- sshd to read network sysctls
- Allow vmtools_helper_t to execute bin_t
- Add support for /usr/share/joomla
- /var/lib/containers should be labeled as openshift content for now
- Allow docker domains to talk to the login programs, to allow a process to login into the container
This commit is contained in:
parent
648f9057dc
commit
0575d649c8
@ -21943,7 +21943,7 @@ index fe0c682..e8dcfa7 100644
|
|||||||
+ ps_process_pattern($1, sshd_t)
|
+ ps_process_pattern($1, sshd_t)
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
|
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
|
||||||
index cc877c7..07f129b 100644
|
index cc877c7..a8b01bf 100644
|
||||||
--- a/policy/modules/services/ssh.te
|
--- a/policy/modules/services/ssh.te
|
||||||
+++ b/policy/modules/services/ssh.te
|
+++ b/policy/modules/services/ssh.te
|
||||||
@@ -6,43 +6,65 @@ policy_module(ssh, 2.4.2)
|
@@ -6,43 +6,65 @@ policy_module(ssh, 2.4.2)
|
||||||
@ -22195,7 +22195,7 @@ index cc877c7..07f129b 100644
|
|||||||
|
|
||||||
files_read_etc_files(ssh_keysign_t)
|
files_read_etc_files(ssh_keysign_t)
|
||||||
|
|
||||||
@@ -226,39 +264,56 @@ optional_policy(`
|
@@ -226,39 +264,57 @@ optional_policy(`
|
||||||
# so a tunnel can point to another ssh tunnel
|
# so a tunnel can point to another ssh tunnel
|
||||||
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
|
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||||
allow sshd_t self:key { search link write };
|
allow sshd_t self:key { search link write };
|
||||||
@ -22210,12 +22210,13 @@ index cc877c7..07f129b 100644
|
|||||||
-
|
-
|
||||||
kernel_search_key(sshd_t)
|
kernel_search_key(sshd_t)
|
||||||
kernel_link_key(sshd_t)
|
kernel_link_key(sshd_t)
|
||||||
|
+kernel_read_net_sysctls(sshd_t)
|
||||||
|
+
|
||||||
+files_search_all(sshd_t)
|
+files_search_all(sshd_t)
|
||||||
+
|
+
|
||||||
+fs_search_cgroup_dirs(sshd_t)
|
+fs_search_cgroup_dirs(sshd_t)
|
||||||
+fs_rw_cgroup_files(sshd_t)
|
+fs_rw_cgroup_files(sshd_t)
|
||||||
+
|
|
||||||
term_use_all_ptys(sshd_t)
|
term_use_all_ptys(sshd_t)
|
||||||
term_setattr_all_ptys(sshd_t)
|
term_setattr_all_ptys(sshd_t)
|
||||||
+term_setattr_all_ttys(sshd_t)
|
+term_setattr_all_ttys(sshd_t)
|
||||||
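Review bot: The new `kernel_read_net_sysctls(sshd_t)` line carries no comment saying which /proc/sys/net entry sshd was denied, and the commit message only repeats the rule ("sshd to read network sysctls"). The interface is read-only, so the added exposure is small, but a one-line reason keeps it from being silently widened to a write interface later; I would put `# sshd reads /proc/sys/net/* (read-only); motivated by: <AVC or bug id>` directly above it. The sshd_t rule block continues outside this hunk.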
@ -22264,7 +22265,7 @@ index cc877c7..07f129b 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -266,6 +321,15 @@ optional_policy(`
|
@@ -266,6 +322,15 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -22280,7 +22281,7 @@ index cc877c7..07f129b 100644
|
|||||||
inetd_tcp_service_domain(sshd_t, sshd_exec_t)
|
inetd_tcp_service_domain(sshd_t, sshd_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -275,6 +339,18 @@ optional_policy(`
|
@@ -275,6 +340,18 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -22299,7 +22300,7 @@ index cc877c7..07f129b 100644
|
|||||||
oddjob_domtrans_mkhomedir(sshd_t)
|
oddjob_domtrans_mkhomedir(sshd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -289,13 +365,93 @@ optional_policy(`
|
@@ -289,13 +366,93 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -22393,7 +22394,7 @@ index cc877c7..07f129b 100644
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# ssh_keygen local policy
|
# ssh_keygen local policy
|
||||||
@@ -304,19 +460,29 @@ optional_policy(`
|
@@ -304,19 +461,29 @@ optional_policy(`
|
||||||
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
|
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
|
||||||
# and by sysadm_t
|
# and by sysadm_t
|
||||||
|
|
||||||
@ -22424,7 +22425,7 @@ index cc877c7..07f129b 100644
|
|||||||
dev_read_urand(ssh_keygen_t)
|
dev_read_urand(ssh_keygen_t)
|
||||||
|
|
||||||
term_dontaudit_use_console(ssh_keygen_t)
|
term_dontaudit_use_console(ssh_keygen_t)
|
||||||
@@ -333,6 +499,12 @@ auth_use_nsswitch(ssh_keygen_t)
|
@@ -333,6 +500,12 @@ auth_use_nsswitch(ssh_keygen_t)
|
||||||
logging_send_syslog_msg(ssh_keygen_t)
|
logging_send_syslog_msg(ssh_keygen_t)
|
||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
|
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
|
||||||
@ -22437,7 +22438,7 @@ index cc877c7..07f129b 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
seutil_sigchld_newrole(ssh_keygen_t)
|
seutil_sigchld_newrole(ssh_keygen_t)
|
||||||
@@ -341,3 +513,140 @@ optional_policy(`
|
@@ -341,3 +514,140 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
udev_read_db(ssh_keygen_t)
|
udev_read_db(ssh_keygen_t)
|
||||||
')
|
')
|
||||||
|
@ -3109,10 +3109,10 @@ index 0000000..8ba9c95
|
|||||||
+ spamassassin_read_pid_files(antivirus_domain)
|
+ spamassassin_read_pid_files(antivirus_domain)
|
||||||
+')
|
+')
|
||||||
diff --git a/apache.fc b/apache.fc
|
diff --git a/apache.fc b/apache.fc
|
||||||
index 7caefc3..516f7bb 100644
|
index 7caefc3..8434d2f 100644
|
||||||
--- a/apache.fc
|
--- a/apache.fc
|
||||||
+++ b/apache.fc
|
+++ b/apache.fc
|
||||||
@@ -1,162 +1,200 @@
|
@@ -1,162 +1,201 @@
|
||||||
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
|
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
|
||||||
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
|
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
|
||||||
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
|
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
|
||||||
@ -3198,6 +3198,7 @@ index 7caefc3..516f7bb 100644
|
|||||||
-/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
-/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
||||||
-/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
-/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
||||||
+/usr/share/jetty/bin/jetty.sh -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
+/usr/share/jetty/bin/jetty.sh -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||||
|
+/usr/share/joomla(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||||||
|
|
||||||
-/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
|
-/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
|
||||||
+/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
+/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||||
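Review bot: `/usr/share/joomla(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)` labels the entire application tree, PHP sources included, as content httpd_t may write, so a compromised web server process could rewrite the site's own code under /usr/share — a path the other entries visible in this hunk treat as read-only program content (httpd_exec_t, httpd_modules_t). The usual split is the read-only type on the tree and the rw type only on what the application writes at runtime, e.g. `/usr/share/joomla(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)` followed by `/usr/share/joomla/(cache|tmp|logs)(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)`; the exact writable subdirectories need confirming against the Fedora package layout, which this page does not show. If the package already symlinks those directories into /var, the rw entries belong on the /var paths instead.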
@ -23577,10 +23578,10 @@ index 0000000..89401fe
|
|||||||
+')
|
+')
|
||||||
diff --git a/docker.te b/docker.te
|
diff --git a/docker.te b/docker.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..412e818
|
index 0000000..5e91008
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/docker.te
|
+++ b/docker.te
|
||||||
@@ -0,0 +1,256 @@
|
@@ -0,0 +1,260 @@
|
||||||
+policy_module(docker, 1.0.0)
|
+policy_module(docker, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -23808,6 +23809,10 @@ index 0000000..412e818
|
|||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ dbus_system_bus_client(docker_t)
|
+ dbus_system_bus_client(docker_t)
|
||||||
+ init_dbus_chat(docker_t)
|
+ init_dbus_chat(docker_t)
|
||||||
|
+
|
||||||
|
+ optional_policy(`
|
||||||
|
+ systemd_dbus_chat_logind(docker_t)
|
||||||
|
+ ')
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
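Review bot: `systemd_dbus_chat_logind(docker_t)` gives the daemon two-way D-Bus access to logind, whose interface covers more than session bookkeeping if I recall it correctly (power/reboot and session-kill methods), and nothing in the hunk records why the daemon itself needs it. The commit message's rationale — a process logging in to the container — reads as a container-side need, and this same commit adds the rule to sandbox_net_domain as well. If an AVC from docker_t motivated it, a comment such as `# docker_t <-> logind: needed for <denial>` above the nested optional_policy keeps that on record; otherwise this line may not be needed at all. The docker_t rule block continues outside this hunk.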
@ -55606,10 +55611,10 @@ index 0000000..a437f80
|
|||||||
+files_read_config_files(openshift_domain)
|
+files_read_config_files(openshift_domain)
|
||||||
diff --git a/openshift.fc b/openshift.fc
|
diff --git a/openshift.fc b/openshift.fc
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..db2369b
|
index 0000000..88c2186
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/openshift.fc
|
+++ b/openshift.fc
|
||||||
@@ -0,0 +1,27 @@
|
@@ -0,0 +1,28 @@
|
||||||
+/etc/rc\.d/init\.d/libra gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
|
+/etc/rc\.d/init\.d/libra gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
|
||||||
+/etc/rc\.d/init\.d/mcollective gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
|
+/etc/rc\.d/init\.d/mcollective gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
|
||||||
+
|
+
|
||||||
@ -55617,6 +55622,7 @@ index 0000000..db2369b
|
|||||||
+
|
+
|
||||||
+/var/lib/stickshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
|
+/var/lib/stickshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
|
||||||
+/var/lib/stickshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0)
|
+/var/lib/stickshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0)
|
||||||
|
+/var/lib/containers(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
|
||||||
+/var/lib/openshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
|
+/var/lib/openshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
|
||||||
+/var/lib/openshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0)
|
+/var/lib/openshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0)
|
||||||
+
|
+
|
||||||
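Review bot: The new `/var/lib/containers(/.*)?` entry claims a generic, non-OpenShift-named path for openshift_var_lib_t without comment, while the commit message itself calls the labeling temporary ("for now"). That caveat belongs in the file so it is not forgotten: `# TODO: temporary — /var/lib/containers is not OpenShift-specific; give it its own type` above the line. If any other container tooling on the same host uses /var/lib/containers (this page does not show whether it does), its data would inherit openshift_var_lib_t and whatever access the openshift domains hold on that type.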
@ -99574,7 +99580,7 @@ index facdee8..fddb027 100644
|
|||||||
+ virt_stream_connect($1)
|
+ virt_stream_connect($1)
|
||||||
')
|
')
|
||||||
diff --git a/virt.te b/virt.te
|
diff --git a/virt.te b/virt.te
|
||||||
index f03dcf5..7a02075 100644
|
index f03dcf5..1bbfa18 100644
|
||||||
--- a/virt.te
|
--- a/virt.te
|
||||||
+++ b/virt.te
|
+++ b/virt.te
|
||||||
@@ -1,150 +1,197 @@
|
@@ -1,150 +1,197 @@
|
||||||
@ -100652,7 +100658,7 @@ index f03dcf5..7a02075 100644
|
|||||||
+fs_rw_inherited_nfs_files(virt_domain)
|
+fs_rw_inherited_nfs_files(virt_domain)
|
||||||
+fs_rw_inherited_cifs_files(virt_domain)
|
+fs_rw_inherited_cifs_files(virt_domain)
|
||||||
+fs_rw_inherited_noxattr_fs_files(virt_domain)
|
+fs_rw_inherited_noxattr_fs_files(virt_domain)
|
||||||
+
|
|
||||||
+# I think we need these for now.
|
+# I think we need these for now.
|
||||||
+miscfiles_read_public_files(virt_domain)
|
+miscfiles_read_public_files(virt_domain)
|
||||||
+miscfiles_read_generic_certs(virt_domain)
|
+miscfiles_read_generic_certs(virt_domain)
|
||||||
@ -100709,7 +100715,7 @@ index f03dcf5..7a02075 100644
|
|||||||
+ term_use_unallocated_ttys(virt_domain)
|
+ term_use_unallocated_ttys(virt_domain)
|
||||||
+ dev_rw_printer(virt_domain)
|
+ dev_rw_printer(virt_domain)
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
+tunable_policy(`virt_use_fusefs',`
|
+tunable_policy(`virt_use_fusefs',`
|
||||||
+ fs_manage_fusefs_dirs(virt_domain)
|
+ fs_manage_fusefs_dirs(virt_domain)
|
||||||
+ fs_manage_fusefs_files(virt_domain)
|
+ fs_manage_fusefs_files(virt_domain)
|
||||||
@ -100854,10 +100860,10 @@ index f03dcf5..7a02075 100644
|
|||||||
|
|
||||||
-logging_send_syslog_msg(virsh_t)
|
-logging_send_syslog_msg(virsh_t)
|
||||||
+systemd_exec_systemctl(virsh_t)
|
+systemd_exec_systemctl(virsh_t)
|
||||||
+
|
|
||||||
+auth_read_passwd(virsh_t)
|
|
||||||
|
|
||||||
-miscfiles_read_localization(virsh_t)
|
-miscfiles_read_localization(virsh_t)
|
||||||
|
+auth_read_passwd(virsh_t)
|
||||||
|
+
|
||||||
+logging_send_syslog_msg(virsh_t)
|
+logging_send_syslog_msg(virsh_t)
|
||||||
|
|
||||||
sysnet_dns_name_resolve(virsh_t)
|
sysnet_dns_name_resolve(virsh_t)
|
||||||
@ -101050,12 +101056,12 @@ index f03dcf5..7a02075 100644
|
|||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ docker_exec_lib(virtd_lxc_t)
|
+ docker_exec_lib(virtd_lxc_t)
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
-sysnet_domtrans_ifconfig(virtd_lxc_t)
|
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ gnome_read_generic_cache_files(virtd_lxc_t)
|
+ gnome_read_generic_cache_files(virtd_lxc_t)
|
||||||
+')
|
+')
|
||||||
+
|
|
||||||
|
-sysnet_domtrans_ifconfig(virtd_lxc_t)
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ setrans_manage_pid_files(virtd_lxc_t)
|
+ setrans_manage_pid_files(virtd_lxc_t)
|
||||||
+')
|
+')
|
||||||
@ -101163,6 +101169,10 @@ index f03dcf5..7a02075 100644
|
|||||||
+ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
|
+ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
|
||||||
+ docker_use_ptys(svirt_sandbox_domain)
|
+ docker_use_ptys(svirt_sandbox_domain)
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
|
||||||
|
+')
|
||||||
|
|
||||||
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
|
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
|
||||||
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
|
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
|
||||||
@ -101247,10 +101257,6 @@ index f03dcf5..7a02075 100644
|
|||||||
-
|
-
|
||||||
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
|
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
+optional_policy(`
|
|
||||||
+ ssh_use_ptys(svirt_sandbox_domain)
|
+ ssh_use_ptys(svirt_sandbox_domain)
|
||||||
+')
|
+')
|
||||||
|
|
||||||
@ -101289,6 +101295,10 @@ index f03dcf5..7a02075 100644
|
|||||||
-kernel_read_network_state(svirt_lxc_net_t)
|
-kernel_read_network_state(svirt_lxc_net_t)
|
||||||
-kernel_read_irq_sysctls(svirt_lxc_net_t)
|
-kernel_read_irq_sysctls(svirt_lxc_net_t)
|
||||||
+allow svirt_lxc_net_t self:process { execstack execmem };
|
+allow svirt_lxc_net_t self:process { execstack execmem };
|
||||||
|
+
|
||||||
|
+tunable_policy(`virt_sandbox_use_sys_admin',`
|
||||||
|
+ allow svirt_lxc_net_t self:capability sys_admin;
|
||||||
|
+')
|
||||||
|
|
||||||
-corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
|
-corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
|
||||||
-corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
|
-corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
|
||||||
@ -101300,13 +101310,6 @@ index f03dcf5..7a02075 100644
|
|||||||
-corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
|
-corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
|
||||||
-corenet_tcp_bind_generic_node(svirt_lxc_net_t)
|
-corenet_tcp_bind_generic_node(svirt_lxc_net_t)
|
||||||
-corenet_udp_bind_generic_node(svirt_lxc_net_t)
|
-corenet_udp_bind_generic_node(svirt_lxc_net_t)
|
||||||
+tunable_policy(`virt_sandbox_use_sys_admin',`
|
|
||||||
+ allow svirt_lxc_net_t self:capability sys_admin;
|
|
||||||
+')
|
|
||||||
|
|
||||||
-corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
|
|
||||||
-corenet_udp_bind_all_ports(svirt_lxc_net_t)
|
|
||||||
-corenet_tcp_bind_all_ports(svirt_lxc_net_t)
|
|
||||||
+tunable_policy(`virt_sandbox_use_netlink',`
|
+tunable_policy(`virt_sandbox_use_netlink',`
|
||||||
+ allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
|
+ allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
|
||||||
+ allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
|
+ allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
|
||||||
@ -101315,11 +101318,14 @@ index f03dcf5..7a02075 100644
|
|||||||
+ logging_dontaudit_send_audit_msgs(svirt_lxc_net_t)
|
+ logging_dontaudit_send_audit_msgs(svirt_lxc_net_t)
|
||||||
+')
|
+')
|
||||||
|
|
||||||
-corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
|
-corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
|
||||||
-corenet_tcp_connect_all_ports(svirt_lxc_net_t)
|
-corenet_udp_bind_all_ports(svirt_lxc_net_t)
|
||||||
|
-corenet_tcp_bind_all_ports(svirt_lxc_net_t)
|
||||||
+allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
|
+allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
|
||||||
+allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
|
+allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
|
||||||
+
|
|
||||||
|
-corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
|
||||||
|
-corenet_tcp_connect_all_ports(svirt_lxc_net_t)
|
||||||
+kernel_read_irq_sysctls(svirt_lxc_net_t)
|
+kernel_read_irq_sysctls(svirt_lxc_net_t)
|
||||||
|
|
||||||
+dev_read_sysfs(svirt_lxc_net_t)
|
+dev_read_sysfs(svirt_lxc_net_t)
|
||||||
@ -101395,15 +101401,15 @@ index f03dcf5..7a02075 100644
|
|||||||
+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
|
+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
|
||||||
+
|
+
|
||||||
+kernel_read_irq_sysctls(svirt_qemu_net_t)
|
+kernel_read_irq_sysctls(svirt_qemu_net_t)
|
||||||
|
+
|
||||||
-allow svirt_prot_exec_t self:process { execmem execstack };
|
|
||||||
+dev_read_sysfs(svirt_qemu_net_t)
|
+dev_read_sysfs(svirt_qemu_net_t)
|
||||||
+dev_getattr_mtrr_dev(svirt_qemu_net_t)
|
+dev_getattr_mtrr_dev(svirt_qemu_net_t)
|
||||||
+dev_read_rand(svirt_qemu_net_t)
|
+dev_read_rand(svirt_qemu_net_t)
|
||||||
+dev_read_urand(svirt_qemu_net_t)
|
+dev_read_urand(svirt_qemu_net_t)
|
||||||
+
|
+
|
||||||
+files_read_kernel_modules(svirt_qemu_net_t)
|
+files_read_kernel_modules(svirt_qemu_net_t)
|
||||||
+
|
|
||||||
|
-allow svirt_prot_exec_t self:process { execmem execstack };
|
||||||
+fs_noxattr_type(svirt_sandbox_file_t)
|
+fs_noxattr_type(svirt_sandbox_file_t)
|
||||||
+fs_mount_cgroup(svirt_qemu_net_t)
|
+fs_mount_cgroup(svirt_qemu_net_t)
|
||||||
+fs_manage_cgroup_dirs(svirt_qemu_net_t)
|
+fs_manage_cgroup_dirs(svirt_qemu_net_t)
|
||||||
@ -101461,7 +101467,7 @@ index f03dcf5..7a02075 100644
|
|||||||
allow virt_bridgehelper_t self:process { setcap getcap };
|
allow virt_bridgehelper_t self:process { setcap getcap };
|
||||||
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
|
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
|
||||||
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
||||||
@@ -1207,5 +1431,206 @@ kernel_read_network_state(virt_bridgehelper_t)
|
@@ -1207,5 +1431,210 @@ kernel_read_network_state(virt_bridgehelper_t)
|
||||||
|
|
||||||
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
|
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
|
||||||
|
|
||||||
@ -101670,6 +101676,10 @@ index f03dcf5..7a02075 100644
|
|||||||
+corenet_udp_bind_all_ports(sandbox_net_domain)
|
+corenet_udp_bind_all_ports(sandbox_net_domain)
|
||||||
+corenet_tcp_bind_all_ports(sandbox_net_domain)
|
+corenet_tcp_bind_all_ports(sandbox_net_domain)
|
||||||
+corenet_tcp_connect_all_ports(sandbox_net_domain)
|
+corenet_tcp_connect_all_ports(sandbox_net_domain)
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ systemd_dbus_chat_logind(sandbox_net_domain)
|
||||||
|
+')
|
||||||
diff --git a/vlock.te b/vlock.te
|
diff --git a/vlock.te b/vlock.te
|
||||||
index 6b72968..de409cc 100644
|
index 6b72968..de409cc 100644
|
||||||
--- a/vlock.te
|
--- a/vlock.te
|
||||||
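Review bot: `systemd_dbus_chat_logind(sandbox_net_domain)` grants every networked sandbox domain two-way D-Bus access to the host's logind unconditionally, whereas the other extra privileges for these domains visible in this file (`virt_sandbox_use_sys_admin`, `virt_sandbox_use_netlink`) are gated by tunables. Whether a container can reach the host system bus at all depends on what is mounted into it, which this page does not show, but the policy should not hand the access out by default; wrap the call in a `tunable_policy(` block keyed on a new boolean, e.g. virt_sandbox_use_logind, declared with `gen_tunable(virt_sandbox_use_logind, false)` next to the existing sandbox tunables. The sandbox_net_domain rule block starts outside this hunk.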
@ -101825,10 +101835,10 @@ index 0000000..7933d80
|
|||||||
+')
|
+')
|
||||||
diff --git a/vmtools.te b/vmtools.te
|
diff --git a/vmtools.te b/vmtools.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..ab589a9
|
index 0000000..5ce7d9c
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/vmtools.te
|
+++ b/vmtools.te
|
||||||
@@ -0,0 +1,87 @@
|
@@ -0,0 +1,89 @@
|
||||||
+policy_module(vmtools, 1.0.0)
|
+policy_module(vmtools, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -101915,6 +101925,8 @@ index 0000000..ab589a9
|
|||||||
+domtrans_pattern(vmtools_helper_t, vmtools_exec_t, vmtools_t)
|
+domtrans_pattern(vmtools_helper_t, vmtools_exec_t, vmtools_t)
|
||||||
+can_exec(vmtools_helper_t, vmtools_helper_exec_t)
|
+can_exec(vmtools_helper_t, vmtools_helper_exec_t)
|
||||||
+
|
+
|
||||||
|
+corecmd_exec_bin(vmtools_helper_t)
|
||||||
|
+
|
||||||
+userdom_stream_connect(vmtools_helper_t)
|
+userdom_stream_connect(vmtools_helper_t)
|
||||||
diff --git a/vmware.if b/vmware.if
|
diff --git a/vmware.if b/vmware.if
|
||||||
index 20a1fb2..470ea95 100644
|
index 20a1fb2..470ea95 100644
|
||||||
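Review bot: `corecmd_exec_bin(vmtools_helper_t)` lets the helper run any bin_t program in its own domain with no transition, and neither the hunk nor the commit message names the program that needed it. A comment would stop the rule being read as a blanket grant, e.g. `# helper runs generic bin_t programs in vmtools_helper_t; needed for: <program>`. If the missing program is the vmtools daemon itself, the `domtrans_pattern(vmtools_helper_t, vmtools_exec_t, vmtools_t)` already in this hunk covers it and the new line would be redundant for that case. The vmtools_helper_t rule block starts outside this hunk.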
|
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.13.1
|
Version: 3.13.1
|
||||||
Release: 34%{?dist}
|
Release: 35%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -580,6 +580,13 @@ SELinux Reference policy mls base module.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Mar 13 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-35
|
||||||
|
- sshd to read network sysctls
|
||||||
|
- Allow vmtools_helper_t to execute bin_t
|
||||||
|
- Add support for /usr/share/joomla
|
||||||
|
- /var/lib/containers should be labeled as openshift content for now
|
||||||
|
- Allow docker domains to talk to the login programs, to allow a process to login into the container
|
||||||
|
|
||||||
* Wed Mar 12 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-34
|
* Wed Mar 12 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-34
|
||||||
- Add install_t for anaconda
|
- Add install_t for anaconda
|
||||||
|
|
||||||
|