* Tue Jan 17 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-235
- Allow libvirt daemon to create /var/chace/libvirt dir. - Allow systemd using ProtectKernelTunables securit feature. BZ(1392161) - F26 Wide change: Coredumps enabled by default. Allowing inherits process limits to enable coredumps.BZ(1341829)
This commit is contained in:
Lukas Vrabec
parent
a4801c838b
commit
5ed99329f5
Binary file not shown.
|
|
@ -10069,7 +10069,7 @@ index 0b1a871..29965c3 100644
|
|||
+dev_getattr_all(devices_unconfined_type)
|
||||
+
|
||||
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
|
||||
index 6a1e4d1..f23f6a6 100644
|
||||
index 6a1e4d1..e215d29 100644
|
||||
--- a/policy/modules/kernel/domain.if
|
||||
+++ b/policy/modules/kernel/domain.if
|
||||
@@ -76,33 +76,8 @@ interface(`domain_type',`
|
||||
|
|
@ -10306,7 +10306,7 @@ index 6a1e4d1..f23f6a6 100644
|
|||
## Unconfined access to domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1530,4 +1632,82 @@ interface(`domain_unconfined',`
|
||||
@@ -1530,4 +1632,101 @@ interface(`domain_unconfined',`
|
||||
typeattribute $1 can_change_object_identity;
|
||||
typeattribute $1 set_curr_context;
|
||||
typeattribute $1 process_uncond_exempt;
|
||||
|
|
@ -10388,6 +10388,25 @@ index 6a1e4d1..f23f6a6 100644
|
|||
+ ')
|
||||
+
|
||||
+ allow $1 domain:process setrlimit;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Allow set resource limits to all domains.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`domain_rlimitinh_all_domains',`
|
||||
+ gen_require(`
|
||||
+ attribute domain;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 domain:process rlimitinh;
|
||||
')
|
||||
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
|
||||
index cf04cb5..43876e0 100644
|
||||
|
|
@ -21629,7 +21648,7 @@ index 7be4ddf..9710b33 100644
|
|||
+/sys/kernel/debug -d gen_context(system_u:object_r:debugfs_t,s0)
|
||||
+/sys/kernel/debug/.* <<none>>
|
||||
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
|
||||
index e100d88..1428581 100644
|
||||
index e100d88..8139871 100644
|
||||
--- a/policy/modules/kernel/kernel.if
|
||||
+++ b/policy/modules/kernel/kernel.if
|
||||
@@ -126,6 +126,24 @@ interface(`kernel_setsched',`
|
||||
|
|
@ -22025,7 +22044,7 @@ index e100d88..1428581 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2085,9 +2241,28 @@ interface(`kernel_dontaudit_list_all_sysctls',`
|
||||
@@ -2085,7 +2241,54 @@ interface(`kernel_dontaudit_list_all_sysctls',`
|
||||
')
|
||||
|
||||
dontaudit $1 sysctl_type:dir list_dir_perms;
|
||||
|
|
@ -22049,13 +22068,39 @@ index e100d88..1428581 100644
|
|||
+ ')
|
||||
+
|
||||
+ allow $1 sysctl_type:dir mounton;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Allow attempts to mounton all filesystems used by ProtectKernelTunables systemd feature.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`kernel_mounton_systemd_ProtectKernelTunables',`
|
||||
+ gen_require(`
|
||||
+ type sysctl_t;
|
||||
+ type sysctl_irq_t;
|
||||
+ type proc_t;
|
||||
+ type mtrr_device_t;
|
||||
+ type debugfs_t;
|
||||
+ type cgroup_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 sysctl_t:dir mounton;
|
||||
+ allow $1 sysctl_irq_t:dir mounton;
|
||||
+ allow $1 proc_t:dir mounton;
|
||||
+ allow $1 mtrr_device_t:dir mounton;
|
||||
+ allow $1 debugfs_t:dir mounton;
|
||||
+ allow $1 cgroup_t:dir mounton;
|
||||
+
|
||||
')
|
||||
|
||||
+
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow caller to read all sysctls.
|
||||
@@ -2282,6 +2457,25 @@ interface(`kernel_list_unlabeled',`
|
||||
@@ -2282,6 +2485,25 @@ interface(`kernel_list_unlabeled',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -22081,7 +22126,7 @@ index e100d88..1428581 100644
|
|||
## Read the process state (/proc/pid) of all unlabeled_t.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -2306,7 +2500,7 @@ interface(`kernel_read_unlabeled_state',`
|
||||
@@ -2306,7 +2528,7 @@ interface(`kernel_read_unlabeled_state',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
|
|
@ -22090,7 +22135,7 @@ index e100d88..1428581 100644
|
|||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@@ -2488,6 +2682,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
|
||||
@@ -2488,6 +2710,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -22115,11 +22160,55 @@ index e100d88..1428581 100644
|
|||
## Do not audit attempts by caller to get attributes for
|
||||
## unlabeled character devices.
|
||||
## </summary>
|
||||
@@ -2525,6 +2737,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
|
||||
@@ -2525,7 +2765,7 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Allow caller to relabel unlabeled files.
|
||||
+## Allow caller to relabel unlabeled filesystems.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -2533,18 +2773,17 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`kernel_relabelfrom_unlabeled_files',`
|
||||
+interface(`kernel_relabelfrom_unlabeled_fs',`
|
||||
gen_require(`
|
||||
type unlabeled_t;
|
||||
')
|
||||
|
||||
- kernel_list_unlabeled($1)
|
||||
- allow $1 unlabeled_t:file { getattr relabelfrom };
|
||||
+ allow $1 unlabeled_t:filesystem relabelfrom;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Allow caller to relabel unlabeled symbolic links.
