* Tue Aug 15 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-272
- Allow sssd_t domain to map sssd_var_lib_t files - allow map permission where needed - contrib: allow map permission where needed - Allow syslogd_t to map syslogd_var_run_t files - allow map permission where needed
This commit is contained in:
parent
c6aaaee231
commit
284401b055
Binary file not shown.
@ -6849,7 +6849,7 @@ index b31c05491..3ad1127cc 100644
|
|||||||
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
|
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
|
||||||
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
|
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
|
||||||
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
|
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
|
||||||
index 76f285ea6..732931f47 100644
|
index 76f285ea6..917fc3cc5 100644
|
||||||
--- a/policy/modules/kernel/devices.if
|
--- a/policy/modules/kernel/devices.if
|
||||||
+++ b/policy/modules/kernel/devices.if
|
+++ b/policy/modules/kernel/devices.if
|
||||||
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
|
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
|
||||||
@ -8135,7 +8135,7 @@ index 76f285ea6..732931f47 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -3669,6 +4404,7 @@ interface(`dev_read_sound_mixer',`
|
@@ -3633,6 +4368,7 @@ interface(`dev_read_sound',`
|
||||||
')
|
')
|
||||||
|
|
||||||
read_chr_files_pattern($1, device_t, sound_device_t)
|
read_chr_files_pattern($1, device_t, sound_device_t)
|
||||||
@ -8143,7 +8143,15 @@ index 76f285ea6..732931f47 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -3855,7 +4591,7 @@ interface(`dev_getattr_sysfs_dirs',`
|
@@ -3669,6 +4405,7 @@ interface(`dev_read_sound_mixer',`
|
||||||
|
')
|
||||||
|
|
||||||
|
read_chr_files_pattern($1, device_t, sound_device_t)
|
||||||
|
+ allow $1 sound_device_t:chr_file map;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
@@ -3855,7 +4592,7 @@ interface(`dev_getattr_sysfs_dirs',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -8152,7 +8160,7 @@ index 76f285ea6..732931f47 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -3863,91 +4599,89 @@ interface(`dev_getattr_sysfs_dirs',`
|
@@ -3863,91 +4600,89 @@ interface(`dev_getattr_sysfs_dirs',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -8263,7 +8271,7 @@ index 76f285ea6..732931f47 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -3955,60 +4689,215 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
|
@@ -3955,60 +4690,215 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -8500,7 +8508,7 @@ index 76f285ea6..732931f47 100644
|
|||||||
read_lnk_files_pattern($1, sysfs_t, sysfs_t)
|
read_lnk_files_pattern($1, sysfs_t, sysfs_t)
|
||||||
|
|
||||||
list_dirs_pattern($1, sysfs_t, sysfs_t)
|
list_dirs_pattern($1, sysfs_t, sysfs_t)
|
||||||
@@ -4016,6 +4905,81 @@ interface(`dev_rw_sysfs',`
|
@@ -4016,6 +4906,81 @@ interface(`dev_rw_sysfs',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -8582,7 +8590,7 @@ index 76f285ea6..732931f47 100644
|
|||||||
## Read and write the TPM device.
|
## Read and write the TPM device.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -4113,6 +5077,25 @@ interface(`dev_write_urand',`
|
@@ -4113,6 +5078,25 @@ interface(`dev_write_urand',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -8608,7 +8616,7 @@ index 76f285ea6..732931f47 100644
|
|||||||
## Getattr generic the USB devices.
|
## Getattr generic the USB devices.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -4123,7 +5106,7 @@ interface(`dev_write_urand',`
|
@@ -4123,7 +5107,7 @@ interface(`dev_write_urand',`
|
||||||
#
|
#
|
||||||
interface(`dev_getattr_generic_usb_dev',`
|
interface(`dev_getattr_generic_usb_dev',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -8617,7 +8625,7 @@ index 76f285ea6..732931f47 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
getattr_chr_files_pattern($1, device_t, usb_device_t)
|
getattr_chr_files_pattern($1, device_t, usb_device_t)
|
||||||
@@ -4409,9 +5392,9 @@ interface(`dev_rw_usbfs',`
|
@@ -4409,9 +5393,9 @@ interface(`dev_rw_usbfs',`
|
||||||
read_lnk_files_pattern($1, usbfs_t, usbfs_t)
|
read_lnk_files_pattern($1, usbfs_t, usbfs_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -8629,7 +8637,7 @@ index 76f285ea6..732931f47 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -4419,17 +5402,17 @@ interface(`dev_rw_usbfs',`
|
@@ -4419,17 +5403,17 @@ interface(`dev_rw_usbfs',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -8652,7 +8660,7 @@ index 76f285ea6..732931f47 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -4437,12 +5420,12 @@ interface(`dev_getattr_video_dev',`
|
@@ -4437,12 +5421,12 @@ interface(`dev_getattr_video_dev',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -8668,7 +8676,7 @@ index 76f285ea6..732931f47 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -4539,6 +5522,134 @@ interface(`dev_write_video_dev',`
|
@@ -4539,6 +5523,134 @@ interface(`dev_write_video_dev',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -8803,7 +8811,7 @@ index 76f285ea6..732931f47 100644
|
|||||||
## Allow read/write the vhost net device
|
## Allow read/write the vhost net device
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -4557,6 +5668,24 @@ interface(`dev_rw_vhost',`
|
@@ -4557,6 +5669,24 @@ interface(`dev_rw_vhost',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -8828,7 +8836,7 @@ index 76f285ea6..732931f47 100644
|
|||||||
## Read and write VMWare devices.
|
## Read and write VMWare devices.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -4589,7 +5718,7 @@ interface(`dev_rwx_vmware',`
|
@@ -4589,7 +5719,7 @@ interface(`dev_rwx_vmware',`
|
||||||
')
|
')
|
||||||
|
|
||||||
dev_rw_vmware($1)
|
dev_rw_vmware($1)
|
||||||
@ -8837,7 +8845,7 @@ index 76f285ea6..732931f47 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -4630,6 +5759,24 @@ interface(`dev_write_watchdog',`
|
@@ -4630,6 +5760,24 @@ interface(`dev_write_watchdog',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -8862,7 +8870,7 @@ index 76f285ea6..732931f47 100644
|
|||||||
## Read and write the the wireless device.
|
## Read and write the the wireless device.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -4762,6 +5909,44 @@ interface(`dev_rw_xserver_misc',`
|
@@ -4762,6 +5910,44 @@ interface(`dev_rw_xserver_misc',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -8907,7 +8915,7 @@ index 76f285ea6..732931f47 100644
