* Thu Feb 25 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-172
- Fix macro name from snmp_manage_snmp_var_lib_files to snmp_manage_var_lib_files in cupsd policy. - Allow hplip driver to write to its MIB index files stored in the /var/lib/net-snmp/mib_indexes. Resolves: rhbz#1291033 - Allow collectd setgid capability Resolves:#1310896 - Allow adcli running as sssd_t to write krb5.keytab file. - Allow abrt-hook-ccpp to getattr on all executables. BZ(1284304) - Allow kexec to read kernel module files in /usr/lib/modules. - Add httpd_log_t for /var/log/graphite-web rhbz#1306981 - Remove redudant rules and fix _admin interface. - Add SELinux policy for LTTng 2.x central tracing registry session daemon. - Allow create mongodb unix dgram sockets. rhbz#1306819 - Support for InnoDB Tablespace Encryption. - Dontaudit leaded file descriptors from firewalld - Add port for rkt services - Add support for the default lttng-sessiond port - tcp/5345. This port is used by LTTng 2.x central tracing registry session daemon.
This commit is contained in:
Lukas Vrabec
parent
5d7b1f6d2e
commit
352a55a547
Binary file not shown.
@ -5718,7 +5718,7 @@ index 8e0f9cd..b9f45b9 100644
|
||||
|
||||
define(`create_packet_interfaces',``
|
||||
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
|
||||
index b191055..e66e77a 100644
|
||||
index b191055..5ee0a46 100644
|
||||
--- a/policy/modules/kernel/corenetwork.te.in
|
||||
+++ b/policy/modules/kernel/corenetwork.te.in
|
||||
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
|
||||
@ -5874,7 +5874,7 @@ index b191055..e66e77a 100644
|
||||
network_port(gopher, tcp,70,s0, udp,70,s0)
|
||||
network_port(gpsd, tcp,2947,s0)
|
||||
network_port(hadoop_datanode, tcp,50010,s0)
|
||||
@@ -140,45 +179,55 @@ network_port(hadoop_namenode, tcp,8020,s0)
|
||||
@@ -140,45 +179,57 @@ network_port(hadoop_namenode, tcp,8020,s0)
|
||||
network_port(hddtemp, tcp,7634,s0)
|
||||
network_port(howl, tcp,5335,s0, udp,5353,s0)
|
||||
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
|
||||
@ -5915,7 +5915,9 @@ index b191055..e66e77a 100644
|
||||
+network_port(kerberos_password, tcp,464,s0, udp,464,s0)
|
||||
+network_port(keystone, tcp, 35357,s0, udp, 35357,s0)
|
||||
+network_port(kubernetes, tcp, 10250,s0, tcp, 4001,s0, tcp, 4194,s0)
|
||||
+network_port(lltng, tcp, 5345, s0)
|
||||
+network_port(rabbitmq, tcp,25672,s0)
|
||||
+network_port(rkt, tcp,18112,s0)
|
||||
+network_port(rlogin, tcp,543,s0, tcp,2105,s0)
|
||||
+network_port(rtsclient, tcp,2501,s0)
|
||||
network_port(kprop, tcp,754,s0)
|
||||
@ -5945,7 +5947,7 @@ index b191055..e66e77a 100644
|
||||
network_port(msnp, tcp,1863,s0, udp,1863,s0)
|
||||
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
|
||||
network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
|
||||
@@ -186,101 +235,126 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
|
||||
@@ -186,101 +237,126 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
|
||||
network_port(mxi, tcp,8005,s0, udp,8005,s0)
|
||||
network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
|
||||
network_port(mysqlmanagerd, tcp,2273,s0)
|
||||
@ -6090,7 +6092,7 @@ index b191055..e66e77a 100644
|
||||
network_port(xserver, tcp,6000-6020,s0)
|
||||
network_port(zarafa, tcp,236,s0, tcp,237,s0)
|
||||
network_port(zabbix, tcp,10051,s0)
|
||||
@@ -288,19 +362,23 @@ network_port(zabbix_agent, tcp,10050,s0)
|
||||
