rpms/selinux-policy/F-8 policy-20070703.patch,1.231,1.232
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Nov 13 19:26:56 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv24268
Modified Files:
policy-20070703.patch
Log Message:
* Thu Nov 13 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-125
- Add pki policy
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.231
retrieving revision 1.232
diff -u -r1.231 -r1.232
--- policy-20070703.patch 13 Nov 2008 15:49:40 -0000 1.231
+++ policy-20070703.patch 13 Nov 2008 19:26:55 -0000 1.232
@@ -4968,7 +4968,7 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-06-12 23:37:56.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in 2008-10-20 16:22:16.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in 2008-11-13 14:23:10.000000000 -0500
@@ -55,6 +55,11 @@
type reserved_port_t, port_type, reserved_port_type;
@@ -5031,10 +5031,16 @@
network_port(nessus, tcp,1241,s0)
network_port(netsupport, tcp,5405,s0, udp,5405,s0)
network_port(nmbd, udp,137,s0, udp,138,s0)
-@@ -122,10 +136,12 @@
+@@ -122,10 +136,18 @@
network_port(openvpn, tcp,1194,s0, udp,1194,s0)
network_port(pegasus_http, tcp,5988,s0)
network_port(pegasus_https, tcp,5989,s0)
++network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443, s0, tcp, 9444, s0, tcp, 9445, s0)
++network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443, s0, tcp, 10444, s0, tcp, 10445, s0)
++network_port(pki_ospc, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443, s0, tcp, 11444, s0, tcp, 11445, s0)
++network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443, s0, tcp, 13444, s0, tcp, 13445, s0)
++network_port(pki_ra, tcp, 12888, s0, tcp, 12889, s0)
++network_port(pki_tps, tcp, 7888, s0, tcp, 7889, s0)
+network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
network_port(portmap, udp,111,s0, tcp,111,s0)
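Review bot: The `pki_ospc` entry on the third new `network_port` line does not match the rest of the series, which spells the subsystem `pki_ocsp` in pki.fc, pki.if and pki.te; `pki_ca_template(pki_ocsp)` in pki.te requires `type $1_port_t`, i.e. `pki_ocsp_port_t`, which this hunk never declares, so the module would most likely fail to link and in any case could not bind its own ports. The line should read `network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443, s0, tcp, 11444, s0, tcp, 11445, s0)`. The six pki entries also use a different comma/space style from the surrounding `network_port` lines; matching it is cosmetic but keeps the generated corenetwork.te consistent.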
@@ -5044,7 +5050,7 @@
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pxe, udp,4011,s0)
-@@ -137,16 +153,16 @@
+@@ -137,16 +159,16 @@
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0)
@@ -5064,7 +5070,7 @@
type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
-@@ -154,19 +170,26 @@
+@@ -154,19 +176,26 @@
network_port(syslogd, udp,514,s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
@@ -15218,6 +15224,818 @@
rpm_exec(pegasus_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pki.fc serefpolicy-3.0.8/policy/modules/services/pki.fc
+--- nsaserefpolicy/policy/modules/services/pki.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/pki.fc 2008-11-13 14:23:53.000000000 -0500
+@@ -0,0 +1,66 @@
++
++/usr/bin/dtomcat5-pki-ca -- gen_context(system_u:object_r:pki_ca_exec_t,s0)
++
++/etc/init.d/pki-ca -- gen_context(system_u:object_r:pki_ca_script_exec_t,s0)
++
++/etc/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_etc_rw_t,s0)
++/etc/pki-ca/tomcat5.conf -- gen_context(system_u:object_r:pki_ca_tomcat_exec_t,s0)
++
++/var/lib/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_var_lib_t,s0)
++
++/var/run/pki-ca.pid gen_context(system_u:object_r:pki_ca_var_run_t,s0)
++
++/var/log/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_log_t,s0)
++
++/usr/bin/dtomcat5-pki-kra -- gen_context(system_u:object_r:pki_kra_exec_t,s0)
++
++/etc/init.d/pki-kra -- gen_context(system_u:object_r:pki_kra_script_exec_t,s0)
++
++/etc/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_etc_rw_t,s0)
++/etc/pki-kra/tomcat5.conf -- gen_context(system_u:object_r:pki_kra_tomcat_exec_t,s0)
++
++/var/lib/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_var_lib_t,s0)
++
++/var/run/pki-kra.pid gen_context(system_u:object_r:pki_kra_var_run_t,s0)
++
++/var/log/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_log_t,s0)
++
++/usr/bin/dtomcat5-pki-ocsp -- gen_context(system_u:object_r:pki_ocsp_exec_t,s0)
++
++/etc/init.d/pki-ocsp -- gen_context(system_u:object_r:pki_ocsp_script_exec_t,s0)
++
++/etc/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_etc_rw_t,s0)
++/etc/pki-ocsp/tomcat5.conf -- gen_context(system_u:object_r:pki_ocsp_tomcat_exec_t,s0)
++
++/var/lib/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_var_lib_t,s0)
++
++/var/run/pki-ocsp.pid gen_context(system_u:object_r:pki_ocsp_var_run_t,s0)
++
++/var/log/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_log_t,s0)
++
++/usr/sbin/httpd.worker -- gen_context(system_u:object_r:pki_ra_exec_t,s0)
++/etc/init.d/pki-ra -- gen_context(system_u:object_r:pki_ra_script_exec_t,s0)
++/etc/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
++/var/lib/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_var_lib_t,s0)
++/var/log/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_log_t,s0)
++
++
++/usr/bin/dtomcat5-pki-tks -- gen_context(system_u:object_r:pki_tks_exec_t,s0)
++
++/etc/init.d/pki-tks -- gen_context(system_u:object_r:pki_tks_script_exec_t,s0)
++
++/etc/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_etc_rw_t,s0)
++/etc/pki-tks/tomcat5.conf -- gen_context(system_u:object_r:pki_tks_tomcat_exec_t,s0)
++
++/var/lib/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_var_lib_t,s0)
++
++/var/run/pki-tks.pid gen_context(system_u:object_r:pki_tks_var_run_t,s0)
++
++/var/log/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_log_t,s0)
++
++/usr/sbin/httpd.worker -- gen_context(system_u:object_r:pki_ra_exec_t,s0)
++/etc/init.d/pki-tps -- gen_context(system_u:object_r:pki_tps_script_exec_t,s0)
++/etc/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
++/var/lib/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_var_lib_t,s0)
++/var/log/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_log_t,s0)
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pki.if serefpolicy-3.0.8/policy/modules/services/pki.if
+--- nsaserefpolicy/policy/modules/services/pki.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/pki.if 2008-11-13 14:23:53.000000000 -0500
+@@ -0,0 +1,643 @@
++
++## <summary>policy for pki</summary>
++
++########################################
++## <summary>
++## Execute pki_ca server in the pki_ca domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`pki_ca_script_domtrans',`
++ gen_require(`
++ attribute pki_ca_script;
++ ')
++
++ init_script_domtrans_spec($1,pki_ca_script)
++')
++
++########################################
++## <summary>
++## Create a set of derived types for apache
++## web content.
++## </summary>
++## <param name="prefix">
++## <summary>
++## The prefix to be used for deriving type names.
++## </summary>
++## </param>
++#
++template(`pki_ca_template',`
++ gen_require(`
++ attribute pki_ca_process;
++ attribute pki_ca_config, pki_ca_var_lib, pki_ca_var_run;
++ attribute pki_ca_executable, pki_ca_script, pki_ca_var_log;
++ type pki_ca_tomcat_exec_t;
++ type $1_port_t;
++ ')
++ ########################################
++ #
++ # Declarations
++ #
++
++ type $1_t, pki_ca_process;
++ type $1_exec_t, pki_ca_executable;
++ domain_type($1_t)
++ init_daemon_domain($1_t, $1_exec_t)
++
++ type $1_script_exec_t, pki_ca_script;
++ init_script_file($1_script_exec_t)
++
++ type $1_etc_rw_t, pki_ca_config;
++ files_type($1_etc_rw_t)
++
++ type $1_var_run_t, pki_ca_var_run;
++ files_pid_file($1_var_run_t)
++
++ type $1_var_lib_t, pki_ca_var_lib;
++ files_type($1_var_lib_t)
++
++ type $1_log_t, pki_ca_var_log;
++ logging_log_file($1_log_t)
++
++ ########################################
++ #
++ # $1 local policy
++ #
++
++ # Execstack/execmem caused by java app.
++ allow $1_t self:process { execstack execmem getsched setsched };
++
++ ## internal communication is often done using fifo and unix sockets.
++ allow $1_t self:fifo_file rw_file_perms;
++ allow $1_t self:unix_stream_socket create_stream_socket_perms;
++ allow $1_t self:tcp_socket create_stream_socket_perms;
++ allow $1_t self:process signull;
++
++ allow $1_t $1_port_t:tcp_socket {name_bind name_connect};
++
++ corenet_all_recvfrom_unlabeled($1_t)
++ corenet_tcp_sendrecv_all_if($1_t)
++ corenet_tcp_sendrecv_all_nodes($1_t)
++ corenet_tcp_sendrecv_all_ports($1_t)
++
++ corenet_tcp_bind_all_nodes($1_t)
++ corenet_tcp_bind_ocsp_port($1_t)
++ corenet_tcp_connect_ocsp_port($1_t)
++
++ # This is for /etc/$1/tomcat.conf:
++ can_exec($1_t, pki_ca_tomcat_exec_t)
++
++ # Init script handling
++ domain_use_interactive_fds($1_t)
++
++ files_read_etc_files($1_t)
++
++ manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
++ manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
++ files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
++
++ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
++ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
++ files_pid_filetrans($1_t,$1_var_run_t, { file dir })
++
++ manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
++ manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
++ read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
++ files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } )
++
++ manage_dirs_pattern($1_t, $1_log_t, $1_log_t)
++ manage_files_pattern($1_t, $1_log_t, $1_log_t)
++ logging_log_filetrans($1_t, $1_log_t, { file dir } )
++
++ corecmd_exec_bin($1_t)
++ corecmd_read_bin_symlinks($1_t)
++ corecmd_exec_shell($1_t)
++
++ dev_list_sysfs($1_t)
++ dev_read_rand($1_t)
++ dev_read_urand($1_t)
++
++ # Java is looking in /tmp for some reason...:
++ files_manage_generic_tmp_dirs($1_t)
++ files_manage_generic_tmp_files($1_t)
++ files_read_usr_files($1_t)
++ files_read_usr_symlinks($1_t)
++ # These are used to read tomcat class files in /var/lib/tomcat
++ files_read_var_lib_files($1_t)
++ files_read_var_lib_symlinks($1_t)
++
++ kernel_read_network_state($1_t)
++ kernel_read_system_state($1_t)
++ kernel_search_network_state($1_t)
++ # audit2allow
++ kernel_signull_unlabeled($1_t)
++
++ auth_use_nsswitch($1_t)
++
++ init_dontaudit_write_utmp($1_t)
++
++ libs_use_ld_so($1_t)
++ libs_use_shared_libs($1_t)
++
++ miscfiles_read_localization($1_t)
++
++ ifdef(`targeted_policy',`
++ term_dontaudit_use_unallocated_ttys($1_t)
++ term_dontaudit_use_generic_ptys($1_t)
++ ')
++
++#This is broken in selinux-policy we need java_exec defined, Will add to policy
++ gen_require(`
++ type java_exec_t;
++ ')
++ can_exec($1_t, java_exec_t)
++
++')
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an pki_ca environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed to manage the syslog domain.
++## </summary>
++## </param>
++## <param name="terminal">
++## <summary>
++## The type of the user terminal.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`pki_ca_admin',`
++ gen_require(`
++ type pki_ca_tomcat_exec_t;
++ attribute pki_ca_process;
++ attribute pki_ca_config;
++ attribute pki_ca_executable;
++ attribute pki_ca_var_lib;
++ attribute pki_ca_var_log;
++ attribute pki_ca_var_run;
++ attribute pki_ca_pidfiles;
++ attribute pki_ca_script;
++ ')
++
++ allow $1 pki_ca_process:process { ptrace signal_perms };
++ ps_process_pattern($1, pki_ca_t)
++
++ # Allow pki_ca_t to restart the service
++ pki_ca_script_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 pki_ca_script system_r;
++ allow $2 system_r;
++
++ manage_all_pattern($1, pki_ca_config)
++ manage_all_pattern($1, pki_ca_var_run)
++ manage_all_pattern($1, pki_ca_var_lib)
++ manage_all_pattern($1, pki_ca_var_log)
++ manage_all_pattern($1, pki_ca_config)
++ manage_all_pattern($1, pki_ca_tomcat_exec_t)
++')
++
++########################################
++## <summary>
++## Execute pki_kra server in the pki_kra domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`pki_kra_script_domtrans',`
++ gen_require(`
++ attribute pki_kra_script;
++ ')
++
++ init_script_domtrans_spec($1,pki_kra_script)
++')
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an pki_kra environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed to manage the syslog domain.
++## </summary>
++## </param>
++## <param name="terminal">
++## <summary>
++## The type of the user terminal.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`pki_kra_admin',`
++ gen_require(`
++ type pki_kra_tomcat_exec_t;
++ attribute pki_kra_process;
++ attribute pki_kra_config;
++ attribute pki_kra_executable;
++ attribute pki_kra_var_lib;
++ attribute pki_kra_var_log;
++ attribute pki_kra_var_run;
++ attribute pki_kra_pidfiles;
++ attribute pki_kra_script;
++ ')
++
++ allow $1 pki_kra_process:process { ptrace signal_perms };
++ ps_process_pattern($1, pki_kra_t)
++
++ # Allow pki_kra_t to restart the service
++ pki_kra_script_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 pki_kra_script system_r;
++ allow $2 system_r;
++
++ manage_all_pattern($1, pki_kra_config)
++ manage_all_pattern($1, pki_kra_var_run)
++ manage_all_pattern($1, pki_kra_var_lib)
++ manage_all_pattern($1, pki_kra_var_log)
++ manage_all_pattern($1, pki_kra_config)
++ manage_all_pattern($1, pki_kra_tomcat_exec_t)
++')
++
++########################################
++## <summary>
++## Execute pki_ocsp server in the pki_ocsp domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`pki_ocsp_script_domtrans',`
++ gen_require(`
++ attribute pki_ocsp_script;
++ ')
++
++ init_script_domtrans_spec($1,pki_ocsp_script)
++')
++
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an pki_ocsp environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed to manage the syslog domain.
++## </summary>
++## </param>
++## <param name="terminal">
++## <summary>
++## The type of the user terminal.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`pki_ocsp_admin',`
++ gen_require(`
++ type pki_ocsp_tomcat_exec_t;
++ attribute pki_ocsp_process;
++ attribute pki_ocsp_config;
++ attribute pki_ocsp_executable;
++ attribute pki_ocsp_var_lib;
++ attribute pki_ocsp_var_log;
++ attribute pki_ocsp_var_run;
++ attribute pki_ocsp_pidfiles;
++ attribute pki_ocsp_script;
++ ')
++
++ allow $1 pki_ocsp_process:process { ptrace signal_perms };
++ ps_process_pattern($1, pki_ocsp_t)
++
++ # Allow pki_ocsp_t to restart the service
++ pki_ocsp_script_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 pki_ocsp_script system_r;
++ allow $2 system_r;
++
++ manage_all_pattern($1, pki_ocsp_config)
++ manage_all_pattern($1, pki_ocsp_var_run)
++ manage_all_pattern($1, pki_ocsp_var_lib)
++ manage_all_pattern($1, pki_ocsp_var_log)
++ manage_all_pattern($1, pki_ocsp_config)
++ manage_all_pattern($1, pki_ocsp_tomcat_exec_t)
++')
++
++########################################
++## <summary>
++## Execute pki_ra server in the pki_ra domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`pki_ra_script_domtrans',`
++ gen_require(`
++ attribute pki_ra_script;
++ ')
++
++ init_script_domtrans_spec($1,pki_ra_script)
++')
++
++########################################
++## <summary>
++## Create a set of derived types for apache
++## web content.
++## </summary>
++## <param name="prefix">
++## <summary>
++## The prefix to be used for deriving type names.
++## </summary>
++## </param>
++#
++template(`pki_ra_template',`
++ gen_require(`
++ attribute pki_ra_process;
++ attribute pki_ra_config, pki_ra_var_lib;
++ attribute pki_ra_executable, pki_ra_script, pki_ra_var_log;
++ ')
++ ########################################
++ #
++ # Declarations
++ #
++
++ type $1_t, pki_ra_process;
++ type $1_exec_t, pki_ra_executable;
++ domain_type($1_t)
++ init_daemon_domain($1_t, $1_exec_t)
++
++ type $1_script_exec_t, pki_ra_script;
++ init_script_file($1_script_exec_t)
++
++ type $1_etc_rw_t, pki_ra_config;
++ files_type($1_etc_rw_t)
++
++ type $1_var_lib_t, pki_ra_var_lib;
++ files_type($1_var_lib_t)
++
++ type $1_log_t, pki_ra_var_log;
++ logging_log_file($1_log_t)
++
++ ########################################
++ #
++ # $1 local policy
++ #
++
++ ## internal communication is often done using fifo and unix sockets.
++ allow $1_t self:fifo_file rw_file_perms;
++ allow $1_t self:unix_stream_socket create_stream_socket_perms;
++
++ # Init script handling
++ domain_use_interactive_fds($1_t)
++
++ files_read_etc_files($1_t)
++
++ manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
++ manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
++ files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
++
++ manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
++ manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
++ read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
++ files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } )
++
++ manage_dirs_pattern($1_t, $1_log_t, $1_log_t)
++ manage_files_pattern($1_t, $1_log_t, $1_log_t)
++ logging_log_filetrans($1_t, $1_log_t, { file dir } )
++
++ init_dontaudit_write_utmp($1_t)
++
++ libs_use_ld_so($1_t)
++ libs_use_shared_libs($1_t)
++
++ miscfiles_read_localization($1_t)
++
++ ifdef(`targeted_policy',`
++ term_dontaudit_use_unallocated_ttys($1_t)
++ term_dontaudit_use_generic_ptys($1_t)
++ ')
++
++ gen_require(`
++ type httpd_t;
++ ')
++
++ allow httpd_t pki_ra_etc_rw_t:file { read getattr };
++ allow httpd_t pki_ra_log_t:file read;
++ allow httpd_t pki_ra_var_lib_t:lnk_file read;
++
++
++')
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an pki_ra environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed to manage the syslog domain.
++## </summary>
++## </param>
++## <param name="terminal">
++## <summary>
++## The type of the user terminal.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`pki_ra_admin',`
++ gen_require(`
++ attribute pki_ra_process;
++ attribute pki_ra_config;
++ attribute pki_ra_executable;
++ attribute pki_ra_var_lib;
++ attribute pki_ra_var_log;
++ attribute pki_ra_script;
++ ')
++
++ allow $1 pki_ra_process:process { ptrace signal_perms };
++ ps_process_pattern($1, pki_ra_t)
++
++ # Allow pki_ra_t to restart the service
++ pki_ra_script_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 pki_ra_script system_r;
++ allow $2 system_r;
++
++ manage_all_pattern($1, pki_ra_config)
++ manage_all_pattern($1, pki_ra_var_lib)
++ manage_all_pattern($1, pki_ra_var_log)
++ manage_all_pattern($1, pki_ra_config)
++')
++
++########################################
++## <summary>
++## Execute pki_tks server in the pki_tks domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`pki_tks_script_domtrans',`
++ gen_require(`
++ attribute pki_tks_script;
++ ')
++
++ init_script_domtrans_spec($1,pki_tks_script)
++')
++
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an pki_tks environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed to manage the syslog domain.
++## </summary>
++## </param>
++## <param name="terminal">
++## <summary>
++## The type of the user terminal.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`pki_tks_admin',`
++ gen_require(`
++ type pki_tks_tomcat_exec_t;
++ attribute pki_tks_process;
++ attribute pki_tks_config;
++ attribute pki_tks_executable;
++ attribute pki_tks_var_lib;
++ attribute pki_tks_var_log;
++ attribute pki_tks_var_run;
++ attribute pki_tks_pidfiles;
++ attribute pki_tks_script;
++ ')
++
++ allow $1 pki_tks_process:process { ptrace signal_perms };
++ ps_process_pattern($1, pki_tks_t)
++
++ # Allow pki_tks_t to restart the service
++ pki_tks_script_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 pki_tks_script system_r;
++ allow $2 system_r;
++
++ manage_all_pattern($1, pki_tks_config)
++ manage_all_pattern($1, pki_tks_var_run)
++ manage_all_pattern($1, pki_tks_var_lib)
++ manage_all_pattern($1, pki_tks_var_log)
++ manage_all_pattern($1, pki_tks_config)
++ manage_all_pattern($1, pki_tks_tomcat_exec_t)
++')
++
++########################################
++## <summary>
++## Execute pki_tps server in the pki_tps domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`pki_tps_script_domtrans',`
++ gen_require(`
++ attribute pki_tps_script;
++ ')
++
++ init_script_domtrans_spec($1,pki_tps_script)
++')
++
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an pki_tps environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed to manage the syslog domain.
++## </summary>
++## </param>
++## <param name="terminal">
++## <summary>
++## The type of the user terminal.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`pki_tps_admin',`
++ gen_require(`
++ attribute pki_tps_process;
++ attribute pki_tps_config;
++ attribute pki_tps_executable;
++ attribute pki_tps_var_lib;
++ attribute pki_tps_var_log;
++ attribute pki_tps_script;
++ ')
++
++ allow $1 pki_tps_process:process { ptrace signal_perms };
++ ps_process_pattern($1, pki_tps_t)
++
++ # Allow pki_tps_t to restart the service
++ pki_tps_script_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 pki_tps_script system_r;
++ allow $2 system_r;
++
++ manage_all_pattern($1, pki_tps_config)
++ manage_all_pattern($1, pki_tps_var_lib)
++ manage_all_pattern($1, pki_tps_var_log)
++ manage_all_pattern($1, pki_tps_config)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pki.te serefpolicy-3.0.8/policy/modules/services/pki.te
+--- nsaserefpolicy/policy/modules/services/pki.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/pki.te 2008-11-13 14:23:53.000000000 -0500
+@@ -0,0 +1,91 @@
++policy_module(pki,1.0.0)
++
++attribute pki_ca_config;
++attribute pki_ca_executable;
++attribute pki_ca_var_lib;
++attribute pki_ca_var_log;
++attribute pki_ca_var_run;
++attribute pki_ca_pidfiles;
++attribute pki_ca_script;
++attribute pki_ca_process;
++
++type pki_ca_tomcat_exec_t;
++files_type(pki_ca_tomcat_exec_t)
++
++pki_ca_template(pki_ca)
++
++attribute pki_kra_config;
++attribute pki_kra_executable;
++attribute pki_kra_var_lib;
++attribute pki_kra_var_log;
++attribute pki_kra_var_run;
++attribute pki_kra_pidfiles;
++attribute pki_kra_script;
++attribute pki_kra_process;
++
++type pki_kra_tomcat_exec_t;
++files_type(pki_kra_tomcat_exec_t)
++
++pki_ca_template(pki_kra)
++
++
++attribute pki_ocsp_config;
++attribute pki_ocsp_executable;
++attribute pki_ocsp_var_lib;
++attribute pki_ocsp_var_log;
++attribute pki_ocsp_var_run;
++attribute pki_ocsp_pidfiles;
++attribute pki_ocsp_script;
++attribute pki_ocsp_process;
++
++type pki_ocsp_tomcat_exec_t;
++files_type(pki_ocsp_tomcat_exec_t)
++
++pki_ca_template(pki_ocsp)
++
++
++attribute pki_ra_config;
++attribute pki_ra_executable;
++attribute pki_ra_var_lib;
++attribute pki_ra_var_log;
++attribute pki_ra_var_run;
++attribute pki_ra_pidfiles;
++attribute pki_ra_script;
++attribute pki_ra_process;
++
++type pki_ra_tomcat_exec_t;
++files_type(pki_ra_tomcat_exec_t)
++
++pki_ra_template(pki_ra)
++
++
++attribute pki_tks_config;
++attribute pki_tks_executable;
++attribute pki_tks_var_lib;
++attribute pki_tks_var_log;
++attribute pki_tks_var_run;
++attribute pki_tks_pidfiles;
++attribute pki_tks_script;
++attribute pki_tks_process;
++
++type pki_tks_tomcat_exec_t;
++files_type(pki_tks_tomcat_exec_t)
++
++pki_ca_template(pki_tks)
++
++
++attribute pki_tps_config;
++attribute pki_tps_executable;
++attribute pki_tps_var_lib;
++attribute pki_tps_var_log;
++attribute pki_tps_var_run;
++attribute pki_tps_pidfiles;
++attribute pki_tps_script;
++attribute pki_tps_process;
++
++type pki_tps_tomcat_exec_t;
++files_type(pki_tps_tomcat_exec_t)
++
++pki_ra_template(pki_tps)
++
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.0.8/policy/modules/services/polkit.fc
--- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/services/polkit.fc 2008-10-20 16:22:16.000000000 -0400
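Review bot: pki.fc labels `/usr/sbin/httpd.worker` twice with `pki_ra_exec_t`, once in the pki-ra block and again in the pki-tps block where `pki_tps_exec_t` was presumably intended; beyond the duplicate, giving the stock apache worker binary a pki entry-point type together with `init_daemon_domain($1_t, $1_exec_t)` means an httpd.worker started by init would transition into pki_ra_t instead of the apache domain, so either a pki-specific wrapper path should be labelled or the entry dropped. In pki.if, `pki_ra_template` hard-codes `pki_ra_etc_rw_t`, `pki_ra_log_t` and `pki_ra_var_lib_t` in its `allow httpd_t …` rules, so `pki_ra_template(pki_tps)` in pki.te grants httpd_t nothing for the pki_tps types; those three lines should use `$1_etc_rw_t`, `$1_log_t` and `$1_var_lib_t`, and the block, like the bare `gen_require` of `java_exec_t` in `pki_ca_template`, belongs inside `optional_policy(` rather than a hard require on a type owned by another module. The admin interfaces also document a `terminal` parameter that is never used and describe "the syslog domain", and the `pki_ca_template` summary still says "apache web content"; the summaries should be corrected to describe the pki domains.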