* Tue Jul 9 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-62
- Fix definition of sandbox.disabled to sandbox.pp.disabled
parent
d3c6b2620c
commit
60ad55be4d
@ -3042,7 +3042,7 @@ index 7590165..19aaaed 100644
|
|||||||
+ fs_mounton_fusefs(seunshare_domain)
|
+ fs_mounton_fusefs(seunshare_domain)
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
|
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
|
||||||
index 644d4d7..38a8a2d 100644
|
index 644d4d7..51181b8 100644
|
||||||
--- a/policy/modules/kernel/corecommands.fc
|
--- a/policy/modules/kernel/corecommands.fc
|
||||||
+++ b/policy/modules/kernel/corecommands.fc
|
+++ b/policy/modules/kernel/corecommands.fc
|
||||||
@@ -1,9 +1,10 @@
|
@@ -1,9 +1,10 @@
|
||||||
@ -3229,7 +3229,7 @@ index 644d4d7..38a8a2d 100644
|
|||||||
+/usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
|
+/usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
-/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
|
-/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
+/usr/lib/systemd/system-sleep/(.*)? gen_context(system_u:object_r:bin_t,s0)
|
+/usr/lib/systemd/system-sleep(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
+/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
|
+/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
+/usr/lib/yaboot/addnote -- gen_context(system_u:object_r:bin_t,s0)
|
+/usr/lib/yaboot/addnote -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
+/usr/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
|
+/usr/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
@ -8257,7 +8257,7 @@ index 6529bd9..831344c 100644
|
|||||||
+allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
|
+allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
|
||||||
allow devices_unconfined_type mtrr_device_t:file *;
|
allow devices_unconfined_type mtrr_device_t:file *;
|
||||||
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
|
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
|
||||||
index 6a1e4d1..adafd25 100644
|
index 6a1e4d1..c691385 100644
|
||||||
--- a/policy/modules/kernel/domain.if
|
--- a/policy/modules/kernel/domain.if
|
||||||
+++ b/policy/modules/kernel/domain.if
|
+++ b/policy/modules/kernel/domain.if
|
||||||
@@ -76,33 +76,8 @@ interface(`domain_type',`
|
@@ -76,33 +76,8 @@ interface(`domain_type',`
|
||||||
@ -8296,6 +8296,15 @@ index 6a1e4d1..adafd25 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@@ -128,7 +103,7 @@ interface(`domain_entry_file',`
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 $2:file entrypoint;
|
||||||
|
- allow $1 $2:file { mmap_file_perms ioctl lock };
|
||||||
|
+ allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans };
|
||||||
|
|
||||||
|
typeattribute $2 entry_type;
|
||||||
|
|
||||||
@@ -513,6 +488,26 @@ interface(`domain_signull_all_domains',`
|
@@ -513,6 +488,26 @@ interface(`domain_signull_all_domains',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -9055,7 +9064,7 @@ index c2c6e05..be423a7 100644
|
|||||||
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
|
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
|
||||||
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||||
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
|
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
|
||||||
index 64ff4d7..fe6d89c 100644
|
index 64ff4d7..3e91f7d 100644
|
||||||
--- a/policy/modules/kernel/files.if
|
--- a/policy/modules/kernel/files.if
|
||||||
+++ b/policy/modules/kernel/files.if
|
+++ b/policy/modules/kernel/files.if
|
||||||
@@ -19,6 +19,136 @@
|
@@ -19,6 +19,136 @@
|
||||||
@ -11585,7 +11594,7 @@ index 64ff4d7..fe6d89c 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
allow $1 var_t:dir search_dir_perms;
|
allow $1 var_t:dir search_dir_perms;
|
||||||
@@ -6562,3 +7839,474 @@ interface(`files_unconfined',`
|
@@ -6562,3 +7839,491 @@ interface(`files_unconfined',`
|
||||||
|
|
||||||
typeattribute $1 files_unconfined_type;
|
typeattribute $1 files_unconfined_type;
|
||||||
')
|
')
|
||||||
@ -12060,6 +12069,23 @@ index 64ff4d7..fe6d89c 100644
|
|||||||
+ allow $1 file_type:service all_service_perms;
|
+ allow $1 file_type:service all_service_perms;
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Get the status of etc_t files
