- Merge systemd patch
- systemd-tmpfiles wants to relabel /sys/devices/system/cpu/online - Allow deltacloudd dac_override, setuid, setgid caps - Allow aisexec to execute shell - Add use_nfs_home_dirs boolean for ssh-keygen
This commit is contained in:
parent
e9660551a3
commit
153cc80f87
360
policy-F16.patch
360
policy-F16.patch
@ -14902,23 +14902,31 @@ index 6cf8784..2354089 100644
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index f820f3b..d5892cc 100644
index f820f3b..85b04c0 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
relabelfrom_dirs_pattern($1, device_t, device_node)
relabelfrom_files_pattern($1, device_t, device_node)
relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
type device_t;
')
- relabelfrom_dirs_pattern($1, device_t, device_node)
- relabelfrom_files_pattern($1, device_t, device_node)
- relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
- relabelfrom_fifo_files_pattern($1, device_t, device_node)
- relabelfrom_sock_files_pattern($1, device_t, device_node)
+ relabel_fifo_files_pattern($1, device_t, { device_t device_node })
+ relabel_sock_files_pattern($1, device_t, { device_t device_node })
relabel_blk_files_pattern($1, device_t, { device_t device_node })
relabel_chr_files_pattern($1, device_t, { device_t device_node })
')
########################################
## <summary>
- relabel_blk_files_pattern($1, device_t, { device_t device_node })
- relabel_chr_files_pattern($1, device_t, { device_t device_node })
+ relabel_dirs_pattern($1, device_t, device_node)
+ relabel_files_pattern($1, device_t, device_node)
+ relabel_lnk_files_pattern($1, device_t, device_node)
+ relabel_fifo_files_pattern($1, device_t, device_node)
+ relabel_sock_files_pattern($1, device_t, device_node)
+ relabel_blk_files_pattern($1, device_t, device_node)
+ relabel_chr_files_pattern($1, device_t, device_node)
+')
+
+########################################
+## <summary>
+## Allow full relabeling (to and from) of all device files.
+## </summary>
+## <param name="domain">
@ -14934,13 +14942,9 @@ index f820f3b..d5892cc 100644
+ ')
+
+ relabel_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
## List all of the device nodes in a device directory.
## </summary>
## <param name="domain">
')
########################################
@@ -209,6 +228,24 @@ interface(`dev_dontaudit_list_all_dev_nodes',`
########################################
@ -15416,7 +15420,7 @@ index f820f3b..d5892cc 100644
list_dirs_pattern($1, sysfs_t, sysfs_t)
')
@@ -3902,21 +4177,26 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
@@ -3902,23 +4177,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
########################################
## <summary>
@ -15437,18 +15441,40 @@ index f820f3b..d5892cc 100644
#
-interface(`dev_manage_sysfs_dirs',`
+interface(`dev_read_cpu_online',`
gen_require(`
- type sysfs_t;
+ gen_require(`
+ type cpu_online_t;
+ ')
+
+ dev_search_sysfs($1)
+ read_files_pattern($1, cpu_online_t, cpu_online_t)
+')
+
+########################################
+## <summary>
+## Relabel cpu online hardware state information.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_relabel_cpu_online',`
gen_require(`
+ type cpu_online_t;
type sysfs_t;
')
- manage_dirs_pattern($1, sysfs_t, sysfs_t)
+ dev_search_sysfs($1)
+ read_files_pattern($1, cpu_online_t, cpu_online_t)
+ allow $1 cpu_online_t:file relabel_file_perms;
')
+
########################################
@@ -3972,6 +4252,42 @@ interface(`dev_rw_sysfs',`
## <summary>
## Read hardware state information.
@@ -3972,6 +4273,62 @@ interface(`dev_rw_sysfs',`
########################################
## <summary>
@ -15470,6 +15496,26 @@ index f820f3b..d5892cc 100644
+
+########################################
+## <summary>
+## Relabel hardware state files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_relabel_all_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
+ relabel_files_pattern($1, sysfs_t, sysfs_t)
+ relabel_lnk_files_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
+## <summary>
+## Allow caller to modify hardware state information.
