- Allow confined users to use postgres
- Allow system_mail_t to exec other mail clients - Label mogrel_rails as an apache server
This commit is contained in:
Daniel J Walsh
parent
547aa2a382
commit
f86ed5a437
|
|
@ -642,7 +642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
|
|||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.4.2/policy/modules/admin/mrtg.te
|
||||
--- nsaserefpolicy/policy/modules/admin/mrtg.te 2008-06-12 23:25:08.000000000 -0400
|
||||
+++ serefpolicy-3.4.2/policy/modules/admin/mrtg.te 2008-06-12 23:37:53.000000000 -0400
|
||||
+++ serefpolicy-3.4.2/policy/modules/admin/mrtg.te 2008-06-24 06:26:50.000000000 -0400
|
||||
@@ -78,6 +78,7 @@
|
||||
dev_read_urand(mrtg_t)
|
||||
|
||||
|
|
@ -651,6 +651,55 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te
|
|||
|
||||
files_read_usr_files(mrtg_t)
|
||||
files_search_var(mrtg_t)
|
||||
@@ -101,6 +102,8 @@
|
||||
init_read_utmp(mrtg_t)
|
||||
init_dontaudit_write_utmp(mrtg_t)
|
||||
|
||||
+auth_use_nsswitch(mrtg_t)
|
||||
+
|
||||
libs_read_lib_files(mrtg_t)
|
||||
libs_use_ld_so(mrtg_t)
|
||||
libs_use_shared_libs(mrtg_t)
|
||||
@@ -111,12 +114,10 @@
|
||||
|
||||
selinux_dontaudit_getattr_dir(mrtg_t)
|
||||
|
||||
-# Use the network.
|
||||
-sysnet_read_config(mrtg_t)
|
||||
-
|
||||
userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
|
||||
|
||||
sysadm_use_terms(mrtg_t)
|
||||
+sysadm_dontaudit_read_home_content_files(mrtg_t)
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
corenet_udp_sendrecv_lo_if(mrtg_t)
|
||||
@@ -140,14 +141,6 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- nis_use_ypbind(mrtg_t)
|
||||
-')
|
||||
-
|
||||
-optional_policy(`
|
||||
- nscd_dontaudit_search_pid(mrtg_t)
|
||||
-')
|
||||
-
|
||||
-optional_policy(`
|
||||
seutil_sigchld_newrole(mrtg_t)
|
||||
')
|
||||
|
||||
@@ -162,10 +155,3 @@
|
||||
optional_policy(`
|
||||
udev_read_db(mrtg_t)
|
||||
')
|
||||
-
|
||||
-ifdef(`TODO',`
|
||||
- # should not need this!
|
||||
- dontaudit mrtg_t { staff_home_dir_t sysadm_home_dir_t }:dir { search read getattr };
|
||||
- dontaudit mrtg_t { boot_t device_t file_t lost_found_t }:dir getattr;
|
||||
- dontaudit mrtg_t root_t:lnk_file getattr;
|
||||
-')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.4.2/policy/modules/admin/netutils.te
|
||||
--- nsaserefpolicy/policy/modules/admin/netutils.te 2008-06-12 23:25:08.000000000 -0400
|
||||
+++ serefpolicy-3.4.2/policy/modules/admin/netutils.te 2008-06-12 23:37:53.000000000 -0400
|
||||
|
|
@ -7923,8 +7972,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm.
