|
|
036370c |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.12/policy/modules/admin/prelink.te
|
|
|
036370c |
--- nsaserefpolicy/policy/modules/admin/prelink.te 2009-05-21 08:27:59.000000000 -0400
|
|
|
036370c |
+++ serefpolicy-3.6.12/policy/modules/admin/prelink.te 2009-05-29 11:08:06.000000000 -0400
|
|
|
036370c |
@@ -72,6 +72,8 @@
|
|
|
036370c |
files_read_etc_runtime_files(prelink_t)
|
|
|
036370c |
files_dontaudit_read_all_symlinks(prelink_t)
|
|
|
036370c |
files_manage_usr_files(prelink_t)
|
|
|
036370c |
+# Delta RPMS
|
|
|
036370c |
+files_manage_var_files(prelink_t)
|
|
|
036370c |
files_relabelfrom_usr_files(prelink_t)
|
|
|
036370c |
|
|
|
036370c |
fs_getattr_xattr_fs(prelink_t)
|
|
|
036370c |
@@ -102,5 +104,9 @@
|
|
|
036370c |
')
|
|
|
036370c |
|
|
|
036370c |
optional_policy(`
|
|
|
036370c |
+ rpm_manage_tmp_files(prelink_t)
|
|
|
036370c |
+')
|
|
|
036370c |
+
|
|
|
036370c |
+optional_policy(`
|
|
|
036370c |
unconfined_domain(prelink_t)
|
|
|
036370c |
')
|
|
|
036370c |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.12/policy/modules/admin/rpm.if
|
|
|
036370c |
--- nsaserefpolicy/policy/modules/admin/rpm.if 2009-05-21 08:27:59.000000000 -0400
|
|
|
036370c |
+++ serefpolicy-3.6.12/policy/modules/admin/rpm.if 2009-05-29 11:02:56.000000000 -0400
|
|
|
036370c |
@@ -470,6 +470,24 @@
|
|
|
036370c |
|
|
|
036370c |
########################################
|
|
|
036370c |
## <summary>
|
|
|
036370c |
+## Manage RPM tmp files
|
|
|
036370c |
+## </summary>
|
|
|
036370c |
+## <param name="domain">
|
|
|
036370c |
+## <summary>
|
|
|
036370c |
+## Domain to not audit.
|
|
|
036370c |
+## </summary>
|
|
|
036370c |
+## </param>
|
|
|
036370c |
+#
|
|
|
036370c |
+interface(`rpm_manage_tmp_files',`
|
|
|
036370c |
+ gen_require(`
|
|
|
036370c |
+ type rpm_tmp_t;
|
|
|
036370c |
+ ')
|
|
|
036370c |
+
|
|
|
036370c |
+ manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
|
|
|
036370c |
+')
|
|
|
036370c |
+
|
|
|
036370c |
+########################################
|
|
|
036370c |
+## <summary>
|
|
|
036370c |
## Do not audit attempts to read,
|
|
|
036370c |
## write RPM tmp files
|
|
|
036370c |
## </summary>
|
|
|
82c950a |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.12/policy/modules/admin/usermanage.te
|
|
|
82c950a |
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2009-05-21 08:27:59.000000000 -0400
|
|
|
82c950a |
+++ serefpolicy-3.6.12/policy/modules/admin/usermanage.te 2009-05-26 13:02:40.000000000 -0400
|
|
|
82c950a |
@@ -209,6 +209,7 @@
|
|
|
82c950a |
files_manage_etc_files(groupadd_t)
|
|
|
82c950a |
files_relabel_etc_files(groupadd_t)
|
|
|
82c950a |
files_read_etc_runtime_files(groupadd_t)
|
|
|
82c950a |
+files_read_usr_symlinks(groupadd_t)
|
|
|
82c950a |
|
|
|
82c950a |
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
|
|
|
82c950a |
corecmd_exec_bin(groupadd_t)
|
|
|
070ff23 |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.12/policy/modules/apps/sandbox.te
|
|
|
070ff23 |
--- nsaserefpolicy/policy/modules/apps/sandbox.te 2009-05-21 08:27:59.000000000 -0400
|
|
|
070ff23 |
+++ serefpolicy-3.6.12/policy/modules/apps/sandbox.te 2009-05-22 10:14:07.000000000 -0400
|
|
|
070ff23 |
@@ -38,3 +38,6 @@
|
|
|
070ff23 |
miscfiles_read_localization(sandbox_t)
|
|
|
070ff23 |
|
|
|
070ff23 |
userdom_use_user_ptys(sandbox_t)
|
|
|
070ff23 |
+
|
|
|
070ff23 |
+kernel_dontaudit_read_system_state(sandbox_t)
|
|
|
070ff23 |
+corecmd_exec_all_executables(sandbox_t)
|
|
|
2eeb528 |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.6.12/policy/modules/apps/vmware.fc
|
|
|
2eeb528 |
--- nsaserefpolicy/policy/modules/apps/vmware.fc 2009-04-07 15:54:49.000000000 -0400
|
|
|
2eeb528 |
+++ serefpolicy-3.6.12/policy/modules/apps/vmware.fc 2009-05-26 08:07:56.000000000 -0400
|
|
|
2eeb528 |
@@ -63,6 +63,7 @@
|
|
|
2eeb528 |
')
|
|
|
2eeb528 |
|
|
|
2eeb528 |
/var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0)
|
|
|
2eeb528 |
+/var/log/vnetlib.* -- gen_context(system_u:object_r:vmware_log_t,s0)
|
|
|
2eeb528 |
|
|
|
2eeb528 |
/var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0)
|
|
|
2eeb528 |
/var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0)
|
|
|
036370c |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc
|
|
|
036370c |
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-05-21 08:27:59.000000000 -0400
|
|
|
70a0fb8 |
+++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc 2009-06-02 08:25:57.000000000 -0400
|
|
|
036370c |
@@ -7,6 +7,7 @@
|
|
|
036370c |
/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
|
|
|
036370c |
/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
|
|
|
036370c |
/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
|
|
|
036370c |
+/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
|
|
|
036370c |
/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
|
|
|
036370c |
/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
|
|
|
036370c |
/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
|
|
036370c |
@@ -145,6 +146,7 @@
|
|
|
036370c |
/usr/(.*/)?Bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
|
|
036370c |
/usr/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
|
|
036370c |
/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
|
|
|
036370c |
+/usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
|
|
|
036370c |
/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0)
|
|
|
036370c |
|
|
|
036370c |
/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
|
|
70a0fb8 |
@@ -217,8 +219,11 @@
|
|
|
70a0fb8 |
/usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
|
|
70a0fb8 |
/usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
|
|
70a0fb8 |
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
|
|
|
70a0fb8 |
+/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
|
|
|
70a0fb8 |
+/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
|
|
70a0fb8 |
/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
|
|
70a0fb8 |
-/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
|
|
70a0fb8 |
+/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
|
|
70a0fb8 |
+/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
|
|
70a0fb8 |
|
|
|
70a0fb8 |
/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
|
|
|
70a0fb8 |
|
|
|
036370c |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.12/policy/modules/kernel/devices.fc
|
|
|
036370c |
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-05-21 08:27:59.000000000 -0400
|
|
|
036370c |
+++ serefpolicy-3.6.12/policy/modules/kernel/devices.fc 2009-06-01 08:22:04.000000000 -0400
|
|
|
036370c |
@@ -48,6 +48,7 @@
|
|
|
036370c |
/dev/kqemu -c gen_context(system_u:object_r:qemu_device_t,s0)
|
|
|
036370c |
/dev/kvm -c gen_context(system_u:object_r:kvm_device_t,s0)
|
|
|
036370c |
/dev/lik.* -c gen_context(system_u:object_r:event_device_t,s0)
|
|
|
036370c |
+/dev/lirc[0-9]+ -c gen_context(system_u:object_r:lirc_device_t,s0)
|
|
|
036370c |
/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
|
|
|
036370c |
/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
|
|
|
036370c |
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
|
|
|
036370c |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.12/policy/modules/kernel/devices.if
|
|
|
036370c |
--- nsaserefpolicy/policy/modules/kernel/devices.if 2009-05-21 08:27:59.000000000 -0400
|
|
|
036370c |
+++ serefpolicy-3.6.12/policy/modules/kernel/devices.if 2009-06-01 08:22:04.000000000 -0400
|
|
|
036370c |
@@ -1725,6 +1725,61 @@
|
|
|
036370c |
rw_chr_files_pattern($1, device_t, kvm_device_t)
|
|
|
036370c |
')
|
|
|
036370c |
|
|
|
036370c |
+######################################
|
|
|
036370c |
+## <summary>
|
|
|
036370c |
+## Read the lirc device.
|
|
|
036370c |
+## </summary>
|
|
|
036370c |
+## <param name="domain">
|
|
|
036370c |
+## <summary>
|
|
|
036370c |
+## Domain allowed access.
|
|
|
036370c |
+## </summary>
|
|
|
036370c |
+## </param>
|
|
|
036370c |
+#
|
|
|
036370c |
+interface(`dev_read_lirc',`
|
|
|
036370c |
+ gen_require(`
|
|
|
036370c |
+ type device_t, lirc_device_t;
|
|
|
036370c |
+ ')
|
|
|
036370c |
+
|
|
|
036370c |
+ read_chr_files_pattern($1, device_t, lirc_device_t)
|
|
|
036370c |
+')
|
|
|
036370c |
+
|
|
|
036370c |
+######################################
|
|
|
036370c |
+## <summary>
|
|
|
036370c |
+## Read and write the lirc device.
|
|
|
036370c |
+## </summary>
|
|
|
036370c |
+## <param name="domain">
|
|
|
036370c |
+## <summary>
|
|
|
036370c |
+## Domain allowed access.
