Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy
Conflicts: config.tgz
This commit is contained in:
commit
5f75e360e4
@ -1,5 +1,5 @@
|
||||
# Turn off the ability for one process to read/modify another processes memory
|
||||
deny_ptrace = true
|
||||
deny_ptrace = false
|
||||
|
||||
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
|
||||
deny_execmem = false
|
||||
@ -11,7 +11,7 @@ allow_execmod = true
|
||||
|
||||
# Allow making the stack executable via mprotect.Also requires allow_execmem.
|
||||
#
|
||||
allow_execstack = false
|
||||
allow_execstack = true
|
||||
|
||||
# Allow ftpd to read cifs directories.
|
||||
#
|
||||
@ -33,6 +33,10 @@ allow_gssd_read_tmp = true
|
||||
#
|
||||
allow_httpd_anon_write = false
|
||||
|
||||
# Allow Apache to connect to port 80 for graceful shutdown
|
||||
#
|
||||
httpd_graceful_shutdown = true
|
||||
|
||||
# Allow Apache to use mod_auth_pam module
|
||||
#
|
||||
allow_httpd_mod_auth_pam = false
|
||||
@ -232,7 +236,9 @@ allow_xserver_execmem = false
|
||||
# disallow guest accounts to execute files that they can create
|
||||
#
|
||||
allow_guest_exec_content = false
|
||||
allow_xguest_exec_content = false
|
||||
|
||||
# xguest now requires to execute content in homedir to allow gnome-shell to work# properly.
|
||||
allow_xguest_exec_content = true
|
||||
|
||||
# Only allow browser to use the web
|
||||
#
|
||||
@ -264,7 +270,7 @@ unconfined_mozilla_plugin_transition=true
|
||||
|
||||
# Allow unconfined domain to transition to confined domain
|
||||
#
|
||||
unconfined_telepathy_transition=true
|
||||
unconfined_telepathy_transition=false
|
||||
|
||||
# Allow unconfined domain to transition to chrome_sandbox confined domain
|
||||
#
|
||||
|
BIN
config.tgz
BIN
config.tgz
Binary file not shown.
@ -67,6 +67,13 @@ collectd = module
|
||||
#
|
||||
colord = module
|
||||
|
||||
# Layer: services
|
||||
# Module: couchdb
|
||||
#
|
||||
# Apache CouchDB database server
|
||||
#
|
||||
couchdb = module
|
||||
|
||||
# Layer: apps
|
||||
# Module: cpufreqselector
|
||||
#
|
||||
@ -194,6 +201,13 @@ automount = module
|
||||
#
|
||||
avahi = module
|
||||
|
||||
# Layer: services
|
||||
# Module: bcfg2
|
||||
#
|
||||
# Configuration management server
|
||||
#
|
||||
bcfg2 = module
|
||||
|
||||
# Layer: services
|
||||
# Module: boinc
|
||||
#
|
||||
@ -723,13 +737,6 @@ hddtemp = module
|
||||
#
|
||||
passenger = module
|
||||
|
||||
# Layer: admin
|
||||
# Module: permissivedomains
|
||||
#
|
||||
# Contains all permissivedomains shipped by distribution
|
||||
#
|
||||
permissivedomains = module
|
||||
|
||||
# Layer: services
|
||||
# Module: policykit
|
||||
#
|
||||
@ -758,6 +765,20 @@ ptchown = module
|
||||
#
|
||||
psad = module
|
||||
|
||||
# Layer: apps
|
||||
# Module: pwauth
|
||||
#
|
||||
# External plugin for mod_authnz_external authenticator
|
||||
#
|
||||
pwauth = module
|
||||
|
||||
# Layer: services
|
||||
# Module: quantum
|
||||
#
|
||||
# Quantum is a virtual network service for Openstack
|
||||
#
|
||||
quantum = module
|
||||
|
||||
# Layer: system
|
||||
# Module: hostname
|
||||
#
|
||||
@ -835,7 +856,6 @@ icecast = module
|
||||
#
|
||||
i18n_input = off
|
||||
|
||||
|
||||
# Layer: services
|
||||
# Module: jabber
|
||||
#
|
||||
@ -843,6 +863,13 @@ i18n_input = off
|
||||
#
|
||||
jabber = module
|
||||
|
||||
# Layer: services
|
||||
# Module: jetty
|
||||
#
|
||||
# Java based http server
|
||||
#
|
||||
jetty = module
|
||||
|
||||
# Layer: admin
|
||||
# Module: kdump
|
||||
#
|
||||
@ -2369,6 +2396,13 @@ milter = module
|
||||
#
|
||||
keyboardd = module
|
||||
|
||||
# Layer: services
|
||||
# Module: keystone
|
||||
#
|
||||
# openstack-keystone
|
||||
#
|
||||
keystone = module
|
||||
|
||||
# Layer: services
|
||||
# Module: firewalld
|
||||
#
|
||||
@ -2439,6 +2473,13 @@ sblim = module
|
||||
#
|
||||
cfengine = module
|
||||
|
||||
# Layer: services
|
||||
# Module: pacemaker
|
||||
#
|
||||
# pacemaker
|
||||
#
|
||||
pacemaker = module
|
||||
|
||||
# Layer: services
|
||||
# Module: polipo
|
||||
#
|
||||
@ -2480,3 +2521,38 @@ obex = module
|
||||
# policy for grindengine MPI jobs
|
||||
#
|
||||
sge = module
|
||||
|
||||
# Layer: apps
|
||||
# Module: jockey
|
||||
#
|
||||
# policy for jockey-backend
|
||||
#
|
||||
jockey = module
|
||||
|
||||
# Layer: services
|
||||
# Module: numad
|
||||
#
|
||||
# numad - user-level daemon that provides advice and managment for optimum use of CPUs and memory on systems with NUMA topology
|
||||
#
|
||||
numad = module
|
||||
|
||||
# Layer: services
|
||||
# Module: condor
|
||||
#
|
||||
# policy for condor
|
||||
#
|
||||
condor = module
|
||||
|
||||
# Layer: services
|
||||
# Module: svnserve
|
||||
#
|
||||
# policy for subversion service
|
||||
#
|
||||
svnserve = module
|
||||
|
||||
# Layer: apps
|
||||
# Module: man2html
|
||||
#
|
||||
# policy for man2html apps
|
||||
#
|
||||
man2html = module
|
||||
|
1
permissivedomains.fc
Normal file
1
permissivedomains.fc
Normal file
@ -0,0 +1 @@
|
||||
# No file contexts
|
1
permissivedomains.if
Normal file
1
permissivedomains.if
Normal file
@ -0,0 +1 @@
|
||||
## <summary>No Interfaces</summary>
|
BIN
permissivedomains.pp
Normal file
BIN
permissivedomains.pp
Normal file
Binary file not shown.
162
permissivedomains.te
Normal file
162
permissivedomains.te
Normal file
@ -0,0 +1,162 @@
|
||||
policy_module(permissivedomains,17)
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type bcfg2_t;
|
||||
')
|
||||
|
||||
permissive bcfg2_t;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type couchdb_t;
|
||||
')
|
||||
|
||||
permissive couchdb_t;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type blueman_t;
|
||||
')
|
||||
|
||||
permissive blueman_t;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type httpd_zoneminder_script_t, zoneminder_t;
|
||||
')
|
||||
|
||||
permissive httpd_zoneminder_script_t;
|
||||
permissive zoneminder_t;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type selinux_munin_plugin_t;
|
||||
')
|
||||
|
||||
permissive selinux_munin_plugin_t;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type dnssec_trigger_t;
|
||||
')
|
||||
|
||||
permissive dnssec_trigger_t;
|
||||
')
|
||||
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type obex_t;
|
||||
')
|
||||
|
||||
permissive obex_t;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type sge_shepherd_t;
|
||||
type sge_execd_t;
|
||||
type sge_job_t;
|
||||
')
|
||||
|
||||
permissive sge_shepherd_t;
|
||||
permissive sge_execd_t;
|
||||
permissive sge_job_t;
|
||||
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type matahari_rpcd_t;
|
||||
')
|
||||
|
||||
permissive matahari_rpcd_t;
|
||||
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type keystone_t;
|
||||
')
|
||||
|
||||
permissive keystone_t;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type pacemaker_t;
|
||||
')
|
||||
|
||||
permissive pacemaker_t;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type jockey_t;
|
||||
')
|
||||
|
||||
permissive jockey_t;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type quantum_t;
|
||||
')
|
||||
|
||||
permissive quantum_t;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type numad_t;
|
||||
')
|
||||
|
||||
permissive numad_t;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type pwauth_t;
|
||||
')
|
||||
|
||||
permissive pwauth_t;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type man2html_t;
|
||||
')
|
||||
|
||||
permissive man2html_t;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type svnserve_t;
|
||||
')
|
||||
|
||||
permissive svnserve_t;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type condor_collector_t;
|
||||
type condor_negotiator_t;
|
||||
type condor_startd_t;
|
||||
type condor_schedd_t;
|
||||
type condor_procd_t;
|
||||
type condor_master_t;
|
||||
')
|
||||
permissive condor_collector_t;
|
||||
permissive condor_negotiator_t;
|
||||
permissive condor_schedd_t;
|
||||
permissive condor_startd_t;
|
||||
permissive condor_procd_t;
|
||||
permissive condor_master_t;
|
||||
')
|
74607
policy-F16.patch
74607
policy-F16.patch
File diff suppressed because it is too large
Load Diff
1128
policy-rawhide-roleattribute.patch
Normal file
1128
policy-rawhide-roleattribute.patch
Normal file
File diff suppressed because it is too large
Load Diff
90452
policy-rawhide.patch
Normal file
90452
policy-rawhide.patch
Normal file
File diff suppressed because it is too large
Load Diff
854
policy_contrib-rawhide-roleattribute.patch
Normal file
854
policy_contrib-rawhide-roleattribute.patch
Normal file
@ -0,0 +1,854 @@
|
||||
commit f53f820fe366940d4fdecaef80de4e5b1178fac6
|
||||
Author: Miroslav Grepl <mgrepl@redhat.com>
|
||||
Date: Thu Jun 7 01:38:59 2012 +0200
|
||||
|
||||
roleattribute patch
|
||||
|
||||
diff --git a/livecd.if b/livecd.if
|
||||
index bfbf676..fb7869e 100644
|
||||
--- a/livecd.if
|
||||
+++ b/livecd.if
|
||||
@@ -38,12 +38,19 @@ interface(`livecd_run',`
|
||||
gen_require(`
|
||||
type livecd_t;
|
||||
type livecd_exec_t;
|
||||
- attribute_role livecd_roles;
|
||||
+ #attribute_role livecd_roles;
|
||||
')
|
||||
|
||||
livecd_domtrans($1)
|
||||
- roleattribute $2 livecd_roles;
|
||||
+ #roleattribute $2 livecd_roles;
|
||||
+ role $2 types livecd_t;
|
||||
role_transition $2 livecd_exec_t system_r;
|
||||
+
|
||||
+ seutil_run_setfiles_mac(livecd_t, system_r)
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ mount_run(livecd_t, $2)
|
||||
+ ')
|
||||
')
|
||||
|
||||
########################################
|
||||
diff --git a/livecd.te b/livecd.te
|
||||
index 65efdae..7a944b5 100644
|
||||
--- a/livecd.te
|
||||
+++ b/livecd.te
|
||||
@@ -5,13 +5,14 @@ policy_module(livecd, 1.2.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
-attribute_role livecd_roles;
|
||||
-roleattribute system_r livecd_roles;
|
||||
+#attribute_role livecd_roles;
|
||||
+#roleattribute system_r livecd_roles;
|
||||
|
||||
type livecd_t;
|
||||
type livecd_exec_t;
|
||||
application_domain(livecd_t, livecd_exec_t)
|
||||
-role livecd_roles types livecd_t;
|
||||
+role system_r types livecd_t;
|
||||
+#role livecd_roles types livecd_t;
|
||||
|
||||
type livecd_tmp_t;
|
||||
files_tmp_file(livecd_tmp_t)
|
||||
@@ -35,10 +36,10 @@ term_filetrans_all_named_dev(livecd_t)
|
||||
|
||||
sysnet_filetrans_named_content(livecd_t)
|
||||
|
||||
-optional_policy(`
|
||||
- mount_run(livecd_t, livecd_roles)
|
||||
- seutil_run_setfiles_mac(livecd_t, livecd_roles)
|
||||
-')
|
||||
+#optional_policy(`
|
||||
+# mount_run(livecd_t, livecd_roles)
|
||||
+# seutil_run_setfiles_mac(livecd_t, livecd_roles)
|
||||
+#')
|
||||
|
||||
optional_policy(`
|
||||
ssh_filetrans_admin_home_content(livecd_t)
|
||||
diff --git a/mozilla.if b/mozilla.if
|
||||
index 30b0241..30bfefb 100644
|
||||
--- a/mozilla.if
|
||||
+++ b/mozilla.if
|
||||
@@ -18,10 +18,11 @@
|
||||
interface(`mozilla_role',`
|
||||
gen_require(`
|
||||
type mozilla_t, mozilla_exec_t, mozilla_home_t;
|
||||
- attribute_role mozilla_roles;
|
||||
+ #attribute_role mozilla_roles;
|
||||
')
|
||||
|
||||
- roleattribute $1 mozilla_roles;
|
||||
+ #roleattribute $1 mozilla_roles;
|
||||
+ role $1 types mozilla_t;
|
||||
|
||||
domain_auto_trans($2, mozilla_exec_t, mozilla_t)