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`files_status_etc',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type etc_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 etc_t:service status;
|
||||||
|
+')
|
||||||
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
|
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
|
||||||
index 148d87a..822f6be 100644
|
index 148d87a..822f6be 100644
|
||||||
--- a/policy/modules/kernel/files.te
|
--- a/policy/modules/kernel/files.te
|
||||||
@ -16648,10 +16674,10 @@ index 234a940..d340f20 100644
|
|||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
|
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
|
||||||
index 5da7870..3577c24 100644
|
index 5da7870..1a2de40 100644
|
||||||
--- a/policy/modules/roles/staff.te
|
--- a/policy/modules/roles/staff.te
|
||||||
+++ b/policy/modules/roles/staff.te
|
+++ b/policy/modules/roles/staff.te
|
||||||
@@ -8,12 +8,67 @@ policy_module(staff, 2.3.1)
|
@@ -8,12 +8,68 @@ policy_module(staff, 2.3.1)
|
||||||
role staff_r;
|
role staff_r;
|
||||||
|
|
||||||
userdom_unpriv_user_template(staff)
|
userdom_unpriv_user_template(staff)
|
||||||
@ -16683,6 +16709,7 @@ index 5da7870..3577c24 100644
|
|||||||
+dev_read_kmsg(staff_t)
|
+dev_read_kmsg(staff_t)
|
||||||
+
|
+
|
||||||
+domain_read_all_domains_state(staff_t)
|
+domain_read_all_domains_state(staff_t)
|
||||||
|
+domain_getsched_all_domains(staff_t)
|
||||||
+domain_getattr_all_domains(staff_t)
|
+domain_getattr_all_domains(staff_t)
|
||||||
+domain_obj_id_change_exemption(staff_t)
|
+domain_obj_id_change_exemption(staff_t)
|
||||||
+
|
+
|
||||||
@ -16719,7 +16746,7 @@ index 5da7870..3577c24 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
apache_role(staff_r, staff_t)
|
apache_role(staff_r, staff_t)
|
||||||
')
|
')
|
||||||
@@ -23,11 +78,102 @@ optional_policy(`
|
@@ -23,11 +79,102 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -16823,7 +16850,7 @@ index 5da7870..3577c24 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -35,15 +181,31 @@ optional_policy(`
|
@@ -35,15 +182,31 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -16857,7 +16884,7 @@ index 5da7870..3577c24 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -52,10 +214,55 @@ optional_policy(`
|
@@ -52,10 +215,55 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -16913,7 +16940,7 @@ index 5da7870..3577c24 100644
|
|||||||
xserver_role(staff_r, staff_t)
|
xserver_role(staff_r, staff_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -65,10 +272,6 @@ ifndef(`distro_redhat',`
|
@@ -65,10 +273,6 @@ ifndef(`distro_redhat',`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -16924,7 +16951,7 @@ index 5da7870..3577c24 100644
|
|||||||
cdrecord_role(staff_r, staff_t)
|
cdrecord_role(staff_r, staff_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -78,10 +281,6 @@ ifndef(`distro_redhat',`
|
@@ -78,10 +282,6 @@ ifndef(`distro_redhat',`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_role_template(staff, staff_r, staff_t)
|
dbus_role_template(staff, staff_r, staff_t)
|
||||||
@ -16935,7 +16962,7 @@ index 5da7870..3577c24 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -101,10 +300,6 @@ ifndef(`distro_redhat',`
|
@@ -101,10 +301,6 @@ ifndef(`distro_redhat',`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -16946,7 +16973,7 @@ index 5da7870..3577c24 100644
|
|||||||
java_role(staff_r, staff_t)
|
java_role(staff_r, staff_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -125,10 +320,6 @@ ifndef(`distro_redhat',`
|
@@ -125,10 +321,6 @@ ifndef(`distro_redhat',`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -16957,7 +16984,7 @@ index 5da7870..3577c24 100644
|
|||||||
pyzor_role(staff_r, staff_t)
|
pyzor_role(staff_r, staff_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -141,10 +332,6 @@ ifndef(`distro_redhat',`
|
@@ -141,10 +333,6 @@ ifndef(`distro_redhat',`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -16968,7 +16995,7 @@ index 5da7870..3577c24 100644
|
|||||||
spamassassin_role(staff_r, staff_t)
|
spamassassin_role(staff_r, staff_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -176,3 +363,22 @@ ifndef(`distro_redhat',`
|
@@ -176,3 +364,22 @@ ifndef(`distro_redhat',`
|
||||||
wireshark_role(staff_r, staff_t)
|
wireshark_role(staff_r, staff_t)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