|
||||
+## Allow caller to relabel unlabeled files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -2552,13 +2791,32 @@ interface(`kernel_relabelfrom_unlabeled_files',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`kernel_relabelfrom_unlabeled_symlinks',`
|
||||
+interface(`kernel_relabelfrom_unlabeled_files',`
|
||||
gen_require(`
|
||||
type unlabeled_t;
|
||||
')
|
||||
|
||||
kernel_list_unlabeled($1)
|
||||
- allow $1 unlabeled_t:lnk_file { getattr relabelfrom };
|
||||
+ allow $1 unlabeled_t:file { getattr relabelfrom };
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Allow caller to relabel unlabeled symbolic links.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
|
|
@ -22127,34 +22216,22 @@ index e100d88..1428581 100644
|
|||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`kernel_relabelfrom_unlabeled_fs',`
|
||||
+interface(`kernel_relabelfrom_unlabeled_symlinks',`
|
||||
+ gen_require(`
|
||||
+ type unlabeled_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 unlabeled_t:filesystem relabelfrom;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Allow caller to relabel unlabeled files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -2667,16 +2897,34 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
|
||||
+ kernel_list_unlabeled($1)
|
||||
+ allow $1 unlabeled_t:lnk_file { getattr relabelfrom };
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2667,6 +2925,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Receive TCP packets from an unlabeled connection.
|
||||
+## Receive DCCP packets from an unlabeled connection.
|
||||
## </summary>
|
||||
-## <desc>
|
||||
-## <p>
|
||||
-## Receive TCP packets from an unlabeled connection.
|
||||
-## </p>
|
||||
-## <p>
|
||||
-## The corenetwork interface corenet_tcp_recv_unlabeled() should
|
||||
-## be used instead of this one.
|
||||
-## </p>
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
|
|
@ -22171,20 +22248,10 @@ index e100d88..1428581 100644
|
|||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Receive TCP packets from an unlabeled connection.
|
||||
+## </summary>
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Receive TCP packets from an unlabeled connection.
|
||||
+## </p>
|
||||
+## <p>
|
||||
+## The corenetwork interface corenet_tcp_recv_unlabeled() should
|
||||
+## be used instead of this one.
|
||||
+## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -2694,6 +2942,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
|
||||
## Receive TCP packets from an unlabeled connection.
|
||||
## </summary>
|
||||
## <desc>
|
||||
@@ -2694,6 +2970,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -22210,7 +22277,7 @@ index e100d88..1428581 100644
|
|||
## Do not audit attempts to receive TCP packets from an unlabeled
|
||||
## connection.
|
||||
## </summary>
|
||||
@@ -2803,6 +3070,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
|
||||
@@ -2803,6 +3098,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
|
||||
|
||||
allow $1 unlabeled_t:rawip_socket recvfrom;
|
||||
')
|
||||
|
|
@ -22244,7 +22311,7 @@ index e100d88..1428581 100644
|
|||
|
||||
########################################
|
||||
## <summary>
|
||||
@@ -2958,6 +3252,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
|
||||
@@ -2958,6 +3280,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -22269,7 +22336,7 @@ index e100d88..1428581 100644
|
|||
## Unconfined access to kernel module resources.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -2972,5 +3284,649 @@ interface(`kernel_unconfined',`
|
||||
@@ -2972,5 +3312,649 @@ interface(`kernel_unconfined',`
|
||||
')
|
||||
|
||||
typeattribute $1 kern_unconfined;
|
||||
|
|
@ -22491,7 +22558,7 @@ index e100d88..1428581 100644
|
|||
+ read_lnk_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
|
||||
+
|
||||
+ list_dirs_pattern($1, proc_t, proc_numa_t)
|
||||
+')
|
||||
')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
|
|
@ -22510,7 +22577,7 @@ index e100d88..1428581 100644
|
|||
+ ')
|
||||
+
|
||||
+ write_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
|
||||
')
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
|
|
@ -37725,7 +37792,7 @@ index 79a45f6..6126f21 100644
