- update storage_filetrans_all_named_dev for sg* devices

- Allow auditctl_t to getattr on all removable devices
- Allow nsswitch_domains to stream connect to nmbd
- Allow rasdaemon to rw /dev/cpu/*/msr
- fix /var/log/pki file spec
- make bacula_t as auth_nsswitch domain
- Allow certmonger to manage ipa lib files
- Add support for /var/lib/ipa
This commit is contained in:
Miroslav Grepl 2014-03-26 10:51:19 +01:00
parent 8ad9144b00
commit 1f53e62396
3 changed files with 207 additions and 150 deletions


@ -3224,7 +3224,7 @@ index 7590165..fb30c11 100644
+ fs_mounton_fusefs(seunshare_domain)
+')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 33e0f8d..7238b9d 100644
index 33e0f8d..d3434a9 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@ -3538,7 +3538,7 @@ index 33e0f8d..7238b9d 100644
/usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
@@ -387,11 +462,15 @@ ifdef(`distro_suse', `
@@ -387,11 +462,16 @@ ifdef(`distro_suse', `
#
# /var
#
@ -3548,6 +3548,7 @@ index 33e0f8d..7238b9d 100644
/var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/var/lib/dirsrv/scripts-INSTANCE -- gen_context(system_u:object_r:bin_t,s0)
+/var/lib/iscan/interpreter gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
@ -3555,7 +3556,7 @@ index 33e0f8d..7238b9d 100644
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
@@ -401,3 +480,12 @@ ifdef(`distro_suse', `
@@ -401,3 +481,12 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@ -26981,7 +26982,7 @@ index 3efd5b6..08c3e93 100644
+ allow $1 login_pgm:process sigchld;
+')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 09b791d..8e6648e 100644
index 09b791d..1a3d5b3 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
@ -27284,7 +27285,7 @@ index 09b791d..8e6648e 100644
optional_policy(`
kerberos_use(nsswitch_domain)
')
@@ -456,6 +499,8 @@ optional_policy(`
@@ -456,10 +499,145 @@ optional_policy(`
optional_policy(`
sssd_stream_connect(nsswitch_domain)
@ -27293,7 +27294,8 @@ index 09b791d..8e6648e 100644
')
optional_policy(`
@@ -463,3 +508,135 @@ optional_policy(`
samba_stream_connect_winbind(nsswitch_domain)
+ samba_stream_connect_nmbd(nsswitch_domain)
samba_read_var_files(nsswitch_domain)
samba_dontaudit_write_var_files(nsswitch_domain)
')
@ -33210,7 +33212,7 @@ index 4e94884..b144ffe 100644
+ logging_log_filetrans($1, var_log_t, dir, "anaconda")
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 59b04c1..19dc9ce 100644
index 59b04c1..cdc1c76 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -4,6 +4,21 @@ policy_module(logging, 1.20.1)
@ -33286,16 +33288,18 @@ index 59b04c1..19dc9ce 100644
read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
allow auditctl_t auditd_etc_t:dir list_dir_perms;
@@ -111,7 +137,7 @@ domain_use_interactive_fds(auditctl_t)
@@ -111,7 +137,9 @@ domain_use_interactive_fds(auditctl_t)
mls_file_read_all_levels(auditctl_t)
-term_use_all_terms(auditctl_t)
+storage_getattr_removable_dev(auditctl_t)
+
+term_use_all_inherited_terms(auditctl_t)
init_dontaudit_use_fds(auditctl_t)
@@ -148,6 +174,7 @@ kernel_read_kernel_sysctls(auditd_t)
@@ -148,6 +176,7 @@ kernel_read_kernel_sysctls(auditd_t)
# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
# Probably want a transition, and a new auditd_helper app
kernel_read_system_state(auditd_t)
@ -33303,7 +33307,7 @@ index 59b04c1..19dc9ce 100644
dev_read_sysfs(auditd_t)
@@ -155,9 +182,6 @@ fs_getattr_all_fs(auditd_t)
@@ -155,9 +184,6 @@ fs_getattr_all_fs(auditd_t)
fs_search_auto_mountpoints(auditd_t)
fs_rw_anon_inodefs_files(auditd_t)
@ -33313,7 +33317,7 @@ index 59b04c1..19dc9ce 100644
corenet_all_recvfrom_netlabel(auditd_t)
corenet_tcp_sendrecv_generic_if(auditd_t)
corenet_tcp_sendrecv_generic_node(auditd_t)
@@ -183,16 +207,17 @@ logging_send_syslog_msg(auditd_t)
@@ -183,16 +209,17 @@ logging_send_syslog_msg(auditd_t)
logging_domtrans_dispatcher(auditd_t)
logging_signal_dispatcher(auditd_t)
@ -33335,7 +33339,7 @@ index 59b04c1..19dc9ce 100644
userdom_dontaudit_use_unpriv_user_fds(auditd_t)
userdom_dontaudit_search_user_home_dirs(auditd_t)
@@ -237,19 +262,29 @@ corecmd_exec_shell(audisp_t)
@@ -237,19 +264,29 @@ corecmd_exec_shell(audisp_t)
domain_use_interactive_fds(audisp_t)
@ -33366,7 +33370,7 @@ index 59b04c1..19dc9ce 100644
')
########################################
@@ -268,7 +303,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
@@ -268,7 +305,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
corecmd_exec_bin(audisp_remote_t)
@ -33374,7 +33378,7 @@ index 59b04c1..19dc9ce 100644
corenet_all_recvfrom_netlabel(audisp_remote_t)
corenet_tcp_sendrecv_generic_if(audisp_remote_t)
corenet_tcp_sendrecv_generic_node(audisp_remote_t)
@@ -280,10 +314,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
@@ -280,10 +316,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
files_read_etc_files(audisp_remote_t)
@ -33394,7 +33398,7 @@ index 59b04c1..19dc9ce 100644
sysnet_dns_name_resolve(audisp_remote_t)
@@ -326,7 +368,6 @@ files_read_etc_files(klogd_t)
@@ -326,7 +370,6 @@ files_read_etc_files(klogd_t)
logging_send_syslog_msg(klogd_t)
@ -33402,7 +33406,7 @@ index 59b04c1..19dc9ce 100644
mls_file_read_all_levels(klogd_t)
@@ -355,13 +396,12 @@ optional_policy(`
@@ -355,13 +398,12 @@ optional_policy(`
# sys_admin for the integrated klog of syslog-ng and metalog
# sys_nice for rsyslog
# cjp: why net_admin!
@ -33419,7 +33423,7 @@ index 59b04c1..19dc9ce 100644
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
@@ -371,6 +411,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
@@ -371,6 +413,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
allow syslogd_t syslog_conf_t:file read_file_perms;
@ -33427,7 +33431,7 @@ index 59b04c1..19dc9ce 100644
# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
@@ -389,30 +430,46 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
@@ -389,30 +432,46 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
@ -33477,7 +33481,7 @@ index 59b04c1..19dc9ce 100644
# syslog-ng can listen and connect on tcp port 514 (rsh)
corenet_tcp_sendrecv_generic_if(syslogd_t)
corenet_tcp_sendrecv_generic_node(syslogd_t)
@@ -422,6 +479,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
@@ -422,6 +481,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
corenet_tcp_connect_rsh_port(syslogd_t)
# Allow users to define additional syslog ports to connect to
corenet_tcp_bind_syslogd_port(syslogd_t)
@ -33486,7 +33490,7 @@ index 59b04c1..19dc9ce 100644
corenet_tcp_connect_syslogd_port(syslogd_t)
corenet_tcp_connect_postgresql_port(syslogd_t)
corenet_tcp_connect_mysqld_port(syslogd_t)
@@ -432,9 +491,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
@@ -432,9 +493,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t)
@ -33514,7 +33518,7 @@ index 59b04c1..19dc9ce 100644
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
@@ -448,13 +524,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
@@ -448,13 +526,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
fs_getattr_all_fs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)
@ -33532,7 +33536,7 @@ index 59b04c1..19dc9ce 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
@@ -466,11 +546,11 @@ init_use_fds(syslogd_t)
@@ -466,11 +548,11 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@ -33547,7 +33551,7 @@ index 59b04c1..19dc9ce 100644
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
@@ -507,15 +587,40 @@ optional_policy(`
@@ -507,15 +589,40 @@ optional_policy(`
')
optional_policy(`
@ -33588,7 +33592,7 @@ index 59b04c1..19dc9ce 100644
')
optional_policy(`
@@ -526,3 +631,26 @@ optional_policy(`
@@ -526,3 +633,26 @@ optional_policy(`
# log to the xconsole
xserver_rw_console(syslogd_t)
')
@ -41777,7 +41781,7 @@ index db75976..e4eb903 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 9dc60c6..858bd7a 100644
index 9dc60c6..b921b57 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -42476,7 +42480,7 @@ index 9dc60c6..858bd7a 100644
# cjp: some of this probably can be removed
selinux_get_fs_mount($1_t)
@@ -546,93 +747,128 @@ template(`userdom_common_user_template',`
@@ -546,93 +747,132 @@ template(`userdom_common_user_template',`
selinux_compute_user_contexts($1_t)
# for eject
@ -42593,6 +42597,10 @@ index 9dc60c6..858bd7a 100644
+ kde_dbus_chat_backlighthelper($1_usertype)
')
+ optional_policy(`
+ memcached_stream_connect($1_usertype)
+ ')
+
optional_policy(`
- cups_dbus_chat_config($1_t)
+ modemmanager_dbus_chat($1_usertype)
@ -42619,31 +42627,31 @@ index 9dc60c6..858bd7a 100644
- inetd_use_fds($1_t)
- inetd_rw_tcp_sockets($1_t)
+ git_role($1_r, $1_t)
+ ')
+
+ optional_policy(`
+ inetd_use_fds($1_usertype)
+ inetd_rw_tcp_sockets($1_usertype)
')
optional_policy(`
- inn_read_config($1_t)
- inn_read_news_lib($1_t)
- inn_read_news_spool($1_t)
+ inetd_use_fds($1_usertype)
+ inetd_rw_tcp_sockets($1_usertype)
+ inn_read_config($1_usertype)
+ inn_read_news_lib($1_usertype)
+ inn_read_news_spool($1_usertype)
')
optional_policy(`
- kerberos_manage_krb5_home_files($1_t)
- kerberos_relabel_krb5_home_files($1_t)
- kerberos_home_filetrans_krb5_home($1_t, file, ".k5login")
+ inn_read_config($1_usertype)
+ inn_read_news_lib($1_usertype)
+ inn_read_news_spool($1_usertype)
+ ')
+
+ optional_policy(`
+ lircd_stream_connect($1_usertype)
')
optional_policy(`
@@ -642,23 +878,21 @@ template(`userdom_common_user_template',`
@@ -642,23 +882,21 @@ template(`userdom_common_user_template',`
optional_policy(`
mpd_manage_user_data_content($1_t)
mpd_relabel_user_data_content($1_t)
@ -42672,7 +42680,7 @@ index 9dc60c6..858bd7a 100644
mysql_stream_connect($1_t)
')
')
@@ -671,7 +905,7 @@ template(`userdom_common_user_template',`
@@ -671,7 +909,7 @@ template(`userdom_common_user_template',`
optional_policy(`
# to allow monitoring of pcmcia status
@ -42681,7 +42689,7 @@ index 9dc60c6..858bd7a 100644
')
optional_policy(`
@@ -680,9 +914,9 @@ template(`userdom_common_user_template',`
@@ -680,9 +918,9 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@ -42694,45 +42702,45 @@ index 9dc60c6..858bd7a 100644
')
')
@@ -693,32 +927,35 @@ template(`userdom_common_user_template',`
@@ -693,32 +931,35 @@ template(`userdom_common_user_template',`
')
optional_policy(`
- resmgr_stream_connect($1_t)
+ resmgr_stream_connect($1_usertype)
+ ')
+
+ optional_policy(`
+ rpc_dontaudit_getattr_exports($1_usertype)
')
optional_policy(`
- rpc_dontaudit_getattr_exports($1_t)
- rpc_manage_nfs_rw_content($1_t)
+ rpc_dontaudit_getattr_exports($1_usertype)
')
optional_policy(`
- samba_stream_connect_winbind($1_t)
+ rpcbind_stream_connect($1_usertype)
')
optional_policy(`
- slrnpull_search_spool($1_t)
- samba_stream_connect_winbind($1_t)
+ samba_stream_connect_winbind($1_usertype)
')
optional_policy(`
- usernetctl_run($1_t, $1_r)
- slrnpull_search_spool($1_t)
+ sandbox_transition($1_usertype, $1_r)
')
optional_policy(`
- usernetctl_run($1_t, $1_r)
+ seunshare_role_template($1, $1_r, $1_t)
')
optional_policy(`
- virt_home_filetrans_virt_home($1_t, dir, ".libvirt")
- virt_home_filetrans_virt_home($1_t, dir, ".virtinst")
- virt_home_filetrans_virt_content($1_t, dir, "isos")
- virt_home_filetrans_svirt_home($1_t, dir, "qemu")
- virt_home_filetrans_virt_home($1_t, dir, "VirtualMachines")
+ seunshare_role_template($1, $1_r, $1_t)
+ ')
+
+ optional_policy(`
+ slrnpull_search_spool($1_usertype)
+ ')
+
@ -42741,7 +42749,7 @@ index 9dc60c6..858bd7a 100644
')
')
@@ -743,17 +980,33 @@ template(`userdom_common_user_template',`
@@ -743,17 +984,33 @@ template(`userdom_common_user_template',`
template(`userdom_login_user_template', `
gen_require(`
class context contains;
@ -42758,12 +42766,12 @@ index 9dc60c6..858bd7a 100644
- userdom_manage_tmpfs_role($1_r, $1_t)
+ userdom_manage_tmp_role($1_r, $1_usertype)
+ userdom_manage_tmpfs_role($1_r, $1_usertype)
+
+ ifelse(`$1',`unconfined',`',`
+ gen_tunable($1_exec_content, true)
- userdom_exec_user_tmp_files($1_t)
- userdom_exec_user_home_content_files($1_t)
+ ifelse(`$1',`unconfined',`',`
+ gen_tunable($1_exec_content, true)
+
+ tunable_policy(`$1_exec_content',`
+ userdom_exec_user_tmp_files($1_usertype)
+ userdom_exec_user_home_content_files($1_usertype)
@ -42779,7 +42787,7 @@ index 9dc60c6..858bd7a 100644
userdom_change_password_template($1)
@@ -761,83 +1014,107 @@ template(`userdom_login_user_template', `
@@ -761,83 +1018,107 @@ template(`userdom_login_user_template', `
#
# User domain Local policy
#
@ -42873,7 +42881,8 @@ index 9dc60c6..858bd7a 100644
+ seutil_read_file_contexts($1_usertype)
+ seutil_read_default_contexts($1_usertype)
+ seutil_exec_setfiles($1_usertype)
+
- seutil_read_config($1_t)
+ optional_policy(`
+ cups_read_config($1_usertype)
+ cups_stream_connect($1_usertype)
@ -42884,8 +42893,7 @@ index 9dc60c6..858bd7a 100644
+ kerberos_use($1_usertype)
+ init_write_key($1_usertype)
+ ')
- seutil_read_config($1_t)
+
+ optional_policy(`
+ mysql_filetrans_named_content($1_usertype)
+ ')
@ -42923,7 +42931,7 @@ index 9dc60c6..858bd7a 100644
')
#######################################
@@ -868,6 +1145,12 @@ template(`userdom_restricted_user_template',`
@@ -868,6 +1149,12 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@ -42936,7 +42944,7 @@ index 9dc60c6..858bd7a 100644
##############################
#
# Local policy
@@ -907,53 +1190,137 @@ template(`userdom_restricted_xwindows_user_template',`
@@ -907,53 +1194,137 @@ template(`userdom_restricted_xwindows_user_template',`
#
# Local policy
#
@ -42990,11 +42998,8 @@ index 9dc60c6..858bd7a 100644
optional_policy(`
- alsa_read_rw_config($1_t)
+ alsa_read_rw_config($1_usertype)
')
- optional_policy(`
- dbus_role_template($1, $1_r, $1_t)
- dbus_system_bus_client($1_t)
+ ')
+
+ # cjp: needed by KDE apps
+ # bug: #682499
+ optional_policy(`
@ -43005,9 +43010,11 @@ index 9dc60c6..858bd7a 100644
+
+ optional_policy(`
+ obex_role($1_r, $1_t, $1)
+ ')
+
+ optional_policy(`
')
optional_policy(`
- dbus_role_template($1, $1_r, $1_t)
- dbus_system_bus_client($1_t)
+ dbus_role_template($1, $1_r, $1_usertype)
+ dbus_system_bus_client($1_usertype)
+ allow $1_usertype $1_usertype:dbus send_msg;
@ -43088,7 +43095,7 @@ index 9dc60c6..858bd7a 100644
')
#######################################
@@ -987,27 +1354,33 @@ template(`userdom_unpriv_user_template', `
@@ -987,27 +1358,33 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@ -43126,7 +43133,7 @@ index 9dc60c6..858bd7a 100644
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
# Write floppies
@@ -1018,23 +1391,60 @@ template(`userdom_unpriv_user_template', `
@@ -1018,23 +1395,60 @@ template(`userdom_unpriv_user_template', `
')
')
@ -43178,16 +43185,16 @@ index 9dc60c6..858bd7a 100644
+
+ optional_policy(`
+ gpm_stream_connect($1_usertype)
+ ')
+
+ optional_policy(`
+ mount_run_fusermount($1_t, $1_r)
+ mount_read_pid_files($1_t)
')
optional_policy(`
- netutils_run_ping_cond($1_t, $1_r)
- netutils_run_traceroute_cond($1_t, $1_r)
+ mount_run_fusermount($1_t, $1_r)
+ mount_read_pid_files($1_t)
+ ')
+
+ optional_policy(`
+ wine_role_template($1, $1_r, $1_t)
+ ')
+
@ -43197,7 +43204,7 @@ index 9dc60c6..858bd7a 100644
')
# Run pppd in pppd_t by default for user
@@ -1043,7 +1453,9 @@ template(`userdom_unpriv_user_template', `
@@ -1043,7 +1457,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@ -43208,7 +43215,7 @@ index 9dc60c6..858bd7a 100644
')
')
@@ -1079,7 +1491,9 @@ template(`userdom_unpriv_user_template', `
@@ -1079,7 +1495,9 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@ -43219,7 +43226,7 @@ index 9dc60c6..858bd7a 100644
')
##############################
@@ -1095,6 +1509,7 @@ template(`userdom_admin_user_template',`
@@ -1095,6 +1513,7 @@ template(`userdom_admin_user_template',`
role system_r types $1_t;
typeattribute $1_t admindomain;
@ -43227,7 +43234,7 @@ index 9dc60c6..858bd7a 100644
ifdef(`direct_sysadm_daemon',`
domain_system_change_exemption($1_t)
@@ -1105,14 +1520,8 @@ template(`userdom_admin_user_template',`
@@ -1105,14 +1524,8 @@ template(`userdom_admin_user_template',`
# $1_t local policy
#
@ -43244,7 +43251,7 @@ index 9dc60c6..858bd7a 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
@@ -1128,6 +1537,7 @@ template(`userdom_admin_user_template',`
@@ -1128,6 +1541,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@ -43252,7 +43259,7 @@ index 9dc60c6..858bd7a 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
@@ -1145,10 +1555,14 @@ template(`userdom_admin_user_template',`
@@ -1145,10 +1559,14 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@ -43267,7 +43274,7 @@ index 9dc60c6..858bd7a 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
@@ -1159,29 +1573,38 @@ template(`userdom_admin_user_template',`
@@ -1159,29 +1577,38 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@ -43310,7 +43317,7 @@ index 9dc60c6..858bd7a 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
@@ -1191,6 +1614,8 @@ template(`userdom_admin_user_template',`
@@ -1191,6 +1618,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@ -43319,7 +43326,7 @@ index 9dc60c6..858bd7a 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
@@ -1198,13 +1623,17 @@ template(`userdom_admin_user_template',`
@@ -1198,13 +1627,17 @@ template(`userdom_admin_user_template',`
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@ -43338,7 +43345,7 @@ index 9dc60c6..858bd7a 100644
optional_policy(`
postgresql_unconfined($1_t)
')
@@ -1240,7 +1669,7 @@ template(`userdom_admin_user_template',`
@@ -1240,7 +1673,7 @@ template(`userdom_admin_user_template',`
## </summary>
## </param>
#
@ -43347,7 +43354,7 @@ index 9dc60c6..858bd7a 100644
allow $1 self:capability { dac_read_search dac_override };
corecmd_exec_shell($1)
@@ -1250,6 +1679,8 @@ template(`userdom_security_admin_template',`
@@ -1250,6 +1683,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@ -43356,7 +43363,7 @@ index 9dc60c6..858bd7a 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
@@ -1262,8 +1693,10 @@ template(`userdom_security_admin_template',`
@@ -1262,8 +1697,10 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@ -43368,7 +43375,7 @@ index 9dc60c6..858bd7a 100644
auth_relabel_shadow($1)
init_exec($1)
@@ -1274,29 +1707,31 @@ template(`userdom_security_admin_template',`
@@ -1274,29 +1711,31 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@ -43411,7 +43418,7 @@ index 9dc60c6..858bd7a 100644
')
optional_policy(`
@@ -1357,14 +1792,17 @@ interface(`userdom_user_home_content',`
@@ -1357,14 +1796,17 @@ interface(`userdom_user_home_content',`
gen_require(`
attribute user_home_content_type;
type user_home_t;
@ -43430,7 +43437,7 @@ index 9dc60c6..858bd7a 100644
')
########################################
@@ -1405,6 +1843,51 @@ interface(`userdom_user_tmpfs_file',`
@@ -1405,6 +1847,51 @@ interface(`userdom_user_tmpfs_file',`
## <summary>
## Allow domain to attach to TUN devices created by administrative users.
## </summary>
@ -43482,7 +43489,7 @@ index 9dc60c6..858bd7a 100644
## <param name="domain">
## <summary>
## Domain allowed access.
@@ -1509,11 +1992,31 @@ interface(`userdom_search_user_home_dirs',`
@@ -1509,11 +1996,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@ -43514,7 +43521,7 @@ index 9dc60c6..858bd7a 100644
## Do not audit attempts to search user home directories.
## </summary>
## <desc>
@@ -1555,6 +2058,14 @@ interface(`userdom_list_user_home_dirs',`
@@ -1555,6 +2062,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@ -43529,7 +43536,7 @@ index 9dc60c6..858bd7a 100644
')
########################################
@@ -1570,9 +2081,11 @@ interface(`userdom_list_user_home_dirs',`
@@ -1570,9 +2085,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@ -43541,7 +43548,7 @@ index 9dc60c6..858bd7a 100644
')
########################################
@@ -1629,6 +2142,42 @@ interface(`userdom_relabelto_user_home_dirs',`
@@ -1629,6 +2146,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@ -43584,7 +43591,7 @@ index 9dc60c6..858bd7a 100644
########################################
## <summary>
## Create directories in the home dir root with
@@ -1708,6 +2257,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
@@ -1708,6 +2261,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@ -43593,7 +43600,7 @@ index 9dc60c6..858bd7a 100644
')
########################################
@@ -1741,10 +2292,12 @@ interface(`userdom_list_all_user_home_content',`
@@ -1741,10 +2296,12 @@ interface(`userdom_list_all_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@ -43608,7 +43615,7 @@ index 9dc60c6..858bd7a 100644
')
########################################
@@ -1769,7 +2322,25 @@ interface(`userdom_manage_user_home_content_dirs',`
@@ -1769,7 +2326,25 @@ interface(`userdom_manage_user_home_content_dirs',`
########################################
## <summary>
@ -43635,7 +43642,7 @@ index 9dc60c6..858bd7a 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1779,53 +2350,70 @@ interface(`userdom_manage_user_home_content_dirs',`
@@ -1779,53 +2354,70 @@ interface(`userdom_manage_user_home_content_dirs',`
#
interface(`userdom_delete_all_user_home_content_dirs',`
gen_require(`
@ -43718,7 +43725,7 @@ index 9dc60c6..858bd7a 100644
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
@@ -1845,6 +2433,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
@@ -1845,6 +2437,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
## <summary>
@ -43744,7 +43751,7 @@ index 9dc60c6..858bd7a 100644
## Mmap user home files.
## </summary>
## <param name="domain">
@@ -1875,15 +2482,18 @@ interface(`userdom_mmap_user_home_content_files',`
@@ -1875,15 +2486,18 @@ interface(`userdom_mmap_user_home_content_files',`
interface(`userdom_read_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@ -43765,7 +43772,7 @@ index 9dc60c6..858bd7a 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1891,18 +2501,18 @@ interface(`userdom_read_user_home_content_files',`
@@ -1891,18 +2505,18 @@ interface(`userdom_read_user_home_content_files',`
## </summary>
## </param>
#
@ -43789,7 +43796,7 @@ index 9dc60c6..858bd7a 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1910,17 +2520,21 @@ interface(`userdom_dontaudit_read_user_home_content_files',`
@@ -1910,17 +2524,21 @@ interface(`userdom_dontaudit_read_user_home_content_files',`
## </summary>
## </param>
#
@ -43815,7 +43822,7 @@ index 9dc60c6..858bd7a 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1928,7 +2542,25 @@ interface(`userdom_dontaudit_append_user_home_content_files',`
@@ -1928,7 +2546,25 @@ interface(`userdom_dontaudit_append_user_home_content_files',`
## </summary>
## </param>
#
@ -43842,7 +43849,7 @@ index 9dc60c6..858bd7a 100644
gen_require(`
type user_home_t;
')
@@ -1938,7 +2570,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
@@ -1938,7 +2574,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
########################################
## <summary>
@ -43851,7 +43858,7 @@ index 9dc60c6..858bd7a 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1946,10 +2578,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
@@ -1946,10 +2582,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
## </summary>
## </param>
#
@ -43864,7 +43871,7 @@ index 9dc60c6..858bd7a 100644
')
userdom_search_user_home_content($1)
@@ -1958,7 +2589,7 @@ interface(`userdom_delete_all_user_home_content_files',`
@@ -1958,7 +2593,7 @@ interface(`userdom_delete_all_user_home_content_files',`
########################################
## <summary>
@ -43873,7 +43880,7 @@ index 9dc60c6..858bd7a 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1966,12 +2597,66 @@ interface(`userdom_delete_all_user_home_content_files',`
@@ -1966,12 +2601,66 @@ interface(`userdom_delete_all_user_home_content_files',`
## </summary>
## </param>
#
@ -43942,7 +43949,7 @@ index 9dc60c6..858bd7a 100644
')
########################################
@@ -2007,8 +2692,7 @@ interface(`userdom_read_user_home_content_symlinks',`
@@ -2007,8 +2696,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@ -43952,7 +43959,7 @@ index 9dc60c6..858bd7a 100644
')
########################################
@@ -2024,20 +2708,14 @@ interface(`userdom_read_user_home_content_symlinks',`
@@ -2024,20 +2712,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@ -43977,7 +43984,7 @@ index 9dc60c6..858bd7a 100644
########################################
## <summary>
@@ -2120,7 +2798,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
@@ -2120,7 +2802,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
########################################
## <summary>
@ -43986,7 +43993,7 @@ index 9dc60c6..858bd7a 100644
## </summary>
## <param name="domain">
## <summary>
@@ -2128,19 +2806,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
@@ -2128,19 +2810,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
## </summary>
## </param>
#
@ -44010,7 +44017,7 @@ index 9dc60c6..858bd7a 100644
## </summary>
## <param name="domain">
## <summary>
@@ -2148,12 +2824,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
@@ -2148,12 +2828,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
## </summary>
## </param>
#
@ -44026,7 +44033,7 @@ index 9dc60c6..858bd7a 100644
')
########################################
@@ -2390,11 +3066,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
@@ -2390,11 +3070,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
#
interface(`userdom_read_user_tmp_files',`
gen_require(`
@ -44041,7 +44048,7 @@ index 9dc60c6..858bd7a 100644
files_search_tmp($1)
')
@@ -2414,7 +3090,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
@@ -2414,7 +3094,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@ -44050,7 +44057,7 @@ index 9dc60c6..858bd7a 100644
')
########################################
@@ -2661,6 +3337,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
@@ -2661,6 +3341,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@ -44076,7 +44083,7 @@ index 9dc60c6..858bd7a 100644
########################################
## <summary>
## Read user tmpfs files.
@@ -2677,13 +3372,14 @@ interface(`userdom_read_user_tmpfs_files',`
@@ -2677,13 +3376,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@ -44092,7 +44099,7 @@ index 9dc60c6..858bd7a 100644
## </summary>
## <param name="domain">
## <summary>
@@ -2704,7 +3400,7 @@ interface(`userdom_rw_user_tmpfs_files',`
@@ -2704,7 +3404,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@ -44101,7 +44108,7 @@ index 9dc60c6..858bd7a 100644
## </summary>
## <param name="domain">
## <summary>
@@ -2712,14 +3408,30 @@ interface(`userdom_rw_user_tmpfs_files',`
@@ -2712,14 +3412,30 @@ interface(`userdom_rw_user_tmpfs_files',`
## </summary>
## </param>
#
@ -44136,7 +44143,7 @@ index 9dc60c6..858bd7a 100644
')
########################################
@@ -2814,6 +3526,24 @@ interface(`userdom_use_user_ttys',`
@@ -2814,6 +3530,24 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
@ -44161,7 +44168,7 @@ index 9dc60c6..858bd7a 100644
## Read and write a user domain pty.
## </summary>
## <param name="domain">
@@ -2832,22 +3562,34 @@ interface(`userdom_use_user_ptys',`
@@ -2832,22 +3566,34 @@ interface(`userdom_use_user_ptys',`
########################################
## <summary>
@ -44204,7 +44211,7 @@ index 9dc60c6..858bd7a 100644
## </desc>
## <param name="domain">
## <summary>
@@ -2856,14 +3598,33 @@ interface(`userdom_use_user_ptys',`
@@ -2856,14 +3602,33 @@ interface(`userdom_use_user_ptys',`
## </param>
## <infoflow type="both" weight="10"/>
#
@ -44242,7 +44249,7 @@ index 9dc60c6..858bd7a 100644
')
########################################
@@ -2882,8 +3643,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
@@ -2882,8 +3647,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@ -44272,7 +44279,7 @@ index 9dc60c6..858bd7a 100644
')
########################################
@@ -2955,69 +3735,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
@@ -2955,69 +3739,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@ -44373,7 +44380,7 @@ index 9dc60c6..858bd7a 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3025,12 +3804,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
@@ -3025,12 +3808,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
## </summary>
## </param>
#
@ -44388,7 +44395,7 @@ index 9dc60c6..858bd7a 100644
')
########################################
@@ -3094,7 +3873,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
@@ -3094,7 +3877,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@ -44397,7 +44404,7 @@ index 9dc60c6..858bd7a 100644
allow unpriv_userdomain $1:process sigchld;
')
@@ -3110,29 +3889,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
@@ -3110,29 +3893,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@ -44431,7 +44438,7 @@ index 9dc60c6..858bd7a 100644
')
########################################
@@ -3214,30 +3977,48 @@ interface(`userdom_dontaudit_use_user_ptys',`
@@ -3214,31 +3981,49 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@ -44464,6 +44471,7 @@ index 9dc60c6..858bd7a 100644
########################################
## <summary>
-## Do not audit attempts to relabel files from
-## user pty types.
+## Relabel files to unprivileged user pty types.
+## </summary>
+## <param name="domain">
@ -44483,10 +44491,11 @@ index 9dc60c6..858bd7a 100644
+########################################
+## <summary>
+## Do not audit attempts to relabel files from
## user pty types.
+## user pty types.
## </summary>
## <param name="domain">
@@ -3269,7 +4050,83 @@ interface(`userdom_write_user_tmp_files',`
## <summary>
@@ -3269,7 +4054,83 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@ -44571,7 +44580,7 @@ index 9dc60c6..858bd7a 100644
')
########################################
@@ -3287,7 +4144,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
@@ -3287,7 +4148,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
type user_tty_device_t;
')
@ -44580,7 +44589,7 @@ index 9dc60c6..858bd7a 100644
')
########################################
@@ -3306,6 +4163,7 @@ interface(`userdom_read_all_users_state',`
@@ -3306,6 +4167,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@ -44588,7 +44597,7 @@ index 9dc60c6..858bd7a 100644
kernel_search_proc($1)
')
@@ -3382,6 +4240,42 @@ interface(`userdom_signal_all_users',`
@@ -3382,6 +4244,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@ -44631,7 +44640,7 @@ index 9dc60c6..858bd7a 100644
########################################
## <summary>
## Send a SIGCHLD signal to all user domains.
@@ -3402,6 +4296,24 @@ interface(`userdom_sigchld_all_users',`
@@ -3402,6 +4300,24 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
@ -44656,7 +44665,7 @@ index 9dc60c6..858bd7a 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
@@ -3435,4 +4347,1680 @@ interface(`userdom_dbus_send_all_users',`
@@ -3435,4 +4351,1680 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;


@ -8465,7 +8465,7 @@ index dcd774e..c240ffa 100644
allow $1 bacula_t:process { ptrace signal_perms };
diff --git a/bacula.te b/bacula.te
index f16b000..6cf82b3 100644
index f16b000..941d3fd 100644
--- a/bacula.te
+++ b/bacula.te
@@ -43,7 +43,7 @@ role bacula_admin_roles types bacula_admin_t;
@ -8488,7 +8488,15 @@ index f16b000..6cf82b3 100644
corenet_sendrecv_hplip_server_packets(bacula_t)
corenet_tcp_bind_hplip_port(bacula_t)
corenet_udp_bind_hplip_port(bacula_t)
@@ -148,9 +152,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
@@ -105,6 +109,7 @@ files_read_all_symlinks(bacula_t)
fs_getattr_xattr_fs(bacula_t)
fs_list_all(bacula_t)
+auth_use_nsswitch(bacula_t)
auth_read_shadow(bacula_t)
logging_send_syslog_msg(bacula_t)
@@ -148,9 +153,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
domain_use_interactive_fds(bacula_admin_t)
@ -10875,7 +10883,7 @@ index 008f8ef..144c074 100644
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/certmonger.te b/certmonger.te
index 550b287..b988f57 100644
index 550b287..ad3330f 100644
--- a/certmonger.te
+++ b/certmonger.te
@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
@ -10960,7 +10968,7 @@ index 550b287..b988f57 100644
')
optional_policy(`
@@ -92,11 +108,47 @@ optional_policy(`
@@ -92,11 +108,51 @@ optional_policy(`
')
optional_policy(`
@ -10970,6 +10978,10 @@ index 550b287..b988f57 100644
+ dirsrv_signull(certmonger_t)
+')
+
+optional_policy(`
+ ipa_manage_lib(certmonger_t)
+')
+
+optional_policy(`
kerberos_use(certmonger_t)
+ kerberos_read_keytab(certmonger_t)
@ -33304,20 +33316,22 @@ index d443fee..6cbbf7d 100644
diff --git a/ipa.fc b/ipa.fc
new file mode 100644
index 0000000..9278f85
index 0000000..48d7322
--- /dev/null
+++ b/ipa.fc
@@ -0,0 +1,4 @@
@@ -0,0 +1,6 @@
+/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0)
+
+/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
+
+/var/lib/ipa(/.*)? gen_context(system_u:object_r:ipa_var_lib_t,s0)
+
diff --git a/ipa.if b/ipa.if
new file mode 100644
index 0000000..70c67d3
index 0000000..4095bed
--- /dev/null
+++ b/ipa.if
@@ -0,0 +1,38 @@
@@ -0,0 +1,58 @@
+## <summary>Policy for IPA services.</summary>
+
+########################################
@ -33356,12 +33370,32 @@ index 0000000..70c67d3
+ allow $1 ipa_otpd_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Allow domain to manage ipa lib files/dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipa_manage_lib',`
+ gen_require(`
+ type ipa_var_lib_t;
+ ')
+
+ manage_files_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
+ manage_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
+')
+
+')
diff --git a/ipa.te b/ipa.te
new file mode 100644
index 0000000..0fd2678
index 0000000..b60bc5f
--- /dev/null
+++ b/ipa.te
@@ -0,0 +1,40 @@
@@ -0,0 +1,43 @@
+policy_module(ipa, 1.0.0)
+
+########################################
@ -33378,6 +33412,9 @@ index 0000000..0fd2678
+type ipa_otpd_unit_file_t;
+systemd_unit_file(ipa_otpd_unit_file_t)
+
+type ipa_var_lib_t;
+files_type(ipa_var_lib_t)
+
+########################################
+#
+# ipa_otpd local policy
@ -61065,7 +61102,7 @@ index 8eb3f7b..1ff0fe3 100644
+userdom_read_all_users_state(pkcs_slotd_t)
diff --git a/pki.fc b/pki.fc
new file mode 100644
index 0000000..726d992
index 0000000..e6592ea
--- /dev/null
+++ b/pki.fc
@@ -0,0 +1,56 @@
@ -61074,7 +61111,7 @@ index 0000000..726d992
+/var/run/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
+/var/log/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/etc/sysconfig/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/var/log/pki gen_context(system_u:object_r:pki_log_t,s0)
+/var/log/pki(/.*)? gen_context(system_u:object_r:pki_log_t,s0)
+/usr/bin/pkidaemon gen_context(system_u:object_r:pki_tomcat_exec_t,s0)
+/etc/pki/pki-tomcat/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+
@ -61420,7 +61457,7 @@ index 0000000..798efb6
+')
diff --git a/pki.te b/pki.te
new file mode 100644
index 0000000..b7dfce7
index 0000000..22f672d
--- /dev/null
+++ b/pki.te
@@ -0,0 +1,274 @@
@ -61453,7 +61490,7 @@ index 0000000..b7dfce7
+files_type(pki_tomcat_etc_rw_t)
+
+type pki_tomcat_cert_t;
+files_type(pki_tomcat_cert_t)
+miscfiles_cert_type(pki_tomcat_cert_t)
+
+tomcat_domain_template(pki_tomcat)
+
@ -91068,10 +91105,10 @@ index 0000000..ddfed09
+')
diff --git a/speech-dispatcher.te b/speech-dispatcher.te
new file mode 100644
index 0000000..57372d0
index 0000000..931fa6c
--- /dev/null
+++ b/speech-dispatcher.te
@@ -0,0 +1,50 @@
@@ -0,0 +1,51 @@
+policy_module(speech-dispatcher, 1.0.0)
+
+########################################
@ -91082,6 +91119,7 @@ index 0000000..57372d0
+type speech-dispatcher_t;
+type speech-dispatcher_exec_t;
+init_daemon_domain(speech-dispatcher_t, speech-dispatcher_exec_t)
+application_executable_file(speech-dispatcher_exec_t)
+
+type speech-dispatcher_log_t;
+logging_log_file(speech-dispatcher_log_t)
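Review bot: The new `ipa_manage_lib` interface in ipa.if grants manage access on ipa_var_lib_t files and directories but does not grant the caller search on the parent /var/lib directory, so a caller that lacks that permission from elsewhere cannot reach /var/lib/ipa; the usual shape for a `*_manage_lib` interface is to call `files_search_var_lib($1)` before the two `manage_*_pattern` rules. The summary text "files/dirs" matches the two rules given, so leaving symlinks out appears to be a deliberate scope; if certmonger_t turns out to need lnk_files under /var/lib/ipa, that belongs in a separate rule rather than a wider summary. The trailing `+')` that remains at the end of ipa.if after the inserted interface is a context line, but it does not appear to close anything in this hunk; if it is not matched by a construct above the hunk it is a stray quote-paren worth dropping while this file is being touched.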


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 39%{?dist}
Release: 40%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -584,6 +584,16 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Wed Mar 26 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-40
- update storage_filetrans_all_named_dev for sg* devices
- Allow auditctl_t to getattr on all removeable devices
- Allow nsswitch_domains to stream connect to nmbd
- Allow rasdaemon to rw /dev/cpu//msr
- fix /var/log/pki file spec
- make bacula_t as auth_nsswitch domain
- Allow certmonger to manage ipa lib files
- Add support for /var/lib/ipa
* Tue Mar 25 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-39
- Manage_service_perms should include enable and disable, need backport to RHEL7
- Allow also unpriv user to run vmtools