- Add exim_exec_t label for /usr/sbin/exim_tidydb
- Call init_dontaudit_rw_stream_socket() interface in mta policy - sssd need to search /var/cache/krb5rcache directory - Allow corosync to relabel own tmp files - Allow zarafa domains to send system log messages - Allow ssh to do tunneling - Allow initrc scripts to sendto init_t unix_stream_socket - Changes to make sure dmsmasq and virt directories are labeled corr - Changes needed to allow sysadm_t to manage systemd unit files - init is passing file descriptors to dbus and on to system daemons - Allow sulogin additional access Reported by dgrift and Jeremy Mill - Steve Grubb believes that wireshark does not need this access - Fix /var/run/initramfs to stop restorecon from looking at - pki needs another port - Add more labels for cluster scripts - Allow apps that manage cgroup_files to manage cgroup link files - Fix label on nfs-utils scripts directories - Allow gatherd to read /dev/rand and /dev/urand
This commit is contained in:
Miroslav
parent
392fd7310f
commit
5b0c573864
272
policy-F16.patch
272
policy-F16.patch
|
|
@ -10871,7 +10871,7 @@ index be9246b..e3de8fa 100644
|
|||
tunable_policy(`wine_mmap_zero_ignore',`
|
||||
dontaudit wine_t self:memprotect mmap_zero;
|
||||
diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
|
||||
index 8bfe97d..9e4ad2c 100644
|
||||
index 8bfe97d..95a3d06 100644
|
||||
--- a/policy/modules/apps/wireshark.te
|
||||
+++ b/policy/modules/apps/wireshark.te
|
||||
@@ -15,6 +15,7 @@ ubac_constrained(wireshark_t)
|
||||
|
|
@ -10882,6 +10882,15 @@ index 8bfe97d..9e4ad2c 100644
|
|||
userdom_user_home_content(wireshark_home_t)
|
||||
|
||||
type wireshark_tmp_t;
|
||||
@@ -34,7 +35,7 @@ ubac_constrained(wireshark_tmpfs_t)
|
||||
# Local Policy
|
||||
#
|
||||
|
||||
-allow wireshark_t self:capability { net_admin net_raw setgid };
|
||||
+allow wireshark_t self:capability { net_admin net_raw };
|
||||
allow wireshark_t self:process { signal getsched };
|
||||
allow wireshark_t self:fifo_file { getattr read write };
|
||||
allow wireshark_t self:shm destroy;
|
||||
@@ -85,6 +86,8 @@ fs_search_auto_mountpoints(wireshark_t)
|
||||
|
||||
libs_read_lib_files(wireshark_t)
|
||||
|
|
@ -12337,7 +12346,7 @@ index 4f3b542..5a41e58 100644
|
|||
corenet_udp_recvfrom_labeled($1, $2)
|
||||
corenet_raw_recvfrom_labeled($1, $2)
|
||||
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
|
||||
index 99b71cb..807f958 100644
|
||||
index 99b71cb..39dfc9f 100644
|
||||
--- a/policy/modules/kernel/corenetwork.te.in
|
||||
+++ b/policy/modules/kernel/corenetwork.te.in
|
||||
@@ -11,11 +11,14 @@ attribute netif_type;
|
||||
|
|
@ -12458,8 +12467,9 @@ index 99b71cb..807f958 100644
|
|||
network_port(howl, tcp,5335,s0, udp,5353,s0)
|
||||
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
|
||||
-network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
|
||||
-network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
|
||||
+network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0, tcp,18001,s0) #8443 is mod_nss default port #18001 is used for jboss
|
||||
network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
|
||||
+network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,8123,s0, tcp,10001-10010,s0) # 8118 is for privoxy
|
||||
network_port(i18n_input, tcp,9010,s0)
|
||||
network_port(imaze, tcp,5323,s0, udp,5323,s0)
|
||||
network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
|
||||
|
|
@ -18826,7 +18836,7 @@ index 2be17d2..afb3532 100644
|
|||
+ userdom_execmod_user_home_files(staff_usertype)
|
||||
+')
|
||||
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
|
||||
index e14b961..7ef880f 100644
|
||||
index e14b961..ba7c72e 100644
|
||||
--- a/policy/modules/roles/sysadm.te
|
||||
+++ b/policy/modules/roles/sysadm.te
|
||||
@@ -24,20 +24,55 @@ ifndef(`enable_mls',`
|
||||
|
|
@ -19095,16 +19105,19 @@ index e14b961..7ef880f 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -332,7 +404,7 @@ optional_policy(`
|
||||
@@ -332,7 +404,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- thunderbird_role(sysadm_r, sysadm_t)
|
||||
+ systemd_passwd_agent_run(sysadm_t, sysadm_r)
|
||||
+ systemd_config_all_services(sysadm_t)
|
||||
+ systemd_manage_all_unit_files(sysadm_t)
|
||||
+ systemd_manage_all_unit_lnk_files(sysadm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -343,19 +415,15 @@ optional_policy(`
|
||||
@@ -343,19 +418,15 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -19126,7 +19139,7 @@ index e14b961..7ef880f 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -367,45 +435,45 @@ optional_policy(`
|
||||
@@ -367,45 +438,45 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -19183,7 +19196,7 @@ index e14b961..7ef880f 100644
|
|||
auth_role(sysadm_r, sysadm_t)
|
||||
')
|
||||
|
||||
@@ -439,6 +507,7 @@ ifndef(`distro_redhat',`
|
||||
@@ -439,6 +510,7 @@ ifndef(`distro_redhat',`
|
||||
|
||||
optional_policy(`
|
||||
gnome_role(sysadm_r, sysadm_t)
|
||||
|
|
@ -19191,7 +19204,7 @@ index e14b961..7ef880f 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -446,11 +515,62 @@ ifndef(`distro_redhat',`
|
||||
@@ -446,11 +518,62 @@ ifndef(`distro_redhat',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -27812,7 +27825,7 @@ index 5220c9d..a2e6830 100644