@ -17020,10 +17047,10 @@ index ff92430..36740ea 100644
|
|||||||
## <summary>
|
## <summary>
|
||||||
## Execute a generic bin program in the sysadm domain.
|
## Execute a generic bin program in the sysadm domain.
|
||||||
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
|
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
|
||||||
index 88d0028..c461b2b 100644
|
index 88d0028..c3275cb 100644
|
||||||
--- a/policy/modules/roles/sysadm.te
|
--- a/policy/modules/roles/sysadm.te
|
||||||
+++ b/policy/modules/roles/sysadm.te
|
+++ b/policy/modules/roles/sysadm.te
|
||||||
@@ -5,39 +5,80 @@ policy_module(sysadm, 2.5.1)
|
@@ -5,39 +5,81 @@ policy_module(sysadm, 2.5.1)
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -17056,6 +17083,7 @@ index 88d0028..c461b2b 100644
|
|||||||
+
|
+
|
||||||
+files_read_kernel_modules(sysadm_t)
|
+files_read_kernel_modules(sysadm_t)
|
||||||
+files_filetrans_named_content(sysadm_t)
|
+files_filetrans_named_content(sysadm_t)
|
||||||
|
+files_status_etc(sysadm_t)
|
||||||
+
|
+
|
||||||
+fs_mount_fusefs(sysadm_t)
|
+fs_mount_fusefs(sysadm_t)
|
||||||
+
|
+
|
||||||
@ -17115,7 +17143,7 @@ index 88d0028..c461b2b 100644
|
|||||||
|
|
||||||
ifdef(`direct_sysadm_daemon',`
|
ifdef(`direct_sysadm_daemon',`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -55,13 +96,7 @@ ifdef(`distro_gentoo',`
|
@@ -55,13 +97,7 @@ ifdef(`distro_gentoo',`
|
||||||
init_exec_rc(sysadm_t)
|
init_exec_rc(sysadm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -17130,7 +17158,7 @@ index 88d0028..c461b2b 100644
|
|||||||
domain_ptrace_all_domains(sysadm_t)
|
domain_ptrace_all_domains(sysadm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -71,9 +106,9 @@ optional_policy(`
|
@@ -71,9 +107,9 @@ optional_policy(`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
apache_run_helper(sysadm_t, sysadm_r)
|
apache_run_helper(sysadm_t, sysadm_r)
|
||||||
@ -17141,7 +17169,7 @@ index 88d0028..c461b2b 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -87,6 +122,7 @@ optional_policy(`
|
@@ -87,6 +123,7 @@ optional_policy(`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
asterisk_stream_connect(sysadm_t)
|
asterisk_stream_connect(sysadm_t)
|
||||||
@ -17149,7 +17177,7 @@ index 88d0028..c461b2b 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -110,11 +146,17 @@ optional_policy(`
|
@@ -110,11 +147,17 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -17167,7 +17195,7 @@ index 88d0028..c461b2b 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -122,11 +164,19 @@ optional_policy(`
|
@@ -122,11 +165,19 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -17189,7 +17217,7 @@ index 88d0028..c461b2b 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -140,6 +190,10 @@ optional_policy(`
|
@@ -140,6 +191,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -17200,7 +17228,7 @@ index 88d0028..c461b2b 100644
|
|||||||
dmesg_exec(sysadm_t)
|
dmesg_exec(sysadm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -156,11 +210,11 @@ optional_policy(`
|
@@ -156,11 +211,11 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -17214,7 +17242,7 @@ index 88d0028..c461b2b 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -179,6 +233,13 @@ optional_policy(`
|
@@ -179,6 +234,13 @@ optional_policy(`
|
||||||
ipsec_stream_connect(sysadm_t)
|
ipsec_stream_connect(sysadm_t)
|
||||||
# for lsof
|
# for lsof
|
||||||
ipsec_getattr_key_sockets(sysadm_t)
