- Change hsperfdata_root to have as user_tmp_t
- Allow rsyslog low-level network access - Fix use_nfs_home_dirs/use_samba_home_dirs for xdm_t to allow append .xsession-errors by li - Allow conman to resolve DNS and use user ptys - update pegasus_openlmi_admin_t policy - nslcd wants chown capability - Dontaudit exec insmod in boinc policy
parent
c14474eca6
commit
3f1341d528
@ -8742,7 +8742,7 @@ index 6a1e4d1..84e8030 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index cf04cb5..0b3704b 100644
index cf04cb5..806e1cc 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@ -8880,7 +8880,7 @@ index cf04cb5..0b3704b 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
@@ -166,5 +232,342 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
@@ -166,5 +232,346 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@ -9100,6 +9100,10 @@ index cf04cb5..0b3704b 100644
+')
+
+optional_policy(`
+ userdom_filetrans_named_user_tmp_files(named_filetrans_domain)
+')
+
+optional_policy(`
+ virt_filetrans_named_content(named_filetrans_domain)
+')
+
@ -9224,7 +9228,7 @@ index cf04cb5..0b3704b 100644
+ unconfined_server_stream_connect(domain)
+')
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index b876c48..9cbe36a 100644
index b876c48..bbd0e79 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@ -9358,7 +9362,7 @@ index b876c48..9cbe36a 100644
#
# /selinux
#
@@ -178,25 +191,29 @@ ifdef(`distro_debian',`
@@ -178,13 +191,14 @@ ifdef(`distro_debian',`
#
# /srv
#
@ -9375,11 +9379,7 @@ index b876c48..9cbe36a 100644
/tmp/.* <<none>>
/tmp/\.journal <<none>>
/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/tmp/lost\+found/.* <<none>>
+/tmp/hsperfdata_root gen_context(system_u:object_r:tmp_t,s0)
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:tmp_t,s0)
@@ -194,9 +208,10 @@ ifdef(`distro_debian',`
#
# /usr
#
@ -9391,7 +9391,7 @@ index b876c48..9cbe36a 100644
/usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
@@ -204,15 +221,9 @@ ifdef(`distro_debian',`
@@ -204,15 +219,9 @@ ifdef(`distro_debian',`
/usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0)
@ -9408,7 +9408,7 @@ index b876c48..9cbe36a 100644
/usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0)
@@ -220,8 +231,6 @@ ifdef(`distro_debian',`
@@ -220,8 +229,6 @@ ifdef(`distro_debian',`
/usr/tmp/.* <<none>>
ifndef(`distro_redhat',`
@ -9417,7 +9417,7 @@ index b876c48..9cbe36a 100644
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
')
@@ -229,7 +238,7 @@ ifndef(`distro_redhat',`
@@ -229,7 +236,7 @@ ifndef(`distro_redhat',`
#
# /var
#
@ -9426,7 +9426,7 @@ index b876c48..9cbe36a 100644
/var/.* gen_context(system_u:object_r:var_t,s0)
/var/\.journal <<none>>
@@ -237,11 +246,25 @@ ifndef(`distro_redhat',`
@@ -237,11 +244,25 @@ ifndef(`distro_redhat',`
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
@ -9453,7 +9453,7 @@ index b876c48..9cbe36a 100644
/var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/log/lost\+found/.* <<none>>
@@ -256,12 +279,14 @@ ifndef(`distro_redhat',`
@@ -256,12 +277,14 @@ ifndef(`distro_redhat',`
/var/run -l gen_context(system_u:object_r:var_run_t,s0)
/var/run/.* gen_context(system_u:object_r:var_run_t,s0)
/var/run/.*\.*pid <<none>>
@ -9468,14 +9468,14 @@ index b876c48..9cbe36a 100644
/var/tmp/.* <<none>>
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/tmp/lost\+found/.* <<none>>
@@ -271,3 +296,5 @@ ifdef(`distro_debian',`
@@ -271,3 +294,5 @@ ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
/var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)
')
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index f962f76..ae94e80 100644
index f962f76..337a00e 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@ -12384,7 +12384,7 @@ index f962f76..ae94e80 100644
## </summary>
## <param name="domain">
## <summary>
@@ -6573,10 +7835,785 @@ interface(`files_polyinstantiate_all',`
@@ -6573,10 +7835,784 @@ interface(`files_polyinstantiate_all',`
## </summary>
## </param>
#
@ -13039,7 +13039,6 @@ index f962f76..ae94e80 100644
+ files_etc_filetrans_etc_runtime($1, file, "ptal-printd-like")
+ files_etc_filetrans_etc_runtime($1, file, "hwconf")
+ files_etc_filetrans_etc_runtime($1, file, "iptables.save")
+ files_tmp_filetrans($1, tmp_t, dir, "hsperfdata_root")
+ files_tmp_filetrans($1, tmp_t, dir, "tmp-inst")
+ files_var_filetrans($1, tmp_t, dir, "tmp")
+ files_var_filetrans($1, var_run_t, dir, "run")
@ -24486,7 +24485,7 @@ index 6bf0ecc..bf98136 100644
+')
+
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 8b40377..2a244f6 100644
index 8b40377..f0e5cc0 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,59 @@ gen_require(`
@ -25125,7 +25124,7 @@ index 8b40377..2a244f6 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
@@ -472,24 +693,153 @@ userdom_read_user_home_content_files(xdm_t)
@@ -472,24 +693,155 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@ -25148,12 +25147,14 @@ index 8b40377..2a244f6 100644
+ fs_manage_nfs_dirs(xdm_t)
+ fs_manage_nfs_files(xdm_t)
+ fs_manage_nfs_symlinks(xdm_t)
+ fs_append_nfs_files(xdm_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(xdm_t)
+ fs_manage_cifs_files(xdm_t)
+ fs_manage_cifs_symlinks(xdm_t)
+ fs_append_cifs_files(xdm_t)
+')
+
+tunable_policy(`use_fusefs_home_dirs',`
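Review bot: `+ fs_append_nfs_files(xdm_t)` is added to the same `use_nfs_home_dirs` block that already calls `fs_manage_nfs_files(xdm_t)` three lines above it, and `+ fs_append_cifs_files(xdm_t)` likewise sits next to `fs_manage_cifs_files(xdm_t)`; in refpolicy the manage interfaces expand to manage_file_perms, which already contains append, so the two new lines appear to grant nothing the block did not already allow. If an append denial on .xsession-errors was actually observed with the boolean enabled, the cause is probably elsewhere and the denial should be re-checked rather than patched with a subsumed rule. The opening `tunable_policy(`use_nfs_home_dirs',` line is outside the hunk, so I cannot confirm the block's condition from here; if the append lines are kept on purpose, a one-line comment stating why append is needed on top of manage would stop the next reader from deleting them as dead rules.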
@ -25285,7 +25286,7 @@ index 8b40377..2a244f6 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
@@ -503,11 +853,26 @@ tunable_policy(`xdm_sysadm_login',`
@@ -503,11 +855,26 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@ -25312,7 +25313,7 @@ index 8b40377..2a244f6 100644
')
optional_policy(`
@@ -517,9 +882,34 @@ optional_policy(`
@@ -517,9 +884,34 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(xdm_t)
dbus_connect_system_bus(xdm_t)
@ -25348,7 +25349,7 @@ index 8b40377..2a244f6 100644
')
')
@@ -530,6 +920,20 @@ optional_policy(`
@@ -530,6 +922,20 @@ optional_policy(`
')
optional_policy(`
@ -25369,7 +25370,7 @@ index 8b40377..2a244f6 100644
hostname_exec(xdm_t)
')
@@ -547,28 +951,78 @@ optional_policy(`
@@ -547,28 +953,78 @@ optional_policy(`
')
optional_policy(`
@ -25457,7 +25458,7 @@ index 8b40377..2a244f6 100644
')
optional_policy(`
@@ -580,6 +1034,14 @@ optional_policy(`
@@ -580,6 +1036,14 @@ optional_policy(`
')
optional_policy(`
@ -25472,7 +25473,7 @@ index 8b40377..2a244f6 100644
xfs_stream_connect(xdm_t)
')
@@ -594,7 +1056,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
@@ -594,7 +1058,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@ -25481,7 +25482,7 @@ index 8b40377..2a244f6 100644
# setuid/setgid for the wrapper program to change UID
# sys_rawio is for iopl access - should not be needed for frame-buffer
@@ -604,8 +1066,11 @@ allow xserver_t input_xevent_t:x_event send;
@@ -604,8 +1068,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@ -25494,7 +25495,7 @@ index 8b40377..2a244f6 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
@@ -618,8 +1083,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -618,8 +1085,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@ -25510,7 +25511,7 @@ index 8b40377..2a244f6 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
@@ -627,6 +1099,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
@@ -627,6 +1101,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@ -25521,7 +25522,7 @@ index 8b40377..2a244f6 100644
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
@@ -638,25 +1114,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
@@ -638,25 +1116,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@ -25558,7 +25559,7 @@ index 8b40377..2a244f6 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
@@ -677,23 +1160,28 @@ dev_rw_apm_bios(xserver_t)
@@ -677,23 +1162,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@ -25590,7 +25591,7 @@ index 8b40377..2a244f6 100644
# brought on by rhgb
files_search_mnt(xserver_t)
@@ -705,6 +1193,14 @@ fs_search_nfs(xserver_t)
@@ -705,6 +1195,14 @@ fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@ -25605,7 +25606,7 @@ index 8b40377..2a244f6 100644
mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t)
@@ -718,20 +1214,18 @@ init_getpgid(xserver_t)
@@ -718,20 +1216,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@ -25629,7 +25630,7 @@ index 8b40377..2a244f6 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
@@ -739,8 +1233,6 @@ userdom_setattr_user_ttys(xserver_t)
@@ -739,8 +1235,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
@ -25638,7 +25639,7 @@ index 8b40377..2a244f6 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
@@ -785,17 +1277,44 @@ optional_policy(`
@@ -785,17 +1279,44 @@ optional_policy(`
')
optional_policy(`
@ -25685,7 +25686,7 @@ index 8b40377..2a244f6 100644
')
optional_policy(`
@@ -803,6 +1322,10 @@ optional_policy(`
@@ -803,6 +1324,10 @@ optional_policy(`
')
optional_policy(`
@ -25696,7 +25697,7 @@ index 8b40377..2a244f6 100644
xfs_stream_connect(xserver_t)
')
@@ -818,10 +1341,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
@@ -818,10 +1343,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@ -25710,7 +25711,7 @@ index 8b40377..2a244f6 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
@@ -829,7 +1352,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
@@ -829,7 +1354,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@ -25719,7 +25720,7 @@ index 8b40377..2a244f6 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
@@ -842,26 +1365,21 @@ init_use_fds(xserver_t)
@@ -842,26 +1367,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@ -25754,7 +25755,7 @@ index 8b40377..2a244f6 100644
')
optional_policy(`
@@ -912,7 +1430,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
@@ -912,7 +1432,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -25763,7 +25764,7 @@ index 8b40377..2a244f6 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
@@ -966,11 +1484,31 @@ allow x_domain self:x_resource { read write };
@@ -966,11 +1486,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@ -25795,7 +25796,7 @@ index 8b40377..2a244f6 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
@@ -992,18 +1530,150 @@ tunable_policy(`! xserver_object_manager',`
@@ -992,18 +1532,150 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@ -33298,7 +33299,7 @@ index 4e94884..b144ffe 100644
+ logging_log_filetrans($1, var_log_t, dir, "anaconda")
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 59b04c1..cdc1c76 100644
index 59b04c1..1259fbd 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -4,6 +4,21 @@ policy_module(logging, 1.20.1)
@ -33497,7 +33498,7 @@ index 59b04c1..cdc1c76 100644
# sys_nice for rsyslog
# cjp: why net_admin!
-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
+allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid };
+allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid net_raw };
dontaudit syslogd_t self:capability sys_tty_config;
+allow syslogd_t self:capability2 { syslog block_suspend };
# setpgid for metalog
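Review bot: The rewritten `+allow syslogd_t self:capability { ... }` line lists `setuid` and `setgid` twice (once after `net_admin`, again after `fsetid`); checkpolicy accepts the duplicates, but the set should be deduplicated so the line reads as intended. The new `net_raw` member, paired with the `+allow syslogd_t self:rawip_socket create_socket_perms;` rule in the following hunk, lets the log daemon open raw IP sockets, which is a considerably broader grant than the port-scoped tcp/udp rules the block already has, and nothing in the hunk records which rsyslog feature requires it. In the style of the existing `# sys_nice for rsyslog` line, add a justification above it such as `# net_raw + rawip_socket: needed by rsyslog <MODULE OR FEATURE: fill in>`, and if only one optional output module needs it, consider gating both rules behind a boolean rather than granting them unconditionally. The `syslogd_t` rule block continues outside this hunk.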
@ -33509,15 +33510,18 @@ index 59b04c1..cdc1c76 100644
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
@@ -371,6 +413,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
@@ -369,8 +411,10 @@ allow syslogd_t self:unix_dgram_socket sendto;
allow syslogd_t self:fifo_file rw_fifo_file_perms;
allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
+allow syslogd_t self:rawip_socket create_socket_perms;
allow syslogd_t syslog_conf_t:file read_file_perms;
+allow syslogd_t syslog_conf_t:dir list_dir_perms;
# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
@@ -389,30 +432,46 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
@@ -389,30 +433,46 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
@ -33567,7 +33571,7 @@ index 59b04c1..cdc1c76 100644
# syslog-ng can listen and connect on tcp port 514 (rsh)
corenet_tcp_sendrecv_generic_if(syslogd_t)
corenet_tcp_sendrecv_generic_node(syslogd_t)
@@ -422,6 +481,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
@@ -422,6 +482,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
corenet_tcp_connect_rsh_port(syslogd_t)
# Allow users to define additional syslog ports to connect to
corenet_tcp_bind_syslogd_port(syslogd_t)
@ -33576,7 +33580,7 @@ index 59b04c1..cdc1c76 100644
corenet_tcp_connect_syslogd_port(syslogd_t)
corenet_tcp_connect_postgresql_port(syslogd_t)
corenet_tcp_connect_mysqld_port(syslogd_t)
@@ -432,9 +493,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
@@ -432,9 +494,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t)
@ -33604,7 +33608,7 @@ index 59b04c1..cdc1c76 100644
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
@@ -448,13 +526,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
@@ -448,13 +527,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
fs_getattr_all_fs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)
@ -33622,7 +33626,7 @@ index 59b04c1..cdc1c76 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
@@ -466,11 +548,11 @@ init_use_fds(syslogd_t)
@@ -466,11 +549,11 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@ -33637,7 +33641,7 @@ index 59b04c1..cdc1c76 100644
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
@@ -507,15 +589,40 @@ optional_policy(`
@@ -507,15 +590,40 @@ optional_policy(`
')
optional_policy(`
@ -33678,7 +33682,7 @@ index 59b04c1..cdc1c76 100644
')
optional_policy(`
@@ -526,3 +633,26 @@ optional_policy(`
@@ -526,3 +634,26 @@ optional_policy(`
# log to the xconsole
xserver_rw_console(syslogd_t)
')
@ -41857,10 +41861,10 @@ index 5fe902d..fcc9efe 100644
+ rpm_transition_script(unconfined_service_t, system_r)
')
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
index db75976..e4eb903 100644
index db75976..4ca3a28 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
@@ -1,4 +1,24 @@
@@ -1,4 +1,28 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
@ -41886,8 +41890,12 @@ index db75976..e4eb903 100644
+HOME_DIR/\.texlive2014(/.*)? gen_context(system_u:object_r:texlive_home_t,s0)
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
+
+/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 9dc60c6..b921b57 100644
index 9dc60c6..102478f 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -44163,7 +44171,34 @@ index 9dc60c6..b921b57 100644
')
########################################
@@ -2661,6 +3341,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
@@ -2538,6 +3218,26 @@ interface(`userdom_manage_user_tmp_files',`
########################################
## <summary>
## Create, read, write, and delete user
+## temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_filetrans_named_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root")
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete user
## temporary symbolic links.
## </summary>
## <param name="domain">
@@ -2661,6 +3361,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
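Review bot: The summary block written for the new `userdom_filetrans_named_user_tmp_files` interface reads "Create, read, write, and delete user temporary files." because its first line was borrowed from the neighbouring manage interface; the body only declares a name-based transition for the `hsperfdata_root` directory under /tmp to `user_tmp_t` and grants search on tmp, so the documentation promises far more access than the interface gives. Replace that summary with `## Transition the hsperfdata_root directory created in /tmp to user_tmp_t.` and note in the same block that only the `dir` class is transitioned, since the interface name says "files" while the `files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root")` call covers directories only. The hunk headed `@@ -2661,6 +3361,25 @@` below is the renumbered remainder of the same change and needs nothing further.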
@ -44189,7 +44224,7 @@ index 9dc60c6..b921b57 100644
########################################
## <summary>
## Read user tmpfs files.
@@ -2677,13 +3376,14 @@ interface(`userdom_read_user_tmpfs_files',`
@@ -2677,13 +3396,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@ -44205,7 +44240,7 @@ index 9dc60c6..b921b57 100644
## </summary>
## <param name="domain">
## <summary>
@@ -2704,7 +3404,7 @@ interface(`userdom_rw_user_tmpfs_files',`
@@ -2704,7 +3424,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@ -44214,7 +44249,7 @@ index 9dc60c6..b921b57 100644
## </summary>
## <param name="domain">
## <summary>
@@ -2712,14 +3412,30 @@ interface(`userdom_rw_user_tmpfs_files',`
@@ -2712,14 +3432,30 @@ interface(`userdom_rw_user_tmpfs_files',`
## </summary>
## </param>
#
@ -44249,7 +44284,7 @@ index 9dc60c6..b921b57 100644
')
########################################
@@ -2814,6 +3530,24 @@ interface(`userdom_use_user_ttys',`
@@ -2814,6 +3550,24 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
@ -44274,7 +44309,7 @@ index 9dc60c6..b921b57 100644
## Read and write a user domain pty.
## </summary>
## <param name="domain">
@@ -2832,22 +3566,34 @@ interface(`userdom_use_user_ptys',`
@@ -2832,22 +3586,34 @@ interface(`userdom_use_user_ptys',`
########################################
## <summary>
@ -44317,7 +44352,7 @@ index 9dc60c6..b921b57 100644
## </desc>
## <param name="domain">
## <summary>
@@ -2856,14 +3602,33 @@ interface(`userdom_use_user_ptys',`
@@ -2856,14 +3622,33 @@ interface(`userdom_use_user_ptys',`
## </param>
## <infoflow type="both" weight="10"/>
#
@ -44355,7 +44390,7 @@ index 9dc60c6..b921b57 100644
')
########################################
@@ -2882,8 +3647,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
@@ -2882,8 +3667,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@ -44385,7 +44420,7 @@ index 9dc60c6..b921b57 100644
')
########################################
@@ -2955,69 +3739,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
@@ -2955,69 +3759,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@ -44486,7 +44521,7 @@ index 9dc60c6..b921b57 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3025,12 +3808,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
@@ -3025,12 +3828,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
## </summary>
## </param>
#
@ -44501,7 +44536,7 @@ index 9dc60c6..b921b57 100644
')
########################################
@@ -3094,7 +3877,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
@@ -3094,7 +3897,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@ -44510,7 +44545,7 @@ index 9dc60c6..b921b57 100644
allow unpriv_userdomain $1:process sigchld;
')
@@ -3110,29 +3893,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
@@ -3110,16 +3913,18 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@ -44521,11 +44556,33 @@ index 9dc60c6..b921b57 100644
files_list_home($1)
- allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
+ allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
+ allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms;
')
########################################
## <summary>
-## Send signull to unprivileged user domains.
+## Send general signals to unprivileged user domains.
## </summary>
## <param name="domain">
## <summary>
@@ -3127,30 +3932,12 @@ interface(`userdom_search_user_home_content',`
## </summary>
## </param>
#
-interface(`userdom_signull_unpriv_users',`
+interface(`userdom_signal_unpriv_users',`
gen_require(`
attribute unpriv_userdomain;
')
- allow $1 unpriv_userdomain:process signull;
-')
-
-########################################
-## <summary>
-## Send signull to unprivileged user domains.
-## Send general signals to unprivileged user domains.
-## </summary>
-## <param name="domain">
-## <summary>
@ -44533,75 +44590,44 @@ index 9dc60c6..b921b57 100644
-## </summary>
-## </param>
-#
-interface(`userdom_signull_unpriv_users',`
-interface(`userdom_signal_unpriv_users',`
- gen_require(`
- attribute unpriv_userdomain;
- ')
-
- allow $1 unpriv_userdomain:process signull;
+ allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
+ allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms;
- allow $1 unpriv_userdomain:process signal;
+ allow $1 unpriv_userdomain:process signal;
')
########################################
@@ -3214,31 +3981,49 @@ interface(`userdom_dontaudit_use_user_ptys',`
@@ -3214,7 +4001,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
- dontaudit $1 user_devpts_t:chr_file rw_file_perms;
+ dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms;
')
########################################
## <summary>
-## Relabel files to unprivileged user pty types.
+## Do not audit attempts to open user ptys.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`userdom_relabelto_user_ptys',`
+interface(`userdom_dontaudit_open_user_ptys',`
gen_require(`
type user_devpts_t;
')
- allow $1 user_devpts_t:chr_file relabelto;
+ dontaudit $1 user_devpts_t:chr_file open;
')
########################################
## <summary>
-## Do not audit attempts to relabel files from
-## user pty types.
+## Relabel files to unprivileged user pty types.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_relabelto_user_ptys',`
+ gen_require(`
+ type user_devpts_t;
+ ')
+
+ allow $1 user_devpts_t:chr_file relabelto;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to relabel files from
+## user pty types.
## </summary>
## <param name="domain">
## <summary>
@@ -3269,7 +4054,83 @@ interface(`userdom_write_user_tmp_files',`
+## Do not audit attempts to open user ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_open_user_ptys',`
+ gen_require(`
+ type user_devpts_t;
+ ')
+
+ dontaudit $1 user_devpts_t:chr_file open;
')
########################################
@@ -3269,7 +4074,83 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@ -44686,7 +44712,7 @@ index 9dc60c6..b921b57 100644
')
########################################
@@ -3287,7 +4148,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
@@ -3287,7 +4168,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
type user_tty_device_t;
')
@ -44695,7 +44721,7 @@ index 9dc60c6..b921b57 100644
')
########################################
@@ -3306,6 +4167,7 @@ interface(`userdom_read_all_users_state',`
@@ -3306,6 +4187,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@ -44703,7 +44729,7 @@ index 9dc60c6..b921b57 100644
kernel_search_proc($1)
')
@@ -3382,6 +4244,42 @@ interface(`userdom_signal_all_users',`
@@ -3382,6 +4264,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@ -44746,7 +44772,7 @@ index 9dc60c6..b921b57 100644
########################################
## <summary>
## Send a SIGCHLD signal to all user domains.
@@ -3402,6 +4300,24 @@ interface(`userdom_sigchld_all_users',`
@@ -3402,6 +4320,24 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
@ -44771,7 +44797,7 @@ index 9dc60c6..b921b57 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
@@ -3435,4 +4351,1680 @@ interface(`userdom_dbus_send_all_users',`
@@ -3435,4 +4371,1680 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
@ -44940,7 +44966,7 @@ index 9dc60c6..b921b57 100644
+
+ allow $1 admin_home_t:lnk_file read_lnk_file_perms;
+ allow $1 admin_home_t:dir list_dir_perms;
+')
')
+
+########################################
+## <summary>
@ -44959,7 +44985,7 @@ index 9dc60c6..b921b57 100644
+
+ allow $1 admin_home_t:lnk_file read_lnk_file_perms;
+ allow $1 admin_home_t:dir search_dir_perms;
')
+')
+
+########################################
+## <summary>
@ -14431,10 +14431,10 @@ index 0000000..54b4b04
+')
diff --git a/conman.te b/conman.te
new file mode 100644
index 0000000..0de2d4d
index 0000000..d6b0314
--- /dev/null
+++ b/conman.te
@@ -0,0 +1,45 @@
@@ -0,0 +1,49 @@
+policy_module(conman, 1.0.0)
+
+########################################
@ -14462,7 +14462,7 @@ index 0000000..0de2d4d
+
+allow conman_t self:fifo_file rw_fifo_file_perms;
+allow conman_t self:unix_stream_socket create_stream_socket_perms;
+allow conman_t self:tcp_socket { listen create_socket_perms };
+allow conman_t self:tcp_socket { accept listen create_socket_perms };
+
+manage_dirs_pattern(conman_t, conman_log_t, conman_log_t)
+manage_files_pattern(conman_t, conman_log_t, conman_log_t)
@ -14477,6 +14477,10 @@ index 0000000..0de2d4d
+
+logging_send_syslog_msg(conman_t)
+
+sysnet_dns_name_resolve(conman_t)
+
+userdom_use_user_ptys(conman_t)
+
+optional_policy(`
+ freeipmi_stream_connect(conman_t)
+')
@ -53622,7 +53626,7 @@ index 97df768..852d1c6 100644
+ admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
')
diff --git a/nslcd.te b/nslcd.te
index 421bf1a..b80dbe5 100644
index 421bf1a..e3f91f6 100644
--- a/nslcd.te
+++ b/nslcd.te
@@ -20,12 +20,12 @@ files_config_file(nslcd_conf_t)
@ -53636,7 +53640,7 @@ index 421bf1a..b80dbe5 100644
-allow nslcd_t self:capability { setgid setuid dac_override };
-allow nslcd_t self:process signal;
-allow nslcd_t self:unix_stream_socket { accept listen };
+allow nslcd_t self:capability { dac_override setgid setuid sys_nice };
+allow nslcd_t self:capability { chown dac_override setgid setuid sys_nice };
+allow nslcd_t self:process { setsched signal signull };
+allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
@ -60369,7 +60373,7 @@ index d2fc677..ded726f 100644
')
+
diff --git a/pegasus.te b/pegasus.te
index 608f454..aa814c8 100644
index 608f454..6054e92 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
@ -60388,7 +60392,7 @@ index 608f454..aa814c8 100644
type pegasus_cache_t;
files_type(pegasus_cache_t)
@@ -30,20 +29,319 @@ files_type(pegasus_mof_t)
@@ -30,20 +29,324 @@ files_type(pegasus_mof_t)
type pegasus_var_run_t;
files_pid_file(pegasus_var_run_t)
@ -60566,6 +60570,8 @@ index 608f454..aa814c8 100644
+# pegasus openlmi service local policy
+#
+
+fs_getattr_all_fs(pegasus_openlmi_admin_t)
+
+init_manage_transient_unit(pegasus_openlmi_admin_t)
+init_disable_services(pegasus_openlmi_admin_t)
+init_enable_services(pegasus_openlmi_admin_t)
@ -60580,6 +60586,9 @@ index 608f454..aa814c8 100644
+
+allow pegasus_openlmi_service_t self:udp_socket create_socket_perms;
+
+logging_read_syslog_pid(pegasus_openlmi_admin_t)
+logging_read_generic_logs(pegasus_openlmi_admin_t)
+
+optional_policy(`
+ dbus_system_bus_client(pegasus_openlmi_admin_t)
+
@ -60713,7 +60722,7 @@ index 608f454..aa814c8 100644
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
@@ -54,22 +352,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
@@ -54,22 +357,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@ -60744,7 +60753,7 @@ index 608f454..aa814c8 100644
kernel_read_network_state(pegasus_t)
kernel_read_kernel_sysctls(pegasus_t)
@@ -80,27 +378,21 @@ kernel_read_net_sysctls(pegasus_t)
@@ -80,27 +383,21 @@ kernel_read_net_sysctls(pegasus_t)
kernel_read_xen_state(pegasus_t)
kernel_write_xen_state(pegasus_t)
@ -60777,7 +60786,7 @@ index 608f454..aa814c8 100644
corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t)
@@ -114,9 +406,11 @@ files_getattr_all_dirs(pegasus_t)
@@ -114,9 +411,11 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
@ -60789,7 +60798,7 @@ index 608f454..aa814c8 100644
files_list_var_lib(pegasus_t)
files_read_var_lib_files(pegasus_t)
@@ -128,18 +422,29 @@ init_stream_connect_script(pegasus_t)
@@ -128,18 +427,29 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t)
@ -60825,7 +60834,7 @@ index 608f454..aa814c8 100644
')
optional_policy(`
@@ -151,16 +456,24 @@ optional_policy(`
@@ -151,16 +461,24 @@ optional_policy(`
')
optional_policy(`
@ -60854,7 +60863,7 @@ index 608f454..aa814c8 100644
')
optional_policy(`
@@ -168,7 +481,7 @@ optional_policy(`
@@ -168,7 +486,7 @@ optional_policy(`
')
optional_policy(`
@ -60863,7 +60872,7 @@ index 608f454..aa814c8 100644
')
optional_policy(`
@@ -180,6 +493,7 @@ optional_policy(`
@@ -180,6 +498,7 @@ optional_policy(`
')
optional_policy(`
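Review bot: The `chown` added in `+allow nslcd_t self:capability { chown dac_override setgid setuid sys_nice };` in the nslcd.te hunk has no comment saying which file nslcd needs to re-own, so a later cleanup cannot tell whether the capability is still required or narrow it; a line above the rule such as `# chown: <operation from the AVC that motivated it — fill in>` would record that. Because dac_override is already granted to the same domain, adding chown widens what nslcd_t can do to any file it reaches, and the intended target belongs in the policy itself rather than only in the changelog entry. The same applies to `+logging_read_generic_logs(pegasus_openlmi_admin_t)` and `+fs_getattr_all_fs(pegasus_openlmi_admin_t)` in the pegasus.te hunks, which presumably serve one specific OpenLMI provider that a one-line comment should name.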
@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 43%{?dist}
Release: 44%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -588,6 +588,15 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Tue Apr 8 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-44
- Change hsperfdata_root to have as user_tmp_t
- Allow rsyslog low-level network access
- Fix use_nfs_home_dirs/use_samba_home_dirs for xdm_t to allow append .xsession-errors by lightdm
- Allow conman to resolve DNS and use user ptys
- update pegasus_openlmi_admin_t policy
- nslcd wants chown capability
- Dontaudit exec insmod in boinc policy
* Fri Apr 4 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-43
- Add labels for /var/named/chroot_sdb/dev devices
- Add support for strongimcv