* Mon Sep 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-147
- named wants to access /proc/sys/net/ipv4/ip_local_port_range to get ehphemeral range. BZ(#1260272) - Allow user screen domains to list directorires in HOMEDIR wit user_home_t labeling. - Dontaudit fenced search gnome config - Allow teamd running as NetworkManager_t to access netlink_generic_socket to allow multiple network interfaces to be teamed together. BZ(#1259180) - Fix for watchdog_unconfined_exec_read_lnk_files, Add also dir search perms in watchdog_unconfined_exec_t. - Sanlock policy update. #1255307 - New sub-domain for sanlk-reset daemon - Fix labeling for fence_scsi_check script - Allow openhpid to read system state Aloow openhpid to connect to tcp http port. - Allow openhpid to read snmp var lib files. - Allow openvswitch_t domains read kernel dependencies due to openvswitch run modprobe - Fix regexp in chronyd.fc file - systemd-logind needs to be able to act with /usr/lib/systemd/system/poweroff.target to allow shutdown system. BZ(#1260175) - Allow systemd-udevd to access netlink_route_socket to change names for network interfaces without unconfined.pp module. It affects also MLS. - Allow unconfined_t domains to create /var/run/xtables.lock with iptables_var_run_t - Remove bin_t label for /usr/share/cluster/fence_scsi_check\.pl
This commit is contained in:
Lukas Vrabec
parent
73a6a99de0
commit
2818673721
@ -3466,7 +3466,7 @@ index 7590165..d81185e 100644
|
||||
+ fs_mounton_fusefs(seunshare_domain)
|
||||
')
|
||||
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
|
||||
index 33e0f8d..d41bb39 100644
|
||||
index 33e0f8d..e16fba2 100644
|
||||
--- a/policy/modules/kernel/corecommands.fc
|
||||
+++ b/policy/modules/kernel/corecommands.fc
|
||||
@@ -1,9 +1,10 @@
|
||||
@ -3728,13 +3728,12 @@ index 33e0f8d..d41bb39 100644
|
||||
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
@@ -280,10 +343,15 @@ ifdef(`distro_gentoo',`
|
||||
@@ -280,10 +343,14 @@ ifdef(`distro_gentoo',`
|
||||
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
|
||||
+/usr/share/cluster/SAPDatabase -- gen_context(system_u:object_r:bin_t,s0)
|
||||
+/usr/share/cluster/SAPInstance -- gen_context(system_u:object_r:bin_t,s0)
|
||||
+/usr/share/cluster/fence_scsi_check\.pl -- gen_context(system_u:object_r:bin_t,s0)
|
||||
+/usr/share/cluster/checkquorum.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
@ -3744,7 +3743,7 @@ index 33e0f8d..d41bb39 100644
|
||||
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -298,16 +366,22 @@ ifdef(`distro_gentoo',`
|
||||
@@ -298,16 +365,22 @@ ifdef(`distro_gentoo',`
|
||||
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@ -3769,7 +3768,7 @@ index 33e0f8d..d41bb39 100644
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -325,20 +399,27 @@ ifdef(`distro_redhat', `
|
||||
@@ -325,20 +398,27 @@ ifdef(`distro_redhat', `
|
||||
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
@ -3798,7 +3797,7 @@ index 33e0f8d..d41bb39 100644
|
||||
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -346,6 +427,7 @@ ifdef(`distro_redhat', `
|
||||
@@ -346,6 +426,7 @@ ifdef(`distro_redhat', `
|
||||
/usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@ -3806,7 +3805,7 @@ index 33e0f8d..d41bb39 100644
|
||||
/usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -387,17 +469,34 @@ ifdef(`distro_suse', `
|
||||
@@ -387,17 +468,34 @@ ifdef(`distro_suse', `
|
||||
#
|
||||
# /var
|
||||
#
|
||||
@ -10085,7 +10084,7 @@ index 6a1e4d1..26e5558 100644
|
||||
+ dontaudit $1 domain:dir_file_class_set audit_access;
|
||||
')
|
||||
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
|
||||
index cf04cb5..e8da15e 100644
|
||||
index cf04cb5..e9c1427 100644
|
||||
--- a/policy/modules/kernel/domain.te
|
||||
+++ b/policy/modules/kernel/domain.te
|
||||
@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
|
||||
@ -10238,7 +10237,7 @@ index cf04cb5..e8da15e 100644
|
||||
|
||||
# Create/access any System V IPC objects.
|
||||
allow unconfined_domain_type domain:{ sem msgq shm } *;
|
||||
@@ -166,5 +242,365 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
|
||||
@@ -166,5 +242,369 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
|
||||
# act on all domains keys
|
||||
allow unconfined_domain_type domain:key *;
|
||||
|
||||
@ -10379,6 +10378,10 @@ index cf04cb5..e8da15e 100644
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ iptables_filetrans_named_content(named_filetrans_domain)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ kerberos_filetrans_named_content(named_filetrans_domain)
|
||||
+')
