- Fix prelink to handle execmod
parent
0f8f545d1a
commit
fc4c7497a7
@ -1754,7 +1754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.0.3/policy/modules/apps/mozilla.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.0.3/policy/modules/apps/mozilla.if
|
||||||
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-07-03 07:05:43.000000000 -0400
|
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-07-03 07:05:43.000000000 -0400
|
||||||
+++ serefpolicy-3.0.3/policy/modules/apps/mozilla.if 2007-07-24 10:14:15.000000000 -0400
|
+++ serefpolicy-3.0.3/policy/modules/apps/mozilla.if 2007-07-24 15:39:13.000000000 -0400
|
||||||
@@ -36,6 +36,8 @@
|
@@ -36,6 +36,8 @@
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type mozilla_conf_t, mozilla_exec_t;
|
type mozilla_conf_t, mozilla_exec_t;
|
||||||
@ -1824,7 +1824,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
|
|||||||
# Unrestricted inheritance from the caller.
|
# Unrestricted inheritance from the caller.
|
||||||
allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
|
allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
|
||||||
|
|
||||||
@@ -171,6 +203,8 @@
|
@@ -116,8 +148,9 @@
|
||||||
|
kernel_read_kernel_sysctls($1_mozilla_t)
|
||||||
|
kernel_read_network_state($1_mozilla_t)
|
||||||
|
# Access /proc, sysctl
|
||||||
|
- kernel_read_system_state($1_mozilla_t)
|
||||||
|
- kernel_read_net_sysctls($1_mozilla_t)
|
||||||
|
+ kernel_dontaudit_read_system_state($1_mozilla_t)
|
||||||
|
+# kernel_read_system_state($1_mozilla_t)
|
||||||
|
+# kernel_read_net_sysctls($1_mozilla_t)
|
||||||
|
|
||||||
|
# Look for plugins
|
||||||
|
corecmd_list_bin($1_mozilla_t)
|
||||||
|
@@ -166,11 +199,20 @@
|
||||||
|
files_read_var_files($1_mozilla_t)
|
||||||
|
files_read_var_symlinks($1_mozilla_t)
|
||||||
|
files_dontaudit_getattr_boot_dirs($1_mozilla_t)
|
||||||
|
+ files_dontaudit_list_non_security($1_mozilla_t)
|
||||||
|
+ files_dontaudit_getattr_non_security_files($1_mozilla_t)
|
||||||
|
+ files_dontaudit_getattr_non_security_symlinks($1_mozilla_t)
|
||||||
|
+ files_dontaudit_getattr_non_security_pipes($1_mozilla_t)
|
||||||
|
+ files_dontaudit_getattr_non_security_sockets($1_mozilla_t)
|
||||||
|
+ files_dontaudit_getattr_non_security_blk_files($1_mozilla_t)
|
||||||
|
+ files_dontaudit_getattr_non_security_chr_files($1_mozilla_t)
|
||||||
|
|
||||||
|
fs_search_auto_mountpoints($1_mozilla_t)
|
||||||
fs_list_inotifyfs($1_mozilla_t)
|
fs_list_inotifyfs($1_mozilla_t)
|
||||||
fs_rw_tmpfs_files($1_mozilla_t)
|
fs_rw_tmpfs_files($1_mozilla_t)
|
||||||
|
|
||||||
@ -1833,7 +1857,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
|
|||||||
term_dontaudit_getattr_pty_dirs($1_mozilla_t)
|
term_dontaudit_getattr_pty_dirs($1_mozilla_t)
|
||||||
|
|
||||||
libs_use_ld_so($1_mozilla_t)
|
libs_use_ld_so($1_mozilla_t)
|
||||||
@@ -186,12 +220,9 @@
|
@@ -186,16 +228,14 @@
|
||||||
sysnet_dns_name_resolve($1_mozilla_t)
|
sysnet_dns_name_resolve($1_mozilla_t)
|
||||||
sysnet_read_config($1_mozilla_t)
|
sysnet_read_config($1_mozilla_t)
|
||||||
|
|
||||||
@ -1849,7 +1873,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
|
|||||||
|
|
||||||
xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t)
|
xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t)
|
||||||
xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t)
|
xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t)
|
||||||
@@ -213,131 +244,8 @@
|
xserver_dontaudit_getattr_xdm_tmp_sockets($1_mozilla_t)
|
||||||
|
+ xserver_xdm_sigchld($1_mozilla_t)
|
||||||
|
|
||||||
|
tunable_policy(`allow_execmem',`
|
||||||
|
allow $1_mozilla_t self:process { execmem execstack };
|
||||||
|
@@ -213,131 +253,8 @@
|
||||||
fs_manage_cifs_symlinks($1_mozilla_t)
|
fs_manage_cifs_symlinks($1_mozilla_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -1983,7 +2012,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -352,21 +260,28 @@
|
@@ -352,21 +269,28 @@
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
cups_read_rw_config($1_mozilla_t)
|
cups_read_rw_config($1_mozilla_t)
|
||||||
cups_dbus_chat($1_mozilla_t)
|
cups_dbus_chat($1_mozilla_t)
|
||||||
@ -2015,7 +2044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -386,25 +301,6 @@
|
@@ -386,25 +310,6 @@
|
||||||
thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t)
|
thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -2041,7 +2070,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -577,3 +473,27 @@
|
@@ -577,3 +482,27 @@
|
||||||
|
|
||||||
allow $2 $1_mozilla_t:tcp_socket rw_socket_perms;
|
allow $2 $1_mozilla_t:tcp_socket rw_socket_perms;
|
||||||
')
|
')
|
||||||
@ -2424,7 +2453,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.3/policy/modules/kernel/files.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.3/policy/modules/kernel/files.if
|
||||||
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-07-03 07:05:38.000000000 -0400
|
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-07-03 07:05:38.000000000 -0400
|
||||||
+++ serefpolicy-3.0.3/policy/modules/kernel/files.if 2007-07-17 15:46:25.000000000 -0400
|
+++ serefpolicy-3.0.3/policy/modules/kernel/files.if 2007-07-24 13:47:36.000000000 -0400
|
||||||
@@ -343,8 +343,7 @@
|
@@ -343,8 +343,7 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -2563,16 +2592,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
|
|||||||
# Need sys_admin capability for mounting
|
# Need sys_admin capability for mounting
|
||||||
allow $1 self:capability { chown fsetid sys_admin };
|
allow $1 self:capability { chown fsetid sys_admin };
|
||||||
|
|
||||||
@@ -4582,6 +4618,8 @@
|
@@ -4582,6 +4618,11 @@
|
||||||
# Default type for mountpoints
|
# Default type for mountpoints
|
||||||
allow $1 poly_t:dir { create mounton };
|
allow $1 poly_t:dir { create mounton };
|
||||||
fs_unmount_xattr_fs($1)
|
fs_unmount_xattr_fs($1)
|
||||||
+ corecmd_exec_bin($1)
|
+ corecmd_exec_bin($1)
|
||||||
|
+ seutil_domtrans_setfiles($1)
|
||||||
|
+ fs_mount_tmpfs($1)
|
||||||
|
+ fs_unmount_tmpfs($1)
|
||||||
+
|
+
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -4619,3 +4657,28 @@
|
@@ -4619,3 +4660,28 @@
|
||||||
|
|
||||||
allow $1 { file_type -security_file_type }:dir manage_dir_perms;
|
allow $1 { file_type -security_file_type }:dir manage_dir_perms;
|
||||||
')
|
')
|
||||||
@ -2603,7 +2635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.3/policy/modules/kernel/filesystem.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.3/policy/modules/kernel/filesystem.te
|
||||||
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-07-03 07:05:38.000000000 -0400
