* Mon Aug 10 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-141
- Allow chronyd to execute mkdir command. - Allow chronyd_t to read dhcpc state. - Label /usr/libexec/chrony-helper as chronyd_exec_t - Allow openhpid liboa_soap plugin to read resolv.conf file. - Allow openhpid liboa_soap plugin to read generic certs. - Allow openhpid use libwatchdog plugin. (Allow openhpid_t rw watchdog device) - Allow logrotate to reload services. - Allow apcupsd_t to read /sys/devices - Allow kpropd to connect to kropd tcp port. - Allow lsmd also setuid capability. Some commands need to executed under root privs. Other commands are executed under unprivileged user. - Allow snapperd to pass data (one way only) via pipe negotiated over dbus. - Add snapper_read_inherited_pipe() interface. - Add missing ";" in kerberos.te - Add support for /var/lib/kdcproxy and label it as krb5kdc_var_lib_t. It needs to be accessible by useradd_t. - Add support for /etc/sanlock which is writable by sanlock daemon. - Allow mdadm to access /dev/random and add support to create own files/dirs as mdadm_tmpfs_t. - Add labels for /dev/memory_bandwith and /dev/vhci. Thanks ssekidde - Add interface to read/write watchdog device. - Add transition rule for iptables_var_lib_t - Allow useradd add homedir located in /var/lib/kdcproxy in ipa-server RPM scriplet. - Revert "Allow grubby to manage and create /run/blkid with correct labeling" - Allow grubby to manage and create /run/blkid with correct labeling - Add fstools_filetrans_named_content_fsadm() and call it for named_filetrans_domain domains. We need to be sure that /run/blkid is created with correct labeling. - arping running as netutils_t needs to access /etc/ld.so.cache in MLS. - Allow sysadm to execute systemd-sysctl in the sysadm_t domain. It is needed for ifup command in MLS mode. - Add systemd_exec_sysctl() and systemd_domtrans_sysctl() interfaces. - Allow udev, lvm and fsadm to access systemd-cat in /var/tmp/dracut if 'dracut -fv' is executed in MLS. - Allow admin SELinu users to communicate with kernel_t. It is needed to access /run/systemd/journal/stdout if 'dracut -vf' is executed. We allow it for other SELinux users. - depmod runs as insmod_t and it needs to manage user tmp files which was allowed for depmod_t. It is needed by dracut command for SELinux restrictive policy (confined users, MLS).
This commit is contained in:
Lukas Vrabec
parent
d8af5a753a
commit
28b73b2eef
File diff suppressed because it is too large
Load Diff
@ -7703,7 +7703,7 @@ index f3c0aba..f6e25ed 100644
|
||||
+ files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
|
||||
')
|
||||
diff --git a/apcupsd.te b/apcupsd.te
|
||||
index 080bc4d..12d701e 100644
|
||||
index 080bc4d..5db6cde 100644
|
||||
--- a/apcupsd.te
|
||||
+++ b/apcupsd.te
|
||||
@@ -24,6 +24,12 @@ files_tmp_file(apcupsd_tmp_t)
|
||||
@ -7741,7 +7741,7 @@ index 080bc4d..12d701e 100644
|
||||
corenet_all_recvfrom_netlabel(apcupsd_t)
|
||||
corenet_tcp_sendrecv_generic_if(apcupsd_t)
|
||||
corenet_tcp_sendrecv_generic_node(apcupsd_t)
|
||||
@@ -67,26 +73,36 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
|
||||
@@ -67,26 +73,38 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
|
||||
corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
|
||||
corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)
|
||||
corenet_tcp_connect_apcupsd_port(apcupsd_t)
|
||||
@ -7753,6 +7753,8 @@ index 080bc4d..12d701e 100644
|
||||
corenet_udp_sendrecv_snmp_port(apcupsd_t)
|
||||
|
||||
+fs_getattr_xattr_fs(apcupsd_t)
|
||||
+
|
||||
+dev_read_sysfs(apcupsd_t)
|
||||
+
|
||||
dev_rw_generic_usb_dev(apcupsd_t)
|
||||
|
||||
@ -7770,10 +7772,10 @@ index 080bc4d..12d701e 100644
|
||||
+#apcupsd runs shutdown, probably need a shutdown domain
|
||||
+init_rw_utmp(apcupsd_t)
|
||||
+init_telinit(apcupsd_t)
|
||||
+
|
||||
+auth_use_nsswitch(apcupsd_t)
|
||||
|
||||
-miscfiles_read_localization(apcupsd_t)
|
||||
+auth_use_nsswitch(apcupsd_t)
|
||||
+
|
||||
+logging_send_syslog_msg(apcupsd_t)
|
||||
|
||||
sysnet_dns_name_resolve(apcupsd_t)
|
||||
@ -7783,7 +7785,7 @@ index 080bc4d..12d701e 100644
|
||||
|
||||
optional_policy(`
|
||||
hostname_exec(apcupsd_t)
|
||||
@@ -101,6 +117,11 @@ optional_policy(`
|
||||
@@ -101,6 +119,11 @@ optional_policy(`
|
||||
shutdown_domtrans(apcupsd_t)
|
||||
')
|
||||
|
||||
@ -7795,7 +7797,7 @@ index 080bc4d..12d701e 100644
|
||||
########################################
|
||||
#
|
||||
# CGI local policy
|
||||
@@ -108,20 +129,20 @@ optional_policy(`
|
||||
@@ -108,20 +131,20 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
apache_content_template(apcupsd_cgi)
|
||||
@ -12738,10 +12740,10 @@ index 0000000..5955ff0
|
||||
+ gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
|
||||
+')
|
||||
diff --git a/chronyd.fc b/chronyd.fc
|
||||
index 4e4143e..d5e0260 100644
|
||||
index 4e4143e..e20f1b4 100644
|
||||
--- a/chronyd.fc
|
||||
+++ b/chronyd.fc
|
||||
@@ -1,7 +1,9 @@
|
||||
@@ -1,8 +1,11 @@
|
||||
-/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0)
|
||||
+/etc/chrony\.keys.* -- gen_context(system_u:object_r:chronyd_keys_t,s0)
|
||||
|
||||
@ -12750,8 +12752,10 @@ index 4e4143e..d5e0260 100644
|
||||
+/usr/lib/systemd/system/chrony.* -- gen_context(system_u:object_r:chronyd_unit_file_t,s0)
|
||||
+
|
||||
/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
|
||||
+/usr/libexec/chrony-helper -- gen_context(system_u:object_r:chronyd_exec_t,s0)
|
||||
|
||||
/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
|
||||
|
||||
diff --git a/chronyd.if b/chronyd.if
|
||||
index 32e8265..74fd151 100644
|
||||
--- a/chronyd.if
|
