- Add more aliases in pegasus.te
- Add more fixes for *_admin interfaces - Add interface fixes - Allow nscd to stream connect to nmbd - Allow gnupg apps to write to pcscd socket - Add more fixes for openlmi provides. Fix naming and support for a - Allow fetchmail to resolve host names - Allow firewalld to interact also with lnk files labeled as firewa - Add labeling for cmpiLMI_Fan-cimprovagt - Allow net_admin for glusterd - Allow telepathy domain to create dconf with correct labeling in / - Add pegasus_openlmi_system_t - Fix puppet_domtrans_master() to make all puppet calling working i - Fix corecmd_exec_chroot() - Fix logging_relabel_syslog_pid_socket interface - Fix typo in unconfineduser.te - Allow system_r to access unconfined_dbusd_t to run hp_chec
parent
6655c4c00e
commit
5ed54459f6
@ -3381,7 +3381,7 @@ index 644d4d7..51181b8 100644
|
|||||||
+/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
+/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
+/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0)
|
+/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
|
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
|
||||||
index 9e9263a..979f47f 100644
|
index 9e9263a..43cdcb9 100644
|
||||||
--- a/policy/modules/kernel/corecommands.if
|
--- a/policy/modules/kernel/corecommands.if
|
||||||
+++ b/policy/modules/kernel/corecommands.if
|
+++ b/policy/modules/kernel/corecommands.if
|
||||||
@@ -8,6 +8,22 @@
|
@@ -8,6 +8,22 @@
|
||||||
@ -3508,7 +3508,15 @@ index 9e9263a..979f47f 100644
|
|||||||
mmap_files_pattern($1, bin_t, bin_t)
|
mmap_files_pattern($1, bin_t, bin_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -954,6 +999,24 @@ interface(`corecmd_exec_chroot',`
|
@@ -945,6 +990,7 @@ interface(`corecmd_shell_domtrans',`
|
||||||
|
interface(`corecmd_exec_chroot',`
|
||||||
|
gen_require(`
|
||||||
|
type chroot_exec_t;
|
||||||
|
+ type bin_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
read_lnk_files_pattern($1, bin_t, bin_t)
|
||||||
|
@@ -954,6 +1000,24 @@ interface(`corecmd_exec_chroot',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -3533,7 +3541,7 @@ index 9e9263a..979f47f 100644
|
|||||||
## Get the attributes of all executable files.
|
## Get the attributes of all executable files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -1012,6 +1075,10 @@ interface(`corecmd_exec_all_executables',`
|
@@ -1012,6 +1076,10 @@ interface(`corecmd_exec_all_executables',`
|
||||||
can_exec($1, exec_type)
|
can_exec($1, exec_type)
|
||||||
list_dirs_pattern($1, bin_t, bin_t)
|
list_dirs_pattern($1, bin_t, bin_t)
|
||||||
read_lnk_files_pattern($1, bin_t, exec_type)
|
read_lnk_files_pattern($1, bin_t, exec_type)
|
||||||
@ -3544,7 +3552,7 @@ index 9e9263a..979f47f 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1049,6 +1116,7 @@ interface(`corecmd_manage_all_executables',`
|
@@ -1049,6 +1117,7 @@ interface(`corecmd_manage_all_executables',`
|
||||||
type bin_t;
|
type bin_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -3552,7 +3560,7 @@ index 9e9263a..979f47f 100644
|
|||||||
manage_files_pattern($1, bin_t, exec_type)
|
manage_files_pattern($1, bin_t, exec_type)
|
||||||
manage_lnk_files_pattern($1, bin_t, bin_t)
|
manage_lnk_files_pattern($1, bin_t, bin_t)
|
||||||
')
|
')
|
||||||
@@ -1091,3 +1159,36 @@ interface(`corecmd_mmap_all_executables',`
|
@@ -1091,3 +1160,36 @@ interface(`corecmd_mmap_all_executables',`
|
||||||
|
|
||||||
mmap_files_pattern($1, bin_t, exec_type)
|
mmap_files_pattern($1, bin_t, exec_type)
|
||||||
')
|
')
|
||||||
@ -18381,10 +18389,10 @@ index 0000000..cf6582f
|
|||||||
+
|
+
|
||||||
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
|
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..3c3b9b3
|
index 0000000..d74943c
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/roles/unconfineduser.te
|
+++ b/policy/modules/roles/unconfineduser.te
|
||||||
@@ -0,0 +1,331 @@
|
@@ -0,0 +1,332 @@
|
||||||
+policy_module(unconfineduser, 1.0.0)
|
+policy_module(unconfineduser, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -18574,6 +18582,7 @@ index 0000000..3c3b9b3
|
|||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ dbus_role_template(unconfined, unconfined_r, unconfined_t)
|
+ dbus_role_template(unconfined, unconfined_r, unconfined_t)
|
||||||
|
+ role system_r types unconfined_dbusd_t;
|
||||||
+
|
+
|
||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
+ unconfined_domain(unconfined_dbusd_t)
|
+ unconfined_domain(unconfined_dbusd_t)
|
||||||
@ -22530,7 +22539,7 @@ index 6bf0ecc..d740738 100644
|
|||||||
+ dontaudit $1 xserver_log_t:dir search_dir_perms;
|
+ dontaudit $1 xserver_log_t:dir search_dir_perms;
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
|
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
|
||||||
index 2696452..63fd06a 100644
|
index 2696452..0426df3 100644
|
||||||
--- a/policy/modules/services/xserver.te
|
--- a/policy/modules/services/xserver.te
|
||||||
+++ b/policy/modules/services/xserver.te
|
+++ b/policy/modules/services/xserver.te
|
||||||
@@ -26,28 +26,59 @@ gen_require(`
|
@@ -26,28 +26,59 @@ gen_require(`
|
||||||
@ -22876,7 +22885,7 @@ index 2696452..63fd06a 100644
|
|||||||
ssh_sigchld(xauth_t)
|
ssh_sigchld(xauth_t)
|
||||||
ssh_read_pipes(xauth_t)
|
ssh_read_pipes(xauth_t)
|
||||||
ssh_dontaudit_rw_tcp_sockets(xauth_t)
|
ssh_dontaudit_rw_tcp_sockets(xauth_t)
|
||||||
@@ -299,64 +408,108 @@ optional_policy(`
|
@@ -299,64 +408,109 @@ optional_policy(`
|
||||||
# XDM Local policy
|
# XDM Local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -22903,10 +22912,11 @@ index 2696452..63fd06a 100644
|
|||||||
allow xdm_t self:socket create_socket_perms;
|
allow xdm_t self:socket create_socket_perms;
|
||||||
allow xdm_t self:appletalk_socket create_socket_perms;
|
allow xdm_t self:appletalk_socket create_socket_perms;
|
||||||
allow xdm_t self:key { search link write };
|
allow xdm_t self:key { search link write };
|
||||||
|
+allow xdm_t self:dbus { send_msg acquire_svc };
|
||||||
|
+
|
||||||
|
+allow xdm_t xauth_home_t:file manage_file_perms;
|
||||||
|
|
||||||
-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
|
-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
|
||||||
+allow xdm_t xauth_home_t:file manage_file_perms;
|
|
||||||
+
|
|
||||||
+allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
|
+allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
|
||||||
+manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
|
+manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||||
+manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
|
+manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||||
@ -22995,7 +23005,7 @@ index 2696452..63fd06a 100644
|
|||||||
|
|
||||||
# connect to xdm xserver over stream socket
|
# connect to xdm xserver over stream socket
|
||||||
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
||||||
@@ -365,20 +518,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
@@ -365,20 +519,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
||||||
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
|
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
|
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
|
|
||||||
@ -23025,7 +23035,7 @@ index 2696452..63fd06a 100644
|
|||||||
corenet_all_recvfrom_netlabel(xdm_t)
|
corenet_all_recvfrom_netlabel(xdm_t)
|
||||||
corenet_tcp_sendrecv_generic_if(xdm_t)
|
corenet_tcp_sendrecv_generic_if(xdm_t)
|
||||||
corenet_udp_sendrecv_generic_if(xdm_t)
|
corenet_udp_sendrecv_generic_if(xdm_t)
|
||||||
@@ -388,38 +548,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
|
@@ -388,38 +549,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
|
||||||
corenet_udp_sendrecv_all_ports(xdm_t)
|
corenet_udp_sendrecv_all_ports(xdm_t)
|
||||||
corenet_tcp_bind_generic_node(xdm_t)
|
corenet_tcp_bind_generic_node(xdm_t)
|
||||||
corenet_udp_bind_generic_node(xdm_t)
|
corenet_udp_bind_generic_node(xdm_t)
|
||||||
@ -23078,7 +23088,7 @@ index 2696452..63fd06a 100644
|
|||||||
|
|
||||||
files_read_etc_files(xdm_t)
|
files_read_etc_files(xdm_t)
|
||||||
files_read_var_files(xdm_t)
|
files_read_var_files(xdm_t)
|
||||||
@@ -430,9 +600,28 @@ files_list_mnt(xdm_t)
|
@@ -430,9 +601,28 @@ files_list_mnt(xdm_t)
|
||||||
files_read_usr_files(xdm_t)
|
files_read_usr_files(xdm_t)
|
||||||
# Poweroff wants to create the /poweroff file when run from xdm
|
# Poweroff wants to create the /poweroff file when run from xdm
|
||||||
files_create_boot_flag(xdm_t)
|
files_create_boot_flag(xdm_t)
|
||||||
@ -23107,7 +23117,7 @@ index 2696452..63fd06a 100644
|
|||||||
|
|
||||||
storage_dontaudit_read_fixed_disk(xdm_t)
|
storage_dontaudit_read_fixed_disk(xdm_t)
|
||||||
storage_dontaudit_write_fixed_disk(xdm_t)
|
storage_dontaudit_write_fixed_disk(xdm_t)
|
||||||
@@ -441,28 +630,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
|
@@ -441,28 +631,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
|
||||||
storage_dontaudit_raw_write_removable_device(xdm_t)
|
storage_dontaudit_raw_write_removable_device(xdm_t)
|
||||||
storage_dontaudit_setattr_removable_dev(xdm_t)
|
storage_dontaudit_setattr_removable_dev(xdm_t)
|
||||||
storage_dontaudit_rw_scsi_generic(xdm_t)
|
storage_dontaudit_rw_scsi_generic(xdm_t)
|
||||||
@ -23156,7 +23166,7 @@ index 2696452..63fd06a 100644
|
|||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
|
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
|
||||||
userdom_create_all_users_keys(xdm_t)
|
userdom_create_all_users_keys(xdm_t)
|
||||||
@@ -471,24 +677,144 @@ userdom_read_user_home_content_files(xdm_t)
|
@@ -471,24 +678,144 @@ userdom_read_user_home_content_files(xdm_t)
