- Turn on deny_ptrace boolean for the Rawhide run, so we can t
- Cups exchanges dbus messages with init - udisk2 needs to send syslog messages - certwatch needs to read /etc/passwd
parent
a2e8b9ca5d
commit
0c0b390b07
@ -859,10 +859,18 @@ index 9a62a1d..eb017ef 100644
|
|||||||
kernel_read_network_state(brctl_t)
|
kernel_read_network_state(brctl_t)
|
||||||
kernel_read_sysctl(brctl_t)
|
kernel_read_sysctl(brctl_t)
|
||||||
diff --git a/policy/modules/admin/certwatch.te b/policy/modules/admin/certwatch.te
|
diff --git a/policy/modules/admin/certwatch.te b/policy/modules/admin/certwatch.te
|
||||||
index 6b02433..1e28e62 100644
|
index 6b02433..575a8d2 100644
|
||||||
--- a/policy/modules/admin/certwatch.te
|
--- a/policy/modules/admin/certwatch.te
|
||||||
+++ b/policy/modules/admin/certwatch.te
|
+++ b/policy/modules/admin/certwatch.te
|
||||||
@@ -34,8 +34,8 @@ logging_send_syslog_msg(certwatch_t)
|
@@ -27,6 +27,7 @@ files_list_tmp(certwatch_t)
|
||||||
|
fs_list_inotifyfs(certwatch_t)
|
||||||
|
|
||||||
|
auth_manage_cache(certwatch_t)
|
||||||
|
+auth_read_passwd(certwatch_t)
|
||||||
|
auth_var_filetrans_cache(certwatch_t)
|
||||||
|
|
||||||
|
logging_send_syslog_msg(certwatch_t)
|
||||||
|
@@ -34,8 +35,8 @@ logging_send_syslog_msg(certwatch_t)
|
||||||
miscfiles_read_all_certs(certwatch_t)
|
miscfiles_read_all_certs(certwatch_t)
|
||||||
miscfiles_read_localization(certwatch_t)
|
miscfiles_read_localization(certwatch_t)
|
||||||
|
|
||||||
@ -34385,7 +34393,7 @@ index 305ddf4..c9de648 100644
|
|||||||
|
|
||||||
admin_pattern($1, ptal_etc_t)
|
admin_pattern($1, ptal_etc_t)
|
||||||
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
|
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
|
||||||
index 0f28095..0172ea8 100644
|
index 0f28095..f4f2dc5 100644
|
||||||
--- a/policy/modules/services/cups.te
|
--- a/policy/modules/services/cups.te
|
||||||
+++ b/policy/modules/services/cups.te
|
+++ b/policy/modules/services/cups.te
|
||||||
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
|
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
|
||||||
@ -34465,7 +34473,16 @@ index 0f28095..0172ea8 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
apm_domtrans_client(cupsd_t)
|
apm_domtrans_client(cupsd_t)
|
||||||
')
|
')
|
||||||
@@ -297,8 +297,10 @@ optional_policy(`
|
@@ -287,6 +287,8 @@ optional_policy(`
|
||||||
|
optional_policy(`
|
||||||
|
dbus_system_bus_client(cupsd_t)
|
||||||
|
|
||||||
|
+ init_dbus_chat(cupsd_t)
|
||||||
|
+
|
||||||
|
userdom_dbus_send_all_users(cupsd_t)
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
@@ -297,8 +299,10 @@ optional_policy(`
|
||||||
hal_dbus_chat(cupsd_t)
|
hal_dbus_chat(cupsd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -34476,7 +34493,7 @@ index 0f28095..0172ea8 100644
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -311,10 +313,22 @@ optional_policy(`
|
@@ -311,10 +315,22 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -34499,7 +34516,7 @@ index 0f28095..0172ea8 100644
|
|||||||
mta_send_mail(cupsd_t)
|
mta_send_mail(cupsd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -371,8 +385,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
|
@@ -371,8 +387,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
|
||||||
|
|
||||||
allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
|
allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
|
||||||
|
|
||||||
@ -34510,7 +34527,7 @@ index 0f28095..0172ea8 100644
|
|||||||
|
|
||||||
domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
|
domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
|
||||||
|
|
||||||
@@ -393,6 +408,10 @@ dev_read_sysfs(cupsd_config_t)
|
@@ -393,6 +410,10 @@ dev_read_sysfs(cupsd_config_t)
|
||||||
dev_read_urand(cupsd_config_t)
|
dev_read_urand(cupsd_config_t)
|
||||||
dev_read_rand(cupsd_config_t)
|
dev_read_rand(cupsd_config_t)
|
||||||
dev_rw_generic_usb_dev(cupsd_config_t)
|
dev_rw_generic_usb_dev(cupsd_config_t)
|
||||||
@ -34521,7 +34538,7 @@ index 0f28095..0172ea8 100644
|
|||||||
|
|
||||||
files_search_all_mountpoints(cupsd_config_t)
|
files_search_all_mountpoints(cupsd_config_t)
|
||||||
|
|
||||||
@@ -425,11 +444,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
|
@@ -425,11 +446,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
|
||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
|
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
|
||||||
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
|
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
|
||||||
@ -34535,7 +34552,7 @@ index 0f28095..0172ea8 100644
|
|||||||
ifdef(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
rpm_read_db(cupsd_config_t)
|
rpm_read_db(cupsd_config_t)
|
||||||
@@ -453,6 +472,10 @@ optional_policy(`
|
@@ -453,6 +474,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -34546,7 +34563,7 @@ index 0f28095..0172ea8 100644
|
|||||||
hal_domtrans(cupsd_config_t)
|
hal_domtrans(cupsd_config_t)
|
||||||
hal_read_tmp_files(cupsd_config_t)
|
hal_read_tmp_files(cupsd_config_t)
|
||||||
hal_dontaudit_use_fds(hplip_t)
|
hal_dontaudit_use_fds(hplip_t)
|
||||||
@@ -467,6 +490,10 @@ optional_policy(`
|
@@ -467,6 +492,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -34557,7 +34574,7 @@ index 0f28095..0172ea8 100644
|
|||||||
policykit_dbus_chat(cupsd_config_t)
|
policykit_dbus_chat(cupsd_config_t)
|
||||||
userdom_read_all_users_state(cupsd_config_t)
|
userdom_read_all_users_state(cupsd_config_t)
|
||||||
')
|
')
|
||||||
@@ -587,23 +614,22 @@ auth_use_nsswitch(cups_pdf_t)
|
@@ -587,23 +616,22 @@ auth_use_nsswitch(cups_pdf_t)
|
||||||
|
|
||||||
miscfiles_read_localization(cups_pdf_t)
|
miscfiles_read_localization(cups_pdf_t)
|
||||||
miscfiles_read_fonts(cups_pdf_t)
|
miscfiles_read_fonts(cups_pdf_t)
|
||||||
@ -34590,7 +34607,7 @@ index 0f28095..0172ea8 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -639,7 +665,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
|
@@ -639,7 +667,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
|
||||||
manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
|
manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
|
||||||
|
|
||||||
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
|
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
|
||||||
@ -34599,7 +34616,7 @@ index 0f28095..0172ea8 100644
|
|||||||
|
|
||||||
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
|
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
|
||||||
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
|
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
|
||||||
@@ -685,6 +711,7 @@ domain_use_interactive_fds(hplip_t)
|
@@ -685,6 +713,7 @@ domain_use_interactive_fds(hplip_t)
|
||||||
files_read_etc_files(hplip_t)
|
files_read_etc_files(hplip_t)
|
||||||
files_read_etc_runtime_files(hplip_t)
|
files_read_etc_runtime_files(hplip_t)
|
||||||
files_read_usr_files(hplip_t)
|
files_read_usr_files(hplip_t)
|
||||||
@ -34607,7 +34624,7 @@ index 0f28095..0172ea8 100644
|
|||||||
|
|
||||||
logging_send_syslog_msg(hplip_t)
|
logging_send_syslog_msg(hplip_t)
|
||||||
|
|
||||||
@@ -696,8 +723,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
|
@@ -696,8 +725,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
|
||||||
userdom_dontaudit_search_user_home_dirs(hplip_t)
|
userdom_dontaudit_search_user_home_dirs(hplip_t)
|
||||||
userdom_dontaudit_search_user_home_content(hplip_t)
|
userdom_dontaudit_search_user_home_content(hplip_t)
|
||||||
|
|
||||||
@ -36014,7 +36031,7 @@ index f706b99..d41e4fe 100644
|
|||||||
+ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
|
+ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
|
||||||
')
|
')
|
||||||
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
|
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
|
||||||
index f231f17..f277ea6 100644
|
index f231f17..4f7e166 100644
|
||||||
--- a/policy/modules/services/devicekit.te
|
--- a/policy/modules/services/devicekit.te
|
||||||
+++ b/policy/modules/services/devicekit.te
|
+++ b/policy/modules/services/devicekit.te
|
||||||
@@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t)
|
@@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t)
|
||||||
@ -36078,7 +36095,7 @@ index f231f17..f277ea6 100644
|
|||||||
fs_list_inotifyfs(devicekit_disk_t)
|
fs_list_inotifyfs(devicekit_disk_t)
|
||||||
fs_manage_fusefs_dirs(devicekit_disk_t)
|
fs_manage_fusefs_dirs(devicekit_disk_t)
|
||||||
fs_mount_all_fs(devicekit_disk_t)
|
fs_mount_all_fs(devicekit_disk_t)
|
||||||
@@ -127,7 +138,7 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
|
@@ -127,10 +138,12 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
|
||||||
storage_raw_read_removable_device(devicekit_disk_t)
|
storage_raw_read_removable_device(devicekit_disk_t)
|
||||||
storage_raw_write_removable_device(devicekit_disk_t)
|
storage_raw_write_removable_device(devicekit_disk_t)
|
||||||
|
|
||||||
@ -36087,7 +36104,12 @@ index f231f17..f277ea6 100644
|
|||||||
|
|
||||||
auth_use_nsswitch(devicekit_disk_t)
|
auth_use_nsswitch(devicekit_disk_t)
|
||||||
|
|
||||||
@@ -178,55 +189,84 @@ optional_policy(`
|
+logging_send_syslog_msg(devicekit_disk_t)
|
||||||
|
+
|
||||||
|
miscfiles_read_localization(devicekit_disk_t)
|
||||||
|
|
||||||
|
userdom_read_all_users_state(devicekit_disk_t)
|
||||||
|
@@ -178,55 +191,84 @@ optional_policy(`
|
||||||
virt_manage_images(devicekit_disk_t)
|
virt_manage_images(devicekit_disk_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -36177,7 +36199,7 @@ index f231f17..f277ea6 100644
|
|||||||
|
|
||||||
userdom_read_all_users_state(devicekit_power_t)
|
userdom_read_all_users_state(devicekit_power_t)
|
||||||
|
|
||||||
@@ -235,7 +275,12 @@ optional_policy(`
|
@@ -235,7 +277,12 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -36190,7 +36212,7 @@ index f231f17..f277ea6 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -261,14 +306,21 @@ optional_policy(`
|
@@ -261,14 +308,21 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -36213,7 +36235,7 @@ index f231f17..f277ea6 100644
|
|||||||
policykit_dbus_chat(devicekit_power_t)
|
policykit_dbus_chat(devicekit_power_t)
|
||||||
policykit_domtrans_auth(devicekit_power_t)
|
policykit_domtrans_auth(devicekit_power_t)
|
||||||
policykit_read_lib(devicekit_power_t)
|
policykit_read_lib(devicekit_power_t)
|
||||||
@@ -276,9 +328,30 @@ optional_policy(`
|
@@ -276,9 +330,30 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -80325,10 +80347,10 @@ index ce2fbb9..8b34dbc 100644
|
|||||||
-/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
|
-/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
|
||||||
-')
|
-')
|
||||||
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
|
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
|
||||||
index 416e668..3d4780b 100644
|
index 416e668..bb3d52b 100644
|
||||||
--- a/policy/modules/system/unconfined.if
|
--- a/policy/modules/system/unconfined.if
|
||||||
+++ b/policy/modules/system/unconfined.if
|
+++ b/policy/modules/system/unconfined.if
|
||||||
@@ -12,27 +12,34 @@
|
@@ -12,53 +12,63 @@
|
||||||
#
|
#
|
||||||
interface(`unconfined_domain_noaudit',`
|
interface(`unconfined_domain_noaudit',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -80370,7 +80392,10 @@ index 416e668..3d4780b 100644
|
|||||||
|
|
||||||
kernel_unconfined($1)
|
kernel_unconfined($1)
|
||||||
corenet_unconfined($1)
|
corenet_unconfined($1)
|
||||||
@@ -43,22 +50,27 @@ interface(`unconfined_domain_noaudit',`
|
dev_unconfined($1)
|
||||||
|
domain_unconfined($1)
|
||||||
|
- domain_dontaudit_read_all_domains_state($1)
|
||||||
|
- domain_dontaudit_ptrace_all_domains($1)
|
||||||
files_unconfined($1)
|
files_unconfined($1)
|
||||||
fs_unconfined($1)
|
fs_unconfined($1)
|
||||||
selinux_unconfined($1)
|
selinux_unconfined($1)
|
||||||
@ -80402,7 +80427,7 @@ index 416e668..3d4780b 100644
|
|||||||
# auditallow $1 self:process execstack;
|
# auditallow $1 self:process execstack;
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -69,6 +81,7 @@ interface(`unconfined_domain_noaudit',`
|
@@ -69,6 +79,7 @@ interface(`unconfined_domain_noaudit',`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
# Communicate via dbusd.
|
# Communicate via dbusd.
|
||||||
dbus_system_bus_unconfined($1)
|
dbus_system_bus_unconfined($1)
|
||||||
@ -80410,7 +80435,7 @@ index 416e668..3d4780b 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -122,6 +135,10 @@ interface(`unconfined_domain_noaudit',`
|
@@ -122,6 +133,10 @@ interface(`unconfined_domain_noaudit',`
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`unconfined_domain',`
|
interface(`unconfined_domain',`
|
||||||
@ -80421,7 +80446,7 @@ index 416e668..3d4780b 100644
|
|||||||
unconfined_domain_noaudit($1)
|
unconfined_domain_noaudit($1)
|
||||||
|
|
||||||
tunable_policy(`allow_execheap',`
|
tunable_policy(`allow_execheap',`
|
||||||
@@ -150,7 +167,7 @@ interface(`unconfined_domain',`
|
@@ -150,7 +165,7 @@ interface(`unconfined_domain',`
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`unconfined_alias_domain',`
|
interface(`unconfined_alias_domain',`
|
||||||
@ -80430,7 +80455,7 @@ index 416e668..3d4780b 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -176,414 +193,5 @@ interface(`unconfined_alias_domain',`
|
@@ -176,414 +191,5 @@ interface(`unconfined_alias_domain',`
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`unconfined_execmem_alias_program',`
|
interface(`unconfined_execmem_alias_program',`
|
||||||
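Review bot: The lines `- domain_dontaudit_read_all_domains_state($1)` and `- domain_dontaudit_ptrace_all_domains($1)` appear only on the new side of the `unconfined.if` hunk for `unconfined_domain_noaudit`, yet neither the commit message nor the new %changelog entry mentions them. Dropping them presumably means that ptrace and process-state reads denied to unconfined domains are logged as AVC denials instead of being silenced. That fits testing deny_ptrace, but it changes audit volume for every domain that calls this interface. I would record it with a changelog line such as `- Stop dontauditing ptrace and state reads of all domains in unconfined_domain_noaudit while deny_ptrace is tested`, so the removal can be found and revisited once the Rawhide test is over. The interface body continues outside the visible hunks, so any replacement rule added elsewhere cannot be checked from here.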
|
@ -16,7 +16,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.10.0
|
Version: 3.10.0
|
||||||
Release: 78%{?dist}
|
Release: 79%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -471,6 +471,12 @@ SELinux Reference policy mls base module.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jan 24 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-79
|
||||||
|
- Turn on deny_ptrace boolean for the Rawhide run, so we can test this out
|
||||||
|
- Cups exchanges dbus messages with init
|
||||||
|
- udisk2 needs to send syslog messages
|
||||||
|
- certwatch needs to read /etc/passwd
|
||||||
|
|
||||||
* Mon Jan 23 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-78
|
* Mon Jan 23 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-78
|
||||||
- Add labeling for udisks2
|
- Add labeling for udisks2
|
||||||
- Allow fsadmin to communicate with the systemd process
|
- Allow fsadmin to communicate with the systemd process
|
||||||
|