|
||||
+
|
||||
@ -22428,7 +22431,7 @@ index ff92430..36740ea 100644
|
||||
## <summary>
|
||||
## Execute a generic bin program in the sysadm domain.
|
||||
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
|
||||
index 2522ca6..f2029b6 100644
|
||||
index 2522ca6..0371f63 100644
|
||||
--- a/policy/modules/roles/sysadm.te
|
||||
+++ b/policy/modules/roles/sysadm.te
|
||||
@@ -5,39 +5,88 @@ policy_module(sysadm, 2.6.1)
|
||||
@ -22634,7 +22637,7 @@ index 2522ca6..f2029b6 100644
|
||||
fstools_run(sysadm_t, sysadm_r)
|
||||
')
|
||||
|
||||
@@ -175,6 +249,13 @@ optional_policy(`
|
||||
@@ -175,10 +249,27 @@ optional_policy(`
|
||||
ipsec_stream_connect(sysadm_t)
|
||||
# for lsof
|
||||
ipsec_getattr_key_sockets(sysadm_t)
|
||||
@ -22648,23 +22651,21 @@ index 2522ca6..f2029b6 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -182,6 +263,15 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
iptables_run(sysadm_t, sysadm_r)
|
||||
+ iptables_filetrans_named_content(sysadm_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ irc_role(sysadm_r, sysadm_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ kerberos_exec_kadmind(sysadm_t)
|
||||
+ kerberos_filetrans_named_content(sysadm_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
kudzu_run(sysadm_t, sysadm_r)
|
||||
')
|
||||
|
||||
@@ -190,11 +280,12 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
@@ -190,11 +281,12 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -22679,7 +22680,7 @@ index 2522ca6..f2029b6 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -210,22 +301,20 @@ optional_policy(`
|
||||
@@ -210,22 +302,20 @@ optional_policy(`
|
||||
modutils_run_depmod(sysadm_t, sysadm_r)
|
||||
modutils_run_insmod(sysadm_t, sysadm_r)
|
||||
modutils_run_update_mods(sysadm_t, sysadm_r)
|
||||
@ -22708,7 +22709,7 @@ index 2522ca6..f2029b6 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -237,14 +326,28 @@ optional_policy(`
|
||||
@@ -237,14 +327,28 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -22737,7 +22738,7 @@ index 2522ca6..f2029b6 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -252,10 +355,20 @@ optional_policy(`
|
||||
@@ -252,10 +356,20 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -22758,7 +22759,7 @@ index 2522ca6..f2029b6 100644
|
||||
portage_run(sysadm_t, sysadm_r)
|
||||
portage_run_fetch(sysadm_t, sysadm_r)
|
||||
portage_run_gcc_config(sysadm_t, sysadm_r)
|
||||
@@ -266,35 +379,41 @@ optional_policy(`
|
||||
@@ -266,35 +380,41 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -22807,7 +22808,7 @@ index 2522ca6..f2029b6 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -308,6 +427,7 @@ optional_policy(`
|
||||
@@ -308,6 +428,7 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
screen_role_template(sysadm, sysadm_r, sysadm_t)
|
||||
@ -22815,7 +22816,7 @@ index 2522ca6..f2029b6 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -315,12 +435,20 @@ optional_policy(`
|
||||
@@ -315,12 +436,20 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -22837,7 +22838,7 @@ index 2522ca6..f2029b6 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -345,30 +473,37 @@ optional_policy(`
|
||||
@@ -345,30 +474,37 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -22884,7 +22885,7 @@ index 2522ca6..f2029b6 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -380,10 +515,6 @@ optional_policy(`
|
||||
@@ -380,10 +516,6 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -22895,7 +22896,7 @@ index 2522ca6..f2029b6 100644
|
||||
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
|
||||
usermanage_run_groupadd(sysadm_t, sysadm_r)
|
||||
usermanage_run_useradd(sysadm_t, sysadm_r)
|
||||
@@ -391,6 +522,9 @@ optional_policy(`
|
||||
@@ -391,6 +523,9 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
virt_stream_connect(sysadm_t)
|
||||
@ -22905,7 +22906,7 @@ index 2522ca6..f2029b6 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -398,31 +532,34 @@ optional_policy(`
|
||||
@@ -398,31 +533,34 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -22946,7 +22947,7 @@ index 2522ca6..f2029b6 100644
|
||||
auth_role(sysadm_r, sysadm_t)
|
||||
')
|
||||
|
||||
@@ -435,10 +572,6 @@ ifndef(`distro_redhat',`
|
||||
@@ -435,10 +573,6 @@ ifndef(`distro_redhat',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -22957,7 +22958,7 @@ index 2522ca6..f2029b6 100644
|
||||
dbus_role_template(sysadm, sysadm_r, sysadm_t)
|
||||
|
||||
optional_policy(`
|
||||
@@ -459,15 +592,79 @@ ifndef(`distro_redhat',`
|
||||
@@ -459,15 +593,79 @@ ifndef(`distro_redhat',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -35737,7 +35738,7 @@ index 73a1c4e..ec4c7c7 100644
|
||||
+
|
||||
+/var/run/xtables.* -- gen_context(system_u:object_r:iptables_var_run_t,s0)
|
||||
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
|
||||
index c42fbc3..277fe6c 100644
|
||||
index c42fbc3..bf211db 100644
|
||||
--- a/policy/modules/system/iptables.if
|
||||
+++ b/policy/modules/system/iptables.if
|
||||
@@ -17,10 +17,6 @@ interface(`iptables_domtrans',`
|
||||
@ -35782,6 +35783,28 @@ index c42fbc3..277fe6c 100644
|
||||
#####################################
|
||||
## <summary>
|
||||
## Set the attributes of iptables config files.
|
||||
@@ -163,3 +183,21 @@ interface(`iptables_manage_config',`
|
||||
files_search_etc($1)
|
||||
manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
|
||||
')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Transition to iptables named content
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`iptables_filetrans_named_content',`
|
||||
+ gen_require(`
|
||||
+ type iptables_var_run_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock")
|
||||
+')
|
||||
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
|
||||
index be8ed1e..3c2729f 100644
|
||||
--- a/policy/modules/system/iptables.te
|
||||
@ -44649,10 +44672,10 @@ index 0000000..cde0261
|
||||
+')
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
new file mode 100644
|
||||
index 0000000..dff8d54
|
||||
index 0000000..8209291
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -0,0 +1,723 @@
|