|
||||||
# Search /proc for any user domain processes.
|
# Search /proc for any user domain processes.
|
||||||
userdom_read_all_users_state(xdm_t)
|
userdom_read_all_users_state(xdm_t)
|
||||||
userdom_signal_all_users(xdm_t)
|
userdom_signal_all_users(xdm_t)
|
||||||
@ -23307,7 +23317,7 @@ index 2696452..63fd06a 100644
|
|||||||
tunable_policy(`xdm_sysadm_login',`
|
tunable_policy(`xdm_sysadm_login',`
|
||||||
userdom_xsession_spec_domtrans_all_users(xdm_t)
|
userdom_xsession_spec_domtrans_all_users(xdm_t)
|
||||||
# FIXME:
|
# FIXME:
|
||||||
@@ -502,11 +828,26 @@ tunable_policy(`xdm_sysadm_login',`
|
@@ -502,11 +829,26 @@ tunable_policy(`xdm_sysadm_login',`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -23334,7 +23344,7 @@ index 2696452..63fd06a 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -514,12 +855,56 @@ optional_policy(`
|
@@ -514,12 +856,56 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -23391,7 +23401,7 @@ index 2696452..63fd06a 100644
|
|||||||
hostname_exec(xdm_t)
|
hostname_exec(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -537,28 +922,78 @@ optional_policy(`
|
@@ -537,28 +923,78 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -23479,7 +23489,7 @@ index 2696452..63fd06a 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -570,6 +1005,14 @@ optional_policy(`
|
@@ -570,6 +1006,14 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -23494,7 +23504,7 @@ index 2696452..63fd06a 100644
|
|||||||
xfs_stream_connect(xdm_t)
|
xfs_stream_connect(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -594,8 +1037,11 @@ allow xserver_t input_xevent_t:x_event send;
|
@@ -594,8 +1038,11 @@ allow xserver_t input_xevent_t:x_event send;
|
||||||
# execheap needed until the X module loader is fixed.
|
# execheap needed until the X module loader is fixed.
|
||||||
# NVIDIA Needs execstack
|
# NVIDIA Needs execstack
|
||||||
|
|
||||||
@ -23507,7 +23517,7 @@ index 2696452..63fd06a 100644
|
|||||||
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||||
allow xserver_t self:fd use;
|
allow xserver_t self:fd use;
|
||||||
allow xserver_t self:fifo_file rw_fifo_file_perms;
|
allow xserver_t self:fifo_file rw_fifo_file_perms;
|
||||||
@@ -608,8 +1054,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
|
@@ -608,8 +1055,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||||
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||||
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow xserver_t self:udp_socket create_socket_perms;
|
allow xserver_t self:udp_socket create_socket_perms;
|
||||||
@ -23523,7 +23533,7 @@ index 2696452..63fd06a 100644
|
|||||||
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
@@ -617,6 +1070,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
|
@@ -617,6 +1071,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
|
||||||
|
|
||||||
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
|
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
|
||||||
|
|
||||||
@ -23534,7 +23544,7 @@ index 2696452..63fd06a 100644
|
|||||||
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||||
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||||
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||||
@@ -628,12 +1085,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
@@ -628,12 +1086,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||||
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||||
files_search_var_lib(xserver_t)
|
files_search_var_lib(xserver_t)
|
||||||
|
|
||||||
@ -23556,7 +23566,7 @@ index 2696452..63fd06a 100644
|
|||||||
|
|
||||||
kernel_read_system_state(xserver_t)
|
kernel_read_system_state(xserver_t)
|
||||||
kernel_read_device_sysctls(xserver_t)
|
kernel_read_device_sysctls(xserver_t)
|
||||||
@@ -641,12 +1105,12 @@ kernel_read_modprobe_sysctls(xserver_t)
|
@@ -641,12 +1106,12 @@ kernel_read_modprobe_sysctls(xserver_t)
|
||||||
# Xorg wants to check if kernel is tainted
|
# Xorg wants to check if kernel is tainted
|
||||||
kernel_read_kernel_sysctls(xserver_t)
|
kernel_read_kernel_sysctls(xserver_t)
|
||||||
kernel_write_proc_files(xserver_t)
|
kernel_write_proc_files(xserver_t)
|
||||||
@ -23570,7 +23580,7 @@ index 2696452..63fd06a 100644
|
|||||||
corenet_all_recvfrom_netlabel(xserver_t)
|
corenet_all_recvfrom_netlabel(xserver_t)
|
||||||
corenet_tcp_sendrecv_generic_if(xserver_t)
|
corenet_tcp_sendrecv_generic_if(xserver_t)
|
||||||
corenet_udp_sendrecv_generic_if(xserver_t)
|
corenet_udp_sendrecv_generic_if(xserver_t)
|
||||||
@@ -667,23 +1131,28 @@ dev_rw_apm_bios(xserver_t)
|
@@ -667,23 +1132,28 @@ dev_rw_apm_bios(xserver_t)
|
||||||
dev_rw_agp(xserver_t)
|
dev_rw_agp(xserver_t)
|
||||||
dev_rw_framebuffer(xserver_t)
|
dev_rw_framebuffer(xserver_t)
|
||||||
dev_manage_dri_dev(xserver_t)
|
dev_manage_dri_dev(xserver_t)
|
||||||
@ -23602,7 +23612,7 @@ index 2696452..63fd06a 100644
|
|||||||
|
|
||||||
# brought on by rhgb
|
# brought on by rhgb
|
||||||
files_search_mnt(xserver_t)
|
files_search_mnt(xserver_t)
|
||||||
@@ -694,7 +1163,16 @@ fs_getattr_xattr_fs(xserver_t)
|
@@ -694,7 +1164,16 @@ fs_getattr_xattr_fs(xserver_t)
|
||||||
fs_search_nfs(xserver_t)
|
fs_search_nfs(xserver_t)
|
||||||
fs_search_auto_mountpoints(xserver_t)
|
fs_search_auto_mountpoints(xserver_t)
|
||||||
fs_search_ramfs(xserver_t)
|
fs_search_ramfs(xserver_t)
|
||||||
@ -23620,7 +23630,7 @@ index 2696452..63fd06a 100644
|
|||||||
mls_xwin_read_to_clearance(xserver_t)
|
mls_xwin_read_to_clearance(xserver_t)
|
||||||
|
|
||||||
selinux_validate_context(xserver_t)
|
selinux_validate_context(xserver_t)
|
||||||
@@ -708,20 +1186,18 @@ init_getpgid(xserver_t)
|
@@ -708,20 +1187,18 @@ init_getpgid(xserver_t)
|
||||||
term_setattr_unallocated_ttys(xserver_t)
|
term_setattr_unallocated_ttys(xserver_t)
|
||||||
term_use_unallocated_ttys(xserver_t)
|
term_use_unallocated_ttys(xserver_t)
|
||||||
|
|
||||||
@ -23644,7 +23654,7 @@ index 2696452..63fd06a 100644
|
|||||||
|
|
||||||
userdom_search_user_home_dirs(xserver_t)
|
userdom_search_user_home_dirs(xserver_t)
|
||||||
userdom_use_user_ttys(xserver_t)
|
userdom_use_user_ttys(xserver_t)
|
||||||
@@ -729,8 +1205,6 @@ userdom_setattr_user_ttys(xserver_t)
|
@@ -729,8 +1206,6 @@ userdom_setattr_user_ttys(xserver_t)
|
||||||
userdom_read_user_tmp_files(xserver_t)
|
userdom_read_user_tmp_files(xserver_t)
|
||||||
userdom_rw_user_tmpfs_files(xserver_t)
|
userdom_rw_user_tmpfs_files(xserver_t)
|
||||||
|
|
||||||
@ -23653,7 +23663,7 @@ index 2696452..63fd06a 100644
|
|||||||
ifndef(`distro_redhat',`
|
ifndef(`distro_redhat',`
|
||||||
allow xserver_t self:process { execmem execheap execstack };
|
allow xserver_t self:process { execmem execheap execstack };
|
||||||
domain_mmap_low_uncond(xserver_t)
|
domain_mmap_low_uncond(xserver_t)
|
||||||
@@ -775,16 +1249,44 @@ optional_policy(`
|
@@ -775,16 +1250,44 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -23699,7 +23709,7 @@ index 2696452..63fd06a 100644
|
|||||||
unconfined_domtrans(xserver_t)
|
unconfined_domtrans(xserver_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -793,6 +1295,10 @@ optional_policy(`
|
