|
Dan Walsh |
6b27a2 |
diff -up serefpolicy-3.10.0/policy/global_tunables.denyexecmem serefpolicy-3.10.0/policy/global_tunables
|
|
Dan Walsh |
6b27a2 |
--- serefpolicy-3.10.0/policy/global_tunables.denyexecmem 2011-11-08 16:11:51.764047705 -0500
|
|
Dan Walsh |
6b27a2 |
+++ serefpolicy-3.10.0/policy/global_tunables 2011-11-08 16:11:52.028047558 -0500
|
|
Dan Walsh |
6b27a2 |
@@ -20,10 +20,10 @@ gen_tunable(allow_execheap,false)
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
## <desc>
|
|
Dan Walsh |
6b27a2 |
##
|
|
Dan Walsh |
6b27a2 |
-## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla
|
|
Dan Walsh |
6b27a2 |
+## Deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla
|
|
Dan Walsh |
6b27a2 |
##
|
|
Dan Walsh |
6b27a2 |
## </desc>
|
|
Dan Walsh |
6b27a2 |
-gen_tunable(allow_execmem,false)
|
|
Dan Walsh |
6b27a2 |
+gen_tunable(deny_execmem,false)
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
## <desc>
|
|
Dan Walsh |
6b27a2 |
##
|
|
Dan Walsh |
6b27a2 |
diff -up serefpolicy-3.10.0/policy/modules/admin/rpm.te.denyexecmem serefpolicy-3.10.0/policy/modules/admin/rpm.te
|
|
Dan Walsh |
6b27a2 |
--- serefpolicy-3.10.0/policy/modules/admin/rpm.te.denyexecmem 2011-11-08 16:11:51.771047703 -0500
|
|
Dan Walsh |
6b27a2 |
+++ serefpolicy-3.10.0/policy/modules/admin/rpm.te 2011-11-08 16:11:52.030047557 -0500
|
|
Dan Walsh |
6b27a2 |
@@ -382,7 +382,7 @@ ifdef(`distro_redhat',`
|
|
Dan Walsh |
6b27a2 |
')
|
|
Dan Walsh |
6b27a2 |
')
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
-tunable_policy(`allow_execmem',`
|
|
Dan Walsh |
6b27a2 |
+tunable_policy(`deny_execmem',`',`
|
|
Dan Walsh |
6b27a2 |
allow rpm_script_t self:process execmem;
|
|
Dan Walsh |
6b27a2 |
')
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
diff -up serefpolicy-3.10.0/policy/modules/apps/games.te.denyexecmem serefpolicy-3.10.0/policy/modules/apps/games.te
|
|
Dan Walsh |
6b27a2 |
--- serefpolicy-3.10.0/policy/modules/apps/games.te.denyexecmem 2011-06-27 14:18:04.000000000 -0400
|
|
Dan Walsh |
6b27a2 |
+++ serefpolicy-3.10.0/policy/modules/apps/games.te 2011-11-08 16:11:52.031047556 -0500
|
|
Dan Walsh |
6b27a2 |
@@ -166,7 +166,7 @@ userdom_manage_user_tmp_sockets(games_t)
|
|
Dan Walsh |
6b27a2 |
# Suppress .icons denial until properly implemented
|
|
Dan Walsh |
6b27a2 |
userdom_dontaudit_read_user_home_content_files(games_t)
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
-tunable_policy(`allow_execmem',`
|
|
Dan Walsh |
6b27a2 |
+tunable_policy(`deny_execmem',`', `
|
|
Dan Walsh |
6b27a2 |
allow games_t self:process execmem;
|
|
Dan Walsh |
6b27a2 |
')
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.te.denyexecmem serefpolicy-3.10.0/policy/modules/apps/mozilla.te
|
|
Dan Walsh |
6b27a2 |
--- serefpolicy-3.10.0/policy/modules/apps/mozilla.te.denyexecmem 2011-11-08 16:11:51.786047693 -0500
|
|
Dan Walsh |
6b27a2 |
+++ serefpolicy-3.10.0/policy/modules/apps/mozilla.te 2011-11-08 16:11:52.032047555 -0500
|
|
Dan Walsh |
6b27a2 |
@@ -178,8 +178,12 @@ xserver_user_x_domain_template(mozilla,
|
|
Dan Walsh |
6b27a2 |
xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
|
|
Dan Walsh |
6b27a2 |
xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
