- Fix openshift_search_lib

- Add support for abrt-uefioops-oops
- Allow colord to getattr any file system
- Allow chrome processes to look at each other
- Allow sys_ptrace for abrt_t
- Add new policy for gssproxy
- Dontaudit leaked file descriptor writes from firewalld
- openshift_net_type is interface not template
- Dontaudit pppd to search gnome config
- Update openshift_search_lib() interface
- Add fs_list_pstorefs()
- Fix label on libbcm_host.so since it is built incorrectly on raspberry pi, needs back port to F18
- Better labels for raspberry pi devices
- Allow init to create devpts_t directory
- Temporarily label rasbery pi devices as memory_device_t, needs back port to f18
- Allow sysadm_t to build kernels
- Make sure mount creates /var/run/blkid with the correct label, needs back port to F18
- Allow userdomains to stream connect to gssproxy
- Dontaudit leaked file descriptor writes from firewalld
- Allow xserver to read /dev/urandom
- Add additional fixes for ipsec-mgmt
- Make SSHing into an Openshift Enterprise Node working
This commit is contained in:
Miroslav Grepl 2013-06-04 08:43:23 +02:00
parent 88eb5b40ad
commit 574431f1a2
3 changed files with 965 additions and 422 deletions

File diff suppressed because it is too large Load Diff

View File

@ -1,8 +1,8 @@
diff --git a/abrt.fc b/abrt.fc diff --git a/abrt.fc b/abrt.fc
index e4f84de..ad5a65f 100644 index e4f84de..4e4cbd4 100644
--- a/abrt.fc --- a/abrt.fc
+++ b/abrt.fc +++ b/abrt.fc
@@ -1,30 +1,39 @@ @@ -1,30 +1,40 @@
-/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) -/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
-/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) -/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) +/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
@ -15,6 +15,7 @@ index e4f84de..ad5a65f 100644
+/usr/lib/systemd/system/abrt.* -- gen_context(system_u:object_r:abrt_unit_file_t,s0) +/usr/lib/systemd/system/abrt.* -- gen_context(system_u:object_r:abrt_unit_file_t,s0)
+ +
+/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0) +/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
+/usr/bin/abrt-uefioops-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
+/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) +/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+/usr/bin/abrt-watch-log -- gen_context(system_u:object_r:abrt_watch_log_exec_t,s0) +/usr/bin/abrt-watch-log -- gen_context(system_u:object_r:abrt_watch_log_exec_t,s0)
+ +
@ -517,7 +518,7 @@ index 058d908..702b716 100644
+') +')
+ +
diff --git a/abrt.te b/abrt.te diff --git a/abrt.te b/abrt.te
index cc43d25..ffbe9e5 100644 index cc43d25..5e60ff3 100644
--- a/abrt.te --- a/abrt.te
+++ b/abrt.te +++ b/abrt.te
@@ -1,4 +1,4 @@ @@ -1,4 +1,4 @@
@ -666,7 +667,8 @@ index cc43d25..ffbe9e5 100644
+# abrt local policy +# abrt local policy
# #
allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice }; -allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
+allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_ptrace };
dontaudit abrt_t self:capability sys_rawio; dontaudit abrt_t self:capability sys_rawio;
allow abrt_t self:process { setpgid sigkill signal signull setsched getsched }; allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
+ +
@ -939,7 +941,7 @@ index cc43d25..ffbe9e5 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
@@ -352,30 +410,38 @@ corecmd_exec_shell(abrt_retrace_worker_t) @@ -352,46 +410,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t)
@ -981,8 +983,10 @@ index cc43d25..ffbe9e5 100644
kernel_read_kernel_sysctls(abrt_dump_oops_t) kernel_read_kernel_sysctls(abrt_dump_oops_t)
kernel_read_ring_buffer(abrt_dump_oops_t) kernel_read_ring_buffer(abrt_dump_oops_t)
