rpms/selinux-policy
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Fixed issues related to removing docker policy files

Browse Source
This commit is contained in:
Lukas Vrabec 2015-03-19 17:57:47 +01:00
parent f9d97717a8
commit 60d4b2cec9
2 changed files with 447 additions and 383 deletions

112
policy-rawhide-base.patch
View File

@ -8783,7 +8783,7 @@ index 0b1a871..f260e6f 100644
+allow devices_unconfined_type device_node:{ file chr_file } ~{ execmod entrypoint };
+allow devices_unconfined_type mtrr_device_t:file ~{ execmod entrypoint };
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 6a1e4d1..7ac2831 100644
index 6a1e4d1..549967a 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -76,33 +76,8 @@ interface(`domain_type',`
@ -8945,7 +8945,7 @@ index 6a1e4d1..7ac2831 100644
## Preventing such mappings helps protect against
## exploiting null deref bugs in the kernel.
## </summary>
@@ -1508,6 +1540,24 @@ interface(`domain_unconfined_signal',`
@@ -1508,6 +1540,40 @@ interface(`domain_unconfined_signal',`
########################################
## <summary>
@ -8965,12 +8965,28 @@ index 6a1e4d1..7ac2831 100644
+ typeattribute $1 named_filetrans_domain;
+')
+
+#####################################
+## <summary>
+## named_filetrans_domain stub attribute interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`domain_stub_named_filetrans_domain',`
+ gen_require(`
+ attribute named_filetrans_domain;
+ ')
+')
+
+########################################
+## <summary>
## Unconfined access to domains.
## </summary>
## <param name="domain">
@@ -1530,4 +1580,63 @@ interface(`domain_unconfined',`
@@ -1530,4 +1596,63 @@ interface(`domain_unconfined',`
typeattribute $1 can_change_object_identity;
typeattribute $1 set_curr_context;
typeattribute $1 process_uncond_exempt;
@ -9035,7 +9051,7 @@ index 6a1e4d1..7ac2831 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index cf04cb5..005fd45 100644
index cf04cb5..04c9593 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@ -9184,7 +9200,7 @@ index cf04cb5..005fd45 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
@@ -166,5 +238,361 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
@@ -166,5 +238,357 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@ -9305,10 +9321,6 @@ index cf04cb5..005fd45 100644
+')
+
+optional_policy(`
+ docker_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
+ dnsmasq_filetrans_named_content(named_filetrans_domain)
+')
+
@ -19587,17 +19599,33 @@ index da11120..621ec5a 100644
init_exec(secadm_t)
diff --git a/policy/modules/roles/staff.if b/policy/modules/roles/staff.if
index 234a940..d340f20 100644
index 234a940..a92415a 100644
--- a/policy/modules/roles/staff.if
+++ b/policy/modules/roles/staff.if
@@ -1,4 +1,4 @@
@@ -1,4 +1,20 @@
-## <summary>Administrator's unprivileged user role</summary>
+## <summary>Administrator's unprivileged user</summary>
+
+#####################################
+## <summary>
+## staff stub userdomain interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`staff_stub',`
+ gen_require(`
+ type staff_t;
+ ')
+')
########################################
## <summary>
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 0fef1fc..405687c 100644
index 0fef1fc..c57c9cf 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,72 @@ policy_module(staff, 2.4.0)
@ -19673,7 +19701,7 @@ index 0fef1fc..405687c 100644
optional_policy(`
apache_role(staff_r, staff_t)
')
@@ -23,11 +83,115 @@ optional_policy(`
@@ -23,11 +83,110 @@ optional_policy(`
