From: Daniel J Walsh <dwalsh@redhat.com>
To: jwcart2@epoch.ncsc.mil
Cc: SELinux ML <selinux@tycho.nsa.gov>
Subject: Latest patch
Date: Thu, 16 Dec 2004 11:50:55 -0500 [thread overview]
Message-ID: <41C1BCEF.7090508@redhat.com> (raw)
In-Reply-To: <1103143388.31218.33.camel@moss-lions.epoch.ncsc.mil>
[-- Attachment #1: Type: text/plain, Size: 447 bytes --]
Add winbind policy
Add transitionbool attribute, to indicate whether a domain should have a
disable_trans boolean created for that domain.
(Mozilla and games in strict policy, all network domains in targeted)
Added can_setsecparam
Fix httpd_sys_script_t to allow access to mysql sock file.
Began adding user configuration changes, to allow adding users in
different roles without policy sources installed.
Remove user_can_mount tunable.
[-- Attachment #2: policy-20041216.patch --]
[-- Type: text/x-patch, Size: 20202 bytes --]
diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.19.14/attrib.te
--- nsapolicy/attrib.te 2004-12-02 14:11:41.000000000 -0500
+++ policy-1.19.14/attrib.te 2004-12-16 11:48:36.939342542 -0500
@@ -390,3 +390,6 @@
# For labeling of content for httpd
attribute httpdcontent;
+# For labeling of domains whos transition can be disabled
+attribute transitionbool;
+
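Review bot: The new attribute comment has a typo ("whos") and does not say what the attribute drives; since global_macros.te now tests for this name with index(), the spelling of the attribute itself must also stay exact. Suggested comment: `# For domains whose transition can be disabled via a <domain>_disable_trans boolean (see daemon_base_domain)`.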
diff --exclude-from=exclude -N -u -r nsapolicy/domains/admin.te policy-1.19.14/domains/admin.te
--- nsapolicy/domains/admin.te 2004-09-23 15:08:58.000000000 -0400
+++ policy-1.19.14/domains/admin.te 2004-12-16 11:48:36.940342432 -0500
@@ -23,6 +23,9 @@
# Allow administrator domains to set policy booleans.
can_setbool(sysadm_t)
+# Allow administrator domains to set security parameters
+can_setsecparam(sysadm_t)
+
# for su
allow sysadm_t userdomain:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.19.14/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te 2004-12-11 06:31:18.000000000 -0500
+++ policy-1.19.14/domains/program/initrc.te 2004-12-16 11:48:36.941342321 -0500
@@ -137,11 +137,6 @@
# Update /etc/ld.so.cache.
allow initrc_t ld_so_cache_t:file rw_file_perms;
-ifdef(`sendmail.te', `
-# Update /etc/mail.
-allow initrc_t etc_mail_t:file { setattr rw_file_perms };
-')
-
ifdef(`xfs.te', `
# Unlink the xfs socket.
allow initrc_t xfs_tmp_t:dir rw_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.19.14/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te 2004-12-11 06:31:18.000000000 -0500
+++ policy-1.19.14/domains/program/unused/apache.te 2004-12-16 11:48:36.941342321 -0500
@@ -243,11 +243,12 @@
ifdef(`mysqld.te', `
can_unix_connect(httpd_php_t, mysqld_t)
can_unix_connect(httpd_t, mysqld_t)
+can_unix_connect(httpd_sys_script_t, mysqld_t)
allow httpd_php_t mysqld_var_run_t:dir search;
allow httpd_php_t mysqld_var_run_t:sock_file write;
-allow httpd_t mysqld_db_t:dir search;
-allow httpd_t mysqld_db_t:sock_file rw_file_perms;
-allow httpd_t mysqld_var_run_t:sock_file rw_file_perms;
+allow { httpd_t httpd_sys_script_t } mysqld_db_t:dir search;
+allow { httpd_t httpd_sys_script_t } mysqld_db_t:sock_file rw_file_perms;
+allow { httpd_t httpd_sys_script_t } mysqld_var_run_t:sock_file rw_file_perms;
')
allow httpd_t bin_t:dir search;
allow httpd_t sbin_t:dir search;
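Review bot: httpd_sys_script_t (and httpd_t) are granted `rw_file_perms` on mysqld_var_run_t:sock_file but, unlike httpd_php_t two lines above, get no `mysqld_var_run_t:dir search`, so unless that search is granted elsewhere in apache.te the socket under the var_run directory is not reachable for the new domain. `rw_file_perms` is also wider than a connect needs; the httpd_php_t rule in the same block uses plain `write`, and `allow { httpd_t httpd_sys_script_t } mysqld_var_run_t:sock_file { getattr write };` would keep the two paths consistent and least-privilege. The same applies to the mysqld_db_t:sock_file line just above it.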
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.19.14/domains/program/unused/nscd.te
--- nsapolicy/domains/program/unused/nscd.te 2004-12-11 06:31:19.000000000 -0500
+++ policy-1.19.14/domains/program/unused/nscd.te 2004-12-16 11:48:36.942342210 -0500
@@ -59,7 +59,10 @@
#
# Handle winbind for samba, Might only be needed for targeted policy
#
-dontaudit nscd_t var_run_t:sock_file rw_file_perms;
+allow nscd_t winbind_var_run_t:sock_file { read write getattr };
+can_unix_connect(nscd_t, winbind_t)
+allow nscd_t samba_var_t:dir search;
+allow nscd_t winbind_var_run_t:dir { getattr search };
r_dir_file(nscd_t, selinux_config_t)
can_getsecurity(nscd_t)
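Review bot: The four new rules reference winbind_t, winbind_var_run_t and samba_var_t unconditionally, but winbind.te lives in domains/program/unused, so a build that does not include it fails on undefined types. Wrap them the way the apache hunk handles mysqld, i.e. `ifdef(`winbind.te', `` before the `allow nscd_t winbind_var_run_t:sock_file` line and `')` after the `winbind_var_run_t:dir` line. samba_var_t is only declared by samba.te or by winbind.te's fallback block, so the same guard covers it.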
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/openvpn.te policy-1.19.14/domains/program/unused/openvpn.te
--- nsapolicy/domains/program/unused/openvpn.te 2004-12-02 14:11:42.000000000 -0500
+++ policy-1.19.14/domains/program/unused/openvpn.te 2004-12-16 11:48:36.943342100 -0500
@@ -21,7 +21,7 @@
allow openvpn_t self:unix_stream_socket create_stream_socket_perms;
allow openvpn_t self:unix_dgram_socket sendto;
allow openvpn_t self:unix_stream_socket connectto;
-allow openvpn_t self:capability net_admin;
+allow openvpn_t self:capability { net_admin setgid setuid };
r_dir_file(openvpn_t, sysctl_net_t)
can_network_server(openvpn_t)
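Review bot: `allow openvpn_t self:capability { net_admin setgid setuid };` adds two privilege-changing capabilities with no comment, while the surrounding rules and the admin.te hunk annotate each grant. Presumably they are for openvpn's own privilege drop (`--user`/`--group`); a line such as `# setuid/setgid: drop privileges to --user/--group after startup` above the rule would record that and make any later widening easier to spot.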
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sendmail.te policy-1.19.14/domains/program/unused/sendmail.te
--- nsapolicy/domains/program/unused/sendmail.te 2004-11-30 05:59:39.000000000 -0500
+++ policy-1.19.14/domains/program/unused/sendmail.te 2004-12-16 11:48:36.943342100 -0500
@@ -14,7 +14,7 @@
#
# etc_mail_t is the type of /etc/mail.
-type etc_mail_t, file_type, sysadmfile;
+type etc_mail_t, file_type, sysadmfile, usercanread;
daemon_domain(sendmail, `, nscd_client_domain, mta_delivery_agent, mail_server_domain, mail_server_sender', nosysadm)
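Review bot: Adding `usercanread` to etc_mail_t makes everything under /etc/mail readable by every user domain, not only the sendmail.cf a client invocation would need; if a site keeps an authinfo map there (sendmail's authinfo feature can hold SMTP credentials), DAC modes become the only barrier. A comment on the type line recording what user domains need to read, or a separate type for credential maps, would keep the widening deliberate; the initrc.te hunk of this patch drops initrc_t's own etc_mail_t rules, so this file is now the only place the type's access is described.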
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/winbind.te policy-1.19.14/domains/program/unused/winbind.te
--- nsapolicy/domains/program/unused/winbind.te 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.19.14/domains/program/unused/winbind.te 2004-12-16 11:48:36.944341989 -0500
@@ -0,0 +1,34 @@
+#DESC winbind - Name Service Switch daemon for resolving names from NT servers
+#
+# Author: Dan Walsh (dwalsh@redhat.com)
+#
+
+#################################
+#
+# Declarations for winbind
+#
+
+daemon_domain(winbind, `, privhome, auth_chkpwd')
+allow winbind_t self:capability net_admin;
+log_domain(winbind)
+allow winbind_t etc_t:file r_file_perms;
+allow winbind_t etc_t:lnk_file read;
+can_network(winbind_t)
+ifdef(`samba.te', `', `
+type samba_etc_t, file_type, sysadmfile, usercanread;
+type samba_log_t, file_type, sysadmfile, logfile;
+type samba_var_t, file_type, sysadmfile;
+type samba_secrets_t, file_type, sysadmfile;
+')
+rw_dir_file(winbind_t, samba_etc_t)
+rw_dir_file(winbind_t, samba_log_t)
+allow winbind_t samba_secrets_t:file rw_file_perms;
+allow winbind_t self:unix_dgram_socket create_socket_perms;
+allow winbind_t self:unix_stream_socket create_stream_socket_perms;
+allow winbind_t urandom_device_t:chr_file { getattr read };
+allow winbind_t self:fifo_file { read write };
+rw_dir_file(winbind_t, samba_var_t)
+allow winbind_t krb5_conf_t:file { getattr read };
+dontaudit winbind_t krb5_conf_t:file { write };
+allow winbind_t self:netlink_route_socket r_netlink_socket_perms;
+allow winbind_t winbind_var_run_t:sock_file create_file_perms;
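Review bot: `daemon_domain(winbind, `, privhome, auth_chkpwd')` gives winbind_t the privhome attribute and the `allow winbind_t self:capability net_admin;` line grants a broad capability, and neither carries a comment saying which winbindd function needs it. privhome is write access to user home directories for a name-service daemon; if this version does not need it, drop it, otherwise record the reason above the line, e.g. `# privhome: <winbindd feature that writes under home dirs - confirm>`. The same why-comment would help on the net_admin line and on `allow winbind_t samba_secrets_t:file rw_file_perms;`, since this is a new domain that later audits will read from scratch.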
diff --exclude-from=exclude -N -u -r nsapolicy/domains/user.te policy-1.19.14/domains/user.te
--- nsapolicy/domains/user.te 2004-12-02 14:11:41.000000000 -0500
+++ policy-1.19.14/domains/user.te 2004-12-16 11:48:36.944341989 -0500
@@ -27,9 +27,6 @@
# Allow users to control network interfaces (also needs USERCTL=true)
bool user_net_control false;
-# Disable games transitions
-bool disable_games false;
-
# Allow regular users direct mouse access
bool user_direct_mouse false;
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.19.14/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc 2004-12-09 10:26:09.000000000 -0500
+++ policy-1.19.14/file_contexts/distros.fc 2004-12-16 11:48:36.945341878 -0500
@@ -34,6 +34,7 @@
/usr/share/texmf/web2c/mktexdir -- system_u:object_r:bin_t
/usr/share/texmf/web2c/mktexnam -- system_u:object_r:bin_t
/usr/share/texmf/web2c/mktexupd -- system_u:object_r:bin_t
+/usr/share/ssl/misc(/.*)? system_u:object_r:bin_t
')
ifdef(`distro_suse', `
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/samba.fc policy-1.19.14/file_contexts/program/samba.fc
--- nsapolicy/file_contexts/program/samba.fc 2004-12-11 06:31:20.000000000 -0500
+++ policy-1.19.14/file_contexts/program/samba.fc 2004-12-16 11:48:36.945341878 -0500
@@ -19,5 +19,3 @@
/var/run/samba/smbd\.pid -- system_u:object_r:smbd_var_run_t
/var/run/samba/nmbd\.pid -- system_u:object_r:nmbd_var_run_t
/var/spool/samba(/.*)? system_u:object_r:samba_var_t
-/usr/sbin/winbindd -- system_u:object_r:smbd_exec_t
-/var/run/winbindd(/.*)? system_u:object_r:smbd_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/winbind.fc policy-1.19.14/file_contexts/program/winbind.fc
--- nsapolicy/file_contexts/program/winbind.fc 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.19.14/file_contexts/program/winbind.fc 2004-12-16 11:48:36.946341768 -0500
@@ -0,0 +1,10 @@
+/usr/sbin/winbindd -- system_u:object_r:winbind_exec_t
+/var/run/winbindd(/.*)? system_u:object_r:winbind_var_run_t
+ifdef(`samba.te', `', `
+/var/log/samba(/.*)? system_u:object_r:samba_log_t
+/etc/samba(/.*)? system_u:object_r:samba_etc_t
+/etc/samba/secrets\.tdb -- system_u:object_r:samba_secrets_t
+/etc/samba/MACHINE\.SID -- system_u:object_r:samba_secrets_t
+/var/cache/samba(/.*)? system_u:object_r:samba_var_t
+')
+/var/cache/samba/winbindd_privileged(/.*)? system_u:object_r:winbind_var_run_t
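Review bot: `/var/cache/samba/winbindd_privileged(/.*)?` is labelled winbind_var_run_t, but winbind.te only gives winbind_t `rw_dir_file` access to samba_var_t and declares no type transition from samba_var_t, so a winbindd_privileged directory created at runtime under /var/cache/samba would presumably inherit samba_var_t and only match this context after a relabel. Either declare a file type transition from samba_var_t to winbind_var_run_t for winbind_t in winbind.te, or label the directory samba_var_t and adjust the nscd_t rules accordingly. This matters because the nscd.te hunk relies on winbind_var_run_t:dir search and sock_file access to reach the socket.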
diff --exclude-from=exclude -N -u -r nsapolicy/local.users policy-1.19.14/local.users
--- nsapolicy/local.users 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.19.14/local.users 2004-12-16 11:48:36.946341768 -0500
@@ -0,0 +1,21 @@
+##################################
+#
+# User configuration.
+#
+# This file defines additional users recognized by the system security policy.
+# Only the user identities defined in this file and the users.system file
+# may be used as the user attribute in a security context.
+#
+# Each user has a set of roles that may be entered by processes
+# with the users identity. The syntax of a user declaration is:
+#
+# user username roles role_set [ ranges MLS_range_set ];
+#
+# The MLS range set should only be specified if MLS was enabled
+# for the module and checkpolicy.
+
+# sample for administrative user
+user jadmin roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', `system_r') };
+
+# sample for regular user
+#user jdoe roles { user_r };
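Review bot: The header says the other source of identities is `the users.system file`, but the Makefile installs it as `system.users`; the line should read `# Only the user identities defined in this file and the system.users file`. The administrative sample `user jadmin roles { staff_r sysadm_r ... };` is left active while the regular-user sample is commented out; the Makefile neutralises it only via `sed 's/^user/#user/g'` at install, so the source file itself still declares a sysadm_r identity and should ship as `#user jadmin ...` like the jdoe line.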
diff --exclude-from=exclude -N -u -r nsapolicy/macros/core_macros.te policy-1.19.14/macros/core_macros.te
--- nsapolicy/macros/core_macros.te 2004-12-09 10:26:10.000000000 -0500
+++ policy-1.19.14/macros/core_macros.te 2004-12-16 11:48:36.947341657 -0500
@@ -332,6 +332,26 @@
##################################
#
+# can_setsecparam(domain)
+#
+# Authorize a domain to set security parameters.
+# Due to its sensitivity, always audit this permission.
+#
+define(`can_setsecparam',`
+# Get the selinuxfs mount point via /proc/self/mounts.
+allow $1 proc_t:dir search;
+allow $1 proc_t:lnk_file read;
+allow $1 self:dir search;
+allow $1 self:file { getattr read };
+# Access selinuxfs.
+allow $1 security_t:dir { read search getattr };
+allow $1 security_t:file { getattr read write };
+allow $1 security_t:security setsecparam;
+auditallow $1 security_t:security setsecparam;
+')
+
+##################################
+#
# can_loadpol(domain)
#
# Authorize a domain to load a policy configuration.
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.19.14/macros/global_macros.te
--- nsapolicy/macros/global_macros.te 2004-12-11 06:31:21.000000000 -0500
+++ policy-1.19.14/macros/global_macros.te 2004-12-16 11:48:36.948341546 -0500
@@ -296,13 +296,13 @@
#
# Allows user to define a tunable to disable domain transition
#
-ifdef(`targeted_policy', `
+ifelse(index(`$2',`transitionbool'), -1, `', `
bool $1_disable_trans false;
if ($1_disable_trans) {
can_exec(initrc_t, $1_exec_t)
can_exec(sysadm_t, $1_exec_t)
} else {
-') dnl targeted_policy
+') dnl transitionbool
domain_auto_trans(initrc_t, $1_exec_t, $1_t)
allow initrc_t $1_t:process { noatsecure siginh rlimitinh };
ifdef(`direct_sysadm_daemon', `
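Review bot: `ifelse(index(`$2',`transitionbool'), -1, `', ...` replaces a policy-wide `ifdef(`targeted_policy')` with a per-caller substring test, and in targeted policy only `daemon_domain` (third hunk of this file) adds the word; any domain built on `daemon_base_domain` directly no longer gets its `$1_disable_trans` boolean in targeted, which looks like an unstated behaviour change. The second hunk of this file carries the same test for the closing brace. If the change is intended, a comment at the `ifelse` stating that transitionbool must be passed explicitly (and that daemon_domain does so in targeted) would record it; otherwise `daemon_base_domain` should add the attribute itself under `ifdef(`targeted_policy')`.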
@@ -311,10 +311,9 @@
allow sysadm_t $1_t:process { noatsecure siginh rlimitinh };
')dnl end direct_sysadm_daemon
')dnl end nosysadm
-ifdef(`targeted_policy', `
+ifelse(index(`$2', `transitionbool'), -1, `', `
}
-') dnl targeted_policy
-
+') dnl end transitionbool
ifdef(`direct_sysadm_daemon', `
ifelse(`$3', `nosysadm', `', `
role_transition sysadm_r $1_exec_t system_r;
@@ -340,9 +339,12 @@
allow $1_t var_t:dir search;
allow $1_t $1_var_run_t:dir rw_dir_perms;
')
-
define(`daemon_domain', `
+ifdef(`targeted_policy', `
+daemon_base_domain($1, `$2, transitionbool', $3)
+', `
daemon_base_domain($1, `$2', $3)
+')
# Create pid file.
allow $1_t var_t:dir { getattr search };
var_run_domain($1)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/cdrecord_macros.te policy-1.19.14/macros/program/cdrecord_macros.te
--- nsapolicy/macros/program/cdrecord_macros.te 2004-12-11 06:31:21.000000000 -0500
+++ policy-1.19.14/macros/program/cdrecord_macros.te 2004-12-16 11:48:36.949341436 -0500
@@ -35,6 +35,7 @@
if (use_nfs_home_dirs) {
r_dir_file($1_cdrecord_t, nfs_t)
}
+allow $1_cdrecord_t etc_t:file { getattr read };
# allow searching for cdrom-drive
allow $1_cdrecord_t device_t:dir { getattr search };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/games_domain.te policy-1.19.14/macros/program/games_domain.te
--- nsapolicy/macros/program/games_domain.te 2004-12-02 14:11:43.000000000 -0500
+++ policy-1.19.14/macros/program/games_domain.te 2004-12-16 11:48:36.949341436 -0500
@@ -10,7 +10,7 @@
#
#
define(`games_domain', `
-x_client_domain($1, `games')
+x_client_domain($1, `games', `, transitionbool')
allow $1_games_t var_t:dir { search getattr };
rw_dir_create_file($1_games_t, games_data_t)
allow $1_games_t sound_device_t:chr_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.19.14/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te 2004-12-11 06:31:21.000000000 -0500
+++ policy-1.19.14/macros/program/mozilla_macros.te 2004-12-16 11:48:36.950341325 -0500
@@ -16,7 +16,7 @@
# provided separately in domains/program/mozilla.te.
#
define(`mozilla_domain',`
-x_client_domain($1, mozilla, `, web_client_domain, privlog')
+x_client_domain($1, mozilla, `, web_client_domain, privlog, transitionbool')
allow $1_mozilla_t sound_device_t:chr_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/x_client_macros.te policy-1.19.14/macros/program/x_client_macros.te
--- nsapolicy/macros/program/x_client_macros.te 2004-11-30 05:59:40.000000000 -0500
+++ policy-1.19.14/macros/program/x_client_macros.te 2004-12-16 11:48:36.951341214 -0500
@@ -29,15 +29,19 @@
# Type for files that are read-only for this domain
type $1_$2_ro_t, file_type, $1_file_type, sysadmfile;
-# Transition from the user domain to the derived domain.
-ifelse($2, games, `
-if (! disable_games) {
+ifelse(index(`$3', `transitionbool'), -1, `
domain_auto_trans($1_t, $2_exec_t, $1_$2_t)
can_exec($1_$2_t, $2_exec_t)
-}
', `
+# Only do it once
+ifelse($1, user, `
+bool disable_$2 false;
+')
+# Transition from the user domain to the derived domain.
+if (! disable_$2) {
domain_auto_trans($1_t, $2_exec_t, $1_$2_t)
can_exec($1_$2_t, $2_exec_t)
+}
')
# The user role is authorized for this domain.
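Review bot: `ifelse($1, user, `bool disable_$2 false;')` declares the boolean only when the macro is instantiated for the `user` prefix, so a build that instantiates `$1_$2` domains for staff or sysadm but not for user leaves `if (! disable_$2)` referring to an undeclared boolean and fails to compile. A declare-on-first-use guard avoids the coupling, e.g. replacing the three lines with `ifdef(`disable_$2_declared', `', `define(`disable_$2_declared') bool disable_$2 false;')` (same quoting level as the surrounding ifelse), or the boolean can be declared once in the program's own .te next to its exec type. The name is also inconsistent with the daemon side, which produces `$1_disable_trans` (mozilla_disable_trans) while this produces disable_mozilla; if keeping `disable_games` for compatibility is the reason, a comment should say so.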
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xserver_macros.te policy-1.19.14/macros/program/xserver_macros.te
--- nsapolicy/macros/program/xserver_macros.te 2004-12-11 06:31:21.000000000 -0500
+++ policy-1.19.14/macros/program/xserver_macros.te 2004-12-16 11:48:36.951341214 -0500
@@ -247,6 +247,10 @@
# Allow xserver to read events - the synaptics touchpad
# driver reads raw events
allow $1_xserver_t event_device_t:chr_file rw_file_perms;
+ifdef(`pamconsole.te', `
+allow $1_xserver_t pam_var_console_t:dir search;
+')
+dontaudit $1_xserver_t selinux_config_t:dir search;
allow $1_xserver_t var_lib_t:dir search;
rw_dir_create_file($1_xserver_t, var_lib_xkb_t)
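Review bot: `dontaudit $1_xserver_t selinux_config_t:dir search;` is added without a comment, unlike the rules around it, so a later reader cannot tell whether the X server legitimately probes /etc/selinux (presumably libselinux initialisation) or whether a real denial is being hidden. A line such as `# libselinux init looks under /etc/selinux; the server does not need it - confirm` would keep the dontaudit reviewable.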
diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.19.14/macros/user_macros.te
--- nsapolicy/macros/user_macros.te 2004-12-11 06:31:21.000000000 -0500
+++ policy-1.19.14/macros/user_macros.te 2004-12-16 11:49:34.659954788 -0500
@@ -218,22 +218,6 @@
dontaudit $1_t init_t:fd use;
dontaudit $1_t initrc_t:fd use;
allow $1_t initrc_t:fifo_file write;
-ifdef(`user_can_mount', `
-#
-# Allow users to mount file systems like floppies and cdrom
-#
-mount_domain($1, $1_mount, `, fs_domain')
-r_dir_file($1_t, mnt_t)
-allow $1_mount_t device_t:lnk_file read;
-allow $1_mount_t removable_device_t:blk_file read;
-allow $1_mount_t iso9660_t:filesystem relabelfrom;
-allow $1_mount_t removable_t:filesystem { mount relabelto };
-allow $1_mount_t removable_t:dir mounton;
-ifdef(`xdm.te', `
-allow $1_mount_t xdm_t:fd use;
-allow $1_mount_t xdm_t:fifo_file { read write };
-')
-')
#
# Rules used to associate a homedir as a mountpoint
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.19.14/Makefile
--- nsapolicy/Makefile 2004-12-11 06:31:17.000000000 -0500
+++ policy-1.19.14/Makefile 2004-12-16 11:48:36.953340993 -0500
@@ -26,6 +26,7 @@
INSTALLDIR = $(DESTDIR)/etc/selinux/strict
POLICYPATH = $(INSTALLDIR)/policy
SRCPATH = $(INSTALLDIR)/src
+USERPATH = $(INSTALLDIR)/users
CONTEXTPATH = $(INSTALLDIR)/contexts
LOADPATH = $(POLICYPATH)/$(POLICYVER)
FCPATH = $(CONTEXTPATH)/files/file_contexts
@@ -37,13 +38,13 @@
ALLTEFILES := attrib.te tmp/program_used_flags.te $(ALL_MACROS) $(ALL_TYPES) $(ALL_DOMAINS) assert.te
TE_RBAC_FILES := $(ALLTEFILES) rbac
ALL_TUNABLES := $(wildcard tunables/*.tun )
-
+USER_FILES := users serviceusers
POLICYFILES = $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors)
ifeq ($(MLS),y)
POLICYFILES += mls
endif
POLICYFILES += $(ALL_TUNABLES) $(TE_RBAC_FILES)
-POLICYFILES += users serviceusers
+POLICYFILES += $(USER_FILES)
POLICYFILES += constraints initial_sid_contexts fs_use genfs_contexts net_contexts
UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te)
@@ -54,9 +55,24 @@
APPDIR=$(CONTEXTPATH)
APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts) $(CONTEXTPATH)/files/media
+$(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf
+ @mkdir -p $(USERPATH)
+ @echo "# " > tmp/system.users
+ @echo "# Do not edit this file. " >> tmp/system.users
+ @echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users
+ @echo "# Please edit local.users to make local changes." >> tmp/system.users
+ @echo "#" >> tmp/system.users
+ m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USER_FILES) | grep -v "^#" >> tmp/system.users
+ install -m 644 tmp/system.users $@
+
+$(USERPATH)/local.users: local.users
+ @mkdir -p $(USERPATH)
+ m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USERPATH)/local.users | sed 's/^user/#user/g' >> tmp/local.users
+ install -m 644 tmp/local.users $@
+
ROOTFILES = $(addprefix $(APPDIR)/users/,root)
-install: $(APPFILES) $(ROOTFILES) $(LOADPATH) $(FCPATH)
+install: $(APPFILES) $(ROOTFILES) $(LOADPATH) $(FCPATH) $(USERPATH)/system.users $(USERPATH)/local.users
@echo "Validating file_contexts ..."
$(SETFILES) -q -c $(LOADPATH) $(FCPATH)
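Review bot: The `$(USERPATH)/local.users` rule lists the source `local.users` as its prerequisite but runs m4 over `$(USERPATH)/local.users`, the install destination, which does not exist on a first install; it also appends with `>>` into tmp/local.users, so repeated builds accumulate copies. Change the m4 line to read `local.users` and write with `>` (the system.users rule above truncates first). If the intent was instead to preserve an administrator's installed local.users, the rule should not regenerate it when the target exists, because a reinstall would comment every active user out, contradicting the "Please edit local.users to make local changes" header written just above.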
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.19.14/tunables/distro.tun
--- nsapolicy/tunables/distro.tun 2004-08-20 13:57:29.000000000 -0400
+++ policy-1.19.14/tunables/distro.tun 2004-12-16 11:48:36.953340993 -0500
@@ -5,7 +5,7 @@
# appropriate ifdefs.
-dnl define(`distro_redhat')
+define(`distro_redhat')
dnl define(`distro_suse')
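Review bot: `define(`distro_redhat')` becomes the default for the upstream tree, and the tunable.tun hunk that follows does the same for `unlimitedRPM`, `unlimitedUtils`, `unlimitedRC`, `hide_broken_symptoms` and `user_canbe_sysadm`; by their own comments these make rpm, hotplug/insmod and rc scripts (plus any daemon started without a transition) run unconfined and let user_r reach sysadm_r. These are distribution build settings rather than policy fixes and they loosen the strict policy's defaults for everyone applying the patch. Leave the upstream lines as `dnl define(...)` and set them in the distro build, or split them into a separate patch so the policy changes can be reviewed on their own.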
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.19.14/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun 2004-12-11 06:31:22.000000000 -0500
+++ policy-1.19.14/tunables/tunable.tun 2004-12-16 11:48:36.954340882 -0500
@@ -1,27 +1,24 @@
-# Allow users to execute the mount command
-dnl define(`user_can_mount')
-
# Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
# Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
# Allow rc scripts to run unconfined, including any daemon
# started by an rc script that does not have a domain transition
# explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
# Allow sysadm_t to directly start daemons
define(`direct_sysadm_daemon')
# Do not audit things that we know to be broken but which
# are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
# Allow user_r to reach sysadm_r via su, sudo, or userhelper.
# Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
# Allow xinetd to run unconfined, including any services it starts
# that do not have a domain transition explicitly defined.