@@ -384,14 +450,15 @@ domain_use_interactive_fds(abrt_dump_oops_t) domain_use_interactive_fds(abrt_dump_oops_t)
fs_list_inotifyfs(abrt_dump_oops_t) fs_list_inotifyfs(abrt_dump_oops_t)
+fs_list_pstorefs(abrt_dump_oops_t)
logging_read_generic_logs(abrt_dump_oops_t) logging_read_generic_logs(abrt_dump_oops_t)
+logging_send_syslog_msg(abrt_dump_oops_t) +logging_send_syslog_msg(abrt_dump_oops_t)
@ -999,7 +1003,7 @@ index cc43d25..ffbe9e5 100644
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
@@ -400,16 +467,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) @@ -400,16 +468,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
corecmd_exec_bin(abrt_watch_log_t) corecmd_exec_bin(abrt_watch_log_t)
logging_read_all_logs(abrt_watch_log_t) logging_read_all_logs(abrt_watch_log_t)
@ -10385,10 +10389,10 @@ index 0000000..5977d96
+') +')
diff --git a/chrome.te b/chrome.te diff --git a/chrome.te b/chrome.te
new file mode 100644 new file mode 100644
index 0000000..ba0a059 index 0000000..f4a8884
--- /dev/null --- /dev/null
+++ b/chrome.te +++ b/chrome.te
@@ -0,0 +1,236 @@ @@ -0,0 +1,237 @@
+policy_module(chrome,1.0.0) +policy_module(chrome,1.0.0)
+ +
+######################################## +########################################
@ -10596,6 +10600,7 @@ index 0000000..ba0a059
+ +
+domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t) +domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t)
+ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t) +ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t)
+ps_process_pattern(chrome_sandbox_nacl_t, chrome_sandbox_t)
+ +
+manage_dirs_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t) +manage_dirs_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t) +manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
@ -12168,7 +12173,7 @@ index 8e27a37..825f537 100644
+ ps_process_pattern($1, colord_t) + ps_process_pattern($1, colord_t)
+') +')
diff --git a/colord.te b/colord.te diff --git a/colord.te b/colord.te
index 09f18e2..f0cade4 100644 index 09f18e2..9d70983 100644
--- a/colord.te --- a/colord.te
+++ b/colord.te +++ b/colord.te
@@ -8,6 +8,7 @@ policy_module(colord, 1.0.2) @@ -8,6 +8,7 @@ policy_module(colord, 1.0.2)
@ -12219,8 +12224,9 @@ index 09f18e2..f0cade4 100644
files_list_mnt(colord_t) files_list_mnt(colord_t)
-files_read_usr_files(colord_t) -files_read_usr_files(colord_t)
fs_getattr_noxattr_fs(colord_t) -fs_getattr_noxattr_fs(colord_t)
-fs_getattr_tmpfs(colord_t) -fs_getattr_tmpfs(colord_t)
+fs_getattr_all_fs(colord_t)
fs_list_noxattr_fs(colord_t) fs_list_noxattr_fs(colord_t)
fs_read_noxattr_fs_files(colord_t) fs_read_noxattr_fs_files(colord_t)
fs_search_all(colord_t) fs_search_all(colord_t)
@ -22900,7 +22906,7 @@ index 21d7b84..0e272bd 100644
/etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0) /etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
diff --git a/firewalld.if b/firewalld.if diff --git a/firewalld.if b/firewalld.if
index 5cf6ac6..839999e 100644 index 5cf6ac6..62547ee 100644
--- a/firewalld.if --- a/firewalld.if
+++ b/firewalld.if +++ b/firewalld.if
@@ -2,6 +2,66 @@ @@ -2,6 +2,66 @@
@ -22970,18 +22976,37 @@ index 5cf6ac6..839999e 100644
## Send and receive messages from ## Send and receive messages from
## firewalld over dbus. ## firewalld over dbus.
## </summary> ## </summary>
@@ -23,8 +83,8 @@ interface(`firewalld_dbus_chat',` @@ -23,8 +83,27 @@ interface(`firewalld_dbus_chat',`
######################################## ########################################
## <summary> ## <summary>
-## All of the rules required to -## All of the rules required to
-## administrate an firewalld environment. -## administrate an firewalld environment.