-tunable_policy(`allow_execmem',`
|
|
Dan Walsh |
6b27a2 |
- allow mozilla_t self:process { execmem execstack };
|
|
Dan Walsh |
6b27a2 |
+tunable_policy(`allow_execstack',`
|
|
Dan Walsh |
6b27a2 |
+ allow mozilla_t self:process execstack;
|
|
Dan Walsh |
6b27a2 |
+')
|
|
Dan Walsh |
6b27a2 |
+
|
|
Dan Walsh |
6b27a2 |
+tunable_policy(`deny_execmem',`',`
|
|
Dan Walsh |
6b27a2 |
+ allow mozilla_t self:process execmem;
|
|
Dan Walsh |
6b27a2 |
')
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
tunable_policy(`use_nfs_home_dirs',`
|
|
Dan Walsh |
6b27a2 |
@@ -410,12 +414,12 @@ userdom_read_user_home_content_symlinks(
|
|
Dan Walsh |
6b27a2 |
userdom_read_home_certs(mozilla_plugin_t)
|
|
Dan Walsh |
6b27a2 |
userdom_dontaudit_write_home_certs(mozilla_plugin_t)
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
-tunable_policy(`allow_execmem',`
|
|
Dan Walsh |
6b27a2 |
- allow mozilla_plugin_t self:process { execmem execstack };
|
|
Dan Walsh |
6b27a2 |
+tunable_policy(`deny_execmem',`', `
|
|
Dan Walsh |
6b27a2 |
+ allow mozilla_plugin_t self:process execmem;
|
|
Dan Walsh |
6b27a2 |
')
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
tunable_policy(`allow_execstack',`
|
|
Dan Walsh |
6b27a2 |
- allow mozilla_plugin_t self:process { execstack };
|
|
Dan Walsh |
6b27a2 |
+ allow mozilla_plugin_t self:process execstack;
|
|
Dan Walsh |
6b27a2 |
')
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
tunable_policy(`use_nfs_home_dirs',`
|
|
Dan Walsh |
6b27a2 |
diff -up serefpolicy-3.10.0/policy/modules/apps/mplayer.te.denyexecmem serefpolicy-3.10.0/policy/modules/apps/mplayer.te
|
|
Dan Walsh |
6b27a2 |
--- serefpolicy-3.10.0/policy/modules/apps/mplayer.te.denyexecmem 2011-11-08 16:11:51.048048110 -0500
|
|
Dan Walsh |
6b27a2 |
+++ serefpolicy-3.10.0/policy/modules/apps/mplayer.te 2011-11-08 16:11:53.818046549 -0500
|
|
Dan Walsh |
6b27a2 |
@@ -92,7 +92,7 @@ ifndef(`enable_mls',`
|
|
Dan Walsh |
6b27a2 |
fs_read_removable_symlinks(mencoder_t)
|
|
Dan Walsh |
6b27a2 |
')
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
-tunable_policy(`allow_execmem',`
|
|
Dan Walsh |
6b27a2 |
+tunable_policy(`deny_execmem',`',`
|
|
Dan Walsh |
6b27a2 |
allow mencoder_t self:process execmem;
|
|
Dan Walsh |
6b27a2 |
')
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
@@ -252,7 +252,7 @@ ifdef(`enable_mls',`',`
|
|
Dan Walsh |
6b27a2 |
fs_read_removable_symlinks(mplayer_t)
|
|
Dan Walsh |
6b27a2 |
')
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
-tunable_policy(`allow_execmem',`
|
|
Dan Walsh |
6b27a2 |
+tunable_policy(`deny_execmem',`',`
|
|
Dan Walsh |
6b27a2 |
allow mplayer_t self:process execmem;
|
|
Dan Walsh |
6b27a2 |
')
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
diff -up serefpolicy-3.10.0/policy/modules/kernel/corecommands.te.denyexecmem serefpolicy-3.10.0/policy/modules/kernel/corecommands.te
|
|
Dan Walsh |
6b27a2 |
--- serefpolicy-3.10.0/policy/modules/kernel/corecommands.te.denyexecmem 2011-06-27 14:18:04.000000000 -0400
|
|
Dan Walsh |
6b27a2 |
+++ serefpolicy-3.10.0/policy/modules/kernel/corecommands.te 2011-11-08 16:11:52.033047554 -0500
|
|
Dan Walsh |
6b27a2 |
@@ -13,7 +13,7 @@ attribute exec_type;
