- Adopt swift changes from lhh@redhat.com
- Add rhcs_manage_cluster_pid_files() interface - Allow screen domains to configure tty and set up sock_file in ~/.screen directory - Allow setroubleshoot to read default_context_t, needed to backport to F18 - Label /etc/owncloud as being an apache writable directory - Allow sshd to stream connect to an lxc domain
parent
06b84e3300
commit
00d1b82850
|
@ -17465,7 +17465,7 @@ index 9d2f311..9e87525 100644
|
||||||
+ postgresql_filetrans_named_content($1)
|
+ postgresql_filetrans_named_content($1)
|
||||||
')
|
')
|
||||||
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
|
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
|
||||||
index 346d011..a00f4ea 100644
|
index 346d011..3e23acb 100644
|
||||||
--- a/policy/modules/services/postgresql.te
|
--- a/policy/modules/services/postgresql.te
|
||||||
+++ b/policy/modules/services/postgresql.te
|
+++ b/policy/modules/services/postgresql.te
|
||||||
@@ -19,25 +19,32 @@ gen_require(`
|
@@ -19,25 +19,32 @@ gen_require(`
|
||||||
|
@ -17578,7 +17578,7 @@ index 346d011..a00f4ea 100644
|
||||||
|
|
||||||
-tunable_policy(`allow_execmem',`
|
-tunable_policy(`allow_execmem',`
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ rgmanager_manage_pid_files(postgresql_t)
|
+ rhcs_manage_cluster_pid_files(postgresql_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+tunable_policy(`deny_execmem',`',`
|
+tunable_policy(`deny_execmem',`',`
|
||||||
|
@ -18333,7 +18333,7 @@ index fe0c682..da12170 100644
|
||||||
+ allow $1 sshd_devpts_t:chr_file rw_inherited_chr_file_perms;
|
+ allow $1 sshd_devpts_t:chr_file rw_inherited_chr_file_perms;
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
|
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
|
||||||
index 5fc0391..ab68072 100644
|
index 5fc0391..3540387 100644
|
||||||
--- a/policy/modules/services/ssh.te
|
--- a/policy/modules/services/ssh.te
|
||||||
+++ b/policy/modules/services/ssh.te
|
+++ b/policy/modules/services/ssh.te
|
||||||
@@ -6,44 +6,52 @@ policy_module(ssh, 2.3.3)
|
@@ -6,44 +6,52 @@ policy_module(ssh, 2.3.3)
|
||||||
|
@ -18661,7 +18661,7 @@ index 5fc0391..ab68072 100644
|
||||||
rpm_use_script_fds(sshd_t)
|
rpm_use_script_fds(sshd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -279,13 +335,68 @@ optional_policy(`
|
@@ -279,13 +335,69 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -18697,6 +18697,7 @@ index 5fc0391..ab68072 100644
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
+ kernel_write_proc_files(sshd_t)
|
+ kernel_write_proc_files(sshd_t)
|
||||||
+ virt_transition_svirt_lxc(sshd_t, system_r)
|
+ virt_transition_svirt_lxc(sshd_t, system_r)
|
||||||
|
+ virt_stream_connect_lxc(sshd_t)
|
||||||
+ virt_stream_connect(sshd_t)
|
+ virt_stream_connect(sshd_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
@ -18730,7 +18731,7 @@ index 5fc0391..ab68072 100644
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# ssh_keygen local policy
|
# ssh_keygen local policy
|
||||||
@@ -294,19 +405,26 @@ optional_policy(`
|
@@ -294,19 +406,26 @@ optional_policy(`
|
||||||
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
|
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
|
||||||
# and by sysadm_t
|
# and by sysadm_t
|
||||||
|
|
||||||
|
@ -18758,7 +18759,7 @@ index 5fc0391..ab68072 100644
|
||||||
dev_read_urand(ssh_keygen_t)
|
dev_read_urand(ssh_keygen_t)
|
||||||
|
|
||||||
term_dontaudit_use_console(ssh_keygen_t)
|
term_dontaudit_use_console(ssh_keygen_t)
|
||||||
@@ -323,6 +441,12 @@ auth_use_nsswitch(ssh_keygen_t)
|
@@ -323,6 +442,12 @@ auth_use_nsswitch(ssh_keygen_t)
|
||||||
logging_send_syslog_msg(ssh_keygen_t)
|
logging_send_syslog_msg(ssh_keygen_t)
|
||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
|
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
|
||||||
|
@ -18771,7 +18772,7 @@ index 5fc0391..ab68072 100644
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
seutil_sigchld_newrole(ssh_keygen_t)
|
seutil_sigchld_newrole(ssh_keygen_t)
|
||||||
@@ -331,3 +455,138 @@ optional_policy(`
|
@@ -331,3 +456,138 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
udev_read_db(ssh_keygen_t)
|
udev_read_db(ssh_keygen_t)
|
||||||
')
|
')
|
||||||
|
@ -20444,7 +20445,7 @@ index 6bf0ecc..8a8ed32 100644
|
||||||
+ files_search_tmp($1)
|
+ files_search_tmp($1)
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
|
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
|
||||||
index 2696452..2964047 100644
|
index 2696452..7a3a6c0 100644
|
||||||
--- a/policy/modules/services/xserver.te
|
--- a/policy/modules/services/xserver.te
|
||||||
+++ b/policy/modules/services/xserver.te
|
+++ b/policy/modules/services/xserver.te
|
||||||
@@ -26,27 +26,50 @@ gen_require(`
|
@@ -26,27 +26,50 @@ gen_require(`
|
||||||
|
@ -20978,7 +20979,7 @@ index 2696452..2964047 100644
|
||||||
|
|
||||||
files_read_etc_files(xdm_t)
|
files_read_etc_files(xdm_t)
|
||||||
files_read_var_files(xdm_t)
|
files_read_var_files(xdm_t)
|
||||||
@@ -430,9 +587,26 @@ files_list_mnt(xdm_t)
|
@@ -430,9 +587,27 @@ files_list_mnt(xdm_t)
|
||||||
files_read_usr_files(xdm_t)
|
files_read_usr_files(xdm_t)
|
||||||
# Poweroff wants to create the /poweroff file when run from xdm
|
# Poweroff wants to create the /poweroff file when run from xdm
|
||||||
files_create_boot_flag(xdm_t)
|
files_create_boot_flag(xdm_t)
|
||||||
|
@ -20989,6 +20990,7 @@ index 2696452..2964047 100644
|
||||||
+files_dontaudit_getattr_all_symlinks(xdm_t)
|
+files_dontaudit_getattr_all_symlinks(xdm_t)
|
||||||
+files_dontaudit_getattr_all_tmp_sockets(xdm_t)
|
+files_dontaudit_getattr_all_tmp_sockets(xdm_t)
|
||||||
+files_dontaudit_all_access_check(xdm_t)
|
+files_dontaudit_all_access_check(xdm_t)
|
||||||
|
+files_dontaudit_list_non_security(xdm_t)
|
||||||
|
|
||||||
fs_getattr_all_fs(xdm_t)
|
fs_getattr_all_fs(xdm_t)
|
||||||
fs_search_auto_mountpoints(xdm_t)
|
fs_search_auto_mountpoints(xdm_t)
|
||||||
|
@ -21005,7 +21007,7 @@ index 2696452..2964047 100644
|
||||||
|
|
||||||
storage_dontaudit_read_fixed_disk(xdm_t)
|
storage_dontaudit_read_fixed_disk(xdm_t)
|
||||||
storage_dontaudit_write_fixed_disk(xdm_t)
|
storage_dontaudit_write_fixed_disk(xdm_t)
|
||||||
@@ -441,28 +615,40 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
|
@@ -441,28 +616,40 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
|
||||||
storage_dontaudit_raw_write_removable_device(xdm_t)
|
storage_dontaudit_raw_write_removable_device(xdm_t)
|
||||||
storage_dontaudit_setattr_removable_dev(xdm_t)
|
storage_dontaudit_setattr_removable_dev(xdm_t)
|
||||||
storage_dontaudit_rw_scsi_generic(xdm_t)
|
storage_dontaudit_rw_scsi_generic(xdm_t)
|
||||||
|
@ -21049,7 +21051,7 @@ index 2696452..2964047 100644
|
||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
|
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
|
||||||
userdom_create_all_users_keys(xdm_t)
|
userdom_create_all_users_keys(xdm_t)
|
||||||
@@ -471,24 +657,43 @@ userdom_read_user_home_content_files(xdm_t)
|
@@ -471,24 +658,43 @@ userdom_read_user_home_content_files(xdm_t)
|
||||||
# Search /proc for any user domain processes.
|
# Search /proc for any user domain processes.
|
||||||
userdom_read_all_users_state(xdm_t)
|
userdom_read_all_users_state(xdm_t)
|
||||||
userdom_signal_all_users(xdm_t)
|
userdom_signal_all_users(xdm_t)
|
||||||
|
@ -21099,7 +21101,7 @@ index 2696452..2964047 100644
|
||||||
tunable_policy(`xdm_sysadm_login',`
|
tunable_policy(`xdm_sysadm_login',`
|
||||||
userdom_xsession_spec_domtrans_all_users(xdm_t)
|
userdom_xsession_spec_domtrans_all_users(xdm_t)
|
||||||
# FIXME:
|
# FIXME:
|
||||||
@@ -502,11 +707,26 @@ tunable_policy(`xdm_sysadm_login',`
|
@@ -502,11 +708,26 @@ tunable_policy(`xdm_sysadm_login',`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -21126,7 +21128,7 @@ index 2696452..2964047 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -514,12 +734,72 @@ optional_policy(`
|
@@ -514,12 +735,72 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -21199,7 +21201,7 @@ index 2696452..2964047 100644
|
||||||
hostname_exec(xdm_t)
|
hostname_exec(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -537,28 +817,78 @@ optional_policy(`
|
@@ -537,28 +818,78 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -21287,7 +21289,7 @@ index 2696452..2964047 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -570,6 +900,14 @@ optional_policy(`
|
@@ -570,6 +901,14 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -21302,7 +21304,7 @@ index 2696452..2964047 100644
|
||||||
xfs_stream_connect(xdm_t)
|
xfs_stream_connect(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -594,8 +932,11 @@ allow xserver_t input_xevent_t:x_event send;
|
@@ -594,8 +933,11 @@ allow xserver_t input_xevent_t:x_event send;
|
||||||
# execheap needed until the X module loader is fixed.
|
# execheap needed until the X module loader is fixed.
|
||||||
# NVIDIA Needs execstack
|
# NVIDIA Needs execstack
|
||||||
|
|
||||||
|
@ -21315,7 +21317,7 @@ index 2696452..2964047 100644
|
||||||
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||||
allow xserver_t self:fd use;
|
allow xserver_t self:fd use;
|
||||||
allow xserver_t self:fifo_file rw_fifo_file_perms;
|
allow xserver_t self:fifo_file rw_fifo_file_perms;
|
||||||
@@ -608,8 +949,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
|
@@ -608,8 +950,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||||
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||||
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow xserver_t self:udp_socket create_socket_perms;
|
allow xserver_t self:udp_socket create_socket_perms;
|
||||||
|
@ -21331,7 +21333,7 @@ index 2696452..2964047 100644
|
||||||
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
@@ -628,12 +976,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
@@ -628,12 +977,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||||
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||||
files_search_var_lib(xserver_t)
|
files_search_var_lib(xserver_t)
|
||||||
|
|
||||||
|
@ -21353,7 +21355,7 @@ index 2696452..2964047 100644
|
||||||
|
|
||||||
kernel_read_system_state(xserver_t)
|
kernel_read_system_state(xserver_t)
|
||||||
kernel_read_device_sysctls(xserver_t)
|
kernel_read_device_sysctls(xserver_t)
|
||||||
@@ -641,12 +996,12 @@ kernel_read_modprobe_sysctls(xserver_t)
|
@@ -641,12 +997,12 @@ kernel_read_modprobe_sysctls(xserver_t)
|
||||||
# Xorg wants to check if kernel is tainted
|
# Xorg wants to check if kernel is tainted
|
||||||
kernel_read_kernel_sysctls(xserver_t)
|
kernel_read_kernel_sysctls(xserver_t)
|
||||||
kernel_write_proc_files(xserver_t)
|
kernel_write_proc_files(xserver_t)
|
||||||
|
@ -21367,7 +21369,7 @@ index 2696452..2964047 100644
|
||||||
corenet_all_recvfrom_netlabel(xserver_t)
|
corenet_all_recvfrom_netlabel(xserver_t)
|
||||||
corenet_tcp_sendrecv_generic_if(xserver_t)
|
corenet_tcp_sendrecv_generic_if(xserver_t)
|
||||||
corenet_udp_sendrecv_generic_if(xserver_t)
|
corenet_udp_sendrecv_generic_if(xserver_t)
|
||||||
@@ -667,23 +1022,27 @@ dev_rw_apm_bios(xserver_t)
|
@@ -667,23 +1023,27 @@ dev_rw_apm_bios(xserver_t)
|
||||||
dev_rw_agp(xserver_t)
|
dev_rw_agp(xserver_t)
|
||||||
dev_rw_framebuffer(xserver_t)
|
dev_rw_framebuffer(xserver_t)
|
||||||
dev_manage_dri_dev(xserver_t)
|
dev_manage_dri_dev(xserver_t)
|
||||||
|
@ -21398,7 +21400,7 @@ index 2696452..2964047 100644
|
||||||
|
|
||||||
# brought on by rhgb
|
# brought on by rhgb
|
||||||
files_search_mnt(xserver_t)
|
files_search_mnt(xserver_t)
|
||||||
@@ -694,8 +1053,13 @@ fs_getattr_xattr_fs(xserver_t)
|
@@ -694,8 +1054,13 @@ fs_getattr_xattr_fs(xserver_t)
|
||||||
fs_search_nfs(xserver_t)
|
fs_search_nfs(xserver_t)
|
||||||
fs_search_auto_mountpoints(xserver_t)
|
fs_search_auto_mountpoints(xserver_t)
|
||||||
fs_search_ramfs(xserver_t)
|
fs_search_ramfs(xserver_t)
|
||||||
|
@ -21412,7 +21414,7 @@ index 2696452..2964047 100644
|
||||||
|
|
||||||
selinux_validate_context(xserver_t)
|
selinux_validate_context(xserver_t)
|
||||||
selinux_compute_access_vector(xserver_t)
|
selinux_compute_access_vector(xserver_t)
|
||||||
@@ -708,20 +1072,18 @@ init_getpgid(xserver_t)
|
@@ -708,20 +1073,18 @@ init_getpgid(xserver_t)
|
||||||
term_setattr_unallocated_ttys(xserver_t)
|
term_setattr_unallocated_ttys(xserver_t)
|
||||||
term_use_unallocated_ttys(xserver_t)
|
term_use_unallocated_ttys(xserver_t)
|
||||||
|
|
||||||
|
@ -21436,7 +21438,7 @@ index 2696452..2964047 100644
|
||||||
|
|
||||||
userdom_search_user_home_dirs(xserver_t)
|
userdom_search_user_home_dirs(xserver_t)
|
||||||
userdom_use_user_ttys(xserver_t)
|
userdom_use_user_ttys(xserver_t)
|
||||||
@@ -729,8 +1091,6 @@ userdom_setattr_user_ttys(xserver_t)
|
@@ -729,8 +1092,6 @@ userdom_setattr_user_ttys(xserver_t)
|
||||||
userdom_read_user_tmp_files(xserver_t)
|
userdom_read_user_tmp_files(xserver_t)
|
||||||
userdom_rw_user_tmpfs_files(xserver_t)
|
userdom_rw_user_tmpfs_files(xserver_t)
|
||||||
|
|
||||||
|
@ -21445,7 +21447,7 @@ index 2696452..2964047 100644
|
||||||
ifndef(`distro_redhat',`
|
ifndef(`distro_redhat',`
|
||||||
allow xserver_t self:process { execmem execheap execstack };
|
allow xserver_t self:process { execmem execheap execstack };
|
||||||
domain_mmap_low_uncond(xserver_t)
|
domain_mmap_low_uncond(xserver_t)
|
||||||
@@ -775,16 +1135,44 @@ optional_policy(`
|
@@ -775,16 +1136,44 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -21491,7 +21493,7 @@ index 2696452..2964047 100644
|
||||||
unconfined_domtrans(xserver_t)
|
unconfined_domtrans(xserver_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -793,6 +1181,10 @@ optional_policy(`
|
@@ -793,6 +1182,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -21502,7 +21504,7 @@ index 2696452..2964047 100644
|
||||||
xfs_stream_connect(xserver_t)
|
xfs_stream_connect(xserver_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -808,10 +1200,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
|
@@ -808,10 +1201,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
|
||||||
|
|
||||||
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
|
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
|
||||||
# handle of a file inside the dir!!!
|
# handle of a file inside the dir!!!
|
||||||
|
@ -21516,7 +21518,7 @@ index 2696452..2964047 100644
|
||||||
|
|
||||||
# Label pid and temporary files with derived types.
|
# Label pid and temporary files with derived types.
|
||||||
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||||
@@ -819,7 +1211,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
@@ -819,7 +1212,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||||
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||||
|
|
||||||
# Run xkbcomp.
|
# Run xkbcomp.
|
||||||
|
@ -21525,7 +21527,7 @@ index 2696452..2964047 100644
|
||||||
can_exec(xserver_t, xkb_var_lib_t)
|
can_exec(xserver_t, xkb_var_lib_t)
|
||||||
|
|
||||||
# VNC v4 module in X server
|
# VNC v4 module in X server
|
||||||
@@ -832,26 +1224,21 @@ init_use_fds(xserver_t)
|
@@ -832,26 +1225,21 @@ init_use_fds(xserver_t)
|
||||||
# to read ROLE_home_t - examine this in more detail
|
# to read ROLE_home_t - examine this in more detail
|
||||||
# (xauth?)
|
# (xauth?)
|
||||||
userdom_read_user_home_content_files(xserver_t)
|
userdom_read_user_home_content_files(xserver_t)
|
||||||
|
@ -21560,7 +21562,7 @@ index 2696452..2964047 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -902,7 +1289,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
|
@@ -902,7 +1290,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
|
||||||
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
|
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
|
||||||
# operations allowed on my windows
|
# operations allowed on my windows
|
||||||
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
||||||
|
@ -21569,7 +21571,7 @@ index 2696452..2964047 100644
|
||||||
# operations allowed on all windows
|
# operations allowed on all windows
|
||||||
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
|
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
|
||||||
|
|
||||||
@@ -956,11 +1343,31 @@ allow x_domain self:x_resource { read write };
|
@@ -956,11 +1344,31 @@ allow x_domain self:x_resource { read write };
|
||||||
# can mess with the screensaver
|
# can mess with the screensaver
|
||||||
allow x_domain xserver_t:x_screen { getattr saver_getattr };
|
allow x_domain xserver_t:x_screen { getattr saver_getattr };
|
||||||
|
|
||||||
|
@ -21601,7 +21603,7 @@ index 2696452..2964047 100644
|
||||||
tunable_policy(`! xserver_object_manager',`
|
tunable_policy(`! xserver_object_manager',`
|
||||||
# should be xserver_unconfined(x_domain),
|
# should be xserver_unconfined(x_domain),
|
||||||
# but typeattribute doesnt work in conditionals
|
# but typeattribute doesnt work in conditionals
|
||||||
@@ -982,18 +1389,40 @@ tunable_policy(`! xserver_object_manager',`
|
@@ -982,18 +1390,40 @@ tunable_policy(`! xserver_object_manager',`
|
||||||
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
|
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -22638,7 +22640,7 @@ index 3efd5b6..792df83 100644
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
|
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
|
||||||
index 104037e..fbe9b26 100644
|
index 104037e..a8a2a2d 100644
|
||||||
--- a/policy/modules/system/authlogin.te
|
--- a/policy/modules/system/authlogin.te
|
||||||
+++ b/policy/modules/system/authlogin.te
|
+++ b/policy/modules/system/authlogin.te
|
||||||
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.2)
|
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.2)
|
||||||
|
@ -22903,12 +22905,15 @@ index 104037e..fbe9b26 100644
|
||||||
files_list_var_lib(nsswitch_domain)
|
files_list_var_lib(nsswitch_domain)
|
||||||
|
|
||||||
# read /etc/nsswitch.conf
|
# read /etc/nsswitch.conf
|
||||||
@@ -418,14 +448,18 @@ files_read_etc_files(nsswitch_domain)
|
@@ -417,15 +447,21 @@ files_read_etc_files(nsswitch_domain)
|
||||||
|
|
||||||
sysnet_dns_name_resolve(nsswitch_domain)
|
sysnet_dns_name_resolve(nsswitch_domain)
|
||||||
|
|
||||||
tunable_policy(`authlogin_nsswitch_use_ldap',`
|
-tunable_policy(`authlogin_nsswitch_use_ldap',`
|
||||||
- files_list_var_lib(nsswitch_domain)
|
- files_list_var_lib(nsswitch_domain)
|
||||||
-
|
+systemd_hostnamed_read_config(nsswitch_domain)
|
||||||
|
|
||||||
|
+tunable_policy(`authlogin_nsswitch_use_ldap',`
|
||||||
miscfiles_read_generic_certs(nsswitch_domain)
|
miscfiles_read_generic_certs(nsswitch_domain)
|
||||||
sysnet_use_ldap(nsswitch_domain)
|
sysnet_use_ldap(nsswitch_domain)
|
||||||
')
|
')
|
||||||
|
@ -22924,7 +22929,7 @@ index 104037e..fbe9b26 100644
|
||||||
ldap_stream_connect(nsswitch_domain)
|
ldap_stream_connect(nsswitch_domain)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
@@ -438,6 +472,7 @@ optional_policy(`
|
@@ -438,6 +474,7 @@ optional_policy(`
|
||||||
likewise_stream_connect_lsassd(nsswitch_domain)
|
likewise_stream_connect_lsassd(nsswitch_domain)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -22932,7 +22937,7 @@ index 104037e..fbe9b26 100644
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
kerberos_use(nsswitch_domain)
|
kerberos_use(nsswitch_domain)
|
||||||
')
|
')
|
||||||
@@ -456,6 +491,7 @@ optional_policy(`
|
@@ -456,6 +493,7 @@ optional_policy(`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
sssd_stream_connect(nsswitch_domain)
|
sssd_stream_connect(nsswitch_domain)
|
||||||
|
@ -22940,7 +22945,7 @@ index 104037e..fbe9b26 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -463,3 +499,132 @@ optional_policy(`
|
@@ -463,3 +501,132 @@ optional_policy(`
|
||||||
samba_read_var_files(nsswitch_domain)
|
samba_read_var_files(nsswitch_domain)
|
||||||
samba_dontaudit_write_var_files(nsswitch_domain)
|
samba_dontaudit_write_var_files(nsswitch_domain)
|
||||||
')
|
')
|
||||||
|
|
|
@ -2694,7 +2694,7 @@ index 0000000..b334e9a
|
||||||
+ spamassassin_read_pid_files(antivirus_domain)
|
+ spamassassin_read_pid_files(antivirus_domain)
|
||||||
+')
|
+')
|
||||||
diff --git a/apache.fc b/apache.fc
|
diff --git a/apache.fc b/apache.fc
|
||||||
index 550a69e..d2af19f 100644
|
index 550a69e..e714059 100644
|
||||||
--- a/apache.fc
|
--- a/apache.fc
|
||||||
+++ b/apache.fc
|
+++ b/apache.fc
|
||||||
@@ -1,161 +1,184 @@
|
@@ -1,161 +1,184 @@
|
||||||
|
@ -2724,7 +2724,7 @@ index 550a69e..d2af19f 100644
|
||||||
+/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
|
+/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
|
||||||
+/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
|
+/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
|
||||||
+/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
+/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||||||
+/etc/owncloud/config\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
+/etc/owncloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||||||
+/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
+/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||||||
+/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
+/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||||
+/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
|
+/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
|
||||||
|
@ -56417,7 +56417,7 @@ index 20d4697..e6605c1 100644
|
||||||
+ files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache")
|
+ files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache")
|
||||||
+')
|
+')
|
||||||
diff --git a/prelink.te b/prelink.te
|
diff --git a/prelink.te b/prelink.te
|
||||||
index c0f047a..e81b5b1 100644
|
index c0f047a..6f22887 100644
|
||||||
--- a/prelink.te
|
--- a/prelink.te
|
||||||
+++ b/prelink.te
|
+++ b/prelink.te
|
||||||
@@ -1,4 +1,4 @@
|
@@ -1,4 +1,4 @@
|
||||||
|
@ -56590,19 +56590,20 @@ index c0f047a..e81b5b1 100644
|
||||||
|
|
||||||
kernel_read_system_state(prelink_cron_system_t)
|
kernel_read_system_state(prelink_cron_system_t)
|
||||||
|
|
||||||
@@ -184,8 +168,10 @@ optional_policy(`
|
@@ -184,8 +168,11 @@ optional_policy(`
|
||||||
dev_list_sysfs(prelink_cron_system_t)
|
dev_list_sysfs(prelink_cron_system_t)
|
||||||
dev_read_sysfs(prelink_cron_system_t)
|
dev_read_sysfs(prelink_cron_system_t)
|
||||||
|
|
||||||
- files_rw_etc_dirs(prelink_cron_system_t)
|
- files_rw_etc_dirs(prelink_cron_system_t)
|
||||||
files_dontaudit_search_all_mountpoints(prelink_cron_system_t)
|
files_dontaudit_search_all_mountpoints(prelink_cron_system_t)
|
||||||
+ files_search_var_lib(prelink_cron_system_t)
|
+ files_search_var_lib(prelink_cron_system_t)
|
||||||
|
+ files_dontaudit_list_non_security(prelink_cron_system_t)
|
||||||
+
|
+
|
||||||
+ fs_search_cgroup_dirs(prelink_cron_system_t)
|
+ fs_search_cgroup_dirs(prelink_cron_system_t)
|
||||||
|
|
||||||
auth_use_nsswitch(prelink_cron_system_t)
|
auth_use_nsswitch(prelink_cron_system_t)
|
||||||
|
|
||||||
@@ -196,11 +182,20 @@ optional_policy(`
|
@@ -196,11 +183,20 @@ optional_policy(`
|
||||||
|
|
||||||
logging_search_logs(prelink_cron_system_t)
|
logging_search_logs(prelink_cron_system_t)
|
||||||
|
|
||||||
|
@ -63844,7 +63845,7 @@ index 47de2d6..1f5dbf8 100644
|
||||||
+/var/log/cluster/corosync\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
|
+/var/log/cluster/corosync\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
|
||||||
+/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
|
+/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
|
||||||
diff --git a/rhcs.if b/rhcs.if
|
diff --git a/rhcs.if b/rhcs.if
|
||||||
index 56bc01f..f0a05e8 100644
|
index 56bc01f..27c4de4 100644
|
||||||
--- a/rhcs.if
|
--- a/rhcs.if
|
||||||
+++ b/rhcs.if
|
+++ b/rhcs.if
|
||||||
@@ -1,19 +1,19 @@
|
@@ -1,19 +1,19 @@
|
||||||
|
@ -64206,7 +64207,7 @@ index 56bc01f..f0a05e8 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
######################################
|
######################################
|
||||||
@@ -446,52 +456,303 @@ interface(`rhcs_domtrans_qdiskd',`
|
@@ -446,52 +456,322 @@ interface(`rhcs_domtrans_qdiskd',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -64257,7 +64258,11 @@ index 56bc01f..f0a05e8 100644
|
||||||
+ files_search_var_lib($1)
|
+ files_search_var_lib($1)
|
||||||
+ read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
|
+ read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
|
||||||
+')
|
+')
|
||||||
+
|
|
||||||
|
- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
|
||||||
|
- domain_system_change_exemption($1)
|
||||||
|
- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
|
||||||
|
- allow $2 system_r;
|
||||||
+#####################################
|
+#####################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Allow domain to manage cluster lib files
|
+## Allow domain to manage cluster lib files
|
||||||
|
@ -64272,15 +64277,15 @@ index 56bc01f..f0a05e8 100644
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ type cluster_var_lib_t;
|
+ type cluster_var_lib_t;
|
||||||
+ ')
|
+ ')
|
||||||
+
|
|
||||||
|
- files_search_pids($1)
|
||||||
|
- admin_pattern($1, cluster_pid)
|
||||||
+ files_search_var_lib($1)
|
+ files_search_var_lib($1)
|
||||||
+ manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
|
+ manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
|
||||||
+')
|
+')
|
||||||
|
|
||||||
- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
|
- files_search_locks($1)
|
||||||
- domain_system_change_exemption($1)
|
- admin_pattern($1, fenced_lock_t)
|
||||||
- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
|
|
||||||
- allow $2 system_r;
|
|
||||||
+####################################
|
+####################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Allow domain to relabel cluster lib files
|
+## Allow domain to relabel cluster lib files
|
||||||
|
@ -64301,8 +64306,8 @@ index 56bc01f..f0a05e8 100644
|
||||||
+ relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
|
+ relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
|
||||||
+')
|
+')
|
||||||
|
|
||||||
- files_search_pids($1)
|
- files_search_tmp($1)
|
||||||
- admin_pattern($1, cluster_pid)
|
- admin_pattern($1, fenced_tmp_t)
|
||||||
+######################################
|
+######################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Execute a domain transition to run cluster administrative domain.
|
+## Execute a domain transition to run cluster administrative domain.
|
||||||
|
@ -64318,14 +64323,14 @@ index 56bc01f..f0a05e8 100644
|
||||||
+ type cluster_t, cluster_exec_t;
|
+ type cluster_t, cluster_exec_t;
|
||||||
+ ')
|
+ ')
|
||||||
|
|
||||||
- files_search_locks($1)
|
- files_search_var_lib($1)
|
||||||
- admin_pattern($1, fenced_lock_t)
|
- admin_pattern($1, qdiskd_var_lib_t)
|
||||||
+ corecmd_search_bin($1)
|
+ corecmd_search_bin($1)
|
||||||
+ domtrans_pattern($1, cluster_exec_t, cluster_t)
|
+ domtrans_pattern($1, cluster_exec_t, cluster_t)
|
||||||
+')
|
+')
|
||||||
|
|
||||||
- files_search_tmp($1)
|
- fs_search_tmpfs($1)
|
||||||
- admin_pattern($1, fenced_tmp_t)
|
- admin_pattern($1, cluster_tmpfs)
|
||||||
+#######################################
|
+#######################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Execute cluster init scripts in
|
+## Execute cluster init scripts in
|
||||||
|
@ -64341,14 +64346,10 @@ index 56bc01f..f0a05e8 100644
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ type cluster_initrc_exec_t;
|
+ type cluster_initrc_exec_t;
|
||||||
+ ')
|
+ ')
|
||||||
|
+
|
||||||
- files_search_var_lib($1)
|
|
||||||
- admin_pattern($1, qdiskd_var_lib_t)
|
|
||||||
+ init_labeled_script_domtrans($1, cluster_initrc_exec_t)
|
+ init_labeled_script_domtrans($1, cluster_initrc_exec_t)
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
- fs_search_tmpfs($1)
|
|
||||||
- admin_pattern($1, cluster_tmpfs)
|
|
||||||
+#####################################
|
+#####################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Execute cluster in the caller domain.
|
+## Execute cluster in the caller domain.
|
||||||
|
@ -64462,6 +64463,25 @@ index 56bc01f..f0a05e8 100644
|
||||||
+ manage_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t)
|
+ manage_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
+#####################################
|
||||||
|
+## <summary>
|
||||||
|
+## Allow manage cluster pid files.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`rhcs_manage_cluster_pid_files',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type cluster_var_run_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ files_search_pids($1)
|
||||||
|
+ manage_files_pattern($1, cluster_var_run_t, cluster_var_run_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
+#######################################
|
+#######################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Execute cluster server in the cluster domain.
|
+## Execute cluster server in the cluster domain.
|
||||||
|
@ -68941,7 +68961,7 @@ index f1140ef..c5bd83a 100644
|
||||||
+ files_etc_filetrans($1, rsync_etc_t, $2, $3)
|
+ files_etc_filetrans($1, rsync_etc_t, $2, $3)
|
||||||
')
|
')
|
||||||
diff --git a/rsync.te b/rsync.te
|
diff --git a/rsync.te b/rsync.te
|
||||||
index e3e7c96..68cba2d 100644
|
index e3e7c96..0820cb2 100644
|
||||||
--- a/rsync.te
|
--- a/rsync.te
|
||||||
+++ b/rsync.te
|
+++ b/rsync.te
|
||||||
@@ -1,4 +1,4 @@
|
@@ -1,4 +1,4 @@
|
||||||
|
@ -68963,40 +68983,24 @@ index e3e7c96..68cba2d 100644
|
||||||
+## </p>
|
+## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
-gen_tunable(rsync_use_cifs, false)
|
-gen_tunable(rsync_use_cifs, false)
|
||||||
-
|
|
||||||
-## <desc>
|
|
||||||
-## <p>
|
|
||||||
-## Determine whether rsync can
|
|
||||||
-## use fuse file systems.
|
|
||||||
-## </p>
|
|
||||||
-## </desc>
|
|
||||||
-gen_tunable(rsync_use_fusefs, false)
|
|
||||||
-
|
|
||||||
-## <desc>
|
|
||||||
-## <p>
|
|
||||||
-## Determine whether rsync can use
|
|
||||||
-## nfs file systems.
|
|
||||||
-## </p>
|
|
||||||
-## </desc>
|
|
||||||
-gen_tunable(rsync_use_nfs, false)
|
|
||||||
+gen_tunable(rsync_client, false)
|
+gen_tunable(rsync_client, false)
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
-## <p>
|
-## <p>
|
||||||
-## Determine whether rsync can
|
-## Determine whether rsync can
|
||||||
-## run as a client
|
-## use fuse file systems.
|
||||||
-## </p>
|
-## </p>
|
||||||
+## <p>
|
+## <p>
|
||||||
+## Allow rsync to export any files/directories read only.
|
+## Allow rsync to export any files/directories read only.
|
||||||
+## </p>
|
+## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
-gen_tunable(rsync_client, false)
|
-gen_tunable(rsync_use_fusefs, false)
|
||||||
+gen_tunable(rsync_export_all_ro, false)
|
+gen_tunable(rsync_export_all_ro, false)
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
-## <p>
|
-## <p>
|
||||||
-## Determine whether rsync can
|
-## Determine whether rsync can use
|
||||||
-## export all content read only.
|
-## nfs file systems.
|
||||||
-## </p>
|
-## </p>
|
||||||
+## <p>
|
+## <p>
|
||||||
+## Allow rsync to modify public files
|
+## Allow rsync to modify public files
|
||||||
|
@ -69004,21 +69008,37 @@ index e3e7c96..68cba2d 100644
|
||||||
+## labeled public_content_rw_t.
|
+## labeled public_content_rw_t.
|
||||||
+## </p>
|
+## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
-gen_tunable(rsync_export_all_ro, false)
|
-gen_tunable(rsync_use_nfs, false)
|
||||||
+gen_tunable(rsync_anon_write, false)
|
+gen_tunable(rsync_anon_write, false)
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
|
-## Determine whether rsync can
|
||||||
|
-## run as a client
|
||||||
|
+## Allow rsync server to manage all files/directories on the system.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
-gen_tunable(rsync_client, false)
|
||||||
|
+gen_tunable(rsync_full_access, false)
|
||||||
|
|
||||||
|
-## <desc>
|
||||||
|
-## <p>
|
||||||
|
-## Determine whether rsync can
|
||||||
|
-## export all content read only.
|
||||||
|
-## </p>
|
||||||
|
-## </desc>
|
||||||
|
-gen_tunable(rsync_export_all_ro, false)
|
||||||
|
-
|
||||||
|
-## <desc>
|
||||||
|
-## <p>
|
||||||
-## Determine whether rsync can modify
|
-## Determine whether rsync can modify
|
||||||
-## public files used for public file
|
-## public files used for public file
|
||||||
-## transfer services. Directories/Files must
|
-## transfer services. Directories/Files must
|
||||||
-## be labeled public_content_rw_t.
|
-## be labeled public_content_rw_t.
|
||||||
+## Allow rsync server to manage all files/directories on the system.
|
-## </p>
|
||||||
## </p>
|
-## </desc>
|
||||||
## </desc>
|
|
||||||
-gen_tunable(allow_rsync_anon_write, false)
|
-gen_tunable(allow_rsync_anon_write, false)
|
||||||
+gen_tunable(rsync_full_access, false)
|
-
|
||||||
|
|
||||||
-attribute_role rsync_roles;
|
-attribute_role rsync_roles;
|
||||||
|
|
||||||
type rsync_t;
|
type rsync_t;
|
||||||
|
@ -69045,14 +69065,14 @@ index e3e7c96..68cba2d 100644
|
||||||
-allow rsync_t self:tcp_socket { accept listen };
|
-allow rsync_t self:tcp_socket { accept listen };
|
||||||
+allow rsync_t self:tcp_socket create_stream_socket_perms;
|
+allow rsync_t self:tcp_socket create_stream_socket_perms;
|
||||||
+allow rsync_t self:udp_socket connected_socket_perms;
|
+allow rsync_t self:udp_socket connected_socket_perms;
|
||||||
|
+
|
||||||
-allow rsync_t rsync_etc_t:file read_file_perms;
|
|
||||||
+# for identd
|
+# for identd
|
||||||
+# cjp: this should probably only be inetd_child_t rules?
|
+# cjp: this should probably only be inetd_child_t rules?
|
||||||
+# search home and kerberos also.
|
+# search home and kerberos also.
|
||||||
+allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
+allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
||||||
+#end for identd
|
+#end for identd
|
||||||
+
|
|
||||||
|
-allow rsync_t rsync_etc_t:file read_file_perms;
|
||||||
+read_files_pattern(rsync_t, rsync_etc_t, rsync_etc_t)
|
+read_files_pattern(rsync_t, rsync_etc_t, rsync_etc_t)
|
||||||
|
|
||||||
allow rsync_t rsync_data_t:dir list_dir_perms;
|
allow rsync_t rsync_data_t:dir list_dir_perms;
|
||||||
|
@ -69069,7 +69089,7 @@ index e3e7c96..68cba2d 100644
|
||||||
logging_log_filetrans(rsync_t, rsync_log_t, file)
|
logging_log_filetrans(rsync_t, rsync_log_t, file)
|
||||||
|
|
||||||
manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
|
manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
|
||||||
@@ -108,91 +97,76 @@ kernel_read_kernel_sysctls(rsync_t)
|
@@ -108,91 +97,80 @@ kernel_read_kernel_sysctls(rsync_t)
|
||||||
kernel_read_system_state(rsync_t)
|
kernel_read_system_state(rsync_t)
|
||||||
kernel_read_network_state(rsync_t)
|
kernel_read_network_state(rsync_t)
|
||||||
|
|
||||||
|
@ -69192,11 +69212,12 @@ index e3e7c96..68cba2d 100644
|
||||||
-optional_policy(`
|
-optional_policy(`
|
||||||
- kerberos_use(rsync_t)
|
- kerberos_use(rsync_t)
|
||||||
-')
|
-')
|
||||||
-
|
|
||||||
-optional_policy(`
|
|
||||||
- inetd_service_domain(rsync_t, rsync_exec_t)
|
|
||||||
-')
|
|
||||||
+auth_can_read_shadow_passwords(rsync_t)
|
+auth_can_read_shadow_passwords(rsync_t)
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
- inetd_service_domain(rsync_t, rsync_exec_t)
|
||||||
|
+ swift_manage_data_files(rsync_t)
|
||||||
|
')
|
||||||
diff --git a/rtkit.if b/rtkit.if
|
diff --git a/rtkit.if b/rtkit.if
|
||||||
index bd35afe..051addd 100644
|
index bd35afe..051addd 100644
|
||||||
--- a/rtkit.if
|
--- a/rtkit.if
|
||||||
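Review bot: `swift_manage_data_files(rsync_t)` grants the rsync daemon unconditional create, write and delete access to swift_data_t (the `/srv/node` tree per the swift.fc hunk) whenever the swift module is loaded, with no tunable guarding it, whereas this file appears to put its other broad write grants behind booleans such as rsync_full_access and rsync_anon_write. rsync_t is network-facing, so on hosts that load swift but do not replicate through rsyncd this is standing write access to the object store that the policy side cannot switch off. Wrapping the call in a `tunable_policy` block (the existing `rsync_full_access`, or a dedicated boolean) would keep the default footprint unchanged while still supporting swift replication. The enclosing `optional_policy` block begins and ends inside the hunk.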
|
@ -73262,7 +73283,7 @@ index c21ddcc..ee00be2 100644
|
||||||
+ can_exec($1, screen_exec_t)
|
+ can_exec($1, screen_exec_t)
|
||||||
+')
|
+')
|
||||||
diff --git a/screen.te b/screen.te
|
diff --git a/screen.te b/screen.te
|
||||||
index f095081..c0d7b61 100644
|
index f095081..ee69aa7 100644
|
||||||
--- a/screen.te
|
--- a/screen.te
|
||||||
+++ b/screen.te
|
+++ b/screen.te
|
||||||
@@ -1,13 +1,11 @@
|
@@ -1,13 +1,11 @@
|
||||||
|
@ -73293,7 +73314,7 @@ index f095081..c0d7b61 100644
|
||||||
type screen_var_run_t;
|
type screen_var_run_t;
|
||||||
typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t };
|
typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t };
|
||||||
typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t };
|
typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t };
|
||||||
@@ -30,33 +23,33 @@ ubac_constrained(screen_var_run_t)
|
@@ -30,33 +23,35 @@ ubac_constrained(screen_var_run_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -73301,7 +73322,9 @@ index f095081..c0d7b61 100644
|
||||||
+# Local policy
|
+# Local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
allow screen_domain self:capability { setuid setgid fsetid };
|
-allow screen_domain self:capability { setuid setgid fsetid };
|
||||||
|
+allow screen_domain self:capability { fsetid setgid setuid sys_tty_config };
|
||||||
|
+dontaudit screen_domain self:capability dac_override;
|
||||||
allow screen_domain self:process signal_perms;
|
allow screen_domain self:process signal_perms;
|
||||||
-allow screen_domain self:fd use;
|
-allow screen_domain self:fd use;
|
||||||
allow screen_domain self:fifo_file rw_fifo_file_perms;
|
allow screen_domain self:fifo_file rw_fifo_file_perms;
|
||||||
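Review bot: `sys_tty_config` is a new capability for every domain carrying the screen_domain attribute, presumably including the per-user screen domains, and nothing on the line says which operation requires it. A why-comment above the allow rule, e.g. `# sys_tty_config: needed for <tty operation — TODO confirm>`, would let the next maintainer re-check the grant instead of carrying it forward. The adjacent `dontaudit screen_domain self:capability dac_override;` would benefit from the same treatment, since silenced denials never reach the audit log and the reason for hiding them is otherwise lost.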
|
@ -73329,6 +73352,7 @@ index f095081..c0d7b61 100644
|
||||||
manage_dirs_pattern(screen_domain, screen_home_t, screen_home_t)
|
manage_dirs_pattern(screen_domain, screen_home_t, screen_home_t)
|
||||||
-read_files_pattern(screen_domain, screen_home_t, screen_home_t)
|
-read_files_pattern(screen_domain, screen_home_t, screen_home_t)
|
||||||
manage_fifo_files_pattern(screen_domain, screen_home_t, screen_home_t)
|
manage_fifo_files_pattern(screen_domain, screen_home_t, screen_home_t)
|
||||||
|
+manage_sock_files_pattern(screen_domain, screen_home_t, screen_home_t)
|
||||||
+userdom_user_home_dir_filetrans(screen_domain, screen_home_t, dir)
|
+userdom_user_home_dir_filetrans(screen_domain, screen_home_t, dir)
|
||||||
+userdom_admin_home_dir_filetrans(screen_domain, screen_home_t, dir)
|
+userdom_admin_home_dir_filetrans(screen_domain, screen_home_t, dir)
|
||||||
+read_files_pattern(screen_domain, screen_home_t, screen_home_t)
|
+read_files_pattern(screen_domain, screen_home_t, screen_home_t)
|
||||||
|
@ -73339,7 +73363,7 @@ index f095081..c0d7b61 100644
|
||||||
kernel_read_kernel_sysctls(screen_domain)
|
kernel_read_kernel_sysctls(screen_domain)
|
||||||
|
|
||||||
corecmd_list_bin(screen_domain)
|
corecmd_list_bin(screen_domain)
|
||||||
@@ -65,55 +58,39 @@ corecmd_read_bin_symlinks(screen_domain)
|
@@ -65,55 +60,39 @@ corecmd_read_bin_symlinks(screen_domain)
|
||||||
corecmd_read_bin_pipes(screen_domain)
|
corecmd_read_bin_pipes(screen_domain)
|
||||||
corecmd_read_bin_sockets(screen_domain)
|
corecmd_read_bin_sockets(screen_domain)
|
||||||
|
|
||||||
|
@ -74272,7 +74296,7 @@ index 3a9a70b..039b0c8 100644
|
||||||
logging_list_logs($1)
|
logging_list_logs($1)
|
||||||
admin_pattern($1, setroubleshoot_var_log_t)
|
admin_pattern($1, setroubleshoot_var_log_t)
|
||||||
diff --git a/setroubleshoot.te b/setroubleshoot.te
|
diff --git a/setroubleshoot.te b/setroubleshoot.te
|
||||||
index 49b12ae..0a0f095 100644
|
index 49b12ae..c6f3302 100644
|
||||||
--- a/setroubleshoot.te
|
--- a/setroubleshoot.te
|
||||||
+++ b/setroubleshoot.te
|
+++ b/setroubleshoot.te
|
||||||
@@ -1,4 +1,4 @@
|
@@ -1,4 +1,4 @@
|
||||||
|
@ -74369,7 +74393,7 @@ index 49b12ae..0a0f095 100644
|
||||||
files_list_all(setroubleshootd_t)
|
files_list_all(setroubleshootd_t)
|
||||||
files_getattr_all_files(setroubleshootd_t)
|
files_getattr_all_files(setroubleshootd_t)
|
||||||
files_getattr_all_pipes(setroubleshootd_t)
|
files_getattr_all_pipes(setroubleshootd_t)
|
||||||
@@ -108,13 +113,13 @@ init_dontaudit_write_utmp(setroubleshootd_t)
|
@@ -108,26 +113,23 @@ init_dontaudit_write_utmp(setroubleshootd_t)
|
||||||
|
|
||||||
libs_exec_ld_so(setroubleshootd_t)
|
libs_exec_ld_so(setroubleshootd_t)
|
||||||
|
|
||||||
|
@ -74379,13 +74403,16 @@ index 49b12ae..0a0f095 100644
|
||||||
logging_send_audit_msgs(setroubleshootd_t)
|
logging_send_audit_msgs(setroubleshootd_t)
|
||||||
logging_send_syslog_msg(setroubleshootd_t)
|
logging_send_syslog_msg(setroubleshootd_t)
|
||||||
logging_stream_connect_dispatcher(setroubleshootd_t)
|
logging_stream_connect_dispatcher(setroubleshootd_t)
|
||||||
-
|
|
||||||
-miscfiles_read_localization(setroubleshootd_t)
|
|
||||||
+logging_stream_connect_syslog(setroubleshootd_t)
|
+logging_stream_connect_syslog(setroubleshootd_t)
|
||||||
|
|
||||||
|
-miscfiles_read_localization(setroubleshootd_t)
|
||||||
|
-
|
||||||
|
+seutil_read_bin_policy(setroubleshootd_t)
|
||||||
seutil_read_config(setroubleshootd_t)
|
seutil_read_config(setroubleshootd_t)
|
||||||
|
+seutil_read_default_contexts(setroubleshootd_t)
|
||||||
seutil_read_file_contexts(setroubleshootd_t)
|
seutil_read_file_contexts(setroubleshootd_t)
|
||||||
@@ -123,11 +128,7 @@ seutil_read_bin_policy(setroubleshootd_t)
|
-seutil_read_bin_policy(setroubleshootd_t)
|
||||||
|
|
||||||
userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
|
userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -74398,7 +74425,7 @@ index 49b12ae..0a0f095 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -135,10 +136,18 @@ optional_policy(`
|
@@ -135,10 +137,18 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -74417,7 +74444,7 @@ index 49b12ae..0a0f095 100644
|
||||||
rpm_exec(setroubleshootd_t)
|
rpm_exec(setroubleshootd_t)
|
||||||
rpm_signull(setroubleshootd_t)
|
rpm_signull(setroubleshootd_t)
|
||||||
rpm_read_db(setroubleshootd_t)
|
rpm_read_db(setroubleshootd_t)
|
||||||
@@ -148,15 +157,17 @@ optional_policy(`
|
@@ -148,15 +158,17 @@ optional_policy(`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -74436,7 +74463,7 @@ index 49b12ae..0a0f095 100644
|
||||||
setroubleshoot_stream_connect(setroubleshoot_fixit_t)
|
setroubleshoot_stream_connect(setroubleshoot_fixit_t)
|
||||||
|
|
||||||
kernel_read_system_state(setroubleshoot_fixit_t)
|
kernel_read_system_state(setroubleshoot_fixit_t)
|
||||||
@@ -165,9 +176,13 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
|
@@ -165,9 +177,13 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
|
||||||
corecmd_exec_shell(setroubleshoot_fixit_t)
|
corecmd_exec_shell(setroubleshoot_fixit_t)
|
||||||
corecmd_getattr_all_executables(setroubleshoot_fixit_t)
|
corecmd_getattr_all_executables(setroubleshoot_fixit_t)
|
||||||
|
|
||||||
|
@ -74451,7 +74478,7 @@ index 49b12ae..0a0f095 100644
|
||||||
files_list_tmp(setroubleshoot_fixit_t)
|
files_list_tmp(setroubleshoot_fixit_t)
|
||||||
|
|
||||||
auth_use_nsswitch(setroubleshoot_fixit_t)
|
auth_use_nsswitch(setroubleshoot_fixit_t)
|
||||||
@@ -175,23 +190,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
|
@@ -175,23 +191,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
|
||||||
logging_send_audit_msgs(setroubleshoot_fixit_t)
|
logging_send_audit_msgs(setroubleshoot_fixit_t)
|
||||||
logging_send_syslog_msg(setroubleshoot_fixit_t)
|
logging_send_syslog_msg(setroubleshoot_fixit_t)
|
||||||
|
|
||||||
|
@ -78654,10 +78681,21 @@ index c6aaac7..dc3f167 100644
|
||||||
sysnet_dns_name_resolve(svnserve_t)
|
sysnet_dns_name_resolve(svnserve_t)
|
||||||
diff --git a/swift.fc b/swift.fc
|
diff --git a/swift.fc b/swift.fc
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..7917018
|
index 0000000..e5433ad
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/swift.fc
|
+++ b/swift.fc
|
||||||
@@ -0,0 +1,9 @@
|
@@ -0,0 +1,28 @@
|
||||||
|
+/usr/bin/swift-account-auditor -- gen_context(system_u:object_r:swift_exec_t,s0)
|
||||||
|
+/usr/bin/swift-account-reaper -- gen_context(system_u:object_r:swift_exec_t,s0)
|
||||||
|
+/usr/bin/swift-account-replicator -- gen_context(system_u:object_r:swift_exec_t,s0)
|
||||||
|
+/usr/bin/swift-account-server -- gen_context(system_u:object_r:swift_exec_t,s0)
|
||||||
|
+
|
||||||
|
+/usr/bin/swift-container-auditor -- gen_context(system_u:object_r:swift_exec_t,s0)
|
||||||
|
+/usr/bin/swift-container-replicator -- gen_context(system_u:object_r:swift_exec_t,s0)
|
||||||
|
+/usr/bin/swift-container-server -- gen_context(system_u:object_r:swift_exec_t,s0)
|
||||||
|
+/usr/bin/swift-container-sync -- gen_context(system_u:object_r:swift_exec_t,s0)
|
||||||
|
+/usr/bin/swift-container-updater -- gen_context(system_u:object_r:swift_exec_t,s0)
|
||||||
|
+
|
||||||
+/usr/bin/swift-object-auditor -- gen_context(system_u:object_r:swift_exec_t,s0)
|
+/usr/bin/swift-object-auditor -- gen_context(system_u:object_r:swift_exec_t,s0)
|
||||||
+/usr/bin/swift-object-info -- gen_context(system_u:object_r:swift_exec_t,s0)
|
+/usr/bin/swift-object-info -- gen_context(system_u:object_r:swift_exec_t,s0)
|
||||||
+/usr/bin/swift-object-replicator -- gen_context(system_u:object_r:swift_exec_t,s0)
|
+/usr/bin/swift-object-replicator -- gen_context(system_u:object_r:swift_exec_t,s0)
|
||||||
|
@ -78667,12 +78705,20 @@ index 0000000..7917018
|
||||||
+/usr/lib/systemd/system/openstack-swift.* -- gen_context(system_u:object_r:swift_unit_file_t,s0)
|
+/usr/lib/systemd/system/openstack-swift.* -- gen_context(system_u:object_r:swift_unit_file_t,s0)
|
||||||
+
|
+
|
||||||
+/var/run/swift(/.*)? gen_context(system_u:object_r:swift_var_run_t,s0)
|
+/var/run/swift(/.*)? gen_context(system_u:object_r:swift_var_run_t,s0)
|
||||||
|
+
|
||||||
|
+# This seems to be a de-facto standard when using swift.
|
||||||
|
+/srv/node(/.*)? gen_context(system_u:object_r:swift_data_t,s0)
|
||||||
|
+
|
||||||
|
+# This is specific to RHOS's packstack utility
|
||||||
|
+ifdef(`distro_redhat', `
|
||||||
|
+/srv/loopback-device(/.*)? gen_context(system_u:object_r:swift_data_t,s0)
|
||||||
|
+')
|
||||||
diff --git a/swift.if b/swift.if
|
diff --git a/swift.if b/swift.if
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..4ec3f4d
|
index 0000000..ce6e8ae
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/swift.if
|
+++ b/swift.if
|
||||||
@@ -0,0 +1,103 @@
|
@@ -0,0 +1,124 @@
|
||||||
+
|
+
|
||||||
+## <summary>policy for swift</summary>
|
+## <summary>policy for swift</summary>
|
||||||
+
|
+
|
||||||
|
@ -78694,6 +78740,7 @@ index 0000000..4ec3f4d
|
||||||
+ corecmd_search_bin($1)
|
+ corecmd_search_bin($1)
|
||||||
+ domtrans_pattern($1, swift_exec_t, swift_t)
|
+ domtrans_pattern($1, swift_exec_t, swift_t)
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Read swift PID files.
|
+## Read swift PID files.
|
||||||
|
@ -78715,6 +78762,26 @@ index 0000000..4ec3f4d
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
|
+## Manage swift data files.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`swift_manage_data_files',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type swift_data_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ files_search_pids($1)
|
||||||
|
+ manage_files_pattern($1, swift_data_t, swift_data_t)
|
||||||
|
+ manage_dirs_pattern($1, swift_data_t, swift_data_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
+## Execute swift server in the swift domain.
|
+## Execute swift server in the swift domain.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
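Review bot: `files_search_pids($1)` in `swift_manage_data_files` does not match the type the interface manages: swift_data_t is applied to `/srv/node` and `/srv/loopback-device` in the swift.fc hunk, not to anything under /var/run, so the line looks copied from the "Read swift PID files" interface above and grants a search right the caller does not need while omitting the one it does. If /srv carries the generic var_t label as in refpolicy, `files_search_var($1)` is the search grant that actually lets the caller reach the data tree — verify against the installed file contexts. The interface also manages directories, which its summary `## Manage swift data files.` omits; `## Create, read, write and delete swift data files and directories.` would be accurate.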
|
@ -78778,10 +78845,10 @@ index 0000000..4ec3f4d
|
||||||
+')
|
+')
|
||||||
diff --git a/swift.te b/swift.te
|
diff --git a/swift.te b/swift.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..e3eab32
|
index 0000000..39f1ca1
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/swift.te
|
+++ b/swift.te
|
||||||
@@ -0,0 +1,45 @@
|
@@ -0,0 +1,53 @@
|
||||||
+policy_module(swift, 1.0.0)
|
+policy_module(swift, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
|
@ -78799,6 +78866,9 @@ index 0000000..e3eab32
|
||||||
+type swift_unit_file_t;
|
+type swift_unit_file_t;
|
||||||
+systemd_unit_file(swift_unit_file_t)
|
+systemd_unit_file(swift_unit_file_t)
|
||||||
+
|
+
|
||||||
|
+type swift_data_t;
|
||||||
|
+files_type(swift_data_t)
|
||||||
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+#
|
+#
|
||||||
+# swift local policy
|
+# swift local policy
|
||||||
|
@ -78813,6 +78883,11 @@ index 0000000..e3eab32
|
||||||
+manage_lnk_files_pattern(swift_t, swift_var_run_t, swift_var_run_t)
|
+manage_lnk_files_pattern(swift_t, swift_var_run_t, swift_var_run_t)
|
||||||
+files_pid_filetrans(swift_t, swift_var_run_t, { dir })
|
+files_pid_filetrans(swift_t, swift_var_run_t, { dir })
|
||||||
+
|
+
|
||||||
|
+# swift makes use of rsync, so we need to give rsync permissions
|
||||||
|
+# to edit swift_data_t files as well as swift_t those permissions
|
||||||
|
+manage_dirs_pattern(swift_t, swift_data_t, swift_data_t)
|
||||||
|
+manage_files_pattern(swift_t, swift_data_t, swift_data_t)
|
||||||
|
+
|
||||||
+kernel_dgram_send(swift_t)
|
+kernel_dgram_send(swift_t)
|
||||||
+kernel_read_system_state(swift_t)
|
+kernel_read_system_state(swift_t)
|
||||||
+
|
+
|
||||||
|
@ -83745,7 +83820,7 @@ index c30da4c..014e40c 100644
|
||||||
+/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
|
+/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
|
||||||
+/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
|
+/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
|
||||||
diff --git a/virt.if b/virt.if
|
diff --git a/virt.if b/virt.if
|
||||||
index 9dec06c..d8a2b54 100644
|
index 9dec06c..175e66a 100644
|
||||||
--- a/virt.if
|
--- a/virt.if
|
||||||
+++ b/virt.if
|
+++ b/virt.if
|
||||||
@@ -1,120 +1,51 @@
|
@@ -1,120 +1,51 @@
|
||||||
|
@ -84723,7 +84798,7 @@ index 9dec06c..d8a2b54 100644
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -860,115 +603,223 @@ interface(`virt_read_lib_files',`
|
@@ -860,115 +603,244 @@ interface(`virt_read_lib_files',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
|
@ -84754,9 +84829,6 @@ index 9dec06c..d8a2b54 100644
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
-## <param name="private type">
|
-## <param name="private type">
|
||||||
-## <summary>
|
|
||||||
-## The type of the object to be created.
|
|
||||||
-## </summary>
|
|
||||||
+#
|
+#
|
||||||
+interface(`virt_manage_images',`
|
+interface(`virt_manage_images',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
|
@ -84781,8 +84853,7 @@ index 9dec06c..d8a2b54 100644
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Domain allowed access.
|
+## Domain allowed access.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
## </param>
|
+## </param>
|
||||||
-## <param name="object">
|
|
||||||
+#
|
+#
|
||||||
+interface(`virt_manage_default_image_type',`
|
+interface(`virt_manage_default_image_type',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
|
@ -84802,11 +84873,11 @@ index 9dec06c..d8a2b54 100644
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
-## The object class of the object being created.
|
-## The type of the object to be created.
|
||||||
+## Domain allowed to transition.
|
+## Domain allowed to transition.
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
-## <param name="name" optional="true">
|
-## <param name="object">
|
||||||
+#
|
+#
|
||||||
+interface(`virt_systemctl',`
|
+interface(`virt_systemctl',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
|
@ -84827,24 +84898,46 @@ index 9dec06c..d8a2b54 100644
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
-## The name of the object being created.
|
-## The object class of the object being created.
|
||||||
+## Domain allowed to transition.
|
+## Domain allowed to transition.
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
|
-## <param name="name" optional="true">
|
||||||
|
+#
|
||||||
|
+interface(`virt_ptrace',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ attribute virt_domain;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 virt_domain:process ptrace;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+#######################################
|
||||||
|
+## <summary>
|
||||||
|
+## Connect to virt over a unix domain stream socket.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
-## The name of the object being created.
|
||||||
|
+## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
-## <infoflow type="write" weight="10"/>
|
-## <infoflow type="write" weight="10"/>
|
||||||
#
|
#
|
||||||
-interface(`virt_pid_filetrans',`
|
-interface(`virt_pid_filetrans',`
|
||||||
+interface(`virt_ptrace',`
|
+interface(`virt_stream_connect_lxc',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
- type virt_var_run_t;
|
- type virt_var_run_t;
|
||||||
+ attribute virt_domain;
|
+ attribute svirt_lxc_domain;
|
||||||
|
+ type svirt_lxc_file_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
- files_search_pids($1)
|
files_search_pids($1)
|
||||||
- filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
|
- filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
|
||||||
+ allow $1 virt_domain:process ptrace;
|
+ stream_connect_pattern($1, svirt_lxc_file_t, svirt_lxc_file_t, svirt_lxc_domain)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
+
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
-## Read virt log files.
|
-## Read virt log files.
|
||||||
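Review bot: The summary of `virt_stream_connect_lxc`, `## Connect to virt over a unix domain stream socket.`, understates what the interface grants: it lets the caller connect to svirt_lxc_file_t sockets served by any domain in the svirt_lxc_domain attribute, i.e. into every container, not to virtd. Suggest `## Connect to svirt lxc container domains over a unix domain stream socket.` so a reader auditing which host domains can reach into containers sees it from the summary. The `files_search_pids($1)` line also seems out of place, since svirt_lxc_file_t is not obviously a /var/run type; confirm where those sockets live and either replace the search grant or add a comment explaining why /var/run is on the path.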
|
@ -84987,7 +85080,7 @@ index 9dec06c..d8a2b54 100644
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -976,18 +827,17 @@ interface(`virt_manage_log',`
|
@@ -976,18 +848,17 @@ interface(`virt_manage_log',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
|
@ -85010,7 +85103,7 @@ index 9dec06c..d8a2b54 100644
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -995,36 +845,17 @@ interface(`virt_search_images',`
|
@@ -995,36 +866,17 @@ interface(`virt_search_images',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
|
@ -85051,7 +85144,7 @@ index 9dec06c..d8a2b54 100644
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -1032,58 +863,57 @@ interface(`virt_read_images',`
|
@@ -1032,58 +884,57 @@ interface(`virt_read_images',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
|
@ -85131,7 +85224,7 @@ index 9dec06c..d8a2b54 100644
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -1091,95 +921,131 @@ interface(`virt_manage_virt_cache',`
|
@@ -1091,95 +942,131 @@ interface(`virt_manage_virt_cache',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
|
@ -85325,7 +85418,7 @@ index 9dec06c..d8a2b54 100644
|
||||||
+ allow svirt_lxc_domain $1:process sigchld;
|
+ allow svirt_lxc_domain $1:process sigchld;
|
||||||
')
|
')
|
||||||
diff --git a/virt.te b/virt.te
|
diff --git a/virt.te b/virt.te
|
||||||
index 1f22fba..12f4354 100644
|
index 1f22fba..d5e8852 100644
|
||||||
--- a/virt.te
|
--- a/virt.te
|
||||||
+++ b/virt.te
|
+++ b/virt.te
|
||||||
@@ -1,94 +1,98 @@
|
@@ -1,94 +1,98 @@
|
||||||
|
@ -85621,7 +85714,9 @@ index 1f22fba..12f4354 100644
|
||||||
-append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
|
-append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
|
||||||
-
|
-
|
||||||
-kernel_read_system_state(virt_domain)
|
-kernel_read_system_state(virt_domain)
|
||||||
-
|
+# it was a part of auth_use_nsswitch
|
||||||
|
+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
|
||||||
|
|
||||||
-fs_getattr_xattr_fs(virt_domain)
|
-fs_getattr_xattr_fs(virt_domain)
|
||||||
-
|
-
|
||||||
-corecmd_exec_bin(virt_domain)
|
-corecmd_exec_bin(virt_domain)
|
||||||
|
@ -85739,15 +85834,17 @@ index 1f22fba..12f4354 100644
|
||||||
- fs_manage_dos_dirs(virt_domain)
|
- fs_manage_dos_dirs(virt_domain)
|
||||||
- fs_manage_dos_files(virt_domain)
|
- fs_manage_dos_files(virt_domain)
|
||||||
-')
|
-')
|
||||||
+# it was a part of auth_use_nsswitch
|
-
|
||||||
+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
|
|
||||||
|
|
||||||
-optional_policy(`
|
-optional_policy(`
|
||||||
- tunable_policy(`virt_use_xserver',`
|
- tunable_policy(`virt_use_xserver',`
|
||||||
- xserver_read_xdm_pid(virt_domain)
|
- xserver_read_xdm_pid(virt_domain)
|
||||||
- xserver_stream_connect(virt_domain)
|
- xserver_stream_connect(virt_domain)
|
||||||
- ')
|
- ')
|
||||||
-')
|
-')
|
||||||
|
-
|
||||||
|
-optional_policy(`
|
||||||
|
- dbus_read_lib_files(virt_domain)
|
||||||
|
-')
|
||||||
+corenet_udp_sendrecv_generic_if(svirt_t)
|
+corenet_udp_sendrecv_generic_if(svirt_t)
|
||||||
+corenet_udp_sendrecv_generic_node(svirt_t)
|
+corenet_udp_sendrecv_generic_node(svirt_t)
|
||||||
+corenet_udp_sendrecv_all_ports(svirt_t)
|
+corenet_udp_sendrecv_all_ports(svirt_t)
|
||||||
|
@ -85757,24 +85854,20 @@ index 1f22fba..12f4354 100644
|
||||||
+corenet_tcp_connect_all_ports(svirt_t)
|
+corenet_tcp_connect_all_ports(svirt_t)
|
||||||
|
|
||||||
-optional_policy(`
|
-optional_policy(`
|
||||||
- dbus_read_lib_files(virt_domain)
|
- nscd_use(virt_domain)
|
||||||
-')
|
-')
|
||||||
+miscfiles_read_generic_certs(svirt_t)
|
+miscfiles_read_generic_certs(svirt_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- nscd_use(virt_domain)
|
- samba_domtrans_smbd(virt_domain)
|
||||||
+ xen_rw_image_files(svirt_t)
|
+ xen_rw_image_files(svirt_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- samba_domtrans_smbd(virt_domain)
|
- xen_rw_image_files(virt_domain)
|
||||||
+ nscd_use(svirt_t)
|
+ nscd_use(svirt_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
-optional_policy(`
|
|
||||||
- xen_rw_image_files(virt_domain)
|
|
||||||
-')
|
|
||||||
-
|
|
||||||
-########################################
|
-########################################
|
||||||
+#######################################
|
+#######################################
|
||||||
#
|
#
|
||||||
|
@ -85792,9 +85885,7 @@ index 1f22fba..12f4354 100644
|
||||||
-manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
|
-manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
|
||||||
-manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
|
-manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
|
||||||
-manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
|
-manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
|
||||||
+allow svirt_tcg_t self:process { execmem execstack };
|
-
|
||||||
+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
|
|
||||||
|
|
||||||
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
|
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
|
||||||
-
|
-
|
||||||
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
|
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
|
||||||
|
@ -85818,7 +85909,9 @@ index 1f22fba..12f4354 100644
|
||||||
-corenet_sendrecv_all_server_packets(svirt_t)
|
-corenet_sendrecv_all_server_packets(svirt_t)
|
||||||
-corenet_udp_bind_all_ports(svirt_t)
|
-corenet_udp_bind_all_ports(svirt_t)
|
||||||
-corenet_tcp_bind_all_ports(svirt_t)
|
-corenet_tcp_bind_all_ports(svirt_t)
|
||||||
-
|
+allow svirt_tcg_t self:process { execmem execstack };
|
||||||
|
+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
|
||||||
|
|
||||||
-corenet_sendrecv_all_client_packets(svirt_t)
|
-corenet_sendrecv_all_client_packets(svirt_t)
|
||||||
-corenet_tcp_connect_all_ports(svirt_t)
|
-corenet_tcp_connect_all_ports(svirt_t)
|
||||||
+corenet_udp_sendrecv_generic_if(svirt_tcg_t)
|
+corenet_udp_sendrecv_generic_if(svirt_tcg_t)
|
||||||
|
@ -85946,16 +86039,16 @@ index 1f22fba..12f4354 100644
|
||||||
-manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
|
-manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
|
||||||
-manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
|
-manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
|
||||||
-filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
|
-filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
|
||||||
-
|
|
||||||
-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
|
|
||||||
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
|
|
||||||
-
|
|
||||||
-can_exec(virtd_t, virt_tmp_t)
|
|
||||||
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
|
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
|
||||||
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
|
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
|
||||||
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
|
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
|
||||||
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
|
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
|
||||||
|
|
||||||
|
-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
|
||||||
|
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
|
||||||
|
-
|
||||||
|
-can_exec(virtd_t, virt_tmp_t)
|
||||||
|
-
|
||||||
-kernel_read_crypto_sysctls(virtd_t)
|
-kernel_read_crypto_sysctls(virtd_t)
|
||||||
kernel_read_system_state(virtd_t)
|
kernel_read_system_state(virtd_t)
|
||||||
kernel_read_network_state(virtd_t)
|
kernel_read_network_state(virtd_t)
|
||||||
|
@ -86047,13 +86140,13 @@ index 1f22fba..12f4354 100644
|
||||||
+sysnet_read_config(virtd_t)
|
+sysnet_read_config(virtd_t)
|
||||||
|
|
||||||
-userdom_read_all_users_state(virtd_t)
|
-userdom_read_all_users_state(virtd_t)
|
||||||
-
|
|
||||||
-ifdef(`hide_broken_symptoms',`
|
|
||||||
- dontaudit virtd_t self:capability { sys_module sys_ptrace };
|
|
||||||
-')
|
|
||||||
+systemd_dbus_chat_logind(virtd_t)
|
+systemd_dbus_chat_logind(virtd_t)
|
||||||
+systemd_write_inhibit_pipes(virtd_t)
|
+systemd_write_inhibit_pipes(virtd_t)
|
||||||
|
|
||||||
|
-ifdef(`hide_broken_symptoms',`
|
||||||
|
- dontaudit virtd_t self:capability { sys_module sys_ptrace };
|
||||||
|
-')
|
||||||
|
-
|
||||||
-tunable_policy(`virt_use_fusefs',`
|
-tunable_policy(`virt_use_fusefs',`
|
||||||
- fs_manage_fusefs_dirs(virtd_t)
|
- fs_manage_fusefs_dirs(virtd_t)
|
||||||
- fs_manage_fusefs_files(virtd_t)
|
- fs_manage_fusefs_files(virtd_t)
|
||||||
|
@ -86084,15 +86177,13 @@ index 1f22fba..12f4354 100644
|
||||||
fs_manage_cifs_files(virtd_t)
|
fs_manage_cifs_files(virtd_t)
|
||||||
fs_read_cifs_symlinks(virtd_t)
|
fs_read_cifs_symlinks(virtd_t)
|
||||||
')
|
')
|
||||||
@@ -646,107 +472,326 @@ optional_policy(`
|
@@ -649,104 +475,323 @@ optional_policy(`
|
||||||
consoletype_exec(virtd_t)
|
optional_policy(`
|
||||||
')
|
dbus_system_bus_client(virtd_t)
|
||||||
|
|
||||||
-optional_policy(`
|
- optional_policy(`
|
||||||
- dbus_system_bus_client(virtd_t)
|
- avahi_dbus_chat(virtd_t)
|
||||||
+optional_policy(`
|
- ')
|
||||||
+ dbus_system_bus_client(virtd_t)
|
|
||||||
+
|
|
||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
+ avahi_dbus_chat(virtd_t)
|
+ avahi_dbus_chat(virtd_t)
|
||||||
+ ')
|
+ ')
|
||||||
|
@ -86283,10 +86374,7 @@ index 1f22fba..12f4354 100644
|
||||||
+dev_rw_inherited_vhost(virt_domain)
|
+dev_rw_inherited_vhost(virt_domain)
|
||||||
+
|
+
|
||||||
+domain_use_interactive_fds(virt_domain)
|
+domain_use_interactive_fds(virt_domain)
|
||||||
|
+
|
||||||
- optional_policy(`
|
|
||||||
- avahi_dbus_chat(virtd_t)
|
|
||||||
- ')
|
|
||||||
+files_read_mnt_symlinks(virt_domain)
|
+files_read_mnt_symlinks(virt_domain)
|
||||||
+files_read_var_files(virt_domain)
|
+files_read_var_files(virt_domain)
|
||||||
+files_search_all(virt_domain)
|
+files_search_all(virt_domain)
|
||||||
|
@ -86802,7 +86890,7 @@ index 1f22fba..12f4354 100644
|
||||||
auth_dontaudit_read_login_records(svirt_lxc_domain)
|
auth_dontaudit_read_login_records(svirt_lxc_domain)
|
||||||
auth_dontaudit_write_login_records(svirt_lxc_domain)
|
auth_dontaudit_write_login_records(svirt_lxc_domain)
|
||||||
auth_search_pam_console_data(svirt_lxc_domain)
|
auth_search_pam_console_data(svirt_lxc_domain)
|
||||||
@@ -1063,11 +1109,16 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
|
@@ -1063,96 +1109,91 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
|
||||||
|
|
||||||
libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
|
libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
|
||||||
|
|
||||||
|
@ -86816,23 +86904,32 @@ index 1f22fba..12f4354 100644
|
||||||
+userdom_use_inherited_user_terminals(svirt_lxc_domain)
|
+userdom_use_inherited_user_terminals(svirt_lxc_domain)
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
|
+ apache_exec_modules(svirt_lxc_domain)
|
||||||
|
+ apache_read_sys_content(svirt_lxc_domain)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
+ mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
|
+ mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ ssh_use_ptys(svirt_lxc_net_t)
|
||||||
+')
|
+')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
udev_read_pid_files(svirt_lxc_domain)
|
udev_read_pid_files(svirt_lxc_domain)
|
||||||
@@ -1078,81 +1129,67 @@ optional_policy(`
|
')
|
||||||
apache_read_sys_content(svirt_lxc_domain)
|
|
||||||
|
optional_policy(`
|
||||||
|
- apache_exec_modules(svirt_lxc_domain)
|
||||||
|
- apache_read_sys_content(svirt_lxc_domain)
|
||||||
|
+ userhelper_dontaudit_write_config(svirt_lxc_domain)
|
||||||
')
|
')
|
||||||
|
|
||||||
-########################################
|
-########################################
|
||||||
-#
|
-#
|
||||||
-# Lxc net local policy
|
-# Lxc net local policy
|
||||||
-#
|
-#
|
||||||
+optional_policy(`
|
|
||||||
+ userhelper_dontaudit_write_config(svirt_lxc_domain)
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
+virt_lxc_domain_template(svirt_lxc_net)
|
+virt_lxc_domain_template(svirt_lxc_net)
|
||||||
|
|
||||||
-allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
|
-allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
|
||||||
|
@ -86929,7 +87026,7 @@ index 1f22fba..12f4354 100644
|
||||||
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
|
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
|
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
|
||||||
|
|
||||||
@@ -1165,12 +1202,12 @@ dev_read_sysfs(virt_qmf_t)
|
@@ -1165,12 +1206,12 @@ dev_read_sysfs(virt_qmf_t)
|
||||||
dev_read_rand(virt_qmf_t)
|
dev_read_rand(virt_qmf_t)
|
||||||
dev_read_urand(virt_qmf_t)
|
dev_read_urand(virt_qmf_t)
|
||||||
|
|
||||||
|
@ -86944,7 +87041,7 @@ index 1f22fba..12f4354 100644
|
||||||
sysnet_read_config(virt_qmf_t)
|
sysnet_read_config(virt_qmf_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -1183,9 +1220,8 @@ optional_policy(`
|
@@ -1183,9 +1224,8 @@ optional_policy(`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -86955,7 +87052,7 @@ index 1f22fba..12f4354 100644
|
||||||
allow virt_bridgehelper_t self:process { setcap getcap };
|
allow virt_bridgehelper_t self:process { setcap getcap };
|
||||||
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
|
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
|
||||||
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
||||||
@@ -1198,5 +1234,70 @@ kernel_read_network_state(virt_bridgehelper_t)
|
@@ -1198,5 +1238,70 @@ kernel_read_network_state(virt_bridgehelper_t)
|
||||||
|
|
||||||
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
|
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
|
||||||
|
|
||||||
|
|
|
@ -19,7 +19,7 @@
|
||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.12.1
|
Version: 3.12.1
|
||||||
Release: 19%{?dist}
|
Release: 20%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
|
@ -526,6 +526,14 @@ SELinux Reference policy mls base module.
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Mar 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-20
|
||||||
|
- Adopt swift changes from lhh@redhat.com
|
||||||
|
- Add rhcs_manage_cluster_pid_files() interface
|
||||||
|
- Allow screen domains to configure tty and setup sock_file in ~/.screen directory
|
||||||
|
- ALlow setroubleshoot to read default_context_t, needed to backport to F18
|
||||||
|
- Label /etc/owncloud as being an apache writable directory
|
||||||
|
- Allow sshd to stream connect to an lxc domain
|
||||||
|
|
||||||
* Thu Mar 7 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-19
|
* Thu Mar 7 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-19
|
||||||
- Allow postgresql to manage rgmanager pid files
|
- Allow postgresql to manage rgmanager pid files
|
||||||
- Allow postgresql to read ccs data
|
- Allow postgresql to read ccs data
|
||||||
|
|