* Wed Jan 20 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-168
- Label virtlogd binary as virtd_exec_t. BZ(1291940) - Allow iptables to read nsfs files. BZ(1296826)
This commit is contained in:
parent
6d3ee17c0b
commit
4c488a69fa
Binary file not shown.
@ -35886,7 +35886,7 @@ index c42fbc3..bf211db 100644
|
|||||||
+ files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock")
|
+ files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock")
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
|
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
|
||||||
index be8ed1e..660ef80 100644
|
index be8ed1e..bce6063 100644
|
||||||
--- a/policy/modules/system/iptables.te
|
--- a/policy/modules/system/iptables.te
|
||||||
+++ b/policy/modules/system/iptables.te
|
+++ b/policy/modules/system/iptables.te
|
||||||
@@ -16,15 +16,18 @@ role iptables_roles types iptables_t;
|
@@ -16,15 +16,18 @@ role iptables_roles types iptables_t;
|
||||||
@ -35947,7 +35947,7 @@ index be8ed1e..660ef80 100644
|
|||||||
kernel_use_fds(iptables_t)
|
kernel_use_fds(iptables_t)
|
||||||
|
|
||||||
# needed by ipvsadm
|
# needed by ipvsadm
|
||||||
@@ -64,6 +74,8 @@ corenet_relabelto_all_packets(iptables_t)
|
@@ -64,19 +74,23 @@ corenet_relabelto_all_packets(iptables_t)
|
||||||
corenet_dontaudit_rw_tun_tap_dev(iptables_t)
|
corenet_dontaudit_rw_tun_tap_dev(iptables_t)
|
||||||
|
|
||||||
dev_read_sysfs(iptables_t)
|
dev_read_sysfs(iptables_t)
|
||||||
@ -35956,7 +35956,9 @@ index be8ed1e..660ef80 100644
|
|||||||
|
|
||||||
fs_getattr_xattr_fs(iptables_t)
|
fs_getattr_xattr_fs(iptables_t)
|
||||||
fs_search_auto_mountpoints(iptables_t)
|
fs_search_auto_mountpoints(iptables_t)
|
||||||
@@ -72,11 +84,12 @@ fs_list_inotifyfs(iptables_t)
|
fs_list_inotifyfs(iptables_t)
|
||||||
|
+fs_read_nsfs_files(iptables_t)
|
||||||
|
|
||||||
mls_file_read_all_levels(iptables_t)
|
mls_file_read_all_levels(iptables_t)
|
||||||
|
|
||||||
term_dontaudit_use_console(iptables_t)
|
term_dontaudit_use_console(iptables_t)
|
||||||
@ -35971,7 +35973,7 @@ index be8ed1e..660ef80 100644
|
|||||||
|
|
||||||
auth_use_nsswitch(iptables_t)
|
auth_use_nsswitch(iptables_t)
|
||||||
|
|
||||||
@@ -85,15 +98,14 @@ init_use_script_ptys(iptables_t)
|
@@ -85,15 +99,14 @@ init_use_script_ptys(iptables_t)
|
||||||
# to allow rules to be saved on reboot:
|
# to allow rules to be saved on reboot:
|
||||||
init_rw_script_tmp_files(iptables_t)
|
init_rw_script_tmp_files(iptables_t)
|
||||||
init_rw_script_stream_sockets(iptables_t)
|
init_rw_script_stream_sockets(iptables_t)
|
||||||
@ -35989,7 +35991,7 @@ index be8ed1e..660ef80 100644
|
|||||||
userdom_use_all_users_fds(iptables_t)
|
userdom_use_all_users_fds(iptables_t)
|
||||||
|
|
||||||
ifdef(`hide_broken_symptoms',`
|
ifdef(`hide_broken_symptoms',`
|
||||||
@@ -102,6 +114,9 @@ ifdef(`hide_broken_symptoms',`
|
@@ -102,6 +115,9 @@ ifdef(`hide_broken_symptoms',`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
fail2ban_append_log(iptables_t)
|
fail2ban_append_log(iptables_t)
|
||||||
@ -35999,7 +36001,7 @@ index be8ed1e..660ef80 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -110,6 +125,12 @@ optional_policy(`
|
@@ -110,6 +126,12 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -36012,7 +36014,7 @@ index be8ed1e..660ef80 100644
|
|||||||
modutils_run_insmod(iptables_t, iptables_roles)
|
modutils_run_insmod(iptables_t, iptables_roles)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -124,6 +145,16 @@ optional_policy(`
|
@@ -124,6 +146,16 @@ optional_policy(`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
psad_rw_tmp_files(iptables_t)
|
psad_rw_tmp_files(iptables_t)
|
||||||
@ -36029,7 +36031,7 @@ index be8ed1e..660ef80 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -135,9 +166,9 @@ optional_policy(`
|
@@ -135,9 +167,9 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
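Review bot: The added `+fs_read_nsfs_files(iptables_t)` in the merged `@@ -64,19 +74,23 @@` hunk carries no comment, so the policy module itself never records why iptables needs the /proc/<pid>/ns/* namespace handles; the only justification is the changelog entry for BZ(1296826) in the spec. Assuming the interface grants read on a single nsfs type rather than one partitioned per owning process, this lets iptables_t open the namespace handle of any process on the host, which is defensible for a root-run netfilter tool but should be stated at the rule, e.g. `# open /proc/<pid>/ns/* handles (nsfs); BZ(1296826)` placed directly above `fs_read_nsfs_files(iptables_t)`. The hunk merge looks consistent (6+11 old lines plus the two inner context lines make 19, and the later hunk offsets shift by one), and the rule keeps the existing alphabetical order after `fs_list_inotifyfs`.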
@ -108706,10 +108706,10 @@ index 3d11c6a..b19a117 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
diff --git a/virt.fc b/virt.fc
|
diff --git a/virt.fc b/virt.fc
|
||||||
index a4f20bc..374e8ef 100644
|
index a4f20bc..58f9c69 100644
|
||||||
--- a/virt.fc
|
--- a/virt.fc
|
||||||
+++ b/virt.fc
|
+++ b/virt.fc
|
||||||
@@ -1,51 +1,101 @@
|
@@ -1,51 +1,102 @@
|
||||||
-HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
|
-HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
|
||||||
-HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
|
-HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
|
||||||
-HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
|
-HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
|
||||||
@ -108762,6 +108762,7 @@ index a4f20bc..374e8ef 100644
|
|||||||
/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
|
/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
|
||||||
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
|
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
|
||||||
+/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtd_exec_t,s0)
|
+/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtd_exec_t,s0)
|
||||||
|
+/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtd_exec_t,s0)
|
||||||
+/usr/bin/virt-who -- gen_context(system_u:object_r:virtd_exec_t,s0)
|
+/usr/bin/virt-who -- gen_context(system_u:object_r:virtd_exec_t,s0)
|
||||||
+/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
|
+/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
|
||||||
+/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)
|
+/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)
|
||||||
|
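Review bot: `+/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtd_exec_t,s0)` gives the log daemon the libvirtd entrypoint type, so virtlogd will transition into virtd_t with the full daemon's permission set, exactly as the existing virtlockd line above already does. A helper whose role is confined to guest log handling presumably needs far less than virtd_t, so reusing the daemon's exec type trades least privilege for a quick fix; a dedicated domain and exec type for these helpers would be the better long-term shape. At minimum the reuse should be recorded as deliberate, e.g. `# virtlogd/virtlockd run in virtd_t until they get a dedicated domain` above the virtlockd line. The inner hunk count bump `@@ -1,51 +1,102 @@` matches the single added line.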
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.13.1
|
Version: 3.13.1
|
||||||
Release: 167%{?dist}
|
Release: 168%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -664,6 +664,10 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jan 20 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-168
|
||||||
|
- Label virtlogd binary as virtd_exec_t. BZ(1291940)
|
||||||
|
- Allow iptables to read nsfs files. BZ(1296826)
|
||||||
|
|
||||||
* Mon Jan 18 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-167
|
* Mon Jan 18 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-167
|
||||||
- Add fwupd policy for daemon to allow session software to update device firmware
|
- Add fwupd policy for daemon to allow session software to update device firmware
|
||||||
- Label /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck as ipa_helper_exec_t. BZ(1289930)
|
- Label /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck as ipa_helper_exec_t. BZ(1289930)
|
||||||
|