Navigation

← Previous Changeset
Next Changeset →

Changeset 2772

Timestamp:

08/07/08 09:17:50 (4 months ago)

Author:

cpebenito

Message:

trunk: 11 more cherry picks from fedora policy, by david hardeman.

Files:

trunk/Changelog (modified) (1 diff)
trunk/policy/modules/admin/amanda.fc (modified) (1 diff)
trunk/policy/modules/admin/amanda.te (modified) (3 diffs)
trunk/policy/modules/admin/anaconda.te (modified) (3 diffs)
trunk/policy/modules/admin/kismet.te (modified) (2 diffs)
trunk/policy/modules/admin/netutils.if (modified) (1 diff)
trunk/policy/modules/admin/netutils.te (modified) (1 diff)
trunk/policy/modules/apps/usernetctl.if (modified) (1 diff)
trunk/policy/modules/apps/usernetctl.te (modified) (3 diffs)
trunk/policy/modules/kernel/storage.fc (modified) (2 diffs)
trunk/policy/modules/kernel/storage.if (modified) (1 diff)
trunk/policy/modules/kernel/storage.te (modified) (1 diff)
trunk/policy/modules/services/fetchmail.te (modified) (2 diffs)
trunk/policy/modules/services/oav.te (modified) (3 diffs)
trunk/policy/modules/services/ricci.te (modified) (2 diffs)
trunk/policy/modules/services/rsync.fc (modified) (1 diff)
trunk/policy/modules/services/rsync.te (modified) (6 diffs)
trunk/policy/modules/services/stunnel.if (modified) (1 diff)
trunk/policy/modules/services/stunnel.te (modified) (2 diffs)
trunk/policy/modules/system/hotplug.te (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

trunk/Changelog

r2771	r2772
4	4	- Database labeled networking update from KaiGai Kohei.
5	5	- Several misc changes from the Fedora policy, cherry picked by David
6		Hrdeman.
	6	Hardeman.
7	7	- Large whitespace fix from Dominick Grift.
8	8	- Pam_mount fix for local login from Stefan Schulze Frielinghaus.

trunk/policy/modules/admin/amanda.fc

r2009	r2772
4	4	/etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0)
5	5	/etc/dumpdates gen_context(system_u:object_r:amanda_dumpdates_t,s0)
	6	/etc/amanda/./index(/.)? gen_context(system_u:object_r:amanda_data_t,s0)
6	7
7	8	/root/restore -d gen_context(system_u:object_r:amanda_recover_dir_t,s0)

trunk/policy/modules/admin/amanda.te

r2763	r2772
1	1
2		policy_module(amanda, 1.9.0)
	2	policy_module(amanda, 1.9.1)
3	3
4	4	#######################################
…	…
83	83
84	84	# access to amandas data structure
85		allow amanda_t amanda_data_t:dir { read search write };
86		allow amanda_t amanda_data_t:file manage_file_perms;
	85	manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
	86	manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
	87	filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
87	88
88	89	# access to amanda_dumpdates_t
…	…
147	148
148	149	storage_raw_read_fixed_disk(amanda_t)
	150	storage_read_tape(amanda_t)
	151	storage_write_tape(amanda_t)
149	152
150	153	# Added for targeted policy

trunk/policy/modules/admin/anaconda.te

r2763	r2772
1	1
2		policy_module(anaconda, 1.3.0)
	2	policy_module(anaconda, 1.3.1)
3	3
4	4	########################################
…	…
33	33	seutil_domtrans_semanage(anaconda_t)
34	34
35		~~unconfined_domain(anaconda_t)~~
36
37	35	unprivuser_home_dir_filetrans_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
38
39		~~optional_policy(`~~
40		~~dmesg_domtrans(anaconda_t)~~
41		')
42	36
43	37	optional_policy(`
…	…
59	53
60	54	optional_policy(`
	55	unconfined_domain(anaconda_t)
	56	')
	57
	58	optional_policy(`
61	59	usermanage_domtrans_admin_passwd(anaconda_t)
62	60	')

trunk/policy/modules/admin/kismet.te

r2764	r2772
1	1
2		policy_module(kismet, 1.0.1)
	2	policy_module(kismet, 1.0.2)
3	3
4	4	########################################
…	…
26	26	#
27	27
28		allow kismet_t self:capability { net_admin setuid setgid };
	28	allow kismet_t self:capability { net_admin net_raw setuid setgid };
29	29	allow kismet_t self:packet_socket create_socket_perms;
30	30

