- Allow bumblebeed to send signal to insmod
- Dontaudit attempts by crond_t net_admin caused by journald - Allow the docker daemon to mounton tty_device_t - Add addtional snapper fixes to allo relabel file_t - Allow setattr for all mountpoints - Allow snapperd to write all dirs - Add support for /etc/sysconfig/snapper - Allow mozilla_plugin to getsession - Add labeling for thttpd - Allow sosreport to execute grub2-probe - Allow NM to manage hostname config file - Allow systemd_timedated_t to dbus chat with rpm_script_t - Allow lsmd plugins to connect to http/ssh/http_cache ports by default - Add lsmd_plugin_connect_any boolea - Add support for ipset - Add support for /dev/sclp_line0 - Add modutils_signal_insmod() - Add files_relabelto_all_mountpoints() interface - Allow the docker daemon to mounton tty_device_t - Allow all systemd domains to read /proc/1 - Login programs talking to journald are attempting to net_admin, add dontaudit - init is not gettar on processes as shutdown time - Add systemd_hostnamed_manage_config() interface - Make unconfined_service_t valid in enforcing - Remove transition for temp dirs created by init_t - gdm-simple-slave uses use setsockopt - Add lvm_read_metadata()
This commit is contained in:
Miroslav Grepl
parent
2a6e2e714e
commit
439063013f
File diff suppressed because it is too large
Load Diff
|
|
@ -2992,10 +2992,10 @@ index 0000000..8ba9c95
|
|||
+ spamassassin_read_pid_files(antivirus_domain)
|
||||
+')
|
||||
diff --git a/apache.fc b/apache.fc
|
||||
index 7caefc3..536a4bd 100644
|
||||
index 7caefc3..516f7bb 100644
|
||||
--- a/apache.fc
|
||||
+++ b/apache.fc
|
||||
@@ -1,162 +1,197 @@
|
||||
@@ -1,162 +1,200 @@
|
||||
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
|
||||
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
|
||||
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
|
||||
|
|
@ -3040,6 +3040,7 @@ index 7caefc3..536a4bd 100644
|
|||
-/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
|
||||
-/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||||
-/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||||
+/etc/thttpd\.conf -- gen_context(system_u:object_r:httpd_config_t,s0)
|
||||
+/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
|
||||
+/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||||
+/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||||
|
|
@ -3112,6 +3113,7 @@ index 7caefc3..536a4bd 100644
|
|||
+/usr/sbin/php-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
+/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
|
||||
+/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
|
||||
+/usr/sbin/thttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
+
|
||||
+ifdef(`distro_suse', `
|
||||
+/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
|
|
@ -3249,6 +3251,7 @@ index 7caefc3..536a4bd 100644
|
|||
/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||||
/var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
|
||||
-/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||||
+/var/log/thttpd\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
|
||||
+/var/log/php_errors\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
|
||||
+/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||||
+ifdef(`distro_debian', `
|
||||
|
|
@ -3282,6 +3285,7 @@ index 7caefc3..536a4bd 100644
|
|||
+/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
+/var/run/nginx.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
+/var/run/php-fpm(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
+/var/run/thttpd\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