|
|
|
036370c |
+## </summary>
|
|
|
036370c |
+## </param>
|
|
|
036370c |
+#
|
|
|
036370c |
+interface(`dev_rw_lirc',`
|
|
|
036370c |
+ gen_require(`
|
|
|
036370c |
+ type device_t, lirc_device_t;
|
|
|
036370c |
+ ')
|
|
|
036370c |
+
|
|
|
036370c |
+ rw_chr_files_pattern($1, device_t, lirc_device_t)
|
|
|
036370c |
+')
|
|
|
036370c |
+
|
|
|
036370c |
+######################################
|
|
|
036370c |
+## <summary>
|
|
|
036370c |
+## Automatic type transition to the type
|
|
|
036370c |
+## for lirc device nodes when created in /dev.
|
|
|
036370c |
+## </summary>
|
|
|
036370c |
+## <param name="domain">
|
|
|
036370c |
+## <summary>
|
|
|
036370c |
+## Domain allowed access.
|
|
|
036370c |
+## </summary>
|
|
|
036370c |
+## </param>
|
|
|
036370c |
+#
|
|
|
036370c |
+interface(`dev_filetrans_lirc',`
|
|
|
036370c |
+ gen_require(`
|
|
|
036370c |
+ type device_t, lirc_device_t;
|
|
|
036370c |
+ ')
|
|
|
036370c |
+
|
|
|
036370c |
+ filetrans_pattern($1, device_t, lirc_device_t, chr_file)
|
|
|
036370c |
+')
|
|
|
036370c |
+
|
|
|
036370c |
########################################
|
|
|
036370c |
## <summary>
|
|
|
036370c |
## Read the lvm comtrol device.
|
|
|
036370c |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.12/policy/modules/kernel/devices.te
|
|
|
036370c |
--- nsaserefpolicy/policy/modules/kernel/devices.te 2009-05-21 08:27:59.000000000 -0400
|
|
|
036370c |
+++ serefpolicy-3.6.12/policy/modules/kernel/devices.te 2009-06-01 08:22:04.000000000 -0400
|
|
|
036370c |
@@ -91,6 +91,12 @@
|
|
|
036370c |
dev_node(kvm_device_t)
|
|
|
036370c |
|
|
|
036370c |
#
|
|
|
036370c |
+# Type for /dev/lirc
|
|
|
036370c |
+#
|
|
|
036370c |
+type lirc_device_t;
|
|
|
036370c |
+dev_node(lirc_device_t)
|
|
|
036370c |
+
|
|
|
036370c |
+#
|
|
|
036370c |
# Type for /dev/mapper/control
|
|
|
036370c |
#
|
|
|
036370c |
type lvm_control_t;
|
|
|
60c6cbd |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.12/policy/modules/kernel/domain.if
|
|
|
60c6cbd |
--- nsaserefpolicy/policy/modules/kernel/domain.if 2009-05-21 08:27:59.000000000 -0400
|
|
|
60c6cbd |
+++ serefpolicy-3.6.12/policy/modules/kernel/domain.if 2009-06-02 11:40:14.000000000 -0400
|
|
|
60c6cbd |
@@ -65,7 +65,8 @@
|
|
|
60c6cbd |
')
|
|
|
60c6cbd |
|
|
|
60c6cbd |
optional_policy(`
|
|
|
60c6cbd |
- selinux_dontaudit_getattr_fs($1)
|
|
|
60c6cbd |
+ selinux_getattr_fs($1)
|
|
|
60c6cbd |
+ selinux_search_fs($1)
|
|
|
60c6cbd |
selinux_dontaudit_read_fs($1)
|
|
|
60c6cbd |
')
|
|
|
60c6cbd |
|
|
|
070ff23 |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if
|
|
|
070ff23 |
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-05-21 08:27:59.000000000 -0400
|
|
|
036370c |
+++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-05-29 11:03:57.000000000 -0400
|
|
|
070ff23 |
@@ -5224,6 +5224,7 @@
|
|
|
070ff23 |
attribute file_type;
|
|
|
070ff23 |
')
|
|
|
070ff23 |
|
|
|
070ff23 |
+ allow $1 file_type:dir search_dir_perms;
|
|
|
070ff23 |
allow $1 file_type:file { getattr read write append lock };
|
|
|
070ff23 |
allow $1 file_type:fifo_file { getattr read write append ioctl lock };
|
|
|
070ff23 |
allow $1 file_type:sock_file { getattr read write append ioctl lock };
|
|
|
070ff23 |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.12/policy/modules/kernel/kernel.if
|
|
|
070ff23 |
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-05-21 08:27:59.000000000 -0400
|
|
|
070ff23 |
+++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if 2009-05-22 08:57:53.000000000 -0400
|
|
|
070ff23 |
@@ -817,7 +817,7 @@
|
|
|
070ff23 |
type proc_t;
|
|
|
070ff23 |
')
|
|
|
070ff23 |
|
|
|
070ff23 |
- dontaudit $1 proc_t:file { getattr read };
|
|
|
070ff23 |
+ dontaudit $1 proc_t:file { open getattr read };
|
|
|
070ff23 |
')
|
|
|
070ff23 |
|
|
|
070ff23 |
########################################
|
|
|
036370c |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.12/policy/modules/roles/staff.te
|
|
|
036370c |
--- nsaserefpolicy/policy/modules/roles/staff.te 2009-05-21 08:27:59.000000000 -0400
|
|
|
036370c |
+++ serefpolicy-3.6.12/policy/modules/roles/staff.te 2009-06-01 08:41:46.000000000 -0400
|
|
|
036370c |
@@ -44,6 +44,10 @@
|
|
|
036370c |
')
|
|
|
036370c |
|
|
|
036370c |
optional_policy(`
|
|
|
036370c |