@@ -288,19 +364,23 @@ network_port(zabbix_agent, tcp,10050,s0)
|
||||
network_port(zookeeper_client, tcp,2181,s0)
|
||||
network_port(zookeeper_election, tcp,3888,s0)
|
||||
network_port(zookeeper_leader, tcp,2888,s0)
|
||||
@ -6117,7 +6119,7 @@ index b191055..e66e77a 100644
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -333,6 +411,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
|
||||
@@ -333,6 +413,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
|
||||
|
||||
build_option(`enable_mls',`
|
||||
network_interface(lo, lo, s0 - mls_systemhigh)
|
||||
@ -6126,7 +6128,7 @@ index b191055..e66e77a 100644
|
||||
',`
|
||||
typealias netif_t alias { lo_netif_t netif_lo_t };
|
||||
')
|
||||
@@ -345,9 +425,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
|
||||
@@ -345,9 +427,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
|
||||
allow corenet_unconfined_type node_type:node *;
|
||||
allow corenet_unconfined_type netif_type:netif *;
|
||||
allow corenet_unconfined_type packet_type:packet *;
|
||||
@ -36340,7 +36342,7 @@ index c42fbc3..bf211db 100644
|
||||
+ files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock")
|
||||
+')
|
||||
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
|
||||
index be8ed1e..bce6063 100644
|
||||
index be8ed1e..e336bc1 100644
|
||||
--- a/policy/modules/system/iptables.te
|
||||
+++ b/policy/modules/system/iptables.te
|
||||
@@ -16,15 +16,18 @@ role iptables_roles types iptables_t;
|
||||
@ -36455,20 +36457,21 @@ index be8ed1e..bce6063 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -110,6 +126,12 @@ optional_policy(`
|
||||
@@ -110,6 +126,13 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ firewalld_read_config(iptables_t)
|
||||
+ firewalld_read_pid_files(iptables_t)
|
||||
+ firewalld_dontaudit_write_tmp_files(iptables_t)
|
||||
+ firewalld_dontaudit_leaks(iptables_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
modutils_run_insmod(iptables_t, iptables_roles)
|
||||
')
|
||||
|
||||
@@ -124,6 +146,16 @@ optional_policy(`
|
||||
@@ -124,6 +147,16 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
psad_rw_tmp_files(iptables_t)
|
||||
@ -36485,7 +36488,7 @@ index be8ed1e..bce6063 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -135,9 +167,9 @@ optional_policy(`
|
||||
@@ -135,9 +168,9 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
||||
@ -589,7 +589,7 @@ index 058d908..ee0c559 100644
|
||||
+')
|
||||
+
|
||||
diff --git a/abrt.te b/abrt.te
|
||||
index eb50f07..11582eb 100644
|
||||
index eb50f07..22f5977 100644
|
||||
--- a/abrt.te
|
||||
+++ b/abrt.te
|
||||
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
|
||||
@ -1044,7 +1044,7 @@ index eb50f07..11582eb 100644
|
||||
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
|
||||
@@ -365,38 +468,76 @@ corecmd_exec_shell(abrt_retrace_worker_t)
|
||||
@@ -365,38 +468,78 @@ corecmd_exec_shell(abrt_retrace_worker_t)
|
||||
|
||||
dev_read_urand(abrt_retrace_worker_t)
|
||||
|
||||
@ -1094,6 +1094,8 @@ index eb50f07..11582eb 100644
|
||||
+
|
||||
+auth_read_passwd(abrt_dump_oops_t)
|
||||
+
|
||||
+corecmd_getattr_all_executables(abrt_dump_oops_t)
|
||||
+
|
||||
+dev_read_urand(abrt_dump_oops_t)
|
||||
+dev_read_rand(abrt_dump_oops_t)
|
||||
|
||||
@ -1102,10 +1104,10 @@ index eb50f07..11582eb 100644
|
||||
+domain_ptrace_all_domains(abrt_dump_oops_t)
|
||||
+domain_read_all_domains_state(abrt_dump_oops_t)
|
||||
