* Fri Oct 1 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-96

- Add missing permission checks for nscd
This commit is contained in:
Miroslav Grepl 2013-11-01 19:24:30 +01:00
parent d11521e32b
commit 18a1acac8d
2 changed files with 73 additions and 55 deletions

View File

@ -689,7 +689,7 @@ index 3a45f23..f4754f0 100644
# fork # fork
# setexec # setexec
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 28802c5..ee01d6e 100644 index 28802c5..88519a9 100644
--- a/policy/flask/access_vectors --- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors +++ b/policy/flask/access_vectors
@@ -329,6 +329,7 @@ class process @@ -329,6 +329,7 @@ class process
@ -728,7 +728,16 @@ index 28802c5..ee01d6e 100644
} }
# #
@@ -827,6 +837,9 @@ class kernel_service @@ -690,6 +700,8 @@ class nscd
shmemhost
getserv
shmemserv
+ getnetgrp
+ shmemnetgrp
}
# Define the access vector interpretation for controlling
@@ -827,6 +839,9 @@ class kernel_service
class tun_socket class tun_socket
inherits socket inherits socket
@ -738,7 +747,7 @@ index 28802c5..ee01d6e 100644
class x_pointer class x_pointer
inherits x_device inherits x_device
@@ -862,3 +875,20 @@ inherits database @@ -862,3 +877,20 @@ inherits database
implement implement
execute execute
} }
@ -28014,7 +28023,7 @@ index 24e7804..76da5dd 100644
+ files_etc_filetrans($1, machineid_t, file, "machine-id" ) + files_etc_filetrans($1, machineid_t, file, "machine-id" )
+') +')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index dd3be8d..e9ab9ba 100644 index dd3be8d..d145ffc 100644
--- a/policy/modules/system/init.te --- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te +++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(` @@ -11,10 +11,31 @@ gen_require(`
@ -28202,7 +28211,7 @@ index dd3be8d..e9ab9ba 100644
# file descriptors inherited from the rootfs: # file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t) files_dontaudit_rw_root_chr_files(init_t)
@@ -156,28 +230,51 @@ fs_list_inotifyfs(init_t) @@ -156,28 +230,52 @@ fs_list_inotifyfs(init_t)
fs_write_ramfs_sockets(init_t) fs_write_ramfs_sockets(init_t)
mcs_process_set_categories(init_t) mcs_process_set_categories(init_t)
@ -28230,6 +28239,7 @@ index dd3be8d..e9ab9ba 100644
+term_use_unallocated_ttys(init_t) +term_use_unallocated_ttys(init_t)
+term_use_console(init_t) +term_use_console(init_t)
+term_use_all_inherited_terms(init_t) +term_use_all_inherited_terms(init_t)
+term_use_generic_ptys(init_t)
# Run init scripts. # Run init scripts.
init_domtrans_script(init_t) init_domtrans_script(init_t)
@ -28257,7 +28267,7 @@ index dd3be8d..e9ab9ba 100644
ifdef(`distro_gentoo',` ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap }; allow init_t self:process { getcap setcap };
@@ -186,29 +283,204 @@ ifdef(`distro_gentoo',` @@ -186,29 +284,204 @@ ifdef(`distro_gentoo',`
') ')
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
@ -28287,19 +28297,19 @@ index dd3be8d..e9ab9ba 100644
+ +
+optional_policy(` +optional_policy(`
+ chronyd_read_keys(init_t) + chronyd_read_keys(init_t)
') +')
+
optional_policy(` +optional_policy(`
- auth_rw_login_records(init_t)
+ kdump_read_crash(init_t) + kdump_read_crash(init_t)
') ')
optional_policy(` optional_policy(`
- auth_rw_login_records(init_t)
+ gnome_filetrans_home_content(init_t) + gnome_filetrans_home_content(init_t)
+ gnome_manage_data(init_t) + gnome_manage_data(init_t)
+') ')
+
+optional_policy(` optional_policy(`
+ iscsi_read_lib_files(init_t) + iscsi_read_lib_files(init_t)
+') +')
+ +
@ -28470,7 +28480,7 @@ index dd3be8d..e9ab9ba 100644
') ')
optional_policy(` optional_policy(`
@@ -216,7 +488,30 @@ optional_policy(` @@ -216,7 +489,30 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -28501,7 +28511,7 @@ index dd3be8d..e9ab9ba 100644
') ')
######################################## ########################################
@@ -225,8 +520,9 @@ optional_policy(` @@ -225,8 +521,9 @@ optional_policy(`
# #
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -28513,7 +28523,7 @@ index dd3be8d..e9ab9ba 100644
allow initrc_t self:passwd rootok; allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms; allow initrc_t self:key manage_key_perms;
@@ -257,12 +553,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) @@ -257,12 +554,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms; allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file) files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -28530,7 +28540,7 @@ index dd3be8d..e9ab9ba 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