|
||||
# Unrestricted inheritance from the caller.
|
||||
@@ -47,6 +48,8 @@ interface(`mozilla_role',`
|
||||
relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
|
||||
relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
|
||||
|
||||
+ #should be remove then with adding of roleattribute
|
||||
+ mozilla_run_plugin(mozilla_t, $1)
|
||||
mozilla_dbus_chat($2)
|
||||
|
||||
userdom_manage_tmp_role($1, mozilla_t)
|
||||
@@ -63,7 +66,6 @@ interface(`mozilla_role',`
|
||||
|
||||
mozilla_filetrans_home_content($2)
|
||||
|
||||
- mozilla_dbus_chat($2)
|
||||
')
|
||||
|
||||
########################################
|
||||
diff --git a/mozilla.te b/mozilla.te
|
||||
index 7bf56bf..56700a4 100644
|
||||
--- a/mozilla.te
|
||||
+++ b/mozilla.te
|
||||
@@ -19,14 +19,15 @@ gen_tunable(mozilla_read_content, false)
|
||||
## </desc>
|
||||
gen_tunable(mozilla_plugin_enable_homedirs, false)
|
||||
|
||||
-attribute_role mozilla_roles;
|
||||
+#attribute_role mozilla_roles;
|
||||
|
||||
type mozilla_t;
|
||||
type mozilla_exec_t;
|
||||
typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
|
||||
typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
|
||||
userdom_user_application_domain(mozilla_t, mozilla_exec_t)
|
||||
-role mozilla_roles types mozilla_t;
|
||||
+#role mozilla_roles types mozilla_t;
|
||||
+role system_r types mozilla_t;
|
||||
|
||||
type mozilla_conf_t;
|
||||
files_config_file(mozilla_conf_t)
|
||||
@@ -39,7 +40,8 @@ userdom_user_home_content(mozilla_home_t)
|
||||
type mozilla_plugin_t;
|
||||
type mozilla_plugin_exec_t;
|
||||
application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
|
||||
-role mozilla_roles types mozilla_plugin_t;
|
||||
+#role mozilla_roles types mozilla_plugin_t;
|
||||
+role system_r types mozilla_plugin_t;
|
||||
|
||||
type mozilla_plugin_tmp_t;
|
||||
userdom_user_tmp_content(mozilla_plugin_tmp_t)
|
||||
@@ -55,7 +57,8 @@ files_type(mozilla_plugin_rw_t)
|
||||
type mozilla_plugin_config_t;
|
||||
type mozilla_plugin_config_exec_t;
|
||||
application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)
|
||||
-role mozilla_roles types mozilla_plugin_config_t;
|
||||
+#role mozilla_roles types mozilla_plugin_config_t;
|
||||
+role system_r types mozilla_plugin_config_t;
|
||||
|
||||
type mozilla_tmp_t;
|
||||
userdom_user_tmp_file(mozilla_tmp_t)
|
||||
@@ -186,7 +189,7 @@ sysnet_dns_name_resolve(mozilla_t)
|
||||
|
||||
userdom_use_inherited_user_ptys(mozilla_t)
|
||||
|
||||
-mozilla_run_plugin(mozilla_t, mozilla_roles)
|
||||
+#mozilla_run_plugin(mozilla_t, mozilla_roles)
|
||||
|
||||
xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
|
||||
xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
|
||||
@@ -298,7 +301,8 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- pulseaudio_role(mozilla_roles, mozilla_t)
|
||||
+ #pulseaudio_role(mozilla_roles, mozilla_t)
|
||||
+ pulseaudio_exec(mozilla_t)
|
||||
pulseaudio_stream_connect(mozilla_t)
|
||||
pulseaudio_manage_home_files(mozilla_t)
|
||||
')
|
||||
@@ -476,9 +480,9 @@ optional_policy(`
|
||||
java_exec(mozilla_plugin_t)
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- lpd_run_lpr(mozilla_plugin_t, mozilla_roles)
|
||||
-')
|
||||
+#optional_policy(`
|
||||
+# lpd_run_lpr(mozilla_plugin_t, mozilla_roles)
|
||||
+#')
|
||||
|
||||
optional_policy(`
|
||||
mplayer_exec(mozilla_plugin_t)
|
||||
diff --git a/ncftool.if b/ncftool.if
|
||||
index 1520b6c..3a4455f 100644
|
||||
--- a/ncftool.if
|
||||
+++ b/ncftool.if
|
||||
@@ -36,10 +36,18 @@ interface(`ncftool_domtrans',`
|
||||
#
|
||||
interface(`ncftool_run',`
|
||||
gen_require(`
|
||||
- attribute_role ncftool_roles;
|
||||
+ type ncftool_t;
|
||||
+ #attribute_role ncftool_roles;
|
||||
')
|
||||
|
||||
- ncftool_domtrans($1)
|
||||
- roleattribute $2 ncftool_roles;
|
||||
+ #ncftool_domtrans($1)
|
||||
+ #roleattribute $2 ncftool_roles;
|
||||
+
|
||||
+ role $1 types ncftool_t;
|
||||
+
|
||||
+ ncftool_domtrans($2)
|
||||
+
|
||||
+ ps_process_pattern($2, ncftool_t)
|
||||
+ allow $2 ncftool_t:process signal;
|
||||
')
|
||||
|
||||
diff --git a/ncftool.te b/ncftool.te
|
||||
index 91ab36d..8c48c33 100644
|
||||
--- a/ncftool.te
|
||||
+++ b/ncftool.te
|
||||
@@ -5,15 +5,16 @@ policy_module(ncftool, 1.1.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
-attribute_role ncftool_roles;
|
||||
-roleattribute system_r ncftool_roles;
|
||||
+#attribute_role ncftool_roles;
|
||||
+#roleattribute system_r ncftool_roles;
|
||||
|
||||
type ncftool_t;
|
||||
type ncftool_exec_t;
|
||||
application_domain(ncftool_t, ncftool_exec_t)
|
||||
domain_obj_id_change_exemption(ncftool_t)
|
||||
domain_system_change_exemption(ncftool_t)
|
||||
-role ncftool_roles types ncftool_t;
|
||||
+#role ncftool_roles types ncftool_t;
|
||||
+role system_r types ncftool_t;
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -53,8 +54,10 @@ term_use_all_inherited_terms(ncftool_t)
|
||||
|
||||
miscfiles_read_localization(ncftool_t)
|
||||
sysnet_delete_dhcpc_pid(ncftool_t)
|
||||
-sysnet_run_dhcpc(ncftool_t, ncftool_roles)
|
||||
-sysnet_run_ifconfig(ncftool_t, ncftool_roles)
|
||||
+sysnet_domtrans_dhcpc(ncftool_t)
|
||||
+sysnet_domtrans_ifconfig(ncftool_t)
|
||||
+#sysnet_run_dhcpc(ncftool_t, ncftool_roles)
|
||||
+#sysnet_run_ifconfig(ncftool_t, ncftool_roles)
|
||||
sysnet_etc_filetrans_config(ncftool_t)
|
||||
sysnet_manage_config(ncftool_t)
|
||||
sysnet_read_dhcpc_state(ncftool_t)
|
||||
@@ -66,9 +69,9 @@ sysnet_signal_dhcpc(ncftool_t)
|
||||
userdom_use_user_terminals(ncftool_t)
|
||||
userdom_read_user_tmp_files(ncftool_t)
|
||||
|
||||
-optional_policy(`
|
||||
- brctl_run(ncftool_t, ncftool_roles)
|
||||
-')
|
||||
+#optional_policy(`
|
||||
+# brctl_run(ncftool_t, ncftool_roles)
|
||||
+#')
|
||||
|
||||
optional_policy(`
|
||||
consoletype_exec(ncftool_t)
|
||||
@@ -85,9 +88,12 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
modutils_read_module_config(ncftool_t)
|
||||
- modutils_run_insmod(ncftool_t, ncftool_roles)
|
||||
+ modutils_domtrans_insmod(ncftool_t)
|
||||
+ #modutils_run_insmod(ncftool_t, ncftool_roles)
|
||||
+
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- netutils_run(ncftool_t, ncftool_roles)
|
||||
+ netutils_domtrans(ncftool_t)
|
||||
+ #netutils_run(ncftool_t, ncftool_roles)
|
||||
')
|
||||
diff --git a/ppp.if b/ppp.if
|
||||
index c174b05..a4cad0b 100644
|
||||
--- a/ppp.if
|
||||
+++ b/ppp.if
|
||||
@@ -175,11 +175,18 @@ interface(`ppp_run_cond',`
|
||||
#
|
||||
interface(`ppp_run',`
|
||||
gen_require(`
|
||||
- attribute_role pppd_roles;
|
||||
+ #attribute_role pppd_roles;
|
||||
+ type pppd_t;
|
||||
')
|
||||
|
||||
- ppp_domtrans($1)
|
||||
- roleattribute $2 pppd_roles;
|
||||
+ #ppp_domtrans($1)
|
||||
+ #roleattribute $2 pppd_roles;
|
||||
+
|
||||
+ role $2 types pppd_t;
|
||||
+
|
||||
+ tunable_policy(`pppd_for_user',`
|
||||
+ ppp_domtrans($1)
|
||||
+ ')
|
||||
')
|
||||
|
||||
########################################
|
||||
diff --git a/ppp.te b/ppp.te
|
||||
index 17e10a2..92cec2b 100644
|
||||
--- a/ppp.te
|
||||
+++ b/ppp.te
|
||||
@@ -19,14 +19,15 @@ gen_tunable(pppd_can_insmod, false)
|
||||
## </desc>
|
||||
gen_tunable(pppd_for_user, false)
|
||||
|
||||
-attribute_role pppd_roles;
|
||||
+#attribute_role pppd_roles;