|
|||
## <summary>
|
||||
## Allow the specified domain to read corosync's log files.
|
||||
diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te
|
||||
index 04969e5..c3176a6 100644
|
||||
index 04969e5..0e76440 100644
|
||||
--- a/policy/modules/services/corosync.te
|
||||
+++ b/policy/modules/services/corosync.te
|
||||
@@ -32,8 +32,8 @@ files_pid_file(corosync_var_run_t)
|
||||
|
|
@ -27826,7 +27839,7 @@ index 04969e5..c3176a6 100644
|
|||
|
||||
allow corosync_t self:fifo_file rw_fifo_file_perms;
|
||||
allow corosync_t self:sem create_sem_perms;
|
||||
@@ -41,6 +41,8 @@ allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto
|
||||
@@ -41,9 +41,12 @@ allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto
|
||||
allow corosync_t self:unix_dgram_socket create_socket_perms;
|
||||
allow corosync_t self:udp_socket create_socket_perms;
|
||||
|
||||
|
|
@ -27835,7 +27848,11 @@ index 04969e5..c3176a6 100644
|
|||
manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
|
||||
manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
|
||||
files_tmp_filetrans(corosync_t, corosync_tmp_t, { file dir })
|
||||
@@ -63,8 +65,11 @@ manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
|
||||
+allow corosync_t corosync_tmp_t:file { relabelfrom relabelto };
|
||||
|
||||
manage_dirs_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
|
||||
manage_files_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
|
||||
@@ -63,8 +66,11 @@ manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
|
||||
files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file })
|
||||
|
||||
kernel_read_system_state(corosync_t)
|
||||
|
|
@ -27847,7 +27864,7 @@ index 04969e5..c3176a6 100644
|
|||
|
||||
corenet_udp_bind_netsupport_port(corosync_t)
|
||||
|
||||
@@ -73,6 +78,7 @@ dev_read_urand(corosync_t)
|
||||
@@ -73,6 +79,7 @@ dev_read_urand(corosync_t)
|
||||
domain_read_all_domains_state(corosync_t)
|
||||
|
||||
files_manage_mounttab(corosync_t)
|
||||
|
|
@ -27855,7 +27872,7 @@ index 04969e5..c3176a6 100644
|
|||
|
||||
auth_use_nsswitch(corosync_t)
|
||||
|
||||
@@ -83,19 +89,44 @@ logging_send_syslog_msg(corosync_t)
|
||||
@@ -83,19 +90,44 @@ logging_send_syslog_msg(corosync_t)
|
||||
|
||||
miscfiles_read_localization(corosync_t)
|
||||
|
||||
|
|
@ -30170,7 +30187,7 @@ index 1a1becd..d4357ec 100644
|
|||
')
|
||||
+
|
||||
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
|
||||
index 1bff6ee..3136cb7 100644
|
||||
index 1bff6ee..c6db074 100644
|
||||
--- a/policy/modules/services/dbus.te
|
||||
+++ b/policy/modules/services/dbus.te
|
||||
@@ -10,6 +10,7 @@ gen_require(`
|
||||
|
|
@ -30252,7 +30269,7 @@ index 1bff6ee..3136cb7 100644
|
|||
policykit_dbus_chat(system_dbusd_t)
|
||||
policykit_domtrans_auth(system_dbusd_t)
|
||||
policykit_search_lib(system_dbusd_t)
|
||||
@@ -151,12 +171,155 @@ optional_policy(`
|
||||
@@ -151,12 +171,156 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -30284,6 +30301,7 @@ index 1bff6ee..3136cb7 100644
|
|||
+init_stream_connect(system_bus_type)
|
||||
+init_dgram_send(system_bus_type)
|
||||
+init_use_fds(system_bus_type)
|
||||
+init_rw_stream_sockets(system_bus_type)
|
||||
|
||||
+ps_process_pattern(system_dbusd_t, system_bus_type)
|
||||
+
|
||||
|
|
@ -31755,10 +31773,10 @@ index 0000000..6fd8e9f
|
|||
+')
|
||||
diff --git a/policy/modules/services/dirsrv.te b/policy/modules/services/dirsrv.te
|
||||
new file mode 100644
|
||||
index 0000000..cc83e0b
|
||||
index 0000000..43c82e7
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/services/dirsrv.te
|
||||
@@ -0,0 +1,184 @@
|
||||
@@ -0,0 +1,185 @@
|
||||
+policy_module(dirsrv,1.0.0)
|
||||
+
|
||||
+########################################
|
||||
|
|
@ -31867,6 +31885,7 @@ index 0000000..cc83e0b
|
|||
+corenet_sendrecv_ldap_server_packets(dirsrv_t)
|
||||
+corenet_sendrecv_all_client_packets(dirsrv_t)
|
||||
+
|
||||
+dev_read_sysfs(dirsrv_t)
|
||||
+dev_read_urand(dirsrv_t)
|
||||
+
|
||||
+files_read_etc_files(dirsrv_t)
|
||||
|
|
@ -31991,7 +32010,7 @@ index b886676..ad3210e 100644
|
|||
/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
|
||||
/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
|
||||
diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if
|
||||
index 9bd812b..c4abec3 100644
|
||||
index 9bd812b..2385a2c 100644
|
||||
--- a/policy/modules/services/dnsmasq.if
|
||||
+++ b/policy/modules/services/dnsmasq.if
|
||||
@@ -101,9 +101,9 @@ interface(`dnsmasq_kill',`
|
||||
|
|
@ -32032,7 +32051,7 @@ index 9bd812b..c4abec3 100644
|
|||
delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
|
||||
')
|
||||
|
||||
@@ -163,17 +163,79 @@ interface(`dnsmasq_delete_pid_files',`
|
||||
@@ -163,17 +163,80 @@ interface(`dnsmasq_delete_pid_files',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