||||
@ -12923,7 +12927,7 @@ index 32e8265..74fd151 100644
|
||||
+ allow $1 chronyd_unit_file_t:service all_service_perms;
|
||||
')
|
||||
diff --git a/chronyd.te b/chronyd.te
|
||||
index e5b621c..e8b9178 100644
|
||||
index e5b621c..08ecb52 100644
|
||||
--- a/chronyd.te
|
||||
+++ b/chronyd.te
|
||||
@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
|
||||
@ -12954,7 +12958,7 @@ index e5b621c..e8b9178 100644
|
||||
allow chronyd_t chronyd_keys_t:file read_file_perms;
|
||||
|
||||
manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
|
||||
@@ -76,18 +83,30 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
|
||||
@@ -76,18 +83,34 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
|
||||
corenet_udp_bind_chronyd_port(chronyd_t)
|
||||
corenet_udp_sendrecv_chronyd_port(chronyd_t)
|
||||
|
||||
@ -12968,10 +12972,14 @@ index e5b621c..e8b9178 100644
|
||||
|
||||
auth_use_nsswitch(chronyd_t)
|
||||
|
||||
+corecmd_exec_bin(chronyd_t)
|
||||
+
|
||||
logging_send_syslog_msg(chronyd_t)
|
||||
|
||||
-miscfiles_read_localization(chronyd_t)
|
||||
+mta_send_mail(chronyd_t)
|
||||
+
|
||||
+sysnet_read_dhcpc_state(chronyd_t)
|
||||
|
||||
optional_policy(`
|
||||
gpsd_rw_shm(chronyd_t)
|
||||
@ -22180,7 +22188,7 @@ index 62d22cb..f8ab4af 100644
|
||||
+ files_var_filetrans($1, system_dbusd_var_lib_t, dir, "ibus")
|
||||
')
|
||||
diff --git a/dbus.te b/dbus.te
|
||||
index c9998c8..011faba 100644
|
||||
index c9998c8..44c6283 100644
|
||||
--- a/dbus.te
|
||||
+++ b/dbus.te
|
||||
@@ -4,17 +4,15 @@ gen_require(`
|
||||
@ -22304,7 +22312,7 @@ index c9998c8..011faba 100644
|
||||
mls_fd_use_all_levels(system_dbusd_t)
|
||||
mls_rangetrans_target(system_dbusd_t)
|
||||
mls_file_read_all_levels(system_dbusd_t)
|
||||
@@ -123,66 +122,166 @@ term_dontaudit_use_console(system_dbusd_t)
|
||||
@@ -123,66 +122,170 @@ term_dontaudit_use_console(system_dbusd_t)
|
||||
auth_use_nsswitch(system_dbusd_t)
|
||||
auth_read_pam_console_data(system_dbusd_t)
|
||||
|
||||
@ -22357,10 +22365,9 @@ index c9998c8..011faba 100644
|
||||
+
|
||||
+optional_policy(`
|
||||
+ getty_start_services(system_dbusd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- seutil_sigchld_newrole(system_dbusd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ gnome_exec_gconf(system_dbusd_t)
|
||||
+ gnome_read_inherited_home_icc_data_files(system_dbusd_t)
|
||||
+')
|
||||
@ -22381,10 +22388,15 @@ index c9998c8..011faba 100644
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ sysnet_domtrans_dhcpc(system_dbusd_t)
|
||||
+ snapper_read_inherited_pipe(system_dbusd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ sysnet_domtrans_dhcpc(system_dbusd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- seutil_sigchld_newrole(system_dbusd_t)
|
||||
+ systemd_use_fds_logind(system_dbusd_t)
|
||||
+ systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
|
||||
+ systemd_write_inhibit_pipes(system_dbusd_t)
|
||||
@ -22444,11 +22456,11 @@ index c9998c8..011faba 100644
|
||||
+optional_policy(`
|
||||
+ unconfined_dbus_send(system_bus_type)
|
||||
+')
|
||||
|
||||
+
|
||||
+ifdef(`hide_broken_symptoms',`
|
||||
+ dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
|
||||
+')
|
||||
+
|
||||
|
||||
+########################################
|
||||
+#
|
||||
+# session_bus_type rules
|
||||
@ -22485,7 +22497,7 @@ index c9998c8..011faba 100644
|
||||
kernel_read_kernel_sysctls(session_bus_type)
|
||||
|
||||
corecmd_list_bin(session_bus_type)
|
||||
@@ -191,23 +290,18 @@ corecmd_read_bin_files(session_bus_type)
|
||||
@@ -191,23 +294,18 @@ corecmd_read_bin_files(session_bus_type)
|
||||
corecmd_read_bin_pipes(session_bus_type)
|
||||
corecmd_read_bin_sockets(session_bus_type)
|
||||
|
||||
@ -22510,7 +22522,7 @@ index c9998c8..011faba 100644
|
||||
files_dontaudit_search_var(session_bus_type)
|
||||
|
||||
fs_getattr_romfs(session_bus_type)
|
||||
@@ -215,7 +309,6 @@ fs_getattr_xattr_fs(session_bus_type)
|
||||
@@ -215,7 +313,6 @@ fs_getattr_xattr_fs(session_bus_type)
|
||||
fs_list_inotifyfs(session_bus_type)
|
||||
fs_dontaudit_list_nfs(session_bus_type)
|
||||
|
||||
@ -22518,7 +22530,7 @@ index c9998c8..011faba 100644
|
||||
selinux_validate_context(session_bus_type)
|
||||
selinux_compute_access_vector(session_bus_type)
|
||||
selinux_compute_create_context(session_bus_type)
|
||||
@@ -225,18 +318,36 @@ selinux_compute_user_contexts(session_bus_type)
|
||||
@@ -225,18 +322,36 @@ selinux_compute_user_contexts(session_bus_type)
|
||||
auth_read_pam_console_data(session_bus_type)
|
||||
|
||||
logging_send_audit_msgs(session_bus_type)
|
||||
@ -22560,7 +22572,7 @@ index c9998c8..011faba 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -244,5 +355,9 @@ optional_policy(`
|
||||
@@ -244,5 +359,9 @@ optional_policy(`
|
||||
# Unconfined access to this module
|
||||
#
|
||||
|
||||
@ -39410,10 +39422,10 @@ index 0000000..20adcb3
|
||||
+ ')
|
||||
+')
|
||||
diff --git a/kerberos.fc b/kerberos.fc
|
||||
index 4fe75fd..b9f07ae 100644
|
||||
index 4fe75fd..f01d946 100644
|
||||
--- a/kerberos.fc
|
||||
+++ b/kerberos.fc
|
||||
@@ -1,52 +1,52 @@
|
||||
@@ -1,52 +1,54 @@
|
||||
-HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
|
||||
-/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
|
||||
+HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
|
||||
@ -39451,25 +39463,33 @@ index 4fe75fd..b9f07ae 100644
|
||||
|
||||
-/usr/local/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
|
||||
-/usr/local/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
|
||||
-
|
||||
+/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
|
||||
