- Allow numad to write scan_sleep_millisecs

- Turn on entropyd_use_audio boolean by default
- Allow cgred to read /etc/cgconfig.conf because it contains templates used togeth
- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
- Allow numad to write scan_sleep_millisecs
- Turn on entropyd_use_audio boolean by default
- Allow cgred to read /etc/cgconfig.conf because it contains templates used togeth
- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
- Fix label on irclogs in the homedir
This commit is contained in:
Miroslav Grepl 2014-03-10 11:51:20 +01:00
parent 2d6801ddad
commit 24a25f20cc
3 changed files with 118 additions and 74 deletions

View File

@ -5410,7 +5410,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',`` define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index b191055..aa16691 100644 index b191055..136b78e 100644
--- a/policy/modules/kernel/corenetwork.te.in --- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@ -5667,7 +5667,7 @@ index b191055..aa16691 100644
network_port(portmap, udp,111,s0, tcp,111,s0) network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postfix_policyd, tcp,10031,s0) network_port(postfix_policyd, tcp,10031,s0)
network_port(postgresql, tcp,5432,s0) network_port(postgresql, tcp,5432,s0)
@@ -215,39 +267,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) @@ -215,52 +267,59 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
network_port(printer, tcp,515,s0) network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0) network_port(ptal, tcp,5703,s0)
@ -5720,7 +5720,12 @@ index b191055..aa16691 100644
network_port(ssh, tcp,22,s0) network_port(ssh, tcp,22,s0)
network_port(stunnel) # no defined portcon network_port(stunnel) # no defined portcon
network_port(svn, tcp,3690,s0, udp,3690,s0) network_port(svn, tcp,3690,s0, udp,3690,s0)
@@ -259,8 +317,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) network_port(svrloc, tcp,427,s0, udp,427,s0)
network_port(swat, tcp,901,s0)
network_port(sype_transport, tcp,9911,s0, udp,9911,s0)
-network_port(syslogd, udp,514,s0)
+network_port(syslogd, udp,514,s0, udp,601,s0, tcp,601,s0)
network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
network_port(tcs, tcp, 30003, s0) network_port(tcs, tcp, 30003, s0)
network_port(telnetd, tcp,23,s0) network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0) network_port(tftp, udp,69,s0)
@ -20975,7 +20980,7 @@ index 9d2f311..9e87525 100644
+ postgresql_filetrans_named_content($1) + postgresql_filetrans_named_content($1)
') ')
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 0306134..bf53ec7 100644 index 0306134..68598c7 100644
--- a/policy/modules/services/postgresql.te --- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te
@@ -19,25 +19,32 @@ gen_require(` @@ -19,25 +19,32 @@ gen_require(`
@ -21067,15 +21072,19 @@ index 0306134..bf53ec7 100644
files_read_etc_runtime_files(postgresql_t) files_read_etc_runtime_files(postgresql_t)
files_read_usr_files(postgresql_t) files_read_usr_files(postgresql_t)
@@ -354,7 +361,6 @@ init_read_utmp(postgresql_t) @@ -354,20 +361,28 @@ init_read_utmp(postgresql_t)
logging_send_syslog_msg(postgresql_t) logging_send_syslog_msg(postgresql_t)
logging_send_audit_msgs(postgresql_t) logging_send_audit_msgs(postgresql_t)
-miscfiles_read_localization(postgresql_t) -miscfiles_read_localization(postgresql_t)
-
seutil_libselinux_linked(postgresql_t) seutil_libselinux_linked(postgresql_t)
seutil_read_default_contexts(postgresql_t) seutil_read_default_contexts(postgresql_t)
@@ -364,10 +370,18 @@ userdom_dontaudit_search_user_home_dirs(postgresql_t)
+sysnet_use_ldap(postgresql_t)
+
userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
userdom_dontaudit_search_user_home_dirs(postgresql_t)
userdom_dontaudit_use_user_terminals(postgresql_t) userdom_dontaudit_use_user_terminals(postgresql_t)
optional_policy(` optional_policy(`
@ -21095,7 +21104,7 @@ index 0306134..bf53ec7 100644
allow postgresql_t self:process execmem; allow postgresql_t self:process execmem;
') ')
@@ -485,10 +499,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin @@ -485,10 +500,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin
# It is always allowed to operate temporary objects for any database client. # It is always allowed to operate temporary objects for any database client.
allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom }; allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom };
@ -21152,7 +21161,7 @@ index 0306134..bf53ec7 100644
allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name }; allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name };
') ')
@@ -536,7 +592,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module; @@ -536,7 +593,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
kernel_relabelfrom_unlabeled_database(sepgsql_admin_type) kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
@ -21161,7 +21170,7 @@ index 0306134..bf53ec7 100644
allow sepgsql_admin_type sepgsql_database_type:db_database *; allow sepgsql_admin_type sepgsql_database_type:db_database *;
allow sepgsql_admin_type sepgsql_schema_type:db_schema *; allow sepgsql_admin_type sepgsql_schema_type:db_schema *;
@@ -589,3 +645,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; @@ -589,3 +646,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module; allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type) kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)
@ -29510,7 +29519,7 @@ index 79a45f6..89b43aa 100644
+ files_etc_filetrans($1, machineid_t, file, "machine-id" ) + files_etc_filetrans($1, machineid_t, file, "machine-id" )
+') +')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 17eda24..e8e4114 100644 index 17eda24..9f7264a 100644
--- a/policy/modules/system/init.te --- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te +++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(` @@ -11,10 +11,31 @@ gen_require(`
@ -29612,7 +29621,15 @@ index 17eda24..e8e4114 100644
type initrc_exec_t, init_script_file_type; type initrc_exec_t, init_script_file_type;
domain_type(initrc_t) domain_type(initrc_t)
domain_entry_file(initrc_t, initrc_exec_t) domain_entry_file(initrc_t, initrc_exec_t)
@@ -98,7 +144,9 @@ ifdef(`enable_mls',` @@ -66,6 +112,7 @@ role system_r types initrc_t;
# of the below init_upstart tunable
# but this has a typeattribute in it
corecmd_shell_entry_type(initrc_t)
+corecmd_bin_entry_type(initrc_t)
type initrc_devpts_t;
term_pty(initrc_devpts_t)
@@ -98,7 +145,9 @@ ifdef(`enable_mls',`
# #
# Use capabilities. old rule: # Use capabilities. old rule:
@ -29623,7 +29640,7 @@ index 17eda24..e8e4114 100644
# is ~sys_module really needed? observed: # is ~sys_module really needed? observed:
# sys_boot # sys_boot
# sys_tty_config # sys_tty_config
@@ -108,14 +156,42 @@ allow init_t self:capability ~sys_module; @@ -108,14 +157,42 @@ allow init_t self:capability ~sys_module;
allow init_t self:fifo_file rw_fifo_file_perms; allow init_t self:fifo_file rw_fifo_file_perms;
@ -29672,7 +29689,7 @@ index 17eda24..e8e4114 100644
allow init_t initctl_t:fifo_file manage_fifo_file_perms; allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file) dev_filetrans(init_t, initctl_t, fifo_file)
@@ -125,13 +201,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; @@ -125,13 +202,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
kernel_read_system_state(init_t) kernel_read_system_state(init_t)
kernel_share_state(init_t) kernel_share_state(init_t)
@ -29692,7 +29709,7 @@ index 17eda24..e8e4114 100644
domain_getpgid_all_domains(init_t) domain_getpgid_all_domains(init_t)
domain_kill_all_domains(init_t) domain_kill_all_domains(init_t)
@@ -139,14 +220,22 @@ domain_signal_all_domains(init_t) @@ -139,14 +221,22 @@ domain_signal_all_domains(init_t)
domain_signull_all_domains(init_t) domain_signull_all_domains(init_t)
domain_sigstop_all_domains(init_t) domain_sigstop_all_domains(init_t)
domain_sigchld_all_domains(init_t) domain_sigchld_all_domains(init_t)