+/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
+/var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
|
||||
+
|
||||
|
|
@ -3331,7 +3335,6 @@ index 7caefc3..536a4bd 100644
|
|||
+/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||||
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
+
|
||||
diff --git a/apache.if b/apache.if
|
||||
index f6eb485..51b128e 100644
|
||||
--- a/apache.if
|
||||
|
|
@ -10107,10 +10110,10 @@ index 0000000..de66654
|
|||
+')
|
||||
diff --git a/bumblebee.te b/bumblebee.te
|
||||
new file mode 100644
|
||||
index 0000000..fe923e3
|
||||
index 0000000..1076e6a
|
||||
--- /dev/null
|
||||
+++ b/bumblebee.te
|
||||
@@ -0,0 +1,59 @@
|
||||
@@ -0,0 +1,60 @@
|
||||
+policy_module(bumblebee, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
|
|
@ -10158,6 +10161,7 @@ index 0000000..fe923e3
|
|||
+logging_send_syslog_msg(bumblebee_t)
|
||||
+
|
||||
+modutils_domtrans_insmod(bumblebee_t)
|
||||
+modutils_signal_insmod(bumblebee_t)
|
||||
+
|
||||
+sysnet_dns_name_resolve(bumblebee_t)
|
||||
+
|
||||
|
|
@ -16522,7 +16526,7 @@ index 1303b30..72481a7 100644
|
|||
+ logging_log_filetrans($1, cron_log_t, $2, $3)
|
||||
')
|
||||
diff --git a/cron.te b/cron.te
|
||||
index 7de3859..ce147f1 100644
|
||||
index 7de3859..4e6ebcd 100644
|
||||
--- a/cron.te
|
||||
+++ b/cron.te
|
||||
@@ -11,46 +11,46 @@ gen_require(`
|
||||
|
|
@ -16722,7 +16726,7 @@ index 7de3859..ce147f1 100644
|
|||
selinux_get_fs_mount(admin_crontab_t)
|
||||
selinux_validate_context(admin_crontab_t)
|
||||
selinux_compute_access_vector(admin_crontab_t)
|
||||
@@ -204,12 +148,14 @@ selinux_compute_relabel_context(admin_crontab_t)
|
||||
@@ -204,22 +148,26 @@ selinux_compute_relabel_context(admin_crontab_t)
|
||||
selinux_compute_user_contexts(admin_crontab_t)
|
||||
|
||||
tunable_policy(`fcron_crond',`
|
||||
|
|
@ -16738,7 +16742,9 @@ index 7de3859..ce147f1 100644
|
|||
#
|
||||
|
||||
allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search };
|
||||
@@ -218,8 +164,10 @@ allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem exec
|
||||
-dontaudit crond_t self:capability { sys_resource sys_tty_config };
|
||||
+dontaudit crond_t self:capability { net_admin sys_resource sys_tty_config };
|
||||
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
|
||||
allow crond_t self:process { setexec setfscreate };
|
||||
allow crond_t self:fd use;
|
||||
allow crond_t self:fifo_file rw_fifo_file_perms;
|
||||
|
|
@ -23445,10 +23451,10 @@ index 0000000..89401fe
|
|||
+')
|
||||
diff --git a/docker.te b/docker.te
|
||||
new file mode 100644
|
||||
index 0000000..a1e6966
|
||||
index 0000000..75d51ed
|
||||
--- /dev/null
|
||||
+++ b/docker.te
|
||||
@@ -0,0 +1,239 @@
|
||||
@@ -0,0 +1,240 @@
|
||||
+policy_module(docker, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
|
|
@ -23657,6 +23663,7 @@ index 0000000..a1e6966
|
|||
+term_use_ptmx(docker_t)
|
||||
+term_getattr_pty_fs(docker_t)
|
||||
+term_relabel_pty_fs(docker_t)
|
||||
+term_mounton_unallocated_ttys(docker_t)
|
||||
+
|
||||
+modutils_domtrans_insmod(docker_t)
|
||||
+
|
||||
|
|
@ -39632,10 +39639,24 @@ index d314333..da30c5d 100644
|
|||
+ ')
|
||||
')
|
||||
diff --git a/lsm.te b/lsm.te
|
||||
index 4ec0eea..5bf5627 100644
|
||||
index 4ec0eea..0f702df 100644
|
||||
--- a/lsm.te
|
||||
+++ b/lsm.te
|
||||
@@ -12,6 +12,17 @@ init_daemon_domain(lsmd_t, lsmd_exec_t)
|
||||
@@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0)
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Determine whether lsmd_plugin can
|
||||
+## connect to all TCP ports.
