- Add conflicts for dirsrv package
This commit is contained in:
parent
3e0b7834a6
commit
fc9bf2f03d
@ -510,6 +510,20 @@ dmidecode = base
|
||||
#
|
||||
domain = base
|
||||
|
||||
# Layer: services
|
||||
# Module: drbd
|
||||
#
|
||||
# DRBD mirrors a block device over the network to another machine.
|
||||
#
|
||||
drbd = module
|
||||
|
||||
# Layer: services
|
||||
# Module: ddclient
|
||||
#
|
||||
# Update dynamic IP address at DynDNS.org
|
||||
#
|
||||
ddclient = module
|
||||
|
||||
# Layer: services
|
||||
# Module: dovecot
|
||||
#
|
||||
|
452
policy-F15.patch
452
policy-F15.patch
@ -7335,70 +7335,27 @@ index 82842a0..369c3b5 100644
|
||||
dbus_system_bus_client($1_wm_t)
|
||||
dbus_session_bus_client($1_wm_t)
|
||||
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
|
||||
index 34c9d01..8b6dc89 100644
|
||||
index 34c9d01..94ec653 100644
|
||||
--- a/policy/modules/kernel/corecommands.fc
|
||||
+++ b/policy/modules/kernel/corecommands.fc
|
||||
@@ -122,6 +122,8 @@ ifdef(`distro_debian',`
|
||||
/etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0)
|
||||
')
|
||||
@@ -128,8 +128,8 @@ ifdef(`distro_debian',`
|
||||
|
||||
+/etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
+
|
||||
#
|
||||
# /lib
|
||||
#
|
||||
@@ -130,6 +132,7 @@ ifdef(`distro_debian',`
|
||||
/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
-/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
+/lib/udev/devices/MAKEDEV -l gen_context(system_u:object_r:bin_t,s0)
|
||||
/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
@@ -146,6 +149,8 @@ ifdef(`distro_gentoo',`
|
||||
/lib/rcscripts/net\.modules\.d/helpers\.d/dhclient-.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
')
|
||||
+/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
+/lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
#
|
||||
# /sbin
|
||||
@@ -266,6 +271,8 @@ ifdef(`distro_gentoo',`
|
||||
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
+/usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
|
||||
+/usr/share/gitolite/hooks/gitolite-admin/post-update -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/gitolite/hooks/gitolite-admin/post-update -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -382,3 +389,25 @@ ifdef(`distro_suse', `
|
||||
ifdef(`distro_suse',`
|
||||
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
|
||||
')
|
||||
+/var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
+
|
||||
+/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
|
||||
+/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
|
||||
+
|
||||
+/usr/lib/oracle/xe/apps(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
+
|
||||
+/usr/lib(64)?/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
+
|
||||
+/usr/lib/wicd/monitor.py -- gen_context(system_u:object_r:bin_t, s0)
|
||||
+
|
||||
+/usr/lib(64)?/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
|
||||
+
|
||||
+/usr/lib(64)?/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0)
|
||||
+/usr/lib(64)?/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
|
||||
+/usr/lib(64)?/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0)
|
||||
+/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
|
||||
+
|
||||
+/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
+
|
||||
+/etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
+/etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -307,6 +307,7 @@ ifdef(`distro_redhat', `
|
||||
/usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
||||
+/usr/lib/oracle/xe/apps(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
|
||||
index 9e9263a..24018ce 100644
|
||||
--- a/policy/modules/kernel/corecommands.if
|
||||
@ -8319,7 +8276,7 @@ index 3517db2..bd4c23d 100644
|
||||
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
|
||||
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
|
||||
index 5302dac..5dcb9ad 100644
|
||||
index 5302dac..9b828ee 100644
|
||||
--- a/policy/modules/kernel/files.if
|
||||
+++ b/policy/modules/kernel/files.if
|
||||
@@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
|
||||
@ -8335,7 +8292,32 @@ index 5302dac..5dcb9ad 100644
|
||||
|
||||
# satisfy the assertions:
|
||||
seutil_relabelto_bin_policy($1)
|
||||
@@ -1446,6 +1444,60 @@ interface(`files_dontaudit_search_all_mountpoints',`
|
||||
@@ -1410,6 +1408,24 @@ interface(`files_getattr_all_mountpoints',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## Set the attributes of all mount points.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`files_setattr_all_mountpoints',`
|
||||
+ gen_require(`
|
||||
+ attribute mountpoint;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 mountpoint:dir setattr;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Search all mount points.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1446,6 +1462,60 @@ interface(`files_dontaudit_search_all_mountpoints',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -8396,7 +8378,7 @@ index 5302dac..5dcb9ad 100644
|
||||
## List the contents of the root directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1836,6 +1888,25 @@ interface(`files_relabelfrom_boot_files',`
|
||||
@@ -1836,6 +1906,25 @@ interface(`files_relabelfrom_boot_files',`
|
||||
relabelfrom_files_pattern($1, boot_t, boot_t)
|
||||
')
|
||||
|
||||
@ -8422,7 +8404,7 @@ index 5302dac..5dcb9ad 100644
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write symbolic links
|
||||
@@ -2435,6 +2506,24 @@ interface(`files_delete_etc_files',`
|
||||
@@ -2435,6 +2524,24 @@ interface(`files_delete_etc_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -8447,7 +8429,7 @@ index 5302dac..5dcb9ad 100644
|
||||
## Execute generic files in /etc.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -2605,6 +2694,24 @@ interface(`files_read_etc_runtime_files',`
|
||||
@@ -2605,6 +2712,24 @@ interface(`files_read_etc_runtime_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -8472,7 +8454,7 @@ index 5302dac..5dcb9ad 100644