|
|||
+ allow $1 init_var_lib_t:dir search_dir_perms;
|
||||
')
|
||||
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
||||
index 17eda24..25e49cf 100644
|
||||
index 17eda24..9f2c792 100644
|
||||
--- a/policy/modules/system/init.te
|
||||
+++ b/policy/modules/system/init.te
|
||||
@@ -11,10 +11,31 @@ gen_require(`
|
||||
|
|
@ -37905,11 +37972,12 @@ index 17eda24..25e49cf 100644
|
|||
|
||||
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
|
||||
dev_filetrans(init_t, initctl_t, fifo_file)
|
||||
@@ -125,13 +212,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
|
||||
@@ -125,13 +212,24 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
|
||||
|
||||
kernel_read_system_state(init_t)
|
||||
kernel_share_state(init_t)
|
||||
+kernel_stream_connect(init_t)
|
||||
+kernel_mounton_systemd_ProtectKernelTunables(init_t)
|
||||
|
||||
corecmd_exec_chroot(init_t)
|
||||
corecmd_exec_bin(init_t)
|
||||
|
|
@ -37930,15 +37998,17 @@ index 17eda24..25e49cf 100644
|
|||
|
||||
domain_getpgid_all_domains(init_t)
|
||||
domain_kill_all_domains(init_t)
|
||||
@@ -139,14 +236,25 @@ domain_signal_all_domains(init_t)
|
||||
@@ -139,14 +237,26 @@ domain_signal_all_domains(init_t)
|
||||
domain_signull_all_domains(init_t)
|
||||
domain_sigstop_all_domains(init_t)
|
||||
domain_sigchld_all_domains(init_t)
|
||||
-
|
||||
-files_read_etc_files(init_t)
|
||||
+domain_read_all_domains_state(init_t)
|
||||
+domain_getattr_all_domains(init_t)
|
||||
+domain_setrlimit_all_domains(init_t)
|
||||
|
||||
-files_read_etc_files(init_t)
|
||||
+domain_rlimitinh_all_domains(init_t)
|
||||
+
|
||||
+files_read_config_files(init_t)
|
||||
+files_read_all_pids(init_t)
|
||||
+files_read_system_conf_files(init_t)
|
||||
|
|
@ -37957,7 +38027,7 @@ index 17eda24..25e49cf 100644
|
|||
# file descriptors inherited from the rootfs:
|
||||
files_dontaudit_rw_root_files(init_t)
|
||||
files_dontaudit_rw_root_chr_files(init_t)
|
||||
@@ -155,29 +263,73 @@ fs_list_inotifyfs(init_t)
|
||||
@@ -155,29 +265,73 @@ fs_list_inotifyfs(init_t)
|
||||
# cjp: this may be related to /dev/log
|
||||
fs_write_ramfs_sockets(init_t)
|
||||
|
||||
|
|
@ -38020,10 +38090,10 @@ index 17eda24..25e49cf 100644
|
|||
+
|
||||
+miscfiles_manage_localization(init_t)
|
||||
+miscfiles_filetrans_named_content(init_t)
|
||||
+
|
||||
+udev_manage_rules_files(init_t)
|
||||
|
||||
-miscfiles_read_localization(init_t)
|
||||
+udev_manage_rules_files(init_t)
|
||||
+
|
||||
+userdom_use_user_ttys(init_t)
|
||||
+userdom_manage_tmp_dirs(init_t)
|
||||
+userdom_manage_tmp_sockets(init_t)
|
||||
|
|
@ -38036,7 +38106,7 @@ index 17eda24..25e49cf 100644
|
|||
|
||||
ifdef(`distro_gentoo',`
|
||||
allow init_t self:process { getcap setcap };
|
||||
@@ -186,29 +338,275 @@ ifdef(`distro_gentoo',`
|
||||
@@ -186,29 +340,275 @@ ifdef(`distro_gentoo',`
|
||||
')
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
|
|
@ -38275,18 +38345,18 @@ index 17eda24..25e49cf 100644
|
|||
+optional_policy(`
|
||||
+ lvm_rw_pipes(init_t)
|
||||
+ lvm_read_config(init_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- auth_rw_login_records(init_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ lldpad_relabel_tmpfs(init_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- auth_rw_login_records(init_t)
|
||||
+ consolekit_manage_log(init_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ dbus_connect_system_bus(init_t)
|
||||
dbus_system_bus_client(init_t)
|
||||
+ dbus_delete_pid_files(init_t)
|
||||
|
|
@ -38307,21 +38377,21 @@ index 17eda24..25e49cf 100644
|
|||
+optional_policy(`
|
||||
+ networkmanager_stream_connect(init_t)
|
||||
+ networkmanager_stream_connect(initrc_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ plymouthd_stream_connect(init_t)
|
||||
+ plymouthd_exec_plymouth(init_t)
|
||||
+ plymouthd_filetrans_named_content(init_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- nscd_use(init_t)
|
||||
+ plymouthd_stream_connect(init_t)
|
||||
+ plymouthd_exec_plymouth(init_t)
|
||||
+ plymouthd_filetrans_named_content(init_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ ssh_getattr_server_keys(init_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -216,7 +614,30 @@ optional_policy(`