|
||||
|
||||
# pppd_t is the domain for the pppd program.
|
||||
# pppd_exec_t is the type of the pppd executable.
|
||||
type pppd_t;
|
||||
type pppd_exec_t;
|
||||
init_daemon_domain(pppd_t, pppd_exec_t)
|
||||
-role pppd_roles types pppd_t;
|
||||
+#role pppd_roles types pppd_t;
|
||||
+role system_r types pppd_t;
|
||||
|
||||
type pppd_devpts_t;
|
||||
term_pty(pppd_devpts_t)
|
||||
@@ -64,7 +65,8 @@ files_pid_file(pppd_var_run_t)
|
||||
type pptp_t;
|
||||
type pptp_exec_t;
|
||||
init_daemon_domain(pptp_t, pptp_exec_t)
|
||||
-role pppd_roles types pptp_t;
|
||||
+#role pppd_roles types pptp_t;
|
||||
+role system_r types pptp_t;
|
||||
|
||||
type pptp_log_t;
|
||||
logging_log_file(pptp_log_t)
|
||||
@@ -176,7 +178,8 @@ init_dontaudit_write_utmp(pppd_t)
|
||||
init_signal_script(pppd_t)
|
||||
|
||||
auth_use_nsswitch(pppd_t)
|
||||
-auth_run_chk_passwd(pppd_t,pppd_roles)
|
||||
+auth_domtrans_chk_passwd(pppd_t)
|
||||
+#auth_run_chk_passwd(pppd_t,pppd_roles)
|
||||
auth_write_login_records(pppd_t)
|
||||
|
||||
logging_send_syslog_msg(pppd_t)
|
||||
@@ -196,7 +199,8 @@ userdom_search_admin_dir(pppd_t)
|
||||
ppp_exec(pppd_t)
|
||||
|
||||
optional_policy(`
|
||||
- ddclient_run(pppd_t, pppd_roles)
|
||||
+ #ddclient_run(pppd_t, pppd_roles)
|
||||
+ ddclient_domtrans(pppd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
diff --git a/usernetctl.if b/usernetctl.if
|
||||
index d45c715..2d4f1ba 100644
|
||||
--- a/usernetctl.if
|
||||
+++ b/usernetctl.if
|
||||
@@ -37,9 +37,26 @@ interface(`usernetctl_domtrans',`
|
||||
#
|
||||
interface(`usernetctl_run',`
|
||||
gen_require(`
|
||||
- attribute_role usernetctl_roles;
|
||||
+ type usernetctl_t;
|
||||
+ #attribute_role usernetctl_roles;
|
||||
')
|
||||
|
||||
- usernetctl_domtrans($1)
|
||||
- roleattribute $2 usernetctl_roles;
|
||||
+ #usernetctl_domtrans($1)
|
||||
+ #roleattribute $2 usernetctl_roles;
|
||||
+
|
||||
+ sysnet_run_ifconfig(usernetctl_t, $2)
|
||||
+ sysnet_run_dhcpc(usernetctl_t, $2)
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ iptables_run(usernetctl_t, $2)
|
||||
+ ')
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ modutils_run_insmod(usernetctl_t, $2)
|
||||
+ ')
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ ppp_run(usernetctl_t, $2)
|
||||
+ ')
|
||||
+
|
||||
')
|
||||
diff --git a/usernetctl.te b/usernetctl.te
|
||||
index 8604c1c..35b12a6 100644
|
||||
--- a/usernetctl.te
|
||||
+++ b/usernetctl.te
|
||||
@@ -5,13 +5,14 @@ policy_module(usernetctl, 1.6.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
-attribute_role usernetctl_roles;
|
||||
+#attribute_role usernetctl_roles;
|
||||
|
||||
type usernetctl_t;
|
||||
type usernetctl_exec_t;
|
||||
application_domain(usernetctl_t, usernetctl_exec_t)
|
||||
domain_interactive_fd(usernetctl_t)
|
||||
-role usernetctl_roles types usernetctl_t;
|
||||
+#role usernetctl_roles types usernetctl_t;
|
||||
+role system_r types usernetctl_t;
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -63,29 +64,30 @@ sysnet_read_config(usernetctl_t)
|
||||
|
||||
userdom_use_inherited_user_terminals(usernetctl_t)
|
||||
|
||||
-sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
|
||||
-sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
|
||||
+#sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
|
||||
+#sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
|
||||
|
||||
optional_policy(`
|
||||
- consoletype_run(usernetctl_t, usernetctl_roles)
|
||||
+ #consoletype_run(usernetctl_t, usernetctl_roles)
|
||||
+ consoletype_exec(usernetctl_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
hostname_exec(usernetctl_t)
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- iptables_run(usernetctl_t, usernetctl_roles)
|
||||
-')
|
||||
+#optional_policy(`
|
||||
+# iptables_run(usernetctl_t, usernetctl_roles)
|
||||
+#')
|
||||
|
||||
-optional_policy(`
|
||||
- modutils_run_insmod(usernetctl_t, usernetctl_roles)
|
||||
-')
|
||||
+#optional_policy(`
|
||||
+# modutils_run_insmod(usernetctl_t, usernetctl_roles)
|
||||
+#')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(usernetctl_t)
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- ppp_run(usernetctl_t, usernetctl_roles)
|
||||
-')
|
||||
+#optional_policy(`
|
||||
+# ppp_run(usernetctl_t, usernetctl_roles)
|
||||
+#')
|
||||
diff --git a/vpn.if b/vpn.if
|
||||
index 7b93e07..a4e2f60 100644
|
||||
--- a/vpn.if
|
||||
+++ b/vpn.if
|
||||
@@ -37,11 +37,16 @@ interface(`vpn_domtrans',`
|
||||
#
|
||||
interface(`vpn_run',`
|
||||
gen_require(`
|
||||
- attribute_role vpnc_roles;
|
||||
+ #attribute_role vpnc_roles;
|
||||
+ type vpnc_t;
|
||||
')
|
||||
|
||||
+ #vpn_domtrans($1)
|
||||
+ #roleattribute $2 vpnc_roles;
|
||||
+
|
||||
vpn_domtrans($1)
|
||||
- roleattribute $2 vpnc_roles;
|
||||
+ role $2 types vpnc_t;
|
||||
+ sysnet_run_ifconfig(vpnc_t, $2)
|
||||
')
|
||||
|
||||
########################################
|
||||
diff --git a/vpn.te b/vpn.te
|
||||
index 99fd457..d2585bb 100644
|
||||
--- a/vpn.te
|
||||
+++ b/vpn.te
|
||||
@@ -5,14 +5,15 @@ policy_module(vpn, 1.15.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
-attribute_role vpnc_roles;
|
||||
-roleattribute system_r vpnc_roles;
|
||||
+#attribute_role vpnc_roles;
|
||||
+#roleattribute system_r vpnc_roles;
|
||||
|
||||
type vpnc_t;
|
||||
type vpnc_exec_t;
|
||||
init_system_domain(vpnc_t, vpnc_exec_t)
|
||||
application_domain(vpnc_t, vpnc_exec_t)
|
||||
-role vpnc_roles types vpnc_t;
|
||||
+#role vpnc_roles types vpnc_t;
|
||||
+role system_r types vpnc_t;
|
||||
|
||||
type vpnc_tmp_t;
|
||||
files_tmp_file(vpnc_tmp_t)
|
||||
@@ -108,7 +109,7 @@ miscfiles_read_localization(vpnc_t)
|
||||
seutil_dontaudit_search_config(vpnc_t)
|
||||
seutil_use_newrole_fds(vpnc_t)
|
||||
|
||||
-sysnet_run_ifconfig(vpnc_t, vpnc_roles)
|
||||
+#sysnet_run_ifconfig(vpnc_t, vpnc_roles)
|
||||
sysnet_etc_filetrans_config(vpnc_t)
|
||||
sysnet_manage_config(vpnc_t)
|
||||
|
||||
commit 88b64bdd71ef734271b9370fc37e02785f354f7f
|
||||
Author: Miroslav Grepl <mgrepl@redhat.com>
|
||||
Date: Thu Jun 7 02:33:40 2012 +0200
|
||||
|
||||
Fix ncftool.if
|
||||
|
||||
diff --git a/ncftool.if b/ncftool.if
|
||||
index 3a4455f..59f096b 100644
|
||||
--- a/ncftool.if
|
||||
+++ b/ncftool.if
|
||||
@@ -43,11 +43,12 @@ interface(`ncftool_run',`
|
||||
#ncftool_domtrans($1)
|
||||
#roleattribute $2 ncftool_roles;
|
||||
|
||||
- role $1 types ncftool_t;
|
||||
+ ncftool_domtrans($1)
|
||||
+ role $2 types ncftool_t;
|
||||
|
||||
- ncftool_domtrans($2)
|
||||
+ optional_policy(`
|
||||
+ brctl_run(ncftool_t, $2)
|
||||
+ ')
|
||||
|
||||
- ps_process_pattern($2, ncftool_t)
|
||||
- allow $2 ncftool_t:process signal;
|
||||
')
|
||||
|
||||
commit 1d49e7e1383a578e75d16b0b7f58dbe25351b1d9
|
||||
Author: Miroslav Grepl <mgrepl@redhat.com>
|
||||
Date: Thu Jun 7 10:47:57 2012 +0200
|
||||
|
||||
roleattriburte temp fixes for portage and dpkg
|
||||
|
||||
diff --git a/dpkg.if b/dpkg.if
|
||||
index 4d32b42..d945bd0 100644
|
||||
--- a/dpkg.if
|
||||
+++ b/dpkg.if
|
||||
@@ -62,11 +62,18 @@ interface(`dpkg_domtrans_script',`
|
||||
#
|
||||
interface(`dpkg_run',`
|
||||
gen_require(`
|
||||
- attribute_role dpkg_roles;
|
||||
+ #attribute_role dpkg_roles;
|
||||
+ type dpkg_t, dpkg_script_t
|
||||
')
|
||||
|
||||
+ #dpkg_domtrans($1)
|
||||
+ #roleattribute $2 dpkg_roles;
|
||||
+
|
||||
dpkg_domtrans($1)
|
||||
- roleattribute $2 dpkg_roles;
|
||||
+ role $2 types dpkg_t;
|
||||
+ role $2 types dpkg_script_t;
|
||||
+ seutil_run_loadpolicy(dpkg_script_t, $2)
|
||||
+
|
||||
')
|
||||
|
||||
########################################
|
||||
diff --git a/dpkg.te b/dpkg.te
|
||||
index a1b8f92..9ac1b80 100644
|
||||
--- a/dpkg.te
|
||||
+++ b/dpkg.te
|
||||
@@ -5,8 +5,8 @@ policy_module(dpkg, 1.9.1)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
-attribute_role dpkg_roles;
|
||||
-roleattribute system_r dpkg_roles;
|
||||
+#attribute_role dpkg_roles;
|
||||
+#roleattribute system_r dpkg_roles;
|
||||
|
||||
type dpkg_t;
|
||||
type dpkg_exec_t;
|
||||
@@ -17,7 +17,8 @@ domain_obj_id_change_exemption(dpkg_t)
|
||||
domain_role_change_exemption(dpkg_t)
|
||||
domain_system_change_exemption(dpkg_t)
|
||||
domain_interactive_fd(dpkg_t)
|
||||
-role dpkg_roles types dpkg_t;
|
||||
+#role dpkg_roles types dpkg_t;
|
||||
+role system_r types dpkg_t;
|
||||
|
||||
# lockfile
|
||||
type dpkg_lock_t;
|
||||
@@ -41,7 +42,8 @@ corecmd_shell_entry_type(dpkg_script_t)
|
||||
domain_obj_id_change_exemption(dpkg_script_t)
|
||||
domain_system_change_exemption(dpkg_script_t)
|
||||
domain_interactive_fd(dpkg_script_t)
|
||||
-role dpkg_roles types dpkg_script_t;
|
||||
+#role dpkg_roles types dpkg_script_t;
|
||||
+role system_r types dpkg_script_t;
