- Remove userdom_home_manager for xdm_t and move all rules to xserver.te directly
- Add new xdm_write_home boolean to allow xdm_t to create files in HOME dirs with xdm_home_ - Allow postfix-showq to read/write unix.showq in /var/spool/postfix/pid - Allow virsh to read xen lock file - Allow qemu-ga to create files in /run with proper labeling - Allow glusterd to connect to own socket in /tmp - Allow glance-api to connect to http port to make glance image-create working - Allow keystonte_t to execute rpm
This commit is contained in:
parent
728c6f653e
commit
2d9b83e8dc
@ -23869,10 +23869,10 @@ index 6bf0ecc..f0080ba 100644
|
|||||||
+ files_search_tmp($1)
|
+ files_search_tmp($1)
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
|
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
|
||||||
index 2696452..d6f03e7 100644
|
index 2696452..cb2c21b 100644
|
||||||
--- a/policy/modules/services/xserver.te
|
--- a/policy/modules/services/xserver.te
|
||||||
+++ b/policy/modules/services/xserver.te
|
+++ b/policy/modules/services/xserver.te
|
||||||
@@ -26,27 +26,50 @@ gen_require(`
|
@@ -26,27 +26,57 @@ gen_require(`
|
||||||
#
|
#
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
@ -23914,6 +23914,13 @@ index 2696452..d6f03e7 100644
|
|||||||
-## <p>
|
-## <p>
|
||||||
-## Support X userspace object manager
|
-## Support X userspace object manager
|
||||||
-## </p>
|
-## </p>
|
||||||
|
+## <p>
|
||||||
|
+## Allow the graphical login program to create files in HOME dirs as xdm_home_t.
|
||||||
|
+## </p>
|
||||||
|
+## </desc>
|
||||||
|
+gen_tunable(xdm_write_home, false)
|
||||||
|
+
|
||||||
|
+## <desc>
|
||||||
+## <p>
|
+## <p>
|
||||||
+## Support X userspace object manager
|
+## Support X userspace object manager
|
||||||
+## </p>
|
+## </p>
|
||||||
@ -23932,7 +23939,7 @@ index 2696452..d6f03e7 100644
|
|||||||
attribute x_domain;
|
attribute x_domain;
|
||||||
|
|
||||||
# X Events
|
# X Events
|
||||||
@@ -107,44 +130,54 @@ xserver_object_types_template(remote)
|
@@ -107,44 +137,54 @@ xserver_object_types_template(remote)
|
||||||
xserver_common_x_domain_template(remote, remote_t)
|
xserver_common_x_domain_template(remote, remote_t)
|
||||||
|
|
||||||
type user_fonts_t;
|
type user_fonts_t;
|
||||||
@ -23988,7 +23995,7 @@ index 2696452..d6f03e7 100644
|
|||||||
typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
|
typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
|
||||||
userdom_user_tmp_file(xauth_tmp_t)
|
userdom_user_tmp_file(xauth_tmp_t)
|
||||||
|
|
||||||
@@ -154,19 +187,28 @@ files_type(xconsole_device_t)
|
@@ -154,19 +194,28 @@ files_type(xconsole_device_t)
|
||||||
fs_associate_tmpfs(xconsole_device_t)
|
fs_associate_tmpfs(xconsole_device_t)
|
||||||
files_associate_tmp(xconsole_device_t)
|
files_associate_tmp(xconsole_device_t)
|
||||||
|
|
||||||
@ -24019,7 +24026,7 @@ index 2696452..d6f03e7 100644
|
|||||||
|
|
||||||
type xdm_var_lib_t;
|
type xdm_var_lib_t;
|
||||||
files_type(xdm_var_lib_t)
|
files_type(xdm_var_lib_t)
|
||||||
@@ -174,13 +216,27 @@ files_type(xdm_var_lib_t)
|
@@ -174,13 +223,27 @@ files_type(xdm_var_lib_t)
|
||||||
type xdm_var_run_t;
|
type xdm_var_run_t;
|
||||||
files_pid_file(xdm_var_run_t)
|
files_pid_file(xdm_var_run_t)
|
||||||
|
|
||||||
@ -24048,7 +24055,7 @@ index 2696452..d6f03e7 100644
|
|||||||
# type for /var/lib/xkb
|
# type for /var/lib/xkb
|
||||||
type xkb_var_lib_t;
|
type xkb_var_lib_t;
|
||||||
files_type(xkb_var_lib_t)
|
files_type(xkb_var_lib_t)
|
||||||
@@ -193,14 +249,12 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
|
@@ -193,14 +256,12 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
|
||||||
init_system_domain(xserver_t, xserver_exec_t)
|
init_system_domain(xserver_t, xserver_exec_t)
|
||||||
ubac_constrained(xserver_t)
|
ubac_constrained(xserver_t)
|
||||||
|
|
||||||
@ -24067,7 +24074,7 @@ index 2696452..d6f03e7 100644
|
|||||||
userdom_user_tmpfs_file(xserver_tmpfs_t)
|
userdom_user_tmpfs_file(xserver_tmpfs_t)
|
||||||
|
|
||||||
type xsession_exec_t;
|
type xsession_exec_t;
|
||||||
@@ -225,21 +279,33 @@ optional_policy(`
|
@@ -225,21 +286,33 @@ optional_policy(`
|
||||||
#
|
#
|
||||||
|
|
||||||
allow iceauth_t iceauth_home_t:file manage_file_perms;
|
allow iceauth_t iceauth_home_t:file manage_file_perms;
|
||||||
@ -24110,7 +24117,7 @@ index 2696452..d6f03e7 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -247,48 +313,83 @@ tunable_policy(`use_samba_home_dirs',`
|
@@ -247,48 +320,83 @@ tunable_policy(`use_samba_home_dirs',`
|
||||||
# Xauth local policy
|
# Xauth local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -24194,18 +24201,18 @@ index 2696452..d6f03e7 100644
|
|||||||
+ifdef(`hide_broken_symptoms',`
|
+ifdef(`hide_broken_symptoms',`
|
||||||
+ term_dontaudit_use_unallocated_ttys(xauth_t)
|
+ term_dontaudit_use_unallocated_ttys(xauth_t)
|
||||||
+ dev_dontaudit_rw_dri(xauth_t)
|
+ dev_dontaudit_rw_dri(xauth_t)
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
+ nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
|
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
|
+ nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
+ ssh_use_ptys(xauth_t)
|
+ ssh_use_ptys(xauth_t)
|
||||||
ssh_sigchld(xauth_t)
|
ssh_sigchld(xauth_t)
|
||||||
ssh_read_pipes(xauth_t)
|
ssh_read_pipes(xauth_t)
|
||||||
ssh_dontaudit_rw_tcp_sockets(xauth_t)
|
ssh_dontaudit_rw_tcp_sockets(xauth_t)
|
||||||
@@ -299,64 +400,106 @@ optional_policy(`
|
@@ -299,64 +407,106 @@ optional_policy(`
|
||||||
# XDM Local policy
|
# XDM Local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -24322,7 +24329,7 @@ index 2696452..d6f03e7 100644
|
|||||||
|
|
||||||
# connect to xdm xserver over stream socket
|
# connect to xdm xserver over stream socket
|
||||||
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
||||||
@@ -365,20 +508,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
@@ -365,20 +515,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
||||||
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
|
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
|
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
|
|
||||||
@ -24352,7 +24359,7 @@ index 2696452..d6f03e7 100644
|
|||||||
corenet_all_recvfrom_netlabel(xdm_t)
|
corenet_all_recvfrom_netlabel(xdm_t)
|
||||||
corenet_tcp_sendrecv_generic_if(xdm_t)
|
corenet_tcp_sendrecv_generic_if(xdm_t)
|
||||||
corenet_udp_sendrecv_generic_if(xdm_t)
|
corenet_udp_sendrecv_generic_if(xdm_t)
|
||||||
@@ -388,38 +538,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
|
@@ -388,38 +545,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
|
||||||
corenet_udp_sendrecv_all_ports(xdm_t)
|
corenet_udp_sendrecv_all_ports(xdm_t)
|
||||||
corenet_tcp_bind_generic_node(xdm_t)
|
corenet_tcp_bind_generic_node(xdm_t)
|
||||||
corenet_udp_bind_generic_node(xdm_t)
|
corenet_udp_bind_generic_node(xdm_t)
|
||||||
@ -24405,7 +24412,7 @@ index 2696452..d6f03e7 100644
|
|||||||
|
|
||||||
files_read_etc_files(xdm_t)
|
files_read_etc_files(xdm_t)
|
||||||
files_read_var_files(xdm_t)
|
files_read_var_files(xdm_t)
|
||||||
@@ -430,9 +590,28 @@ files_list_mnt(xdm_t)
|
