|
 |
8ad564f |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.32/policy/modules/apps/sandbox.if
|
|
|
8ad564f |
--- nsaserefpolicy/policy/modules/apps/sandbox.if 2010-01-06 11:05:50.000000000 +0100
|
|
|
8ad564f |
+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2010-01-11 13:38:03.000000000 +0100
|
|
|
8ad564f |
@@ -45,9 +45,10 @@
|
|
|
8ad564f |
allow sandbox_x_domain $1:process { sigchld signal };
|
|
|
8ad564f |
allow sandbox_x_domain sandbox_x_domain:process signal;
|
|
|
8ad564f |
# Dontaudit leaked file descriptors
|
|
|
8ad564f |
- dontaudit sandbox_x_domain $1:fifo_file rw_fifo_file_perms;
|
|
|
8ad564f |
+ dontaudit sandbox_x_domain $1:fifo_file { read write };
|
|
|
8ad564f |
dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
|
|
|
8ad564f |
dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
|
|
|
8ad564f |
+ dontaudit sandbox_x_domain $1:unix_stream_socket { read write };
|
|
|
8ad564f |
|
|
|
8ad564f |
manage_files_pattern($1, sandbox_file_type, sandbox_file_type);
|
|
|
8ad564f |
manage_dirs_pattern($1, sandbox_file_type, sandbox_file_type);
|
|
|
8ad564f |
@@ -103,9 +104,10 @@
|
|
|
8ad564f |
#
|
|
|
8ad564f |
template(`sandbox_x_domain_template',`
|
|
|
8ad564f |
gen_require(`
|
|
|
8ad564f |
- type xserver_exec_t;
|
|
|
8ad564f |
+ type xserver_exec_t, sandbox_devpts_t;
|
|
|
8ad564f |
type sandbox_xserver_t;
|
|
|
8ad564f |
attribute sandbox_domain, sandbox_x_domain;
|
|
|
8ad564f |
+ attribute sandbox_file_type;
|
|
|
8ad564f |
')
|
|
|
8ad564f |
|
|
|
8ad564f |
type $1_t, sandbox_x_domain;
|
|
|
8ad564f |
@@ -163,10 +165,6 @@
|
|
|
8ad564f |
manage_lnk_files_pattern($1_client_t, $1_file_t, $1_file_t)
|
|
|
8ad564f |
manage_fifo_files_pattern($1_client_t, $1_file_t, $1_file_t)
|
|
|
8ad564f |
manage_sock_files_pattern($1_client_t, $1_file_t, $1_file_t)
|
|
|
8ad564f |
-
|
|
|
8ad564f |
- optional_policy(`
|
|
|
8ad564f |
- xserver_common_app($1_t)
|
|
|
8ad564f |
- ')
|
|
|
8ad564f |
')
|
|
|
8ad564f |
|
|
|
8ad564f |
########################################
|
|
|
8ad564f |
@@ -187,3 +185,39 @@
|
|
|
8ad564f |
|
|
|
8ad564f |
allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
|
|
|
8ad564f |
')
|
|
|
8ad564f |
+
|
|
|
8ad564f |
+########################################
|
|
|
8ad564f |
+## <summary>
|
|
|
8ad564f |
+## allow domain to delete sandbox files
|
|
|
8ad564f |
+## </summary>
|
|
|
8ad564f |
+## <param name="domain">
|
|
|
8ad564f |
+## <summary>
|
|
|
8ad564f |
+## Domain to not audit.
|
|
|
8ad564f |
+## </summary>
|
|
|
8ad564f |
+## </param>
|
|
|
8ad564f |
+#
|
|
|
8ad564f |
+interface(`sandbox_delete_files',`
|
|
|
8ad564f |
+ gen_require(`
|
|
|
8ad564f |
+ attribute sandbox_file_type;
|
|
|
8ad564f |
+ ')
|
|
|
8ad564f |
+
|
|
|
8ad564f |
+ delete_files_pattern($1, sandbox_file_type, sandbox_file_type)
|
|
|
8ad564f |
+')
|
|
|
8ad564f |
+
|
|
|
8ad564f |
+########################################
|
|
|
8ad564f |
+## <summary>
|
|
|
8ad564f |
+## allow domain to delete sandbox files
|
|
|
8ad564f |
+## </summary>
|
|
|
8ad564f |
+## <param name="domain">
|
|
|
8ad564f |
+## <summary>
|
|
|
8ad564f |
+## Domain to not audit.
|
|
|
8ad564f |
+## </summary>
|
|
|
8ad564f |
+## </param>
|
|
|
8ad564f |
+#
|
|
|
8ad564f |
+interface(`sandbox_delete_dirs',`
|
|
|
8ad564f |
+ gen_require(`
|
|
|
8ad564f |
+ attribute sandbox_file_type;
|
|
|
8ad564f |
+ ')
|
|
|
8ad564f |
+
|
|
|
8ad564f |
+ delete_dirs_pattern($1, sandbox_file_type, sandbox_file_type)
|
|
|
8ad564f |
+')
|
|
|
8ad564f |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.32/policy/modules/apps/sandbox.te
|
|
|
8ad564f |
--- nsaserefpolicy/policy/modules/apps/sandbox.te 2010-01-06 11:05:50.000000000 +0100
|
|
|
8ad564f |
+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te 2010-01-11 13:38:03.000000000 +0100
|
|
|
8ad564f |
@@ -10,14 +10,15 @@
|
|
|
8ad564f |
#
|
|
|
8ad564f |
|
|
|
8ad564f |
sandbox_domain_template(sandbox)
|
|
|
8ad564f |
+sandbox_x_domain_template(sandbox_min)
|
|
|
8ad564f |
sandbox_x_domain_template(sandbox_x)
|
|
|
8ad564f |
sandbox_x_domain_template(sandbox_web)
|
|
|
8ad564f |
sandbox_x_domain_template(sandbox_net)
|
|
|
8ad564f |
|
|
|
8ad564f |
type sandbox_xserver_t;
|
|
|
8ad564f |
domain_type(sandbox_xserver_t)
|
|
|
8ad564f |
-xserver_common_app(sandbox_xserver_t)
|
|
|
8ad564f |
permissive sandbox_xserver_t;
|
|
|
8ad564f |
+xserver_user_x_domain_template(sandbox_xserver, sandbox_xserver_t, sandbox_xserver_tmpfs_t)
|
|
|
8ad564f |
|
|
|
8ad564f |
type sandbox_xserver_tmpfs_t;
|
|
|
8ad564f |
files_tmpfs_file(sandbox_xserver_tmpfs_t)
|
|
|
8ad564f |
@@ -92,10 +93,6 @@
|
|
|
8ad564f |
')
|
|
|
8ad564f |
')
|
|
|
8ad564f |
|
|
|
8ad564f |
-optional_policy(`
|
|
|
8ad564f |
- xserver_common_app(sandbox_xserver_t)
|
|
|
8ad564f |
-')
