- Add labeling for /usr/share/pki
- Allow programs that read var_run_t symlinks to also read var_t symlinks - Add additional ports as mongod_port_t for 27018, 27019, 28017, 28018 and 28019 - Fix labeling for /etc/dhcp directory - Add missing systemd_stub_unit_file() interface - Add files_stub_var() interface - Add labels for cert_t directories - Make localectl set-x11-keymap work at all - Allow abrt to manage mock build environments to catch build problems. - Allow virt_domains to setsched for running gdb on itself - Allow thumb_t to execute user home content - Allow pulseaudio running as mozilla_plugin_t to read /run/systemd/users/1000 - Allow certwatch to execute /usr/bin/httpd - Allow cgred to send signal perms to itself, needs backport to RHEL6 - Allow openshift_cron_t to look at quota - Allow cups_t to read inherited tmpfs_t from the kernel - Allow yppasswdd to use NIS - Tuned wants sys_rawio capability - Add ftpd_use_fusefs boolean - Allow dirsrvadmin_t to signal itself
parent
43a40ee0c7
commit
30fc9edc15
@ -516,7 +516,7 @@ index 058d908..702b716 100644
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
diff --git a/abrt.te b/abrt.te
|
diff --git a/abrt.te b/abrt.te
|
||||||
index cc43d25..304203f 100644
|
index cc43d25..0842350 100644
|
||||||
--- a/abrt.te
|
--- a/abrt.te
|
||||||
+++ b/abrt.te
|
+++ b/abrt.te
|
||||||
@@ -1,4 +1,4 @@
|
@@ -1,4 +1,4 @@
|
||||||
@ -935,7 +935,7 @@ index cc43d25..304203f 100644
|
|||||||
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
|
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
|
||||||
|
|
||||||
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
|
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
|
||||||
@@ -352,30 +406,37 @@ corecmd_exec_shell(abrt_retrace_worker_t)
|
@@ -352,30 +406,38 @@ corecmd_exec_shell(abrt_retrace_worker_t)
|
||||||
|
|
||||||
dev_read_urand(abrt_retrace_worker_t)
|
dev_read_urand(abrt_retrace_worker_t)
|
||||||
|
|
||||||
@ -947,6 +947,7 @@ index cc43d25..304203f 100644
|
|||||||
|
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ mock_domtrans(abrt_retrace_worker_t)
|
+ mock_domtrans(abrt_retrace_worker_t)
|
||||||
|
+ mock_manage_lib_files(abrt_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
########################################
|
########################################
|
||||||
@ -976,7 +977,7 @@ index cc43d25..304203f 100644
|
|||||||
kernel_read_kernel_sysctls(abrt_dump_oops_t)
|
kernel_read_kernel_sysctls(abrt_dump_oops_t)
|
||||||
kernel_read_ring_buffer(abrt_dump_oops_t)
|
kernel_read_ring_buffer(abrt_dump_oops_t)
|
||||||
|
|
||||||
@@ -384,14 +445,15 @@ domain_use_interactive_fds(abrt_dump_oops_t)
|
@@ -384,14 +446,15 @@ domain_use_interactive_fds(abrt_dump_oops_t)
|
||||||
fs_list_inotifyfs(abrt_dump_oops_t)
|
fs_list_inotifyfs(abrt_dump_oops_t)
|
||||||
|
|
||||||
logging_read_generic_logs(abrt_dump_oops_t)
|
logging_read_generic_logs(abrt_dump_oops_t)
|
||||||
@ -994,7 +995,7 @@ index cc43d25..304203f 100644
|
|||||||
|
|
||||||
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
|
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
|
||||||
|
|
||||||
@@ -400,16 +462,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
|
@@ -400,16 +463,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
|
||||||
corecmd_exec_bin(abrt_watch_log_t)
|
corecmd_exec_bin(abrt_watch_log_t)
|
||||||
|
|
||||||
logging_read_all_logs(abrt_watch_log_t)
|
logging_read_all_logs(abrt_watch_log_t)
|
||||||
@ -9740,10 +9741,10 @@ index 2354e21..bec6c06 100644
|
|||||||
+ ')
|
+ ')
|
||||||
+')
|
+')
|
||||||
diff --git a/certwatch.te b/certwatch.te
|
diff --git a/certwatch.te b/certwatch.te
|
||||||
index 403af41..7c0b1be 100644
|
index 403af41..68a5e26 100644
|
||||||
--- a/certwatch.te
|
--- a/certwatch.te
|
||||||
+++ b/certwatch.te
|
+++ b/certwatch.te
|
||||||
@@ -21,25 +21,26 @@ role certwatch_roles types certwatch_t;
|
@@ -21,27 +21,29 @@ role certwatch_roles types certwatch_t;
|
||||||
allow certwatch_t self:capability sys_nice;
|
allow certwatch_t self:capability sys_nice;
|
||||||
allow certwatch_t self:process { setsched getsched };
|
allow certwatch_t self:process { setsched getsched };
|
||||||
|
|
||||||
@ -9774,7 +9775,10 @@ index 403af41..7c0b1be 100644
|
|||||||
+userdom_dontaudit_list_admin_dir(certwatch_t)
|
+userdom_dontaudit_list_admin_dir(certwatch_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
+ apache_exec(certwatch_t)
|
||||||
apache_exec_modules(certwatch_t)
|
apache_exec_modules(certwatch_t)
|
||||||
|
apache_read_config(certwatch_t)
|
||||||
|
')
|
||||||
diff --git a/cfengine.if b/cfengine.if
|
diff --git a/cfengine.if b/cfengine.if
|
||||||
index a731122..5279d4e 100644
|
index a731122..5279d4e 100644
|
||||||
--- a/cfengine.if
|
--- a/cfengine.if
|
||||||
@ -9933,7 +9937,7 @@ index 85ca63f..1d1c99c 100644
|
|||||||
admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
|
admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
|
||||||
files_list_etc($1)
|
files_list_etc($1)
|
||||||
diff --git a/cgroup.te b/cgroup.te
|
diff --git a/cgroup.te b/cgroup.te
|
||||||
index fdee107..eb7a3ac 100644
|
index fdee107..7a38b63 100644
|
||||||
--- a/cgroup.te
