- Allow kerneloops to create tmp files
This commit is contained in:
parent
5a79419b06
commit
f5bbca8b04
@ -6168,8 +6168,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
########################################
|
########################################
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in
|
||||||
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-10-14 11:58:07.000000000 -0400
|
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-10-14 11:58:07.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in 2008-10-17 10:31:26.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in 2008-10-23 08:53:02.000000000 -0400
|
||||||
@@ -93,6 +93,7 @@
|
@@ -79,6 +79,7 @@
|
||||||
|
network_port(auth, tcp,113,s0)
|
||||||
|
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
|
||||||
|
type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
|
||||||
|
+network_port(certmaster, tcp,51235,s0)
|
||||||
|
network_port(clamd, tcp,3310,s0)
|
||||||
|
network_port(clockspeed, udp,4041,s0)
|
||||||
|
network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
|
||||||
|
@@ -93,6 +94,7 @@
|
||||||
network_port(distccd, tcp,3632,s0)
|
network_port(distccd, tcp,3632,s0)
|
||||||
network_port(dns, udp,53,s0, tcp,53,s0)
|
network_port(dns, udp,53,s0, tcp,53,s0)
|
||||||
network_port(fingerd, tcp,79,s0)
|
network_port(fingerd, tcp,79,s0)
|
||||||
@ -6177,7 +6185,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
network_port(ftp_data, tcp,20,s0)
|
network_port(ftp_data, tcp,20,s0)
|
||||||
network_port(ftp, tcp,21,s0)
|
network_port(ftp, tcp,21,s0)
|
||||||
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
|
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
|
||||||
@@ -117,6 +118,8 @@
|
@@ -117,6 +119,8 @@
|
||||||
network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
|
network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
|
||||||
network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
|
network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
|
||||||
network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
|
network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
|
||||||
@ -6186,7 +6194,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
network_port(ktalkd, udp,517,s0, udp,518,s0)
|
network_port(ktalkd, udp,517,s0, udp,518,s0)
|
||||||
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
|
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
|
||||||
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
|
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
|
||||||
@@ -126,6 +129,7 @@
|
@@ -126,6 +130,7 @@
|
||||||
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
|
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
|
||||||
network_port(monopd, tcp,1234,s0)
|
network_port(monopd, tcp,1234,s0)
|
||||||
network_port(msnp, tcp,1863,s0, udp,1863,s0)
|
network_port(msnp, tcp,1863,s0, udp,1863,s0)
|
||||||
@ -6194,7 +6202,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
|
network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
|
||||||
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
|
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
|
||||||
network_port(nessus, tcp,1241,s0)
|
network_port(nessus, tcp,1241,s0)
|
||||||
@@ -137,11 +141,13 @@
|
@@ -137,11 +142,13 @@
|
||||||
network_port(pegasus_http, tcp,5988,s0)
|
network_port(pegasus_http, tcp,5988,s0)
|
||||||
network_port(pegasus_https, tcp,5989,s0)
|
network_port(pegasus_https, tcp,5989,s0)
|
||||||
network_port(postfix_policyd, tcp,10031,s0)
|
network_port(postfix_policyd, tcp,10031,s0)
|
||||||
@ -6208,7 +6216,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
network_port(printer, tcp,515,s0)
|
network_port(printer, tcp,515,s0)
|
||||||
network_port(ptal, tcp,5703,s0)
|
network_port(ptal, tcp,5703,s0)
|
||||||
network_port(pxe, udp,4011,s0)
|
network_port(pxe, udp,4011,s0)
|
||||||
@@ -159,9 +165,10 @@
|
@@ -159,9 +166,10 @@
|
||||||
network_port(rwho, udp,513,s0)
|
network_port(rwho, udp,513,s0)
|
||||||
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
|
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
|
||||||
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
|
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
|
||||||
@ -6220,7 +6228,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
|
network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
|
||||||
type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
|
type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
|
||||||
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
|
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
|
||||||
@@ -170,13 +177,16 @@
|
@@ -170,13 +178,16 @@
|
||||||
network_port(syslogd, udp,514,s0)
|
network_port(syslogd, udp,514,s0)
|
||||||
network_port(telnetd, tcp,23,s0)
|
network_port(telnetd, tcp,23,s0)
|
||||||
network_port(tftp, udp,69,s0)
|
network_port(tftp, udp,69,s0)
|
||||||
@ -8480,8 +8488,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+logging_admin(logadm_t, logadm_r, { logadm_devpts_t logadm_tty_device_t })
|
+logging_admin(logadm_t, logadm_r, { logadm_devpts_t logadm_tty_device_t })
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.5.13/policy/modules/roles/staff.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.5.13/policy/modules/roles/staff.te
|
||||||
--- nsaserefpolicy/policy/modules/roles/staff.te 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/roles/staff.te 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/roles/staff.te 2008-10-17 10:31:27.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/roles/staff.te 2008-10-22 16:47:01.000000000 -0400
|
||||||
@@ -8,23 +8,55 @@
|
@@ -8,23 +8,59 @@
|
||||||
|
|
||||||
role staff_r;
|
role staff_r;
|
||||||
|
|
||||||
@ -8507,6 +8515,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
+ kerneloops_manage_tmp_files(staff_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
+ logadm_role_change_template(staff)
|
+ logadm_role_change_template(staff)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
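Review bot: `kerneloops_manage_tmp_files(staff_t)` gives staff_t create/write/unlink on kerneloops_tmp_t, which is wider than the commit title ("Allow kerneloops to create tmp files") implies, and the same type is what kerneloops_t itself manages in the kerneloops.te hunk, so whatever kerneloops_t later reads back from /tmp becomes writable by unprivileged staff sessions. The interface carries no `files_tmp_filetrans`, so staff_t cannot create kerneloops_tmp_t files itself and the grant only matters for files kerneloops_t has already created; if staff only needs to read those, a read-only interface would be the least-privilege choice. If the kerneloops applet really does run in the user session and rewrites these files, a one-line comment above the call, e.g. `# kerneloops applet runs in the user session and rewrites the reports it submits`, would record why manage rather than read is needed. The enclosing `optional_policy` block opens inside the hunk, so this is self-contained.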
@ -10545,7 +10557,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te
|
||||||
--- nsaserefpolicy/policy/modules/services/apache.te 2008-10-16 17:21:16.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/apache.te 2008-10-16 17:21:16.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-10-22 09:53:30.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-10-22 14:38:49.000000000 -0400
|
||||||
@@ -20,6 +20,8 @@
|
@@ -20,6 +20,8 @@
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
@ -10689,7 +10701,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
||||||
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
||||||
@@ -289,6 +338,7 @@
|
@@ -278,6 +327,7 @@
|
||||||
|
manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
|
||||||
|
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
|
||||||
|
|
||||||
|
+setattr_dir_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
|
||||||
|
manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
|
||||||
|
manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
|
||||||
|
files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file })
|
||||||
|
@@ -289,6 +339,7 @@
|
||||||
kernel_read_kernel_sysctls(httpd_t)
|
kernel_read_kernel_sysctls(httpd_t)
|
||||||
# for modules that want to access /proc/meminfo
|
# for modules that want to access /proc/meminfo
|
||||||
kernel_read_system_state(httpd_t)
|
kernel_read_system_state(httpd_t)
|
||||||
@ -10697,7 +10717,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
corenet_all_recvfrom_unlabeled(httpd_t)
|
corenet_all_recvfrom_unlabeled(httpd_t)
|
||||||
corenet_all_recvfrom_netlabel(httpd_t)
|
corenet_all_recvfrom_netlabel(httpd_t)
|
||||||
@@ -299,6 +349,7 @@
|
@@ -299,6 +350,7 @@
|
||||||
corenet_tcp_sendrecv_all_ports(httpd_t)
|
corenet_tcp_sendrecv_all_ports(httpd_t)
|
||||||
corenet_udp_sendrecv_all_ports(httpd_t)
|
corenet_udp_sendrecv_all_ports(httpd_t)
|
||||||
corenet_tcp_bind_all_nodes(httpd_t)
|
corenet_tcp_bind_all_nodes(httpd_t)
|
||||||
@ -10705,7 +10725,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
corenet_tcp_bind_http_port(httpd_t)
|
corenet_tcp_bind_http_port(httpd_t)
|
||||||
corenet_tcp_bind_http_cache_port(httpd_t)
|
corenet_tcp_bind_http_cache_port(httpd_t)
|
||||||
corenet_sendrecv_http_server_packets(httpd_t)
|
corenet_sendrecv_http_server_packets(httpd_t)
|
||||||
@@ -312,12 +363,11 @@
|
@@ -312,12 +364,11 @@
|
||||||
|
|
||||||
fs_getattr_all_fs(httpd_t)
|
fs_getattr_all_fs(httpd_t)
|
||||||
fs_search_auto_mountpoints(httpd_t)
|
fs_search_auto_mountpoints(httpd_t)
|
||||||
@ -10720,7 +10740,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
domain_use_interactive_fds(httpd_t)
|
domain_use_interactive_fds(httpd_t)
|
||||||
|
|
||||||
@@ -335,6 +385,10 @@
|
@@ -335,6 +386,10 @@
|
||||||
files_read_var_lib_symlinks(httpd_t)
|
files_read_var_lib_symlinks(httpd_t)
|
||||||
|
|
||||||
fs_search_auto_mountpoints(httpd_sys_script_t)
|
fs_search_auto_mountpoints(httpd_sys_script_t)
|
||||||
@ -10731,7 +10751,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
libs_use_ld_so(httpd_t)
|
libs_use_ld_so(httpd_t)
|
||||||
libs_use_shared_libs(httpd_t)
|
libs_use_shared_libs(httpd_t)
|
||||||
@@ -351,18 +405,33 @@
|
@@ -351,18 +406,33 @@
|
||||||
|
|
||||||
userdom_use_unpriv_users_fds(httpd_t)
|
userdom_use_unpriv_users_fds(httpd_t)
|
||||||
|
|
||||||
@ -10769,7 +10789,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -370,20 +439,45 @@
|
@@ -370,20 +440,45 @@
|
||||||
corenet_tcp_connect_all_ports(httpd_t)
|
corenet_tcp_connect_all_ports(httpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -10816,7 +10836,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
|
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
|
||||||
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
|
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
|
||||||
@@ -394,11 +488,12 @@
|
@@ -394,11 +489,12 @@
|
||||||
corenet_tcp_bind_ftp_port(httpd_t)
|
corenet_tcp_bind_ftp_port(httpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -10832,7 +10852,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
fs_read_nfs_files(httpd_t)
|
fs_read_nfs_files(httpd_t)
|
||||||
fs_read_nfs_symlinks(httpd_t)
|
fs_read_nfs_symlinks(httpd_t)
|
||||||
')
|
')
|
||||||
@@ -408,6 +503,11 @@
|
@@ -408,6 +504,11 @@
|
||||||
fs_read_cifs_symlinks(httpd_t)
|
fs_read_cifs_symlinks(httpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -10844,7 +10864,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
tunable_policy(`httpd_ssi_exec',`
|
tunable_policy(`httpd_ssi_exec',`
|
||||||
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
|
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
|
||||||
allow httpd_sys_script_t httpd_t:fd use;
|
allow httpd_sys_script_t httpd_t:fd use;
|
||||||
@@ -441,8 +541,13 @@
|
@@ -441,8 +542,13 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -10860,7 +10880,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -454,18 +559,13 @@
|
@@ -454,18 +560,13 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -10880,7 +10900,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -475,6 +575,12 @@
|
@@ -475,6 +576,12 @@
|
||||||
openca_kill(httpd_t)
|
openca_kill(httpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -10893,7 +10913,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
# Allow httpd to work with postgresql
|
# Allow httpd to work with postgresql
|
||||||
postgresql_stream_connect(httpd_t)
|
postgresql_stream_connect(httpd_t)
|
||||||
@@ -482,6 +588,7 @@
|
@@ -482,6 +589,7 @@
|
||||||
|
|
||||||
tunable_policy(`httpd_can_network_connect_db',`
|
tunable_policy(`httpd_can_network_connect_db',`
|
||||||
postgresql_tcp_connect(httpd_t)
|
postgresql_tcp_connect(httpd_t)
|
||||||
@ -10901,7 +10921,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -490,6 +597,7 @@
|
@@ -490,6 +598,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -10909,7 +10929,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
|
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
|
||||||
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
|
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
|
||||||
')
|
')
|
||||||
@@ -519,9 +627,28 @@
|
@@ -519,9 +628,28 @@
|
||||||
logging_send_syslog_msg(httpd_helper_t)
|
logging_send_syslog_msg(httpd_helper_t)
|
||||||
|
|
||||||
tunable_policy(`httpd_tty_comm',`
|
tunable_policy(`httpd_tty_comm',`
|
||||||
@ -10938,7 +10958,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Apache PHP script local policy
|
# Apache PHP script local policy
|
||||||
@@ -551,22 +678,27 @@
|
@@ -551,22 +679,27 @@
|
||||||
|
|
||||||
fs_search_auto_mountpoints(httpd_php_t)
|
fs_search_auto_mountpoints(httpd_php_t)
|
||||||
|
|
||||||
@ -10972,7 +10992,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -584,12 +716,14 @@
|
@@ -584,12 +717,14 @@
|
||||||
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
||||||
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
||||||
|
|
||||||
@ -10988,7 +11008,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
kernel_read_kernel_sysctls(httpd_suexec_t)
|
kernel_read_kernel_sysctls(httpd_suexec_t)
|
||||||
kernel_list_proc(httpd_suexec_t)
|
kernel_list_proc(httpd_suexec_t)
|
||||||
kernel_read_proc_symlinks(httpd_suexec_t)
|
kernel_read_proc_symlinks(httpd_suexec_t)
|
||||||
@@ -598,9 +732,7 @@
|
@@ -598,9 +733,7 @@
|
||||||
|
|
||||||
fs_search_auto_mountpoints(httpd_suexec_t)
|
fs_search_auto_mountpoints(httpd_suexec_t)
|
||||||
|
|
||||||
@ -10999,7 +11019,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
files_read_etc_files(httpd_suexec_t)
|
files_read_etc_files(httpd_suexec_t)
|
||||||
files_read_usr_files(httpd_suexec_t)
|
files_read_usr_files(httpd_suexec_t)
|
||||||
@@ -633,12 +765,25 @@
|
@@ -633,12 +766,25 @@
|
||||||
corenet_sendrecv_all_client_packets(httpd_suexec_t)
|
corenet_sendrecv_all_client_packets(httpd_suexec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -11028,7 +11048,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||||
@@ -647,6 +792,12 @@
|
@@ -647,6 +793,12 @@
|
||||||
fs_exec_nfs_files(httpd_suexec_t)
|
fs_exec_nfs_files(httpd_suexec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -11041,7 +11061,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||||
fs_read_cifs_files(httpd_suexec_t)
|
fs_read_cifs_files(httpd_suexec_t)
|
||||||
fs_read_cifs_symlinks(httpd_suexec_t)
|
fs_read_cifs_symlinks(httpd_suexec_t)
|
||||||
@@ -664,10 +815,6 @@
|
@@ -664,20 +816,20 @@
|
||||||
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -11052,7 +11072,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Apache system script local policy
|
# Apache system script local policy
|
||||||
@@ -677,7 +824,8 @@
|
#
|
||||||
|
|
||||||
|
+auth_use_nsswitch(httpd_sys_script_t)
|
||||||
|
+
|
||||||
|
+allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
|
||||||
|
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
|
||||||
|
|
||||||
dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
||||||
|
|
||||||
@ -11062,7 +11087,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
|
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
|
||||||
read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
||||||
@@ -691,12 +839,15 @@
|
@@ -691,12 +843,15 @@
|
||||||
# Should we add a boolean?
|
# Should we add a boolean?
|
||||||
apache_domtrans_rotatelogs(httpd_sys_script_t)
|
apache_domtrans_rotatelogs(httpd_sys_script_t)
|
||||||
|
|
||||||
@ -11080,7 +11105,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||||
@@ -704,6 +855,30 @@
|
@@ -704,6 +859,30 @@
|
||||||
fs_read_nfs_symlinks(httpd_sys_script_t)
|
fs_read_nfs_symlinks(httpd_sys_script_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -11111,7 +11136,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||||
fs_read_cifs_files(httpd_sys_script_t)
|
fs_read_cifs_files(httpd_sys_script_t)
|
||||||
fs_read_cifs_symlinks(httpd_sys_script_t)
|
fs_read_cifs_symlinks(httpd_sys_script_t)
|
||||||
@@ -716,10 +891,10 @@
|
@@ -716,10 +895,10 @@
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
mysql_stream_connect(httpd_sys_script_t)
|
mysql_stream_connect(httpd_sys_script_t)
|
||||||
mysql_rw_db_sockets(httpd_sys_script_t)
|
mysql_rw_db_sockets(httpd_sys_script_t)
|
||||||
@ -11126,7 +11151,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -727,6 +902,8 @@
|
@@ -727,6 +906,8 @@
|
||||||
# httpd_rotatelogs local policy
|
# httpd_rotatelogs local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -11135,7 +11160,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
|
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
|
||||||
|
|
||||||
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
|
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
|
||||||
@@ -741,3 +918,66 @@
|
@@ -741,3 +922,66 @@
|
||||||
logging_search_logs(httpd_rotatelogs_t)
|
logging_search_logs(httpd_rotatelogs_t)
|
||||||
|
|
||||||
miscfiles_read_localization(httpd_rotatelogs_t)
|
miscfiles_read_localization(httpd_rotatelogs_t)
|
||||||
@ -14928,7 +14953,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.5.13/policy/modules/services/exim.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.5.13/policy/modules/services/exim.if
|
||||||
--- nsaserefpolicy/policy/modules/services/exim.if 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/exim.if 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/services/exim.if 2008-10-17 10:31:27.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/services/exim.if 2008-10-22 16:44:31.000000000 -0400
|
||||||
@@ -97,6 +97,26 @@
|
@@ -97,6 +97,26 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -15695,6 +15720,74 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
dev_read_urand(kpropd_t)
|
dev_read_urand(kpropd_t)
|
||||||
|
|
||||||
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.5.13/policy/modules/services/kerneloops.if
|
||||||
|
--- nsaserefpolicy/policy/modules/services/kerneloops.if 2008-10-14 11:58:09.000000000 -0400
|
||||||
|
+++ serefpolicy-3.5.13/policy/modules/services/kerneloops.if 2008-10-22 16:51:11.000000000 -0400
|
||||||
|
@@ -63,6 +63,25 @@
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
+## Allow domain to manage kerneloops tmp files
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain to not audit.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`kerneloops_manage_tmp_files',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type kerneloops_tmp_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ manage_files_pattern($1, kerneloops_tmp_t, kerneloops_tmp_t)
|
||||||
|
+ files_search_tmp($1)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
## All of the rules required to administrate
|
||||||
|
## an kerneloops environment
|
||||||
|
## </summary>
|
||||||
|
@@ -81,6 +100,7 @@
|
||||||
|
interface(`kerneloops_admin',`
|
||||||
|
gen_require(`
|
||||||
|
type kerneloops_t, kerneloops_initrc_exec_t;
|
||||||
|
+ type kerneloops_tmp_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 kerneloops_t:process { ptrace signal_perms };
|
||||||
|
@@ -90,4 +110,7 @@
|
||||||
|
domain_system_change_exemption($1)
|
||||||
|
role_transition $2 kerneloops_initrc_exec_t system_r;
|
||||||
|
allow $2 system_r;
|
||||||
|
+
|
||||||
|
+ admin_pattern($1, kerneloops_tmp_t)
|
||||||
|
')
|
||||||
|
+
|
||||||
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.5.13/policy/modules/services/kerneloops.te
|
||||||
|
--- nsaserefpolicy/policy/modules/services/kerneloops.te 2008-10-14 11:58:09.000000000 -0400
|
||||||
|
+++ serefpolicy-3.5.13/policy/modules/services/kerneloops.te 2008-10-22 16:49:44.000000000 -0400
|
||||||
|
@@ -13,6 +13,9 @@
|
||||||
|
type kerneloops_initrc_exec_t;
|
||||||
|
init_script_file(kerneloops_initrc_exec_t)
|
||||||
|
|
||||||
|
+type kerneloops_tmp_t;
|
||||||
|
+files_tmp_file(kerneloops_tmp_t)
|
||||||
|
+
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# kerneloops local policy
|
||||||
|
@@ -23,6 +26,9 @@
|
||||||
|
allow kerneloops_t self:fifo_file rw_file_perms;
|
||||||
|
allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms;
|
||||||
|
|
||||||
|
+manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t)
|
||||||
|
+files_tmp_filetrans(kerneloops_t,kerneloops_tmp_t,file)
|
||||||
|
+
|
||||||
|
kernel_read_ring_buffer(kerneloops_t)
|
||||||
|
|
||||||
|
# Init script handling
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.5.13/policy/modules/services/ldap.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.5.13/policy/modules/services/ldap.te
|
||||||
--- nsaserefpolicy/policy/modules/services/ldap.te 2008-10-16 17:21:16.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/ldap.te 2008-10-16 17:21:16.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/services/ldap.te 2008-10-17 10:31:27.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/services/ldap.te 2008-10-17 10:31:27.000000000 -0400
|
||||||
|
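Review bot: The `<param>` description of the new `kerneloops_manage_tmp_files` interface reads `## Domain to not audit.`, which is the dontaudit-interface boilerplate and is wrong for an interface built on `manage_files_pattern`; it should read `## Domain allowed access.` so the generated interface documentation describes what the interface grants. The interface also has no `files_tmp_filetrans`, so a caller can only manage files already labeled kerneloops_tmp_t, i.e. those kerneloops_t creates through the transition added in kerneloops.te; if callers are meant to create such files that line is missing, otherwise a one-line comment saying the files are kerneloops_t-created would save the next reader the same question. In kerneloops.te, `files_tmp_filetrans(kerneloops_t,kerneloops_tmp_t,file)` drops the spaces after the commas that the neighbouring rules use; `files_tmp_filetrans(kerneloops_t, kerneloops_tmp_t, file)` matches the surrounding style.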