|
|
|
8ad564f |
-
|
|
|
8ad564f |
########################################
|
|
|
8ad564f |
#
|
|
|
8ad564f |
# sandbox local policy
|
|
|
8ad564f |
@@ -104,7 +101,7 @@
|
|
|
8ad564f |
## internal communication is often done using fifo and unix sockets.
|
|
|
8ad564f |
allow sandbox_domain self:fifo_file manage_file_perms;
|
|
|
8ad564f |
allow sandbox_domain self:unix_stream_socket create_stream_socket_perms;
|
|
|
8ad564f |
-allow sandbox_domain self:unix_dgram_socket create_socket_perms;
|
|
|
8ad564f |
+allow sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
|
|
|
8ad564f |
|
|
|
8ad564f |
gen_require(`
|
|
|
8ad564f |
type usr_t, lib_t, locale_t;
|
|
|
8ad564f |
@@ -161,7 +158,7 @@
|
|
|
8ad564f |
|
|
|
8ad564f |
auth_dontaudit_read_login_records(sandbox_x_domain)
|
|
|
8ad564f |
auth_dontaudit_write_login_records(sandbox_x_domain)
|
|
|
8ad564f |
-#auth_use_nsswitch(sandbox_x_domain)
|
|
|
8ad564f |
+auth_use_nsswitch(sandbox_x_domain)
|
|
|
8ad564f |
auth_search_pam_console_data(sandbox_x_domain)
|
|
|
8ad564f |
|
|
|
8ad564f |
init_read_utmp(sandbox_x_domain)
|
|
|
8ad564f |
@@ -179,12 +176,20 @@
|
|
|
8ad564f |
miscfiles_read_fonts(sandbox_x_domain)
|
|
|
8ad564f |
|
|
|
8ad564f |
optional_policy(`
|
|
|
8ad564f |
+ cups_stream_connect(sandbox_x_domain)
|
|
|
8ad564f |
+ cups_read_rw_config(sandbox_x_domain)
|
|
|
8ad564f |
+')
|
|
|
8ad564f |
+
|
|
|
8ad564f |
+optional_policy(`
|
|
|
8ad564f |
gnome_read_gconf_config(sandbox_x_domain)
|
|
|
8ad564f |
')
|
|
|
8ad564f |
|
|
|
8ad564f |
optional_policy(`
|
|
|
8ad564f |
- cups_stream_connect(sandbox_x_domain)
|
|
|
8ad564f |
- cups_read_rw_config(sandbox_x_domain)
|
|
|
8ad564f |
+ nscd_dontaudit_search_pid(sandbox_x_domain)
|
|
|
8ad564f |
+')
|
|
|
8ad564f |
+
|
|
|
8ad564f |
+optional_policy(`
|
|
|
8ad564f |
+ sssd_dontaudit_search_lib(sandbox_x_domain)
|
|
|
8ad564f |
')
|
|
|
8ad564f |
|
|
|
8ad564f |
userdom_dontaudit_use_user_terminals(sandbox_x_domain)
|
|
|
8ad564f |
@@ -207,7 +212,7 @@
|
|
|
8ad564f |
|
|
|
8ad564f |
corenet_tcp_connect_ipp_port(sandbox_x_client_t)
|
|
|
8ad564f |
|
|
|
8ad564f |
-#auth_use_nsswitch(sandbox_x_client_t)
|
|
|
8ad564f |
+auth_use_nsswitch(sandbox_x_client_t)
|
|
|
8ad564f |
|
|
|
8ad564f |
dbus_system_bus_client(sandbox_x_client_t)
|
|
|
8ad564f |
dbus_read_config(sandbox_x_client_t)
|
|
|
8ad564f |
@@ -267,7 +272,7 @@
|
|
|
8ad564f |
corenet_dontaudit_tcp_bind_generic_port(sandbox_web_client_t)
|
|
|
8ad564f |
corenet_tcp_connect_speech_port(sandbox_web_client_t)
|
|
|
8ad564f |
|
|
|
8ad564f |
-#auth_use_nsswitch(sandbox_web_client_t)
|
|
|
8ad564f |
+auth_use_nsswitch(sandbox_web_client_t)
|
|
|
8ad564f |
|
|
|
8ad564f |
dbus_system_bus_client(sandbox_web_client_t)
|
|
|
8ad564f |
dbus_read_config(sandbox_web_client_t)
|
|
|
8ad564f |
@@ -310,7 +315,7 @@
|
|
|
8ad564f |
corenet_tcp_connect_all_ports(sandbox_net_client_t)
|
|
|
8ad564f |
corenet_sendrecv_all_client_packets(sandbox_net_client_t)
|
|
|
8ad564f |
|
|
|
8ad564f |
-#auth_use_nsswitch(sandbox_net_client_t)
|
|
|
8ad564f |
+auth_use_nsswitch(sandbox_net_client_t)
|
|
|
8ad564f |
|
|
|
8ad564f |
dbus_system_bus_client(sandbox_net_client_t)
|
|
|
8ad564f |
dbus_read_config(sandbox_net_client_t)
|
|
|
1fed36a |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.32/policy/modules/apps/wine.if
|
|
|
1fed36a |
--- nsaserefpolicy/policy/modules/apps/wine.if 2010-01-06 11:05:50.000000000 +0100
|
|
|
1fed36a |
+++ serefpolicy-3.6.32/policy/modules/apps/wine.if 2010-01-11 16:01:58.000000000 +0100
|
|
|
1fed36a |
@@ -143,6 +143,10 @@
|
|
|
1fed36a |
userdom_unpriv_usertype($1, $1_wine_t)
|
|
|
1fed36a |
userdom_manage_tmpfs_role($2, $1_wine_t)
|
|
|
1fed36a |
|
|
|
1fed36a |
+ tunable_policy(`wine_mmap_zero_ignore',`
|
|
|
1fed36a |
+ allow $1_wine_t self:memprotect mmap_zero;
|
|
|
1fed36a |
+ ')
|
|
|
1fed36a |
+
|
|
|
1fed36a |
domain_mmap_low_type($1_wine_t)
|
|
|
1fed36a |
tunable_policy(`mmap_low_allowed',`
|
|
|
1fed36a |
domain_mmap_low($1_wine_t)
|
|
|
1fed36a |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.32/policy/modules/apps/wine.te
|
|
|
1fed36a |
--- nsaserefpolicy/policy/modules/apps/wine.te 2010-01-06 11:05:50.000000000 +0100
|
|
|
1fed36a |
+++ serefpolicy-3.6.32/policy/modules/apps/wine.te 2010-01-11 16:01:03.000000000 +0100
|
|
|
1fed36a |
@@ -6,6 +6,15 @@
|
|
|
1fed36a |
# Declarations
|
|
|
1fed36a |
#
|
|
|
1fed36a |
|
|
|
1fed36a |
+## <desc>
|
|
|
1fed36a |
+##
|
|
|
1fed36a |
+## Ignore wine mmap_zero errors
|
|
|
1fed36a |
+##
|
|
|
1fed36a |
+## </desc>
|
|
|
1fed36a |
+#
|
|
|
1fed36a |
+gen_tunable(wine_mmap_zero_ignore, false)
|
|
|
1fed36a |
+
|
|
|
1fed36a |
+
|
|
|
1fed36a |
type wine_t;
|
|
|
1fed36a |
type wine_exec_t;
|
|
|
1fed36a |
application_domain(wine_t, wine_exec_t)
|
|
|
1fed36a |
@@ -29,6 +38,11 @@
|
|
|
1fed36a |
manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
|
|
|
1fed36a |
files_tmp_filetrans(wine_t, wine_tmp_t,{ file dir })
|
|
|
1fed36a |
|
|
|
1fed36a |
+tunable_policy(`wine_mmap_zero_ignore',`
|
|
|
1fed36a |
+ allow wine_t self:memprotect mmap_zero;
|
|
|
1fed36a |
+')
|
|
|
1fed36a |
+
|
|
|
1fed36a |
+
|
|
|
1fed36a |
domain_mmap_low_type(wine_t)
|
|
|
1fed36a |
tunable_policy(`mmap_low_allowed',`
|
|
|
1fed36a |
domain_mmap_low(wine_t)
|
|
|
738cdaf |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.32/policy/modules/kernel/devices.fc
|
|
|
738cdaf |
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-01-06 11:05:50.000000000 +0100
|
|
|
738cdaf |
+++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2010-01-09 20:39:30.000000000 +0100
|
|
|
738cdaf |
@@ -162,6 +162,8 @@
|
|
|
738cdaf |
/dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
|
|
|
738cdaf |
/dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0)
|
|
|
738cdaf |
|
|
|
738cdaf |
+/dev/uio[0-9]+ -c gen_context(system_u:object_r:userio_device_t,s0)
|
|
|
738cdaf |
+
|
|
|
738cdaf |
/dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0)
|
|
|
738cdaf |
/dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
|
|
|
738cdaf |
|
|
|
738cdaf |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.32/policy/modules/kernel/devices.if
|
|
|
738cdaf |
--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-01-06 11:05:50.000000000 +0100
|
|
|
738cdaf |
+++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2010-01-09 20:40:52.000000000 +0100
|
|
|
738cdaf |
@@ -3833,6 +3833,24 @@
|
|
|
738cdaf |
write_chr_files_pattern($1, device_t, v4l_device_t)
|
|
|
738cdaf |
')
|
|
|
738cdaf |
|
|
|
738cdaf |
+#####################################
|
|
|
738cdaf |
+## <summary>
|
|
|
738cdaf |
+## Read or write userio device.