|
--- a/cgroup.te
|
||||||
+++ b/cgroup.te
|
+++ b/cgroup.te
|
||||||
@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
|
@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
|
||||||
@ -9979,10 +9983,10 @@ index fdee107..eb7a3ac 100644
|
|||||||
#
|
#
|
||||||
# cgred local policy
|
# cgred local policy
|
||||||
#
|
#
|
||||||
|
+allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override sys_ptrace };
|
||||||
|
+allow cgred_t self:process signal_perms;
|
||||||
|
|
||||||
-allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
|
-allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
|
||||||
+allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override sys_ptrace };
|
|
||||||
+
|
|
||||||
allow cgred_t self:netlink_socket { write bind create read };
|
allow cgred_t self:netlink_socket { write bind create read };
|
||||||
allow cgred_t self:unix_dgram_socket { write create connect };
|
allow cgred_t self:unix_dgram_socket { write create connect };
|
||||||
|
|
||||||
@ -16021,7 +16025,7 @@ index 06da9a0..ca832e1 100644
|
|||||||
+ ps_process_pattern($1, cupsd_t)
|
+ ps_process_pattern($1, cupsd_t)
|
||||||
')
|
')
|
||||||
diff --git a/cups.te b/cups.te
|
diff --git a/cups.te b/cups.te
|
||||||
index 9f34c2e..45fe9a0 100644
|
index 9f34c2e..3b03f21 100644
|
||||||
--- a/cups.te
|
--- a/cups.te
|
||||||
+++ b/cups.te
|
+++ b/cups.te
|
||||||
@@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
|
@@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
|
||||||
@ -16243,7 +16247,7 @@ index 9f34c2e..45fe9a0 100644
|
|||||||
files_exec_usr_files(cupsd_t)
|
files_exec_usr_files(cupsd_t)
|
||||||
# for /var/lib/defoma
|
# for /var/lib/defoma
|
||||||
files_read_var_lib_files(cupsd_t)
|
files_read_var_lib_files(cupsd_t)
|
||||||
@@ -215,16 +246,16 @@ files_read_world_readable_files(cupsd_t)
|
@@ -215,16 +246,17 @@ files_read_world_readable_files(cupsd_t)
|
||||||
files_read_world_readable_symlinks(cupsd_t)
|
files_read_world_readable_symlinks(cupsd_t)
|
||||||
files_read_var_files(cupsd_t)
|
files_read_var_files(cupsd_t)
|
||||||
files_read_var_symlinks(cupsd_t)
|
files_read_var_symlinks(cupsd_t)
|
||||||
@ -16259,10 +16263,11 @@ index 9f34c2e..45fe9a0 100644
|
|||||||
fs_search_fusefs(cupsd_t)
|
fs_search_fusefs(cupsd_t)
|
||||||
fs_read_anon_inodefs_files(cupsd_t)
|
fs_read_anon_inodefs_files(cupsd_t)
|
||||||
+fs_rw_anon_inodefs_files(cupsd_t)
|
+fs_rw_anon_inodefs_files(cupsd_t)
|
||||||
|
+fs_rw_inherited_tmpfs_files(cupsd_t)
|
||||||
|
|
||||||
mls_fd_use_all_levels(cupsd_t)
|
mls_fd_use_all_levels(cupsd_t)
|
||||||
mls_file_downgrade(cupsd_t)
|
mls_file_downgrade(cupsd_t)
|
||||||
@@ -235,6 +266,8 @@ mls_socket_write_all_levels(cupsd_t)
|
@@ -235,6 +267,8 @@ mls_socket_write_all_levels(cupsd_t)
|
||||||
|
|
||||||
term_search_ptys(cupsd_t)
|
term_search_ptys(cupsd_t)
|
||||||
term_use_unallocated_ttys(cupsd_t)
|
term_use_unallocated_ttys(cupsd_t)
|
||||||
@ -16271,7 +16276,7 @@ index 9f34c2e..45fe9a0 100644
|
|||||||
|
|
||||||
selinux_compute_access_vector(cupsd_t)
|
selinux_compute_access_vector(cupsd_t)
|
||||||
selinux_validate_context(cupsd_t)
|
selinux_validate_context(cupsd_t)
|
||||||
@@ -247,21 +280,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
|
@@ -247,21 +281,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
|
||||||
auth_rw_faillog(cupsd_t)
|
auth_rw_faillog(cupsd_t)
|
||||||
auth_use_nsswitch(cupsd_t)
|
auth_use_nsswitch(cupsd_t)
|
||||||
|
|
||||||
@ -16297,7 +16302,7 @@ index 9f34c2e..45fe9a0 100644
|
|||||||
userdom_dontaudit_search_user_home_content(cupsd_t)
|
userdom_dontaudit_search_user_home_content(cupsd_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -275,6 +307,8 @@ optional_policy(`
|
@@ -275,6 +308,8 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_system_bus_client(cupsd_t)
|
dbus_system_bus_client(cupsd_t)
|
||||||
|
|
||||||
@ -16306,7 +16311,7 @@ index 9f34c2e..45fe9a0 100644
|
|||||||
userdom_dbus_send_all_users(cupsd_t)
|
userdom_dbus_send_all_users(cupsd_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -285,8 +319,10 @@ optional_policy(`
|
@@ -285,8 +320,10 @@ optional_policy(`
|
||||||
hal_dbus_chat(cupsd_t)
|
hal_dbus_chat(cupsd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -16317,7 +16322,7 @@ index 9f34c2e..45fe9a0 100644
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -299,8 +335,8 @@ optional_policy(`
|
@@ -299,8 +336,8 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -16327,7 +16332,7 @@ index 9f34c2e..45fe9a0 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -309,7 +345,6 @@ optional_policy(`
|
@@ -309,7 +346,6 @@ optional_policy(`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
lpd_exec_lpr(cupsd_t)
|
lpd_exec_lpr(cupsd_t)
|
||||||
@ -16335,7 +16340,7 @@ index 9f34c2e..45fe9a0 100644
|
|||||||
lpd_read_config(cupsd_t)
|
lpd_read_config(cupsd_t)
|
||||||
lpd_relabel_spool(cupsd_t)
|
lpd_relabel_spool(cupsd_t)
|
||||||
')
|
')
|
||||||
@@ -337,7 +372,7 @@ optional_policy(`
|
@@ -337,7 +373,7 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -16344,7 +16349,7 @@ index 9f34c2e..45fe9a0 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -345,11 +380,9 @@ optional_policy(`