|
|
Dan Walsh |
6b27a2 |
#
|
|
Dan Walsh |
6b27a2 |
# bin_t is the type of files in the system bin/sbin directories.
|
|
Dan Walsh |
6b27a2 |
#
|
|
Dan Walsh |
6b27a2 |
-type bin_t alias { ls_exec_t sbin_t };
|
|
Dan Walsh |
6b27a2 |
+type bin_t alias { ls_exec_t sbin_t java_exec_t execmem_exec_t mono_exec_t };
|
|
Dan Walsh |
6b27a2 |
corecmd_executable_file(bin_t)
|
|
Dan Walsh |
6b27a2 |
dev_associate(bin_t) #For /dev/MAKEDEV
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
diff -up serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.denyexecmem serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te
|
|
Dan Walsh |
6b27a2 |
--- serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.denyexecmem 2011-11-08 16:11:51.729047726 -0500
|
|
Dan Walsh |
6b27a2 |
+++ serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te 2011-11-08 16:11:52.034047554 -0500
|
|
Dan Walsh |
6b27a2 |
@@ -104,11 +104,11 @@ unconfined_domain_noaudit(unconfined_t)
|
|
Dan Walsh |
6b27a2 |
usermanage_run_passwd(unconfined_t, unconfined_r)
|
|
Dan Walsh |
6b27a2 |
usermanage_run_chfn(unconfined_t, unconfined_r)
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
-tunable_policy(`allow_execmem',`
|
|
Dan Walsh |
6b27a2 |
+tunable_policy(`deny_execmem',`',`
|
|
Dan Walsh |
6b27a2 |
allow unconfined_t self:process execmem;
|
|
Dan Walsh |
6b27a2 |
')
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
-tunable_policy(`allow_execmem && allow_execstack',`
|
|
Dan Walsh |
6b27a2 |
+tunable_policy(`allow_execstack',`
|
|
Dan Walsh |
6b27a2 |
allow unconfined_t self:process execstack;
|
|
Dan Walsh |
6b27a2 |
')
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
@@ -230,7 +230,6 @@ optional_policy(`
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
optional_policy(`
|
|
Dan Walsh |
6b27a2 |
unconfined_domain(unconfined_dbusd_t)
|
|
Dan Walsh |
6b27a2 |
- unconfined_execmem_domtrans(unconfined_dbusd_t)
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
optional_policy(`
|
|
Dan Walsh |
6b27a2 |
xserver_rw_shm(unconfined_dbusd_t)
|
|
Dan Walsh |
6b27a2 |
@@ -389,48 +388,5 @@ optional_policy(`
|
|
Dan Walsh |
6b27a2 |
xserver_manage_home_fonts(unconfined_t)
|
|
Dan Walsh |
6b27a2 |
')
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
-########################################
|
|
Dan Walsh |
6b27a2 |
-#
|
|
Dan Walsh |
6b27a2 |
-# Unconfined Execmem Local policy
|
|
Dan Walsh |
6b27a2 |
-#
|
|
Dan Walsh |
6b27a2 |
-
|
|
Dan Walsh |
6b27a2 |
-optional_policy(`
|
|
Dan Walsh |
6b27a2 |
- execmem_role_template(unconfined, unconfined_r, unconfined_t)
|
|
Dan Walsh |
6b27a2 |
- typealias unconfined_execmem_t alias execmem_t;
|
|
Dan Walsh |
6b27a2 |
- typealias unconfined_execmem_t alias unconfined_openoffice_t;