@@ -430,9 +597,28 @@ files_list_mnt(xdm_t)
|
||||||
files_read_usr_files(xdm_t)
|
files_read_usr_files(xdm_t)
|
||||||
# Poweroff wants to create the /poweroff file when run from xdm
|
# Poweroff wants to create the /poweroff file when run from xdm
|
||||||
files_create_boot_flag(xdm_t)
|
files_create_boot_flag(xdm_t)
|
||||||
@ -24434,7 +24441,7 @@ index 2696452..d6f03e7 100644
|
|||||||
|
|
||||||
storage_dontaudit_read_fixed_disk(xdm_t)
|
storage_dontaudit_read_fixed_disk(xdm_t)
|
||||||
storage_dontaudit_write_fixed_disk(xdm_t)
|
storage_dontaudit_write_fixed_disk(xdm_t)
|
||||||
@@ -441,28 +620,43 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
|
@@ -441,28 +627,43 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
|
||||||
storage_dontaudit_raw_write_removable_device(xdm_t)
|
storage_dontaudit_raw_write_removable_device(xdm_t)
|
||||||
storage_dontaudit_setattr_removable_dev(xdm_t)
|
storage_dontaudit_setattr_removable_dev(xdm_t)
|
||||||
storage_dontaudit_rw_scsi_generic(xdm_t)
|
storage_dontaudit_rw_scsi_generic(xdm_t)
|
||||||
@ -24481,7 +24488,7 @@ index 2696452..d6f03e7 100644
|
|||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
|
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
|
||||||
userdom_create_all_users_keys(xdm_t)
|
userdom_create_all_users_keys(xdm_t)
|
||||||
@@ -471,24 +665,43 @@ userdom_read_user_home_content_files(xdm_t)
|
@@ -471,24 +672,144 @@ userdom_read_user_home_content_files(xdm_t)
|
||||||
# Search /proc for any user domain processes.
|
# Search /proc for any user domain processes.
|
||||||
userdom_read_all_users_state(xdm_t)
|
userdom_read_all_users_state(xdm_t)
|
||||||
userdom_signal_all_users(xdm_t)
|
userdom_signal_all_users(xdm_t)
|
||||||
@ -24490,7 +24497,108 @@ index 2696452..d6f03e7 100644
|
|||||||
+userdom_manage_user_tmp_files(xdm_t)
|
+userdom_manage_user_tmp_files(xdm_t)
|
||||||
+userdom_manage_user_tmp_sockets(xdm_t)
|
+userdom_manage_user_tmp_sockets(xdm_t)
|
||||||
+userdom_manage_tmpfs_role(system_r, xdm_t)
|
+userdom_manage_tmpfs_role(system_r, xdm_t)
|
||||||
+userdom_home_manager(xdm_t)
|
+
|
||||||
|
+#userdom_home_manager(xdm_t)
|
||||||
|
+tunable_policy(`xdm_write_home',`
|
||||||
|
+ userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file)
|
||||||
|
+',`
|
||||||
|
+ userdom_user_home_dir_filetrans_user_home_content(xdm_t, { dir file lnk_file fifo_file sock_file })
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+tunable_policy(`use_nfs_home_dirs',`
|
||||||
|
+ fs_list_auto_mountpoints(xdm_t)
|
||||||
|
+ fs_manage_nfs_dirs(xdm_t)
|
||||||
|
+ fs_manage_nfs_files(xdm_t)
|
||||||
|
+ fs_manage_nfs_symlinks(xdm_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+tunable_policy(`use_samba_home_dirs',`
|
||||||
|
+ fs_manage_cifs_dirs(xdm_t)
|
||||||
|
+ fs_manage_cifs_files(xdm_t)
|
||||||
|
+ fs_manage_cifs_symlinks(xdm_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+tunable_policy(`use_fusefs_home_dirs',`
|
||||||
|
+ fs_manage_fusefs_dirs(xdm_t)
|
||||||
|
+ fs_manage_fusefs_files(xdm_t)
|
||||||
|
+ fs_manage_fusefs_symlinks(xdm_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+tunable_policy(`use_ecryptfs_home_dirs',`
|
||||||
|
+ fs_manage_ecryptfs_dirs(xdm_t)
|
||||||
|
+ fs_manage_ecryptfs_files(xdm_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+### filename transitions ###
|
||||||
|
+userdom_filetrans_generic_home_content(xdm_t)
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ gnome_config_filetrans(xdm_t, home_cert_t, dir, "certificates")
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ apache_filetrans_home_content(xdm_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ auth_filetrans_home_content(xdm_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ gnome_filetrans_home_content(xdm_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ gpg_filetrans_home_content(xdm_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ irc_filetrans_home_content(xdm_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ kerberos_filetrans_home_content(xdm_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ mozilla_filetrans_home_content(xdm_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ mta_filetrans_home_content(xdm_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ pulseaudio_filetrans_home_content(xdm_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ spamassassin_filetrans_home_content(xdm_t)
|
||||||
|
+ spamassassin_filetrans_admin_home_content(xdm_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ ssh_filetrans_admin_home_content(xdm_t)
|
||||||
|
+ ssh_filetrans_home_content(xdm_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ telepathy_filetrans_home_content(xdm_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ thumb_filetrans_home_content(xdm_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ tvtime_filetrans_home_content(xdm_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ virt_filetrans_home_content(xdm_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+### end of filename transitions ###
|
||||||
+
|
+
|
||||||
+application_signal(xdm_t)
|
+application_signal(xdm_t)
|
||||||
|
|
||||||
@ -24531,7 +24639,7 @@ index 2696452..d6f03e7 100644
|
|||||||
tunable_policy(`xdm_sysadm_login',`
|
tunable_policy(`xdm_sysadm_login',`
|
||||||
userdom_xsession_spec_domtrans_all_users(xdm_t)
|
userdom_xsession_spec_domtrans_all_users(xdm_t)
|
||||||
# FIXME:
|
# FIXME:
|
||||||
@@ -502,11 +715,26 @@ tunable_policy(`xdm_sysadm_login',`
|
@@ -502,11 +823,26 @@ tunable_policy(`xdm_sysadm_login',`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -24558,7 +24666,7 @@ index 2696452..d6f03e7 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -514,12 +742,72 @@ optional_policy(`
|
@@ -514,12 +850,72 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -24619,7 +24727,7 @@ index 2696452..d6f03e7 100644
|
|||||||
+ gnome_exec_keyringd(xdm_t)
|
+ gnome_exec_keyringd(xdm_t)
|
||||||
+ gnome_manage_config(xdm_t)
|
+ gnome_manage_config(xdm_t)
|
||||||
+ gnome_manage_gconf_home_files(xdm_t)
|
+ gnome_manage_gconf_home_files(xdm_t)
|
||||||
+ gnome_filetrans_home_content(xdm_t)
|
+ #gnome_filetrans_home_content(xdm_t)
|
||||||
+ gnome_read_config(xdm_t)
|
+ gnome_read_config(xdm_t)
|
||||||
+ gnome_read_usr_config(xdm_t)
|
+ gnome_read_usr_config(xdm_t)
|
||||||
+ gnome_read_gconf_config(xdm_t)
|
+ gnome_read_gconf_config(xdm_t)
|
||||||
@ -24631,7 +24739,7 @@ index 2696452..d6f03e7 100644
|
|||||||
hostname_exec(xdm_t)
|
hostname_exec(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -537,28 +825,78 @@ optional_policy(`
|
@@ -537,28 +933,78 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -24719,7 +24827,7 @@ index 2696452..d6f03e7 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -570,6 +908,14 @@ optional_policy(`
|
@@ -570,6 +1016,14 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -24734,7 +24842,7 @@ index 2696452..d6f03e7 100644
|
|||||||
xfs_stream_connect(xdm_t)
|
xfs_stream_connect(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -594,8 +940,11 @@ allow xserver_t input_xevent_t:x_event send;
|
@@ -594,8 +1048,11 @@ allow xserver_t input_xevent_t:x_event send;