+## </summary>
+## <param name="domain">
@ -15491,7 +15537,7 @@ index f820f3b..d5892cc 100644
## Read and write the TPM device.
## </summary>
## <param name="domain">
@@ -4069,6 +4385,25 @@ interface(`dev_write_urand',`
@@ -4069,6 +4426,25 @@ interface(`dev_write_urand',`
########################################
## <summary>
@ -15517,7 +15563,7 @@ index f820f3b..d5892cc 100644
## Getattr generic the USB devices.
## </summary>
## <param name="domain">
@@ -4103,6 +4438,24 @@ interface(`dev_setattr_generic_usb_dev',`
@@ -4103,6 +4479,24 @@ interface(`dev_setattr_generic_usb_dev',`
setattr_chr_files_pattern($1, device_t, usb_device_t)
')
@ -15542,7 +15588,7 @@ index f820f3b..d5892cc 100644
########################################
## <summary>
## Read generic the USB devices.
@@ -4495,6 +4848,24 @@ interface(`dev_rw_vhost',`
@@ -4495,6 +4889,24 @@ interface(`dev_rw_vhost',`
########################################
## <summary>
@ -15567,7 +15613,7 @@ index f820f3b..d5892cc 100644
## Read and write VMWare devices.
## </summary>
## <param name="domain">
@@ -4695,6 +5066,26 @@ interface(`dev_rw_xserver_misc',`
@@ -4695,6 +5107,26 @@ interface(`dev_rw_xserver_misc',`
########################################
## <summary>
@ -15594,7 +15640,7 @@ index f820f3b..d5892cc 100644
## Read and write to the zero device (/dev/zero).
## </summary>
## <param name="domain">
@@ -4784,3 +5175,822 @@ interface(`dev_unconfined',`
@@ -4784,3 +5216,822 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@ -21894,7 +21940,7 @@ index be4de58..7e8b6ec 100644
init_exec(secadm_t)
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 2be17d2..8ea3385 100644
index 2be17d2..cdcc621 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,55 @@ policy_module(staff, 2.2.0)
@ -21953,13 +21999,17 @@ index 2be17d2..8ea3385 100644
optional_policy(`
apache_role(staff_r, staff_t)
')
@@ -23,23 +66,115 @@ optional_policy(`
@@ -23,23 +66,119 @@ optional_policy(`
')
optional_policy(`
+ blueman_dbus_chat(staff_t)
+')
+
+optional_policy(`
+ bluetooth_role(staff_r, staff_t)
+')
+
+optional_policy(`
dbadm_role_change(staff_r)
')
@ -22071,7 +22121,7 @@ index 2be17d2..8ea3385 100644
')
optional_policy(`
@@ -48,10 +183,52 @@ optional_policy(`
@@ -48,10 +187,52 @@ optional_policy(`
')
optional_policy(`
@ -22124,6 +22174,17 @@ index 2be17d2..8ea3385 100644
xserver_role(staff_r, staff_t)
')
@@ -61,10 +242,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
- bluetooth_role(staff_r, staff_t)
- ')
-
- optional_policy(`
cdrecord_role(staff_r, staff_t)
')
@@ -89,18 +266,10 @@ ifndef(`distro_redhat',`
')
@ -23672,10 +23733,10 @@ index 0000000..692ef0d
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index e5bfdd4..77967bd 100644
index e5bfdd4..7e0ea58 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -12,15 +12,101 @@ role user_r;
@@ -12,15 +12,105 @@ role user_r;
userdom_unpriv_user_template(user)
@ -23702,6 +23763,10 @@ index e5bfdd4..77967bd 100644
+')
+
+optional_policy(`
+ bluetooth_role(user_r, user_t)
+')
+
+optional_policy(`
+ colord_dbus_chat(user_t)
+')
+
@ -23777,7 +23842,7 @@ index e5bfdd4..77967bd 100644
vlock_run(user_t, user_r)
')
@@ -62,19 +148,11 @@ ifndef(`distro_redhat',`
@@ -62,19 +152,11 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@ -23798,7 +23863,7 @@ index e5bfdd4..77967bd 100644
')
optional_policy(`
@@ -98,10 +176,6 @@ ifndef(`distro_redhat',`
@@ -98,10 +180,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@ -23809,7 +23874,7 @@ index e5bfdd4..77967bd 100644
postgresql_role(user_r, user_t)
')
@@ -118,11 +192,7 @@ ifndef(`distro_redhat',`
@@ -118,11 +196,7 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@ -23822,7 +23887,7 @@ index e5bfdd4..77967bd 100644
')
optional_policy(`
@@ -157,3 +227,4 @@ ifndef(`distro_redhat',`
@@ -157,3 +231,4 @@ ifndef(`distro_redhat',`
wireshark_role(user_r, user_t)
')
')
@ -24945,10 +25010,18 @@ index 0370dba..feea7e5 100644