|
|
|
738cdaf |
+## </summary>
|
|
|
738cdaf |
+## <param name="domain">
|
|
|
738cdaf |
+## <summary>
|
|
|
738cdaf |
+## Domain allowed access.
|
|
|
738cdaf |
+## </summary>
|
|
|
738cdaf |
+## </param>
|
|
|
738cdaf |
+#
|
|
|
738cdaf |
+interface(`dev_rw_userio_dev',`
|
|
|
738cdaf |
+ gen_require(`
|
|
|
738cdaf |
+ type device_t, userio_device_t;
|
|
|
738cdaf |
+ ')
|
|
|
738cdaf |
+
|
|
|
738cdaf |
+ rw_chr_files_pattern($1, device_t, userio_device_t)
|
|
|
738cdaf |
+')
|
|
|
738cdaf |
+
|
|
|
738cdaf |
########################################
|
|
|
738cdaf |
## <summary>
|
|
|
738cdaf |
## Read and write VMWare devices.
|
|
|
738cdaf |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.32/policy/modules/kernel/devices.te
|
|
|
738cdaf |
--- nsaserefpolicy/policy/modules/kernel/devices.te 2010-01-06 11:05:50.000000000 +0100
|
|
|
738cdaf |
+++ serefpolicy-3.6.32/policy/modules/kernel/devices.te 2010-01-09 20:38:38.000000000 +0100
|
|
|
738cdaf |
@@ -233,6 +233,12 @@
|
|
|
738cdaf |
type usb_device_t;
|
|
|
738cdaf |
dev_node(usb_device_t)
|
|
|
738cdaf |
|
|
|
738cdaf |
+#
|
|
|
738cdaf |
+# userio_device_t is the type for /dev/uio[0-9]+
|
|
|
738cdaf |
+#
|
|
|
738cdaf |
+type userio_device_t;
|
|
|
738cdaf |
+dev_node(userio_device_t)
|
|
|
738cdaf |
+
|
|
|
738cdaf |
type v4l_device_t;
|
|
|
738cdaf |
dev_node(v4l_device_t)
|
|
|
738cdaf |
|
|
|
e0dd172 |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
|
|
|
e0dd172 |
--- nsaserefpolicy/policy/modules/services/abrt.te 2010-01-06 11:05:50.000000000 +0100
|
|
|
e0dd172 |
+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-01-08 14:42:10.000000000 +0100
|
|
|
e0dd172 |
@@ -96,6 +96,7 @@
|
|
|
e0dd172 |
corenet_tcp_connect_ftp_port(abrt_t)
|
|
|
e0dd172 |
corenet_tcp_connect_all_ports(abrt_t)
|
|
|
e0dd172 |
|
|
|
e0dd172 |
+dev_getattr_all_chr_files(abrt_t)
|
|
|
e0dd172 |
dev_read_urand(abrt_t)
|
|
|
e0dd172 |
dev_rw_sysfs(abrt_t)
|
|
|
e0dd172 |
dev_dontaudit_read_memory_dev(abrt_t)
|
|
|
1f5c71f |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if
|
|
|
1f5c71f |
--- nsaserefpolicy/policy/modules/services/apache.if 2010-01-06 11:05:50.000000000 +0100
|
|
|
738cdaf |
+++ serefpolicy-3.6.32/policy/modules/services/apache.if 2010-01-10 20:47:24.000000000 +0100
|
|
|
1f5c71f |
@@ -16,6 +16,7 @@
|
|
|
1f5c71f |
attribute httpd_exec_scripts;
|
|
|
1f5c71f |
attribute httpd_script_exec_type;
|
|
|
1f5c71f |
type httpd_t, httpd_suexec_t, httpd_log_t;
|
|
|
738cdaf |
+ type httpd_sys_content_t;
|
|
|
1f5c71f |
')
|
|
|
1f5c71f |
#This type is for webpages
|
|
|
1f5c71f |
type httpd_$1_content_t;
|
|
|
1f5c71f |
@@ -123,6 +124,8 @@
|
|
|
1f5c71f |
allow httpd_t httpd_$1_content_t:dir list_dir_perms;
|
|
|
1f5c71f |
read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
|
|
|
1f5c71f |
read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
|
|
|
1f5c71f |
+
|
|
|
1f5c71f |
+ allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms;
|
|
|
1f5c71f |
')
|
|
|
1f5c71f |
|
|
|
1f5c71f |
tunable_policy(`httpd_enable_cgi',`
|
|
|
1f5c71f |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.6.32/policy/modules/services/apcupsd.te
|
|
|
1f5c71f |
--- nsaserefpolicy/policy/modules/services/apcupsd.te 2009-09-16 16:01:19.000000000 +0200
|
|
|
1f5c71f |
+++ serefpolicy-3.6.32/policy/modules/services/apcupsd.te 2010-01-06 13:06:31.000000000 +0100
|
|
|
1f5c71f |
@@ -31,7 +31,7 @@
|
|
|
1f5c71f |
#
|
|
|
1f5c71f |
|
|
|
1f5c71f |
allow apcupsd_t self:capability { dac_override setgid sys_tty_config };
|
|
|
1f5c71f |
-allow apcupsd_t self:process signal;
|
|
|
1f5c71f |
+allow apcupsd_t self:process { signal signull };
|
|
|
1f5c71f |
allow apcupsd_t self:fifo_file rw_file_perms;
|
|
|
1f5c71f |
allow apcupsd_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
1f5c71f |
allow apcupsd_t self:tcp_socket create_stream_socket_perms;
|
|
|
e0dd172 |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.32/policy/modules/services/cups.te
|
|
|
e0dd172 |
--- nsaserefpolicy/policy/modules/services/cups.te 2010-01-06 11:05:50.000000000 +0100
|
|
|
e0dd172 |
+++ serefpolicy-3.6.32/policy/modules/services/cups.te 2010-01-08 20:32:23.000000000 +0100
|
|
|
e0dd172 |
@@ -555,6 +555,7 @@
|
|
|
e0dd172 |
logging_send_syslog_msg(cupsd_lpd_t)
|
|
|
e0dd172 |
|
|
|
e0dd172 |
miscfiles_read_localization(cupsd_lpd_t)
|
|
|
e0dd172 |
+miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
|
|
|
e0dd172 |
|
|
|
e0dd172 |
cups_stream_connect(cupsd_lpd_t)
|
|
|
e0dd172 |
|
|
|
e0dd172 |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te
|
|
|
e0dd172 |
--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-01-06 11:05:50.000000000 +0100
|
|
|
738cdaf |
+++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2010-01-10 20:48:24.000000000 +0100
|
|
|
e0dd172 |
@@ -276,7 +276,11 @@
|
|
|
e0dd172 |
mta_manage_spool(dovecot_deliver_t)
|
|
|
e0dd172 |
')
|
|
|
e0dd172 |
|
|
|
e0dd172 |
+
|
|
|
e0dd172 |
+
|
|
|
e0dd172 |
tunable_policy(`use_nfs_home_dirs',`
|
|