|
||||||
# execheap needed until the X module loader is fixed.
|
# execheap needed until the X module loader is fixed.
|
||||||
# NVIDIA Needs execstack
|
# NVIDIA Needs execstack
|
||||||
|
|
||||||
@ -24747,7 +24855,7 @@ index 2696452..d6f03e7 100644
|
|||||||
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||||
allow xserver_t self:fd use;
|
allow xserver_t self:fd use;
|
||||||
allow xserver_t self:fifo_file rw_fifo_file_perms;
|
allow xserver_t self:fifo_file rw_fifo_file_perms;
|
||||||
@@ -608,8 +957,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
|
@@ -608,8 +1065,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||||
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||||
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow xserver_t self:udp_socket create_socket_perms;
|
allow xserver_t self:udp_socket create_socket_perms;
|
||||||
@ -24763,7 +24871,7 @@ index 2696452..d6f03e7 100644
|
|||||||
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
@@ -617,6 +973,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
|
@@ -617,6 +1081,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
|
||||||
|
|
||||||
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
|
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
|
||||||
|
|
||||||
@ -24774,7 +24882,7 @@ index 2696452..d6f03e7 100644
|
|||||||
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||||
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||||
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||||
@@ -628,12 +988,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
@@ -628,12 +1096,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||||
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||||
files_search_var_lib(xserver_t)
|
files_search_var_lib(xserver_t)
|
||||||
|
|
||||||
@ -24796,7 +24904,7 @@ index 2696452..d6f03e7 100644
|
|||||||
|
|
||||||
kernel_read_system_state(xserver_t)
|
kernel_read_system_state(xserver_t)
|
||||||
kernel_read_device_sysctls(xserver_t)
|
kernel_read_device_sysctls(xserver_t)
|
||||||
@@ -641,12 +1008,12 @@ kernel_read_modprobe_sysctls(xserver_t)
|
@@ -641,12 +1116,12 @@ kernel_read_modprobe_sysctls(xserver_t)
|
||||||
# Xorg wants to check if kernel is tainted
|
# Xorg wants to check if kernel is tainted
|
||||||
kernel_read_kernel_sysctls(xserver_t)
|
kernel_read_kernel_sysctls(xserver_t)
|
||||||
kernel_write_proc_files(xserver_t)
|
kernel_write_proc_files(xserver_t)
|
||||||
@ -24810,7 +24918,7 @@ index 2696452..d6f03e7 100644
|
|||||||
corenet_all_recvfrom_netlabel(xserver_t)
|
corenet_all_recvfrom_netlabel(xserver_t)
|
||||||
corenet_tcp_sendrecv_generic_if(xserver_t)
|
corenet_tcp_sendrecv_generic_if(xserver_t)
|
||||||
corenet_udp_sendrecv_generic_if(xserver_t)
|
corenet_udp_sendrecv_generic_if(xserver_t)
|
||||||
@@ -667,23 +1034,27 @@ dev_rw_apm_bios(xserver_t)
|
@@ -667,23 +1142,27 @@ dev_rw_apm_bios(xserver_t)
|
||||||
dev_rw_agp(xserver_t)
|
dev_rw_agp(xserver_t)
|
||||||
dev_rw_framebuffer(xserver_t)
|
dev_rw_framebuffer(xserver_t)
|
||||||
dev_manage_dri_dev(xserver_t)
|
dev_manage_dri_dev(xserver_t)
|
||||||
@ -24841,7 +24949,7 @@ index 2696452..d6f03e7 100644
|
|||||||
|
|
||||||
# brought on by rhgb
|
# brought on by rhgb
|
||||||
files_search_mnt(xserver_t)
|
files_search_mnt(xserver_t)
|
||||||
@@ -694,7 +1065,16 @@ fs_getattr_xattr_fs(xserver_t)
|
@@ -694,7 +1173,16 @@ fs_getattr_xattr_fs(xserver_t)
|
||||||
fs_search_nfs(xserver_t)
|
fs_search_nfs(xserver_t)
|
||||||
fs_search_auto_mountpoints(xserver_t)
|
fs_search_auto_mountpoints(xserver_t)
|
||||||
fs_search_ramfs(xserver_t)
|
fs_search_ramfs(xserver_t)
|
||||||
@ -24859,7 +24967,7 @@ index 2696452..d6f03e7 100644
|
|||||||
mls_xwin_read_to_clearance(xserver_t)
|
mls_xwin_read_to_clearance(xserver_t)
|
||||||
|
|
||||||
selinux_validate_context(xserver_t)
|
selinux_validate_context(xserver_t)
|
||||||
@@ -708,20 +1088,18 @@ init_getpgid(xserver_t)
|
@@ -708,20 +1196,18 @@ init_getpgid(xserver_t)
|
||||||
term_setattr_unallocated_ttys(xserver_t)
|
term_setattr_unallocated_ttys(xserver_t)
|
||||||
term_use_unallocated_ttys(xserver_t)
|
term_use_unallocated_ttys(xserver_t)
|
||||||
|
|
||||||
@ -24883,7 +24991,7 @@ index 2696452..d6f03e7 100644
|
|||||||
|
|
||||||
userdom_search_user_home_dirs(xserver_t)
|
userdom_search_user_home_dirs(xserver_t)
|
||||||
userdom_use_user_ttys(xserver_t)
|
userdom_use_user_ttys(xserver_t)
|
||||||
@@ -729,8 +1107,6 @@ userdom_setattr_user_ttys(xserver_t)
|
@@ -729,8 +1215,6 @@ userdom_setattr_user_ttys(xserver_t)
|
||||||
userdom_read_user_tmp_files(xserver_t)
|
userdom_read_user_tmp_files(xserver_t)
|
||||||
userdom_rw_user_tmpfs_files(xserver_t)
|
userdom_rw_user_tmpfs_files(xserver_t)
|
||||||
|
|
||||||
@ -24892,7 +25000,7 @@ index 2696452..d6f03e7 100644
|
|||||||
ifndef(`distro_redhat',`
|
ifndef(`distro_redhat',`
|
||||||
allow xserver_t self:process { execmem execheap execstack };
|
allow xserver_t self:process { execmem execheap execstack };
|
||||||
domain_mmap_low_uncond(xserver_t)
|
domain_mmap_low_uncond(xserver_t)
|
||||||
@@ -775,16 +1151,44 @@ optional_policy(`
|
@@ -775,16 +1259,44 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -24938,7 +25046,7 @@ index 2696452..d6f03e7 100644
|
|||||||
unconfined_domtrans(xserver_t)
|
unconfined_domtrans(xserver_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -793,6 +1197,10 @@ optional_policy(`
|
@@ -793,6 +1305,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -24949,7 +25057,7 @@ index 2696452..d6f03e7 100644
|
|||||||
xfs_stream_connect(xserver_t)
|
xfs_stream_connect(xserver_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -808,10 +1216,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