|
|
Dan Walsh |
6b27a2 |
- unconfined_domain_noaudit(unconfined_execmem_t)
|
|
Dan Walsh |
6b27a2 |
- allow unconfined_execmem_t unconfined_t:process transition;
|
|
Dan Walsh |
6b27a2 |
- rpm_transition_script(unconfined_execmem_t)
|
|
Dan Walsh |
6b27a2 |
- role system_r types unconfined_execmem_t;
|
|
Dan Walsh |
6b27a2 |
-
|
|
Dan Walsh |
6b27a2 |
- optional_policy(`
|
|
Dan Walsh |
6b27a2 |
- init_dbus_chat_script(unconfined_execmem_t)
|
|
Dan Walsh |
6b27a2 |
- dbus_system_bus_client(unconfined_execmem_t)
|
|
Dan Walsh |
6b27a2 |
- unconfined_dbus_chat(unconfined_execmem_t)
|
|
Dan Walsh |
6b27a2 |
- unconfined_dbus_connect(unconfined_execmem_t)
|
|
Dan Walsh |
6b27a2 |
- ')
|
|
Dan Walsh |
6b27a2 |
-
|
|
Dan Walsh |
6b27a2 |
- optional_policy(`
|
|
Dan Walsh |
6b27a2 |
- tunable_policy(`allow_unconfined_nsplugin_transition',`', `
|
|
Dan Walsh |
6b27a2 |
- nsplugin_exec_domtrans(unconfined_t, unconfined_execmem_t)
|
|
Dan Walsh |
6b27a2 |
- ')
|
|
Dan Walsh |
6b27a2 |
- ')
|
|
Dan Walsh |
6b27a2 |
-
|
|
Dan Walsh |
6b27a2 |
- optional_policy(`
|
|
Dan Walsh |
6b27a2 |
- tunable_policy(`unconfined_login',`
|
|
Dan Walsh |
6b27a2 |
- mplayer_exec_domtrans(unconfined_t, unconfined_execmem_t)
|
|
Dan Walsh |
6b27a2 |
- ')
|
|
Dan Walsh |
6b27a2 |
- ')
|
|
Dan Walsh |
6b27a2 |
-
|
|
Dan Walsh |
6b27a2 |
- optional_policy(`
|
|
Dan Walsh |
6b27a2 |
- openoffice_exec_domtrans(unconfined_t, unconfined_execmem_t)
|
|
Dan Walsh |
6b27a2 |
- ')
|
|
Dan Walsh |
6b27a2 |
-')
|
|
Dan Walsh |
6b27a2 |
-
|
|
Dan Walsh |
6b27a2 |
-########################################
|
|
Dan Walsh |
6b27a2 |
-#
|
|
Dan Walsh |
6b27a2 |
-# Unconfined mount local policy
|
|
Dan Walsh |
6b27a2 |
-#
|
|
Dan Walsh |
6b27a2 |
-
|
|
Dan Walsh |
6b27a2 |
gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
diff -up serefpolicy-3.10.0/policy/modules/services/postgresql.te.denyexecmem serefpolicy-3.10.0/policy/modules/services/postgresql.te
|
|
Dan Walsh |
6b27a2 |
--- serefpolicy-3.10.0/policy/modules/services/postgresql.te.denyexecmem 2011-11-08 16:11:51.439047890 -0500
|
|
Dan Walsh |
6b27a2 |
+++ serefpolicy-3.10.0/policy/modules/services/postgresql.te 2011-11-08 16:11:52.035047553 -0500
|
|
Dan Walsh |
6b27a2 |
@@ -329,7 +329,7 @@ userdom_dontaudit_use_user_terminals(pos
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
mta_getattr_spool(postgresql_t)
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
-tunable_policy(`allow_execmem',`
|
|
Dan Walsh |
6b27a2 |
+tunable_policy(`deny_execmem',`',`
|
|
Dan Walsh |
6b27a2 |
allow postgresql_t self:process execmem;
|
|
Dan Walsh |
6b27a2 |
')
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