|
||||
|
||||
type dpkg_script_tmp_t;
|
||||
files_tmp_file(dpkg_script_tmp_t)
|
||||
@@ -152,9 +154,12 @@ files_exec_etc_files(dpkg_t)
|
||||
init_domtrans_script(dpkg_t)
|
||||
init_use_script_ptys(dpkg_t)
|
||||
|
||||
+#libs_exec_ld_so(dpkg_t)
|
||||
+#libs_exec_lib_files(dpkg_t)
|
||||
+#libs_run_ldconfig(dpkg_t, dpkg_roles)
|
||||
libs_exec_ld_so(dpkg_t)
|
||||
libs_exec_lib_files(dpkg_t)
|
||||
-libs_run_ldconfig(dpkg_t, dpkg_roles)
|
||||
+libs_domtrans_ldconfig(dpkg_t)
|
||||
|
||||
logging_send_syslog_msg(dpkg_t)
|
||||
|
||||
@@ -196,19 +201,30 @@ domain_signull_all_domains(dpkg_t)
|
||||
files_read_etc_runtime_files(dpkg_t)
|
||||
files_exec_usr_files(dpkg_t)
|
||||
miscfiles_read_localization(dpkg_t)
|
||||
-modutils_run_depmod(dpkg_t, dpkg_roles)
|
||||
-modutils_run_insmod(dpkg_t, dpkg_roles)
|
||||
-seutil_run_loadpolicy(dpkg_t, dpkg_roles)
|
||||
-seutil_run_setfiles(dpkg_t, dpkg_roles)
|
||||
+#modutils_run_depmod(dpkg_t, dpkg_roles)
|
||||
+#modutils_run_insmod(dpkg_t, dpkg_roles)
|
||||
+#seutil_run_loadpolicy(dpkg_t, dpkg_roles)
|
||||
+#seutil_run_setfiles(dpkg_t, dpkg_roles)
|
||||
userdom_use_all_users_fds(dpkg_t)
|
||||
optional_policy(`
|
||||
mta_send_mail(dpkg_t)
|
||||
')
|
||||
+
|
||||
+
|
||||
optional_policy(`
|
||||
- usermanage_run_groupadd(dpkg_t, dpkg_roles)
|
||||
- usermanage_run_useradd(dpkg_t, dpkg_roles)
|
||||
+ modutils_domtrans_depmod(dpkg_t)
|
||||
+ modutils_domtrans_insmod(dpkg_t)
|
||||
+ seutil_domtrans_loadpolicy(dpkg_t)
|
||||
+ seutil_domtrans_setfiles(dpkg_t)
|
||||
+ usermanage_domtrans_groupadd(dpkg_t)
|
||||
+ usermanage_domtrans_useradd(dpkg_t)
|
||||
')
|
||||
|
||||
+#optional_policy(`
|
||||
+# usermanage_run_groupadd(dpkg_t, dpkg_roles)
|
||||
+# usermanage_run_useradd(dpkg_t, dpkg_roles)
|
||||
+#')
|
||||
+
|
||||
########################################
|
||||
#
|
||||
# dpkg-script Local policy
|
||||
@@ -302,11 +318,11 @@ logging_send_syslog_msg(dpkg_script_t)
|
||||
|
||||
miscfiles_read_localization(dpkg_script_t)
|
||||
|
||||
-modutils_run_depmod(dpkg_script_t, dpkg_roles)
|
||||
-modutils_run_insmod(dpkg_script_t, dpkg_roles)
|
||||
+#modutils_run_depmod(dpkg_script_t, dpkg_roles)
|
||||
+#modutils_run_insmod(dpkg_script_t, dpkg_roles)
|
||||
|
||||
-seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
|
||||
-seutil_run_setfiles(dpkg_script_t, dpkg_roles)
|
||||
+#seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
|
||||
+#seutil_run_setfiles(dpkg_script_t, dpkg_roles)
|
||||
|
||||
userdom_use_all_users_fds(dpkg_script_t)
|
||||
|
||||
@@ -319,9 +335,9 @@ optional_policy(`
|
||||
apt_use_fds(dpkg_script_t)
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- bootloader_run(dpkg_script_t, dpkg_roles)
|
||||
-')
|
||||
+#optional_policy(`
|
||||
+# bootloader_run(dpkg_script_t, dpkg_roles)
|
||||
+#')
|
||||
|
||||
optional_policy(`
|
||||
mta_send_mail(dpkg_script_t)
|
||||
@@ -335,7 +351,7 @@ optional_policy(`
|
||||
unconfined_domain(dpkg_script_t)
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- usermanage_run_groupadd(dpkg_script_t, dpkg_roles)
|
||||
- usermanage_run_useradd(dpkg_script_t, dpkg_roles)
|
||||
-')
|
||||
+#optional_policy(`
|
||||
+# usermanage_run_groupadd(dpkg_script_t, dpkg_roles)
|
||||
+# usermanage_run_useradd(dpkg_script_t, dpkg_roles)
|
||||
+#')
|
||||
diff --git a/portage.if b/portage.if
|
||||
index b4bb48a..e5e8f12 100644
|
||||
--- a/portage.if
|
||||
+++ b/portage.if
|
||||
@@ -43,11 +43,15 @@ interface(`portage_domtrans',`
|
||||
#
|
||||
interface(`portage_run',`
|
||||
gen_require(`
|
||||
- attribute_role portage_roles;
|
||||
+ type portage_t, portage_fetch_t, portage_sandbox_t;
|
||||
+ #attribute_role portage_roles;
|
||||
')
|
||||
|
||||
- portage_domtrans($1)
|
||||
- roleattribute $2 portage_roles;
|
||||
+ #portage_domtrans($1)
|
||||
+ #roleattribute $2 portage_roles;
|
||||
+ portage_domtrans($1)
|
||||
+ role $2 types { portage_t portage_fetch_t portage_sandbox_t }
|
||||
+
|
||||
')
|
||||
|
||||
########################################
|
||||
diff --git a/portage.te b/portage.te
|
||||
index 22bdf7d..f726e1d 100644
|
||||
--- a/portage.te
|
||||
+++ b/portage.te
|
||||
@@ -12,7 +12,7 @@ policy_module(portage, 1.12.4)
|
||||
## </desc>
|
||||
gen_tunable(portage_use_nfs, false)
|
||||
|
||||
-attribute_role portage_roles;
|
||||
+#attribute_role portage_roles;
|
||||
|
||||
type gcc_config_t;
|
||||
type gcc_config_exec_t;
|
||||
@@ -25,7 +25,8 @@ application_domain(portage_t, portage_exec_t)
|
||||
domain_obj_id_change_exemption(portage_t)
|
||||
rsync_entry_type(portage_t)
|
||||
corecmd_shell_entry_type(portage_t)
|
||||
-role portage_roles types portage_t;
|
||||
+#role portage_roles types portage_t;
|
||||
+role system_r types portage_t;
|
||||
|
||||
# portage compile sandbox domain
|
||||
type portage_sandbox_t;
|
||||
@@ -33,7 +34,8 @@ application_domain(portage_sandbox_t, portage_exec_t)
|
||||
# the shell is the entrypoint if regular sandbox is disabled
|
||||
# portage_exec_t is the entrypoint if regular sandbox is enabled
|
||||
corecmd_shell_entry_type(portage_sandbox_t)
|
||||
-role portage_roles types portage_sandbox_t;
|
||||
+#role portage_roles types portage_sandbox_t;
|
||||
+role system_r types portage_sandbox_t;
|
||||
|
||||
# portage package fetching domain
|
||||
type portage_fetch_t;
|
||||
@@ -41,7 +43,8 @@ type portage_fetch_exec_t;
|
||||
application_domain(portage_fetch_t, portage_fetch_exec_t)
|
||||
corecmd_shell_entry_type(portage_fetch_t)
|
||||
rsync_entry_type(portage_fetch_t)
|
||||
-role portage_roles types portage_fetch_t;
|
||||
+#role portage_roles types portage_fetch_t;
|
||||
+role system_r types portage_fetch_t;
|
||||
|
||||
type portage_devpts_t;
|
||||
term_pty(portage_devpts_t)
|
||||
@@ -115,7 +118,8 @@ files_list_all(gcc_config_t)
|
||||
init_dontaudit_read_script_status_files(gcc_config_t)
|
||||
|
||||
libs_read_lib_files(gcc_config_t)
|
||||
-libs_run_ldconfig(gcc_config_t, portage_roles)
|
||||
+#libs_run_ldconfig(gcc_config_t, portage_roles)
|
||||
+libs_domtrans_ldconfig(gcc_config_t)
|
||||
libs_manage_shared_libs(gcc_config_t)
|
||||
# gcc-config creates a temp dir for the libs
|
||||
libs_manage_lib_dirs(gcc_config_t)
|
||||
@@ -196,33 +200,41 @@ auth_manage_shadow(portage_t)
|
||||
init_exec(portage_t)
|
||||
|
||||
# run setfiles -r
|
||||
-seutil_run_setfiles(portage_t, portage_roles)
|
||||
+#seutil_run_setfiles(portage_t, portage_roles)
|
||||
# run semodule
|
||||
-seutil_run_semanage(portage_t, portage_roles)
|
||||
+#seutil_run_semanage(portage_t, portage_roles)
|
||||
|
||||
-portage_run_gcc_config(portage_t, portage_roles)
|
||||
+#portage_run_gcc_config(portage_t, portage_roles)
|
||||
# if sesandbox is disabled, compiling is performed in this domain
|
||||
portage_compile_domain(portage_t)
|
||||
|
||||
-optional_policy(`
|
||||
- bootloader_run(portage_t, portage_roles)
|
||||
-')
|
||||
+#optional_policy(`
|
||||
+# bootloader_run(portage_t, portage_roles)
|
||||
+#')
|
||||
|
||||
optional_policy(`
|
||||
cron_system_entry(portage_t, portage_exec_t)
|
||||
cron_system_entry(portage_fetch_t, portage_fetch_exec_t)
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- modutils_run_depmod(portage_t, portage_roles)
|
||||
- modutils_run_update_mods(portage_t, portage_roles)
|
||||
+#optional_policy(`
|
||||
+# modutils_run_depmod(portage_t, portage_roles)
|
||||
+# modutils_run_update_mods(portage_t, portage_roles)
|
||||
#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- usermanage_run_groupadd(portage_t, portage_roles)
|
||||
- usermanage_run_useradd(portage_t, portage_roles)
|
||||
-')
|
||||
+#optional_policy(`
|
||||
+# usermanage_run_groupadd(portage_t, portage_roles)
|
||||
+# usermanage_run_useradd(portage_t, portage_roles)
|
||||
+#')
|
||||
+
|
||||
+seutil_domtrans_setfiles(portage_t)
|
||||
+seutil_domtrans_semanage(portage_t)
|
||||
+bootloader_domtrans(portage_t)
|
||||
+modutils_domtrans_depmod(portage_t)
|
||||
+modutils_domtrans_update_mods(portage_t)
|
||||
+usermanage_domtrans_groupadd(portage_t)
|
||||
+usermanage_domtrans_useradd(portage_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
# seems to work ok without these
|
||||
commit 1797b35f16d5c863a0083148dee4ee3f93c4c4ef
|
||||
Author: Miroslav Grepl <mgrepl@redhat.com>
|
||||
Date: Thu Jun 7 10:52:09 2012 +0200
|
||||
|
||||
Fix typo
|
||||
|
||||
diff --git a/portage.if b/portage.if
|
||||
index e5e8f12..7098ded 100644
|
||||
--- a/portage.if
|
||||
+++ b/portage.if
|
||||
@@ -50,7 +50,7 @@ interface(`portage_run',`
|
||||
#portage_domtrans($1)
|
||||
#roleattribute $2 portage_roles;
|
||||
portage_domtrans($1)
|
||||
- role $2 types { portage_t portage_fetch_t portage_sandbox_t }
|
||||
