- Make auditd working if audit is configured to perform SINGLE action on disk error
- Add interfaces to handle systemd units - Make systemd-notify working if pcsd is used - Add support for netlabel and label /usr/sbin/netlabelctl as iptables_exec_t - Instead of having all unconfined domains get all of the named transition rules, - Only allow unconfined_t, init_t, initrc_t and rpm_script_t by default. - Add definition for the salt ports - Allow xdm_t to create link files in xdm_var_run_t - Dontaudit reads of blk files or chr files leaked into ldconfig_t - Allow sys_chroot for useradd_t - Allow net_raw cap for ipsec_t - Allow sysadm_t to reload services - Add additional fixes to make strongswan working with a simple conf - Allow sysadm_t to enable/disable init_t services - Add additional glusterd perms - Allow apache to read lnk files in the /mnt directory - Allow glusterd to ask the kernel to load a module - Fix description of ftpd_use_fusefs boolean - Allow svirt_lxc_net_t to sys_chroot, modify policy to tighten up svirt_lxc_domain capabilties and process contro - Allow glusterds to request load a kernel module - Allow boinc to stream connect to xserver_t - Allow sblim domains to read /etc/passwd - Allow mdadm to read usb devices - Allow collectd to use ping plugin - Make foghorn working with SNMP - Allow sssd to read ldap certs - Allow haproxy to connect to RTP media ports - Add additional trans rules for aide_db - Add labeling for /usr/lib/pcsd/pcsd - Add labeling for /var/log/pcsd
This commit is contained in:
Miroslav Grepl
parent
7a0f028107
commit
0ab4f2d651
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
|
|
@ -1,854 +0,0 @@
|
|||
commit f53f820fe366940d4fdecaef80de4e5b1178fac6
|
||||
Author: Miroslav Grepl <mgrepl@redhat.com>
|
||||
Date: Thu Jun 7 01:38:59 2012 +0200
|
||||
|
||||
roleattribute patch
|
||||
|
||||
diff --git a/livecd.if b/livecd.if
|
||||
index bfbf676..fb7869e 100644
|
||||
--- a/livecd.if
|
||||
+++ b/livecd.if
|
||||
@@ -38,12 +38,19 @@ interface(`livecd_run',`
|
||||
gen_require(`
|
||||
type livecd_t;
|
||||
type livecd_exec_t;
|
||||
- attribute_role livecd_roles;
|
||||
+ #attribute_role livecd_roles;
|
||||
')
|
||||
|
||||
livecd_domtrans($1)
|
||||
- roleattribute $2 livecd_roles;
|
||||
+ #roleattribute $2 livecd_roles;
|
||||
+ role $2 types livecd_t;
|
||||
role_transition $2 livecd_exec_t system_r;
|
||||
+
|
||||
+ seutil_run_setfiles_mac(livecd_t, system_r)
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ mount_run(livecd_t, $2)
|
||||
+ ')
|
||||
')
|
||||
|
||||
########################################
|
||||
diff --git a/livecd.te b/livecd.te
|
||||
index 65efdae..7a944b5 100644
|
||||
--- a/livecd.te
|
||||
+++ b/livecd.te
|
||||
@@ -5,13 +5,14 @@ policy_module(livecd, 1.2.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
-attribute_role livecd_roles;
|
||||
-roleattribute system_r livecd_roles;
|
||||
+#attribute_role livecd_roles;
|
||||
+#roleattribute system_r livecd_roles;
|
||||
|
||||
type livecd_t;
|
||||
type livecd_exec_t;
|
||||
application_domain(livecd_t, livecd_exec_t)
|
||||
-role livecd_roles types livecd_t;
|
||||
+role system_r types livecd_t;
|
||||
+#role livecd_roles types livecd_t;
|
||||
|
||||
type livecd_tmp_t;
|
||||
files_tmp_file(livecd_tmp_t)
|
||||
@@ -35,10 +36,10 @@ term_filetrans_all_named_dev(livecd_t)
|
||||
|
||||
sysnet_filetrans_named_content(livecd_t)
|
||||
|
||||
-optional_policy(`
|
||||
- mount_run(livecd_t, livecd_roles)
|
||||
- seutil_run_setfiles_mac(livecd_t, livecd_roles)
|
||||
-')
|
||||
+#optional_policy(`
|
||||
+# mount_run(livecd_t, livecd_roles)
|
||||
+# seutil_run_setfiles_mac(livecd_t, livecd_roles)
|
||||
+#')
|
||||
|
||||
optional_policy(`
|
||||
ssh_filetrans_admin_home_content(livecd_t)
|
||||
diff --git a/mozilla.if b/mozilla.if
|
||||
index 30b0241..30bfefb 100644
|
||||
--- a/mozilla.if
|
||||
+++ b/mozilla.if
|
||||
@@ -18,10 +18,11 @@
|
||||
interface(`mozilla_role',`
|
||||
gen_require(`
|
||||
type mozilla_t, mozilla_exec_t, mozilla_home_t;
|
||||
- attribute_role mozilla_roles;
|
||||
+ #attribute_role mozilla_roles;
|
||||
')
|
||||
|
||||
- roleattribute $1 mozilla_roles;
|
||||
+ #roleattribute $1 mozilla_roles;
|
||||
+ role $1 types mozilla_t;
|
||||
|
||||
domain_auto_trans($2, mozilla_exec_t, mozilla_t)
