- Add cron unconfined role support for unconfined SELinux user
- Call kernel_rw_usermodehelper_state() in init.te - Call corenet_udp_bind_all_ports() in milter.te - Allow fence_virtd to connect to zented port - Fix header for mirrormanager_admin() - Allow dkim-milter to bind udp ports - Allow milter domains to send signull to itself - Allow block_suspend for yum running as mock_t - Allow beam.smp to manage couchdb files - Add couchdb_manage_files() - Add labeling for /var/log/php_errors.log - Allow bumblebee to stream connect to xserver - Allow bumblebee to send a signal to xserver - Allow gnome-thumbnail to stream connect to bumblebee - Fix calling usermodehelper to use _state in interface name - Allow xkbcomp running as bumblebee_t to execute bin_t - Allow logrotate to read squid.conf - Additional rules to get docker and lxc to play well with SELinux - Call kernel_read_usermodhelper/kernel_rw_usermodhelper - Make rpm_transition_script accept a role - Added new policy for pcp - Allow bumblebee to connect to xserver port - Allow pegasus_openlmi_storage_t to read hwdata
This commit is contained in:
parent
5dcd635c58
commit
3a0ebd8398
@ -19854,10 +19854,10 @@ index 0000000..cf6582f
+
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
new file mode 100644
index 0000000..c212063
index 0000000..ca62aef
--- /dev/null
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
+++ b/policy/modules/roles/unconfineduser.te
@@ -0,0 +1,335 @@
@@ -0,0 +1,339 @@
+policy_module(unconfineduser, 1.0.0)
+policy_module(unconfineduser, 1.0.0)
+
+
+########################################
+########################################
@ -20037,6 +20037,10 @@ index 0000000..c212063
+')
+')
+
+
+optional_policy(`
+optional_policy(`
+ cron_unconfined_role(unconfined_r, unconfined_t)
+')
+
+optional_policy(`
+ chrome_role_notrans(unconfined_r, unconfined_t)
+ chrome_role_notrans(unconfined_r, unconfined_t)
+
+
+ tunable_policy(`unconfined_chrome_sandbox_transition',`
+ tunable_policy(`unconfined_chrome_sandbox_transition',`
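Review bot: The new `cron_unconfined_role(unconfined_r, unconfined_t)` block carries no comment, and it is a deliberate widening rather than a fix: jobs from an unconfined_u user's crontab will presumably run as unconfined_t instead of a confined cron job domain, so anything able to write that crontab gains unconfined persistence. That is consistent with what the unconfined role already promises, but the intent belongs in the policy and not only in the commit message, e.g. `# unconfined_u cron jobs run in unconfined_t rather than a cron job domain; intentional for this role`. The declarations of unconfined_r and unconfined_t sit outside this hunk.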
@ -2984,10 +2984,10 @@ index 0000000..8ba9c95
|
||||||
+ spamassassin_read_pid_files(antivirus_domain)
|
+ spamassassin_read_pid_files(antivirus_domain)
|
||||||
+')
|
+')
|
||||||
diff --git a/apache.fc b/apache.fc
|
diff --git a/apache.fc b/apache.fc
|
||||||
index 7caefc3..ad4ec67 100644
|
index 7caefc3..3d2065e 100644
|
||||||
--- a/apache.fc
|
--- a/apache.fc
|
||||||
+++ b/apache.fc
|
+++ b/apache.fc
|
||||||
@@ -1,162 +1,195 @@
|
@@ -1,162 +1,196 @@
|
||||||
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
|
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
|
||||||
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
|
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
|
||||||
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
|
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
|
||||||
|
@ -3241,6 +3241,7 @@ index 7caefc3..ad4ec67 100644
|
||||||
/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||||||
/var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
|
/var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
|
||||||
-/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
-/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||||||
|
+/var/log/php_errors\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
|
||||||
+/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
+/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||||||
+ifdef(`distro_debian', `
|
+ifdef(`distro_debian', `
|
||||||
+/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
+/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||||||
|
@ -10053,10 +10054,10 @@ index 0000000..de66654
|
||||||
+')
|
+')
|
||||||
diff --git a/bumblebee.te b/bumblebee.te
|
diff --git a/bumblebee.te b/bumblebee.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..92e9d8b
|
index 0000000..00e1ff2
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/bumblebee.te
|
+++ b/bumblebee.te
|
||||||
@@ -0,0 +1,56 @@
|
@@ -0,0 +1,58 @@
|
||||||
+policy_module(bumblebee, 1.0.0)
|
+policy_module(bumblebee, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
|
@ -10107,6 +10108,8 @@ index 0000000..92e9d8b
|
||||||
+sysnet_dns_name_resolve(bumblebee_t)
|
+sysnet_dns_name_resolve(bumblebee_t)
|
||||||
+
|
+
|
||||||
+xserver_domtrans(bumblebee_t)
|
+xserver_domtrans(bumblebee_t)
|
||||||
|
+xserver_signal(bumblebee_t)
|
||||||
|
+xserver_stream_connect(bumblebee_t)
|
||||||
+xserver_manage_xkb_libs(bumblebee_t)
|
+xserver_manage_xkb_libs(bumblebee_t)
|
||||||
+corenet_tcp_connect_xserver_port(bumblebee_t)
|
+corenet_tcp_connect_xserver_port(bumblebee_t)
|
||||||
+
|
+
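Review bot: `xserver_signal(bumblebee_t)` by refpolicy naming grants the `signal` permission on xserver_t, i.e. the ability to kill the X server, not merely to probe it; if bumblebee only checks whether the secondary X server it spawned is still alive, `xserver_signull(bumblebee_t)` is the narrower grant. If it genuinely must terminate that server, a comment saying so should sit beside the line so the grant is not trimmed later. `xserver_stream_connect(bumblebee_t)` next to it is unremarkable given the existing `xserver_domtrans`.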
|
||||||
|
@ -14660,7 +14663,7 @@ index c086302..4f33119 100644
|
||||||
|
|
||||||
/etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
|
/etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
|
||||||
diff --git a/couchdb.if b/couchdb.if
|
diff --git a/couchdb.if b/couchdb.if
|
||||||
index 715a826..afa2f78 100644
|
index 715a826..36d5a7d 100644
|
||||||
--- a/couchdb.if
|
--- a/couchdb.if
|
||||||
+++ b/couchdb.if
|
+++ b/couchdb.if
|
||||||
@@ -2,7 +2,7 @@
|
@@ -2,7 +2,7 @@
|
||||||
|
@ -14761,7 +14764,7 @@ index 715a826..afa2f78 100644
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -73,19 +112,63 @@ interface(`couchdb_read_pid_files',`
|
@@ -73,19 +112,85 @@ interface(`couchdb_read_pid_files',`
|
||||||
')
|
')
|
||||||
|
|
||||||
files_search_pids($1)
|
files_search_pids($1)
|
||||||
|
@ -14786,6 +14789,28 @@ index 715a826..afa2f78 100644
|
||||||
+
|
+
|
||||||
+ files_search_pids($1)
|
+ files_search_pids($1)
|
||||||
+ allow $1 couchdb_var_run_t:dir search_dir_perms;
|
+ allow $1 couchdb_var_run_t:dir search_dir_perms;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+#######################################
|
||||||
|
+## <summary>
|
||||||
|
+## Allow domain to manage couchdb content.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`couchdb_manage_files',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type couchdb_var_run_t;
|
||||||
|
+ type couchdb_log_t;
|
||||||
|
+ type couchdb_var_lib_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ manage_files_pattern($1, couchdb_log_t, couchdb_log_t)
|
||||||
|
+ manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
|
||||||
|
+ manage_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
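Review bot: `couchdb_manage_files` grants manage on couchdb_log_t, couchdb_var_lib_t and couchdb_var_run_t but, unlike the sibling interfaces in this file that call `files_search_pids($1)` before touching couchdb_var_run_t, adds no search on the parent directories, so a caller that lacks them elsewhere cannot reach the files; add `files_search_var_lib($1)`, `logging_search_logs($1)` and `files_search_pids($1)` beside the matching manage_files_pattern lines. Manage on couchdb_log_t also includes unlink and rename, so any caller can truncate or remove couchdb's logs; if callers only need to write logs, an append/create-only variant is the safer grant. The summary should also say what "content" means here (log, lib and pid files), since the name suggests a broader scope than the three types it covers.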
|
||||||
|
@ -14829,7 +14854,7 @@ index 715a826..afa2f78 100644
|
||||||
## <param name="role">
|
## <param name="role">
|
||||||
## <summary>
|
## <summary>
|
||||||
## Role allowed access.
|
## Role allowed access.
|
||||||
@@ -95,14 +178,19 @@ interface(`couchdb_read_pid_files',`
|
@@ -95,14 +200,19 @@ interface(`couchdb_read_pid_files',`
|
||||||
#
|
#
|
||||||
interface(`couchdb_admin',`
|
interface(`couchdb_admin',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
|
@ -14850,7 +14875,7 @@ index 715a826..afa2f78 100644
|
||||||
init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
|
init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
|
||||||
domain_system_change_exemption($1)
|
domain_system_change_exemption($1)
|
||||||
role_transition $2 couchdb_initrc_exec_t system_r;
|
role_transition $2 couchdb_initrc_exec_t system_r;
|
||||||
@@ -122,4 +210,13 @@ interface(`couchdb_admin',`
|
@@ -122,4 +232,13 @@ interface(`couchdb_admin',`
|
||||||
|
|
||||||
files_search_pids($1)
|
files_search_pids($1)
|
||||||
admin_pattern($1, couchdb_var_run_t)
|
admin_pattern($1, couchdb_var_run_t)
|
||||||
|
@ -22802,10 +22827,10 @@ index c7bb4e7..e6fe2f40 100644
|
||||||
sysnet_etc_filetrans_config(dnssec_triggerd_t)
|
sysnet_etc_filetrans_config(dnssec_triggerd_t)
|
||||||
diff --git a/docker.fc b/docker.fc
|
diff --git a/docker.fc b/docker.fc
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..484dd44
|
index 0000000..b24266e
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/docker.fc
|
+++ b/docker.fc
|
||||||
@@ -0,0 +1,12 @@
|
@@ -0,0 +1,14 @@
|
||||||
+/usr/bin/docker -- gen_context(system_u:object_r:docker_exec_t,s0)
|
+/usr/bin/docker -- gen_context(system_u:object_r:docker_exec_t,s0)
|
||||||
+
|
+
|
||||||
+/usr/lib/systemd/system/docker.service -- gen_context(system_u:object_r:docker_unit_file_t,s0)
|
+/usr/lib/systemd/system/docker.service -- gen_context(system_u:object_r:docker_unit_file_t,s0)
|
||||||
|
@ -22815,16 +22840,17 @@ index 0000000..484dd44
|
||||||
+/var/run/docker\.pid -- gen_context(system_u:object_r:docker_var_run_t,s0)
|
+/var/run/docker\.pid -- gen_context(system_u:object_r:docker_var_run_t,s0)
|
||||||
+/var/run/docker\.sock -s gen_context(system_u:object_r:docker_var_run_t,s0)
|
+/var/run/docker\.sock -s gen_context(system_u:object_r:docker_var_run_t,s0)
|
||||||
+
|
+
|
||||||
|
+/var/lock/lxc(/.*)? gen_context(system_u:object_r:docker_lock_t,s0)
|
||||||
|
+
|
||||||
+/var/log/lxc(/.*)? gen_context(system_u:object_r:docker_log_t,s0)
|
+/var/log/lxc(/.*)? gen_context(system_u:object_r:docker_log_t,s0)
|
||||||
+
|
+
|
||||||
+/usr/lib/lxc/rootfs gen_context(system_u:object_r:mnt_t,s0)
|
+
|
||||||
\ No newline at end of file
|
|
||||||
diff --git a/docker.if b/docker.if
|
diff --git a/docker.if b/docker.if
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..543baf1
|
index 0000000..c77a25f
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/docker.if
|
+++ b/docker.if
|
||||||
@@ -0,0 +1,250 @@
|
@@ -0,0 +1,257 @@
|
||||||
+
|
+
|
||||||
+## <summary>The open-source application container engine.</summary>
|
+## <summary>The open-source application container engine.</summary>
|
||||||
+
|
+
|
||||||
|
@ -23020,44 +23046,6 @@ index 0000000..543baf1
|
||||||
+ ps_process_pattern($1, docker_t)
|
+ ps_process_pattern($1, docker_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+
|
|
||||||
+########################################
|
|
||||||
+## <summary>
|
|
||||||
+## All of the rules required to administrate
|
|
||||||
+## an docker environment
|
|
||||||
+## </summary>
|
|
||||||
+## <param name="domain">
|
|
||||||
+## <summary>
|
|
||||||
+## Domain allowed access.
|
|
||||||
+## </summary>
|
|
||||||
+## </param>
|
|
||||||
+#
|
|
||||||
+interface(`docker_admin',`
|
|
||||||
+ gen_require(`
|
|
||||||
+ type docker_t;
|
|
||||||
+ type docker_var_lib_t, docker_var_run_t;
|
|
||||||
+ type docker_unit_file_t;
|
|
||||||
+ ')
|
|
||||||
+
|
|
||||||
+ allow $1 docker_t:process { ptrace signal_perms };
|
|
||||||
+ ps_process_pattern($1, docker_t)
|
|
||||||
+
|
|
||||||
+ files_search_var_lib($1)
|
|
||||||
+ admin_pattern($1, docker_var_lib_t)
|
|
||||||
+
|
|
||||||
+ files_search_pids($1)
|
|
||||||
+ admin_pattern($1, docker_var_run_t)
|
|
||||||
+
|
|
||||||
+ docker_systemctl($1)
|
|
||||||
+ admin_pattern($1, docker_unit_file_t)
|
|
||||||
+ allow $1 docker_unit_file_t:service all_service_perms;
|
|
||||||
+
|
|
||||||
+ optional_policy(`
|
|
||||||
+ systemd_passwd_agent_exec($1)
|
|
||||||
+ systemd_read_fifo_file_passwd_run($1)
|
|
||||||
+ ')
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Read and write docker shared memory.
|
+## Read and write docker shared memory.
|
||||||
|
@ -23075,12 +23063,57 @@ index 0000000..543baf1
|
||||||
+
|
+
|
||||||
+ allow $1 docker_t:sem rw_sem_perms;
|
+ allow $1 docker_t:sem rw_sem_perms;
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## All of the rules required to administrate
|
||||||
|
+## an docker environment
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`docker_admin',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type docker_t;
|
||||||
|
+ type docker_var_lib_t, docker_var_run_t;
|
||||||
|
+ type docker_unit_file_t;
|
||||||
|
+ type docker_lock_t;
|
||||||
|
+ type docker_log_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 docker_t:process { ptrace signal_perms };
|
||||||
|
+ ps_process_pattern($1, docker_t)
|
||||||
|
+
|
||||||
|
+ files_search_var_lib($1)
|
||||||
|
+ admin_pattern($1, docker_var_lib_t)
|
||||||
|
+
|
||||||
|
+ files_search_pids($1)
|
||||||
|
+ admin_pattern($1, docker_var_run_t)
|
||||||
|
+
|
||||||
|
+ files_search_locks($1)
|
||||||
|
+ admin_pattern($1, docker_lock_t)
|
||||||
|
+
|
||||||
|
+ logging_search_logs($1)
|
||||||
|
+ admin_pattern($1, docker_log_t)
|
||||||
|
+
|
||||||
|
+ docker_systemctl($1)
|
||||||
|
+ admin_pattern($1, docker_unit_file_t)
|
||||||
|
+ allow $1 docker_unit_file_t:service all_service_perms;
|
||||||
|
+
|
||||||
|
+ optional_policy(`
|
||||||
|
+ systemd_passwd_agent_exec($1)
|
||||||
|
+ systemd_read_fifo_file_passwd_run($1)
|
||||||
|
+ ')
|
||||||
|
+')
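Review bot: `docker_admin` is re-added with admin on the new docker_lock_t and docker_log_t types, but its summary still reads `## an docker environment`; change it to `## a docker environment` and list what the interface now covers (process, var_lib, pid, lock, log and unit file). It also keeps `allow $1 docker_t:process { ptrace signal_perms }`; since docker_t holds sys_admin and sys_ptrace (and, elsewhere in this commit, setexec), ptrace on it amounts to full control of the container engine, which is normal for an *_admin interface but deserves a one-line comment so it is not handed to a user role casually.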
|
||||||
diff --git a/docker.te b/docker.te
|
diff --git a/docker.te b/docker.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..5c6eaab
|
index 0000000..68c225c
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/docker.te
|
+++ b/docker.te
|
||||||
@@ -0,0 +1,157 @@
|
@@ -0,0 +1,172 @@
|
||||||
+policy_module(docker, 1.0.0)
|
+policy_module(docker, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
|
@ -23095,6 +23128,9 @@ index 0000000..5c6eaab
|
||||||
+type docker_var_lib_t;
|
+type docker_var_lib_t;
|
||||||
+files_type(docker_var_lib_t)
|
+files_type(docker_var_lib_t)
|
||||||
+
|
+
|
||||||
|
+type docker_lock_t;
|
||||||
|
+files_lock_file(docker_lock_t)
|
||||||
|
+
|
||||||
+type docker_log_t;
|
+type docker_log_t;
|
||||||
+logging_log_file(docker_log_t)
|
+logging_log_file(docker_log_t)
|
||||||
+
|
+
|
||||||
|
@ -23117,6 +23153,10 @@ index 0000000..5c6eaab
|
||||||
+allow docker_t self:unix_stream_socket create_stream_socket_perms;
|
+allow docker_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
+allow docker_t self:capability2 block_suspend;
|
+allow docker_t self:capability2 block_suspend;
|
||||||
+
|
+
|
||||||
|
+manage_dirs_pattern(docker_t, docker_lock_t, docker_lock_t)
|
||||||
|
+manage_files_pattern(docker_t, docker_lock_t, docker_lock_t)
|
||||||
|
+files_lock_filetrans(docker_t, docker_lock_t, { dir file }, "lxc")
|
||||||
|
+
|
||||||
+manage_dirs_pattern(docker_t, docker_log_t, docker_log_t)
|
+manage_dirs_pattern(docker_t, docker_log_t, docker_log_t)
|
||||||
+manage_files_pattern(docker_t, docker_log_t, docker_log_t)
|
+manage_files_pattern(docker_t, docker_log_t, docker_log_t)
|
||||||
+manage_lnk_files_pattern(docker_t, docker_log_t, docker_log_t)
|
+manage_lnk_files_pattern(docker_t, docker_log_t, docker_log_t)
|
||||||
|
@ -23160,6 +23200,8 @@ index 0000000..5c6eaab
|
||||||
+
|
+
|
||||||
+auth_use_nsswitch(docker_t)
|
+auth_use_nsswitch(docker_t)
|
||||||
+
|
+
|
||||||
|
+init_read_state(docker_t)
|
||||||
|
+
|
||||||
+logging_send_audit_msgs(docker_t)
|
+logging_send_audit_msgs(docker_t)
|
||||||
+logging_send_syslog_msg(docker_t)
|
+logging_send_syslog_msg(docker_t)
|
||||||
+
|
+
|
||||||
|
@ -23183,7 +23225,8 @@ index 0000000..5c6eaab
|
||||||
+#
|
+#
|
||||||
+
|
+
|
||||||
+allow docker_t self:capability { sys_admin sys_boot dac_override setpcap sys_ptrace };
|
+allow docker_t self:capability { sys_admin sys_boot dac_override setpcap sys_ptrace };
|
||||||
+allow docker_t self:process { getcap setcap setpgid setsched signal_perms };
|
+allow docker_t self:process { getcap setcap setexec setpgid setsched signal_perms };
|
||||||
|
+
|
||||||
+allow docker_t self:netlink_route_socket rw_netlink_socket_perms;;
|
+allow docker_t self:netlink_route_socket rw_netlink_socket_perms;;
|
||||||
+allow docker_t self:netlink_audit_socket create_netlink_socket_perms;
|
+allow docker_t self:netlink_audit_socket create_netlink_socket_perms;
|
||||||
+allow docker_t self:unix_dgram_socket create_socket_perms;
|
+allow docker_t self:unix_dgram_socket create_socket_perms;
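Review bot: `setexec` is added to docker_t's self process permissions without a comment; it lets docker_t choose the label of whatever it execs next, bounded only by the transition rules it holds, and presumably exists so the lxc driver can launch the container init in the svirt sandbox domain with per-container MCS categories (that transition is granted further down in this file). Annotate it, e.g. `# setexec: docker sets the svirt sandbox context (incl. MCS categories) before exec'ing the container init`, so nobody later widens docker_t's transitions without realising setexec makes them reachable. While here, the untouched netlink_route_socket line just below ends in `;;`, which m4 tolerates but is untidy.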
|
||||||
|
@ -23219,10 +23262,12 @@ index 0000000..5c6eaab
|
||||||
+fs_manage_cgroup_dirs(docker_t)
|
+fs_manage_cgroup_dirs(docker_t)
|
||||||
+fs_manage_cgroup_files(docker_t)
|
+fs_manage_cgroup_files(docker_t)
|
||||||
+fs_relabelfrom_xattr_fs(docker_t)
|
+fs_relabelfrom_xattr_fs(docker_t)
|
||||||
|
+fs_relabelfrom_tmpfs(docker_t)
|
||||||
+
|
+
|
||||||
+term_use_generic_ptys(docker_t)
|
+term_use_generic_ptys(docker_t)
|
||||||
+term_use_ptmx(docker_t)
|
+term_use_ptmx(docker_t)
|
||||||
+term_getattr_pty_fs(docker_t)
|
+term_getattr_pty_fs(docker_t)
|
||||||
|
+term_relabel_pty_fs(docker_t)
|
||||||
+
|
+
|
||||||
+modutils_domtrans_insmod(docker_t)
|
+modutils_domtrans_insmod(docker_t)
|
||||||
+
|
+
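Review bot: `fs_relabelfrom_tmpfs(docker_t)` and `term_relabel_pty_fs(docker_t)` are added without a comment; the pty one, by refpolicy naming, grants both relabelfrom and relabelto on the devpts filesystem, so docker_t can mount devpts instances under any context, while the tmpfs grant is only the relabelfrom half (the relabelto presumably comes from `virt_relabel_sandbox_filesystem` in the optional virt block below). A short note such as `# per-container devpts/tmpfs mounts are relabelled to the sandbox context` would tell the next reader why a daemon needs filesystem relabel rights at all. The surrounding docker_t rules continue outside the hunk.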
|
||||||
|
@ -23237,6 +23282,9 @@ index 0000000..5c6eaab
|
||||||
+ virt_stream_connect_sandbox(docker_t)
|
+ virt_stream_connect_sandbox(docker_t)
|
||||||
+ virt_manage_sandbox_files(docker_t)
|
+ virt_manage_sandbox_files(docker_t)
|
||||||
+ virt_relabel_sandbox_filesystem(docker_t)
|
+ virt_relabel_sandbox_filesystem(docker_t)
|
||||||
|
+ # for lxc
|
||||||
|
+ virt_transition_svirt_sandbox(docker_t, system_r)
|
||||||
|
+ virt_mounton_sandbox_file(docker_t)
|
||||||
+')
|
+')
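Review bot: The `# for lxc` comment is too thin for `virt_transition_svirt_sandbox(docker_t, system_r)` plus `virt_mounton_sandbox_file(docker_t)`: this is the grant that lets docker_t place container processes in the svirt sandbox domains, and once it exists the separation between containers rests entirely on docker supplying a distinct MCS category pair per container via setexec, which the policy cannot enforce. Replace the comment with something like `# lxc driver: docker execs the container init itself and transitions it into the svirt sandbox domain; isolation between containers depends on docker assigning unique MCS categories` so the assumption is visible to whoever audits this later. The optional virt block is cut by the hunk edge.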
|
||||||
diff --git a/dovecot.fc b/dovecot.fc
|
diff --git a/dovecot.fc b/dovecot.fc
|
||||||
index c880070..4448055 100644
|
index c880070..4448055 100644
|
||||||
|
@ -40487,10 +40535,10 @@ index cba62db..562833a 100644
|
||||||
+ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
|
+ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
|
||||||
+')
|
+')
|
||||||
diff --git a/milter.te b/milter.te
|
diff --git a/milter.te b/milter.te
|
||||||
index 4dc99f4..22dbcb9 100644
|
index 4dc99f4..c11bec2 100644
|
||||||
--- a/milter.te
|
--- a/milter.te
|
||||||
+++ b/milter.te
|
+++ b/milter.te
|
||||||
@@ -5,73 +5,113 @@ policy_module(milter, 1.5.0)
|
@@ -5,73 +5,117 @@ policy_module(milter, 1.5.0)
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
|
@ -40532,6 +40580,8 @@ index 4dc99f4..22dbcb9 100644
|
||||||
allow milter_domains self:fifo_file rw_fifo_file_perms;
|
allow milter_domains self:fifo_file rw_fifo_file_perms;
|
||||||
-allow milter_domains self:tcp_socket { accept listen };
|
-allow milter_domains self:tcp_socket { accept listen };
|
||||||
+
|
+
|
||||||
|
+allow milter_domains self:process signull;
|
||||||
|
+
|
||||||
+# Allow communication with MTA over a TCP socket
|
+# Allow communication with MTA over a TCP socket
|
||||||
+allow milter_domains self:tcp_socket create_stream_socket_perms;
|
+allow milter_domains self:tcp_socket create_stream_socket_perms;
|
||||||
|
|
||||||
|
@ -40573,6 +40623,8 @@ index 4dc99f4..22dbcb9 100644
|
||||||
+
|
+
|
||||||
+kernel_read_kernel_sysctls(dkim_milter_t)
|
+kernel_read_kernel_sysctls(dkim_milter_t)
|
||||||
+
|
+
|
||||||
|
+corenet_udp_bind_all_ports(dkim_milter_t)
|
||||||
|
+
|
||||||
+auth_use_nsswitch(dkim_milter_t)
|
+auth_use_nsswitch(dkim_milter_t)
|
||||||
+
|
+
|
||||||
+sysnet_dns_name_resolve(dkim_milter_t)
|
+sysnet_dns_name_resolve(dkim_milter_t)
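Review bot: `corenet_udp_bind_all_ports(dkim_milter_t)` allows binding any UDP port, including reserved and well-known ones, which is far wider than a DKIM milter should need; if the requirement is random source ports for an in-process resolver, `corenet_udp_bind_generic_node(dkim_milter_t)` and `corenet_udp_bind_all_unreserved_ports(dkim_milter_t)` cover that without letting the milter squat on a privileged service port. `sysnet_dns_name_resolve` two lines down already handles ordinary stub-resolver traffic. Whether a specific port is needed cannot be told from the hunk, so a comment naming the use case would be welcome either way.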
|
||||||
|
@ -40631,7 +40683,7 @@ index 4dc99f4..22dbcb9 100644
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
mysql_stream_connect(greylist_milter_t)
|
mysql_stream_connect(greylist_milter_t)
|
||||||
@@ -79,30 +119,45 @@ optional_policy(`
|
@@ -79,30 +123,45 @@ optional_policy(`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -40846,10 +40898,10 @@ index 0000000..c713b27
|
||||||
+/var/run/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_var_run_t,s0)
|
+/var/run/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_var_run_t,s0)
|
||||||
diff --git a/mirrormanager.if b/mirrormanager.if
|
diff --git a/mirrormanager.if b/mirrormanager.if
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..adf2319
|
index 0000000..fbb831d
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/mirrormanager.if
|
+++ b/mirrormanager.if
|
||||||
@@ -0,0 +1,243 @@
|
@@ -0,0 +1,237 @@
|
||||||
+
|
+
|
||||||
+## <summary>policy for mirrormanager</summary>
|
+## <summary>policy for mirrormanager</summary>
|
||||||
+
|
+
|
||||||
|
@ -41057,12 +41109,6 @@ index 0000000..adf2319
|
||||||
+## Domain allowed access.
|
+## Domain allowed access.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## </param>
|
+## </param>
|
||||||
+## <param name="role">
|
|
||||||
+## <summary>
|
|
||||||
+## Role allowed access.
|
|
||||||
+## </summary>
|
|
||||||
+## </param>
|
|
||||||
+## <rolecap/>
|
|
||||||
+#
|
+#
|
||||||
+interface(`mirrormanager_admin',`
|
+interface(`mirrormanager_admin',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
|
@ -41471,10 +41517,10 @@ index 0000000..6568bfe
|
||||||
+')
|
+')
|
||||||
diff --git a/mock.te b/mock.te
|
diff --git a/mock.te b/mock.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..92c3b35
|
index 0000000..fc64201
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/mock.te
|
+++ b/mock.te
|
||||||
@@ -0,0 +1,275 @@
|
@@ -0,0 +1,276 @@
|
||||||
+policy_module(mock,1.0.0)
|
+policy_module(mock,1.0.0)
|
||||||
+
|
+
|
||||||
+## <desc>
|
+## <desc>
|
||||||
|
@ -41522,6 +41568,7 @@ index 0000000..92c3b35
|
||||||
+#
|
+#
|
||||||
+
|
+
|
||||||
+allow mock_t self:capability { sys_admin sys_ptrace setfcap setuid sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner };
|
+allow mock_t self:capability { sys_admin sys_ptrace setfcap setuid sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner };
|
||||||
|
+allow mock_t self:capability2 block_suspend;
|
||||||
+allow mock_t self:process { siginh noatsecure signal_perms transition rlimitinh setsched setpgid };
|
+allow mock_t self:process { siginh noatsecure signal_perms transition rlimitinh setsched setpgid };
|
||||||
+# Needed because mock can run java and mono withing build environment
|
+# Needed because mock can run java and mono withing build environment
|
||||||
+allow mock_t self:process { execmem execstack };
|
+allow mock_t self:process { execmem execstack };
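Review bot: `allow mock_t self:capability2 block_suspend;` is added with no comment although the commit message ties it to yum running inside mock; capability2 grants are rare enough that the reason should live in the policy, e.g. `# yum running as mock_t needs block_suspend`. mock_t's capability set on the line above is already very broad, so this adds little risk, but an unexplained capability line is the first thing a later audit will question.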
|
||||||
|
@ -70924,7 +70971,7 @@ index 2c3d338..cf3e5ad 100644
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
diff --git a/rabbitmq.te b/rabbitmq.te
|
diff --git a/rabbitmq.te b/rabbitmq.te
|
||||||
index dc3b0ed..750df0e 100644
|
index dc3b0ed..d760e9e 100644
|
||||||
--- a/rabbitmq.te
|
--- a/rabbitmq.te
|
||||||
+++ b/rabbitmq.te
|
+++ b/rabbitmq.te
|
||||||
@@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t)
|
@@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t)
|
||||||
|
@ -70982,7 +71029,7 @@ index dc3b0ed..750df0e 100644
|
||||||
|
|
||||||
corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
|
corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
|
||||||
corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
|
corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
|
||||||
@@ -69,37 +81,50 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
|
@@ -69,37 +81,49 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
|
||||||
corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
|
corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
|
||||||
corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
|
corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
|
||||||
|
|
||||||
|
@ -71027,10 +71074,9 @@ index dc3b0ed..750df0e 100644
|
||||||
+logging_send_syslog_msg(rabbitmq_beam_t)
|
+logging_send_syslog_msg(rabbitmq_beam_t)
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
|
+ couchdb_manage_files(rabbitmq_beam_t)
|
||||||
+ couchdb_manage_lib_files(rabbitmq_beam_t)
|
+ couchdb_manage_lib_files(rabbitmq_beam_t)
|
||||||
+ couchdb_read_conf_files(rabbitmq_beam_t)
|
+ couchdb_read_conf_files(rabbitmq_beam_t)
|
||||||
+ couchdb_read_log_files(rabbitmq_beam_t)
|
|
||||||
+ couchdb_search_pid_dirs(rabbitmq_beam_t)
|
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
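Review bot: Replacing `couchdb_read_log_files` and `couchdb_search_pid_dirs` with `couchdb_manage_files(rabbitmq_beam_t)` moves rabbitmq_beam_t from read access on couchdb logs and search on its pid directory to full manage (write, unlink, rename) of couchdb's log, lib and pid files. Manage on the pid file in particular lets beam.smp change what couchdb's control scripts believe couchdb's pid is, and manage on logs lets it erase them; if the actual need is appending to logs and reading pids, keep the previous two reads and add narrower append/read interfaces instead. The optional_policy block that opens on the last line continues outside the hunk.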
|
||||||
|
@ -71046,7 +71092,7 @@ index dc3b0ed..750df0e 100644
|
||||||
allow rabbitmq_epmd_t self:process signal;
|
allow rabbitmq_epmd_t self:process signal;
|
||||||
allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
|
allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
|
allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
|
||||||
@@ -117,8 +142,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
|
@@ -117,8 +141,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
|
||||||
corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
|
corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
|
||||||
corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
|
corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
|
||||||
|
|
||||||
|
@ -74754,7 +74800,7 @@ index c8bdea2..1337d42 100644
|
||||||
+ allow $1 cluster_unit_file_t:service all_service_perms;
|
+ allow $1 cluster_unit_file_t:service all_service_perms;
|
||||||
')
|
')
|
||||||
diff --git a/rhcs.te b/rhcs.te
|
diff --git a/rhcs.te b/rhcs.te
|
||||||
index 6cf79c4..00a6db2 100644
|
index 6cf79c4..8ee9185 100644
|
||||||
--- a/rhcs.te
|
--- a/rhcs.te
|
||||||
+++ b/rhcs.te
|
+++ b/rhcs.te
|
||||||
@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
|
@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
|
||||||
|
@ -75130,15 +75176,16 @@ index 6cf79c4..00a6db2 100644
|
||||||
|
|
||||||
corecmd_exec_bin(fenced_t)
|
corecmd_exec_bin(fenced_t)
|
||||||
corecmd_exec_shell(fenced_t)
|
corecmd_exec_shell(fenced_t)
|
||||||
@@ -140,6 +425,7 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t)
|
@@ -140,6 +425,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t)
|
||||||
|
|
||||||
corenet_sendrecv_zented_server_packets(fenced_t)
|
corenet_sendrecv_zented_server_packets(fenced_t)
|
||||||
corenet_tcp_bind_zented_port(fenced_t)
|
corenet_tcp_bind_zented_port(fenced_t)
|
||||||
+corenet_udp_bind_zented_port(fenced_t)
|
+corenet_udp_bind_zented_port(fenced_t)
|
||||||
|
+corenet_tcp_connect_zented_port(fenced_t)
|
||||||
corenet_tcp_sendrecv_zented_port(fenced_t)
|
corenet_tcp_sendrecv_zented_port(fenced_t)
|
||||||
|
|
||||||
corenet_sendrecv_http_client_packets(fenced_t)
|
corenet_sendrecv_http_client_packets(fenced_t)
|
||||||
@@ -148,9 +434,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
|
@@ -148,9 +435,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
|
||||||
|
|
||||||
dev_read_sysfs(fenced_t)
|
dev_read_sysfs(fenced_t)
|
||||||
dev_read_urand(fenced_t)
|
dev_read_urand(fenced_t)
|
||||||
|
@ -75149,7 +75196,7 @@ index 6cf79c4..00a6db2 100644
|
||||||
|
|
||||||
storage_raw_read_fixed_disk(fenced_t)
|
storage_raw_read_fixed_disk(fenced_t)
|
||||||
storage_raw_write_fixed_disk(fenced_t)
|
storage_raw_write_fixed_disk(fenced_t)
|
||||||
@@ -160,7 +444,7 @@ term_getattr_pty_fs(fenced_t)
|
@@ -160,7 +445,7 @@ term_getattr_pty_fs(fenced_t)
|
||||||
term_use_generic_ptys(fenced_t)
|
term_use_generic_ptys(fenced_t)
|
||||||
term_use_ptmx(fenced_t)
|
term_use_ptmx(fenced_t)
|
||||||
|
|
||||||
|
@ -75158,7 +75205,7 @@ index 6cf79c4..00a6db2 100644
|
||||||
|
|
||||||
tunable_policy(`fenced_can_network_connect',`
|
tunable_policy(`fenced_can_network_connect',`
|
||||||
corenet_sendrecv_all_client_packets(fenced_t)
|
corenet_sendrecv_all_client_packets(fenced_t)
|
||||||
@@ -182,7 +466,8 @@ optional_policy(`
|
@@ -182,7 +467,8 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -75168,7 +75215,7 @@ index 6cf79c4..00a6db2 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -190,12 +475,12 @@ optional_policy(`
|
@@ -190,12 +476,12 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -75184,7 +75231,7 @@ index 6cf79c4..00a6db2 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -203,6 +488,13 @@ optional_policy(`
|
@@ -203,6 +489,13 @@ optional_policy(`
|
||||||
snmp_manage_var_lib_dirs(fenced_t)
|
snmp_manage_var_lib_dirs(fenced_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -75198,7 +75245,7 @@ index 6cf79c4..00a6db2 100644
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# foghorn local policy
|
# foghorn local policy
|
||||||
@@ -221,16 +513,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
|
@@ -221,16 +514,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
|
||||||
corenet_tcp_connect_agentx_port(foghorn_t)
|
corenet_tcp_connect_agentx_port(foghorn_t)
|
||||||
corenet_tcp_sendrecv_agentx_port(foghorn_t)
|
corenet_tcp_sendrecv_agentx_port(foghorn_t)
|
||||||
|
|
||||||
|
@ -75219,7 +75266,7 @@ index 6cf79c4..00a6db2 100644
|
||||||
snmp_stream_connect(foghorn_t)
|
snmp_stream_connect(foghorn_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -257,6 +551,8 @@ storage_getattr_removable_dev(gfs_controld_t)
|
@@ -257,6 +552,8 @@ storage_getattr_removable_dev(gfs_controld_t)
|
||||||
|
|
||||||
init_rw_script_tmp_files(gfs_controld_t)
|
init_rw_script_tmp_files(gfs_controld_t)
|
||||||
|
|
||||||
|
@ -75228,7 +75275,7 @@ index 6cf79c4..00a6db2 100644
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
lvm_exec(gfs_controld_t)
|
lvm_exec(gfs_controld_t)
|
||||||
dev_rw_lvm_control(gfs_controld_t)
|
dev_rw_lvm_control(gfs_controld_t)
|
||||||
@@ -275,10 +571,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
|
@@ -275,10 +572,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
|
||||||
|
|
||||||
dev_list_sysfs(groupd_t)
|
dev_list_sysfs(groupd_t)
|
||||||
|
|
||||||
|
@ -75270,7 +75317,7 @@ index 6cf79c4..00a6db2 100644
|
||||||
######################################
|
######################################
|
||||||
#
|
#
|
||||||
# qdiskd local policy
|
# qdiskd local policy
|
||||||
@@ -321,6 +646,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
|
@@ -321,6 +647,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
|
||||||
|
|
||||||
auth_use_nsswitch(qdiskd_t)
|
auth_use_nsswitch(qdiskd_t)
|
||||||
|
|
||||||
|
@ -92875,10 +92922,10 @@ index 0000000..c1fd8b4
|
||||||
+')
|
+')
|
||||||
diff --git a/thumb.te b/thumb.te
|
diff --git a/thumb.te b/thumb.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..2ddef5c
|
index 0000000..ed78f6f
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/thumb.te
|
+++ b/thumb.te
|
||||||
@@ -0,0 +1,150 @@
|
@@ -0,0 +1,154 @@
|
||||||
+policy_module(thumb, 1.0.0)
|
+policy_module(thumb, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
|
@ -92994,6 +93041,10 @@ index 0000000..2ddef5c
|
||||||
+xserver_use_user_fonts(thumb_t)
|
+xserver_use_user_fonts(thumb_t)
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
|
+ bumblebee_stream_connect(thumb_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
+ dbus_dontaudit_stream_connect_session_bus(thumb_t)
|
+ dbus_dontaudit_stream_connect_session_bus(thumb_t)
|
||||||
+ dbus_dontaudit_chat_session_bus(thumb_t)
|
+ dbus_dontaudit_chat_session_bus(thumb_t)
|
||||||
+')
|
+')
|
||||||
|
@ -95712,7 +95763,7 @@ index a4f20bc..6351bcb 100644
|
||||||
+/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
|
+/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
|
||||||
+/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
|
+/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
|
||||||
diff --git a/virt.if b/virt.if
|
diff --git a/virt.if b/virt.if
|
||||||
index facdee8..3ad56e3 100644
|
index facdee8..09db35b 100644
|
||||||
--- a/virt.if
|
--- a/virt.if
|
||||||
+++ b/virt.if
|
+++ b/virt.if
|
||||||
@@ -1,120 +1,51 @@
|
@@ -1,120 +1,51 @@
|
||||||
|
@ -96727,44 +96778,40 @@ index facdee8..3ad56e3 100644
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -860,74 +658,227 @@ interface(`virt_read_lib_files',`
|
@@ -860,74 +658,245 @@ interface(`virt_read_lib_files',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
-interface(`virt_manage_lib_files',`
|
-interface(`virt_manage_lib_files',`
|
||||||
+interface(`virt_manage_cache',`
|
+interface(`virt_manage_cache',`
|
||||||
gen_require(`
|
+ gen_require(`
|
||||||
- type virt_var_lib_t;
|
|
||||||
+ type virt_cache_t;
|
+ type virt_cache_t;
|
||||||
')
|
+ ')
|
||||||
|
+
|
||||||
- files_search_var_lib($1)
|
|
||||||
- manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
|
|
||||||
+ files_search_var($1)
|
+ files_search_var($1)
|
||||||
+ manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
|
+ manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
|
||||||
+ manage_files_pattern($1, virt_cache_t, virt_cache_t)
|
+ manage_files_pattern($1, virt_cache_t, virt_cache_t)
|
||||||
+ manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
|
+ manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
|
||||||
')
|
+')
|
||||||
|
+
|
||||||
########################################
|
+########################################
|
||||||
## <summary>
|
+## <summary>
|
||||||
-## Create objects in virt pid
|
|
||||||
-## directories with a private type.
|
|
||||||
+## Allow domain to manage virt image files
|
+## Allow domain to manage virt image files
|
||||||
## </summary>
|
+## </summary>
|
||||||
## <param name="domain">
|
+## <param name="domain">
|
||||||
## <summary>
|
+## <summary>
|
||||||
## Domain allowed access.
|
+## Domain allowed access.
|
||||||
## </summary>
|
+## </summary>
|
||||||
## </param>
|
+## </param>
|
||||||
-## <param name="private type">
|
|
||||||
+#
|
+#
|
||||||
+interface(`virt_manage_images',`
|
+interface(`virt_manage_images',`
|
||||||
+ gen_require(`
|
gen_require(`
|
||||||
+ type virt_var_lib_t;
|
type virt_var_lib_t;
|
||||||
+ attribute virt_image_type;
|
+ attribute virt_image_type;
|
||||||
+ ')
|
')
|
||||||
+
|
|
||||||
|
- files_search_var_lib($1)
|
||||||
|
- manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
|
||||||
+ virt_search_lib($1)
|
+ virt_search_lib($1)
|
||||||
+ allow $1 virt_image_type:dir list_dir_perms;
|
+ allow $1 virt_image_type:dir list_dir_perms;
|
||||||
+ manage_dirs_pattern($1, virt_image_type, virt_image_type)
|
+ manage_dirs_pattern($1, virt_image_type, virt_image_type)
|
||||||
|
@ -96794,10 +96841,12 @@ index facdee8..3ad56e3 100644
|
||||||
+ manage_dirs_pattern($1, virt_image_t, virt_image_t)
|
+ manage_dirs_pattern($1, virt_image_t, virt_image_t)
|
||||||
+ manage_files_pattern($1, virt_image_t, virt_image_t)
|
+ manage_files_pattern($1, virt_image_t, virt_image_t)
|
||||||
+ read_lnk_files_pattern($1, virt_image_t, virt_image_t)
|
+ read_lnk_files_pattern($1, virt_image_t, virt_image_t)
|
||||||
+')
|
')
|
||||||
+
|
|
||||||
+########################################
|
########################################
|
||||||
+## <summary>
|
## <summary>
|
||||||
|
-## Create objects in virt pid
|
||||||
|
-## directories with a private type.
|
||||||
+## Execute virt server in the virt domain.
|
+## Execute virt server in the virt domain.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
|
@ -96824,12 +96873,10 @@ index facdee8..3ad56e3 100644
|
||||||
+## Ptrace the svirt domain
|
+## Ptrace the svirt domain
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
## <summary>
|
+## <summary>
|
||||||
-## The type of the object to be created.
|
|
||||||
+## Domain allowed to transition.
|
+## Domain allowed to transition.
|
||||||
## </summary>
|
+## </summary>
|
||||||
## </param>
|
+## </param>
|
||||||
-## <param name="object">
|
|
||||||
+#
|
+#
|
||||||
+interface(`virt_ptrace',`
|
+interface(`virt_ptrace',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
|
@ -96842,14 +96889,13 @@ index facdee8..3ad56e3 100644
|
||||||
+#######################################
|
+#######################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Manage Sandbox Files
|
+## Manage Sandbox Files
|
||||||
+## </summary>
|
## </summary>
|
||||||
+## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
-## The object class of the object being created.
|
## Domain allowed access.
|
||||||
+## Domain allowed access.
|
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
-## <param name="name" optional="true">
|
-## <param name="private type">
|
||||||
+#
|
+#
|
||||||
+interface(`virt_manage_sandbox_files',`
|
+interface(`virt_manage_sandbox_files',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
|
@ -96867,16 +96913,14 @@ index facdee8..3ad56e3 100644
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
-## The name of the object being created.
|
-## The type of the object to be created.
|
||||||
+## Domain allowed access.
|
+## Domain allowed access.
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
-## <infoflow type="write" weight="10"/>
|
-## <param name="object">
|
||||||
#
|
+#
|
||||||
-interface(`virt_pid_filetrans',`
|
|
||||||
+interface(`virt_relabel_sandbox_filesystem',`
|
+interface(`virt_relabel_sandbox_filesystem',`
|
||||||
gen_require(`
|
+ gen_require(`
|
||||||
- type virt_var_run_t;
|
|
||||||
+ type svirt_sandbox_file_t;
|
+ type svirt_sandbox_file_t;
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
|
@ -96885,16 +96929,40 @@ index facdee8..3ad56e3 100644
|
||||||
+
|
+
|
||||||
+#######################################
|
+#######################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
|
+## Mounton Sandbox Files
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
-## The object class of the object being created.
|
||||||
|
+## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
-## <param name="name" optional="true">
|
||||||
|
+#
|
||||||
|
+interface(`virt_mounton_sandbox_file',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type svirt_sandbox_file_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 svirt_sandbox_file_t:dir_file_class_set mounton;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+#######################################
|
||||||
|
+## <summary>
|
||||||
+## Connect to virt over a unix domain stream socket.
|
+## Connect to virt over a unix domain stream socket.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
+## <summary>
|
## <summary>
|
||||||
|
-## The name of the object being created.
|
||||||
+## Domain allowed access.
|
+## Domain allowed access.
|
||||||
+## </summary>
|
## </summary>
|
||||||
+## </param>
|
## </param>
|
||||||
+#
|
-## <infoflow type="write" weight="10"/>
|
||||||
|
#
|
||||||
|
-interface(`virt_pid_filetrans',`
|
||||||
+interface(`virt_stream_connect_sandbox',`
|
+interface(`virt_stream_connect_sandbox',`
|
||||||
+ gen_require(`
|
gen_require(`
|
||||||
|
- type virt_var_run_t;
|
||||||
+ attribute svirt_sandbox_domain;
|
+ attribute svirt_sandbox_domain;
|
||||||
+ type svirt_sandbox_file_t;
|
+ type svirt_sandbox_file_t;
|
||||||
')
|
')
|
||||||
|
@ -96978,7 +97046,7 @@ index facdee8..3ad56e3 100644
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -935,19 +886,17 @@ interface(`virt_read_log',`
|
@@ -935,19 +904,17 @@ interface(`virt_read_log',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
|
@ -97002,7 +97070,7 @@ index facdee8..3ad56e3 100644
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -955,20 +904,17 @@ interface(`virt_append_log',`
|
@@ -955,20 +922,17 @@ interface(`virt_append_log',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
|
@ -97027,7 +97095,7 @@ index facdee8..3ad56e3 100644
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -976,18 +922,17 @@ interface(`virt_manage_log',`
|
@@ -976,18 +940,17 @@ interface(`virt_manage_log',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
|
@ -97050,7 +97118,7 @@ index facdee8..3ad56e3 100644
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -995,36 +940,57 @@ interface(`virt_search_images',`
|
@@ -995,36 +958,57 @@ interface(`virt_search_images',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
|
@ -97127,7 +97195,7 @@ index facdee8..3ad56e3 100644
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -1032,20 +998,28 @@ interface(`virt_read_images',`
|
@@ -1032,20 +1016,28 @@ interface(`virt_read_images',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
|
@ -97163,7 +97231,7 @@ index facdee8..3ad56e3 100644
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -1053,37 +1027,129 @@ interface(`virt_rw_all_image_chr_files',`
|
@@ -1053,37 +1045,131 @@ interface(`virt_rw_all_image_chr_files',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
|
@ -97187,7 +97255,7 @@ index facdee8..3ad56e3 100644
|
||||||
## </summary>
|
## </summary>
|
||||||
-## <param name="domain">
|
-## <param name="domain">
|
||||||
+## <param name="prefix">
|
+## <param name="prefix">
|
||||||
## <summary>
|
+## <summary>
|
||||||
+## Prefix for the domain.
|
+## Prefix for the domain.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## </param>
|
+## </param>
|
||||||
|
@ -97212,7 +97280,7 @@ index facdee8..3ad56e3 100644
|
||||||
+## Make the specified type usable as a lxc domain
|
+## Make the specified type usable as a lxc domain
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="type">
|
+## <param name="type">
|
||||||
+## <summary>
|
## <summary>
|
||||||
+## Type to be used as a lxc domain
|
+## Type to be used as a lxc domain
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## </param>
|
+## </param>
|
||||||
|
@ -97298,7 +97366,9 @@ index facdee8..3ad56e3 100644
|
||||||
+ role $2 types svirt_sandbox_domain;
|
+ role $2 types svirt_sandbox_domain;
|
||||||
+ allow $1 svirt_sandbox_domain:unix_dgram_socket sendto;
|
+ allow $1 svirt_sandbox_domain:unix_dgram_socket sendto;
|
||||||
+
|
+
|
||||||
|
+ allow svirt_sandbox_domain $1:fifo_file rw_fifo_file_perms;
|
||||||
+ allow svirt_sandbox_domain $1:process sigchld;
|
+ allow svirt_sandbox_domain $1:process sigchld;
|
||||||
|
+ ps_process_pattern($1, svirt_sandbox_domain)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
|
@ -97307,7 +97377,7 @@ index facdee8..3ad56e3 100644
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -1091,36 +1157,54 @@ interface(`virt_manage_virt_cache',`
|
@@ -1091,36 +1177,54 @@ interface(`virt_manage_virt_cache',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
|
@ -97381,7 +97451,7 @@ index facdee8..3ad56e3 100644
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -1136,50 +1220,36 @@ interface(`virt_manage_images',`
|
@@ -1136,50 +1240,36 @@ interface(`virt_manage_images',`
|
||||||
#
|
#
|
||||||
interface(`virt_admin',`
|
interface(`virt_admin',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
|
@ -97423,7 +97493,8 @@ index facdee8..3ad56e3 100644
|
||||||
-
|
-
|
||||||
- files_search_tmp($1)
|
- files_search_tmp($1)
|
||||||
- admin_pattern($1, { virt_tmp_type virt_tmp_t })
|
- admin_pattern($1, { virt_tmp_type virt_tmp_t })
|
||||||
-
|
+ allow $1 virt_domain:process signal_perms;
|
||||||
|
|
||||||
- files_search_etc($1)
|
- files_search_etc($1)
|
||||||
- admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t })
|
- admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t })
|
||||||
-
|
-
|
||||||
|
@ -97432,8 +97503,7 @@ index facdee8..3ad56e3 100644
|
||||||
-
|
-
|
||||||
- files_search_pids($1)
|
- files_search_pids($1)
|
||||||
- admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t })
|
- admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t })
|
||||||
+ allow $1 virt_domain:process signal_perms;
|
-
|
||||||
|
|
||||||
- files_search_var($1)
|
- files_search_var($1)
|
||||||
- admin_pattern($1, svirt_cache_t)
|
- admin_pattern($1, svirt_cache_t)
|
||||||
-
|
-
|
||||||
|
|
|
@ -19,7 +19,7 @@
|
||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.13.1
|
Version: 3.13.1
|
||||||
Release: 14%{?dist}
|
Release: 15%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
|
@ -579,6 +579,31 @@ SELinux Reference policy mls base module.
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Jan 20 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-15
|
||||||
|
- Add cron unconfined role support for uncofined SELinux user
|
||||||
|
- Call kernel_rw_usermodehelper_state() in init.te
|
||||||
|
- Call corenet_udp_bind_all_ports() in milter.te
|
||||||
|
- Allow fence_virtd to connect to zented port
|
||||||
|
- Fix header for mirrormanager_admin()
|
||||||
|
- Allow dkim-milter to bind udp ports
|
||||||
|
- Allow milter domains to send signull itself
|
||||||
|
- Allow block_suspend for yum running as mock_t
|
||||||
|
- Allow beam.smp to manage couchdb files
|
||||||
|
- Add couchdb_manage_files()
|
||||||
|
- Add labeling for /var/log/php_errors.log
|
||||||
|
- Allow bumblebee to stream connect to xserver
|
||||||
|
- Allow bumblebee to send a signal to xserver
|
||||||
|
- gnome-thumbnail to stream connect to bumblebee
|
||||||
|
- Fix calling usermodehelper to use _state in interface name
|
||||||
|
- Allow xkbcomp running as bumblebee_t to execute bin_t
|
||||||
|
- Allow logrotate to read squid.conf
|
||||||
|
- Additional rules to get docker and lxc to play well with SELinux
|
||||||
|
- Call kernel_read_usermodhelper/kernel_rw_usermodhelper
|
||||||
|
- Make rpm_transition_script accept a role
|
||||||
|
- Added new policy for pcp
|
||||||
|
- Allow bumbleed to connect to xserver port
|
||||||
|
- Allow pegasus_openlmi_storage_t to read hwdata
|
||||||
|
|
||||||
* Fri Jan 17 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-14
|
* Fri Jan 17 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-14
|
||||||
- Make rpm_transition_script accept a role
|
- Make rpm_transition_script accept a role
|
||||||
- Clean up pcp.te
|
- Clean up pcp.te
|
||||||
|
|