+## Dontaudit attempts to write
+## firewalld tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`firewalld_dontaudit_write_tmp_files',`
+ gen_require(`
+ type firewalld_tmp_t;
+ ')
+
+ dontaudit $1 firewalld_tmp_t:file write;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate +## All of the rules required to administrate
+## an firewalld environment +## an firewalld environment
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -45,10 +105,14 @@ interface(`firewalld_admin',` @@ -45,10 +124,14 @@ interface(`firewalld_admin',`
type firewalld_var_log_t; type firewalld_var_log_t;
') ')
@ -22998,7 +23023,7 @@ index 5cf6ac6..839999e 100644
domain_system_change_exemption($1) domain_system_change_exemption($1)
role_transition $2 firewalld_initrc_exec_t system_r; role_transition $2 firewalld_initrc_exec_t system_r;
allow $2 system_r; allow $2 system_r;
@@ -59,6 +123,9 @@ interface(`firewalld_admin',` @@ -59,6 +142,9 @@ interface(`firewalld_admin',`
logging_search_logs($1) logging_search_logs($1)
admin_pattern($1, firewalld_var_log_t) admin_pattern($1, firewalld_var_log_t)
@ -28202,6 +28227,298 @@ index 25f09ae..3085534 100644
optional_policy(` optional_policy(`
chronyd_rw_shm(gpsd_t) chronyd_rw_shm(gpsd_t)
chronyd_stream_connect(gpsd_t) chronyd_stream_connect(gpsd_t)
diff --git a/gssproxy.fc b/gssproxy.fc
new file mode 100644
index 0000000..404ae4f
--- /dev/null
+++ b/gssproxy.fc
@@ -0,0 +1,7 @@
+/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_file_t,s0)
+
+/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0)
+
+/var/lib/gssproxy(/.*)? gen_context(system_u:object_r:gssproxy_var_lib_t,s0)
+
+/var/run/gssproxy.pid -- gen_context(system_u:object_r:gssproxy_var_run_t,s0)
diff --git a/gssproxy.if b/gssproxy.if
new file mode 100644
index 0000000..072ddb0
--- /dev/null
+++ b/gssproxy.if
@@ -0,0 +1,203 @@
+
+## <summary>policy for gssproxy</summary>
+
+########################################
+## <summary>
+## Execute TEMPLATE in the gssproxy domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gssproxy_domtrans',`
+ gen_require(`
+ type gssproxy_t, gssproxy_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, gssproxy_exec_t, gssproxy_t)
+')
+
+########################################
+## <summary>
+## Search gssproxy lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_search_lib',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ allow $1 gssproxy_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read gssproxy lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_read_lib_files',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage gssproxy lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_manage_lib_files',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage gssproxy lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_manage_lib_dirs',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read gssproxy PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_read_pid_files',`
+ gen_require(`
+ type gssproxy_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, gssproxy_var_run_t, gssproxy_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute gssproxy server in the gssproxy domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gssproxy_systemctl',`
+ gen_require(`
+ type gssproxy_t;
+ type gssproxy_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_password_run($1)
+ allow $1 gssproxy_unit_file_t:file read_file_perms;
+ allow $1 gssproxy_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, gssproxy_t)
+')
+
+########################################
+## <summary>
+## Connect to gssproxy over an unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_stream_connect',`
+ gen_require(`
+ type gssproxy_t, gssproxy_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, gssproxy_var_run_t, gssproxy_var_run_t, gssproxy_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an gssproxy environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`gssproxy_admin',`
+ gen_require(`
+ type gssproxy_t;
+ type gssproxy_var_lib_t;
+ type gssproxy_var_run_t;
+ type gssproxy_unit_file_t;
+ ')
+
+ allow $1 gssproxy_t:process { ptrace signal_perms };
+ ps_process_pattern($1, gssproxy_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, gssproxy_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, gssproxy_var_run_t)