+ role $2 types { portage_t portage_fetch_t portage_sandbox_t };
|
||||
|
||||
')
|
||||
|
||||
commit cf999ca29d2a4401c481e28c169e10d676d73526
|
||||
Author: Miroslav Grepl <mgrepl@redhat.com>
|
||||
Date: Thu Jun 7 10:59:22 2012 +0200
|
||||
|
||||
One more typo
|
||||
|
||||
diff --git a/dpkg.if b/dpkg.if
|
||||
index d945bd0..78736d8 100644
|
||||
--- a/dpkg.if
|
||||
+++ b/dpkg.if
|
||||
@@ -63,7 +63,7 @@ interface(`dpkg_domtrans_script',`
|
||||
interface(`dpkg_run',`
|
||||
gen_require(`
|
||||
#attribute_role dpkg_roles;
|
||||
- type dpkg_t, dpkg_script_t
|
||||
+ type dpkg_t, dpkg_script_t;
|
||||
')
|
||||
|
||||
#dpkg_domtrans($1)
|
58863
policy_contrib-rawhide.patch
Normal file
58863
policy_contrib-rawhide.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -15,16 +15,18 @@
|
||||
%endif
|
||||
%define POLICYVER 27
|
||||
%define POLICYCOREUTILSVER 2.1.9-4
|
||||
%define CHECKPOLICYVER 2.1.7-3
|
||||
%define CHECKPOLICYVER 2.1.9-4
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.10.0
|
||||
Release: 85%{?dist}
|
||||
Version: 3.11.0
|
||||
Release: 1%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
patch: policy-F16.patch
|
||||
patch1: unconfined_permissive.patch
|
||||
patch: policy-rawhide.patch
|
||||
patch1: policy_contrib-rawhide.patch
|
||||
patch2: policy_contrib-rawhide-roleattribute.patch
|
||||
patch3: policy-rawhide-roleattribute.patch
|
||||
Source1: modules-targeted.conf
|
||||
Source2: booleans-targeted.conf
|
||||
Source3: Makefile.devel
|
||||
@ -45,39 +47,47 @@ Source23: users-targeted
|
||||
Source25: users-minimum
|
||||
Source26: file_contexts.subs_dist
|
||||
Source27: selinux-policy.conf
|
||||
Source28: permissivedomains.pp
|
||||
Source29: serefpolicy-contrib-%{version}.tgz
|
||||
|
||||
Url: http://oss.tresys.com/repos/refpolicy/
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
BuildArch: noarch
|
||||
BuildRequires: python gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-python >= %{POLICYCOREUTILSVER} bzip2
|
||||
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} libsemanage >= 2.0.46-6
|
||||
Requires(post): /bin/awk /usr/bin/md5sum
|
||||
Requires(post): /bin/awk /usr/bin/sha512sum
|
||||
Requires: checkpolicy >= %{CHECKPOLICYVER} m4
|
||||
Obsoletes: selinux-policy-devel <= %{version}-%{release}
|
||||
Provides: selinux-policy-devel = %{version}-%{release}
|
||||
|
||||
%description
|
||||
SELinux Base package
|
||||
|
||||
%files
|
||||
%defattr(-,root,root,-)
|
||||
%{_mandir}/man*/*
|
||||
# policycoreutils owns these manpage directories, we only own the files within them
|
||||
%{_mandir}/ru/*/*
|
||||
%dir %{_usr}/share/selinux
|
||||
%dir %{_usr}/share/selinux/devel
|
||||
%dir %{_usr}/share/selinux/devel/include
|
||||
%dir %{_usr}/share/selinux/packages
|
||||
%dir %{_sysconfdir}/selinux
|
||||
%ghost %config(noreplace) %{_sysconfdir}/selinux/config
|
||||
%ghost %{_sysconfdir}/sysconfig/selinux
|
||||
%{_usr}/lib/tmpfiles.d/selinux-policy.conf
|
||||
|
||||
%package devel
|
||||
Summary: SELinux policy devel
|
||||
Group: System Environment/Base
|
||||
Requires(pre): selinux-policy = %{version}-%{release}
|
||||
|
||||
%description devel
|
||||
SELinux policy development and man page package
|
||||
|
||||
%files devel
|
||||
%defattr(-,root,root,-)
|
||||
%{_mandir}/man*/*
|
||||
%{_mandir}/ru/*/*
|
||||
%dir %{_usr}/share/selinux/devel
|
||||
%dir %{_usr}/share/selinux/devel/include
|
||||
%{_usr}/share/selinux/devel/include/*
|
||||
%{_usr}/share/selinux/devel/Makefile
|
||||
%{_usr}/share/selinux/devel/example.*
|
||||
%{_usr}/share/selinux/devel/policy.*
|
||||
%{_usr}/lib/tmpfiles.d/selinux-policy.conf
|
||||
|
||||
%if %{BUILD_DOC}
|
||||
%package doc
|
||||
Summary: SELinux policy documentation
|
||||
Group: System Environment/Base
|
||||
@ -91,7 +101,7 @@ SELinux policy documentation package
|
||||
%defattr(-,root,root,-)
|
||||
%doc %{_usr}/share/doc/%{name}-%{version}
|
||||
%attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp
|
||||
%endif
|
||||
%{_usr}/share/selinux/devel/policy.*
|
||||
|
||||
%define makeCmds() \
|
||||
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 bare \
|
||||
@ -105,6 +115,7 @@ make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOL
|
||||
make validate UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 modules \
|
||||
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install \
|
||||
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install-appconfig \
|
||||
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/logins \
|
||||
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/policy \
|
||||
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules \
|
||||
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/contexts/files \
|
||||
@ -127,8 +138,9 @@ rm -f %{buildroot}/%{_usr}/share/selinux/%1/base.pp \
|
||||
for i in %{buildroot}/%{_usr}/share/selinux/%1/*.pp; do bzip2 -c $i > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules/`basename $i`; done \
|
||||
rm -f %{buildroot}/%{_usr}/share/selinux/%1/*pp* \
|
||||
/usr/sbin/semodule -s %1 -n -B -p %{buildroot}; \
|
||||
/usr/bin/md5sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policymd5; \
|
||||
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts
|
||||
/usr/bin/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
|
||||
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \
|
||||
rm -f %{buildroot}/%{_sysconfigdir}/selinux/%1/modules/active/policy.kern
|
||||
%nil
|
||||
|
||||
%define fileList() \
|
||||
@ -137,13 +149,14 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts
|
||||
%dir %{_sysconfdir}/selinux/%1 \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
|
||||
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \
|
||||
%dir %{_sysconfdir}/selinux/%1/logins \
|
||||
%dir %{_sysconfdir}/selinux/%1/modules \
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/semanage.read.LOCK \
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/semanage.trans.LOCK \
|
||||
%dir %attr(700,root,root) %dir %{_sysconfdir}/selinux/%1/modules/active \
|
||||
%dir %{_sysconfdir}/selinux/%1/modules/active/modules \
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/policy.kern \
|
||||
%verify(not md5 size md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/commit_num \
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/commit_num \
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/base.pp \
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/file_contexts \
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/file_contexts.homedirs \
|
||||
@ -157,7 +170,7 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts
|
||||
%ghost %{_sysconfdir}/selinux/%1/modules/active/seusers \
|
||||
%dir %{_sysconfdir}/selinux/%1/policy/ \
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
|
||||
%{_sysconfdir}/selinux/%1/.policymd5 \
|
||||
%{_sysconfdir}/selinux/%1/.policy.sha512 \
|
||||
%dir %{_sysconfdir}/selinux/%1/contexts \
|
||||
%config %{_sysconfdir}/selinux/%1/contexts/customizable_types \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \
|
||||
@ -166,6 +179,7 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts
|
||||
%config %{_sysconfdir}/selinux/%1/contexts/default_contexts \
|
||||
%config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \
|
||||
%config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \
|
||||
%config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \
|
||||
%config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \
|
||||
@ -191,8 +205,8 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts
|
||||
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
|
||||
/usr/sbin/selinuxenabled; \
|
||||
if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
|
||||
/sbin/fixfiles -C ${FILE_CONTEXT}.pre restore; \
|
||||
/sbin/restorecon -R /root /var/log /var/run /etc/passwd* /etc/group* 2> /dev/null; \
|
||||
/sbin/fixfiles -C ${FILE_CONTEXT}.pre restore 2> /dev/null; \
|
||||
/sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* 2> /dev/null; \
|
||||
rm -f ${FILE_CONTEXT}.pre; \
|
||||
fi;
|
||||
|
||||
@ -204,10 +218,10 @@ if [ $1 -ne 1 ] && [ -s /etc/selinux/config ]; then \
|
||||
[ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
|
||||
fi; \
|
||||
touch /etc/selinux/%1/.rebuild; \
|
||||
if [ -e /etc/selinux/%1/.policymd5 ]; then \
|
||||
md5=`md5sum /etc/selinux/%1/modules/active/policy.kern | cut -d ' ' -f 1`; \
|
||||
checkmd5=`cat /etc/selinux/%1/.policymd5`; \
|
||||
if [ "$md5" == "$checkmd5" ] ; then \
|
||||
if [ -e /etc/selinux/%1/.policy.sha512 ]; then \
|
||||
sha512=`sha512sum /etc/selinux/%1/modules/active/policy.kern | cut -d ' ' -f 1`; \
|
||||
checksha512=`cat /etc/selinux/%1/.policy.sha512`; \
|
||||