+ postgresql_role(staff_r, staff_t)
|
|
|
036370c |
+')
|
|
|
036370c |
+
|
|
|
036370c |
+optional_policy(`
|
|
|
036370c |
secadm_role_change(staff_r)
|
|
|
036370c |
')
|
|
|
036370c |
|
|
|
070ff23 |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.12/policy/modules/roles/sysadm.te
|
|
|
070ff23 |
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-05-21 08:27:59.000000000 -0400
|
|
|
070ff23 |
+++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te 2009-05-21 15:11:07.000000000 -0400
|
|
|
070ff23 |
@@ -334,6 +334,10 @@
|
|
|
070ff23 |
')
|
|
|
070ff23 |
|
|
|
070ff23 |
optional_policy(`
|
|
|
070ff23 |
+ virt_stream_connect(sysadm_t)
|
|
|
070ff23 |
+')
|
|
|
070ff23 |
+
|
|
|
070ff23 |
+optional_policy(`
|
|
|
070ff23 |
yam_run(sysadm_t, sysadm_r)
|
|
|
070ff23 |
')
|
|
|
070ff23 |
|
|
|
070ff23 |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te
|
|
|
070ff23 |
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 2009-05-21 08:27:59.000000000 -0400
|
|
|
070ff23 |
+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te 2009-05-22 05:49:21.000000000 -0400
|
|
|
070ff23 |
@@ -52,6 +52,8 @@
|
|
|
070ff23 |
init_system_domain(unconfined_execmem_t, execmem_exec_t)
|
|
|
070ff23 |
role unconfined_r types unconfined_execmem_t;
|
|
|
070ff23 |
typealias execmem_exec_t alias unconfined_execmem_exec_t;
|
|
|
070ff23 |
+userdom_unpriv_usertype(unconfined, unconfined_execmem_t)
|
|
|
070ff23 |
+userdom_manage_tmpfs_role(unconfined_r, unconfined_execmem_t)
|
|
|
070ff23 |
|
|
|
070ff23 |
type unconfined_notrans_t;
|
|
|
070ff23 |
type unconfined_notrans_exec_t;
|
|
|
2eeb528 |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.12/policy/modules/services/apache.fc
|
|
|
2eeb528 |
--- nsaserefpolicy/policy/modules/services/apache.fc 2009-05-21 08:27:59.000000000 -0400
|
|
|
82c950a |
+++ serefpolicy-3.6.12/policy/modules/services/apache.fc 2009-05-26 15:13:01.000000000 -0400
|
|
|
2eeb528 |
@@ -98,4 +98,6 @@
|
|
|
2eeb528 |
|
|
|
2eeb528 |
/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
|
|
|
2eeb528 |
|
|
|
2eeb528 |
-/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
|
|
|
2eeb528 |
+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
|
|
|
82c950a |
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
|
|
2eeb528 |
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
|
036370c |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.12/policy/modules/services/consolekit.te
|
|
|
036370c |
--- nsaserefpolicy/policy/modules/services/consolekit.te 2009-05-21 08:27:59.000000000 -0400
|
|
|
036370c |
+++ serefpolicy-3.6.12/policy/modules/services/consolekit.te 2009-06-01 06:47:53.000000000 -0400
|
|
|
036370c |
@@ -14,7 +14,7 @@
|
|
|
036370c |
files_pid_file(consolekit_var_run_t)
|
|
|
036370c |
|
|
|
036370c |
type consolekit_log_t;
|
|
|
036370c |
-files_pid_file(consolekit_log_t)
|
|
|
036370c |
+logging_log_file(consolekit_log_t)
|
|
|
036370c |
|
|
|
036370c |
########################################
|
|
|
036370c |
#
|
|
|
036370c |
@@ -50,6 +50,7 @@
|
|
|
036370c |
files_read_usr_files(consolekit_t)
|
|
|
036370c |
# needs to read /var/lib/dbus/machine-id
|
|
|
036370c |
files_read_var_lib_files(consolekit_t)
|
|
|
036370c |
+files_search_all_mountpoints(consolekit_t)
|
|
|
036370c |
|
|
|
036370c |
fs_list_inotifyfs(consolekit_t)
|
|
|
036370c |
|
|
|
2eeb528 |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.12/policy/modules/services/cron.if
|
|
|
2eeb528 |
--- nsaserefpolicy/policy/modules/services/cron.if 2009-05-21 08:27:59.000000000 -0400
|
|
|
2eeb528 |
+++ serefpolicy-3.6.12/policy/modules/services/cron.if 2009-05-26 08:38:15.000000000 -0400
|
|
|
2eeb528 |
@@ -163,27 +163,14 @@
|
|
|
2eeb528 |
#
|
|
|
2eeb528 |
interface(`cron_unconfined_role',`
|
|
|
2eeb528 |
gen_require(`
|
|
|
2eeb528 |
- type unconfined_cronjob_t, admin_crontab_t, crontab_tmp_t, crontab_exec_t;
|
|
|
2eeb528 |
+ type unconfined_cronjob_t;
|
|
|
2eeb528 |
')
|
|
|
2eeb528 |
|
|
|
2eeb528 |
- role $1 types { unconfined_cronjob_t admin_crontab_t };
|
|
|
2eeb528 |
+ role $1 types unconfined_cronjob_t;
|
|
|
2eeb528 |
|
|
|
2eeb528 |
# cronjob shows up in user ps
|
|
|
2eeb528 |
ps_process_pattern($2, unconfined_cronjob_t)
|
|
|
2eeb528 |
|
|
|
2eeb528 |
- # Transition from the user domain to the derived domain.