|
@@ -808,10 +1324,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
|
||||||
|
|
||||||
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
|
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
|
||||||
# handle of a file inside the dir!!!
|
# handle of a file inside the dir!!!
|
||||||
@ -24963,7 +25071,7 @@ index 2696452..d6f03e7 100644
|
|||||||
|
|
||||||
# Label pid and temporary files with derived types.
|
# Label pid and temporary files with derived types.
|
||||||
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||||
@@ -819,7 +1227,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
@@ -819,7 +1335,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||||
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||||
|
|
||||||
# Run xkbcomp.
|
# Run xkbcomp.
|
||||||
@ -24972,7 +25080,7 @@ index 2696452..d6f03e7 100644
|
|||||||
can_exec(xserver_t, xkb_var_lib_t)
|
can_exec(xserver_t, xkb_var_lib_t)
|
||||||
|
|
||||||
# VNC v4 module in X server
|
# VNC v4 module in X server
|
||||||
@@ -832,26 +1240,21 @@ init_use_fds(xserver_t)
|
@@ -832,26 +1348,21 @@ init_use_fds(xserver_t)
|
||||||
# to read ROLE_home_t - examine this in more detail
|
# to read ROLE_home_t - examine this in more detail
|
||||||
# (xauth?)
|
# (xauth?)
|
||||||
userdom_read_user_home_content_files(xserver_t)
|
userdom_read_user_home_content_files(xserver_t)
|
||||||
@ -25007,7 +25115,7 @@ index 2696452..d6f03e7 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -902,7 +1305,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
|
@@ -902,7 +1413,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
|
||||||
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
|
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
|
||||||
# operations allowed on my windows
|
# operations allowed on my windows
|
||||||
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
||||||
@ -25016,7 +25124,7 @@ index 2696452..d6f03e7 100644
|
|||||||
# operations allowed on all windows
|
# operations allowed on all windows
|
||||||
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
|
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
|
||||||
|
|
||||||
@@ -956,11 +1359,31 @@ allow x_domain self:x_resource { read write };
|
@@ -956,11 +1467,31 @@ allow x_domain self:x_resource { read write };
|
||||||
# can mess with the screensaver
|
# can mess with the screensaver
|
||||||
allow x_domain xserver_t:x_screen { getattr saver_getattr };
|
allow x_domain xserver_t:x_screen { getattr saver_getattr };
|
||||||
|
|
||||||
@ -25048,7 +25156,7 @@ index 2696452..d6f03e7 100644
|
|||||||
tunable_policy(`! xserver_object_manager',`
|
tunable_policy(`! xserver_object_manager',`
|
||||||
# should be xserver_unconfined(x_domain),
|
# should be xserver_unconfined(x_domain),
|
||||||
# but typeattribute doesnt work in conditionals
|
# but typeattribute doesnt work in conditionals
|
||||||
@@ -982,18 +1405,40 @@ tunable_policy(`! xserver_object_manager',`
|
@@ -982,18 +1513,41 @@ tunable_policy(`! xserver_object_manager',`
|
||||||
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
|
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -25104,6 +25212,7 @@ index 2696452..d6f03e7 100644
|
|||||||
+ domtrans_pattern(xdm_t, xdm_unconfined_exec_t, xdm_unconfined_t)
|
+ domtrans_pattern(xdm_t, xdm_unconfined_exec_t, xdm_unconfined_t)
|
||||||
+ unconfined_domain(xdm_unconfined_t)
|
+ unconfined_domain(xdm_unconfined_t)
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if
|
diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if
|
||||||
index 1b6619e..be02b96 100644
|
index 1b6619e..be02b96 100644
|
||||||
--- a/policy/modules/system/application.if
|
--- a/policy/modules/system/application.if
|
||||||
@ -39212,7 +39321,7 @@ index db75976..65191bd 100644
|
|||||||
+
|
+
|
||||||
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
|
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
|
||||||
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
|
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
|
||||||
index 3c5dba7..df7407b 100644
|
index 3c5dba7..e27d755 100644
|
||||||
--- a/policy/modules/system/userdomain.if
|
--- a/policy/modules/system/userdomain.if
|
||||||
+++ b/policy/modules/system/userdomain.if
|
+++ b/policy/modules/system/userdomain.if
|
||||||
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
|
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
|
||||||
@ -41879,7 +41988,7 @@ index 3c5dba7..df7407b 100644
|
|||||||
## Create keys for all user domains.
|
## Create keys for all user domains.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -3438,4 +4197,1390 @@ interface(`userdom_dbus_send_all_users',`
|
@@ -3438,4 +4197,1415 @@ interface(`userdom_dbus_send_all_users',`
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 userdomain:dbus send_msg;
|
allow $1 userdomain:dbus send_msg;
|
||||||
@ -43269,6 +43378,31 @@ index 3c5dba7..df7407b 100644
|
|||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ filetrans_pattern($1, user_tmpfs_t, $2, $3, $4)
|
+ filetrans_pattern($1, user_tmpfs_t, $2, $3, $4)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+######################################
|
||||||
|
+## <summary>
|
||||||
|
+## File name transition for generic home content files.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`userdom_filetrans_generic_home_content',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type home_bin_t;
|
||||||
|
+ type audio_home_t;
|
||||||
|
+ type home_cert_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ userdom_user_home_dir_filetrans($1, home_bin_t, dir, "bin")
|
||||||
|
+ userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Audio")
|
||||||
|
+ userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Music")
|
||||||
|
+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert")
|
||||||
|
+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki")
|
||||||
|
+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates")
|
||||||
')
|
')
|
||||||
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
|
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
|
||||||
index e2b538b..2582882 100644
|
index e2b538b..2582882 100644
|
||||||
|
@ -23993,7 +23993,7 @@ index 9eacb2c..229782f 100644
|
|||||||
init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
|
init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
|
||||||
domain_system_change_exemption($1)
|
domain_system_change_exemption($1)
|
||||||
diff --git a/glance.te b/glance.te
|
diff --git a/glance.te b/glance.te
|
||||||
index e0a4f46..0a1aec6 100644
|
index e0a4f46..16c0ddd 100644
|
||||||
--- a/glance.te
|
--- a/glance.te
|
||||||
+++ b/glance.te
|
+++ b/glance.te
|
||||||
@@ -7,8 +7,7 @@ policy_module(glance, 1.0.2)
|
@@ -7,8 +7,7 @@ policy_module(glance, 1.0.2)
|
||||||
@ -24072,7 +24072,7 @@ index e0a4f46..0a1aec6 100644
|
|||||||
|
|
||||||
logging_send_syslog_msg(glance_registry_t)
|
logging_send_syslog_msg(glance_registry_t)
|
||||||
|
|
||||||
@@ -108,13 +110,20 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
|
@@ -108,13 +110,21 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
|
||||||