|
||||
@@ -216,7 +616,30 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38353,7 +38423,7 @@ index 17eda24..25e49cf 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -225,9 +646,9 @@ optional_policy(`
|
||||
@@ -225,9 +648,9 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
|
||||
|
|
@ -38365,7 +38435,7 @@ index 17eda24..25e49cf 100644
|
|||
allow initrc_t self:passwd rootok;
|
||||
allow initrc_t self:key manage_key_perms;
|
||||
|
||||
@@ -258,12 +679,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
||||
@@ -258,12 +681,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
||||
|
||||
allow initrc_t initrc_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
|
||||
|
|
@ -38382,7 +38452,7 @@ index 17eda24..25e49cf 100644
|
|||
|
||||
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
|
||||
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
|
||||
@@ -279,23 +704,36 @@ kernel_change_ring_buffer_level(initrc_t)
|
||||
@@ -279,23 +706,36 @@ kernel_change_ring_buffer_level(initrc_t)
|
||||
kernel_clear_ring_buffer(initrc_t)
|
||||
kernel_get_sysvipc_info(initrc_t)
|
||||
kernel_read_all_sysctls(initrc_t)
|
||||
|
|
@ -38425,7 +38495,7 @@ index 17eda24..25e49cf 100644
|
|||
corenet_tcp_sendrecv_all_ports(initrc_t)
|
||||
corenet_udp_sendrecv_all_ports(initrc_t)
|
||||
corenet_tcp_connect_all_ports(initrc_t)
|
||||
@@ -303,9 +741,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
|
||||
@@ -303,9 +743,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
|
||||
|
||||
dev_read_rand(initrc_t)
|
||||
dev_read_urand(initrc_t)
|
||||
|
|
@ -38437,7 +38507,7 @@ index 17eda24..25e49cf 100644
|
|||
dev_rw_sysfs(initrc_t)
|
||||
dev_list_usbfs(initrc_t)
|
||||
dev_read_framebuffer(initrc_t)
|
||||
@@ -313,8 +753,10 @@ dev_write_framebuffer(initrc_t)
|
||||
@@ -313,8 +755,10 @@ dev_write_framebuffer(initrc_t)
|
||||
dev_read_realtime_clock(initrc_t)
|
||||
dev_read_sound_mixer(initrc_t)
|
||||
dev_write_sound_mixer(initrc_t)
|
||||
|
|
@ -38448,7 +38518,7 @@ index 17eda24..25e49cf 100644
|
|||
dev_delete_lvm_control_dev(initrc_t)
|
||||
dev_manage_generic_symlinks(initrc_t)
|
||||
dev_manage_generic_files(initrc_t)
|
||||
@@ -322,8 +764,7 @@ dev_manage_generic_files(initrc_t)
|
||||
@@ -322,8 +766,7 @@ dev_manage_generic_files(initrc_t)
|
||||
dev_delete_generic_symlinks(initrc_t)
|
||||
dev_getattr_all_blk_files(initrc_t)
|
||||
dev_getattr_all_chr_files(initrc_t)
|
||||
|
|
@ -38458,7 +38528,7 @@ index 17eda24..25e49cf 100644
|
|||
|
||||
domain_kill_all_domains(initrc_t)
|
||||
domain_signal_all_domains(initrc_t)
|
||||
@@ -332,7 +773,6 @@ domain_sigstop_all_domains(initrc_t)
|
||||
@@ -332,7 +775,6 @@ domain_sigstop_all_domains(initrc_t)
|
||||
domain_sigchld_all_domains(initrc_t)
|
||||
domain_read_all_domains_state(initrc_t)
|
||||
domain_getattr_all_domains(initrc_t)
|
||||
|
|
@ -38466,7 +38536,7 @@ index 17eda24..25e49cf 100644
|
|||
domain_getsession_all_domains(initrc_t)
|
||||
domain_use_interactive_fds(initrc_t)
|
||||
# for lsof which is used by alsa shutdown:
|
||||
@@ -340,6 +780,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
|
||||
@@ -340,6 +782,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
|
||||
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
|
||||
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
|
||||
domain_dontaudit_getattr_all_pipes(initrc_t)
|
||||
|
|
@ -38474,7 +38544,7 @@ index 17eda24..25e49cf 100644
|
|||
|
||||
files_getattr_all_dirs(initrc_t)
|
||||
files_getattr_all_files(initrc_t)
|
||||
@@ -347,14 +788,15 @@ files_getattr_all_symlinks(initrc_t)
|
||||
@@ -347,14 +790,15 @@ files_getattr_all_symlinks(initrc_t)
|
||||
files_getattr_all_pipes(initrc_t)
|
||||
files_getattr_all_sockets(initrc_t)
|
||||
files_purge_tmp(initrc_t)
|
||||
|
|
@ -38492,7 +38562,7 @@ index 17eda24..25e49cf 100644
|
|||
files_read_usr_files(initrc_t)
|
||||
files_manage_urandom_seed(initrc_t)
|
||||
files_manage_generic_spool(initrc_t)
|
||||
@@ -364,8 +806,12 @@ files_list_isid_type_dirs(initrc_t)
|
||||
@@ -364,8 +808,12 @@ files_list_isid_type_dirs(initrc_t)
|
||||
files_mounton_isid_type_dirs(initrc_t)
|
||||
files_list_default(initrc_t)
|
||||