|
||||
## Do not audit attempts to read files
|
||||
## in /etc that are dynamically
|
||||
## created on boot, such as mtab.
|
||||
@@ -3086,6 +3193,7 @@ interface(`files_getattr_home_dir',`
|
||||
@@ -3086,6 +3211,7 @@ interface(`files_getattr_home_dir',`
|
||||
')
|
||||
|
||||
allow $1 home_root_t:dir getattr;
|
||||
@ -8480,7 +8462,7 @@ index 5302dac..5dcb9ad 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -3106,6 +3214,7 @@ interface(`files_dontaudit_getattr_home_dir',`
|
||||
@@ -3106,6 +3232,7 @@ interface(`files_dontaudit_getattr_home_dir',`
|
||||
')
|
||||
|
||||
dontaudit $1 home_root_t:dir getattr;
|
||||
@ -8488,7 +8470,7 @@ index 5302dac..5dcb9ad 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -3347,6 +3456,24 @@ interface(`files_list_mnt',`
|
||||
@@ -3347,6 +3474,24 @@ interface(`files_list_mnt',`
|
||||
allow $1 mnt_t:dir list_dir_perms;
|
||||
')
|
||||
|
||||
@ -8513,7 +8495,7 @@ index 5302dac..5dcb9ad 100644
|
||||
########################################
|
||||
## <summary>
|
||||
## Mount a filesystem on /mnt.
|
||||
@@ -3420,6 +3547,24 @@ interface(`files_read_mnt_files',`
|
||||
@@ -3420,6 +3565,24 @@ interface(`files_read_mnt_files',`
|
||||
read_files_pattern($1, mnt_t, mnt_t)
|
||||
')
|
||||
|
||||
@ -8538,7 +8520,7 @@ index 5302dac..5dcb9ad 100644
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete symbolic links in /mnt.
|
||||
@@ -3711,6 +3856,100 @@ interface(`files_read_world_readable_sockets',`
|
||||
@@ -3711,6 +3874,100 @@ interface(`files_read_world_readable_sockets',`
|
||||
allow $1 readable_t:sock_file read_sock_file_perms;
|
||||
')
|
||||
|
||||
@ -8639,7 +8621,7 @@ index 5302dac..5dcb9ad 100644
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified type to associate
|
||||
@@ -3896,6 +4135,32 @@ interface(`files_manage_generic_tmp_dirs',`
|
||||
@@ -3896,6 +4153,32 @@ interface(`files_manage_generic_tmp_dirs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -8672,7 +8654,7 @@ index 5302dac..5dcb9ad 100644
|
||||
## Manage temporary files and directories in /tmp.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -3950,6 +4215,42 @@ interface(`files_rw_generic_tmp_sockets',`
|
||||
@@ -3950,6 +4233,42 @@ interface(`files_rw_generic_tmp_sockets',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -8715,7 +8697,7 @@ index 5302dac..5dcb9ad 100644
|
||||
## Set the attributes of all tmp directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -4109,6 +4410,13 @@ interface(`files_purge_tmp',`
|
||||
@@ -4109,6 +4428,13 @@ interface(`files_purge_tmp',`
|
||||
delete_lnk_files_pattern($1, tmpfile, tmpfile)
|
||||
delete_fifo_files_pattern($1, tmpfile, tmpfile)
|
||||
delete_sock_files_pattern($1, tmpfile, tmpfile)
|
||||
@ -8729,7 +8711,7 @@ index 5302dac..5dcb9ad 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4718,6 +5026,24 @@ interface(`files_read_var_files',`
|
||||
@@ -4718,6 +5044,24 @@ interface(`files_read_var_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -8754,7 +8736,7 @@ index 5302dac..5dcb9ad 100644
|
||||
## Read and write files in the /var directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -5053,6 +5379,24 @@ interface(`files_manage_mounttab',`
|
||||
@@ -5053,6 +5397,24 @@ interface(`files_manage_mounttab',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -8779,7 +8761,7 @@ index 5302dac..5dcb9ad 100644
|
||||
## Search the locks directory (/var/lock).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -5138,12 +5482,12 @@ interface(`files_getattr_generic_locks',`
|
||||
@@ -5138,12 +5500,12 @@ interface(`files_getattr_generic_locks',`
|
||||
## </param>
|
||||
#
|
||||
interface(`files_delete_generic_locks',`
|
||||
@ -8796,64 +8778,103 @@ index 5302dac..5dcb9ad 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -5189,6 +5533,27 @@ interface(`files_delete_all_locks',`
|
||||
@@ -5189,29 +5551,28 @@ interface(`files_delete_all_locks',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Read all lock files.