|
||||
# Unrestricted inheritance from the caller.
|
||||
@@ -47,6 +48,8 @@ interface(`mozilla_role',`
|
||||
relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
|
||||
relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
|
||||
|
||||
+ #should be remove then with adding of roleattribute
|
||||
+ mozilla_run_plugin(mozilla_t, $1)
|
||||
mozilla_dbus_chat($2)
|
||||
|
||||
userdom_manage_tmp_role($1, mozilla_t)
|
||||
@@ -63,7 +66,6 @@ interface(`mozilla_role',`
|
||||
|
||||
mozilla_filetrans_home_content($2)
|
||||
|
||||
- mozilla_dbus_chat($2)
|
||||
')
|
||||
|
||||
########################################
|
||||
diff --git a/mozilla.te b/mozilla.te
|
||||
index 7bf56bf..56700a4 100644
|
||||
--- a/mozilla.te
|
||||
+++ b/mozilla.te
|
||||
@@ -19,14 +19,15 @@ gen_tunable(mozilla_read_content, false)
|
||||
## </desc>
|
||||
gen_tunable(mozilla_plugin_enable_homedirs, false)
|
||||
|
||||
-attribute_role mozilla_roles;
|
||||
+#attribute_role mozilla_roles;
|
||||
|
||||
type mozilla_t;
|
||||
type mozilla_exec_t;
|
||||
typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
|
||||
typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
|
||||
userdom_user_application_domain(mozilla_t, mozilla_exec_t)
|
||||
-role mozilla_roles types mozilla_t;
|
||||
+#role mozilla_roles types mozilla_t;
|
||||
+role system_r types mozilla_t;
|
||||
|
||||
type mozilla_conf_t;
|
||||
files_config_file(mozilla_conf_t)
|
||||
@@ -39,7 +40,8 @@ userdom_user_home_content(mozilla_home_t)
|
||||
type mozilla_plugin_t;
|
||||
type mozilla_plugin_exec_t;
|
||||
application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
|
||||
-role mozilla_roles types mozilla_plugin_t;
|
||||
+#role mozilla_roles types mozilla_plugin_t;
|
||||
+role system_r types mozilla_plugin_t;
|
||||
|
||||
type mozilla_plugin_tmp_t;
|
||||
userdom_user_tmp_content(mozilla_plugin_tmp_t)
|
||||
@@ -55,7 +57,8 @@ files_type(mozilla_plugin_rw_t)
|
||||
type mozilla_plugin_config_t;
|
||||
type mozilla_plugin_config_exec_t;
|
||||
application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)
|
||||
-role mozilla_roles types mozilla_plugin_config_t;
|
||||
+#role mozilla_roles types mozilla_plugin_config_t;
|
||||
+role system_r types mozilla_plugin_config_t;
|
||||
|
||||
type mozilla_tmp_t;
|
||||
userdom_user_tmp_file(mozilla_tmp_t)
|
||||
@@ -186,7 +189,7 @@ sysnet_dns_name_resolve(mozilla_t)
|
||||
|
||||
userdom_use_inherited_user_ptys(mozilla_t)
|
||||
|
||||
-mozilla_run_plugin(mozilla_t, mozilla_roles)
|
||||
+#mozilla_run_plugin(mozilla_t, mozilla_roles)
|
||||
|
||||
xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
|
||||
xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
|
||||
@@ -298,7 +301,8 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- pulseaudio_role(mozilla_roles, mozilla_t)
|
||||
+ #pulseaudio_role(mozilla_roles, mozilla_t)
|
||||
+ pulseaudio_exec(mozilla_t)
|
||||
pulseaudio_stream_connect(mozilla_t)
|
||||
pulseaudio_manage_home_files(mozilla_t)
|
||||
')
|
||||
@@ -476,9 +480,9 @@ optional_policy(`
|
||||
java_exec(mozilla_plugin_t)
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- lpd_run_lpr(mozilla_plugin_t, mozilla_roles)
|
||||
-')
|
||||
+#optional_policy(`
|
||||
+# lpd_run_lpr(mozilla_plugin_t, mozilla_roles)
|
||||
+#')
|
||||
|
||||
optional_policy(`
|
||||
mplayer_exec(mozilla_plugin_t)
|
||||
diff --git a/ncftool.if b/ncftool.if
|
||||
index 1520b6c..3a4455f 100644
|
||||
--- a/ncftool.if
|
||||
+++ b/ncftool.if
|
||||
@@ -36,10 +36,18 @@ interface(`ncftool_domtrans',`
|
||||
#
|
||||
interface(`ncftool_run',`
|
||||
gen_require(`
|
||||
