- Allow postgresql to manage rgmanager pid files
- Allow postgresql to read ccs data - Allow systemd_domain to send dbus messages to policykit - Add labels for /etc/hostname and /etc/machine-info and allow systemd-hostnamed to create - All systemd domains that create content are reading the file_context file and setfscreate - Systemd domains need to search through init_var_run_t - Allow sshd to communicate with libvirt to set container labels - Add interface to manage pid files - Allow NetworkManager_t to read /etc/hostname - Dontaudit leaked locked files into openshift_domains - Add fixes for oo-cgroup-read - it now creates tmp files - Allow gluster to manage all directories as well as files - Dontaudit chrome_sandbox_nacl_t using user terminals - Allow sysstat to manage its own log files - Allow virtual machines to setrlimit and send themselves signals. - Add labeling for /var/run/hplip
This commit is contained in:
parent
e30ef5a20a
commit
06b84e3300
@ -7634,7 +7634,7 @@ index 6a1e4d1..adafd25 100644
|
|||||||
+ dontaudit $1 domain:socket_class_set { read write };
|
+ dontaudit $1 domain:socket_class_set { read write };
|
||||||
')
|
')
|
||||||
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
|
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
|
||||||
index cf04cb5..8601a3e 100644
|
index cf04cb5..431baa5 100644
|
||||||
--- a/policy/modules/kernel/domain.te
|
--- a/policy/modules/kernel/domain.te
|
||||||
+++ b/policy/modules/kernel/domain.te
|
+++ b/policy/modules/kernel/domain.te
|
||||||
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
|
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
|
||||||
@ -7760,7 +7760,7 @@ index cf04cb5..8601a3e 100644
|
|||||||
|
|
||||||
# Create/access any System V IPC objects.
|
# Create/access any System V IPC objects.
|
||||||
allow unconfined_domain_type domain:{ sem msgq shm } *;
|
allow unconfined_domain_type domain:{ sem msgq shm } *;
|
||||||
@@ -166,5 +227,262 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
|
@@ -166,5 +227,261 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
|
||||||
# act on all domains keys
|
# act on all domains keys
|
||||||
allow unconfined_domain_type domain:key *;
|
allow unconfined_domain_type domain:key *;
|
||||||
|
|
||||||
@ -8022,7 +8022,6 @@ index cf04cb5..8601a3e 100644
|
|||||||
+ prelink_exec(domain)
|
+ prelink_exec(domain)
|
||||||
+ ')
|
+ ')
|
||||||
+')
|
+')
|
||||||
+
|
|
||||||
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
|
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
|
||||||
index c2c6e05..d0e6d1c 100644
|
index c2c6e05..d0e6d1c 100644
|
||||||
--- a/policy/modules/kernel/files.fc
|
--- a/policy/modules/kernel/files.fc
|
||||||
@ -17466,7 +17465,7 @@ index 9d2f311..9e87525 100644
|
|||||||
+ postgresql_filetrans_named_content($1)
|
+ postgresql_filetrans_named_content($1)
|
||||||
')
|
')
|
||||||
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
|
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
|
||||||
index 346d011..d84cfd8 100644
|
index 346d011..a00f4ea 100644
|
||||||
--- a/policy/modules/services/postgresql.te
|
--- a/policy/modules/services/postgresql.te
|
||||||
+++ b/policy/modules/services/postgresql.te
|
+++ b/policy/modules/services/postgresql.te
|
||||||
@@ -19,25 +19,32 @@ gen_require(`
|
@@ -19,25 +19,32 @@ gen_require(`
|
||||||
@ -17479,15 +17478,15 @@ index 346d011..d84cfd8 100644
|
|||||||
+## <p>
|
+## <p>
|
||||||
+## Allow postgresql to use ssh and rsync for point-in-time recovery
|
+## Allow postgresql to use ssh and rsync for point-in-time recovery
|
||||||
+## </p>
|
+## </p>
|
||||||
## </desc>
|
+## </desc>
|
||||||
-gen_tunable(sepgsql_enable_users_ddl, false)
|
|
||||||
+gen_tunable(postgresql_can_rsync, false)
|
+gen_tunable(postgresql_can_rsync, false)
|
||||||
+
|
+
|
||||||
+## <desc>
|
+## <desc>
|
||||||
+## <p>
|
+## <p>
|
||||||
+## Allow unprivileged users to execute DDL statement
|
+## Allow unprivileged users to execute DDL statement
|
||||||
+## </p>
|
+## </p>
|
||||||
+## </desc>
|
## </desc>
|
||||||
|
-gen_tunable(sepgsql_enable_users_ddl, false)
|
||||||
+gen_tunable(postgresql_selinux_users_ddl, true)
|
+gen_tunable(postgresql_selinux_users_ddl, true)
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
@ -17566,16 +17565,27 @@ index 346d011..d84cfd8 100644
|
|||||||
|
|
||||||
seutil_libselinux_linked(postgresql_t)
|
seutil_libselinux_linked(postgresql_t)
|
||||||
seutil_read_default_contexts(postgresql_t)
|
seutil_read_default_contexts(postgresql_t)
|
||||||
@@ -367,7 +373,7 @@ optional_policy(`
|
@@ -364,10 +370,18 @@ userdom_dontaudit_search_user_home_dirs(postgresql_t)
|
||||||
|
userdom_dontaudit_use_user_terminals(postgresql_t)
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
+ ccs_read_config(postgresql_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
mta_getattr_spool(postgresql_t)
|
mta_getattr_spool(postgresql_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
-tunable_policy(`allow_execmem',`
|
-tunable_policy(`allow_execmem',`
|
||||||
|
+optional_policy(`
|
||||||
|
+ rgmanager_manage_pid_files(postgresql_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
+tunable_policy(`deny_execmem',`',`
|
+tunable_policy(`deny_execmem',`',`
|
||||||
allow postgresql_t self:process execmem;
|
allow postgresql_t self:process execmem;
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -485,10 +491,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin
|
@@ -485,10 +499,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin
|
||||||
# It is always allowed to operate temporary objects for any database client.
|
# It is always allowed to operate temporary objects for any database client.
|
||||||
allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom };
|
allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom };
|
||||||
|
|
||||||
@ -17632,7 +17642,7 @@ index 346d011..d84cfd8 100644
|
|||||||
allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name };
|
allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name };
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -536,7 +584,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
|
@@ -536,7 +592,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
|
||||||
|
|
||||||
kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
|
kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
|
||||||
|
|
||||||
@ -17641,7 +17651,7 @@ index 346d011..d84cfd8 100644
|
|||||||
allow sepgsql_admin_type sepgsql_database_type:db_database *;
|
allow sepgsql_admin_type sepgsql_database_type:db_database *;
|
||||||
|
|
||||||
allow sepgsql_admin_type sepgsql_schema_type:db_schema *;
|
allow sepgsql_admin_type sepgsql_schema_type:db_schema *;
|
||||||
@@ -589,3 +637,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
|
@@ -589,3 +645,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
|
||||||
allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
|
allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
|
||||||
|
|
||||||
kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)
|
kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)
|
||||||
@ -18323,7 +18333,7 @@ index fe0c682..da12170 100644
|
|||||||
+ allow $1 sshd_devpts_t:chr_file rw_inherited_chr_file_perms;
|
+ allow $1 sshd_devpts_t:chr_file rw_inherited_chr_file_perms;
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
|
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
|
||||||
index 5fc0391..8d190be 100644
|
index 5fc0391..ab68072 100644
|
||||||
--- a/policy/modules/services/ssh.te
|
--- a/policy/modules/services/ssh.te
|
||||||
+++ b/policy/modules/services/ssh.te
|
+++ b/policy/modules/services/ssh.te
|
||||||
@@ -6,44 +6,52 @@ policy_module(ssh, 2.3.3)
|
@@ -6,44 +6,52 @@ policy_module(ssh, 2.3.3)
|
||||||
@ -18651,7 +18661,7 @@ index 5fc0391..8d190be 100644
|
|||||||
rpm_use_script_fds(sshd_t)
|
rpm_use_script_fds(sshd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -279,6 +335,32 @@ optional_policy(`
|
@@ -279,13 +335,68 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -18684,7 +18694,13 @@ index 5fc0391..8d190be 100644
|
|||||||
unconfined_shell_domtrans(sshd_t)
|
unconfined_shell_domtrans(sshd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -286,6 +368,29 @@ optional_policy(`
|
optional_policy(`
|
||||||
|
+ kernel_write_proc_files(sshd_t)
|
||||||
|
+ virt_transition_svirt_lxc(sshd_t, system_r)
|
||||||
|
+ virt_stream_connect(sshd_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
xserver_domtrans_xauth(sshd_t)
|
xserver_domtrans_xauth(sshd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
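Review bot: `kernel_write_proc_files(sshd_t)` in the new virt `optional_policy` block gives sshd_t write access to generic proc_t files, which is much broader than the rest of the block (a domain transition to svirt_lxc and a stream connect to libvirt) suggests is needed. If the denial being fixed is a write to /proc/self/attr/* while setting the container label, that access is usually mediated by the domain's own process/self permissions rather than by proc_t file access, so the proc rule may be unnecessary; worth confirming against the AVC record that motivated it before it ships in sshd's policy. Whatever the outcome, a one-line comment above the rule naming the specific proc path it exists for, e.g. `# sshd writes <path> when attaching to a libvirt container`, would keep the grant auditable. The enclosing patch file section continues outside this view.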
@ -18714,7 +18730,7 @@ index 5fc0391..8d190be 100644
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# ssh_keygen local policy
|
# ssh_keygen local policy
|
||||||
@@ -294,19 +399,26 @@ optional_policy(`
|
@@ -294,19 +405,26 @@ optional_policy(`
|
||||||
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
|
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
|
||||||
# and by sysadm_t
|
# and by sysadm_t
|
||||||
|
|
||||||
@ -18742,7 +18758,7 @@ index 5fc0391..8d190be 100644
|
|||||||
dev_read_urand(ssh_keygen_t)
|
dev_read_urand(ssh_keygen_t)
|
||||||
|
|
||||||
term_dontaudit_use_console(ssh_keygen_t)
|
term_dontaudit_use_console(ssh_keygen_t)
|
||||||
@@ -323,6 +435,12 @@ auth_use_nsswitch(ssh_keygen_t)
|
@@ -323,6 +441,12 @@ auth_use_nsswitch(ssh_keygen_t)
|
||||||
logging_send_syslog_msg(ssh_keygen_t)
|
logging_send_syslog_msg(ssh_keygen_t)
|
||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
|
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
|
||||||
@ -18755,7 +18771,7 @@ index 5fc0391..8d190be 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
seutil_sigchld_newrole(ssh_keygen_t)
|
seutil_sigchld_newrole(ssh_keygen_t)
|
||||||
@@ -331,3 +449,138 @@ optional_policy(`
|
@@ -331,3 +455,138 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
udev_read_db(ssh_keygen_t)
|
udev_read_db(ssh_keygen_t)
|
||||||
')
|
')
|
||||||
@ -26319,10 +26335,10 @@ index 9e54bf9..35992c7 100644
|
|||||||
+userdom_read_user_tmp_files(setkey_t)
|
+userdom_read_user_tmp_files(setkey_t)
|
||||||
|
|
||||||
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
|
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
|
||||||
index 1b93eb7..5effebe 100644
|
index 1b93eb7..b2532aa 100644
|
||||||
--- a/policy/modules/system/iptables.fc
|
--- a/policy/modules/system/iptables.fc
|
||||||
+++ b/policy/modules/system/iptables.fc
|
+++ b/policy/modules/system/iptables.fc
|
||||||
@@ -1,7 +1,8 @@
|
@@ -1,21 +1,27 @@
|
||||||
/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
|
/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
|
||||||
-/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
|
-/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
|
||||||
-/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
|
-/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
|
||||||
@ -26334,7 +26350,15 @@ index 1b93eb7..5effebe 100644
|
|||||||
|
|
||||||
/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||||
/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||||
@@ -14,8 +15,13 @@
|
/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||||
|
-/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||||
|
-/sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||||
|
-/sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||||
|
+/sbin/ip6?tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||||
|
+/sbin/ip6?tables-restore.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||||
|
+/sbin/ip6?tables-multi.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||||
|
/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||||
|
/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||||
/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||||
/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||||
|
|
||||||
@ -26345,9 +26369,9 @@ index 1b93eb7..5effebe 100644
|
|||||||
-/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
-/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||||
-/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
-/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||||
-/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
-/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||||
+/usr/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
+/usr/sbin/ip6?tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||||
+/usr/sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
+/usr/sbin/ip6?tables-restore.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||||
+/usr/sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
+/usr/sbin/ip6?tables-multi.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||||
+/usr/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
+/usr/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||||
+/usr/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
+/usr/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||||
+/usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
+/usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||||
@ -29642,7 +29666,7 @@ index 4584457..300c3f7 100644
|
|||||||
+ domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
|
+ domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
|
||||||
')
|
')
|
||||||
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
|
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
|
||||||
index 6a50270..b78f6a9 100644
|
index 6a50270..bfb146f 100644
|
||||||
--- a/policy/modules/system/mount.te
|
--- a/policy/modules/system/mount.te
|
||||||
+++ b/policy/modules/system/mount.te
|
+++ b/policy/modules/system/mount.te
|
||||||
@@ -10,35 +10,60 @@ policy_module(mount, 1.15.1)
|
@@ -10,35 +10,60 @@ policy_module(mount, 1.15.1)
|
||||||
@ -29839,7 +29863,7 @@ index 6a50270..b78f6a9 100644
|
|||||||
term_dontaudit_manage_pty_dirs(mount_t)
|
term_dontaudit_manage_pty_dirs(mount_t)
|
||||||
|
|
||||||
auth_use_nsswitch(mount_t)
|
auth_use_nsswitch(mount_t)
|
||||||
@@ -121,16 +187,20 @@ auth_use_nsswitch(mount_t)
|
@@ -121,16 +187,19 @@ auth_use_nsswitch(mount_t)
|
||||||
init_use_fds(mount_t)
|
init_use_fds(mount_t)
|
||||||
init_use_script_ptys(mount_t)
|
init_use_script_ptys(mount_t)
|
||||||
init_dontaudit_getattr_initctl(mount_t)
|
init_dontaudit_getattr_initctl(mount_t)
|
||||||
@ -29849,7 +29873,7 @@ index 6a50270..b78f6a9 100644
|
|||||||
logging_send_syslog_msg(mount_t)
|
logging_send_syslog_msg(mount_t)
|
||||||
|
|
||||||
-miscfiles_read_localization(mount_t)
|
-miscfiles_read_localization(mount_t)
|
||||||
|
-
|
||||||
sysnet_use_portmap(mount_t)
|
sysnet_use_portmap(mount_t)
|
||||||
|
|
||||||
seutil_read_config(mount_t)
|
seutil_read_config(mount_t)
|
||||||
@ -29861,7 +29885,7 @@ index 6a50270..b78f6a9 100644
|
|||||||
|
|
||||||
ifdef(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -146,26 +216,27 @@ ifdef(`distro_ubuntu',`
|
@@ -146,26 +215,27 @@ ifdef(`distro_ubuntu',`
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -29901,7 +29925,7 @@ index 6a50270..b78f6a9 100644
|
|||||||
corenet_tcp_bind_generic_port(mount_t)
|
corenet_tcp_bind_generic_port(mount_t)
|
||||||
corenet_udp_bind_generic_port(mount_t)
|
corenet_udp_bind_generic_port(mount_t)
|
||||||
corenet_tcp_bind_reserved_port(mount_t)
|
corenet_tcp_bind_reserved_port(mount_t)
|
||||||
@@ -179,6 +250,8 @@ optional_policy(`
|
@@ -179,6 +249,8 @@ optional_policy(`
|
||||||
fs_search_rpc(mount_t)
|
fs_search_rpc(mount_t)
|
||||||
|
|
||||||
rpc_stub(mount_t)
|
rpc_stub(mount_t)
|
||||||
@ -29910,7 +29934,7 @@ index 6a50270..b78f6a9 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -186,6 +259,32 @@ optional_policy(`
|
@@ -186,6 +258,36 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -29934,6 +29958,10 @@ index 6a50270..b78f6a9 100644
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
|
+ glusterd_domtrans(mount_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
+ hal_write_log(mount_t)
|
+ hal_write_log(mount_t)
|
||||||
+ hal_use_fds(mount_t)
|
+ hal_use_fds(mount_t)
|
||||||
+ hal_dontaudit_rw_pipes(mount_t)
|
+ hal_dontaudit_rw_pipes(mount_t)
|
||||||
@ -29943,7 +29971,7 @@ index 6a50270..b78f6a9 100644
|
|||||||
ifdef(`hide_broken_symptoms',`
|
ifdef(`hide_broken_symptoms',`
|
||||||
# for a bug in the X server
|
# for a bug in the X server
|
||||||
rhgb_dontaudit_rw_stream_sockets(mount_t)
|
rhgb_dontaudit_rw_stream_sockets(mount_t)
|
||||||
@@ -194,24 +293,124 @@ optional_policy(`
|
@@ -194,24 +296,124 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -30002,22 +30030,22 @@ index 6a50270..b78f6a9 100644
|
|||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ usbmuxd_stream_connect(mount_t)
|
+ usbmuxd_stream_connect(mount_t)
|
||||||
+')
|
|
||||||
+
|
|
||||||
+optional_policy(`
|
|
||||||
+ userhelper_exec_console(mount_t)
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
+optional_policy(`
|
|
||||||
+ virt_read_blk_images(mount_t)
|
|
||||||
+')
|
+')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
|
- files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
|
||||||
- unconfined_domain(unconfined_mount_t)
|
- unconfined_domain(unconfined_mount_t)
|
||||||
+ vmware_exec_host(mount_t)
|
+ userhelper_exec_console(mount_t)
|
||||||
')
|
')
|
||||||
+
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ virt_read_blk_images(mount_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ vmware_exec_host(mount_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
+######################################
|
+######################################
|
||||||
+#
|
+#
|
||||||
+# showmount local policy
|
+# showmount local policy
|
||||||
@ -30147,7 +30175,7 @@ index d43f3b1..c4182e8 100644
|
|||||||
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
|
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
|
||||||
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
|
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
|
||||||
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
|
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
|
||||||
index 3822072..2639601 100644
|
index 3822072..1029e3b 100644
|
||||||
--- a/policy/modules/system/selinuxutil.if
|
--- a/policy/modules/system/selinuxutil.if
|
||||||
+++ b/policy/modules/system/selinuxutil.if
|
+++ b/policy/modules/system/selinuxutil.if
|
||||||
@@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',`
|
@@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',`
|
||||||
@ -30516,7 +30544,17 @@ index 3822072..2639601 100644
|
|||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Create, read, write, and delete the default_contexts files.
|
## Create, read, write, and delete the default_contexts files.
|
||||||
@@ -999,6 +1270,26 @@ interface(`seutil_domtrans_semanage',`
|
@@ -784,7 +1055,9 @@ interface(`seutil_read_file_contexts',`
|
||||||
|
|
||||||
|
files_search_etc($1)
|
||||||
|
allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
|
||||||
|
+ list_dirs_pattern($1, file_context_t, file_context_t)
|
||||||
|
read_files_pattern($1, file_context_t, file_context_t)
|
||||||
|
+ read_lnk_files_pattern($1, file_context_t, file_context_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
@@ -999,6 +1272,26 @@ interface(`seutil_domtrans_semanage',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -30543,7 +30581,7 @@ index 3822072..2639601 100644
|
|||||||
## Execute semanage in the semanage domain, and
|
## Execute semanage in the semanage domain, and
|
||||||
## allow the specified role the semanage domain,
|
## allow the specified role the semanage domain,
|
||||||
## and use the caller's terminal.
|
## and use the caller's terminal.
|
||||||
@@ -1017,11 +1308,66 @@ interface(`seutil_domtrans_semanage',`
|
@@ -1017,11 +1310,66 @@ interface(`seutil_domtrans_semanage',`
|
||||||
#
|
#
|
||||||
interface(`seutil_run_semanage',`
|
interface(`seutil_run_semanage',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -30612,7 +30650,7 @@ index 3822072..2639601 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1044,6 +1390,9 @@ interface(`seutil_manage_module_store',`
|
@@ -1044,6 +1392,9 @@ interface(`seutil_manage_module_store',`
|
||||||
manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
|
manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
|
||||||
manage_files_pattern($1, semanage_store_t, semanage_store_t)
|
manage_files_pattern($1, semanage_store_t, semanage_store_t)
|
||||||
filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
|
filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
|
||||||
@ -30622,7 +30660,7 @@ index 3822072..2639601 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@@ -1137,3 +1486,98 @@ interface(`seutil_dontaudit_libselinux_linked',`
|
@@ -1137,3 +1488,98 @@ interface(`seutil_dontaudit_libselinux_linked',`
|
||||||
selinux_dontaudit_get_fs_mount($1)
|
selinux_dontaudit_get_fs_mount($1)
|
||||||
seutil_dontaudit_read_config($1)
|
seutil_dontaudit_read_config($1)
|
||||||
')
|
')
|
||||||
@ -32229,10 +32267,13 @@ index b7686d5..9a50b11 100644
|
|||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
|
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..595f756
|
index 0000000..4e12420
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/system/systemd.fc
|
+++ b/policy/modules/system/systemd.fc
|
||||||
@@ -0,0 +1,39 @@
|
@@ -0,0 +1,42 @@
|
||||||
|
+/etc/hostname -- gen_context(system_u:object_r:hostname_etc_t,s0)
|
||||||
|
+/etc/machine-info -- gen_context(system_u:object_r:hostname_etc_t,s0)
|
||||||
|
+
|
||||||
+/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
|
+/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
|
||||||
+/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
|
+/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
|
||||||
+/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
|
+/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
|
||||||
@ -32274,10 +32315,10 @@ index 0000000..595f756
|
|||||||
+/var/run/initramfs(/.*)? <<none>>
|
+/var/run/initramfs(/.*)? <<none>>
|
||||||
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
|
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..2961157
|
index 0000000..fc080a1
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/system/systemd.if
|
+++ b/policy/modules/system/systemd.if
|
||||||
@@ -0,0 +1,1042 @@
|
@@ -0,0 +1,1064 @@
|
||||||
+## <summary>SELinux policy for systemd components</summary>
|
+## <summary>SELinux policy for systemd components</summary>
|
||||||
+
|
+
|
||||||
+#######################################
|
+#######################################
|
||||||
@ -33068,6 +33109,25 @@ index 0000000..2961157
|
|||||||
+ files_var_lib_filetrans($1, random_seed_t, file, "random_seed")
|
+ files_var_lib_filetrans($1, random_seed_t, file, "random_seed")
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Allow process to read hostname config file.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+## <rolecap/>
|
||||||
|
+#
|
||||||
|
+interface(`systemd_hostnamed_read_config',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type hostname_etc_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ files_search_etc($1)
|
||||||
|
+ allow $1 hostname_etc_t:file read_file_perms;
|
||||||
|
+')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
@ -33083,11 +33143,14 @@ index 0000000..2961157
|
|||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ type systemd_passwd_var_run_t;
|
+ type systemd_passwd_var_run_t;
|
||||||
+ type systemd_logind_var_run_t;
|
+ type systemd_logind_var_run_t;
|
||||||
|
+ type hostname_etc_t;
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ files_pid_filetrans($1, systemd_logind_var_run_t, file, "nologin")
|
+ files_pid_filetrans($1, systemd_logind_var_run_t, file, "nologin")
|
||||||
+ init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block")
|
+ init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block")
|
||||||
+ init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
|
+ init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
|
||||||
|
+ files_etc_filetrans($1, hostname_etc_t, file, "hostname" )
|
||||||
|
+ files_etc_filetrans($1, hostname_etc_t, file, "machine-info" )
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -33322,10 +33385,10 @@ index 0000000..2961157
|
|||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..ac0a395
|
index 0000000..90e063a
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/system/systemd.te
|
+++ b/policy/modules/system/systemd.te
|
||||||
@@ -0,0 +1,624 @@
|
@@ -0,0 +1,632 @@
|
||||||
+policy_module(systemd, 1.0.0)
|
+policy_module(systemd, 1.0.0)
|
||||||
+
|
+
|
||||||
+#######################################
|
+#######################################
|
||||||
@ -33400,6 +33463,9 @@ index 0000000..ac0a395
|
|||||||
+type systemd_hostnamed_exec_t;
|
+type systemd_hostnamed_exec_t;
|
||||||
+init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
|
+init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
|
||||||
+
|
+
|
||||||
|
+type hostname_etc_t;
|
||||||
|
+files_config_file(hostname_etc_t)
|
||||||
|
+
|
||||||
+type systemd_timedated_t, systemd_domain;
|
+type systemd_timedated_t, systemd_domain;
|
||||||
+type systemd_timedated_exec_t;
|
+type systemd_timedated_exec_t;
|
||||||
+init_daemon_domain(systemd_timedated_t, systemd_timedated_exec_t)
|
+init_daemon_domain(systemd_timedated_t, systemd_timedated_exec_t)
|
||||||
@ -33538,10 +33604,6 @@ index 0000000..ac0a395
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ policykit_dbus_chat(systemd_logind_t)
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
+optional_policy(`
|
|
||||||
+ rpm_dbus_chat(systemd_logind_t)
|
+ rpm_dbus_chat(systemd_logind_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
@ -33556,7 +33618,7 @@ index 0000000..ac0a395
|
|||||||
+#
|
+#
|
||||||
+
|
+
|
||||||
+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
|
+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
|
||||||
+allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
|
+allow systemd_passwd_agent_t self:process { setsockcreate };
|
||||||
+allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
|
+allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
|
||||||
+
|
+
|
||||||
+manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
|
+manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
|
||||||
@ -33671,9 +33733,6 @@ index 0000000..ac0a395
|
|||||||
+miscfiles_relabel_man_pages(systemd_tmpfiles_t)
|
+miscfiles_relabel_man_pages(systemd_tmpfiles_t)
|
||||||
+miscfiles_delete_man_pages(systemd_tmpfiles_t)
|
+miscfiles_delete_man_pages(systemd_tmpfiles_t)
|
||||||
+
|
+
|
||||||
+seutil_read_config(systemd_tmpfiles_t)
|
|
||||||
+seutil_read_file_contexts(systemd_tmpfiles_t)
|
|
||||||
+
|
|
||||||
+ifdef(`distro_redhat',`
|
+ifdef(`distro_redhat',`
|
||||||
+ userdom_list_user_home_content(systemd_tmpfiles_t)
|
+ userdom_list_user_home_content(systemd_tmpfiles_t)
|
||||||
+ userdom_delete_all_user_home_content_dirs(systemd_tmpfiles_t)
|
+ userdom_delete_all_user_home_content_dirs(systemd_tmpfiles_t)
|
||||||
@ -33799,10 +33858,8 @@ index 0000000..ac0a395
|
|||||||
+
|
+
|
||||||
+dev_write_kmsg(systemd_localed_t)
|
+dev_write_kmsg(systemd_localed_t)
|
||||||
+
|
+
|
||||||
+seutil_read_config(systemd_localed_t)
|
|
||||||
+seutil_read_file_contexts(systemd_localed_t)
|
|
||||||
+
|
|
||||||
+logging_stream_connect_syslog(systemd_localed_t)
|
+logging_stream_connect_syslog(systemd_localed_t)
|
||||||
|
+logging_send_syslog_msg(systemd_localed_t)
|
||||||
+
|
+
|
||||||
+miscfiles_manage_localization(systemd_localed_t)
|
+miscfiles_manage_localization(systemd_localed_t)
|
||||||
+miscfiles_etc_filetrans_localization(systemd_localed_t)
|
+miscfiles_etc_filetrans_localization(systemd_localed_t)
|
||||||
@ -33818,12 +33875,17 @@ index 0000000..ac0a395
|
|||||||
+#
|
+#
|
||||||
+# Hostnamed policy
|
+# Hostnamed policy
|
||||||
+#
|
+#
|
||||||
+dontaudit systemd_hostnamed_t self:capability sys_ptrace;
|
+dontaudit systemd_hostnamed_t self:capability { sys_admin sys_ptrace };
|
||||||
+
|
+
|
||||||
+allow systemd_hostnamed_t self:fifo_file rw_fifo_file_perms;
|
+allow systemd_hostnamed_t self:fifo_file rw_fifo_file_perms;
|
||||||
+allow systemd_hostnamed_t self:unix_stream_socket create_stream_socket_perms;
|
+allow systemd_hostnamed_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
+allow systemd_hostnamed_t self:unix_dgram_socket create_socket_perms;
|
+allow systemd_hostnamed_t self:unix_dgram_socket create_socket_perms;
|
||||||
+
|
+
|
||||||
|
+manage_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)
|
||||||
|
+manage_lnk_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)
|
||||||
|
+files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file, "hostname" )
|
||||||
|
+files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file, "machine-info" )
|
||||||
|
+
|
||||||
+kernel_dgram_send(systemd_hostnamed_t)
|
+kernel_dgram_send(systemd_hostnamed_t)
|
||||||
+
|
+
|
||||||
+dev_write_kmsg(systemd_hostnamed_t)
|
+dev_write_kmsg(systemd_hostnamed_t)
|
||||||
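Review bot: The two new `files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file, "hostname" )` and `"machine-info" )` calls carry a stray space before the closing parenthesis, unlike the other filetrans calls elsewhere in this patch; `files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file, "hostname")` keeps the style uniform. Widening the dontaudit from `sys_ptrace` to `{ sys_admin sys_ptrace }` also silences every sys_admin denial from hostnamed, so if the daemon ever genuinely needs that capability the audit log will no longer show it; a one-line comment above the rule saying which operation triggers the spurious sys_admin check would let the next reader judge whether the dontaudit is still warranted. The `hostname_etc_t` type declaration and its /etc/hostname file contexts are outside this hunk, so their presence is assumed here.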
@ -33835,6 +33897,9 @@ index 0000000..ac0a395
|
|||||||
+
|
+
|
||||||
+logging_send_syslog_msg(systemd_hostnamed_t)
|
+logging_send_syslog_msg(systemd_hostnamed_t)
|
||||||
+
|
+
|
||||||
|
+userdom_read_all_users_state(systemd_hostnamed_t)
|
||||||
|
+userdom_dbus_send_all_users(systemd_hostnamed_t)
|
||||||
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ dbus_system_bus_client(systemd_hostnamed_t)
|
+ dbus_system_bus_client(systemd_hostnamed_t)
|
||||||
+ dbus_connect_system_bus(systemd_hostnamed_t)
|
+ dbus_connect_system_bus(systemd_hostnamed_t)
|
||||||
@ -33845,7 +33910,7 @@ index 0000000..ac0a395
|
|||||||
+# Timedated policy
|
+# Timedated policy
|
||||||
+#
|
+#
|
||||||
+allow systemd_timedated_t self:capability { sys_nice sys_time dac_override };
|
+allow systemd_timedated_t self:capability { sys_nice sys_time dac_override };
|
||||||
+allow systemd_timedated_t self:process { getattr getsched signal setfscreate };
|
+allow systemd_timedated_t self:process { getattr getsched setfscreate };
|
||||||
+allow systemd_timedated_t self:fifo_file rw_fifo_file_perms;
|
+allow systemd_timedated_t self:fifo_file rw_fifo_file_perms;
|
||||||
+allow systemd_timedated_t self:unix_stream_socket create_stream_socket_perms;
|
+allow systemd_timedated_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
+allow systemd_timedated_t self:unix_dgram_socket create_socket_perms;
|
+allow systemd_timedated_t self:unix_dgram_socket create_socket_perms;
|
||||||
@ -33875,8 +33940,6 @@ index 0000000..ac0a395
|
|||||||
+miscfiles_manage_localization(systemd_timedated_t)
|
+miscfiles_manage_localization(systemd_timedated_t)
|
||||||
+miscfiles_etc_filetrans_localization(systemd_timedated_t)
|
+miscfiles_etc_filetrans_localization(systemd_timedated_t)
|
||||||
+
|
+
|
||||||
+seutil_read_file_contexts(systemd_timedated_t)
|
|
||||||
+
|
|
||||||
+userdom_read_all_users_state(systemd_timedated_t)
|
+userdom_read_all_users_state(systemd_timedated_t)
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
@ -33915,7 +33978,6 @@ index 0000000..ac0a395
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ policykit_dbus_chat(systemd_timedated_t)
|
|
||||||
+ policykit_domtrans_auth(systemd_timedated_t)
|
+ policykit_domtrans_auth(systemd_timedated_t)
|
||||||
+ policykit_read_lib(systemd_timedated_t)
|
+ policykit_read_lib(systemd_timedated_t)
|
||||||
+ policykit_read_reload(systemd_timedated_t)
|
+ policykit_read_reload(systemd_timedated_t)
|
||||||
@ -33943,13 +34005,22 @@ index 0000000..ac0a395
|
|||||||
+#
|
+#
|
||||||
+# Common rules for systemd domains
|
+# Common rules for systemd domains
|
||||||
+#
|
+#
|
||||||
+
|
+allow systemd_domain self:process { setfscreate signal_perms };
|
||||||
+files_read_etc_files(systemd_domain)
|
+files_read_etc_files(systemd_domain)
|
||||||
+files_read_etc_runtime_files(systemd_domain)
|
+files_read_etc_runtime_files(systemd_domain)
|
||||||
+files_read_usr_files(systemd_domain)
|
+files_read_usr_files(systemd_domain)
|
||||||
+
|
+
|
||||||
|
+init_search_pid_dirs(systemd_domain)
|
||||||
|
+
|
||||||
+logging_stream_connect_syslog(systemd_domain)
|
+logging_stream_connect_syslog(systemd_domain)
|
||||||
+
|
+
|
||||||
|
+seutil_read_config(systemd_domain)
|
||||||
|
+seutil_read_file_contexts(systemd_domain)
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ policykit_dbus_chat(systemd_domain)
|
||||||
|
+')
|
||||||
|
+
|
||||||
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
|
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
|
||||||
index 40928d8..49fd32e 100644
|
index 40928d8..49fd32e 100644
|
||||||
--- a/policy/modules/system/udev.fc
|
--- a/policy/modules/system/udev.fc
|
||||||
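Review bot: `allow systemd_domain self:process { setfscreate signal_perms };` plus `seutil_read_config(systemd_domain)` and `seutil_read_file_contexts(systemd_domain)` replace per-domain rules that this commit removes from systemd_tmpfiles_t and systemd_localed_t earlier in the file, so every type that must keep those permissions has to carry the `systemd_domain` attribute; the attribute assignments are not in this chunk, so please confirm tmpfiles and localed are members before relying on the move. The cleanup is also uneven: systemd_passwd_agent_t loses its own `setfscreate`, while systemd_timedated_t keeps it in `allow systemd_timedated_t self:process { getattr getsched setfscreate };`. `signal_perms` is wider than the plain `signal` the individual domains had, which is acceptable on self but worth stating. A short comment above the block, e.g. `# every systemd daemon that creates content reads file_contexts and uses setfscreate`, would record why the whole attribute needs these rights.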
@ -35321,7 +35392,7 @@ index db75976..65191bd 100644
|
|||||||
+
|
+
|
||||||
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
|
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
|
||||||
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
|
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
|
||||||
index 3c5dba7..ba7a400 100644
|
index 3c5dba7..05bc969 100644
|
||||||
--- a/policy/modules/system/userdomain.if
|
--- a/policy/modules/system/userdomain.if
|
||||||
+++ b/policy/modules/system/userdomain.if
|
+++ b/policy/modules/system/userdomain.if
|
||||||
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
|
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
|
||||||
@ -37987,10 +38058,12 @@ index 3c5dba7..ba7a400 100644
|
|||||||
## Create keys for all user domains.
|
## Create keys for all user domains.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -3439,3 +4197,1355 @@ interface(`userdom_dbus_send_all_users',`
|
@@ -3438,4 +4196,1357 @@ interface(`userdom_dbus_send_all_users',`
|
||||||
|
')
|
||||||
|
|
||||||
allow $1 userdomain:dbus send_msg;
|
allow $1 userdomain:dbus send_msg;
|
||||||
')
|
+ ps_process_pattern($1, userdomain)
|
||||||
|
+')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
@ -39342,7 +39415,7 @@ index 3c5dba7..ba7a400 100644
|
|||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ filetrans_pattern($1, user_tmpfs_t, $2, $3, $4)
|
+ filetrans_pattern($1, user_tmpfs_t, $2, $3, $4)
|
||||||
+')
|
')
|
||||||
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
|
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
|
||||||
index e2b538b..6371ed6 100644
|
index e2b538b..6371ed6 100644
|
||||||
--- a/policy/modules/system/userdomain.te
|
--- a/policy/modules/system/userdomain.te
|
||||||
|
@ -10091,10 +10091,10 @@ index 0000000..efebae7
|
|||||||
+')
|
+')
|
||||||
diff --git a/chrome.te b/chrome.te
|
diff --git a/chrome.te b/chrome.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..2cce501
|
index 0000000..a54bf63
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/chrome.te
|
+++ b/chrome.te
|
||||||
@@ -0,0 +1,203 @@
|
@@ -0,0 +1,204 @@
|
||||||
+policy_module(chrome,1.0.0)
|
+policy_module(chrome,1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -10293,6 +10293,7 @@ index 0000000..2cce501
|
|||||||
+userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
|
+userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
|
||||||
+userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
|
+userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
|
||||||
+userdom_dontaudit_read_user_home_content_files(chrome_sandbox_nacl_t)
|
+userdom_dontaudit_read_user_home_content_files(chrome_sandbox_nacl_t)
|
||||||
|
+userdom_dontaudit_use_user_terminals(chrome_sandbox_nacl_t)
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ gnome_dontaudit_append_config_files(chrome_sandbox_nacl_t)
|
+ gnome_dontaudit_append_config_files(chrome_sandbox_nacl_t)
|
||||||
@ -11596,10 +11597,10 @@ index 954309e..f4db2ca 100644
|
|||||||
')
|
')
|
||||||
+
|
+
|
||||||
diff --git a/collectd.te b/collectd.te
|
diff --git a/collectd.te b/collectd.te
|
||||||
index 6471fa8..45f1622 100644
|
index 6471fa8..afeb58c 100644
|
||||||
--- a/collectd.te
|
--- a/collectd.te
|
||||||
+++ b/collectd.te
|
+++ b/collectd.te
|
||||||
@@ -26,6 +26,9 @@ files_type(collectd_var_lib_t)
|
@@ -26,8 +26,14 @@ files_type(collectd_var_lib_t)
|
||||||
type collectd_var_run_t;
|
type collectd_var_run_t;
|
||||||
files_pid_file(collectd_var_run_t)
|
files_pid_file(collectd_var_run_t)
|
||||||
|
|
||||||
@ -11608,8 +11609,21 @@ index 6471fa8..45f1622 100644
|
|||||||
+
|
+
|
||||||
apache_content_template(collectd)
|
apache_content_template(collectd)
|
||||||
|
|
||||||
|
+type httpd_collectd_script_tmp_t;
|
||||||
|
+files_tmp_file(httpd_collectd_script_tmp_t)
|
||||||
|
+
|
||||||
########################################
|
########################################
|
||||||
@@ -48,21 +51,18 @@ files_pid_filetrans(collectd_t, collectd_var_run_t, file)
|
#
|
||||||
|
# Local policy
|
||||||
|
@@ -38,6 +44,7 @@ allow collectd_t self:process { getsched setsched signal };
|
||||||
|
allow collectd_t self:fifo_file rw_fifo_file_perms;
|
||||||
|
allow collectd_t self:packet_socket create_socket_perms;
|
||||||
|
allow collectd_t self:unix_stream_socket { accept listen };
|
||||||
|
+allow collectd_t self:netlink_tcpdiag_socket create_socket_perms;
|
||||||
|
|
||||||
|
manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
|
||||||
|
manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
|
||||||
|
@@ -48,21 +55,18 @@ files_pid_filetrans(collectd_t, collectd_var_run_t, file)
|
||||||
|
|
||||||
domain_use_interactive_fds(collectd_t)
|
domain_use_interactive_fds(collectd_t)
|
||||||
|
|
||||||
@ -11634,14 +11648,30 @@ index 6471fa8..45f1622 100644
|
|||||||
|
|
||||||
logging_send_syslog_msg(collectd_t)
|
logging_send_syslog_msg(collectd_t)
|
||||||
|
|
||||||
@@ -87,4 +87,7 @@ optional_policy(`
|
@@ -80,11 +84,17 @@ optional_policy(`
|
||||||
read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
|
|
||||||
list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
|
########################################
|
||||||
miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
|
#
|
||||||
+
|
-# Web local policy
|
||||||
+ auth_read_passwd(httpd_collectd_script_t)
|
+# Web collectd local policy
|
||||||
')
|
#
|
||||||
|
|
||||||
|
-optional_policy(`
|
||||||
|
- read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
|
||||||
|
- list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
|
||||||
|
- miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
|
||||||
|
-')
|
||||||
+
|
+
|
||||||
|
+files_search_var_lib(httpd_collectd_script_t)
|
||||||
|
+read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
|
||||||
|
+list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
|
||||||
|
+miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
|
||||||
|
+
|
||||||
|
+manage_dirs_pattern(httpd_collectd_script_t, httpd_collectd_script_tmp_t, httpd_collectd_script_tmp_t)
|
||||||
|
+manage_files_pattern(httpd_collectd_script_t, httpd_collectd_script_tmp_t, httpd_collectd_script_tmp_t)
|
||||||
|
+files_tmp_filetrans(httpd_collectd_script_t, httpd_collectd_script_tmp_t, { file dir })
|
||||||
|
+
|
||||||
|
+auth_read_passwd(httpd_collectd_script_t)
|
||||||
diff --git a/colord.fc b/colord.fc
|
diff --git a/colord.fc b/colord.fc
|
||||||
index 717ea0b..22e0385 100644
|
index 717ea0b..22e0385 100644
|
||||||
--- a/colord.fc
|
--- a/colord.fc
|
||||||
@ -15640,10 +15670,10 @@ index 6ce66e7..1d0337a 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
diff --git a/cups.fc b/cups.fc
|
diff --git a/cups.fc b/cups.fc
|
||||||
index 949011e..85b210b 100644
|
index 949011e..0332f88 100644
|
||||||
--- a/cups.fc
|
--- a/cups.fc
|
||||||
+++ b/cups.fc
|
+++ b/cups.fc
|
||||||
@@ -1,77 +1,85 @@
|
@@ -1,77 +1,86 @@
|
||||||
-/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
-/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||||
|
|
||||||
-/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
|
-/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
|
||||||
@ -15760,6 +15790,7 @@ index 949011e..85b210b 100644
|
|||||||
+/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
|
+/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
|
||||||
+/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
|
+/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
|
||||||
+/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh)
|
+/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh)
|
||||||
|
+/var/run/hplip(/.*) gen_context(system_u:object_r:cupsd_var_run_t,s0)
|
||||||
+/var/run/hp.*\.pid -- gen_context(system_u:object_r:cupsd_var_run_t,s0)
|
+/var/run/hp.*\.pid -- gen_context(system_u:object_r:cupsd_var_run_t,s0)
|
||||||
+/var/run/hp.*\.port -- gen_context(system_u:object_r:cupsd_var_run_t,s0)
|
+/var/run/hp.*\.port -- gen_context(system_u:object_r:cupsd_var_run_t,s0)
|
||||||
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
|
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
|
||||||
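Review bot: The new file-context entry `/var/run/hplip(/.*) gen_context(system_u:object_r:cupsd_var_run_t,s0)` lacks the `?` after the group, so it matches only entries below /var/run/hplip and never the directory itself; on a relabel the directory would fall through to whatever the generic /var/run rule assigns while the pid and socket files under it get cupsd_var_run_t. The neighbouring entries in this hunk (`/var/run/cups(/.*)?`, `/var/ccpd(/.*)?`) all use the optional group, so this reads as a typo rather than intent. Suggested line: `/var/run/hplip(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)`.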
@ -23526,7 +23557,7 @@ index 9eacb2c..229782f 100644
|
|||||||
init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
|
init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
|
||||||
domain_system_change_exemption($1)
|
domain_system_change_exemption($1)
|
||||||
diff --git a/glance.te b/glance.te
|
diff --git a/glance.te b/glance.te
|
||||||
index e0a4f46..70277e8 100644
|
index e0a4f46..0a1aec6 100644
|
||||||
--- a/glance.te
|
--- a/glance.te
|
||||||
+++ b/glance.te
|
+++ b/glance.te
|
||||||
@@ -7,8 +7,7 @@ policy_module(glance, 1.0.2)
|
@@ -7,8 +7,7 @@ policy_module(glance, 1.0.2)
|
||||||
@ -23560,7 +23591,7 @@ index e0a4f46..70277e8 100644
|
|||||||
allow glance_domain self:fifo_file rw_fifo_file_perms;
|
allow glance_domain self:fifo_file rw_fifo_file_perms;
|
||||||
allow glance_domain self:unix_stream_socket create_stream_socket_perms;
|
allow glance_domain self:unix_stream_socket create_stream_socket_perms;
|
||||||
allow glance_domain self:tcp_socket { accept listen };
|
allow glance_domain self:tcp_socket { accept listen };
|
||||||
@@ -56,10 +58,6 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
|
@@ -56,27 +58,21 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
|
||||||
manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
|
manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
|
||||||
manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
|
manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
|
||||||
|
|
||||||
@ -23571,7 +23602,11 @@ index e0a4f46..70277e8 100644
|
|||||||
corenet_tcp_sendrecv_generic_if(glance_domain)
|
corenet_tcp_sendrecv_generic_if(glance_domain)
|
||||||
corenet_tcp_sendrecv_generic_node(glance_domain)
|
corenet_tcp_sendrecv_generic_node(glance_domain)
|
||||||
corenet_tcp_sendrecv_all_ports(glance_domain)
|
corenet_tcp_sendrecv_all_ports(glance_domain)
|
||||||
@@ -70,13 +68,10 @@ corecmd_exec_shell(glance_domain)
|
corenet_tcp_bind_generic_node(glance_domain)
|
||||||
|
+corenet_tcp_connect_mysqld_port(glance_domain)
|
||||||
|
|
||||||
|
corecmd_exec_bin(glance_domain)
|
||||||
|
corecmd_exec_shell(glance_domain)
|
||||||
|
|
||||||
dev_read_urand(glance_domain)
|
dev_read_urand(glance_domain)
|
||||||
|
|
||||||
@ -23586,7 +23621,7 @@ index e0a4f46..70277e8 100644
|
|||||||
sysnet_dns_name_resolve(glance_domain)
|
sysnet_dns_name_resolve(glance_domain)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -88,8 +83,15 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
|
@@ -88,8 +84,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
|
||||||
manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
|
manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
|
||||||
files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file })
|
files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file })
|
||||||
|
|
||||||
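Review bot: `corenet_tcp_connect_mysqld_port(glance_domain)` is added here, and the hunk at `@ -23597,12 +23632,11 @@` accordingly drops the per-domain copy for glance_registry_t, but the hunk at `@ -23616,12 +23650,13 @@` then adds `corenet_tcp_connect_mysqld_port(glance_api_t)` alongside. Assuming glance_api_t carries the glance_domain attribute as glance_registry_t appears to, the api-specific line is redundant and should go for the same reason the registry one did; if it does not, the attribute-level rule is the one to reconsider. Either way the three hunks should agree on a single place for the mysql connect rule, since duplicated allow rules are exactly what makes later tightening of this policy error-prone.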
@ -23597,12 +23632,11 @@ index e0a4f46..70277e8 100644
|
|||||||
+corenet_tcp_bind_generic_node(glance_registry_t)
|
+corenet_tcp_bind_generic_node(glance_registry_t)
|
||||||
corenet_sendrecv_glance_registry_server_packets(glance_registry_t)
|
corenet_sendrecv_glance_registry_server_packets(glance_registry_t)
|
||||||
corenet_tcp_bind_glance_registry_port(glance_registry_t)
|
corenet_tcp_bind_glance_registry_port(glance_registry_t)
|
||||||
+corenet_tcp_connect_mysqld_port(glance_registry_t)
|
|
||||||
+corenet_tcp_connect_all_ephemeral_ports(glance_registry_t)
|
+corenet_tcp_connect_all_ephemeral_ports(glance_registry_t)
|
||||||
|
|
||||||
logging_send_syslog_msg(glance_registry_t)
|
logging_send_syslog_msg(glance_registry_t)
|
||||||
|
|
||||||
@@ -108,13 +110,19 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
|
@@ -108,13 +110,20 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
|
||||||
files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
|
files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
|
||||||
can_exec(glance_api_t, glance_tmp_t)
|
can_exec(glance_api_t, glance_tmp_t)
|
||||||
|
|
||||||
@ -23616,12 +23650,13 @@ index e0a4f46..70277e8 100644
|
|||||||
+corenet_tcp_bind_glance_port(glance_api_t)
|
+corenet_tcp_bind_glance_port(glance_api_t)
|
||||||
corenet_sendrecv_glance_registry_client_packets(glance_api_t)
|
corenet_sendrecv_glance_registry_client_packets(glance_api_t)
|
||||||
corenet_tcp_connect_glance_registry_port(glance_api_t)
|
corenet_tcp_connect_glance_registry_port(glance_api_t)
|
||||||
|
+corenet_tcp_connect_mysqld_port(glance_api_t)
|
||||||
|
+
|
||||||
+corenet_tcp_connect_all_ephemeral_ports(glance_api_t)
|
+corenet_tcp_connect_all_ephemeral_ports(glance_api_t)
|
||||||
+
|
+
|
||||||
+corenet_sendrecv_hplip_server_packets(glance_api_t)
|
+corenet_sendrecv_hplip_server_packets(glance_api_t)
|
||||||
+corenet_tcp_bind_hplip_port(glance_api_t)
|
+corenet_tcp_bind_hplip_port(glance_api_t)
|
||||||
+
|
|
||||||
fs_getattr_xattr_fs(glance_api_t)
|
fs_getattr_xattr_fs(glance_api_t)
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
@ -23807,7 +23842,7 @@ index 0000000..1ed97fe
|
|||||||
+
|
+
|
||||||
diff --git a/glusterd.te b/glusterd.te
|
diff --git a/glusterd.te b/glusterd.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..643f4bd
|
index 0000000..190dcb1
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/glusterd.te
|
+++ b/glusterd.te
|
||||||
@@ -0,0 +1,146 @@
|
@@ -0,0 +1,146 @@
|
||||||
@ -23954,9 +23989,9 @@ index 0000000..643f4bd
|
|||||||
+
|
+
|
||||||
+tunable_policy(`gluster_export_all_rw',`
|
+tunable_policy(`gluster_export_all_rw',`
|
||||||
+ fs_manage_noxattr_fs_files(glusterd_t)
|
+ fs_manage_noxattr_fs_files(glusterd_t)
|
||||||
|
+ files_manage_non_security_dirs(glusterd_t)
|
||||||
+ files_manage_non_security_files(glusterd_t)
|
+ files_manage_non_security_files(glusterd_t)
|
||||||
+')
|
+')
|
||||||
+
|
|
||||||
diff --git a/glusterfs.fc b/glusterfs.fc
|
diff --git a/glusterfs.fc b/glusterfs.fc
|
||||||
deleted file mode 100644
|
deleted file mode 100644
|
||||||
index 4bd6ade..0000000
|
index 4bd6ade..0000000
|
||||||
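Review bot: Adding `files_manage_non_security_dirs(glusterd_t)` inside the `gluster_export_all_rw` tunable block extends the boolean from file contents to directory creation and removal across every non-security type on the host, which is a larger grant than the boolean's name suggests. The `gen_tunable` description for gluster_export_all_rw lives outside this hunk and should be updated to say that enabling it lets glusterd create and delete directories, not just read and write files, anywhere outside security-sensitive labels, since operators decide from that text. For the same export case, the matching `fs_manage_noxattr_fs_dirs(glusterd_t)` next to `fs_manage_noxattr_fs_files(glusterd_t)` would keep the xattr-less filesystem branch consistent with the new directory rule.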
@ -31400,7 +31435,7 @@ index d3e7fc9..f20248c 100644
|
|||||||
+ ')
|
+ ')
|
||||||
')
|
')
|
||||||
diff --git a/keystone.te b/keystone.te
|
diff --git a/keystone.te b/keystone.te
|
||||||
index 3494d9b..343535a 100644
|
index 3494d9b..124a2ab 100644
|
||||||
--- a/keystone.te
|
--- a/keystone.te
|
||||||
+++ b/keystone.te
|
+++ b/keystone.te
|
||||||
@@ -21,10 +21,14 @@ files_type(keystone_var_lib_t)
|
@@ -21,10 +21,14 @@ files_type(keystone_var_lib_t)
|
||||||
@ -31418,7 +31453,15 @@ index 3494d9b..343535a 100644
|
|||||||
|
|
||||||
allow keystone_t self:fifo_file rw_fifo_file_perms;
|
allow keystone_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow keystone_t self:unix_stream_socket { accept listen };
|
allow keystone_t self:unix_stream_socket { accept listen };
|
||||||
@@ -62,15 +66,17 @@ corenet_sendrecv_commplex_main_server_packets(keystone_t)
|
@@ -57,20 +61,25 @@ corenet_all_recvfrom_netlabel(keystone_t)
|
||||||
|
corenet_tcp_sendrecv_generic_if(keystone_t)
|
||||||
|
corenet_tcp_sendrecv_generic_node(keystone_t)
|
||||||
|
corenet_tcp_bind_generic_node(keystone_t)
|
||||||
|
+corenet_tcp_connect_mysqld_port(keystone_t)
|
||||||
|
+
|
||||||
|
+corenet_tcp_connect_mysqld_port(keystone_t)
|
||||||
|
|
||||||
|
corenet_sendrecv_commplex_main_server_packets(keystone_t)
|
||||||
corenet_tcp_bind_commplex_main_port(keystone_t)
|
corenet_tcp_bind_commplex_main_port(keystone_t)
|
||||||
corenet_tcp_sendrecv_commplex_main_port(keystone_t)
|
corenet_tcp_sendrecv_commplex_main_port(keystone_t)
|
||||||
|
|
||||||
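Review bot: The new side of this hunk adds `corenet_tcp_connect_mysqld_port(keystone_t)` twice, separated only by an added blank line (the two `+` lines following `corenet_tcp_bind_generic_node(keystone_t)`), unless the split view misleads me. The previous version of the patch hunk added the rule once, so the second copy looks like a merge artifact; duplicate interface calls compile but leave noise in keystone.te and make the next diff harder to read. Keep one: `corenet_tcp_bind_generic_node(keystone_t)`, a blank line, then a single `corenet_tcp_connect_mysqld_port(keystone_t)`.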
@ -39948,7 +39991,7 @@ index b744fe3..4c1b6a8 100644
|
|||||||
init_labeled_script_domtrans($1, munin_initrc_exec_t)
|
init_labeled_script_domtrans($1, munin_initrc_exec_t)
|
||||||
domain_system_change_exemption($1)
|
domain_system_change_exemption($1)
|
||||||
diff --git a/munin.te b/munin.te
|
diff --git a/munin.te b/munin.te
|
||||||
index 97370e4..f076c38 100644
|
index 97370e4..27d3100 100644
|
||||||
--- a/munin.te
|
--- a/munin.te
|
||||||
+++ b/munin.te
|
+++ b/munin.te
|
||||||
@@ -40,12 +40,15 @@ munin_plugin_template(services)
|
@@ -40,12 +40,15 @@ munin_plugin_template(services)
|
||||||
@ -39968,7 +40011,7 @@ index 97370e4..f076c38 100644
|
|||||||
allow munin_plugin_domain self:fifo_file rw_fifo_file_perms;
|
allow munin_plugin_domain self:fifo_file rw_fifo_file_perms;
|
||||||
|
|
||||||
allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
|
allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
|
||||||
@@ -58,24 +61,16 @@ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms;
|
@@ -58,23 +61,17 @@ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms;
|
||||||
|
|
||||||
manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t)
|
manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t)
|
||||||
|
|
||||||
@ -39989,11 +40032,11 @@ index 97370e4..f076c38 100644
|
|||||||
fs_getattr_all_fs(munin_plugin_domain)
|
fs_getattr_all_fs(munin_plugin_domain)
|
||||||
|
|
||||||
-miscfiles_read_localization(munin_plugin_domain)
|
-miscfiles_read_localization(munin_plugin_domain)
|
||||||
-
|
+auth_read_passwd(munin_plugin_domain)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
nscd_use(munin_plugin_domain)
|
nscd_use(munin_plugin_domain)
|
||||||
')
|
@@ -114,7 +111,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
|
||||||
@@ -114,7 +109,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
|
|
||||||
manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
|
manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
|
||||||
manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
|
manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
|
||||||
|
|
||||||
@ -40002,7 +40045,7 @@ index 97370e4..f076c38 100644
|
|||||||
|
|
||||||
manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t)
|
manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t)
|
||||||
manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
|
manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
|
||||||
@@ -130,7 +125,6 @@ kernel_read_all_sysctls(munin_t)
|
@@ -130,7 +127,6 @@ kernel_read_all_sysctls(munin_t)
|
||||||
corecmd_exec_bin(munin_t)
|
corecmd_exec_bin(munin_t)
|
||||||
corecmd_exec_shell(munin_t)
|
corecmd_exec_shell(munin_t)
|
||||||
|
|
||||||
@ -40010,7 +40053,7 @@ index 97370e4..f076c38 100644
|
|||||||
corenet_all_recvfrom_netlabel(munin_t)
|
corenet_all_recvfrom_netlabel(munin_t)
|
||||||
corenet_tcp_sendrecv_generic_if(munin_t)
|
corenet_tcp_sendrecv_generic_if(munin_t)
|
||||||
corenet_tcp_sendrecv_generic_node(munin_t)
|
corenet_tcp_sendrecv_generic_node(munin_t)
|
||||||
@@ -153,7 +147,6 @@ domain_use_interactive_fds(munin_t)
|
@@ -153,7 +149,6 @@ domain_use_interactive_fds(munin_t)
|
||||||
domain_read_all_domains_state(munin_t)
|
domain_read_all_domains_state(munin_t)
|
||||||
|
|
||||||
files_read_etc_runtime_files(munin_t)
|
files_read_etc_runtime_files(munin_t)
|
||||||
@ -40018,7 +40061,7 @@ index 97370e4..f076c38 100644
|
|||||||
files_list_spool(munin_t)
|
files_list_spool(munin_t)
|
||||||
|
|
||||||
fs_getattr_all_fs(munin_t)
|
fs_getattr_all_fs(munin_t)
|
||||||
@@ -165,7 +158,6 @@ logging_send_syslog_msg(munin_t)
|
@@ -165,7 +160,6 @@ logging_send_syslog_msg(munin_t)
|
||||||
logging_read_all_logs(munin_t)
|
logging_read_all_logs(munin_t)
|
||||||
|
|
||||||
miscfiles_read_fonts(munin_t)
|
miscfiles_read_fonts(munin_t)
|
||||||
@ -40026,7 +40069,7 @@ index 97370e4..f076c38 100644
|
|||||||
miscfiles_setattr_fonts_cache_dirs(munin_t)
|
miscfiles_setattr_fonts_cache_dirs(munin_t)
|
||||||
|
|
||||||
sysnet_exec_ifconfig(munin_t)
|
sysnet_exec_ifconfig(munin_t)
|
||||||
@@ -173,13 +165,6 @@ sysnet_exec_ifconfig(munin_t)
|
@@ -173,13 +167,6 @@ sysnet_exec_ifconfig(munin_t)
|
||||||
userdom_dontaudit_use_unpriv_user_fds(munin_t)
|
userdom_dontaudit_use_unpriv_user_fds(munin_t)
|
||||||
userdom_dontaudit_search_user_home_dirs(munin_t)
|
userdom_dontaudit_search_user_home_dirs(munin_t)
|
||||||
|
|
||||||
@ -40040,7 +40083,7 @@ index 97370e4..f076c38 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
cron_system_entry(munin_t, munin_exec_t)
|
cron_system_entry(munin_t, munin_exec_t)
|
||||||
@@ -213,7 +198,6 @@ optional_policy(`
|
@@ -213,7 +200,6 @@ optional_policy(`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
postfix_list_spool(munin_t)
|
postfix_list_spool(munin_t)
|
||||||
@ -40048,7 +40091,7 @@ index 97370e4..f076c38 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -246,17 +230,17 @@ corenet_sendrecv_hddtemp_client_packets(disk_munin_plugin_t)
|
@@ -246,17 +232,17 @@ corenet_sendrecv_hddtemp_client_packets(disk_munin_plugin_t)
|
||||||
corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
|
corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
|
||||||
corenet_tcp_sendrecv_hddtemp_port(disk_munin_plugin_t)
|
corenet_tcp_sendrecv_hddtemp_port(disk_munin_plugin_t)
|
||||||
|
|
||||||
@ -40070,7 +40113,7 @@ index 97370e4..f076c38 100644
|
|||||||
|
|
||||||
sysnet_read_config(disk_munin_plugin_t)
|
sysnet_read_config(disk_munin_plugin_t)
|
||||||
|
|
||||||
@@ -275,27 +259,36 @@ optional_policy(`
|
@@ -275,27 +261,36 @@ optional_policy(`
|
||||||
|
|
||||||
allow mail_munin_plugin_t self:capability dac_override;
|
allow mail_munin_plugin_t self:capability dac_override;
|
||||||
|
|
||||||
@ -40111,7 +40154,7 @@ index 97370e4..f076c38 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -353,7 +346,11 @@ optional_policy(`
|
@@ -353,7 +348,11 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -40124,7 +40167,15 @@ index 97370e4..f076c38 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -413,3 +410,30 @@ optional_policy(`
|
@@ -385,6 +384,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
|
||||||
|
|
||||||
|
kernel_read_network_state(system_munin_plugin_t)
|
||||||
|
kernel_read_all_sysctls(system_munin_plugin_t)
|
||||||
|
+kernel_read_fs_sysctls(system_munin_plugin_t)
|
||||||
|
|
||||||
|
dev_read_sysfs(system_munin_plugin_t)
|
||||||
|
dev_read_urand(system_munin_plugin_t)
|
||||||
|
@@ -413,3 +413,31 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
unconfined_domain(unconfined_munin_plugin_t)
|
unconfined_domain(unconfined_munin_plugin_t)
|
||||||
')
|
')
|
||||||
@ -40146,7 +40197,8 @@ index 97370e4..f076c38 100644
|
|||||||
+read_files_pattern(httpd_munin_script_t, munin_var_lib_t, munin_var_lib_t)
|
+read_files_pattern(httpd_munin_script_t, munin_var_lib_t, munin_var_lib_t)
|
||||||
+read_files_pattern(httpd_munin_script_t, munin_etc_t, munin_etc_t)
|
+read_files_pattern(httpd_munin_script_t, munin_etc_t, munin_etc_t)
|
||||||
+
|
+
|
||||||
+allow httpd_munin_script_t munin_log_t:file read_file_perms;
|
+read_files_pattern(httpd_munin_script_t, munin_log_t, munin_log_t)
|
||||||
|
+append_files_pattern(httpd_munin_script_t, munin_log_t, munin_log_t)
|
||||||
+
|
+
|
||||||
+files_search_var_lib(httpd_munin_script_t)
|
+files_search_var_lib(httpd_munin_script_t)
|
||||||
+
|
+
|
||||||
@ -42462,7 +42514,7 @@ index 0e8508c..b9c69d2 100644
|
|||||||
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf")
|
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf")
|
||||||
')
|
')
|
||||||
diff --git a/networkmanager.te b/networkmanager.te
|
diff --git a/networkmanager.te b/networkmanager.te
|
||||||
index 0b48a30..da4eebb 100644
|
index 0b48a30..0c6cd41 100644
|
||||||
--- a/networkmanager.te
|
--- a/networkmanager.te
|
||||||
+++ b/networkmanager.te
|
+++ b/networkmanager.te
|
||||||
@@ -1,4 +1,4 @@
|
@@ -1,4 +1,4 @@
|
||||||
@ -42786,7 +42838,7 @@ index 0b48a30..da4eebb 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -320,13 +342,14 @@ optional_policy(`
|
@@ -320,13 +342,15 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -42795,6 +42847,7 @@ index 0b48a30..da4eebb 100644
|
|||||||
+ systemd_write_inhibit_pipes(NetworkManager_t)
|
+ systemd_write_inhibit_pipes(NetworkManager_t)
|
||||||
+ systemd_read_logind_sessions_files(NetworkManager_t)
|
+ systemd_read_logind_sessions_files(NetworkManager_t)
|
||||||
+ systemd_dbus_chat_logind(NetworkManager_t)
|
+ systemd_dbus_chat_logind(NetworkManager_t)
|
||||||
|
+ systemd_hostnamed_read_config(NetworkManager_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -42805,7 +42858,7 @@ index 0b48a30..da4eebb 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -356,6 +379,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
|
@@ -356,6 +380,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
|
||||||
init_dontaudit_use_fds(wpa_cli_t)
|
init_dontaudit_use_fds(wpa_cli_t)
|
||||||
init_use_script_ptys(wpa_cli_t)
|
init_use_script_ptys(wpa_cli_t)
|
||||||
|
|
||||||
@ -43499,10 +43552,10 @@ index 0000000..7d11148
|
|||||||
+')
|
+')
|
||||||
diff --git a/nova.te b/nova.te
|
diff --git a/nova.te b/nova.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..7ce9e62
|
index 0000000..c3a9a89
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/nova.te
|
+++ b/nova.te
|
||||||
@@ -0,0 +1,326 @@
|
@@ -0,0 +1,325 @@
|
||||||
+policy_module(nova, 1.0.0)
|
+policy_module(nova, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -43558,19 +43611,18 @@ index 0000000..7ce9e62
|
|||||||
+manage_files_pattern(nova_domain, nova_var_run_t, nova_var_run_t)
|
+manage_files_pattern(nova_domain, nova_var_run_t, nova_var_run_t)
|
||||||
+
|
+
|
||||||
+corenet_tcp_connect_amqp_port(nova_domain)
|
+corenet_tcp_connect_amqp_port(nova_domain)
|
||||||
|
+corenet_tcp_connect_mysqld_port(nova_domain)
|
||||||
+
|
+
|
||||||
+corecmd_exec_bin(nova_domain)
|
+corecmd_exec_bin(nova_domain)
|
||||||
+corecmd_exec_shell(nova_domain)
|
+corecmd_exec_shell(nova_domain)
|
||||||
|
+corenet_tcp_connect_mysqld_port(nova_domain)
|
||||||
+
|
+
|
||||||
+dev_read_urand(nova_domain)
|
+dev_read_urand(nova_domain)
|
||||||
+
|
+
|
||||||
+fs_getattr_xattr_fs(nova_domain)
|
+fs_getattr_xattr_fs(nova_domain)
|
||||||
+
|
+
|
||||||
+
|
|
||||||
+libs_exec_ldconfig(nova_domain)
|
+libs_exec_ldconfig(nova_domain)
|
||||||
+
|
+
|
||||||
+
|
|
||||||
+
|
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ sysnet_read_config(nova_domain)
|
+ sysnet_read_config(nova_domain)
|
||||||
+')
|
+')
|
||||||
@ -48042,10 +48094,10 @@ index 0000000..407386d
|
|||||||
+')
|
+')
|
||||||
diff --git a/openshift.te b/openshift.te
|
diff --git a/openshift.te b/openshift.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..a23c70a
|
index 0000000..d859b72
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/openshift.te
|
+++ b/openshift.te
|
||||||
@@ -0,0 +1,472 @@
|
@@ -0,0 +1,481 @@
|
||||||
+policy_module(openshift,1.0.0)
|
+policy_module(openshift,1.0.0)
|
||||||
+
|
+
|
||||||
+gen_require(`
|
+gen_require(`
|
||||||
@ -48112,6 +48164,9 @@ index 0000000..a23c70a
|
|||||||
+type openshift_cgroup_read_exec_t;
|
+type openshift_cgroup_read_exec_t;
|
||||||
+application_domain(openshift_cgroup_read_t, openshift_cgroup_read_exec_t)
|
+application_domain(openshift_cgroup_read_t, openshift_cgroup_read_exec_t)
|
||||||
+
|
+
|
||||||
|
+type openshift_cgroup_read_tmp_t, openshift_file_type;
|
||||||
|
+files_tmp_file(openshift_cgroup_read_tmp_t)
|
||||||
|
+
|
||||||
+type openshift_cron_t;
|
+type openshift_cron_t;
|
||||||
+type openshift_cron_exec_t;
|
+type openshift_cron_exec_t;
|
||||||
+domain_type(openshift_cron_t)
|
+domain_type(openshift_cron_t)
|
||||||
@ -48281,6 +48336,7 @@ index 0000000..a23c70a
|
|||||||
+files_dontaudit_getattr_non_security_sockets(openshift_domain)
|
+files_dontaudit_getattr_non_security_sockets(openshift_domain)
|
||||||
+files_dontaudit_setattr_non_security_dirs(openshift_domain)
|
+files_dontaudit_setattr_non_security_dirs(openshift_domain)
|
||||||
+files_dontaudit_setattr_non_security_files(openshift_domain)
|
+files_dontaudit_setattr_non_security_files(openshift_domain)
|
||||||
|
+files_dontaudit_rw_inherited_locks(openshift_domain)
|
||||||
+
|
+
|
||||||
+libs_exec_lib_files(openshift_domain)
|
+libs_exec_lib_files(openshift_domain)
|
||||||
+libs_exec_ld_so(openshift_domain)
|
+libs_exec_ld_so(openshift_domain)
|
||||||
@ -48416,6 +48472,10 @@ index 0000000..a23c70a
|
|||||||
+allow openshift_cgroup_read_t self:unix_stream_socket create_stream_socket_perms;
|
+allow openshift_cgroup_read_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
+allow openshift_cgroup_read_t openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
|
+allow openshift_cgroup_read_t openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
|
||||||
+
|
+
|
||||||
|
+manage_dirs_pattern(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, openshift_cgroup_read_tmp_t)
|
||||||
|
+manage_files_pattern(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, openshift_cgroup_read_tmp_t)
|
||||||
|
+files_tmp_filetrans(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, { file dir })
|
||||||
|
+
|
||||||
+kernel_read_system_state(openshift_cgroup_read_t)
|
+kernel_read_system_state(openshift_cgroup_read_t)
|
||||||
+
|
+
|
||||||
+miscfiles_read_localization(openshift_cgroup_read_t)
|
+miscfiles_read_localization(openshift_cgroup_read_t)
|
||||||
@ -48425,12 +48485,12 @@ index 0000000..a23c70a
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+corecmd_exec_bin(openshift_cgroup_read_t)
|
+corecmd_exec_bin(openshift_cgroup_read_t)
|
||||||
|
+corecmd_exec_shell(openshift_cgroup_read_t)
|
||||||
+
|
+
|
||||||
+dev_read_urand(openshift_cgroup_read_t)
|
+dev_read_urand(openshift_cgroup_read_t)
|
||||||
+
|
+
|
||||||
+domain_use_interactive_fds(openshift_cgroup_read_t)
|
+domain_use_interactive_fds(openshift_cgroup_read_t)
|
||||||
+
|
+
|
||||||
+
|
|
||||||
+fs_dontaudit_rw_anon_inodefs_files(openshift_cgroup_read_t)
|
+fs_dontaudit_rw_anon_inodefs_files(openshift_cgroup_read_t)
|
||||||
+
|
+
|
||||||
+userdom_use_inherited_user_ptys(openshift_cgroup_read_t)
|
+userdom_use_inherited_user_ptys(openshift_cgroup_read_t)
|
||||||
@ -48442,6 +48502,7 @@ index 0000000..a23c70a
|
|||||||
+
|
+
|
||||||
+allow openshift_domain openshift_cgroup_read_t:process { getattr signal signull sigkill };
|
+allow openshift_domain openshift_cgroup_read_t:process { getattr signal signull sigkill };
|
||||||
+
|
+
|
||||||
|
+fs_list_cgroup_dirs(openshift_cgroup_read_t)
|
||||||
+fs_read_cgroup_files(openshift_cgroup_read_t)
|
+fs_read_cgroup_files(openshift_cgroup_read_t)
|
||||||
+
|
+
|
||||||
+allow openshift_cgroup_read_t openshift_var_lib_t:dir list_dir_perms;
|
+allow openshift_cgroup_read_t openshift_var_lib_t:dir list_dir_perms;
|
||||||
@ -63284,7 +63345,7 @@ index 5421af0..91e69b8 100644
|
|||||||
+/var/run/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_run_t,s0)
|
+/var/run/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_run_t,s0)
|
||||||
+/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
|
+/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
|
||||||
diff --git a/rgmanager.if b/rgmanager.if
|
diff --git a/rgmanager.if b/rgmanager.if
|
||||||
index 1c2f9aa..7d70a46 100644
|
index 1c2f9aa..8af1f78 100644
|
||||||
--- a/rgmanager.if
|
--- a/rgmanager.if
|
||||||
+++ b/rgmanager.if
|
+++ b/rgmanager.if
|
||||||
@@ -1,13 +1,13 @@
|
@@ -1,13 +1,13 @@
|
||||||
@ -63314,8 +63375,29 @@ index 1c2f9aa..7d70a46 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -41,8 +40,7 @@ interface(`rgmanager_stream_connect',`
|
@@ -39,10 +38,28 @@ interface(`rgmanager_stream_connect',`
|
||||||
|
stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Manage rgmanager pid files
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`rgmanager_manage_pid_files',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type rgmanager_var_run_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ files_search_pids($1)
|
||||||
|
+ manage_files_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
######################################
|
######################################
|
||||||
## <summary>
|
## <summary>
|
||||||
-## Create, read, write, and delete
|
-## Create, read, write, and delete
|
||||||
@ -63324,7 +63406,7 @@ index 1c2f9aa..7d70a46 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -61,8 +59,7 @@ interface(`rgmanager_manage_tmp_files',`
|
@@ -61,8 +78,7 @@ interface(`rgmanager_manage_tmp_files',`
|
||||||
|
|
||||||
######################################
|
######################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -63334,7 +63416,7 @@ index 1c2f9aa..7d70a46 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -79,10 +76,28 @@ interface(`rgmanager_manage_tmpfs_files',`
|
@@ -79,10 +95,28 @@ interface(`rgmanager_manage_tmpfs_files',`
|
||||||
manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
|
manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -63365,7 +63447,7 @@ index 1c2f9aa..7d70a46 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -91,7 +106,7 @@ interface(`rgmanager_manage_tmpfs_files',`
|
@@ -91,7 +125,7 @@ interface(`rgmanager_manage_tmpfs_files',`
|
||||||
## </param>
|
## </param>
|
||||||
## <param name="role">
|
## <param name="role">
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -63374,7 +63456,7 @@ index 1c2f9aa..7d70a46 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
## <rolecap/>
|
## <rolecap/>
|
||||||
@@ -102,8 +117,11 @@ interface(`rgmanager_admin',`
|
@@ -102,8 +136,11 @@ interface(`rgmanager_admin',`
|
||||||
type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t;
|
type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -63387,7 +63469,7 @@ index 1c2f9aa..7d70a46 100644
|
|||||||
|
|
||||||
init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
|
init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
|
||||||
domain_system_change_exemption($1)
|
domain_system_change_exemption($1)
|
||||||
@@ -121,3 +139,47 @@ interface(`rgmanager_admin',`
|
@@ -121,3 +158,47 @@ interface(`rgmanager_admin',`
|
||||||
files_list_pids($1)
|
files_list_pids($1)
|
||||||
admin_pattern($1, rgmanager_var_run_t)
|
admin_pattern($1, rgmanager_var_run_t)
|
||||||
')
|
')
|
||||||
@ -78776,10 +78858,21 @@ index c9824cb..1973f71 100644
|
|||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fds(sxid_t)
|
userdom_dontaudit_use_unpriv_user_fds(sxid_t)
|
||||||
diff --git a/sysstat.te b/sysstat.te
|
diff --git a/sysstat.te b/sysstat.te
|
||||||
index c8b80b2..e6b8ab8 100644
|
index c8b80b2..f041061 100644
|
||||||
--- a/sysstat.te
|
--- a/sysstat.te
|
||||||
+++ b/sysstat.te
|
+++ b/sysstat.te
|
||||||
@@ -38,6 +38,7 @@ kernel_read_kernel_sysctls(sysstat_t)
|
@@ -24,9 +24,7 @@ allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_co
|
||||||
|
allow sysstat_t self:fifo_file rw_fifo_file_perms;
|
||||||
|
|
||||||
|
manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
|
||||||
|
-append_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
|
||||||
|
-create_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
|
||||||
|
-setattr_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
|
||||||
|
+manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
|
||||||
|
manage_lnk_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
|
||||||
|
logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
|
||||||
|
|
||||||
|
@@ -38,6 +36,7 @@ kernel_read_kernel_sysctls(sysstat_t)
|
||||||
kernel_read_fs_sysctls(sysstat_t)
|
kernel_read_fs_sysctls(sysstat_t)
|
||||||
kernel_read_rpc_sysctls(sysstat_t)
|
kernel_read_rpc_sysctls(sysstat_t)
|
||||||
|
|
||||||
@ -78787,7 +78880,7 @@ index c8b80b2..e6b8ab8 100644
|
|||||||
corecmd_exec_bin(sysstat_t)
|
corecmd_exec_bin(sysstat_t)
|
||||||
|
|
||||||
dev_read_sysfs(sysstat_t)
|
dev_read_sysfs(sysstat_t)
|
||||||
@@ -49,8 +50,10 @@ files_read_etc_runtime_files(sysstat_t)
|
@@ -49,8 +48,10 @@ files_read_etc_runtime_files(sysstat_t)
|
||||||
fs_getattr_xattr_fs(sysstat_t)
|
fs_getattr_xattr_fs(sysstat_t)
|
||||||
fs_list_inotifyfs(sysstat_t)
|
fs_list_inotifyfs(sysstat_t)
|
||||||
|
|
||||||
@ -78799,7 +78892,7 @@ index c8b80b2..e6b8ab8 100644
|
|||||||
|
|
||||||
auth_use_nsswitch(sysstat_t)
|
auth_use_nsswitch(sysstat_t)
|
||||||
|
|
||||||
@@ -60,10 +63,9 @@ locallogin_use_fds(sysstat_t)
|
@@ -60,10 +61,9 @@ locallogin_use_fds(sysstat_t)
|
||||||
|
|
||||||
logging_send_syslog_msg(sysstat_t)
|
logging_send_syslog_msg(sysstat_t)
|
||||||
|
|
||||||
@ -81954,7 +82047,7 @@ index e29db63..061fb98 100644
|
|||||||
domain_system_change_exemption($1)
|
domain_system_change_exemption($1)
|
||||||
role_transition $2 tuned_initrc_exec_t system_r;
|
role_transition $2 tuned_initrc_exec_t system_r;
|
||||||
diff --git a/tuned.te b/tuned.te
|
diff --git a/tuned.te b/tuned.te
|
||||||
index 7116181..9815e42 100644
|
index 7116181..0bd0be9 100644
|
||||||
--- a/tuned.te
|
--- a/tuned.te
|
||||||
+++ b/tuned.te
|
+++ b/tuned.te
|
||||||
@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
|
@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
|
||||||
@ -82000,7 +82093,11 @@ index 7116181..9815e42 100644
|
|||||||
|
|
||||||
corecmd_exec_bin(tuned_t)
|
corecmd_exec_bin(tuned_t)
|
||||||
corecmd_exec_shell(tuned_t)
|
corecmd_exec_shell(tuned_t)
|
||||||
@@ -67,28 +77,44 @@ dev_read_urand(tuned_t)
|
@@ -64,31 +74,48 @@ corecmd_exec_shell(tuned_t)
|
||||||
|
dev_getattr_all_blk_files(tuned_t)
|
||||||
|
dev_getattr_all_chr_files(tuned_t)
|
||||||
|
dev_read_urand(tuned_t)
|
||||||
|
+dev_read_cpuid(tuned_t)
|
||||||
dev_rw_sysfs(tuned_t)
|
dev_rw_sysfs(tuned_t)
|
||||||
dev_rw_netcontrol(tuned_t)
|
dev_rw_netcontrol(tuned_t)
|
||||||
|
|
||||||
@ -85228,7 +85325,7 @@ index 9dec06c..d8a2b54 100644
|
|||||||
+ allow svirt_lxc_domain $1:process sigchld;
|
+ allow svirt_lxc_domain $1:process sigchld;
|
||||||
')
|
')
|
||||||
diff --git a/virt.te b/virt.te
|
diff --git a/virt.te b/virt.te
|
||||||
index 1f22fba..d984f26 100644
|
index 1f22fba..12f4354 100644
|
||||||
--- a/virt.te
|
--- a/virt.te
|
||||||
+++ b/virt.te
|
+++ b/virt.te
|
||||||
@@ -1,94 +1,98 @@
|
@@ -1,94 +1,98 @@
|
||||||
@ -85524,9 +85621,7 @@ index 1f22fba..d984f26 100644
|
|||||||
-append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
|
-append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
|
||||||
-
|
-
|
||||||
-kernel_read_system_state(virt_domain)
|
-kernel_read_system_state(virt_domain)
|
||||||
+# it was a part of auth_use_nsswitch
|
-
|
||||||
+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
|
|
||||||
|
|
||||||
-fs_getattr_xattr_fs(virt_domain)
|
-fs_getattr_xattr_fs(virt_domain)
|
||||||
-
|
-
|
||||||
-corecmd_exec_bin(virt_domain)
|
-corecmd_exec_bin(virt_domain)
|
||||||
@ -85644,7 +85739,9 @@ index 1f22fba..d984f26 100644
|
|||||||
- fs_manage_dos_dirs(virt_domain)
|
- fs_manage_dos_dirs(virt_domain)
|
||||||
- fs_manage_dos_files(virt_domain)
|
- fs_manage_dos_files(virt_domain)
|
||||||
-')
|
-')
|
||||||
-
|
+# it was a part of auth_use_nsswitch
|
||||||
|
+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
|
||||||
|
|
||||||
-optional_policy(`
|
-optional_policy(`
|
||||||
- tunable_policy(`virt_use_xserver',`
|
- tunable_policy(`virt_use_xserver',`
|
||||||
- xserver_read_xdm_pid(virt_domain)
|
- xserver_read_xdm_pid(virt_domain)
|
||||||
@ -86097,7 +86194,7 @@ index 1f22fba..d984f26 100644
|
|||||||
+# virtual domains common policy
|
+# virtual domains common policy
|
||||||
+#
|
+#
|
||||||
+allow virt_domain self:capability2 compromise_kernel;
|
+allow virt_domain self:capability2 compromise_kernel;
|
||||||
+allow virt_domain self:process { signal getsched signull };
|
+allow virt_domain self:process { setrlimit signal_perms getsched };
|
||||||
+allow virt_domain self:fifo_file rw_fifo_file_perms;
|
+allow virt_domain self:fifo_file rw_fifo_file_perms;
|
||||||
+allow virt_domain self:shm create_shm_perms;
|
+allow virt_domain self:shm create_shm_perms;
|
||||||
+allow virt_domain self:unix_stream_socket create_stream_socket_perms;
|
+allow virt_domain self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.12.1
|
Version: 3.12.1
|
||||||
Release: 18%{?dist}
|
Release: 19%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -526,6 +526,24 @@ SELinux Reference policy mls base module.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Mar 7 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-19
|
||||||
|
- Allow postgresql to manage rgmanager pid files
|
||||||
|
- Allow postgresql to read ccs data
|
||||||
|
- Allow systemd_domain to send dbus messages to policykit
|
||||||
|
- Add labels for /etc/hostname and /etc/machine-info and allow systemd-hostnamed to create them
|
||||||
|
- All systemd domains that create content are reading the file_context file and setfscreate
|
||||||
|
- Systemd domains need to search through init_var_run_t
|
||||||
|
- Allow sshd to communicate with libvirt to set containers labels
|
||||||
|
- Add interface to manage pid files
|
||||||
|
- Allow NetworkManger_t to read /etc/hostname
|
||||||
|
- Dontaudit leaked locked files into openshift_domains
|
||||||
|
- Add fixes for oo-cgroup-read - it nows creates tmp files
|
||||||
|
- Allow gluster to manage all directories as well as files
|
||||||
|
- Dontaudit chrome_sandbox_nacl_t using user terminals
|
||||||
|
- Allow sysstat to manage its own log files
|
||||||
|
- Allow virtual machines to setrlimit and send itself signals.
|
||||||
|
- Add labeling for /var/run/hplip
|
||||||
|
|
||||||
* Mon Mar 4 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-18
|
* Mon Mar 4 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-18
|
||||||
- Fix POSTIN scriptlet
|
- Fix POSTIN scriptlet
|
||||||
|
|
||||||