+domain_getattr_all_domains(abrt_dump_oops_t)
|
||||
|
||||
+
|
||||
+files_manage_non_security_dirs(abrt_dump_oops_t)
|
||||
+files_manage_non_security_files(abrt_dump_oops_t)
|
||||
+
|
||||
|
||||
+fs_getattr_all_fs(abrt_dump_oops_t)
|
||||
fs_list_inotifyfs(abrt_dump_oops_t)
|
||||
+fs_list_pstorefs(abrt_dump_oops_t)
|
||||
@ -1125,7 +1127,7 @@ index eb50f07..11582eb 100644
|
||||
|
||||
#######################################
|
||||
#
|
||||
@@ -404,25 +545,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
|
||||
@@ -404,25 +547,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
|
||||
#
|
||||
|
||||
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
|
||||
@ -1188,7 +1190,7 @@ index eb50f07..11582eb 100644
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -430,10 +606,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
|
||||
@@ -430,10 +608,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
|
||||
# Global local policy
|
||||
#
|
||||
|
||||
@ -3449,10 +3451,10 @@ index 0000000..d8b04b5
|
||||
+ spamassassin_read_pid_files(antivirus_domain)
|
||||
+')
|
||||
diff --git a/apache.fc b/apache.fc
|
||||
index 7caefc3..b25689b 100644
|
||||
index 7caefc3..4313ba3 100644
|
||||
--- a/apache.fc
|
||||
+++ b/apache.fc
|
||||
@@ -1,162 +1,211 @@
|
||||
@@ -1,162 +1,212 @@
|
||||
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
|
||||
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
|
||||
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
|
||||
@ -3710,6 +3712,7 @@ index 7caefc3..b25689b 100644
|
||||
+/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||||
+/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
|
||||
+/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||||
+/var/log/graphite-web(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||||
+/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||||
+/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||||
+/var/log/nginx(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||||
@ -15295,7 +15298,7 @@ index 954309e..6780142 100644
|
||||
')
|
||||
+
|
||||
diff --git a/collectd.te b/collectd.te
|
||||
index 6471fa8..3baa00b 100644
|
||||
index 6471fa8..3f5989f 100644
|
||||
--- a/collectd.te
|
||||
+++ b/collectd.te
|
||||
@@ -26,43 +26,59 @@ files_type(collectd_var_lib_t)
|
||||
@ -15317,7 +15320,7 @@ index 6471fa8..3baa00b 100644
|
||||
#
|
||||
|
||||
-allow collectd_t self:capability { ipc_lock sys_nice };
|
||||
+allow collectd_t self:capability { ipc_lock net_raw net_admin sys_nice sys_ptrace dac_override };
|
||||
+allow collectd_t self:capability { ipc_lock net_raw net_admin sys_nice sys_ptrace dac_override setuid setgid };
|
||||
allow collectd_t self:process { getsched setsched signal };
|
||||
allow collectd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow collectd_t self:packet_socket create_socket_perms;
|
||||
@ -20550,7 +20553,7 @@ index 3023be7..0317731 100644
|
||||
+ files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
|
||||
')
|
||||
diff --git a/cups.te b/cups.te
|
||||
index c91813c..3d89006 100644
|
||||
index c91813c..65e9a4d 100644
|
||||
--- a/cups.te
|
||||
+++ b/cups.te
|
||||
@@ -5,19 +5,31 @@ policy_module(cups, 1.16.2)
|
||||
@ -20914,6 +20917,15 @@ index c91813c..3d89006 100644
|
||||
samba_read_config(cupsd_t)
|
||||
samba_rw_var_files(cupsd_t)
|
||||
samba_stream_connect_nmbd(cupsd_t)
|
||||
