Partial merge of RedHat rpc changes (mostly a few read permissions and a couple of dontaudit rules). Depends on policy_modules_kernel_storage.patch
Index: refpolicy/policy/modules/services/rpc.te
===================================================================
--- refpolicy.orig/policy/modules/services/rpc.te	2008-08-03 18:18:31.000000000 +0200
+++ refpolicy/policy/modules/services/rpc.te	2008-08-04 13:18:47.000000000 +0200
@@ -62,10 +62,10 @@
 # rpc.statd executes sm-notify
 can_exec(rpcd_t, rpcd_exec_t)
-corecmd_search_bin(rpcd_t)
+corecmd_exec_bin(rpcd_t)
 kernel_read_system_state(rpcd_t)
-kernel_search_network_state(rpcd_t)
+kernel_read_network_state(rpcd_t)
 # for rpc.rquotad
 kernel_read_sysctl(rpcd_t)
 kernel_rw_fs_sysctls(rpcd_t)
@@ -82,6 +82,7 @@
 miscfiles_read_certs(rpcd_t)
 seutil_dontaudit_search_config(rpcd_t)
+selinux_dontaudit_read_fs(rpcd_t)
 optional_policy(`
 	nis_read_ypserv_config(rpcd_t)
@@ -97,6 +98,12 @@
 allow nfsd_t exports_t:file { getattr read };
 allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
+dev_dontaudit_getattr_all_blk_files(nfsd_t)
+dev_dontaudit_getattr_all_chr_files(nfsd_t)
+
+dev_rw_lvm_control(nfsd_t)
+storage_dontaudit_raw_read_fixed_disk(nfsd_t)
+
 # for /proc/fs/nfs/exports - should we have a new type?
 kernel_read_system_state(nfsd_t)
 kernel_read_network_state(nfsd_t)
@@ -107,6 +114,7 @@
 fs_mount_nfsd_fs(nfsd_t)
 fs_search_nfsd_fs(nfsd_t)
 fs_getattr_all_fs(nfsd_t)
+fs_getattr_all_dirs(nfsd_t)
 fs_rw_nfsd_fs(nfsd_t)
 term_use_controlling_term(nfsd_t)
@@ -149,6 +157,7 @@
 manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
 files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
+kernel_read_system_state(gssd_t)
 kernel_read_network_state(gssd_t)
 kernel_read_network_state_symlinks(gssd_t)
 kernel_search_network_sysctl(gssd_t)
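Review bot: `corecmd_exec_bin(rpcd_t)` in the first hunk widens rpcd_t from searching bin directories to executing every bin_t binary, while the only justification visible is the comment about sm-notify, which `can_exec(rpcd_t, rpcd_exec_t)` already covers. If a specific helper in bin_t is what triggers the denial, naming it keeps the grant narrowable later, e.g. `# rpcd_t execs <helper> from bin_t — confirm which binary needs this`. The `kernel_read_network_state(rpcd_t)` widening is in line with the other rpc domains in this file and needs no comment.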
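Review bot: `dev_rw_lvm_control(nfsd_t)` in the `@@ -97,6 +98,12 @@` hunk is the one grant in that group that is neither getattr nor dontaudit, and the description ("mostly a few read permissions and a couple of dontaudit rules") does not account for it; it gives the nfsd domain read/write on the device-mapper control node, a much larger privilege than the surrounding rules. If the underlying denial is only a probe of exported block devices, a dontaudit or read-only interface would be the narrower fit, matching `storage_dontaudit_raw_read_fixed_disk(nfsd_t)` two lines below. Otherwise a comment should record the need, e.g. `# presumably rpc.mountd/exportfs probes devices when computing export fsids — confirm rw on lvm control is required`.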
@@ -162,6 +171,9 @@
 files_list_tmp(gssd_t)
 files_read_usr_symlinks(gssd_t)
+auth_use_nsswitch(gssd_t)
+auth_manage_cache(gssd_t)
+
 miscfiles_read_certs(gssd_t)
 tunable_policy(`allow_gssd_read_tmp',`
--
David Härdeman
--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
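Review bot: `auth_manage_cache(gssd_t)` grants create/write/unlink on the shared auth_cache_t location rather than read access, and neither the hunk nor the commit message says what gssd stores there, so the grant cannot be checked against need. A one-line comment above the two auth_ calls would make it reviewable, e.g. `# rpc.gssd resolves names via nsswitch and writes its credential cache under auth_cache_t — confirm`. The `tunable_policy(` block on the last context line continues outside the hunk.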