if [ "$sha512" == "$checksha512" ] ; then \
|
||||
rm /etc/selinux/%1/.rebuild; \
|
||||
fi; \
|
||||
fi; \
|
||||
@ -218,7 +232,7 @@ fi;
|
||||
if [ -e /etc/selinux/%2/.rebuild ]; then \
|
||||
rm /etc/selinux/%2/.rebuild; \
|
||||
if [ %1 -ne 1 ]; then \
|
||||
/usr/sbin/semodule -n -s %2 -r kudzu kerneloops execmem openoffice ada tzdata hal hotplug howl java mono moilscanner gamin audio_entropy audioentropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd 2>/dev/null; \
|
||||
/usr/sbin/semodule -n -s %2 -r xfs kudzu kerneloops execmem openoffice ada tzdata hal hotplug howl java mono moilscanner gamin audio_entropy audioentropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd 2>/dev/null; \
|
||||
fi \
|
||||
rm -f /etc/selinux/%2/modules/active/modules/qemu.pp /etc/selinux/%2/modules/active/modules/nsplugin.pp \
|
||||
/usr/sbin/semodule -B -n -s %2; \
|
||||
@ -240,9 +254,15 @@ Based off of reference policy: Checked out revision 2.20091117
|
||||
%build
|
||||
|
||||
%prep
|
||||
%setup -n serefpolicy-contrib-%{version} -q -b 29
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
contrib_path=`pwd`
|
||||
%setup -n serefpolicy-%{version} -q
|
||||
%patch -p1
|
||||
#%patch1 -p1 -b .unconfined
|
||||
%patch3 -p1
|
||||
refpolicy_path=`pwd`
|
||||
cp $contrib_path/* $refpolicy_path/policy/modules/contrib
|
||||
|
||||
%install
|
||||
mkdir selinux_config
|
||||
@ -252,8 +272,6 @@ done
|
||||
tar zxvf selinux_config/config.tgz
|
||||
# Build targeted policy
|
||||
%{__rm} -fR %{buildroot}
|
||||
mkdir -p %{buildroot}%{_mandir}
|
||||
cp -R man/* %{buildroot}%{_mandir}
|
||||
mkdir -p %{buildroot}%{_sysconfdir}/selinux
|
||||
mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
|
||||
touch %{buildroot}%{_sysconfdir}/selinux/config
|
||||
@ -269,6 +287,8 @@ make clean
|
||||
%if %{BUILD_TARGETED}
|
||||
# Build targeted policy
|
||||
# Commented out because only targeted ref policy currently builds
|
||||
mkdir -p %{buildroot}%{_usr}/share/selinux/targeted
|
||||
cp %{SOURCE28} %{buildroot}/%{_usr}/share/selinux/targeted
|
||||
%makeCmds targeted mcs n allow
|
||||
%installCmds targeted mcs n allow
|
||||
%endif
|
||||
@ -276,6 +296,8 @@ make clean
|
||||
%if %{BUILD_MINIMUM}
|
||||
# Build minimum policy
|
||||
# Commented out because only minimum ref policy currently builds
|
||||
mkdir -p %{buildroot}%{_usr}/share/selinux/minimum
|
||||
cp %{SOURCE28} %{buildroot}/%{_usr}/share/selinux/minimum
|
||||
%makeCmds minimum mcs n allow
|
||||
%installCmds minimum mcs n allow
|
||||
%modulesList minimum
|
||||
@ -287,22 +309,20 @@ make clean
|
||||
%installCmds mls mls n deny
|
||||
%endif
|
||||
|
||||
%if %{BUILD_DOC}
|
||||
mkdir -p %{buildroot}%{_mandir}
|
||||
cp -R man/* %{buildroot}%{_mandir}
|
||||
make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-docs
|
||||
%endif
|
||||
|
||||
make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-headers
|
||||
|
||||
mkdir %{buildroot}%{_usr}/share/selinux/devel/
|
||||
mkdir %{buildroot}%{_usr}/share/selinux/packages/
|
||||
mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
|
||||
install -m 644 selinux_config/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile
|
||||
install -m 644 doc/example.* %{buildroot}%{_usr}/share/selinux/devel/
|
||||
install -m 644 doc/policy.* %{buildroot}%{_usr}/share/selinux/devel/
|
||||
%if %{BUILD_DOC}
|
||||
echo "xdg-open file:///usr/share/doc/selinux-policy-%{version}/html/index.html"> %{buildroot}%{_usr}/share/selinux/devel/policyhelp
|
||||
chmod +x %{buildroot}%{_usr}/share/selinux/devel/policyhelp
|
||||
%endif
|
||||
|
||||
mkdir %{buildroot}%{_usr}/share/selinux/packages/
|
||||
|
||||
rm -rf selinux_config
|
||||
%clean
|
||||
%{__rm} -fR %{buildroot}
|
||||
@ -321,6 +341,7 @@ echo "
|
||||
SELINUX=enforcing
|
||||
# SELINUXTYPE= can take one of these two values:
|
||||
# targeted - Targeted processes are protected,
|
||||
# minimum - Modification of targeted policy. Only selected processes are protected.
|
||||
# mls - Multi Level Security protection.
|
||||
SELINUXTYPE=targeted
|
||||
|
||||
@ -483,7 +504,475 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Feb 13 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-85
|
||||
* Thu Jun 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-1
|
||||
- Mass merge with upstream
|
||||
* new policy topology to include contrib policy modules
|
||||
* we have now two base policy patches
|
||||
|
||||
* Wed May 30 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-128
|
||||
- Fix description of authlogin_nsswitch_use_ldap
|
||||
- Fix transition rule for rhsmcertd_t needed for RHEL7
|
||||
- Allow useradd to list nfs state data
|
||||
- Allow openvpn to manage its log file and directory
|
||||
- We want vdsm to transition to mount_t when executing mount command to make sure /etc/mtab remains labeled correctly
|
||||
- Allow thumb to use nvidia devices
|
||||
- Allow local_login to create user_tmp_t files for kerberos
|
||||
- Pulseaudio needs to read systemd_login /var/run content
|
||||
- virt should only transition named system_conf_t config files
|
||||
- Allow munin to execute its plugins
|
||||
- Allow nagios system plugin to read /etc/passwd
|
||||
- Allow plugin to connect to soundd port
|
||||
- Fix httpd_passwd to be able to ask passwords
|
||||
- Radius servers can use ldap for backing store
|
||||
- Seems to need to mount on /var/lib for xguest polyinstatiation to work.
|
||||
- Allow systemd_logind to list the contents of gnome keyring
|
||||
- VirtualGL need xdm to be able to manage content in /etc/opt/VirtualGL
|
||||
- Add policy for isns-utils
|
||||
|
||||
* Mon May 28 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-127
|
||||
- Add policy for subversion daemon
|
||||
- Allow boinc to read passwd
|
||||
- Allow pads to read kernel network state
|
||||
- Fix man2html interface for sepolgen-ifgen
|
||||
- Remove extra /usr/lib/systemd/system/smb
|
||||
- Remove all /lib/systemd and replace with /usr/lib/systemd
|
||||
- Add policy for man2html
|
||||
- Fix the label of kerberos_home_t to krb5_home_t
|
||||
- Allow mozilla plugins to use Citrix
|
||||
- Allow tuned to read /proc/sys/kernel/nmi_watchdog
|
||||
- Allow tune /sys options via systemd's tmpfiles.d "w" type
|
||||
|
||||
* Wed May 23 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-126
|
||||
- Dontaudit lpr_t to read/write leaked mozilla tmp files
|
||||
- Add file name transition for .grl-podcasts directory
|
||||
- Allow corosync to read user tmp files
|
||||
- Allow fenced to create snmp lib dirs/files
|
||||
- More fixes for sge policy
|
||||
- Allow mozilla_plugin_t to execute any application
|
||||
- Allow dbus to read/write any open file descriptors to any non security file on the system that it inherits to that it can pass them to another domain
|
||||
- Allow mongod to read system state information
|
||||
- Fix wrong type, we should dontaudit sys_admin for xdm_t not xserver_t
|
||||
- Allow polipo to manage polipo_cache dirs
|
||||
- Add jabbar_client port to mozilla_plugin_t
|
||||
- Cleanup procmail policy
|
||||
- system bus will pass around open file descriptors on files that do not have labels on them
|
||||
- Allow l2tpd_t to read system state
|
||||
- Allow tuned to run ls /dev
|
||||
- Allow sudo domains to read usr_t files
|
||||
- Add label to machine-id
|
||||
- Fix corecmd_read_bin_symlinks cut and paste error
|
||||
|
||||
* Wed May 16 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-125
|
||||
- Fix pulseaudio port definition
|
||||
- Add labeling for condor_starter
|
||||
- Allow chfn_t to creat user_tmp_files
|
||||
- Allow chfn_t to execute bin_t
|
||||
- Allow prelink_cron_system_t to getpw calls
|
||||
- Allow sudo domains to manage kerberos rcache files
|
||||
- Allow user_mail_domains to work with courie
|
||||
- Port definitions necessary for running jboss apps within openshift
|
||||
- Add support for openstack-nova-metadata-api
|
||||
- Add support for nova-console*
|
||||
- Add support for openstack-nova-xvpvncproxy
|
||||
- Fixes to make privsep+SELinux working if we try to use chage to change passwd
|
||||
- Fix auth_role() interface
|
||||
- Allow numad to read sysfs
|
||||
- Allow matahari-rpcd to execute shell
|
||||
- Add label for ~/.spicec
|
||||
- xdm is executing lspci as root which is requesting a sys_admin priv but seems to succeed without it
|
||||
- Devicekit_disk wants to read the logind sessions file when writing a cd
|
||||
- Add fixes for condor to make condor jobs working correctly
|
||||
- Change label of /var/log/rpmpkgs to cron_log_t
|
||||
- Access requires to allow systemd-tmpfiles --create to work.
|
||||
- Fix obex to be a user application started by the session bus.
