$(MODDIR)/$$i/metadata.xml \
$(HEADERDIR)/$$i ;\
done
- $(verbose) echo "TYPE=$(TYPE)" > $(HEADERDIR)/build.conf
- $(verbose) echo "NAME=$(NAME)" >> $(HEADERDIR)/build.conf
+ $(verbose) echo "TYPE ?= $(TYPE)" > $(HEADERDIR)/build.conf
+ $(verbose) echo "NAME ?= $(NAME)" >> $(HEADERDIR)/build.conf
ifneq "$(DISTRO)" ""
- $(verbose) echo "DISTRO=$(DISTRO)" >> $(HEADERDIR)/build.conf
+ $(verbose) echo "DISTRO ?= $(DISTRO)" >> $(HEADERDIR)/build.conf
endif
- $(verbose) echo "MONOLITHIC=n" >> $(HEADERDIR)/build.conf
- $(verbose) echo "DIRECT_INITRC=$(DIRECT_INITRC)" >> $(HEADERDIR)/build.conf
- $(verbose) echo "POLY=$(POLY)" >> $(HEADERDIR)/build.conf
+ $(verbose) echo "MONOLITHIC ?= n" >> $(HEADERDIR)/build.conf
+ $(verbose) echo "DIRECT_INITRC ?= $(DIRECT_INITRC)" >> $(HEADERDIR)/build.conf
+ $(verbose) echo "POLY ?= $(POLY)" >> $(HEADERDIR)/build.conf
$(verbose) install -m 644 $(SUPPORT)/Makefile.devel $(HEADERDIR)/Makefile
########################################
-policy_module(logwatch,1.0.1)
+policy_module(logwatch,1.0.2)
#################################
#
selinux_dontaudit_getattr_dir(logwatch_t)
+sysnet_dns_name_resolve(logwatch_t)
+
userdom_dontaudit_search_sysadm_home_dirs(logwatch_t)
userdom_dontaudit_getattr_sysadm_home_dirs(logwatch_t)
-policy_module(vpnc,1.1.1)
+policy_module(vpnc,1.1.2)
########################################
#
libs_use_ld_so(vpnc_t)
libs_use_shared_libs(vpnc_t)
+locallogin_use_fd(vpnc_t)
+
logging_send_syslog_msg(vpnc_t)
miscfiles_read_localization(vpnc_t)
optional_policy(`dbus',`
dbus_system_bus_client_template(vpnc,vpnc_t)
+ dbus_send_system_bus(vpnc_t)
+ optional_policy(`networkmanager',`
+ networkmanager_dbus_chat(vpnc_t)
+ ')
')
optional_policy(`mount',`
# Local policy
#
- allow $1_javaplugin_t self:process { signal_perms getsched setsched };
+ allow $1_javaplugin_t self:process { signal_perms getsched setsched execmem };
allow $1_javaplugin_t self:fifo_file rw_file_perms;
allow $1_javaplugin_t self:tcp_socket create_socket_perms;
allow $1_javaplugin_t self:udp_socket create_socket_perms;
userdom_manage_user_home_content_sockets($1,$1_javaplugin_t)
userdom_user_home_dir_filetrans_user_home_content($1,$1_javaplugin_t,{ file lnk_file sock_file fifo_file })
- # libdeploy.so legacy
- tunable_policy(`allow_execmem',`
- allow $1_javaplugin_t self:process execmem;
- ')
-
tunable_policy(`allow_java_execstack',`
- allow $1_javaplugin_t self:process { execmem execstack };
+ allow $1_javaplugin_t self:process execstack;
allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;
-policy_module(java,1.0.1)
+policy_module(java,1.0.2)
########################################
#
/usr/share/hal/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/mc/extfs/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
-policy_module(corecommands,1.2.0)
+policy_module(corecommands,1.2.1)
########################################
#
/dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/console -c gen_context(system_u:object_r:console_device_t,s0)
/dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
/dev/full -c gen_context(system_u:object_r:null_device_t,s0)
/dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0)
-policy_module(devices,1.0.4)
+policy_module(devices,1.0.5)
########################################
#
-policy_module(files,1.1.1)
+policy_module(files,1.1.2)
########################################
#
# home_root_t is the type for the directory where user home directories
# are created
#
-type home_root_t, file_type, mountpoint; #, polyparent
+type home_root_t, file_type, mountpoint;
fs_associate(home_root_t)
fs_associate_noxattr(home_root_t)
+files_poly_parent(home_root_t)
#
# lost_found_t is the type for the lost+found directories.
#
# root_t is the type for rootfs and the root directory.
#
-type root_t, file_type, mountpoint; #, polyparent
+type root_t, file_type, mountpoint;
fs_associate(root_t)
fs_associate_noxattr(root_t)
+files_poly_parent(root_t)
kernel_rootfs_mountpoint(root_t)
genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
#
type tmp_t, mountpoint; #, polydir
files_tmp_file(tmp_t)
+files_poly_parent(tmp_t)