|
|
|
2eeb528 |
- domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
|
|
|
2eeb528 |
-
|
|
|
2eeb528 |
- # crontab shows up in user ps
|
|
|
2eeb528 |
- ps_process_pattern($2, admin_crontab_t)
|
|
|
2eeb528 |
- allow $2 admin_crontab_t:process signal;
|
|
|
2eeb528 |
-
|
|
|
2eeb528 |
- # Run helper programs as the user domain
|
|
|
2eeb528 |
- #corecmd_bin_domtrans(admin_crontab_t, $2)
|
|
|
2eeb528 |
- #corecmd_shell_domtrans(admin_crontab_t, $2)
|
|
|
2eeb528 |
- corecmd_exec_bin(admin_crontab_t)
|
|
|
2eeb528 |
- corecmd_exec_shell(admin_crontab_t)
|
|
|
2eeb528 |
-
|
|
|
2eeb528 |
optional_policy(`
|
|
|
2eeb528 |
gen_require(`
|
|
|
2eeb528 |
class dbus send_msg;
|
|
|
77eab22 |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.12/policy/modules/services/devicekit.te
|
|
|
77eab22 |
--- nsaserefpolicy/policy/modules/services/devicekit.te 2009-05-21 08:27:59.000000000 -0400
|
|
|
77eab22 |
+++ serefpolicy-3.6.12/policy/modules/services/devicekit.te 2009-05-21 12:57:07.000000000 -0400
|
|
|
77eab22 |
@@ -55,7 +55,7 @@
|
|
|
77eab22 |
#
|
|
|
77eab22 |
# DeviceKit-Power local policy
|
|
|
77eab22 |
#
|
|
|
77eab22 |
-allow devicekit_power_t self:capability { dac_override sys_tty_config sys_nice };
|
|
|
77eab22 |
+allow devicekit_power_t self:capability { dac_override sys_ptrace sys_tty_config sys_nice };
|
|
|
77eab22 |
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
|
|
|
77eab22 |
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
|
|
|
77eab22 |
|
|
|
82c950a |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.12/policy/modules/services/fprintd.te
|
|
|
82c950a |
--- nsaserefpolicy/policy/modules/services/fprintd.te 2009-05-21 08:27:59.000000000 -0400
|
|
|
82c950a |
+++ serefpolicy-3.6.12/policy/modules/services/fprintd.te 2009-05-27 07:16:20.000000000 -0400
|
|
|
82c950a |
@@ -22,6 +22,7 @@
|
|
|
82c950a |
|
|
|
82c950a |
corecmd_search_bin(fprintd_t)
|
|
|
82c950a |
|
|
|
82c950a |
+dev_list_usbfs(fprintd_t)
|
|
|
82c950a |
dev_rw_generic_usb_dev(fprintd_t)
|
|
|
82c950a |
dev_read_sysfs(fprintd_t)
|
|
|
82c950a |
|
|
|
82c950a |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.12/policy/modules/services/hal.te
|
|
|
82c950a |
--- nsaserefpolicy/policy/modules/services/hal.te 2009-05-21 08:27:59.000000000 -0400
|
|
|
82c950a |
+++ serefpolicy-3.6.12/policy/modules/services/hal.te 2009-05-27 07:02:29.000000000 -0400
|
|
|
82c950a |
@@ -162,6 +162,7 @@
|
|
|
82c950a |
fs_mount_dos_fs(hald_t)
|
|
|
82c950a |
fs_unmount_dos_fs(hald_t)
|
|
|
82c950a |
fs_manage_dos_files(hald_t)
|
|
|
82c950a |
+fs_manage_fusefs_dirs(hald_t)
|
|
|
82c950a |
|
|
|
82c950a |
files_getattr_all_mountpoints(hald_t)
|
|
|
82c950a |
|
|
|
036370c |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.6.12/policy/modules/services/kerberos.if
|
|
|
036370c |
--- nsaserefpolicy/policy/modules/services/kerberos.if 2009-05-21 08:27:59.000000000 -0400
|
|
|
036370c |
+++ serefpolicy-3.6.12/policy/modules/services/kerberos.if 2009-06-01 08:13:05.000000000 -0400
|
|
|
036370c |
@@ -70,6 +70,7 @@
|
|
|
036370c |
interface(`kerberos_use',`
|
|
|
036370c |
gen_require(`
|
|
|
036370c |
type krb5_conf_t, krb5kdc_conf_t;
|
|
|
036370c |
+ type krb5_host_rcache_t;
|
|
|
036370c |
')
|
|
|
036370c |
|
|
|
036370c |
files_search_etc($1)
|
|
|
036370c |
@@ -101,6 +102,7 @@
|
|
|
036370c |
corenet_tcp_connect_ocsp_port($1)
|
|
|
036370c |
corenet_sendrecv_kerberos_client_packets($1)
|
|
|
036370c |
corenet_sendrecv_ocsp_client_packets($1)
|
|
|
036370c |
+ allow $1 krb5_host_rcache_t:file getattr;
