* Fri Apr 08 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-182
- rename several contrib modules according to their filenames - Add interface gnome_filetrans_cert_home_content() - By default container domains should not be allowed to create devices - Allow unconfined_t to create ~/.local/share/networkmanagement/certificates/ as home_cert_t instead of data_home_t. - Allow systemd_resolved_t to read /etc/passwd file. Allow systemd_resolved_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used - Allow systemd gpt generator to read removable devices. BZ(1323458) - Allow systemd_gpt_generator_t sys_rawio capability. This access is needed to allow systemd gpt generator various device commands BZ(1323454)
This commit is contained in:
parent
c1300100ed
commit
4c61782def
Binary file not shown.
@ -26525,10 +26525,10 @@ index 0000000..03faeac
|
||||
+
|
||||
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
|
||||
new file mode 100644
|
||||
index 0000000..31076d7
|
||||
index 0000000..bca9f3c
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/roles/unconfineduser.te
|
||||
@@ -0,0 +1,345 @@
|
||||
@@ -0,0 +1,349 @@
|
||||
+policy_module(unconfineduser, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -26766,6 +26766,10 @@ index 0000000..31076d7
|
||||
+ gnome_command_domtrans_gkeyringd(unconfined_dbusd_t,unconfined_t)
|
||||
+ ')
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ gnome_filetrans_cert_home_content(unconfined_t)
|
||||
+ ')
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ ipsec_mgmt_dbus_chat(unconfined_t)
|
||||
+ ')
|
||||
@ -48023,10 +48027,10 @@ index 0000000..3380372
|
||||
+')
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
new file mode 100644
|
||||
index 0000000..d8fdd7b
|
||||
index 0000000..6c16f21
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -0,0 +1,920 @@
|
||||
@@ -0,0 +1,928 @@
|
||||
+policy_module(systemd, 1.0.0)
|
||||
+
|
||||
+#######################################
|
||||
@ -48870,11 +48874,14 @@ index 0000000..d8fdd7b
|
||||
+# systemd_gpt_generator domain
|
||||
+#
|
||||
+
|
||||
+allow systemd_gpt_generator_t self:capability sys_rawio;
|
||||
+
|
||||
+dev_read_sysfs(systemd_gpt_generator_t)
|
||||
+dev_write_kmsg(systemd_gpt_generator_t)
|
||||
+dev_read_nvme(systemd_gpt_generator_t)
|
||||
+
|
||||
+storage_raw_read_fixed_disk(systemd_gpt_generator_t)
|
||||
+storage_raw_read_removable_device(systemd_gpt_generator_t)
|
||||
+
|
||||
+allow systemd_gpt_generator_t systemd_gpt_generator_unit_file_t:file manage_file_perms;
|
||||
+systemd_unit_file_filetrans(systemd_gpt_generator_t, systemd_gpt_generator_unit_file_t, file)
|
||||
@ -48889,6 +48896,7 @@ index 0000000..d8fdd7b
|
||||
+allow systemd_resolved_t self:capability { chown setgid setpcap setuid };
|
||||
+allow systemd_resolved_t self:process setcap;
|
||||
+allow systemd_resolved_t self:tcp_socket { accept listen };
|
||||
+allow systemd_resolved_t self:unix_dgram_socket create_socket_perms;
|
||||
+
|
||||
+manage_dirs_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
|
||||
+manage_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
|
||||
@ -48899,9 +48907,13 @@ index 0000000..d8fdd7b
|
||||
+
|
||||
+kernel_dgram_send(systemd_resolved_t)
|
||||
+
|
||||
+auth_read_passwd(systemd_resolved_t)
|
||||
+
|
||||
+corenet_tcp_bind_llmnr_port(systemd_resolved_t)
|
||||
+corenet_udp_bind_llmnr_port(systemd_resolved_t)
|
||||
+
|
||||
+dev_write_kmsg(systemd_resolved_t)
|
||||
+
|
||||
+sysnet_manage_config(systemd_resolved_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
|
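Review bot: The new `allow systemd_gpt_generator_t self:capability sys_rawio;` line in the systemd.te hunk carries no inline justification, although the commit message ties it to a bug report; sys_rawio is one of the broadest capabilities a domain can hold, so the reason should sit next to the rule where the next policy audit will look for it. Proposed comment above the rule: `# sys_rawio: needed for the gpt generator's device commands (BZ 1323454)`. The same applies to `auth_read_passwd(systemd_resolved_t)` and `dev_write_kmsg(systemd_resolved_t)` further down the section, which the commit message explains (`systemd.log_target=kmsg`) but the policy text does not, e.g. `# kmsg write: used when booted with systemd.log_target=kmsg`. The systemd_gpt_generator and systemd_resolved domain blocks begin and end outside the shown hunks.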
@ -31776,11 +31776,11 @@ index 0000000..fc9bf19
|
||||
+
|
||||
diff --git a/glusterd.te b/glusterd.te
|
||||
new file mode 100644
|
||||
index 0000000..b974353
|
||||
index 0000000..74ec2fd
|
||||
--- /dev/null
|
||||
+++ b/glusterd.te
|
||||
@@ -0,0 +1,295 @@
|
||||
+policy_module(glusterfs, 1.1.2)
|
||||
+policy_module(glusterd, 1.1.3)
|
||||
+
|
||||
+## <desc>
|
||||
+## <p>
|
||||
@ -32360,7 +32360,7 @@ index e39de43..5edcb83 100644
|
||||
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
|
||||
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
|
||||
diff --git a/gnome.if b/gnome.if
|
||||
index ab09d61..0734f6b 100644
|
||||
index ab09d61..980f1f6 100644
|
||||
--- a/gnome.if
|
||||
+++ b/gnome.if
|
||||
@@ -1,52 +1,76 @@
|
||||
@ -33409,7 +33409,7 @@ index ab09d61..0734f6b 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -706,12 +815,985 @@ interface(`gnome_stream_connect_gkeyringd',`
|
||||
@@ -706,12 +815,1003 @@ interface(`gnome_stream_connect_gkeyringd',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -34318,6 +34318,24 @@ index ab09d61..0734f6b 100644
|
||||
+ gnome_cache_filetrans($1, config_home_t, dir, "dconf")
|
||||
+')
|
||||
+
|
||||
+######################################
|
||||
+## <summary>
|
||||
+## File name transition for generic home content files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`gnome_filetrans_cert_home_content',`
|
||||
+ gen_require(`
|
||||
+ type home_cert_t;
|
||||
+ ')
|
||||
+
|
||||
+ gnome_data_filetrans($1, home_cert_t, dir, "certificates")
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Create gnome directory in the /root directory
|
||||
@ -67157,9 +67175,15 @@ index bf59ef7..0e33327 100644
|
||||
+')
|
||||
+
|
||||
diff --git a/passenger.te b/passenger.te
|
||||
index 08ec33b..3b92c4d 100644
|
||||
index 08ec33b..3ad995c 100644
|
||||
--- a/passenger.te
|
||||
+++ b/passenger.te
|
||||
@@ -1,4 +1,4 @@
|
||||
-policy_module(passanger, 1.1.1)
|
||||
+policy_module(passenger, 1.1.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -14,6 +14,9 @@ role system_r types passenger_t;
|
||||
type passenger_log_t;
|
||||
logging_log_file(passenger_log_t)
|
||||
@ -87969,11 +87993,11 @@ index 0000000..0be4cee
|
||||
+')
|
||||
diff --git a/rkhunter.te b/rkhunter.te
|
||||
new file mode 100644
|
||||
index 0000000..aa2d09e
|
||||
index 0000000..44de480
|
||||
--- /dev/null
|
||||
+++ b/rkhunter.te
|
||||
@@ -0,0 +1,4 @@
|
||||
+policy_module(rhhunter, 1.0)
|
||||
+policy_module(rkhunter, 1.1)
|
||||
+
|
||||
+type rkhunter_var_lib_t;
|
||||
+files_type(rkhunter_var_lib_t)
|
||||
@ -103246,11 +103270,11 @@ index 0000000..80c6480
|
||||
+')
|
||||
diff --git a/stapserver.te b/stapserver.te
|
||||
new file mode 100644
|
||||
index 0000000..bc92f68
|
||||
index 0000000..e847ea3
|
||||
--- /dev/null
|
||||
+++ b/stapserver.te
|
||||
@@ -0,0 +1,114 @@
|
||||
+policy_module(systemtap, 1.1.0)
|
||||
+policy_module(stapserver, 1.1.1)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
@ -111647,7 +111671,7 @@ index facdee8..816d860 100644
|
||||
+ ps_process_pattern(virtd_t, $1)
|
||||
')
|
||||
diff --git a/virt.te b/virt.te
|
||||
index f03dcf5..2a1d3e5 100644
|
||||
index f03dcf5..5e41cd6 100644
|
||||
--- a/virt.te
|
||||
+++ b/virt.te
|
||||
@@ -1,451 +1,395 @@
|
||||
@ -113207,7 +113231,7 @@ index f03dcf5..2a1d3e5 100644
|
||||
selinux_get_enforce_mode(virtd_lxc_t)
|
||||
selinux_get_fs_mount(virtd_lxc_t)
|
||||
selinux_validate_context(virtd_lxc_t)
|
||||
@@ -974,194 +1237,355 @@ selinux_compute_create_context(virtd_lxc_t)
|
||||
@@ -974,194 +1237,354 @@ selinux_compute_create_context(virtd_lxc_t)
|
||||
selinux_compute_relabel_context(virtd_lxc_t)
|
||||
selinux_compute_user_contexts(virtd_lxc_t)
|
||||
|
||||
@ -113290,7 +113314,6 @@ index f03dcf5..2a1d3e5 100644
|
||||
+manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
||||
+manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
||||
+manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
||||
+manage_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
||||
+allow svirt_sandbox_domain svirt_sandbox_file_t:file { execmod relabelfrom relabelto };
|
||||
+allow svirt_sandbox_domain svirt_sandbox_file_t:dir { execmod relabelfrom relabelto };
|
||||
+virt_mounton_sandbox_file(svirt_sandbox_domain)
|
||||
@ -113704,7 +113727,7 @@ index f03dcf5..2a1d3e5 100644
|
||||
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
|
||||
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
|
||||
@@ -1174,12 +1598,12 @@ dev_read_sysfs(virt_qmf_t)
|
||||
@@ -1174,12 +1597,12 @@ dev_read_sysfs(virt_qmf_t)
|
||||
dev_read_rand(virt_qmf_t)
|
||||
dev_read_urand(virt_qmf_t)
|
||||
|
||||
@ -113719,7 +113742,7 @@ index f03dcf5..2a1d3e5 100644
|
||||
sysnet_read_config(virt_qmf_t)
|
||||
|
||||
optional_policy(`
|
||||
@@ -1192,7 +1616,7 @@ optional_policy(`
|
||||
@@ -1192,7 +1615,7 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -113728,7 +113751,7 @@ index f03dcf5..2a1d3e5 100644
|
||||
#
|
||||
|
||||
allow virt_bridgehelper_t self:process { setcap getcap };
|
||||
@@ -1201,11 +1625,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
||||
@@ -1201,11 +1624,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
||||
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
|
||||
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
|
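Review bot: The summary of the new `gnome_filetrans_cert_home_content` interface in the gnome.if hunk, `## File name transition for generic home content files.`, states neither what the interface does nor the label it assigns; the body transitions a directory named "certificates" to home_cert_t through `gnome_data_filetrans`. Suggested replacement: `## File name transition for the "certificates" directory in gnome data home content, labeled home_cert_t.` Describing the resulting label matters here because home_cert_t is a more specific type than the surrounding data_home_t and policy writers pick interfaces by their summaries. The `#` rule line above the summary also appears shorter than the one used by the neighbouring interfaces in the same hunk.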
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 181%{?dist}
|
||||
Release: 182%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -653,6 +653,15 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Apr 08 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-182
|
||||
- rename several contrib modules according to their filenames
|
||||
- Add interface gnome_filetrans_cert_home_content()
|
||||
- By default container domains should not be allowed to create devices
|
||||
- Allow unconfined_t to create ~/.local/share/networkmanagement/certificates/ as home_cert_t instead of data_home_t.
|
||||
- Allow systemd_resolved_t to read /etc/passwd file. Allow systemd_resolved_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used
|
||||
- Allow systemd gpt generator to read removable devices. BZ(1323458)
|
||||
- Allow systemd_gpt_generator_t sys_rawio capability. This access is needed to allow systemd gpt generator various device commands BZ(1323454)
|
||||
|
||||
* Fri Apr 01 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-181
|
||||
- Label /usr/libexec/rpm-ostreed as rpm_exec_t. BZ(1309075)
|
||||
- /bin/mailx is labeled sendmail_exec_t, and enters the sendmail_t domain on execution. If /usr/sbin/sendmail does not have its own domain to transition to, and is not one of several products whose behavior is allowed by the sendmail_t policy, execution will fail. In this case we need to label /bin/mailx as bin_t. BZ(1323224)
|
||||
|