Navigation

← Previous Changeset
Next Changeset →

Changeset 2654

Timestamp:

03/31/08 09:04:13 (8 months ago)

Author:

pebenito

Message:

xselinux: update to trunk 2653.

Files:

branches/xselinux/Changelog (modified) (1 diff)
branches/xselinux/policy/modules/apps/slocate.te (modified) (2 diffs)
branches/xselinux/policy/modules/apps/wireshark.fc (copied) (copied from trunk/policy/modules/apps/wireshark.fc)
branches/xselinux/policy/modules/apps/wireshark.if (copied) (copied from trunk/policy/modules/apps/wireshark.if)
branches/xselinux/policy/modules/apps/wireshark.te (copied) (copied from trunk/policy/modules/apps/wireshark.te)
branches/xselinux/policy/modules/kernel/selinux.te (modified) (2 diffs)
branches/xselinux/policy/modules/services/lpd.if (modified) (1 diff)
branches/xselinux/policy/modules/services/lpd.te (modified) (1 diff)
branches/xselinux/policy/modules/services/mysql.te (modified) (2 diffs)
branches/xselinux/policy/modules/services/nx.fc (modified) (1 diff)
branches/xselinux/policy/modules/services/nx.te (modified) (1 diff)
branches/xselinux/policy/modules/services/pcscd.te (modified) (2 diffs)
branches/xselinux/policy/modules/services/samba.if (modified) (1 diff)
branches/xselinux/policy/modules/services/samba.te (modified) (1 diff)
branches/xselinux/policy/modules/system/getty.te (modified) (2 diffs)
branches/xselinux/policy/modules/system/hotplug.te (modified) (2 diffs)
branches/xselinux/policy/modules/system/init.te (modified) (2 diffs)
branches/xselinux/policy/modules/system/logging.fc (modified) (1 diff)
branches/xselinux/policy/modules/system/logging.te (modified) (1 diff)
branches/xselinux/policy/modules/system/sysnetwork.if (modified) (3 diffs)
branches/xselinux/policy/modules/system/sysnetwork.te (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

branches/xselinux/Changelog

r2634	r2654
	1	- Fix winbind socket connection interface for default location of the
	2	sock_file.
	3	- Add wireshark module based on ethereal module.
1	4	- Revise upstart support in init module to use a tunable, as upstart is now
2	5	used in Fedora too.

branches/xselinux/policy/modules/apps/slocate.te

r2435	r2654
1	1
2		policy_module(slocate,1.6.0)
	2	policy_module(slocate,1.6.1)
3	3
4	4	#################################
…	…
40	40	files_list_all(locate_t)
41	41	files_getattr_all_files(locate_t)
	42	files_getattr_all_pipes(locate_t)
42	43	files_getattr_all_sockets(locate_t)
43	44	files_read_etc_runtime_files(locate_t)

branches/xselinux/policy/modules/kernel/selinux.te

r2573	r2654
1	1
2		policy_module(selinux,1.5.0)
	2	policy_module(selinux,1.5.1)
3	3
4	4	########################################
…	…
22	22	sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
23	23	genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
	24	genfscon securityfs / gen_context(system_u:object_r:security_t,s0)
24	25
25	26	neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;

branches/xselinux/policy/modules/services/lpd.if

r2548	r2654
337	337
338	338	files_search_spool($1)
339		manage_files_pattern($1,print_spool_t,print_spool_t)
340
341		# cjp: cups wants setattr
342		allow $1 print_spool_t:dir setattr;
	339	manage_dirs_pattern($1, print_spool_t, print_spool_t)
	340	manage_files_pattern($1, print_spool_t, print_spool_t)
343	341	')
344	342

branches/xselinux/policy/modules/services/lpd.te

r2573 r2654

1 1
2 policy_module(lpd,1.8.0)
2 policy_module(lpd,1.8.1)
3 3
4 4 ########################################

branches/xselinux/policy/modules/services/mysql.te

r2573	r2654
1	1
2		policy_module(mysql,1.6.0)
	2	policy_module(mysql,1.6.1)
3	3
4	4	########################################
…	…
55	55	files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
56	56
57		manage_files_pattern(mysqld_t,~~mysqld_var_run_t,~~mysqld_var_run_t)
58		manage_sock_files_pattern(mysqld_t,~~mysqld_var_run_t,~~mysqld_var_run_t)
59		files_pid_filetrans(mysqld_t,~~mysqld_var_run_t,file~~)
	57	manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
	58	manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
	59	files_pid_filetrans(mysqld_t, mysqld_var_run_t,{ file sock_file })
60	60
61	61	kernel_read_system_state(mysqld_t)