|
ipsec_getattr_key_sockets(sysadm_t)
|
||||||
@ -17228,7 +17256,7 @@ index 88d0028..c461b2b 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -186,15 +247,20 @@ optional_policy(`
|
@@ -186,15 +248,20 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -17252,7 +17280,7 @@ index 88d0028..c461b2b 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -214,22 +280,20 @@ optional_policy(`
|
@@ -214,22 +281,20 @@ optional_policy(`
|
||||||
modutils_run_depmod(sysadm_t, sysadm_r)
|
modutils_run_depmod(sysadm_t, sysadm_r)
|
||||||
modutils_run_insmod(sysadm_t, sysadm_r)
|
modutils_run_insmod(sysadm_t, sysadm_r)
|
||||||
modutils_run_update_mods(sysadm_t, sysadm_r)
|
modutils_run_update_mods(sysadm_t, sysadm_r)
|
||||||
@ -17281,7 +17309,7 @@ index 88d0028..c461b2b 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -241,14 +305,27 @@ optional_policy(`
|
@@ -241,14 +306,27 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -17309,7 +17337,7 @@ index 88d0028..c461b2b 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -256,10 +333,20 @@ optional_policy(`
|
@@ -256,10 +334,20 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -17330,7 +17358,7 @@ index 88d0028..c461b2b 100644
|
|||||||
portage_run(sysadm_t, sysadm_r)
|
portage_run(sysadm_t, sysadm_r)
|
||||||
portage_run_fetch(sysadm_t, sysadm_r)
|
portage_run_fetch(sysadm_t, sysadm_r)
|
||||||
portage_run_gcc_config(sysadm_t, sysadm_r)
|
portage_run_gcc_config(sysadm_t, sysadm_r)
|
||||||
@@ -270,31 +357,36 @@ optional_policy(`
|
@@ -270,31 +358,36 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -17374,7 +17402,7 @@ index 88d0028..c461b2b 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -319,12 +411,18 @@ optional_policy(`
|
@@ -319,12 +412,18 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -17394,7 +17422,7 @@ index 88d0028..c461b2b 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -349,7 +447,18 @@ optional_policy(`
|
@@ -349,7 +448,18 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -17414,7 +17442,7 @@ index 88d0028..c461b2b 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -360,19 +469,15 @@ optional_policy(`
|
@@ -360,19 +470,15 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -17436,7 +17464,7 @@ index 88d0028..c461b2b 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -384,10 +489,6 @@ optional_policy(`
|
@@ -384,10 +490,6 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -17447,7 +17475,7 @@ index 88d0028..c461b2b 100644
|
|||||||
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
|
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
|
||||||
usermanage_run_groupadd(sysadm_t, sysadm_r)
|
usermanage_run_groupadd(sysadm_t, sysadm_r)
|
||||||
usermanage_run_useradd(sysadm_t, sysadm_r)
|
usermanage_run_useradd(sysadm_t, sysadm_r)
|
||||||
@@ -395,6 +496,9 @@ optional_policy(`
|
@@ -395,6 +497,9 @@ optional_policy(`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
virt_stream_connect(sysadm_t)
|
virt_stream_connect(sysadm_t)
|
||||||
@ -17457,7 +17485,7 @@ index 88d0028..c461b2b 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -402,31 +506,34 @@ optional_policy(`
|
@@ -402,31 +507,34 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -17498,7 +17526,7 @@ index 88d0028..c461b2b 100644
|
|||||||
auth_role(sysadm_r, sysadm_t)
|
auth_role(sysadm_r, sysadm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -439,10 +546,6 @@ ifndef(`distro_redhat',`