|
|
|
036370c |
')
|
|
|
036370c |
|
|
|
036370c |
optional_policy(`
|
|
|
036370c |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.12/policy/modules/services/lircd.te
|
|
|
036370c |
--- nsaserefpolicy/policy/modules/services/lircd.te 2009-05-21 08:27:59.000000000 -0400
|
|
|
036370c |
+++ serefpolicy-3.6.12/policy/modules/services/lircd.te 2009-06-01 08:22:04.000000000 -0400
|
|
|
036370c |
@@ -45,6 +45,9 @@
|
|
|
036370c |
dev_filetrans(lircd_t, lircd_sock_t, sock_file )
|
|
|
036370c |
dev_read_generic_usb_dev(lircd_t)
|
|
|
036370c |
|
|
|
036370c |
+dev_filetrans_lirc(lircd_t)
|
|
|
036370c |
+dev_rw_lirc(lircd_t)
|
|
|
036370c |
+
|
|
|
036370c |
logging_send_syslog_msg(lircd_t)
|
|
|
036370c |
|
|
|
036370c |
files_read_etc_files(lircd_t)
|
|
|
82c950a |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.6.12/policy/modules/services/mailman.if
|
|
|
82c950a |
--- nsaserefpolicy/policy/modules/services/mailman.if 2009-05-21 08:27:59.000000000 -0400
|
|
|
82c950a |
+++ serefpolicy-3.6.12/policy/modules/services/mailman.if 2009-05-26 13:53:04.000000000 -0400
|
|
|
82c950a |
@@ -197,6 +197,7 @@
|
|
|
82c950a |
type mailman_data_t;
|
|
|
82c950a |
')
|
|
|
82c950a |
|
|
|
82c950a |
+ list_dirs_pattern($1, mailman_data_t, mailman_data_t)
|
|
|
82c950a |
read_files_pattern($1, mailman_data_t, mailman_data_t)
|
|
|
82c950a |
read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
|
|
|
82c950a |
')
|
|
|
77eab22 |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.12/policy/modules/services/pyzor.fc
|
|
|
77eab22 |
--- nsaserefpolicy/policy/modules/services/pyzor.fc 2009-05-21 08:27:59.000000000 -0400
|
|
|
77eab22 |
+++ serefpolicy-3.6.12/policy/modules/services/pyzor.fc 2009-05-21 08:32:24.000000000 -0400
|
|
|
77eab22 |
@@ -3,6 +3,8 @@
|
|
|
77eab22 |
|
|
|
77eab22 |
HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
|
|
|
77eab22 |
HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
|
|
|
77eab22 |
+/root/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
|
|
|
77eab22 |
+/root/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
|
|
|
77eab22 |
|
|
|
77eab22 |
/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
|
|
|
77eab22 |
/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
|
|
|
77eab22 |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.12/policy/modules/services/spamassassin.fc
|
|
|
77eab22 |
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2009-05-21 08:27:59.000000000 -0400
|
|
|
77eab22 |
+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.fc 2009-05-21 08:31:58.000000000 -0400
|
|
|
77eab22 |
@@ -1,3 +1,4 @@
|
|
|
77eab22 |
+/root/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
|
|
|
77eab22 |
HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
|
|
|
77eab22 |
|
|
|
77eab22 |
/etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
|
|
|
77eab22 |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te
|
|
|
77eab22 |
--- nsaserefpolicy/policy/modules/services/virt.te 2009-05-21 08:27:59.000000000 -0400
|
|
|
77eab22 |
+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-05-21 12:58:18.000000000 -0400
|
|
|
77eab22 |
@@ -183,6 +183,7 @@
|
|
|
77eab22 |
seutil_read_default_contexts(virtd_t)
|
|
|
77eab22 |
|
|
|
77eab22 |
term_getattr_pty_fs(virtd_t)
|
|
|
77eab22 |
+term_use_generic_ptys(virtd_t)
|
|
|
77eab22 |
term_use_ptmx(virtd_t)
|
|
|
77eab22 |
|
|
|
77eab22 |
auth_use_nsswitch(virtd_t)
|
|
|
77eab22 |
@@ -323,9 +324,13 @@
|
|
|
77eab22 |
userdom_read_all_users_state(svirt_t)
|
