* Wed Sep 27 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-289
- Allow tlp_t domain stream connect to sssd_t domain - Add missing dac_override capability - Add systemd_tmpfiles_t dac_override capability
parent
8587149987
commit
233534cc51
@ -3190,7 +3190,7 @@ index 99e3903ea..fa68362ea 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
|
||||
index 1d732f1e7..9823c5a68 100644
|
||||
index 1d732f1e7..ae2fa67f8 100644
|
||||
--- a/policy/modules/admin/usermanage.te
|
||||
+++ b/policy/modules/admin/usermanage.te
|
||||
@@ -26,6 +26,7 @@ type chfn_exec_t;
|
||||
@ -3376,7 +3376,7 @@ index 1d732f1e7..9823c5a68 100644
|
||||
#
|
||||
|
||||
-allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource };
|
||||
+allow passwd_t self:capability { chown dac_read_search dac_read_search ipc_lock fsetid setuid setgid sys_nice sys_resource sys_admin };
|
||||
+allow passwd_t self:capability { chown dac_read_search dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_admin };
|
||||
dontaudit passwd_t self:capability sys_tty_config;
|
||||
allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow passwd_t self:process { setrlimit setfscreate };
|
||||
@ -35722,7 +35722,7 @@ index e4376aa98..2c98c5647 100644
|
||||
+ allow $1 getty_unit_file_t:service start;
|
||||
+')
|
||||
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
|
||||
index f6743ea19..abcc39a8c 100644
|
||||
index f6743ea19..8c64a7e19 100644
|
||||
--- a/policy/modules/system/getty.te
|
||||
+++ b/policy/modules/system/getty.te
|
||||
@@ -27,13 +27,24 @@ files_tmp_file(getty_tmp_t)
|
||||
@ -35747,7 +35747,7 @@ index f6743ea19..abcc39a8c 100644
|
||||
|
||||
# Use capabilities.
|
||||
-allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid };
|
||||
+allow getty_t self:capability { dac_read_search chown setgid sys_resource sys_tty_config fowner fsetid };
|
||||
+allow getty_t self:capability { dac_read_search dac_override chown setgid sys_resource sys_tty_config fowner fsetid };
|
||||
dontaudit getty_t self:capability sys_tty_config;
|
||||
allow getty_t self:process { getpgid setpgid getsession signal_perms };
|
||||
allow getty_t self:fifo_file rw_fifo_file_perms;
|
||||
@ -41173,7 +41173,7 @@ index 0e3c2a977..ea9bd57dc 100644
|
||||
+ userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
|
||||
+')
|
||||
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
|
||||
index 446fa9908..a0d1b1ff7 100644
|
||||
index 446fa9908..31ffd73ab 100644
|
||||
--- a/policy/modules/system/locallogin.te
|
||||
+++ b/policy/modules/system/locallogin.te
|
||||
@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
|
||||
@ -41208,7 +41208,7 @@ index 446fa9908..a0d1b1ff7 100644
|
||||
-allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
|
||||
-allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
-allow local_login_t self:process { setrlimit setexec };
|
||||
+allow local_login_t self:capability { dac_read_search chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
|
||||
+allow local_login_t self:capability { dac_read_search dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
|
||||
+allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap };
|
||||
allow local_login_t self:fd use;
|
||||
allow local_login_t self:fifo_file rw_fifo_file_perms;
|
||||
@ -50091,10 +50091,10 @@ index 000000000..634d9596a
|
||||
+')
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
new file mode 100644
|
||||
index 000000000..3660fe1c4
|
||||
index 000000000..e83a61cca
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -0,0 +1,1025 @@
|
||||
@@ -0,0 +1,1027 @@
|
||||
+policy_module(systemd, 1.0.0)
|
||||
+
|
||||
+#######################################
|
||||
@ -50582,7 +50582,7 @@ index 000000000..3660fe1c4
|
||||
+# Local policy
|
||||
+#
|
||||
+
|
||||
+allow systemd_tmpfiles_t self:capability { chown dac_read_search fsetid fowner mknod sys_admin };
|
||||
+allow systemd_tmpfiles_t self:capability { chown dac_read_search dac_override fsetid fowner mknod sys_admin };
|
||||
+allow systemd_tmpfiles_t self:process { setfscreate };
|
||||
+
|
||||
+allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
|
||||
@ -51029,6 +51029,8 @@ index 000000000..3660fe1c4
|
||||
+dev_read_sysfs(systemd_resolved_t)
|
||||
+
|
||||
+sysnet_manage_config(systemd_resolved_t)
|
||||
+sysnet_filetrans_config_fromdir(systemd_resolved_t,systemd_resolved_var_run_t, file, "resolv.conf")
|
||||
+sysnet_filetrans_config_fromdir(systemd_resolved_t,systemd_resolved_var_run_t, file, "resolv.conf.tmp")
|
||||
+
|
||||
+userdom_dbus_send_all_users(systemd_resolved_t)
|
||||
+
|
||||
|
@ -111760,10 +111760,10 @@ index 000000000..368e18842
|
||||
+')
|
||||
diff --git a/tlp.te b/tlp.te
|
||||
new file mode 100644
|
||||
index 000000000..761cc35b0
|
||||
index 000000000..1ef713150
|
||||
--- /dev/null
|
||||
+++ b/tlp.te
|
||||
@@ -0,0 +1,80 @@
|
||||
@@ -0,0 +1,84 @@
|
||||
+policy_module(tlp, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -111844,6 +111844,10 @@ index 000000000..761cc35b0
|
||||
+optional_policy(`
|
||||
+ mount_domtrans(tlp_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ sssd_stream_connect(tlp_t)
|
||||
+')
|
||||
diff --git a/tmpreaper.te b/tmpreaper.te
|
||||
index 585a77f95..9858c8b8d 100644
|
||||
--- a/tmpreaper.te
|
||||
|
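Review bot: The new-side allow lines for passwd_t, getty_t, local_login_t and systemd_tmpfiles_t (the `dac_read_search dac_override` rules in the hunks at -3376, -35747, -41208 and -50582) restore a capability that the 3.13.1-288 changelog entry says was removed as unnecessary, yet nothing records which access required it, so the next cleanup pass cannot tell a justified grant from an oversight. A one-line comment above each restored rule, e.g. `# dac_override: required for <TODO: operation/path from the AVC denial>`, or the domain and operation named in the changelog bullet `- Add missing dac_override capability`, would carry that justification with the rule. The hunk at -51029 also grows the systemd.te section by two lines (6 context lines become 8), apparently the two `sysnet_filetrans_config_fromdir(systemd_resolved_t, ... "resolv.conf" ...)` rules, which neither the commit message nor the changelog mentions; if that is intended it deserves its own bullet, and if not it belongs in a separate commit. The patched-file section begins before this chunk, so earlier hunks of the same patch are not visible here.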
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 288%{?dist}
|
||||
Release: 289%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -682,6 +682,11 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Sep 27 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-289
|
||||
- Allow tlp_t domain stream connect to sssd_t domain
|
||||
- Add missing dac_override capability
|
||||
- Add systemd_tmpfiles_t dac_override capability
|
||||
|
||||
* Fri Sep 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-288
|
||||
- Remove all unnecessary dac_override capability in SELinux modules
|
||||
|
||||
|