@@ -793,6 +1296,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -23710,7 +23720,7 @@ index 2696452..63fd06a 100644
|
|||||||
xfs_stream_connect(xserver_t)
|
xfs_stream_connect(xserver_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -808,10 +1314,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
|
@@ -808,10 +1315,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
|
||||||
|
|
||||||
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
|
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
|
||||||
# handle of a file inside the dir!!!
|
# handle of a file inside the dir!!!
|
||||||
@ -23724,7 +23734,7 @@ index 2696452..63fd06a 100644
|
|||||||
|
|
||||||
# Label pid and temporary files with derived types.
|
# Label pid and temporary files with derived types.
|
||||||
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||||
@@ -819,7 +1325,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
@@ -819,7 +1326,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||||
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||||
|
|
||||||
# Run xkbcomp.
|
# Run xkbcomp.
|
||||||
@ -23733,7 +23743,7 @@ index 2696452..63fd06a 100644
|
|||||||
can_exec(xserver_t, xkb_var_lib_t)
|
can_exec(xserver_t, xkb_var_lib_t)
|
||||||
|
|
||||||
# VNC v4 module in X server
|
# VNC v4 module in X server
|
||||||
@@ -832,26 +1338,21 @@ init_use_fds(xserver_t)
|
@@ -832,26 +1339,21 @@ init_use_fds(xserver_t)
|
||||||
# to read ROLE_home_t - examine this in more detail
|
# to read ROLE_home_t - examine this in more detail
|
||||||
# (xauth?)
|
# (xauth?)
|
||||||
userdom_read_user_home_content_files(xserver_t)
|
userdom_read_user_home_content_files(xserver_t)
|
||||||
@ -23768,7 +23778,7 @@ index 2696452..63fd06a 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -902,7 +1403,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
|
@@ -902,7 +1404,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
|
||||||
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
|
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
|
||||||
# operations allowed on my windows
|
# operations allowed on my windows
|
||||||
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
||||||
@ -23777,7 +23787,7 @@ index 2696452..63fd06a 100644
|
|||||||
# operations allowed on all windows
|
# operations allowed on all windows
|
||||||
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
|
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
|
||||||
|
|
||||||
@@ -956,11 +1457,31 @@ allow x_domain self:x_resource { read write };
|
@@ -956,11 +1458,31 @@ allow x_domain self:x_resource { read write };
|
||||||
# can mess with the screensaver
|
# can mess with the screensaver
|
||||||
allow x_domain xserver_t:x_screen { getattr saver_getattr };
|
allow x_domain xserver_t:x_screen { getattr saver_getattr };
|
||||||
|
|
||||||
@ -23809,7 +23819,7 @@ index 2696452..63fd06a 100644
|
|||||||
tunable_policy(`! xserver_object_manager',`
|
tunable_policy(`! xserver_object_manager',`
|
||||||
# should be xserver_unconfined(x_domain),
|
# should be xserver_unconfined(x_domain),
|
||||||
# but typeattribute doesnt work in conditionals
|
# but typeattribute doesnt work in conditionals
|
||||||
@@ -982,18 +1503,150 @@ tunable_policy(`! xserver_object_manager',`
|
@@ -982,18 +1504,150 @@ tunable_policy(`! xserver_object_manager',`
|
||||||
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
|
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -30235,7 +30245,7 @@ index b50c5fe..2faaaf2 100644
|
|||||||
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||||
+
|
+
|
||||||
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
|
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
|
||||||
index 4e94884..55d2481 100644
|
index 4e94884..9b82ed0 100644
|
||||||
--- a/policy/modules/system/logging.if
|
--- a/policy/modules/system/logging.if
|
||||||
+++ b/policy/modules/system/logging.if
|
+++ b/policy/modules/system/logging.if
|
||||||
@@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
|
@@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
|
||||||
@ -30397,7 +30407,7 @@ index 4e94884..55d2481 100644
|
|||||||
+#
|
+#
|
||||||
+interface(`logging_relabel_syslog_pid_socket',`
|
+interface(`logging_relabel_syslog_pid_socket',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ type devlog_t;
|
+ type syslogd_var_run_t;
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms;
|
+ allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms;
|
||||||
|
@ -9774,10 +9774,15 @@ index 4ec0626..88e7e89 100644
|
|||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fds(canna_t)
|
userdom_dontaudit_use_unpriv_user_fds(canna_t)
|
||||||
diff --git a/ccs.if b/ccs.if
|
diff --git a/ccs.if b/ccs.if
|
||||||
index 5ded72d..c1b4d35 100644
|
index 5ded72d..cb94e5e 100644
|
||||||
--- a/ccs.if
|
--- a/ccs.if
|
||||||
+++ b/ccs.if
|
+++ b/ccs.if
|
||||||
@@ -102,16 +102,20 @@ interface(`ccs_admin',`
|
@@ -98,20 +98,24 @@ interface(`ccs_manage_config',`
|
||||||
|
interface(`ccs_admin',`
|
||||||
|
gen_require(`
|
||||||
|
type ccs_t, ccs_initrc_exec_t, cluster_conf_t;
|
||||||
|
- type ccs_var_lib_t_t, ccs_var_log_t;
|
||||||
|
+ type ccs_var_lib_t, ccs_var_log_t;
|
||||||
type ccs_var_run_t, ccs_tmp_t;
|
type ccs_var_run_t, ccs_tmp_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -12633,7 +12638,7 @@ index 23dc348..7cc536b 100644
|
|||||||
/usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0)
|
/usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0)
|
||||||
/usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0)
|
/usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0)
|
||||||
diff --git a/condor.if b/condor.if
|
diff --git a/condor.if b/condor.if
|
||||||
index 3fe3cb8..b8e08c6 100644
|
index 3fe3cb8..5fe84a6 100644
|
||||||
--- a/condor.if
|
--- a/condor.if
|
||||||
+++ b/condor.if
|
+++ b/condor.if
|
||||||
@@ -1,81 +1,397 @@
|
@@ -1,81 +1,397 @@
|
||||||
@ -13046,7 +13051,7 @@ index 3fe3cb8..b8e08c6 100644
|
|||||||
+interface(`condor_admin',`
|
+interface(`condor_admin',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ attribute condor_domain;
|
+ attribute condor_domain;
|
||||||
+ type condor_initrc_exec_config_t, condor_log_t;
|
+ type condor_initrc_exec_t, condor_log_t;
|
||||||
+ type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
|
+ type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
|
||||||
+ type condor_var_run_t, condor_startd_tmp_t;
|
+ type condor_var_run_t, condor_startd_tmp_t;
|
||||||
+ type condor_unit_file_t;
|
+ type condor_unit_file_t;
|
||||||
@ -20898,7 +20903,7 @@ index 23ab808..4a801b5 100644
|
|||||||
|
|
||||||
/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
|
/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
|
||||||
diff --git a/dnsmasq.if b/dnsmasq.if
|
diff --git a/dnsmasq.if b/dnsmasq.if
|
||||||
index 19aa0b8..531cf03 100644
|
index 19aa0b8..1e8b244 100644
|
||||||
--- a/dnsmasq.if
|
--- a/dnsmasq.if
|
||||||
+++ b/dnsmasq.if
|
+++ b/dnsmasq.if
|
||||||
@@ -10,7 +10,6 @@
|
@@ -10,7 +10,6 @@
|
||||||