|
|||||||
## Read and write to the zero device (/dev/zero).
|
## Read and write to the zero device (/dev/zero).
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -4794,7 +5979,7 @@ interface(`dev_rwx_zero',`
|
@@ -4794,7 +5980,7 @@ interface(`dev_rwx_zero',`
|
||||||
')
|
')
|
||||||
|
|
||||||
dev_rw_zero($1)
|
dev_rw_zero($1)
|
||||||
@ -8916,7 +8924,7 @@ index 76f285ea6..732931f47 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -4851,3 +6036,1042 @@ interface(`dev_unconfined',`
|
@@ -4851,3 +6037,1042 @@ interface(`dev_unconfined',`
|
||||||
|
|
||||||
typeattribute $1 devices_unconfined_type;
|
typeattribute $1 devices_unconfined_type;
|
||||||
')
|
')
|
||||||
@ -28908,7 +28916,7 @@ index 8274418c6..a47fd0b4d 100644
|
|||||||
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
||||||
+
|
+
|
||||||
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
|
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
|
||||||
index 6bf0ecc2d..e6be63aa8 100644
|
index 6bf0ecc2d..29db5fd25 100644
|
||||||
--- a/policy/modules/services/xserver.if
|
--- a/policy/modules/services/xserver.if
|
||||||
+++ b/policy/modules/services/xserver.if
|
+++ b/policy/modules/services/xserver.if
|
||||||
@@ -18,100 +18,36 @@
|
@@ -18,100 +18,36 @@
|
||||||
@ -29625,7 +29633,7 @@ index 6bf0ecc2d..e6be63aa8 100644
|
|||||||
+ type xdm_var_lib_t;
|
+ type xdm_var_lib_t;
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ allow $1 xdm_var_lib_t:file read_inherited_file_perms;
|
+ allow $1 xdm_var_lib_t:file { read_inherited_file_perms map };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -40037,7 +40045,7 @@ index b50c5fe81..9eacd9ba1 100644
|
|||||||
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||||
+
|
+
|
||||||
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
|
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
|
||||||
index 4e9488463..7b395456f 100644
|
index 4e9488463..5f5045ae1 100644
|
||||||
--- a/policy/modules/system/logging.if
|
--- a/policy/modules/system/logging.if
|
||||||
+++ b/policy/modules/system/logging.if
|
+++ b/policy/modules/system/logging.if
|
||||||
@@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
|
@@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
|
||||||
@ -40361,7 +40369,13 @@ index 4e9488463..7b395456f 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -885,6 +1107,63 @@ interface(`logging_read_generic_logs',`
|
@@ -880,11 +1102,69 @@ interface(`logging_read_generic_logs',`
|
||||||
|
|
||||||
|
files_search_var($1)
|
||||||
|
allow $1 var_log_t:dir list_dir_perms;
|
||||||
|
+ allow $1 var_log_t:file map;
|
||||||
|
read_files_pattern($1, var_log_t, var_log_t)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -40425,7 +40439,7 @@ index 4e9488463..7b395456f 100644
|
|||||||
## Write generic log files.
|
## Write generic log files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -905,6 +1184,24 @@ interface(`logging_write_generic_logs',`
|
@@ -905,6 +1185,24 @@ interface(`logging_write_generic_logs',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -40450,7 +40464,7 @@ index 4e9488463..7b395456f 100644
|
|||||||
## Dontaudit Write generic log files.
|
## Dontaudit Write generic log files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -984,11 +1281,16 @@ interface(`logging_admin_audit',`
|
@@ -984,11 +1282,16 @@ interface(`logging_admin_audit',`
|
||||||
type auditd_t, auditd_etc_t, auditd_log_t;
|
type auditd_t, auditd_etc_t, auditd_log_t;
|
||||||
type auditd_var_run_t;
|
type auditd_var_run_t;
|
||||||
type auditd_initrc_exec_t;
|
type auditd_initrc_exec_t;
|
||||||
@ -40468,7 +40482,7 @@ index 4e9488463..7b395456f 100644
|
|||||||
manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
|
manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
|
||||||
manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
|
manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
|
||||||
|
|
||||||
@@ -1004,6 +1306,55 @@ interface(`logging_admin_audit',`
|
@@ -1004,6 +1307,55 @@ interface(`logging_admin_audit',`
|
||||||
domain_system_change_exemption($1)
|
domain_system_change_exemption($1)
|
||||||
role_transition $2 auditd_initrc_exec_t system_r;
|
role_transition $2 auditd_initrc_exec_t system_r;
|
||||||
allow $2 system_r;
|
allow $2 system_r;
|
||||||
@ -40524,7 +40538,7 @@ index 4e9488463..7b395456f 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1032,10 +1383,15 @@ interface(`logging_admin_syslog',`
|
@@ -1032,10 +1384,15 @@ interface(`logging_admin_syslog',`
|
||||||
type syslogd_initrc_exec_t;
|
type syslogd_initrc_exec_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -40542,7 +40556,7 @@ index 4e9488463..7b395456f 100644
|
|||||||
|
|
||||||
manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
|
manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
|
||||||
manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
|
manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
|
||||||
@@ -1057,6 +1413,8 @@ interface(`logging_admin_syslog',`
|
@@ -1057,6 +1414,8 @@ interface(`logging_admin_syslog',`
|
||||||
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
|
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
|
||||||
|
|
||||||
logging_manage_all_logs($1)
|
logging_manage_all_logs($1)
|
||||||
@ -40551,7 +40565,7 @@ index 4e9488463..7b395456f 100644
|
|||||||
|
|
||||||
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
|
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
|
||||||
domain_system_change_exemption($1)
|
domain_system_change_exemption($1)
|
||||||
@@ -1085,3 +1443,110 @@ interface(`logging_admin',`
|
@@ -1085,3 +1444,110 @@ interface(`logging_admin',`
|
||||||
logging_admin_audit($1, $2)
|
logging_admin_audit($1, $2)
|
||||||
logging_admin_syslog($1, $2)
|
logging_admin_syslog($1, $2)
|
||||||
')
|
')
|
||||||
@ -40663,7 +40677,7 @@ index 4e9488463..7b395456f 100644
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
|
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
|
||||||
index 59b04c1a2..2ad89c533 100644
|
index 59b04c1a2..483fb780e 100644
|
||||||
--- a/policy/modules/system/logging.te
|
--- a/policy/modules/system/logging.te
|
||||||
+++ b/policy/modules/system/logging.te
|
+++ b/policy/modules/system/logging.te
|
||||||
@@ -4,6 +4,29 @@ policy_module(logging, 1.20.1)
|
@@ -4,6 +4,29 @@ policy_module(logging, 1.20.1)
|
||||||
@ -40947,7 +40961,7 @@ index 59b04c1a2..2ad89c533 100644
|
|||||||
rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
|
rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
|
||||||
files_search_spool(syslogd_t)
|
files_search_spool(syslogd_t)
|
||||||
|
|
||||||
@@ -389,30 +456,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
|
@@ -389,30 +456,48 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
|
||||||
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
|
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
|
||||||
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
|
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
|
||||||
|
|
||||||
@ -40964,6 +40978,7 @@ index 59b04c1a2..2ad89c533 100644
|
|||||||
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
|
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
|
||||||
-files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
|
-files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
