- init reload from systemd_localed_t
- Allow domains that communicate with systemd_logind_sessions to use systemd_logind_t fd - Allow systemd_localed_t to ask systemd to reload the locale. - Add systemd_runtime_unit_file_t type for unit files that systemd creates in memory - Allow readahead to read /dev/urand - Fix lots of avcs about tuned - Any file names xenstored in /var/log should be treated as xenstored_var_log_t - Allow tuned to inderact with hugepages - Allow condor domains to list etc rw dirs
This commit is contained in:
Miroslav Grepl
parent
824da7f0f1
commit
17233e7dc0
|
|
@ -13395,7 +13395,7 @@ index 3fe3cb8..5fe84a6 100644
|
|||
+ ')
|
||||
')
|
||||
diff --git a/condor.te b/condor.te
|
||||
index 3f2b672..39f85e7 100644
|
||||
index 3f2b672..ff94f23 100644
|
||||
--- a/condor.te
|
||||
+++ b/condor.te
|
||||
@@ -34,6 +34,9 @@ files_tmp_file(condor_startd_tmp_t)
|
||||
|
|
@ -13418,7 +13418,7 @@ index 3f2b672..39f85e7 100644
|
|||
condor_domain_template(collector)
|
||||
condor_domain_template(negotiator)
|
||||
condor_domain_template(procd)
|
||||
@@ -57,15 +63,20 @@ condor_domain_template(startd)
|
||||
@@ -57,15 +63,21 @@ condor_domain_template(startd)
|
||||
# Global local policy
|
||||
#
|
||||
|
||||
|
|
@ -13434,6 +13434,7 @@ index 3f2b672..39f85e7 100644
|
|||
+allow condor_domain self:unix_stream_socket create_stream_socket_perms;
|
||||
+allow condor_domain self:netlink_route_socket r_netlink_socket_perms;
|
||||
+
|
||||
+allow condor_domain condor_etc_rw_t:dir list_dir_perms;
|
||||
+rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t)
|
||||
|
||||
manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t)
|
||||
|
|
@ -13444,7 +13445,7 @@ index 3f2b672..39f85e7 100644
|
|||
logging_log_filetrans(condor_domain, condor_log_t, { dir file })
|
||||
|
||||
manage_dirs_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t)
|
||||
@@ -86,13 +97,10 @@ allow condor_domain condor_master_t:tcp_socket getattr;
|
||||
@@ -86,13 +98,10 @@ allow condor_domain condor_master_t:tcp_socket getattr;
|
||||
|
||||
kernel_read_kernel_sysctls(condor_domain)
|
||||
kernel_read_network_state(condor_domain)
|
||||
|
|
@ -13458,7 +13459,7 @@ index 3f2b672..39f85e7 100644
|
|||
corenet_tcp_sendrecv_generic_if(condor_domain)
|
||||
corenet_tcp_sendrecv_generic_node(condor_domain)
|
||||
|
||||
@@ -106,9 +114,9 @@ dev_read_rand(condor_domain)
|
||||
@@ -106,9 +115,9 @@ dev_read_rand(condor_domain)
|
||||
dev_read_sysfs(condor_domain)
|
||||
dev_read_urand(condor_domain)
|
||||
|
||||
|
|
@ -13470,7 +13471,7 @@ index 3f2b672..39f85e7 100644
|
|||
|
||||
tunable_policy(`condor_tcp_network_connect',`
|
||||
corenet_sendrecv_all_client_packets(condor_domain)
|
||||
@@ -125,7 +133,7 @@ optional_policy(`
|
||||
@@ -125,7 +134,7 @@ optional_policy(`
|
||||
# Master local policy
|
||||
#
|
||||
|
||||
|
|
@ -13479,7 +13480,7 @@ index 3f2b672..39f85e7 100644
|
|||
|
||||
allow condor_master_t condor_domain:process { sigkill signal };
|
||||
|
||||
@@ -133,6 +141,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
|
||||
@@ -133,6 +142,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
|
||||
manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
|
||||
files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
|
||||
|
||||
|
|
@ -13490,7 +13491,7 @@ index 3f2b672..39f85e7 100644
|
|||
corenet_udp_sendrecv_generic_if(condor_master_t)
|
||||
corenet_udp_sendrecv_generic_node(condor_master_t)
|
||||
corenet_tcp_bind_generic_node(condor_master_t)
|
||||
@@ -152,6 +164,8 @@ domain_read_all_domains_state(condor_master_t)
|
||||
@@ -152,6 +165,8 @@ domain_read_all_domains_state(condor_master_t)
|
||||
|
||||
auth_use_nsswitch(condor_master_t)
|
||||
|
||||
|
|
@ -13499,7 +13500,7 @@ index 3f2b672..39f85e7 100644
|
|||
optional_policy(`
|
||||
mta_send_mail(condor_master_t)
|
||||
mta_read_config(condor_master_t)
|
||||
@@ -169,6 +183,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