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+gen_tunable(lsmd_plugin_connect_any, false)
|
||||
|
||||
type lsmd_t;
|
||||
type lsmd_exec_t;
|
||||
@@ -12,6 +19,17 @@ init_daemon_domain(lsmd_t, lsmd_exec_t)
|
||||
type lsmd_var_run_t;
|
||||
files_pid_file(lsmd_var_run_t)
|
||||
|
||||
|
|
@ -39653,7 +39674,7 @@ index 4ec0eea..5bf5627 100644
|
|||
########################################
|
||||
#
|
||||
# Local policy
|
||||
@@ -26,4 +37,36 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
|
||||
@@ -26,4 +44,47 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
|
||||
manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
|
||||
files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
|
||||
|
||||
|
|
@ -39667,6 +39688,7 @@ index 4ec0eea..5bf5627 100644
|
|||
+#
|
||||
+
|
||||
+allow lsmd_plugin_t self:udp_socket create_socket_perms;
|
||||
+allow lsmd_plugin_t self:tcp_socket create_stream_socket_perms;
|
||||
+
|
||||
+domtrans_pattern(lsmd_t, lsmd_plugin_exec_t, lsmd_plugin_t)
|
||||
+allow lsmd_plugin_t lsmd_t:unix_stream_socket { read write };
|
||||
|
|
@ -39678,12 +39700,22 @@ index 4ec0eea..5bf5627 100644
|
|||
+manage_dirs_pattern(lsmd_plugin_t, lsmd_plugin_tmp_t, lsmd_plugin_tmp_t)
|
||||
+files_tmp_filetrans(lsmd_plugin_t, lsmd_plugin_tmp_t, { file dir })
|
||||
+
|
||||
+tunable_policy(`lsmd_plugin_connect_any',`
|
||||
+ corenet_tcp_connect_all_ports(lsmd_plugin_t)
|
||||
+ corenet_sendrecv_all_packets(lsmd_plugin_t)
|
||||
+ corenet_tcp_sendrecv_all_ports(lsmd_plugin_t)
|
||||
+')
|
||||
+
|
||||
+kernel_read_system_state(lsmd_plugin_t)
|
||||
+
|
||||
+dev_read_urand(lsmd_plugin_t)
|
||||
+
|
||||
+corecmd_exec_bin(lsmd_plugin_t)
|
||||
+
|
||||
+corenet_tcp_connect_http_port(lsmd_plugin_t)
|
||||
+corenet_tcp_connect_http_cache_port(lsmd_plugin_t)
|
||||
+corenet_tcp_connect_ssh_port(lsmd_plugin_t)
|
||||
+
|
||||
+init_stream_connect(lsmd_plugin_t)
|
||||
+init_dontaudit_rw_stream_socket(lsmd_plugin_t)
|
||||
+
|
||||
|
|
@ -44133,7 +44165,7 @@ index 6194b80..03c6414 100644
|
|||
')
|
||||
+
|
||||
diff --git a/mozilla.te b/mozilla.te
|
||||
index 11ac8e4..ea784b3 100644
|
||||
index 11ac8e4..dfd8d3a 100644
|
||||
--- a/mozilla.te
|
||||
+++ b/mozilla.te
|
||||
@@ -6,17 +6,41 @@ policy_module(mozilla, 2.8.0)
|
||||
|
|
@ -44571,7 +44603,7 @@ index 11ac8e4..ea784b3 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -300,259 +324,241 @@ optional_policy(`
|
||||
@@ -300,259 +324,243 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -44585,7 +44617,7 @@ index 11ac8e4..ea784b3 100644
|
|||
+dontaudit mozilla_plugin_t self:capability { sys_admin ipc_lock sys_nice sys_tty_config };
|
||||
+dontaudit mozilla_plugin_t self:capability2 block_suspend;
|
||||
+
|
||||
+allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem execstack setrlimit transition };
|
||||
+allow mozilla_plugin_t self:process { getsession setcap setpgid getsched setsched signal_perms execmem execstack setrlimit transition };
|
||||
+allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
+allow mozilla_plugin_t self:netlink_socket create_socket_perms;
|
||||
+allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
|
||||
|
|
@ -44670,6 +44702,8 @@ index 11ac8e4..ea784b3 100644
|
|||
kernel_request_load_module(mozilla_plugin_t)
|
||||
kernel_dontaudit_getattr_core_if(mozilla_plugin_t)