+/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
|
||||
|
||||
-/usr/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
|
||||
-/usr/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
|
||||
-
|
||||
+/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
|
||||
+/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
|
||||
+/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
|
||||
+/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
|
||||
+/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)
|
||||
|
||||
-/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
|
||||
-/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
|
||||
-
|
||||
+/var/lib/kdcproxy(/.*)? gen_context(system_u:object_r:krb5kdc_var_lib_t,s0)
|
||||
|
||||
-/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
|
||||
+/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
|
||||
/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
|
||||
-/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
|
||||
+/var/log/krb5kdc\.log.* gen_context(system_u:object_r:krb5kdc_log_t,s0)
|
||||
+/var/log/kadmin(d)?\.log.* gen_context(system_u:object_r:kadmind_log_t,s0)
|
||||
|
||||
-/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
||||
-
|
||||
+/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
||||
|
||||
-/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
|
||||
+/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
|
||||
/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
|
||||
-/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
|
||||
-/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
|
||||
+/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
|
||||
/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
|
||||
-/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
|
||||
-/var/kerberos/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0)
|
||||
-
|
||||
-/var/log/krb5kdc\.log.* -- gen_context(system_u:object_r:krb5kdc_log_t,s0)
|
||||
@ -39484,13 +39504,6 @@ index 4fe75fd..b9f07ae 100644
|
||||
-/var/tmp/ldapmap1_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
||||
-/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
||||
-/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
||||
+/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)
|
||||
+
|
||||
+/var/log/krb5kdc\.log.* gen_context(system_u:object_r:krb5kdc_log_t,s0)
|
||||
+/var/log/kadmin(d)?\.log.* gen_context(system_u:object_r:kadmind_log_t,s0)
|
||||
+
|
||||
+/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
||||
+
|
||||
+/var/run/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_var_run_t,s0)
|
||||
+
|
||||
+/var/tmp/DNS_25 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
||||
@ -39505,7 +39518,7 @@ index 4fe75fd..b9f07ae 100644
|
||||
+/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
||||
+/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
||||
diff --git a/kerberos.if b/kerberos.if
|
||||
index f6c00d8..7b777ab 100644
|
||||
index f6c00d8..e3cb4f1 100644
|
||||
--- a/kerberos.if
|
||||
+++ b/kerberos.if
|
||||
@@ -1,27 +1,29 @@
|
||||
@ -39823,7 +39836,7 @@ index f6c00d8..7b777ab 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -278,254 +290,255 @@ interface(`kerberos_read_keytab',`
|
||||
@@ -278,49 +290,122 @@ interface(`kerberos_read_keytab',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -39893,31 +39906,23 @@ index f6c00d8..7b777ab 100644
|
||||
## </summary>
|
||||
## </param>
|
||||
-## <param name="object_class">
|
||||
-## <summary>
|
||||
-## Class of the object being created.
|
||||
-## </summary>
|
||||
-## </param>
|
||||
-## <param name="name" optional="true">
|
||||
+## <param name="role">
|
||||
## <summary>
|
||||
-## The name of the object being created.
|
||||
-## Class of the object being created.
|
||||
+## The role to be allowed to manage the kerberos domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
#
|
||||
-interface(`kerberos_etc_filetrans_keytab',`
|
||||
+#
|
||||
+interface(`kerberos_admin',`
|
||||
gen_require(`
|
||||
- type krb5_keytab_t;
|
||||
+ gen_require(`
|
||||
+ type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
|
||||
+ type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
|
||||
+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
|
||||
+ type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
|
||||
+ type krb5kdc_var_run_t, krb5_host_rcache_t;
|
||||
')
|
||||
|
||||
- files_etc_filetrans($1, krb5_keytab_t, $2, $3)
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 kadmind_t:process signal_perms;
|
||||
+ ps_process_pattern($1, kadmind_t)
|
||||
+ tunable_policy(`deny_ptrace',`',`
|
||||
@ -39957,6 +39962,33 @@ index f6c00d8..7b777ab 100644
|
||||
+ admin_pattern($1, krb5kdc_tmp_t)
|
||||
+
|
||||
+ admin_pattern($1, krb5kdc_var_run_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Type transition files created in /tmp
|
||||
+## to the krb5_host_rcache type.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="name" optional="true">
|
||||
@@ -329,60 +414,63 @@ interface(`kerberos_manage_keytab_files',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`kerberos_etc_filetrans_keytab',`
|
||||
+interface(`kerberos_tmp_filetrans_host_rcache',`
|
||||
gen_require(`
|
||||
- type krb5_keytab_t;
|
||||
+ type krb5_host_rcache_t;
|
||||
')
|
||||
|
||||
- files_etc_filetrans($1, krb5_keytab_t, $2, $3)
|
||||
+ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
|
||||
+ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -39964,7 +39996,7 @@ index f6c00d8..7b777ab 100644
|
||||
-## Create a derived type for kerberos
|
||||
-## keytab files.
