Fix kdump_admi() interface
This commit is contained in:
parent
3b361c5061
commit
0b215e82ae
@ -18672,7 +18672,7 @@ index afcf3a2..8c49f40 100644
|
||||
+ dontaudit system_bus_type $1:dbus send_msg;
|
||||
')
|
||||
diff --git a/dbus.te b/dbus.te
|
||||
index 2c2e7e1..78bbb7d 100644
|
||||
index 2c2e7e1..493ab48 100644
|
||||
--- a/dbus.te
|
||||
+++ b/dbus.te
|
||||
@@ -1,20 +1,18 @@
|
||||
@ -18797,7 +18797,7 @@ index 2c2e7e1..78bbb7d 100644
|
||||
mls_fd_use_all_levels(system_dbusd_t)
|
||||
mls_rangetrans_target(system_dbusd_t)
|
||||
mls_file_read_all_levels(system_dbusd_t)
|
||||
@@ -123,66 +118,155 @@ term_dontaudit_use_console(system_dbusd_t)
|
||||
@@ -123,66 +118,159 @@ term_dontaudit_use_console(system_dbusd_t)
|
||||
auth_use_nsswitch(system_dbusd_t)
|
||||
auth_read_pam_console_data(system_dbusd_t)
|
||||
|
||||
@ -18855,6 +18855,11 @@ index 2c2e7e1..78bbb7d 100644
|
||||
+optional_policy(`
|
||||
+ gnome_exec_gconf(system_dbusd_t)
|
||||
+ gnome_read_inherited_home_icc_data_files(system_dbusd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- seutil_sigchld_newrole(system_dbusd_t)
|
||||
+ nis_use_ypbind(system_dbusd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
@ -18870,10 +18875,9 @@ index 2c2e7e1..78bbb7d 100644
|
||||
+
|
||||
+optional_policy(`
|
||||
+ sysnet_domtrans_dhcpc(system_dbusd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- seutil_sigchld_newrole(system_dbusd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ systemd_use_fds_logind(system_dbusd_t)
|
||||
+ systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
|
||||
+ systemd_write_inhibit_pipes(system_dbusd_t)
|
||||
@ -18911,7 +18915,7 @@ index 2c2e7e1..78bbb7d 100644
|
||||
+init_rw_stream_sockets(system_bus_type)
|
||||
+
|
||||
+ps_process_pattern(system_dbusd_t, system_bus_type)
|
||||
|
||||
+
|
||||
+userdom_dontaudit_search_admin_dir(system_bus_type)
|
||||
+userdom_read_all_users_state(system_bus_type)
|
||||
+
|
||||
@ -18926,7 +18930,7 @@ index 2c2e7e1..78bbb7d 100644
|
||||
+optional_policy(`
|
||||
+ unconfined_dbus_send(system_bus_type)
|
||||
+')
|
||||
+
|
||||
|
||||
+ifdef(`hide_broken_symptoms',`
|
||||
+ dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
|
||||
+')
|
||||
@ -18967,7 +18971,7 @@ index 2c2e7e1..78bbb7d 100644
|
||||
kernel_read_kernel_sysctls(session_bus_type)
|
||||
|
||||
corecmd_list_bin(session_bus_type)
|
||||
@@ -191,23 +275,18 @@ corecmd_read_bin_files(session_bus_type)
|
||||
@@ -191,23 +279,18 @@ corecmd_read_bin_files(session_bus_type)
|
||||
corecmd_read_bin_pipes(session_bus_type)
|
||||
corecmd_read_bin_sockets(session_bus_type)
|
||||
|
||||
@ -18992,7 +18996,7 @@ index 2c2e7e1..78bbb7d 100644
|
||||
files_dontaudit_search_var(session_bus_type)
|
||||
|
||||
fs_getattr_romfs(session_bus_type)
|
||||
@@ -215,7 +294,6 @@ fs_getattr_xattr_fs(session_bus_type)
|
||||
@@ -215,7 +298,6 @@ fs_getattr_xattr_fs(session_bus_type)
|
||||
fs_list_inotifyfs(session_bus_type)
|
||||
fs_dontaudit_list_nfs(session_bus_type)
|
||||
|
||||
@ -19000,7 +19004,7 @@ index 2c2e7e1..78bbb7d 100644
|
||||
selinux_validate_context(session_bus_type)
|
||||
selinux_compute_access_vector(session_bus_type)
|
||||
selinux_compute_create_context(session_bus_type)
|
||||
@@ -225,18 +303,36 @@ selinux_compute_user_contexts(session_bus_type)
|
||||
@@ -225,18 +307,36 @@ selinux_compute_user_contexts(session_bus_type)
|
||||
