* Fri Oct 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-150
- Allow acpid to attempt to connect to the Linux kernel via generic netlink socket. - Clean up pkcs11proxyd policy. - We need to require sandbox_web_type attribute in sandbox_x_domain_template(). - Revert "depmod is a symlink to insmod so it runs as insmod_t. It causes that dep kernel modules files are not created with the correct labeling modules_dep_t. This fix adds filenamtrans rules for insmod_t." - depmod is a symlink to insmod so it runs as insmod_t. It causes that dep kernel modules files are not created with the correct labeling modules_dep_t. This fix adds filenamtrans rules for insmod_t. - Update files_read_kernel_modules() to contain modutils_read_module_deps() calling because module deps labeling has been updated and it allows to avoid regressions. - Update modules_filetrans_named_content() interface to cover more modules.* files. - New policy for systemd-machined. #1255305 - In Rawhide/F24, we added pam_selinux.so support for systemd-users to have user sessions running under correct SELinux labeling. It also supports another new feature with systemd+dbus and we have sessions dbuses running with the correct labeling - unconfined_dbus_t for example. - Allow systemd-logind read access to efivarfs - Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables). #1244973, #1267207 (partial solution) - Merge pull request #42 from vmojzis/rawhide-base - Add interface to allow reading files in efivarfs - contains Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables)
This commit is contained in:
parent
b03747cd87
commit
61514837cc
@ -7985,7 +7985,7 @@ index 1a7a97e..2c7252a 100644
domain_system_change_exemption($1)
role_transition $2 apmd_initrc_exec_t system_r;
diff --git a/apm.te b/apm.te
index 7fd431b..e9c4c5a 100644
index 7fd431b..41f2a57 100644
--- a/apm.te
+++ b/apm.te
@@ -35,12 +35,15 @@ files_type(apmd_var_lib_t)
@ -8014,7 +8014,7 @@ index 7fd431b..e9c4c5a 100644
domain_use_interactive_fds(apm_t)
@@ -59,8 +62,8 @@ logging_send_syslog_msg(apm_t)
@@ -59,11 +62,12 @@ logging_send_syslog_msg(apm_t)
# Server local policy
#
@ -8025,7 +8025,11 @@ index 7fd431b..e9c4c5a 100644
allow apmd_t self:process { signal_perms getsession };
allow apmd_t self:fifo_file rw_fifo_file_perms;
allow apmd_t self:netlink_socket create_socket_perms;
@@ -90,6 +93,7 @@ kernel_read_kernel_sysctls(apmd_t)
+allow apmd_t self:netlink_generic_socket create_socket_perms;
allow apmd_t self:unix_stream_socket { accept listen };
allow apmd_t apmd_lock_t:file manage_file_perms;
@@ -90,6 +94,7 @@ kernel_read_kernel_sysctls(apmd_t)
kernel_rw_all_sysctls(apmd_t)
kernel_read_system_state(apmd_t)
kernel_write_proc_files(apmd_t)
@ -8033,7 +8037,7 @@ index 7fd431b..e9c4c5a 100644
dev_read_input(apmd_t)
dev_read_mouse(apmd_t)
@@ -114,8 +118,7 @@ fs_dontaudit_getattr_all_files(apmd_t)
@@ -114,8 +119,7 @@ fs_dontaudit_getattr_all_files(apmd_t)
fs_dontaudit_getattr_all_symlinks(apmd_t)
fs_dontaudit_getattr_all_pipes(apmd_t)
fs_dontaudit_getattr_all_sockets(apmd_t)
@ -8043,7 +8047,7 @@ index 7fd431b..e9c4c5a 100644
corecmd_exec_all_executables(apmd_t)
@@ -129,6 +132,8 @@ domain_dontaudit_list_all_domains_state(apmd_t)
@@ -129,6 +133,8 @@ domain_dontaudit_list_all_domains_state(apmd_t)
auth_use_nsswitch(apmd_t)
init_domtrans_script(apmd_t)
@ -8052,7 +8056,7 @@ index 7fd431b..e9c4c5a 100644
libs_exec_ld_so(apmd_t)
libs_exec_lib_files(apmd_t)
@@ -136,17 +141,16 @@ libs_exec_lib_files(apmd_t)
@@ -136,17 +142,16 @@ libs_exec_lib_files(apmd_t)
logging_send_audit_msgs(apmd_t)
logging_send_syslog_msg(apmd_t)
@ -8072,7 +8076,7 @@ index 7fd431b..e9c4c5a 100644
optional_policy(`
automount_domtrans(apmd_t)
@@ -206,11 +210,15 @@ optional_policy(`
@@ -206,11 +211,15 @@ optional_policy(`
')
optional_policy(`
@ -68616,10 +68620,10 @@ index 0000000..1fa6db2
+')
diff --git a/pkcs11proxyd.te b/pkcs11proxyd.te
new file mode 100644
index 0000000..6b49e41
index 0000000..a2cb118
--- /dev/null
+++ b/pkcs11proxyd.te
@@ -0,0 +1,41 @@
@@ -0,0 +1,42 @@
+policy_module(pkcs11proxyd, 1.0.0)
+
+########################################
@ -68644,6 +68648,7 @@ index 0000000..6b49e41
+#
+# pkcs11proxyd local policy
+#
+
+allow pkcs11proxyd_t self:capability { kill setuid setgid };
+allow pkcs11proxyd_t self:process { getpgid setpgid };
+
@ -68655,10 +68660,10 @@ index 0000000..6b49e41
+manage_sock_files_pattern(pkcs11proxyd_t, pkcs11proxyd_var_run_t, pkcs11proxyd_var_run_t)
+files_pid_filetrans(pkcs11proxyd_t, pkcs11proxyd_var_run_t, { sock_file })
+
+auth_use_nsswitch(pkcs11proxyd_t)
+
+dev_read_urand(pkcs11proxyd_t)
+
+auth_use_nsswitch(pkcs11proxyd_t)
+
+logging_send_syslog_msg(pkcs11proxyd_t)
+
diff --git a/pki.fc b/pki.fc
@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 149%{?dist}
Release: 150%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -656,6 +656,20 @@ exit 0
%endif
%changelog
* Fri Oct 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-150
- Allow acpid to attempt to connect to the Linux kernel via generic netlink socket.
- Clean up pkcs11proxyd policy.
- We need to require sandbox_web_type attribute in sandbox_x_domain_template().
- Revert "depmod is a symlink to insmod so it runs as insmod_t. It causes that dep kernel modules files are not created with the correct labeling modules_dep_t. This fix adds filenamtrans rules for insmod_t."
- depmod is a symlink to insmod so it runs as insmod_t. It causes that dep kernel modules files are not created with the correct labeling modules_dep_t. This fix adds filenamtrans rules for insmod_t.
- Update files_read_kernel_modules() to contain modutils_read_module_deps() calling because module deps labeling has been updated and it allows to avoid regressions.
- Update modules_filetrans_named_content() interface to cover more modules.* files.
- New policy for systemd-machined. #1255305
- In Rawhide/F24, we added pam_selinux.so support for systemd-users to have user sessions running under correct SELinux labeling. It also supports another new feature with systemd+dbus and we have sessions dbuses running with the correct labeling - unconfined_dbus_t for example.
- Allow systemd-logind read access to efivarfs - Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables). #1244973, #1267207 (partial solution)
- Merge pull request #42 from vmojzis/rawhide-base
- Add interface to allow reading files in efivarfs - contains Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables)
* Tue Sep 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-149
- Add few rules related to new policy for pkcs11proxyd
- Added new policy for pkcs11proxyd daemon