@ -21107,11 +21112,12 @@ index 19aa0b8..531cf03 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -267,12 +354,17 @@ interface(`dnsmasq_spec_filetrans_pid',`
|
@@ -267,12 +354,18 @@ interface(`dnsmasq_spec_filetrans_pid',`
|
||||||
interface(`dnsmasq_admin',`
|
interface(`dnsmasq_admin',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
|
type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
|
||||||
- type dnsmasq_initrc_exec_t, dnsmasq_var_log_t;
|
- type dnsmasq_initrc_exec_t, dnsmasq_var_log_t;
|
||||||
|
+ type dnsmasq_var_log_t;
|
||||||
+ type dnsmasq_initrc_exec_t;
|
+ type dnsmasq_initrc_exec_t;
|
||||||
+ type dnsmasq_unit_file_t;
|
+ type dnsmasq_unit_file_t;
|
||||||
')
|
')
|
||||||
@ -21127,7 +21133,7 @@ index 19aa0b8..531cf03 100644
|
|||||||
init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
|
init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
|
||||||
domain_system_change_exemption($1)
|
domain_system_change_exemption($1)
|
||||||
role_transition $2 dnsmasq_initrc_exec_t system_r;
|
role_transition $2 dnsmasq_initrc_exec_t system_r;
|
||||||
@@ -281,9 +373,13 @@ interface(`dnsmasq_admin',`
|
@@ -281,9 +374,13 @@ interface(`dnsmasq_admin',`
|
||||||
files_list_var_lib($1)
|
files_list_var_lib($1)
|
||||||
admin_pattern($1, dnsmasq_lease_t)
|
admin_pattern($1, dnsmasq_lease_t)
|
||||||
|
|
||||||
@ -23594,7 +23600,7 @@ index 5cf6ac6..0fc685b 100644
|
|||||||
+ allow $1 firewalld_unit_file_t:service all_service_perms;
|
+ allow $1 firewalld_unit_file_t:service all_service_perms;
|
||||||
')
|
')
|
||||||
diff --git a/firewalld.te b/firewalld.te
|
diff --git a/firewalld.te b/firewalld.te
|
||||||
index c8014f8..64e18e1 100644
|
index c8014f8..2888d51 100644
|
||||||
--- a/firewalld.te
|
--- a/firewalld.te
|
||||||
+++ b/firewalld.te
|
+++ b/firewalld.te
|
||||||
@@ -21,11 +21,20 @@ logging_log_file(firewalld_var_log_t)
|
@@ -21,11 +21,20 @@ logging_log_file(firewalld_var_log_t)
|
||||||
@ -23619,7 +23625,15 @@ index c8014f8..64e18e1 100644
|
|||||||
dontaudit firewalld_t self:capability sys_tty_config;
|
dontaudit firewalld_t self:capability sys_tty_config;
|
||||||
allow firewalld_t self:fifo_file rw_fifo_file_perms;
|
allow firewalld_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow firewalld_t self:unix_stream_socket { accept listen };
|
allow firewalld_t self:unix_stream_socket { accept listen };
|
||||||
@@ -40,11 +49,21 @@ allow firewalld_t firewalld_var_log_t:file read_file_perms;
|
@@ -33,6 +42,7 @@ allow firewalld_t self:udp_socket create_socket_perms;
|
||||||
|
|
||||||
|
manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
|
||||||
|
manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
|
||||||
|
+manage_lnk_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
|
||||||
|
|
||||||
|
allow firewalld_t firewalld_var_log_t:file append_file_perms;
|
||||||
|
allow firewalld_t firewalld_var_log_t:file create_file_perms;
|
||||||
|
@@ -40,11 +50,21 @@ allow firewalld_t firewalld_var_log_t:file read_file_perms;
|
||||||
allow firewalld_t firewalld_var_log_t:file setattr_file_perms;
|
allow firewalld_t firewalld_var_log_t:file setattr_file_perms;
|
||||||
logging_log_filetrans(firewalld_t, firewalld_var_log_t, file)
|
logging_log_filetrans(firewalld_t, firewalld_var_log_t, file)
|
||||||
|
|
||||||
@ -23641,7 +23655,7 @@ index c8014f8..64e18e1 100644
|
|||||||
|
|
||||||
corecmd_exec_bin(firewalld_t)
|
corecmd_exec_bin(firewalld_t)
|
||||||
corecmd_exec_shell(firewalld_t)
|
corecmd_exec_shell(firewalld_t)
|
||||||
@@ -53,20 +72,17 @@ dev_read_urand(firewalld_t)
|
@@ -53,20 +73,17 @@ dev_read_urand(firewalld_t)
|
||||||
|
|
||||||
domain_use_interactive_fds(firewalld_t)
|
domain_use_interactive_fds(firewalld_t)
|
||||||
|
|
||||||
@ -23667,7 +23681,7 @@ index c8014f8..64e18e1 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_system_domain(firewalld_t, firewalld_exec_t)
|
dbus_system_domain(firewalld_t, firewalld_exec_t)
|
||||||
@@ -85,6 +101,10 @@ optional_policy(`
|
@@ -85,6 +102,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -28851,10 +28865,10 @@ index 0000000..f4659d1
|
|||||||
+/var/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_var_run_t,s0)
|
+/var/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_var_run_t,s0)
|
||||||
diff --git a/gssproxy.if b/gssproxy.if
|
diff --git a/gssproxy.if b/gssproxy.if
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..28263c7
|
index 0000000..4bd5abf
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/gssproxy.if
|
+++ b/gssproxy.if
|
||||||
@@ -0,0 +1,204 @@
|
@@ -0,0 +1,203 @@
|
||||||
+
|
+
|
||||||
+## <summary>policy for gssproxy</summary>
|
+## <summary>policy for gssproxy</summary>
|
||||||
+
|
+
|
||||||
@ -28989,7 +29003,6 @@ index 0000000..28263c7
|
|||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ systemd_exec_systemctl($1)
|
+ systemd_exec_systemctl($1)
|
||||||
+ systemd_read_fifo_file_password_run($1)
|
|
||||||
+ allow $1 gssproxy_unit_file_t:file read_file_perms;
|
+ allow $1 gssproxy_unit_file_t:file read_file_perms;
|
||||||
+ allow $1 gssproxy_unit_file_t:service manage_service_perms;
|
+ allow $1 gssproxy_unit_file_t:service manage_service_perms;
|
||||||
+
|
+
|
||||||
@ -29927,6 +29940,21 @@ index ecad9c7..86d790f 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
seutil_use_newrole_fds(irc_t)
|
seutil_use_newrole_fds(irc_t)
|
||||||
')
|
')
|
||||||
|
diff --git a/ircd.if b/ircd.if
|
||||||
|
index ade9803..3620c9a 100644
|
||||||
|
--- a/ircd.if
|
||||||
|
+++ b/ircd.if
|
||||||
|
@@ -33,8 +33,8 @@ interface(`ircd_admin',`
|
||||||
|
|
||||||
|
files_search_etc($1)
|
||||||
|
admin_pattern($1, ircd_etc_t)
|
||||||
|
-
|
||||||
|
- logging_search_log($1)
|
||||||
|
+
|
||||||
|
+ logging_search_logs($1)
|
||||||
|
admin_pattern($1, ircd_log_t)
|
||||||
|
|
||||||
|
files_search_var_lib($1)
|
||||||
diff --git a/ircd.te b/ircd.te
|
diff --git a/ircd.te b/ircd.te
|
||||||
index e9f746e..40e440c 100644
|
index e9f746e..40e440c 100644
|
||||||
--- a/ircd.te
|
--- a/ircd.te
|
||||||
@ -37838,7 +37866,7 @@ index a83894c..481dca3 100644
|
|||||||
+
|
+
|
||||||
+/usr/lib/systemd/system/ModemManager.service -- gen_context(system_u:object_r:modemmanager_unit_file_t,s0)
|
+/usr/lib/systemd/system/ModemManager.service -- gen_context(system_u:object_r:modemmanager_unit_file_t,s0)
|
||||||
diff --git a/modemmanager.if b/modemmanager.if
|
diff --git a/modemmanager.if b/modemmanager.if
|
||||||
index b1ac8b5..90ca430 100644
|
index b1ac8b5..d65017f 100644
|
||||||
--- a/modemmanager.if
|
--- a/modemmanager.if
|
||||||
+++ b/modemmanager.if
|
+++ b/modemmanager.if
|
||||||
@@ -21,6 +21,30 @@ interface(`modemmanager_domtrans',`
|
@@ -21,6 +21,30 @@ interface(`modemmanager_domtrans',`
|
||||||
@ -37860,7 +37888,7 @@ index b1ac8b5..90ca430 100644
|
|||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ systemd_exec_systemctl($1)
|
+ systemd_exec_systemctl($1)
|
||||||
+ systemd_read_fifo_file_password_run($1)
|
+ systemd_read_fifo_file_passwd_run($1)
|
||||||
+ allow $1 modemmanager_unit_file_t:file read_file_perms;
|
+ allow $1 modemmanager_unit_file_t:file read_file_perms;
