* Thu Aug 31 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-278
- Add a couple of rules related to map permissions - Allow ddclient to use nsswitch BZ(1456241) - Allow thumb_t domain to getattr fixed_disk device. BZ(1379137) - Add interface dbus_manage_session_tmp_dirs() - Dontaudit useradd_t sys_ptrace BZ(1480121) - Allow ipsec_t to exec ipsec_exec_t - Allow systemd_logind_t to manage session_dbusd_tmp_t dirs
parent
0c6eef95d3
commit
313e17b74e
@ -3182,7 +3182,7 @@ index 99e3903ea..fa68362ea 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
|
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
|
||||||
index 1d732f1e7..121ace88e 100644
|
index 1d732f1e7..d698fdd02 100644
|
||||||
--- a/policy/modules/admin/usermanage.te
|
--- a/policy/modules/admin/usermanage.te
|
||||||
+++ b/policy/modules/admin/usermanage.te
|
+++ b/policy/modules/admin/usermanage.te
|
||||||
@@ -26,6 +26,7 @@ type chfn_exec_t;
|
@@ -26,6 +26,7 @@ type chfn_exec_t;
|
||||||
@ -3502,7 +3502,7 @@ index 1d732f1e7..121ace88e 100644
|
|||||||
userdom_use_unpriv_users_fds(sysadm_passwd_t)
|
userdom_use_unpriv_users_fds(sysadm_passwd_t)
|
||||||
# user generally runs this from their home directory, so do not audit a search
|
# user generally runs this from their home directory, so do not audit a search
|
||||||
# on user home dir
|
# on user home dir
|
||||||
@@ -446,8 +492,9 @@ optional_policy(`
|
@@ -446,8 +492,10 @@ optional_policy(`
|
||||||
# Useradd local policy
|
# Useradd local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -3511,10 +3511,11 @@ index 1d732f1e7..121ace88e 100644
|
|||||||
+allow useradd_t self:capability { dac_read_search dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot };
|
+allow useradd_t self:capability { dac_read_search dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot };
|
||||||
+
|
+
|
||||||
+dontaudit useradd_t self:capability { net_admin sys_tty_config };
|
+dontaudit useradd_t self:capability { net_admin sys_tty_config };
|
||||||
|
+dontaudit useradd_t self:cap_userns { sys_ptrace };
|
||||||
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||||
allow useradd_t self:process setfscreate;
|
allow useradd_t self:process setfscreate;
|
||||||
allow useradd_t self:fd use;
|
allow useradd_t self:fd use;
|
||||||
@@ -461,6 +508,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
|
@@ -461,6 +509,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
allow useradd_t self:unix_dgram_socket sendto;
|
allow useradd_t self:unix_dgram_socket sendto;
|
||||||
allow useradd_t self:unix_stream_socket connectto;
|
allow useradd_t self:unix_stream_socket connectto;
|
||||||
|
|
||||||
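Review bot: The new `dontaudit useradd_t self:cap_userns { sys_ptrace };` carries no comment explaining which denial it silences, and the commit message's "Dontaudit useradd_t sys_ptrace" is easy to misread because the `allow useradd_t self:capability { ... sys_ptrace ... }` line just above already grants sys_ptrace in the initial namespace — only the user-namespace capability class is being dontaudited here. A comment on the new line such as `# BZ(1480121): useradd trips cap_userns sys_ptrace; silence it rather than grant it` would keep the two rules from being confused and record that the denial was judged benign, which is presumably why dontaudit was chosen over allow. The enclosing useradd_t block continues outside this hunk.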
@ -3525,7 +3526,7 @@ index 1d732f1e7..121ace88e 100644
|
|||||||
# for getting the number of groups
|
# for getting the number of groups
|
||||||
kernel_read_kernel_sysctls(useradd_t)
|
kernel_read_kernel_sysctls(useradd_t)
|
||||||
|
|
||||||
@@ -468,29 +519,28 @@ corecmd_exec_shell(useradd_t)
|
@@ -468,29 +520,28 @@ corecmd_exec_shell(useradd_t)
|
||||||
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
|
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
|
||||||
corecmd_exec_bin(useradd_t)
|
corecmd_exec_bin(useradd_t)
|
||||||
|
|
||||||
@ -3565,7 +3566,7 @@ index 1d732f1e7..121ace88e 100644
|
|||||||
|
|
||||||
auth_run_chk_passwd(useradd_t, useradd_roles)
|
auth_run_chk_passwd(useradd_t, useradd_roles)
|
||||||
auth_rw_lastlog(useradd_t)
|
auth_rw_lastlog(useradd_t)
|
||||||
@@ -498,6 +548,7 @@ auth_rw_faillog(useradd_t)
|
@@ -498,6 +549,7 @@ auth_rw_faillog(useradd_t)
|
||||||
auth_use_nsswitch(useradd_t)
|
auth_use_nsswitch(useradd_t)
|
||||||
# these may be unnecessary due to the above
|
# these may be unnecessary due to the above
|
||||||
# domtrans_chk_passwd() call.
|
# domtrans_chk_passwd() call.
|
||||||
@ -3573,7 +3574,7 @@ index 1d732f1e7..121ace88e 100644
|
|||||||
auth_manage_shadow(useradd_t)
|
auth_manage_shadow(useradd_t)
|
||||||
auth_relabel_shadow(useradd_t)
|
auth_relabel_shadow(useradd_t)
|
||||||
auth_etc_filetrans_shadow(useradd_t)
|
auth_etc_filetrans_shadow(useradd_t)
|
||||||
@@ -508,35 +559,38 @@ init_rw_utmp(useradd_t)
|
@@ -508,35 +560,38 @@ init_rw_utmp(useradd_t)
|
||||||
logging_send_audit_msgs(useradd_t)
|
logging_send_audit_msgs(useradd_t)
|
||||||
logging_send_syslog_msg(useradd_t)
|
logging_send_syslog_msg(useradd_t)
|
||||||
|
|
||||||
@ -3623,7 +3624,7 @@ index 1d732f1e7..121ace88e 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -545,14 +599,27 @@ optional_policy(`
|
@@ -545,14 +600,27 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -3651,7 +3652,7 @@ index 1d732f1e7..121ace88e 100644
|
|||||||
tunable_policy(`samba_domain_controller',`
|
tunable_policy(`samba_domain_controller',`
|
||||||
samba_append_log(useradd_t)
|
samba_append_log(useradd_t)
|
||||||
')
|
')
|
||||||
@@ -562,3 +629,12 @@ optional_policy(`
|
@@ -562,3 +630,12 @@ optional_policy(`
|
||||||
rpm_use_fds(useradd_t)
|
rpm_use_fds(useradd_t)
|
||||||
rpm_rw_pipes(useradd_t)
|
rpm_rw_pipes(useradd_t)
|
||||||
')
|
')
|
||||||
@ -38740,7 +38741,7 @@ index 0d4c8d35e..537aa4274 100644
|
|||||||
+ ps_process_pattern($1, ipsec_mgmt_t)
|
+ ps_process_pattern($1, ipsec_mgmt_t)
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
|
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
|
||||||
index 312cd0417..102b975de 100644
|
index 312cd0417..56961b493 100644
|
||||||
--- a/policy/modules/system/ipsec.te
|
--- a/policy/modules/system/ipsec.te
|
||||||
+++ b/policy/modules/system/ipsec.te
|
+++ b/policy/modules/system/ipsec.te
|
||||||
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
|
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
|
||||||
@ -38802,7 +38803,15 @@ index 312cd0417..102b975de 100644
|
|||||||
|
|
||||||
manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
|
manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
|
||||||
manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
|
manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
|
||||||
@@ -110,10 +127,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
|
@@ -101,6 +118,7 @@ manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
|
||||||
|
files_pid_filetrans(ipsec_t, ipsec_var_run_t, { dir file sock_file })
|
||||||
|
|
||||||
|
can_exec(ipsec_t, ipsec_mgmt_exec_t)
|
||||||
|
+can_exec(ipsec_t, ipsec_exec_t)
|
||||||
|
|
||||||
|
# pluto runs an updown script (by calling popen()!) as this is by default
|
||||||
|
# a shell script, we need to find a way to make things work without
|
||||||
|
@@ -110,10 +128,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
|
||||||
allow ipsec_mgmt_t ipsec_t:fd use;
|
allow ipsec_mgmt_t ipsec_t:fd use;
|
||||||
allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
|
allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
|
||||||
allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
|
allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
|
||||||
@ -38815,7 +38824,7 @@ index 312cd0417..102b975de 100644
|
|||||||
kernel_list_proc(ipsec_t)
|
kernel_list_proc(ipsec_t)
|
||||||
kernel_read_proc_symlinks(ipsec_t)
|
kernel_read_proc_symlinks(ipsec_t)
|
||||||
# allow pluto to access /proc/net/ipsec_eroute;
|
# allow pluto to access /proc/net/ipsec_eroute;
|
||||||
@@ -128,20 +145,24 @@ corecmd_exec_shell(ipsec_t)
|
@@ -128,20 +146,24 @@ corecmd_exec_shell(ipsec_t)
|
||||||
corecmd_exec_bin(ipsec_t)
|
corecmd_exec_bin(ipsec_t)
|
||||||
|
|
||||||
# Pluto needs network access
|
# Pluto needs network access
|
||||||
@ -38847,7 +38856,7 @@ index 312cd0417..102b975de 100644
|
|||||||
|
|
||||||
dev_read_sysfs(ipsec_t)
|
dev_read_sysfs(ipsec_t)
|
||||||
dev_read_rand(ipsec_t)
|
dev_read_rand(ipsec_t)
|
||||||
@@ -157,22 +178,32 @@ files_dontaudit_search_home(ipsec_t)
|
@@ -157,22 +179,32 @@ files_dontaudit_search_home(ipsec_t)
|
||||||
fs_getattr_all_fs(ipsec_t)
|
fs_getattr_all_fs(ipsec_t)
|
||||||
fs_search_auto_mountpoints(ipsec_t)
|
fs_search_auto_mountpoints(ipsec_t)
|
||||||
|
|
||||||
@ -38882,7 +38891,7 @@ index 312cd0417..102b975de 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
seutil_sigchld_newrole(ipsec_t)
|
seutil_sigchld_newrole(ipsec_t)
|
||||||
@@ -182,19 +213,30 @@ optional_policy(`
|
@@ -182,19 +214,30 @@ optional_policy(`
|
||||||
udev_read_db(ipsec_t)
|
udev_read_db(ipsec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -38917,7 +38926,7 @@ index 312cd0417..102b975de 100644
|
|||||||
|
|
||||||
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
|
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
|
||||||
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
|
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
|
||||||
@@ -208,12 +250,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
|
@@ -208,12 +251,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
|
||||||
|
|
||||||
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
|
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
|
||||||
files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
|
files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
|
||||||
@ -38933,7 +38942,7 @@ index 312cd0417..102b975de 100644
|
|||||||
|
|
||||||
# _realsetup needs to be able to cat /var/run/pluto.pid,
|
# _realsetup needs to be able to cat /var/run/pluto.pid,
|
||||||
# run ps on that pid, and delete the file
|
# run ps on that pid, and delete the file
|
||||||
@@ -246,6 +290,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
|
@@ -246,6 +291,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
|
||||||
kernel_getattr_core_if(ipsec_mgmt_t)
|
kernel_getattr_core_if(ipsec_mgmt_t)
|
||||||
kernel_getattr_message_if(ipsec_mgmt_t)
|
kernel_getattr_message_if(ipsec_mgmt_t)
|
||||||
|
|
||||||
@ -38950,7 +38959,7 @@ index 312cd0417..102b975de 100644
|
|||||||
files_read_kernel_symbol_table(ipsec_mgmt_t)
|
files_read_kernel_symbol_table(ipsec_mgmt_t)
|
||||||
files_getattr_kernel_modules(ipsec_mgmt_t)
|
files_getattr_kernel_modules(ipsec_mgmt_t)
|
||||||
|
|
||||||
@@ -255,6 +309,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
|
@@ -255,6 +310,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
|
||||||
corecmd_exec_bin(ipsec_mgmt_t)
|
corecmd_exec_bin(ipsec_mgmt_t)
|
||||||
corecmd_exec_shell(ipsec_mgmt_t)
|
corecmd_exec_shell(ipsec_mgmt_t)
|
||||||
|
|
||||||
@ -38959,7 +38968,7 @@ index 312cd0417..102b975de 100644
|
|||||||
dev_read_rand(ipsec_mgmt_t)
|
dev_read_rand(ipsec_mgmt_t)
|
||||||
dev_read_urand(ipsec_mgmt_t)
|
dev_read_urand(ipsec_mgmt_t)
|
||||||
|
|
||||||
@@ -269,6 +325,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
|
@@ -269,6 +326,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
|
||||||
files_read_etc_files(ipsec_mgmt_t)
|
files_read_etc_files(ipsec_mgmt_t)
|
||||||
files_exec_etc_files(ipsec_mgmt_t)
|
files_exec_etc_files(ipsec_mgmt_t)
|
||||||
files_read_etc_runtime_files(ipsec_mgmt_t)
|
files_read_etc_runtime_files(ipsec_mgmt_t)
|
||||||
@ -38967,7 +38976,7 @@ index 312cd0417..102b975de 100644
|
|||||||
files_read_usr_files(ipsec_mgmt_t)
|
files_read_usr_files(ipsec_mgmt_t)
|
||||||
files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
|
files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
|
||||||
files_dontaudit_getattr_default_files(ipsec_mgmt_t)
|
files_dontaudit_getattr_default_files(ipsec_mgmt_t)
|
||||||
@@ -278,9 +335,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
|
@@ -278,9 +336,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
|
||||||
fs_list_tmpfs(ipsec_mgmt_t)
|
fs_list_tmpfs(ipsec_mgmt_t)
|
||||||
|
|
||||||
term_use_console(ipsec_mgmt_t)
|
term_use_console(ipsec_mgmt_t)
|
||||||
@ -38979,7 +38988,7 @@ index 312cd0417..102b975de 100644
|
|||||||
|
|
||||||
init_read_utmp(ipsec_mgmt_t)
|
init_read_utmp(ipsec_mgmt_t)
|
||||||
init_use_script_ptys(ipsec_mgmt_t)
|
init_use_script_ptys(ipsec_mgmt_t)
|
||||||
@@ -288,17 +346,28 @@ init_exec_script_files(ipsec_mgmt_t)
|
@@ -288,17 +347,28 @@ init_exec_script_files(ipsec_mgmt_t)
|
||||||
init_use_fds(ipsec_mgmt_t)
|
init_use_fds(ipsec_mgmt_t)
|
||||||
init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
|
init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
|
||||||
|
|
||||||
@ -39013,7 +39022,7 @@ index 312cd0417..102b975de 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
consoletype_exec(ipsec_mgmt_t)
|
consoletype_exec(ipsec_mgmt_t)
|
||||||
@@ -322,6 +391,10 @@ optional_policy(`
|
@@ -322,6 +392,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -39024,7 +39033,7 @@ index 312cd0417..102b975de 100644
|
|||||||
modutils_domtrans_insmod(ipsec_mgmt_t)
|
modutils_domtrans_insmod(ipsec_mgmt_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -335,7 +408,7 @@ optional_policy(`
|
@@ -335,7 +409,7 @@ optional_policy(`
|
||||||
#
|
#
|
||||||
|
|
||||||
allow racoon_t self:capability { net_admin net_bind_service };
|
allow racoon_t self:capability { net_admin net_bind_service };
|
||||||
@ -39033,7 +39042,7 @@ index 312cd0417..102b975de 100644
|
|||||||
allow racoon_t self:unix_dgram_socket { connect create ioctl write };
|
allow racoon_t self:unix_dgram_socket { connect create ioctl write };
|
||||||
allow racoon_t self:netlink_selinux_socket { bind create read };
|
allow racoon_t self:netlink_selinux_socket { bind create read };
|
||||||
allow racoon_t self:udp_socket create_socket_perms;
|
allow racoon_t self:udp_socket create_socket_perms;
|
||||||
@@ -370,13 +443,12 @@ kernel_request_load_module(racoon_t)
|
@@ -370,13 +444,12 @@ kernel_request_load_module(racoon_t)
|
||||||
corecmd_exec_shell(racoon_t)
|
corecmd_exec_shell(racoon_t)
|
||||||
corecmd_exec_bin(racoon_t)
|
corecmd_exec_bin(racoon_t)
|
||||||
|
|
||||||
@ -39053,7 +39062,7 @@ index 312cd0417..102b975de 100644
|
|||||||
corenet_udp_bind_isakmp_port(racoon_t)
|
corenet_udp_bind_isakmp_port(racoon_t)
|
||||||
corenet_udp_bind_ipsecnat_port(racoon_t)
|
corenet_udp_bind_ipsecnat_port(racoon_t)
|
||||||
|
|
||||||
@@ -401,10 +473,10 @@ locallogin_use_fds(racoon_t)
|
@@ -401,10 +474,10 @@ locallogin_use_fds(racoon_t)
|
||||||
logging_send_syslog_msg(racoon_t)
|
logging_send_syslog_msg(racoon_t)
|
||||||
logging_send_audit_msgs(racoon_t)
|
logging_send_audit_msgs(racoon_t)
|
||||||
|
|
||||||
@ -39066,7 +39075,7 @@ index 312cd0417..102b975de 100644
|
|||||||
auth_can_read_shadow_passwords(racoon_t)
|
auth_can_read_shadow_passwords(racoon_t)
|
||||||
tunable_policy(`racoon_read_shadow',`
|
tunable_policy(`racoon_read_shadow',`
|
||||||
auth_tunable_read_shadow(racoon_t)
|
auth_tunable_read_shadow(racoon_t)
|
||||||
@@ -438,9 +510,8 @@ corenet_setcontext_all_spds(setkey_t)
|
@@ -438,9 +511,8 @@ corenet_setcontext_all_spds(setkey_t)
|
||||||
|
|
||||||
locallogin_use_fds(setkey_t)
|
locallogin_use_fds(setkey_t)
|
||||||
|
|
||||||
@ -49031,10 +49040,10 @@ index 000000000..634d9596a
|
|||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 000000000..35fc2b865
|
index 000000000..e7c2cc70b
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/system/systemd.te
|
+++ b/policy/modules/system/systemd.te
|
||||||
@@ -0,0 +1,1020 @@
|
@@ -0,0 +1,1021 @@
|
||||||
+policy_module(systemd, 1.0.0)
|
+policy_module(systemd, 1.0.0)
|
||||||
+
|
+
|
||||||
+#######################################
|
+#######################################
|
||||||
@ -49325,6 +49334,7 @@ index 000000000..35fc2b865
|
|||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ dbus_connect_system_bus(systemd_logind_t)
|
+ dbus_connect_system_bus(systemd_logind_t)
|
||||||
+ dbus_system_bus_client(systemd_logind_t)
|
+ dbus_system_bus_client(systemd_logind_t)
|
||||||
|
+ dbus_manage_session_tmp_dirs(systemd_logind_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
|
@ -12512,7 +12512,7 @@ index 008f8ef26..144c0740a 100644
|
|||||||
admin_pattern($1, certmonger_var_run_t)
|
admin_pattern($1, certmonger_var_run_t)
|
||||||
')
|
')
|
||||||
diff --git a/certmonger.te b/certmonger.te
|
diff --git a/certmonger.te b/certmonger.te
|
||||||
index 550b287ce..80de6d3b7 100644
|
index 550b287ce..c2433ff15 100644
|
||||||
--- a/certmonger.te
|
--- a/certmonger.te
|
||||||
+++ b/certmonger.te
|
+++ b/certmonger.te
|
||||||
@@ -18,18 +18,26 @@ files_type(certmonger_var_lib_t)
|
@@ -18,18 +18,26 @@ files_type(certmonger_var_lib_t)
|
||||||
@ -12611,7 +12611,7 @@ index 550b287ce..80de6d3b7 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -92,11 +116,73 @@ optional_policy(`
|
@@ -92,11 +116,74 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -12645,6 +12645,7 @@ index 550b287ce..80de6d3b7 100644
|
|||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ pki_rw_tomcat_cert(certmonger_t)
|
+ pki_rw_tomcat_cert(certmonger_t)
|
||||||
+ pki_read_tomcat_lib_files(certmonger_t)
|
+ pki_read_tomcat_lib_files(certmonger_t)
|
||||||
|
+ pki_tomcat_systemctl(certmonger_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
@ -22522,7 +22523,7 @@ index dda905b9c..558729530 100644
|
|||||||
/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
|
/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
|
||||||
+')
|
+')
|
||||||
diff --git a/dbus.if b/dbus.if
|
diff --git a/dbus.if b/dbus.if
|
||||||
index 62d22cb46..77afd180d 100644
|
index 62d22cb46..c0c2ed47d 100644
|
||||||
--- a/dbus.if
|
--- a/dbus.if
|
||||||
+++ b/dbus.if
|
+++ b/dbus.if
|
||||||
@@ -1,4 +1,4 @@
|
@@ -1,4 +1,4 @@
|
||||||
@ -22671,9 +22672,9 @@ index 62d22cb46..77afd180d 100644
|
|||||||
- files_search_var_lib($1)
|
- files_search_var_lib($1)
|
||||||
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
|
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
|
||||||
+ files_search_var_lib($1)
|
+ files_search_var_lib($1)
|
||||||
|
|
||||||
+ dev_read_urand($1)
|
|
||||||
+
|
+
|
||||||
|
+ dev_read_urand($1)
|
||||||
|
|
||||||
+ # For connecting to the bus
|
+ # For connecting to the bus
|
||||||
files_search_pids($1)
|
files_search_pids($1)
|
||||||
stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
|
stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
|
||||||
@ -23383,7 +23384,7 @@ index 62d22cb46..77afd180d 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -597,28 +661,50 @@ interface(`dbus_use_system_bus_fds',`
|
@@ -597,28 +661,68 @@ interface(`dbus_use_system_bus_fds',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -23441,6 +23442,24 @@ index 62d22cb46..77afd180d 100644
|
|||||||
- typeattribute $1 dbusd_unconfined;
|
- typeattribute $1 dbusd_unconfined;
|
||||||
+ allow $1 system_dbusd_t:dbus acquire_svc;
|
+ allow $1 system_dbusd_t:dbus acquire_svc;
|
||||||
+
|
+
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Manage session_dbusd tmp dirs.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`dbus_manage_session_tmp_dirs',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type session_dbusd_tmp_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ manage_dirs_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t)
|
||||||
')
|
')
|
||||||
diff --git a/dbus.te b/dbus.te
|
diff --git a/dbus.te b/dbus.te
|
||||||
index c9998c80d..d8ef03416 100644
|
index c9998c80d..d8ef03416 100644
|
||||||
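Review bot: The new `dbus_manage_session_tmp_dirs` interface grants the full `manage_dirs_pattern` on session_dbusd_tmp_t, and its only visible caller, systemd_logind_t in the systemd.te hunk earlier on the page, gets no comment saying which operation required it. If logind only needs to remove per-session directories when a session ends, `delete_dirs_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t)` would be the narrower grant; if create/rename is genuinely needed, a one-line comment at the logind call site stating that would justify the wider set. Note also that the interface body grants nothing on the enclosing tmp directory, so a caller must already be able to search it — presumably true for logind, but worth confirming before reusing the interface elsewhere.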
@ -24046,7 +24065,7 @@ index 5606b4069..cd18cf2a7 100644
|
|||||||
domain_system_change_exemption($1)
|
domain_system_change_exemption($1)
|
||||||
role_transition $2 ddclient_initrc_exec_t system_r;
|
role_transition $2 ddclient_initrc_exec_t system_r;
|
||||||
diff --git a/ddclient.te b/ddclient.te
|
diff --git a/ddclient.te b/ddclient.te
|
||||||
index a4caa1b5b..42f30662d 100644
|
index a4caa1b5b..f244f9a63 100644
|
||||||
--- a/ddclient.te
|
--- a/ddclient.te
|
||||||
+++ b/ddclient.te
|
+++ b/ddclient.te
|
||||||
@@ -38,9 +38,13 @@ files_pid_file(ddclient_var_run_t)
|
@@ -38,9 +38,13 @@ files_pid_file(ddclient_var_run_t)
|
||||||
@ -24091,7 +24110,7 @@ index a4caa1b5b..42f30662d 100644
|
|||||||
fs_getattr_all_fs(ddclient_t)
|
fs_getattr_all_fs(ddclient_t)
|
||||||
fs_search_auto_mountpoints(ddclient_t)
|
fs_search_auto_mountpoints(ddclient_t)
|
||||||
|
|
||||||
+auth_read_passwd(ddclient_t)
|
+auth_use_nsswitch(ddclient_t)
|
||||||
+
|
+
|
||||||
logging_send_syslog_msg(ddclient_t)
|
logging_send_syslog_msg(ddclient_t)
|
||||||
|
|
||||||
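Review bot: Replacing `auth_read_passwd(ddclient_t)` with `auth_use_nsswitch(ddclient_t)` is, as far as I recall the refpolicy interface, a noticeably wider grant than reading the passwd file (it covers the name-service client paths rather than one file), so the reason belongs next to the rule, e.g. `# BZ(1456241): ddclient needs NSS lookups, not only /etc/passwd`. The same substitution is made for pki_tomcat_t in the pki.te hunk later on the page, and that one is not mentioned in the commit message; a matching comment there would help the next reviewer.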
@ -25752,10 +25771,10 @@ index 000000000..b3784d85d
|
|||||||
+')
|
+')
|
||||||
diff --git a/dirsrv.te b/dirsrv.te
|
diff --git a/dirsrv.te b/dirsrv.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 000000000..cb6af79d7
|
index 000000000..22cafcd43
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/dirsrv.te
|
+++ b/dirsrv.te
|
||||||
@@ -0,0 +1,205 @@
|
@@ -0,0 +1,207 @@
|
||||||
+policy_module(dirsrv,1.0.0)
|
+policy_module(dirsrv,1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -25818,11 +25837,13 @@ index 000000000..cb6af79d7
|
|||||||
+manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
|
+manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
|
||||||
+manage_lnk_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
|
+manage_lnk_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
|
||||||
+fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, { dir file })
|
+fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, { dir file })
|
||||||
|
+allow dirsrv_t dirsrv_tmpfs_t:file map;
|
||||||
+
|
+
|
||||||
+manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
|
+manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
|
||||||
+manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
|
+manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
|
||||||
+manage_sock_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
|
+manage_sock_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
|
||||||
+files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file })
|
+files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file })
|
||||||
|
+allow dirsrv_t dirsrv_var_lib_t:file map;
|
||||||
+
|
+
|
||||||
+manage_dirs_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
|
+manage_dirs_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
|
||||||
+manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
|
+manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
|
||||||
@ -72978,10 +72999,10 @@ index 000000000..47cd0f8ba
|
|||||||
+/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
|
+/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
|
||||||
diff --git a/pki.if b/pki.if
|
diff --git a/pki.if b/pki.if
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 000000000..f18fcc68f
|
index 000000000..f69ae0298
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/pki.if
|
+++ b/pki.if
|
||||||
@@ -0,0 +1,479 @@
|
@@ -0,0 +1,503 @@
|
||||||
+
|
+
|
||||||
+## <summary>policy for pki</summary>
|
+## <summary>policy for pki</summary>
|
||||||
+
|
+
|
||||||
@ -73461,9 +73482,33 @@ index 000000000..f18fcc68f
|
|||||||
+ files_search_pids($1)
|
+ files_search_pids($1)
|
||||||
+ stream_connect_pattern($1, pki_common_t, pki_common_t, pki_tomcat_t)
|
+ stream_connect_pattern($1, pki_common_t, pki_common_t, pki_tomcat_t)
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Execute pki in the pkit_tomcat_t domain.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed to transition.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`pki_tomcat_systemctl',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type pki_tomcat_t;
|
||||||
|
+ type pki_tomcat_unit_file_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ systemd_exec_systemctl($1)
|
||||||
|
+ systemd_read_fifo_file_passwd_run($1)
|
||||||
|
+ allow $1 pki_tomcat_unit_file_t:file read_file_perms;
|
||||||
|
+ allow $1 pki_tomcat_unit_file_t:service manage_service_perms;
|
||||||
|
+
|
||||||
|
+ ps_process_pattern($1, pki_tomcat_t)
|
||||||
|
+')
|
||||||
diff --git a/pki.te b/pki.te
|
diff --git a/pki.te b/pki.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 000000000..cde75a219
|
index 000000000..9c27847b2
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/pki.te
|
+++ b/pki.te
|
||||||
@@ -0,0 +1,285 @@
|
@@ -0,0 +1,285 @@
|
||||||
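Review bot: The header of the new `pki_tomcat_systemctl` interface does not describe what it grants: the summary says `Execute pki in the pkit_tomcat_t domain.` (also a typo for pki_tomcat_t) and the parameter text is `Domain allowed to transition.`, yet the body performs no domain transition — it allows systemctl execution, read of pki_tomcat_unit_file_t, `manage_service_perms` on that unit and `ps_process_pattern` on pki_tomcat_t. Suggested wording: `## Execute systemctl to manage the pki-tomcat service.` for the summary and `## Domain allowed access.` for the parameter. Because `manage_service_perms` lets the caller start and stop the service, the grant to certmonger_t in the certmonger.te hunk deserves a one-line comment saying why certmonger needs it; neither that caller nor this interface is listed in the commit message.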
@ -73579,7 +73624,7 @@ index 000000000..cde75a219
|
|||||||
+can_exec(pki_tomcat_t, pki_common_t)
|
+can_exec(pki_tomcat_t, pki_common_t)
|
||||||
+init_stream_connect_script(pki_tomcat_t)
|
+init_stream_connect_script(pki_tomcat_t)
|
||||||
+
|
+
|
||||||
+auth_read_passwd(pki_tomcat_t)
|
+auth_use_nsswitch(pki_tomcat_t)
|
||||||
+
|
+
|
||||||
+search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t)
|
+search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t)
|
||||||
+
|
+
|
||||||
@ -93545,7 +93590,7 @@ index ebe91fc70..6ba4338cb 100644
|
|||||||
+/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
+/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||||
')
|
')
|
||||||
diff --git a/rpm.if b/rpm.if
|
diff --git a/rpm.if b/rpm.if
|
||||||
index ef3b22507..d2b4c1697 100644
|
index ef3b22507..79518530e 100644
|
||||||
--- a/rpm.if
|
--- a/rpm.if
|
||||||
+++ b/rpm.if
|
+++ b/rpm.if
|
||||||
@@ -1,8 +1,8 @@
|
@@ -1,8 +1,8 @@
|
||||||
@ -93646,16 +93691,34 @@ index ef3b22507..d2b4c1697 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -109,7 +116,7 @@ interface(`rpm_exec',`
|
@@ -109,7 +116,25 @@ interface(`rpm_exec',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
-## Send null signals to rpm.
|
-## Send null signals to rpm.
|
||||||
|
+## Do not audit to execute a rpm.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain to not audit.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`rpm_dontaudit_exec',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type rpm_exec_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ dontaudit $1 rpm_exec_t:file exec_file_perms;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
+## Send a null signal to rpm.
|
+## Send a null signal to rpm.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -127,7 +134,7 @@ interface(`rpm_signull',`
|
@@ -127,7 +152,7 @@ interface(`rpm_signull',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
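Review bot: The summary of the new `rpm_dontaudit_exec` interface reads `## Do not audit to execute a rpm.`, which is ungrammatical and does not say whose attempts are silenced; `## Do not audit attempts to execute rpm.` matches what the body's `dontaudit $1 rpm_exec_t:file exec_file_perms;` does. This interface is not mentioned in the commit message and no caller is visible on this page, so a reader cannot tell which domain's denials motivated it; a short pointer in the commit message or at the call site would help.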
@ -93664,7 +93727,7 @@ index ef3b22507..d2b4c1697 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -145,7 +152,7 @@ interface(`rpm_use_fds',`
|
@@ -145,7 +170,7 @@ interface(`rpm_use_fds',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -93673,7 +93736,7 @@ index ef3b22507..d2b4c1697 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -163,7 +170,7 @@ interface(`rpm_read_pipes',`
|
@@ -163,7 +188,7 @@ interface(`rpm_read_pipes',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -93682,7 +93745,7 @@ index ef3b22507..d2b4c1697 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -181,6 +188,60 @@ interface(`rpm_rw_pipes',`
|
@@ -181,6 +206,60 @@ interface(`rpm_rw_pipes',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -93743,7 +93806,7 @@ index ef3b22507..d2b4c1697 100644
|
|||||||
## Send and receive messages from
|
## Send and receive messages from
|
||||||
## rpm over dbus.
|
## rpm over dbus.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -224,7 +285,7 @@ interface(`rpm_dontaudit_dbus_chat',`
|
@@ -224,7 +303,7 @@ interface(`rpm_dontaudit_dbus_chat',`
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Send and receive messages from
|
## Send and receive messages from
|
||||||
@ -93752,7 +93815,7 @@ index ef3b22507..d2b4c1697 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -244,7 +305,7 @@ interface(`rpm_script_dbus_chat',`
|
@@ -244,7 +323,7 @@ interface(`rpm_script_dbus_chat',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -93761,7 +93824,7 @@ index ef3b22507..d2b4c1697 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -263,7 +324,8 @@ interface(`rpm_search_log',`
|
@@ -263,7 +342,8 @@ interface(`rpm_search_log',`
|
||||||
|
|
||||||
#####################################
|
#####################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -93771,19 +93834,17 @@ index ef3b22507..d2b4c1697 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -276,14 +338,30 @@ interface(`rpm_append_log',`
|
@@ -276,14 +356,30 @@ interface(`rpm_append_log',`
|
||||||
type rpm_log_t;
|
type rpm_log_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
- logging_search_logs($1)
|
- logging_search_logs($1)
|
||||||
- append_files_pattern($1, rpm_log_t, rpm_log_t)
|
- append_files_pattern($1, rpm_log_t, rpm_log_t)
|
||||||
+ allow $1 rpm_log_t:file append_inherited_file_perms;
|
+ allow $1 rpm_log_t:file append_inherited_file_perms;
|
||||||
')
|
+')
|
||||||
|
+
|
||||||
########################################
|
+########################################
|
||||||
## <summary>
|
+## <summary>
|
||||||
-## Create, read, write, and delete
|
|
||||||
-## rpm log files.
|
|
||||||
+## Create, read, write, and delete the RPM log.
|
+## Create, read, write, and delete the RPM log.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
@ -93798,15 +93859,17 @@ index ef3b22507..d2b4c1697 100644
|
|||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ read_files_pattern($1, rpm_log_t, rpm_log_t)
|
+ read_files_pattern($1, rpm_log_t, rpm_log_t)
|
||||||
+')
|
')
|
||||||
+
|
|
||||||
+########################################
|
########################################
|
||||||
+## <summary>
|
## <summary>
|
||||||
|
-## Create, read, write, and delete
|
||||||
|
-## rpm log files.
|
||||||
+## Create, read, write, and delete the RPM log.
|
+## Create, read, write, and delete the RPM log.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -302,7 +380,32 @@ interface(`rpm_manage_log',`
|
@@ -302,7 +398,32 @@ interface(`rpm_manage_log',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -93840,7 +93903,7 @@ index ef3b22507..d2b4c1697 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -320,8 +423,8 @@ interface(`rpm_use_script_fds',`
|
@@ -320,8 +441,8 @@ interface(`rpm_use_script_fds',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -93851,7 +93914,7 @@ index ef3b22507..d2b4c1697 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -335,12 +438,15 @@ interface(`rpm_manage_script_tmp_files',`
|
@@ -335,12 +456,15 @@ interface(`rpm_manage_script_tmp_files',`
|
||||||
')
|
')
|
||||||
|
|
||||||
files_search_tmp($1)
|
files_search_tmp($1)
|
||||||
@ -93868,7 +93931,7 @@ index ef3b22507..d2b4c1697 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -353,14 +459,13 @@ interface(`rpm_append_tmp_files',`
|
@@ -353,14 +477,13 @@ interface(`rpm_append_tmp_files',`
|
||||||
type rpm_tmp_t;
|
type rpm_tmp_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -93886,7 +93949,7 @@ index ef3b22507..d2b4c1697 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -374,12 +479,34 @@ interface(`rpm_manage_tmp_files',`
|
@@ -374,12 +497,34 @@ interface(`rpm_manage_tmp_files',`
|
||||||
')
|
')
|
||||||
|
|
||||||
files_search_tmp($1)
|
files_search_tmp($1)
|
||||||
@ -93922,7 +93985,7 @@ index ef3b22507..d2b4c1697 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -399,7 +526,7 @@ interface(`rpm_read_script_tmp_files',`
|
@@ -399,7 +544,7 @@ interface(`rpm_read_script_tmp_files',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -93931,7 +93994,7 @@ index ef3b22507..d2b4c1697 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -420,8 +547,7 @@ interface(`rpm_read_cache',`
|
@@ -420,8 +565,7 @@ interface(`rpm_read_cache',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -93941,7 +94004,7 @@ index ef3b22507..d2b4c1697 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -442,7 +568,7 @@ interface(`rpm_manage_cache',`
|
@@ -442,7 +586,7 @@ interface(`rpm_manage_cache',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -93950,7 +94013,7 @@ index ef3b22507..d2b4c1697 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -459,11 +585,13 @@ interface(`rpm_read_db',`
|
@@ -459,11 +603,13 @@ interface(`rpm_read_db',`
|
||||||
allow $1 rpm_var_lib_t:dir list_dir_perms;
|
allow $1 rpm_var_lib_t:dir list_dir_perms;
|
||||||
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
|
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
|
||||||
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
|
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
|
||||||
@ -93965,7 +94028,7 @@ index ef3b22507..d2b4c1697 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -482,8 +610,7 @@ interface(`rpm_delete_db',`
|
@@ -482,8 +628,7 @@ interface(`rpm_delete_db',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -93975,7 +94038,7 @@ index ef3b22507..d2b4c1697 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -499,12 +626,33 @@ interface(`rpm_manage_db',`
|
@@ -499,12 +644,33 @@ interface(`rpm_manage_db',`
|
||||||
files_search_var_lib($1)
|
files_search_var_lib($1)
|
||||||
manage_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
|
manage_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
|
||||||
manage_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
|
manage_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
|
||||||
@ -94010,7 +94073,7 @@ index ef3b22507..d2b4c1697 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -517,9 +665,10 @@ interface(`rpm_dontaudit_manage_db',`
|
@@ -517,9 +683,10 @@ interface(`rpm_dontaudit_manage_db',`
|
||||||
type rpm_var_lib_t;
|
type rpm_var_lib_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -94022,7 +94085,7 @@ index ef3b22507..d2b4c1697 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
#####################################
|
#####################################
|
||||||
@@ -543,8 +692,7 @@ interface(`rpm_read_pid_files',`
|
@@ -543,8 +710,7 @@ interface(`rpm_read_pid_files',`
|
||||||
|
|
||||||
#####################################
|
#####################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -94032,7 +94095,7 @@ index ef3b22507..d2b4c1697 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -563,8 +711,7 @@ interface(`rpm_manage_pid_files',`
|
@@ -563,8 +729,7 @@ interface(`rpm_manage_pid_files',`
|
||||||
|
|
||||||
######################################
|
######################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -94042,7 +94105,7 @@ index ef3b22507..d2b4c1697 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -573,43 +720,54 @@ interface(`rpm_manage_pid_files',`
|
@@ -573,43 +738,54 @@ interface(`rpm_manage_pid_files',`
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`rpm_pid_filetrans',`
|
interface(`rpm_pid_filetrans',`
|
||||||
@ -94114,7 +94177,7 @@ index ef3b22507..d2b4c1697 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -617,22 +775,57 @@ interface(`rpm_pid_filetrans_rpm_pid',`
|
@@ -617,22 +793,57 @@ interface(`rpm_pid_filetrans_rpm_pid',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
## <param name="role">
|
## <param name="role">
|
||||||
@ -94183,7 +94246,7 @@ index ef3b22507..d2b4c1697 100644
|
|||||||
|
|
||||||
init_labeled_script_domtrans($1, rpm_initrc_exec_t)
|
init_labeled_script_domtrans($1, rpm_initrc_exec_t)
|
||||||
domain_system_change_exemption($1)
|
domain_system_change_exemption($1)
|
||||||
@@ -641,9 +834,6 @@ interface(`rpm_admin',`
|
@@ -641,9 +852,6 @@ interface(`rpm_admin',`
|
||||||
|
|
||||||
admin_pattern($1, rpm_file_t)
|
admin_pattern($1, rpm_file_t)
|
||||||
|
|
||||||
@ -108617,10 +108680,10 @@ index 000000000..a6e216c73
|
|||||||
+
|
+
|
||||||
diff --git a/targetd.te b/targetd.te
|
diff --git a/targetd.te b/targetd.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 000000000..681ec9f67
|
index 000000000..acdccbb18
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/targetd.te
|
+++ b/targetd.te
|
||||||
@@ -0,0 +1,101 @@
|
@@ -0,0 +1,109 @@
|
||||||
+policy_module(targetd, 1.0.0)
|
+policy_module(targetd, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -108638,6 +108701,9 @@ index 000000000..681ec9f67
|
|||||||
+type targetd_unit_file_t;
|
+type targetd_unit_file_t;
|
||||||
+systemd_unit_file(targetd_unit_file_t)
|
+systemd_unit_file(targetd_unit_file_t)
|
||||||
+
|
+
|
||||||
|
+type targetd_tmp_t;
|
||||||
|
+files_tmp_file(targetd_tmp_t)
|
||||||
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+#
|
+#
|
||||||
+# targetd local policy
|
+# targetd local policy
|
||||||
@ -108655,6 +108721,10 @@ index 000000000..681ec9f67
|
|||||||
+manage_files_pattern(targetd_t, targetd_etc_rw_t, targetd_etc_rw_t)
|
+manage_files_pattern(targetd_t, targetd_etc_rw_t, targetd_etc_rw_t)
|
||||||
+files_etc_filetrans(targetd_t, targetd_etc_rw_t, { dir file })
|
+files_etc_filetrans(targetd_t, targetd_etc_rw_t, { dir file })
|
||||||
+
|
+
|
||||||
|
+manage_dirs_pattern(targetd_t, targetd_tmp_t, targetd_tmp_t)
|
||||||
|
+manage_files_pattern(targetd_t, targetd_tmp_t, targetd_tmp_t)
|
||||||
|
+files_tmp_filetrans(targetd_t, targetd_tmp_t, { file dir })
|
||||||
|
+
|
||||||
+files_rw_isid_type_dirs(targetd_t)
|
+files_rw_isid_type_dirs(targetd_t)
|
||||||
+
|
+
|
||||||
+fs_getattr_xattr_fs(targetd_t)
|
+fs_getattr_xattr_fs(targetd_t)
|
||||||
@ -108716,6 +108786,7 @@ index 000000000..681ec9f67
|
|||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ rpm_dontaudit_read_db(targetd_t)
|
+ rpm_dontaudit_read_db(targetd_t)
|
||||||
|
+ rpm_dontaudit_exec(targetd_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
@ -110838,10 +110909,10 @@ index 000000000..9524b50aa
|
|||||||
+')
|
+')
|
||||||
diff --git a/thumb.te b/thumb.te
|
diff --git a/thumb.te b/thumb.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 000000000..d366c8b37
|
index 000000000..2b15dca23
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/thumb.te
|
+++ b/thumb.te
|
||||||
@@ -0,0 +1,168 @@
|
@@ -0,0 +1,172 @@
|
||||||
+policy_module(thumb, 1.0.0)
|
+policy_module(thumb, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -111010,6 +111081,10 @@ index 000000000..d366c8b37
|
|||||||
+ corenet_dontaudit_udp_bind_all_ports(thumb_t)
|
+ corenet_dontaudit_udp_bind_all_ports(thumb_t)
|
||||||
+ corenet_dontaudit_udp_bind_generic_node(thumb_t)
|
+ corenet_dontaudit_udp_bind_generic_node(thumb_t)
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ storage_getattr_fixed_disk_dev(thumb_t)
|
||||||
|
+')
|
||||||
diff --git a/thunderbird.te b/thunderbird.te
|
diff --git a/thunderbird.te b/thunderbird.te
|
||||||
index 5e867da56..b25ea6e08 100644
|
index 5e867da56..b25ea6e08 100644
|
||||||
--- a/thunderbird.te
|
--- a/thunderbird.te
|
||||||
|
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.13.1
|
Version: 3.13.1
|
||||||
Release: 277%{?dist}
|
Release: 278%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -681,6 +681,15 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Aug 31 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-278
|
||||||
|
- Add couple rules related to map permissions
|
||||||
|
- Allow ddclient use nsswitch BZ(1456241)
|
||||||
|
- Allow thumb_t domain getattr fixed_disk device. BZ(1379137)
|
||||||
|
- Add interface dbus_manage_session_tmp_dirs()
|
||||||
|
- Dontaudit useradd_t sys_ptrace BZ(1480121)
|
||||||
|
- Allow ipsec_t can exec ipsec_exec_t
|
||||||
|
- Allow systemd_logind_t to mamange session_dbusd_tmp_t dirs
|
||||||
|
|
||||||
* Mon Aug 28 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-277
|
* Mon Aug 28 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-277
|
||||||
- Allow cupsd_t to execute ld_so_cache
|
- Allow cupsd_t to execute ld_so_cache
|
||||||
- Add cgroup_seclabel policycap.
|
- Add cgroup_seclabel policycap.
|
||||||
|