- Make unconfined_service_t valid in enforcing
- Remove transition for temp dirs created by init_t - gdm-simple-slave uses setsockopt - Treat usermodehelper_t as a sysctl_type - xdm communicates with geo - Add lvm_read_metadata() - Allow rabbitmq_beam to connect to jabber_interserver_port - Allow logwatch_mail_t to transition to qmail_inject and qmail_queue - Added new rules to pcp policy - Allow vmtools_helper_t to change role to system_r - Allow NM to dbus chat with vmtools
parent
74ec503d1c
commit
3e0039f065
@ -2335,10 +2335,10 @@ index aa44abf..16a6342 100644
|
||||||
rpm_domtrans(anaconda_t)
|
rpm_domtrans(anaconda_t)
|
||||||
diff --git a/antivirus.fc b/antivirus.fc
|
diff --git a/antivirus.fc b/antivirus.fc
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..9d5214b
|
index 0000000..219f32d
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/antivirus.fc
|
+++ b/antivirus.fc
|
||||||
@@ -0,0 +1,43 @@
|
@@ -0,0 +1,44 @@
|
||||||
+/etc/amavis(d)?\.conf -- gen_context(system_u:object_r:antivirus_conf_t,s0)
|
+/etc/amavis(d)?\.conf -- gen_context(system_u:object_r:antivirus_conf_t,s0)
|
||||||
+/etc/amavisd(/.*)? gen_context(system_u:object_r:antivirus_conf_t,s0)
|
+/etc/amavisd(/.*)? gen_context(system_u:object_r:antivirus_conf_t,s0)
|
||||||
+
|
+
|
||||||
|
@ -2350,6 +2350,7 @@ index 0000000..9d5214b
|
||||||
+
|
+
|
||||||
+/usr/lib/AntiVir/antivir -- gen_context(system_u:object_r:antivirus_exec_t,s0)
|
+/usr/lib/AntiVir/antivir -- gen_context(system_u:object_r:antivirus_exec_t,s0)
|
||||||
+
|
+
|
||||||
|
+/usr/sbin/amavi -- gen_context(system_u:object_r:antivirus_exec_t,s0)
|
||||||
+/usr/sbin/amavisd.* -- gen_context(system_u:object_r:antivirus_exec_t,s0)
|
+/usr/sbin/amavisd.* -- gen_context(system_u:object_r:antivirus_exec_t,s0)
|
||||||
+/usr/bin/clamscan -- gen_context(system_u:object_r:antivirus_exec_t,s0)
|
+/usr/bin/clamscan -- gen_context(system_u:object_r:antivirus_exec_t,s0)
|
||||||
+/usr/bin/clamdscan -- gen_context(system_u:object_r:antivirus_exec_t,s0)
|
+/usr/bin/clamdscan -- gen_context(system_u:object_r:antivirus_exec_t,s0)
|
||||||
|
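Review bot: The added entry `/usr/sbin/amavi -- gen_context(system_u:object_r:antivirus_exec_t,s0)` is a literal path, and file_contexts patterns are anchored, so it labels only a file named exactly `amavi` and nothing that the `/usr/sbin/amavisd.*` line beneath it does not already cover. If the target is the `amavis-*` helper set that newer amavisd-new releases ship, the conventional pattern would be `/usr/sbin/amavis.* -- gen_context(system_u:object_r:antivirus_exec_t,s0)`, but confirm the real binary name on an installed system before changing it, since a wrong pattern leaves the helper running in the caller's domain instead of antivirus_t. A one-line comment naming the package that ships these files (`# amavisd-new`) above the block would spare the next reader that check.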
@ -14439,10 +14440,10 @@ index 5b830ec..0647a3b 100644
|
||||||
+ ps_process_pattern($1, consolekit_t)
|
+ ps_process_pattern($1, consolekit_t)
|
||||||
+')
|
+')
|
||||||
diff --git a/consolekit.te b/consolekit.te
|
diff --git a/consolekit.te b/consolekit.te
|
||||||
index bd18063..0957efc 100644
|
index bd18063..47c8fd0 100644
|
||||||
--- a/consolekit.te
|
--- a/consolekit.te
|
||||||
+++ b/consolekit.te
|
+++ b/consolekit.te
|
||||||
@@ -19,12 +19,16 @@ type consolekit_var_run_t;
|
@@ -19,21 +19,23 @@ type consolekit_var_run_t;
|
||||||
files_pid_file(consolekit_var_run_t)
|
files_pid_file(consolekit_var_run_t)
|
||||||
init_daemon_run_dir(consolekit_var_run_t, "ConsoleKit")
|
init_daemon_run_dir(consolekit_var_run_t, "ConsoleKit")
|
||||||
|
|
||||||
|
@ -14459,16 +14460,19 @@ index bd18063..0957efc 100644
|
||||||
allow consolekit_t self:process { getsched signal };
|
allow consolekit_t self:process { getsched signal };
|
||||||
allow consolekit_t self:fifo_file rw_fifo_file_perms;
|
allow consolekit_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow consolekit_t self:unix_stream_socket { accept listen };
|
allow consolekit_t self:unix_stream_socket { accept listen };
|
||||||
@@ -33,7 +37,7 @@ create_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
|
|
||||||
append_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
|
-create_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
|
||||||
read_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
|
-append_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
|
||||||
setattr_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
|
-read_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
|
||||||
|
-setattr_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
|
||||||
-logging_log_filetrans(consolekit_t, consolekit_log_t, file)
|
-logging_log_filetrans(consolekit_t, consolekit_log_t, file)
|
||||||
|
+manage_dirs_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
|
||||||
|
+manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
|
||||||
+logging_log_filetrans(consolekit_t, consolekit_log_t, { dir file })
|
+logging_log_filetrans(consolekit_t, consolekit_log_t, { dir file })
|
||||||
|
|
||||||
manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
|
manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
|
||||||
manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
|
manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
|
||||||
@@ -54,38 +58,37 @@ dev_read_sysfs(consolekit_t)
|
@@ -54,38 +56,37 @@ dev_read_sysfs(consolekit_t)
|
||||||
|
|
||||||
domain_read_all_domains_state(consolekit_t)
|
domain_read_all_domains_state(consolekit_t)
|
||||||
domain_use_interactive_fds(consolekit_t)
|
domain_use_interactive_fds(consolekit_t)
|
||||||
|
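Review bot: Replacing `create_files_pattern`, `append_files_pattern`, `read_files_pattern` and `setattr_files_pattern` on consolekit_log_t with `manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)` widens the daemon from append-only logging to write, rename and unlink on its own log files, which lets a compromised consolekit_t truncate or remove its own audit trail. If the new requirement is only creating the log directory (the filetrans now covers `{ dir file }`), `manage_dirs_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)` together with the previous append-only file rules would satisfy it without that loss. If full manage really is needed, a comment stating which access was denied would justify the broadening for the next reviewer.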
@ -14517,7 +14521,7 @@ index bd18063..0957efc 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -109,13 +112,6 @@ optional_policy(`
|
@@ -109,13 +110,6 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -14747,7 +14751,7 @@ index c086302..4f33119 100644
|
||||||
|
|
||||||
/etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
|
/etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
|
||||||
diff --git a/couchdb.if b/couchdb.if
|
diff --git a/couchdb.if b/couchdb.if
|
||||||
index 715a826..36d5a7d 100644
|
index 715a826..3f0c0dc 100644
|
||||||
--- a/couchdb.if
|
--- a/couchdb.if
|
||||||
+++ b/couchdb.if
|
+++ b/couchdb.if
|
||||||
@@ -2,7 +2,7 @@
|
@@ -2,7 +2,7 @@
|
||||||
|
@ -14848,7 +14852,7 @@ index 715a826..36d5a7d 100644
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -73,19 +112,85 @@ interface(`couchdb_read_pid_files',`
|
@@ -73,19 +112,87 @@ interface(`couchdb_read_pid_files',`
|
||||||
')
|
')
|
||||||
|
|
||||||
files_search_pids($1)
|
files_search_pids($1)
|
||||||
|
@ -14890,11 +14894,13 @@ index 715a826..36d5a7d 100644
|
||||||
+ type couchdb_var_run_t;
|
+ type couchdb_var_run_t;
|
||||||
+ type couchdb_log_t;
|
+ type couchdb_log_t;
|
||||||
+ type couchdb_var_lib_t;
|
+ type couchdb_var_lib_t;
|
||||||
|
+ type couchdb_conf_t;
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ manage_files_pattern($1, couchdb_log_t, couchdb_log_t)
|
+ manage_files_pattern($1, couchdb_log_t, couchdb_log_t)
|
||||||
+ manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
|
+ manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
|
||||||
+ manage_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t)
|
+ manage_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t)
|
||||||
|
+ manage_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
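Review bot: Adding `manage_files_pattern($1, couchdb_conf_t, couchdb_conf_t)` to this interface (its `interface(` line is above the hunk) turns every existing caller's access to CouchDB configuration from none into full write, and this same commit drops `couchdb_read_conf_files(rabbitmq_beam_t)` from rabbitmq.te in favour of the manage interface, so rabbitmq_beam_t moves from reading CouchDB config to being able to rewrite it. Configuration is trust-defining for the daemon that loads it; unless RabbitMQ genuinely writes CouchDB config, keep the conf access here read-only with `read_files_pattern($1, couchdb_conf_t, couchdb_conf_t)` or carry the write in a separate `couchdb_manage_conf_files` interface that callers opt into. The interface's summary block, also above this hunk, should list couchdb_conf_t among the types it now grants access to.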
@ -14938,7 +14944,7 @@ index 715a826..36d5a7d 100644
|
||||||
## <param name="role">
|
## <param name="role">
|
||||||
## <summary>
|
## <summary>
|
||||||
## Role allowed access.
|
## Role allowed access.
|
||||||
@@ -95,14 +200,19 @@ interface(`couchdb_read_pid_files',`
|
@@ -95,14 +202,19 @@ interface(`couchdb_read_pid_files',`
|
||||||
#
|
#
|
||||||
interface(`couchdb_admin',`
|
interface(`couchdb_admin',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
|
@ -14959,7 +14965,7 @@ index 715a826..36d5a7d 100644
|
||||||
init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
|
init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
|
||||||
domain_system_change_exemption($1)
|
domain_system_change_exemption($1)
|
||||||
role_transition $2 couchdb_initrc_exec_t system_r;
|
role_transition $2 couchdb_initrc_exec_t system_r;
|
||||||
@@ -122,4 +232,13 @@ interface(`couchdb_admin',`
|
@@ -122,4 +234,13 @@ interface(`couchdb_admin',`
|
||||||
|
|
||||||
files_search_pids($1)
|
files_search_pids($1)
|
||||||
admin_pattern($1, couchdb_var_run_t)
|
admin_pattern($1, couchdb_var_run_t)
|
||||||
|
@ -31415,7 +31421,7 @@ index 180f1b7..3c8757e 100644
|
||||||
+ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
|
+ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
|
||||||
+')
|
+')
|
||||||
diff --git a/gpg.te b/gpg.te
|
diff --git a/gpg.te b/gpg.te
|
||||||
index 0e97e82..0a158ad 100644
|
index 0e97e82..695e8fa 100644
|
||||||
--- a/gpg.te
|
--- a/gpg.te
|
||||||
+++ b/gpg.te
|
+++ b/gpg.te
|
||||||
@@ -4,15 +4,7 @@ policy_module(gpg, 2.8.0)
|
@@ -4,15 +4,7 @@ policy_module(gpg, 2.8.0)
|
||||||
|
@ -31488,7 +31494,7 @@ index 0e97e82..0a158ad 100644
|
||||||
+allow gpgdomain self:process { getsched setsched };
|
+allow gpgdomain self:process { getsched setsched };
|
||||||
+#at setrlimit is for ulimit -c 0
|
+#at setrlimit is for ulimit -c 0
|
||||||
+allow gpgdomain self:process { signal signull setrlimit getcap setcap setpgid };
|
+allow gpgdomain self:process { signal signull setrlimit getcap setcap setpgid };
|
||||||
+dontaudit gpgdomain self:netlink_audit_socket r_netlink_socket_perms;
|
+dontaudit gpgdomain self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
|
||||||
+
|
+
|
||||||
+allow gpgdomain self:fifo_file rw_fifo_file_perms;
|
+allow gpgdomain self:fifo_file rw_fifo_file_perms;
|
||||||
+allow gpgdomain self:tcp_socket create_stream_socket_perms;
|
+allow gpgdomain self:tcp_socket create_stream_socket_perms;
|
||||||
|
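Review bot: The change to `dontaudit gpgdomain self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };` silences the denial rather than allowing it, which is the right call because `nlmsg_relay` on the audit socket is the permission that lets a process emit userspace audit records, and a gpg domain has no reason to write the audit trail; but nothing in the file says so, and the next person who meets the denial may "fix" it with `allow`. A comment above the rule such as `# probes the audit netlink socket; dontaudit on purpose, nlmsg_relay would let gpg inject audit records` records the intent. Whether the probe comes from gpg itself or from a library it loads is not visible here and is worth confirming before the comment names a culprit.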
@ -39059,7 +39065,7 @@ index be0ab84..1859690 100644
|
||||||
logging_read_all_logs(logrotate_mail_t)
|
logging_read_all_logs(logrotate_mail_t)
|
||||||
+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
|
+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
|
||||||
diff --git a/logwatch.te b/logwatch.te
|
diff --git a/logwatch.te b/logwatch.te
|
||||||
index ab65034..ed34956 100644
|
index ab65034..c76dbda 100644
|
||||||
--- a/logwatch.te
|
--- a/logwatch.te
|
||||||
+++ b/logwatch.te
|
+++ b/logwatch.te
|
||||||
@@ -15,7 +15,8 @@ gen_tunable(logwatch_can_network_connect_mail, false)
|
@@ -15,7 +15,8 @@ gen_tunable(logwatch_can_network_connect_mail, false)
|
||||||
|
@ -39144,7 +39150,7 @@ index ab65034..ed34956 100644
|
||||||
rpc_search_nfs_state_data(logwatch_t)
|
rpc_search_nfs_state_data(logwatch_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -187,6 +192,12 @@ dev_read_sysfs(logwatch_mail_t)
|
@@ -187,6 +192,17 @@ dev_read_sysfs(logwatch_mail_t)
|
||||||
|
|
||||||
logging_read_all_logs(logwatch_mail_t)
|
logging_read_all_logs(logwatch_mail_t)
|
||||||
|
|
||||||
|
@ -39157,6 +39163,11 @@ index ab65034..ed34956 100644
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ courier_stream_connect_authdaemon(logwatch_mail_t)
|
+ courier_stream_connect_authdaemon(logwatch_mail_t)
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ qmail_domtrans_inject(logwatch_mail_t)
|
||||||
|
+ qmail_domtrans_queue(logwatch_mail_t)
|
||||||
|
+')
|
||||||
diff --git a/lpd.fc b/lpd.fc
|
diff --git a/lpd.fc b/lpd.fc
|
||||||
index 2fb9b2e..08974e3 100644
|
index 2fb9b2e..08974e3 100644
|
||||||
--- a/lpd.fc
|
--- a/lpd.fc
|
||||||
|
@ -58980,10 +58991,10 @@ index 0000000..ba24b40
|
||||||
+
|
+
|
||||||
diff --git a/pcp.te b/pcp.te
|
diff --git a/pcp.te b/pcp.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..d21c5d7
|
index 0000000..3bd4aa3
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/pcp.te
|
+++ b/pcp.te
|
||||||
@@ -0,0 +1,192 @@
|
@@ -0,0 +1,196 @@
|
||||||
+policy_module(pcp, 1.0.0)
|
+policy_module(pcp, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
|
@ -59090,6 +59101,7 @@ index 0000000..d21c5d7
|
||||||
+fs_getattr_all_fs(pcp_pmcd_t)
|
+fs_getattr_all_fs(pcp_pmcd_t)
|
||||||
+fs_getattr_all_dirs(pcp_pmcd_t)
|
+fs_getattr_all_dirs(pcp_pmcd_t)
|
||||||
+fs_list_cgroup_dirs(pcp_pmcd_t)
|
+fs_list_cgroup_dirs(pcp_pmcd_t)
|
||||||
|
+fs_read_cgroup_files(pcp_pmcd_t)
|
||||||
+
|
+
|
||||||
+logging_send_syslog_msg(pcp_pmcd_t)
|
+logging_send_syslog_msg(pcp_pmcd_t)
|
||||||
+
|
+
|
||||||
|
@ -59158,11 +59170,14 @@ index 0000000..d21c5d7
|
||||||
+#
|
+#
|
||||||
+
|
+
|
||||||
+allow pcp_pmie_t self:netlink_route_socket { create_socket_perms nlmsg_read };
|
+allow pcp_pmie_t self:netlink_route_socket { create_socket_perms nlmsg_read };
|
||||||
|
+allow pcp_pmie_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||||
+
|
+
|
||||||
+allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto;
|
+allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto;
|
||||||
+
|
+
|
||||||
+corenet_tcp_connect_all_ephemeral_ports(pcp_pmie_t)
|
+corenet_tcp_connect_all_ephemeral_ports(pcp_pmie_t)
|
||||||
+
|
+
|
||||||
|
+logging_send_syslog_msg(pcp_pmie_t)
|
||||||
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+#
|
+#
|
||||||
+# pcp_pmlogger local policy
|
+# pcp_pmlogger local policy
|
||||||
|
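Review bot: `allow pcp_pmie_t self:unix_dgram_socket { create_socket_perms sendto };` is added in the same hunk as `logging_send_syslog_msg(pcp_pmie_t)`, and the syslog interface normally grants the datagram-socket permissions a domain needs to reach /dev/log, so the self rule looks like an audit2allow leftover that the interface now subsumes; if syslog is the only datagram traffic, drop it, otherwise add a comment naming what else pmie sends to. The `corenet_tcp_connect_all_ephemeral_ports(pcp_pmie_t)` kept on the new side lets the inference engine connect to any ephemeral port even though it already has `connectto` on pcp_pmcd_t's stream socket; if its only network peer is pmcd, a port type for pmcd (if this tree's corenetwork defines one) would be a tighter fit. The start of the pcp_pmie local policy block is above this hunk.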
@ -72386,7 +72401,7 @@ index 2c3d338..cf3e5ad 100644
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
diff --git a/rabbitmq.te b/rabbitmq.te
|
diff --git a/rabbitmq.te b/rabbitmq.te
|
||||||
index dc3b0ed..0d48e31 100644
|
index dc3b0ed..c77c09c 100644
|
||||||
--- a/rabbitmq.te
|
--- a/rabbitmq.te
|
||||||
+++ b/rabbitmq.te
|
+++ b/rabbitmq.te
|
||||||
@@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t)
|
@@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t)
|
||||||
|
@ -72429,7 +72444,7 @@ index dc3b0ed..0d48e31 100644
|
||||||
can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
|
can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
|
||||||
|
|
||||||
domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
|
domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
|
||||||
@@ -55,51 +64,67 @@ kernel_read_fs_sysctls(rabbitmq_beam_t)
|
@@ -55,51 +64,63 @@ kernel_read_fs_sysctls(rabbitmq_beam_t)
|
||||||
corecmd_exec_bin(rabbitmq_beam_t)
|
corecmd_exec_bin(rabbitmq_beam_t)
|
||||||
corecmd_exec_shell(rabbitmq_beam_t)
|
corecmd_exec_shell(rabbitmq_beam_t)
|
||||||
|
|
||||||
|
@ -72443,25 +72458,28 @@ index dc3b0ed..0d48e31 100644
|
||||||
+corenet_tcp_connect_all_ephemeral_ports(rabbitmq_beam_t)
|
+corenet_tcp_connect_all_ephemeral_ports(rabbitmq_beam_t)
|
||||||
|
|
||||||
corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
|
corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
|
||||||
corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
|
-corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
|
||||||
+corenet_tcp_connect_amqp_port(rabbitmq_beam_t)
|
-corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t)
|
||||||
corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t)
|
|
||||||
|
|
||||||
corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
|
corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
|
||||||
|
+corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t)
|
||||||
|
+corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
|
||||||
|
+corenet_tcp_bind_couchdb_port(rabbitmq_beam_t)
|
||||||
|
+corenet_tcp_bind_jabber_client_port(rabbitmq_beam_t)
|
||||||
|
+corenet_tcp_bind_jabber_interserver_port(rabbitmq_beam_t)
|
||||||
|
+corenet_tcp_connect_amqp_port(rabbitmq_beam_t)
|
||||||
|
+corenet_tcp_connect_couchdb_port(rabbitmq_beam_t)
|
||||||
corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
|
corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
|
||||||
|
+corenet_tcp_connect_jabber_interserver_port(rabbitmq_beam_t)
|
||||||
corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
|
corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
|
||||||
|
|
||||||
-corenet_sendrecv_couchdb_server_packets(rabbitmq_beam_t)
|
-corenet_sendrecv_couchdb_server_packets(rabbitmq_beam_t)
|
||||||
corenet_tcp_bind_couchdb_port(rabbitmq_beam_t)
|
-corenet_tcp_bind_couchdb_port(rabbitmq_beam_t)
|
||||||
-corenet_tcp_sendrecv_couchdb_port(rabbitmq_beam_t)
|
-corenet_tcp_sendrecv_couchdb_port(rabbitmq_beam_t)
|
||||||
|
+domain_read_all_domains_state(rabbitmq_beam_t)
|
||||||
|
|
||||||
-dev_read_sysfs(rabbitmq_beam_t)
|
-dev_read_sysfs(rabbitmq_beam_t)
|
||||||
-dev_read_urand(rabbitmq_beam_t)
|
-dev_read_urand(rabbitmq_beam_t)
|
||||||
+corenet_tcp_bind_jabber_client_port(rabbitmq_beam_t)
|
|
||||||
+corenet_tcp_bind_jabber_interserver_port(rabbitmq_beam_t)
|
|
||||||
+
|
|
||||||
+domain_read_all_domains_state(rabbitmq_beam_t)
|
|
||||||
+
|
|
||||||
+files_getattr_all_mountpoints(rabbitmq_beam_t)
|
+files_getattr_all_mountpoints(rabbitmq_beam_t)
|
||||||
|
|
||||||
fs_getattr_all_fs(rabbitmq_beam_t)
|
fs_getattr_all_fs(rabbitmq_beam_t)
|
||||||
|
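Review bot: The new side lets rabbitmq_beam_t bind the couchdb, jabber_client and jabber_interserver ports on top of amqp (`corenet_tcp_bind_couchdb_port`, `corenet_tcp_bind_jabber_client_port`, `corenet_tcp_bind_jabber_interserver_port`), which allows the broker to stand up a listener on ports reserved for other services and impersonate them on a shared host. If those ports are borrowed because a RabbitMQ plugin or the Erlang distribution listens there, a comment naming the plugin above the bind rules would justify it, and a dedicated port type for that listener would be tighter than reusing the other services' types. `corenet_tcp_connect_all_ephemeral_ports(rabbitmq_beam_t)` further makes the enumerated connect rules largely decorative for outbound traffic. Separately, `corenet_sendrecv_couchdb_server_packets` was dropped while the couchdb bind stays and the amqp packet rule is kept, which is consistent only if the packet interfaces are no longer needed in this tree's corenetwork; worth a check.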
@ -72470,8 +72488,6 @@ index dc3b0ed..0d48e31 100644
|
||||||
fs_search_cgroup_dirs(rabbitmq_beam_t)
|
fs_search_cgroup_dirs(rabbitmq_beam_t)
|
||||||
|
|
||||||
-files_read_etc_files(rabbitmq_beam_t)
|
-files_read_etc_files(rabbitmq_beam_t)
|
||||||
+corenet_tcp_connect_couchdb_port(rabbitmq_beam_t)
|
|
||||||
+
|
|
||||||
+dev_read_sysfs(rabbitmq_beam_t)
|
+dev_read_sysfs(rabbitmq_beam_t)
|
||||||
+dev_read_urand(rabbitmq_beam_t)
|
+dev_read_urand(rabbitmq_beam_t)
|
||||||
|
|
||||||
|
@ -72493,8 +72509,6 @@ index dc3b0ed..0d48e31 100644
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ couchdb_manage_files(rabbitmq_beam_t)
|
+ couchdb_manage_files(rabbitmq_beam_t)
|
||||||
+ couchdb_manage_lib_files(rabbitmq_beam_t)
|
|
||||||
+ couchdb_read_conf_files(rabbitmq_beam_t)
|
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
|
@ -72510,7 +72524,7 @@ index dc3b0ed..0d48e31 100644
|
||||||
allow rabbitmq_epmd_t self:process signal;
|
allow rabbitmq_epmd_t self:process signal;
|
||||||
allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
|
allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
|
allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
|
||||||
@@ -107,6 +132,8 @@ allow rabbitmq_epmd_t self:unix_stream_socket { accept listen };
|
@@ -107,6 +128,8 @@ allow rabbitmq_epmd_t self:unix_stream_socket { accept listen };
|
||||||
|
|
||||||
allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms;
|
allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms;
|
||||||
|
|
||||||
|
@ -72519,7 +72533,7 @@ index dc3b0ed..0d48e31 100644
|
||||||
corenet_all_recvfrom_unlabeled(rabbitmq_epmd_t)
|
corenet_all_recvfrom_unlabeled(rabbitmq_epmd_t)
|
||||||
corenet_all_recvfrom_netlabel(rabbitmq_epmd_t)
|
corenet_all_recvfrom_netlabel(rabbitmq_epmd_t)
|
||||||
corenet_tcp_sendrecv_generic_if(rabbitmq_epmd_t)
|
corenet_tcp_sendrecv_generic_if(rabbitmq_epmd_t)
|
||||||
@@ -117,8 +144,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
|
@@ -117,8 +140,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
|
||||||
corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
|
corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
|
||||||
corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
|
corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
|
||||||
|
|
||||||
|
@ -101472,10 +101486,10 @@ index 0000000..7933d80
|
||||||
+')
|
+')
|
||||||
diff --git a/vmtools.te b/vmtools.te
|
diff --git a/vmtools.te b/vmtools.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..c47cb0e
|
index 0000000..ab589a9
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/vmtools.te
|
+++ b/vmtools.te
|
||||||
@@ -0,0 +1,82 @@
|
@@ -0,0 +1,87 @@
|
||||||
+policy_module(vmtools, 1.0.0)
|
+policy_module(vmtools, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
|
@ -101495,6 +101509,7 @@ index 0000000..c47cb0e
|
||||||
+type vmtools_helper_t;
|
+type vmtools_helper_t;
|
||||||
+type vmtools_helper_exec_t;
|
+type vmtools_helper_exec_t;
|
||||||
+application_domain(vmtools_helper_t, vmtools_helper_exec_t)
|
+application_domain(vmtools_helper_t, vmtools_helper_exec_t)
|
||||||
|
+domain_system_change_exemption(vmtools_helper_t)
|
||||||
+role vmtools_helper_roles types vmtools_helper_t;
|
+role vmtools_helper_roles types vmtools_helper_t;
|
||||||
+
|
+
|
||||||
+type vmtools_unit_file_t;
|
+type vmtools_unit_file_t;
|
||||||
|
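Review bot: `domain_system_change_exemption(vmtools_helper_t)` is applied to a domain reachable from user roles (`role vmtools_helper_roles types vmtools_helper_t;`), so anything running as vmtools_helper_t becomes exempt from the constraint that blocks process transitions into system_r; presumably this backs a `role_transition` not visible in this hunk, and since the optional block further down makes vmtools_t an `unconfined_domain`, the helper is then a path from a user role into an unconfined system domain if it transitions into vmtools_t. A comment above the exemption stating which exec type and role the helper is started from, and that the accompanying role_transition is scoped to that one exec type, would document that the exemption is intentional and bounded. The remaining vmtools_helper_t rules are outside this hunk.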
@ -101546,6 +101561,10 @@ index 0000000..c47cb0e
|
||||||
+xserver_stream_connect(vmtools_t)
|
+xserver_stream_connect(vmtools_t)
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
|
+ networkmanager_dbus_chat(vmtools_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
+ unconfined_domain(vmtools_t)
|
+ unconfined_domain(vmtools_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
|
|
@ -19,7 +19,7 @@
|
||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.13.1
|
Version: 3.13.1
|
||||||
Release: 26%{?dist}
|
Release: 27%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
|
@ -580,6 +580,19 @@ SELinux Reference policy mls base module.
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Feb 24 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-27
|
||||||
|
- Make unconfined_service_t valid in enforcing
|
||||||
|
- Remove transition for temp dirs created by init_t
|
||||||
|
- gdm-simple-slave uses use setsockopt
|
||||||
|
- Treat usermodehelper_t as a sysctl_type
|
||||||
|
- xdm communicates with geo
|
||||||
|
- Add lvm_read_metadata()
|
||||||
|
- Allow rabbitmq_beam to connect to jabber_interserver_port
|
||||||
|
- Allow logwatch_mail_t to transition to qmail_inject and queueu
|
||||||
|
- Added new rules to pcp policy
|
||||||
|
- Allow vmtools_helper_t to change role to system_r
|
||||||
|
- Allow NM to dbus chat with vmtools
|
||||||
|
|
||||||
* Fri Feb 21 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-26
|
* Fri Feb 21 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-26
|
||||||
- Add labeling for /usr/sbin/amavi
|
- Add labeling for /usr/sbin/amavi
|
||||||
- Colin asked for this program to be treated as cloud-init
|
- Colin asked for this program to be treated as cloud-init
|
||||||
|
|