||||
allow $1 user_home_dir_t:dir relabelto;
|
allow $1 user_home_dir_t:dir relabelto;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -48916,7 +49004,7 @@ index 35f1476..1571559 100644
|
|||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Create directories in the home dir root with
|
## Create directories in the home dir root with
|
||||||
@@ -1585,6 +1870,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
|
@@ -1589,6 +1874,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
|
||||||
')
|
')
|
||||||
|
|
||||||
dontaudit $1 user_home_t:dir search_dir_perms;
|
dontaudit $1 user_home_t:dir search_dir_perms;
|
||||||
@ -48925,7 +49013,7 @@ index 35f1476..1571559 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1599,10 +1886,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
|
@@ -1603,10 +1890,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
|
||||||
#
|
#
|
||||||
interface(`userdom_list_user_home_content',`
|
interface(`userdom_list_user_home_content',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -48940,7 +49028,7 @@ index 35f1476..1571559 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1645,30 +1934,49 @@ interface(`userdom_delete_user_home_content_dirs',`
|
@@ -1649,30 +1938,49 @@ interface(`userdom_delete_user_home_content_dirs',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -48997,7 +49085,7 @@ index 35f1476..1571559 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@@ -1696,12 +2004,32 @@ interface(`userdom_read_user_home_content_files',`
|
@@ -1700,12 +2008,32 @@ interface(`userdom_read_user_home_content_files',`
|
||||||
type user_home_dir_t, user_home_t;
|
type user_home_dir_t, user_home_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -49030,7 +49118,7 @@ index 35f1476..1571559 100644
|
|||||||
## Do not audit attempts to read user home files.
|
## Do not audit attempts to read user home files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -1712,11 +2040,14 @@ interface(`userdom_read_user_home_content_files',`
|
@@ -1716,11 +2044,14 @@ interface(`userdom_read_user_home_content_files',`
|
||||||
#
|
#
|
||||||
interface(`userdom_dontaudit_read_user_home_content_files',`
|
interface(`userdom_dontaudit_read_user_home_content_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -49048,7 +49136,7 @@ index 35f1476..1571559 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1806,8 +2137,7 @@ interface(`userdom_read_user_home_content_symlinks',`
|
@@ -1810,8 +2141,7 @@ interface(`userdom_read_user_home_content_symlinks',`
|
||||||
type user_home_dir_t, user_home_t;
|
type user_home_dir_t, user_home_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -49058,7 +49146,7 @@ index 35f1476..1571559 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1823,20 +2153,14 @@ interface(`userdom_read_user_home_content_symlinks',`
|
@@ -1827,20 +2157,14 @@ interface(`userdom_read_user_home_content_symlinks',`
|
||||||
#
|
#
|
||||||
interface(`userdom_exec_user_home_content_files',`
|
interface(`userdom_exec_user_home_content_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -49083,7 +49171,7 @@ index 35f1476..1571559 100644
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -2178,7 +2502,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
|
@@ -2182,7 +2506,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
|
||||||
type user_tmp_t;
|
type user_tmp_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -49092,7 +49180,7 @@ index 35f1476..1571559 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2431,13 +2755,14 @@ interface(`userdom_read_user_tmpfs_files',`
|
@@ -2435,13 +2759,14 @@ interface(`userdom_read_user_tmpfs_files',`
|
||||||
')
|
')
|
||||||
|
|
||||||
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
|
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
|
||||||
@ -49108,7 +49196,7 @@ index 35f1476..1571559 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -2458,26 +2783,6 @@ interface(`userdom_rw_user_tmpfs_files',`
|
@@ -2462,26 +2787,6 @@ interface(`userdom_rw_user_tmpfs_files',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -49135,7 +49223,7 @@ index 35f1476..1571559 100644
|
|||||||
## Get the attributes of a user domain tty.
|
## Get the attributes of a user domain tty.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -2811,7 +3116,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
|
@@ -2815,7 +3120,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
|
||||||
|
|
||||||
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
|
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
|
||||||
allow unpriv_userdomain $1:fd use;
|
allow unpriv_userdomain $1:fd use;
|
||||||
@ -49144,7 +49232,7 @@ index 35f1476..1571559 100644
|
|||||||
allow unpriv_userdomain $1:process sigchld;
|
allow unpriv_userdomain $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -2827,11 +3132,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
|
@@ -2831,11 +3136,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
|
||||||
#
|
#
|
||||||
interface(`userdom_search_user_home_content',`
|
interface(`userdom_search_user_home_content',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -49160,7 +49248,7 @@ index 35f1476..1571559 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2913,7 +3220,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
|
@@ -2917,7 +3224,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
|
||||||
type user_devpts_t;
|
type user_devpts_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -49169,7 +49257,7 @@ index 35f1476..1571559 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2968,7 +3275,45 @@ interface(`userdom_write_user_tmp_files',`
|
@@ -2972,7 +3279,45 @@ interface(`userdom_write_user_tmp_files',`
|
||||||
type user_tmp_t;
|
type user_tmp_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -49216,7 +49304,7 @@ index 35f1476..1571559 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -3005,6 +3350,7 @@ interface(`userdom_read_all_users_state',`
|
@@ -3009,6 +3354,7 @@ interface(`userdom_read_all_users_state',`
|
||||||
')
|
')
|
||||||
|
|
||||||
read_files_pattern($1, userdomain, userdomain)
|
read_files_pattern($1, userdomain, userdomain)
|
||||||
@ -49224,7 +49312,7 @@ index 35f1476..1571559 100644
|
|||||||
kernel_search_proc($1)
|
kernel_search_proc($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -3135,3 +3481,873 @@ interface(`userdom_dbus_send_all_users',`
|
@@ -3139,3 +3485,873 @@ interface(`userdom_dbus_send_all_users',`
|
||||||
|
|
||||||
allow $1 userdomain:dbus send_msg;
|
allow $1 userdomain:dbus send_msg;
|
||||||
')
|
')
|
||||||
|
@ -21,7 +21,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.9.11
|
Version: 3.9.11
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -471,6 +471,9 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Dec 15 2010 Dan Walsh <dwalsh@redhat.com> 3.9.11-2
|
||||||
|
- Update selinux policy to handle new /usr/share/sandbox/start script
|
||||||
|
|
||||||
* Wed Dec 15 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.11-1
|
* Wed Dec 15 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.11-1
|
||||||
- Update to upstream
|
- Update to upstream
|
||||||
- Fix version of policy in spec file
|
- Fix version of policy in spec file
|
||||||
|
Loading…
Reference in New Issue
Block a user