domain_system_change_exemption($1)
role_transition $2 aisexec_initrc_exec_t system_r;
diff --git a/policy/modules/services/aisexec.te b/policy/modules/services/aisexec.te
index 64953f7..99a750b 100644
index 64953f7..244259f 100644
--- a/policy/modules/services/aisexec.te
+++ b/policy/modules/services/aisexec.te
@@ -89,6 +89,10 @@ optional_policy(`
@@ -64,6 +64,7 @@ files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file })
kernel_read_system_state(aisexec_t)
corecmd_exec_bin(aisexec_t)
+corecmd_exec_shell(aisexec_t)
corenet_udp_bind_netsupport_port(aisexec_t)
corenet_tcp_bind_reserved_port(aisexec_t)
@@ -89,6 +90,10 @@ optional_policy(`
')
optional_policy(`
@ -25227,7 +25300,7 @@ index deca9d3..ae8c579 100644
')
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
index 9e39aa5..90a9e33 100644
index 9e39aa5..13de2fb 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -1,13 +1,18 @@
@ -25348,7 +25421,7 @@ index 9e39aa5..90a9e33 100644
/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
@@ -104,8 +127,24 @@ ifdef(`distro_debian', `
@@ -104,8 +127,26 @@ ifdef(`distro_debian', `
/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@ -25366,6 +25439,8 @@ index 9e39aa5..90a9e33 100644
+
+/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@ -28307,10 +28382,10 @@ index 0000000..d694c0a
+')
diff --git a/policy/modules/services/blueman.te b/policy/modules/services/blueman.te
new file mode 100644
index 0000000..12ef44c
index 0000000..bccefc9
--- /dev/null
+++ b/policy/modules/services/blueman.te
@@ -0,0 +1,38 @@
@@ -0,0 +1,42 @@
+policy_module(blueman, 1.0.0)
+
+########################################
@ -28349,6 +28424,10 @@ index 0000000..12ef44c
+optional_policy(`
+ avahi_domtrans(blueman_t)
+')
+
+optional_policy(`
+ gnome_search_gconf(blueman_t)
+')
diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
index 3e45431..a726c09 100644
--- a/policy/modules/services/bluetooth.if
@ -31022,10 +31101,10 @@ index 0000000..7f55959
+')
diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te
new file mode 100644
index 0000000..4f0bd8d
index 0000000..2be12fd
--- /dev/null
+++ b/policy/modules/services/cloudform.te
@@ -0,0 +1,218 @@
@@ -0,0 +1,220 @@
+policy_module(cloudform, 1.0)
+########################################
+#
@ -31098,6 +31177,8 @@ index 0000000..4f0bd8d
+# deltacloudd local policy
+#
+
+allow deltacloudd_t self:capability { dac_override setuid setgid };
+
+allow deltacloudd_t self:netlink_route_socket r_netlink_socket_perms;
+allow deltacloudd_t self:udp_socket create_socket_perms;
+
@ -36170,7 +36251,7 @@ index 5e2cea8..8eec089 100644
+ dhcpd_systemctl($1)
')
diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
index d4424ad..f90959a 100644
index d4424ad..5d01064 100644
--- a/policy/modules/services/dhcp.te
+++ b/policy/modules/services/dhcp.te
@@ -12,6 +12,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
@ -36188,7 +36269,7 @@ index d4424ad..f90959a 100644
#
-allow dhcpd_t self:capability { net_raw sys_resource };
+allow dhcpd_t self:capability { sys_chroot net_raw setgid setuid sys_resource };
+allow dhcpd_t self:capability { dac_override sys_chroot net_raw setgid setuid sys_resource };
dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
-allow dhcpd_t self:process signal_perms;
+allow dhcpd_t self:process { getcap setcap signal_perms };
@ -38336,10 +38417,10 @@ index 0000000..67906f0
+## <summary>Generate entropy from audio input</summary>
diff --git a/policy/modules/services/entropyd.te b/policy/modules/services/entropyd.te
new file mode 100644
index 0000000..b6ac808
index 0000000..053caed
--- /dev/null
+++ b/policy/modules/services/entropyd.te
@@ -0,0 +1,80 @@
@@ -0,0 +1,82 @@
+policy_module(entropyd, 1.7.0)
+
+########################################
@ -38394,6 +38475,8 @@ index 0000000..b6ac808
+
+logging_send_syslog_msg(entropyd_t)
+
+auth_use_nsswitch(entropyd_t)
+