|
||||||
+ allow $1 modemmanager_unit_file_t:service manage_service_perms;
|
+ allow $1 modemmanager_unit_file_t:service manage_service_perms;
|
||||||
+
|
+
|
||||||
@ -38038,6 +38066,19 @@ index d287fe9..3dc493c 100644
|
|||||||
|
|
||||||
init_dbus_chat_script(mono_t)
|
init_dbus_chat_script(mono_t)
|
||||||
|
|
||||||
|
diff --git a/monop.if b/monop.if
|
||||||
|
index 8fdaece..5440757 100644
|
||||||
|
--- a/monop.if
|
||||||
|
+++ b/monop.if
|
||||||
|
@@ -31,7 +31,7 @@ interface(`monop_admin',`
|
||||||
|
role_transition $2 monopd_initrc_exec_t system_r;
|
||||||
|
allow $2 system_r;
|
||||||
|
|
||||||
|
- logging_search_etc($1)
|
||||||
|
+ logging_search_logs($1)
|
||||||
|
admin_pattern($1, monopd_etc_t)
|
||||||
|
|
||||||
|
files_search_pids($1)
|
||||||
diff --git a/monop.te b/monop.te
|
diff --git a/monop.te b/monop.te
|
||||||
index 4462c0e..84944d1 100644
|
index 4462c0e..84944d1 100644
|
||||||
--- a/monop.te
|
--- a/monop.te
|
||||||
@ -46701,7 +46742,7 @@ index 8f2ab09..7b8f5ad 100644
|
|||||||
+ allow $1 nscd_unit_file_t:service all_service_perms;
|
+ allow $1 nscd_unit_file_t:service all_service_perms;
|
||||||
')
|
')
|
||||||
diff --git a/nscd.te b/nscd.te
|
diff --git a/nscd.te b/nscd.te
|
||||||
index df4c10f..2814186 100644
|
index df4c10f..8c09c68 100644
|
||||||
--- a/nscd.te
|
--- a/nscd.te
|
||||||
+++ b/nscd.te
|
+++ b/nscd.te
|
||||||
@@ -1,36 +1,37 @@
|
@@ -1,36 +1,37 @@
|
||||||
@ -46851,7 +46892,7 @@ index df4c10f..2814186 100644
|
|||||||
userdom_dontaudit_use_user_terminals(nscd_t)
|
userdom_dontaudit_use_user_terminals(nscd_t)
|
||||||
userdom_dontaudit_use_unpriv_user_fds(nscd_t)
|
userdom_dontaudit_use_unpriv_user_fds(nscd_t)
|
||||||
userdom_dontaudit_search_user_home_dirs(nscd_t)
|
userdom_dontaudit_search_user_home_dirs(nscd_t)
|
||||||
@@ -121,20 +130,30 @@ optional_policy(`
|
@@ -121,20 +130,31 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -46881,6 +46922,7 @@ index df4c10f..2814186 100644
|
|||||||
- udev_read_db(nscd_t)
|
- udev_read_db(nscd_t)
|
||||||
+ samba_read_config(nscd_t)
|
+ samba_read_config(nscd_t)
|
||||||
+ samba_read_var_files(nscd_t)
|
+ samba_read_var_files(nscd_t)
|
||||||
|
+ samba_stream_connect_nmbd(nscd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -52601,10 +52643,10 @@ index 96db654..ff3aadd 100644
|
|||||||
+ virt_rw_svirt_dev(pcscd_t)
|
+ virt_rw_svirt_dev(pcscd_t)
|
||||||
+')
|
+')
|
||||||
diff --git a/pegasus.fc b/pegasus.fc
|
diff --git a/pegasus.fc b/pegasus.fc
|
||||||
index dfd46e4..0aead56 100644
|
index dfd46e4..2e04b85 100644
|
||||||
--- a/pegasus.fc
|
--- a/pegasus.fc
|
||||||
+++ b/pegasus.fc
|
+++ b/pegasus.fc
|
||||||
@@ -1,15 +1,21 @@
|
@@ -1,15 +1,24 @@
|
||||||
-/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
|
-/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
|
||||||
+
|
+
|
||||||
+/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
|
+/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
|
||||||
@ -52613,27 +52655,30 @@ index dfd46e4..0aead56 100644
|
|||||||
-/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0)
|
-/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0)
|
||||||
+/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
|
+/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
|
||||||
+/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
|
+/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
|
||||||
|
+
|
||||||
|
+/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
|
||||||
|
|
||||||
-/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
|
-/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
|
||||||
-/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
|
-/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
|
||||||
+/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
|
|
||||||
|
|
||||||
-/var/cache/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_cache_t,s0)
|
|
||||||
+/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
|
+/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
|
||||||
|
|
||||||
-/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
|
-/var/cache/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_cache_t,s0)
|
||||||
+/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
|
+/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
|
||||||
|
|
||||||
-/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
|
-/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
|
||||||
+#openlmi agents
|
+#openlmi agents
|
||||||
+/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0)
|
+/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0)
|
||||||
+/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
|
+/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
|
||||||
+/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0)
|
+/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0)
|
||||||
+/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_networking_exec_t,s0)
|
+/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
|
||||||
+/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_service_exec_t,s0)
|
+/usr/libexec/pegasus/cmpiLMI_PowerManagement-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
|
||||||
+/usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0)
|
+/usr/libexec/pegasus/cmpiLMI_Realmd-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_services_exec_t,s0)
|
||||||
|
+/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0)
|
||||||
|
|
||||||
|
-/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
|
||||||
|
|
||||||
-/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
|
-/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
|
||||||
|
+/usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0)
|
||||||
diff --git a/pegasus.if b/pegasus.if
|
diff --git a/pegasus.if b/pegasus.if
|
||||||
index d2fc677..ded726f 100644
|
index d2fc677..ded726f 100644
|
||||||
--- a/pegasus.if
|
--- a/pegasus.if
|
||||||
@ -52735,7 +52780,7 @@ index d2fc677..ded726f 100644
|
|||||||
')
|
')
|
||||||
+
|
+
|
||||||
diff --git a/pegasus.te b/pegasus.te
|
diff --git a/pegasus.te b/pegasus.te
|
||||||
index 7bcf327..b6885d4 100644
|
index 7bcf327..f36e1ae 100644
|
||||||
--- a/pegasus.te
|
--- a/pegasus.te
|
||||||
+++ b/pegasus.te
|
+++ b/pegasus.te
|
||||||
@@ -1,17 +1,16 @@
|
@@ -1,17 +1,16 @@
|
||||||
@ -52759,21 +52804,24 @@ index 7bcf327..b6885d4 100644
|
|||||||
type pegasus_cache_t;
|
type pegasus_cache_t;
|
||||||
files_type(pegasus_cache_t)
|
files_type(pegasus_cache_t)
|
||||||
|
|
||||||
@@ -30,20 +29,199 @@ files_type(pegasus_mof_t)
|
@@ -30,20 +29,213 @@ files_type(pegasus_mof_t)
|
||||||
type pegasus_var_run_t;
|
type pegasus_var_run_t;
|
||||||
files_pid_file(pegasus_var_run_t)
|
files_pid_file(pegasus_var_run_t)
|
||||||
|
|
||||||
+# pegasus openlmi providers
|
+# pegasus openlmi providers
|
||||||
|
+pegasus_openlmi_domain_template(admin)
|
||||||
|
+typealias pegasus_openlmi_admin_t alias pegasus_openlmi_service_t;
|
||||||
|
+
|
||||||
+pegasus_openlmi_domain_template(account)
|
+pegasus_openlmi_domain_template(account)
|
||||||