|
@ -32106,6 +32125,7 @@ index 9bd812b..c4abec3 100644
|
|||
+
|
||||
+ files_pid_filetrans($1, dnsmasq_var_run_t, dir, "network")
|
||||
+ files_pid_filetrans($1, dnsmasq_var_run_t, file, "dnsmasq.pid")
|
||||
+ virt_pid_filetrans($1, dnsmasq_var_run_t, file, "network")
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
|
|
@ -33087,16 +33107,18 @@ index 0000000..d409571
|
|||
+')
|
||||
+
|
||||
diff --git a/policy/modules/services/exim.fc b/policy/modules/services/exim.fc
|
||||
index 298f066..c2570df 100644
|
||||
index 298f066..b54de69 100644
|
||||
--- a/policy/modules/services/exim.fc
|
||||
+++ b/policy/modules/services/exim.fc
|
||||
@@ -1,3 +1,6 @@
|
||||
@@ -1,4 +1,8 @@
|
||||
+
|
||||
+/etc/rc\.d/init\.d/exim -- gen_context(system_u:object_r:exim_initrc_exec_t,s0)
|
||||
+
|
||||
/usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
|
||||
+/usr/sbin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0)
|
||||
/var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
|
||||
/var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
|
||||
/var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
|
||||
diff --git a/policy/modules/services/exim.if b/policy/modules/services/exim.if
|
||||
index 6bef7f8..464669c 100644
|
||||
--- a/policy/modules/services/exim.if
|
||||
|
|
@ -36925,7 +36947,7 @@ index 3525d24..e065744 100644
|
|||
/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
||||
+/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
||||
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
|
||||
index 604f67b..be8a805 100644
|
||||
index 604f67b..588823c 100644
|
||||
--- a/policy/modules/services/kerberos.if
|
||||
+++ b/policy/modules/services/kerberos.if
|
||||
@@ -26,9 +26,9 @@
|
||||
|
|
@ -36962,16 +36984,17 @@ index 604f67b..be8a805 100644
|
|||
')
|
||||
|
||||
files_search_etc($1)
|
||||
@@ -103,7 +102,7 @@ interface(`kerberos_use',`
|
||||
@@ -103,7 +102,8 @@ interface(`kerberos_use',`
|
||||
corenet_sendrecv_kerberos_client_packets($1)
|
||||
corenet_sendrecv_ocsp_client_packets($1)
|
||||
|
||||
- allow $1 krb5_host_rcache_t:file getattr;
|
||||
+ allow $1 krb5_host_rcache_t:dir search_dir_perms;
|
||||
+ allow $1 krb5_host_rcache_t:file getattr_file_perms;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -218,6 +217,25 @@ interface(`kerberos_rw_keytab',`
|
||||
@@ -218,6 +218,25 @@ interface(`kerberos_rw_keytab',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -36997,7 +37020,7 @@ index 604f67b..be8a805 100644
|
|||
## Create a derived type for kerberos keytab
|
||||
## </summary>
|
||||
## <param name="prefix">
|
||||
@@ -235,7 +253,7 @@ template(`kerberos_keytab_template',`
|
||||
@@ -235,7 +254,7 @@ template(`kerberos_keytab_template',`
|
||||
type $1_keytab_t;
|
||||
files_type($1_keytab_t)
|
||||
|
||||
|
|
@ -37006,15 +37029,16 @@ index 604f67b..be8a805 100644
|
|||
|
||||
kerberos_read_keytab($2)
|
||||
kerberos_use($2)
|
||||
@@ -289,6 +307,7 @@ interface(`kerberos_manage_host_rcache',`
|
||||
@@ -289,6 +308,8 @@ interface(`kerberos_manage_host_rcache',`
|
||||
|
||||
seutil_read_file_contexts($1)
|
||||
|
||||
+ files_rw_generic_tmp_dir($1)
|
||||
+ allow $1 krb5_host_rcache_t:dir search_dir_perms;
|
||||
allow $1 krb5_host_rcache_t:file manage_file_perms;
|
||||
files_search_tmp($1)
|
||||
')
|
||||
@@ -296,28 +315,6 @@ interface(`kerberos_manage_host_rcache',`
|
||||
@@ -296,28 +317,6 @@ interface(`kerberos_manage_host_rcache',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -37043,7 +37067,7 @@ index 604f67b..be8a805 100644
|
|||
## All of the rules required to administrate
|
||||
## an kerberos environment
|
||||
## </summary>
|
||||
@@ -338,9 +335,8 @@ interface(`kerberos_admin',`
|
||||
@@ -338,9 +337,8 @@ interface(`kerberos_admin',`
|
||||
type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
|
||||
type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
|
||||
type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
|
||||
|
|
@ -37054,7 +37078,7 @@ index 604f67b..be8a805 100644
|
|||
')
|
||||
|
||||
allow $1 kadmind_t:process { ptrace signal_perms };
|
||||
@@ -378,3 +374,108 @@ interface(`kerberos_admin',`
|
||||
@@ -378,3 +376,108 @@ interface(`kerberos_admin',`
|
||||
|
||||
admin_pattern($1, krb5kdc_var_run_t)
|
||||
')
|
||||
|
|
@ -40376,7 +40400,7 @@ index 343cee3..f8c4fb6 100644
|
|||
+ mta_filetrans_admin_home_content($1)
|
||||
+')
|
||||
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
|
||||
index 64268e4..ee1f72b 100644
|
||||
index 64268e4..142fbfb 100644
|
||||
--- a/policy/modules/services/mta.te
|
||||
+++ b/policy/modules/services/mta.te
|
||||
@@ -20,14 +20,16 @@ files_type(etc_aliases_t)
|
||||
|
|
@ -40422,9 +40446,11 @@ index 64268e4..ee1f72b 100644
|
|||
dev_read_sysfs(system_mail_t)