|
||||||
+manage_sock_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
|
+manage_sock_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
|
||||||
|
+mmap_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
|
||||||
+files_pid_filetrans(syslogd_t, syslogd_var_run_t, { file dir })
|
+files_pid_filetrans(syslogd_t, syslogd_var_run_t, { file dir })
|
||||||
|
|
||||||
+kernel_rw_stream_socket_perms(syslogd_t)
|
+kernel_rw_stream_socket_perms(syslogd_t)
|
||||||
@ -40998,7 +41013,7 @@ index 59b04c1a2..2ad89c533 100644
|
|||||||
# syslog-ng can listen and connect on tcp port 514 (rsh)
|
# syslog-ng can listen and connect on tcp port 514 (rsh)
|
||||||
corenet_tcp_sendrecv_generic_if(syslogd_t)
|
corenet_tcp_sendrecv_generic_if(syslogd_t)
|
||||||
corenet_tcp_sendrecv_generic_node(syslogd_t)
|
corenet_tcp_sendrecv_generic_node(syslogd_t)
|
||||||
@@ -422,6 +506,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
|
@@ -422,6 +507,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
|
||||||
corenet_tcp_connect_rsh_port(syslogd_t)
|
corenet_tcp_connect_rsh_port(syslogd_t)
|
||||||
# Allow users to define additional syslog ports to connect to
|
# Allow users to define additional syslog ports to connect to
|
||||||
corenet_tcp_bind_syslogd_port(syslogd_t)
|
corenet_tcp_bind_syslogd_port(syslogd_t)
|
||||||
@ -41007,7 +41022,7 @@ index 59b04c1a2..2ad89c533 100644
|
|||||||
corenet_tcp_connect_syslogd_port(syslogd_t)
|
corenet_tcp_connect_syslogd_port(syslogd_t)
|
||||||
corenet_tcp_connect_postgresql_port(syslogd_t)
|
corenet_tcp_connect_postgresql_port(syslogd_t)
|
||||||
corenet_tcp_connect_mysqld_port(syslogd_t)
|
corenet_tcp_connect_mysqld_port(syslogd_t)
|
||||||
@@ -432,9 +518,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
|
@@ -432,9 +519,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
|
||||||
corenet_sendrecv_postgresql_client_packets(syslogd_t)
|
corenet_sendrecv_postgresql_client_packets(syslogd_t)
|
||||||
corenet_sendrecv_mysqld_client_packets(syslogd_t)
|
corenet_sendrecv_mysqld_client_packets(syslogd_t)
|
||||||
|
|
||||||
@ -41041,7 +41056,7 @@ index 59b04c1a2..2ad89c533 100644
|
|||||||
domain_use_interactive_fds(syslogd_t)
|
domain_use_interactive_fds(syslogd_t)
|
||||||
|
|
||||||
files_read_etc_files(syslogd_t)
|
files_read_etc_files(syslogd_t)
|
||||||
@@ -448,13 +557,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
|
@@ -448,13 +558,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
|
||||||
|
|
||||||
fs_getattr_all_fs(syslogd_t)
|
fs_getattr_all_fs(syslogd_t)
|
||||||
fs_search_auto_mountpoints(syslogd_t)
|
fs_search_auto_mountpoints(syslogd_t)
|
||||||
@ -41059,7 +41074,7 @@ index 59b04c1a2..2ad89c533 100644
|
|||||||
# for sending messages to logged in users
|
# for sending messages to logged in users
|
||||||
init_read_utmp(syslogd_t)
|
init_read_utmp(syslogd_t)
|
||||||
init_dontaudit_write_utmp(syslogd_t)
|
init_dontaudit_write_utmp(syslogd_t)
|
||||||
@@ -466,11 +579,12 @@ init_use_fds(syslogd_t)
|
@@ -466,11 +580,12 @@ init_use_fds(syslogd_t)
|
||||||
|
|
||||||
# cjp: this doesnt make sense
|
# cjp: this doesnt make sense
|
||||||
logging_send_syslog_msg(syslogd_t)
|
logging_send_syslog_msg(syslogd_t)
|
||||||
@ -41075,7 +41090,7 @@ index 59b04c1a2..2ad89c533 100644
|
|||||||
|
|
||||||
ifdef(`distro_gentoo',`
|
ifdef(`distro_gentoo',`
|
||||||
# default gentoo syslog-ng config appends kernel
|
# default gentoo syslog-ng config appends kernel
|
||||||
@@ -497,6 +611,7 @@ optional_policy(`
|
@@ -497,6 +612,7 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
cron_manage_log_files(syslogd_t)
|
cron_manage_log_files(syslogd_t)
|
||||||
cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
|
cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
|
||||||
@ -41083,7 +41098,7 @@ index 59b04c1a2..2ad89c533 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -507,15 +622,44 @@ optional_policy(`
|
@@ -507,15 +623,44 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -41128,7 +41143,7 @@ index 59b04c1a2..2ad89c533 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -526,3 +670,29 @@ optional_policy(`
|
@@ -526,3 +671,29 @@ optional_policy(`
|
||||||
# log to the xconsole
|
# log to the xconsole
|
||||||
xserver_rw_console(syslogd_t)
|
xserver_rw_console(syslogd_t)
|
||||||
')
|
')
|
||||||
@ -46632,10 +46647,10 @@ index 000000000..121b42208
|
|||||||
+/var/run/initramfs(/.*)? <<none>>
|
+/var/run/initramfs(/.*)? <<none>>
|
||||||
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
|
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 000000000..d1356af89
|
index 000000000..278a1f69b
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/system/systemd.if
|
+++ b/policy/modules/system/systemd.if
|
||||||
@@ -0,0 +1,1842 @@
|
@@ -0,0 +1,1843 @@
|
||||||
+## <summary>SELinux policy for systemd components</summary>
|
+## <summary>SELinux policy for systemd components</summary>
|
||||||
+
|
+
|
||||||
+######################################
|
+######################################
|
||||||
@ -48435,6 +48450,7 @@ index 000000000..d1356af89
|
|||||||
+
|
+
|
||||||
+ files_search_etc($1)
|
+ files_search_etc($1)
|
||||||
+ manage_files_pattern($1, systemd_hwdb_etc_t, systemd_hwdb_etc_t)
|
+ manage_files_pattern($1, systemd_hwdb_etc_t, systemd_hwdb_etc_t)
|
||||||
|
+ mmap_files_pattern($1, systemd_hwdb_etc_t, systemd_hwdb_etc_t)
|
||||||
+ allow $1 systemd_hwdb_etc_t:file {relabelfrom relabelto};
|
+ allow $1 systemd_hwdb_etc_t:file {relabelfrom relabelto};
|
||||||
+ files_etc_filetrans($1, systemd_hwdb_etc_t, file)
|
+ files_etc_filetrans($1, systemd_hwdb_etc_t, file)
|
||||||
+')
|
+')
|
||||||
|
@ -589,7 +589,7 @@ index 058d908e4..ee0c55969 100644
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
diff --git a/abrt.te b/abrt.te
|
diff --git a/abrt.te b/abrt.te
|
||||||
index eb50f070f..4e5a59207 100644
|
index eb50f070f..53dd1ab4d 100644
|
||||||
--- a/abrt.te
|
--- a/abrt.te
|
||||||
+++ b/abrt.te
|
+++ b/abrt.te
|
||||||
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
|
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
|
||||||
@ -738,7 +738,7 @@ index eb50f070f..4e5a59207 100644
|
|||||||
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
|
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
|
||||||
logging_log_filetrans(abrt_t, abrt_var_log_t, file)
|
logging_log_filetrans(abrt_t, abrt_var_log_t, file)
|
||||||
|
|
||||||
@@ -125,48 +136,59 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
|
@@ -125,48 +136,60 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
|
||||||
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
|
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
|
||||||
manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
|
manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
|
||||||
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
|
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
|
||||||
@ -748,6 +748,7 @@ index eb50f070f..4e5a59207 100644
|
|||||||
manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
|
manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
|
||||||
manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
|
manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
|
||||||
manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