@@ -278,23 +578,36 @@ kernel_change_ring_buffer_level(initrc_t) @@ -278,23 +579,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t) kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t) kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t) kernel_read_all_sysctls(initrc_t)
@ -28573,7 +28583,7 @@ index dd3be8d..e9ab9ba 100644
corenet_tcp_sendrecv_all_ports(initrc_t) corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t)
@@ -302,9 +615,11 @@ corenet_sendrecv_all_client_packets(initrc_t) @@ -302,9 +616,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t) dev_read_rand(initrc_t)
dev_read_urand(initrc_t) dev_read_urand(initrc_t)
@ -28585,7 +28595,7 @@ index dd3be8d..e9ab9ba 100644
dev_rw_sysfs(initrc_t) dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t) dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t) dev_read_framebuffer(initrc_t)
@@ -312,8 +627,10 @@ dev_write_framebuffer(initrc_t) @@ -312,8 +628,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t) dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t) dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t)
@ -28596,7 +28606,7 @@ index dd3be8d..e9ab9ba 100644
dev_delete_lvm_control_dev(initrc_t) dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t) dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t) dev_manage_generic_files(initrc_t)
@@ -321,8 +638,7 @@ dev_manage_generic_files(initrc_t) @@ -321,8 +639,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t) dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t) dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t) dev_getattr_all_chr_files(initrc_t)
@ -28606,7 +28616,7 @@ index dd3be8d..e9ab9ba 100644
domain_kill_all_domains(initrc_t) domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t) domain_signal_all_domains(initrc_t)
@@ -331,7 +647,6 @@ domain_sigstop_all_domains(initrc_t) @@ -331,7 +648,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t) domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t) domain_getattr_all_domains(initrc_t)
@ -28614,7 +28624,7 @@ index dd3be8d..e9ab9ba 100644
domain_getsession_all_domains(initrc_t) domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t) domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown: # for lsof which is used by alsa shutdown:
@@ -339,6 +654,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) @@ -339,6 +655,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t)
@ -28622,7 +28632,7 @@ index dd3be8d..e9ab9ba 100644
files_getattr_all_dirs(initrc_t) files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t) files_getattr_all_files(initrc_t)
@@ -346,14 +662,15 @@ files_getattr_all_symlinks(initrc_t) @@ -346,14 +663,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t) files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t) files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t) files_purge_tmp(initrc_t)
@ -28640,7 +28650,7 @@ index dd3be8d..e9ab9ba 100644
files_read_usr_files(initrc_t) files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t) files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t) files_manage_generic_spool(initrc_t)
@@ -363,8 +680,12 @@ files_list_isid_type_dirs(initrc_t) @@ -363,8 +681,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t) files_list_default(initrc_t)
files_mounton_default(initrc_t) files_mounton_default(initrc_t)
@ -28654,7 +28664,7 @@ index dd3be8d..e9ab9ba 100644
fs_list_inotifyfs(initrc_t) fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t) fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs # rhgb-console writes to ramfs
@@ -374,10 +695,11 @@ fs_mount_all_fs(initrc_t) @@ -374,10 +696,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t) fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t) fs_getattr_all_fs(initrc_t)
@ -28668,7 +28678,7 @@ index dd3be8d..e9ab9ba 100644
mcs_process_set_categories(initrc_t) mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t) mls_file_read_all_levels(initrc_t)
@@ -386,6 +708,7 @@ mls_process_read_up(initrc_t) @@ -386,6 +709,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t) mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t) mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t) mls_fd_share_all_levels(initrc_t)
@ -28676,7 +28686,7 @@ index dd3be8d..e9ab9ba 100644
selinux_get_enforce_mode(initrc_t) selinux_get_enforce_mode(initrc_t)
@@ -397,6 +720,7 @@ term_use_all_terms(initrc_t) @@ -397,6 +721,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t) term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t) auth_rw_login_records(initrc_t)
@ -28684,7 +28694,7 @@ index dd3be8d..e9ab9ba 100644
auth_setattr_login_records(initrc_t) auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t) auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t) auth_read_pam_pid(initrc_t)
