Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy
Conflicts: config.tgz
|
@ -1,5 +1,5 @@
|
||||||
# Turn off the ability for one process to read/modify another processes memory
|
# Turn off the ability for one process to read/modify another processes memory
|
||||||
deny_ptrace = true
|
deny_ptrace = false
|
||||||
|
|
||||||
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
|
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
|
||||||
deny_execmem = false
|
deny_execmem = false
|
||||||
|
@ -11,7 +11,7 @@ allow_execmod = true
|
||||||
|
|
||||||
# Allow making the stack executable via mprotect.Also requires allow_execmem.
|
# Allow making the stack executable via mprotect.Also requires allow_execmem.
|
||||||
#
|
#
|
||||||
allow_execstack = false
|
allow_execstack = true
|
||||||
|
|
||||||
# Allow ftpd to read cifs directories.
|
# Allow ftpd to read cifs directories.
|
||||||
#
|
#
|
||||||
|
@ -33,6 +33,10 @@ allow_gssd_read_tmp = true
|
||||||
#
|
#
|
||||||
allow_httpd_anon_write = false
|
allow_httpd_anon_write = false
|
||||||
|
|
||||||
|
# Allow Apache to connect to port 80 for graceful shutdown
|
||||||
|
#
|
||||||
|
httpd_graceful_shutdown = true
|
||||||
|
|
||||||
# Allow Apache to use mod_auth_pam module
|
# Allow Apache to use mod_auth_pam module
|
||||||
#
|
#
|
||||||
allow_httpd_mod_auth_pam = false
|
allow_httpd_mod_auth_pam = false
|
||||||
|
@ -232,7 +236,9 @@ allow_xserver_execmem = false
|
||||||
# disallow guest accounts to execute files that they can create
|
# disallow guest accounts to execute files that they can create
|
||||||
#
|
#
|
||||||
allow_guest_exec_content = false
|
allow_guest_exec_content = false
|
||||||
allow_xguest_exec_content = false
|
|
||||||
|
# xguest now requires to execute content in homedir to allow gnome-shell to work# properly.
|
||||||
|
allow_xguest_exec_content = true
|
||||||
|
|
||||||
# Only allow browser to use the web
|
# Only allow browser to use the web
|
||||||
#
|
#
|
||||||
|
@ -264,7 +270,7 @@ unconfined_mozilla_plugin_transition=true
|
||||||
|
|
||||||
# Allow unconfined domain to transition to confined domain
|
# Allow unconfined domain to transition to confined domain
|
||||||
#
|
#
|
||||||
unconfined_telepathy_transition=true
|
unconfined_telepathy_transition=false
|
||||||
|
|
||||||
# Allow unconfined domain to transition to chrome_sandbox confined domain
|
# Allow unconfined domain to transition to chrome_sandbox confined domain
|
||||||
#
|
#
|
||||||
|
|
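Review bot: `allow_execstack = true` (replacing `false`) and `deny_ptrace = false` (replacing `true`) relax memory-protection defaults for every domain this booleans file governs, yet neither flipped line gets a comment saying why; the merge record only mentions the config.tgz conflict. The existing comment above allow_execstack notes that it also requires allow_execmem, so the effective relaxation is wider than a single flag. Put a reason line above each flipped value, e.g. `# Relaxed for <REASON-PLACEHOLDER>; revisit before release`, so the next reader can tell a deliberate choice from a bad merge resolution. The added comment `# xguest now requires to execute content in homedir to allow gnome-shell to work# properly.` looks as if a line break before `# properly.` was lost; worth checking in the real file.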
BIN
config.tgz
BIN
config.tgz
|
@ -67,6 +67,13 @@ collectd = module
|
||||||
#
|
#
|
||||||
colord = module
|
colord = module
|
||||||
|
|
||||||
|
# Layer: services
|
||||||
|
# Module: couchdb
|
||||||
|
#
|
||||||
|
# Apache CouchDB database server
|
||||||
|
#
|
||||||
|
couchdb = module
|
||||||
|
|
||||||
# Layer: apps
|
# Layer: apps
|
||||||
# Module: cpufreqselector
|
# Module: cpufreqselector
|
||||||
#
|
#
|
||||||
|
@ -194,6 +201,13 @@ automount = module
|
||||||
#
|
#
|
||||||
avahi = module
|
avahi = module
|
||||||
|
|
||||||
|
# Layer: services
|
||||||
|
# Module: bcfg2
|
||||||
|
#
|
||||||
|
# Configuration management server
|
||||||
|
#
|
||||||
|
bcfg2 = module
|
||||||
|
|
||||||
# Layer: services
|
# Layer: services
|
||||||
# Module: boinc
|
# Module: boinc
|
||||||
#
|
#
|
||||||
|
@ -723,13 +737,6 @@ hddtemp = module
|
||||||
#
|
#
|
||||||
passenger = module
|
passenger = module
|
||||||
|
|
||||||
# Layer: admin
|
|
||||||
# Module: permissivedomains
|
|
||||||
#
|
|
||||||
# Contains all permissivedomains shipped by distribution
|
|
||||||
#
|
|
||||||
permissivedomains = module
|
|
||||||
|
|
||||||
# Layer: services
|
# Layer: services
|
||||||
# Module: policykit
|
# Module: policykit
|
||||||
#
|
#
|
||||||
|
@ -758,6 +765,20 @@ ptchown = module
|
||||||
#
|
#
|
||||||
psad = module
|
psad = module
|
||||||
|
|
||||||
|
# Layer: apps
|
||||||
|
# Module: pwauth
|
||||||
|
#
|
||||||
|
# External plugin for mod_authnz_external authenticator
|
||||||
|
#
|
||||||
|
pwauth = module
|
||||||
|
|
||||||
|
# Layer: services
|
||||||
|
# Module: quantum
|
||||||
|
#
|
||||||
|
# Quantum is a virtual network service for Openstack
|
||||||
|
#
|
||||||
|
quantum = module
|
||||||
|
|
||||||
# Layer: system
|
# Layer: system
|
||||||
# Module: hostname
|
# Module: hostname
|
||||||
#
|
#
|
||||||
|
@ -835,7 +856,6 @@ icecast = module
|
||||||
#
|
#
|
||||||
i18n_input = off
|
i18n_input = off
|
||||||
|
|
||||||
|
|
||||||
# Layer: services
|
# Layer: services
|
||||||
# Module: jabber
|
# Module: jabber
|
||||||
#
|
#
|
||||||
|
@ -843,6 +863,13 @@ i18n_input = off
|
||||||
#
|
#
|
||||||
jabber = module
|
jabber = module
|
||||||
|
|
||||||
|
# Layer: services
|
||||||
|
# Module: jetty
|
||||||
|
#
|
||||||
|
# Java based http server
|
||||||
|
#
|
||||||
|
jetty = module
|
||||||
|
|
||||||
# Layer: admin
|
# Layer: admin
|
||||||
# Module: kdump
|
# Module: kdump
|
||||||
#
|
#
|
||||||
|
@ -2369,6 +2396,13 @@ milter = module
|
||||||
#
|
#
|
||||||
keyboardd = module
|
keyboardd = module
|
||||||
|
|
||||||
|
# Layer: services
|
||||||
|
# Module: keystone
|
||||||
|
#
|
||||||
|
# openstack-keystone
|
||||||
|
#
|
||||||
|
keystone = module
|
||||||
|
|
||||||
# Layer: services
|
# Layer: services
|
||||||
# Module: firewalld
|
# Module: firewalld
|
||||||
#
|
#
|
||||||
|
@ -2439,6 +2473,13 @@ sblim = module
|
||||||
#
|
#
|
||||||
cfengine = module
|
cfengine = module
|
||||||
|
|
||||||
|
# Layer: services
|
||||||
|
# Module: pacemaker
|
||||||
|
#
|
||||||
|
# pacemaker
|
||||||
|
#
|
||||||
|
pacemaker = module
|
||||||
|
|
||||||
# Layer: services
|
# Layer: services
|
||||||
# Module: polipo
|
# Module: polipo
|
||||||
#
|
#
|
||||||
|
@ -2480,3 +2521,38 @@ obex = module
|
||||||
# policy for grindengine MPI jobs
|
# policy for grindengine MPI jobs
|
||||||
#
|
#
|
||||||
sge = module
|
sge = module
|
||||||
|
|
||||||
|
# Layer: apps
|
||||||
|
# Module: jockey
|
||||||
|
#
|
||||||
|
# policy for jockey-backend
|
||||||
|
#
|
||||||
|
jockey = module
|
||||||
|
|
||||||
|
# Layer: services
|
||||||
|
# Module: numad
|
||||||
|
#
|
||||||
|
# numad - user-level daemon that provides advice and managment for optimum use of CPUs and memory on systems with NUMA topology
|
||||||
|
#
|
||||||
|
numad = module
|
||||||
|
|
||||||
|
# Layer: services
|
||||||
|
# Module: condor
|
||||||
|
#
|
||||||
|
# policy for condor
|
||||||
|
#
|
||||||
|
condor = module
|
||||||
|
|
||||||
|
# Layer: services
|
||||||
|
# Module: svnserve
|
||||||
|
#
|
||||||
|
# policy for subversion service
|
||||||
|
#
|
||||||
|
svnserve = module
|
||||||
|
|
||||||
|
# Layer: apps
|
||||||
|
# Module: man2html
|
||||||
|
#
|
||||||
|
# policy for man2html apps
|
||||||
|
#
|
||||||
|
man2html = module
|
||||||
|
|
|
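Review bot: The new numad header line `# numad - user-level daemon that provides advice and managment for optimum use of CPUs and memory on systems with NUMA topology` misspells "management"; since these comment lines are the only description a reader gets next to the module switch, use `# numad - user-level daemon that provides advice and management for optimum use of CPUs and memory on systems with NUMA topology`. The other entries added in this hunk (jockey, condor, svnserve, man2html) follow the file's existing Layer/Module/description layout and need no change.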
@ -0,0 +1 @@
|
||||||
|
# No file contexts
|
|
@ -0,0 +1 @@
|
||||||
|
## <summary>No Interfaces</summary>
|
|
@ -0,0 +1,162 @@
|
||||||
|
policy_module(permissivedomains,17)
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
gen_require(`
|
||||||
|
type bcfg2_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
permissive bcfg2_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
gen_require(`
|
||||||
|
type couchdb_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
permissive couchdb_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
gen_require(`
|
||||||
|
type blueman_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
permissive blueman_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
gen_require(`
|
||||||
|
type httpd_zoneminder_script_t, zoneminder_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
permissive httpd_zoneminder_script_t;
|
||||||
|
permissive zoneminder_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
gen_require(`
|
||||||
|
type selinux_munin_plugin_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
permissive selinux_munin_plugin_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
gen_require(`
|
||||||
|
type dnssec_trigger_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
permissive dnssec_trigger_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
gen_require(`
|
||||||
|
type obex_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
permissive obex_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
gen_require(`
|
||||||
|
type sge_shepherd_t;
|
||||||
|
type sge_execd_t;
|
||||||
|
type sge_job_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
permissive sge_shepherd_t;
|
||||||
|
permissive sge_execd_t;
|
||||||
|
permissive sge_job_t;
|
||||||
|
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
gen_require(`
|
||||||
|
type matahari_rpcd_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
permissive matahari_rpcd_t;
|
||||||
|
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
gen_require(`
|
||||||
|
type keystone_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
permissive keystone_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
gen_require(`
|
||||||
|
type pacemaker_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
permissive pacemaker_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
gen_require(`
|
||||||
|
type jockey_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
permissive jockey_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
gen_require(`
|
||||||
|
type quantum_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
permissive quantum_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
gen_require(`
|
||||||
|
type numad_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
permissive numad_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
gen_require(`
|
||||||
|
type pwauth_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
permissive pwauth_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
gen_require(`
|
||||||
|
type man2html_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
permissive man2html_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
gen_require(`
|
||||||
|
type svnserve_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
permissive svnserve_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
gen_require(`
|
||||||
|
type condor_collector_t;
|
||||||
|
type condor_negotiator_t;
|
||||||
|
type condor_startd_t;
|
||||||
|
type condor_schedd_t;
|
||||||
|
type condor_procd_t;
|
||||||
|
type condor_master_t;
|
||||||
|
')
|
||||||
|
permissive condor_collector_t;
|
||||||
|
permissive condor_negotiator_t;
|
||||||
|
permissive condor_schedd_t;
|
||||||
|
permissive condor_startd_t;
|
||||||
|
permissive condor_procd_t;
|
||||||
|
permissive condor_master_t;
|
||||||
|
')
|
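Review bot: Every `permissive <type>;` statement in this new module switches that domain to audit-only enforcement, and the file carries no comment saying the entries are temporary or what must be true before each is removed; a reader of `permissive zoneminder_t;` or `permissive httpd_zoneminder_script_t;` cannot tell whether the web-facing domain is meant to stay this way. Add a header after `policy_module(permissivedomains,17)` such as `# Domains below are permissive: denials are logged, not enforced, until their policy is complete.` and a one-line reason or tracking reference on each block, e.g. `# TODO: remove once <TRACKING-BUG-PLACEHOLDER> is resolved`. The version argument `17` is a bare integer where the sibling modules in this commit use `major.minor.patch` (e.g. `policy_module(livecd, 1.2.0)`), and the three `type sge_shepherd_t;` / `type sge_execd_t;` / `type sge_job_t;` requires could be one `type sge_shepherd_t, sge_execd_t, sge_job_t;` line as the zoneminder block already does.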
74611
policy-F16.patch
74611
policy-F16.patch
|
@ -0,0 +1,854 @@
|
||||||
|
commit f53f820fe366940d4fdecaef80de4e5b1178fac6
|
||||||
|
Author: Miroslav Grepl <mgrepl@redhat.com>
|
||||||
|
Date: Thu Jun 7 01:38:59 2012 +0200
|
||||||
|
|
||||||
|
roleattribute patch
|
||||||
|
|
||||||
|
diff --git a/livecd.if b/livecd.if
|
||||||
|
index bfbf676..fb7869e 100644
|
||||||
|
--- a/livecd.if
|
||||||
|
+++ b/livecd.if
|
||||||
|
@@ -38,12 +38,19 @@ interface(`livecd_run',`
|
||||||
|
gen_require(`
|
||||||
|
type livecd_t;
|
||||||
|
type livecd_exec_t;
|
||||||
|
- attribute_role livecd_roles;
|
||||||
|
+ #attribute_role livecd_roles;
|
||||||
|
')
|
||||||
|
|
||||||
|
livecd_domtrans($1)
|
||||||
|
- roleattribute $2 livecd_roles;
|
||||||
|
+ #roleattribute $2 livecd_roles;
|
||||||
|
+ role $2 types livecd_t;
|
||||||
|
role_transition $2 livecd_exec_t system_r;
|
||||||
|
+
|
||||||
|
+ seutil_run_setfiles_mac(livecd_t, system_r)
|
||||||
|
+
|
||||||
|
+ optional_policy(`
|
||||||
|
+ mount_run(livecd_t, $2)
|
||||||
|
+ ')
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
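Review bot: `seutil_run_setfiles_mac(livecd_t, system_r)` hard-codes `system_r` inside `livecd_run`, while the other new lines in the same interface (`role $2 types livecd_t;`, `mount_run(livecd_t, $2)`) use the caller-supplied role `$2`; presumably the setfiles transition should be authorised for that same role, i.e. `seutil_run_setfiles_mac(livecd_t, $2)`. If `system_r` is intentional because of the existing `role_transition $2 livecd_exec_t system_r`, a one-line comment saying so would keep the next reader from "fixing" it. This hunk sits inside the nested policy patch added by the outer commit.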
|
||||||
|
diff --git a/livecd.te b/livecd.te
|
||||||
|
index 65efdae..7a944b5 100644
|
||||||
|
--- a/livecd.te
|
||||||
|
+++ b/livecd.te
|
||||||
|
@@ -5,13 +5,14 @@ policy_module(livecd, 1.2.0)
|
||||||
|
# Declarations
|
||||||
|
#
|
||||||
|
|
||||||
|
-attribute_role livecd_roles;
|
||||||
|
-roleattribute system_r livecd_roles;
|
||||||
|
+#attribute_role livecd_roles;
|
||||||
|
+#roleattribute system_r livecd_roles;
|
||||||
|
|
||||||
|
type livecd_t;
|
||||||
|
type livecd_exec_t;
|
||||||
|
application_domain(livecd_t, livecd_exec_t)
|
||||||
|
-role livecd_roles types livecd_t;
|
||||||
|
+role system_r types livecd_t;
|
||||||
|
+#role livecd_roles types livecd_t;
|
||||||
|
|
||||||
|
type livecd_tmp_t;
|
||||||
|
files_tmp_file(livecd_tmp_t)
|
||||||
|
@@ -35,10 +36,10 @@ term_filetrans_all_named_dev(livecd_t)
|
||||||
|
|
||||||
|
sysnet_filetrans_named_content(livecd_t)
|
||||||
|
|
||||||
|
-optional_policy(`
|
||||||
|
- mount_run(livecd_t, livecd_roles)
|
||||||
|
- seutil_run_setfiles_mac(livecd_t, livecd_roles)
|
||||||
|
-')
|
||||||
|
+#optional_policy(`
|
||||||
|
+# mount_run(livecd_t, livecd_roles)
|
||||||
|
+# seutil_run_setfiles_mac(livecd_t, livecd_roles)
|
||||||
|
+#')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
ssh_filetrans_admin_home_content(livecd_t)
|
||||||
|
diff --git a/mozilla.if b/mozilla.if
|
||||||
|
index 30b0241..30bfefb 100644
|
||||||
|
--- a/mozilla.if
|
||||||
|
+++ b/mozilla.if
|
||||||
|
@@ -18,10 +18,11 @@
|
||||||
|
interface(`mozilla_role',`
|
||||||
|
gen_require(`
|
||||||
|
type mozilla_t, mozilla_exec_t, mozilla_home_t;
|
||||||
|
- attribute_role mozilla_roles;
|
||||||
|
+ #attribute_role mozilla_roles;
|
||||||
|
')
|
||||||
|
|
||||||
|
- roleattribute $1 mozilla_roles;
|
||||||
|
+ #roleattribute $1 mozilla_roles;
|
||||||
|
+ role $1 types mozilla_t;
|
||||||
|
|
||||||
|
domain_auto_trans($2, mozilla_exec_t, mozilla_t)
|
||||||
|
# Unrestricted inheritance from the caller.
|
||||||
|
@@ -47,6 +48,8 @@ interface(`mozilla_role',`
|
||||||
|
relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
|
||||||
|
relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
|
||||||
|
|
||||||
|
+ #should be remove then with adding of roleattribute
|
||||||
|
+ mozilla_run_plugin(mozilla_t, $1)
|
||||||
|
mozilla_dbus_chat($2)
|
||||||
|
|
||||||
|
userdom_manage_tmp_role($1, mozilla_t)
|
||||||
|
@@ -63,7 +66,6 @@ interface(`mozilla_role',`
|
||||||
|
|
||||||
|
mozilla_filetrans_home_content($2)
|
||||||
|
|
||||||
|
- mozilla_dbus_chat($2)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
diff --git a/mozilla.te b/mozilla.te
|
||||||
|
index 7bf56bf..56700a4 100644
|
||||||
|
--- a/mozilla.te
|
||||||
|
+++ b/mozilla.te
|
||||||
|
@@ -19,14 +19,15 @@ gen_tunable(mozilla_read_content, false)
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(mozilla_plugin_enable_homedirs, false)
|
||||||
|
|
||||||
|
-attribute_role mozilla_roles;
|
||||||
|
+#attribute_role mozilla_roles;
|
||||||
|
|
||||||
|
type mozilla_t;
|
||||||
|
type mozilla_exec_t;
|
||||||
|
typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
|
||||||
|
typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
|
||||||
|
userdom_user_application_domain(mozilla_t, mozilla_exec_t)
|
||||||
|
-role mozilla_roles types mozilla_t;
|
||||||
|
+#role mozilla_roles types mozilla_t;
|
||||||
|
+role system_r types mozilla_t;
|
||||||
|
|
||||||
|
type mozilla_conf_t;
|
||||||
|
files_config_file(mozilla_conf_t)
|
||||||
|
@@ -39,7 +40,8 @@ userdom_user_home_content(mozilla_home_t)
|
||||||
|
type mozilla_plugin_t;
|
||||||
|
type mozilla_plugin_exec_t;
|
||||||
|
application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
|
||||||
|
-role mozilla_roles types mozilla_plugin_t;
|
||||||
|
+#role mozilla_roles types mozilla_plugin_t;
|
||||||
|
+role system_r types mozilla_plugin_t;
|
||||||
|
|
||||||
|
type mozilla_plugin_tmp_t;
|
||||||
|
userdom_user_tmp_content(mozilla_plugin_tmp_t)
|
||||||
|
@@ -55,7 +57,8 @@ files_type(mozilla_plugin_rw_t)
|
||||||
|
type mozilla_plugin_config_t;
|
||||||
|
type mozilla_plugin_config_exec_t;
|
||||||
|
application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)
|
||||||
|
-role mozilla_roles types mozilla_plugin_config_t;
|
||||||
|
+#role mozilla_roles types mozilla_plugin_config_t;
|
||||||
|
+role system_r types mozilla_plugin_config_t;
|
||||||
|
|
||||||
|
type mozilla_tmp_t;
|
||||||
|
userdom_user_tmp_file(mozilla_tmp_t)
|
||||||
|
@@ -186,7 +189,7 @@ sysnet_dns_name_resolve(mozilla_t)
|
||||||
|
|
||||||
|
userdom_use_inherited_user_ptys(mozilla_t)
|
||||||
|
|
||||||
|
-mozilla_run_plugin(mozilla_t, mozilla_roles)
|
||||||
|
+#mozilla_run_plugin(mozilla_t, mozilla_roles)
|
||||||
|
|
||||||
|
xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
|
||||||
|
xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
|
||||||
|
@@ -298,7 +301,8 @@ optional_policy(`
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
- pulseaudio_role(mozilla_roles, mozilla_t)
|
||||||
|
+ #pulseaudio_role(mozilla_roles, mozilla_t)
|
||||||
|
+ pulseaudio_exec(mozilla_t)
|
||||||
|
pulseaudio_stream_connect(mozilla_t)
|
||||||
|
pulseaudio_manage_home_files(mozilla_t)
|
||||||
|
')
|
||||||
|
@@ -476,9 +480,9 @@ optional_policy(`
|
||||||
|
java_exec(mozilla_plugin_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
-optional_policy(`
|
||||||
|
- lpd_run_lpr(mozilla_plugin_t, mozilla_roles)
|
||||||
|
-')
|
||||||
|
+#optional_policy(`
|
||||||
|
+# lpd_run_lpr(mozilla_plugin_t, mozilla_roles)
|
||||||
|
+#')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
mplayer_exec(mozilla_plugin_t)
|
||||||
|
diff --git a/ncftool.if b/ncftool.if
|
||||||
|
index 1520b6c..3a4455f 100644
|
||||||
|
--- a/ncftool.if
|
||||||
|
+++ b/ncftool.if
|
||||||
|
@@ -36,10 +36,18 @@ interface(`ncftool_domtrans',`
|
||||||
|
#
|
||||||
|
interface(`ncftool_run',`
|
||||||
|
gen_require(`
|
||||||
|
- attribute_role ncftool_roles;
|
||||||
|
+ type ncftool_t;
|
||||||
|
+ #attribute_role ncftool_roles;
|
||||||
|
')
|
||||||
|
|
||||||
|
- ncftool_domtrans($1)
|
||||||
|
- roleattribute $2 ncftool_roles;
|
||||||
|
+ #ncftool_domtrans($1)
|
||||||
|
+ #roleattribute $2 ncftool_roles;
|
||||||
|
+
|
||||||
|
+ role $1 types ncftool_t;
|
||||||
|
+
|
||||||
|
+ ncftool_domtrans($2)
|
||||||
|
+
|
||||||
|
+ ps_process_pattern($2, ncftool_t)
|
||||||
|
+ allow $2 ncftool_t:process signal;
|
||||||
|
')
|
||||||
|
|
||||||
|
diff --git a/ncftool.te b/ncftool.te
|
||||||
|
index 91ab36d..8c48c33 100644
|
||||||
|
--- a/ncftool.te
|
||||||
|
+++ b/ncftool.te
|
||||||
|
@@ -5,15 +5,16 @@ policy_module(ncftool, 1.1.0)
|
||||||
|
# Declarations
|
||||||
|
#
|
||||||
|
|
||||||
|
-attribute_role ncftool_roles;
|
||||||
|
-roleattribute system_r ncftool_roles;
|
||||||
|
+#attribute_role ncftool_roles;
|
||||||
|
+#roleattribute system_r ncftool_roles;
|
||||||
|
|
||||||
|
type ncftool_t;
|
||||||
|
type ncftool_exec_t;
|
||||||
|
application_domain(ncftool_t, ncftool_exec_t)
|
||||||
|
domain_obj_id_change_exemption(ncftool_t)
|
||||||
|
domain_system_change_exemption(ncftool_t)
|
||||||
|
-role ncftool_roles types ncftool_t;
|
||||||
|
+#role ncftool_roles types ncftool_t;
|
||||||
|
+role system_r types ncftool_t;
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
@@ -53,8 +54,10 @@ term_use_all_inherited_terms(ncftool_t)
|
||||||
|
|
||||||
|
miscfiles_read_localization(ncftool_t)
|
||||||
|
sysnet_delete_dhcpc_pid(ncftool_t)
|
||||||
|
-sysnet_run_dhcpc(ncftool_t, ncftool_roles)
|
||||||
|
-sysnet_run_ifconfig(ncftool_t, ncftool_roles)
|
||||||
|
+sysnet_domtrans_dhcpc(ncftool_t)
|
||||||
|
+sysnet_domtrans_ifconfig(ncftool_t)
|
||||||
|
+#sysnet_run_dhcpc(ncftool_t, ncftool_roles)
|
||||||
|
+#sysnet_run_ifconfig(ncftool_t, ncftool_roles)
|
||||||
|
sysnet_etc_filetrans_config(ncftool_t)
|
||||||
|
sysnet_manage_config(ncftool_t)
|
||||||
|
sysnet_read_dhcpc_state(ncftool_t)
|
||||||
|
@@ -66,9 +69,9 @@ sysnet_signal_dhcpc(ncftool_t)
|
||||||
|
userdom_use_user_terminals(ncftool_t)
|
||||||
|
userdom_read_user_tmp_files(ncftool_t)
|
||||||
|
|
||||||
|
-optional_policy(`
|
||||||
|
- brctl_run(ncftool_t, ncftool_roles)
|
||||||
|
-')
|
||||||
|
+#optional_policy(`
|
||||||
|
+# brctl_run(ncftool_t, ncftool_roles)
|
||||||
|
+#')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
consoletype_exec(ncftool_t)
|
||||||
|
@@ -85,9 +88,12 @@ optional_policy(`
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
modutils_read_module_config(ncftool_t)
|
||||||
|
- modutils_run_insmod(ncftool_t, ncftool_roles)
|
||||||
|
+ modutils_domtrans_insmod(ncftool_t)
|
||||||
|
+ #modutils_run_insmod(ncftool_t, ncftool_roles)
|
||||||
|
+
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
- netutils_run(ncftool_t, ncftool_roles)
|
||||||
|
+ netutils_domtrans(ncftool_t)
|
||||||
|
+ #netutils_run(ncftool_t, ncftool_roles)
|
||||||
|
')
|
||||||
|
diff --git a/ppp.if b/ppp.if
|
||||||
|
index c174b05..a4cad0b 100644
|
||||||
|
--- a/ppp.if
|
||||||
|
+++ b/ppp.if
|
||||||
|
@@ -175,11 +175,18 @@ interface(`ppp_run_cond',`
|
||||||
|
#
|
||||||
|
interface(`ppp_run',`
|
||||||
|
gen_require(`
|
||||||
|
- attribute_role pppd_roles;
|
||||||
|
+ #attribute_role pppd_roles;
|
||||||
|
+ type pppd_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
- ppp_domtrans($1)
|
||||||
|
- roleattribute $2 pppd_roles;
|
||||||
|
+ #ppp_domtrans($1)
|
||||||
|
+ #roleattribute $2 pppd_roles;
|
||||||
|
+
|
||||||
|
+ role $2 types pppd_t;
|
||||||
|
+
|
||||||
|
+ tunable_policy(`pppd_for_user',`
|
||||||
|
+ ppp_domtrans($1)
|
||||||
|
+ ')
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
diff --git a/ppp.te b/ppp.te
|
||||||
|
index 17e10a2..92cec2b 100644
|
||||||
|
--- a/ppp.te
|
||||||
|
+++ b/ppp.te
|
||||||
|
@@ -19,14 +19,15 @@ gen_tunable(pppd_can_insmod, false)
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(pppd_for_user, false)
|
||||||
|
|
||||||
|
-attribute_role pppd_roles;
|
||||||
|
+#attribute_role pppd_roles;
|
||||||
|
|
||||||
|
# pppd_t is the domain for the pppd program.
|
||||||
|
# pppd_exec_t is the type of the pppd executable.
|
||||||
|
type pppd_t;
|
||||||
|
type pppd_exec_t;
|
||||||
|
init_daemon_domain(pppd_t, pppd_exec_t)
|
||||||
|
-role pppd_roles types pppd_t;
|
||||||
|
+#role pppd_roles types pppd_t;
|
||||||
|
+role system_r types pppd_t;
|
||||||
|
|
||||||
|
type pppd_devpts_t;
|
||||||
|
term_pty(pppd_devpts_t)
|
||||||
|
@@ -64,7 +65,8 @@ files_pid_file(pppd_var_run_t)
|
||||||
|
type pptp_t;
|
||||||
|
type pptp_exec_t;
|
||||||
|
init_daemon_domain(pptp_t, pptp_exec_t)
|
||||||
|
-role pppd_roles types pptp_t;
|
||||||
|
+#role pppd_roles types pptp_t;
|
||||||
|
+role system_r types pptp_t;
|
||||||
|
|
||||||
|
type pptp_log_t;
|
||||||
|
logging_log_file(pptp_log_t)
|
||||||
|
@@ -176,7 +178,8 @@ init_dontaudit_write_utmp(pppd_t)
|
||||||
|
init_signal_script(pppd_t)
|
||||||
|
|
||||||
|
auth_use_nsswitch(pppd_t)
|
||||||
|
-auth_run_chk_passwd(pppd_t,pppd_roles)
|
||||||
|
+auth_domtrans_chk_passwd(pppd_t)
|
||||||
|
+#auth_run_chk_passwd(pppd_t,pppd_roles)
|
||||||
|
auth_write_login_records(pppd_t)
|
||||||
|
|
||||||
|
logging_send_syslog_msg(pppd_t)
|
||||||
|
@@ -196,7 +199,8 @@ userdom_search_admin_dir(pppd_t)
|
||||||
|
ppp_exec(pppd_t)
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
- ddclient_run(pppd_t, pppd_roles)
|
||||||
|
+ #ddclient_run(pppd_t, pppd_roles)
|
||||||
|
+ ddclient_domtrans(pppd_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
diff --git a/usernetctl.if b/usernetctl.if
|
||||||
|
index d45c715..2d4f1ba 100644
|
||||||
|
--- a/usernetctl.if
|
||||||
|
+++ b/usernetctl.if
|
||||||
|
@@ -37,9 +37,26 @@ interface(`usernetctl_domtrans',`
|
||||||
|
#
|
||||||
|
interface(`usernetctl_run',`
|
||||||
|
gen_require(`
|
||||||
|
- attribute_role usernetctl_roles;
|
||||||
|
+ type usernetctl_t;
|
||||||
|
+ #attribute_role usernetctl_roles;
|
||||||
|
')
|
||||||
|
|
||||||
|
- usernetctl_domtrans($1)
|
||||||
|
- roleattribute $2 usernetctl_roles;
|
||||||
|
+ #usernetctl_domtrans($1)
|
||||||
|
+ #roleattribute $2 usernetctl_roles;
|
||||||
|
+
|
||||||
|
+ sysnet_run_ifconfig(usernetctl_t, $2)
|
||||||
|
+ sysnet_run_dhcpc(usernetctl_t, $2)
|
||||||
|
+
|
||||||
|
+ optional_policy(`
|
||||||
|
+ iptables_run(usernetctl_t, $2)
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ optional_policy(`
|
||||||
|
+ modutils_run_insmod(usernetctl_t, $2)
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ optional_policy(`
|
||||||
|
+ ppp_run(usernetctl_t, $2)
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
')
|
||||||
|
diff --git a/usernetctl.te b/usernetctl.te
|
||||||
|
index 8604c1c..35b12a6 100644
|
||||||
|
--- a/usernetctl.te
|
||||||
|
+++ b/usernetctl.te
|
||||||
|
@@ -5,13 +5,14 @@ policy_module(usernetctl, 1.6.0)
|
||||||
|
# Declarations
|
||||||
|
#
|
||||||
|
|
||||||
|
-attribute_role usernetctl_roles;
|
||||||
|
+#attribute_role usernetctl_roles;
|
||||||
|
|
||||||
|
type usernetctl_t;
|
||||||
|
type usernetctl_exec_t;
|
||||||
|
application_domain(usernetctl_t, usernetctl_exec_t)
|
||||||
|
domain_interactive_fd(usernetctl_t)
|
||||||
|
-role usernetctl_roles types usernetctl_t;
|
||||||
|
+#role usernetctl_roles types usernetctl_t;
|
||||||
|
+role system_r types usernetctl_t;
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
@@ -63,29 +64,30 @@ sysnet_read_config(usernetctl_t)
|
||||||
|
|
||||||
|
userdom_use_inherited_user_terminals(usernetctl_t)
|
||||||
|
|
||||||
|
-sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
|
||||||
|
-sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
|
||||||
|
+#sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
|
||||||
|
+#sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
- consoletype_run(usernetctl_t, usernetctl_roles)
|
||||||
|
+ #consoletype_run(usernetctl_t, usernetctl_roles)
|
||||||
|
+ consoletype_exec(usernetctl_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
hostname_exec(usernetctl_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
-optional_policy(`
|
||||||
|
- iptables_run(usernetctl_t, usernetctl_roles)
|
||||||
|
-')
|
||||||
|
+#optional_policy(`
|
||||||
|
+# iptables_run(usernetctl_t, usernetctl_roles)
|
||||||
|
+#')
|
||||||
|
|
||||||
|
-optional_policy(`
|
||||||
|
- modutils_run_insmod(usernetctl_t, usernetctl_roles)
|
||||||
|
-')
|
||||||
|
+#optional_policy(`
|
||||||
|
+# modutils_run_insmod(usernetctl_t, usernetctl_roles)
|
||||||
|
+#')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
nis_use_ypbind(usernetctl_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
-optional_policy(`
|
||||||
|
- ppp_run(usernetctl_t, usernetctl_roles)
|
||||||
|
-')
|
||||||
|
+#optional_policy(`
|
||||||
|
+# ppp_run(usernetctl_t, usernetctl_roles)
|
||||||
|
+#')
|
||||||
|
diff --git a/vpn.if b/vpn.if
|
||||||
|
index 7b93e07..a4e2f60 100644
|
||||||
|
--- a/vpn.if
|
||||||
|
+++ b/vpn.if
|
||||||
|
@@ -37,11 +37,16 @@ interface(`vpn_domtrans',`
|
||||||
|
#
|
||||||
|
interface(`vpn_run',`
|
||||||
|
gen_require(`
|
||||||
|
- attribute_role vpnc_roles;
|
||||||
|
+ #attribute_role vpnc_roles;
|
||||||
|
+ type vpnc_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
+ #vpn_domtrans($1)
|
||||||
|
+ #roleattribute $2 vpnc_roles;
|
||||||
|
+
|
||||||
|
vpn_domtrans($1)
|
||||||
|
- roleattribute $2 vpnc_roles;
|
||||||
|
+ role $2 types vpnc_t;
|
||||||
|
+ sysnet_run_ifconfig(vpnc_t, $2)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
diff --git a/vpn.te b/vpn.te
|
||||||
|
index 99fd457..d2585bb 100644
|
||||||
|
--- a/vpn.te
|
||||||
|
+++ b/vpn.te
|
||||||
|
@@ -5,14 +5,15 @@ policy_module(vpn, 1.15.0)
|
||||||
|
# Declarations
|
||||||
|
#
|
||||||
|
|
||||||
|
-attribute_role vpnc_roles;
|
||||||
|
-roleattribute system_r vpnc_roles;
|
||||||
|
+#attribute_role vpnc_roles;
|
||||||
|
+#roleattribute system_r vpnc_roles;
|
||||||
|
|
||||||
|
type vpnc_t;
|
||||||
|
type vpnc_exec_t;
|
||||||
|
init_system_domain(vpnc_t, vpnc_exec_t)
|
||||||
|
application_domain(vpnc_t, vpnc_exec_t)
|
||||||
|
-role vpnc_roles types vpnc_t;
|
||||||
|
+#role vpnc_roles types vpnc_t;
|
||||||
|
+role system_r types vpnc_t;
|
||||||
|
|
||||||
|
type vpnc_tmp_t;
|
||||||
|
files_tmp_file(vpnc_tmp_t)
|
||||||
|
@@ -108,7 +109,7 @@ miscfiles_read_localization(vpnc_t)
|
||||||
|
seutil_dontaudit_search_config(vpnc_t)
|
||||||
|
seutil_use_newrole_fds(vpnc_t)
|
||||||
|
|
||||||
|
-sysnet_run_ifconfig(vpnc_t, vpnc_roles)
|
||||||
|
+#sysnet_run_ifconfig(vpnc_t, vpnc_roles)
|
||||||
|
sysnet_etc_filetrans_config(vpnc_t)
|
||||||
|
sysnet_manage_config(vpnc_t)
|
||||||
|
|
||||||
|
commit 88b64bdd71ef734271b9370fc37e02785f354f7f
|
||||||
|
Author: Miroslav Grepl <mgrepl@redhat.com>
|
||||||
|
Date: Thu Jun 7 02:33:40 2012 +0200
|
||||||
|
|
||||||
|
Fix ncftool.if
|
||||||
|
|
||||||
|
diff --git a/ncftool.if b/ncftool.if
|
||||||
|
index 3a4455f..59f096b 100644
|
||||||
|
--- a/ncftool.if
|
||||||
|
+++ b/ncftool.if
|
||||||
|
@@ -43,11 +43,12 @@ interface(`ncftool_run',`
|
||||||
|
#ncftool_domtrans($1)
|
||||||
|
#roleattribute $2 ncftool_roles;
|
||||||
|
|
||||||
|
- role $1 types ncftool_t;
|
||||||
|
+ ncftool_domtrans($1)
|
||||||
|
+ role $2 types ncftool_t;
|
||||||
|
|
||||||
|
- ncftool_domtrans($2)
|
||||||
|
+ optional_policy(`
|
||||||
|
+ brctl_run(ncftool_t, $2)
|
||||||
|
+ ')
|
||||||
|
|
||||||
|
- ps_process_pattern($2, ncftool_t)
|
||||||
|
- allow $2 ncftool_t:process signal;
|
||||||
|
')
|
||||||
|
|
||||||
|
commit 1d49e7e1383a578e75d16b0b7f58dbe25351b1d9
|
||||||
|
Author: Miroslav Grepl <mgrepl@redhat.com>
|
||||||
|
Date: Thu Jun 7 10:47:57 2012 +0200
|
||||||
|
|
||||||
|
roleattriburte temp fixes for portage and dpkg
|
||||||
|
|
||||||
|
diff --git a/dpkg.if b/dpkg.if
|
||||||
|
index 4d32b42..d945bd0 100644
|
||||||
|
--- a/dpkg.if
|
||||||
|
+++ b/dpkg.if
|
||||||
|
@@ -62,11 +62,18 @@ interface(`dpkg_domtrans_script',`
|
||||||
|
#
|
||||||
|
interface(`dpkg_run',`
|
||||||
|
gen_require(`
|
||||||
|
- attribute_role dpkg_roles;
|
||||||
|
+ #attribute_role dpkg_roles;
|
||||||
|
+ type dpkg_t, dpkg_script_t
|
||||||
|
')
|
||||||
|
|
||||||
|
+ #dpkg_domtrans($1)
|
||||||
|
+ #roleattribute $2 dpkg_roles;
|
||||||
|
+
|
||||||
|
dpkg_domtrans($1)
|
||||||
|
- roleattribute $2 dpkg_roles;
|
||||||
|
+ role $2 types dpkg_t;
|
||||||
|
+ role $2 types dpkg_script_t;
|
||||||
|
+ seutil_run_loadpolicy(dpkg_script_t, $2)
|
||||||
|
+
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
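Review bot: `type dpkg_t, dpkg_script_t` in the new `gen_require` block of `dpkg_run` has no terminating semicolon, unlike every other `type …;` require line in this patch (e.g. `type pppd_t;` in `ppp_run`), so the interface is very likely to fail to build once expanded; it should read `type dpkg_t, dpkg_script_t;`. The commented-out `#dpkg_domtrans($1)` and `#roleattribute $2 dpkg_roles;` lines directly above the live `dpkg_domtrans($1)` add nothing that version history does not already hold and could be dropped to keep the interface readable.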
|
||||||
|
diff --git a/dpkg.te b/dpkg.te
|
||||||
|
index a1b8f92..9ac1b80 100644
|
||||||
|
--- a/dpkg.te
|
||||||
|
+++ b/dpkg.te
|
||||||
|
@@ -5,8 +5,8 @@ policy_module(dpkg, 1.9.1)
|
||||||
|
# Declarations
|
||||||
|
#
|
||||||
|
|
||||||
|
-attribute_role dpkg_roles;
|
||||||
|
-roleattribute system_r dpkg_roles;
|
||||||
|
+#attribute_role dpkg_roles;
|
||||||
|
+#roleattribute system_r dpkg_roles;
|
||||||
|
|
||||||
|
type dpkg_t;
|
||||||
|
type dpkg_exec_t;
|
||||||
|
@@ -17,7 +17,8 @@ domain_obj_id_change_exemption(dpkg_t)
|
||||||
|
domain_role_change_exemption(dpkg_t)
|
||||||
|
domain_system_change_exemption(dpkg_t)
|
||||||
|
domain_interactive_fd(dpkg_t)
|
||||||
|
-role dpkg_roles types dpkg_t;
|
||||||
|
+#role dpkg_roles types dpkg_t;
|
||||||
|
+role system_r types dpkg_t;
|
||||||
|
|
||||||
|
# lockfile
|
||||||
|
type dpkg_lock_t;
|
||||||
|
@@ -41,7 +42,8 @@ corecmd_shell_entry_type(dpkg_script_t)
|
||||||
|
domain_obj_id_change_exemption(dpkg_script_t)
|
||||||
|
domain_system_change_exemption(dpkg_script_t)
|
||||||
|
domain_interactive_fd(dpkg_script_t)
|
||||||
|
-role dpkg_roles types dpkg_script_t;
|
||||||
|
+#role dpkg_roles types dpkg_script_t;
|
||||||
|
+role system_r types dpkg_script_t;
|
||||||
|
|
||||||
|
type dpkg_script_tmp_t;
|
||||||
|
files_tmp_file(dpkg_script_tmp_t)
|
||||||
|
@@ -152,9 +154,12 @@ files_exec_etc_files(dpkg_t)
|
||||||
|
init_domtrans_script(dpkg_t)
|
||||||
|
init_use_script_ptys(dpkg_t)
|
||||||
|
|
||||||
|
+#libs_exec_ld_so(dpkg_t)
|
||||||
|
+#libs_exec_lib_files(dpkg_t)
|
||||||
|
+#libs_run_ldconfig(dpkg_t, dpkg_roles)
|
||||||
|
libs_exec_ld_so(dpkg_t)
|
||||||
|
libs_exec_lib_files(dpkg_t)
|
||||||
|
-libs_run_ldconfig(dpkg_t, dpkg_roles)
|
||||||
|
+libs_domtrans_ldconfig(dpkg_t)
|
||||||
|
|
||||||
|
logging_send_syslog_msg(dpkg_t)
|
||||||
|
|
||||||
|
@@ -196,19 +201,30 @@ domain_signull_all_domains(dpkg_t)
|
||||||
|
files_read_etc_runtime_files(dpkg_t)
|
||||||
|
files_exec_usr_files(dpkg_t)
|
||||||
|
miscfiles_read_localization(dpkg_t)
|
||||||
|
-modutils_run_depmod(dpkg_t, dpkg_roles)
|
||||||
|
-modutils_run_insmod(dpkg_t, dpkg_roles)
|
||||||
|
-seutil_run_loadpolicy(dpkg_t, dpkg_roles)
|
||||||
|
-seutil_run_setfiles(dpkg_t, dpkg_roles)
|
||||||
|
+#modutils_run_depmod(dpkg_t, dpkg_roles)
|
||||||
|
+#modutils_run_insmod(dpkg_t, dpkg_roles)
|
||||||
|
+#seutil_run_loadpolicy(dpkg_t, dpkg_roles)
|
||||||
|
+#seutil_run_setfiles(dpkg_t, dpkg_roles)
|
||||||
|
userdom_use_all_users_fds(dpkg_t)
|
||||||
|
optional_policy(`
|
||||||
|
mta_send_mail(dpkg_t)
|
||||||
|
')
|
||||||
|
+
|
||||||
|
+
|
||||||
|
optional_policy(`
|
||||||
|
- usermanage_run_groupadd(dpkg_t, dpkg_roles)
|
||||||
|
- usermanage_run_useradd(dpkg_t, dpkg_roles)
|
||||||
|
+ modutils_domtrans_depmod(dpkg_t)
|
||||||
|
+ modutils_domtrans_insmod(dpkg_t)
|
||||||
|
+ seutil_domtrans_loadpolicy(dpkg_t)
|
||||||
|
+ seutil_domtrans_setfiles(dpkg_t)
|
||||||
|
+ usermanage_domtrans_groupadd(dpkg_t)
|
||||||
|
+ usermanage_domtrans_useradd(dpkg_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
+#optional_policy(`
|
||||||
|
+# usermanage_run_groupadd(dpkg_t, dpkg_roles)
|
||||||
|
+# usermanage_run_useradd(dpkg_t, dpkg_roles)
|
||||||
|
+#')
|
||||||
|
+
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# dpkg-script Local policy
|
||||||
|
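Review bot: The new `optional_policy` block near the end of the hunk wraps interfaces from three different modules (modutils, seutil, usermanage) in one `optional` block, so if any one of those modules is absent from a build the linker disables the whole block and dpkg_t silently loses its transitions to depmod, insmod, load_policy and setfiles along with the useradd/groupadd ones. The refpolicy convention is one `optional_policy` per module, which keeps each set of transitions independent; the split below restores that. The commented-out copy of the old `usermanage_run_*` block that follows it is dead text and can be dropped.
```m4
# … unchanged: mta_send_mail block …

optional_policy(`
	modutils_domtrans_depmod(dpkg_t)
	modutils_domtrans_insmod(dpkg_t)
')

optional_policy(`
	seutil_domtrans_loadpolicy(dpkg_t)
	seutil_domtrans_setfiles(dpkg_t)
')

optional_policy(`
	usermanage_domtrans_groupadd(dpkg_t)
	usermanage_domtrans_useradd(dpkg_t)
')
```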
@@ -302,11 +318,11 @@ logging_send_syslog_msg(dpkg_script_t)
|
||||||
|
|
||||||
|
miscfiles_read_localization(dpkg_script_t)
|
||||||
|
|
||||||
|
-modutils_run_depmod(dpkg_script_t, dpkg_roles)
|
||||||
|
-modutils_run_insmod(dpkg_script_t, dpkg_roles)
|
||||||
|
+#modutils_run_depmod(dpkg_script_t, dpkg_roles)
|
||||||
|
+#modutils_run_insmod(dpkg_script_t, dpkg_roles)
|
||||||
|
|
||||||
|
-seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
|
||||||
|
-seutil_run_setfiles(dpkg_script_t, dpkg_roles)
|
||||||
|
+#seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
|
||||||
|
+#seutil_run_setfiles(dpkg_script_t, dpkg_roles)
|
||||||
|
|
||||||
|
userdom_use_all_users_fds(dpkg_script_t)
|
||||||
|
|
||||||
|
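Review bot: This hunk comments out `modutils_run_depmod`, `modutils_run_insmod`, `seutil_run_loadpolicy` and `seutil_run_setfiles` for dpkg_script_t but, unlike the dpkg_t hunk above, adds no `*_domtrans` replacements, so on a build where dpkg_script_t is not unconfined the maintainer-script domain can no longer transition to depmod, insmod or setfiles at all. The load_policy transition now exists only as a side effect of some caller invoking `dpkg_run`; the `role system_r types dpkg_script_t` added earlier in this patch does not bring it with it. The role-independent part is three lines: `modutils_domtrans_depmod(dpkg_script_t)`, `modutils_domtrans_insmod(dpkg_script_t)`, `seutil_domtrans_setfiles(dpkg_script_t)`, plus `seutil_domtrans_loadpolicy(dpkg_script_t)` if `dpkg_run` is not guaranteed to be called. The `bootloader_run` and `usermanage_run_*` blocks for dpkg_script_t in the next two hunks are dropped the same way and need the matching `*_domtrans` calls.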
@@ -319,9 +335,9 @@ optional_policy(`
|
||||||
|
apt_use_fds(dpkg_script_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
-optional_policy(`
|
||||||
|
- bootloader_run(dpkg_script_t, dpkg_roles)
|
||||||
|
-')
|
||||||
|
+#optional_policy(`
|
||||||
|
+# bootloader_run(dpkg_script_t, dpkg_roles)
|
||||||
|
+#')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
mta_send_mail(dpkg_script_t)
|
||||||
|
@@ -335,7 +351,7 @@ optional_policy(`
|
||||||
|
unconfined_domain(dpkg_script_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
-optional_policy(`
|
||||||
|
- usermanage_run_groupadd(dpkg_script_t, dpkg_roles)
|
||||||
|
- usermanage_run_useradd(dpkg_script_t, dpkg_roles)
|
||||||
|
-')
|
||||||
|
+#optional_policy(`
|
||||||
|
+# usermanage_run_groupadd(dpkg_script_t, dpkg_roles)
|
||||||
|
+# usermanage_run_useradd(dpkg_script_t, dpkg_roles)
|
||||||
|
+#')
|
||||||
|
diff --git a/portage.if b/portage.if
|
||||||
|
index b4bb48a..e5e8f12 100644
|
||||||
|
--- a/portage.if
|
||||||
|
+++ b/portage.if
|
||||||
|
@@ -43,11 +43,15 @@ interface(`portage_domtrans',`
|
||||||
|
#
|
||||||
|
interface(`portage_run',`
|
||||||
|
gen_require(`
|
||||||
|
- attribute_role portage_roles;
|
||||||
|
+ type portage_t, portage_fetch_t, portage_sandbox_t;
|
||||||
|
+ #attribute_role portage_roles;
|
||||||
|
')
|
||||||
|
|
||||||
|
- portage_domtrans($1)
|
||||||
|
- roleattribute $2 portage_roles;
|
||||||
|
+ #portage_domtrans($1)
|
||||||
|
+ #roleattribute $2 portage_roles;
|
||||||
|
+ portage_domtrans($1)
|
||||||
|
+ role $2 types { portage_t portage_fetch_t portage_sandbox_t }
|
||||||
|
+
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
diff --git a/portage.te b/portage.te
|
||||||
|
index 22bdf7d..f726e1d 100644
|
||||||
|
--- a/portage.te
|
||||||
|
+++ b/portage.te
|
||||||
|
@@ -12,7 +12,7 @@ policy_module(portage, 1.12.4)
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(portage_use_nfs, false)
|
||||||
|
|
||||||
|
-attribute_role portage_roles;
|
||||||
|
+#attribute_role portage_roles;
|
||||||
|
|
||||||
|
type gcc_config_t;
|
||||||
|
type gcc_config_exec_t;
|
||||||
|
@@ -25,7 +25,8 @@ application_domain(portage_t, portage_exec_t)
|
||||||
|
domain_obj_id_change_exemption(portage_t)
|
||||||
|
rsync_entry_type(portage_t)
|
||||||
|
corecmd_shell_entry_type(portage_t)
|
||||||
|
-role portage_roles types portage_t;
|
||||||
|
+#role portage_roles types portage_t;
|
||||||
|
+role system_r types portage_t;
|
||||||
|
|
||||||
|
# portage compile sandbox domain
|
||||||
|
type portage_sandbox_t;
|
||||||
|
@@ -33,7 +34,8 @@ application_domain(portage_sandbox_t, portage_exec_t)
|
||||||
|
# the shell is the entrypoint if regular sandbox is disabled
|
||||||
|
# portage_exec_t is the entrypoint if regular sandbox is enabled
|
||||||
|
corecmd_shell_entry_type(portage_sandbox_t)
|
||||||
|
-role portage_roles types portage_sandbox_t;
|
||||||
|
+#role portage_roles types portage_sandbox_t;
|
||||||
|
+role system_r types portage_sandbox_t;
|
||||||
|
|
||||||
|
# portage package fetching domain
|
||||||
|
type portage_fetch_t;
|
||||||
|
@@ -41,7 +43,8 @@ type portage_fetch_exec_t;
|
||||||
|
application_domain(portage_fetch_t, portage_fetch_exec_t)
|
||||||
|
corecmd_shell_entry_type(portage_fetch_t)
|
||||||
|
rsync_entry_type(portage_fetch_t)
|
||||||
|
-role portage_roles types portage_fetch_t;
|
||||||
|
+#role portage_roles types portage_fetch_t;
|
||||||
|
+role system_r types portage_fetch_t;
|
||||||
|
|
||||||
|
type portage_devpts_t;
|
||||||
|
term_pty(portage_devpts_t)
|
||||||
|
@@ -115,7 +118,8 @@ files_list_all(gcc_config_t)
|
||||||
|
init_dontaudit_read_script_status_files(gcc_config_t)
|
||||||
|
|
||||||
|
libs_read_lib_files(gcc_config_t)
|
||||||
|
-libs_run_ldconfig(gcc_config_t, portage_roles)
|
||||||
|
+#libs_run_ldconfig(gcc_config_t, portage_roles)
|
||||||
|
+libs_domtrans_ldconfig(gcc_config_t)
|
||||||
|
libs_manage_shared_libs(gcc_config_t)
|
||||||
|
# gcc-config creates a temp dir for the libs
|
||||||
|
libs_manage_lib_dirs(gcc_config_t)
|
||||||
|
@@ -196,33 +200,41 @@ auth_manage_shadow(portage_t)
|
||||||
|
init_exec(portage_t)
|
||||||
|
|
||||||
|
# run setfiles -r
|
||||||
|
-seutil_run_setfiles(portage_t, portage_roles)
|
||||||
|
+#seutil_run_setfiles(portage_t, portage_roles)
|
||||||
|
# run semodule
|
||||||
|
-seutil_run_semanage(portage_t, portage_roles)
|
||||||
|
+#seutil_run_semanage(portage_t, portage_roles)
|
||||||
|
|
||||||
|
-portage_run_gcc_config(portage_t, portage_roles)
|
||||||
|
+#portage_run_gcc_config(portage_t, portage_roles)
|
||||||
|
# if sesandbox is disabled, compiling is performed in this domain
|
||||||
|
portage_compile_domain(portage_t)
|
||||||
|
|
||||||
|
-optional_policy(`
|
||||||
|
- bootloader_run(portage_t, portage_roles)
|
||||||
|
-')
|
||||||
|
+#optional_policy(`
|
||||||
|
+# bootloader_run(portage_t, portage_roles)
|
||||||
|
+#')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
cron_system_entry(portage_t, portage_exec_t)
|
||||||
|
cron_system_entry(portage_fetch_t, portage_fetch_exec_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
-optional_policy(`
|
||||||
|
- modutils_run_depmod(portage_t, portage_roles)
|
||||||
|
- modutils_run_update_mods(portage_t, portage_roles)
|
||||||
|
+#optional_policy(`
|
||||||
|
+# modutils_run_depmod(portage_t, portage_roles)
|
||||||
|
+# modutils_run_update_mods(portage_t, portage_roles)
|
||||||
|
#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
-optional_policy(`
|
||||||
|
- usermanage_run_groupadd(portage_t, portage_roles)
|
||||||
|
- usermanage_run_useradd(portage_t, portage_roles)
|
||||||
|
-')
|
||||||
|
+#optional_policy(`
|
||||||
|
+# usermanage_run_groupadd(portage_t, portage_roles)
|
||||||
|
+# usermanage_run_useradd(portage_t, portage_roles)
|
||||||
|
+#')
|
||||||
|
+
|
||||||
|
+seutil_domtrans_setfiles(portage_t)
|
||||||
|
+seutil_domtrans_semanage(portage_t)
|
||||||
|
+bootloader_domtrans(portage_t)
|
||||||
|
+modutils_domtrans_depmod(portage_t)
|
||||||
|
+modutils_domtrans_update_mods(portage_t)
|
||||||
|
+usermanage_domtrans_groupadd(portage_t)
|
||||||
|
+usermanage_domtrans_useradd(portage_t)
|
||||||
|
|
||||||
|
ifdef(`TODO',`
|
||||||
|
# seems to work ok without these
|
||||||
|
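Review bot: Commenting out the `optional_policy` opener of the old modutils block while leaving its closing `')` as an unchanged context line leaves an unmatched `')` on the new side of this hunk, which m4/checkmodule will almost certainly reject; that line has to be removed (or commented out with the rest) before the patch is usable. Five of the seven `*_domtrans` calls appended after the commented-out blocks are also unconditional, whereas the `bootloader_run`, `modutils_run_*` and `usermanage_run_*` lines they replace were inside `optional_policy`, so a build without the bootloader, modutils or usermanage module now fails to link instead of silently omitting those transitions. Keeping them per module as below preserves the old behaviour; the three commented-out `*_run_*` blocks are dead text and can be dropped.
```m4
# … unchanged: cron_system_entry block …

seutil_domtrans_setfiles(portage_t)
seutil_domtrans_semanage(portage_t)

optional_policy(`
	bootloader_domtrans(portage_t)
')

optional_policy(`
	modutils_domtrans_depmod(portage_t)
	modutils_domtrans_update_mods(portage_t)
	#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
')

optional_policy(`
	usermanage_domtrans_groupadd(portage_t)
	usermanage_domtrans_useradd(portage_t)
')
```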
commit 1797b35f16d5c863a0083148dee4ee3f93c4c4ef
|
||||||
|
Author: Miroslav Grepl <mgrepl@redhat.com>
|
||||||
|
Date: Thu Jun 7 10:52:09 2012 +0200
|
||||||
|
|
||||||
|
Fix typo
|
||||||
|
|
||||||
|
diff --git a/portage.if b/portage.if
|
||||||
|
index e5e8f12..7098ded 100644
|
||||||
|
--- a/portage.if
|
||||||
|
+++ b/portage.if
|
||||||
|
@@ -50,7 +50,7 @@ interface(`portage_run',`
|
||||||
|
#portage_domtrans($1)
|
||||||
|
#roleattribute $2 portage_roles;
|
||||||
|
portage_domtrans($1)
|
||||||
|
- role $2 types { portage_t portage_fetch_t portage_sandbox_t }
|
||||||
|
+ role $2 types { portage_t portage_fetch_t portage_sandbox_t };
|
||||||
|
|
||||||
|
')
|
||||||
|
|
||||||
|
commit cf999ca29d2a4401c481e28c169e10d676d73526
|
||||||
|
Author: Miroslav Grepl <mgrepl@redhat.com>
|
||||||
|
Date: Thu Jun 7 10:59:22 2012 +0200
|
||||||
|
|
||||||
|
One more typo
|
||||||
|
|
||||||
|
diff --git a/dpkg.if b/dpkg.if
|
||||||
|
index d945bd0..78736d8 100644
|
||||||
|
--- a/dpkg.if
|
||||||
|
+++ b/dpkg.if
|
||||||
|
@@ -63,7 +63,7 @@ interface(`dpkg_domtrans_script',`
|
||||||
|
interface(`dpkg_run',`
|
||||||
|
gen_require(`
|
||||||
|
#attribute_role dpkg_roles;
|
||||||
|
- type dpkg_t, dpkg_script_t
|
||||||
|
+ type dpkg_t, dpkg_script_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
#dpkg_domtrans($1)
|
|
@ -15,16 +15,18 @@
|
||||||
%endif
|
%endif
|
||||||
%define POLICYVER 27
|
%define POLICYVER 27
|
||||||
%define POLICYCOREUTILSVER 2.1.9-4
|
%define POLICYCOREUTILSVER 2.1.9-4
|
||||||
%define CHECKPOLICYVER 2.1.7-3
|
%define CHECKPOLICYVER 2.1.9-4
|
||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.10.0
|
Version: 3.11.0
|
||||||
Release: 85%{?dist}
|
Release: 1%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
patch: policy-F16.patch
|
patch: policy-rawhide.patch
|
||||||
patch1: unconfined_permissive.patch
|
patch1: policy_contrib-rawhide.patch
|
||||||
|
patch2: policy_contrib-rawhide-roleattribute.patch
|
||||||
|
patch3: policy-rawhide-roleattribute.patch
|
||||||
Source1: modules-targeted.conf
|
Source1: modules-targeted.conf
|
||||||
Source2: booleans-targeted.conf
|
Source2: booleans-targeted.conf
|
||||||
Source3: Makefile.devel
|
Source3: Makefile.devel
|
||||||
|
@ -45,39 +47,47 @@ Source23: users-targeted
|
||||||
Source25: users-minimum
|
Source25: users-minimum
|
||||||
Source26: file_contexts.subs_dist
|
Source26: file_contexts.subs_dist
|
||||||
Source27: selinux-policy.conf
|
Source27: selinux-policy.conf
|
||||||
|
Source28: permissivedomains.pp
|
||||||
|
Source29: serefpolicy-contrib-%{version}.tgz
|
||||||
|
|
||||||
Url: http://oss.tresys.com/repos/refpolicy/
|
Url: http://oss.tresys.com/repos/refpolicy/
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
BuildRequires: python gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-python >= %{POLICYCOREUTILSVER} bzip2
|
BuildRequires: python gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-python >= %{POLICYCOREUTILSVER} bzip2
|
||||||
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} libsemanage >= 2.0.46-6
|
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} libsemanage >= 2.0.46-6
|
||||||
Requires(post): /bin/awk /usr/bin/md5sum
|
Requires(post): /bin/awk /usr/bin/sha512sum
|
||||||
Requires: checkpolicy >= %{CHECKPOLICYVER} m4
|
Requires: checkpolicy >= %{CHECKPOLICYVER} m4
|
||||||
Obsoletes: selinux-policy-devel <= %{version}-%{release}
|
|
||||||
Provides: selinux-policy-devel = %{version}-%{release}
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
SELinux Base package
|
SELinux Base package
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%defattr(-,root,root,-)
|
%defattr(-,root,root,-)
|
||||||
%{_mandir}/man*/*
|
|
||||||
# policycoreutils owns these manpage directories, we only own the files within them
|
|
||||||
%{_mandir}/ru/*/*
|
|
||||||
%dir %{_usr}/share/selinux
|
%dir %{_usr}/share/selinux
|
||||||
%dir %{_usr}/share/selinux/devel
|
|
||||||
%dir %{_usr}/share/selinux/devel/include
|
|
||||||
%dir %{_usr}/share/selinux/packages
|
%dir %{_usr}/share/selinux/packages
|
||||||
%dir %{_sysconfdir}/selinux
|
%dir %{_sysconfdir}/selinux
|
||||||
%ghost %config(noreplace) %{_sysconfdir}/selinux/config
|
%ghost %config(noreplace) %{_sysconfdir}/selinux/config
|
||||||
%ghost %{_sysconfdir}/sysconfig/selinux
|
%ghost %{_sysconfdir}/sysconfig/selinux
|
||||||
|
%{_usr}/lib/tmpfiles.d/selinux-policy.conf
|
||||||
|
|
||||||
|
%package devel
|
||||||
|
Summary: SELinux policy devel
|
||||||
|
Group: System Environment/Base
|
||||||
|
Requires(pre): selinux-policy = %{version}-%{release}
|
||||||
|
|
||||||
|
%description devel
|
||||||
|
SELinux policy development and man page package
|
||||||
|
|
||||||
|
%files devel
|
||||||
|
%defattr(-,root,root,-)
|
||||||
|
%{_mandir}/man*/*
|
||||||
|
%{_mandir}/ru/*/*
|
||||||
|
%dir %{_usr}/share/selinux/devel
|
||||||
|
%dir %{_usr}/share/selinux/devel/include
|
||||||
%{_usr}/share/selinux/devel/include/*
|
%{_usr}/share/selinux/devel/include/*
|
||||||
%{_usr}/share/selinux/devel/Makefile
|
%{_usr}/share/selinux/devel/Makefile
|
||||||
%{_usr}/share/selinux/devel/example.*
|
%{_usr}/share/selinux/devel/example.*
|
||||||
%{_usr}/share/selinux/devel/policy.*
|
|
||||||
%{_usr}/lib/tmpfiles.d/selinux-policy.conf
|
|
||||||
|
|
||||||
%if %{BUILD_DOC}
|
|
||||||
%package doc
|
%package doc
|
||||||
Summary: SELinux policy documentation
|
Summary: SELinux policy documentation
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
|
@ -91,7 +101,7 @@ SELinux policy documentation package
|
||||||
%defattr(-,root,root,-)
|
%defattr(-,root,root,-)
|
||||||
%doc %{_usr}/share/doc/%{name}-%{version}
|
%doc %{_usr}/share/doc/%{name}-%{version}
|
||||||
%attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp
|
%attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp
|
||||||
%endif
|
%{_usr}/share/selinux/devel/policy.*
|
||||||
|
|
||||||
%define makeCmds() \
|
%define makeCmds() \
|
||||||
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 bare \
|
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 bare \
|
||||||
|
@ -105,6 +115,7 @@ make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOL
|
||||||
make validate UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 modules \
|
make validate UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 modules \
|
||||||
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install \
|
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install \
|
||||||
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install-appconfig \
|
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install-appconfig \
|
||||||
|
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/logins \
|
||||||
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/policy \
|
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/policy \
|
||||||
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules \
|
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules \
|
||||||
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/contexts/files \
|
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/contexts/files \
|
||||||
|
@ -127,8 +138,9 @@ rm -f %{buildroot}/%{_usr}/share/selinux/%1/base.pp \
|
||||||
for i in %{buildroot}/%{_usr}/share/selinux/%1/*.pp; do bzip2 -c $i > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules/`basename $i`; done \
|
for i in %{buildroot}/%{_usr}/share/selinux/%1/*.pp; do bzip2 -c $i > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules/`basename $i`; done \
|
||||||
rm -f %{buildroot}/%{_usr}/share/selinux/%1/*pp* \
|
rm -f %{buildroot}/%{_usr}/share/selinux/%1/*pp* \
|
||||||
/usr/sbin/semodule -s %1 -n -B -p %{buildroot}; \
|
/usr/sbin/semodule -s %1 -n -B -p %{buildroot}; \
|
||||||
/usr/bin/md5sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policymd5; \
|
/usr/bin/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
|
||||||
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts
|
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \
|
||||||
|
rm -f %{buildroot}/%{_sysconfigdir}/selinux/%1/modules/active/policy.kern
|
||||||
%nil
|
%nil
|
||||||
|
|
||||||
%define fileList() \
|
%define fileList() \
|
||||||
|
@ -137,13 +149,14 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts
|
||||||
%dir %{_sysconfdir}/selinux/%1 \
|
%dir %{_sysconfdir}/selinux/%1 \
|
||||||
%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
|
%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
|
||||||
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \
|
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \
|
||||||
|
%dir %{_sysconfdir}/selinux/%1/logins \
|
||||||
%dir %{_sysconfdir}/selinux/%1/modules \
|
%dir %{_sysconfdir}/selinux/%1/modules \
|
||||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/semanage.read.LOCK \
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/semanage.read.LOCK \
|
||||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/semanage.trans.LOCK \
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/semanage.trans.LOCK \
|
||||||
%dir %attr(700,root,root) %dir %{_sysconfdir}/selinux/%1/modules/active \
|
%dir %attr(700,root,root) %dir %{_sysconfdir}/selinux/%1/modules/active \
|
||||||
%dir %{_sysconfdir}/selinux/%1/modules/active/modules \
|
%dir %{_sysconfdir}/selinux/%1/modules/active/modules \
|
||||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/policy.kern \
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/policy.kern \
|
||||||
%verify(not md5 size md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/commit_num \
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/commit_num \
|
||||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/base.pp \
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/base.pp \
|
||||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/file_contexts \
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/file_contexts \
|
||||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/file_contexts.homedirs \
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/file_contexts.homedirs \
|
||||||
|
@ -157,7 +170,7 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts
|
||||||
%ghost %{_sysconfdir}/selinux/%1/modules/active/seusers \
|
%ghost %{_sysconfdir}/selinux/%1/modules/active/seusers \
|
||||||
%dir %{_sysconfdir}/selinux/%1/policy/ \
|
%dir %{_sysconfdir}/selinux/%1/policy/ \
|
||||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
|
||||||
%{_sysconfdir}/selinux/%1/.policymd5 \
|
%{_sysconfdir}/selinux/%1/.policy.sha512 \
|
||||||
%dir %{_sysconfdir}/selinux/%1/contexts \
|
%dir %{_sysconfdir}/selinux/%1/contexts \
|
||||||
%config %{_sysconfdir}/selinux/%1/contexts/customizable_types \
|
%config %{_sysconfdir}/selinux/%1/contexts/customizable_types \
|
||||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \
|
||||||
|
@ -166,6 +179,7 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts
|
||||||
%config %{_sysconfdir}/selinux/%1/contexts/default_contexts \
|
%config %{_sysconfdir}/selinux/%1/contexts/default_contexts \
|
||||||
%config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \
|
%config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \
|
||||||
%config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \
|
%config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \
|
||||||
|
%config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \
|
||||||
%config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \
|
%config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \
|
||||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \
|
||||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \
|
||||||
|
@ -191,8 +205,8 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts
|
||||||
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
|
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
|
||||||
/usr/sbin/selinuxenabled; \
|
/usr/sbin/selinuxenabled; \
|
||||||
if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
|
if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
|
||||||
/sbin/fixfiles -C ${FILE_CONTEXT}.pre restore; \
|
/sbin/fixfiles -C ${FILE_CONTEXT}.pre restore 2> /dev/null; \
|
||||||
/sbin/restorecon -R /root /var/log /var/run /etc/passwd* /etc/group* 2> /dev/null; \
|
/sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* 2> /dev/null; \
|
||||||
rm -f ${FILE_CONTEXT}.pre; \
|
rm -f ${FILE_CONTEXT}.pre; \
|
||||||
fi;
|
fi;
|
||||||
|
|
||||||
|
@ -204,10 +218,10 @@ if [ $1 -ne 1 ] && [ -s /etc/selinux/config ]; then \
|
||||||
[ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
|
[ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
|
||||||
fi; \
|
fi; \
|
||||||
touch /etc/selinux/%1/.rebuild; \
|
touch /etc/selinux/%1/.rebuild; \
|
||||||
if [ -e /etc/selinux/%1/.policymd5 ]; then \
|
if [ -e /etc/selinux/%1/.policy.sha512 ]; then \
|
||||||
md5=`md5sum /etc/selinux/%1/modules/active/policy.kern | cut -d ' ' -f 1`; \
|
sha512=`sha512sum /etc/selinux/%1/modules/active/policy.kern | cut -d ' ' -f 1`; \
|
||||||
checkmd5=`cat /etc/selinux/%1/.policymd5`; \
|
checksha512=`cat /etc/selinux/%1/.policy.sha512`; \
|
||||||
if [ "$md5" == "$checkmd5" ] ; then \
|
if [ "$sha512" == "$checksha512" ] ; then \
|
||||||
rm /etc/selinux/%1/.rebuild; \
|
rm /etc/selinux/%1/.rebuild; \
|
||||||
fi; \
|
fi; \
|
||||||
fi; \
|
fi; \
|
||||||
|
@ -218,7 +232,7 @@ fi;
|
||||||
if [ -e /etc/selinux/%2/.rebuild ]; then \
|
if [ -e /etc/selinux/%2/.rebuild ]; then \
|
||||||
rm /etc/selinux/%2/.rebuild; \
|
rm /etc/selinux/%2/.rebuild; \
|
||||||
if [ %1 -ne 1 ]; then \
|
if [ %1 -ne 1 ]; then \
|
||||||
/usr/sbin/semodule -n -s %2 -r kudzu kerneloops execmem openoffice ada tzdata hal hotplug howl java mono moilscanner gamin audio_entropy audioentropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd 2>/dev/null; \
|
/usr/sbin/semodule -n -s %2 -r xfs kudzu kerneloops execmem openoffice ada tzdata hal hotplug howl java mono moilscanner gamin audio_entropy audioentropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd 2>/dev/null; \
|
||||||
fi \
|
fi \
|
||||||
rm -f /etc/selinux/%2/modules/active/modules/qemu.pp /etc/selinux/%2/modules/active/modules/nsplugin.pp \
|
rm -f /etc/selinux/%2/modules/active/modules/qemu.pp /etc/selinux/%2/modules/active/modules/nsplugin.pp \
|
||||||
/usr/sbin/semodule -B -n -s %2; \
|
/usr/sbin/semodule -B -n -s %2; \
|
||||||
|
@ -240,9 +254,15 @@ Based off of reference policy: Checked out revision 2.20091117
|
||||||
%build
|
%build
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
|
%setup -n serefpolicy-contrib-%{version} -q -b 29
|
||||||
|
%patch1 -p1
|
||||||
|
%patch2 -p1
|
||||||
|
contrib_path=`pwd`
|
||||||
%setup -n serefpolicy-%{version} -q
|
%setup -n serefpolicy-%{version} -q
|
||||||
%patch -p1
|
%patch -p1
|
||||||
#%patch1 -p1 -b .unconfined
|
%patch3 -p1
|
||||||
|
refpolicy_path=`pwd`
|
||||||
|
cp $contrib_path/* $refpolicy_path/policy/modules/contrib
|
||||||
|
|
||||||
%install
|
%install
|
||||||
mkdir selinux_config
|
mkdir selinux_config
|
||||||
|
@ -252,8 +272,6 @@ done
|
||||||
tar zxvf selinux_config/config.tgz
|
tar zxvf selinux_config/config.tgz
|
||||||
# Build targeted policy
|
# Build targeted policy
|
||||||
%{__rm} -fR %{buildroot}
|
%{__rm} -fR %{buildroot}
|
||||||
mkdir -p %{buildroot}%{_mandir}
|
|
||||||
cp -R man/* %{buildroot}%{_mandir}
|
|
||||||
mkdir -p %{buildroot}%{_sysconfdir}/selinux
|
mkdir -p %{buildroot}%{_sysconfdir}/selinux
|
||||||
mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
|
mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
|
||||||
touch %{buildroot}%{_sysconfdir}/selinux/config
|
touch %{buildroot}%{_sysconfdir}/selinux/config
|
||||||
|
@ -269,6 +287,8 @@ make clean
|
||||||
%if %{BUILD_TARGETED}
|
%if %{BUILD_TARGETED}
|
||||||
# Build targeted policy
|
# Build targeted policy
|
||||||
# Commented out because only targeted ref policy currently builds
|
# Commented out because only targeted ref policy currently builds
|
||||||
|
mkdir -p %{buildroot}%{_usr}/share/selinux/targeted
|
||||||
|
cp %{SOURCE28} %{buildroot}/%{_usr}/share/selinux/targeted
|
||||||
%makeCmds targeted mcs n allow
|
%makeCmds targeted mcs n allow
|
||||||
%installCmds targeted mcs n allow
|
%installCmds targeted mcs n allow
|
||||||
%endif
|
%endif
|
||||||
|
@ -276,6 +296,8 @@ make clean
|
||||||
%if %{BUILD_MINIMUM}
|
%if %{BUILD_MINIMUM}
|
||||||
# Build minimum policy
|
# Build minimum policy
|
||||||
# Commented out because only minimum ref policy currently builds
|
# Commented out because only minimum ref policy currently builds
|
||||||
|
mkdir -p %{buildroot}%{_usr}/share/selinux/minimum
|
||||||
|
cp %{SOURCE28} %{buildroot}/%{_usr}/share/selinux/minimum
|
||||||
%makeCmds minimum mcs n allow
|
%makeCmds minimum mcs n allow
|
||||||
%installCmds minimum mcs n allow
|
%installCmds minimum mcs n allow
|
||||||
%modulesList minimum
|
%modulesList minimum
|
||||||
|
@ -287,22 +309,20 @@ make clean
|
||||||
%installCmds mls mls n deny
|
%installCmds mls mls n deny
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{BUILD_DOC}
|
mkdir -p %{buildroot}%{_mandir}
|
||||||
|
cp -R man/* %{buildroot}%{_mandir}
|
||||||
make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-docs
|
make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-docs
|
||||||
%endif
|
|
||||||
|
|
||||||
make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-headers
|
make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-headers
|
||||||
|
|
||||||
mkdir %{buildroot}%{_usr}/share/selinux/devel/
|
mkdir %{buildroot}%{_usr}/share/selinux/devel/
|
||||||
mkdir %{buildroot}%{_usr}/share/selinux/packages/
|
|
||||||
mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
|
mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
|
||||||
install -m 644 selinux_config/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile
|
install -m 644 selinux_config/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile
|
||||||
install -m 644 doc/example.* %{buildroot}%{_usr}/share/selinux/devel/
|
install -m 644 doc/example.* %{buildroot}%{_usr}/share/selinux/devel/
|
||||||
install -m 644 doc/policy.* %{buildroot}%{_usr}/share/selinux/devel/
|
install -m 644 doc/policy.* %{buildroot}%{_usr}/share/selinux/devel/
|
||||||
%if %{BUILD_DOC}
|
|
||||||
echo "xdg-open file:///usr/share/doc/selinux-policy-%{version}/html/index.html"> %{buildroot}%{_usr}/share/selinux/devel/policyhelp
|
echo "xdg-open file:///usr/share/doc/selinux-policy-%{version}/html/index.html"> %{buildroot}%{_usr}/share/selinux/devel/policyhelp
|
||||||
chmod +x %{buildroot}%{_usr}/share/selinux/devel/policyhelp
|
chmod +x %{buildroot}%{_usr}/share/selinux/devel/policyhelp
|
||||||
%endif
|
|
||||||
|
mkdir %{buildroot}%{_usr}/share/selinux/packages/
|
||||||
|
|
||||||
rm -rf selinux_config
|
rm -rf selinux_config
|
||||||
%clean
|
%clean
|
||||||
%{__rm} -fR %{buildroot}
|
%{__rm} -fR %{buildroot}
|
||||||
|
@ -321,6 +341,7 @@ echo "
|
||||||
SELINUX=enforcing
|
SELINUX=enforcing
|
||||||
# SELINUXTYPE= can take one of these two values:
|
# SELINUXTYPE= can take one of these two values:
|
||||||
# targeted - Targeted processes are protected,
|
# targeted - Targeted processes are protected,
|
||||||
|
# minimum - Modification of targeted policy. Only selected processes are protected.
|
||||||
# mls - Multi Level Security protection.
|
# mls - Multi Level Security protection.
|
||||||
SELINUXTYPE=targeted
|
SELINUXTYPE=targeted
|
||||||
|
|
||||||
|
@ -483,7 +504,475 @@ SELinux Reference policy mls base module.
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Mon Feb 13 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-85
|
* Thu Jun 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-1
|
||||||
|
- Mass merge with upstream
|
||||||
|
* new policy topology to include contrib policy modules
|
||||||
|
* we have now two base policy patches
|
||||||
|
|
||||||
|
* Wed May 30 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-128
|
||||||
|
- Fix description of authlogin_nsswitch_use_ldap
|
||||||
|
- Fix transition rule for rhsmcertd_t needed for RHEL7
|
||||||
|
- Allow useradd to list nfs state data
|
||||||
|
- Allow openvpn to manage its log file and directory
|
||||||
|
- We want vdsm to transition to mount_t when executing mount command to make sure /etc/mtab remains labeled correctly
|
||||||
|
- Allow thumb to use nvidia devices
|
||||||
|
- Allow local_login to create user_tmp_t files for kerberos
|
||||||
|
- Pulseaudio needs to read systemd_login /var/run content
|
||||||
|
- virt should only transition named system_conf_t config files
|
||||||
|
- Allow munin to execute its plugins
|
||||||
|
- Allow nagios system plugin to read /etc/passwd
|
||||||
|
- Allow plugin to connect to soundd port
|
||||||
|
- Fix httpd_passwd to be able to ask passwords
|
||||||
|
- Radius servers can use ldap for backing store
|
||||||
|
- Seems to need to mount on /var/lib for xguest polyinstatiation to work.
|
||||||
|
- Allow systemd_logind to list the contents of gnome keyring
|
||||||
|
- VirtualGL need xdm to be able to manage content in /etc/opt/VirtualGL
|
||||||
|
- Add policy for isns-utils
|
||||||
|
|
||||||
|
* Mon May 28 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-127
|
||||||
|
- Add policy for subversion daemon
|
||||||
|
- Allow boinc to read passwd
|
||||||
|
- Allow pads to read kernel network state
|
||||||
|
- Fix man2html interface for sepolgen-ifgen
|
||||||
|
- Remove extra /usr/lib/systemd/system/smb
|
||||||
|
- Remove all /lib/systemd and replace with /usr/lib/systemd
|
||||||
|
- Add policy for man2html
|
||||||
|
- Fix the label of kerberos_home_t to krb5_home_t
|
||||||
|
- Allow mozilla plugins to use Citrix
|
||||||
|
- Allow tuned to read /proc/sys/kernel/nmi_watchdog
|
||||||
|
- Allow tune /sys options via systemd's tmpfiles.d "w" type
|
||||||
|
|
||||||
|
* Wed May 23 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-126
|
||||||
|
- Dontaudit lpr_t to read/write leaked mozilla tmp files
|
||||||
|
- Add file name transition for .grl-podcasts directory
|
||||||
|
- Allow corosync to read user tmp files
|
||||||
|
- Allow fenced to create snmp lib dirs/files
|
||||||
|
- More fixes for sge policy
|
||||||
|
- Allow mozilla_plugin_t to execute any application
|
||||||
|
- Allow dbus to read/write any open file descriptors to any non security file on the system that it inherits to that it can pass them to another domain
|
||||||
|
- Allow mongod to read system state information
|
||||||
|
- Fix wrong type, we should dontaudit sys_admin for xdm_t not xserver_t
|
||||||
|
- Allow polipo to manage polipo_cache dirs
|
||||||
|
- Add jabbar_client port to mozilla_plugin_t
|
||||||
|
- Cleanup procmail policy
|
||||||
|
- system bus will pass around open file descriptors on files that do not have labels on them
|
||||||
|
- Allow l2tpd_t to read system state
|
||||||
|
- Allow tuned to run ls /dev
|
||||||
|
- Allow sudo domains to read usr_t files
|
||||||
|
- Add label to machine-id
|
||||||
|
- Fix corecmd_read_bin_symlinks cut and paste error
|
||||||
|
|
||||||
|
* Wed May 16 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-125
|
||||||
|
- Fix pulseaudio port definition
|
||||||
|
- Add labeling for condor_starter
|
||||||
|
- Allow chfn_t to creat user_tmp_files
|
||||||
|
- Allow chfn_t to execute bin_t
|
||||||
|
- Allow prelink_cron_system_t to getpw calls
|
||||||
|
- Allow sudo domains to manage kerberos rcache files
|
||||||
|
- Allow user_mail_domains to work with courie
|
||||||
|
- Port definitions necessary for running jboss apps within openshift
|
||||||
|
- Add support for openstack-nova-metadata-api
|
||||||
|
- Add support for nova-console*
|
||||||
|
- Add support for openstack-nova-xvpvncproxy
|
||||||
|
- Fixes to make privsep+SELinux working if we try to use chage to change passwd
|
||||||
|
- Fix auth_role() interface
|
||||||
|
- Allow numad to read sysfs
|
||||||
|
- Allow matahari-rpcd to execute shell
|
||||||
|
- Add label for ~/.spicec
|
||||||
|
- xdm is executing lspci as root which is requesting a sys_admin priv but seems to succeed without it
|
||||||
|
- Devicekit_disk wants to read the logind sessions file when writing a cd
|
||||||
|
- Add fixes for condor to make condor jobs working correctly
|
||||||
|
- Change label of /var/log/rpmpkgs to cron_log_t
|
||||||
|
- Access requires to allow systemd-tmpfiles --create to work.
|
||||||
|
- Fix obex to be a user application started by the session bus.
|
||||||
|
- Add additional filename trans rules for kerberos
|
||||||
|
- Fix /var/run/heartbeat labeling
|
||||||
|
- Allow apps that are managing rcache to file trans correctly
|
||||||
|
- Allow openvpn to authenticate against ldap server
|
||||||
|
- Containers need to listen to network starting and stopping events
|
||||||
|
|
||||||
|
* Wed May 9 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-124
|
||||||
|
- Make systemd unit files less specific
|
||||||
|
|
||||||
|
* Tue May 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-123
|
||||||
|
- Fix zarafa labeling
|
||||||
|
- Allow guest_t to fix labeling
|
||||||
|
- corenet_tcp_bind_all_unreserved_ports(ssh_t) should be called with the user_tcp_server boolean
|
||||||
|
- add lxc_contexts
|
||||||
|
- Allow accountsd to read /proc
|
||||||
|
- Allow restorecond to getattr on all file sytems
|
||||||
|
- tmpwatch now calls getpw
|
||||||
|
- Allow apache daemon to transition to pwauth domain
|
||||||
|
- Label content under /var/run/user/NAME/keyring* as gkeyringd_tmp_t
|
||||||
|
- The obex socket seems to be a stream socket
|
||||||
|
- dd label for /var/run/nologin
|
||||||
|
|
||||||
|
* Mon May 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-122
|
||||||
|
- Allow jetty running as httpd_t to read hugetlbfs files
|
||||||
|
- Allow sys_nice and setsched for rhsmcertd
|
||||||
|
- Dontaudit attempts by mozilla_plugin_t to bind to ssdp ports
|
||||||
|
- Allow setfiles to append to xdm_tmp_t
|
||||||
|
- Add labeling for /export as a usr_t directory
|
||||||
|
- Add labels for .grl files created by gstreamer
|
||||||
|
|
||||||
|
* Fri May 4 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-121
|
||||||
|
- Add labeling for /usr/share/jetty/bin/jetty.sh
|
||||||
|
- Add jetty policy which contains file type definitios
|
||||||
|
- Allow jockey to use its own fifo_file and make this the default for all domains
|
||||||
|
- Allow mozilla_plugins to use spice (vnc_port/couchdb)
|
||||||
|
- asterisk wants to read the network state
|
||||||
|
- Blueman now uses /var/lib/blueman- Add label for nodejs_debug
|
||||||
|
- Allow mozilla_plugin_t to create ~/.pki directory and content
|
||||||
|
|
||||||
|
* Wed May 2 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-120
|
||||||
|
- Add clamscan_can_scan_system boolean
|
||||||
|
- Allow mysqld to read kernel network state
|
||||||
|
- Allow sshd to read/write condor lib files
|
||||||
|
- Allow sshd to read/write condor-startd tcp socket
|
||||||
|
- Fix description on httpd_graceful_shutdown
|
||||||
|
- Allow glance_registry to communicate with mysql
|
||||||
|
- dbus_system_domain is using systemd to lauch applications
|
||||||
|
- add interfaces to allow domains to send kill signals to user mail agents
|
||||||
|
- Remove unnessary access for svirt_lxc domains, add privs for virtd_lxc_t
|
||||||
|
- Lots of new access required for secure containers
|
||||||
|
- Corosync needs sys_admin capability
|
||||||
|
- ALlow colord to create shm
|
||||||
|
- .orc should be allowed to be created by any app that can create gstream home content, thumb_t to be specific
|
||||||
|
- Add boolean to control whether or not mozilla plugins can create random content in the users homedir
|
||||||
|
- Add new interface to allow domains to list msyql_db directories, needed for libra
|
||||||
|
- shutdown has to be allowed to delete etc_runtime_t
|
||||||
|
- Fail2ban needs to read /etc/passwd
|
||||||
|
- Allow ldconfig to create /var/cache/ldconfig
|
||||||
|
- Allow tgtd to read hardware state information
|
||||||
|
- Allow collectd to create packet socket
|
||||||
|
- Allow chronyd to send signal to itself
|
||||||
|
- Allow collectd to read /dev/random
|
||||||
|
- Allow collectd to send signal to itself
|
||||||
|
- firewalld needs to execute restorecon
|
||||||
|
- Allow restorecon and other login domains to execute restorecon
|
||||||
|
|
||||||
|
* Tue Apr 26 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-119
|
||||||
|
- Allow logrotate to getattr on systemd unit files
|
||||||
|
- Add support for tor systemd unit file
|
||||||
|
- Allow apmd to create /var/run/pm-utils with the correct label
|
||||||
|
- Allow l2tpd to send sigkill to pppd
|
||||||
|
- Allow pppd to stream connect to l2tpd
|
||||||
|
- Add label for scripts in /etc/gdm/
|
||||||
|
- Allow systemd_logind_t to ignore mcs constraints on sigkill
|
||||||
|
- Fix files_filetrans_system_conf_named_files() interface
|
||||||
|
- Add labels for /usr/share/wordpress/wp-includes/*.php
|
||||||
|
- Allow cobbler to get SELinux mode and booleans
|
||||||
|
|
||||||
|
* Mon Apr 23 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-118
|
||||||
|
- Add unconfined_execmem_exec_t as an alias to bin_t
|
||||||
|
- Allow fenced to read snmp var lib files, also allow it to read usr_t
|
||||||
|
- ontaudit access checks on all executables from mozilla_plugin
|
||||||
|
- Allow all user domains to setexec, so that sshd will work properly if it call setexec(NULL) while running withing a user mode
|
||||||
|
- Allow systemd_tmpfiles_t to getattr all pipes and sockets
|
||||||
|
- Allow glance-registry to send system log messages
|
||||||
|
- semanage needs to manage mock lib files/dirs
|
||||||
|
|
||||||
|
* Sun Apr 22 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-117
|
||||||
|
- Add policy for abrt-watch-log
|
||||||
|
- Add definitions for jboss_messaging ports
|
||||||
|
- Allow systemd_tmpfiles to manage printer devices
|
||||||
|
- Allow oddjob to use nsswitch
|
||||||
|
- Fix labeling of log files for postgresql
|
||||||
|
- Allow mozilla_plugin_t to execmem and execstack by default
|
||||||
|
- Allow firewalld to execute shell
|
||||||
|
- Fix /etc/wicd content files to get created with the correct label
|
||||||
|
- Allow mcelog to exec shell
|
||||||
|
- Add ~/.orc as a gstreamer_home_t
|
||||||
|
- /var/spool/postfix/lib64 should be labeled lib_t
|
||||||
|
- mpreaper should be able to list all file system labeled directories
|
||||||
|
- Add support for apache to use openstack
|
||||||
|
- Add labeling for /etc/zipl.conf and zipl binary
|
||||||
|
- Turn on allow_execstack and turn off telepathy transition for final release
|
||||||
|
|
||||||
|
* Mon Apr 15 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-116
|
||||||
|
- More access required for virt_qmf_t
|
||||||
|
- Additional assess required for systemd-logind to support multi-seat
|
||||||
|
- Allow mozilla_plugin to setrlimit
|
||||||
|
- Revert changes to fuse file system to stop deadlock
|
||||||
|
|
||||||
|
* Mon Apr 15 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-115
|
||||||
|
- Allow condor domains to connect to ephemeral ports
|
||||||
|
- More fixes for condor policy
|
||||||
|
- Allow keystone to stream connect to mysqld
|
||||||
|
- Allow mozilla_plugin_t to read generic USB device to support GPS devices
|
||||||
|
- Allow thum to file name transition gstreamer home content
|
||||||
|
- Allow thum to read all non security files
|
||||||
|
- Allow glance_api_t to connect to ephemeral ports
|
||||||
|
- Allow nagios plugins to read /dev/urandom
|
||||||
|
- Allow syslogd to search postfix spool to support postfix chroot env
|
||||||
|
- Fix labeling for /var/spool/postfix/dev
|
||||||
|
- Allow wdmd chown
|
||||||
|
- Label .esd_auth as pulseaudio_home_t
|
||||||
|
- Have no idea why keyring tries to write to /run/user/dwalsh/dconf/user, but we can dontaudit for now
|
||||||
|
|
||||||
|
* Fri Apr 13 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-114
|
||||||
|
- Add support for clamd+systemd
|
||||||
|
- Allow fresclam to execute systemctl to handle clamd
|
||||||
|
- Change labeling for /usr/sbin/rpc.ypasswd.env
|
||||||
|
- Allow yppaswd_t to execute yppaswd_exec_t
|
||||||
|
- Allow yppaswd_t to read /etc/passwd
|
||||||
|
- Gnomekeyring socket has been moved to /run/user/USER/
|
||||||
|
- Allow samba-net to connect to ldap port
|
||||||
|
- Allow signal for vhostmd
|
||||||
|
- allow mozilla_plugin_t to read user_home_t socket
|
||||||
|
- New access required for secure Linux Containers
|
||||||
|
- zfs now supports xattrs
|
||||||
|
- Allow quantum to execute sudo and list sysfs
|
||||||
|
- Allow init to dbus chat with the firewalld
|
||||||
|
- Allow zebra to read /etc/passwd
|
||||||
|
|
||||||
|
* Tue Apr 10 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-113
|
||||||
|
- Allow svirt_t to create content in the users homedir under ~/.libvirt
|
||||||
|
- Fix label on /var/lib/heartbeat
|
||||||
|
- Allow systemd_logind_t to send kill signals to all processes started by a user
|
||||||
|
- Fuse now supports Xattr Support
|
||||||
|
|
||||||
|
* Tue Apr 10 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-112
|
||||||
|
- upowered needs to setsched on the kernel
|
||||||
|
- Allow mpd_t to manage log files
|
||||||
|
- Allow xdm_t to create /var/run/systemd/multi-session-x
|
||||||
|
- Add rules for missedfont.log to be used by thumb.fc
|
||||||
|
- Additional access required for virt_qmf_t
|
||||||
|
- Allow dhclient to dbus chat with the firewalld
|
||||||
|
- Add label for lvmetad
|
||||||
|
- Allow systemd_logind_t to remove userdomain sock_files
|
||||||
|
- Allow cups to execute usr_t files
|
||||||
|
- Fix labeling on nvidia shared libraries
|
||||||
|
- wdmd_t needs access to sssd and /etc/passwd
|
||||||
|
- Add boolean to allow ftp servers to run in passive mode
|
||||||
|
- Allow namepspace_init_t to relabelto/from a different user system_u from the user the namespace_init running with
|
||||||
|
- Fix using httpd_use_fusefs
|
||||||
|
- Allow chrome_sandbox_nacl to write inherited user tmp files as we allow it for chrome_sandbox
|
||||||
|
|
||||||
|
* Fri Apr 6 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-111
|
||||||
|
- Rename rdate port to time port, and allow gnomeclock to connect to it
|
||||||
|
- We no longer need to transition to ldconfig from rpm, rpm_script, or anaconda
|
||||||
|
- /etc/auto.* should be labeled bin_t
|
||||||
|
- Add httpd_use_fusefs boolean
|
||||||
|
- Add fixes for heartbeat
|
||||||
|
- Allow sshd_t to signal processes that it transitions to
|
||||||
|
- Add condor policy
|
||||||
|
- Allow svirt to create monitors in ~/.libvirt
|
||||||
|
- Allow dovecot to domtrans sendmail to handle sieve scripts
|
||||||
|
- Lot of fixes for cfengine
|
||||||
|
|
||||||
|
* Tue Apr 3 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-110
|
||||||
|
- /var/run/postmaster.* labeling is no longer needed
|
||||||
|
- Alllow drbdadmin to read /dev/urandom
|
||||||
|
- l2tpd_t seems to use ptmx
|
||||||
|
- group+ and passwd+ should be labeled as /etc/passwd
|
||||||
|
- Zarafa-indexer is a socket
|
||||||
|
|
||||||
|
* Fri Mar 30 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-109
|
||||||
|
- Ensure lastlog is labeled correctly
|
||||||
|
- Allow accountsd to read /proc data about gdm
|
||||||
|
- Add fixes for tuned
|
||||||
|
- Add bcfg2 fixes which were discovered during RHEL6 testing
|
||||||
|
- More fixes for gnome-keyring socket being moved
|
||||||
|
- Run semanage as a unconfined domain, and allow initrc_t to create tmpfs_t sym links on shutdown
|
||||||
|
- Fix description for files_dontaudit_read_security_files() interface
|
||||||
|
|
||||||
|
* Wed Mar 28 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-108
|
||||||
|
- Add new policy and man page for bcfg2
|
||||||
|
- cgconfig needs to use getpw calls
|
||||||
|
- Allow domains that communicate with the keyring to use cache_home_t instead of gkeyringd_tmpt
|
||||||
|
- gnome-keyring wants to create a directory in cache_home_t
|
||||||
|
- sanlock calls getpw
|
||||||
|
|
||||||
|
* Wed Mar 28 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-107
|
||||||
|
- Add numad policy and numad man page
|
||||||
|
- Add fixes for interface bugs discovered by SEWatch
|
||||||
|
- Add /tmp support for squid
|
||||||
|
- Add fix for #799102
|
||||||
|
* change default labeling for /var/run/slapd.* sockets
|
||||||
|
- Make thumb_t as userdom_home_reader
|
||||||
|
- label /var/lib/sss/mc same as pubconf, so getpw domains can read it
|
||||||
|
- Allow smbspool running as cups_t to stream connect to nmbd
|
||||||
|
- accounts needs to be able to execute passwd on behalf of users
|
||||||
|
- Allow systemd_tmpfiles_t to delete boot flags
|
||||||
|
- Allow dnssec_trigger to connect to apache ports
|
||||||
|
- Allow gnome keyring to create sock_files in ~/.cache
|
||||||
|
- google_authenticator is using .google_authenticator
|
||||||
|
- sandbox running from within firefox is exposing more leaks
|
||||||
|
- Dontaudit thumb to read/write /dev/card0
|
||||||
|
- Dontaudit getattr on init_exec_t for gnomeclock_t
|
||||||
|
- Allow certmonger to do a transition to certmonger_unconfined_t
|
||||||
|
- Allow dhcpc setsched which is caused by nmcli
|
||||||
|
- Add rpm_exec_t for /usr/sbin/bcfg2
|
||||||
|
- system cronjobs are sending dbus messages to systemd_logind
|
||||||
|
- Thumnailers read /dev/urand
|
||||||
|
|
||||||
|
* Thu Mar 22 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-106
|
||||||
|
- Allow auditctl getcap
|
||||||
|
- Allow vdagent to use libsystemd-login
|
||||||
|
- Allow abrt-dump-oops to search /etc/abrt
|
||||||
|
- Got these avc's while trying to print a boarding pass from firefox
|
||||||
|
- Devicekit is now putting the media directory under /run/media
|
||||||
|
- Allow thumbnailers to create content in ~/.thumbails directory
|
||||||
|
- Add support for proL2TPd by Dominick Grift
|
||||||
|
- Allow all domains to call getcap
|
||||||
|
- wdmd seems to get a random chown capability check that it does not need
|
||||||
|
- Allow vhostmd to read kernel sysctls
|
||||||
|
|
||||||
|
* Wed Mar 21 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-105
|
||||||
|
- Allow chronyd to read unix
|
||||||
|
- Allow hpfax to read /etc/passwd
|
||||||
|
- Add support matahari vios-proxy-* apps and add virtd_exec_t label for them
|
||||||
|
- Allow rpcd to read quota_db_t
|
||||||
|
- Update to man pages to match latest policy
|
||||||
|
- Fix bug in jockey interface for sepolgen-ifgen
|
||||||
|
- Add initial svirt_prot_exec_t policy
|
||||||
|
|
||||||
|
* Mon Mar 19 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-104
|
||||||
|
- More fixes for systemd from Dan Walsh
|
||||||
|
|
||||||
|
* Mon Mar 19 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-103
|
||||||
|
- Add a new type for /etc/firewalld and allow firewalld to write to this directory
|
||||||
|
- Add definition for ~/Maildir, and allow mail deliver domains to write there
|
||||||
|
- Allow polipo to run from a cron job
|
||||||
|
- Allow rtkit to schedule wine processes
|
||||||
|
- Allow mozilla_plugin_t to acquire a bug, and allow it to transition gnome content in the home dir to the proper label
|
||||||
|
- Allow users domains to send signals to consolehelper domains
|
||||||
|
|
||||||
|
* Fri Mar 16 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-102
|
||||||
|
- More fixes for boinc policy
|
||||||
|
- Allow polipo domain to create its own cache dir and pid file
|
||||||
|
- Add systemctl support to httpd domain
|
||||||
|
- Add systemctl support to polipo, allow NetworkManager to manage the service
|
||||||
|
- Add policy for jockey-backend
|
||||||
|
- Add support for motion daemon which is now covered by zoneminder policy
|
||||||
|
- Allow colord to read/write motion tmpfs
|
||||||
|
- Allow vnstat to search through var_lib_t directories
|
||||||
|
- Stop transitioning to quota_t, from init an sysadm_t
|
||||||
|
|
||||||
|
* Wed Mar 14 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-101
|
||||||
|
- Add svirt_lxc_file_t as a customizable type
|
||||||
|
|
||||||
|
* Wed Mar 14 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-100
|
||||||
|
- Add additional fixes for icmp nagios plugin
|
||||||
|
- Allow cron jobs to open fifo_files from cron, since service script opens /dev/stdin
|
||||||
|
- Add certmonger_unconfined_exec_t
|
||||||
|
- Make sure tap22 device is created with the correct label
|
||||||
|
- Allow staff users to read systemd unit files
|
||||||
|
- Merge in previously built policy
|
||||||
|
- Arpwatch needs to be able to start netlink sockets in order to start
|
||||||
|
- Allow cgred_t to sys_ptrace to look at other DAC Processes
|
||||||
|
|
||||||
|
* Mon Mar 12 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-99
|
||||||
|
- Back port some of the access that was allowed in nsplugin_t
|
||||||
|
- Add definitiona for couchdb ports
|
||||||
|
- Allow nagios to use inherited users ttys
|
||||||
|
- Add git support for mock
|
||||||
|
- Allow inetd to use rdate port
|
||||||
|
- Add own type for rdate port
|
||||||
|
- Allow samba to act as a portmapper
|
||||||
|
- Dontaudit chrome_sandbox attempts to getattr on chr_files in /dev
|
||||||
|
- New fixes needed for samba4
|
||||||
|
- Allow apps that use lib_t to read lib_t symlinks
|
||||||
|
|
||||||
|
* Fri Mar 9 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-98
|
||||||
|
- Add policy for nove-cert
|
||||||
|
- Add labeling for nova-openstack systemd unit files
|
||||||
|
- Add policy for keystoke
|
||||||
|
|
||||||
|
* Thu Mar 8 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-97
|
||||||
|
- Fix man pages fro domains
|
||||||
|
- Add man pages for SELinux users and roles
|
||||||
|
- Add storage_dev_filetrans_named_fixed_disk() and use it for smartmon
|
||||||
|
- Add policy for matahari-rpcd
|
||||||
|
- nfsd executes mount command on restart
|
||||||
|
- Matahari domains execute renice and setsched
|
||||||
|
- Dontaudit leaked tty in mozilla_plugin_config
|
||||||
|
- mailman is changing to a per instance naming
|
||||||
|
- Add 7600 and 4447 as jboss_management ports
|
||||||
|
- Add fixes for nagios event handlers
|
||||||
|
- Label httpd.event as httpd_exec_t, it is an apache daemon
|
||||||
|
|
||||||
|
* Mon Mar 5 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-96
|
||||||
|
- Add labeling for /var/spool/postfix/dev/log
|
||||||
|
- NM reads sysctl.conf
|
||||||
|
- Iscsi log file context specification fix
|
||||||
|
- Allow mozilla plugins to send dbus messages to user domains that transition to it
|
||||||
|
- Allow mysql to read the passwd file
|
||||||
|
- Allow mozilla_plugin_t to create mozilla home dirs in user homedir
|
||||||
|
- Allow deltacloud to read kernel sysctl
|
||||||
|
- Allow postgresql_t to connectto itselfAllow postgresql_t to connectto itself
|
||||||
|
- Allow postgresql_t to connectto itself
|
||||||
|
- Add login_userdomain attribute for users which can log in using terminal
|
||||||
|
|
||||||
|
* Tue Feb 28 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-95
|
||||||
|
- Allow sysadm_u to reach system_r by default #784011
|
||||||
|
- Allow nagios plugins to use inherited user terminals
|
||||||
|
- Razor labeling is not used no longer
|
||||||
|
- Add systemd support for matahari
|
||||||
|
- Add port_types to man page, move booleans to the top, fix some english
|
||||||
|
- Add support for matahari-sysconfig-console
|
||||||
|
- Clean up matahari.fc
|
||||||
|
- Fix matahari_admin() interfac
|
||||||
|
- Add labels for/etc/ssh/ssh_host_*.pub keys
|
||||||
|
|
||||||
|
* Mon Feb 27 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-94
|
||||||
|
- Allow ksysguardproces to send system log msgs
|
||||||
|
- Allow boinc setpgid and signull
|
||||||
|
- Allow xdm_t to sys_ptrace to run pidof command
|
||||||
|
- Allow smtpd_t to manage spool files/directories and symbolic links
|
||||||
|
- Add labeling for jetty
|
||||||
|
- Needed changes to get unbound/dnssec to work with openswan
|
||||||
|
|
||||||
|
* Thu Feb 23 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-93
|
||||||
|
- Add user_fonts_t alias xfs_tmp_t
|
||||||
|
- Since depmod now runs as insmod_t we need to write to kernel_object_t
|
||||||
|
- Allow firewalld to dbus chat with networkmanager
|
||||||
|
- Allow qpidd to connect to matahari ports
|
||||||
|
- policykit needs to read /proc for uses not owned by it
|
||||||
|
- Allow systemctl apps to connecto the init stream
|
||||||
|
|
||||||
|
* Wed Feb 22 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-92
|
||||||
|
- Turn on deny_ptrace boolean
|
||||||
|
|
||||||
|
* Tue Feb 21 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-91
|
||||||
|
- Remove pam_selinux.8 man page. There was a conflict.
|
||||||
|
|
||||||
|
* Tue Feb 21 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-90
|
||||||
|
- Add proxy class and read access for gssd_proxy
|
||||||
|
- Separate out the sharing public content booleans
|
||||||
|
- Allow certmonger to execute a script and send signals to apache and dirsrv to reload the certificate
|
||||||
|
- Add label transition for gstream-0.10 and 12
|
||||||
|
- Add booleans to allow rsync to share nfs and cifs file sytems
|
||||||
|
- chrome_sandbox wants to read the /proc/PID/exe file of the program that executed it
|
||||||
|
- Fix filename transitions for cups files
|
||||||
|
- Allow denyhosts to read "unix"
|
||||||
|
- Add file name transition for locale.conf.new
|
||||||
|
- Allow boinc projects to gconf config files
|
||||||
|
- sssd needs to be able to increase the socket limit under certain loads
|
||||||
|
- sge_execd needs to read /etc/passwd
|
||||||
|
- Allow denyhost to check network state
|
||||||
|
- NetworkManager needs to read sessions data
|
||||||
|
- Allow denyhost to check network state
|
||||||
|
- Allow xen to search virt images directories
|
||||||
|
- Add label for /dev/megaraid_sas_ioctl_node
|
||||||
|
- Add autogenerated man pages
|
||||||
|
|
||||||
|
* Thu Feb 16 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-89
|
||||||
|
- Allow boinc project to getattr on fs
|
||||||
|
- Allow init to execute initrc_state_t
|
||||||
|
- rhev-agent package was rename to ovirt-guest-agent
|
||||||
|
- If initrc_t creates /etc/local.conf then we need to make sure it is labeled correctly
|
||||||
|
- sytemd writes content to /run/initramfs and executes it on shutdown
|
||||||
|
- kdump_t needs to read /etc/mtab, should be back ported to F16
|
||||||
|
- udev needs to load kernel modules in early system boot
|
||||||
|
|
||||||
|
* Tue Feb 14 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-88
|
||||||
|
- Need to add sys_ptrace back in since reading any content in /proc can cause these accesses
|
||||||
|
- Add additional systemd interfaces which are needed fro *_admin interfaces
|
||||||
|
- Fix bind_admin() interface
|
||||||
|
|
||||||
|
* Mon Feb 13 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-87
|
||||||
- Allow firewalld to read urand
|
- Allow firewalld to read urand
|
||||||
- Alias java, execmem_mono to bin_t to allow third parties
|
- Alias java, execmem_mono to bin_t to allow third parties
|
||||||
- Add label for kmod
|
- Add label for kmod
|
||||||
|
@ -493,6 +982,31 @@ SELinux Reference policy mls base module.
|
||||||
- Allow systemd_tmpfiles_t to delete all file types
|
- Allow systemd_tmpfiles_t to delete all file types
|
||||||
- Allow collectd to ipc_lock
|
- Allow collectd to ipc_lock
|
||||||
|
|
||||||
|
* Fri Feb 10 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-86
|
||||||
|
- make consoletype_exec optional, so we can remove consoletype policy
|
||||||
|
- remove unconfined_permisive.patch
|
||||||
|
- Allow openvpn_t to inherit user home content and tmp content
|
||||||
|
- Fix dnssec-trigger labeling
|
||||||
|
- Turn on obex policy for staff_t
|
||||||
|
- Pem files should not be secret
|
||||||
|
- Add lots of rules to fix AVC's when playing with containers
|
||||||
|
- Fix policy for dnssec
|
||||||
|
- Label ask-passwd directories correctly for systemd
|
||||||
|
|
||||||
|
* Thu Feb 9 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-85
|
||||||
|
- sshd fixes seem to be causing unconfined domains to dyntrans to themselves
|
||||||
|
- fuse file system is now being mounted in /run/user
|
||||||
|
- systemd_logind is sending signals to processes that are dbus messaging with it
|
||||||
|
- Add support for winshadow port and allow iscsid to connect to this port
|
||||||
|
- httpd should be allowed to bind to the http_port_t udp socket
|
||||||
|
- zarafa_var_lib_t can be a lnk_file
|
||||||
|
- A couple of new .xsession-errors files
|
||||||
|
- Seems like user space and login programs need to read logind_sessions_files
|
||||||
|
- Devicekit disk seems to be being launched by systemd
|
||||||
|
- Cleanup handling of setfiles so most of rules in te file
|
||||||
|
- Correct port number for dnssec
|
||||||
|
- logcheck has the home dir set to its cache
|
||||||
|
|
||||||
* Tue Feb 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-84
|
* Tue Feb 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-84
|
||||||
- Add policy for grindengine MPI jobs
|
- Add policy for grindengine MPI jobs
|
||||||
|
|
||||||
|
|