|
738cdaf |
+ fs_manage_nfs_dirs(dovecot_deliver_t)
|
|
|
738cdaf |
+ fs_manage_nfs_dirs(dovecot_t)
|
|
|
e0dd172 |
fs_manage_nfs_files(dovecot_deliver_t)
|
|
|
e0dd172 |
fs_manage_nfs_symlinks(dovecot_deliver_t)
|
|
|
e0dd172 |
fs_manage_nfs_files(dovecot_t)
|
|
|
e0dd172 |
@@ -284,6 +288,8 @@
|
|
|
e0dd172 |
')
|
|
|
e0dd172 |
|
|
|
e0dd172 |
tunable_policy(`use_samba_home_dirs',`
|
|
|
738cdaf |
+ fs_manage_cifs_dirs(dovecot_deliver_t)
|
|
|
738cdaf |
+ fs_manage_cifs_dirs(dovecot_t)
|
|
|
e0dd172 |
fs_manage_cifs_files(dovecot_deliver_t)
|
|
|
e0dd172 |
fs_manage_cifs_symlinks(dovecot_deliver_t)
|
|
|
e0dd172 |
fs_manage_cifs_files(dovecot_t)
|
|
|
e0dd172 |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.6.32/policy/modules/services/fail2ban.if
|
|
|
e0dd172 |
--- nsaserefpolicy/policy/modules/services/fail2ban.if 2010-01-06 11:05:50.000000000 +0100
|
|
|
e0dd172 |
+++ serefpolicy-3.6.32/policy/modules/services/fail2ban.if 2010-01-08 16:30:32.000000000 +0100
|
|
|
e0dd172 |
@@ -138,6 +138,24 @@
|
|
|
e0dd172 |
dontaudit $1 fail2ban_t:unix_stream_socket { read write };
|
|
|
e0dd172 |
')
|
|
|
e0dd172 |
|
|
|
e0dd172 |
+#######################################
|
|
|
e0dd172 |
+## <summary>
|
|
|
e0dd172 |
+## Read and write to an fail2ban unix stream socket.
|
|
|
e0dd172 |
+## </summary>
|
|
|
e0dd172 |
+## <param name="domain">
|
|
|
e0dd172 |
+## <summary>
|
|
|
e0dd172 |
+## Domain allowed access.
|
|
|
e0dd172 |
+## </summary>
|
|
|
e0dd172 |
+## </param>
|
|
|
e0dd172 |
+#
|
|
|
e0dd172 |
+interface(`fail2ban_rw_stream_sockets',`
|
|
|
e0dd172 |
+ gen_require(`
|
|
|
e0dd172 |
+ type fail2ban_t;
|
|
|
e0dd172 |
+ ')
|
|
|
e0dd172 |
+
|
|
|
e0dd172 |
+ allow $1 fail2ban_t:unix_stream_socket { getattr read write ioctl };
|
|
|
e0dd172 |
+')
|
|
|
e0dd172 |
+
|
|
|
e0dd172 |
########################################
|
|
|
e0dd172 |
## <summary>
|
|
|
e0dd172 |
## All of the rules required to administrate
|
|
|
e0dd172 |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.32/policy/modules/services/nagios.fc
|
|
|
e0dd172 |
--- nsaserefpolicy/policy/modules/services/nagios.fc 2010-01-06 11:05:50.000000000 +0100
|
|
|
8ad564f |
+++ serefpolicy-3.6.32/policy/modules/services/nagios.fc 2010-01-11 12:37:36.000000000 +0100
|
|
|
8ad564f |
@@ -27,26 +27,62 @@
|
|
|
e0dd172 |
|
|
|
e0dd172 |
# check disk plugins
|
|
|
e0dd172 |
/usr/lib(64)?/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
|
|
|
738cdaf |
+/usr/lib(64)?/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
|
|
|
e0dd172 |
/usr/lib(64)?/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
|
|
|
738cdaf |
+/usr/lib(64)?/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
|
|
|
e0dd172 |
|
|
|
e0dd172 |
# system plugins
|
|
|
e0dd172 |
-/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
|
738cdaf |
+/usr/lib(64)?/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
|
738cdaf |
+/usr/lib(64)?/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
|
e0dd172 |
/usr/lib(64)?/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
|
738cdaf |
+/usr/lib(64)?/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
|
738cdaf |
+/usr/lib(64)?/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
|
738cdaf |
+/usr/lib(64)?/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
|
738cdaf |
+/usr/lib(64)?/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
|
e0dd172 |
/usr/lib(64)?/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
|
738cdaf |
+/usr/lib(64)?/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
|
738cdaf |
+/usr/lib(64)?/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
|
738cdaf |
+/usr/lib(64)?/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
|
e0dd172 |
/usr/lib(64)?/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
|
738cdaf |
+/usr/lib(64)?/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
|
738cdaf |
+/usr/lib(64)?/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
|
e0dd172 |
/usr/lib(64)?/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
|
e0dd172 |
/usr/lib(64)?/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
|
738cdaf |
+/usr/lib(64)?/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
|
738cdaf |
+/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
|
738cdaf |
+/usr/lib(64)?/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
|
e0dd172 |
|
|
|
e0dd172 |
# services plugins
|
|
|
e0dd172 |
/usr/lib(64)?/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
|
e0dd172 |
/usr/lib(64)?/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
|
738cdaf |
+/usr/lib(64)?/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
|
e0dd172 |
/usr/lib(64)?/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
|
738cdaf |
+/usr/lib(64)?/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
|
738cdaf |
+/usr/lib(64)?/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
|
738cdaf |
+/usr/lib(64)?/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
|
e0dd172 |