auth_read_pam_console_data(session_bus_type)
|
||||
|
||||
logging_send_audit_msgs(session_bus_type)
|
||||
@ -19042,7 +19046,7 @@ index 2c2e7e1..78bbb7d 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -244,5 +340,6 @@ optional_policy(`
|
||||
@@ -244,5 +344,6 @@ optional_policy(`
|
||||
# Unconfined access to this module
|
||||
#
|
||||
|
||||
@ -31423,7 +31427,7 @@ index a49ae4e..913a0e3 100644
|
||||
-/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
|
||||
+/var/crash(/.*)? gen_context(system_u:object_r:kdump_crash_t,s0)
|
||||
diff --git a/kdump.if b/kdump.if
|
||||
index 3a00b3a..f6402dc 100644
|
||||
index 3a00b3a..b835e95 100644
|
||||
--- a/kdump.if
|
||||
+++ b/kdump.if
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -31494,7 +31498,7 @@ index 3a00b3a..f6402dc 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -56,10 +100,65 @@ interface(`kdump_read_config',`
|
||||
@@ -56,10 +100,66 @@ interface(`kdump_read_config',`
|
||||
allow $1 kdump_etc_t:file read_file_perms;
|
||||
')
|
||||
|
||||
@ -31517,6 +31521,7 @@ index 3a00b3a..f6402dc 100644
|
||||
+ read_files_pattern($1, kdump_crash_t, kdump_crash_t)
|
||||
+')
|
||||
+
|
||||
+
|
||||
+#####################################
|
||||
+## <summary>
|
||||
+## Read kdump crash files.
|
||||
@ -31562,7 +31567,7 @@ index 3a00b3a..f6402dc 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -76,10 +175,31 @@ interface(`kdump_manage_config',`
|
||||
@@ -76,10 +176,31 @@ interface(`kdump_manage_config',`
|
||||
allow $1 kdump_etc_t:file manage_file_perms;
|
||||
')
|
||||
|
||||
@ -31596,7 +31601,7 @@ index 3a00b3a..f6402dc 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -88,19 +208,24 @@ interface(`kdump_manage_config',`
|
||||
@@ -88,19 +209,24 @@ interface(`kdump_manage_config',`
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
@ -31613,7 +31618,7 @@ index 3a00b3a..f6402dc 100644
|
||||
+ type kdump_t, kdump_etc_t;
|
||||
+ type kdump_initrc_exec_t;
|
||||
+ type kdump_unit_file_t;
|
||||
+ type kdump_crash_t
|
||||
+ type kdump_crash_t;
|
||||
')
|
||||
|
||||
- allow $1 { kdump_t kdumpctl_t }:process { ptrace signal_perms };
|
||||
@ -31626,7 +31631,7 @@ index 3a00b3a..f6402dc 100644
|
||||
|
||||
init_labeled_script_domtrans($1, kdump_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
@@ -110,6 +235,10 @@ interface(`kdump_admin',`
|
||||
@@ -110,6 +236,10 @@ interface(`kdump_admin',`
|
||||
files_search_etc($1)
|
||||
admin_pattern($1, kdump_etc_t)
|
||||
|
||||
@ -74999,7 +75004,7 @@ index aee75af..a6bab06 100644
|
||||
+ allow $1 samba_unit_file_t:service all_service_perms;
|
||||
')
|
||||
diff --git a/samba.te b/samba.te
|
||||
index 57c034b..ea8d79d 100644
|
||||
index 57c034b..aa2be40 100644
|
||||
--- a/samba.te
|
||||
+++ b/samba.te
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -75973,7 +75978,11 @@ index 57c034b..ea8d79d 100644
|
||||
optional_policy(`
|
||||
cups_read_rw_config(swat_t)
|
||||
cups_stream_connect(swat_t)
|
||||
@@ -837,13 +841,15 @@ allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
|
||||
@@ -834,16 +838,19 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
|
||||
+allow winbind_t self:capability2 block_suspend;
|
||||
dontaudit winbind_t self:capability sys_tty_config;
|
||||
allow winbind_t self:process { signal_perms getsched setsched };
|
||||
allow winbind_t self:fifo_file rw_fifo_file_perms;
|
||||
@ -75993,7 +76002,7 @@ index 57c034b..ea8d79d 100644