|
|
77eab22 |
|
|
|
77eab22 |
append_files_pattern(svirt_t, virt_log_t, virt_log_t)
|
|
|
77eab22 |
+append_files_pattern(svirt_t, virt_var_lib_t, virt_var_lib_t)
|
|
|
77eab22 |
|
|
|
77eab22 |
allow svirt_t self:udp_socket create_socket_perms;
|
|
|
77eab22 |
|
|
|
77eab22 |
+corecmd_exec_bin(svirt_t)
|
|
|
77eab22 |
+corecmd_exec_shell(svirt_t)
|
|
|
77eab22 |
+
|
|
|
77eab22 |
corenet_udp_sendrecv_generic_if(svirt_t)
|
|
|
77eab22 |
corenet_udp_sendrecv_generic_node(svirt_t)
|
|
|
77eab22 |
corenet_udp_sendrecv_all_ports(svirt_t)
|
|
|
2eeb528 |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.12/policy/modules/services/xserver.te
|
|
|
2eeb528 |
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-05-21 08:27:59.000000000 -0400
|
|
|
2eeb528 |
+++ serefpolicy-3.6.12/policy/modules/services/xserver.te 2009-05-26 08:17:11.000000000 -0400
|
|
|
2eeb528 |
@@ -538,6 +538,7 @@
|
|
|
2eeb528 |
# Search /proc for any user domain processes.
|
|
|
2eeb528 |
userdom_read_all_users_state(xdm_t)
|
|
|
2eeb528 |
userdom_signal_all_users(xdm_t)
|
|
|
2eeb528 |
+userdom_manage_user_tmp_dirs(xdm_t)
|
|
|
2eeb528 |
userdom_manage_user_tmp_sockets(xdm_t)
|
|
|
2eeb528 |
userdom_manage_tmpfs_role(system_r, xdm_t)
|
|
|
2eeb528 |
|
|
|
2eeb528 |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.12/policy/modules/system/authlogin.if
|
|
|
2eeb528 |
--- nsaserefpolicy/policy/modules/system/authlogin.if 2009-05-21 08:27:59.000000000 -0400
|
|
|
1e7a475 |
+++ serefpolicy-3.6.12/policy/modules/system/authlogin.if 2009-06-01 13:14:14.000000000 -0400
|
|
|
2eeb528 |
@@ -77,6 +77,8 @@
|
|
|
2eeb528 |
|
|
|
2eeb528 |
# for SSP/ProPolice
|
|
|
2eeb528 |
dev_read_urand($1)
|
|
|
2eeb528 |
+ # for encrypted homedir
|
|
|
2eeb528 |
+ dev_read_sysfs($1)
|
|
|
2eeb528 |
# for fingerprint readers
|
|
|
2eeb528 |
dev_rw_input_dev($1)
|
|
|
2eeb528 |
dev_rw_generic_usb_dev($1)
|
|
|
1e7a475 |
@@ -147,6 +149,10 @@
|
|
|
1e7a475 |
')
|
|
|
1e7a475 |
|
|
|
1e7a475 |
optional_policy(`
|
|
|
1e7a475 |
+ kerberos_manage_host_rcache($1)
|
|
|
1e7a475 |
+ ')
|
|
|
1e7a475 |
+
|
|
|
1e7a475 |
+ optional_policy(`
|
|
|
1e7a475 |
nis_authenticate($1)
|
|
|
1e7a475 |
')
|
|
|
1e7a475 |
|
|
|
2eeb528 |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.12/policy/modules/system/init.fc
|
|
|
2eeb528 |
--- nsaserefpolicy/policy/modules/system/init.fc 2009-05-21 08:27:59.000000000 -0400
|
|
|
2eeb528 |
+++ serefpolicy-3.6.12/policy/modules/system/init.fc 2009-05-26 09:15:52.000000000 -0400
|
|
|
2eeb528 |
@@ -6,6 +6,8 @@
|
|
|
2eeb528 |
/etc/rc\.d/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
|
|
|
2eeb528 |
/etc/rc\.d/rc\.[^/]+ -- gen_context(system_u:object_r:initrc_exec_t,s0)
|
|
|
2eeb528 |
|
|
|
2eeb528 |
+/etc/sysconfig/network-scripts/ifup-ipsec -- gen_context(system_u:object_r:initrc_exec_t,s0)
|
|
|
2eeb528 |
+
|
|
|
2eeb528 |
/etc/rc\.d/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
|
|
|
2eeb528 |
|
|
|
2eeb528 |
/etc/X11/prefdm -- gen_context(system_u:object_r:initrc_exec_t,s0)
|
|
|
2eeb528 |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.12/policy/modules/system/ipsec.te
|
|
|
2eeb528 |
--- nsaserefpolicy/policy/modules/system/ipsec.te 2009-05-21 08:27:59.000000000 -0400
|
|
|
2eeb528 |
+++ serefpolicy-3.6.12/policy/modules/system/ipsec.te 2009-05-26 09:17:39.000000000 -0400
|
|
|
2eeb528 |
@@ -348,6 +348,7 @@
|
|
|
2eeb528 |
files_read_etc_files(setkey_t)
|
|
|
2eeb528 |
|
|
|
2eeb528 |
init_dontaudit_use_fds(setkey_t)
|
|
|
2eeb528 |
+init_read_script_tmp_files(setkey_t)