@ -29715,7 +29732,7 @@ index 17eda24..e8e4114 100644
# file descriptors inherited from the rootfs: # file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t) files_dontaudit_rw_root_chr_files(init_t)
@@ -156,28 +245,52 @@ fs_list_inotifyfs(init_t) @@ -156,28 +246,52 @@ fs_list_inotifyfs(init_t)
fs_write_ramfs_sockets(init_t) fs_write_ramfs_sockets(init_t)
mcs_process_set_categories(init_t) mcs_process_set_categories(init_t)
@ -29771,7 +29788,7 @@ index 17eda24..e8e4114 100644
ifdef(`distro_gentoo',` ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap }; allow init_t self:process { getcap setcap };
@@ -186,29 +299,229 @@ ifdef(`distro_gentoo',` @@ -186,29 +300,229 @@ ifdef(`distro_gentoo',`
') ')
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
@ -30009,7 +30026,7 @@ index 17eda24..e8e4114 100644
') ')
optional_policy(` optional_policy(`
@@ -216,7 +529,31 @@ optional_policy(` @@ -216,7 +530,31 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -30041,7 +30058,7 @@ index 17eda24..e8e4114 100644
') ')
######################################## ########################################
@@ -225,9 +562,9 @@ optional_policy(` @@ -225,9 +563,9 @@ optional_policy(`
# #
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -30053,7 +30070,7 @@ index 17eda24..e8e4114 100644
allow initrc_t self:passwd rootok; allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms; allow initrc_t self:key manage_key_perms;
@@ -258,12 +595,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) @@ -258,12 +596,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms; allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file) files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -30070,7 +30087,7 @@ index 17eda24..e8e4114 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
@@ -279,23 +620,36 @@ kernel_change_ring_buffer_level(initrc_t) @@ -279,23 +621,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t) kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t) kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t) kernel_read_all_sysctls(initrc_t)
@ -30113,7 +30130,7 @@ index 17eda24..e8e4114 100644
corenet_tcp_sendrecv_all_ports(initrc_t) corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t)
@@ -303,9 +657,11 @@ corenet_sendrecv_all_client_packets(initrc_t) @@ -303,9 +658,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t) dev_read_rand(initrc_t)
dev_read_urand(initrc_t) dev_read_urand(initrc_t)
@ -30125,7 +30142,7 @@ index 17eda24..e8e4114 100644
dev_rw_sysfs(initrc_t) dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t) dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t) dev_read_framebuffer(initrc_t)
@@ -313,8 +669,10 @@ dev_write_framebuffer(initrc_t) @@ -313,8 +670,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t) dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t) dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t)
@ -30136,7 +30153,7 @@ index 17eda24..e8e4114 100644
dev_delete_lvm_control_dev(initrc_t) dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t) dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t) dev_manage_generic_files(initrc_t)
@@ -322,8 +680,7 @@ dev_manage_generic_files(initrc_t) @@ -322,8 +681,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t) dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t) dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t) dev_getattr_all_chr_files(initrc_t)
@ -30146,7 +30163,7 @@ index 17eda24..e8e4114 100644
domain_kill_all_domains(initrc_t) domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t) domain_signal_all_domains(initrc_t)
