* Fri Oct 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-151
- Update modules_filetrans_named_content() to make sure we don't get modules_dep labeling by filename transitions. - Remove /usr/lib/modules/[^/]+/modules\..+ labeling - Add modutils_read_module_deps_files() which is called from files_read_kernel_modules() for module deps which are still labeled as modules_dep_t. - Remove modules_dep_t labeling for kernel module deps. depmod is a symlink to kmod which is labeled as insmod_exec_t which handles modules_object_t and there is no transition to modules_dep_t. Also some of these module deps are placed by cpio during install/update of kernel package.
parent
61514837cc
commit
0927e3f742
@ -10876,7 +10876,7 @@ index b876c48..03f9342 100644
|
||||
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
|
||||
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
|
||||
index f962f76..7c3c35b 100644
|
||||
index f962f76..9cb7e98 100644
|
||||
--- a/policy/modules/kernel/files.if
|
||||
+++ b/policy/modules/kernel/files.if
|
||||
@@ -19,6 +19,136 @@
|
||||
@ -12776,19 +12776,20 @@ index f962f76..7c3c35b 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4012,6 +4834,11 @@ interface(`files_read_kernel_modules',`
|
||||
@@ -4012,6 +4834,12 @@ interface(`files_read_kernel_modules',`
|
||||
allow $1 modules_object_t:dir list_dir_perms;
|
||||
read_files_pattern($1, modules_object_t, modules_object_t)
|
||||
read_lnk_files_pattern($1, modules_object_t, modules_object_t)
|
||||
+
|
||||
+ # allow to read module deps because of labeling changed to modules_dep_t
|
||||
+ # FIXME:
|
||||
+ # needed for already labeled module deps by modules_dep_t
|
||||
+ optional_policy(`
|
||||
+ modutils_read_module_deps($1)
|
||||
+ modutils_read_module_deps_files($1)
|
||||
+ ')
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4217,6 +5044,175 @@ interface(`files_read_world_readable_sockets',`
|
||||
@@ -4217,6 +5045,175 @@ interface(`files_read_world_readable_sockets',`
|
||||
allow $1 readable_t:sock_file read_sock_file_perms;
|
||||
')
|
||||
|
||||
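Review bot: `modutils_read_module_deps($1)` and `modutils_read_module_deps_files($1)` are both shown inside the new `optional_policy` block of `files_read_kernel_modules`; if both are really on the new side, the first is redundant with the second, and since the modutils.if hunk further down adds `files_read_kernel_modules($1)` to `modutils_read_module_deps`, the two interfaces would expand each other — refpolicy interfaces are m4 macros expanded inline, so that mutual call does not terminate. Keep only `modutils_read_module_deps_files($1)` here. The `# FIXME:` comment should also say what retires it, e.g. `# FIXME: transitional - drop once installed modules.* files have been relabeled from modules_dep_t`. The enclosing interface starts before this hunk's `@@` header, so the rest of its body is not visible here.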
@ -12964,7 +12965,7 @@ index f962f76..7c3c35b 100644
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified type to associate
|
||||
@@ -4239,6 +5235,26 @@ interface(`files_associate_tmp',`
|
||||
@@ -4239,6 +5236,26 @@ interface(`files_associate_tmp',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -12991,7 +12992,7 @@ index f962f76..7c3c35b 100644
|
||||
## Get the attributes of the tmp directory (/tmp).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -4252,17 +5268,37 @@ interface(`files_getattr_tmp_dirs',`
|
||||
@@ -4252,17 +5269,37 @@ interface(`files_getattr_tmp_dirs',`
|
||||
type tmp_t;
|
||||
')
|
||||
|
||||
@ -13030,7 +13031,7 @@ index f962f76..7c3c35b 100644
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@@ -4289,6 +5325,8 @@ interface(`files_search_tmp',`
|
||||
@@ -4289,6 +5326,8 @@ interface(`files_search_tmp',`
|
||||
type tmp_t;
|
||||
')
|
||||
|
||||
@ -13039,7 +13040,7 @@ index f962f76..7c3c35b 100644
|
||||
allow $1 tmp_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
@@ -4325,6 +5363,7 @@ interface(`files_list_tmp',`
|
||||
@@ -4325,6 +5364,7 @@ interface(`files_list_tmp',`
|
||||
type tmp_t;
|
||||
')
|
||||
|
||||
@ -13047,7 +13048,7 @@ index f962f76..7c3c35b 100644
|
||||
allow $1 tmp_t:dir list_dir_perms;
|
||||
')
|
||||
|
||||
@@ -4334,7 +5373,7 @@ interface(`files_list_tmp',`
|
||||
@@ -4334,7 +5374,7 @@ interface(`files_list_tmp',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -13056,7 +13057,7 @@ index f962f76..7c3c35b 100644
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@@ -4346,21 +5385,41 @@ interface(`files_dontaudit_list_tmp',`
|
||||
@@ -4346,14 +5386,33 @@ interface(`files_dontaudit_list_tmp',`
|
||||
dontaudit $1 tmp_t:dir list_dir_perms;
|
||||
')
|
||||
|
||||
@ -13073,9 +13074,8 @@ index f962f76..7c3c35b 100644
|
||||
+## <summary>
|
||||
+## Domain not to audit.
|
||||
+## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`files_delete_tmp_dir_entry',`
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`files_rw_generic_tmp_dir',`
|
||||
+ gen_require(`
|
||||
+ type tmp_t;
|
||||
@ -13093,10 +13093,10 @@ index f962f76..7c3c35b 100644
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`files_delete_tmp_dir_entry',`
|
||||
gen_require(`
|
||||
## </param>
|
||||
#
|
||||
interface(`files_delete_tmp_dir_entry',`
|
||||
@@ -4361,6 +5420,7 @@ interface(`files_delete_tmp_dir_entry',`
|
||||
type tmp_t;
|
||||
')
|
||||
|
||||
@ -13104,7 +13104,7 @@ index f962f76..7c3c35b 100644
|
||||
allow $1 tmp_t:dir del_entry_dir_perms;
|
||||
')
|
||||
|
||||
@@ -4402,6 +5461,32 @@ interface(`files_manage_generic_tmp_dirs',`
|
||||
@@ -4402,6 +5462,32 @@ interface(`files_manage_generic_tmp_dirs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -13137,7 +13137,7 @@ index f962f76..7c3c35b 100644
|
||||
## Manage temporary files and directories in /tmp.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -4456,6 +5541,42 @@ interface(`files_rw_generic_tmp_sockets',`
|
||||
@@ -4456,6 +5542,42 @@ interface(`files_rw_generic_tmp_sockets',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -13180,7 +13180,7 @@ index f962f76..7c3c35b 100644
|
||||
## Set the attributes of all tmp directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -4474,6 +5595,60 @@ interface(`files_setattr_all_tmp_dirs',`
|
||||
@@ -4474,6 +5596,60 @@ interface(`files_setattr_all_tmp_dirs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -13241,7 +13241,7 @@ index f962f76..7c3c35b 100644
|
||||
## List all tmp directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -4519,7 +5694,7 @@ interface(`files_relabel_all_tmp_dirs',`
|
||||
@@ -4519,7 +5695,7 @@ interface(`files_relabel_all_tmp_dirs',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -13250,7 +13250,7 @@ index f962f76..7c3c35b 100644
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@@ -4579,7 +5754,7 @@ interface(`files_relabel_all_tmp_files',`
|
||||
@@ -4579,7 +5755,7 @@ interface(`files_relabel_all_tmp_files',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -13259,7 +13259,7 @@ index f962f76..7c3c35b 100644
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@@ -4611,6 +5786,44 @@ interface(`files_read_all_tmp_files',`
|
||||
@@ -4611,6 +5787,44 @@ interface(`files_read_all_tmp_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -13304,7 +13304,7 @@ index f962f76..7c3c35b 100644
|
||||
## Create an object in the tmp directories, with a private
|
||||
## type using a type transition.
|
||||
## </summary>
|
||||
@@ -4664,6 +5877,16 @@ interface(`files_purge_tmp',`
|
||||
@@ -4664,6 +5878,16 @@ interface(`files_purge_tmp',`
|
||||
delete_lnk_files_pattern($1, tmpfile, tmpfile)
|
||||
delete_fifo_files_pattern($1, tmpfile, tmpfile)
|
||||
delete_sock_files_pattern($1, tmpfile, tmpfile)
|
||||
@ -13321,7 +13321,7 @@ index f962f76..7c3c35b 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -5112,6 +6335,24 @@ interface(`files_create_kernel_symbol_table',`
|
||||
@@ -5112,6 +6336,24 @@ interface(`files_create_kernel_symbol_table',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -13346,7 +13346,7 @@ index f962f76..7c3c35b 100644
|
||||
## Read system.map in the /boot directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -5241,6 +6482,24 @@ interface(`files_list_var',`
|
||||
@@ -5241,6 +6483,24 @@ interface(`files_list_var',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -13371,7 +13371,7 @@ index f962f76..7c3c35b 100644
|
||||
## Create, read, write, and delete directories
|
||||
## in the /var directory.
|
||||
## </summary>
|
||||
@@ -5328,7 +6587,7 @@ interface(`files_dontaudit_rw_var_files',`
|
||||
@@ -5328,7 +6588,7 @@ interface(`files_dontaudit_rw_var_files',`
|
||||
type var_t;
|
||||
')
|
||||
|
||||
@ -13380,7 +13380,7 @@ index f962f76..7c3c35b 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -5527,6 +6786,25 @@ interface(`files_rw_var_lib_dirs',`
|
||||
@@ -5527,6 +6787,25 @@ interface(`files_rw_var_lib_dirs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -13406,7 +13406,7 @@ index f962f76..7c3c35b 100644
|
||||
## Create objects in the /var/lib directory
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -5596,6 +6874,25 @@ interface(`files_read_var_lib_symlinks',`
|
||||
@@ -5596,6 +6875,25 @@ interface(`files_read_var_lib_symlinks',`
|
||||
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
|
||||
')
|
||||
|
||||
@ -13432,7 +13432,7 @@ index f962f76..7c3c35b 100644
|
||||
# cjp: the next two interfaces really need to be fixed
|
||||
# in some way. They really neeed their own types.
|
||||
|
||||
@@ -5641,7 +6938,7 @@ interface(`files_manage_mounttab',`
|
||||
@@ -5641,7 +6939,7 @@ interface(`files_manage_mounttab',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -13441,7 +13441,7 @@ index f962f76..7c3c35b 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -5649,12 +6946,13 @@ interface(`files_manage_mounttab',`
|
||||
@@ -5649,12 +6947,13 @@ interface(`files_manage_mounttab',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -13457,7 +13457,7 @@ index f962f76..7c3c35b 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -5672,6 +6970,7 @@ interface(`files_search_locks',`
|
||||
@@ -5672,6 +6971,7 @@ interface(`files_search_locks',`
|
||||
type var_t, var_lock_t;
|
||||
')
|
||||
|
||||
@ -13465,7 +13465,7 @@ index f962f76..7c3c35b 100644
|
||||
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
|
||||
search_dirs_pattern($1, var_t, var_lock_t)
|
||||
')
|
||||
@@ -5698,7 +6997,26 @@ interface(`files_dontaudit_search_locks',`
|
||||
@@ -5698,7 +6998,26 @@ interface(`files_dontaudit_search_locks',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -13493,7 +13493,7 @@ index f962f76..7c3c35b 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -5706,13 +7024,12 @@ interface(`files_dontaudit_search_locks',`
|
||||
@@ -5706,13 +7025,12 @@ interface(`files_dontaudit_search_locks',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -13510,7 +13510,7 @@ index f962f76..7c3c35b 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -5731,7 +7048,7 @@ interface(`files_rw_lock_dirs',`
|
||||
@@ -5731,7 +7049,7 @@ interface(`files_rw_lock_dirs',`
|
||||
type var_t, var_lock_t;
|
||||
')
|
||||
|
||||
@ -13519,7 +13519,7 @@ index f962f76..7c3c35b 100644
|
||||
rw_dirs_pattern($1, var_t, var_lock_t)
|
||||
')
|
||||
|
||||
@@ -5764,7 +7081,6 @@ interface(`files_create_lock_dirs',`
|
||||
@@ -5764,7 +7082,6 @@ interface(`files_create_lock_dirs',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
@ -13527,7 +13527,7 @@ index f962f76..7c3c35b 100644
|
||||
#
|
||||
interface(`files_relabel_all_lock_dirs',`
|
||||
gen_require(`
|
||||
@@ -5779,7 +7095,7 @@ interface(`files_relabel_all_lock_dirs',`
|
||||
@@ -5779,7 +7096,7 @@ interface(`files_relabel_all_lock_dirs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -13536,7 +13536,7 @@ index f962f76..7c3c35b 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -5787,13 +7103,33 @@ interface(`files_relabel_all_lock_dirs',`
|
||||
@@ -5787,13 +7104,33 @@ interface(`files_relabel_all_lock_dirs',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -13571,7 +13571,7 @@ index f962f76..7c3c35b 100644
|
||||
allow $1 var_lock_t:dir list_dir_perms;
|
||||
getattr_files_pattern($1, var_lock_t, var_lock_t)
|
||||
')
|
||||
@@ -5809,13 +7145,12 @@ interface(`files_getattr_generic_locks',`
|
||||
@@ -5809,13 +7146,12 @@ interface(`files_getattr_generic_locks',`
|
||||
## </param>
|
||||
#
|
||||
interface(`files_delete_generic_locks',`
|
||||
@ -13589,7 +13589,7 @@ index f962f76..7c3c35b 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -5834,9 +7169,7 @@ interface(`files_manage_generic_locks',`
|
||||
@@ -5834,9 +7170,7 @@ interface(`files_manage_generic_locks',`
|
||||
type var_t, var_lock_t;
|
||||
')
|
||||
|
||||
@ -13600,7 +13600,7 @@ index f962f76..7c3c35b 100644
|
||||
manage_files_pattern($1, var_lock_t, var_lock_t)
|
||||
')
|
||||
|
||||
@@ -5878,8 +7211,7 @@ interface(`files_read_all_locks',`
|
||||
@@ -5878,8 +7212,7 @@ interface(`files_read_all_locks',`
|
||||
type var_t, var_lock_t;
|
||||
')
|
||||
|
||||
@ -13610,7 +13610,7 @@ index f962f76..7c3c35b 100644
|
||||
allow $1 lockfile:dir list_dir_perms;
|
||||
read_files_pattern($1, lockfile, lockfile)
|
||||
read_lnk_files_pattern($1, lockfile, lockfile)
|
||||
@@ -5901,8 +7233,7 @@ interface(`files_manage_all_locks',`
|
||||
@@ -5901,8 +7234,7 @@ interface(`files_manage_all_locks',`
|
||||
type var_t, var_lock_t;
|
||||
')
|
||||
|
||||
@ -13620,7 +13620,7 @@ index f962f76..7c3c35b 100644
|
||||
manage_dirs_pattern($1, lockfile, lockfile)
|
||||
manage_files_pattern($1, lockfile, lockfile)
|
||||
manage_lnk_files_pattern($1, lockfile, lockfile)
|
||||
@@ -5939,8 +7270,7 @@ interface(`files_lock_filetrans',`
|
||||
@@ -5939,8 +7271,7 @@ interface(`files_lock_filetrans',`
|
||||
type var_t, var_lock_t;
|
||||
')
|
||||
|
||||
@ -13630,7 +13630,7 @@ index f962f76..7c3c35b 100644
|
||||
filetrans_pattern($1, var_lock_t, $2, $3, $4)
|
||||
')
|
||||
|
||||
@@ -5979,7 +7309,7 @@ interface(`files_setattr_pid_dirs',`
|
||||
@@ -5979,7 +7310,7 @@ interface(`files_setattr_pid_dirs',`
|
||||
type var_run_t;
|
||||
')
|
||||
|
||||
@ -13639,7 +13639,7 @@ index f962f76..7c3c35b 100644
|
||||
allow $1 var_run_t:dir setattr;
|
||||
')
|
||||
|
||||
@@ -5999,10 +7329,48 @@ interface(`files_search_pids',`
|
||||
@@ -5999,10 +7330,48 @@ interface(`files_search_pids',`
|
||||
type var_t, var_run_t;
|
||||
')
|
||||
|
||||
@ -13688,7 +13688,7 @@ index f962f76..7c3c35b 100644
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to search
|
||||
@@ -6025,6 +7393,43 @@ interface(`files_dontaudit_search_pids',`
|
||||
@@ -6025,6 +7394,43 @@ interface(`files_dontaudit_search_pids',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -13732,7 +13732,7 @@ index f962f76..7c3c35b 100644
|
||||
## List the contents of the runtime process
|
||||
## ID directories (/var/run).
|
||||
## </summary>
|
||||
@@ -6039,7 +7444,7 @@ interface(`files_list_pids',`
|
||||
@@ -6039,7 +7445,7 @@ interface(`files_list_pids',`
|
||||
type var_t, var_run_t;
|
||||
')
|
||||
|
||||
@ -13741,7 +13741,7 @@ index f962f76..7c3c35b 100644
|
||||
list_dirs_pattern($1, var_t, var_run_t)
|
||||
')
|
||||
|
||||
@@ -6058,7 +7463,7 @@ interface(`files_read_generic_pids',`
|
||||
@@ -6058,7 +7464,7 @@ interface(`files_read_generic_pids',`
|
||||
type var_t, var_run_t;
|
||||
')
|
||||
|
||||
@ -13750,7 +13750,7 @@ index f962f76..7c3c35b 100644
|
||||
list_dirs_pattern($1, var_t, var_run_t)
|
||||
read_files_pattern($1, var_run_t, var_run_t)
|
||||
')
|
||||
@@ -6078,7 +7483,7 @@ interface(`files_write_generic_pid_pipes',`
|
||||
@@ -6078,7 +7484,7 @@ interface(`files_write_generic_pid_pipes',`
|
||||
type var_run_t;
|
||||
')
|
||||
|
||||
@ -13759,7 +13759,7 @@ index f962f76..7c3c35b 100644
|
||||
allow $1 var_run_t:fifo_file write;
|
||||
')
|
||||
|
||||
@@ -6140,7 +7545,6 @@ interface(`files_pid_filetrans',`
|
||||
@@ -6140,7 +7546,6 @@ interface(`files_pid_filetrans',`
|
||||
')
|
||||
|
||||
allow $1 var_t:dir search_dir_perms;
|
||||
@ -13767,7 +13767,7 @@ index f962f76..7c3c35b 100644
|
||||
filetrans_pattern($1, var_run_t, $2, $3, $4)
|
||||
')
|
||||
|
||||
@@ -6169,6 +7573,24 @@ interface(`files_pid_filetrans_lock_dir',`
|
||||
@@ -6169,6 +7574,24 @@ interface(`files_pid_filetrans_lock_dir',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -13792,7 +13792,7 @@ index f962f76..7c3c35b 100644
|
||||
## Read and write generic process ID files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -6182,7 +7604,7 @@ interface(`files_rw_generic_pids',`
|
||||
@@ -6182,7 +7605,7 @@ interface(`files_rw_generic_pids',`
|
||||
type var_t, var_run_t;
|
||||
')
|
||||
|
||||
@ -13801,7 +13801,7 @@ index f962f76..7c3c35b 100644
|
||||
list_dirs_pattern($1, var_t, var_run_t)
|
||||
rw_files_pattern($1, var_run_t, var_run_t)
|
||||
')
|
||||
@@ -6249,55 +7671,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
|
||||
@@ -6249,55 +7672,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -13864,7 +13864,7 @@ index f962f76..7c3c35b 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -6305,42 +7715,35 @@ interface(`files_delete_all_pids',`
|
||||
@@ -6305,42 +7716,35 @@ interface(`files_delete_all_pids',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -13914,7 +13914,7 @@ index f962f76..7c3c35b 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -6348,18 +7751,18 @@ interface(`files_manage_all_pids',`
|
||||
@@ -6348,18 +7752,18 @@ interface(`files_manage_all_pids',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -13938,7 +13938,7 @@ index f962f76..7c3c35b 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -6367,37 +7770,40 @@ interface(`files_mounton_all_poly_members',`
|
||||
@@ -6367,37 +7771,40 @@ interface(`files_mounton_all_poly_members',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -13990,7 +13990,7 @@ index f962f76..7c3c35b 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -6405,18 +7811,17 @@ interface(`files_dontaudit_search_spool',`
|
||||
@@ -6405,18 +7812,17 @@ interface(`files_dontaudit_search_spool',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -14013,7 +14013,7 @@ index f962f76..7c3c35b 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -6424,18 +7829,18 @@ interface(`files_list_spool',`
|
||||
@@ -6424,18 +7830,18 @@ interface(`files_list_spool',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -14037,7 +14037,7 @@ index f962f76..7c3c35b 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -6443,19 +7848,18 @@ interface(`files_manage_generic_spool_dirs',`
|
||||
@@ -6443,19 +7849,18 @@ interface(`files_manage_generic_spool_dirs',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -14062,7 +14062,7 @@ index f962f76..7c3c35b 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -6463,109 +7867,62 @@ interface(`files_read_generic_spool',`
|
||||
@@ -6463,109 +7868,62 @@ interface(`files_read_generic_spool',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -14193,7 +14193,7 @@ index f962f76..7c3c35b 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -6573,10 +7930,944 @@ interface(`files_polyinstantiate_all',`
|
||||
@@ -6573,10 +7931,944 @@ interface(`files_polyinstantiate_all',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -39078,10 +39078,19 @@ index 1361961..be6b7fc 100644
|
||||
#
|
||||
# Base type for the tests directory.
|
||||
diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc
|
||||
index 9933677..0b9c20a 100644
|
||||
index 9933677..7875b79 100644
|
||||
--- a/policy/modules/system/modutils.fc
|
||||
+++ b/policy/modules/system/modutils.fc
|
||||
@@ -23,3 +23,17 @@ ifdef(`distro_gentoo',`
|
||||
@@ -10,8 +10,6 @@ ifdef(`distro_gentoo',`
|
||||
/etc/modprobe.devfs.* -- gen_context(system_u:object_r:modules_conf_t,s0)
|
||||
')
|
||||
|
||||
-/lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
|
||||
-
|
||||
/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
|
||||
|
||||
/sbin/depmod.* -- gen_context(system_u:object_r:depmod_exec_t,s0)
|
||||
@@ -23,3 +21,15 @@ ifdef(`distro_gentoo',`
|
||||
/sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0)
|
||||
|
||||
/usr/bin/kmod -- gen_context(system_u:object_r:insmod_exec_t,s0)
|
||||
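Review bot: Dropping the `modules_dep_t` path entries (the `-/lib/modules/[^/]+/modules\..+` removal in this hunk and the `/usr/lib/modules/[^/]+/modules\..+` line the next hunk takes out of the patch) only changes what newly created or relabeled files get; modules.* files already on disk keep `modules_dep_t` until restorecon is run over the module tree, which is why files.if needs the transitional read rule. If the package does not already relabel /lib/modules in `%post`/`%posttrans`, saying so in the changelog or adding it would bound the mixed-label state to one upgrade. The fallback label for these files (modules_object_t through the parent-directory entry, per the commit message) comes from an fc entry that is not on this page.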
@ -39094,16 +39103,14 @@ index 9933677..0b9c20a 100644
|
||||
+/usr/sbin/rmmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0)
|
||||
+/usr/sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0)
|
||||
+
|
||||
+/usr/lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
|
||||
+
|
||||
+/usr/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
|
||||
+
|
||||
+/var/run/tmpfiles.d/kmod.conf -- gen_context(system_u:object_r:insmod_var_run_t,s0)
|
||||
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
|
||||
index 7449974..f32a37c 100644
|
||||
index 7449974..b792900 100644
|
||||
--- a/policy/modules/system/modutils.if
|
||||
+++ b/policy/modules/system/modutils.if
|
||||
@@ -12,7 +12,7 @@
|
||||
@@ -12,11 +12,28 @@
|
||||
#
|
||||
interface(`modutils_getattr_module_deps',`
|
||||
gen_require(`
|
||||
@ -39112,7 +39119,34 @@ index 7449974..f32a37c 100644
|
||||
')
|
||||
|
||||
getattr_files_pattern($1, modules_object_t, modules_dep_t)
|
||||
@@ -39,6 +39,44 @@ interface(`modutils_read_module_deps',`
|
||||
')
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read the dependencies of kernel modules.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`modutils_read_module_deps_files',`
|
||||
+ gen_require(`
|
||||
+ type modules_dep_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 modules_dep_t:file read_file_perms;
|
||||
+')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@@ -34,11 +51,50 @@ interface(`modutils_read_module_deps',`
|
||||
')
|
||||
|
||||
files_list_kernel_modules($1)
|
||||
+ files_read_kernel_modules($1)
|
||||
allow $1 modules_dep_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
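Review bot: The line `@@ -39,6 +39,44 @@ interface(`modutils_read_module_deps',`` sits between the context of the `@@ -12,11 +12,28 @@` hunk and the new `modutils_read_module_deps_files` body; as rendered every line of this outer hunk is on the new side of the patch, and a hunk header inside another hunk makes patch(1) reject the file (the `-12,11 +12,28` and `-34,11 +51,50` counts already account for the 17 added lines without it). If it really is in the new patch, delete it and re-check that the patch applies. Separately, the new interface's summary `## Read the dependencies of kernel modules.` does not say how it differs from modutils_read_module_deps (not on this page), whose body here also lists the module directory; suggest `## Read kernel module dependency files that are still labeled modules_dep_t. Grants file read only, with no directory access and no call back into files.if.`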
@ -39157,7 +39191,7 @@ index 7449974..f32a37c 100644
|
||||
## Read the configuration options used when
|
||||
## loading modules.
|
||||
## </summary>
|
||||
@@ -163,6 +201,24 @@ interface(`modutils_domtrans_insmod',`
|
||||
@@ -163,6 +219,24 @@ interface(`modutils_domtrans_insmod',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -39182,7 +39216,7 @@ index 7449974..f32a37c 100644
|
||||
## Execute insmod in the insmod domain, and
|
||||
## allow the specified role the insmod domain,
|
||||
## and use the caller's terminal. Has a sigchld
|
||||
@@ -208,6 +264,24 @@ interface(`modutils_exec_insmod',`
|
||||
@@ -208,6 +282,24 @@ interface(`modutils_exec_insmod',`
|
||||
can_exec($1, insmod_exec_t)
|
||||
')
|
||||
|
||||
@ -39207,7 +39241,7 @@ index 7449974..f32a37c 100644
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute depmod in the depmod domain.
|
||||
@@ -308,11 +382,18 @@ interface(`modutils_domtrans_update_mods',`
|
||||
@@ -308,11 +400,18 @@ interface(`modutils_domtrans_update_mods',`
|
||||
#
|
||||
interface(`modutils_run_update_mods',`
|
||||
gen_require(`
|
||||
@ -39228,7 +39262,7 @@ index 7449974..f32a37c 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -333,3 +414,43 @@ interface(`modutils_exec_update_mods',`
|
||||
@@ -333,3 +432,39 @@ interface(`modutils_exec_update_mods',`
|
||||
corecmd_search_bin($1)
|
||||
can_exec($1, update_modules_exec_t)
|
||||
')
|
||||
@ -39252,25 +39286,21 @@ index 7449974..f32a37c 100644
|
||||
+ files_etc_filetrans($1, modules_conf_t, file, "modprobe.conf")
|
||||
+ files_etc_filetrans($1, modules_conf_t, file, "modules.conf")
|
||||
+
|
||||
+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.alias")
|
||||
+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.alias.bin")
|
||||
+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.block")
|
||||
+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.builtin")
|
||||
+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.builtin.bin")
|
||||
+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep")
|
||||
+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
|
||||
+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.devname")
|
||||
+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.drm")
|
||||
+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.modesetting")
|
||||
+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.networking")
|
||||
+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.order")
|
||||
+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.softdep")
|
||||
+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols")
|
||||
+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin")
|
||||
+')
|
||||
+
|
||||
+
|
||||
+
|
||||
+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.alias")
|
||||
+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.alias.bin")
|
||||
+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.block")
|
||||
+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.builtin")
|
||||
+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.builtin.bin")
|
||||
+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep")
|
||||
+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
|
||||
+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.devname")
|
||||
+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.drm")
|
||||
+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.modesetting")
|
||||
+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.networking")
|
||||
+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.order")
|
||||
+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.softdep")
|
||||
+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols")
|
||||
+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin")
|
||||
+')
|
||||
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
|
||||
index 7a363b8..3f02a36 100644
|
||||
|
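Review bot: The fifteen `#files_kernel_modules_filetrans(...)` lines and the blank lines before them appear to be kept as comments inside the interface on the new side (as rendered; the outer diff's `+`/`-` is lost here), so the interface now ends in dead text that the next reader will re-enable or question. Delete them — the removal is what the commit message explains — and leave one comment giving the reason, e.g. `# no named transition to modules_dep_t: depmod is kmod (insmod_exec_t) and module deps are created as modules_object_t`. If both `+')` lines are also on the new side, the interface is closed twice and the policy will not build. The interface this hunk modifies starts before the `@ -39252` header and is not visible here.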
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 150%{?dist}
|
||||
Release: 151%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -656,6 +656,12 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Oct 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-151
|
||||
- Update modules_filetrans_named_content() to make sure we don't get modules_dep labeling by filename transitions.
|
||||
- Remove /usr/lib/modules/[^/]+/modules\..+ labeling
|
||||
- Add modutils_read_module_deps_files() which is called from files_read_kernel_modules() for module deps which are still labeled as modules_dep_t.
|
||||
- Remove modules_dep_t labeling for kernel module deps. depmod is a symlink to kmod which is labeled as insmod_exec_t which handles modules_object_t and there is no transition to modules_dep_t. Also some of these module deps are placed by cpio during install/update of kernel package.
|
||||
|
||||
* Fri Oct 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-150
|
||||
- Allow acpid to attempt to connect to the Linux kernel via generic netlink socket.
|
||||
- Clean up pkcs11proxyd policy.
|
||||
|