|
@@ -345,11 +381,9 @@ optional_policy(`
|
||||||
# Configuration daemon local policy
|
# Configuration daemon local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -16358,7 +16363,7 @@ index 9f34c2e..45fe9a0 100644
|
|||||||
|
|
||||||
allow cupsd_config_t cupsd_t:process signal;
|
allow cupsd_config_t cupsd_t:process signal;
|
||||||
ps_process_pattern(cupsd_config_t, cupsd_t)
|
ps_process_pattern(cupsd_config_t, cupsd_t)
|
||||||
@@ -375,18 +408,15 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
|
@@ -375,18 +409,15 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
|
||||||
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
|
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
|
||||||
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
|
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
|
||||||
|
|
||||||
@ -16378,7 +16383,7 @@ index 9f34c2e..45fe9a0 100644
|
|||||||
corenet_all_recvfrom_netlabel(cupsd_config_t)
|
corenet_all_recvfrom_netlabel(cupsd_config_t)
|
||||||
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
|
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
|
||||||
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
|
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
|
||||||
@@ -395,20 +425,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
|
@@ -395,20 +426,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
|
||||||
corenet_sendrecv_all_client_packets(cupsd_config_t)
|
corenet_sendrecv_all_client_packets(cupsd_config_t)
|
||||||
corenet_tcp_connect_all_ports(cupsd_config_t)
|
corenet_tcp_connect_all_ports(cupsd_config_t)
|
||||||
|
|
||||||
@ -16399,7 +16404,7 @@ index 9f34c2e..45fe9a0 100644
|
|||||||
fs_search_auto_mountpoints(cupsd_config_t)
|
fs_search_auto_mountpoints(cupsd_config_t)
|
||||||
|
|
||||||
domain_use_interactive_fds(cupsd_config_t)
|
domain_use_interactive_fds(cupsd_config_t)
|
||||||
@@ -420,11 +442,6 @@ auth_use_nsswitch(cupsd_config_t)
|
@@ -420,11 +443,6 @@ auth_use_nsswitch(cupsd_config_t)
|
||||||
|
|
||||||
logging_send_syslog_msg(cupsd_config_t)
|
logging_send_syslog_msg(cupsd_config_t)
|
||||||
|
|
||||||
@ -16411,7 +16416,7 @@ index 9f34c2e..45fe9a0 100644
|
|||||||
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
|
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
|
||||||
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
|
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
|
||||||
userdom_read_all_users_state(cupsd_config_t)
|
userdom_read_all_users_state(cupsd_config_t)
|
||||||
@@ -452,9 +469,12 @@ optional_policy(`
|
@@ -452,9 +470,12 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -16425,7 +16430,7 @@ index 9f34c2e..45fe9a0 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -490,10 +510,6 @@ optional_policy(`
|
@@ -490,10 +511,6 @@ optional_policy(`
|
||||||
# Lpd local policy
|
# Lpd local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -16436,7 +16441,7 @@ index 9f34c2e..45fe9a0 100644
|
|||||||
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
||||||
|
|
||||||
allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
|
allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
|
||||||
@@ -511,31 +527,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
|
@@ -511,31 +528,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
|
||||||
|
|
||||||
kernel_read_kernel_sysctls(cupsd_lpd_t)
|
kernel_read_kernel_sysctls(cupsd_lpd_t)
|
||||||
kernel_read_system_state(cupsd_lpd_t)
|
kernel_read_system_state(cupsd_lpd_t)
|
||||||
@ -16469,7 +16474,7 @@ index 9f34c2e..45fe9a0 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
|
inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
|
||||||
')
|
')
|
||||||
@@ -546,7 +553,6 @@ optional_policy(`
|
@@ -546,7 +554,6 @@ optional_policy(`
|
||||||
#
|
#
|
||||||
|
|
||||||
allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
|
allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
|
||||||
@ -16477,7 +16482,7 @@ index 9f34c2e..45fe9a0 100644
|
|||||||
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
|
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
|
||||||
append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
|
append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
|
||||||
@@ -562,17 +568,8 @@ fs_search_auto_mountpoints(cups_pdf_t)
|
@@ -562,17 +569,8 @@ fs_search_auto_mountpoints(cups_pdf_t)
|
||||||
|
|
||||||
kernel_read_system_state(cups_pdf_t)
|
kernel_read_system_state(cups_pdf_t)
|
||||||
|
|
||||||
@ -16495,7 +16500,7 @@ index 9f34c2e..45fe9a0 100644
|
|||||||
userdom_manage_user_home_content_dirs(cups_pdf_t)
|
userdom_manage_user_home_content_dirs(cups_pdf_t)
|
||||||
userdom_manage_user_home_content_files(cups_pdf_t)
|
userdom_manage_user_home_content_files(cups_pdf_t)
|
||||||
userdom_home_filetrans_user_home_dir(cups_pdf_t)
|
userdom_home_filetrans_user_home_dir(cups_pdf_t)
|
||||||
@@ -582,128 +579,12 @@ tunable_policy(`use_nfs_home_dirs',`
|
@@ -582,128 +580,12 @@ tunable_policy(`use_nfs_home_dirs',`
|
||||||
fs_manage_nfs_files(cups_pdf_t)
|
fs_manage_nfs_files(cups_pdf_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -16626,7 +16631,7 @@ index 9f34c2e..45fe9a0 100644
