- Fix openshift_search_lib
- Add support for abrt-uefioops-oops - Allow colord to getattr any file system - Allow chrome processes to look at each other - Allow sys_ptrace for abrt_t - Add new policy for gssproxy - Dontaudit leaked file descriptor writes from firewalld - openshift_net_type is interface not template - Dontaudit pppd to search gnome config - Update openshift_search_lib() interface - Add fs_list_pstorefs() - Fix label on libbcm_host.so since it is built incorrectly on raspberry pi, needs back port to F18 - Better labels for raspberry pi devices - Allow init to create devpts_t directory - Temporarily label raspberry pi devices as memory_device_t, needs back port to f18 - Allow sysadm_t to build kernels - Make sure mount creates /var/run/blkid with the correct label, needs back port to F18 - Allow userdomains to stream connect to gssproxy - Dontaudit leaked file descriptor writes from firewalld - Allow xserver to read /dev/urandom - Add additional fixes for ipsec-mgmt - Make SSHing into an Openshift Enterprise Node work
parent
88eb5b40ad
commit
574431f1a2
File diff suppressed because it is too large
@ -1,8 +1,8 @@
|
|||||||
diff --git a/abrt.fc b/abrt.fc
|
diff --git a/abrt.fc b/abrt.fc
|
||||||
index e4f84de..ad5a65f 100644
|
index e4f84de..4e4cbd4 100644
|
||||||
--- a/abrt.fc
|
--- a/abrt.fc
|
||||||
+++ b/abrt.fc
|
+++ b/abrt.fc
|
||||||
@@ -1,30 +1,39 @@
|
@@ -1,30 +1,40 @@
|
||||||
-/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
|
-/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
|
||||||
-/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
|
-/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
|
||||||
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
|
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
|
||||||
@ -15,6 +15,7 @@ index e4f84de..ad5a65f 100644
|
|||||||
+/usr/lib/systemd/system/abrt.* -- gen_context(system_u:object_r:abrt_unit_file_t,s0)
|
+/usr/lib/systemd/system/abrt.* -- gen_context(system_u:object_r:abrt_unit_file_t,s0)
|
||||||
+
|
+
|
||||||
+/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
|
+/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
|
||||||
|
+/usr/bin/abrt-uefioops-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
|
||||||
+/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
|
+/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
|
||||||
+/usr/bin/abrt-watch-log -- gen_context(system_u:object_r:abrt_watch_log_exec_t,s0)
|
+/usr/bin/abrt-watch-log -- gen_context(system_u:object_r:abrt_watch_log_exec_t,s0)
|
||||||
+
|
+
|
||||||
@ -517,7 +518,7 @@ index 058d908..702b716 100644
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
diff --git a/abrt.te b/abrt.te
|
diff --git a/abrt.te b/abrt.te
|
||||||
index cc43d25..ffbe9e5 100644
|
index cc43d25..5e60ff3 100644
|
||||||
--- a/abrt.te
|
--- a/abrt.te
|
||||||
+++ b/abrt.te
|
+++ b/abrt.te
|
||||||
@@ -1,4 +1,4 @@
|
@@ -1,4 +1,4 @@
|
||||||
@ -666,7 +667,8 @@ index cc43d25..ffbe9e5 100644
|
|||||||
+# abrt local policy
|
+# abrt local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
|
-allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
|
||||||
|
+allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_ptrace };
|
||||||
dontaudit abrt_t self:capability sys_rawio;
|
dontaudit abrt_t self:capability sys_rawio;
|
||||||
allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
|
allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
|
||||||
+
|
+
|
||||||
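Review bot: The new `allow abrt_t self:capability { ... sys_ptrace };` line grants the capability unconditionally and carries no comment saying which abrt operation hit the denial. The commit message only says "Allow sys_ptrace for abrt_t", so a later reader cannot tell whether this is for reading `/proc/<pid>` entries of a crashed process or for attaching to one; I would add a line such as `# sys_ptrace: abrt reads /proc/<pid> state of the crashing process (record the AVC here)` once that is confirmed. No `process ptrace` permission appears in the visible lines, but the rest of abrt.te is outside this hunk, so it is worth checking that the capability is not paired with a broad `ptrace` rule elsewhere.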
@ -939,7 +941,7 @@ index cc43d25..ffbe9e5 100644
|
|||||||
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
|
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
|
||||||
|
|
||||||
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
|
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
|
||||||
@@ -352,30 +410,38 @@ corecmd_exec_shell(abrt_retrace_worker_t)
|
@@ -352,46 +410,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
|
||||||
|
|
||||||
dev_read_urand(abrt_retrace_worker_t)
|
dev_read_urand(abrt_retrace_worker_t)
|
||||||
|
|
||||||
@ -981,8 +983,10 @@ index cc43d25..ffbe9e5 100644
|
|||||||
kernel_read_kernel_sysctls(abrt_dump_oops_t)
|
kernel_read_kernel_sysctls(abrt_dump_oops_t)
|
||||||
kernel_read_ring_buffer(abrt_dump_oops_t)
|
kernel_read_ring_buffer(abrt_dump_oops_t)
|
||||||
|
|
||||||
@@ -384,14 +450,15 @@ domain_use_interactive_fds(abrt_dump_oops_t)
|
domain_use_interactive_fds(abrt_dump_oops_t)
|
||||||
|
|
||||||
fs_list_inotifyfs(abrt_dump_oops_t)
|
fs_list_inotifyfs(abrt_dump_oops_t)
|
||||||
|
+fs_list_pstorefs(abrt_dump_oops_t)
|
||||||
|
|
||||||
logging_read_generic_logs(abrt_dump_oops_t)
|
logging_read_generic_logs(abrt_dump_oops_t)
|
||||||
+logging_send_syslog_msg(abrt_dump_oops_t)
|
+logging_send_syslog_msg(abrt_dump_oops_t)
|
||||||
@ -999,7 +1003,7 @@ index cc43d25..ffbe9e5 100644
|
|||||||
|
|
||||||
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
|
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
|
||||||
|
|
||||||
@@ -400,16 +467,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
|
@@ -400,16 +468,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
|
||||||
corecmd_exec_bin(abrt_watch_log_t)
|
corecmd_exec_bin(abrt_watch_log_t)
|
||||||
|
|
||||||
logging_read_all_logs(abrt_watch_log_t)
|
logging_read_all_logs(abrt_watch_log_t)
|
||||||
@ -10385,10 +10389,10 @@ index 0000000..5977d96
|
|||||||
+')
|
+')
|
||||||
diff --git a/chrome.te b/chrome.te
|
diff --git a/chrome.te b/chrome.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..ba0a059
|
index 0000000..f4a8884
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/chrome.te
|
+++ b/chrome.te
|
||||||
@@ -0,0 +1,236 @@
|
@@ -0,0 +1,237 @@
|
||||||
+policy_module(chrome,1.0.0)
|
+policy_module(chrome,1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -10596,6 +10600,7 @@ index 0000000..ba0a059
|
|||||||
+
|
+
|
||||||
+domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t)
|
+domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t)
|
||||||
+ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t)
|
+ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t)
|
||||||
|
+ps_process_pattern(chrome_sandbox_nacl_t, chrome_sandbox_t)
|
||||||
+
|
+
|
||||||
+manage_dirs_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
|
+manage_dirs_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
|
||||||
+manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
|
+manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
|
||||||
@ -12168,7 +12173,7 @@ index 8e27a37..825f537 100644
|
|||||||
+ ps_process_pattern($1, colord_t)
|
+ ps_process_pattern($1, colord_t)
|
||||||
+')
|
+')
|
||||||
diff --git a/colord.te b/colord.te
|
diff --git a/colord.te b/colord.te
|
||||||
index 09f18e2..f0cade4 100644
|
index 09f18e2..9d70983 100644
|
||||||
--- a/colord.te
|
--- a/colord.te
|
||||||
+++ b/colord.te
|
+++ b/colord.te
|
||||||
@@ -8,6 +8,7 @@ policy_module(colord, 1.0.2)
|
@@ -8,6 +8,7 @@ policy_module(colord, 1.0.2)
|
||||||
@ -12219,8 +12224,9 @@ index 09f18e2..f0cade4 100644
|
|||||||
files_list_mnt(colord_t)
|
files_list_mnt(colord_t)
|
||||||
-files_read_usr_files(colord_t)
|
-files_read_usr_files(colord_t)
|
||||||
|
|
||||||
fs_getattr_noxattr_fs(colord_t)
|
-fs_getattr_noxattr_fs(colord_t)
|
||||||
-fs_getattr_tmpfs(colord_t)
|
-fs_getattr_tmpfs(colord_t)
|
||||||
|
+fs_getattr_all_fs(colord_t)
|
||||||
fs_list_noxattr_fs(colord_t)
|
fs_list_noxattr_fs(colord_t)
|
||||||
fs_read_noxattr_fs_files(colord_t)
|
fs_read_noxattr_fs_files(colord_t)
|
||||||
fs_search_all(colord_t)
|
fs_search_all(colord_t)
|
||||||
@ -22900,7 +22906,7 @@ index 21d7b84..0e272bd 100644
|
|||||||
|
|
||||||
/etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
|
/etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
|
||||||
diff --git a/firewalld.if b/firewalld.if
|
diff --git a/firewalld.if b/firewalld.if
|
||||||
index 5cf6ac6..839999e 100644
|
index 5cf6ac6..62547ee 100644
|
||||||
--- a/firewalld.if
|
--- a/firewalld.if
|
||||||
+++ b/firewalld.if
|
+++ b/firewalld.if
|
||||||
@@ -2,6 +2,66 @@
|
@@ -2,6 +2,66 @@
|
||||||
@ -22970,18 +22976,37 @@ index 5cf6ac6..839999e 100644
|
|||||||
## Send and receive messages from
|
## Send and receive messages from
|
||||||
## firewalld over dbus.
|
## firewalld over dbus.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -23,8 +83,8 @@ interface(`firewalld_dbus_chat',`
|
@@ -23,8 +83,27 @@ interface(`firewalld_dbus_chat',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
-## All of the rules required to
|
-## All of the rules required to
|
||||||
-## administrate an firewalld environment.
|
-## administrate an firewalld environment.
|
||||||
|
+## Dontaudit attempts to write
|
||||||
|
+## firewalld tmp files.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain to not audit.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`firewalld_dontaudit_write_tmp_files',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type firewalld_tmp_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ dontaudit $1 firewalld_tmp_t:file write;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
+## All of the rules required to administrate
|
+## All of the rules required to administrate
|
||||||
+## an firewalld environment
|
+## an firewalld environment
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -45,10 +105,14 @@ interface(`firewalld_admin',`
|
@@ -45,10 +124,14 @@ interface(`firewalld_admin',`
|
||||||
type firewalld_var_log_t;
|
type firewalld_var_log_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
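Review bot: `firewalld_dontaudit_write_tmp_files` silences every denied write by the calling domain to `firewalld_tmp_t` files, not only writes through an inherited descriptor, and the interface summary does not say that the intent is the leaked-descriptor case named in the commit message. Because a dontaudit rule removes the AVC record, a genuine write attempt from a caller of this interface would leave no audit trace. I would extend the summary to something like `## Dontaudit attempts to write firewalld tmp files (leaked file descriptors).` and keep the set of callers small; `semodule -DB` temporarily disables dontaudit rules when the denials need to be seen.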
@ -22998,7 +23023,7 @@ index 5cf6ac6..839999e 100644
|
|||||||
domain_system_change_exemption($1)
|
domain_system_change_exemption($1)
|
||||||
role_transition $2 firewalld_initrc_exec_t system_r;
|
role_transition $2 firewalld_initrc_exec_t system_r;
|
||||||
allow $2 system_r;
|
allow $2 system_r;
|
||||||
@@ -59,6 +123,9 @@ interface(`firewalld_admin',`
|
@@ -59,6 +142,9 @@ interface(`firewalld_admin',`
|
||||||
logging_search_logs($1)
|
logging_search_logs($1)
|
||||||
admin_pattern($1, firewalld_var_log_t)
|
admin_pattern($1, firewalld_var_log_t)
|
||||||
|
|
||||||
@ -28202,6 +28227,298 @@ index 25f09ae..3085534 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
chronyd_rw_shm(gpsd_t)
|
chronyd_rw_shm(gpsd_t)
|
||||||
chronyd_stream_connect(gpsd_t)
|
chronyd_stream_connect(gpsd_t)
|
||||||
|
diff --git a/gssproxy.fc b/gssproxy.fc
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..404ae4f
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/gssproxy.fc
|
||||||
|
@@ -0,0 +1,7 @@
|
||||||
|
+/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_file_t,s0)
|
||||||
|
+
|
||||||
|
+/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0)
|
||||||
|
+
|
||||||
|
+/var/lib/gssproxy(/.*)? gen_context(system_u:object_r:gssproxy_var_lib_t,s0)
|
||||||
|
+
|
||||||
|
+/var/run/gssproxy.pid -- gen_context(system_u:object_r:gssproxy_var_run_t,s0)
|
||||||
|
diff --git a/gssproxy.if b/gssproxy.if
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..072ddb0
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/gssproxy.if
|
||||||
|
@@ -0,0 +1,203 @@
|
||||||
|
+
|
||||||
|
+## <summary>policy for gssproxy</summary>
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Execute TEMPLATE in the gssproxy domin.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed to transition.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`gssproxy_domtrans',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type gssproxy_t, gssproxy_exec_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ corecmd_search_bin($1)
|
||||||
|
+ domtrans_pattern($1, gssproxy_exec_t, gssproxy_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Search gssproxy lib directories.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`gssproxy_search_lib',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type gssproxy_var_lib_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 gssproxy_var_lib_t:dir search_dir_perms;
|
||||||
|
+ files_search_var_lib($1)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Read gssproxy lib files.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`gssproxy_read_lib_files',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type gssproxy_var_lib_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ files_search_var_lib($1)
|
||||||
|
+ read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Manage gssproxy lib files.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`gssproxy_manage_lib_files',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type gssproxy_var_lib_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ files_search_var_lib($1)
|
||||||
|
+ manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Manage gssproxy lib directories.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`gssproxy_manage_lib_dirs',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type gssproxy_var_lib_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ files_search_var_lib($1)
|
||||||
|
+ manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Read gssproxy PID files.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`gssproxy_read_pid_files',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type gssproxy_var_run_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ files_search_pids($1)
|
||||||
|
+ read_files_pattern($1, gssproxy_var_run_t, gssproxy_var_run_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Execute gssproxy server in the gssproxy domain.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed to transition.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`gssproxy_systemctl',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type gssproxy_t;
|
||||||
|
+ type gssproxy_unit_file_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ systemd_exec_systemctl($1)
|
||||||
|
+ systemd_read_fifo_file_password_run($1)
|
||||||
|
+ allow $1 gssproxy_unit_file_t:file read_file_perms;
|
||||||
|
+ allow $1 gssproxy_unit_file_t:service manage_service_perms;
|
||||||
|
+
|
||||||
|
+ ps_process_pattern($1, gssproxy_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Connect to gssproxy over an unix
|
||||||
|
+## domain stream socket.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`gssproxy_stream_connect',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type gssproxy_t, gssproxy_var_run_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ files_search_pids($1)
|
||||||
|
+ stream_connect_pattern($1, gssproxy_var_run_t, gssproxy_var_run_t, gssproxy_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## All of the rules required to administrate
|
||||||
|
+## an gssproxy environment
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+## <param name="role">
|
||||||
|
+## <summary>
|
||||||
|
+## Role allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+## <rolecap/>
|
||||||
|
+#
|
||||||
|
+interface(`gssproxy_admin',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type gssproxy_t;
|
||||||
|
+ type gssproxy_var_lib_t;
|
||||||
|
+ type gssproxy_var_run_t;
|
||||||
|
+ type gssproxy_unit_file_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 gssproxy_t:process { ptrace signal_perms };
|
||||||
|
+ ps_process_pattern($1, gssproxy_t)
|
||||||
|
+
|
||||||
|
+ files_search_var_lib($1)
|
||||||
|
+ admin_pattern($1, gssproxy_var_lib_t)
|
||||||
|
+
|
||||||
|
+ files_search_pids($1)
|
||||||
|
+ admin_pattern($1, gssproxy_var_run_t)
|
||||||
|
+
|
||||||
|
+ gssproxy_systemctl($1)
|
||||||
|
+ admin_pattern($1, gssproxy_unit_file_t)
|
||||||
|
+ allow $1 gssproxy_unit_file_t:service all_service_perms;
|
||||||
|
+ optional_policy(`
|
||||||
|
+ systemd_passwd_agent_exec($1)
|
||||||
|
+ systemd_read_fifo_file_passwd_run($1)
|
||||||
|
+ ')
|
||||||
|
+')
|
||||||
|
diff --git a/gssproxy.te b/gssproxy.te
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..6f0253c
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/gssproxy.te
|
||||||
|
@@ -0,0 +1,64 @@
|
||||||
|
+policy_module(gssproxy, 1.0.0)
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+#
|
||||||
|
+# Declarations
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+type gssproxy_t;
|
||||||
|
+type gssproxy_exec_t;
|
||||||
|
+init_daemon_domain(gssproxy_t, gssproxy_exec_t)
|
||||||
|
+
|
||||||
|
+type gssproxy_var_lib_t;
|
||||||
|
+files_type(gssproxy_var_lib_t)
|
||||||
|
+
|
||||||
|
+type gssproxy_var_run_t;
|
||||||
|
+files_pid_file(gssproxy_var_run_t)
|
||||||
|
+
|
||||||
|
+type gssproxy_unit_file_t;
|
||||||
|
+systemd_unit_file(gssproxy_unit_file_t)
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+#
|
||||||
|
+# gssproxy local policy
|
||||||
|
+#
|
||||||
|
+allow gssproxy_t self:capability2 block_suspend;
|
||||||
|
+allow gssproxy_t self:fifo_file rw_fifo_file_perms;
|
||||||
|
+allow gssproxy_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
+
|
||||||
|
+manage_dirs_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
|
||||||
|
+manage_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
|
||||||
|
+manage_sock_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
|
||||||
|
+manage_lnk_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
|
||||||
|
+files_var_lib_filetrans(gssproxy_t, gssproxy_var_lib_t, { dir file lnk_file })
|
||||||
|
+
|
||||||
|
+manage_dirs_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
|
||||||
|
+manage_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
|
||||||
|
+manage_lnk_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
|
||||||
|
+files_pid_filetrans(gssproxy_t, gssproxy_var_run_t, { dir file lnk_file })
|
||||||
|
+
|
||||||
|
+kernel_rw_rpc_sysctls(gssproxy_t)
|
||||||
|
+
|
||||||
|
+domain_use_interactive_fds(gssproxy_t)
|
||||||
|
+
|
||||||
|
+files_read_etc_files(gssproxy_t)
|
||||||
|
+
|
||||||
|
+auth_use_nsswitch(gssproxy_t)
|
||||||
|
+
|
||||||
|
+dev_read_urand(gssproxy_t)
|
||||||
|
+
|
||||||
|
+logging_send_syslog_msg(gssproxy_t)
|
||||||
|
+
|
||||||
|
+miscfiles_read_localization(gssproxy_t)
|
||||||
|
+
|
||||||
|
+userdom_manage_user_tmp_dirs(gssproxy_t)
|
||||||
|
+userdom_manage_user_tmp_files(gssproxy_t)
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ kerberos_use(gssproxy_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ kerberos_keytab_template(gssproxy, gssproxy_t)
|
||||||
|
+ kerberos_manage_host_rcache(gssproxy_t)
|
||||||
|
+')
|
||||||
diff --git a/guest.te b/guest.te
|
diff --git a/guest.te b/guest.te
|
||||||
index d928711..93d2d83 100644
|
index d928711..93d2d83 100644
|
||||||
--- a/guest.te
|
--- a/guest.te
|
||||||
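Review bot: `gssproxy_systemctl` calls `systemd_read_fifo_file_password_run($1)` while `gssproxy_admin` calls `systemd_read_fifo_file_passwd_run($1)`; the two spellings should be checked against the systemd interface file, because a name that is not defined there would be expected to break the policy build. `gssproxy_admin` also grants `allow $1 gssproxy_t:process { ptrace signal_perms };` unconditionally, which is a wide grant for a daemon that brokers GSSAPI credentials; I would split it into `allow $1 gssproxy_t:process signal_perms;` and a ptrace rule placed under the tree's ptrace tunable, if it has one. In gssproxy.te, `userdom_manage_user_tmp_dirs(gssproxy_t)` and `userdom_manage_user_tmp_files(gssproxy_t)` deserve a comment saying why the daemon must manage user temporary files (presumably credential caches, to be confirmed). The header comments still read "Execute TEMPLATE in the gssproxy domin." and describe `gssproxy_systemctl` as a domain transition, so the generated doc text should be corrected as well.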
@ -48498,10 +48815,10 @@ index 0000000..f2d6119
|
|||||||
+/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
|
+/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
|
||||||
diff --git a/openshift.if b/openshift.if
|
diff --git a/openshift.if b/openshift.if
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..0dd82f8
|
index 0000000..6c841fa
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/openshift.if
|
+++ b/openshift.if
|
||||||
@@ -0,0 +1,656 @@
|
@@ -0,0 +1,676 @@
|
||||||
+
|
+
|
||||||
+## <summary> policy for openshift </summary>
|
+## <summary> policy for openshift </summary>
|
||||||
+
|
+
|
||||||
@ -48740,7 +49057,27 @@ index 0000000..0dd82f8
|
|||||||
+ type openshift_var_lib_t;
|
+ type openshift_var_lib_t;
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ allow $1 openshift_var_lib_t:dir search_dir_perms;
|
+ search_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
|
||||||
|
+ getattr_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
|
||||||
|
+ files_search_var_lib($1)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Getattr openshift lib files.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`openshift_getattr_lib',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type openshift_var_lib_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ getattr_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
|
||||||
+ files_search_var_lib($1)
|
+ files_search_var_lib($1)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
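Review bot: `openshift_search_lib` now expands to `search_dirs_pattern` plus `getattr_files_pattern` on `openshift_var_lib_t`, so every existing caller silently gains getattr on the files even though the interface name still says search. The same change adds `openshift_getattr_lib` with exactly that file permission, so I would keep `openshift_search_lib` to `search_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)` and `files_search_var_lib($1)` and have the callers that need it invoke `openshift_getattr_lib($1)` as well. If the wider grant is intentional, the interface summary should state it. The start of the `openshift_search_lib` interface, including its summary, lies above the visible lines of this hunk.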
@ -48986,7 +49323,7 @@ index 0000000..0dd82f8
|
|||||||
+## </summary>
|
+## </summary>
|
||||||
+## </param>
|
+## </param>
|
||||||
+#
|
+#
|
||||||
+template(`openshift_net_type',`
|
+interface(`openshift_net_type',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ attribute openshift_net_domain;
|
+ attribute openshift_net_domain;
|
||||||
+ ')
|
+ ')
|
||||||
@ -57211,7 +57548,7 @@ index cd8b8b9..cde0d62 100644
|
|||||||
+ allow $1 pppd_unit_file_t:service all_service_perms;
|
+ allow $1 pppd_unit_file_t:service all_service_perms;
|
||||||
')
|
')
|
||||||
diff --git a/ppp.te b/ppp.te
|
diff --git a/ppp.te b/ppp.te
|
||||||
index b2b5dba..49bdf0d 100644
|
index b2b5dba..7b8a7d1 100644
|
||||||
--- a/ppp.te
|
--- a/ppp.te
|
||||||
+++ b/ppp.te
|
+++ b/ppp.te
|
||||||
@@ -1,4 +1,4 @@
|
@@ -1,4 +1,4 @@
|
||||||
@ -57402,14 +57739,14 @@ index b2b5dba..49bdf0d 100644
|
|||||||
|
|
||||||
-fs_getattr_all_fs(pppd_t)
|
-fs_getattr_all_fs(pppd_t)
|
||||||
-fs_search_auto_mountpoints(pppd_t)
|
-fs_search_auto_mountpoints(pppd_t)
|
||||||
-
|
+# for scripts
|
||||||
|
|
||||||
-term_use_unallocated_ttys(pppd_t)
|
-term_use_unallocated_ttys(pppd_t)
|
||||||
-term_setattr_unallocated_ttys(pppd_t)
|
-term_setattr_unallocated_ttys(pppd_t)
|
||||||
-term_ioctl_generic_ptys(pppd_t)
|
-term_ioctl_generic_ptys(pppd_t)
|
||||||
-term_create_pty(pppd_t, pppd_devpts_t)
|
-term_create_pty(pppd_t, pppd_devpts_t)
|
||||||
-term_use_generic_ptys(pppd_t)
|
-term_use_generic_ptys(pppd_t)
|
||||||
+# for scripts
|
-
|
||||||
|
|
||||||
-init_labeled_script_domtrans(pppd_t, pppd_initrc_exec_t)
|
-init_labeled_script_domtrans(pppd_t, pppd_initrc_exec_t)
|
||||||
init_read_utmp(pppd_t)
|
init_read_utmp(pppd_t)
|
||||||
-init_signal_script(pppd_t)
|
-init_signal_script(pppd_t)
|
||||||
@ -57551,6 +57888,17 @@ index b2b5dba..49bdf0d 100644
|
|||||||
sysnet_exec_ifconfig(pptp_t)
|
sysnet_exec_ifconfig(pptp_t)
|
||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fds(pptp_t)
|
userdom_dontaudit_use_unpriv_user_fds(pptp_t)
|
||||||
|
@@ -299,6 +318,10 @@ optional_policy(`
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
+ gnome_dontaudit_search_config(pppd_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
dbus_system_domain(pppd_t, pppd_exec_t)
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
diff --git a/prelink.fc b/prelink.fc
|
diff --git a/prelink.fc b/prelink.fc
|
||||||
index a90d623..62af9a4 100644
|
index a90d623..62af9a4 100644
|
||||||
--- a/prelink.fc
|
--- a/prelink.fc
|
||||||
@ -69772,7 +70120,7 @@ index 0628d50..84f2fd7 100644
|
|||||||
+ allow rpm_script_t $1:process sigchld;
|
+ allow rpm_script_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
diff --git a/rpm.te b/rpm.te
|
diff --git a/rpm.te b/rpm.te
|
||||||
index 5cbe81c..decdd95 100644
|
index 5cbe81c..f79d5f4 100644
|
||||||
--- a/rpm.te
|
--- a/rpm.te
|
||||||
+++ b/rpm.te
|
+++ b/rpm.te
|
||||||
@@ -1,15 +1,13 @@
|
@@ -1,15 +1,13 @@
|
||||||
@ -69830,7 +70178,13 @@ index 5cbe81c..decdd95 100644
|
|||||||
|
|
||||||
type rpm_script_tmp_t;
|
type rpm_script_tmp_t;
|
||||||
files_tmp_file(rpm_script_tmp_t)
|
files_tmp_file(rpm_script_tmp_t)
|
||||||
@@ -75,23 +69,28 @@ allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit exec
|
@@ -70,28 +64,34 @@ files_tmpfs_file(rpm_script_tmpfs_t)
|
||||||
|
# rpm Local policy
|
||||||
|
#
|
||||||
|
|
||||||
|
+allow rpm_t self:capability2 block_suspend;
|
||||||
|
allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
|
||||||
|
allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
|
||||||
allow rpm_t self:process { getattr setexec setfscreate setrlimit };
|
allow rpm_t self:process { getattr setexec setfscreate setrlimit };
|
||||||
allow rpm_t self:fd use;
|
allow rpm_t self:fd use;
|
||||||
allow rpm_t self:fifo_file rw_fifo_file_perms;
|
allow rpm_t self:fifo_file rw_fifo_file_perms;
|
||||||
@ -69864,7 +70218,7 @@ index 5cbe81c..decdd95 100644
|
|||||||
|
|
||||||
manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
|
manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
|
||||||
manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
|
manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
|
||||||
@@ -99,23 +98,19 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
|
@@ -99,23 +99,19 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
|
||||||
manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
|
manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
|
||||||
manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
|
manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
|
||||||
fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
|
fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
|
||||||
@ -69892,7 +70246,7 @@ index 5cbe81c..decdd95 100644
|
|||||||
|
|
||||||
kernel_read_crypto_sysctls(rpm_t)
|
kernel_read_crypto_sysctls(rpm_t)
|
||||||
kernel_read_network_state(rpm_t)
|
kernel_read_network_state(rpm_t)
|
||||||
@@ -126,41 +121,34 @@ kernel_rw_irq_sysctls(rpm_t)
|
@@ -126,41 +122,34 @@ kernel_rw_irq_sysctls(rpm_t)
|
||||||
|
|
||||||
corecmd_exec_all_executables(rpm_t)
|
corecmd_exec_all_executables(rpm_t)
|
||||||
|
|
||||||
@ -69948,7 +70302,7 @@ index 5cbe81c..decdd95 100644
|
|||||||
|
|
||||||
fs_getattr_all_dirs(rpm_t)
|
fs_getattr_all_dirs(rpm_t)
|
||||||
fs_list_inotifyfs(rpm_t)
|
fs_list_inotifyfs(rpm_t)
|
||||||
@@ -183,29 +171,49 @@ selinux_compute_relabel_context(rpm_t)
|
@@ -183,29 +172,49 @@ selinux_compute_relabel_context(rpm_t)
|
||||||
selinux_compute_user_contexts(rpm_t)
|
selinux_compute_user_contexts(rpm_t)
|
||||||
|
|
||||||
storage_raw_write_fixed_disk(rpm_t)
|
storage_raw_write_fixed_disk(rpm_t)
|
||||||
@ -70000,7 +70354,7 @@ index 5cbe81c..decdd95 100644
|
|||||||
userdom_use_unpriv_users_fds(rpm_t)
|
userdom_use_unpriv_users_fds(rpm_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -224,13 +232,17 @@ optional_policy(`
|
@@ -224,13 +233,17 @@ optional_policy(`
|
||||||
networkmanager_dbus_chat(rpm_t)
|
networkmanager_dbus_chat(rpm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -70022,7 +70376,7 @@ index 5cbe81c..decdd95 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -239,19 +251,20 @@ optional_policy(`
|
@@ -239,19 +252,20 @@ optional_policy(`
|
||||||
#
|
#
|
||||||
|
|
||||||
allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin };
|
allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin };
|
||||||
@ -70046,7 +70400,7 @@ index 5cbe81c..decdd95 100644
|
|||||||
allow rpm_script_t rpm_tmp_t:file read_file_perms;
|
allow rpm_script_t rpm_tmp_t:file read_file_perms;
|
||||||
|
|
||||||
allow rpm_script_t rpm_script_tmp_t:dir mounton;
|
allow rpm_script_t rpm_script_tmp_t:dir mounton;
|
||||||
@@ -267,8 +280,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
|
@@ -267,8 +281,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
|
||||||
manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
|
manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
|
||||||
manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
|
manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
|
||||||
fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
|
fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
|
||||||
@ -70057,7 +70411,7 @@ index 5cbe81c..decdd95 100644
|
|||||||
|
|
||||||
kernel_read_crypto_sysctls(rpm_script_t)
|
kernel_read_crypto_sysctls(rpm_script_t)
|
||||||
kernel_read_kernel_sysctls(rpm_script_t)
|
kernel_read_kernel_sysctls(rpm_script_t)
|
||||||
@@ -277,45 +291,27 @@ kernel_read_network_state(rpm_script_t)
|
@@ -277,45 +292,27 @@ kernel_read_network_state(rpm_script_t)
|
||||||
kernel_list_all_proc(rpm_script_t)
|
kernel_list_all_proc(rpm_script_t)
|
||||||
kernel_read_software_raid_state(rpm_script_t)
|
kernel_read_software_raid_state(rpm_script_t)
|
||||||
|
|
||||||
@ -70107,7 +70461,7 @@ index 5cbe81c..decdd95 100644
|
|||||||
mls_file_read_all_levels(rpm_script_t)
|
mls_file_read_all_levels(rpm_script_t)
|
||||||
mls_file_write_all_levels(rpm_script_t)
|
mls_file_write_all_levels(rpm_script_t)
|
||||||
|
|
||||||
@@ -331,30 +327,48 @@ storage_raw_write_fixed_disk(rpm_script_t)
|
@@ -331,30 +328,48 @@ storage_raw_write_fixed_disk(rpm_script_t)
|
||||||
|
|
||||||
term_getattr_unallocated_ttys(rpm_script_t)
|
term_getattr_unallocated_ttys(rpm_script_t)
|
||||||
term_list_ptys(rpm_script_t)
|
term_list_ptys(rpm_script_t)
|
||||||
@ -70165,7 +70519,7 @@ index 5cbe81c..decdd95 100644
|
|||||||
|
|
||||||
ifdef(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -363,40 +377,54 @@ ifdef(`distro_redhat',`
|
@@ -363,40 +378,54 @@ ifdef(`distro_redhat',`
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -70230,7 +70584,7 @@ index 5cbe81c..decdd95 100644
|
|||||||
unconfined_domtrans(rpm_script_t)
|
unconfined_domtrans(rpm_script_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -409,6 +437,6 @@ optional_policy(`
|
@@ -409,6 +438,6 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -87519,7 +87873,7 @@ index 9dec06c..7877729 100644
|
|||||||
+ allow $1 svirt_image_t:chr_file rw_file_perms;
|
+ allow $1 svirt_image_t:chr_file rw_file_perms;
|
||||||
')
|
')
|
||||||
diff --git a/virt.te b/virt.te
|
diff --git a/virt.te b/virt.te
|
||||||
index 1f22fba..4d026c1 100644
|
index 1f22fba..a8390d3 100644
|
||||||
--- a/virt.te
|
--- a/virt.te
|
||||||
+++ b/virt.te
|
+++ b/virt.te
|
||||||
@@ -1,94 +1,98 @@
|
@@ -1,94 +1,98 @@
|
||||||
@ -88168,7 +88522,7 @@ index 1f22fba..4d026c1 100644
|
|||||||
|
|
||||||
corecmd_exec_bin(virtd_t)
|
corecmd_exec_bin(virtd_t)
|
||||||
corecmd_exec_shell(virtd_t)
|
corecmd_exec_shell(virtd_t)
|
||||||
@@ -520,24 +352,15 @@ corecmd_exec_shell(virtd_t)
|
@@ -520,24 +352,16 @@ corecmd_exec_shell(virtd_t)
|
||||||
corenet_all_recvfrom_netlabel(virtd_t)
|
corenet_all_recvfrom_netlabel(virtd_t)
|
||||||
corenet_tcp_sendrecv_generic_if(virtd_t)
|
corenet_tcp_sendrecv_generic_if(virtd_t)
|
||||||
corenet_tcp_sendrecv_generic_node(virtd_t)
|
corenet_tcp_sendrecv_generic_node(virtd_t)
|
||||||
@ -88190,12 +88544,13 @@ index 1f22fba..4d026c1 100644
|
|||||||
-corenet_tcp_sendrecv_soundd_port(virtd_t)
|
-corenet_tcp_sendrecv_soundd_port(virtd_t)
|
||||||
-
|
-
|
||||||
corenet_rw_tun_tap_dev(virtd_t)
|
corenet_rw_tun_tap_dev(virtd_t)
|
||||||
|
+corenet_relabel_tun_tap_dev(virtd_t)
|
||||||
|
|
||||||
+dev_rw_vfio_dev(virtd_t)
|
+dev_rw_vfio_dev(virtd_t)
|
||||||
dev_rw_sysfs(virtd_t)
|
dev_rw_sysfs(virtd_t)
|
||||||
dev_read_urand(virtd_t)
|
dev_read_urand(virtd_t)
|
||||||
dev_read_rand(virtd_t)
|
dev_read_rand(virtd_t)
|
||||||
@@ -548,22 +371,23 @@ dev_rw_vhost(virtd_t)
|
@@ -548,22 +372,23 @@ dev_rw_vhost(virtd_t)
|
||||||
dev_setattr_generic_usb_dev(virtd_t)
|
dev_setattr_generic_usb_dev(virtd_t)
|
||||||
dev_relabel_generic_usb_dev(virtd_t)
|
dev_relabel_generic_usb_dev(virtd_t)
|
||||||
|
|
||||||
@ -88224,7 +88579,7 @@ index 1f22fba..4d026c1 100644
|
|||||||
fs_rw_anon_inodefs_files(virtd_t)
|
fs_rw_anon_inodefs_files(virtd_t)
|
||||||
fs_list_inotifyfs(virtd_t)
|
fs_list_inotifyfs(virtd_t)
|
||||||
fs_manage_cgroup_dirs(virtd_t)
|
fs_manage_cgroup_dirs(virtd_t)
|
||||||
@@ -594,15 +418,18 @@ term_use_ptmx(virtd_t)
|
@@ -594,15 +419,18 @@ term_use_ptmx(virtd_t)
|
||||||
|
|
||||||
auth_use_nsswitch(virtd_t)
|
auth_use_nsswitch(virtd_t)
|
||||||
|
|
||||||
@ -88244,7 +88599,7 @@ index 1f22fba..4d026c1 100644
|
|||||||
|
|
||||||
selinux_validate_context(virtd_t)
|
selinux_validate_context(virtd_t)
|
||||||
|
|
||||||
@@ -613,18 +440,24 @@ seutil_read_file_contexts(virtd_t)
|
@@ -613,18 +441,24 @@ seutil_read_file_contexts(virtd_t)
|
||||||
sysnet_signull_ifconfig(virtd_t)
|
sysnet_signull_ifconfig(virtd_t)
|
||||||
sysnet_signal_ifconfig(virtd_t)
|
sysnet_signal_ifconfig(virtd_t)
|
||||||
sysnet_domtrans_ifconfig(virtd_t)
|
sysnet_domtrans_ifconfig(virtd_t)
|
||||||
@ -88279,7 +88634,7 @@ index 1f22fba..4d026c1 100644
|
|||||||
|
|
||||||
tunable_policy(`virt_use_nfs',`
|
tunable_policy(`virt_use_nfs',`
|
||||||
fs_manage_nfs_dirs(virtd_t)
|
fs_manage_nfs_dirs(virtd_t)
|
||||||
@@ -633,7 +466,7 @@ tunable_policy(`virt_use_nfs',`
|
@@ -633,7 +467,7 @@ tunable_policy(`virt_use_nfs',`
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`virt_use_samba',`
|
tunable_policy(`virt_use_samba',`
|
||||||
@ -88288,7 +88643,7 @@ index 1f22fba..4d026c1 100644
|
|||||||
fs_manage_cifs_files(virtd_t)
|
fs_manage_cifs_files(virtd_t)
|
||||||
fs_read_cifs_symlinks(virtd_t)
|
fs_read_cifs_symlinks(virtd_t)
|
||||||
')
|
')
|
||||||
@@ -658,95 +491,321 @@ optional_policy(`
|
@@ -658,95 +492,321 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -88658,7 +89013,7 @@ index 1f22fba..4d026c1 100644
|
|||||||
|
|
||||||
manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
|
manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
|
||||||
manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
|
manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
|
||||||
@@ -758,23 +817,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
@@ -758,23 +818,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||||
manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||||
manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||||
manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||||
@ -88688,7 +89043,7 @@ index 1f22fba..4d026c1 100644
|
|||||||
kernel_read_system_state(virsh_t)
|
kernel_read_system_state(virsh_t)
|
||||||
kernel_read_network_state(virsh_t)
|
kernel_read_network_state(virsh_t)
|
||||||
kernel_read_kernel_sysctls(virsh_t)
|
kernel_read_kernel_sysctls(virsh_t)
|
||||||
@@ -785,25 +836,18 @@ kernel_write_xen_state(virsh_t)
|
@@ -785,25 +837,18 @@ kernel_write_xen_state(virsh_t)
|
||||||
corecmd_exec_bin(virsh_t)
|
corecmd_exec_bin(virsh_t)
|
||||||
corecmd_exec_shell(virsh_t)
|
corecmd_exec_shell(virsh_t)
|
||||||
|
|
||||||
@ -88715,7 +89070,7 @@ index 1f22fba..4d026c1 100644
|
|||||||
|
|
||||||
fs_getattr_all_fs(virsh_t)
|
fs_getattr_all_fs(virsh_t)
|
||||||
fs_manage_xenfs_dirs(virsh_t)
|
fs_manage_xenfs_dirs(virsh_t)
|
||||||
@@ -812,24 +856,22 @@ fs_search_auto_mountpoints(virsh_t)
|
@@ -812,24 +857,22 @@ fs_search_auto_mountpoints(virsh_t)
|
||||||
|
|
||||||
storage_raw_read_fixed_disk(virsh_t)
|
storage_raw_read_fixed_disk(virsh_t)
|
||||||
|
|
||||||
@ -88747,7 +89102,7 @@ index 1f22fba..4d026c1 100644
|
|||||||
tunable_policy(`virt_use_nfs',`
|
tunable_policy(`virt_use_nfs',`
|
||||||
fs_manage_nfs_dirs(virsh_t)
|
fs_manage_nfs_dirs(virsh_t)
|
||||||
fs_manage_nfs_files(virsh_t)
|
fs_manage_nfs_files(virsh_t)
|
||||||
@@ -847,14 +889,20 @@ optional_policy(`
|
@@ -847,14 +890,20 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -88769,7 +89124,7 @@ index 1f22fba..4d026c1 100644
|
|||||||
xen_stream_connect(virsh_t)
|
xen_stream_connect(virsh_t)
|
||||||
xen_stream_connect_xenstore(virsh_t)
|
xen_stream_connect_xenstore(virsh_t)
|
||||||
')
|
')
|
||||||
@@ -879,34 +927,44 @@ optional_policy(`
|
@@ -879,34 +928,44 @@ optional_policy(`
|
||||||
kernel_read_xen_state(virsh_ssh_t)
|
kernel_read_xen_state(virsh_ssh_t)
|
||||||
kernel_write_xen_state(virsh_ssh_t)
|
kernel_write_xen_state(virsh_ssh_t)
|
||||||
|
|
||||||
@ -88823,7 +89178,7 @@ index 1f22fba..4d026c1 100644
|
|||||||
|
|
||||||
manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||||
manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||||
@@ -916,12 +974,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
@@ -916,12 +975,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||||
manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||||
allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
|
allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
|
||||||
allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
|
allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
|
||||||
@ -88841,7 +89196,7 @@ index 1f22fba..4d026c1 100644
|
|||||||
|
|
||||||
corecmd_exec_bin(virtd_lxc_t)
|
corecmd_exec_bin(virtd_lxc_t)
|
||||||
corecmd_exec_shell(virtd_lxc_t)
|
corecmd_exec_shell(virtd_lxc_t)
|
||||||
@@ -933,10 +996,8 @@ dev_read_urand(virtd_lxc_t)
|
@@ -933,10 +997,8 @@ dev_read_urand(virtd_lxc_t)
|
||||||
|
|
||||||
domain_use_interactive_fds(virtd_lxc_t)
|
domain_use_interactive_fds(virtd_lxc_t)
|
||||||
|
|
||||||
@ -88852,7 +89207,7 @@ index 1f22fba..4d026c1 100644
|
|||||||
files_relabel_rootfs(virtd_lxc_t)
|
files_relabel_rootfs(virtd_lxc_t)
|
||||||
files_mounton_non_security(virtd_lxc_t)
|
files_mounton_non_security(virtd_lxc_t)
|
||||||
files_mount_all_file_type_fs(virtd_lxc_t)
|
files_mount_all_file_type_fs(virtd_lxc_t)
|
||||||
@@ -944,6 +1005,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
|
@@ -944,6 +1006,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
|
||||||
files_list_isid_type_dirs(virtd_lxc_t)
|
files_list_isid_type_dirs(virtd_lxc_t)
|
||||||
files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
|
files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
|
||||||
|
|
||||||
@ -88860,7 +89215,7 @@ index 1f22fba..4d026c1 100644
|
|||||||
fs_getattr_all_fs(virtd_lxc_t)
|
fs_getattr_all_fs(virtd_lxc_t)
|
||||||
fs_manage_tmpfs_dirs(virtd_lxc_t)
|
fs_manage_tmpfs_dirs(virtd_lxc_t)
|
||||||
fs_manage_tmpfs_chr_files(virtd_lxc_t)
|
fs_manage_tmpfs_chr_files(virtd_lxc_t)
|
||||||
@@ -955,15 +1017,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
|
@@ -955,15 +1018,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
|
||||||
fs_unmount_all_fs(virtd_lxc_t)
|
fs_unmount_all_fs(virtd_lxc_t)
|
||||||
fs_relabelfrom_tmpfs(virtd_lxc_t)
|
fs_relabelfrom_tmpfs(virtd_lxc_t)
|
||||||
|
|
||||||
@ -88879,7 +89234,7 @@ index 1f22fba..4d026c1 100644
|
|||||||
|
|
||||||
term_use_generic_ptys(virtd_lxc_t)
|
term_use_generic_ptys(virtd_lxc_t)
|
||||||
term_use_ptmx(virtd_lxc_t)
|
term_use_ptmx(virtd_lxc_t)
|
||||||
@@ -973,21 +1031,36 @@ auth_use_nsswitch(virtd_lxc_t)
|
@@ -973,21 +1032,36 @@ auth_use_nsswitch(virtd_lxc_t)
|
||||||
|
|
||||||
logging_send_syslog_msg(virtd_lxc_t)
|
logging_send_syslog_msg(virtd_lxc_t)
|
||||||
|
|
||||||
@ -88924,7 +89279,7 @@ index 1f22fba..4d026c1 100644
|
|||||||
allow svirt_lxc_domain self:fifo_file manage_file_perms;
|
allow svirt_lxc_domain self:fifo_file manage_file_perms;
|
||||||
allow svirt_lxc_domain self:sem create_sem_perms;
|
allow svirt_lxc_domain self:sem create_sem_perms;
|
||||||
allow svirt_lxc_domain self:shm create_shm_perms;
|
allow svirt_lxc_domain self:shm create_shm_perms;
|
||||||
@@ -995,18 +1068,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
|
@@ -995,18 +1069,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
|
||||||
allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
|
allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||||
allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
|
allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
|
||||||
|
|
||||||
@ -88951,7 +89306,7 @@ index 1f22fba..4d026c1 100644
|
|||||||
|
|
||||||
manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||||
manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||||
@@ -1015,17 +1086,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
@@ -1015,17 +1087,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||||
manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||||
rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||||
rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||||
@ -88970,7 +89325,7 @@ index 1f22fba..4d026c1 100644
|
|||||||
kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
|
kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
|
||||||
|
|
||||||
corecmd_exec_all_executables(svirt_lxc_domain)
|
corecmd_exec_all_executables(svirt_lxc_domain)
|
||||||
@@ -1037,21 +1105,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
|
@@ -1037,21 +1106,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
|
||||||
files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
|
files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
|
||||||
files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
|
files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
|
||||||
files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
|
files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
|
||||||
@ -88997,7 +89352,7 @@ index 1f22fba..4d026c1 100644
|
|||||||
auth_dontaudit_read_login_records(svirt_lxc_domain)
|
auth_dontaudit_read_login_records(svirt_lxc_domain)
|
||||||
auth_dontaudit_write_login_records(svirt_lxc_domain)
|
auth_dontaudit_write_login_records(svirt_lxc_domain)
|
||||||
auth_search_pam_console_data(svirt_lxc_domain)
|
auth_search_pam_console_data(svirt_lxc_domain)
|
||||||
@@ -1063,96 +1130,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
|
@@ -1063,96 +1131,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
|
||||||
|
|
||||||
libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
|
libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
|
||||||
|
|
||||||
@ -89136,7 +89491,7 @@ index 1f22fba..4d026c1 100644
|
|||||||
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
|
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
|
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
|
||||||
|
|
||||||
@@ -1165,12 +1228,12 @@ dev_read_sysfs(virt_qmf_t)
|
@@ -1165,12 +1229,12 @@ dev_read_sysfs(virt_qmf_t)
|
||||||
dev_read_rand(virt_qmf_t)
|
dev_read_rand(virt_qmf_t)
|
||||||
dev_read_urand(virt_qmf_t)
|
dev_read_urand(virt_qmf_t)
|
||||||
|
|
||||||
@ -89151,7 +89506,7 @@ index 1f22fba..4d026c1 100644
|
|||||||
sysnet_read_config(virt_qmf_t)
|
sysnet_read_config(virt_qmf_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -1183,9 +1246,8 @@ optional_policy(`
|
@@ -1183,9 +1247,8 @@ optional_policy(`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -89162,7 +89517,7 @@ index 1f22fba..4d026c1 100644
|
|||||||
allow virt_bridgehelper_t self:process { setcap getcap };
|
allow virt_bridgehelper_t self:process { setcap getcap };
|
||||||
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
|
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
|
||||||
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
||||||
@@ -1198,5 +1260,114 @@ kernel_read_network_state(virt_bridgehelper_t)
|
@@ -1198,5 +1261,114 @@ kernel_read_network_state(virt_bridgehelper_t)
|
||||||
|
|
||||||
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
|
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
|
||||||
|
|
||||||
|
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.12.1
|
Version: 3.12.1
|
||||||
Release: 47%{?dist}
|
Release: 48%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -94,10 +94,6 @@ SELinux policy development and man page package
|
|||||||
%{_usr}/share/selinux/devel/example.*
|
%{_usr}/share/selinux/devel/example.*
|
||||||
%{_usr}/share/selinux/devel/policy.*
|
%{_usr}/share/selinux/devel/policy.*
|
||||||
|
|
||||||
%post devel
|
|
||||||
selinuxenabled && /usr/bin/sepolgen-ifgen 2>/dev/null
|
|
||||||
exit 0
|
|
||||||
|
|
||||||
%package doc
|
%package doc
|
||||||
Summary: SELinux policy documentation
|
Summary: SELinux policy documentation
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
@ -534,6 +530,30 @@ SELinux Reference policy mls base module.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Jun 3 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-48
|
||||||
|
- Fix openshift_search_lib
|
||||||
|
- Add support for abrt-uefioops-oops
|
||||||
|
- Allow colord to getattr any file system
|
||||||
|
- Allow chrome processes to look at each other
|
||||||
|
- Allow sys_ptrace for abrt_t
|
||||||
|
- Add new policy for gssproxy
|
||||||
|
- Dontaudit leaked file descriptor writes from firewalld
|
||||||
|
- openshift_net_type is interface not template
|
||||||
|
- Dontaudit pppd to search gnome config
|
||||||
|
- Update openshift_search_lib() interface
|
||||||
|
- Add fs_list_pstorefs()
|
||||||
|
- Fix label on libbcm_host.so since it is built incorrectly on raspberry pi, needs back port to F18
|
||||||
|
- Better labels for raspberry pi devices
|
||||||
|
- Allow init to create devpts_t directory
|
||||||
|
- Temporarily label rasbery pi devices as memory_device_t, needs back port to f18
|
||||||
|
- Allow sysadm_t to build kernels
|
||||||
|
- Make sure mount creates /var/run/blkid with the correct label, needs back port to F18
|
||||||
|
- Allow userdomains to stream connect to gssproxy
|
||||||
|
- Dontaudit leaked file descriptor writes from firewalld
|
||||||
|
- Allow xserver to read /dev/urandom
|
||||||
|
- Add additional fixes for ipsec-mgmt
|
||||||
|
- Make SSHing into an Openshift Enterprise Node working
|
||||||
|
|
||||||
* Wed May 29 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-47
|
* Wed May 29 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-47
|
||||||
- Add transition rules to unconfined domains and to sysadm_t to create /etc/adjtime
|
- Add transition rules to unconfined domains and to sysadm_t to create /etc/adjtime
|
||||||
- with the proper label.
|
- with the proper label.
|
||||||
|