|
@@ -439,10 +547,6 @@ ifndef(`distro_redhat',`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -17509,7 +17537,7 @@ index 88d0028..c461b2b 100644
|
|||||||
dbus_role_template(sysadm, sysadm_r, sysadm_t)
|
dbus_role_template(sysadm, sysadm_r, sysadm_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -463,15 +566,75 @@ ifndef(`distro_redhat',`
|
@@ -463,15 +567,75 @@ ifndef(`distro_redhat',`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -23933,10 +23961,10 @@ index 1b6619e..be02b96 100644
|
|||||||
+ allow $1 application_domain_type:socket_class_set getattr;
|
+ allow $1 application_domain_type:socket_class_set getattr;
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te
|
diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te
|
||||||
index c6fdab7..cd80b96 100644
|
index c6fdab7..af71c62 100644
|
||||||
--- a/policy/modules/system/application.te
|
--- a/policy/modules/system/application.te
|
||||||
+++ b/policy/modules/system/application.te
|
+++ b/policy/modules/system/application.te
|
||||||
@@ -6,12 +6,33 @@ attribute application_domain_type;
|
@@ -6,15 +6,40 @@ attribute application_domain_type;
|
||||||
# Executables to be run by user
|
# Executables to be run by user
|
||||||
attribute application_exec_type;
|
attribute application_exec_type;
|
||||||
|
|
||||||
@ -23957,11 +23985,11 @@ index c6fdab7..cd80b96 100644
|
|||||||
+ afs_rw_udp_sockets(application_domain_type)
|
+ afs_rw_udp_sockets(application_domain_type)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
optional_policy(`
|
||||||
+ cfengine_append_inherited_log(application_domain_type)
|
+ cfengine_append_inherited_log(application_domain_type)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
optional_policy(`
|
+optional_policy(`
|
||||||
+ cron_rw_inherited_user_spool_files(application_domain_type)
|
+ cron_rw_inherited_user_spool_files(application_domain_type)
|
||||||
cron_sigchld(application_domain_type)
|
cron_sigchld(application_domain_type)
|
||||||
')
|
')
|
||||||
@ -23971,6 +23999,13 @@ index c6fdab7..cd80b96 100644
|
|||||||
ssh_rw_stream_sockets(application_domain_type)
|
ssh_rw_stream_sockets(application_domain_type)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
+ screen_sigchld(application_domain_type)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
sudo_sigchld(application_domain_type)
|
||||||
|
')
|
||||||
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
|
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
|
||||||
index 28ad538..ebe81bf 100644
|
index 28ad538..ebe81bf 100644
|
||||||
--- a/policy/modules/system/authlogin.fc
|
--- a/policy/modules/system/authlogin.fc
|
||||||
@ -28588,7 +28623,7 @@ index 0d4c8d3..a89c4a2 100644
|
|||||||
+ ps_process_pattern($1, ipsec_mgmt_t)
|
+ ps_process_pattern($1, ipsec_mgmt_t)
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
|
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
|
||||||
index 9e54bf9..468dc31 100644
|
index 9e54bf9..9a068f6 100644
|
||||||
--- a/policy/modules/system/ipsec.te
|
--- a/policy/modules/system/ipsec.te
|
||||||
+++ b/policy/modules/system/ipsec.te
|
+++ b/policy/modules/system/ipsec.te
|
||||||
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
|
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
|
||||||
@ -28756,7 +28791,18 @@ index 9e54bf9..468dc31 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
consoletype_exec(ipsec_mgmt_t)
