* Fri Oct 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-150
- Allow acpid to attempt to connect to the Linux kernel via a generic netlink socket. - Clean up the pkcs11proxyd policy. - We need to require the sandbox_web_type attribute in sandbox_x_domain_template(). - Revert "depmod is a symlink to insmod so it runs as insmod_t. It causes that dep kernel modules files are not created with the correct labeling modules_dep_t. This fix adds filenamtrans rules for insmod_t." - depmod is a symlink to insmod, so it runs as insmod_t; as a result the module dependency files are not created with the correct modules_dep_t label. This fix adds filename-transition rules for insmod_t. - Update files_read_kernel_modules() to call modutils_read_module_deps(), because the module dependency labeling has changed and this avoids regressions. - Update the modules_filetrans_named_content() interface to cover more modules.* files. - New policy for systemd-machined. #1255305 - In Rawhide/F24 we added pam_selinux.so support for systemd --user so that user sessions run under the correct SELinux label. It also supports another new systemd+dbus feature: session D-Bus instances now run with the correct label (unconfined_dbus_t, for example). - Allow systemd-logind read access to efivarfs - Linux kernel configuration options for UEFI systems (UEFI Runtime Variables). #1244973, #1267207 (partial solution) - Merge pull request #42 from vmojzis/rawhide-base - Add an interface to allow reading files in efivarfs - contains Linux kernel configuration options for UEFI systems (UEFI Runtime Variables)
This commit is contained in:
parent
b03747cd87
commit
61514837cc
@ -7985,7 +7985,7 @@ index 1a7a97e..2c7252a 100644
|
|||||||
domain_system_change_exemption($1)
|
domain_system_change_exemption($1)
|
||||||
role_transition $2 apmd_initrc_exec_t system_r;
|
role_transition $2 apmd_initrc_exec_t system_r;
|
||||||
diff --git a/apm.te b/apm.te
|
diff --git a/apm.te b/apm.te
|
||||||
index 7fd431b..e9c4c5a 100644
|
index 7fd431b..41f2a57 100644
|
||||||
--- a/apm.te
|
--- a/apm.te
|
||||||
+++ b/apm.te
|
+++ b/apm.te
|
||||||
@@ -35,12 +35,15 @@ files_type(apmd_var_lib_t)
|
@@ -35,12 +35,15 @@ files_type(apmd_var_lib_t)
|
||||||
@ -8014,7 +8014,7 @@ index 7fd431b..e9c4c5a 100644
|
|||||||
|
|
||||||
domain_use_interactive_fds(apm_t)
|
domain_use_interactive_fds(apm_t)
|
||||||
|
|
||||||
@@ -59,8 +62,8 @@ logging_send_syslog_msg(apm_t)
|
@@ -59,11 +62,12 @@ logging_send_syslog_msg(apm_t)
|
||||||
# Server local policy
|
# Server local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -8025,7 +8025,11 @@ index 7fd431b..e9c4c5a 100644
|
|||||||
allow apmd_t self:process { signal_perms getsession };
|
allow apmd_t self:process { signal_perms getsession };
|
||||||
allow apmd_t self:fifo_file rw_fifo_file_perms;
|
allow apmd_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow apmd_t self:netlink_socket create_socket_perms;
|
allow apmd_t self:netlink_socket create_socket_perms;
|
||||||
@@ -90,6 +93,7 @@ kernel_read_kernel_sysctls(apmd_t)
|
+allow apmd_t self:netlink_generic_socket create_socket_perms;
|
||||||
|
