* Wed Dec 09 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-163

- Allow whack executed by sysadm SELinux user to access /var/run/pluto/pluto.ctl. It fixes "ipsec auto --status" executed by sysadm_t.
- Add ipsec_read_pid() interface
Lukas Vrabec 2015-12-09 14:42:39 +01:00
parent 2b449e6e35
commit 5c898c0814
4 changed files with 96 additions and 54 deletions

Binary file not shown.


@ -22548,7 +22548,7 @@ index ff92430..36740ea 100644
## <summary>
## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 2522ca6..0371f63 100644
index 2522ca6..a73a163 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -5,39 +5,88 @@ policy_module(sysadm, 2.6.1)
@ -22754,7 +22754,11 @@ index 2522ca6..0371f63 100644
fstools_run(sysadm_t, sysadm_r)
')
@@ -175,10 +249,27 @@ optional_policy(`
@@ -172,13 +246,31 @@ optional_policy(`
# at things (e.g., ipsec auto --status)
# probably should create an ipsec_admin role for this kind of thing
ipsec_exec_mgmt(sysadm_t)
+ ipsec_read_pid(sysadm_t)
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@ -22782,7 +22786,7 @@ index 2522ca6..0371f63 100644
')
optional_policy(`
@@ -190,11 +281,12 @@ optional_policy(`
@@ -190,11 +282,12 @@ optional_policy(`
')
optional_policy(`
@ -22797,7 +22801,7 @@ index 2522ca6..0371f63 100644
')
optional_policy(`
@@ -210,22 +302,20 @@ optional_policy(`
@@ -210,22 +303,20 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
@ -22826,7 +22830,7 @@ index 2522ca6..0371f63 100644
')
optional_policy(`
@@ -237,14 +327,28 @@ optional_policy(`
@@ -237,14 +328,28 @@ optional_policy(`
')
optional_policy(`
@ -22855,7 +22859,7 @@ index 2522ca6..0371f63 100644
')
optional_policy(`
@@ -252,10 +356,20 @@ optional_policy(`
@@ -252,10 +357,20 @@ optional_policy(`
')
optional_policy(`
@ -22876,7 +22880,7 @@ index 2522ca6..0371f63 100644
portage_run(sysadm_t, sysadm_r)
portage_run_fetch(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
@@ -266,35 +380,41 @@ optional_policy(`
@@ -266,35 +381,41 @@ optional_policy(`
')
optional_policy(`
@ -22925,7 +22929,7 @@ index 2522ca6..0371f63 100644
')
optional_policy(`
@@ -308,6 +428,7 @@ optional_policy(`
@@ -308,6 +429,7 @@ optional_policy(`
optional_policy(`
screen_role_template(sysadm, sysadm_r, sysadm_t)
@ -22933,7 +22937,7 @@ index 2522ca6..0371f63 100644
')
optional_policy(`
@@ -315,12 +436,20 @@ optional_policy(`
@@ -315,12 +437,20 @@ optional_policy(`
')
optional_policy(`
@ -22955,7 +22959,7 @@ index 2522ca6..0371f63 100644
')
optional_policy(`
@@ -345,30 +474,37 @@ optional_policy(`
@@ -345,30 +475,37 @@ optional_policy(`
')
optional_policy(`
@ -23002,7 +23006,7 @@ index 2522ca6..0371f63 100644
')
optional_policy(`
@@ -380,10 +516,6 @@ optional_policy(`
@@ -380,10 +517,6 @@ optional_policy(`
')
optional_policy(`
@ -23013,7 +23017,7 @@ index 2522ca6..0371f63 100644
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
usermanage_run_groupadd(sysadm_t, sysadm_r)
usermanage_run_useradd(sysadm_t, sysadm_r)
@@ -391,6 +523,9 @@ optional_policy(`
@@ -391,6 +524,9 @@ optional_policy(`
optional_policy(`
virt_stream_connect(sysadm_t)
@ -23023,7 +23027,7 @@ index 2522ca6..0371f63 100644
')
optional_policy(`
@@ -398,31 +533,34 @@ optional_policy(`
@@ -398,31 +534,34 @@ optional_policy(`
')
optional_policy(`
@ -23064,7 +23068,7 @@ index 2522ca6..0371f63 100644
auth_role(sysadm_r, sysadm_t)
')
@@ -435,10 +573,6 @@ ifndef(`distro_redhat',`
@@ -435,10 +574,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@ -23075,7 +23079,7 @@ index 2522ca6..0371f63 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
optional_policy(`
@@ -459,15 +593,79 @@ ifndef(`distro_redhat',`
@@ -459,15 +594,79 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@ -35414,7 +35418,7 @@ index 662e79b..d32012f 100644
+/var/run/pluto/ipsec\.info -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
+/var/run/pluto/ipsec_setup\.pid -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
index 0d4c8d3..720ece8 100644
index 0d4c8d3..537aa42 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
@@ -18,6 +18,24 @@ interface(`ipsec_domtrans',`
@ -35600,7 +35604,34 @@ index 0d4c8d3..720ece8 100644
')
########################################
@@ -369,3 +497,27 @@ interface(`ipsec_run_setkey',`
@@ -267,6 +395,26 @@ interface(`ipsec_write_pid',`
########################################
## <summary>
+## Allow read the IPSEC pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipsec_read_pid',`
+ gen_require(`
+ type ipsec_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
+ read_sock_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
+')
+
+########################################
+## <summary>
## Create, read, write, and delete the IPSEC pid files.
## </summary>
## <param name="domain">
@@ -369,3 +517,27 @@ interface(`ipsec_run_setkey',`
ipsec_domtrans_setkey($1)
role $2 types setkey_t;
')
@ -35629,7 +35660,7 @@ index 0d4c8d3..720ece8 100644
+ ps_process_pattern($1, ipsec_mgmt_t)
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 312cd04..8e32ea8 100644
index 312cd04..34f5262 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@ -35771,7 +35802,7 @@ index 312cd04..8e32ea8 100644
seutil_sigchld_newrole(ipsec_t)
')
@@ -182,19 +211,29 @@ optional_policy(`
@@ -182,19 +211,30 @@ optional_policy(`
udev_read_db(ipsec_t)
')
@ -35802,10 +35833,11 @@ index 312cd04..8e32ea8 100644
allow ipsec_mgmt_t self:key_socket create_socket_perms;
allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
+allow ipsec_mgmt_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
+allow ipsec_mgmt_t self:netlink_route_socket { create_netlink_socket_perms };
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
@@ -208,12 +247,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
@@ -208,12 +248,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
@ -35821,7 +35853,7 @@ index 312cd04..8e32ea8 100644
# _realsetup needs to be able to cat /var/run/pluto.pid,
# run ps on that pid, and delete the file
@@ -246,6 +287,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
@@ -246,6 +288,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t)
@ -35838,7 +35870,7 @@ index 312cd04..8e32ea8 100644
files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)
@@ -255,6 +306,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
@@ -255,6 +307,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
corecmd_exec_bin(ipsec_mgmt_t)
corecmd_exec_shell(ipsec_mgmt_t)
@ -35847,7 +35879,7 @@ index 312cd04..8e32ea8 100644
dev_read_rand(ipsec_mgmt_t)
dev_read_urand(ipsec_mgmt_t)
@@ -269,6 +322,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
@@ -269,6 +323,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
files_read_etc_files(ipsec_mgmt_t)
files_exec_etc_files(ipsec_mgmt_t)
files_read_etc_runtime_files(ipsec_mgmt_t)
@ -35855,7 +35887,7 @@ index 312cd04..8e32ea8 100644
files_read_usr_files(ipsec_mgmt_t)
files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
files_dontaudit_getattr_default_files(ipsec_mgmt_t)
@@ -278,9 +332,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
@@ -278,9 +333,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
@ -35867,7 +35899,7 @@ index 312cd04..8e32ea8 100644
init_read_utmp(ipsec_mgmt_t)
init_use_script_ptys(ipsec_mgmt_t)
@@ -288,17 +343,28 @@ init_exec_script_files(ipsec_mgmt_t)
@@ -288,17 +344,28 @@ init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
@ -35901,7 +35933,7 @@ index 312cd04..8e32ea8 100644
optional_policy(`
consoletype_exec(ipsec_mgmt_t)
@@ -322,6 +388,10 @@ optional_policy(`
@@ -322,6 +389,10 @@ optional_policy(`
')
optional_policy(`
@ -35912,7 +35944,7 @@ index 312cd04..8e32ea8 100644
modutils_domtrans_insmod(ipsec_mgmt_t)
')
@@ -335,7 +405,7 @@ optional_policy(`
@@ -335,7 +406,7 @@ optional_policy(`
#
allow racoon_t self:capability { net_admin net_bind_service };
@ -35921,7 +35953,7 @@ index 312cd04..8e32ea8 100644
allow racoon_t self:unix_dgram_socket { connect create ioctl write };
allow racoon_t self:netlink_selinux_socket { bind create read };
allow racoon_t self:udp_socket create_socket_perms;
@@ -370,13 +440,12 @@ kernel_request_load_module(racoon_t)
@@ -370,13 +441,12 @@ kernel_request_load_module(racoon_t)
corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
@ -35941,7 +35973,7 @@ index 312cd04..8e32ea8 100644
corenet_udp_bind_isakmp_port(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t)
@@ -401,10 +470,10 @@ locallogin_use_fds(racoon_t)
@@ -401,10 +471,10 @@ locallogin_use_fds(racoon_t)
logging_send_syslog_msg(racoon_t)
logging_send_audit_msgs(racoon_t)
@ -35954,7 +35986,7 @@ index 312cd04..8e32ea8 100644
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
@@ -438,9 +507,8 @@ corenet_setcontext_all_spds(setkey_t)
@@ -438,9 +508,8 @@ corenet_setcontext_all_spds(setkey_t)
locallogin_use_fds(setkey_t)
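Review bot: The summary of the new `ipsec_read_pid` interface says only that it reads the IPSEC pid files, yet the body also grants `read_sock_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)`, which — if pluto.ctl is labelled ipsec_var_run_t as the description implies — is the grant that actually fixes the whack access named in the commit message. Policy authors choose interfaces by their summary, so the socket access should be stated and the grammar fixed: `## Read the IPSEC pid files and the socket files in the IPSEC runtime directory.` In the ipsec.te hunk one of the two netlink rules on ipsec_mgmt_t (the xfrm or the route socket line) is new here, but the surviving `+` markers belong to the patch file being edited, so which one cannot be told from the rendering; neither is mentioned in the description or changelog, and the one added should be.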


@ -8260,7 +8260,7 @@ index 50c9b9c..533a555 100644
+ allow $1 arpwatch_unit_file_t:service all_service_perms;
')
diff --git a/arpwatch.te b/arpwatch.te
index 2d7bf34..2927585 100644
index 2d7bf34..766a91a 100644
--- a/arpwatch.te
+++ b/arpwatch.te
@@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t)
@ -8273,15 +8273,16 @@ index 2d7bf34..2927585 100644
########################################
#
# Local policy
@@ -33,6 +36,7 @@ allow arpwatch_t self:unix_stream_socket { accept listen };
@@ -33,6 +36,8 @@ allow arpwatch_t self:unix_stream_socket { accept listen };
allow arpwatch_t self:tcp_socket { accept listen };
allow arpwatch_t self:packet_socket create_socket_perms;
allow arpwatch_t self:socket create_socket_perms;
+allow arpwatch_t self:netlink_socket create_socket_perms;
+allow arpwatch_t self:netlink_netfilter_socket create_socket_perms;
manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
@@ -45,11 +49,23 @@ files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
@@ -45,11 +50,23 @@ files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
@ -8306,7 +8307,7 @@ index 2d7bf34..2927585 100644
dev_read_sysfs(arpwatch_t)
dev_read_usbmon_dev(arpwatch_t)
dev_rw_generic_usb_dev(arpwatch_t)
@@ -59,15 +75,12 @@ fs_search_auto_mountpoints(arpwatch_t)
@@ -59,15 +76,12 @@ fs_search_auto_mountpoints(arpwatch_t)
domain_use_interactive_fds(arpwatch_t)
@ -65103,7 +65104,7 @@ index 9b15730..cb00f20 100644
+ ')
')
diff --git a/openvswitch.te b/openvswitch.te
index 44dbc99..ba23186 100644
index 44dbc99..a17af8b 100644
--- a/openvswitch.te
+++ b/openvswitch.te
@@ -9,11 +9,8 @@ type openvswitch_t;
@ -65120,7 +65121,7 @@ index 44dbc99..ba23186 100644
type openvswitch_var_lib_t;
files_type(openvswitch_var_lib_t)
@@ -27,20 +24,28 @@ files_tmp_file(openvswitch_tmp_t)
@@ -27,20 +24,29 @@ files_tmp_file(openvswitch_tmp_t)
type openvswitch_var_run_t;
files_pid_file(openvswitch_var_run_t)
@ -65145,6 +65146,7 @@ index 44dbc99..ba23186 100644
+allow openvswitch_t self:tcp_socket create_stream_socket_perms;
+allow openvswitch_t self:netlink_socket create_socket_perms;
+allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms;
+allow openvswitch_t self:netlink_generic_socket create_socket_perms;
-manage_dirs_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
-manage_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
@ -65157,7 +65159,7 @@ index 44dbc99..ba23186 100644
manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
@@ -48,9 +53,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
@@ -48,9 +54,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file })
manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
@ -65168,7 +65170,7 @@ index 44dbc99..ba23186 100644
manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
@@ -65,33 +68,47 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
@@ -65,33 +69,47 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
@ -93304,7 +93306,7 @@ index 2b7c441..0232e85 100644
+ can_exec(smbd_t, samba_unconfined_script_exec_t)
')
diff --git a/sambagui.te b/sambagui.te
index e18b0a2..463e207 100644
index e18b0a2..dc2a745 100644
--- a/sambagui.te
+++ b/sambagui.te
@@ -28,14 +28,14 @@ corecmd_exec_shell(sambagui_t)
@ -93325,8 +93327,11 @@ index e18b0a2..463e207 100644
sysnet_use_ldap(sambagui_t)
@@ -61,6 +61,7 @@ optional_policy(`
@@ -59,8 +59,10 @@ optional_policy(`
samba_append_log(sambagui_t)
samba_manage_config(sambagui_t)
samba_manage_var_files(sambagui_t)
+ samba_manage_var_dirs(sambagui_t)
samba_read_secrets(sambagui_t)
samba_initrc_domtrans(sambagui_t)
+ samba_systemctl(sambagui_t)
@ -110464,7 +110469,7 @@ index facdee8..19b6ffb 100644
+ ps_process_pattern(virtd_t, $1)
')
diff --git a/virt.te b/virt.te
index f03dcf5..27c7cb7 100644
index f03dcf5..a9548bd 100644
--- a/virt.te
+++ b/virt.te
@@ -1,150 +1,248 @@
@ -111457,7 +111462,7 @@ index f03dcf5..27c7cb7 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
@@ -746,44 +686,277 @@ optional_policy(`
@@ -746,44 +686,278 @@ optional_policy(`
udev_read_pid_files(virtd_t)
')
@ -111534,7 +111539,8 @@ index f03dcf5..27c7cb7 100644
+manage_dirs_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t)
+manage_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t)
+manage_lnk_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t)
+files_tmp_filetrans(virt_domain, svirt_tmp_t, { file dir lnk_file })
+manage_sock_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t)
+files_tmp_filetrans(virt_domain, svirt_tmp_t, { file dir lnk_file sock_file})
+userdom_user_tmp_filetrans(virt_domain, svirt_tmp_t, { dir file lnk_file })
+
+manage_dirs_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t)
@ -111757,7 +111763,7 @@ index f03dcf5..27c7cb7 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
@@ -794,25 +967,18 @@ kernel_write_xen_state(virsh_t)
@@ -794,25 +968,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@ -111784,7 +111790,7 @@ index f03dcf5..27c7cb7 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
@@ -821,23 +987,25 @@ fs_search_auto_mountpoints(virsh_t)
@@ -821,23 +988,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@ -111818,7 +111824,7 @@ index f03dcf5..27c7cb7 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
@@ -856,14 +1024,20 @@ optional_policy(`
@@ -856,14 +1025,20 @@ optional_policy(`
')
optional_policy(`
@ -111840,7 +111846,7 @@ index f03dcf5..27c7cb7 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
@@ -888,49 +1062,65 @@ optional_policy(`
@@ -888,49 +1063,65 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@ -111924,7 +111930,7 @@ index f03dcf5..27c7cb7 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
@@ -942,17 +1132,16 @@ dev_read_urand(virtd_lxc_t)
@@ -942,17 +1133,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@ -111944,7 +111950,7 @@ index f03dcf5..27c7cb7 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
@@ -964,8 +1153,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
@@ -964,8 +1154,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@ -111968,7 +111974,7 @@ index f03dcf5..27c7cb7 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
@@ -974,194 +1178,343 @@ selinux_compute_create_context(virtd_lxc_t)
@@ -974,194 +1179,343 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@ -112453,7 +112459,7 @@ index f03dcf5..27c7cb7 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
@@ -1174,12 +1527,12 @@ dev_read_sysfs(virt_qmf_t)
@@ -1174,12 +1528,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@ -112468,7 +112474,7 @@ index f03dcf5..27c7cb7 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
@@ -1192,9 +1545,8 @@ optional_policy(`
@@ -1192,9 +1546,8 @@ optional_policy(`
########################################
#
@ -112479,7 +112485,7 @@ index f03dcf5..27c7cb7 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
@@ -1205,7 +1557,247 @@ manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
@@ -1205,7 +1558,247 @@ manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
kernel_read_network_state(virt_bridgehelper_t)
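Review bot: In the virt.te hunk the `files_tmp_filetrans(virt_domain, svirt_tmp_t, ...)` class list gains `sock_file` and a `manage_sock_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t)` rule is added, but the `userdom_user_tmp_filetrans(virt_domain, svirt_tmp_t, { dir file lnk_file })` line directly after it is left without `sock_file`, so a socket a virt domain creates under a user tmp directory would seemingly not transition to svirt_tmp_t; if that asymmetry is intended it deserves a comment, otherwise add `sock_file` there as well. The new list also lacks the space before the closing brace (`sock_file})`) that every other brace list in the hunk has. None of the grants this patch file picks up — the arpwatch netlink_netfilter_socket, openvswitch netlink_generic_socket, sambagui samba_systemctl/samba_manage_var_dirs and the virt sock_file rules — appear in the commit description or the spec changelog, which cover only the ipsec/sysadm fix, so these allow rules cannot be traced back from the changelog; each should get its own changelog line. Which line of each printed pair is the one added here is not recoverable from the rendering, so the exact rule named above may differ, but every one of these hunks adds at least one grant.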


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 162%{?dist}
Release: 163%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -664,6 +664,10 @@ exit 0
%endif
%changelog
* Wed Dec 09 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-163
- Allow whack executed by sysadm SELinux user to access /var/run/pluto/pluto.ctl. It fixes "ipsec auto --status" executed by sysadm_t.
- Add ipsec_read_pid() interface
* Mon Dec 07 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-162
- Label /usr/sbin/lvmlockd binary file as lvm_exec_t. BZ(1287739)
- Adding support for dbus communication between systemd-networkd and systemd-hostnamed. BZ(1279182)