@@ -332,7 +689,6 @@ domain_sigstop_all_domains(initrc_t) @@ -332,7 +690,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t) domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t) domain_getattr_all_domains(initrc_t)
@ -30154,7 +30171,7 @@ index 17eda24..e8e4114 100644
domain_getsession_all_domains(initrc_t) domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t) domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown: # for lsof which is used by alsa shutdown:
@@ -340,6 +696,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) @@ -340,6 +697,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t)
@ -30162,7 +30179,7 @@ index 17eda24..e8e4114 100644
files_getattr_all_dirs(initrc_t) files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t) files_getattr_all_files(initrc_t)
@@ -347,14 +704,15 @@ files_getattr_all_symlinks(initrc_t) @@ -347,14 +705,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t) files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t) files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t) files_purge_tmp(initrc_t)
@ -30180,7 +30197,7 @@ index 17eda24..e8e4114 100644
files_read_usr_files(initrc_t) files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t) files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t) files_manage_generic_spool(initrc_t)
@@ -364,8 +722,12 @@ files_list_isid_type_dirs(initrc_t) @@ -364,8 +723,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t) files_list_default(initrc_t)
files_mounton_default(initrc_t) files_mounton_default(initrc_t)
@ -30194,7 +30211,7 @@ index 17eda24..e8e4114 100644
fs_list_inotifyfs(initrc_t) fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t) fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs # rhgb-console writes to ramfs
@@ -375,10 +737,11 @@ fs_mount_all_fs(initrc_t) @@ -375,10 +738,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t) fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t) fs_getattr_all_fs(initrc_t)
@ -30208,7 +30225,7 @@ index 17eda24..e8e4114 100644
mcs_process_set_categories(initrc_t) mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t) mls_file_read_all_levels(initrc_t)
@@ -387,8 +750,10 @@ mls_process_read_up(initrc_t) @@ -387,8 +751,10 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t) mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t) mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t) mls_fd_share_all_levels(initrc_t)
@ -30219,7 +30236,7 @@ index 17eda24..e8e4114 100644
storage_getattr_fixed_disk_dev(initrc_t) storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t)
@@ -398,6 +763,7 @@ term_use_all_terms(initrc_t) @@ -398,6 +764,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t) term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t) auth_rw_login_records(initrc_t)
@ -30227,7 +30244,7 @@ index 17eda24..e8e4114 100644
auth_setattr_login_records(initrc_t) auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t) auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t) auth_read_pam_pid(initrc_t)
@@ -416,20 +782,18 @@ logging_read_all_logs(initrc_t) @@ -416,20 +783,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t) logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t) logging_read_audit_config(initrc_t)
@ -30251,7 +30268,7 @@ index 17eda24..e8e4114 100644
ifdef(`distro_debian',` ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t) dev_setattr_generic_dirs(initrc_t)
@@ -451,7 +815,6 @@ ifdef(`distro_gentoo',` @@ -451,7 +816,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate; allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t) dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t) dev_create_zero_dev(initrc_t)
@ -30259,7 +30276,7 @@ index 17eda24..e8e4114 100644