diff -up serefpolicy-3.10.0/policy/modules/services/xserver.te.denyexecmem serefpolicy-3.10.0/policy/modules/services/xserver.te
|
|
Dan Walsh |
6b27a2 |
--- serefpolicy-3.10.0/policy/modules/services/xserver.te.denyexecmem 2011-11-08 16:11:51.969047589 -0500
|
|
Dan Walsh |
6b27a2 |
+++ serefpolicy-3.10.0/policy/modules/services/xserver.te 2011-11-08 16:11:52.037047551 -0500
|
|
Dan Walsh |
6b27a2 |
@@ -1412,7 +1412,7 @@ tunable_policy(`allow_xserver_execmem',`
|
|
Dan Walsh |
6b27a2 |
')
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
# Hack to handle the problem of using the nvidia blobs
|
|
Dan Walsh |
6b27a2 |
-tunable_policy(`allow_execmem',`
|
|
Dan Walsh |
6b27a2 |
+tunable_policy(`deny_execmem',`',`
|
|
Dan Walsh |
6b27a2 |
allow xdm_t self:process execmem;
|
|
Dan Walsh |
6b27a2 |
')
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
diff -up serefpolicy-3.10.0/policy/modules/system/unconfined.if.denyexecmem serefpolicy-3.10.0/policy/modules/system/unconfined.if
|
|
Dan Walsh |
6b27a2 |
--- serefpolicy-3.10.0/policy/modules/system/unconfined.if.denyexecmem 2011-11-08 16:11:51.983047584 -0500
|
|
Dan Walsh |
6b27a2 |
+++ serefpolicy-3.10.0/policy/modules/system/unconfined.if 2011-11-08 16:11:52.038047550 -0500
|
|
Dan Walsh |
6b27a2 |
@@ -63,16 +63,14 @@ interface(`unconfined_domain_noaudit',`
|
|
Dan Walsh |
6b27a2 |
allow $1 self:process execheap;
|
|
Dan Walsh |
6b27a2 |
')
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
- tunable_policy(`allow_execmem',`
|
|
Dan Walsh |
6b27a2 |
+ tunable_policy(`deny_execmem',`',`
|
|
Dan Walsh |
6b27a2 |
# Allow making anonymous memory executable, e.g.
|
|
Dan Walsh |
6b27a2 |
# for runtime-code generation or executable stack.
|
|
Dan Walsh |
6b27a2 |
allow $1 self:process execmem;
|
|
Dan Walsh |
6b27a2 |
')
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
tunable_policy(`allow_execstack',`
|
|
Dan Walsh |
6b27a2 |
- # Allow making the stack executable via mprotect;
|
|
Dan Walsh |
6b27a2 |
- # execstack implies execmem;
|
|
Dan Walsh |
6b27a2 |
- allow $1 self:process { execstack execmem };
|
|
Dan Walsh |
6b27a2 |
+ allow $1 self:process execstack;
|
|
Dan Walsh |
6b27a2 |
# auditallow $1 self:process execstack;
|
|
Dan Walsh |
6b27a2 |
')
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if.denyexecmem serefpolicy-3.10.0/policy/modules/system/userdomain.if
|
|
Dan Walsh |
6b27a2 |
--- serefpolicy-3.10.0/policy/modules/system/userdomain.if.denyexecmem 2011-11-08 16:11:51.986047581 -0500
|
|
Dan Walsh |
6b27a2 |
+++ serefpolicy-3.10.0/policy/modules/system/userdomain.if 2011-11-08 16:11:52.041047550 -0500
|
|
Dan Walsh |
6b27a2 |
@@ -149,12 +149,12 @@ template(`userdom_base_user_template',`
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
systemd_dbus_chat_logind($1_usertype)
