- Allow setroubelshoot exec* privs to prevent crash from bad libraries
- add cpufreqselector
This commit is contained in:
parent
90ea5b3fef
commit
f49c57d5e6
@ -32,6 +32,13 @@ alsa = base
|
|||||||
#
|
#
|
||||||
ada = module
|
ada = module
|
||||||
|
|
||||||
|
# Layer: apps
|
||||||
|
# Module: cpufreqselector
|
||||||
|
#
|
||||||
|
# cpufreqselector executable
|
||||||
|
#
|
||||||
|
cpufreqselector = module
|
||||||
|
|
||||||
# Layer: modules
|
# Layer: modules
|
||||||
# Module: awstats
|
# Module: awstats
|
||||||
#
|
#
|
||||||
|
@ -32,6 +32,13 @@ alsa = base
|
|||||||
#
|
#
|
||||||
ada = module
|
ada = module
|
||||||
|
|
||||||
|
# Layer: apps
|
||||||
|
# Module: cpufreqselector
|
||||||
|
#
|
||||||
|
# cpufreqselector executable
|
||||||
|
#
|
||||||
|
cpufreqselector = module
|
||||||
|
|
||||||
# Layer: modules
|
# Layer: modules
|
||||||
# Module: awstats
|
# Module: awstats
|
||||||
#
|
#
|
||||||
|
@ -32,6 +32,13 @@ alsa = base
|
|||||||
#
|
#
|
||||||
ada = module
|
ada = module
|
||||||
|
|
||||||
|
# Layer: apps
|
||||||
|
# Module: cpufreqselector
|
||||||
|
#
|
||||||
|
# cpufreqselector executable
|
||||||
|
#
|
||||||
|
cpufreqselector = module
|
||||||
|
|
||||||
# Layer: modules
|
# Layer: modules
|
||||||
# Module: awstats
|
# Module: awstats
|
||||||
#
|
#
|
||||||
|
@ -1593,8 +1593,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.te
|
||||||
--- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.te 2009-04-02 10:05:45.000000000 -0400
|
+++ serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.te 2009-04-03 10:09:12.000000000 -0400
|
||||||
@@ -0,0 +1,47 @@
|
@@ -0,0 +1,44 @@
|
||||||
+policy_module(cpufreqselector,1.0.0)
|
+policy_module(cpufreqselector,1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -1624,9 +1624,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
+fs_list_inotifyfs(cpufreqselector_t)
|
+fs_list_inotifyfs(cpufreqselector_t)
|
||||||
+
|
+
|
||||||
+libs_use_ld_so(cpufreqselector_t)
|
|
||||||
+libs_use_shared_libs(cpufreqselector_t)
|
|
||||||
+
|
|
||||||
+userdom_read_all_users_state(cpufreqselector_t)
|
+userdom_read_all_users_state(cpufreqselector_t)
|
||||||
+
|
+
|
||||||
+nscd_dontaudit_search_pid(cpufreqselector_t)
|
+nscd_dontaudit_search_pid(cpufreqselector_t)
|
||||||
@ -10987,8 +10984,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.10/policy/modules/services/devicekit.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.10/policy/modules/services/devicekit.te
|
||||||
--- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.6.10/policy/modules/services/devicekit.te 2009-03-30 10:09:41.000000000 -0400
|
+++ serefpolicy-3.6.10/policy/modules/services/devicekit.te 2009-04-03 08:12:27.000000000 -0400
|
||||||
@@ -0,0 +1,210 @@
|
@@ -0,0 +1,211 @@
|
||||||
+policy_module(devicekit,1.0.0)
|
+policy_module(devicekit,1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -11150,6 +11147,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+dev_read_sysfs(devicekit_disk_t)
|
+dev_read_sysfs(devicekit_disk_t)
|
||||||
+dev_read_urand(devicekit_disk_t)
|
+dev_read_urand(devicekit_disk_t)
|
||||||
+dev_getattr_usbfs_dirs(devicekit_disk_t)
|
+dev_getattr_usbfs_dirs(devicekit_disk_t)
|
||||||
|
+dev_manage_generic_files(devicekit_disk_t)
|
||||||
+
|
+
|
||||||
+kernel_read_software_raid_state(devicekit_disk_t)
|
+kernel_read_software_raid_state(devicekit_disk_t)
|
||||||
+
|
+
|
||||||
@ -19761,7 +19759,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.10/policy/modules/services/setroubleshoot.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.10/policy/modules/services/setroubleshoot.te
|
||||||
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-01-19 11:06:49.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-01-19 11:06:49.000000000 -0500
|
||||||
+++ serefpolicy-3.6.10/policy/modules/services/setroubleshoot.te 2009-03-30 10:09:41.000000000 -0400
|
+++ serefpolicy-3.6.10/policy/modules/services/setroubleshoot.te 2009-04-03 10:25:52.000000000 -0400
|
||||||
@@ -11,6 +11,9 @@
|
@@ -11,6 +11,9 @@
|
||||||
domain_type(setroubleshootd_t)
|
domain_type(setroubleshootd_t)
|
||||||
init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
|
init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
|
||||||
@ -19772,7 +19770,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
type setroubleshoot_var_lib_t;
|
type setroubleshoot_var_lib_t;
|
||||||
files_type(setroubleshoot_var_lib_t)
|
files_type(setroubleshoot_var_lib_t)
|
||||||
|
|
||||||
@@ -27,8 +30,8 @@
|
@@ -27,8 +30,10 @@
|
||||||
# setroubleshootd local policy
|
# setroubleshootd local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -19780,10 +19778,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
-allow setroubleshootd_t self:process { signull signal getattr getsched };
|
-allow setroubleshootd_t self:process { signull signal getattr getsched };
|
||||||
+allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config };
|
+allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config };
|
||||||
+allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal };
|
+allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal };
|
||||||
|
+# if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run
|
||||||
|
+allow setroubleshootd_t self:process { execmem execstack };
|
||||||
allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
|
allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
|
allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||||
@@ -52,7 +55,10 @@
|
@@ -52,7 +57,10 @@
|
||||||
|
|
||||||
kernel_read_kernel_sysctls(setroubleshootd_t)
|
kernel_read_kernel_sysctls(setroubleshootd_t)
|
||||||
kernel_read_system_state(setroubleshootd_t)
|
kernel_read_system_state(setroubleshootd_t)
|
||||||
@ -19794,7 +19794,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
corecmd_exec_bin(setroubleshootd_t)
|
corecmd_exec_bin(setroubleshootd_t)
|
||||||
corecmd_exec_shell(setroubleshootd_t)
|
corecmd_exec_shell(setroubleshootd_t)
|
||||||
@@ -68,16 +74,24 @@
|
@@ -68,16 +76,24 @@
|
||||||
|
|
||||||
dev_read_urand(setroubleshootd_t)
|
dev_read_urand(setroubleshootd_t)
|
||||||
dev_read_sysfs(setroubleshootd_t)
|
dev_read_sysfs(setroubleshootd_t)
|
||||||
@ -19820,7 +19820,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
selinux_get_enforce_mode(setroubleshootd_t)
|
selinux_get_enforce_mode(setroubleshootd_t)
|
||||||
selinux_validate_context(setroubleshootd_t)
|
selinux_validate_context(setroubleshootd_t)
|
||||||
@@ -94,22 +108,24 @@
|
@@ -94,22 +110,24 @@
|
||||||
|
|
||||||
locallogin_dontaudit_use_fds(setroubleshootd_t)
|
locallogin_dontaudit_use_fds(setroubleshootd_t)
|
||||||
|
|
||||||
@ -27011,7 +27011,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.10/policy/modules/system/unconfined.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.10/policy/modules/system/unconfined.if
|
||||||
--- nsaserefpolicy/policy/modules/system/unconfined.if 2008-11-11 16:13:48.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/unconfined.if 2008-11-11 16:13:48.000000000 -0500
|
||||||
+++ serefpolicy-3.6.10/policy/modules/system/unconfined.if 2009-04-01 14:58:39.000000000 -0400
|
+++ serefpolicy-3.6.10/policy/modules/system/unconfined.if 2009-04-03 10:28:13.000000000 -0400
|
||||||
@@ -12,14 +12,13 @@
|
@@ -12,14 +12,13 @@
|
||||||
#
|
#
|
||||||
interface(`unconfined_domain_noaudit',`
|
interface(`unconfined_domain_noaudit',`
|
||||||
@ -27130,7 +27130,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+ type unconfined_t;
|
+ type unconfined_t;
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ dontaudit $1 unconfined_t:unix_stream_socket rw_file_perms;
|
+ dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms;
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -27668,7 +27668,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
|
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.10/policy/modules/system/userdomain.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.10/policy/modules/system/userdomain.if
|
||||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
|
||||||
+++ serefpolicy-3.6.10/policy/modules/system/userdomain.if 2009-04-01 14:59:58.000000000 -0400
|
+++ serefpolicy-3.6.10/policy/modules/system/userdomain.if 2009-04-03 10:26:58.000000000 -0400
|
||||||
@@ -30,8 +30,9 @@
|
@@ -30,8 +30,9 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -29532,7 +29532,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+ attribute userdomain;
|
+ attribute userdomain;
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ dontaudit $1 userdomain:unix_stream_socket rw_file_perms;
|
+ dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.10/policy/modules/system/userdomain.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.10/policy/modules/system/userdomain.te
|
||||||
|
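Review bot: The new `allow setroubleshootd_t self:process { execmem execstack };` in the `@ -19780,10 +19778,12 @@` hunk of setroubleshoot.te drops the W^X restriction unconditionally for a long-running daemon that processes audit records, which is exactly the kind of domain where that mitigation matters most. The comment above it says only that a bad library may require these permissions; it should name the library or bug report so the exception can be retired once the library is fixed, e.g. `# FIXME: needed only while <library — TODO name it> is built with an executable stack; drop once fixed`. Making the grant conditional, wrapped in a `tunable_policy` block keyed on a boolean (the existing `allow_execmem`/`allow_execstack` tunables, if this tree defines them), would let administrators keep the protection on systems where the library is already repaired. The same hunk also widens the capability set with `dac_override sys_nice sys_tty_config` and adds `setsched sigkill` without a comment, so a one-line note on what triggers each would help later audits.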
@ -15,12 +15,12 @@
|
|||||||
%endif
|
%endif
|
||||||
%define POLICYVER 23
|
%define POLICYVER 23
|
||||||
%define libsepolver 2.0.20-1
|
%define libsepolver 2.0.20-1
|
||||||
%define POLICYCOREUTILSVER 2.0.61-7
|
%define POLICYCOREUTILSVER 2.0.62-7
|
||||||
%define CHECKPOLICYVER 2.0.16-3
|
%define CHECKPOLICYVER 2.0.16-3
|
||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.6.10
|
Version: 3.6.10
|
||||||
Release: 6%{?dist}
|
Release: 7%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -444,6 +444,10 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Apr 3 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-7
|
||||||
|
- Allow setroubelshoot exec* privs to prevent crash from bad libraries
|
||||||
|
- add cpufreqselector
|
||||||
|
|
||||||
* Thu Apr 2 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-6
|
* Thu Apr 2 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-6
|
||||||
- Dontaudit listing of /root directory for cron system jobs
|
- Dontaudit listing of /root directory for cron system jobs
|
||||||
|
|
||||||
|