- add ptrace_child access to process
- remove files_read_etc_files() calling from all policies which hav - Allow boinc domains to manage boinc_lib_t lnk_files - Add support for boinc-client.service unit file - Add support for boinc.log - Allow mozilla_plugin execmod on mozilla home files if allow_ex - Allow dovecot_deliver_t to read dovecot_var_run_t - Allow ldconfig and insmod to manage kdumpctl tmp files - Move thin policy out from cloudform.pp and add a new thin poli - pacemaker needs to communicate with corosync streams - abrt is now started on demand by dbus - Allow certmonger to talk directly to Dogtag servers - Change labeling for /var/lib/cobbler/webui_sessions to httpd_c - Allow mozila_plugin to execute gstreamer home files - Allow useradd to delete all file types stored in the users hom - rhsmcertd reads the rpm database - Add support for lightdm
This commit is contained in:
Miroslav Grepl
parent
52ac61da45
commit
1de5de6450
|
|
@ -58144,10 +58144,18 @@ index 3a45f23..f4754f0 100644
|
|||
# fork
|
||||
# setexec
|
||||
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
|
||||
index f462e95..e8f76cb 100644
|
||||
index f462e95..20fb556 100644
|
||||
--- a/policy/flask/access_vectors
|
||||
+++ b/policy/flask/access_vectors
|
||||
@@ -393,6 +393,10 @@ class system
|
||||
@@ -329,6 +329,7 @@ class process
|
||||
execheap
|
||||
setkeycreate
|
||||
setsockcreate
|
||||
+ ptrace_child
|
||||
}
|
||||
|
||||
|
||||
@@ -393,6 +394,10 @@ class system
|
||||
syslog_mod
|
||||
syslog_console
|
||||
module_request
|
||||
|
|
@ -58158,7 +58166,7 @@ index f462e95..e8f76cb 100644
|
|||
}
|
||||
|
||||
#
|
||||
@@ -445,6 +449,8 @@ class capability2
|
||||
@@ -445,6 +450,8 @@ class capability2
|
||||
mac_override # unused by SELinux
|
||||
mac_admin # unused by SELinux
|
||||
syslog
|
||||
|
|
@ -58167,7 +58175,7 @@ index f462e95..e8f76cb 100644
|
|||
}
|
||||
|
||||
#
|
||||
@@ -860,3 +866,20 @@ inherits database
|
||||
@@ -860,3 +867,20 @@ inherits database
|
||||
implement
|
||||
execute
|
||||
}
|
||||
|
|
@ -73296,7 +73304,7 @@ index b17e27a..d193a52 100644
|
|||
+ ssh_rw_dgram_sockets(chroot_user_t)
|
||||
+')
|
||||
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
|
||||
index fc86b7c..7da0fde 100644
|
||||
index fc86b7c..f393f76 100644
|
||||
--- a/policy/modules/services/xserver.fc
|
||||
+++ b/policy/modules/services/xserver.fc
|
||||
@@ -2,13 +2,35 @@
|
||||
|
|
@ -73354,7 +73362,7 @@ index fc86b7c..7da0fde 100644
|
|||
/etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
|
||||
/etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
|
||||
/etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
|
||||
@@ -46,23 +75,24 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
||||
@@ -46,23 +75,25 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
||||
# /tmp
|
||||
#
|
||||
|
||||
|
|
@ -73376,6 +73384,7 @@ index fc86b7c..7da0fde 100644
|
|||
/usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
||||
/usr/(s)?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
||||
-/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
||||
+/usr/(s)?bin/lightdm* -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
||||
+/usr/(s)?bin/[mxgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
||||
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
||||
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
|
||||
|
|
@ -73385,21 +73394,24 @@ index fc86b7c..7da0fde 100644
|
|||
/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
|
||||
/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
||||
|
||||
@@ -90,24 +120,43 @@ ifndef(`distro_debian',`
|
||||
@@ -90,24 +121,47 @@ ifndef(`distro_debian',`
|
||||
/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
|
||||
|
||||
/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||
-/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||
+/var/lib/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||
+/var/lib/[mxkwg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||
/var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
|
||||
+/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0)
|
||||
+
|
||||
+/var/cache/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||
+/var/cache/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||
|
||||
-/var/log/[kwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
|
||||
-/var/log/lxdm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
|
||||
-/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
|
||||
+/var/log/[mkwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
|
||||
+/var/log/lightdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
|
||||
+/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
|
||||
+/var/log/[mg]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
|
||||
/var/log/slim\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
|
||||
|
|
@ -73412,6 +73424,7 @@ index fc86b7c..7da0fde 100644
|
|||
+/var/run/[kgm]dm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||
+/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||
/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||
+/var/run/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||
/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||
/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||
/var/run/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||
|
|
|
|||
File diff suppressed because it is too large
Load Diff
|
|
@ -19,7 +19,7 @@
|
|||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.11.0
|
||||
Release: 6%{?dist}
|
||||
Release: 7%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
|
|
@ -491,6 +491,26 @@ SELinux Reference policy mls base module.
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Jun 27 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-7
|
||||
- add ptrace_child access to process
|
||||
- remove files_read_etc_files() calling from all policies which have auth_use_nsswith()
|
||||
- Allow boinc domains to manage boinc_lib_t lnk_files
|
||||
- Add support for boinc-client.service unit file
|
||||
- Add support for boinc.log
|
||||
- Allow mozilla_plugin execmod on mozilla home files if allow_ex
|
||||
- Allow dovecot_deliver_t to read dovecot_var_run_t
|
||||
- Allow ldconfig and insmod to manage kdumpctl tmp files
|
||||
- Move thin policy out from cloudform.pp and add a new thin poli
|
||||
- pacemaker needs to communicate with corosync streams
|
||||
- abrt is now started on demand by dbus
|
||||
- Allow certmonger to talk directly to Dogtag servers
|
||||
- Change labeling for /var/lib/cobbler/webui_sessions to httpd_c
|
||||
- Allow mozila_plugin to execute gstreamer home files
|
||||
- Allow useradd to delete all file types stored in the users hom
|
||||
- rhsmcertd reads the rpm database
|
||||
- Add support for lightdm
|
||||
|
||||
|
||||
* Mon Jun 25 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-6
|
||||
- Add tomcat policy
|
||||
- Remove pyzor/razor policy
|
||||
|
|
|
|||
Loading…
Reference in New Issue