- add ptrace_child access to process
- remove files_read_etc_files() calling from all policies which hav - Allow boinc domains to manage boinc_lib_t lnk_files - Add support for boinc-client.service unit file - Add support for boinc.log - Allow mozilla_plugin execmod on mozilla home files if allow_ex - Allow dovecot_deliver_t to read dovecot_var_run_t - Allow ldconfig and insmod to manage kdumpctl tmp files - Move thin policy out from cloudform.pp and add a new thin poli - pacemaker needs to communicate with corosync streams - abrt is now started on demand by dbus - Allow certmonger to talk directly to Dogtag servers - Change labeling for /var/lib/cobbler/webui_sessions to httpd_c - Allow mozila_plugin to execute gstreamer home files - Allow useradd to delete all file types stored in the users hom - rhsmcertd reads the rpm database - Add support for lightdm
parent
52ac61da45
commit
1de5de6450
@ -58144,10 +58144,18 @@ index 3a45f23..f4754f0 100644
|
|||||||
# fork
|
# fork
|
||||||
# setexec
|
# setexec
|
||||||
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
|
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
|
||||||
index f462e95..e8f76cb 100644
|
index f462e95..20fb556 100644
|
||||||
--- a/policy/flask/access_vectors
|
--- a/policy/flask/access_vectors
|
||||||
+++ b/policy/flask/access_vectors
|
+++ b/policy/flask/access_vectors
|
||||||
@@ -393,6 +393,10 @@ class system
|
@@ -329,6 +329,7 @@ class process
|
||||||
|
execheap
|
||||||
|
setkeycreate
|
||||||
|
setsockcreate
|
||||||
|
+ ptrace_child
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@@ -393,6 +394,10 @@ class system
|
||||||
syslog_mod
|
syslog_mod
|
||||||
syslog_console
|
syslog_console
|
||||||
module_request
|
module_request
|
||||||
@ -58158,7 +58166,7 @@ index f462e95..e8f76cb 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@@ -445,6 +449,8 @@ class capability2
|
@@ -445,6 +450,8 @@ class capability2
|
||||||
mac_override # unused by SELinux
|
mac_override # unused by SELinux
|
||||||
mac_admin # unused by SELinux
|
mac_admin # unused by SELinux
|
||||||
syslog
|
syslog
|
||||||
@ -58167,7 +58175,7 @@ index f462e95..e8f76cb 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@@ -860,3 +866,20 @@ inherits database
|
@@ -860,3 +867,20 @@ inherits database
|
||||||
implement
|
implement
|
||||||
execute
|
execute
|
||||||
}
|
}
|
||||||
@ -73296,7 +73304,7 @@ index b17e27a..d193a52 100644
|
|||||||
+ ssh_rw_dgram_sockets(chroot_user_t)
|
+ ssh_rw_dgram_sockets(chroot_user_t)
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
|
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
|
||||||
index fc86b7c..7da0fde 100644
|
index fc86b7c..f393f76 100644
|
||||||
--- a/policy/modules/services/xserver.fc
|
--- a/policy/modules/services/xserver.fc
|
||||||
+++ b/policy/modules/services/xserver.fc
|
+++ b/policy/modules/services/xserver.fc
|
||||||
@@ -2,13 +2,35 @@
|
@@ -2,13 +2,35 @@
|
||||||
@ -73354,7 +73362,7 @@ index fc86b7c..7da0fde 100644
|
|||||||
/etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
|
/etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
|
||||||
/etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
|
/etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
|
||||||
/etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
|
/etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
|
||||||
@@ -46,23 +75,24 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
@@ -46,23 +75,25 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
||||||
# /tmp
|
# /tmp
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -73376,6 +73384,7 @@ index fc86b7c..7da0fde 100644
|
|||||||
/usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
/usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
||||||
/usr/(s)?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
/usr/(s)?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
||||||
-/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
-/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
||||||
|
+/usr/(s)?bin/lightdm* -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
||||||
+/usr/(s)?bin/[mxgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
+/usr/(s)?bin/[mxgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
||||||
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
||||||
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
|
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
|
||||||
@ -73385,21 +73394,24 @@ index fc86b7c..7da0fde 100644
|
|||||||
/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
|
/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
|
||||||
/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
||||||
|
|
||||||
@@ -90,24 +120,43 @@ ifndef(`distro_debian',`
|
@@ -90,24 +121,47 @@ ifndef(`distro_debian',`
|
||||||
/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
|
/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
|
||||||
|
|
||||||
/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||||
-/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
-/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||||
|
+/var/lib/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||||
+/var/lib/[mxkwg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
+/var/lib/[mxkwg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||||
/var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
|
/var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
|
||||||
+/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0)
|
+/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0)
|
||||||
+
|
+
|
||||||
|
+/var/cache/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||||
+/var/cache/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
+/var/cache/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||||
|
|
||||||
-/var/log/[kwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
|
-/var/log/[kwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
|
||||||
-/var/log/lxdm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
|
-/var/log/lxdm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
|
||||||
-/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
|
-/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
|
||||||
+/var/log/[mkwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
|
+/var/log/[mkwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
|
||||||
|
+/var/log/lightdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
|
||||||
+/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
|
+/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
|
||||||
+/var/log/[mg]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
|
+/var/log/[mg]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
|
||||||
/var/log/slim\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
|
/var/log/slim\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
|
||||||
@ -73412,6 +73424,7 @@ index fc86b7c..7da0fde 100644
|
|||||||
+/var/run/[kgm]dm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
|
+/var/run/[kgm]dm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||||
+/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0)
|
+/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||||
/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
|
/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||||
|
+/var/run/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||||
/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
|
/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||||
/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
|
/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||||
/var/run/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
|
/var/run/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||||
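Review bot: The new entry `/usr/(s)?bin/lightdm*` in the xserver.fc hunk is written like a shell glob, but file-context patterns are regular expressions, so `m*` means "zero or more m". As written it matches `lightd`, `lightdm`, `lightdmm` and so on, but no `lightdm-`prefixed helper binary. If every lightdm-prefixed executable is meant to get xdm_exec_t, the line should read `/usr/(s)?bin/lightdm.* -- gen_context(system_u:object_r:xdm_exec_t,s0)`; if only the daemon is meant, drop the `*`. A binary that misses this label would presumably keep its default label and not transition into the xdm domain, so it is worth checking the installed paths with `matchpathcon` after the policy is built. The other lightdm entries in this section use `(/.*)?` and do not have this problem.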
|
File diff suppressed because it is too large
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.11.0
|
Version: 3.11.0
|
||||||
Release: 6%{?dist}
|
Release: 7%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -491,6 +491,26 @@ SELinux Reference policy mls base module.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jun 27 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-7
|
||||||
|
- add ptrace_child access to process
|
||||||
|
- remove files_read_etc_files() calling from all policies which have auth_use_nsswith()
|
||||||
|
- Allow boinc domains to manage boinc_lib_t lnk_files
|
||||||
|
- Add support for boinc-client.service unit file
|
||||||
|
- Add support for boinc.log
|
||||||
|
- Allow mozilla_plugin execmod on mozilla home files if allow_ex
|
||||||
|
- Allow dovecot_deliver_t to read dovecot_var_run_t
|
||||||
|
- Allow ldconfig and insmod to manage kdumpctl tmp files
|
||||||
|
- Move thin policy out from cloudform.pp and add a new thin poli
|
||||||
|
- pacemaker needs to communicate with corosync streams
|
||||||
|
- abrt is now started on demand by dbus
|
||||||
|
- Allow certmonger to talk directly to Dogtag servers
|
||||||
|
- Change labeling for /var/lib/cobbler/webui_sessions to httpd_c
|
||||||
|
- Allow mozila_plugin to execute gstreamer home files
|
||||||
|
- Allow useradd to delete all file types stored in the users hom
|
||||||
|
- rhsmcertd reads the rpm database
|
||||||
|
- Add support for lightdm
|
||||||
|
|
||||||
|
|
||||||
* Mon Jun 25 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-6
|
* Mon Jun 25 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-6
|
||||||
- Add tomcat policy
|
- Add tomcat policy
|
||||||
- Remove pyzor/razor policy
|
- Remove pyzor/razor policy
|
||||||
|