rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- Move users file to selection by spec file.

Browse Source 
- Allow vncserver to run as unconfined_u:unconfined_r:unconfined_t
This commit is contained in:
Daniel J Walsh 2010-01-11 22:06:55 +00:00
parent 7723ea3a29
commit fc05ac0660
10 changed files with 1234 additions and 1327 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.cvsignore
View File

@ -197,3 +197,4 @@ serefpolicy-3.7.3.tgz
serefpolicy-3.7.4.tgz serefpolicy-3.7.4.tgz
serefpolicy-3.7.5.tgz serefpolicy-3.7.5.tgz
serefpolicy-3.7.6.tgz serefpolicy-3.7.6.tgz
serefpolicy-3.7.7.tgz

7
modules-minimum.conf
View File

@ -60,6 +60,13 @@ awstats = module
# #
abrt = module abrt = module
# Layer: services
# Module: aiccu
#
# SixXS Automatic IPv6 Connectivity Client Utility
#
aiccu = module
# Layer: admin # Layer: admin
# Module: amanda # Module: amanda
# #

2
nsadiff
View File

@ -1 +1 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.7.6 > /tmp/diff diff --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.7.7 > /tmp/diff

2386
policy-F13.patch
View File

File diff suppressed because it is too large Load Diff

11
selinux-policy.spec
View File

@ -19,7 +19,7 @@
%define CHECKPOLICYVER 2.0.21-1 %define CHECKPOLICYVER 2.0.21-1
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.7.6 Version: 3.7.7
Release: 1%{?dist} Release: 1%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
@ -45,6 +45,10 @@ Source18: setrans-minimum.conf
Source19: securetty_types-minimum Source19: securetty_types-minimum
Source20: customizable_types Source20: customizable_types
Source21: config.tgz Source21: config.tgz
Source22: users-mls
Source23: users-targeted
Source24: users-olpc
Source25: users-minimum
Url: http://oss.tresys.com/repos/refpolicy/ Url: http://oss.tresys.com/repos/refpolicy/
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -98,6 +102,7 @@ make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOL
make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 conf \ make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 conf \
cp -f $RPM_SOURCE_DIR/modules-%1.conf ./policy/modules.conf \ cp -f $RPM_SOURCE_DIR/modules-%1.conf ./policy/modules.conf \
cp -f $RPM_SOURCE_DIR/booleans-%1.conf ./policy/booleans.conf \ cp -f $RPM_SOURCE_DIR/booleans-%1.conf ./policy/booleans.conf \
cp -f $RPM_SOURCE_DIR/users-%1 ./policy/users \
%define moduleList() %([ -f %{_sourcedir}/modules-%{1}.conf ] && \ %define moduleList() %([ -f %{_sourcedir}/modules-%{1}.conf ] && \
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp.bz2 ", $1 }' %{_sourcedir}/modules-%{1}.conf ) awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp.bz2 ", $1 }' %{_sourcedir}/modules-%{1}.conf )
@ -450,6 +455,10 @@ exit 0
%endif %endif
%changelog %changelog
* Mon Jan 7 2010 Dan Walsh <dwalsh@redhat.com> 3.7.7-1
- Move users file to selection by spec file.
- Allow vncserver to run as unconfined_u:unconfined_r:unconfined_t
* Thu Jan 7 2010 Dan Walsh <dwalsh@redhat.com> 3.7.6-1 * Thu Jan 7 2010 Dan Walsh <dwalsh@redhat.com> 3.7.6-1
- Update to upstream - Update to upstream

2
sources
View File

@ -1,2 +1,2 @@
3651679c4b12a31d2ba5f4305bba5540 config.tgz 3651679c4b12a31d2ba5f4305bba5540 config.tgz
0e56f0205d64ac083d61ec1d15873df7 serefpolicy-3.7.6.tgz 2cec5f31faaf708d21bbcffabde5533d serefpolicy-3.7.7.tgz

38
users-minimum Normal file
View File

@ -0,0 +1,38 @@
##################################
#
# Core User configuration.
#
#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
#
# Note: Identities without a prefix wil not be listed
# in the users_extra file used by genhomedircon.
#
# system_u is the user identity for system processes and objects.
# There should be no corresponding Unix user identity for system,
# and a user process should never be assigned the system user
# identity.
#
gen_user(system_u,, system_r unconfined_u, s0, s0 - mls_systemhigh, mcs_allcats)
#
# user_u is a generic user identity for Linux users who have no
# SELinux user identity defined. The modified daemons will use
# this user identity in the security context if there is no matching
# SELinux user identity for a Linux user. If you do not want to
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
# when login starts the user shell. Users with access to the sysadm_r
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)

38
users-mls Normal file
View File

@ -0,0 +1,38 @@
##################################
#
# Core User configuration.
#
#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
#
# Note: Identities without a prefix wil not be listed
# in the users_extra file used by genhomedircon.
#
# system_u is the user identity for system processes and objects.
# There should be no corresponding Unix user identity for system,
# and a user process should never be assigned the system user
# identity.
#
gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# user_u is a generic user identity for Linux users who have no
# SELinux user identity defined. The modified daemons will use
# this user identity in the security context if there is no matching
# SELinux user identity for a Linux user. If you do not want to
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
# when login starts the user shell. Users with access to the sysadm_r
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)

38
users-olpc Normal file
View File

@ -0,0 +1,38 @@
##################################
#
# Core User configuration.
#
#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
#
# Note: Identities without a prefix wil not be listed
# in the users_extra file used by genhomedircon.
#
# system_u is the user identity for system processes and objects.
# There should be no corresponding Unix user identity for system,
# and a user process should never be assigned the system user
# identity.
#
gen_user(system_u,, system_r unconfined_u, s0, s0 - mls_systemhigh, mcs_allcats)
#
# user_u is a generic user identity for Linux users who have no
# SELinux user identity defined. The modified daemons will use
# this user identity in the security context if there is no matching
# SELinux user identity for a Linux user. If you do not want to
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
# when login starts the user shell. Users with access to the sysadm_r
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)

38
users-targeted Normal file
View File

@ -0,0 +1,38 @@
##################################
#
# Core User configuration.
#
#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
#
# Note: Identities without a prefix wil not be listed
# in the users_extra file used by genhomedircon.
#
# system_u is the user identity for system processes and objects.
# There should be no corresponding Unix user identity for system,
# and a user process should never be assigned the system user
# identity.
#
gen_user(system_u,, system_r unconfined_u, s0, s0 - mls_systemhigh, mcs_allcats)
#
# user_u is a generic user identity for Linux users who have no
# SELinux user identity defined. The modified daemons will use
# this user identity in the security context if there is no matching
# SELinux user identity for a Linux user. If you do not want to
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
# when login starts the user shell. Users with access to the sysadm_r
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)