|
||||
dev_read_rand(system_mail_t)
|
||||
dev_read_urand(system_mail_t)
|
||||
@@ -80,8 +71,14 @@ term_dontaudit_use_unallocated_ttys(system_mail_t)
|
||||
@@ -79,9 +70,16 @@ selinux_getattr_fs(system_mail_t)
|
||||
term_dontaudit_use_unallocated_ttys(system_mail_t)
|
||||
|
||||
init_use_script_ptys(system_mail_t)
|
||||
+init_dontaudit_rw_stream_socket(system_mail_t)
|
||||
|
||||
-userdom_use_user_terminals(system_mail_t)
|
||||
+userdom_use_inherited_user_terminals(system_mail_t)
|
||||
|
|
@ -40438,7 +40464,7 @@ index 64268e4..ee1f72b 100644
|
|||
|
||||
optional_policy(`
|
||||
apache_read_squirrelmail_data(system_mail_t)
|
||||
@@ -92,14 +89,21 @@ optional_policy(`
|
||||
@@ -92,14 +90,21 @@ optional_policy(`
|
||||
apache_dontaudit_rw_stream_sockets(system_mail_t)
|
||||
apache_dontaudit_rw_tcp_sockets(system_mail_t)
|
||||
apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
|
||||
|
|
@ -40463,7 +40489,7 @@ index 64268e4..ee1f72b 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -111,6 +115,8 @@ optional_policy(`
|
||||
@@ -111,6 +116,8 @@ optional_policy(`
|
||||
cron_read_system_job_tmp_files(system_mail_t)
|
||||
cron_dontaudit_write_pipes(system_mail_t)
|
||||
cron_rw_system_job_stream_sockets(system_mail_t)
|
||||
|
|
@ -40472,7 +40498,7 @@ index 64268e4..ee1f72b 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -124,12 +130,9 @@ optional_policy(`
|
||||
@@ -124,12 +131,9 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -40487,7 +40513,7 @@ index 64268e4..ee1f72b 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -146,6 +149,10 @@ optional_policy(`
|
||||
@@ -146,6 +150,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -40498,7 +40524,7 @@ index 64268e4..ee1f72b 100644
|
|||
nagios_read_tmp_files(system_mail_t)
|
||||
')
|
||||
|
||||
@@ -158,22 +165,13 @@ optional_policy(`
|
||||
@@ -158,22 +166,13 @@ optional_policy(`
|
||||
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
|
||||
|
||||
domain_use_interactive_fds(system_mail_t)
|
||||
|
|
@ -40524,7 +40550,7 @@ index 64268e4..ee1f72b 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -189,9 +187,17 @@ optional_policy(`
|
||||
@@ -189,9 +188,17 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -40542,7 +40568,7 @@ index 64268e4..ee1f72b 100644
|
|||
# should break this up among sections:
|
||||
|
||||
optional_policy(`
|
||||
@@ -199,15 +205,16 @@ optional_policy(`
|
||||
@@ -199,15 +206,16 @@ optional_policy(`
|
||||
arpwatch_search_data(mailserver_delivery)
|
||||
arpwatch_manage_tmp_files(mta_user_agent)
|
||||
|
||||
|
|
@ -40563,7 +40589,7 @@ index 64268e4..ee1f72b 100644
|
|||
########################################
|
||||
#
|
||||
# Mailserver delivery local policy
|
||||
@@ -220,7 +227,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
|
||||
@@ -220,7 +228,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
|
||||
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
|
||||
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
|
||||
|
||||
|
|
@ -40573,7 +40599,7 @@ index 64268e4..ee1f72b 100644
|
|||
|
||||
read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
|
||||
|
||||
@@ -242,6 +250,10 @@ optional_policy(`
|
||||
@@ -242,6 +251,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -40584,7 +40610,7 @@ index 64268e4..ee1f72b 100644
|
|||
# so MTA can access /var/lib/mailman/mail/wrapper
|
||||
files_search_var_lib(mailserver_delivery)
|
||||
|
||||
@@ -249,16 +261,25 @@ optional_policy(`
|
||||
@@ -249,16 +262,25 @@ optional_policy(`
|
||||
mailman_read_data_symlinks(mailserver_delivery)
|
||||
')
|
||||
|
||||
|
|
@ -40612,7 +40638,7 @@ index 64268e4..ee1f72b 100644
|
|||
# Create dead.letter in user home directories.
|
||||
userdom_manage_user_home_content_files(user_mail_t)
|
||||
userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
|
||||
@@ -292,3 +313,44 @@ optional_policy(`
|
||||
@@ -292,3 +314,44 @@ optional_policy(`
|
||||
postfix_read_config(user_mail_t)
|
||||
postfix_list_spool(user_mail_t)
|
||||
')
|
||||
|
|
@ -53064,7 +53090,7 @@ index 078bcd7..2d60774 100644
|
|||
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
|
||||
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
|
||||
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
|
||||
index 22adaca..76e8829 100644
|
||||
index 22adaca..ba5d941 100644
|
||||
--- a/policy/modules/services/ssh.if
|
||||
+++ b/policy/modules/services/ssh.if
|
||||
@@ -32,10 +32,10 @@
|
||||
|
|
@ -53135,7 +53161,7 @@ index 22adaca..76e8829 100644
|
|||
type $1_t, ssh_server;
|
||||
auth_login_pgm_domain($1_t)
|
||||
|
||||
@@ -181,16 +179,17 @@ template(`ssh_server_template', `
|
||||
@@ -181,16 +179,18 @@ template(`ssh_server_template', `
|
||||
type $1_var_run_t;
|
||||
files_pid_file($1_var_run_t)
|
||||
|