|
manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
|
||||||
|
+mmap_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
|
||||||
files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
|
files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
|
||||||
files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)
|
files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)
|
||||||
+files_tmp_filetrans(abrt_t, abrt_var_cache_t, dir, "abrt")
|
+files_tmp_filetrans(abrt_t, abrt_var_cache_t, dir, "abrt")
|
||||||
@ -805,7 +806,7 @@ index eb50f070f..4e5a59207 100644
|
|||||||
|
|
||||||
domain_getattr_all_domains(abrt_t)
|
domain_getattr_all_domains(abrt_t)
|
||||||
domain_read_all_domains_state(abrt_t)
|
domain_read_all_domains_state(abrt_t)
|
||||||
@@ -176,29 +198,44 @@ files_getattr_all_files(abrt_t)
|
@@ -176,29 +199,44 @@ files_getattr_all_files(abrt_t)
|
||||||
files_read_config_files(abrt_t)
|
files_read_config_files(abrt_t)
|
||||||
files_read_etc_runtime_files(abrt_t)
|
files_read_etc_runtime_files(abrt_t)
|
||||||
files_read_var_symlinks(abrt_t)
|
files_read_var_symlinks(abrt_t)
|
||||||
@ -853,7 +854,7 @@ index eb50f070f..4e5a59207 100644
|
|||||||
|
|
||||||
tunable_policy(`abrt_anon_write',`
|
tunable_policy(`abrt_anon_write',`
|
||||||
miscfiles_manage_public_files(abrt_t)
|
miscfiles_manage_public_files(abrt_t)
|
||||||
@@ -206,15 +243,11 @@ tunable_policy(`abrt_anon_write',`
|
@@ -206,15 +244,11 @@ tunable_policy(`abrt_anon_write',`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
apache_list_modules(abrt_t)
|
apache_list_modules(abrt_t)
|
||||||
@ -870,7 +871,7 @@ index eb50f070f..4e5a59207 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -222,6 +255,37 @@ optional_policy(`
|
@@ -222,6 +256,37 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -908,7 +909,7 @@ index eb50f070f..4e5a59207 100644
|
|||||||
policykit_domtrans_auth(abrt_t)
|
policykit_domtrans_auth(abrt_t)
|
||||||
policykit_read_lib(abrt_t)
|
policykit_read_lib(abrt_t)
|
||||||
policykit_read_reload(abrt_t)
|
policykit_read_reload(abrt_t)
|
||||||
@@ -234,18 +298,25 @@ optional_policy(`
|
@@ -234,18 +299,25 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -937,7 +938,7 @@ index eb50f070f..4e5a59207 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
sosreport_domtrans(abrt_t)
|
sosreport_domtrans(abrt_t)
|
||||||
@@ -253,9 +324,21 @@ optional_policy(`
|
@@ -253,9 +325,21 @@ optional_policy(`
|
||||||
sosreport_delete_tmp_files(abrt_t)
|
sosreport_delete_tmp_files(abrt_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -960,7 +961,7 @@ index eb50f070f..4e5a59207 100644
|
|||||||
#
|
#
|
||||||
|
|
||||||
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
|
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
|
||||||
@@ -266,9 +349,13 @@ tunable_policy(`abrt_handle_event',`
|
@@ -266,9 +350,13 @@ tunable_policy(`abrt_handle_event',`
|
||||||
can_exec(abrt_t, abrt_handle_event_exec_t)
|
can_exec(abrt_t, abrt_handle_event_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -975,7 +976,7 @@ index eb50f070f..4e5a59207 100644
|
|||||||
#
|
#
|
||||||
|
|
||||||
allow abrt_helper_t self:capability { chown setgid sys_nice };
|
allow abrt_helper_t self:capability { chown setgid sys_nice };
|
||||||
@@ -281,6 +368,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
|
@@ -281,6 +369,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
|
||||||
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
|
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
|
||||||
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
|
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
|
||||||
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
|
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
|
||||||
@ -983,7 +984,7 @@ index eb50f070f..4e5a59207 100644
|
|||||||
|
|
||||||
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
|
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
|
||||||
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
|
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
|
||||||
@@ -289,15 +377,20 @@ corecmd_read_all_executables(abrt_helper_t)
|
@@ -289,15 +378,20 @@ corecmd_read_all_executables(abrt_helper_t)
|
||||||
|
|
||||||
domain_read_all_domains_state(abrt_helper_t)
|
domain_read_all_domains_state(abrt_helper_t)
|
||||||
|
|
||||||
@ -1004,7 +1005,7 @@ index eb50f070f..4e5a59207 100644
|
|||||||
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
|
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
|
||||||
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
|
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
|
||||||
dev_dontaudit_read_all_blk_files(abrt_helper_t)
|
dev_dontaudit_read_all_blk_files(abrt_helper_t)
|
||||||
@@ -305,11 +398,25 @@ ifdef(`hide_broken_symptoms',`
|
@@ -305,11 +399,25 @@ ifdef(`hide_broken_symptoms',`
|
||||||
dev_dontaudit_write_all_chr_files(abrt_helper_t)
|
dev_dontaudit_write_all_chr_files(abrt_helper_t)
|
||||||
dev_dontaudit_write_all_blk_files(abrt_helper_t)
|
dev_dontaudit_write_all_blk_files(abrt_helper_t)
|
||||||
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
|
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
|
||||||
@ -1031,7 +1032,7 @@ index eb50f070f..4e5a59207 100644
|
|||||||
#
|
#
|
||||||
|
|
||||||
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
|
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
|
||||||
@@ -327,10 +434,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
|
@@ -327,10 +435,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
|
||||||
|
|
||||||
dev_read_urand(abrt_retrace_coredump_t)
|
dev_read_urand(abrt_retrace_coredump_t)
|
||||||
|
|
||||||
@ -1045,7 +1046,7 @@ index eb50f070f..4e5a59207 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
rpm_exec(abrt_retrace_coredump_t)
|
rpm_exec(abrt_retrace_coredump_t)
|
||||||
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
|
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
|
||||||
@@ -343,10 +452,11 @@ optional_policy(`
|
@@ -343,10 +453,11 @@ optional_policy(`
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
@ -1059,7 +1060,7 @@ index eb50f070f..4e5a59207 100644
|
|||||||
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
|
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
|
||||||
|
|
||||||
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
|
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
|
||||||
@@ -365,38 +475,84 @@ corecmd_exec_shell(abrt_retrace_worker_t)
|
@@ -365,38 +476,86 @@ corecmd_exec_shell(abrt_retrace_worker_t)
|
||||||
|
|
||||||
dev_read_urand(abrt_retrace_worker_t)
|
dev_read_urand(abrt_retrace_worker_t)
|
||||||
|
|
||||||
@ -1135,6 +1136,8 @@ index eb50f070f..4e5a59207 100644
|
|||||||
logging_read_generic_logs(abrt_dump_oops_t)
|
logging_read_generic_logs(abrt_dump_oops_t)
|
||||||
+logging_read_syslog_pid(abrt_dump_oops_t)
|
+logging_read_syslog_pid(abrt_dump_oops_t)
|
||||||
+logging_send_syslog_msg(abrt_dump_oops_t)
|
+logging_send_syslog_msg(abrt_dump_oops_t)
|
||||||
|
+logging_mmap_generic_logs(abrt_dump_oops_t)
|
||||||
|
+logging_mmap_journal(abrt_dump_oops_t)
|
||||||
+
|
+
|
||||||
+init_read_var_lib_files(abrt_dump_oops_t)
|
+init_read_var_lib_files(abrt_dump_oops_t)
|
||||||
+
|
+
|
||||||
