- Allow confined users to use postgres
- Allow system_mail_t to exec other mail clients - Label mongrel_rails as an apache server
@ -642,7 +642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
|
||||||
')
|
')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.4.2/policy/modules/admin/mrtg.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.4.2/policy/modules/admin/mrtg.te
|
||||||
--- nsaserefpolicy/policy/modules/admin/mrtg.te 2008-06-12 23:25:08.000000000 -0400
|
--- nsaserefpolicy/policy/modules/admin/mrtg.te 2008-06-12 23:25:08.000000000 -0400
|
||||||
+++ serefpolicy-3.4.2/policy/modules/admin/mrtg.te 2008-06-12 23:37:53.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/admin/mrtg.te 2008-06-24 06:26:50.000000000 -0400
|
||||||
@@ -78,6 +78,7 @@
|
@@ -78,6 +78,7 @@
|
||||||
dev_read_urand(mrtg_t)
|
dev_read_urand(mrtg_t)
|
||||||
|
|
||||||
|
@ -651,6 +651,55 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te
|
||||||
|
|
||||||
files_read_usr_files(mrtg_t)
|
files_read_usr_files(mrtg_t)
|
||||||
files_search_var(mrtg_t)
|
files_search_var(mrtg_t)
|
||||||
|
@@ -101,6 +102,8 @@
|
||||||
|
init_read_utmp(mrtg_t)
|
||||||
|
init_dontaudit_write_utmp(mrtg_t)
|
||||||
|
|
||||||
|
+auth_use_nsswitch(mrtg_t)
|
||||||
|
+
|
||||||
|
libs_read_lib_files(mrtg_t)
|
||||||
|
libs_use_ld_so(mrtg_t)
|
||||||
|
libs_use_shared_libs(mrtg_t)
|
||||||
|
@@ -111,12 +114,10 @@
|
||||||
|
|
||||||
|
selinux_dontaudit_getattr_dir(mrtg_t)
|
||||||
|
|
||||||
|
-# Use the network.
|
||||||
|
-sysnet_read_config(mrtg_t)
|
||||||
|
-
|
||||||
|
userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
|
||||||
|
|
||||||
|
sysadm_use_terms(mrtg_t)
|
||||||
|
+sysadm_dontaudit_read_home_content_files(mrtg_t)
|
||||||
|
|
||||||
|
ifdef(`enable_mls',`
|
||||||
|
corenet_udp_sendrecv_lo_if(mrtg_t)
|
||||||
|
@@ -140,14 +141,6 @@
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
- nis_use_ypbind(mrtg_t)
|
||||||
|
-')
|
||||||
|
-
|
||||||
|
-optional_policy(`
|
||||||
|
- nscd_dontaudit_search_pid(mrtg_t)
|
||||||
|
-')
|
||||||
|
-
|
||||||
|
-optional_policy(`
|
||||||
|
seutil_sigchld_newrole(mrtg_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
@@ -162,10 +155,3 @@
|
||||||
|
optional_policy(`
|
||||||
|
udev_read_db(mrtg_t)
|
||||||
|
')
|
||||||
|
-
|
||||||
|
-ifdef(`TODO',`
|
||||||
|
- # should not need this!
|
||||||
|
- dontaudit mrtg_t { staff_home_dir_t sysadm_home_dir_t }:dir { search read getattr };
|
||||||
|
- dontaudit mrtg_t { boot_t device_t file_t lost_found_t }:dir getattr;
|
||||||
|
- dontaudit mrtg_t root_t:lnk_file getattr;
|
||||||
|
-')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.4.2/policy/modules/admin/netutils.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.4.2/policy/modules/admin/netutils.te
|
||||||
--- nsaserefpolicy/policy/modules/admin/netutils.te 2008-06-12 23:25:08.000000000 -0400
|
--- nsaserefpolicy/policy/modules/admin/netutils.te 2008-06-12 23:25:08.000000000 -0400
|
||||||
+++ serefpolicy-3.4.2/policy/modules/admin/netutils.te 2008-06-12 23:37:53.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/admin/netutils.te 2008-06-12 23:37:53.000000000 -0400
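Review bot: `sysadm_dontaudit_read_home_content_files(mrtg_t)` silences exactly the access that the removed `ifdef(`TODO',…)` block marked with "# should not need this!", but the replacement carries no explanation, so the reason mrtg_t probes admin home content (presumably an inherited cwd/HOME when it is started from an admin shell — unconfirmed from the hunk) is lost for the next maintainer and for anyone debugging with audit2allow. The old block only dontaudited `dir { search read getattr }`; the new interface name suggests file reads as well, which is wider than what was previously known to be needed. I would keep a comment on the new line, e.g. `# mrtg inherits cwd/HOME from the admin shell that launches it; quiet the resulting home-content probes`, and confirm that directory-level dontaudit alone is not sufficient before silencing file reads.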
|
||||||
|
@ -7923,8 +7972,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm.
|
||||||
|
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.4.2/policy/modules/roles/staff.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.4.2/policy/modules/roles/staff.te
|
||||||
--- nsaserefpolicy/policy/modules/roles/staff.te 2008-06-12 23:25:06.000000000 -0400
|
--- nsaserefpolicy/policy/modules/roles/staff.te 2008-06-12 23:25:06.000000000 -0400
|
||||||
+++ serefpolicy-3.4.2/policy/modules/roles/staff.te 2008-06-12 23:37:52.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/roles/staff.te 2008-06-24 07:05:16.000000000 -0400
|
||||||
@@ -8,18 +8,30 @@
|
@@ -8,18 +8,34 @@
|
||||||
|
|
||||||
role staff_r;
|
role staff_r;
|
||||||
|
|
||||||
|
@ -7952,11 +8001,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
|
||||||
+ logadm_role_change_template(staff)
|
+ logadm_role_change_template(staff)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ postgresql_userdom_template(staff,staff_t,staff_r)
|
||||||
|
+')
|
||||||
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
secadm_role_change_template(staff)
|
secadm_role_change_template(staff)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -28,3 +40,14 @@
|
@@ -28,3 +44,14 @@
|
||||||
sysadm_dontaudit_use_terms(staff_t)
|
sysadm_dontaudit_use_terms(staff_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -7973,7 +8026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
|
||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.4.2/policy/modules/roles/sysadm.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.4.2/policy/modules/roles/sysadm.if
|
||||||
--- nsaserefpolicy/policy/modules/roles/sysadm.if 2008-06-12 23:25:06.000000000 -0400
|
--- nsaserefpolicy/policy/modules/roles/sysadm.if 2008-06-12 23:25:06.000000000 -0400
|
||||||
+++ serefpolicy-3.4.2/policy/modules/roles/sysadm.if 2008-06-14 07:13:35.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/roles/sysadm.if 2008-06-24 06:22:32.000000000 -0400
|
||||||
@@ -334,10 +334,10 @@
|
@@ -334,10 +334,10 @@
|
||||||
#
|
#
|
||||||
interface(`sysadm_getattr_home_dirs',`
|
interface(`sysadm_getattr_home_dirs',`
|
||||||
|
@ -8135,7 +8188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
|
||||||
## <summary>
|
## <summary>
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.if serefpolicy-3.4.2/policy/modules/roles/unprivuser.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.if serefpolicy-3.4.2/policy/modules/roles/unprivuser.if
|
||||||
--- nsaserefpolicy/policy/modules/roles/unprivuser.if 2008-06-12 23:25:06.000000000 -0400
|
--- nsaserefpolicy/policy/modules/roles/unprivuser.if 2008-06-12 23:25:06.000000000 -0400
|
||||||
+++ serefpolicy-3.4.2/policy/modules/roles/unprivuser.if 2008-06-12 23:37:52.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/roles/unprivuser.if 2008-06-24 05:57:35.000000000 -0400
|
||||||
@@ -62,6 +62,26 @@
|
@@ -62,6 +62,26 @@
|
||||||
files_home_filetrans($1,user_home_dir_t,dir)
|
files_home_filetrans($1,user_home_dir_t,dir)
|
||||||
')
|
')
|
||||||
|
@ -8805,8 +8858,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu
|
||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.4.2/policy/modules/roles/unprivuser.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.4.2/policy/modules/roles/unprivuser.te
|
||||||
--- nsaserefpolicy/policy/modules/roles/unprivuser.te 2008-06-12 23:25:06.000000000 -0400
|
--- nsaserefpolicy/policy/modules/roles/unprivuser.te 2008-06-12 23:25:06.000000000 -0400
|
||||||
+++ serefpolicy-3.4.2/policy/modules/roles/unprivuser.te 2008-06-12 23:37:52.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/roles/unprivuser.te 2008-06-24 07:05:40.000000000 -0400
|
||||||
@@ -13,3 +13,19 @@
|
@@ -13,3 +13,23 @@
|
||||||
|
|
||||||
userdom_unpriv_user_template(user)
|
userdom_unpriv_user_template(user)
|
||||||
|
|
||||||
|
@ -8819,6 +8872,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
|
+ postgresql_userdom_template(user,user_t,user_r)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
+ rpm_dontaudit_dbus_chat(user_t)
|
+ rpm_dontaudit_dbus_chat(user_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
@ -9322,14 +9379,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav
|
||||||
# amavis local policy
|
# amavis local policy
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.4.2/policy/modules/services/apache.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.4.2/policy/modules/services/apache.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/apache.fc 2008-06-12 23:25:05.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/apache.fc 2008-06-12 23:25:05.000000000 -0400
|
||||||
+++ serefpolicy-3.4.2/policy/modules/services/apache.fc 2008-06-12 23:37:52.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/services/apache.fc 2008-06-24 07:09:51.000000000 -0400
|
||||||
@@ -1,4 +1,4 @@
|
@@ -1,4 +1,4 @@
|
||||||
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0)
|
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0)
|
||||||
+HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
|
+HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
|
||||||
|
|
||||||
/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
|
/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
|
||||||
/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
|
/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
|
||||||
@@ -16,7 +16,6 @@
|
@@ -16,13 +16,13 @@
|
||||||
|
|
||||||
/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||||
/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
||||||
|
@ -9337,7 +9394,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||||
/usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
/usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
||||||
/usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
/usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
||||||
/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
|
/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
|
||||||
@@ -33,6 +32,7 @@
|
/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
|
||||||
|
/usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
||||||
|
|
||||||
|
+/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||||
|
/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||||
|
/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||||
|
/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||||
|
@@ -33,6 +33,7 @@
|
||||||
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||||
')
|
')
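Review bot: Labeling `/usr/bin/mongrel_rails` as `httpd_exec_t` places a Ruby application server in `httpd_t`, so every httpd_* boolean and content-type rule in the apache module now governs Rails processes as well; the hunk gives no indication that this is narrower than a dedicated domain would be. mongrel_rails lives in /usr/bin and is commonly started by hand from an application directory, so unless the only supported start path is an init script (where the transition to httpd_t already exists), the new label may either block developers' shells from executing it or run it without the expected transition — worth confirming before this ships. At minimum I would add a comment next to the new line, `# mongrel_rails is treated as a web server and shares the httpd_t policy when started from its init script`, and consider a separate domain if users are expected to run it directly.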
|
||||||
|
|
||||||
|
@ -9345,7 +9409,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||||
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||||
/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||||
/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||||
@@ -48,11 +48,14 @@
|
@@ -48,11 +49,14 @@
|
||||||
|
|
||||||
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||||
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
|
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
|
||||||
|
@ -9360,7 +9424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||||
/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||||||
/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||||||
/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||||||
@@ -66,10 +69,21 @@
|
@@ -66,10 +70,21 @@
|
||||||
/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
|
/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||||
/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||||
|
|
||||||
|
@ -16036,8 +16100,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gami
|
||||||
+/usr/libexec/gam_server -- gen_context(system_u:object_r:gamin_exec_t,s0)
|
+/usr/libexec/gam_server -- gen_context(system_u:object_r:gamin_exec_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.if serefpolicy-3.4.2/policy/modules/services/gamin.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.if serefpolicy-3.4.2/policy/modules/services/gamin.if
|
||||||
--- nsaserefpolicy/policy/modules/services/gamin.if 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/gamin.if 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.4.2/policy/modules/services/gamin.if 2008-06-12 23:37:52.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/services/gamin.if 2008-06-24 06:34:46.000000000 -0400
|
||||||
@@ -0,0 +1,39 @@
|
@@ -0,0 +1,57 @@
|
||||||
+
|
+
|
||||||
+## <summary>policy for gamin</summary>
|
+## <summary>policy for gamin</summary>
|
||||||
+
|
+
|
||||||
|
@ -16062,6 +16126,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gami
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
|
+## Execute gamin.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed to transition.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`gamin_exec',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type gamin_exec_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ can_exec($1,gamin_exec_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
+## Connect to gamin over an unix stream socket.
|
+## Connect to gamin over an unix stream socket.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
|
@ -17707,7 +17789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
||||||
## </summary>
|
## </summary>
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.4.2/policy/modules/services/mta.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.4.2/policy/modules/services/mta.te
|
||||||
--- nsaserefpolicy/policy/modules/services/mta.te 2008-06-12 23:25:05.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/mta.te 2008-06-12 23:25:05.000000000 -0400
|
||||||
+++ serefpolicy-3.4.2/policy/modules/services/mta.te 2008-06-12 23:37:52.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/services/mta.te 2008-06-24 05:41:16.000000000 -0400
|
||||||
@@ -6,6 +6,8 @@
|
@@ -6,6 +6,8 @@
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
@ -17725,13 +17807,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
||||||
|
|
||||||
mta_base_mail_template(system)
|
mta_base_mail_template(system)
|
||||||
role system_r types system_mail_t;
|
role system_r types system_mail_t;
|
||||||
@@ -37,30 +40,50 @@
|
@@ -37,30 +40,52 @@
|
||||||
#
|
#
|
||||||
|
|
||||||
# newalias required this, not sure if it is needed in 'if' file
|
# newalias required this, not sure if it is needed in 'if' file
|
||||||
-allow system_mail_t self:capability { dac_override };
|
-allow system_mail_t self:capability { dac_override };
|
||||||
+allow system_mail_t self:capability { dac_override fowner };
|
+allow system_mail_t self:capability { dac_override fowner };
|
||||||
+allow system_mail_t self:fifo_file rw_fifo_file_perms;
|
+allow system_mail_t self:fifo_file rw_fifo_file_perms;
|
||||||
|
+
|
||||||
|
+can_exec(system_mail_t, mailclient_exec_type)
|
||||||
|
|
||||||
read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t)
|
read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t)
|
||||||
+read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type)
|
+read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type)
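Review bot: `can_exec(system_mail_t, mailclient_exec_type)` runs every mail-client binary inside `system_mail_t` itself with no domain transition, while the same hunk widens that domain to `{ dac_override fowner }` and grants read on every `mailcontent_type`; a flaw in any client invoked this way therefore executes with DAC bypass plus fowner and read access to all mail content, which is more than the per-client domains refpolicy normally transitions to. If a specific client needed this, I would prefer a domtrans to its own domain and reserve `can_exec` for the genuine in-domain case, with a comment stating which client it was, e.g. `# system_mail_t re-execs the configured MTA client in place; no transition because <reason>`. The `fowner` addition also has no justification comment, unlike the existing `# newalias required this` note above it — a short `# fowner: needed for <operation>` would keep the capability set auditable.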
|
||||||
|
@ -17777,7 +17861,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -73,7 +96,10 @@
|
@@ -73,7 +98,10 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
cron_read_system_job_tmp_files(system_mail_t)
|
cron_read_system_job_tmp_files(system_mail_t)
|
||||||
|
@ -17788,7 +17872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -81,6 +107,11 @@
|
@@ -81,6 +109,11 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -17800,7 +17884,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
||||||
logrotate_read_tmp_files(system_mail_t)
|
logrotate_read_tmp_files(system_mail_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -136,11 +167,38 @@
|
@@ -136,11 +169,38 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -17840,7 +17924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
# why is mail delivered to a directory of type arpwatch_data_t?
|
# why is mail delivered to a directory of type arpwatch_data_t?
|
||||||
arpwatch_search_data(mailserver_delivery)
|
arpwatch_search_data(mailserver_delivery)
|
||||||
@@ -154,3 +212,4 @@
|
@@ -154,3 +214,4 @@
|
||||||
cron_read_system_job_tmp_files(mta_user_agent)
|
cron_read_system_job_tmp_files(mta_user_agent)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
@ -21027,7 +21111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
|
||||||
+/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_lml_script_exec_t,s0)
|
+/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_lml_script_exec_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.4.2/policy/modules/services/prelude.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.4.2/policy/modules/services/prelude.if
|
||||||
--- nsaserefpolicy/policy/modules/services/prelude.if 2008-06-12 23:25:06.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/prelude.if 2008-06-12 23:25:06.000000000 -0400
|
||||||
+++ serefpolicy-3.4.2/policy/modules/services/prelude.if 2008-06-23 08:18:26.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/services/prelude.if 2008-06-24 06:33:22.000000000 -0400
|
||||||
@@ -42,7 +42,7 @@
|
@@ -42,7 +42,7 @@
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
|
@ -21037,7 +21121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@@ -56,6 +56,80 @@
|
@@ -56,6 +56,81 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -21074,6 +21158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ files_search_spool($1)
|
+ files_search_spool($1)
|
||||||
|
+ list_dirs_pattern($1, prelude_spool_t, prelude_spool_t)
|
||||||
+ rw_files_pattern($1, prelude_spool_t, prelude_spool_t)
|
+ rw_files_pattern($1, prelude_spool_t, prelude_spool_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
@ -21118,7 +21203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
|
||||||
## All of the rules required to administrate
|
## All of the rules required to administrate
|
||||||
## an prelude environment
|
## an prelude environment
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -64,6 +138,16 @@
|
@@ -64,6 +139,16 @@
|
||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
|
@ -21135,7 +21220,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
|
||||||
## <rolecap/>
|
## <rolecap/>
|
||||||
#
|
#
|
||||||
interface(`prelude_admin',`
|
interface(`prelude_admin',`
|
||||||
@@ -71,6 +155,11 @@
|
@@ -71,6 +156,11 @@
|
||||||
type prelude_t, prelude_spool_t;
|
type prelude_t, prelude_spool_t;
|
||||||
type prelude_var_run_t, prelude_var_lib_t;
|
type prelude_var_run_t, prelude_var_lib_t;
|
||||||
type prelude_audisp_t, prelude_audisp_var_run_t;
|
type prelude_audisp_t, prelude_audisp_var_run_t;
|
||||||
|
@ -21147,7 +21232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 prelude_t:process { ptrace signal_perms };
|
allow $1 prelude_t:process { ptrace signal_perms };
|
||||||
@@ -79,11 +168,23 @@
|
@@ -79,11 +169,23 @@
|
||||||
allow $1 prelude_audisp_t:process { ptrace signal_perms };
|
allow $1 prelude_audisp_t:process { ptrace signal_perms };
|
||||||
ps_process_pattern($1, prelude_audisp_t)
|
ps_process_pattern($1, prelude_audisp_t)
|
||||||
|
|
||||||
|
@ -21179,7 +21264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
|
||||||
')
|
')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.4.2/policy/modules/services/prelude.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.4.2/policy/modules/services/prelude.te
|
||||||
--- nsaserefpolicy/policy/modules/services/prelude.te 2008-06-12 23:25:06.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/prelude.te 2008-06-12 23:25:06.000000000 -0400
|
||||||
+++ serefpolicy-3.4.2/policy/modules/services/prelude.te 2008-06-23 08:09:53.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/services/prelude.te 2008-06-24 06:34:11.000000000 -0400
|
||||||
@@ -19,12 +19,31 @@
|
@@ -19,12 +19,31 @@
|
||||||
type prelude_var_lib_t;
|
type prelude_var_lib_t;
|
||||||
files_type(prelude_var_lib_t)
|
files_type(prelude_var_lib_t)
|
||||||
|
@ -21238,7 +21323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
|
||||||
|
|
||||||
dev_read_rand(prelude_audisp_t)
|
dev_read_rand(prelude_audisp_t)
|
||||||
dev_read_urand(prelude_audisp_t)
|
dev_read_urand(prelude_audisp_t)
|
||||||
@@ -126,6 +150,76 @@
|
@@ -126,6 +150,80 @@
|
||||||
|
|
||||||
miscfiles_read_localization(prelude_audisp_t)
|
miscfiles_read_localization(prelude_audisp_t)
|
||||||
|
|
||||||
|
@ -21309,13 +21394,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
|
||||||
+miscfiles_read_localization(prelude_lml_t)
|
+miscfiles_read_localization(prelude_lml_t)
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
|
+ gamin_exec(prelude_lml_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
+ apache_read_log(prelude_lml_t)
|
+ apache_read_log(prelude_lml_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# prewikka_cgi Declarations
|
# prewikka_cgi Declarations
|
||||||
@@ -135,6 +229,10 @@
|
@@ -135,6 +233,10 @@
|
||||||
apache_content_template(prewikka)
|
apache_content_template(prewikka)
|
||||||
files_read_etc_files(httpd_prewikka_script_t)
|
files_read_etc_files(httpd_prewikka_script_t)
|
||||||
|
|
||||||
|
@ -28016,6 +28105,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebr
|
||||||
kernel_read_kernel_sysctls(zebra_t)
|
kernel_read_kernel_sysctls(zebra_t)
|
||||||
kernel_rw_net_sysctls(zebra_t)
|
kernel_rw_net_sysctls(zebra_t)
|
||||||
|
|
||||||
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.4.2/policy/modules/system/application.te
|
||||||
|
--- nsaserefpolicy/policy/modules/system/application.te 2008-06-12 23:25:07.000000000 -0400
|
||||||
|
+++ serefpolicy-3.4.2/policy/modules/system/application.te 2008-06-24 05:58:09.000000000 -0400
|
||||||
|
@@ -7,6 +7,9 @@
|
||||||
|
# Executables to be run by user
|
||||||
|
attribute application_exec_type;
|
||||||
|
|
||||||
|
+unprivuser_append_home_content_files(application_domain_type)
|
||||||
|
+unprivuser_write_tmp_files(application_domain_type)
|
||||||
|
+
|
||||||
|
optional_policy(`
|
||||||
|
ssh_sigchld(application_domain_type)
|
||||||
|
ssh_rw_stream_sockets(application_domain_type)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.4.2/policy/modules/system/authlogin.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.4.2/policy/modules/system/authlogin.fc
|
||||||
--- nsaserefpolicy/policy/modules/system/authlogin.fc 2008-06-12 23:25:07.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/authlogin.fc 2008-06-12 23:25:07.000000000 -0400
|
||||||
+++ serefpolicy-3.4.2/policy/modules/system/authlogin.fc 2008-06-12 23:37:52.000000000 -0400
|
+++ serefpolicy-3.4.2/policy/modules/system/authlogin.fc 2008-06-12 23:37:52.000000000 -0400
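Review bot: `unprivuser_append_home_content_files(application_domain_type)` and `unprivuser_write_tmp_files(application_domain_type)` grant to the attribute, so every domain declared with `application_domain()` — including ones unrelated to interactive user sessions — gains append on all user home content and write on user tmp files; that is a blanket widening of the confinement boundary rather than a fix scoped to the application that hit the denial. The two new lines are also unconditional: the interfaces come from the `unprivuser` role module (roles/unprivuser.if, changed in this same patch), yet unlike the `ssh_sigchld` block directly below they are not inside `optional_policy`, so the build will fail whenever unprivuser is not loaded unless it is guaranteed to be in base — please confirm. I would wrap both calls in an `optional_policy(` … `')` block mirroring the ssh one, and add a comment naming the use case that requires attribute-wide access (presumably inherited open file descriptors from the user's shell, but the hunk does not show it).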
|
||||||
|
|
|
@ -17,7 +17,7 @@
|
||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.4.2
|
Version: 3.4.2
|
||||||
Release: 6%{?dist}
|
Release: 7%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
|
@ -375,6 +375,11 @@ exit 0
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jun 24 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-7
|
||||||
|
- Allow confined users to use postgres
|
||||||
|
- Allow system_mail_t to exec other mail clients
|
||||||
|
- Label mogrel_rails as an apache server
|
||||||
|
|
||||||
* Mon Jun 23 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-6
|
* Mon Jun 23 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-6
|
||||||
- Apply unconfined_execmem_exec_t to haskell programs
|
- Apply unconfined_execmem_exec_t to haskell programs
|
||||||
|
|
||||||
|
|