- The ABRT coredump handler has code to emulate default core file creation. The handler runs in a separate process with the abrt_dump_oops_t SELinux process type. abrt-hook-ccpp also saves the core dump file in the same way the kernel does, and a user can specify the CWD as the core dump location. abrt-hook-ccpp has been made SELinux-aware so that it creates these core dumps with correct labeling, and with this commit the policy rules have been updated to allow access to all non-security files on the system.
- Since /dev/log is a symlink, we also need to allow relabelto on the symlink. This commit updates the logging_relabel_devlog_dev() interface to allow it. - systemd-user has pam_selinux support and needs to be able to compute the user security context if init_t is not an unconfined domain.
parent
0a89ba84bd
commit
02b374489f
@ -33741,7 +33741,7 @@ index 79a45f6..9769b64 100644
|
|||||||
+ read_files_pattern($1, init_var_lib_t, init_var_lib_t)
|
+ read_files_pattern($1, init_var_lib_t, init_var_lib_t)
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
||||||
index 17eda24..6e6454d 100644
|
index 17eda24..34affdd 100644
|
||||||
--- a/policy/modules/system/init.te
|
--- a/policy/modules/system/init.te
|
||||||
+++ b/policy/modules/system/init.te
|
+++ b/policy/modules/system/init.te
|
||||||
@@ -11,10 +11,31 @@ gen_require(`
|
@@ -11,10 +11,31 @@ gen_require(`
|
||||||
@ -33966,7 +33966,7 @@ index 17eda24..6e6454d 100644
|
|||||||
# file descriptors inherited from the rootfs:
|
# file descriptors inherited from the rootfs:
|
||||||
files_dontaudit_rw_root_files(init_t)
|
files_dontaudit_rw_root_files(init_t)
|
||||||
files_dontaudit_rw_root_chr_files(init_t)
|
files_dontaudit_rw_root_chr_files(init_t)
|
||||||
@@ -156,28 +257,55 @@ fs_list_inotifyfs(init_t)
|
@@ -156,28 +257,62 @@ fs_list_inotifyfs(init_t)
|
||||||
fs_write_ramfs_sockets(init_t)
|
fs_write_ramfs_sockets(init_t)
|
||||||
|
|
||||||
mcs_process_set_categories(init_t)
|
mcs_process_set_categories(init_t)
|
||||||
@ -33986,11 +33986,18 @@ index 17eda24..6e6454d 100644
|
|||||||
+mls_rangetrans_source(init_t)
|
+mls_rangetrans_source(init_t)
|
||||||
|
|
||||||
selinux_set_all_booleans(init_t)
|
selinux_set_all_booleans(init_t)
|
||||||
|
-
|
||||||
|
-term_use_all_terms(init_t)
|
||||||
+selinux_load_policy(init_t)
|
+selinux_load_policy(init_t)
|
||||||
+selinux_mounton_fs(init_t)
|
+selinux_mounton_fs(init_t)
|
||||||
+allow init_t security_t:security load_policy;
|
+allow init_t security_t:security load_policy;
|
||||||
|
+
|
||||||
-term_use_all_terms(init_t)
|
+selinux_compute_access_vector(init_t)
|
||||||
|
+selinux_compute_create_context(init_t)
|
||||||
|
+selinux_compute_user_contexts(init_t)
|
||||||
|
+selinux_validate_context(init_t)
|
||||||
|
+selinux_unmount_fs(init_t)
|
||||||
|
+
|
||||||
+term_create_pty_dir(init_t)
|
+term_create_pty_dir(init_t)
|
||||||
+term_use_unallocated_ttys(init_t)
|
+term_use_unallocated_ttys(init_t)
|
||||||
+term_use_console(init_t)
|
+term_use_console(init_t)
|
||||||
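Review bot: The raw rule `allow init_t security_t:security load_policy;` is added directly below `selinux_load_policy(init_t)`, which presumably grants that same permission, so the raw line looks redundant and also references another module's type from init.te, bypassing the interface layer (it would need security_t in init.te's gen_require, which is outside this hunk). If the interface already covers it, drop the raw rule. The commit message justifies `selinux_compute_user_contexts(init_t)` via systemd --user and pam_selinux, but gives no reason for `selinux_load_policy(init_t)` and `selinux_mounton_fs(init_t)`; since a domain that can load policy can change its own confinement, each of those lines should carry a one-line why-comment naming the systemd code path that needs it, or be dropped. The init_t rules continue outside this hunk.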
@ -34010,6 +34017,7 @@ index 17eda24..6e6454d 100644
|
|||||||
+logging_manage_audit_config(init_t)
|
+logging_manage_audit_config(init_t)
|
||||||
|
|
||||||
seutil_read_config(init_t)
|
seutil_read_config(init_t)
|
||||||
|
+seutil_read_default_contexts(init_t)
|
||||||
+seutil_read_module_store(init_t)
|
+seutil_read_module_store(init_t)
|
||||||
+
|
+
|
||||||
+miscfiles_manage_localization(init_t)
|
+miscfiles_manage_localization(init_t)
|
||||||
@ -34018,15 +34026,15 @@ index 17eda24..6e6454d 100644
|
|||||||
+userdom_use_user_ttys(init_t)
|
+userdom_use_user_ttys(init_t)
|
||||||
+userdom_manage_tmp_dirs(init_t)
|
+userdom_manage_tmp_dirs(init_t)
|
||||||
+userdom_manage_tmp_sockets(init_t)
|
+userdom_manage_tmp_sockets(init_t)
|
||||||
+
|
|
||||||
+userdom_transition_login_userdomain(init_t)
|
|
||||||
|
|
||||||
-miscfiles_read_localization(init_t)
|
-miscfiles_read_localization(init_t)
|
||||||
|
+userdom_transition_login_userdomain(init_t)
|
||||||
|
+
|
||||||
+allow init_t self:process setsched;
|
+allow init_t self:process setsched;
|
||||||
|
|
||||||
ifdef(`distro_gentoo',`
|
ifdef(`distro_gentoo',`
|
||||||
allow init_t self:process { getcap setcap };
|
allow init_t self:process { getcap setcap };
|
||||||
@@ -186,29 +314,242 @@ ifdef(`distro_gentoo',`
|
@@ -186,29 +321,238 @@ ifdef(`distro_gentoo',`
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
@ -34067,26 +34075,26 @@ index 17eda24..6e6454d 100644
|
|||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ kdump_read_crash(init_t)
|
+ kdump_read_crash(init_t)
|
||||||
+ kdump_read_config(init_t)
|
+ kdump_read_config(init_t)
|
||||||
+')
|
|
||||||
+
|
|
||||||
+optional_policy(`
|
|
||||||
+ gnome_filetrans_home_content(init_t)
|
|
||||||
+ gnome_manage_data(init_t)
|
|
||||||
+ gnome_manage_config(init_t)
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
+optional_policy(`
|
|
||||||
+ iscsi_read_lib_files(init_t)
|
|
||||||
+ iscsi_manage_lock(init_t)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- auth_rw_login_records(init_t)
|
- auth_rw_login_records(init_t)
|
||||||
+ modutils_domtrans_insmod(init_t)
|
+ gnome_filetrans_home_content(init_t)
|
||||||
+ modutils_list_module_config(init_t)
|
+ gnome_manage_data(init_t)
|
||||||
|
+ gnome_manage_config(init_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
+ iscsi_read_lib_files(init_t)
|
||||||
|
+ iscsi_manage_lock(init_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ modutils_domtrans_insmod(init_t)
|
||||||
|
+ modutils_list_module_config(init_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
+ postfix_exec(init_t)
|
+ postfix_exec(init_t)
|
||||||
+ postfix_list_spool(init_t)
|
+ postfix_list_spool(init_t)
|
||||||
+ mta_read_config(init_t)
|
+ mta_read_config(init_t)
|
||||||
@ -34171,10 +34179,6 @@ index 17eda24..6e6454d 100644
|
|||||||
+fs_rw_tmpfs_files(init_t)
|
+fs_rw_tmpfs_files(init_t)
|
||||||
+fs_relabel_cgroup_dirs(init_t)
|
+fs_relabel_cgroup_dirs(init_t)
|
||||||
+fs_search_cgroup_dirs(init_t)
|
+fs_search_cgroup_dirs(init_t)
|
||||||
+selinux_compute_access_vector(init_t)
|
|
||||||
+selinux_compute_create_context(init_t)
|
|
||||||
+selinux_validate_context(init_t)
|
|
||||||
+selinux_unmount_fs(init_t)
|
|
||||||
+
|
+
|
||||||
+storage_getattr_removable_dev(init_t)
|
+storage_getattr_removable_dev(init_t)
|
||||||
+
|
+
|
||||||
@ -34278,7 +34282,7 @@ index 17eda24..6e6454d 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -216,7 +557,31 @@ optional_policy(`
|
@@ -216,7 +560,31 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -34310,7 +34314,7 @@ index 17eda24..6e6454d 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -225,9 +590,9 @@ optional_policy(`
|
@@ -225,9 +593,9 @@ optional_policy(`
|
||||||
#
|
#
|
||||||
|
|
||||||
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
|
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
|
||||||
@ -34322,7 +34326,7 @@ index 17eda24..6e6454d 100644
|
|||||||
allow initrc_t self:passwd rootok;
|
allow initrc_t self:passwd rootok;
|
||||||
allow initrc_t self:key manage_key_perms;
|
allow initrc_t self:key manage_key_perms;
|
||||||
|
|
||||||
@@ -258,12 +623,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
@@ -258,12 +626,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
||||||
|
|
||||||
allow initrc_t initrc_var_run_t:file manage_file_perms;
|
allow initrc_t initrc_var_run_t:file manage_file_perms;
|
||||||
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
|
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
|
||||||
@ -34339,7 +34343,7 @@ index 17eda24..6e6454d 100644
|
|||||||
|
|
||||||
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
|
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
|
||||||
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
|
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
|
||||||
@@ -279,23 +648,36 @@ kernel_change_ring_buffer_level(initrc_t)
|
@@ -279,23 +651,36 @@ kernel_change_ring_buffer_level(initrc_t)
|
||||||
kernel_clear_ring_buffer(initrc_t)
|
kernel_clear_ring_buffer(initrc_t)
|
||||||
kernel_get_sysvipc_info(initrc_t)
|
kernel_get_sysvipc_info(initrc_t)
|
||||||
kernel_read_all_sysctls(initrc_t)
|
kernel_read_all_sysctls(initrc_t)
|
||||||
@ -34382,7 +34386,7 @@ index 17eda24..6e6454d 100644
|
|||||||
corenet_tcp_sendrecv_all_ports(initrc_t)
|
corenet_tcp_sendrecv_all_ports(initrc_t)
|
||||||
corenet_udp_sendrecv_all_ports(initrc_t)
|
corenet_udp_sendrecv_all_ports(initrc_t)
|
||||||
corenet_tcp_connect_all_ports(initrc_t)
|
corenet_tcp_connect_all_ports(initrc_t)
|
||||||
@@ -303,9 +685,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
|
@@ -303,9 +688,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
|
||||||
|
|
||||||
dev_read_rand(initrc_t)
|
dev_read_rand(initrc_t)
|
||||||
dev_read_urand(initrc_t)
|
dev_read_urand(initrc_t)
|
||||||
@ -34394,7 +34398,7 @@ index 17eda24..6e6454d 100644
|
|||||||
dev_rw_sysfs(initrc_t)
|
dev_rw_sysfs(initrc_t)
|
||||||
dev_list_usbfs(initrc_t)
|
dev_list_usbfs(initrc_t)
|
||||||
dev_read_framebuffer(initrc_t)
|
dev_read_framebuffer(initrc_t)
|
||||||
@@ -313,8 +697,10 @@ dev_write_framebuffer(initrc_t)
|
@@ -313,8 +700,10 @@ dev_write_framebuffer(initrc_t)
|
||||||
dev_read_realtime_clock(initrc_t)
|
dev_read_realtime_clock(initrc_t)
|
||||||
dev_read_sound_mixer(initrc_t)
|
dev_read_sound_mixer(initrc_t)
|
||||||
dev_write_sound_mixer(initrc_t)
|
dev_write_sound_mixer(initrc_t)
|
||||||
@ -34405,7 +34409,7 @@ index 17eda24..6e6454d 100644
|
|||||||
dev_delete_lvm_control_dev(initrc_t)
|
dev_delete_lvm_control_dev(initrc_t)
|
||||||
dev_manage_generic_symlinks(initrc_t)
|
dev_manage_generic_symlinks(initrc_t)
|
||||||
dev_manage_generic_files(initrc_t)
|
dev_manage_generic_files(initrc_t)
|
||||||
@@ -322,8 +708,7 @@ dev_manage_generic_files(initrc_t)
|
@@ -322,8 +711,7 @@ dev_manage_generic_files(initrc_t)
|
||||||
dev_delete_generic_symlinks(initrc_t)
|
dev_delete_generic_symlinks(initrc_t)
|
||||||
dev_getattr_all_blk_files(initrc_t)
|
dev_getattr_all_blk_files(initrc_t)
|
||||||
dev_getattr_all_chr_files(initrc_t)
|
dev_getattr_all_chr_files(initrc_t)
|
||||||
@ -34415,7 +34419,7 @@ index 17eda24..6e6454d 100644
|
|||||||
|
|
||||||
domain_kill_all_domains(initrc_t)
|
domain_kill_all_domains(initrc_t)
|
||||||
domain_signal_all_domains(initrc_t)
|
domain_signal_all_domains(initrc_t)
|
||||||
@@ -332,7 +717,6 @@ domain_sigstop_all_domains(initrc_t)
|
@@ -332,7 +720,6 @@ domain_sigstop_all_domains(initrc_t)
|
||||||
domain_sigchld_all_domains(initrc_t)
|
domain_sigchld_all_domains(initrc_t)
|
||||||
domain_read_all_domains_state(initrc_t)
|
domain_read_all_domains_state(initrc_t)
|
||||||
domain_getattr_all_domains(initrc_t)
|
domain_getattr_all_domains(initrc_t)
|
||||||
@ -34423,7 +34427,7 @@ index 17eda24..6e6454d 100644
|
|||||||
domain_getsession_all_domains(initrc_t)
|
domain_getsession_all_domains(initrc_t)
|
||||||
domain_use_interactive_fds(initrc_t)
|
domain_use_interactive_fds(initrc_t)
|
||||||
# for lsof which is used by alsa shutdown:
|
# for lsof which is used by alsa shutdown:
|
||||||
@@ -340,6 +724,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
|
@@ -340,6 +727,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
|
||||||
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
|
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
|
||||||
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
|
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
|
||||||
domain_dontaudit_getattr_all_pipes(initrc_t)
|
domain_dontaudit_getattr_all_pipes(initrc_t)
|
||||||
@ -34431,7 +34435,7 @@ index 17eda24..6e6454d 100644
|
|||||||
|
|
||||||
files_getattr_all_dirs(initrc_t)
|
files_getattr_all_dirs(initrc_t)
|
||||||
files_getattr_all_files(initrc_t)
|
files_getattr_all_files(initrc_t)
|
||||||
@@ -347,14 +732,15 @@ files_getattr_all_symlinks(initrc_t)
|
@@ -347,14 +735,15 @@ files_getattr_all_symlinks(initrc_t)
|
||||||
files_getattr_all_pipes(initrc_t)
|
files_getattr_all_pipes(initrc_t)
|
||||||
files_getattr_all_sockets(initrc_t)
|
files_getattr_all_sockets(initrc_t)
|
||||||
files_purge_tmp(initrc_t)
|
files_purge_tmp(initrc_t)
|
||||||
@ -34449,7 +34453,7 @@ index 17eda24..6e6454d 100644
|
|||||||
files_read_usr_files(initrc_t)
|
files_read_usr_files(initrc_t)
|
||||||
files_manage_urandom_seed(initrc_t)
|
files_manage_urandom_seed(initrc_t)
|
||||||
files_manage_generic_spool(initrc_t)
|
files_manage_generic_spool(initrc_t)
|
||||||
@@ -364,8 +750,12 @@ files_list_isid_type_dirs(initrc_t)
|
@@ -364,8 +753,12 @@ files_list_isid_type_dirs(initrc_t)
|
||||||
files_mounton_isid_type_dirs(initrc_t)
|
files_mounton_isid_type_dirs(initrc_t)
|
||||||
files_list_default(initrc_t)
|
files_list_default(initrc_t)
|
||||||
files_mounton_default(initrc_t)
|
files_mounton_default(initrc_t)
|
||||||
@ -34463,7 +34467,7 @@ index 17eda24..6e6454d 100644
|
|||||||
fs_list_inotifyfs(initrc_t)
|
fs_list_inotifyfs(initrc_t)
|
||||||
fs_register_binary_executable_type(initrc_t)
|
fs_register_binary_executable_type(initrc_t)
|
||||||
# rhgb-console writes to ramfs
|
# rhgb-console writes to ramfs
|
||||||
@@ -375,10 +765,11 @@ fs_mount_all_fs(initrc_t)
|
@@ -375,10 +768,11 @@ fs_mount_all_fs(initrc_t)
|
||||||
fs_unmount_all_fs(initrc_t)
|
fs_unmount_all_fs(initrc_t)
|
||||||
fs_remount_all_fs(initrc_t)
|
fs_remount_all_fs(initrc_t)
|
||||||
fs_getattr_all_fs(initrc_t)
|
fs_getattr_all_fs(initrc_t)
|
||||||
@ -34477,7 +34481,7 @@ index 17eda24..6e6454d 100644
|
|||||||
mcs_process_set_categories(initrc_t)
|
mcs_process_set_categories(initrc_t)
|
||||||
|
|
||||||
mls_file_read_all_levels(initrc_t)
|
mls_file_read_all_levels(initrc_t)
|
||||||
@@ -387,8 +778,10 @@ mls_process_read_up(initrc_t)
|
@@ -387,8 +781,10 @@ mls_process_read_up(initrc_t)
|
||||||
mls_process_write_down(initrc_t)
|
mls_process_write_down(initrc_t)
|
||||||
mls_rangetrans_source(initrc_t)
|
mls_rangetrans_source(initrc_t)
|
||||||
mls_fd_share_all_levels(initrc_t)
|
mls_fd_share_all_levels(initrc_t)
|
||||||
@ -34488,7 +34492,7 @@ index 17eda24..6e6454d 100644
|
|||||||
|
|
||||||
storage_getattr_fixed_disk_dev(initrc_t)
|
storage_getattr_fixed_disk_dev(initrc_t)
|
||||||
storage_setattr_fixed_disk_dev(initrc_t)
|
storage_setattr_fixed_disk_dev(initrc_t)
|
||||||
@@ -398,6 +791,7 @@ term_use_all_terms(initrc_t)
|
@@ -398,6 +794,7 @@ term_use_all_terms(initrc_t)
|
||||||
term_reset_tty_labels(initrc_t)
|
term_reset_tty_labels(initrc_t)
|
||||||
|
|
||||||
auth_rw_login_records(initrc_t)
|
auth_rw_login_records(initrc_t)
|
||||||
@ -34496,7 +34500,7 @@ index 17eda24..6e6454d 100644
|
|||||||
auth_setattr_login_records(initrc_t)
|
auth_setattr_login_records(initrc_t)
|
||||||
auth_rw_lastlog(initrc_t)
|
auth_rw_lastlog(initrc_t)
|
||||||
auth_read_pam_pid(initrc_t)
|
auth_read_pam_pid(initrc_t)
|
||||||
@@ -416,20 +810,18 @@ logging_read_all_logs(initrc_t)
|
@@ -416,20 +813,18 @@ logging_read_all_logs(initrc_t)
|
||||||
logging_append_all_logs(initrc_t)
|
logging_append_all_logs(initrc_t)
|
||||||
logging_read_audit_config(initrc_t)
|
logging_read_audit_config(initrc_t)
|
||||||
|
|
||||||
@ -34520,7 +34524,7 @@ index 17eda24..6e6454d 100644
|
|||||||
|
|
||||||
ifdef(`distro_debian',`
|
ifdef(`distro_debian',`
|
||||||
dev_setattr_generic_dirs(initrc_t)
|
dev_setattr_generic_dirs(initrc_t)
|
||||||
@@ -451,7 +843,6 @@ ifdef(`distro_gentoo',`
|
@@ -451,7 +846,6 @@ ifdef(`distro_gentoo',`
|
||||||
allow initrc_t self:process setfscreate;
|
allow initrc_t self:process setfscreate;
|
||||||
dev_create_null_dev(initrc_t)
|
dev_create_null_dev(initrc_t)
|
||||||
dev_create_zero_dev(initrc_t)
|
dev_create_zero_dev(initrc_t)
|
||||||
@ -34528,7 +34532,7 @@ index 17eda24..6e6454d 100644
|
|||||||
term_create_console_dev(initrc_t)
|
term_create_console_dev(initrc_t)
|
||||||
|
|
||||||
# unfortunately /sbin/rc does stupid tricks
|
# unfortunately /sbin/rc does stupid tricks
|
||||||
@@ -486,6 +877,10 @@ ifdef(`distro_gentoo',`
|
@@ -486,6 +880,10 @@ ifdef(`distro_gentoo',`
|
||||||
sysnet_setattr_config(initrc_t)
|
sysnet_setattr_config(initrc_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -34539,7 +34543,7 @@ index 17eda24..6e6454d 100644
|
|||||||
alsa_read_lib(initrc_t)
|
alsa_read_lib(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -506,7 +901,7 @@ ifdef(`distro_redhat',`
|
@@ -506,7 +904,7 @@ ifdef(`distro_redhat',`
|
||||||
|
|
||||||
# Red Hat systems seem to have a stray
|
# Red Hat systems seem to have a stray
|
||||||
# fd open from the initrd
|
# fd open from the initrd
|
||||||
@ -34548,7 +34552,7 @@ index 17eda24..6e6454d 100644
|
|||||||
files_dontaudit_read_root_files(initrc_t)
|
files_dontaudit_read_root_files(initrc_t)
|
||||||
|
|
||||||
# These seem to be from the initrd
|
# These seem to be from the initrd
|
||||||
@@ -521,6 +916,7 @@ ifdef(`distro_redhat',`
|
@@ -521,6 +919,7 @@ ifdef(`distro_redhat',`
|
||||||
files_create_boot_dirs(initrc_t)
|
files_create_boot_dirs(initrc_t)
|
||||||
files_create_boot_flag(initrc_t)
|
files_create_boot_flag(initrc_t)
|
||||||
files_rw_boot_symlinks(initrc_t)
|
files_rw_boot_symlinks(initrc_t)
|
||||||
@ -34556,7 +34560,7 @@ index 17eda24..6e6454d 100644
|
|||||||
# wants to read /.fonts directory
|
# wants to read /.fonts directory
|
||||||
files_read_default_files(initrc_t)
|
files_read_default_files(initrc_t)
|
||||||
files_mountpoint(initrc_tmp_t)
|
files_mountpoint(initrc_tmp_t)
|
||||||
@@ -541,6 +937,7 @@ ifdef(`distro_redhat',`
|
@@ -541,6 +940,7 @@ ifdef(`distro_redhat',`
|
||||||
miscfiles_rw_localization(initrc_t)
|
miscfiles_rw_localization(initrc_t)
|
||||||
miscfiles_setattr_localization(initrc_t)
|
miscfiles_setattr_localization(initrc_t)
|
||||||
miscfiles_relabel_localization(initrc_t)
|
miscfiles_relabel_localization(initrc_t)
|
||||||
@ -34564,7 +34568,7 @@ index 17eda24..6e6454d 100644
|
|||||||
|
|
||||||
miscfiles_read_fonts(initrc_t)
|
miscfiles_read_fonts(initrc_t)
|
||||||
miscfiles_read_hwdata(initrc_t)
|
miscfiles_read_hwdata(initrc_t)
|
||||||
@@ -550,8 +947,44 @@ ifdef(`distro_redhat',`
|
@@ -550,8 +950,44 @@ ifdef(`distro_redhat',`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -34609,7 +34613,7 @@ index 17eda24..6e6454d 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -559,14 +992,31 @@ ifdef(`distro_redhat',`
|
@@ -559,14 +995,31 @@ ifdef(`distro_redhat',`
|
||||||
rpc_write_exports(initrc_t)
|
rpc_write_exports(initrc_t)
|
||||||
rpc_manage_nfs_state_data(initrc_t)
|
rpc_manage_nfs_state_data(initrc_t)
|
||||||
')
|
')
|
||||||
@ -34641,7 +34645,7 @@ index 17eda24..6e6454d 100644
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -577,6 +1027,39 @@ ifdef(`distro_suse',`
|
@@ -577,6 +1030,39 @@ ifdef(`distro_suse',`
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -34681,7 +34685,7 @@ index 17eda24..6e6454d 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
amavis_search_lib(initrc_t)
|
amavis_search_lib(initrc_t)
|
||||||
amavis_setattr_pid_files(initrc_t)
|
amavis_setattr_pid_files(initrc_t)
|
||||||
@@ -589,6 +1072,8 @@ optional_policy(`
|
@@ -589,6 +1075,8 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
apache_read_config(initrc_t)
|
apache_read_config(initrc_t)
|
||||||
apache_list_modules(initrc_t)
|
apache_list_modules(initrc_t)
|
||||||
@ -34690,7 +34694,7 @@ index 17eda24..6e6454d 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -610,6 +1095,7 @@ optional_policy(`
|
@@ -610,6 +1098,7 @@ optional_policy(`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
cgroup_stream_connect_cgred(initrc_t)
|
cgroup_stream_connect_cgred(initrc_t)
|
||||||
@ -34698,7 +34702,7 @@ index 17eda24..6e6454d 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -626,6 +1112,17 @@ optional_policy(`
|
@@ -626,6 +1115,17 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -34716,7 +34720,7 @@ index 17eda24..6e6454d 100644
|
|||||||
dev_getattr_printer_dev(initrc_t)
|
dev_getattr_printer_dev(initrc_t)
|
||||||
|
|
||||||
cups_read_log(initrc_t)
|
cups_read_log(initrc_t)
|
||||||
@@ -642,9 +1139,13 @@ optional_policy(`
|
@@ -642,9 +1142,13 @@ optional_policy(`
|
||||||
dbus_connect_system_bus(initrc_t)
|
dbus_connect_system_bus(initrc_t)
|
||||||
dbus_system_bus_client(initrc_t)
|
dbus_system_bus_client(initrc_t)
|
||||||
dbus_read_config(initrc_t)
|
dbus_read_config(initrc_t)
|
||||||
@ -34730,7 +34734,7 @@ index 17eda24..6e6454d 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -657,15 +1158,11 @@ optional_policy(`
|
@@ -657,15 +1161,11 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -34748,7 +34752,7 @@ index 17eda24..6e6454d 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -686,6 +1183,15 @@ optional_policy(`
|
@@ -686,6 +1186,15 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -34764,7 +34768,7 @@ index 17eda24..6e6454d 100644
|
|||||||
inn_exec_config(initrc_t)
|
inn_exec_config(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -726,6 +1232,7 @@ optional_policy(`
|
@@ -726,6 +1235,7 @@ optional_policy(`
|
||||||
lpd_list_spool(initrc_t)
|
lpd_list_spool(initrc_t)
|
||||||
|
|
||||||
lpd_read_config(initrc_t)
|
lpd_read_config(initrc_t)
|
||||||
@ -34772,7 +34776,7 @@ index 17eda24..6e6454d 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -743,7 +1250,13 @@ optional_policy(`
|
@@ -743,7 +1253,13 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -34787,7 +34791,7 @@ index 17eda24..6e6454d 100644
|
|||||||
mta_dontaudit_read_spool_symlinks(initrc_t)
|
mta_dontaudit_read_spool_symlinks(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -766,6 +1279,10 @@ optional_policy(`
|
@@ -766,6 +1282,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -34798,7 +34802,7 @@ index 17eda24..6e6454d 100644
|
|||||||
postgresql_manage_db(initrc_t)
|
postgresql_manage_db(initrc_t)
|
||||||
postgresql_read_config(initrc_t)
|
postgresql_read_config(initrc_t)
|
||||||
')
|
')
|
||||||
@@ -775,10 +1292,20 @@ optional_policy(`
|
@@ -775,10 +1295,20 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -34819,7 +34823,7 @@ index 17eda24..6e6454d 100644
|
|||||||
quota_manage_flags(initrc_t)
|
quota_manage_flags(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -787,6 +1314,10 @@ optional_policy(`
|
@@ -787,6 +1317,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -34830,7 +34834,7 @@ index 17eda24..6e6454d 100644
|
|||||||
fs_write_ramfs_sockets(initrc_t)
|
fs_write_ramfs_sockets(initrc_t)
|
||||||
fs_search_ramfs(initrc_t)
|
fs_search_ramfs(initrc_t)
|
||||||
|
|
||||||
@@ -808,8 +1339,6 @@ optional_policy(`
|
@@ -808,8 +1342,6 @@ optional_policy(`
|
||||||
# bash tries ioctl for some reason
|
# bash tries ioctl for some reason
|
||||||
files_dontaudit_ioctl_all_pids(initrc_t)
|
files_dontaudit_ioctl_all_pids(initrc_t)
|
||||||
|
|
||||||
@ -34839,7 +34843,7 @@ index 17eda24..6e6454d 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -818,6 +1347,10 @@ optional_policy(`
|
@@ -818,6 +1350,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -34850,7 +34854,7 @@ index 17eda24..6e6454d 100644
|
|||||||
# shorewall-init script run /var/lib/shorewall/firewall
|
# shorewall-init script run /var/lib/shorewall/firewall
|
||||||
shorewall_lib_domtrans(initrc_t)
|
shorewall_lib_domtrans(initrc_t)
|
||||||
')
|
')
|
||||||
@@ -827,10 +1360,12 @@ optional_policy(`
|
@@ -827,10 +1363,12 @@ optional_policy(`
|
||||||
squid_manage_logs(initrc_t)
|
squid_manage_logs(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -34863,7 +34867,7 @@ index 17eda24..6e6454d 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
ssh_dontaudit_read_server_keys(initrc_t)
|
ssh_dontaudit_read_server_keys(initrc_t)
|
||||||
@@ -857,21 +1392,60 @@ optional_policy(`
|
@@ -857,21 +1395,60 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -34925,7 +34929,7 @@ index 17eda24..6e6454d 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -887,6 +1461,10 @@ optional_policy(`
|
@@ -887,6 +1464,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -34936,7 +34940,7 @@ index 17eda24..6e6454d 100644
|
|||||||
# Set device ownerships/modes.
|
# Set device ownerships/modes.
|
||||||
xserver_setattr_console_pipes(initrc_t)
|
xserver_setattr_console_pipes(initrc_t)
|
||||||
|
|
||||||
@@ -897,3 +1475,218 @@ optional_policy(`
|
@@ -897,3 +1478,218 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
zebra_read_config(initrc_t)
|
zebra_read_config(initrc_t)
|
||||||
')
|
')
|
||||||
@ -37088,7 +37092,7 @@ index b50c5fe..13da95a 100644
|
|||||||
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||||
+
|
+
|
||||||
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
|
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
|
||||||
index 4e94884..7ab6191 100644
|
index 4e94884..3c33045 100644
|
||||||
--- a/policy/modules/system/logging.if
|
--- a/policy/modules/system/logging.if
|
||||||
+++ b/policy/modules/system/logging.if
|
+++ b/policy/modules/system/logging.if
|
||||||
@@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
|
@@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
|
||||||
@ -37178,7 +37182,7 @@ index 4e94884..7ab6191 100644
|
|||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Send system log messages.
|
## Send system log messages.
|
||||||
@@ -530,22 +592,105 @@ interface(`logging_log_filetrans',`
|
@@ -530,22 +592,106 @@ interface(`logging_log_filetrans',`
|
||||||
#
|
#
|
||||||
interface(`logging_send_syslog_msg',`
|
interface(`logging_send_syslog_msg',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -37237,6 +37241,7 @@ index 4e94884..7ab6191 100644
|
|||||||
- term_write_console($1)
|
- term_write_console($1)
|
||||||
- term_dontaudit_read_console($1)
|
- term_dontaudit_read_console($1)
|
||||||
+ allow $1 devlog_t:sock_file relabel_sock_file_perms;
|
+ allow $1 devlog_t:sock_file relabel_sock_file_perms;
|
||||||
|
+ allow $1 devlog_t:lnk_file relabelto_lnk_file_perms;
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
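Review bot: `allow $1 devlog_t:lnk_file relabelto_lnk_file_perms;` widens what `logging_relabel_devlog_dev()` grants, but the interface's summary comment above this hunk (outside it) should now say that /dev/log may be a symlink and that callers get relabelto on it; a why-comment at the rule itself would help too, e.g. `# /dev/log is a symlink on systemd systems; let the caller label the link devlog_t`. Note the asymmetry: the sock_file gets full relabel (from and to) while the symlink only gets relabelto, so a caller that needs to relabel an existing devlog_t symlink away would still be denied — fine if intended, but worth stating in the comment. The interface definition starts outside this hunk.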
@ -37296,7 +37301,7 @@ index 4e94884..7ab6191 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -571,6 +716,25 @@ interface(`logging_read_audit_config',`
|
@@ -571,6 +717,25 @@ interface(`logging_read_audit_config',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -37322,7 +37327,7 @@ index 4e94884..7ab6191 100644
|
|||||||
## dontaudit search of auditd configuration files.
|
## dontaudit search of auditd configuration files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -609,6 +773,25 @@ interface(`logging_read_syslog_config',`
|
@@ -609,6 +774,25 @@ interface(`logging_read_syslog_config',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -37348,7 +37353,7 @@ index 4e94884..7ab6191 100644
|
|||||||
## Allows the domain to open a file in the
|
## Allows the domain to open a file in the
|
||||||
## log directory, but does not allow the listing
|
## log directory, but does not allow the listing
|
||||||
## of the contents of the log directory.
|
## of the contents of the log directory.
|
||||||
@@ -722,6 +905,25 @@ interface(`logging_setattr_all_log_dirs',`
|
@@ -722,6 +906,25 @@ interface(`logging_setattr_all_log_dirs',`
|
||||||
allow $1 logfile:dir setattr;
|
allow $1 logfile:dir setattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -37374,7 +37379,7 @@ index 4e94884..7ab6191 100644
|
|||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Do not audit attempts to get the attributes
|
## Do not audit attempts to get the attributes
|
||||||
@@ -776,7 +978,25 @@ interface(`logging_append_all_logs',`
|
@@ -776,7 +979,25 @@ interface(`logging_append_all_logs',`
|
||||||
')
|
')
|
||||||
|
|
||||||
files_search_var($1)
|
files_search_var($1)
|
||||||
@ -37401,7 +37406,7 @@ index 4e94884..7ab6191 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -859,7 +1079,7 @@ interface(`logging_manage_all_logs',`
|
@@ -859,7 +1080,7 @@ interface(`logging_manage_all_logs',`
|
||||||
|
|
||||||
files_search_var($1)
|
files_search_var($1)
|
||||||
manage_files_pattern($1, logfile, logfile)
|
manage_files_pattern($1, logfile, logfile)
|
||||||
@ -37410,7 +37415,7 @@ index 4e94884..7ab6191 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -885,6 +1105,44 @@ interface(`logging_read_generic_logs',`
|
@@ -885,6 +1106,44 @@ interface(`logging_read_generic_logs',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -37455,7 +37460,7 @@ index 4e94884..7ab6191 100644
|
|||||||
## Write generic log files.
|
## Write generic log files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -905,6 +1163,24 @@ interface(`logging_write_generic_logs',`
|
@@ -905,6 +1164,24 @@ interface(`logging_write_generic_logs',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -37480,7 +37485,7 @@ index 4e94884..7ab6191 100644
|
|||||||
## Dontaudit Write generic log files.
|
## Dontaudit Write generic log files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -984,11 +1260,16 @@ interface(`logging_admin_audit',`
|
@@ -984,11 +1261,16 @@ interface(`logging_admin_audit',`
|
||||||
type auditd_t, auditd_etc_t, auditd_log_t;
|
type auditd_t, auditd_etc_t, auditd_log_t;
|
||||||
type auditd_var_run_t;
|
type auditd_var_run_t;
|
||||||
type auditd_initrc_exec_t;
|
type auditd_initrc_exec_t;
|
||||||
@ -37498,7 +37503,7 @@ index 4e94884..7ab6191 100644
|
|||||||
manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
|
manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
|
||||||
manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
|
manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
|
||||||
|
|
||||||
@@ -1004,6 +1285,33 @@ interface(`logging_admin_audit',`
|
@@ -1004,6 +1286,33 @@ interface(`logging_admin_audit',`
|
||||||
domain_system_change_exemption($1)
|
domain_system_change_exemption($1)
|
||||||
role_transition $2 auditd_initrc_exec_t system_r;
|
role_transition $2 auditd_initrc_exec_t system_r;
|
||||||
allow $2 system_r;
|
allow $2 system_r;
|
||||||
@ -37532,7 +37537,7 @@ index 4e94884..7ab6191 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1032,10 +1340,15 @@ interface(`logging_admin_syslog',`
|
@@ -1032,10 +1341,15 @@ interface(`logging_admin_syslog',`
|
||||||
type syslogd_initrc_exec_t;
|
type syslogd_initrc_exec_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -37550,7 +37555,7 @@ index 4e94884..7ab6191 100644
|
|||||||
|
|
||||||
manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
|
manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
|
||||||
manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
|
manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
|
||||||
@@ -1057,6 +1370,8 @@ interface(`logging_admin_syslog',`
|
@@ -1057,6 +1371,8 @@ interface(`logging_admin_syslog',`
|
||||||
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
|
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
|
||||||
|
|
||||||
logging_manage_all_logs($1)
|
logging_manage_all_logs($1)
|
||||||
@ -37559,7 +37564,7 @@ index 4e94884..7ab6191 100644
|
|||||||
|
|
||||||
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
|
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
|
||||||
domain_system_change_exemption($1)
|
domain_system_change_exemption($1)
|
||||||
@@ -1085,3 +1400,90 @@ interface(`logging_admin',`
|
@@ -1085,3 +1401,90 @@ interface(`logging_admin',`
|
||||||
logging_admin_audit($1, $2)
|
logging_admin_audit($1, $2)
|
||||||
logging_admin_syslog($1, $2)
|
logging_admin_syslog($1, $2)
|
||||||
')
|
')
|
||||||
@ -47179,7 +47184,7 @@ index db75976..c54480a 100644
|
|||||||
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
|
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
|
||||||
+
|
+
|
||||||
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
|
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
|
||||||
index 9dc60c6..b2ad017 100644
|
index 9dc60c6..14be41c 100644
|
||||||
--- a/policy/modules/system/userdomain.if
|
--- a/policy/modules/system/userdomain.if
|
||||||
+++ b/policy/modules/system/userdomain.if
|
+++ b/policy/modules/system/userdomain.if
|
||||||
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
|
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
|
||||||
@ -48850,7 +48855,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1397,12 +1845,51 @@ interface(`userdom_user_tmp_file',`
|
@@ -1397,12 +1845,52 @@ interface(`userdom_user_tmp_file',`
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`userdom_user_tmpfs_file',`
|
interface(`userdom_user_tmpfs_file',`
|
||||||
@ -48861,7 +48866,8 @@ index 9dc60c6..b2ad017 100644
|
|||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Allow domain to attach to TUN devices created by administrative users.
|
+## Make the specified type usable as
|
||||||
|
+## user temporary content.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="type">
|
+## <param name="type">
|
||||||
+## <summary>
|
+## <summary>
|
||||||
@ -48903,7 +48909,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
## Allow domain to attach to TUN devices created by administrative users.
|
## Allow domain to attach to TUN devices created by administrative users.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -1509,11 +1996,31 @@ interface(`userdom_search_user_home_dirs',`
|
@@ -1509,11 +1997,31 @@ interface(`userdom_search_user_home_dirs',`
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 user_home_dir_t:dir search_dir_perms;
|
allow $1 user_home_dir_t:dir search_dir_perms;
|
||||||
@ -48935,7 +48941,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
## Do not audit attempts to search user home directories.
|
## Do not audit attempts to search user home directories.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <desc>
|
## <desc>
|
||||||
@@ -1555,6 +2062,14 @@ interface(`userdom_list_user_home_dirs',`
|
@@ -1555,6 +2063,14 @@ interface(`userdom_list_user_home_dirs',`
|
||||||
|
|
||||||
allow $1 user_home_dir_t:dir list_dir_perms;
|
allow $1 user_home_dir_t:dir list_dir_perms;
|
||||||
files_search_home($1)
|
files_search_home($1)
|
||||||
@ -48950,7 +48956,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1570,9 +2085,11 @@ interface(`userdom_list_user_home_dirs',`
|
@@ -1570,9 +2086,11 @@ interface(`userdom_list_user_home_dirs',`
|
||||||
interface(`userdom_dontaudit_list_user_home_dirs',`
|
interface(`userdom_dontaudit_list_user_home_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type user_home_dir_t;
|
type user_home_dir_t;
|
||||||
@ -48962,7 +48968,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1613,6 +2130,24 @@ interface(`userdom_manage_user_home_dirs',`
|
@@ -1613,6 +2131,24 @@ interface(`userdom_manage_user_home_dirs',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -48987,7 +48993,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
## Relabel to user home directories.
|
## Relabel to user home directories.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -1631,6 +2166,59 @@ interface(`userdom_relabelto_user_home_dirs',`
|
@@ -1631,6 +2167,59 @@ interface(`userdom_relabelto_user_home_dirs',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -49047,7 +49053,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
## Create directories in the home dir root with
|
## Create directories in the home dir root with
|
||||||
## the user home directory type.
|
## the user home directory type.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -1704,10 +2292,12 @@ interface(`userdom_user_home_domtrans',`
|
@@ -1704,10 +2293,12 @@ interface(`userdom_user_home_domtrans',`
|
||||||
#
|
#
|
||||||
interface(`userdom_dontaudit_search_user_home_content',`
|
interface(`userdom_dontaudit_search_user_home_content',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -49062,7 +49068,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1741,10 +2331,12 @@ interface(`userdom_list_all_user_home_content',`
|
@@ -1741,10 +2332,12 @@ interface(`userdom_list_all_user_home_content',`
|
||||||
#
|
#
|
||||||
interface(`userdom_list_user_home_content',`
|
interface(`userdom_list_user_home_content',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -49077,7 +49083,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1769,7 +2361,7 @@ interface(`userdom_manage_user_home_content_dirs',`
|
@@ -1769,7 +2362,7 @@ interface(`userdom_manage_user_home_content_dirs',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -49086,7 +49092,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -1777,19 +2369,17 @@ interface(`userdom_manage_user_home_content_dirs',`
|
@@ -1777,19 +2370,17 @@ interface(`userdom_manage_user_home_content_dirs',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -49110,7 +49116,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -1797,55 +2387,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
|
@@ -1797,55 +2388,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -49181,7 +49187,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -1853,18 +2443,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
|
@@ -1853,18 +2444,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -49209,7 +49215,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -1872,17 +2463,167 @@ interface(`userdom_mmap_user_home_content_files',`
|
@@ -1872,17 +2464,167 @@ interface(`userdom_mmap_user_home_content_files',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -49382,7 +49388,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
## Do not audit attempts to read user home files.
|
## Do not audit attempts to read user home files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -1893,11 +2634,14 @@ interface(`userdom_read_user_home_content_files',`
|
@@ -1893,11 +2635,14 @@ interface(`userdom_read_user_home_content_files',`
|
||||||
#
|
#
|
||||||
interface(`userdom_dontaudit_read_user_home_content_files',`
|
interface(`userdom_dontaudit_read_user_home_content_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -49400,7 +49406,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1938,7 +2682,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
|
@@ -1938,7 +2683,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -49409,7 +49415,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -1946,10 +2690,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
|
@@ -1946,10 +2691,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -49422,7 +49428,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
userdom_search_user_home_content($1)
|
userdom_search_user_home_content($1)
|
||||||
@@ -1958,7 +2701,7 @@ interface(`userdom_delete_all_user_home_content_files',`
|
@@ -1958,7 +2702,7 @@ interface(`userdom_delete_all_user_home_content_files',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -49431,7 +49437,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -1966,12 +2709,66 @@ interface(`userdom_delete_all_user_home_content_files',`
|
@@ -1966,12 +2710,66 @@ interface(`userdom_delete_all_user_home_content_files',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -49500,7 +49506,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2007,8 +2804,7 @@ interface(`userdom_read_user_home_content_symlinks',`
|
@@ -2007,8 +2805,7 @@ interface(`userdom_read_user_home_content_symlinks',`
|
||||||
type user_home_dir_t, user_home_t;
|
type user_home_dir_t, user_home_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -49510,7 +49516,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2024,21 +2820,15 @@ interface(`userdom_read_user_home_content_symlinks',`
|
@@ -2024,21 +2821,15 @@ interface(`userdom_read_user_home_content_symlinks',`
|
||||||
#
|
#
|
||||||
interface(`userdom_exec_user_home_content_files',`
|
interface(`userdom_exec_user_home_content_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -49536,7 +49542,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Do not audit attempts to execute user home files.
|
## Do not audit attempts to execute user home files.
|
||||||
@@ -2120,7 +2910,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
|
@@ -2120,7 +2911,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -49545,7 +49551,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -2128,19 +2918,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
|
@@ -2128,19 +2919,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -49569,7 +49575,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -2148,12 +2936,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
|
@@ -2148,12 +2937,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -49585,7 +49591,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2388,18 +3176,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
|
@@ -2388,18 +3177,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -49643,7 +49649,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
## Do not audit attempts to read users
|
## Do not audit attempts to read users
|
||||||
## temporary files.
|
## temporary files.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -2414,7 +3238,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
|
@@ -2414,7 +3239,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
|
||||||
type user_tmp_t;
|
type user_tmp_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -49652,7 +49658,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2455,6 +3279,25 @@ interface(`userdom_rw_user_tmp_files',`
|
@@ -2455,6 +3280,25 @@ interface(`userdom_rw_user_tmp_files',`
|
||||||
rw_files_pattern($1, user_tmp_t, user_tmp_t)
|
rw_files_pattern($1, user_tmp_t, user_tmp_t)
|
||||||
files_search_tmp($1)
|
files_search_tmp($1)
|
||||||
')
|
')
|
||||||
@ -49678,7 +49684,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -2538,7 +3381,7 @@ interface(`userdom_manage_user_tmp_files',`
|
@@ -2538,7 +3382,7 @@ interface(`userdom_manage_user_tmp_files',`
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Create, read, write, and delete user
|
## Create, read, write, and delete user
|
||||||
@ -49687,7 +49693,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -2546,18 +3389,59 @@ interface(`userdom_manage_user_tmp_files',`
|
@@ -2546,18 +3390,59 @@ interface(`userdom_manage_user_tmp_files',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -49749,7 +49755,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
## temporary named pipes.
|
## temporary named pipes.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -2661,6 +3545,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
|
@@ -2661,6 +3546,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
|
||||||
files_tmp_filetrans($1, user_tmp_t, $2, $3)
|
files_tmp_filetrans($1, user_tmp_t, $2, $3)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -49771,7 +49777,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read user tmpfs files.
|
## Read user tmpfs files.
|
||||||
@@ -2672,18 +3571,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
|
@@ -2672,18 +3572,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`userdom_read_user_tmpfs_files',`
|
interface(`userdom_read_user_tmpfs_files',`
|
||||||
@ -49793,7 +49799,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -2692,19 +3586,13 @@ interface(`userdom_read_user_tmpfs_files',`
|
@@ -2692,19 +3587,13 @@ interface(`userdom_read_user_tmpfs_files',`
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`userdom_rw_user_tmpfs_files',`
|
interface(`userdom_rw_user_tmpfs_files',`
|
||||||
@ -49816,7 +49822,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -2713,13 +3601,56 @@ interface(`userdom_rw_user_tmpfs_files',`
|
@@ -2713,13 +3602,56 @@ interface(`userdom_rw_user_tmpfs_files',`
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`userdom_manage_user_tmpfs_files',`
|
interface(`userdom_manage_user_tmpfs_files',`
|
||||||
@ -49877,7 +49883,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2814,6 +3745,24 @@ interface(`userdom_use_user_ttys',`
|
@@ -2814,6 +3746,24 @@ interface(`userdom_use_user_ttys',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -49902,7 +49908,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
## Read and write a user domain pty.
|
## Read and write a user domain pty.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -2832,22 +3781,34 @@ interface(`userdom_use_user_ptys',`
|
@@ -2832,22 +3782,34 @@ interface(`userdom_use_user_ptys',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -49945,7 +49951,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
## </desc>
|
## </desc>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -2856,14 +3817,33 @@ interface(`userdom_use_user_ptys',`
|
@@ -2856,14 +3818,33 @@ interface(`userdom_use_user_ptys',`
|
||||||
## </param>
|
## </param>
|
||||||
## <infoflow type="both" weight="10"/>
|
## <infoflow type="both" weight="10"/>
|
||||||
#
|
#
|
||||||
@ -49983,7 +49989,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2882,8 +3862,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
|
@@ -2882,8 +3863,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
|
||||||
type user_tty_device_t, user_devpts_t;
|
type user_tty_device_t, user_devpts_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -50013,7 +50019,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2955,69 +3954,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
|
@@ -2955,69 +3955,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
|
||||||
allow unpriv_userdomain $1:process sigchld;
|
allow unpriv_userdomain $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -50114,7 +50120,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -3025,12 +4023,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
|
@@ -3025,12 +4024,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -50129,7 +50135,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -3094,7 +4092,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
|
@@ -3094,7 +4093,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
|
||||||
|
|
||||||
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
|
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
|
||||||
allow unpriv_userdomain $1:fd use;
|
allow unpriv_userdomain $1:fd use;
|
||||||
@ -50138,7 +50144,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
allow unpriv_userdomain $1:process sigchld;
|
allow unpriv_userdomain $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -3110,29 +4108,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
|
@@ -3110,29 +4109,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
|
||||||
#
|
#
|
||||||
interface(`userdom_search_user_home_content',`
|
interface(`userdom_search_user_home_content',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -50172,7 +50178,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -3214,7 +4196,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
|
@@ -3214,7 +4197,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
|
||||||
type user_devpts_t;
|
type user_devpts_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -50199,7 +50205,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -3269,12 +4269,13 @@ interface(`userdom_write_user_tmp_files',`
|
@@ -3269,12 +4270,13 @@ interface(`userdom_write_user_tmp_files',`
|
||||||
type user_tmp_t;
|
type user_tmp_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -50215,7 +50221,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -3282,54 +4283,130 @@ interface(`userdom_write_user_tmp_files',`
|
@@ -3282,54 +4284,130 @@ interface(`userdom_write_user_tmp_files',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -50361,7 +50367,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -3382,6 +4459,42 @@ interface(`userdom_signal_all_users',`
|
@@ -3382,6 +4460,42 @@ interface(`userdom_signal_all_users',`
|
||||||
allow $1 userdomain:process signal;
|
allow $1 userdomain:process signal;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -50404,7 +50410,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Send a SIGCHLD signal to all user domains.
|
## Send a SIGCHLD signal to all user domains.
|
||||||
@@ -3402,6 +4515,60 @@ interface(`userdom_sigchld_all_users',`
|
@@ -3402,6 +4516,60 @@ interface(`userdom_sigchld_all_users',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -50465,7 +50471,7 @@ index 9dc60c6..b2ad017 100644
|
|||||||
## Create keys for all user domains.
|
## Create keys for all user domains.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -3435,4 +4602,1727 @@ interface(`userdom_dbus_send_all_users',`
|
@@ -3435,4 +4603,1727 @@ interface(`userdom_dbus_send_all_users',`
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 userdomain:dbus send_msg;
|
allow $1 userdomain:dbus send_msg;
|
||||||
|
@ -589,7 +589,7 @@ index 058d908..ee0c559 100644
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
diff --git a/abrt.te b/abrt.te
|
diff --git a/abrt.te b/abrt.te
|
||||||
index eb50f07..e519be5 100644
|
index eb50f07..7ed1072 100644
|
||||||
--- a/abrt.te
|
--- a/abrt.te
|
||||||
+++ b/abrt.te
|
+++ b/abrt.te
|
||||||
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
|
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
|
||||||
@ -1043,7 +1043,7 @@ index eb50f07..e519be5 100644
|
|||||||
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
|
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
|
||||||
|
|
||||||
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
|
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
|
||||||
@@ -365,38 +467,64 @@ corecmd_exec_shell(abrt_retrace_worker_t)
|
@@ -365,38 +467,70 @@ corecmd_exec_shell(abrt_retrace_worker_t)
|
||||||
|
|
||||||
dev_read_urand(abrt_retrace_worker_t)
|
dev_read_urand(abrt_retrace_worker_t)
|
||||||
|
|
||||||
@ -1066,6 +1066,7 @@ index eb50f07..e519be5 100644
|
|||||||
|
|
||||||
-allow abrt_dump_oops_t self:capability dac_override;
|
-allow abrt_dump_oops_t self:capability dac_override;
|
||||||
+allow abrt_dump_oops_t self:capability { kill net_admin sys_ptrace ipc_lock fowner chown fsetid dac_override };
|
+allow abrt_dump_oops_t self:capability { kill net_admin sys_ptrace ipc_lock fowner chown fsetid dac_override };
|
||||||
|
+allow abrt_dump_oops_t self:process setfscreate;
|
||||||
allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
|
allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
|
||||||
-allow abrt_dump_oops_t self:unix_stream_socket { accept listen };
|
-allow abrt_dump_oops_t self:unix_stream_socket { accept listen };
|
||||||
+allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms;
|
+allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
@ -1100,9 +1101,14 @@ index eb50f07..e519be5 100644
|
|||||||
+domain_ptrace_all_domains(abrt_dump_oops_t)
|
+domain_ptrace_all_domains(abrt_dump_oops_t)
|
||||||
+domain_read_all_domains_state(abrt_dump_oops_t)
|
+domain_read_all_domains_state(abrt_dump_oops_t)
|
||||||
|
|
||||||
|
+files_manage_non_security_dirs(abrt_dump_oops_t)
|
||||||
|
+files_manage_non_security_files(abrt_dump_oops_t)
|
||||||
|
+
|
||||||
+fs_getattr_all_fs(abrt_dump_oops_t)
|
+fs_getattr_all_fs(abrt_dump_oops_t)
|
||||||
fs_list_inotifyfs(abrt_dump_oops_t)
|
fs_list_inotifyfs(abrt_dump_oops_t)
|
||||||
+fs_list_pstorefs(abrt_dump_oops_t)
|
+fs_list_pstorefs(abrt_dump_oops_t)
|
||||||
|
+
|
||||||
|
+selinux_compute_create_context(abrt_dump_oops_t)
|
||||||
|
|
||||||
logging_read_generic_logs(abrt_dump_oops_t)
|
logging_read_generic_logs(abrt_dump_oops_t)
|
||||||
+logging_read_syslog_pid(abrt_dump_oops_t)
|
+logging_read_syslog_pid(abrt_dump_oops_t)
|
||||||
@ -1112,7 +1118,7 @@ index eb50f07..e519be5 100644
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
@@ -404,25 +532,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
|
@@ -404,25 +538,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
|
||||||
#
|
#
|
||||||
|
|
||||||
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
|
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
|
||||||
@ -1175,7 +1181,7 @@ index eb50f07..e519be5 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@@ -430,10 +593,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
|
@@ -430,10 +599,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
|
||||||
# Global local policy
|
# Global local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
|
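Review bot: `files_manage_non_security_files(abrt_dump_oops_t)` and `files_manage_non_security_dirs(abrt_dump_oops_t)`, combined with the new `allow abrt_dump_oops_t self:process setfscreate;` and the capability set already granted on the line above them (`dac_override chown fowner fsetid`), let this domain create, write, delete and label files under nearly every non-security type on the system, while the changelog entry in this commit states the target CWD for the core file is chosen by the user, so an unprivileged crashing process steers where a (presumably privileged) helper writes. If that breadth is intentional, record the reasoning beside the rules, e.g. `# abrt-hook-ccpp emulates kernel core creation at the crashing process' CWD, which can be any non-security directory; security_file_type is excluded by the interface, not by an explicit rule`. Since `selinux_compute_create_context` plus `setfscreate` means the hook rather than the policy decides the written file's label, it is worth checking whether the user home/tmp interfaces this same patch touches elsewhere (`userdom_manage_user_home_content_dirs`, `userdom_manage_user_tmp_files`) would cover the real use before granting the whole non-security attribute. A pure relabel/create grant on one dedicated core-dump type would also make denials easier to audit than a system-wide manage permission.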
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.13.1
|
Version: 3.13.1
|
||||||
Release: 156%{?dist}
|
Release: 157%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -661,6 +661,11 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Nov 09 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-157
|
||||||
|
- The ABRT coredump handler has code to emulate default core file creation The handler runs in a separate process with abrt_dump_oops_t SELinux process type. abrt-hook-ccpp also saves the core dump file in the very same way as kernel does and a user can specify CWD location for a coredump. abrt-hook-ccpp has been made as a SELinux aware apps to create this coredumps with correct labeling and with this commit the policy rules have been updated to allow access all non security files on a system.
|
||||||
|
- Since /dev/log is a symlink, we need to allow relabelto also symlink. This commit update logging_relabel_devlog_dev() interface to allow it.
|
||||||
|
- systemd-user has pam_selinux support and needs to able to compute user security context if init_t is not unconfined domain.
|
||||||
|
|
||||||
* Tue Oct 27 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-156
|
* Tue Oct 27 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-156
|
||||||
- Allow fail2ban-client to execute ldconfig. #1268715
|
- Allow fail2ban-client to execute ldconfig. #1268715
|
||||||
- Add interface virt_sandbox_domain()
|
- Add interface virt_sandbox_domain()
|
||||||
|