|
||||
+## Type transition files created in /tmp
|
||||
+## to the krb5_host_rcache type.
|
||||
+## to the kadmind_tmp type.
|
||||
## </summary>
|
||||
-## <param name="prefix">
|
||||
+## <param name="domain">
|
||||
@ -39985,50 +40017,18 @@ index f6c00d8..7b777ab 100644
|
||||
- refpolicywarn(`$0($*) has been deprecated.')
|
||||
- kerberos_read_keytab($2)
|
||||
- kerberos_use($2)
|
||||
+interface(`kerberos_tmp_filetrans_host_rcache',`
|
||||
+interface(`kerberos_tmp_filetrans_kadmin',`
|
||||
+ gen_require(`
|
||||
+ type krb5_host_rcache_t;
|
||||
+ type kadmind_tmp_t;
|
||||
+ ')
|
||||
+
|
||||
+ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
|
||||
+ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Read kerberos kdc configuration files.
|
||||
+## Type transition files created in /tmp
|
||||
+## to the kadmind_tmp type.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
-## <rolecap/>
|
||||
+## <param name="name" optional="true">
|
||||
+## <summary>
|
||||
+## The name of the object being created.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
#
|
||||
-interface(`kerberos_read_kdc_config',`
|
||||
+interface(`kerberos_tmp_filetrans_kadmin',`
|
||||
gen_require(`
|
||||
- type krb5kdc_conf_t;
|
||||
+ type kadmind_tmp_t;
|
||||
')
|
||||
|
||||
- files_search_etc($1)
|
||||
- read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
|
||||
+ manage_files_pattern($1, kadmind_tmp_t, kadmind_tmp_t)
|
||||
+ files_tmp_filetrans($1, kadmind_tmp_t, file, $2)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Create, read, write, and delete
|
||||
-## kerberos host rcache files.
|
||||
-## Read kerberos kdc configuration files.
|
||||
+## read kerberos homedir content (.k5login)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@ -40038,13 +40038,39 @@ index f6c00d8..7b777ab 100644
|
||||
## </param>
|
||||
-## <rolecap/>
|
||||
#
|
||||
-interface(`kerberos_manage_host_rcache',`
|
||||
-interface(`kerberos_read_kdc_config',`
|
||||
+interface(`kerberos_read_home_content',`
|
||||
gen_require(`
|
||||
- type krb5_host_rcache_t;
|
||||
- type krb5kdc_conf_t;
|
||||
+ type krb5_home_t;
|
||||
')
|
||||
|
||||
- files_search_etc($1)
|
||||
- read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
|
||||
+ userdom_search_user_home_dirs($1)
|
||||
+ read_files_pattern($1, krb5_home_t, krb5_home_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Create, read, write, and delete
|
||||
-## kerberos host rcache files.
|
||||
+## Manage the kerberos kdc /var/lib files
|
||||
+## and directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -391,141 +479,88 @@ interface(`kerberos_read_kdc_config',`
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
-interface(`kerberos_manage_host_rcache',`
|
||||
+interface(`kerberos_manage_kdc_var_lib',`
|
||||
gen_require(`
|
||||
- type krb5_host_rcache_t;
|
||||
+ type krb5kdc_var_lib_t;
|
||||
')
|
||||
|
||||
- domain_obj_id_change_exemption($1)
|
||||
-
|
||||
- tunable_policy(`allow_kerberos',`
|
||||
@ -40057,8 +40083,9 @@ index f6c00d8..7b777ab 100644
|
||||
- files_search_tmp($1)
|
||||
- allow $1 krb5_host_rcache_t:file manage_file_perms;
|
||||
- ')
|
||||
+ userdom_search_user_home_dirs($1)
|
||||
+ read_files_pattern($1, krb5_home_t, krb5_home_t)
|
||||
+ files_search_etc($1)
|
||||
+ manage_files_pattern($1, krb5kdc_var_lib_t, krb5kdc_var_lib_t)
|
||||
+ manage_dirs_pattern($1, krb5kdc_var_lib_t, krb5kdc_var_lib_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -40139,14 +40166,14 @@ index f6c00d8..7b777ab 100644
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
-## Domain allowed access.
|
||||
-## </summary>
|
||||
-## </param>
|
||||
-## <param name="role">
|
||||
-## <summary>
|
||||
-## Role allowed access.
|
||||
+## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
-## <param name="role">
|
||||
-## <summary>
|
||||
-## Role allowed access.