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
- tunable_policy(`allow_execmem',`
|
|
Dan Walsh |
6b27a2 |
+ tunable_policy(`deny_execmem',`', `
|
|
Dan Walsh |
6b27a2 |
# Allow loading DSOs that require executable stack.
|
|
Dan Walsh |
6b27a2 |
allow $1_t self:process execmem;
|
|
Dan Walsh |
6b27a2 |
')
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
- tunable_policy(`allow_execmem && allow_execstack',`
|
|
Dan Walsh |
6b27a2 |
+ tunable_policy(`allow_execstack',`
|
|
Dan Walsh |
6b27a2 |
# Allow making the stack executable via mprotect.
|
|
Dan Walsh |
6b27a2 |
allow $1_t self:process execstack;
|
|
Dan Walsh |
6b27a2 |
')
|
|
Dan Walsh |
6b27a2 |
diff -up serefpolicy-3.10.0/policy/modules/apps/mplayer.te~ serefpolicy-3.10.0/policy/modules/apps/mplayer.te
|
|
Dan Walsh |
6b27a2 |
diff -up serefpolicy-3.10.0/policy/modules/apps/sandbox.te~ serefpolicy-3.10.0/policy/modules/apps/sandbox.te
|
|
Dan Walsh |
6b27a2 |
--- serefpolicy-3.10.0/policy/modules/apps/sandbox.te~ 2011-11-08 16:12:17.701033064 -0500
|
|
Dan Walsh |
6b27a2 |
+++ serefpolicy-3.10.0/policy/modules/apps/sandbox.te 2011-11-08 16:24:21.364582225 -0500
|
|
Dan Walsh |
6b27a2 |
@@ -40,7 +40,12 @@ files_type(sandbox_devpts_t)
|
|
Dan Walsh |
6b27a2 |
#
|
|
Dan Walsh |
6b27a2 |
# sandbox xserver policy
|
|
Dan Walsh |
6b27a2 |
#
|
|
Dan Walsh |
6b27a2 |
-allow sandbox_xserver_t self:process { execmem execstack };
|
|
Dan Walsh |
6b27a2 |
+allow sandbox_xserver_t self:process execstack;
|
|
Dan Walsh |
6b27a2 |
+
|
|
Dan Walsh |
6b27a2 |
+tunable_policy(`deny_execmem',`',`
|
|
Dan Walsh |
6b27a2 |
+ allow sandbox_xserver_t self:process execmem;
|
|
Dan Walsh |
6b27a2 |
+')
|
|
Dan Walsh |
6b27a2 |
+
|
|
Dan Walsh |
6b27a2 |
allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms;
|
|
Dan Walsh |
6b27a2 |
allow sandbox_xserver_t self:shm create_shm_perms;
|
|
Dan Walsh |
6b27a2 |
allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms;
|
|
Dan Walsh |
6b27a2 |
@@ -119,7 +124,11 @@ optional_policy(`
|
|
Dan Walsh |
6b27a2 |
# sandbox local policy
|
|
Dan Walsh |
6b27a2 |
#
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
-allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack execmem };
|
|
Dan Walsh |
6b27a2 |
+allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack };
|
|
Dan Walsh |
6b27a2 |
+tunable_policy(`deny_execmem',`',`
|
|
Dan Walsh |
6b27a2 |
+ allow sandbox_domain self:process execmem;
|
|
Dan Walsh |
6b27a2 |
+')
|
|
Dan Walsh |
6b27a2 |
+
|
|
Dan Walsh |
6b27a2 |
allow sandbox_domain self:fifo_file manage_file_perms;
|
|
Dan Walsh |
6b27a2 |
allow sandbox_domain self:sem create_sem_perms;
|
|
Dan Walsh |
6b27a2 |
allow sandbox_domain self:shm create_shm_perms;
|
|
Dan Walsh |
