rpms / selinux-policy

Clone
Source Code
GIT

Files

  1.   2eeb528e2a364cf0ab89421f4f9780b2009c344d
  2.   policy-20090521.patch
Blob Blame History Raw 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.12/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/apps/sandbox.te	2009-05-22 10:14:07.000000000 -0400
@@ -38,3 +38,6 @@
 miscfiles_read_localization(sandbox_t)
 
 userdom_use_user_ptys(sandbox_t)
+
+kernel_dontaudit_read_system_state(sandbox_t)
+corecmd_exec_all_executables(sandbox_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.6.12/policy/modules/apps/vmware.fc
--- nsaserefpolicy/policy/modules/apps/vmware.fc	2009-04-07 15:54:49.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/apps/vmware.fc	2009-05-26 08:07:56.000000000 -0400
@@ -63,6 +63,7 @@
 ')
 
 /var/log/vmware.* 		--	gen_context(system_u:object_r:vmware_log_t,s0)
+/var/log/vnetlib.*		--	gen_context(system_u:object_r:vmware_log_t,s0)
 
 /var/run/vmnat.* 		-s	gen_context(system_u:object_r:vmware_var_run_t,s0)
 /var/run/vmware.* 			gen_context(system_u:object_r:vmware_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/kernel/files.if	2009-05-22 08:57:14.000000000 -0400
@@ -5224,6 +5224,7 @@
 		attribute file_type;
 	')
 
+	allow $1 file_type:dir search_dir_perms;
 	allow $1 file_type:file { getattr read write append lock };
 	allow $1 file_type:fifo_file { getattr read write append ioctl lock };
 	allow $1 file_type:sock_file { getattr read write append ioctl lock };
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.12/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if	2009-05-22 08:57:53.000000000 -0400
@@ -817,7 +817,7 @@
 		type proc_t;
 	')
 
-	dontaudit $1 proc_t:file { getattr read };
+	dontaudit $1 proc_t:file { open getattr read };
 ')
 
 ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.12/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te	2009-05-21 15:11:07.000000000 -0400
@@ -334,6 +334,10 @@
 ')
 
 optional_policy(`
+	virt_stream_connect(sysadm_t)
+')
+
+optional_policy(`
 	yam_run(sysadm_t, sysadm_r)
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te	2009-05-22 05:49:21.000000000 -0400
@@ -52,6 +52,8 @@
 init_system_domain(unconfined_execmem_t, execmem_exec_t)
 role unconfined_r types unconfined_execmem_t;
 typealias execmem_exec_t alias unconfined_execmem_exec_t;
+userdom_unpriv_usertype(unconfined, unconfined_execmem_t)
+userdom_manage_tmpfs_role(unconfined_r, unconfined_execmem_t)
 
 type unconfined_notrans_t;
 type unconfined_notrans_exec_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.12/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/apache.fc	2009-05-26 09:24:52.000000000 -0400
@@ -98,4 +98,6 @@
 
 /var/lib/rt3/data/RT-Shredder(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
 
-/var/www/svn(/.*)?		gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
+/var/www/svn(/.*)?			gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
+/var/www/svn/hooks(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www/svn/conf(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.12/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/cron.if	2009-05-26 08:38:15.000000000 -0400
@@ -163,27 +163,14 @@
 #
 interface(`cron_unconfined_role',`
 	gen_require(`
-		type unconfined_cronjob_t, admin_crontab_t, crontab_tmp_t, crontab_exec_t;
+		type unconfined_cronjob_t;
 	')
 
-	role $1 types { unconfined_cronjob_t admin_crontab_t };
+	role $1 types unconfined_cronjob_t;
 
 	# cronjob shows up in user ps
 	ps_process_pattern($2, unconfined_cronjob_t)
 
-	# Transition from the user domain to the derived domain.
-	domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
-
-	# crontab shows up in user ps
-	ps_process_pattern($2, admin_crontab_t)
-	allow $2 admin_crontab_t:process signal;
-
-	# Run helper programs as the user domain
-	#corecmd_bin_domtrans(admin_crontab_t, $2)
-	#corecmd_shell_domtrans(admin_crontab_t, $2)
-	corecmd_exec_bin(admin_crontab_t)
-	corecmd_exec_shell(admin_crontab_t)
-
 	optional_policy(`
 		gen_require(`
 			class dbus send_msg;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.12/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/devicekit.te	2009-05-21 12:57:07.000000000 -0400
@@ -55,7 +55,7 @@
 #
 # DeviceKit-Power local policy
 #
-allow devicekit_power_t self:capability { dac_override sys_tty_config sys_nice };
+allow devicekit_power_t self:capability { dac_override sys_ptrace sys_tty_config sys_nice };
 allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.12/policy/modules/services/pyzor.fc
--- nsaserefpolicy/policy/modules/services/pyzor.fc	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/pyzor.fc	2009-05-21 08:32:24.000000000 -0400
@@ -3,6 +3,8 @@
 