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@@ -731,7 +612,6 @@ kernel_read_kernel_sysctls(ptal_t)
|
@@ -731,7 +613,6 @@ kernel_read_kernel_sysctls(ptal_t)
|
||||||
kernel_list_proc(ptal_t)
|
kernel_list_proc(ptal_t)
|
||||||
kernel_read_proc_symlinks(ptal_t)
|
kernel_read_proc_symlinks(ptal_t)
|
||||||
|
|
||||||
@ -16634,7 +16639,7 @@ index 9f34c2e..45fe9a0 100644
|
|||||||
corenet_all_recvfrom_netlabel(ptal_t)
|
corenet_all_recvfrom_netlabel(ptal_t)
|
||||||
corenet_tcp_sendrecv_generic_if(ptal_t)
|
corenet_tcp_sendrecv_generic_if(ptal_t)
|
||||||
corenet_tcp_sendrecv_generic_node(ptal_t)
|
corenet_tcp_sendrecv_generic_node(ptal_t)
|
||||||
@@ -741,13 +621,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
|
@@ -741,13 +622,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
|
||||||
corenet_tcp_bind_ptal_port(ptal_t)
|
corenet_tcp_bind_ptal_port(ptal_t)
|
||||||
corenet_tcp_sendrecv_ptal_port(ptal_t)
|
corenet_tcp_sendrecv_ptal_port(ptal_t)
|
||||||
|
|
||||||
@ -16648,7 +16653,7 @@ index 9f34c2e..45fe9a0 100644
|
|||||||
files_read_etc_runtime_files(ptal_t)
|
files_read_etc_runtime_files(ptal_t)
|
||||||
|
|
||||||
fs_getattr_all_fs(ptal_t)
|
fs_getattr_all_fs(ptal_t)
|
||||||
@@ -755,8 +633,6 @@ fs_search_auto_mountpoints(ptal_t)
|
@@ -755,8 +634,6 @@ fs_search_auto_mountpoints(ptal_t)
|
||||||
|
|
||||||
logging_send_syslog_msg(ptal_t)
|
logging_send_syslog_msg(ptal_t)
|
||||||
|
|
||||||
@ -19296,7 +19301,7 @@ index 0000000..332a1c9
|
|||||||
+')
|
+')
|
||||||
diff --git a/dirsrv-admin.te b/dirsrv-admin.te
|
diff --git a/dirsrv-admin.te b/dirsrv-admin.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..a3d076f
|
index 0000000..ab083cf
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/dirsrv-admin.te
|
+++ b/dirsrv-admin.te
|
||||||
@@ -0,0 +1,144 @@
|
@@ -0,0 +1,144 @@
|
||||||
@ -19334,7 +19339,7 @@ index 0000000..a3d076f
|
|||||||
+#
|
+#
|
||||||
+allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms;
|
+allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms;
|
||||||
+allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config sys_resource };
|
+allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config sys_resource };
|
||||||
+allow dirsrvadmin_t self:process setrlimit;
|
+allow dirsrvadmin_t self:process { setrlimit signal_perms };
|
||||||
+
|
+
|
||||||
+manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
|
+manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
|
||||||
+manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
|
+manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
|
||||||
@ -23081,7 +23086,7 @@ index d062080..e098a40 100644
|
|||||||
ftp_run_ftpdctl($1, $2)
|
ftp_run_ftpdctl($1, $2)
|
||||||
')
|
')
|
||||||
diff --git a/ftp.te b/ftp.te
|
diff --git a/ftp.te b/ftp.te
|
||||||
index e50f33c..2f7de33 100644
|
index e50f33c..5e6cdb8 100644
|
||||||
--- a/ftp.te
|
--- a/ftp.te
|
||||||
+++ b/ftp.te
|
+++ b/ftp.te
|
||||||
@@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1)
|
@@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1)
|
||||||
@ -23102,16 +23107,23 @@ index e50f33c..2f7de33 100644
|
|||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
@@ -30,7 +30,7 @@ gen_tunable(allow_ftpd_full_access, false)
|
@@ -30,7 +30,14 @@ gen_tunable(allow_ftpd_full_access, false)
|
||||||
## used for public file transfer services.
|
## used for public file transfer services.
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
-gen_tunable(allow_ftpd_use_cifs, false)
|
-gen_tunable(allow_ftpd_use_cifs, false)
|
||||||
+gen_tunable(ftpd_use_cifs, false)
|
+gen_tunable(ftpd_use_cifs, false)
|
||||||
|
+
|
||||||
|
+## <desc>
|
||||||
|
+## <p>
|
||||||
|
+## Allow samba to export ntfs/fusefs volumes.
|
||||||
|
+## </p>
|
||||||
|
+## </desc>
|
||||||
|
+gen_tunable(ftpd_use_fusefs, false)
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
@@ -38,7 +38,7 @@ gen_tunable(allow_ftpd_use_cifs, false)
|
@@ -38,7 +45,7 @@ gen_tunable(allow_ftpd_use_cifs, false)
|
||||||
## used for public file transfer services.
|
## used for public file transfer services.
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
@ -23120,7 +23132,7 @@ index e50f33c..2f7de33 100644
|
|||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
@@ -124,6 +124,9 @@ files_config_file(ftpd_etc_t)
|
@@ -124,6 +131,9 @@ files_config_file(ftpd_etc_t)
|
||||||
type ftpd_initrc_exec_t;
|
type ftpd_initrc_exec_t;
|
||||||
init_script_file(ftpd_initrc_exec_t)
|
init_script_file(ftpd_initrc_exec_t)
|
||||||
|
|
||||||
@ -23130,7 +23142,7 @@ index e50f33c..2f7de33 100644
|
|||||||
type ftpd_lock_t;
|
type ftpd_lock_t;
|
||||||
files_lock_file(ftpd_lock_t)
|
files_lock_file(ftpd_lock_t)
|
||||||
|
|
||||||
@@ -179,6 +182,9 @@ allow ftpd_t ftpd_etc_t:file read_file_perms;
|
@@ -179,6 +189,9 @@ allow ftpd_t ftpd_etc_t:file read_file_perms;
|
||||||
allow ftpd_t ftpd_lock_t:file manage_file_perms;
|
allow ftpd_t ftpd_lock_t:file manage_file_perms;
|
||||||
files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
|
files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
|
||||||
|
|
||||||
@ -23140,7 +23152,7 @@ index e50f33c..2f7de33 100644