@ -1148,7 +1151,7 @@ index eb50f070f..4e5a59207 100644
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
@@ -404,25 +560,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
|
@@ -404,25 +563,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
|
||||||
#
|
#
|
||||||
|
|
||||||
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
|
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
|
||||||
@ -1211,7 +1214,7 @@ index eb50f070f..4e5a59207 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@@ -430,10 +621,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
|
@@ -430,10 +624,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
|
||||||
# Global local policy
|
# Global local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -10663,7 +10666,7 @@ index c723a0ae0..1c29d21e7 100644
|
|||||||
+ allow $1 bluetooth_unit_file_t:service all_service_perms;
|
+ allow $1 bluetooth_unit_file_t:service all_service_perms;
|
||||||
')
|
')
|
||||||
diff --git a/bluetooth.te b/bluetooth.te
|
diff --git a/bluetooth.te b/bluetooth.te
|
||||||
index 851769e55..4b11e9620 100644
|
index 851769e55..4bb326132 100644
|
||||||
--- a/bluetooth.te
|
--- a/bluetooth.te
|
||||||
+++ b/bluetooth.te
|
+++ b/bluetooth.te
|
||||||
@@ -49,12 +49,15 @@ files_type(bluetooth_var_lib_t)
|
@@ -49,12 +49,15 @@ files_type(bluetooth_var_lib_t)
|
||||||
@ -10683,7 +10686,7 @@ index 851769e55..4b11e9620 100644
|
|||||||
dontaudit bluetooth_t self:capability sys_tty_config;
|
dontaudit bluetooth_t self:capability sys_tty_config;
|
||||||
allow bluetooth_t self:process { getcap setcap getsched signal_perms };
|
allow bluetooth_t self:process { getcap setcap getsched signal_perms };
|
||||||
allow bluetooth_t self:fifo_file rw_fifo_file_perms;
|
allow bluetooth_t self:fifo_file rw_fifo_file_perms;
|
||||||
@@ -78,7 +81,8 @@ files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file)
|
@@ -78,10 +81,12 @@ files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file)
|
||||||
|
|
||||||
manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
|
manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
|
||||||
manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
|
manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
|
||||||
@ -10693,7 +10696,11 @@ index 851769e55..4b11e9620 100644
|
|||||||
|
|
||||||
manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
|
manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
|
||||||
manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
|
manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
|
||||||
@@ -90,27 +94,37 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
|
+mmap_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
|
||||||
|
files_var_lib_filetrans(bluetooth_t, bluetooth_var_lib_t, { dir file } )
|
||||||
|
|
||||||
|
manage_files_pattern(bluetooth_t, bluetooth_var_run_t, bluetooth_var_run_t)
|
||||||
|
@@ -90,27 +95,37 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
|
||||||
|
|
||||||
can_exec(bluetooth_t, bluetooth_helper_exec_t)
|
can_exec(bluetooth_t, bluetooth_helper_exec_t)
|
||||||
|
|
||||||
@ -10736,7 +10743,7 @@ index 851769e55..4b11e9620 100644
|
|||||||
|
|
||||||
fs_getattr_all_fs(bluetooth_t)
|
fs_getattr_all_fs(bluetooth_t)
|
||||||
fs_search_auto_mountpoints(bluetooth_t)
|
fs_search_auto_mountpoints(bluetooth_t)
|
||||||
@@ -122,7 +136,6 @@ auth_use_nsswitch(bluetooth_t)
|
@@ -122,7 +137,6 @@ auth_use_nsswitch(bluetooth_t)
|
||||||
|
|
||||||
logging_send_syslog_msg(bluetooth_t)
|
logging_send_syslog_msg(bluetooth_t)
|
||||||
|
|
||||||
@ -10744,7 +10751,7 @@ index 851769e55..4b11e9620 100644
|
|||||||
miscfiles_read_fonts(bluetooth_t)
|
miscfiles_read_fonts(bluetooth_t)
|
||||||
miscfiles_read_hwdata(bluetooth_t)
|
miscfiles_read_hwdata(bluetooth_t)
|
||||||
|
|
||||||
@@ -130,6 +143,10 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
|
@@ -130,6 +144,10 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
|
||||||
userdom_dontaudit_use_user_terminals(bluetooth_t)
|
userdom_dontaudit_use_user_terminals(bluetooth_t)
|
||||||
userdom_dontaudit_search_user_home_dirs(bluetooth_t)
|
userdom_dontaudit_search_user_home_dirs(bluetooth_t)
|
||||||
|
|
||||||
@ -10755,7 +10762,7 @@ index 851769e55..4b11e9620 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_system_bus_client(bluetooth_t)
|
dbus_system_bus_client(bluetooth_t)
|
||||||
dbus_connect_system_bus(bluetooth_t)
|
dbus_connect_system_bus(bluetooth_t)
|
||||||
@@ -200,7 +217,6 @@ dev_read_urand(bluetooth_helper_t)
|
@@ -200,7 +218,6 @@ dev_read_urand(bluetooth_helper_t)
|
||||||
domain_read_all_domains_state(bluetooth_helper_t)
|
domain_read_all_domains_state(bluetooth_helper_t)
|
||||||
|
|
||||||
files_read_etc_runtime_files(bluetooth_helper_t)
|
files_read_etc_runtime_files(bluetooth_helper_t)
|
||||||
@ -33889,7 +33896,7 @@ index e39de436a..5edcb8330 100644
|
|||||||
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
|
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
|
||||||
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
|
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
|
||||||
diff --git a/gnome.if b/gnome.if
|
diff --git a/gnome.if b/gnome.if
|
||||||
index ab09d6195..72d67c2cb 100644
|
index ab09d6195..0007f00b3 100644
|
||||||
--- a/gnome.if
|
--- a/gnome.if
|
||||||
+++ b/gnome.if
|
+++ b/gnome.if
|
||||||
@@ -1,52 +1,76 @@
|
@@ -1,52 +1,76 @@
|
||||||
@ -34307,7 +34314,7 @@ index ab09d6195..72d67c2cb 100644
|
|||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ allow $1 gnome_home_type:dir manage_dir_perms;
|
+ allow $1 gnome_home_type:dir manage_dir_perms;
|
||||||
+ allow $1 gnome_home_type:file manage_file_perms;
|
+ allow $1 gnome_home_type:file { manage_file_perms map };
|
||||||
+ allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
|
+ allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
|
||||||
+ allow $1 gnome_home_type:sock_file manage_sock_file_perms;
|
+ allow $1 gnome_home_type:sock_file manage_sock_file_perms;
|
||||||
+ userdom_search_user_home_dirs($1)
|
+ userdom_search_user_home_dirs($1)
|
||||||
@ -34543,7 +34550,7 @@ index ab09d6195..72d67c2cb 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -433,17 +519,18 @@ interface(`gnome_home_filetrans',`
|
@@ -433,17 +519,19 @@ interface(`gnome_home_filetrans',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -34557,6 +34564,7 @@ index ab09d6195..72d67c2cb 100644
|
|||||||
- allow $1 gconf_home_t:dir create_dir_perms;
|
- allow $1 gconf_home_t:dir create_dir_perms;
|
||||||
+ append_files_pattern($1, cache_home_t, cache_home_t)
|
+ append_files_pattern($1, cache_home_t, cache_home_t)
|
||||||
+ userdom_search_user_home_dirs($1)
|
+ userdom_search_user_home_dirs($1)
|
||||||
|
+ allow $1 gnome_home_t:file { read_file_perms map };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -34566,7 +34574,7 @@ index ab09d6195..72d67c2cb 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -451,23 +538,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
|
@@ -451,23 +539,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -34594,7 +34602,7 @@ index ab09d6195..72d67c2cb 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -475,22 +557,18 @@ interface(`gnome_read_generic_gconf_home_content',`
|