|
||||
-## </summary>
|
||||
-## </param>
|
||||
-## <rolecap/>
|
||||
#
|
||||
-interface(`kerberos_admin',`
|
||||
@ -40215,7 +40242,7 @@ index f6c00d8..7b777ab 100644
|
||||
+ kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
|
||||
')
|
||||
diff --git a/kerberos.te b/kerberos.te
|
||||
index 8833d59..462e466 100644
|
||||
index 8833d59..1d0599a 100644
|
||||
--- a/kerberos.te
|
||||
+++ b/kerberos.te
|
||||
@@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0)
|
||||
@ -40234,7 +40261,7 @@ index 8833d59..462e466 100644
|
||||
|
||||
type kadmind_t;
|
||||
type kadmind_exec_t;
|
||||
@@ -35,23 +35,27 @@ init_daemon_domain(kpropd_t, kpropd_exec_t)
|
||||
@@ -35,23 +35,29 @@ init_daemon_domain(kpropd_t, kpropd_exec_t)
|
||||
domain_obj_id_change_exemption(kpropd_t)
|
||||
|
||||
type krb5_conf_t;
|
||||
@ -40261,12 +40288,14 @@ index 8833d59..462e466 100644
|
||||
-files_type(krb5kdc_lock_t)
|
||||
+files_lock_file(krb5kdc_lock_t)
|
||||
|
||||
+type krb5kdc_var_lib_t;
|
||||
+files_type(krb5kdc_var_lib_t)
|
||||
+
|
||||
+# types for KDC principal file(s)
|
||||
type krb5kdc_principal_t;
|
||||
files_type(krb5kdc_principal_t)
|
||||
|
||||
@@ -74,28 +78,33 @@ files_pid_file(krb5kdc_var_run_t)
|
||||
@@ -74,28 +80,33 @@ files_pid_file(krb5kdc_var_run_t)
|
||||
# kadmind local policy
|
||||
#
|
||||
|
||||
@ -40306,7 +40335,7 @@ index 8833d59..462e466 100644
|
||||
manage_dirs_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
|
||||
manage_files_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
|
||||
files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
|
||||
@@ -103,13 +112,15 @@ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
|
||||
@@ -103,13 +114,15 @@ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
|
||||
manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t)
|
||||
files_pid_filetrans(kadmind_t, kadmind_var_run_t, file)
|
||||
|
||||
@ -40325,7 +40354,7 @@ index 8833d59..462e466 100644
|
||||
corenet_all_recvfrom_netlabel(kadmind_t)
|
||||
corenet_tcp_sendrecv_generic_if(kadmind_t)
|
||||
corenet_udp_sendrecv_generic_if(kadmind_t)
|
||||
@@ -119,31 +130,44 @@ corenet_tcp_sendrecv_all_ports(kadmind_t)
|
||||
@@ -119,31 +132,44 @@ corenet_tcp_sendrecv_all_ports(kadmind_t)
|
||||
corenet_udp_sendrecv_all_ports(kadmind_t)
|
||||
corenet_tcp_bind_generic_node(kadmind_t)
|
||||
corenet_udp_bind_generic_node(kadmind_t)
|
||||
@ -40373,7 +40402,7 @@ index 8833d59..462e466 100644
|
||||
sysnet_use_ldap(kadmind_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
|
||||
@@ -154,11 +178,16 @@ optional_policy(`
|
||||
@@ -154,11 +180,16 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -40390,7 +40419,7 @@ index 8833d59..462e466 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -174,24 +203,27 @@ optional_policy(`
|
||||
@@ -174,24 +205,27 @@ optional_policy(`
|
||||
# Krb5kdc local policy
|
||||
#
|
||||
|
||||
@ -40422,17 +40451,19 @@ index 8833d59..462e466 100644
|
||||
logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
|
||||
|
||||
allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;
|
||||
@@ -201,71 +233,76 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
|
||||
@@ -201,71 +235,79 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
|
||||
files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
|
||||
|
||||
manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
|
||||
-files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file)
|
||||
-
|
||||
-can_exec(krb5kdc_t, krb5kdc_exec_t)
|
||||
+manage_sock_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
|
||||
+manage_dirs_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
|
||||
+files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, { dir file sock_file })
|
||||
|
||||
-can_exec(krb5kdc_t, krb5kdc_exec_t)
|
||||
+manage_files_pattern(krb5kdc_t, krb5kdc_var_lib_t, krb5kdc_var_lib_t)
|
||||
+manage_dirs_pattern(krb5kdc_t, krb5kdc_var_lib_t, krb5kdc_var_lib_t)
|
||||
|
||||
kernel_read_system_state(krb5kdc_t)
|
||||
kernel_read_kernel_sysctls(krb5kdc_t)
|
||||
+kernel_list_proc(krb5kdc_t)
|
||||
@ -40514,7 +40545,7 @@ index 8833d59..462e466 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -273,6 +310,10 @@ optional_policy(`
|
||||
@@ -273,6 +315,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -40525,7 +40556,7 @@ index 8833d59..462e466 100644
|
||||
udev_read_db(krb5kdc_t)
|
||||
')
|
||||
|
||||
@@ -281,10 +322,12 @@ optional_policy(`
|
||||
@@ -281,10 +327,12 @@ optional_policy(`
|
||||
# kpropd local policy
|
||||
#
|
||||
|
||||
@ -40541,7 +40572,7 @@ index 8833d59..462e466 100644
|
||||
|
||||
allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
|
||||
|
||||
@@ -301,27 +344,25 @@ manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
|
||||
@@ -301,27 +349,26 @@ manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
|
||||
manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
|
||||
files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
|
||||
|
||||
@ -40558,6 +40589,7 @@ index 8833d59..462e466 100644
|
||||
-corenet_sendrecv_kprop_server_packets(kpropd_t)
|
||||
corenet_tcp_bind_kprop_port(kpropd_t)