@@ -326,7 +387,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- snmp_read_snmp_var_lib_files(cupsd_t)
|
||||
+ snmp_manage_var_lib_files(cupsd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -334,7 +395,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
@ -40567,10 +40579,10 @@ index 3a00b3a..92f125f 100644
|
||||
+')
|
||||
+
|
||||
diff --git a/kdump.te b/kdump.te
|
||||
index 715fc21..8bcd248 100644
|
||||
index 715fc21..e8792ed 100644
|
||||
--- a/kdump.te
|
||||
+++ b/kdump.te
|
||||
@@ -12,35 +12,57 @@ init_system_domain(kdump_t, kdump_exec_t)
|
||||
@@ -12,35 +12,58 @@ init_system_domain(kdump_t, kdump_exec_t)
|
||||
type kdump_etc_t;
|
||||
files_config_file(kdump_etc_t)
|
||||
|
||||
@ -40620,6 +40632,7 @@ index 715fc21..8bcd248 100644
|
||||
-files_read_etc_files(kdump_t)
|
||||
files_read_etc_runtime_files(kdump_t)
|
||||
+files_read_kernel_symbol_table(kdump_t)
|
||||
+files_read_kernel_modules(kdump_t)
|
||||
files_read_kernel_img(kdump_t)
|
||||
|
||||
+kernel_read_system_state(kdump_t)
|
||||
@ -40633,7 +40646,7 @@ index 715fc21..8bcd248 100644
|
||||
dev_read_framebuffer(kdump_t)
|
||||
dev_read_sysfs(kdump_t)
|
||||
|
||||
@@ -48,22 +70,35 @@ term_use_console(kdump_t)
|
||||
@@ -48,22 +71,35 @@ term_use_console(kdump_t)
|
||||
|
||||
#######################################
|
||||
#
|
||||
@ -40673,7 +40686,7 @@ index 715fc21..8bcd248 100644
|
||||
|
||||
kernel_read_system_state(kdumpctl_t)
|
||||
|
||||
@@ -71,46 +106,56 @@ corecmd_exec_bin(kdumpctl_t)
|
||||
@@ -71,46 +107,56 @@ corecmd_exec_bin(kdumpctl_t)
|
||||
corecmd_exec_shell(kdumpctl_t)
|
||||
|
||||
dev_read_sysfs(kdumpctl_t)
|
||||
@ -46094,6 +46107,187 @@ index 4ec0eea..03738f2 100644
|
||||
+storage_raw_rw_fixed_disk(lsmd_plugin_t)
|
||||
+storage_read_scsi_generic(lsmd_plugin_t)
|
||||
+storage_write_scsi_generic(lsmd_plugin_t)
|
||||
diff --git a/lttng-tools.fc b/lttng-tools.fc
|
||||
new file mode 100644
|
||||
index 0000000..bdd17ca
|
||||
--- /dev/null
|
||||
+++ b/lttng-tools.fc
|
||||
@@ -0,0 +1,5 @@
|
||||
+/usr/bin/lttng-sessiond -- gen_context(system_u:object_r:lttng_sessiond_exec_t,s0)
|
||||
+
|
||||
+/usr/lib/systemd/system/lttng-sessiond.service -- gen_context(system_u:object_r:lttng_sessiond_unit_file_t,s0)
|
||||
+
|
||||
+/var/run/lttng(/.*)? gen_context(system_u:object_r:lttng_sessiond_var_run_t,s0)
|
||||
diff --git a/lttng-tools.if b/lttng-tools.if
|
||||
new file mode 100644
|
||||
index 0000000..6b0da33
|
||||
--- /dev/null
|
||||
+++ b/lttng-tools.if
|
||||
@@ -0,0 +1,98 @@
|
||||
+
|
||||
+## <summary>LTTng 2.x central tracing registry session daemon.</summary>
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute lttng_sessiond_exec_t in the lttng_sessiond domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed to transition.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`lttng_sessiond_domtrans',`
|
||||
+ gen_require(`
|
||||
+ type lttng_sessiond_t, lttng_sessiond_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ corecmd_search_bin($1)
|
||||
+ domtrans_pattern($1, lttng_sessiond_exec_t, lttng_sessiond_t)
|
||||
+')
|
||||
+
|
||||
+######################################
|
||||
+## <summary>
|
||||
+## Execute lttng_sessiond in the caller domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`lttng_sessiond_exec',`
|
||||
+ gen_require(`
|
||||
+ type lttng_sessiond_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ corecmd_search_bin($1)