branches/xselinux/policy/modules/services/nx.fc

r1799	r2654
4	4
5	5	/opt/NX/var(/.*)? gen_context(system_u:object_r:nx_server_var_run_t,s0)
	6
	7	/usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)

branches/xselinux/policy/modules/services/nx.te

r2360 r2654

1 1
2 policy_module(nx,1.2.0)
2 policy_module(nx,1.2.1)
3 3
4 4 ########################################

branches/xselinux/policy/modules/services/pcscd.te

r2573	r2654
1	1
2		policy_module(pcscd,1.3.0)
	2	policy_module(pcscd,1.3.1)
3	3
4	4	########################################
…	…
46	46	files_read_etc_runtime_files(pcscd_t)
47	47
	48	term_use_unallocated_ttys(pcscd_t)
48	49	term_dontaudit_getattr_pty_dirs(pcscd_t)
49	50

branches/xselinux/policy/modules/services/samba.if

r2463	r2654
485	485	#
486	486	interface(`samba_stream_connect_winbind',`
487		gen_require(`
488		type samba_var_t, winbind_t, winbind_var_run_t;
489		')
490
491		files_search_pids($1)
492		allow $1 samba_var_t:dir search_dir_perms;
493		stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t)
494		')
	487	ifdef(`distro_redhat',`
	488	gen_require(`
	489	type samba_var_t, winbind_t, winbind_var_run_t;
	490	')
	491
	492	files_search_pids($1)
	493	allow $1 samba_var_t:dir search_dir_perms;
	494	stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t)
	495	',`
	496	gen_require(`
	497	type winbind_t, winbind_tmp_t;
	498	')
	499
	500	# the default for the socket is (poorly named):
	501	# /tmp/.winbindd/pipe
	502	files_search_tmp($1)
	503	stream_connect_pattern($1,winbind_tmp_t,winbind_tmp_t,winbind_t)
	504	')
	505	')

branches/xselinux/policy/modules/services/samba.te

r2634 r2654

1 1
2 policy_module(samba,1.7.1)
2 policy_module(samba,1.7.2)
3 3
4 4 #################################

branches/xselinux/policy/modules/system/getty.te

r2613	r2654
1	1
2		policy_module(getty,1.5.1)
	2	policy_module(getty,1.5.2)
3	3
4	4	########################################
…	…
104	104	# Gentoo default /etc/issue makes agetty
105	105	# do a DNS lookup for the hostname
106		dontaudit getty_t self:udp_socket create_socket_perms;
107
108		corenet_dontaudit_all_recvfrom_unlabeled(getty_t)
109		corenet_dontaudit_udp_sendrecv_generic_if(getty_t)
110		corenet_dontaudit_udp_sendrecv_all_nodes(getty_t)
111		corenet_dontaudit_udp_sendrecv_dns_port(getty_t)
112		corenet_dontaudit_sendrecv_dns_client_packets(getty_t)
113
114		sysnet_dontaudit_read_config(getty_t)
	106	sysnet_dns_name_resolve(getty_t)
115	107	')
116	108

branches/xselinux/policy/modules/system/hotplug.te

r2573	r2654
1	1
2		policy_module(hotplug,1.7.0)
	2	policy_module(hotplug,1.7.1)
3	3
4	4	########################################
…	…
180	180	sysnet_rw_dhcp_config(hotplug_t)
181	181	sysnet_domtrans_ifconfig(hotplug_t)
	182	sysnet_signal_ifconfig(hotplug_t)
182	183	')
183	184

branches/xselinux/policy/modules/system/init.te

r2634	r2654
1	1
2		policy_module(init,1.9.2)
	2	policy_module(init,1.9.3)
3	3
4	4	gen_require(`
…	…
428	428	seutil_read_default_contexts(initrc_t)
429	429
	430	# /lib/rcscripts/net/system.sh rewrites resolv.conf :(
	431	sysnet_create_config(initrc_t)
	432	sysnet_write_config(initrc_t)
	433	sysnet_setattr_config(initrc_t)
	434
430	435	optional_policy(`
431	436	arpwatch_manage_data_files(initrc_t)