|
|||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.4.2/policy/modules/roles/staff.te
|
||||
--- nsaserefpolicy/policy/modules/roles/staff.te 2008-06-12 23:25:06.000000000 -0400
|
||||
+++ serefpolicy-3.4.2/policy/modules/roles/staff.te 2008-06-12 23:37:52.000000000 -0400
|
||||
@@ -8,18 +8,30 @@
|
||||
+++ serefpolicy-3.4.2/policy/modules/roles/staff.te 2008-06-24 07:05:16.000000000 -0400
|
||||
@@ -8,18 +8,34 @@
|
||||
|
||||
role staff_r;
|
||||
|
||||
|
|
@ -7952,11 +8001,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
|
|||
+ logadm_role_change_template(staff)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ postgresql_userdom_template(staff,staff_t,staff_r)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
secadm_role_change_template(staff)
|
||||
')
|
||||
|
||||
@@ -28,3 +40,14 @@
|
||||
@@ -28,3 +44,14 @@
|
||||
sysadm_dontaudit_use_terms(staff_t)
|
||||
')
|
||||
|
||||
|
|
@ -7973,7 +8026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
|
|||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.4.2/policy/modules/roles/sysadm.if
|
||||
--- nsaserefpolicy/policy/modules/roles/sysadm.if 2008-06-12 23:25:06.000000000 -0400
|
||||
+++ serefpolicy-3.4.2/policy/modules/roles/sysadm.if 2008-06-14 07:13:35.000000000 -0400
|
||||
+++ serefpolicy-3.4.2/policy/modules/roles/sysadm.if 2008-06-24 06:22:32.000000000 -0400
|
||||
@@ -334,10 +334,10 @@
|
||||
#
|
||||
interface(`sysadm_getattr_home_dirs',`
|
||||
|
|
@ -8135,7 +8188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
|
|||
## <summary>
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.if serefpolicy-3.4.2/policy/modules/roles/unprivuser.if
|
||||
--- nsaserefpolicy/policy/modules/roles/unprivuser.if 2008-06-12 23:25:06.000000000 -0400
|
||||
+++ serefpolicy-3.4.2/policy/modules/roles/unprivuser.if 2008-06-12 23:37:52.000000000 -0400
|
||||
+++ serefpolicy-3.4.2/policy/modules/roles/unprivuser.if 2008-06-24 05:57:35.000000000 -0400
|
||||
@@ -62,6 +62,26 @@
|
||||
files_home_filetrans($1,user_home_dir_t,dir)
|
||||
')
|
||||
|
|
@ -8805,8 +8858,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu
|
|||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.4.2/policy/modules/roles/unprivuser.te
|
||||
--- nsaserefpolicy/policy/modules/roles/unprivuser.te 2008-06-12 23:25:06.000000000 -0400
|
||||
+++ serefpolicy-3.4.2/policy/modules/roles/unprivuser.te 2008-06-12 23:37:52.000000000 -0400
|
||||
@@ -13,3 +13,19 @@
|
||||
+++ serefpolicy-3.4.2/policy/modules/roles/unprivuser.te 2008-06-24 07:05:40.000000000 -0400
|
||||
@@ -13,3 +13,23 @@
|
||||
|
||||
userdom_unpriv_user_template(user)
|
||||
|
||||
|
|
@ -8819,6 +8872,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu
|
|||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ postgresql_userdom_template(user,user_t,user_r)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ rpm_dontaudit_dbus_chat(user_t)
|
||||
+')
|
||||
+
|
||||
|
|
@ -9322,14 +9379,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav
|
|||
# amavis local policy
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.4.2/policy/modules/services/apache.fc
|
||||
--- nsaserefpolicy/policy/modules/services/apache.fc 2008-06-12 23:25:05.000000000 -0400
|
||||
+++ serefpolicy-3.4.2/policy/modules/services/apache.fc 2008-06-12 23:37:52.000000000 -0400
|
||||
+++ serefpolicy-3.4.2/policy/modules/services/apache.fc 2008-06-24 07:09:51.000000000 -0400
|
||||
@@ -1,4 +1,4 @@
|
||||
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0)
|
||||
+HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
|
||||
|
||||
/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
|
||||
/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
|
||||
@@ -16,7 +16,6 @@
|
||||
@@ -16,13 +16,13 @@
|
||||
|
||||
/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
||||
|
|
@ -9337,7 +9394,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||
/usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
||||
/usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
||||
/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
|
||||
@@ -33,6 +32,7 @@
|
||||
/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
|
||||
/usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
||||
|
||||
+/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
@@ -33,6 +33,7 @@
|
||||
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
')
|
||||
|
||||
|
|
@ -9345,7 +9409,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
@@ -48,11 +48,14 @@
|
||||
@@ -48,11 +49,14 @@
|
||||
|
||||
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