allow apmd_t self:unix_stream_socket { accept listen };
|
||||||
|
|
||||||
|
allow apmd_t apmd_lock_t:file manage_file_perms;
|
||||||
|
@@ -90,6 +94,7 @@ kernel_read_kernel_sysctls(apmd_t)
|
||||||
kernel_rw_all_sysctls(apmd_t)
|
kernel_rw_all_sysctls(apmd_t)
|
||||||
kernel_read_system_state(apmd_t)
|
kernel_read_system_state(apmd_t)
|
||||||
kernel_write_proc_files(apmd_t)
|
kernel_write_proc_files(apmd_t)
|
||||||
@ -8033,7 +8037,7 @@ index 7fd431b..e9c4c5a 100644
|
|||||||
|
|
||||||
dev_read_input(apmd_t)
|
dev_read_input(apmd_t)
|
||||||
dev_read_mouse(apmd_t)
|
dev_read_mouse(apmd_t)
|
||||||
@@ -114,8 +118,7 @@ fs_dontaudit_getattr_all_files(apmd_t)
|
@@ -114,8 +119,7 @@ fs_dontaudit_getattr_all_files(apmd_t)
|
||||||
fs_dontaudit_getattr_all_symlinks(apmd_t)
|
fs_dontaudit_getattr_all_symlinks(apmd_t)
|
||||||
fs_dontaudit_getattr_all_pipes(apmd_t)
|
fs_dontaudit_getattr_all_pipes(apmd_t)
|
||||||
fs_dontaudit_getattr_all_sockets(apmd_t)
|
fs_dontaudit_getattr_all_sockets(apmd_t)
|
||||||
@ -8043,7 +8047,7 @@ index 7fd431b..e9c4c5a 100644
|
|||||||
|
|
||||||
corecmd_exec_all_executables(apmd_t)
|
corecmd_exec_all_executables(apmd_t)
|
||||||
|
|
||||||
@@ -129,6 +132,8 @@ domain_dontaudit_list_all_domains_state(apmd_t)
|
@@ -129,6 +133,8 @@ domain_dontaudit_list_all_domains_state(apmd_t)
|
||||||
auth_use_nsswitch(apmd_t)
|
auth_use_nsswitch(apmd_t)
|
||||||
|
|
||||||
init_domtrans_script(apmd_t)
|
init_domtrans_script(apmd_t)
|
||||||
@ -8052,7 +8056,7 @@ index 7fd431b..e9c4c5a 100644
|
|||||||
|
|
||||||
libs_exec_ld_so(apmd_t)
|
libs_exec_ld_so(apmd_t)
|
||||||
libs_exec_lib_files(apmd_t)
|
libs_exec_lib_files(apmd_t)
|
||||||
@@ -136,17 +141,16 @@ libs_exec_lib_files(apmd_t)
|
@@ -136,17 +142,16 @@ libs_exec_lib_files(apmd_t)
|
||||||
logging_send_audit_msgs(apmd_t)
|
logging_send_audit_msgs(apmd_t)
|
||||||
logging_send_syslog_msg(apmd_t)
|
logging_send_syslog_msg(apmd_t)
|
||||||
|
|
||||||
@ -8072,7 +8076,7 @@ index 7fd431b..e9c4c5a 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
automount_domtrans(apmd_t)
|
automount_domtrans(apmd_t)
|
||||||
@@ -206,11 +210,15 @@ optional_policy(`
|
@@ -206,11 +211,15 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -68616,10 +68620,10 @@ index 0000000..1fa6db2
|
|||||||
+')
|
+')
|
||||||
diff --git a/pkcs11proxyd.te b/pkcs11proxyd.te
|
diff --git a/pkcs11proxyd.te b/pkcs11proxyd.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..6b49e41
|
index 0000000..a2cb118
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/pkcs11proxyd.te
|
+++ b/pkcs11proxyd.te
|
||||||
@@ -0,0 +1,41 @@
|
@@ -0,0 +1,42 @@
|
||||||
+policy_module(pkcs11proxyd, 1.0.0)
|
+policy_module(pkcs11proxyd, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -68644,6 +68648,7 @@ index 0000000..6b49e41
|
|||||||
+#
|
+#
|
||||||
+# pkcs11proxyd local policy
|
+# pkcs11proxyd local policy
|
||||||
+#
|
+#
|
||||||
|
+
|
||||||
+allow pkcs11proxyd_t self:capability { kill setuid setgid };
|
+allow pkcs11proxyd_t self:capability { kill setuid setgid };
|
||||||
+allow pkcs11proxyd_t self:process { getpgid setpgid };
|
+allow pkcs11proxyd_t self:process { getpgid setpgid };
|
||||||