|
|
|
2eeb528 |
|
|
|
2eeb528 |
# allow setkey to set the context for ipsec SAs and policy.
|
|
|
2eeb528 |
ipsec_setcontext_default_spd(setkey_t)
|
|
|
036370c |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.12/policy/modules/system/libraries.fc
|
|
|
036370c |
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-05-21 08:27:59.000000000 -0400
|
|
|
036370c |
+++ serefpolicy-3.6.12/policy/modules/system/libraries.fc 2009-06-01 08:37:12.000000000 -0400
|
|
|
036370c |
@@ -139,6 +139,7 @@
|
|
|
036370c |
/usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
|
|
036370c |
/usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
|
|
036370c |
/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
|
|
036370c |
+/usr/lib(64)?/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
|
|
036370c |
/usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
|
|
036370c |
/usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
|
|
036370c |
/usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
|
|
036370c |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.12/policy/modules/system/locallogin.te
|
|
|
036370c |
--- nsaserefpolicy/policy/modules/system/locallogin.te 2009-05-21 08:27:59.000000000 -0400
|
|
|
036370c |
+++ serefpolicy-3.6.12/policy/modules/system/locallogin.te 2009-05-28 21:07:39.000000000 -0400
|
|
|
036370c |
@@ -211,6 +211,7 @@
|
|
|
036370c |
# Sulogin local policy
|
|
|
036370c |
#
|
|
|
036370c |
|
|
|
036370c |
+allow sulogin_t self:capability dac_override;
|
|
|
036370c |
allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
|
|
036370c |
allow sulogin_t self:fd use;
|
|
|
036370c |
allow sulogin_t self:fifo_file rw_file_perms;
|
|
|
036370c |
@@ -258,7 +259,10 @@
|
|
|
036370c |
# suse and debian do not use pam with sulogin...
|
|
|
036370c |
ifdef(`distro_suse', `define(`sulogin_no_pam')')
|
|
|
036370c |
ifdef(`distro_debian', `define(`sulogin_no_pam')')
|
|
|
036370c |
-ifdef(`distro_redhat',`define(`sulogin_no_pam')')
|
|
|
036370c |
+ifdef(`distro_redhat',`
|
|
|
036370c |
+ define(`sulogin_no_pam')
|
|
|
036370c |
+ selinux_compute_user_contexts(sulogin_t)
|
|
|
036370c |
+')
|
|
|
036370c |
|
|
|
036370c |
ifdef(`sulogin_no_pam', `
|
|
|
036370c |
allow sulogin_t self:capability sys_tty_config;
|
|
|
036370c |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.12/policy/modules/system/sysnetwork.te
|
|
|
036370c |
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2009-05-21 08:27:59.000000000 -0400
|
|
|
036370c |
+++ serefpolicy-3.6.12/policy/modules/system/sysnetwork.te 2009-06-01 13:01:59.000000000 -0400
|
|
|
036370c |
@@ -45,7 +45,7 @@
|
|
|
036370c |
# DHCP client local policy
|
|
|
036370c |
#
|
|
|
036370c |
allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_nice sys_resource sys_tty_config };
|
|
|
036370c |
-dontaudit dhcpc_t self:capability sys_tty_config;
|
|
|
036370c |
+dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
|
|
|
036370c |
# for access("/etc/bashrc", X_OK) on Red Hat
|
|
|
036370c |
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
|
|
|
036370c |
allow dhcpc_t self:process { setfscreate ptrace signal_perms };
|
|
|
036370c |
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if
|
|
|
036370c |
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-05-21 08:27:59.000000000 -0400
|
|
|
036370c |
+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-06-01 08:19:34.000000000 -0400
|
|
|
036370c |
@@ -1880,7 +1880,7 @@
|
|
|
036370c |
type user_home_t;
|
|
|
036370c |
')
|
|
|
036370c |
|
|
|
036370c |
- allow $1 user_home_t:dir delete_file_perms;
|
|
|
036370c |
+ allow $1 user_home_t:file delete_file_perms;
|
|
|
036370c |
')
|
|
|
036370c |
|
|
|
036370c |
########################################
|