- Add additional fixes for #948073 bug
- Allow sge_execd_t to also connect to sge ports
- Allow openshift_cron_t to manage openshift_var_lib_t sym links
- Allow openshift_cron_t to manage openshift_var_lib_t sym links
- Allow sge_execd to bind sge ports. Allow kill capability and read
- Remove pulseaudio filetrans pulseaudio_manage_home_dirs which is
- Add networkmanager_stream_connect()
- Make gnome-abrt working with staff_t
- Fix openshift_manage_lib_files() interface
- mdadm runs ps command which seems to getattr on random log files
- Allow mozilla_plugin_t to create pulseaudio_home_t directories
- Allow qemu-ga to shutdown virtual hosts
- Add labelling for cupsd-browsed
- Add web browser plugins to connect to aol ports
- Allow nm-dhcp-helper to stream connect to NM
- Add port definition for sge ports
parent
ff5e7c397d
commit
471c1eb0e1
@ -5083,7 +5083,7 @@ index 8e0f9cd..b9f45b9 100644
|
||||
|
||||
define(`create_packet_interfaces',``
|
||||
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
|
||||
index 4edc40d..73d7b76 100644
|
||||
index 4edc40d..2b87328 100644
|
||||
--- a/policy/modules/kernel/corenetwork.te.in
|
||||
+++ b/policy/modules/kernel/corenetwork.te.in
|
||||
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
|
||||
@ -5308,7 +5308,7 @@ index 4edc40d..73d7b76 100644
|
||||
network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0)
|
||||
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
|
||||
network_port(portmap, udp,111,s0, tcp,111,s0)
|
||||
@@ -214,38 +254,41 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
|
||||
@@ -214,38 +254,42 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
|
||||
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
|
||||
network_port(printer, tcp,515,s0)
|
||||
network_port(ptal, tcp,5703,s0)
|
||||
@ -5337,6 +5337,7 @@ index 4edc40d..73d7b76 100644
|
||||
network_port(sap, tcp,9875,s0, udp,9875,s0)
|
||||
+network_port(saphostctrl, tcp,1128,s0, tcp,1129,s0)
|
||||
network_port(servistaitsm, tcp,3636,s0, udp,3636,s0)
|
||||
+network_port(sge, tcp,6444,s0, tcp,6445,s0)
|
||||
network_port(sieve, tcp,4190,s0)
|
||||
network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0)
|
||||
network_port(sixxsconfig, tcp,3874,s0, udp,3874,s0)
|
||||
@ -5356,7 +5357,7 @@ index 4edc40d..73d7b76 100644
|
||||
network_port(ssh, tcp,22,s0)
|
||||
network_port(stunnel) # no defined portcon
|
||||
network_port(svn, tcp,3690,s0, udp,3690,s0)
|
||||
@@ -257,8 +300,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
|
||||
@@ -257,8 +301,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
|
||||
network_port(tcs, tcp, 30003, s0)
|
||||
network_port(telnetd, tcp,23,s0)
|
||||
network_port(tftp, udp,69,s0)
|
||||
@ -5367,7 +5368,7 @@ index 4edc40d..73d7b76 100644
|
||||
network_port(transproxy, tcp,8081,s0)
|
||||
network_port(trisoap, tcp,10200,s0, udp,10200,s0)
|
||||
network_port(ups, tcp,3493,s0)
|
||||
@@ -268,10 +312,10 @@ network_port(varnishd, tcp,6081-6082,s0)
|
||||
@@ -268,10 +313,10 @@ network_port(varnishd, tcp,6081-6082,s0)
|
||||
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
|
||||
network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
|
||||
network_port(virt_migration, tcp,49152-49216,s0)
|
||||
@ -5380,7 +5381,7 @@ index 4edc40d..73d7b76 100644
|
||||
network_port(winshadow, tcp,3161,s0, udp,3261,s0)
|
||||
network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
|
||||
network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
|
||||
@@ -292,12 +336,16 @@ network_port(zope, tcp,8021,s0)
|
||||
@@ -292,12 +337,16 @@ network_port(zope, tcp,8021,s0)
|
||||
# Defaults for reserved ports. Earlier portcon entries take precedence;
|
||||
# these entries just cover any remaining reserved ports not otherwise declared.
|
||||
|
||||
@ -5399,7 +5400,7 @@ index 4edc40d..73d7b76 100644
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -330,6 +378,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
|
||||
@@ -330,6 +379,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
|
||||
|
||||
build_option(`enable_mls',`
|
||||
network_interface(lo, lo, s0 - mls_systemhigh)
|
||||
@ -5408,7 +5409,7 @@ index 4edc40d..73d7b76 100644
|
||||
',`
|
||||
typealias netif_t alias { lo_netif_t netif_lo_t };
|
||||
')
|
||||
@@ -342,9 +392,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
|
||||
@@ -342,9 +393,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
|
||||
allow corenet_unconfined_type node_type:node *;
|
||||
allow corenet_unconfined_type netif_type:netif *;
|
||||
allow corenet_unconfined_type packet_type:packet *;
|
||||
@ -8069,7 +8070,7 @@ index 6a1e4d1..adafd25 100644
|
||||
+ dontaudit $1 domain:socket_class_set { read write };
|
||||
')
|
||||
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
|
||||
index cf04cb5..3a38af0 100644
|
||||
index cf04cb5..8542b3d 100644
|
||||
--- a/policy/modules/kernel/domain.te
|
||||
+++ b/policy/modules/kernel/domain.te
|
||||
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
|
||||
@ -8197,7 +8198,7 @@ index cf04cb5..3a38af0 100644
|
||||
|
||||
# Create/access any System V IPC objects.
|
||||
allow unconfined_domain_type domain:{ sem msgq shm } *;
|
||||
@@ -166,5 +229,267 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
|
||||
@@ -166,5 +229,271 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
|
||||
# act on all domains keys
|
||||
allow unconfined_domain_type domain:key *;
|
||||
|
||||
@ -8214,6 +8215,10 @@ index cf04cb5..3a38af0 100644
|
||||
+dev_config_null_dev_service(unconfined_domain_type)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ locallogin_filetrans_home_content(unconfined_domain_type)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ seutil_filetrans_named_content(unconfined_domain_type)
|
||||
+')
|
||||
+
|
||||
@ -28769,7 +28774,7 @@ index be6a81b..a5303e9 100644
|
||||
+/usr/sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0)
|
||||
+/usr/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
|
||||
diff --git a/policy/modules/system/locallogin.if b/policy/modules/system/locallogin.if
|
||||
index 0e3c2a9..40adf5a 100644
|
||||
index 0e3c2a9..ea9bd57 100644
|
||||
--- a/policy/modules/system/locallogin.if
|
||||
+++ b/policy/modules/system/locallogin.if
|
||||
@@ -129,3 +129,59 @@ interface(`locallogin_domtrans_sulogin',`
|
||||
@ -28830,8 +28835,8 @@ index 0e3c2a9..40adf5a 100644
|
||||
+ ')
|
||||
+
|
||||
+ userdom_user_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
|
||||
+ userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
|
||||
+')
|
||||
+
|
||||
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
|
||||
index c04ac46..e06286c 100644
|
||||
--- a/policy/modules/system/locallogin.te
|
||||
@ -33644,7 +33649,7 @@ index 6944526..ec17624 100644
|
||||
+ files_etc_filetrans($1, net_conf_t, file, "ntp.conf")
|
||||
+')
|
||||
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
|
||||
index b7686d5..9a50b11 100644
|
||||
index b7686d5..50102d0 100644
|
||||
--- a/policy/modules/system/sysnetwork.te
|
||||
+++ b/policy/modules/system/sysnetwork.te
|
||||
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6)
|
||||
@ -33805,7 +33810,7 @@ index b7686d5..9a50b11 100644
|
||||
hotplug_getattr_config_dirs(dhcpc_t)
|
||||
hotplug_search_config(dhcpc_t)
|
||||
|
||||
@@ -190,23 +212,35 @@ optional_policy(`
|
||||
@@ -190,23 +212,36 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
netutils_run_ping(dhcpc_t, dhcpc_roles)
|
||||
netutils_run(dhcpc_t, dhcpc_roles)
|
||||
@ -33820,6 +33825,7 @@ index b7686d5..9a50b11 100644
|
||||
+ networkmanager_domtrans(dhcpc_t)
|
||||
+ networkmanager_read_pid_files(dhcpc_t)
|
||||
+ networkmanager_manage_lib(dhcpc_t)
|
||||
+ networkmanager_stream_connect(dhcpc_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
@ -33841,7 +33847,7 @@ index b7686d5..9a50b11 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -216,7 +250,11 @@ optional_policy(`
|
||||
@@ -216,7 +251,11 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(dhcpc_t)
|
||||
@ -33854,7 +33860,7 @@ index b7686d5..9a50b11 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -259,6 +297,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
|
||||
@@ -259,6 +298,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
|
||||
allow ifconfig_t self:msg { send receive };
|
||||
# Create UDP sockets, necessary when called from dhcpc
|
||||
allow ifconfig_t self:udp_socket create_socket_perms;
|
||||
@ -33862,7 +33868,7 @@ index b7686d5..9a50b11 100644
|
||||
# for /sbin/ip
|
||||
allow ifconfig_t self:packet_socket create_socket_perms;
|
||||
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
@@ -277,11 +316,20 @@ corenet_rw_tun_tap_dev(ifconfig_t)
|
||||
@@ -277,11 +317,20 @@ corenet_rw_tun_tap_dev(ifconfig_t)
|
||||
dev_read_sysfs(ifconfig_t)
|
||||
# for IPSEC setup:
|
||||
dev_read_urand(ifconfig_t)
|
||||
@ -33883,7 +33889,7 @@ index b7686d5..9a50b11 100644
|
||||
|
||||
fs_getattr_xattr_fs(ifconfig_t)
|
||||
fs_search_auto_mountpoints(ifconfig_t)
|
||||
@@ -294,22 +342,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
|
||||
@@ -294,22 +343,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
|
||||
term_dontaudit_use_ptmx(ifconfig_t)
|
||||
term_dontaudit_use_generic_ptys(ifconfig_t)
|
||||
|
||||
@ -33911,7 +33917,7 @@ index b7686d5..9a50b11 100644
|
||||
userdom_use_all_users_fds(ifconfig_t)
|
||||
|
||||
ifdef(`distro_ubuntu',`
|
||||
@@ -318,7 +366,22 @@ ifdef(`distro_ubuntu',`
|
||||
@@ -318,7 +367,22 @@ ifdef(`distro_ubuntu',`
|
||||
')
|
||||
')
|
||||
|
||||
@ -33934,7 +33940,7 @@ index b7686d5..9a50b11 100644
|
||||
optional_policy(`
|
||||
dev_dontaudit_rw_cardmgr(ifconfig_t)
|
||||
')
|
||||
@@ -329,8 +392,7 @@ ifdef(`hide_broken_symptoms',`
|
||||
@@ -329,8 +393,7 @@ ifdef(`hide_broken_symptoms',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -33944,7 +33950,7 @@ index b7686d5..9a50b11 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -339,7 +401,11 @@ optional_policy(`
|
||||
@@ -339,7 +402,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -33957,7 +33963,7 @@ index b7686d5..9a50b11 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -360,3 +426,9 @@ optional_policy(`
|
||||
@@ -360,3 +427,9 @@ optional_policy(`
|
||||
xen_append_log(ifconfig_t)
|
||||
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
|
||||
')
|
||||
@ -41322,7 +41328,7 @@ index 3c5dba7..e27d755 100644
|
||||
+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates")
|
||||
')
|
||||
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
|
||||
index e2b538b..2582882 100644
|
||||
index e2b538b..77626dd 100644
|
||||
--- a/policy/modules/system/userdomain.te
|
||||
+++ b/policy/modules/system/userdomain.te
|
||||
@@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.5)
|
||||
@ -41410,7 +41416,7 @@ index e2b538b..2582882 100644
|
||||
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
|
||||
fs_associate_tmpfs(user_home_dir_t)
|
||||
files_type(user_home_dir_t)
|
||||
@@ -70,26 +82,218 @@ ubac_constrained(user_home_dir_t)
|
||||
@@ -70,26 +82,222 @@ ubac_constrained(user_home_dir_t)
|
||||
|
||||
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
|
||||
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
|
||||
@ -41482,6 +41488,10 @@ index e2b538b..2582882 100644
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ locallogin_filetrans_home_content(userdomain)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ ssh_filetrans_home_content(userdomain)
|
||||
+ ssh_rw_tcp_sockets(userdomain)
|
||||
+')
|
||||
|
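Review bot: The added `network_port(sge, tcp,6444,s0, tcp,6445,s0)` entry in the corenetwork.te.in part of this patch (between `servistaitsm` and `sieve`) gives ports 6444 and 6445 their own port type, so domains that previously reached them only through generic or unreserved-port rules will presumably be denied after the update unless they are granted the sge port interfaces. The commit message names connect and bind for sge_execd only; please confirm that the other Grid Engine domains using these ports are covered, and watch the audit log for new denials on the sge port type once this ships. I would also add a one-line comment above the entry, `# Grid Engine: sge_qmaster 6444, sge_execd 6445`, since the macro arguments alone do not say which daemon owns which port. The port list this entry sits in continues outside the lines shown here.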
@ -516,7 +516,7 @@ index 058d908..702b716 100644
|
||||
+')
|
||||
+
|
||||
diff --git a/abrt.te b/abrt.te
|
||||
index cc43d25..563c773 100644
|
||||
index cc43d25..7722b79 100644
|
||||
--- a/abrt.te
|
||||
+++ b/abrt.te
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -525,7 +525,7 @@ index cc43d25..563c773 100644
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -6,105 +6,115 @@ policy_module(abrt, 1.3.4)
|
||||
@@ -6,105 +6,116 @@ policy_module(abrt, 1.3.4)
|
||||
#
|
||||
|
||||
## <desc>
|
||||
@ -585,6 +585,7 @@ index cc43d25..563c773 100644
|
||||
type abrt_var_cache_t;
|
||||
files_type(abrt_var_cache_t)
|
||||
+files_tmp_file(abrt_var_cache_t)
|
||||
+userdom_user_tmp_file(abrt_var_cache_t)
|
||||
|
||||
+# pid files
|
||||
type abrt_var_run_t;
|
||||
@ -684,7 +685,7 @@ index cc43d25..563c773 100644
|
||||
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
|
||||
logging_log_filetrans(abrt_t, abrt_var_log_t, file)
|
||||
|
||||
@@ -112,23 +122,25 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
|
||||
@@ -112,23 +123,25 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
|
||||
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
|
||||
manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
|
||||
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
|
||||
@ -713,7 +714,7 @@ index cc43d25..563c773 100644
|
||||
kernel_request_load_module(abrt_t)
|
||||
kernel_rw_kernel_sysctl(abrt_t)
|
||||
|
||||
@@ -137,16 +149,14 @@ corecmd_exec_shell(abrt_t)
|
||||
@@ -137,16 +150,14 @@ corecmd_exec_shell(abrt_t)
|
||||
corecmd_read_all_executables(abrt_t)
|
||||
|
||||
corenet_all_recvfrom_netlabel(abrt_t)
|
||||
@ -732,7 +733,7 @@ index cc43d25..563c773 100644
|
||||
|
||||
dev_getattr_all_chr_files(abrt_t)
|
||||
dev_getattr_all_blk_files(abrt_t)
|
||||
@@ -163,29 +173,36 @@ files_getattr_all_files(abrt_t)
|
||||
@@ -163,29 +174,36 @@ files_getattr_all_files(abrt_t)
|
||||
files_read_config_files(abrt_t)
|
||||
files_read_etc_runtime_files(abrt_t)
|
||||
files_read_var_symlinks(abrt_t)
|
||||
@ -772,7 +773,7 @@ index cc43d25..563c773 100644
|
||||
|
||||
tunable_policy(`abrt_anon_write',`
|
||||
miscfiles_manage_public_files(abrt_t)
|
||||
@@ -193,15 +210,11 @@ tunable_policy(`abrt_anon_write',`
|
||||
@@ -193,15 +211,11 @@ tunable_policy(`abrt_anon_write',`
|
||||
|
||||
optional_policy(`
|
||||
apache_list_modules(abrt_t)
|
||||
@ -789,7 +790,7 @@ index cc43d25..563c773 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -209,6 +222,12 @@ optional_policy(`
|
||||
@@ -209,6 +223,12 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -802,7 +803,7 @@ index cc43d25..563c773 100644
|
||||
policykit_domtrans_auth(abrt_t)
|
||||
policykit_read_lib(abrt_t)
|
||||
policykit_read_reload(abrt_t)
|
||||
@@ -220,6 +239,7 @@ optional_policy(`
|
||||
@@ -220,6 +240,7 @@ optional_policy(`
|
||||
corecmd_exec_all_executables(abrt_t)
|
||||
')
|
||||
|
||||
@ -810,7 +811,7 @@ index cc43d25..563c773 100644
|
||||
optional_policy(`
|
||||
rpm_exec(abrt_t)
|
||||
rpm_dontaudit_manage_db(abrt_t)
|
||||
@@ -230,6 +250,7 @@ optional_policy(`
|
||||
@@ -230,6 +251,7 @@ optional_policy(`
|
||||
rpm_signull(abrt_t)
|
||||
')
|
||||
|
||||
@ -818,7 +819,7 @@ index cc43d25..563c773 100644
|
||||
optional_policy(`
|
||||
sendmail_domtrans(abrt_t)
|
||||
')
|
||||
@@ -240,9 +261,17 @@ optional_policy(`
|
||||
@@ -240,9 +262,17 @@ optional_policy(`
|
||||
sosreport_delete_tmp_files(abrt_t)
|
||||
')
|
||||
|
||||
@ -837,7 +838,7 @@ index cc43d25..563c773 100644
|
||||
#
|
||||
|
||||
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
|
||||
@@ -253,9 +282,13 @@ tunable_policy(`abrt_handle_event',`
|
||||
@@ -253,9 +283,13 @@ tunable_policy(`abrt_handle_event',`
|
||||
can_exec(abrt_t, abrt_handle_event_exec_t)
|
||||
')
|
||||
|
||||
@ -852,7 +853,7 @@ index cc43d25..563c773 100644
|
||||
#
|
||||
|
||||
allow abrt_helper_t self:capability { chown setgid sys_nice };
|
||||
@@ -268,6 +301,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
|
||||
@@ -268,6 +302,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
|
||||
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
|
||||
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
|
||||
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
|
||||
@ -860,7 +861,7 @@ index cc43d25..563c773 100644
|
||||
|
||||
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
|
||||
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
|
||||
@@ -276,15 +310,20 @@ corecmd_read_all_executables(abrt_helper_t)
|
||||
@@ -276,15 +311,20 @@ corecmd_read_all_executables(abrt_helper_t)
|
||||
|
||||
domain_read_all_domains_state(abrt_helper_t)
|
||||
|
||||
@ -881,7 +882,7 @@ index cc43d25..563c773 100644
|
||||
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
|
||||
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
|
||||
dev_dontaudit_read_all_blk_files(abrt_helper_t)
|
||||
@@ -292,11 +331,25 @@ ifdef(`hide_broken_symptoms',`
|
||||
@@ -292,11 +332,25 @@ ifdef(`hide_broken_symptoms',`
|
||||
dev_dontaudit_write_all_chr_files(abrt_helper_t)
|
||||
dev_dontaudit_write_all_blk_files(abrt_helper_t)
|
||||
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
|
||||
@ -908,7 +909,7 @@ index cc43d25..563c773 100644
|
||||
#
|
||||
|
||||
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
|
||||
@@ -314,10 +367,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
|
||||
@@ -314,10 +368,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
|
||||
|
||||
dev_read_urand(abrt_retrace_coredump_t)
|
||||
|
||||
@ -922,7 +923,7 @@ index cc43d25..563c773 100644
|
||||
optional_policy(`
|
||||
rpm_exec(abrt_retrace_coredump_t)
|
||||
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
|
||||
@@ -330,10 +385,11 @@ optional_policy(`
|
||||
@@ -330,10 +386,11 @@ optional_policy(`
|
||||
|
||||
#######################################
|
||||
#
|
||||
@ -936,7 +937,7 @@ index cc43d25..563c773 100644
|
||||
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
|
||||
@@ -352,30 +408,38 @@ corecmd_exec_shell(abrt_retrace_worker_t)
|
||||
@@ -352,30 +409,38 @@ corecmd_exec_shell(abrt_retrace_worker_t)
|
||||
|
||||
dev_read_urand(abrt_retrace_worker_t)
|
||||
|
||||
@ -978,7 +979,7 @@ index cc43d25..563c773 100644
|
||||
kernel_read_kernel_sysctls(abrt_dump_oops_t)
|
||||
kernel_read_ring_buffer(abrt_dump_oops_t)
|
||||
|
||||
@@ -384,14 +448,15 @@ domain_use_interactive_fds(abrt_dump_oops_t)
|
||||
@@ -384,14 +449,15 @@ domain_use_interactive_fds(abrt_dump_oops_t)
|
||||
fs_list_inotifyfs(abrt_dump_oops_t)
|
||||
|
||||
logging_read_generic_logs(abrt_dump_oops_t)
|
||||
@ -996,7 +997,7 @@ index cc43d25..563c773 100644
|
||||
|
||||
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
|
||||
|
||||
@@ -400,16 +465,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
|
||||
@@ -400,16 +466,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
|
||||
corecmd_exec_bin(abrt_watch_log_t)
|
||||
|
||||
logging_read_all_logs(abrt_watch_log_t)
|
||||
@ -8814,7 +8815,7 @@ index 02fefaa..fbcef10 100644
|
||||
+ ')
|
||||
')
|
||||
diff --git a/boinc.te b/boinc.te
|
||||
index 7c92aa1..0a48a05 100644
|
||||
index 7c92aa1..1a30d34 100644
|
||||
--- a/boinc.te
|
||||
+++ b/boinc.te
|
||||
@@ -1,11 +1,13 @@
|
||||
@ -8909,7 +8910,7 @@ index 7c92aa1..0a48a05 100644
|
||||
|
||||
manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
|
||||
manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
|
||||
@@ -54,74 +91,45 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
|
||||
@@ -54,74 +91,47 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
|
||||
manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
|
||||
fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
|
||||
|
||||
@ -8945,6 +8946,8 @@ index 7c92aa1..0a48a05 100644
|
||||
kernel_search_vm_sysctl(boinc_t)
|
||||
|
||||
-corenet_all_recvfrom_unlabeled(boinc_t)
|
||||
+dev_getattr_mouse_dev(boinc_t)
|
||||
+
|
||||
+files_getattr_all_dirs(boinc_t)
|
||||
+files_getattr_all_files(boinc_t)
|
||||
+
|
||||
@ -9003,7 +9006,7 @@ index 7c92aa1..0a48a05 100644
|
||||
|
||||
term_getattr_all_ptys(boinc_t)
|
||||
term_getattr_unallocated_ttys(boinc_t)
|
||||
@@ -130,55 +138,65 @@ init_read_utmp(boinc_t)
|
||||
@@ -130,55 +140,65 @@ init_read_utmp(boinc_t)
|
||||
|
||||
logging_send_syslog_msg(boinc_t)
|
||||
|
||||
@ -9919,10 +9922,10 @@ index 2354e21..fb8c9ed 100644
|
||||
+ ')
|
||||
+')
|
||||
diff --git a/certwatch.te b/certwatch.te
|
||||
index 403af41..48a40cd 100644
|
||||
index 403af41..84b41e6 100644
|
||||
--- a/certwatch.te
|
||||
+++ b/certwatch.te
|
||||
@@ -20,33 +20,42 @@ role certwatch_roles types certwatch_t;
|
||||
@@ -20,33 +20,44 @@ role certwatch_roles types certwatch_t;
|
||||
|
||||
allow certwatch_t self:capability sys_nice;
|
||||
allow certwatch_t self:process { setsched getsched };
|
||||
@ -9953,6 +9956,8 @@ index 403af41..48a40cd 100644
|
||||
|
||||
-userdom_use_user_terminals(certwatch_t)
|
||||
-userdom_dontaudit_list_user_home_dirs(certwatch_t)
|
||||
+sysnet_read_config(certwatch_t)
|
||||
+
|
||||
+userdom_use_inherited_user_terminals(certwatch_t)
|
||||
+userdom_dontaudit_list_admin_dir(certwatch_t)
|
||||
|
||||
@ -10352,10 +10357,10 @@ index 0000000..5977d96
|
||||
+')
|
||||
diff --git a/chrome.te b/chrome.te
|
||||
new file mode 100644
|
||||
index 0000000..41d3959
|
||||
index 0000000..7267a85
|
||||
--- /dev/null
|
||||
+++ b/chrome.te
|
||||
@@ -0,0 +1,220 @@
|
||||
@@ -0,0 +1,222 @@
|
||||
+policy_module(chrome,1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -10389,6 +10394,7 @@ index 0000000..41d3959
|
||||
+#
|
||||
+# chrome_sandbox local policy
|
||||
+#
|
||||
+allow chrome_sandbox_t self:capability2 block_suspend;
|
||||
+allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
|
||||
+dontaudit chrome_sandbox_t self:capability sys_nice;
|
||||
+allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
|
||||
@ -10425,6 +10431,7 @@ index 0000000..41d3959
|
||||
+corecmd_exec_bin(chrome_sandbox_t)
|
||||
+
|
||||
+corenet_all_recvfrom_netlabel(chrome_sandbox_t)
|
||||
+corenet_tcp_connect_aol_port(chrome_sandbox_t)
|
||||
+corenet_tcp_connect_asterisk_port(chrome_sandbox_t)
|
||||
+corenet_tcp_connect_flash_port(chrome_sandbox_t)
|
||||
+corenet_tcp_connect_ms_streaming_port(chrome_sandbox_t)
|
||||
@ -11597,16 +11604,26 @@ index cc4e7cb..f348d27 100644
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 cmirrord_initrc_exec_t system_r;
|
||||
diff --git a/cmirrord.te b/cmirrord.te
|
||||
index d8e9958..0046a69 100644
|
||||
index d8e9958..d2303a4 100644
|
||||
--- a/cmirrord.te
|
||||
+++ b/cmirrord.te
|
||||
@@ -42,16 +42,12 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
|
||||
@@ -23,7 +23,7 @@ files_pid_file(cmirrord_var_run_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
-allow cmirrord_t self:capability { net_admin kill };
|
||||
+allow cmirrord_t self:capability { sys_admin net_admin kill };
|
||||
dontaudit cmirrord_t self:capability sys_tty_config;
|
||||
allow cmirrord_t self:process { setfscreate signal };
|
||||
allow cmirrord_t self:fifo_file rw_fifo_file_perms;
|
||||
@@ -42,16 +42,17 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
|
||||
domain_use_interactive_fds(cmirrord_t)
|
||||
domain_obj_id_change_exemption(cmirrord_t)
|
||||
|
||||
-files_read_etc_files(cmirrord_t)
|
||||
-
|
||||
storage_create_fixed_disk_dev(cmirrord_t)
|
||||
+storage_rw_inherited_fixed_disk_dev(cmirrord_t)
|
||||
|
||||
seutil_read_file_contexts(cmirrord_t)
|
||||
|
||||
@ -11617,6 +11634,10 @@ index d8e9958..0046a69 100644
|
||||
optional_policy(`
|
||||
corosync_stream_connect(cmirrord_t)
|
||||
')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ rhcs_rw_cluster_tmpfs(cmirrord_t)
|
||||
+')
|
||||
diff --git a/cobbler.fc b/cobbler.fc
|
||||
index 973d208..2b650a7 100644
|
||||
--- a/cobbler.fc
|
||||
@ -11679,7 +11700,7 @@ index c223f81..83d5104 100644
|
||||
- admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })
|
||||
')
|
||||
diff --git a/cobbler.te b/cobbler.te
|
||||
index 2a71346..b3ad8cb 100644
|
||||
index 2a71346..c1eef8d 100644
|
||||
--- a/cobbler.te
|
||||
+++ b/cobbler.te
|
||||
@@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
|
||||
@ -11690,6 +11711,15 @@ index 2a71346..b3ad8cb 100644
|
||||
|
||||
append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
|
||||
create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
|
||||
@@ -89,7 +90,7 @@ setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
|
||||
logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
|
||||
|
||||
kernel_read_system_state(cobblerd_t)
|
||||
-kernel_dontaudit_search_network_state(cobblerd_t)
|
||||
+kernel_read_network_state(cobblerd_t)
|
||||
|
||||
corecmd_exec_bin(cobblerd_t)
|
||||
corecmd_exec_shell(cobblerd_t)
|
||||
@@ -117,9 +118,7 @@ dev_read_urand(cobblerd_t)
|
||||
files_list_boot(cobblerd_t)
|
||||
files_list_tmp(cobblerd_t)
|
||||
@ -16042,10 +16072,10 @@ index 6ce66e7..1d0337a 100644
|
||||
|
||||
optional_policy(`
|
||||
diff --git a/cups.fc b/cups.fc
|
||||
index 949011e..0332f88 100644
|
||||
index 949011e..afe482b 100644
|
||||
--- a/cups.fc
|
||||
+++ b/cups.fc
|
||||
@@ -1,77 +1,86 @@
|
||||
@@ -1,77 +1,87 @@
|
||||
-/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
|
||||
-/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
|
||||
@ -16118,6 +16148,7 @@ index 949011e..0332f88 100644
|
||||
-/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
|
||||
+/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:cupsd_exec_t,s0)
|
||||
+/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
|
||||
+/usr/sbin/cups-browsed -- gen_context(system_u:object_r:cupsd_exec_t,s0)
|
||||
+/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
|
||||
+/usr/sbin/hpiod -- gen_context(system_u:object_r:cupsd_exec_t,s0)
|
||||
+/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
|
||||
@ -36560,10 +36591,10 @@ index 4462c0e..84944d1 100644
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(monopd_t)
|
||||
diff --git a/mozilla.fc b/mozilla.fc
|
||||
index 6ffaba2..90fd526 100644
|
||||
index 6ffaba2..640ff5e 100644
|
||||
--- a/mozilla.fc
|
||||
+++ b/mozilla.fc
|
||||
@@ -1,38 +1,63 @@
|
||||
@@ -1,38 +1,64 @@
|
||||
-HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
||||
-HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
||||
-HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
|
||||
@ -36598,6 +36629,7 @@ index 6ffaba2..90fd526 100644
|
||||
+HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
||||
+HOME_DIR/\.grl-podcasts(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
||||
+HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
||||
+HOME_DIR/\..icedtea(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
||||
+HOME_DIR/\.lyx(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
||||
+HOME_DIR/\.quakelive(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
||||
+HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
||||
@ -36662,7 +36694,7 @@ index 6ffaba2..90fd526 100644
|
||||
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
|
||||
+')
|
||||
diff --git a/mozilla.if b/mozilla.if
|
||||
index 6194b80..116d9d2 100644
|
||||
index 6194b80..879f5db 100644
|
||||
--- a/mozilla.if
|
||||
+++ b/mozilla.if
|
||||
@@ -1,146 +1,75 @@
|
||||
@ -37301,7 +37333,7 @@ index 6194b80..116d9d2 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -530,45 +448,50 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
|
||||
@@ -530,45 +448,51 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -37366,6 +37398,7 @@ index 6194b80..116d9d2 100644
|
||||
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".grl-podcasts")
|
||||
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin")
|
||||
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin")
|
||||
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedtea")
|
||||
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive")
|
||||
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec")
|
||||
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
|
||||
@ -37377,7 +37410,7 @@ index 6194b80..116d9d2 100644
|
||||
')
|
||||
+
|
||||
diff --git a/mozilla.te b/mozilla.te
|
||||
index 6a306ee..66e7ada 100644
|
||||
index 6a306ee..8f6c0ba 100644
|
||||
--- a/mozilla.te
|
||||
+++ b/mozilla.te
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -37815,7 +37848,7 @@ index 6a306ee..66e7ada 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -300,221 +316,174 @@ optional_policy(`
|
||||
@@ -300,221 +316,175 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -37923,6 +37956,7 @@ index 6a306ee..66e7ada 100644
|
||||
-corenet_tcp_sendrecv_generic_node(mozilla_plugin_t)
|
||||
-
|
||||
-corenet_sendrecv_asterisk_client_packets(mozilla_plugin_t)
|
||||
+corenet_tcp_connect_aol_port(mozilla_plugin_t)
|
||||
corenet_tcp_connect_asterisk_port(mozilla_plugin_t)
|
||||
-corenet_tcp_sendrecv_asterisk_port(mozilla_plugin_t)
|
||||
-
|
||||
@ -38132,7 +38166,7 @@ index 6a306ee..66e7ada 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -523,36 +492,47 @@ optional_policy(`
|
||||
@@ -523,36 +493,48 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -38188,12 +38222,13 @@ index 6a306ee..66e7ada 100644
|
||||
+ pulseaudio_exec(mozilla_plugin_t)
|
||||
+ pulseaudio_stream_connect(mozilla_plugin_t)
|
||||
+ pulseaudio_setattr_home_dir(mozilla_plugin_t)
|
||||
+ pulseaudio_manage_home_dirs(mozilla_plugin_t)
|
||||
+ pulseaudio_manage_home_files(mozilla_plugin_t)
|
||||
+ pulseaudio_manage_home_symlinks(mozilla_plugin_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -560,7 +540,7 @@ optional_policy(`
|
||||
@@ -560,7 +542,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -38202,7 +38237,7 @@ index 6a306ee..66e7ada 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -568,108 +548,113 @@ optional_policy(`
|
||||
@@ -568,108 +550,113 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -42883,7 +42918,7 @@ index a1fb3c3..8fe1d63 100644
|
||||
+/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||
diff --git a/networkmanager.if b/networkmanager.if
|
||||
index 0e8508c..b9c69d2 100644
|
||||
index 0e8508c..2669fe1 100644
|
||||
--- a/networkmanager.if
|
||||
+++ b/networkmanager.if
|
||||
@@ -2,7 +2,7 @@
|
||||
@ -43130,7 +43165,7 @@ index 0e8508c..b9c69d2 100644
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
@@ -227,33 +292,92 @@ interface(`networkmanager_read_pid_files',`
|
||||
@@ -227,33 +292,111 @@ interface(`networkmanager_read_pid_files',`
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
@ -43201,6 +43236,25 @@ index 0e8508c..b9c69d2 100644
|
||||
+ manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
|
||||
+')
|
||||
+
|
||||
+####################################
|
||||
+## <summary>
|
||||
+## Connect to NM over a unix domain
|
||||
+## stream socket.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`networkmanager_stream_connect',`
|
||||
+ gen_require(`
|
||||
+ type NetworkManager_t, NetworkManager_var_run_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_pids($1)
|
||||
+ stream_connect_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
@ -48227,10 +48281,10 @@ index 0000000..f2d6119
|
||||
+/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
|
||||
diff --git a/openshift.if b/openshift.if
|
||||
new file mode 100644
|
||||
index 0000000..8a1731a
|
||||
index 0000000..0dd82f8
|
||||
--- /dev/null
|
||||
+++ b/openshift.if
|
||||
@@ -0,0 +1,654 @@
|
||||
@@ -0,0 +1,656 @@
|
||||
+
|
||||
+## <summary> policy for openshift </summary>
|
||||
+
|
||||
@ -48490,6 +48544,7 @@ index 0000000..8a1731a
|
||||
+
|
||||
+ files_search_var_lib($1)
|
||||
+ read_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
|
||||
+ read_lnk_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
@ -48529,6 +48584,7 @@ index 0000000..8a1731a
|
||||
+
|
||||
+ files_search_var_lib($1)
|
||||
+ manage_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
|
||||
+ manage_lnk_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
@ -50835,7 +50891,7 @@ index d2fc677..ded726f 100644
|
||||
')
|
||||
+
|
||||
diff --git a/pegasus.te b/pegasus.te
|
||||
index 7bcf327..832de74 100644
|
||||
index 7bcf327..ebc50dc 100644
|
||||
--- a/pegasus.te
|
||||
+++ b/pegasus.te
|
||||
@@ -1,17 +1,16 @@
|
||||
@ -51041,7 +51097,7 @@ index 7bcf327..832de74 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -151,16 +205,19 @@ optional_policy(`
|
||||
@@ -151,16 +205,23 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -51051,12 +51107,16 @@ index 7bcf327..832de74 100644
|
||||
|
||||
optional_policy(`
|
||||
- samba_manage_config(pegasus_t)
|
||||
+ rpc_read_exports(pegasus_t)
|
||||
+ realmd_dbus_chat(pegasus_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- seutil_sigchld_newrole(pegasus_t)
|
||||
- seutil_dontaudit_read_config(pegasus_t)
|
||||
+ rpc_read_exports(pegasus_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ rpm_exec(pegasus_t)
|
||||
+')
|
||||
+
|
||||
@ -51065,7 +51125,7 @@ index 7bcf327..832de74 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -168,7 +225,7 @@ optional_policy(`
|
||||
@@ -168,7 +229,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -58497,7 +58557,7 @@ index 6864479..0e7d875 100644
|
||||
+/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
|
||||
+/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
|
||||
diff --git a/pulseaudio.if b/pulseaudio.if
|
||||
index fa3dc8e..59808e5 100644
|
||||
index fa3dc8e..99cfa95 100644
|
||||
--- a/pulseaudio.if
|
||||
+++ b/pulseaudio.if
|
||||
@@ -2,47 +2,44 @@
|
||||
@ -58663,7 +58723,7 @@ index fa3dc8e..59808e5 100644
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
@@ -205,85 +204,95 @@ interface(`pulseaudio_setattr_home_dir',`
|
||||
@@ -205,148 +204,190 @@ interface(`pulseaudio_setattr_home_dir',`
|
||||
type pulseaudio_home_t;
|
||||
')
|
||||
|
||||
@ -58725,7 +58785,7 @@ index fa3dc8e..59808e5 100644
|
||||
## <summary>
|
||||
-## Read and write Pulse Audio files.
|
||||
+## Create, read, write, and delete pulseaudio
|
||||
+## home directory files.
|
||||
+## home directories.
|
||||
## </summary>
|
||||
-## <param name="domain">
|
||||
+## <param name="user_domain">
|
||||
@ -58735,15 +58795,41 @@ index fa3dc8e..59808e5 100644
|
||||
## </param>
|
||||
#
|
||||
-interface(`pulseaudio_rw_home_files',`
|
||||
+interface(`pulseaudio_manage_home_files',`
|
||||
+interface(`pulseaudio_manage_home_dirs',`
|
||||
gen_require(`
|
||||
type pulseaudio_home_t;
|
||||
')
|
||||
|
||||
userdom_search_user_home_dirs($1)
|
||||
- rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
|
||||
- read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
|
||||
+ manage_dirs_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Create, read, write, and delete
|
||||
-## pulseaudio home content.
|
||||
+## Create, read, write, and delete pulseaudio
|
||||
+## home directory files.
|
||||
## </summary>
|
||||
-## <param name="domain">
|
||||
+## <param name="user_domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`pulseaudio_manage_home_files',`
|
||||
- refpolicywarn(`$0($*) has been deprecated, use pulseaudio_manage_home() instead.')
|
||||
- pulseaudio_manage_home($1)
|
||||
+ gen_require(`
|
||||
+ type pulseaudio_home_t;
|
||||
+ ')
|
||||
+
|
||||
+ userdom_search_user_home_dirs($1)
|
||||
+ manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
|
||||
read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
|
||||
+ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
|
||||
+ pulseaudio_filetrans_home_content($1)
|
||||
')
|
||||
|
||||
@ -58761,47 +58847,17 @@ index fa3dc8e..59808e5 100644
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`pulseaudio_manage_home_files',`
|
||||
- refpolicywarn(`$0($*) has been deprecated, use pulseaudio_manage_home() instead.')
|
||||
- pulseaudio_manage_home($1)
|
||||
+interface(`pulseaudio_manage_home_symlinks',`
|
||||
+ gen_require(`
|
||||
+ type pulseaudio_home_t;
|
||||
+ ')
|
||||
+
|
||||
+ userdom_search_user_home_dirs($1)
|
||||
+ manage_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Create, read, write, and delete
|
||||
-## pulseaudio home content.
|
||||
+## Create pulseaudio content in the user home directory
|
||||
+## with an correct label.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -291,62 +300,74 @@ interface(`pulseaudio_manage_home_files',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`pulseaudio_manage_home',`
|
||||
+interface(`pulseaudio_filetrans_home_content',`
|
||||
+interface(`pulseaudio_manage_home_symlinks',`
|
||||
gen_require(`
|
||||
type pulseaudio_home_t;
|
||||
')
|
||||
|
||||
- userdom_search_user_home_dirs($1)
|
||||
userdom_search_user_home_dirs($1)
|
||||
- allow $1 pulseaudio_home_t:dir manage_dir_perms;
|
||||
- allow $1 pulseaudio_home_t:file manage_file_perms;
|
||||
- allow $1 pulseaudio_home_t:lnk_file manage_lnk_file_perms;
|
||||
+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
|
||||
+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
|
||||
+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth")
|
||||
+ optional_policy(`
|
||||
+ gnome_config_filetrans($1, pulseaudio_home_t, dir, "pulse")
|
||||
+ ')
|
||||
+ manage_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -58809,7 +58865,7 @@ index fa3dc8e..59808e5 100644
|
||||
-## Create objects in user home
|
||||
-## directories with the pulseaudio
|
||||
-## home type.
|
||||
+## Create pulseaudio content in the admin home directory
|
||||
+## Create pulseaudio content in the user home directory
|
||||
+## with an correct label.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@ -58823,10 +58879,31 @@ index fa3dc8e..59808e5 100644
|
||||
-## </summary>
|
||||
-## </param>
|
||||
-## <param name="name" optional="true">
|
||||
-## <summary>
|
||||
+#
|
||||
+interface(`pulseaudio_filetrans_home_content',`
|
||||
+ gen_require(`
|
||||
+ type pulseaudio_home_t;
|
||||
+ ')
|
||||
+
|
||||
+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
|
||||
+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
|
||||
+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth")
|
||||
+ optional_policy(`
|
||||
+ gnome_config_filetrans($1, pulseaudio_home_t, dir, "pulse")
|
||||
+ ')
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Create pulseaudio content in the admin home directory
|
||||
+## with an correct label.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
## <summary>
|
||||
-## The name of the object being created.
|
||||
-## </summary>
|
||||
-## </param>
|
||||
+## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`pulseaudio_home_filetrans_pulseaudio_home',`
|
||||
+interface(`pulseaudio_filetrans_admin_home_content',`
|
||||
@ -63224,7 +63301,7 @@ index 951db7f..6d6ec1d 100644
|
||||
+ allow $1 mdadm_exec_t:file { getattr_file_perms execute };
|
||||
')
|
||||
diff --git a/raid.te b/raid.te
|
||||
index 2c1730b..d75003d 100644
|
||||
index 2c1730b..259b790 100644
|
||||
--- a/raid.te
|
||||
+++ b/raid.te
|
||||
@@ -15,6 +15,9 @@ role mdadm_roles types mdadm_t;
|
||||
@ -63292,7 +63369,7 @@ index 2c1730b..d75003d 100644
|
||||
|
||||
mls_file_read_all_levels(mdadm_t)
|
||||
mls_file_write_all_levels(mdadm_t)
|
||||
@@ -70,16 +80,17 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
|
||||
@@ -70,16 +80,18 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
|
||||
storage_manage_fixed_disk(mdadm_t)
|
||||
storage_read_scsi_generic(mdadm_t)
|
||||
storage_write_scsi_generic(mdadm_t)
|
||||
@ -63305,6 +63382,7 @@ index 2c1730b..d75003d 100644
|
||||
+
|
||||
init_dontaudit_getattr_initctl(mdadm_t)
|
||||
|
||||
+logging_dontaudit_getattr_all_logs(mdadm_t)
|
||||
logging_send_syslog_msg(mdadm_t)
|
||||
|
||||
-miscfiles_read_localization(mdadm_t)
|
||||
@ -63896,7 +63974,7 @@ index 661bb88..06f69c4 100644
|
||||
+')
|
||||
+
|
||||
diff --git a/readahead.te b/readahead.te
|
||||
index f1512d6..93f1ee6 100644
|
||||
index f1512d6..bc627d7 100644
|
||||
--- a/readahead.te
|
||||
+++ b/readahead.te
|
||||
@@ -15,6 +15,7 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t;
|
||||
@ -63964,12 +64042,14 @@ index f1512d6..93f1ee6 100644
|
||||
mls_file_read_all_levels(readahead_t)
|
||||
|
||||
storage_raw_read_fixed_disk(readahead_t)
|
||||
@@ -84,13 +98,13 @@ auth_dontaudit_read_shadow(readahead_t)
|
||||
@@ -84,13 +98,15 @@ auth_dontaudit_read_shadow(readahead_t)
|
||||
init_use_fds(readahead_t)
|
||||
init_use_script_ptys(readahead_t)
|
||||
init_getattr_initctl(readahead_t)
|
||||
+# needs to write to /run/systemd/notify
|
||||
+init_write_pid_socket(readahead_t)
|
||||
+init_create_pid_dirs(readahead_t)
|
||||
+init_pid_filetrans(readahead_t, readahead_var_run_t, dir, "readahead")
|
||||
|
||||
logging_send_syslog_msg(readahead_t)
|
||||
logging_set_audit_parameters(readahead_t)
|
||||
@ -71526,7 +71606,7 @@ index aee75af..a6bab06 100644
|
||||
+ allow $1 samba_unit_file_t:service all_service_perms;
|
||||
')
|
||||
diff --git a/samba.te b/samba.te
|
||||
index 57c034b..31e7d21 100644
|
||||
index 57c034b..fccf544 100644
|
||||
--- a/samba.te
|
||||
+++ b/samba.te
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -71801,7 +71881,7 @@ index 57c034b..31e7d21 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ realmd_read_cache_files(samba_net_t)
|
||||
+ realmd_manage_cache_files(samba_net_t)
|
||||
+ realmd_read_tmp_files(samba_net_t)
|
||||
+')
|
||||
+
|
||||
@ -75873,10 +75953,10 @@ index 0000000..c9d2d9c
|
||||
+
|
||||
diff --git a/sge.te b/sge.te
|
||||
new file mode 100644
|
||||
index 0000000..9a329a1
|
||||
index 0000000..af30acf
|
||||
--- /dev/null
|
||||
+++ b/sge.te
|
||||
@@ -0,0 +1,191 @@
|
||||
@@ -0,0 +1,195 @@
|
||||
+policy_module(sge, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -75923,19 +76003,23 @@ index 0000000..9a329a1
|
||||
+# sge_execd local policy
|
||||
+#
|
||||
+
|
||||
+allow sge_execd_t self:capability { dac_override setuid chown setgid };
|
||||
+allow sge_execd_t self:capability { dac_override kill setuid chown setgid };
|
||||
+allow sge_execd_t self:process { setsched signal setpgid };
|
||||
+
|
||||
+allow sge_execd_t sge_shepherd_t:process signal;
|
||||
+
|
||||
+kernel_read_kernel_sysctls(sge_execd_t)
|
||||
+
|
||||
+corenet_tcp_bind_sge_port(sge_execd_t)
|
||||
+corenet_tcp_connect_sge_port(sge_execd_t)
|
||||
+
|
||||
+dev_read_sysfs(sge_execd_t)
|
||||
+
|
||||
+files_exec_usr_files(sge_execd_t)
|
||||
+files_search_spool(sge_execd_t)
|
||||
+
|
||||
+fs_getattr_xattr_fs(sge_execd_t)
|
||||
+fs_read_cgroup_files(sge_execd_t)
|
||||
+
|
||||
+auth_use_nsswitch(sge_execd_t)
|
||||
+
|
||||
@ -87057,7 +87141,7 @@ index 9dec06c..7877729 100644
|
||||
+ allow $1 svirt_image_t:chr_file rw_file_perms;
|
||||
')
|
||||
diff --git a/virt.te b/virt.te
|
||||
index 1f22fba..3f1bc45 100644
|
||||
index 1f22fba..f48ade0 100644
|
||||
--- a/virt.te
|
||||
+++ b/virt.te
|
||||
@@ -1,94 +1,98 @@
|
||||
@ -87677,14 +87761,14 @@ index 1f22fba..3f1bc45 100644
|
||||
-manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
|
||||
-manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
|
||||
-filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
|
||||
-
|
||||
-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
|
||||
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
|
||||
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
|
||||
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
|
||||
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
|
||||
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
|
||||
|
||||
-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
|
||||
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
|
||||
-
|
||||
-can_exec(virtd_t, virt_tmp_t)
|
||||
-
|
||||
-kernel_read_crypto_sysctls(virtd_t)
|
||||
@ -87819,15 +87903,13 @@ index 1f22fba..3f1bc45 100644
|
||||
fs_manage_cifs_files(virtd_t)
|
||||
fs_read_cifs_symlinks(virtd_t)
|
||||
')
|
||||
@@ -646,107 +470,328 @@ optional_policy(`
|
||||
consoletype_exec(virtd_t)
|
||||
')
|
||||
@@ -649,104 +473,325 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(virtd_t)
|
||||
|
||||
-optional_policy(`
|
||||
- dbus_system_bus_client(virtd_t)
|
||||
+optional_policy(`
|
||||
+ dbus_system_bus_client(virtd_t)
|
||||
+
|
||||
- optional_policy(`
|
||||
- avahi_dbus_chat(virtd_t)
|
||||
- ')
|
||||
+ optional_policy(`
|
||||
+ avahi_dbus_chat(virtd_t)
|
||||
+ ')
|
||||
@ -88020,10 +88102,7 @@ index 1f22fba..3f1bc45 100644
|
||||
+dev_rw_inherited_vhost(virt_domain)
|
||||
+
|
||||
+domain_use_interactive_fds(virt_domain)
|
||||
|
||||
- optional_policy(`
|
||||
- avahi_dbus_chat(virtd_t)
|
||||
- ')
|
||||
+
|
||||
+files_read_mnt_symlinks(virt_domain)
|
||||
+files_read_var_files(virt_domain)
|
||||
+files_search_all(virt_domain)
|
||||
@ -88219,12 +88298,12 @@ index 1f22fba..3f1bc45 100644
|
||||
-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
|
||||
-
|
||||
-allow virsh_t svirt_lxc_domain:process transition;
|
||||
-
|
||||
-can_exec(virsh_t, virsh_exec_t)
|
||||
+manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
|
||||
+manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
|
||||
+virt_filetrans_named_content(virsh_t)
|
||||
|
||||
-can_exec(virsh_t, virsh_exec_t)
|
||||
-
|
||||
-virt_domtrans(virsh_t)
|
||||
-virt_manage_images(virsh_t)
|
||||
-virt_manage_config(virsh_t)
|
||||
@ -88710,7 +88789,7 @@ index 1f22fba..3f1bc45 100644
|
||||
allow virt_bridgehelper_t self:process { setcap getcap };
|
||||
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
|
||||
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
||||
@@ -1198,5 +1246,75 @@ kernel_read_network_state(virt_bridgehelper_t)
|
||||
@@ -1198,5 +1246,79 @@ kernel_read_network_state(virt_bridgehelper_t)
|
||||
|
||||
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
|
||||
|
||||
@ -88742,7 +88821,9 @@ index 1f22fba..3f1bc45 100644
|
||||
+
|
||||
+files_list_all_mountpoints(virt_qemu_ga_t)
|
||||
+files_write_all_mountpoints(virt_qemu_ga_t)
|
||||
+
|
||||
+fs_list_all(virt_qemu_ga_t)
|
||||
+fs_getattr_all_fs(virt_qemu_ga_t)
|
||||
+
|
||||
+term_use_virtio_console(virt_qemu_ga_t)
|
||||
+term_use_all_ttys(virt_qemu_ga_t)
|
||||
@ -88752,6 +88833,8 @@ index 1f22fba..3f1bc45 100644
|
||||
+
|
||||
+sysnet_dns_name_resolve(virt_qemu_ga_t)
|
||||
+
|
||||
+systemd_exec_systemctl(virt_qemu_ga_t)
|
||||
+
|
||||
+userdom_use_user_ptys(virt_qemu_ga_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
|
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.12.1
|
||||
Release: 44%{?dist}
|
||||
Release: 45%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -55,7 +55,7 @@ Source30: booleans.subs_dist
|
||||
Url: http://oss.tresys.com/repos/refpolicy/
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
BuildArch: noarch
|
||||
BuildRequires: python gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gzip
|
||||
BuildRequires: python gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2
|
||||
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
|
||||
Requires(post): /bin/awk /usr/bin/sha512sum
|
||||
|
||||
@ -351,8 +351,6 @@ install -m 644 doc/example.* %{buildroot}%{_usr}/share/selinux/devel/
|
||||
install -m 644 doc/policy.* %{buildroot}%{_usr}/share/selinux/devel/
|
||||
echo "xdg-open file:///usr/share/doc/selinux-policy-%{version}/html/index.html"> %{buildroot}%{_usr}/share/selinux/devel/policyhelp
|
||||
chmod +x %{buildroot}%{_usr}/share/selinux/devel/policyhelp
|
||||
gzip %{buildroot}/%{_usr}/share/selinux/devel/policy.xml
|
||||
mv %{buildroot}/%{_usr}/share/selinux/devel/policy.xml.gz %{buildroot}/%{_usr}/share/selinux/devel/policy.xml
|
||||
/usr/bin/sepolicy manpage -a -p %{buildroot}/usr/share/man/man8/ -w -r %{buildroot}
|
||||
mkdir %{buildroot}%{_usr}/share/selinux/devel/html
|
||||
htmldir=`compgen -d %{buildroot}%{_usr}/share/man/man8/`
|
||||
@ -532,6 +530,24 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri May 17 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-45
|
||||
- Add additional fixes for #948073 bug
|
||||
- Allow sge_execd_t to also connect to sge ports
|
||||
- Allow openshift_cron_t to manage openshift_var_lib_t sym links
|
||||
- Allow openshift_cron_t to manage openshift_var_lib_t sym links
|
||||
- Allow sge_execd to bind sge ports. Allow kill capability and reads cgroup files
|
||||
- Remove pulseaudio filetrans pulseaudio_manage_home_dirs which is a part of pulseaudio_manage_home_files
|
||||
- Add networkmanager_stream_connect()
|
||||
- Make gnome-abrt wokring with staff_t
|
||||
- Fix openshift_manage_lib_files() interface
|
||||
- mdadm runs ps command which seems to getattr on random log files
|
||||
- Allow mozilla_plugin_t to create pulseaudit_home_t directories
|
||||
- Allow qemu-ga to shutdown virtual hosts
|
||||
- Add labelling for cupsd-browsed
|
||||
- Add web browser plugins to connect to aol ports
|
||||
- Allow nm-dhcp-helper to stream connect to NM
|
||||
- Add port definition for sge ports
|
||||
|
||||
* Mon May 13 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-44
|
||||
- Make sure users and unconfined domains create .hushlogin with the correct label
|
||||
- Allow pegaus to chat with realmd over DBus
|
||||
@ -540,7 +556,7 @@ SELinux Reference policy mls base module.
|
||||
- Allow certwatch to read net_config_t when it executes apache
|
||||
- Allow readahead to create /run/systemd and then create its own directory with the correct label
|
||||
|
||||
* Mon May 13 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-43
|
||||
* Fri May 10 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-43
|
||||
- Transition directories and files when in a user_tmp_t directory
|
||||
- Change certwatch to domtrans to apache instead of just execute
|
||||
- Allow virsh_t to read xen lib files
|
||||
|
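Review bot: The 3.12.1-45 changelog entry does not record the packaging change in the `%install` hunk at `@ -351,8 +351,6 @`. Judging by the hunk counts and by `gzip` leaving `BuildRequires`, the `gzip …/devel/policy.xml` and `mv …/policy.xml.gz …/policy.xml` steps are dropped, so `policy.xml` would now ship uncompressed; the page has lost its +/- column, so this is inferred. I would add a line such as `- Ship devel policy.xml uncompressed, drop gzip BuildRequires`. The same entry lists `- Allow openshift_cron_t to manage openshift_var_lib_t sym links` twice and misspells `wokring` and `pulseaudit_home_t`. Since this changelog is where administrators read which domains gained access in a release, `- Add additional fixes for #948073 bug` would be more useful if it named the domain and permission involved.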