term_create_console_dev(initrc_t) term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks # unfortunately /sbin/rc does stupid tricks
@@ -486,6 +849,10 @@ ifdef(`distro_gentoo',` @@ -486,6 +850,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t) sysnet_setattr_config(initrc_t)
optional_policy(` optional_policy(`
@ -30270,7 +30287,7 @@ index 17eda24..e8e4114 100644
alsa_read_lib(initrc_t) alsa_read_lib(initrc_t)
') ')
@@ -506,7 +873,7 @@ ifdef(`distro_redhat',` @@ -506,7 +874,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray # Red Hat systems seem to have a stray
# fd open from the initrd # fd open from the initrd
@ -30279,7 +30296,7 @@ index 17eda24..e8e4114 100644
files_dontaudit_read_root_files(initrc_t) files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd # These seem to be from the initrd
@@ -521,6 +888,7 @@ ifdef(`distro_redhat',` @@ -521,6 +889,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t) files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t) files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t) files_rw_boot_symlinks(initrc_t)
@ -30287,7 +30304,7 @@ index 17eda24..e8e4114 100644
# wants to read /.fonts directory # wants to read /.fonts directory
files_read_default_files(initrc_t) files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t) files_mountpoint(initrc_tmp_t)
@@ -541,6 +909,7 @@ ifdef(`distro_redhat',` @@ -541,6 +910,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t) miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t) miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t) miscfiles_relabel_localization(initrc_t)
@ -30295,7 +30312,7 @@ index 17eda24..e8e4114 100644
miscfiles_read_fonts(initrc_t) miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t) miscfiles_read_hwdata(initrc_t)
@@ -550,8 +919,44 @@ ifdef(`distro_redhat',` @@ -550,8 +920,44 @@ ifdef(`distro_redhat',`
') ')
optional_policy(` optional_policy(`
@ -30340,7 +30357,7 @@ index 17eda24..e8e4114 100644
') ')
optional_policy(` optional_policy(`
@@ -559,14 +964,31 @@ ifdef(`distro_redhat',` @@ -559,14 +965,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t) rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t) rpc_manage_nfs_state_data(initrc_t)
') ')
@ -30372,7 +30389,7 @@ index 17eda24..e8e4114 100644
') ')
') ')
@@ -577,6 +999,39 @@ ifdef(`distro_suse',` @@ -577,6 +1000,39 @@ ifdef(`distro_suse',`
') ')
') ')
@ -30412,7 +30429,7 @@ index 17eda24..e8e4114 100644
optional_policy(` optional_policy(`
amavis_search_lib(initrc_t) amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t) amavis_setattr_pid_files(initrc_t)
@@ -589,6 +1044,8 @@ optional_policy(` @@ -589,6 +1045,8 @@ optional_policy(`
optional_policy(` optional_policy(`
apache_read_config(initrc_t) apache_read_config(initrc_t)
apache_list_modules(initrc_t) apache_list_modules(initrc_t)
@ -30421,7 +30438,7 @@ index 17eda24..e8e4114 100644
') ')
optional_policy(` optional_policy(`
@@ -610,6 +1067,7 @@ optional_policy(` @@ -610,6 +1068,7 @@ optional_policy(`
optional_policy(` optional_policy(`
cgroup_stream_connect_cgred(initrc_t) cgroup_stream_connect_cgred(initrc_t)
@ -30429,7 +30446,7 @@ index 17eda24..e8e4114 100644
') ')
optional_policy(` optional_policy(`
@@ -626,6 +1084,17 @@ optional_policy(` @@ -626,6 +1085,17 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -30447,7 +30464,7 @@ index 17eda24..e8e4114 100644
dev_getattr_printer_dev(initrc_t) dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t) cups_read_log(initrc_t)
@@ -642,9 +1111,13 @@ optional_policy(` @@ -642,9 +1112,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t) dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t) dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t) dbus_read_config(initrc_t)
