* Wed Jan 13 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-166
- Allow logrotate to systemctl rsyslog service. BZ(1284173) - Allow condor_master_t domain capability chown. BZ(1297048) - Allow chronyd to be dbus bus client. BZ(1297129) - Allow openvswitch read/write hugetlb filesystem. - Revert "Allow openvswitch read/write hugetlb filesystem." - Allow smbcontrol domain to send sigchld to ctdbd domain. - Allow openvswitch read/write hugetlb filesystem. - Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib - Label /var/log/ipareplica-conncheck.log file as ipa_log_t Allow ipa_helper_t domain to manage logs labeled as ipa_log_t Allow ipa_helper_t to connect on http and kerberos_passwd ports. BZ(1289930) - Allow keepalived to connect to 3306/tcp port - mysqld_port_t. - Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib - Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib - Merge pull request #86 from rhatdan/rawhide-contrib - Label some new nsd binaries as nsd_exec_t Allow nsd domain net_admin cap. Create label nsd_tmp_t for nsd tmp files/dirs BZ (1293146) - Added interface logging_systemctl_syslogd - Label rsyslog unit file - Added policy for systemd-coredump service. Added domain transition from kernel_t to systemd_coredump_t. Allow syslogd_t domain to read/write tmpfs systemd-coredump files. Make new domain unconfined for now.
This commit is contained in:
parent
936bb7a648
commit
5d165e36c4
@ -19566,7 +19566,7 @@ index e100d88..65a3b6d 100644
+')
+
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 8dbab4c..a85c5d7 100644
index 8dbab4c..7c405f5 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined;
@ -19722,7 +19722,7 @@ index 8dbab4c..a85c5d7 100644
corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
@@ -277,25 +315,54 @@ files_list_root(kernel_t)
@@ -277,13 +315,23 @@ files_list_root(kernel_t)
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
@ -19746,11 +19746,10 @@ index 8dbab4c..a85c5d7 100644
ifdef(`distro_redhat',`
# Bugzilla 222337
fs_rw_tmpfs_chr_files(kernel_t)
@@ -291,11 +339,29 @@ ifdef(`distro_redhat',`
')
+
+optional_policy(`
optional_policy(`
+ abrt_filetrans_named_content(kernel_t)
+ abrt_dump_oops_domtrans(kernel_t)
+')
@ -19767,7 +19766,7 @@ index 8dbab4c..a85c5d7 100644
+ kerberos_filetrans_home_content(kernel_t)
+')
+
optional_policy(`
+optional_policy(`
hotplug_search_config(kernel_t)
')
@ -19777,7 +19776,7 @@ index 8dbab4c..a85c5d7 100644
')
optional_policy(`
@@ -305,6 +372,19 @@ optional_policy(`
@@ -305,6 +371,19 @@ optional_policy(`
optional_policy(`
logging_send_syslog_msg(kernel_t)
@ -19797,7 +19796,7 @@ index 8dbab4c..a85c5d7 100644
')
optional_policy(`
@@ -312,6 +392,11 @@ optional_policy(`
@@ -312,6 +391,11 @@ optional_policy(`
')
optional_policy(`
@ -19809,7 +19808,7 @@ index 8dbab4c..a85c5d7 100644
# nfs kernel server needs kernel UDP access. It is less risky and painful
# to just give it everything.
allow kernel_t self:tcp_socket create_stream_socket_perms;
@@ -332,9 +417,6 @@ optional_policy(`
@@ -332,9 +416,6 @@ optional_policy(`
sysnet_read_config(kernel_t)
@ -19819,7 +19818,7 @@ index 8dbab4c..a85c5d7 100644
rpc_udp_rw_nfs_sockets(kernel_t)
tunable_policy(`nfs_export_all_ro',`
@@ -343,9 +425,7 @@ optional_policy(`
@@ -343,9 +424,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
@ -19830,7 +19829,7 @@ index 8dbab4c..a85c5d7 100644
')
tunable_policy(`nfs_export_all_rw',`
@@ -354,7 +434,7 @@ optional_policy(`
@@ -354,7 +433,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
@ -19839,7 +19838,14 @@ index 8dbab4c..a85c5d7 100644
')
')
@@ -367,6 +447,15 @@ optional_policy(`
@@ -364,9 +443,22 @@ optional_policy(`
')
optional_policy(`
+ systemd_coredump_domtrans(kernel_t)
+')
+
+optional_policy(`
unconfined_domain_noaudit(kernel_t)
')
@ -19855,7 +19861,7 @@ index 8dbab4c..a85c5d7 100644
########################################
#
# Unlabeled process local policy
@@ -399,14 +488,39 @@ if( ! secure_mode_insmod ) {
@@ -399,14 +491,39 @@ if( ! secure_mode_insmod ) {
# Rules for unconfined acccess to this module
#
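Review bot: `systemd_coredump_domtrans(kernel_t)` is added to kernel.te without a comment, although this same commit makes the target domain unconfined in systemd.te (`unconfined_domain(systemd_coredump_t)`), so a reader of kernel.te alone cannot see that kernel_t now has a transition into an unconfined domain. Neighbouring rules carry a why-comment (`# Bugzilla 222337`); a line such as `# kernel_t may transition into systemd_coredump_t; that domain is unconfined for now (see systemd.te)` above the new call would make the exception visible where it is granted. The optional_policy block containing the rule is inside the hunk, but the file-level context around it starts outside this view.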
@ -37265,10 +37271,10 @@ index 446fa99..22f539c 100644
+ plymouthd_exec_plymouth(sulogin_t)
')
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index b50c5fe..13da95a 100644
index b50c5fe..5c39fe5 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -1,11 +1,14 @@
@@ -1,11 +1,15 @@
-/dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
+/dev/log -l gen_context(system_u:object_r:devlog_t,mls_systemhigh)
@ -37280,11 +37286,12 @@ index b50c5fe..13da95a 100644
/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
+/usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_file_t,s0)
+/usr/lib/systemd/system/syslogd.* -- gen_context(system_u:object_r:syslogd_unit_file_t,s0)
+
/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
@@ -17,12 +20,25 @@
@@ -17,12 +21,25 @@
/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
@ -37311,7 +37318,7 @@ index b50c5fe..13da95a 100644
/var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
/var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
@@ -38,21 +54,22 @@ ifdef(`distro_suse', `
@@ -38,21 +55,22 @@ ifdef(`distro_suse', `
/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
/var/log/.* gen_context(system_u:object_r:var_log_t,s0)
@ -37337,7 +37344,7 @@ index b50c5fe..13da95a 100644
')
/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
@@ -65,11 +82,16 @@ ifdef(`distro_redhat',`
@@ -65,11 +83,16 @@ ifdef(`distro_redhat',`
/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
/var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
/var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
@ -37356,7 +37363,7 @@ index b50c5fe..13da95a 100644
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
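Review bot: The new context line `/usr/lib/systemd/system/syslogd.* -- gen_context(system_u:object_r:syslogd_unit_file_t,s0)` only matches unit files whose name begins with `syslogd`, yet the changelog says the intent is to label the rsyslog unit, and the initscript entry `/etc/rc\.d/init\.d/rsyslog` in the same hunk suggests the service is named rsyslog. If the installed unit is `rsyslog.service`, it keeps the generic unit label and the new `logging_systemctl_syslogd` interface has nothing to act on. Consider adding a second entry for the rsyslog unit name next to this one (keeping `syslogd_unit_file_t` as the type), and checking the result with matchpathcon on an installed system.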
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 4e94884..3c33045 100644
index 4e94884..41a18bc 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@ -37470,21 +37477,14 @@ index 4e94884..3c33045 100644
+interface(`logging_create_devlog_dev',`
+ gen_require(`
+ type devlog_t;
')
- allow $1 devlog_t:lnk_file read_lnk_file_perms;
- allow $1 devlog_t:sock_file write_sock_file_perms;
+ ')
+
+ allow $1 devlog_t:lnk_file manage_lnk_file_perms;
+ dev_filetrans($1, devlog_t, lnk_file, "log")
+ init_pid_filetrans($1, devlog_t, sock_file, "syslog")
+ logging_syslogd_pid_filetrans($1, devlog_t, sock_file, "dev-log")
+')
- # the type of socket depends on the syslog daemon
- allow $1 syslogd_t:unix_dgram_socket sendto;
- allow $1 syslogd_t:unix_stream_socket connectto;
- allow $1 self:unix_dgram_socket create_socket_perms;
- allow $1 self:unix_stream_socket create_socket_perms;
+
+########################################
+## <summary>
+## Relabel the devlog sock_file.
@ -37498,16 +37498,19 @@ index 4e94884..3c33045 100644
+interface(`logging_relabel_devlog_dev',`
+ gen_require(`
+ type devlog_t;
+ ')
')
- # If syslog is down, the glibc syslog() function
- # will write to the console.
- term_write_console($1)
- term_dontaudit_read_console($1)
- allow $1 devlog_t:lnk_file read_lnk_file_perms;
- allow $1 devlog_t:sock_file write_sock_file_perms;
+ allow $1 devlog_t:sock_file relabel_sock_file_perms;
+ allow $1 devlog_t:lnk_file relabelto_lnk_file_perms;
+')
+
- # the type of socket depends on the syslog daemon
- allow $1 syslogd_t:unix_dgram_socket sendto;
- allow $1 syslogd_t:unix_stream_socket connectto;
- allow $1 self:unix_dgram_socket create_socket_perms;
- allow $1 self:unix_stream_socket create_socket_perms;
+########################################
+## <summary>
+## Allow domain to read the syslog pid files.
@ -37522,7 +37525,11 @@ index 4e94884..3c33045 100644
+ gen_require(`
+ type syslogd_var_run_t;
+ ')
+
- # If syslog is down, the glibc syslog() function
- # will write to the console.
- term_write_console($1)
- term_dontaudit_read_console($1)
+ read_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
+ list_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
+')
@ -37767,7 +37774,7 @@ index 4e94884..3c33045 100644
manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
@@ -1004,6 +1286,33 @@ interface(`logging_admin_audit',`
@@ -1004,6 +1286,55 @@ interface(`logging_admin_audit',`
domain_system_change_exemption($1)
role_transition $2 auditd_initrc_exec_t system_r;
allow $2 system_r;
@ -37798,10 +37805,32 @@ index 4e94884..3c33045 100644
+ allow $1 auditd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, auditd_t)
+')
+########################################
+## <summary>
+## Execute auditd server in the auditd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`logging_systemctl_syslogd',`
+ gen_require(`
+ type syslogd_t;
+ type syslogd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 syslogd_unit_file_t:file read_file_perms;
+ allow $1 syslog_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, syslogd_t)
')
########################################
@@ -1032,10 +1341,15 @@ interface(`logging_admin_syslog',`
@@ -1032,10 +1363,15 @@ interface(`logging_admin_syslog',`
type syslogd_initrc_exec_t;
')
@ -37819,7 +37848,7 @@ index 4e94884..3c33045 100644
manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
@@ -1057,6 +1371,8 @@ interface(`logging_admin_syslog',`
@@ -1057,6 +1393,8 @@ interface(`logging_admin_syslog',`
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
logging_manage_all_logs($1)
@ -37828,7 +37857,7 @@ index 4e94884..3c33045 100644
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
domain_system_change_exemption($1)
@@ -1085,3 +1401,90 @@ interface(`logging_admin',`
@@ -1085,3 +1423,90 @@ interface(`logging_admin',`
logging_admin_audit($1, $2)
logging_admin_syslog($1, $2)
')
@ -37920,7 +37949,7 @@ index 4e94884..3c33045 100644
+ filetrans_pattern($1, syslogd_var_run_t, $2, $3, $4)
+')
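Review bot: `allow $1 syslog_unit_file_t:service manage_service_perms;` in the new `logging_systemctl_syslogd` interface names a type that does not exist; the gen_require block three lines above declares `type syslogd_unit_file_t;` and logging.te in this commit defines `syslogd_unit_file_t`, so this rule either fails the policy build or never grants the service permission the logrotate fix in the changelog depends on. The line should read `allow $1 syslogd_unit_file_t:service manage_service_perms;`. The interface header is also copy-pasted from the auditd interface above it (`## Execute auditd server in the auditd domain.` / `## Domain allowed to transition.`); it should describe this interface, e.g. `## Execute systemctl in the caller's domain to manage the syslogd service.` and `## Domain allowed access.`.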
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 59b04c1..e1ec2e8 100644
index 59b04c1..6810e0b 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -4,6 +4,29 @@ policy_module(logging, 1.20.1)
@ -37979,7 +38008,7 @@ index 59b04c1..e1ec2e8 100644
type syslogd_initrc_exec_t;
init_script_file(syslogd_initrc_exec_t)
@@ -71,11 +99,15 @@ init_script_file(syslogd_initrc_exec_t)
@@ -71,16 +99,23 @@ init_script_file(syslogd_initrc_exec_t)
type syslogd_tmp_t;
files_tmp_file(syslogd_tmp_t)
@ -37995,7 +38024,15 @@ index 59b04c1..e1ec2e8 100644
type var_log_t;
logging_log_file(var_log_t)
@@ -94,6 +126,8 @@ ifdef(`enable_mls',`
files_mountpoint(var_log_t)
+type syslogd_unit_file_t;
+systemd_unit_file(syslogd_unit_file_t)
+
ifdef(`enable_mls',`
init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh)
init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
@@ -94,6 +129,8 @@ ifdef(`enable_mls',`
allow auditctl_t self:capability { fsetid dac_read_search dac_override };
allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
@ -38004,7 +38041,7 @@ index 59b04c1..e1ec2e8 100644
read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
allow auditctl_t auditd_etc_t:dir list_dir_perms;
@@ -111,7 +145,9 @@ domain_use_interactive_fds(auditctl_t)
@@ -111,7 +148,9 @@ domain_use_interactive_fds(auditctl_t)
mls_file_read_all_levels(auditctl_t)
@ -38015,7 +38052,7 @@ index 59b04c1..e1ec2e8 100644
init_dontaudit_use_fds(auditctl_t)
@@ -136,9 +172,10 @@ allow auditd_t self:tcp_socket create_stream_socket_perms;
@@ -136,9 +175,10 @@ allow auditd_t self:tcp_socket create_stream_socket_perms;
allow auditd_t auditd_etc_t:dir list_dir_perms;
allow auditd_t auditd_etc_t:file read_file_perms;
@ -38027,7 +38064,7 @@ index 59b04c1..e1ec2e8 100644
manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
@@ -148,6 +185,7 @@ kernel_read_kernel_sysctls(auditd_t)
@@ -148,6 +188,7 @@ kernel_read_kernel_sysctls(auditd_t)
# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
# Probably want a transition, and a new auditd_helper app
kernel_read_system_state(auditd_t)
@ -38035,7 +38072,7 @@ index 59b04c1..e1ec2e8 100644
dev_read_sysfs(auditd_t)
@@ -155,9 +193,6 @@ fs_getattr_all_fs(auditd_t)
@@ -155,9 +196,6 @@ fs_getattr_all_fs(auditd_t)
fs_search_auto_mountpoints(auditd_t)
fs_rw_anon_inodefs_files(auditd_t)
@ -38045,7 +38082,7 @@ index 59b04c1..e1ec2e8 100644
corenet_all_recvfrom_netlabel(auditd_t)
corenet_tcp_sendrecv_generic_if(auditd_t)
corenet_tcp_sendrecv_generic_node(auditd_t)
@@ -183,16 +218,17 @@ logging_send_syslog_msg(auditd_t)
@@ -183,16 +221,17 @@ logging_send_syslog_msg(auditd_t)
logging_domtrans_dispatcher(auditd_t)
logging_signal_dispatcher(auditd_t)
@ -38067,7 +38104,7 @@ index 59b04c1..e1ec2e8 100644
userdom_dontaudit_use_unpriv_user_fds(auditd_t)
userdom_dontaudit_search_user_home_dirs(auditd_t)
@@ -237,19 +273,29 @@ corecmd_exec_shell(audisp_t)
@@ -237,19 +276,29 @@ corecmd_exec_shell(audisp_t)
domain_use_interactive_fds(audisp_t)
@ -38099,7 +38136,7 @@ index 59b04c1..e1ec2e8 100644
')
########################################
@@ -266,9 +312,10 @@ manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
@@ -266,9 +315,10 @@ manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
@ -38111,7 +38148,7 @@ index 59b04c1..e1ec2e8 100644
corenet_all_recvfrom_netlabel(audisp_remote_t)
corenet_tcp_sendrecv_generic_if(audisp_remote_t)
corenet_tcp_sendrecv_generic_node(audisp_remote_t)
@@ -280,13 +327,26 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
@@ -280,13 +330,26 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
files_read_etc_files(audisp_remote_t)
@ -38139,7 +38176,7 @@ index 59b04c1..e1ec2e8 100644
########################################
#
# klogd local policy
@@ -326,7 +386,6 @@ files_read_etc_files(klogd_t)
@@ -326,7 +389,6 @@ files_read_etc_files(klogd_t)
logging_send_syslog_msg(klogd_t)
@ -38147,7 +38184,7 @@ index 59b04c1..e1ec2e8 100644
mls_file_read_all_levels(klogd_t)
@@ -355,13 +414,12 @@ optional_policy(`
@@ -355,13 +417,12 @@ optional_policy(`
# sys_admin for the integrated klog of syslog-ng and metalog
# sys_nice for rsyslog
# cjp: why net_admin!
@ -38164,7 +38201,7 @@ index 59b04c1..e1ec2e8 100644
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
@@ -369,11 +427,15 @@ allow syslogd_t self:unix_dgram_socket sendto;
@@ -369,11 +430,15 @@ allow syslogd_t self:unix_dgram_socket sendto;
allow syslogd_t self:fifo_file rw_fifo_file_perms;
allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
@ -38181,7 +38218,7 @@ index 59b04c1..e1ec2e8 100644
files_pid_filetrans(syslogd_t, devlog_t, sock_file)
# create/append log files.
@@ -389,30 +451,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
@@ -389,30 +454,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
@ -38232,7 +38269,7 @@ index 59b04c1..e1ec2e8 100644
# syslog-ng can listen and connect on tcp port 514 (rsh)
corenet_tcp_sendrecv_generic_if(syslogd_t)
corenet_tcp_sendrecv_generic_node(syslogd_t)
@@ -422,6 +501,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
@@ -422,6 +504,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
corenet_tcp_connect_rsh_port(syslogd_t)
# Allow users to define additional syslog ports to connect to
corenet_tcp_bind_syslogd_port(syslogd_t)
@ -38241,7 +38278,7 @@ index 59b04c1..e1ec2e8 100644
corenet_tcp_connect_syslogd_port(syslogd_t)
corenet_tcp_connect_postgresql_port(syslogd_t)
corenet_tcp_connect_mysqld_port(syslogd_t)
@@ -432,9 +513,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
@@ -432,9 +516,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t)
@ -38275,7 +38312,7 @@ index 59b04c1..e1ec2e8 100644
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
@@ -448,13 +552,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
@@ -448,13 +555,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
fs_getattr_all_fs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)
@ -38293,7 +38330,7 @@ index 59b04c1..e1ec2e8 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
@@ -466,11 +574,12 @@ init_use_fds(syslogd_t)
@@ -466,11 +577,12 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@ -38309,7 +38346,7 @@ index 59b04c1..e1ec2e8 100644
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
@@ -497,6 +606,7 @@ optional_policy(`
@@ -497,6 +609,7 @@ optional_policy(`
optional_policy(`
cron_manage_log_files(syslogd_t)
cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
@ -38317,7 +38354,7 @@ index 59b04c1..e1ec2e8 100644
')
optional_policy(`
@@ -507,15 +617,40 @@ optional_policy(`
@@ -507,15 +620,44 @@ optional_policy(`
')
optional_policy(`
@ -38354,11 +38391,15 @@ index 59b04c1..e1ec2e8 100644
+')
+
+optional_policy(`
+ systemd_rw_coredump_tmpfs_files(syslogd_t)
+')
+
+optional_policy(`
+ daemontools_search_svc_dir(syslogd_t)
')
optional_policy(`
@@ -526,3 +661,26 @@ optional_policy(`
@@ -526,3 +668,26 @@ optional_policy(`
# log to the xconsole
xserver_rw_console(syslogd_t)
')
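Review bot: `systemd_rw_coredump_tmpfs_files(syslogd_t)` grants the log daemon write access as well as read access to the core files systemd-coredump stages on tmpfs, since the interface added in systemd.if expands to `rw_file_perms` on `systemd_coredump_tmpfs_t:file`. If syslogd_t only needs to consume the dump handed to it, a read-only interface would keep crash data from being modifiable by the logger; if write really is required, the block should say why, e.g. `# TODO(review): document why write, not just read, access to coredump tmpfs files is needed`. The optional_policy block that holds the call sits entirely in the hunk, but the surrounding file context starts outside this view.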
@ -43551,10 +43592,10 @@ index a392fc4..78fa512 100644
+')
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
new file mode 100644
index 0000000..884ac5c
index 0000000..b53de2b
--- /dev/null
+++ b/policy/modules/system/systemd.fc
@@ -0,0 +1,59 @@
@@ -0,0 +1,61 @@
+HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0)
+/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0)
+
@ -43565,6 +43606,7 @@ index 0000000..884ac5c
+/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
+/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
+/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
+/bin/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
+
+/usr/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
+/usr/bin/systemd-gnome-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
@ -43596,6 +43638,7 @@ index 0000000..884ac5c
+/usr/lib/systemd/systemd-logger -- gen_context(system_u:object_r:systemd_logger_exec_t,s0)
+/usr/lib/systemd/systemd-networkd -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
+/usr/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
+/usr/lib/systemd/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
+
+/var/lib/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_lib_t,s0)
+/var/lib/systemd/rfkill(/.*)? gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0)
@ -43616,10 +43659,10 @@ index 0000000..884ac5c
+/var/run/initramfs(/.*)? <<none>>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
index 0000000..c253b33
index 0000000..300bf59
--- /dev/null
+++ b/policy/modules/system/systemd.if
@@ -0,0 +1,1640 @@
@@ -0,0 +1,1676 @@
+## <summary>SELinux policy for systemd components</summary>
+
+######################################
@ -45260,12 +45303,48 @@ index 0000000..c253b33
+ allow systemd_machined_t $1:dbus send_msg;
+ ps_process_pattern(systemd_machined_t, $1)
+')
+
+#######################################
+## <summary>
+## Execute a domain transition to run systemd-coredump.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_coredump_domtrans',`
+ gen_require(`
+ type systemd_coredump_t, systemd_coredump_exec_t;
+ ')
+
+ domtrans_pattern($1, systemd_coredump_exec_t, systemd_coredump_t)
+')
+
+########################################
+## <summary>
+## Read and write to systemd-coredump temporary file system.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_rw_coredump_tmpfs_files',`
+ gen_require(`
+ type systemd_coredump_tmpfs_t;
+ ')
+
+ allow $1 systemd_coredump_tmpfs_t:file rw_file_perms;
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
index 0000000..b4a073f
index 0000000..eb1b3c3
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,825 @@
@@ -0,0 +1,842 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@ -45301,6 +45380,11 @@ index 0000000..b4a073f
+files_security_file(random_seed_t)
+files_mountpoint(random_seed_t)
+
+systemd_domain_template(systemd_coredump)
+
+type systemd_coredump_tmpfs_t;
+files_tmpfs_file(systemd_coredump_tmpfs_t)
+
+systemd_domain_template(systemd_networkd)
+
+type systemd_networkd_unit_file_t;
@ -46052,6 +46136,18 @@ index 0000000..b4a073f
+
+logging_send_syslog_msg(systemd_sysctl_t)
+
+#######################################
+#
+# systemd_coredump domains
+#
+
+manage_files_pattern(systemd_coredump_t, systemd_coredump_tmpfs_t, systemd_coredump_tmpfs_t)
+fs_tmpfs_filetrans(systemd_coredump_t, systemd_coredump_tmpfs_t, file )
+
+optional_policy(`
+ unconfined_domain(systemd_coredump_t)
+')
+
+########################################
+#
+# Common rules for systemd domains
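Review bot: `unconfined_domain(systemd_coredump_t)` in the new systemd_coredump block leaves the handler with no confining policy, and nothing in the file marks this as the stop-gap the changelog describes ("Make new domain unconfined for now"), so the exception will outlive its reason unless it is labelled where it lives. A comment directly above the optional_policy block, e.g. `# Temporary: systemd-coredump runs unconfined until its access pattern is known; replace with explicit rules.`, would make that intent reviewable. Separately, `fs_tmpfs_filetrans(systemd_coredump_t, systemd_coredump_tmpfs_t, file )` carries a stray space before the closing parenthesis; `fs_tmpfs_filetrans(systemd_coredump_t, systemd_coredump_tmpfs_t, file)` matches the other calls in this file.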
@ -13298,7 +13298,7 @@ index 32e8265..c5a2913 100644
+ allow $1 chronyd_unit_file_t:service all_service_perms;
')
diff --git a/chronyd.te b/chronyd.te
index e5b621c..135100a 100644
index e5b621c..74e168f 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
@ -13329,7 +13329,7 @@ index e5b621c..135100a 100644
allow chronyd_t chronyd_keys_t:file read_file_perms;
manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
@@ -76,18 +83,38 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
@@ -76,18 +83,41 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
corenet_udp_bind_chronyd_port(chronyd_t)
corenet_udp_sendrecv_chronyd_port(chronyd_t)
@ -13355,6 +13355,9 @@ index e5b621c..135100a 100644
+systemd_exec_systemctl(chronyd_t)
+
+userdom_dgram_send(chronyd_t)
+
+optional_policy(`
+ dbus_system_bus_client(chronyd_t)
optional_policy(`
gpsd_rw_shm(chronyd_t)
@ -16066,7 +16069,7 @@ index 881d92f..a2d588a 100644
+ ')
')
diff --git a/condor.te b/condor.te
index ce9f040..32ebb0c 100644
index ce9f040..dc29445 100644
--- a/condor.te
+++ b/condor.te
@@ -34,7 +34,7 @@ files_tmp_file(condor_startd_tmp_t)
@ -16144,7 +16147,7 @@ index ce9f040..32ebb0c 100644
#
-allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace };
+allow condor_master_t self:capability { setuid setgid sys_ptrace };
+allow condor_master_t self:capability { chown setuid setgid sys_ptrace };
allow condor_master_t condor_domain:process { sigkill signal };
@ -19829,10 +19832,10 @@ index 8401fe6..d58f3e7 100644
/var/spool/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_spool_t,s0)
diff --git a/ctdb.if b/ctdb.if
index b25b01d..6b7d687 100644
index b25b01d..06895f3 100644
--- a/ctdb.if
+++ b/ctdb.if
@@ -1,9 +1,161 @@
@@ -1,9 +1,178 @@
-## <summary>Clustered Database based on Samba Trivial Database.</summary>
+
+## <summary>policy for ctdbd</summary>
@ -19891,6 +19894,23 @@ index b25b01d..6b7d687 100644
+ allow $1 ctdbd_t:process signal;
+')
+
+#######################################
+## <summary>
+## Allow domain to sigchld ctdbd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ctdbd_sigchld',`
+ gen_require(`
+ type ctdbd_t;
+ ')
+ allow $1 ctdbd_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Read ctdbd's log files.
@ -19997,7 +20017,7 @@ index b25b01d..6b7d687 100644
## </summary>
## <param name="domain">
## <summary>
@@ -17,13 +169,12 @@ interface(`ctdbd_manage_lib_files',`
@@ -17,13 +186,12 @@ interface(`ctdbd_manage_lib_files',`
')
files_search_var_lib($1)
@ -20014,7 +20034,7 @@ index b25b01d..6b7d687 100644
## </summary>
## <param name="domain">
## <summary>
@@ -31,19 +182,58 @@ interface(`ctdbd_manage_lib_files',`
@@ -31,19 +199,58 @@ interface(`ctdbd_manage_lib_files',`
## </summary>
## </param>
#
@ -20078,7 +20098,7 @@ index b25b01d..6b7d687 100644
## </summary>
## <param name="domain">
## <summary>
@@ -57,16 +247,19 @@ interface(`ctdbd_stream_connect',`
@@ -57,16 +264,19 @@ interface(`ctdbd_stream_connect',`
## </param>
## <rolecap/>
#
@ -20102,7 +20122,7 @@ index b25b01d..6b7d687 100644
domain_system_change_exemption($1)
role_transition $2 ctdbd_initrc_exec_t system_r;
allow $2 system_r;
@@ -74,12 +267,10 @@ interface(`ctdb_admin',`
@@ -74,12 +284,10 @@ interface(`ctdb_admin',`
logging_search_logs($1)
admin_pattern($1, ctdbd_log_t)
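Review bot: In the new `ctdbd_sigchld` interface the rule `allow $1 ctdbd_t:process sigchld;` follows the gen_require block's closing `')` with no separating blank line, unlike `ctdbd_signal` directly above it and the other interfaces in this file, which leave one blank line between the require block and the first rule. Inserting that blank line keeps the layout consistent and makes the require/rule boundary easy to scan. The interface body is otherwise minimal and correct for what its summary promises.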
@ -37248,10 +37268,10 @@ index 0000000..61f2003
+userdom_use_user_terminals(iotop_t)
diff --git a/ipa.fc b/ipa.fc
new file mode 100644
index 0000000..749756a
index 0000000..3a71430
--- /dev/null
+++ b/ipa.fc
@@ -0,0 +1,11 @@
@@ -0,0 +1,13 @@
|
||||
+/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0)
|
||||
+
|
||||
+/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
|
||||
@ -37261,6 +37281,8 @@ index 0000000..749756a
|
||||
+
|
||||
+/var/lib/ipa(/.*)? gen_context(system_u:object_r:ipa_var_lib_t,s0)
|
||||
+
|
||||
+/var/log/ipareplica-conncheck.log -- gen_context(system_u:object_r:ipa_log_t,s0)
|
||||
+
|
||||
+/var/run/ipa(/.*)? gen_context(system_u:object_r:ipa_var_run_t,s0)
|
||||
+
|
||||
diff --git a/ipa.if b/ipa.if
|
||||
@ -37449,10 +37471,10 @@ index 0000000..904782d
|
||||
+')
|
||||
diff --git a/ipa.te b/ipa.te
|
||||
new file mode 100644
|
||||
index 0000000..694c092
|
||||
index 0000000..af46439
|
||||
--- /dev/null
|
||||
+++ b/ipa.te
|
||||
@@ -0,0 +1,122 @@
|
||||
@@ -0,0 +1,130 @@
|
||||
+policy_module(ipa, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -37472,6 +37494,9 @@ index 0000000..694c092
|
||||
+type ipa_otpd_unit_file_t;
|
||||
+systemd_unit_file(ipa_otpd_unit_file_t)
|
||||
+
|
||||
+type ipa_log_t;
|
||||
+logging_log_file(ipa_log_t)
|
||||
+
|
||||
+type ipa_var_lib_t;
|
||||
+files_type(ipa_var_lib_t)
|
||||
+
|
||||
@ -37529,10 +37554,15 @@ index 0000000..694c092
|
||||
+allow ipa_helper_t self:fifo_file rw_fifo_file_perms;
|
||||
+allow ipa_helper_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
+
|
||||
+manage_files_pattern(ipa_helper_t, ipa_log_t, ipa_log_t)
|
||||
+logging_log_filetrans(ipa_helper_t, ipa_log_t, file)
|
||||
+
|
||||
+kernel_read_system_state(ipa_helper_t)
|
||||
+
|
||||
+corenet_tcp_connect_ldap_port(ipa_helper_t)
|
||||
+corenet_tcp_connect_smbd_port(ipa_helper_t)
|
||||
+corenet_tcp_connect_http_port(ipa_helper_t)
|
||||
+corenet_tcp_connect_kerberos_password_port(ipa_helper_t)
|
||||
+
|
||||
+corecmd_exec_bin(ipa_helper_t)
|
||||
+corecmd_exec_shell(ipa_helper_t)
|
||||
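Review bot: The new `logging_log_filetrans(ipa_helper_t, ipa_log_t, file)` is an unnamed transition, so any file ipa_helper_t creates directly under /var/log is labeled ipa_log_t, while the matching file context added in ipa.fc covers only `/var/log/ipareplica-conncheck.log`. Combined with the new `manage_files_pattern(ipa_helper_t, ipa_log_t, ipa_log_t)` this lets the helper create and delete arbitrarily named files in the log directory under a type it fully controls; if only the conncheck log is needed, a named transition `logging_log_filetrans(ipa_helper_t, ipa_log_t, file, "ipareplica-conncheck.log")` keeps the rule aligned with the fc entry. The two added corenet_tcp_connect_* lines also deserve a one-line why-comment, since the hunk gives no reason for them, e.g. `# replica conncheck reaches the peer's HTTP and kpasswd ports - BZ 1289930` if that is indeed the trigger. The ipa_helper_t policy block continues outside the hunk.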
@ -40563,10 +40593,10 @@ index 0000000..bd7e7fa
|
||||
+')
|
||||
diff --git a/keepalived.te b/keepalived.te
|
||||
new file mode 100644
|
||||
index 0000000..20adcb3
|
||||
index 0000000..8ab40b5
|
||||
--- /dev/null
|
||||
+++ b/keepalived.te
|
||||
@@ -0,0 +1,90 @@
|
||||
@@ -0,0 +1,91 @@
|
||||
+policy_module(keepalived, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -40613,6 +40643,7 @@ index 0000000..20adcb3
|
||||
+
|
||||
+corenet_tcp_connect_connlcli_port(keepalived_t)
|
||||
+corenet_tcp_connect_http_port(keepalived_t)
|
||||
+corenet_tcp_connect_mysqld_port(keepalived_t)
|
||||
+corenet_tcp_connect_smtp_port(keepalived_t)
|
||||
+corenet_tcp_connect_snmp_port(keepalived_t)
|
||||
+corenet_tcp_connect_agentx_port(keepalived_t)
|
||||
@ -44665,7 +44696,7 @@ index dd8e01a..9cd6b0b 100644
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
diff --git a/logrotate.te b/logrotate.te
|
||||
index be0ab84..08c168f 100644
|
||||
index be0ab84..24e669e 100644
|
||||
--- a/logrotate.te
|
||||
+++ b/logrotate.te
|
||||
@@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0)
|
||||
@ -44787,7 +44818,7 @@ index be0ab84..08c168f 100644
|
||||
files_manage_generic_spool(logrotate_t)
|
||||
files_manage_generic_spool_dirs(logrotate_t)
|
||||
files_getattr_generic_locks(logrotate_t)
|
||||
@@ -95,32 +123,51 @@ mls_process_write_to_clearance(logrotate_t)
|
||||
@@ -95,32 +123,52 @@ mls_process_write_to_clearance(logrotate_t)
|
||||
selinux_get_fs_mount(logrotate_t)
|
||||
selinux_get_enforce_mode(logrotate_t)
|
||||
|
||||
@ -44804,6 +44835,7 @@ index be0ab84..08c168f 100644
|
||||
logging_send_audit_msgs(logrotate_t)
|
||||
+# cjp: why is this needed?
|
||||
logging_exec_all_logs(logrotate_t)
|
||||
+logging_systemctl_syslogd(logrotate_t)
|
||||
|
||||
-miscfiles_read_localization(logrotate_t)
|
||||
+systemd_exec_systemctl(logrotate_t)
|
||||
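Review bot: `logging_systemctl_syslogd(logrotate_t)` together with `systemd_exec_systemctl(logrotate_t)` gives the logrotate domain control over the syslog unit with no comment explaining why, directly below an existing `# cjp: why is this needed?` on the neighbouring `logging_exec_all_logs` line. Rotating rsyslog typically only needs to signal the daemon (a postrotate that runs `systemctl kill -s HUP rsyslog`), which is narrower than whatever set of service permissions the new interface grants; its body is not visible here, so it is worth confirming it does not hand start/stop/disable of the logging service to a cron-driven domain. At minimum add `# rsyslog postrotate calls systemctl on the rsyslog unit - BZ 1284173` above the line so the next reader does not have to guess. The logrotate_t block continues outside the hunk.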
@ -44845,7 +44877,7 @@ index be0ab84..08c168f 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -135,16 +182,17 @@ optional_policy(`
|
||||
@@ -135,16 +183,17 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
apache_read_config(logrotate_t)
|
||||
@ -44865,7 +44897,7 @@ index be0ab84..08c168f 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -170,6 +218,11 @@ optional_policy(`
|
||||
@@ -170,6 +219,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -44877,7 +44909,7 @@ index be0ab84..08c168f 100644
|
||||
fail2ban_stream_connect(logrotate_t)
|
||||
')
|
||||
|
||||
@@ -178,7 +231,7 @@ optional_policy(`
|
||||
@@ -178,7 +232,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -44886,7 +44918,7 @@ index be0ab84..08c168f 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -198,17 +251,18 @@ optional_policy(`
|
||||
@@ -198,17 +252,18 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -44908,7 +44940,7 @@ index be0ab84..08c168f 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -216,6 +270,14 @@ optional_policy(`
|
||||
@@ -216,6 +271,14 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -44923,7 +44955,7 @@ index be0ab84..08c168f 100644
|
||||
samba_exec_log(logrotate_t)
|
||||
')
|
||||
|
||||
@@ -228,26 +290,43 @@ optional_policy(`
|
||||
@@ -228,26 +291,43 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -59456,10 +59488,10 @@ index bcd7d0a..0188086 100644
|
||||
+ unconfined_dontaudit_rw_packet_sockets(nscd_t)
|
||||
+')
|
||||
diff --git a/nsd.fc b/nsd.fc
|
||||
index 4f2b1b6..5348e92 100644
|
||||
index 4f2b1b6..adea830 100644
|
||||
--- a/nsd.fc
|
||||
+++ b/nsd.fc
|
||||
@@ -1,16 +1,13 @@
|
||||
@@ -1,16 +1,17 @@
|
||||
-/etc/rc\.d/init\.d/nsd -- gen_context(system_u:object_r:nsd_initrc_exec_t,s0)
|
||||
|
||||
-/etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0)
|
||||
@ -59480,6 +59512,10 @@ index 4f2b1b6..5348e92 100644
|
||||
-/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
|
||||
-/var/lib/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0)
|
||||
+/usr/sbin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0)
|
||||
+/usr/sbin/nsd-checkconf -- gen_context(system_u:object_r:nsd_exec_t,s0)
|
||||
+/usr/sbin/nsd-checkzone -- gen_context(system_u:object_r:nsd_exec_t,s0)
|
||||
+/usr/sbin/nsd-control -- gen_context(system_u:object_r:nsd_exec_t,s0)
|
||||
+/usr/sbin/nsd-control-setup -- gen_context(system_u:object_r:nsd_exec_t,s0)
|
||||
|
||||
+/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
|
||||
/var/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0)
|
||||
@ -59573,7 +59609,7 @@ index a9c60ff..ad4f14a 100644
|
||||
+ refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
diff --git a/nsd.te b/nsd.te
|
||||
index 47bb1d2..a97c60f 100644
|
||||
index 47bb1d2..3316c17 100644
|
||||
--- a/nsd.te
|
||||
+++ b/nsd.te
|
||||
@@ -9,9 +9,7 @@ type nsd_t;
|
||||
@ -59587,7 +59623,7 @@ index 47bb1d2..a97c60f 100644
|
||||
type nsd_conf_t;
|
||||
files_type(nsd_conf_t)
|
||||
|
||||
@@ -20,32 +18,28 @@ domain_type(nsd_crond_t)
|
||||
@@ -20,32 +18,31 @@ domain_type(nsd_crond_t)
|
||||
domain_entry_file(nsd_crond_t, nsd_exec_t)
|
||||
role system_r types nsd_crond_t;
|
||||
|
||||
@ -59602,13 +59638,17 @@ index 47bb1d2..a97c60f 100644
|
||||
+type nsd_zone_t alias nsd_db_t;
|
||||
files_type(nsd_zone_t)
|
||||
|
||||
+type nsd_tmp_t;
|
||||
+files_tmp_file(nsd_tmp_t)
|
||||
+
|
||||
########################################
|
||||
#
|
||||
-# Local policy
|
||||
+# NSD Local policy
|
||||
#
|
||||
|
||||
allow nsd_t self:capability { chown dac_override kill setgid setuid };
|
||||
-allow nsd_t self:capability { chown dac_override kill setgid setuid };
|
||||
+allow nsd_t self:capability { chown dac_override kill setgid setuid net_admin };
|
||||
dontaudit nsd_t self:capability sys_tty_config;
|
||||
allow nsd_t self:process signal_perms;
|
||||
+allow nsd_t self:tcp_socket create_stream_socket_perms;
|
||||
@ -59627,7 +59667,18 @@ index 47bb1d2..a97c60f 100644
|
||||
|
||||
manage_files_pattern(nsd_t, nsd_var_run_t, nsd_var_run_t)
|
||||
files_pid_filetrans(nsd_t, nsd_var_run_t, file)
|
||||
@@ -62,7 +56,6 @@ kernel_read_kernel_sysctls(nsd_t)
|
||||
@@ -55,6 +52,10 @@ manage_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
|
||||
manage_lnk_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
|
||||
files_var_lib_filetrans(nsd_t, nsd_zone_t, dir)
|
||||
|
||||
+manage_dirs_pattern(nsd_t, nsd_tmp_t, nsd_tmp_t)
|
||||
+manage_files_pattern(nsd_t, nsd_tmp_t, nsd_tmp_t)
|
||||
+files_tmp_filetrans(nsd_t, nsd_tmp_t, { file dir })
|
||||
+
|
||||
can_exec(nsd_t, nsd_exec_t)
|
||||
|
||||
kernel_read_system_state(nsd_t)
|
||||
@@ -62,7 +63,6 @@ kernel_read_kernel_sysctls(nsd_t)
|
||||
|
||||
corecmd_exec_bin(nsd_t)
|
||||
|
||||
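Review bot: The rewritten capability line grants nsd_t `net_admin`, which is far broader than an authoritative DNS daemon should need (it also covers interface, routing and netfilter configuration), and the hunk carries no comment justifying it. If the denial in BZ 1293146 comes from a socket-option call such as SO_RCVBUFFORCE for a large receive buffer, record that above the line (`# net_admin: nsd sets socket buffer sizes via SO_RCVBUFFORCE - BZ 1293146`, adjusted to the actual denial); if the daemon merely probes for the capability and works without it, `dontaudit nsd_t self:capability net_admin;` is the safer choice. The new nsd_tmp_t type and its `files_tmp_filetrans` look reasonable. nsd's local policy block continues outside the hunk.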
@ -59635,7 +59686,7 @@ index 47bb1d2..a97c60f 100644
|
||||
corenet_all_recvfrom_netlabel(nsd_t)
|
||||
corenet_tcp_sendrecv_generic_if(nsd_t)
|
||||
corenet_udp_sendrecv_generic_if(nsd_t)
|
||||
@@ -72,16 +65,17 @@ corenet_tcp_sendrecv_all_ports(nsd_t)
|
||||
@@ -72,16 +72,17 @@ corenet_tcp_sendrecv_all_ports(nsd_t)
|
||||
corenet_udp_sendrecv_all_ports(nsd_t)
|
||||
corenet_tcp_bind_generic_node(nsd_t)
|
||||
corenet_udp_bind_generic_node(nsd_t)
|
||||
@ -59655,7 +59706,7 @@ index 47bb1d2..a97c60f 100644
|
||||
|
||||
fs_getattr_all_fs(nsd_t)
|
||||
fs_search_auto_mountpoints(nsd_t)
|
||||
@@ -90,8 +84,6 @@ auth_use_nsswitch(nsd_t)
|
||||
@@ -90,8 +91,6 @@ auth_use_nsswitch(nsd_t)
|
||||
|
||||
logging_send_syslog_msg(nsd_t)
|
||||
|
||||
@ -59664,7 +59715,7 @@ index 47bb1d2..a97c60f 100644
|
||||
userdom_dontaudit_use_unpriv_user_fds(nsd_t)
|
||||
userdom_dontaudit_search_user_home_dirs(nsd_t)
|
||||
|
||||
@@ -105,23 +97,24 @@ optional_policy(`
|
||||
@@ -105,23 +104,24 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -59697,7 +59748,7 @@ index 47bb1d2..a97c60f 100644
|
||||
|
||||
manage_files_pattern(nsd_crond_t, nsd_zone_t, nsd_zone_t)
|
||||
filetrans_pattern(nsd_crond_t, nsd_conf_t, nsd_zone_t, file)
|
||||
@@ -133,27 +126,27 @@ kernel_read_system_state(nsd_crond_t)
|
||||
@@ -133,27 +133,27 @@ kernel_read_system_state(nsd_crond_t)
|
||||
corecmd_exec_bin(nsd_crond_t)
|
||||
corecmd_exec_shell(nsd_crond_t)
|
||||
|
||||
@ -65138,7 +65189,7 @@ index 9b15730..cb00f20 100644
|
||||
+ ')
|
||||
')
|
||||
diff --git a/openvswitch.te b/openvswitch.te
|
||||
index 44dbc99..a17af8b 100644
|
||||
index 44dbc99..fce33b0 100644
|
||||
--- a/openvswitch.te
|
||||
+++ b/openvswitch.te
|
||||
@@ -9,11 +9,8 @@ type openvswitch_t;
|
||||
@ -65204,7 +65255,7 @@ index 44dbc99..a17af8b 100644
|
||||
manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
|
||||
logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
|
||||
|
||||
@@ -65,33 +69,47 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
|
||||
@@ -65,33 +69,48 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
|
||||
manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
|
||||
files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
|
||||
|
||||
@ -65240,9 +65291,10 @@ index 44dbc99..a17af8b 100644
|
||||
|
||||
fs_getattr_all_fs(openvswitch_t)
|
||||
fs_search_cgroup_dirs(openvswitch_t)
|
||||
|
||||
+auth_use_nsswitch(openvswitch_t)
|
||||
+fs_rw_hugetlbfs_files(openvswitch_t)
|
||||
+
|
||||
+auth_use_nsswitch(openvswitch_t)
|
||||
|
||||
logging_send_syslog_msg(openvswitch_t)
|
||||
|
||||
-miscfiles_read_localization(openvswitch_t)
|
||||
@ -92007,7 +92059,7 @@ index 50d07fb..e9569d2 100644
|
||||
+ allow $1 samba_unit_file_t:service all_service_perms;
|
||||
')
|
||||
diff --git a/samba.te b/samba.te
|
||||
index 2b7c441..0232e85 100644
|
||||
index 2b7c441..ca83568 100644
|
||||
--- a/samba.te
|
||||
+++ b/samba.te
|
||||
@@ -6,99 +6,86 @@ policy_module(samba, 1.16.3)
|
||||
@ -92835,7 +92887,7 @@ index 2b7c441..0232e85 100644
|
||||
|
||||
samba_read_config(smbcontrol_t)
|
||||
samba_search_var(smbcontrol_t)
|
||||
@@ -627,16 +716,13 @@ domain_use_interactive_fds(smbcontrol_t)
|
||||
@@ -627,39 +716,38 @@ domain_use_interactive_fds(smbcontrol_t)
|
||||
|
||||
dev_read_urand(smbcontrol_t)
|
||||
|
||||
@ -92854,7 +92906,8 @@ index 2b7c441..0232e85 100644
|
||||
|
||||
optional_policy(`
|
||||
ctdbd_stream_connect(smbcontrol_t)
|
||||
@@ -644,22 +730,23 @@ optional_policy(`
|
||||
+ ctdbd_sigchld(smbcontrol_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -92886,7 +92939,7 @@ index 2b7c441..0232e85 100644
|
||||
|
||||
allow smbmount_t samba_secrets_t:file manage_file_perms;
|
||||
|
||||
@@ -668,26 +755,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
|
||||
@@ -668,26 +756,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
|
||||
manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
|
||||
files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
|
||||
|
||||
@ -92922,7 +92975,7 @@ index 2b7c441..0232e85 100644
|
||||
|
||||
fs_getattr_cifs(smbmount_t)
|
||||
fs_mount_cifs(smbmount_t)
|
||||
@@ -699,58 +782,77 @@ fs_read_cifs_files(smbmount_t)
|
||||
@@ -699,58 +783,77 @@ fs_read_cifs_files(smbmount_t)
|
||||
storage_raw_read_fixed_disk(smbmount_t)
|
||||
storage_raw_write_fixed_disk(smbmount_t)
|
||||
|
||||
@ -93014,7 +93067,7 @@ index 2b7c441..0232e85 100644
|
||||
|
||||
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
|
||||
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
|
||||
@@ -759,17 +861,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
|
||||
@@ -759,17 +862,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
|
||||
manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
|
||||
files_pid_filetrans(swat_t, swat_var_run_t, file)
|
||||
|
||||
@ -93038,7 +93091,7 @@ index 2b7c441..0232e85 100644
|
||||
|
||||
kernel_read_kernel_sysctls(swat_t)
|
||||
kernel_read_system_state(swat_t)
|
||||
@@ -777,36 +875,25 @@ kernel_read_network_state(swat_t)
|
||||
@@ -777,36 +876,25 @@ kernel_read_network_state(swat_t)
|
||||
|
||||
corecmd_search_bin(swat_t)
|
||||
|
||||
@ -93081,7 +93134,7 @@ index 2b7c441..0232e85 100644
|
||||
|
||||
auth_domtrans_chk_passwd(swat_t)
|
||||
auth_use_nsswitch(swat_t)
|
||||
@@ -818,10 +905,11 @@ logging_send_syslog_msg(swat_t)
|
||||
@@ -818,10 +906,11 @@ logging_send_syslog_msg(swat_t)
|
||||
logging_send_audit_msgs(swat_t)
|
||||
logging_search_logs(swat_t)
|
||||
|
||||
@ -93095,7 +93148,7 @@ index 2b7c441..0232e85 100644
|
||||
optional_policy(`
|
||||
cups_read_rw_config(swat_t)
|
||||
cups_stream_connect(swat_t)
|
||||
@@ -840,17 +928,20 @@ optional_policy(`
|
||||
@@ -840,17 +929,20 @@ optional_policy(`
|
||||
# Winbind local policy
|
||||
#
|
||||
|
||||
@ -93121,7 +93174,7 @@ index 2b7c441..0232e85 100644
|
||||
|
||||
allow winbind_t samba_etc_t:dir list_dir_perms;
|
||||
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
|
||||
@@ -860,9 +951,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
|
||||
@@ -860,9 +952,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
|
||||
filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
|
||||
|
||||
manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
|
||||
@ -93132,7 +93185,7 @@ index 2b7c441..0232e85 100644
|
||||
manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
|
||||
|
||||
manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
|
||||
@@ -873,38 +962,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
|
||||
@@ -873,38 +963,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
|
||||
|
||||
rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
|
||||
|
||||
@ -93186,7 +93239,7 @@ index 2b7c441..0232e85 100644
|
||||
corenet_tcp_connect_smbd_port(winbind_t)
|
||||
corenet_tcp_connect_epmap_port(winbind_t)
|
||||
corenet_tcp_connect_all_unreserved_ports(winbind_t)
|
||||
@@ -912,38 +1005,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
|
||||
@@ -912,38 +1006,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
|
||||
dev_read_sysfs(winbind_t)
|
||||
dev_read_urand(winbind_t)
|
||||
|
||||
@ -93245,7 +93298,7 @@ index 2b7c441..0232e85 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -959,31 +1066,36 @@ optional_policy(`
|
||||
@@ -959,31 +1067,36 @@ optional_policy(`
|
||||
# Winbind helper local policy
|
||||
#
|
||||
|
||||
@ -93289,7 +93342,7 @@ index 2b7c441..0232e85 100644
|
||||
|
||||
optional_policy(`
|
||||
apache_append_log(winbind_helper_t)
|
||||
@@ -997,25 +1109,38 @@ optional_policy(`
|
||||
@@ -997,25 +1110,38 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 165%{?dist}
|
||||
Release: 166%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -664,6 +664,25 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Jan 13 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-166
|
||||
- Allow logrotate to systemctl rsyslog service. BZ(1284173)
|
||||
- Allow condor_master_t domain capability chown. BZ(1297048)
|
||||
- Allow chronyd to be dbus bus client. BZ(1297129)
|
||||
- Allow openvswitch read/write hugetlb filesystem.
|
||||
- Revert "Allow openvswitch read/write hugetlb filesystem."
|
||||
- Allow smbcontrol domain to send sigchld to ctdbd domain.
|
||||
- Allow openvswitch read/write hugetlb filesystem.
|
||||
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
|
||||
- Label /var/log/ipareplica-conncheck.log file as ipa_log_t Allow ipa_helper_t domain to manage logs labeledas ipa_log_t Allow ipa_helper_t to connect on http and kerberos_passwd ports. BZ(1289930)
|
||||
- Allow keepalived to connect to 3306/tcp port - mysqld_port_t.
|
||||
- Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib
|
||||
- Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib
|
||||
- Merge pull request #86 from rhatdan/rawhide-contrib
|
||||
- Label some new nsd binaries as nsd_exec_t Allow nsd domain net_admin cap. Create label nsd_tmp_t for nsd tmp files/dirs BZ (1293146)
|
||||
- Added interface logging_systemctl_syslogd
|
||||
- Label rsyslog unit file
|
||||
- Added policy for systemd-coredump service. Added domain transition from kernel_t to systemd_coredump_t. Allow syslogd_t domain to read/write tmpfs systemd-coredump files. Make new domain uconfined for now.
|
||||
|
||||
* Wed Jan 06 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-165
|
||||
- Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085)
|
||||
- Revert "Allow arping running as netutils_t sys_module capability for removing tap devices."
|
||||
|