|
|||||||
manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
|
manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
|
||||||
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
|
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
|
||||||
manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
|
manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
|
||||||
@@ -201,14 +207,13 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
|
@@ -201,14 +214,13 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
|
||||||
|
|
||||||
kernel_read_kernel_sysctls(ftpd_t)
|
kernel_read_kernel_sysctls(ftpd_t)
|
||||||
kernel_read_system_state(ftpd_t)
|
kernel_read_system_state(ftpd_t)
|
||||||
@ -23156,7 +23168,7 @@ index e50f33c..2f7de33 100644
|
|||||||
corenet_all_recvfrom_netlabel(ftpd_t)
|
corenet_all_recvfrom_netlabel(ftpd_t)
|
||||||
corenet_tcp_sendrecv_generic_if(ftpd_t)
|
corenet_tcp_sendrecv_generic_if(ftpd_t)
|
||||||
corenet_udp_sendrecv_generic_if(ftpd_t)
|
corenet_udp_sendrecv_generic_if(ftpd_t)
|
||||||
@@ -224,9 +229,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
|
@@ -224,9 +236,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
|
||||||
corenet_sendrecv_ftp_data_server_packets(ftpd_t)
|
corenet_sendrecv_ftp_data_server_packets(ftpd_t)
|
||||||
corenet_tcp_bind_ftp_data_port(ftpd_t)
|
corenet_tcp_bind_ftp_data_port(ftpd_t)
|
||||||
|
|
||||||
@ -23170,7 +23182,7 @@ index e50f33c..2f7de33 100644
|
|||||||
files_read_etc_runtime_files(ftpd_t)
|
files_read_etc_runtime_files(ftpd_t)
|
||||||
files_search_var_lib(ftpd_t)
|
files_search_var_lib(ftpd_t)
|
||||||
|
|
||||||
@@ -245,7 +253,6 @@ logging_send_audit_msgs(ftpd_t)
|
@@ -245,7 +260,6 @@ logging_send_audit_msgs(ftpd_t)
|
||||||
logging_send_syslog_msg(ftpd_t)
|
logging_send_syslog_msg(ftpd_t)
|
||||||
logging_set_loginuid(ftpd_t)
|
logging_set_loginuid(ftpd_t)
|
||||||
|
|
||||||
@ -23178,7 +23190,7 @@ index e50f33c..2f7de33 100644
|
|||||||
miscfiles_read_public_files(ftpd_t)
|
miscfiles_read_public_files(ftpd_t)
|
||||||
|
|
||||||
seutil_dontaudit_search_config(ftpd_t)
|
seutil_dontaudit_search_config(ftpd_t)
|
||||||
@@ -254,32 +261,42 @@ sysnet_use_ldap(ftpd_t)
|
@@ -254,32 +268,49 @@ sysnet_use_ldap(ftpd_t)
|
||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
|
userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
|
||||||
userdom_dontaudit_search_user_home_dirs(ftpd_t)
|
userdom_dontaudit_search_user_home_dirs(ftpd_t)
|
||||||
@ -23201,6 +23213,13 @@ index e50f33c..2f7de33 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
-tunable_policy(`allow_ftpd_use_nfs',`
|
-tunable_policy(`allow_ftpd_use_nfs',`
|
||||||
|
+tunable_policy(`ftpd_use_fusefs',`
|
||||||
|
+ fs_manage_fusefs_dirs(ftpd_t)
|
||||||
|
+ fs_manage_fusefs_files(ftpd_t)
|
||||||
|
+',`
|
||||||
|
+ fs_search_fusefs(ftpd_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
+tunable_policy(`ftpd_use_nfs',`
|
+tunable_policy(`ftpd_use_nfs',`
|
||||||
fs_read_nfs_files(ftpd_t)
|
fs_read_nfs_files(ftpd_t)
|
||||||
fs_read_nfs_symlinks(ftpd_t)
|
fs_read_nfs_symlinks(ftpd_t)
|
||||||
@ -23228,7 +23247,7 @@ index e50f33c..2f7de33 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`ftpd_use_passive_mode',`
|
tunable_policy(`ftpd_use_passive_mode',`
|
||||||
@@ -299,9 +316,9 @@ tunable_policy(`ftpd_connect_db',`
|
@@ -299,9 +330,9 @@ tunable_policy(`ftpd_connect_db',`
|
||||||
corenet_sendrecv_mssql_client_packets(ftpd_t)
|
corenet_sendrecv_mssql_client_packets(ftpd_t)
|
||||||
corenet_tcp_connect_mssql_port(ftpd_t)
|
corenet_tcp_connect_mssql_port(ftpd_t)
|
||||||
corenet_tcp_sendrecv_mssql_port(ftpd_t)
|
corenet_tcp_sendrecv_mssql_port(ftpd_t)
|
||||||
@ -23241,7 +23260,7 @@ index e50f33c..2f7de33 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`ftp_home_dir',`
|
tunable_policy(`ftp_home_dir',`
|
||||||
@@ -309,12 +326,9 @@ tunable_policy(`ftp_home_dir',`
|
@@ -309,12 +340,9 @@ tunable_policy(`ftp_home_dir',`
|
||||||
|
|
||||||
userdom_manage_user_home_content_dirs(ftpd_t)
|
userdom_manage_user_home_content_dirs(ftpd_t)
|
||||||
userdom_manage_user_home_content_files(ftpd_t)
|
userdom_manage_user_home_content_files(ftpd_t)
|
||||||
@ -23254,7 +23273,7 @@ index e50f33c..2f7de33 100644
|
|||||||
userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
|
userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -360,7 +374,7 @@ optional_policy(`
|
@@ -360,7 +388,7 @@ optional_policy(`
|
||||||
selinux_validate_context(ftpd_t)
|
selinux_validate_context(ftpd_t)
|
||||||
|
|
||||||
kerberos_keytab_template(ftpd, ftpd_t)
|
kerberos_keytab_template(ftpd, ftpd_t)
|
||||||
@ -23263,7 +23282,7 @@ index e50f33c..2f7de33 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -410,21 +424,20 @@ optional_policy(`
|
@@ -410,21 +438,20 @@ optional_policy(`
|
||||||
#
|
#
|
||||||
|
|
||||||
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
|
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
|
||||||
@ -23287,7 +23306,7 @@ index e50f33c..2f7de33 100644
|
|||||||
|
|
||||||
miscfiles_read_public_files(anon_sftpd_t)
|
miscfiles_read_public_files(anon_sftpd_t)
|
||||||
|
|
||||||