|
||||
+## Relabel all lock files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
+## <rolecap/>
|
||||
#
|
||||
-interface(`files_read_all_locks',`
|
||||
+interface(`files_relabel_all_lock_dirs',`
|
||||
gen_require(`
|
||||
attribute lockfile;
|
||||
- type var_t, var_lock_t;
|
||||
+ type var_t;
|
||||
')
|
||||
|
||||
- allow $1 { var_t var_lock_t }:dir search_dir_perms;
|
||||
- allow $1 lockfile:dir list_dir_perms;
|
||||
- read_files_pattern($1, lockfile, lockfile)
|
||||
- read_lnk_files_pattern($1, lockfile, lockfile)
|
||||
+ allow $1 var_t:dir search_dir_perms;
|
||||
+ relabel_dirs_pattern($1, lockfile, lockfile)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## manage all lock files.
|
||||
+## Read all lock files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -5219,15 +5580,37 @@ interface(`files_read_all_locks',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`files_manage_all_locks',`
|
||||
+interface(`files_read_all_locks',`
|
||||
gen_require(`
|
||||
attribute lockfile;
|
||||
type var_t, var_lock_t;
|
||||
')
|
||||
|
||||
allow $1 { var_t var_lock_t }:dir search_dir_perms;
|
||||
- manage_dirs_pattern($1, lockfile, lockfile)
|
||||
- manage_files_pattern($1, lockfile, lockfile)
|
||||
+ allow $1 lockfile:dir list_dir_perms;
|
||||
+ read_files_pattern($1, lockfile, lockfile)
|
||||
+ read_lnk_files_pattern($1, lockfile, lockfile)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## manage all lock files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`files_relabel_all_lock_dirs',`
|
||||
+interface(`files_manage_all_locks',`
|
||||
+ gen_require(`
|
||||
+ attribute lockfile;
|
||||
+ type var_t;
|
||||
+ type var_t, var_lock_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 var_t:dir search_dir_perms;
|
||||
+ relabel_dirs_pattern($1, lockfile, lockfile)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Read all lock files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -5317,23 +5682,60 @@ interface(`files_search_pids',`
|
||||
+ allow $1 { var_t var_lock_t }:dir search_dir_perms;
|
||||
+ manage_dirs_pattern($1, lockfile, lockfile)
|
||||
+ manage_files_pattern($1, lockfile, lockfile)
|
||||
manage_lnk_files_pattern($1, lockfile, lockfile)
|
||||
')
|
||||
|
||||
@@ -5317,6 +5700,43 @@ interface(`files_search_pids',`
|
||||
search_dirs_pattern($1, var_t, var_run_t)
|
||||
')
|
||||
|
||||
-########################################
|
||||
+######################################
|
||||
## <summary>
|
||||
-## Do not audit attempts to search
|
||||
-## the /var/run directory.
|
||||
+## <summary>
|
||||
+## Add and remove entries from pid directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
-## <summary>
|
||||
-## Domain to not audit.
|
||||
-## </summary>
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`files_dontaudit_search_pids',`
|
||||
- gen_require(`
|
||||
- type var_run_t;
|
||||
- ')
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`files_rw_pid_dirs',`
|
||||
+ gen_require(`
|
||||
+ type var_run_t;
|
||||
+ ')
|
||||
|
||||
- dontaudit $1 var_run_t:dir search_dir_perms;
|
||||
+
|
||||
+ allow $1 var_run_t:dir rw_dir_perms;
|
||||
+')
|
||||
+
|
||||
@ -8876,27 +8897,10 @@ index 5302dac..5dcb9ad 100644
|
||||
+ allow $1 var_run_t:dir create_dir_perms;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Do not audit attempts to search
|
||||
+## the /var/run directory.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain to not audit.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`files_dontaudit_search_pids',`
|
||||
+ gen_require(`
|
||||
+ type var_run_t;
|
||||
+ ')
|
||||
+
|
||||
+ dontaudit $1 var_run_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -5524,6 +5926,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
|
||||
## <summary>
|
||||
## Do not audit attempts to search
|
||||
@@ -5524,6 +5944,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -8959,7 +8963,7 @@ index 5302dac..5dcb9ad 100644
|
||||
## Read all process ID files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -5541,6 +5999,44 @@ interface(`files_read_all_pids',`
|
||||
@@ -5541,6 +6017,44 @@ interface(`files_read_all_pids',`
|
||||
|
||||
list_dirs_pattern($1, var_t, pidfile)
|
||||
read_files_pattern($1, pidfile, pidfile)
|
||||