files_mounton_default(initrc_t)
|
||||
|
|
@ -38506,7 +38576,7 @@ index 17eda24..25e49cf 100644
|
|||
fs_list_inotifyfs(initrc_t)
|
||||
fs_register_binary_executable_type(initrc_t)
|
||||
# rhgb-console writes to ramfs
|
||||
@@ -375,10 +821,11 @@ fs_mount_all_fs(initrc_t)
|
||||
@@ -375,10 +823,11 @@ fs_mount_all_fs(initrc_t)
|
||||
fs_unmount_all_fs(initrc_t)
|
||||
fs_remount_all_fs(initrc_t)
|
||||
fs_getattr_all_fs(initrc_t)
|
||||
|
|
@ -38520,7 +38590,7 @@ index 17eda24..25e49cf 100644
|
|||
mcs_process_set_categories(initrc_t)
|
||||
|
||||
mls_file_read_all_levels(initrc_t)
|
||||
@@ -387,8 +834,10 @@ mls_process_read_up(initrc_t)
|
||||
@@ -387,8 +836,10 @@ mls_process_read_up(initrc_t)
|
||||
mls_process_write_down(initrc_t)
|
||||
mls_rangetrans_source(initrc_t)
|
||||
mls_fd_share_all_levels(initrc_t)
|
||||
|
|
@ -38531,7 +38601,7 @@ index 17eda24..25e49cf 100644
|
|||
|
||||
storage_getattr_fixed_disk_dev(initrc_t)
|
||||
storage_setattr_fixed_disk_dev(initrc_t)
|
||||
@@ -398,6 +847,7 @@ term_use_all_terms(initrc_t)
|
||||
@@ -398,6 +849,7 @@ term_use_all_terms(initrc_t)
|
||||
term_reset_tty_labels(initrc_t)
|
||||
|
||||
auth_rw_login_records(initrc_t)
|
||||
|
|
@ -38539,7 +38609,7 @@ index 17eda24..25e49cf 100644
|
|||
auth_setattr_login_records(initrc_t)
|
||||
auth_rw_lastlog(initrc_t)
|
||||
auth_read_pam_pid(initrc_t)
|
||||
@@ -416,20 +866,18 @@ logging_read_all_logs(initrc_t)
|
||||
@@ -416,20 +868,18 @@ logging_read_all_logs(initrc_t)
|
||||
logging_append_all_logs(initrc_t)
|
||||
logging_read_audit_config(initrc_t)
|
||||
|
||||
|
|
@ -38563,7 +38633,7 @@ index 17eda24..25e49cf 100644
|
|||
|
||||
ifdef(`distro_debian',`
|
||||
dev_setattr_generic_dirs(initrc_t)
|
||||
@@ -451,7 +899,6 @@ ifdef(`distro_gentoo',`
|
||||
@@ -451,7 +901,6 @@ ifdef(`distro_gentoo',`
|
||||
allow initrc_t self:process setfscreate;
|
||||
dev_create_null_dev(initrc_t)
|
||||
dev_create_zero_dev(initrc_t)
|
||||
|
|
@ -38571,7 +38641,7 @@ index 17eda24..25e49cf 100644
|
|||
term_create_console_dev(initrc_t)
|
||||
|
||||
# unfortunately /sbin/rc does stupid tricks
|
||||
@@ -486,6 +933,10 @@ ifdef(`distro_gentoo',`
|
||||
@@ -486,6 +935,10 @@ ifdef(`distro_gentoo',`
|
||||
sysnet_setattr_config(initrc_t)
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38582,7 +38652,7 @@ index 17eda24..25e49cf 100644
|
|||
alsa_read_lib(initrc_t)
|
||||
')
|
||||
|
||||
@@ -506,7 +957,7 @@ ifdef(`distro_redhat',`
|
||||
@@ -506,7 +959,7 @@ ifdef(`distro_redhat',`
|
||||
|
||||
# Red Hat systems seem to have a stray
|
||||
# fd open from the initrd
|
||||
|
|
@ -38591,7 +38661,7 @@ index 17eda24..25e49cf 100644
|
|||
files_dontaudit_read_root_files(initrc_t)
|
||||
|
||||
# These seem to be from the initrd
|
||||
@@ -521,6 +972,7 @@ ifdef(`distro_redhat',`
|
||||
@@ -521,6 +974,7 @@ ifdef(`distro_redhat',`
|
||||
files_create_boot_dirs(initrc_t)
|
||||
files_create_boot_flag(initrc_t)
|
||||
files_rw_boot_symlinks(initrc_t)
|
||||
|
|
@ -38599,7 +38669,7 @@ index 17eda24..25e49cf 100644
|
|||
# wants to read /.fonts directory
|
||||
files_read_default_files(initrc_t)
|
||||
files_mountpoint(initrc_tmp_t)
|
||||
@@ -541,6 +993,7 @@ ifdef(`distro_redhat',`
|
||||
@@ -541,6 +995,7 @@ ifdef(`distro_redhat',`
|
||||
miscfiles_rw_localization(initrc_t)
|
||||
miscfiles_setattr_localization(initrc_t)
|
||||
miscfiles_relabel_localization(initrc_t)
|
||||
|
|
@ -38607,7 +38677,7 @@ index 17eda24..25e49cf 100644
|
|||
|
||||
miscfiles_read_fonts(initrc_t)
|
||||
miscfiles_read_hwdata(initrc_t)
|
||||
@@ -550,8 +1003,44 @@ ifdef(`distro_redhat',`
|
||||
@@ -550,8 +1005,44 @@ ifdef(`distro_redhat',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38652,7 +38722,7 @@ index 17eda24..25e49cf 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -559,14 +1048,31 @@ ifdef(`distro_redhat',`
|
||||
@@ -559,14 +1050,31 @@ ifdef(`distro_redhat',`
|
||||
rpc_write_exports(initrc_t)
|
||||
rpc_manage_nfs_state_data(initrc_t)
|
||||
')
|
||||
|
|
@ -38684,7 +38754,7 @@ index 17eda24..25e49cf 100644
|
|||
')
|
||||
')
|
||||
|
||||
@@ -577,6 +1083,39 @@ ifdef(`distro_suse',`
|
||||
@@ -577,6 +1085,39 @@ ifdef(`distro_suse',`
|
||||
')
|
||||
')
|
||||
|
||||
|
|
