* Fri Nov 03 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-301
- Merge pull request #37 from milosmalik/rawhide - Allow mozilla_plugin_t domain to dbus chat with devicekit - Dontaudit leaked logwatch pipes - Label /usr/bin/VGAuthService as vmtools_exec_t to confine this daemon. - Allow httpd_t domain to execute hugetlbfs_t files BZ(1444546) - Allow chronyd daemon to execute chronyc. BZ(1507478) - Allow pdns to read network system state BZ(1507244) - Allow gssproxy to read network system state Resolves: rhbz#1507191 - Allow nfsd_t domain to read configfs_t files/dirs - Allow tgtd_t domain to read generic certs - Allow ptp4l to send msgs via dgram socket to unprivileged user domains - Allow dirsrv_snmp_t to use inherited user ptys and read system state - Allow glusterd_t domain to create own tmpfs dirs/files - Allow keepalived stream connect to snmp
This commit is contained in:
parent
ba9b7318d9
commit
4c1c744cdd
Binary file not shown.
@ -50199,10 +50199,10 @@ index 000000000..5871e072d
|
||||
+')
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
new file mode 100644
|
||||
index 000000000..5033e0eb6
|
||||
index 000000000..bb880db4a
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -0,0 +1,1039 @@
|
||||
@@ -0,0 +1,1040 @@
|
||||
+policy_module(systemd, 1.0.0)
|
||||
+
|
||||
+#######################################
|
||||
@ -50272,6 +50272,7 @@ index 000000000..5033e0eb6
|
||||
+
|
||||
+type systemd_resolved_var_run_t;
|
||||
+files_pid_file(systemd_resolved_var_run_t)
|
||||
+files_mountpoint(systemd_resolved_var_run_t)
|
||||
+
|
||||
+type systemd_resolved_unit_file_t;
|
||||
+systemd_unit_file(systemd_resolved_unit_file_t)
|
||||
@ -58380,7 +58381,7 @@ index e79d54501..101086d66 100644
|
||||
')
|
||||
|
||||
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
|
||||
index 6e9131723..dc1c884fe 100644
|
||||
index 6e9131723..528c5d2d1 100644
|
||||
--- a/policy/support/obj_perm_sets.spt
|
||||
+++ b/policy/support/obj_perm_sets.spt
|
||||
@@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
|
||||
@ -58389,7 +58390,7 @@ index 6e9131723..dc1c884fe 100644
|
||||
#
|
||||
-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
|
||||
-
|
||||
+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket }')
|
||||
+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket dccp_socket }')
|
||||
|
||||
#
|
||||
# Datagram socket classes.
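Review bot: Adding `dccp_socket` to `socket_class_set` widens every rule in the policy that is written against the set, not only the consumer that motivated it, and the hunk carries no matching change to the class declarations, so it presumes `dccp_socket` is already declared in the base policy's security_classes/access_vectors — that is not visible on this page; confirm it, since an undeclared class fails the build rather than degrading quietly. Any module that already names dccp_socket explicitly now gets it through the set as well, which is harmless for allow rules but worth a grep to keep the explicit lists from drifting out of step with the set.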
|
||||
|
@ -5626,7 +5626,7 @@ index f6eb4851f..3628a384f 100644
|
||||
+ allow $1 httpd_t:process { noatsecure };
|
||||
')
|
||||
diff --git a/apache.te b/apache.te
|
||||
index 6649962b6..cb95398ea 100644
|
||||
index 6649962b6..3db9df9f9 100644
|
||||
--- a/apache.te
|
||||
+++ b/apache.te
|
||||
@@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
|
||||
@ -6345,7 +6345,7 @@ index 6649962b6..cb95398ea 100644
|
||||
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
|
||||
|
||||
setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
|
||||
@@ -450,140 +571,178 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
||||
@@ -450,140 +571,179 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
||||
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
||||
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
||||
|
||||
@ -6412,6 +6412,7 @@ index 6649962b6..cb95398ea 100644
|
||||
-fs_search_auto_mountpoints(httpd_t)
|
||||
+fs_rw_anon_inodefs_files(httpd_t)
|
||||
+fs_rw_hugetlbfs_files(httpd_t)
|
||||
+fs_exec_hugetlbfs_files(httpd_t)
|
||||
+fs_list_inotifyfs(httpd_t)
|
||||
+
|
||||
+auth_use_nsswitch(httpd_t)
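Review bot: `fs_exec_hugetlbfs_files(httpd_t)` is granted unconditionally right after `fs_rw_hugetlbfs_files(httpd_t)`, so httpd_t ends up with both write and execute on the same hugetlbfs-backed files, which undoes the W^X separation this domain otherwise keeps behind booleans. Unless every deployment needs it, wrap the exec rule in a tunable_policy block keyed on the existing `httpd_execmem` boolean (assuming this copy of apache.te still defines it), so the default policy keeps hugetlbfs non-executable for the web server. A short comment naming the bug it serves (BZ 1444546 per the changelog) above the rule would also tell the next reader why the exception exists. The httpd_t block this belongs to starts and ends outside the hunk.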
|
||||
@ -6588,7 +6589,7 @@ index 6649962b6..cb95398ea 100644
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
|
||||
@@ -594,28 +753,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
|
||||
@@ -594,28 +754,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
|
||||
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
|
||||
')
|
||||
|
||||
@ -6648,7 +6649,7 @@ index 6649962b6..cb95398ea 100644
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
@@ -624,68 +805,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
@@ -624,68 +806,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
fs_read_nfs_symlinks(httpd_t)
|
||||
')
|
||||
|
||||
@ -6751,7 +6752,7 @@ index 6649962b6..cb95398ea 100644
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_setrlimit',`
|
||||
@@ -695,49 +864,48 @@ tunable_policy(`httpd_setrlimit',`
|
||||
@@ -695,49 +865,48 @@ tunable_policy(`httpd_setrlimit',`
|
||||
|
||||
tunable_policy(`httpd_ssi_exec',`
|
||||
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
|
||||
@ -6832,7 +6833,7 @@ index 6649962b6..cb95398ea 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -749,24 +917,32 @@ optional_policy(`
|
||||
@@ -749,24 +918,32 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -6871,7 +6872,7 @@ index 6649962b6..cb95398ea 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -775,6 +951,10 @@ optional_policy(`
|
||||
@@ -775,6 +952,10 @@ optional_policy(`
|
||||
tunable_policy(`httpd_dbus_avahi',`
|
||||
avahi_dbus_chat(httpd_t)
|
||||
')
|
||||
@ -6882,7 +6883,7 @@ index 6649962b6..cb95398ea 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -786,35 +966,62 @@ optional_policy(`
|
||||
@@ -786,35 +967,62 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -6958,7 +6959,7 @@ index 6649962b6..cb95398ea 100644
|
||||
|
||||
tunable_policy(`httpd_manage_ipa',`
|
||||
memcached_manage_pid_files(httpd_t)
|
||||
@@ -822,8 +1029,31 @@ optional_policy(`
|
||||
@@ -822,8 +1030,31 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -6990,7 +6991,7 @@ index 6649962b6..cb95398ea 100644
|
||||
|
||||
tunable_policy(`httpd_can_network_connect_db',`
|
||||
mysql_tcp_connect(httpd_t)
|
||||
@@ -832,6 +1062,8 @@ optional_policy(`
|
||||
@@ -832,6 +1063,8 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
nagios_read_config(httpd_t)
|
||||
@ -6999,7 +7000,7 @@ index 6649962b6..cb95398ea 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -842,20 +1074,48 @@ optional_policy(`
|
||||
@@ -842,20 +1075,48 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -7054,7 +7055,7 @@ index 6649962b6..cb95398ea 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -863,16 +1123,31 @@ optional_policy(`
|
||||
@@ -863,16 +1124,31 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -7088,7 +7089,7 @@ index 6649962b6..cb95398ea 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -883,65 +1158,189 @@ optional_policy(`
|
||||
@@ -883,65 +1159,189 @@ optional_policy(`
|
||||
yam_read_content(httpd_t)
|
||||
')
|
||||
|
||||
@ -7300,7 +7301,7 @@ index 6649962b6..cb95398ea 100644
|
||||
files_dontaudit_search_pids(httpd_suexec_t)
|
||||
files_search_home(httpd_suexec_t)
|
||||
|
||||
@@ -950,123 +1349,75 @@ auth_use_nsswitch(httpd_suexec_t)
|
||||
@@ -950,123 +1350,75 @@ auth_use_nsswitch(httpd_suexec_t)
|
||||
logging_search_logs(httpd_suexec_t)
|
||||
logging_send_syslog_msg(httpd_suexec_t)
|
||||
|
||||
@ -7454,7 +7455,7 @@ index 6649962b6..cb95398ea 100644
|
||||
mysql_read_config(httpd_suexec_t)
|
||||
|
||||
tunable_policy(`httpd_can_network_connect_db',`
|
||||
@@ -1083,172 +1434,107 @@ optional_policy(`
|
||||
@@ -1083,172 +1435,107 @@ optional_policy(`
|
||||
')
|
||||
')
|
||||
|
||||
@ -7692,7 +7693,7 @@ index 6649962b6..cb95398ea 100644
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_read_user_content',`
|
||||
@@ -1256,64 +1542,74 @@ tunable_policy(`httpd_read_user_content',`
|
||||
@@ -1256,64 +1543,74 @@ tunable_policy(`httpd_read_user_content',`
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_use_cifs',`
|
||||
@ -7790,7 +7791,7 @@ index 6649962b6..cb95398ea 100644
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -1321,8 +1617,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
|
||||
@@ -1321,8 +1618,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
|
||||
#
|
||||
|
||||
optional_policy(`
|
||||
@ -7807,7 +7808,7 @@ index 6649962b6..cb95398ea 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1330,49 +1633,43 @@ optional_policy(`
|
||||
@@ -1330,49 +1634,43 @@ optional_policy(`
|
||||
# User content local policy
|
||||
#
|
||||
|
||||
@ -7876,7 +7877,7 @@ index 6649962b6..cb95398ea 100644
|
||||
kernel_read_system_state(httpd_passwd_t)
|
||||
|
||||
corecmd_exec_bin(httpd_passwd_t)
|
||||
@@ -1382,38 +1679,109 @@ dev_read_urand(httpd_passwd_t)
|
||||
@@ -1382,38 +1680,109 @@ dev_read_urand(httpd_passwd_t)
|
||||
|
||||
domain_use_interactive_fds(httpd_passwd_t)
|
||||
|
||||
@ -13908,7 +13909,7 @@ index 32e8265c2..508f3b84f 100644
|
||||
+ roleattribute $2 chronyc_roles;
|
||||
')
|
||||
diff --git a/chronyd.te b/chronyd.te
|
||||
index e5b621c29..89ecee1f7 100644
|
||||
index e5b621c29..47b5fe7e4 100644
|
||||
--- a/chronyd.te
|
||||
+++ b/chronyd.te
|
||||
@@ -5,6 +5,9 @@ policy_module(chronyd, 1.2.0)
|
||||
@ -13967,17 +13968,19 @@ index e5b621c29..89ecee1f7 100644
|
||||
manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
|
||||
manage_files_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
|
||||
fs_tmpfs_filetrans(chronyd_t, chronyd_tmpfs_t, { dir file })
|
||||
@@ -61,6 +82,9 @@ files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file })
|
||||
@@ -61,6 +82,11 @@ files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file })
|
||||
|
||||
kernel_read_system_state(chronyd_t)
|
||||
kernel_read_network_state(chronyd_t)
|
||||
+kernel_request_load_module(chronyd_t)
|
||||
+
|
||||
+can_exec(chronyd_t,chronyc_exec_t)
|
||||
+
|
||||
+clock_read_adjtime(chronyd_t)
|
||||
|
||||
corenet_all_recvfrom_unlabeled(chronyd_t)
|
||||
corenet_all_recvfrom_netlabel(chronyd_t)
|
||||
@@ -76,18 +100,62 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
|
||||
@@ -76,18 +102,62 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
|
||||
corenet_udp_bind_chronyd_port(chronyd_t)
|
||||
corenet_udp_sendrecv_chronyd_port(chronyd_t)
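Review bot: `can_exec(chronyd_t,chronyc_exec_t)` is the only interface call in this hunk written without a space after the comma; the surrounding calls use the `(a, b)` form, so `can_exec(chronyd_t, chronyc_exec_t)` would match. More substantively, can_exec keeps chronyc running in chronyd_t rather than transitioning to the separate chronyc domain this same patch sets up (see the `chronyc_roles` addition above), so whatever chronyc needs at runtime is satisfied from chronyd_t's own rules; if that is deliberate, a comment such as `# chronyd runs chronyc in its own domain (no transition)` above the rule records the choice. The chronyd_t block continues outside the hunk.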
|
||||
|
||||
@ -22724,7 +22727,7 @@ index 83bfda6ed..92d9fb2e7 100644
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 cyrus_initrc_exec_t system_r;
|
||||
diff --git a/cyrus.te b/cyrus.te
|
||||
index 4283f2de2..fe348758e 100644
|
||||
index 4283f2de2..c29c47501 100644
|
||||
--- a/cyrus.te
|
||||
+++ b/cyrus.te
|
||||
@@ -29,7 +29,7 @@ files_pid_file(cyrus_var_run_t)
|
||||
@ -22736,9 +22739,11 @@ index 4283f2de2..fe348758e 100644
|
||||
dontaudit cyrus_t self:capability sys_tty_config;
|
||||
allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow cyrus_t self:process setrlimit;
|
||||
@@ -63,12 +63,12 @@ kernel_read_kernel_sysctls(cyrus_t)
|
||||
@@ -62,13 +62,14 @@ files_pid_filetrans(cyrus_t, cyrus_var_run_t, { file sock_file })
|
||||
kernel_read_kernel_sysctls(cyrus_t)
|
||||
kernel_read_system_state(cyrus_t)
|
||||
kernel_read_all_sysctls(cyrus_t)
|
||||
+kernel_read_network_state(cyrus_t)
|
||||
|
||||
-corenet_all_recvfrom_unlabeled(cyrus_t)
|
||||
corenet_all_recvfrom_netlabel(cyrus_t)
|
||||
@ -22750,7 +22755,7 @@ index 4283f2de2..fe348758e 100644
|
||||
|
||||
corenet_sendrecv_mail_server_packets(cyrus_t)
|
||||
corenet_tcp_bind_mail_port(cyrus_t)
|
||||
@@ -76,6 +76,9 @@ corenet_tcp_bind_mail_port(cyrus_t)
|
||||
@@ -76,6 +77,9 @@ corenet_tcp_bind_mail_port(cyrus_t)
|
||||
corenet_sendrecv_lmtp_server_packets(cyrus_t)
|
||||
corenet_tcp_bind_lmtp_port(cyrus_t)
|
||||
|
||||
@ -22760,7 +22765,7 @@ index 4283f2de2..fe348758e 100644
|
||||
corenet_sendrecv_pop_server_packets(cyrus_t)
|
||||
corenet_tcp_bind_pop_port(cyrus_t)
|
||||
|
||||
@@ -95,8 +98,6 @@ domain_use_interactive_fds(cyrus_t)
|
||||
@@ -95,8 +99,6 @@ domain_use_interactive_fds(cyrus_t)
|
||||
|
||||
files_list_var_lib(cyrus_t)
|
||||
files_read_etc_runtime_files(cyrus_t)
|
||||
@ -22769,7 +22774,7 @@ index 4283f2de2..fe348758e 100644
|
||||
|
||||
fs_getattr_all_fs(cyrus_t)
|
||||
fs_search_auto_mountpoints(cyrus_t)
|
||||
@@ -107,7 +108,6 @@ libs_exec_lib_files(cyrus_t)
|
||||
@@ -107,7 +109,6 @@ libs_exec_lib_files(cyrus_t)
|
||||
|
||||
logging_send_syslog_msg(cyrus_t)
|
||||
|
||||
@ -22777,7 +22782,7 @@ index 4283f2de2..fe348758e 100644
|
||||
miscfiles_read_generic_certs(cyrus_t)
|
||||
|
||||
userdom_use_unpriv_users_fds(cyrus_t)
|
||||
@@ -121,6 +121,14 @@ optional_policy(`
|
||||
@@ -121,6 +122,14 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -22792,7 +22797,7 @@ index 4283f2de2..fe348758e 100644
|
||||
kerberos_read_keytab(cyrus_t)
|
||||
kerberos_use(cyrus_t)
|
||||
')
|
||||
@@ -134,8 +142,8 @@ optional_policy(`
|
||||
@@ -134,8 +143,8 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -26230,10 +26235,10 @@ index 000000000..b3784d85d
|
||||
+')
|
||||
diff --git a/dirsrv.te b/dirsrv.te
|
||||
new file mode 100644
|
||||
index 000000000..f068532e7
|
||||
index 000000000..58a8bf4fd
|
||||
--- /dev/null
|
||||
+++ b/dirsrv.te
|
||||
@@ -0,0 +1,207 @@
|
||||
@@ -0,0 +1,210 @@
|
||||
+policy_module(dirsrv,1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -26418,6 +26423,8 @@ index 000000000..f068532e7
|
||||
+manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);
|
||||
+filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file)
|
||||
+
|
||||
+kernel_read_system_state(dirsrv_snmp_t)
|
||||
+
|
||||
+corenet_tcp_connect_agentx_port(dirsrv_snmp_t)
|
||||
+
|
||||
+dev_read_rand(dirsrv_snmp_t)
|
||||
@ -26430,10 +26437,11 @@ index 000000000..f068532e7
|
||||
+fs_getattr_tmpfs(dirsrv_snmp_t)
|
||||
+fs_search_tmpfs(dirsrv_snmp_t)
|
||||
+
|
||||
+
|
||||
+sysnet_read_config(dirsrv_snmp_t)
|
||||
+sysnet_dns_name_resolve(dirsrv_snmp_t)
|
||||
+
|
||||
+userdom_use_inherited_user_ptys(dirsrv_snmp_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t)
|
||||
+ snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t)
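Review bot: Two consecutive blank lines are left between `fs_search_tmpfs(dirsrv_snmp_t)` and `sysnet_read_config(dirsrv_snmp_t)`, while the rest of the file separates rule groups with a single blank line; dropping one keeps the new file consistent. The dirsrv_snmp_t section continues past the end of the hunk.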
|
||||
@ -32102,10 +32110,10 @@ index 000000000..d9ba5fa27
|
||||
+')
|
||||
diff --git a/ganesha.te b/ganesha.te
|
||||
new file mode 100644
|
||||
index 000000000..3cf186efc
|
||||
index 000000000..0fdeecfd6
|
||||
--- /dev/null
|
||||
+++ b/ganesha.te
|
||||
@@ -0,0 +1,109 @@
|
||||
@@ -0,0 +1,110 @@
|
||||
+policy_module(ganesha, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -32182,6 +32190,7 @@ index 000000000..3cf186efc
|
||||
+
|
||||
+dev_rw_infiniband_dev(ganesha_t)
|
||||
+dev_read_gpfs(ganesha_t)
|
||||
+dev_read_rand(ganesha_t)
|
||||
+
|
||||
+logging_send_syslog_msg(ganesha_t)
|
||||
+
|
||||
@ -33861,10 +33870,10 @@ index 000000000..450146018
|
||||
+
|
||||
diff --git a/glusterd.te b/glusterd.te
|
||||
new file mode 100644
|
||||
index 000000000..5d279ca35
|
||||
index 000000000..7eeb7b0c0
|
||||
--- /dev/null
|
||||
+++ b/glusterd.te
|
||||
@@ -0,0 +1,324 @@
|
||||
@@ -0,0 +1,331 @@
|
||||
+policy_module(glusterd, 1.1.3)
|
||||
+
|
||||
+## <desc>
|
||||
@ -33916,6 +33925,9 @@ index 000000000..5d279ca35
|
||||
+type glusterd_tmp_t;
|
||||
+files_tmp_file(glusterd_tmp_t)
|
||||
+
|
||||
+type glusterd_tmpfs_t;
|
||||
+files_tmpfs_file(glusterd_tmpfs_t)
|
||||
+
|
||||
+type glusterd_log_t;
|
||||
+logging_log_file(glusterd_log_t)
|
||||
+
|
||||
@ -33954,6 +33966,10 @@ index 000000000..5d279ca35
|
||||
+files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
|
||||
+allow glusterd_t glusterd_tmp_t:dir mounton;
|
||||
+
|
||||
+manage_dirs_pattern(glusterd_t, glusterd_tmpfs_t, glusterd_tmpfs_t)
|
||||
+manage_files_pattern(glusterd_t, glusterd_tmpfs_t, glusterd_tmpfs_t)
|
||||
+fs_tmpfs_filetrans(glusterd_t, glusterd_tmpfs_t, { dir file })
|
||||
+
|
||||
+manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
|
||||
+manage_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
|
||||
+logging_log_filetrans(glusterd_t, glusterd_log_t, { file dir })
|
||||
@ -38150,10 +38166,10 @@ index 000000000..8a2013af9
|
||||
+')
|
||||
diff --git a/gssproxy.te b/gssproxy.te
|
||||
new file mode 100644
|
||||
index 000000000..86a4d31a1
|
||||
index 000000000..800eb43a1
|
||||
--- /dev/null
|
||||
+++ b/gssproxy.te
|
||||
@@ -0,0 +1,74 @@
|
||||
@@ -0,0 +1,75 @@
|
||||
+policy_module(gssproxy, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -38196,6 +38212,7 @@ index 000000000..86a4d31a1
|
||||
+files_pid_filetrans(gssproxy_t, gssproxy_var_run_t, { dir file lnk_file sock_file })
|
||||
+
|
||||
+kernel_rw_rpc_sysctls(gssproxy_t)
|
||||
+kernel_read_network_state(gssproxy_t)
|
||||
+
|
||||
+domain_use_interactive_fds(gssproxy_t)
|
||||
+
|
||||
@ -43845,10 +43862,10 @@ index 000000000..bd7e7fa17
|
||||
+')
|
||||
diff --git a/keepalived.te b/keepalived.te
|
||||
new file mode 100644
|
||||
index 000000000..f84877209
|
||||
index 000000000..d7cf7c7c3
|
||||
--- /dev/null
|
||||
+++ b/keepalived.te
|
||||
@@ -0,0 +1,101 @@
|
||||
@@ -0,0 +1,102 @@
|
||||
+policy_module(keepalived, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -43926,6 +43943,7 @@ index 000000000..f84877209
|
||||
+ snmp_manage_var_lib_files(keepalived_t)
|
||||
+ snmp_manage_var_lib_sock_files(keepalived_t)
|
||||
+ snmp_manage_var_lib_dirs(keepalived_t)
|
||||
+ snmp_stream_connect(keepalived_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
@ -47497,10 +47515,10 @@ index 000000000..7ba50607c
|
||||
+
|
||||
diff --git a/linuxptp.te b/linuxptp.te
|
||||
new file mode 100644
|
||||
index 000000000..7acdb2d40
|
||||
index 000000000..37414ae0d
|
||||
--- /dev/null
|
||||
+++ b/linuxptp.te
|
||||
@@ -0,0 +1,180 @@
|
||||
@@ -0,0 +1,184 @@
|
||||
+policy_module(linuxptp, 1.0.0)
|
||||
+
|
||||
+
|
||||
@ -47670,10 +47688,14 @@ index 000000000..7acdb2d40
|
||||
+corenet_udp_bind_generic_node(ptp4l_t)
|
||||
+corenet_udp_bind_reserved_port(ptp4l_t)
|
||||
+
|
||||
+kernel_read_network_state(ptp4l_t)
|
||||
+
|
||||
+dev_rw_realtime_clock(ptp4l_t)
|
||||
+
|
||||
+logging_send_syslog_msg(ptp4l_t)
|
||||
+
|
||||
+userdom_dgram_send(ptp4l_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ chronyd_rw_shm(ptp4l_t)
|
||||
+')
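Review bot: `userdom_dgram_send(ptp4l_t)` lets the daemon send unix datagrams to every unprivileged user domain, which is broad for a time-sync service; the changelog motivates it, but nothing in the file says which client case it serves, so a comment above the rule such as `# answers management queries sent from user sessions (see changelog)` would let a later reviewer judge whether a narrower target suffices. The ptp4l_t block begins outside the hunk.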
|
||||
@ -48443,6 +48465,32 @@ index be0ab84b3..af94fb163 100644
|
||||
+role system_r types logrotate_mail_t;
|
||||
logging_read_all_logs(logrotate_mail_t)
|
||||
+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
|
||||
diff --git a/logwatch.if b/logwatch.if
|
||||
index 06c3d36ca..2bb771f02 100644
|
||||
--- a/logwatch.if
|
||||
+++ b/logwatch.if
|
||||
@@ -37,3 +37,21 @@ interface(`logwatch_search_cache_dir',`
|
||||
files_search_var($1)
|
||||
allow $1 logwatch_cache_t:dir search_dir_perms;
|
||||
')
|
||||
+
|
||||
+#######################################
|
||||
+## <summary>
|
||||
+## Dontaudit read and write an leaked file descriptors
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain to not audit.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`logwatch_dontaudit_leaks',`
|
||||
+ gen_require(`
|
||||
+ type logwatch_t;
|
||||
+ ')
|
||||
+
|
||||
+ dontaudit $1 logwatch_t:fifo_file { read write };
|
||||
+')
|
||||
diff --git a/logwatch.te b/logwatch.te
|
||||
index ab650340c..433d37810 100644
|
||||
--- a/logwatch.te
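Review bot: The summary of the new `logwatch_dontaudit_leaks` interface reads `Dontaudit read and write an leaked file descriptors`, which is ungrammatical and promises more than the body delivers — the body only covers `logwatch_t:fifo_file { read write }`, not leaked ttys, files or sockets. Suggest `## Do not audit attempts to read or write leaked logwatch pipes (fifo_file).` so callers know the scope. The interface itself follows the module's existing pattern and is complete within the hunk.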
|
||||
@ -54207,7 +54255,7 @@ index 6194b806b..e27c53d6e 100644
|
||||
')
|
||||
+
|
||||
diff --git a/mozilla.te b/mozilla.te
|
||||
index 11ac8e4fc..28c1c5f16 100644
|
||||
index 11ac8e4fc..bb6533dae 100644
|
||||
--- a/mozilla.te
|
||||
+++ b/mozilla.te
|
||||
@@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0)
|
||||
@ -54488,11 +54536,11 @@ index 11ac8e4fc..28c1c5f16 100644
|
||||
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
|
||||
|
||||
-userdom_use_user_ptys(mozilla_t)
|
||||
+userdom_use_inherited_user_ptys(mozilla_t)
|
||||
|
||||
-
|
||||
-userdom_manage_user_tmp_dirs(mozilla_t)
|
||||
-userdom_manage_user_tmp_files(mozilla_t)
|
||||
-
|
||||
+userdom_use_inherited_user_ptys(mozilla_t)
|
||||
|
||||
-userdom_manage_user_home_content_dirs(mozilla_t)
|
||||
-userdom_manage_user_home_content_files(mozilla_t)
|
||||
-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
|
||||
@ -54626,34 +54674,34 @@ index 11ac8e4fc..28c1c5f16 100644
|
||||
- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private")
|
||||
+ gnome_manage_config(mozilla_t)
|
||||
+ gnome_manage_gconf_home_files(mozilla_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ java_domtrans(mozilla_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- java_exec(mozilla_t)
|
||||
- java_manage_generic_home_content(mozilla_t)
|
||||
- java_home_filetrans_java_home(mozilla_t, dir, ".java")
|
||||
+ java_domtrans(mozilla_t)
|
||||
+ lpd_domtrans_lpr(mozilla_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- lpd_run_lpr(mozilla_t, mozilla_roles)
|
||||
+ lpd_domtrans_lpr(mozilla_t)
|
||||
+ mplayer_domtrans(mozilla_t)
|
||||
+ mplayer_read_user_home_files(mozilla_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- mplayer_exec(mozilla_t)
|
||||
- mplayer_manage_generic_home_content(mozilla_t)
|
||||
- mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer")
|
||||
+ mplayer_domtrans(mozilla_t)
|
||||
+ mplayer_read_user_home_files(mozilla_t)
|
||||
+ nscd_socket_use(mozilla_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- pulseaudio_run(mozilla_t, mozilla_roles)
|
||||
+ nscd_socket_use(mozilla_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ #pulseaudio_role(mozilla_roles, mozilla_t)
|
||||
+ pulseaudio_exec(mozilla_t)
|
||||
+ pulseaudio_stream_connect(mozilla_t)
|
||||
@ -54661,7 +54709,7 @@ index 11ac8e4fc..28c1c5f16 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -300,259 +340,261 @@ optional_policy(`
|
||||
@@ -300,259 +340,265 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -55026,13 +55074,6 @@ index 11ac8e4fc..28c1c5f16 100644
|
||||
+ dbus_session_bus_client(mozilla_plugin_t)
|
||||
+ dbus_connect_session_bus(mozilla_plugin_t)
|
||||
+ dbus_read_lib_files(mozilla_plugin_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ gnome_manage_config(mozilla_plugin_t)
|
||||
+ gnome_read_usr_config(mozilla_plugin_t)
|
||||
+ gnome_filetrans_home_content(mozilla_plugin_t)
|
||||
+ gnome_exec_gstreamer_home_files(mozilla_plugin_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -55040,6 +55081,17 @@ index 11ac8e4fc..28c1c5f16 100644
|
||||
- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome")
|
||||
- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2")
|
||||
- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2_private")
|
||||
+ devicekit_dbus_chat_disk(mozilla_plugin_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ gnome_manage_config(mozilla_plugin_t)
|
||||
+ gnome_read_usr_config(mozilla_plugin_t)
|
||||
+ gnome_filetrans_home_content(mozilla_plugin_t)
|
||||
+ gnome_exec_gstreamer_home_files(mozilla_plugin_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ gpm_dontaudit_getattr_gpmctl(mozilla_plugin_t)
|
||||
')
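Review bot: `devicekit_dbus_chat_disk(mozilla_plugin_t)` grants the plugin domain two-way D-Bus traffic with the devicekit disk daemon unconditionally, whereas the neighbouring desktop-integration rules (gnome_*, gpm_*) are read, filetrans or dontaudit only; since disk operations reach a privileged daemon, consider gating this call behind a boolean so it stays off where plugin-driven mount activity is not expected. The page layout does not make it recoverable which old rule this replaces, so that part is inferred. The enclosing optional_policy block is complete within the hunk, but the mozilla_plugin_t section continues outside it.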
|
||||
|
||||
@ -55069,7 +55121,7 @@ index 11ac8e4fc..28c1c5f16 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -560,7 +602,11 @@ optional_policy(`
|
||||
@@ -560,7 +606,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -55082,7 +55134,7 @@ index 11ac8e4fc..28c1c5f16 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -568,108 +614,144 @@ optional_policy(`
|
||||
@@ -568,108 +618,144 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -71802,10 +71854,10 @@ index 000000000..02df03ad6
|
||||
+')
|
||||
diff --git a/pdns.te b/pdns.te
|
||||
new file mode 100644
|
||||
index 000000000..63ddc577c
|
||||
index 000000000..4df7ada2a
|
||||
--- /dev/null
|
||||
+++ b/pdns.te
|
||||
@@ -0,0 +1,83 @@
|
||||
@@ -0,0 +1,85 @@
|
||||
+policy_module(pdns, 1.0.2)
|
||||
+
|
||||
+########################################
|
||||
@ -71849,6 +71901,8 @@ index 000000000..63ddc577c
|
||||
+allow pdns_t self:unix_dgram_socket create_socket_perms;
|
||||
+pdns_read_config(pdns_t)
|
||||
+
|
||||
+kernel_read_network_state(pdns_t)
|
||||
+
|
||||
+corenet_tcp_bind_dns_port(pdns_t)
|
||||
+corenet_udp_bind_dns_port(pdns_t)
|
||||
+
|
||||
@ -72037,7 +72091,7 @@ index d2fc677c1..86dce34a2 100644
|
||||
')
|
||||
+
|
||||
diff --git a/pegasus.te b/pegasus.te
|
||||
index 608f454d8..8f0f5fd9c 100644
|
||||
index 608f454d8..64782ff03 100644
|
||||
--- a/pegasus.te
|
||||
+++ b/pegasus.te
|
||||
@@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
|
||||
@ -72056,7 +72110,7 @@ index 608f454d8..8f0f5fd9c 100644
|
||||
type pegasus_cache_t;
|
||||
files_type(pegasus_cache_t)
|
||||
|
||||
@@ -30,20 +29,335 @@ files_type(pegasus_mof_t)
|
||||
@@ -30,20 +29,337 @@ files_type(pegasus_mof_t)
|
||||
type pegasus_var_run_t;
|
||||
files_pid_file(pegasus_var_run_t)
|
||||
|
||||
@ -72189,6 +72243,8 @@ index 608f454d8..8f0f5fd9c 100644
|
||||
+
|
||||
+kernel_read_network_state(pegasus_openlmi_services_t)
|
||||
+
|
||||
+miscfiles_read_certs(pegasus_openlmi_services_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ dbus_system_bus_client(pegasus_openlmi_services_t)
|
||||
+')
|
||||
@ -72398,7 +72454,7 @@ index 608f454d8..8f0f5fd9c 100644
|
||||
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
|
||||
@@ -54,25 +368,26 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
|
||||
@@ -54,25 +370,26 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
|
||||
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
||||
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
||||
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
||||
@ -72433,7 +72489,7 @@ index 608f454d8..8f0f5fd9c 100644
|
||||
kernel_read_fs_sysctls(pegasus_t)
|
||||
kernel_read_system_state(pegasus_t)
|
||||
kernel_search_vm_sysctl(pegasus_t)
|
||||
@@ -80,27 +395,21 @@ kernel_read_net_sysctls(pegasus_t)
|
||||
@@ -80,27 +397,21 @@ kernel_read_net_sysctls(pegasus_t)
|
||||
kernel_read_xen_state(pegasus_t)
|
||||
kernel_write_xen_state(pegasus_t)
|
||||
|
||||
@ -72466,7 +72522,7 @@ index 608f454d8..8f0f5fd9c 100644
|
||||
|
||||
corecmd_exec_bin(pegasus_t)
|
||||
corecmd_exec_shell(pegasus_t)
|
||||
@@ -114,9 +423,11 @@ files_getattr_all_dirs(pegasus_t)
|
||||
@@ -114,9 +425,11 @@ files_getattr_all_dirs(pegasus_t)
|
||||
|
||||
auth_use_nsswitch(pegasus_t)
|
||||
auth_domtrans_chk_passwd(pegasus_t)
|
||||
@ -72478,7 +72534,7 @@ index 608f454d8..8f0f5fd9c 100644
|
||||
|
||||
files_list_var_lib(pegasus_t)
|
||||
files_read_var_lib_files(pegasus_t)
|
||||
@@ -128,18 +439,29 @@ init_stream_connect_script(pegasus_t)
|
||||
@@ -128,18 +441,29 @@ init_stream_connect_script(pegasus_t)
|
||||
logging_send_audit_msgs(pegasus_t)
|
||||
logging_send_syslog_msg(pegasus_t)
|
||||
|
||||
@ -72500,21 +72556,21 @@ index 608f454d8..8f0f5fd9c 100644
|
||||
+optional_policy(`
|
||||
+ dbus_system_bus_client(pegasus_t)
|
||||
+ dbus_connect_system_bus(pegasus_t)
|
||||
|
||||
- optional_policy(`
|
||||
- networkmanager_dbus_chat(pegasus_t)
|
||||
- ')
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ networkmanager_dbus_chat(pegasus_t)
|
||||
+ ')
|
||||
+')
|
||||
+
|
||||
|
||||
- optional_policy(`
|
||||
- networkmanager_dbus_chat(pegasus_t)
|
||||
- ')
|
||||
+optional_policy(`
|
||||
+ rhcs_stream_connect_cluster(pegasus_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -151,16 +473,24 @@ optional_policy(`
|
||||
@@ -151,16 +475,24 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -72543,7 +72599,7 @@ index 608f454d8..8f0f5fd9c 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -168,7 +498,7 @@ optional_policy(`
|
||||
@@ -168,7 +500,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -72552,7 +72608,7 @@ index 608f454d8..8f0f5fd9c 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -180,12 +510,17 @@ optional_policy(`
|
||||
@@ -180,12 +512,17 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -77332,7 +77388,7 @@ index ded95ec3a..210018ce4 100644
|
||||
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
|
||||
')
|
||||
diff --git a/postfix.te b/postfix.te
|
||||
index 5cfb83eca..67f813d34 100644
|
||||
index 5cfb83eca..5de033f81 100644
|
||||
--- a/postfix.te
|
||||
+++ b/postfix.te
|
||||
@@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1)
|
||||
@ -78040,7 +78096,7 @@ index 5cfb83eca..67f813d34 100644
|
||||
|
||||
init_sigchld_script(postfix_postqueue_t)
|
||||
init_use_script_fds(postfix_postqueue_t)
|
||||
@@ -655,69 +595,80 @@ optional_policy(`
|
||||
@@ -655,69 +595,84 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -78104,6 +78160,10 @@ index 5cfb83eca..67f813d34 100644
|
||||
term_use_all_ptys(postfix_showq_t)
|
||||
term_use_all_ttys(postfix_showq_t)
|
||||
|
||||
+optional_policy(`
|
||||
+ logwatch_dontaudit_leaks(postfix_showq_t)
|
||||
+')
|
||||
+
|
||||
########################################
|
||||
#
|
||||
-# Smtp delivery local policy
|
||||
@ -78138,7 +78198,7 @@ index 5cfb83eca..67f813d34 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -730,28 +681,32 @@ optional_policy(`
|
||||
@@ -730,28 +685,32 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -78179,7 +78239,7 @@ index 5cfb83eca..67f813d34 100644
|
||||
|
||||
optional_policy(`
|
||||
dovecot_stream_connect_auth(postfix_smtpd_t)
|
||||
@@ -764,6 +719,7 @@ optional_policy(`
|
||||
@@ -764,6 +723,7 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
milter_stream_connect_all(postfix_smtpd_t)
|
||||
@ -78187,7 +78247,7 @@ index 5cfb83eca..67f813d34 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -774,31 +730,102 @@ optional_policy(`
|
||||
@@ -774,31 +734,102 @@ optional_policy(`
|
||||
sasl_connect(postfix_smtpd_t)
|
||||
')
|
||||
|
||||
@ -93683,7 +93743,7 @@ index 0bf13c220..79a2a9c48 100644
+ allow $1 gssd_t:process { noatsecure rlimitinh };
+')
diff --git a/rpc.te b/rpc.te
index 2da9fca2f..9099c9800 100644
index 2da9fca2f..c8afd1e50 100644
--- a/rpc.te
+++ b/rpc.te
@@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1)
@ -93888,7 +93948,7 @@ index 2da9fca2f..9099c9800 100644
')
########################################
@@ -201,42 +231,64 @@ optional_policy(`
@@ -201,42 +231,66 @@ optional_policy(`
# NFSD local policy
#
@ -93935,6 +93995,8 @@ index 2da9fca2f..9099c9800 100644
files_manage_mounttab(nfsd_t)
+files_read_etc_runtime_files(nfsd_t)
+fs_read_configfs_files(nfsd_t)
+fs_read_configfs_dirs(nfsd_t)
+fs_mounton_nfsd_fs(nfsd_t)
fs_mount_nfsd_fs(nfsd_t)
fs_getattr_all_fs(nfsd_t)
@ -93964,7 +94026,7 @@ index 2da9fca2f..9099c9800 100644
miscfiles_manage_public_files(nfsd_t)
')
@@ -245,7 +297,6 @@ tunable_policy(`nfs_export_all_rw',`
@@ -245,7 +299,6 @@ tunable_policy(`nfs_export_all_rw',`
dev_getattr_all_chr_files(nfsd_t)
fs_read_noxattr_fs_files(nfsd_t)
@ -93972,7 +94034,7 @@ index 2da9fca2f..9099c9800 100644
')
tunable_policy(`nfs_export_all_ro',`
@@ -257,12 +308,12 @@ tunable_policy(`nfs_export_all_ro',`
@@ -257,12 +310,12 @@ tunable_policy(`nfs_export_all_ro',`
fs_read_noxattr_fs_files(nfsd_t)
@ -93987,7 +94049,7 @@ index 2da9fca2f..9099c9800 100644
')
########################################
@@ -270,7 +321,7 @@ optional_policy(`
@@ -270,7 +323,7 @@ optional_policy(`
# GSSD local policy
#
@ -93996,7 +94058,7 @@ index 2da9fca2f..9099c9800 100644
allow gssd_t self:process { getsched setsched };
allow gssd_t self:fifo_file rw_fifo_file_perms;
@@ -280,6 +331,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
@@ -280,6 +333,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
@ -94004,7 +94066,7 @@ index 2da9fca2f..9099c9800 100644
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_request_load_module(gssd_t)
@@ -288,25 +340,31 @@ kernel_signal(gssd_t)
@@ -288,25 +342,31 @@ kernel_signal(gssd_t)
corecmd_exec_bin(gssd_t)
@ -94039,7 +94101,7 @@ index 2da9fca2f..9099c9800 100644
')
optional_policy(`
@@ -314,9 +372,12 @@ optional_policy(`
@@ -314,9 +374,12 @@ optional_policy(`
')
optional_policy(`
@ -111403,7 +111465,7 @@ index 5406b6ee8..dc5b46e28 100644
admin_pattern($1, tgtd_tmpfs_t)
')
diff --git a/tgtd.te b/tgtd.te
index d01096386..ae473b2b2 100644
index d01096386..c491b2f9c 100644
--- a/tgtd.te
+++ b/tgtd.te
@@ -29,8 +29,8 @@ files_pid_file(tgtd_var_run_t)
@ -111435,7 +111497,7 @@ index d01096386..ae473b2b2 100644
corenet_tcp_sendrecv_iscsi_port(tgtd_t)
corenet_sendrecv_iscsi_client_packets(tgtd_t)
@@ -72,16 +73,16 @@ corenet_tcp_connect_isns_port(tgtd_t)
@@ -72,16 +73,18 @@ corenet_tcp_connect_isns_port(tgtd_t)
dev_read_sysfs(tgtd_t)
@ -111444,6 +111506,8 @@ index d01096386..ae473b2b2 100644
fs_read_anon_inodefs_files(tgtd_t)
+miscfiles_read_generic_certs(tgtd_t)
+
storage_manage_fixed_disk(tgtd_t)
+storage_read_scsi_generic(tgtd_t)
+storage_write_scsi_generic(tgtd_t)
@ -120205,11 +120269,12 @@ index 6b72968ea..de409cc61 100644
+userdom_use_inherited_user_terminals(vlock_t)
diff --git a/vmtools.fc b/vmtools.fc
new file mode 100644
index 000000000..c5deffb77
index 000000000..13ee573e4
--- /dev/null
+++ b/vmtools.fc
@@ -0,0 +1,5 @@
@@ -0,0 +1,6 @@
+/usr/bin/vmtoolsd -- gen_context(system_u:object_r:vmtools_exec_t,s0)
+/usr/bin/VGAuthService -- gen_context(system_u:object_r:vmtools_exec_t,s0)
+
+/usr/bin/vmware-user-suid-wrapper -- gen_context(system_u:object_r:vmtools_helper_exec_t,s0)
+
@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 300%{?dist}
Release: 301%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -717,6 +717,22 @@ exit 0
%endif
%changelog
* Fri Nov 03 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-301
- Merge pull request #37 from milosmalik/rawhide
- Allow mozilla_plugin_t domain to dbus chat with devicekit
- Dontaudit leaked logwatch pipes
- Label /usr/bin/VGAuthService as vmtools_exec_t to confine this daemon.
- Allow httpd_t domain to execute hugetlbfs_t files BZ(1444546)
- Allow chronyd daemon to execute chronyc. BZ(1507478)
- Allow pdns to read network system state BZ(1507244)
- Allow gssproxy to read network system state Resolves: rhbz#1507191
- Allow nfsd_t domain to read configfs_t files/dirs
- Allow tgtd_t domain to read generic certs
- Allow ptp4l to send msgs via dgram socket to unprivileged user domains
- Allow dirsrv_snmp_t to use inherited user ptys and read system state
- Allow glusterd_t domain to create own tmpfs dirs/files
- Allow keepalived stream connect to snmp
* Thu Oct 26 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-300
- Allow zabbix_t domain to change its resource limits
- Add new boolean nagios_use_nfs