- Lots of random fixes
parent
b39ccca147
commit
f651bb6fdc
196
policy-F14.patch
196
policy-F14.patch
@ -556,6 +556,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
|
||||
|
||||
cron_system_entry(logrotate_t, logrotate_exec_t)
|
||||
cron_search_spool(logrotate_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.fc serefpolicy-3.8.3/policy/modules/admin/logwatch.fc
|
||||
--- nsaserefpolicy/policy/modules/admin/logwatch.fc 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/admin/logwatch.fc 2010-06-09 16:17:01.000000000 -0400
|
||||
@@ -1,7 +1,9 @@
|
||||
/usr/sbin/logcheck -- gen_context(system_u:object_r:logwatch_exec_t,s0)
|
||||
+/usr/sbin/epylog -- gen_context(system_u:object_r:logwatch_exec_t,s0)
|
||||
|
||||
/usr/share/logwatch/scripts/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t, s0)
|
||||
|
||||
/var/cache/logwatch(/.*)? gen_context(system_u:object_r:logwatch_cache_t, s0)
|
||||
/var/lib/logcheck(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0)
|
||||
+/var/lib/epylog(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0)
|
||||
/var/log/logcheck/.+ -- gen_context(system_u:object_r:logwatch_lock_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.te serefpolicy-3.8.3/policy/modules/admin/mcelog.te
|
||||
--- nsaserefpolicy/policy/modules/admin/mcelog.te 2010-03-18 06:48:09.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/admin/mcelog.te 2010-06-08 11:32:10.000000000 -0400
|
||||
@ -6810,7 +6823,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
|
||||
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.8.3/policy/modules/kernel/devices.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-06-08 10:35:48.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/kernel/devices.if 2010-06-08 11:32:10.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/kernel/devices.if 2010-06-09 16:40:03.000000000 -0400
|
||||
@@ -606,6 +606,24 @@
|
||||
|
||||
########################################
|
||||
@ -6904,11 +6917,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
|
||||
## Get the attributes of sysfs directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -4166,6 +4238,7 @@
|
||||
@@ -4161,11 +4233,10 @@
|
||||
#
|
||||
interface(`dev_rw_vhost',`
|
||||
gen_require(`
|
||||
- type vhost_device_t;
|
||||
+ type device_t, vhost_device_t;
|
||||
')
|
||||
|
||||
list_dirs_pattern($1, vhost_device_t, vhost_device_t)
|
||||
rw_files_pattern($1, vhost_device_t, vhost_device_t)
|
||||
+ read_lnk_files_pattern($1, vhost_device_t, vhost_device_t)
|
||||
- list_dirs_pattern($1, vhost_device_t, vhost_device_t)
|
||||
- rw_files_pattern($1, vhost_device_t, vhost_device_t)
|
||||
+ rw_chr_files_pattern($1, device_t, vhost_device_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -10715,7 +10734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
|
||||
## All of the rules required to administrate
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.8.3/policy/modules/services/abrt.te
|
||||
--- nsaserefpolicy/policy/modules/services/abrt.te 2010-05-25 16:28:22.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/abrt.te 2010-06-08 11:32:10.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/abrt.te 2010-06-09 15:57:41.000000000 -0400
|
||||
@@ -70,16 +70,19 @@
|
||||
manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
|
||||
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
|
||||
@ -11102,7 +11121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.8.3/policy/modules/services/apache.if
|
||||
--- nsaserefpolicy/policy/modules/services/apache.if 2010-04-06 15:15:38.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/apache.if 2010-06-08 11:32:10.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/apache.if 2010-06-09 16:00:04.000000000 -0400
|
||||
@@ -13,17 +13,13 @@
|
||||
#
|
||||
template(`apache_content_template',`
|
||||
@ -12096,6 +12115,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah
|
||||
allow $1 avahi_t:dbus send_msg;
|
||||
allow avahi_t $1:dbus send_msg;
|
||||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.8.3/policy/modules/services/bitlbee.te
|
||||
--- nsaserefpolicy/policy/modules/services/bitlbee.te 2010-05-25 16:28:22.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/bitlbee.te 2010-06-09 16:59:35.000000000 -0400
|
||||
@@ -28,6 +28,7 @@
|
||||
# Local policy
|
||||
#
|
||||
#
|
||||
+allow bitlbee_t self:capability { setgid setuid };
|
||||
|
||||
allow bitlbee_t self:udp_socket create_socket_perms;
|
||||
allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
|
||||
@@ -81,6 +82,10 @@
|
||||
|
||||
libs_legacy_use_shared_libs(bitlbee_t)
|
||||
|
||||
+auth_use_nsswitch(bitlbee_t)
|
||||
+
|
||||
+logging_send_syslog_msg(bitlbee_t)
|
||||
+
|
||||
miscfiles_read_localization(bitlbee_t)
|
||||
|
||||
sysnet_dns_name_resolve(bitlbee_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.8.3/policy/modules/services/bluetooth.if
|
||||
--- nsaserefpolicy/policy/modules/services/bluetooth.if 2010-01-07 14:53:53.000000000 -0500
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/bluetooth.if 2010-06-08 11:32:10.000000000 -0400
|
||||
@ -14348,7 +14389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fpri
|
||||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.8.3/policy/modules/services/ftp.te
|
||||
--- nsaserefpolicy/policy/modules/services/ftp.te 2010-05-25 16:28:22.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/ftp.te 2010-06-08 11:32:10.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/ftp.te 2010-06-09 15:55:42.000000000 -0400
|
||||
@@ -41,6 +41,13 @@
|
||||
|
||||
## <desc>
|
||||
@ -14394,7 +14435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
|
||||
#
|
||||
|
||||
-allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
|
||||
+allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_admin sys_nice sys_resource };
|
||||
+allow ftpd_t self:capability { chown fowner fsetid ipc_lock setgid setuid sys_chroot sys_admin sys_nice sys_resource };
|
||||
dontaudit ftpd_t self:capability sys_tty_config;
|
||||
allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
|
||||
allow ftpd_t self:fifo_file rw_fifo_file_perms;
|
||||
@ -15296,7 +15337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
||||
## <param name="domain">
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.8.3/policy/modules/services/hal.te
|
||||
--- nsaserefpolicy/policy/modules/services/hal.te 2010-05-25 16:28:22.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/hal.te 2010-06-08 11:32:10.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/hal.te 2010-06-08 15:41:48.000000000 -0400
|
||||
@@ -55,6 +55,9 @@
|
||||
type hald_var_lib_t;
|
||||
files_type(hald_var_lib_t)
|
||||
@ -15324,7 +15365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
||||
dev_rw_generic_usb_dev(hald_t)
|
||||
dev_setattr_generic_usb_dev(hald_t)
|
||||
dev_setattr_usbfs_files(hald_t)
|
||||
@@ -212,10 +216,12 @@
|
||||
@@ -212,10 +216,13 @@
|
||||
seutil_read_default_contexts(hald_t)
|
||||
seutil_read_file_contexts(hald_t)
|
||||
|
||||
@ -15335,10 +15376,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
||||
+sysnet_read_config(hald_t)
|
||||
sysnet_read_dhcp_config(hald_t)
|
||||
+sysnet_read_dhcpc_pid(hald_t)
|
||||
+sysnet_signal_dhcpc(hald_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(hald_t)
|
||||
userdom_dontaudit_search_user_home_dirs(hald_t)
|
||||
@@ -269,6 +275,10 @@
|
||||
@@ -269,6 +276,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -15349,7 +15391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
||||
gpm_dontaudit_getattr_gpmctl(hald_t)
|
||||
')
|
||||
|
||||
@@ -319,6 +329,10 @@
|
||||
@@ -319,6 +330,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -15360,7 +15402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
||||
udev_domtrans(hald_t)
|
||||
udev_read_db(hald_t)
|
||||
')
|
||||
@@ -339,6 +353,10 @@
|
||||
@@ -339,6 +354,10 @@
|
||||
virt_manage_images(hald_t)
|
||||
')
|
||||
|
||||
@ -15371,7 +15413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
||||
########################################
|
||||
#
|
||||
# Hal acl local policy
|
||||
@@ -359,6 +377,7 @@
|
||||
@@ -359,6 +378,7 @@
|
||||
manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
|
||||
manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
|
||||
files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
|
||||
@ -15379,7 +15421,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
||||
|
||||
corecmd_exec_bin(hald_acl_t)
|
||||
|
||||
@@ -471,6 +490,10 @@
|
||||
@@ -471,6 +491,10 @@
|
||||
|
||||
miscfiles_read_localization(hald_keymap_t)
|
||||
|
||||
@ -15401,6 +15443,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddt
|
||||
# read hddtemp db file
|
||||
files_read_usr_files(hddtemp_t)
|
||||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.te serefpolicy-3.8.3/policy/modules/services/icecast.te
|
||||
--- nsaserefpolicy/policy/modules/services/icecast.te 2010-03-23 10:55:15.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/icecast.te 2010-06-09 16:01:05.000000000 -0400
|
||||
@@ -38,6 +38,8 @@
|
||||
manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
|
||||
files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir })
|
||||
|
||||
+kernel_read_system_state(icecast_t)
|
||||
+
|
||||
corenet_tcp_bind_soundd_port(icecast_t)
|
||||
|
||||
# Init script handling
|
||||
@@ -52,5 +54,9 @@
|
||||
sysnet_dns_name_resolve(icecast_t)
|
||||
|
||||
optional_policy(`
|
||||
+ apache_read_sys_content(icecast_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
rtkit_scheduled(icecast_t)
|
||||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.8.3/policy/modules/services/inn.te
|
||||
--- nsaserefpolicy/policy/modules/services/inn.te 2009-08-14 16:14:31.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/inn.te 2010-06-08 11:32:10.000000000 -0400
|
||||
@ -15439,7 +15503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
|
||||
########################################
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.8.3/policy/modules/services/kerberos.te
|
||||
--- nsaserefpolicy/policy/modules/services/kerberos.te 2010-05-25 16:28:22.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/kerberos.te 2010-06-08 11:32:10.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/kerberos.te 2010-06-08 16:40:37.000000000 -0400
|
||||
@@ -127,10 +127,13 @@
|
||||
corenet_tcp_bind_generic_node(kadmind_t)
|
||||
corenet_udp_bind_generic_node(kadmind_t)
|
||||
@ -15454,6 +15518,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
|
||||
|
||||
dev_read_sysfs(kadmind_t)
|
||||
dev_read_rand(kadmind_t)
|
||||
@@ -199,8 +202,7 @@
|
||||
allow krb5kdc_t krb5kdc_log_t:file manage_file_perms;
|
||||
logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
|
||||
|
||||
-allow krb5kdc_t krb5kdc_principal_t:file read_file_perms;
|
||||
-dontaudit krb5kdc_t krb5kdc_principal_t:file write;
|
||||
+allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;
|
||||
|
||||
manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
|
||||
manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.8.3/policy/modules/services/ksmtuned.fc
|
||||
--- nsaserefpolicy/policy/modules/services/ksmtuned.fc 2010-03-29 15:04:22.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/ksmtuned.fc 2010-06-08 11:32:10.000000000 -0400
|
||||
@ -16636,7 +16710,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.8.3/policy/modules/services/networkmanager.te
|
||||
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2010-05-25 16:28:22.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/networkmanager.te 2010-06-08 11:32:10.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/networkmanager.te 2010-06-09 16:09:47.000000000 -0400
|
||||
@@ -36,7 +36,7 @@
|
||||
|
||||
# networkmanager will ptrace itself if gdb is installed
|
||||
@ -16705,7 +16779,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -264,6 +275,7 @@
|
||||
@@ -203,6 +214,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ ipsec_domtrans_mgmt(NetworkManager_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
iptables_domtrans(NetworkManager_t)
|
||||
')
|
||||
|
||||
@@ -264,6 +279,7 @@
|
||||
vpn_kill(NetworkManager_t)
|
||||
vpn_signal(NetworkManager_t)
|
||||
vpn_signull(NetworkManager_t)
|
||||
@ -19234,6 +19319,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog
|
||||
|
||||
remotelogin_domtrans(rlogind_t)
|
||||
remotelogin_signal(rlogind_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.8.3/policy/modules/services/rpcbind.te
|
||||
--- nsaserefpolicy/policy/modules/services/rpcbind.te 2010-05-25 16:28:22.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/rpcbind.te 2010-06-09 16:49:41.000000000 -0400
|
||||
@@ -72,3 +72,7 @@
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
dontaudit rpcbind_t self:udp_socket listen;
|
||||
')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ nis_use_ypbind(rpcbind_t)
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.8.3/policy/modules/services/rpc.if
|
||||
--- nsaserefpolicy/policy/modules/services/rpc.if 2010-04-06 15:15:38.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/services/rpc.if 2010-06-08 11:32:10.000000000 -0400
|
||||
@ -23535,7 +23631,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
|
||||
# /var
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.8.3/policy/modules/system/init.if
|
||||
--- nsaserefpolicy/policy/modules/system/init.if 2010-03-18 10:35:11.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/system/init.if 2010-06-08 11:32:10.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/system/init.if 2010-06-09 16:31:07.000000000 -0400
|
||||
@@ -193,8 +193,10 @@
|
||||
gen_require(`
|
||||
attribute direct_run_init, direct_init, direct_init_entry;
|
||||
@ -24228,6 +24324,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
|
||||
+optional_policy(`
|
||||
+ fail2ban_read_lib_files(daemon)
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.8.3/policy/modules/system/ipsec.if
|
||||
--- nsaserefpolicy/policy/modules/system/ipsec.if 2010-03-18 06:48:09.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/system/ipsec.if 2010-06-09 16:06:08.000000000 -0400
|
||||
@@ -20,6 +20,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## Execute ipsec in the ipsec mgmt domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## The type of the process performing this action.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`ipsec_domtrans_mgmt',`
|
||||
+ gen_require(`
|
||||
+ type ipsec_mgmt_t, ipsec_mgmt_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Connect to IPSEC using a unix domain stream socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.8.3/policy/modules/system/ipsec.te
|
||||
--- nsaserefpolicy/policy/modules/system/ipsec.te 2010-05-25 16:28:22.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/system/ipsec.te 2010-06-08 11:32:10.000000000 -0400
|
||||
@ -24457,6 +24581,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
|
||||
+
|
||||
+ allow $1 iscsid_t:sem create_sem_perms;
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.8.3/policy/modules/system/iscsi.te
|
||||
--- nsaserefpolicy/policy/modules/system/iscsi.te 2010-05-25 16:28:22.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/system/iscsi.te 2010-06-09 16:41:53.000000000 -0400
|
||||
@@ -77,6 +77,8 @@
|
||||
|
||||
dev_rw_sysfs(iscsid_t)
|
||||
dev_rw_userio_dev(iscsid_t)
|
||||
+dev_read_raw_memory(iscsid_t)
|
||||
+dev_write_raw_memory(iscsid_t)
|
||||
|
||||
domain_use_interactive_fds(iscsid_t)
|
||||
domain_dontaudit_read_all_domains_state(iscsid_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.8.3/policy/modules/system/libraries.fc
|
||||
--- nsaserefpolicy/policy/modules/system/libraries.fc 2010-03-23 11:19:40.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/system/libraries.fc 2010-06-08 11:32:10.000000000 -0400
|
||||
@ -24919,7 +25055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
||||
domain_system_change_exemption($1)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.8.3/policy/modules/system/logging.te
|
||||
--- nsaserefpolicy/policy/modules/system/logging.te 2010-05-25 16:28:22.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/system/logging.te 2010-06-08 11:32:10.000000000 -0400
|
||||
+++ serefpolicy-3.8.3/policy/modules/system/logging.te 2010-06-09 16:35:41.000000000 -0400
|
||||
@@ -61,6 +61,7 @@
|
||||
type syslogd_t;
|
||||
type syslogd_exec_t;
|
||||
@ -24960,7 +25096,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -268,6 +279,8 @@
|
||||
@@ -252,6 +263,7 @@
|
||||
# Audit remote logger local policy
|
||||
#
|
||||
|
||||
+allow audisp_remote_t self:process { getcap setcap };
|
||||
allow audisp_remote_t self:tcp_socket create_socket_perms;
|
||||
|
||||
corenet_all_recvfrom_unlabeled(audisp_remote_t)
|
||||
@@ -268,8 +280,12 @@
|
||||
|
||||
logging_send_syslog_msg(audisp_remote_t)
|
||||
|
||||
@ -24968,8 +25112,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
||||
+
|
||||
miscfiles_read_localization(audisp_remote_t)
|
||||
|
||||
+init_telinit(audisp_remote_t)
|
||||
+
|
||||
sysnet_dns_name_resolve(audisp_remote_t)
|
||||
@@ -373,8 +386,10 @@
|
||||
|
||||
########################################
|
||||
@@ -373,8 +389,10 @@
|
||||
manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
|
||||
files_search_var_lib(syslogd_t)
|
||||
|
||||
@ -24982,7 +25130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
|
||||
|
||||
# manage pid file
|
||||
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
|
||||
@@ -492,6 +507,10 @@
|
||||
@@ -492,6 +510,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
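Review bot: In the iscsi.te hunk, `dev_read_raw_memory(iscsid_t)` and `dev_write_raw_memory(iscsid_t)` are added with no comment on why iscsid needs them, and the commit message ("Lots of random fixes") gives no rationale either. In refpolicy these interfaces cover the raw memory device nodes, so the write grant in particular lets the daemon step outside most of what the rest of its policy confines; I would keep only the read grant unless a logged denial shows the write is needed, and put a line such as `# iscsid needs raw memory access for <reason / bug reference>` above the pair. The same applies to the kerberos.te hunk, where `allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;` replaces a read-only rule plus a `dontaudit ... write`, and to the ftp.te line that adds `ipc_lock` next to `sys_admin`: each widens a network-facing daemon and should carry the AVC denial or bug reference that motivated it. The outer +/- column is lost in this rendering, so which of these lines are new in this commit is inferred from the hunk counts and the file dates.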
@ -20,7 +20,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.8.3
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -469,6 +469,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Jun 9 2010 Dan Walsh <dwalsh@redhat.com> 3.8.3-2
|
||||
- Lots of random fixes
|
||||
|
||||
* Tue Jun 8 2010 Dan Walsh <dwalsh@redhat.com> 3.8.3-1
|
||||
- Update to upstream
|
||||
|
||||
|