* Fri Jan 06 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-232
- Add tlp_var_lib_t label for /var/lib/tlp directory BZ(1409977) - Allow tlp_t domain to read proc_net_t BZ(1403487) - Merge pull request #179 from rhatdan/virt1 - Allow tlp_t domain to read/write cpu microcode BZ(1403103) - Allow virt domain to use inherited virtlogd domain's fifo_file - Fixes for containers - Allow glusterd_t to bind on glusterd_port_t udp ports. - Update ctdbd_t policy to reflect all changes. - Allow ctdbd_t domain transition to rpcd_t
This commit is contained in:
parent
aabe3f000e
commit
3f98d5071c
Binary file not shown.
@ -49424,10 +49424,10 @@ index 0000000..86e3d01
|
|||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..caba12b
|
index 0000000..0c415d2
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/system/systemd.te
|
+++ b/policy/modules/system/systemd.te
|
||||||
@@ -0,0 +1,978 @@
|
@@ -0,0 +1,980 @@
|
||||||
+policy_module(systemd, 1.0.0)
|
+policy_module(systemd, 1.0.0)
|
||||||
+
|
+
|
||||||
+#######################################
|
+#######################################
|
||||||
@ -50303,6 +50303,8 @@ index 0000000..caba12b
|
|||||||
+dev_write_kmsg(systemd_gpt_generator_t)
|
+dev_write_kmsg(systemd_gpt_generator_t)
|
||||||
+dev_read_nvme(systemd_gpt_generator_t)
|
+dev_read_nvme(systemd_gpt_generator_t)
|
||||||
+
|
+
|
||||||
|
+fs_read_efivarfs_files(systemd_gpt_generator_t)
|
||||||
|
+
|
||||||
+fstools_exec(systemd_gpt_generator_t)
|
+fstools_exec(systemd_gpt_generator_t)
|
||||||
+
|
+
|
||||||
+storage_raw_read_fixed_disk(systemd_gpt_generator_t)
|
+storage_raw_read_fixed_disk(systemd_gpt_generator_t)
|
||||||
|
@ -20522,7 +20522,7 @@ index b25b01d..06895f3 100644
|
|||||||
')
|
')
|
||||||
+
|
+
|
||||||
diff --git a/ctdb.te b/ctdb.te
|
diff --git a/ctdb.te b/ctdb.te
|
||||||
index 001b502..9892b34 100644
|
index 001b502..ac0508e 100644
|
||||||
--- a/ctdb.te
|
--- a/ctdb.te
|
||||||
+++ b/ctdb.te
|
+++ b/ctdb.te
|
||||||
@@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t)
|
@@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t)
|
||||||
@ -20576,7 +20576,7 @@ index 001b502..9892b34 100644
|
|||||||
kernel_read_network_state(ctdbd_t)
|
kernel_read_network_state(ctdbd_t)
|
||||||
kernel_read_system_state(ctdbd_t)
|
kernel_read_system_state(ctdbd_t)
|
||||||
kernel_rw_net_sysctls(ctdbd_t)
|
kernel_rw_net_sysctls(ctdbd_t)
|
||||||
@@ -72,10 +89,16 @@ corenet_all_recvfrom_netlabel(ctdbd_t)
|
@@ -72,27 +89,38 @@ corenet_all_recvfrom_netlabel(ctdbd_t)
|
||||||
corenet_tcp_sendrecv_generic_if(ctdbd_t)
|
corenet_tcp_sendrecv_generic_if(ctdbd_t)
|
||||||
corenet_tcp_sendrecv_generic_node(ctdbd_t)
|
corenet_tcp_sendrecv_generic_node(ctdbd_t)
|
||||||
corenet_tcp_bind_generic_node(ctdbd_t)
|
corenet_tcp_bind_generic_node(ctdbd_t)
|
||||||
@ -20593,7 +20593,10 @@ index 001b502..9892b34 100644
|
|||||||
|
|
||||||
corecmd_exec_bin(ctdbd_t)
|
corecmd_exec_bin(ctdbd_t)
|
||||||
corecmd_exec_shell(ctdbd_t)
|
corecmd_exec_shell(ctdbd_t)
|
||||||
@@ -85,14 +108,18 @@ dev_read_urand(ctdbd_t)
|
+corecmd_getattr_all_executables(ctdbd_t)
|
||||||
|
|
||||||
|
dev_read_sysfs(ctdbd_t)
|
||||||
|
dev_read_urand(ctdbd_t)
|
||||||
|
|
||||||
domain_dontaudit_read_all_domains_state(ctdbd_t)
|
domain_dontaudit_read_all_domains_state(ctdbd_t)
|
||||||
|
|
||||||
@ -20614,10 +20617,12 @@ index 001b502..9892b34 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
consoletype_exec(ctdbd_t)
|
consoletype_exec(ctdbd_t)
|
||||||
')
|
')
|
||||||
@@ -106,9 +133,20 @@ optional_policy(`
|
@@ -106,9 +134,22 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
+ rpc_domtrans_rpcd(ctdbd_t)
|
||||||
|
+ rpc_manage_nfs_state_data_dir(ctdbd_t)
|
||||||
+ rpc_read_nfs_state_data(ctdbd_t)
|
+ rpc_read_nfs_state_data(ctdbd_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
@ -32425,10 +32430,10 @@ index 0000000..764ae00
|
|||||||
+
|
+
|
||||||
diff --git a/glusterd.te b/glusterd.te
|
diff --git a/glusterd.te b/glusterd.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..40c6ade
|
index 0000000..03db2af
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/glusterd.te
|
+++ b/glusterd.te
|
||||||
@@ -0,0 +1,307 @@
|
@@ -0,0 +1,308 @@
|
||||||
+policy_module(glusterd, 1.1.3)
|
+policy_module(glusterd, 1.1.3)
|
||||||
+
|
+
|
||||||
+## <desc>
|
+## <desc>
|
||||||
@ -32563,6 +32568,7 @@ index 0000000..40c6ade
|
|||||||
+
|
+
|
||||||
+corenet_tcp_connect_gluster_port(glusterd_t)
|
+corenet_tcp_connect_gluster_port(glusterd_t)
|
||||||
+corenet_tcp_bind_gluster_port(glusterd_t)
|
+corenet_tcp_bind_gluster_port(glusterd_t)
|
||||||
|
+corenet_udp_bind_gluster_port(glusterd_t)
|
||||||
+
|
+
|
||||||
+# replacement for rpc.mountd
|
+# replacement for rpc.mountd
|
||||||
+corenet_sendrecv_all_server_packets(glusterd_t)
|
+corenet_sendrecv_all_server_packets(glusterd_t)
|
||||||
@ -109138,14 +109144,16 @@ index 97cd155..49321a5 100644
|
|||||||
fs_search_auto_mountpoints(timidity_t)
|
fs_search_auto_mountpoints(timidity_t)
|
||||||
diff --git a/tlp.fc b/tlp.fc
|
diff --git a/tlp.fc b/tlp.fc
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..8b8cf4a
|
index 0000000..eef708d
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/tlp.fc
|
+++ b/tlp.fc
|
||||||
@@ -0,0 +1,5 @@
|
@@ -0,0 +1,7 @@
|
||||||
+/usr/lib/systemd/system/((tlp-sleep.*)|(tlp.*)) -- gen_context(system_u:object_r:tlp_unit_file_t,s0)
|
+/usr/lib/systemd/system/((tlp-sleep.*)|(tlp.*)) -- gen_context(system_u:object_r:tlp_unit_file_t,s0)
|
||||||
+
|
+
|
||||||
+/usr/sbin/tlp -- gen_context(system_u:object_r:tlp_exec_t,s0)
|
+/usr/sbin/tlp -- gen_context(system_u:object_r:tlp_exec_t,s0)
|
||||||
+
|
+
|
||||||
|
+/var/lib/tlp(/.*)? gen_context(system_u:object_r:tlp_var_lib_t,s0)
|
||||||
|
+
|
||||||
+/var/run/tlp(/.*)? gen_context(system_u:object_r:tlp_var_run_t,s0)
|
+/var/run/tlp(/.*)? gen_context(system_u:object_r:tlp_var_run_t,s0)
|
||||||
diff --git a/tlp.if b/tlp.if
|
diff --git a/tlp.if b/tlp.if
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
@ -109339,10 +109347,10 @@ index 0000000..46f12a4
|
|||||||
+')
|
+')
|
||||||
diff --git a/tlp.te b/tlp.te
|
diff --git a/tlp.te b/tlp.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..98e708a
|
index 0000000..0183c55
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/tlp.te
|
+++ b/tlp.te
|
||||||
@@ -0,0 +1,55 @@
|
@@ -0,0 +1,65 @@
|
||||||
+policy_module(tlp, 1.0.0)
|
+policy_module(tlp, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -109357,6 +109365,9 @@ index 0000000..98e708a
|
|||||||
+type tlp_var_run_t;
|
+type tlp_var_run_t;
|
||||||
+files_pid_file(tlp_var_run_t)
|
+files_pid_file(tlp_var_run_t)
|
||||||
+
|
+
|
||||||
|
+type tlp_var_lib_t;
|
||||||
|
+files_type(tlp_var_lib_t)
|
||||||
|
+
|
||||||
+type tlp_unit_file_t;
|
+type tlp_unit_file_t;
|
||||||
+systemd_unit_file(tlp_unit_file_t)
|
+systemd_unit_file(tlp_unit_file_t)
|
||||||
+
|
+
|
||||||
@ -109368,12 +109379,18 @@ index 0000000..98e708a
|
|||||||
+allow tlp_t self:unix_stream_socket create_stream_socket_perms;
|
+allow tlp_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
+allow tlp_t self:udp_socket create_socket_perms;
|
+allow tlp_t self:udp_socket create_socket_perms;
|
||||||
+allow tlp_t self:unix_dgram_socket create_socket_perms;
|
+allow tlp_t self:unix_dgram_socket create_socket_perms;
|
||||||
|
+allow tlp_t self:netlink_generic_socket create_socket_perms;
|
||||||
+
|
+
|
||||||
+manage_dirs_pattern(tlp_t, tlp_var_run_t, tlp_var_run_t)
|
+manage_dirs_pattern(tlp_t, tlp_var_run_t, tlp_var_run_t)
|
||||||
+manage_files_pattern(tlp_t, tlp_var_run_t, tlp_var_run_t)
|
+manage_files_pattern(tlp_t, tlp_var_run_t, tlp_var_run_t)
|
||||||
+files_pid_filetrans(tlp_t, tlp_var_run_t, { dir file })
|
+files_pid_filetrans(tlp_t, tlp_var_run_t, { dir file })
|
||||||
+
|
+
|
||||||
|
+manage_dirs_pattern(tlp_t, tlp_var_lib_t, tlp_var_lib_t)
|
||||||
|
+manage_files_pattern(tlp_t, tlp_var_lib_t, tlp_var_lib_t)
|
||||||
|
+files_var_lib_filetrans(tlp_t, tlp_var_lib_t, dir)
|
||||||
|
+
|
||||||
+kernel_read_system_state(tlp_t)
|
+kernel_read_system_state(tlp_t)
|
||||||
|
+kernel_read_network_state(tlp_t)
|
||||||
+kernel_read_fs_sysctls(tlp_t)
|
+kernel_read_fs_sysctls(tlp_t)
|
||||||
+kernel_rw_fs_sysctls(tlp_t)
|
+kernel_rw_fs_sysctls(tlp_t)
|
||||||
+kernel_rw_kernel_sysctl(tlp_t)
|
+kernel_rw_kernel_sysctl(tlp_t)
|
||||||
@ -109385,6 +109402,7 @@ index 0000000..98e708a
|
|||||||
+
|
+
|
||||||
+dev_list_sysfs(tlp_t)
|
+dev_list_sysfs(tlp_t)
|
||||||
+dev_manage_sysfs(tlp_t)
|
+dev_manage_sysfs(tlp_t)
|
||||||
|
+dev_rw_cpu_microcode(tlp_t)
|
||||||
+
|
+
|
||||||
+files_read_kernel_modules(tlp_t)
|
+files_read_kernel_modules(tlp_t)
|
||||||
+
|
+
|
||||||
@ -114622,7 +114640,7 @@ index facdee8..2cff369 100644
|
|||||||
+ domtrans_pattern($1,container_file_t, $2)
|
+ domtrans_pattern($1,container_file_t, $2)
|
||||||
')
|
')
|
||||||
diff --git a/virt.te b/virt.te
|
diff --git a/virt.te b/virt.te
|
||||||
index f03dcf5..9bde200 100644
|
index f03dcf5..587e30f 100644
|
||||||
--- a/virt.te
|
--- a/virt.te
|
||||||
+++ b/virt.te
|
+++ b/virt.te
|
||||||
@@ -1,451 +1,403 @@
|
@@ -1,451 +1,403 @@
|
||||||
@ -115393,18 +115411,19 @@ index f03dcf5..9bde200 100644
|
|||||||
-manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
|
-manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
|
||||||
-manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
|
-manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
|
||||||
-filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
|
-filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
|
||||||
|
-
|
||||||
|
-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
|
||||||
|
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
|
||||||
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
|
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
|
||||||
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
|
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
|
||||||
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
|
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
|
||||||
+allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
|
+allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
|
||||||
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
|
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
|
||||||
|
|
||||||
-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
|
-can_exec(virtd_t, virt_tmp_t)
|
||||||
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
|
|
||||||
+# libvirtd is permitted to talk to virtlogd
|
+# libvirtd is permitted to talk to virtlogd
|
||||||
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t)
|
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t)
|
||||||
|
+allow virtd_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms;
|
||||||
-can_exec(virtd_t, virt_tmp_t)
|
|
||||||
|
|
||||||
-kernel_read_crypto_sysctls(virtd_t)
|
-kernel_read_crypto_sysctls(virtd_t)
|
||||||
kernel_read_system_state(virtd_t)
|
kernel_read_system_state(virtd_t)
|
||||||
@ -115576,12 +115595,11 @@ index f03dcf5..9bde200 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- iptables_domtrans(virtd_t)
|
|
||||||
+ firewalld_dbus_chat(virtd_t)
|
+ firewalld_dbus_chat(virtd_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ iptables_domtrans(virtd_t)
|
iptables_domtrans(virtd_t)
|
||||||
iptables_initrc_domtrans(virtd_t)
|
iptables_initrc_domtrans(virtd_t)
|
||||||
+ iptables_systemctl(virtd_t)
|
+ iptables_systemctl(virtd_t)
|
||||||
+
|
+
|
||||||
@ -115833,7 +115851,7 @@ index f03dcf5..9bde200 100644
|
|||||||
+storage_raw_read_removable_device(virt_domain)
|
+storage_raw_read_removable_device(virt_domain)
|
||||||
+
|
+
|
||||||
+sysnet_read_config(virt_domain)
|
+sysnet_read_config(virt_domain)
|
||||||
+
|
|
||||||
+term_use_all_inherited_terms(virt_domain)
|
+term_use_all_inherited_terms(virt_domain)
|
||||||
+term_getattr_pty_fs(virt_domain)
|
+term_getattr_pty_fs(virt_domain)
|
||||||
+term_use_generic_ptys(virt_domain)
|
+term_use_generic_ptys(virt_domain)
|
||||||
@ -115846,7 +115864,7 @@ index f03dcf5..9bde200 100644
|
|||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ alsa_read_rw_config(virt_domain)
|
+ alsa_read_rw_config(virt_domain)
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ nscd_dontaudit_write_sock_file(virt_domain)
|
+ nscd_dontaudit_write_sock_file(virt_domain)
|
||||||
+')
|
+')
|
||||||
@ -116206,7 +116224,7 @@ index f03dcf5..9bde200 100644
|
|||||||
selinux_get_enforce_mode(virtd_lxc_t)
|
selinux_get_enforce_mode(virtd_lxc_t)
|
||||||
selinux_get_fs_mount(virtd_lxc_t)
|
selinux_get_fs_mount(virtd_lxc_t)
|
||||||
selinux_validate_context(virtd_lxc_t)
|
selinux_validate_context(virtd_lxc_t)
|
||||||
@@ -974,194 +1260,372 @@ selinux_compute_create_context(virtd_lxc_t)
|
@@ -974,194 +1260,376 @@ selinux_compute_create_context(virtd_lxc_t)
|
||||||
selinux_compute_relabel_context(virtd_lxc_t)
|
selinux_compute_relabel_context(virtd_lxc_t)
|
||||||
selinux_compute_user_contexts(virtd_lxc_t)
|
selinux_compute_user_contexts(virtd_lxc_t)
|
||||||
|
|
||||||
@ -116493,6 +116511,7 @@ index f03dcf5..9bde200 100644
|
|||||||
+ fs_manage_nfs_symlinks(svirt_sandbox_domain)
|
+ fs_manage_nfs_symlinks(svirt_sandbox_domain)
|
||||||
+ fs_mount_nfs(svirt_sandbox_domain)
|
+ fs_mount_nfs(svirt_sandbox_domain)
|
||||||
+ fs_unmount_nfs(svirt_sandbox_domain)
|
+ fs_unmount_nfs(svirt_sandbox_domain)
|
||||||
|
+ fs_exec_nfs_files(svirt_sandbox_domain)
|
||||||
+ kernel_rw_fs_sysctls(svirt_sandbox_domain)
|
+ kernel_rw_fs_sysctls(svirt_sandbox_domain)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
@ -116501,6 +116520,7 @@ index f03dcf5..9bde200 100644
|
|||||||
+ fs_manage_cifs_dirs(svirt_sandbox_domain)
|
+ fs_manage_cifs_dirs(svirt_sandbox_domain)
|
||||||
+ fs_manage_cifs_named_sockets(svirt_sandbox_domain)
|
+ fs_manage_cifs_named_sockets(svirt_sandbox_domain)
|
||||||
+ fs_manage_cifs_symlinks(svirt_sandbox_domain)
|
+ fs_manage_cifs_symlinks(svirt_sandbox_domain)
|
||||||
|
+ fs_exec_cifs_files(svirt_sandbox_domain)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+tunable_policy(`virt_sandbox_use_fusefs',`
|
+tunable_policy(`virt_sandbox_use_fusefs',`
|
||||||
@ -116509,6 +116529,7 @@ index f03dcf5..9bde200 100644
|
|||||||
+ fs_manage_fusefs_symlinks(svirt_sandbox_domain)
|
+ fs_manage_fusefs_symlinks(svirt_sandbox_domain)
|
||||||
+ fs_mount_fusefs(svirt_sandbox_domain)
|
+ fs_mount_fusefs(svirt_sandbox_domain)
|
||||||
+ fs_unmount_fusefs(svirt_sandbox_domain)
|
+ fs_unmount_fusefs(svirt_sandbox_domain)
|
||||||
|
+ fs_exec_fusefs(svirt_sandbox_domain)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -116536,6 +116557,7 @@ index f03dcf5..9bde200 100644
|
|||||||
+dontaudit container_t self:capability2 block_suspend ;
|
+dontaudit container_t self:capability2 block_suspend ;
|
||||||
+allow container_t self:process { execstack execmem };
|
+allow container_t self:process { execstack execmem };
|
||||||
+manage_chr_files_pattern(container_t, container_file_t, container_file_t)
|
+manage_chr_files_pattern(container_t, container_file_t, container_file_t)
|
||||||
|
+manage_blk_files_pattern(container_t, container_file_t, container_file_t)
|
||||||
+
|
+
|
||||||
+tunable_policy(`virt_sandbox_use_sys_admin',`
|
+tunable_policy(`virt_sandbox_use_sys_admin',`
|
||||||
+ allow container_t self:capability sys_admin;
|
+ allow container_t self:capability sys_admin;
|
||||||
@ -116723,7 +116745,7 @@ index f03dcf5..9bde200 100644
|
|||||||
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
|
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
|
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
|
||||||
|
|
||||||
@@ -1174,12 +1638,12 @@ dev_read_sysfs(virt_qmf_t)
|
@@ -1174,12 +1642,12 @@ dev_read_sysfs(virt_qmf_t)
|
||||||
dev_read_rand(virt_qmf_t)
|
dev_read_rand(virt_qmf_t)
|
||||||
dev_read_urand(virt_qmf_t)
|
dev_read_urand(virt_qmf_t)
|
||||||
|
|
||||||
@ -116738,7 +116760,7 @@ index f03dcf5..9bde200 100644
|
|||||||
sysnet_read_config(virt_qmf_t)
|
sysnet_read_config(virt_qmf_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -1192,7 +1656,7 @@ optional_policy(`
|
@@ -1192,7 +1660,7 @@ optional_policy(`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -116747,7 +116769,7 @@ index f03dcf5..9bde200 100644
|
|||||||
#
|
#
|
||||||
|
|
||||||
allow virt_bridgehelper_t self:process { setcap getcap };
|
allow virt_bridgehelper_t self:process { setcap getcap };
|
||||||
@@ -1201,11 +1665,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
@@ -1201,11 +1669,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
|
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
|
||||||
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
|
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
|
||||||
|
|
||||||
@ -120367,7 +120389,7 @@ index dd63de0..38ce620 100644
|
|||||||
- admin_pattern($1, zabbix_tmpfs_t)
|
- admin_pattern($1, zabbix_tmpfs_t)
|
||||||
')
|
')
|
||||||
diff --git a/zabbix.te b/zabbix.te
|
diff --git a/zabbix.te b/zabbix.te
|
||||||
index 7f496c6..fccb7b1 100644
|
index 7f496c6..aab4f86 100644
|
||||||
--- a/zabbix.te
|
--- a/zabbix.te
|
||||||
+++ b/zabbix.te
|
+++ b/zabbix.te
|
||||||
@@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0)
|
@@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0)
|
||||||
@ -120545,7 +120567,7 @@ index 7f496c6..fccb7b1 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -132,18 +161,7 @@ optional_policy(`
|
@@ -132,18 +161,9 @@ optional_policy(`
|
||||||
# Agent local policy
|
# Agent local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -120556,7 +120578,8 @@ index 7f496c6..fccb7b1 100644
|
|||||||
-allow zabbix_agent_t self:shm create_shm_perms;
|
-allow zabbix_agent_t self:shm create_shm_perms;
|
||||||
-allow zabbix_agent_t self:tcp_socket { accept listen };
|
-allow zabbix_agent_t self:tcp_socket { accept listen };
|
||||||
-allow zabbix_agent_t self:unix_stream_socket create_stream_socket_perms;
|
-allow zabbix_agent_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
-
|
+allow zabbix_agent_t self:process { setrlimit };
|
||||||
|
|
||||||
-append_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
|
-append_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
|
||||||
-create_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
|
-create_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
|
||||||
-setattr_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
|
-setattr_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
|
||||||
@ -120565,7 +120588,7 @@ index 7f496c6..fccb7b1 100644
|
|||||||
|
|
||||||
rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
|
rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
|
||||||
fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
|
fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
|
||||||
@@ -151,16 +169,13 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
|
@@ -151,16 +171,13 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
|
||||||
manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
|
manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
|
||||||
files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
|
files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
|
||||||
|
|
||||||
@ -120585,7 +120608,7 @@ index 7f496c6..fccb7b1 100644
|
|||||||
|
|
||||||
corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t)
|
corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t)
|
||||||
corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
|
corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
|
||||||
@@ -170,6 +185,30 @@ corenet_sendrecv_ssh_client_packets(zabbix_agent_t)
|
@@ -170,6 +187,30 @@ corenet_sendrecv_ssh_client_packets(zabbix_agent_t)
|
||||||
corenet_tcp_connect_ssh_port(zabbix_agent_t)
|
corenet_tcp_connect_ssh_port(zabbix_agent_t)
|
||||||
corenet_tcp_sendrecv_ssh_port(zabbix_agent_t)
|
corenet_tcp_sendrecv_ssh_port(zabbix_agent_t)
|
||||||
|
|
||||||
@ -120616,7 +120639,7 @@ index 7f496c6..fccb7b1 100644
|
|||||||
corenet_sendrecv_zabbix_client_packets(zabbix_agent_t)
|
corenet_sendrecv_zabbix_client_packets(zabbix_agent_t)
|
||||||
corenet_tcp_connect_zabbix_port(zabbix_agent_t)
|
corenet_tcp_connect_zabbix_port(zabbix_agent_t)
|
||||||
corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
|
corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
|
||||||
@@ -177,21 +216,49 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
|
@@ -177,21 +218,49 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
|
||||||
dev_getattr_all_blk_files(zabbix_agent_t)
|
dev_getattr_all_blk_files(zabbix_agent_t)
|
||||||
dev_getattr_all_chr_files(zabbix_agent_t)
|
dev_getattr_all_chr_files(zabbix_agent_t)
|
||||||
|
|
||||||
|
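Review bot: `manage_blk_files_pattern(container_t, container_file_t, container_file_t)` in the container_t local-policy hunk is added unconditionally, so every container_t process may create, write and relabel block-device nodes carrying the container_file_t label, while the comparable high-risk grant a few lines below (`allow container_t self:capability sys_admin;`) is gated behind `virt_sandbox_use_sys_admin`. Whether that is exploitable in practice still depends on CAP_MKNOD and the devices cgroup, neither of which this patch shows, so the SELinux rule stops acting as an independent layer of defence here rather than a last-resort one. If a particular runtime needs it, consider gating it behind a tunable in the same style as the sys_admin block and recording the requester above the rule, e.g. `# container_t may create blk_file nodes on container_file_t (which runtime needs this? CAP_MKNOD and the devices cgroup still apply) — confirm`. The enclosing container_t policy block starts and ends outside the hunk.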
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.13.1
|
Version: 3.13.1
|
||||||
Release: 231%{?dist}
|
Release: 232%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -675,6 +675,17 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Jan 06 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-232
|
||||||
|
- Add tlp_var_lib_t label for /var/lib/tlp directory BZ(1409977)
|
||||||
|
- Allow tlp_t domain to read proc_net_t BZ(1403487)
|
||||||
|
- Merge pull request #179 from rhatdan/virt1
|
||||||
|
- Allow tlp_t domain to read/write cpu microcode BZ(1403103)
|
||||||
|
- Allow virt domain to use interited virtlogd domains fifo_file
|
||||||
|
- Fixes for containers
|
||||||
|
- Allow glusterd_t to bind on glusterd_port_t udp ports.
|
||||||
|
- Update ctdbd_t policy to reflect all changes.
|
||||||
|
- Allow ctdbd_t domain transition to rpcd_t
|
||||||
|
|
||||||
* Wed Dec 14 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-231
|
* Wed Dec 14 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-231
|
||||||
- Allow pptp_t to read /dev/random BZ(1404248)
|
- Allow pptp_t to read /dev/random BZ(1404248)
|
||||||
- Allow glusterd_t send signals to userdomain. Label new glusterd binaries as glusterd_exec_t
|
- Allow glusterd_t send signals to userdomain. Label new glusterd binaries as glusterd_exec_t
|
||||||
|