#
# usr_t is the type for /usr.
/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/lib/cacti(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
# This type is used for executable scripts files
type httpd_$1_script_exec_t; # customizable;
+ corecmd_shell_entry_type(httpd_$1_script_t)
domain_entry_file(httpd_$1_script_t,httpd_$1_script_exec_t)
# The following three are the only areas that
dev_read_urand(httpd_$1_script_t)
fs_getattr_xattr_fs(httpd_$1_script_t)
+ fs_read_eventpollfs(httpd_$1_script_t)
files_read_etc_runtime_files(httpd_$1_script_t)
files_read_usr_files(httpd_$1_script_t)
allow $1 httpd_squirrelmail_t:file { getattr append };
')
+########################################
+## <summary>
+## Read apache system content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`apache_read_sys_content',`
+ gen_require(`
+ type httpd_sys_content_t;
+ ')
+
+ allow $1 httpd_sys_content_t:dir r_dir_perms;
+ allow $1 httpd_sys_content_t:file { getattr read };
+')
+
########################################
## <summary>
## Search system script state directory.
-policy_module(apache,1.2.1)
+policy_module(apache,1.2.2)
#
# NOTES:
-policy_module(automount,1.1.3)
+policy_module(automount,1.1.4)
########################################
#
# Local policy
#
-allow automount_t self:capability { net_bind_service sys_nice dac_override };
+allow automount_t self:capability { net_bind_service sys_nice sys_resource dac_override };
dontaudit automount_t self:capability sys_tty_config;
allow automount_t self:process { signal_perms getpgid setpgid setsched };
allow automount_t self:fifo_file rw_file_perms;
corenet_tcp_connect_portmap_port(automount_t)
corenet_tcp_connect_all_ports(automount_t)
corenet_dontaudit_tcp_connect_all_reserved_ports(automount_t)
+# Automount execs showmount when you browse /net. This is required until
+# Someone writes a showmount policy
+corenet_tcp_bind_reserved_port(automount_t)
dev_read_sysfs(automount_t)
# for SSP
domain_use_interactive_fds(automount_t)
files_dontaudit_write_var_dirs(automount_t)
-files_search_var_lib(automount_t)
+files_getattr_all_dirs(automount_t)
files_list_mnt(automount_t)
files_getattr_home_dir(automount_t)
files_read_etc_files(automount_t)
-policy_module(cron,1.2.2)
+policy_module(cron,1.2.3)
gen_require(`
class passwd rootok;
optional_policy(`apache',`
# Needed for certwatch
apache_exec_modules(system_crond_t)
+ apache_read_config(system_crond_t)
+ apache_read_log(system_crond_t)
+ apache_read_sys_content(system_crond_t)
')
optional_policy(`cyrus',`
-policy_module(hal,1.2.6)
+policy_module(hal,1.2.7)
########################################
#
fs_getattr_all_fs(hald_t)
fs_search_all(hald_t)
-fs_search_auto_mountpoints(hald_t)
+fs_list_auto_mountpoints(hald_t)
mls_file_read_up(hald_t)
-policy_module(xserver,1.0.3)
+policy_module(xserver,1.0.4)
########################################
#
ifdef(`targeted_policy',`
allow xdm_xserver_t self:process { execheap execmem };
- unconfined_domain(xdm_xserver_t)
+ unconfined_domain_noaudit(xdm_xserver_t)
unconfined_domtrans(xdm_xserver_t)
')
-policy_module(fstools,1.2.2)
+policy_module(fstools,1.2.3)
########################################
#
files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })
# Enable swapping to files
-allow fsadm_t swapfile_t:file { getattr swapon };
+allow fsadm_t swapfile_t:file { read write getattr swapon };
kernel_read_system_state(fsadm_t)
kernel_read_kernel_sysctls(fsadm_t)
-policy_module(mount,1.2.2)
+policy_module(mount,1.2.3)
########################################
#
fs_unmount_all_fs(mount_t)
fs_remount_all_fs(mount_t)
fs_relabelfrom_all_fs(mount_t)
-fs_search_auto_mountpoints(mount_t)
+fs_list_auto_mountpoints(mount_t)
fs_rw_tmpfs_chr_files(mount_t)
fs_read_tmpfs_symlinks(mount_t)
-policy_module(selinuxutil,1.1.6)
+policy_module(selinuxutil,1.1.7)
gen_require(`
bool secure_mode;
allow load_policy_t selinux_config_t:file r_file_perms;
allow load_policy_t selinux_config_t:lnk_file r_file_perms;
+domain_use_interactive_fds(load_policy_t)
+
+# for mcs.conf
+files_read_etc_files(load_policy_t)
+files_read_etc_runtime_files(load_policy_t)
+
fs_getattr_xattr_fs(load_policy_t)
+mls_file_read_up(load_policy_t)
+
selinux_get_fs_mount(load_policy_t)
selinux_load_policy(load_policy_t)
selinux_set_boolean(load_policy_t)
init_use_script_fds(load_policy_t)
init_use_script_ptys(load_policy_t)
-domain_use_interactive_fds(load_policy_t)
-
-# for mcs.conf
-files_read_etc_files(load_policy_t)
-files_read_etc_runtime_files(load_policy_t)
-
libs_use_ld_so(load_policy_t)
libs_use_shared_libs(load_policy_t)
nscd_socket_use(newrole_t)
')
-ifdef(`TODO',`
-ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
-') dnl ifdef TODO
-
########################################
#
# Restorecon local policy