- Addopt corenet rules for unbound-anchor to rpm_script_t
- Allow runuser to send audit messages. - Allow postfix-local to search .forward in munin lib dirs - Allow udisks to connect to D-Bus - Allow spamd to connect to spamd port - Fix syntax error in snapper.te - Dontaudit osad to search gconf home files - Allow rhsmcertd to manage the /etc/sysconfig/rhn directory - Fix pcp labeling to accept /usr/bin for all daemon binaries - Fix mcelog_read_log() interface - Allow iscsid to manage iscsi lib files - Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it. - Make tuned_t an unconfined domain for RHEL7.0 - Allow ABRT to read puppet certs - Add sys_time capability for virt-ga - Allow qemu-ga to domtrans to hwclock_t - Allow additional access for virt_qemu_ga_t processes to read system clock and send audit messages - Fix some AVCs in pcp policy - Add to bacula capability setgid and setuid and allow to bind to bacula ports - Changed label from rhnsd_rw_conf_t to rhnsd_conf_t - Add access rhnsd and osad to /etc/sysconfig/rhn - drbdadm executes drbdmeta - Fixes needed for docker - Allow epmd to manage /var/log/rabbitmq/startup_err file - Allow beam.smp connect to amqp port - Modify xdm_write_home to also allow creating links as xdm_home_t if the boolean is on - Allow init_t to manage pluto.ctl because of init_t instead of initrc_t - Allow systemd_tmpfiles_t to manage all non security files on the system - Added labels for bacula ports - Fix label on /dev/vfio/vfio - Add kernel_mounton_messages() interface - init wants to manage lock files for iscsi
This commit is contained in:
parent
6383860028
commit
05a36cdcd0
@ -5410,7 +5410,7 @@ index 8e0f9cd..b9f45b9 100644
|
||||
|
||||
define(`create_packet_interfaces',``
|
||||
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
|
||||
index b191055..b60c687 100644
|
||||
index b191055..b64c141 100644
|
||||
--- a/policy/modules/kernel/corenetwork.te.in
|
||||
+++ b/policy/modules/kernel/corenetwork.te.in
|
||||
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
|
||||
@ -5484,7 +5484,7 @@ index b191055..b60c687 100644
|
||||
# reserved_port_t is the type of INET port numbers below 1024.
|
||||
#
|
||||
type reserved_port_t, port_type, reserved_port_type;
|
||||
@@ -84,10 +107,10 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
|
||||
@@ -84,55 +107,66 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
|
||||
network_port(amavisd_recv, tcp,10024,s0)
|
||||
network_port(amavisd_send, tcp,10025,s0)
|
||||
network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
|
||||
@ -5497,7 +5497,9 @@ index b191055..b60c687 100644
|
||||
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
|
||||
network_port(audit, tcp,60,s0)
|
||||
network_port(auth, tcp,113,s0)
|
||||
@@ -96,43 +119,53 @@ network_port(boinc, tcp,31416,s0)
|
||||
+network_port(bacula, tcp,9103,s0, udp,9103,s0)
|
||||
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
|
||||
network_port(boinc, tcp,31416,s0)
|
||||
network_port(boinc_client, tcp,1043,s0, udp,1034,s0)
|
||||
network_port(biff) # no defined portcon
|
||||
network_port(certmaster, tcp,51235,s0)
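Review bot: The new `network_port(bacula, tcp,9103,s0, udp,9103,s0)` labels only the storage-daemon port, while the director and file-daemon ports 9101/9102 are already claimed by the hplip line later in this file (`tcp,9101,s0, tcp,9102,s0`), so a bacula domain granted bacula_port_t still cannot bind or connect to those two without also being given hplip_port_t or the hplip portcon being changed, and adding them here would presumably collide with the existing portcon at build time. The UDP half also looks wider than needed — as far as I know Bacula's daemons speak TCP only — and every domain granted the bacula port interfaces would inherit the UDP label; if no UDP consumer exists, shrink it to `network_port(bacula, tcp,9103,s0)`. Either way the overlap deserves a note beside the line, e.g. `# bacula-dir 9101 and bacula-fd 9102 are labelled hplip_port_t above; only the SD port is bacula_port_t`.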
|
||||
@ -5556,7 +5558,7 @@ index b191055..b60c687 100644
|
||||
network_port(gopher, tcp,70,s0, udp,70,s0)
|
||||
network_port(gpsd, tcp,2947,s0)
|
||||
network_port(hadoop_datanode, tcp,50010,s0)
|
||||
@@ -140,45 +173,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
|
||||
@@ -140,45 +174,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
|
||||
network_port(hddtemp, tcp,7634,s0)
|
||||
network_port(howl, tcp,5335,s0, udp,5353,s0)
|
||||
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
|
||||
@ -5623,7 +5625,7 @@ index b191055..b60c687 100644
|
||||
network_port(msnp, tcp,1863,s0, udp,1863,s0)
|
||||
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
|
||||
network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
|
||||
@@ -186,26 +226,35 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
|
||||
@@ -186,26 +227,35 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
|
||||
network_port(mxi, tcp,8005,s0, udp,8005,s0)
|
||||
network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
|
||||
network_port(mysqlmanagerd, tcp,2273,s0)
|
||||
@ -5663,7 +5665,7 @@ index b191055..b60c687 100644
|
||||
network_port(portmap, udp,111,s0, tcp,111,s0)
|
||||
network_port(postfix_policyd, tcp,10031,s0)
|
||||
network_port(postgresql, tcp,5432,s0)
|
||||
@@ -215,39 +264,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
|
||||
@@ -215,39 +265,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
|
||||
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
|
||||
network_port(printer, tcp,515,s0)
|
||||
network_port(ptal, tcp,5703,s0)
|
||||
@ -5716,7 +5718,7 @@ index b191055..b60c687 100644
|
||||
network_port(ssh, tcp,22,s0)
|
||||
network_port(stunnel) # no defined portcon
|
||||
network_port(svn, tcp,3690,s0, udp,3690,s0)
|
||||
@@ -259,8 +314,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
|
||||
@@ -259,8 +315,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
|
||||
network_port(tcs, tcp, 30003, s0)
|
||||
network_port(telnetd, tcp,23,s0)
|
||||
network_port(tftp, udp,69,s0)
|
||||
@ -5727,7 +5729,7 @@ index b191055..b60c687 100644
|
||||
network_port(transproxy, tcp,8081,s0)
|
||||
network_port(trisoap, tcp,10200,s0, udp,10200,s0)
|
||||
network_port(trivnet1, tcp, 8200, s0, udp, 8200, s0)
|
||||
@@ -271,10 +327,10 @@ network_port(varnishd, tcp,6081-6082,s0)
|
||||
@@ -271,10 +328,10 @@ network_port(varnishd, tcp,6081-6082,s0)
|
||||
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
|
||||
network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
|
||||
network_port(virt_migration, tcp,49152-49216,s0)
|
||||
@ -5740,7 +5742,7 @@ index b191055..b60c687 100644
|
||||
network_port(winshadow, tcp,3161,s0, udp,3261,s0)
|
||||
network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
|
||||
network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
|
||||
@@ -288,19 +344,23 @@ network_port(zabbix_agent, tcp,10050,s0)
|
||||
@@ -288,19 +345,23 @@ network_port(zabbix_agent, tcp,10050,s0)
|
||||
network_port(zookeeper_client, tcp,2181,s0)
|
||||
network_port(zookeeper_election, tcp,3888,s0)
|
||||
network_port(zookeeper_leader, tcp,2888,s0)
|
||||
@ -5767,7 +5769,7 @@ index b191055..b60c687 100644
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -333,6 +393,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
|
||||
@@ -333,6 +394,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
|
||||
|
||||
build_option(`enable_mls',`
|
||||
network_interface(lo, lo, s0 - mls_systemhigh)
|
||||
@ -5776,7 +5778,7 @@ index b191055..b60c687 100644
|
||||
',`
|
||||
typealias netif_t alias { lo_netif_t netif_lo_t };
|
||||
')
|
||||
@@ -345,9 +407,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
|
||||
@@ -345,9 +408,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
|
||||
allow corenet_unconfined_type node_type:node *;
|
||||
allow corenet_unconfined_type netif_type:netif *;
|
||||
allow corenet_unconfined_type packet_type:packet *;
|
||||
@ -24233,7 +24235,7 @@ index 6bf0ecc..115c533 100644
|
||||
+ dontaudit $1 xserver_log_t:dir search_dir_perms;
|
||||
+')
|
||||
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
|
||||
index 8b40377..39c8bbb 100644
|
||||
index 8b40377..787bc72 100644
|
||||
--- a/policy/modules/services/xserver.te
|
||||
+++ b/policy/modules/services/xserver.te
|
||||
@@ -26,28 +26,59 @@ gen_require(`
|
||||
@ -24572,13 +24574,13 @@ index 8b40377..39c8bbb 100644
|
||||
+ifdef(`hide_broken_symptoms',`
|
||||
+ term_dontaudit_use_unallocated_ttys(xauth_t)
|
||||
+ dev_dontaudit_rw_dri(xauth_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ ssh_use_ptys(xauth_t)
|
||||
ssh_sigchld(xauth_t)
|
||||
ssh_read_pipes(xauth_t)
|
||||
@ -24613,8 +24615,7 @@ index 8b40377..39c8bbb 100644
|
||||
+allow xdm_t self:dbus { send_msg acquire_svc };
|
||||
+
|
||||
+allow xdm_t xauth_home_t:file manage_file_perms;
|
||||
|
||||
-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
|
||||
+
|
||||
+allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
|
||||
+manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||
+manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||
@ -24623,7 +24624,8 @@ index 8b40377..39c8bbb 100644
|
||||
+manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t)
|
||||
+xserver_filetrans_home_content(xdm_t)
|
||||
+xserver_filetrans_admin_home_content(xdm_t)
|
||||
+
|
||||
|
||||
-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
|
||||
+#Handle mislabeled files in homedir
|
||||
+userdom_delete_user_home_content_files(xdm_t)
|
||||
+userdom_signull_unpriv_users(xdm_t)
|
||||
@ -24880,7 +24882,7 @@ index 8b40377..39c8bbb 100644
|
||||
+
|
||||
+#userdom_home_manager(xdm_t)
|
||||
+tunable_policy(`xdm_write_home',`
|
||||
+ userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file)
|
||||
+ userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file })
|
||||
+',`
|
||||
+ userdom_user_home_dir_filetrans_user_home_content(xdm_t, { dir file lnk_file fifo_file sock_file })
|
||||
+')
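Review bot: Widening the `xdm_write_home` transition to `userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file })` only sets the label on symlinks xdm_t creates in user home directories; a type_transition does not grant the create permission itself, and the only xdm_home_t rule visible in this diff is `manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t)`. Unless a `manage_lnk_files_pattern(xdm_t, xdm_home_t, xdm_home_t)` exists outside these hunks, the new lnk_file transition will still end in an AVC denial on `xdm_home_t:lnk_file create`. A display manager running as root and creating symlinks in $HOME is also a rule auditors will question, so the tunable should carry a why-comment such as `# xdm_write_home: let xdm_t create files and symlinks in $HOME labelled xdm_home_t (which symlinks xdm needs is not recorded here)`. The tunable_policy block is shown in full, but the surrounding xdm_t rules continue outside the hunk.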
|
||||
@ -25070,14 +25072,14 @@ index 8b40377..39c8bbb 100644
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ hal_dbus_chat(xdm_t)
|
||||
+ ')
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ gnomeclock_dbus_chat(xdm_t)
|
||||
+ ')
|
||||
|
||||
optional_policy(`
|
||||
- accountsd_dbus_chat(xdm_t)
|
||||
+ gnomeclock_dbus_chat(xdm_t)
|
||||
+ ')
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ networkmanager_dbus_chat(xdm_t)
|
||||
')
|
||||
')
|
||||
@ -25324,13 +25326,10 @@ index 8b40377..39c8bbb 100644
|
||||
|
||||
# brought on by rhgb
|
||||
files_search_mnt(xserver_t)
|
||||
@@ -704,7 +1179,16 @@ fs_getattr_xattr_fs(xserver_t)
|
||||
fs_search_nfs(xserver_t)
|
||||
@@ -705,6 +1180,14 @@ fs_search_nfs(xserver_t)
|
||||
fs_search_auto_mountpoints(xserver_t)
|
||||
fs_search_ramfs(xserver_t)
|
||||
-
|
||||
+fs_rw_tmpfs_files(xserver_t)
|
||||
+
|
||||
|
||||
+mls_file_read_to_clearance(xserver_t)
|
||||
+mls_file_write_all_levels(xserver_t)
|
||||
+mls_file_upgrade(xserver_t)
|
||||
@ -25342,7 +25341,7 @@ index 8b40377..39c8bbb 100644
|
||||
mls_xwin_read_to_clearance(xserver_t)
|
||||
|
||||
selinux_validate_context(xserver_t)
|
||||
@@ -718,20 +1202,18 @@ init_getpgid(xserver_t)
|
||||
@@ -718,20 +1201,18 @@ init_getpgid(xserver_t)
|
||||
term_setattr_unallocated_ttys(xserver_t)
|
||||
term_use_unallocated_ttys(xserver_t)
|
||||
|
||||
@ -25366,7 +25365,7 @@ index 8b40377..39c8bbb 100644
|
||||
|
||||
userdom_search_user_home_dirs(xserver_t)
|
||||
userdom_use_user_ttys(xserver_t)
|
||||
@@ -739,8 +1221,6 @@ userdom_setattr_user_ttys(xserver_t)
|
||||
@@ -739,8 +1220,6 @@ userdom_setattr_user_ttys(xserver_t)
|
||||
userdom_read_user_tmp_files(xserver_t)
|
||||
userdom_rw_user_tmpfs_files(xserver_t)
|
||||
|
||||
@ -25375,7 +25374,7 @@ index 8b40377..39c8bbb 100644
|
||||
ifndef(`distro_redhat',`
|
||||
allow xserver_t self:process { execmem execheap execstack };
|
||||
domain_mmap_low_uncond(xserver_t)
|
||||
@@ -785,17 +1265,44 @@ optional_policy(`
|
||||
@@ -785,17 +1264,44 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -25422,7 +25421,7 @@ index 8b40377..39c8bbb 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -803,6 +1310,10 @@ optional_policy(`
|
||||
@@ -803,6 +1309,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -25433,7 +25432,7 @@ index 8b40377..39c8bbb 100644
|
||||
xfs_stream_connect(xserver_t)
|
||||
')
|
||||
|
||||
@@ -818,10 +1329,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
|
||||
@@ -818,10 +1328,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
|
||||
|
||||
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
|
||||
# handle of a file inside the dir!!!
|
||||
@ -25447,7 +25446,7 @@ index 8b40377..39c8bbb 100644
|
||||
|
||||
# Label pid and temporary files with derived types.
|
||||
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||
@@ -829,7 +1340,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||
@@ -829,7 +1339,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||
|
||||
# Run xkbcomp.
|
||||
@ -25456,7 +25455,7 @@ index 8b40377..39c8bbb 100644
|
||||
can_exec(xserver_t, xkb_var_lib_t)
|
||||
|
||||
# VNC v4 module in X server
|
||||
@@ -842,26 +1353,21 @@ init_use_fds(xserver_t)
|
||||
@@ -842,26 +1352,21 @@ init_use_fds(xserver_t)
|
||||
# to read ROLE_home_t - examine this in more detail
|
||||
# (xauth?)
|
||||
userdom_read_user_home_content_files(xserver_t)
|
||||
@ -25491,7 +25490,7 @@ index 8b40377..39c8bbb 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -912,7 +1418,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
|
||||
@@ -912,7 +1417,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
|
||||
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
|
||||
# operations allowed on my windows
|
||||
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
||||
@ -25500,7 +25499,7 @@ index 8b40377..39c8bbb 100644
|
||||
# operations allowed on all windows
|
||||
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
|
||||
|
||||
@@ -966,11 +1472,31 @@ allow x_domain self:x_resource { read write };
|
||||
@@ -966,11 +1471,31 @@ allow x_domain self:x_resource { read write };
|
||||
# can mess with the screensaver
|
||||
allow x_domain xserver_t:x_screen { getattr saver_getattr };
|
||||
|
||||
@ -25532,7 +25531,7 @@ index 8b40377..39c8bbb 100644
|
||||
tunable_policy(`! xserver_object_manager',`
|
||||
# should be xserver_unconfined(x_domain),
|
||||
# but typeattribute doesnt work in conditionals
|
||||
@@ -992,18 +1518,150 @@ tunable_policy(`! xserver_object_manager',`
|
||||
@@ -992,18 +1517,150 @@ tunable_policy(`! xserver_object_manager',`
|
||||
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
|
||||
')
|
||||
|
||||
@ -27421,10 +27420,10 @@ index 016a770..1effeb4 100644
|
||||
+ files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid")
|
||||
+')
|
||||
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
|
||||
index 3f48d30..3701405 100644
|
||||
index 3f48d30..90a20cf 100644
|
||||
--- a/policy/modules/system/fstools.te
|
||||
+++ b/policy/modules/system/fstools.te
|
||||
@@ -13,6 +13,9 @@ role system_r types fsadm_t;
|
||||
@@ -13,9 +13,15 @@ role system_r types fsadm_t;
|
||||
type fsadm_log_t;
|
||||
logging_log_file(fsadm_log_t)
|
||||
|
||||
@ -27434,23 +27433,37 @@ index 3f48d30..3701405 100644
|
||||
type fsadm_tmp_t;
|
||||
files_tmp_file(fsadm_tmp_t)
|
||||
|
||||
@@ -41,9 +44,15 @@ allow fsadm_t self:msg { send receive };
|
||||
+type fsadm_tmpfs_t;
|
||||
+files_tmpfs_file(fsadm_tmpfs_t)
|
||||
+
|
||||
type swapfile_t; # customizable
|
||||
files_type(swapfile_t)
|
||||
|
||||
@@ -41,10 +47,21 @@ allow fsadm_t self:msg { send receive };
|
||||
|
||||
can_exec(fsadm_t, fsadm_exec_t)
|
||||
|
||||
-allow fsadm_t fsadm_tmp_t:dir manage_dir_perms;
|
||||
-allow fsadm_t fsadm_tmp_t:file manage_file_perms;
|
||||
+manage_dirs_pattern(fsadm_t, fsadm_var_run_t, fsadm_var_run_t)
|
||||
+manage_files_pattern(fsadm_t, fsadm_var_run_t, fsadm_var_run_t)
|
||||
+files_pid_filetrans(fsadm_t, fsadm_var_run_t, {dir file })
|
||||
+
|
||||
allow fsadm_t fsadm_tmp_t:dir manage_dir_perms;
|
||||
allow fsadm_t fsadm_tmp_t:file manage_file_perms;
|
||||
+manage_dirs_pattern(fsadm_t, fsadm_tmp_t, fsadm_tmp_t)
|
||||
+manage_files_pattern(fsadm_t, fsadm_tmp_t, fsadm_tmp_t)
|
||||
files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })
|
||||
|
||||
+manage_dirs_pattern(fsadm_t, fsadm_tmpfs_t, fsadm_tmpfs_t)
|
||||
+manage_files_pattern(fsadm_t, fsadm_tmpfs_t, fsadm_tmpfs_t)
|
||||
+fs_tmpfs_filetrans(fsadm_t, fsadm_tmpfs_t, { file dir })
|
||||
+
|
||||
+files_create_boot_flag(fsadm_t)
|
||||
+files_setattr_root_dirs(fsadm_t)
|
||||
|
||||
+
|
||||
# log files
|
||||
allow fsadm_t fsadm_log_t:dir setattr;
|
||||
@@ -53,6 +62,7 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file)
|
||||
manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
|
||||
@@ -53,6 +70,7 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file)
|
||||
# Enable swapping to files
|
||||
allow fsadm_t swapfile_t:file { rw_file_perms swapon };
|
||||
|
||||
@ -27458,7 +27471,7 @@ index 3f48d30..3701405 100644
|
||||
kernel_read_system_state(fsadm_t)
|
||||
kernel_read_kernel_sysctls(fsadm_t)
|
||||
kernel_request_load_module(fsadm_t)
|
||||
@@ -101,6 +111,8 @@ files_read_usr_files(fsadm_t)
|
||||
@@ -101,6 +119,8 @@ files_read_usr_files(fsadm_t)
|
||||
files_read_etc_files(fsadm_t)
|
||||
files_manage_lost_found(fsadm_t)
|
||||
files_manage_isid_type_dirs(fsadm_t)
|
||||
@ -27467,7 +27480,15 @@ index 3f48d30..3701405 100644
|
||||
# Write to /etc/mtab.
|
||||
files_manage_etc_runtime_files(fsadm_t)
|
||||
files_etc_filetrans_etc_runtime(fsadm_t, file)
|
||||
@@ -120,6 +132,9 @@ fs_list_auto_mountpoints(fsadm_t)
|
||||
@@ -112,7 +132,6 @@ files_read_isid_type_files(fsadm_t)
|
||||
fs_search_auto_mountpoints(fsadm_t)
|
||||
fs_getattr_xattr_fs(fsadm_t)
|
||||
fs_rw_ramfs_pipes(fsadm_t)
|
||||
-fs_rw_tmpfs_files(fsadm_t)
|
||||
# remount file system to apply changes
|
||||
fs_remount_xattr_fs(fsadm_t)
|
||||
# for /dev/shm
|
||||
@@ -120,6 +139,9 @@ fs_list_auto_mountpoints(fsadm_t)
|
||||
fs_search_tmpfs(fsadm_t)
|
||||
fs_getattr_tmpfs_dirs(fsadm_t)
|
||||
fs_read_tmpfs_symlinks(fsadm_t)
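Review bot: Dropping `fs_rw_tmpfs_files(fsadm_t)` in favour of the private `fsadm_tmpfs_t` type declared in the earlier fstools hunk is a genuine least-privilege improvement, but it is a silent tightening the commit message does not list: anything fsadm_t previously did against generic tmpfs_t files (files on /dev/shm or another tmpfs created by other domains, or before this transition existed) is now denied. I would exercise the fsck/mkfs/blkid paths once in permissive mode to confirm no new AVCs, and record the intent beside the declaration: `# private tmpfs type for fsadm_t; replaces the blanket fs_rw_tmpfs_files(), so tmpfs files created by other domains are no longer reachable`. If I am reading the old/new sides correctly, the earlier hunk now also keeps `allow fsadm_t fsadm_tmp_t:dir manage_dir_perms;` / `:file manage_file_perms;` directly above the new `manage_dirs_pattern`/`manage_files_pattern` for the same type, which is redundant — the two raw allow lines can go.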
|
||||
@ -27477,7 +27498,7 @@ index 3f48d30..3701405 100644
|
||||
# Recreate /mnt/cdrom.
|
||||
files_manage_mnt_dirs(fsadm_t)
|
||||
# for tune2fs
|
||||
@@ -133,21 +148,27 @@ storage_raw_write_fixed_disk(fsadm_t)
|
||||
@@ -133,21 +155,27 @@ storage_raw_write_fixed_disk(fsadm_t)
|
||||
storage_raw_read_removable_device(fsadm_t)
|
||||
storage_raw_write_removable_device(fsadm_t)
|
||||
storage_read_scsi_generic(fsadm_t)
|
||||
@ -27507,7 +27528,7 @@ index 3f48d30..3701405 100644
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
optional_policy(`
|
||||
@@ -166,6 +187,11 @@ optional_policy(`
|
||||
@@ -166,6 +194,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -27519,7 +27540,7 @@ index 3f48d30..3701405 100644
|
||||
hal_dontaudit_write_log(fsadm_t)
|
||||
')
|
||||
|
||||
@@ -179,6 +205,10 @@ optional_policy(`
|
||||
@@ -179,6 +212,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -27530,7 +27551,7 @@ index 3f48d30..3701405 100644
|
||||
nis_use_ypbind(fsadm_t)
|
||||
')
|
||||
|
||||
@@ -192,6 +222,10 @@ optional_policy(`
|
||||
@@ -192,6 +229,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -29307,7 +29328,7 @@ index 79a45f6..9a14d49 100644
|
||||
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
|
||||
+')
|
||||
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
||||
index 17eda24..17932ac 100644
|
||||
index 17eda24..afe80c5 100644
|
||||
--- a/policy/modules/system/init.te
|
||||
+++ b/policy/modules/system/init.te
|
||||
@@ -11,10 +11,31 @@ gen_require(`
|
||||
@ -29555,7 +29576,7 @@ index 17eda24..17932ac 100644
|
||||
|
||||
ifdef(`distro_gentoo',`
|
||||
allow init_t self:process { getcap setcap };
|
||||
@@ -186,29 +286,213 @@ ifdef(`distro_gentoo',`
|
||||
@@ -186,29 +286,214 @@ ifdef(`distro_gentoo',`
|
||||
')
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
@ -29736,6 +29757,7 @@ index 17eda24..17932ac 100644
|
||||
+
|
||||
+optional_policy(`
|
||||
+ ipsec_read_config(init_t)
|
||||
+ ipsec_manage_pid(init_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
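Review bot: `ipsec_manage_pid(init_t)` grants init_t create/delete/rename over the whole ipsec_var_run_t pid tree, which is broader than the single pluto.ctl control socket the commit message says init_t now needs; if the ipsec module offers a sock_file-scoped interface that would match the stated need, otherwise a comment should record why the full manage interface was chosen. The block should also say why init_t rather than initrc_t is the actor now, e.g. `# systemd (init_t) sets up /run/pluto and pluto.ctl itself instead of via an initrc_t script` — I am assuming this follows a unit-file change (RuntimeDirectory= or similar), which should be confirmed. The neighbouring optional_policy blocks continue outside the hunk.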
|
||||
@ -29777,7 +29799,7 @@ index 17eda24..17932ac 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -216,7 +500,30 @@ optional_policy(`
|
||||
@@ -216,7 +501,30 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -29808,7 +29830,7 @@ index 17eda24..17932ac 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -225,9 +532,9 @@ optional_policy(`
|
||||
@@ -225,9 +533,9 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
|
||||
@ -29820,7 +29842,7 @@ index 17eda24..17932ac 100644
|
||||
allow initrc_t self:passwd rootok;
|
||||
allow initrc_t self:key manage_key_perms;
|
||||
|
||||
@@ -258,12 +565,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
||||
@@ -258,12 +566,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
||||
|
||||
allow initrc_t initrc_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
|
||||
@ -29837,7 +29859,7 @@ index 17eda24..17932ac 100644
|
||||
|
||||
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
|
||||
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
|
||||
@@ -279,23 +590,36 @@ kernel_change_ring_buffer_level(initrc_t)
|
||||
@@ -279,23 +591,36 @@ kernel_change_ring_buffer_level(initrc_t)
|
||||
kernel_clear_ring_buffer(initrc_t)
|
||||
kernel_get_sysvipc_info(initrc_t)
|
||||
kernel_read_all_sysctls(initrc_t)
|
||||
@ -29880,7 +29902,7 @@ index 17eda24..17932ac 100644
|
||||
corenet_tcp_sendrecv_all_ports(initrc_t)
|
||||
corenet_udp_sendrecv_all_ports(initrc_t)
|
||||
corenet_tcp_connect_all_ports(initrc_t)
|
||||
@@ -303,9 +627,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
|
||||
@@ -303,9 +628,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
|
||||
|
||||
dev_read_rand(initrc_t)
|
||||
dev_read_urand(initrc_t)
|
||||
@ -29892,7 +29914,7 @@ index 17eda24..17932ac 100644
|
||||
dev_rw_sysfs(initrc_t)
|
||||
dev_list_usbfs(initrc_t)
|
||||
dev_read_framebuffer(initrc_t)
|
||||
@@ -313,8 +639,10 @@ dev_write_framebuffer(initrc_t)
|
||||
@@ -313,8 +640,10 @@ dev_write_framebuffer(initrc_t)
|
||||
dev_read_realtime_clock(initrc_t)
|
||||
dev_read_sound_mixer(initrc_t)
|
||||
dev_write_sound_mixer(initrc_t)
|
||||
@ -29903,7 +29925,7 @@ index 17eda24..17932ac 100644
|
||||
dev_delete_lvm_control_dev(initrc_t)
|
||||
dev_manage_generic_symlinks(initrc_t)
|
||||
dev_manage_generic_files(initrc_t)
|
||||
@@ -322,8 +650,7 @@ dev_manage_generic_files(initrc_t)
|
||||
@@ -322,8 +651,7 @@ dev_manage_generic_files(initrc_t)
|
||||
dev_delete_generic_symlinks(initrc_t)
|
||||
dev_getattr_all_blk_files(initrc_t)
|
||||
dev_getattr_all_chr_files(initrc_t)
|
||||
@ -29913,7 +29935,7 @@ index 17eda24..17932ac 100644
|
||||
|
||||
domain_kill_all_domains(initrc_t)
|
||||
domain_signal_all_domains(initrc_t)
|
||||
@@ -332,7 +659,6 @@ domain_sigstop_all_domains(initrc_t)
|
||||
@@ -332,7 +660,6 @@ domain_sigstop_all_domains(initrc_t)
|
||||
domain_sigchld_all_domains(initrc_t)
|
||||
domain_read_all_domains_state(initrc_t)
|
||||
domain_getattr_all_domains(initrc_t)
|
||||
@ -29921,7 +29943,7 @@ index 17eda24..17932ac 100644
|
||||
domain_getsession_all_domains(initrc_t)
|
||||
domain_use_interactive_fds(initrc_t)
|
||||
# for lsof which is used by alsa shutdown:
|
||||
@@ -340,6 +666,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
|
||||
@@ -340,6 +667,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
|
||||
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
|
||||
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
|
||||
domain_dontaudit_getattr_all_pipes(initrc_t)
|
||||
@ -29929,7 +29951,7 @@ index 17eda24..17932ac 100644
|
||||
|
||||
files_getattr_all_dirs(initrc_t)
|
||||
files_getattr_all_files(initrc_t)
|
||||
@@ -347,14 +674,15 @@ files_getattr_all_symlinks(initrc_t)
|
||||
@@ -347,14 +675,15 @@ files_getattr_all_symlinks(initrc_t)
|
||||
files_getattr_all_pipes(initrc_t)
|
||||
files_getattr_all_sockets(initrc_t)
|
||||
files_purge_tmp(initrc_t)
|
||||
@ -29947,7 +29969,7 @@ index 17eda24..17932ac 100644
|
||||
files_read_usr_files(initrc_t)
|
||||
files_manage_urandom_seed(initrc_t)
|
||||
files_manage_generic_spool(initrc_t)
|
||||
@@ -364,8 +692,12 @@ files_list_isid_type_dirs(initrc_t)
|
||||
@@ -364,8 +693,12 @@ files_list_isid_type_dirs(initrc_t)
|
||||
files_mounton_isid_type_dirs(initrc_t)
|
||||
files_list_default(initrc_t)
|
||||
files_mounton_default(initrc_t)
|
||||
@ -29961,7 +29983,7 @@ index 17eda24..17932ac 100644
|
||||
fs_list_inotifyfs(initrc_t)
|
||||
fs_register_binary_executable_type(initrc_t)
|
||||
# rhgb-console writes to ramfs
|
||||
@@ -375,10 +707,11 @@ fs_mount_all_fs(initrc_t)
|
||||
@@ -375,10 +708,11 @@ fs_mount_all_fs(initrc_t)
|
||||
fs_unmount_all_fs(initrc_t)
|
||||
fs_remount_all_fs(initrc_t)
|
||||
fs_getattr_all_fs(initrc_t)
|
||||
@ -29975,7 +29997,7 @@ index 17eda24..17932ac 100644
|
||||
mcs_process_set_categories(initrc_t)
|
||||
|
||||
mls_file_read_all_levels(initrc_t)
|
||||
@@ -387,8 +720,10 @@ mls_process_read_up(initrc_t)
|
||||
@@ -387,8 +721,10 @@ mls_process_read_up(initrc_t)
|
||||
mls_process_write_down(initrc_t)
|
||||
mls_rangetrans_source(initrc_t)
|
||||
mls_fd_share_all_levels(initrc_t)
|
||||
@ -29986,7 +30008,7 @@ index 17eda24..17932ac 100644
|
||||
|
||||
storage_getattr_fixed_disk_dev(initrc_t)
|
||||
storage_setattr_fixed_disk_dev(initrc_t)
|
||||
@@ -398,6 +733,7 @@ term_use_all_terms(initrc_t)
|
||||
@@ -398,6 +734,7 @@ term_use_all_terms(initrc_t)
|
||||
term_reset_tty_labels(initrc_t)
|
||||
|
||||
auth_rw_login_records(initrc_t)
|
||||
@ -29994,7 +30016,7 @@ index 17eda24..17932ac 100644
|
||||
auth_setattr_login_records(initrc_t)
|
||||
auth_rw_lastlog(initrc_t)
|
||||
auth_read_pam_pid(initrc_t)
|
||||
@@ -416,20 +752,18 @@ logging_read_all_logs(initrc_t)
|
||||
@@ -416,20 +753,18 @@ logging_read_all_logs(initrc_t)
|
||||
logging_append_all_logs(initrc_t)
|
||||
logging_read_audit_config(initrc_t)
|
||||
|
||||
@ -30018,7 +30040,7 @@ index 17eda24..17932ac 100644
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
dev_setattr_generic_dirs(initrc_t)
|
||||
@@ -451,7 +785,6 @@ ifdef(`distro_gentoo',`
|
||||
@@ -451,7 +786,6 @@ ifdef(`distro_gentoo',`
|
||||
allow initrc_t self:process setfscreate;
|
||||
dev_create_null_dev(initrc_t)
|
||||
dev_create_zero_dev(initrc_t)
|
||||
@ -30026,7 +30048,7 @@ index 17eda24..17932ac 100644
|
||||
term_create_console_dev(initrc_t)
|
||||
|
||||
# unfortunately /sbin/rc does stupid tricks
|
||||
@@ -486,6 +819,10 @@ ifdef(`distro_gentoo',`
|
||||
@@ -486,6 +820,10 @@ ifdef(`distro_gentoo',`
|
||||
sysnet_setattr_config(initrc_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -30037,7 +30059,7 @@ index 17eda24..17932ac 100644
|
||||
alsa_read_lib(initrc_t)
|
||||
')
|
||||
|
||||
@@ -506,7 +843,7 @@ ifdef(`distro_redhat',`
|
||||
@@ -506,7 +844,7 @@ ifdef(`distro_redhat',`
|
||||
|
||||
# Red Hat systems seem to have a stray
|
||||
# fd open from the initrd
|
||||
@ -30046,7 +30068,7 @@ index 17eda24..17932ac 100644
|
||||
files_dontaudit_read_root_files(initrc_t)
|
||||
|
||||
# These seem to be from the initrd
|
||||
@@ -521,6 +858,7 @@ ifdef(`distro_redhat',`
|
||||
@@ -521,6 +859,7 @@ ifdef(`distro_redhat',`
|
||||
files_create_boot_dirs(initrc_t)
|
||||
files_create_boot_flag(initrc_t)
|
||||
files_rw_boot_symlinks(initrc_t)
|
||||
@ -30054,7 +30076,7 @@ index 17eda24..17932ac 100644
|
||||
# wants to read /.fonts directory
|
||||
files_read_default_files(initrc_t)
|
||||
files_mountpoint(initrc_tmp_t)
|
||||
@@ -541,6 +879,7 @@ ifdef(`distro_redhat',`
|
||||
@@ -541,6 +880,7 @@ ifdef(`distro_redhat',`
|
||||
miscfiles_rw_localization(initrc_t)
|
||||
miscfiles_setattr_localization(initrc_t)
|
||||
miscfiles_relabel_localization(initrc_t)
|
||||
@ -30062,7 +30084,7 @@ index 17eda24..17932ac 100644
|
||||
|
||||
miscfiles_read_fonts(initrc_t)
|
||||
miscfiles_read_hwdata(initrc_t)
|
||||
@@ -550,8 +889,44 @@ ifdef(`distro_redhat',`
|
||||
@@ -550,8 +890,44 @@ ifdef(`distro_redhat',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -30107,7 +30129,7 @@ index 17eda24..17932ac 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -559,14 +934,31 @@ ifdef(`distro_redhat',`
|
||||
@@ -559,14 +935,31 @@ ifdef(`distro_redhat',`
|
||||
rpc_write_exports(initrc_t)
|
||||
rpc_manage_nfs_state_data(initrc_t)
|
||||
')
|
||||
@ -30139,7 +30161,7 @@ index 17eda24..17932ac 100644
|
||||
')
|
||||
')
|
||||
|
||||
@@ -577,6 +969,39 @@ ifdef(`distro_suse',`
|
||||
@@ -577,6 +970,39 @@ ifdef(`distro_suse',`
|
||||
')
|
||||
')
|
||||
|
||||
@ -30179,7 +30201,7 @@ index 17eda24..17932ac 100644
|
||||
optional_policy(`
|
||||
amavis_search_lib(initrc_t)
|
||||
amavis_setattr_pid_files(initrc_t)
|
||||
@@ -589,6 +1014,8 @@ optional_policy(`
|
||||
@@ -589,6 +1015,8 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
apache_read_config(initrc_t)
|
||||
apache_list_modules(initrc_t)
|
||||
@ -30188,7 +30210,7 @@ index 17eda24..17932ac 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -610,6 +1037,7 @@ optional_policy(`
|
||||
@@ -610,6 +1038,7 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
cgroup_stream_connect_cgred(initrc_t)
|
||||
@ -30196,7 +30218,7 @@ index 17eda24..17932ac 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -626,6 +1054,17 @@ optional_policy(`
|
||||
@@ -626,6 +1055,17 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -30214,7 +30236,7 @@ index 17eda24..17932ac 100644
|
||||
dev_getattr_printer_dev(initrc_t)
|
||||
|
||||
cups_read_log(initrc_t)
|
||||
@@ -642,9 +1081,13 @@ optional_policy(`
|
||||
@@ -642,9 +1082,13 @@ optional_policy(`
|
||||
dbus_connect_system_bus(initrc_t)
|
||||
dbus_system_bus_client(initrc_t)
|
||||
dbus_read_config(initrc_t)
|
||||
@ -30228,7 +30250,7 @@ index 17eda24..17932ac 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -657,15 +1100,11 @@ optional_policy(`
|
||||
@@ -657,15 +1101,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -30246,7 +30268,7 @@ index 17eda24..17932ac 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -686,6 +1125,15 @@ optional_policy(`
|
||||
@@ -686,6 +1126,15 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -30262,7 +30284,7 @@ index 17eda24..17932ac 100644
|
||||
inn_exec_config(initrc_t)
|
||||
')
|
||||
|
||||
@@ -726,6 +1174,7 @@ optional_policy(`
|
||||
@@ -726,6 +1175,7 @@ optional_policy(`
|
||||
lpd_list_spool(initrc_t)
|
||||
|
||||
lpd_read_config(initrc_t)
|
||||
@ -30270,7 +30292,7 @@ index 17eda24..17932ac 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -743,7 +1192,13 @@ optional_policy(`
|
||||
@@ -743,7 +1193,13 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -30285,7 +30307,7 @@ index 17eda24..17932ac 100644
|
||||
mta_dontaudit_read_spool_symlinks(initrc_t)
|
||||
')
|
||||
|
||||
@@ -766,6 +1221,10 @@ optional_policy(`
|
||||
@@ -766,6 +1222,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -30296,7 +30318,7 @@ index 17eda24..17932ac 100644
|
||||
postgresql_manage_db(initrc_t)
|
||||
postgresql_read_config(initrc_t)
|
||||
')
|
||||
@@ -775,10 +1234,20 @@ optional_policy(`
|
||||
@@ -775,10 +1235,20 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -30317,7 +30339,7 @@ index 17eda24..17932ac 100644
|
||||
quota_manage_flags(initrc_t)
|
||||
')
|
||||
|
||||
@@ -787,6 +1256,10 @@ optional_policy(`
|
||||
@@ -787,6 +1257,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -30328,7 +30350,7 @@ index 17eda24..17932ac 100644
|
||||
fs_write_ramfs_sockets(initrc_t)
|
||||
fs_search_ramfs(initrc_t)
|
||||
|
||||
@@ -808,8 +1281,6 @@ optional_policy(`
|
||||
@@ -808,8 +1282,6 @@ optional_policy(`
|
||||
# bash tries ioctl for some reason
|
||||
files_dontaudit_ioctl_all_pids(initrc_t)
|
||||
|
||||
@ -30337,7 +30359,7 @@ index 17eda24..17932ac 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -818,6 +1289,10 @@ optional_policy(`
|
||||
@@ -818,6 +1290,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -30348,7 +30370,7 @@ index 17eda24..17932ac 100644
|
||||
# shorewall-init script run /var/lib/shorewall/firewall
|
||||
shorewall_lib_domtrans(initrc_t)
|
||||
')
|
||||
@@ -827,10 +1302,12 @@ optional_policy(`
|
||||
@@ -827,10 +1303,12 @@ optional_policy(`
|
||||
squid_manage_logs(initrc_t)
|
||||
')
|
||||
|
||||
@ -30361,7 +30383,7 @@ index 17eda24..17932ac 100644
|
||||
|
||||
optional_policy(`
|
||||
ssh_dontaudit_read_server_keys(initrc_t)
|
||||
@@ -857,21 +1334,60 @@ optional_policy(`
|
||||
@@ -857,21 +1335,60 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -30423,7 +30445,7 @@ index 17eda24..17932ac 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -887,6 +1403,10 @@ optional_policy(`
|
||||
@@ -887,6 +1404,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -30434,7 +30456,7 @@ index 17eda24..17932ac 100644
|
||||
# Set device ownerships/modes.
|
||||
xserver_setattr_console_pipes(initrc_t)
|
||||
|
||||
@@ -897,3 +1417,218 @@ optional_policy(`
|
||||
@@ -897,3 +1418,218 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
zebra_read_config(initrc_t)
|
||||
')
|
||||
@ -32894,7 +32916,7 @@ index 4e94884..b144ffe 100644
|
||||
+ logging_log_filetrans($1, var_log_t, dir, "anaconda")
|
||||
+')
|
||||
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
|
||||
index 59b04c1..7b0ef85 100644
|
||||
index 59b04c1..19dc9ce 100644
|
||||
--- a/policy/modules/system/logging.te
|
||||
+++ b/policy/modules/system/logging.te
|
||||
@@ -4,6 +4,21 @@ policy_module(logging, 1.20.1)
|
||||
@ -32945,7 +32967,15 @@ index 59b04c1..7b0ef85 100644
|
||||
|
||||
type syslogd_initrc_exec_t;
|
||||
init_script_file(syslogd_initrc_exec_t)
|
||||
@@ -76,6 +96,7 @@ files_type(syslogd_var_lib_t)
|
||||
@@ -71,11 +91,15 @@ init_script_file(syslogd_initrc_exec_t)
|
||||
type syslogd_tmp_t;
|
||||
files_tmp_file(syslogd_tmp_t)
|
||||
|
||||
+type syslogd_tmpfs_t;
|
||||
+files_tmpfs_file(syslogd_tmpfs_t)
|
||||
+
|
||||
type syslogd_var_lib_t;
|
||||
files_type(syslogd_var_lib_t)
|
||||
|
||||
type syslogd_var_run_t;
|
||||
files_pid_file(syslogd_var_run_t)
|
||||
@ -32953,7 +32983,7 @@ index 59b04c1..7b0ef85 100644
|
||||
|
||||
type var_log_t;
|
||||
logging_log_file(var_log_t)
|
||||
@@ -94,6 +115,8 @@ ifdef(`enable_mls',`
|
||||
@@ -94,6 +118,8 @@ ifdef(`enable_mls',`
|
||||
allow auditctl_t self:capability { fsetid dac_read_search dac_override };
|
||||
allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
|
||||
|
||||
@ -32962,7 +32992,7 @@ index 59b04c1..7b0ef85 100644
|
||||
read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
|
||||
allow auditctl_t auditd_etc_t:dir list_dir_perms;
|
||||
|
||||
@@ -111,7 +134,7 @@ domain_use_interactive_fds(auditctl_t)
|
||||
@@ -111,7 +137,7 @@ domain_use_interactive_fds(auditctl_t)
|
||||
|
||||
mls_file_read_all_levels(auditctl_t)
|
||||
|
||||
@ -32971,7 +33001,7 @@ index 59b04c1..7b0ef85 100644
|
||||
|
||||
init_dontaudit_use_fds(auditctl_t)
|
||||
|
||||
@@ -148,6 +171,7 @@ kernel_read_kernel_sysctls(auditd_t)
|
||||
@@ -148,6 +174,7 @@ kernel_read_kernel_sysctls(auditd_t)
|
||||
# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
|
||||
# Probably want a transition, and a new auditd_helper app
|
||||
kernel_read_system_state(auditd_t)
|
||||
@ -32979,7 +33009,7 @@ index 59b04c1..7b0ef85 100644
|
||||
|
||||
dev_read_sysfs(auditd_t)
|
||||
|
||||
@@ -155,9 +179,6 @@ fs_getattr_all_fs(auditd_t)
|
||||
@@ -155,9 +182,6 @@ fs_getattr_all_fs(auditd_t)
|
||||
fs_search_auto_mountpoints(auditd_t)
|
||||
fs_rw_anon_inodefs_files(auditd_t)
|
||||
|
||||
@ -32989,7 +33019,7 @@ index 59b04c1..7b0ef85 100644
|
||||
corenet_all_recvfrom_netlabel(auditd_t)
|
||||
corenet_tcp_sendrecv_generic_if(auditd_t)
|
||||
corenet_tcp_sendrecv_generic_node(auditd_t)
|
||||
@@ -183,16 +204,17 @@ logging_send_syslog_msg(auditd_t)
|
||||
@@ -183,16 +207,17 @@ logging_send_syslog_msg(auditd_t)
|
||||
logging_domtrans_dispatcher(auditd_t)
|
||||
logging_signal_dispatcher(auditd_t)
|
||||
|
||||
@ -33011,7 +33041,7 @@ index 59b04c1..7b0ef85 100644
|
||||
userdom_dontaudit_use_unpriv_user_fds(auditd_t)
|
||||
userdom_dontaudit_search_user_home_dirs(auditd_t)
|
||||
|
||||
@@ -237,19 +259,29 @@ corecmd_exec_shell(audisp_t)
|
||||
@@ -237,19 +262,29 @@ corecmd_exec_shell(audisp_t)
|
||||
|
||||
domain_use_interactive_fds(audisp_t)
|
||||
|
||||
@ -33042,7 +33072,7 @@ index 59b04c1..7b0ef85 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -268,7 +300,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
|
||||
@@ -268,7 +303,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
|
||||
|
||||
corecmd_exec_bin(audisp_remote_t)
|
||||
|
||||
@ -33050,7 +33080,7 @@ index 59b04c1..7b0ef85 100644
|
||||
corenet_all_recvfrom_netlabel(audisp_remote_t)
|
||||
corenet_tcp_sendrecv_generic_if(audisp_remote_t)
|
||||
corenet_tcp_sendrecv_generic_node(audisp_remote_t)
|
||||
@@ -280,10 +311,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
|
||||
@@ -280,10 +314,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
|
||||
|
||||
files_read_etc_files(audisp_remote_t)
|
||||
|
||||
@ -33070,7 +33100,7 @@ index 59b04c1..7b0ef85 100644
|
||||
|
||||
sysnet_dns_name_resolve(audisp_remote_t)
|
||||
|
||||
@@ -326,7 +365,6 @@ files_read_etc_files(klogd_t)
|
||||
@@ -326,7 +368,6 @@ files_read_etc_files(klogd_t)
|
||||
|
||||
logging_send_syslog_msg(klogd_t)
|
||||
|
||||
@ -33078,7 +33108,7 @@ index 59b04c1..7b0ef85 100644
|
||||
|
||||
mls_file_read_all_levels(klogd_t)
|
||||
|
||||
@@ -355,13 +393,12 @@ optional_policy(`
|
||||
@@ -355,13 +396,12 @@ optional_policy(`
|
||||
# sys_admin for the integrated klog of syslog-ng and metalog
|
||||
# sys_nice for rsyslog
|
||||
# cjp: why net_admin!
|
||||
@ -33095,7 +33125,7 @@ index 59b04c1..7b0ef85 100644
|
||||
# receive messages to be logged
|
||||
allow syslogd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
@@ -371,6 +408,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
|
||||
@@ -371,6 +411,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
|
||||
allow syslogd_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
allow syslogd_t syslog_conf_t:file read_file_perms;
|
||||
@ -33103,10 +33133,14 @@ index 59b04c1..7b0ef85 100644
|
||||
|
||||
# Create and bind to /dev/log or /var/run/log.
|
||||
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
|
||||
@@ -389,30 +427,42 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
|
||||
@@ -389,30 +430,46 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
|
||||
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
|
||||
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
|
||||
|
||||
+manage_dirs_pattern(syslogd_t, syslogd_tmpfs_t, syslogd_tmpfs_t)
|
||||
+manage_files_pattern(syslogd_t, syslogd_tmpfs_t, syslogd_tmpfs_t)
|
||||
+fs_tmpfs_filetrans(syslogd_t, syslogd_tmpfs_t, { dir file })
|
||||
+
|
||||
+manage_sock_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
|
||||
manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
|
||||
files_search_var_lib(syslogd_t)
|
||||
@ -33149,7 +33183,7 @@ index 59b04c1..7b0ef85 100644
|
||||
# syslog-ng can listen and connect on tcp port 514 (rsh)
|
||||
corenet_tcp_sendrecv_generic_if(syslogd_t)
|
||||
corenet_tcp_sendrecv_generic_node(syslogd_t)
|
||||
@@ -422,6 +472,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
|
||||
@@ -422,6 +479,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
|
||||
corenet_tcp_connect_rsh_port(syslogd_t)
|
||||
# Allow users to define additional syslog ports to connect to
|
||||
corenet_tcp_bind_syslogd_port(syslogd_t)
|
||||
@ -33158,7 +33192,7 @@ index 59b04c1..7b0ef85 100644
|
||||
corenet_tcp_connect_syslogd_port(syslogd_t)
|
||||
corenet_tcp_connect_postgresql_port(syslogd_t)
|
||||
corenet_tcp_connect_mysqld_port(syslogd_t)
|
||||
@@ -432,9 +484,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
|
||||
@@ -432,9 +491,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
|
||||
corenet_sendrecv_postgresql_client_packets(syslogd_t)
|
||||
corenet_sendrecv_mysqld_client_packets(syslogd_t)
|
||||
|
||||
@ -33186,11 +33220,9 @@ index 59b04c1..7b0ef85 100644
|
||||
domain_use_interactive_fds(syslogd_t)
|
||||
|
||||
files_read_etc_files(syslogd_t)
|
||||
@@ -447,14 +516,19 @@ files_read_kernel_symbol_table(syslogd_t)
|
||||
files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
|
||||
@@ -448,13 +524,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
|
||||
|
||||
fs_getattr_all_fs(syslogd_t)
|
||||
+fs_rw_tmpfs_files(syslogd_t)
|
||||
fs_search_auto_mountpoints(syslogd_t)
|
||||
+fs_search_cgroup_dirs(syslogd_t)
|
||||
|
||||
@ -33206,7 +33238,7 @@ index 59b04c1..7b0ef85 100644
|
||||
# for sending messages to logged in users
|
||||
init_read_utmp(syslogd_t)
|
||||
init_dontaudit_write_utmp(syslogd_t)
|
||||
@@ -466,11 +540,11 @@ init_use_fds(syslogd_t)
|
||||
@@ -466,11 +546,11 @@ init_use_fds(syslogd_t)
|
||||
|
||||
# cjp: this doesnt make sense
|
||||
logging_send_syslog_msg(syslogd_t)
|
||||
@ -33221,7 +33253,7 @@ index 59b04c1..7b0ef85 100644
|
||||
|
||||
ifdef(`distro_gentoo',`
|
||||
# default gentoo syslog-ng config appends kernel
|
||||
@@ -507,15 +581,40 @@ optional_policy(`
|
||||
@@ -507,15 +587,40 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -33262,7 +33294,7 @@ index 59b04c1..7b0ef85 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -526,3 +625,26 @@ optional_policy(`
|
||||
@@ -526,3 +631,26 @@ optional_policy(`
|
||||
# log to the xconsole
|
||||
xserver_rw_console(syslogd_t)
|
||||
')
|
||||
@ -39202,10 +39234,10 @@ index 0000000..1d9bdfd
|
||||
+')
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
new file mode 100644
|
||||
index 0000000..1605309
|
||||
index 0000000..9785384
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -0,0 +1,659 @@
|
||||
@@ -0,0 +1,635 @@
|
||||
+policy_module(systemd, 1.0.0)
|
||||
+
|
||||
+#######################################
|
||||
@ -39491,32 +39523,8 @@ index 0000000..1605309
|
||||
+fs_relabel_tmpfs_dirs(systemd_tmpfiles_t)
|
||||
+fs_list_all(systemd_tmpfiles_t)
|
||||
+
|
||||
+files_getattr_all_dirs(systemd_tmpfiles_t)
|
||||
+files_getattr_all_files(systemd_tmpfiles_t)
|
||||
+files_getattr_all_sockets(systemd_tmpfiles_t)
|
||||
+files_getattr_all_symlinks(systemd_tmpfiles_t)
|
||||
+files_relabel_all_lock_dirs(systemd_tmpfiles_t)
|
||||
+files_relabel_all_lock_files(systemd_tmpfiles_t)
|
||||
+files_relabel_all_pid_dirs(systemd_tmpfiles_t)
|
||||
+files_relabel_all_pid_files(systemd_tmpfiles_t)
|
||||
+files_relabel_all_spool_dirs(systemd_tmpfiles_t)
|
||||
+files_manage_all_pids(systemd_tmpfiles_t)
|
||||
+files_manage_all_pid_dirs(systemd_tmpfiles_t)
|
||||
+files_manage_all_locks(systemd_tmpfiles_t)
|
||||
+files_read_generic_tmp_symlinks(systemd_tmpfiles_t)
|
||||
+files_setattr_all_tmp_dirs(systemd_tmpfiles_t)
|
||||
+files_delete_boot_flag(systemd_tmpfiles_t)
|
||||
+files_delete_all_non_security_dirs(systemd_tmpfiles_t)
|
||||
+files_delete_all_non_security_files(systemd_tmpfiles_t)
|
||||
+files_delete_all_pid_sockets(systemd_tmpfiles_t)
|
||||
+files_delete_all_pid_pipes(systemd_tmpfiles_t)
|
||||
+files_purge_tmp(systemd_tmpfiles_t)
|
||||
+files_manage_generic_tmp_files(systemd_tmpfiles_t)
|
||||
+files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
|
||||
+files_relabelfrom_tmp_dirs(systemd_tmpfiles_t)
|
||||
+files_relabelfrom_tmp_files(systemd_tmpfiles_t)
|
||||
+files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
|
||||
+files_relabel_all_tmp_files(systemd_tmpfiles_t)
|
||||
+files_manage_non_auth_files(systemd_tmpfiles_t)
|
||||
+files_relabel_non_auth_files(systemd_tmpfiles_t)
|
||||
+files_list_lost_found(systemd_tmpfiles_t)
|
||||
+
|
||||
+mls_file_read_all_levels(systemd_tmpfiles_t)
|
||||
|
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 22%{?dist}
|
||||
Release: 23%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -578,6 +578,40 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Feb 11 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-23
|
||||
- Addopt corenet rules for unbound-anchor to rpm_script_t
|
||||
- Allow runuser to send send audit messages.
|
||||
- Allow postfix-local to search .forward in munin lib dirs
|
||||
- Allow udisks to connect to D-Bus
|
||||
- Allow spamd to connect to spamd port
|
||||
- Fix syntax error in snapper.te
|
||||
- Dontaudit osad to search gconf home files
|
||||
- Allow rhsmcertd to manage /etc/sysconf/rhn director
|
||||
- Fix pcp labeling to accept /usr/bin for all daemon binaries
|
||||
- Fix mcelog_read_log() interface
|
||||
- Allow iscsid to manage iscsi lib files
|
||||
- Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it.
|
||||
- Make tuned_t as unconfined domain for RHEL7.0
|
||||
- Allow ABRT to read puppet certs
|
||||
- Add sys_time capability for virt-ga
|
||||
- Allow gemu-ga to domtrans to hwclock_t
|
||||
- Allow additional access for virt_qemu_ga_t processes to read system clock and send audit messages
|
||||
- Fix some AVCs in pcp policy
|
||||
- Add to bacula capability setgid and setuid and allow to bind to bacula ports
|
||||
- Changed label from rhnsd_rw_conf_t to rhnsd_conf_t
|
||||
- Add access rhnsd and osad to /etc/sysconfig/rhn
|
||||
- drbdadm executes drbdmeta
|
||||
- Fixes needed for docker
|
||||
- Allow epmd to manage /var/log/rabbitmq/startup_err file
|
||||
- Allow beam.smp connect to amqp port
|
||||
- Modify xdm_write_home to allow create also links as xdm_home_t if the boolean is on true
|
||||
- Allow init_t to manage pluto.ctl because of init_t instead of initrc_t
|
||||
- Allow systemd_tmpfiles_t to manage all non security files on the system
|
||||
- Added labels for bacula ports
|
||||
- Fix label on /dev/vfio/vfio
|
||||
- Add kernel_mounton_messages() interface
|
||||
- init wants to manage lock files for iscsi
|
||||
|
||||
* Wed Feb 5 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-22
|
||||
- Fix /dev/vfio/vfio labeling
|
||||
|
||||
|