')
optional_policy(`
@ -19702,11 +19730,6 @@ index 0fef1fc..405687c 100644
optional_policy(`
- git_role(staff_r, staff_t)
+ docker_stream_connect(staff_t)
+ docker_exec(staff_t)
+')
+
+optional_policy(`
+ dnsmasq_read_pid_files(staff_t)
+')
+
@ -19790,7 +19813,7 @@ index 0fef1fc..405687c 100644
')
optional_policy(`
@@ -35,15 +199,31 @@ optional_policy(`
@@ -35,15 +194,31 @@ optional_policy(`
')
optional_policy(`
@ -19824,7 +19847,7 @@ index 0fef1fc..405687c 100644
')
optional_policy(`
@@ -52,11 +232,61 @@ optional_policy(`
@@ -52,11 +227,61 @@ optional_policy(`
')
optional_policy(`
@ -19887,7 +19910,7 @@ index 0fef1fc..405687c 100644
')
ifndef(`distro_redhat',`
@@ -65,10 +295,6 @@ ifndef(`distro_redhat',`
@@ -65,10 +290,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@ -19898,7 +19921,7 @@ index 0fef1fc..405687c 100644
cdrecord_role(staff_r, staff_t)
')
@@ -78,10 +304,6 @@ ifndef(`distro_redhat',`
@@ -78,10 +299,6 @@ ifndef(`distro_redhat',`
optional_policy(`
dbus_role_template(staff, staff_r, staff_t)
@ -19909,7 +19932,7 @@ index 0fef1fc..405687c 100644
')
optional_policy(`
@@ -101,10 +323,6 @@ ifndef(`distro_redhat',`
@@ -101,10 +318,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@ -19920,7 +19943,7 @@ index 0fef1fc..405687c 100644
java_role(staff_r, staff_t)
')
@@ -125,10 +343,6 @@ ifndef(`distro_redhat',`
@@ -125,10 +338,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@ -19931,7 +19954,7 @@ index 0fef1fc..405687c 100644
pyzor_role(staff_r, staff_t)
')
@@ -141,10 +355,6 @@ ifndef(`distro_redhat',`
@@ -141,10 +350,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@ -19942,7 +19965,7 @@ index 0fef1fc..405687c 100644
spamassassin_role(staff_r, staff_t)
')
@@ -176,3 +386,22 @@ ifndef(`distro_redhat',`
@@ -176,3 +381,22 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
@ -35440,10 +35463,33 @@ index 6b91740..562d1fd 100644
+/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0)
/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index 58bc27f..f5ae583 100644
index 58bc27f..65018fa 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -86,6 +86,50 @@ interface(`lvm_read_config',`
@@ -1,5 +1,22 @@
## <summary>Policy for logical volume management programs.</summary>
+
+#####################################
+## <summary>
+## lvm stub domain interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`lvm_stub',`
+ gen_require(`
+ type lvm_t;
+ ')
+')
+
########################################
## <summary>
## Execute lvm programs in the lvm domain.
@@ -86,6 +103,50 @@ interface(`lvm_read_config',`
########################################
## <summary>
@ -35494,7 +35540,7 @@ index 58bc27f..f5ae583 100644
## Manage LVM configuration files.
## </summary>
## <param name="domain">
@@ -123,3 +167,131 @@ interface(`lvm_domtrans_clvmd',`
@@ -123,3 +184,131 @@ interface(`lvm_domtrans_clvmd',`
corecmd_search_bin($1)
domtrans_pattern($1, clvmd_exec_t, clvmd_t)
')
@ -35627,7 +35673,7 @@ index 58bc27f..f5ae583 100644
+')
+
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 79048c4..ce6f0ce 100644
index 79048c4..c3a255a 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@ -35858,14 +35904,10 @@ index 79048c4..ce6f0ce 100644
bootloader_rw_tmp_files(lvm_t)
')
@@ -333,14 +375,34 @@ optional_policy(`
@@ -333,14 +375,30 @@ optional_policy(`
')
optional_policy(`
+ docker_rw_sem(lvm_t)
+')
+
+optional_policy(`
+ livecd_rw_semaphores(lvm_t)
+')
+

718
policy-rawhide-contrib.patch
View File

File diff suppressed because it is too large Load Diff