|
||||
|
|
@ -9360,7 +9424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
|||
/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||||
/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||||
/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||||
@@ -66,10 +69,21 @@
|
||||
@@ -66,10 +70,21 @@
|
||||
/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
|
||||
|
|
@ -16036,8 +16100,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gami
|
|||
+/usr/libexec/gam_server -- gen_context(system_u:object_r:gamin_exec_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.if serefpolicy-3.4.2/policy/modules/services/gamin.if
|
||||
--- nsaserefpolicy/policy/modules/services/gamin.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.4.2/policy/modules/services/gamin.if 2008-06-12 23:37:52.000000000 -0400
|
||||
@@ -0,0 +1,39 @@
|
||||
+++ serefpolicy-3.4.2/policy/modules/services/gamin.if 2008-06-24 06:34:46.000000000 -0400
|
||||
@@ -0,0 +1,57 @@
|
||||
+
|
||||
+## <summary>policy for gamin</summary>
|
||||
+
|
||||
|
|
@ -16062,6 +16126,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gami
|
|||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute gamin.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed to transition.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`gamin_exec',`
|
||||
+ gen_require(`
|
||||
+ type gamin_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ can_exec($1,gamin_exec_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Connect to gamin over an unix stream socket.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
|
|
@ -17707,7 +17789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
|||
## </summary>
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.4.2/policy/modules/services/mta.te
|
||||
--- nsaserefpolicy/policy/modules/services/mta.te 2008-06-12 23:25:05.000000000 -0400
|
||||
+++ serefpolicy-3.4.2/policy/modules/services/mta.te 2008-06-12 23:37:52.000000000 -0400
|
||||
+++ serefpolicy-3.4.2/policy/modules/services/mta.te 2008-06-24 05:41:16.000000000 -0400
|
||||
@@ -6,6 +6,8 @@
|
||||
# Declarations
|
||||
#
|
||||
|
|
@ -17725,13 +17807,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
|||
|
||||
mta_base_mail_template(system)
|
||||
role system_r types system_mail_t;
|
||||
@@ -37,30 +40,50 @@
|
||||
@@ -37,30 +40,52 @@
|
||||
#
|
||||
|
||||
# newalias required this, not sure if it is needed in 'if' file
|
||||
-allow system_mail_t self:capability { dac_override };
|
||||
+allow system_mail_t self:capability { dac_override fowner };
|
||||
+allow system_mail_t self:fifo_file rw_fifo_file_perms;
|
||||
+
|
||||
+can_exec(system_mail_t, mailclient_exec_type)
|
||||
|
||||
read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t)
|
||||
+read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type)
|
||||
|
|
@ -17777,7 +17861,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -73,7 +96,10 @@
|
||||
@@ -73,7 +98,10 @@
|
||||
|
||||
optional_policy(`
|
||||
cron_read_system_job_tmp_files(system_mail_t)
|
||||
|
|
@ -17788,7 +17872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -81,6 +107,11 @@
|
||||
@@ -81,6 +109,11 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -17800,7 +17884,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
|||
logrotate_read_tmp_files(system_mail_t)
|
||||
')
|
||||
|
||||
@@ -136,11 +167,38 @@
|
||||
@@ -136,11 +169,38 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -17840,7 +17924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
|||
optional_policy(`
|
||||
# why is mail delivered to a directory of type arpwatch_data_t?
|
||||
arpwatch_search_data(mailserver_delivery)
|
||||
@@ -154,3 +212,4 @@
|
||||
@@ -154,3 +214,4 @@
|
||||
cron_read_system_job_tmp_files(mta_user_agent)
|
||||
')
|
||||
')
|
||||
|
|
@ -21027,7 +21111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
|
|||
+/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_lml_script_exec_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.4.2/policy/modules/services/prelude.if
|
||||
--- nsaserefpolicy/policy/modules/services/prelude.if 2008-06-12 23:25:06.000000000 -0400
|
||||
+++ serefpolicy-3.4.2/policy/modules/services/prelude.if 2008-06-23 08:18:26.000000000 -0400
|
||||
+++ serefpolicy-3.4.2/policy/modules/services/prelude.if 2008-06-24 06:33:22.000000000 -0400
|
||||
@@ -42,7 +42,7 @@
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
|
|
@ -21037,7 +21121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
|
|||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@@ -56,6 +56,80 @@