/usr/lib(64)?/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
|
738cdaf |
+/usr/lib(64)?/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
|
738cdaf |
+/usr/lib(64)?/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
|
738cdaf |
+/usr/lib(64)?/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
|
e0dd172 |
/usr/lib(64)?/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
|
738cdaf |
+/usr/lib(64)?/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
|
738cdaf |
+/usr/lib(64)?/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
|
738cdaf |
+/usr/lib(64)?/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
|
e0dd172 |
/usr/lib(64)?/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
|
738cdaf |
+/usr/lib(64)?/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
|
738cdaf |
+/usr/lib(64)?/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
|
e0dd172 |
/usr/lib(64)?/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
|
738cdaf |
+/usr/lib(64)?/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
|
e0dd172 |
/usr/lib(64)?/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
|
e0dd172 |
/usr/lib(64)?/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
|
e0dd172 |
-/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
|
e0dd172 |
/usr/lib(64)?/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
|
e0dd172 |
/usr/lib(64)?/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
|
738cdaf |
+/usr/lib(64)?/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
|
738cdaf |
+/usr/lib(64)?/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
|
738cdaf |
+/usr/lib(64)?/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
|
738cdaf |
+/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
|
738cdaf |
+/usr/lib(64)?/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
|
e0dd172 |
+
|
|
|
8ad564f |
+# unconfined plugins
|
|
|
8ad564f |
+/usr/lib(64)?/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
|
|
|
8ad564f |
+
|
|
|
e0dd172 |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.32/policy/modules/services/nagios.te
|
|
|
e0dd172 |
--- nsaserefpolicy/policy/modules/services/nagios.te 2010-01-06 11:05:50.000000000 +0100
|
|
|
8ad564f |
+++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2010-01-11 12:27:10.000000000 +0100
|
|
|
8ad564f |
@@ -118,6 +118,9 @@
|
|
|
e0dd172 |
corenet_udp_sendrecv_all_ports(nagios_t)
|
|
|
e0dd172 |
corenet_tcp_connect_all_ports(nagios_t)
|
|
|
e0dd172 |
|
|
|
738cdaf |
+corenet_dontaudit_tcp_bind_all_reserved_ports(nagios_t)
|
|
|
738cdaf |
+corenet_dontaudit_udp_bind_all_reserved_ports(nagios_t)
|
|
|
e0dd172 |
+
|
|
|
e0dd172 |
dev_read_sysfs(nagios_t)
|
|
|
e0dd172 |
dev_read_urand(nagios_t)
|
|
|
e0dd172 |
|
|
|
1fed36a |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.32/policy/modules/services/openvpn.te
|
|
|
1fed36a |
--- nsaserefpolicy/policy/modules/services/openvpn.te 2010-01-06 11:05:50.000000000 +0100
|
|
|
1fed36a |
+++ serefpolicy-3.6.32/policy/modules/services/openvpn.te 2010-01-11 15:49:03.000000000 +0100
|
|
|
1fed36a |
@@ -85,6 +85,7 @@
|
|
|
1fed36a |
corenet_udp_bind_generic_node(openvpn_t)
|
|
|
1fed36a |
corenet_tcp_bind_openvpn_port(openvpn_t)
|
|
|
1fed36a |
corenet_udp_bind_openvpn_port(openvpn_t)
|
|
|
1fed36a |
+corenet_tcp_bind_http_port(openvpn_t)
|
|
|
1fed36a |
corenet_tcp_connect_openvpn_port(openvpn_t)
|
|
|
1fed36a |
corenet_tcp_connect_http_port(openvpn_t)
|
|
|
1fed36a |
corenet_tcp_connect_http_cache_port(openvpn_t)
|
|
|
1f5c71f |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.32/policy/modules/services/postfix.te
|
|
|
1f5c71f |
--- nsaserefpolicy/policy/modules/services/postfix.te 2010-01-06 11:05:50.000000000 +0100
|
|
|
e0dd172 |
+++ serefpolicy-3.6.32/policy/modules/services/postfix.te 2010-01-08 20:27:51.000000000 +0100
|
|
|
1f5c71f |
@@ -443,6 +443,7 @@
|
|
|
1f5c71f |
|
|
|
1f5c71f |
optional_policy(`
|
|
|
1f5c71f |
spamassassin_domtrans_client(postfix_pipe_t)
|
|
|
1f5c71f |
+ spamassassin_kill_client(postfix_pipe_t)
|
|
|
1f5c71f |
')
|
|
|
1f5c71f |
|
|
|
1f5c71f |
optional_policy(`
|
|
|
e0dd172 |
@@ -486,7 +487,7 @@
|
|
|
e0dd172 |
')
|
|
|
e0dd172 |
|
|
|
e0dd172 |
optional_policy(`
|
|
|
e0dd172 |
- sendmail_dontaudit_rw_unix_stream_sockets(postfix_postdrop_t)
|
|
|
e0dd172 |
+ sendmail_rw_unix_stream_sockets(postfix_postdrop_t)
|
|
|
e0dd172 |
')
|
|
|
e0dd172 |
|
|
|
e0dd172 |
optional_policy(`
|
|
|
1f5c71f |
@@ -573,6 +574,8 @@
|
|
|
1f5c71f |
# Postfix smtp delivery local policy
|
|
|
1f5c71f |
#
|
|
|
1f5c71f |
|
|
|
1f5c71f |
+allow postfix_smtp_t self:capability { sys_chroot };
|
|
|
1f5c71f |
+
|
|
|
1f5c71f |
# connect to master process
|
|
|
1f5c71f |
stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t },postfix_master_t)
|
|
|
1f5c71f |
|
|
|
1f5c71f |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te
|
|
|
1f5c71f |
--- nsaserefpolicy/policy/modules/services/samba.te 2010-01-06 11:05:50.000000000 +0100
|
|
|
1f5c71f |
+++ serefpolicy-3.6.32/policy/modules/services/samba.te 2010-01-06 13:55:09.000000000 +0100