+miscfiles_read_localization(entropyd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
@ -62492,7 +62575,7 @@ index 22adaca..6ec295a 100644
+ userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 2dad3c8..12ad27c 100644
index 2dad3c8..cf94c2b 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,26 +6,44 @@ policy_module(ssh, 2.2.0)
@ -62897,22 +62980,25 @@ index 2dad3c8..12ad27c 100644
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
@@ -351,15 +408,86 @@ auth_use_nsswitch(ssh_keygen_t)
@@ -351,9 +408,11 @@ auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
+userdom_use_user_terminals(ssh_keygen_t)
optional_policy(`
-optional_policy(`
- nscd_socket_use(ssh_keygen_t)
+ seutil_sigchld_newrole(ssh_keygen_t)
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files(ssh_keygen_t)
+ fs_manage_nfs_dirs(ssh_keygen_t)
')
optional_policy(`
- seutil_sigchld_newrole(ssh_keygen_t)
+ udev_read_db(ssh_keygen_t)
@@ -363,3 +422,77 @@ optional_policy(`
optional_policy(`
udev_read_db(ssh_keygen_t)
')
+
+####################################
+#
+# ssh_dyntransition domain local policy
@ -62922,8 +63008,7 @@ index 2dad3c8..12ad27c 100644
+
+allow ssh_dyntransition_domain self:fifo_file rw_fifo_file_perms;
+
optional_policy(`
- udev_read_db(ssh_keygen_t)
+optional_policy(`
+ ssh_rw_stream_sockets(ssh_dyntransition_domain)
+ ssh_rw_tcp_sockets(ssh_dyntransition_domain)
+')
@ -62986,7 +63071,7 @@ index 2dad3c8..12ad27c 100644
+
+optional_policy(`
+ ssh_rw_dgram_sockets(chroot_user_t)
')
+')
diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if
index 941380a..e1095f0 100644
--- a/policy/modules/services/sssd.if
@ -64641,7 +64726,7 @@ index 32a3c13..e3d91ad 100644
optional_policy(`
diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
index 2124b6a..49c15d1 100644
index 2124b6a..246df1a 100644
--- a/policy/modules/services/virt.fc
+++ b/policy/modules/services/virt.fc
@@ -1,5 +1,6 @@
@ -64653,7 +64738,7 @@ index 2124b6a..49c15d1 100644
HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0)
@@ -12,18 +13,39 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
@@ -12,18 +13,43 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
@ -64696,6 +64781,10 @@ index 2124b6a..49c15d1 100644
+
+# support for nova-stack
+/usr/bin/nova-compute -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
index 7c5d8d8..e6bb21e 100644
--- a/policy/modules/services/virt.if
@ -74729,7 +74818,7 @@ index a0b379d..2291a13 100644
- nscd_socket_use(sulogin_t)
-')
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index 02f4c97..170e2e0 100644
index 02f4c97..3bdf89f 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -17,12 +17,27 @@
@ -74770,7 +74859,15 @@ index 02f4c97..170e2e0 100644
/var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/cron[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
@@ -66,6 +81,7 @@ ifdef(`distro_redhat',`
@@ -46,6 +61,7 @@ ifdef(`distro_suse', `
/var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+/var/run/log(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
ifndef(`distro_gentoo',`
/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
@@ -66,6 +82,7 @@ ifdef(`distro_redhat',`
/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
/var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
/var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
@ -74778,7 +74875,7 @@ index 02f4c97..170e2e0 100644
/var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
/var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
@@ -73,4 +89,9 @@ ifdef(`distro_redhat',`
@@ -73,4 +90,9 @@ ifdef(`distro_redhat',`
/var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)
@ -75044,7 +75141,7 @@ index 831b909..118f708 100644
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index b6ec597..5684c8a 100644
index b6ec597..688f59a 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -5,6 +5,13 @@ policy_module(logging, 1.17.2)