|
||||
+files_dontaudit_read_root_files(mozilla_plugin_t)
|
||||
+kernel_dontaudit_list_all_proc(mozilla_plugin_t)
|
||||
+kernel_dontaudit_list_all_sysctls(mozilla_plugin_t)
|
||||
|
||||
corecmd_exec_bin(mozilla_plugin_t)
|
||||
corecmd_exec_shell(mozilla_plugin_t)
|
||||
|
|
@ -44962,7 +44996,7 @@ index 11ac8e4..ea784b3 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -560,7 +566,11 @@ optional_policy(`
|
||||
@@ -560,7 +568,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -44975,7 +45009,7 @@ index 11ac8e4..ea784b3 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -568,108 +578,131 @@ optional_policy(`
|
||||
@@ -568,108 +580,131 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -48293,7 +48327,7 @@ index 687af38..404ed6d 100644
|
|||
+ mysql_stream_connect($1)
|
||||
')
|
||||
diff --git a/mysql.te b/mysql.te
|
||||
index 7584bbe..d053405 100644
|
||||
index 7584bbe..ae0d53a 100644
|
||||
--- a/mysql.te
|
||||
+++ b/mysql.te
|
||||
@@ -6,20 +6,15 @@ policy_module(mysql, 1.14.1)
|
||||
|
|
@ -48453,7 +48487,7 @@ index 7584bbe..d053405 100644
|
|||
seutil_sigchld_newrole(mysqld_t)
|
||||
')
|
||||
|
||||
@@ -155,21 +160,17 @@ optional_policy(`
|
||||
@@ -155,21 +160,18 @@ optional_policy(`
|
||||
|
||||
#######################################
|
||||
#
|
||||
|
|
@ -48463,6 +48497,7 @@ index 7584bbe..d053405 100644
|
|||
|
||||
-allow mysqld_safe_t self:capability { chown dac_override fowner kill };
|
||||
+allow mysqld_safe_t self:capability { chown dac_override fowner kill sys_nice sys_resource };
|
||||
+dontaudit mysqld_safe_t self:capability sys_ptrace;
|
||||
allow mysqld_safe_t self:process { setsched getsched setrlimit };
|
||||
allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
|
|
@ -48479,7 +48514,7 @@ index 7584bbe..d053405 100644
|
|||
|
||||
list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
|
||||
manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
|
||||
@@ -177,9 +178,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
|
||||
@@ -177,9 +179,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
|
||||
logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
|
||||
|
||||
manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
|
||||
|
|
@ -48490,7 +48525,7 @@ index 7584bbe..d053405 100644
|
|||
|
||||
kernel_read_system_state(mysqld_safe_t)
|
||||
kernel_read_kernel_sysctls(mysqld_safe_t)
|
||||
@@ -187,21 +186,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
|
||||
@@ -187,21 +187,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
|
||||
corecmd_exec_bin(mysqld_safe_t)
|
||||
corecmd_exec_shell(mysqld_safe_t)
|
||||
|
||||
|
|
@ -48526,7 +48561,7 @@ index 7584bbe..d053405 100644
|
|||
|
||||
optional_policy(`
|
||||
hostname_exec(mysqld_safe_t)
|
||||
@@ -209,7 +216,7 @@ optional_policy(`
|
||||
@@ -209,7 +217,7 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -48535,7 +48570,7 @@ index 7584bbe..d053405 100644
|
|||
#
|
||||
|
||||
allow mysqlmanagerd_t self:capability { dac_override kill };
|
||||
@@ -218,11 +225,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
|
||||
@@ -218,11 +226,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
|
|
@ -48553,7 +48588,7 @@ index 7584bbe..d053405 100644
|
|||
|
||||
domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
|
||||
|
||||
@@ -230,31 +238,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