@@ -437,23 +450,34 @@ tunable_policy(`sftpd_anon_write',`
|
@@ -437,23 +464,34 @@ tunable_policy(`sftpd_anon_write',`
|
||||||
# Sftpd local policy
|
# Sftpd local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -23328,7 +23347,7 @@ index e50f33c..2f7de33 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
|
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
|
||||||
@@ -475,21 +499,11 @@ tunable_policy(`sftpd_anon_write',`
|
@@ -475,21 +513,11 @@ tunable_policy(`sftpd_anon_write',`
|
||||||
tunable_policy(`sftpd_full_access',`
|
tunable_policy(`sftpd_full_access',`
|
||||||
allow sftpd_t self:capability { dac_override dac_read_search };
|
allow sftpd_t self:capability { dac_override dac_read_search };
|
||||||
fs_read_noxattr_fs_files(sftpd_t)
|
fs_read_noxattr_fs_files(sftpd_t)
|
||||||
@ -36788,7 +36807,7 @@ index 6194b80..648d041 100644
|
|||||||
')
|
')
|
||||||
+
|
+
|
||||||
diff --git a/mozilla.te b/mozilla.te
|
diff --git a/mozilla.te b/mozilla.te
|
||||||
index 6a306ee..4c1c064 100644
|
index 6a306ee..8faac8d 100644
|
||||||
--- a/mozilla.te
|
--- a/mozilla.te
|
||||||
+++ b/mozilla.te
|
+++ b/mozilla.te
|
||||||
@@ -1,4 +1,4 @@
|
@@ -1,4 +1,4 @@
|
||||||
@ -37047,10 +37066,10 @@ index 6a306ee..4c1c064 100644
|
|||||||
-userdom_manage_user_home_content_dirs(mozilla_t)
|
-userdom_manage_user_home_content_dirs(mozilla_t)
|
||||||
-userdom_manage_user_home_content_files(mozilla_t)
|
-userdom_manage_user_home_content_files(mozilla_t)
|
||||||
-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
|
-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
|
||||||
-
|
|
||||||
-userdom_write_user_tmp_sockets(mozilla_t)
|
|
||||||
+userdom_use_inherited_user_ptys(mozilla_t)
|
+userdom_use_inherited_user_ptys(mozilla_t)
|
||||||
|
|
||||||
|
-userdom_write_user_tmp_sockets(mozilla_t)
|
||||||
|
-
|
||||||
-mozilla_run_plugin(mozilla_t, mozilla_roles)
|
-mozilla_run_plugin(mozilla_t, mozilla_roles)
|
||||||
-mozilla_run_plugin_config(mozilla_t, mozilla_roles)
|
-mozilla_run_plugin_config(mozilla_t, mozilla_roles)
|
||||||
+#mozilla_run_plugin(mozilla_t, mozilla_roles)
|
+#mozilla_run_plugin(mozilla_t, mozilla_roles)
|
||||||
@ -37213,7 +37232,7 @@ index 6a306ee..4c1c064 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -300,221 +308,171 @@ optional_policy(`
|
@@ -300,221 +308,173 @@ optional_policy(`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -37468,7 +37487,8 @@ index 6a306ee..4c1c064 100644
|
|||||||
-userdom_manage_user_home_content_dirs(mozilla_plugin_t)
|
-userdom_manage_user_home_content_dirs(mozilla_plugin_t)
|
||||||
-userdom_manage_user_home_content_files(mozilla_plugin_t)
|
-userdom_manage_user_home_content_files(mozilla_plugin_t)
|
||||||
-userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
|
-userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
|
||||||
-
|
+systemd_read_logind_sessions_files(mozilla_plugin_t)
|
||||||
|
|
||||||
-userdom_write_user_tmp_sockets(mozilla_plugin_t)
|
-userdom_write_user_tmp_sockets(mozilla_plugin_t)
|
||||||
+term_getattr_all_ttys(mozilla_plugin_t)
|
+term_getattr_all_ttys(mozilla_plugin_t)
|
||||||
+term_getattr_all_ptys(mozilla_plugin_t)
|
+term_getattr_all_ptys(mozilla_plugin_t)
|
||||||
@ -37528,7 +37548,7 @@ index 6a306ee..4c1c064 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -523,36 +481,47 @@ optional_policy(`
|
@@ -523,36 +483,47 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -37589,7 +37609,7 @@ index 6a306ee..4c1c064 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -560,7 +529,7 @@ optional_policy(`
|
@@ -560,7 +531,7 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -37598,7 +37618,7 @@ index 6a306ee..4c1c064 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -568,108 +537,108 @@ optional_policy(`
|
@@ -568,108 +539,108 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -43275,7 +43295,7 @@ index 46e55c3..346242e 100644
|
|||||||
+ allow $1 nis_unit_file_t:service all_service_perms;
|
+ allow $1 nis_unit_file_t:service all_service_perms;
|
||||||
')
|
')
|
||||||
diff --git a/nis.te b/nis.te
|
diff --git a/nis.te b/nis.te
|
||||||
index 3e4a31c..0d16edc 100644
|
index 3e4a31c..bd8e3ff 100644
|
||||||
--- a/nis.te
|
--- a/nis.te
|
||||||
+++ b/nis.te
|
+++ b/nis.te
|
||||||
@@ -1,12 +1,10 @@
|
@@ -1,12 +1,10 @@
|
||||||
@ -43465,18 +43485,22 @@ index 3e4a31c..0d16edc 100644
|
|||||||
|
|
||||||
sysnet_read_config(yppasswdd_t)
|
sysnet_read_config(yppasswdd_t)
|
||||||
|
|
||||||
@@ -219,6 +215,10 @@ optional_policy(`
|
@@ -219,6 +215,14 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
+ mta_send_mail(yppasswdd_t)
|
+ mta_send_mail(yppasswdd_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ nis_use_ypbind(yppasswdd_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
seutil_sigchld_newrole(yppasswdd_t)
|
seutil_sigchld_newrole(yppasswdd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -234,7 +234,8 @@ optional_policy(`
|
@@ -234,7 +238,8 @@ optional_policy(`
|
||||||
dontaudit ypserv_t self:capability sys_tty_config;
|
dontaudit ypserv_t self:capability sys_tty_config;
|
||||||
allow ypserv_t self:fifo_file rw_fifo_file_perms;
|
allow ypserv_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow ypserv_t self:process signal_perms;
