* Wed Apr 27 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-185
- Allow running php7 in fpm mode. From the selinux-policy side, we need to allow httpd to read/write hugetlbfs. - Allow openvswitch daemons to run under the openvswitch Linux user instead of root. This change needs to allow setting the capabilities: chown, setgid, setuid, setpcap. BZ(1330895) - Allow KDM to get status about power services. This change allows kdm to be able to shut down. BZ(1330970) - Add mls support for some db classes
parent
34332645c9
commit
02b9e47960
@ -1279,7 +1279,7 @@ index 216b3d1..064ec83 100644
|
|||||||
+
|
+
|
||||||
') dnl end enable_mcs
|
') dnl end enable_mcs
|
||||||
diff --git a/policy/mls b/policy/mls
|
diff --git a/policy/mls b/policy/mls
|
||||||
index f11e5e2..2d2ab83 100644
|
index f11e5e2..464a121 100644
|
||||||
--- a/policy/mls
|
--- a/policy/mls
|
||||||
+++ b/policy/mls
|
+++ b/policy/mls
|
||||||
@@ -156,15 +156,12 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
|
@@ -156,15 +156,12 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
|
||||||
@ -1345,6 +1345,32 @@ index f11e5e2..2d2ab83 100644
|
|||||||
#
|
#
|
||||||
# MLS policy for the process class
|
# MLS policy for the process class
|
||||||
#
|
#
|
||||||
|
@@ -763,13 +763,14 @@ mlsconstrain context contains
|
||||||
|
#
|
||||||
|
|
||||||
|
# make sure these database classes are "single level"
|
||||||
|
-mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto }
|
||||||
|
+mlsconstrain { db_sequence db_view db_procedure db_language db_blob } { create relabelto }
|
||||||
|
( l2 eq h2 );
|
||||||
|
+
|
||||||
|
mlsconstrain { db_tuple } { insert relabelto }
|
||||||
|
( l2 eq h2 );
|
||||||
|
|
||||||
|
# new database labels must be dominated by the relabeling subjects clearance
|
||||||
|
-mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_tuple db_blob } { relabelto }
|
||||||
|
+mlsconstrain { db_database db_schema db_table db_column } { relabelto }
|
||||||
|
( h1 dom h2 );
|
||||||
|
|
||||||
|
# the database "read" ops (note the check is dominance of the low level)
|
||||||
|
@@ -833,7 +834,7 @@ mlsconstrain { db_tuple } { use select }
|
||||||
|
( t1 == mlsdbread ) or
|
||||||
|
( t2 == mlstrustedobject ));
|
||||||
|
|
||||||
|
-# the "single level" file "write" ops
|
||||||
|
+# the "single level" database "write" ops
|
||||||
|
mlsconstrain { db_database } { create drop setattr relabelfrom install_module load_module set_param }
|
||||||
|
(( l1 eq l2 ) or
|
||||||
|
(( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
|
||||||
diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
|
diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
|
||||||
index 2626ebf..5745bb2 100644
|
index 2626ebf..5745bb2 100644
|
||||||
--- a/policy/modules/admin/bootloader.fc
|
--- a/policy/modules/admin/bootloader.fc
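Review bot: The rewritten `( h1 dom h2 )` rule on the new side of policy/mls lists only `db_database db_schema db_table db_column` for `relabelto`, so `db_tuple`, `db_sequence`, `db_view`, `db_procedure`, `db_language` and `db_blob` lose the check that a relabeled object's high level is dominated by the relabeling subject's clearance; the `( l2 eq h2 )` single-level rule that still covers five of them constrains the object's own range, not the subject's clearance. If dropping the dominance check for those classes is intended, the comment above the rule should say so, e.g. `# new labels of the multi-level database classes must be dominated by the relabeling subject's clearance; single-level classes are constrained above`; otherwise keep the six classes in the `relabelto` rule. This holds unless a constraint outside the hunk covers them, since only the lines between the two comments are shown.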
|
||||||
@ -31047,7 +31073,7 @@ index 6bf0ecc..e6be63a 100644
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
|
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
|
||||||
index 8b40377..fe6657c 100644
|
index 8b40377..5d9d50d 100644
|
||||||
--- a/policy/modules/services/xserver.te
|
--- a/policy/modules/services/xserver.te
|
||||||
+++ b/policy/modules/services/xserver.te
|
+++ b/policy/modules/services/xserver.te
|
||||||
@@ -26,28 +26,66 @@ gen_require(`
|
@@ -26,28 +26,66 @@ gen_require(`
|
||||||
@ -31641,7 +31667,7 @@ index 8b40377..fe6657c 100644
|
|||||||
|
|
||||||
storage_dontaudit_read_fixed_disk(xdm_t)
|
storage_dontaudit_read_fixed_disk(xdm_t)
|
||||||
storage_dontaudit_write_fixed_disk(xdm_t)
|
storage_dontaudit_write_fixed_disk(xdm_t)
|
||||||
@@ -442,28 +643,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
|
@@ -442,28 +643,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
|
||||||
storage_dontaudit_raw_write_removable_device(xdm_t)
|
storage_dontaudit_raw_write_removable_device(xdm_t)
|
||||||
storage_dontaudit_setattr_removable_dev(xdm_t)
|
storage_dontaudit_setattr_removable_dev(xdm_t)
|
||||||
storage_dontaudit_rw_scsi_generic(xdm_t)
|
storage_dontaudit_rw_scsi_generic(xdm_t)
|
||||||
@ -31688,10 +31714,11 @@ index 8b40377..fe6657c 100644
|
|||||||
+systemd_dbus_chat_localed(xdm_t)
|
+systemd_dbus_chat_localed(xdm_t)
|
||||||
+systemd_dbus_chat_hostnamed(xdm_t)
|
+systemd_dbus_chat_hostnamed(xdm_t)
|
||||||
+systemd_start_power_services(xdm_t)
|
+systemd_start_power_services(xdm_t)
|
||||||
|
+systemd_status_power_services(xdm_t)
|
||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
|
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
|
||||||
userdom_create_all_users_keys(xdm_t)
|
userdom_create_all_users_keys(xdm_t)
|
||||||
@@ -472,24 +690,163 @@ userdom_read_user_home_content_files(xdm_t)
|
@@ -472,24 +691,163 @@ userdom_read_user_home_content_files(xdm_t)
|
||||||
# Search /proc for any user domain processes.
|
# Search /proc for any user domain processes.
|
||||||
userdom_read_all_users_state(xdm_t)
|
userdom_read_all_users_state(xdm_t)
|
||||||
userdom_signal_all_users(xdm_t)
|
userdom_signal_all_users(xdm_t)
|
||||||
@ -31861,7 +31888,7 @@ index 8b40377..fe6657c 100644
|
|||||||
tunable_policy(`xdm_sysadm_login',`
|
tunable_policy(`xdm_sysadm_login',`
|
||||||
userdom_xsession_spec_domtrans_all_users(xdm_t)
|
userdom_xsession_spec_domtrans_all_users(xdm_t)
|
||||||
# FIXME:
|
# FIXME:
|
||||||
@@ -502,12 +859,31 @@ tunable_policy(`xdm_sysadm_login',`
|
@@ -502,12 +860,31 @@ tunable_policy(`xdm_sysadm_login',`
|
||||||
# allow xserver_t xdm_tmpfs_t:file rw_file_perms;
|
# allow xserver_t xdm_tmpfs_t:file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -31893,7 +31920,7 @@ index 8b40377..fe6657c 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -518,8 +894,36 @@ optional_policy(`
|
@@ -518,8 +895,36 @@ optional_policy(`
|
||||||
dbus_system_bus_client(xdm_t)
|
dbus_system_bus_client(xdm_t)
|
||||||
dbus_connect_system_bus(xdm_t)
|
dbus_connect_system_bus(xdm_t)
|
||||||
|
|
||||||
@ -31931,7 +31958,7 @@ index 8b40377..fe6657c 100644
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -530,6 +934,20 @@ optional_policy(`
|
@@ -530,6 +935,20 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -31952,7 +31979,7 @@ index 8b40377..fe6657c 100644
|
|||||||
hostname_exec(xdm_t)
|
hostname_exec(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -547,28 +965,78 @@ optional_policy(`
|
@@ -547,28 +966,78 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -32040,7 +32067,7 @@ index 8b40377..fe6657c 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -580,6 +1048,14 @@ optional_policy(`
|
@@ -580,6 +1049,14 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -32055,7 +32082,7 @@ index 8b40377..fe6657c 100644
|
|||||||
xfs_stream_connect(xdm_t)
|
xfs_stream_connect(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -594,7 +1070,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
|
@@ -594,7 +1071,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
|
||||||
type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
|
type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
|
||||||
|
|
||||||
allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
|
allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
|
||||||
@ -32064,7 +32091,7 @@ index 8b40377..fe6657c 100644
|
|||||||
|
|
||||||
# setuid/setgid for the wrapper program to change UID
|
# setuid/setgid for the wrapper program to change UID
|
||||||
# sys_rawio is for iopl access - should not be needed for frame-buffer
|
# sys_rawio is for iopl access - should not be needed for frame-buffer
|
||||||
@@ -604,8 +1080,11 @@ allow xserver_t input_xevent_t:x_event send;
|
@@ -604,8 +1081,11 @@ allow xserver_t input_xevent_t:x_event send;
|
||||||
# execheap needed until the X module loader is fixed.
|
# execheap needed until the X module loader is fixed.
|
||||||
# NVIDIA Needs execstack
|
# NVIDIA Needs execstack
|
||||||
|
|
||||||
@ -32077,7 +32104,7 @@ index 8b40377..fe6657c 100644
|
|||||||
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||||
allow xserver_t self:fd use;
|
allow xserver_t self:fd use;
|
||||||
allow xserver_t self:fifo_file rw_fifo_file_perms;
|
allow xserver_t self:fifo_file rw_fifo_file_perms;
|
||||||
@@ -618,8 +1097,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
|
@@ -618,8 +1098,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||||
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||||
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow xserver_t self:udp_socket create_socket_perms;
|
allow xserver_t self:udp_socket create_socket_perms;
|
||||||
@ -32093,7 +32120,7 @@ index 8b40377..fe6657c 100644
|
|||||||
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
@@ -627,6 +1113,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
|
@@ -627,6 +1114,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
|
||||||
|
|
||||||
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
|
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
|
||||||
|
|
||||||
@ -32104,7 +32131,7 @@ index 8b40377..fe6657c 100644
|
|||||||
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||||
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||||
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||||
@@ -638,25 +1128,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
@@ -638,25 +1129,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||||
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||||
files_search_var_lib(xserver_t)
|
files_search_var_lib(xserver_t)
|
||||||
|
|
||||||
@ -32146,7 +32173,7 @@ index 8b40377..fe6657c 100644
|
|||||||
corenet_all_recvfrom_netlabel(xserver_t)
|
corenet_all_recvfrom_netlabel(xserver_t)
|
||||||
corenet_tcp_sendrecv_generic_if(xserver_t)
|
corenet_tcp_sendrecv_generic_if(xserver_t)
|
||||||
corenet_udp_sendrecv_generic_if(xserver_t)
|
corenet_udp_sendrecv_generic_if(xserver_t)
|
||||||
@@ -677,23 +1179,28 @@ dev_rw_apm_bios(xserver_t)
|
@@ -677,23 +1180,28 @@ dev_rw_apm_bios(xserver_t)
|
||||||
dev_rw_agp(xserver_t)
|
dev_rw_agp(xserver_t)
|
||||||
dev_rw_framebuffer(xserver_t)
|
dev_rw_framebuffer(xserver_t)
|
||||||
dev_manage_dri_dev(xserver_t)
|
dev_manage_dri_dev(xserver_t)
|
||||||
@ -32178,7 +32205,7 @@ index 8b40377..fe6657c 100644
|
|||||||
|
|
||||||
# brought on by rhgb
|
# brought on by rhgb
|
||||||
files_search_mnt(xserver_t)
|
files_search_mnt(xserver_t)
|
||||||
@@ -705,6 +1212,14 @@ fs_search_nfs(xserver_t)
|
@@ -705,6 +1213,14 @@ fs_search_nfs(xserver_t)
|
||||||
fs_search_auto_mountpoints(xserver_t)
|
fs_search_auto_mountpoints(xserver_t)
|
||||||
fs_search_ramfs(xserver_t)
|
fs_search_ramfs(xserver_t)
|
||||||
|
|
||||||
@ -32193,7 +32220,7 @@ index 8b40377..fe6657c 100644
|
|||||||
mls_xwin_read_to_clearance(xserver_t)
|
mls_xwin_read_to_clearance(xserver_t)
|
||||||
|
|
||||||
selinux_validate_context(xserver_t)
|
selinux_validate_context(xserver_t)
|
||||||
@@ -718,20 +1233,18 @@ init_getpgid(xserver_t)
|
@@ -718,20 +1234,18 @@ init_getpgid(xserver_t)
|
||||||
term_setattr_unallocated_ttys(xserver_t)
|
term_setattr_unallocated_ttys(xserver_t)
|
||||||
term_use_unallocated_ttys(xserver_t)
|
term_use_unallocated_ttys(xserver_t)
|
||||||
|
|
||||||
@ -32217,7 +32244,7 @@ index 8b40377..fe6657c 100644
|
|||||||
|
|
||||||
userdom_search_user_home_dirs(xserver_t)
|
userdom_search_user_home_dirs(xserver_t)
|
||||||
userdom_use_user_ttys(xserver_t)
|
userdom_use_user_ttys(xserver_t)
|
||||||
@@ -739,8 +1252,6 @@ userdom_setattr_user_ttys(xserver_t)
|
@@ -739,8 +1253,6 @@ userdom_setattr_user_ttys(xserver_t)
|
||||||
userdom_read_user_tmp_files(xserver_t)
|
userdom_read_user_tmp_files(xserver_t)
|
||||||
userdom_rw_user_tmpfs_files(xserver_t)
|
userdom_rw_user_tmpfs_files(xserver_t)
|
||||||
|
|
||||||
@ -32226,7 +32253,7 @@ index 8b40377..fe6657c 100644
|
|||||||
ifndef(`distro_redhat',`
|
ifndef(`distro_redhat',`
|
||||||
allow xserver_t self:process { execmem execheap execstack };
|
allow xserver_t self:process { execmem execheap execstack };
|
||||||
domain_mmap_low_uncond(xserver_t)
|
domain_mmap_low_uncond(xserver_t)
|
||||||
@@ -785,17 +1296,54 @@ optional_policy(`
|
@@ -785,17 +1297,54 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -32283,7 +32310,7 @@ index 8b40377..fe6657c 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -803,6 +1351,10 @@ optional_policy(`
|
@@ -803,6 +1352,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -32294,7 +32321,7 @@ index 8b40377..fe6657c 100644
|
|||||||
xfs_stream_connect(xserver_t)
|
xfs_stream_connect(xserver_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -818,18 +1370,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
|
@@ -818,18 +1371,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
|
||||||
|
|
||||||
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
|
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
|
||||||
# handle of a file inside the dir!!!
|
# handle of a file inside the dir!!!
|
||||||
@ -32319,7 +32346,7 @@ index 8b40377..fe6657c 100644
|
|||||||
can_exec(xserver_t, xkb_var_lib_t)
|
can_exec(xserver_t, xkb_var_lib_t)
|
||||||
|
|
||||||
# VNC v4 module in X server
|
# VNC v4 module in X server
|
||||||
@@ -842,26 +1393,21 @@ init_use_fds(xserver_t)
|
@@ -842,26 +1394,21 @@ init_use_fds(xserver_t)
|
||||||
# to read ROLE_home_t - examine this in more detail
|
# to read ROLE_home_t - examine this in more detail
|
||||||
# (xauth?)
|
# (xauth?)
|
||||||
userdom_read_user_home_content_files(xserver_t)
|
userdom_read_user_home_content_files(xserver_t)
|
||||||
@ -32354,7 +32381,7 @@ index 8b40377..fe6657c 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -912,7 +1458,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
|
@@ -912,7 +1459,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
|
||||||
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
|
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
|
||||||
# operations allowed on my windows
|
# operations allowed on my windows
|
||||||
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
||||||
@ -32363,7 +32390,7 @@ index 8b40377..fe6657c 100644
|
|||||||
# operations allowed on all windows
|
# operations allowed on all windows
|
||||||
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
|
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
|
||||||
|
|
||||||
@@ -966,11 +1512,31 @@ allow x_domain self:x_resource { read write };
|
@@ -966,11 +1513,31 @@ allow x_domain self:x_resource { read write };
|
||||||
# can mess with the screensaver
|
# can mess with the screensaver
|
||||||
allow x_domain xserver_t:x_screen { getattr saver_getattr };
|
allow x_domain xserver_t:x_screen { getattr saver_getattr };
|
||||||
|
|
||||||
@ -32395,7 +32422,7 @@ index 8b40377..fe6657c 100644
|
|||||||
tunable_policy(`! xserver_object_manager',`
|
tunable_policy(`! xserver_object_manager',`
|
||||||
# should be xserver_unconfined(x_domain),
|
# should be xserver_unconfined(x_domain),
|
||||||
# but typeattribute doesnt work in conditionals
|
# but typeattribute doesnt work in conditionals
|
||||||
@@ -992,18 +1558,148 @@ tunable_policy(`! xserver_object_manager',`
|
@@ -992,18 +1559,148 @@ tunable_policy(`! xserver_object_manager',`
|
||||||
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
|
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -5451,7 +5451,7 @@ index f6eb485..ce5dba7 100644
|
|||||||
+ ps_process_pattern(httpd_t, $1)
|
+ ps_process_pattern(httpd_t, $1)
|
||||||
')
|
')
|
||||||
diff --git a/apache.te b/apache.te
|
diff --git a/apache.te b/apache.te
|
||||||
index 6649962..84717e1 100644
|
index 6649962..4cb64e5 100644
|
||||||
--- a/apache.te
|
--- a/apache.te
|
||||||
+++ b/apache.te
|
+++ b/apache.te
|
||||||
@@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
|
@@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
|
||||||
@ -6235,7 +6235,7 @@ index 6649962..84717e1 100644
|
|||||||
fs_read_iso9660_files(httpd_t)
|
fs_read_iso9660_files(httpd_t)
|
||||||
-fs_search_auto_mountpoints(httpd_t)
|
-fs_search_auto_mountpoints(httpd_t)
|
||||||
+fs_rw_anon_inodefs_files(httpd_t)
|
+fs_rw_anon_inodefs_files(httpd_t)
|
||||||
+fs_read_hugetlbfs_files(httpd_t)
|
+fs_rw_hugetlbfs_files(httpd_t)
|
||||||
+
|
+
|
||||||
+auth_use_nsswitch(httpd_t)
|
+auth_use_nsswitch(httpd_t)
|
||||||
+
|
+
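Review bot: Replacing `fs_read_hugetlbfs_files(httpd_t)` with `fs_rw_hugetlbfs_files(httpd_t)` grants write access on hugetlbfs-backed files to every httpd_t process, not only php-fpm deployments, and nothing in the hunk records why. A one-line comment above the call would keep the rationale from the commit message with the rule, e.g. `# php-fpm maps hugetlbfs-backed memory read/write`. It may be worth gating the write side behind an httpd boolean instead of granting it unconditionally; the surrounding apache.te rules are outside the hunk.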
|
||||||
@ -66071,7 +66071,7 @@ index 9b15730..cb00f20 100644
|
|||||||
+ ')
|
+ ')
|
||||||
')
|
')
|
||||||
diff --git a/openvswitch.te b/openvswitch.te
|
diff --git a/openvswitch.te b/openvswitch.te
|
||||||
index 44dbc99..ede6e1c 100644
|
index 44dbc99..370dd38 100644
|
||||||
--- a/openvswitch.te
|
--- a/openvswitch.te
|
||||||
+++ b/openvswitch.te
|
+++ b/openvswitch.te
|
||||||
@@ -9,11 +9,8 @@ type openvswitch_t;
|
@@ -9,11 +9,8 @@ type openvswitch_t;
|
||||||
@ -66103,9 +66103,9 @@ index 44dbc99..ede6e1c 100644
|
|||||||
|
|
||||||
-allow openvswitch_t self:capability { net_admin sys_nice sys_resource ipc_lock };
|
-allow openvswitch_t self:capability { net_admin sys_nice sys_resource ipc_lock };
|
||||||
-allow openvswitch_t self:process { setrlimit setsched signal };
|
-allow openvswitch_t self:process { setrlimit setsched signal };
|
||||||
+allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource };
|
+allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid };
|
||||||
+allow openvswitch_t self:capability2 block_suspend;
|
+allow openvswitch_t self:capability2 block_suspend;
|
||||||
+allow openvswitch_t self:process { fork setsched setrlimit signal };
|
+allow openvswitch_t self:process { fork setsched setrlimit signal setcap };
|
||||||
allow openvswitch_t self:fifo_file rw_fifo_file_perms;
|
allow openvswitch_t self:fifo_file rw_fifo_file_perms;
|
||||||
-allow openvswitch_t self:rawip_socket create_socket_perms;
|
-allow openvswitch_t self:rawip_socket create_socket_perms;
|
||||||
-allow openvswitch_t self:unix_stream_socket { accept connectto listen };
|
-allow openvswitch_t self:unix_stream_socket { accept connectto listen };
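Review bot: The widened `allow openvswitch_t self:capability { ... chown setgid setpcap setuid }` line and the `setcap` added to the `self:process` rule let the domain change its uid/gid and rewrite its own capability sets, and the policy gives no hint that this exists only for the root-to-openvswitch-user switch described in the commit message. Add that rationale next to the rules, e.g. `# chown/setgid/setuid/setpcap and process setcap: the daemons start as root and drop to the openvswitch user (BZ 1330895)`, so a later reader does not take it for general privilege. The rest of openvswitch.te, including any dontaudit or boolean context, is outside the hunk.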
|
||||||
@ -66137,12 +66137,15 @@ index 44dbc99..ede6e1c 100644
|
|||||||
manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
|
manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
|
||||||
logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
|
logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
|
||||||
|
|
||||||
@@ -65,33 +69,49 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
|
@@ -63,35 +67,51 @@ manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
|
||||||
|
manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
|
||||||
|
manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
|
||||||
manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
|
manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
|
||||||
files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
|
-files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
|
||||||
|
|
||||||
-can_exec(openvswitch_t, openvswitch_exec_t)
|
|
||||||
-
|
-
|
||||||
|
-can_exec(openvswitch_t, openvswitch_exec_t)
|
||||||
|
+files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file sock_file })
|
||||||
|
|
||||||
+kernel_load_module(openvswitch_t)
|
+kernel_load_module(openvswitch_t)
|
||||||
kernel_read_network_state(openvswitch_t)
|
kernel_read_network_state(openvswitch_t)
|
||||||
kernel_read_system_state(openvswitch_t)
|
kernel_read_system_state(openvswitch_t)
|
||||||
|
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.13.1
|
Version: 3.13.1
|
||||||
Release: 184%{?dist}
|
Release: 185%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -653,6 +653,12 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Apr 27 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-185
|
||||||
|
- Allow runnig php7 in fpm mode. From selinux-policy side, we need to allow httpd to read/write hugetlbfs.
|
||||||
|
- Allow openvswitch daemons to run under openvswitch Linux user instead of root. This change needs allow set capabilities: chwon, setgid, setuid, setpcap. BZ(1330895)
|
||||||
|
- Allow KDM to get status about power services. This change allow kdm to be able do shutdown BZ(1330970)
|
||||||
|
- Add mls support for some db classes
|
||||||
|
|
||||||
* Tue Apr 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-184
|
* Tue Apr 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-184
|
||||||
- Remove ftpd_home_dir() boolean from distro policy. Reason is that we cannot make this working due to m4 macro language limits.
|
- Remove ftpd_home_dir() boolean from distro policy. Reason is that we cannot make this working due to m4 macro language limits.
|
||||||
- Create new apache content template for files stored in user homedir. This change is needed to make working booleans: - httpd_enable_homedirs - httpd_read_user_content Resolves: rhbz#1330448
|
- Create new apache content template for files stored in user homedir. This change is needed to make working booleans: - httpd_enable_homedirs - httpd_read_user_content Resolves: rhbz#1330448
|
||||||
|