fixes just so sediff is easier to handle
This commit is contained in:
parent
b488014fd7
commit
73ef293bc5
|
@ -206,6 +206,18 @@ template(`su_per_userdomain_template',`
|
|||
userdom_use_user_terminals($1,$1_su_t)
|
||||
userdom_search_user_home($1,$1_su_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
corecmd_exec_bin($1_su_t)
|
||||
userdom_manage_all_user_files($1_su_t)
|
||||
userdom_manage_all_user_symlinks($1_su_t)
|
||||
|
||||
# newrole does not make any sense in
|
||||
# the targeted policy. This is to
|
||||
# make sediff easier.
|
||||
if(!secure_mode) {
|
||||
unconfined_domtrans($1_su_t)
|
||||
}
|
||||
',`
|
||||
if(secure_mode) {
|
||||
# Only allow transitions to unprivileged user domains.
|
||||
userdom_spec_domtrans_unpriv_users($1_su_t)
|
||||
|
@ -213,11 +225,6 @@ template(`su_per_userdomain_template',`
|
|||
# Allow transitions to all user domains
|
||||
userdom_spec_domtrans_all_users($1_su_t)
|
||||
}
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
corecmd_exec_bin($1_su_t)
|
||||
userdom_manage_all_user_files($1_su_t)
|
||||
userdom_manage_all_user_symlinks($1_su_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
|
|
|
@ -660,7 +660,7 @@ interface(`fs_execute_cifs_files',`
|
|||
## The type of the domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_read_cifs_files',`
|
||||
interface(`fs_dontaudit_read_cifs_files',`
|
||||
gen_require(`
|
||||
type cifs_t;
|
||||
class file { read write };
|
||||
|
|
|
@ -184,6 +184,8 @@ optional_policy(`inetd.te',`
|
|||
# inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
|
||||
#')
|
||||
|
||||
inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
|
||||
|
||||
optional_policy(`tcpd.te',`
|
||||
tunable_policy(`! ftpd_is_daemon',`
|
||||
tcpd_domtrans(tcpd_t)
|
||||
|
|
|
@ -263,13 +263,22 @@ userdom_use_unpriv_users_fd(newrole_t)
|
|||
# for some PAM modules and for cwd
|
||||
userdom_dontaudit_search_all_users_home(newrole_t)
|
||||
|
||||
# if secure mode is enabled, then newrole
|
||||
# can only transition to unprivileged users
|
||||
if(secure_mode) {
|
||||
ifdef(`targeted_policy',`
|
||||
# newrole does not make any sense in
|
||||
# the targeted policy. This is to
|
||||
# make sediff easier.
|
||||
if(!secure_mode) {
|
||||
unconfined_domtrans(newrole_t)
|
||||
}
|
||||
',`
|
||||
# if secure mode is enabled, then newrole
|
||||
# can only transition to unprivileged users
|
||||
if(secure_mode) {
|
||||
userdom_spec_domtrans_unpriv_users(newrole_t)
|
||||
} else {
|
||||
} else {
|
||||
userdom_spec_domtrans_all_users(newrole_t)
|
||||
}
|
||||
}
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(newrole_t)
|
||||
|
|
Loading…
Reference in New Issue