files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
|
files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
|
||||||
can_exec(glance_api_t, glance_tmp_t)
|
can_exec(glance_api_t, glance_tmp_t)
|
||||||
|
|
||||||
@ -24087,6 +24087,7 @@ index e0a4f46..0a1aec6 100644
|
|||||||
corenet_sendrecv_glance_registry_client_packets(glance_api_t)
|
corenet_sendrecv_glance_registry_client_packets(glance_api_t)
|
||||||
corenet_tcp_connect_glance_registry_port(glance_api_t)
|
corenet_tcp_connect_glance_registry_port(glance_api_t)
|
||||||
+corenet_tcp_connect_mysqld_port(glance_api_t)
|
+corenet_tcp_connect_mysqld_port(glance_api_t)
|
||||||
|
+corenet_tcp_connect_http_port(glance_api_t)
|
||||||
+
|
+
|
||||||
+corenet_tcp_connect_all_ephemeral_ports(glance_api_t)
|
+corenet_tcp_connect_all_ephemeral_ports(glance_api_t)
|
||||||
+
|
+
|
||||||
@ -24278,7 +24279,7 @@ index 0000000..1ed97fe
|
|||||||
+
|
+
|
||||||
diff --git a/glusterd.te b/glusterd.te
|
diff --git a/glusterd.te b/glusterd.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..190dcb1
|
index 0000000..735cc94
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/glusterd.te
|
+++ b/glusterd.te
|
||||||
@@ -0,0 +1,146 @@
|
@@ -0,0 +1,146 @@
|
||||||
@ -24343,7 +24344,7 @@ index 0000000..190dcb1
|
|||||||
+allow glusterd_t self:process { setrlimit signal };
|
+allow glusterd_t self:process { setrlimit signal };
|
||||||
+allow glusterd_t self:fifo_file rw_fifo_file_perms;
|
+allow glusterd_t self:fifo_file rw_fifo_file_perms;
|
||||||
+allow glusterd_t self:tcp_socket { accept listen };
|
+allow glusterd_t self:tcp_socket { accept listen };
|
||||||
+allow glusterd_t self:unix_stream_socket { accept listen };
|
+allow glusterd_t self:unix_stream_socket { accept listen connectto };
|
||||||
+
|
+
|
||||||
+manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
|
+manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
|
||||||
+manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
|
+manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
|
||||||
@ -31941,7 +31942,7 @@ index d3e7fc9..f20248c 100644
|
|||||||
+ ')
|
+ ')
|
||||||
')
|
')
|
||||||
diff --git a/keystone.te b/keystone.te
|
diff --git a/keystone.te b/keystone.te
|
||||||
index 3494d9b..124a2ab 100644
|
index 3494d9b..a82637c 100644
|
||||||
--- a/keystone.te
|
--- a/keystone.te
|
||||||
+++ b/keystone.te
|
+++ b/keystone.te
|
||||||
@@ -21,10 +21,14 @@ files_type(keystone_var_lib_t)
|
@@ -21,10 +21,14 @@ files_type(keystone_var_lib_t)
|
||||||
@ -31959,7 +31960,7 @@ index 3494d9b..124a2ab 100644
|
|||||||
|
|
||||||
allow keystone_t self:fifo_file rw_fifo_file_perms;
|
allow keystone_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow keystone_t self:unix_stream_socket { accept listen };
|
allow keystone_t self:unix_stream_socket { accept listen };
|
||||||
@@ -57,20 +61,25 @@ corenet_all_recvfrom_netlabel(keystone_t)
|
@@ -57,20 +61,29 @@ corenet_all_recvfrom_netlabel(keystone_t)
|
||||||
corenet_tcp_sendrecv_generic_if(keystone_t)
|
corenet_tcp_sendrecv_generic_if(keystone_t)
|
||||||
corenet_tcp_sendrecv_generic_node(keystone_t)
|
corenet_tcp_sendrecv_generic_node(keystone_t)
|
||||||
corenet_tcp_bind_generic_node(keystone_t)
|
corenet_tcp_bind_generic_node(keystone_t)
|
||||||
@ -31988,6 +31989,10 @@ index 3494d9b..124a2ab 100644
|
|||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ postgresql_stream_connect(keystone_t)
|
+ postgresql_stream_connect(keystone_t)
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ rpm_exec(keystone_t)
|
||||||
|
+')
|
||||||
diff --git a/kismet.if b/kismet.if
|
diff --git a/kismet.if b/kismet.if
|
||||||
index aa2a337..7ff229f 100644
|
index aa2a337..7ff229f 100644
|
||||||
--- a/kismet.if
|
--- a/kismet.if
|
||||||
@ -55192,7 +55197,7 @@ index 2e23946..589bbf2 100644
|
|||||||
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
|
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
|
||||||
')
|
')
|
||||||
diff --git a/postfix.te b/postfix.te
|
diff --git a/postfix.te b/postfix.te
|
||||||
index 191a66f..056b316 100644
|
index 191a66f..a9c1d4b 100644
|
||||||
--- a/postfix.te
|
--- a/postfix.te
|
||||||
+++ b/postfix.te
|
+++ b/postfix.te
|
||||||
@@ -1,4 +1,4 @@
|
@@ -1,4 +1,4 @@
|
||||||
@ -55864,7 +55869,7 @@ index 191a66f..056b316 100644
|
|||||||
|
|
||||||
init_sigchld_script(postfix_postqueue_t)
|
init_sigchld_script(postfix_postqueue_t)
|
||||||
init_use_script_fds(postfix_postqueue_t)
|
init_use_script_fds(postfix_postqueue_t)
|
||||||
@@ -647,67 +577,77 @@ optional_policy(`
|
@@ -647,67 +577,78 @@ optional_policy(`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -55910,11 +55915,12 @@ index 191a66f..056b316 100644
|
|||||||
+allow postfix_showq_t self:tcp_socket create_socket_perms;
|
+allow postfix_showq_t self:tcp_socket create_socket_perms;
|
||||||
|
|
||||||
allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
|
allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
|
||||||
|
+rw_files_pattern(postfix_showq_t, postfix_var_run_t, postfix_var_run_t)
|
||||||
|
+
|
||||||
+allow postfix_showq_t postfix_spool_t:file read_file_perms;
|
+allow postfix_showq_t postfix_spool_t:file read_file_perms;
|
||||||
+
|
+
|
||||||
+postfix_list_spool(postfix_showq_t)
|
+postfix_list_spool(postfix_showq_t)
|
||||||
+
|
|
||||||
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
|
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
|
||||||
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
|
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
|
||||||
allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
|
allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
|
||||||
@ -55960,7 +55966,7 @@ index 191a66f..056b316 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -720,24 +660,27 @@ optional_policy(`
|
@@ -720,24 +661,27 @@ optional_policy(`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -55994,7 +56000,7 @@ index 191a66f..056b316 100644
|
|||||||
fs_getattr_all_dirs(postfix_smtpd_t)
|
fs_getattr_all_dirs(postfix_smtpd_t)
|
||||||
fs_getattr_all_fs(postfix_smtpd_t)
|
fs_getattr_all_fs(postfix_smtpd_t)
|
||||||
|
|
||||||
@@ -754,6 +697,7 @@ optional_policy(`
|
@@ -754,6 +698,7 @@ optional_policy(`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
milter_stream_connect_all(postfix_smtpd_t)
|
milter_stream_connect_all(postfix_smtpd_t)
|
||||||
@ -56002,7 +56008,7 @@ index 191a66f..056b316 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -764,31 +708,99 @@ optional_policy(`
|
@@ -764,31 +709,99 @@ optional_policy(`
|
||||||
sasl_connect(postfix_smtpd_t)
|
sasl_connect(postfix_smtpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -63868,7 +63874,7 @@ index 04babe3..3b92679 100644
|
|||||||
+
|
+
|
||||||
+/var/lib/ipa-client(/.*)? gen_context(system_u:object_r:realmd_var_lib_t,s0)
|
+/var/lib/ipa-client(/.*)? gen_context(system_u:object_r:realmd_var_lib_t,s0)
|
||||||
diff --git a/realmd.if b/realmd.if
|
diff --git a/realmd.if b/realmd.if
|
||||||
index bff31df..041893c 100644
|
index bff31df..3b5faf0 100644
|
||||||
--- a/realmd.if
|
--- a/realmd.if
|
||||||
+++ b/realmd.if
|
+++ b/realmd.if
|
||||||