@@ -475,22 +558,18 @@ interface(`gnome_read_generic_gconf_home_content',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -34621,7 +34629,7 @@ index ab09d6195..72d67c2cb 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -498,79 +576,59 @@ interface(`gnome_manage_generic_gconf_home_content',`
|
@@ -498,79 +577,59 @@ interface(`gnome_manage_generic_gconf_home_content',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -34719,7 +34727,7 @@ index ab09d6195..72d67c2cb 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -579,12 +637,12 @@ interface(`gnome_home_filetrans_gnome_home',`
|
@@ -579,12 +638,12 @@ interface(`gnome_home_filetrans_gnome_home',`
|
||||||
## </param>
|
## </param>
|
||||||
## <param name="private_type">
|
## <param name="private_type">
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -34734,7 +34742,7 @@ index ab09d6195..72d67c2cb 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
## <param name="name" optional="true">
|
## <param name="name" optional="true">
|
||||||
@@ -593,18 +651,18 @@ interface(`gnome_home_filetrans_gnome_home',`
|
@@ -593,18 +652,18 @@ interface(`gnome_home_filetrans_gnome_home',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -34759,7 +34767,7 @@ index ab09d6195..72d67c2cb 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -612,46 +670,80 @@ interface(`gnome_gconf_home_filetrans',`
|
@@ -612,46 +671,81 @@ interface(`gnome_gconf_home_filetrans',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -34844,6 +34852,7 @@ index ab09d6195..72d67c2cb 100644
|
|||||||
- allow $1_gkeyringd_t $2:dbus send_msg;
|
- allow $1_gkeyringd_t $2:dbus send_msg;
|
||||||
+ userdom_search_user_home_dirs($1)
|
+ userdom_search_user_home_dirs($1)
|
||||||
+ allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
|
+ allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
|
||||||
|
+ allow $1 icc_data_home_t:file map;
|
||||||
+ list_dirs_pattern($1, icc_data_home_t, icc_data_home_t)
|
+ list_dirs_pattern($1, icc_data_home_t, icc_data_home_t)
|
||||||
+ read_files_pattern($1, icc_data_home_t, icc_data_home_t)
|
+ read_files_pattern($1, icc_data_home_t, icc_data_home_t)
|
||||||
+ read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t)
|
+ read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t)
|
||||||
@ -34857,7 +34866,7 @@ index ab09d6195..72d67c2cb 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -659,46 +751,64 @@ interface(`gnome_dbus_chat_gkeyringd',`
|
@@ -659,46 +753,64 @@ interface(`gnome_dbus_chat_gkeyringd',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -34939,7 +34948,7 @@ index ab09d6195..72d67c2cb 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -706,12 +816,1003 @@ interface(`gnome_stream_connect_gkeyringd',`
|
@@ -706,12 +818,1003 @@ interface(`gnome_stream_connect_gkeyringd',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -60092,7 +60101,7 @@ index 94b973407..448a7e836 100644
|
|||||||
+/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
+/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||||
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||||
diff --git a/networkmanager.if b/networkmanager.if
|
diff --git a/networkmanager.if b/networkmanager.if
|
||||||
index 86dc29dfa..c7d9376d5 100644
|
index 86dc29dfa..cb39739a5 100644
|
||||||
--- a/networkmanager.if
|
--- a/networkmanager.if
|
||||||
+++ b/networkmanager.if
|
+++ b/networkmanager.if
|
||||||
@@ -2,7 +2,7 @@
|
@@ -2,7 +2,7 @@
|
||||||
@ -60262,10 +60271,21 @@ index 86dc29dfa..c7d9376d5 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -211,9 +259,30 @@ interface(`networkmanager_read_lib_files',`
|
@@ -189,6 +237,7 @@ interface(`networkmanager_manage_lib_files',`
|
||||||
read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
|
|
||||||
|
files_search_var_lib($1)
|
||||||
|
manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
|
||||||
|
+ allow $1 NetworkManager_var_lib_t:file map;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
@@ -209,11 +258,33 @@ interface(`networkmanager_read_lib_files',`
|
||||||
|
files_search_var_lib($1)
|
||||||
|
list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
|
||||||
|
read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
|
||||||
|
+ allow $1 NetworkManager_var_lib_t:file map;
|
||||||
|
+')
|
||||||
|
+
|
||||||
+#######################################
|
+#######################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Read NetworkManager conf files.
|
+## Read NetworkManager conf files.
|
||||||
@ -60285,8 +60305,8 @@ index 86dc29dfa..c7d9376d5 100644
|
|||||||
+ allow $1 NetworkManager_etc_t:dir list_dir_perms;
|
+ allow $1 NetworkManager_etc_t:dir list_dir_perms;
|
||||||
+ read_files_pattern($1,NetworkManager_etc_t,NetworkManager_etc_t)
|
+ read_files_pattern($1,NetworkManager_etc_t,NetworkManager_etc_t)
|
||||||
+ read_files_pattern($1,NetworkManager_etc_rw_t,NetworkManager_etc_rw_t)
|
+ read_files_pattern($1,NetworkManager_etc_rw_t,NetworkManager_etc_rw_t)
|
||||||
+')
|
')
|
||||||
+
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
-## Append networkmanager log files.
|
-## Append networkmanager log files.
|
||||||
@ -60294,7 +60314,7 @@ index 86dc29dfa..c7d9376d5 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -221,19 +290,18 @@ interface(`networkmanager_read_lib_files',`
|
@@ -221,19 +292,18 @@ interface(`networkmanager_read_lib_files',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -60319,18 +60339,17 @@ index 86dc29dfa..c7d9376d5 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -241,13 +309,66 @@ interface(`networkmanager_append_log_files',`
|
@@ -241,13 +311,66 @@ interface(`networkmanager_append_log_files',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
-interface(`networkmanager_read_pid_files',`
|
-interface(`networkmanager_read_pid_files',`
|
||||||
+interface(`networkmanager_manage_pid_files',`
|
+interface(`networkmanager_manage_pid_files',`
|
||||||
gen_require(`
|
+ gen_require(`
|
||||||
type NetworkManager_var_run_t;
|
+ type NetworkManager_var_run_t;
|
||||||
')
|
+ ')
|
||||||
|
+
|
||||||
files_search_pids($1)
|
+ files_search_pids($1)
|
||||||
- allow $1 NetworkManager_var_run_t:file read_file_perms;
|
|
||||||
+ manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
|
+ manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
@ -60345,11 +60364,12 @@ index 86dc29dfa..c7d9376d5 100644
|
|||||||
+## </param>
|
+## </param>
|
||||||
+#
|
+#
|
||||||
+interface(`networkmanager_manage_pid_sock_files',`
|
+interface(`networkmanager_manage_pid_sock_files',`
|
||||||
+ gen_require(`
|
gen_require(`
|
||||||
+ type NetworkManager_var_run_t;
|
type NetworkManager_var_run_t;
|
||||||
+ ')
|
')
|
||||||
+
|
|
||||||
+ files_search_pids($1)
|
files_search_pids($1)
|
||||||
|
- allow $1 NetworkManager_var_run_t:file read_file_perms;
|
||||||
+ manage_sock_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
|
+ manage_sock_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
@ -60388,7 +60408,7 @@ index 86dc29dfa..c7d9376d5 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
####################################
|
####################################
|
||||||
@@ -272,14 +393,33 @@ interface(`networkmanager_stream_connect',`
|
@@ -272,14 +395,33 @@ interface(`networkmanager_stream_connect',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -60424,7 +60444,7 @@ index 86dc29dfa..c7d9376d5 100644