+pegasus_openlmi_domain_template(logicalfile)
|
+pegasus_openlmi_domain_template(logicalfile)
|
||||||
+pegasus_openlmi_domain_template(networking)
|
+pegasus_openlmi_domain_template(services)
|
||||||
+pegasus_openlmi_domain_template(service)
|
|
||||||
+
|
+
|
||||||
+pegasus_openlmi_domain_template(storage)
|
+pegasus_openlmi_domain_template(storage)
|
||||||
+type pegasus_openlmi_storage_tmp_t;
|
+type pegasus_openlmi_storage_tmp_t;
|
||||||
+files_tmp_file(pegasus_openlmi_storage_tmp_t)
|
+files_tmp_file(pegasus_openlmi_storage_tmp_t)
|
||||||
+
|
+
|
||||||
+pegasus_openlmi_domain_template(system)
|
+pegasus_openlmi_domain_template(system)
|
||||||
|
+typealias pegasus_openlmi_system_t alias pegasus_openlmi_networking_t;
|
||||||
+pegasus_openlmi_domain_template(unconfined)
|
+pegasus_openlmi_domain_template(unconfined)
|
||||||
+
|
+
|
||||||
+#######################################
|
+#######################################
|
||||||
@ -52862,26 +52910,38 @@ index 7bcf327..b6885d4 100644
|
|||||||
+ # so we want to have unconfined_domain attribute for filename rules
|
+ # so we want to have unconfined_domain attribute for filename rules
|
||||||
+ unconfined_domain(pegasus_openlmi_logicalfile_t)
|
+ unconfined_domain(pegasus_openlmi_logicalfile_t)
|
||||||
+')
|
+')
|
||||||
|
+######################################
|
||||||
|
+#
|
||||||
|
+# pegasus openlmi networking local policy
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ dbus_system_bus_client(pegasus_openlmi_services_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ realmd_dbus_chat(pegasus_openlmi_services_t)
|
||||||
|
+')
|
||||||
+
|
+
|
||||||
+######################################
|
+######################################
|
||||||
+#
|
+#
|
||||||
+# pegasus openlmi networking local policy
|
+# pegasus openlmi networking local policy
|
||||||
+#
|
+#
|
||||||
+
|
+
|
||||||
+allow pegasus_openlmi_networking_t self:capability { net_admin };
|
+allow pegasus_openlmi_system_t self:capability { net_admin };
|
||||||
+
|
+
|
||||||
+allow pegasus_openlmi_networking_t self:netlink_route_socket r_netlink_socket_perms;;
|
+allow pegasus_openlmi_system_t self:netlink_route_socket r_netlink_socket_perms;;
|
||||||
+allow pegasus_openlmi_networking_t self:udp_socket create_socket_perms;
|
+allow pegasus_openlmi_system_t self:udp_socket create_socket_perms;
|
||||||
+
|
+
|
||||||
+dev_rw_sysfs(pegasus_openlmi_networking_t)
|
+dev_rw_sysfs(pegasus_openlmi_system_t)
|
||||||
+dev_read_urand(pegasus_openlmi_networking_t)
|
+dev_read_urand(pegasus_openlmi_system_t)
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ dbus_system_bus_client(pegasus_openlmi_networking_t)
|
+ dbus_system_bus_client(pegasus_openlmi_system_t)
|
||||||
|
+')
|
||||||
+
|
+
|
||||||
+ optional_policy(`
|
+optional_policy(`
|
||||||
+ networkmanager_dbus_chat(pegasus_openlmi_networking_t)
|
+ networkmanager_dbus_chat(pegasus_openlmi_system_t)
|
||||||
+ ')
|
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+######################################
|
+######################################
|
||||||
@ -52889,20 +52949,19 @@ index 7bcf327..b6885d4 100644
|
|||||||
+# pegasus openlmi service local policy
|
+# pegasus openlmi service local policy
|
||||||
+#
|
+#
|
||||||
+
|
+
|
||||||
|
+init_disable_services(pegasus_openlmi_admin_t)
|
||||||
|
+init_enable_services(pegasus_openlmi_admin_t)
|
||||||
|
+init_reload_services(pegasus_openlmi_admin_t)
|
||||||
|
+init_exec(pegasus_openlmi_admin_t)
|
||||||
+
|
+
|
||||||
+init_disable_services(pegasus_openlmi_service_t)
|
+systemd_config_all_services(pegasus_openlmi_admin_t)
|
||||||
+init_enable_services(pegasus_openlmi_service_t)
|
+systemd_manage_all_unit_files(pegasus_openlmi_admin_t)
|
||||||
+init_reload_services(pegasus_openlmi_service_t)
|
+systemd_manage_all_unit_lnk_files(pegasus_openlmi_admin_t)
|
||||||
+init_exec(pegasus_openlmi_service_t)
|
|
||||||
+
|
|
||||||
+systemd_config_all_services(pegasus_openlmi_service_t)
|
|
||||||
+systemd_manage_all_unit_files(pegasus_openlmi_service_t)
|
|
||||||
+systemd_manage_all_unit_lnk_files(pegasus_openlmi_service_t)
|
|
||||||
+
|
+
|
||||||
+allow pegasus_openlmi_service_t self:udp_socket create_socket_perms;
|
+allow pegasus_openlmi_service_t self:udp_socket create_socket_perms;
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ dbus_system_bus_client(pegasus_openlmi_service_t)
|
+ dbus_system_bus_client(pegasus_openlmi_admin_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+######################################
|
+######################################
|
||||||
@ -52964,7 +53023,7 @@ index 7bcf327..b6885d4 100644
|
|||||||
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
|
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
|
||||||
|
|
||||||
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
|
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
|
||||||
@@ -54,22 +232,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
|
@@ -54,22 +246,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
|
||||||
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
||||||
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
||||||
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
||||||
@ -52995,7 +53054,7 @@ index 7bcf327..b6885d4 100644
|
|||||||
|
|
||||||
kernel_read_network_state(pegasus_t)
|
kernel_read_network_state(pegasus_t)
|
||||||
kernel_read_kernel_sysctls(pegasus_t)
|
kernel_read_kernel_sysctls(pegasus_t)
|
||||||
@@ -80,27 +258,21 @@ kernel_read_net_sysctls(pegasus_t)
|
@@ -80,27 +272,21 @@ kernel_read_net_sysctls(pegasus_t)
|
||||||
kernel_read_xen_state(pegasus_t)
|
kernel_read_xen_state(pegasus_t)
|
||||||
kernel_write_xen_state(pegasus_t)
|
kernel_write_xen_state(pegasus_t)
|
||||||
|
|
||||||
@ -53028,7 +53087,7 @@ index 7bcf327..b6885d4 100644
|
|||||||
|
|
||||||
corecmd_exec_bin(pegasus_t)
|
corecmd_exec_bin(pegasus_t)
|
||||||
corecmd_exec_shell(pegasus_t)
|
corecmd_exec_shell(pegasus_t)
|
||||||
@@ -114,6 +286,7 @@ files_getattr_all_dirs(pegasus_t)
|
@@ -114,6 +300,7 @@ files_getattr_all_dirs(pegasus_t)
|
||||||
|
|
||||||
auth_use_nsswitch(pegasus_t)
|
auth_use_nsswitch(pegasus_t)
|
||||||
auth_domtrans_chk_passwd(pegasus_t)
|
auth_domtrans_chk_passwd(pegasus_t)
|
||||||
@ -53036,7 +53095,7 @@ index 7bcf327..b6885d4 100644
|
|||||||
|
|
||||||
domain_use_interactive_fds(pegasus_t)
|
domain_use_interactive_fds(pegasus_t)
|
||||||
domain_read_all_domains_state(pegasus_t)
|
domain_read_all_domains_state(pegasus_t)
|
||||||
@@ -128,18 +301,25 @@ init_stream_connect_script(pegasus_t)
|
@@ -128,18 +315,25 @@ init_stream_connect_script(pegasus_t)
|
||||||
logging_send_audit_msgs(pegasus_t)
|
logging_send_audit_msgs(pegasus_t)
|
||||||
logging_send_syslog_msg(pegasus_t)
|
logging_send_syslog_msg(pegasus_t)
|
||||||
|
|
||||||
@ -53068,7 +53127,7 @@ index 7bcf327..b6885d4 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -151,16 +331,24 @@ optional_policy(`
|
@@ -151,16 +345,24 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -53097,7 +53156,7 @@ index 7bcf327..b6885d4 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -168,7 +356,7 @@ optional_policy(`
