* Fri Feb 28 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-29
- Make docker as permissive domain
parent
4aa43e264a
commit
18bb7ec6a3
@ -18132,7 +18132,7 @@ index 3023be7..20e370b 100644
|
|||||||
+ corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")
|
+ corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")
|
||||||
')
|
')
|
||||||
diff --git a/cups.te b/cups.te
|
diff --git a/cups.te b/cups.te
|
||||||
index c91813c..3598e62 100644
|
index c91813c..2230476 100644
|
||||||
--- a/cups.te
|
--- a/cups.te
|
||||||
+++ b/cups.te
|
+++ b/cups.te
|
||||||
@@ -5,19 +5,24 @@ policy_module(cups, 1.16.2)
|
@@ -5,19 +5,24 @@ policy_module(cups, 1.16.2)
|
||||||
@ -18265,7 +18265,7 @@ index c91813c..3598e62 100644
|
|||||||
#
|
#
|
||||||
|
|
||||||
-allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config };
|
-allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config };
|
||||||
+allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config };
|
+allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown dac_override sys_resource sys_tty_config };
|
||||||
dontaudit cupsd_t self:capability { sys_tty_config net_admin };
|
dontaudit cupsd_t self:capability { sys_tty_config net_admin };
|
||||||
allow cupsd_t self:capability2 block_suspend;
|
allow cupsd_t self:capability2 block_suspend;
|
||||||
-allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
|
-allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
|
||||||
@ -26403,7 +26403,7 @@ index 5010f04..3b73741 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
diff --git a/fprintd.te b/fprintd.te
|
diff --git a/fprintd.te b/fprintd.te
|
||||||
index 92a6479..064f58e 100644
|
index 92a6479..e37a473 100644
|
||||||
--- a/fprintd.te
|
--- a/fprintd.te
|
||||||
+++ b/fprintd.te
|
+++ b/fprintd.te
|
||||||
@@ -20,6 +20,8 @@ files_type(fprintd_var_lib_t)
|
@@ -20,6 +20,8 @@ files_type(fprintd_var_lib_t)
|
||||||
@ -26433,7 +26433,7 @@ index 92a6479..064f58e 100644
|
|||||||
|
|
||||||
userdom_use_user_ptys(fprintd_t)
|
userdom_use_user_ptys(fprintd_t)
|
||||||
userdom_read_all_users_state(fprintd_t)
|
userdom_read_all_users_state(fprintd_t)
|
||||||
@@ -54,8 +55,13 @@ optional_policy(`
|
@@ -54,8 +55,17 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -26446,6 +26446,10 @@ index 92a6479..064f58e 100644
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
|
+ udev_read_db(fprintd_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
+ xserver_read_state_xdm(fprintd_t)
|
+ xserver_read_state_xdm(fprintd_t)
|
||||||
')
|
')
|
||||||
diff --git a/freeipmi.fc b/freeipmi.fc
|
diff --git a/freeipmi.fc b/freeipmi.fc
|
||||||
@ -51881,7 +51885,7 @@ index ba64485..429bd79 100644
|
|||||||
+
|
+
|
||||||
+/usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0)
|
+/usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0)
|
||||||
diff --git a/nscd.if b/nscd.if
|
diff --git a/nscd.if b/nscd.if
|
||||||
index 8f2ab09..6ab4ea1 100644
|
index 8f2ab09..bc2c7fe 100644
|
||||||
--- a/nscd.if
|
--- a/nscd.if
|
||||||
+++ b/nscd.if
|
+++ b/nscd.if
|
||||||
@@ -1,8 +1,8 @@
|
@@ -1,8 +1,8 @@
|
||||||
@ -52037,7 +52041,7 @@ index 8f2ab09..6ab4ea1 100644
|
|||||||
+interface(`nscd_shm_use',`
|
+interface(`nscd_shm_use',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ type nscd_t, nscd_var_run_t;
|
+ type nscd_t, nscd_var_run_t;
|
||||||
+ class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
|
+ class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv };
|
||||||
')
|
')
|
||||||
+
|
+
|
||||||
+ allow $1 nscd_var_run_t:dir list_dir_perms;
|
+ allow $1 nscd_var_run_t:dir list_dir_perms;
|
||||||
@ -58881,7 +58885,7 @@ index 0000000..9b8cb6b
|
|||||||
+/var/run/pmcd\.socket -- gen_context(system_u:object_r:pcp_var_run_t,s0)
|
+/var/run/pmcd\.socket -- gen_context(system_u:object_r:pcp_var_run_t,s0)
|
||||||
diff --git a/pcp.if b/pcp.if
|
diff --git a/pcp.if b/pcp.if
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..ba24b40
|
index 0000000..d9296b1
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/pcp.if
|
+++ b/pcp.if
|
||||||
@@ -0,0 +1,139 @@
|
@@ -0,0 +1,139 @@
|
||||||
@ -58926,7 +58930,7 @@ index 0000000..ba24b40
|
|||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ type pcp_var_lib_t;
|
+ type pcp_var_lib_t;
|
||||||
+ ')
|
+ ')
|
||||||
+ libs_search_lib($1)
|
+ files_search_var_lib($1)
|
||||||
+ read_files_pattern($1,pcp_var_lib_t,pcp_var_lib_t)
|
+ read_files_pattern($1,pcp_var_lib_t,pcp_var_lib_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
@ -105702,7 +105706,7 @@ index 0000000..ceaa219
|
|||||||
+/var/spool/zoneminder-upload(/.*)? gen_context(system_u:object_r:zoneminder_spool_t,s0)
|
+/var/spool/zoneminder-upload(/.*)? gen_context(system_u:object_r:zoneminder_spool_t,s0)
|
||||||
diff --git a/zoneminder.if b/zoneminder.if
|
diff --git a/zoneminder.if b/zoneminder.if
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..e0604c7
|
index 0000000..fb0519e
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/zoneminder.if
|
+++ b/zoneminder.if
|
||||||
@@ -0,0 +1,374 @@
|
@@ -0,0 +1,374 @@
|
||||||
@ -105915,7 +105919,7 @@ index 0000000..e0604c7
|
|||||||
+#
|
+#
|
||||||
+interface(`zoneminder_manage_lib_sock_files',`
|
+interface(`zoneminder_manage_lib_sock_files',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ type zoneminder_sock_var_lib_t;
|
+ type zoneminder_var_lib_t;
|
||||||
+ ')
|
+ ')
|
||||||
+ files_search_var_lib($1)
|
+ files_search_var_lib($1)
|
||||||
+ manage_sock_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
|
+ manage_sock_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
|
||||||
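Review bot: In the cups.te hunk the rewritten `allow cupsd_t self:capability` line still lists `dac_override` twice, which makes an already broad capability set (it keeps `sys_admin`) harder to audit; I would write it as `allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown sys_resource sys_tty_config };`. That same line is where this commit drops `sys_rawio` from cupsd_t, a real tightening that the 3.13.1-29 changelog entry does not record, since it names only docker. The fprintd `udev_read_db(fprintd_t)` block, the nscd `getserv`/`shmemserv` additions, the pcp switch to `files_search_var_lib($1)` and the zoneminder `gen_require` fix are likewise unrecorded, and none of the visible hunks touch docker, so the permissive-domain change presumably sits in a part of the patch not shown here. A changelog line such as `- Remove sys_rawio capability from cupsd_t` would let someone chasing a new AVC denial trace it to this release.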
|
@ -580,6 +580,9 @@ SELinux Reference policy mls base module.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Feb 28 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-29
|
||||||
|
- Make docker as permissive domain
|
||||||
|
|
||||||
* Thu Feb 27 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-28
|
* Thu Feb 27 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-28
|
||||||
- Allow bumblebeed to send signal to insmod
|
- Allow bumblebeed to send signal to insmod
|
||||||
- Dontaudit attempts by crond_t net_admin caused by journald
|
- Dontaudit attempts by crond_t net_admin caused by journald
|
||||||
|