@ -38724,7 +38794,7 @@ index 17eda24..25e49cf 100644
|
|||
optional_policy(`
|
||||
amavis_search_lib(initrc_t)
|
||||
amavis_setattr_pid_files(initrc_t)
|
||||
@@ -589,6 +1128,8 @@ optional_policy(`
|
||||
@@ -589,6 +1130,8 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
apache_read_config(initrc_t)
|
||||
apache_list_modules(initrc_t)
|
||||
|
|
@ -38733,7 +38803,7 @@ index 17eda24..25e49cf 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -610,6 +1151,7 @@ optional_policy(`
|
||||
@@ -610,6 +1153,7 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
cgroup_stream_connect_cgred(initrc_t)
|
||||
|
|
@ -38741,7 +38811,7 @@ index 17eda24..25e49cf 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -626,6 +1168,17 @@ optional_policy(`
|
||||
@@ -626,6 +1170,17 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38759,7 +38829,7 @@ index 17eda24..25e49cf 100644
|
|||
dev_getattr_printer_dev(initrc_t)
|
||||
|
||||
cups_read_log(initrc_t)
|
||||
@@ -642,9 +1195,13 @@ optional_policy(`
|
||||
@@ -642,9 +1197,13 @@ optional_policy(`
|
||||
dbus_connect_system_bus(initrc_t)
|
||||
dbus_system_bus_client(initrc_t)
|
||||
dbus_read_config(initrc_t)
|
||||
|
|
@ -38773,7 +38843,7 @@ index 17eda24..25e49cf 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -657,15 +1214,11 @@ optional_policy(`
|
||||
@@ -657,15 +1216,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38791,7 +38861,7 @@ index 17eda24..25e49cf 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -686,6 +1239,15 @@ optional_policy(`
|
||||
@@ -686,6 +1241,15 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38807,7 +38877,7 @@ index 17eda24..25e49cf 100644
|
|||
inn_exec_config(initrc_t)
|
||||
')
|
||||
|
||||
@@ -726,6 +1288,7 @@ optional_policy(`
|
||||
@@ -726,6 +1290,7 @@ optional_policy(`
|
||||
lpd_list_spool(initrc_t)
|
||||
|
||||
lpd_read_config(initrc_t)
|
||||
|
|
@ -38815,7 +38885,7 @@ index 17eda24..25e49cf 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -743,7 +1306,13 @@ optional_policy(`
|
||||
@@ -743,7 +1308,13 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38830,7 +38900,7 @@ index 17eda24..25e49cf 100644
|
|||
mta_dontaudit_read_spool_symlinks(initrc_t)
|
||||
')
|
||||
|
||||
@@ -766,6 +1335,10 @@ optional_policy(`
|
||||
@@ -766,6 +1337,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38841,7 +38911,7 @@ index 17eda24..25e49cf 100644
|
|||
postgresql_manage_db(initrc_t)
|
||||
postgresql_read_config(initrc_t)
|
||||
')
|
||||
@@ -775,10 +1348,20 @@ optional_policy(`
|
||||
@@ -775,10 +1350,20 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38862,7 +38932,7 @@ index 17eda24..25e49cf 100644
|
|||
quota_manage_flags(initrc_t)
|
||||
')
|
||||
|
||||
@@ -787,6 +1370,10 @@ optional_policy(`
|
||||
@@ -787,6 +1372,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38873,7 +38943,7 @@ index 17eda24..25e49cf 100644
|
|||
fs_write_ramfs_sockets(initrc_t)
|
||||
fs_search_ramfs(initrc_t)
|
||||
|
||||
@@ -808,8 +1395,6 @@ optional_policy(`
|
||||
@@ -808,8 +1397,6 @@ optional_policy(`
|
||||
# bash tries ioctl for some reason
|
||||
files_dontaudit_ioctl_all_pids(initrc_t)
|
||||
|
||||
|
|
@ -38882,7 +38952,7 @@ index 17eda24..25e49cf 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -818,6 +1403,10 @@ optional_policy(`
|
||||
@@ -818,6 +1405,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38893,7 +38963,7 @@ index 17eda24..25e49cf 100644
|
|||
# shorewall-init script run /var/lib/shorewall/firewall
|
||||
shorewall_lib_domtrans(initrc_t)
|
||||
')
|
||||
@@ -827,10 +1416,12 @@ optional_policy(`
|
||||
@@ -827,10 +1418,12 @@ optional_policy(`
|
||||
squid_manage_logs(initrc_t)
|
||||
')
|
||||
|
||||
|
|
@ -38906,7 +38976,7 @@ index 17eda24..25e49cf 100644
|
|||
|
||||
optional_policy(`
|
||||
ssh_dontaudit_read_server_keys(initrc_t)
|
||||
@@ -857,21 +1448,62 @@ optional_policy(`
|
||||
@@ -857,21 +1450,62 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38970,7 +39040,7 @@ index 17eda24..25e49cf 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -887,6 +1519,10 @@ optional_policy(`
|
||||
@@ -887,6 +1521,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38981,7 +39051,7 @@ index 17eda24..25e49cf 100644