|
||||
-corenet_tcp_sendrecv_kprop_port(kpropd_t)
|
||||
+corenet_tcp_connect_kprop_port(kpropd_t)
|
||||
|
||||
dev_read_urand(kpropd_t)
|
||||
|
||||
@ -43365,7 +43397,7 @@ index dd8e01a..9cd6b0b 100644
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
diff --git a/logrotate.te b/logrotate.te
|
||||
index be0ab84..ce57aac 100644
|
||||
index be0ab84..08c168f 100644
|
||||
--- a/logrotate.te
|
||||
+++ b/logrotate.te
|
||||
@@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0)
|
||||
@ -43487,7 +43519,7 @@ index be0ab84..ce57aac 100644
|
||||
files_manage_generic_spool(logrotate_t)
|
||||
files_manage_generic_spool_dirs(logrotate_t)
|
||||
files_getattr_generic_locks(logrotate_t)
|
||||
@@ -95,6 +123,8 @@ mls_process_write_to_clearance(logrotate_t)
|
||||
@@ -95,32 +123,51 @@ mls_process_write_to_clearance(logrotate_t)
|
||||
selinux_get_fs_mount(logrotate_t)
|
||||
selinux_get_enforce_mode(logrotate_t)
|
||||
|
||||
@ -43496,7 +43528,9 @@ index be0ab84..ce57aac 100644
|
||||
auth_manage_login_records(logrotate_t)
|
||||
auth_use_nsswitch(logrotate_t)
|
||||
|
||||
@@ -103,24 +133,40 @@ init_all_labeled_script_domtrans(logrotate_t)
|
||||
init_all_labeled_script_domtrans(logrotate_t)
|
||||
+init_reload_services(logrotate_t)
|
||||
|
||||
logging_manage_all_logs(logrotate_t)
|
||||
logging_send_syslog_msg(logrotate_t)
|
||||
logging_send_audit_msgs(logrotate_t)
|
||||
@ -43543,7 +43577,7 @@ index be0ab84..ce57aac 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -135,16 +181,17 @@ optional_policy(`
|
||||
@@ -135,16 +182,17 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
apache_read_config(logrotate_t)
|
||||
@ -43563,7 +43597,7 @@ index be0ab84..ce57aac 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -170,6 +217,11 @@ optional_policy(`
|
||||
@@ -170,6 +218,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -43575,7 +43609,7 @@ index be0ab84..ce57aac 100644
|
||||
fail2ban_stream_connect(logrotate_t)
|
||||
')
|
||||
|
||||
@@ -178,7 +230,7 @@ optional_policy(`
|
||||
@@ -178,7 +231,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -43584,7 +43618,7 @@ index be0ab84..ce57aac 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -198,17 +250,18 @@ optional_policy(`
|
||||
@@ -198,17 +251,18 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -43606,7 +43640,7 @@ index be0ab84..ce57aac 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -216,6 +269,14 @@ optional_policy(`
|
||||
@@ -216,6 +270,14 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -43621,7 +43655,7 @@ index be0ab84..ce57aac 100644
|
||||
samba_exec_log(logrotate_t)
|
||||
')
|
||||
|
||||
@@ -228,26 +289,43 @@ optional_policy(`
|
||||
@@ -228,26 +290,43 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -44249,7 +44283,7 @@ index d314333..27ede09 100644
|
||||
+ ')
|
||||
')
|
||||
diff --git a/lsm.te b/lsm.te
|
||||
index 4ec0eea..022172c 100644
|
||||
index 4ec0eea..996fdc8 100644
|
||||
--- a/lsm.te
|
||||
+++ b/lsm.te
|
||||
@@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0)
|
||||
@ -44266,7 +44300,7 @@ index 4ec0eea..022172c 100644
|
||||
|
||||
type lsmd_t;
|
||||
type lsmd_exec_t;
|
||||
@@ -12,6 +19,17 @@ init_daemon_domain(lsmd_t, lsmd_exec_t)
|
||||
@@ -12,12 +19,23 @@ init_daemon_domain(lsmd_t, lsmd_exec_t)
|
||||
type lsmd_var_run_t;
|
||||
files_pid_file(lsmd_var_run_t)
|
||||
|
||||
@ -44284,6 +44318,13 @@ index 4ec0eea..022172c 100644
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
|
||||
-allow lsmd_t self:capability setgid;
|
||||
+allow lsmd_t self:capability { setuid setgid };
|
||||
allow lsmd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
|
||||
@@ -26,4 +44,67 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
|
||||
manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
|
||||
files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
|
||||
@ -61205,10 +61246,10 @@ index 0000000..598789a
|
||||
+
|
||||
diff --git a/openhpid.te b/openhpid.te
|
||||
new file mode 100644
|
||||
index 0000000..51acfae
|
||||
index 0000000..ade6576
|
||||
--- /dev/null
|
||||
+++ b/openhpid.te
|
||||
@@ -0,0 +1,47 @@
|
||||
@@ -0,0 +1,52 @@
|
||||
+policy_module(openhpid, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -61254,8 +61295,13 @@ index 0000000..51acfae
|
||||
+corenet_tcp_bind_openhpid_port(openhpid_t)
|
||||
+
|
||||
+dev_read_urand(openhpid_t)
|
||||
+dev_rw_watchdog(openhpid_t)
|
||||
+
|
||||
+logging_send_syslog_msg(openhpid_t)
|
||||
+
|
||||
+miscfiles_read_generic_certs(openhpid_t)
|
||||
+
|
||||
+sysnet_read_config(openhpid_t)
|
||||
diff --git a/openshift-origin.fc b/openshift-origin.fc
|
||||
new file mode 100644
|
||||
index 0000000..30ca148
|
||||
@ -79848,10 +79894,10 @@ index 951db7f..04b6dde 100644
|
||||
+ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf")
|
||||
')
|
||||
diff --git a/raid.te b/raid.te
|
||||
index c99753f..0d4e845 100644
|
||||
index c99753f..f6bd1c6 100644
|
||||
--- a/raid.te
|
||||
+++ b/raid.te
|
||||
@@ -15,54 +15,92 @@ role mdadm_roles types mdadm_t;
|
||||
@@ -15,54 +15,100 @@ role mdadm_roles types mdadm_t;
|
||||
type mdadm_initrc_exec_t;
|
||||
