* Tue May 24 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-191
- Label /usr/share/ovirt-guest-agent/ovirt-guest-agent.py as rhev_agentd_exec_t - Allow dnssec_trigger_t to create lnk_file labeled as dnssec_trigger_var_run_t. BZ(1335954) - Allow the ganesha-ha.sh script running under the unconfined_t domain to communicate with glusterd_t domains via dbus. - Allow the ganesha daemon labeled as glusterd_t to create the /var/lib/nfs/ganesha dir labeled as var_lib_nfs_t. - Merge pull request #122 from NetworkManager/th/nm-dnsmasq-dbus - Merge pull request #125 from rhatdan/typebounds - Typebounds user domains - Allow systemd_resolved_t to check if ipv6 is disabled. - systemd added a new directory for unit files, /run/systemd/transient. It should be labelled system_u:object_r:systemd_unit_file_t:s0, the same as /run/systemd/system; PID 1 will write units there. Resolves: #120 - Label /dev/xen/privcmd as xen_device_t. BZ(1334115)
This commit is contained in:
parent
5e78b00393
commit
4c0ceef239
@ -6288,7 +6288,7 @@ index 3f6e168..340e49f 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
|
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
|
||||||
index b31c054..50a45cf 100644
|
index b31c054..012cc6f 100644
|
||||||
--- a/policy/modules/kernel/devices.fc
|
--- a/policy/modules/kernel/devices.fc
|
||||||
+++ b/policy/modules/kernel/devices.fc
|
+++ b/policy/modules/kernel/devices.fc
|
||||||
@@ -15,15 +15,18 @@
|
@@ -15,15 +15,18 @@
|
||||||
@ -6396,7 +6396,7 @@ index b31c054..50a45cf 100644
|
|||||||
/dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
|
/dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
|
||||||
/dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
|
/dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
|
||||||
|
|
||||||
@@ -172,11 +193,16 @@ ifdef(`distro_suse', `
|
@@ -172,15 +193,21 @@ ifdef(`distro_suse', `
|
||||||
/dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0)
|
/dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0)
|
||||||
/dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0)
|
/dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0)
|
||||||
|
|
||||||
@ -6413,7 +6413,12 @@ index b31c054..50a45cf 100644
|
|||||||
/dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0)
|
/dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0)
|
||||||
/dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
|
/dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
|
||||||
/dev/xen/gntdev -c gen_context(system_u:object_r:xen_device_t,s0)
|
/dev/xen/gntdev -c gen_context(system_u:object_r:xen_device_t,s0)
|
||||||
@@ -198,12 +224,27 @@ ifdef(`distro_debian',`
|
/dev/xen/gntalloc -c gen_context(system_u:object_r:xen_device_t,s0)
|
||||||
|
+/dev/xen/privcmd -c gen_context(system_u:object_r:xen_device_t,s0)
|
||||||
|
|
||||||
|
ifdef(`distro_debian',`
|
||||||
|
# this is a static /dev dir "backup mount"
|
||||||
|
@@ -198,12 +225,27 @@ ifdef(`distro_debian',`
|
||||||
/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
|
/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
|
||||||
/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
|
/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
|
||||||
|
|
||||||
@ -6444,7 +6449,7 @@ index b31c054..50a45cf 100644
|
|||||||
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
|
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
|
||||||
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
|
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
|
||||||
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
|
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
|
||||||
index 76f285e..c542dd3 100644
|
index 76f285e..5cd2702 100644
|
||||||
--- a/policy/modules/kernel/devices.if
|
--- a/policy/modules/kernel/devices.if
|
||||||
+++ b/policy/modules/kernel/devices.if
|
+++ b/policy/modules/kernel/devices.if
|
||||||
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
|
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
|
||||||
@ -8716,7 +8721,7 @@ index 76f285e..c542dd3 100644
|
|||||||
## Read and write to the zero device (/dev/zero).
|
## Read and write to the zero device (/dev/zero).
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -4851,3 +5915,1019 @@ interface(`dev_unconfined',`
|
@@ -4851,3 +5915,1020 @@ interface(`dev_unconfined',`
|
||||||
|
|
||||||
typeattribute $1 devices_unconfined_type;
|
typeattribute $1 devices_unconfined_type;
|
||||||
')
|
')
|
||||||
@ -9619,6 +9624,7 @@ index 76f285e..c542dd3 100644
|
|||||||
+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap9")
|
+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap9")
|
||||||
+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntdev")
|
+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntdev")
|
||||||
+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntalloc")
|
+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntalloc")
|
||||||
|
+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "privcmd")
|
||||||
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC0")
|
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC0")
|
||||||
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC1")
|
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC1")
|
||||||
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC2")
|
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC2")
|
||||||
@ -46330,10 +46336,10 @@ index a392fc4..78fa512 100644
|
|||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
|
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..0e4185f
|
index 0000000..6cf3942
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/system/systemd.fc
|
+++ b/policy/modules/system/systemd.fc
|
||||||
@@ -0,0 +1,68 @@
|
@@ -0,0 +1,69 @@
|
||||||
+HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0)
|
+HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0)
|
||||||
+/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0)
|
+/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0)
|
||||||
+
|
+
|
||||||
@ -46356,6 +46362,7 @@ index 0000000..0e4185f
|
|||||||
+
|
+
|
||||||
+/usr/lib/dracut/modules.d/.*\.service gen_context(system_u:object_r:systemd_unit_file_t,s0)
|
+/usr/lib/dracut/modules.d/.*\.service gen_context(system_u:object_r:systemd_unit_file_t,s0)
|
||||||
+/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
|
+/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
|
||||||
|
+/run/systemd/transient(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
|
||||||
+/usr/lib/systemd/system/systemd-machined\.service -- gen_context(system_u:object_r:systemd_machined_unit_file_t,s0)
|
+/usr/lib/systemd/system/systemd-machined\.service -- gen_context(system_u:object_r:systemd_machined_unit_file_t,s0)
|
||||||
+/usr/lib/systemd/system/systemd-networkd\.service gen_context(system_u:object_r:systemd_networkd_unit_file_t,s0)
|
+/usr/lib/systemd/system/systemd-networkd\.service gen_context(system_u:object_r:systemd_networkd_unit_file_t,s0)
|
||||||
+/usr/lib/systemd/system/systemd-resolved\.service gen_context(system_u:object_r:systemd_resolved_unit_file_t,s0)
|
+/usr/lib/systemd/system/systemd-resolved\.service gen_context(system_u:object_r:systemd_resolved_unit_file_t,s0)
|
||||||
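Review bot: The new `+/run/systemd/transient(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)` entry only takes effect on a restorecon, because /run is a tmpfs that is empty at boot; the directory PID 1 creates there will carry whatever type the creating domain's transition rules under /run produce, and this hunk shows no such rule. Unless a named file transition for `transient` exists for the init domain elsewhere in systemd.te (not visible here), units written there will not be systemd_unit_file_t until relabelled, so this is worth confirming before relying on the label. As a style point the line is inserted between `/usr/lib/systemd/system(/.*)?` and its more specific per-service entries, splitting that group; it reads better next to the existing `/run/systemd/system` entry the commit message cites as its model.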
@ -48126,10 +48133,10 @@ index 0000000..ebd6cc8
|
|||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..6c16f21
|
index 0000000..f799c5b
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/system/systemd.te
|
+++ b/policy/modules/system/systemd.te
|
||||||
@@ -0,0 +1,928 @@
|
@@ -0,0 +1,929 @@
|
||||||
+policy_module(systemd, 1.0.0)
|
+policy_module(systemd, 1.0.0)
|
||||||
+
|
+
|
||||||
+#######################################
|
+#######################################
|
||||||
@ -49012,6 +49019,7 @@ index 0000000..6c16f21
|
|||||||
+corenet_udp_bind_llmnr_port(systemd_resolved_t)
|
+corenet_udp_bind_llmnr_port(systemd_resolved_t)
|
||||||
+
|
+
|
||||||
+dev_write_kmsg(systemd_resolved_t)
|
+dev_write_kmsg(systemd_resolved_t)
|
||||||
|
+dev_read_sysfs(systemd_resolved_t)
|
||||||
+
|
+
|
||||||
+sysnet_manage_config(systemd_resolved_t)
|
+sysnet_manage_config(systemd_resolved_t)
|
||||||
+
|
+
|
||||||
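Review bot: `dev_read_sysfs(systemd_resolved_t)` grants read access to the whole sysfs_t tree for what the commit message describes as a single "is IPv6 disabled" probe, and nothing in the hunk records which path that probe reads. Refpolicy has no narrower sysfs interface, so the grant is defensible, but a comment next to it keeps the broad rule auditable, e.g. `# resolved reads /sys/module/ipv6/parameters/disable to detect IPv6 being off -- confirm path`. If the check in fact goes through /proc/sys/net/ipv6 instead (not visible here), `kernel_read_net_sysctls(systemd_resolved_t)` would be the tighter call and this line could go.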
|
@ -25419,7 +25419,7 @@ index 23ab808..84735a8 100644
|
|||||||
+/var/run/dnsmasq.* gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
|
+/var/run/dnsmasq.* gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
|
||||||
/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
|
/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
|
||||||
diff --git a/dnsmasq.if b/dnsmasq.if
|
diff --git a/dnsmasq.if b/dnsmasq.if
|
||||||
index 19aa0b8..45c70c1 100644
|
index 19aa0b8..a79982c 100644
|
||||||
--- a/dnsmasq.if
|
--- a/dnsmasq.if
|
||||||
+++ b/dnsmasq.if
|
+++ b/dnsmasq.if
|
||||||
@@ -10,7 +10,6 @@
|
@@ -10,7 +10,6 @@
|
||||||
@ -25666,7 +25666,7 @@ index 19aa0b8..45c70c1 100644
|
|||||||
init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
|
init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
|
||||||
domain_system_change_exemption($1)
|
domain_system_change_exemption($1)
|
||||||
role_transition $2 dnsmasq_initrc_exec_t system_r;
|
role_transition $2 dnsmasq_initrc_exec_t system_r;
|
||||||
@@ -281,9 +395,13 @@ interface(`dnsmasq_admin',`
|
@@ -281,9 +395,36 @@ interface(`dnsmasq_admin',`
|
||||||
files_list_var_lib($1)
|
files_list_var_lib($1)
|
||||||
admin_pattern($1, dnsmasq_lease_t)
|
admin_pattern($1, dnsmasq_lease_t)
|
||||||
|
|
||||||
@ -25680,9 +25680,32 @@ index 19aa0b8..45c70c1 100644
|
|||||||
+ dnsmasq_systemctl($1)
|
+ dnsmasq_systemctl($1)
|
||||||
+ admin_pattern($1, dnsmasq_unit_file_t)
|
+ admin_pattern($1, dnsmasq_unit_file_t)
|
||||||
+ allow $1 dnsmasq_unit_file_t:service all_service_perms;
|
+ allow $1 dnsmasq_unit_file_t:service all_service_perms;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Send and receive messages from
|
||||||
|
+## dnsmasq over dbus.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`dnsmasq_dbus_chat',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type dnsmasq_t;
|
||||||
|
+ class dbus send_msg;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 dnsmasq_t:dbus send_msg;
|
||||||
|
+ allow dnsmasq_t $1:dbus send_msg;
|
||||||
')
|
')
|
||||||
|
+
|
||||||
|
+
|
||||||
diff --git a/dnsmasq.te b/dnsmasq.te
|
diff --git a/dnsmasq.te b/dnsmasq.te
|
||||||
index 37a3b7b..921056a 100644
|
index 37a3b7b..0a64088 100644
|
||||||
--- a/dnsmasq.te
|
--- a/dnsmasq.te
|
||||||
+++ b/dnsmasq.te
|
+++ b/dnsmasq.te
|
||||||
@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
|
@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
|
||||||
@ -25731,7 +25754,7 @@ index 37a3b7b..921056a 100644
|
|||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
|
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
|
||||||
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
|
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
|
||||||
@@ -98,12 +105,21 @@ optional_policy(`
|
@@ -98,12 +105,25 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -25741,20 +25764,24 @@ index 37a3b7b..921056a 100644
|
|||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
dbus_connect_system_bus(dnsmasq_t)
|
dbus_connect_system_bus(dnsmasq_t)
|
||||||
dbus_system_bus_client(dnsmasq_t)
|
dbus_system_bus_client(dnsmasq_t)
|
||||||
|
+
|
||||||
|
+ optional_policy(`
|
||||||
|
+ networkmanager_dbus_chat(dnsmasq_t)
|
||||||
|
+ ')
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ dnsmasq_domtrans(dnsmasq_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- networkmanager_read_pid_files(dnsmasq_t)
|
- networkmanager_read_pid_files(dnsmasq_t)
|
||||||
+ dnsmasq_domtrans(dnsmasq_t)
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
+optional_policy(`
|
|
||||||
+ networkmanager_read_conf(dnsmasq_t)
|
+ networkmanager_read_conf(dnsmasq_t)
|
||||||
+ networkmanager_manage_pid_files(dnsmasq_t)
|
+ networkmanager_manage_pid_files(dnsmasq_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -124,6 +140,14 @@ optional_policy(`
|
@@ -124,6 +144,14 @@ optional_policy(`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
virt_manage_lib_files(dnsmasq_t)
|
virt_manage_lib_files(dnsmasq_t)
|
||||||
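Review bot: The `networkmanager_dbus_chat(dnsmasq_t)` call nested inside the dbus `optional_policy` block appears to grant the same pair of `dbus send_msg` rules between dnsmasq_t and NetworkManager_t that `dnsmasq_dbus_chat(NetworkManager_t)`, added to networkmanager.te by this same commit and defined above as bidirectional, already grants — assuming `networkmanager_dbus_chat` follows the same two-way pattern, which is not shown here. Duplicate rules are harmless in the compiled policy, but a grant recorded in two modules is harder to audit and to remove later; keep it in one module and mark it with the reason, e.g. `# NM-spawned dnsmasq answers NetworkManager over the system bus (PR #122)`. The surrounding `optional_policy` blocks continue outside this hunk.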
@ -25912,10 +25939,10 @@ index 0000000..d22ed69
|
|||||||
+')
|
+')
|
||||||
diff --git a/dnssec.te b/dnssec.te
|
diff --git a/dnssec.te b/dnssec.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..181a31b
|
index 0000000..f186d85
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/dnssec.te
|
+++ b/dnssec.te
|
||||||
@@ -0,0 +1,87 @@
|
@@ -0,0 +1,88 @@
|
||||||
+policy_module(dnssec, 1.0.0)
|
+policy_module(dnssec, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -25949,8 +25976,9 @@ index 0000000..181a31b
|
|||||||
+
|
+
|
||||||
+manage_dirs_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
|
+manage_dirs_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
|
||||||
+manage_files_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
|
+manage_files_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
|
||||||
|
+manage_lnk_files_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
|
||||||
+allow dnssec_trigger_t dnssec_trigger_var_run_t:file relabelfrom_file_perms;
|
+allow dnssec_trigger_t dnssec_trigger_var_run_t:file relabelfrom_file_perms;
|
||||||
+files_pid_filetrans(dnssec_trigger_t, dnssec_trigger_var_run_t, { dir file })
|
+files_pid_filetrans(dnssec_trigger_t, dnssec_trigger_var_run_t, { dir file lnk_file })
|
||||||
+
|
+
|
||||||
+manage_files_pattern(dnssec_trigger_t,dnssec_trigger_tmp_t,dnssec_trigger_tmp_t)
|
+manage_files_pattern(dnssec_trigger_t,dnssec_trigger_tmp_t,dnssec_trigger_tmp_t)
|
||||||
+manage_dirs_pattern(dnssec_trigger_t,dnssec_trigger_tmp_t,dnssec_trigger_tmp_t)
|
+manage_dirs_pattern(dnssec_trigger_t,dnssec_trigger_tmp_t,dnssec_trigger_tmp_t)
|
||||||
@ -31935,10 +31963,10 @@ index 0000000..764ae00
|
|||||||
+
|
+
|
||||||
diff --git a/glusterd.te b/glusterd.te
|
diff --git a/glusterd.te b/glusterd.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..59e84ca
|
index 0000000..33654d5
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/glusterd.te
|
+++ b/glusterd.te
|
||||||
@@ -0,0 +1,295 @@
|
@@ -0,0 +1,297 @@
|
||||||
+policy_module(glusterd, 1.1.3)
|
+policy_module(glusterd, 1.1.3)
|
||||||
+
|
+
|
||||||
+## <desc>
|
+## <desc>
|
||||||
@ -32176,6 +32204,7 @@ index 0000000..59e84ca
|
|||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ dbus_system_bus_client(glusterd_t)
|
+ dbus_system_bus_client(glusterd_t)
|
||||||
+ dbus_connect_system_bus(glusterd_t)
|
+ dbus_connect_system_bus(glusterd_t)
|
||||||
|
+ unconfined_dbus_chat(glusterd_t)
|
||||||
+
|
+
|
||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
+ policykit_dbus_chat(glusterd_t)
|
+ policykit_dbus_chat(glusterd_t)
|
||||||
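Review bot: `unconfined_dbus_chat(glusterd_t)` opens a two-way `dbus send_msg` channel between glusterd_t and the unconfined domain with no comment recording why; the commit message ties it to ganesha-ha.sh running as unconfined_t, and that rationale belongs beside the rule, e.g. `# ganesha-ha.sh runs unconfined and drives glusterd over the system bus`. Because the peer is unconfined there is no narrower type to target, but the direction that matters for confinement is glusterd_t accepting messages from any unconfined caller, so everything glusterd exposes on the bus is now reachable from every unconfined process. If that is wider than intended, giving ganesha-ha.sh its own exec type and domain would let this grant be scoped to that domain instead; whether such a type already exists is not visible in this hunk.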
@ -32221,6 +32250,7 @@ index 0000000..59e84ca
|
|||||||
+ rpc_domtrans_nfsd(glusterd_t)
|
+ rpc_domtrans_nfsd(glusterd_t)
|
||||||
+ rpc_domtrans_rpcd(glusterd_t)
|
+ rpc_domtrans_rpcd(glusterd_t)
|
||||||
+ rpc_manage_nfs_state_data(glusterd_t)
|
+ rpc_manage_nfs_state_data(glusterd_t)
|
||||||
|
+ rpc_manage_nfs_state_data_dir(glusterd_t)
|
||||||
+ rpcbind_stream_connect(glusterd_t)
|
+ rpcbind_stream_connect(glusterd_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
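Review bot: `rpc_manage_nfs_state_data_dir(glusterd_t)` gives glusterd_t `manage_dir_perms` — including `rmdir` and `reparent` — on every directory labeled var_lib_nfs_t, while the commit message only needs `/var/lib/nfs/ganesha` to be creatable. A tighter shape is a named type transition so the `ganesha` subdirectory lands in a gluster-owned type and glusterd manages only that, roughly `filetrans_pattern(glusterd_t, var_lib_nfs_t, <gluster lib type>, dir, "ganesha")` together with `rpc_search_nfs_state_data(glusterd_t)`; which gluster type is appropriate is not visible from this hunk. If the directory must stay var_lib_nfs_t so rpc.statd or nfsd can use it, keep the call but add a one-line comment saying so, otherwise the breadth of the grant reads as an oversight.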
@ -58382,7 +58412,7 @@ index 86dc29d..7380935 100644
|
|||||||
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
|
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
|
||||||
')
|
')
|
||||||
diff --git a/networkmanager.te b/networkmanager.te
|
diff --git a/networkmanager.te b/networkmanager.te
|
||||||
index 55f2009..2646460 100644
|
index 55f2009..ab2d757 100644
|
||||||
--- a/networkmanager.te
|
--- a/networkmanager.te
|
||||||
+++ b/networkmanager.te
|
+++ b/networkmanager.te
|
||||||
@@ -9,15 +9,18 @@ type NetworkManager_t;
|
@@ -9,15 +9,18 @@ type NetworkManager_t;
|
||||||
@ -58640,7 +58670,7 @@ index 55f2009..2646460 100644
|
|||||||
consoletype_exec(NetworkManager_t)
|
consoletype_exec(NetworkManager_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -210,16 +260,11 @@ optional_policy(`
|
@@ -210,31 +260,34 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
|
dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
|
||||||
|
|
||||||
@ -58659,7 +58689,12 @@ index 55f2009..2646460 100644
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -231,10 +276,17 @@ optional_policy(`
|
optional_policy(`
|
||||||
|
dnsmasq_read_pid_files(NetworkManager_t)
|
||||||
|
+ dnsmasq_dbus_chat(NetworkManager_t)
|
||||||
|
dnsmasq_delete_pid_files(NetworkManager_t)
|
||||||
|
dnsmasq_domtrans(NetworkManager_t)
|
||||||
|
dnsmasq_initrc_domtrans(NetworkManager_t)
|
||||||
dnsmasq_kill(NetworkManager_t)
|
dnsmasq_kill(NetworkManager_t)
|
||||||
dnsmasq_signal(NetworkManager_t)
|
dnsmasq_signal(NetworkManager_t)
|
||||||
dnsmasq_signull(NetworkManager_t)
|
dnsmasq_signull(NetworkManager_t)
|
||||||
@ -58678,7 +58713,7 @@ index 55f2009..2646460 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -246,10 +298,26 @@ optional_policy(`
|
@@ -246,10 +299,26 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -58705,7 +58740,7 @@ index 55f2009..2646460 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -257,15 +325,19 @@ optional_policy(`
|
@@ -257,15 +326,19 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -58727,7 +58762,7 @@ index 55f2009..2646460 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -274,10 +346,17 @@ optional_policy(`
|
@@ -274,10 +347,17 @@ optional_policy(`
|
||||||
nscd_signull(NetworkManager_t)
|
nscd_signull(NetworkManager_t)
|
||||||
nscd_kill(NetworkManager_t)
|
nscd_kill(NetworkManager_t)
|
||||||
nscd_initrc_domtrans(NetworkManager_t)
|
nscd_initrc_domtrans(NetworkManager_t)
|
||||||
@ -58745,7 +58780,7 @@ index 55f2009..2646460 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -286,9 +365,12 @@ optional_policy(`
|
@@ -286,9 +366,12 @@ optional_policy(`
|
||||||
openvpn_kill(NetworkManager_t)
|
openvpn_kill(NetworkManager_t)
|
||||||
openvpn_signal(NetworkManager_t)
|
openvpn_signal(NetworkManager_t)
|
||||||
openvpn_signull(NetworkManager_t)
|
openvpn_signull(NetworkManager_t)
|
||||||
@ -58758,7 +58793,7 @@ index 55f2009..2646460 100644
|
|||||||
policykit_domtrans_auth(NetworkManager_t)
|
policykit_domtrans_auth(NetworkManager_t)
|
||||||
policykit_read_lib(NetworkManager_t)
|
policykit_read_lib(NetworkManager_t)
|
||||||
policykit_read_reload(NetworkManager_t)
|
policykit_read_reload(NetworkManager_t)
|
||||||
@@ -296,7 +378,7 @@ optional_policy(`
|
@@ -296,7 +379,7 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -58767,7 +58802,7 @@ index 55f2009..2646460 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -307,6 +389,7 @@ optional_policy(`
|
@@ -307,6 +390,7 @@ optional_policy(`
|
||||||
ppp_signal(NetworkManager_t)
|
ppp_signal(NetworkManager_t)
|
||||||
ppp_signull(NetworkManager_t)
|
ppp_signull(NetworkManager_t)
|
||||||
ppp_read_config(NetworkManager_t)
|
ppp_read_config(NetworkManager_t)
|
||||||
@ -58775,7 +58810,7 @@ index 55f2009..2646460 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -320,14 +403,21 @@ optional_policy(`
|
@@ -320,14 +404,21 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -58802,7 +58837,7 @@ index 55f2009..2646460 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -338,6 +428,13 @@ optional_policy(`
|
@@ -338,6 +429,13 @@ optional_policy(`
|
||||||
vpn_relabelfrom_tun_socket(NetworkManager_t)
|
vpn_relabelfrom_tun_socket(NetworkManager_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -58816,7 +58851,7 @@ index 55f2009..2646460 100644
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# wpa_cli local policy
|
# wpa_cli local policy
|
||||||
@@ -357,6 +454,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
|
@@ -357,6 +455,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
|
||||||
init_dontaudit_use_fds(wpa_cli_t)
|
init_dontaudit_use_fds(wpa_cli_t)
|
||||||
init_use_script_ptys(wpa_cli_t)
|
init_use_script_ptys(wpa_cli_t)
|
||||||
|
|
||||||
@ -86765,15 +86800,16 @@ index 6cf79c4..1a605f9 100644
|
|||||||
')
|
')
|
||||||
diff --git a/rhev.fc b/rhev.fc
|
diff --git a/rhev.fc b/rhev.fc
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..4b66adf
|
index 0000000..013d1d9
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/rhev.fc
|
+++ b/rhev.fc
|
||||||
@@ -0,0 +1,13 @@
|
@@ -0,0 +1,14 @@
|
||||||
+/usr/share/rhev-agent/rhev-agentd\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
|
+/usr/share/rhev-agent/rhev-agentd\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
|
||||||
+/usr/share/ovirt-guest-agent -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
|
+/usr/share/ovirt-guest-agent -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
|
||||||
+
|
+
|
||||||
+/usr/share/rhev-agent/LockActiveSession\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
|
+/usr/share/rhev-agent/LockActiveSession\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
|
||||||
+/usr/share/ovirt-guest-agent/LockActiveSession\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
|
+/usr/share/ovirt-guest-agent/LockActiveSession\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
|
||||||
|
+/usr/share/ovirt-guest-agent/ovirt-guest-agent\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
|
||||||
+
|
+
|
||||||
+/usr/lib/systemd/system/ovirt-guest-agent.* -- gen_context(system_u:object_r:rhev_agentd_unit_file_t,s0)
|
+/usr/lib/systemd/system/ovirt-guest-agent.* -- gen_context(system_u:object_r:rhev_agentd_unit_file_t,s0)
|
||||||
+
|
+
|
||||||
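Review bot: The added `/usr/share/ovirt-guest-agent/ovirt-guest-agent\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)` entry is correct, but the neighbouring context line `/usr/share/ovirt-guest-agent -- gen_context(...rhev_agentd_exec_t,s0)` uses the regular-file specifier `--` on a path that the new entry itself shows to be a directory, so it can never match anything and only suggests coverage that does not exist. If other scripts in that directory were meant to be covered they need explicit per-file entries like the one added here (labeling a whole tree as an exec type would be too broad); otherwise the dead spec should be dropped. The unit-file entry `/usr/lib/systemd/system/ovirt-guest-agent.* --` also has an unescaped `.`, which slightly widens its match and is usually written `ovirt-guest-agent\..*`.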
@ -88928,7 +88964,7 @@ index a6fb30c..38a2f09 100644
|
|||||||
+/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
|
+/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
|
||||||
+
|
+
|
||||||
diff --git a/rpc.if b/rpc.if
|
diff --git a/rpc.if b/rpc.if
|
||||||
index 0bf13c2..4f3c2b9 100644
|
index 0bf13c2..ed393a0 100644
|
||||||
--- a/rpc.if
|
--- a/rpc.if
|
||||||
+++ b/rpc.if
|
+++ b/rpc.if
|
||||||
@@ -1,4 +1,4 @@
|
@@ -1,4 +1,4 @@
|
||||||
@ -89240,7 +89276,7 @@ index 0bf13c2..4f3c2b9 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -326,12 +345,31 @@ interface(`rpc_search_nfs_state_data',`
|
@@ -326,12 +345,50 @@ interface(`rpc_search_nfs_state_data',`
|
||||||
')
|
')
|
||||||
|
|
||||||
files_search_var_lib($1)
|
files_search_var_lib($1)
|
||||||
@ -89270,11 +89306,30 @@ index 0bf13c2..4f3c2b9 100644
|
|||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
|
+## Manage NFS state data in /var/lib/nfs.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`rpc_manage_nfs_state_data_dir',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type var_lib_nfs_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ files_search_var_lib($1)
|
||||||
|
+ allow $1 var_lib_nfs_t:dir manage_dir_perms;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
+## Read NFS state data in /var/lib/nfs.
|
+## Read NFS state data in /var/lib/nfs.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -350,8 +388,7 @@ interface(`rpc_read_nfs_state_data',`
|
@@ -350,8 +407,7 @@ interface(`rpc_read_nfs_state_data',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
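Review bot: The summary of the new `rpc_manage_nfs_state_data_dir` interface, `## Manage NFS state data in /var/lib/nfs.`, is word-for-word the summary of the existing `rpc_manage_nfs_state_data` while the grant differs (`dir manage_dir_perms` instead of file management), so policy authors cannot tell the two apart from the generated docs; it should read `## Create, delete and manage directories holding NFS state data in /var/lib/nfs.`. Since `manage_dir_perms` on var_lib_nfs_t includes `rmdir` and `reparent`, the doc should also say that callers may remove or move NFS state directories, so that a caller needing only one subdirectory knows to prefer `rpc_search_nfs_state_data` plus a filetrans. The `rpc_read_nfs_state_data` block that follows begins inside this hunk and continues past it.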
@ -89284,7 +89339,7 @@ index 0bf13c2..4f3c2b9 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -366,31 +403,68 @@ interface(`rpc_manage_nfs_state_data',`
|
@@ -366,31 +422,68 @@ interface(`rpc_manage_nfs_state_data',`
|
||||||
|
|
||||||
files_search_var_lib($1)
|
files_search_var_lib($1)
|
||||||
manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
|
manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
|
||||||
@ -89359,7 +89414,7 @@ index 0bf13c2..4f3c2b9 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
allow $1 rpc_domain:process { ptrace signal_perms };
|
allow $1 rpc_domain:process { ptrace signal_perms };
|
||||||
@@ -411,7 +485,7 @@ interface(`rpc_admin',`
|
@@ -411,7 +504,7 @@ interface(`rpc_admin',`
|
||||||
admin_pattern($1, rpcd_var_run_t)
|
admin_pattern($1, rpcd_var_run_t)
|
||||||
|
|
||||||
files_list_all($1)
|
files_list_all($1)
|
||||||
|
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.13.1
|
Version: 3.13.1
|
||||||
Release: 190%{?dist}
|
Release: 191%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -647,6 +647,18 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue May 24 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-191
|
||||||
|
- Label /usr/share/ovirt-guest-agent/ovirt-guest-agent.py as rhev_agentd_exec_t
|
||||||
|
- Allow dnssec_trigger_t to create lnk_file labeled as dnssec_trigger_var_run_t. BZ(1335954)
|
||||||
|
- Allow ganesha-ha.sh script running under unconfined_t domain communicate with glusterd_t domains via dbus.
|
||||||
|
- Allow ganesha daemon labeled as glusterd_t create /var/lib/nfs/ganesha dir labeled as var_lib_nfs_t.
|
||||||
|
- Merge pull request #122 from NetworkManager/th/nm-dnsmasq-dbus
|
||||||
|
- Merge pull request #125 from rhatdan/typebounds
|
||||||
|
- Typebounds user domains
|
||||||
|
- Allow systemd_resolved_t to check if ipv6 is disabled.
|
||||||
|
- systemd added a new directory for unit files /run/systemd/transient. It should be labelled system_u:object_r:systemd_unit_file_t:s0, the same as /run/systemd/system, PID 1 will write units there. Resolves: #120
|
||||||
|
- Label /dev/xen/privcmd as xen_device_t. BZ(1334115)
|
||||||
|
|
||||||
* Mon May 16 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-190
|
* Mon May 16 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-190
|
||||||
- Label /var/log/ganesha.log as gluster_log_t Allow glusterd_t domain to create glusterd_log_t files. Label /var/run/ganesha.pid as gluster_var_run_t.
|
- Label /var/log/ganesha.log as gluster_log_t Allow glusterd_t domain to create glusterd_log_t files. Label /var/run/ganesha.pid as gluster_var_run_t.
|
||||||
- Allow zabbix to connect to postgresql port
|
- Allow zabbix to connect to postgresql port
|
||||||
|