Fixed issues related to removing docker policy files
This commit is contained in:
parent
f9d97717a8
commit
60d4b2cec9
|
@ -8783,7 +8783,7 @@ index 0b1a871..f260e6f 100644
|
||||||
+allow devices_unconfined_type device_node:{ file chr_file } ~{ execmod entrypoint };
|
+allow devices_unconfined_type device_node:{ file chr_file } ~{ execmod entrypoint };
|
||||||
+allow devices_unconfined_type mtrr_device_t:file ~{ execmod entrypoint };
|
+allow devices_unconfined_type mtrr_device_t:file ~{ execmod entrypoint };
|
||||||
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
|
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
|
||||||
index 6a1e4d1..7ac2831 100644
|
index 6a1e4d1..549967a 100644
|
||||||
--- a/policy/modules/kernel/domain.if
|
--- a/policy/modules/kernel/domain.if
|
||||||
+++ b/policy/modules/kernel/domain.if
|
+++ b/policy/modules/kernel/domain.if
|
||||||
@@ -76,33 +76,8 @@ interface(`domain_type',`
|
@@ -76,33 +76,8 @@ interface(`domain_type',`
|
||||||
|
@ -8945,7 +8945,7 @@ index 6a1e4d1..7ac2831 100644
|
||||||
## Preventing such mappings helps protect against
|
## Preventing such mappings helps protect against
|
||||||
## exploiting null deref bugs in the kernel.
|
## exploiting null deref bugs in the kernel.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -1508,6 +1540,24 @@ interface(`domain_unconfined_signal',`
|
@@ -1508,6 +1540,40 @@ interface(`domain_unconfined_signal',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -8965,12 +8965,28 @@ index 6a1e4d1..7ac2831 100644
|
||||||
+ typeattribute $1 named_filetrans_domain;
|
+ typeattribute $1 named_filetrans_domain;
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
+#####################################
|
||||||
|
+## <summary>
|
||||||
|
+## named_filetrans_domain stub attribute interface. No access allowed.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain" unused="true">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`domain_stub_named_filetrans_domain',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ attribute named_filetrans_domain;
|
||||||
|
+ ')
|
||||||
|
+')
|
||||||
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
## Unconfined access to domains.
|
## Unconfined access to domains.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -1530,4 +1580,63 @@ interface(`domain_unconfined',`
|
@@ -1530,4 +1596,63 @@ interface(`domain_unconfined',`
|
||||||
typeattribute $1 can_change_object_identity;
|
typeattribute $1 can_change_object_identity;
|
||||||
typeattribute $1 set_curr_context;
|
typeattribute $1 set_curr_context;
|
||||||
typeattribute $1 process_uncond_exempt;
|
typeattribute $1 process_uncond_exempt;
|
||||||
|
@ -9035,7 +9051,7 @@ index 6a1e4d1..7ac2831 100644
|
||||||
+ dontaudit $1 domain:dir_file_class_set audit_access;
|
+ dontaudit $1 domain:dir_file_class_set audit_access;
|
||||||
')
|
')
|
||||||
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
|
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
|
||||||
index cf04cb5..005fd45 100644
|
index cf04cb5..04c9593 100644
|
||||||
--- a/policy/modules/kernel/domain.te
|
--- a/policy/modules/kernel/domain.te
|
||||||
+++ b/policy/modules/kernel/domain.te
|
+++ b/policy/modules/kernel/domain.te
|
||||||
@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
|
@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
|
||||||
|
@ -9184,7 +9200,7 @@ index cf04cb5..005fd45 100644
|
||||||
|
|
||||||
# Create/access any System V IPC objects.
|
# Create/access any System V IPC objects.
|
||||||
allow unconfined_domain_type domain:{ sem msgq shm } *;
|
allow unconfined_domain_type domain:{ sem msgq shm } *;
|
||||||
@@ -166,5 +238,361 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
|
@@ -166,5 +238,357 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
|
||||||
# act on all domains keys
|
# act on all domains keys
|
||||||
allow unconfined_domain_type domain:key *;
|
allow unconfined_domain_type domain:key *;
|
||||||
|
|
||||||
|
@ -9305,10 +9321,6 @@ index cf04cb5..005fd45 100644
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ docker_filetrans_named_content(named_filetrans_domain)
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
+optional_policy(`
|
|
||||||
+ dnsmasq_filetrans_named_content(named_filetrans_domain)
|
+ dnsmasq_filetrans_named_content(named_filetrans_domain)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
@ -19587,17 +19599,33 @@ index da11120..621ec5a 100644
|
||||||
init_exec(secadm_t)
|
init_exec(secadm_t)
|
||||||
|
|
||||||
diff --git a/policy/modules/roles/staff.if b/policy/modules/roles/staff.if
|
diff --git a/policy/modules/roles/staff.if b/policy/modules/roles/staff.if
|
||||||
index 234a940..d340f20 100644
|
index 234a940..a92415a 100644
|
||||||
--- a/policy/modules/roles/staff.if
|
--- a/policy/modules/roles/staff.if
|
||||||
+++ b/policy/modules/roles/staff.if
|
+++ b/policy/modules/roles/staff.if
|
||||||
@@ -1,4 +1,4 @@
|
@@ -1,4 +1,20 @@
|
||||||
-## <summary>Administrator's unprivileged user role</summary>
|
-## <summary>Administrator's unprivileged user role</summary>
|
||||||
+## <summary>Administrator's unprivileged user</summary>
|
+## <summary>Administrator's unprivileged user</summary>
|
||||||
|
+
|
||||||
|
+#####################################
|
||||||
|
+## <summary>
|
||||||
|
+## staff stub userdomain interface. No access allowed.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain" unused="true">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`staff_stub',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type staff_t;
|
||||||
|
+ ')
|
||||||
|
+')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
|
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
|
||||||
index 0fef1fc..405687c 100644
|
index 0fef1fc..c57c9cf 100644
|
||||||
--- a/policy/modules/roles/staff.te
|
--- a/policy/modules/roles/staff.te
|
||||||
+++ b/policy/modules/roles/staff.te
|
+++ b/policy/modules/roles/staff.te
|
||||||
@@ -8,12 +8,72 @@ policy_module(staff, 2.4.0)
|
@@ -8,12 +8,72 @@ policy_module(staff, 2.4.0)
|
||||||
|
@ -19673,7 +19701,7 @@ index 0fef1fc..405687c 100644
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
apache_role(staff_r, staff_t)
|
apache_role(staff_r, staff_t)
|
||||||
')
|
')
|
||||||
@@ -23,11 +83,115 @@ optional_policy(`
|
@@ -23,11 +83,110 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -19702,11 +19730,6 @@ index 0fef1fc..405687c 100644
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- git_role(staff_r, staff_t)
|
- git_role(staff_r, staff_t)
|
||||||
+ docker_stream_connect(staff_t)
|
|
||||||
+ docker_exec(staff_t)
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
+optional_policy(`
|
|
||||||
+ dnsmasq_read_pid_files(staff_t)
|
+ dnsmasq_read_pid_files(staff_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
@ -19790,7 +19813,7 @@ index 0fef1fc..405687c 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -35,15 +199,31 @@ optional_policy(`
|
@@ -35,15 +194,31 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -19824,7 +19847,7 @@ index 0fef1fc..405687c 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -52,11 +232,61 @@ optional_policy(`
|
@@ -52,11 +227,61 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -19887,7 +19910,7 @@ index 0fef1fc..405687c 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
ifndef(`distro_redhat',`
|
ifndef(`distro_redhat',`
|
||||||
@@ -65,10 +295,6 @@ ifndef(`distro_redhat',`
|
@@ -65,10 +290,6 @@ ifndef(`distro_redhat',`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -19898,7 +19921,7 @@ index 0fef1fc..405687c 100644
|
||||||
cdrecord_role(staff_r, staff_t)
|
cdrecord_role(staff_r, staff_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -78,10 +304,6 @@ ifndef(`distro_redhat',`
|
@@ -78,10 +299,6 @@ ifndef(`distro_redhat',`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_role_template(staff, staff_r, staff_t)
|
dbus_role_template(staff, staff_r, staff_t)
|
||||||
|
@ -19909,7 +19932,7 @@ index 0fef1fc..405687c 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -101,10 +323,6 @@ ifndef(`distro_redhat',`
|
@@ -101,10 +318,6 @@ ifndef(`distro_redhat',`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -19920,7 +19943,7 @@ index 0fef1fc..405687c 100644
|
||||||
java_role(staff_r, staff_t)
|
java_role(staff_r, staff_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -125,10 +343,6 @@ ifndef(`distro_redhat',`
|
@@ -125,10 +338,6 @@ ifndef(`distro_redhat',`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -19931,7 +19954,7 @@ index 0fef1fc..405687c 100644
|
||||||
pyzor_role(staff_r, staff_t)
|
pyzor_role(staff_r, staff_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -141,10 +355,6 @@ ifndef(`distro_redhat',`
|
@@ -141,10 +350,6 @@ ifndef(`distro_redhat',`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -19942,7 +19965,7 @@ index 0fef1fc..405687c 100644
|
||||||
spamassassin_role(staff_r, staff_t)
|
spamassassin_role(staff_r, staff_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -176,3 +386,22 @@ ifndef(`distro_redhat',`
|
@@ -176,3 +381,22 @@ ifndef(`distro_redhat',`
|
||||||
wireshark_role(staff_r, staff_t)
|
wireshark_role(staff_r, staff_t)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
@ -35440,10 +35463,33 @@ index 6b91740..562d1fd 100644
|
||||||
+/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0)
|
+/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0)
|
||||||
/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
|
/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
|
||||||
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
|
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
|
||||||
index 58bc27f..f5ae583 100644
|
index 58bc27f..65018fa 100644
|
||||||
--- a/policy/modules/system/lvm.if
|
--- a/policy/modules/system/lvm.if
|
||||||
+++ b/policy/modules/system/lvm.if
|
+++ b/policy/modules/system/lvm.if
|
||||||
@@ -86,6 +86,50 @@ interface(`lvm_read_config',`
|
@@ -1,5 +1,22 @@
|
||||||
|
## <summary>Policy for logical volume management programs.</summary>
|
||||||
|
|
||||||
|
+
|
||||||
|
+#####################################
|
||||||
|
+## <summary>
|
||||||
|
+## lvm stub domain interface. No access allowed.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain" unused="true">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`lvm_stub',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type lvm_t;
|
||||||
|
+ ')
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute lvm programs in the lvm domain.
|
||||||
|
@@ -86,6 +103,50 @@ interface(`lvm_read_config',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -35494,7 +35540,7 @@ index 58bc27f..f5ae583 100644
|
||||||
## Manage LVM configuration files.
|
## Manage LVM configuration files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -123,3 +167,131 @@ interface(`lvm_domtrans_clvmd',`
|
@@ -123,3 +184,131 @@ interface(`lvm_domtrans_clvmd',`
|
||||||
corecmd_search_bin($1)
|
corecmd_search_bin($1)
|
||||||
domtrans_pattern($1, clvmd_exec_t, clvmd_t)
|
domtrans_pattern($1, clvmd_exec_t, clvmd_t)
|
||||||
')
|
')
|
||||||
|
@ -35627,7 +35673,7 @@ index 58bc27f..f5ae583 100644
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
|
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
|
||||||
index 79048c4..ce6f0ce 100644
|
index 79048c4..c3a255a 100644
|
||||||
--- a/policy/modules/system/lvm.te
|
--- a/policy/modules/system/lvm.te
|
||||||
+++ b/policy/modules/system/lvm.te
|
+++ b/policy/modules/system/lvm.te
|
||||||
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
|
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
|
||||||
|
@ -35858,14 +35904,10 @@ index 79048c4..ce6f0ce 100644
|
||||||
bootloader_rw_tmp_files(lvm_t)
|
bootloader_rw_tmp_files(lvm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -333,14 +375,34 @@ optional_policy(`
|
@@ -333,14 +375,30 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
+ docker_rw_sem(lvm_t)
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
+optional_policy(`
|
|
||||||
+ livecd_rw_semaphores(lvm_t)
|
+ livecd_rw_semaphores(lvm_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
|
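Review bot: Every docker_* call removed here (`docker_stream_connect(staff_t)` and `docker_exec(staff_t)` in staff.te, `docker_filetrans_named_content(named_filetrans_domain)` in domain.te, `docker_rw_sem(lvm_t)` in lvm.te) sat inside an `optional_policy` block, which only protects against the docker *module* being absent at load time, not against the docker interface file being gone at build time; if docker.if is no longer in the tree, any docker_* call left elsewhere in this patch stays an unexpanded m4 macro and fails checkpolicy, so a grep for `docker_` over the whole patch is worth doing before merge, since only part of it is visible on this page. Dropping `docker_stream_connect`/`docker_exec` from staff_t is also the right least-privilege outcome, because reachability of the docker control socket is effectively root-equivalent for the caller; that rationale would be worth one line in the commit message. In the staff.te hunk the surviving `optional_policy` block now holds only `dnsmasq_read_pid_files(staff_t)`, so the one-module-per-block convention remains intact.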