@ -75162,7 +75259,7 @@ index b6ec597..5684c8a 100644
# sys_admin for the integrated klog of syslog-ng and metalog
# cjp: why net_admin!
-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
+allow syslogd_t self:capability { dac_override sys_resource sys_tty_config ipc_lock net_admin sys_admin sys_nice chown fsetid };
+allow syslogd_t self:capability { dac_override sys_resource sys_tty_config ipc_lock net_admin sys_admin sys_nice chown fsetid setuid setgid };
dontaudit syslogd_t self:capability sys_tty_config;
+allow syslogd_t self:capability2 syslog;
# setpgid for metalog
@ -75196,7 +75293,7 @@ index b6ec597..5684c8a 100644
# manage pid file
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
@@ -426,10 +466,20 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
@@ -426,10 +466,21 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t)
@ -75208,6 +75305,7 @@ index b6ec597..5684c8a 100644
dev_filetrans(syslogd_t, devlog_t, sock_file)
dev_read_sysfs(syslogd_t)
+dev_read_rand(syslogd_t)
+dev_read_urand(syslogd_t)
+# relating to systemd-kmsg-syslogd
+dev_write_kmsg(syslogd_t)
@ -75217,15 +75315,17 @@ index b6ec597..5684c8a 100644
files_read_etc_files(syslogd_t)
files_read_usr_files(syslogd_t)
@@ -448,6 +498,7 @@ term_write_console(syslogd_t)
@@ -447,7 +498,9 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and
term_write_console(syslogd_t)
# Allow syslog to a terminal
term_write_unallocated_ttys(syslogd_t)
+term_use_generic_ptys(syslogd_t)
+init_stream_connect(syslogd_t)
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
@@ -459,6 +510,7 @@ init_use_fds(syslogd_t)
@@ -459,6 +512,7 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@ -75233,7 +75333,7 @@ index b6ec597..5684c8a 100644
miscfiles_read_localization(syslogd_t)
@@ -496,11 +548,20 @@ optional_policy(`
@@ -496,11 +550,20 @@ optional_policy(`
')
optional_policy(`
@ -78272,7 +78372,7 @@ index ff80d0a..22c9f0d 100644
+ files_etc_filetrans($1, net_conf_t, file, "yp.conf")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 34d0ec5..8aa3908 100644
index 34d0ec5..58f8e6e 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2)
@ -78381,9 +78481,12 @@ index 34d0ec5..8aa3908 100644
domain_use_interactive_fds(dhcpc_t)
domain_dontaudit_read_all_domains_state(dhcpc_t)
@@ -130,13 +151,14 @@ term_dontaudit_use_unallocated_ttys(dhcpc_t)
@@ -129,14 +150,17 @@ term_dontaudit_use_all_ptys(dhcpc_t)
term_dontaudit_use_unallocated_ttys(dhcpc_t)
term_dontaudit_use_generic_ptys(dhcpc_t)
+auth_use_nsswitch(dhcpc_t)
+
init_rw_utmp(dhcpc_t)
+init_stream_connect(dhcpc_t)
+init_stream_send(dhcpc_t)
@ -78398,7 +78501,7 @@ index 34d0ec5..8aa3908 100644
userdom_use_user_terminals(dhcpc_t)
userdom_dontaudit_search_user_home_dirs(dhcpc_t)
@@ -151,7 +173,18 @@ ifdef(`distro_ubuntu',`
@@ -151,7 +175,18 @@ ifdef(`distro_ubuntu',`
')
optional_policy(`
@ -78418,7 +78521,7 @@ index 34d0ec5..8aa3908 100644
')
optional_policy(`
@@ -171,6 +204,8 @@ optional_policy(`
@@ -171,6 +206,8 @@ optional_policy(`
optional_policy(`
hal_dontaudit_rw_dgram_sockets(dhcpc_t)
@ -78427,7 +78530,7 @@ index 34d0ec5..8aa3908 100644
')
optional_policy(`
@@ -192,17 +227,31 @@ optional_policy(`
@@ -192,17 +229,31 @@ optional_policy(`
')
optional_policy(`
@ -78459,7 +78562,7 @@ index 34d0ec5..8aa3908 100644
')
optional_policy(`
@@ -213,6 +262,11 @@ optional_policy(`
@@ -213,6 +264,11 @@ optional_policy(`
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
@ -78471,7 +78574,7 @@ index 34d0ec5..8aa3908 100644
')
optional_policy(`
@@ -255,6 +309,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