- attribute_role ncftool_roles;
|
||||
+ type ncftool_t;
|
||||
+ #attribute_role ncftool_roles;
|
||||
')
|
||||
|
||||
- ncftool_domtrans($1)
|
||||
- roleattribute $2 ncftool_roles;
|
||||
+ #ncftool_domtrans($1)
|
||||
+ #roleattribute $2 ncftool_roles;
|
||||
+
|
||||
+ role $1 types ncftool_t;
|
||||
+
|
||||
+ ncftool_domtrans($2)
|
||||
+
|
||||
+ ps_process_pattern($2, ncftool_t)
|
||||
+ allow $2 ncftool_t:process signal;
|
||||
')
|
||||
|
||||
diff --git a/ncftool.te b/ncftool.te
|
||||
index 91ab36d..8c48c33 100644
|
||||
--- a/ncftool.te
|
||||
+++ b/ncftool.te
|
||||
@@ -5,15 +5,16 @@ policy_module(ncftool, 1.1.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
-attribute_role ncftool_roles;
|
||||
-roleattribute system_r ncftool_roles;
|
||||
+#attribute_role ncftool_roles;
|
||||
+#roleattribute system_r ncftool_roles;
|
||||
|
||||
type ncftool_t;
|
||||
type ncftool_exec_t;
|
||||
application_domain(ncftool_t, ncftool_exec_t)
|
||||
domain_obj_id_change_exemption(ncftool_t)
|
||||
domain_system_change_exemption(ncftool_t)
|
||||
-role ncftool_roles types ncftool_t;
|
||||
+#role ncftool_roles types ncftool_t;
|
||||
+role system_r types ncftool_t;
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -53,8 +54,10 @@ term_use_all_inherited_terms(ncftool_t)
|
||||
|
||||
miscfiles_read_localization(ncftool_t)
|
||||
sysnet_delete_dhcpc_pid(ncftool_t)
|
||||
-sysnet_run_dhcpc(ncftool_t, ncftool_roles)
|
||||
-sysnet_run_ifconfig(ncftool_t, ncftool_roles)
|
||||
+sysnet_domtrans_dhcpc(ncftool_t)
|
||||
+sysnet_domtrans_ifconfig(ncftool_t)
|
||||
+#sysnet_run_dhcpc(ncftool_t, ncftool_roles)
|
||||
+#sysnet_run_ifconfig(ncftool_t, ncftool_roles)
|
||||
sysnet_etc_filetrans_config(ncftool_t)
|
||||
sysnet_manage_config(ncftool_t)
|
||||
sysnet_read_dhcpc_state(ncftool_t)
|
||||
@@ -66,9 +69,9 @@ sysnet_signal_dhcpc(ncftool_t)
|
||||
userdom_use_user_terminals(ncftool_t)
|
||||
userdom_read_user_tmp_files(ncftool_t)
|
||||
|
||||
-optional_policy(`
|
||||
- brctl_run(ncftool_t, ncftool_roles)
|
||||
-')
|
||||
+#optional_policy(`
|
||||
+# brctl_run(ncftool_t, ncftool_roles)
|
||||
+#')
|
||||
|
||||
optional_policy(`
|
||||
consoletype_exec(ncftool_t)
|
||||
@@ -85,9 +88,12 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
modutils_read_module_config(ncftool_t)
|
||||
- modutils_run_insmod(ncftool_t, ncftool_roles)
|
||||
+ modutils_domtrans_insmod(ncftool_t)
|
||||
+ #modutils_run_insmod(ncftool_t, ncftool_roles)
|
||||
+
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- netutils_run(ncftool_t, ncftool_roles)
|
||||
+ netutils_domtrans(ncftool_t)
|
||||
+ #netutils_run(ncftool_t, ncftool_roles)
|
||||
')
|
||||
diff --git a/ppp.if b/ppp.if
|
||||
index c174b05..a4cad0b 100644
|
||||
--- a/ppp.if
|
||||
+++ b/ppp.if
|
||||
@@ -175,11 +175,18 @@ interface(`ppp_run_cond',`
|
||||
#
|
||||
interface(`ppp_run',`
|
||||
gen_require(`
|
||||
- attribute_role pppd_roles;
|
||||
+ #attribute_role pppd_roles;
|
||||
+ type pppd_t;
|
||||
')
|
||||
|
||||
- ppp_domtrans($1)
|
||||
- roleattribute $2 pppd_roles;
|
||||
+ #ppp_domtrans($1)
|
||||
+ #roleattribute $2 pppd_roles;
|
||||
+
|
||||
+ role $2 types pppd_t;
|
||||
+
|
||||
+ tunable_policy(`pppd_for_user',`
|
||||
+ ppp_domtrans($1)
|
||||
+ ')
|
||||
')
|
||||
|
||||
########################################
|
||||
diff --git a/ppp.te b/ppp.te
|
||||
index 17e10a2..92cec2b 100644
|
||||
--- a/ppp.te
|
||||
+++ b/ppp.te
|
||||
@@ -19,14 +19,15 @@ gen_tunable(pppd_can_insmod, false)
|
||||
## </desc>
|
||||
gen_tunable(pppd_for_user, false)
|
||||
|
||||
-attribute_role pppd_roles;
|
||||
+#attribute_role pppd_roles;