|
|
|
1f5c71f |
@@ -286,6 +286,8 @@
|
|
|
1f5c71f |
|
|
|
1f5c71f |
allow smbd_t winbind_t:process { signal signull };
|
|
|
1f5c71f |
|
|
|
1f5c71f |
+allow smbd_t swat_t:process signal;
|
|
|
1f5c71f |
+
|
|
|
1f5c71f |
kernel_getattr_core_if(smbd_t)
|
|
|
1f5c71f |
kernel_getattr_message_if(smbd_t)
|
|
|
1f5c71f |
kernel_read_network_state(smbd_t)
|
|
|
1f5c71f |
@@ -485,6 +487,8 @@
|
|
|
1f5c71f |
|
|
|
1f5c71f |
manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
|
|
|
1f5c71f |
|
|
|
1f5c71f |
+allow nmbd_t swat_t:process signal;
|
|
|
1f5c71f |
+
|
|
|
1f5c71f |
allow nmbd_t smbcontrol_t:process signal;
|
|
|
1f5c71f |
|
|
|
1f5c71f |
allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
|
|
|
1f5c71f |
@@ -661,6 +665,7 @@
|
|
|
1f5c71f |
allow swat_t self:udp_socket create_socket_perms;
|
|
|
1f5c71f |
allow swat_t self:unix_stream_socket connectto;
|
|
|
1f5c71f |
|
|
|
1f5c71f |
+samba_domtrans_nmbd(swat_t)
|
|
|
1f5c71f |
allow swat_t nmbd_t:process { signal signull };
|
|
|
1f5c71f |
|
|
|
1f5c71f |
allow swat_t nmbd_exec_t:file mmap_file_perms;
|
|
|
e0dd172 |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.32/policy/modules/services/sendmail.te
|
|
|
e0dd172 |
--- nsaserefpolicy/policy/modules/services/sendmail.te 2010-01-06 11:05:50.000000000 +0100
|
|
|
e0dd172 |
+++ serefpolicy-3.6.32/policy/modules/services/sendmail.te 2010-01-08 16:31:13.000000000 +0100
|
|
|
e0dd172 |
@@ -136,6 +136,8 @@
|
|
|
e0dd172 |
|
|
|
e0dd172 |
optional_policy(`
|
|
|
e0dd172 |
fail2ban_read_lib_files(sendmail_t)
|
|
|
e0dd172 |
+ fail2ban_rw_stream_sockets(sendmail_t)
|
|
|
e0dd172 |
+
|
|
|
e0dd172 |
')
|
|
|
e0dd172 |
|
|
|
e0dd172 |
optional_policy(`
|
|
|
1f5c71f |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.32/policy/modules/services/snmp.te
|
|
|
1f5c71f |
--- nsaserefpolicy/policy/modules/services/snmp.te 2010-01-06 11:05:50.000000000 +0100
|
|
|
1f5c71f |
+++ serefpolicy-3.6.32/policy/modules/services/snmp.te 2010-01-06 15:41:37.000000000 +0100
|
|
|
1f5c71f |
@@ -27,7 +27,7 @@
|
|
|
1f5c71f |
#
|
|
|
1f5c71f |
allow snmpd_t self:capability { dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };
|
|
|
1f5c71f |
dontaudit snmpd_t self:capability { sys_module sys_tty_config };
|
|
|
1f5c71f |
-allow snmpd_t self:process { signal_perms getsched setsched };
|
|
|
1f5c71f |
+allow snmpd_t self:process { signal signal_perms getsched setsched };
|
|
|
1f5c71f |
allow snmpd_t self:fifo_file rw_fifo_file_perms;
|
|
|
1f5c71f |
allow snmpd_t self:unix_dgram_socket create_socket_perms;
|
|
|
1f5c71f |
allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
1f5c71f |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.32/policy/modules/services/spamassassin.if
|
|
|
1f5c71f |
--- nsaserefpolicy/policy/modules/services/spamassassin.if 2010-01-06 11:05:50.000000000 +0100
|
|
|
1f5c71f |
+++ serefpolicy-3.6.32/policy/modules/services/spamassassin.if 2010-01-06 15:40:10.000000000 +0100
|
|
|
1f5c71f |
@@ -267,6 +267,24 @@
|
|
|
1f5c71f |
stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
|
|
|
1f5c71f |
')
|
|
|
1f5c71f |
|
|
|
1f5c71f |
+######################################
|
|
|
1f5c71f |
+## <summary>
|
|
|
1f5c71f |
+## Send kill signal to spamassassin client
|
|
|
1f5c71f |
+## </summary>
|
|
|
1f5c71f |
+## <param name="domain">
|
|
|
1f5c71f |
+## <summary>
|
|
|
1f5c71f |
+## Domain allowed access.
|
|
|
1f5c71f |
+## </summary>
|
|
|
1f5c71f |
+## </param>
|
|
|
1f5c71f |
+#
|
|
|
1f5c71f |
+interface(`spamassassin_kill_client',`
|
|
|
1f5c71f |
+ gen_require(`
|
|
|
1f5c71f |
+ type spamc_t;
|
|
|
1f5c71f |
+ ')
|
|
|
1f5c71f |
+
|
|
|
1f5c71f |
+ allow $1 spamc_t:process sigkill;
|
|
|
1f5c71f |
+')
|
|
|
1f5c71f |
+
|
|
|
1f5c71f |
########################################
|
|
|
1f5c71f |
## <summary>
|
|
|
1f5c71f |
## All of the rules required to administrate
|
|
|
8ad564f |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.32/policy/modules/services/sssd.if
|
|
|
8ad564f |
--- nsaserefpolicy/policy/modules/services/sssd.if 2010-01-06 11:05:50.000000000 +0100
|
|
|
8ad564f |
+++ serefpolicy-3.6.32/policy/modules/services/sssd.if 2010-01-11 13:46:50.000000000 +0100
|
|
|
8ad564f |
@@ -95,6 +95,25 @@
|
|
|
8ad564f |
files_search_var_lib($1)
|
|
|
8ad564f |
')
|
|
|
8ad564f |
|
|
|
8ad564f |
+#######################################
|
|
|
8ad564f |
+## <summary>
|
|
|
8ad564f |
+## Dontaudit search sssd lib directories.
|
|
|
8ad564f |
+## </summary>
|
|
|
8ad564f |
+## <param name="domain">
|
|
|
8ad564f |
+## <summary>
|
|
|
8ad564f |
+## Domain allowed access.
|
|
|
8ad564f |
+## </summary>
|
|
|
8ad564f |
+## </param>
|
|
|
8ad564f |
+#
|
|
|
8ad564f |
+interface(`sssd_dontaudit_search_lib',`
|
|
|
8ad564f |
+ gen_require(`
|
|
|
8ad564f |
+ type sssd_var_lib_t;
|
|
|
8ad564f |
+ ')
|
|
|
8ad564f |
+
|
|
|
8ad564f |
+ dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
|
|
|
8ad564f |
+ files_search_var_lib($1)
|
|
|
8ad564f |
+')