|
||||
@@ -230,31 +239,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
|
||||
manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
|
||||
filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
|
||||
|
||||
|
|
@ -50258,7 +50293,7 @@ index 86dc29d..993ecf5 100644
|
|||
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
|
||||
')
|
||||
diff --git a/networkmanager.te b/networkmanager.te
|
||||
index 55f2009..8562dec 100644
|
||||
index 55f2009..5e67bb6 100644
|
||||
--- a/networkmanager.te
|
||||
+++ b/networkmanager.te
|
||||
@@ -9,15 +9,18 @@ type NetworkManager_t;
|
||||
|
|
@ -50624,7 +50659,7 @@ index 55f2009..8562dec 100644
|
|||
+ systemd_write_inhibit_pipes(NetworkManager_t)
|
||||
+ systemd_read_logind_sessions_files(NetworkManager_t)
|
||||
+ systemd_dbus_chat_logind(NetworkManager_t)
|
||||
+ systemd_hostnamed_read_config(NetworkManager_t)
|
||||
+ systemd_hostnamed_manage_config(NetworkManager_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
|
|
@ -80070,7 +80105,7 @@ index ef3b225..d248cd3 100644
|
|||
init_labeled_script_domtrans($1, rpm_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
diff --git a/rpm.te b/rpm.te
|
||||
index 6fc360e..4e28c91 100644
|
||||
index 6fc360e..44f9739 100644
|
||||
--- a/rpm.te
|
||||
+++ b/rpm.te
|
||||
@@ -1,15 +1,13 @@
|
||||
|
|
@ -80474,7 +80509,7 @@ index 6fc360e..4e28c91 100644
|
|||
|
||||
ifdef(`distro_redhat',`
|
||||
optional_policy(`
|
||||
@@ -363,41 +385,67 @@ ifdef(`distro_redhat',`
|
||||
@@ -363,41 +385,68 @@ ifdef(`distro_redhat',`
|
||||
')
|
||||
')
|
||||
|
||||
|
|
@ -80512,6 +80547,7 @@ index 6fc360e..4e28c91 100644
|
|||
- ')
|
||||
+ optional_policy(`
|
||||
+ systemd_dbus_chat_logind(rpm_script_t)
|
||||
+ systemd_dbus_chat_timedated(rpm_script_t)
|
||||
+ ')
|
||||
+')
|
||||
+
|
||||
|
|
@ -80553,7 +80589,7 @@ index 6fc360e..4e28c91 100644
|
|||
|
||||
optional_policy(`
|
||||
java_domtrans_unconfined(rpm_script_t)
|
||||
@@ -409,6 +457,6 @@ optional_policy(`
|
||||
@@ -409,6 +458,6 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -83828,10 +83864,10 @@ index 0000000..b7db254
|
|||
+# Empty
|
||||
diff --git a/sandbox.if b/sandbox.if
|
||||
new file mode 100644
|
||||
index 0000000..8a6ad19
|
||||
index 0000000..89bc443
|
||||
--- /dev/null
|
||||
+++ b/sandbox.if
|
||||
@@ -0,0 +1,56 @@
|
||||
@@ -0,0 +1,57 @@
|
||||
+
|
||||
+## <summary>policy for sandbox</summary>
|
||||
+
|
||||
|
|
@ -83862,6 +83898,7 @@ index 0000000..8a6ad19
|
|||
+ allow sandbox_domain $1:process { sigchld signull };
|
||||
+ allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
|
||||
+ dontaudit sandbox_domain $1:process signal;
|
||||
+ dontaudit sandbox_domain $1:key { link read search view };
|
||||
+ dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms;
|
||||
+')
|
||||
+
|
||||
|
|
@ -83966,10 +84003,10 @@ index 0000000..6caef63
|
|||
+/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0)
|
||||
diff --git a/sandboxX.if b/sandboxX.if
|
||||
new file mode 100644
|
||||
index 0000000..e30b346
|
||||
index 0000000..3258f45
|
||||
--- /dev/null
|
||||
+++ b/sandboxX.if
|
||||
@@ -0,0 +1,393 @@
|
||||
@@ -0,0 +1,394 @@
|
||||
+
|
||||
+## <summary>policy for sandboxX </summary>
|
||||
+
|
||||
|
|
@ -84011,6 +84048,7 @@ index 0000000..e30b346
|
|||
+ dontaudit sandbox_xserver_t $1:file read;