||||
@@ -0,0 +1,725 @@
|
||||
+policy_module(systemd, 1.0.0)
|
||||
+
|
||||
+#######################################
|
||||
@ -44780,6 +44803,8 @@ index 0000000..dff8d54
|
||||
+manage_fifo_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
|
||||
+manage_sock_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
|
||||
+
|
||||
+systemd_start_power_services(systemd_logind_t)
|
||||
+
|
||||
+dev_getattr_all_chr_files(systemd_logind_t)
|
||||
+dev_getattr_all_blk_files(systemd_logind_t)
|
||||
+dev_rw_sysfs(systemd_logind_t)
|
||||
@ -45674,7 +45699,7 @@ index 9a1650d..d7e8a01 100644
|
||||
|
||||
########################################
|
||||
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
|
||||
index 39f185f..125f7fe 100644
|
||||
index 39f185f..5658ab4 100644
|
||||
--- a/policy/modules/system/udev.te
|
||||
+++ b/policy/modules/system/udev.te
|
||||
@@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t)
|
||||
@ -45712,17 +45737,18 @@ index 39f185f..125f7fe 100644
|
||||
allow udev_t self:process { execmem setfscreate };
|
||||
allow udev_t self:fd use;
|
||||
allow udev_t self:fifo_file rw_fifo_file_perms;
|
||||
@@ -53,7 +54,9 @@ allow udev_t self:unix_stream_socket { listen accept };
|
||||
@@ -53,7 +54,10 @@ allow udev_t self:unix_stream_socket { listen accept };
|
||||
allow udev_t self:unix_dgram_socket sendto;
|
||||
allow udev_t self:unix_stream_socket connectto;
|
||||
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
+allow udev_t self:netlink_generic_socket create_socket_perms;
|
||||
allow udev_t self:rawip_socket create_socket_perms;
|
||||
+allow udev_t self:netlink_socket create_socket_perms;
|
||||
+allow udev_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
|
||||
|
||||
allow udev_t udev_exec_t:file write;
|
||||
can_exec(udev_t, udev_exec_t)
|
||||
@@ -64,31 +67,39 @@ can_exec(udev_t, udev_helper_exec_t)
|
||||
@@ -64,31 +68,39 @@ can_exec(udev_t, udev_helper_exec_t)
|
||||
# read udev config
|
||||
allow udev_t udev_etc_t:file read_file_perms;
|
||||
|
||||
@ -45769,7 +45795,7 @@ index 39f185f..125f7fe 100644
|
||||
|
||||
#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
|
||||
kernel_rw_net_sysctls(udev_t)
|
||||
@@ -99,6 +110,7 @@ corecmd_exec_all_executables(udev_t)
|
||||
@@ -99,6 +111,7 @@ corecmd_exec_all_executables(udev_t)
|
||||
|
||||
dev_rw_sysfs(udev_t)
|
||||
dev_manage_all_dev_nodes(udev_t)
|
||||
@ -45777,7 +45803,7 @@ index 39f185f..125f7fe 100644
|
||||
dev_rw_generic_files(udev_t)
|
||||
dev_delete_generic_files(udev_t)
|
||||
dev_search_usbfs(udev_t)
|
||||
@@ -107,23 +119,31 @@ dev_relabel_all_dev_nodes(udev_t)
|
||||
@@ -107,23 +120,31 @@ dev_relabel_all_dev_nodes(udev_t)
|
||||
# preserved, instead of short circuiting the relabel
|
||||
dev_relabel_generic_symlinks(udev_t)
|
||||
dev_manage_generic_symlinks(udev_t)
|
||||
@ -45813,7 +45839,7 @@ index 39f185f..125f7fe 100644
|
||||
|
||||
mls_file_read_all_levels(udev_t)
|
||||
mls_file_write_all_levels(udev_t)
|
||||
@@ -145,17 +165,20 @@ auth_use_nsswitch(udev_t)
|
||||
@@ -145,17 +166,20 @@ auth_use_nsswitch(udev_t)
|
||||
init_read_utmp(udev_t)
|
||||
init_dontaudit_write_utmp(udev_t)
|
||||
init_getattr_initctl(udev_t)
|
||||
@ -45835,7 +45861,7 @@ index 39f185f..125f7fe 100644
|
||||
|
||||
seutil_read_config(udev_t)
|
||||
seutil_read_default_contexts(udev_t)
|
||||
@@ -169,9 +192,13 @@ sysnet_read_dhcpc_pid(udev_t)
|
||||
@@ -169,9 +193,13 @@ sysnet_read_dhcpc_pid(udev_t)
|
||||
sysnet_delete_dhcpc_pid(udev_t)
|
||||
sysnet_signal_dhcpc(udev_t)
|
||||
sysnet_manage_config(udev_t)
|
||||
@ -45850,7 +45876,7 @@ index 39f185f..125f7fe 100644
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug")
|
||||
@@ -195,16 +222,9 @@ ifdef(`distro_gentoo',`
|
||||
@@ -195,16 +223,9 @@ ifdef(`distro_gentoo',`
|
||||
')
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
@ -45869,7 +45895,7 @@ index 39f185f..125f7fe 100644
|
||||
|
||||
# for arping used for static IP addresses on PCMCIA ethernet
|
||||
netutils_domtrans(udev_t)
|
||||
@@ -242,6 +262,7 @@ optional_policy(`
|
||||
@@ -242,6 +263,7 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
cups_domtrans_config(udev_t)
|
||||
@ -45877,7 +45903,7 @@ index 39f185f..125f7fe 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -249,17 +270,31 @@ optional_policy(`
|
||||
@@ -249,17 +271,31 @@ optional_policy(`
|
||||
dbus_use_system_bus_fds(udev_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -45911,7 +45937,7 @@ index 39f185f..125f7fe 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -289,6 +324,10 @@ optional_policy(`
|
||||
@@ -289,6 +325,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -45922,7 +45948,7 @@ index 39f185f..125f7fe 100644
|
||||
openct_read_pid_files(udev_t)
|
||||
openct_domtrans(udev_t)
|
||||
')
|
||||
@@ -303,6 +342,15 @@ optional_policy(`
|
||||
@@ -303,6 +343,15 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -45938,7 +45964,7 @@ index 39f185f..125f7fe 100644
|
||||
unconfined_signal(udev_t)
|
||||
')
|
||||
|
||||
@@ -315,6 +363,7 @@ optional_policy(`
|
||||
@@ -315,6 +364,7 @@ optional_policy(`
|
||||
kernel_read_xen_state(udev_t)
|
||||
xen_manage_log(udev_t)
|
||||
xen_read_image_files(udev_t)
|
||||
|
||||
@ -9476,7 +9476,7 @@ index 531a8f2..0b86f2f 100644
|
||||
+ allow $1 named_unit_file_t:service all_service_perms;
|
||||
')
|
||||
diff --git a/bind.te b/bind.te
|
||||
index 1241123..e196b89 100644
|
||||
index 1241123..cce7112 100644
|
||||
--- a/bind.te
|
||||
+++ b/bind.te
|
||||
@@ -34,7 +34,7 @@ type named_checkconf_exec_t;
|
||||
@ -9520,7 +9520,11 @@ index 1241123..e196b89 100644
|
||||
logging_log_filetrans(named_t, named_log_t, file)
|
||||
|
||||
manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
|
||||
@@ -115,7 +117,6 @@ kernel_read_network_state(named_t)
|
||||
@@ -112,10 +114,10 @@ read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
|
||||
kernel_read_kernel_sysctls(named_t)
|
||||
kernel_read_system_state(named_t)
|
||||
kernel_read_network_state(named_t)
|
||||
+kernel_read_net_sysctls(named_t)
|
||||
|
||||