|
|
|
8ad564f |
+
|
|
|
8ad564f |
########################################
|
|
|
8ad564f |
## <summary>
|
|
|
8ad564f |
## Read sssd lib files.
|
|
|
1f5c71f |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te
|
|
|
1f5c71f |
--- nsaserefpolicy/policy/modules/services/virt.te 2010-01-06 11:05:50.000000000 +0100
|
|
|
8ad564f |
+++ serefpolicy-3.6.32/policy/modules/services/virt.te 2010-01-11 13:32:35.000000000 +0100
|
|
|
8ad564f |
@@ -226,7 +226,7 @@
|
|
|
8ad564f |
sysnet_domtrans_ifconfig(virtd_t)
|
|
|
8ad564f |
sysnet_read_config(virtd_t)
|
|
|
8ad564f |
|
|
|
8ad564f |
-userdom_dontaudit_list_admin_dir(virtd_t)
|
|
|
8ad564f |
+userdom_list_admin_dir(virtd_t)
|
|
|
8ad564f |
userdom_getattr_all_users(virtd_t)
|
|
|
8ad564f |
userdom_list_user_home_content(virtd_t)
|
|
|
8ad564f |
userdom_read_all_users_state(virtd_t)
|
|
|
1f5c71f |
@@ -430,6 +430,8 @@
|
|
|
1f5c71f |
corenet_tcp_connect_virt_migration_port(virt_domain)
|
|
|
1f5c71f |
|
|
|
1f5c71f |
dev_read_sound(virt_domain)
|
|
|
1f5c71f |
+dev_read_rand(virt_domain)
|
|
|
1f5c71f |
+dev_read_urand(virt_domain)
|
|
|
1f5c71f |
dev_write_sound(virt_domain)
|
|
|
1f5c71f |
dev_rw_ksm(virt_domain)
|
|
|
1f5c71f |
dev_rw_kvm(virt_domain)
|
|
|
e0dd172 |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc
|
|
|
e0dd172 |
--- nsaserefpolicy/policy/modules/services/xserver.fc 2010-01-06 11:05:50.000000000 +0100
|
|
|
e0dd172 |
+++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2010-01-08 14:49:31.000000000 +0100
|
|
|
e0dd172 |
@@ -65,6 +65,8 @@
|
|
|
e0dd172 |
/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
|
|
e0dd172 |
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
|
|
e0dd172 |
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
|
|
|
e0dd172 |
+/usr/bin/lxdm -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
|
|
e0dd172 |
+/usr/bin/lxdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
|
|
e0dd172 |
/usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
|
|
e0dd172 |
/usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
|
|
e0dd172 |
/usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
|
|
e0dd172 |
@@ -105,6 +107,7 @@
|
|
|
e0dd172 |
/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
|
|
|
e0dd172 |
/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
|
|
|
e0dd172 |
/var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
|
|
|
e0dd172 |
+/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
|
|
|
e0dd172 |
/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
|
|
|
e0dd172 |
|
|
|
e0dd172 |
/var/spool/gdm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0)
|
|
|
e0dd172 |
@@ -116,6 +119,7 @@
|
|
|
e0dd172 |
/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
|
|
|
e0dd172 |
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
|
|
|
e0dd172 |
/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
|
|
|
e0dd172 |
+/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
|
|
|
e0dd172 |
/var/run/slim\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
|
|
|
e0dd172 |
|
|
|
e0dd172 |
/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
|
|
|
e0dd172 |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
|
|
|
e0dd172 |
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-01-06 11:05:50.000000000 +0100
|
|
|
e0dd172 |
+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-01-08 14:07:19.000000000 +0100
|
|
|
e0dd172 |
@@ -301,6 +301,8 @@
|
|
|
e0dd172 |
manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
|
|
|
e0dd172 |
files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
|
|
|
e0dd172 |
|
|
|
e0dd172 |
+allow xauth_t xserver_t:unix_stream_socket connectto;
|
|
|
e0dd172 |
+
|
|
|
e0dd172 |
domain_use_interactive_fds(xauth_t)
|
|
|
e0dd172 |
|
|
|
e0dd172 |
dev_rw_xserver_misc(xauth_t)
|
|
|
738cdaf |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.6.32/policy/modules/system/iscsi.fc
|
|
|
738cdaf |
--- nsaserefpolicy/policy/modules/system/iscsi.fc 2009-09-16 16:01:19.000000000 +0200
|
|
|
738cdaf |
+++ serefpolicy-3.6.32/policy/modules/system/iscsi.fc 2010-01-09 20:37:29.000000000 +0100
|
|
|
738cdaf |
@@ -1,3 +1,5 @@
|
|
|
738cdaf |
+
|
|
|
738cdaf |
+/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
|
|
|
738cdaf |
/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
|
|
|
738cdaf |
|
|
|
738cdaf |
/var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0)
|
|
|
738cdaf |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.32/policy/modules/system/iscsi.te
|
|
|
738cdaf |
--- nsaserefpolicy/policy/modules/system/iscsi.te 2010-01-06 11:05:50.000000000 +0100
|
|
|
738cdaf |
+++ serefpolicy-3.6.32/policy/modules/system/iscsi.te 2010-01-09 20:37:11.000000000 +0100
|
|
|
738cdaf |
@@ -35,10 +35,13 @@
|
|
|
738cdaf |
allow iscsid_t self:unix_dgram_socket create_socket_perms;
|
|
|
738cdaf |
allow iscsid_t self:sem create_sem_perms;
|
|
|
738cdaf |
allow iscsid_t self:shm create_shm_perms;
|
|
|
738cdaf |
+allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
|
738cdaf |
allow iscsid_t self:netlink_socket create_socket_perms;
|
|
|
738cdaf |
allow iscsid_t self:netlink_route_socket rw_netlink_socket_perms;
|
|
|
738cdaf |
allow iscsid_t self:tcp_socket create_stream_socket_perms;
|
|
|
738cdaf |
|
|
|
738cdaf |
+can_exec(iscsid_t, iscsid_exec_t)
|
|
|
738cdaf |
+
|
|
|
738cdaf |
manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t)
|
|
|
738cdaf |
files_lock_filetrans(iscsid_t, iscsi_lock_t, file)
|
|
|
738cdaf |
|
|
|
738cdaf |
@@ -67,6 +70,7 @@
|
|
|
738cdaf |
corenet_tcp_connect_isns_port(iscsid_t)
|
|
|
738cdaf |
|
|
|
738cdaf |
dev_rw_sysfs(iscsid_t)
|
|
|
738cdaf |
+dev_rw_userio_dev(iscsid_t)
|
|
|
738cdaf |
|
|
|
738cdaf |
domain_use_interactive_fds(iscsid_t)
|
|
|
738cdaf |
domain_read_all_domains_state(iscsid_t)
|
|
|
1f5c71f |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc
|
|
|
1f5c71f |
--- nsaserefpolicy/policy/modules/system/libraries.fc 2010-01-06 11:05:50.000000000 +0100
|
|
|
e0dd172 |
+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-01-08 20:06:50.000000000 +0100
|
|
|
1f5c71f |
@@ -245,6 +245,7 @@
|
|
|
1f5c71f |
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
|
|
|
1f5c71f |
/usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
|
|
1f5c71f |
/usr/local(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
|
|
1f5c71f |
+/usr/local/lib(64)?/codecs/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
|
|
1f5c71f |
/usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
|
|
1f5c71f |
|
|
|
1f5c71f |
HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
|
|
e0dd172 |
@@ -433,8 +434,13 @@
|
|
|
e0dd172 |
/usr/lib(64)?/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
|
|
e0dd172 |
|
|
|
e0dd172 |
/opt/AutoScan/usr/lib/libvte\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
|
|
e0dd172 |
+/opt/lampp/lib/libsybdb\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
|
|
e0dd172 |
+/opt/Unify/SQLBase/libgptsblmsui11.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
|
|
e0dd172 |
|
|
|
e0dd172 |
/usr/bin/bsnes -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
|
|
e0dd172 |
|
|
|
e0dd172 |
/usr/lib/firefox/plugins/libractrl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
|
|
e0dd172 |
/usr/lib(64)?/libGLcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
|
|
e0dd172 |
+
|
|
|
e0dd172 |
+/usr/lib(64)?/libkmplayercommon\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
|
|
e0dd172 |
+
|
|
|
e0dd172 |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.32/policy/modules/system/miscfiles.if
|
|
|
e0dd172 |
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2010-01-06 11:05:51.000000000 +0100
|
|
|
e0dd172 |
+++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if 2010-01-08 20:32:11.000000000 +0100
|
|
|
e0dd172 |
@@ -618,3 +618,22 @@
|
|
|
e0dd172 |
manage_lnk_files_pattern($1, locale_t, locale_t)
|
|
|
e0dd172 |
')
|
|
|
e0dd172 |
|
|
|
e0dd172 |
+#######################################
|
|
|
e0dd172 |
+## <summary>
|
|
|
e0dd172 |
+## Set the attributes on a fonts cache directory.
