* Mon Jul 30 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-
- Add systemd fixes to make rawhide boot
parent
20ce6a9e49
commit
42c4091430
@ -4742,7 +4742,7 @@ index 61c74bc..17b3ecc 100644
|
|||||||
+ allow $1 avahi_unit_file_t:service all_service_perms;
|
+ allow $1 avahi_unit_file_t:service all_service_perms;
|
||||||
')
|
')
|
||||||
diff --git a/avahi.te b/avahi.te
|
diff --git a/avahi.te b/avahi.te
|
||||||
index a7a0e71..65bbd77 100644
|
index a7a0e71..258486d 100644
|
||||||
--- a/avahi.te
|
--- a/avahi.te
|
||||||
+++ b/avahi.te
|
+++ b/avahi.te
|
||||||
@@ -17,6 +17,10 @@ files_pid_file(avahi_var_lib_t)
|
@@ -17,6 +17,10 @@ files_pid_file(avahi_var_lib_t)
|
||||||
@ -4769,15 +4769,17 @@ index a7a0e71..65bbd77 100644
|
|||||||
corenet_all_recvfrom_netlabel(avahi_t)
|
corenet_all_recvfrom_netlabel(avahi_t)
|
||||||
corenet_tcp_sendrecv_generic_if(avahi_t)
|
corenet_tcp_sendrecv_generic_if(avahi_t)
|
||||||
corenet_udp_sendrecv_generic_if(avahi_t)
|
corenet_udp_sendrecv_generic_if(avahi_t)
|
||||||
@@ -74,7 +78,6 @@ fs_list_inotifyfs(avahi_t)
|
@@ -73,8 +77,8 @@ fs_search_auto_mountpoints(avahi_t)
|
||||||
|
fs_list_inotifyfs(avahi_t)
|
||||||
|
|
||||||
domain_use_interactive_fds(avahi_t)
|
domain_use_interactive_fds(avahi_t)
|
||||||
|
+domain_dontaudit_signull_all_domains(avahi_t)
|
||||||
|
|
||||||
-files_read_etc_files(avahi_t)
|
-files_read_etc_files(avahi_t)
|
||||||
files_read_etc_runtime_files(avahi_t)
|
files_read_etc_runtime_files(avahi_t)
|
||||||
files_read_usr_files(avahi_t)
|
files_read_usr_files(avahi_t)
|
||||||
|
|
||||||
@@ -92,6 +95,8 @@ sysnet_domtrans_ifconfig(avahi_t)
|
@@ -92,6 +96,8 @@ sysnet_domtrans_ifconfig(avahi_t)
|
||||||
sysnet_manage_config(avahi_t)
|
sysnet_manage_config(avahi_t)
|
||||||
sysnet_etc_filetrans_config(avahi_t)
|
sysnet_etc_filetrans_config(avahi_t)
|
||||||
|
|
||||||
@ -4786,7 +4788,7 @@ index a7a0e71..65bbd77 100644
|
|||||||
userdom_dontaudit_use_unpriv_user_fds(avahi_t)
|
userdom_dontaudit_use_unpriv_user_fds(avahi_t)
|
||||||
userdom_dontaudit_search_user_home_dirs(avahi_t)
|
userdom_dontaudit_search_user_home_dirs(avahi_t)
|
||||||
|
|
||||||
@@ -104,6 +109,10 @@ optional_policy(`
|
@@ -104,6 +110,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -13551,7 +13553,7 @@ index 0000000..284fbae
|
|||||||
+ sysnet_domtrans_ifconfig(ctdbd_t)
|
+ sysnet_domtrans_ifconfig(ctdbd_t)
|
||||||
+')
|
+')
|
||||||
diff --git a/cups.fc b/cups.fc
|
diff --git a/cups.fc b/cups.fc
|
||||||
index 848bb92..306cd8e 100644
|
index 848bb92..624fc09 100644
|
||||||
--- a/cups.fc
|
--- a/cups.fc
|
||||||
+++ b/cups.fc
|
+++ b/cups.fc
|
||||||
@@ -19,7 +19,10 @@
|
@@ -19,7 +19,10 @@
|
||||||
@ -13586,9 +13588,9 @@ index 848bb92..306cd8e 100644
|
|||||||
/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
|
/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
|
||||||
/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
|
/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
|
||||||
+
|
+
|
||||||
+/usr/local/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
|
+/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
|
||||||
+/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
+/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||||
+/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
+/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||||
+
|
+
|
||||||
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||||
+
|
+
|
||||||
@ -25918,6 +25920,19 @@ index 53e53ca..92520eb 100644
|
|||||||
+miscfiles_read_localization(jabberd_domain)
|
+miscfiles_read_localization(jabberd_domain)
|
||||||
+
|
+
|
||||||
+sysnet_read_config(jabberd_domain)
|
+sysnet_read_config(jabberd_domain)
|
||||||
|
diff --git a/java.fc b/java.fc
|
||||||
|
index 72f3df0..43b488f 100644
|
||||||
|
--- a/java.fc
|
||||||
|
+++ b/java.fc
|
||||||
|
@@ -28,8 +28,6 @@
|
||||||
|
/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0)
|
||||||
|
/usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0)
|
||||||
|
|
||||||
|
-/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
|
||||||
|
-
|
||||||
|
/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
|
||||||
|
|
||||||
|
ifdef(`distro_redhat',`
|
||||||
diff --git a/java.te b/java.te
|
diff --git a/java.te b/java.te
|
||||||
index 95771f4..9d7f599 100644
|
index 95771f4..9d7f599 100644
|
||||||
--- a/java.te
|
--- a/java.te
|
||||||
@ -26864,9 +26879,27 @@ index 0c52f60..a085fbd 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
diff --git a/kerberos.fc b/kerberos.fc
|
diff --git a/kerberos.fc b/kerberos.fc
|
||||||
index 3525d24..ad19527 100644
|
index 3525d24..de533f9 100644
|
||||||
--- a/kerberos.fc
|
--- a/kerberos.fc
|
||||||
+++ b/kerberos.fc
|
+++ b/kerberos.fc
|
||||||
|
@@ -13,13 +13,13 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
|
||||||
|
/etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
|
||||||
|
/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
|
||||||
|
|
||||||
|
-/usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
|
||||||
|
-/usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
|
||||||
|
+/usr/(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
|
||||||
|
+/usr/(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
|
||||||
|
/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)
|
||||||
|
/usr/kerberos/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)
|
||||||
|
|
||||||
|
-/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
|
||||||
|
-/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
|
||||||
|
+/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
|
||||||
|
+/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
|
||||||
|
|
||||||
|
/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
|
||||||
|
/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
|
||||||
@@ -27,7 +27,15 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
|
@@ -27,7 +27,15 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
|
||||||
/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
|
/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
|
||||||
/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)
|
/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)
|
||||||
@ -29116,7 +29149,7 @@ index 572b5db..1e55f43 100644
|
|||||||
+userdom_use_inherited_user_terminals(lockdev_t)
|
+userdom_use_inherited_user_terminals(lockdev_t)
|
||||||
+
|
+
|
||||||
diff --git a/logrotate.te b/logrotate.te
|
diff --git a/logrotate.te b/logrotate.te
|
||||||
index 7090dae..0b9e946 100644
|
index 7090dae..ea589dd 100644
|
||||||
--- a/logrotate.te
|
--- a/logrotate.te
|
||||||
+++ b/logrotate.te
|
+++ b/logrotate.te
|
||||||
@@ -29,9 +29,7 @@ files_type(logrotate_var_lib_t)
|
@@ -29,9 +29,7 @@ files_type(logrotate_var_lib_t)
|
||||||
@ -29178,12 +29211,13 @@ index 7090dae..0b9e946 100644
|
|||||||
|
|
||||||
# cjp: why is this needed?
|
# cjp: why is this needed?
|
||||||
init_domtrans_script(logrotate_t)
|
init_domtrans_script(logrotate_t)
|
||||||
@@ -116,17 +118,17 @@ miscfiles_read_localization(logrotate_t)
|
@@ -116,17 +118,18 @@ miscfiles_read_localization(logrotate_t)
|
||||||
|
|
||||||
seutil_dontaudit_read_config(logrotate_t)
|
seutil_dontaudit_read_config(logrotate_t)
|
||||||
|
|
||||||
-userdom_use_user_terminals(logrotate_t)
|
-userdom_use_user_terminals(logrotate_t)
|
||||||
+systemd_exec_systemctl(logrotate_t)
|
+systemd_exec_systemctl(logrotate_t)
|
||||||
|
+systemd_getattr_unit_files(logrotate_t)
|
||||||
+init_stream_connect(logrotate_t)
|
+init_stream_connect(logrotate_t)
|
||||||
+
|
+
|
||||||
+userdom_use_inherited_user_terminals(logrotate_t)
|
+userdom_use_inherited_user_terminals(logrotate_t)
|
||||||
@ -29203,7 +29237,7 @@ index 7090dae..0b9e946 100644
|
|||||||
# for savelog
|
# for savelog
|
||||||
can_exec(logrotate_t, logrotate_exec_t)
|
can_exec(logrotate_t, logrotate_exec_t)
|
||||||
|
|
||||||
@@ -138,7 +140,7 @@ ifdef(`distro_debian', `
|
@@ -138,7 +141,7 @@ ifdef(`distro_debian', `
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -29212,7 +29246,7 @@ index 7090dae..0b9e946 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -154,6 +156,10 @@ optional_policy(`
|
@@ -154,6 +157,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -29223,7 +29257,7 @@ index 7090dae..0b9e946 100644
|
|||||||
asterisk_domtrans(logrotate_t)
|
asterisk_domtrans(logrotate_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -162,10 +168,20 @@ optional_policy(`
|
@@ -162,10 +169,20 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -29244,7 +29278,7 @@ index 7090dae..0b9e946 100644
|
|||||||
cups_domtrans(logrotate_t)
|
cups_domtrans(logrotate_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -178,6 +194,10 @@ optional_policy(`
|
@@ -178,6 +195,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -29255,7 +29289,7 @@ index 7090dae..0b9e946 100644
|
|||||||
icecast_signal(logrotate_t)
|
icecast_signal(logrotate_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -194,15 +214,19 @@ optional_policy(`
|
@@ -194,15 +215,19 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -29276,7 +29310,7 @@ index 7090dae..0b9e946 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
samba_exec_log(logrotate_t)
|
samba_exec_log(logrotate_t)
|
||||||
@@ -228,3 +252,14 @@ optional_policy(`
|
@@ -228,3 +253,14 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
varnishd_manage_log(logrotate_t)
|
varnishd_manage_log(logrotate_t)
|
||||||
')
|
')
|
||||||
@ -29409,9 +29443,18 @@ index 75ce30f..7f05283 100644
|
|||||||
+ cron_use_system_job_fds(logwatch_mail_t)
|
+ cron_use_system_job_fds(logwatch_mail_t)
|
||||||
+')
|
+')
|
||||||
diff --git a/lpd.fc b/lpd.fc
|
diff --git a/lpd.fc b/lpd.fc
|
||||||
index 5c9eb68..ca4fd2b 100644
|
index 5c9eb68..e4f3c24 100644
|
||||||
--- a/lpd.fc
|
--- a/lpd.fc
|
||||||
+++ b/lpd.fc
|
+++ b/lpd.fc
|
||||||
|
@@ -24,7 +24,7 @@
|
||||||
|
/usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
||||||
|
/usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
||||||
|
|
||||||
|
-/usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
||||||
|
+/usr/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
||||||
|
|
||||||
|
/usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0)
|
||||||
|
|
||||||
@@ -35,3 +35,4 @@
|
@@ -35,3 +35,4 @@
|
||||||
/var/spool/cups-pdf(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
|
/var/spool/cups-pdf(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
|
||||||
/var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0)
|
/var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0)
|
||||||
@ -32973,7 +33016,7 @@ index afa18c8..f6e2bb8 100644
|
|||||||
+/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
|
+/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
|
||||||
/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
|
/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
|
||||||
diff --git a/mta.if b/mta.if
|
diff --git a/mta.if b/mta.if
|
||||||
index 4e2a5ba..68e2429 100644
|
index 4e2a5ba..c3643f0 100644
|
||||||
--- a/mta.if
|
--- a/mta.if
|
||||||
+++ b/mta.if
|
+++ b/mta.if
|
||||||
@@ -37,6 +37,7 @@ interface(`mta_stub',`
|
@@ -37,6 +37,7 @@ interface(`mta_stub',`
|
||||||
@ -33127,7 +33170,7 @@ index 4e2a5ba..68e2429 100644
|
|||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Make the specified type by a system MTA.
|
## Make the specified type by a system MTA.
|
||||||
@@ -306,10 +257,11 @@ interface(`mta_mailserver_sender',`
|
@@ -306,10 +257,15 @@ interface(`mta_mailserver_sender',`
|
||||||
interface(`mta_mailserver_delivery',`
|
interface(`mta_mailserver_delivery',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute mailserver_delivery;
|
attribute mailserver_delivery;
|
||||||
@ -33137,10 +33180,14 @@ index 4e2a5ba..68e2429 100644
|
|||||||
typeattribute $1 mailserver_delivery;
|
typeattribute $1 mailserver_delivery;
|
||||||
+
|
+
|
||||||
+ userdom_home_manager($1)
|
+ userdom_home_manager($1)
|
||||||
|
+
|
||||||
|
+ optional_policy(`
|
||||||
|
+ mta_rw_delivery_tcp_sockets($1)
|
||||||
|
+ ')
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@@ -393,12 +345,19 @@ interface(`mta_send_mail',`
|
@@ -393,12 +349,19 @@ interface(`mta_send_mail',`
|
||||||
#
|
#
|
||||||
interface(`mta_sendmail_domtrans',`
|
interface(`mta_sendmail_domtrans',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -33162,7 +33209,7 @@ index 4e2a5ba..68e2429 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -411,7 +370,6 @@ interface(`mta_sendmail_domtrans',`
|
@@ -411,7 +374,6 @@ interface(`mta_sendmail_domtrans',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -33170,7 +33217,7 @@ index 4e2a5ba..68e2429 100644
|
|||||||
interface(`mta_signal_system_mail',`
|
interface(`mta_signal_system_mail',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type system_mail_t;
|
type system_mail_t;
|
||||||
@@ -422,6 +380,60 @@ interface(`mta_signal_system_mail',`
|
@@ -422,6 +384,60 @@ interface(`mta_signal_system_mail',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -33231,7 +33278,7 @@ index 4e2a5ba..68e2429 100644
|
|||||||
## Execute sendmail in the caller domain.
|
## Execute sendmail in the caller domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -440,6 +452,26 @@ interface(`mta_sendmail_exec',`
|
@@ -440,6 +456,26 @@ interface(`mta_sendmail_exec',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -33258,7 +33305,7 @@ index 4e2a5ba..68e2429 100644
|
|||||||
## Read mail server configuration.
|
## Read mail server configuration.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -496,6 +528,7 @@ interface(`mta_read_aliases',`
|
@@ -496,6 +532,7 @@ interface(`mta_read_aliases',`
|
||||||
|
|
||||||
files_search_etc($1)
|
files_search_etc($1)
|
||||||
allow $1 etc_aliases_t:file read_file_perms;
|
allow $1 etc_aliases_t:file read_file_perms;
|
||||||
@ -33266,7 +33313,7 @@ index 4e2a5ba..68e2429 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -534,7 +567,7 @@ interface(`mta_etc_filetrans_aliases',`
|
@@ -534,7 +571,7 @@ interface(`mta_etc_filetrans_aliases',`
|
||||||
type etc_aliases_t;
|
type etc_aliases_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -33275,7 +33322,7 @@ index 4e2a5ba..68e2429 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -554,7 +587,7 @@ interface(`mta_rw_aliases',`
|
@@ -554,7 +591,7 @@ interface(`mta_rw_aliases',`
|
||||||
')
|
')
|
||||||
|
|
||||||
files_search_etc($1)
|
files_search_etc($1)
|
||||||
@ -33284,7 +33331,33 @@ index 4e2a5ba..68e2429 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@@ -648,8 +681,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
|
@@ -576,6 +613,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
|
||||||
|
dontaudit $1 mailserver_delivery:tcp_socket { read write };
|
||||||
|
')
|
||||||
|
|
||||||
|
+######################################
|
||||||
|
+## <summary>
|
||||||
|
+## Allow attempts to read and write TCP
|
||||||
|
+## sockets of mail delivery domains.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain to not audit.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`mta_rw_delivery_tcp_sockets',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ attribute mailserver_delivery;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 mailserver_delivery:tcp_socket { read write };
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
#######################################
|
||||||
|
## <summary>
|
||||||
|
## Connect to all mail servers over TCP. (Deprecated)
|
||||||
|
@@ -648,8 +704,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
|
||||||
|
|
||||||
files_dontaudit_search_spool($1)
|
files_dontaudit_search_spool($1)
|
||||||
dontaudit $1 mail_spool_t:dir search_dir_perms;
|
dontaudit $1 mail_spool_t:dir search_dir_perms;
|
||||||
@ -33295,7 +33368,7 @@ index 4e2a5ba..68e2429 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@@ -679,7 +712,26 @@ interface(`mta_spool_filetrans',`
|
@@ -679,7 +735,26 @@ interface(`mta_spool_filetrans',`
|
||||||
')
|
')
|
||||||
|
|
||||||
files_search_spool($1)
|
files_search_spool($1)
|
||||||
@ -33323,7 +33396,7 @@ index 4e2a5ba..68e2429 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -699,8 +751,8 @@ interface(`mta_rw_spool',`
|
@@ -699,8 +774,8 @@ interface(`mta_rw_spool',`
|
||||||
|
|
||||||
files_search_spool($1)
|
files_search_spool($1)
|
||||||
allow $1 mail_spool_t:dir list_dir_perms;
|
allow $1 mail_spool_t:dir list_dir_perms;
|
||||||
@ -33334,7 +33407,7 @@ index 4e2a5ba..68e2429 100644
|
|||||||
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
|
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -840,7 +892,7 @@ interface(`mta_dontaudit_rw_queue',`
|
@@ -840,7 +915,7 @@ interface(`mta_dontaudit_rw_queue',`
|
||||||
')
|
')
|
||||||
|
|
||||||
dontaudit $1 mqueue_spool_t:dir search_dir_perms;
|
dontaudit $1 mqueue_spool_t:dir search_dir_perms;
|
||||||
@ -33343,7 +33416,7 @@ index 4e2a5ba..68e2429 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -866,6 +918,36 @@ interface(`mta_manage_queue',`
|
@@ -866,6 +941,36 @@ interface(`mta_manage_queue',`
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -33380,7 +33453,7 @@ index 4e2a5ba..68e2429 100644
|
|||||||
## Read sendmail binary.
|
## Read sendmail binary.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -901,3 +983,170 @@ interface(`mta_rw_user_mail_stream_sockets',`
|
@@ -901,3 +1006,170 @@ interface(`mta_rw_user_mail_stream_sockets',`
|
||||||
|
|
||||||
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
|
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
|
||||||
')
|
')
|
||||||
@ -39606,18 +39679,17 @@ index b246bdd..99f27c0 100644
|
|||||||
files_read_etc_files(pads_t)
|
files_read_etc_files(pads_t)
|
||||||
files_search_spool(pads_t)
|
files_search_spool(pads_t)
|
||||||
diff --git a/passenger.fc b/passenger.fc
|
diff --git a/passenger.fc b/passenger.fc
|
||||||
index 545518d..e275c31 100644
|
index 545518d..7d5bf4c 100644
|
||||||
--- a/passenger.fc
|
--- a/passenger.fc
|
||||||
+++ b/passenger.fc
|
+++ b/passenger.fc
|
||||||
@@ -3,6 +3,12 @@
|
@@ -3,6 +3,11 @@
|
||||||
/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
|
/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
|
||||||
/usr/lib/ruby/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
|
/usr/lib/ruby/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
|
||||||
|
|
||||||
+/usr/local/share/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
|
+/usr/share/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
|
||||||
+/usr/local/share/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0)
|
+/usr/share/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0)
|
||||||
+/usr/local/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
|
+/usr/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
|
||||||
+/usr/local/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
|
+/usr/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
|
||||||
+
|
|
||||||
+
|
+
|
||||||
/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0)
|
/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0)
|
||||||
|
|
||||||
@ -46004,7 +46076,7 @@ index 5014056..9505fce 100644
|
|||||||
- allow unconfined_qemu_t qemu_exec_t:file execmod;
|
- allow unconfined_qemu_t qemu_exec_t:file execmod;
|
||||||
-')
|
-')
|
||||||
diff --git a/qmail.fc b/qmail.fc
|
diff --git a/qmail.fc b/qmail.fc
|
||||||
index 0055e54..f988f51 100644
|
index 0055e54..edee505 100644
|
||||||
--- a/qmail.fc
|
--- a/qmail.fc
|
||||||
+++ b/qmail.fc
|
+++ b/qmail.fc
|
||||||
@@ -17,6 +17,7 @@
|
@@ -17,6 +17,7 @@
|
||||||
@ -46015,6 +46087,15 @@ index 0055e54..f988f51 100644
|
|||||||
|
|
||||||
/var/qmail/queue(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
|
/var/qmail/queue(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
|
||||||
|
|
||||||
|
@@ -25,7 +26,7 @@ ifdef(`distro_debian', `
|
||||||
|
|
||||||
|
/usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
|
||||||
|
|
||||||
|
-#/usr/local/bin/serialmail/.* -- gen_context(system_u:object_r:qmail_serialmail_exec_t,s0)
|
||||||
|
+#/usr/bin/serialmail/.* -- gen_context(system_u:object_r:qmail_serialmail_exec_t,s0)
|
||||||
|
|
||||||
|
/usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
|
||||||
|
/usr/sbin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
|
||||||
diff --git a/qmail.if b/qmail.if
|
diff --git a/qmail.if b/qmail.if
|
||||||
index a55bf44..c6dee66 100644
|
index a55bf44..c6dee66 100644
|
||||||
--- a/qmail.if
|
--- a/qmail.if
|
||||||
@ -59852,7 +59933,7 @@ index 904f13e..5801347 100644
|
|||||||
+ ')
|
+ ')
|
||||||
')
|
')
|
||||||
diff --git a/tor.te b/tor.te
|
diff --git a/tor.te b/tor.te
|
||||||
index c842cad..7f05b44 100644
|
index c842cad..3c0dfe4 100644
|
||||||
--- a/tor.te
|
--- a/tor.te
|
||||||
+++ b/tor.te
|
+++ b/tor.te
|
||||||
@@ -36,12 +36,16 @@ logging_log_file(tor_var_log_t)
|
@@ -36,12 +36,16 @@ logging_log_file(tor_var_log_t)
|
||||||
@ -59872,15 +59953,18 @@ index c842cad..7f05b44 100644
|
|||||||
allow tor_t self:fifo_file rw_fifo_file_perms;
|
allow tor_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow tor_t self:unix_stream_socket create_stream_socket_perms;
|
allow tor_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
allow tor_t self:netlink_route_socket r_netlink_socket_perms;
|
allow tor_t self:netlink_route_socket r_netlink_socket_perms;
|
||||||
@@ -75,7 +79,6 @@ files_pid_filetrans(tor_t, tor_var_run_t, { dir file sock_file })
|
@@ -73,9 +77,9 @@ manage_sock_files_pattern(tor_t, tor_var_run_t, tor_var_run_t)
|
||||||
|
files_pid_filetrans(tor_t, tor_var_run_t, { dir file sock_file })
|
||||||
|
|
||||||
kernel_read_system_state(tor_t)
|
kernel_read_system_state(tor_t)
|
||||||
|
+kernel_read_net_sysctls(tor_t)
|
||||||
|
|
||||||
# networking basics
|
# networking basics
|
||||||
-corenet_all_recvfrom_unlabeled(tor_t)
|
-corenet_all_recvfrom_unlabeled(tor_t)
|
||||||
corenet_all_recvfrom_netlabel(tor_t)
|
corenet_all_recvfrom_netlabel(tor_t)
|
||||||
corenet_tcp_sendrecv_generic_if(tor_t)
|
corenet_tcp_sendrecv_generic_if(tor_t)
|
||||||
corenet_udp_sendrecv_generic_if(tor_t)
|
corenet_udp_sendrecv_generic_if(tor_t)
|
||||||
@@ -87,6 +90,7 @@ corenet_tcp_sendrecv_all_reserved_ports(tor_t)
|
@@ -87,6 +91,7 @@ corenet_tcp_sendrecv_all_reserved_ports(tor_t)
|
||||||
corenet_tcp_bind_generic_node(tor_t)
|
corenet_tcp_bind_generic_node(tor_t)
|
||||||
corenet_udp_bind_generic_node(tor_t)
|
corenet_udp_bind_generic_node(tor_t)
|
||||||
corenet_tcp_bind_tor_port(tor_t)
|
corenet_tcp_bind_tor_port(tor_t)
|
||||||
@ -59888,7 +59972,7 @@ index c842cad..7f05b44 100644
|
|||||||
corenet_udp_bind_dns_port(tor_t)
|
corenet_udp_bind_dns_port(tor_t)
|
||||||
corenet_sendrecv_tor_server_packets(tor_t)
|
corenet_sendrecv_tor_server_packets(tor_t)
|
||||||
corenet_sendrecv_dns_server_packets(tor_t)
|
corenet_sendrecv_dns_server_packets(tor_t)
|
||||||
@@ -95,13 +99,14 @@ corenet_tcp_connect_all_ports(tor_t)
|
@@ -95,13 +100,14 @@ corenet_tcp_connect_all_ports(tor_t)
|
||||||
corenet_sendrecv_all_client_packets(tor_t)
|
corenet_sendrecv_all_client_packets(tor_t)
|
||||||
# ... especially including port 80 and other privileged ports
|
# ... especially including port 80 and other privileged ports
|
||||||
corenet_tcp_connect_all_reserved_ports(tor_t)
|
corenet_tcp_connect_all_reserved_ports(tor_t)
|
||||||
|
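Review bot: The new `mta_rw_delivery_tcp_sockets` interface in the mta.if part of this patch carries a header copied from `mta_dontaudit_rw_delivery_tcp_sockets`: the summary says "Allow attempts to read and write" and the parameter is described as "Domain to not audit.", while the rule underneath is `allow $1 mailserver_delivery:tcp_socket { read write };`. The header should read `## Read and write TCP sockets of mail delivery domains.` and `## Domain allowed access.`, so that someone auditing the interface later does not mistake a grant for a dontaudit. The new side also calls this interface from `mta_mailserver_delivery`, which appears to give every type passed to that interface read and write access to the TCP sockets of all domains carrying the `mailserver_delivery` attribute; a comment naming the delivery agent that needs it would make the grant reviewable. The `optional_policy` wrapper around a call into the same module looks unnecessary, though the rest of mta.if is not visible on this page.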
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.11.0
|
Version: 3.11.0
|
||||||
Release: 13%{?dist}
|
Release: 14%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -491,6 +491,9 @@ SELinux Reference policy mls base module.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Jul 30 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-14
|
||||||
|
- Add systemd fixes to make rawhide booting
|
||||||
|
|
||||||
* Fri Jul 27 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-13
|
* Fri Jul 27 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-13
|
||||||
- Add systemd_logind_inhibit_var_run_t attribute
|
- Add systemd_logind_inhibit_var_run_t attribute
|
||||||
- Remove corenet_all_recvfrom_unlabeled() for non-contrib policies because we moved it to domain.if for all domain_type
|
- Remove corenet_all_recvfrom_unlabeled() for non-contrib policies because we moved it to domain.if for all domain_type
|
||||||
|