+
+ gssproxy_systemctl($1)
+ admin_pattern($1, gssproxy_unit_file_t)
+ allow $1 gssproxy_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/gssproxy.te b/gssproxy.te
new file mode 100644
index 0000000..6f0253c
--- /dev/null
+++ b/gssproxy.te
@@ -0,0 +1,64 @@
+policy_module(gssproxy, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gssproxy_t;
+type gssproxy_exec_t;
+init_daemon_domain(gssproxy_t, gssproxy_exec_t)
+
+type gssproxy_var_lib_t;
+files_type(gssproxy_var_lib_t)
+
+type gssproxy_var_run_t;
+files_pid_file(gssproxy_var_run_t)
+
+type gssproxy_unit_file_t;
+systemd_unit_file(gssproxy_unit_file_t)
+
+########################################
+#
+# gssproxy local policy
+#
+allow gssproxy_t self:capability2 block_suspend;
+allow gssproxy_t self:fifo_file rw_fifo_file_perms;
+allow gssproxy_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_sock_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_lnk_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+files_var_lib_filetrans(gssproxy_t, gssproxy_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
+manage_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
+manage_lnk_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
+files_pid_filetrans(gssproxy_t, gssproxy_var_run_t, { dir file lnk_file })
+
+kernel_rw_rpc_sysctls(gssproxy_t)
+
+domain_use_interactive_fds(gssproxy_t)
+
+files_read_etc_files(gssproxy_t)
+
+auth_use_nsswitch(gssproxy_t)
+
+dev_read_urand(gssproxy_t)
+
+logging_send_syslog_msg(gssproxy_t)
+
+miscfiles_read_localization(gssproxy_t)
+
+userdom_manage_user_tmp_dirs(gssproxy_t)
+userdom_manage_user_tmp_files(gssproxy_t)
+
+optional_policy(`
+ kerberos_use(gssproxy_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(gssproxy, gssproxy_t)
+ kerberos_manage_host_rcache(gssproxy_t)
+')
diff --git a/guest.te b/guest.te diff --git a/guest.te b/guest.te
index d928711..93d2d83 100644 index d928711..93d2d83 100644
--- a/guest.te --- a/guest.te
@ -48498,10 +48815,10 @@ index 0000000..f2d6119
+/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0) +/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
diff --git a/openshift.if b/openshift.if diff --git a/openshift.if b/openshift.if
new file mode 100644 new file mode 100644
index 0000000..0dd82f8 index 0000000..6c841fa
--- /dev/null --- /dev/null
+++ b/openshift.if +++ b/openshift.if
@@ -0,0 +1,656 @@ @@ -0,0 +1,676 @@
+ +
+## <summary> policy for openshift </summary> +## <summary> policy for openshift </summary>
+ +
@ -48740,7 +49057,27 @@ index 0000000..0dd82f8
+ type openshift_var_lib_t; + type openshift_var_lib_t;
+ ') + ')
+ +
+ allow $1 openshift_var_lib_t:dir search_dir_perms; + search_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+ getattr_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Getattr openshift lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openshift_getattr_lib',`
+ gen_require(`
+ type openshift_var_lib_t;
+ ')
+
+ getattr_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+ files_search_var_lib($1) + files_search_var_lib($1)
+') +')
+ +
@ -48986,7 +49323,7 @@ index 0000000..0dd82f8
+## </summary> +## </summary>
+## </param> +## </param>
+# +#
+template(`openshift_net_type',` +interface(`openshift_net_type',`
+ gen_require(` + gen_require(`
+ attribute openshift_net_domain; + attribute openshift_net_domain;
+ ') + ')
@ -57211,7 +57548,7 @@ index cd8b8b9..cde0d62 100644
+ allow $1 pppd_unit_file_t:service all_service_perms; + allow $1 pppd_unit_file_t:service all_service_perms;
') ')
diff --git a/ppp.te b/ppp.te diff --git a/ppp.te b/ppp.te
index b2b5dba..49bdf0d 100644 index b2b5dba..7b8a7d1 100644
--- a/ppp.te --- a/ppp.te
+++ b/ppp.te +++ b/ppp.te
@@ -1,4 +1,4 @@ @@ -1,4 +1,4 @@
@ -57402,14 +57739,14 @@ index b2b5dba..49bdf0d 100644
-fs_getattr_all_fs(pppd_t) -fs_getattr_all_fs(pppd_t)
-fs_search_auto_mountpoints(pppd_t) -fs_search_auto_mountpoints(pppd_t)
- +# for scripts
-term_use_unallocated_ttys(pppd_t) -term_use_unallocated_ttys(pppd_t)
-term_setattr_unallocated_ttys(pppd_t) -term_setattr_unallocated_ttys(pppd_t)
-term_ioctl_generic_ptys(pppd_t) -term_ioctl_generic_ptys(pppd_t)
-term_create_pty(pppd_t, pppd_devpts_t) -term_create_pty(pppd_t, pppd_devpts_t)