|
||||
@@ -169,6 +184,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
|
||||
|
||||
kernel_read_network_state(condor_collector_t)
|
||||
|
||||
|
|
@ -13508,7 +13509,7 @@ index 3f2b672..39f85e7 100644
|
|||
#####################################
|
||||
#
|
||||
# Negotiator local policy
|
||||
@@ -178,6 +194,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
|
||||
@@ -178,6 +195,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
|
||||
allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
|
||||
allow condor_negotiator_t condor_master_t:udp_socket getattr;
|
||||
|
||||
|
|
@ -13517,7 +13518,7 @@ index 3f2b672..39f85e7 100644
|
|||
######################################
|
||||
#
|
||||
# Procd local policy
|
||||
@@ -185,7 +203,8 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr;
|
||||
@@ -185,7 +204,8 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr;
|
||||
|
||||
allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace };
|
||||
|
||||
|
|
@ -13527,7 +13528,7 @@ index 3f2b672..39f85e7 100644
|
|||
|
||||
domain_read_all_domains_state(condor_procd_t)
|
||||
|
||||
@@ -201,6 +220,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
|
||||
@@ -201,6 +221,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
|
||||
|
||||
allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
|
||||
|
||||
|
|
@ -13536,7 +13537,7 @@ index 3f2b672..39f85e7 100644
|
|||
domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
|
||||
domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
|
||||
|
||||
@@ -209,6 +230,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
|
||||
@@ -209,6 +231,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
|
||||
relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
|
||||
files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
|
||||
|
||||
|
|
@ -13545,7 +13546,7 @@ index 3f2b672..39f85e7 100644
|
|||
#####################################
|
||||
#
|
||||
# Startd local policy
|
||||
@@ -233,11 +256,10 @@ domain_read_all_domains_state(condor_startd_t)
|
||||
@@ -233,11 +257,10 @@ domain_read_all_domains_state(condor_startd_t)
|
||||
mcs_process_set_categories(condor_startd_t)
|
||||
|
||||
init_domtrans_script(condor_startd_t)
|
||||
|
|
@ -13558,7 +13559,7 @@ index 3f2b672..39f85e7 100644
|
|||
optional_policy(`
|
||||
ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
|
||||
ssh_domtrans(condor_startd_t)
|
||||
@@ -249,3 +271,7 @@ optional_policy(`
|
||||
@@ -249,3 +272,7 @@ optional_policy(`
|
||||
kerberos_use(condor_startd_ssh_t)
|
||||
')
|
||||
')
|
||||
|
|
@ -39226,10 +39227,10 @@ index 4462c0e..84944d1 100644
|
|||
|
||||
userdom_dontaudit_use_unpriv_user_fds(monopd_t)
|
||||
diff --git a/mozilla.fc b/mozilla.fc
|
||||
index 6ffaba2..154cade 100644
|
||||
index 6ffaba2..adf8fe5 100644
|
||||
--- a/mozilla.fc
|
||||
+++ b/mozilla.fc
|
||||
@@ -1,38 +1,67 @@
|
||||
@@ -1,38 +1,68 @@
|
||||
-HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
||||
-HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
||||
-HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
|
||||
|
|
@ -39260,6 +39261,7 @@ index 6ffaba2..154cade 100644
|
|||
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
||||
+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
||||
+HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
||||
+HOME_DIR/\.webex(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
||||
+HOME_DIR/\.gnashpluginrc gen_context(system_u:object_r:mozilla_home_t,s0)
|
||||
+HOME_DIR/abc -- gen_context(system_u:object_r:mozilla_home_t,s0)
|
||||
+HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
||||
|
|
@ -39332,7 +39334,7 @@ index 6ffaba2..154cade 100644
|
|||
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
|
||||
+')
|
||||
diff --git a/mozilla.if b/mozilla.if
|
||||
index 6194b80..bb32d40 100644
|
||||
index 6194b80..37abdbe 100644
|
||||
--- a/mozilla.if
|
||||
+++ b/mozilla.if