||||
|
|
@ -53147,6 +53173,7 @@ index 22adaca..76e8829 100644
|
|||
+ allow $1_t self:process { signal getcap getsched setsched setrlimit setexec };
|
||||
allow $1_t self:tcp_socket create_stream_socket_perms;
|
||||
allow $1_t self:udp_socket create_socket_perms;
|
||||
+ allow $1_t self:tun_socket create_socket_perms;
|
||||
# ssh agent connections:
|
||||
allow $1_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow $1_t self:shm create_shm_perms;
|
||||
|
|
@ -53156,7 +53183,7 @@ index 22adaca..76e8829 100644
|
|||
term_create_pty($1_t, $1_devpts_t)
|
||||
|
||||
manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
|
||||
@@ -206,6 +205,7 @@ template(`ssh_server_template', `
|
||||
@@ -206,6 +206,7 @@ template(`ssh_server_template', `
|
||||
|
||||
kernel_read_kernel_sysctls($1_t)
|
||||
kernel_read_network_state($1_t)
|
||||
|
|
@ -53164,7 +53191,7 @@ index 22adaca..76e8829 100644
|
|||
|
||||
corenet_all_recvfrom_unlabeled($1_t)
|
||||
corenet_all_recvfrom_netlabel($1_t)
|
||||
@@ -220,8 +220,11 @@ template(`ssh_server_template', `
|
||||
@@ -220,8 +221,11 @@ template(`ssh_server_template', `
|
||||
corenet_tcp_bind_generic_node($1_t)
|
||||
corenet_udp_bind_generic_node($1_t)
|
||||
corenet_tcp_bind_ssh_port($1_t)
|
||||
|
|
@ -53177,7 +53204,7 @@ index 22adaca..76e8829 100644
|
|||
|
||||
fs_dontaudit_getattr_all_fs($1_t)
|
||||
|
||||
@@ -234,6 +237,7 @@ template(`ssh_server_template', `
|
||||
@@ -234,6 +238,7 @@ template(`ssh_server_template', `
|
||||
corecmd_getattr_bin_files($1_t)
|
||||
|
||||
domain_interactive_fd($1_t)
|
||||
|
|
@ -53185,7 +53212,7 @@ index 22adaca..76e8829 100644
|
|||
|
||||
files_read_etc_files($1_t)
|
||||
files_read_etc_runtime_files($1_t)
|
||||
@@ -243,13 +247,17 @@ template(`ssh_server_template', `
|
||||
@@ -243,13 +248,17 @@ template(`ssh_server_template', `
|
||||
|
||||
miscfiles_read_localization($1_t)
|
||||
|
||||
|
|
@ -53205,7 +53232,7 @@ index 22adaca..76e8829 100644
|
|||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_read_nfs_files($1_t)
|
||||
fs_read_nfs_symlinks($1_t)
|
||||
@@ -268,6 +276,14 @@ template(`ssh_server_template', `
|
||||
@@ -268,6 +277,14 @@ template(`ssh_server_template', `
|
||||
files_read_var_lib_symlinks($1_t)
|
||||
nx_spec_domtrans_server($1_t)
|
||||
')
|
||||
|
|
@ -53220,7 +53247,7 @@ index 22adaca..76e8829 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -290,11 +306,11 @@ template(`ssh_server_template', `
|
||||
@@ -290,11 +307,11 @@ template(`ssh_server_template', `
|
||||
## User domain for the role
|
||||
## </summary>
|
||||
## </param>
|
||||
|
|
@ -53233,7 +53260,7 @@ index 22adaca..76e8829 100644
|
|||
type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t;
|
||||
type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t;
|
||||
type ssh_agent_tmp_t;
|
||||
@@ -327,7 +343,7 @@ template(`ssh_role_template',`
|
||||
@@ -327,7 +344,7 @@ template(`ssh_role_template',`
|
||||
|
||||
# allow ps to show ssh
|
||||
ps_process_pattern($3, ssh_t)
|
||||
|
|
@ -53242,7 +53269,7 @@ index 22adaca..76e8829 100644
|
|||
|
||||
# for rsync
|
||||
allow ssh_t $3:unix_stream_socket rw_socket_perms;
|
||||
@@ -338,6 +354,7 @@ template(`ssh_role_template',`
|
||||
@@ -338,6 +355,7 @@ template(`ssh_role_template',`
|
||||
manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t)
|
||||
manage_sock_files_pattern($3, ssh_home_t, ssh_home_t)
|
||||
userdom_search_user_home_dirs($1_t)
|
||||
|
|
@ -53250,7 +53277,7 @@ index 22adaca..76e8829 100644
|
|||
|
||||
##############################
|
||||
#
|
||||
@@ -359,7 +376,7 @@ template(`ssh_role_template',`
|
||||
@@ -359,7 +377,7 @@ template(`ssh_role_template',`
|
||||
stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
|
||||
|
||||
# Allow the user shell to signal the ssh program.
|
||||
|
|
@ -53259,7 +53286,7 @@ index 22adaca..76e8829 100644
|
|||
|
||||
# allow ps to show ssh
|
||||
ps_process_pattern($3, $1_ssh_agent_t)
|
||||
@@ -381,7 +398,6 @@ template(`ssh_role_template',`
|
||||
@@ -381,7 +399,6 @@ template(`ssh_role_template',`
|
||||
|
||||
files_read_etc_files($1_ssh_agent_t)
|
||||
files_read_etc_runtime_files($1_ssh_agent_t)
|
||||
|
|
@ -53267,7 +53294,7 @@ index 22adaca..76e8829 100644
|
|||
|
||||
libs_read_lib_files($1_ssh_agent_t)
|
||||
|
||||
@@ -393,14 +409,13 @@ template(`ssh_role_template',`
|
||||
@@ -393,14 +410,13 @@ template(`ssh_role_template',`
|
||||
seutil_dontaudit_read_config($1_ssh_agent_t)
|
||||
|
||||
# Write to the user domain tty.
|
||||
|
|
@ -53285,7 +53312,7 @@ index 22adaca..76e8829 100644
|
|||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_files($1_ssh_agent_t)
|
||||
@@ -477,8 +492,9 @@ interface(`ssh_read_pipes',`
|
||||
@@ -477,8 +493,9 @@ interface(`ssh_read_pipes',`
|
||||
type sshd_t;
|
||||
')