corecmd_search_bin(named_t)
|
||||
|
||||
@ -9528,7 +9532,7 @@ index 1241123..e196b89 100644
|
||||
corenet_all_recvfrom_netlabel(named_t)
|
||||
corenet_tcp_sendrecv_generic_if(named_t)
|
||||
corenet_udp_sendrecv_generic_if(named_t)
|
||||
@@ -144,6 +145,7 @@ corenet_tcp_sendrecv_all_ports(named_t)
|
||||
@@ -144,6 +146,7 @@ corenet_tcp_sendrecv_all_ports(named_t)
|
||||
dev_read_sysfs(named_t)
|
||||
dev_read_rand(named_t)
|
||||
dev_read_urand(named_t)
|
||||
@ -9536,7 +9540,7 @@ index 1241123..e196b89 100644
|
||||
|
||||
domain_use_interactive_fds(named_t)
|
||||
|
||||
@@ -175,6 +177,19 @@ tunable_policy(`named_write_master_zones',`
|
||||
@@ -175,6 +178,19 @@ tunable_policy(`named_write_master_zones',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -9556,7 +9560,7 @@ index 1241123..e196b89 100644
|
||||
dbus_system_domain(named_t, named_exec_t)
|
||||
|
||||
init_dbus_chat_script(named_t)
|
||||
@@ -187,7 +202,13 @@ optional_policy(`
|
||||
@@ -187,7 +203,13 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -9570,7 +9574,7 @@ index 1241123..e196b89 100644
|
||||
kerberos_use(named_t)
|
||||
')
|
||||
|
||||
@@ -215,7 +236,8 @@ optional_policy(`
|
||||
@@ -215,7 +237,8 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow ndc_t self:capability { dac_override net_admin };
|
||||
@ -9580,7 +9584,7 @@ index 1241123..e196b89 100644
|
||||
allow ndc_t self:fifo_file rw_fifo_file_perms;
|
||||
allow ndc_t self:unix_stream_socket { accept listen };
|
||||
|
||||
@@ -229,10 +251,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
|
||||
@@ -229,10 +252,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
allow ndc_t named_zone_t:dir search_dir_perms;
|
||||
|
||||
@ -9592,7 +9596,7 @@ index 1241123..e196b89 100644
|
||||
corenet_all_recvfrom_netlabel(ndc_t)
|
||||
corenet_tcp_sendrecv_generic_if(ndc_t)
|
||||
corenet_tcp_sendrecv_generic_node(ndc_t)
|
||||
@@ -242,6 +263,9 @@ corenet_tcp_bind_generic_node(ndc_t)
|
||||
@@ -242,6 +264,9 @@ corenet_tcp_bind_generic_node(ndc_t)
|
||||
corenet_tcp_connect_rndc_port(ndc_t)
|
||||
corenet_sendrecv_rndc_client_packets(ndc_t)
|
||||
|
||||
@ -9602,7 +9606,7 @@ index 1241123..e196b89 100644
|
||||
domain_use_interactive_fds(ndc_t)
|
||||
|
||||
files_search_pids(ndc_t)
|
||||
@@ -257,7 +281,7 @@ init_use_script_ptys(ndc_t)
|
||||
@@ -257,7 +282,7 @@ init_use_script_ptys(ndc_t)
|
||||
|
||||
logging_send_syslog_msg(ndc_t)
|
||||
|
||||
@ -12985,7 +12989,7 @@ index 0000000..5955ff0
|
||||
+ gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
|
||||
+')
|
||||
diff --git a/chronyd.fc b/chronyd.fc
|
||||
index 4e4143e..16d23e1 100644
|
||||
index 4e4143e..36ee9e1 100644
|
||||
--- a/chronyd.fc
|
||||
+++ b/chronyd.fc
|
||||
@@ -1,13 +1,17 @@
|
||||
@ -13003,8 +13007,9 @@ index 4e4143e..16d23e1 100644
|
||||
|
||||
/var/log/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_log_t,s0)
|
||||
|
||||
/var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0)
|
||||
+/var/run/chrony-helper(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0)
|
||||
-/var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0)
|
||||
+/var/run/chronyd(/.*)? gen_context(system_u:object_r:chronyd_var_run_t,s0)
|
||||
+/var/run/chrony-helper(/.*)? gen_context(system_u:object_r:chronyd_var_run_t,s0)
|
||||
/var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0)
|
||||
/var/run/chronyd\.sock -s gen_context(system_u:object_r:chronyd_var_run_t,s0)
|
||||
diff --git a/chronyd.if b/chronyd.if
|
||||
@ -57241,7 +57246,7 @@ index 86dc29d..7380935 100644
|
||||
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
|
||||
')
|
||||
diff --git a/networkmanager.te b/networkmanager.te
|
||||
index 55f2009..b84767b 100644
|
||||
index 55f2009..4a29f9c 100644
|
||||
--- a/networkmanager.te
|
||||
+++ b/networkmanager.te
|
||||
@@ -9,15 +9,18 @@ type NetworkManager_t;
|
||||
@ -57266,7 +57271,7 @@ index 55f2009..b84767b 100644
|
||||
type NetworkManager_log_t;
|
||||
logging_log_file(NetworkManager_log_t)
|
||||
|
||||
@@ -39,25 +42,55 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
|
||||
@@ -39,25 +42,56 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
@ -57298,6 +57303,7 @@ index 55f2009..b84767b 100644
|
||||
-allow NetworkManager_t self:unix_stream_socket { accept listen };
|
||||
+allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
|
||||
+allow NetworkManager_t self:unix_stream_socket{ create_stream_socket_perms connectto };
|
||||
+allow NetworkManager_t self:netlink_generic_socket create_socket_perms;
|
||||
allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
+allow NetworkManager_t self:netlink_xfrm_socket create_netlink_socket_perms;
|
||||
allow NetworkManager_t self:netlink_socket create_socket_perms;
|
||||
@ -57331,7 +57337,7 @@ index 55f2009..b84767b 100644
|
||||
manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
|
||||
manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
|
||||
filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file })
|
||||
@@ -68,6 +101,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
|
||||
@@ -68,6 +102,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
|
||||
setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
|
||||
logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
|
||||
|
||||
@ -57339,7 +57345,7 @@ index 55f2009..b84767b 100644
|
||||
manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
|
||||
manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
|
||||
files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
|
||||
@@ -81,17 +115,15 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
|
||||
@@ -81,17 +116,15 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
|
||||
manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
|
||||
files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
|
||||
|
||||
@ -57359,7 +57365,7 @@ index 55f2009..b84767b 100644
|
||||
corenet_all_recvfrom_netlabel(NetworkManager_t)
|
||||
corenet_tcp_sendrecv_generic_if(NetworkManager_t)
|
||||
corenet_udp_sendrecv_generic_if(NetworkManager_t)
|
||||