|
|||||||
## <param name="role">
|
## <param name="role">
|
||||||
## <summary>
|
## <summary>
|
||||||
## Role allowed access.
|
## Role allowed access.
|
||||||
@@ -287,33 +427,190 @@ interface(`networkmanager_stream_connect',`
|
@@ -287,33 +429,194 @@ interface(`networkmanager_stream_connect',`
|
||||||
## </param>
|
## </param>
|
||||||
## <rolecap/>
|
## <rolecap/>
|
||||||
#
|
#
|
||||||
@ -60470,10 +60490,12 @@ index 86dc29dfa..c7d9376d5 100644
|
|||||||
- admin_pattern($1, NetworkManager_log_t)
|
- admin_pattern($1, NetworkManager_log_t)
|
||||||
+ allow $1 NetworkManager_log_t:dir list_dir_perms;
|
+ allow $1 NetworkManager_log_t:dir list_dir_perms;
|
||||||
+ append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
|
+ append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
|
||||||
+')
|
+ allow $1 NetworkManager_var_lib_t:file map;
|
||||||
|
|
||||||
- files_search_var_lib($1)
|
- files_search_var_lib($1)
|
||||||
- admin_pattern($1, NetworkManager_var_lib_t)
|
- admin_pattern($1, NetworkManager_var_lib_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
+#######################################
|
+#######################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Allow the specified domain to manage
|
+## Allow the specified domain to manage
|
||||||
@ -60491,6 +60513,8 @@ index 86dc29dfa..c7d9376d5 100644
|
|||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
|
+ manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
|
||||||
|
+ allow $1 NetworkManager_var_lib_t:file map;
|
||||||
|
+
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+#######################################
|
+#######################################
|
||||||
@ -93498,7 +93522,7 @@ index ebe91fc70..6ba4338cb 100644
|
|||||||
+/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
+/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||||
')
|
')
|
||||||
diff --git a/rpm.if b/rpm.if
|
diff --git a/rpm.if b/rpm.if
|
||||||
index ef3b22507..b15d901a4 100644
|
index ef3b22507..d2b4c1697 100644
|
||||||
--- a/rpm.if
|
--- a/rpm.if
|
||||||
+++ b/rpm.if
|
+++ b/rpm.if
|
||||||
@@ -1,8 +1,8 @@
|
@@ -1,8 +1,8 @@
|
||||||
@ -93903,10 +93927,11 @@ index ef3b22507..b15d901a4 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -459,11 +585,12 @@ interface(`rpm_read_db',`
|
@@ -459,11 +585,13 @@ interface(`rpm_read_db',`
|
||||||
allow $1 rpm_var_lib_t:dir list_dir_perms;
|
allow $1 rpm_var_lib_t:dir list_dir_perms;
|
||||||
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
|
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
|
||||||
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
|
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
|
||||||
|
+ allow $1 rpm_var_lib_t:file map;
|
||||||
+ rpm_read_cache($1)
|
+ rpm_read_cache($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -93917,7 +93942,7 @@ index ef3b22507..b15d901a4 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -482,8 +609,7 @@ interface(`rpm_delete_db',`
|
@@ -482,8 +610,7 @@ interface(`rpm_delete_db',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -93927,10 +93952,15 @@ index ef3b22507..b15d901a4 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -503,8 +629,28 @@ interface(`rpm_manage_db',`
|
@@ -499,12 +626,33 @@ interface(`rpm_manage_db',`
|
||||||
|
files_search_var_lib($1)
|
||||||
########################################
|
manage_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
|
||||||
## <summary>
|
manage_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
|
||||||
|
+ allow $1 rpm_var_lib_t:file map;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
+## Do not audit attempts to create, read,the RPM package database.
|
+## Do not audit attempts to create, read,the RPM package database.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
@ -93947,17 +93977,17 @@ index ef3b22507..b15d901a4 100644
|
|||||||
+ dontaudit $1 rpm_var_lib_t:dir list_dir_perms;
|
+ dontaudit $1 rpm_var_lib_t:dir list_dir_perms;
|
||||||
+ dontaudit $1 rpm_var_lib_t:file read_file_perms;
|
+ dontaudit $1 rpm_var_lib_t:file read_file_perms;
|
||||||
+ dontaudit $1 rpm_var_lib_t:lnk_file read_lnk_file_perms;
|
+ dontaudit $1 rpm_var_lib_t:lnk_file read_lnk_file_perms;
|
||||||
+')
|
')
|
||||||
+
|
|
||||||
+########################################
|
########################################
|
||||||
+## <summary>
|
## <summary>
|
||||||
## Do not audit attempts to create, read,
|
## Do not audit attempts to create, read,
|
||||||
-## write, and delete rpm lib content.
|
-## write, and delete rpm lib content.
|
||||||
+## write, and delete the RPM package database.
|
+## write, and delete the RPM package database.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -517,7 +663,7 @@ interface(`rpm_dontaudit_manage_db',`
|
@@ -517,9 +665,10 @@ interface(`rpm_dontaudit_manage_db',`
|
||||||
type rpm_var_lib_t;
|
type rpm_var_lib_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -93965,8 +93995,11 @@ index ef3b22507..b15d901a4 100644
|
|||||||
+ dontaudit $1 rpm_var_lib_t:dir manage_dir_perms;
|
+ dontaudit $1 rpm_var_lib_t:dir manage_dir_perms;
|
||||||
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
|
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
|
||||||
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
|
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
|
||||||
|
+ dontaudit $1 rpm_var_lib_t:file map;
|
||||||
')
|
')
|
||||||
@@ -543,8 +689,7 @@ interface(`rpm_read_pid_files',`
|
|
||||||
|
#####################################
|
||||||
|
@@ -543,8 +692,7 @@ interface(`rpm_read_pid_files',`
|
||||||
|
|
||||||
#####################################
|
#####################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -93976,7 +94009,7 @@ index ef3b22507..b15d901a4 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -563,8 +708,7 @@ interface(`rpm_manage_pid_files',`
|
@@ -563,8 +711,7 @@ interface(`rpm_manage_pid_files',`
|
||||||
|
|
||||||
######################################
|
######################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -93986,7 +94019,7 @@ index ef3b22507..b15d901a4 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -573,43 +717,54 @@ interface(`rpm_manage_pid_files',`
|
@@ -573,43 +720,54 @@ interface(`rpm_manage_pid_files',`
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`rpm_pid_filetrans',`
|
interface(`rpm_pid_filetrans',`
|
||||||
@ -94058,7 +94091,7 @@ index ef3b22507..b15d901a4 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -617,22 +772,57 @@ interface(`rpm_pid_filetrans_rpm_pid',`
|
@@ -617,22 +775,57 @@ interface(`rpm_pid_filetrans_rpm_pid',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
## <param name="role">
|
## <param name="role">
|
||||||
@ -94127,7 +94160,7 @@ index ef3b22507..b15d901a4 100644
|
|||||||
|
|
||||||
init_labeled_script_domtrans($1, rpm_initrc_exec_t)
|
init_labeled_script_domtrans($1, rpm_initrc_exec_t)
|
||||||
domain_system_change_exemption($1)
|
domain_system_change_exemption($1)
|
||||||
@@ -641,9 +831,6 @@ interface(`rpm_admin',`
|
@@ -641,9 +834,6 @@ interface(`rpm_admin',`
|
||||||
|
|
||||||
admin_pattern($1, rpm_file_t)
|
admin_pattern($1, rpm_file_t)
|
||||||
|
|
||||||
@ -106555,7 +106588,7 @@ index dbb005aca..2655c75ab 100644
|
|||||||
+/var/run/secrets\.socket -s gen_context(system_u:object_r:sssd_var_run_t,s0)
|
+/var/run/secrets\.socket -s gen_context(system_u:object_r:sssd_var_run_t,s0)
|
||||||
+/var/run/\.heim_org\.h5l\.kcm-socket -s gen_context(system_u:object_r:sssd_var_run_t,s0)