@@ -1,8 +1,9 @@
|
@@ -1,8 +1,9 @@
|
||||||
@ -63883,7 +63889,7 @@ index bff31df..041893c 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -39,3 +40,86 @@ interface(`realmd_dbus_chat',`
|
@@ -39,3 +40,80 @@ interface(`realmd_dbus_chat',`
|
||||||
allow $1 realmd_t:dbus send_msg;
|
allow $1 realmd_t:dbus send_msg;
|
||||||
allow realmd_t $1:dbus send_msg;
|
allow realmd_t $1:dbus send_msg;
|
||||||
')
|
')
|
||||||
@ -63900,10 +63906,10 @@ index bff31df..041893c 100644
|
|||||||
+#
|
+#
|
||||||
+interface(`realmd_search_cache',`
|
+interface(`realmd_search_cache',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ type realmd_cache_t;
|
+ type realmd_var_cache_t;
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ allow $1 realmd_cache_t:dir search_dir_perms;
|
+ allow $1 realmd_var_cache_t:dir search_dir_perms;
|
||||||
+ files_search_var($1)
|
+ files_search_var($1)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
@ -63919,11 +63925,11 @@ index bff31df..041893c 100644
|
|||||||
+#
|
+#
|
||||||
+interface(`realmd_read_cache_files',`
|
+interface(`realmd_read_cache_files',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ type realmd_cache_t;
|
+ type realmd_var_cache_t;
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ files_search_var($1)
|
+ files_search_var($1)
|
||||||
+ read_files_pattern($1, realmd_cache_t, realmd_cache_t)
|
+ read_files_pattern($1, realmd_var_cache_t, realmd_var_cache_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -63939,11 +63945,11 @@ index bff31df..041893c 100644
|
|||||||
+#
|
+#
|
||||||
+interface(`realmd_manage_cache_files',`
|
+interface(`realmd_manage_cache_files',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ type realmd_cache_t;
|
+ type realmd_var_cache_t;
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ files_search_var($1)
|
+ files_search_var($1)
|
||||||
+ manage_files_pattern($1, realmd_cache_t, realmd_cache_t)
|
+ manage_files_pattern($1, realmd_var_cache_t, realmd_var_cache_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -63958,18 +63964,12 @@ index bff31df..041893c 100644
|
|||||||
+#
|
+#
|
||||||
+interface(`realmd_manage_cache_dirs',`
|
+interface(`realmd_manage_cache_dirs',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ type realmd_cache_t;
|
+ type realmd_var_cache_t;
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ files_search_var($1)
|
+ files_search_var($1)
|
||||||
+ manage_dirs_pattern($1, realmd_cache_t, realmd_cache_t)
|
+ manage_dirs_pattern($1, realmd_var_cache_t, realmd_var_cache_t)
|
||||||
+')
|
+')
|
||||||
+
|
|
||||||
+
|
|
||||||
+manage_dirs_pattern(realmd_t, realmd_cache_t, realmd_cache_t)
|
|
||||||
+manage_files_pattern(realmd_t, realmd_cache_t, realmd_cache_t)
|
|
||||||
+manage_lnk_files_pattern(realmd_t, realmd_cache_t, realmd_cache_t)
|
|
||||||
+files_var_filetrans(realmd_t, realmd_cache_t, { dir file lnk_file })
|
|
||||||
diff --git a/realmd.te b/realmd.te
|
diff --git a/realmd.te b/realmd.te
|
||||||
index 9a8f052..c558c79 100644
|
index 9a8f052..c558c79 100644
|
||||||
--- a/realmd.te
|
--- a/realmd.te
|
||||||
@ -85090,10 +85090,10 @@ index 0be8535..b96e329 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
diff --git a/virt.fc b/virt.fc
|
diff --git a/virt.fc b/virt.fc
|
||||||
index c30da4c..014e40c 100644
|
index c30da4c..d60e3e4 100644
|
||||||
--- a/virt.fc
|
--- a/virt.fc
|
||||||
+++ b/virt.fc
|
+++ b/virt.fc
|
||||||
@@ -1,52 +1,80 @@
|
@@ -1,52 +1,81 @@
|
||||||
-HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
|
-HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
|
||||||
-HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
|
-HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
|
||||||
-HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
|
-HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
|
||||||
@ -85212,6 +85212,7 @@ index c30da4c..014e40c 100644
|
|||||||
+
|
+
|
||||||
+/usr/bin/qemu-ga -- gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0)
|
+/usr/bin/qemu-ga -- gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0)
|
||||||
+/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
|
+/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
|
||||||
|
+/var/run/qga\.state -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
|
||||||
+/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
|
+/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
|
||||||
diff --git a/virt.if b/virt.if
|
diff --git a/virt.if b/virt.if
|
||||||
index 9dec06c..6e25af1 100644
|
index 9dec06c..6e25af1 100644
|
||||||
@ -86882,7 +86883,7 @@ index 9dec06c..6e25af1 100644
|
|||||||
+ allow $1 svirt_image_t:chr_file rw_file_perms;
|
+ allow $1 svirt_image_t:chr_file rw_file_perms;
|
||||||
')
|
')
|
||||||
diff --git a/virt.te b/virt.te
|
diff --git a/virt.te b/virt.te
|
||||||
index 1f22fba..832423f 100644
|
index 1f22fba..9d71252 100644
|
||||||
--- a/virt.te
|
--- a/virt.te
|
||||||
+++ b/virt.te
|
+++ b/virt.te
|
||||||
@@ -1,94 +1,98 @@
|
@@ -1,94 +1,98 @@
|
||||||
@ -87336,24 +87337,24 @@ index 1f22fba..832423f 100644
|
|||||||
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
|
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
|
||||||
-
|
-
|
||||||
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
|
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
|
||||||
-
|
|
||||||
-corenet_udp_sendrecv_generic_if(svirt_t)
|
|
||||||
-corenet_udp_sendrecv_generic_node(svirt_t)
|
|
||||||
-corenet_udp_sendrecv_all_ports(svirt_t)
|
|
||||||
-corenet_udp_bind_generic_node(svirt_t)
|
|
||||||
+# it was a part of auth_use_nsswitch
|
+# it was a part of auth_use_nsswitch
|
||||||
+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
|
+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
|
||||||
|
|
||||||
|
corenet_udp_sendrecv_generic_if(svirt_t)
|
||||||
|
corenet_udp_sendrecv_generic_node(svirt_t)
|
||||||
|
corenet_udp_sendrecv_all_ports(svirt_t)
|
||||||
|
corenet_udp_bind_generic_node(svirt_t)
|
||||||
|
-
|
||||||
-corenet_all_recvfrom_unlabeled(svirt_t)
|
-corenet_all_recvfrom_unlabeled(svirt_t)
|
||||||
-corenet_all_recvfrom_netlabel(svirt_t)
|
-corenet_all_recvfrom_netlabel(svirt_t)
|
||||||
-corenet_tcp_sendrecv_generic_if(svirt_t)
|
-corenet_tcp_sendrecv_generic_if(svirt_t)
|
||||||
corenet_udp_sendrecv_generic_if(svirt_t)
|
-corenet_udp_sendrecv_generic_if(svirt_t)
|
||||||
-corenet_tcp_sendrecv_generic_node(svirt_t)
|
-corenet_tcp_sendrecv_generic_node(svirt_t)
|
||||||
corenet_udp_sendrecv_generic_node(svirt_t)
|
-corenet_udp_sendrecv_generic_node(svirt_t)
|
||||||
-corenet_tcp_sendrecv_all_ports(svirt_t)
|
-corenet_tcp_sendrecv_all_ports(svirt_t)
|
||||||
corenet_udp_sendrecv_all_ports(svirt_t)
|
-corenet_udp_sendrecv_all_ports(svirt_t)
|
||||||
-corenet_tcp_bind_generic_node(svirt_t)
|
-corenet_tcp_bind_generic_node(svirt_t)
|
||||||
corenet_udp_bind_generic_node(svirt_t)
|
-corenet_udp_bind_generic_node(svirt_t)
|
||||||
-
|
-
|
||||||
-corenet_sendrecv_all_server_packets(svirt_t)
|
-corenet_sendrecv_all_server_packets(svirt_t)
|
||||||
corenet_udp_bind_all_ports(svirt_t)
|
corenet_udp_bind_all_ports(svirt_t)
|
||||||