 HOME_DIR/\.pyzor(/.*)?		gen_context(system_u:object_r:pyzor_home_t,s0)
 HOME_DIR/\.spamd(/.*)?		gen_context(system_u:object_r:pyzor_home_t,s0)
+/root/\.pyzor(/.*)?		gen_context(system_u:object_r:pyzor_home_t,s0)
+/root/\.spamd(/.*)?		gen_context(system_u:object_r:pyzor_home_t,s0)
 
 /usr/bin/pyzor		--	gen_context(system_u:object_r:pyzor_exec_t,s0)
 /usr/bin/pyzord		--	gen_context(system_u:object_r:pyzord_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.12/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.fc	2009-05-21 08:31:58.000000000 -0400
@@ -1,3 +1,4 @@
+/root/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamc_home_t,s0)
 HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamc_home_t,s0)
 
 /etc/rc\.d/init\.d/spamd	--	gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/virt.te	2009-05-21 12:58:18.000000000 -0400
@@ -183,6 +183,7 @@
 seutil_read_default_contexts(virtd_t)
 
 term_getattr_pty_fs(virtd_t)
+term_use_generic_ptys(virtd_t)
 term_use_ptmx(virtd_t)
 
 auth_use_nsswitch(virtd_t)
@@ -323,9 +324,13 @@
 userdom_read_all_users_state(svirt_t)
 
 append_files_pattern(svirt_t, virt_log_t, virt_log_t)
+append_files_pattern(svirt_t, virt_var_lib_t, virt_var_lib_t)
 
 allow svirt_t self:udp_socket create_socket_perms;
 
+corecmd_exec_bin(svirt_t)
+corecmd_exec_shell(svirt_t)
+
 corenet_udp_sendrecv_generic_if(svirt_t)
 corenet_udp_sendrecv_generic_node(svirt_t)
 corenet_udp_sendrecv_all_ports(svirt_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.12/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/xserver.te	2009-05-26 08:17:11.000000000 -0400
@@ -538,6 +538,7 @@
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
+userdom_manage_user_tmp_dirs(xdm_t)
 userdom_manage_user_tmp_sockets(xdm_t)
 userdom_manage_tmpfs_role(system_r, xdm_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.12/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/authlogin.if	2009-05-26 08:43:32.000000000 -0400
@@ -77,6 +77,8 @@
 
 	# for SSP/ProPolice
 	dev_read_urand($1)
+	# for encrypted homedir
+	dev_read_sysfs($1)
 	# for fingerprint readers
 	dev_rw_input_dev($1)
 	dev_rw_generic_usb_dev($1)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.12/policy/modules/system/init.fc
--- nsaserefpolicy/policy/modules/system/init.fc	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/init.fc	2009-05-26 09:15:52.000000000 -0400
@@ -6,6 +6,8 @@
 /etc/rc\.d/rc		--	gen_context(system_u:object_r:initrc_exec_t,s0)
 /etc/rc\.d/rc\.[^/]+	--	gen_context(system_u:object_r:initrc_exec_t,s0)
 
+/etc/sysconfig/network-scripts/ifup-ipsec  	--	gen_context(system_u:object_r:initrc_exec_t,s0)
+
 /etc/rc\.d/init\.d/.*	--	gen_context(system_u:object_r:initrc_exec_t,s0)
 
 /etc/X11/prefdm		--	gen_context(system_u:object_r:initrc_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.12/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/ipsec.te	2009-05-26 09:17:39.000000000 -0400
@@ -348,6 +348,7 @@
 files_read_etc_files(setkey_t)
 
 init_dontaudit_use_fds(setkey_t)
+init_read_script_tmp_files(setkey_t)
 
 # allow setkey to set the context for ipsec SAs and policy.
 ipsec_setcontext_default_spd(setkey_t)
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.