|
+/var/run/\.heim_org\.h5l\.kcm-socket -s gen_context(system_u:object_r:sssd_var_run_t,s0)
|
||||||
diff --git a/sssd.if b/sssd.if
|
diff --git a/sssd.if b/sssd.if
|
||||||
index a24045518..aac25848d 100644
|
index a24045518..8e00992e4 100644
|
||||||
--- a/sssd.if
|
--- a/sssd.if
|
||||||
+++ b/sssd.if
|
+++ b/sssd.if
|
||||||
@@ -1,21 +1,21 @@
|
@@ -1,21 +1,21 @@
|
||||||
@ -106736,13 +106769,14 @@ index a24045518..aac25848d 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -131,14 +171,13 @@ interface(`sssd_read_public_files',`
|
@@ -131,14 +171,14 @@ interface(`sssd_read_public_files',`
|
||||||
')
|
')
|
||||||
|
|
||||||
sssd_search_lib($1)
|
sssd_search_lib($1)
|
||||||
- allow $1 sssd_public_t:dir list_dir_perms;
|
- allow $1 sssd_public_t:dir list_dir_perms;
|
||||||
+ list_dirs_pattern($1, sssd_public_t, sssd_public_t)
|
+ list_dirs_pattern($1, sssd_public_t, sssd_public_t)
|
||||||
read_files_pattern($1, sssd_public_t, sssd_public_t)
|
read_files_pattern($1, sssd_public_t, sssd_public_t)
|
||||||
|
+ mmap_files_pattern($1, sssd_public_t, sssd_public_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
-#######################################
|
-#######################################
|
||||||
@ -106754,7 +106788,7 @@ index a24045518..aac25848d 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -146,18 +185,55 @@ interface(`sssd_read_public_files',`
|
@@ -146,18 +186,55 @@ interface(`sssd_read_public_files',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -106813,7 +106847,7 @@ index a24045518..aac25848d 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -176,8 +252,7 @@ interface(`sssd_read_pid_files',`
|
@@ -176,8 +253,7 @@ interface(`sssd_read_pid_files',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -106823,7 +106857,7 @@ index a24045518..aac25848d 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -216,8 +291,7 @@ interface(`sssd_search_lib',`
|
@@ -216,8 +292,7 @@ interface(`sssd_search_lib',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -106833,7 +106867,7 @@ index a24045518..aac25848d 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -235,6 +309,24 @@ interface(`sssd_dontaudit_search_lib',`
|
@@ -235,6 +310,24 @@ interface(`sssd_dontaudit_search_lib',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -106858,7 +106892,7 @@ index a24045518..aac25848d 100644
|
|||||||
## Read sssd lib files.
|
## Read sssd lib files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -297,8 +389,7 @@ interface(`sssd_dbus_chat',`
|
@@ -297,8 +390,7 @@ interface(`sssd_dbus_chat',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -106868,7 +106902,7 @@ index a24045518..aac25848d 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -317,8 +408,130 @@ interface(`sssd_stream_connect',`
|
@@ -317,8 +409,130 @@ interface(`sssd_stream_connect',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -107001,7 +107035,7 @@ index a24045518..aac25848d 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -327,7 +540,7 @@ interface(`sssd_stream_connect',`
|
@@ -327,7 +541,7 @@ interface(`sssd_stream_connect',`
|
||||||
## </param>
|
## </param>
|
||||||
## <param name="role">
|
## <param name="role">
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -107010,7 +107044,7 @@ index a24045518..aac25848d 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
## <rolecap/>
|
## <rolecap/>
|
||||||
@@ -335,27 +548,29 @@ interface(`sssd_stream_connect',`
|
@@ -335,27 +549,29 @@ interface(`sssd_stream_connect',`
|
||||||
interface(`sssd_admin',`
|
interface(`sssd_admin',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type sssd_t, sssd_public_t, sssd_initrc_exec_t;
|
type sssd_t, sssd_public_t, sssd_initrc_exec_t;
|
||||||
@ -107052,10 +107086,10 @@ index a24045518..aac25848d 100644
|
|||||||
- admin_pattern($1, sssd_log_t)
|
- admin_pattern($1, sssd_log_t)
|
||||||
')
|
')
|
||||||
diff --git a/sssd.te b/sssd.te
|
diff --git a/sssd.te b/sssd.te
|
||||||
index 2d8db1fa3..9b13b3058 100644
|
index 2d8db1fa3..b4eaeb4cc 100644
|
||||||
--- a/sssd.te
|
--- a/sssd.te
|
||||||
+++ b/sssd.te
|
+++ b/sssd.te
|
||||||
@@ -28,19 +28,31 @@ logging_log_file(sssd_var_log_t)
|
@@ -28,51 +28,65 @@ logging_log_file(sssd_var_log_t)
|
||||||
type sssd_var_run_t;
|
type sssd_var_run_t;
|
||||||
files_pid_file(sssd_var_run_t)
|
files_pid_file(sssd_var_run_t)
|
||||||
|
|
||||||
@ -107091,8 +107125,13 @@ index 2d8db1fa3..9b13b3058 100644
|
|||||||
|
|
||||||
manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
|
manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
|
||||||
manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
|
manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
|
||||||
@@ -51,28 +63,28 @@ manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
|
+mmap_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
|
||||||
|
|
||||||
|
manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
|
||||||
|
manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
|
||||||
|
manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
|
||||||
manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
|
manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
|
||||||
|
+mmap_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
|
||||||
files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir })
|
files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir })
|
||||||
|
|
||||||
-append_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
|
-append_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
|
||||||
@ -107132,7 +107171,7 @@ index 2d8db1fa3..9b13b3058 100644
|
|||||||
|
|
||||||
corecmd_exec_bin(sssd_t)
|
corecmd_exec_bin(sssd_t)
|
||||||
|
|
||||||
@@ -83,28 +95,36 @@ domain_read_all_domains_state(sssd_t)
|
@@ -83,28 +97,36 @@ domain_read_all_domains_state(sssd_t)
|
||||||
domain_obj_id_change_exemption(sssd_t)
|
domain_obj_id_change_exemption(sssd_t)
|
||||||
|
|
||||||
files_list_tmp(sssd_t)
|
files_list_tmp(sssd_t)
|
||||||
@ -107173,7 +107212,7 @@ index 2d8db1fa3..9b13b3058 100644
|
|||||||
|
|
||||||
init_read_utmp(sssd_t)
|
init_read_utmp(sssd_t)
|
||||||
|
|
||||||
@@ -112,18 +132,71 @@ logging_send_syslog_msg(sssd_t)
|
@@ -112,18 +134,71 @@ logging_send_syslog_msg(sssd_t)
|
||||||
logging_send_audit_msgs(sssd_t)
|
logging_send_audit_msgs(sssd_t)
|
||||||
|
|
||||||
miscfiles_read_generic_certs(sssd_t)
|
miscfiles_read_generic_certs(sssd_t)
|
||||||
|
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.13.1
|
Version: 3.13.1
|
||||||
Release: 271%{?dist}
|
Release: 272%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -681,6 +681,13 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Aug 15 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-272
|
||||||
|
- Allow sssd_t domain to map sssd_var_lib_t files
|
||||||
|
- allow map permission where needed
|
||||||
|
- contrib: allow map permission where needed
|
||||||
|
- Allow syslogd_t to map syslogd_var_run_t files
|
||||||
|
- allow map permission where needed
|
||||||
|
|
||||||
* Mon Aug 14 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-271
|
* Mon Aug 14 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-271
|
||||||
- Allow tomcat_t domain couple capabilities to make working tomcat-jsvc
|
- Allow tomcat_t domain couple capabilities to make working tomcat-jsvc
|
||||||
- Label /usr/libexec/sudo/sesh as shell_exec_t
|
- Label /usr/libexec/sudo/sesh as shell_exec_t
|
||||||
|
Loading…
Reference in New Issue
Block a user