|
||||
|
||||
|
|
@ -53296,7 +53323,7 @@ index 22adaca..76e8829 100644
|
|||
########################################
|
||||
## <summary>
|
||||
## Read and write a ssh server unnamed pipe.
|
||||
@@ -494,7 +510,7 @@ interface(`ssh_rw_pipes',`
|
||||
@@ -494,7 +511,7 @@ interface(`ssh_rw_pipes',`
|
||||
type sshd_t;
|
||||
')
|
||||
|
||||
|
|
@ -53305,7 +53332,7 @@ index 22adaca..76e8829 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -586,6 +602,24 @@ interface(`ssh_domtrans',`
|
||||
@@ -586,6 +603,24 @@ interface(`ssh_domtrans',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -53330,7 +53357,7 @@ index 22adaca..76e8829 100644
|
|||
## Execute the ssh client in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -618,7 +652,7 @@ interface(`ssh_setattr_key_files',`
|
||||
@@ -618,7 +653,7 @@ interface(`ssh_setattr_key_files',`
|
||||
type sshd_key_t;
|
||||
')
|
||||
|
||||
|
|
@ -53339,7 +53366,7 @@ index 22adaca..76e8829 100644
|
|||
files_search_pids($1)
|
||||
')
|
||||
|
||||
@@ -680,6 +714,32 @@ interface(`ssh_domtrans_keygen',`
|
||||
@@ -680,6 +715,32 @@ interface(`ssh_domtrans_keygen',`
|
||||
domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
|
||||
')
|
||||
|
||||
|
|
@ -53372,7 +53399,7 @@ index 22adaca..76e8829 100644
|
|||
########################################
|
||||
## <summary>
|
||||
## Read ssh server keys
|
||||
@@ -695,7 +755,7 @@ interface(`ssh_dontaudit_read_server_keys',`
|
||||
@@ -695,7 +756,7 @@ interface(`ssh_dontaudit_read_server_keys',`
|
||||
type sshd_key_t;
|
||||
')
|
||||
|
||||
|
|
@ -53381,7 +53408,7 @@ index 22adaca..76e8829 100644
|
|||
')
|
||||
|
||||
######################################
|
||||
@@ -735,3 +795,62 @@ interface(`ssh_delete_tmp',`
|
||||
@@ -735,3 +796,62 @@ interface(`ssh_delete_tmp',`
|
||||
files_search_tmp($1)
|
||||
delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
|
||||
')
|
||||
|
|
@ -53445,7 +53472,7 @@ index 22adaca..76e8829 100644
|
|||
+ userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
|
||||
+')
|
||||
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
|
||||
index 2dad3c8..a85027d 100644
|
||||
index 2dad3c8..be7b7a3 100644
|
||||
--- a/policy/modules/services/ssh.te
|
||||
+++ b/policy/modules/services/ssh.te
|
||||
@@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
|
||||
|
|
@ -53569,18 +53596,19 @@ index 2dad3c8..a85027d 100644
|
|||
|
||||
kernel_read_kernel_sysctls(ssh_t)
|
||||
kernel_read_system_state(ssh_t)
|
||||
@@ -138,7 +144,10 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
|
||||
@@ -138,7 +144,11 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
|
||||
corenet_tcp_sendrecv_all_ports(ssh_t)
|
||||
corenet_tcp_connect_ssh_port(ssh_t)
|
||||
corenet_sendrecv_ssh_client_packets(ssh_t)
|
||||
+corenet_tcp_bind_generic_node(ssh_t)
|
||||
+corenet_tcp_bind_all_unreserved_ports(ssh_t)
|
||||
+corenet_rw_tun_tap_dev(ssh_t)
|
||||
|
||||
+dev_read_rand(ssh_t)
|
||||
dev_read_urand(ssh_t)
|
||||
|
||||
fs_getattr_all_fs(ssh_t)
|
||||
@@ -162,21 +171,28 @@ logging_read_generic_logs(ssh_t)
|
||||
@@ -162,21 +172,28 @@ logging_read_generic_logs(ssh_t)
|
||||
auth_use_nsswitch(ssh_t)
|
||||
|
||||
miscfiles_read_localization(ssh_t)
|
||||
|
|
@ -53615,7 +53643,7 @@ index 2dad3c8..a85027d 100644
|
|||
')
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
@@ -196,10 +212,15 @@ tunable_policy(`user_tcp_server',`
|
||||
@@ -196,10 +213,15 @@ tunable_policy(`user_tcp_server',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -53631,7 +53659,7 @@ index 2dad3c8..a85027d 100644
|
|||
##############################
|
||||
#
|
||||
# ssh_keysign_t local policy
|
||||
@@ -209,19 +230,14 @@ tunable_policy(`allow_ssh_keysign',`
|
||||
@@ -209,19 +231,14 @@ tunable_policy(`allow_ssh_keysign',`
|
||||
allow ssh_keysign_t self:capability { setgid setuid };
|
||||
allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
|
||||
|
||||
|
|
@ -53653,7 +53681,7 @@ index 2dad3c8..a85027d 100644
|
|||
#################################
|
||||
#
|
||||
# sshd local policy
|
||||
@@ -232,33 +248,43 @@ optional_policy(`
|
||||
@@ -232,33 +249,43 @@ optional_policy(`
|
||||
# so a tunnel can point to another ssh tunnel
|
||||
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow sshd_t self:key { search link write };
|
||||
|
|
@ -53706,7 +53734,7 @@ index 2dad3c8..a85027d 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -266,11 +292,24 @@ optional_policy(`
|
||||
@@ -266,11 +293,24 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -53732,7 +53760,7 @@ index 2dad3c8..a85027d 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -284,6 +323,15 @@ optional_policy(`
|
||||
@@ -284,6 +324,15 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -53748,7 +53776,7 @@ index 2dad3c8..a85027d 100644
|
|||
unconfined_shell_domtrans(sshd_t)
|
||||
')
|
||||
|
||||
@@ -292,26 +340,26 @@ optional_policy(`
|
||||
@@ -292,26 +341,26 @@ optional_policy(`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
|
@ -53794,7 +53822,7 @@ index 2dad3c8..a85027d 100644
|
|||
') dnl endif TODO
|
||||
|
||||
########################################
|
||||
@@ -322,19 +370,25 @@ tunable_policy(`ssh_sysadm_login',`
|
||||
@@ -322,19 +371,25 @@ tunable_policy(`ssh_sysadm_login',`
|
||||
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
|
||||
# and by sysadm_t
|
||||
|
||||
|
|
@ -53821,7 +53849,7 @@ index 2dad3c8..a85027d 100644
|
|||
dev_read_urand(ssh_keygen_t)
|
||||
|
||||