|
|||
# Set device ownerships/modes.
|
||||
xserver_setattr_console_pipes(initrc_t)
|
||||
|
||||
@@ -897,3 +1533,218 @@ optional_policy(`
|
||||
@@ -897,3 +1535,218 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
zebra_read_config(initrc_t)
|
||||
')
|
||||
|
|
|
|||
|
|
@ -114657,10 +114657,10 @@ index facdee8..2cff369 100644
|
|||
+ domtrans_pattern($1,container_file_t, $2)
|
||||
')
|
||||
diff --git a/virt.te b/virt.te
|
||||
index f03dcf5..8036117 100644
|
||||
index f03dcf5..d7dc78b 100644
|
||||
--- a/virt.te
|
||||
+++ b/virt.te
|
||||
@@ -1,451 +1,410 @@
|
||||
@@ -1,451 +1,411 @@
|
||||
-policy_module(virt, 1.7.4)
|
||||
+policy_module(virt, 1.5.0)
|
||||
|
||||
|
|
@ -115350,6 +115350,7 @@ index f03dcf5..8036117 100644
|
|||
|
||||
manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t)
|
||||
manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t)
|
||||
+files_var_filetrans(virtd_t, virt_cache_t, dir)
|
||||
|
||||
manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
|
||||
manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
|
||||
|
|
@ -115381,7 +115382,7 @@ index f03dcf5..8036117 100644
|
|||
|
||||
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
||||
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
||||
@@ -455,42 +414,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
||||
@@ -455,42 +415,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
||||
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
||||
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
|
||||
|
||||
|
|
@ -115428,7 +115429,7 @@ index f03dcf5..8036117 100644
|
|||
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
|
||||
|
||||
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
|
||||
@@ -503,23 +449,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
|
||||
@@ -503,23 +450,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
|
||||
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
|
||||
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
|
||||
|
||||
|
|
@ -115462,7 +115463,7 @@ index f03dcf5..8036117 100644
|
|||
|
||||
corecmd_exec_bin(virtd_t)
|
||||
corecmd_exec_shell(virtd_t)
|
||||
@@ -527,24 +474,16 @@ corecmd_exec_shell(virtd_t)
|
||||
@@ -527,24 +475,16 @@ corecmd_exec_shell(virtd_t)
|
||||
corenet_all_recvfrom_netlabel(virtd_t)
|
||||
corenet_tcp_sendrecv_generic_if(virtd_t)
|
||||
corenet_tcp_sendrecv_generic_node(virtd_t)
|
||||
|
|
@ -115490,7 +115491,7 @@ index f03dcf5..8036117 100644
|
|||
dev_rw_sysfs(virtd_t)
|
||||
dev_read_urand(virtd_t)
|
||||
dev_read_rand(virtd_t)
|
||||
@@ -555,20 +494,26 @@ dev_rw_vhost(virtd_t)
|
||||
@@ -555,20 +495,26 @@ dev_rw_vhost(virtd_t)
|
||||
dev_setattr_generic_usb_dev(virtd_t)
|
||||
dev_relabel_generic_usb_dev(virtd_t)
|
||||
|
||||
|
|
@ -115521,7 +115522,7 @@ index f03dcf5..8036117 100644
|
|||
fs_list_auto_mountpoints(virtd_t)
|
||||
fs_getattr_all_fs(virtd_t)
|
||||
fs_rw_anon_inodefs_files(virtd_t)
|
||||
@@ -601,15 +546,18 @@ term_use_ptmx(virtd_t)
|
||||
@@ -601,15 +547,18 @@ term_use_ptmx(virtd_t)
|
||||
|
||||
auth_use_nsswitch(virtd_t)
|
||||
|
||||
|
|
@ -115541,7 +115542,7 @@ index f03dcf5..8036117 100644
|
|||
|
||||
selinux_validate_context(virtd_t)
|
||||
|
||||
@@ -620,18 +568,26 @@ seutil_read_file_contexts(virtd_t)
|
||||
@@ -620,18 +569,26 @@ seutil_read_file_contexts(virtd_t)
|
||||
sysnet_signull_ifconfig(virtd_t)
|
||||
sysnet_signal_ifconfig(virtd_t)
|
||||
sysnet_domtrans_ifconfig(virtd_t)
|
||||
|
|
@ -115578,7 +115579,7 @@ index f03dcf5..8036117 100644
|
|||
|
||||
tunable_policy(`virt_use_nfs',`
|
||||
fs_manage_nfs_dirs(virtd_t)
|
||||
@@ -640,7 +596,7 @@ tunable_policy(`virt_use_nfs',`
|
||||
@@ -640,7 +597,7 @@ tunable_policy(`virt_use_nfs',`
|
||||
')
|
||||
|
||||
tunable_policy(`virt_use_samba',`
|
||||
|
|
@ -115587,7 +115588,7 @@ index f03dcf5..8036117 100644
|
|||
fs_manage_cifs_files(virtd_t)
|
||||
fs_read_cifs_symlinks(virtd_t)
|
||||
')
|
||||
@@ -665,20 +621,12 @@ optional_policy(`
|
||||
@@ -665,20 +622,12 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -115608,7 +115609,7 @@ index f03dcf5..8036117 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -691,20 +639,26 @@ optional_policy(`
|
||||
@@ -691,20 +640,26 @@ optional_policy(`
|
||||
dnsmasq_kill(virtd_t)
|
||||
dnsmasq_signull(virtd_t)
|
||||
dnsmasq_create_pid_dirs(virtd_t)
|
||||
|
|
@ -115639,7 +115640,7 @@ index f03dcf5..8036117 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -712,11 +666,18 @@ optional_policy(`
|
||||
@@ -712,11 +667,18 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -115658,7 +115659,7 @@ index f03dcf5..8036117 100644
|
|||
policykit_domtrans_auth(virtd_t)
|
||||
policykit_domtrans_resolve(virtd_t)
|
||||
policykit_read_lib(virtd_t)
|
||||
@@ -727,10 +688,18 @@ optional_policy(`
|
