Accepting request 781805 from home:jsegitz:branches:security:SELinux
- Update to version 20200219 Refreshed fix_hadoop.patch Updated * fix_dbus.patch * fix_hadoop.patch * fix_nscd.patch * fix_xserver.patch Renamed postfix_paths.patch to fix_postfix.patch Added * fix_init.patch * fix_locallogin.patch * fix_policykit.patch * fix_iptables.patch * fix_irqbalance.patch * fix_ntp.patch * fix_fwupd.patch * fix_firewalld.patch * fix_logrotate.patch * fix_selinuxutil.patch * fix_corecommand.patch * fix_snapper.patch * fix_systemd.patch * fix_unconfined.patch * fix_unconfineduser.patch * fix_chronyd.patch * fix_networkmanager.patch * xdm_entrypoint_pam.patch - Removed modules minimum_temp_fixes and targeted_temp_fixes from the corresponding policies - Reduced default module list of minimum policy by removing OBS-URL: https://build.opensuse.org/request/show/781805 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=74
This commit is contained in:
parent
cbd186764a
commit
1fd70ac29b
@ -246,3 +246,8 @@ init_upstart = true
|
||||
# Allow mount to mount any file/dir
|
||||
#
|
||||
allow_mount_anyfile = true
|
||||
|
||||
# Allow all domains to mmap files
|
||||
#
|
||||
domain_can_mmap_files = true
|
||||
|
||||
|
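Review bot: The new `domain_can_mmap_files = true` line is a policy-wide relaxation, and the comment above it only restates the boolean's name. Record why it is being switched on here (which domain failed without it, or that it presumably compensates for the kernel-side `map` permission check) so a later cleanup does not drop it as a stray setting — for example `# Allow all domains to mmap files; needed because <reason> (see bug <ID>)`. The file's header is outside this hunk, so I could not check whether an equivalent entry already exists elsewhere in it.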
@ -7,14 +7,11 @@ nfs_export_all_ro = true
|
||||
nfs_export_all_rw = true
|
||||
nscd_use_shm = true
|
||||
openvpn_enable_homedirs = true
|
||||
postfix_local_write_mail_spool=true
|
||||
postfix_local_write_mail_spool= true
|
||||
pppd_can_insmod = false
|
||||
privoxy_connect_any = true
|
||||
selinuxuser_direct_dri_enabled = true
|
||||
selinuxuser_execmem = true
|
||||
selinuxuser_execmod = true
|
||||
selinuxuser_execstack = true
|
||||
selinuxuser_rw_noexattrfile=true
|
||||
selinuxuser_rw_noexattrfile = true
|
||||
selinuxuser_ping = true
|
||||
squid_connect_any = true
|
||||
telepathy_tcp_connect_generic_network_ports=true
|
||||
@ -22,3 +19,5 @@ unconfined_chrome_sandbox_transition=true
|
||||
unconfined_mozilla_plugin_transition=true
|
||||
xguest_exec_content = true
|
||||
mozilla_plugin_can_network_connect = true
|
||||
# Allow all domains to mmap files
|
||||
domain_can_mmap_files = true
|
||||
|
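Review bot: The whitespace normalization in the first hunk is only partial: `postfix_local_write_mail_spool` and `selinuxuser_rw_noexattrfile` gain spaces around `=`, while `telepathy_tcp_connect_generic_network_ports=true`, `unconfined_chrome_sandbox_transition=true` and `unconfined_mozilla_plugin_transition=true` keep the unspaced form in the same file. Either leave spacing alone in a functional change or normalize every entry in one pass, so the diff reads as one thing. The `domain_can_mmap_files = true` entry added in the second hunk also lacks the `#` line and trailing blank line that the other booleans file in this commit uses for the same entry; keeping both files in the same layout makes them easy to diff against each other.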
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:3ff2142bd458599826f79aa85344da39a6ef833e5c644d0da46dfc686baf9bd3
|
||||
size 730294
|
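--- a/fedora-policy.20200219.tar.bz2
+++ b/fedora-policy.20200219.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:62cd90fa977ee00fd42a249690e13ad8fb87de95d06a1f12e86d05695544844d
+size 735114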
@ -11,3 +11,4 @@
|
||||
/run/systemd/system /usr/lib/systemd/system
|
||||
/run/systemd/generator /usr/lib/systemd/system
|
||||
/var/lib/xguest/home /home
|
||||
/var/run/netconfig /etc
|
||||
|
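Review bot: The added substitution is keyed on `/var/run/netconfig`, whereas the neighbouring entries in this hunk use `/run/...` paths. Presumably the subs file is matched against the path string handed to the labelling tools, so a relabel addressed as `/run/netconfig/...` would not be rewritten by this entry; if `/var/run` is a symlink to `/run` on the target systems, a parallel `/run/netconfig /etc` line (or keying on `/run` like the others) is worth confirming. The section's file header is not visible here, so the file name is inferred from the entries.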
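--- a/fix_chronyd.patch
+++ b/fix_chronyd.patch
@@ -0,0 +1,15 @@
+Index: fedora-policy/policy/modules/contrib/chronyd.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/chronyd.te 2020-02-19 09:36:31.776283304 +0000
++++ fedora-policy/policy/modules/contrib/chronyd.te 2020-02-25 10:33:09.169920838 +0000
+@@ -136,6 +136,10 @@ systemd_exec_systemctl(chronyd_t)
+userdom_dgram_send(chronyd_t)
+
+optional_policy(`
++ networkmanager_read_pid_files(chronyd_t)
++')
++
++optional_policy(`
+cron_dgram_send(chronyd_t)
+')
+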
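Review bot: The new patch file has no header: it starts at `Index:` with nothing saying what denial or functional breakage the `networkmanager_read_pid_files(chronyd_t)` grant addresses, which makes later rebasing and least-privilege review of the rule guesswork. A one-line comment before `Index:` (patch and quilt ignore leading text), e.g. `# chronyd: read NetworkManager pid files — <reason / bug reference>`, would fix that. The same applies to fix_corecommand.patch, fix_firewalld.patch, fix_fwupd.patch, fix_init.patch, fix_iptables.patch, fix_irqbalance.patch, fix_locallogin.patch, fix_logrotate.patch, fix_networkmanager.patch, fix_ntp.patch, fix_policykit.patch, fix_selinuxutil.patch, fix_snapper.patch and fix_systemd.patch added in this commit.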
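--- a/fix_corecommand.patch
+++ b/fix_corecommand.patch
@@ -0,0 +1,34 @@
+Index: fedora-policy/policy/modules/kernel/corecommands.fc
+===================================================================
+--- fedora-policy.orig/policy/modules/kernel/corecommands.fc 2020-02-24 08:46:26.205153437 +0000
++++ fedora-policy/policy/modules/kernel/corecommands.fc 2020-02-24 13:44:00.711915017 +0000
+@@ -251,6 +251,21 @@ ifdef(`distro_gentoo',`
+/usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/gnome-settings-daemon/.* -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/gnome-settings-daemon-3.0/.* -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/gnome-calculator-search-provider -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/gnome-control-center-search-provider -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/gnome-photos-thumbnailer -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/gnome-rr-debug -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/gnome-session-binary -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/gnome-session-check-accelerated -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/gnome-session-check-accelerated-gles-helper -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/gnome-session-check-accelerated-gl-helper -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/gnome-session-failed -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/gnome-software-cmd -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/gnome-software-restarter -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/gnome-terminal-migration -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/gnome-terminal-server -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/gnome-tweak-tool-lid-inhibitor -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/gvfs/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/kde4/libexec/.* -- gen_context(system_u:object_r:bin_t,s0)
+@@ -391,6 +406,7 @@ ifdef(`distro_debian',`
+/usr/lib/gdm3/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/udisks/.* -- gen_context(system_u:object_r:bin_t,s0)
+')
++/usr/lib/gdm/.* -- gen_context(system_u:object_r:bin_t,s0)
+
+ifdef(`distro_gentoo', `
+/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0)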
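Review bot: The `/usr/lib/gdm/.* -- gen_context(system_u:object_r:bin_t,s0)` entry in the second hunk is inserted immediately after the `')` that closes the `ifdef(`distro_debian',` block, so it applies to every distro while sitting visually next to the Debian-only gdm3 rule. A short comment on the line before it, `# openSUSE: gdm helpers are installed under /usr/lib/gdm`, would stop a future rebase from folding it back into the Debian block. The fifteen `gnome-*` entries in the first hunk are likewise undocumented; a one-line note on why they are needed (presumably these helpers living under /usr/lib rather than /usr/libexec on openSUSE) would help the same way.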
@ -1,35 +1,12 @@
|
||||
Index: fedora-policy/policy/modules/contrib/evolution.te
|
||||
Index: fedora-policy/policy/modules/contrib/dbus.te
|
||||
===================================================================
|
||||
--- fedora-policy.orig/policy/modules/contrib/evolution.te 2019-08-05 09:39:48.641670181 +0200
|
||||
+++ fedora-policy/policy/modules/contrib/evolution.te 2019-08-05 09:57:29.695474175 +0200
|
||||
@@ -228,7 +228,6 @@ optional_policy(`
|
||||
--- fedora-policy.orig/policy/modules/contrib/dbus.te 2020-02-25 08:22:02.846623845 +0000
|
||||
+++ fedora-policy/policy/modules/contrib/dbus.te 2020-02-25 08:22:31.991108418 +0000
|
||||
@@ -80,6 +80,7 @@ read_lnk_files_pattern(system_dbusd_t, d
|
||||
manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
|
||||
manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
|
||||
files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
|
||||
+allow system_dbusd_t system_dbusd_tmp_t:file execute;
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(evolution_t)
|
||||
- dbus_all_session_bus_client(evolution_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -309,10 +308,6 @@ tunable_policy(`use_samba_home_dirs',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- dbus_all_session_bus_client(evolution_alarm_t)
|
||||
-')
|
||||
-
|
||||
-optional_policy(`
|
||||
gnome_stream_connect_gconf(evolution_alarm_t)
|
||||
')
|
||||
|
||||
Index: fedora-policy/policy/modules/contrib/thunderbird.te
|
||||
===================================================================
|
||||
--- fedora-policy.orig/policy/modules/contrib/thunderbird.te 2019-08-05 09:39:48.681670851 +0200
|
||||
+++ fedora-policy/policy/modules/contrib/thunderbird.te 2019-08-05 09:57:38.503622198 +0200
|
||||
@@ -121,7 +121,6 @@ ifndef(`enable_mls',`
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(thunderbird_t)
|
||||
- dbus_all_session_bus_client(thunderbird_t)
|
||||
|
||||
optional_policy(`
|
||||
cups_dbus_chat(thunderbird_t)
|
||||
manage_files_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t)
|
||||
manage_dirs_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t)
|
||||
|
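Review bot: The one rule the updated patch adds to dbus.te, `allow system_dbusd_t system_dbusd_tmp_t:file execute;`, gives the system bus daemon execute on a file type it already creates and writes (the `manage_files_pattern` on `system_dbusd_tmp_t` two lines above), so this is a write-plus-execute grant on the same type for a long-running root daemon. If the need is only to mmap or run a specific helper, narrowing to that permission or giving the executable its own type would keep the daemon's tmp files non-executable; at minimum the patch should carry a comment naming the denial that prompted it. The rendered section interleaves the old evolution/thunderbird content with the new dbus.te hunk, so I am assuming only the dbus.te part survives on the new side.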
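--- a/fix_dbus.patch_orig
+++ b/fix_dbus.patch_orig
@@ -0,0 +1,35 @@
+Index: fedora-policy/policy/modules/contrib/evolution.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/evolution.te 2019-08-05 09:39:48.641670181 +0200
++++ fedora-policy/policy/modules/contrib/evolution.te 2019-08-05 09:57:29.695474175 +0200
+@@ -228,7 +228,6 @@ optional_policy(`
+
+optional_policy(`
+dbus_system_bus_client(evolution_t)
+- dbus_all_session_bus_client(evolution_t)
+')
+
+optional_policy(`
+@@ -309,10 +308,6 @@ tunable_policy(`use_samba_home_dirs',`
+')
+
+optional_policy(`
+- dbus_all_session_bus_client(evolution_alarm_t)
+-')
+-
+-optional_policy(`
+gnome_stream_connect_gconf(evolution_alarm_t)
+')
+
+Index: fedora-policy/policy/modules/contrib/thunderbird.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/thunderbird.te 2019-08-05 09:39:48.681670851 +0200
++++ fedora-policy/policy/modules/contrib/thunderbird.te 2019-08-05 09:57:38.503622198 +0200
+@@ -121,7 +121,6 @@ ifndef(`enable_mls',`
+
+optional_policy(`
+dbus_system_bus_client(thunderbird_t)
+- dbus_all_session_bus_client(thunderbird_t)
+
+optional_policy(`
+cups_dbus_chat(thunderbird_t)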
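Review bot: `fix_dbus.patch_orig` is the previous content of fix_dbus.patch (the evolution/thunderbird hunks that the updated patch no longer carries) committed as a separate file, which looks like an editor or quilt backup left in the working tree. Unless the spec references it, which I cannot see from here, it should be deleted from the package sources rather than shipped alongside the real patch.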
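--- a/fix_firewalld.patch
+++ b/fix_firewalld.patch
@@ -0,0 +1,42 @@
+Index: fedora-policy/policy/modules/contrib/firewalld.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/firewalld.te 2020-02-24 08:16:03.798820784 +0000
++++ fedora-policy/policy/modules/contrib/firewalld.te 2020-02-24 08:18:03.164764310 +0000
+@@ -129,6 +129,7 @@ optional_policy(`
+')
+
+optional_policy(`
++ iptables_manage_var_lib_files(firewalld_t)
+iptables_domtrans(firewalld_t)
+iptables_read_var_run(firewalld_t)
+')
+Index: fedora-policy/policy/modules/system/iptables.if
+===================================================================
+--- fedora-policy.orig/policy/modules/system/iptables.if 2020-02-19 09:36:25.440182406 +0000
++++ fedora-policy/policy/modules/system/iptables.if 2020-02-24 08:17:53.076600108 +0000
+@@ -2,6 +2,25 @@
+
+########################################
+## <summary>
++## Allow management of iptables_var_lib_t files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to mange files
++## </summary>
++## </param>
++#
++interface(`iptables_manage_var_lib_files',`
++ gen_require(`
++ type iptables_var_lib_t;
++ ')
++
++ manage_dirs_pattern($1, iptables_var_lib_t, iptables_var_lib_t)
++ manage_files_pattern($1, iptables_var_lib_t, iptables_var_lib_t)
++')
++
++########################################
++## <summary>
+## Execute iptables in the iptables domain.
+## </summary>
+## <param name="domain">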
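Review bot: The parameter summary of the new `iptables_manage_var_lib_files` interface has a typo: `## Domain allowed to mange files` should read `## Domain allowed to manage files`. The interface summary could also say what is managed, e.g. `## Allow management of iptables_var_lib_t dirs and files`, since the body grants both `manage_dirs_pattern` and `manage_files_pattern`. The call site in firewalld.te sits inside the existing `optional_policy` block that already calls `iptables_domtrans`, which is the right place for it.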
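--- a/fix_fwupd.patch
+++ b/fix_fwupd.patch
@@ -0,0 +1,12 @@
+Index: fedora-policy/policy/modules/contrib/fwupd.fc
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/fwupd.fc 2020-02-19 09:36:31.784283432 +0000
++++ fedora-policy/policy/modules/contrib/fwupd.fc 2020-02-21 14:24:21.739179426 +0000
+@@ -4,6 +4,7 @@
+/etc/pki/(fwupd|fwupd-metadata)(/.*)? gen_context(system_u:object_r:fwupd_cert_t,s0)
+
+/usr/libexec/fwupd/fwupd -- gen_context(system_u:object_r:fwupd_exec_t,s0)
++/usr/lib/fwupd/fwupd -- gen_context(system_u:object_r:fwupd_exec_t,s0)
+
+/var/cache/app-info(/.*)? gen_context(system_u:object_r:fwupd_cache_t,s0)
+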
@ -1,8 +1,8 @@
|
||||
Index: fedora-policy/policy/modules/roles/sysadm.te
|
||||
===================================================================
|
||||
--- fedora-policy.orig/policy/modules/roles/sysadm.te 2019-08-05 09:39:39.113510611 +0200
|
||||
+++ fedora-policy/policy/modules/roles/sysadm.te 2019-08-05 14:11:28.416872543 +0200
|
||||
@@ -282,10 +282,6 @@ optional_policy(`
|
||||
--- fedora-policy.orig/policy/modules/roles/sysadm.te 2020-02-19 09:08:50.433854051 +0000
|
||||
+++ fedora-policy/policy/modules/roles/sysadm.te 2020-02-19 09:17:47.026397710 +0000
|
||||
@@ -289,10 +289,6 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -15,9 +15,9 @@ Index: fedora-policy/policy/modules/roles/sysadm.te
|
||||
|
||||
Index: fedora-policy/policy/modules/roles/unprivuser.te
|
||||
===================================================================
|
||||
--- fedora-policy.orig/policy/modules/roles/unprivuser.te 2019-08-05 09:39:39.113510611 +0200
|
||||
+++ fedora-policy/policy/modules/roles/unprivuser.te 2019-08-05 14:11:22.908782828 +0200
|
||||
@@ -192,10 +192,6 @@ ifndef(`distro_redhat',`
|
||||
--- fedora-policy.orig/policy/modules/roles/unprivuser.te 2020-02-19 09:08:50.433854051 +0000
|
||||
+++ fedora-policy/policy/modules/roles/unprivuser.te 2020-02-19 09:17:47.030397773 +0000
|
||||
@@ -197,10 +197,6 @@ ifndef(`distro_redhat',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
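--- a/fix_init.patch
+++ b/fix_init.patch
@@ -0,0 +1,62 @@
+Index: fedora-policy/policy/modules/system/init.te
+===================================================================
+--- fedora-policy.orig/policy/modules/system/init.te
++++ fedora-policy/policy/modules/system/init.te
+@@ -250,6 +250,7 @@ corecmd_exec_bin(init_t)
+corenet_all_recvfrom_netlabel(init_t)
+corenet_tcp_bind_all_ports(init_t)
+corenet_udp_bind_all_ports(init_t)
++corenet_udp_bind_generic_node(init_t)
+
+dev_create_all_files(init_t)
+dev_create_all_chr_files(init_t)
+@@ -419,10 +420,15 @@ ifdef(`distro_redhat',`
+corecmd_shell_domtrans(init_t, initrc_t)
+
+storage_raw_rw_fixed_disk(init_t)
++storage_raw_read_removable_device(init_t)
+
+sysnet_read_dhcpc_state(init_t)
+
+optional_policy(`
++ networkmanager_initrc_read_lnk_files(init_t)
++')
++
++optional_policy(`
+bootloader_domtrans(init_t)
+')
+
+@@ -536,7 +542,7 @@ tunable_policy(`init_create_dirs',`
+allow init_t self:system all_system_perms;
+allow init_t self:system module_load;
+allow init_t self:unix_dgram_socket { create_socket_perms sendto };
+-allow init_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec };
++allow init_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec execmem };
+allow init_t self:process { getcap setcap };
+allow init_t self:unix_stream_socket { create_stream_socket_perms connectto recvfrom };
+allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
+@@ -598,6 +604,7 @@ files_delete_all_spool_sockets(init_t)
+files_create_var_lib_dirs(init_t)
+files_create_var_lib_symlinks(init_t)
+files_read_var_lib_symlinks(init_t)
++files_read_var_files(init_t)
+files_manage_urandom_seed(init_t)
+files_list_locks(init_t)
+files_list_spool(init_t)
+@@ -689,6 +696,7 @@ systemd_userdbd_runtime_manage_symlinks(
+create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
+
+create_dirs_pattern(init_t, var_log_t, var_log_t)
++files_manage_var_files(init_t)
+
+auth_use_nsswitch(init_t)
+auth_rw_login_records(init_t)
+@@ -1525,6 +1533,8 @@ optional_policy(`
+
+optional_policy(`
+postfix_list_spool(initrc_t)
++ #allow init_t postfix_map_exec_t:file { open read execute execute_no_trans ioctl };
++ postfix_domtrans_map(init_t)
+')
+
+optional_policy(`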
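Review bot: The third hunk adds `execmem` to `init_t`'s self process permissions, which lets PID 1 map memory that is both writable and executable and so removes one of the few hardening properties the base policy keeps for init; the patch gives no hint which component triggered it, and that reason should be recorded next to the rule (or the denial fixed at its source). The last hunk ships a commented-out `#allow init_t postfix_map_exec_t:file { ... }` rule beside the `postfix_domtrans_map(init_t)` call that replaces it; commented-out policy should be deleted rather than carried in the patch. `files_manage_var_files(init_t)` in the fifth hunk also presumably subsumes the `files_read_var_files(init_t)` added in the fourth, so one of the two looks redundant.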
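--- a/fix_iptables.patch
+++ b/fix_iptables.patch
@@ -0,0 +1,12 @@
+Index: fedora-policy/policy/modules/system/iptables.te
+===================================================================
+--- fedora-policy.orig/policy/modules/system/iptables.te 2020-02-19 09:36:25.440182406 +0000
++++ fedora-policy/policy/modules/system/iptables.te 2020-02-21 12:19:23.060595602 +0000
+@@ -76,6 +76,7 @@ kernel_read_kernel_sysctls(iptables_t)
+kernel_read_usermodehelper_state(iptables_t)
+kernel_use_fds(iptables_t)
+kernel_rw_net_sysctls(iptables_t)
++kernel_rw_pipes(iptables_t)
+kernel_search_network_sysctl(iptables_t)
+
+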
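--- a/fix_irqbalance.patch
+++ b/fix_irqbalance.patch
@@ -0,0 +1,13 @@
+Index: fedora-policy/policy/modules/contrib/irqbalance.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/irqbalance.te 2020-02-19 09:36:31.792283559 +0000
++++ fedora-policy/policy/modules/contrib/irqbalance.te 2020-02-21 12:18:36.155848163 +0000
+@@ -28,6 +28,8 @@ allow irqbalance_t self:udp_socket creat
+manage_files_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t)
+files_pid_filetrans(irqbalance_t, irqbalance_var_run_t, file)
+
++init_nnp_daemon_domain(irqbalance_t)
++
+kernel_read_network_state(irqbalance_t)
+kernel_read_system_state(irqbalance_t)
+kernel_read_kernel_sysctls(irqbalance_t)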
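--- a/fix_locallogin.patch
+++ b/fix_locallogin.patch
@@ -0,0 +1,12 @@
+Index: fedora-policy/policy/modules/system/locallogin.te
+===================================================================
+--- fedora-policy.orig/policy/modules/system/locallogin.te 2020-02-19 09:36:25.440182406 +0000
++++ fedora-policy/policy/modules/system/locallogin.te 2020-02-21 08:52:35.961803038 +0000
+@@ -63,6 +63,7 @@ kernel_read_system_state(local_login_t)
+kernel_read_kernel_sysctls(local_login_t)
+kernel_search_key(local_login_t)
+kernel_link_key(local_login_t)
++kernel_getattr_proc(local_login_t)
+
+corecmd_list_bin(local_login_t)
+corecmd_read_bin_symlinks(local_login_t)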
@ -1,12 +1,21 @@
|
||||
Index: fedora-policy/policy/modules/system/logging.fc
|
||||
===================================================================
|
||||
--- fedora-policy.orig/policy/modules/system/logging.fc 2019-08-22 11:28:09.250979768 +0200
|
||||
+++ fedora-policy/policy/modules/system/logging.fc 2019-08-22 11:45:28.360015899 +0200
|
||||
@@ -3,6 +3,7 @@
|
||||
--- fedora-policy.orig/policy/modules/system/logging.fc 2020-02-24 08:53:21.924002716 +0000
|
||||
+++ fedora-policy/policy/modules/system/logging.fc 2020-02-24 13:33:16.353371311 +0000
|
||||
@@ -3,6 +3,8 @@
|
||||
/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
|
||||
/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
|
||||
/etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
|
||||
+/var//run/rsyslog/additional-log-sockets.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
|
||||
+/var/run/rsyslog/additional-log-sockets.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
|
||||
+/run/rsyslog/additional-log-sockets.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
|
||||
/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
|
||||
/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
|
||||
/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
|
||||
@@ -83,6 +85,7 @@ ifdef(`distro_redhat',`
|
||||
/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
|
||||
/var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
|
||||
/var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
|
||||
+/var/run/rsyslog(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
|
||||
/var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
|
||||
|
||||
/var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
|
||||
|
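Review bot: One of the three `additional-log-sockets.conf` entries is spelled `/var//run/rsyslog/...` with a doubled slash; as a file-context regex that only matches a path containing two consecutive slashes, so it would never label the real file. From the hunk counts (`+3,7` in the old patch header, `+3,8` in the new) I read it as the removed line and the `/var/run/...` and `/run/...` pair as the new ones, but the rendered section lost its markers, so please confirm the doubled-slash form is indeed gone. Keeping both the `/var/run` and `/run` spellings is harmless and matches the separate `/var/run/rsyslog(/.*)?` rule added in the second hunk.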
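--- a/fix_logrotate.patch
+++ b/fix_logrotate.patch
@@ -0,0 +1,12 @@
+Index: fedora-policy/policy/modules/contrib/logrotate.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/logrotate.te 2020-02-19 09:36:31.796283623 +0000
++++ fedora-policy/policy/modules/contrib/logrotate.te 2020-02-24 07:54:50.138294492 +0000
+@@ -100,6 +100,7 @@ files_var_lib_filetrans(logrotate_t, log
+
+kernel_read_system_state(logrotate_t)
+kernel_read_kernel_sysctls(logrotate_t)
++files_manage_mounttab(logrotate_t)
+
+dev_read_urand(logrotate_t)
+dev_read_sysfs(logrotate_t)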
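--- a/fix_networkmanager.patch
+++ b/fix_networkmanager.patch
@@ -0,0 +1,54 @@
+Index: fedora-policy/policy/modules/contrib/networkmanager.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/networkmanager.te
++++ fedora-policy/policy/modules/contrib/networkmanager.te
+@@ -233,6 +233,9 @@ userdom_read_home_certs(NetworkManager_t
+userdom_read_user_home_content_files(NetworkManager_t)
+userdom_dgram_send(NetworkManager_t)
+
++hostname_exec(NetworkManager_t)
++networkmanager_systemctl(NetworkManager_t)
++
+tunable_policy(`use_nfs_home_dirs',`
+fs_read_nfs_files(NetworkManager_t)
+')
+@@ -250,6 +253,10 @@ optional_policy(`
+')
+
+optional_policy(`
++ packagekit_dbus_chat(NetworkManager_t)
++')
++
++optional_policy(`
+bind_domtrans(NetworkManager_t)
+bind_manage_cache(NetworkManager_t)
+bind_kill(NetworkManager_t)
+Index: fedora-policy/policy/modules/contrib/networkmanager.if
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/networkmanager.if
++++ fedora-policy/policy/modules/contrib/networkmanager.if
+@@ -114,6 +114,24 @@ interface(`networkmanager_initrc_domtran
+init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
+')
+
++#######################################
++## <summary>
++## Allow reading of NetworkManager link files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to read the links
++## </summary>
++## </param>
++#
++interface(`networkmanager_initrc_read_lnk_files',`
++ gen_require(`
++ type NetworkManager_initrc_exec_t;
++ ')
++
++ read_lnk_files_pattern($1, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
++')
++
+########################################
+## <summary>
+## Execute NetworkManager server in the NetworkManager domain.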
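Review bot: The new interface `networkmanager_initrc_read_lnk_files` reads symlinks labelled `NetworkManager_initrc_exec_t`, but its summary says `## Allow reading of NetworkManager link files`, which reads like systemd `.link` network files; `## Read symlinks labelled NetworkManager_initrc_exec_t (init script / unit links)` would describe the `read_lnk_files_pattern` call accurately. The separator line above it appears one `#` shorter than the `########################################` the file uses elsewhere — a nit, but it will show up in every later diff. In networkmanager.te, `networkmanager_systemctl(NetworkManager_t)` applies an interface presumably written for other domains to NetworkManager's own domain; a one-line comment on why NetworkManager must run systemctl against its own units would help the next reader.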
@ -1,7 +1,7 @@
|
||||
Index: fedora-policy/policy/modules/contrib/nscd.fc
|
||||
===================================================================
|
||||
--- fedora-policy.orig/policy/modules/contrib/nscd.fc 2019-08-05 09:39:48.661670516 +0200
|
||||
+++ fedora-policy/policy/modules/contrib/nscd.fc 2019-08-15 14:13:18.681607730 +0200
|
||||
--- fedora-policy.orig/policy/modules/contrib/nscd.fc 2020-02-25 10:33:52.706658487 +0000
|
||||
+++ fedora-policy/policy/modules/contrib/nscd.fc 2020-02-25 10:33:56.314719506 +0000
|
||||
@@ -8,8 +8,10 @@
|
||||
/var/log/nscd\.log.* -- gen_context(system_u:object_r:nscd_log_t,s0)
|
||||
|
||||
@ -14,3 +14,18 @@ Index: fedora-policy/policy/modules/contrib/nscd.fc
|
||||
|
||||
/usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0)
|
||||
+
|
||||
Index: fedora-policy/policy/modules/contrib/nscd.te
|
||||
===================================================================
|
||||
--- fedora-policy.orig/policy/modules/contrib/nscd.te 2020-02-19 09:36:31.804283750 +0000
|
||||
+++ fedora-policy/policy/modules/contrib/nscd.te 2020-02-25 10:34:18.611090097 +0000
|
||||
@@ -127,6 +127,10 @@ userdom_dontaudit_use_unpriv_user_fds(ns
|
||||
userdom_dontaudit_search_user_home_dirs(nscd_t)
|
||||
|
||||
optional_policy(`
|
||||
+ networkmanager_read_pid_files(nscd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
accountsd_dontaudit_rw_fifo_file(nscd_t)
|
||||
')
|
||||
|
||||
|
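--- a/fix_ntp.patch
+++ b/fix_ntp.patch
@@ -0,0 +1,39 @@
+Index: fedora-policy/policy/modules/contrib/ntp.fc
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/ntp.fc 2020-02-21 15:59:23.349556504 +0000
++++ fedora-policy/policy/modules/contrib/ntp.fc 2020-02-21 16:01:41.591761350 +0000
+@@ -16,7 +16,6 @@
+
+/usr/lib/systemd/system/ntpd.* -- gen_context(system_u:object_r:ntpd_unit_file_t,s0)
+
+-/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/sntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+
+@@ -25,3 +24,26 @@
+/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
+
+/var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
++
++/var/lib/ntp gen_context(system_u:object_r:root_t,s0)
++/var/lib/ntp/kod gen_context(system_u:object_r:etc_runtime_t,s0)
++/var/lib/ntp/dev gen_context(system_u:object_r:device_t,s0)
++/var/lib/ntp/etc gen_context(system_u:object_r:etc_t,s0)
++/var/lib/ntp/etc/ntpd.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
++/var/lib/ntp/etc/ntp/crypto(/.*)? -- gen_context(system_u:object_r:ntpd_key_t,s0)
++/var/lib/ntp/etc/ntp/data(/.*)? -- gen_context(system_u:object_r:ntp_drift_t,s0)
++/var/lib/ntp/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
++/var/lib/ntp/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
++/var/lib/ntp/etc/ntp.conf.iburst -- gen_context(system_u:object_r:ntp_conf_t,s0)
++/var/lib/ntp/var gen_context(system_u:object_r:var_t,s0)
++/var/lib/ntp/var/lib gen_context(system_u:object_r:var_lib_t,s0)
++/var/lib/ntp/var/run gen_context(system_u:object_r:var_run_t,s0)
++/var/lib/ntp/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
++/var/lib/ntp/var/lib/sntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
++/var/lib/ntp/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
++/var/lib/ntp/drift gen_context(system_u:object_r:ntp_drift_t,s0)
++/var/lib/ntp/drift/ntp.drift -- gen_context(system_u:object_r:ntp_drift_t,s0)
++/var/lib/ntp/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
++/var/lib/ntp/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
++/var/lib/ntp/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
++/var/lib/ntp/var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)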
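Review bot: The second hunk labels `/var/lib/ntp` as `root_t`, `/var/lib/ntp/dev` as `device_t` and `/var/lib/ntp/etc` as `etc_t`, reusing the host's root/device/etc types for what looks like an ntpd chroot tree, without a comment saying so; a reader seeing `root_t` under `/var/lib` will take it for a mistake, so add `# ntpd chroot: mirror the host layout under /var/lib/ntp` before the block. Note that `/var/lib/ntp/dev` and `/var/lib/ntp/etc` carry no `(/.*)?` suffix, so only the directories themselves get those labels and anything created beneath them that is not listed explicitly falls through to a parent rule (presumably `var_lib_t`) — if device nodes are created in the chroot's `dev`, they will need entries of their own. The removal of the original `/var/lib/ntp(/.*)?` → `ntp_drift_t` rule in the first hunk should also be mentioned in the patch header, since it changes how a non-chroot layout is labelled.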
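--- a/fix_policykit.patch
+++ b/fix_policykit.patch
@@ -0,0 +1,13 @@
+Index: fedora-policy/policy/modules/contrib/policykit.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/policykit.te 2020-02-21 13:28:23.080385220 +0000
++++ fedora-policy/policy/modules/contrib/policykit.te 2020-02-21 13:31:09.023086041 +0000
+@@ -98,6 +98,8 @@ userdom_getattr_all_users(policykit_t)
+userdom_read_all_users_state(policykit_t)
+userdom_dontaudit_search_admin_dir(policykit_t)
+
++policykit_dbus_chat(policykit_t)
++
+optional_policy(`
+dbus_system_domain(policykit_t, policykit_exec_t)
+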
@ -1,11 +1,11 @@
|
||||
Index: fedora-policy/policy/modules/contrib/postfix.fc
|
||||
===================================================================
|
||||
--- fedora-policy.orig/policy/modules/contrib/postfix.fc 2019-08-05 09:39:48.669670650 +0200
|
||||
+++ fedora-policy/policy/modules/contrib/postfix.fc 2019-08-14 11:11:26.195163409 +0200
|
||||
@@ -1,36 +1,19 @@
|
||||
# postfix
|
||||
--- fedora-policy.orig/policy/modules/contrib/postfix.fc 2020-02-25 10:34:35.875376865 +0000
|
||||
+++ fedora-policy/policy/modules/contrib/postfix.fc 2020-02-25 10:34:37.719407494 +0000
|
||||
@@ -2,36 +2,19 @@
|
||||
/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
|
||||
/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
|
||||
/etc/postfix/chroot-update -- gen_context(system_u:object_r:postfix_exec_t,s0)
|
||||
-ifdef(`distro_redhat', `
|
||||
-/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
|
||||
-/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
|
||||
@ -51,7 +51,7 @@ Index: fedora-policy/policy/modules/contrib/postfix.fc
|
||||
/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
|
||||
/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
|
||||
/usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
|
||||
@@ -44,6 +27,9 @@ ifdef(`distro_redhat', `
|
||||
@@ -45,6 +28,9 @@ ifdef(`distro_redhat', `
|
||||
/usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
|
||||
/usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
|
||||
|
||||
@ -61,3 +61,20 @@ Index: fedora-policy/policy/modules/contrib/postfix.fc
|
||||
/var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0)
|
||||
|
||||
/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0)
|
||||
Index: fedora-policy/policy/modules/contrib/postfix.te
|
||||
===================================================================
|
||||
--- fedora-policy.orig/policy/modules/contrib/postfix.te 2020-02-19 09:36:31.820284005 +0000
|
||||
+++ fedora-policy/policy/modules/contrib/postfix.te 2020-02-25 10:35:55.544700764 +0000
|
||||
@@ -447,6 +447,12 @@ logging_send_syslog_msg(postfix_map_t)
|
||||
|
||||
userdom_use_inherited_user_ptys(postfix_map_t)
|
||||
|
||||
+corecmd_exec_bin(postfix_map_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ mta_read_aliases(postfix_map_t)
|
||||
+')
|
||||
+
|
||||
optional_policy(`
|
||||
locallogin_dontaudit_use_fds(postfix_map_t)
|
||||
')
|
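Review bot: `corecmd_exec_bin(postfix_map_t)` in the postfix.te hunk is granted unconditionally, letting the map domain run any `bin_t` binary without a domain transition; together with fix_init.patch's `postfix_domtrans_map(init_t)` this is a domain that systemd now enters at service start, so the grant deserves a comment naming the helper that was denied (and, if it is a single program, labelling that program instead). The `mta_read_aliases(postfix_map_t)` call is correctly wrapped in `optional_policy`. The rendered section interleaves the old postfix_paths.patch text with the new fix_postfix.patch, so I am reading only the `@@ -447,6 +447,12 @@` hunk as new.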
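--- a/fix_selinuxutil.patch
+++ b/fix_selinuxutil.patch
@@ -0,0 +1,26 @@
+Index: fedora-policy/policy/modules/system/selinuxutil.te
+===================================================================
+--- fedora-policy.orig/policy/modules/system/selinuxutil.te 2020-02-19 09:36:25.444182470 +0000
++++ fedora-policy/policy/modules/system/selinuxutil.te 2020-02-24 07:57:26.556813139 +0000
+@@ -238,6 +238,10 @@ ifdef(`hide_broken_symptoms',`
+')
+
+optional_policy(`
++ packagekit_read_write_fifo(load_policy_t)
++')
++
++optional_policy(`
+portage_dontaudit_use_fds(load_policy_t)
+')
+
+@@ -613,6 +617,10 @@ logging_send_audit_msgs(setfiles_t)
+logging_send_syslog_msg(setfiles_t)
+
+optional_policy(`
++ packagekit_read_write_fifo(setfiles_t)
++')
++
++optional_policy(`
+cloudform_dontaudit_write_cloud_log(setfiles_t)
+')
+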
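--- a/fix_snapper.patch
+++ b/fix_snapper.patch
@@ -0,0 +1,15 @@
+Index: fedora-policy/policy/modules/contrib/snapper.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/snapper.te 2020-02-19 09:36:31.880284960 +0000
++++ fedora-policy/policy/modules/contrib/snapper.te 2020-02-24 10:57:10.311792681 +0000
+@@ -73,6 +73,10 @@ storage_raw_read_fixed_disk(snapperd_t)
+auth_use_nsswitch(snapperd_t)
+
+optional_policy(`
++ packagekit_dbus_chat(snapperd_t)
++')
++
++optional_policy(`
+cron_system_entry(snapperd_t, snapperd_exec_t)
+')
+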
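--- a/fix_systemd.patch
+++ b/fix_systemd.patch
@@ -0,0 +1,15 @@
+Index: fedora-policy/policy/modules/system/systemd.te
+===================================================================
+--- fedora-policy.orig/policy/modules/system/systemd.te 2020-02-19 09:36:25.444182470 +0000
++++ fedora-policy/policy/modules/system/systemd.te 2020-02-24 10:56:11.762848157 +0000
+@@ -328,6 +328,10 @@ userdom_manage_user_tmp_chr_files(system
+xserver_dbus_chat(systemd_logind_t)
+
+optional_policy(`
++ packagekit_dbus_chat(systemd_logind_t)
++')
++
++optional_policy(`
+apache_read_tmp_files(systemd_logind_t)
+')
+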
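--- a/fix_unconfined.patch
+++ b/fix_unconfined.patch
@@ -0,0 +1,22 @@
+Index: fedora-policy/policy/modules/system/unconfined.te
+===================================================================
+--- fedora-policy.orig/policy/modules/system/unconfined.te 2020-02-19 09:36:25.444182470 +0000
++++ fedora-policy/policy/modules/system/unconfined.te 2020-02-24 15:14:59.222899685 +0000
+@@ -1,5 +1,10 @@
+policy_module(unconfined, 3.5.0)
+
++require {
++ type var_run_t;
++ type net_conf_t;
++}
++
+########################################
+#
+# Declarations
+@@ -39,3 +44,6 @@ optional_policy(`
+optional_policy(`
+container_runtime_domtrans(unconfined_service_t)
+')
++
++filetrans_pattern(unconfined_service_t, var_run_t, net_conf_t, dir)
++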
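Review bot: `filetrans_pattern(unconfined_service_t, var_run_t, net_conf_t, dir)` has no name argument, so every directory unconfined_service_t creates directly inside a var_run_t directory is labelled net_conf_t, not only the one this fix is for; pass the directory name as the fifth argument, `filetrans_pattern(unconfined_service_t, var_run_t, net_conf_t, dir, "<dir-name-to-confirm>")`. The bare `require { type var_run_t; type net_conf_t; }` inserted above the Declarations section also departs from the file's style, where outside types are pulled in through module interfaces or a gen_require next to the rule that needs them; if the sysnetwork module already offers an interface for creating its config directories, calling it would avoid both issues. A one-line comment naming the service whose denial prompted the rule would let the next maintainer judge when it can go.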
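--- a/fix_unconfineduser.patch
+++ b/fix_unconfineduser.patch
@@ -0,0 +1,15 @@
+Index: fedora-policy/policy/modules/roles/unconfineduser.te
+===================================================================
+--- fedora-policy.orig/policy/modules/roles/unconfineduser.te 2020-02-19 09:36:25.436182342 +0000
++++ fedora-policy/policy/modules/roles/unconfineduser.te 2020-02-25 08:24:07.992702226 +0000
+@@ -244,6 +244,10 @@ optional_policy(`
+dbus_stub(unconfined_t)
+
+optional_policy(`
++ systemd_dbus_chat_logind(unconfined_dbusd_t)
++ ')
++
++ optional_policy(`
+bluetooth_dbus_chat(unconfined_t)
+')
+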
@ -1,8 +1,24 @@
|
||||
Index: fedora-policy/policy/modules/services/xserver.fc
|
||||
===================================================================
|
||||
--- fedora-policy.orig/policy/modules/services/xserver.fc 2019-08-05 09:39:39.113510611 +0200
|
||||
+++ fedora-policy/policy/modules/services/xserver.fc 2019-08-22 11:44:16.178832073 +0200
|
||||
@@ -133,6 +133,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
|
||||
--- fedora-policy.orig/policy/modules/services/xserver.fc
|
||||
+++ fedora-policy/policy/modules/services/xserver.fc
|
||||
@@ -71,6 +71,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
|
||||
/etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
|
||||
/etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
|
||||
/etc/X11/wdm/Xsetup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
|
||||
+/etc/X11/xdm/Xsetup -- gen_context(system_u:object_r:xsession_exec_t,s0)
|
||||
/etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
|
||||
/etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0)
|
||||
|
||||
@@ -102,6 +103,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
|
||||
|
||||
/usr/bin/sddm -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
||||
/usr/bin/sddm-greeter -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
||||
+/usr/lib/sddm/sddm-helper -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
||||
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
||||
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
|
||||
/usr/bin/razor-lightdm-.* -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
||||
@@ -135,6 +137,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
|
||||
/usr/X11R6/lib/X11/xkb -d gen_context(system_u:object_r:xkb_var_lib_t,s0)
|
||||
/usr/X11R6/lib/X11/xkb/.* -- gen_context(system_u:object_r:xkb_var_lib_t,s0)
|
||||
|
||||
@ -10,3 +26,18 @@ Index: fedora-policy/policy/modules/services/xserver.fc
|
||||
ifndef(`distro_debian',`
|
||||
/usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
|
||||
')
|
||||
Index: fedora-policy/policy/modules/services/xserver.te
|
||||
===================================================================
|
||||
--- fedora-policy.orig/policy/modules/services/xserver.te
|
||||
+++ fedora-policy/policy/modules/services/xserver.te
|
||||
@@ -477,6 +477,10 @@ userdom_delete_user_home_content_files(x
|
||||
userdom_signull_unpriv_users(xdm_t)
|
||||
userdom_dontaudit_read_admin_home_lnk_files(xdm_t)
|
||||
|
||||
+files_manage_generic_pids_symlinks(xdm_t)
|
||||
+userdom_manage_user_home_content_dirs(xdm_t)
|
||||
+userdom_manage_user_home_content_files(xdm_t)
|
||||
+
|
||||
# Allow gdm to run gdm-binary
|
||||
can_exec(xdm_t, xdm_exec_t)
|
||||
can_exec(xdm_t, xsession_exec_t)
|
||||
|
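Review bot: `userdom_manage_user_home_content_dirs(xdm_t)` and `userdom_manage_user_home_content_files(xdm_t)` give the display-manager domain create, write and delete rights over all content of every user home, and the hunk records no reason for it; the deleted targeted_temp_fixes module carried `# KDE write to home directories` above the same files rule, so at least that why-comment should move here with the rules. Since this xserver.fc already labels HOME_DIR/.dmrc separately (visible in the hunk headers), it is worth checking whether the files xdm writes for KDE can be given a home type of their own so the grant can be narrowed to that type instead of all user home content. The xserver.fc hunks that add the sddm-helper and xdm/Xsetup labels raise nothing.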
@ -1 +0,0 @@
|
||||
## <summary></summary>
|
@ -1,95 +0,0 @@
|
||||
policy_module(minimum_temp_fixes, 1.0)
|
||||
|
||||
require {
|
||||
type sshd_t;
|
||||
type lib_t;
|
||||
type init_t;
|
||||
type unconfined_t;
|
||||
type systemd_localed_t;
|
||||
type systemd_logind_t;
|
||||
type unconfined_service_t;
|
||||
type chkpwd_t;
|
||||
type bin_t;
|
||||
type fsadm_t;
|
||||
type getty_t;
|
||||
type systemd_tmpfiles_t;
|
||||
type systemd_systemctl_exec_t;
|
||||
type unconfined_dbusd_t;
|
||||
type rtkit_daemon_t;
|
||||
type system_dbusd_t;
|
||||
class dir mounton;
|
||||
class dbus { acquire_svc send_msg };
|
||||
class nscd { getgrp shmemgrp shmemhost shmempwd getpwd gethost getserv shmemserv };
|
||||
class process { execmem transition };
|
||||
class file { entrypoint execmod };
|
||||
}
|
||||
|
||||
#============= chkpwd_t ==============
|
||||
allow chkpwd_t unconfined_service_t:nscd { shmempwd getpwd };
|
||||
files_map_var_lib_files(chkpwd_t)
|
||||
files_read_var_lib_files(chkpwd_t)
|
||||
files_write_generic_pid_sockets(chkpwd_t)
|
||||
|
||||
#============= fsadm_t ==============
|
||||
allow fsadm_t unconfined_service_t:nscd { shmemgrp shmempwd };
|
||||
|
||||
#============= getty_t ==============
|
||||
allow getty_t unconfined_service_t:nscd shmemgrp;
|
||||
files_map_var_lib_files(getty_t)
|
||||
files_read_var_lib_files(getty_t)
|
||||
files_write_generic_pid_sockets(getty_t)
|
||||
|
||||
#============= init_t ==============
|
||||
allow init_t bin_t:dir mounton;
|
||||
allow init_t lib_t:dir mounton;
|
||||
allow init_t self:process execmem;
|
||||
allow init_t unconfined_service_t:dbus { acquire_svc send_msg };
|
||||
allow init_t unconfined_service_t:nscd { gethost getserv shmemhost shmemserv shmemgrp shmempwd getpwd };
|
||||
files_manage_generic_spool(init_t)
|
||||
corenet_udp_bind_generic_node(init_t)
|
||||
files_map_var_lib_files(init_t)
|
||||
files_read_var_files(init_t)
|
||||
files_manage_var_files(init_t)
|
||||
storage_raw_read_removable_device(init_t)
|
||||
|
||||
#============= sshd_t ==============
|
||||
allow sshd_t unconfined_service_t:nscd { shmemgrp shmemhost shmempwd getgrp getpwd };
|
||||
files_exec_generic_pid_files(sshd_t)
|
||||
files_map_var_lib_files(sshd_t)
|
||||
files_read_var_lib_files(sshd_t)
|
||||
files_write_generic_pid_sockets(sshd_t)
|
||||
unconfined_server_dbus_chat(sshd_t)
|
||||
|
||||
#============= systemd_localed_t ==============
|
||||
allow systemd_localed_t unconfined_service_t:dbus { acquire_svc send_msg };
|
||||
files_write_generic_pid_sockets(systemd_localed_t)
|
||||
|
||||
#============= systemd_logind_t ==============
|
||||
allow systemd_logind_t unconfined_service_t:dbus { acquire_svc send_msg };
|
||||
allow systemd_logind_t unconfined_service_t:nscd { shmempwd getpwd };
|
||||
files_map_var_lib_files(systemd_logind_t)
|
||||
files_read_var_lib_files(systemd_logind_t)
|
||||
files_write_generic_pid_sockets(systemd_logind_t)
|
||||
systemd_dbus_chat_logind(systemd_logind_t)
|
||||
|
||||
#============= systemd_tmpfiles_t ==============
|
||||
allow systemd_tmpfiles_t unconfined_service_t:nscd { getpwd getgrp shmemgrp shmempwd };
|
||||
files_map_var_lib_files(systemd_tmpfiles_t)
|
||||
|
||||
#============= unconfined_service_t ==============
|
||||
allow unconfined_service_t unconfined_t:process transition;
|
||||
init_dbus_chat(unconfined_service_t)
|
||||
unconfined_server_dbus_chat(unconfined_service_t)
|
||||
|
||||
#============= unconfined_t ==============
|
||||
allow unconfined_t systemd_systemctl_exec_t:file entrypoint;
|
||||
allow unconfined_t unconfined_service_t:nscd { shmemgrp shmempwd getgrp gethost getpwd getserv shmemhost shmemserv };
|
||||
|
||||
#============= unconfined_dbusd_t ==============
|
||||
allow unconfined_dbusd_t unconfined_service_t:nscd { getgrp getpwd shmemgrp shmempwd };
|
||||
|
||||
#============= rtkit_daemon_t ==============
|
||||
allow rtkit_daemon_t unconfined_service_t:nscd { getpwd shmempwd };
|
||||
|
||||
#============= system_dbusd_t ==============
|
||||
allow system_dbusd_t unconfined_service_t:nscd { getgrp getpwd shmemgrp shmempwd };
|
@ -406,13 +406,6 @@ kdbus = module
|
||||
#
|
||||
rpm = module
|
||||
|
||||
# Layer: contrib
|
||||
# Module: minimum_temp_fixes
|
||||
#
|
||||
# Temporary fixes for the minimum policy.
|
||||
#
|
||||
minimum_temp_fixes = module
|
||||
|
||||
# Layer: contrib
|
||||
# Module: packagekit
|
||||
#
|
||||
|
@ -399,13 +399,6 @@ unconfined = module
|
||||
#
|
||||
kdbus = module
|
||||
|
||||
# Layer: contrib
|
||||
# Module: targeted_temp_fixes
|
||||
#
|
||||
# Temporary fixes for the targeted policy.
|
||||
#
|
||||
targeted_temp_fixes = module
|
||||
|
||||
# Layer: contrib
|
||||
# Module: packagekit
|
||||
#
|
||||
|
@ -1,2 +1,40 @@
|
||||
## <summary>A temporary policy for packagekit.</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow reading of fifo files
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to mange files
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`packagekit_read_write_fifo',`
|
||||
gen_require(`
|
||||
type packagekit_t;
|
||||
')
|
||||
|
||||
allow $1 packagekit_t:fifo_file rw_inherited_fifo_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive messages from
|
||||
## packagekit over dbus.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`packagekit_dbus_chat',`
|
||||
gen_require(`
|
||||
type packagekit_t;
|
||||
class dbus send_msg;
|
||||
')
|
||||
|
||||
allow $1 packagekit_t:dbus send_msg;
|
||||
allow packagekit_t $1:dbus send_msg;
|
||||
')
|
||||
|
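Review bot: The summary of `packagekit_read_write_fifo` says `## Allow reading of fifo files`, but the rule grants `rw_inherited_fifo_file_perms`, i.e. read and write on packagekit's inherited fifo files, and the parameter summary `## Domain allowed to mange files` is both a typo and the wrong description. Change those two lines to `## Read and write inherited packagekit fifo files` and `## Domain allowed access.`, matching the wording used by `packagekit_dbus_chat` below. The `packagekit_dbus_chat` summary could likewise say that send_msg is granted in both directions, since a caller reading only the summary will not expect packagekit_t to gain a rule on its own domain.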
@ -9,29 +9,30 @@ type packagekit_t;
|
||||
type packagekit_exec_t;
|
||||
init_daemon_domain(packagekit_t,packagekit_exec_t)
|
||||
|
||||
permissive packagekit_t;
|
||||
|
||||
type packagekit_unit_file_t;
|
||||
systemd_unit_file(packagekit_unit_file_t)
|
||||
|
||||
type packagekit_var_lib_t;
|
||||
files_type(packagekit_var_lib_t)
|
||||
|
||||
#allow packagekit_t self:tcp_socket create_stream_socket_perms;
|
||||
#
|
||||
#manage_dirs_pattern(packagekit_t, packagekit_var_lib_t, packagekit_var_lib_t)
|
||||
#manage_files_pattern(packagekit_t, packagekit_var_lib_t, packagekit_var_lib_t)
|
||||
#manage_lnk_files_pattern(packagekit_t, packagekit_var_lib_t, packagekit_var_lib_t)
|
||||
#files_var_lib_filetrans(packagekit_t, packagekit_var_lib_t, dir)
|
||||
#
|
||||
#kernel_read_unix_sysctls(packagekit_t)
|
||||
#kernel_read_net_sysctls(packagekit_t)
|
||||
#
|
||||
#corenet_tcp_bind_generic_node(packagekit_t)
|
||||
#
|
||||
#corenet_tcp_bind_kubernetes_port(packagekit_t)
|
||||
#corenet_tcp_bind_afs3_callback_port(packagekit_t)
|
||||
#
|
||||
#fs_getattr_xattr_fs(packagekit_t)
|
||||
#
|
||||
#logging_send_syslog_msg(packagekit_t)
|
||||
unconfined_dbus_chat(packagekit_t)
|
||||
init_dbus_chat(packagekit_t)
|
||||
optional_policy(`
|
||||
policykit_dbus_chat(packagekit_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
unconfined_domain(packagekit_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
snapper_dbus_chat(packagekit_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
systemd_dbus_chat_logind(packagekit_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
rpm_transition_script(packagekit_t,system_r)
|
||||
')
|
||||
|
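Review bot: The new side of packagekit.te still carries `permissive packagekit_t;` next to `optional_policy(` `unconfined_domain(packagekit_t)` `)`, so denials for this domain are logged but never enforced, and nothing says why or until when; whether the permissive line is added here or carried over cannot be told from the rendered hunk, but it survives the change either way. A comment such as `# TODO: drop permissive once the rules commented out above are confirmed` (or a reference to the tracking bug) above that line would record the intent, and the changelog entry in this commit does not mention that the module is permissive. The block of commented-out rules should be enabled or removed rather than kept as dead policy.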
@ -3,16 +3,7 @@ addFilter("W: zero-length /etc/selinux/.*")
|
||||
addFilter("W: hidden-file-or-dir /etc/selinux/minimum/.policy.sha512")
|
||||
addFilter("W: hidden-file-or-dir /etc/selinux/targeted/.policy.sha512")
|
||||
addFilter("W: hidden-file-or-dir /etc/selinux/mls/.policy.sha512")
|
||||
addFilter("W: files-duplicate /etc/selinux/minimum/seusers /etc/selinux/minimum/modules/active/seusers.final")
|
||||
addFilter("W: files-duplicate /etc/selinux/minimum/contexts/files/file_contexts /etc/selinux/minimum/modules/active/file_contexts")
|
||||
addFilter("W: files-duplicate /etc/selinux/minimum/modules/active/file_contexts.homedirs /etc/selinux/minimum/contexts/files/file_contexts.homedirs")
|
||||
addFilter("W: files-duplicate /etc/selinux/targeted/modules/active/seusers.final /etc/selinux/targeted/seusers")
|
||||
addFilter("W: files-duplicate /etc/selinux/targeted/modules/active/file_contexts /etc/selinux/targeted/contexts/files/file_contexts")
|
||||
addFilter("W: files-duplicate /etc/selinux/targeted/contexts/files/file_contexts.homedirs /etc/selinux/targeted/modules/active/file_contexts.homedirs")
|
||||
addFilter("W: files-duplicate /etc/selinux/mls/modules/active/seusers.final /etc/selinux/mls/seusers")
|
||||
addFilter("W: files-duplicate /etc/selinux/mls/modules/active/file_contexts /etc/selinux/mls/contexts/files/file_contexts")
|
||||
addFilter("W: files-duplicate /etc/selinux/mls/contexts/files/file_contexts.homedirs /etc/selinux/mls/modules/active/file_contexts.homedirs")
|
||||
addFilter("E: files-duplicated-waste")
|
||||
addFilter("E: files-duplicated-waste")
|
||||
addFilter("W: files-duplicate")
|
||||
addFilter("E: files-duplicated-waste")
|
||||
addFilter("W: zero-length")
|
||||
|
||||
|
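Review bot: The replacement filters `addFilter("W: files-duplicate")` and `addFilter("W: zero-length")` carry no path, so they silence those two rpmlint checks for every file in the package, whereas the filters they replace and the surviving `addFilter("W: zero-length /etc/selinux/.*")` in the hunk header are limited to the policy store. Anchoring them the same way, e.g. `addFilter("W: files-duplicate /etc/selinux/")`, keeps the checks active for anything outside /etc/selinux. `addFilter("E: files-duplicated-waste")` appears three times in the rendered hunk; if more than one copy is on the new side, the duplicates can go.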
@ -1,3 +1,42 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Feb 19 09:21:24 UTC 2020 - Johannes Segitz <jsegitz@suse.de>
|
||||
|
||||
- Update to version 20200219
|
||||
Refreshed fix_hadoop.patch
|
||||
Updated
|
||||
* fix_dbus.patch
|
||||
* fix_hadoop.patch
|
||||
* fix_nscd.patch
|
||||
* fix_xserver.patch
|
||||
Renamed postfix_paths.patch to fix_postfix.patch
|
||||
Added
|
||||
* fix_init.patch
|
||||
* fix_locallogin.patch
|
||||
* fix_policykit.patch
|
||||
* fix_iptables.patch
|
||||
* fix_irqbalance.patch
|
||||
* fix_ntp.patch
|
||||
* fix_fwupd.patch
|
||||
* fix_firewalld.patch
|
||||
* fix_logrotate.patch
|
||||
* fix_selinuxutil.patch
|
||||
* fix_corecommand.patch
|
||||
* fix_snapper.patch
|
||||
* fix_systemd.patch
|
||||
* fix_unconfined.patch
|
||||
* fix_unconfineduser.patch
|
||||
* fix_chronyd.patch
|
||||
* fix_networkmanager.patch
|
||||
* xdm_entrypoint_pam.patch
|
||||
- Removed modules minimum_temp_fixes and targeted_temp_fixes
|
||||
from the corresponding policies
|
||||
- Reduced default module list of minimum policy by removing
|
||||
apache inetd nis postfix mta modules
|
||||
- Adding/removing necessary pam config automatically
|
||||
- Minimum and targeted policy: Enable domain_can_mmap_files by default
|
||||
- Targeted policy: Disable selinuxuser_execmem, selinuxuser_execmod and
|
||||
selinuxuser_execstack to have safe defaults
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Aug 9 12:11:28 UTC 2019 - Johannes Segitz <jsegitz@suse.de>
|
||||
|
||||
|
@ -70,9 +70,9 @@ Summary: SELinux policy configuration
|
||||
License: GPL-2.0-or-later
|
||||
Group: System/Management
|
||||
Name: selinux-policy
|
||||
Version: 20190609
|
||||
Version: 20200219
|
||||
Release: 0
|
||||
Source: fedora-policy.20190802.tar.bz2
|
||||
Source: fedora-policy.%{version}.tar.bz2
|
||||
|
||||
Source10: modules-targeted-base.conf
|
||||
Source11: modules-targeted-contrib.conf
|
||||
@ -107,14 +107,6 @@ Source92: customizable_types
|
||||
#Source93: config.tgz
|
||||
Source94: file_contexts.subs_dist
|
||||
|
||||
Source100: minimum_temp_fixes.te
|
||||
Source101: minimum_temp_fixes.if
|
||||
Source102: minimum_temp_fixes.fc
|
||||
|
||||
Source110: targeted_temp_fixes.te
|
||||
Source111: targeted_temp_fixes.if
|
||||
Source112: targeted_temp_fixes.fc
|
||||
|
||||
Source120: packagekit.te
|
||||
Source121: packagekit.if
|
||||
Source122: packagekit.fc
|
||||
@ -125,12 +117,30 @@ Patch003: fix_gift.patch
|
||||
Patch004: fix_java.patch
|
||||
Patch005: fix_hadoop.patch
|
||||
Patch006: fix_thunderbird.patch
|
||||
Patch007: postfix_paths.patch
|
||||
Patch007: fix_postfix.patch
|
||||
Patch008: fix_nscd.patch
|
||||
Patch009: fix_sysnetwork.patch
|
||||
Patch010: fix_logging.patch
|
||||
Patch011: fix_xserver.patch
|
||||
Patch012: fix_miscfiles.patch
|
||||
Patch013: fix_init.patch
|
||||
Patch014: fix_locallogin.patch
|
||||
Patch015: fix_policykit.patch
|
||||
Patch016: fix_iptables.patch
|
||||
Patch017: fix_irqbalance.patch
|
||||
Patch018: fix_ntp.patch
|
||||
Patch019: fix_fwupd.patch
|
||||
Patch020: fix_firewalld.patch
|
||||
Patch021: fix_logrotate.patch
|
||||
Patch022: fix_selinuxutil.patch
|
||||
Patch024: fix_corecommand.patch
|
||||
Patch025: fix_snapper.patch
|
||||
Patch026: fix_systemd.patch
|
||||
Patch027: fix_unconfined.patch
|
||||
Patch028: fix_unconfineduser.patch
|
||||
Patch029: fix_chronyd.patch
|
||||
Patch030: fix_networkmanager.patch
|
||||
Patch031: xdm_entrypoint_pam.patch
|
||||
|
||||
Patch100: sedoctool.patch
|
||||
|
||||
@ -150,8 +160,10 @@ BuildRequires: python
|
||||
BuildRequires: python-xml
|
||||
#BuildRequires: selinux-policy-devel
|
||||
# we need selinuxenabled
|
||||
Requires(post): selinux-tools
|
||||
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
|
||||
Requires(pre): pam-config
|
||||
Requires(post): pam-config
|
||||
Requires(post): selinux-tools
|
||||
Requires(post): /bin/awk /usr/bin/sha512sum
|
||||
Recommends: audit
|
||||
Recommends: selinux-tools
|
||||
@ -349,6 +361,24 @@ systems and used as the basis for creating other policies.
|
||||
%patch010 -p1
|
||||
%patch011 -p1
|
||||
%patch012 -p1
|
||||
%patch013 -p1
|
||||
%patch014 -p1
|
||||
%patch015 -p1
|
||||
%patch016 -p1
|
||||
%patch017 -p1
|
||||
%patch018 -p1
|
||||
%patch019 -p1
|
||||
%patch020 -p1
|
||||
%patch021 -p1
|
||||
%patch022 -p1
|
||||
%patch024 -p1
|
||||
%patch025 -p1
|
||||
%patch026 -p1
|
||||
%patch027 -p1
|
||||
%patch028 -p1
|
||||
%patch029 -p1
|
||||
%patch030 -p1
|
||||
%patch031 -p1
|
||||
|
||||
%patch100 -p1
|
||||
|
||||
@ -374,16 +404,10 @@ done
|
||||
|
||||
make clean
|
||||
%if %{BUILD_TARGETED}
|
||||
for i in %{SOURCE110} %{SOURCE111} %{SOURCE112}; do
|
||||
cp $i policy/modules/contrib
|
||||
done
|
||||
%makeConfig targeted mcs n deny contrib
|
||||
%installCmds targeted mcs n allow
|
||||
%modulesList targeted
|
||||
%endif
|
||||
for i in %{SOURCE110} %{SOURCE111} %{SOURCE112}; do
|
||||
rm policy/modules/contrib/$(basename $i)
|
||||
done
|
||||
|
||||
%if %{BUILD_MLS}
|
||||
%makeConfig mls mls n deny contrib
|
||||
@ -392,9 +416,6 @@ done
|
||||
%endif
|
||||
|
||||
%if %{BUILD_MINIMUM}
|
||||
for i in %{SOURCE100} %{SOURCE101} %{SOURCE102}; do
|
||||
cp $i policy/modules/contrib
|
||||
done
|
||||
%makeConfig minimum mcs n deny contrib
|
||||
%installCmds minimum mcs n allow
|
||||
install -m0644 %{SOURCE18} %{buildroot}/usr/share/selinux/minimum/modules-minimum-disable.lst \
|
||||
@ -434,6 +455,9 @@ else
|
||||
[ -f %{_sysconfdir}/selinux/${SELINUXTYPE}/seusers ] && cp -f %{_sysconfdir}/selinux/${SELINUXTYPE}/seusers %{module_store ${SELINUXTYPE}}/active/seusers
|
||||
fi
|
||||
%tmpfiles_create %_tmpfilesdir/selinux-policy.conf
|
||||
if [ $1 -eq 1 ]; then
|
||||
pam-config -a --selinux
|
||||
fi
|
||||
exit 0
|
||||
|
||||
%global post_un() \
|
||||
@ -443,6 +467,7 @@ if [ $1 -eq 0 ]; then \
|
||||
if [ -s %{_sysconfdir}/selinux/config ]; then \
|
||||
sed -i --follow-symlinks 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config \
|
||||
fi \
|
||||
pam-config -d --selinux \
|
||||
fi \
|
||||
exit 0
|
||||
|
||||
@ -534,14 +559,12 @@ fi
|
||||
%post minimum
|
||||
contribpackages=`cat /usr/share/selinux/minimum/modules-contrib.lst`
|
||||
basepackages=`cat /usr/share/selinux/minimum/modules-base.lst`
|
||||
if [ ! -d /var/lib/selinux/minimum/active/modules/disabled ]; then
|
||||
mkdir /var/lib/selinux/minimum/active/modules/disabled
|
||||
fi
|
||||
mkdir -p /var/lib/selinux/minimum/active/modules/disabled 2>/dev/null
|
||||
if [ $1 -eq 1 ]; then
|
||||
for p in $contribpackages; do
|
||||
touch /var/lib/selinux/minimum/active/modules/disabled/$p
|
||||
done
|
||||
for p in $basepackages apache dbus inetd kerberos mta nis nscd rpm postfix rtkit; do
|
||||
for p in $basepackages dbus kerberos nscd rpm rtkit; do
|
||||
rm -f /var/lib/selinux/minimum/active/modules/disabled/$p
|
||||
done
|
||||
/usr/sbin/semanage import -S minimum -f - << __eof
|
||||
@ -555,7 +578,7 @@ instpackages=`cat /usr/share/selinux/minimum/instmodules.lst`
|
||||
for p in $contribpackages; do
|
||||
touch /var/lib/selinux/minimum/active/modules/disabled/$p
|
||||
done
|
||||
for p in $instpackages apache dbus inetd kerberos mta nis nscd postfix rtkit; do
|
||||
for p in $instpackages dbus kerberos nscd rtkit; do
|
||||
rm -f /var/lib/selinux/minimum/active/modules/disabled/$p
|
||||
done
|
||||
/usr/sbin/semodule -B -s minimum
|
||||
|
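Review bot: The `%global post_un()` hunk now runs `pam-config -d --selinux \` when the package is removed, but the dependency hunk adds only `Requires(pre): pam-config` and `Requires(post): pam-config`; without `Requires(postun): pam-config` rpm may remove pam-config earlier in the same transaction, leaving pam_selinux configured on a system without the policy package. Add `Requires(postun): pam-config` beside the two existing lines. Note also that `pam-config -a --selinux` in the `%post` hunk is guarded by `if [ $1 -eq 1 ]`, so systems upgrading from 20190609 never get the entry added, while this commit's changelog says the pam config is handled automatically; either run it on upgrade too or state the limitation in the changelog. The spec section has several hunks; this note covers the post/post_un ones, the others look fine.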
@ -1 +0,0 @@
|
||||
## <summary></summary>
|
@ -1,54 +0,0 @@
|
||||
policy_module(targeted_temp_fixes, 1.0)
|
||||
|
||||
require {
|
||||
type iptables_t;
|
||||
type nscd_t;
|
||||
type lib_t;
|
||||
type bin_t;
|
||||
type init_t;
|
||||
type irqbalance_t;
|
||||
type iptables_var_lib_t;
|
||||
type postfix_master_t;
|
||||
type firewalld_t;
|
||||
type postfix_map_exec_t;
|
||||
type xdm_t;
|
||||
type groupadd_t;
|
||||
type useradd_t;
|
||||
class netlink_selinux_socket { bind create };
|
||||
class dir { add_name mounton write };
|
||||
class file { create execute execute_no_trans getattr ioctl lock open read };
|
||||
}
|
||||
|
||||
#============= firewalld_t ==============
|
||||
allow firewalld_t iptables_var_lib_t:dir { add_name write };
|
||||
allow firewalld_t iptables_var_lib_t:file { create lock open read };
|
||||
|
||||
#============= init_t ==============
|
||||
allow init_t bin_t:dir mounton;
|
||||
allow init_t lib_t:dir mounton;
|
||||
allow init_t postfix_map_exec_t:file { execute execute_no_trans getattr ioctl open read };
|
||||
files_rw_var_files(init_t)
|
||||
fwupd_manage_cache_dirs(init_t)
|
||||
ntp_read_drift_files(init_t)
|
||||
|
||||
#============= iptables_t ==============
|
||||
kernel_rw_pipes(iptables_t)
|
||||
|
||||
#============= irqbalance_t ==============
|
||||
init_nnp_daemon_domain(irqbalance_t)
|
||||
|
||||
#============= nscd_t ==============
|
||||
files_exec_generic_pid_files(nscd_t)
|
||||
|
||||
#============= postfix_master_t ==============
|
||||
files_read_var_lib_files(postfix_master_t)
|
||||
files_read_var_lib_symlinks(postfix_master_t)
|
||||
|
||||
#============= xdm_t ==============
|
||||
# KDE write to home directories
|
||||
userdom_manage_user_home_content_files(xdm_t)
|
||||
|
||||
#============= groupadd_t ============== allow groupadd_t self:netlink_selinux_socket { bind create };
|
||||
allow useradd_t self:netlink_selinux_socket { bind create };
|
||||
selinux_compute_access_vector(groupadd_t)
|
||||
selinux_compute_access_vector(useradd_t)
|
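--- a/xdm_entrypoint_pam.patch
+++ b/xdm_entrypoint_pam.patch
@@ -0,0 +1,43 @@
+Index: fedora-policy/policy/modules/roles/unconfineduser.te
+===================================================================
+--- fedora-policy.orig/policy/modules/roles/unconfineduser.te
++++ fedora-policy/policy/modules/roles/unconfineduser.te
+@@ -126,6 +126,10 @@ optional_policy(`
+')
+
+optional_policy(`
++ xdm_entrypoint(unconfined_t)
++ ')
++
++ optional_policy(`
+abrt_dbus_chat(unconfined_t)
+abrt_run_helper(unconfined_t, unconfined_r)
+')
+Index: fedora-policy/policy/modules/services/xserver.if
+===================================================================
+--- fedora-policy.orig/policy/modules/services/xserver.if
++++ fedora-policy/policy/modules/services/xserver.if
+@@ -507,6 +507,23 @@ interface(`xserver_domtrans_xdm',`
+domtrans_pattern($1, xdm_exec_t, xdm_t)
+')
+
++########################################
++## <summary>
++## Allow any xdm_exec_t to be an entrypoint of this domain
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`xdm_entrypoint',`
++ gen_require(`
++ type xdm_exec_t;
++ ')
++ allow $1 xdm_exec_t:file entrypoint;
++')
+
+########################################
+## <summary>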
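Review bot: The new interface is named `xdm_entrypoint`, while the interfaces of xserver.if visible here carry the module prefix (`xserver_domtrans_xdm` in the hunk header), so the name breaks the convention by which callers locate interfaces by module; a name following that pattern would be `xserver_entrypoint_xdm` (proposed, not an existing interface). Its summary `## Allow any xdm_exec_t to be an entrypoint of this domain` should also say what the grant is for, presumably letting the display manager's PAM session land in unconfined_t, because an entrypoint on xdm_exec_t is the permission that makes transitions from xdm_t into unconfined_t on those binaries possible and a reader will want to know that is intended; the patch name says "pam" but neither the interface doc nor the changelog does. The unconfineduser.te hunk raises nothing beyond using the renamed interface.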