* Tue Jul 3 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-8
- initrc is calling exportfs which is not confined so it attempts to read nfsd_files - Fixes for passenger running within openshift. - Add labeling for all tomcat6 dirs - Add support for tomcat6 - Allow cobblerd to read /etc/passwd - Allow jockey to read sysfs and execute binaries with bin_t - Allow thum to use user terminals - Allow cgclear to read cgconfig config files - Fix bcf2g.fc - Remove sysnet_dns_name_resolve() from policies where auth_use_nsswitch() is used for other domains - Allow dbomatic to execute ruby - abrt_watch_log should be abrt_domain - Allow mozilla_plugin to connect to gatekeeper port
parent
1de5de6450
commit
0f07ba7f55
@ -60457,7 +60457,7 @@ index db981df..b77f19f 100644
|
|||||||
+/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
+/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
+/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0)
|
+/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
|
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
|
||||||
index 9e9263a..ba59ffd 100644
|
index 9e9263a..c4dc1b6 100644
|
||||||
--- a/policy/modules/kernel/corecommands.if
|
--- a/policy/modules/kernel/corecommands.if
|
||||||
+++ b/policy/modules/kernel/corecommands.if
|
+++ b/policy/modules/kernel/corecommands.if
|
||||||
@@ -122,6 +122,7 @@ interface(`corecmd_search_bin',`
|
@@ -122,6 +122,7 @@ interface(`corecmd_search_bin',`
|
||||||
@ -60534,7 +60534,18 @@ index 9e9263a..ba59ffd 100644
|
|||||||
read_sock_files_pattern($1, bin_t, bin_t)
|
read_sock_files_pattern($1, bin_t, bin_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -362,6 +385,7 @@ interface(`corecmd_manage_bin_files',`
|
@@ -345,6 +368,10 @@ interface(`corecmd_exec_bin',`
|
||||||
|
read_lnk_files_pattern($1, bin_t, bin_t)
|
||||||
|
list_dirs_pattern($1, bin_t, bin_t)
|
||||||
|
can_exec($1, bin_t)
|
||||||
|
+ #ifdef(`enable_mls',`',`
|
||||||
|
+ # files_exec_usr_files($1)
|
||||||
|
+ # libs_exec_lib_files($1)
|
||||||
|
+ #')
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
@@ -362,6 +389,7 @@ interface(`corecmd_manage_bin_files',`
|
||||||
type bin_t;
|
type bin_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -60542,7 +60553,7 @@ index 9e9263a..ba59ffd 100644
|
|||||||
manage_files_pattern($1, bin_t, bin_t)
|
manage_files_pattern($1, bin_t, bin_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -398,6 +422,7 @@ interface(`corecmd_mmap_bin_files',`
|
@@ -398,6 +426,7 @@ interface(`corecmd_mmap_bin_files',`
|
||||||
type bin_t;
|
type bin_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -60550,7 +60561,7 @@ index 9e9263a..ba59ffd 100644
|
|||||||
mmap_files_pattern($1, bin_t, bin_t)
|
mmap_files_pattern($1, bin_t, bin_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -954,6 +979,24 @@ interface(`corecmd_exec_chroot',`
|
@@ -954,6 +983,24 @@ interface(`corecmd_exec_chroot',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -60575,7 +60586,7 @@ index 9e9263a..ba59ffd 100644
|
|||||||
## Get the attributes of all executable files.
|
## Get the attributes of all executable files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -1049,6 +1092,7 @@ interface(`corecmd_manage_all_executables',`
|
@@ -1049,6 +1096,7 @@ interface(`corecmd_manage_all_executables',`
|
||||||
type bin_t;
|
type bin_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -76848,7 +76859,7 @@ index 6ce867a..ee79c5a 100644
|
|||||||
+ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
|
+ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
|
||||||
')
|
')
|
||||||
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
|
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
|
||||||
index f12b8ff..2293c1b 100644
|
index f12b8ff..3b80e52 100644
|
||||||
--- a/policy/modules/system/authlogin.te
|
--- a/policy/modules/system/authlogin.te
|
||||||
+++ b/policy/modules/system/authlogin.te
|
+++ b/policy/modules/system/authlogin.te
|
||||||
@@ -5,22 +5,42 @@ policy_module(authlogin, 2.3.1)
|
@@ -5,22 +5,42 @@ policy_module(authlogin, 2.3.1)
|
||||||
@ -76957,7 +76968,7 @@ index f12b8ff..2293c1b 100644
|
|||||||
# Allow utemper to write to /tmp/.xses-*
|
# Allow utemper to write to /tmp/.xses-*
|
||||||
userdom_write_user_tmp_files(utempter_t)
|
userdom_write_user_tmp_files(utempter_t)
|
||||||
|
|
||||||
@@ -388,10 +416,74 @@ ifdef(`distro_ubuntu',`
|
@@ -388,10 +416,79 @@ ifdef(`distro_ubuntu',`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -76978,6 +76989,11 @@ index f12b8ff..2293c1b 100644
|
|||||||
+ ')
|
+ ')
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
+######################################
|
||||||
|
+#
|
||||||
|
+# nsswitch_domain local policy
|
||||||
|
+#
|
||||||
|
+
|
||||||
+auth_read_passwd(nsswitch_domain)
|
+auth_read_passwd(nsswitch_domain)
|
||||||
+
|
+
|
||||||
+# read /etc/nsswitch.conf
|
+# read /etc/nsswitch.conf
|
||||||
@ -78579,7 +78595,7 @@ index d26fe81..3ff8fef 100644
|
|||||||
+ allow $1 init_t:system undefined;
|
+ allow $1 init_t:system undefined;
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
||||||
index 5fb9683..0721079 100644
|
index 5fb9683..a2c2556 100644
|
||||||
--- a/policy/modules/system/init.te
|
--- a/policy/modules/system/init.te
|
||||||
+++ b/policy/modules/system/init.te
|
+++ b/policy/modules/system/init.te
|
||||||
@@ -16,6 +16,34 @@ gen_require(`
|
@@ -16,6 +16,34 @@ gen_require(`
|
||||||
@ -79001,7 +79017,7 @@ index 5fb9683..0721079 100644
|
|||||||
|
|
||||||
init_write_initctl(initrc_t)
|
init_write_initctl(initrc_t)
|
||||||
|
|
||||||
@@ -265,20 +494,34 @@ kernel_change_ring_buffer_level(initrc_t)
|
@@ -265,20 +494,35 @@ kernel_change_ring_buffer_level(initrc_t)
|
||||||
kernel_clear_ring_buffer(initrc_t)
|
kernel_clear_ring_buffer(initrc_t)
|
||||||
kernel_get_sysvipc_info(initrc_t)
|
kernel_get_sysvipc_info(initrc_t)
|
||||||
kernel_read_all_sysctls(initrc_t)
|
kernel_read_all_sysctls(initrc_t)
|
||||||
@ -79024,6 +79040,7 @@ index 5fb9683..0721079 100644
|
|||||||
+fs_manage_tmpfs_symlinks(initrc_t)
|
+fs_manage_tmpfs_symlinks(initrc_t)
|
||||||
+fs_delete_tmpfs_files(initrc_t)
|
+fs_delete_tmpfs_files(initrc_t)
|
||||||
+fs_tmpfs_filetrans(initrc_t, initrc_state_t, file)
|
+fs_tmpfs_filetrans(initrc_t, initrc_state_t, file)
|
||||||
|
+fs_read_nfsd_files(initrc_t)
|
||||||
|
|
||||||
corecmd_exec_all_executables(initrc_t)
|
corecmd_exec_all_executables(initrc_t)
|
||||||
|
|
||||||
@ -79040,7 +79057,7 @@ index 5fb9683..0721079 100644
|
|||||||
corenet_tcp_sendrecv_all_ports(initrc_t)
|
corenet_tcp_sendrecv_all_ports(initrc_t)
|
||||||
corenet_udp_sendrecv_all_ports(initrc_t)
|
corenet_udp_sendrecv_all_ports(initrc_t)
|
||||||
corenet_tcp_connect_all_ports(initrc_t)
|
corenet_tcp_connect_all_ports(initrc_t)
|
||||||
@@ -286,6 +529,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
|
@@ -286,6 +530,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
|
||||||
|
|
||||||
dev_read_rand(initrc_t)
|
dev_read_rand(initrc_t)
|
||||||
dev_read_urand(initrc_t)
|
dev_read_urand(initrc_t)
|
||||||
@ -79048,7 +79065,7 @@ index 5fb9683..0721079 100644
|
|||||||
dev_write_kmsg(initrc_t)
|
dev_write_kmsg(initrc_t)
|
||||||
dev_write_rand(initrc_t)
|
dev_write_rand(initrc_t)
|
||||||
dev_write_urand(initrc_t)
|
dev_write_urand(initrc_t)
|
||||||
@@ -296,8 +540,10 @@ dev_write_framebuffer(initrc_t)
|
@@ -296,8 +541,10 @@ dev_write_framebuffer(initrc_t)
|
||||||
dev_read_realtime_clock(initrc_t)
|
dev_read_realtime_clock(initrc_t)
|
||||||
dev_read_sound_mixer(initrc_t)
|
dev_read_sound_mixer(initrc_t)
|
||||||
dev_write_sound_mixer(initrc_t)
|
dev_write_sound_mixer(initrc_t)
|
||||||
@ -79059,7 +79076,7 @@ index 5fb9683..0721079 100644
|
|||||||
dev_delete_lvm_control_dev(initrc_t)
|
dev_delete_lvm_control_dev(initrc_t)
|
||||||
dev_manage_generic_symlinks(initrc_t)
|
dev_manage_generic_symlinks(initrc_t)
|
||||||
dev_manage_generic_files(initrc_t)
|
dev_manage_generic_files(initrc_t)
|
||||||
@@ -305,17 +551,16 @@ dev_manage_generic_files(initrc_t)
|
@@ -305,17 +552,16 @@ dev_manage_generic_files(initrc_t)
|
||||||
dev_delete_generic_symlinks(initrc_t)
|
dev_delete_generic_symlinks(initrc_t)
|
||||||
dev_getattr_all_blk_files(initrc_t)
|
dev_getattr_all_blk_files(initrc_t)
|
||||||
dev_getattr_all_chr_files(initrc_t)
|
dev_getattr_all_chr_files(initrc_t)
|
||||||
@ -79079,7 +79096,7 @@ index 5fb9683..0721079 100644
|
|||||||
domain_getsession_all_domains(initrc_t)
|
domain_getsession_all_domains(initrc_t)
|
||||||
domain_use_interactive_fds(initrc_t)
|
domain_use_interactive_fds(initrc_t)
|
||||||
# for lsof which is used by alsa shutdown:
|
# for lsof which is used by alsa shutdown:
|
||||||
@@ -323,6 +568,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
|
@@ -323,6 +569,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
|
||||||
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
|
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
|
||||||
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
|
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
|
||||||
domain_dontaudit_getattr_all_pipes(initrc_t)
|
domain_dontaudit_getattr_all_pipes(initrc_t)
|
||||||
@ -79087,7 +79104,7 @@ index 5fb9683..0721079 100644
|
|||||||
|
|
||||||
files_getattr_all_dirs(initrc_t)
|
files_getattr_all_dirs(initrc_t)
|
||||||
files_getattr_all_files(initrc_t)
|
files_getattr_all_files(initrc_t)
|
||||||
@@ -330,8 +576,10 @@ files_getattr_all_symlinks(initrc_t)
|
@@ -330,8 +577,10 @@ files_getattr_all_symlinks(initrc_t)
|
||||||
files_getattr_all_pipes(initrc_t)
|
files_getattr_all_pipes(initrc_t)
|
||||||
files_getattr_all_sockets(initrc_t)
|
files_getattr_all_sockets(initrc_t)
|
||||||
files_purge_tmp(initrc_t)
|
files_purge_tmp(initrc_t)
|
||||||
@ -79099,7 +79116,7 @@ index 5fb9683..0721079 100644
|
|||||||
files_delete_all_pids(initrc_t)
|
files_delete_all_pids(initrc_t)
|
||||||
files_delete_all_pid_dirs(initrc_t)
|
files_delete_all_pid_dirs(initrc_t)
|
||||||
files_read_etc_files(initrc_t)
|
files_read_etc_files(initrc_t)
|
||||||
@@ -347,8 +595,12 @@ files_list_isid_type_dirs(initrc_t)
|
@@ -347,8 +596,12 @@ files_list_isid_type_dirs(initrc_t)
|
||||||
files_mounton_isid_type_dirs(initrc_t)
|
files_mounton_isid_type_dirs(initrc_t)
|
||||||
files_list_default(initrc_t)
|
files_list_default(initrc_t)
|
||||||
files_mounton_default(initrc_t)
|
files_mounton_default(initrc_t)
|
||||||
@ -79113,7 +79130,7 @@ index 5fb9683..0721079 100644
|
|||||||
fs_list_inotifyfs(initrc_t)
|
fs_list_inotifyfs(initrc_t)
|
||||||
fs_register_binary_executable_type(initrc_t)
|
fs_register_binary_executable_type(initrc_t)
|
||||||
# rhgb-console writes to ramfs
|
# rhgb-console writes to ramfs
|
||||||
@@ -358,9 +610,12 @@ fs_mount_all_fs(initrc_t)
|
@@ -358,9 +611,12 @@ fs_mount_all_fs(initrc_t)
|
||||||
fs_unmount_all_fs(initrc_t)
|
fs_unmount_all_fs(initrc_t)
|
||||||
fs_remount_all_fs(initrc_t)
|
fs_remount_all_fs(initrc_t)
|
||||||
fs_getattr_all_fs(initrc_t)
|
fs_getattr_all_fs(initrc_t)
|
||||||
@ -79127,7 +79144,7 @@ index 5fb9683..0721079 100644
|
|||||||
mcs_killall(initrc_t)
|
mcs_killall(initrc_t)
|
||||||
mcs_process_set_categories(initrc_t)
|
mcs_process_set_categories(initrc_t)
|
||||||
|
|
||||||
@@ -370,6 +625,7 @@ mls_process_read_up(initrc_t)
|
@@ -370,6 +626,7 @@ mls_process_read_up(initrc_t)
|
||||||
mls_process_write_down(initrc_t)
|
mls_process_write_down(initrc_t)
|
||||||
mls_rangetrans_source(initrc_t)
|
mls_rangetrans_source(initrc_t)
|
||||||
mls_fd_share_all_levels(initrc_t)
|
mls_fd_share_all_levels(initrc_t)
|
||||||
@ -79135,7 +79152,7 @@ index 5fb9683..0721079 100644
|
|||||||
|
|
||||||
selinux_get_enforce_mode(initrc_t)
|
selinux_get_enforce_mode(initrc_t)
|
||||||
|
|
||||||
@@ -381,6 +637,7 @@ term_use_all_terms(initrc_t)
|
@@ -381,6 +638,7 @@ term_use_all_terms(initrc_t)
|
||||||
term_reset_tty_labels(initrc_t)
|
term_reset_tty_labels(initrc_t)
|
||||||
|
|
||||||
auth_rw_login_records(initrc_t)
|
auth_rw_login_records(initrc_t)
|
||||||
@ -79143,7 +79160,7 @@ index 5fb9683..0721079 100644
|
|||||||
auth_setattr_login_records(initrc_t)
|
auth_setattr_login_records(initrc_t)
|
||||||
auth_rw_lastlog(initrc_t)
|
auth_rw_lastlog(initrc_t)
|
||||||
auth_read_pam_pid(initrc_t)
|
auth_read_pam_pid(initrc_t)
|
||||||
@@ -401,18 +658,17 @@ logging_read_audit_config(initrc_t)
|
@@ -401,18 +659,17 @@ logging_read_audit_config(initrc_t)
|
||||||
|
|
||||||
miscfiles_read_localization(initrc_t)
|
miscfiles_read_localization(initrc_t)
|
||||||
# slapd needs to read cert files from its initscript
|
# slapd needs to read cert files from its initscript
|
||||||
@ -79165,7 +79182,7 @@ index 5fb9683..0721079 100644
|
|||||||
|
|
||||||
ifdef(`distro_debian',`
|
ifdef(`distro_debian',`
|
||||||
dev_setattr_generic_dirs(initrc_t)
|
dev_setattr_generic_dirs(initrc_t)
|
||||||
@@ -465,6 +721,10 @@ ifdef(`distro_gentoo',`
|
@@ -465,6 +722,10 @@ ifdef(`distro_gentoo',`
|
||||||
sysnet_setattr_config(initrc_t)
|
sysnet_setattr_config(initrc_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -79176,7 +79193,7 @@ index 5fb9683..0721079 100644
|
|||||||
alsa_read_lib(initrc_t)
|
alsa_read_lib(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -485,7 +745,7 @@ ifdef(`distro_redhat',`
|
@@ -485,7 +746,7 @@ ifdef(`distro_redhat',`
|
||||||
|
|
||||||
# Red Hat systems seem to have a stray
|
# Red Hat systems seem to have a stray
|
||||||
# fd open from the initrd
|
# fd open from the initrd
|
||||||
@ -79185,7 +79202,7 @@ index 5fb9683..0721079 100644
|
|||||||
files_dontaudit_read_root_files(initrc_t)
|
files_dontaudit_read_root_files(initrc_t)
|
||||||
|
|
||||||
# These seem to be from the initrd
|
# These seem to be from the initrd
|
||||||
@@ -500,6 +760,7 @@ ifdef(`distro_redhat',`
|
@@ -500,6 +761,7 @@ ifdef(`distro_redhat',`
|
||||||
files_create_boot_dirs(initrc_t)
|
files_create_boot_dirs(initrc_t)
|
||||||
files_create_boot_flag(initrc_t)
|
files_create_boot_flag(initrc_t)
|
||||||
files_rw_boot_symlinks(initrc_t)
|
files_rw_boot_symlinks(initrc_t)
|
||||||
@ -79193,7 +79210,7 @@ index 5fb9683..0721079 100644
|
|||||||
# wants to read /.fonts directory
|
# wants to read /.fonts directory
|
||||||
files_read_default_files(initrc_t)
|
files_read_default_files(initrc_t)
|
||||||
files_mountpoint(initrc_tmp_t)
|
files_mountpoint(initrc_tmp_t)
|
||||||
@@ -520,6 +781,7 @@ ifdef(`distro_redhat',`
|
@@ -520,6 +782,7 @@ ifdef(`distro_redhat',`
|
||||||
miscfiles_rw_localization(initrc_t)
|
miscfiles_rw_localization(initrc_t)
|
||||||
miscfiles_setattr_localization(initrc_t)
|
miscfiles_setattr_localization(initrc_t)
|
||||||
miscfiles_relabel_localization(initrc_t)
|
miscfiles_relabel_localization(initrc_t)
|
||||||
@ -79201,7 +79218,7 @@ index 5fb9683..0721079 100644
|
|||||||
|
|
||||||
miscfiles_read_fonts(initrc_t)
|
miscfiles_read_fonts(initrc_t)
|
||||||
miscfiles_read_hwdata(initrc_t)
|
miscfiles_read_hwdata(initrc_t)
|
||||||
@@ -529,8 +791,35 @@ ifdef(`distro_redhat',`
|
@@ -529,8 +792,35 @@ ifdef(`distro_redhat',`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -79237,7 +79254,7 @@ index 5fb9683..0721079 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -538,14 +827,27 @@ ifdef(`distro_redhat',`
|
@@ -538,14 +828,27 @@ ifdef(`distro_redhat',`
|
||||||
rpc_write_exports(initrc_t)
|
rpc_write_exports(initrc_t)
|
||||||
rpc_manage_nfs_state_data(initrc_t)
|
rpc_manage_nfs_state_data(initrc_t)
|
||||||
')
|
')
|
||||||
@ -79265,7 +79282,7 @@ index 5fb9683..0721079 100644
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -556,6 +858,39 @@ ifdef(`distro_suse',`
|
@@ -556,6 +859,39 @@ ifdef(`distro_suse',`
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -79305,7 +79322,7 @@ index 5fb9683..0721079 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
amavis_search_lib(initrc_t)
|
amavis_search_lib(initrc_t)
|
||||||
amavis_setattr_pid_files(initrc_t)
|
amavis_setattr_pid_files(initrc_t)
|
||||||
@@ -568,6 +903,8 @@ optional_policy(`
|
@@ -568,6 +904,8 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
apache_read_config(initrc_t)
|
apache_read_config(initrc_t)
|
||||||
apache_list_modules(initrc_t)
|
apache_list_modules(initrc_t)
|
||||||
@ -79314,7 +79331,7 @@ index 5fb9683..0721079 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -589,6 +926,7 @@ optional_policy(`
|
@@ -589,6 +927,7 @@ optional_policy(`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
cgroup_stream_connect_cgred(initrc_t)
|
cgroup_stream_connect_cgred(initrc_t)
|
||||||
@ -79322,7 +79339,7 @@ index 5fb9683..0721079 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -601,6 +939,17 @@ optional_policy(`
|
@@ -601,6 +940,17 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -79340,7 +79357,7 @@ index 5fb9683..0721079 100644
|
|||||||
dev_getattr_printer_dev(initrc_t)
|
dev_getattr_printer_dev(initrc_t)
|
||||||
|
|
||||||
cups_read_log(initrc_t)
|
cups_read_log(initrc_t)
|
||||||
@@ -617,9 +966,13 @@ optional_policy(`
|
@@ -617,9 +967,13 @@ optional_policy(`
|
||||||
dbus_connect_system_bus(initrc_t)
|
dbus_connect_system_bus(initrc_t)
|
||||||
dbus_system_bus_client(initrc_t)
|
dbus_system_bus_client(initrc_t)
|
||||||
dbus_read_config(initrc_t)
|
dbus_read_config(initrc_t)
|
||||||
@ -79354,7 +79371,7 @@ index 5fb9683..0721079 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -644,6 +997,10 @@ optional_policy(`
|
@@ -644,6 +998,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -79365,7 +79382,7 @@ index 5fb9683..0721079 100644
|
|||||||
gpm_setattr_gpmctl(initrc_t)
|
gpm_setattr_gpmctl(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -661,6 +1018,15 @@ optional_policy(`
|
@@ -661,6 +1019,15 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -79381,7 +79398,7 @@ index 5fb9683..0721079 100644
|
|||||||
inn_exec_config(initrc_t)
|
inn_exec_config(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -701,6 +1067,7 @@ optional_policy(`
|
@@ -701,6 +1068,7 @@ optional_policy(`
|
||||||
lpd_list_spool(initrc_t)
|
lpd_list_spool(initrc_t)
|
||||||
|
|
||||||
lpd_read_config(initrc_t)
|
lpd_read_config(initrc_t)
|
||||||
@ -79389,7 +79406,7 @@ index 5fb9683..0721079 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -718,7 +1085,13 @@ optional_policy(`
|
@@ -718,7 +1086,13 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -79403,7 +79420,7 @@ index 5fb9683..0721079 100644
|
|||||||
mta_dontaudit_read_spool_symlinks(initrc_t)
|
mta_dontaudit_read_spool_symlinks(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -741,6 +1114,10 @@ optional_policy(`
|
@@ -741,6 +1115,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -79414,7 +79431,7 @@ index 5fb9683..0721079 100644
|
|||||||
postgresql_manage_db(initrc_t)
|
postgresql_manage_db(initrc_t)
|
||||||
postgresql_read_config(initrc_t)
|
postgresql_read_config(initrc_t)
|
||||||
')
|
')
|
||||||
@@ -750,10 +1127,20 @@ optional_policy(`
|
@@ -750,10 +1128,20 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -79435,7 +79452,7 @@ index 5fb9683..0721079 100644
|
|||||||
quota_manage_flags(initrc_t)
|
quota_manage_flags(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -762,6 +1149,10 @@ optional_policy(`
|
@@ -762,6 +1150,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -79446,7 +79463,7 @@ index 5fb9683..0721079 100644
|
|||||||
fs_write_ramfs_sockets(initrc_t)
|
fs_write_ramfs_sockets(initrc_t)
|
||||||
fs_search_ramfs(initrc_t)
|
fs_search_ramfs(initrc_t)
|
||||||
|
|
||||||
@@ -783,8 +1174,6 @@ optional_policy(`
|
@@ -783,8 +1175,6 @@ optional_policy(`
|
||||||
# bash tries ioctl for some reason
|
# bash tries ioctl for some reason
|
||||||
files_dontaudit_ioctl_all_pids(initrc_t)
|
files_dontaudit_ioctl_all_pids(initrc_t)
|
||||||
|
|
||||||
@ -79455,7 +79472,7 @@ index 5fb9683..0721079 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -793,6 +1182,10 @@ optional_policy(`
|
@@ -793,6 +1183,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -79466,7 +79483,7 @@ index 5fb9683..0721079 100644
|
|||||||
# shorewall-init script run /var/lib/shorewall/firewall
|
# shorewall-init script run /var/lib/shorewall/firewall
|
||||||
shorewall_lib_domtrans(initrc_t)
|
shorewall_lib_domtrans(initrc_t)
|
||||||
')
|
')
|
||||||
@@ -802,10 +1195,12 @@ optional_policy(`
|
@@ -802,10 +1196,12 @@ optional_policy(`
|
||||||
squid_manage_logs(initrc_t)
|
squid_manage_logs(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -79479,7 +79496,7 @@ index 5fb9683..0721079 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
ssh_dontaudit_read_server_keys(initrc_t)
|
ssh_dontaudit_read_server_keys(initrc_t)
|
||||||
@@ -817,7 +1212,6 @@ optional_policy(`
|
@@ -817,7 +1213,6 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -79487,7 +79504,7 @@ index 5fb9683..0721079 100644
|
|||||||
udev_manage_pid_files(initrc_t)
|
udev_manage_pid_files(initrc_t)
|
||||||
udev_manage_rules_files(initrc_t)
|
udev_manage_rules_files(initrc_t)
|
||||||
')
|
')
|
||||||
@@ -827,12 +1221,30 @@ optional_policy(`
|
@@ -827,12 +1222,30 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -79520,7 +79537,7 @@ index 5fb9683..0721079 100644
|
|||||||
|
|
||||||
ifdef(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
# system-config-services causes avc messages that should be dontaudited
|
# system-config-services causes avc messages that should be dontaudited
|
||||||
@@ -842,6 +1254,18 @@ optional_policy(`
|
@@ -842,6 +1255,18 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
mono_domtrans(initrc_t)
|
mono_domtrans(initrc_t)
|
||||||
')
|
')
|
||||||
@ -79539,7 +79556,7 @@ index 5fb9683..0721079 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -857,6 +1281,10 @@ optional_policy(`
|
@@ -857,6 +1282,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -79550,7 +79567,7 @@ index 5fb9683..0721079 100644
|
|||||||
# Set device ownerships/modes.
|
# Set device ownerships/modes.
|
||||||
xserver_setattr_console_pipes(initrc_t)
|
xserver_setattr_console_pipes(initrc_t)
|
||||||
|
|
||||||
@@ -867,3 +1295,165 @@ optional_policy(`
|
@@ -867,3 +1296,165 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
zebra_read_config(initrc_t)
|
zebra_read_config(initrc_t)
|
||||||
')
|
')
|
||||||
|
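Review bot: The added `fs_read_nfsd_files(initrc_t)` in the initrc_t rules of init.te (new-side hunk `@@ -265,20 +494,35 @@`) has no comment saying why the init-script domain needs to read nfsd files, although other rules in this file carry one (for example the rhgb-console line). The commit message gives the reason, so I would put it next to the rule: `# exportfs is not confined and runs in initrc_t, where it reads nfsd files`. Since the access goes to every init script rather than to exportfs alone, the comment should also say the rule can be dropped once exportfs has its own domain. Separately, the four commented-out lines added to `corecmd_exec_bin` (the disabled enable_mls block calling `files_exec_usr_files` and `libs_exec_lib_files`) would, judging by the interface names, let every caller execute usr and lib files on non-MLS builds if they were ever uncommented; either remove them or add a line stating why they are disabled.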
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.11.0
|
Version: 3.11.0
|
||||||
Release: 7%{?dist}
|
Release: 8%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -491,6 +491,21 @@ SELinux Reference policy mls base module.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jul 3 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-8
|
||||||
|
- initrc is calling exportfs which is not confined so it attempts to read nfsd_files
|
||||||
|
- Fixes for passenger running within openshift.
|
||||||
|
- Add labeling for all tomcat6 dirs
|
||||||
|
- Add support for tomcat6
|
||||||
|
- Allow cobblerd to read /etc/passwd
|
||||||
|
- Allow jockey to read sysfs and and execute binaries with bin_t
|
||||||
|
- Allow thum to use user terminals
|
||||||
|
- Allow cgclear to read cgconfig config files
|
||||||
|
- Fix bcf2g.fc
|
||||||
|
- Remove sysnet_dns_name_resolve() from policies where auth_use_nsswitch() is used for other domains
|
||||||
|
- Allow dbomatic to execute ruby
|
||||||
|
- abrt_watch_log should be abrt_domain
|
||||||
|
- Allow mozilla_plugin to connect to gatekeeper port
|
||||||
|
|
||||||
* Wed Jun 27 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-7
|
* Wed Jun 27 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-7
|
||||||
- add ptrace_child access to process
|
- add ptrace_child access to process
|
||||||
- remove files_read_etc_files() calling from all policies which have auth_use_nsswith()
|
- remove files_read_etc_files() calling from all policies which have auth_use_nsswith()
|
||||||
|