-term_use_generic_ptys(pppd_t) -term_use_generic_ptys(pppd_t)
+# for scripts -
-init_labeled_script_domtrans(pppd_t, pppd_initrc_exec_t) -init_labeled_script_domtrans(pppd_t, pppd_initrc_exec_t)
init_read_utmp(pppd_t) init_read_utmp(pppd_t)
-init_signal_script(pppd_t) -init_signal_script(pppd_t)
@ -57551,6 +57888,17 @@ index b2b5dba..49bdf0d 100644
sysnet_exec_ifconfig(pptp_t) sysnet_exec_ifconfig(pptp_t)
userdom_dontaudit_use_unpriv_user_fds(pptp_t) userdom_dontaudit_use_unpriv_user_fds(pptp_t)
@@ -299,6 +318,10 @@ optional_policy(`
')
optional_policy(`
+ gnome_dontaudit_search_config(pppd_t)
+')
+
+optional_policy(`
dbus_system_domain(pppd_t, pppd_exec_t)
optional_policy(`
diff --git a/prelink.fc b/prelink.fc diff --git a/prelink.fc b/prelink.fc
index a90d623..62af9a4 100644 index a90d623..62af9a4 100644
--- a/prelink.fc --- a/prelink.fc
@ -69772,7 +70120,7 @@ index 0628d50..84f2fd7 100644
+ allow rpm_script_t $1:process sigchld; + allow rpm_script_t $1:process sigchld;
') ')
diff --git a/rpm.te b/rpm.te diff --git a/rpm.te b/rpm.te
index 5cbe81c..decdd95 100644 index 5cbe81c..f79d5f4 100644
--- a/rpm.te --- a/rpm.te
+++ b/rpm.te +++ b/rpm.te
@@ -1,15 +1,13 @@ @@ -1,15 +1,13 @@
@ -69830,7 +70178,13 @@ index 5cbe81c..decdd95 100644
type rpm_script_tmp_t; type rpm_script_tmp_t;
files_tmp_file(rpm_script_tmp_t) files_tmp_file(rpm_script_tmp_t)
@@ -75,23 +69,28 @@ allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit exec @@ -70,28 +64,34 @@ files_tmpfs_file(rpm_script_tmpfs_t)
# rpm Local policy
#
+allow rpm_t self:capability2 block_suspend;
allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
allow rpm_t self:process { getattr setexec setfscreate setrlimit }; allow rpm_t self:process { getattr setexec setfscreate setrlimit };
allow rpm_t self:fd use; allow rpm_t self:fd use;
allow rpm_t self:fifo_file rw_fifo_file_perms; allow rpm_t self:fifo_file rw_fifo_file_perms;
@ -69864,7 +70218,7 @@ index 5cbe81c..decdd95 100644
manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
@@ -99,23 +98,19 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) @@ -99,23 +99,19 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file }) fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
@ -69892,7 +70246,7 @@ index 5cbe81c..decdd95 100644
kernel_read_crypto_sysctls(rpm_t) kernel_read_crypto_sysctls(rpm_t)
kernel_read_network_state(rpm_t) kernel_read_network_state(rpm_t)
@@ -126,41 +121,34 @@ kernel_rw_irq_sysctls(rpm_t) @@ -126,41 +122,34 @@ kernel_rw_irq_sysctls(rpm_t)
corecmd_exec_all_executables(rpm_t) corecmd_exec_all_executables(rpm_t)
@ -69948,7 +70302,7 @@ index 5cbe81c..decdd95 100644
fs_getattr_all_dirs(rpm_t) fs_getattr_all_dirs(rpm_t)
fs_list_inotifyfs(rpm_t) fs_list_inotifyfs(rpm_t)
@@ -183,29 +171,49 @@ selinux_compute_relabel_context(rpm_t) @@ -183,29 +172,49 @@ selinux_compute_relabel_context(rpm_t)
selinux_compute_user_contexts(rpm_t) selinux_compute_user_contexts(rpm_t)
storage_raw_write_fixed_disk(rpm_t) storage_raw_write_fixed_disk(rpm_t)
@ -70000,7 +70354,7 @@ index 5cbe81c..decdd95 100644
userdom_use_unpriv_users_fds(rpm_t) userdom_use_unpriv_users_fds(rpm_t)
optional_policy(` optional_policy(`
@@ -224,13 +232,17 @@ optional_policy(` @@ -224,13 +233,17 @@ optional_policy(`
networkmanager_dbus_chat(rpm_t) networkmanager_dbus_chat(rpm_t)
') ')
@ -70022,7 +70376,7 @@ index 5cbe81c..decdd95 100644
') ')
######################################## ########################################
@@ -239,19 +251,20 @@ optional_policy(` @@ -239,19 +252,20 @@ optional_policy(`
# #
allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin }; allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin };
@ -70046,7 +70400,7 @@ index 5cbe81c..decdd95 100644
allow rpm_script_t rpm_tmp_t:file read_file_perms; allow rpm_script_t rpm_tmp_t:file read_file_perms;
allow rpm_script_t rpm_script_tmp_t:dir mounton; allow rpm_script_t rpm_script_tmp_t:dir mounton;
@@ -267,8 +280,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) @@ -267,8 +281,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file }) fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
@ -70057,7 +70411,7 @@ index 5cbe81c..decdd95 100644
kernel_read_crypto_sysctls(rpm_script_t) kernel_read_crypto_sysctls(rpm_script_t)