@@ -102,36 +134,24 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
|
||||
@@ -102,36 +135,24 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
|
||||
corenet_tcp_sendrecv_all_ports(NetworkManager_t)
|
||||
corenet_udp_sendrecv_all_ports(NetworkManager_t)
|
||||
corenet_udp_bind_generic_node(NetworkManager_t)
|
||||
@ -57401,7 +57407,7 @@ index 55f2009..b84767b 100644
|
||||
fs_getattr_all_fs(NetworkManager_t)
|
||||
fs_search_auto_mountpoints(NetworkManager_t)
|
||||
fs_list_inotifyfs(NetworkManager_t)
|
||||
@@ -140,18 +160,36 @@ mls_file_read_all_levels(NetworkManager_t)
|
||||
@@ -140,18 +161,36 @@ mls_file_read_all_levels(NetworkManager_t)
|
||||
|
||||
selinux_dontaudit_search_fs(NetworkManager_t)
|
||||
|
||||
@ -57439,7 +57445,7 @@ index 55f2009..b84767b 100644
|
||||
|
||||
seutil_read_config(NetworkManager_t)
|
||||
|
||||
@@ -166,21 +204,34 @@ sysnet_kill_dhcpc(NetworkManager_t)
|
||||
@@ -166,21 +205,34 @@ sysnet_kill_dhcpc(NetworkManager_t)
|
||||
sysnet_read_dhcpc_state(NetworkManager_t)
|
||||
sysnet_delete_dhcpc_state(NetworkManager_t)
|
||||
sysnet_search_dhcp_state(NetworkManager_t)
|
||||
@ -57478,7 +57484,7 @@ index 55f2009..b84767b 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -196,10 +247,6 @@ optional_policy(`
|
||||
@@ -196,10 +248,6 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -57489,7 +57495,7 @@ index 55f2009..b84767b 100644
|
||||
consoletype_exec(NetworkManager_t)
|
||||
')
|
||||
|
||||
@@ -210,16 +257,11 @@ optional_policy(`
|
||||
@@ -210,16 +258,11 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
|
||||
|
||||
@ -57508,7 +57514,7 @@ index 55f2009..b84767b 100644
|
||||
')
|
||||
')
|
||||
|
||||
@@ -231,10 +273,17 @@ optional_policy(`
|
||||
@@ -231,10 +274,17 @@ optional_policy(`
|
||||
dnsmasq_kill(NetworkManager_t)
|
||||
dnsmasq_signal(NetworkManager_t)
|
||||
dnsmasq_signull(NetworkManager_t)
|
||||
@ -57527,7 +57533,7 @@ index 55f2009..b84767b 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -246,10 +295,26 @@ optional_policy(`
|
||||
@@ -246,10 +296,26 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -57554,7 +57560,7 @@ index 55f2009..b84767b 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -257,15 +322,19 @@ optional_policy(`
|
||||
@@ -257,15 +323,19 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -57576,7 +57582,7 @@ index 55f2009..b84767b 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -274,10 +343,17 @@ optional_policy(`
|
||||
@@ -274,10 +344,17 @@ optional_policy(`
|
||||
nscd_signull(NetworkManager_t)
|
||||
nscd_kill(NetworkManager_t)
|
||||
nscd_initrc_domtrans(NetworkManager_t)
|
||||
@ -57594,7 +57600,7 @@ index 55f2009..b84767b 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -286,9 +362,12 @@ optional_policy(`
|
||||
@@ -286,9 +363,12 @@ optional_policy(`
|
||||
openvpn_kill(NetworkManager_t)
|
||||
openvpn_signal(NetworkManager_t)
|
||||
openvpn_signull(NetworkManager_t)
|
||||
@ -57607,7 +57613,7 @@ index 55f2009..b84767b 100644
|
||||
policykit_domtrans_auth(NetworkManager_t)
|
||||
policykit_read_lib(NetworkManager_t)
|
||||
policykit_read_reload(NetworkManager_t)
|
||||
@@ -296,7 +375,7 @@ optional_policy(`
|
||||
@@ -296,7 +376,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -57616,7 +57622,7 @@ index 55f2009..b84767b 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -307,6 +386,7 @@ optional_policy(`
|
||||
@@ -307,6 +387,7 @@ optional_policy(`
|
||||
ppp_signal(NetworkManager_t)
|
||||
ppp_signull(NetworkManager_t)
|
||||
ppp_read_config(NetworkManager_t)
|
||||
@ -57624,7 +57630,7 @@ index 55f2009..b84767b 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -320,14 +400,21 @@ optional_policy(`
|
||||
@@ -320,14 +401,21 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -57651,7 +57657,7 @@ index 55f2009..b84767b 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -357,6 +444,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
|
||||
@@ -357,6 +445,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
|
||||
init_dontaudit_use_fds(wpa_cli_t)
|
||||
init_use_script_ptys(wpa_cli_t)
|
||||
|
||||
@ -62320,10 +62326,10 @@ index 0000000..598789a
|
||||
+
|
||||
diff --git a/openhpid.te b/openhpid.te
|
||||
new file mode 100644
|
||||
index 0000000..ade6576
|
||||
index 0000000..2cb47c8
|
||||
--- /dev/null
|
||||
+++ b/openhpid.te
|
||||
@@ -0,0 +1,52 @@
|
||||
@@ -0,0 +1,59 @@
|
||||
+policy_module(openhpid, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -62365,8 +62371,11 @@ index 0000000..ade6576
|
||||
+manage_files_pattern(openhpid_t, openhpid_var_run_t, openhpid_var_run_t)
|
||||
+files_pid_filetrans(openhpid_t, openhpid_var_run_t, { file })
|
||||
+
|
||||
+kernel_read_system_state(openhpid_t)
|
||||
+
|
||||
+corenet_tcp_bind_generic_node(openhpid_t)
|
||||
+corenet_tcp_bind_openhpid_port(openhpid_t)
|
||||
+corenet_tcp_connect_http_port(openhpid_t)
|
||||
+
|
||||
+dev_read_urand(openhpid_t)
|
||||
+dev_rw_watchdog(openhpid_t)
|
||||
@ -62376,6 +62385,10 @@ index 0000000..ade6576
|
||||
+miscfiles_read_generic_certs(openhpid_t)
|
||||
+
|
||||
+sysnet_read_config(openhpid_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ snmp_read_snmp_var_lib_files(openhpid_t)
|
||||
+')
|
||||
diff --git a/openshift-origin.fc b/openshift-origin.fc
|
||||
new file mode 100644
|
||||
index 0000000..30ca148
|
||||
@ -64677,7 +64690,7 @@ index 9b15730..cb00f20 100644
|
||||
+ ')
|
||||
')
|
||||
diff --git a/openvswitch.te b/openvswitch.te
|
||||
index 44dbc99..eb8d420 100644
|
||||
index 44dbc99..ba23186 100644
|
||||
--- a/openvswitch.te
|
||||
+++ b/openvswitch.te
|
||||
@@ -9,11 +9,8 @@ type openvswitch_t;
|
||||
@ -64742,7 +64755,7 @@ index 44dbc99..eb8d420 100644
|
||||
manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
|
||||
logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
|
||||
|
||||
@@ -65,33 +68,46 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
|
||||
@@ -65,33 +68,47 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
|
||||
manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
|
||||
files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