|
||||
@@ -1,146 +1,75 @@
|
||||
|
|
@ -40023,7 +40025,7 @@ index 6194b80..bb32d40 100644
|
|||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -530,45 +499,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
|
||||
@@ -530,45 +499,54 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
|
@ -40098,6 +40100,7 @@ index 6194b80..bb32d40 100644
|
|||
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".lyx")
|
||||
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".IBMERS")
|
||||
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, file, ".gnashpluginrc")
|
||||
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".webex")
|
||||
+ gnome_cache_filetrans($1, mozilla_home_t, dir, "mozilla")
|
||||
')
|
||||
+
|
||||
|
|
@ -68647,7 +68650,7 @@ index 661bb88..06f69c4 100644
|
|||
+')
|
||||
+
|
||||
diff --git a/readahead.te b/readahead.te
|
||||
index f1512d6..bc627d7 100644
|
||||
index f1512d6..8ee7e70 100644
|
||||
--- a/readahead.te
|
||||
+++ b/readahead.te
|
||||
@@ -15,6 +15,7 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t;
|
||||
|
|
@ -68658,7 +68661,7 @@ index f1512d6..bc627d7 100644
|
|||
init_daemon_run_dir(readahead_var_run_t, "readahead")
|
||||
|
||||
########################################
|
||||
@@ -31,13 +32,17 @@ manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
|
||||
@@ -31,13 +32,18 @@ manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
|
||||
|
||||
manage_dirs_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
|
||||
manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
|
||||
|
|
@ -68673,11 +68676,12 @@ index f1512d6..bc627d7 100644
|
|||
-dev_read_sysfs(readahead_t)
|
||||
+dev_rw_sysfs(readahead_t)
|
||||
+dev_read_kmsg(readahead_t)
|
||||
+dev_read_urand(readahead_t)
|
||||
+dev_write_kmsg(readahead_t)
|
||||
dev_getattr_generic_chr_files(readahead_t)
|
||||
dev_getattr_generic_blk_files(readahead_t)
|
||||
dev_getattr_all_chr_files(readahead_t)
|
||||
@@ -51,12 +56,22 @@ domain_use_interactive_fds(readahead_t)
|
||||
@@ -51,12 +57,22 @@ domain_use_interactive_fds(readahead_t)
|
||||
domain_read_all_domains_state(readahead_t)
|
||||
|
||||
files_create_boot_flag(readahead_t)
|
||||
|
|
@ -68700,7 +68704,7 @@ index f1512d6..bc627d7 100644
|
|||
|
||||
fs_getattr_all_fs(readahead_t)
|
||||
fs_search_auto_mountpoints(readahead_t)
|
||||
@@ -66,13 +81,12 @@ fs_read_cgroup_files(readahead_t)
|
||||
@@ -66,13 +82,12 @@ fs_read_cgroup_files(readahead_t)
|
||||
fs_read_tmpfs_files(readahead_t)
|
||||
fs_read_tmpfs_symlinks(readahead_t)
|
||||
fs_list_inotifyfs(readahead_t)
|
||||
|
|
@ -68715,7 +68719,7 @@ index f1512d6..bc627d7 100644
|
|||
mls_file_read_all_levels(readahead_t)
|
||||
|
||||
storage_raw_read_fixed_disk(readahead_t)
|
||||
@@ -84,13 +98,15 @@ auth_dontaudit_read_shadow(readahead_t)
|
||||
@@ -84,13 +99,15 @@ auth_dontaudit_read_shadow(readahead_t)
|
||||
init_use_fds(readahead_t)
|
||||
init_use_script_ptys(readahead_t)
|
||||
init_getattr_initctl(readahead_t)
|
||||
|
|
@ -89332,7 +89336,7 @@ index e29db63..061fb98 100644
|
|||
domain_system_change_exemption($1)
|
||||
role_transition $2 tuned_initrc_exec_t system_r;
|
||||
diff --git a/tuned.te b/tuned.te
|
||||
index 7116181..b957a0f 100644
|
||||
index 7116181..935ec1d 100644
|
||||
--- a/tuned.te
|
||||
+++ b/tuned.te
|
||||
@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
|
||||
|
|
@ -89361,7 +89365,7 @@ index 7116181..b957a0f 100644
|
|||
|
||||
read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
|
||||
exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
|
||||
@@ -41,10 +47,12 @@ manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)
|
||||
@@ -41,14 +47,18 @@ manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)
|
||||
files_etc_filetrans(tuned_t, tuned_rw_etc_t, file, "active_profile")
|
||||
|
||||
manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
|
||||
|
|
@ -89375,18 +89379,25 @@ index 7116181..b957a0f 100644
