diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te	2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/abrt.te	2010-01-08 14:42:10.000000000 +0100
@@ -96,6 +96,7 @@
 corenet_tcp_connect_ftp_port(abrt_t)
 corenet_tcp_connect_all_ports(abrt_t)
 
+dev_getattr_all_chr_files(abrt_t)
 dev_read_urand(abrt_t)
 dev_rw_sysfs(abrt_t)
 dev_dontaudit_read_memory_dev(abrt_t)
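Review bot: `dev_getattr_all_chr_files(abrt_t)` grants stat access on every character device node, and nothing in the hunk records which device abrt actually probes. If the need is one specific device, a device-specific `dev_getattr_*` interface would keep the grant narrow; if the broad interface is really required, a comment above it such as `# abrt stats <which device — fill in> under /dev` would make the reason reviewable. getattr discloses only device numbers and ownership, so the exposure is modest, but blanket grants tend to outlive the bug that motivated them.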
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if	2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/apache.if	2010-01-06 15:16:37.000000000 +0100
@@ -16,6 +16,7 @@
 		attribute httpd_exec_scripts;
 		attribute httpd_script_exec_type;
 		type httpd_t, httpd_suexec_t, httpd_log_t;
+        type httpd_sys_content_t;
 	')
 	#This type is for webpages
 	type httpd_$1_content_t;
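Review bot: The added `type httpd_sys_content_t;` line is indented with eight spaces while the rest of the gen_require block uses tabs, so the block now mixes both styles. The refpolicy tree indents with tabs throughout; the same space-indented additions appear in the second apache.if hunk, dovecot.te, fail2ban.if, postfix.te (the `spamassassin_kill_client` call), sendmail.te, spamassassin.if, miscfiles.if, unconfined.if and the xen.te `optional_policy` block (three spaces). One pass converting the leading spaces to tabs before submission would keep the files uniform.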
@@ -123,6 +124,8 @@
 		allow httpd_t httpd_$1_content_t:dir list_dir_perms;
 		read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
 		read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+
+        allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms;
 	')
 
 	tunable_policy(`httpd_enable_cgi',`
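Review bot: The new `allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms;` sits inside a block whose opening guard is above the hunk, so it cannot be seen here whether it is conditional on the same tunable as the `httpd_t` read rules around it. Because the content template is instantiated once per prefix, the rule gives every generated script domain directory search over the system web content regardless of prefix, which widens what a per-prefix CGI domain can enumerate. A comment stating the reason (for example scripts resolving paths under the document root) would keep it from being mistaken for a copy of the `httpd_t` rules above it. The enclosing template body starts and ends outside the hunk.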
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.6.32/policy/modules/services/apcupsd.te
--- nsaserefpolicy/policy/modules/services/apcupsd.te	2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/apcupsd.te	2010-01-06 13:06:31.000000000 +0100
@@ -31,7 +31,7 @@
 #
 
 allow apcupsd_t self:capability { dac_override setgid sys_tty_config };
-allow apcupsd_t self:process signal;
+allow apcupsd_t self:process { signal signull };
 allow apcupsd_t self:fifo_file rw_file_perms;
 allow apcupsd_t self:unix_stream_socket create_stream_socket_perms;
 allow apcupsd_t self:tcp_socket create_stream_socket_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.32/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te	2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/cups.te	2010-01-08 20:32:23.000000000 +0100
@@ -555,6 +555,7 @@
 logging_send_syslog_msg(cupsd_lpd_t)
 
 miscfiles_read_localization(cupsd_lpd_t)
+miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
 
 cups_stream_connect(cupsd_lpd_t)
 
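Review bot: `miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)` lets the LPD mini-server change mode, owner and timestamps on the shared fonts cache directories, a write-class permission for a network-facing daemon, and nothing explains why printing over LPD needs it. If this came from an AVC denial, it is worth confirming whether the denial was harmless (a dontaudit would then be the safer choice) or a real requirement, and recording it with a comment such as `# <library — fill in> touches fonts cache dirs when cupsd-lpd renders`. The interface itself is introduced by the miscfiles.if hunk of this same patch.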
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te	2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/dovecot.te	2010-01-08 14:24:25.000000000 +0100
@@ -276,7 +276,11 @@
 	mta_manage_spool(dovecot_deliver_t)
 ')
 
+
+
 tunable_policy(`use_nfs_home_dirs',`
+    fs_manage_nfs_dirs(dovecot_deliver_t)
+    fs_manage_nfs_dirs(dovecot_t)
 	fs_manage_nfs_files(dovecot_deliver_t)
 	fs_manage_nfs_symlinks(dovecot_deliver_t)
 	fs_manage_nfs_files(dovecot_t)
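Review bot: Two empty lines are added above the `use_nfs_home_dirs` tunable at the top of the hunk, producing three consecutive blank lines where the file otherwise uses one; the same stray blank lines appear at the end of the nagios.fc and libraries.fc hunks and before the closing `')` in sendmail.te. Dropping them keeps the diff to the substantive rules. The `fs_manage_nfs_dirs` additions themselves are consistent with the file and symlink rules already inside the same tunable.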
@@ -284,6 +288,8 @@
 ')
 
 tunable_policy(`use_samba_home_dirs',`
+    fs_manage_cifs_dirs(dovecot_deliver_t)
+    fs_manage_cifs_dirs(dovecot_t)
 	fs_manage_cifs_files(dovecot_deliver_t)
 	fs_manage_cifs_symlinks(dovecot_deliver_t)
 	fs_manage_cifs_files(dovecot_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.6.32/policy/modules/services/fail2ban.if
--- nsaserefpolicy/policy/modules/services/fail2ban.if	2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/fail2ban.if	2010-01-08 16:30:32.000000000 +0100
@@ -138,6 +138,24 @@
 	dontaudit $1 fail2ban_t:unix_stream_socket { read write };
 ')
 
+#######################################
+## <summary>
+## Read and write to an fail2ban unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fail2ban_rw_stream_sockets',`
+    gen_require(`
+        type fail2ban_t;
+    ')
+
+    allow $1 fail2ban_t:unix_stream_socket { getattr read write ioctl };
+')
+     
 ########################################
 ## <summary>
 ##	All of the rules required to administrate 
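Review bot: The interface summary says "Read and write to an fail2ban unix stream socket" but the rule also grants `getattr` and `ioctl`, and the article is wrong; `## Read and write a fail2ban unix stream socket (also getattr and ioctl).` would describe what is granted. The line after the closing `')` consists only of spaces (the same trailing-whitespace line appears after the new interface in miscfiles.if), and the header rule is 39 `#` characters where the existing header below uses 40. The explicit permission set is a reasonable narrow alternative to `rw_socket_perms`, since it omits `bind`, `connect` and the option calls.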
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.32/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc	2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/nagios.fc	2010-01-08 15:00:18.000000000 +0100
@@ -27,26 +27,59 @@
 
 # check disk plugins
 /usr/lib(64)?/nagios/plugins/check_disk  	--  	gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_disk_smb     --      gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
 /usr/lib(64)?/nagios/plugins/check_ide_smart 	--  	gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_linux_raid   --      gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
 
 # system plugins
-/usr/lib(64)?/nagios/plugins/check_users	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_breeze       --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_dummy        --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 /usr/lib(64)?/nagios/plugins/check_file_age  	--      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_flexlm       --      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ifoperstatus --      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ifstatus     --      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_load         --      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
 /usr/lib(64)?/nagios/plugins/check_log		--      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mailq        --      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mrtg         --      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mrtgtraf     --      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
 /usr/lib(64)?/nagios/plugins/check_nagios    	--      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_nwstat       --      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_overcr       --      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
 /usr/lib(64)?/nagios/plugins/check_procs  	--      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
 /usr/lib(64)?/nagios/plugins/check_sensors	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_swap         --      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_users	    --  	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_wave         --      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
 
 # services plugins
 /usr/lib(64)?/nagios/plugins/check_cluster   	--      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 /usr/lib(64)?/nagios/plugins/check_dhcp		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_dig        --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 /usr/lib(64)?/nagios/plugins/check_dns		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_game       --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_fping      --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_hpjd       --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 /usr/lib(64)?/nagios/plugins/check_http      	--      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_icmp       --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ircd       --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ldap       --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 /usr/lib(64)?/nagios/plugins/check_mysql     	--      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mysql_query --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_nrpe       --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_nt         --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 /usr/lib(64)?/nagios/plugins/check_ntp.*     	--      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_oracle     --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_pgsql      --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 /usr/lib(64)?/nagios/plugins/check_ping      	--      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_radius     --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 /usr/lib(64)?/nagios/plugins/check_real		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 /usr/lib(64)?/nagios/plugins/check_rpc       	--      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_ssh       	--      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 /usr/lib(64)?/nagios/plugins/check_tcp		--      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 /usr/lib(64)?/nagios/plugins/check_time		--      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_sip        --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_smtp       --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_snmp.*     --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ssh        --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ups        --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+
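Review bot: `check_breeze` and `check_dummy` are inserted under the `# system plugins` heading but labeled `nagios_services_plugin_exec_t`, so either the label or the placement is wrong; if they belong to the services domain they should move below `# services plugins`. Within that second group `check_game` precedes `check_fping`, and `check_sip`, `check_smtp`, `check_snmp.*` and `check_ssh` are appended after `check_time` instead of in sorted position, so the list is no longer alphabetical; `check_ssh` in particular is removed and re-added only to move it. The new entries also separate path, `--` and context with spaces where the existing lines use tabs.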
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.32/policy/modules/services/nagios.te
--- nsaserefpolicy/policy/modules/services/nagios.te	2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/nagios.te	2010-01-08 15:01:28.000000000 +0100
@@ -118,6 +118,10 @@
 corenet_udp_sendrecv_all_ports(nagios_t)
 corenet_tcp_connect_all_ports(nagios_t)
 
+# neede by rpcinfo
+corenet_dontaudit_tcp_bind_all_ports(nagios_t)
+corenet_dontaudit_udp_bind_all_ports(nagios_t)
+
 dev_read_sysfs(nagios_t)
 dev_read_urand(nagios_t)
 
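Review bot: The comment above the two dontaudit calls reads `# neede by rpcinfo`; it should be `# needed by rpcinfo`. Note also that `corenet_dontaudit_tcp_bind_all_ports` and `corenet_dontaudit_udp_bind_all_ports` only silence the log while the bind stays denied, so this is correct only if rpcinfo degrades gracefully when it cannot bind; if the check plugin actually fails, the fix is an allow for the specific port range rather than a blanket dontaudit, which would also hide future genuine bind denials on every port.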
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.32/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te	2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/postfix.te	2010-01-08 20:27:51.000000000 +0100
@@ -443,6 +443,7 @@
 
 optional_policy(`
 	spamassassin_domtrans_client(postfix_pipe_t)
+    spamassassin_kill_client(postfix_pipe_t)
 ')
 
 optional_policy(`
@@ -486,7 +487,7 @@
 ')
 
 optional_policy(`
-	sendmail_dontaudit_rw_unix_stream_sockets(postfix_postdrop_t)
+	sendmail_rw_unix_stream_sockets(postfix_postdrop_t)
 ')
 
 optional_policy(`
@@ -573,6 +574,8 @@
 # Postfix smtp delivery local policy
 #
 
+allow postfix_smtp_t self:capability { sys_chroot };
+
 # connect to master process
 stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t },postfix_master_t)
 
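Review bot: `allow postfix_smtp_t self:capability { sys_chroot };` adds `CAP_SYS_CHROOT` to an outbound-connecting daemon with no explanation; a one-line reason should accompany it, for example `# smtp client runs chrooted when chroot is enabled in master.cf` if that is the trigger. The braces around a single permission are unnecessary: `allow postfix_smtp_t self:capability sys_chroot;`. The `sendmail_dontaudit_rw_unix_stream_sockets` to `sendmail_rw_unix_stream_sockets` swap in the previous hunk turns a silenced denial into a grant and would deserve the same one-line reason.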
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te	2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/samba.te	2010-01-06 13:55:09.000000000 +0100
@@ -286,6 +286,8 @@
 
 allow smbd_t winbind_t:process { signal signull };
 
+allow smbd_t swat_t:process signal;  
+
 kernel_getattr_core_if(smbd_t)
 kernel_getattr_message_if(smbd_t)
 kernel_read_network_state(smbd_t)
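Review bot: `allow smbd_t swat_t:process signal;` carries two trailing spaces; the same trailing whitespace is on the new lines in xserver.fc (`/var/run/lxdm\.pid`), xserver.te (the `xauth_t` connectto rule), libraries.fc (`libkmplayercommon`) and miscfiles.if (`allow $1 fonts_cache_t:dir setattr;`). Stripping it avoids whitespace-only churn the next time these lines are touched. The grant itself, and the matching nmbd rule in the next hunk, is narrow and consistent with the existing smbd/winbind signal rule above it.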
@@ -485,6 +487,8 @@
 
 manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
 
+allow nmbd_t swat_t:process signal;
+
 allow nmbd_t smbcontrol_t:process signal;
 
 allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
@@ -661,6 +665,7 @@
 allow swat_t self:udp_socket create_socket_perms;
 allow swat_t self:unix_stream_socket connectto;
 
+samba_domtrans_nmbd(swat_t)
 allow swat_t nmbd_t:process { signal signull };
 
 allow swat_t nmbd_exec_t:file mmap_file_perms;
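Review bot: `samba_domtrans_nmbd(swat_t)` calls the module's own public interface from inside samba.te; the refpolicy convention is that a module uses the pattern directly rather than its own interface, here `domtrans_pattern(swat_t, nmbd_exec_t, nmbd_t)`. With the transition in place, the existing `allow swat_t nmbd_exec_t:file mmap_file_perms;` two lines below looks like it was covering swat running nmbd in its own domain and is probably now partly redundant, though it should stay until a test confirms nothing else relies on it.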
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.32/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te	2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/sendmail.te	2010-01-08 16:31:13.000000000 +0100
@@ -136,6 +136,8 @@
 
 optional_policy(`
 	fail2ban_read_lib_files(sendmail_t)
+    fail2ban_rw_stream_sockets(sendmail_t)
+
 ')
 
 optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.32/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te	2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/snmp.te	2010-01-06 15:41:37.000000000 +0100
@@ -27,7 +27,7 @@
 #
 allow snmpd_t self:capability { dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };
 dontaudit snmpd_t self:capability { sys_module sys_tty_config };
-allow snmpd_t self:process { signal_perms getsched setsched };
+allow snmpd_t self:process { signal signal_perms getsched setsched };
 allow snmpd_t self:fifo_file rw_fifo_file_perms;
 allow snmpd_t self:unix_dgram_socket create_socket_perms;
 allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
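Review bot: Adding `signal` to `{ signal_perms getsched setsched }` is a no-op, because `signal_perms` is defined in obj_perm_sets.spt as `{ sigchld sigkill sigstop signull signal }` and already contains it. If this was written in response to an AVC denial on `process signal`, the denial cannot have been for `snmpd_t` on itself, so the source and target domains in that denial should be rechecked; otherwise the line is best left as it was.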
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.32/policy/modules/services/spamassassin.if
--- nsaserefpolicy/policy/modules/services/spamassassin.if	2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/spamassassin.if	2010-01-06 15:40:10.000000000 +0100
@@ -267,6 +267,24 @@
 	stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
 ')
 
+######################################
+## <summary>
+##  Send kill signal to spamassassin client
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`spamassassin_kill_client',`
+    gen_require(`
+        type spamc_t;
+    ')
+
+    allow $1 spamc_t:process sigkill;
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to administrate 
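Review bot: The summary "Send kill signal to spamassassin client" could be made precise, since the rule grants `sigkill` only and not `signal` or `sigstop`: `## Send a SIGKILL to the spamassassin client domain.` The header rule is 38 `#` characters and the summary lines are indented with two spaces, where the interface header below uses 40 and a tab; matching the existing layout keeps the generated documentation consistent.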
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te	2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/virt.te	2010-01-06 16:09:14.000000000 +0100
@@ -430,6 +430,8 @@
 corenet_tcp_connect_virt_migration_port(virt_domain)
 
 dev_read_sound(virt_domain)
+dev_read_rand(virt_domain)
+dev_read_urand(virt_domain)
 dev_write_sound(virt_domain)
 dev_rw_ksm(virt_domain)
 dev_rw_kvm(virt_domain)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc	2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/xserver.fc	2010-01-08 14:49:31.000000000 +0100
@@ -65,6 +65,8 @@
 /usr/(s)?bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
+/usr/bin/lxdm       --  gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/lxdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/slim		--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/Xair		--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/bin/Xephyr		--	gen_context(system_u:object_r:xserver_exec_t,s0)
@@ -105,6 +107,7 @@
 /var/log/[kw]dm\.log.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/XFree86.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/Xorg.*		--	gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
 /var/log/nvidia-installer\.log.* --	gen_context(system_u:object_r:xserver_log_t,s0)
 
 /var/spool/gdm(/.*)?	 	gen_context(system_u:object_r:xdm_spool_t,s0)
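Review bot: `/var/log/lxdm\.log.*` is labeled `xdm_log_t` while the neighbouring `[kw]dm\.log.*` entries are `xserver_log_t`; both types exist in this module, but the choice decides which domain may write the file, so it is worth confirming that lxdm writes this log from the display-manager process rather than from the X server it spawns. If the label is intentional, no change is needed; if lxdm redirects the server's output there, `xserver_log_t` would be the consistent choice.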
@@ -116,6 +119,7 @@
 /var/run/[gx]dm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/xdmctl(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/xauth(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lxdm\.pid   -- gen_context(system_u:object_r:xdm_var_run_t,s0)  
 /var/run/slim\.auth	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
 
 /var/run/video.rom	--	gen_context(system_u:object_r:xserver_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te	2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/xserver.te	2010-01-08 14:07:19.000000000 +0100
@@ -301,6 +301,8 @@
 manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
 files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
 
+allow xauth_t xserver_t:unix_stream_socket connectto;  
+
 domain_use_interactive_fds(xauth_t)
 
 dev_rw_xserver_misc(xauth_t)
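Review bot: `allow xauth_t xserver_t:unix_stream_socket connectto;` is sufficient on its own only for the abstract-namespace socket; connecting through the filesystem socket under /tmp/.X11-unix additionally needs `write` on the sock_file, so the denial that motivated this should be checked to see which path xauth takes. If the filesystem path is used, the usual form is `stream_connect_pattern` with the socket file type. A comment such as `# xauth connects to the X server when <trigger — fill in>` would help the next reader, and the line has trailing spaces.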
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc	2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc	2010-01-08 20:06:50.000000000 +0100
@@ -245,6 +245,7 @@
 # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
 /usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/local(/.*)?/libmpg123\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/lib(64)?/codecs/.*\.so(\.[^/]*)* --  gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 HOME_DIR/.*/plugins/nppdf\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
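Review bot: `/usr/local/lib(64)?/codecs/.*\.so(\.[^/]*)*` labels every shared object under that directory `textrel_shlib_t`, which permits text relocations (`execmod`) for anything dropped there, whereas the adjacent `/usr/lib(64)?/codecs/` entry is restricted to `drv[1-9c]\.so`. A directory-wide match is defensible for an admin-populated codec location, but narrowing it to the file names that actually need relocations keeps the exception from silently covering future additions. A comment naming the codec pack it was added for would make that decision reviewable.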
@@ -433,8 +434,13 @@
 /usr/lib(64)?/octagaplayer/libapplication\.so		     --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /opt/AutoScan/usr/lib/libvte\.so.*			     --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/lampp/lib/libsybdb\.so.*                    -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/Unify/SQLBase/libgptsblmsui11.so.*          -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/bin/bsnes		     --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/lib/firefox/plugins/libractrl\.so	     --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libGLcore\.so.*	     --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/libkmplayercommon\.so.*      --   gen_context(system_u:object_r:textrel_shlib_t,s0)  
+
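Review bot: In `/opt/Unify/SQLBase/libgptsblmsui11.so.*` the dot before `so` is unescaped, so as a regex it matches any character; every other entry writes `\.so`. Change it to `/opt/Unify/SQLBase/libgptsblmsui11\.so.*`. The `libkmplayercommon` entry is wrapped in added blank lines, one of them at end of file, and carries trailing spaces.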
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.32/policy/modules/system/miscfiles.if
--- nsaserefpolicy/policy/modules/system/miscfiles.if	2010-01-06 11:05:51.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if	2010-01-08 20:32:11.000000000 +0100
@@ -618,3 +618,22 @@
 	manage_lnk_files_pattern($1, locale_t, locale_t)
 ')
 
+#######################################
+## <summary>
+## Set the attributes on a fonts cache directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_setattr_fonts_cache_dirs',`
+    gen_require(`
+        type fonts_cache_t;
+    ')
+
+    allow $1 fonts_cache_t:dir setattr;    
+')
+     
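Review bot: The new interface carries `<rolecap/>`, which marks an interface as a role capability that user roles are expected to receive; granting `setattr` on `fonts_cache_t` directories does not look like a per-role capability (the only caller in this patch is `cupsd_lpd_t`), so the tag is probably carried over from a neighbouring interface and should be dropped unless user domains are meant to get it. The body line ends with trailing spaces, the line after `')` is whitespace only, and the header rule is 39 `#` characters against the 40 used by the other interface headers in this patch.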
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.32/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if	2010-01-06 11:05:51.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/system/unconfined.if	2010-01-08 16:35:49.000000000 +0100
@@ -21,6 +21,8 @@
 	allow $1 self:capability all_capabilities;
 	allow $1 self:fifo_file manage_fifo_file_perms;
 
+    allow $1 self:socket_class_set create_socket_perms;
+
 	# Transition to myself, to make get_ordered_context_list happy.
 	allow $1 self:process transition;
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.32/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc	2010-01-06 11:05:51.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/system/userdomain.fc	2010-01-07 16:46:35.000000000 +0100
@@ -6,4 +6,5 @@
 /dev/shm/pulse-shm.*	gen_context(system_u:object_r:user_tmpfs_t,s0)
 /dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 HOME_DIR/\.cert(/.*)?	gen_context(system_u:object_r:home_cert_t,s0)
+HOME_DIR/\.pki(/.*)?    gen_context(system_u:object_r:home_cert_t,s0)
 HOME_DIR/\.gvfs(/.*)?	<<none>>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.32/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te	2010-01-06 11:05:51.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/system/xen.te	2010-01-08 14:14:45.000000000 +0100
@@ -248,10 +248,11 @@
 #
 
 allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
+allow xenconsoled_t self:process setrlimit;
 allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
 allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
 
-allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
+allow xenconsoled_t xen_devpts_t:chr_file manage_term_perms;
 
 # pid file
 manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
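Review bot: `manage_term_perms` on `xen_devpts_t:chr_file` grants xenconsoled `create rename link unlink` on pty device nodes, operations a console daemon has no use for but that are real permissions and widen the rule. If the motivating denial was `setattr` (a grantpt-style chown/chmod of the slave, which would fit the `ptchown_domtrans` added later in this file), `allow xenconsoled_t xen_devpts_t:chr_file { rw_term_perms setattr };` covers it without the new permission set. The `self:process setrlimit` addition is also unexplained and would benefit from a `# xenconsoled raises <which rlimit — fill in> at startup` comment. The new macro is defined in the obj_perm_sets.spt hunk of this patch.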
@@ -268,6 +269,7 @@
 
 domain_dontaudit_ptrace_all_domains(xenconsoled_t)
 
+files_read_etc_files(xenconsoled_t)
 files_read_usr_files(xenconsoled_t)
 
 fs_list_tmpfs(xenconsoled_t)
@@ -286,6 +288,10 @@
 xen_manage_log(xenconsoled_t)
 xen_stream_connect_xenstore(xenconsoled_t)
 
+optional_policy(`
+   ptchown_domtrans(xenconsoled_t)
+')
+
 ########################################
 #
 # Xen store local policy
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.32/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt	2010-01-06 11:05:51.000000000 +0100
+++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt	2010-01-08 20:35:13.000000000 +0100
@@ -310,7 +310,7 @@
 #
 define(`rw_inherited_term_perms', `{ getattr open read write ioctl append }')
 define(`rw_term_perms', `{ open rw_inherited_term_perms }')
-
+define(`manage_term_perms',`{ create open setattr rename link unlink rw_inherited_term_perms }')
 #
 # Sockets
 #
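Review bot: The new `manage_term_perms` define replaces the blank line that separated the term permission sets from the `# Sockets` header, so the section boundary is lost; keep a blank line after the define. It also omits the space after the comma that `rw_term_perms` above it uses: `define(`manage_term_perms', `{ create open setattr rename link unlink rw_inherited_term_perms }')`. Including `create rename link unlink` in a terminal permission set is unusual, since terminals are device nodes daemons do not normally create or unlink; if the xen.te caller only needs `setattr`, a smaller set avoids introducing a macro that invites broader use.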