branches/xselinux/policy/modules/system/logging.fc

r2634	r2654
20	20	/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
21	21	/usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
	22
	23	/var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
22	24
23	25	ifdef(`distro_suse', `

branches/xselinux/policy/modules/system/logging.te

r2634 r2654

1 1
2 policy_module(logging,1.9.1)
2 policy_module(logging,1.9.2)
3 3
4 4 ########################################

branches/xselinux/policy/modules/system/sysnetwork.if

r2352	r2654
204	204	#######################################
205	205	## <summary>
206		## Allow network init to read network config files.
207		## </summary>
208		## <param name="domain">
209		## <summary>
210		## The type of the process performing this action.
	206	## Set the attributes of network config files.
	207	## </summary>
	208	## <param name="domain">
	209	## <summary>
	210	## Domain allowed access.
	211	## </summary>
	212	## </param>
	213	#
	214	interface(`sysnet_setattr_config',`
	215	gen_require(`
	216	type net_conf_t;
	217	')
	218
	219	files_search_etc($1)
	220	allow $1 net_conf_t:file setattr;
	221	')
	222
	223	#######################################
	224	## <summary>
	225	## Read network config files.
	226	## </summary>
	227	## <param name="domain">
	228	## <summary>
	229	## Domain allowed access.
211	230	## </summary>
212	231	## </param>
…	…
237	256
238	257	dontaudit $1 net_conf_t:file read_file_perms;
	258	')
	259
	260	#######################################
	261	## <summary>
	262	## Write network config files.
	263	## </summary>
	264	## <param name="domain">
	265	## <summary>
	266	## Domain allowed access.
	267	## </summary>
	268	## </param>
	269	#
	270	interface(`sysnet_write_config',`
	271	gen_require(`
	272	type net_conf_t;
	273	')
	274
	275	files_search_etc($1)
	276	allow $1 net_conf_t:file write_file_perms;
	277	')
	278
	279	#######################################
	280	## <summary>
	281	## Create network config files.
	282	## </summary>
	283	## <param name="domain">
	284	## <summary>
	285	## Domain allowed access.
	286	## </summary>
	287	## </param>
	288	#
	289	interface(`sysnet_create_config',`
	290	gen_require(`
	291	type net_conf_t;
	292	')
	293
	294	files_search_etc($1)
	295	allow $1 net_conf_t:file create_file_perms;
239	296	')
240	297
…	…
383	440	corecmd_search_bin($1)
384	441	can_exec($1,ifconfig_exec_t)
	442	')
	443
	444	########################################
	445	## <summary>
	446	## Send a generic signal to ifconfig.
	447	## </summary>
	448	## <param name="domain">
	449	## <summary>
	450	## Domain allowed access.
	451	## </summary>
	452	## </param>
	453	## <rolecap/>
	454	#
	455	interface(`sysnet_signal_ifconfig',`
	456	gen_require(`
	457	type ifconfig_t;
	458	')
	459
	460	allow $1 ifconfig_t:process signal;
385	461	')
386	462

branches/xselinux/policy/modules/system/sysnetwork.te

r2613	r2654
1	1
2		policy_module(sysnetwork,1.5.0)
	2	policy_module(sysnetwork,1.5.2)
3	3
4	4	########################################
…	…
51	51	allow dhcpc_t self:udp_socket create_socket_perms;
52	52	allow dhcpc_t self:packet_socket create_socket_perms;
53		allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read };
	53	allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
54	54
55	55	allow dhcpc_t dhcp_etc_t:dir list_dir_perms;

Download in other formats:

Unified Diff
Zip Disabled

* Generating other formats may take time.

r2573	r2654
1	1
2		policy_module(lpd,1.8.0)
	2	policy_module(lpd,1.8.1)
3	3
4	4	########################################

r2360	r2654
1	1
2		policy_module(nx,1.2.0)
	2	policy_module(nx,1.2.1)
3	3
4	4	########################################

r2634	r2654
1	1
2		policy_module(samba,1.7.1)
	2	policy_module(samba,1.7.2)
3	3
4	4	#################################

r2634	r2654
1	1
2		policy_module(logging,1.9.1)
	2	policy_module(logging,1.9.2)
3	3
4	4	########################################