|
||||
+ allow sandbox_x_domain sandbox_x_domain:process signal;
|
||||
+ # Dontaudit leaked file descriptors
|
||||
+ dontaudit sandbox_x_domain $1:key { link read search view };
|
||||
+ dontaudit sandbox_x_domain $1:fifo_file { read write };
|
||||
+ dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
|
||||
+ dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
|
||||
|
|
@ -88492,13 +88530,14 @@ index cbfe369..6594af3 100644
|
|||
files_search_var_lib($1)
|
||||
diff --git a/snapper.fc b/snapper.fc
|
||||
new file mode 100644
|
||||
index 0000000..1cb1360
|
||||
index 0000000..ab5d7e7
|
||||
--- /dev/null
|
||||
+++ b/snapper.fc
|
||||
@@ -0,0 +1,5 @@
|
||||
@@ -0,0 +1,6 @@
|
||||
+/usr/sbin/snapperd -- gen_context(system_u:object_r:snapperd_exec_t,s0)
|
||||
+
|
||||
+/etc/snapper(/.*)? gen_context(system_u:object_r:snapperd_conf_t,s0)
|
||||
+/etc/sysconfig/snapper -- gen_context(system_u:object_r:snapperd_conf_t,s0)
|
||||
+
|
||||
+/var/log/snapper\.log.* -- gen_context(system_u:object_r:snapperd_log_t,s0)
|
||||
diff --git a/snapper.if b/snapper.if
|
||||
|
|
@ -88551,10 +88590,10 @@ index 0000000..94105ee
|
|||
+')
|
||||
diff --git a/snapper.te b/snapper.te
|
||||
new file mode 100644
|
||||
index 0000000..a299f53
|
||||
index 0000000..01ade60
|
||||
--- /dev/null
|
||||
+++ b/snapper.te
|
||||
@@ -0,0 +1,66 @@
|
||||
@@ -0,0 +1,70 @@
|
||||
+policy_module(snapper, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
|
|
@ -88599,6 +88638,10 @@ index 0000000..a299f53
|
|||
+corecmd_exec_shell(snapperd_t)
|
||||
+corecmd_exec_bin(snapperd_t)
|
||||
+
|
||||
+files_write_all_dirs(snapperd_t)
|
||||
+files_setattr_all_mountpoints(snapperd_t)
|
||||
+files_relabelto_all_mountpoints(snapperd_t)
|
||||
+files_relabelfrom_isid_type(snapperd_t)
|
||||
+files_read_all_files(snapperd_t)
|
||||
+files_list_all(snapperd_t)
|
||||
+
|
||||
|
|
@ -88948,7 +88991,7 @@ index 634c6b4..e1edfd9 100644
|
|||
|
||||
########################################
|
||||
diff --git a/sosreport.te b/sosreport.te
|
||||
index f2f507d..3d93f55 100644
|
||||
index f2f507d..0d4a35c 100644
|
||||
--- a/sosreport.te
|
||||
+++ b/sosreport.te
|
||||
@@ -13,15 +13,15 @@ type sosreport_exec_t;
|
||||
|
|
@ -89016,16 +89059,17 @@ index f2f507d..3d93f55 100644
|
|||
|
||||
corecmd_exec_all_executables(sosreport_t)
|
||||
|
||||
@@ -69,6 +89,8 @@ dev_read_urand(sosreport_t)
|
||||
@@ -69,6 +89,9 @@ dev_read_urand(sosreport_t)
|
||||
dev_read_raw_memory(sosreport_t)
|
||||
dev_read_sysfs(sosreport_t)
|
||||
dev_rw_generic_usb_dev(sosreport_t)
|
||||
+dev_rw_lvm_control(sosreport_t)
|
||||
+dev_getattr_all_chr_files(sosreport_t)
|
||||
+dev_getattr_all_blk_files(sosreport_t)
|
||||
|
||||
domain_getattr_all_domains(sosreport_t)
|
||||
domain_read_all_domains_state(sosreport_t)
|
||||
@@ -83,7 +105,6 @@ files_list_all(sosreport_t)
|
||||
@@ -83,7 +106,6 @@ files_list_all(sosreport_t)
|
||||
files_read_config_files(sosreport_t)
|
||||
files_read_generic_tmp_files(sosreport_t)
|
||||
files_read_non_auth_files(sosreport_t)
|
||||
|
|
@ -89033,7 +89077,7 @@ index f2f507d..3d93f55 100644
|
|||
files_read_var_lib_files(sosreport_t)
|
||||
files_read_var_symlinks(sosreport_t)
|
||||
files_read_kernel_modules(sosreport_t)
|
||||
@@ -92,25 +113,35 @@ files_manage_etc_runtime_files(sosreport_t)
|
||||