|
@@ -168,7 +370,7 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -53120,7 +53179,7 @@ index 0000000..7b54c39
|
|||||||
+/var/run/pesign\.pid -- gen_context(system_u:object_r:pesign_var_run_t,s0)
|
+/var/run/pesign\.pid -- gen_context(system_u:object_r:pesign_var_run_t,s0)
|
||||||
diff --git a/pesign.if b/pesign.if
|
diff --git a/pesign.if b/pesign.if
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..c20674c
|
index 0000000..26b1f0c
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/pesign.if
|
+++ b/pesign.if
|
||||||
@@ -0,0 +1,103 @@
|
@@ -0,0 +1,103 @@
|
||||||
@ -53181,7 +53240,7 @@ index 0000000..c20674c
|
|||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ systemd_exec_systemctl($1)
|
+ systemd_exec_systemctl($1)
|
||||||
+ systemd_read_fifo_file_password_run($1)
|
+ systemd_read_fifo_file_passwd_run($1)
|
||||||
+ allow $1 pesign_unit_file_t:file read_file_perms;
|
+ allow $1 pesign_unit_file_t:file read_file_perms;
|
||||||
+ allow $1 pesign_unit_file_t:service manage_service_perms;
|
+ allow $1 pesign_unit_file_t:service manage_service_perms;
|
||||||
+
|
+
|
||||||
@ -56706,7 +56765,7 @@ index c0e8785..c0e0959 100644
|
|||||||
+/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
|
+/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
|
||||||
/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0)
|
/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0)
|
||||||
diff --git a/postfix.if b/postfix.if
|
diff --git a/postfix.if b/postfix.if
|
||||||
index 2e23946..589bbf2 100644
|
index 2e23946..e9ac366 100644
|
||||||
--- a/postfix.if
|
--- a/postfix.if
|
||||||
+++ b/postfix.if
|
+++ b/postfix.if
|
||||||
@@ -1,4 +1,4 @@
|
@@ -1,4 +1,4 @@
|
||||||
@ -57145,7 +57204,7 @@ index 2e23946..589bbf2 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -478,30 +479,84 @@ interface(`postfix_domtrans_postqueue',`
|
@@ -478,30 +479,85 @@ interface(`postfix_domtrans_postqueue',`
|
||||||
type postfix_postqueue_t, postfix_postqueue_exec_t;
|
type postfix_postqueue_t, postfix_postqueue_exec_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -57198,6 +57257,7 @@ index 2e23946..589bbf2 100644
|
|||||||
+interface(`postfix_domtrans_postgqueue',`
|
+interface(`postfix_domtrans_postgqueue',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ type postfix_postgqueue_t;
|
+ type postfix_postgqueue_t;
|
||||||
|
+ type postfix_postgqueue_exec_t;
|
||||||
+ ')
|
+ ')
|
||||||
+ domtrans_pattern($1, postfix_postgqueue_exec_t,postfix_postgqueue_t)
|
+ domtrans_pattern($1, postfix_postgqueue_exec_t,postfix_postgqueue_t)
|
||||||
+')
|
+')
|
||||||
@ -57240,7 +57300,7 @@ index 2e23946..589bbf2 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -514,13 +569,12 @@ interface(`postfix_exec_postqueue',`
|
@@ -514,13 +570,12 @@ interface(`postfix_exec_postqueue',`
|
||||||
type postfix_postqueue_exec_t;
|
type postfix_postqueue_exec_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -57255,7 +57315,7 @@ index 2e23946..589bbf2 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -533,13 +587,13 @@ interface(`postfix_create_private_sockets',`
|
@@ -533,13 +588,13 @@ interface(`postfix_create_private_sockets',`
|
||||||
type postfix_private_t;
|
type postfix_private_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -57271,7 +57331,7 @@ index 2e23946..589bbf2 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -552,13 +606,14 @@ interface(`postfix_manage_private_sockets',`
|
@@ -552,13 +607,14 @@ interface(`postfix_manage_private_sockets',`
|
||||||
type postfix_private_t;
|
type postfix_private_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -57288,7 +57348,7 @@ index 2e23946..589bbf2 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -571,14 +626,12 @@ interface(`postfix_domtrans_smtp',`
|
@@ -571,14 +627,12 @@ interface(`postfix_domtrans_smtp',`
|
||||||
type postfix_smtp_t, postfix_smtp_exec_t;
|
type postfix_smtp_t, postfix_smtp_exec_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -57304,7 +57364,7 @@ index 2e23946..589bbf2 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -586,7 +639,7 @@ interface(`postfix_domtrans_smtp',`
|
@@ -586,7 +640,7 @@ interface(`postfix_domtrans_smtp',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -57313,7 +57373,7 @@ index 2e23946..589bbf2 100644
|
|||||||
gen_require(`
|
gen_require(`
|
||||||
attribute postfix_spool_type;
|
attribute postfix_spool_type;
|
||||||
')
|
')
|
||||||
@@ -607,11 +660,11 @@ interface(`postfix_getattr_all_spool_files',`
|
@@ -607,11 +661,11 @@ interface(`postfix_getattr_all_spool_files',`
|
||||||
#
|
#
|
||||||
interface(`postfix_search_spool',`
|
interface(`postfix_search_spool',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -57327,7 +57387,7 @@ index 2e23946..589bbf2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -626,11 +679,11 @@ interface(`postfix_search_spool',`
|
@@ -626,11 +680,11 @@ interface(`postfix_search_spool',`
|
||||||
#
|
#
|
||||||
interface(`postfix_list_spool',`
|
interface(`postfix_list_spool',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -57341,7 +57401,7 @@ index 2e23946..589bbf2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -645,17 +698,16 @@ interface(`postfix_list_spool',`
|
@@ -645,17 +699,16 @@ interface(`postfix_list_spool',`
|
||||||
#
|
#
|
||||||
interface(`postfix_read_spool_files',`
|
interface(`postfix_read_spool_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -57362,7 +57422,7 @@ index 2e23946..589bbf2 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -665,11 +717,31 @@ interface(`postfix_read_spool_files',`
|
@@ -665,11 +718,31 @@ interface(`postfix_read_spool_files',`
|
||||||
#
|
#
|
||||||
interface(`postfix_manage_spool_files',`
|
interface(`postfix_manage_spool_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -57396,7 +57456,7 @@ index 2e23946..589bbf2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -693,8 +765,8 @@ interface(`postfix_domtrans_user_mail_handler',`
|
@@ -693,8 +766,8 @@ interface(`postfix_domtrans_user_mail_handler',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -57407,7 +57467,7 @@ index 2e23946..589bbf2 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -710,37 +782,137 @@ interface(`postfix_domtrans_user_mail_handler',`
|
@@ -710,37 +783,137 @@ interface(`postfix_domtrans_user_mail_handler',`
|
||||||
#
|
#
|
||||||
interface(`postfix_admin',`
|
interface(`postfix_admin',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -64824,10 +64884,10 @@ index 70ab68b..e97da31 100644
|
|||||||
/var/lib/quantum(/.*)? gen_context(system_u:object_r:quantum_var_lib_t,s0)
|
/var/lib/quantum(/.*)? gen_context(system_u:object_r:quantum_var_lib_t,s0)
|
||||||
|
|
||||||
diff --git a/quantum.if b/quantum.if
|
diff --git a/quantum.if b/quantum.if
|
||||||
index afc0068..5fb7731 100644
|
index afc0068..7b3cfad 100644
|
||||||
--- a/quantum.if
|
--- a/quantum.if
|
||||||
+++ b/quantum.if
|
+++ b/quantum.if
|
||||||
@@ -2,41 +2,292 @@
|
@@ -2,41 +2,293 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -65056,6 +65116,7 @@ index afc0068..5fb7731 100644