@ -9004,7 +9008,7 @@ index 5302dac..5dcb9ad 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -5826,3 +6322,247 @@ interface(`files_unconfined',`
|
||||
@@ -5826,3 +6340,247 @@ interface(`files_unconfined',`
|
||||
|
||||
typeattribute $1 files_unconfined_type;
|
||||
')
|
||||
@ -12353,7 +12357,7 @@ index 0b827c5..8961dba 100644
|
||||
admin_pattern($1, abrt_tmp_t)
|
||||
')
|
||||
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
|
||||
index 98646c4..5be7dc8 100644
|
||||
index 98646c4..73ae7f0 100644
|
||||
--- a/policy/modules/services/abrt.te
|
||||
+++ b/policy/modules/services/abrt.te
|
||||
@@ -5,6 +5,14 @@ policy_module(abrt, 1.1.1)
|
||||
@ -12397,7 +12401,15 @@ index 98646c4..5be7dc8 100644
|
||||
|
||||
kernel_read_ring_buffer(abrt_t)
|
||||
kernel_read_system_state(abrt_t)
|
||||
@@ -121,6 +130,8 @@ files_read_generic_tmp_files(abrt_t)
|
||||
@@ -114,6 +123,7 @@ domain_signull_all_domains(abrt_t)
|
||||
|
||||
files_getattr_all_files(abrt_t)
|
||||
files_read_etc_files(abrt_t)
|
||||
+files_read_etc_runtime_files(abrt_t)
|
||||
files_read_var_symlinks(abrt_t)
|
||||
files_read_var_lib_files(abrt_t)
|
||||
files_read_usr_files(abrt_t)
|
||||
@@ -121,6 +131,8 @@ files_read_generic_tmp_files(abrt_t)
|
||||
files_read_kernel_modules(abrt_t)
|
||||
files_dontaudit_list_default(abrt_t)
|
||||
files_dontaudit_read_default_files(abrt_t)
|
||||
@ -12406,7 +12418,7 @@ index 98646c4..5be7dc8 100644
|
||||
|
||||
fs_list_inotifyfs(abrt_t)
|
||||
fs_getattr_all_fs(abrt_t)
|
||||
@@ -131,7 +142,7 @@ fs_read_nfs_files(abrt_t)
|
||||
@@ -131,7 +143,7 @@ fs_read_nfs_files(abrt_t)
|
||||
fs_read_nfs_symlinks(abrt_t)
|
||||
fs_search_all(abrt_t)
|
||||
|
||||
@ -12415,7 +12427,7 @@ index 98646c4..5be7dc8 100644
|
||||
|
||||
logging_read_generic_logs(abrt_t)
|
||||
logging_send_syslog_msg(abrt_t)
|
||||
@@ -140,6 +151,15 @@ miscfiles_read_generic_certs(abrt_t)
|
||||
@@ -140,6 +152,15 @@ miscfiles_read_generic_certs(abrt_t)
|
||||
miscfiles_read_localization(abrt_t)
|
||||
|
||||
userdom_dontaudit_read_user_home_content_files(abrt_t)
|
||||
@ -12431,7 +12443,7 @@ index 98646c4..5be7dc8 100644
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_domain(abrt_t, abrt_exec_t)
|
||||
@@ -150,6 +170,11 @@ optional_policy(`
|
||||
@@ -150,6 +171,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -12443,7 +12455,7 @@ index 98646c4..5be7dc8 100644
|
||||
policykit_dbus_chat(abrt_t)
|
||||
policykit_domtrans_auth(abrt_t)
|
||||
policykit_read_lib(abrt_t)
|
||||
@@ -178,12 +203,18 @@ optional_policy(`
|
||||
@@ -178,12 +204,18 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -12463,7 +12475,7 @@ index 98646c4..5be7dc8 100644
|
||||
#
|
||||
|
||||
allow abrt_helper_t self:capability { chown setgid sys_nice };
|
||||
@@ -203,6 +234,7 @@ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
|
||||
@@ -203,6 +235,7 @@ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
|
||||
domain_read_all_domains_state(abrt_helper_t)
|
||||
|
||||
files_read_etc_files(abrt_helper_t)
|
||||
@ -12471,7 +12483,7 @@ index 98646c4..5be7dc8 100644
|
||||
|
||||
fs_list_inotifyfs(abrt_helper_t)
|
||||
fs_getattr_all_fs(abrt_helper_t)
|
||||
@@ -216,7 +248,8 @@ miscfiles_read_localization(abrt_helper_t)
|
||||
@@ -216,7 +249,8 @@ miscfiles_read_localization(abrt_helper_t)
|
||||
term_dontaudit_use_all_ttys(abrt_helper_t)
|
||||
term_dontaudit_use_all_ptys(abrt_helper_t)
|
||||
|
||||
@ -12481,7 +12493,7 @@ index 98646c4..5be7dc8 100644
|
||||
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
|
||||
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
|
||||
dev_dontaudit_read_all_blk_files(abrt_helper_t)
|
||||
@@ -224,4 +257,18 @@ ifdef(`hide_broken_symptoms', `
|
||||
@@ -224,4 +258,18 @@ ifdef(`hide_broken_symptoms', `
|
||||
dev_dontaudit_write_all_chr_files(abrt_helper_t)
|
||||
dev_dontaudit_write_all_blk_files(abrt_helper_t)
|
||||
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
|
||||
@ -19790,7 +19802,7 @@ index e1d7dc5..ee51a19 100644
|
||||
admin_pattern($1, dovecot_var_run_t)
|
||||
|
||||
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
|
||||
index cbe14e4..dd7fe41 100644
|
||||
index cbe14e4..9e2f6d5 100644
|
||||
--- a/policy/modules/services/dovecot.te
|
||||
+++ b/policy/modules/services/dovecot.te
|