|
||||
+ can_exec($1, lttng_sessiond_exec_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute lttng_sessiond server in the lttng_sessiond domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed to transition.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`lttng_sessiond_systemctl',`
|
||||
+ gen_require(`
|
||||
+ type lttng_sessiond_t;
|
||||
+ type lttng_sessiond_unit_file_t;
|
||||
+ ')
|
||||
+
|
||||
+ systemd_exec_systemctl($1)
|
||||
+ systemd_read_fifo_file_passwd_run($1)
|
||||
+ allow $1 lttng_sessiond_unit_file_t:file read_file_perms;
|
||||
+ allow $1 lttng_sessiond_unit_file_t:service manage_service_perms;
|
||||
+
|
||||
+ ps_process_pattern($1, lttng_sessiond_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## All of the rules required to administrate
|
||||
+## an lttng_sessiond environment
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`lttng_sessiond_admin',`
|
||||
+ gen_require(`
|
||||
+ type lttng_sessiond_t;
|
||||
+ type lttng_sessiond_unit_file_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 lttng_sessiond_t:process { signal_perms };
|
||||
+ ps_process_pattern($1, lttng_sessiond_t)
|
||||
+
|
||||
+ tunable_policy(`deny_ptrace',`',`
|
||||
+ allow $1 lttng_sessiond_t:process ptrace;
|
||||
+ ')
|
||||
+
|
||||
+ lttng_sessiond_systemctl($1)
|
||||
+ admin_pattern($1, lttng_sessiond_unit_file_t)
|
||||
+ allow $1 lttng_sessiond_unit_file_t:service all_service_perms;
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ systemd_passwd_agent_exec($1)
|
||||
+ systemd_read_fifo_file_passwd_run($1)
|
||||
+ ')
|
||||
+')
|
||||
diff --git a/lttng-tools.te b/lttng-tools.te
|
||||
new file mode 100644
|
||||
index 0000000..0b9ade5
|
||||
--- /dev/null
|
||||
+++ b/lttng-tools.te
|
||||
@@ -0,0 +1,60 @@
|
||||
+policy_module(lttng-tools, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# Declarations
|
||||
+#
|
||||
+
|
||||
+type lttng_sessiond_t;
|
||||
+type lttng_sessiond_exec_t;
|
||||
+init_daemon_domain(lttng_sessiond_t, lttng_sessiond_exec_t)
|
||||
+
|
||||
+type lttng_sessiond_tmpfs_t;
|
||||
+files_tmpfs_file(lttng_sessiond_tmpfs_t)
|
||||
+
|
||||
+type lttng_sessiond_var_run_t;
|
||||
+files_pid_file(lttng_sessiond_var_run_t)
|
||||
+
|
||||
+type lttng_sessiond_unit_file_t;
|
||||
+systemd_unit_file(lttng_sessiond_unit_file_t)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# lttng_sessiond local policy
|
||||
+#
|
||||
+
|
||||
+allow lttng_sessiond_t self:capability { chown setgid setuid fsetid net_admin sys_resource };
|
||||
+
|
||||
+allow lttng_sessiond_t self:process { setrlimit signal_perms };
|
||||
+allow lttng_sessiond_t self:fifo_file rw_fifo_file_perms;
|
||||
+allow lttng_sessiond_t self:tcp_socket listen;
|
||||
+allow lttng_sessiond_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+
|
||||
+manage_dirs_pattern(lttng_sessiond_t, lttng_sessiond_var_run_t, lttng_sessiond_var_run_t)
|
||||
+manage_files_pattern(lttng_sessiond_t, lttng_sessiond_var_run_t, lttng_sessiond_var_run_t)
|
||||
+manage_lnk_files_pattern(lttng_sessiond_t, lttng_sessiond_var_run_t, lttng_sessiond_var_run_t)
|
||||
+manage_sock_files_pattern(lttng_sessiond_t, lttng_sessiond_var_run_t, lttng_sessiond_var_run_t)
|
||||
+files_pid_filetrans(lttng_sessiond_t, lttng_sessiond_var_run_t, { dir })
|
||||
+
|
||||
+manage_dirs_pattern(lttng_sessiond_t, lttng_sessiond_tmpfs_t, lttng_sessiond_tmpfs_t)