|
||||
|
||||
# pppd_t is the domain for the pppd program.
|
||||
# pppd_exec_t is the type of the pppd executable.
|
||||
type pppd_t;
|
||||
type pppd_exec_t;
|
||||
init_daemon_domain(pppd_t, pppd_exec_t)
|
||||
-role pppd_roles types pppd_t;
|
||||
+#role pppd_roles types pppd_t;
|
||||
+role system_r types pppd_t;
|
||||
|
||||
type pppd_devpts_t;
|
||||
term_pty(pppd_devpts_t)
|
||||
@@ -64,7 +65,8 @@ files_pid_file(pppd_var_run_t)
|
||||
type pptp_t;
|
||||
type pptp_exec_t;
|
||||
init_daemon_domain(pptp_t, pptp_exec_t)
|
||||
-role pppd_roles types pptp_t;
|
||||
+#role pppd_roles types pptp_t;
|
||||
+role system_r types pptp_t;
|
||||
|
||||
type pptp_log_t;
|
||||
logging_log_file(pptp_log_t)
|
||||
@@ -176,7 +178,8 @@ init_dontaudit_write_utmp(pppd_t)
|
||||
init_signal_script(pppd_t)
|
||||
|
||||
auth_use_nsswitch(pppd_t)
|
||||
-auth_run_chk_passwd(pppd_t,pppd_roles)
|
||||
+auth_domtrans_chk_passwd(pppd_t)
|
||||
+#auth_run_chk_passwd(pppd_t,pppd_roles)
|
||||
auth_write_login_records(pppd_t)
|
||||
|
||||
logging_send_syslog_msg(pppd_t)
|
||||
@@ -196,7 +199,8 @@ userdom_search_admin_dir(pppd_t)
|
||||
ppp_exec(pppd_t)
|
||||
|
||||
optional_policy(`
|
||||
- ddclient_run(pppd_t, pppd_roles)
|
||||
+ #ddclient_run(pppd_t, pppd_roles)
|
||||
+ ddclient_domtrans(pppd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
diff --git a/usernetctl.if b/usernetctl.if
|
||||
index d45c715..2d4f1ba 100644
|
||||
--- a/usernetctl.if
|
||||
+++ b/usernetctl.if
|
||||
@@ -37,9 +37,26 @@ interface(`usernetctl_domtrans',`
|
||||
#
|
||||
interface(`usernetctl_run',`
|
||||
gen_require(`
|
||||
- attribute_role usernetctl_roles;
|
||||
+ type usernetctl_t;
|
||||
+ #attribute_role usernetctl_roles;
|
||||
')
|
||||
|
||||
- usernetctl_domtrans($1)
|
||||
- roleattribute $2 usernetctl_roles;
|
||||
+ #usernetctl_domtrans($1)
|
||||
+ #roleattribute $2 usernetctl_roles;
|
||||
+
|
||||
+ sysnet_run_ifconfig(usernetctl_t, $2)
|
||||
+ sysnet_run_dhcpc(usernetctl_t, $2)
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ iptables_run(usernetctl_t, $2)
|
||||
+ ')
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ modutils_run_insmod(usernetctl_t, $2)
|
||||
+ ')
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ ppp_run(usernetctl_t, $2)
|
||||
+ ')
|
||||
+
|
||||
')
|
||||
diff --git a/usernetctl.te b/usernetctl.te
|
||||
index 8604c1c..35b12a6 100644
|
||||
--- a/usernetctl.te
|
||||
+++ b/usernetctl.te
|
||||
@@ -5,13 +5,14 @@ policy_module(usernetctl, 1.6.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
-attribute_role usernetctl_roles;
|
||||
+#attribute_role usernetctl_roles;
|
||||
|
||||
type usernetctl_t;
|
||||
type usernetctl_exec_t;
|
||||
application_domain(usernetctl_t, usernetctl_exec_t)
|
||||
domain_interactive_fd(usernetctl_t)
|
||||
-role usernetctl_roles types usernetctl_t;
|
||||
+#role usernetctl_roles types usernetctl_t;
|
||||
+role system_r types usernetctl_t;
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -63,29 +64,30 @@ sysnet_read_config(usernetctl_t)
|
||||
|
||||
userdom_use_inherited_user_terminals(usernetctl_t)
|
||||
|
||||
-sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
|
||||
-sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
|
||||
+#sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
|
||||
+#sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
|
||||
|
||||
optional_policy(`
|
||||
- consoletype_run(usernetctl_t, usernetctl_roles)
|
||||
+ #consoletype_run(usernetctl_t, usernetctl_roles)
|
||||
+ consoletype_exec(usernetctl_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
hostname_exec(usernetctl_t)
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- iptables_run(usernetctl_t, usernetctl_roles)
|
||||
-')
|
||||
+#optional_policy(`
|
||||
+# iptables_run(usernetctl_t, usernetctl_roles)
|
||||
+#')
|
||||
|
||||
-optional_policy(`
|
||||
- modutils_run_insmod(usernetctl_t, usernetctl_roles)
|
||||
-')
|
||||
+#optional_policy(`
|
||||
+# modutils_run_insmod(usernetctl_t, usernetctl_roles)
|
||||
+#')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(usernetctl_t)
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- ppp_run(usernetctl_t, usernetctl_roles)
|