@@ -415,20 +739,18 @@ logging_read_all_logs(initrc_t) @@ -415,20 +740,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t) logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t) logging_read_audit_config(initrc_t)
@ -28708,7 +28718,7 @@ index dd3be8d..e9ab9ba 100644
ifdef(`distro_debian',` ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t) dev_setattr_generic_dirs(initrc_t)
@@ -450,7 +772,6 @@ ifdef(`distro_gentoo',` @@ -450,7 +773,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate; allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t) dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t) dev_create_zero_dev(initrc_t)
@ -28716,7 +28726,7 @@ index dd3be8d..e9ab9ba 100644
term_create_console_dev(initrc_t) term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks # unfortunately /sbin/rc does stupid tricks
@@ -485,6 +806,10 @@ ifdef(`distro_gentoo',` @@ -485,6 +807,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t) sysnet_setattr_config(initrc_t)
optional_policy(` optional_policy(`
@ -28727,7 +28737,7 @@ index dd3be8d..e9ab9ba 100644
alsa_read_lib(initrc_t) alsa_read_lib(initrc_t)
') ')
@@ -505,7 +830,7 @@ ifdef(`distro_redhat',` @@ -505,7 +831,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray # Red Hat systems seem to have a stray
# fd open from the initrd # fd open from the initrd
@ -28736,7 +28746,7 @@ index dd3be8d..e9ab9ba 100644
files_dontaudit_read_root_files(initrc_t) files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd # These seem to be from the initrd
@@ -520,6 +845,7 @@ ifdef(`distro_redhat',` @@ -520,6 +846,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t) files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t) files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t) files_rw_boot_symlinks(initrc_t)
@ -28744,7 +28754,7 @@ index dd3be8d..e9ab9ba 100644
# wants to read /.fonts directory # wants to read /.fonts directory
files_read_default_files(initrc_t) files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t) files_mountpoint(initrc_tmp_t)
@@ -540,6 +866,7 @@ ifdef(`distro_redhat',` @@ -540,6 +867,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t) miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t) miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t) miscfiles_relabel_localization(initrc_t)
@ -28752,7 +28762,7 @@ index dd3be8d..e9ab9ba 100644
miscfiles_read_fonts(initrc_t) miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t) miscfiles_read_hwdata(initrc_t)
@@ -549,8 +876,44 @@ ifdef(`distro_redhat',` @@ -549,8 +877,44 @@ ifdef(`distro_redhat',`
') ')
optional_policy(` optional_policy(`
@ -28797,7 +28807,7 @@ index dd3be8d..e9ab9ba 100644
') ')
optional_policy(` optional_policy(`
@@ -558,14 +921,31 @@ ifdef(`distro_redhat',` @@ -558,14 +922,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t) rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t) rpc_manage_nfs_state_data(initrc_t)
') ')
@ -28829,7 +28839,7 @@ index dd3be8d..e9ab9ba 100644
') ')
') ')
@@ -576,6 +956,39 @@ ifdef(`distro_suse',` @@ -576,6 +957,39 @@ ifdef(`distro_suse',`
') ')
') ')
@ -28869,7 +28879,7 @@ index dd3be8d..e9ab9ba 100644
optional_policy(` optional_policy(`
amavis_search_lib(initrc_t) amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t) amavis_setattr_pid_files(initrc_t)
@@ -588,6 +1001,8 @@ optional_policy(` @@ -588,6 +1002,8 @@ optional_policy(`
optional_policy(` optional_policy(`
apache_read_config(initrc_t) apache_read_config(initrc_t)
apache_list_modules(initrc_t) apache_list_modules(initrc_t)
@ -28878,7 +28888,7 @@ index dd3be8d..e9ab9ba 100644
') ')
optional_policy(` optional_policy(`
@@ -609,6 +1024,7 @@ optional_policy(` @@ -609,6 +1025,7 @@ optional_policy(`
optional_policy(` optional_policy(`
cgroup_stream_connect_cgred(initrc_t) cgroup_stream_connect_cgred(initrc_t)
@ -28886,7 +28896,7 @@ index dd3be8d..e9ab9ba 100644
') ')
optional_policy(` optional_policy(`
@@ -625,6 +1041,17 @@ optional_policy(` @@ -625,6 +1042,17 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -28904,7 +28914,7 @@ index dd3be8d..e9ab9ba 100644
dev_getattr_printer_dev(initrc_t) dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t) cups_read_log(initrc_t)
@@ -641,9 +1068,13 @@ optional_policy(` @@ -641,9 +1069,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t) dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t) dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t) dbus_read_config(initrc_t)
@ -28918,7 +28928,7 @@ index dd3be8d..e9ab9ba 100644
') ')
optional_policy(` optional_policy(`