+
|
+
|
||||||
@ -68655,10 +68660,10 @@ index 0000000..6b49e41
|
|||||||
+manage_sock_files_pattern(pkcs11proxyd_t, pkcs11proxyd_var_run_t, pkcs11proxyd_var_run_t)
|
+manage_sock_files_pattern(pkcs11proxyd_t, pkcs11proxyd_var_run_t, pkcs11proxyd_var_run_t)
|
||||||
+files_pid_filetrans(pkcs11proxyd_t, pkcs11proxyd_var_run_t, { sock_file })
|
+files_pid_filetrans(pkcs11proxyd_t, pkcs11proxyd_var_run_t, { sock_file })
|
||||||
+
|
+
|
||||||
+auth_use_nsswitch(pkcs11proxyd_t)
|
|
||||||
+
|
|
||||||
+dev_read_urand(pkcs11proxyd_t)
|
+dev_read_urand(pkcs11proxyd_t)
|
||||||
+
|
+
|
||||||
|
+auth_use_nsswitch(pkcs11proxyd_t)
|
||||||
|
+
|
||||||
+logging_send_syslog_msg(pkcs11proxyd_t)
|
+logging_send_syslog_msg(pkcs11proxyd_t)
|
||||||
+
|
+
|
||||||
diff --git a/pki.fc b/pki.fc
|
diff --git a/pki.fc b/pki.fc
|
||||||
|
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.13.1
|
Version: 3.13.1
|
||||||
Release: 149%{?dist}
|
Release: 150%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -656,6 +656,20 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Oct 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-150
|
||||||
|
- Allow acpid to attempt to connect to the Linux kernel via generic netlink socket.
|
||||||
|
- Clean up pkcs11proxyd policy.
|
||||||
|
- We need to require sandbox_web_type attribute in sandbox_x_domain_template().
|
||||||
|
- Revert "depmod is a symlink to insmod so it runs as insmod_t. It causes that dep kernel modules files are not created with the correct labeling modules_dep_t. This fix adds filenamtrans rules for insmod_t."
|
||||||
|
- depmod is a symlink to insmod so it runs as insmod_t. It causes that dep kernel modules files are not created with the correct labeling modules_dep_t. This fix adds filenamtrans rules for insmod_t.
|
||||||
|
- Update files_read_kernel_modules() to contain modutils_read_module_deps() calling because module deps labeling has been updated and it allows to avoid regressions.
|
||||||
|
- Update modules_filetrans_named_content() interface to cover more modules.* files.
|
||||||
|
- New policy for systemd-machined. #1255305
|
||||||
|
- In Rawhide/F24, we added pam_selinux.so support for systemd-users to have user sessions running under correct SELinux labeling. It also supports another new feature with systemd+dbus and we have sessions dbuses running with the correct labeling - unconfined_dbus_t for example.
|
||||||
|
- Allow systemd-logind read access to efivarfs - Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables). #1244973, #1267207 (partial solution)
|
||||||
|
- Merge pull request #42 from vmojzis/rawhide-base
|
||||||
|
- Add interface to allow reading files in efivarfs - contains Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables)
|
||||||
|
|
||||||
* Tue Sep 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-149
|
* Tue Sep 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-149
|
||||||
- Add few rules related to new policy for pkcs11proxyd
|
- Add few rules related to new policy for pkcs11proxyd
|
||||||
- Added new policy for pkcs11proxyd daemon
|
- Added new policy for pkcs11proxyd daemon
|
||||||
|