* Tue Aug 16 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-209
- Fix lsm SELinux module - Dontaudit firewalld to create dirs in /root/ BZ(1340611) - Label /run/corosync-qdevice and /run/corosync-qnetd as corosync_var_run_t - Allow fprintd and cluster domains to communicate via dbus BZ(1355774) - Allow cupsd_config_t domain to read cupsd_var_run_t sock_file. BZ(1361299) - Add sys_admin capability to sbd domain - Allow vdagent to communicate with systemd-logind via dbus - Allow lsmd_plugin_t domain to create fixed_disk device. - Allow opendnssec domain to create and manage own tmp dirs/files - Allow opendnssec domain to read system state - Allow systemd_logind to stop system init_t - Add interface init_stop() - Add interface userdom_dontaudit_create_admin_dir() - Label /var/run/storaged as lvm_var_run_t. - Allow unconfineduser to run ipa_helper_t.
This commit is contained in:
parent
0762fb6259
commit
6140a0daa8
Binary file not shown.
@ -27111,10 +27111,10 @@ index 0000000..15b42ae
|
|||||||
+
|
+
|
||||||
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
|
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..270e9a8
|
index 0000000..a298e23
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/roles/unconfineduser.te
|
+++ b/policy/modules/roles/unconfineduser.te
|
||||||
@@ -0,0 +1,350 @@
|
@@ -0,0 +1,354 @@
|
||||||
+policy_module(unconfineduser, 1.0.0)
|
+policy_module(unconfineduser, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -27422,6 +27422,10 @@ index 0000000..270e9a8
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
|
+ ipa_run_helper(unconfined_t, unconfined_r)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
+ oddjob_run_mkhomedir(unconfined_t, unconfined_r)
|
+ oddjob_run_mkhomedir(unconfined_t, unconfined_r)
|
||||||
+ oddjob_run(unconfined_t, unconfined_r)
|
+ oddjob_run(unconfined_t, unconfined_r)
|
||||||
+')
|
+')
|
||||||
@ -35568,7 +35572,7 @@ index bc0ffc8..37b8ea5 100644
|
|||||||
')
|
')
|
||||||
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
|
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
|
||||||
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
|
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
|
||||||
index 79a45f6..9926eaf 100644
|
index 79a45f6..d092e6e 100644
|
||||||
--- a/policy/modules/system/init.if
|
--- a/policy/modules/system/init.if
|
||||||
+++ b/policy/modules/system/init.if
|
+++ b/policy/modules/system/init.if
|
||||||
@@ -1,5 +1,21 @@
|
@@ -1,5 +1,21 @@
|
||||||
@ -36611,7 +36615,7 @@ index 79a45f6..9926eaf 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1806,37 +2294,690 @@ interface(`init_pid_filetrans_utmp',`
|
@@ -1806,37 +2294,708 @@ interface(`init_pid_filetrans_utmp',`
|
||||||
files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
|
files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -37039,6 +37043,24 @@ index 79a45f6..9926eaf 100644
|
|||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
|
+## Stop system from init
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`init_stop',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type init_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 init_t:system stop;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
+## Start system from init
|
+## Start system from init
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
@ -41815,7 +41837,7 @@ index 59b04c1..6810e0b 100644
|
|||||||
+
|
+
|
||||||
+logging_stream_connect_syslog(syslog_client_type)
|
+logging_stream_connect_syslog(syslog_client_type)
|
||||||
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
|
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
|
||||||
index 6b91740..7c98978 100644
|
index 6b91740..7724116 100644
|
||||||
--- a/policy/modules/system/lvm.fc
|
--- a/policy/modules/system/lvm.fc
|
||||||
+++ b/policy/modules/system/lvm.fc
|
+++ b/policy/modules/system/lvm.fc
|
||||||
@@ -23,6 +23,8 @@ ifdef(`distro_gentoo',`
|
@@ -23,6 +23,8 @@ ifdef(`distro_gentoo',`
|
||||||
@ -41936,7 +41958,7 @@ index 6b91740..7c98978 100644
|
|||||||
|
|
||||||
#
|
#
|
||||||
# /var
|
# /var
|
||||||
@@ -98,5 +174,9 @@ ifdef(`distro_gentoo',`
|
@@ -98,5 +174,11 @@ ifdef(`distro_gentoo',`
|
||||||
/var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
|
/var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
|
||||||
/var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
|
/var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
|
||||||
/var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
|
/var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
|
||||||
@ -41946,6 +41968,8 @@ index 6b91740..7c98978 100644
|
|||||||
/var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0)
|
/var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0)
|
||||||
+/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0)
|
+/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0)
|
||||||
/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
|
/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
|
||||||
|
+
|
||||||
|
+/var/run/storaged(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0)
|
||||||
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
|
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
|
||||||
index 58bc27f..9e86fce 100644
|
index 58bc27f..9e86fce 100644
|
||||||
--- a/policy/modules/system/lvm.if
|
--- a/policy/modules/system/lvm.if
|
||||||
@ -48905,10 +48929,10 @@ index 0000000..16cd1ac
|
|||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..ceca7a3
|
index 0000000..e77911b
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/system/systemd.te
|
+++ b/policy/modules/system/systemd.te
|
||||||
@@ -0,0 +1,964 @@
|
@@ -0,0 +1,965 @@
|
||||||
+policy_module(systemd, 1.0.0)
|
+policy_module(systemd, 1.0.0)
|
||||||
+
|
+
|
||||||
+#######################################
|
+#######################################
|
||||||
@ -49137,6 +49161,7 @@ index 0000000..ceca7a3
|
|||||||
+
|
+
|
||||||
+init_status(systemd_logind_t)
|
+init_status(systemd_logind_t)
|
||||||
+init_start(systemd_logind_t)
|
+init_start(systemd_logind_t)
|
||||||
|
+init_stop(systemd_logind_t)
|
||||||
+init_signal(systemd_logind_t)
|
+init_signal(systemd_logind_t)
|
||||||
+init_reboot(systemd_logind_t)
|
+init_reboot(systemd_logind_t)
|
||||||
+init_halt(systemd_logind_t)
|
+init_halt(systemd_logind_t)
|
||||||
@ -51288,7 +51313,7 @@ index db75976..c54480a 100644
|
|||||||
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
|
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
|
||||||
+
|
+
|
||||||
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
|
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
|
||||||
index 9dc60c6..420907f 100644
|
index 9dc60c6..beadc1e 100644
|
||||||
--- a/policy/modules/system/userdomain.if
|
--- a/policy/modules/system/userdomain.if
|
||||||
+++ b/policy/modules/system/userdomain.if
|
+++ b/policy/modules/system/userdomain.if
|
||||||
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
|
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
|
||||||
@ -54590,7 +54615,7 @@ index 9dc60c6..420907f 100644
|
|||||||
## Create keys for all user domains.
|
## Create keys for all user domains.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -3435,4 +4628,1781 @@ interface(`userdom_dbus_send_all_users',`
|
@@ -3435,4 +4628,1799 @@ interface(`userdom_dbus_send_all_users',`
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 userdomain:dbus send_msg;
|
allow $1 userdomain:dbus send_msg;
|
||||||
@ -54782,6 +54807,24 @@ index 9dc60c6..420907f 100644
|
|||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
|
+## dontaudit create dirs /root
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain to not audit.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`userdom_dontaudit_create_admin_dir',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type admin_home_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ dontaudit $1 admin_home_t:dir create_dir_perms;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
+## RW unpriviledged user SysV sempaphores.
|
+## RW unpriviledged user SysV sempaphores.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
|
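Review bot: The summary of the new `userdom_dontaudit_create_admin_dir` interface, `## dontaudit create dirs /root`, is a terse note rather than the sentence-style summary the surrounding interfaces in userdomain.if use (e.g. `## Create keys for all user domains.` in the context above), so it reads oddly in the generated interface documentation. Suggest `## Do not audit attempts to create directories in the root user's home directory (admin_home_t).` and keep `## Domain to not audit.` for the parameter as written. The rule itself only silences the AVC record; a caller such as firewalld_t still fails the mkdir in /root, which matches the intent stated for BZ(1340611) in the commit description. The hunk shows only the tail of the new interface's neighbour, whose body continues past it.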
@ -16971,7 +16971,7 @@ index bd18063..47c8fd0 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
policykit_domtrans_auth(consolekit_t)
|
policykit_domtrans_auth(consolekit_t)
|
||||||
diff --git a/corosync.fc b/corosync.fc
|
diff --git a/corosync.fc b/corosync.fc
|
||||||
index da39f0f..6a96733 100644
|
index da39f0f..b26d3e0 100644
|
||||||
--- a/corosync.fc
|
--- a/corosync.fc
|
||||||
+++ b/corosync.fc
|
+++ b/corosync.fc
|
||||||
@@ -1,5 +1,7 @@
|
@@ -1,5 +1,7 @@
|
||||||
@ -16982,6 +16982,12 @@ index da39f0f..6a96733 100644
|
|||||||
/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
|
/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
|
||||||
/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0)
|
/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0)
|
||||||
|
|
||||||
|
@@ -10,3 +12,5 @@
|
||||||
|
/var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0)
|
||||||
|
/var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0)
|
||||||
|
/var/run/rsctmp(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0)
|
||||||
|
+/var/run/corosync-qdevice(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0)
|
||||||
|
+/var/run/corosync-qnetd(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0)
|
||||||
diff --git a/corosync.if b/corosync.if
|
diff --git a/corosync.if b/corosync.if
|
||||||
index 694a037..d859681 100644
|
index 694a037..d859681 100644
|
||||||
--- a/corosync.if
|
--- a/corosync.if
|
||||||
@ -20797,7 +20803,7 @@ index 3023be7..4f0fe46 100644
|
|||||||
+ files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
|
+ files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
|
||||||
')
|
')
|
||||||
diff --git a/cups.te b/cups.te
|
diff --git a/cups.te b/cups.te
|
||||||
index c91813c..8aececf 100644
|
index c91813c..71b61c4 100644
|
||||||
--- a/cups.te
|
--- a/cups.te
|
||||||
+++ b/cups.te
|
+++ b/cups.te
|
||||||
@@ -5,19 +5,31 @@ policy_module(cups, 1.16.2)
|
@@ -5,19 +5,31 @@ policy_module(cups, 1.16.2)
|
||||||
@ -21199,7 +21205,11 @@ index c91813c..8aececf 100644
|
|||||||
allow cupsd_config_t cupsd_t:process signal;
|
allow cupsd_config_t cupsd_t:process signal;
|
||||||
ps_process_pattern(cupsd_config_t, cupsd_t)
|
ps_process_pattern(cupsd_config_t, cupsd_t)
|
||||||
|
|
||||||
@@ -370,20 +434,19 @@ allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
|
@@ -367,23 +431,23 @@ manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
|
||||||
|
files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
|
||||||
|
|
||||||
|
allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
|
||||||
|
+allow cupsd_config_t cupsd_var_run_t:sock_file read_file_perms;
|
||||||
|
|
||||||
manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
|
manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
|
||||||
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
|
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
|
||||||
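Review bot: The added line `allow cupsd_config_t cupsd_var_run_t:sock_file read_file_perms;` uses the file-class permission set on a sock_file; refpolicy provides the class-specific set for this, so the idiomatic form is `allow cupsd_config_t cupsd_var_run_t:sock_file read_sock_file_perms;`, which also drops the `lock`/`ioctl` permissions that `read_file_perms` carries and that a read of a socket node does not need. If the underlying denial from BZ(1361299) is actually cupsd_config_t connecting to the cupsd socket rather than stat/open on it, `stream_connect_pattern(cupsd_config_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)` would be the rule to use instead; the bug is not visible here, so that is for the author to confirm. The rest of the hunk only shifts the inner hunk header and context (`@@ -367,23 +431,23 @@`).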
@ -21223,7 +21233,7 @@ index c91813c..8aececf 100644
|
|||||||
corenet_all_recvfrom_netlabel(cupsd_config_t)
|
corenet_all_recvfrom_netlabel(cupsd_config_t)
|
||||||
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
|
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
|
||||||
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
|
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
|
||||||
@@ -392,20 +455,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
|
@@ -392,20 +456,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
|
||||||
corenet_sendrecv_all_client_packets(cupsd_config_t)
|
corenet_sendrecv_all_client_packets(cupsd_config_t)
|
||||||
corenet_tcp_connect_all_ports(cupsd_config_t)
|
corenet_tcp_connect_all_ports(cupsd_config_t)
|
||||||
|
|
||||||
@ -21244,7 +21254,7 @@ index c91813c..8aececf 100644
|
|||||||
fs_search_auto_mountpoints(cupsd_config_t)
|
fs_search_auto_mountpoints(cupsd_config_t)
|
||||||
|
|
||||||
domain_use_interactive_fds(cupsd_config_t)
|
domain_use_interactive_fds(cupsd_config_t)
|
||||||
@@ -417,11 +472,6 @@ auth_use_nsswitch(cupsd_config_t)
|
@@ -417,11 +473,6 @@ auth_use_nsswitch(cupsd_config_t)
|
||||||
|
|
||||||
logging_send_syslog_msg(cupsd_config_t)
|
logging_send_syslog_msg(cupsd_config_t)
|
||||||
|
|
||||||
@ -21256,7 +21266,7 @@ index c91813c..8aececf 100644
|
|||||||
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
|
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
|
||||||
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
|
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
|
||||||
userdom_read_all_users_state(cupsd_config_t)
|
userdom_read_all_users_state(cupsd_config_t)
|
||||||
@@ -449,9 +499,12 @@ optional_policy(`
|
@@ -449,9 +500,12 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -21270,7 +21280,7 @@ index c91813c..8aececf 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -467,6 +520,10 @@ optional_policy(`
|
@@ -467,6 +521,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -21281,7 +21291,7 @@ index c91813c..8aececf 100644
|
|||||||
rpm_read_db(cupsd_config_t)
|
rpm_read_db(cupsd_config_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -487,10 +544,6 @@ optional_policy(`
|
@@ -487,10 +545,6 @@ optional_policy(`
|
||||||
# Lpd local policy
|
# Lpd local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -21292,7 +21302,7 @@ index c91813c..8aececf 100644
|
|||||||
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
||||||
|
|
||||||
allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
|
allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
|
||||||
@@ -508,15 +561,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
|
@@ -508,15 +562,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
|
||||||
|
|
||||||
kernel_read_kernel_sysctls(cupsd_lpd_t)
|
kernel_read_kernel_sysctls(cupsd_lpd_t)
|
||||||
kernel_read_system_state(cupsd_lpd_t)
|
kernel_read_system_state(cupsd_lpd_t)
|
||||||
@ -21310,7 +21320,7 @@ index c91813c..8aececf 100644
|
|||||||
corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
|
corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
|
||||||
|
|
||||||
corenet_sendrecv_printer_server_packets(cupsd_lpd_t)
|
corenet_sendrecv_printer_server_packets(cupsd_lpd_t)
|
||||||
@@ -537,9 +590,6 @@ auth_use_nsswitch(cupsd_lpd_t)
|
@@ -537,9 +591,6 @@ auth_use_nsswitch(cupsd_lpd_t)
|
||||||
|
|
||||||
logging_send_syslog_msg(cupsd_lpd_t)
|
logging_send_syslog_msg(cupsd_lpd_t)
|
||||||
|
|
||||||
@ -21320,7 +21330,7 @@ index c91813c..8aececf 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
|
inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
|
||||||
')
|
')
|
||||||
@@ -550,7 +600,6 @@ optional_policy(`
|
@@ -550,7 +601,6 @@ optional_policy(`
|
||||||
#
|
#
|
||||||
|
|
||||||
allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
|
allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
|
||||||
@ -21328,7 +21338,7 @@ index c91813c..8aececf 100644
|
|||||||
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
|
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
|
||||||
append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
|
append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
|
||||||
@@ -566,148 +615,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
|
@@ -566,148 +616,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
|
||||||
|
|
||||||
kernel_read_system_state(cups_pdf_t)
|
kernel_read_system_state(cups_pdf_t)
|
||||||
|
|
||||||
@ -21480,7 +21490,7 @@ index c91813c..8aececf 100644
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@@ -735,7 +659,6 @@ kernel_read_kernel_sysctls(ptal_t)
|
@@ -735,7 +660,6 @@ kernel_read_kernel_sysctls(ptal_t)
|
||||||
kernel_list_proc(ptal_t)
|
kernel_list_proc(ptal_t)
|
||||||
kernel_read_proc_symlinks(ptal_t)
|
kernel_read_proc_symlinks(ptal_t)
|
||||||
|
|
||||||
@ -21488,7 +21498,7 @@ index c91813c..8aececf 100644
|
|||||||
corenet_all_recvfrom_netlabel(ptal_t)
|
corenet_all_recvfrom_netlabel(ptal_t)
|
||||||
corenet_tcp_sendrecv_generic_if(ptal_t)
|
corenet_tcp_sendrecv_generic_if(ptal_t)
|
||||||
corenet_tcp_sendrecv_generic_node(ptal_t)
|
corenet_tcp_sendrecv_generic_node(ptal_t)
|
||||||
@@ -745,13 +668,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
|
@@ -745,13 +669,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
|
||||||
corenet_tcp_bind_ptal_port(ptal_t)
|
corenet_tcp_bind_ptal_port(ptal_t)
|
||||||
corenet_tcp_sendrecv_ptal_port(ptal_t)
|
corenet_tcp_sendrecv_ptal_port(ptal_t)
|
||||||
|
|
||||||
@ -21502,7 +21512,7 @@ index c91813c..8aececf 100644
|
|||||||
files_read_etc_runtime_files(ptal_t)
|
files_read_etc_runtime_files(ptal_t)
|
||||||
|
|
||||||
fs_getattr_all_fs(ptal_t)
|
fs_getattr_all_fs(ptal_t)
|
||||||
@@ -759,8 +680,6 @@ fs_search_auto_mountpoints(ptal_t)
|
@@ -759,8 +681,6 @@ fs_search_auto_mountpoints(ptal_t)
|
||||||
|
|
||||||
logging_send_syslog_msg(ptal_t)
|
logging_send_syslog_msg(ptal_t)
|
||||||
|
|
||||||
@ -21511,7 +21521,7 @@ index c91813c..8aececf 100644
|
|||||||
sysnet_read_config(ptal_t)
|
sysnet_read_config(ptal_t)
|
||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fds(ptal_t)
|
userdom_dontaudit_use_unpriv_user_fds(ptal_t)
|
||||||
@@ -773,3 +692,4 @@ optional_policy(`
|
@@ -773,3 +693,4 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
udev_read_db(ptal_t)
|
udev_read_db(ptal_t)
|
||||||
')
|
')
|
||||||
@ -28863,7 +28873,7 @@ index c62c567..a74f123 100644
|
|||||||
+ allow $1 firewalld_unit_file_t:service all_service_perms;
|
+ allow $1 firewalld_unit_file_t:service all_service_perms;
|
||||||
')
|
')
|
||||||
diff --git a/firewalld.te b/firewalld.te
|
diff --git a/firewalld.te b/firewalld.te
|
||||||
index 98072a3..9670e41 100644
|
index 98072a3..e42654a 100644
|
||||||
--- a/firewalld.te
|
--- a/firewalld.te
|
||||||
+++ b/firewalld.te
|
+++ b/firewalld.te
|
||||||
@@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t)
|
@@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t)
|
||||||
@ -28907,7 +28917,7 @@ index 98072a3..9670e41 100644
|
|||||||
|
|
||||||
kernel_read_network_state(firewalld_t)
|
kernel_read_network_state(firewalld_t)
|
||||||
kernel_read_system_state(firewalld_t)
|
kernel_read_system_state(firewalld_t)
|
||||||
@@ -63,20 +77,23 @@ dev_search_sysfs(firewalld_t)
|
@@ -63,20 +77,25 @@ dev_search_sysfs(firewalld_t)
|
||||||
|
|
||||||
domain_use_interactive_fds(firewalld_t)
|
domain_use_interactive_fds(firewalld_t)
|
||||||
|
|
||||||
@ -28935,10 +28945,12 @@ index 98072a3..9670e41 100644
|
|||||||
+sysnet_manage_config(firewalld_t)
|
+sysnet_manage_config(firewalld_t)
|
||||||
+sysnet_relabelfrom_net_conf(firewalld_t)
|
+sysnet_relabelfrom_net_conf(firewalld_t)
|
||||||
+sysnet_relabelto_net_conf(firewalld_t)
|
+sysnet_relabelto_net_conf(firewalld_t)
|
||||||
|
+
|
||||||
|
+userdom_dontaudit_create_admin_dir(firewalld_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_system_domain(firewalld_t, firewalld_exec_t)
|
dbus_system_domain(firewalld_t, firewalld_exec_t)
|
||||||
@@ -95,6 +112,10 @@ optional_policy(`
|
@@ -95,6 +114,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -29267,7 +29279,7 @@ index 5010f04..3b73741 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
diff --git a/fprintd.te b/fprintd.te
|
diff --git a/fprintd.te b/fprintd.te
|
||||||
index 92a6479..59a65a4 100644
|
index 92a6479..f064c94 100644
|
||||||
--- a/fprintd.te
|
--- a/fprintd.te
|
||||||
+++ b/fprintd.te
|
+++ b/fprintd.te
|
||||||
@@ -18,25 +18,29 @@ files_type(fprintd_var_lib_t)
|
@@ -18,25 +18,29 @@ files_type(fprintd_var_lib_t)
|
||||||
@ -29303,7 +29315,7 @@ index 92a6479..59a65a4 100644
|
|||||||
|
|
||||||
userdom_use_user_ptys(fprintd_t)
|
userdom_use_user_ptys(fprintd_t)
|
||||||
userdom_read_all_users_state(fprintd_t)
|
userdom_read_all_users_state(fprintd_t)
|
||||||
@@ -54,8 +58,17 @@ optional_policy(`
|
@@ -54,8 +58,21 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -29316,6 +29328,10 @@ index 92a6479..59a65a4 100644
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
|
+ rhcs_dbus_chat_cluster(fprintd_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
+ udev_read_db(fprintd_t)
|
+ udev_read_db(fprintd_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
@ -46858,7 +46874,7 @@ index d314333..27ede09 100644
|
|||||||
+ ')
|
+ ')
|
||||||
')
|
')
|
||||||
diff --git a/lsm.te b/lsm.te
|
diff --git a/lsm.te b/lsm.te
|
||||||
index 4ec0eea..693d9ae 100644
|
index 4ec0eea..1400ca8 100644
|
||||||
--- a/lsm.te
|
--- a/lsm.te
|
||||||
+++ b/lsm.te
|
+++ b/lsm.te
|
||||||
@@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0)
|
@@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0)
|
||||||
@ -46900,7 +46916,7 @@ index 4ec0eea..693d9ae 100644
|
|||||||
allow lsmd_t self:unix_stream_socket create_stream_socket_perms;
|
allow lsmd_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
|
||||||
manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
|
manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
|
||||||
@@ -26,4 +44,71 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
|
@@ -26,4 +44,72 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
|
||||||
manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
|
manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
|
||||||
files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
|
files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
|
||||||
|
|
||||||
@ -46969,6 +46985,7 @@ index 4ec0eea..693d9ae 100644
|
|||||||
+sysnet_read_config(lsmd_plugin_t)
|
+sysnet_read_config(lsmd_plugin_t)
|
||||||
+
|
+
|
||||||
+storage_raw_rw_fixed_disk(lsmd_plugin_t)
|
+storage_raw_rw_fixed_disk(lsmd_plugin_t)
|
||||||
|
+storage_create_fixed_disk_dev(lsmd_plugin_t)
|
||||||
+storage_read_scsi_generic(lsmd_plugin_t)
|
+storage_read_scsi_generic(lsmd_plugin_t)
|
||||||
+storage_write_scsi_generic(lsmd_plugin_t)
|
+storage_write_scsi_generic(lsmd_plugin_t)
|
||||||
+storage_dev_filetrans_named_fixed_disk(lsmd_plugin_t)
|
+storage_dev_filetrans_named_fixed_disk(lsmd_plugin_t)
|
||||||
@ -64243,10 +64260,10 @@ index 0000000..eac3932
|
|||||||
+')
|
+')
|
||||||
diff --git a/opendnssec.te b/opendnssec.te
|
diff --git a/opendnssec.te b/opendnssec.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..83507cf
|
index 0000000..e246d45
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/opendnssec.te
|
+++ b/opendnssec.te
|
||||||
@@ -0,0 +1,59 @@
|
@@ -0,0 +1,68 @@
|
||||||
+policy_module(opendnssec, 1.0.0)
|
+policy_module(opendnssec, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -64267,6 +64284,9 @@ index 0000000..83507cf
|
|||||||
+type opendnssec_var_run_t;
|
+type opendnssec_var_run_t;
|
||||||
+files_pid_file(opendnssec_var_run_t)
|
+files_pid_file(opendnssec_var_run_t)
|
||||||
+
|
+
|
||||||
|
+type opendnssec_tmp_t;
|
||||||
|
+files_tmp_file(opendnssec_tmp_t)
|
||||||
|
+
|
||||||
+type opendnssec_unit_file_t;
|
+type opendnssec_unit_file_t;
|
||||||
+systemd_unit_file(opendnssec_unit_file_t)
|
+systemd_unit_file(opendnssec_unit_file_t)
|
||||||
+
|
+
|
||||||
@ -64292,6 +64312,12 @@ index 0000000..83507cf
|
|||||||
+manage_sock_files_pattern(opendnssec_t, opendnssec_var_run_t, opendnssec_var_run_t)
|
+manage_sock_files_pattern(opendnssec_t, opendnssec_var_run_t, opendnssec_var_run_t)
|
||||||
+files_pid_filetrans(opendnssec_t, opendnssec_var_run_t, { dir file lnk_file })
|
+files_pid_filetrans(opendnssec_t, opendnssec_var_run_t, { dir file lnk_file })
|
||||||
+
|
+
|
||||||
|
+manage_dirs_pattern(opendnssec_t, opendnssec_tmp_t, opendnssec_tmp_t)
|
||||||
|
+manage_files_pattern(opendnssec_t, opendnssec_tmp_t, opendnssec_tmp_t)
|
||||||
|
+files_tmp_filetrans(opendnssec_t, opendnssec_tmp_t, { file dir })
|
||||||
|
+
|
||||||
|
+kernel_read_system_state(opendnssec_t)
|
||||||
|
+
|
||||||
+auth_use_nsswitch(opendnssec_t)
|
+auth_use_nsswitch(opendnssec_t)
|
||||||
+
|
+
|
||||||
+corecmd_exec_bin(opendnssec_t)
|
+corecmd_exec_bin(opendnssec_t)
|
||||||
@ -97645,7 +97671,7 @@ index 0000000..7a058a8
|
|||||||
+')
|
+')
|
||||||
diff --git a/sbd.te b/sbd.te
|
diff --git a/sbd.te b/sbd.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..f6e5b0f
|
index 0000000..95a5182
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/sbd.te
|
+++ b/sbd.te
|
||||||
@@ -0,0 +1,52 @@
|
@@ -0,0 +1,52 @@
|
||||||
@ -97670,7 +97696,7 @@ index 0000000..f6e5b0f
|
|||||||
+#
|
+#
|
||||||
+# sbd local policy
|
+# sbd local policy
|
||||||
+#
|
+#
|
||||||
+allow sbd_t self:capability { dac_override ipc_lock sys_nice };
|
+allow sbd_t self:capability { dac_override ipc_lock sys_nice sys_admin};
|
||||||
+allow sbd_t self:process { fork setsched signal_perms };
|
+allow sbd_t self:process { fork setsched signal_perms };
|
||||||
+allow sbd_t self:fifo_file rw_fifo_file_perms;
|
+allow sbd_t self:fifo_file rw_fifo_file_perms;
|
||||||
+allow sbd_t self:unix_stream_socket create_stream_socket_perms;
|
+allow sbd_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
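Review bot: `sys_admin` is added to sbd_t's self capability set with no comment and, per the changelog entry, no bug reference saying which operation of sbd requires it; since sys_admin covers a very wide range of privileged operations, the rule should state the specific need so a later reviewer can judge whether a narrower permission would do. The line also lacks the closing space refpolicy uses in permission sets: `allow sbd_t self:capability { dac_override ipc_lock sys_nice sys_admin };`. Suggest a preceding comment of the form `# sys_admin: needed for <operation from the denial — TODO fill in>`, with the concrete operation taken from the AVC that motivated the change. The rest of sbd.te is outside this hunk.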
@ -110953,7 +110979,7 @@ index 31c752e..ef52235 100644
|
|||||||
init_labeled_script_domtrans($1, vdagentd_initrc_exec_t)
|
init_labeled_script_domtrans($1, vdagentd_initrc_exec_t)
|
||||||
domain_system_change_exemption($1)
|
domain_system_change_exemption($1)
|
||||||
diff --git a/vdagent.te b/vdagent.te
|
diff --git a/vdagent.te b/vdagent.te
|
||||||
index 87da8a2..4ca0271 100644
|
index 87da8a2..4be1fcb 100644
|
||||||
--- a/vdagent.te
|
--- a/vdagent.te
|
||||||
+++ b/vdagent.te
|
+++ b/vdagent.te
|
||||||
@@ -25,6 +25,7 @@ logging_log_file(vdagent_log_t)
|
@@ -25,6 +25,7 @@ logging_log_file(vdagent_log_t)
|
||||||
@ -110964,7 +110990,7 @@ index 87da8a2..4ca0271 100644
|
|||||||
allow vdagent_t self:fifo_file rw_fifo_file_perms;
|
allow vdagent_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow vdagent_t self:unix_stream_socket { accept listen };
|
allow vdagent_t self:unix_stream_socket { accept listen };
|
||||||
|
|
||||||
@@ -39,23 +40,28 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
|
@@ -39,23 +40,29 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
|
||||||
setattr_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
|
setattr_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
|
||||||
logging_log_filetrans(vdagent_t, vdagent_log_t, file)
|
logging_log_filetrans(vdagent_t, vdagent_log_t, file)
|
||||||
|
|
||||||
@ -110985,6 +111011,7 @@ index 87da8a2..4ca0271 100644
|
|||||||
-logging_send_syslog_msg(vdagent_t)
|
-logging_send_syslog_msg(vdagent_t)
|
||||||
+systemd_read_logind_sessions_files(vdagent_t)
|
+systemd_read_logind_sessions_files(vdagent_t)
|
||||||
+systemd_login_read_pid_files(vdagent_t)
|
+systemd_login_read_pid_files(vdagent_t)
|
||||||
|
+systemd_dbus_chat_logind(vdagent_t)
|
||||||
|
|
||||||
-miscfiles_read_localization(vdagent_t)
|
-miscfiles_read_localization(vdagent_t)
|
||||||
+logging_send_syslog_msg(vdagent_t)
|
+logging_send_syslog_msg(vdagent_t)
|
||||||
|
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.13.1
|
Version: 3.13.1
|
||||||
Release: 208%{?dist}
|
Release: 209%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -648,6 +648,23 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Aug 16 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-209
|
||||||
|
- Fix lsm SELinux module
|
||||||
|
- Dontaudit firewalld to create dirs in /root/ BZ(1340611)
|
||||||
|
- Label /run/corosync-qdevice and /run/corosync-qnetd as corosync_var_run_t
|
||||||
|
- Allow fprintd and cluster domains to cummunicate via dbus BZ(1355774)
|
||||||
|
- Allow cupsd_config_t domain to read cupsd_var_run_t sock_file. BZ(1361299)
|
||||||
|
- Add sys_admin capability to sbd domain
|
||||||
|
- Allow vdagent to comunnicate with systemd-logind via dbus
|
||||||
|
- Allow lsmd_plugin_t domain to create fixed_disk device.
|
||||||
|
- Allow opendnssec domain to create and manage own tmp dirs/files
|
||||||
|
- Allow opendnssec domain to read system state
|
||||||
|
- Allow systemd_logind stop system init_t
|
||||||
|
- Add interface init_stop()
|
||||||
|
- Add interface userdom_dontaudit_create_admin_dir()
|
||||||
|
- Label /var/run/storaged as lvm_var_run_t.
|
||||||
|
- Allow unconfineduser to run ipa_helper_t.
|
||||||
|
|
||||||
* Fri Aug 12 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-208
|
* Fri Aug 12 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-208
|
||||||
- Allow cups_config_t domain also mange sock_files. BZ(1361299)
|
- Allow cups_config_t domain also mange sock_files. BZ(1361299)
|
||||||
- Add wake_alarm capability to fprintd domain BZ(1362430)
|
- Add wake_alarm capability to fprintd domain BZ(1362430)
|
||||||
|