||||
@@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
|
||||
@ -19865,7 +19877,16 @@ index cbe14e4..dd7fe41 100644
|
||||
allow dovecot_auth_t self:process { signal_perms getcap setcap };
|
||||
allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
|
||||
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
|
||||
@@ -242,6 +252,7 @@ optional_policy(`
|
||||
@@ -189,6 +199,8 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
|
||||
|
||||
read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
|
||||
|
||||
+read_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
|
||||
+
|
||||
manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
|
||||
manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
|
||||
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
|
||||
@@ -242,6 +254,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -19873,7 +19894,7 @@ index cbe14e4..dd7fe41 100644
|
||||
postfix_search_spool(dovecot_auth_t)
|
||||
')
|
||||
|
||||
@@ -253,19 +264,31 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
|
||||
@@ -253,19 +266,31 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
allow dovecot_deliver_t dovecot_t:process signull;
|
||||
|
||||
@ -19907,7 +19928,7 @@ index cbe14e4..dd7fe41 100644
|
||||
|
||||
miscfiles_read_localization(dovecot_deliver_t)
|
||||
|
||||
@@ -302,4 +325,5 @@ tunable_policy(`use_samba_home_dirs',`
|
||||
@@ -302,4 +327,5 @@ tunable_policy(`use_samba_home_dirs',`
|
||||
|
||||
optional_policy(`
|
||||
mta_manage_spool(dovecot_deliver_t)
|
||||
@ -25548,15 +25569,16 @@ index 4876cae..5f2ba87 100644
|
||||
allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if
|
||||
index 85188dc..99cefb8 100644
|
||||
index 85188dc..76f26dd 100644
|
||||
--- a/policy/modules/services/nscd.if
|
||||
+++ b/policy/modules/services/nscd.if
|
||||
@@ -116,7 +116,25 @@ interface(`nscd_socket_use',`
|
||||
@@ -116,7 +116,26 @@ interface(`nscd_socket_use',`
|
||||
dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
|
||||
files_search_pids($1)
|
||||
stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
|
||||
- dontaudit $1 nscd_var_run_t:file { getattr read };
|
||||
+ dontaudit $1 nscd_var_run_t:file read_file_perms;
|
||||
+ ps_process_pattern(nscd_t, $1)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
@ -25578,7 +25600,7 @@ index 85188dc..99cefb8 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -146,11 +164,14 @@ interface(`nscd_shm_use',`
|
||||
@@ -146,11 +165,14 @@ interface(`nscd_shm_use',`
|
||||
# nscd_socket_domain macro. need to investigate
|
||||
# if they are all actually required
|
||||
allow $1 self:unix_stream_socket create_stream_socket_perms;
|
||||
@ -25596,7 +25618,7 @@ index 85188dc..99cefb8 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -168,7 +189,7 @@ interface(`nscd_dontaudit_search_pid',`
|
||||
@@ -168,7 +190,7 @@ interface(`nscd_dontaudit_search_pid',`
|
||||
type nscd_var_run_t;
|
||||
')
|
||||
|
||||
@ -25605,7 +25627,7 @@ index 85188dc..99cefb8 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -224,6 +245,7 @@ interface(`nscd_unconfined',`
|
||||
@@ -224,6 +246,7 @@ interface(`nscd_unconfined',`
|
||||
## Role allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
@ -26093,7 +26115,7 @@ index 9d0a67b..9197ef0 100644
|
||||
#
|
||||
interface(`openct_domtrans',`
|
||||
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
|
||||
index 8b550f4..cb87bef 100644
|
||||
index 8b550f4..e41ff47 100644
|
||||
--- a/policy/modules/services/openvpn.te
|
||||
+++ b/policy/modules/services/openvpn.te
|
||||
@@ -6,9 +6,9 @@ policy_module(openvpn, 1.10.0)
|
||||
@ -26155,7 +26177,16 @@ index 8b550f4..cb87bef 100644
|
||||
|
||||
corecmd_exec_bin(openvpn_t)
|
||||
corecmd_exec_shell(openvpn_t)
|
||||
@@ -113,20 +120,20 @@ sysnet_manage_config(openvpn_t)
|
||||
@@ -102,6 +109,8 @@ files_read_etc_runtime_files(openvpn_t)
|
||||
|
||||
auth_use_pam(openvpn_t)
|
||||
|
||||
+init_read_utmp(openvpn_t)
|
||||
+
|
||||
logging_send_syslog_msg(openvpn_t)
|
||||
|
||||
miscfiles_read_localization(openvpn_t)
|
||||
@@ -113,20 +122,20 @@ sysnet_manage_config(openvpn_t)
|
||||
sysnet_etc_filetrans_config(openvpn_t)
|
||||
|
||||
userdom_use_user_terminals(openvpn_t)
|
||||
@ -26183,7 +26214,7 @@ index 8b550f4..cb87bef 100644
|
||||
|