||||
-')
|
||||
+#optional_policy(`
|
||||
+# ppp_run(usernetctl_t, usernetctl_roles)
|
||||
+#')
|
||||
diff --git a/vpn.if b/vpn.if
|
||||
index 7b93e07..a4e2f60 100644
|
||||
--- a/vpn.if
|
||||
+++ b/vpn.if
|
||||
@@ -37,11 +37,16 @@ interface(`vpn_domtrans',`
|
||||
#
|
||||
interface(`vpn_run',`
|
||||
gen_require(`
|
||||
- attribute_role vpnc_roles;
|
||||
+ #attribute_role vpnc_roles;
|
||||
+ type vpnc_t;
|
||||
')
|
||||
|
||||
+ #vpn_domtrans($1)
|
||||
+ #roleattribute $2 vpnc_roles;
|
||||
+
|
||||
vpn_domtrans($1)
|
||||
- roleattribute $2 vpnc_roles;
|
||||
+ role $2 types vpnc_t;
|
||||
+ sysnet_run_ifconfig(vpnc_t, $2)
|
||||
')
|
||||
|
||||
########################################
|
||||
diff --git a/vpn.te b/vpn.te
|
||||
index 99fd457..d2585bb 100644
|
||||
--- a/vpn.te
|
||||
+++ b/vpn.te
|
||||
@@ -5,14 +5,15 @@ policy_module(vpn, 1.15.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
-attribute_role vpnc_roles;
|
||||
-roleattribute system_r vpnc_roles;
|
||||
+#attribute_role vpnc_roles;
|
||||
+#roleattribute system_r vpnc_roles;
|
||||
|
||||
type vpnc_t;
|
||||
type vpnc_exec_t;
|
||||
init_system_domain(vpnc_t, vpnc_exec_t)
|
||||
application_domain(vpnc_t, vpnc_exec_t)
|
||||
-role vpnc_roles types vpnc_t;
|
||||
+#role vpnc_roles types vpnc_t;
|
||||
+role system_r types vpnc_t;
|
||||
|
||||
type vpnc_tmp_t;
|
||||
files_tmp_file(vpnc_tmp_t)
|
||||
@@ -108,7 +109,7 @@ miscfiles_read_localization(vpnc_t)
|
||||
seutil_dontaudit_search_config(vpnc_t)
|
||||
seutil_use_newrole_fds(vpnc_t)
|
||||
|
||||
-sysnet_run_ifconfig(vpnc_t, vpnc_roles)
|
||||
+#sysnet_run_ifconfig(vpnc_t, vpnc_roles)
|
||||
sysnet_etc_filetrans_config(vpnc_t)
|
||||
sysnet_manage_config(vpnc_t)
|
||||
|
||||
commit 88b64bdd71ef734271b9370fc37e02785f354f7f
|
||||
Author: Miroslav Grepl <mgrepl@redhat.com>
|
||||
Date: Thu Jun 7 02:33:40 2012 +0200
|
||||
|
||||
Fix ncftool.if
|
||||
|
||||
diff --git a/ncftool.if b/ncftool.if
|
||||
index 3a4455f..59f096b 100644
|
||||
--- a/ncftool.if
|
||||
+++ b/ncftool.if
|
||||
@@ -43,11 +43,12 @@ interface(`ncftool_run',`
|
||||
#ncftool_domtrans($1)
|
||||
#roleattribute $2 ncftool_roles;
|
||||
|
||||
- role $1 types ncftool_t;
|
||||
+ ncftool_domtrans($1)
|
||||
+ role $2 types ncftool_t;
|
||||
|
||||
- ncftool_domtrans($2)
|
||||
+ optional_policy(`
|
||||
+ brctl_run(ncftool_t, $2)
|
||||
+ ')
|
||||
|
||||
- ps_process_pattern($2, ncftool_t)
|
||||
- allow $2 ncftool_t:process signal;
|
||||
')
|
||||
|
||||
commit 1d49e7e1383a578e75d16b0b7f58dbe25351b1d9
|
||||
Author: Miroslav Grepl <mgrepl@redhat.com>
|
||||
Date: Thu Jun 7 10:47:57 2012 +0200
|
||||
|
||||
roleattriburte temp fixes for portage and dpkg
|
||||
|
||||
diff --git a/dpkg.if b/dpkg.if
|
||||
index 4d32b42..d945bd0 100644
|
||||
--- a/dpkg.if
|
||||
+++ b/dpkg.if
|
||||
@@ -62,11 +62,18 @@ interface(`dpkg_domtrans_script',`
|
||||
#
|
||||
interface(`dpkg_run',`
|
||||
gen_require(`
|
||||
- attribute_role dpkg_roles;
|
||||
+ #attribute_role dpkg_roles;
|
||||
+ type dpkg_t, dpkg_script_t
|
||||
')
|
||||
|
||||
+ #dpkg_domtrans($1)
|
||||
+ #roleattribute $2 dpkg_roles;
|
||||
+
|
||||
dpkg_domtrans($1)
|
||||
- roleattribute $2 dpkg_roles;
|
||||
+ role $2 types dpkg_t;
|
||||
+ role $2 types dpkg_script_t;
|
||||
+ seutil_run_loadpolicy(dpkg_script_t, $2)
|
||||
+
|
||||
')
|
||||
|
||||
########################################
|
||||
diff --git a/dpkg.te b/dpkg.te
|
||||
index a1b8f92..9ac1b80 100644
|
||||
--- a/dpkg.te
|
||||
+++ b/dpkg.te
|
||||
@@ -5,8 +5,8 @@ policy_module(dpkg, 1.9.1)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
-attribute_role dpkg_roles;
|
||||
-roleattribute system_r dpkg_roles;
|
||||
+#attribute_role dpkg_roles;
|
||||
+#roleattribute system_r dpkg_roles;
|
||||
|
||||
type dpkg_t;
|
||||
type dpkg_exec_t;
|
||||
@@ -17,7 +17,8 @@ domain_obj_id_change_exemption(dpkg_t)
|
||||
domain_role_change_exemption(dpkg_t)
|
||||
domain_system_change_exemption(dpkg_t)
|
||||
domain_interactive_fd(dpkg_t)
|
||||
-role dpkg_roles types dpkg_t;
|
||||
+#role dpkg_roles types dpkg_t;
|
||||
+role system_r types dpkg_t;
|
||||
|
||||
# lockfile
|
||||
type dpkg_lock_t;
|
||||