@@ -255,6 +311,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
@ -78479,24 +78582,34 @@ index 34d0ec5..8aa3908 100644
# for /sbin/ip
allow ifconfig_t self:packet_socket create_socket_perms;
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
@@ -276,8 +331,11 @@ dev_read_urand(ifconfig_t)
@@ -276,8 +333,12 @@ dev_read_urand(ifconfig_t)
domain_use_interactive_fds(ifconfig_t)
+read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t)
+
+files_dontaudit_read_root_files(ifconfig_t)
files_read_etc_files(ifconfig_t)
files_read_etc_runtime_files(ifconfig_t)
+files_read_usr_files(ifconfig_t)
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
@@ -301,11 +359,12 @@ logging_send_syslog_msg(ifconfig_t)
@@ -290,7 +351,7 @@ term_dontaudit_use_all_ptys(ifconfig_t)
term_dontaudit_use_ptmx(ifconfig_t)
term_dontaudit_use_generic_ptys(ifconfig_t)
-files_dontaudit_read_root_files(ifconfig_t)
+auth_use_nsswitch(ifconfig_t)
init_use_fds(ifconfig_t)
init_use_script_ptys(ifconfig_t)
@@ -301,11 +362,11 @@ logging_send_syslog_msg(ifconfig_t)
miscfiles_read_localization(ifconfig_t)
-modutils_domtrans_insmod(ifconfig_t)
-
seutil_use_runinit_fds(ifconfig_t)
-userdom_use_user_terminals(ifconfig_t)
@ -78506,7 +78619,7 @@ index 34d0ec5..8aa3908 100644
userdom_use_all_users_fds(ifconfig_t)
ifdef(`distro_ubuntu',`
@@ -314,7 +373,18 @@ ifdef(`distro_ubuntu',`
@@ -314,7 +375,18 @@ ifdef(`distro_ubuntu',`
')
')
@ -78525,7 +78638,7 @@ index 34d0ec5..8aa3908 100644
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
@@ -325,8 +395,14 @@ ifdef(`hide_broken_symptoms',`
@@ -325,8 +397,14 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
@ -78540,10 +78653,11 @@ index 34d0ec5..8aa3908 100644
')
optional_policy(`
@@ -335,6 +411,18 @@ optional_policy(`
@@ -335,7 +413,15 @@ optional_policy(`
')
optional_policy(`
- nis_use_ypbind(ifconfig_t)
+ kdump_dontaudit_read_config(ifconfig_t)
+')
+
@ -78553,13 +78667,10 @@ index 34d0ec5..8aa3908 100644
+
+optional_policy(`
+ netutils_domtrans(dhcpc_t)
+')
+
+optional_policy(`
nis_use_ypbind(ifconfig_t)
')
@@ -356,3 +444,9 @@ optional_policy(`
optional_policy(`
@@ -356,3 +442,9 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@ -78605,10 +78716,10 @@ index 0000000..0d3e625
+/var/run/initramfs(/.*)? <<none>>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
index 0000000..7581e7d
index 0000000..19ba4e1
--- /dev/null
+++ b/policy/modules/system/systemd.if
@@ -0,0 +1,543 @@
@@ -0,0 +1,546 @@
+## <summary>SELinux policy for systemd components</summary>
+
+#######################################
@ -78662,6 +78773,9 @@ index 0000000..7581e7d
+ init_list_pid_dirs($1)
+ init_read_state($1)
+ init_stream_send($1)
+
+ systemd_login_list_pid_dirs($1)
+ systemd_login_read_pid_files($1)
+')
+
+#######################################
@ -79154,10 +79268,10 @@ index 0000000..7581e7d
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
index 0000000..9e08125
index 0000000..115f05e
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,381 @@
|
||||
@@ -0,0 +1,387 @@
|
||||
+policy_module(systemd, 1.0.0)
|
||||
+
|
||||
+#######################################
|
||||
@ -79271,6 +79385,7 @@ index 0000000..9e08125
|
||||
+init_dbus_chat_script(systemd_logind_t)
|
||||
+init_read_script_state(systemd_logind_t)
|
||||
+init_read_state(systemd_logind_t)
|
||||
+init_rw_stream_sockets(systemd_logind_t)
|
||||
+
|
||||
+logging_send_syslog_msg(systemd_logind_t)
|
||||
+
|
||||
@ -79358,6 +79473,9 @@ index 0000000..9e08125
|
||||
+files_delete_kernel_modules(systemd_tmpfiles_t)