init_script_file(mdadm_initrc_exec_t)
|
||||
|
||||
@ -79862,7 +79908,10 @@ index c99753f..0d4e845 100644
|
||||
+systemd_unit_file(mdadm_unit_file_t)
|
||||
+
|
||||
+type mdadm_tmp_t;
|
||||
+files_tmpfs_file(mdadm_tmp_t)
|
||||
+files_tmp_file(mdadm_tmp_t)
|
||||
+
|
||||
+type mdadm_tmpfs_t;
|
||||
+files_tmpfs_file(mdadm_tmpfs_t)
|
||||
+
|
||||
type mdadm_var_run_t alias mdadm_map_t;
|
||||
files_pid_file(mdadm_var_run_t)
|
||||
@ -79891,6 +79940,10 @@ index c99753f..0d4e845 100644
|
||||
+manage_files_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t)
|
||||
+manage_dirs_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t)
|
||||
+files_tmp_filetrans(mdadm_t, mdadm_tmp_t, file)
|
||||
+
|
||||
+manage_files_pattern(mdadm_t, mdadm_tmpfs_t, mdadm_tmpfs_t)
|
||||
+manage_dirs_pattern(mdadm_t, mdadm_tmpfs_t, mdadm_tmpfs_t)
|
||||
+fs_tmpfs_filetrans(mdadm_t, mdadm_tmpfs_t, { dir file })
|
||||
|
||||
manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
|
||||
manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
|
||||
@ -79935,6 +79988,7 @@ index c99753f..0d4e845 100644
|
||||
+dev_read_generic_files(mdadm_t)
|
||||
+dev_read_generic_usb_dev(mdadm_t)
|
||||
+dev_read_urand(mdadm_t)
|
||||
+dev_read_rand(mdadm_t)
|
||||
+
|
||||
+domain_read_all_domains_state(mdadm_t)
|
||||
domain_use_interactive_fds(mdadm_t)
|
||||
@ -79953,7 +80007,7 @@ index c99753f..0d4e845 100644
|
||||
|
||||
mls_file_read_all_levels(mdadm_t)
|
||||
mls_file_write_all_levels(mdadm_t)
|
||||
@@ -71,15 +109,22 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
|
||||
@@ -71,15 +117,22 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
|
||||
storage_manage_fixed_disk(mdadm_t)
|
||||
storage_read_scsi_generic(mdadm_t)
|
||||
storage_write_scsi_generic(mdadm_t)
|
||||
@ -79977,7 +80031,7 @@ index c99753f..0d4e845 100644
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
|
||||
userdom_dontaudit_search_user_home_content(mdadm_t)
|
||||
@@ -90,17 +135,38 @@ optional_policy(`
|
||||
@@ -90,17 +143,38 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -92507,14 +92561,16 @@ index 0000000..a3319b0
|
||||
+userdom_dontaudit_open_user_ptys(sandbox_x_domain)
|
||||
+
|
||||
diff --git a/sanlock.fc b/sanlock.fc
|
||||
index 3df2a0f..9059165 100644
|
||||
index 3df2a0f..4eb82b8 100644
|
||||
--- a/sanlock.fc
|
||||
+++ b/sanlock.fc
|
||||
@@ -1,7 +1,10 @@
|
||||
@@ -1,7 +1,12 @@
|
||||
+
|
||||
/etc/rc\.d/init\.d/sanlock -- gen_context(system_u:object_r:sanlock_initrc_exec_t,s0)
|
||||
|
||||
-/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0)
|
||||
+/etc/sanlock(/.*)? gen_context(system_u:object_r:sanlock_conf_t,s0)
|
||||
+
|
||||
+/var/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0)
|
||||
+
|
||||
+/var/log/sanlock\.log.* gen_context(system_u:object_r:sanlock_log_t,s0)
|
||||
@ -92661,10 +92717,10 @@ index cd6c213..82a5ff0 100644
|
||||
+ allow $1 sanlock_unit_file_t:service all_service_perms;
|
||||
')
|
||||
diff --git a/sanlock.te b/sanlock.te
|
||||
index 0045465..61da47f 100644
|
||||
index 0045465..2059657 100644
|
||||
--- a/sanlock.te
|
||||
+++ b/sanlock.te
|
||||
@@ -6,21 +6,26 @@ policy_module(sanlock, 1.1.0)
|
||||
@@ -6,25 +6,33 @@ policy_module(sanlock, 1.1.0)
|
||||
#
|
||||
|
||||
## <desc>
|
||||
@ -92699,7 +92755,14 @@ index 0045465..61da47f 100644
|
||||
type sanlock_t;
|
||||
type sanlock_exec_t;
|
||||
init_daemon_domain(sanlock_t, sanlock_exec_t)
|
||||
@@ -34,6 +39,9 @@ logging_log_file(sanlock_log_t)
|
||||
|
||||
+type sanlock_conf_t;
|
||||
+files_config_file(sanlock_conf_t)
|
||||
+
|
||||
type sanlock_var_run_t;
|
||||
files_pid_file(sanlock_var_run_t)
|
||||
|
||||
@@ -34,6 +42,9 @@ logging_log_file(sanlock_log_t)
|
||||
type sanlock_initrc_exec_t;
|
||||
init_script_file(sanlock_initrc_exec_t)
|
||||
|
||||
@ -92709,7 +92772,7 @@ index 0045465..61da47f 100644
|
||||
ifdef(`enable_mcs',`
|
||||
init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mcs_systemhigh)
|
||||
')
|
||||
@@ -44,17 +52,15 @@ ifdef(`enable_mls',`
|
||||
@@ -44,17 +55,18 @@ ifdef(`enable_mls',`
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -92723,6 +92786,9 @@ index 0045465..61da47f 100644
|
||||
allow sanlock_t self:fifo_file rw_fifo_file_perms;
|
||||
-allow sanlock_t self:unix_stream_socket { accept listen };
|
||||
+allow sanlock_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+
|
||||
+manage_files_pattern(sanlock_t, sanlock_conf_t, sanlock_conf_t)
|
||||
+manage_dirs_pattern(sanlock_t, sanlock_conf_t, sanlock_conf_t)
|
||||
|
||||
-append_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
|
||||
-create_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
|
||||
@ -92731,7 +92797,7 @@ index 0045465..61da47f 100644
|
||||
logging_log_filetrans(sanlock_t, sanlock_log_t, file)
|
||||
|
||||
manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
|
||||
@@ -65,13 +71,16 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
|
||||
@@ -65,13 +77,16 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
|
||||
kernel_read_system_state(sanlock_t)
|
||||
kernel_read_kernel_sysctls(sanlock_t)
|
||||
|
||||
@ -92751,7 +92817,7 @@ index 0045465..61da47f 100644
