* Tue Jul 9 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-62

- Fix definition of sandbox.disabled to sandbox.pp.disabled
Miroslav Grepl 2013-07-09 21:53:12 +02:00
parent d3c6b2620c
commit 60ad55be4d
3 changed files with 440 additions and 232 deletions


@ -3042,7 +3042,7 @@ index 7590165..19aaaed 100644
+ fs_mounton_fusefs(seunshare_domain) + fs_mounton_fusefs(seunshare_domain)
+') +')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 644d4d7..38a8a2d 100644 index 644d4d7..51181b8 100644
--- a/policy/modules/kernel/corecommands.fc --- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@ @@ -1,9 +1,10 @@
@ -3229,7 +3229,7 @@ index 644d4d7..38a8a2d 100644
+/usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/systemd/system-sleep/(.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/systemd/system-sleep(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/yaboot/addnote -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/yaboot/addnote -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
@ -8257,7 +8257,7 @@ index 6529bd9..831344c 100644
+allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *; +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
allow devices_unconfined_type mtrr_device_t:file *; allow devices_unconfined_type mtrr_device_t:file *;
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 6a1e4d1..adafd25 100644 index 6a1e4d1..c691385 100644
--- a/policy/modules/kernel/domain.if --- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if
@@ -76,33 +76,8 @@ interface(`domain_type',` @@ -76,33 +76,8 @@ interface(`domain_type',`
@ -8296,6 +8296,15 @@ index 6a1e4d1..adafd25 100644
') ')
######################################## ########################################
@@ -128,7 +103,7 @@ interface(`domain_entry_file',`
')
allow $1 $2:file entrypoint;
- allow $1 $2:file { mmap_file_perms ioctl lock };
+ allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans };
typeattribute $2 entry_type;
@@ -513,6 +488,26 @@ interface(`domain_signull_all_domains',` @@ -513,6 +488,26 @@ interface(`domain_signull_all_domains',`
######################################## ########################################
@ -9055,7 +9064,7 @@ index c2c6e05..be423a7 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 64ff4d7..fe6d89c 100644 index 64ff4d7..3e91f7d 100644
--- a/policy/modules/kernel/files.if --- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@ @@ -19,6 +19,136 @@
@ -11585,7 +11594,7 @@ index 64ff4d7..fe6d89c 100644
') ')
allow $1 var_t:dir search_dir_perms; allow $1 var_t:dir search_dir_perms;
@@ -6562,3 +7839,474 @@ interface(`files_unconfined',` @@ -6562,3 +7839,491 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type; typeattribute $1 files_unconfined_type;
') ')
@ -12060,6 +12069,23 @@ index 64ff4d7..fe6d89c 100644
+ allow $1 file_type:service all_service_perms; + allow $1 file_type:service all_service_perms;
+') +')
+ +
+########################################
+## <summary>
+## Get the status of etc_t files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_status_etc',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:service status;
+')
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 148d87a..822f6be 100644 index 148d87a..822f6be 100644
--- a/policy/modules/kernel/files.te --- a/policy/modules/kernel/files.te
@ -16648,10 +16674,10 @@ index 234a940..d340f20 100644
######################################## ########################################
## <summary> ## <summary>
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 5da7870..3577c24 100644 index 5da7870..1a2de40 100644
--- a/policy/modules/roles/staff.te --- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te
@@ -8,12 +8,67 @@ policy_module(staff, 2.3.1) @@ -8,12 +8,68 @@ policy_module(staff, 2.3.1)
role staff_r; role staff_r;
userdom_unpriv_user_template(staff) userdom_unpriv_user_template(staff)
@ -16683,6 +16709,7 @@ index 5da7870..3577c24 100644
+dev_read_kmsg(staff_t) +dev_read_kmsg(staff_t)
+ +
+domain_read_all_domains_state(staff_t) +domain_read_all_domains_state(staff_t)
+domain_getsched_all_domains(staff_t)
+domain_getattr_all_domains(staff_t) +domain_getattr_all_domains(staff_t)
+domain_obj_id_change_exemption(staff_t) +domain_obj_id_change_exemption(staff_t)
+ +
@ -16719,7 +16746,7 @@ index 5da7870..3577c24 100644
optional_policy(` optional_policy(`
apache_role(staff_r, staff_t) apache_role(staff_r, staff_t)
') ')
@@ -23,11 +78,102 @@ optional_policy(` @@ -23,11 +79,102 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -16823,7 +16850,7 @@ index 5da7870..3577c24 100644
') ')
optional_policy(` optional_policy(`
@@ -35,15 +181,31 @@ optional_policy(` @@ -35,15 +182,31 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -16857,7 +16884,7 @@ index 5da7870..3577c24 100644
') ')
optional_policy(` optional_policy(`
@@ -52,10 +214,55 @@ optional_policy(` @@ -52,10 +215,55 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -16913,7 +16940,7 @@ index 5da7870..3577c24 100644
xserver_role(staff_r, staff_t) xserver_role(staff_r, staff_t)
') ')
@@ -65,10 +272,6 @@ ifndef(`distro_redhat',` @@ -65,10 +273,6 @@ ifndef(`distro_redhat',`
') ')
optional_policy(` optional_policy(`
@ -16924,7 +16951,7 @@ index 5da7870..3577c24 100644
cdrecord_role(staff_r, staff_t) cdrecord_role(staff_r, staff_t)
') ')
@@ -78,10 +281,6 @@ ifndef(`distro_redhat',` @@ -78,10 +282,6 @@ ifndef(`distro_redhat',`
optional_policy(` optional_policy(`
dbus_role_template(staff, staff_r, staff_t) dbus_role_template(staff, staff_r, staff_t)
@ -16935,7 +16962,7 @@ index 5da7870..3577c24 100644
') ')
optional_policy(` optional_policy(`
@@ -101,10 +300,6 @@ ifndef(`distro_redhat',` @@ -101,10 +301,6 @@ ifndef(`distro_redhat',`
') ')
optional_policy(` optional_policy(`
@ -16946,7 +16973,7 @@ index 5da7870..3577c24 100644
java_role(staff_r, staff_t) java_role(staff_r, staff_t)
') ')
@@ -125,10 +320,6 @@ ifndef(`distro_redhat',` @@ -125,10 +321,6 @@ ifndef(`distro_redhat',`
') ')
optional_policy(` optional_policy(`
@ -16957,7 +16984,7 @@ index 5da7870..3577c24 100644
pyzor_role(staff_r, staff_t) pyzor_role(staff_r, staff_t)
') ')
@@ -141,10 +332,6 @@ ifndef(`distro_redhat',` @@ -141,10 +333,6 @@ ifndef(`distro_redhat',`
') ')
optional_policy(` optional_policy(`
@ -16968,7 +16995,7 @@ index 5da7870..3577c24 100644
spamassassin_role(staff_r, staff_t) spamassassin_role(staff_r, staff_t)
') ')
@@ -176,3 +363,22 @@ ifndef(`distro_redhat',` @@ -176,3 +364,22 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t) wireshark_role(staff_r, staff_t)
') ')
') ')
@ -17020,10 +17047,10 @@ index ff92430..36740ea 100644
## <summary> ## <summary>
## Execute a generic bin program in the sysadm domain. ## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 88d0028..c461b2b 100644 index 88d0028..c3275cb 100644
--- a/policy/modules/roles/sysadm.te --- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te
@@ -5,39 +5,80 @@ policy_module(sysadm, 2.5.1) @@ -5,39 +5,81 @@ policy_module(sysadm, 2.5.1)
# Declarations # Declarations
# #
@ -17056,6 +17083,7 @@ index 88d0028..c461b2b 100644
+ +
+files_read_kernel_modules(sysadm_t) +files_read_kernel_modules(sysadm_t)
+files_filetrans_named_content(sysadm_t) +files_filetrans_named_content(sysadm_t)
+files_status_etc(sysadm_t)
+ +
+fs_mount_fusefs(sysadm_t) +fs_mount_fusefs(sysadm_t)
+ +
@ -17115,7 +17143,7 @@ index 88d0028..c461b2b 100644
ifdef(`direct_sysadm_daemon',` ifdef(`direct_sysadm_daemon',`
optional_policy(` optional_policy(`
@@ -55,13 +96,7 @@ ifdef(`distro_gentoo',` @@ -55,13 +97,7 @@ ifdef(`distro_gentoo',`
init_exec_rc(sysadm_t) init_exec_rc(sysadm_t)
') ')
@ -17130,7 +17158,7 @@ index 88d0028..c461b2b 100644
domain_ptrace_all_domains(sysadm_t) domain_ptrace_all_domains(sysadm_t)
') ')
@@ -71,9 +106,9 @@ optional_policy(` @@ -71,9 +107,9 @@ optional_policy(`
optional_policy(` optional_policy(`
apache_run_helper(sysadm_t, sysadm_r) apache_run_helper(sysadm_t, sysadm_r)
@ -17141,7 +17169,7 @@ index 88d0028..c461b2b 100644
') ')
optional_policy(` optional_policy(`
@@ -87,6 +122,7 @@ optional_policy(` @@ -87,6 +123,7 @@ optional_policy(`
optional_policy(` optional_policy(`
asterisk_stream_connect(sysadm_t) asterisk_stream_connect(sysadm_t)
@ -17149,7 +17177,7 @@ index 88d0028..c461b2b 100644
') ')
optional_policy(` optional_policy(`
@@ -110,11 +146,17 @@ optional_policy(` @@ -110,11 +147,17 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -17167,7 +17195,7 @@ index 88d0028..c461b2b 100644
') ')
optional_policy(` optional_policy(`
@@ -122,11 +164,19 @@ optional_policy(` @@ -122,11 +165,19 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -17189,7 +17217,7 @@ index 88d0028..c461b2b 100644
') ')
optional_policy(` optional_policy(`
@@ -140,6 +190,10 @@ optional_policy(` @@ -140,6 +191,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -17200,7 +17228,7 @@ index 88d0028..c461b2b 100644
dmesg_exec(sysadm_t) dmesg_exec(sysadm_t)
') ')
@@ -156,11 +210,11 @@ optional_policy(` @@ -156,11 +211,11 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -17214,7 +17242,7 @@ index 88d0028..c461b2b 100644
') ')
optional_policy(` optional_policy(`
@@ -179,6 +233,13 @@ optional_policy(` @@ -179,6 +234,13 @@ optional_policy(`
ipsec_stream_connect(sysadm_t) ipsec_stream_connect(sysadm_t)
# for lsof # for lsof
ipsec_getattr_key_sockets(sysadm_t) ipsec_getattr_key_sockets(sysadm_t)
@ -17228,7 +17256,7 @@ index 88d0028..c461b2b 100644
') ')
optional_policy(` optional_policy(`
@@ -186,15 +247,20 @@ optional_policy(` @@ -186,15 +248,20 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -17252,7 +17280,7 @@ index 88d0028..c461b2b 100644
') ')
optional_policy(` optional_policy(`
@@ -214,22 +280,20 @@ optional_policy(` @@ -214,22 +281,20 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r)
@ -17281,7 +17309,7 @@ index 88d0028..c461b2b 100644
') ')
optional_policy(` optional_policy(`
@@ -241,14 +305,27 @@ optional_policy(` @@ -241,14 +306,27 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -17309,7 +17337,7 @@ index 88d0028..c461b2b 100644
') ')
optional_policy(` optional_policy(`
@@ -256,10 +333,20 @@ optional_policy(` @@ -256,10 +334,20 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -17330,7 +17358,7 @@ index 88d0028..c461b2b 100644
portage_run(sysadm_t, sysadm_r) portage_run(sysadm_t, sysadm_r)
portage_run_fetch(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r)
@@ -270,31 +357,36 @@ optional_policy(` @@ -270,31 +358,36 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -17374,7 +17402,7 @@ index 88d0028..c461b2b 100644
') ')
optional_policy(` optional_policy(`
@@ -319,12 +411,18 @@ optional_policy(` @@ -319,12 +412,18 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -17394,7 +17422,7 @@ index 88d0028..c461b2b 100644
') ')
optional_policy(` optional_policy(`
@@ -349,7 +447,18 @@ optional_policy(` @@ -349,7 +448,18 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -17414,7 +17442,7 @@ index 88d0028..c461b2b 100644
') ')
optional_policy(` optional_policy(`
@@ -360,19 +469,15 @@ optional_policy(` @@ -360,19 +470,15 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -17436,7 +17464,7 @@ index 88d0028..c461b2b 100644
') ')
optional_policy(` optional_policy(`
@@ -384,10 +489,6 @@ optional_policy(` @@ -384,10 +490,6 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -17447,7 +17475,7 @@ index 88d0028..c461b2b 100644
usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_admin_passwd(sysadm_t, sysadm_r)
usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r)
usermanage_run_useradd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r)
@@ -395,6 +496,9 @@ optional_policy(` @@ -395,6 +497,9 @@ optional_policy(`
optional_policy(` optional_policy(`
virt_stream_connect(sysadm_t) virt_stream_connect(sysadm_t)
@ -17457,7 +17485,7 @@ index 88d0028..c461b2b 100644
') ')
optional_policy(` optional_policy(`
@@ -402,31 +506,34 @@ optional_policy(` @@ -402,31 +507,34 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -17498,7 +17526,7 @@ index 88d0028..c461b2b 100644
auth_role(sysadm_r, sysadm_t) auth_role(sysadm_r, sysadm_t)
') ')
@@ -439,10 +546,6 @@ ifndef(`distro_redhat',` @@ -439,10 +547,6 @@ ifndef(`distro_redhat',`
') ')
optional_policy(` optional_policy(`
@ -17509,7 +17537,7 @@ index 88d0028..c461b2b 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t) dbus_role_template(sysadm, sysadm_r, sysadm_t)
optional_policy(` optional_policy(`
@@ -463,15 +566,75 @@ ifndef(`distro_redhat',` @@ -463,15 +567,75 @@ ifndef(`distro_redhat',`
') ')
optional_policy(` optional_policy(`
@ -23933,10 +23961,10 @@ index 1b6619e..be02b96 100644
+ allow $1 application_domain_type:socket_class_set getattr; + allow $1 application_domain_type:socket_class_set getattr;
+') +')
diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te
index c6fdab7..cd80b96 100644 index c6fdab7..af71c62 100644
--- a/policy/modules/system/application.te --- a/policy/modules/system/application.te
+++ b/policy/modules/system/application.te +++ b/policy/modules/system/application.te
@@ -6,12 +6,33 @@ attribute application_domain_type; @@ -6,15 +6,40 @@ attribute application_domain_type;
# Executables to be run by user # Executables to be run by user
attribute application_exec_type; attribute application_exec_type;
@ -23957,11 +23985,11 @@ index c6fdab7..cd80b96 100644
+ afs_rw_udp_sockets(application_domain_type) + afs_rw_udp_sockets(application_domain_type)
+') +')
+ +
+optional_policy(` optional_policy(`
+ cfengine_append_inherited_log(application_domain_type) + cfengine_append_inherited_log(application_domain_type)
+') +')
+ +
optional_policy(` +optional_policy(`
+ cron_rw_inherited_user_spool_files(application_domain_type) + cron_rw_inherited_user_spool_files(application_domain_type)
cron_sigchld(application_domain_type) cron_sigchld(application_domain_type)
') ')
@ -23971,6 +23999,13 @@ index c6fdab7..cd80b96 100644
ssh_rw_stream_sockets(application_domain_type) ssh_rw_stream_sockets(application_domain_type)
') ')
optional_policy(`
+ screen_sigchld(application_domain_type)
+')
+
+optional_policy(`
sudo_sigchld(application_domain_type)
')
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index 28ad538..ebe81bf 100644 index 28ad538..ebe81bf 100644
--- a/policy/modules/system/authlogin.fc --- a/policy/modules/system/authlogin.fc
@ -28588,7 +28623,7 @@ index 0d4c8d3..a89c4a2 100644
+ ps_process_pattern($1, ipsec_mgmt_t) + ps_process_pattern($1, ipsec_mgmt_t)
+') +')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 9e54bf9..468dc31 100644 index 9e54bf9..9a068f6 100644
--- a/policy/modules/system/ipsec.te --- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@ -28756,7 +28791,18 @@ index 9e54bf9..468dc31 100644
optional_policy(` optional_policy(`
consoletype_exec(ipsec_mgmt_t) consoletype_exec(ipsec_mgmt_t)
@@ -370,13 +397,12 @@ kernel_request_load_module(racoon_t) @@ -322,6 +349,10 @@ optional_policy(`
')
optional_policy(`
+ l2tpd_read_pid_files(ipsec_mgmt_t)
+')
+
+optional_policy(`
modutils_domtrans_insmod(ipsec_mgmt_t)
')
@@ -370,13 +401,12 @@ kernel_request_load_module(racoon_t)
corecmd_exec_shell(racoon_t) corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t) corecmd_exec_bin(racoon_t)
@ -28776,7 +28822,7 @@ index 9e54bf9..468dc31 100644
corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_isakmp_port(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t)
@@ -401,10 +427,11 @@ locallogin_use_fds(racoon_t) @@ -401,10 +431,11 @@ locallogin_use_fds(racoon_t)
logging_send_syslog_msg(racoon_t) logging_send_syslog_msg(racoon_t)
logging_send_audit_msgs(racoon_t) logging_send_audit_msgs(racoon_t)
@ -28789,7 +28835,7 @@ index 9e54bf9..468dc31 100644
auth_can_read_shadow_passwords(racoon_t) auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',` tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t) auth_tunable_read_shadow(racoon_t)
@@ -438,9 +465,9 @@ corenet_setcontext_all_spds(setkey_t) @@ -438,9 +469,9 @@ corenet_setcontext_all_spds(setkey_t)
locallogin_use_fds(setkey_t) locallogin_use_fds(setkey_t)
@ -28889,7 +28935,7 @@ index c42fbc3..174cfdb 100644
## <summary> ## <summary>
## Set the attributes of iptables config files. ## Set the attributes of iptables config files.
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 5dfa44b..2502d06 100644 index 5dfa44b..4abf7fd 100644
--- a/policy/modules/system/iptables.te --- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te
@@ -16,15 +16,15 @@ role iptables_roles types iptables_t; @@ -16,15 +16,15 @@ role iptables_roles types iptables_t;
@ -28971,7 +29017,7 @@ index 5dfa44b..2502d06 100644
userdom_use_all_users_fds(iptables_t) userdom_use_all_users_fds(iptables_t)
ifdef(`hide_broken_symptoms',` ifdef(`hide_broken_symptoms',`
@@ -102,11 +104,14 @@ ifdef(`hide_broken_symptoms',` @@ -102,6 +104,8 @@ ifdef(`hide_broken_symptoms',`
optional_policy(` optional_policy(`
fail2ban_append_log(iptables_t) fail2ban_append_log(iptables_t)
@ -28980,13 +29026,19 @@ index 5dfa44b..2502d06 100644
') ')
optional_policy(` optional_policy(`
firstboot_use_fds(iptables_t) @@ -110,6 +114,11 @@ optional_policy(`
firstboot_rw_pipes(iptables_t)
+ firewalld_dontaudit_write_tmp_files(iptables_t)
') ')
optional_policy(` optional_policy(`
@@ -124,6 +129,12 @@ optional_policy(` + firewalld_read_config(iptables_t)
+ firewalld_dontaudit_write_tmp_files(iptables_t)
+')
+
+optional_policy(`
modutils_run_insmod(iptables_t, iptables_roles)
')
@@ -124,6 +133,12 @@ optional_policy(`
optional_policy(` optional_policy(`
psad_rw_tmp_files(iptables_t) psad_rw_tmp_files(iptables_t)
@ -28999,7 +29051,7 @@ index 5dfa44b..2502d06 100644
') ')
optional_policy(` optional_policy(`
@@ -135,9 +146,9 @@ optional_policy(` @@ -135,9 +150,9 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -34933,10 +34985,10 @@ index b7686d5..431d2f1 100644
+') +')
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
new file mode 100644 new file mode 100644
index 0000000..4e12420 index 0000000..2cd29ba
--- /dev/null --- /dev/null
+++ b/policy/modules/system/systemd.fc +++ b/policy/modules/system/systemd.fc
@@ -0,0 +1,42 @@ @@ -0,0 +1,43 @@
+/etc/hostname -- gen_context(system_u:object_r:hostname_etc_t,s0) +/etc/hostname -- gen_context(system_u:object_r:hostname_etc_t,s0)
+/etc/machine-info -- gen_context(system_u:object_r:hostname_etc_t,s0) +/etc/machine-info -- gen_context(system_u:object_r:hostname_etc_t,s0)
+ +
@ -34952,6 +35004,7 @@ index 0000000..4e12420
+/usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0) +/usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
+ +
+/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0) +/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
+/usr/lib/systemd/system/systemd-vconsole-setup\.service gen_context(system_u:object_r:systemd_vconsole_unit_file_t,s0)
+/usr/lib/systemd/system/.*halt.* -- gen_context(system_u:object_r:power_unit_file_t,s0) +/usr/lib/systemd/system/.*halt.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
+/usr/lib/systemd/system/.*hibernate.* -- gen_context(system_u:object_r:power_unit_file_t,s0) +/usr/lib/systemd/system/.*hibernate.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
+/usr/lib/systemd/system/.*power.* -- gen_context(system_u:object_r:power_unit_file_t,s0) +/usr/lib/systemd/system/.*power.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
@ -36218,10 +36271,10 @@ index 0000000..6862d53
+') +')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644 new file mode 100644
index 0000000..87474b2 index 0000000..b43a6c1
--- /dev/null --- /dev/null
+++ b/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te
@@ -0,0 +1,647 @@ @@ -0,0 +1,654 @@
+policy_module(systemd, 1.0.0) +policy_module(systemd, 1.0.0)
+ +
+####################################### +#######################################
@ -36285,6 +36338,9 @@ index 0000000..87474b2
+type power_unit_file_t; +type power_unit_file_t;
+systemd_unit_file(power_unit_file_t) +systemd_unit_file(power_unit_file_t)
+ +
+type systemd_vconsole_unit_file_t;
+systemd_unit_file(systemd_vconsole_unit_file_t)
+
+# executable for systemctl +# executable for systemctl
+type systemd_systemctl_exec_t; +type systemd_systemctl_exec_t;
+corecmd_executable_file(systemd_systemctl_exec_t) +corecmd_executable_file(systemd_systemctl_exec_t)
@ -36696,9 +36752,13 @@ index 0000000..87474b2
+ +
+dev_write_kmsg(systemd_localed_t) +dev_write_kmsg(systemd_localed_t)
+ +
+init_dbus_chat(systemd_localed_t)
+
+logging_stream_connect_syslog(systemd_localed_t) +logging_stream_connect_syslog(systemd_localed_t)
+logging_send_syslog_msg(systemd_localed_t) +logging_send_syslog_msg(systemd_localed_t)
+ +
+allow systemd_localed_t systemd_vconsole_unit_file_t:service start;
+
+miscfiles_manage_localization(systemd_localed_t) +miscfiles_manage_localization(systemd_localed_t)
+miscfiles_etc_filetrans_localization(systemd_localed_t) +miscfiles_etc_filetrans_localization(systemd_localed_t)
+ +
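Review bot: The `execute_no_trans` added in the `domain_entry_file` hunk (`allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans };`) widens every caller of that interface, yet the interface's `<summary>` block, which starts outside the hunk, is not updated; it should state the new behaviour, e.g. `## The domain may also execute files of the entrypoint type without a domain transition.`. Since `$2` is whatever entry type a caller passes, a type shared as entrypoint by several domains now lets each of them run that type's other binaries inside their own domain; this adds no new transition, and the changelog accepts the trade-off, but documenting it lets callers passing a shared type judge it. In the same section, the new `files_status_etc` summary `## Get the status of etc_t files` reads like file getattr while the rule is on the `service` class (`allow $1 etc_t:service status;`); `## Get the systemd service status of units backed by etc_t files (for example /etc/fstab).` would describe the permission accurately.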



@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.12.1 Version: 3.12.1
Release: 59%{?dist} Release: 62%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -539,6 +539,39 @@ SELinux Reference policy mls base module.
%endif %endif
%changelog %changelog
* Tue Jul 9 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-62
- Fix definition of sandbox.disabled to sandbox.pp.disabled
* Mon Jul 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-61
- Allow mdamd to execute systemctl
- Allow mdadm to read /dev/kvm
- Allow ipsec_mgmt_t to read l2tpd pid content
* Mon Jul 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-60
- Allow nsd_t to read /dev/urand
- Allow mdadm_t to read framebuffer
- Allow rabbitmq_beam_t to read process info on rabbitmq_epmd_t
- Allow mozilla_plugin_config_t to create tmp files
- Cleanup openvswitch policy
- Allow mozilla plugin to getattr on all executables
- Allow l2tpd_t to create fifo_files in /var/run
- Allow samba to touch/manage fifo_files or sock_files in a samba_share_t directory
- Allow mdadm to connecto its own unix_stream_socket
- FIXME: nagios changed locations to /log/nagios which is wrong. But we need to have this workaround for now.
- Allow apache to access smokeping pid files
- Allow rabbitmq_beam_t to getattr on all filesystems
- Add systemd support for iodined
- Allow nup_upsdrvctl_t to execute its entrypoint
- Allow fail2ban_client to write to fail2ban_var_run_t, Also allow it to use nsswitch
- add labeling for ~/.cache/libvirt-sandbox
- Add interface to allow domains transitioned to by confined users to send sigchld to screen program
- Allow sysadm_t to check the system status of files labeled etc_t, /etc/fstab
- Allow systemd_localed to start /usr/lib/systemd/system/systemd-vconsole-setup.service
- Allow an domain that has an entrypoint from a type to be allowed to execute the entrypoint without a transition, I can see no case where this is a bad thing, and elminiates a whole class of AVCs.
- Allow staff to getsched all domains, required to run htop
- Add port definition for redis port
- fix selinuxuser_use_ssh_chroot boolean
* Wed Jul 3 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-59 * Wed Jul 3 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-59
- Add prosody policy written by Michael Scherer - Add prosody policy written by Michael Scherer
- Allow nagios plugins to read /sys info - Allow nagios plugins to read /sys info