@@ -41,7 +42,8 @@ corecmd_shell_entry_type(dpkg_script_t)
|
||||
domain_obj_id_change_exemption(dpkg_script_t)
|
||||
domain_system_change_exemption(dpkg_script_t)
|
||||
domain_interactive_fd(dpkg_script_t)
|
||||
-role dpkg_roles types dpkg_script_t;
|
||||
+#role dpkg_roles types dpkg_script_t;
|
||||
+role system_r types dpkg_script_t;
|
||||
|
||||
type dpkg_script_tmp_t;
|
||||
files_tmp_file(dpkg_script_tmp_t)
|
||||
@@ -152,9 +154,12 @@ files_exec_etc_files(dpkg_t)
|
||||
init_domtrans_script(dpkg_t)
|
||||
init_use_script_ptys(dpkg_t)
|
||||
|
||||
+#libs_exec_ld_so(dpkg_t)
|
||||
+#libs_exec_lib_files(dpkg_t)
|
||||
+#libs_run_ldconfig(dpkg_t, dpkg_roles)
|
||||
libs_exec_ld_so(dpkg_t)
|
||||
libs_exec_lib_files(dpkg_t)
|
||||
-libs_run_ldconfig(dpkg_t, dpkg_roles)
|
||||
+libs_domtrans_ldconfig(dpkg_t)
|
||||
|
||||
logging_send_syslog_msg(dpkg_t)
|
||||
|
||||
@@ -196,19 +201,30 @@ domain_signull_all_domains(dpkg_t)
|
||||
files_read_etc_runtime_files(dpkg_t)
|
||||
files_exec_usr_files(dpkg_t)
|
||||
miscfiles_read_localization(dpkg_t)
|
||||
-modutils_run_depmod(dpkg_t, dpkg_roles)
|
||||
-modutils_run_insmod(dpkg_t, dpkg_roles)
|
||||
-seutil_run_loadpolicy(dpkg_t, dpkg_roles)
|
||||
-seutil_run_setfiles(dpkg_t, dpkg_roles)
|
||||
+#modutils_run_depmod(dpkg_t, dpkg_roles)
|
||||
+#modutils_run_insmod(dpkg_t, dpkg_roles)
|
||||
+#seutil_run_loadpolicy(dpkg_t, dpkg_roles)
|
||||
+#seutil_run_setfiles(dpkg_t, dpkg_roles)
|
||||
userdom_use_all_users_fds(dpkg_t)
|
||||
optional_policy(`
|
||||
mta_send_mail(dpkg_t)
|
||||
')
|
||||
+
|
||||
+
|
||||
optional_policy(`
|
||||
- usermanage_run_groupadd(dpkg_t, dpkg_roles)
|
||||
- usermanage_run_useradd(dpkg_t, dpkg_roles)
|
||||
+ modutils_domtrans_depmod(dpkg_t)
|
||||
+ modutils_domtrans_insmod(dpkg_t)
|
||||
+ seutil_domtrans_loadpolicy(dpkg_t)
|
||||
+ seutil_domtrans_setfiles(dpkg_t)
|
||||
+ usermanage_domtrans_groupadd(dpkg_t)
|
||||
+ usermanage_domtrans_useradd(dpkg_t)
|
||||
')
|
||||
|
||||
+#optional_policy(`
|
||||
+# usermanage_run_groupadd(dpkg_t, dpkg_roles)
|
||||
+# usermanage_run_useradd(dpkg_t, dpkg_roles)
|
||||
+#')
|
||||
+
|
||||
########################################
|
||||
#
|
||||
# dpkg-script Local policy
|
||||
@@ -302,11 +318,11 @@ logging_send_syslog_msg(dpkg_script_t)
|
||||
|
||||
miscfiles_read_localization(dpkg_script_t)
|
||||
|
||||
-modutils_run_depmod(dpkg_script_t, dpkg_roles)
|
||||
-modutils_run_insmod(dpkg_script_t, dpkg_roles)
|
||||
+#modutils_run_depmod(dpkg_script_t, dpkg_roles)
|
||||
+#modutils_run_insmod(dpkg_script_t, dpkg_roles)
|
||||
|
||||
-seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
|
||||
-seutil_run_setfiles(dpkg_script_t, dpkg_roles)
|
||||
+#seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
|
||||
+#seutil_run_setfiles(dpkg_script_t, dpkg_roles)
|
||||
|
||||
userdom_use_all_users_fds(dpkg_script_t)
|
||||
|
||||
@@ -319,9 +335,9 @@ optional_policy(`
|
||||
apt_use_fds(dpkg_script_t)
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- bootloader_run(dpkg_script_t, dpkg_roles)
|
||||
-')
|
||||
+#optional_policy(`
|
||||
+# bootloader_run(dpkg_script_t, dpkg_roles)
|
||||
+#')
|
||||
|
||||
optional_policy(`
|
||||
mta_send_mail(dpkg_script_t)
|
||||
@@ -335,7 +351,7 @@ optional_policy(`
|
||||
unconfined_domain(dpkg_script_t)
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- usermanage_run_groupadd(dpkg_script_t, dpkg_roles)
|
||||
- usermanage_run_useradd(dpkg_script_t, dpkg_roles)
|
||||
-')
|
||||
+#optional_policy(`
|
||||
+# usermanage_run_groupadd(dpkg_script_t, dpkg_roles)
|
||||
+# usermanage_run_useradd(dpkg_script_t, dpkg_roles)
|
||||
+#')
|
||||
diff --git a/portage.if b/portage.if
|
||||
index b4bb48a..e5e8f12 100644
|
||||
--- a/portage.if
|
||||
+++ b/portage.if
|
||||
@@ -43,11 +43,15 @@ interface(`portage_domtrans',`
|
||||
#
|
||||
interface(`portage_run',`
|
||||
gen_require(`
|
||||
- attribute_role portage_roles;
|
||||
+ type portage_t, portage_fetch_t, portage_sandbox_t;
|
||||
+ #attribute_role portage_roles;
|
||||
')
|
||||
|
||||
- portage_domtrans($1)
|
||||
- roleattribute $2 portage_roles;
|
||||
+ #portage_domtrans($1)
|
||||
+ #roleattribute $2 portage_roles;
|
||||
+ portage_domtrans($1)
|