trunk/policy/modules/admin/netutils.if

r2763	r2772
67	67
68	68	can_exec($1, netutils_exec_t)
	69	')
	70
	71	########################################
	72	## <summary>
	73	## Send generic signals to network utilities.
	74	## </summary>
	75	## <param name="domain">
	76	## <summary>
	77	## Domain allowed access.
	78	## </summary>
	79	## </param>
	80	#
	81	interface(`netutils_signal',`
	82	gen_require(`
	83	type netutils_t;
	84	')
	85
	86	allow $1 netutils_t:process signal;
69	87	')
70	88

trunk/policy/modules/admin/netutils.te

r2763 r2772

1 1
2 policy_module(netutils, 1.6.0)
2 policy_module(netutils, 1.6.1)
3 3
4 4 ########################################

trunk/policy/modules/apps/usernetctl.if

r2763	r2772
64	64	modutils_run_insmod(usernetctl_t, $2, $3)
65	65	')
	66
	67
	68	optional_policy(`
	69	ppp_run(usernetctl_t,$2,$3)
	70	')
66	71	')

trunk/policy/modules/apps/usernetctl.te

r2763	r2772
1	1
2		policy_module(usernetctl, 1.3.0)
	2	policy_module(usernetctl, 1.3.1)
3	3
4	4	########################################
…	…
50	50	fs_search_auto_mountpoints(usernetctl_t)
51	51
	52	auth_use_nsswitch(usernetctl_t)
	53
52	54	libs_use_ld_so(usernetctl_t)
53	55	libs_use_shared_libs(usernetctl_t)
	56
	57	logging_send_syslog_msg(usernetctl_t)
54	58
55	59	miscfiles_read_localization(usernetctl_t)
…	…
58	62
59	63	sysnet_read_config(usernetctl_t)
	64
	65	term_search_ptys(usernetctl_t)
60	66
61	67	optional_policy(`

trunk/policy/modules/kernel/storage.fc

r2478	r2772
14	14	/dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
15	15	/dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
	16	/dev/drbd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
16	17	/dev/fd[^/]+ -b gen_context(system_u:object_r:removable_device_t,s0)
17	18	/dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
…	…
49	50	/dev/ub[a-z][^/]+ -b gen_context(system_u:object_r:removable_device_t,mls_systemhigh)
50	51	/dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
	52	/dev/vd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
51	53	/dev/xvd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
52	54

trunk/policy/modules/kernel/storage.if

r2763	r2772
78	78
79	79	dontaudit $1 fixed_disk_device_t:blk_file setattr;
	80	')
	81
	82	########################################
	83	## <summary>
	84	## dontaudit the caller attempts to read from a fixed disk.
	85	## </summary>
	86	## <param name="domain">
	87	## <summary>
	88	## The type of the process performing this action.
	89	## </summary>
	90	## </param>
	91	#
	92	interface(`storage_dontaudit_raw_read_fixed_disk',`
	93	gen_require(`
	94	attribute fixed_disk_raw_read;
	95	type fixed_disk_device_t;
	96	')
	97
	98	dontaudit $1 fixed_disk_device_t:blk_file read_blk_file_perms;
	99	dontaudit $1 fixed_disk_device_t:chr_file read_chr_file_perms;
80	100	')
81	101

trunk/policy/modules/kernel/storage.te

r2763 r2772

1 1
2 policy_module(storage, 1.6.0)
2 policy_module(storage, 1.6.1)
3 3
4 4 ########################################

trunk/policy/modules/services/fetchmail.te

r2763	r2772
1	1
2		policy_module(fetchmail, 1.6.0)
	2	policy_module(fetchmail, 1.6.1)
3	3
4	4	########################################
…	…
15	15
16	16	type fetchmail_etc_t;
17		files_~~typ~~e(fetchmail_etc_t)
	17	files_config_file(fetchmail_etc_t)
18	18
19	19	type fetchmail_uidl_cache_t;

trunk/policy/modules/services/oav.te

r2763	r2772
1	1
2		policy_module(oav, 1.6.0)
	2	policy_module(oav, 1.6.1)
3	3
4	4	########################################
…	…
13	13	# cjp: may be collapsable to etc_t
14	14	type oav_update_etc_t;
15		files_~~typ~~e(oav_update_etc_t)
	15	files_config_file(oav_update_etc_t)
16	16
17	17	type oav_update_var_lib_t;
…	…
23	23
24	24	type scannerdaemon_etc_t;
25		files_~~typ~~e(scannerdaemon_etc_t)
	25	files_config_file(scannerdaemon_etc_t)
26	26
27	27	type scannerdaemon_log_t;