term_dontaudit_use_console(ssh_keygen_t)
|
||||
@@ -351,10 +405,7 @@ auth_use_nsswitch(ssh_keygen_t)
|
||||
@@ -351,10 +406,7 @@ auth_use_nsswitch(ssh_keygen_t)
|
||||
logging_send_syslog_msg(ssh_keygen_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
|
||||
|
|
@ -55345,7 +55373,7 @@ index 2124b6a..55b5012 100644
|
|||
+/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
|
||||
+/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
|
||||
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
|
||||
index 7c5d8d8..d83a9a2 100644
|
||||
index 7c5d8d8..72e3065 100644
|
||||
--- a/policy/modules/services/virt.if
|
||||
+++ b/policy/modules/services/virt.if
|
||||
@@ -13,39 +13,44 @@
|
||||
|
|
@ -55541,7 +55569,7 @@ index 7c5d8d8..d83a9a2 100644
|
|||
+ type virt_var_run_t;
|
||||
+ ')
|
||||
+
|
||||
+ filetrans_pattern($1, virt_var_run_t, $2, $3)
|
||||
+ filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
|
|
@ -59423,7 +59451,7 @@ index 21ae664..3e448dd 100644
|
|||
+ manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
|
||||
+')
|
||||
diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te
|
||||
index 9fb4747..afe5e5f 100644
|
||||
index 9fb4747..6e2c42a 100644
|
||||
--- a/policy/modules/services/zarafa.te
|
||||
+++ b/policy/modules/services/zarafa.te
|
||||
@@ -18,6 +18,10 @@ files_config_file(zarafa_etc_t)
|
||||
|
|
@ -59467,7 +59495,15 @@ index 9fb4747..afe5e5f 100644
|
|||
#######################################
|
||||
#
|
||||
# zarafa-ical local policy
|
||||
@@ -136,6 +156,36 @@ corenet_tcp_sendrecv_generic_node(zarafa_spooler_t)
|
||||
@@ -107,7 +127,6 @@ corenet_tcp_bind_zarafa_port(zarafa_server_t)
|
||||
|
||||
files_read_usr_files(zarafa_server_t)
|
||||
|
||||
-logging_send_syslog_msg(zarafa_server_t)
|
||||
logging_send_audit_msgs(zarafa_server_t)
|
||||
|
||||
sysnet_dns_name_resolve(zarafa_server_t)
|
||||
@@ -136,6 +155,36 @@ corenet_tcp_sendrecv_generic_node(zarafa_spooler_t)
|
||||
corenet_tcp_sendrecv_all_ports(zarafa_spooler_t)
|
||||
corenet_tcp_connect_smtp_port(zarafa_spooler_t)
|
||||
|
||||
|
|
@ -59504,12 +59540,13 @@ index 9fb4747..afe5e5f 100644
|
|||
########################################
|
||||
#
|
||||
# zarafa domains local policy
|
||||
@@ -156,6 +206,4 @@ kernel_read_system_state(zarafa_domain)
|
||||
@@ -156,6 +205,6 @@ kernel_read_system_state(zarafa_domain)
|
||||
|
||||
files_read_etc_files(zarafa_domain)
|
||||
|
||||
-auth_use_nsswitch(zarafa_domain)
|
||||
-
|
||||
+logging_send_syslog_msg(zarafa_domain)
|
||||
|
||||
miscfiles_read_localization(zarafa_domain)
|
||||
diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if
|
||||
index 6b87605..347f754 100644
|
||||
|
|
@ -61525,7 +61562,7 @@ index 94fd8dd..3e8f08e 100644
|
|||
+ read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
|
||||
+')
|
||||
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
||||
index 29a9565..b400c03 100644
|
||||
index 29a9565..0635313 100644
|
||||
--- a/policy/modules/system/init.te
|
||||
+++ b/policy/modules/system/init.te
|
||||
@@ -16,6 +16,34 @@ gen_require(`
|
||||
|
|
@ -61607,7 +61644,7 @@ index 29a9565..b400c03 100644
|
|||
|
||||
-allow init_t initrc_t:unix_stream_socket connectto;
|
||||
+allow init_t initrc_t:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
+allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms };
|
||||
+allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms sendto };
|
||||
+allow initrc_t init_t:fifo_file rw_fifo_file_perms;
|
||||
|
||||
-# For /var/run/shutdown.pid.
|
||||
|
|
@ -63518,7 +63555,7 @@ index e5836d3..c76046b 100644
|
|||
- unconfined_domain(ldconfig_t)
|
||||
-')
|
||||
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
|
||||
index a0b379d..2a55eab 100644
|
||||
index a0b379d..b823395 100644
|
||||
--- a/policy/modules/system/locallogin.te
|
||||
+++ b/policy/modules/system/locallogin.te
|
||||
@@ -32,9 +32,8 @@ role system_r types sulogin_t;
|
||||
|
|
@ -63581,8 +63618,19 @@ index a0b379d..2a55eab 100644
|
|||
unconfined_shell_domtrans(local_login_t)
|
||||
')
|
||||
|
||||
@@ -225,11 +226,14 @@ files_read_etc_files(sulogin_t)
|
||||
@@ -215,6 +216,7 @@ allow sulogin_t self:sem create_sem_perms;
|
||||
allow sulogin_t self:msgq create_msgq_perms;
|
||||
allow sulogin_t self:msg { send receive };
|
||||
|
||||
+kernel_read_crypto_sysctls(sulogin_t)
|
||||
kernel_read_system_state(sulogin_t)
|
||||
|
||||
fs_search_auto_mountpoints(sulogin_t)
|
||||
@@ -223,13 +225,17 @@ fs_rw_tmpfs_chr_files(sulogin_t)
|
||||
files_read_etc_files(sulogin_t)
|
||||
# because file systems are not mounted:
|
||||
files_dontaudit_search_isid_type_dirs(sulogin_t)
|
||||
+files_search_pids(sulogin_t)
|
||||
|
||||
auth_read_shadow(sulogin_t)
|
||||
+auth_use_nsswitch(sulogin_t)
|
||||
|
|
@ -63596,13 +63644,14 @@ index a0b379d..2a55eab 100644
|
|||
seutil_read_config(sulogin_t)
|
||||
seutil_read_default_contexts(sulogin_t)
|
||||
|
||||
@@ -238,14 +242,23 @@ userdom_use_unpriv_users_fds(sulogin_t)
|
||||
@@ -238,14 +244,24 @@ userdom_use_unpriv_users_fds(sulogin_t)
|
||||
userdom_search_user_home_dirs(sulogin_t)
|
||||
userdom_use_user_ptys(sulogin_t)
|
||||
|
||||
-sysadm_shell_domtrans(sulogin_t)
|
||||
+term_use_console(sulogin_t)
|
||||
+term_use_unallocated_ttys(sulogin_t)
|
||||
+term_use_generic_ptys(sulogin_t)
|
||||
+
|
||||
+ifdef(`enable_mls',`
|
||||
+ sysadm_shell_domtrans(sulogin_t)
|
||||
|
|
@ -63622,7 +63671,7 @@ index a0b379d..2a55eab 100644
|
|||