||||
optional_policy(`
|
||||
daemontools_service_domain(openvpn_t, openvpn_exec_t)
|
||||
@@ -138,3 +145,7 @@ optional_policy(`
|
||||
@@ -138,3 +147,7 @@ optional_policy(`
|
||||
|
||||
networkmanager_dbus_chat(openvpn_t)
|
||||
')
|
||||
@ -27733,10 +27764,21 @@ index 55e62d2..c114a40 100644
|
||||
/usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
|
||||
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
|
||||
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
|
||||
index 46bee12..ff521d5 100644
|
||||
index 46bee12..9c13189 100644
|
||||
--- a/policy/modules/services/postfix.if
|
||||
+++ b/policy/modules/services/postfix.if
|
||||
@@ -50,7 +50,7 @@ template(`postfix_domain_template',`
|
||||
@@ -34,8 +34,9 @@ template(`postfix_domain_template',`
|
||||
domain_entry_file(postfix_$1_t, postfix_$1_exec_t)
|
||||
role system_r types postfix_$1_t;
|
||||
|
||||
+ allow postfix_$1_t self:capability sys_nice;
|
||||
dontaudit postfix_$1_t self:capability sys_tty_config;
|
||||
- allow postfix_$1_t self:process { signal_perms setpgid };
|
||||
+ allow postfix_$1_t self:process { signal_perms setpgid setsched };
|
||||
allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
|
||||
allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow postfix_$1_t self:unix_stream_socket connectto;
|
||||
@@ -50,7 +51,7 @@ template(`postfix_domain_template',`
|
||||
|
||||
can_exec(postfix_$1_t, postfix_$1_exec_t)
|
||||
|
||||
@ -27745,7 +27787,7 @@ index 46bee12..ff521d5 100644
|
||||
|
||||
allow postfix_$1_t postfix_master_t:process sigchld;
|
||||
|
||||
@@ -77,6 +77,7 @@ template(`postfix_domain_template',`
|
||||
@@ -77,6 +78,7 @@ template(`postfix_domain_template',`
|
||||
|
||||
files_read_etc_files(postfix_$1_t)
|
||||
files_read_etc_runtime_files(postfix_$1_t)
|
||||
@ -27753,7 +27795,7 @@ index 46bee12..ff521d5 100644
|
||||
files_read_usr_symlinks(postfix_$1_t)
|
||||
files_search_spool(postfix_$1_t)
|
||||
files_getattr_tmp_dirs(postfix_$1_t)
|
||||
@@ -272,7 +273,8 @@ interface(`postfix_read_local_state',`
|
||||
@@ -272,7 +274,8 @@ interface(`postfix_read_local_state',`
|
||||
type postfix_local_t;
|
||||
')
|
||||
|
||||
@ -27763,7 +27805,7 @@ index 46bee12..ff521d5 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -290,7 +292,8 @@ interface(`postfix_read_master_state',`
|
||||
@@ -290,7 +293,8 @@ interface(`postfix_read_master_state',`
|
||||
type postfix_master_t;
|
||||
')
|
||||
|
||||
@ -27773,7 +27815,7 @@ index 46bee12..ff521d5 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -376,6 +379,25 @@ interface(`postfix_domtrans_master',`
|
||||
@@ -376,6 +380,25 @@ interface(`postfix_domtrans_master',`
|
||||
domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
|
||||
')
|
||||
|
||||
@ -27799,7 +27841,7 @@ index 46bee12..ff521d5 100644
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute the master postfix program in the
|
||||
@@ -404,7 +426,6 @@ interface(`postfix_exec_master',`
|
||||
@@ -404,7 +427,6 @@ interface(`postfix_exec_master',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
@ -27807,7 +27849,7 @@ index 46bee12..ff521d5 100644
|
||||
#
|
||||
interface(`postfix_stream_connect_master',`
|
||||
gen_require(`
|
||||
@@ -529,6 +550,25 @@ interface(`postfix_domtrans_smtp',`
|
||||
@@ -529,6 +551,25 @@ interface(`postfix_domtrans_smtp',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -27833,7 +27875,7 @@ index 46bee12..ff521d5 100644
|
||||
## Search postfix mail spool directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -539,10 +579,10 @@ interface(`postfix_domtrans_smtp',`
|
||||
@@ -539,10 +580,10 @@ interface(`postfix_domtrans_smtp',`
|
||||
#
|
||||
interface(`postfix_search_spool',`
|
||||
gen_require(`
|
||||
@ -27846,7 +27888,7 @@ index 46bee12..ff521d5 100644
|
||||
files_search_spool($1)
|
||||
')
|
||||
|
||||
@@ -558,10 +598,10 @@ interface(`postfix_search_spool',`
|
||||
@@ -558,10 +599,10 @@ interface(`postfix_search_spool',`
|
||||
#
|
||||
interface(`postfix_list_spool',`
|
||||
gen_require(`
|
||||
@ -27859,7 +27901,7 @@ index 46bee12..ff521d5 100644
|
||||
files_search_spool($1)
|
||||
')
|
||||
|
||||
@@ -577,11 +617,11 @@ interface(`postfix_list_spool',`
|
||||
@@ -577,11 +618,11 @@ interface(`postfix_list_spool',`
|
||||
#
|
||||