|
|
|
e0dd172 |
+## </summary>
|
|
|
e0dd172 |
+## <param name="domain">
|
|
|
e0dd172 |
+## <summary>
|
|
|
e0dd172 |
+## Domain allowed access.
|
|
|
e0dd172 |
+## </summary>
|
|
|
e0dd172 |
+## </param>
|
|
|
e0dd172 |
+## <rolecap/>
|
|
|
e0dd172 |
+#
|
|
|
e0dd172 |
+interface(`miscfiles_setattr_fonts_cache_dirs',`
|
|
|
e0dd172 |
+ gen_require(`
|
|
|
e0dd172 |
+ type fonts_cache_t;
|
|
|
e0dd172 |
+ ')
|
|
|
e0dd172 |
+
|
|
|
e0dd172 |
+ allow $1 fonts_cache_t:dir setattr;
|
|
|
e0dd172 |
+')
|
|
|
e0dd172 |
+
|
|
|
1fed36a |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.32/policy/modules/system/mount.te
|
|
|
1fed36a |
--- nsaserefpolicy/policy/modules/system/mount.te 2010-01-06 11:05:51.000000000 +0100
|
|
|
1fed36a |
+++ serefpolicy-3.6.32/policy/modules/system/mount.te 2010-01-11 15:53:37.000000000 +0100
|
|
|
1fed36a |
@@ -181,6 +181,7 @@
|
|
|
1fed36a |
auth_read_all_dirs_except_shadow(mount_t)
|
|
|
1fed36a |
auth_read_all_files_except_shadow(mount_t)
|
|
|
1fed36a |
files_mounton_non_security(mount_t)
|
|
|
1fed36a |
+ files_rw_all_inherited_files(mount_t)
|
|
|
1fed36a |
')
|
|
|
1fed36a |
|
|
|
1fed36a |
optional_policy(`
|
|
|
e0dd172 |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.32/policy/modules/system/unconfined.if
|
|
|
e0dd172 |
--- nsaserefpolicy/policy/modules/system/unconfined.if 2010-01-06 11:05:51.000000000 +0100
|
|
|
e0dd172 |
+++ serefpolicy-3.6.32/policy/modules/system/unconfined.if 2010-01-08 16:35:49.000000000 +0100
|
|
|
e0dd172 |
@@ -21,6 +21,8 @@
|
|
|
e0dd172 |
allow $1 self:capability all_capabilities;
|
|
|
e0dd172 |
allow $1 self:fifo_file manage_fifo_file_perms;
|
|
|
e0dd172 |
|
|
|
e0dd172 |
+ allow $1 self:socket_class_set create_socket_perms;
|
|
|
e0dd172 |
+
|
|
|
e0dd172 |
# Transition to myself, to make get_ordered_context_list happy.
|
|
|
e0dd172 |
allow $1 self:process transition;
|
|
|
e0dd172 |
|
|
|
e0dd172 |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.32/policy/modules/system/userdomain.fc
|
|
|
e0dd172 |
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2010-01-06 11:05:51.000000000 +0100
|
|
|
e0dd172 |
+++ serefpolicy-3.6.32/policy/modules/system/userdomain.fc 2010-01-07 16:46:35.000000000 +0100
|
|
|
e0dd172 |
@@ -6,4 +6,5 @@
|
|
|
e0dd172 |
/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0)
|
|
|
e0dd172 |
/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
|
|
|
e0dd172 |
HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
|
|
|
e0dd172 |
+HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
|
|
|
e0dd172 |
HOME_DIR/\.gvfs(/.*)? <<none>>
|
|
|
8ad564f |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
|
|
|
8ad564f |
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-01-06 11:05:51.000000000 +0100
|
|
|
8ad564f |
+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2010-01-11 13:53:41.000000000 +0100
|
|
|
8ad564f |
@@ -3631,6 +3631,24 @@
|
|
|
8ad564f |
|
|
|
8ad564f |
########################################
|
|
|
8ad564f |
## <summary>
|
|
|
8ad564f |
+## Allow domain to list /root
|
|
|
8ad564f |
+## </summary>
|
|
|
8ad564f |
+## <param name="domain">
|
|
|
8ad564f |
+## <summary>
|
|
|
8ad564f |
+## Domain allowed access.
|
|
|
8ad564f |
+## </summary>
|
|
|
8ad564f |
+## </param>
|
|
|
8ad564f |
+#
|
|
|
8ad564f |
+interface(`userdom_list_admin_dir',`
|
|
|
8ad564f |
+ gen_require(`
|
|
|
8ad564f |
+ type admin_home_t;
|
|
|
8ad564f |
+ ')
|
|
|
8ad564f |
+
|
|
|
8ad564f |
+ allow $1 admin_home_t:dir list_dir_perms;
|
|
|
8ad564f |
+')
|
|
|
8ad564f |
+
|
|
|
8ad564f |
+########################################
|
|
|
8ad564f |
+## <summary>
|
|
|
8ad564f |
## Allow Search /root
|
|
|
8ad564f |
## </summary>
|
|
|
8ad564f |
## <param name="domain">
|
|
|
e0dd172 |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.32/policy/modules/system/xen.te
|
|
|
e0dd172 |
--- nsaserefpolicy/policy/modules/system/xen.te 2010-01-06 11:05:51.000000000 +0100
|
|
|
738cdaf |
+++ serefpolicy-3.6.32/policy/modules/system/xen.te 2010-01-09 20:35:37.000000000 +0100
|
|
|
738cdaf |
@@ -248,6 +248,7 @@
|
|
|
e0dd172 |
#
|
|
|
e0dd172 |
|
|
|
e0dd172 |
allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
|
|
|
e0dd172 |
+allow xenconsoled_t self:process setrlimit;
|
|
|
e0dd172 |
allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
e0dd172 |
allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
|
|
|
e0dd172 |
|
|
|
e0dd172 |
@@ -268,6 +269,7 @@
|
|
|
e0dd172 |
|
|
|
e0dd172 |
domain_dontaudit_ptrace_all_domains(xenconsoled_t)
|
|
|
e0dd172 |
|
|
|
e0dd172 |
+files_read_etc_files(xenconsoled_t)
|
|
|
e0dd172 |
files_read_usr_files(xenconsoled_t)
|
|
|
e0dd172 |
|
|
|
e0dd172 |
fs_list_tmpfs(xenconsoled_t)
|
|
|
e0dd172 |
@@ -286,6 +288,10 @@
|
|
|
e0dd172 |
xen_manage_log(xenconsoled_t)
|
|
|
e0dd172 |
xen_stream_connect_xenstore(xenconsoled_t)
|
|
|
e0dd172 |
|
|
|
e0dd172 |
+optional_policy(`
|
|
|
e0dd172 |
+ ptchown_domtrans(xenconsoled_t)
|
|
|
e0dd172 |
+')
|
|
|
e0dd172 |
+
|
|
|
e0dd172 |
########################################
|
|
|
e0dd172 |
#
|
|
|
e0dd172 |
# Xen store local policy
|