- Fix transition to nsplugin '
Thu Sep 18 2008 Dan Walsh <dwalsh@redhat.com> 3.5.8-3 - Fix labeling on new pm*log - Allow ssh to bind to all nodes
parent
11ef2470b7
commit
f77dd2c9db
@ -4268,8 +4268,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:nsplugin_home_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.5.8/policy/modules/apps/nsplugin.if
|
||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.5.8/policy/modules/apps/nsplugin.if 2008-09-17 19:08:43.000000000 -0400
|
||||
@@ -0,0 +1,495 @@
|
||||
+++ serefpolicy-3.5.8/policy/modules/apps/nsplugin.if 2008-09-21 07:27:44.000000000 -0400
|
||||
@@ -0,0 +1,493 @@
|
||||
+
|
||||
+## <summary>policy for nsplugin</summary>
|
||||
+
|
||||
@ -4348,8 +4348,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+template(`nsplugin_per_role_template_notrans',`
|
||||
+ gen_require(`
|
||||
+ type nsplugin_rw_t;
|
||||
+ type nsplugin_t;
|
||||
+ type nsplugin_config_t;
|
||||
+ type nsplugin_home_t;
|
||||
+ type nsplugin_exec_t;
|
||||
+ type nsplugin_config_exec_t;
|
||||
@ -4419,80 +4417,80 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ allow $1_nsplugin_config_t self:process { execstack execmem };
|
||||
+')
|
||||
+
|
||||
+manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
|
||||
+exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
|
||||
+manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
|
||||
+manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
|
||||
+userdom_user_home_dir_filetrans(user, nsplugin_t, nsplugin_home_t, {file dir})
|
||||
+unprivuser_dontaudit_write_home_content_files(nsplugin_t)
|
||||
+manage_dirs_pattern($1_nsplugin_t, nsplugin_home_t, nsplugin_home_t)
|
||||
+exec_files_pattern($1_nsplugin_t, nsplugin_home_t, nsplugin_home_t)
|
||||
+manage_files_pattern($1_nsplugin_t, nsplugin_home_t, nsplugin_home_t)
|
||||
+manage_lnk_files_pattern($1_nsplugin_t, nsplugin_home_t, nsplugin_home_t)
|
||||
+userdom_user_home_dir_filetrans(user, $1_nsplugin_t, nsplugin_home_t, {file dir})
|
||||
+unprivuser_dontaudit_write_home_content_files($1_nsplugin_t)
|
||||
+
|
||||
+corecmd_exec_bin(nsplugin_t)
|
||||
+corecmd_exec_shell(nsplugin_t)
|
||||
+corecmd_exec_bin($1_nsplugin_t)
|
||||
+corecmd_exec_shell($1_nsplugin_t)
|
||||
+
|
||||
+corenet_all_recvfrom_unlabeled(nsplugin_t)
|
||||
+corenet_all_recvfrom_netlabel(nsplugin_t)
|
||||
+corenet_tcp_connect_flash_port(nsplugin_t)
|
||||
+corenet_tcp_connect_pulseaudio_port(nsplugin_t)
|
||||
+corenet_tcp_connect_http_port(nsplugin_t)
|
||||
+corenet_tcp_sendrecv_generic_if(nsplugin_t)
|
||||
+corenet_tcp_sendrecv_all_nodes(nsplugin_t)
|
||||
+corenet_all_recvfrom_unlabeled($1_nsplugin_t)
|
||||
+corenet_all_recvfrom_netlabel($1_nsplugin_t)
|
||||
+corenet_tcp_connect_flash_port($1_nsplugin_t)
|
||||
+corenet_tcp_connect_pulseaudio_port($1_nsplugin_t)
|
||||
+corenet_tcp_connect_http_port($1_nsplugin_t)
|
||||
+corenet_tcp_sendrecv_generic_if($1_nsplugin_t)
|
||||
+corenet_tcp_sendrecv_all_nodes($1_nsplugin_t)
|
||||
+
|
||||
+domain_dontaudit_read_all_domains_state(nsplugin_t)
|
||||
+domain_dontaudit_read_all_domains_state($1_nsplugin_t)
|
||||
+
|
||||
+dev_read_rand(nsplugin_t)
|
||||
+dev_read_sound(nsplugin_t)
|
||||
+dev_write_sound(nsplugin_t)
|
||||
+dev_read_video_dev(nsplugin_t)
|
||||
+dev_write_video_dev(nsplugin_t)
|
||||
+dev_getattr_dri_dev(nsplugin_t)
|
||||
+dev_rwx_zero(nsplugin_t)
|
||||
+dev_read_rand($1_nsplugin_t)
|
||||
+dev_read_sound($1_nsplugin_t)
|
||||
+dev_write_sound($1_nsplugin_t)
|
||||
+dev_read_video_dev($1_nsplugin_t)
|
||||
+dev_write_video_dev($1_nsplugin_t)
|
||||
+dev_getattr_dri_dev($1_nsplugin_t)
|
||||
+dev_rwx_zero($1_nsplugin_t)
|
||||
+
|
||||
+kernel_read_kernel_sysctls(nsplugin_t)
|
||||
+kernel_read_system_state(nsplugin_t)
|
||||
+kernel_read_kernel_sysctls($1_nsplugin_t)
|
||||
+kernel_read_system_state($1_nsplugin_t)
|
||||
+
|
||||
+files_read_usr_files(nsplugin_t)
|
||||
+files_read_etc_files(nsplugin_t)
|
||||
+files_read_config_files(nsplugin_t)
|
||||
+files_read_usr_files($1_nsplugin_t)
|
||||
+files_read_etc_files($1_nsplugin_t)
|
||||
+files_read_config_files($1_nsplugin_t)
|
||||
+
|
||||
+fs_list_inotifyfs(nsplugin_t)
|
||||
+fs_manage_tmpfs_files(nsplugin_t)
|
||||
+fs_getattr_tmpfs(nsplugin_t)
|
||||
+fs_getattr_xattr_fs(nsplugin_t)
|
||||
+fs_list_inotifyfs($1_nsplugin_t)
|
||||
+fs_manage_tmpfs_files($1_nsplugin_t)
|
||||
+fs_getattr_tmpfs($1_nsplugin_t)
|
||||
+fs_getattr_xattr_fs($1_nsplugin_t)
|
||||
+
|
||||
+term_dontaudit_getattr_all_user_ptys(nsplugin_t)
|
||||
+term_dontaudit_getattr_all_user_ttys(nsplugin_t)
|
||||
+term_dontaudit_getattr_all_user_ptys($1_nsplugin_t)
|
||||
+term_dontaudit_getattr_all_user_ttys($1_nsplugin_t)
|
||||
+
|
||||
+auth_use_nsswitch(nsplugin_t)
|
||||
+auth_use_nsswitch($1_nsplugin_t)
|
||||
+
|
||||
+libs_use_ld_so(nsplugin_t)
|
||||
+libs_use_shared_libs(nsplugin_t)
|
||||
+libs_exec_ld_so(nsplugin_t)
|
||||
+libs_use_ld_so($1_nsplugin_t)
|
||||
+libs_use_shared_libs($1_nsplugin_t)
|
||||
+libs_exec_ld_so($1_nsplugin_t)
|
||||
+
|
||||
+miscfiles_read_localization(nsplugin_t)
|
||||
+miscfiles_read_fonts(nsplugin_t)
|
||||
+miscfiles_read_localization($1_nsplugin_t)
|
||||
+miscfiles_read_fonts($1_nsplugin_t)
|
||||
+
|
||||
+unprivuser_manage_tmp_dirs(nsplugin_t)
|
||||
+unprivuser_manage_tmp_files(nsplugin_t)
|
||||
+unprivuser_manage_tmp_sockets(nsplugin_t)
|
||||
+unprivuser_manage_tmp_dirs($1_nsplugin_t)
|
||||
+unprivuser_manage_tmp_files($1_nsplugin_t)
|
||||
+unprivuser_manage_tmp_sockets($1_nsplugin_t)
|
||||
+userdom_tmp_filetrans_user_tmp(user, $1_nsplugin_t, { file dir sock_file })
|
||||
+unprivuser_read_tmpfs_files(nsplugin_t)
|
||||
+unprivuser_rw_semaphores(nsplugin_t)
|
||||
+unprivuser_delete_tmpfs_files(nsplugin_t)
|
||||
+unprivuser_read_tmpfs_files($1_nsplugin_t)
|
||||
+unprivuser_rw_semaphores($1_nsplugin_t)
|
||||
+unprivuser_delete_tmpfs_files($1_nsplugin_t)
|
||||
+
|
||||
+unprivuser_read_home_content_symlinks(nsplugin_t)
|
||||
+unprivuser_read_home_content_files(nsplugin_t)
|
||||
+unprivuser_read_tmp_files(nsplugin_t)
|
||||
+unprivuser_read_home_content_symlinks($1_nsplugin_t)
|
||||
+unprivuser_read_home_content_files($1_nsplugin_t)
|
||||
+unprivuser_read_tmp_files($1_nsplugin_t)
|
||||
+userdom_write_user_tmp_sockets(user, $1_nsplugin_t)
|
||||
+unprivuser_dontaudit_append_home_content_files(nsplugin_t)
|
||||
+userdom_dontaudit_unlink_unpriv_home_content_files(nsplugin_t)
|
||||
+unprivuser_dontaudit_append_home_content_files($1_nsplugin_t)
|
||||
+userdom_dontaudit_unlink_unpriv_home_content_files($1_nsplugin_t)
|
||||
+userdom_dontaudit_manage_user_tmp_files(user, $1_nsplugin_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ alsa_read_rw_config(nsplugin_t)
|
||||
+ alsa_read_rw_config($1_nsplugin_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ gnome_exec_gconf(nsplugin_t)
|
||||
+ gnome_exec_gconf($1_nsplugin_t)
|
||||
+ gnome_manage_user_gnome_config(user, $1_nsplugin_t)
|
||||
+ allow $1_nsplugin_t gnome_home_t:sock_file write;
|
||||
+')
|
||||
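Review bot: The plugin domain gets both `manage_files_pattern` and `exec_files_pattern` on `nsplugin_home_t`, so anything it writes under a path carrying that label it can also execute; the first hunk labels `HOME_DIR/\.gstreamer-.*` with that type. The switch between `nsplugin_t` and `$1_nsplugin_t` carries the grant over unchanged, alongside `corecmd_exec_shell` and `dev_rwx_zero` for the same domain. For a domain meant to confine browser plugins this write-then-execute pairing deserves a stated reason: add a comment above the `exec_files_pattern` line such as `# exec of nsplugin_home_t: required by <plugin>; TODO confirm, consider a boolean`. The template body starts and ends outside this hunk.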
@ -4503,25 +4501,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ mplayer_exec(nsplugin_t)
|
||||
+ mplayer_exec($1_nsplugin_t)
|
||||
+ mplayer_read_user_home_files(user, $1_nsplugin_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ unconfined_execmem_signull(nsplugin_t)
|
||||
+ unconfined_delete_tmpfs_files(nsplugin_t)
|
||||
+ unconfined_execmem_signull($1_nsplugin_t)
|
||||
+ unconfined_delete_tmpfs_files($1_nsplugin_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ xserver_stream_connect_xdm_xserver(nsplugin_t)
|
||||
+ xserver_xdm_rw_shm(nsplugin_t)
|
||||
+ xserver_read_xdm_tmp_files(nsplugin_t)
|
||||
+ xserver_read_xdm_pid(nsplugin_t)
|
||||
+ xserver_stream_connect_xdm_xserver($1_nsplugin_t)
|
||||
+ xserver_xdm_rw_shm($1_nsplugin_t)
|
||||
+ xserver_read_xdm_tmp_files($1_nsplugin_t)
|
||||
+ xserver_read_xdm_pid($1_nsplugin_t)
|
||||
+ xserver_read_user_xauth(user, $1_nsplugin_t)
|
||||
+ xserver_read_user_iceauth(user, $1_nsplugin_t)
|
||||
+ xserver_use_user_fonts(user, $1_nsplugin_t)
|
||||
+ xserver_manage_home_fonts(nsplugin_t)
|
||||
+ xserver_dontaudit_rw_xdm_home_files(nsplugin_t)
|
||||
+ xserver_manage_home_fonts($1_nsplugin_t)
|
||||
+ xserver_dontaudit_rw_xdm_home_files($1_nsplugin_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
@ -4537,55 +4535,55 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+allow $1_nsplugin_config_t self:fifo_file rw_file_perms;
|
||||
+allow $1_nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+
|
||||
+fs_list_inotifyfs(nsplugin_config_t)
|
||||
+fs_list_inotifyfs($1_nsplugin_config_t)
|
||||
+
|
||||
+can_exec(nsplugin_config_t, nsplugin_rw_t)
|
||||
+manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
|
||||
+manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
|
||||
+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
|
||||
+can_exec($1_nsplugin_config_t, nsplugin_rw_t)
|
||||
+manage_dirs_pattern($1_nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
|
||||
+manage_files_pattern($1_nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
|
||||
+manage_lnk_files_pattern($1_nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
|
||||
+
|
||||
+manage_dirs_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
|
||||
+manage_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
|
||||
+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
|
||||
+manage_dirs_pattern($1_nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
|
||||
+manage_files_pattern($1_nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
|
||||
+manage_lnk_files_pattern($1_nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
|
||||
+
|
||||
+corecmd_exec_bin(nsplugin_config_t)
|
||||
+corecmd_exec_shell(nsplugin_config_t)
|
||||
+corecmd_exec_bin($1_nsplugin_config_t)
|
||||
+corecmd_exec_shell($1_nsplugin_config_t)
|
||||
+
|
||||
+kernel_read_system_state(nsplugin_config_t)
|
||||
+kernel_read_system_state($1_nsplugin_config_t)
|
||||
+
|
||||
+files_read_etc_files(nsplugin_config_t)
|
||||
+files_read_usr_files(nsplugin_config_t)
|
||||
+files_dontaudit_search_home(nsplugin_config_t)
|
||||
+files_list_tmp(nsplugin_config_t)
|
||||
+files_read_etc_files($1_nsplugin_config_t)
|
||||
+files_read_usr_files($1_nsplugin_config_t)
|
||||
+files_dontaudit_search_home($1_nsplugin_config_t)
|
||||
+files_list_tmp($1_nsplugin_config_t)
|
||||
+
|
||||
+auth_use_nsswitch(nsplugin_config_t)
|
||||
+auth_use_nsswitch($1_nsplugin_config_t)
|
||||
+
|
||||
+libs_use_ld_so(nsplugin_config_t)
|
||||
+libs_use_shared_libs(nsplugin_config_t)
|
||||
+libs_use_ld_so($1_nsplugin_config_t)
|
||||
+libs_use_shared_libs($1_nsplugin_config_t)
|
||||
+
|
||||
+miscfiles_read_localization(nsplugin_config_t)
|
||||
+miscfiles_read_fonts(nsplugin_config_t)
|
||||
+miscfiles_read_localization($1_nsplugin_config_t)
|
||||
+miscfiles_read_fonts($1_nsplugin_config_t)
|
||||
+
|
||||
+userdom_search_all_users_home_content(nsplugin_config_t)
|
||||
+userdom_search_all_users_home_content($1_nsplugin_config_t)
|
||||
+
|
||||
+tunable_policy(`use_nfs_home_dirs',`
|
||||
+ fs_manage_nfs_dirs(nsplugin_t)
|
||||
+ fs_manage_nfs_files(nsplugin_t)
|
||||
+ fs_manage_nfs_dirs(nsplugin_config_t)
|
||||
+ fs_manage_nfs_files(nsplugin_config_t)
|
||||
+ fs_manage_nfs_dirs($1_nsplugin_t)
|
||||
+ fs_manage_nfs_files($1_nsplugin_t)
|
||||
+ fs_manage_nfs_dirs($1_nsplugin_config_t)
|
||||
+ fs_manage_nfs_files($1_nsplugin_config_t)
|
||||
+')
|
||||
+
|
||||
+tunable_policy(`use_samba_home_dirs',`
|
||||
+ fs_manage_cifs_dirs(nsplugin_t)
|
||||
+ fs_manage_cifs_files(nsplugin_t)
|
||||
+ fs_manage_cifs_dirs(nsplugin_config_t)
|
||||
+ fs_manage_cifs_files(nsplugin_config_t)
|
||||
+ fs_manage_cifs_dirs($1_nsplugin_t)
|
||||
+ fs_manage_cifs_files($1_nsplugin_t)
|
||||
+ fs_manage_cifs_dirs($1_nsplugin_config_t)
|
||||
+ fs_manage_cifs_files($1_nsplugin_config_t)
|
||||
+')
|
||||
+
|
||||
+domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, $1_nsplugin_t)
|
||||
+domtrans_pattern($1_nsplugin_config_t, nsplugin_exec_t, $1_nsplugin_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ xserver_read_home_fonts(nsplugin_config_t)
|
||||
+ xserver_read_home_fonts($1_nsplugin_config_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
@ -10745,7 +10743,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.8/policy/modules/services/apache.te
|
||||
--- nsaserefpolicy/policy/modules/services/apache.te 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/services/apache.te 2008-09-17 08:49:08.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/services/apache.te 2008-09-19 10:06:15.000000000 -0400
|
||||
@@ -20,6 +20,8 @@
|
||||
# Declarations
|
||||
#
|
||||
@ -10896,7 +10894,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
corenet_all_recvfrom_unlabeled(httpd_t)
|
||||
corenet_all_recvfrom_netlabel(httpd_t)
|
||||
@@ -312,12 +361,11 @@
|
||||
@@ -299,6 +348,7 @@
|
||||
corenet_tcp_sendrecv_all_ports(httpd_t)
|
||||
corenet_udp_sendrecv_all_ports(httpd_t)
|
||||
corenet_tcp_bind_all_nodes(httpd_t)
|
||||
+corenet_udp_bind_all_nodes(httpd_t)
|
||||
corenet_tcp_bind_http_port(httpd_t)
|
||||
corenet_tcp_bind_http_cache_port(httpd_t)
|
||||
corenet_sendrecv_http_server_packets(httpd_t)
|
||||
@@ -312,12 +362,11 @@
|
||||
|
||||
fs_getattr_all_fs(httpd_t)
|
||||
fs_search_auto_mountpoints(httpd_t)
|
||||
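Review bot: `corenet_udp_bind_all_nodes(httpd_t)` is added with nothing in the hunk saying which UDP service httpd is expected to offer; the neighbouring port rules are all TCP (`corenet_tcp_bind_http_port`, `corenet_tcp_bind_http_cache_port`). The later hunk at `@@ -704,6 +854,30 @@` shows `corenet_tcp_bind_all_nodes` and `corenet_udp_bind_all_nodes` for `httpd_sys_script_t`, apparently added by the same change, and the block enclosing them (possibly a tunable) lies outside that hunk. The node bind is only half of the bind check, and which UDP ports the domain may bind is decided by rules not visible here. Please name the pairing in a comment, e.g. `# UDP node bind: needed for <service>, pairs with <udp port bind rule>`, or drop the line if httpd_t has no UDP port to bind.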
@ -10911,7 +10917,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
domain_use_interactive_fds(httpd_t)
|
||||
|
||||
@@ -335,6 +383,10 @@
|
||||
@@ -335,6 +384,10 @@
|
||||
files_read_var_lib_symlinks(httpd_t)
|
||||
|
||||
fs_search_auto_mountpoints(httpd_sys_script_t)
|
||||
@ -10922,7 +10928,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
libs_use_ld_so(httpd_t)
|
||||
libs_use_shared_libs(httpd_t)
|
||||
@@ -351,18 +403,33 @@
|
||||
@@ -351,18 +404,33 @@
|
||||
|
||||
userdom_use_unpriv_users_fds(httpd_t)
|
||||
|
||||
@ -10960,7 +10966,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -370,20 +437,45 @@
|
||||
@@ -370,20 +438,45 @@
|
||||
corenet_tcp_connect_all_ports(httpd_t)
|
||||
')
|
||||
|
||||
@ -11007,7 +11013,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
|
||||
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
|
||||
@@ -394,11 +486,12 @@
|
||||
@@ -394,11 +487,12 @@
|
||||
corenet_tcp_bind_ftp_port(httpd_t)
|
||||
')
|
||||
|
||||
@ -11023,7 +11029,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
fs_read_nfs_files(httpd_t)
|
||||
fs_read_nfs_symlinks(httpd_t)
|
||||
')
|
||||
@@ -408,6 +501,11 @@
|
||||
@@ -408,6 +502,11 @@
|
||||
fs_read_cifs_symlinks(httpd_t)
|
||||
')
|
||||
|
||||
@ -11035,7 +11041,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
tunable_policy(`httpd_ssi_exec',`
|
||||
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
|
||||
allow httpd_sys_script_t httpd_t:fd use;
|
||||
@@ -441,8 +539,13 @@
|
||||
@@ -441,8 +540,13 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -11051,7 +11057,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -454,18 +557,13 @@
|
||||
@@ -454,18 +558,13 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -11071,7 +11077,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -475,6 +573,12 @@
|
||||
@@ -475,6 +574,12 @@
|
||||
openca_kill(httpd_t)
|
||||
')
|
||||
|
||||
@ -11084,7 +11090,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
optional_policy(`
|
||||
# Allow httpd to work with postgresql
|
||||
postgresql_stream_connect(httpd_t)
|
||||
@@ -482,6 +586,7 @@
|
||||
@@ -482,6 +587,7 @@
|
||||
|
||||
tunable_policy(`httpd_can_network_connect_db',`
|
||||
postgresql_tcp_connect(httpd_t)
|
||||
@ -11092,7 +11098,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -490,6 +595,7 @@
|
||||
@@ -490,6 +596,7 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -11100,7 +11106,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
|
||||
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
|
||||
')
|
||||
@@ -519,9 +625,28 @@
|
||||
@@ -519,9 +626,28 @@
|
||||
logging_send_syslog_msg(httpd_helper_t)
|
||||
|
||||
tunable_policy(`httpd_tty_comm',`
|
||||
@ -11129,7 +11135,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
########################################
|
||||
#
|
||||
# Apache PHP script local policy
|
||||
@@ -551,22 +676,27 @@
|
||||
@@ -551,22 +677,27 @@
|
||||
|
||||
fs_search_auto_mountpoints(httpd_php_t)
|
||||
|
||||
@ -11163,7 +11169,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -590,6 +720,8 @@
|
||||
@@ -590,6 +721,8 @@
|
||||
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
|
||||
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
|
||||
|
||||
@ -11172,7 +11178,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
kernel_read_kernel_sysctls(httpd_suexec_t)
|
||||
kernel_list_proc(httpd_suexec_t)
|
||||
kernel_read_proc_symlinks(httpd_suexec_t)
|
||||
@@ -598,9 +730,7 @@
|
||||
@@ -598,9 +731,7 @@
|
||||
|
||||
fs_search_auto_mountpoints(httpd_suexec_t)
|
||||
|
||||
@ -11183,7 +11189,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
files_read_etc_files(httpd_suexec_t)
|
||||
files_read_usr_files(httpd_suexec_t)
|
||||
@@ -633,12 +763,25 @@
|
||||
@@ -633,12 +764,25 @@
|
||||
corenet_sendrecv_all_client_packets(httpd_suexec_t)
|
||||
')
|
||||
|
||||
@ -11212,7 +11218,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
@@ -647,6 +790,12 @@
|
||||
@@ -647,6 +791,12 @@
|
||||
fs_exec_nfs_files(httpd_suexec_t)
|
||||
')
|
||||
|
||||
@ -11225,7 +11231,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||
fs_read_cifs_files(httpd_suexec_t)
|
||||
fs_read_cifs_symlinks(httpd_suexec_t)
|
||||
@@ -664,10 +813,6 @@
|
||||
@@ -664,10 +814,6 @@
|
||||
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
||||
')
|
||||
|
||||
@ -11236,7 +11242,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
########################################
|
||||
#
|
||||
# Apache system script local policy
|
||||
@@ -677,7 +822,8 @@
|
||||
@@ -677,7 +823,8 @@
|
||||
|
||||
dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
||||
|
||||
@ -11246,7 +11252,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
|
||||
read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
||||
@@ -691,12 +837,15 @@
|
||||
@@ -691,12 +838,15 @@
|
||||
# Should we add a boolean?
|
||||
apache_domtrans_rotatelogs(httpd_sys_script_t)
|
||||
|
||||
@ -11264,7 +11270,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
@@ -704,6 +853,28 @@
|
||||
@@ -704,6 +854,30 @@
|
||||
fs_read_nfs_symlinks(httpd_sys_script_t)
|
||||
')
|
||||
|
||||
@ -11272,6 +11278,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
|
||||
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
|
||||
+
|
||||
+ corenet_tcp_bind_all_nodes(httpd_sys_script_t)
|
||||
+ corenet_udp_bind_all_nodes(httpd_sys_script_t)
|
||||
+ corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
|
||||
+ corenet_all_recvfrom_netlabel(httpd_sys_script_t)
|
||||
+ corenet_tcp_sendrecv_all_if(httpd_sys_script_t)
|
||||
@ -11293,7 +11301,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||
fs_read_cifs_files(httpd_sys_script_t)
|
||||
fs_read_cifs_symlinks(httpd_sys_script_t)
|
||||
@@ -716,10 +887,10 @@
|
||||
@@ -716,10 +890,10 @@
|
||||
optional_policy(`
|
||||
mysql_stream_connect(httpd_sys_script_t)
|
||||
mysql_rw_db_sockets(httpd_sys_script_t)
|
||||
@ -11308,7 +11316,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -727,6 +898,8 @@
|
||||
@@ -727,6 +901,8 @@
|
||||
# httpd_rotatelogs local policy
|
||||
#
|
||||
|
||||
@ -11317,7 +11325,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
|
||||
|
||||
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
|
||||
@@ -741,3 +914,56 @@
|
||||
@@ -741,3 +917,56 @@
|
||||
logging_search_logs(httpd_rotatelogs_t)
|
||||
|
||||
miscfiles_read_localization(httpd_rotatelogs_t)
|
||||
@ -16314,6 +16322,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ spamassassin_exec(exim_t)
|
||||
+ spamassassin_exec_client(exim_t)
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.fc serefpolicy-3.5.8/policy/modules/services/fail2ban.fc
|
||||
--- nsaserefpolicy/policy/modules/services/fail2ban.fc 2008-09-08 10:18:37.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/services/fail2ban.fc 2008-09-19 11:19:25.000000000 -0400
|
||||
@@ -3,5 +3,5 @@
|
||||
/usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
|
||||
/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
|
||||
/var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0)
|
||||
-/var/run/fail2ban\.pid -- gen_context(system_u:object_r:fail2ban_var_run_t,s0)
|
||||
-/var/run/fail2ban\.sock -s gen_context(system_u:object_r:fail2ban_var_run_t,s0)
|
||||
+
|
||||
+/var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.5.8/policy/modules/services/fail2ban.if
|
||||
--- nsaserefpolicy/policy/modules/services/fail2ban.if 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/services/fail2ban.if 2008-09-17 08:49:08.000000000 -0400
|
||||
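Review bot: The new entry `/var/run/fail2ban.*` has no file-type field and no separator after the name, so it labels every object class at any path under /var/run whose name merely starts with `fail2ban`. The two removed entries each matched exactly one regular file and one socket. If the aim is to cover a `/var/run/fail2ban/` directory (the fail2ban.te change in the following hunk adds `dir` to the pid filetrans), `/var/run/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_run_t,s0)` expresses that, and the old `\.pid --` and `\.sock -s` lines can stay for the flat layout.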
@ -16385,6 +16404,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ files_list_pids($1)
|
||||
+ admin_pattern($1, fail2ban_var_run_t)
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.5.8/policy/modules/services/fail2ban.te
|
||||
--- nsaserefpolicy/policy/modules/services/fail2ban.te 2008-09-05 10:28:20.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/services/fail2ban.te 2008-09-19 11:19:16.000000000 -0400
|
||||
@@ -37,9 +37,10 @@
|
||||
logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
|
||||
|
||||
# pid file
|
||||
+manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
|
||||
manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
|
||||
manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
|
||||
-files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { file sock_file })
|
||||
+files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { dir file sock_file })
|
||||
|
||||
kernel_read_system_state(fail2ban_t)
|
||||
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.if serefpolicy-3.5.8/policy/modules/services/fetchmail.if
|
||||
--- nsaserefpolicy/policy/modules/services/fetchmail.if 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/services/fetchmail.if 2008-09-17 08:49:08.000000000 -0400
|
||||
@ -18031,8 +18065,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.5.8/policy/modules/services/mailman.if
|
||||
--- nsaserefpolicy/policy/modules/services/mailman.if 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/services/mailman.if 2008-09-17 08:49:08.000000000 -0400
|
||||
@@ -211,6 +211,7 @@
|
||||
+++ serefpolicy-3.5.8/policy/modules/services/mailman.if 2008-09-19 10:41:48.000000000 -0400
|
||||
@@ -31,6 +31,12 @@
|
||||
allow mailman_$1_t self:tcp_socket create_stream_socket_perms;
|
||||
allow mailman_$1_t self:udp_socket create_socket_perms;
|
||||
|
||||
+ files_search_spool(mailman_$1_t)
|
||||
+
|
||||
+ manage_dirs_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)
|
||||
+ manage_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)
|
||||
+ manage_lnk_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)
|
||||
+
|
||||
manage_dirs_pattern(mailman_$1_t, mailman_data_t, mailman_data_t)
|
||||
manage_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t)
|
||||
manage_lnk_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t)
|
||||
@@ -211,6 +217,7 @@
|
||||
type mailman_data_t;
|
||||
')
|
||||
|
||||
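Review bot: The three `manage_*_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)` lines sit in the shared template, so every domain instantiated from it gets create, write and delete on the list archives, not only the domains that produce them. If only some mailman domains write archives, the grant belongs in mailman.te against those domains, with `read_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)` left in the template for the rest. Which domains those are is not visible from this hunk. The template body begins and ends outside the hunk.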
@ -18040,7 +18087,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
manage_files_pattern($1, mailman_data_t, mailman_data_t)
|
||||
')
|
||||
|
||||
@@ -252,6 +253,25 @@
|
||||
@@ -252,6 +259,25 @@
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
@ -18068,7 +18115,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## <param name="domain">
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.5.8/policy/modules/services/mailman.te
|
||||
--- nsaserefpolicy/policy/modules/services/mailman.te 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/services/mailman.te 2008-09-17 08:49:08.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/services/mailman.te 2008-09-19 10:39:55.000000000 -0400
|
||||
@@ -53,10 +53,9 @@
|
||||
apache_use_fds(mailman_cgi_t)
|
||||
apache_dontaudit_append_log(mailman_cgi_t)
|
||||
@ -18110,11 +18157,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -104,6 +106,7 @@
|
||||
@@ -104,6 +106,11 @@
|
||||
# some of the following could probably be changed to dontaudit, someone who
|
||||
# knows mailman well should test this out and send the changes
|
||||
sysadm_search_home_dirs(mailman_queue_t)
|
||||
+sysadm_getattr_home_dirs(mailman_queue_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ apache_read_config(mailman_queue_t)
|
||||
+')
|
||||
|
||||
optional_policy(`
|
||||
cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
|
||||
@ -21509,7 +21560,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/var/spool/postfix/postgrey(/.*)? gen_context(system_u:object_r:postgrey_spool_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.if serefpolicy-3.5.8/policy/modules/services/postgrey.if
|
||||
--- nsaserefpolicy/policy/modules/services/postgrey.if 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/services/postgrey.if 2008-09-17 08:49:08.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/services/postgrey.if 2008-09-19 10:23:31.000000000 -0400
|
||||
@@ -12,10 +12,80 @@
|
||||
#
|
||||
interface(`postgrey_stream_connect',`
|
||||
@ -21519,8 +21570,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
allow $1 postgrey_t:unix_stream_socket connectto;
|
||||
allow $1 postgrey_var_run_t:sock_file write;
|
||||
+ allow $1 postgrey_spool_t:sock_file write;
|
||||
- allow $1 postgrey_var_run_t:sock_file write;
|
||||
+ write_sock_files_pattern($1, postgrey_var_run_t, postgrey_var_run_t)
|
||||
+ write_sock_files_pattern($1, postgrey_spool_t, postgrey_spool_t)
|
||||
files_search_pids($1)
|
||||
')
|
||||
+
|
||||
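Review bot: The interface now reaches a socket under `postgrey_spool_t` but still only calls `files_search_pids($1)`, so a caller gets no search path through the spool directories from this interface. Adding `files_search_spool($1)` next to it would make the interface self-contained. The `gen_require` block closes just above the visible lines, so please confirm it declares `postgrey_spool_t` as well as `postgrey_var_run_t`.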
@ -21954,7 +22006,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.5.8/policy/modules/services/prelude.te
|
||||
--- nsaserefpolicy/policy/modules/services/prelude.te 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/services/prelude.te 2008-09-17 08:49:08.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/services/prelude.te 2008-09-19 10:06:36.000000000 -0400
|
||||
@@ -13,18 +13,56 @@
|
||||
type prelude_spool_t;
|
||||
files_type(prelude_spool_t)
|
||||
@ -22052,7 +22104,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
dev_read_rand(prelude_audisp_t)
|
||||
dev_read_urand(prelude_audisp_t)
|
||||
@@ -123,9 +173,119 @@
|
||||
@@ -123,9 +173,122 @@
|
||||
libs_use_shared_libs(prelude_audisp_t)
|
||||
|
||||
logging_send_syslog_msg(prelude_audisp_t)
|
||||
@ -22104,6 +22156,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+# prelude_lml local declarations
|
||||
+#
|
||||
+
|
||||
+allow prelude_lml_t self:capability dac_override;
|
||||
+
|
||||
+# Init script handling
|
||||
+domain_use_interactive_fds(prelude_lml_t)
|
||||
+
|
||||
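Review bot: `allow prelude_lml_t self:capability dac_override;` lets the log monitor bypass discretionary permission checks for writing as well as reading, and nothing in the hunk says which file requires it. If the daemon only has to read logs it cannot otherwise open, `allow prelude_lml_t self:capability dac_read_search;` is the narrower grant. Whether that suffices is not visible here, so at minimum add a comment above the rule such as `# dac_override: needed to open <path> owned by <user>`. Judging by the inner hunk header growing from 119 to 122 lines, the rule looks new in this commit.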
@ -22166,13 +22220,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+sysnet_dns_name_resolve(prelude_lml_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ apache_search_sys_content(prelude_lml_t)
|
||||
+ apache_read_log(prelude_lml_t)
|
||||
+')
|
||||
+
|
||||
########################################
|
||||
#
|
||||
# prewikka_cgi Declarations
|
||||
@@ -133,8 +293,19 @@
|
||||
@@ -133,8 +296,19 @@
|
||||
|
||||
optional_policy(`
|
||||
apache_content_template(prewikka)
|
||||
@ -30386,8 +30441,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.8/policy/modules/system/libraries.fc
|
||||
--- nsaserefpolicy/policy/modules/system/libraries.fc 2008-08-13 15:24:56.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/system/libraries.fc 2008-09-17 08:49:09.000000000 -0400
|
||||
@@ -66,6 +66,8 @@
|
||||
+++ serefpolicy-3.5.8/policy/modules/system/libraries.fc 2008-09-21 08:23:42.000000000 -0400
|
||||
@@ -60,12 +60,15 @@
|
||||
#
|
||||
# /opt
|
||||
#
|
||||
+/opt/.*\.so gen_context(system_u:object_r:lib_t,s0)
|
||||
/opt/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/opt/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
|
||||
/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
|
||||
|
||||
@ -30396,7 +30458,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
ifdef(`distro_gentoo',`
|
||||
# despite the extensions, they are actually libs
|
||||
/opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)
|
||||
@@ -84,7 +86,8 @@
|
||||
@@ -84,7 +87,8 @@
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
/opt/Adobe(/.*?)/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -30406,7 +30468,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/opt/cxoffice/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@@ -133,6 +136,7 @@
|
||||
@@ -133,6 +137,7 @@
|
||||
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -30414,7 +30476,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
@@ -168,7 +172,8 @@
|
||||
@@ -168,7 +173,8 @@
|
||||
# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
|
||||
# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
|
||||
/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -30424,7 +30486,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
/usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@@ -187,6 +192,7 @@
|
||||
@@ -187,6 +193,7 @@
|
||||
/usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -30432,7 +30494,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@@ -246,7 +252,7 @@
|
||||
@@ -246,7 +253,7 @@
|
||||
|
||||
# Flash plugin, Macromedia
|
||||
HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -30441,7 +30503,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@@ -267,6 +273,8 @@
|
||||
@@ -267,6 +274,8 @@
|
||||
/usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
@ -30450,7 +30512,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# Java, Sun Microsystems (JPackage SRPM)
|
||||
/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@@ -291,6 +299,8 @@
|
||||
@@ -291,6 +300,8 @@
|
||||
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -30459,7 +30521,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
') dnl end distro_redhat
|
||||
|
||||
#
|
||||
@@ -310,3 +320,13 @@
|
||||
@@ -310,3 +321,13 @@
|
||||
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
|
||||
@ -33302,7 +33364,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.8/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-08-07 11:15:12.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/system/userdomain.if 2008-09-17 09:11:15.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/system/userdomain.if 2008-09-21 07:04:00.000000000 -0400
|
||||
@@ -28,10 +28,14 @@
|
||||
class context contains;
|
||||
')
|
||||
|
@ -17,7 +17,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.5.8
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -381,6 +381,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Sun Sep 21 2008 Dan Walsh <dwalsh@redhat.com> 3.5.8-4
|
||||
- Fix transition to nsplugin
|
||||
'
|
||||
* Thu Sep 18 2008 Dan Walsh <dwalsh@redhat.com> 3.5.8-3
|
||||
- Fix labeling on new pm*log
|
||||
- Allow ssh to bind to all nodes
|
||||
|