interface(`postfix_read_spool_files',`
|
||||
gen_require(`
|
||||
@ -27873,7 +27915,7 @@ index 46bee12..ff521d5 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -596,11 +636,11 @@ interface(`postfix_read_spool_files',`
|
||||
@@ -596,11 +637,11 @@ interface(`postfix_read_spool_files',`
|
||||
#
|
||||
interface(`postfix_manage_spool_files',`
|
||||
gen_require(`
|
||||
@ -27887,7 +27929,7 @@ index 46bee12..ff521d5 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -621,3 +661,103 @@ interface(`postfix_domtrans_user_mail_handler',`
|
||||
@@ -621,3 +662,103 @@ interface(`postfix_domtrans_user_mail_handler',`
|
||||
|
||||
typeattribute $1 postfix_user_domtrans;
|
||||
')
|
||||
@ -30293,13 +30335,47 @@ index 340a6c0..f24c52e 100644
|
||||
+ ')
|
||||
')
|
||||
diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te
|
||||
index 0a76027..cdd0542 100644
|
||||
index 0a76027..88ac667 100644
|
||||
--- a/policy/modules/services/remotelogin.te
|
||||
+++ b/policy/modules/services/remotelogin.te
|
||||
@@ -114,7 +114,6 @@ optional_policy(`
|
||||
@@ -49,6 +49,7 @@ fs_getattr_xattr_fs(remote_login_t)
|
||||
fs_search_auto_mountpoints(remote_login_t)
|
||||
|
||||
term_relabel_all_ptys(remote_login_t)
|
||||
+term_use_all_ptys(remote_login_t)
|
||||
|
||||
auth_rw_login_records(remote_login_t)
|
||||
auth_rw_faillog(remote_login_t)
|
||||
@@ -77,7 +78,7 @@ files_list_mnt(remote_login_t)
|
||||
# for when /var/mail is a sym-link
|
||||
files_read_var_symlinks(remote_login_t)
|
||||
|
||||
-sysnet_dns_name_resolve(remote_login_t)
|
||||
+auth_use_nsswitch(remote_login_t)
|
||||
|
||||
miscfiles_read_localization(remote_login_t)
|
||||
|
||||
@@ -87,6 +88,7 @@ userdom_search_user_home_content(remote_login_t)
|
||||
# since very weak authentication is used.
|
||||
userdom_signal_unpriv_users(remote_login_t)
|
||||
userdom_spec_domtrans_unpriv_users(remote_login_t)
|
||||
+userdom_use_user_ptys(remote_login_t)
|
||||
|
||||
# Search for mail spool file.
|
||||
mta_getattr_spool(remote_login_t)
|
||||
@@ -106,15 +108,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- nis_use_ypbind(remote_login_t)
|
||||
+ telnet_use_ptys(remote_login_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- nscd_socket_use(remote_login_t)
|
||||
-')
|
||||
-
|
||||
-optional_policy(`
|
||||
- unconfined_domain(remote_login_t)
|
||||
unconfined_shell_domtrans(remote_login_t)
|
||||
')
|
||||
@ -34424,6 +34500,30 @@ index 7038b55..4e84f23 100644
|
||||
|
||||
type tcpd_tmp_t;
|
||||
files_tmp_file(tcpd_tmp_t)
|
||||
diff --git a/policy/modules/services/telnet.if b/policy/modules/services/telnet.if
|
||||
index 58e7ec0..cf4cc85 100644
|
||||
--- a/policy/modules/services/telnet.if
|
||||
+++ b/policy/modules/services/telnet.if
|
||||
@@ -1 +1,19 @@
|
||||
## <summary>Telnet daemon</summary>
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read and write a telnetd domain pty.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`telnet_use_ptys',`
|
||||
+ gen_require(`
|
||||
+ type telnetd_devpts_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 telnetd_devpts_t:chr_file rw_term_perms;
|
||||
+')
|
||||
diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te
|
||||
index f40e67b..34c4c57 100644
|
||||
--- a/policy/modules/services/telnet.te
|
||||
@ -42712,7 +42812,7 @@ index 8b5c196..3490497 100644
|
||||
+ role $2 types showmount_t;
|
||||
')
|
||||
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
|
||||
index fca6947..43cb923 100644
|
||||
index fca6947..e1f7531 100644
|
||||
--- a/policy/modules/system/mount.te
|
||||
+++ b/policy/modules/system/mount.te
|
||||
@@ -17,8 +17,15 @@ type mount_exec_t;
|
||||
@ -42762,7 +42862,7 @@ index fca6947..43cb923 100644
|
||||
|
||||
allow mount_t mount_loopback_t:file read_file_perms;
|
||||
|
||||
@@ -46,50 +68,83 @@ can_exec(mount_t, mount_exec_t)
|
||||
@@ -46,50 +68,84 @@ can_exec(mount_t, mount_exec_t)
|
||||
|
||||
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
|
||||
|
||||
@ -42814,6 +42914,7 @@ index fca6947..43cb923 100644
|
||||
+# for when /etc/mtab loses its type
|
||||
+files_delete_etc_files(mount_t)
|
||||
files_mounton_all_mountpoints(mount_t)
|
||||
+files_setattr_all_mountpoints(mount_t)
|
||||
+# ntfs-3g checks whether the mountpoint is writable before mounting
