* Tue May 24 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-191

- Label /usr/share/ovirt-guest-agent/ovirt-guest-agent.py as rhev_agentd_exec_t
- Allow dnssec_trigger_t to create lnk_file labeled as dnssec_trigger_var_run_t. BZ(1335954)
- Allow the ganesha-ha.sh script running under the unconfined_t domain to communicate with glusterd_t domains via dbus.
- Allow the ganesha daemon labeled as glusterd_t to create the /var/lib/nfs/ganesha dir labeled as var_lib_nfs_t.
- Merge pull request #122 from NetworkManager/th/nm-dnsmasq-dbus
- Merge pull request #125 from rhatdan/typebounds
- Typebounds user domains
- Allow systemd_resolved_t to check if ipv6 is disabled.
- systemd added a new directory for unit files, /run/systemd/transient. It should be labelled system_u:object_r:systemd_unit_file_t:s0, the same as /run/systemd/system; PID 1 will write units there. Resolves: #120
- Label /dev/xen/privcmd as xen_device_t. BZ(1334115)
Lukas Vrabec 2016-05-24 15:22:09 +02:00
parent 5e78b00393
commit 4c0ceef239
4 changed files with 118 additions and 43 deletions

Binary file not shown.


@ -6288,7 +6288,7 @@ index 3f6e168..340e49f 100644
') ')
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index b31c054..50a45cf 100644 index b31c054..012cc6f 100644
--- a/policy/modules/kernel/devices.fc --- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc
@@ -15,15 +15,18 @@ @@ -15,15 +15,18 @@
@ -6396,7 +6396,7 @@ index b31c054..50a45cf 100644
/dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
@@ -172,11 +193,16 @@ ifdef(`distro_suse', ` @@ -172,15 +193,21 @@ ifdef(`distro_suse', `
/dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0)
@ -6413,7 +6413,12 @@ index b31c054..50a45cf 100644
/dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0) /dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) /dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/xen/gntdev -c gen_context(system_u:object_r:xen_device_t,s0) /dev/xen/gntdev -c gen_context(system_u:object_r:xen_device_t,s0)
@@ -198,12 +224,27 @@ ifdef(`distro_debian',` /dev/xen/gntalloc -c gen_context(system_u:object_r:xen_device_t,s0)
+/dev/xen/privcmd -c gen_context(system_u:object_r:xen_device_t,s0)
ifdef(`distro_debian',`
# this is a static /dev dir "backup mount"
@@ -198,12 +225,27 @@ ifdef(`distro_debian',`
/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
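Review bot: the new `/dev/xen/privcmd` entry gives this node the same xen_device_t type as blktap, evtchn, gntdev and gntalloc, so every domain already granted read/write on xen_device_t also gains access to privcmd; confirm that sharing the type is intended rather than a separate type for the privileged command node. The `-c` class specifier and gen_context form match the neighbouring lines, and the following `@@ -198,12 +224,27 @@` header becoming `+225,27` is the expected renumbering for one inserted line.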
@ -6444,7 +6449,7 @@ index b31c054..50a45cf 100644
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 76f285e..c542dd3 100644 index 76f285e..5cd2702 100644
--- a/policy/modules/kernel/devices.if --- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@ -8716,7 +8721,7 @@ index 76f285e..c542dd3 100644
## Read and write to the zero device (/dev/zero). ## Read and write to the zero device (/dev/zero).
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -4851,3 +5915,1019 @@ interface(`dev_unconfined',` @@ -4851,3 +5915,1020 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type; typeattribute $1 devices_unconfined_type;
') ')
@ -9619,6 +9624,7 @@ index 76f285e..c542dd3 100644
+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap9") + filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap9")
+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntdev") + filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntdev")
+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntalloc") + filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntalloc")
+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "privcmd")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC0") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC0")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC1") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC1")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC2") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC2")
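Review bot: the `privcmd` filetrans_pattern is the necessary companion to the devices.fc entry, since a node created under device_t at runtime only gets xen_device_t through this transition and not through the file context; it is placed after `gntalloc`, matching the fc ordering, so nothing further is needed here.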
@ -46330,10 +46336,10 @@ index a392fc4..78fa512 100644
+') +')
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
new file mode 100644 new file mode 100644
index 0000000..0e4185f index 0000000..6cf3942
--- /dev/null --- /dev/null
+++ b/policy/modules/system/systemd.fc +++ b/policy/modules/system/systemd.fc
@@ -0,0 +1,68 @@ @@ -0,0 +1,69 @@
+HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) +HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0)
+/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) +/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0)
+ +
@ -46356,6 +46362,7 @@ index 0000000..0e4185f
+ +
+/usr/lib/dracut/modules.d/.*\.service gen_context(system_u:object_r:systemd_unit_file_t,s0) +/usr/lib/dracut/modules.d/.*\.service gen_context(system_u:object_r:systemd_unit_file_t,s0)
+/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0) +/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
+/run/systemd/transient(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
+/usr/lib/systemd/system/systemd-machined\.service -- gen_context(system_u:object_r:systemd_machined_unit_file_t,s0) +/usr/lib/systemd/system/systemd-machined\.service -- gen_context(system_u:object_r:systemd_machined_unit_file_t,s0)
+/usr/lib/systemd/system/systemd-networkd\.service gen_context(system_u:object_r:systemd_networkd_unit_file_t,s0) +/usr/lib/systemd/system/systemd-networkd\.service gen_context(system_u:object_r:systemd_networkd_unit_file_t,s0)
+/usr/lib/systemd/system/systemd-resolved\.service gen_context(system_u:object_r:systemd_resolved_unit_file_t,s0) +/usr/lib/systemd/system/systemd-resolved\.service gen_context(system_u:object_r:systemd_resolved_unit_file_t,s0)
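Review bot: the `/run/systemd/transient(/.*)?` entry is inserted between `/usr/lib/systemd/system(/.*)?` and the per-service `/usr/lib/systemd/system/systemd-*.service` lines, which breaks the path-prefix grouping of this file; move it next to the other `/run/systemd` entries (the commit message names `/run/systemd/system` as the model). Also, an fc entry only takes effect on relabel, and PID 1 creates this directory on a tmpfs at boot, so check that the directory actually ends up as systemd_unit_file_t at runtime; if it inherits the parent's label instead, a named file transition for `transient` is needed in addition to this line.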
@ -48126,10 +48133,10 @@ index 0000000..ebd6cc8
+') +')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644 new file mode 100644
index 0000000..6c16f21 index 0000000..f799c5b
--- /dev/null --- /dev/null
+++ b/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te
@@ -0,0 +1,928 @@ @@ -0,0 +1,929 @@
+policy_module(systemd, 1.0.0) +policy_module(systemd, 1.0.0)
+ +
+####################################### +#######################################
@ -49012,6 +49019,7 @@ index 0000000..6c16f21
+corenet_udp_bind_llmnr_port(systemd_resolved_t) +corenet_udp_bind_llmnr_port(systemd_resolved_t)
+ +
+dev_write_kmsg(systemd_resolved_t) +dev_write_kmsg(systemd_resolved_t)
+dev_read_sysfs(systemd_resolved_t)
+ +
+sysnet_manage_config(systemd_resolved_t) +sysnet_manage_config(systemd_resolved_t)
+ +
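Review bot: `dev_read_sysfs(systemd_resolved_t)` is a coarse grant over the whole sysfs tree, while the changelog describes a narrow need (checking whether ipv6 is disabled); add a comment above the rule stating that purpose so the scope is not widened further without review.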


@ -25419,7 +25419,7 @@ index 23ab808..84735a8 100644
+/var/run/dnsmasq.* gen_context(system_u:object_r:dnsmasq_var_run_t,s0) +/var/run/dnsmasq.* gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) /var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
diff --git a/dnsmasq.if b/dnsmasq.if diff --git a/dnsmasq.if b/dnsmasq.if
index 19aa0b8..45c70c1 100644 index 19aa0b8..a79982c 100644
--- a/dnsmasq.if --- a/dnsmasq.if
+++ b/dnsmasq.if +++ b/dnsmasq.if
@@ -10,7 +10,6 @@ @@ -10,7 +10,6 @@
@ -25666,7 +25666,7 @@ index 19aa0b8..45c70c1 100644
init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
domain_system_change_exemption($1) domain_system_change_exemption($1)
role_transition $2 dnsmasq_initrc_exec_t system_r; role_transition $2 dnsmasq_initrc_exec_t system_r;
@@ -281,9 +395,13 @@ interface(`dnsmasq_admin',` @@ -281,9 +395,36 @@ interface(`dnsmasq_admin',`
files_list_var_lib($1) files_list_var_lib($1)
admin_pattern($1, dnsmasq_lease_t) admin_pattern($1, dnsmasq_lease_t)
@ -25680,9 +25680,32 @@ index 19aa0b8..45c70c1 100644
+ dnsmasq_systemctl($1) + dnsmasq_systemctl($1)
+ admin_pattern($1, dnsmasq_unit_file_t) + admin_pattern($1, dnsmasq_unit_file_t)
+ allow $1 dnsmasq_unit_file_t:service all_service_perms; + allow $1 dnsmasq_unit_file_t:service all_service_perms;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## dnsmasq over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dnsmasq_dbus_chat',`
+ gen_require(`
+ type dnsmasq_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 dnsmasq_t:dbus send_msg;
+ allow dnsmasq_t $1:dbus send_msg;
') ')
+
+
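Review bot: the two trailing `+` lines after the closing `')` of `dnsmasq_dbus_chat` add a double blank line at the end of the new interface; one separator is the convention in this file, so drop one of them. The interface body follows the usual chat pattern (`class dbus send_msg` in gen_require, send_msg allowed in both directions), so no change is needed there.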
diff --git a/dnsmasq.te b/dnsmasq.te diff --git a/dnsmasq.te b/dnsmasq.te
index 37a3b7b..921056a 100644 index 37a3b7b..0a64088 100644
--- a/dnsmasq.te --- a/dnsmasq.te
+++ b/dnsmasq.te +++ b/dnsmasq.te
@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t) @@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
@ -25731,7 +25754,7 @@ index 37a3b7b..921056a 100644
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
userdom_dontaudit_search_user_home_dirs(dnsmasq_t) userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
@@ -98,12 +105,21 @@ optional_policy(` @@ -98,12 +105,25 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -25741,20 +25764,24 @@ index 37a3b7b..921056a 100644
+optional_policy(` +optional_policy(`
dbus_connect_system_bus(dnsmasq_t) dbus_connect_system_bus(dnsmasq_t)
dbus_system_bus_client(dnsmasq_t) dbus_system_bus_client(dnsmasq_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(dnsmasq_t)
+ ')
+')
+
+optional_policy(`
+ dnsmasq_domtrans(dnsmasq_t)
') ')
optional_policy(` optional_policy(`
- networkmanager_read_pid_files(dnsmasq_t) - networkmanager_read_pid_files(dnsmasq_t)
+ dnsmasq_domtrans(dnsmasq_t)
+')
+
+optional_policy(`
+ networkmanager_read_conf(dnsmasq_t) + networkmanager_read_conf(dnsmasq_t)
+ networkmanager_manage_pid_files(dnsmasq_t) + networkmanager_manage_pid_files(dnsmasq_t)
') ')
optional_policy(` optional_policy(`
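Review bot: `dnsmasq_domtrans(dnsmasq_t)` is now wrapped in its own `optional_policy(` block, but it is dnsmasq's own interface called from dnsmasq.te, so the wrapper is unnecessary (the interface is always defined when this module builds) and the call can sit at top level. The nested `optional_policy(` around `networkmanager_dbus_chat(dnsmasq_t)` inside the dbus block is the right shape, since that rule needs both the dbus and networkmanager modules.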
@@ -124,6 +140,14 @@ optional_policy(` @@ -124,6 +144,14 @@ optional_policy(`
optional_policy(` optional_policy(`
virt_manage_lib_files(dnsmasq_t) virt_manage_lib_files(dnsmasq_t)
@ -25912,10 +25939,10 @@ index 0000000..d22ed69
+') +')
diff --git a/dnssec.te b/dnssec.te diff --git a/dnssec.te b/dnssec.te
new file mode 100644 new file mode 100644
index 0000000..181a31b index 0000000..f186d85
--- /dev/null --- /dev/null
+++ b/dnssec.te +++ b/dnssec.te
@@ -0,0 +1,87 @@ @@ -0,0 +1,88 @@
+policy_module(dnssec, 1.0.0) +policy_module(dnssec, 1.0.0)
+ +
+######################################## +########################################
@ -25949,8 +25976,9 @@ index 0000000..181a31b
+ +
+manage_dirs_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t) +manage_dirs_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
+manage_files_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t) +manage_files_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
+manage_lnk_files_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
+allow dnssec_trigger_t dnssec_trigger_var_run_t:file relabelfrom_file_perms; +allow dnssec_trigger_t dnssec_trigger_var_run_t:file relabelfrom_file_perms;
+files_pid_filetrans(dnssec_trigger_t, dnssec_trigger_var_run_t, { dir file }) +files_pid_filetrans(dnssec_trigger_t, dnssec_trigger_var_run_t, { dir file lnk_file })
+ +
+manage_files_pattern(dnssec_trigger_t,dnssec_trigger_tmp_t,dnssec_trigger_tmp_t) +manage_files_pattern(dnssec_trigger_t,dnssec_trigger_tmp_t,dnssec_trigger_tmp_t)
+manage_dirs_pattern(dnssec_trigger_t,dnssec_trigger_tmp_t,dnssec_trigger_tmp_t) +manage_dirs_pattern(dnssec_trigger_t,dnssec_trigger_tmp_t,dnssec_trigger_tmp_t)
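Review bot: the new `manage_lnk_files_pattern` and the `lnk_file` added to `files_pid_filetrans` are correctly paired, but the `allow dnssec_trigger_t dnssec_trigger_var_run_t:file relabelfrom_file_perms;` line in between still covers only `file`; if the trigger also relabels the symlinks it now creates, `lnk_file` needs the same relabelfrom grant or that path will still be denied. Minor: the two tmp_t pattern lines below lack spaces after the commas, unlike the var_run lines; since this hunk touches the block, it is a good moment to align them.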
@ -31935,10 +31963,10 @@ index 0000000..764ae00
+ +
diff --git a/glusterd.te b/glusterd.te diff --git a/glusterd.te b/glusterd.te
new file mode 100644 new file mode 100644
index 0000000..59e84ca index 0000000..33654d5
--- /dev/null --- /dev/null
+++ b/glusterd.te +++ b/glusterd.te
@@ -0,0 +1,295 @@ @@ -0,0 +1,297 @@
+policy_module(glusterd, 1.1.3) +policy_module(glusterd, 1.1.3)
+ +
+## <desc> +## <desc>
@ -32176,6 +32204,7 @@ index 0000000..59e84ca
+optional_policy(` +optional_policy(`
+ dbus_system_bus_client(glusterd_t) + dbus_system_bus_client(glusterd_t)
+ dbus_connect_system_bus(glusterd_t) + dbus_connect_system_bus(glusterd_t)
+ unconfined_dbus_chat(glusterd_t)
+ +
+ optional_policy(` + optional_policy(`
+ policykit_dbus_chat(glusterd_t) + policykit_dbus_chat(glusterd_t)
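Review bot: `unconfined_dbus_chat(glusterd_t)` sits directly in the dbus `optional_policy(` block, while the neighbouring `policykit_dbus_chat(glusterd_t)` is wrapped in its own nested `optional_policy(`; wrap the unconfined call the same way so the dbus block still builds when the unconfined module is absent. Note also that this allows dbus messaging in both directions with everything running as unconfined_t, not only the ganesha-ha.sh script named in the commit message; a dedicated domain for that script would be the least-privilege alternative if the broad grant is not wanted long term.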
@ -32221,6 +32250,7 @@ index 0000000..59e84ca
+ rpc_domtrans_nfsd(glusterd_t) + rpc_domtrans_nfsd(glusterd_t)
+ rpc_domtrans_rpcd(glusterd_t) + rpc_domtrans_rpcd(glusterd_t)
+ rpc_manage_nfs_state_data(glusterd_t) + rpc_manage_nfs_state_data(glusterd_t)
+ rpc_manage_nfs_state_data_dir(glusterd_t)
+ rpcbind_stream_connect(glusterd_t) + rpcbind_stream_connect(glusterd_t)
+') +')
+ +
@ -58382,7 +58412,7 @@ index 86dc29d..7380935 100644
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
') ')
diff --git a/networkmanager.te b/networkmanager.te diff --git a/networkmanager.te b/networkmanager.te
index 55f2009..2646460 100644 index 55f2009..ab2d757 100644
--- a/networkmanager.te --- a/networkmanager.te
+++ b/networkmanager.te +++ b/networkmanager.te
@@ -9,15 +9,18 @@ type NetworkManager_t; @@ -9,15 +9,18 @@ type NetworkManager_t;
@ -58640,7 +58670,7 @@ index 55f2009..2646460 100644
consoletype_exec(NetworkManager_t) consoletype_exec(NetworkManager_t)
') ')
@@ -210,16 +260,11 @@ optional_policy(` @@ -210,31 +260,34 @@ optional_policy(`
optional_policy(` optional_policy(`
dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
@ -58659,7 +58689,12 @@ index 55f2009..2646460 100644
') ')
') ')
@@ -231,10 +276,17 @@ optional_policy(` optional_policy(`
dnsmasq_read_pid_files(NetworkManager_t)
+ dnsmasq_dbus_chat(NetworkManager_t)
dnsmasq_delete_pid_files(NetworkManager_t)
dnsmasq_domtrans(NetworkManager_t)
dnsmasq_initrc_domtrans(NetworkManager_t)
dnsmasq_kill(NetworkManager_t) dnsmasq_kill(NetworkManager_t)
dnsmasq_signal(NetworkManager_t) dnsmasq_signal(NetworkManager_t)
dnsmasq_signull(NetworkManager_t) dnsmasq_signull(NetworkManager_t)
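Review bot: `dnsmasq_dbus_chat(NetworkManager_t)` overlaps with the `networkmanager_dbus_chat(dnsmasq_t)` added in dnsmasq.te above: the body of `dnsmasq_dbus_chat` (in the dnsmasq.if hunk) already allows send_msg in both directions, so if `networkmanager_dbus_chat` follows the same convention the two modules now optionally depend on each other for the same pair of rules; keeping only one side avoids the mutual dependency. Ordering nit: the new call lands between `dnsmasq_read_pid_files` and `dnsmasq_delete_pid_files`, splitting the pid-file calls; place it after them.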
@ -58678,7 +58713,7 @@ index 55f2009..2646460 100644
') ')
optional_policy(` optional_policy(`
@@ -246,10 +298,26 @@ optional_policy(` @@ -246,10 +299,26 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -58705,7 +58740,7 @@ index 55f2009..2646460 100644
') ')
optional_policy(` optional_policy(`
@@ -257,15 +325,19 @@ optional_policy(` @@ -257,15 +326,19 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -58727,7 +58762,7 @@ index 55f2009..2646460 100644
') ')
optional_policy(` optional_policy(`
@@ -274,10 +346,17 @@ optional_policy(` @@ -274,10 +347,17 @@ optional_policy(`
nscd_signull(NetworkManager_t) nscd_signull(NetworkManager_t)
nscd_kill(NetworkManager_t) nscd_kill(NetworkManager_t)
nscd_initrc_domtrans(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t)
@ -58745,7 +58780,7 @@ index 55f2009..2646460 100644
') ')
optional_policy(` optional_policy(`
@@ -286,9 +365,12 @@ optional_policy(` @@ -286,9 +366,12 @@ optional_policy(`
openvpn_kill(NetworkManager_t) openvpn_kill(NetworkManager_t)
openvpn_signal(NetworkManager_t) openvpn_signal(NetworkManager_t)
openvpn_signull(NetworkManager_t) openvpn_signull(NetworkManager_t)
@ -58758,7 +58793,7 @@ index 55f2009..2646460 100644
policykit_domtrans_auth(NetworkManager_t) policykit_domtrans_auth(NetworkManager_t)
policykit_read_lib(NetworkManager_t) policykit_read_lib(NetworkManager_t)
policykit_read_reload(NetworkManager_t) policykit_read_reload(NetworkManager_t)
@@ -296,7 +378,7 @@ optional_policy(` @@ -296,7 +379,7 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -58767,7 +58802,7 @@ index 55f2009..2646460 100644
') ')
optional_policy(` optional_policy(`
@@ -307,6 +389,7 @@ optional_policy(` @@ -307,6 +390,7 @@ optional_policy(`
ppp_signal(NetworkManager_t) ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t) ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t) ppp_read_config(NetworkManager_t)
@ -58775,7 +58810,7 @@ index 55f2009..2646460 100644
') ')
optional_policy(` optional_policy(`
@@ -320,14 +403,21 @@ optional_policy(` @@ -320,14 +404,21 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -58802,7 +58837,7 @@ index 55f2009..2646460 100644
') ')
optional_policy(` optional_policy(`
@@ -338,6 +428,13 @@ optional_policy(` @@ -338,6 +429,13 @@ optional_policy(`
vpn_relabelfrom_tun_socket(NetworkManager_t) vpn_relabelfrom_tun_socket(NetworkManager_t)
') ')
@ -58816,7 +58851,7 @@ index 55f2009..2646460 100644
######################################## ########################################
# #
# wpa_cli local policy # wpa_cli local policy
@@ -357,6 +454,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru @@ -357,6 +455,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
init_dontaudit_use_fds(wpa_cli_t) init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t) init_use_script_ptys(wpa_cli_t)
@ -86765,15 +86800,16 @@ index 6cf79c4..1a605f9 100644
') ')
diff --git a/rhev.fc b/rhev.fc diff --git a/rhev.fc b/rhev.fc
new file mode 100644 new file mode 100644
index 0000000..4b66adf index 0000000..013d1d9
--- /dev/null --- /dev/null
+++ b/rhev.fc +++ b/rhev.fc
@@ -0,0 +1,13 @@ @@ -0,0 +1,14 @@
+/usr/share/rhev-agent/rhev-agentd\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0) +/usr/share/rhev-agent/rhev-agentd\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
+/usr/share/ovirt-guest-agent -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0) +/usr/share/ovirt-guest-agent -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
+ +
+/usr/share/rhev-agent/LockActiveSession\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0) +/usr/share/rhev-agent/LockActiveSession\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
+/usr/share/ovirt-guest-agent/LockActiveSession\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0) +/usr/share/ovirt-guest-agent/LockActiveSession\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
+/usr/share/ovirt-guest-agent/ovirt-guest-agent\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
+ +
+/usr/lib/systemd/system/ovirt-guest-agent.* -- gen_context(system_u:object_r:rhev_agentd_unit_file_t,s0) +/usr/lib/systemd/system/ovirt-guest-agent.* -- gen_context(system_u:object_r:rhev_agentd_unit_file_t,s0)
+ +
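Review bot: the new `/usr/share/ovirt-guest-agent/ovirt-guest-agent\.py -- ...` entry matches the form of the `LockActiveSession\.py` line, so it is fine as written; while touching this file, though, note the pre-existing `/usr/share/ovirt-guest-agent -- gen_context(...)` line above it: `--` restricts the match to regular files, so it never labels the directory and only matters if a plain file by exactly that name exists. Confirm that is intended or drop the line.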
@ -88928,7 +88964,7 @@ index a6fb30c..38a2f09 100644
+/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) +/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+ +
diff --git a/rpc.if b/rpc.if diff --git a/rpc.if b/rpc.if
index 0bf13c2..4f3c2b9 100644 index 0bf13c2..ed393a0 100644
--- a/rpc.if --- a/rpc.if
+++ b/rpc.if +++ b/rpc.if
@@ -1,4 +1,4 @@ @@ -1,4 +1,4 @@
@ -89240,7 +89276,7 @@ index 0bf13c2..4f3c2b9 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -326,12 +345,31 @@ interface(`rpc_search_nfs_state_data',` @@ -326,12 +345,50 @@ interface(`rpc_search_nfs_state_data',`
') ')
files_search_var_lib($1) files_search_var_lib($1)
@ -89270,11 +89306,30 @@ index 0bf13c2..4f3c2b9 100644
+ +
+######################################## +########################################
+## <summary> +## <summary>
+## Manage NFS state data in /var/lib/nfs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_manage_nfs_state_data_dir',`
+ gen_require(`
+ type var_lib_nfs_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 var_lib_nfs_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Read NFS state data in /var/lib/nfs. +## Read NFS state data in /var/lib/nfs.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
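Review bot: the `<summary>` of the new `rpc_manage_nfs_state_data_dir` reads `Manage NFS state data in /var/lib/nfs.`, which is easy to confuse with `rpc_manage_nfs_state_data` (hunk header below) in generated docs; say `Create, read, write, and delete NFS state data directories in /var/lib/nfs.` so the two are distinguishable. The body is correct; `manage_dirs_pattern($1, var_lib_nfs_t, var_lib_nfs_t)` would be the idiomatic equivalent of the bare `allow $1 var_lib_nfs_t:dir manage_dir_perms;` used here.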
@@ -350,8 +388,7 @@ interface(`rpc_read_nfs_state_data',` @@ -350,8 +407,7 @@ interface(`rpc_read_nfs_state_data',`
######################################## ########################################
## <summary> ## <summary>
@ -89284,7 +89339,7 @@ index 0bf13c2..4f3c2b9 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -366,31 +403,68 @@ interface(`rpc_manage_nfs_state_data',` @@ -366,31 +422,68 @@ interface(`rpc_manage_nfs_state_data',`
files_search_var_lib($1) files_search_var_lib($1)
manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
@ -89359,7 +89414,7 @@ index 0bf13c2..4f3c2b9 100644
') ')
allow $1 rpc_domain:process { ptrace signal_perms }; allow $1 rpc_domain:process { ptrace signal_perms };
@@ -411,7 +485,7 @@ interface(`rpc_admin',` @@ -411,7 +504,7 @@ interface(`rpc_admin',`
admin_pattern($1, rpcd_var_run_t) admin_pattern($1, rpcd_var_run_t)
files_list_all($1) files_list_all($1)


@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.13.1 Version: 3.13.1
Release: 190%{?dist} Release: 191%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -647,6 +647,18 @@ exit 0
%endif %endif
%changelog %changelog
* Tue May 24 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-191
- Label /usr/share/ovirt-guest-agent/ovirt-guest-agent.py as rhev_agentd_exec_t
- Allow dnssec_trigger_t to create lnk_file labeled as dnssec_trigger_var_run_t. BZ(1335954)
- Allow ganesha-ha.sh script running under unconfined_t domain communicate with glusterd_t domains via dbus.
- Allow ganesha daemon labeled as glusterd_t create /var/lib/nfs/ganesha dir labeled as var_lib_nfs_t.
- Merge pull request #122 from NetworkManager/th/nm-dnsmasq-dbus
- Merge pull request #125 from rhatdan/typebounds
- Typebounds user domains
- Allow systemd_resolved_t to check if ipv6 is disabled.
- systemd added a new directory for unit files /run/systemd/transient. It should be labelled system_u:object_r:systemd_unit_file_t:s0, the same as /run/systemd/system, PID 1 will write units there. Resolves: #120
- Label /dev/xen/privcmd as xen_device_t. BZ(1334115)
* Mon May 16 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-190 * Mon May 16 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-190
- Label /var/log/ganesha.log as gluster_log_t Allow glusterd_t domain to create glusterd_log_t files. Label /var/run/ganesha.pid as gluster_var_run_t. - Label /var/log/ganesha.log as gluster_log_t Allow glusterd_t domain to create glusterd_log_t files. Label /var/run/ganesha.pid as gluster_var_run_t.
- Allow zabbix to connect to postgresql port - Allow zabbix to connect to postgresql port