|
||||
+manage_files_pattern(lttng_sessiond_t, lttng_sessiond_tmpfs_t, lttng_sessiond_tmpfs_t)
|
||||
+fs_tmpfs_filetrans(lttng_sessiond_t, lttng_sessiond_tmpfs_t, { dir file })
|
||||
+
|
||||
+kernel_read_system_state(lttng_sessiond_t)
|
||||
+kernel_read_net_sysctls(lttng_sessiond_t)
|
||||
+kernel_read_fs_sysctls(lttng_sessiond_t)
|
||||
+
|
||||
+corecmd_exec_shell(lttng_sessiond_t)
|
||||
+
|
||||
+corenet_tcp_bind_generic_node(lttng_sessiond_t)
|
||||
+corenet_tcp_bind_lltng_port(lttng_sessiond_t)
|
||||
+
|
||||
+dev_read_sysfs(lttng_sessiond_t)
|
||||
+
|
||||
+fs_getattr_tmpfs(lttng_sessiond_t)
|
||||
+
|
||||
+auth_use_nsswitch(lttng_sessiond_t)
|
||||
+
|
||||
+modutils_exec_insmod(lttng_sessiond_t)
|
||||
+modutils_read_module_config(lttng_sessiond_t)
|
||||
+files_read_kernel_modules(lttng_sessiond_t)
|
||||
diff --git a/mailman.fc b/mailman.fc
|
||||
index 995d0a5..3d40d59 100644
|
||||
--- a/mailman.fc
|
||||
@ -49489,7 +49683,7 @@ index 6fcfc31..e9e6bc5 100644
|
||||
+/var/run/mongo.* gen_context(system_u:object_r:mongod_var_run_t,s0)
|
||||
+/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0)
|
||||
diff --git a/mongodb.te b/mongodb.te
|
||||
index 169f236..608c584 100644
|
||||
index 169f236..f19680b 100644
|
||||
--- a/mongodb.te
|
||||
+++ b/mongodb.te
|
||||
@@ -12,6 +12,9 @@ init_daemon_domain(mongod_t, mongod_exec_t)
|
||||
@ -49502,7 +49696,7 @@ index 169f236..608c584 100644
|
||||
type mongod_log_t;
|
||||
logging_log_file(mongod_log_t)
|
||||
|
||||
@@ -21,19 +24,25 @@ files_type(mongod_var_lib_t)
|
||||
@@ -21,19 +24,26 @@ files_type(mongod_var_lib_t)
|
||||
type mongod_var_run_t;
|
||||
files_pid_file(mongod_var_run_t)
|
||||
|
||||
@ -49526,6 +49720,7 @@ index 169f236..608c584 100644
|
||||
-logging_log_filetrans(mongod_t, mongod_log_t, dir)
|
||||
+allow mongod_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
+allow mongod_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+allow mongod_t self:unix_dgram_socket create_socket_perms;
|
||||
+allow mongod_t self:udp_socket create_socket_perms;
|
||||
+allow mongod_t self:tcp_socket { accept listen };
|
||||
+
|
||||
@ -49534,7 +49729,7 @@ index 169f236..608c584 100644
|
||||
|
||||
manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
|
||||
manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
|
||||
@@ -41,21 +50,44 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir)
|
||||
@@ -41,21 +51,44 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir)
|
||||
|
||||
manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
|
||||
manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
|
||||
@ -54602,7 +54797,7 @@ index b708708..f4c0e61 100644
|
||||
+ apache_search_sys_content(munin_t)
|
||||
+')
|
||||
diff --git a/mysql.fc b/mysql.fc
|
||||
index 06f8666..4599ab5 100644
|
||||
index 06f8666..2accd90 100644
|
||||
--- a/mysql.fc
|
||||
+++ b/mysql.fc
|
||||
@@ -1,27 +1,46 @@
|
||||
@ -54656,7 +54851,7 @@ index 06f8666..4599ab5 100644
|
||||
+#
|
||||
+# /var
|
||||
+#
|
||||
+/var/lib/mysql(-files)?(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
|
||||
+/var/lib/mysql(-files|-keyring)?(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
|
||||
+/var/lib/mysql/mysql\.sock -s gen_context(system_u:object_r:mysqld_var_run_t,s0)
|
||||
|
||||
/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
|
||||