||||
+ role $2 types { portage_t portage_fetch_t portage_sandbox_t }
|
||||
+
|
||||
')
|
||||
|
||||
########################################
|
||||
diff --git a/portage.te b/portage.te
|
||||
index 22bdf7d..f726e1d 100644
|
||||
--- a/portage.te
|
||||
+++ b/portage.te
|
||||
@@ -12,7 +12,7 @@ policy_module(portage, 1.12.4)
|
||||
## </desc>
|
||||
gen_tunable(portage_use_nfs, false)
|
||||
|
||||
-attribute_role portage_roles;
|
||||
+#attribute_role portage_roles;
|
||||
|
||||
type gcc_config_t;
|
||||
type gcc_config_exec_t;
|
||||
@@ -25,7 +25,8 @@ application_domain(portage_t, portage_exec_t)
|
||||
domain_obj_id_change_exemption(portage_t)
|
||||
rsync_entry_type(portage_t)
|
||||
corecmd_shell_entry_type(portage_t)
|
||||
-role portage_roles types portage_t;
|
||||
+#role portage_roles types portage_t;
|
||||
+role system_r types portage_t;
|
||||
|
||||
# portage compile sandbox domain
|
||||
type portage_sandbox_t;
|
||||
@@ -33,7 +34,8 @@ application_domain(portage_sandbox_t, portage_exec_t)
|
||||
# the shell is the entrypoint if regular sandbox is disabled
|
||||
# portage_exec_t is the entrypoint if regular sandbox is enabled
|
||||
corecmd_shell_entry_type(portage_sandbox_t)
|
||||
-role portage_roles types portage_sandbox_t;
|
||||
+#role portage_roles types portage_sandbox_t;
|
||||
+role system_r types portage_sandbox_t;
|
||||
|
||||
# portage package fetching domain
|
||||
type portage_fetch_t;
|
||||
@@ -41,7 +43,8 @@ type portage_fetch_exec_t;
|
||||
application_domain(portage_fetch_t, portage_fetch_exec_t)
|
||||
corecmd_shell_entry_type(portage_fetch_t)
|
||||
rsync_entry_type(portage_fetch_t)
|
||||
-role portage_roles types portage_fetch_t;
|
||||
+#role portage_roles types portage_fetch_t;
|
||||
+role system_r types portage_fetch_t;
|
||||
|
||||
type portage_devpts_t;
|
||||
term_pty(portage_devpts_t)
|
||||
@@ -115,7 +118,8 @@ files_list_all(gcc_config_t)
|
||||
init_dontaudit_read_script_status_files(gcc_config_t)
|
||||
|
||||
libs_read_lib_files(gcc_config_t)
|
||||
-libs_run_ldconfig(gcc_config_t, portage_roles)
|
||||
+#libs_run_ldconfig(gcc_config_t, portage_roles)
|
||||
+libs_domtrans_ldconfig(gcc_config_t)
|
||||
libs_manage_shared_libs(gcc_config_t)
|
||||
# gcc-config creates a temp dir for the libs
|
||||
libs_manage_lib_dirs(gcc_config_t)
|
||||
@@ -196,33 +200,41 @@ auth_manage_shadow(portage_t)
|
||||
init_exec(portage_t)
|
||||
|
||||
# run setfiles -r
|
||||
-seutil_run_setfiles(portage_t, portage_roles)
|
||||
+#seutil_run_setfiles(portage_t, portage_roles)
|
||||
# run semodule
|
||||
-seutil_run_semanage(portage_t, portage_roles)
|
||||
+#seutil_run_semanage(portage_t, portage_roles)
|
||||
|
||||
-portage_run_gcc_config(portage_t, portage_roles)
|
||||
+#portage_run_gcc_config(portage_t, portage_roles)
|
||||
# if sesandbox is disabled, compiling is performed in this domain
|
||||
portage_compile_domain(portage_t)
|
||||
|
||||
-optional_policy(`
|
||||
- bootloader_run(portage_t, portage_roles)
|
||||
-')
|
||||
+#optional_policy(`
|
||||
+# bootloader_run(portage_t, portage_roles)
|
||||
+#')
|
||||
|
||||
optional_policy(`
|
||||
cron_system_entry(portage_t, portage_exec_t)
|
||||
cron_system_entry(portage_fetch_t, portage_fetch_exec_t)
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- modutils_run_depmod(portage_t, portage_roles)
|
||||
- modutils_run_update_mods(portage_t, portage_roles)
|
||||
+#optional_policy(`
|
||||
+# modutils_run_depmod(portage_t, portage_roles)
|
||||
+# modutils_run_update_mods(portage_t, portage_roles)
|
||||
#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- usermanage_run_groupadd(portage_t, portage_roles)
|
||||
- usermanage_run_useradd(portage_t, portage_roles)
|
||||
-')
|
||||
+#optional_policy(`
|
||||
+# usermanage_run_groupadd(portage_t, portage_roles)
|
||||
+# usermanage_run_useradd(portage_t, portage_roles)
|
||||
+#')
|
||||
+
|
||||
+seutil_domtrans_setfiles(portage_t)
|
||||
+seutil_domtrans_semanage(portage_t)
|
||||
+bootloader_domtrans(portage_t)
|
||||
+modutils_domtrans_depmod(portage_t)
|
||||
+modutils_domtrans_update_mods(portage_t)
|
||||
+usermanage_domtrans_groupadd(portage_t)
|
||||