|
|||
+manage_dirs_pattern(tuned_t, tuned_tmp_t, tuned_tmp_t)
|
||||
+manage_files_pattern(tuned_t, tuned_tmp_t, tuned_tmp_t)
|
||||
+files_tmp_filetrans(tuned_t, tuned_tmp_t, { file dir })
|
||||
+can_exec(tuned_t, tuned_tmp_t)
|
||||
|
||||
manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
|
||||
manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
|
||||
@@ -57,6 +65,7 @@ kernel_request_load_module(tuned_t)
|
||||
files_pid_filetrans(tuned_t, tuned_var_run_t, { dir file })
|
||||
+can_exec(tuned_t, tuned_var_run_t)
|
||||
|
||||
kernel_read_system_state(tuned_t)
|
||||
kernel_read_network_state(tuned_t)
|
||||
@@ -57,6 +67,8 @@ kernel_request_load_module(tuned_t)
|
||||
kernel_rw_kernel_sysctl(tuned_t)
|
||||
kernel_rw_hotplug_sysctls(tuned_t)
|
||||
kernel_rw_vm_sysctls(tuned_t)
|
||||
+kernel_setsched(tuned_t)
|
||||
+kernel_rw_all_sysctls(tuned_t)
|
||||
|
||||
corecmd_exec_bin(tuned_t)
|
||||
corecmd_exec_shell(tuned_t)
|
||||
@@ -64,31 +73,53 @@ corecmd_exec_shell(tuned_t)
|
||||
@@ -64,31 +76,55 @@ corecmd_exec_shell(tuned_t)
|
||||
dev_getattr_all_blk_files(tuned_t)
|
||||
dev_getattr_all_chr_files(tuned_t)
|
||||
dev_read_urand(tuned_t)
|
||||
|
|
@ -89395,6 +89406,7 @@ index 7116181..b957a0f 100644
|
|||
dev_rw_netcontrol(tuned_t)
|
||||
|
||||
-files_read_usr_files(tuned_t)
|
||||
+files_dontaudit_all_access_check(tuned_t)
|
||||
files_dontaudit_search_home(tuned_t)
|
||||
-files_dontaudit_list_tmp(tuned_t)
|
||||
+files_list_tmp(tuned_t)
|
||||
|
|
@ -89402,6 +89414,7 @@ index 7116181..b957a0f 100644
|
|||
-fs_getattr_xattr_fs(tuned_t)
|
||||
+fs_getattr_all_fs(tuned_t)
|
||||
+fs_search_all(tuned_t)
|
||||
+fs_rw_hugetlbfs_files(tuned_t)
|
||||
+
|
||||
+auth_use_nsswitch(tuned_t)
|
||||
|
||||
|
|
@ -96042,10 +96055,10 @@ index 7c7f7fa..20ce90b 100644
|
|||
+ xserver_manage_core_devices(wm_domain)
|
||||
+')
|
||||
diff --git a/xen.fc b/xen.fc
|
||||
index 42d83b0..7977c2c 100644
|
||||
index 42d83b0..5f18f6e 100644
|
||||
--- a/xen.fc
|
||||
+++ b/xen.fc
|
||||
@@ -1,38 +1,40 @@
|
||||
@@ -1,38 +1,41 @@
|
||||
/dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0)
|
||||
|
||||
-/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
|
||||
|
|
@ -96087,6 +96100,7 @@ index 42d83b0..7977c2c 100644
|
|||
/var/log/xen-hotplug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
|
||||
/var/log/xend\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
|
||||
/var/log/xend-debug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
|
||||
+/var/log/xenstored.* gen_context(system_u:object_r:xenstored_var_log_t,s0)
|
||||
|
||||
/var/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0)
|
||||
/var/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0)
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@
|
|||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.12.1
|
||||
Release: 86%{?dist}
|
||||
Release: 87%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
|
|
@ -571,6 +571,17 @@ SELinux Reference policy mls base module.
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Oct 4 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-87
|
||||
- init reload from systemd_localed_t
|
||||
- Allow domains that communicate with systemd_logind_sessions to use systemd_logind_t fd
|
||||
- Allow systemd_localed_t to ask systemd to reload the locale.
|
||||
- Add systemd_runtime_unit_file_t type for unit files that systemd creates in memory
|
||||
- Allow readahead to read /dev/urand
|
||||
- Fix lots of avcs about tuned
|
||||
- Any file names xenstored in /var/log should be treated as xenstored_var_log_t
|
||||
- Allow tuned to inderact with hugepages
|
||||
- Allow condor domains to list etc rw dirs
|
||||
|
||||
* Fri Oct 4 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-86
|
||||
- Fix nscd_shm_use()
|
||||
- Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services.
|
||||
|
|
|
|||
Loading…
Reference in New Issue