|
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-07-03 07:05:38.000000000 -0400
|
||||||
+++ serefpolicy-3.0.3/policy/modules/kernel/filesystem.te 2007-07-23 10:44:40.000000000 -0400
|
+++ serefpolicy-3.0.3/policy/modules/kernel/filesystem.te 2007-07-24 13:44:42.000000000 -0400
|
||||||
@@ -43,6 +43,12 @@
|
@@ -43,6 +43,12 @@
|
||||||
#
|
#
|
||||||
# Non-persistent/pseudo filesystems
|
# Non-persistent/pseudo filesystems
|
||||||
@ -2617,9 +2649,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
|
|||||||
type bdev_t;
|
type bdev_t;
|
||||||
fs_type(bdev_t)
|
fs_type(bdev_t)
|
||||||
genfscon bdev / gen_context(system_u:object_r:bdev_t,s0)
|
genfscon bdev / gen_context(system_u:object_r:bdev_t,s0)
|
||||||
|
@@ -139,6 +145,7 @@
|
||||||
|
fs_type(tmpfs_t)
|
||||||
|
files_type(tmpfs_t)
|
||||||
|
files_mountpoint(tmpfs_t)
|
||||||
|
+files_poly_parent(tmpfs_t)
|
||||||
|
|
||||||
|
# Use a transition SID based on the allocating task SID and the
|
||||||
|
# filesystem SID to label inodes in the following filesystem types,
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.3/policy/modules/kernel/kernel.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.3/policy/modules/kernel/kernel.if
|
||||||
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-07-03 07:05:38.000000000 -0400
|
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-07-03 07:05:38.000000000 -0400
|
||||||
+++ serefpolicy-3.0.3/policy/modules/kernel/kernel.if 2007-07-17 15:46:25.000000000 -0400
|
+++ serefpolicy-3.0.3/policy/modules/kernel/kernel.if 2007-07-24 13:50:13.000000000 -0400
|
||||||
@@ -1848,6 +1848,27 @@
|
@@ -1848,6 +1848,27 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -3871,7 +3911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.0.3/policy/modules/services/consolekit.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.0.3/policy/modules/services/consolekit.te
|
||||||
--- nsaserefpolicy/policy/modules/services/consolekit.te 2007-05-29 14:10:57.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/consolekit.te 2007-05-29 14:10:57.000000000 -0400
|
||||||
+++ serefpolicy-3.0.3/policy/modules/services/consolekit.te 2007-07-17 15:46:25.000000000 -0400
|
+++ serefpolicy-3.0.3/policy/modules/services/consolekit.te 2007-07-24 15:38:28.000000000 -0400
|
||||||
@@ -10,7 +10,6 @@
|
@@ -10,7 +10,6 @@
|
||||||
type consolekit_exec_t;
|
type consolekit_exec_t;
|
||||||
init_daemon_domain(consolekit_t, consolekit_exec_t)
|
init_daemon_domain(consolekit_t, consolekit_exec_t)
|
||||||
@ -4354,7 +4394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
|||||||
+/usr/local/Brother/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
|
+/usr/local/Brother/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.0.3/policy/modules/services/cups.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.0.3/policy/modules/services/cups.te
|
||||||
--- nsaserefpolicy/policy/modules/services/cups.te 2007-07-03 07:06:27.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/cups.te 2007-07-03 07:06:27.000000000 -0400
|
||||||
+++ serefpolicy-3.0.3/policy/modules/services/cups.te 2007-07-20 09:22:00.000000000 -0400
|
+++ serefpolicy-3.0.3/policy/modules/services/cups.te 2007-07-24 15:38:39.000000000 -0400
