* Wed Jan 20 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-168
- Label virtlogd binary as virtd_exec_t. BZ(1291940) - Allow iptables to read nsfs files. BZ(1296826)
parent
6d3ee17c0b
commit
4c488a69fa
Binary file not shown.
@ -35886,7 +35886,7 @@ index c42fbc3..bf211db 100644
|
||||
+ files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock")
|
||||
+')
|
||||
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
|
||||
index be8ed1e..660ef80 100644
|
||||
index be8ed1e..bce6063 100644
|
||||
--- a/policy/modules/system/iptables.te
|
||||
+++ b/policy/modules/system/iptables.te
|
||||
@@ -16,15 +16,18 @@ role iptables_roles types iptables_t;
|
||||
@ -35947,7 +35947,7 @@ index be8ed1e..660ef80 100644
|
||||
kernel_use_fds(iptables_t)
|
||||
|
||||
# needed by ipvsadm
|
||||
@@ -64,6 +74,8 @@ corenet_relabelto_all_packets(iptables_t)
|
||||
@@ -64,19 +74,23 @@ corenet_relabelto_all_packets(iptables_t)
|
||||
corenet_dontaudit_rw_tun_tap_dev(iptables_t)
|
||||
|
||||
dev_read_sysfs(iptables_t)
|
||||
@ -35956,7 +35956,9 @@ index be8ed1e..660ef80 100644
|
||||
|
||||
fs_getattr_xattr_fs(iptables_t)
|
||||
fs_search_auto_mountpoints(iptables_t)
|
||||
@@ -72,11 +84,12 @@ fs_list_inotifyfs(iptables_t)
|
||||
fs_list_inotifyfs(iptables_t)
|
||||
+fs_read_nsfs_files(iptables_t)
|
||||
|
||||
mls_file_read_all_levels(iptables_t)
|
||||
|
||||
term_dontaudit_use_console(iptables_t)
|
||||
@ -35971,7 +35973,7 @@ index be8ed1e..660ef80 100644
|
||||
|
||||
auth_use_nsswitch(iptables_t)
|
||||
|
||||
@@ -85,15 +98,14 @@ init_use_script_ptys(iptables_t)
|
||||
@@ -85,15 +99,14 @@ init_use_script_ptys(iptables_t)
|
||||
# to allow rules to be saved on reboot:
|
||||
init_rw_script_tmp_files(iptables_t)
|
||||
init_rw_script_stream_sockets(iptables_t)
|
||||
@ -35989,7 +35991,7 @@ index be8ed1e..660ef80 100644
|
||||
userdom_use_all_users_fds(iptables_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
@@ -102,6 +114,9 @@ ifdef(`hide_broken_symptoms',`
|
||||
@@ -102,6 +115,9 @@ ifdef(`hide_broken_symptoms',`
|
||||
|
||||
optional_policy(`
|
||||
fail2ban_append_log(iptables_t)
|
||||
@ -35999,7 +36001,7 @@ index be8ed1e..660ef80 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -110,6 +125,12 @@ optional_policy(`
|
||||
@@ -110,6 +126,12 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -36012,7 +36014,7 @@ index be8ed1e..660ef80 100644
|
||||
modutils_run_insmod(iptables_t, iptables_roles)
|
||||
')
|
||||
|
||||
@@ -124,6 +145,16 @@ optional_policy(`
|
||||
@@ -124,6 +146,16 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
psad_rw_tmp_files(iptables_t)
|
||||
@ -36029,7 +36031,7 @@ index be8ed1e..660ef80 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -135,9 +166,9 @@ optional_policy(`
|
||||
@@ -135,9 +167,9 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
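Review bot: The new `fs_read_nsfs_files(iptables_t)` grant in the iptables.te part of this patch has no comment explaining why iptables_t needs it, unlike nearby grants that carry one (`# needed by ipvsadm`, `# to allow rules to be saved on reboot:`). nsfs files are namespace handles, so a later auditor of the policy will want to know which caller triggered the denial; a line such as `# read namespace handles on nsfs, BZ(1296826)` above the call would record that. The grant is unconditional for the whole domain, and from the lines shown it is not possible to tell whether read alone matches the denial in the bug, so it is worth confirming against the AVC record. The surrounding iptables.te rules continue outside the hunks shown here.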
@ -108706,10 +108706,10 @@ index 3d11c6a..b19a117 100644
|
||||
|
||||
optional_policy(`
|
||||
diff --git a/virt.fc b/virt.fc
|
||||
index a4f20bc..374e8ef 100644
|
||||
index a4f20bc..58f9c69 100644
|
||||
--- a/virt.fc
|
||||
+++ b/virt.fc
|
||||
@@ -1,51 +1,101 @@
|
||||
@@ -1,51 +1,102 @@
|
||||
-HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
|
||||
-HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
|
||||
-HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
|
||||
@ -108762,6 +108762,7 @@ index a4f20bc..374e8ef 100644
|
||||
/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
|
||||
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
|
||||
+/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtd_exec_t,s0)
|
||||
+/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtd_exec_t,s0)
|
||||
+/usr/bin/virt-who -- gen_context(system_u:object_r:virtd_exec_t,s0)
|
||||
+/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
|
||||
+/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)
|
||||
|
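Review bot: Labelling `/usr/sbin/virtlogd` as `virtd_exec_t` puts the log daemon on the same entrypoint type as `/usr/sbin/libvirtd`, so it presumably runs with libvirtd's full domain rather than only what a log-handling daemon needs. The transition rules are not visible in this section, so that is inferred from the shared type; if it holds, a dedicated exec type and narrower domain for virtlogd would keep a flaw in the logger from inheriting libvirtd's access to guests and host devices. If the shared label is a deliberate stop-gap for BZ(1291940), a comment next to the entry saying so would help, e.g. `# virtlogd shares virtd_t until it gets its own domain`. The same applies to the `/usr/sbin/virtlockd` entry directly above it.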
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 167%{?dist}
|
||||
Release: 168%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -664,6 +664,10 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Jan 20 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-168
|
||||
- Label virtlogd binary as virtd_exec_t. BZ(1291940)
|
||||
- Allow iptables to read nsfs files. BZ(1296826)
|
||||
|
||||
* Mon Jan 18 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-167
|
||||
- Add fwupd policy for daemon to allow session software to update device firmware
|
||||
- Label /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck as ipa_helper_exec_t. BZ(1289930)
|
||||
|