|
consoletype_exec(ipsec_mgmt_t)
|
||||||
@@ -370,13 +397,12 @@ kernel_request_load_module(racoon_t)
|
@@ -322,6 +349,10 @@ optional_policy(`
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
+ l2tpd_read_pid_files(ipsec_mgmt_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
modutils_domtrans_insmod(ipsec_mgmt_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
@@ -370,13 +401,12 @@ kernel_request_load_module(racoon_t)
|
||||||
corecmd_exec_shell(racoon_t)
|
corecmd_exec_shell(racoon_t)
|
||||||
corecmd_exec_bin(racoon_t)
|
corecmd_exec_bin(racoon_t)
|
||||||
|
|
||||||
@ -28776,7 +28822,7 @@ index 9e54bf9..468dc31 100644
|
|||||||
corenet_udp_bind_isakmp_port(racoon_t)
|
corenet_udp_bind_isakmp_port(racoon_t)
|
||||||
corenet_udp_bind_ipsecnat_port(racoon_t)
|
corenet_udp_bind_ipsecnat_port(racoon_t)
|
||||||
|
|
||||||
@@ -401,10 +427,11 @@ locallogin_use_fds(racoon_t)
|
@@ -401,10 +431,11 @@ locallogin_use_fds(racoon_t)
|
||||||
logging_send_syslog_msg(racoon_t)
|
logging_send_syslog_msg(racoon_t)
|
||||||
logging_send_audit_msgs(racoon_t)
|
logging_send_audit_msgs(racoon_t)
|
||||||
|
|
||||||
@ -28789,7 +28835,7 @@ index 9e54bf9..468dc31 100644
|
|||||||
auth_can_read_shadow_passwords(racoon_t)
|
auth_can_read_shadow_passwords(racoon_t)
|
||||||
tunable_policy(`racoon_read_shadow',`
|
tunable_policy(`racoon_read_shadow',`
|
||||||
auth_tunable_read_shadow(racoon_t)
|
auth_tunable_read_shadow(racoon_t)
|
||||||
@@ -438,9 +465,9 @@ corenet_setcontext_all_spds(setkey_t)
|
@@ -438,9 +469,9 @@ corenet_setcontext_all_spds(setkey_t)
|
||||||
|
|
||||||
locallogin_use_fds(setkey_t)
|
locallogin_use_fds(setkey_t)
|
||||||
|
|
||||||
@ -28889,7 +28935,7 @@ index c42fbc3..174cfdb 100644
|
|||||||
## <summary>
|
## <summary>
|
||||||
## Set the attributes of iptables config files.
|
## Set the attributes of iptables config files.
|
||||||
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
|
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
|
||||||
index 5dfa44b..2502d06 100644
|
index 5dfa44b..4abf7fd 100644
|
||||||
--- a/policy/modules/system/iptables.te
|
--- a/policy/modules/system/iptables.te
|
||||||
+++ b/policy/modules/system/iptables.te
|
+++ b/policy/modules/system/iptables.te
|
||||||
@@ -16,15 +16,15 @@ role iptables_roles types iptables_t;
|
@@ -16,15 +16,15 @@ role iptables_roles types iptables_t;
|
||||||
@ -28971,7 +29017,7 @@ index 5dfa44b..2502d06 100644
|
|||||||
userdom_use_all_users_fds(iptables_t)
|
userdom_use_all_users_fds(iptables_t)
|
||||||
|
|
||||||
ifdef(`hide_broken_symptoms',`
|
ifdef(`hide_broken_symptoms',`
|
||||||
@@ -102,11 +104,14 @@ ifdef(`hide_broken_symptoms',`
|
@@ -102,6 +104,8 @@ ifdef(`hide_broken_symptoms',`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
fail2ban_append_log(iptables_t)
|
fail2ban_append_log(iptables_t)
|
||||||
@ -28980,13 +29026,19 @@ index 5dfa44b..2502d06 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
firstboot_use_fds(iptables_t)
|
@@ -110,6 +114,11 @@ optional_policy(`
|
||||||
firstboot_rw_pipes(iptables_t)
|
|
||||||
+ firewalld_dontaudit_write_tmp_files(iptables_t)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -124,6 +129,12 @@ optional_policy(`
|
+ firewalld_read_config(iptables_t)
|
||||||
|
+ firewalld_dontaudit_write_tmp_files(iptables_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
modutils_run_insmod(iptables_t, iptables_roles)
|
||||||
