* Thu Oct 26 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-300
- Allow zabbix_t domain to change its resource limits - Add new boolean nagios_use_nfs - Allow system_mail_t to search network sysctls - Hide all allow rules with ptrace inside deny_ptrace boolean - Allow nagios_script_t to read nagios_spool_t files - Allow sbd_t to create own sbd_tmpfs_t dirs/files - Allow firewalld and networkmanager to chat with hypervkvp via dbus - Allow dmidecode to read rhsmcert_log_t files - Allow mail system to connect mariadb sockets. - Allow nmbd_t domain to mmap files labeled as samba_var_t. BZ(1505877) - Make user account setup in gnome-initial-setup work in Workstation Live system. BZ(1499170) - Allow iptables_t to run setfiles to restore context on system - Update unconfined_dontaudit_read_state() interface to also dontaudit access to files. BZ(1503466)
parent
7911257b23
commit
59afa60b46
@ -26642,10 +26642,10 @@ index 000000000..d9efb902a
|
|||||||
+#/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0)
|
+#/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0)
|
||||||
diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if
|
diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 000000000..bb9082586
|
index 000000000..ecc53819c
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/roles/unconfineduser.if
|
+++ b/policy/modules/roles/unconfineduser.if
|
||||||
@@ -0,0 +1,763 @@
|
@@ -0,0 +1,764 @@
|
||||||
+## <summary>Unconfined user role</summary>
|
+## <summary>Unconfined user role</summary>
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -27121,6 +27121,7 @@ index 000000000..bb9082586
|
|||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ dontaudit $1 unconfined_t:dir list_dir_perms;
|
+ dontaudit $1 unconfined_t:dir list_dir_perms;
|
||||||
|
+ dontaudit $1 unconfined_t:file read_file_perms;
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
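Review bot: The new `dontaudit $1 unconfined_t:file read_file_perms;` widens unconfined_dontaudit_read_state() from silencing directory listing to silencing file reads of unconfined_t-labelled state (presumably the /proc/<pid> entries of unconfined processes), and the interface summary, which lies outside this hunk, should say so, since a caller picking the interface by name will not expect file-level silencing. A dontaudit grants nothing, but it hides the AVC that would reveal a confined domain probing unconfined process state, so keep the reason findable with a one-line comment next to the rule such as `# BZ 1503466: also silence reads of unconfined_t state files, not only dir listing`. The enclosing interface starts before and ends after this hunk.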
@ -32045,7 +32046,7 @@ index 6bf0ecc2d..75b2f31f9 100644
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
|
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
|
||||||
index 8b403774f..7eb9dade6 100644
|
index 8b403774f..edd47215b 100644
|
||||||
--- a/policy/modules/services/xserver.te
|
--- a/policy/modules/services/xserver.te
|
||||||
+++ b/policy/modules/services/xserver.te
|
+++ b/policy/modules/services/xserver.te
|
||||||
@@ -26,28 +26,66 @@ gen_require(`
|
@@ -26,28 +26,66 @@ gen_require(`
|
||||||
@ -32404,7 +32405,7 @@ index 8b403774f..7eb9dade6 100644
|
|||||||
ssh_sigchld(xauth_t)
|
ssh_sigchld(xauth_t)
|
||||||
ssh_read_pipes(xauth_t)
|
ssh_read_pipes(xauth_t)
|
||||||
ssh_dontaudit_rw_tcp_sockets(xauth_t)
|
ssh_dontaudit_rw_tcp_sockets(xauth_t)
|
||||||
@@ -300,64 +420,107 @@ optional_policy(`
|
@@ -300,64 +420,108 @@ optional_policy(`
|
||||||
# XDM Local policy
|
# XDM Local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -32503,6 +32504,7 @@ index 8b403774f..7eb9dade6 100644
|
|||||||
-files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file })
|
-files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file })
|
||||||
+manage_sock_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
|
+manage_sock_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
|
||||||
+files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file })
|
+files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file })
|
||||||
|
+allow xdm_t xdm_var_run_t:file map;
|
||||||
|
|
||||||
-allow xdm_t xserver_t:process signal;
|
-allow xdm_t xserver_t:process signal;
|
||||||
+allow xdm_t xserver_t:process { signal signull };
|
+allow xdm_t xserver_t:process { signal signull };
|
||||||
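Review bot: `allow xdm_t xdm_var_run_t:file map;` is added without a comment saying which runtime file the display manager mmaps, and it sits between a `files_pid_filetrans` rule that names no filename and an unrelated signal rule, so the reason will be lost on the next cleanup. The grant is scoped to files xdm_t already manages under xdm_var_run_t and adds no new object reach, so it is fine as a permission; a note like `# mmap of xdm's own /run files (map permission is gated separately from read/write)` is all that is missing. The xdm_t policy block continues outside this hunk.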
@ -32525,7 +32527,7 @@ index 8b403774f..7eb9dade6 100644
|
|||||||
|
|
||||||
# connect to xdm xserver over stream socket
|
# connect to xdm xserver over stream socket
|
||||||
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
||||||
@@ -366,20 +529,31 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
@@ -366,20 +530,31 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
||||||
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
|
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
|
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
|
|
||||||
@ -32559,7 +32561,7 @@ index 8b403774f..7eb9dade6 100644
|
|||||||
corenet_all_recvfrom_netlabel(xdm_t)
|
corenet_all_recvfrom_netlabel(xdm_t)
|
||||||
corenet_tcp_sendrecv_generic_if(xdm_t)
|
corenet_tcp_sendrecv_generic_if(xdm_t)
|
||||||
corenet_udp_sendrecv_generic_if(xdm_t)
|
corenet_udp_sendrecv_generic_if(xdm_t)
|
||||||
@@ -389,38 +563,51 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
|
@@ -389,38 +564,51 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
|
||||||
corenet_udp_sendrecv_all_ports(xdm_t)
|
corenet_udp_sendrecv_all_ports(xdm_t)
|
||||||
corenet_tcp_bind_generic_node(xdm_t)
|
corenet_tcp_bind_generic_node(xdm_t)
|
||||||
corenet_udp_bind_generic_node(xdm_t)
|
corenet_udp_bind_generic_node(xdm_t)
|
||||||
@ -32615,7 +32617,7 @@ index 8b403774f..7eb9dade6 100644
|
|||||||
|
|
||||||
files_read_etc_files(xdm_t)
|
files_read_etc_files(xdm_t)
|
||||||
files_read_var_files(xdm_t)
|
files_read_var_files(xdm_t)
|
||||||
@@ -431,9 +618,30 @@ files_list_mnt(xdm_t)
|
@@ -431,9 +619,30 @@ files_list_mnt(xdm_t)
|
||||||
files_read_usr_files(xdm_t)
|
files_read_usr_files(xdm_t)
|
||||||
# Poweroff wants to create the /poweroff file when run from xdm
|
# Poweroff wants to create the /poweroff file when run from xdm
|
||||||
files_create_boot_flag(xdm_t)
|
files_create_boot_flag(xdm_t)
|
||||||
@ -32646,7 +32648,7 @@ index 8b403774f..7eb9dade6 100644
|
|||||||
|
|
||||||
storage_dontaudit_read_fixed_disk(xdm_t)
|
storage_dontaudit_read_fixed_disk(xdm_t)
|
||||||
storage_dontaudit_write_fixed_disk(xdm_t)
|
storage_dontaudit_write_fixed_disk(xdm_t)
|
||||||
@@ -442,28 +650,50 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
|
@@ -442,28 +651,50 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
|
||||||
storage_dontaudit_raw_write_removable_device(xdm_t)
|
storage_dontaudit_raw_write_removable_device(xdm_t)
|
||||||
storage_dontaudit_setattr_removable_dev(xdm_t)
|
storage_dontaudit_setattr_removable_dev(xdm_t)
|
||||||
storage_dontaudit_rw_scsi_generic(xdm_t)
|
storage_dontaudit_rw_scsi_generic(xdm_t)
|
||||||
@ -32702,7 +32704,7 @@ index 8b403774f..7eb9dade6 100644
|
|||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
|
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
|
||||||
userdom_create_all_users_keys(xdm_t)
|
userdom_create_all_users_keys(xdm_t)
|
||||||
@@ -472,24 +702,167 @@ userdom_read_user_home_content_files(xdm_t)
|
@@ -472,24 +703,167 @@ userdom_read_user_home_content_files(xdm_t)
|
||||||
# Search /proc for any user domain processes.
|
# Search /proc for any user domain processes.
|
||||||
userdom_read_all_users_state(xdm_t)
|
userdom_read_all_users_state(xdm_t)
|
||||||
userdom_signal_all_users(xdm_t)
|
userdom_signal_all_users(xdm_t)
|
||||||
@ -32876,7 +32878,7 @@ index 8b403774f..7eb9dade6 100644
|
|||||||
tunable_policy(`xdm_sysadm_login',`
|
tunable_policy(`xdm_sysadm_login',`
|
||||||
userdom_xsession_spec_domtrans_all_users(xdm_t)
|
userdom_xsession_spec_domtrans_all_users(xdm_t)
|
||||||
# FIXME:
|
# FIXME:
|
||||||
@@ -502,12 +875,31 @@ tunable_policy(`xdm_sysadm_login',`
|
@@ -502,12 +876,31 @@ tunable_policy(`xdm_sysadm_login',`
|
||||||
# allow xserver_t xdm_tmpfs_t:file rw_file_perms;
|
# allow xserver_t xdm_tmpfs_t:file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -32908,7 +32910,7 @@ index 8b403774f..7eb9dade6 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -518,8 +910,36 @@ optional_policy(`
|
@@ -518,8 +911,36 @@ optional_policy(`
|
||||||
dbus_system_bus_client(xdm_t)
|
dbus_system_bus_client(xdm_t)
|
||||||
dbus_connect_system_bus(xdm_t)
|
dbus_connect_system_bus(xdm_t)
|
||||||
|
|
||||||
@ -32946,7 +32948,7 @@ index 8b403774f..7eb9dade6 100644
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -530,6 +950,20 @@ optional_policy(`
|
@@ -530,6 +951,20 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -32967,7 +32969,7 @@ index 8b403774f..7eb9dade6 100644
|
|||||||
hostname_exec(xdm_t)
|
hostname_exec(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -547,28 +981,78 @@ optional_policy(`
|
@@ -547,28 +982,78 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -33055,7 +33057,7 @@ index 8b403774f..7eb9dade6 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -580,6 +1064,14 @@ optional_policy(`
|
@@ -580,6 +1065,14 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -33070,7 +33072,7 @@ index 8b403774f..7eb9dade6 100644
|
|||||||
xfs_stream_connect(xdm_t)
|
xfs_stream_connect(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -594,7 +1086,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
|
@@ -594,7 +1087,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
|
||||||
type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
|
type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
|
||||||
|
|
||||||
allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
|
allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
|
||||||
@ -33079,7 +33081,7 @@ index 8b403774f..7eb9dade6 100644
|
|||||||
|
|
||||||
# setuid/setgid for the wrapper program to change UID
|
# setuid/setgid for the wrapper program to change UID
|
||||||
# sys_rawio is for iopl access - should not be needed for frame-buffer
|
# sys_rawio is for iopl access - should not be needed for frame-buffer
|
||||||
@@ -604,8 +1096,11 @@ allow xserver_t input_xevent_t:x_event send;
|
@@ -604,8 +1097,11 @@ allow xserver_t input_xevent_t:x_event send;
|
||||||
# execheap needed until the X module loader is fixed.
|
# execheap needed until the X module loader is fixed.
|
||||||
# NVIDIA Needs execstack
|
# NVIDIA Needs execstack
|
||||||
|
|
||||||
@ -33092,7 +33094,7 @@ index 8b403774f..7eb9dade6 100644
|
|||||||
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||||
allow xserver_t self:fd use;
|
allow xserver_t self:fd use;
|
||||||
allow xserver_t self:fifo_file rw_fifo_file_perms;
|
allow xserver_t self:fifo_file rw_fifo_file_perms;
|
||||||
@@ -618,8 +1113,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
|
@@ -618,8 +1114,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||||
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||||
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow xserver_t self:udp_socket create_socket_perms;
|
allow xserver_t self:udp_socket create_socket_perms;
|
||||||
@ -33108,7 +33110,7 @@ index 8b403774f..7eb9dade6 100644
|
|||||||
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
@@ -627,36 +1129,53 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
|
@@ -627,36 +1130,53 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
|
||||||
|
|
||||||
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
|
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
|
||||||
|
|
||||||
@ -33166,7 +33168,7 @@ index 8b403774f..7eb9dade6 100644
|
|||||||
corenet_all_recvfrom_netlabel(xserver_t)
|
corenet_all_recvfrom_netlabel(xserver_t)
|
||||||
corenet_tcp_sendrecv_generic_if(xserver_t)
|
corenet_tcp_sendrecv_generic_if(xserver_t)
|
||||||
corenet_udp_sendrecv_generic_if(xserver_t)
|
corenet_udp_sendrecv_generic_if(xserver_t)
|
||||||
@@ -677,23 +1196,29 @@ dev_rw_apm_bios(xserver_t)
|
@@ -677,23 +1197,29 @@ dev_rw_apm_bios(xserver_t)
|
||||||
dev_rw_agp(xserver_t)
|
dev_rw_agp(xserver_t)
|
||||||
dev_rw_framebuffer(xserver_t)
|
dev_rw_framebuffer(xserver_t)
|
||||||
dev_manage_dri_dev(xserver_t)
|
dev_manage_dri_dev(xserver_t)
|
||||||
@ -33199,7 +33201,7 @@ index 8b403774f..7eb9dade6 100644
|
|||||||
|
|
||||||
# brought on by rhgb
|
# brought on by rhgb
|
||||||
files_search_mnt(xserver_t)
|
files_search_mnt(xserver_t)
|
||||||
@@ -705,6 +1230,14 @@ fs_search_nfs(xserver_t)
|
@@ -705,6 +1231,14 @@ fs_search_nfs(xserver_t)
|
||||||
fs_search_auto_mountpoints(xserver_t)
|
fs_search_auto_mountpoints(xserver_t)
|
||||||
fs_search_ramfs(xserver_t)
|
fs_search_ramfs(xserver_t)
|
||||||
|
|
||||||
@ -33214,7 +33216,7 @@ index 8b403774f..7eb9dade6 100644
|
|||||||
mls_xwin_read_to_clearance(xserver_t)
|
mls_xwin_read_to_clearance(xserver_t)
|
||||||
|
|
||||||
selinux_validate_context(xserver_t)
|
selinux_validate_context(xserver_t)
|
||||||
@@ -718,28 +1251,25 @@ init_getpgid(xserver_t)
|
@@ -718,28 +1252,25 @@ init_getpgid(xserver_t)
|
||||||
term_setattr_unallocated_ttys(xserver_t)
|
term_setattr_unallocated_ttys(xserver_t)
|
||||||
term_use_unallocated_ttys(xserver_t)
|
term_use_unallocated_ttys(xserver_t)
|
||||||
|
|
||||||
@ -33247,7 +33249,7 @@ index 8b403774f..7eb9dade6 100644
|
|||||||
|
|
||||||
ifndef(`distro_redhat',`
|
ifndef(`distro_redhat',`
|
||||||
allow xserver_t self:process { execmem execheap execstack };
|
allow xserver_t self:process { execmem execheap execstack };
|
||||||
@@ -785,17 +1315,54 @@ optional_policy(`
|
@@ -785,17 +1316,54 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -33304,7 +33306,7 @@ index 8b403774f..7eb9dade6 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -803,6 +1370,10 @@ optional_policy(`
|
@@ -803,6 +1371,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -33315,7 +33317,7 @@ index 8b403774f..7eb9dade6 100644
|
|||||||
xfs_stream_connect(xserver_t)
|
xfs_stream_connect(xserver_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -818,18 +1389,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
|
@@ -818,18 +1390,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
|
||||||
|
|
||||||
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
|
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
|
||||||
# handle of a file inside the dir!!!
|
# handle of a file inside the dir!!!
|
||||||
@ -33340,7 +33342,7 @@ index 8b403774f..7eb9dade6 100644
|
|||||||
can_exec(xserver_t, xkb_var_lib_t)
|
can_exec(xserver_t, xkb_var_lib_t)
|
||||||
|
|
||||||
# VNC v4 module in X server
|
# VNC v4 module in X server
|
||||||
@@ -842,26 +1412,21 @@ init_use_fds(xserver_t)
|
@@ -842,26 +1413,21 @@ init_use_fds(xserver_t)
|
||||||
# to read ROLE_home_t - examine this in more detail
|
# to read ROLE_home_t - examine this in more detail
|
||||||
# (xauth?)
|
# (xauth?)
|
||||||
userdom_read_user_home_content_files(xserver_t)
|
userdom_read_user_home_content_files(xserver_t)
|
||||||
@ -33375,7 +33377,7 @@ index 8b403774f..7eb9dade6 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -912,7 +1477,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
|
@@ -912,7 +1478,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
|
||||||
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
|
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
|
||||||
# operations allowed on my windows
|
# operations allowed on my windows
|
||||||
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
||||||
@ -33384,7 +33386,7 @@ index 8b403774f..7eb9dade6 100644
|
|||||||
# operations allowed on all windows
|
# operations allowed on all windows
|
||||||
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
|
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
|
||||||
|
|
||||||
@@ -966,11 +1531,31 @@ allow x_domain self:x_resource { read write };
|
@@ -966,11 +1532,31 @@ allow x_domain self:x_resource { read write };
|
||||||
# can mess with the screensaver
|
# can mess with the screensaver
|
||||||
allow x_domain xserver_t:x_screen { getattr saver_getattr };
|
allow x_domain xserver_t:x_screen { getattr saver_getattr };
|
||||||
|
|
||||||
@ -33416,7 +33418,7 @@ index 8b403774f..7eb9dade6 100644
|
|||||||
tunable_policy(`! xserver_object_manager',`
|
tunable_policy(`! xserver_object_manager',`
|
||||||
# should be xserver_unconfined(x_domain),
|
# should be xserver_unconfined(x_domain),
|
||||||
# but typeattribute doesnt work in conditionals
|
# but typeattribute doesnt work in conditionals
|
||||||
@@ -992,18 +1577,148 @@ tunable_policy(`! xserver_object_manager',`
|
@@ -992,18 +1578,148 @@ tunable_policy(`! xserver_object_manager',`
|
||||||
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
|
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -40220,7 +40222,7 @@ index c42fbc329..bf211dbee 100644
|
|||||||
+ files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock")
|
+ files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock")
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
|
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
|
||||||
index be8ed1e6c..1afb965b8 100644
|
index be8ed1e6c..697c2cf05 100644
|
||||||
--- a/policy/modules/system/iptables.te
|
--- a/policy/modules/system/iptables.te
|
||||||
+++ b/policy/modules/system/iptables.te
|
+++ b/policy/modules/system/iptables.te
|
||||||
@@ -16,44 +16,61 @@ role iptables_roles types iptables_t;
|
@@ -16,44 +16,61 @@ role iptables_roles types iptables_t;
|
||||||
@ -40395,7 +40397,11 @@ index be8ed1e6c..1afb965b8 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -135,9 +186,9 @@ optional_policy(`
|
@@ -132,12 +183,13 @@ optional_policy(`
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
seutil_sigchld_newrole(iptables_t)
|
||||||
|
+ seutil_run_setfiles(iptables_t, iptables_roles)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
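Review bot: `seutil_run_setfiles(iptables_t, iptables_roles)` appears to give iptables_t a domain transition into setfiles_t, a domain that can relabel files anywhere on the system, so any script or service that reaches iptables_t now has a path to arbitrary relabeling rather than only to restoring the context the changelog describes. If the need is a correct label on /run/xtables.lock, the named file transition `files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock")` visible earlier in this patch already labels the lock on creation, and either no setfiles transition or a `seutil_domtrans_setfiles(iptables_t)` without the role expansion would be narrower; at minimum add a comment at the new line naming the caller that runs restorecon and citing the bug, e.g. `# restorecon on /run/xtables.lock from the iptables service scripts (bug ref)`. The optional_policy block begins inside this hunk, but the iptables_t policy continues beyond it.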
@ -50193,10 +50199,10 @@ index 000000000..5871e072d
|
|||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 000000000..9b84c582d
|
index 000000000..5033e0eb6
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/system/systemd.te
|
+++ b/policy/modules/system/systemd.te
|
||||||
@@ -0,0 +1,1037 @@
|
@@ -0,0 +1,1039 @@
|
||||||
+policy_module(systemd, 1.0.0)
|
+policy_module(systemd, 1.0.0)
|
||||||
+
|
+
|
||||||
+#######################################
|
+#######################################
|
||||||
@ -50874,6 +50880,8 @@ index 000000000..9b84c582d
|
|||||||
+
|
+
|
||||||
+dev_write_kmsg(systemd_localed_t)
|
+dev_write_kmsg(systemd_localed_t)
|
||||||
+
|
+
|
||||||
|
+files_mmap_usr_files(systemd_localed_t)
|
||||||
|
+
|
||||||
+init_dbus_chat(systemd_localed_t)
|
+init_dbus_chat(systemd_localed_t)
|
||||||
+init_reload_services(systemd_localed_t)
|
+init_reload_services(systemd_localed_t)
|
||||||
+
|
+
|
||||||
|
@ -589,7 +589,7 @@ index 058d908e4..ee0c55969 100644
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
diff --git a/abrt.te b/abrt.te
|
diff --git a/abrt.te b/abrt.te
|
||||||
index eb50f070f..64589c601 100644
|
index eb50f070f..4a8367de4 100644
|
||||||
--- a/abrt.te
|
--- a/abrt.te
|
||||||
+++ b/abrt.te
|
+++ b/abrt.te
|
||||||
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
|
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
|
||||||
@ -839,9 +839,9 @@ index eb50f070f..64589c601 100644
|
|||||||
+logging_send_syslog_msg(abrt_t)
|
+logging_send_syslog_msg(abrt_t)
|
||||||
+logging_stream_connect_syslog(abrt_t)
|
+logging_stream_connect_syslog(abrt_t)
|
||||||
+logging_read_syslog_pid(abrt_t)
|
+logging_read_syslog_pid(abrt_t)
|
||||||
|
|
||||||
+auth_use_nsswitch(abrt_t)
|
|
||||||
+
|
+
|
||||||
|
+auth_use_nsswitch(abrt_t)
|
||||||
|
|
||||||
+init_read_utmp(abrt_t)
|
+init_read_utmp(abrt_t)
|
||||||
+
|
+
|
||||||
+miscfiles_read_generic_certs(abrt_t)
|
+miscfiles_read_generic_certs(abrt_t)
|
||||||
@ -1060,7 +1060,7 @@ index eb50f070f..64589c601 100644
|
|||||||
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
|
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
|
||||||
|
|
||||||
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
|
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
|
||||||
@@ -365,38 +476,87 @@ corecmd_exec_shell(abrt_retrace_worker_t)
|
@@ -365,38 +476,90 @@ corecmd_exec_shell(abrt_retrace_worker_t)
|
||||||
|
|
||||||
dev_read_urand(abrt_retrace_worker_t)
|
dev_read_urand(abrt_retrace_worker_t)
|
||||||
|
|
||||||
@ -1119,9 +1119,12 @@ index eb50f070f..64589c601 100644
|
|||||||
|
|
||||||
domain_use_interactive_fds(abrt_dump_oops_t)
|
domain_use_interactive_fds(abrt_dump_oops_t)
|
||||||
+domain_signull_all_domains(abrt_dump_oops_t)
|
+domain_signull_all_domains(abrt_dump_oops_t)
|
||||||
+domain_ptrace_all_domains(abrt_dump_oops_t)
|
|
||||||
+domain_read_all_domains_state(abrt_dump_oops_t)
|
+domain_read_all_domains_state(abrt_dump_oops_t)
|
||||||
+domain_getattr_all_domains(abrt_dump_oops_t)
|
+domain_getattr_all_domains(abrt_dump_oops_t)
|
||||||
|
+
|
||||||
|
+tunable_policy(`deny_ptrace',`',`
|
||||||
|
+ domain_ptrace_all_domains(abrt_dump_oops_t)
|
||||||
|
+')
|
||||||
|
|
||||||
+files_manage_non_security_dirs(abrt_dump_oops_t)
|
+files_manage_non_security_dirs(abrt_dump_oops_t)
|
||||||
+files_manage_non_security_files(abrt_dump_oops_t)
|
+files_manage_non_security_files(abrt_dump_oops_t)
|
||||||
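Review bot: Moving `domain_ptrace_all_domains(abrt_dump_oops_t)` under `tunable_policy(`deny_ptrace',`',` ... ')` is the right hardening, but the empty first branch is easy to misread as "allow when deny_ptrace is on", so put `# ptrace of all domains only while deny_ptrace is off` above the tunable_policy. `domain_read_all_domains_state(abrt_dump_oops_t)` and `domain_signull_all_domains(abrt_dump_oops_t)` on the lines above stay unconditional, which matches the boolean's ptrace-only scope but still presumably exposes every domain's process state to the oops dumper; if it only parses kernel logs those could be narrowed in a follow-up. The abrt_dump_oops_t block continues beyond this hunk.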
@ -1152,7 +1155,7 @@ index eb50f070f..64589c601 100644
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
@@ -404,25 +564,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
|
@@ -404,25 +567,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
|
||||||
#
|
#
|
||||||
|
|
||||||
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
|
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
|
||||||
@ -1215,7 +1218,7 @@ index eb50f070f..64589c601 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@@ -430,10 +625,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
|
@@ -430,10 +628,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
|
||||||
# Global local policy
|
# Global local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -26558,10 +26561,10 @@ index 41c3f6770..653a1ecbb 100644
|
|||||||
## <summary>
|
## <summary>
|
||||||
## Execute dmidecode in the dmidecode
|
## Execute dmidecode in the dmidecode
|
||||||
diff --git a/dmidecode.te b/dmidecode.te
|
diff --git a/dmidecode.te b/dmidecode.te
|
||||||
index aa0ef6e94..3c52d892c 100644
|
index aa0ef6e94..d55bbd34c 100644
|
||||||
--- a/dmidecode.te
|
--- a/dmidecode.te
|
||||||
+++ b/dmidecode.te
|
+++ b/dmidecode.te
|
||||||
@@ -31,4 +31,8 @@ mls_file_read_all_levels(dmidecode_t)
|
@@ -31,4 +31,9 @@ mls_file_read_all_levels(dmidecode_t)
|
||||||
|
|
||||||
locallogin_use_fds(dmidecode_t)
|
locallogin_use_fds(dmidecode_t)
|
||||||
|
|
||||||
@ -26570,6 +26573,7 @@ index aa0ef6e94..3c52d892c 100644
|
|||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ rhsmcertd_rw_lock_files(dmidecode_t)
|
+ rhsmcertd_rw_lock_files(dmidecode_t)
|
||||||
|
+ rhsmcertd_read_log(dmidecode_t)
|
||||||
+')
|
+')
|
||||||
diff --git a/dnsmasq.fc b/dnsmasq.fc
|
diff --git a/dnsmasq.fc b/dnsmasq.fc
|
||||||
index 23ab808d8..84735a8cb 100644
|
index 23ab808d8..84735a8cb 100644
|
||||||
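Review bot: `rhsmcertd_read_log(dmidecode_t)` grants a hardware-table dumper standing read access to rhsmcertd's log files, which it has no functional reason to read; the commit gives no denial, and if the AVC came from a log descriptor inherited when rhsmcertd execs dmidecode, a write or append on the inherited fd would be expected rather than read, so either the grant is wider than the denial or the real trigger is something else. Please record the denial or add a comment such as `# rhsmcertd invokes dmidecode with its log file open (BZ ref); review scope` so the rule can be re-evaluated. The optional_policy block starts and ends within this hunk.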
@ -27529,7 +27533,7 @@ index d5badb755..c2431fc73 100644
|
|||||||
+ admin_pattern($1, dovecot_passwd_t)
|
+ admin_pattern($1, dovecot_passwd_t)
|
||||||
')
|
')
|
||||||
diff --git a/dovecot.te b/dovecot.te
|
diff --git a/dovecot.te b/dovecot.te
|
||||||
index 0aabc7e66..e95d44512 100644
|
index 0aabc7e66..958d6c8df 100644
|
||||||
--- a/dovecot.te
|
--- a/dovecot.te
|
||||||
+++ b/dovecot.te
|
+++ b/dovecot.te
|
||||||
@@ -7,12 +7,10 @@ policy_module(dovecot, 1.16.1)
|
@@ -7,12 +7,10 @@ policy_module(dovecot, 1.16.1)
|
||||||
@ -27785,7 +27789,7 @@ index 0aabc7e66..e95d44512 100644
|
|||||||
sendmail_domtrans(dovecot_t)
|
sendmail_domtrans(dovecot_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -227,46 +225,69 @@ optional_policy(`
|
@@ -227,49 +225,73 @@ optional_policy(`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -27865,7 +27869,11 @@ index 0aabc7e66..e95d44512 100644
|
|||||||
mysql_stream_connect(dovecot_auth_t)
|
mysql_stream_connect(dovecot_auth_t)
|
||||||
mysql_read_config(dovecot_auth_t)
|
mysql_read_config(dovecot_auth_t)
|
||||||
mysql_tcp_connect(dovecot_auth_t)
|
mysql_tcp_connect(dovecot_auth_t)
|
||||||
@@ -277,53 +298,79 @@ optional_policy(`
|
+ mysql_rw_db_sockets(dovecot_auth_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
@@ -277,53 +299,79 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
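Review bot: `mysql_rw_db_sockets(dovecot_auth_t)` adds read/write on the database-directory socket object on top of the `mysql_stream_connect(dovecot_auth_t)` already present two lines above, which presumably covers the socket under /run; the extra rule suggests a socket living under the mysqld data directory, and without a comment it will look redundant and be pruned. Add `# MariaDB socket under the data dir (mysqld_db_t), not /run; needed for stream connect` or cite the denial, and if the cause is a non-default socket path a file-context entry would be the narrower fix. The optional_policy block begins and ends within this hunk.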
@ -27964,7 +27972,7 @@ index 0aabc7e66..e95d44512 100644
|
|||||||
mta_read_queue(dovecot_deliver_t)
|
mta_read_queue(dovecot_deliver_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -332,5 +379,6 @@ optional_policy(`
|
@@ -332,5 +380,6 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -38941,10 +38949,10 @@ index 000000000..d0c5a1502
|
|||||||
+/var/run/hwloc(/.*)? gen_context(system_u:object_r:hwloc_var_run_t,s0)
|
+/var/run/hwloc(/.*)? gen_context(system_u:object_r:hwloc_var_run_t,s0)
|
||||||
diff --git a/hwloc.if b/hwloc.if
|
diff --git a/hwloc.if b/hwloc.if
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 000000000..c2349ecf5
|
index 000000000..f98e16612
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/hwloc.if
|
+++ b/hwloc.if
|
||||||
@@ -0,0 +1,106 @@
|
@@ -0,0 +1,110 @@
|
||||||
+## <summary>Dump topology and locality information from hardware tables.</summary>
|
+## <summary>Dump topology and locality information from hardware tables.</summary>
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -39045,9 +39053,13 @@ index 000000000..c2349ecf5
|
|||||||
+ type hwloc_dhwd_t, hwloc_var_run_t;
|
+ type hwloc_dhwd_t, hwloc_var_run_t;
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ allow $1 hwloc_dhwd_t:process { ptrace signal_perms };
|
+ allow $1 hwloc_dhwd_t:process { signal_perms };
|
||||||
+ ps_process_pattern($1, hwloc_dhwd_t)
|
+ ps_process_pattern($1, hwloc_dhwd_t)
|
||||||
+
|
+
|
||||||
|
+ tunable_policy(`deny_ptrace',`',`
|
||||||
|
+ allow $1 hwloc_dhwd_t:process ptrace;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
+ admin_pattern($1, hwloc_var_run_t)
|
+ admin_pattern($1, hwloc_var_run_t)
|
||||||
+ files_pid_filetrans($1, hwloc_var_run_t, dir, "hwloc")
|
+ files_pid_filetrans($1, hwloc_var_run_t, dir, "hwloc")
|
||||||
+')
|
+')
|
||||||
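Review bot: Dropping `ptrace` from `allow $1 hwloc_dhwd_t:process { signal_perms };` and re-granting it only inside `tunable_policy(`deny_ptrace',`',` ... ')` is correct, but the new block has no comment and the interface summary above this hunk presumably still describes unconditional process control. Add `# ptrace of the daemon is governed by the global deny_ptrace boolean` above the tunable_policy and mention the boolean in the interface documentation so an admin who sees a conditional rule in sesearch knows why. The hwloc admin interface starts before this hunk.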
@ -39259,10 +39271,10 @@ index 6517fadbb..f1837481b 100644
|
|||||||
+ allow $1 hypervkvp_unit_file_t:service all_service_perms;
|
+ allow $1 hypervkvp_unit_file_t:service all_service_perms;
|
||||||
')
|
')
|
||||||
diff --git a/hypervkvp.te b/hypervkvp.te
|
diff --git a/hypervkvp.te b/hypervkvp.te
|
||||||
index 4eb7041ef..ea3c93385 100644
|
index 4eb7041ef..180e5b799 100644
|
||||||
--- a/hypervkvp.te
|
--- a/hypervkvp.te
|
||||||
+++ b/hypervkvp.te
|
+++ b/hypervkvp.te
|
||||||
@@ -5,24 +5,158 @@ policy_module(hypervkvp, 1.0.0)
|
@@ -5,24 +5,163 @@ policy_module(hypervkvp, 1.0.0)
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -39295,10 +39307,9 @@ index 4eb7041ef..ea3c93385 100644
|
|||||||
+
|
+
|
||||||
+type hypervvssd_unit_file_t;
|
+type hypervvssd_unit_file_t;
|
||||||
+systemd_unit_file(hypervvssd_unit_file_t)
|
+systemd_unit_file(hypervvssd_unit_file_t)
|
||||||
|
+
|
||||||
########################################
|
+########################################
|
||||||
#
|
+#
|
||||||
-# Local policy
|
|
||||||
+# hyperv domain local policy
|
+# hyperv domain local policy
|
||||||
+#
|
+#
|
||||||
+
|
+
|
||||||
@ -39312,14 +39323,13 @@ index 4eb7041ef..ea3c93385 100644
|
|||||||
+corecmd_exec_bin(hyperv_domain)
|
+corecmd_exec_bin(hyperv_domain)
|
||||||
+
|
+
|
||||||
+dev_read_sysfs(hyperv_domain)
|
+dev_read_sysfs(hyperv_domain)
|
||||||
+
|
|
||||||
+########################################
|
|
||||||
#
|
|
||||||
+# hypervkvp local policy
|
|
||||||
#
|
|
||||||
|
|
||||||
-allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
|
########################################
|
||||||
-allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
|
#
|
||||||
|
-# Local policy
|
||||||
|
+# hypervkvp local policy
|
||||||
|
+#
|
||||||
|
+
|
||||||
+allow hypervkvp_t self:capability sys_ptrace;
|
+allow hypervkvp_t self:capability sys_ptrace;
|
||||||
+allow hypervkvp_t self:process setfscreate;
|
+allow hypervkvp_t self:process setfscreate;
|
||||||
+allow hypervkvp_t self:netlink_route_socket rw_netlink_socket_perms;
|
+allow hypervkvp_t self:netlink_route_socket rw_netlink_socket_perms;
|
||||||
@ -39397,12 +39407,17 @@ index 4eb7041ef..ea3c93385 100644
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
|
+ firewalld_dbus_chat(hypervkvp_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
+ netutils_domtrans_ping(hypervkvp_t)
|
+ netutils_domtrans_ping(hypervkvp_t)
|
||||||
+ netutils_domtrans(hypervkvp_t)
|
+ netutils_domtrans(hypervkvp_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ networkmanager_read_pid_files(hypervkvp_t)
|
+ networkmanager_read_pid_files(hypervkvp_t)
|
||||||
|
+ networkmanager_dbus_chat(hypervkvp_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
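Review bot: `firewalld_dbus_chat(hypervkvp_t)` and `networkmanager_dbus_chat(hypervkvp_t)` let the Hyper-V KVP daemon, which acts on key/value requests delivered from the hypervisor, talk to firewalld and NetworkManager over D-Bus with no method-level restriction, since SELinux dbus send_msg is all-or-nothing per peer; host-supplied input can therefore drive guest firewall and network configuration, and that trust-boundary decision should be recorded rather than left implicit. Add a comment above each new optional_policy block, e.g. `# KVP IP injection reconfigures the guest through the NM and firewalld D-Bus APIs (host-driven by design)`, and confirm the daemon actually needs firewalld and not only NetworkManager, as the changelog lists both without a bug reference. The hypervkvp_t policy block continues beyond this hunk.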
@ -39414,10 +39429,12 @@ index 4eb7041ef..ea3c93385 100644
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+#
|
#
|
||||||
+# hypervvssd local policy
|
+# hypervvssd local policy
|
||||||
+#
|
#
|
||||||
+
|
|
||||||
|
-allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
|
||||||
|
-allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
+allow hypervvssd_t self:capability sys_admin;
|
+allow hypervvssd_t self:capability sys_admin;
|
||||||
+
|
+
|
||||||
+dev_rw_hypervvssd(hypervvssd_t)
|
+dev_rw_hypervvssd(hypervvssd_t)
|
||||||
@ -56872,7 +56889,7 @@ index ed81cac5a..cd52baf59 100644
|
|||||||
+ mta_filetrans_admin_home_content($1)
|
+ mta_filetrans_admin_home_content($1)
|
||||||
+')
|
+')
|
||||||
diff --git a/mta.te b/mta.te
|
diff --git a/mta.te b/mta.te
|
||||||
index ff1d68c6a..d04527358 100644
|
index ff1d68c6a..28ff27c22 100644
|
||||||
--- a/mta.te
|
--- a/mta.te
|
||||||
+++ b/mta.te
|
+++ b/mta.te
|
||||||
@@ -14,8 +14,6 @@ attribute mailserver_sender;
|
@@ -14,8 +14,6 @@ attribute mailserver_sender;
|
||||||
@ -56972,7 +56989,7 @@ index ff1d68c6a..d04527358 100644
|
|||||||
procmail_exec(user_mail_domain)
|
procmail_exec(user_mail_domain)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -166,57 +166,77 @@ optional_policy(`
|
@@ -166,57 +166,79 @@ optional_policy(`
|
||||||
uucp_manage_spool(user_mail_domain)
|
uucp_manage_spool(user_mail_domain)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -56985,24 +57002,25 @@ index ff1d68c6a..d04527358 100644
|
|||||||
#
|
#
|
||||||
|
|
||||||
-allow system_mail_t self:capability { dac_override fowner };
|
-allow system_mail_t self:capability { dac_override fowner };
|
||||||
-
|
|
||||||
-read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
|
|
||||||
-
|
|
||||||
-read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
|
|
||||||
+# newalias required this, not sure if it is needed in 'if' file
|
+# newalias required this, not sure if it is needed in 'if' file
|
||||||
+allow system_mail_t self:capability { dac_read_search fowner };
|
+allow system_mail_t self:capability { dac_read_search fowner };
|
||||||
+dontaudit system_mail_t self:capability net_admin;
|
+dontaudit system_mail_t self:capability net_admin;
|
||||||
|
|
||||||
allow system_mail_t mail_home_t:file manage_file_perms;
|
-read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
|
||||||
|
+allow system_mail_t mail_home_t:file manage_file_perms;
|
||||||
|
|
||||||
|
read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
|
||||||
|
|
||||||
|
-allow system_mail_t mail_home_t:file manage_file_perms;
|
||||||
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".esmtp_queue")
|
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".esmtp_queue")
|
||||||
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".forward")
|
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".forward")
|
||||||
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".mailrc")
|
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".mailrc")
|
||||||
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, "dead.letter")
|
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, "dead.letter")
|
||||||
|
-
|
||||||
-allow system_mail_t user_mail_domain:dir list_dir_perms;
|
-allow system_mail_t user_mail_domain:dir list_dir_perms;
|
||||||
-allow system_mail_t user_mail_domain:file read_file_perms;
|
-allow system_mail_t user_mail_domain:file read_file_perms;
|
||||||
-allow system_mail_t user_mail_domain:lnk_file read_lnk_file_perms;
|
-allow system_mail_t user_mail_domain:lnk_file read_lnk_file_perms;
|
||||||
+read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
|
+kernel_search_network_sysctl(system_mail_t)
|
||||||
|
|
||||||
corecmd_exec_shell(system_mail_t)
|
corecmd_exec_shell(system_mail_t)
|
||||||
|
|
||||||
@ -57019,14 +57037,14 @@ index ff1d68c6a..d04527358 100644
|
|||||||
|
|
||||||
init_use_script_ptys(system_mail_t)
|
init_use_script_ptys(system_mail_t)
|
||||||
+init_dontaudit_rw_stream_socket(system_mail_t)
|
+init_dontaudit_rw_stream_socket(system_mail_t)
|
||||||
|
+
|
||||||
-userdom_use_user_terminals(system_mail_t)
|
|
||||||
+userdom_use_inherited_user_terminals(system_mail_t)
|
+userdom_use_inherited_user_terminals(system_mail_t)
|
||||||
+userdom_dontaudit_list_user_home_dirs(system_mail_t)
|
+userdom_dontaudit_list_user_home_dirs(system_mail_t)
|
||||||
+userdom_dontaudit_list_admin_dir(system_mail_t)
|
+userdom_dontaudit_list_admin_dir(system_mail_t)
|
||||||
+userdom_dontaudit_list_user_tmp(system_mail_t)
|
+userdom_dontaudit_list_user_tmp(system_mail_t)
|
||||||
+userdom_dontaudit_read_inherited_admin_home_files(system_mail_t)
|
+userdom_dontaudit_read_inherited_admin_home_files(system_mail_t)
|
||||||
+
|
|
||||||
|
-userdom_use_user_terminals(system_mail_t)
|
||||||
+manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
|
+manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
|
||||||
+manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
|
+manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
|
||||||
+
|
+
|
||||||
@ -57069,7 +57087,7 @@ index ff1d68c6a..d04527358 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -225,17 +245,21 @@ optional_policy(`
|
@@ -225,17 +247,21 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -57093,7 +57111,7 @@ index ff1d68c6a..d04527358 100644
|
|||||||
courier_stream_connect_authdaemon(system_mail_t)
|
courier_stream_connect_authdaemon(system_mail_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -244,9 +268,10 @@ optional_policy(`
|
@@ -244,9 +270,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -57107,7 +57125,7 @@ index ff1d68c6a..d04527358 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -258,10 +283,17 @@ optional_policy(`
|
@@ -258,10 +285,17 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -57125,7 +57143,7 @@ index ff1d68c6a..d04527358 100644
|
|||||||
nagios_read_tmp_files(system_mail_t)
|
nagios_read_tmp_files(system_mail_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -272,6 +304,19 @@ optional_policy(`
|
@@ -272,6 +306,19 @@ optional_policy(`
|
||||||
manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
|
manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
|
||||||
manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
|
manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
|
||||||
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
|
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
|
||||||
@ -57145,7 +57163,7 @@ index ff1d68c6a..d04527358 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -279,6 +324,10 @@ optional_policy(`
|
@@ -279,6 +326,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -57156,7 +57174,7 @@ index ff1d68c6a..d04527358 100644
|
|||||||
userdom_dontaudit_use_user_ptys(system_mail_t)
|
userdom_dontaudit_use_user_ptys(system_mail_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -287,42 +336,36 @@ optional_policy(`
|
@@ -287,42 +338,36 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -57209,7 +57227,7 @@ index ff1d68c6a..d04527358 100644
|
|||||||
|
|
||||||
allow mailserver_delivery mail_spool_t:dir list_dir_perms;
|
allow mailserver_delivery mail_spool_t:dir list_dir_perms;
|
||||||
create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
|
create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
|
||||||
@@ -331,44 +374,48 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
|
@@ -331,44 +376,48 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
|
||||||
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
|
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
|
||||||
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
|
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
|
||||||
|
|
||||||
@ -57279,7 +57297,7 @@ index ff1d68c6a..d04527358 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -381,24 +428,49 @@ optional_policy(`
|
@@ -381,24 +430,49 @@ optional_policy(`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -60031,10 +60049,10 @@ index 0641e970f..f3b111172 100644
|
|||||||
+ admin_pattern($1, nrpe_etc_t)
|
+ admin_pattern($1, nrpe_etc_t)
|
||||||
')
|
')
|
||||||
diff --git a/nagios.te b/nagios.te
|
diff --git a/nagios.te b/nagios.te
|
||||||
index 7b3e682e6..3b5f4e6ec 100644
|
index 7b3e682e6..bbbadba75 100644
|
||||||
--- a/nagios.te
|
--- a/nagios.te
|
||||||
+++ b/nagios.te
|
+++ b/nagios.te
|
||||||
@@ -5,6 +5,25 @@ policy_module(nagios, 1.13.0)
|
@@ -5,6 +5,33 @@ policy_module(nagios, 1.13.0)
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -60052,6 +60070,14 @@ index 7b3e682e6..3b5f4e6ec 100644
|
|||||||
+## </desc>
|
+## </desc>
|
||||||
+gen_tunable(nagios_run_pnp4nagios, false)
|
+gen_tunable(nagios_run_pnp4nagios, false)
|
||||||
+
|
+
|
||||||
|
+## <desc>
|
||||||
|
+## <p>
|
||||||
|
+## Determine whether Nagios, NRPE can
|
||||||
|
+## access nfs file systems.
|
||||||
|
+## </p>
|
||||||
|
+## </desc>
|
||||||
|
+gen_tunable(nagios_use_nfs, false)
|
||||||
|
+
|
||||||
+gen_require(`
|
+gen_require(`
|
||||||
+ class passwd rootok;
|
+ class passwd rootok;
|
||||||
+ class passwd passwd;
|
+ class passwd passwd;
|
||||||
@ -60060,7 +60086,7 @@ index 7b3e682e6..3b5f4e6ec 100644
|
|||||||
attribute nagios_plugin_domain;
|
attribute nagios_plugin_domain;
|
||||||
|
|
||||||
type nagios_t;
|
type nagios_t;
|
||||||
@@ -27,7 +46,7 @@ type nagios_var_run_t;
|
@@ -27,7 +54,7 @@ type nagios_var_run_t;
|
||||||
files_pid_file(nagios_var_run_t)
|
files_pid_file(nagios_var_run_t)
|
||||||
|
|
||||||
type nagios_spool_t;
|
type nagios_spool_t;
|
||||||
@ -60069,7 +60095,7 @@ index 7b3e682e6..3b5f4e6ec 100644
|
|||||||
|
|
||||||
type nagios_var_lib_t;
|
type nagios_var_lib_t;
|
||||||
files_type(nagios_var_lib_t)
|
files_type(nagios_var_lib_t)
|
||||||
@@ -39,6 +58,7 @@ nagios_plugin_template(services)
|
@@ -39,6 +66,7 @@ nagios_plugin_template(services)
|
||||||
nagios_plugin_template(system)
|
nagios_plugin_template(system)
|
||||||
nagios_plugin_template(unconfined)
|
nagios_plugin_template(unconfined)
|
||||||
nagios_plugin_template(eventhandler)
|
nagios_plugin_template(eventhandler)
|
||||||
@ -60077,7 +60103,7 @@ index 7b3e682e6..3b5f4e6ec 100644
|
|||||||
|
|
||||||
type nagios_eventhandler_plugin_tmp_t;
|
type nagios_eventhandler_plugin_tmp_t;
|
||||||
files_tmp_file(nagios_eventhandler_plugin_tmp_t)
|
files_tmp_file(nagios_eventhandler_plugin_tmp_t)
|
||||||
@@ -46,6 +66,9 @@ files_tmp_file(nagios_eventhandler_plugin_tmp_t)
|
@@ -46,6 +74,9 @@ files_tmp_file(nagios_eventhandler_plugin_tmp_t)
|
||||||
type nagios_system_plugin_tmp_t;
|
type nagios_system_plugin_tmp_t;
|
||||||
files_tmp_file(nagios_system_plugin_tmp_t)
|
files_tmp_file(nagios_system_plugin_tmp_t)
|
||||||
|
|
||||||
@ -60087,7 +60113,7 @@ index 7b3e682e6..3b5f4e6ec 100644
|
|||||||
type nrpe_t;
|
type nrpe_t;
|
||||||
type nrpe_exec_t;
|
type nrpe_exec_t;
|
||||||
init_daemon_domain(nrpe_t, nrpe_exec_t)
|
init_daemon_domain(nrpe_t, nrpe_exec_t)
|
||||||
@@ -63,30 +86,33 @@ files_pid_file(nrpe_var_run_t)
|
@@ -63,30 +94,33 @@ files_pid_file(nrpe_var_run_t)
|
||||||
|
|
||||||
allow nagios_plugin_domain self:fifo_file rw_fifo_file_perms;
|
allow nagios_plugin_domain self:fifo_file rw_fifo_file_perms;
|
||||||
|
|
||||||
@ -60129,7 +60155,7 @@ index 7b3e682e6..3b5f4e6ec 100644
|
|||||||
|
|
||||||
allow nagios_t nagios_plugin_domain:process signal_perms;
|
allow nagios_t nagios_plugin_domain:process signal_perms;
|
||||||
|
|
||||||
@@ -96,11 +122,13 @@ allow nagios_t nagios_etc_t:dir list_dir_perms;
|
@@ -96,11 +130,13 @@ allow nagios_t nagios_etc_t:dir list_dir_perms;
|
||||||
allow nagios_t nagios_etc_t:file read_file_perms;
|
allow nagios_t nagios_etc_t:file read_file_perms;
|
||||||
allow nagios_t nagios_etc_t:lnk_file read_lnk_file_perms;
|
allow nagios_t nagios_etc_t:lnk_file read_lnk_file_perms;
|
||||||
|
|
||||||
@ -60148,7 +60174,7 @@ index 7b3e682e6..3b5f4e6ec 100644
|
|||||||
|
|
||||||
manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
|
manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
|
||||||
manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
|
manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
|
||||||
@@ -110,11 +138,14 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
|
@@ -110,11 +146,14 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
|
||||||
files_pid_filetrans(nagios_t, nagios_var_run_t, file)
|
files_pid_filetrans(nagios_t, nagios_var_run_t, file)
|
||||||
|
|
||||||
manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
|
manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
|
||||||
@ -60165,7 +60191,7 @@ index 7b3e682e6..3b5f4e6ec 100644
|
|||||||
|
|
||||||
kernel_read_system_state(nagios_t)
|
kernel_read_system_state(nagios_t)
|
||||||
kernel_read_kernel_sysctls(nagios_t)
|
kernel_read_kernel_sysctls(nagios_t)
|
||||||
@@ -123,7 +154,6 @@ kernel_read_software_raid_state(nagios_t)
|
@@ -123,7 +162,6 @@ kernel_read_software_raid_state(nagios_t)
|
||||||
corecmd_exec_bin(nagios_t)
|
corecmd_exec_bin(nagios_t)
|
||||||
corecmd_exec_shell(nagios_t)
|
corecmd_exec_shell(nagios_t)
|
||||||
|
|
||||||
@ -60173,7 +60199,7 @@ index 7b3e682e6..3b5f4e6ec 100644
|
|||||||
corenet_all_recvfrom_netlabel(nagios_t)
|
corenet_all_recvfrom_netlabel(nagios_t)
|
||||||
corenet_tcp_sendrecv_generic_if(nagios_t)
|
corenet_tcp_sendrecv_generic_if(nagios_t)
|
||||||
corenet_tcp_sendrecv_generic_node(nagios_t)
|
corenet_tcp_sendrecv_generic_node(nagios_t)
|
||||||
@@ -143,18 +173,16 @@ domain_read_all_domains_state(nagios_t)
|
@@ -143,18 +181,16 @@ domain_read_all_domains_state(nagios_t)
|
||||||
|
|
||||||
files_read_etc_runtime_files(nagios_t)
|
files_read_etc_runtime_files(nagios_t)
|
||||||
files_read_kernel_symbol_table(nagios_t)
|
files_read_kernel_symbol_table(nagios_t)
|
||||||
@ -60193,7 +60219,7 @@ index 7b3e682e6..3b5f4e6ec 100644
|
|||||||
userdom_dontaudit_use_unpriv_user_fds(nagios_t)
|
userdom_dontaudit_use_unpriv_user_fds(nagios_t)
|
||||||
userdom_dontaudit_search_user_home_dirs(nagios_t)
|
userdom_dontaudit_search_user_home_dirs(nagios_t)
|
||||||
|
|
||||||
@@ -162,6 +190,41 @@ mta_send_mail(nagios_t)
|
@@ -162,6 +198,47 @@ mta_send_mail(nagios_t)
|
||||||
mta_signal_system_mail(nagios_t)
|
mta_signal_system_mail(nagios_t)
|
||||||
mta_kill_system_mail(nagios_t)
|
mta_kill_system_mail(nagios_t)
|
||||||
|
|
||||||
@ -60231,11 +60257,17 @@ index 7b3e682e6..3b5f4e6ec 100644
|
|||||||
+tunable_policy(`nagios_run_pnp4nagios',`
|
+tunable_policy(`nagios_run_pnp4nagios',`
|
||||||
+ allow nagios_t nagios_log_t:file execute;
|
+ allow nagios_t nagios_log_t:file execute;
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
|
+tunable_policy(`nagios_use_nfs',`
|
||||||
|
+ fs_manage_nfs_files(nagios_t)
|
||||||
|
+ fs_manage_nfs_dirs(nagios_t)
|
||||||
|
+ fs_manage_nfs_symlinks(nagios_t)
|
||||||
|
+')
|
||||||
+
|
+
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
netutils_kill_ping(nagios_t)
|
netutils_kill_ping(nagios_t)
|
||||||
')
|
')
|
||||||
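Review bot: The new `nagios_use_nfs` block grants nagios_t full manage rights on every NFS mount (`fs_manage_nfs_files`, `fs_manage_nfs_dirs`, `fs_manage_nfs_symlinks`), while nothing in the hunk or the changelog names a write requirement. If the actual case is the common one -- configuration, plugins or archived status data living on an NFS share -- a read-only grant (`fs_read_nfs_files(nagios_t)`, `fs_read_nfs_symlinks(nagios_t)` and `fs_list_nfs(nagios_t)`) bounds what a compromised nagios daemon can do to shared storage, and write access can be offered separately if someone asks for it. If write access is genuinely needed (for example perfdata or status files on NFS), a one-line comment naming that need above the tunable_policy block would save the next reviewer the same question. The nagios_t local policy continues outside this hunk.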
@@ -178,35 +241,37 @@ optional_policy(`
|
@@ -178,35 +255,38 @@ optional_policy(`
|
||||||
#
|
#
|
||||||
# CGI local policy
|
# CGI local policy
|
||||||
#
|
#
|
||||||
@ -60267,6 +60299,7 @@ index 7b3e682e6..3b5f4e6ec 100644
|
|||||||
- rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t)
|
- rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t)
|
||||||
+ files_search_spool(nagios_script_t)
|
+ files_search_spool(nagios_script_t)
|
||||||
+ rw_fifo_files_pattern(nagios_script_t, nagios_spool_t, nagios_spool_t)
|
+ rw_fifo_files_pattern(nagios_script_t, nagios_spool_t, nagios_spool_t)
|
||||||
|
+ read_files_pattern(nagios_script_t, nagios_spool_t, nagios_spool_t)
|
||||||
|
|
||||||
- allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms;
|
- allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms;
|
||||||
- read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
|
- read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
|
||||||
@ -60291,7 +60324,7 @@ index 7b3e682e6..3b5f4e6ec 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -214,7 +279,7 @@ optional_policy(`
|
@@ -214,7 +294,7 @@ optional_policy(`
|
||||||
# Nrpe local policy
|
# Nrpe local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -60300,7 +60333,7 @@ index 7b3e682e6..3b5f4e6ec 100644
|
|||||||
dontaudit nrpe_t self:capability { sys_tty_config sys_resource };
|
dontaudit nrpe_t self:capability { sys_tty_config sys_resource };
|
||||||
allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
|
allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
|
||||||
allow nrpe_t self:fifo_file rw_fifo_file_perms;
|
allow nrpe_t self:fifo_file rw_fifo_file_perms;
|
||||||
@@ -229,9 +294,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
|
@@ -229,9 +309,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
|
||||||
|
|
||||||
domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
|
domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
|
||||||
|
|
||||||
@ -60311,7 +60344,7 @@ index 7b3e682e6..3b5f4e6ec 100644
|
|||||||
|
|
||||||
corecmd_exec_bin(nrpe_t)
|
corecmd_exec_bin(nrpe_t)
|
||||||
corecmd_exec_shell(nrpe_t)
|
corecmd_exec_shell(nrpe_t)
|
||||||
@@ -252,8 +317,8 @@ dev_read_urand(nrpe_t)
|
@@ -252,8 +332,8 @@ dev_read_urand(nrpe_t)
|
||||||
domain_use_interactive_fds(nrpe_t)
|
domain_use_interactive_fds(nrpe_t)
|
||||||
domain_read_all_domains_state(nrpe_t)
|
domain_read_all_domains_state(nrpe_t)
|
||||||
|
|
||||||
@ -60321,7 +60354,7 @@ index 7b3e682e6..3b5f4e6ec 100644
|
|||||||
|
|
||||||
fs_getattr_all_fs(nrpe_t)
|
fs_getattr_all_fs(nrpe_t)
|
||||||
fs_search_auto_mountpoints(nrpe_t)
|
fs_search_auto_mountpoints(nrpe_t)
|
||||||
@@ -262,10 +327,34 @@ auth_use_nsswitch(nrpe_t)
|
@@ -262,10 +342,40 @@ auth_use_nsswitch(nrpe_t)
|
||||||
|
|
||||||
logging_send_syslog_msg(nrpe_t)
|
logging_send_syslog_msg(nrpe_t)
|
||||||
|
|
||||||
@ -60354,11 +60387,17 @@ index 7b3e682e6..3b5f4e6ec 100644
|
|||||||
+ ')
|
+ ')
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
+
|
||||||
|
+tunable_policy(`nagios_use_nfs',`
|
||||||
|
+ fs_manage_nfs_files(nrpe_t)
|
||||||
|
+ fs_manage_nfs_dirs(nrpe_t)
|
||||||
|
+ fs_manage_nfs_symlinks(nrpe_t)
|
||||||
|
+')
|
||||||
+
|
+
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
inetd_tcp_service_domain(nrpe_t, nrpe_exec_t)
|
inetd_tcp_service_domain(nrpe_t, nrpe_exec_t)
|
||||||
')
|
')
|
||||||
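Review bot: The same `nagios_use_nfs` block is added here for nrpe_t, the network-facing daemon that runs checks on request from remote Nagios servers, so with the boolean on, every check that does not transition to a plugin domain (nrpe_t has `corecmd_exec_bin`/`corecmd_exec_shell` in context above) gets create, write and delete on all NFS content reachable by nrpe_t via `fs_manage_nfs_files`, `fs_manage_nfs_dirs` and `fs_manage_nfs_symlinks`. Unless a write case is known, a read-only variant (`fs_read_nfs_files(nrpe_t)` with `fs_read_nfs_symlinks(nrpe_t)` and `fs_list_nfs(nrpe_t)`) is the safer default for this domain. Separately, the new side now carries two consecutive blank `+` lines in front of the tunable_policy block (one was already there, one is added in this hunk); drop the added one to keep the single-blank-line spacing used elsewhere in the file.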
@@ -309,16 +398,16 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
|
@@ -309,16 +419,16 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
|
||||||
# Mail local policy
|
# Mail local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -60379,7 +60418,7 @@ index 7b3e682e6..3b5f4e6ec 100644
|
|||||||
logging_send_syslog_msg(nagios_mail_plugin_t)
|
logging_send_syslog_msg(nagios_mail_plugin_t)
|
||||||
|
|
||||||
sysnet_dns_name_resolve(nagios_mail_plugin_t)
|
sysnet_dns_name_resolve(nagios_mail_plugin_t)
|
||||||
@@ -345,9 +434,14 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
|
@@ -345,9 +455,14 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
|
||||||
|
|
||||||
kernel_read_software_raid_state(nagios_checkdisk_plugin_t)
|
kernel_read_software_raid_state(nagios_checkdisk_plugin_t)
|
||||||
|
|
||||||
@ -60394,7 +60433,7 @@ index 7b3e682e6..3b5f4e6ec 100644
|
|||||||
fs_getattr_all_fs(nagios_checkdisk_plugin_t)
|
fs_getattr_all_fs(nagios_checkdisk_plugin_t)
|
||||||
|
|
||||||
storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
|
storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
|
||||||
@@ -357,9 +451,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
|
@@ -357,9 +472,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
|
||||||
# Services local policy
|
# Services local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -60408,7 +60447,7 @@ index 7b3e682e6..3b5f4e6ec 100644
|
|||||||
|
|
||||||
corecmd_exec_bin(nagios_services_plugin_t)
|
corecmd_exec_bin(nagios_services_plugin_t)
|
||||||
|
|
||||||
@@ -391,6 +487,11 @@ optional_policy(`
|
@@ -391,6 +508,11 @@ optional_policy(`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
mysql_stream_connect(nagios_services_plugin_t)
|
mysql_stream_connect(nagios_services_plugin_t)
|
||||||
@ -60420,7 +60459,7 @@ index 7b3e682e6..3b5f4e6ec 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -402,32 +503,40 @@ optional_policy(`
|
@@ -402,32 +524,40 @@ optional_policy(`
|
||||||
# System local policy
|
# System local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -60464,7 +60503,7 @@ index 7b3e682e6..3b5f4e6ec 100644
|
|||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# Event local policy
|
# Event local policy
|
||||||
@@ -442,9 +551,39 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
|
@@ -442,9 +572,39 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
|
||||||
|
|
||||||
init_domtrans_script(nagios_eventhandler_plugin_t)
|
init_domtrans_script(nagios_eventhandler_plugin_t)
|
||||||
|
|
||||||
@ -77293,7 +77332,7 @@ index ded95ec3a..210018ce4 100644
|
|||||||
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
|
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
|
||||||
')
|
')
|
||||||
diff --git a/postfix.te b/postfix.te
|
diff --git a/postfix.te b/postfix.te
|
||||||
index 5cfb83eca..657a4346e 100644
|
index 5cfb83eca..67f813d34 100644
|
||||||
--- a/postfix.te
|
--- a/postfix.te
|
||||||
+++ b/postfix.te
|
+++ b/postfix.te
|
||||||
@@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1)
|
@@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1)
|
||||||
@ -78148,7 +78187,7 @@ index 5cfb83eca..657a4346e 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -774,31 +730,101 @@ optional_policy(`
|
@@ -774,31 +730,102 @@ optional_policy(`
|
||||||
sasl_connect(postfix_smtpd_t)
|
sasl_connect(postfix_smtpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -78254,6 +78293,7 @@ index 5cfb83eca..657a4346e 100644
|
|||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ mysql_stream_connect(postfix_domain)
|
+ mysql_stream_connect(postfix_domain)
|
||||||
|
+ mysql_rw_db_sockets(postfix_domain)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
@ -86309,7 +86349,7 @@ index 44605825c..4c66c2502 100644
|
|||||||
+
|
+
|
||||||
')
|
')
|
||||||
diff --git a/radius.te b/radius.te
|
diff --git a/radius.te b/radius.te
|
||||||
index 403a4fed1..5357a7e46 100644
|
index 403a4fed1..590926857 100644
|
||||||
--- a/radius.te
|
--- a/radius.te
|
||||||
+++ b/radius.te
|
+++ b/radius.te
|
||||||
@@ -5,6 +5,13 @@ policy_module(radius, 1.13.0)
|
@@ -5,6 +5,13 @@ policy_module(radius, 1.13.0)
|
||||||
@ -86342,11 +86382,21 @@ index 403a4fed1..5357a7e46 100644
|
|||||||
+allow radiusd_t self:capability { chown dac_read_search fsetid kill setgid setuid sys_resource sys_tty_config sys_ptrace };
|
+allow radiusd_t self:capability { chown dac_read_search fsetid kill setgid setuid sys_resource sys_tty_config sys_ptrace };
|
||||||
dontaudit radiusd_t self:capability sys_tty_config;
|
dontaudit radiusd_t self:capability sys_tty_config;
|
||||||
-allow radiusd_t self:process { getsched setrlimit setsched sigkill signal };
|
-allow radiusd_t self:process { getsched setrlimit setsched sigkill signal };
|
||||||
+allow radiusd_t self:process { getsched setrlimit setsched sigkill signal ptrace};
|
+allow radiusd_t self:process { getsched setrlimit setsched sigkill signal};
|
||||||
allow radiusd_t self:fifo_file rw_fifo_file_perms;
|
allow radiusd_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow radiusd_t self:unix_stream_socket { accept listen };
|
allow radiusd_t self:unix_stream_socket { accept listen };
|
||||||
allow radiusd_t self:tcp_socket { accept listen };
|
allow radiusd_t self:tcp_socket { accept listen };
|
||||||
@@ -49,9 +59,7 @@ manage_lnk_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t)
|
@@ -43,15 +53,17 @@ allow radiusd_t radiusd_etc_t:dir list_dir_perms;
|
||||||
|
allow radiusd_t radiusd_etc_t:file read_file_perms;
|
||||||
|
allow radiusd_t radiusd_etc_t:lnk_file read_lnk_file_perms;
|
||||||
|
|
||||||
|
+tunable_policy(`deny_ptrace',`',`
|
||||||
|
+ allow radiusd_t self:process ptrace;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
manage_dirs_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t)
|
||||||
|
manage_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t)
|
||||||
|
manage_lnk_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t)
|
||||||
filetrans_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_rw_t, { dir file lnk_file })
|
filetrans_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_rw_t, { dir file lnk_file })
|
||||||
|
|
||||||
manage_dirs_pattern(radiusd_t, radiusd_log_t, radiusd_log_t)
|
manage_dirs_pattern(radiusd_t, radiusd_log_t, radiusd_log_t)
|
||||||
@ -86357,7 +86407,7 @@ index 403a4fed1..5357a7e46 100644
|
|||||||
logging_log_filetrans(radiusd_t, radiusd_log_t, { file dir })
|
logging_log_filetrans(radiusd_t, radiusd_log_t, { file dir })
|
||||||
|
|
||||||
manage_files_pattern(radiusd_t, radiusd_var_lib_t, radiusd_var_lib_t)
|
manage_files_pattern(radiusd_t, radiusd_var_lib_t, radiusd_var_lib_t)
|
||||||
@@ -60,11 +68,11 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
|
@@ -60,11 +72,11 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
|
||||||
manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
|
manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
|
||||||
manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
|
manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
|
||||||
files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir })
|
files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir })
|
||||||
@ -86370,7 +86420,7 @@ index 403a4fed1..5357a7e46 100644
|
|||||||
corenet_all_recvfrom_netlabel(radiusd_t)
|
corenet_all_recvfrom_netlabel(radiusd_t)
|
||||||
corenet_tcp_sendrecv_generic_if(radiusd_t)
|
corenet_tcp_sendrecv_generic_if(radiusd_t)
|
||||||
corenet_udp_sendrecv_generic_if(radiusd_t)
|
corenet_udp_sendrecv_generic_if(radiusd_t)
|
||||||
@@ -74,12 +82,22 @@ corenet_tcp_sendrecv_all_ports(radiusd_t)
|
@@ -74,12 +86,22 @@ corenet_tcp_sendrecv_all_ports(radiusd_t)
|
||||||
corenet_udp_sendrecv_all_ports(radiusd_t)
|
corenet_udp_sendrecv_all_ports(radiusd_t)
|
||||||
corenet_udp_bind_generic_node(radiusd_t)
|
corenet_udp_bind_generic_node(radiusd_t)
|
||||||
|
|
||||||
@ -86393,7 +86443,7 @@ index 403a4fed1..5357a7e46 100644
|
|||||||
corenet_sendrecv_snmp_client_packets(radiusd_t)
|
corenet_sendrecv_snmp_client_packets(radiusd_t)
|
||||||
corenet_tcp_connect_snmp_port(radiusd_t)
|
corenet_tcp_connect_snmp_port(radiusd_t)
|
||||||
|
|
||||||
@@ -97,7 +115,6 @@ domain_use_interactive_fds(radiusd_t)
|
@@ -97,7 +119,6 @@ domain_use_interactive_fds(radiusd_t)
|
||||||
fs_getattr_all_fs(radiusd_t)
|
fs_getattr_all_fs(radiusd_t)
|
||||||
fs_search_auto_mountpoints(radiusd_t)
|
fs_search_auto_mountpoints(radiusd_t)
|
||||||
|
|
||||||
@ -86401,7 +86451,7 @@ index 403a4fed1..5357a7e46 100644
|
|||||||
files_read_etc_runtime_files(radiusd_t)
|
files_read_etc_runtime_files(radiusd_t)
|
||||||
files_dontaudit_list_tmp(radiusd_t)
|
files_dontaudit_list_tmp(radiusd_t)
|
||||||
|
|
||||||
@@ -109,7 +126,6 @@ libs_exec_lib_files(radiusd_t)
|
@@ -109,7 +130,6 @@ libs_exec_lib_files(radiusd_t)
|
||||||
|
|
||||||
logging_send_syslog_msg(radiusd_t)
|
logging_send_syslog_msg(radiusd_t)
|
||||||
|
|
||||||
@ -86409,7 +86459,7 @@ index 403a4fed1..5357a7e46 100644
|
|||||||
miscfiles_read_generic_certs(radiusd_t)
|
miscfiles_read_generic_certs(radiusd_t)
|
||||||
|
|
||||||
sysnet_use_ldap(radiusd_t)
|
sysnet_use_ldap(radiusd_t)
|
||||||
@@ -117,11 +133,22 @@ sysnet_use_ldap(radiusd_t)
|
@@ -117,11 +137,22 @@ sysnet_use_ldap(radiusd_t)
|
||||||
userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
|
userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
|
||||||
userdom_dontaudit_search_user_home_dirs(radiusd_t)
|
userdom_dontaudit_search_user_home_dirs(radiusd_t)
|
||||||
|
|
||||||
@ -86432,7 +86482,7 @@ index 403a4fed1..5357a7e46 100644
|
|||||||
logrotate_exec(radiusd_t)
|
logrotate_exec(radiusd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -132,6 +159,11 @@ optional_policy(`
|
@@ -132,6 +163,11 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -86444,7 +86494,7 @@ index 403a4fed1..5357a7e46 100644
|
|||||||
samba_domtrans_winbind_helper(radiusd_t)
|
samba_domtrans_winbind_helper(radiusd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -140,5 +172,10 @@ optional_policy(`
|
@@ -140,5 +176,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -97654,7 +97704,7 @@ index 50d07fb2e..a34db489c 100644
|
|||||||
+ allow $1 samba_unit_file_t:service all_service_perms;
|
+ allow $1 samba_unit_file_t:service all_service_perms;
|
||||||
')
|
')
|
||||||
diff --git a/samba.te b/samba.te
|
diff --git a/samba.te b/samba.te
|
||||||
index 2b7c441e7..0ad80a509 100644
|
index 2b7c441e7..7443a9ded 100644
|
||||||
--- a/samba.te
|
--- a/samba.te
|
||||||
+++ b/samba.te
|
+++ b/samba.te
|
||||||
@@ -6,99 +6,86 @@ policy_module(samba, 1.16.3)
|
@@ -6,99 +6,86 @@ policy_module(samba, 1.16.3)
|
||||||
@ -98365,7 +98415,7 @@ index 2b7c441e7..0ad80a509 100644
|
|||||||
|
|
||||||
manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
|
manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
|
||||||
manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
|
manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
|
||||||
@@ -526,20 +627,16 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
|
@@ -526,20 +627,17 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
|
||||||
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
|
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
|
||||||
|
|
||||||
manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
|
manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
|
||||||
@ -98381,6 +98431,7 @@ index 2b7c441e7..0ad80a509 100644
|
|||||||
manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
|
manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
|
||||||
-files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd")
|
-files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd")
|
||||||
files_var_filetrans(nmbd_t, samba_var_t, dir, "samba")
|
files_var_filetrans(nmbd_t, samba_var_t, dir, "samba")
|
||||||
|
+allow nmbd_t samba_var_t:file map;
|
||||||
|
|
||||||
-allow nmbd_t { swat_t smbcontrol_t }:process signal;
|
-allow nmbd_t { swat_t smbcontrol_t }:process signal;
|
||||||
-
|
-
|
||||||
@ -98390,7 +98441,7 @@ index 2b7c441e7..0ad80a509 100644
|
|||||||
|
|
||||||
kernel_getattr_core_if(nmbd_t)
|
kernel_getattr_core_if(nmbd_t)
|
||||||
kernel_getattr_message_if(nmbd_t)
|
kernel_getattr_message_if(nmbd_t)
|
||||||
@@ -547,53 +644,44 @@ kernel_read_kernel_sysctls(nmbd_t)
|
@@ -547,53 +645,44 @@ kernel_read_kernel_sysctls(nmbd_t)
|
||||||
kernel_read_network_state(nmbd_t)
|
kernel_read_network_state(nmbd_t)
|
||||||
kernel_read_software_raid_state(nmbd_t)
|
kernel_read_software_raid_state(nmbd_t)
|
||||||
kernel_read_system_state(nmbd_t)
|
kernel_read_system_state(nmbd_t)
|
||||||
@ -98459,7 +98510,7 @@ index 2b7c441e7..0ad80a509 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -606,18 +694,29 @@ optional_policy(`
|
@@ -606,18 +695,29 @@ optional_policy(`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -98495,7 +98546,7 @@ index 2b7c441e7..0ad80a509 100644
|
|||||||
|
|
||||||
samba_read_config(smbcontrol_t)
|
samba_read_config(smbcontrol_t)
|
||||||
samba_search_var(smbcontrol_t)
|
samba_search_var(smbcontrol_t)
|
||||||
@@ -627,39 +726,38 @@ domain_use_interactive_fds(smbcontrol_t)
|
@@ -627,39 +727,38 @@ domain_use_interactive_fds(smbcontrol_t)
|
||||||
|
|
||||||
dev_read_urand(smbcontrol_t)
|
dev_read_urand(smbcontrol_t)
|
||||||
|
|
||||||
@ -98547,7 +98598,7 @@ index 2b7c441e7..0ad80a509 100644
|
|||||||
|
|
||||||
allow smbmount_t samba_secrets_t:file manage_file_perms;
|
allow smbmount_t samba_secrets_t:file manage_file_perms;
|
||||||
|
|
||||||
@@ -668,26 +766,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
|
@@ -668,26 +767,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
|
||||||
manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
|
manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
|
||||||
files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
|
files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
|
||||||
|
|
||||||
@ -98583,7 +98634,7 @@ index 2b7c441e7..0ad80a509 100644
|
|||||||
|
|
||||||
fs_getattr_cifs(smbmount_t)
|
fs_getattr_cifs(smbmount_t)
|
||||||
fs_mount_cifs(smbmount_t)
|
fs_mount_cifs(smbmount_t)
|
||||||
@@ -699,58 +793,77 @@ fs_read_cifs_files(smbmount_t)
|
@@ -699,58 +794,77 @@ fs_read_cifs_files(smbmount_t)
|
||||||
storage_raw_read_fixed_disk(smbmount_t)
|
storage_raw_read_fixed_disk(smbmount_t)
|
||||||
storage_raw_write_fixed_disk(smbmount_t)
|
storage_raw_write_fixed_disk(smbmount_t)
|
||||||
|
|
||||||
@ -98676,7 +98727,7 @@ index 2b7c441e7..0ad80a509 100644
|
|||||||
|
|
||||||
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
|
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
|
||||||
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
|
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
|
||||||
@@ -759,17 +872,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
|
@@ -759,17 +873,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
|
||||||
manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
|
manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
|
||||||
files_pid_filetrans(swat_t, swat_var_run_t, file)
|
files_pid_filetrans(swat_t, swat_var_run_t, file)
|
||||||
|
|
||||||
@ -98700,7 +98751,7 @@ index 2b7c441e7..0ad80a509 100644
|
|||||||
|
|
||||||
kernel_read_kernel_sysctls(swat_t)
|
kernel_read_kernel_sysctls(swat_t)
|
||||||
kernel_read_system_state(swat_t)
|
kernel_read_system_state(swat_t)
|
||||||
@@ -777,36 +886,25 @@ kernel_read_network_state(swat_t)
|
@@ -777,36 +887,25 @@ kernel_read_network_state(swat_t)
|
||||||
|
|
||||||
corecmd_search_bin(swat_t)
|
corecmd_search_bin(swat_t)
|
||||||
|
|
||||||
@ -98743,7 +98794,7 @@ index 2b7c441e7..0ad80a509 100644
|
|||||||
|
|
||||||
auth_domtrans_chk_passwd(swat_t)
|
auth_domtrans_chk_passwd(swat_t)
|
||||||
auth_use_nsswitch(swat_t)
|
auth_use_nsswitch(swat_t)
|
||||||
@@ -818,10 +916,11 @@ logging_send_syslog_msg(swat_t)
|
@@ -818,10 +917,11 @@ logging_send_syslog_msg(swat_t)
|
||||||
logging_send_audit_msgs(swat_t)
|
logging_send_audit_msgs(swat_t)
|
||||||
logging_search_logs(swat_t)
|
logging_search_logs(swat_t)
|
||||||
|
|
||||||
@ -98757,7 +98808,7 @@ index 2b7c441e7..0ad80a509 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
cups_read_rw_config(swat_t)
|
cups_read_rw_config(swat_t)
|
||||||
cups_stream_connect(swat_t)
|
cups_stream_connect(swat_t)
|
||||||
@@ -840,17 +939,20 @@ optional_policy(`
|
@@ -840,17 +940,20 @@ optional_policy(`
|
||||||
# Winbind local policy
|
# Winbind local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -98784,7 +98835,7 @@ index 2b7c441e7..0ad80a509 100644
|
|||||||
|
|
||||||
allow winbind_t samba_etc_t:dir list_dir_perms;
|
allow winbind_t samba_etc_t:dir list_dir_perms;
|
||||||
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
|
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
|
||||||
@@ -860,9 +962,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
|
@@ -860,9 +963,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
|
||||||
filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
|
filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
|
||||||
|
|
||||||
manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
|
manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
|
||||||
@ -98795,7 +98846,7 @@ index 2b7c441e7..0ad80a509 100644
|
|||||||
manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
|
manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
|
||||||
|
|
||||||
manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
|
manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
|
||||||
@@ -870,41 +970,46 @@ manage_files_pattern(winbind_t, samba_var_t, samba_var_t)
|
@@ -870,41 +971,46 @@ manage_files_pattern(winbind_t, samba_var_t, samba_var_t)
|
||||||
manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t)
|
manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t)
|
||||||
manage_sock_files_pattern(winbind_t, samba_var_t, samba_var_t)
|
manage_sock_files_pattern(winbind_t, samba_var_t, samba_var_t)
|
||||||
files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
|
files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
|
||||||
@ -98854,7 +98905,7 @@ index 2b7c441e7..0ad80a509 100644
|
|||||||
corenet_tcp_connect_smbd_port(winbind_t)
|
corenet_tcp_connect_smbd_port(winbind_t)
|
||||||
corenet_tcp_connect_epmap_port(winbind_t)
|
corenet_tcp_connect_epmap_port(winbind_t)
|
||||||
corenet_tcp_connect_all_unreserved_ports(winbind_t)
|
corenet_tcp_connect_all_unreserved_ports(winbind_t)
|
||||||
@@ -912,38 +1017,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
|
@@ -912,38 +1018,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
|
||||||
dev_read_sysfs(winbind_t)
|
dev_read_sysfs(winbind_t)
|
||||||
dev_read_urand(winbind_t)
|
dev_read_urand(winbind_t)
|
||||||
|
|
||||||
@ -98913,7 +98964,7 @@ index 2b7c441e7..0ad80a509 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -959,31 +1078,36 @@ optional_policy(`
|
@@ -959,31 +1079,36 @@ optional_policy(`
|
||||||
# Winbind helper local policy
|
# Winbind helper local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -98957,7 +99008,7 @@ index 2b7c441e7..0ad80a509 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
apache_append_log(winbind_helper_t)
|
apache_append_log(winbind_helper_t)
|
||||||
@@ -997,25 +1121,38 @@ optional_policy(`
|
@@ -997,25 +1122,38 @@ optional_policy(`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -100984,10 +101035,10 @@ index 000000000..7a058a82a
|
|||||||
+')
|
+')
|
||||||
diff --git a/sbd.te b/sbd.te
|
diff --git a/sbd.te b/sbd.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 000000000..01266ebaf
|
index 000000000..763349da1
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/sbd.te
|
+++ b/sbd.te
|
||||||
@@ -0,0 +1,55 @@
|
@@ -0,0 +1,62 @@
|
||||||
+policy_module(sbd, 1.0.0)
|
+policy_module(sbd, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -101005,6 +101056,9 @@ index 000000000..01266ebaf
|
|||||||
+type sbd_unit_file_t;
|
+type sbd_unit_file_t;
|
||||||
+systemd_unit_file(sbd_unit_file_t)
|
+systemd_unit_file(sbd_unit_file_t)
|
||||||
+
|
+
|
||||||
|
+type sbd_tmpfs_t;
|
||||||
|
+userdom_user_tmpfs_file(sbd_tmpfs_t)
|
||||||
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+#
|
+#
|
||||||
+# sbd local policy
|
+# sbd local policy
|
||||||
@ -101020,6 +101074,10 @@ index 000000000..01266ebaf
|
|||||||
+manage_lnk_files_pattern(sbd_t, sbd_var_run_t, sbd_var_run_t)
|
+manage_lnk_files_pattern(sbd_t, sbd_var_run_t, sbd_var_run_t)
|
||||||
+files_pid_filetrans(sbd_t, sbd_var_run_t, { dir file lnk_file })
|
+files_pid_filetrans(sbd_t, sbd_var_run_t, { dir file lnk_file })
|
||||||
+
|
+
|
||||||
|
+manage_files_pattern(sbd_t, sbd_tmpfs_t, sbd_tmpfs_t)
|
||||||
|
+manage_dirs_pattern(sbd_t, sbd_tmpfs_t, sbd_tmpfs_t)
|
||||||
|
+fs_tmpfs_filetrans(sbd_t, sbd_tmpfs_t, { file dir })
|
||||||
|
+
|
||||||
+kernel_read_system_state(sbd_t)
|
+kernel_read_system_state(sbd_t)
|
||||||
+kernel_dgram_send(sbd_t)
|
+kernel_dgram_send(sbd_t)
|
||||||
+kernel_rw_kernel_sysctl(sbd_t)
|
+kernel_rw_kernel_sysctl(sbd_t)
|
||||||
@ -123563,7 +123621,7 @@ index dd63de028..38ce6208e 100644
|
|||||||
- admin_pattern($1, zabbix_tmpfs_t)
|
- admin_pattern($1, zabbix_tmpfs_t)
|
||||||
')
|
')
|
||||||
diff --git a/zabbix.te b/zabbix.te
|
diff --git a/zabbix.te b/zabbix.te
|
||||||
index 7f496c617..ad28abbc1 100644
|
index 7f496c617..9c540d761 100644
|
||||||
--- a/zabbix.te
|
--- a/zabbix.te
|
||||||
+++ b/zabbix.te
|
+++ b/zabbix.te
|
||||||
@@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0)
|
@@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0)
|
||||||
@ -123602,7 +123660,7 @@ index 7f496c617..ad28abbc1 100644
|
|||||||
type zabbix_log_t;
|
type zabbix_log_t;
|
||||||
logging_log_file(zabbix_log_t)
|
logging_log_file(zabbix_log_t)
|
||||||
|
|
||||||
@@ -36,27 +41,61 @@ files_tmp_file(zabbix_tmp_t)
|
@@ -36,27 +41,62 @@ files_tmp_file(zabbix_tmp_t)
|
||||||
type zabbix_tmpfs_t;
|
type zabbix_tmpfs_t;
|
||||||
files_tmpfs_file(zabbix_tmpfs_t)
|
files_tmpfs_file(zabbix_tmpfs_t)
|
||||||
|
|
||||||
@ -123658,6 +123716,7 @@ index 7f496c617..ad28abbc1 100644
|
|||||||
-allow zabbix_t self:shm create_shm_perms;
|
-allow zabbix_t self:shm create_shm_perms;
|
||||||
-allow zabbix_t self:tcp_socket create_stream_socket_perms;
|
-allow zabbix_t self:tcp_socket create_stream_socket_perms;
|
||||||
+allow zabbix_t self:capability { dac_read_search };
|
+allow zabbix_t self:capability { dac_read_search };
|
||||||
|
+allow zabbix_t self:process { setrlimit };
|
||||||
+
|
+
|
||||||
+manage_dirs_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
|
+manage_dirs_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
|
||||||
+manage_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
|
+manage_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
|
||||||
@ -123676,7 +123735,7 @@ index 7f496c617..ad28abbc1 100644
|
|||||||
|
|
||||||
manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
|
manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
|
||||||
manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
|
manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
|
||||||
@@ -70,13 +109,9 @@ manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
|
@@ -70,13 +110,9 @@ manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
|
||||||
files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
|
files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
|
||||||
|
|
||||||
kernel_read_system_state(zabbix_t)
|
kernel_read_system_state(zabbix_t)
|
||||||
@ -123690,7 +123749,7 @@ index 7f496c617..ad28abbc1 100644
|
|||||||
|
|
||||||
corenet_sendrecv_ftp_client_packets(zabbix_t)
|
corenet_sendrecv_ftp_client_packets(zabbix_t)
|
||||||
corenet_tcp_connect_ftp_port(zabbix_t)
|
corenet_tcp_connect_ftp_port(zabbix_t)
|
||||||
@@ -85,24 +120,18 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t)
|
@@ -85,24 +121,18 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t)
|
||||||
corenet_sendrecv_http_client_packets(zabbix_t)
|
corenet_sendrecv_http_client_packets(zabbix_t)
|
||||||
corenet_tcp_connect_http_port(zabbix_t)
|
corenet_tcp_connect_http_port(zabbix_t)
|
||||||
corenet_tcp_sendrecv_http_port(zabbix_t)
|
corenet_tcp_sendrecv_http_port(zabbix_t)
|
||||||
@ -123718,7 +123777,7 @@ index 7f496c617..ad28abbc1 100644
|
|||||||
tunable_policy(`zabbix_can_network',`
|
tunable_policy(`zabbix_can_network',`
|
||||||
corenet_sendrecv_all_client_packets(zabbix_t)
|
corenet_sendrecv_all_client_packets(zabbix_t)
|
||||||
corenet_tcp_connect_all_ports(zabbix_t)
|
corenet_tcp_connect_all_ports(zabbix_t)
|
||||||
@@ -110,12 +139,11 @@ tunable_policy(`zabbix_can_network',`
|
@@ -110,12 +140,11 @@ tunable_policy(`zabbix_can_network',`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -123733,7 +123792,7 @@ index 7f496c617..ad28abbc1 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -125,6 +153,7 @@ optional_policy(`
|
@@ -125,6 +154,7 @@ optional_policy(`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
snmp_read_snmp_var_lib_files(zabbix_t)
|
snmp_read_snmp_var_lib_files(zabbix_t)
|
||||||
@ -123741,7 +123800,7 @@ index 7f496c617..ad28abbc1 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -132,18 +161,9 @@ optional_policy(`
|
@@ -132,18 +162,9 @@ optional_policy(`
|
||||||
# Agent local policy
|
# Agent local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -123762,7 +123821,7 @@ index 7f496c617..ad28abbc1 100644
|
|||||||
|
|
||||||
rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
|
rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
|
||||||
fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
|
fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
|
||||||
@@ -151,16 +171,13 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
|
@@ -151,16 +172,13 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
|
||||||
manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
|
manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
|
||||||
files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
|
files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
|
||||||
|
|
||||||
@ -123782,7 +123841,7 @@ index 7f496c617..ad28abbc1 100644
|
|||||||
|
|
||||||
corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t)
|
corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t)
|
||||||
corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
|
corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
|
||||||
@@ -170,6 +187,30 @@ corenet_sendrecv_ssh_client_packets(zabbix_agent_t)
|
@@ -170,6 +188,30 @@ corenet_sendrecv_ssh_client_packets(zabbix_agent_t)
|
||||||
corenet_tcp_connect_ssh_port(zabbix_agent_t)
|
corenet_tcp_connect_ssh_port(zabbix_agent_t)
|
||||||
corenet_tcp_sendrecv_ssh_port(zabbix_agent_t)
|
corenet_tcp_sendrecv_ssh_port(zabbix_agent_t)
|
||||||
|
|
||||||
@ -123813,7 +123872,7 @@ index 7f496c617..ad28abbc1 100644
|
|||||||
corenet_sendrecv_zabbix_client_packets(zabbix_agent_t)
|
corenet_sendrecv_zabbix_client_packets(zabbix_agent_t)
|
||||||
corenet_tcp_connect_zabbix_port(zabbix_agent_t)
|
corenet_tcp_connect_zabbix_port(zabbix_agent_t)
|
||||||
corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
|
corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
|
||||||
@@ -177,21 +218,50 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
|
@@ -177,21 +219,50 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
|
||||||
dev_getattr_all_blk_files(zabbix_agent_t)
|
dev_getattr_all_blk_files(zabbix_agent_t)
|
||||||
dev_getattr_all_chr_files(zabbix_agent_t)
|
dev_getattr_all_chr_files(zabbix_agent_t)
|
||||||
|
|
||||||
|
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.13.1
|
Version: 3.13.1
|
||||||
Release: 299%{?dist}
|
Release: 300%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -719,6 +719,21 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Oct 26 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-300
|
||||||
|
- Allow zabbix_t domain to change its resource limits
|
||||||
|
- Add new boolean nagios_use_nfs
|
||||||
|
- Allow system_mail_t to search network sysctls
|
||||||
|
- Hide all allow rules with ptrace inside deny_ptrace boolean
|
||||||
|
- Allow nagios_script_t to read nagios_spool_t files
|
||||||
|
- Allow sbd_t to create own sbd_tmpfs_t dirs/files
|
||||||
|
- Allow firewalld and networkmanager to chat with hypervkvp via dbus
|
||||||
|
- Allow dmidecode to read rhsmcert_log_t files
|
||||||
|
- Allow mail system to connect mariadb sockets.
|
||||||
|
- Allow nmbd_t domain to mmap files labeled as samba_var_t. BZ(1505877)
|
||||||
|
- Make user account setup in gnome-initial-setup working in Workstation Live system. BZ(1499170)
|
||||||
|
- Allow iptables_t to run setfiles to restore context on system
|
||||||
|
- Updatre unconfined_dontaudit_read_state() interface to dontaudit also acess to files. BZ(1503466)
|
||||||
|
|
||||||
* Tue Oct 24 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-299
|
* Tue Oct 24 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-299
|
||||||
- Label /usr/libexec/bluetooth/obexd as bluetoothd_exec_t to run process as bluetooth_t
|
- Label /usr/libexec/bluetooth/obexd as bluetoothd_exec_t to run process as bluetooth_t
|
||||||
- Allow chronyd_t do request kernel module and block_suspend capability
|
- Allow chronyd_t do request kernel module and block_suspend capability
|
||||||
|