|
|||||||
+#
|
+#
|
||||||
+interface(`quantum_stream_connect',`
|
+interface(`quantum_stream_connect',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
|
+ type quantum_t;
|
||||||
+ type quantum_var_lib_t;
|
+ type quantum_var_lib_t;
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
@ -80163,7 +80224,7 @@ index 0000000..92c3638
|
|||||||
+
|
+
|
||||||
+sysnet_dns_name_resolve(smsd_t)
|
+sysnet_dns_name_resolve(smsd_t)
|
||||||
diff --git a/smstools.if b/smstools.if
|
diff --git a/smstools.if b/smstools.if
|
||||||
index cbfe369..085ac13 100644
|
index cbfe369..6594af3 100644
|
||||||
--- a/smstools.if
|
--- a/smstools.if
|
||||||
+++ b/smstools.if
|
+++ b/smstools.if
|
||||||
@@ -1,5 +1,81 @@
|
@@ -1,5 +1,81 @@
|
||||||
@ -80248,6 +80309,15 @@ index cbfe369..085ac13 100644
|
|||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## All of the rules required to
|
## All of the rules required to
|
||||||
|
@@ -32,7 +108,7 @@ interface(`smstools_admin',`
|
||||||
|
role_transition $2 smsd_initrc_exec_t system_r;
|
||||||
|
allow $2 system_r;
|
||||||
|
|
||||||
|
- files_search_config($1)
|
||||||
|
+ files_search_etc($1)
|
||||||
|
admin_pattern($1, smsd_conf_t)
|
||||||
|
|
||||||
|
files_search_var_lib($1)
|
||||||
diff --git a/snapper.fc b/snapper.fc
|
diff --git a/snapper.fc b/snapper.fc
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..3f412d5
|
index 0000000..3f412d5
|
||||||
@ -95127,7 +95197,7 @@ index 36e32df..3d08962 100644
|
|||||||
+ manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
|
+ manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
|
||||||
')
|
')
|
||||||
diff --git a/zarafa.te b/zarafa.te
|
diff --git a/zarafa.te b/zarafa.te
|
||||||
index a4479b1..1d12d58 100644
|
index a4479b1..7a9f1b6 100644
|
||||||
--- a/zarafa.te
|
--- a/zarafa.te
|
||||||
+++ b/zarafa.te
|
+++ b/zarafa.te
|
||||||
@@ -1,4 +1,4 @@
|
@@ -1,4 +1,4 @@
|
||||||
@ -95250,7 +95320,7 @@ index a4479b1..1d12d58 100644
|
|||||||
manage_dirs_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t)
|
manage_dirs_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t)
|
||||||
manage_files_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t)
|
manage_files_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t)
|
||||||
files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir })
|
files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir })
|
||||||
@@ -109,70 +117,78 @@ files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir lnk_file }
|
@@ -109,70 +117,80 @@ files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir lnk_file }
|
||||||
|
|
||||||
stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t)
|
stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t)
|
||||||
|
|
||||||
@ -95307,9 +95377,10 @@ index a4479b1..1d12d58 100644
|
|||||||
-corenet_tcp_sendrecv_smtp_port(zarafa_spooler_t)
|
-corenet_tcp_sendrecv_smtp_port(zarafa_spooler_t)
|
||||||
+
|
+
|
||||||
+auth_use_nsswitch(zarafa_spooler_t)
|
+auth_use_nsswitch(zarafa_spooler_t)
|
||||||
+
|
|
||||||
+########################################
|
########################################
|
||||||
+#
|
#
|
||||||
|
-# Zarafa domain local policy
|
||||||
+# zarafa_gateway local policy
|
+# zarafa_gateway local policy
|
||||||
+#
|
+#
|
||||||
+corenet_tcp_bind_pop_port(zarafa_gateway_t)
|
+corenet_tcp_bind_pop_port(zarafa_gateway_t)
|
||||||
@ -95317,8 +95388,8 @@ index a4479b1..1d12d58 100644
|
|||||||
+#######################################
|
+#######################################
|
||||||
+#
|
+#
|
||||||
+# zarafa-ical local policy
|
+# zarafa-ical local policy
|
||||||
+#
|
#
|
||||||
+
|
|
||||||
+corenet_tcp_bind_http_cache_port(zarafa_ical_t)
|
+corenet_tcp_bind_http_cache_port(zarafa_ical_t)
|
||||||
+
|
+
|
||||||
+######################################
|
+######################################
|
||||||
@ -95326,13 +95397,12 @@ index a4479b1..1d12d58 100644
|
|||||||
+# zarafa-monitor local policy
|
+# zarafa-monitor local policy
|
||||||
+#
|
+#
|
||||||
+
|
+
|
||||||
|
+
|
||||||
########################################
|
+########################################
|
||||||
#
|
+#
|
||||||
-# Zarafa domain local policy
|
|
||||||
+# zarafa domains local policy
|
+# zarafa domains local policy
|
||||||
#
|
+#
|
||||||
|
+
|
||||||
+# bad permission on /etc/zarafa
|
+# bad permission on /etc/zarafa
|
||||||
allow zarafa_domain self:capability { kill dac_override chown setgid setuid };
|
allow zarafa_domain self:capability { kill dac_override chown setgid setuid };
|
||||||
-allow zarafa_domain self:process { setrlimit signal };
|
-allow zarafa_domain self:process { setrlimit signal };
|
||||||
@ -95351,10 +95421,11 @@ index a4479b1..1d12d58 100644
|
|||||||
-
|
-
|
||||||
dev_read_rand(zarafa_domain)
|
dev_read_rand(zarafa_domain)
|
||||||
dev_read_urand(zarafa_domain)
|
dev_read_urand(zarafa_domain)
|
||||||
-
|
|
||||||
-logging_send_syslog_msg(zarafa_domain)
|
-logging_send_syslog_msg(zarafa_domain)
|
||||||
-
|
-
|
||||||
-miscfiles_read_localization(zarafa_domain)
|
-miscfiles_read_localization(zarafa_domain)
|
||||||
|
+dev_read_sysfs(zarafa_domain)
|
||||||
diff --git a/zebra.fc b/zebra.fc
|
diff --git a/zebra.fc b/zebra.fc
|
||||||
index 28ee4ca..e1b30b2 100644
|
index 28ee4ca..e1b30b2 100644
|
||||||
--- a/zebra.fc
|
--- a/zebra.fc
|
||||||
|
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.12.1
|
Version: 3.12.1
|
||||||
Release: 68%{?dist}
|
Release: 69%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -538,6 +538,25 @@ SELinux Reference policy mls base module.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jul 31 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-69
|
||||||
|
- Add more aliases in pegasus.te
|
||||||
|
- Add more fixes for *_admin interfaces
|
||||||
|
- Add interface fixes
|
||||||
|
- Allow nscd to stream connect to nmbd
|
||||||
|
- Allow gnupg apps to write to pcscd socket
|
||||||
|
- Add more fixes for openlmi provides. Fix naming and support for additionals
|
||||||
|
- Allow fetchmail to resolve host names
|
||||||
|
- Allow firewalld to interact also with lnk files labeled as firewalld_etc_rw_t
|
||||||
|
- Add labeling for cmpiLMI_Fan-cimprovagt
|
||||||
|
- Allow net_admin for glusterd
|
||||||
|
- Allow telepathy domain to create dconf with correct labeling in /home/userX/.cache/
|
||||||
|
- Add pegasus_openlmi_system_t
|
||||||
|
- Fix puppet_domtrans_master() to make all puppet calling working in passenger.te
|
||||||
|
- Fix corecmd_exec_chroot()
|
||||||
|
- Fix logging_relabel_syslog_pid_socket interface
|
||||||
|
- Fix typo in unconfineduser.te
|
||||||
|
- Allow system_r to access unconfined_dbusd_t to run hp_chec
|
||||||
|
|
||||||
* Tue Jul 30 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-68
|
* Tue Jul 30 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-68
|
||||||
- Allow xdm_t to act as a dbus client to itsel
|
- Allow xdm_t to act as a dbus client to itsel
|
||||||
- Allow fetchmail to resolve host names
|
- Allow fetchmail to resolve host names
|
||||||
|