trunk/policy/modules/services/ricci.te

r2763	r2772
1	1
2		policy_module(ricci, 1.3.0)
	2	policy_module(ricci, 1.3.1)
3	3
4	4	########################################
…	…
444	444	files_lock_filetrans(ricci_modstorage_t, ricci_modstorage_lock_t, file)
445	445
	446	corecmd_exec_shell(ricci_modstorage_t)
446	447	corecmd_exec_bin(ricci_modstorage_t)
447	448

trunk/policy/modules/services/rsync.fc

r735	r2772
1	1
2	2	/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)
	3
	4	/var/log/rsync\.log -- gen_context(system_u:object_r:rsync_log_t,s0)
	5
	6	/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_log_t,s0)

trunk/policy/modules/services/rsync.te

r2763	r2772
1	1
2		policy_module(rsync, 1.6.0)
	2	policy_module(rsync, 1.6.1)
3	3
4	4	########################################
…	…
32	32	files_type(rsync_data_t)
33	33
	34	type rsync_log_t;
	35	logging_log_file(rsync_log_t)
	36
34	37	type rsync_tmp_t;
35	38	files_tmp_file(rsync_tmp_t)
…	…
43	46	#
44	47
45		allow rsync_t self:capability ~~sys_chroot~~;
	48	allow rsync_t self:capability { dac_read_search dac_override setuid setgid sys_chroot };
46	49	allow rsync_t self:process signal_perms;
47	50	allow rsync_t self:fifo_file rw_fifo_file_perms;
…	…
53	56	# search home and kerberos also.
54	57	allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
55		~~allow rsync_t self:capability { setuid setgid };~~
56	58	#end for identd
57	59
…	…
96	98
97	99	logging_send_syslog_msg(rsync_t)
98		logging_dontaudit_search_logs(rsync_t)
	100	manage_files_pattern(rsync_t,rsync_log_t,rsync_log_t)
	101	logging_log_filetrans(rsync_t,rsync_log_t,file)
99	102
100	103	miscfiles_read_localization(rsync_t)
…	…
118	121
119	122	tunable_policy(`rsync_export_all_ro',`
120		~~allow rsync_t self:capability dac_override;~~
121	123	fs_read_noxattr_fs_files(rsync_t)
122	124	auth_read_all_files_except_shadow(rsync_t)

trunk/policy/modules/services/stunnel.if

r676	r2772
1	1	## <summary>SSL Tunneling Proxy</summary>
	2
	3	########################################
	4	## <summary>
	5	## Define the specified domain as a stunnel inetd service.
	6	## </summary>
	7	## <param name="domain">
	8	## <summary>
	9	## The type associated with the stunnel inetd service process.
	10	## </summary>
	11	## </param>
	12	## <param name="entrypoint">
	13	## <summary>
	14	## The type associated with the process program.
	15	## </summary>
	16	## </param>
	17	#
	18	interface(`stunnel_service_domain',`
	19	gen_require(`
	20	type stunnel_t;
	21	')
	22
	23	domtrans_pattern(stunnel_t,$2,$1)
	24	allow $1 stunnel_t:tcp_socket rw_socket_perms;
	25	')

trunk/policy/modules/services/stunnel.te

r2763	r2772
1	1
2		policy_module(stunnel, 1.6.0)
	2	policy_module(stunnel, 1.6.1)
3	3
4	4	########################################
…	…
21	21
22	22	type stunnel_etc_t;
23		files_~~typ~~e(stunnel_etc_t)
	23	files_config_file(stunnel_etc_t)
24	24
25	25	type stunnel_tmp_t;

trunk/policy/modules/system/hotplug.te

r2742	r2772
1	1
2		policy_module(hotplug, 1.9.0)
	2	policy_module(hotplug, 1.9.1)
3	3
4	4	########################################
…	…
122	122	# for arping used for static IP addresses on PCMCIA ethernet
123	123	netutils_domtrans(hotplug_t)
	124	netutils_signal(hotplug_t)
124	125	fs_rw_tmpfs_chr_files(hotplug_t)
125	126	')

Download in other formats:

Unified Diff
Zip Disabled

* Generating other formats may take time.

r2763	r2772
1	1
2		policy_module(netutils, 1.6.0)
	2	policy_module(netutils, 1.6.1)
3	3
4	4	########################################

r2763	r2772
1	1
2		policy_module(storage, 1.6.0)
	2	policy_module(storage, 1.6.1)
3	3
4	4	########################################