|
||||
- Add additional filename trans rules for kerberos
|
||||
- Fix /var/run/heartbeat labeling
|
||||
- Allow apps that are managing rcache to file trans correctly
|
||||
- Allow openvpn to authenticate against ldap server
|
||||
- Containers need to listen to network starting and stopping events
|
||||
|
||||
* Wed May 9 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-124
|
||||
- Make systemd unit files less specific
|
||||
|
||||
* Tue May 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-123
|
||||
- Fix zarafa labeling
|
||||
- Allow guest_t to fix labeling
|
||||
- corenet_tcp_bind_all_unreserved_ports(ssh_t) should be called with the user_tcp_server boolean
|
||||
- add lxc_contexts
|
||||
- Allow accountsd to read /proc
|
||||
- Allow restorecond to getattr on all file sytems
|
||||
- tmpwatch now calls getpw
|
||||
- Allow apache daemon to transition to pwauth domain
|
||||
- Label content under /var/run/user/NAME/keyring* as gkeyringd_tmp_t
|
||||
- The obex socket seems to be a stream socket
|
||||
- dd label for /var/run/nologin
|
||||
|
||||
* Mon May 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-122
|
||||
- Allow jetty running as httpd_t to read hugetlbfs files
|
||||
- Allow sys_nice and setsched for rhsmcertd
|
||||
- Dontaudit attempts by mozilla_plugin_t to bind to ssdp ports
|
||||
- Allow setfiles to append to xdm_tmp_t
|
||||
- Add labeling for /export as a usr_t directory
|
||||
- Add labels for .grl files created by gstreamer
|
||||
|
||||
* Fri May 4 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-121
|
||||
- Add labeling for /usr/share/jetty/bin/jetty.sh
|
||||
- Add jetty policy which contains file type definitios
|
||||
- Allow jockey to use its own fifo_file and make this the default for all domains
|
||||
- Allow mozilla_plugins to use spice (vnc_port/couchdb)
|
||||
- asterisk wants to read the network state
|
||||
- Blueman now uses /var/lib/blueman- Add label for nodejs_debug
|
||||
- Allow mozilla_plugin_t to create ~/.pki directory and content
|
||||
|
||||
* Wed May 2 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-120
|
||||
- Add clamscan_can_scan_system boolean
|
||||
- Allow mysqld to read kernel network state
|
||||
- Allow sshd to read/write condor lib files
|
||||
- Allow sshd to read/write condor-startd tcp socket
|
||||
- Fix description on httpd_graceful_shutdown
|
||||
- Allow glance_registry to communicate with mysql
|
||||
- dbus_system_domain is using systemd to lauch applications
|
||||
- add interfaces to allow domains to send kill signals to user mail agents
|
||||
- Remove unnessary access for svirt_lxc domains, add privs for virtd_lxc_t
|
||||
- Lots of new access required for secure containers
|
||||
- Corosync needs sys_admin capability
|
||||
- ALlow colord to create shm
|
||||
- .orc should be allowed to be created by any app that can create gstream home content, thumb_t to be specific
|
||||
- Add boolean to control whether or not mozilla plugins can create random content in the users homedir
|
||||
- Add new interface to allow domains to list msyql_db directories, needed for libra
|
||||
- shutdown has to be allowed to delete etc_runtime_t
|
||||
- Fail2ban needs to read /etc/passwd
|
||||
- Allow ldconfig to create /var/cache/ldconfig
|
||||
- Allow tgtd to read hardware state information
|
||||
- Allow collectd to create packet socket
|
||||
- Allow chronyd to send signal to itself
|
||||
- Allow collectd to read /dev/random
|
||||
- Allow collectd to send signal to itself
|
||||
- firewalld needs to execute restorecon
|
||||
- Allow restorecon and other login domains to execute restorecon
|
||||
|
||||
* Tue Apr 26 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-119
|
||||
- Allow logrotate to getattr on systemd unit files
|
||||
- Add support for tor systemd unit file
|
||||
- Allow apmd to create /var/run/pm-utils with the correct label
|
||||
- Allow l2tpd to send sigkill to pppd
|
||||
- Allow pppd to stream connect to l2tpd
|
||||
- Add label for scripts in /etc/gdm/
|
||||
- Allow systemd_logind_t to ignore mcs constraints on sigkill
|
||||
- Fix files_filetrans_system_conf_named_files() interface
|
||||
- Add labels for /usr/share/wordpress/wp-includes/*.php
|
||||
- Allow cobbler to get SELinux mode and booleans
|
||||
|
||||
* Mon Apr 23 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-118
|
||||
- Add unconfined_execmem_exec_t as an alias to bin_t
|
||||
- Allow fenced to read snmp var lib files, also allow it to read usr_t
|
||||
- ontaudit access checks on all executables from mozilla_plugin
|
||||
- Allow all user domains to setexec, so that sshd will work properly if it call setexec(NULL) while running withing a user mode
|
||||
- Allow systemd_tmpfiles_t to getattr all pipes and sockets
|
||||
- Allow glance-registry to send system log messages
|
||||
- semanage needs to manage mock lib files/dirs
|
||||
|
||||
* Sun Apr 22 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-117
|
||||
- Add policy for abrt-watch-log
|
||||
- Add definitions for jboss_messaging ports
|
||||
- Allow systemd_tmpfiles to manage printer devices
|
||||
- Allow oddjob to use nsswitch
|
||||
- Fix labeling of log files for postgresql
|
||||
- Allow mozilla_plugin_t to execmem and execstack by default
|
||||
- Allow firewalld to execute shell
|
||||
- Fix /etc/wicd content files to get created with the correct label
|
||||
- Allow mcelog to exec shell
|
||||
- Add ~/.orc as a gstreamer_home_t
|
||||
- /var/spool/postfix/lib64 should be labeled lib_t
|
||||
- mpreaper should be able to list all file system labeled directories
|
||||
- Add support for apache to use openstack
|
||||
- Add labeling for /etc/zipl.conf and zipl binary
|
||||
- Turn on allow_execstack and turn off telepathy transition for final release
|
||||
|
||||
* Mon Apr 15 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-116
|
||||
- More access required for virt_qmf_t
|
||||
- Additional assess required for systemd-logind to support multi-seat
|
||||
- Allow mozilla_plugin to setrlimit
|
||||
- Revert changes to fuse file system to stop deadlock
|
||||
|
||||
* Mon Apr 15 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-115
|
||||
- Allow condor domains to connect to ephemeral ports
|
||||
- More fixes for condor policy
|
||||
- Allow keystone to stream connect to mysqld
|
||||
- Allow mozilla_plugin_t to read generic USB device to support GPS devices
|
||||
- Allow thum to file name transition gstreamer home content
|
||||
- Allow thum to read all non security files
|
||||
- Allow glance_api_t to connect to ephemeral ports
|
||||
- Allow nagios plugins to read /dev/urandom
|
||||
- Allow syslogd to search postfix spool to support postfix chroot env
|
||||
- Fix labeling for /var/spool/postfix/dev
|
||||
- Allow wdmd chown
|
||||
- Label .esd_auth as pulseaudio_home_t
|
||||
- Have no idea why keyring tries to write to /run/user/dwalsh/dconf/user, but we can dontaudit for now
|
||||
|
||||
* Fri Apr 13 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-114
|
||||
- Add support for clamd+systemd
|
||||
- Allow fresclam to execute systemctl to handle clamd
|
||||
- Change labeling for /usr/sbin/rpc.ypasswd.env
|
||||
- Allow yppaswd_t to execute yppaswd_exec_t
|
||||
- Allow yppaswd_t to read /etc/passwd
|
||||
- Gnomekeyring socket has been moved to /run/user/USER/
|
||||
- Allow samba-net to connect to ldap port
|
||||
- Allow signal for vhostmd
|
||||
- allow mozilla_plugin_t to read user_home_t socket
|
||||
- New access required for secure Linux Containers
|
||||
- zfs now supports xattrs
|
||||
- Allow quantum to execute sudo and list sysfs
|
||||
- Allow init to dbus chat with the firewalld
|
||||
- Allow zebra to read /etc/passwd
|
||||
|
||||
* Tue Apr 10 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-113
|
||||
- Allow svirt_t to create content in the users homedir under ~/.libvirt
|
||||
- Fix label on /var/lib/heartbeat
|
||||
- Allow systemd_logind_t to send kill signals to all processes started by a user
|
||||
- Fuse now supports Xattr Support
|
||||
|
||||
* Tue Apr 10 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-112
|
||||
- upowered needs to setsched on the kernel
|
||||
- Allow mpd_t to manage log files
|
||||
- Allow xdm_t to create /var/run/systemd/multi-session-x
|
||||
- Add rules for missedfont.log to be used by thumb.fc
|
||||
- Additional access required for virt_qmf_t
|
||||
- Allow dhclient to dbus chat with the firewalld
|
||||
- Add label for lvmetad
|
||||
- Allow systemd_logind_t to remove userdomain sock_files
|
||||
- Allow cups to execute usr_t files
|
||||
- Fix labeling on nvidia shared libraries
|
||||
- wdmd_t needs access to sssd and /etc/passwd
|
||||
- Add boolean to allow ftp servers to run in passive mode
|
||||
- Allow namepspace_init_t to relabelto/from a different user system_u from the user the namespace_init running with
|
||||
- Fix using httpd_use_fusefs
|
||||
- Allow chrome_sandbox_nacl to write inherited user tmp files as we allow it for chrome_sandbox
|
||||
|
||||
* Fri Apr 6 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-111
|
||||
- Rename rdate port to time port, and allow gnomeclock to connect to it
|
||||
- We no longer need to transition to ldconfig from rpm, rpm_script, or anaconda
|
||||
- /etc/auto.* should be labeled bin_t
|
||||
- Add httpd_use_fusefs boolean
|
||||
- Add fixes for heartbeat
|
||||
- Allow sshd_t to signal processes that it transitions to
|
||||
- Add condor policy
|
||||
- Allow svirt to create monitors in ~/.libvirt
|
||||
- Allow dovecot to domtrans sendmail to handle sieve scripts
|
||||
- Lot of fixes for cfengine
|
||||
|
||||
* Tue Apr 3 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-110
|
||||
- /var/run/postmaster.* labeling is no longer needed
|
||||
- Alllow drbdadmin to read /dev/urandom
|
||||
- l2tpd_t seems to use ptmx
|
||||
- group+ and passwd+ should be labeled as /etc/passwd
|
||||
- Zarafa-indexer is a socket
|
||||
|
||||
* Fri Mar 30 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-109
|
||||
- Ensure lastlog is labeled correctly
|
||||
- Allow accountsd to read /proc data about gdm
|
||||
- Add fixes for tuned
|
||||
- Add bcfg2 fixes which were discovered during RHEL6 testing
|
||||
- More fixes for gnome-keyring socket being moved
|
||||
- Run semanage as a unconfined domain, and allow initrc_t to create tmpfs_t sym links on shutdown
|
||||
- Fix description for files_dontaudit_read_security_files() interface
|
||||
|
||||
* Wed Mar 28 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-108
|
||||
- Add new policy and man page for bcfg2
|
||||
- cgconfig needs to use getpw calls
|
||||
- Allow domains that communicate with the keyring to use cache_home_t instead of gkeyringd_tmpt
|
||||
- gnome-keyring wants to create a directory in cache_home_t
|
||||
- sanlock calls getpw
|
||||
|
||||
* Wed Mar 28 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-107
|
||||
- Add numad policy and numad man page
|
||||
- Add fixes for interface bugs discovered by SEWatch
|
||||
- Add /tmp support for squid
|
||||
- Add fix for #799102
|
||||
* change default labeling for /var/run/slapd.* sockets
|
||||
- Make thumb_t as userdom_home_reader
|
||||
- label /var/lib/sss/mc same as pubconf, so getpw domains can read it
|
||||
- Allow smbspool running as cups_t to stream connect to nmbd
|
||||
- accounts needs to be able to execute passwd on behalf of users
|
||||
- Allow systemd_tmpfiles_t to delete boot flags