6b27a2 |
@@ -168,7 +177,11 @@ mta_dontaudit_read_spool_symlinks(sandbo
|
|
Dan Walsh |
6b27a2 |
#
|
|
Dan Walsh |
6b27a2 |
# sandbox_x_domain local policy
|
|
Dan Walsh |
6b27a2 |
#
|
|
Dan Walsh |
6b27a2 |
-allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack execmem };
|
|
Dan Walsh |
6b27a2 |
+allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack };
|
|
Dan Walsh |
6b27a2 |
+tunable_policy(`deny_execmem',`',`
|
|
Dan Walsh |
6b27a2 |
+ allow sandbox_x_domain self:process execmem;
|
|
Dan Walsh |
6b27a2 |
+')
|
|
Dan Walsh |
6b27a2 |
+
|
|
Dan Walsh |
6b27a2 |
allow sandbox_x_domain self:fifo_file manage_file_perms;
|
|
Dan Walsh |
6b27a2 |
allow sandbox_x_domain self:sem create_sem_perms;
|
|
Dan Walsh |
6b27a2 |
allow sandbox_x_domain self:shm create_shm_perms;
|
|
Dan Walsh |
6b27a2 |
diff -up serefpolicy-3.10.0/policy/modules/apps/thumb.te~ serefpolicy-3.10.0/policy/modules/apps/thumb.te
|
|
Dan Walsh |
6b27a2 |
--- serefpolicy-3.10.0/policy/modules/apps/thumb.te~ 2011-11-08 16:12:17.709033060 -0500
|
|
Dan Walsh |
6b27a2 |
+++ serefpolicy-3.10.0/policy/modules/apps/thumb.te 2011-11-08 16:23:18.017395117 -0500
|
|
Dan Walsh |
6b27a2 |
@@ -19,7 +19,12 @@ ubac_constrained(thumb_tmp_t)
|
|
Dan Walsh |
6b27a2 |
# thumb local policy
|
|
Dan Walsh |
6b27a2 |
#
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
-allow thumb_t self:process { setsched signal setrlimit execmem };
|
|
Dan Walsh |
6b27a2 |
+allow thumb_t self:process { setsched signal setrlimit };
|
|
Dan Walsh |
6b27a2 |
+
|
|
Dan Walsh |
6b27a2 |
+tunable_policy(`deny_execmem',`',`
|
|
Dan Walsh |
6b27a2 |
+ allow thumb_t self:process execmem;
|
|
Dan Walsh |
6b27a2 |
+')
|
|
Dan Walsh |
6b27a2 |
+
|
|
Dan Walsh |
6b27a2 |
allow thumb_t self:fifo_file manage_fifo_file_perms;
|
|
Dan Walsh |
6b27a2 |
allow thumb_t self:unix_stream_socket create_stream_socket_perms;
|
|
Dan Walsh |
6b27a2 |
allow thumb_t self:netlink_route_socket r_netlink_socket_perms;
|
|
Dan Walsh |
6b27a2 |
diff -up serefpolicy-3.10.0/policy/modules/roles/xguest.te~ serefpolicy-3.10.0/policy/modules/roles/xguest.te
|
|
Dan Walsh |
6b27a2 |
--- serefpolicy-3.10.0/policy/modules/roles/xguest.te~ 2011-11-08 16:12:18.349032697 -0500
|
|
Dan Walsh |
6b27a2 |
+++ serefpolicy-3.10.0/policy/modules/roles/xguest.te 2011-11-08 16:21:44.303111563 -0500
|
|
Dan Walsh |
6b27a2 |
@@ -54,7 +54,6 @@ optional_policy(`
|
|
Dan Walsh |
6b27a2 |
mount_dontaudit_exec_fusermount(xguest_t)
|
|
Dan Walsh |
6b27a2 |
')
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
-allow xguest_t self:process execmem;
|
|
Dan Walsh |
6b27a2 |
kernel_dontaudit_request_load_module(xguest_t)
|
|
Dan Walsh |
6b27a2 |
|
|
Dan Walsh |
6b27a2 |
tunable_policy(`allow_execstack',`
|