|
||||
auth_use_nsswitch(sanlock_t)
|
||||
|
||||
init_read_utmp(sanlock_t)
|
||||
@@ -79,20 +88,29 @@ init_dontaudit_write_utmp(sanlock_t)
|
||||
@@ -79,20 +94,29 @@ init_dontaudit_write_utmp(sanlock_t)
|
||||
|
||||
logging_send_syslog_msg(sanlock_t)
|
||||
|
||||
@ -92790,7 +92856,7 @@ index 0045465..61da47f 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -100,7 +118,10 @@ optional_policy(`
|
||||
@@ -100,7 +124,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -96334,10 +96400,10 @@ index 0000000..4f4bdb3
|
||||
+/home/(.*/)?\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
|
||||
diff --git a/snapper.if b/snapper.if
|
||||
new file mode 100644
|
||||
index 0000000..5a3cb30
|
||||
index 0000000..ed76979
|
||||
--- /dev/null
|
||||
+++ b/snapper.if
|
||||
@@ -0,0 +1,62 @@
|
||||
@@ -0,0 +1,80 @@
|
||||
+
|
||||
+## <summary>policy for snapperd</summary>
|
||||
+
|
||||
@ -96381,6 +96447,24 @@ index 0000000..5a3cb30
|
||||
+ allow snapperd_t $1:dbus send_msg;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Allow a domain to read inherited snapper pipe.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`snapper_read_inherited_pipe',`
|
||||
+ gen_require(`
|
||||
+ type snapperd_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 snapperd_t:fifo_file read_inherited_file_perms;
|
||||
+')
|
||||
+
|
||||
+#######################################
|
||||
+## <summary>
|
||||
+## Allow domain to create .smapshot
|
||||
@ -101164,7 +101248,7 @@ index 0000000..a6e216c
|
||||
+
|
||||
diff --git a/targetd.te b/targetd.te
|
||||
new file mode 100644
|
||||
index 0000000..a2cb50c
|
||||
index 0000000..6768bda
|
||||
--- /dev/null
|
||||
+++ b/targetd.te
|
||||
@@ -0,0 +1,62 @@
|
||||
@ -101214,8 +101298,8 @@ index 0000000..a2cb50c
|
||||
+
|
||||
+libs_exec_ldconfig(targetd_t)
|
||||
+
|
||||
+storage_getattr_fixed_disk_dev(targetd_t)
|
||||
+storage_getattr_removable_dev(targetd_t)
|
||||
+storage_raw_read_fixed_disk(targetd_t)
|
||||
+storage_raw_read_removable_device(targetd_t)
|
||||
+
|
||||
+sysnet_read_config(targetd_t)
|
||||
+
|
||||
|
||||
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 140%{?dist}
|
||||
Release: 141%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -647,6 +647,37 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Aug 10 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-141
|
||||
- Allow chronyd to execute mkdir command.
|
||||
- Allow chronyd_t to read dhcpc state.
|
||||
- Label /usr/libexec/chrony-helper as chronyd_exec_t
|
||||
- Allow openhpid liboa_soap plugin to read resolv.conf file.
|
||||
- Allow openhpid liboa_soap plugin to read generic certs.
|
||||
- Allow openhpid use libwatchdog plugin. (Allow openhpid_t rw watchdog device)
|
||||
- Allow logrotate to reload services.
|
||||
- Allow apcupsd_t to read /sys/devices
|
||||
- Allow kpropd to connect to kropd tcp port.
|
||||
- Allow lsmd also setuid capability. Some commands need to executed under root privs. Other commands are executed under unprivileged user.
|
||||
- Allow snapperd to pass data (one way only) via pipe negotiated over dbus.
|
||||
- Add snapper_read_inherited_pipe() interface.
|
||||
- Add missing ";" in kerberos.te
|
||||
- Add support for /var/lib/kdcproxy and label it as krb5kdc_var_lib_t. It needs to be accessible by useradd_t.
|
||||
- Add support for /etc/sanlock which is writable by sanlock daemon.
|
||||
- Allow mdadm to access /dev/random and add support to create own files/dirs as mdadm_tmpfs_t.
|
||||
- Add labels for /dev/memory_bandwith and /dev/vhci. Thanks ssekidde
|
||||
- Add interface to read/write watchdog device.
|
||||
- Add transition rule for iptables_var_lib_t
|
||||
- Allow useradd add homedir located in /var/lib/kdcproxy in ipa-server RPM scriplet.
|
||||
- Revert "Allow grubby to manage and create /run/blkid with correct labeling"
|
||||
- Allow grubby to manage and create /run/blkid with correct labeling
|
||||
- Add fstools_filetrans_named_content_fsadm() and call it for named_filetrans_domain domains. We need to be sure that /run/blkid is created with correct labeling.
|
||||
- arping running as netutils_t needs to access /etc/ld.so.cache in MLS.
|
||||
- Allow sysadm to execute systemd-sysctl in the sysadm_t domain. It is needed for ifup command in MLS mode.
|
||||
- Add systemd_exec_sysctl() and systemd_domtrans_sysctl() interfaces.
|
||||
- Allow udev, lvm and fsadm to access systemd-cat in /var/tmp/dracut if 'dracut -fv' is executed in MLS.
|
||||
- Allow admin SELinu users to communicate with kernel_t. It is needed to access /run/systemd/journal/stdout if 'dracut -vf' is executed. We allow it for other SELinux users.
|
||||
- depmod runs as insmod_t and it needs to manage user tmp files which was allowed for depmod_t. It is needed by dracut command for SELinux restrictive policy (confined users, MLS).
|
||||
|
||||
* Wed Aug 05 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-140
|
||||
- firewalld needs to relabel own config files. BZ(#1250537)
|
||||
- Allow rhsmcertd to send signull to unconfined_service
|
||||
|
||||
Loading…
Reference in New Issue
Block a user