|
||||
- Allow dnssec_trigger to connect to apache ports
|
||||
- Allow gnome keyring to create sock_files in ~/.cache
|
||||
- google_authenticator is using .google_authenticator
|
||||
- sandbox running from within firefox is exposing more leaks
|
||||
- Dontaudit thumb to read/write /dev/card0
|
||||
- Dontaudit getattr on init_exec_t for gnomeclock_t
|
||||
- Allow certmonger to do a transition to certmonger_unconfined_t
|
||||
- Allow dhcpc setsched which is caused by nmcli
|
||||
- Add rpm_exec_t for /usr/sbin/bcfg2
|
||||
- system cronjobs are sending dbus messages to systemd_logind
|
||||
- Thumnailers read /dev/urand
|
||||
|
||||
* Thu Mar 22 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-106
|
||||
- Allow auditctl getcap
|
||||
- Allow vdagent to use libsystemd-login
|
||||
- Allow abrt-dump-oops to search /etc/abrt
|
||||
- Got these avc's while trying to print a boarding pass from firefox
|
||||
- Devicekit is now putting the media directory under /run/media
|
||||
- Allow thumbnailers to create content in ~/.thumbails directory
|
||||
- Add support for proL2TPd by Dominick Grift
|
||||
- Allow all domains to call getcap
|
||||
- wdmd seems to get a random chown capability check that it does not need
|
||||
- Allow vhostmd to read kernel sysctls
|
||||
|
||||
* Wed Mar 21 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-105
|
||||
- Allow chronyd to read unix
|
||||
- Allow hpfax to read /etc/passwd
|
||||
- Add support matahari vios-proxy-* apps and add virtd_exec_t label for them
|
||||
- Allow rpcd to read quota_db_t
|
||||
- Update to man pages to match latest policy
|
||||
- Fix bug in jockey interface for sepolgen-ifgen
|
||||
- Add initial svirt_prot_exec_t policy
|
||||
|
||||
* Mon Mar 19 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-104
|
||||
- More fixes for systemd from Dan Walsh
|
||||
|
||||
* Mon Mar 19 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-103
|
||||
- Add a new type for /etc/firewalld and allow firewalld to write to this directory
|
||||
- Add definition for ~/Maildir, and allow mail deliver domains to write there
|
||||
- Allow polipo to run from a cron job
|
||||
- Allow rtkit to schedule wine processes
|
||||
- Allow mozilla_plugin_t to acquire a bug, and allow it to transition gnome content in the home dir to the proper label
|
||||
- Allow users domains to send signals to consolehelper domains
|
||||
|
||||
* Fri Mar 16 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-102
|
||||
- More fixes for boinc policy
|
||||
- Allow polipo domain to create its own cache dir and pid file
|
||||
- Add systemctl support to httpd domain
|
||||
- Add systemctl support to polipo, allow NetworkManager to manage the service
|
||||
- Add policy for jockey-backend
|
||||
- Add support for motion daemon which is now covered by zoneminder policy
|
||||
- Allow colord to read/write motion tmpfs
|
||||
- Allow vnstat to search through var_lib_t directories
|
||||
- Stop transitioning to quota_t, from init an sysadm_t
|
||||
|
||||
* Wed Mar 14 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-101
|
||||
- Add svirt_lxc_file_t as a customizable type
|
||||
|
||||
* Wed Mar 14 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-100
|
||||
- Add additional fixes for icmp nagios plugin
|
||||
- Allow cron jobs to open fifo_files from cron, since service script opens /dev/stdin
|
||||
- Add certmonger_unconfined_exec_t
|
||||
- Make sure tap22 device is created with the correct label
|
||||
- Allow staff users to read systemd unit files
|
||||
- Merge in previously built policy
|
||||
- Arpwatch needs to be able to start netlink sockets in order to start
|
||||
- Allow cgred_t to sys_ptrace to look at other DAC Processes
|
||||
|
||||
* Mon Mar 12 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-99
|
||||
- Back port some of the access that was allowed in nsplugin_t
|
||||
- Add definitiona for couchdb ports
|
||||
- Allow nagios to use inherited users ttys
|
||||
- Add git support for mock
|
||||
- Allow inetd to use rdate port
|
||||
- Add own type for rdate port
|
||||
- Allow samba to act as a portmapper
|
||||
- Dontaudit chrome_sandbox attempts to getattr on chr_files in /dev
|
||||
- New fixes needed for samba4
|
||||
- Allow apps that use lib_t to read lib_t symlinks
|
||||
|
||||
* Fri Mar 9 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-98
|
||||
- Add policy for nove-cert
|
||||
- Add labeling for nova-openstack systemd unit files
|
||||
- Add policy for keystoke
|
||||
|
||||
* Thu Mar 8 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-97
|
||||
- Fix man pages fro domains
|
||||
- Add man pages for SELinux users and roles
|
||||
- Add storage_dev_filetrans_named_fixed_disk() and use it for smartmon
|
||||
- Add policy for matahari-rpcd
|
||||
- nfsd executes mount command on restart
|
||||
- Matahari domains execute renice and setsched
|
||||
- Dontaudit leaked tty in mozilla_plugin_config
|
||||
- mailman is changing to a per instance naming
|
||||
- Add 7600 and 4447 as jboss_management ports
|
||||
- Add fixes for nagios event handlers
|
||||
- Label httpd.event as httpd_exec_t, it is an apache daemon
|
||||
|
||||
* Mon Mar 5 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-96
|
||||
- Add labeling for /var/spool/postfix/dev/log
|
||||
- NM reads sysctl.conf
|
||||
- Iscsi log file context specification fix
|
||||
- Allow mozilla plugins to send dbus messages to user domains that transition to it
|
||||
- Allow mysql to read the passwd file
|
||||
- Allow mozilla_plugin_t to create mozilla home dirs in user homedir
|
||||
- Allow deltacloud to read kernel sysctl
|
||||
- Allow postgresql_t to connectto itselfAllow postgresql_t to connectto itself
|
||||
- Allow postgresql_t to connectto itself
|
||||
- Add login_userdomain attribute for users which can log in using terminal
|
||||
|
||||
* Tue Feb 28 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-95
|
||||
- Allow sysadm_u to reach system_r by default #784011
|
||||
- Allow nagios plugins to use inherited user terminals
|
||||
- Razor labeling is not used no longer
|
||||
- Add systemd support for matahari
|
||||
- Add port_types to man page, move booleans to the top, fix some english
|
||||
- Add support for matahari-sysconfig-console
|
||||
- Clean up matahari.fc
|
||||
- Fix matahari_admin() interfac
|
||||
- Add labels for/etc/ssh/ssh_host_*.pub keys
|
||||
|
||||
* Mon Feb 27 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-94
|
||||
- Allow ksysguardproces to send system log msgs
|
||||
- Allow boinc setpgid and signull
|
||||
- Allow xdm_t to sys_ptrace to run pidof command
|
||||
- Allow smtpd_t to manage spool files/directories and symbolic links
|
||||
- Add labeling for jetty
|
||||
- Needed changes to get unbound/dnssec to work with openswan
|
||||
|
||||
* Thu Feb 23 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-93
|
||||
- Add user_fonts_t alias xfs_tmp_t
|
||||
- Since depmod now runs as insmod_t we need to write to kernel_object_t
|
||||
- Allow firewalld to dbus chat with networkmanager
|
||||
- Allow qpidd to connect to matahari ports
|
||||
- policykit needs to read /proc for uses not owned by it
|
||||
- Allow systemctl apps to connecto the init stream
|
||||
|
||||
* Wed Feb 22 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-92
|
||||
- Turn on deny_ptrace boolean
|
||||
|
||||
* Tue Feb 21 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-91
|
||||
- Remove pam_selinux.8 man page. There was a conflict.
|
||||
|
||||
* Tue Feb 21 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-90
|
||||
- Add proxy class and read access for gssd_proxy
|
||||
- Separate out the sharing public content booleans
|
||||
- Allow certmonger to execute a script and send signals to apache and dirsrv to reload the certificate
|
||||
- Add label transition for gstream-0.10 and 12
|
||||
- Add booleans to allow rsync to share nfs and cifs file sytems
|
||||
- chrome_sandbox wants to read the /proc/PID/exe file of the program that executed it
|
||||
- Fix filename transitions for cups files
|
||||
- Allow denyhosts to read "unix"
|
||||
- Add file name transition for locale.conf.new
|
||||
- Allow boinc projects to gconf config files
|
||||
- sssd needs to be able to increase the socket limit under certain loads
|
||||
- sge_execd needs to read /etc/passwd
|
||||
- Allow denyhost to check network state
|
||||
- NetworkManager needs to read sessions data
|
||||
- Allow denyhost to check network state
|
||||
- Allow xen to search virt images directories
|
||||
- Add label for /dev/megaraid_sas_ioctl_node
|
||||
- Add autogenerated man pages
|
||||
|
||||
* Thu Feb 16 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-89
|
||||
- Allow boinc project to getattr on fs
|
||||
- Allow init to execute initrc_state_t
|
||||
- rhev-agent package was rename to ovirt-guest-agent
|
||||
- If initrc_t creates /etc/local.conf then we need to make sure it is labeled correctly
|
||||
- sytemd writes content to /run/initramfs and executes it on shutdown
|
||||
- kdump_t needs to read /etc/mtab, should be back ported to F16
|
||||
- udev needs to load kernel modules in early system boot
|
||||
|
||||
* Tue Feb 14 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-88
|
||||
- Need to add sys_ptrace back in since reading any content in /proc can cause these accesses
|
||||
- Add additional systemd interfaces which are needed fro *_admin interfaces
|
||||
- Fix bind_admin() interface
|
||||
|
||||
* Mon Feb 13 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-87
|
||||
- Allow firewalld to read urand
|
||||
- Alias java, execmem_mono to bin_t to allow third parties
|
||||
- Add label for kmod
|
||||
@ -493,6 +982,31 @@ SELinux Reference policy mls base module.
|
||||
- Allow systemd_tmpfiles_t to delete all file types
|
||||
- Allow collectd to ipc_lock
|
||||
|
||||
* Fri Feb 10 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-86
|
||||
- make consoletype_exec optional, so we can remove consoletype policy
|
||||
- remove unconfined_permisive.patch
|
||||
- Allow openvpn_t to inherit user home content and tmp content
|
||||
- Fix dnssec-trigger labeling
|
||||
- Turn on obex policy for staff_t
|
||||
- Pem files should not be secret
|
||||
- Add lots of rules to fix AVC's when playing with containers
|
||||
- Fix policy for dnssec
|
||||
- Label ask-passwd directories correctly for systemd
|
||||
|
||||
* Thu Feb 9 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-85
|
||||
- sshd fixes seem to be causing unconfined domains to dyntrans to themselves
|
||||
- fuse file system is now being mounted in /run/user
|
||||
- systemd_logind is sending signals to processes that are dbus messaging with it
|
||||
- Add support for winshadow port and allow iscsid to connect to this port
|
||||
- httpd should be allowed to bind to the http_port_t udp socket
|
||||
- zarafa_var_lib_t can be a lnk_file
|
||||
- A couple of new .xsession-errors files
|
||||
- Seems like user space and login programs need to read logind_sessions_files
|
||||
- Devicekit disk seems to be being launched by systemd
|
||||
- Cleanup handling of setfiles so most of rules in te file
|
||||
- Correct port number for dnssec
|
||||
- logcheck has the home dir set to its cache
|
||||
|
||||
* Tue Feb 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-84
|
||||
- Add policy for grindengine MPI jobs
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user