||||
@@ -727,10 +689,18 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -115677,7 +115678,7 @@ index f03dcf5..8036117 100644
|
|||
kernel_read_xen_state(virtd_t)
|
||||
kernel_write_xen_state(virtd_t)
|
||||
|
||||
@@ -746,44 +715,336 @@ optional_policy(`
|
||||
@@ -746,44 +716,336 @@ optional_policy(`
|
||||
udev_read_pid_files(virtd_t)
|
||||
')
|
||||
|
||||
|
|
@ -116036,7 +116037,7 @@ index f03dcf5..8036117 100644
|
|||
kernel_read_system_state(virsh_t)
|
||||
kernel_read_network_state(virsh_t)
|
||||
kernel_read_kernel_sysctls(virsh_t)
|
||||
@@ -794,25 +1055,18 @@ kernel_write_xen_state(virsh_t)
|
||||
@@ -794,25 +1056,18 @@ kernel_write_xen_state(virsh_t)
|
||||
corecmd_exec_bin(virsh_t)
|
||||
corecmd_exec_shell(virsh_t)
|
||||
|
||||
|
|
@ -116063,7 +116064,7 @@ index f03dcf5..8036117 100644
|
|||
|
||||
fs_getattr_all_fs(virsh_t)
|
||||
fs_manage_xenfs_dirs(virsh_t)
|
||||
@@ -821,23 +1075,25 @@ fs_search_auto_mountpoints(virsh_t)
|
||||
@@ -821,23 +1076,25 @@ fs_search_auto_mountpoints(virsh_t)
|
||||
|
||||
storage_raw_read_fixed_disk(virsh_t)
|
||||
|
||||
|
|
@ -116097,7 +116098,7 @@ index f03dcf5..8036117 100644
|
|||
|
||||
tunable_policy(`virt_use_nfs',`
|
||||
fs_manage_nfs_dirs(virsh_t)
|
||||
@@ -856,14 +1112,20 @@ optional_policy(`
|
||||
@@ -856,14 +1113,20 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -116119,7 +116120,7 @@ index f03dcf5..8036117 100644
|
|||
xen_stream_connect(virsh_t)
|
||||
xen_stream_connect_xenstore(virsh_t)
|
||||
')
|
||||
@@ -888,49 +1150,66 @@ optional_policy(`
|
||||
@@ -888,49 +1151,66 @@ optional_policy(`
|
||||
kernel_read_xen_state(virsh_ssh_t)
|
||||
kernel_write_xen_state(virsh_ssh_t)
|
||||
|
||||
|
|
@ -116204,7 +116205,7 @@ index f03dcf5..8036117 100644
|
|||
|
||||
corecmd_exec_bin(virtd_lxc_t)
|
||||
corecmd_exec_shell(virtd_lxc_t)
|
||||
@@ -942,17 +1221,16 @@ dev_read_urand(virtd_lxc_t)
|
||||
@@ -942,17 +1222,16 @@ dev_read_urand(virtd_lxc_t)
|
||||
|
||||
domain_use_interactive_fds(virtd_lxc_t)
|
||||
|
||||
|
|
@ -116224,7 +116225,7 @@ index f03dcf5..8036117 100644
|
|||
fs_getattr_all_fs(virtd_lxc_t)
|
||||
fs_manage_tmpfs_dirs(virtd_lxc_t)
|
||||
fs_manage_tmpfs_chr_files(virtd_lxc_t)
|
||||
@@ -964,8 +1242,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
|
||||
@@ -964,8 +1243,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
|
||||
fs_unmount_all_fs(virtd_lxc_t)
|
||||
fs_relabelfrom_tmpfs(virtd_lxc_t)
|
||||
|
||||
|
|
@ -116248,7 +116249,7 @@ index f03dcf5..8036117 100644
|
|||
selinux_get_enforce_mode(virtd_lxc_t)
|
||||
selinux_get_fs_mount(virtd_lxc_t)
|
||||
selinux_validate_context(virtd_lxc_t)
|
||||
@@ -974,194 +1267,370 @@ selinux_compute_create_context(virtd_lxc_t)
|
||||
@@ -974,194 +1268,370 @@ selinux_compute_create_context(virtd_lxc_t)
|
||||
selinux_compute_relabel_context(virtd_lxc_t)
|
||||
selinux_compute_user_contexts(virtd_lxc_t)
|
||||
|
||||
|
|
@ -116764,7 +116765,7 @@ index f03dcf5..8036117 100644
|
|||
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
|
||||
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
|
||||
@@ -1174,12 +1643,12 @@ dev_read_sysfs(virt_qmf_t)
|
||||
@@ -1174,12 +1644,12 @@ dev_read_sysfs(virt_qmf_t)
|
||||
dev_read_rand(virt_qmf_t)
|
||||
dev_read_urand(virt_qmf_t)
|
||||
|
||||
|
|
@ -116779,7 +116780,7 @@ index f03dcf5..8036117 100644
|
|||
sysnet_read_config(virt_qmf_t)
|
||||
|
||||
optional_policy(`
|
||||
@@ -1192,7 +1661,7 @@ optional_policy(`
|
||||
@@ -1192,7 +1662,7 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -116788,7 +116789,7 @@ index f03dcf5..8036117 100644
|
|||
#
|
||||
|
||||
allow virt_bridgehelper_t self:process { setcap getcap };
|
||||
@@ -1201,11 +1670,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
||||
@@ -1201,11 +1671,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
||||
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
|
||||
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@
|
|||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 234%{?dist}
|
||||
Release: 235%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
|
|
@ -675,6 +675,11 @@ exit 0
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Jan 17 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-235
|
||||
- Allow libvirt daemon to create /var/chace/libvirt dir.
|
||||
- Allow systemd using ProtectKernelTunables securit feature. BZ(1392161)
|
||||
- F26 Wide change: Coredumps enabled by default. Allowing inherits process limits to enable coredumps.BZ(1341829)
|
||||
|
||||
* Tue Jan 17 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-234
|
||||
- After the latest changes in nfsd. We should allow nfsd_t to read raw fixed disk. For more info see: BZ(1403017)
|
||||
- Tighten security on containe types
|
||||
|
|
|
|||
Loading…
Reference in New Issue