|
||||
|
||||
@ -64787,6 +64800,7 @@ index 44dbc99..eb8d420 100644
|
||||
+modutils_exec_insmod(openvswitch_t)
|
||||
+modutils_list_module_config(openvswitch_t)
|
||||
+modutils_read_module_config(openvswitch_t)
|
||||
+modutils_read_module_deps(openvswitch_t)
|
||||
|
||||
sysnet_dns_name_resolve(openvswitch_t)
|
||||
|
||||
@ -83435,7 +83449,7 @@ index c8a1e16..2d409bf 100644
|
||||
xen_domtrans_xm(rgmanager_t)
|
||||
')
|
||||
diff --git a/rhcs.fc b/rhcs.fc
|
||||
index 47de2d6..9ecda11 100644
|
||||
index 47de2d6..dfb3396 100644
|
||||
--- a/rhcs.fc
|
||||
+++ b/rhcs.fc
|
||||
@@ -1,31 +1,95 @@
|
||||
@ -83528,7 +83542,7 @@ index 47de2d6..9ecda11 100644
|
||||
+
|
||||
+/usr/share/corosync/corosync -- gen_context(system_u:object_r:cluster_exec_t,s0)
|
||||
+
|
||||
+/usr/share/cluster/fence_scsi_check.* -- gen_context(system_u:object_r:fenced_exec_t,s0)
|
||||
+/usr/share/cluster/fence_scsi_check\.pl -- gen_context(system_u:object_r:fenced_exec_t,s0)
|
||||
+
|
||||
+/usr/lib/pcsd/pcsd -- gen_context(system_u:object_r:cluster_exec_t,s0)
|
||||
+
|
||||
@ -84405,7 +84419,7 @@ index c8bdea2..29df561 100644
|
||||
+ allow $1 cluster_unit_file_t:service all_service_perms;
|
||||
')
|
||||
diff --git a/rhcs.te b/rhcs.te
|
||||
index 6cf79c4..9d253c3 100644
|
||||
index 6cf79c4..2c7b543 100644
|
||||
--- a/rhcs.te
|
||||
+++ b/rhcs.te
|
||||
@@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
|
||||
@ -84854,7 +84868,7 @@ index 6cf79c4..9d253c3 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -203,6 +502,17 @@ optional_policy(`
|
||||
@@ -203,6 +502,21 @@ optional_policy(`
|
||||
snmp_manage_var_lib_dirs(fenced_t)
|
||||
')
|
||||
|
||||
@ -84868,11 +84882,15 @@ index 6cf79c4..9d253c3 100644
|
||||
+optional_policy(`
|
||||
+ watchdog_unconfined_exec_read_lnk_files(fenced_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ gnome_dontaudit_search_config(fenced_t)
|
||||
+')
|
||||
+
|
||||
#######################################
|
||||
#
|
||||
# foghorn local policy
|
||||
@@ -221,16 +531,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
|
||||
@@ -221,16 +535,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
|
||||
corenet_tcp_connect_agentx_port(foghorn_t)
|
||||
corenet_tcp_sendrecv_agentx_port(foghorn_t)
|
||||
|
||||
@ -84893,7 +84911,7 @@ index 6cf79c4..9d253c3 100644
|
||||
snmp_stream_connect(foghorn_t)
|
||||
')
|
||||
|
||||
@@ -247,16 +559,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_
|
||||
@@ -247,16 +563,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_
|
||||
stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
|
||||
stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
|
||||
|
||||
@ -84915,7 +84933,7 @@ index 6cf79c4..9d253c3 100644
|
||||
optional_policy(`
|
||||
lvm_exec(gfs_controld_t)
|
||||
dev_rw_lvm_control(gfs_controld_t)
|
||||
@@ -275,10 +591,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
|
||||
@@ -275,10 +595,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
|
||||
|
||||
dev_list_sysfs(groupd_t)
|
||||
|
||||
@ -84975,7 +84993,7 @@ index 6cf79c4..9d253c3 100644
|
||||
######################################
|
||||
#
|
||||
# qdiskd local policy
|
||||
@@ -292,7 +655,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
|
||||
@@ -292,7 +659,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
|
||||
manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
|
||||
files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file })
|
||||
|
||||
@ -84983,7 +85001,7 @@ index 6cf79c4..9d253c3 100644
|
||||
kernel_read_software_raid_state(qdiskd_t)
|
||||
kernel_getattr_core_if(qdiskd_t)
|
||||
|
||||
@@ -321,6 +683,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
|
||||
@@ -321,6 +687,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
|
||||
|
||||
auth_use_nsswitch(qdiskd_t)
|
||||
|
||||
@ -93700,10 +93718,10 @@ index 0000000..7a8e744
|
||||
+userdom_dontaudit_open_user_ptys(sandbox_x_domain)
|
||||
+
|
||||
diff --git a/sanlock.fc b/sanlock.fc
|
||||
index 3df2a0f..4eb82b8 100644
|
||||
index 3df2a0f..7264d8a 100644
|
||||
--- a/sanlock.fc
|
||||
+++ b/sanlock.fc
|
||||
@@ -1,7 +1,12 @@
|
||||
@@ -1,7 +1,18 @@
|
||||
+
|
||||
/etc/rc\.d/init\.d/sanlock -- gen_context(system_u:object_r:sanlock_initrc_exec_t,s0)
|
||||
|
||||
@ -93712,25 +93730,32 @@ index 3df2a0f..4eb82b8 100644
|
||||
+
|
||||
+/var/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0)
|
||||
+
|
||||
+/var/run/sanlk-resetd(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0)
|
||||
+
|
||||
+/var/log/sanlock\.log.* gen_context(system_u:object_r:sanlock_log_t,s0)
|
||||
+
|
||||
+/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0)
|
||||
+
|
||||
+/usr/sbin/sanlk-resetd -- gen_context(system_u:object_r:sanlk_resetd_exec_t,s0)
|
||||
|
||||
-/var/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0)
|
||||
+/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0)
|
||||
+/usr/lib/systemd/system/sanlock\.service -- gen_context(system_u:object_r:sanlock_unit_file_t,s0)
|
||||
|
||||
-/var/log/sanlock\.log.* -- gen_context(system_u:object_r:sanlock_log_t,s0)
|
||||
+/usr/lib/systemd/system/sanlock\.service -- gen_context(system_u:object_r:sanlock_unit_file_t,s0)
|
||||
+/usr/lib/systemd/system/sanlk-resetd\.service -- gen_context(system_u:object_r:sanlk_resetd_unit_file_t,s0)
|
||||
diff --git a/sanlock.if b/sanlock.if
|
||||
index cd6c213..82a5ff0 100644
|
||||
index cd6c213..372c7bb 100644
|
||||
--- a/sanlock.if
|
||||
+++ b/sanlock.if
|
||||
@@ -1,4 +1,5 @@
|
||||
@@ -1,4 +1,6 @@
|
||||
-## <summary>shared storage lock manager.</summary>
|
||||
+
|
||||
+## <summary>policy for sanlock</summary>
|
||||
+## <summary>Sanlock - lock manager built on shared storage.</summary>
|
||||
+
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@@ -15,18 +16,17 @@ interface(`sanlock_domtrans',`
|
||||
@@ -15,18 +17,17 @@ interface(`sanlock_domtrans',`
|
||||
type sanlock_t, sanlock_exec_t;
|
||||
')
|
||||
|
||||
@ -93752,7 +93777,7 @@ index cd6c213..82a5ff0 100644