|
||||
|
||||
allow winbind_t samba_etc_t:dir list_dir_perms;
|
||||
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
|
||||
@@ -853,9 +859,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
|
||||
@@ -853,9 +860,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
|
||||
filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
|
||||
|
||||
manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
|
||||
@ -76004,7 +76013,7 @@ index 57c034b..ea8d79d 100644
|
||||
manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
|
||||
|
||||
manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
|
||||
@@ -866,23 +870,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
|
||||
@@ -866,23 +871,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
|
||||
|
||||
rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
|
||||
|
||||
@ -76034,7 +76043,7 @@ index 57c034b..ea8d79d 100644
|
||||
manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
|
||||
|
||||
kernel_read_network_state(winbind_t)
|
||||
@@ -891,13 +893,17 @@ kernel_read_system_state(winbind_t)
|
||||
@@ -891,13 +894,17 @@ kernel_read_system_state(winbind_t)
|
||||
|
||||
corecmd_exec_bin(winbind_t)
|
||||
|
||||
@ -76055,7 +76064,7 @@ index 57c034b..ea8d79d 100644
|
||||
corenet_tcp_connect_smbd_port(winbind_t)
|
||||
corenet_tcp_connect_epmap_port(winbind_t)
|
||||
corenet_tcp_connect_all_unreserved_ports(winbind_t)
|
||||
@@ -905,10 +911,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
|
||||
@@ -905,10 +912,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
|
||||
dev_read_sysfs(winbind_t)
|
||||
dev_read_urand(winbind_t)
|
||||
|
||||
@ -76066,7 +76075,7 @@ index 57c034b..ea8d79d 100644
|
||||
|
||||
fs_getattr_all_fs(winbind_t)
|
||||
fs_search_auto_mountpoints(winbind_t)
|
||||
@@ -917,18 +919,24 @@ auth_domtrans_chk_passwd(winbind_t)
|
||||
@@ -917,18 +920,24 @@ auth_domtrans_chk_passwd(winbind_t)
|
||||
auth_use_nsswitch(winbind_t)
|
||||
auth_manage_cache(winbind_t)
|
||||
|
||||
@ -76093,7 +76102,7 @@ index 57c034b..ea8d79d 100644
|
||||
|
||||
optional_policy(`
|
||||
ctdbd_stream_connect(winbind_t)
|
||||
@@ -936,7 +944,12 @@ optional_policy(`
|
||||
@@ -936,7 +945,12 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -76106,7 +76115,7 @@ index 57c034b..ea8d79d 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -952,31 +965,29 @@ optional_policy(`
|
||||
@@ -952,31 +966,29 @@ optional_policy(`
|
||||
# Winbind helper local policy
|
||||
#
|
||||
|
||||
@ -76144,7 +76153,7 @@ index 57c034b..ea8d79d 100644
|
||||
|
||||
optional_policy(`
|
||||
apache_append_log(winbind_helper_t)
|
||||
@@ -990,25 +1001,38 @@ optional_policy(`
|
||||
@@ -990,25 +1002,38 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -86226,7 +86235,7 @@ index 0000000..92b6843
|
||||
+/usr/lib/tumbler[^/]*/tumblerd -- gen_context(system_u:object_r:thumb_exec_t,s0)
|
||||
diff --git a/thumb.if b/thumb.if
|
||||
new file mode 100644
|
||||
index 0000000..aa424d3
|
||||
index 0000000..8b2dfff
|
||||
--- /dev/null
|
||||
+++ b/thumb.if
|
||||
@@ -0,0 +1,130 @@
|
||||
@ -86283,7 +86292,7 @@ index 0000000..aa424d3
|
||||
+ dontaudit thumb_t $1:file read_file_perms;
|
||||
+ dontaudit thumb_t $1:unix_stream_socket rw_socket_perms;
|
||||
+
|
||||
+ allow thumb_t $1:shm rw_shm_perms;
|
||||
+ allow thumb_t $1:shm create_shm_perms;
|
||||
+ allow thumb_t $1:sem create_sem_perms;
|
||||
+')
|
||||
+
|
||||
|