kernel_read_kernel_sysctls(rpm_script_t) kernel_read_kernel_sysctls(rpm_script_t)
@@ -277,45 +291,27 @@ kernel_read_network_state(rpm_script_t) @@ -277,45 +292,27 @@ kernel_read_network_state(rpm_script_t)
kernel_list_all_proc(rpm_script_t) kernel_list_all_proc(rpm_script_t)
kernel_read_software_raid_state(rpm_script_t) kernel_read_software_raid_state(rpm_script_t)
@ -70107,7 +70461,7 @@ index 5cbe81c..decdd95 100644
mls_file_read_all_levels(rpm_script_t) mls_file_read_all_levels(rpm_script_t)
mls_file_write_all_levels(rpm_script_t) mls_file_write_all_levels(rpm_script_t)
@@ -331,30 +327,48 @@ storage_raw_write_fixed_disk(rpm_script_t) @@ -331,30 +328,48 @@ storage_raw_write_fixed_disk(rpm_script_t)
term_getattr_unallocated_ttys(rpm_script_t) term_getattr_unallocated_ttys(rpm_script_t)
term_list_ptys(rpm_script_t) term_list_ptys(rpm_script_t)
@ -70165,7 +70519,7 @@ index 5cbe81c..decdd95 100644
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
optional_policy(` optional_policy(`
@@ -363,40 +377,54 @@ ifdef(`distro_redhat',` @@ -363,40 +378,54 @@ ifdef(`distro_redhat',`
') ')
') ')
@ -70230,7 +70584,7 @@ index 5cbe81c..decdd95 100644
unconfined_domtrans(rpm_script_t) unconfined_domtrans(rpm_script_t)
optional_policy(` optional_policy(`
@@ -409,6 +437,6 @@ optional_policy(` @@ -409,6 +438,6 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -87519,7 +87873,7 @@ index 9dec06c..7877729 100644
+ allow $1 svirt_image_t:chr_file rw_file_perms; + allow $1 svirt_image_t:chr_file rw_file_perms;
') ')
diff --git a/virt.te b/virt.te diff --git a/virt.te b/virt.te
index 1f22fba..4d026c1 100644 index 1f22fba..a8390d3 100644
--- a/virt.te --- a/virt.te
+++ b/virt.te +++ b/virt.te
@@ -1,94 +1,98 @@ @@ -1,94 +1,98 @@
@ -88168,7 +88522,7 @@ index 1f22fba..4d026c1 100644
corecmd_exec_bin(virtd_t) corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t) corecmd_exec_shell(virtd_t)
@@ -520,24 +352,15 @@ corecmd_exec_shell(virtd_t) @@ -520,24 +352,16 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t) corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t)
@ -88190,12 +88544,13 @@ index 1f22fba..4d026c1 100644
-corenet_tcp_sendrecv_soundd_port(virtd_t) -corenet_tcp_sendrecv_soundd_port(virtd_t)
- -
corenet_rw_tun_tap_dev(virtd_t) corenet_rw_tun_tap_dev(virtd_t)
+corenet_relabel_tun_tap_dev(virtd_t)
+dev_rw_vfio_dev(virtd_t) +dev_rw_vfio_dev(virtd_t)
dev_rw_sysfs(virtd_t) dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t) dev_read_urand(virtd_t)
dev_read_rand(virtd_t) dev_read_rand(virtd_t)
@@ -548,22 +371,23 @@ dev_rw_vhost(virtd_t) @@ -548,22 +372,23 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t) dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t)
@ -88224,7 +88579,7 @@ index 1f22fba..4d026c1 100644
fs_rw_anon_inodefs_files(virtd_t) fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t) fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t) fs_manage_cgroup_dirs(virtd_t)
@@ -594,15 +418,18 @@ term_use_ptmx(virtd_t) @@ -594,15 +419,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t) auth_use_nsswitch(virtd_t)
@ -88244,7 +88599,7 @@ index 1f22fba..4d026c1 100644
selinux_validate_context(virtd_t) selinux_validate_context(virtd_t)
@@ -613,18 +440,24 @@ seutil_read_file_contexts(virtd_t) @@ -613,18 +441,24 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t) sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t)
@ -88279,7 +88634,7 @@ index 1f22fba..4d026c1 100644
tunable_policy(`virt_use_nfs',` tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t) fs_manage_nfs_dirs(virtd_t)
@@ -633,7 +466,7 @@ tunable_policy(`virt_use_nfs',` @@ -633,7 +467,7 @@ tunable_policy(`virt_use_nfs',`
') ')
tunable_policy(`virt_use_samba',` tunable_policy(`virt_use_samba',`
@ -88288,7 +88643,7 @@ index 1f22fba..4d026c1 100644
fs_manage_cifs_files(virtd_t) fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t) fs_read_cifs_symlinks(virtd_t)
') ')
@@ -658,95 +491,321 @@ optional_policy(` @@ -658,95 +492,321 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -88658,7 +89013,7 @@ index 1f22fba..4d026c1 100644
manage_files_pattern(virsh_t, virt_image_type, virt_image_type) manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