init_getpgid(sulogin_t)
|
||||
', `
|
||||
allow sulogin_t self:process setexec;
|
||||
@@ -256,11 +269,3 @@ ifdef(`sulogin_no_pam', `
|
||||
@@ -256,11 +272,3 @@ ifdef(`sulogin_no_pam', `
|
||||
selinux_compute_relabel_context(sulogin_t)
|
||||
selinux_compute_user_contexts(sulogin_t)
|
||||
')
|
||||
|
|
@ -67045,7 +67094,7 @@ index 34d0ec5..ac52258 100644
|
|||
+')
|
||||
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
|
||||
new file mode 100644
|
||||
index 0000000..839455d
|
||||
index 0000000..9eaa38e
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/system/systemd.fc
|
||||
@@ -0,0 +1,19 @@
|
||||
|
|
@ -67057,7 +67106,7 @@ index 0000000..839455d
|
|||
+
|
||||
+/usr/bin/systemd-gnome-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
|
||||
+
|
||||
+/lib/systemd/system(/.*)? -- gen_context(system_u:object_r:systemd_unit_file_t,s0)
|
||||
+/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
|
||||
+/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
|
||||
+/lib/systemd/systemd-logger -- gen_context(system_u:object_r:systemd_logger_exec_t,s0)
|
||||
+/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
|
||||
|
|
@ -67067,13 +67116,13 @@ index 0000000..839455d
|
|||
+/var/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
|
||||
+/var/run/systemd/ask-password-block/[^/]* -p gen_context(system_u:object_r:systemd_device_t,s0)
|
||||
+/dev/\.systemd/ask-password-block/[^/]* -p gen_context(system_u:object_r:systemd_device_t,s0)
|
||||
+/var/run/initramfs <<none>>
|
||||
+/var/run/initramfs(/.*)? <<none>>
|
||||
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
|
||||
new file mode 100644
|
||||
index 0000000..fc27830
|
||||
index 0000000..fdb31d8
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/system/systemd.if
|
||||
@@ -0,0 +1,377 @@
|
||||
@@ -0,0 +1,414 @@
|
||||
+## <summary>SELinux policy for systemd components</summary>
|
||||
+
|
||||
+#######################################
|
||||
|
|
@ -67433,6 +67482,43 @@ index 0000000..fc27830
|
|||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## manage all systemd unit files
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`systemd_manage_all_unit_files',`
|
||||
+ gen_require(`
|
||||
+ attribute systemd_unit_file_type;
|
||||
+ ')
|
||||
+
|
||||
+ manage_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## manage all systemd unit lnk_files
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`systemd_manage_all_unit_lnk_files',`
|
||||
+ gen_require(`
|
||||
+ attribute systemd_unit_file_type;
|
||||
+ ')
|
||||
+
|
||||
+ manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
|
||||
+')
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Allow the specified domain to connect to
|
||||
+## systemd_logger with a unix socket.
|
||||
+## </summary>
|
||||
|
|
@ -67453,7 +67539,7 @@ index 0000000..fc27830
|
|||
+
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
new file mode 100644
|
||||
index 0000000..a91d3dd
|
||||
index 0000000..1a24c0a
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -0,0 +1,352 @@
|
||||
|
|
@ -67528,7 +67614,7 @@ index 0000000..a91d3dd
|
|||
+
|
||||
+manage_dirs_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_sessions_t systemd_logind_var_run_t })
|
||||
+manage_files_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_var_run_t systemd_logind_sessions_t })
|
||||
+manage_fifo_files_pattern(systemd_logind_t, systemd_logind_sessions_t, systemd_logind_sessions_t)
|
||||
+manage_fifo_files_pattern(systemd_logind_t, systemd_logind_sessions_t, { systemd_logind_sessions_t systemd_logind_var_run_t })
|
||||
+init_named_pid_filetrans(systemd_logind_t, systemd_logind_sessions_t, dir, "sessions")
|
||||
+init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir)
|
||||
+
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@
|
|||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.10.0
|
||||
Release: 24%{?dist}
|
||||
Release: 25%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
|
|
@ -466,6 +466,26 @@ SELinux Reference policy mls base module.
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Sep 6 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-25
|
||||
- Add exim_exec_t label for /usr/sbin/exim_tidydb
|
||||
- Call init_dontaudit_rw_stream_socket() interface in mta policy
|
||||
- sssd need to search /var/cache/krb5rcache directory
|
||||
- Allow corosync to relabel own tmp files
|
||||
- Allow zarafa domains to send system log messages
|
||||
- Allow ssh to do tunneling
|
||||
- Allow initrc scripts to sendto init_t unix_stream_socket
|
||||
- Changes to make sure dmsmasq and virt directories are labeled correctly
|
||||
- Changes needed to allow sysadm_t to manage systemd unit files
|
||||
- init is passing file descriptors to dbus and on to system daemons
|
||||
- Allow sulogin additional access Reported by dgrift and Jeremy Miller
|
||||
- Steve Grubb believes that wireshark does not need this access
|
||||
- Fix /var/run/initramfs to stop restorecon from looking at
|
||||
- pki needs another port
|
||||
- Add more labels for cluster scripts
|
||||
- Allow apps that manage cgroup_files to manage cgroup link files
|
||||
- Fix label on nfs-utils scripts directories
|
||||
- Allow gatherd to read /dev/rand and /dev/urand
|
||||
|
||||
* Wed Aug 31 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-24
|
||||
- pki needs another port
|
||||
- Add more labels for cluster scripts
|
||||
|
|
|
|||
Loading…
Reference in New Issue