- Fix virt_use_samba boolean
- Looks like all domains that use dbus libraries are now reading /dev/urandom - Add glance_use_fusefs() boolean - Allow tgtd to read /proc/net/psched - Additional access required for gear management of openshift directories - Allow sys_ptrace for mock-build - Fix mock_read_lib_files() interface - Allow mock-build to write all inherited ttys and ptys - Allow spamd to create razor home dirs with correct labeling - Clean up sysnet_use_ldap() - systemd calling needs to be optional - Allow init_t to setattr/relabelfrom dhcp state files
This commit is contained in:
parent
345f520dd6
commit
3f5abd2216
@ -8744,7 +8744,7 @@ index 6a1e4d1..84e8030 100644
|
||||
+ dontaudit $1 domain:dir_file_class_set audit_access;
|
||||
')
|
||||
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
|
||||
index cf04cb5..806e1cc 100644
|
||||
index cf04cb5..e0615d1 100644
|
||||
--- a/policy/modules/kernel/domain.te
|
||||
+++ b/policy/modules/kernel/domain.te
|
||||
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
|
||||
@ -8785,7 +8785,7 @@ index cf04cb5..806e1cc 100644
|
||||
|
||||
# Transitions only allowed from domains to other domains
|
||||
neverallow domain ~domain:process { transition dyntransition };
|
||||
@@ -86,23 +110,46 @@ neverallow ~{ domain unlabeled_t } *:process *;
|
||||
@@ -86,23 +110,47 @@ neverallow ~{ domain unlabeled_t } *:process *;
|
||||
allow domain self:dir list_dir_perms;
|
||||
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
|
||||
allow domain self:file rw_file_perms;
|
||||
@ -8827,13 +8827,14 @@ index cf04cb5..806e1cc 100644
|
||||
+# All executables should be able to search the directory they are in
|
||||
+corecmd_search_bin(domain)
|
||||
+
|
||||
+
|
||||
+tunable_policy(`domain_kernel_load_modules',`
|
||||
+ kernel_request_load_module(domain)
|
||||
+')
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
# This check is in the general socket
|
||||
@@ -121,8 +168,18 @@ tunable_policy(`global_ssp',`
|
||||
@@ -121,8 +169,18 @@ tunable_policy(`global_ssp',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -8852,7 +8853,7 @@ index cf04cb5..806e1cc 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -133,6 +190,9 @@ optional_policy(`
|
||||
@@ -133,6 +191,9 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
xserver_dontaudit_use_xdm_fds(domain)
|
||||
xserver_dontaudit_rw_xdm_pipes(domain)
|
||||
@ -8862,7 +8863,7 @@ index cf04cb5..806e1cc 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -147,12 +207,18 @@ optional_policy(`
|
||||
@@ -147,12 +208,18 @@ optional_policy(`
|
||||
# Use/sendto/connectto sockets created by any domain.
|
||||
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
|
||||
|
||||
@ -8882,7 +8883,7 @@ index cf04cb5..806e1cc 100644
|
||||
|
||||
# Create/access any System V IPC objects.
|
||||
allow unconfined_domain_type domain:{ sem msgq shm } *;
|
||||
@@ -166,5 +232,346 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
|
||||
@@ -166,5 +233,347 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
|
||||
# act on all domains keys
|
||||
allow unconfined_domain_type domain:key *;
|
||||
|
||||
@ -9086,6 +9087,7 @@ index cf04cb5..806e1cc 100644
|
||||
+ systemd_filetrans_named_content(named_filetrans_domain)
|
||||
+ systemd_filetrans_named_hostname(named_filetrans_domain)
|
||||
+ systemd_filetrans_home_content(named_filetrans_domain)
|
||||
+ systemd_dontaudit_write_inherited_logind_sessions_pipes(domain)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
@ -27067,7 +27069,7 @@ index 3efd5b6..0bd3a26 100644
|
||||
+ allow $1 login_pgm:process sigchld;
|
||||
+')
|
||||
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
|
||||
index 09b791d..73376ca 100644
|
||||
index 09b791d..ff0708e 100644
|
||||
--- a/policy/modules/system/authlogin.te
|
||||
+++ b/policy/modules/system/authlogin.te
|
||||
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
|
||||
@ -27338,17 +27340,37 @@ index 09b791d..73376ca 100644
|
||||
files_list_var_lib(nsswitch_domain)
|
||||
|
||||
# read /etc/nsswitch.conf
|
||||
@@ -417,15 +453,21 @@ files_read_etc_files(nsswitch_domain)
|
||||
@@ -417,15 +453,42 @@ files_read_etc_files(nsswitch_domain)
|
||||
|
||||
sysnet_dns_name_resolve(nsswitch_domain)
|
||||
|
||||
-tunable_policy(`authlogin_nsswitch_use_ldap',`
|
||||
- files_list_var_lib(nsswitch_domain)
|
||||
+systemd_hostnamed_read_config(nsswitch_domain)
|
||||
+
|
||||
+
|
||||
tunable_policy(`authlogin_nsswitch_use_ldap',`
|
||||
- files_list_var_lib(nsswitch_domain)
|
||||
+ allow nsswitch_domain self:tcp_socket create_socket_perms;
|
||||
+')
|
||||
+
|
||||
+tunable_policy(`authlogin_nsswitch_use_ldap',`
|
||||
+ corenet_tcp_sendrecv_generic_if(nsswitch_domain)
|
||||
+ corenet_tcp_sendrecv_generic_node(nsswitch_domain)
|
||||
+ corenet_tcp_sendrecv_ldap_port(nsswitch_domain)
|
||||
+ corenet_tcp_connect_ldap_port(nsswitch_domain)
|
||||
+ corenet_sendrecv_ldap_client_packets(nsswitch_domain)
|
||||
+')
|
||||
+
|
||||
+tunable_policy(`authlogin_nsswitch_use_ldap',`
|
||||
+ # Support for LDAPS
|
||||
+ dev_read_rand(nsswitch_domain)
|
||||
+ # LDAP Configuration using encrypted requires
|
||||
+ dev_read_urand(nsswitch_domain)
|
||||
+ sysnet_read_config(nsswitch_domain)
|
||||
+')
|
||||
|
||||
+tunable_policy(`authlogin_nsswitch_use_ldap',`
|
||||
miscfiles_read_generic_certs(nsswitch_domain)
|
||||
sysnet_use_ldap(nsswitch_domain)
|
||||
- sysnet_use_ldap(nsswitch_domain)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
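Review bot: The three consecutive `tunable_policy(`authlogin_nsswitch_use_ldap',` blocks (the tcp_socket allow, the corenet_* calls, and the dev_read_rand/dev_read_urand plus sysnet_read_config group) test the same boolean and contain only plain rules, so they can be merged into one block; only the `ldap_read_certs` call needs the separate `optional_policy(` wrapper that this hunk already gives it. As written the boolean is evaluated in four places and a reader has to collect all of them to see the full LDAP grant. The context line `sysnet_use_ldap(nsswitch_domain)` inside the last block suggests the interface call is kept alongside its expansion, which would make the expanded rules redundant — worth confirming against the new side. The same split appears in the `dhcpd_use_ldap` blocks of dhcp.te further down. If the layout is deliberate, a one-line comment above the first block saying so would save the next reader the question.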
@ -27359,10 +27381,11 @@ index 09b791d..73376ca 100644
|
||||
+
|
||||
+optional_policy(`
|
||||
+ tunable_policy(`authlogin_nsswitch_use_ldap',`
|
||||
+ ldap_read_certs(nsswitch_domain)
|
||||
ldap_stream_connect(nsswitch_domain)
|
||||
')
|
||||
')
|
||||
@@ -438,6 +480,7 @@ optional_policy(`
|
||||
@@ -438,6 +501,7 @@ optional_policy(`
|
||||
likewise_stream_connect_lsassd(nsswitch_domain)
|
||||
')
|
||||
|
||||
@ -27370,7 +27393,7 @@ index 09b791d..73376ca 100644
|
||||
optional_policy(`
|
||||
kerberos_use(nsswitch_domain)
|
||||
')
|
||||
@@ -456,10 +499,145 @@ optional_policy(`
|
||||
@@ -456,10 +520,145 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
sssd_stream_connect(nsswitch_domain)
|
||||
@ -31296,7 +31319,7 @@ index 0d4c8d3..e6ffda3 100644
|
||||
+ ps_process_pattern($1, ipsec_mgmt_t)
|
||||
+')
|
||||
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
|
||||
index 312cd04..d6d434a 100644
|
||||
index 312cd04..3c62b4c 100644
|
||||
--- a/policy/modules/system/ipsec.te
|
||||
+++ b/policy/modules/system/ipsec.te
|
||||
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
|
||||
@ -31493,7 +31516,7 @@ index 312cd04..d6d434a 100644
|
||||
|
||||
init_read_utmp(ipsec_mgmt_t)
|
||||
init_use_script_ptys(ipsec_mgmt_t)
|
||||
@@ -288,17 +325,22 @@ init_exec_script_files(ipsec_mgmt_t)
|
||||
@@ -288,17 +325,23 @@ init_exec_script_files(ipsec_mgmt_t)
|
||||
init_use_fds(ipsec_mgmt_t)
|
||||
init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
|
||||
|
||||
@ -31517,11 +31540,12 @@ index 312cd04..d6d434a 100644
|
||||
+optional_policy(`
|
||||
+ bind_read_dnssec_keys(ipsec_mgmt_t)
|
||||
+ bind_read_config(ipsec_mgmt_t)
|
||||
+ bind_read_state(ipsec_mgmt_t)
|
||||
+')
|
||||
|
||||
optional_policy(`
|
||||
consoletype_exec(ipsec_mgmt_t)
|
||||
@@ -322,6 +364,10 @@ optional_policy(`
|
||||
@@ -322,6 +365,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -31532,7 +31556,7 @@ index 312cd04..d6d434a 100644
|
||||
modutils_domtrans_insmod(ipsec_mgmt_t)
|
||||
')
|
||||
|
||||
@@ -335,7 +381,7 @@ optional_policy(`
|
||||
@@ -335,7 +382,7 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow racoon_t self:capability { net_admin net_bind_service };
|
||||
@ -31541,7 +31565,7 @@ index 312cd04..d6d434a 100644
|
||||
allow racoon_t self:unix_dgram_socket { connect create ioctl write };
|
||||
allow racoon_t self:netlink_selinux_socket { bind create read };
|
||||
allow racoon_t self:udp_socket create_socket_perms;
|
||||
@@ -370,13 +416,12 @@ kernel_request_load_module(racoon_t)
|
||||
@@ -370,13 +417,12 @@ kernel_request_load_module(racoon_t)
|
||||
corecmd_exec_shell(racoon_t)
|
||||
corecmd_exec_bin(racoon_t)
|
||||
|
||||
@ -31561,7 +31585,7 @@ index 312cd04..d6d434a 100644
|
||||
corenet_udp_bind_isakmp_port(racoon_t)
|
||||
corenet_udp_bind_ipsecnat_port(racoon_t)
|
||||
|
||||
@@ -401,10 +446,10 @@ locallogin_use_fds(racoon_t)
|
||||
@@ -401,10 +447,10 @@ locallogin_use_fds(racoon_t)
|
||||
logging_send_syslog_msg(racoon_t)
|
||||
logging_send_audit_msgs(racoon_t)
|
||||
|
||||
@ -31574,7 +31598,7 @@ index 312cd04..d6d434a 100644
|
||||
auth_can_read_shadow_passwords(racoon_t)
|
||||
tunable_policy(`racoon_read_shadow',`
|
||||
auth_tunable_read_shadow(racoon_t)
|
||||
@@ -438,9 +483,8 @@ corenet_setcontext_all_spds(setkey_t)
|
||||
@@ -438,9 +484,8 @@ corenet_setcontext_all_spds(setkey_t)
|
||||
|
||||
locallogin_use_fds(setkey_t)
|
||||
|
||||
@ -37506,7 +37530,7 @@ index 40edc18..a072ac2 100644
|
||||
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
|
||||
+
|
||||
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
|
||||
index 2cea692..1c0de21 100644
|
||||
index 2cea692..e094fc0 100644
|
||||
--- a/policy/modules/system/sysnetwork.if
|
||||
+++ b/policy/modules/system/sysnetwork.if
|
||||
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
|
||||
@ -37843,17 +37867,22 @@ index 2cea692..1c0de21 100644
|
||||
corenet_tcp_sendrecv_generic_if($1)
|
||||
corenet_tcp_sendrecv_generic_node($1)
|
||||
corenet_tcp_sendrecv_ldap_port($1)
|
||||
@@ -763,6 +968,9 @@ interface(`sysnet_use_ldap',`
|
||||
@@ -760,9 +965,14 @@ interface(`sysnet_use_ldap',`
|
||||
|
||||
# Support for LDAPS
|
||||
dev_read_rand($1)
|
||||
+ # LDAP Configuration using encrypted requires
|
||||
dev_read_urand($1)
|
||||
|
||||
sysnet_read_config($1)
|
||||
+
|
||||
+ # LDAP Configuration using encrypted requires
|
||||
+ dev_read_urand($1)
|
||||
+ optional_policy(`
|
||||
+ ldap_read_certs($1)
|
||||
+ ')
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -784,7 +992,6 @@ interface(`sysnet_use_portmap',`
|
||||
@@ -784,7 +994,6 @@ interface(`sysnet_use_portmap',`
|
||||
allow $1 self:udp_socket create_socket_perms;
|
||||
|
||||
corenet_all_recvfrom_unlabeled($1)
|
||||
@ -37861,7 +37890,7 @@ index 2cea692..1c0de21 100644
|
||||
corenet_tcp_sendrecv_generic_if($1)
|
||||
corenet_udp_sendrecv_generic_if($1)
|
||||
corenet_tcp_sendrecv_generic_node($1)
|
||||
@@ -796,3 +1003,115 @@ interface(`sysnet_use_portmap',`
|
||||
@@ -796,3 +1005,115 @@ interface(`sysnet_use_portmap',`
|
||||
|
||||
sysnet_read_config($1)
|
||||
')
|
||||
@ -37978,7 +38007,7 @@ index 2cea692..1c0de21 100644
|
||||
+ files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns")
|
||||
+')
|
||||
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
|
||||
index a392fc4..b0a854f 100644
|
||||
index a392fc4..f1782ee 100644
|
||||
--- a/policy/modules/system/sysnetwork.te
|
||||
+++ b/policy/modules/system/sysnetwork.te
|
||||
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4)
|
||||
@ -38208,7 +38237,7 @@ index a392fc4..b0a854f 100644
|
||||
vmware_append_log(dhcpc_t)
|
||||
')
|
||||
|
||||
@@ -264,12 +312,23 @@ allow ifconfig_t self:msgq create_msgq_perms;
|
||||
@@ -264,12 +312,24 @@ allow ifconfig_t self:msgq create_msgq_perms;
|
||||
allow ifconfig_t self:msg { send receive };
|
||||
# Create UDP sockets, necessary when called from dhcpc
|
||||
allow ifconfig_t self:udp_socket create_socket_perms;
|
||||
@ -38225,6 +38254,7 @@ index a392fc4..b0a854f 100644
|
||||
+can_exec(ifconfig_t, ifconfig_exec_t)
|
||||
+
|
||||
+manage_files_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t)
|
||||
+manage_lnk_files_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t)
|
||||
+create_dirs_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t)
|
||||
+files_pid_filetrans(ifconfig_t, ifconfig_var_run_t, { file dir })
|
||||
+allow ifconfig_t ifconfig_var_run_t:file mounton;
|
||||
@ -38232,7 +38262,7 @@ index a392fc4..b0a854f 100644
|
||||
kernel_use_fds(ifconfig_t)
|
||||
kernel_read_system_state(ifconfig_t)
|
||||
kernel_read_network_state(ifconfig_t)
|
||||
@@ -279,14 +338,31 @@ kernel_rw_net_sysctls(ifconfig_t)
|
||||
@@ -279,14 +339,32 @@ kernel_rw_net_sysctls(ifconfig_t)
|
||||
|
||||
corenet_rw_tun_tap_dev(ifconfig_t)
|
||||
|
||||
@ -38249,7 +38279,8 @@ index a392fc4..b0a854f 100644
|
||||
+dev_unmount_sysfs_fs(ifconfig_t)
|
||||
|
||||
domain_use_interactive_fds(ifconfig_t)
|
||||
|
||||
+domain_read_all_domains_state(ifconfig_t)
|
||||
+
|
||||
+read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t)
|
||||
+
|
||||
+files_dontaudit_rw_inherited_pipes(ifconfig_t)
|
||||
@ -38257,14 +38288,14 @@ index a392fc4..b0a854f 100644
|
||||
+files_dontaudit_read_root_files(ifconfig_t)
|
||||
+files_rw_inherited_tmp_file(ifconfig_t)
|
||||
+files_dontaudit_rw_var_files(ifconfig_t)
|
||||
+
|
||||
|
||||
files_read_etc_files(ifconfig_t)
|
||||
files_read_etc_runtime_files(ifconfig_t)
|
||||
+files_read_usr_files(ifconfig_t)
|
||||
|
||||
fs_getattr_xattr_fs(ifconfig_t)
|
||||
fs_search_auto_mountpoints(ifconfig_t)
|
||||
@@ -299,24 +375,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
|
||||
@@ -299,33 +377,50 @@ term_dontaudit_use_all_ptys(ifconfig_t)
|
||||
term_dontaudit_use_ptmx(ifconfig_t)
|
||||
term_dontaudit_use_generic_ptys(ifconfig_t)
|
||||
|
||||
@ -38292,8 +38323,13 @@ index a392fc4..b0a854f 100644
|
||||
+userdom_use_inherited_user_terminals(ifconfig_t)
|
||||
userdom_use_all_users_fds(ifconfig_t)
|
||||
|
||||
+optional_policy(`
|
||||
+ hostname_exec(ifconfig_t)
|
||||
+')
|
||||
+
|
||||
ifdef(`distro_ubuntu',`
|
||||
@@ -325,7 +399,22 @@ ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(ifconfig_t)
|
||||
')
|
||||
')
|
||||
|
||||
@ -38316,7 +38352,7 @@ index a392fc4..b0a854f 100644
|
||||
optional_policy(`
|
||||
dev_dontaudit_rw_cardmgr(ifconfig_t)
|
||||
')
|
||||
@@ -336,7 +425,11 @@ ifdef(`hide_broken_symptoms',`
|
||||
@@ -336,7 +431,11 @@ ifdef(`hide_broken_symptoms',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -38329,7 +38365,7 @@ index a392fc4..b0a854f 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -350,7 +443,15 @@ optional_policy(`
|
||||
@@ -350,7 +449,15 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -38346,7 +38382,7 @@ index a392fc4..b0a854f 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -371,3 +472,13 @@ optional_policy(`
|
||||
@@ -371,3 +478,13 @@ optional_policy(`
|
||||
xen_append_log(ifconfig_t)
|
||||
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
|
||||
')
|
||||
@ -38417,10 +38453,10 @@ index 0000000..916c8ed
|
||||
+/var/run/initramfs(/.*)? <<none>>
|
||||
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
|
||||
new file mode 100644
|
||||
index 0000000..8bca1d7
|
||||
index 0000000..24b2af3
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/system/systemd.if
|
||||
@@ -0,0 +1,1440 @@
|
||||
@@ -0,0 +1,1458 @@
|
||||
+## <summary>SELinux policy for systemd components</summary>
|
||||
+
|
||||
+######################################
|
||||
@ -38792,6 +38828,24 @@ index 0000000..8bca1d7
|
||||
+
|
||||
+######################################
|
||||
+## <summary>
|
||||
+## Dontaudit attempts to write inherited logind sessions pipes.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain to not audit.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`systemd_dontaudit_write_inherited_logind_sessions_pipes',`
|
||||
+ gen_require(`
|
||||
+ type systemd_logind_sessions_t;
|
||||
+ ')
|
||||
+
|
||||
+ dontaudit $1 systemd_logind_sessions_t:fifo_file write;
|
||||
+')
|
||||
+
|
||||
+######################################
|
||||
+## <summary>
|
||||
+## Write systemd inhibit pipes.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
|
@ -19874,7 +19874,7 @@ index dda905b..ccd0ba9 100644
|
||||
/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
|
||||
+')
|
||||
diff --git a/dbus.if b/dbus.if
|
||||
index 62d22cb..2b84a85 100644
|
||||
index 62d22cb..89671dd 100644
|
||||
--- a/dbus.if
|
||||
+++ b/dbus.if
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -19999,7 +19999,7 @@ index 62d22cb..2b84a85 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -103,91 +129,82 @@ template(`dbus_role_template',`
|
||||
@@ -103,91 +129,84 @@ template(`dbus_role_template',`
|
||||
#
|
||||
interface(`dbus_system_bus_client',`
|
||||
gen_require(`
|
||||
@ -20021,6 +20021,8 @@ index 62d22cb..2b84a85 100644
|
||||
- files_search_var_lib($1)
|
||||
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
|
||||
+ files_search_var_lib($1)
|
||||
+
|
||||
+ dev_read_urand($1)
|
||||
|
||||
+ # For connecting to the bus
|
||||
files_search_pids($1)
|
||||
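Review bot: `dev_read_urand($1)` is added to `dbus_system_bus_client` with no comment, while the neighbouring `files_search_pids($1)` has one (`# For connecting to the bus`); every caller of this interface gains the access, so the reason belongs next to the rule. The commit message attributes it to the dbus client libraries reading /dev/urandom, so a line such as `# dbus client libraries read /dev/urandom` above it would record that. The body of `dbus_system_bus_client` continues outside the hunk.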
@ -20123,7 +20125,7 @@ index 62d22cb..2b84a85 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -195,15 +212,18 @@ interface(`dbus_connect_spec_session_bus',`
|
||||
@@ -195,15 +214,18 @@ interface(`dbus_connect_spec_session_bus',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -20148,7 +20150,7 @@ index 62d22cb..2b84a85 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -211,57 +231,39 @@ interface(`dbus_session_bus_client',`
|
||||
@@ -211,57 +233,39 @@ interface(`dbus_session_bus_client',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -20220,7 +20222,7 @@ index 62d22cb..2b84a85 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -269,15 +271,19 @@ interface(`dbus_spec_session_bus_client',`
|
||||
@@ -269,15 +273,19 @@ interface(`dbus_spec_session_bus_client',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -20246,7 +20248,7 @@ index 62d22cb..2b84a85 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -285,44 +291,52 @@ interface(`dbus_send_session_bus',`
|
||||
@@ -285,44 +293,52 @@ interface(`dbus_send_session_bus',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -20313,7 +20315,7 @@ index 62d22cb..2b84a85 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -330,18 +344,18 @@ interface(`dbus_send_spec_session_bus',`
|
||||
@@ -330,18 +346,18 @@ interface(`dbus_send_spec_session_bus',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -20337,7 +20339,7 @@ index 62d22cb..2b84a85 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -349,20 +363,18 @@ interface(`dbus_read_config',`
|
||||
@@ -349,20 +365,18 @@ interface(`dbus_read_config',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -20363,7 +20365,7 @@ index 62d22cb..2b84a85 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -370,26 +382,20 @@ interface(`dbus_read_lib_files',`
|
||||
@@ -370,26 +384,20 @@ interface(`dbus_read_lib_files',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -20396,7 +20398,7 @@ index 62d22cb..2b84a85 100644
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Type to be used as a domain.
|
||||
@@ -397,81 +403,67 @@ interface(`dbus_manage_lib_files',`
|
||||
@@ -397,81 +405,67 @@ interface(`dbus_manage_lib_files',`
|
||||
## </param>
|
||||
## <param name="entry_point">
|
||||
## <summary>
|
||||
@ -20506,7 +20508,7 @@ index 62d22cb..2b84a85 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -479,18 +471,18 @@ interface(`dbus_spec_session_domain',`
|
||||
@@ -479,18 +473,18 @@ interface(`dbus_spec_session_domain',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -20530,7 +20532,7 @@ index 62d22cb..2b84a85 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -498,98 +490,80 @@ interface(`dbus_connect_system_bus',`
|
||||
@@ -498,98 +492,80 @@ interface(`dbus_connect_system_bus',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -20657,7 +20659,7 @@ index 62d22cb..2b84a85 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -597,28 +571,49 @@ interface(`dbus_use_system_bus_fds',`
|
||||
@@ -597,28 +573,49 @@ interface(`dbus_use_system_bus_fds',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -22165,7 +22167,7 @@ index c697edb..31d45bf 100644
|
||||
+ allow $1 dhcpd_unit_file_t:service all_service_perms;
|
||||
')
|
||||
diff --git a/dhcp.te b/dhcp.te
|
||||
index 98a24b9..36e32aa 100644
|
||||
index 98a24b9..5b576ff 100644
|
||||
--- a/dhcp.te
|
||||
+++ b/dhcp.te
|
||||
@@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
|
||||
@ -22194,23 +22196,39 @@ index 98a24b9..36e32aa 100644
|
||||
files_read_etc_runtime_files(dhcpd_t)
|
||||
files_search_var_lib(dhcpd_t)
|
||||
|
||||
@@ -102,8 +103,6 @@ auth_use_nsswitch(dhcpd_t)
|
||||
@@ -102,22 +103,42 @@ auth_use_nsswitch(dhcpd_t)
|
||||
|
||||
logging_send_syslog_msg(dhcpd_t)
|
||||
|
||||
-miscfiles_read_localization(dhcpd_t)
|
||||
-
|
||||
+sysnet_read_config(dhcpd_t)
|
||||
sysnet_read_dhcp_config(dhcpd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
|
||||
@@ -113,11 +112,20 @@ tunable_policy(`dhcpd_use_ldap',`
|
||||
sysnet_use_ldap(dhcpd_t)
|
||||
')
|
||||
userdom_dontaudit_search_user_home_dirs(dhcpd_t)
|
||||
|
||||
+ifdef(`distro_gentoo',`
|
||||
+ allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
|
||||
tunable_policy(`dhcpd_use_ldap',`
|
||||
- sysnet_use_ldap(dhcpd_t)
|
||||
+ allow dhcpd_t self:tcp_socket create_socket_perms;
|
||||
+')
|
||||
+
|
||||
+tunable_policy(`dhcpd_use_ldap',`
|
||||
+ corenet_tcp_sendrecv_generic_if(dhcpd_t)
|
||||
+ corenet_tcp_sendrecv_generic_node(dhcpd_t)
|
||||
+ corenet_tcp_sendrecv_ldap_port(dhcpd_t)
|
||||
+ corenet_tcp_connect_ldap_port(dhcpd_t)
|
||||
+ corenet_sendrecv_ldap_client_packets(dhcpd_t)
|
||||
+')
|
||||
+
|
||||
+tunable_policy(`dhcpd_use_ldap',`
|
||||
+ ldap_read_certs(dhcpd_t)
|
||||
+')
|
||||
+
|
||||
+ifdef(`distro_gentoo',`
|
||||
+ allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ # used for dynamic DNS
|
||||
bind_read_dnssec_keys(dhcpd_t)
|
||||
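Review bot: `ldap_read_certs(dhcpd_t)` in the third `tunable_policy(`dhcpd_use_ldap',` block is called without an `optional_policy(` wrapper, unlike the equivalent call in authlogin.te and inside `sysnet_use_ldap`; `ldap_read_certs` belongs to the ldap module, so this makes dhcp hard-depend on that module being present at build and load time. Wrap the tunable block in an `optional_policy(` … `')` block the way authlogin.te does, which adds one opening line and one closing `')`. The two identical `dhcpd_use_ldap` blocks preceding it contain only plain rules and could be a single block. These lines are read as the new side of the outer diff; if they are the removed side the point does not apply.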
@ -24089,10 +24107,10 @@ index 0000000..1048292
|
||||
+')
|
||||
diff --git a/docker.te b/docker.te
|
||||
new file mode 100644
|
||||
index 0000000..acaabd3
|
||||
index 0000000..4b54a05
|
||||
--- /dev/null
|
||||
+++ b/docker.te
|
||||
@@ -0,0 +1,267 @@
|
||||
@@ -0,0 +1,268 @@
|
||||
+policy_module(docker, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -24319,6 +24337,7 @@ index 0000000..acaabd3
|
||||
+modutils_domtrans_insmod(docker_t)
|
||||
+
|
||||
+systemd_status_all_unit_files(docker_t)
|
||||
+systemd_start_systemd_services(docker_t)
|
||||
+
|
||||
+userdom_stream_connect(docker_t)
|
||||
+userdom_search_user_home_content(docker_t)
|
||||
@ -28246,10 +28265,10 @@ index 0000000..04e159f
|
||||
+')
|
||||
diff --git a/gear.te b/gear.te
|
||||
new file mode 100644
|
||||
index 0000000..e6a1c7c
|
||||
index 0000000..7f1639a
|
||||
--- /dev/null
|
||||
+++ b/gear.te
|
||||
@@ -0,0 +1,101 @@
|
||||
@@ -0,0 +1,105 @@
|
||||
+policy_module(gear, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -28277,7 +28296,7 @@ index 0000000..e6a1c7c
|
||||
+#
|
||||
+# gear local policy
|
||||
+#
|
||||
+allow gear_t self:capability chown;
|
||||
+allow gear_t self:capability { chown net_admin fowner dac_override };
|
||||
+allow gear_t self:capability2 block_suspend;
|
||||
+allow gear_t self:process { getattr signal_perms };
|
||||
+allow gear_t self:fifo_file rw_fifo_file_perms;
|
||||
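Review bot: `allow gear_t self:capability { chown net_admin fowner dac_override };` widens the earlier `chown`-only rule with `dac_override` and `fowner`, which let gear_t ignore file ownership and mode bits on anything its type-enforcement rules already reach, and with `net_admin`, which is a large capability for a management tool; the hunk gives no reason for any of the three. The commit message only says access was needed for openshift directories, which `chown` by itself does not explain. Add a comment naming the operation behind each, e.g. `# net_admin: <operation>; dac_override/fowner: <operation>` (placeholders), and confirm from the observed denials that `fowner` alone is not sufficient before keeping `dac_override`. The adjacent hunk adding `openshift_manage_lib_files(gear_t)` may be the access the commit message refers to.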
@ -28351,6 +28370,10 @@ index 0000000..e6a1c7c
|
||||
+optional_policy(`
|
||||
+ docker_stream_connect(gear_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ openshift_manage_lib_files(gear_t)
|
||||
+')
|
||||
diff --git a/geoclue.fc b/geoclue.fc
|
||||
new file mode 100644
|
||||
index 0000000..a97f14f
|
||||
@ -28946,11 +28969,20 @@ index 9eacb2c..229782f 100644
|
||||
init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
|
||||
domain_system_change_exemption($1)
|
||||
diff --git a/glance.te b/glance.te
|
||||
index 5cd0909..a304d35 100644
|
||||
index 5cd0909..1464b4d 100644
|
||||
--- a/glance.te
|
||||
+++ b/glance.te
|
||||
@@ -7,8 +7,7 @@ policy_module(glance, 1.1.0)
|
||||
@@ -5,10 +5,16 @@ policy_module(glance, 1.1.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Allow glance domain to manage fuse files
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+gen_tunable(glance_use_fusefs, false)
|
||||
+
|
||||
attribute glance_domain;
|
||||
|
||||
-type glance_registry_t, glance_domain;
|
||||
@ -28959,7 +28991,7 @@ index 5cd0909..a304d35 100644
|
||||
init_daemon_domain(glance_registry_t, glance_registry_exec_t)
|
||||
|
||||
type glance_registry_initrc_exec_t;
|
||||
@@ -17,8 +16,10 @@ init_script_file(glance_registry_initrc_exec_t)
|
||||
@@ -17,8 +23,10 @@ init_script_file(glance_registry_initrc_exec_t)
|
||||
type glance_registry_tmp_t;
|
||||
files_tmp_file(glance_registry_tmp_t)
|
||||
|
||||
@ -28972,7 +29004,7 @@ index 5cd0909..a304d35 100644
|
||||
init_daemon_domain(glance_api_t, glance_api_exec_t)
|
||||
|
||||
type glance_api_initrc_exec_t;
|
||||
@@ -41,6 +42,7 @@ files_pid_file(glance_var_run_t)
|
||||
@@ -41,6 +49,7 @@ files_pid_file(glance_var_run_t)
|
||||
# Common local policy
|
||||
#
|
||||
|
||||
@ -28980,7 +29012,7 @@ index 5cd0909..a304d35 100644
|
||||
allow glance_domain self:fifo_file rw_fifo_file_perms;
|
||||
allow glance_domain self:unix_stream_socket create_stream_socket_perms;
|
||||
allow glance_domain self:tcp_socket { accept listen };
|
||||
@@ -56,29 +58,29 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
|
||||
@@ -56,29 +65,38 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
|
||||
manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
|
||||
manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
|
||||
|
||||
@ -29011,6 +29043,15 @@ index 5cd0909..a304d35 100644
|
||||
-
|
||||
sysnet_dns_name_resolve(glance_domain)
|
||||
|
||||
+tunable_policy(`glance_use_fusefs',`
|
||||
+ fs_manage_fusefs_dirs(glance_domain)
|
||||
+ fs_manage_fusefs_files(glance_domain)
|
||||
+ fs_read_fusefs_symlinks(glance_domain)
|
||||
+ fs_getattr_fusefs(glance_domain)
|
||||
+')
|
||||
+
|
||||
+
|
||||
+
|
||||
+optional_policy(`
|
||||
+ mysql_read_db_lnk_files(glance_domain)
|
||||
+')
|
||||
@ -29018,7 +29059,7 @@ index 5cd0909..a304d35 100644
|
||||
########################################
|
||||
#
|
||||
# Registry local policy
|
||||
@@ -88,8 +90,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
|
||||
@@ -88,8 +106,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
|
||||
manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
|
||||
files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file })
|
||||
|
||||
@ -29033,7 +29074,7 @@ index 5cd0909..a304d35 100644
|
||||
|
||||
logging_send_syslog_msg(glance_registry_t)
|
||||
|
||||
@@ -108,13 +116,24 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
|
||||
@@ -108,13 +132,24 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
|
||||
files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
|
||||
can_exec(glance_api_t, glance_tmp_t)
|
||||
|
||||
@ -43398,10 +43439,10 @@ index 0000000..8d0e473
|
||||
+/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0)
|
||||
diff --git a/mock.if b/mock.if
|
||||
new file mode 100644
|
||||
index 0000000..6568bfe
|
||||
index 0000000..f5b98e6
|
||||
--- /dev/null
|
||||
+++ b/mock.if
|
||||
@@ -0,0 +1,310 @@
|
||||
@@ -0,0 +1,311 @@
|
||||
+## <summary>policy for mock</summary>
|
||||
+
|
||||
+########################################
|
||||
@ -43457,6 +43498,7 @@ index 0000000..6568bfe
|
||||
+ ')
|
||||
+
|
||||
+ files_search_var_lib($1)
|
||||
+ list_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t)
|
||||
+ read_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
|
||||
+')
|
||||
+
|
||||
@ -43714,10 +43756,10 @@ index 0000000..6568bfe
|
||||
+')
|
||||
diff --git a/mock.te b/mock.te
|
||||
new file mode 100644
|
||||
index 0000000..fc64201
|
||||
index 0000000..1bf717f
|
||||
--- /dev/null
|
||||
+++ b/mock.te
|
||||
@@ -0,0 +1,276 @@
|
||||
@@ -0,0 +1,277 @@
|
||||
+policy_module(mock,1.0.0)
|
||||
+
|
||||
+## <desc>
|
||||
@ -43912,7 +43954,7 @@ index 0000000..fc64201
|
||||
+#
|
||||
+# mock_build local policy
|
||||
+#
|
||||
+allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner };
|
||||
+allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner sys_ptrace };
|
||||
+dontaudit mock_build_t self:capability audit_write;
|
||||
+allow mock_build_t self:process { fork setsched setpgid signal_perms };
|
||||
+allow mock_build_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
|
||||
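Review bot: `sys_ptrace` is appended to the already long `allow mock_build_t self:capability { … }` list with no comment, and because the whole line is repeated (old and new) the addition is easy to miss in review. `sys_ptrace` is a broad capability; if mock-build only probes for it and the build succeeds without it, the narrower option is a `dontaudit`, as the next line already does for `audit_write`. If it is genuinely required, a short comment on the line, `# sys_ptrace: needed by <mock-build step>` (placeholder), records the justification.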
@ -43989,6 +44031,7 @@ index 0000000..fc64201
|
||||
+
|
||||
+libs_exec_ldconfig(mock_build_t)
|
||||
+
|
||||
+term_use_all_inherited_terms(mock_build_t)
|
||||
+userdom_use_inherited_user_ptys(mock_build_t)
|
||||
+
|
||||
+tunable_policy(`mock_enable_homedirs',`
|
||||
@ -79241,7 +79284,7 @@ index 6dbc905..4b17c93 100644
|
||||
- admin_pattern($1, rhsmcertd_lock_t)
|
||||
')
|
||||
diff --git a/rhsmcertd.te b/rhsmcertd.te
|
||||
index d32e1a2..c820b6f 100644
|
||||
index d32e1a2..54838ad 100644
|
||||
--- a/rhsmcertd.te
|
||||
+++ b/rhsmcertd.te
|
||||
@@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t)
|
||||
@ -79262,7 +79305,7 @@ index d32e1a2..c820b6f 100644
|
||||
|
||||
manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t)
|
||||
files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file)
|
||||
@@ -50,25 +49,49 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
|
||||
@@ -50,25 +49,50 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
|
||||
files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
|
||||
|
||||
kernel_read_network_state(rhsmcertd_t)
|
||||
@ -79271,6 +79314,7 @@ index d32e1a2..c820b6f 100644
|
||||
+kernel_read_sysctl(rhsmcertd_t)
|
||||
+
|
||||
+corenet_tcp_connect_http_port(rhsmcertd_t)
|
||||
+corenet_tcp_connect_http_cache_port(rhsmcertd_t)
|
||||
+corenet_tcp_connect_squid_port(rhsmcertd_t)
|
||||
|
||||
corecmd_exec_bin(rhsmcertd_t)
|
||||
@ -88224,7 +88268,7 @@ index 12700b4..fde3c8d 100644
|
||||
+ unconfined_domain(unconfined_sendmail_t)
|
||||
')
|
||||
diff --git a/sensord.fc b/sensord.fc
|
||||
index 8185d5a..97926d2 100644
|
||||
index 8185d5a..9be989a 100644
|
||||
--- a/sensord.fc
|
||||
+++ b/sensord.fc
|
||||
@@ -1,5 +1,9 @@
|
||||
@ -88234,7 +88278,7 @@ index 8185d5a..97926d2 100644
|
||||
|
||||
/usr/sbin/sensord -- gen_context(system_u:object_r:sensord_exec_t,s0)
|
||||
|
||||
+/var/log/sensord\.rrd -- gen_context(system_u:object_r:sensord_log_t,s0)
|
||||
+/var/log/sensor.* gen_context(system_u:object_r:sensord_log_t,s0)
|
||||
+
|
||||
/var/run/sensord\.pid -- gen_context(system_u:object_r:sensord_var_run_t,s0)
|
||||
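Review bot: `/var/log/sensor.* gen_context(system_u:object_r:sensord_log_t,s0)` subsumes the explicit `/var/log/sensord\.rrd --` entry above it, and it carries no file-type field, so it also labels directories and any other object under /var/log whose name begins with `sensor`. Which of the two lines is the new one is not recoverable from the rendering, but the pair should not both stay as written: either keep the wildcard and drop the rrd line, or anchor the wildcard to the names sensord actually writes and add `--` if only regular files are meant.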
diff --git a/sensord.if b/sensord.if
|
||||
@ -89414,7 +89458,7 @@ index e2544e1..d3fbd78 100644
+ xserver_xdm_append_log(shutdown_t)
')
diff --git a/slocate.te b/slocate.te
index 7292dc0..41c780f 100644
index 7292dc0..ce903d6 100644
--- a/slocate.te
+++ b/slocate.te
@@ -62,7 +62,6 @@ fs_read_noxattr_fs_symlinks(locate_t)
@ -89425,6 +89469,15 @@ index 7292dc0..41c780f 100644
ifdef(`enable_mls',`
files_dontaudit_getattr_all_dirs(locate_t)
@@ -71,3 +70,8 @@ ifdef(`enable_mls',`
optional_policy(`
cron_system_entry(locate_t, locate_exec_t)
')
+
+optional_policy(`
+ mock_getattr_lib(locate_t)
+')
+
diff --git a/slpd.if b/slpd.if
index ca32e89..98278dd 100644
--- a/slpd.if
@ -91463,7 +91516,7 @@ index 1499b0b..6950cab 100644
- spamassassin_role($2, $1)
')
diff --git a/spamassassin.te b/spamassassin.te
index cc58e35..c76586c 100644
index cc58e35..4f35a1b 100644
--- a/spamassassin.te
+++ b/spamassassin.te
@@ -7,50 +7,23 @@ policy_module(spamassassin, 2.6.1)
@ -91937,17 +91990,17 @@ index cc58e35..c76586c 100644
allow spamd_t self:unix_dgram_socket sendto;
-allow spamd_t self:unix_stream_socket { accept connectto listen };
-allow spamd_t self:tcp_socket { accept listen };
-
+allow spamd_t self:unix_stream_socket connectto;
+allow spamd_t self:tcp_socket create_stream_socket_perms;
+allow spamd_t self:udp_socket create_socket_perms;
-manage_dirs_pattern(spamd_t, spamd_home_t, spamd_home_t)
-manage_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
-manage_lnk_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
-manage_fifo_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
-manage_sock_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
-userdom_user_home_dir_filetrans(spamd_t, spamd_home_t, dir, ".spamd")
+allow spamd_t self:unix_stream_socket connectto;
+allow spamd_t self:tcp_socket create_stream_socket_perms;
+allow spamd_t self:udp_socket create_socket_perms;
-
-manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
-manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
-manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
@ -92130,7 +92183,7 @@ index cc58e35..c76586c 100644
')
optional_policy(`
@@ -455,7 +533,12 @@ optional_policy(`
@@ -455,7 +533,17 @@ optional_policy(`
optional_policy(`
razor_domtrans(spamd_t)
razor_read_lib_files(spamd_t)
@ -92141,10 +92194,15 @@ index cc58e35..c76586c 100644
+ tunable_policy(`spamd_enable_home_dirs',`
+ razor_manage_user_home_files(spamd_t)
+ ')
+')
+
+optional_policy(`
+ spamassassin_filetrans_home_content(spamd_t)
+ spamassassin_filetrans_admin_home_content(spamd_t)
')
optional_policy(`
@@ -463,9 +546,9 @@ optional_policy(`
@@ -463,9 +551,9 @@ optional_policy(`
')
optional_policy(`
@ -92155,7 +92213,7 @@ index cc58e35..c76586c 100644
')
optional_policy(`
@@ -474,32 +557,32 @@ optional_policy(`
@@ -474,32 +562,32 @@ optional_policy(`
########################################
#
@ -92198,7 +92256,7 @@ index cc58e35..c76586c 100644
corecmd_exec_bin(spamd_update_t)
corecmd_exec_shell(spamd_update_t)
@@ -508,25 +591,21 @@ dev_read_urand(spamd_update_t)
@@ -508,25 +596,21 @@ dev_read_urand(spamd_update_t)
domain_use_interactive_fds(spamd_update_t)
@ -95958,7 +96016,7 @@ index 5406b6e..dc5b46e 100644
admin_pattern($1, tgtd_tmpfs_t)
')
diff --git a/tgtd.te b/tgtd.te
index d010963..5ecc3bf 100644
index d010963..3822bc7 100644
--- a/tgtd.te
+++ b/tgtd.te
@@ -29,7 +29,7 @@ files_pid_file(tgtd_var_run_t)
@ -95970,8 +96028,11 @@ index d010963..5ecc3bf 100644
allow tgtd_t self:capability2 block_suspend;
allow tgtd_t self:process { setrlimit signal };
allow tgtd_t self:fifo_file rw_fifo_file_perms;
@@ -58,13 +58,13 @@ kernel_read_system_state(tgtd_t)
@@ -56,15 +56,16 @@ files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file })
kernel_read_system_state(tgtd_t)
kernel_read_fs_sysctls(tgtd_t)
+kernel_read_network_state(tgtd_t)
corenet_all_recvfrom_netlabel(tgtd_t)
-corenet_all_recvfrom_unlabeled(tgtd_t)
@ -95985,7 +96046,7 @@ index d010963..5ecc3bf 100644
corenet_tcp_sendrecv_iscsi_port(tgtd_t)
corenet_sendrecv_iscsi_client_packets(tgtd_t)
@@ -72,16 +72,16 @@ corenet_tcp_connect_isns_port(tgtd_t)
@@ -72,16 +73,16 @@ corenet_tcp_connect_isns_port(tgtd_t)
dev_read_sysfs(tgtd_t)
@ -101047,7 +101108,7 @@ index facdee8..88dcafb 100644
+ virt_stream_connect($1)
')
diff --git a/virt.te b/virt.te
index f03dcf5..fe84861 100644
index f03dcf5..25f4104 100644
--- a/virt.te
+++ b/virt.te
@@ -1,150 +1,212 @@
@ -101909,7 +101970,7 @@ index f03dcf5..fe84861 100644
tunable_policy(`virt_use_samba',`
- fs_manage_cifs_files(virtd_t)
+ fs_manage_nfs_files(virtd_t)
+ fs_manage_cifs_dirs(virtd_t)
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
@ -102020,16 +102081,7 @@ index f03dcf5..fe84861 100644
+allow virt_domain self:tcp_socket create_stream_socket_perms;
+allow virt_domain self:udp_socket create_socket_perms;
+allow virt_domain self:netlink_kobject_uevent_socket create_socket_perms;
-allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
-allow virsh_t self:process { getcap getsched setsched setcap signal };
-allow virsh_t self:fifo_file rw_fifo_file_perms;
-allow virsh_t self:unix_stream_socket { accept connectto listen };
-allow virsh_t self:tcp_socket { accept listen };
-
-manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
-manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+
+list_dirs_pattern(virt_domain, virt_content_t, virt_content_t)
+read_files_pattern(virt_domain, virt_content_t, virt_content_t)
+dontaudit virt_domain virt_content_t:file write_file_perms;
@ -102047,17 +102099,30 @@ index f03dcf5..fe84861 100644
+manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t)
+filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file })
+stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t)
+
+manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
+files_var_filetrans(virt_domain, virt_cache_t, { file dir })
-allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
-allow virsh_t self:process { getcap getsched setsched setcap signal };
-allow virsh_t self:fifo_file rw_fifo_file_perms;
-allow virsh_t self:unix_stream_socket { accept connectto listen };
-allow virsh_t self:tcp_socket { accept listen };
-
-manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
-manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-
-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
+files_var_filetrans(virt_domain, virt_cache_t, { file dir })
-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t)
+
+manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t)
@ -102089,18 +102154,15 @@ index f03dcf5..fe84861 100644
+
+dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
+dontaudit virt_domain virt_tmpfs_type:file { read write };
-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
-allow virsh_t svirt_lxc_domain:process transition;
+append_files_pattern(virt_domain, virt_log_t, virt_log_t)
-allow virsh_t svirt_lxc_domain:process transition;
+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-can_exec(virsh_t, virsh_exec_t)
+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
+
+corecmd_exec_bin(virt_domain)
+corecmd_exec_shell(virt_domain)
+
@ -102132,7 +102194,7 @@ index f03dcf5..fe84861 100644
+files_read_mnt_symlinks(virt_domain)
+files_read_var_files(virt_domain)
+files_search_all(virt_domain)
+
+fs_getattr_xattr_fs(virt_domain)
+fs_getattr_tmpfs(virt_domain)
+fs_rw_anon_inodefs_files(virt_domain)
@ -102221,7 +102283,7 @@ index f03dcf5..fe84861 100644
+ fs_read_cifs_symlinks(virt_domain)
+ fs_getattr_cifs(virt_domain)
+')
+
+tunable_policy(`virt_use_usb',`
+ dev_rw_usbfs(virt_domain)
+ dev_read_sysfs(virt_domain)
@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 47%{?dist}
Release: 48%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -588,6 +588,20 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Fri Apr 25 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-48
- Fix virt_use_samba boolean
- Looks like all domains that use dbus libraries are now reading /dev/urand
- Add glance_use_fusefs() boolean
- Allow tgtd to read /proc/net/psched
- Additional access required for gear management of openshift directories
- Allow sys_ptrace for mock-build
- Fix mock_read_lib_files() interface
- Allow mock-build to write all inherited ttys and ptys
- Allow spamd to create razor home dirs with correct labeling
- Clean up sysnet_use_ldap()
- systemd calling needs to be optional
- Allow init_t to setattr/relabelfrom dhcp state files
* Wed Apr 23 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-47
- mongod should not be a part of cloudforms.pp
- Fix labeling in snapper.fc