|
')
|
||||||
|
|
||||||
|
@@ -124,6 +133,12 @@ optional_policy(`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
psad_rw_tmp_files(iptables_t)
|
psad_rw_tmp_files(iptables_t)
|
||||||
@ -28999,7 +29051,7 @@ index 5dfa44b..2502d06 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -135,9 +146,9 @@ optional_policy(`
|
@@ -135,9 +150,9 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -34933,10 +34985,10 @@ index b7686d5..431d2f1 100644
|
|||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
|
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..4e12420
|
index 0000000..2cd29ba
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/system/systemd.fc
|
+++ b/policy/modules/system/systemd.fc
|
||||||
@@ -0,0 +1,42 @@
|
@@ -0,0 +1,43 @@
|
||||||
+/etc/hostname -- gen_context(system_u:object_r:hostname_etc_t,s0)
|
+/etc/hostname -- gen_context(system_u:object_r:hostname_etc_t,s0)
|
||||||
+/etc/machine-info -- gen_context(system_u:object_r:hostname_etc_t,s0)
|
+/etc/machine-info -- gen_context(system_u:object_r:hostname_etc_t,s0)
|
||||||
+
|
+
|
||||||
@ -34952,6 +35004,7 @@ index 0000000..4e12420
|
|||||||
+/usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
|
+/usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
|
||||||
+
|
+
|
||||||
+/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
|
+/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
|
||||||
|
+/usr/lib/systemd/system/systemd-vconsole-setup\.service gen_context(system_u:object_r:systemd_vconsole_unit_file_t,s0)
|
||||||
+/usr/lib/systemd/system/.*halt.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
|
+/usr/lib/systemd/system/.*halt.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
|
||||||
+/usr/lib/systemd/system/.*hibernate.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
|
+/usr/lib/systemd/system/.*hibernate.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
|
||||||
+/usr/lib/systemd/system/.*power.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
|
+/usr/lib/systemd/system/.*power.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
|
||||||
@ -36218,10 +36271,10 @@ index 0000000..6862d53
|
|||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..87474b2
|
index 0000000..b43a6c1
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/system/systemd.te
|
+++ b/policy/modules/system/systemd.te
|
||||||
@@ -0,0 +1,647 @@
|
@@ -0,0 +1,654 @@
|
||||||
+policy_module(systemd, 1.0.0)
|
+policy_module(systemd, 1.0.0)
|
||||||
+
|
+
|
||||||
+#######################################
|
+#######################################
|
||||||
@ -36285,6 +36338,9 @@ index 0000000..87474b2
|
|||||||
+type power_unit_file_t;
|
+type power_unit_file_t;
|
||||||
+systemd_unit_file(power_unit_file_t)
|
+systemd_unit_file(power_unit_file_t)
|
||||||
+
|
+
|
||||||
|
+type systemd_vconsole_unit_file_t;
|
||||||
|
+systemd_unit_file(systemd_vconsole_unit_file_t)
|
||||||
|
+
|
||||||
+# executable for systemctl
|
+# executable for systemctl
|
||||||
+type systemd_systemctl_exec_t;
|
+type systemd_systemctl_exec_t;
|
||||||
+corecmd_executable_file(systemd_systemctl_exec_t)
|
+corecmd_executable_file(systemd_systemctl_exec_t)
|
||||||
@ -36696,9 +36752,13 @@ index 0000000..87474b2
|
|||||||
+
|
+
|
||||||
+dev_write_kmsg(systemd_localed_t)
|
+dev_write_kmsg(systemd_localed_t)
|
||||||
+
|
+
|
||||||
|
+init_dbus_chat(systemd_localed_t)
|
||||||
|
+
|
||||||