@@ -758,23 +817,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) @@ -758,23 +818,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
@ -88688,7 +89043,7 @@ index 1f22fba..4d026c1 100644
kernel_read_system_state(virsh_t) kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t) kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t) kernel_read_kernel_sysctls(virsh_t)
@@ -785,25 +836,18 @@ kernel_write_xen_state(virsh_t) @@ -785,25 +837,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t) corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t) corecmd_exec_shell(virsh_t)
@ -88715,7 +89070,7 @@ index 1f22fba..4d026c1 100644
fs_getattr_all_fs(virsh_t) fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t) fs_manage_xenfs_dirs(virsh_t)
@@ -812,24 +856,22 @@ fs_search_auto_mountpoints(virsh_t) @@ -812,24 +857,22 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t) storage_raw_read_fixed_disk(virsh_t)
@ -88747,7 +89102,7 @@ index 1f22fba..4d026c1 100644
tunable_policy(`virt_use_nfs',` tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t) fs_manage_nfs_dirs(virsh_t)
fs_manage_nfs_files(virsh_t) fs_manage_nfs_files(virsh_t)
@@ -847,14 +889,20 @@ optional_policy(` @@ -847,14 +890,20 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -88769,7 +89124,7 @@ index 1f22fba..4d026c1 100644
xen_stream_connect(virsh_t) xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t) xen_stream_connect_xenstore(virsh_t)
') ')
@@ -879,34 +927,44 @@ optional_policy(` @@ -879,34 +928,44 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t) kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t)
@ -88823,7 +89178,7 @@ index 1f22fba..4d026c1 100644
manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -916,12 +974,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) @@ -916,12 +975,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom }; allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom }; allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
@ -88841,7 +89196,7 @@ index 1f22fba..4d026c1 100644
corecmd_exec_bin(virtd_lxc_t) corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t)
@@ -933,10 +996,8 @@ dev_read_urand(virtd_lxc_t) @@ -933,10 +997,8 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t)
@ -88852,7 +89207,7 @@ index 1f22fba..4d026c1 100644
files_relabel_rootfs(virtd_lxc_t) files_relabel_rootfs(virtd_lxc_t)
files_mounton_non_security(virtd_lxc_t) files_mounton_non_security(virtd_lxc_t)
files_mount_all_file_type_fs(virtd_lxc_t) files_mount_all_file_type_fs(virtd_lxc_t)
@@ -944,6 +1005,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t) @@ -944,6 +1006,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
files_list_isid_type_dirs(virtd_lxc_t) files_list_isid_type_dirs(virtd_lxc_t)
files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set) files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
@ -88860,7 +89215,7 @@ index 1f22fba..4d026c1 100644
fs_getattr_all_fs(virtd_lxc_t) fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t)
@@ -955,15 +1017,11 @@ fs_rw_cgroup_files(virtd_lxc_t) @@ -955,15 +1018,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t)
@ -88879,7 +89234,7 @@ index 1f22fba..4d026c1 100644
term_use_generic_ptys(virtd_lxc_t) term_use_generic_ptys(virtd_lxc_t)
term_use_ptmx(virtd_lxc_t) term_use_ptmx(virtd_lxc_t)
@@ -973,21 +1031,36 @@ auth_use_nsswitch(virtd_lxc_t) @@ -973,21 +1032,36 @@ auth_use_nsswitch(virtd_lxc_t)
logging_send_syslog_msg(virtd_lxc_t) logging_send_syslog_msg(virtd_lxc_t)
@ -88924,7 +89279,7 @@ index 1f22fba..4d026c1 100644
allow svirt_lxc_domain self:fifo_file manage_file_perms; allow svirt_lxc_domain self:fifo_file manage_file_perms;
allow svirt_lxc_domain self:sem create_sem_perms; allow svirt_lxc_domain self:sem create_sem_perms;
allow svirt_lxc_domain self:shm create_shm_perms; allow svirt_lxc_domain self:shm create_shm_perms;
@@ -995,18 +1068,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; @@ -995,18 +1069,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
@ -88951,7 +89306,7 @@ index 1f22fba..4d026c1 100644
manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -1015,17 +1086,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) @@ -1015,17 +1087,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