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@@ -40,8 +40,7 @@ interface(`sanlock_initrc_domtrans',`
|
||||
@@ -40,8 +41,7 @@ interface(`sanlock_initrc_domtrans',`
|
||||
|
||||
######################################
|
||||
## <summary>
|
||||
@ -93762,7 +93787,7 @@ index cd6c213..82a5ff0 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -60,28 +59,51 @@ interface(`sanlock_manage_pid_files',`
|
||||
@@ -60,28 +60,51 @@ interface(`sanlock_manage_pid_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -93823,7 +93848,7 @@ index cd6c213..82a5ff0 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -97,21 +119,23 @@ interface(`sanlock_stream_connect',`
|
||||
@@ -97,21 +120,125 @@ interface(`sanlock_stream_connect',`
|
||||
#
|
||||
interface(`sanlock_admin',`
|
||||
gen_require(`
|
||||
@ -93846,20 +93871,120 @@ index cd6c213..82a5ff0 100644
|
||||
role_transition $2 sanlock_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
- files_search_pids($1)
|
||||
- admin_pattern($1, sanlock_var_run_t)
|
||||
-
|
||||
- logging_search_logs($1)
|
||||
- admin_pattern($1, sanlock_log_t)
|
||||
+ virt_systemctl($1)
|
||||
+ admin_pattern($1, sanlock_unit_file_t)
|
||||
+ allow $1 sanlock_unit_file_t:service all_service_perms;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute sanlk_resetd_exec_t in the sanlk_resetd domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed to transition.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`sanlock_domtrans_sanlk_resetd',`
|
||||
+ gen_require(`
|
||||
+ type sanlk_resetd_t, sanlk_resetd_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ corecmd_search_bin($1)
|
||||
+ domtrans_pattern($1, sanlk_resetd_exec_t, sanlk_resetd_t)
|
||||
+')
|
||||
+
|
||||
+######################################
|
||||
+## <summary>
|
||||
+## Execute sanlk_resetd in the caller domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`sanlock_exec_sanlk_resetd',`
|
||||
+ gen_require(`
|
||||
+ type sanlk_resetd_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ corecmd_search_bin($1)
|
||||
+ can_exec($1, sanlk_resetd_exec_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute sanlk_resetd server in the sanlk_resetd domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed to transition.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`sanlock_systemctl_sanlk_resetd',`
|
||||
+ gen_require(`
|
||||
+ type sanlk_resetd_t;
|
||||
+ type sanlk_resetd_unit_file_t;
|
||||
+ ')
|
||||
+
|
||||
+ systemd_exec_systemctl($1)
|
||||
+ systemd_read_fifo_file_passwd_run($1)
|
||||
+ allow $1 sanlk_resetd_unit_file_t:file read_file_perms;
|
||||
+ allow $1 sanlk_resetd_unit_file_t:service manage_service_perms;
|
||||
+
|
||||
+ ps_process_pattern($1, sanlk_resetd_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## All of the rules required to administrate
|
||||
+## an sanlk_resetd environment
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`sanlock_admin_sanlk_resetd',`
|
||||
+ gen_require(`
|
||||
+ type sanlk_resetd_t;
|
||||
+ type sanlk_resetd_unit_file_t;
|
||||
+ type sanlk_resetd_unit_file_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 sanlk_resetd_t:process { signal_perms };
|
||||
+ ps_process_pattern($1, sanlk_resetd_t)
|
||||
+
|
||||
+ tunable_policy(`deny_ptrace',`',`
|
||||
+ allow $1 sanlk_resetd_t:process ptrace;
|
||||
+ ')
|
||||
+
|
||||
files_search_pids($1)
|
||||
- admin_pattern($1, sanlock_var_run_t)
|
||||
|
||||
- logging_search_logs($1)
|
||||
- admin_pattern($1, sanlock_log_t)
|
||||
+ sanlk_resetd_systemctl($1)
|
||||
+ admin_pattern($1, sanlk_resetd_unit_file_t)
|
||||
+ allow $1 sanlk_resetd_unit_file_t:service all_service_perms;
|
||||
+
|
||||
+ sanlk_resetd_systemctl($1)
|
||||
+ admin_pattern($1, sanlk_resetd_unit_file_t)
|
||||
+ allow $1 sanlk_resetd_unit_file_t:service all_service_perms;
|
||||
+ optional_policy(`
|
||||
+ systemd_passwd_agent_exec($1)
|
||||
+ systemd_read_fifo_file_passwd_run($1)
|
||||
+ ')
|
||||
')
|
||||
diff --git a/sanlock.te b/sanlock.te
|
||||
index 0045465..2059657 100644
|
||||
index 0045465..7afb413 100644
|
||||
--- a/sanlock.te
|
||||
+++ b/sanlock.te
|
||||
@@ -6,25 +6,33 @@ policy_module(sanlock, 1.1.0)
|
||||
@@ -6,25 +6,37 @@ policy_module(sanlock, 1.1.0)
|
||||
#
|
||||
|
||||
## <desc>
|
||||
@ -93895,23 +94020,30 @@ index 0045465..2059657 100644
|
||||
type sanlock_exec_t;
|
||||
init_daemon_domain(sanlock_t, sanlock_exec_t)
|
||||
|
||||
+type sanlk_resetd_t;
|
||||
+type sanlk_resetd_exec_t;
|
||||
+init_daemon_domain(sanlk_resetd_t, sanlk_resetd_exec_t)
|
||||
+
|
||||
+type sanlock_conf_t;
|
||||
+files_config_file(sanlock_conf_t)
|
||||
+
|
||||
type sanlock_var_run_t;
|
||||
files_pid_file(sanlock_var_run_t)
|
||||
|
||||
@@ -34,6 +42,9 @@ logging_log_file(sanlock_log_t)
|
||||
@@ -34,6 +46,12 @@ logging_log_file(sanlock_log_t)
|
||||
type sanlock_initrc_exec_t;
|
||||
init_script_file(sanlock_initrc_exec_t)
|
||||
|
||||
+type sanlock_unit_file_t;
|
||||
+systemd_unit_file(sanlock_unit_file_t)
|
||||
+
|
||||
+type sanlk_resetd_unit_file_t;
|
||||
+systemd_unit_file(sanlk_resetd_unit_file_t)
|
||||
+
|
||||
ifdef(`enable_mcs',`
|
||||
init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mcs_systemhigh)
|
||||
')
|
||||
@@ -44,17 +55,18 @@ ifdef(`enable_mls',`
|
||||
@@ -44,17 +62,18 @@ ifdef(`enable_mls',`
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -93925,18 +94057,18 @@ index 0045465..2059657 100644
|
||||
allow sanlock_t self:fifo_file rw_fifo_file_perms;
|
||||
-allow sanlock_t self:unix_stream_socket { accept listen };
|
||||
+allow sanlock_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+
|
||||
+manage_files_pattern(sanlock_t, sanlock_conf_t, sanlock_conf_t)
|
||||
+manage_dirs_pattern(sanlock_t, sanlock_conf_t, sanlock_conf_t)
|
||||
|
||||
-append_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
|
||||
-create_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
|
||||
-setattr_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
|
||||
+manage_files_pattern(sanlock_t, sanlock_conf_t, sanlock_conf_t)
|
||||
+manage_dirs_pattern(sanlock_t, sanlock_conf_t, sanlock_conf_t)