+usermanage_domtrans_useradd(portage_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
# seems to work ok without these
|
||||
commit 1797b35f16d5c863a0083148dee4ee3f93c4c4ef
|
||||
Author: Miroslav Grepl <mgrepl@redhat.com>
|
||||
Date: Thu Jun 7 10:52:09 2012 +0200
|
||||
|
||||
Fix typo
|
||||
|
||||
diff --git a/portage.if b/portage.if
|
||||
index e5e8f12..7098ded 100644
|
||||
--- a/portage.if
|
||||
+++ b/portage.if
|
||||
@@ -50,7 +50,7 @@ interface(`portage_run',`
|
||||
#portage_domtrans($1)
|
||||
#roleattribute $2 portage_roles;
|
||||
portage_domtrans($1)
|
||||
- role $2 types { portage_t portage_fetch_t portage_sandbox_t }
|
||||
+ role $2 types { portage_t portage_fetch_t portage_sandbox_t };
|
||||
|
||||
')
|
||||
|
||||
commit cf999ca29d2a4401c481e28c169e10d676d73526
|
||||
Author: Miroslav Grepl <mgrepl@redhat.com>
|
||||
Date: Thu Jun 7 10:59:22 2012 +0200
|
||||
|
||||
One more typo
|
||||
|
||||
diff --git a/dpkg.if b/dpkg.if
|
||||
index d945bd0..78736d8 100644
|
||||
--- a/dpkg.if
|
||||
+++ b/dpkg.if
|
||||
@@ -63,7 +63,7 @@ interface(`dpkg_domtrans_script',`
|
||||
interface(`dpkg_run',`
|
||||
gen_require(`
|
||||
#attribute_role dpkg_roles;
|
||||
- type dpkg_t, dpkg_script_t
|
||||
+ type dpkg_t, dpkg_script_t;
|
||||
')
|
||||
|
||||
#dpkg_domtrans($1)
|
||||
|
|
@ -19,13 +19,12 @@
|
|||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.12.1
|
||||
Release: 65%{?dist}
|
||||
Release: 66%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
patch: policy-rawhide-base.patch
|
||||
patch1: policy-rawhide-contrib.patch
|
||||
patch2: policy_contrib-rawhide-roleattribute.patch
|
||||
Source1: modules-targeted-base.conf
|
||||
Source31: modules-targeted-contrib.conf
|
||||
Source2: booleans-targeted.conf
|
||||
|
|
@ -539,6 +538,42 @@ SELinux Reference policy mls base module.
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Jul 22 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-66
|
||||
- Allow systemd-tmpfile to handle tmp content in print spool dir
|
||||
- Allow systemd-sysctl to send system log messages
|
||||
- Add support for RTP media ports and fmpro-internal
|
||||
- Make auditd working if audit is configured to perform SINGLE action on disk error
|
||||
- Add interfaces to handle systemd units
|
||||
- Make systemd-notify working if pcsd is used
|
||||
- Add support for netlabel and label /usr/sbin/netlabelctl as iptables_exec_t
|
||||
- Instead of having all unconfined domains get all of the named transition rules,
|
||||
- Only allow unconfined_t, init_t, initrc_t and rpm_script_t by default.
|
||||
- Add definition for the salt ports
|
||||
- Allow xdm_t to create link files in xdm_var_run_t
|
||||
- Dontaudit reads of blk files or chr files leaked into ldconfig_t
|
||||
- Allow sys_chroot for useradd_t
|
||||
- Allow net_raw cap for ipsec_t
|
||||
- Allow sysadm_t to reload services
|
||||
- Add additional fixes to make strongswan working with a simple conf
|
||||
- Allow sysadm_t to enable/disable init_t services
|
||||
- Add additional glusterd perms
|
||||
- Allow apache to read lnk files in the /mnt directory
|
||||
- Allow glusterd to ask the kernel to load a module
|
||||
- Fix description of ftpd_use_fusefs boolean
|
||||
- Allow svirt_lxc_net_t to sys_chroot, modify policy to tighten up svirt_lxc_domain capabilties and process controls, but add them to svirt_lxc_net_t
|
||||
- Allow glusterds to request load a kernel module
|
||||
- Allow boinc to stream connect to xserver_t
|
||||
- Allow sblim domains to read /etc/passwd
|
||||
- Allow mdadm to read usb devices
|
||||
- Allow collectd to use ping plugin
|
||||
- Make foghorn working with SNMP
|
||||
- Allow sssd to read ldap certs
|
||||
- Allow haproxy to connect to RTP media ports
|
||||
- Add additional trans rules for aide_db
|
||||
- Add labeling for /usr/lib/pcsd/pcsd
|
||||
- Add labeling for /var/log/pcsd
|
||||
- Add support for pcs which is a corosync and pacemaker configuration tool
|
||||
|
||||
* Wed Jul 17 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-65
|
||||
- Label /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t
|
||||
- Add labeling for /usr/libexec/kde4/polkit-kde-authentication-agent-1
|
||||
|
|
|
|||
Loading…
Reference in New Issue