@ -87505,13 +87506,13 @@ index 1f22fba..832423f 100644
|
|||||||
-
|
-
|
||||||
-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
|
-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
|
||||||
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
|
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
|
||||||
-
|
|
||||||
-can_exec(virtd_t, virt_tmp_t)
|
|
||||||
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
|
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
|
||||||
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
|
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
|
||||||
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
|
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
|
||||||
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
|
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
|
||||||
|
|
||||||
|
-can_exec(virtd_t, virt_tmp_t)
|
||||||
|
-
|
||||||
-kernel_read_crypto_sysctls(virtd_t)
|
-kernel_read_crypto_sysctls(virtd_t)
|
||||||
kernel_read_system_state(virtd_t)
|
kernel_read_system_state(virtd_t)
|
||||||
kernel_read_network_state(virtd_t)
|
kernel_read_network_state(virtd_t)
|
||||||
@ -88115,7 +88116,7 @@ index 1f22fba..832423f 100644
|
|||||||
tunable_policy(`virt_use_nfs',`
|
tunable_policy(`virt_use_nfs',`
|
||||||
fs_manage_nfs_dirs(virsh_t)
|
fs_manage_nfs_dirs(virsh_t)
|
||||||
fs_manage_nfs_files(virsh_t)
|
fs_manage_nfs_files(virsh_t)
|
||||||
@@ -847,6 +872,10 @@ optional_policy(`
|
@@ -847,14 +872,19 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -88126,8 +88127,9 @@ index 1f22fba..832423f 100644
|
|||||||
rpm_exec(virsh_t)
|
rpm_exec(virsh_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -854,7 +883,7 @@ optional_policy(`
|
optional_policy(`
|
||||||
xen_manage_image_dirs(virsh_t)
|
xen_manage_image_dirs(virsh_t)
|
||||||
|
+ xen_read_image_files(virsh_t)
|
||||||
xen_append_log(virsh_t)
|
xen_append_log(virsh_t)
|
||||||
xen_domtrans(virsh_t)
|
xen_domtrans(virsh_t)
|
||||||
- xen_read_xenstored_pid_files(virsh_t)
|
- xen_read_xenstored_pid_files(virsh_t)
|
||||||
@ -88135,7 +88137,7 @@ index 1f22fba..832423f 100644
|
|||||||
xen_stream_connect(virsh_t)
|
xen_stream_connect(virsh_t)
|
||||||
xen_stream_connect_xenstore(virsh_t)
|
xen_stream_connect_xenstore(virsh_t)
|
||||||
')
|
')
|
||||||
@@ -879,34 +908,44 @@ optional_policy(`
|
@@ -879,34 +909,44 @@ optional_policy(`
|
||||||
kernel_read_xen_state(virsh_ssh_t)
|
kernel_read_xen_state(virsh_ssh_t)
|
||||||
kernel_write_xen_state(virsh_ssh_t)
|
kernel_write_xen_state(virsh_ssh_t)
|
||||||
|
|
||||||
@ -88189,7 +88191,7 @@ index 1f22fba..832423f 100644
|
|||||||
|
|
||||||
manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||||
manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||||
@@ -916,12 +955,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
@@ -916,12 +956,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||||
manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||||
allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
|
allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
|
||||||
allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
|
allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
|
||||||
@ -88207,7 +88209,7 @@ index 1f22fba..832423f 100644
|
|||||||
|
|
||||||
corecmd_exec_bin(virtd_lxc_t)
|
corecmd_exec_bin(virtd_lxc_t)
|
||||||
corecmd_exec_shell(virtd_lxc_t)
|
corecmd_exec_shell(virtd_lxc_t)
|
||||||
@@ -933,10 +977,8 @@ dev_read_urand(virtd_lxc_t)
|
@@ -933,10 +978,8 @@ dev_read_urand(virtd_lxc_t)
|
||||||
|
|
||||||
domain_use_interactive_fds(virtd_lxc_t)
|
domain_use_interactive_fds(virtd_lxc_t)
|
||||||
|
|
||||||
@ -88218,7 +88220,7 @@ index 1f22fba..832423f 100644
|
|||||||
files_relabel_rootfs(virtd_lxc_t)
|
files_relabel_rootfs(virtd_lxc_t)
|
||||||
files_mounton_non_security(virtd_lxc_t)
|
files_mounton_non_security(virtd_lxc_t)
|
||||||
files_mount_all_file_type_fs(virtd_lxc_t)
|
files_mount_all_file_type_fs(virtd_lxc_t)
|
||||||
@@ -944,6 +986,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
|
@@ -944,6 +987,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
|
||||||
files_list_isid_type_dirs(virtd_lxc_t)
|
files_list_isid_type_dirs(virtd_lxc_t)
|
||||||
files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
|
files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
|
||||||
|
|
||||||
@ -88226,7 +88228,7 @@ index 1f22fba..832423f 100644
|
|||||||
fs_getattr_all_fs(virtd_lxc_t)
|
fs_getattr_all_fs(virtd_lxc_t)
|
||||||
fs_manage_tmpfs_dirs(virtd_lxc_t)
|
fs_manage_tmpfs_dirs(virtd_lxc_t)
|
||||||
fs_manage_tmpfs_chr_files(virtd_lxc_t)
|
fs_manage_tmpfs_chr_files(virtd_lxc_t)
|
||||||
@@ -955,15 +998,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
|
@@ -955,15 +999,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
|
||||||
fs_unmount_all_fs(virtd_lxc_t)
|
fs_unmount_all_fs(virtd_lxc_t)
|
||||||
fs_relabelfrom_tmpfs(virtd_lxc_t)
|
fs_relabelfrom_tmpfs(virtd_lxc_t)
|
||||||
|
|
||||||
@ -88245,7 +88247,7 @@ index 1f22fba..832423f 100644
|
|||||||
|
|
||||||
term_use_generic_ptys(virtd_lxc_t)
|
term_use_generic_ptys(virtd_lxc_t)
|
||||||
term_use_ptmx(virtd_lxc_t)
|
term_use_ptmx(virtd_lxc_t)
|
||||||
@@ -973,21 +1012,36 @@ auth_use_nsswitch(virtd_lxc_t)
|
@@ -973,21 +1013,36 @@ auth_use_nsswitch(virtd_lxc_t)
|
||||||
|
|
||||||
logging_send_syslog_msg(virtd_lxc_t)
|
logging_send_syslog_msg(virtd_lxc_t)
|
||||||
|
|
||||||
@ -88290,7 +88292,7 @@ index 1f22fba..832423f 100644
|
|||||||
allow svirt_lxc_domain self:fifo_file manage_file_perms;
|
allow svirt_lxc_domain self:fifo_file manage_file_perms;
|
||||||
allow svirt_lxc_domain self:sem create_sem_perms;
|
allow svirt_lxc_domain self:sem create_sem_perms;
|
||||||
allow svirt_lxc_domain self:shm create_shm_perms;
|
allow svirt_lxc_domain self:shm create_shm_perms;
|
||||||
@@ -995,18 +1049,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
|
@@ -995,18 +1050,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
|
||||||
allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
|
allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||||
allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
|
allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
|
||||||
|
|
||||||
@ -88317,7 +88319,7 @@ index 1f22fba..832423f 100644
|
|||||||
|
|
||||||
manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||||
manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||||
@@ -1015,17 +1067,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
@@ -1015,17 +1068,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||||
manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||||
rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||||
rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||||
@ -88336,7 +88338,7 @@ index 1f22fba..832423f 100644
|
|||||||
kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
|
kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
|
||||||
|
|
||||||
corecmd_exec_all_executables(svirt_lxc_domain)
|
corecmd_exec_all_executables(svirt_lxc_domain)
|
||||||
@@ -1037,21 +1086,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
|