@@ -656,15 +1087,11 @@ optional_policy(` @@ -656,15 +1088,11 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -28936,7 +28946,7 @@ index dd3be8d..e9ab9ba 100644
') ')
optional_policy(` optional_policy(`
@@ -685,6 +1112,15 @@ optional_policy(` @@ -685,6 +1113,15 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -28952,7 +28962,7 @@ index dd3be8d..e9ab9ba 100644
inn_exec_config(initrc_t) inn_exec_config(initrc_t)
') ')
@@ -725,6 +1161,7 @@ optional_policy(` @@ -725,6 +1162,7 @@ optional_policy(`
lpd_list_spool(initrc_t) lpd_list_spool(initrc_t)
lpd_read_config(initrc_t) lpd_read_config(initrc_t)
@ -28960,7 +28970,7 @@ index dd3be8d..e9ab9ba 100644
') ')
optional_policy(` optional_policy(`
@@ -742,7 +1179,13 @@ optional_policy(` @@ -742,7 +1180,13 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -28975,7 +28985,7 @@ index dd3be8d..e9ab9ba 100644
mta_dontaudit_read_spool_symlinks(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t)
') ')
@@ -765,6 +1208,10 @@ optional_policy(` @@ -765,6 +1209,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -28986,7 +28996,7 @@ index dd3be8d..e9ab9ba 100644
postgresql_manage_db(initrc_t) postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t) postgresql_read_config(initrc_t)
') ')
@@ -774,10 +1221,20 @@ optional_policy(` @@ -774,10 +1222,20 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -29007,7 +29017,7 @@ index dd3be8d..e9ab9ba 100644
quota_manage_flags(initrc_t) quota_manage_flags(initrc_t)
') ')
@@ -786,6 +1243,10 @@ optional_policy(` @@ -786,6 +1244,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -29018,7 +29028,7 @@ index dd3be8d..e9ab9ba 100644
fs_write_ramfs_sockets(initrc_t) fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t) fs_search_ramfs(initrc_t)
@@ -807,8 +1268,6 @@ optional_policy(` @@ -807,8 +1269,6 @@ optional_policy(`
# bash tries ioctl for some reason # bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t) files_dontaudit_ioctl_all_pids(initrc_t)
@ -29027,7 +29037,7 @@ index dd3be8d..e9ab9ba 100644
') ')
optional_policy(` optional_policy(`
@@ -817,6 +1276,10 @@ optional_policy(` @@ -817,6 +1277,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -29038,7 +29048,7 @@ index dd3be8d..e9ab9ba 100644
# shorewall-init script run /var/lib/shorewall/firewall # shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t) shorewall_lib_domtrans(initrc_t)
') ')
@@ -826,10 +1289,12 @@ optional_policy(` @@ -826,10 +1290,12 @@ optional_policy(`
squid_manage_logs(initrc_t) squid_manage_logs(initrc_t)
') ')
@ -29051,10 +29061,15 @@ index dd3be8d..e9ab9ba 100644
optional_policy(` optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t) ssh_dontaudit_read_server_keys(initrc_t)
@@ -856,12 +1321,28 @@ optional_policy(` @@ -856,12 +1322,33 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
+ virt_read_config(init_t)
+ virt_stream_connect(init_t)
+')
+
+optional_policy(`
+ virt_manage_pid_dirs(initrc_t) + virt_manage_pid_dirs(initrc_t)
+ virt_manage_cache(initrc_t) + virt_manage_cache(initrc_t)
+ virt_manage_lib_files(initrc_t) + virt_manage_lib_files(initrc_t)
@ -29081,7 +29096,7 @@ index dd3be8d..e9ab9ba 100644
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited # system-config-services causes avc messages that should be dontaudited
@@ -871,6 +1352,18 @@ optional_policy(` @@ -871,6 +1358,18 @@ optional_policy(`
optional_policy(` optional_policy(`
mono_domtrans(initrc_t) mono_domtrans(initrc_t)
') ')
@ -29100,7 +29115,7 @@ index dd3be8d..e9ab9ba 100644
') ')
optional_policy(` optional_policy(`
@@ -886,6 +1379,10 @@ optional_policy(` @@ -886,6 +1385,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -29111,7 +29126,7 @@ index dd3be8d..e9ab9ba 100644
# Set device ownerships/modes. # Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t) xserver_setattr_console_pipes(initrc_t)
@@ -896,3 +1393,218 @@ optional_policy(` @@ -896,3 +1399,218 @@ optional_policy(`
optional_policy(` optional_policy(`
zebra_read_config(initrc_t) zebra_read_config(initrc_t)
') ')

View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.12.1 Version: 3.12.1
Release: 95%{?dist} Release: 96%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -573,6 +573,9 @@ SELinux Reference policy mls base module.
%endif %endif
%changelog %changelog
* Fri Oct 1 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-96
- Add missing permission checks for nscd
* Wed Oct 30 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-95 * Wed Oct 30 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-95
- Fix alias decl in corenetwork.te.in - Fix alias decl in corenetwork.te.in
- Add support for fuse.glusterfs - Add support for fuse.glusterfs