|
||||||
@@ -81,12 +81,11 @@
|
@@ -81,12 +81,11 @@
|
||||||
# /usr/lib/cups/backend/serial needs sys_admin(?!)
|
# /usr/lib/cups/backend/serial needs sys_admin(?!)
|
||||||
allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
|
allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
|
||||||
@ -4396,6 +4436,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
|
|||||||
auth_dontaudit_read_pam_pid(cupsd_t)
|
auth_dontaudit_read_pam_pid(cupsd_t)
|
||||||
|
|
||||||
# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
|
# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
|
||||||
|
@@ -189,7 +192,7 @@
|
||||||
|
# read python modules
|
||||||
|
files_read_usr_files(cupsd_t)
|
||||||
|
# for /var/lib/defoma
|
||||||
|
-files_search_var_lib(cupsd_t)
|
||||||
|
+files_read_var_lib(cupsd_t)
|
||||||
|
files_list_world_readable(cupsd_t)
|
||||||
|
files_read_world_readable_files(cupsd_t)
|
||||||
|
files_read_world_readable_symlinks(cupsd_t)
|
||||||
@@ -223,21 +226,45 @@
|
@@ -223,21 +226,45 @@
|
||||||
|
|
||||||
sysnet_read_config(cupsd_t)
|
sysnet_read_config(cupsd_t)
|
||||||
@ -5379,7 +5428,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
|
|||||||
+files_type(mailscanner_spool_t)
|
+files_type(mailscanner_spool_t)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.0.3/policy/modules/services/mta.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.0.3/policy/modules/services/mta.if
|
||||||
--- nsaserefpolicy/policy/modules/services/mta.if 2007-07-03 07:06:27.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/mta.if 2007-07-03 07:06:27.000000000 -0400
|
||||||
+++ serefpolicy-3.0.3/policy/modules/services/mta.if 2007-07-17 15:46:25.000000000 -0400
|
+++ serefpolicy-3.0.3/policy/modules/services/mta.if 2007-07-24 15:41:08.000000000 -0400
|
||||||
@@ -393,6 +393,7 @@
|
@@ -393,6 +393,7 @@
|
||||||
allow $1 mail_spool_t:dir list_dir_perms;
|
allow $1 mail_spool_t:dir list_dir_perms;
|
||||||
create_files_pattern($1,mail_spool_t,mail_spool_t)
|
create_files_pattern($1,mail_spool_t,mail_spool_t)
|
||||||
@ -7114,7 +7163,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.3/policy/modules/services/xserver.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.3/policy/modules/services/xserver.if
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-07-03 07:06:27.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-07-03 07:06:27.000000000 -0400
|
||||||
+++ serefpolicy-3.0.3/policy/modules/services/xserver.if 2007-07-23 11:02:03.000000000 -0400
|
+++ serefpolicy-3.0.3/policy/modules/services/xserver.if 2007-07-24 13:48:58.000000000 -0400
|
||||||
@@ -353,12 +353,6 @@
|
@@ -353,12 +353,6 @@
|
||||||
# allow ps to show xauth
|
# allow ps to show xauth
|
||||||
ps_process_pattern($2,$1_xauth_t)
|
ps_process_pattern($2,$1_xauth_t)
|
||||||
@ -7326,13 +7375,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1325,3 +1431,44 @@
|
@@ -1325,3 +1431,62 @@
|
||||||
files_search_tmp($1)
|
files_search_tmp($1)
|
||||||
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
|
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
|
||||||
')
|
')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
|
+## Sigchld XDM
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain to not audit
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`xserver_xdm_sigchld',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type xdm_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 xdm_t:process sigchld;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
+## Connect to apmd over an unix stream socket.
|
+## Connect to apmd over an unix stream socket.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
@ -10422,7 +10489,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||||||
+corecmd_exec_all_executables(unconfined_t)
|
+corecmd_exec_all_executables(unconfined_t)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.3/policy/modules/system/userdomain.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.3/policy/modules/system/userdomain.if
|
||||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-07-03 07:06:32.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-07-03 07:06:32.000000000 -0400
|
||||||
+++ serefpolicy-3.0.3/policy/modules/system/userdomain.if 2007-07-24 10:14:54.000000000 -0400
|
+++ serefpolicy-3.0.3/policy/modules/system/userdomain.if 2007-07-24 15:42:37.000000000 -0400
|
||||||
@@ -62,6 +62,10 @@
|
@@ -62,6 +62,10 @@
|
||||||
|
|
||||||
allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
|
allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
|
||||||
@ -10781,7 +10848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -908,45 +838,170 @@
|
@@ -908,45 +838,176 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -10900,6 +10967,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
+ dev_read_sysfs($1_t)
|
+ dev_read_sysfs($1_t)
|
||||||
+ dev_read_urand($1_t)
|
+ dev_read_urand($1_t)
|
||||||
+
|
+
|
||||||
|
+ kernel_dontaudit_read_system_state($1_t)
|
||||||
|
+
|
||||||
+ domain_use_interactive_fds($1_t)
|
+ domain_use_interactive_fds($1_t)
|
||||||
+ # Command completion can fire hundreds of denials
|
+ # Command completion can fire hundreds of denials
|
||||||
+ domain_dontaudit_exec_all_entry_files($1_t)
|
+ domain_dontaudit_exec_all_entry_files($1_t)
|
||||||
@ -10948,6 +11017,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
|
- usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
|
||||||
|
+ mta_dontaudit_read_spool_symlinks($1_t)
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ optional_policy(`
|
||||||
+ quota_dontaudit_getattr_db($1_t)
|
+ quota_dontaudit_getattr_db($1_t)
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
@ -10965,7 +11038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
@@ -962,11 +1017,58 @@
|
@@ -962,11 +1023,58 @@
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -11026,7 +11099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