|
allow ypserv_t self:process signal_perms;
|
||||||
@ -43486,7 +43510,7 @@ index 3e4a31c..0d16edc 100644
|
|||||||
allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
|
allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
|
||||||
allow ypserv_t self:tcp_socket connected_stream_socket_perms;
|
allow ypserv_t self:tcp_socket connected_stream_socket_perms;
|
||||||
allow ypserv_t self:udp_socket create_socket_perms;
|
allow ypserv_t self:udp_socket create_socket_perms;
|
||||||
@@ -254,7 +255,6 @@ kernel_read_kernel_sysctls(ypserv_t)
|
@@ -254,7 +259,6 @@ kernel_read_kernel_sysctls(ypserv_t)
|
||||||
kernel_list_proc(ypserv_t)
|
kernel_list_proc(ypserv_t)
|
||||||
kernel_read_proc_symlinks(ypserv_t)
|
kernel_read_proc_symlinks(ypserv_t)
|
||||||
|
|
||||||
@ -43494,7 +43518,7 @@ index 3e4a31c..0d16edc 100644
|
|||||||
corenet_all_recvfrom_netlabel(ypserv_t)
|
corenet_all_recvfrom_netlabel(ypserv_t)
|
||||||
corenet_tcp_sendrecv_generic_if(ypserv_t)
|
corenet_tcp_sendrecv_generic_if(ypserv_t)
|
||||||
corenet_udp_sendrecv_generic_if(ypserv_t)
|
corenet_udp_sendrecv_generic_if(ypserv_t)
|
||||||
@@ -264,31 +264,27 @@ corenet_tcp_sendrecv_all_ports(ypserv_t)
|
@@ -264,31 +268,27 @@ corenet_tcp_sendrecv_all_ports(ypserv_t)
|
||||||
corenet_udp_sendrecv_all_ports(ypserv_t)
|
corenet_udp_sendrecv_all_ports(ypserv_t)
|
||||||
corenet_tcp_bind_generic_node(ypserv_t)
|
corenet_tcp_bind_generic_node(ypserv_t)
|
||||||
corenet_udp_bind_generic_node(ypserv_t)
|
corenet_udp_bind_generic_node(ypserv_t)
|
||||||
@ -43532,7 +43556,7 @@ index 3e4a31c..0d16edc 100644
|
|||||||
|
|
||||||
nis_domtrans_ypxfr(ypserv_t)
|
nis_domtrans_ypxfr(ypserv_t)
|
||||||
|
|
||||||
@@ -310,8 +306,8 @@ optional_policy(`
|
@@ -310,8 +310,8 @@ optional_policy(`
|
||||||
# ypxfr local policy
|
# ypxfr local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -43543,7 +43567,7 @@ index 3e4a31c..0d16edc 100644
|
|||||||
allow ypxfr_t self:tcp_socket create_stream_socket_perms;
|
allow ypxfr_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow ypxfr_t self:udp_socket create_socket_perms;
|
allow ypxfr_t self:udp_socket create_socket_perms;
|
||||||
allow ypxfr_t self:netlink_route_socket r_netlink_socket_perms;
|
allow ypxfr_t self:netlink_route_socket r_netlink_socket_perms;
|
||||||
@@ -326,7 +322,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms;
|
@@ -326,7 +326,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms;
|
||||||
manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t)
|
manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t)
|
||||||
files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file)
|
files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file)
|
||||||
|
|
||||||
@ -43551,7 +43575,7 @@ index 3e4a31c..0d16edc 100644
|
|||||||
corenet_all_recvfrom_netlabel(ypxfr_t)
|
corenet_all_recvfrom_netlabel(ypxfr_t)
|
||||||
corenet_tcp_sendrecv_generic_if(ypxfr_t)
|
corenet_tcp_sendrecv_generic_if(ypxfr_t)
|
||||||
corenet_udp_sendrecv_generic_if(ypxfr_t)
|
corenet_udp_sendrecv_generic_if(ypxfr_t)
|
||||||
@@ -336,23 +331,19 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t)
|
@@ -336,23 +335,19 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t)
|
||||||
corenet_udp_sendrecv_all_ports(ypxfr_t)
|
corenet_udp_sendrecv_all_ports(ypxfr_t)
|
||||||
corenet_tcp_bind_generic_node(ypxfr_t)
|
corenet_tcp_bind_generic_node(ypxfr_t)
|
||||||
corenet_udp_bind_generic_node(ypxfr_t)
|
corenet_udp_bind_generic_node(ypxfr_t)
|
||||||
@ -48201,10 +48225,10 @@ index 0000000..407386d
|
|||||||
+')
|
+')
|
||||||
diff --git a/openshift.te b/openshift.te
|
diff --git a/openshift.te b/openshift.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..45e60e5
|
index 0000000..894ce1c
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/openshift.te
|
+++ b/openshift.te
|
||||||
@@ -0,0 +1,526 @@
|
@@ -0,0 +1,530 @@
|
||||||
+policy_module(openshift,1.0.0)
|
+policy_module(openshift,1.0.0)
|
||||||
+
|
+
|
||||||
+gen_require(`
|
+gen_require(`
|
||||||
@ -48728,6 +48752,10 @@ index 0000000..45e60e5
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
|
+ quota_read_db(openshift_cron_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
+ ssh_exec_keygen(openshift_cron_t)
|
+ ssh_exec_keygen(openshift_cron_t)
|
||||||
+ ssh_dontaudit_read_server_keys(openshift_cron_t)
|
+ ssh_dontaudit_read_server_keys(openshift_cron_t)
|
||||||
+')
|
+')
|
||||||
@ -81326,10 +81354,10 @@ index 0000000..bfcd2c7
|
|||||||
+')
|
+')
|
||||||
diff --git a/thumb.te b/thumb.te
|
diff --git a/thumb.te b/thumb.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..aaf768a
|
index 0000000..49cd645
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/thumb.te
|
+++ b/thumb.te
|
||||||
@@ -0,0 +1,137 @@
|
@@ -0,0 +1,138 @@
|
||||||
+policy_module(thumb, 1.0.0)
|
+policy_module(thumb, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -81424,6 +81452,7 @@ index 0000000..aaf768a
|
|||||||
+userdom_dontaudit_setattr_user_tmp(thumb_t)
|
+userdom_dontaudit_setattr_user_tmp(thumb_t)
|
||||||
+userdom_read_user_tmp_files(thumb_t)
|
+userdom_read_user_tmp_files(thumb_t)
|