|
||||
+
|
||||
+dev_write_kmsg(systemd_tmpfiles_t)
|
||||
+dev_relabel_all_sysfs(systemd_tmpfiles_t)
|
||||
+dev_relabel_cpu_online(systemd_tmpfiles_t)
|
||||
+dev_read_cpu_online(systemd_tmpfiles_t)
|
||||
+
|
||||
+domain_obj_id_change_exemption(systemd_tmpfiles_t)
|
||||
+
|
||||
@ -79482,6 +79600,8 @@ index 0000000..9e08125
|
||||
+
|
||||
+auth_use_nsswitch(systemd_notify_t)
|
||||
+
|
||||
+init_rw_stream_sockets(systemd_notify_t)
|
||||
+
|
||||
+miscfiles_read_localization(systemd_notify_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
@ -79780,7 +79900,7 @@ index 025348a..c15e57c 100644
|
||||
+')
|
||||
+
|
||||
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
|
||||
index d88f7c3..6a93c64 100644
|
||||
index d88f7c3..5ff6beb 100644
|
||||
--- a/policy/modules/system/udev.te
|
||||
+++ b/policy/modules/system/udev.te
|
||||
@@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t)
|
||||
@ -79990,6 +80110,14 @@ index d88f7c3..6a93c64 100644
|
||||
unconfined_signal(udev_t)
|
||||
')
|
||||
|
||||
@@ -285,6 +333,7 @@ optional_policy(`
|
||||
kernel_read_xen_state(udev_t)
|
||||
xen_manage_log(udev_t)
|
||||
xen_read_image_files(udev_t)
|
||||
+ xen_stream_connect_xenstore(udev_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc
|
||||
index ce2fbb9..8b34dbc 100644
|
||||
--- a/policy/modules/system/unconfined.fc
|
||||
@ -84528,7 +84656,7 @@ index 9b4a930..ced52ff 100644
|
||||
+')
|
||||
+
|
||||
diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc
|
||||
index a865da7..a5ed06e 100644
|
||||
index a865da7..f22f770 100644
|
||||
--- a/policy/modules/system/xen.fc
|
||||
+++ b/policy/modules/system/xen.fc
|
||||
@@ -1,12 +1,10 @@
|
||||
@ -84541,7 +84669,7 @@ index a865da7..a5ed06e 100644
|
||||
/usr/sbin/tapdisk -- gen_context(system_u:object_r:blktap_exec_t,s0)
|
||||
|
||||
-/usr/lib(64)?/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
|
||||
+/usr/lib/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
|
||||
+#/usr/lib/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
|
||||
@ -84657,7 +84785,7 @@ index 77d41b6..138efd8 100644
|
||||
|
||||
files_search_pids($1)
|
||||
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
|
||||
index 4350ba0..5d6dbad 100644
|
||||
index 4350ba0..9ab107b 100644
|
||||
--- a/policy/modules/system/xen.te
|
||||
+++ b/policy/modules/system/xen.te
|
||||
@@ -4,6 +4,7 @@ policy_module(xen, 1.10.1)
|
||||
@ -84688,7 +84816,18 @@ index 4350ba0..5d6dbad 100644
|
||||
########################################
|
||||
#
|
||||
# blktap local policy
|
||||
@@ -208,8 +205,7 @@ tunable_policy(`xend_run_qemu',`
|
||||
@@ -170,6 +167,10 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
|
||||
#
|
||||
# qemu-dm local policy
|
||||
#
|
||||
+
|
||||
+# TODO: This part of policy should be removed
|
||||
+# qemu-dm should run in xend_t domain
|
||||
+
|
||||
# Do we need to allow execution of qemu-dm?
|
||||
tunable_policy(`xend_run_qemu',`
|
||||
allow qemu_dm_t self:capability sys_resource;
|
||||
@@ -208,9 +209,13 @@ tunable_policy(`xend_run_qemu',`
|
||||
# xend local policy
|
||||
#
|
||||
|
||||
@ -84696,9 +84835,15 @@ index 4350ba0..5d6dbad 100644
|
||||
-dontaudit xend_t self:capability { sys_ptrace };
|
||||
+allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw };
|
||||
allow xend_t self:process { signal sigkill };
|
||||
+
|
||||
+# needed by qemu_dm
|
||||
+allow xend_t self:capability sys_resource;
|
||||
+allow xend_t self:process setrlimit;
|
||||
+
|
||||
dontaudit xend_t self:process ptrace;