@@ -1037,21 +1087,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
|
||||||
files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
|
files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
|
||||||
files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
|
files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
|
||||||
files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
|
files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
|
||||||
@ -88363,7 +88365,7 @@ index 1f22fba..832423f 100644
|
|||||||
auth_dontaudit_read_login_records(svirt_lxc_domain)
|
auth_dontaudit_read_login_records(svirt_lxc_domain)
|
||||||
auth_dontaudit_write_login_records(svirt_lxc_domain)
|
auth_dontaudit_write_login_records(svirt_lxc_domain)
|
||||||
auth_search_pam_console_data(svirt_lxc_domain)
|
auth_search_pam_console_data(svirt_lxc_domain)
|
||||||
@@ -1063,96 +1111,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
|
@@ -1063,96 +1112,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
|
||||||
|
|
||||||
libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
|
libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
|
||||||
|
|
||||||
@ -88501,7 +88503,7 @@ index 1f22fba..832423f 100644
|
|||||||
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
|
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
|
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
|
||||||
|
|
||||||
@@ -1165,12 +1209,12 @@ dev_read_sysfs(virt_qmf_t)
|
@@ -1165,12 +1210,12 @@ dev_read_sysfs(virt_qmf_t)
|
||||||
dev_read_rand(virt_qmf_t)
|
dev_read_rand(virt_qmf_t)
|
||||||
dev_read_urand(virt_qmf_t)
|
dev_read_urand(virt_qmf_t)
|
||||||
|
|
||||||
@ -88516,7 +88518,7 @@ index 1f22fba..832423f 100644
|
|||||||
sysnet_read_config(virt_qmf_t)
|
sysnet_read_config(virt_qmf_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -1183,9 +1227,8 @@ optional_policy(`
|
@@ -1183,9 +1228,8 @@ optional_policy(`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -88527,7 +88529,7 @@ index 1f22fba..832423f 100644
|
|||||||
allow virt_bridgehelper_t self:process { setcap getcap };
|
allow virt_bridgehelper_t self:process { setcap getcap };
|
||||||
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
|
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
|
||||||
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
||||||
@@ -1198,5 +1241,70 @@ kernel_read_network_state(virt_bridgehelper_t)
|
@@ -1198,5 +1242,75 @@ kernel_read_network_state(virt_bridgehelper_t)
|
||||||
|
|
||||||
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
|
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
|
||||||
|
|
||||||
@ -88547,7 +88549,7 @@ index 1f22fba..832423f 100644
|
|||||||
+
|
+
|
||||||
+manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t)
|
+manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t)
|
||||||
+manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t)
|
+manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t)
|
||||||
+filetrans_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t,{ dir file } )
|
+files_pid_filetrans(virt_qemu_ga_t, virt_qemu_ga_var_run_t, { dir file } )
|
||||||
+
|
+
|
||||||
+manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t)
|
+manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t)
|
||||||
+logging_log_filetrans(virt_qemu_ga_t, virt_qemu_ga_log_t, file )
|
+logging_log_filetrans(virt_qemu_ga_t, virt_qemu_ga_log_t, file )
|
||||||
@ -88596,6 +88598,11 @@ index 1f22fba..832423f 100644
|
|||||||
+ shutdown_domtrans(virt_qemu_ga_t)
|
+ shutdown_domtrans(virt_qemu_ga_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
+#######################################
|
||||||
|
+#
|
||||||
|
+# tye for svirt sockets
|
||||||
|
+#
|
||||||
|
+
|
||||||
+type svirt_socket_t;
|
+type svirt_socket_t;
|
||||||
+role system_r types svirt_socket_t;
|
+role system_r types svirt_socket_t;
|
||||||
+allow virtd_t svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms };
|
+allow virtd_t svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms };
|
||||||
|
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.12.1
|
Version: 3.12.1
|
||||||
Release: 39%{?dist}
|
Release: 41%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -257,7 +257,7 @@ fi;
|
|||||||
. %{_sysconfdir}/selinux/config; \
|
. %{_sysconfdir}/selinux/config; \
|
||||||
if [ -e /etc/selinux/%2/.rebuild ]; then \
|
if [ -e /etc/selinux/%2/.rebuild ]; then \
|
||||||
rm /etc/selinux/%2/.rebuild; \
|
rm /etc/selinux/%2/.rebuild; \
|
||||||
(cd /etc/selinux/%2/modules/active/modules; rm -f shutdown.pp amavis.pp clamav.pp gnomeclock.pp matahari.pp xfs.pp kudzu.pp kerneloops.pp execmem.pp openoffice.pp ada.pp tzdata.pp hal.pp hotplug.pp howl.pp java.pp mono.pp moilscanner.pp gamin.pp audio_entropy.pp audioentropy.pp iscsid.pp polkit_auth.pp polkit.pp rtkit_daemon.pp ModemManager.pp telepathysofiasip.pp ethereal.pp passanger.pp qpidd.pp pyzor.pp razor.pp pki-selinux.pp phpfpm.pp consoletype.pp ctdbd.pp fcoemon.pp isnsd.pp rgmanager.pp corosync.pp aisexec.pp pacemaker.pp ) \
|
(cd /etc/selinux/%2/modules/active/modules; rm -f l2tpd.pp shutdown.pp amavis.pp clamav.pp gnomeclock.pp matahari.pp xfs.pp kudzu.pp kerneloops.pp execmem.pp openoffice.pp ada.pp tzdata.pp hal.pp hotplug.pp howl.pp java.pp mono.pp moilscanner.pp gamin.pp audio_entropy.pp audioentropy.pp iscsid.pp polkit_auth.pp polkit.pp rtkit_daemon.pp ModemManager.pp telepathysofiasip.pp ethereal.pp passanger.pp qpidd.pp pyzor.pp razor.pp pki-selinux.pp phpfpm.pp consoletype.pp ctdbd.pp fcoemon.pp isnsd.pp rgmanager.pp corosync.pp aisexec.pp pacemaker.pp ) \
|
||||||
/usr/sbin/semodule -B -n -s %2; \
|
/usr/sbin/semodule -B -n -s %2; \
|
||||||
else \
|
else \
|
||||||
touch /etc/selinux/%2/modules/active/modules/sandbox.disabled \
|
touch /etc/selinux/%2/modules/active/modules/sandbox.disabled \
|
||||||
@ -530,6 +530,19 @@ SELinux Reference policy mls base module.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon May 6 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-41
|
||||||
|
- Remove userdom_home_manager for xdm_t and move all rules to xserver.te directly
|
||||||
|
- Add new xdm_write_home boolean to allow xdm_t to create files in HOME dirs with xdm_home_t
|
||||||
|
- Allow postfix-showq to read/write unix.showq in /var/spool/postfix/pid
|
||||||
|
- Allow virsh to read xen lock file
|
||||||
|
- Allow qemu-ga to create files in /run with proper labeling
|
||||||
|
- Allow glusterd to connect to own socket in /tmp
|
||||||
|
- Allow glance-api to connect to http port to make glance image-create working
|
||||||
|
- Allow keystonte_t to execute rpm
|
||||||
|
|
||||||
|
* Fri May 3 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-40
|
||||||
|
- Fix realmd cache interfaces
|
||||||
|
|
||||||
* Fri May 3 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-39
|
* Fri May 3 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-39
|
||||||
- Allow tcpd to execute leafnode
|
- Allow tcpd to execute leafnode
|
||||||
- Allow samba-net to read realmd cache files
|
- Allow samba-net to read realmd cache files
|
||||||
|
Loading…
Reference in New Issue
Block a user