@@ -92,25 +114,35 @@ files_manage_etc_runtime_files(sosreport_t)
|
||||
files_etc_filetrans_etc_runtime(sosreport_t, file)
|
||||
|
||||
fs_getattr_all_fs(sosreport_t)
|
||||
|
|
@ -89072,10 +89116,14 @@ index f2f507d..3d93f55 100644
|
|||
|
||||
optional_policy(`
|
||||
abrt_manage_pid_files(sosreport_t)
|
||||
@@ -119,6 +150,10 @@ optional_policy(`
|
||||
@@ -119,6 +151,14 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ bootloader_exec(sosreport_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ brctl_domtrans(sosreport_t)
|
||||
+')
|
||||
+
|
||||
|
|
@ -89083,10 +89131,11 @@ index f2f507d..3d93f55 100644
|
|||
cups_stream_connect(sosreport_t)
|
||||
')
|
||||
|
||||
@@ -127,6 +162,15 @@ optional_policy(`
|
||||
@@ -127,6 +167,16 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ lvm_read_config(sosreport_t)
|
||||
+ lvm_dontaudit_access_check_lock(sosreport_t)
|
||||
+')
|
||||
+
|
||||
|
|
@ -89099,7 +89148,7 @@ index f2f507d..3d93f55 100644
|
|||
fstools_domtrans(sosreport_t)
|
||||
')
|
||||
|
||||
@@ -136,6 +180,10 @@ optional_policy(`
|
||||
@@ -136,6 +186,10 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
hal_dbus_chat(sosreport_t)
|
||||
')
|
||||
|
|
@ -89110,7 +89159,7 @@ index f2f507d..3d93f55 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -147,13 +195,34 @@ optional_policy(`
|
||||
@@ -147,13 +201,34 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@
|
|||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 27%{?dist}
|
||||
Release: 28%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
|
|
@ -580,6 +580,35 @@ SELinux Reference policy mls base module.
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Feb 27 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-28
|
||||
- Allow bumblebeed to send signal to insmod
|
||||
- Dontaudit attempts by crond_t net_admin caused by journald
|
||||
- Allow the docker daemon to mounton tty_device_t
|
||||
- Add addtional snapper fixes to allo relabel file_t
|
||||
- Allow setattr for all mountpoints
|
||||
- Allow snapperd to write all dirs
|
||||
- Add support for /etc/sysconfig/snapper
|
||||
- Allow mozilla_plugin to getsession
|
||||
- Add labeling for thttpd
|
||||
- Allow sosreport to execute grub2-probe
|
||||
- Allow NM to manage hostname config file
|
||||
- Allow systemd_timedated_t to dbus chat with rpm_script_t
|
||||
- Allow lsmd plugins to connect to http/ssh/http_cache ports by default
|
||||
- Add lsmd_plugin_connect_any boolea
|
||||
- Add support for ipset
|
||||
- Add support for /dev/sclp_line0
|
||||
- Add modutils_signal_insmod()
|
||||
- Add files_relabelto_all_mountpoints() interface
|
||||
- Allow the docker daemon to mounton tty_device_t
|
||||
- Allow all systemd domains to read /proc/1
|
||||
- Login programs talking to journald are attempting to net_admin, add dontaudit
|
||||
- init is not gettar on processes as shutdown time
|
||||
- Add systemd_hostnamed_manage_config() interface
|
||||
- Make unconfined_service_t valid in enforcing
|
||||
- Remove transition for temp dirs created by init_t
|
||||
- gdm-simple-slave uses use setsockopt
|
||||
- Add lvm_read_metadata()
|
||||
|
||||
* Mon Feb 24 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-27
|
||||
- Make unconfined_service_t valid in enforcing
|
||||
- Remove transition for temp dirs created by init_t
|
||||
|
|
|
|||
Loading…
Reference in New Issue