+logging_stream_connect_syslog(systemd_localed_t)
|
+logging_stream_connect_syslog(systemd_localed_t)
|
||||||
+logging_send_syslog_msg(systemd_localed_t)
|
+logging_send_syslog_msg(systemd_localed_t)
|
||||||
+
|
+
|
||||||
|
+allow systemd_localed_t systemd_vconsole_unit_file_t:service start;
|
||||||
|
+
|
||||||
+miscfiles_manage_localization(systemd_localed_t)
|
+miscfiles_manage_localization(systemd_localed_t)
|
||||||
+miscfiles_etc_filetrans_localization(systemd_localed_t)
|
+miscfiles_etc_filetrans_localization(systemd_localed_t)
|
||||||
+
|
+
|
||||||
|
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.12.1
|
Version: 3.12.1
|
||||||
Release: 59%{?dist}
|
Release: 62%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -539,6 +539,39 @@ SELinux Reference policy mls base module.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jul 9 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-62
|
||||||
|
- Fix definition of sandbox.disabled to sandbox.pp.disabled
|
||||||
|
|
||||||
|
* Mon Jul 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-61
|
||||||
|
- Allow mdamd to execute systemctl
|
||||||
|
- Allow mdadm to read /dev/kvm
|
||||||
|
- Allow ipsec_mgmt_t to read l2tpd pid content
|
||||||
|
|
||||||
|
* Mon Jul 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-60
|
||||||
|
- Allow nsd_t to read /dev/urand
|
||||||
|
- Allow mdadm_t to read framebuffer
|
||||||
|
- Allow rabbitmq_beam_t to read process info on rabbitmq_epmd_t
|
||||||
|
- Allow mozilla_plugin_config_t to create tmp files
|
||||||
|
- Cleanup openvswitch policy
|
||||||
|
- Allow mozilla plugin to getattr on all executables
|
||||||
|
- Allow l2tpd_t to create fifo_files in /var/run
|
||||||
|
- Allow samba to touch/manage fifo_files or sock_files in a samba_share_t directory
|
||||||
|
- Allow mdadm to connecto its own unix_stream_socket
|
||||||
|
- FIXME: nagios changed locations to /log/nagios which is wrong. But we need to have this workaround for now.
|
||||||
|
- Allow apache to access smokeping pid files
|
||||||
|
- Allow rabbitmq_beam_t to getattr on all filesystems
|
||||||
|
- Add systemd support for iodined
|
||||||
|
- Allow nup_upsdrvctl_t to execute its entrypoint
|
||||||
|
- Allow fail2ban_client to write to fail2ban_var_run_t, Also allow it to use nsswitch
|
||||||
|
- add labeling for ~/.cache/libvirt-sandbox
|
||||||
|
- Add interface to allow domains transitioned to by confined users to send sigchld to screen program
|
||||||
|
- Allow sysadm_t to check the system status of files labeled etc_t, /etc/fstab
|
||||||
|
- Allow systemd_localed to start /usr/lib/systemd/system/systemd-vconsole-setup.service
|
||||||
|
- Allow an domain that has an entrypoint from a type to be allowed to execute the entrypoint without a transition, I can see no case where this is a bad thing, and elminiates a whole class of AVCs.
|
||||||
|
- Allow staff to getsched all domains, required to run htop
|
||||||
|
- Add port definition for redis port
|
||||||
|
- fix selinuxuser_use_ssh_chroot boolean
|
||||||
|
|
||||||
* Wed Jul 3 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-59
|
* Wed Jul 3 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-59
|
||||||
- Add prosody policy written by Michael Scherer
|
- Add prosody policy written by Michael Scherer
|
||||||
- Allow nagios plugins to read /sys info
|
- Allow nagios plugins to read /sys info
|
||||||
|