|
||||
+
|
||||
+manage_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
|
||||
logging_log_filetrans(sanlock_t, sanlock_log_t, file)
|
||||
|
||||
manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
|
||||
@@ -65,13 +77,16 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
|
||||
@@ -65,13 +84,16 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
|
||||
kernel_read_system_state(sanlock_t)
|
||||
kernel_read_kernel_sysctls(sanlock_t)
|
||||
|
||||
@ -93956,7 +94088,7 @@ index 0045465..2059657 100644
|
||||
auth_use_nsswitch(sanlock_t)
|
||||
|
||||
init_read_utmp(sanlock_t)
|
||||
@@ -79,20 +94,29 @@ init_dontaudit_write_utmp(sanlock_t)
|
||||
@@ -79,20 +101,29 @@ init_dontaudit_write_utmp(sanlock_t)
|
||||
|
||||
logging_send_syslog_msg(sanlock_t)
|
||||
|
||||
@ -93995,7 +94127,7 @@ index 0045465..2059657 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -100,7 +124,10 @@ optional_policy(`
|
||||
@@ -100,7 +131,34 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -94007,6 +94139,30 @@ index 0045465..2059657 100644
|
||||
- virt_signal_all_virt_domains(sanlock_t)
|
||||
+ virt_signal_svirt(sanlock_t)
|
||||
+ virt_read_pid_files(sanlock_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# sanlk_resetd local policy
|
||||
+#
|
||||
+
|
||||
+allow sanlk_resetd_t self:capability dac_override;
|
||||
+allow sanlk_resetd_t self:fifo_file rw_fifo_file_perms;
|
||||
+allow sanlk_resetd_t sanlock_t:unix_stream_socket connectto;
|
||||
+
|
||||
+manage_dirs_pattern(sanlk_resetd_t, sanlock_var_run_t, sanlock_var_run_t)
|
||||
+manage_files_pattern(sanlk_resetd_t, sanlock_var_run_t, sanlock_var_run_t)
|
||||
+manage_sock_files_pattern(sanlk_resetd_t, sanlock_var_run_t, sanlock_var_run_t)
|
||||
+files_pid_filetrans(sanlk_resetd_t, sanlock_var_run_t, dir)
|
||||
+
|
||||
+kernel_dgram_send(sanlk_resetd_t)
|
||||
+
|
||||
+domain_use_interactive_fds(sanlk_resetd_t)
|
||||
+
|
||||
+logging_send_syslog_msg(sanlk_resetd_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ wdmd_stream_connect(sanlk_resetd_t)
|
||||
')
|
||||
diff --git a/sasl.fc b/sasl.fc
|
||||
index 54f41c2..7e58679 100644
|
||||
@ -94579,7 +94735,7 @@ index e7c2cf7..435aaa6 100644
|
||||
+/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
|
||||
+/var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
|
||||
diff --git a/screen.if b/screen.if
|
||||
index be5cce2..a7a8a67 100644
|
||||
index be5cce2..b81f5df 100644
|
||||
--- a/screen.if
|
||||
+++ b/screen.if
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -94600,7 +94756,7 @@ index be5cce2..a7a8a67 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -35,50 +34,52 @@ template(`screen_role_template',`
|
||||
@@ -35,50 +34,53 @@ template(`screen_role_template',`
|
||||
#
|
||||
|
||||
type $1_screen_t, screen_domain;
|
||||
@ -94620,6 +94776,7 @@ index be5cce2..a7a8a67 100644
|
||||
- #
|
||||
- # Local policy
|
||||
- #
|
||||
+ userdom_list_user_home_dirs($1_screen_t)
|
||||
+ userdom_home_reader($1_screen_t)
|
||||
|
||||
domtrans_pattern($3, screen_exec_t, $1_screen_t)
|
||||
@ -94675,7 +94832,7 @@ index be5cce2..a7a8a67 100644
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_cifs_domtrans($1_screen_t, $3)
|
||||
@@ -88,3 +89,41 @@ template(`screen_role_template',`
|
||||
@@ -88,3 +90,41 @@ template(`screen_role_template',`
|
||||
fs_nfs_domtrans($1_screen_t, $3)
|
||||
')
|
||||
')
|
||||
@ -112411,7 +112568,7 @@ index eecd0e0..8df2e8c 100644
|
||||
|
||||
/var/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0)
|
||||
diff --git a/watchdog.if b/watchdog.if
|
||||
index 6461a77..146852e 100644
|
||||
index 6461a77..8fda2dd 100644
|
||||
--- a/watchdog.if
|
||||
+++ b/watchdog.if
|
||||
@@ -37,3 +37,21 @@ interface(`watchdog_admin',`
|
||||
@ -112434,7 +112591,7 @@ index 6461a77..146852e 100644
|
||||
+ type watchdog_unconfined_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 watchdog_unconfined_exec_t:lnk_file read_lnk_file_perms;
|
||||
+ read_lnk_files_pattern($1,watchdog_unconfined_exec_t, watchdog_unconfined_exec_t)
|
||||
+')
|
||||
diff --git a/watchdog.te b/watchdog.te
|
||||
index 3548317..fc3da17 100644
|
||||
|
||||
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 146%{?dist}
|
||||
Release: 147%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -651,6 +651,23 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Sep 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-147
|
||||
- named wants to access /proc/sys/net/ipv4/ip_local_port_range to get ehphemeral range. BZ(#1260272)
|
||||
- Allow user screen domains to list directorires in HOMEDIR wit user_home_t labeling.
|
||||
- Dontaudit fenced search gnome config
|
||||
- Allow teamd running as NetworkManager_t to access netlink_generic_socket to allow multiple network interfaces to be teamed together. BZ(#1259180)
|
||||
- Fix for watchdog_unconfined_exec_read_lnk_files, Add also dir search perms in watchdog_unconfined_exec_t.
|
||||
- Sanlock policy update. #1255307 - New sub-domain for sanlk-reset daemon
|
||||
- Fix labeling for fence_scsi_check script
|
||||
- Allow openhpid to read system state Aloow openhpid to connect to tcp http port.
|
||||
- Allow openhpid to read snmp var lib files.
|
||||
- Allow openvswitch_t domains read kernel dependencies due to openvswitch run modprobe
|
||||
- Fix regexp in chronyd.fc file
|
||||
- systemd-logind needs to be able to act with /usr/lib/systemd/system/poweroff.target to allow shutdown system. BZ(#1260175)
|
||||
- Allow systemd-udevd to access netlink_route_socket to change names for network interfaces without unconfined.pp module. It affects also MLS.
|
||||
- Allow unconfined_t domains to create /var/run/xtables.lock with iptables_var_run_t
|
||||
- Remove bin_t label for /usr/share/cluster/fence_scsi_check\.pl
|
||||
|
||||
* Tue Sep 01 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-146
|
||||
- Allow passenger to getattr filesystem xattr
|
||||
- Revert "Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc."
|
||||
|
||||
Loading…
Reference in New Issue
Block a user