|
||||
+files_write_all_mountpoints(mount_t)
|
||||
files_unmount_rootfs(mount_t)
|
||||
@ -42853,7 +42954,7 @@ index fca6947..43cb923 100644
|
||||
|
||||
mls_file_read_all_levels(mount_t)
|
||||
mls_file_write_all_levels(mount_t)
|
||||
@@ -100,6 +155,7 @@ storage_raw_read_fixed_disk(mount_t)
|
||||
@@ -100,6 +156,7 @@ storage_raw_read_fixed_disk(mount_t)
|
||||
storage_raw_write_fixed_disk(mount_t)
|
||||
storage_raw_read_removable_device(mount_t)
|
||||
storage_raw_write_removable_device(mount_t)
|
||||
@ -42861,7 +42962,7 @@ index fca6947..43cb923 100644
|
||||
|
||||
term_use_all_terms(mount_t)
|
||||
|
||||
@@ -108,6 +164,8 @@ auth_use_nsswitch(mount_t)
|
||||
@@ -108,6 +165,8 @@ auth_use_nsswitch(mount_t)
|
||||
init_use_fds(mount_t)
|
||||
init_use_script_ptys(mount_t)
|
||||
init_dontaudit_getattr_initctl(mount_t)
|
||||
@ -42870,7 +42971,7 @@ index fca6947..43cb923 100644
|
||||
|
||||
logging_send_syslog_msg(mount_t)
|
||||
|
||||
@@ -118,6 +176,12 @@ sysnet_use_portmap(mount_t)
|
||||
@@ -118,6 +177,12 @@ sysnet_use_portmap(mount_t)
|
||||
seutil_read_config(mount_t)
|
||||
|
||||
userdom_use_all_users_fds(mount_t)
|
||||
@ -42883,7 +42984,7 @@ index fca6947..43cb923 100644
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
optional_policy(`
|
||||
@@ -133,10 +197,17 @@ ifdef(`distro_ubuntu',`
|
||||
@@ -133,10 +198,17 @@ ifdef(`distro_ubuntu',`
|
||||
')
|
||||
')
|
||||
|
||||
@ -42901,7 +43002,7 @@ index fca6947..43cb923 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -166,6 +237,8 @@ optional_policy(`
|
||||
@@ -166,6 +238,8 @@ optional_policy(`
|
||||
fs_search_rpc(mount_t)
|
||||
|
||||
rpc_stub(mount_t)
|
||||
@ -42910,7 +43011,7 @@ index fca6947..43cb923 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -173,6 +246,28 @@ optional_policy(`
|
||||
@@ -173,6 +247,28 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -42939,7 +43040,7 @@ index fca6947..43cb923 100644
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
# for a bug in the X server
|
||||
rhgb_dontaudit_rw_stream_sockets(mount_t)
|
||||
@@ -180,13 +275,44 @@ optional_policy(`
|
||||
@@ -180,13 +276,44 @@ optional_policy(`
|
||||
')
|
||||
')
|
||||
|
||||
@ -42984,7 +43085,7 @@ index fca6947..43cb923 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -195,6 +321,42 @@ optional_policy(`
|
||||
@@ -195,6 +322,42 @@ optional_policy(`
|
||||
#
|
||||
|
||||
optional_policy(`
|
||||
@ -43932,9 +44033,18 @@ index 0e48679..78b3429 100644
|
||||
type setrans_initrc_exec_t;
|
||||
init_script_file(setrans_initrc_exec_t)
|
||||
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
|
||||
index 726619b..4bb3158 100644
|
||||
index 726619b..36426f7 100644
|
||||
--- a/policy/modules/system/sysnetwork.fc
|
||||
+++ b/policy/modules/system/sysnetwork.fc
|
||||
@@ -13,7 +13,7 @@
|
||||
/etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
|
||||
/etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
|
||||
/etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0)
|
||||
-/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
|
||||
+/etc/hosts[^/]* -- gen_context(system_u:object_r:net_conf_t,s0)
|
||||
/etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
|
||||
/etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
|
||||
/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
|
||||
@@ -64,3 +64,5 @@ ifdef(`distro_redhat',`
|
||||
ifdef(`distro_gentoo',`
|
||||
/var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
|
||||
|
@ -21,7 +21,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.9.8
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -319,6 +319,7 @@ Conflicts: audispd-plugins <= 1.7.7-1
|
||||
Obsoletes: mod_fcgid-selinux <= %{version}-%{release}
|
||||
Obsoletes: cachefilesd-selinux <= 0.10-1
|
||||
Conflicts: seedit
|
||||
Conflicts: 389-ds-base < 1.2.7, 389-admin < 1.1.12
|
||||
|
||||
%description targeted
|
||||
SELinux Reference policy targeted base module.
|
||||
@ -470,6 +471,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Nov 5 2010 Dan Walsh <dwalsh@redhat.com> 3.9.8-2
|
||||
- Add conflicts for dirsrv package
|
||||
|
||||
* Fri Nov 5 2010 Dan Walsh <dwalsh@redhat.com> 3.9.8-1
|
||||
- Update to upstream
|
||||
- Add vlock policy
|
||||
|
Loading…
Reference in New Issue
Block a user