@ -102307,7 +102502,7 @@ index a240455..04419ae 100644
|
||||
- admin_pattern($1, sssd_log_t)
|
||||
')
|
||||
diff --git a/sssd.te b/sssd.te
|
||||
index 2d8db1f..edad970 100644
|
||||
index 2d8db1f..a696686 100644
|
||||
--- a/sssd.te
|
||||
+++ b/sssd.te
|
||||
@@ -28,17 +28,25 @@ logging_log_file(sssd_var_log_t)
|
||||
@ -102350,7 +102545,7 @@ index 2d8db1f..edad970 100644
|
||||
logging_log_filetrans(sssd_t, sssd_var_log_t, file)
|
||||
|
||||
manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
|
||||
@@ -62,17 +68,12 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
|
||||
@@ -62,17 +68,13 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
|
||||
|
||||
kernel_read_network_state(sssd_t)
|
||||
kernel_read_system_state(sssd_t)
|
||||
@ -102368,10 +102563,11 @@ index 2d8db1f..edad970 100644
|
||||
corenet_dontaudit_udp_bind_all_ports(sssd_t)
|
||||
+corenet_tcp_connect_kerberos_password_port(sssd_t)
|
||||
+corenet_tcp_connect_smbd_port(sssd_t)
|
||||
+corenet_tcp_connect_http_port(sssd_t)
|
||||
|
||||
corecmd_exec_bin(sssd_t)
|
||||
|
||||
@@ -83,28 +84,35 @@ domain_read_all_domains_state(sssd_t)
|
||||
@@ -83,28 +85,35 @@ domain_read_all_domains_state(sssd_t)
|
||||
domain_obj_id_change_exemption(sssd_t)
|
||||
|
||||
files_list_tmp(sssd_t)
|
||||
@ -102411,7 +102607,7 @@ index 2d8db1f..edad970 100644
|
||||
|
||||
init_read_utmp(sssd_t)
|
||||
|
||||
@@ -112,18 +120,63 @@ logging_send_syslog_msg(sssd_t)
|
||||
@@ -112,18 +121,64 @@ logging_send_syslog_msg(sssd_t)
|
||||
logging_send_audit_msgs(sssd_t)
|
||||
|
||||
miscfiles_read_generic_certs(sssd_t)
|
||||
@ -102438,6 +102634,7 @@ index 2d8db1f..edad970 100644
|
||||
+ kerberos_tmp_filetrans_host_rcache(sssd_t, "host_0")
|
||||
+ kerberos_read_home_content(sssd_t)
|
||||
+ kerberos_rw_config(sssd_t)
|
||||
+ kerberos_rw_keytab(sssd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
|
||||
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 171%{?dist}
|
||||
Release: 172%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -673,6 +673,22 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Feb 25 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-172
|
||||
- Fix macro name from snmp_manage_snmp_var_lib_files to snmp_manage_var_lib_files in cupsd policy.
|
||||
- Allow hplip driver to write to its MIB index files stored in the /var/lib/net-snmp/mib_indexes. Resolves: rhbz#1291033
|
||||
- Allow collectd setgid capability Resolves:#1310896
|
||||
- Allow adcli running as sssd_t to write krb5.keytab file.
|
||||
- Allow abrt-hook-ccpp to getattr on all executables. BZ(1284304)
|
||||
- Allow kexec to read kernel module files in /usr/lib/modules.
|
||||
- Add httpd_log_t for /var/log/graphite-web rhbz#1306981
|
||||
- Remove redudant rules and fix _admin interface.
|
||||
- Add SELinux policy for LTTng 2.x central tracing registry session daemon.
|
||||
- Allow create mongodb unix dgram sockets. rhbz#1306819
|
||||
- Support for InnoDB Tablespace Encryption.
|
||||
- Dontaudit leaded file descriptors from firewalld
|
||||
- Add port for rkt services
|
||||
- Add support for the default lttng-sessiond port - tcp/5345. This port is used by LTTng 2.x central tracing registry session daemon.
|
||||
|
||||
* Thu Feb 11 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-171
|
||||
- Allow setroubleshoot_fixit_t to use temporary files
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user