- Lots of random fixes
This commit is contained in:
parent
b39ccca147
commit
f651bb6fdc
196
policy-F14.patch
196
policy-F14.patch
@ -556,6 +556,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
|
|||||||
|
|
||||||
cron_system_entry(logrotate_t, logrotate_exec_t)
|
cron_system_entry(logrotate_t, logrotate_exec_t)
|
||||||
cron_search_spool(logrotate_t)
|
cron_search_spool(logrotate_t)
|
||||||
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.fc serefpolicy-3.8.3/policy/modules/admin/logwatch.fc
|
||||||
|
--- nsaserefpolicy/policy/modules/admin/logwatch.fc 2009-07-14 14:19:57.000000000 -0400
|
||||||
|
+++ serefpolicy-3.8.3/policy/modules/admin/logwatch.fc 2010-06-09 16:17:01.000000000 -0400
|
||||||
|
@@ -1,7 +1,9 @@
|
||||||
|
/usr/sbin/logcheck -- gen_context(system_u:object_r:logwatch_exec_t,s0)
|
||||||
|
+/usr/sbin/epylog -- gen_context(system_u:object_r:logwatch_exec_t,s0)
|
||||||
|
|
||||||
|
/usr/share/logwatch/scripts/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t, s0)
|
||||||
|
|
||||||
|
/var/cache/logwatch(/.*)? gen_context(system_u:object_r:logwatch_cache_t, s0)
|
||||||
|
/var/lib/logcheck(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0)
|
||||||
|
+/var/lib/epylog(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0)
|
||||||
|
/var/log/logcheck/.+ -- gen_context(system_u:object_r:logwatch_lock_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.te serefpolicy-3.8.3/policy/modules/admin/mcelog.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.te serefpolicy-3.8.3/policy/modules/admin/mcelog.te
|
||||||
--- nsaserefpolicy/policy/modules/admin/mcelog.te 2010-03-18 06:48:09.000000000 -0400
|
--- nsaserefpolicy/policy/modules/admin/mcelog.te 2010-03-18 06:48:09.000000000 -0400
|
||||||
+++ serefpolicy-3.8.3/policy/modules/admin/mcelog.te 2010-06-08 11:32:10.000000000 -0400
|
+++ serefpolicy-3.8.3/policy/modules/admin/mcelog.te 2010-06-08 11:32:10.000000000 -0400
|
||||||
@ -6810,7 +6823,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
|
|||||||
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
|
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.8.3/policy/modules/kernel/devices.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.8.3/policy/modules/kernel/devices.if
|
||||||
--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-06-08 10:35:48.000000000 -0400
|
--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-06-08 10:35:48.000000000 -0400
|
||||||
+++ serefpolicy-3.8.3/policy/modules/kernel/devices.if 2010-06-08 11:32:10.000000000 -0400
|
+++ serefpolicy-3.8.3/policy/modules/kernel/devices.if 2010-06-09 16:40:03.000000000 -0400
|
||||||
@@ -606,6 +606,24 @@
|
@@ -606,6 +606,24 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -6904,11 +6917,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
|
|||||||
## Get the attributes of sysfs directories.
|
## Get the attributes of sysfs directories.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -4166,6 +4238,7 @@
|
@@ -4161,11 +4233,10 @@
|
||||||
|
#
|
||||||
|
interface(`dev_rw_vhost',`
|
||||||
|
gen_require(`
|
||||||
|
- type vhost_device_t;
|
||||||
|
+ type device_t, vhost_device_t;
|
||||||
|
')
|
||||||
|
|
||||||
list_dirs_pattern($1, vhost_device_t, vhost_device_t)
|
- list_dirs_pattern($1, vhost_device_t, vhost_device_t)
|
||||||
rw_files_pattern($1, vhost_device_t, vhost_device_t)
|
- rw_files_pattern($1, vhost_device_t, vhost_device_t)
|
||||||
+ read_lnk_files_pattern($1, vhost_device_t, vhost_device_t)
|
+ rw_chr_files_pattern($1, device_t, vhost_device_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -10715,7 +10734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
|
|||||||
## All of the rules required to administrate
|
## All of the rules required to administrate
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.8.3/policy/modules/services/abrt.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.8.3/policy/modules/services/abrt.te
|
||||||
--- nsaserefpolicy/policy/modules/services/abrt.te 2010-05-25 16:28:22.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/abrt.te 2010-05-25 16:28:22.000000000 -0400
|
||||||
+++ serefpolicy-3.8.3/policy/modules/services/abrt.te 2010-06-08 11:32:10.000000000 -0400
|
+++ serefpolicy-3.8.3/policy/modules/services/abrt.te 2010-06-09 15:57:41.000000000 -0400
|
||||||
@@ -70,16 +70,19 @@
|
@@ -70,16 +70,19 @@
|
||||||
manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
|
manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
|
||||||
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
|
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
|
||||||
@ -11102,7 +11121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.8.3/policy/modules/services/apache.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.8.3/policy/modules/services/apache.if
|
||||||
--- nsaserefpolicy/policy/modules/services/apache.if 2010-04-06 15:15:38.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/apache.if 2010-04-06 15:15:38.000000000 -0400
|
||||||
+++ serefpolicy-3.8.3/policy/modules/services/apache.if 2010-06-08 11:32:10.000000000 -0400
|
+++ serefpolicy-3.8.3/policy/modules/services/apache.if 2010-06-09 16:00:04.000000000 -0400
|
||||||
@@ -13,17 +13,13 @@
|
@@ -13,17 +13,13 @@
|
||||||
#
|
#
|
||||||
template(`apache_content_template',`
|
template(`apache_content_template',`
|
||||||
@ -12096,6 +12115,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah
|
|||||||
allow $1 avahi_t:dbus send_msg;
|
allow $1 avahi_t:dbus send_msg;
|
||||||
allow avahi_t $1:dbus send_msg;
|
allow avahi_t $1:dbus send_msg;
|
||||||
')
|
')
|
||||||
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.8.3/policy/modules/services/bitlbee.te
|
||||||
|
--- nsaserefpolicy/policy/modules/services/bitlbee.te 2010-05-25 16:28:22.000000000 -0400
|
||||||
|
+++ serefpolicy-3.8.3/policy/modules/services/bitlbee.te 2010-06-09 16:59:35.000000000 -0400
|
||||||
|
@@ -28,6 +28,7 @@
|
||||||
|
# Local policy
|
||||||
|
#
|
||||||
|
#
|
||||||
|
+allow bitlbee_t self:capability { setgid setuid };
|
||||||
|
|
||||||
|
allow bitlbee_t self:udp_socket create_socket_perms;
|
||||||
|
allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
|
||||||
|
@@ -81,6 +82,10 @@
|
||||||
|
|
||||||
|
libs_legacy_use_shared_libs(bitlbee_t)
|
||||||
|
|
||||||
|
+auth_use_nsswitch(bitlbee_t)
|
||||||
|
+
|
||||||
|
+logging_send_syslog_msg(bitlbee_t)
|
||||||
|
+
|
||||||
|
miscfiles_read_localization(bitlbee_t)
|
||||||
|
|
||||||
|
sysnet_dns_name_resolve(bitlbee_t)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.8.3/policy/modules/services/bluetooth.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.8.3/policy/modules/services/bluetooth.if
|
||||||
--- nsaserefpolicy/policy/modules/services/bluetooth.if 2010-01-07 14:53:53.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/bluetooth.if 2010-01-07 14:53:53.000000000 -0500
|
||||||
+++ serefpolicy-3.8.3/policy/modules/services/bluetooth.if 2010-06-08 11:32:10.000000000 -0400
|
+++ serefpolicy-3.8.3/policy/modules/services/bluetooth.if 2010-06-08 11:32:10.000000000 -0400
|
||||||
@ -14348,7 +14389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fpri
|
|||||||
')
|
')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.8.3/policy/modules/services/ftp.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.8.3/policy/modules/services/ftp.te
|
||||||
--- nsaserefpolicy/policy/modules/services/ftp.te 2010-05-25 16:28:22.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/ftp.te 2010-05-25 16:28:22.000000000 -0400
|
||||||
+++ serefpolicy-3.8.3/policy/modules/services/ftp.te 2010-06-08 11:32:10.000000000 -0400
|
+++ serefpolicy-3.8.3/policy/modules/services/ftp.te 2010-06-09 15:55:42.000000000 -0400
|
||||||
@@ -41,6 +41,13 @@
|
@@ -41,6 +41,13 @@
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
@ -14394,7 +14435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
|
|||||||
#
|
#
|
||||||
|
|
||||||
-allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
|
-allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
|
||||||
+allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_admin sys_nice sys_resource };
|
+allow ftpd_t self:capability { chown fowner fsetid ipc_lock setgid setuid sys_chroot sys_admin sys_nice sys_resource };
|
||||||
dontaudit ftpd_t self:capability sys_tty_config;
|
dontaudit ftpd_t self:capability sys_tty_config;
|
||||||
allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
|
allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
|
||||||
allow ftpd_t self:fifo_file rw_fifo_file_perms;
|
allow ftpd_t self:fifo_file rw_fifo_file_perms;
|
||||||
@ -15296,7 +15337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
|||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.8.3/policy/modules/services/hal.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.8.3/policy/modules/services/hal.te
|
||||||
--- nsaserefpolicy/policy/modules/services/hal.te 2010-05-25 16:28:22.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/hal.te 2010-05-25 16:28:22.000000000 -0400
|
||||||
+++ serefpolicy-3.8.3/policy/modules/services/hal.te 2010-06-08 11:32:10.000000000 -0400
|
+++ serefpolicy-3.8.3/policy/modules/services/hal.te 2010-06-08 15:41:48.000000000 -0400
|
||||||
@@ -55,6 +55,9 @@
|
@@ -55,6 +55,9 @@
|
||||||
type hald_var_lib_t;
|
type hald_var_lib_t;
|
||||||
files_type(hald_var_lib_t)
|
files_type(hald_var_lib_t)
|
||||||
@ -15324,7 +15365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
|||||||
dev_rw_generic_usb_dev(hald_t)
|
dev_rw_generic_usb_dev(hald_t)
|
||||||
dev_setattr_generic_usb_dev(hald_t)
|
dev_setattr_generic_usb_dev(hald_t)
|
||||||
dev_setattr_usbfs_files(hald_t)
|
dev_setattr_usbfs_files(hald_t)
|
||||||
@@ -212,10 +216,12 @@
|
@@ -212,10 +216,13 @@
|
||||||
seutil_read_default_contexts(hald_t)
|
seutil_read_default_contexts(hald_t)
|
||||||
seutil_read_file_contexts(hald_t)
|
seutil_read_file_contexts(hald_t)
|
||||||
|
|
||||||
@ -15335,10 +15376,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
|||||||
+sysnet_read_config(hald_t)
|
+sysnet_read_config(hald_t)
|
||||||
sysnet_read_dhcp_config(hald_t)
|
sysnet_read_dhcp_config(hald_t)
|
||||||
+sysnet_read_dhcpc_pid(hald_t)
|
+sysnet_read_dhcpc_pid(hald_t)
|
||||||
|
+sysnet_signal_dhcpc(hald_t)
|
||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fds(hald_t)
|
userdom_dontaudit_use_unpriv_user_fds(hald_t)
|
||||||
userdom_dontaudit_search_user_home_dirs(hald_t)
|
userdom_dontaudit_search_user_home_dirs(hald_t)
|
||||||
@@ -269,6 +275,10 @@
|
@@ -269,6 +276,10 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -15349,7 +15391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
|||||||
gpm_dontaudit_getattr_gpmctl(hald_t)
|
gpm_dontaudit_getattr_gpmctl(hald_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -319,6 +329,10 @@
|
@@ -319,6 +330,10 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -15360,7 +15402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
|||||||
udev_domtrans(hald_t)
|
udev_domtrans(hald_t)
|
||||||
udev_read_db(hald_t)
|
udev_read_db(hald_t)
|
||||||
')
|
')
|
||||||
@@ -339,6 +353,10 @@
|
@@ -339,6 +354,10 @@
|
||||||
virt_manage_images(hald_t)
|
virt_manage_images(hald_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -15371,7 +15413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Hal acl local policy
|
# Hal acl local policy
|
||||||
@@ -359,6 +377,7 @@
|
@@ -359,6 +378,7 @@
|
||||||
manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
|
manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
|
||||||
manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
|
manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
|
||||||
files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
|
files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
|
||||||
@ -15379,7 +15421,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
|||||||
|
|
||||||
corecmd_exec_bin(hald_acl_t)
|
corecmd_exec_bin(hald_acl_t)
|
||||||
|
|
||||||
@@ -471,6 +490,10 @@
|
@@ -471,6 +491,10 @@
|
||||||
|
|
||||||
miscfiles_read_localization(hald_keymap_t)
|
miscfiles_read_localization(hald_keymap_t)
|
||||||
|
|
||||||
@ -15401,6 +15443,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddt
|
|||||||
# read hddtemp db file
|
# read hddtemp db file
|
||||||
files_read_usr_files(hddtemp_t)
|
files_read_usr_files(hddtemp_t)
|
||||||
|
|
||||||
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.te serefpolicy-3.8.3/policy/modules/services/icecast.te
|
||||||
|
--- nsaserefpolicy/policy/modules/services/icecast.te 2010-03-23 10:55:15.000000000 -0400
|
||||||
|
+++ serefpolicy-3.8.3/policy/modules/services/icecast.te 2010-06-09 16:01:05.000000000 -0400
|
||||||
|
@@ -38,6 +38,8 @@
|
||||||
|
manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
|
||||||
|
files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir })
|
||||||
|
|
||||||
|
+kernel_read_system_state(icecast_t)
|
||||||
|
+
|
||||||
|
corenet_tcp_bind_soundd_port(icecast_t)
|
||||||
|
|
||||||
|
# Init script handling
|
||||||
|
@@ -52,5 +54,9 @@
|
||||||
|
sysnet_dns_name_resolve(icecast_t)
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
+ apache_read_sys_content(icecast_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
rtkit_scheduled(icecast_t)
|
||||||
|
')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.8.3/policy/modules/services/inn.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.8.3/policy/modules/services/inn.te
|
||||||
--- nsaserefpolicy/policy/modules/services/inn.te 2009-08-14 16:14:31.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/inn.te 2009-08-14 16:14:31.000000000 -0400
|
||||||
+++ serefpolicy-3.8.3/policy/modules/services/inn.te 2010-06-08 11:32:10.000000000 -0400
|
+++ serefpolicy-3.8.3/policy/modules/services/inn.te 2010-06-08 11:32:10.000000000 -0400
|
||||||
@ -15439,7 +15503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
|
|||||||
########################################
|
########################################
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.8.3/policy/modules/services/kerberos.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.8.3/policy/modules/services/kerberos.te
|
||||||
--- nsaserefpolicy/policy/modules/services/kerberos.te 2010-05-25 16:28:22.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/kerberos.te 2010-05-25 16:28:22.000000000 -0400
|
||||||
+++ serefpolicy-3.8.3/policy/modules/services/kerberos.te 2010-06-08 11:32:10.000000000 -0400
|
+++ serefpolicy-3.8.3/policy/modules/services/kerberos.te 2010-06-08 16:40:37.000000000 -0400
|
||||||
@@ -127,10 +127,13 @@
|
@@ -127,10 +127,13 @@
|
||||||
corenet_tcp_bind_generic_node(kadmind_t)
|
corenet_tcp_bind_generic_node(kadmind_t)
|
||||||
corenet_udp_bind_generic_node(kadmind_t)
|
corenet_udp_bind_generic_node(kadmind_t)
|
||||||
@ -15454,6 +15518,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
|
|||||||
|
|
||||||
dev_read_sysfs(kadmind_t)
|
dev_read_sysfs(kadmind_t)
|
||||||
dev_read_rand(kadmind_t)
|
dev_read_rand(kadmind_t)
|
||||||
|
@@ -199,8 +202,7 @@
|
||||||
|
allow krb5kdc_t krb5kdc_log_t:file manage_file_perms;
|
||||||
|
logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
|
||||||
|
|
||||||
|
-allow krb5kdc_t krb5kdc_principal_t:file read_file_perms;
|
||||||
|
-dontaudit krb5kdc_t krb5kdc_principal_t:file write;
|
||||||
|
+allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;
|
||||||
|
|
||||||
|
manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
|
||||||
|
manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.8.3/policy/modules/services/ksmtuned.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.8.3/policy/modules/services/ksmtuned.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/ksmtuned.fc 2010-03-29 15:04:22.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/ksmtuned.fc 2010-03-29 15:04:22.000000000 -0400
|
||||||
+++ serefpolicy-3.8.3/policy/modules/services/ksmtuned.fc 2010-06-08 11:32:10.000000000 -0400
|
+++ serefpolicy-3.8.3/policy/modules/services/ksmtuned.fc 2010-06-08 11:32:10.000000000 -0400
|
||||||
@ -16636,7 +16710,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.8.3/policy/modules/services/networkmanager.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.8.3/policy/modules/services/networkmanager.te
|
||||||
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2010-05-25 16:28:22.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2010-05-25 16:28:22.000000000 -0400
|
||||||
+++ serefpolicy-3.8.3/policy/modules/services/networkmanager.te 2010-06-08 11:32:10.000000000 -0400
|
+++ serefpolicy-3.8.3/policy/modules/services/networkmanager.te 2010-06-09 16:09:47.000000000 -0400
|
||||||
@@ -36,7 +36,7 @@
|
@@ -36,7 +36,7 @@
|
||||||
|
|
||||||
# networkmanager will ptrace itself if gdb is installed
|
# networkmanager will ptrace itself if gdb is installed
|
||||||
@ -16705,7 +16779,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -264,6 +275,7 @@
|
@@ -203,6 +214,10 @@
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
+ ipsec_domtrans_mgmt(NetworkManager_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
iptables_domtrans(NetworkManager_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
@@ -264,6 +279,7 @@
|
||||||
vpn_kill(NetworkManager_t)
|
vpn_kill(NetworkManager_t)
|
||||||
vpn_signal(NetworkManager_t)
|
vpn_signal(NetworkManager_t)
|
||||||
vpn_signull(NetworkManager_t)
|
vpn_signull(NetworkManager_t)
|
||||||
@ -19234,6 +19319,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog
|
|||||||
|
|
||||||
remotelogin_domtrans(rlogind_t)
|
remotelogin_domtrans(rlogind_t)
|
||||||
remotelogin_signal(rlogind_t)
|
remotelogin_signal(rlogind_t)
|
||||||
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.8.3/policy/modules/services/rpcbind.te
|
||||||
|
--- nsaserefpolicy/policy/modules/services/rpcbind.te 2010-05-25 16:28:22.000000000 -0400
|
||||||
|
+++ serefpolicy-3.8.3/policy/modules/services/rpcbind.te 2010-06-09 16:49:41.000000000 -0400
|
||||||
|
@@ -72,3 +72,7 @@
|
||||||
|
ifdef(`hide_broken_symptoms',`
|
||||||
|
dontaudit rpcbind_t self:udp_socket listen;
|
||||||
|
')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ nis_use_ypbind(rpcbind_t)
|
||||||
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.8.3/policy/modules/services/rpc.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.8.3/policy/modules/services/rpc.if
|
||||||
--- nsaserefpolicy/policy/modules/services/rpc.if 2010-04-06 15:15:38.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/rpc.if 2010-04-06 15:15:38.000000000 -0400
|
||||||
+++ serefpolicy-3.8.3/policy/modules/services/rpc.if 2010-06-08 11:32:10.000000000 -0400
|
+++ serefpolicy-3.8.3/policy/modules/services/rpc.if 2010-06-08 11:32:10.000000000 -0400
|
||||||
@ -23535,7 +23631,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
|
|||||||
# /var
|
# /var
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.8.3/policy/modules/system/init.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.8.3/policy/modules/system/init.if
|
||||||
--- nsaserefpolicy/policy/modules/system/init.if 2010-03-18 10:35:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/init.if 2010-03-18 10:35:11.000000000 -0400
|
||||||
+++ serefpolicy-3.8.3/policy/modules/system/init.if 2010-06-08 11:32:10.000000000 -0400
|
+++ serefpolicy-3.8.3/policy/modules/system/init.if 2010-06-09 16:31:07.000000000 -0400
|
||||||
@@ -193,8 +193,10 @@
|
@@ -193,8 +193,10 @@
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute direct_run_init, direct_init, direct_init_entry;
|
attribute direct_run_init, direct_init, direct_init_entry;
|
||||||
@ -24228,6 +24324,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
|||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ fail2ban_read_lib_files(daemon)
|
+ fail2ban_read_lib_files(daemon)
|
||||||
+')
|
+')
|
||||||
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.8.3/policy/modules/system/ipsec.if
|
||||||
|
--- nsaserefpolicy/policy/modules/system/ipsec.if 2010-03-18 06:48:09.000000000 -0400
|
||||||
|
+++ serefpolicy-3.8.3/policy/modules/system/ipsec.if 2010-06-09 16:06:08.000000000 -0400
|
||||||
|
@@ -20,6 +20,24 @@
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
+## Execute ipsec in the ipsec mgmt domain.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## The type of the process performing this action.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`ipsec_domtrans_mgmt',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type ipsec_mgmt_t, ipsec_mgmt_exec_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
## Connect to IPSEC using a unix domain stream socket.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.8.3/policy/modules/system/ipsec.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.8.3/policy/modules/system/ipsec.te
|
||||||
--- nsaserefpolicy/policy/modules/system/ipsec.te 2010-05-25 16:28:22.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/ipsec.te 2010-05-25 16:28:22.000000000 -0400
|
||||||
+++ serefpolicy-3.8.3/policy/modules/system/ipsec.te 2010-06-08 11:32:10.000000000 -0400
|
+++ serefpolicy-3.8.3/policy/modules/system/ipsec.te 2010-06-08 11:32:10.000000000 -0400
|
||||||
@ -24457,6 +24581,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
|
|||||||
+
|
+
|
||||||
+ allow $1 iscsid_t:sem create_sem_perms;
|
+ allow $1 iscsid_t:sem create_sem_perms;
|
||||||
+')
|
+')
|
||||||
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.8.3/policy/modules/system/iscsi.te
|
||||||
|
--- nsaserefpolicy/policy/modules/system/iscsi.te 2010-05-25 16:28:22.000000000 -0400
|
||||||
|
+++ serefpolicy-3.8.3/policy/modules/system/iscsi.te 2010-06-09 16:41:53.000000000 -0400
|
||||||
|
@@ -77,6 +77,8 @@
|
||||||
|
|
||||||
|
dev_rw_sysfs(iscsid_t)
|
||||||
|
dev_rw_userio_dev(iscsid_t)
|
||||||
|
+dev_read_raw_memory(iscsid_t)
|
||||||
|
+dev_write_raw_memory(iscsid_t)
|
||||||
|
|
||||||
|
domain_use_interactive_fds(iscsid_t)
|
||||||
|
domain_dontaudit_read_all_domains_state(iscsid_t)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.8.3/policy/modules/system/libraries.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.8.3/policy/modules/system/libraries.fc
|
||||||
--- nsaserefpolicy/policy/modules/system/libraries.fc 2010-03-23 11:19:40.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/libraries.fc 2010-03-23 11:19:40.000000000 -0400
|
||||||
+++ serefpolicy-3.8.3/policy/modules/system/libraries.fc 2010-06-08 11:32:10.000000000 -0400
|
+++ serefpolicy-3.8.3/policy/modules/system/libraries.fc 2010-06-08 11:32:10.000000000 -0400
|
||||||
@ -24919,7 +25055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||||||
domain_system_change_exemption($1)
|
domain_system_change_exemption($1)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.8.3/policy/modules/system/logging.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.8.3/policy/modules/system/logging.te
|
||||||
--- nsaserefpolicy/policy/modules/system/logging.te 2010-05-25 16:28:22.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/logging.te 2010-05-25 16:28:22.000000000 -0400
|
||||||
+++ serefpolicy-3.8.3/policy/modules/system/logging.te 2010-06-08 11:32:10.000000000 -0400
|
+++ serefpolicy-3.8.3/policy/modules/system/logging.te 2010-06-09 16:35:41.000000000 -0400
|
||||||
@@ -61,6 +61,7 @@
|
@@ -61,6 +61,7 @@
|
||||||
type syslogd_t;
|
type syslogd_t;
|
||||||
type syslogd_exec_t;
|
type syslogd_exec_t;
|
||||||
@ -24960,7 +25096,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -268,6 +279,8 @@
|
@@ -252,6 +263,7 @@
|
||||||
|
# Audit remote logger local policy
|
||||||
|
#
|
||||||
|
|
||||||
|
+allow audisp_remote_t self:process { getcap setcap };
|
||||||
|
allow audisp_remote_t self:tcp_socket create_socket_perms;
|
||||||
|
|
||||||
|
corenet_all_recvfrom_unlabeled(audisp_remote_t)
|
||||||
|
@@ -268,8 +280,12 @@
|
||||||
|
|
||||||
logging_send_syslog_msg(audisp_remote_t)
|
logging_send_syslog_msg(audisp_remote_t)
|
||||||
|
|
||||||
@ -24968,8 +25112,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||||||
+
|
+
|
||||||
miscfiles_read_localization(audisp_remote_t)
|
miscfiles_read_localization(audisp_remote_t)
|
||||||
|
|
||||||
|
+init_telinit(audisp_remote_t)
|
||||||
|
+
|
||||||
sysnet_dns_name_resolve(audisp_remote_t)
|
sysnet_dns_name_resolve(audisp_remote_t)
|
||||||
@@ -373,8 +386,10 @@
|
|
||||||
|
########################################
|
||||||
|
@@ -373,8 +389,10 @@
|
||||||
manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
|
manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
|
||||||
files_search_var_lib(syslogd_t)
|
files_search_var_lib(syslogd_t)
|
||||||
|
|
||||||
@ -24982,7 +25130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
|||||||
|
|
||||||
# manage pid file
|
# manage pid file
|
||||||
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
|
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
|
||||||
@@ -492,6 +507,10 @@
|
@@ -492,6 +510,10 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
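Review bot: The new `dev_read_raw_memory(iscsid_t)` / `dev_write_raw_memory(iscsid_t)` pair in the iscsi.te hunk lets a network-facing daemon read and write the raw memory devices, which removes most of the benefit of confining iscsid_t in the first place, and the hunk gives no reason for the grant. If the access is a genuine functional requirement, add a why-comment above the two lines, e.g. `# iscsid needs raw memory device access for <reason - TODO confirm>`, and consider gating it behind a tunable_policy boolean or reducing it to a dontaudit if the denials turn out to be non-fatal. The same missing rationale applies to `init_telinit(audisp_remote_t)` in the logging.te hunk (presumably for a configured network-failure action, but that should be stated next to the rule) and to the `ipc_lock` capability added for ftpd_t in the ftp.te hunk. The enclosing iscsi.te block starts and ends outside the hunk.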
@ -20,7 +20,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.8.3
|
Version: 3.8.3
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -469,6 +469,9 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jun 9 2010 Dan Walsh <dwalsh@redhat.com> 3.8.3-2
|
||||||
|
- Lots of random fixes
|
||||||
|
|
||||||
* Tue Jun 8 2010 Dan Walsh <dwalsh@redhat.com> 3.8.3-1
|
* Tue Jun 8 2010 Dan Walsh <dwalsh@redhat.com> 3.8.3-1
|
||||||
- Update to upstream
|
- Update to upstream
|
||||||
|
|
||||||
|