|
|
||||||
##############################
|
##############################
|
||||||
#
|
#
|
||||||
@@ -976,25 +1078,11 @@
|
@@ -976,25 +1084,11 @@
|
||||||
# Inherit rules for ordinary users.
|
# Inherit rules for ordinary users.
|
||||||
userdom_common_user_template($1)
|
userdom_common_user_template($1)
|
||||||
|
|
||||||
@ -11052,7 +11125,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
# port access is audited even if dac would not have allowed it, so dontaudit it here
|
# port access is audited even if dac would not have allowed it, so dontaudit it here
|
||||||
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
|
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
|
||||||
# Need the following rule to allow users to run vpnc
|
# Need the following rule to allow users to run vpnc
|
||||||
@@ -1033,14 +1121,6 @@
|
@@ -1033,14 +1127,6 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -11067,7 +11140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
|
netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
|
||||||
netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
|
netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
|
||||||
')
|
')
|
||||||
@@ -1054,17 +1134,6 @@
|
@@ -1054,17 +1140,6 @@
|
||||||
setroubleshoot_stream_connect($1_t)
|
setroubleshoot_stream_connect($1_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -11085,7 +11158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@@ -1102,6 +1171,8 @@
|
@@ -1102,6 +1177,8 @@
|
||||||
class passwd { passwd chfn chsh rootok crontab };
|
class passwd { passwd chfn chsh rootok crontab };
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -11094,7 +11167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
##############################
|
##############################
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
@@ -1127,7 +1198,7 @@
|
@@ -1127,7 +1204,7 @@
|
||||||
# $1_t local policy
|
# $1_t local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -11103,7 +11176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
allow $1_t self:process { setexec setfscreate };
|
allow $1_t self:process { setexec setfscreate };
|
||||||
|
|
||||||
# Set password information for other users.
|
# Set password information for other users.
|
||||||
@@ -1139,7 +1210,11 @@
|
@@ -1139,7 +1216,11 @@
|
||||||
# Manipulate other users crontab.
|
# Manipulate other users crontab.
|
||||||
allow $1_t self:passwd crontab;
|
allow $1_t self:passwd crontab;
|
||||||
|
|
||||||
@ -11116,7 +11189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
|
|
||||||
kernel_read_software_raid_state($1_t)
|
kernel_read_software_raid_state($1_t)
|
||||||
kernel_getattr_core_if($1_t)
|
kernel_getattr_core_if($1_t)
|
||||||
@@ -1902,6 +1977,41 @@
|
@@ -1902,6 +1983,41 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -11158,7 +11231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
## Do not audit attempts to set the
|
## Do not audit attempts to set the
|
||||||
## attributes of user home files.
|
## attributes of user home files.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -3078,7 +3188,7 @@
|
@@ -3078,7 +3194,7 @@
|
||||||
#
|
#
|
||||||
template(`userdom_tmp_filetrans_user_tmp',`
|
template(`userdom_tmp_filetrans_user_tmp',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -11167,7 +11240,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
files_tmp_filetrans($2,$1_tmp_t,$3)
|
files_tmp_filetrans($2,$1_tmp_t,$3)
|
||||||
@@ -5323,7 +5433,7 @@
|
@@ -5323,7 +5439,7 @@
|
||||||
attribute user_tmpfile;
|
attribute user_tmpfile;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -11176,7 +11249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -5548,6 +5658,26 @@
|
@@ -5548,6 +5664,26 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -11203,7 +11276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
## Unconfined access to user domains. (Deprecated)
|
## Unconfined access to user domains. (Deprecated)
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -5559,3 +5689,233 @@
|
@@ -5559,3 +5695,233 @@
|
||||||
interface(`userdom_unconfined',`
|
interface(`userdom_unconfined',`
|
||||||
refpolicywarn(`$0($*) has been deprecated.')
|
refpolicywarn(`$0($*) has been deprecated.')
|
||||||
')
|
')
|
||||||
|