parent
50b70e6d39
commit
5791105ca8
@ -1,22 +0,0 @@
|
||||
commit b3a95b4aeb4ecc3ce5125aac2f114224fcead5b9
|
||||
Author: Jason Zaman <jason@perfinion.com>
|
||||
Date: Sun Oct 11 18:35:20 2015 +0800
|
||||
|
||||
Add overlayfs as an XATTR capable fs
|
||||
|
||||
The module is called "overlay" in the kernel
|
||||
|
||||
---
|
||||
policy/modules/kernel/filesystem.te | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
--- a/policy/modules/kernel/filesystem.te
|
||||
+++ b/policy/modules/kernel/filesystem.te
|
||||
@@ -33,6 +33,7 @@ fs_use_xattr gpfs gen_context(system_u:o
|
||||
fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
|
||||
fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
|
||||
fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
|
||||
+fs_use_xattr overlay gen_context(system_u:object_r:fs_t,s0);
|
||||
fs_use_xattr ocfs2 gen_context(system_u:object_r:fs_t,s0);
|
||||
fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
|
||||
fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);
|
@ -1,12 +0,0 @@
|
||||
Index: serefpolicy-3.12.1/policy/modules/system/locallogin.te
|
||||
===================================================================
|
||||
--- serefpolicy-3.12.1.orig/policy/modules/system/locallogin.te 2013-10-23 11:44:16.815098321 +0200
|
||||
+++ serefpolicy-3.12.1/policy/modules/system/locallogin.te 2013-10-23 11:44:16.848098676 +0200
|
||||
@@ -126,6 +126,7 @@ term_setattr_unallocated_ttys(local_logi
|
||||
term_relabel_all_ptys(local_login_t)
|
||||
term_setattr_generic_ptys(local_login_t)
|
||||
|
||||
+auth_read_shadow(local_login_t)
|
||||
auth_rw_login_records(local_login_t)
|
||||
auth_rw_faillog(local_login_t)
|
||||
auth_manage_pam_console_data(local_login_t)
|
1854
booleans-mls.conf
@ -1,49 +0,0 @@
|
||||
allow_auditadm_exec_content auditadm_exec_content
|
||||
allow_console_login login_console_enabled
|
||||
allow_cvs_read_shadow cvs_read_shadow
|
||||
allow_daemons_dump_core daemons_dump_core
|
||||
allow_daemons_use_tcp_wrapper daemons_use_tcp_wrapper
|
||||
allow_daemons_use_tty daemons_use_tty
|
||||
allow_domain_fd_use domain_fd_use
|
||||
allow_execheap selinuxuser_execheap
|
||||
allow_execmod selinuxuser_execmod
|
||||
allow_execstack selinuxuser_execstack
|
||||
allow_ftpd_anon_write ftpd_anon_write
|
||||
allow_ftpd_full_access ftpd_full_access
|
||||
allow_ftpd_use_cifs ftpd_use_cifs
|
||||
allow_ftpd_use_nfs ftpd_use_nfs
|
||||
allow_gssd_read_tmp gssd_read_tmp
|
||||
allow_guest_exec_content guest_exec_content
|
||||
allow_httpd_anon_write httpd_anon_write
|
||||
allow_httpd_mod_auth_ntlm_winbind httpd_mod_auth_ntlm_winbind
|
||||
allow_httpd_mod_auth_pam httpd_mod_auth_pam
|
||||
allow_httpd_sys_script_anon_write httpd_sys_script_anon_write
|
||||
allow_kerberos kerberos_enabled
|
||||
allow_mplayer_execstack mplayer_execstack
|
||||
allow_mount_anyfile mount_anyfile
|
||||
allow_nfsd_anon_write nfsd_anon_write
|
||||
allow_polyinstantiation polyinstantiation_enabled
|
||||
allow_postfix_local_write_mail_spool postfix_local_write_mail_spool
|
||||
allow_rsync_anon_write rsync_anon_write
|
||||
allow_saslauthd_read_shadow saslauthd_read_shadow
|
||||
allow_secadm_exec_content secadm_exec_content
|
||||
allow_smbd_anon_write smbd_anon_write
|
||||
allow_ssh_keysign ssh_keysign
|
||||
allow_staff_exec_content staff_exec_content
|
||||
allow_sysadm_exec_content sysadm_exec_content
|
||||
allow_user_exec_content user_exec_content
|
||||
allow_user_mysql_connect selinuxuser_mysql_connect_enabled
|
||||
allow_user_postgresql_connect selinuxuser_postgresql_connect_enabled
|
||||
allow_write_xshm xserver_clients_write_xshm
|
||||
allow_xguest_exec_content xguest_exec_content
|
||||
allow_xserver_execmem xserver_execmem
|
||||
allow_ypbind nis_enabled
|
||||
allow_zebra_write_config zebra_write_config
|
||||
user_direct_dri selinuxuser_direct_dri_enabled
|
||||
user_ping selinuxuser_ping
|
||||
user_share_music selinuxuser_share_music
|
||||
user_tcp_server selinuxuser_tcp_server
|
||||
sepgsql_enable_pitr_implementation postgresql_can_rsync
|
||||
sepgsql_enable_users_ddl postgresql_selinux_users_ddl
|
||||
sepgsql_transmit_client_label postgresql_selinux_transmit_client_label
|
||||
sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm
|
@ -1,14 +0,0 @@
|
||||
Index: serefpolicy-20140730/Makefile
|
||||
===================================================================
|
||||
--- serefpolicy-20140730.orig/Makefile 2014-07-30 16:48:48.379896000 +0200
|
||||
+++ serefpolicy-20140730/Makefile 2015-02-25 12:37:11.262844720 +0100
|
||||
@@ -431,9 +431,6 @@ $(polxml): $(layerxml) $(tunxml) $(boolx
|
||||
$(verbose) for i in $(basename $(notdir $(layerxml))); do echo "<layer name=\"$$i\">" >> $@; cat $(tmpdir)/$$i.xml >> $@; echo "</layer>" >> $@; done
|
||||
$(verbose) cat $(tunxml) $(boolxml) >> $@
|
||||
$(verbose) echo '</policy>' >> $@
|
||||
- $(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
|
||||
- $(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\
|
||||
- fi
|
||||
|
||||
xml: $(polxml)
|
||||
|
@ -1,12 +0,0 @@
|
||||
Index: serefpolicy-3.12.1/policy/modules/system/selinuxutil.fc
|
||||
===================================================================
|
||||
--- serefpolicy-3.12.1.orig/policy/modules/system/selinuxutil.fc 2013-10-23 11:44:16.817098343 +0200
|
||||
+++ serefpolicy-3.12.1/policy/modules/system/selinuxutil.fc 2013-10-23 11:44:16.836098547 +0200
|
||||
@@ -4,6 +4,7 @@
|
||||
# /etc
|
||||
#
|
||||
/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
|
||||
+/etc/sysconfig/selinux-policy gen_context(system_u:object_r:selinux_config_t,s0)
|
||||
/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
|
||||
/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
|
||||
/etc/selinux/([^/]*/)?logins(/.*)? gen_context(system_u:object_r:selinux_login_config_t,s0)
|
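--- a/label_sysconfig.selinux.patch
+++ b/label_sysconfig.selinux.patch
@@ -0,0 +1,12 @@
+Index: refpolicy/policy/modules/system/selinuxutil.fc
+===================================================================
+--- refpolicy.orig/policy/modules/system/selinuxutil.fc 2018-11-27 11:44:18.621994420 +0100
++++ refpolicy/policy/modules/system/selinuxutil.fc 2018-11-27 11:45:11.406831098 +0100
+@@ -13,6 +13,7 @@
+/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
+/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
+/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
++/etc/sysconfig/selinux-policy -- gen_context(system_u:object_r:selinux_config_t,s0)
+
+#
+# /root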
@ -1,23 +1,12 @@
|
||||
Index: serefpolicy-20140730/policy/modules/system/logging.fc
|
||||
Index: refpolicy/policy/modules/system/logging.fc
|
||||
===================================================================
|
||||
--- serefpolicy-20140730.orig/policy/modules/system/logging.fc
|
||||
+++ serefpolicy-20140730/policy/modules/system/logging.fc
|
||||
@@ -83,6 +83,7 @@ ifdef(`distro_redhat',`
|
||||
/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
|
||||
/var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
|
||||
/var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
|
||||
+/var/run/rsyslog(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
|
||||
/var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
|
||||
--- refpolicy.orig/policy/modules/system/logging.fc 2018-11-27 11:50:10.755599120 +0100
|
||||
+++ refpolicy/policy/modules/system/logging.fc 2018-11-27 11:50:32.611949480 +0100
|
||||
@@ -60,6 +60,7 @@ ifdef(`distro_suse', `
|
||||
/var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
|
||||
/var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
|
||||
/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
|
||||
+/var/log/syslog(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
|
||||
|
||||
/var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
|
||||
Index: serefpolicy-20140730/policy/modules/system/init.te
|
||||
===================================================================
|
||||
--- serefpolicy-20140730.orig/policy/modules/system/init.te
|
||||
+++ serefpolicy-20140730/policy/modules/system/init.te
|
||||
@@ -1676,3 +1676,6 @@ optional_policy(`
|
||||
ccs_read_config(daemon)
|
||||
')
|
||||
')
|
||||
+
|
||||
+# relabel /var/run/rsyslog
|
||||
+filetrans_pattern(init_t, var_run_t, syslogd_var_run_t, dir, "rsyslog")
|
||||
ifndef(`distro_gentoo',`
|
||||
/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
|
||||
|
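Review bot: The new hunk labels `/var/log/syslog(/.*)?` with the runtime type syslogd_var_run_t at mls_systemhigh, while the file keeps the name label_var_run_rsyslog.patch and, as far as the old and new sides can be told apart in this rendering, the `/var/run/rsyslog(/.*)?` entry and the init.te filetrans_pattern it used to carry are gone. A log file that carries a var_run type receives every permission any domain holds on syslogd_var_run_t, so if the intent was only to keep the old rsyslog runtime-directory rule alive, the type should be checked against the neighbouring `/var/log/spooler[^/]*` line, which uses var_log_t. If the new line is intended (it mirrors the `/var/log/syslog-ng(/.*)?` entry directly above it), rename the patch to match what it now does and add a first line such as `# Label /var/log/syslog (presumably rsyslog's) like syslog-ng's log directory; the /var/run/rsyslog rule is no longer carried here` so the next rebase does not drop it as stale.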
1
modules-minimum-disable.lst
Normal file
@ -0,0 +1 @@
|
||||
abrt accountsd acct afs aiccu aide ajaxterm alsa amanda amtu anaconda antivirus apache apcupsd apm arpwatch asterisk authconfig automount avahi awstats bcfg2 bind rpcbind rngd bitlbee blueman bluetooth boinc brctl bugzilla cachefilesd calamaris callweaver canna ccs cdrecord certmaster certmonger certwatch cfengine cgroup chrome chronyd cipe clogd cloudform cmirrord cobbler collectd colord comsat condor consolekit couchdb courier cpucontrol cpufreqselector cron ctdb cups cvs cyphesis cyrus daemontools dbadm dbskk dbus dcc ddclient denyhosts devicekit dhcp dictd dirsrv-admin dirsrv dmidecode dnsmasq dnssec dovecot drbd dspam entropyd exim fail2ban fcoe fetchmail finger firewalld firewallgui firstboot fprintd ftp tftp games gitosis git glance glusterd gnome gpg gpg gpm gpsd guest xguest hddtemp icecast inetd inn lircd irc irqbalance iscsi isns jabber jetty jockey kdumpgui kdump kerberos keyboardd keystone kismet ksmtuned ktalk l2tp ldap likewise lircd livecd lldpad loadkeys lockdev logrotate logwatch lpd slpd mailman mailscanner man2html mcelog mediawiki memcached milter mock modemmanager mojomojo mozilla mpd mplayer mrtg mta munin mysql mythtv nagios namespace ncftool ncftool networkmanager nis nova nscd nslcd ntop ntp numad nut nx obex oddjob openct openshift-origin openshift openvpn openvswitch prelude pads passenger pcmcia pcscd pegasus pingd piranha plymouthd podsleuth policykit polipo portmap portreserve postfix postgrey ppp prelink unprivuser prelude privoxy procmail psad ptchown publicfile pulseaudio puppet pwauth qmail qpid quantum quota rabbitmq radius radvd raid rdisc readahead realmd remotelogin rhcs rhev rhgb rhsmcertd ricci rlogin roundup rpcbind rpc rpm rshd rssh rsync rtkit rwho sambagui samba sandbox sandboxX sanlock sasl sblim screen sectoolm sendmail sensord setroubleshoot sge shorewall slocate slpd smartmon smokeping smoltclient snmp snort sosreport soundserver spamassassin squid sssd stapserver stunnel svnserve swift sysstat tcpd tcsd telepathy 
telnet tftp tgtd thumb tmpreaper tomcat cpufreqselector tor ksmtuned tuned tvtime ulogd uml updfstab usbmodules usbmuxd userhelper usernetctl uucp uuidd varnishd vbetool vbetool vdagent vhostmd virt vlock vmware vnstatd openvpn vpn w3c wdmd webadm webalizer wine wireshark xen xguest zabbix zarafa zebra zoneminder zosremote thin mandb pki smsd sslh obs
|
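Review bot: The list carries duplicate module names — `gpg gpg`, `ncftool ncftool` and `vbetool vbetool` back to back, and rpcbind, xguest, tftp, lircd, slpd, openvpn, ksmtuned, cpufreqselector and prelude each appear twice — which suggests it was concatenated from two older lists rather than reviewed. The %post minimum scriptlet shown later in this commit only touches a disabled-marker per name, so the repeats are harmless today, but they make it hard to see which contrib modules the minimum policy actually leaves enabled. One name per line, or a `sort -u` pass before committing, would make future diffs reviewable and catch repeats. Because %post word-splits the file with a plain `cat`, a comment line is not an option here; record the intent next to the `Source13:` line in the spec instead.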
110647
policy-rawhide-contrib.patch
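--- a/refpolicy-2.20180701.tar.bz2
+++ b/refpolicy-2.20180701.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dca99ee829b41f216474170c0e38aae99b01a0406a841bdc7347b49aa24f6c7d
+size 753050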
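--- a/rpmlintrc
+++ b/rpmlintrc
@@ -0,0 +1,2 @@
+# this is intentional
+addFilter("W: files-duplicate")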
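Review bot: `# this is intentional` does not say what is duplicated or why, so the next maintainer cannot tell whether a newly reported files-duplicate warning is the expected one; a line such as `# files-duplicate: the per-policy-type trees under /etc/selinux intentionally ship identical files` (presumed from the %fileList macro in the spec, confirm) would do. The filter as written also silences every files-duplicate warning in the package; rpmlint's addFilter takes a regular expression, so narrowing it to the expected paths, for example `addFilter(r"files-duplicate .*/etc/selinux/")` (constructed example), keeps the warning live for unintended copies.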
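--- a/segenxml_interpreter.patch
+++ b/segenxml_interpreter.patch
@@ -0,0 +1,10 @@
+Index: refpolicy/support/segenxml.py
+===================================================================
+--- refpolicy.orig/support/segenxml.py 2018-06-10 19:32:41.000000000 +0200
++++ refpolicy/support/segenxml.py 2018-11-27 16:52:00.196329793 +0100
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env python3
++#! /usr/bin/python3
+
+# Author(s): Donald Miner <dminer@tresys.com>
+# Dave Sugar <dsugar@tresys.com>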
@ -1,10 +1,44 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Nov 27 15:20:03 UTC 2018 - jsegitz@suse.com
|
||||
|
||||
- Use refpolicy 20180701 as a base
|
||||
- Dropped patches
|
||||
* allow-local_login_t-read-shadow.patch
|
||||
* dont_use_xmllint_in_make_conf.patch
|
||||
* label_sysconfig.selinux-policy.patch
|
||||
* policy-rawhide-base.patch
|
||||
* policy-rawhide-contrib.patch
|
||||
* suse_modifications_authlogin.patch
|
||||
* suse_modifications_dbus.patch
|
||||
* suse_modifications_glusterfs.patch
|
||||
* suse_modifications_ipsec.patch
|
||||
* suse_modifications_passenger.patch
|
||||
* suse_modifications_policykit.patch
|
||||
* suse_modifications_postfix.patch
|
||||
* suse_modifications_rtkit.patch
|
||||
* suse_modifications_selinuxutil.patch
|
||||
* suse_modifications_ssh.patch
|
||||
* suse_modifications_staff.patch
|
||||
* suse_modifications_stapserver.patch
|
||||
* suse_modifications_systemd.patch
|
||||
* suse_modifications_unconfined.patch
|
||||
* suse_modifications_unconfineduser.patch
|
||||
* suse_modifications_unprivuser.patch
|
||||
* systemd-tmpfiles.patch
|
||||
* type_transition_contrib.patch
|
||||
* type_transition_file_class.patch
|
||||
* useradd-netlink_selinux_socket.patch
|
||||
* xconsole.patch
|
||||
Rebased the other patches to apply to refpolicy
|
||||
- Added segenxml_interpreter.patch to not use env in shebang
|
||||
- Added rpmlintrc to surpress duplicate file warnings
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Mar 26 13:18:34 UTC 2018 - rgoldwyn@suse.com
|
||||
|
||||
- Add overlayfs as xattr capable (bsc#1073741)
|
||||
* add-overlayfs-as-xattr-capable.patch
|
||||
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Dec 12 09:07:31 UTC 2017 - jsegitz@suse.com
|
||||
|
||||
|
@ -24,21 +24,14 @@
|
||||
# TODO: This turns on distro-specific policies.
|
||||
# There are almost no SUSE specific modifications available in the policy, so we utilize the
|
||||
# ones used by redhat and include also the SUSE specific ones (see sed statement below)
|
||||
%define distro redhat
|
||||
%define distro suse
|
||||
%define ubac n
|
||||
%define polyinstatiate n
|
||||
%define monolithic n
|
||||
%define BUILD_DOC 1
|
||||
%define BUILD_TARGETED 1
|
||||
%define BUILD_MINIMUM 1
|
||||
%if 0%{suse_version} == 1315 && 0%{is_opensuse} == 0
|
||||
%define BUILD_MLS 0
|
||||
%else
|
||||
%define BUILD_MLS 1
|
||||
%endif
|
||||
|
||||
%if 0%{?suse_version} >= 1330 || ( 0%{?suse_version} == 1315 && 0%{?sle_version} >= 120200 )
|
||||
%else
|
||||
%endif
|
||||
|
||||
%define POLICYCOREUTILSVER %(rpm -q --qf %%{version} policycoreutils)
|
||||
%define CHECKPOLICYVER %POLICYCOREUTILSVER
|
||||
@ -129,21 +122,17 @@ Summary: SELinux policy configuration
|
||||
License: GPL-2.0-or-later
|
||||
Group: System/Management
|
||||
Name: selinux-policy
|
||||
Version: 20140730
|
||||
Version: 20180701
|
||||
Release: 0
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
Source1: serefpolicy-contrib-%{version}.tgz
|
||||
Source: https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_%{version}/refpolicy-2.%{version}.tar.bz2
|
||||
|
||||
Source10: modules-targeted-base.conf
|
||||
Source11: modules-targeted-contrib.conf
|
||||
Source12: modules-mls-base.conf
|
||||
Source13: modules-mls-contrib.conf
|
||||
#Source14: modules-minimum.conf
|
||||
Source13: modules-minimum-disable.lst
|
||||
|
||||
Source20: booleans-targeted.conf
|
||||
Source21: booleans-mls.conf
|
||||
Source22: booleans-minimum.conf
|
||||
Source23: booleans.subs_dist
|
||||
|
||||
Source30: setrans-targeted.conf
|
||||
Source31: setrans-mls.conf
|
||||
@ -166,49 +155,20 @@ Source92: customizable_types
|
||||
Source93: config.tgz
|
||||
Source94: file_contexts.subs_dist
|
||||
|
||||
# base policy patches
|
||||
Patch0001: policy-rawhide-base.patch
|
||||
# The following two patches are a workaround for 812055
|
||||
Patch0002: type_transition_file_class.patch
|
||||
Patch0003: label_sysconfig.selinux-policy.patch
|
||||
Patch0004: sysconfig_network_scripts.patch
|
||||
Patch0005: allow-local_login_t-read-shadow.patch
|
||||
Patch0006: xconsole.patch
|
||||
Patch0007: useradd-netlink_selinux_socket.patch
|
||||
Patch0008: systemd-tmpfiles.patch
|
||||
Patch0009: label_var_run_rsyslog.patch
|
||||
Patch0010: suse_modifications_unconfined.patch
|
||||
Patch0011: suse_modifications_systemd.patch
|
||||
Patch0012: suse_modifications_unconfineduser.patch
|
||||
Patch0013: suse_modifications_selinuxutil.patch
|
||||
Patch0014: suse_modifications_logging.patch
|
||||
Patch0015: suse_modifications_getty.patch
|
||||
Patch0016: suse_modifications_authlogin.patch
|
||||
Patch0017: suse_modifications_xserver.patch
|
||||
Patch0018: suse_modifications_ssh.patch
|
||||
Patch0019: suse_modifications_usermanage.patch
|
||||
Patch0020: suse_modifications_unprivuser.patch
|
||||
Patch0021: dont_use_xmllint_in_make_conf.patch
|
||||
Patch0022: suse_modifications_staff.patch
|
||||
Patch0023: suse_modifications_ipsec.patch
|
||||
Patch0024: add-overlayfs-as-xattr-capable.patch
|
||||
|
||||
# contrib patches
|
||||
Patch1000: policy-rawhide-contrib.patch
|
||||
Patch1001: type_transition_contrib.patch
|
||||
Patch1002: suse_modifications_virt.patch
|
||||
Patch1003: suse_modifications_dbus.patch
|
||||
Patch1004: suse_modifications_policykit.patch
|
||||
Patch1005: suse_modifications_postfix.patch
|
||||
Patch1006: suse_modifications_rtkit.patch
|
||||
Patch1007: suse_modifications_apache.patch
|
||||
Patch1008: suse_modifications_ntp.patch
|
||||
Patch1009: suse_modifications_cron.patch
|
||||
Patch1010: suse_additions_sslh.patch
|
||||
Patch1011: suse_additions_obs.patch
|
||||
Patch1012: suse_modifications_glusterfs.patch
|
||||
Patch1013: suse_modifications_passenger.patch
|
||||
Patch1014: suse_modifications_stapserver.patch
|
||||
Patch001: label_sysconfig.selinux.patch
|
||||
Patch002: label_var_run_rsyslog.patch
|
||||
Patch003: suse_additions_obs.patch
|
||||
Patch004: suse_additions_sslh.patch
|
||||
Patch005: suse_modifications_apache.patch
|
||||
Patch007: suse_modifications_cron.patch
|
||||
Patch009: suse_modifications_getty.patch
|
||||
Patch012: suse_modifications_logging.patch
|
||||
Patch013: suse_modifications_ntp.patch
|
||||
Patch021: suse_modifications_usermanage.patch
|
||||
Patch022: suse_modifications_virt.patch
|
||||
Patch023: suse_modifications_xserver.patch
|
||||
Patch024: sysconfig_network_scripts.patch
|
||||
Patch025: segenxml_interpreter.patch
|
||||
|
||||
Url: http://oss.tresys.com/repos/refpolicy/
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
@ -221,7 +181,7 @@ BuildRequires: gawk
|
||||
BuildRequires: libxml2-tools
|
||||
BuildRequires: m4
|
||||
BuildRequires: policycoreutils
|
||||
BuildRequires: policycoreutils-python
|
||||
BuildRequires: python3-policycoreutils
|
||||
BuildRequires: python
|
||||
BuildRequires: python-xml
|
||||
#BuildRequires: selinux-policy-devel
|
||||
@ -232,28 +192,29 @@ Requires(post): /bin/awk /usr/bin/sha512sum
|
||||
Recommends: audit
|
||||
Recommends: selinux-tools
|
||||
# for audit2allow
|
||||
Recommends: policycoreutils-python
|
||||
Recommends: python3-policycoreutils
|
||||
Recommends: policycoreutils
|
||||
|
||||
%global makeCmds() \
|
||||
make SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 bare \
|
||||
make SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 conf \
|
||||
make %{?_smp_mflags} SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 bare \
|
||||
make %{?_smp_mflags} SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 conf \
|
||||
cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \
|
||||
cp -f selinux_config/users-%1 ./policy/users \
|
||||
#cp -f selinux_config/users-%1 ./policy/users \
|
||||
#cp -f selinux_config/modules-%1-base.conf ./policy/modules.conf \
|
||||
|
||||
%global makeModulesConf() \
|
||||
cp -f selinux_config/modules-%1-%2.conf ./policy/modules-base.conf \
|
||||
cp -f selinux_config/modules-%1-%2.conf ./policy/modules.conf \
|
||||
if [ "%3" = "contrib" ];then \
|
||||
cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \
|
||||
cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \
|
||||
fi; \
|
||||
#if [ "%3" = "contrib" ];then \
|
||||
# cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \
|
||||
# cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \
|
||||
#fi; \
|
||||
|
||||
%global installCmds() \
|
||||
make SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 SEMOD_EXP="/usr/bin/semodule_expand -a" base.pp \
|
||||
make validate SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 SEMOD_EXP="/usr/bin/semodule_expand -a" modules \
|
||||
make SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install \
|
||||
make SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install-appconfig \
|
||||
make %{?_smp_mflags} SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 SEMOD_EXP="/usr/bin/semodule_expand -a" base.pp \
|
||||
make %{?_smp_mflags} validate SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 SEMOD_EXP="/usr/bin/semodule_expand -a" modules \
|
||||
make %{?_smp_mflags} SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install \
|
||||
make %{?_smp_mflags} SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install-appconfig \
|
||||
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/logins \
|
||||
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/policy \
|
||||
%{__mkdir} -p %{buildroot}/%{module_store %%{1}}/%{module_dir} \
|
||||
@ -272,14 +233,11 @@ touch %{buildroot}%{module_store %%{1}}/active/seusers \
|
||||
touch %{buildroot}%{module_store %%{1}}/active/nodes.local \
|
||||
touch %{buildroot}%{module_store %%{1}}/active/users_extra.local \
|
||||
touch %{buildroot}%{module_store %%{1}}/active/users.local \
|
||||
cp %{SOURCE23} %{buildroot}%{_sysconfdir}/selinux/%1 \
|
||||
%install_pp %%1 \
|
||||
touch %{buildroot}%{module_disabled %%1 sandbox} \
|
||||
/usr/sbin/semodule -s %%1 -n -B -p %{buildroot}; \
|
||||
/usr/bin/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
|
||||
/usr/bin/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.* | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
|
||||
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \
|
||||
rm -f %{buildroot}/%{_sysconfigdir}/selinux/%1/modules/active/policy.kern \
|
||||
ln -sf %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} %{buildroot}%{module_store %%{1}}/active/policy.kern \
|
||||
%nil
|
||||
|
||||
%global fileList() \
|
||||
@ -304,13 +262,14 @@ ln -sf %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} %{buildroot}%{modul
|
||||
%verify(not md5 size mtime) %{module_store %%{1}}/active/homedir_template \
|
||||
%{module_store %%{1}}/%{module_dir}/* \
|
||||
%ghost %{module_store %%{1}}/active/*.local \
|
||||
%{module_store %%{1}}/active/*.linked \
|
||||
%{module_store %%{1}}/active/*.homedirs \
|
||||
%{files_dot_bin %%1} \
|
||||
%ghost %{module_store %%{1}}/active/seusers \
|
||||
%dir %{_sysconfdir}/selinux/%1/policy/ \
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.* \
|
||||
%{_sysconfdir}/selinux/%1/.policy.sha512 \
|
||||
%dir %{_sysconfdir}/selinux/%1/contexts \
|
||||
%config %{_sysconfdir}/selinux/%1/contexts/customizable_types \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/dbus_contexts \
|
||||
%config %{_sysconfdir}/selinux/%1/contexts/x_contexts \
|
||||
@ -324,7 +283,8 @@ ln -sf %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} %{buildroot}%{modul
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/customizable_types \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/openrc_contexts \
|
||||
%dir %{_sysconfdir}/selinux/%1/contexts/files \
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
|
||||
@ -332,7 +292,6 @@ ln -sf %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} %{buildroot}%{modul
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
|
||||
%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \
|
||||
%{_sysconfdir}/selinux/%1/booleans.subs_dist \
|
||||
%config %{_sysconfdir}/selinux/%1/contexts/files/media \
|
||||
%dir %{_sysconfdir}/selinux/%1/contexts/users \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/*
|
||||
@ -414,62 +373,27 @@ SELinux Reference Policy. A complete SELinux policy that can be used as the syst
|
||||
systems and used as the basis for creating other policies.
|
||||
|
||||
%prep
|
||||
# contrib modules
|
||||
%setup -n serefpolicy-contrib-%{version} -q -b 1
|
||||
%patch1000 -p1
|
||||
%patch1001 -p1
|
||||
%patch1002 -p1
|
||||
%patch1003 -p1
|
||||
%patch1004 -p1
|
||||
%patch1005 -p1
|
||||
%patch1006 -p1
|
||||
%patch1007 -p1
|
||||
%patch1008 -p1
|
||||
%patch1009 -p1
|
||||
%patch1010 -p1
|
||||
%patch1011 -p1
|
||||
%patch1012 -p1
|
||||
%patch1013 -p1
|
||||
%patch1014 -p1
|
||||
|
||||
# base policy
|
||||
contrib_path=`pwd`
|
||||
%setup -n serefpolicy-%{version} -q
|
||||
cp COPYING ..
|
||||
%patch0001 -p1
|
||||
%patch0002 -p1
|
||||
%patch0003 -p1
|
||||
%patch0004 -p1
|
||||
%patch0005 -p1
|
||||
%patch0006 -p0
|
||||
%patch0007 -p1
|
||||
%patch0008 -p1
|
||||
%patch0009 -p1
|
||||
%patch0010 -p1
|
||||
%patch0011 -p1
|
||||
%patch0012 -p1
|
||||
%patch0013 -p1
|
||||
%patch0014 -p1
|
||||
%patch0015 -p1
|
||||
%patch0016 -p1
|
||||
%patch0017 -p1
|
||||
%patch0018 -p1
|
||||
%patch0019 -p1
|
||||
%patch0020 -p1
|
||||
%patch0021 -p1
|
||||
%patch0022 -p1
|
||||
%patch0023 -p1
|
||||
%patch0024 -p1
|
||||
refpolicy_path=`pwd`
|
||||
cp $contrib_path/* $refpolicy_path/policy/modules/contrib
|
||||
# we use distro=redhat to get all the redhat modifications but we'll still need everything that is defined for suse
|
||||
find "$refpolicy_path" -type f -print0 | xargs -0 sed -i -e 's/ifdef(`distro_suse/ifdef(`distro_redhat/g'
|
||||
%setup -n refpolicy
|
||||
%patch001 -p1
|
||||
%patch002 -p1
|
||||
%patch003 -p1
|
||||
%patch004 -p1
|
||||
%patch005 -p1
|
||||
%patch007 -p1
|
||||
%patch009 -p1
|
||||
%patch012 -p1
|
||||
%patch013 -p1
|
||||
%patch021 -p1
|
||||
%patch022 -p1
|
||||
%patch023 -p1
|
||||
%patch024 -p1
|
||||
%patch025 -p1
|
||||
|
||||
%build
|
||||
|
||||
%install
|
||||
mkdir selinux_config
|
||||
for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE30} %{SOURCE31} %{SOURCE32} %{SOURCE40} %{SOURCE41} %{SOURCE42} %{SOURCE50} %{SOURCE51} %{SOURCE52} %{SOURCE91} %{SOURCE92} %{SOURCE93} %{SOURCE94};do
|
||||
for i in %{SOURCE10} %{SOURCE12} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE30} %{SOURCE31} %{SOURCE32} %{SOURCE40} %{SOURCE41} %{SOURCE42} %{SOURCE91} %{SOURCE92} %{SOURCE93} %{SOURCE94};do
|
||||
cp $i selinux_config
|
||||
done
|
||||
tar zxvf selinux_config/config.tgz
|
||||
@ -498,6 +422,7 @@ mkdir -p %{buildroot}%{_usr}/share/selinux/minimum
|
||||
%makeCmds minimum mcs n allow
|
||||
%makeModulesConf targeted base contrib
|
||||
%installCmds minimum mcs n allow
|
||||
install -m0644 %{SOURCE13} %{buildroot}/usr/share/selinux/minimum/modules-minimum-disable.lst \
|
||||
%modulesList minimum
|
||||
%endif
|
||||
|
||||
@ -513,8 +438,8 @@ mkdir -p %{buildroot}%{_usr}/share/selinux/mls
|
||||
# Install devel
|
||||
mkdir -p %{buildroot}%{_mandir}
|
||||
cp -R man/* %{buildroot}%{_mandir}
|
||||
make SYSTEMD=y UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-docs
|
||||
make SYSTEMD=y UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-headers
|
||||
make SYSTEMD=y UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-docs
|
||||
make SYSTEMD=y UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-headers
|
||||
mkdir %{buildroot}%{_usr}/share/selinux/devel/
|
||||
mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
|
||||
chmod +x %{buildroot}%{_usr}/share/selinux/devel/include/support/segenxml.py
|
||||
@ -565,14 +490,8 @@ SELinux policy development and man page package
|
||||
|
||||
%files devel
|
||||
%defattr(-,root,root,-)
|
||||
%{_mandir}/ru/man8/ftpd_selinux.8.gz
|
||||
%{_mandir}/ru/man8/httpd_selinux.8.gz
|
||||
%{_mandir}/ru/man8/kerberos_selinux.8.gz
|
||||
%{_mandir}/ru/man8/named_selinux.8.gz
|
||||
%{_mandir}/ru/man8/nfs_selinux.8.gz
|
||||
%{_mandir}/ru/man8/rsync_selinux.8.gz
|
||||
%{_mandir}/ru/man8/samba_selinux.8.gz
|
||||
%{_mandir}/ru/man8/ypbind_selinux.8.gz
|
||||
%doc /usr/share/man/ru/man8/*
|
||||
%doc /usr/share/man/man8/*
|
||||
%dir %{_usr}/share/selinux/devel
|
||||
%dir %{_usr}/share/selinux/devel/include
|
||||
%{_usr}/share/selinux/devel/include/*
|
||||
@ -617,7 +536,6 @@ exit 0
|
||||
%defattr(-,root,root,-)
|
||||
%fileList targeted
|
||||
%{_usr}/share/selinux/targeted/modules-base.lst
|
||||
%{_usr}/share/selinux/targeted/modules-contrib.lst
|
||||
%endif
|
||||
|
||||
%if %{BUILD_MINIMUM}
|
||||
@ -625,7 +543,7 @@ exit 0
|
||||
Summary: SELinux minimum base policy
|
||||
Group: System/Management
|
||||
Provides: selinux-policy-base = %{version}-%{release}
|
||||
Requires(post): policycoreutils-python = %{POLICYCOREUTILSVER}
|
||||
Requires(post): python3-policycoreutils >= %{POLICYCOREUTILSVER}
|
||||
Requires(pre): coreutils
|
||||
Requires(pre): selinux-policy = %{version}-%{release}
|
||||
Requires: selinux-policy = %{version}-%{release}
|
||||
@ -641,34 +559,20 @@ if [ $1 -ne 1 ]; then
|
||||
fi
|
||||
|
||||
%post minimum
|
||||
contribpackages=`cat /usr/share/selinux/minimum/modules-contrib.lst`
|
||||
basepackages=`cat /usr/share/selinux/minimum/modules-base.lst`
|
||||
contribpackages=`cat /usr/share/selinux/minimum/modules-minimum-disable.lst`
|
||||
if [ $1 -eq 1 ]; then
|
||||
for p in $contribpackages; do
|
||||
touch %{module_disabled minimum $p}
|
||||
done
|
||||
# this is temporarily needed to make minimum policy work without errors. Will be included
|
||||
# into the proper places later on
|
||||
for p in $basepackages plymouthd postfix apache dbus inetd kerberos mta nis nscd cron; do
|
||||
rm -f %{module_disabled minimum $p}
|
||||
done
|
||||
# those are default anyway
|
||||
# /usr/sbin/semanage -S minimum -i - << __eof
|
||||
# login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
|
||||
# login -m -s unconfined_u -r s0-s0:c0.c1023 root
|
||||
# __eof
|
||||
/sbin/restorecon -R /root /var/log /var/run 2> /dev/null
|
||||
/usr/sbin/semodule -B -s minimum
|
||||
for p in $contribpackages djbdns dkim getty geoclue lightsquid openca pyzor portage shibboleth yam portslave qemu xserver evolution thunderbird xscreensaver; do
|
||||
touch %{module_disabled minimum $p}
|
||||
done
|
||||
/sbin/restorecon -R /root /var/log /var/run 2> /dev/null
|
||||
/usr/sbin/semodule -B -s minimum
|
||||
else
|
||||
instpackages=`cat /usr/share/selinux/minimum/instmodules.lst`
|
||||
for p in $contribpackages; do
|
||||
touch %{module_disabled minimum $p}
|
||||
done
|
||||
for p in $instpackages apache dbus inetd kerberos mta nis; do
|
||||
rm -f %{module_disabled minimum $p}
|
||||
done
|
||||
/usr/sbin/semodule -B -s minimum
|
||||
%relabel minimum
|
||||
instpackages=`cat /usr/share/selinux/minimum/instmodules.lst`
|
||||
for p in $contribpackages djbdns dkim getty geoclue lightsquid openca pyzor portage shibboleth yam portslave qemu xserver evolution thunderbird xscreensaver; do
|
||||
touch %{module_disabled minimum $p}
|
||||
done
|
||||
/usr/sbin/semodule -B -s minimum
|
||||
%relabel minimum
|
||||
fi
|
||||
exit 0
|
||||
|
||||
@ -676,7 +580,7 @@ exit 0
|
||||
%defattr(-,root,root,-)
|
||||
%fileList minimum
|
||||
%{_usr}/share/selinux/minimum/modules-base.lst
|
||||
%{_usr}/share/selinux/minimum/modules-contrib.lst
|
||||
/usr/share/selinux/minimum/modules-minimum-disable.lst
|
||||
%endif
|
||||
|
||||
%if %{BUILD_MLS}
|
||||
@ -685,9 +589,9 @@ Summary: SELinux mls base policy
|
||||
Group: System/Management
|
||||
Provides: selinux-policy-base = %{version}-%{release}
|
||||
Obsoletes: selinux-policy-mls-sources < 2
|
||||
Requires: policycoreutils-newrole = %{POLICYCOREUTILSVER}
|
||||
Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER}
|
||||
Requires: setransd
|
||||
Requires(pre): policycoreutils = %{POLICYCOREUTILSVER}
|
||||
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
|
||||
Requires(pre): coreutils
|
||||
Requires(pre): selinux-policy = %{version}-%{release}
|
||||
Requires: selinux-policy = %{version}-%{release}
|
||||
@ -704,10 +608,8 @@ SELinux Reference policy mls base module.
|
||||
|
||||
%files mls
|
||||
%defattr(-,root,root,-)
|
||||
%config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u
|
||||
%fileList mls
|
||||
%{_usr}/share/selinux/mls/modules-base.lst
|
||||
%{_usr}/share/selinux/mls/modules-contrib.lst
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:ef950250ca524c822fff44677af9d061d77e09b02cba2ce6444fb057d35f0dae
|
||||
size 318859
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:a717a82690fc2f10de53241471112944cd99eedb1d4ffd05c7c8d6883cf31d11
|
||||
size 467521
|
@ -1,12 +1,12 @@
|
||||
Index: serefpolicy-contrib-20140730/apache.fc
|
||||
Index: refpolicy/policy/modules/services/apache.fc
|
||||
===================================================================
|
||||
--- serefpolicy-contrib-20140730.orig/apache.fc
|
||||
+++ serefpolicy-contrib-20140730/apache.fc
|
||||
@@ -64,6 +64,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
|
||||
/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
+/usr/sbin/start_apache2 -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
/usr/sbin/htcacheclean -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
/usr/sbin/nginx -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
--- refpolicy.orig/policy/modules/services/apache.fc 2018-11-27 13:33:30.059837794 +0100
|
||||
+++ refpolicy/policy/modules/services/apache.fc 2018-11-27 13:34:07.964446972 +0100
|
||||
@@ -84,6 +84,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
|
||||
|
||||
ifdef(`distro_suse',`
|
||||
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
+/usr/sbin/start_apache2 -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
')
|
||||
|
||||
/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
|
@ -1,14 +0,0 @@
|
||||
Index: serefpolicy-20140730/policy/modules/system/authlogin.te
|
||||
===================================================================
|
||||
--- serefpolicy-20140730.orig/policy/modules/system/authlogin.te
|
||||
+++ serefpolicy-20140730/policy/modules/system/authlogin.te
|
||||
@@ -152,6 +152,9 @@ seutil_dontaudit_use_newrole_fds(chkpwd_
|
||||
|
||||
userdom_dontaudit_use_user_ttys(chkpwd_t)
|
||||
|
||||
+allow chkpwd_t var_run_t:sock_file write;
|
||||
+files_rw_inherited_generic_pid_files(chkpwd_t)
|
||||
+
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(chkpwd_t)
|
@ -1,21 +1,24 @@
|
||||
Index: serefpolicy-contrib-20140730/cron.fc
|
||||
Index: refpolicy/policy/modules/services/cron.fc
|
||||
===================================================================
|
||||
--- serefpolicy-contrib-20140730.orig/cron.fc 2015-08-13 10:13:01.320203530 +0200
|
||||
+++ serefpolicy-contrib-20140730/cron.fc 2015-08-13 10:13:01.620208372 +0200
|
||||
@@ -55,6 +55,8 @@ ifdef(`distro_suse', `
|
||||
/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
|
||||
--- refpolicy.orig/policy/modules/services/cron.fc 2018-11-27 13:46:40.344580166 +0100
|
||||
+++ refpolicy/policy/modules/services/cron.fc 2018-11-27 13:47:44.725617173 +0100
|
||||
@@ -68,7 +68,9 @@ ifdef(`distro_gentoo',`
|
||||
')
|
||||
|
||||
ifdef(`distro_suse',`
|
||||
-/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
|
||||
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
|
||||
/var/spool/cron/lastrun/[^/]* -- <<none>>
|
||||
/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
|
||||
-/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
|
||||
+/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
|
||||
+/var/spool/cron/tabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
|
||||
+/var/spool/cron/tabs/[^/]* -- gen_context(system_u:object_r:user_cron_spool_t,s0)
|
||||
')
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
Index: serefpolicy-contrib-20140730/cron.te
|
||||
Index: refpolicy/policy/modules/services/cron.te
|
||||
===================================================================
|
||||
--- serefpolicy-contrib-20140730.orig/cron.te 2015-08-13 10:13:01.320203530 +0200
|
||||
+++ serefpolicy-contrib-20140730/cron.te 2015-08-13 10:13:01.620208372 +0200
|
||||
@@ -841,3 +841,9 @@ tunable_policy(`cron_userdomain_transiti
|
||||
--- refpolicy.orig/policy/modules/services/cron.te 2018-11-27 13:46:21.396274896 +0100
|
||||
+++ refpolicy/policy/modules/services/cron.te 2018-11-27 13:46:40.344580166 +0100
|
||||
@@ -761,3 +761,9 @@ tunable_policy(`cron_userdomain_transiti
|
||||
optional_policy(`
|
||||
unconfined_domain(unconfined_cronjob_t)
|
||||
')
|
||||
@ -25,33 +28,33 @@ Index: serefpolicy-contrib-20140730/cron.te
|
||||
+ userdom_manage_user_home_dirs(crontab_t)
|
||||
+ xserver_non_drawing_client(crontab_t)
|
||||
+')
|
||||
Index: serefpolicy-contrib-20140730/cron.if
|
||||
Index: refpolicy/policy/modules/services/cron.if
|
||||
===================================================================
|
||||
--- serefpolicy-contrib-20140730.orig/cron.if 2015-08-13 10:13:01.320203530 +0200
|
||||
+++ serefpolicy-contrib-20140730/cron.if 2015-08-13 10:14:06.153249993 +0200
|
||||
@@ -158,7 +158,7 @@ interface(`cron_role',`
|
||||
--- refpolicy.orig/policy/modules/services/cron.if 2018-11-27 13:46:40.344580166 +0100
|
||||
+++ refpolicy/policy/modules/services/cron.if 2018-11-27 13:49:17.339129179 +0100
|
||||
@@ -139,7 +139,7 @@ interface(`cron_role',`
|
||||
#
|
||||
interface(`cron_unconfined_role',`
|
||||
gen_require(`
|
||||
- type unconfined_cronjob_t, crontab_t, crontab_exec_t;
|
||||
+ type unconfined_cronjob_t, admin_crontab_t, crontab_t, crontab_exec_t;
|
||||
type crond_t, user_cron_spool_t;
|
||||
bool cron_userdomain_transition;
|
||||
type crond_t, user_cron_spool_t;
|
||||
bool cron_userdomain_transition;
|
||||
')
|
||||
@@ -168,14 +168,14 @@ interface(`cron_unconfined_role',`
|
||||
# Declarations
|
||||
#
|
||||
|
||||
- role $1 types { unconfined_cronjob_t crontab_t };
|
||||
+ role $1 types { unconfined_cronjob_t admin_crontab_t crontab_t };
|
||||
@@ -149,14 +149,14 @@ interface(`cron_unconfined_role',`
|
||||
# Declarations
|
||||
#
|
||||
|
||||
##############################
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
- role $1 types { unconfined_cronjob_t crontab_t };
|
||||
+ role $1 types { unconfined_cronjob_t admin_crontab_t crontab_t };
|
||||
|
||||
- domtrans_pattern($2, crontab_exec_t, crontab_t)
|
||||
+ domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
|
||||
##############################
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
|
||||
dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
|
||||
- domtrans_pattern($2, crontab_exec_t, crontab_t)
|
||||
+ domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
|
||||
|
||||
dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
|
||||
allow $2 crond_t:process sigchld;
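Review bot: The rebased cron.fc hunk carries two `-`/`+` pairs for `/var/spool/cron/lastrun -d` and `/var/spool/cron/tabs -d` whose text appears identical apart from whitespace; they change nothing in the loaded policy and make the downstream patch fragile on the next refpolicy bump, so drop them and keep only the two new `tabs/root` and `tabs/[^/]*` entries. The `tabs/root` entry labels the root crontab `sysadm_cron_spool_t`, a type I cannot see declared anywhere in this snapshot, and an fc entry naming an undeclared type fails when file contexts are validated at build time — confirm it is declared in cron.te for this refpolicy version. The cron.if change that adds `admin_crontab_t` to `cron_unconfined_role` is consistent with that root/user split, but the interface body continues outside the hunk.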
|
||||
|
@ -1,61 +0,0 @@
|
||||
Index: serefpolicy-contrib-20140730/dbus.te
|
||||
===================================================================
|
||||
--- serefpolicy-contrib-20140730.orig/dbus.te 2015-07-21 16:39:25.588407411 +0200
|
||||
+++ serefpolicy-contrib-20140730/dbus.te 2015-07-21 16:41:17.738197485 +0200
|
||||
@@ -55,7 +55,7 @@ ifdef(`enable_mls',`
|
||||
# dac_override: /var/run/dbus is owned by messagebus on Debian
|
||||
# cjp: dac_override should probably go in a distro_debian
|
||||
allow system_dbusd_t self:capability2 block_suspend;
|
||||
-allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
|
||||
+allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid ipc_lock};
|
||||
dontaudit system_dbusd_t self:capability sys_tty_config;
|
||||
allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
|
||||
allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
|
||||
@@ -87,6 +87,7 @@ kernel_read_kernel_sysctls(system_dbusd_
|
||||
kernel_stream_connect(system_dbusd_t)
|
||||
|
||||
dev_read_urand(system_dbusd_t)
|
||||
+dev_read_rand(system_dbusd_t)
|
||||
dev_read_sysfs(system_dbusd_t)
|
||||
|
||||
dev_rw_inherited_input_dev(system_dbusd_t)
|
||||
@@ -154,6 +155,8 @@ userdom_dontaudit_search_user_home_dirs(
|
||||
|
||||
userdom_home_reader(system_dbusd_t)
|
||||
|
||||
+allow system_dbusd_t var_run_t:sock_file write;
|
||||
+
|
||||
optional_policy(`
|
||||
bind_domtrans(system_dbusd_t)
|
||||
')
|
||||
Index: serefpolicy-contrib-20140730/dbus.if
|
||||
===================================================================
|
||||
--- serefpolicy-contrib-20140730.orig/dbus.if 2015-07-21 16:39:25.588407411 +0200
|
||||
+++ serefpolicy-contrib-20140730/dbus.if 2015-07-21 16:39:28.964461299 +0200
|
||||
@@ -111,6 +111,26 @@ template(`dbus_role_template',`
|
||||
|
||||
logging_send_syslog_msg($1_dbusd_t)
|
||||
|
||||
+ ifdef(`distro_suse',`
|
||||
+ gen_require(`
|
||||
+ type config_home_t, xdm_var_run_t;
|
||||
+ ')
|
||||
+ allow $1_dbusd_t self:unix_stream_socket connectto;
|
||||
+
|
||||
+ # is this firefox mislabeled?
|
||||
+ #allow $1_dbusd_t lib_t:file execute_no_trans;
|
||||
+ allow $1_dbusd_t config_home_t:file { rename unlink create read write getattr };
|
||||
+ allow $1_dbusd_t xdm_var_run_t:file { getattr open read };
|
||||
+
|
||||
+ allow $1_dbusd_t $1_t:dbus send_msg;
|
||||
+
|
||||
+ auth_login_pgm_domain($1_dbusd_t)
|
||||
+ xserver_non_drawing_client($1_dbusd_t)
|
||||
+ gnome_manage_home_config_dirs($1_dbusd_t)
|
||||
+ gnome_delete_home_config_dirs($1_dbusd_t)
|
||||
+ corenet_tcp_connect_xserver_port($1_dbusd_t)
|
||||
+ ')
|
||||
+
|
||||
optional_policy(`
|
||||
mozilla_domtrans_spec($1_dbusd_t, $1_t)
|
||||
')
|
@ -1,10 +1,10 @@
|
||||
Index: serefpolicy-20140730/policy/modules/system/getty.te
|
||||
Index: refpolicy/policy/modules/system/getty.te
|
||||
===================================================================
|
||||
--- serefpolicy-20140730.orig/policy/modules/system/getty.te
|
||||
+++ serefpolicy-20140730/policy/modules/system/getty.te
|
||||
@@ -109,6 +109,10 @@ locallogin_domtrans(getty_t)
|
||||
logging_send_syslog_msg(getty_t)
|
||||
--- refpolicy.orig/policy/modules/system/getty.te 2017-08-07 00:45:21.000000000 +0200
|
||||
+++ refpolicy/policy/modules/system/getty.te 2018-11-27 14:50:03.798977971 +0100
|
||||
@@ -91,6 +91,10 @@ logging_send_syslog_msg(getty_t)
|
||||
|
||||
miscfiles_read_localization(getty_t)
|
||||
|
||||
+allow getty_t var_run_t:sock_file write;
|
||||
+plymouthd_exec_plymouth(getty_t)
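Review bot: The rebased hunk keeps the raw rule `allow getty_t var_run_t:sock_file write;` on the new side, which lets getty write to every socket under /var/run that still carries the generic `var_run_t` label instead of the one socket it needs. The neighbouring `plymouthd_exec_plymouth(getty_t)` suggests the target is plymouth's socket; the durable fix is to give that socket its own type in plymouthd.fc and use a plymouthd interface from getty.te, or at minimum annotate the rule, e.g. `# SUSE: plymouth socket in /var/run is still generic_t-labelled — TODO relabel and drop`. This commit appears to delete the equivalent `var_run_t:sock_file write` patches for chkpwd, policykit, rtkit and sshd, so carrying the getty one forward looks inconsistent unless the denial is still reproducible.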
|
||||
|
@ -1,10 +0,0 @@
|
||||
Index: serefpolicy-contrib-20140730/glusterd.te
|
||||
===================================================================
|
||||
--- serefpolicy-contrib-20140730.orig/glusterd.te 2017-12-11 17:38:13.448089663 +0100
|
||||
+++ serefpolicy-contrib-20140730/glusterd.te 2017-12-11 17:38:52.960730655 +0100
|
||||
@@ -1,4 +1,4 @@
|
||||
-policy_module(glusterfs, 1.1.2)
|
||||
+policy_module(glusterd, 1.1.2)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
@ -1,65 +0,0 @@
|
||||
Index: serefpolicy-20140730/policy/modules/system/ipsec.te
|
||||
===================================================================
|
||||
--- serefpolicy-20140730.orig/policy/modules/system/ipsec.te 2015-08-10 12:55:56.098645940 +0200
|
||||
+++ serefpolicy-20140730/policy/modules/system/ipsec.te 2015-08-10 14:32:28.542764339 +0200
|
||||
@@ -209,14 +209,18 @@ optional_policy(`
|
||||
# ipsec_mgmt Local policy
|
||||
#
|
||||
|
||||
-allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice sys_ptrace };
|
||||
+allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin net_raw setpcap sys_nice sys_ptrace };
|
||||
dontaudit ipsec_mgmt_t self:capability sys_tty_config;
|
||||
-allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal };
|
||||
+allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal setcap };
|
||||
allow ipsec_mgmt_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
|
||||
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
|
||||
allow ipsec_mgmt_t self:key_socket create_socket_perms;
|
||||
allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
|
||||
+allow ipsec_mgmt_t self:netlink_route_socket nlmsg_write;
|
||||
+allow ipsec_mgmt_t self:packet_socket { setopt create read write };
|
||||
+allow ipsec_mgmt_t self:socket { bind create read write };
|
||||
+allow ipsec_mgmt_t self:netlink_xfrm_socket { nlmsg_write write read bind create };
|
||||
|
||||
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
|
||||
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
|
||||
@@ -231,6 +235,8 @@ logging_log_filetrans(ipsec_mgmt_t, ipse
|
||||
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
|
||||
filetrans_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_mgmt_var_run_t, file)
|
||||
+# temporary fix until the rules above work
|
||||
+allow ipsec_mgmt_t var_run_t:sock_file { write unlink };
|
||||
|
||||
manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
|
||||
manage_dirs_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
|
||||
@@ -269,6 +275,7 @@ kernel_read_software_raid_state(ipsec_mg
|
||||
kernel_read_kernel_sysctls(ipsec_mgmt_t)
|
||||
kernel_getattr_core_if(ipsec_mgmt_t)
|
||||
kernel_getattr_message_if(ipsec_mgmt_t)
|
||||
+kernel_request_load_module(ipsec_mgmt_t)
|
||||
|
||||
domain_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
|
||||
domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t)
|
||||
@@ -290,6 +297,10 @@ corecmd_exec_bin(ipsec_mgmt_t)
|
||||
corecmd_exec_shell(ipsec_mgmt_t)
|
||||
|
||||
corenet_tcp_connect_rndc_port(ipsec_mgmt_t)
|
||||
+corenet_udp_bind_dhcpc_port(ipsec_mgmt_t)
|
||||
+corenet_udp_bind_isakmp_port(ipsec_mgmt_t)
|
||||
+corenet_udp_bind_generic_node(ipsec_mgmt_t)
|
||||
+corenet_udp_bind_ipsecnat_port(ipsec_mgmt_t)
|
||||
|
||||
dev_read_rand(ipsec_mgmt_t)
|
||||
dev_read_urand(ipsec_mgmt_t)
|
||||
@@ -297,10 +308,7 @@ dev_read_urand(ipsec_mgmt_t)
|
||||
domain_use_interactive_fds(ipsec_mgmt_t)
|
||||
# denials when ps tries to search /proc. Do not audit these denials.
|
||||
domain_dontaudit_read_all_domains_state(ipsec_mgmt_t)
|
||||
-# suppress audit messages about unnecessary socket access
|
||||
-# cjp: this seems excessive
|
||||
-domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
|
||||
-domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
|
||||
+# domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
|
||||
|
||||
files_read_etc_files(ipsec_mgmt_t)
|
||||
files_exec_etc_files(ipsec_mgmt_t)
|
@ -1,10 +1,10 @@
|
||||
Index: serefpolicy-20140730/policy/modules/system/logging.te
|
||||
Index: refpolicy/policy/modules/system/logging.te
|
||||
===================================================================
|
||||
--- serefpolicy-20140730.orig/policy/modules/system/logging.te
|
||||
+++ serefpolicy-20140730/policy/modules/system/logging.te
|
||||
@@ -565,6 +565,9 @@ userdom_dontaudit_use_unpriv_user_fds(sy
|
||||
userdom_search_user_home_dirs(syslogd_t)
|
||||
userdom_rw_inherited_user_tmp_files(syslogd_t)
|
||||
--- refpolicy.orig/policy/modules/system/logging.te 2018-07-01 17:02:31.000000000 +0200
|
||||
+++ refpolicy/policy/modules/system/logging.te 2018-11-27 14:51:58.508861896 +0100
|
||||
@@ -554,6 +554,9 @@ ifdef(`init_systemd',`
|
||||
udev_read_pid_files(syslogd_t)
|
||||
')
|
||||
|
||||
+allow syslogd_t var_run_t:file { read getattr open };
|
||||
+allow syslogd_t var_run_t:sock_file write;
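Review bot: The two raw rules `allow syslogd_t var_run_t:file { read getattr open };` and `allow syslogd_t var_run_t:sock_file write;` survive the rebase unconditionally, placed right after the `ifdef(`init_systemd')` block rather than inside it; they allow syslogd to read any generic-labelled file and write any generic-labelled socket in /var/run, which is broader than a log daemon should get. For the file case prefer the files module's generic-pid read interface, `files_read_generic_pids(syslogd_t)`, and for the socket a stream-connect interface of the daemon that owns it once that socket is labelled; if the access is only needed under systemd, move the rules into the `ifdef` above. A one-line comment naming the file and socket that produced the denials would make the rule reviewable on the next rebase. The syslogd_t policy block continues outside the hunk.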
|
||||
|
@ -1,56 +1,11 @@
|
||||
Index: serefpolicy-contrib-20140730/ntp.fc
|
||||
Index: refpolicy/policy/modules/services/ntp.fc
|
||||
===================================================================
|
||||
--- serefpolicy-contrib-20140730.orig/ntp.fc
|
||||
+++ serefpolicy-contrib-20140730/ntp.fc
|
||||
@@ -1,25 +1,36 @@
|
||||
/etc/cron\.(daily|weekly)/ntp-simple -- gen_context(system_u:object_r:ntpd_exec_t,s0)
|
||||
/etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0)
|
||||
|
||||
-/etc/ntpd.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
|
||||
-/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
|
||||
-/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
|
||||
-/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
|
||||
-/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
|
||||
-
|
||||
-/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
|
||||
-
|
||||
-/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
|
||||
-/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
|
||||
-/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
|
||||
-
|
||||
-/usr/lib/systemd/system/ntpd.* -- gen_context(system_u:object_r:ntpd_unit_file_t,s0)
|
||||
-
|
||||
-/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
|
||||
-/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
|
||||
-
|
||||
-/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
|
||||
-/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
|
||||
-/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
|
||||
-
|
||||
-/var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
|
||||
+/etc/ntpd.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
|
||||
+/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
|
||||
+/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
|
||||
+/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
|
||||
+/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
|
||||
+
|
||||
+/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
|
||||
+
|
||||
+/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
|
||||
+/usr/sbin/start-ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
|
||||
+/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
|
||||
+/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
|
||||
+
|
||||
+/usr/lib/systemd/system/ntpd.* -- gen_context(system_u:object_r:ntpd_unit_file_t,s0)
|
||||
+
|
||||
+/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
|
||||
+/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
|
||||
+
|
||||
+/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
|
||||
+/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
|
||||
+/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
|
||||
+
|
||||
+/var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
|
||||
--- refpolicy.orig/policy/modules/services/ntp.fc 2018-11-27 14:54:54.495739330 +0100
|
||||
+++ refpolicy/policy/modules/services/ntp.fc 2018-11-27 14:55:32.792361276 +0100
|
||||
@@ -37,3 +37,13 @@
|
||||
/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
|
||||
/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
|
||||
/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
|
||||
+
|
||||
+# SUSE chroot
|
||||
+/var/lib/ntp/etc/ntpd?.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
|
||||
@ -61,16 +16,3 @@ Index: serefpolicy-contrib-20140730/ntp.fc
|
||||
+/var/lib/ntp/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
|
||||
+/var/lib/ntp/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
|
||||
+/var/lib/ntp/var/run/ntp(/.*)? gen_context(system_u:object_r:ntpd_var_run_t,s0)
|
||||
Index: serefpolicy-contrib-20140730/ntp.te
|
||||
===================================================================
|
||||
--- serefpolicy-contrib-20140730.orig/ntp.te
|
||||
+++ serefpolicy-contrib-20140730/ntp.te
|
||||
@@ -76,7 +76,7 @@ manage_files_pattern(ntpd_t, ntpd_tmpfs_
|
||||
fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file })
|
||||
|
||||
manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
|
||||
-files_pid_filetrans(ntpd_t, ntpd_var_run_t, file)
|
||||
+files_pid_filetrans(ntpd_t, ntpd_var_run_t, { file lnk_file } )
|
||||
|
||||
can_exec(ntpd_t, ntpd_exec_t)
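Review bot: The new `# SUSE chroot` entries label only a few specific paths under `/var/lib/ntp`, while the upstream entry `/var/lib/ntp(/.*)?` (visible in the removed copy of the hunk) gives that whole tree the writable `ntp_drift_t` type; anything in the chroot not matched by the new regexes — the `/var/lib/ntp/etc` directory itself or a keys file — would therefore be writable by ntpd_t, which defeats the purpose of a read-only config type. Add `/var/lib/ntp/etc(/.*)? gen_context(system_u:object_r:ntp_conf_t,s0)` so the directory defaults to the config type, and label any chroot keys `ntpd_key_t` as the non-chroot entries do. The `ntpd?.*\.conf.*` pattern is also looser than the upstream `/etc/ntpd.*\.conf.*` it mirrors; if SUSE only ships `ntp.conf` there, `/var/lib/ntp/etc/ntp\.conf.* --` is tighter.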
|
||||
|
||||
|
@ -1,10 +0,0 @@
|
||||
Index: serefpolicy-contrib-20140730/passenger.te
|
||||
===================================================================
|
||||
--- serefpolicy-contrib-20140730.orig/passenger.te 2017-12-11 17:38:13.276086872 +0100
|
||||
+++ serefpolicy-contrib-20140730/passenger.te 2017-12-11 17:42:24.592161419 +0100
|
||||
@@ -1,4 +1,4 @@
|
||||
-policy_module(passanger, 1.1.1)
|
||||
+policy_module(passenger, 1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
@ -1,14 +0,0 @@
|
||||
Index: serefpolicy-contrib-20140730/policykit.te
|
||||
===================================================================
|
||||
--- serefpolicy-contrib-20140730.orig/policykit.te
|
||||
+++ serefpolicy-contrib-20140730/policykit.te
|
||||
@@ -94,6 +94,9 @@ userdom_getattr_all_users(policykit_t)
|
||||
userdom_read_all_users_state(policykit_t)
|
||||
userdom_dontaudit_search_admin_dir(policykit_t)
|
||||
|
||||
+allow policykit_t var_run_t:sock_file write;
|
||||
+files_rw_inherited_generic_pid_files(policykit_t)
|
||||
+
|
||||
optional_policy(`
|
||||
dbus_system_domain(policykit_t, policykit_exec_t)
|
||||
|
@ -1,49 +0,0 @@
|
||||
Index: serefpolicy-contrib-20140730/postfix.te
|
||||
===================================================================
|
||||
--- serefpolicy-contrib-20140730.orig/postfix.te
|
||||
+++ serefpolicy-contrib-20140730/postfix.te
|
||||
@@ -132,6 +132,9 @@ allow postfix_master_t postfix_map_exec_
|
||||
|
||||
allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms;
|
||||
|
||||
+allow postfix_master_t var_run_t:sock_file write;
|
||||
+files_rw_inherited_generic_pid_files(postfix_master_t)
|
||||
+
|
||||
manage_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
|
||||
manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
|
||||
manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
|
||||
Index: serefpolicy-contrib-20140730/postfix.fc
|
||||
===================================================================
|
||||
--- serefpolicy-contrib-20140730.orig/postfix.fc
|
||||
+++ serefpolicy-contrib-20140730/postfix.fc
|
||||
@@ -1,22 +1,6 @@
|
||||
# postfix
|
||||
/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
|
||||
/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
|
||||
-ifdef(`distro_redhat', `
|
||||
-/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
|
||||
-/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
|
||||
-/usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
|
||||
-/usr/libexec/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
|
||||
-/usr/libexec/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
|
||||
-/usr/libexec/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
|
||||
-/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
|
||||
-/usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
|
||||
-/usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
|
||||
-/usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
|
||||
-/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
|
||||
-/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
|
||||
-/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
|
||||
-/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
|
||||
-', `
|
||||
/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
|
||||
/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
|
||||
/usr/lib/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
|
||||
@@ -30,7 +14,6 @@ ifdef(`distro_redhat', `
|
||||
/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
|
||||
/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
|
||||
/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
|
||||
-')
|
||||
/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
|
||||
/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
|
||||
/usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
|
@ -1,14 +0,0 @@
|
||||
Index: serefpolicy-contrib-20140730/rtkit.te
|
||||
===================================================================
|
||||
--- serefpolicy-contrib-20140730.orig/rtkit.te
|
||||
+++ serefpolicy-contrib-20140730/rtkit.te
|
||||
@@ -20,6 +20,9 @@ init_script_file(rtkit_daemon_initrc_exe
|
||||
allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace };
|
||||
allow rtkit_daemon_t self:process { setsched getcap setcap setrlimit };
|
||||
|
||||
+allow rtkit_daemon_t var_run_t:sock_file write;
|
||||
+files_rw_inherited_generic_pid_files(rtkit_daemon_t)
|
||||
+
|
||||
kernel_read_system_state(rtkit_daemon_t)
|
||||
|
||||
domain_getsched_all_domains(rtkit_daemon_t)
|
@ -1,13 +0,0 @@
|
||||
Index: serefpolicy-20140730/policy/modules/system/selinuxutil.te
|
||||
===================================================================
|
||||
--- serefpolicy-20140730.orig/policy/modules/system/selinuxutil.te
|
||||
+++ serefpolicy-20140730/policy/modules/system/selinuxutil.te
|
||||
@@ -337,6 +337,8 @@ optional_policy(`
|
||||
xserver_dontaudit_exec_xauth(newrole_t)
|
||||
')
|
||||
|
||||
+allow restorecond_t var_run_t:sock_file write;
|
||||
+
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(newrole_t)
|
@ -1,43 +0,0 @@
|
||||
Index: serefpolicy-20140730/policy/modules/services/ssh.te
|
||||
===================================================================
|
||||
--- serefpolicy-20140730.orig/policy/modules/services/ssh.te
|
||||
+++ serefpolicy-20140730/policy/modules/services/ssh.te
|
||||
@@ -27,6 +27,16 @@ gen_tunable(ssh_sysadm_login, false)
|
||||
## </desc>
|
||||
gen_tunable(ssh_chroot_rw_homedirs, false)
|
||||
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Allow sshd to forward port connections. This should work
|
||||
+## out-of-the-box according to 11b328b4cfa484d55db01a0f127cbc94fa776f48
|
||||
+## but it doesn't
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+##
|
||||
+gen_tunable(sshd_forward_ports, false)
|
||||
+
|
||||
attribute ssh_dyntransition_domain;
|
||||
attribute ssh_server;
|
||||
attribute ssh_agent_type;
|
||||
@@ -291,6 +301,11 @@ corenet_tcp_bind_xserver_port(sshd_t)
|
||||
corenet_tcp_bind_vnc_port(sshd_t)
|
||||
corenet_sendrecv_xserver_server_packets(sshd_t)
|
||||
|
||||
+tunable_policy(`sshd_forward_ports',`
|
||||
+ corenet_tcp_bind_all_unreserved_ports(sshd_t)
|
||||
+ corenet_tcp_connect_all_ports(sshd_t)
|
||||
+')
|
||||
+
|
||||
auth_exec_login_program(sshd_t)
|
||||
|
||||
userdom_read_user_home_content_files(sshd_t)
|
||||
@@ -300,6 +315,9 @@ userdom_spec_domtrans_unpriv_users(sshd_
|
||||
userdom_signal_unpriv_users(sshd_t)
|
||||
userdom_dyntransition_unpriv_users(sshd_t)
|
||||
|
||||
+allow sshd_t var_run_t:sock_file write;
|
||||
+files_rw_inherited_generic_pid_files(sshd_t)
|
||||
+
|
||||
tunable_policy(`ssh_sysadm_login',`
|
||||
# Relabel and access ptys created by sshd
|
||||
# ioctl is necessary for logout() processing for utmp entry and for w to
|
@ -1,23 +0,0 @@
|
||||
Index: serefpolicy-20140730/policy/modules/roles/staff.te
|
||||
===================================================================
|
||||
--- serefpolicy-20140730.orig/policy/modules/roles/staff.te 2015-05-20 15:15:49.646097573 +0200
|
||||
+++ serefpolicy-20140730/policy/modules/roles/staff.te 2015-05-20 15:59:47.483684401 +0200
|
||||
@@ -388,18 +388,3 @@ ifndef(`distro_redhat',`
|
||||
tunable_policy(`selinuxuser_execmod',`
|
||||
userdom_execmod_user_home_files(staff_t)
|
||||
')
|
||||
-
|
||||
-optional_policy(`
|
||||
- virt_transition_svirt(staff_t, staff_r)
|
||||
- virt_filetrans_home_content(staff_t)
|
||||
-')
|
||||
-
|
||||
-optional_policy(`
|
||||
- tunable_policy(`staff_use_svirt',`
|
||||
- allow staff_t self:fifo_file relabelfrom;
|
||||
- dev_rw_kvm(staff_t)
|
||||
- virt_manage_images(staff_t)
|
||||
- virt_stream_connect_svirt(staff_t)
|
||||
- virt_exec(staff_t)
|
||||
- ')
|
||||
-')
|
@ -1,10 +0,0 @@
|
||||
Index: serefpolicy-contrib-20140730/stapserver.te
|
||||
===================================================================
|
||||
--- serefpolicy-contrib-20140730.orig/stapserver.te 2017-12-11 17:38:13.312087456 +0100
|
||||
+++ serefpolicy-contrib-20140730/stapserver.te 2017-12-11 17:46:03.915729618 +0100
|
||||
@@ -1,4 +1,4 @@
|
||||
-policy_module(systemtap, 1.1.0)
|
||||
+policy_module(stapserver, 1.1.0)
|
||||
|
||||
########################################
|
||||
#
|
@ -1,40 +0,0 @@
|
||||
Index: serefpolicy-20140730/policy/modules/system/systemd.te
|
||||
===================================================================
|
||||
--- serefpolicy-20140730.orig/policy/modules/system/systemd.te 2015-06-24 14:42:23.931790867 +0200
|
||||
+++ serefpolicy-20140730/policy/modules/system/systemd.te 2015-06-24 15:34:50.677937166 +0200
|
||||
@@ -189,6 +189,9 @@ userdom_manage_tmpfs_role(system_r, syst
|
||||
|
||||
xserver_dbus_chat(systemd_logind_t)
|
||||
|
||||
+allow systemd_logind_t var_run_t:sock_file write;
|
||||
+files_rw_inherited_generic_pid_files(systemd_logind_t)
|
||||
+
|
||||
optional_policy(`
|
||||
apache_read_tmp_files(systemd_logind_t)
|
||||
')
|
||||
@@ -528,9 +531,14 @@ allow systemd_hostnamed_t self:unix_stre
|
||||
allow systemd_hostnamed_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
manage_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)
|
||||
+manage_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)
|
||||
manage_lnk_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)
|
||||
files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file, "hostname" )
|
||||
files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file, "machine-info" )
|
||||
+# since we have unpredictable filenames for the link file we can't use a named transition
|
||||
+create_lnk_files_pattern( systemd_hostnamed_t, etc_t, etc_t )
|
||||
+delete_lnk_files_pattern( systemd_hostnamed_t, etc_t, etc_t )
|
||||
+rename_lnk_files_pattern( systemd_hostnamed_t, etc_t, etc_t )
|
||||
|
||||
kernel_dgram_send(systemd_hostnamed_t)
|
||||
|
||||
@@ -608,6 +616,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ unconfined_dbus_send(systemd_timedated_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
gnome_manage_usr_config(systemd_timedated_t)
|
||||
gnome_manage_home_config(systemd_timedated_t)
|
||||
gnome_manage_home_config_dirs(systemd_timedated_t)
|
@ -1,15 +0,0 @@
|
||||
Index: serefpolicy-20140730/policy/modules/system/unconfined.te
|
||||
===================================================================
|
||||
--- serefpolicy-20140730.orig/policy/modules/system/unconfined.te
|
||||
+++ serefpolicy-20140730/policy/modules/system/unconfined.te
|
||||
@@ -15,6 +15,10 @@ unconfined_domain(unconfined_service_t)
|
||||
corecmd_bin_entry_type(unconfined_service_t)
|
||||
corecmd_shell_entry_type(unconfined_service_t)
|
||||
|
||||
+systemd_dbus_chat_localed(unconfined_service_t)
|
||||
+systemd_dbus_chat_logind(unconfined_service_t)
|
||||
+unconfined_shell_domtrans(unconfined_service_t)
|
||||
+
|
||||
optional_policy(`
|
||||
rpm_transition_script(unconfined_service_t, system_r)
|
||||
')
|
@ -1,16 +0,0 @@
|
||||
Index: serefpolicy-20140730/policy/modules/roles/unconfineduser.te
|
||||
===================================================================
|
||||
--- serefpolicy-20140730.orig/policy/modules/roles/unconfineduser.te
|
||||
+++ serefpolicy-20140730/policy/modules/roles/unconfineduser.te
|
||||
@@ -79,6 +79,11 @@ domain_transition_all(unconfined_t)
|
||||
|
||||
usermanage_run_passwd(unconfined_t, unconfined_r)
|
||||
|
||||
+# FIXME SUSE
|
||||
+#allow unconfined_t systemd_systemctl_exec_t:file entrypoint;
|
||||
+allow unconfined_t init_exec_t:file entrypoint;
|
||||
+allow init_t unconfined_t:process transition;
|
||||
+
|
||||
tunable_policy(`deny_execmem',`',`
|
||||
allow unconfined_t self:process execmem;
|
||||
')
|
@ -1,26 +0,0 @@
|
||||
Index: serefpolicy-20140730/policy/modules/roles/unprivuser.te
|
||||
===================================================================
|
||||
--- serefpolicy-20140730.orig/policy/modules/roles/unprivuser.te 2015-05-20 15:15:49.646097573 +0200
|
||||
+++ serefpolicy-20140730/policy/modules/roles/unprivuser.te 2015-05-20 16:00:16.212137319 +0200
|
||||
@@ -259,17 +259,12 @@ ifndef(`distro_redhat',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- vmtools_run_helper(user_t, user_r)
|
||||
+ vmtools_run_helper(user_t, user_r)
|
||||
')
|
||||
|
||||
|
||||
-optional_policy(`
|
||||
- virt_transition_svirt(user_t, user_r)
|
||||
- virt_filetrans_home_content(user_t)
|
||||
+ifdef(`distro_suse',`
|
||||
+ xserver_xsession_entry_type(user_t)
|
||||
+ dbus_system_bus_client(user_t)
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- tunable_policy(`unprivuser_use_svirt',`
|
||||
- virt_manage_images(user_t)
|
||||
- ')
|
||||
-')
|
@ -1,8 +1,8 @@
|
||||
Index: serefpolicy-20140730/policy/modules/admin/usermanage.te
|
||||
Index: refpolicy/policy/modules/admin/usermanage.te
|
||||
===================================================================
|
||||
--- serefpolicy-20140730.orig/policy/modules/admin/usermanage.te
|
||||
+++ serefpolicy-20140730/policy/modules/admin/usermanage.te
|
||||
@@ -274,6 +274,9 @@ userdom_use_unpriv_users_fds(groupadd_t)
|
||||
--- refpolicy.orig/policy/modules/admin/usermanage.te 2018-02-15 22:52:31.000000000 +0100
|
||||
+++ refpolicy/policy/modules/admin/usermanage.te 2018-11-27 15:03:05.555740143 +0100
|
||||
@@ -251,6 +251,9 @@ userdom_use_unpriv_users_fds(groupadd_t)
|
||||
# for when /root is the cwd
|
||||
userdom_dontaudit_search_user_home_dirs(groupadd_t)
|
||||
|
||||
@ -12,13 +12,13 @@ Index: serefpolicy-20140730/policy/modules/admin/usermanage.te
|
||||
optional_policy(`
|
||||
dpkg_use_fds(groupadd_t)
|
||||
dpkg_rw_pipes(groupadd_t)
|
||||
@@ -572,6 +575,9 @@ userdom_home_filetrans_user_home_dir(use
|
||||
userdom_manage_home_role(system_r, useradd_t)
|
||||
userdom_delete_all_user_home_content(useradd_t)
|
||||
@@ -550,6 +553,9 @@ optional_policy(`
|
||||
puppet_rw_tmp(useradd_t)
|
||||
')
|
||||
|
||||
+allow useradd_t var_run_t:sock_file write;
|
||||
+selinux_compute_access_vector(useradd_t)
|
||||
+
|
||||
optional_policy(`
|
||||
mta_manage_spool(useradd_t)
|
||||
')
|
||||
tunable_policy(`samba_domain_controller',`
|
||||
samba_append_log(useradd_t)
|
||||
|
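Review bot: The added `allow useradd_t var_run_t:sock_file write;` (hunk `@@ -550,6 +553,9 @@`) is a raw rule on `var_run_t`, a type owned by the kernel `files` module, so it bypasses the interface layer refpolicy uses for cross-module access, needs a `gen_require` to build as a loadable module, and grants write to every generically-labelled socket under /run rather than the one useradd actually talks to. Which socket that is cannot be seen here (presumably a name-service cache such as nscd or sssd, given useradd's job), so the better fix is to read its label out of the AVC denial and use the owning module's interface, e.g. `nscd_socket_use(useradd_t)` inside an `optional_policy` if it turns out to be nscd, or give the socket its own type in that module's .fc. A one-line comment naming the daemon's socket this is for would keep the rule auditable, and `selinux_compute_access_vector(useradd_t)` on the next line deserves the same why-comment. The enclosing useradd_t section starts outside the hunk.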
@ -1,13 +1,13 @@
|
||||
Index: serefpolicy-contrib-20140730/virt.te
|
||||
Index: refpolicy/policy/modules/services/virt.te
|
||||
===================================================================
|
||||
--- serefpolicy-contrib-20140730.orig/virt.te
|
||||
+++ serefpolicy-contrib-20140730/virt.te
|
||||
@@ -280,6 +280,8 @@ corenet_udp_bind_all_ports(svirt_t)
|
||||
corenet_tcp_bind_all_ports(svirt_t)
|
||||
corenet_tcp_connect_all_ports(svirt_t)
|
||||
--- refpolicy.orig/policy/modules/services/virt.te 2018-07-01 17:02:32.000000000 +0200
|
||||
+++ refpolicy/policy/modules/services/virt.te 2018-11-27 15:03:42.792334942 +0100
|
||||
@@ -1235,6 +1235,8 @@ optional_policy(`
|
||||
rpm_read_db(svirt_lxc_net_t)
|
||||
')
|
||||
|
||||
+allow svirt_t qemu_exec_t:file execmod;
|
||||
+
|
||||
#######################################
|
||||
#
|
||||
# svirt_prot_exec local policy
|
||||
# Prot exec local policy
|
||||
|
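Review bot: `allow svirt_t qemu_exec_t:file execmod;` (hunk `@@ -1235,6 +1235,8 @@`) lets every confined guest domain map the qemu binary writable-then-executable, which is the class of permission the adjacent `svirt_prot_exec` domain appears to exist to withhold, so an unconditional allow weakens the W^X guarantee for all guests instead of only the ones that need it. If this is driven by a qemu build with text relocations (not visible here), gate it on the executable-memory tunable, `tunable_policy(`virt_use_execmem`,` followed by the allow and `')`, assuming that tunable is present in this refpolicy snapshot, and add a comment naming the binary that needs it. The rebased context (`rpm_read_db(svirt_lxc_net_t)` then `')`) also drops the rule at the end of the svirt_lxc_net_t block rather than beside the svirt_t network rules the old patch anchored on, which will confuse the next rebase; move it up into the svirt_t local policy. The svirt_t section begins outside this hunk.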
@ -1,24 +1,24 @@
|
||||
Index: serefpolicy-20140730/policy/modules/services/xserver.fc
|
||||
Index: refpolicy/policy/modules/services/xserver.fc
|
||||
===================================================================
|
||||
--- serefpolicy-20140730.orig/policy/modules/services/xserver.fc
|
||||
+++ serefpolicy-20140730/policy/modules/services/xserver.fc
|
||||
@@ -97,6 +97,9 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
|
||||
/usr/bin/Xvnc -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
||||
/usr/bin/x11vnc -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
||||
--- refpolicy.orig/policy/modules/services/xserver.fc 2018-06-25 01:11:14.000000000 +0200
|
||||
+++ refpolicy/policy/modules/services/xserver.fc 2018-11-27 15:03:58.228581598 +0100
|
||||
@@ -76,6 +76,9 @@ HOME_DIR/\.Xauthority.* -- gen_context(s
|
||||
/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
|
||||
/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
||||
|
||||
+#/usr/lib/gdm/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
+/usr/lib/X11/display-manager -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
||||
+
|
||||
/usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||
|
||||
/usr/X11R6/bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
||||
Index: serefpolicy-20140730/policy/modules/services/xserver.te
|
||||
/usr/lib/xorg/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
||||
/usr/lib/xorg/Xorg\.wrap -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
||||
Index: refpolicy/policy/modules/services/xserver.te
|
||||
===================================================================
|
||||
--- serefpolicy-20140730.orig/policy/modules/services/xserver.te
|
||||
+++ serefpolicy-20140730/policy/modules/services/xserver.te
|
||||
@@ -810,6 +810,17 @@ ifdef(`distro_rhel4',`
|
||||
allow xdm_t self:process { execheap execmem };
|
||||
')
|
||||
--- refpolicy.orig/policy/modules/services/xserver.te 2018-07-01 17:02:32.000000000 +0200
|
||||
+++ refpolicy/policy/modules/services/xserver.te 2018-11-27 15:03:58.228581598 +0100
|
||||
@@ -893,6 +893,17 @@ corenet_tcp_bind_vnc_port(xserver_t)
|
||||
|
||||
init_use_fds(xserver_t)
|
||||
|
||||
+ifndef(`distro_suse',`
|
||||
+ # this is a neverallow, maybe dontaudit it
|
||||
@ -32,5 +32,5 @@ Index: serefpolicy-20140730/policy/modules/services/xserver.te
|
||||
+')
|
||||
+
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_exec_nfs_files(xdm_t)
|
||||
')
|
||||
fs_manage_nfs_dirs(xserver_t)
|
||||
fs_manage_nfs_files(xserver_t)
|
||||
|
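Review bot: The rebased xserver.fc hunk adds a dead entry, `#/usr/lib/gdm/.* -- gen_context(system_u:object_r:bin_t,s0)`, with no explanation; a commented-out file context in a carried patch tends to be rebased forever, so either drop it or replace it with a comment saying why gdm's helpers are intentionally left unlabelled. The `/usr/lib/X11/display-manager -- gen_context(system_u:object_r:xdm_exec_t,s0)` line is, I assume, the SUSE display-manager wrapper; a comment such as `# SUSE display-manager wrapper; init domtrans to xdm_t happens on this script` would tell a refpolicy reader why a path outside the usual xdm locations gets `xdm_exec_t`. In the xserver.te hunk the comment `# this is a neverallow, maybe dontaudit it` names neither the neverallow nor the rule that trips it, and the `ifndef(`distro_suse`,` block it opens runs past the visible lines, so the comment should state the conflicting rule explicitly.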
@ -1,8 +1,8 @@
|
||||
Index: serefpolicy-20140730/policy/modules/system/sysnetwork.fc
|
||||
Index: refpolicy/policy/modules/system/sysnetwork.fc
|
||||
===================================================================
|
||||
--- serefpolicy-20140730.orig/policy/modules/system/sysnetwork.fc 2015-07-21 16:52:51.913277147 +0200
|
||||
+++ serefpolicy-20140730/policy/modules/system/sysnetwork.fc 2015-07-21 16:52:55.461333779 +0200
|
||||
@@ -11,6 +11,15 @@ ifdef(`distro_debian',`
|
||||
--- refpolicy.orig/policy/modules/system/sysnetwork.fc 2018-11-27 16:09:33.159358187 +0100
|
||||
+++ refpolicy/policy/modules/system/sysnetwork.fc 2018-11-27 16:09:36.851417892 +0100
|
||||
@@ -6,6 +6,15 @@ ifdef(`distro_debian',`
|
||||
/dev/shm/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
|
||||
')
|
||||
|
||||
@ -18,8 +18,8 @@ Index: serefpolicy-20140730/policy/modules/system/sysnetwork.fc
|
||||
#
|
||||
# /etc
|
||||
#
|
||||
@@ -37,6 +46,10 @@ ifdef(`distro_redhat',`
|
||||
/var/run/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
|
||||
@@ -33,6 +42,10 @@ ifdef(`distro_redhat',`
|
||||
/etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
|
||||
')
|
||||
|
||||
+/etc/sysconfig/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
|
||||
@ -27,23 +27,23 @@ Index: serefpolicy-20140730/policy/modules/system/sysnetwork.fc
|
||||
+/etc/sysconfig/scripts/.* gen_context(system_u:object_r:bin_t,s0)
|
||||
+
|
||||
#
|
||||
# /sbin
|
||||
# /usr
|
||||
#
|
||||
Index: serefpolicy-20140730/policy/modules/system/sysnetwork.te
|
||||
Index: refpolicy/policy/modules/system/sysnetwork.te
|
||||
===================================================================
|
||||
--- serefpolicy-20140730.orig/policy/modules/system/sysnetwork.te 2015-07-21 16:52:51.913277147 +0200
|
||||
+++ serefpolicy-20140730/policy/modules/system/sysnetwork.te 2015-07-21 16:54:15.998619244 +0200
|
||||
@@ -60,7 +60,8 @@ ifdef(`distro_debian',`
|
||||
--- refpolicy.orig/policy/modules/system/sysnetwork.te 2018-11-27 16:09:33.163358252 +0100
|
||||
+++ refpolicy/policy/modules/system/sysnetwork.te 2018-11-27 16:10:36.920389270 +0100
|
||||
@@ -47,7 +47,8 @@ ifdef(`distro_debian',`
|
||||
#
|
||||
# DHCP client local policy
|
||||
#
|
||||
-allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
|
||||
-allow dhcpc_t self:capability { dac_override fsetid net_admin net_bind_service net_raw setpcap sys_nice sys_resource sys_tty_config };
|
||||
+# need sys_admin to set hostname/domainname
|
||||
+allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config sys_admin ipc_lock };
|
||||
dontaudit dhcpc_t self:capability sys_tty_config;
|
||||
+allow dhcpc_t self:capability { dac_override fsetid net_admin net_bind_service net_raw setpcap sys_nice sys_resource sys_tty_config sys_admin };
|
||||
dontaudit dhcpc_t self:capability { sys_ptrace sys_tty_config };
|
||||
# for access("/etc/bashrc", X_OK) on Red Hat
|
||||
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
|
||||
@@ -95,6 +96,12 @@ allow dhcpc_t net_conf_t:file relabel_fi
|
||||
@@ -79,6 +80,12 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_r
|
||||
sysnet_manage_config(dhcpc_t)
|
||||
files_etc_filetrans(dhcpc_t, net_conf_t, file)
|
||||
|
||||
@ -56,10 +56,10 @@ Index: serefpolicy-20140730/policy/modules/system/sysnetwork.te
|
||||
# create temp files
|
||||
manage_dirs_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
|
||||
manage_files_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
|
||||
Index: serefpolicy-20140730/policy/modules/kernel/devices.fc
|
||||
Index: refpolicy/policy/modules/kernel/devices.fc
|
||||
===================================================================
|
||||
--- serefpolicy-20140730.orig/policy/modules/kernel/devices.fc 2015-07-21 16:52:51.913277147 +0200
|
||||
+++ serefpolicy-20140730/policy/modules/kernel/devices.fc 2015-07-21 16:52:55.461333779 +0200
|
||||
--- refpolicy.orig/policy/modules/kernel/devices.fc 2018-11-27 16:09:33.163358252 +0100
|
||||
+++ refpolicy/policy/modules/kernel/devices.fc 2018-11-27 16:09:36.851417892 +0100
|
||||
@@ -2,6 +2,7 @@
|
||||
/dev -d gen_context(system_u:object_r:device_t,s0)
|
||||
/dev/.* gen_context(system_u:object_r:device_t,s0)
|
||||
|
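Review bot: The dhcpc_t capability line gains `sys_admin` (rebased hunk `@@ -47,7 +47,8 @@`), justified by `# need sys_admin to set hostname/domainname`; sethostname(2)/setdomainname(2) do require CAP_SYS_ADMIN, but that capability also covers mount, a large set of privileged ioctls and other near-root operations, and dhcpc_t is the domain that parses untrusted DHCP replies, making this the broadest grant in the file. Prefer delegating the hostname change to something that already holds the privilege: on a systemd host let the client script go through hostnamed over D-Bus (`systemd_dbus_chat_hostnamed(dhcpc_t)` inside an `optional_policy`, if this refpolicy snapshot provides that interface), or a dedicated hostname-setting helper domain, and keep `sys_admin` out of dhcpc_t. If it must stay, tighten the comment to `# CAP_SYS_ADMIN only for sethostname()/setdomainname() from the client scripts; no other use expected` so the next reviewer knows the intended scope. The rebased line also appears to drop the `ipc_lock` the older serefpolicy version carried; if that is deliberate the commit message should say so.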
@ -1,43 +0,0 @@
|
||||
Index: serefpolicy-20140730/policy/modules/system/systemd.te
|
||||
===================================================================
|
||||
--- serefpolicy-20140730.orig/policy/modules/system/systemd.te
|
||||
+++ serefpolicy-20140730/policy/modules/system/systemd.te
|
||||
@@ -320,6 +320,11 @@ dev_read_cpu_online(systemd_tmpfiles_t)
|
||||
dev_manage_all_dev_nodes(systemd_tmpfiles_t)
|
||||
dev_relabel_all_dev_nodes(systemd_tmpfiles_t)
|
||||
|
||||
+# allow tmpfiles to create files/dirs in /dev
|
||||
+systemd_tmpfiles_xconsole_create(systemd_tmpfiles_t)
|
||||
+dev_getattr_autofs_dev(systemd_tmpfiles_t);
|
||||
+dev_getattr_lvm_control(systemd_tmpfiles_t);
|
||||
+dev_create_generic_dirs(systemd_tmpfiles_t);
|
||||
domain_obj_id_change_exemption(systemd_tmpfiles_t)
|
||||
|
||||
# systemd-tmpfiles relabel /run/lock and creates /run/lock/lockdev
|
||||
Index: serefpolicy-20140730/policy/modules/system/systemd.if
|
||||
===================================================================
|
||||
--- serefpolicy-20140730.orig/policy/modules/system/systemd.if
|
||||
+++ serefpolicy-20140730/policy/modules/system/systemd.if
|
||||
@@ -1458,3 +1458,22 @@ interface(`systemd_dontaudit_dbus_chat',
|
||||
|
||||
dontaudit $1 systemd_domain:dbus send_msg;
|
||||
')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Allow systemd-tmpfiles to create xconsole_device_t
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain to not audit.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`systemd_tmpfiles_xconsole_create',`
|
||||
+ gen_require(`
|
||||
+ type device_t, xconsole_device_t;
|
||||
+ ')
|
||||
+
|
||||
+ create_fifo_files_pattern($1, device_t, xconsole_device_t);
|
||||
+')
|
||||
+
|
@ -1,13 +0,0 @@
|
||||
Index: serefpolicy-contrib-20140730/glusterd.te
|
||||
===================================================================
|
||||
--- serefpolicy-contrib-20140730.orig/glusterd.te
|
||||
+++ serefpolicy-contrib-20140730/glusterd.te
|
||||
@@ -68,7 +68,7 @@ allow glusterd_t self:unix_stream_socket
|
||||
|
||||
manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
|
||||
manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
|
||||
-files_etc_filetrans(glusterd_t, glusterd_conf_t, { dir file }, "glusterfs")
|
||||
+files_etc_filetrans(glusterd_t, glusterd_conf_t, file, "glusterfs")
|
||||
|
||||
manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
|
||||
manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
|
@ -1,24 +0,0 @@
|
||||
Index: serefpolicy-20140730/policy/modules/system/miscfiles.if
|
||||
===================================================================
|
||||
--- serefpolicy-20140730.orig/policy/modules/system/miscfiles.if
|
||||
+++ serefpolicy-20140730/policy/modules/system/miscfiles.if
|
||||
@@ -896,7 +896,8 @@ interface(`miscfiles_etc_filetrans_local
|
||||
')
|
||||
|
||||
files_etc_filetrans($1, locale_t, lnk_file)
|
||||
- files_etc_filetrans($1, locale_t, {lnk_file file}, "localtime" )
|
||||
+ files_etc_filetrans($1, locale_t, file, "localtime" )
|
||||
+ files_etc_filetrans($1, locale_t, lnk_file, "localtime" )
|
||||
files_etc_filetrans($1, locale_t, file, "locale.conf" )
|
||||
files_etc_filetrans($1, locale_t, file, "timezone" )
|
||||
files_etc_filetrans($1, locale_t, file, "vconsole.conf" )
|
||||
@@ -938,7 +939,8 @@ interface(`miscfiles_filetrans_locale_na
|
||||
type locale_t;
|
||||
')
|
||||
|
||||
- files_etc_filetrans($1, locale_t, { lnk_file file }, "localtime")
|
||||
+ files_etc_filetrans($1, locale_t, file, "localtime")
|
||||
+ files_etc_filetrans($1, locale_t, lnk_file, "localtime")
|
||||
files_etc_filetrans($1, locale_t, file, "locale.conf")
|
||||
files_etc_filetrans($1, locale_t, file, "vconsole.conf")
|
||||
files_etc_filetrans($1, locale_t, file, "locale.conf.new")
|
@ -1,12 +0,0 @@
|
||||
Index: serefpolicy-20140730/policy/modules/admin/usermanage.te
|
||||
===================================================================
|
||||
--- serefpolicy-20140730.orig/policy/modules/admin/usermanage.te
|
||||
+++ serefpolicy-20140730/policy/modules/admin/usermanage.te
|
||||
@@ -497,6 +497,7 @@ allow useradd_t self:unix_dgram_socket c
|
||||
allow useradd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow useradd_t self:unix_dgram_socket sendto;
|
||||
allow useradd_t self:unix_stream_socket connectto;
|
||||
+allow useradd_t self:netlink_selinux_socket create_socket_perms;
|
||||
|
||||
manage_dirs_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
|
||||
manage_files_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
|
@ -27,12 +27,3 @@ gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
gen_user(user_u, user, user_r, s0, s0)
|
||||
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
|
||||
#
|
||||
# The following users correspond to Unix identities.
|
||||
# These identities are typically assigned as the user attribute
|
||||
# when login starts the user shell. Users with access to the sysadm_r
|
||||
# role should use the staff_r role instead of the user_r role when
|
||||
# not in the sysadm_r.
|
||||
#
|
||||
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
|
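Review bot: With 12 old lines and 3 new, this hunk appears to delete the comment block together with `gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)`, leaving root without a dedicated SELinux identity; root logins are then resolved through seusers (an explicit `root` entry or `__default__`), so the roles root ends up with depend on that file rather than on this policy source. Before merging, confirm on a built system with `semanage login -l` that root still maps to an identity carrying `sysadm_r` or `unconfined_r`, and that nothing else (semanage user records, local seusers entries) still references the `root` identity. A one-line comment where the entry was, `# no SELinux user for root: root is mapped through seusers (semanage login)`, would stop it being re-added at the next rebase.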
@ -27,12 +27,3 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
gen_user(user_u, user, user_r, s0, s0)
|
||||
gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
|
||||
#
|
||||
# The following users correspond to Unix identities.
|
||||
# These identities are typically assigned as the user attribute
|
||||
# when login starts the user shell. Users with access to the sysadm_r
|
||||
# role should use the staff_r role instead of the user_r role when
|
||||
# not in the sysadm_r.
|
||||
#
|
||||
gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
|
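Review bot: The line counts (12 old, 3 new) suggest this hunk removes `gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)` along with the comment block, and in this flavour there is no `unconfined_r` to fall back on, so if seusers maps root to an identity without `sysadm_r`/`secadm_r` the system loses its administrative and security-admin roles for root. Verify with `semanage login -l` on an MLS build that root is still assigned an identity holding `sysadm_r` and `secadm_r` with range `s0 - mls_systemhigh`, since the range is also lost with this line. Leave a comment in place of the entry, `# root identity is defined via seusers; it must keep sysadm_r secadm_r auditadm_r`, so the requirement survives the removal.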
@ -27,12 +27,3 @@ gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
gen_user(user_u, user, user_r, s0, s0)
|
||||
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
|
||||
#
|
||||
# The following users correspond to Unix identities.
|
||||
# These identities are typically assigned as the user attribute
|
||||
# when login starts the user shell. Users with access to the sysadm_r
|
||||
# role should use the staff_r role instead of the user_r role when
|
||||
# not in the sysadm_r.
|
||||
#
|
||||
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
|
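Review bot: As in the sibling users file, 12 old lines against 3 new indicates the `gen_user(root, user, unconfined_r sysadm_r staff_r system_r, ...)` entry and its comment block are removed here, so root's SELinux identity now comes solely from seusers; that is a behavioural change that the commit message does not explain and that an administrator relying on `root` as an identity (e.g. in `semanage user`/`semanage login` records) will notice only at login. Confirm the resulting mapping with `semanage login -l` on a built system and document the intent with a comment in place of the deleted line, `# root is mapped via seusers, not a dedicated SELinux user`.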
231
xconsole.patch
231
xconsole.patch
@ -1,231 +0,0 @@
|
||||
Basically, /dev/xconsole is a FIFO written to by syslog, and often is
|
||||
present even when there is no X. Therefore, this should go into the
|
||||
logging policy.
|
||||
Patch attached.
|
||||
|
||||
best regards,
|
||||
Erich Schubert
|
||||
--
|
||||
erich@(vitavonni.de|debian.org) -- GPG Key ID: 4B3A135C (o_
|
||||
Nothing prevents happiness like the memory of happiness. --- A. Gide //\
|
||||
Die einzige Hoffnung auf Freude liegt in den menschlichen V_/_
|
||||
Beziehungen. --- Antoine de Saint-Exupéry
|
||||
|
||||
["xconsole" (xconsole)]
|
||||
|
||||
Index: policy/modules/services/xserver.te
|
||||
===================================================================
|
||||
--- policy/modules/services/xserver.te.orig
|
||||
+++ policy/modules/services/xserver.te
|
||||
@@ -189,13 +189,6 @@ typealias xauth_tmp_t alias { xguest_xau
|
||||
typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
|
||||
userdom_user_tmp_file(xauth_tmp_t)
|
||||
|
||||
-# this is not actually a device, its a pipe
|
||||
-type xconsole_device_t;
|
||||
-files_type(xconsole_device_t)
|
||||
-dev_associate(xconsole_device_t)
|
||||
-fs_associate_tmpfs(xconsole_device_t)
|
||||
-files_associate_tmp(xconsole_device_t)
|
||||
-
|
||||
type xdm_unconfined_exec_t;
|
||||
application_executable_file(xdm_unconfined_exec_t)
|
||||
|
||||
@@ -437,7 +430,6 @@ allow xdm_t self:dbus { send_msg acquire
|
||||
|
||||
allow xdm_t xauth_home_t:file manage_file_perms;
|
||||
|
||||
-allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
|
||||
manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||
manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||
|
||||
@@ -663,6 +655,10 @@ libs_exec_lib_files(xdm_t)
|
||||
libs_exec_ldconfig(xdm_t)
|
||||
|
||||
logging_read_generic_logs(xdm_t)
|
||||
+logging_setattr_xconsole_pipes(xdm_t)
|
||||
+
|
||||
+# allow relabel of /dev/xconsole
|
||||
+dev_associate(xconsole_device_t)
|
||||
|
||||
miscfiles_search_man_pages(xdm_t)
|
||||
miscfiles_read_fonts(xdm_t)
|
||||
Index: policy/modules/services/xserver.fc
|
||||
===================================================================
|
||||
--- policy/modules/services/xserver.fc.orig
|
||||
+++ policy/modules/services/xserver.fc
|
||||
@@ -33,11 +33,6 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
|
||||
/root/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0)
|
||||
|
||||
#
|
||||
-# /dev
|
||||
-#
|
||||
-/dev/xconsole -p gen_context(system_u:object_r:xconsole_device_t,s0)
|
||||
-
|
||||
-#
|
||||
# /etc
|
||||
#
|
||||
/etc/gdm(3)?/PostSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
|
||||
Index: policy/modules/system/logging.te
|
||||
===================================================================
|
||||
--- policy/modules/system/logging.te.orig
|
||||
+++ policy/modules/system/logging.te
|
||||
@@ -110,6 +110,12 @@ ifdef(`enable_mls',`
|
||||
init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
|
||||
')
|
||||
|
||||
+# this is not actually a device, its a pipe
|
||||
+type xconsole_device_t;
|
||||
+files_type(xconsole_device_t)
|
||||
+fs_associate_tmpfs(xconsole_device_t)
|
||||
+files_associate_tmp(xconsole_device_t)
|
||||
+
|
||||
########################################
|
||||
#
|
||||
# Auditctl local policy
|
||||
@@ -173,6 +179,9 @@ manage_files_pattern(auditd_t, auditd_va
|
||||
manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
|
||||
files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file })
|
||||
|
||||
+# log to xconsole
|
||||
+allow syslogd_t xconsole_device_t:fifo_file rw_file_perms;
|
||||
+
|
||||
kernel_read_kernel_sysctls(auditd_t)
|
||||
# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
|
||||
# Probably want a transition, and a new auditd_helper app
|
||||
@@ -631,11 +640,6 @@ optional_policy(`
|
||||
udev_read_db(syslogd_t)
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- # log to the xconsole
|
||||
- xserver_rw_console(syslogd_t)
|
||||
-')
|
||||
-
|
||||
#####################################################
|
||||
#
|
||||
# syslog client rules
|
||||
Index: policy/modules/system/logging.if
|
||||
===================================================================
|
||||
--- policy/modules/system/logging.if.orig
|
||||
+++ policy/modules/system/logging.if
|
||||
@@ -1431,3 +1431,40 @@ interface(`logging_filetrans_named_conte
|
||||
|
||||
logging_log_filetrans($1, var_log_t, dir, "anaconda")
|
||||
')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Set the attributes of the xconsole named pipes.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`logging_setattr_xconsole_pipes',`
|
||||
+ gen_require(`
|
||||
+ type xconsole_device_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 xconsole_device_t:fifo_file setattr;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read the xconsole named pipe.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`logging_r_xconsole',`
|
||||
+ gen_require(`
|
||||
+ type xconsole_device_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 xconsole_device_t:fifo_file { getattr read };
|
||||
+')
|
||||
+
|
||||
Index: policy/modules/system/init.te
|
||||
===================================================================
|
||||
--- policy/modules/system/init.te.orig
|
||||
+++ policy/modules/system/init.te
|
||||
@@ -797,6 +797,7 @@ logging_manage_generic_logs(initrc_t)
|
||||
logging_read_all_logs(initrc_t)
|
||||
logging_append_all_logs(initrc_t)
|
||||
logging_read_audit_config(initrc_t)
|
||||
+logging_setattr_xconsole_pipes(initrc_t)
|
||||
|
||||
# slapd needs to read cert files from its initscript
|
||||
miscfiles_manage_generic_cert_files(initrc_t)
|
||||
@@ -1453,9 +1454,6 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- # Set device ownerships/modes.
|
||||
- xserver_setattr_console_pipes(initrc_t)
|
||||
-
|
||||
# init script wants to check if it needs to update windowmanagerlist
|
||||
xserver_read_xdm_rw_config(initrc_t)
|
||||
')
|
||||
Index: policy/modules/system/logging.fc
|
||||
===================================================================
|
||||
--- policy/modules/system/logging.fc.orig
|
||||
+++ policy/modules/system/logging.fc
|
||||
@@ -1,4 +1,5 @@
|
||||
/dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
|
||||
+/dev/xconsole -p gen_context(system_u:object_r:xconsole_device_t,s0)
|
||||
|
||||
/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
|
||||
/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
|
||||
Index: policy/modules/services/xserver.if
|
||||
===================================================================
|
||||
--- policy/modules/services/xserver.if.orig
|
||||
+++ policy/modules/services/xserver.if
|
||||
@@ -635,42 +635,6 @@ interface(`xserver_manage_user_xauth',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Set the attributes of the X windows console named pipes.
|
||||
-## </summary>
|
||||
-## <param name="domain">
|
||||
-## <summary>
|
||||
-## Domain allowed access.
|
||||
-## </summary>
|
||||
-## </param>
|
||||
-#
|
||||
-interface(`xserver_setattr_console_pipes',`
|
||||
- gen_require(`
|
||||
- type xconsole_device_t;
|
||||
- ')
|
||||
-
|
||||
- allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms;
|
||||
-')
|
||||
-
|
||||
-########################################
|
||||
-## <summary>
|
||||
-## Read and write the X windows console named pipe.
|
||||
-## </summary>
|
||||
-## <param name="domain">
|
||||
-## <summary>
|
||||
-## Domain allowed access.
|
||||
-## </summary>
|
||||
-## </param>
|
||||
-#
|
||||
-interface(`xserver_rw_console',`
|
||||
- gen_require(`
|
||||
- type xconsole_device_t;
|
||||
- ')
|
||||
-
|
||||
- allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms;
|
||||
-')
|
||||
-
|
||||
-########################################
|
||||
-## <summary>
|
||||
## Read XDM state files.
|
||||
## </summary>
|
||||
## <param name="domain">
|