|
||||
# internal communication is often done using fifo and unix sockets.
|
||||
@@ -320,12 +316,9 @@ locallogin_dontaudit_use_fds(xend_t)
|
||||
allow xend_t self:fifo_file rw_fifo_file_perms;
|
||||
@@ -320,13 +325,9 @@ locallogin_dontaudit_use_fds(xend_t)
|
||||
|
||||
logging_send_syslog_msg(xend_t)
|
||||
|
||||
@ -84708,10 +84853,11 @@ index 4350ba0..5d6dbad 100644
|
||||
miscfiles_read_hwdata(xend_t)
|
||||
|
||||
-mount_domtrans(xend_t)
|
||||
|
||||
-
|
||||
sysnet_domtrans_dhcpc(xend_t)
|
||||
sysnet_signal_dhcpc(xend_t)
|
||||
@@ -339,8 +332,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t)
|
||||
sysnet_domtrans_ifconfig(xend_t)
|
||||
@@ -339,8 +340,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t)
|
||||
|
||||
xen_stream_connect_xenstore(xend_t)
|
||||
|
||||
@ -84720,7 +84866,7 @@ index 4350ba0..5d6dbad 100644
|
||||
optional_policy(`
|
||||
brctl_domtrans(xend_t)
|
||||
')
|
||||
@@ -349,6 +340,22 @@ optional_policy(`
|
||||
@@ -349,6 +348,22 @@ optional_policy(`
|
||||
consoletype_exec(xend_t)
|
||||
')
|
||||
|
||||
@ -84743,7 +84889,7 @@ index 4350ba0..5d6dbad 100644
|
||||
########################################
|
||||
#
|
||||
# Xen console local policy
|
||||
@@ -413,9 +420,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
|
||||
@@ -413,9 +428,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
|
||||
files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
|
||||
|
||||
# pid file
|
||||
@ -84755,7 +84901,7 @@ index 4350ba0..5d6dbad 100644
|
||||
|
||||
# log files
|
||||
manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
|
||||
@@ -442,9 +450,11 @@ files_read_etc_files(xenstored_t)
|
||||
@@ -442,9 +458,11 @@ files_read_etc_files(xenstored_t)
|
||||
|
||||
files_read_usr_files(xenstored_t)
|
||||
|
||||
@ -84767,7 +84913,7 @@ index 4350ba0..5d6dbad 100644
|
||||
|
||||
init_use_fds(xenstored_t)
|
||||
init_use_script_ptys(xenstored_t)
|
||||
@@ -457,96 +467,9 @@ xen_append_log(xenstored_t)
|
||||
@@ -457,96 +475,9 @@ xen_append_log(xenstored_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -84864,7 +85010,7 @@ index 4350ba0..5d6dbad 100644
|
||||
#Should have a boolean wrapping these
|
||||
fs_list_auto_mountpoints(xend_t)
|
||||
files_search_mnt(xend_t)
|
||||
@@ -559,8 +482,4 @@ optional_policy(`
|
||||
@@ -559,8 +490,4 @@ optional_policy(`
|
||||
fs_manage_nfs_files(xend_t)
|
||||
fs_read_nfs_symlinks(xend_t)
|
||||
')
|
||||
|
@ -16,13 +16,12 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.10.0
|
||||
Release: 74.2%{?dist}
|
||||
Release: 75%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
patch: policy-F16.patch
|
||||
patch1: unconfined_permissive.patch
|
||||
patch2: policy-systemd.patch
|
||||
Source1: modules-targeted.conf
|
||||
Source2: booleans-targeted.conf
|
||||
Source3: Makefile.devel
|
||||
@ -239,7 +238,6 @@ Based off of reference policy: Checked out revision 2.20091117
|
||||
%setup -n serefpolicy-%{version} -q
|
||||
%patch -p1
|
||||
%patch1 -p1 -b .unconfined
|
||||
%patch2 -p1 -b .systemd
|
||||
|
||||
%install
|
||||
mkdir selinux_config
|
||||
@ -473,6 +471,13 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Jan 16 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-75
|
||||
- Merge systemd patch
|
||||
- systemd-tmpfiles wants to relabel /sys/devices/system/cpu/online
|
||||
- Allow deltacloudd dac_override, setuid, setgid caps
|
||||
- Allow aisexec to execute shell
|
||||
- Add use_nfs_home_dirs boolean for ssh-keygen
|
||||
|
||||
* Fri Jan 13 2012 Dan Walsh <dwalsh@redhat.com> 3.10.0-74.2
|
||||
- Fixes to make rawhide boot in enforcing mode with latest systemd changes
|
||||
|
||||