||||||
+userdom_read_user_home_content_files(thumb_t)
|
+userdom_read_user_home_content_files(thumb_t)
|
||||||
|
+userdom_exec_user_home_content_files(thumb_t)
|
||||||
+userdom_write_user_tmp_files(thumb_t)
|
+userdom_write_user_tmp_files(thumb_t)
|
||||||
+userdom_read_home_audio_files(thumb_t)
|
+userdom_read_home_audio_files(thumb_t)
|
||||||
+userdom_home_reader(thumb_t)
|
+userdom_home_reader(thumb_t)
|
||||||
@ -82357,7 +82386,7 @@ index e29db63..061fb98 100644
|
|||||||
domain_system_change_exemption($1)
|
domain_system_change_exemption($1)
|
||||||
role_transition $2 tuned_initrc_exec_t system_r;
|
role_transition $2 tuned_initrc_exec_t system_r;
|
||||||
diff --git a/tuned.te b/tuned.te
|
diff --git a/tuned.te b/tuned.te
|
||||||
index 7116181..0bd0be9 100644
|
index 7116181..7a80e6d 100644
|
||||||
--- a/tuned.te
|
--- a/tuned.te
|
||||||
+++ b/tuned.te
|
+++ b/tuned.te
|
||||||
@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
|
@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
|
||||||
@ -82370,9 +82399,12 @@ index 7116181..0bd0be9 100644
|
|||||||
type tuned_var_run_t;
|
type tuned_var_run_t;
|
||||||
files_pid_file(tuned_var_run_t)
|
files_pid_file(tuned_var_run_t)
|
||||||
|
|
||||||
@@ -31,8 +34,10 @@ files_pid_file(tuned_var_run_t)
|
@@ -29,10 +32,12 @@ files_pid_file(tuned_var_run_t)
|
||||||
|
# Local policy
|
||||||
|
#
|
||||||
|
|
||||||
allow tuned_t self:capability { sys_admin sys_nice };
|
-allow tuned_t self:capability { sys_admin sys_nice };
|
||||||
|
+allow tuned_t self:capability { sys_admin sys_nice sys_rawio };
|
||||||
dontaudit tuned_t self:capability { dac_override sys_tty_config };
|
dontaudit tuned_t self:capability { dac_override sys_tty_config };
|
||||||
-allow tuned_t self:process { setsched signal };
|
-allow tuned_t self:process { setsched signal };
|
||||||
+allow tuned_t self:process { setsched signal };
|
+allow tuned_t self:process { setsched signal };
|
||||||
@ -85655,7 +85687,7 @@ index 9dec06c..b991ec7 100644
|
|||||||
+ allow svirt_lxc_domain $1:process sigchld;
|
+ allow svirt_lxc_domain $1:process sigchld;
|
||||||
')
|
')
|
||||||
diff --git a/virt.te b/virt.te
|
diff --git a/virt.te b/virt.te
|
||||||
index 1f22fba..e780b1b 100644
|
index 1f22fba..64e638c 100644
|
||||||
--- a/virt.te
|
--- a/virt.te
|
||||||
+++ b/virt.te
|
+++ b/virt.te
|
||||||
@@ -1,94 +1,98 @@
|
@@ -1,94 +1,98 @@
|
||||||
@ -86524,7 +86556,7 @@ index 1f22fba..e780b1b 100644
|
|||||||
+# virtual domains common policy
|
+# virtual domains common policy
|
||||||
+#
|
+#
|
||||||
+allow virt_domain self:capability2 compromise_kernel;
|
+allow virt_domain self:capability2 compromise_kernel;
|
||||||
+allow virt_domain self:process { setrlimit signal_perms getsched };
|
+allow virt_domain self:process { setrlimit signal_perms getsched setsched };
|
||||||
+allow virt_domain self:fifo_file rw_fifo_file_perms;
|
+allow virt_domain self:fifo_file rw_fifo_file_perms;
|
||||||
+allow virt_domain self:shm create_shm_perms;
|
+allow virt_domain self:shm create_shm_perms;
|
||||||
+allow virt_domain self:unix_stream_socket create_stream_socket_perms;
|
+allow virt_domain self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.12.1
|
Version: 3.12.1
|
||||||
Release: 23%{?dist}
|
Release: 24%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -526,6 +526,28 @@ SELinux Reference policy mls base module.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Mar 26 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-24
|
||||||
|
- Add labeling for /usr/share/pki
|
||||||
|
- Allow programs that read var_run_t symlinks also read var_t symlinks
|
||||||
|
- Add additional ports as mongod_port_t for 27018, 27019, 28017, 28018 and 28019 ports
|
||||||
|
- Fix labeling for /etc/dhcp directory
|
||||||
|
- add missing systemd_stub_unit_file() interface
|
||||||
|
- Add files_stub_var() interface
|
||||||
|
- Add lables for cert_t directories
|
||||||
|
- Make localectl set-x11-keymap working at all
|
||||||
|
- Allow abrt to manage mock build environments to catch build problems.
|
||||||
|
- Allow virt_domains to setsched for running gdb on itself
|
||||||
|
- Allow thumb_t to execute user home content
|
||||||
|
- Allow pulseaudio running as mozilla_plugin_t to read /run/systemd/users/1000
|
||||||
|
- Allow certwatch to execut /usr/bin/httpd
|
||||||
|
- Allow cgred to send signal perms to itself, needs back port to RHEL6
|
||||||
|
- Allow openshift_cron_t to look at quota
|
||||||
|
- Allow cups_t to read inhered tmpfs_t from the kernel
|
||||||
|
- Allow yppasswdd to use NIS
|
||||||
|
- Tuned wants sys_rawio capability
|
||||||
|
- Add ftpd_use_fusefs boolean
|
||||||
|
- Allow dirsrvadmin_t to signal itself
|
||||||
|
|
||||||
* Wed Mar 20 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-23
|
* Wed Mar 20 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-23
|
||||||
- Allow localectl to read /etc/X11/xorg.conf.d directory
|
- Allow localectl to read /etc/X11/xorg.conf.d directory
|
||||||
- Revert "Revert "Fix filetrans rules for kdm creates .xsession-errors""
|
- Revert "Revert "Fix filetrans rules for kdm creates .xsession-errors""
|
||||||
|