@ -30461,7 +30478,7 @@ index 17eda24..e8e4114 100644
') ')
optional_policy(` optional_policy(`
@@ -657,15 +1130,11 @@ optional_policy(` @@ -657,15 +1131,11 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -30479,7 +30496,7 @@ index 17eda24..e8e4114 100644
') ')
optional_policy(` optional_policy(`
@@ -686,6 +1155,15 @@ optional_policy(` @@ -686,6 +1156,15 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -30495,7 +30512,7 @@ index 17eda24..e8e4114 100644
inn_exec_config(initrc_t) inn_exec_config(initrc_t)
') ')
@@ -726,6 +1204,7 @@ optional_policy(` @@ -726,6 +1205,7 @@ optional_policy(`
lpd_list_spool(initrc_t) lpd_list_spool(initrc_t)
lpd_read_config(initrc_t) lpd_read_config(initrc_t)
@ -30503,7 +30520,7 @@ index 17eda24..e8e4114 100644
') ')
optional_policy(` optional_policy(`
@@ -743,7 +1222,13 @@ optional_policy(` @@ -743,7 +1223,13 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -30518,7 +30535,7 @@ index 17eda24..e8e4114 100644
mta_dontaudit_read_spool_symlinks(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t)
') ')
@@ -766,6 +1251,10 @@ optional_policy(` @@ -766,6 +1252,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -30529,7 +30546,7 @@ index 17eda24..e8e4114 100644
postgresql_manage_db(initrc_t) postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t) postgresql_read_config(initrc_t)
') ')
@@ -775,10 +1264,20 @@ optional_policy(` @@ -775,10 +1265,20 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -30550,7 +30567,7 @@ index 17eda24..e8e4114 100644
quota_manage_flags(initrc_t) quota_manage_flags(initrc_t)
') ')
@@ -787,6 +1286,10 @@ optional_policy(` @@ -787,6 +1287,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -30561,7 +30578,7 @@ index 17eda24..e8e4114 100644
fs_write_ramfs_sockets(initrc_t) fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t) fs_search_ramfs(initrc_t)
@@ -808,8 +1311,6 @@ optional_policy(` @@ -808,8 +1312,6 @@ optional_policy(`
# bash tries ioctl for some reason # bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t) files_dontaudit_ioctl_all_pids(initrc_t)
@ -30570,7 +30587,7 @@ index 17eda24..e8e4114 100644
') ')
optional_policy(` optional_policy(`
@@ -818,6 +1319,10 @@ optional_policy(` @@ -818,6 +1320,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -30581,7 +30598,7 @@ index 17eda24..e8e4114 100644
# shorewall-init script run /var/lib/shorewall/firewall # shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t) shorewall_lib_domtrans(initrc_t)
') ')
@@ -827,10 +1332,12 @@ optional_policy(` @@ -827,10 +1333,12 @@ optional_policy(`
squid_manage_logs(initrc_t) squid_manage_logs(initrc_t)
') ')
@ -30594,7 +30611,7 @@ index 17eda24..e8e4114 100644
optional_policy(` optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t) ssh_dontaudit_read_server_keys(initrc_t)
@@ -857,21 +1364,60 @@ optional_policy(` @@ -857,21 +1365,60 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -30656,7 +30673,7 @@ index 17eda24..e8e4114 100644
') ')
optional_policy(` optional_policy(`
@@ -887,6 +1433,10 @@ optional_policy(` @@ -887,6 +1434,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -30667,7 +30684,7 @@ index 17eda24..e8e4114 100644
# Set device ownerships/modes. # Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t) xserver_setattr_console_pipes(initrc_t)
@@ -897,3 +1447,218 @@ optional_policy(` @@ -897,3 +1448,218 @@ optional_policy(`
optional_policy(` optional_policy(`
zebra_read_config(initrc_t) zebra_read_config(initrc_t)
') ')

View File

@ -11109,7 +11109,7 @@ index 85ca63f..1d1c99c 100644
admin_pattern($1, { cgconfig_etc_t cgrules_etc_t }) admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
files_list_etc($1) files_list_etc($1)
diff --git a/cgroup.te b/cgroup.te diff --git a/cgroup.te b/cgroup.te
index 80a88a2..f947039 100644 index 80a88a2..7cebead 100644
--- a/cgroup.te --- a/cgroup.te
+++ b/cgroup.te +++ b/cgroup.te
@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t) @@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
@ -11137,7 +11137,7 @@ index 80a88a2..f947039 100644
domain_setpriority_all_domains(cgclear_t) domain_setpriority_all_domains(cgclear_t)
fs_manage_cgroup_dirs(cgclear_t) fs_manage_cgroup_dirs(cgclear_t)
@@ -64,20 +66,21 @@ allow cgconfig_t cgconfig_etc_t:file read_file_perms; @@ -64,23 +66,25 @@ allow cgconfig_t cgconfig_etc_t:file read_file_perms;
kernel_list_unlabeled(cgconfig_t) kernel_list_unlabeled(cgconfig_t)
kernel_read_system_state(cgconfig_t) kernel_read_system_state(cgconfig_t)
@ -11162,7 +11162,11 @@ index 80a88a2..f947039 100644
allow cgred_t self:netlink_socket { write bind create read }; allow cgred_t self:netlink_socket { write bind create read };
allow cgred_t self:unix_dgram_socket { write create connect }; allow cgred_t self:unix_dgram_socket { write create connect };
@@ -99,10 +102,11 @@ domain_setpriority_all_domains(cgred_t) +allow cgred_t cgconfig_t:file read_file_perms;
allow cgred_t cgrules_etc_t:file read_file_perms;
allow cgred_t cgred_log_t:file { append_file_perms create_file_perms setattr_file_perms };
@@ -99,10 +103,11 @@ domain_setpriority_all_domains(cgred_t)
files_getattr_all_files(cgred_t) files_getattr_all_files(cgred_t)
files_getattr_all_sockets(cgred_t) files_getattr_all_sockets(cgred_t)
files_read_all_symlinks(cgred_t) files_read_all_symlinks(cgred_t)
@ -24972,9 +24976,18 @@ index ef62363..1ec4d89 100644
+ procmail_domtrans(dspam_t) + procmail_domtrans(dspam_t)
+') +')
diff --git a/entropyd.te b/entropyd.te diff --git a/entropyd.te b/entropyd.te
index b8b8328..4608c0c 100644 index b8b8328..111084c 100644
--- a/entropyd.te --- a/entropyd.te
+++ b/entropyd.te +++ b/entropyd.te
@@ -12,7 +12,7 @@ policy_module(entropyd, 1.8.0)
## the entropy feeds.
## </p>
## </desc>
-gen_tunable(entropyd_use_audio, false)
+gen_tunable(entropyd_use_audio, true)
type entropyd_t;
type entropyd_exec_t;
@@ -45,9 +45,6 @@ dev_write_urand(entropyd_t) @@ -45,9 +45,6 @@ dev_write_urand(entropyd_t)
dev_read_rand(entropyd_t) dev_read_rand(entropyd_t)
dev_write_rand(entropyd_t) dev_write_rand(entropyd_t)
@ -33211,14 +33224,14 @@ index 0000000..0fd2678
+ kerberos_use(ipa_otpd_t) + kerberos_use(ipa_otpd_t)
+') +')
diff --git a/irc.fc b/irc.fc diff --git a/irc.fc b/irc.fc
index 48e7739..c3285c2 100644 index 48e7739..1bf0326 100644
--- a/irc.fc --- a/irc.fc
+++ b/irc.fc +++ b/irc.fc
@@ -1,6 +1,6 @@ @@ -1,6 +1,6 @@
HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0) HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irc_home_t,s0) HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irc_home_t,s0)
-HOME_DIR/irclogs(/.*)? gen_context(system_u:object_r:irc_log_home_t,s0) -HOME_DIR/irclogs(/.*)? gen_context(system_u:object_r:irc_log_home_t,s0)
+HOME_DIR/irclog(/.*)? gen_context(system_u:object_r:issi_home_t,s0) +HOME_DIR/irclog(/.*)? gen_context(system_u:object_r:irc_home_t,s0)
/etc/irssi\.conf -- gen_context(system_u:object_r:irc_conf_t,s0) /etc/irssi\.conf -- gen_context(system_u:object_r:irc_conf_t,s0)
@ -54147,10 +54160,10 @@ index 0d3c270..709dda1 100644
+ ') + ')
') ')
diff --git a/numad.te b/numad.te diff --git a/numad.te b/numad.te
index b0a1be4..239f27a 100644 index b0a1be4..303a927 100644
--- a/numad.te --- a/numad.te
+++ b/numad.te +++ b/numad.te
@@ -8,29 +8,29 @@ policy_module(numad, 1.1.0) @@ -8,37 +8,44 @@ policy_module(numad, 1.1.0)
type numad_t; type numad_t;
type numad_exec_t; type numad_exec_t;
init_daemon_domain(numad_t, numad_exec_t) init_daemon_domain(numad_t, numad_exec_t)
@ -54189,15 +54202,17 @@ index b0a1be4..239f27a 100644
manage_files_pattern(numad_t, numad_var_run_t, numad_var_run_t) manage_files_pattern(numad_t, numad_var_run_t, numad_var_run_t)
files_pid_filetrans(numad_t, numad_var_run_t, file) files_pid_filetrans(numad_t, numad_var_run_t, file)
@@ -39,6 +39,13 @@ kernel_read_system_state(numad_t)
dev_read_sysfs(numad_t) kernel_read_system_state(numad_t)
-files_read_etc_files(numad_t) -dev_read_sysfs(numad_t)
+dev_rw_sysfs(numad_t)
+
+domain_use_interactive_fds(numad_t) +domain_use_interactive_fds(numad_t)
+domain_read_all_domains_state(numad_t) +domain_read_all_domains_state(numad_t)
+domain_setpriority_all_domains(numad_t) +domain_setpriority_all_domains(numad_t)
+
-files_read_etc_files(numad_t)
+fs_manage_cgroup_dirs(numad_t) +fs_manage_cgroup_dirs(numad_t)
+fs_rw_cgroup_files(numad_t) +fs_rw_cgroup_files(numad_t)
@ -77725,7 +77740,7 @@ index 6dbc905..4b17c93 100644
- admin_pattern($1, rhsmcertd_lock_t) - admin_pattern($1, rhsmcertd_lock_t)
') ')
diff --git a/rhsmcertd.te b/rhsmcertd.te diff --git a/rhsmcertd.te b/rhsmcertd.te
index d32e1a2..c4cf8a7 100644 index d32e1a2..c820b6f 100644
--- a/rhsmcertd.te --- a/rhsmcertd.te
+++ b/rhsmcertd.te +++ b/rhsmcertd.te
@@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t) @@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t)
@ -77746,16 +77761,17 @@ index d32e1a2..c4cf8a7 100644
manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t) manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t)
files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file) files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file)
@@ -50,25 +49,48 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) @@ -50,25 +49,49 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
kernel_read_network_state(rhsmcertd_t) kernel_read_network_state(rhsmcertd_t)
+kernel_read_sysctl(rhsmcertd_t) +kernel_read_sysctl(rhsmcertd_t)
kernel_read_system_state(rhsmcertd_t) kernel_read_system_state(rhsmcertd_t)
+kernel_read_sysctl(rhsmcertd_t)
+
+corenet_tcp_connect_http_port(rhsmcertd_t) +corenet_tcp_connect_http_port(rhsmcertd_t)
+corenet_tcp_connect_squid_port(rhsmcertd_t) +corenet_tcp_connect_squid_port(rhsmcertd_t)
+
corecmd_exec_bin(rhsmcertd_t) corecmd_exec_bin(rhsmcertd_t)
+corecmd_exec_shell(rhsmcertd_t) +corecmd_exec_shell(rhsmcertd_t)

View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.13.1 Version: 3.13.1
Release: 30%{?dist} Release: 31%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -580,6 +580,17 @@ SELinux Reference policy mls base module.
%endif %endif
%changelog %changelog
* Mon Mar 10 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-32
- Allow numad to write scan_sleep_millisecs
- Turn on entropyd_use_audio boolean by default
- Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf.
- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
- Allow numad to write scan_sleep_millisecs
- Turn on entropyd_use_audio boolean by default
- Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf.
- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
- Fix label on irclogs in the homedir
* Fri Mar 7 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-31 * Fri Mar 7 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-31
- Modify xdm_write_home to allow create files/links in /root with xdm_home_t - Modify xdm_write_home to allow create files/links in /root with xdm_home_t
- Add more fixes for https://fedoraproject.org/wiki/Changes/XorgWithoutRootRights - Add more fixes for https://fedoraproject.org/wiki/Changes/XorgWithoutRootRights