@ -88970,7 +89325,7 @@ index 1f22fba..4d026c1 100644
kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
corecmd_exec_all_executables(svirt_lxc_domain) corecmd_exec_all_executables(svirt_lxc_domain)
@@ -1037,21 +1105,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) @@ -1037,21 +1106,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
files_dontaudit_getattr_all_sockets(svirt_lxc_domain) files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
files_dontaudit_list_all_mountpoints(svirt_lxc_domain) files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
@ -88997,7 +89352,7 @@ index 1f22fba..4d026c1 100644
auth_dontaudit_read_login_records(svirt_lxc_domain) auth_dontaudit_read_login_records(svirt_lxc_domain)
auth_dontaudit_write_login_records(svirt_lxc_domain) auth_dontaudit_write_login_records(svirt_lxc_domain)
auth_search_pam_console_data(svirt_lxc_domain) auth_search_pam_console_data(svirt_lxc_domain)
@@ -1063,96 +1130,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain) @@ -1063,96 +1131,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
libs_dontaudit_setattr_lib_files(svirt_lxc_domain) libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
@ -89136,7 +89491,7 @@ index 1f22fba..4d026c1 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
@@ -1165,12 +1228,12 @@ dev_read_sysfs(virt_qmf_t) @@ -1165,12 +1229,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t) dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t) dev_read_urand(virt_qmf_t)
@ -89151,7 +89506,7 @@ index 1f22fba..4d026c1 100644
sysnet_read_config(virt_qmf_t) sysnet_read_config(virt_qmf_t)
optional_policy(` optional_policy(`
@@ -1183,9 +1246,8 @@ optional_policy(` @@ -1183,9 +1247,8 @@ optional_policy(`
######################################## ########################################
# #
@ -89162,7 +89517,7 @@ index 1f22fba..4d026c1 100644
allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
@@ -1198,5 +1260,114 @@ kernel_read_network_state(virt_bridgehelper_t) @@ -1198,5 +1261,114 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t)

View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.12.1 Version: 3.12.1
Release: 47%{?dist} Release: 48%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -94,10 +94,6 @@ SELinux policy development and man page package
%{_usr}/share/selinux/devel/example.* %{_usr}/share/selinux/devel/example.*
%{_usr}/share/selinux/devel/policy.* %{_usr}/share/selinux/devel/policy.*
%post devel
selinuxenabled && /usr/bin/sepolgen-ifgen 2>/dev/null
exit 0
%package doc %package doc
Summary: SELinux policy documentation Summary: SELinux policy documentation
Group: System Environment/Base Group: System Environment/Base
@ -534,6 +530,30 @@ SELinux Reference policy mls base module.
%endif %endif
%changelog %changelog
* Mon Jun 3 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-48
- Fix openshift_search_lib
- Add support for abrt-uefioops-oops
- Allow colord to getattr any file system
- Allow chrome processes to look at each other
- Allow sys_ptrace for abrt_t
- Add new policy for gssproxy
- Dontaudit leaked file descriptor writes from firewalld
- openshift_net_type is interface not template
- Dontaudit pppd to search gnome config
- Update openshift_search_lib() interface
- Add fs_list_pstorefs()
- Fix label on libbcm_host.so since it is built incorrectly on raspberry pi, needs back port to F18
- Better labels for raspberry pi devices
- Allow init to create devpts_t directory
- Temporarily label rasbery pi devices as memory_device_t, needs back port to f18
- Allow sysadm_t to build kernels
- Make sure mount creates /var/run/blkid with the correct label, needs back port to F18
- Allow userdomains to stream connect to gssproxy
- Dontaudit leaked file descriptor writes from firewalld
- Allow xserver to read /dev/urandom
- Add additional fixes for ipsec-mgmt
- Make SSHing into an Openshift Enterprise Node working
* Wed May 29 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-47 * Wed May 29 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-47
- Add transition rules to unconfined domains and to sysadm_t to create /etc/adjtime - Add transition rules to unconfined domains and to sysadm_t to create /etc/adjtime
- with the proper label. - with the proper label.