|
||||
@@ -56,6 +56,81 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -21074,6 +21158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
|
|||
+ ')
|
||||
+
|
||||
+ files_search_spool($1)
|
||||
+ list_dirs_pattern($1, prelude_spool_t, prelude_spool_t)
|
||||
+ rw_files_pattern($1, prelude_spool_t, prelude_spool_t)
|
||||
+')
|
||||
+
|
||||
|
|
@ -21118,7 +21203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
|
|||
## All of the rules required to administrate
|
||||
## an prelude environment
|
||||
## </summary>
|
||||
@@ -64,6 +138,16 @@
|
||||
@@ -64,6 +139,16 @@
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
|
|
@ -21135,7 +21220,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
|
|||
## <rolecap/>
|
||||
#
|
||||
interface(`prelude_admin',`
|
||||
@@ -71,6 +155,11 @@
|
||||
@@ -71,6 +156,11 @@
|
||||
type prelude_t, prelude_spool_t;
|
||||
type prelude_var_run_t, prelude_var_lib_t;
|
||||
type prelude_audisp_t, prelude_audisp_var_run_t;
|
||||
|
|
@ -21147,7 +21232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
|
|||
')
|
||||
|
||||
allow $1 prelude_t:process { ptrace signal_perms };
|
||||
@@ -79,11 +168,23 @@
|
||||
@@ -79,11 +169,23 @@
|
||||
allow $1 prelude_audisp_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, prelude_audisp_t)
|
||||
|
||||
|
|
@ -21179,7 +21264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
|
|||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.4.2/policy/modules/services/prelude.te
|
||||
--- nsaserefpolicy/policy/modules/services/prelude.te 2008-06-12 23:25:06.000000000 -0400
|
||||
+++ serefpolicy-3.4.2/policy/modules/services/prelude.te 2008-06-23 08:09:53.000000000 -0400
|
||||
+++ serefpolicy-3.4.2/policy/modules/services/prelude.te 2008-06-24 06:34:11.000000000 -0400
|
||||
@@ -19,12 +19,31 @@
|
||||
type prelude_var_lib_t;
|
||||
files_type(prelude_var_lib_t)
|
||||
|
|
@ -21238,7 +21323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
|
|||
|
||||
dev_read_rand(prelude_audisp_t)
|
||||
dev_read_urand(prelude_audisp_t)
|
||||
@@ -126,6 +150,76 @@
|
||||
@@ -126,6 +150,80 @@
|
||||
|
||||
miscfiles_read_localization(prelude_audisp_t)
|
||||
|
||||
|
|
@ -21309,13 +21394,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
|
|||
+miscfiles_read_localization(prelude_lml_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ gamin_exec(prelude_lml_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ apache_read_log(prelude_lml_t)
|
||||
+')
|
||||
+
|
||||
########################################
|
||||
#
|
||||
# prewikka_cgi Declarations
|
||||
@@ -135,6 +229,10 @@
|
||||
@@ -135,6 +233,10 @@
|
||||
apache_content_template(prewikka)
|
||||
files_read_etc_files(httpd_prewikka_script_t)
|
||||
|
||||
|
|
@ -28016,6 +28105,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebr
|
|||
kernel_read_kernel_sysctls(zebra_t)
|
||||
kernel_rw_net_sysctls(zebra_t)
|
||||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.4.2/policy/modules/system/application.te
|
||||
--- nsaserefpolicy/policy/modules/system/application.te 2008-06-12 23:25:07.000000000 -0400
|
||||
+++ serefpolicy-3.4.2/policy/modules/system/application.te 2008-06-24 05:58:09.000000000 -0400
|
||||
@@ -7,6 +7,9 @@
|
||||
# Executables to be run by user
|
||||
attribute application_exec_type;
|
||||
|
||||
+unprivuser_append_home_content_files(application_domain_type)
|
||||
+unprivuser_write_tmp_files(application_domain_type)
|
||||
+
|
||||
optional_policy(`
|
||||
ssh_sigchld(application_domain_type)
|
||||
ssh_rw_stream_sockets(application_domain_type)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.4.2/policy/modules/system/authlogin.fc
|
||||
--- nsaserefpolicy/policy/modules/system/authlogin.fc 2008-06-12 23:25:07.000000000 -0400
|
||||
+++ serefpolicy-3.4.2/policy/modules/system/authlogin.fc 2008-06-12 23:37:52.000000000 -0400
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@
|
|||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.4.2
|
||||
Release: 6%{?dist}
|
||||
Release: 7%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
|
|
@ -375,6 +375,11 @@ exit 0
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Jun 24 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-7
|
||||
- Allow confined users to use postgres
|
||||
- Allow system_mail_t to exec other mail clients
|
||||
- Label mogrel_rails as an apache server
|
||||
|
||||
* Mon Jun 23 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-6
|
||||
- Apply unconfined_execmem_exec_t to haskell programs
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue