- virsh now does a setexeccon call
- Additional rules required by openshift domains - Allow svirt_lxc_domains to use inherited terminals, needed to make virt-sandbox-serv - Allow spamd_update_t to search spamc_home_t - Avcs discovered by mounting an isci device under /mnt - Allow lspci running as logrotate to read pci.ids - Additional fix for networkmanager_read_pid_files() - Fix networkmanager_read_pid_files() interface - Allow all svirt domains to connect to svirt_socket_t - Allow virsh to set SELinux context for a process. - Allow tuned to create netlink_kobject_uevent_socket - Allow systemd-timestamp to set SELinux context - Add support for /var/lib/systemd/linger - Fix ssh_sysadm_login to be working on MLS as expected
This commit is contained in:
Miroslav Grepl
parent
79355670f4
commit
2599f2f590
|
|
@ -220921,7 +220921,7 @@ index fe0c682..da12170 100644
|
|||
+ allow $1 sshd_devpts_t:chr_file rw_inherited_chr_file_perms;
|
||||
+')
|
||||
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
|
||||
index 5fc0391..94900fb 100644
|
||||
index 5fc0391..386c48c 100644
|
||||
--- a/policy/modules/services/ssh.te
|
||||
+++ b/policy/modules/services/ssh.te
|
||||
@@ -6,44 +6,51 @@ policy_module(ssh, 2.3.3)
|
||||
|
|
@ -221187,7 +221187,6 @@ index 5fc0391..94900fb 100644
|
|||
+userdom_spec_domtrans_unpriv_users(sshd_t)
|
||||
+userdom_signal_unpriv_users(sshd_t)
|
||||
+userdom_dyntransition_unpriv_users(sshd_t)
|
||||
+userdom_dyntransition_admin_users(sshd_t)
|
||||
+
|
||||
tunable_policy(`ssh_sysadm_login',`
|
||||
# Relabel and access ptys created by sshd
|
||||
|
|
@ -221200,6 +221199,7 @@ index 5fc0391..94900fb 100644
|
|||
- userdom_spec_domtrans_unpriv_users(sshd_t)
|
||||
- userdom_signal_unpriv_users(sshd_t)
|
||||
+ userdom_spec_domtrans_all_users(sshd_t)
|
||||
+ userdom_dyntransition_admin_users(sshd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
|
|
@ -226158,7 +226158,7 @@ index bb5c4a6..7ebb938 100644
|
|||
')
|
||||
|
||||
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
|
||||
index 9a4d3a7..b7b205c 100644
|
||||
index 9a4d3a7..9d960bb 100644
|
||||
--- a/policy/modules/system/init.fc
|
||||
+++ b/policy/modules/system/init.fc
|
||||
@@ -1,6 +1,9 @@
|
||||
|
|
@ -226183,7 +226183,7 @@ index 9a4d3a7..b7b205c 100644
|
|||
/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
|
||||
# because nowadays, /sbin/init is often a symlink to /sbin/upstart
|
||||
/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
|
||||
@@ -42,11 +50,23 @@ ifdef(`distro_gentoo', `
|
||||
@@ -42,19 +50,33 @@ ifdef(`distro_gentoo', `
|
||||
#
|
||||
/usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
|
||||
|
||||
|
|
@ -226207,7 +226207,9 @@ index 9a4d3a7..b7b205c 100644
|
|||
|
||||
#
|
||||
# /var
|
||||
@@ -55,6 +75,7 @@ ifdef(`distro_gentoo', `
|
||||
#
|
||||
+/var/lib/systemd(/.*)? gen_context(system_u:object_r:init_var_lib_t,s0)
|
||||
/var/run/utmp -- gen_context(system_u:object_r:initrc_var_run_t,s0)
|
||||
/var/run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0)
|
||||
/var/run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0)
|
||||
/var/run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0)
|
||||
|
|
@ -226215,13 +226217,13 @@ index 9a4d3a7..b7b205c 100644
|
|||
|
||||
ifdef(`distro_debian',`
|
||||
/var/run/hotkey-setup -- gen_context(system_u:object_r:initrc_var_run_t,s0)
|
||||
@@ -73,3 +94,4 @@ ifdef(`distro_suse', `
|
||||
@@ -73,3 +95,4 @@ ifdef(`distro_suse', `
|
||||
/var/run/setleds-on -- gen_context(system_u:object_r:initrc_var_run_t,s0)
|
||||
/var/run/sysconfig(/.*)? gen_context(system_u:object_r:initrc_var_run_t,s0)
|
||||
')
|
||||
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
|
||||
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
|
||||
index 24e7804..386109d 100644
|
||||
index 24e7804..c0ec978 100644
|
||||
--- a/policy/modules/system/init.if
|
||||
+++ b/policy/modules/system/init.if
|
||||
@@ -106,6 +106,8 @@ interface(`init_domain',`
|
||||
|
|
@ -226458,7 +226460,7 @@ index 24e7804..386109d 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -566,6 +622,24 @@ interface(`init_sigchld',`
|
||||
@@ -566,6 +622,58 @@ interface(`init_sigchld',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -226479,11 +226481,45 @@ index 24e7804..386109d 100644
|
|||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Create objects in the init_var_lib_t directories
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="file_type">
|
||||
+## <summary>
|
||||
+## The type of the object to be created
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="object_class">
|
||||
+## <summary>
|
||||
+## The object class.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="name" optional="true">
|
||||
+## <summary>
|
||||
+## The name of the object being created.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`init_var_lib_filetrans',`
|
||||
+ gen_require(`
|
||||
+ type init_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_var_lib($1)
|
||||
+ filetrans_pattern($1, init_var_lib_t, $2, $3, $4)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Connect to init with a unix socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -576,10 +650,66 @@ interface(`init_sigchld',`
|
||||
@@ -576,10 +684,66 @@ interface(`init_sigchld',`
|
||||
#
|
||||
interface(`init_stream_connect',`
|
||||
gen_require(`
|
||||
|
|
@ -226552,7 +226588,7 @@ index 24e7804..386109d 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -743,22 +873,23 @@ interface(`init_write_initctl',`
|
||||
@@ -743,22 +907,23 @@ interface(`init_write_initctl',`
|
||||
interface(`init_telinit',`
|
||||
gen_require(`
|
||||
type initctl_t;
|
||||
|
|
@ -226585,7 +226621,7 @@ index 24e7804..386109d 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -787,7 +918,7 @@ interface(`init_rw_initctl',`
|
||||
@@ -787,7 +952,7 @@ interface(`init_rw_initctl',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
|
|
@ -226594,7 +226630,7 @@ index 24e7804..386109d 100644
|
|||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@@ -830,11 +961,12 @@ interface(`init_script_file_entry_type',`
|
||||
@@ -830,11 +995,12 @@ interface(`init_script_file_entry_type',`
|
||||
#
|
||||
interface(`init_spec_domtrans_script',`
|
||||
gen_require(`
|
||||
|
|
@ -226609,7 +226645,7 @@ index 24e7804..386109d 100644
|
|||
|
||||
ifdef(`distro_gentoo',`
|
||||
gen_require(`
|
||||
@@ -845,11 +977,11 @@ interface(`init_spec_domtrans_script',`
|
||||
@@ -845,11 +1011,11 @@ interface(`init_spec_domtrans_script',`
|
||||
')
|
||||
|
||||
ifdef(`enable_mcs',`
|
||||
|
|
@ -226623,7 +226659,7 @@ index 24e7804..386109d 100644
|
|||
')
|
||||
')
|
||||
|
||||
@@ -865,19 +997,41 @@ interface(`init_spec_domtrans_script',`
|
||||
@@ -865,19 +1031,41 @@ interface(`init_spec_domtrans_script',`
|
||||
#
|
||||
interface(`init_domtrans_script',`
|
||||
gen_require(`
|
||||
|
|
@ -226669,7 +226705,7 @@ index 24e7804..386109d 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -933,9 +1087,14 @@ interface(`init_script_file_domtrans',`
|
||||
@@ -933,9 +1121,14 @@ interface(`init_script_file_domtrans',`
|
||||
interface(`init_labeled_script_domtrans',`
|
||||
gen_require(`
|
||||
type initrc_t;
|
||||
|
|
@ -226684,7 +226720,7 @@ index 24e7804..386109d 100644
|
|||
files_search_etc($1)
|
||||
')
|
||||
|
||||
@@ -1026,7 +1185,9 @@ interface(`init_ptrace',`
|
||||
@@ -1026,7 +1219,9 @@ interface(`init_ptrace',`
|
||||
type init_t;
|
||||
')
|
||||
|
||||
|
|
@ -226695,7 +226731,7 @@ index 24e7804..386109d 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1125,6 +1286,25 @@ interface(`init_getattr_all_script_files',`
|
||||
@@ -1125,6 +1320,25 @@ interface(`init_getattr_all_script_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -226721,7 +226757,7 @@ index 24e7804..386109d 100644
|
|||
## Read all init script files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1144,6 +1324,24 @@ interface(`init_read_all_script_files',`
|
||||
@@ -1144,6 +1358,24 @@ interface(`init_read_all_script_files',`
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
|
|
@ -226746,7 +226782,7 @@ index 24e7804..386109d 100644
|
|||
## Dontaudit read all init script files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1195,12 +1393,7 @@ interface(`init_read_script_state',`
|
||||
@@ -1195,12 +1427,7 @@ interface(`init_read_script_state',`
|
||||
')
|
||||
|
||||
kernel_search_proc($1)
|
||||
|
|
@ -226760,7 +226796,7 @@ index 24e7804..386109d 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1440,6 +1633,27 @@ interface(`init_dbus_send_script',`
|
||||
@@ -1440,6 +1667,27 @@ interface(`init_dbus_send_script',`
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive messages from
|
||||
|
|
@ -226788,7 +226824,7 @@ index 24e7804..386109d 100644
|
|||
## init scripts over dbus.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1526,6 +1740,25 @@ interface(`init_getattr_script_status_files',`
|
||||
@@ -1526,6 +1774,25 @@ interface(`init_getattr_script_status_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -226814,7 +226850,7 @@ index 24e7804..386109d 100644
|
|||
## Do not audit attempts to read init script
|
||||
## status files.
|
||||
## </summary>
|
||||
@@ -1584,6 +1817,24 @@ interface(`init_rw_script_tmp_files',`
|
||||
@@ -1584,6 +1851,24 @@ interface(`init_rw_script_tmp_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -226839,14 +226875,16 @@ index 24e7804..386109d 100644
|
|||
## Create files in a init script
|
||||
## temporary data directory.
|
||||
## </summary>
|
||||
@@ -1656,6 +1907,43 @@ interface(`init_read_utmp',`
|
||||
@@ -1656,11 +1941,48 @@ interface(`init_read_utmp',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Do not audit attempts to write utmp.
|
||||
+## Read utmp.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
-## Domain to not audit.
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
|
|
@ -226880,10 +226918,15 @@ index 24e7804..386109d 100644
|
|||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Do not audit attempts to write utmp.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1744,7 +2032,7 @@ interface(`init_dontaudit_rw_utmp',`
|
||||
+## Do not audit attempts to write utmp.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@@ -1744,7 +2066,7 @@ interface(`init_dontaudit_rw_utmp',`
|
||||
type initrc_var_run_t;
|
||||
')
|
||||
|
||||
|
|
@ -226892,11 +226935,10 @@ index 24e7804..386109d 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1785,7 +2073,134 @@ interface(`init_pid_filetrans_utmp',`
|
||||
@@ -1785,6 +2107,133 @@ interface(`init_pid_filetrans_utmp',`
|
||||
files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
|
||||
')
|
||||
|
||||
-########################################
|
||||
+######################################
|
||||
+## <summary>
|
||||
+## Allow search directory in the /run/systemd directory.
|
||||
|
|
@ -227024,11 +227066,10 @@ index 24e7804..386109d 100644
|
|||
+ filetrans_pattern($1, init_var_run_t, $2, $3, $4)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to connect to daemon with a tcp socket
|
||||
## </summary>
|
||||
@@ -1819,3 +2234,283 @@ interface(`init_udp_recvfrom_all_daemons',`
|
||||
@@ -1819,3 +2268,283 @@ interface(`init_udp_recvfrom_all_daemons',`
|
||||
')
|
||||
corenet_udp_recvfrom_labeled($1, daemon)
|
||||
')
|
||||
|
|
@ -227313,7 +227354,7 @@ index 24e7804..386109d 100644
|
|||
+ allow $1 init_t:system undefined;
|
||||
+')
|
||||
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
||||
index dd3be8d..b8592b4 100644
|
||||
index dd3be8d..4d9b509 100644
|
||||
--- a/policy/modules/system/init.te
|
||||
+++ b/policy/modules/system/init.te
|
||||
@@ -11,10 +11,24 @@ gen_require(`
|
||||
|
|
@ -227380,10 +227421,10 @@ index dd3be8d..b8592b4 100644
|
|||
files_pid_file(init_var_run_t)
|
||||
|
||||
#
|
||||
+# init_var_lib_t is the type for /var/lib/random-seed
|
||||
+# init_var_lib_t is the type for /var/lib/systemd
|
||||
+#
|
||||
+type init_var_lib_t;
|
||||
+files_pid_file(init_var_lib_t)
|
||||
+files_type(init_var_lib_t)
|
||||
+
|
||||
+type machineid_t;
|
||||
+files_config_file(machineid_t)
|
||||
|
|
@ -234737,10 +234778,10 @@ index b7686d5..9a50b11 100644
|
|||
+')
|
||||
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
|
||||
new file mode 100644
|
||||
index 0000000..4221a94
|
||||
index 0000000..595f756
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/system/systemd.fc
|
||||
@@ -0,0 +1,38 @@
|
||||
@@ -0,0 +1,39 @@
|
||||
+/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
|
||||
+/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
|
||||
+/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
|
||||
|
|
@ -234768,6 +234809,7 @@ index 0000000..4221a94
|
|||
+/usr/lib/systemd/systemd-logger -- gen_context(system_u:object_r:systemd_logger_exec_t,s0)
|
||||
+/usr/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
|
||||
+
|
||||
+/var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,mls_systemhigh)
|
||||
+/var/lib/random-seed gen_context(system_u:object_r:random_seed_t,mls_systemhigh)
|
||||
+/usr/var/lib/random-seed gen_context(system_u:object_r:random_seed_t,mls_systemhigh)
|
||||
+
|
||||
|
|
@ -235828,10 +235870,10 @@ index 0000000..a4b0917
|
|||
+
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
new file mode 100644
|
||||
index 0000000..1131866
|
||||
index 0000000..c0a85ab
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -0,0 +1,616 @@
|
||||
@@ -0,0 +1,624 @@
|
||||
+policy_module(systemd, 1.0.0)
|
||||
+
|
||||
+#######################################
|
||||
|
|
@ -235855,6 +235897,9 @@ index 0000000..1131866
|
|||
+type systemd_logind_sessions_t;
|
||||
+files_pid_file(systemd_logind_sessions_t)
|
||||
+
|
||||
+type systemd_logind_var_lib_t;
|
||||
+files_type(systemd_logind_var_lib_t)
|
||||
+
|
||||
+# /run/systemd/{seats, users}
|
||||
+type systemd_logind_var_run_t;
|
||||
+files_pid_file(systemd_logind_var_run_t)
|
||||
|
|
@ -235918,13 +235963,17 @@ index 0000000..1131866
|
|||
+
|
||||
+# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER)
|
||||
+allow systemd_logind_t self:capability { chown kill dac_override fowner sys_tty_config };
|
||||
+allow systemd_logind_t self:process getcap;
|
||||
+allow systemd_logind_t self:process { getcap };
|
||||
+allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
+allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
|
||||
+
|
||||
+mls_file_read_all_levels(systemd_logind_t)
|
||||
+mls_file_write_all_levels(systemd_logind_t)
|
||||
+
|
||||
+manage_dirs_pattern(systemd_logind_t, systemd_logind_var_lib_t, systemd_logind_var_lib_t)
|
||||
+manage_files_pattern(systemd_logind_t, systemd_logind_var_lib_t, systemd_logind_var_lib_t)
|
||||
+init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir, "linger")
|
||||
+
|
||||
+manage_dirs_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_sessions_t systemd_logind_var_run_t })
|
||||
+manage_files_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_var_run_t systemd_logind_sessions_t })
|
||||
+manage_fifo_files_pattern(systemd_logind_t, systemd_logind_sessions_t, { systemd_logind_sessions_t systemd_logind_var_run_t })
|
||||
|
|
@ -236002,7 +236051,6 @@ index 0000000..1131866
|
|||
+logging_send_syslog_msg(systemd_logind_t)
|
||||
+logging_stream_connect_syslog(systemd_logind_t)
|
||||
+
|
||||
+
|
||||
+udev_read_db(systemd_logind_t)
|
||||
+udev_manage_rules_files(systemd_logind_t)
|
||||
+
|
||||
|
|
@ -236350,7 +236398,7 @@ index 0000000..1131866
|
|||
+# Timedated policy
|
||||
+#
|
||||
+allow systemd_timedated_t self:capability { sys_nice sys_time dac_override };
|
||||
+allow systemd_timedated_t self:process { getattr getsched signal };
|
||||
+allow systemd_timedated_t self:process { getattr getsched signal setfscreate };
|
||||
+allow systemd_timedated_t self:fifo_file rw_fifo_file_perms;
|
||||
+allow systemd_timedated_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+allow systemd_timedated_t self:unix_dgram_socket create_socket_perms;
|
||||
|
|
@ -236383,6 +236431,8 @@ index 0000000..1131866
|
|||
+miscfiles_manage_localization(systemd_timedated_t)
|
||||
+miscfiles_etc_filetrans_localization(systemd_timedated_t)
|
||||
+
|
||||
+seutil_read_file_contexts(systemd_timedated_t)
|
||||
+
|
||||
+userdom_read_all_users_state(systemd_timedated_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
|
|
|
|||
|
|
@ -25955,7 +25955,7 @@ index d03fd43..f73c152 100644
|
|||
+ type_transition $1 gkeyringd_exec_t:process $2;
|
||||
')
|
||||
diff --git a/gnome.te b/gnome.te
|
||||
index 20f726b..ac1375b 100644
|
||||
index 20f726b..eb0d80a 100644
|
||||
--- a/gnome.te
|
||||
+++ b/gnome.te
|
||||
@@ -1,18 +1,36 @@
|
||||
|
|
@ -25999,7 +25999,7 @@ index 20f726b..ac1375b 100644
|
|||
typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
|
||||
typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
|
||||
typealias gconf_home_t alias unconfined_gconf_home_t;
|
||||
@@ -29,107 +47,227 @@ type gconfd_exec_t;
|
||||
@@ -29,107 +47,228 @@ type gconfd_exec_t;
|
||||
typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
|
||||
typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
|
||||
userdom_user_application_domain(gconfd_t, gconfd_exec_t)
|
||||
|
|
@ -26210,6 +26210,7 @@ index 20f726b..ac1375b 100644
|
|||
|
||||
-allow gkeyringd_domain gnome_home_t:dir create_dir_perms;
|
||||
-gnome_home_filetrans_gnome_home(gkeyringd_domain, dir, ".gnome2")
|
||||
+allow gkeyringd_domain config_home_t:dir add_entry_dir_perms;
|
||||
+allow gkeyringd_domain config_home_t:file write;
|
||||
|
||||
-manage_dirs_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t)
|
||||
|
|
@ -32457,7 +32458,7 @@ index dd8e01a..9cd6b0b 100644
|
|||
## <param name="domain">
|
||||
## <summary>
|
||||
diff --git a/logrotate.te b/logrotate.te
|
||||
index 7bab8e5..5c6ac99 100644
|
||||
index 7bab8e5..3124cab 100644
|
||||
--- a/logrotate.te
|
||||
+++ b/logrotate.te
|
||||
@@ -1,20 +1,18 @@
|
||||
|
|
@ -32519,7 +32520,7 @@ index 7bab8e5..5c6ac99 100644
|
|||
allow logrotate_t self:shm create_shm_perms;
|
||||
allow logrotate_t self:sem create_sem_perms;
|
||||
allow logrotate_t self:msgq create_msgq_perms;
|
||||
@@ -48,79 +52,91 @@ allow logrotate_t self:msg { send receive };
|
||||
@@ -48,79 +52,93 @@ allow logrotate_t self:msg { send receive };
|
||||
allow logrotate_t logrotate_lock_t:file manage_file_perms;
|
||||
files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
|
||||
|
||||
|
|
@ -32606,8 +32607,6 @@ index 7bab8e5..5c6ac99 100644
|
|||
logging_exec_all_logs(logrotate_t)
|
||||
|
||||
-miscfiles_read_localization(logrotate_t)
|
||||
-
|
||||
-seutil_dontaudit_read_config(logrotate_t)
|
||||
+systemd_exec_systemctl(logrotate_t)
|
||||
+systemd_getattr_unit_files(logrotate_t)
|
||||
+systemd_start_all_unit_files(logrotate_t)
|
||||
|
|
@ -32615,6 +32614,9 @@ index 7bab8e5..5c6ac99 100644
|
|||
+systemd_status_all_unit_files(logrotate_t)
|
||||
+init_stream_connect(logrotate_t)
|
||||
|
||||
-seutil_dontaudit_read_config(logrotate_t)
|
||||
+miscfiles_read_hwdata(logrotate_t)
|
||||
|
||||
-userdom_use_user_terminals(logrotate_t)
|
||||
+userdom_use_inherited_user_terminals(logrotate_t)
|
||||
userdom_list_user_home_dirs(logrotate_t)
|
||||
|
|
@ -32639,7 +32641,7 @@ index 7bab8e5..5c6ac99 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -140,11 +156,11 @@ optional_policy(`
|
||||
@@ -140,11 +158,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -32653,7 +32655,7 @@ index 7bab8e5..5c6ac99 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -178,7 +194,7 @@ optional_policy(`
|
||||
@@ -178,7 +196,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -32662,7 +32664,7 @@ index 7bab8e5..5c6ac99 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -198,21 +214,22 @@ optional_policy(`
|
||||
@@ -198,21 +216,22 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -32689,7 +32691,7 @@ index 7bab8e5..5c6ac99 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -228,10 +245,20 @@ optional_policy(`
|
||||
@@ -228,10 +247,20 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -32710,7 +32712,7 @@ index 7bab8e5..5c6ac99 100644
|
|||
su_exec(logrotate_t)
|
||||
')
|
||||
|
||||
@@ -241,13 +268,11 @@ optional_policy(`
|
||||
@@ -241,13 +270,11 @@ optional_policy(`
|
||||
|
||||
#######################################
|
||||
#
|
||||
|
|
@ -41731,7 +41733,7 @@ index a1fb3c3..8fe1d63 100644
|
|||
+/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||
diff --git a/networkmanager.if b/networkmanager.if
|
||||
index 0e8508c..96dbf6f 100644
|
||||
index 0e8508c..163b870 100644
|
||||
--- a/networkmanager.if
|
||||
+++ b/networkmanager.if
|
||||
@@ -2,7 +2,7 @@
|
||||
|
|
@ -41936,7 +41938,13 @@ index 0e8508c..96dbf6f 100644
|
|||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -212,12 +258,12 @@ interface(`networkmanager_read_pid_files',`
|
||||
@@ -207,17 +253,17 @@ interface(`networkmanager_read_pid_files',`
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
- allow $1 NetworkManager_var_run_t:file read_file_perms;
|
||||
+ read_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -47641,10 +47649,10 @@ index 0000000..1a26cd5
|
|||
+')
|
||||
diff --git a/openshift.te b/openshift.te
|
||||
new file mode 100644
|
||||
index 0000000..b89f7fc
|
||||
index 0000000..30757e2
|
||||
--- /dev/null
|
||||
+++ b/openshift.te
|
||||
@@ -0,0 +1,463 @@
|
||||
@@ -0,0 +1,467 @@
|
||||
+policy_module(openshift,1.0.0)
|
||||
+
|
||||
+gen_require(`
|
||||
|
|
@ -47955,6 +47963,10 @@ index 0000000..b89f7fc
|
|||
+ ssh_dontaudit_search_user_home_dir(openshift_domain)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ udev_read_pid_files(openshift_domain)
|
||||
+')
|
||||
+
|
||||
+#######################################################
|
||||
+#
|
||||
+# Policy for openshift user domain process
|
||||
|
|
@ -48035,7 +48047,7 @@ index 0000000..b89f7fc
|
|||
+fs_read_cgroup_files(openshift_cgroup_read_t)
|
||||
+
|
||||
+allow openshift_cgroup_read_t openshift_var_lib_t:dir list_dir_perms;
|
||||
+read_files_pattern(openshift_cgroup_read_t, openshift_var_lib_t, openshift_var_lib_t)
|
||||
+manage_files_pattern(openshift_cgroup_read_t, openshift_var_lib_t, openshift_var_lib_t)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
|
|
@ -49384,29 +49396,36 @@ index dfd46e4..9515043 100644
|
|||
|
||||
/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
|
||||
diff --git a/pegasus.if b/pegasus.if
|
||||
index d2fc677..920b13f 100644
|
||||
index d2fc677..22b745a 100644
|
||||
--- a/pegasus.if
|
||||
+++ b/pegasus.if
|
||||
@@ -1,52 +1 @@
|
||||
@@ -1,52 +1,37 @@
|
||||
## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
|
||||
-
|
||||
|
||||
-########################################
|
||||
-## <summary>
|
||||
+######################################
|
||||
## <summary>
|
||||
-## All of the rules required to
|
||||
-## administrate an pegasus environment.
|
||||
-## </summary>
|
||||
+## Creates types and rules for a basic
|
||||
+## openlmi init daemon domain.
|
||||
## </summary>
|
||||
-## <param name="domain">
|
||||
-## <summary>
|
||||
-## Domain allowed access.
|
||||
-## </summary>
|
||||
-## </param>
|
||||
+## <param name="prefix">
|
||||
+## <summary>
|
||||
+## Prefix for the domain.
|
||||
+## </summary>
|
||||
## </param>
|
||||
-## <param name="role">
|
||||
-## <summary>
|
||||
-## Role allowed access.
|
||||
-## </summary>
|
||||
-## </param>
|
||||
-## <rolecap/>
|
||||
-#
|
||||
#
|
||||
-interface(`pegasus_admin',`
|
||||
- gen_require(`
|
||||
- type pegasus_t, pegasus_initrc_exec_t, pegasus_tmp_t;
|
||||
|
|
@ -49439,18 +49458,46 @@ index d2fc677..920b13f 100644
|
|||
-
|
||||
- files_search_pids($1)
|
||||
- admin_pattern($1, pegasus_var_run_t)
|
||||
-')
|
||||
+template(`pegasus_openlmi_domain_template',`
|
||||
+ gen_require(`
|
||||
+ attribute pegasus_openlmi_domain;
|
||||
+ ')
|
||||
+
|
||||
+ ##############################
|
||||
+ #
|
||||
+ # Declarations
|
||||
+ #
|
||||
+
|
||||
+ type pegasus_openlmi_$1_t, pegasus_openlmi_domain;
|
||||
+ type $1_exec_t;
|
||||
+ init_daemon_domain(pegasus_openlmi_$1_t, pegasus_openlmi_$1_exec_t)
|
||||
+
|
||||
+ ##############################
|
||||
+ #
|
||||
+ # Local policy
|
||||
+ #
|
||||
+
|
||||
+ domtrans_pattern(pegasus_t, pegasus_openlmi_$1_exec_t, pegasus_openlmi_$1_t)
|
||||
+
|
||||
+ kernel_read_system_state(pegasus_openlmi_$1_t)
|
||||
+ logging_send_syslog_msg(pegasus_openlmi_$1_t)
|
||||
')
|
||||
diff --git a/pegasus.te b/pegasus.te
|
||||
index 7bcf327..e440d35 100644
|
||||
index 7bcf327..0ff4cb5 100644
|
||||
--- a/pegasus.te
|
||||
+++ b/pegasus.te
|
||||
@@ -1,4 +1,4 @@
|
||||
@@ -1,17 +1,16 @@
|
||||
-policy_module(pegasus, 1.8.3)
|
||||
+policy_module(pegasus, 1.8.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -9,9 +9,6 @@ type pegasus_t;
|
||||
# Declarations
|
||||
#
|
||||
|
||||
+attribute pegasus_openlmi_domain;
|
||||
+
|
||||
type pegasus_t;
|
||||
type pegasus_exec_t;
|
||||
init_daemon_domain(pegasus_t, pegasus_exec_t)
|
||||
|
||||
|
|
@ -49460,7 +49507,29 @@ index 7bcf327..e440d35 100644
|
|||
type pegasus_cache_t;
|
||||
files_type(pegasus_cache_t)
|
||||
|
||||
@@ -39,11 +36,12 @@ allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac
|
||||
@@ -30,20 +29,33 @@ files_type(pegasus_mof_t)
|
||||
type pegasus_var_run_t;
|
||||
files_pid_file(pegasus_var_run_t)
|
||||
|
||||
+# pegasus openlmi providers
|
||||
+#pegasus_openlmi_domain_template(account)
|
||||
+
|
||||
+#######################################
|
||||
+#
|
||||
+# pegasus openlmi providers local policy
|
||||
+#
|
||||
+
|
||||
+corecmd_exec_bin(pegasus_openlmi_domain)
|
||||
+
|
||||
+sysnet_read_config(pegasus_openlmi_domain)
|
||||
+
|
||||
########################################
|
||||
#
|
||||
-# Local policy
|
||||
+# pegasus local policy
|
||||
#
|
||||
|
||||
allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service };
|
||||
dontaudit pegasus_t self:capability sys_tty_config;
|
||||
allow pegasus_t self:process signal;
|
||||
allow pegasus_t self:fifo_file rw_fifo_file_perms;
|
||||
|
|
@ -49476,7 +49545,7 @@ index 7bcf327..e440d35 100644
|
|||
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
|
||||
@@ -54,22 +52,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
|
||||
@@ -54,22 +66,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
|
||||
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
||||
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
||||
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
||||
|
|
@ -49507,7 +49576,7 @@ index 7bcf327..e440d35 100644
|
|||
|
||||
kernel_read_network_state(pegasus_t)
|
||||
kernel_read_kernel_sysctls(pegasus_t)
|
||||
@@ -80,27 +78,21 @@ kernel_read_net_sysctls(pegasus_t)
|
||||
@@ -80,27 +92,21 @@ kernel_read_net_sysctls(pegasus_t)
|
||||
kernel_read_xen_state(pegasus_t)
|
||||
kernel_write_xen_state(pegasus_t)
|
||||
|
||||
|
|
@ -49540,7 +49609,7 @@ index 7bcf327..e440d35 100644
|
|||
|
||||
corecmd_exec_bin(pegasus_t)
|
||||
corecmd_exec_shell(pegasus_t)
|
||||
@@ -114,6 +106,7 @@ files_getattr_all_dirs(pegasus_t)
|
||||
@@ -114,6 +120,7 @@ files_getattr_all_dirs(pegasus_t)
|
||||
|
||||
auth_use_nsswitch(pegasus_t)
|
||||
auth_domtrans_chk_passwd(pegasus_t)
|
||||
|
|
@ -49548,7 +49617,7 @@ index 7bcf327..e440d35 100644
|
|||
|
||||
domain_use_interactive_fds(pegasus_t)
|
||||
domain_read_all_domains_state(pegasus_t)
|
||||
@@ -128,18 +121,23 @@ init_stream_connect_script(pegasus_t)
|
||||
@@ -128,18 +135,23 @@ init_stream_connect_script(pegasus_t)
|
||||
logging_send_audit_msgs(pegasus_t)
|
||||
logging_send_syslog_msg(pegasus_t)
|
||||
|
||||
|
|
@ -49578,7 +49647,7 @@ index 7bcf327..e440d35 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -151,16 +149,15 @@ optional_policy(`
|
||||
@@ -151,16 +163,15 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -49598,7 +49667,7 @@ index 7bcf327..e440d35 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -168,7 +165,7 @@ optional_policy(`
|
||||
@@ -168,7 +179,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -75467,7 +75536,7 @@ index 1499b0b..82fc7f6 100644
|
|||
- spamassassin_role($2, $1)
|
||||
')
|
||||
diff --git a/spamassassin.te b/spamassassin.te
|
||||
index 4faa7e0..9e4d192 100644
|
||||
index 4faa7e0..3a3ac18 100644
|
||||
--- a/spamassassin.te
|
||||
+++ b/spamassassin.te
|
||||
@@ -1,4 +1,4 @@
|
||||
|
|
@ -75955,17 +76024,17 @@ index 4faa7e0..9e4d192 100644
|
|||
allow spamd_t self:unix_dgram_socket sendto;
|
||||
-allow spamd_t self:unix_stream_socket { accept connectto listen };
|
||||
-allow spamd_t self:tcp_socket { accept listen };
|
||||
+allow spamd_t self:unix_stream_socket connectto;
|
||||
+allow spamd_t self:tcp_socket create_stream_socket_perms;
|
||||
+allow spamd_t self:udp_socket create_socket_perms;
|
||||
|
||||
-
|
||||
-manage_dirs_pattern(spamd_t, spamd_home_t, spamd_home_t)
|
||||
-manage_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
|
||||
-manage_lnk_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
|
||||
-manage_fifo_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
|
||||
-manage_sock_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
|
||||
-userdom_user_home_dir_filetrans(spamd_t, spamd_home_t, dir, ".spamd")
|
||||
-
|
||||
+allow spamd_t self:unix_stream_socket connectto;
|
||||
+allow spamd_t self:tcp_socket create_stream_socket_perms;
|
||||
+allow spamd_t self:udp_socket create_socket_perms;
|
||||
|
||||
-manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
|
||||
-manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
|
||||
-manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
|
||||
|
|
@ -76170,7 +76239,7 @@ index 4faa7e0..9e4d192 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -474,32 +552,30 @@ optional_policy(`
|
||||
@@ -474,32 +552,32 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -76202,16 +76271,18 @@ index 4faa7e0..9e4d192 100644
|
|||
-corenet_tcp_sendrecv_generic_if(spamd_update_t)
|
||||
-corenet_tcp_sendrecv_generic_node(spamd_update_t)
|
||||
-corenet_tcp_sendrecv_all_ports(spamd_update_t)
|
||||
+kernel_read_system_state(spamd_update_t)
|
||||
+allow spamd_update_t spamc_home_t:dir search_dir_perms;
|
||||
|
||||
-corenet_sendrecv_http_client_packets(spamd_update_t)
|
||||
+kernel_read_system_state(spamd_update_t)
|
||||
+
|
||||
+# for updating rules
|
||||
corenet_tcp_connect_http_port(spamd_update_t)
|
||||
-corenet_tcp_sendrecv_http_port(spamd_update_t)
|
||||
|
||||
corecmd_exec_bin(spamd_update_t)
|
||||
corecmd_exec_shell(spamd_update_t)
|
||||
@@ -508,25 +584,21 @@ dev_read_urand(spamd_update_t)
|
||||
@@ -508,25 +586,21 @@ dev_read_urand(spamd_update_t)
|
||||
|
||||
domain_use_interactive_fds(spamd_update_t)
|
||||
|
||||
|
|
@ -79437,9 +79508,18 @@ index 38389e6..4847b43 100644
|
|||
+/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0)
|
||||
+/var/run/tgtd.* -s gen_context(system_u:object_r:tgtd_var_run_t,s0)
|
||||
diff --git a/tgtd.te b/tgtd.te
|
||||
index c93c973..0eff459 100644
|
||||
index c93c973..08aef1e 100644
|
||||
--- a/tgtd.te
|
||||
+++ b/tgtd.te
|
||||
@@ -29,7 +29,7 @@ files_pid_file(tgtd_var_run_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
-allow tgtd_t self:capability sys_resource;
|
||||
+allow tgtd_t self:capability { dac_override sys_resource };
|
||||
allow tgtd_t self:capability2 block_suspend;
|
||||
allow tgtd_t self:process { setrlimit signal };
|
||||
allow tgtd_t self:fifo_file rw_fifo_file_perms;
|
||||
@@ -58,7 +58,6 @@ kernel_read_system_state(tgtd_t)
|
||||
kernel_read_fs_sysctls(tgtd_t)
|
||||
|
||||
|
|
@ -79448,15 +79528,16 @@ index c93c973..0eff459 100644
|
|||
corenet_tcp_sendrecv_generic_if(tgtd_t)
|
||||
corenet_tcp_sendrecv_generic_node(tgtd_t)
|
||||
corenet_tcp_bind_generic_node(tgtd_t)
|
||||
@@ -69,16 +68,12 @@ corenet_tcp_sendrecv_iscsi_port(tgtd_t)
|
||||
@@ -69,7 +68,7 @@ corenet_tcp_sendrecv_iscsi_port(tgtd_t)
|
||||
|
||||
dev_read_sysfs(tgtd_t)
|
||||
|
||||
-files_read_etc_files(tgtd_t)
|
||||
-
|
||||
+files_list_mnt(tgtd_t)
|
||||
|
||||
fs_read_anon_inodefs_files(tgtd_t)
|
||||
|
||||
storage_manage_fixed_disk(tgtd_t)
|
||||
@@ -77,8 +76,6 @@ storage_manage_fixed_disk(tgtd_t)
|
||||
|
||||
logging_send_syslog_msg(tgtd_t)
|
||||
|
||||
|
|
@ -80827,30 +80908,45 @@ index e29db63..061fb98 100644
|
|||
domain_system_change_exemption($1)
|
||||
role_transition $2 tuned_initrc_exec_t system_r;
|
||||
diff --git a/tuned.te b/tuned.te
|
||||
index 7116181..ffc2e44 100644
|
||||
index 7116181..9815e42 100644
|
||||
--- a/tuned.te
|
||||
+++ b/tuned.te
|
||||
@@ -31,8 +31,9 @@ files_pid_file(tuned_var_run_t)
|
||||
@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
|
||||
type tuned_log_t;
|
||||
logging_log_file(tuned_log_t)
|
||||
|
||||
+type tuned_tmp_t;
|
||||
+files_tmp_file(tuned_tmp_t)
|
||||
+
|
||||
type tuned_var_run_t;
|
||||
files_pid_file(tuned_var_run_t)
|
||||
|
||||
@@ -31,8 +34,10 @@ files_pid_file(tuned_var_run_t)
|
||||
|
||||
allow tuned_t self:capability { sys_admin sys_nice };
|
||||
dontaudit tuned_t self:capability { dac_override sys_tty_config };
|
||||
-allow tuned_t self:process { setsched signal };
|
||||
+allow tuned_t self:process { setsched signal };
|
||||
allow tuned_t self:fifo_file rw_fifo_file_perms;
|
||||
+allow tuned_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
+allow tuned_t self:udp_socket create_socket_perms;
|
||||
|
||||
read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
|
||||
exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
|
||||
@@ -44,7 +45,7 @@ manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
|
||||
@@ -44,7 +49,11 @@ manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
|
||||
append_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
|
||||
create_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
|
||||
setattr_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
|
||||
-logging_log_filetrans(tuned_t, tuned_log_t, file)
|
||||
+logging_log_filetrans(tuned_t, tuned_log_t, file, "tuned.log")
|
||||
+
|
||||
+manage_dirs_pattern(tuned_t, tuned_tmp_t, tuned_tmp_t)
|
||||
+manage_files_pattern(tuned_t, tuned_tmp_t, tuned_tmp_t)
|
||||
+files_tmp_filetrans(tuned_t, tuned_tmp_t, { file dir })
|
||||
|
||||
manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
|
||||
manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
|
||||
@@ -57,6 +58,7 @@ kernel_request_load_module(tuned_t)
|
||||
@@ -57,6 +66,7 @@ kernel_request_load_module(tuned_t)
|
||||
kernel_rw_kernel_sysctl(tuned_t)
|
||||
kernel_rw_hotplug_sysctls(tuned_t)
|
||||
kernel_rw_vm_sysctls(tuned_t)
|
||||
|
|
@ -80858,7 +80954,7 @@ index 7116181..ffc2e44 100644
|
|||
|
||||
corecmd_exec_bin(tuned_t)
|
||||
corecmd_exec_shell(tuned_t)
|
||||
@@ -67,28 +69,44 @@ dev_read_urand(tuned_t)
|
||||
@@ -67,28 +77,44 @@ dev_read_urand(tuned_t)
|
||||
dev_rw_sysfs(tuned_t)
|
||||
dev_rw_netcontrol(tuned_t)
|
||||
|
||||
|
|
@ -80866,10 +80962,10 @@ index 7116181..ffc2e44 100644
|
|||
files_dontaudit_search_home(tuned_t)
|
||||
-files_dontaudit_list_tmp(tuned_t)
|
||||
+files_list_tmp(tuned_t)
|
||||
+
|
||||
+fs_getattr_all_fs(tuned_t)
|
||||
|
||||
-fs_getattr_xattr_fs(tuned_t)
|
||||
+fs_getattr_all_fs(tuned_t)
|
||||
+
|
||||
+auth_use_nsswitch(tuned_t)
|
||||
|
||||
logging_send_syslog_msg(tuned_t)
|
||||
|
|
@ -84048,7 +84144,7 @@ index 9dec06c..d8a2b54 100644
|
|||
+ allow svirt_lxc_domain $1:process sigchld;
|
||||
')
|
||||
diff --git a/virt.te b/virt.te
|
||||
index 1f22fba..def6a6b 100644
|
||||
index 1f22fba..64b70d6 100644
|
||||
--- a/virt.te
|
||||
+++ b/virt.te
|
||||
@@ -1,94 +1,98 @@
|
||||
|
|
@ -84510,9 +84606,7 @@ index 1f22fba..def6a6b 100644
|
|||
-
|
||||
-dontaudit svirt_t virt_content_t:file write_file_perms;
|
||||
-dontaudit svirt_t virt_content_t:dir rw_dir_perms;
|
||||
+allow svirt_tcg_t self:process { execmem execstack };
|
||||
+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
-
|
||||
-append_files_pattern(svirt_t, virt_home_t, virt_home_t)
|
||||
-manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
|
||||
-manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
|
||||
|
|
@ -84541,7 +84635,9 @@ index 1f22fba..def6a6b 100644
|
|||
-corenet_sendrecv_all_server_packets(svirt_t)
|
||||
-corenet_udp_bind_all_ports(svirt_t)
|
||||
-corenet_tcp_bind_all_ports(svirt_t)
|
||||
-
|
||||
+allow svirt_tcg_t self:process { execmem execstack };
|
||||
+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
-corenet_sendrecv_all_client_packets(svirt_t)
|
||||
-corenet_tcp_connect_all_ports(svirt_t)
|
||||
+corenet_udp_sendrecv_generic_if(svirt_tcg_t)
|
||||
|
|
@ -85172,8 +85268,9 @@ index 1f22fba..def6a6b 100644
|
|||
+typealias virsh_exec_t alias xm_exec_t;
|
||||
|
||||
-allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
|
||||
-allow virsh_t self:process { getcap getsched setsched setcap signal };
|
||||
+allow virsh_t self:capability { setpcap dac_override ipc_lock sys_chroot sys_nice sys_tty_config };
|
||||
allow virsh_t self:process { getcap getsched setsched setcap signal };
|
||||
+allow virsh_t self:process { getcap getsched setsched setcap setexec signal };
|
||||
allow virsh_t self:fifo_file rw_fifo_file_perms;
|
||||
-allow virsh_t self:unix_stream_socket { accept connectto listen };
|
||||
-allow virsh_t self:tcp_socket { accept listen };
|
||||
|
|
@ -85190,7 +85287,7 @@ index 1f22fba..def6a6b 100644
|
|||
|
||||
manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
|
||||
manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
|
||||
@@ -758,23 +802,14 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
@@ -758,23 +802,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
|
|
@ -85203,12 +85300,12 @@ index 1f22fba..def6a6b 100644
|
|||
-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
|
||||
-
|
||||
-allow virsh_t svirt_lxc_domain:process transition;
|
||||
-
|
||||
-can_exec(virsh_t, virsh_exec_t)
|
||||
+manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
|
||||
+manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
|
||||
+virt_filetrans_named_content(virsh_t)
|
||||
|
||||
-can_exec(virsh_t, virsh_exec_t)
|
||||
-
|
||||
-virt_domtrans(virsh_t)
|
||||
-virt_manage_images(virsh_t)
|
||||
-virt_manage_config(virsh_t)
|
||||
|
|
@ -85216,10 +85313,11 @@ index 1f22fba..def6a6b 100644
|
|||
+dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms;
|
||||
|
||||
-kernel_read_crypto_sysctls(virsh_t)
|
||||
+kernel_write_proc_files(virsh_t)
|
||||
kernel_read_system_state(virsh_t)
|
||||
kernel_read_network_state(virsh_t)
|
||||
kernel_read_kernel_sysctls(virsh_t)
|
||||
@@ -785,25 +820,18 @@ kernel_write_xen_state(virsh_t)
|
||||
@@ -785,25 +821,18 @@ kernel_write_xen_state(virsh_t)
|
||||
corecmd_exec_bin(virsh_t)
|
||||
corecmd_exec_shell(virsh_t)
|
||||
|
||||
|
|
@ -85246,7 +85344,7 @@ index 1f22fba..def6a6b 100644
|
|||
|
||||
fs_getattr_all_fs(virsh_t)
|
||||
fs_manage_xenfs_dirs(virsh_t)
|
||||
@@ -812,24 +840,21 @@ fs_search_auto_mountpoints(virsh_t)
|
||||
@@ -812,24 +841,21 @@ fs_search_auto_mountpoints(virsh_t)
|
||||
|
||||
storage_raw_read_fixed_disk(virsh_t)
|
||||
|
||||
|
|
@ -85277,7 +85375,7 @@ index 1f22fba..def6a6b 100644
|
|||
tunable_policy(`virt_use_nfs',`
|
||||
fs_manage_nfs_dirs(virsh_t)
|
||||
fs_manage_nfs_files(virsh_t)
|
||||
@@ -847,6 +872,10 @@ optional_policy(`
|
||||
@@ -847,6 +873,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -85288,7 +85386,7 @@ index 1f22fba..def6a6b 100644
|
|||
rpm_exec(virsh_t)
|
||||
')
|
||||
|
||||
@@ -854,7 +883,7 @@ optional_policy(`
|
||||
@@ -854,7 +884,7 @@ optional_policy(`
|
||||
xen_manage_image_dirs(virsh_t)
|
||||
xen_append_log(virsh_t)
|
||||
xen_domtrans(virsh_t)
|
||||
|
|
@ -85297,7 +85395,7 @@ index 1f22fba..def6a6b 100644
|
|||
xen_stream_connect(virsh_t)
|
||||
xen_stream_connect_xenstore(virsh_t)
|
||||
')
|
||||
@@ -879,34 +908,40 @@ optional_policy(`
|
||||
@@ -879,34 +909,40 @@ optional_policy(`
|
||||
kernel_read_xen_state(virsh_ssh_t)
|
||||
kernel_write_xen_state(virsh_ssh_t)
|
||||
|
||||
|
|
@ -85348,7 +85446,7 @@ index 1f22fba..def6a6b 100644
|
|||
|
||||
manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
@@ -916,12 +951,15 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
@@ -916,12 +952,15 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
|
||||
allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
|
||||
|
|
@ -85364,7 +85462,7 @@ index 1f22fba..def6a6b 100644
|
|||
|
||||
corecmd_exec_bin(virtd_lxc_t)
|
||||
corecmd_exec_shell(virtd_lxc_t)
|
||||
@@ -933,10 +971,8 @@ dev_read_urand(virtd_lxc_t)
|
||||
@@ -933,10 +972,8 @@ dev_read_urand(virtd_lxc_t)
|
||||
|
||||
domain_use_interactive_fds(virtd_lxc_t)
|
||||
|
||||
|
|
@ -85375,7 +85473,7 @@ index 1f22fba..def6a6b 100644
|
|||
files_relabel_rootfs(virtd_lxc_t)
|
||||
files_mounton_non_security(virtd_lxc_t)
|
||||
files_mount_all_file_type_fs(virtd_lxc_t)
|
||||
@@ -944,6 +980,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
|
||||
@@ -944,6 +981,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
|
||||
files_list_isid_type_dirs(virtd_lxc_t)
|
||||
files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
|
||||
|
||||
|
|
@ -85383,7 +85481,7 @@ index 1f22fba..def6a6b 100644
|
|||
fs_getattr_all_fs(virtd_lxc_t)
|
||||
fs_manage_tmpfs_dirs(virtd_lxc_t)
|
||||
fs_manage_tmpfs_chr_files(virtd_lxc_t)
|
||||
@@ -955,15 +992,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
|
||||
@@ -955,15 +993,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
|
||||
fs_unmount_all_fs(virtd_lxc_t)
|
||||
fs_relabelfrom_tmpfs(virtd_lxc_t)
|
||||
|
||||
|
|
@ -85402,7 +85500,7 @@ index 1f22fba..def6a6b 100644
|
|||
|
||||
term_use_generic_ptys(virtd_lxc_t)
|
||||
term_use_ptmx(virtd_lxc_t)
|
||||
@@ -973,20 +1006,38 @@ auth_use_nsswitch(virtd_lxc_t)
|
||||
@@ -973,20 +1007,38 @@ auth_use_nsswitch(virtd_lxc_t)
|
||||
|
||||
logging_send_syslog_msg(virtd_lxc_t)
|
||||
|
||||
|
|
@ -85447,7 +85545,7 @@ index 1f22fba..def6a6b 100644
|
|||
allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
|
||||
allow svirt_lxc_domain self:fifo_file manage_file_perms;
|
||||
allow svirt_lxc_domain self:sem create_sem_perms;
|
||||
@@ -995,19 +1046,6 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
|
||||
@@ -995,19 +1047,6 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
|
||||
allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
|
||||
|
||||
|
|
@ -85467,7 +85565,7 @@ index 1f22fba..def6a6b 100644
|
|||
manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
@@ -1015,17 +1053,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
@@ -1015,17 +1054,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
|
|
@ -85486,7 +85584,7 @@ index 1f22fba..def6a6b 100644
|
|||
kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
|
||||
|
||||
corecmd_exec_all_executables(svirt_lxc_domain)
|
||||
@@ -1037,21 +1072,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
|
||||
@@ -1037,21 +1073,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
|
||||
files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
|
||||
files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
|
||||
files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
|
||||
|
|
@ -85513,7 +85611,7 @@ index 1f22fba..def6a6b 100644
|
|||
auth_dontaudit_read_login_records(svirt_lxc_domain)
|
||||
auth_dontaudit_write_login_records(svirt_lxc_domain)
|
||||
auth_search_pam_console_data(svirt_lxc_domain)
|
||||
@@ -1063,11 +1097,14 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
|
||||
@@ -1063,11 +1098,16 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
|
||||
|
||||
libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
|
||||
|
||||
|
|
@ -85522,15 +85620,17 @@ index 1f22fba..def6a6b 100644
|
|||
miscfiles_read_fonts(svirt_lxc_domain)
|
||||
|
||||
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
|
||||
+systemd_read_unit_files(svirt_lxc_domain)
|
||||
+
|
||||
+userdom_use_inherited_user_terminals(svirt_lxc_domain)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
|
||||
+')
|
||||
+
|
||||
+systemd_read_unit_files(svirt_lxc_domain)
|
||||
|
||||
optional_policy(`
|
||||
udev_read_pid_files(svirt_lxc_domain)
|
||||
@@ -1078,81 +1115,67 @@ optional_policy(`
|
||||
@@ -1078,81 +1118,67 @@ optional_policy(`
|
||||
apache_read_sys_content(svirt_lxc_domain)
|
||||
')
|
||||
|
||||
|
|
@ -85638,7 +85738,7 @@ index 1f22fba..def6a6b 100644
|
|||
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
|
||||
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
|
||||
@@ -1165,12 +1188,12 @@ dev_read_sysfs(virt_qmf_t)
|
||||
@@ -1165,12 +1191,12 @@ dev_read_sysfs(virt_qmf_t)
|
||||
dev_read_rand(virt_qmf_t)
|
||||
dev_read_urand(virt_qmf_t)
|
||||
|
||||
|
|
@ -85653,7 +85753,7 @@ index 1f22fba..def6a6b 100644
|
|||
sysnet_read_config(virt_qmf_t)
|
||||
|
||||
optional_policy(`
|
||||
@@ -1183,9 +1206,8 @@ optional_policy(`
|
||||
@@ -1183,9 +1209,8 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -85664,7 +85764,7 @@ index 1f22fba..def6a6b 100644
|
|||
allow virt_bridgehelper_t self:process { setcap getcap };
|
||||
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
|
||||
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
||||
@@ -1198,5 +1220,65 @@ kernel_read_network_state(virt_bridgehelper_t)
|
||||
@@ -1198,5 +1223,65 @@ kernel_read_network_state(virt_bridgehelper_t)
|
||||
|
||||
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
|
||||
|
||||
|
|
@ -85731,7 +85831,7 @@ index 1f22fba..def6a6b 100644
|
|||
+
|
||||
+type svirt_socket_t;
|
||||
+role system_r types svirt_socket_t;
|
||||
+allow svirt_t svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
+allow virt_domain svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
diff --git a/vlock.te b/vlock.te
|
||||
index 9ead775..b5285e7 100644
|
||||
--- a/vlock.te
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@
|
|||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.12.1
|
||||
Release: 12%{?dist}
|
||||
Release: 13%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
|
|
@ -521,6 +521,22 @@ SELinux Reference policy mls base module.
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Feb 14 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-13
|
||||
- virsh now does a setexeccon call
|
||||
- Additional rules required by openshift domains
|
||||
- Allow svirt_lxc_domains to use inherited terminals, needed to make virt-sandbox-service execute work
|
||||
- Allow spamd_update_t to search spamc_home_t
|
||||
- Avcs discovered by mounting an isci device under /mnt
|
||||
- Allow lspci running as logrotate to read pci.ids
|
||||
- Additional fix for networkmanager_read_pid_files()
|
||||
- Fix networkmanager_read_pid_files() interface
|
||||
- Allow all svirt domains to connect to svirt_socket_t
|
||||
- Allow virsh to set SELinux context for a process.
|
||||
- Allow tuned to create netlink_kobject_uevent_socket
|
||||
- Allow systemd-timestamp to set SELinux context
|
||||
- Add support for /var/lib/systemd/linger
|
||||
- Fix ssh_sysadm_login to be working on MLS as expected
|
||||
|
||||
* Mon Feb 11 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-12
|
||||
- Rename files_rw_inherited_tmp_files to files_rw_inherited_tmp_file
|
||||
- Add missing files_rw_inherited_tmp_files interface
|
||||
|
|
|
|||
Loading…
Reference in New Issue