- Allow collectd to talk to libvirt
- Allow chrome_sandbox to use leaked unix_stream_sockets - Dontaudit leaks of sockets into chrome_sandbox_t - If you create a cups directory in /var/cache then it should be labeled cups_rw_etc_t - Run vmtools as unconfined domains - Allow snort to manage its log files - Allow systemd_cronjob_t to be entered via bin_t - Allow procman to list doveconf_etc_t - allow keyring daemon to create content in tmpfs directories - Add proper labelling for icedtea-web - vpnc is creating content in networkmanager var run directory - unconfined_service should be allowed to transition to rpm_script_t - Allow couchdb to listen on port 6984 - Dontaudit attempts by unpriv user domain to write to /run/mount directory, caused by running mount command - Allow systemd-logind to setup user tmpfs directories - Add additional fixes for systemd_networkd_t - Allow systemd-logind to manage user_tmpfs_t - Allow systemd-logind to mount /run/user/1000 to get gdm working
This commit is contained in:
parent
3f9fe17186
commit
6337678e76
@ -5410,7 +5410,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
|
define(`create_packet_interfaces',``
|
||||||
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
|
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
|
||||||
index b191055..136b78e 100644
|
index b191055..11bfc30 100644
|
||||||
--- a/policy/modules/kernel/corenetwork.te.in
|
--- a/policy/modules/kernel/corenetwork.te.in
|
||||||
+++ b/policy/modules/kernel/corenetwork.te.in
|
+++ b/policy/modules/kernel/corenetwork.te.in
|
||||||
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
|
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
|
||||||
|
@ -5515,11 +5515,12 @@ index b191055..136b78e 100644
network_port(commplex_main, tcp,5000,s0, udp,5000,s0)
network_port(commplex_main, tcp,5000,s0, udp,5000,s0)
network_port(comsat, udp,512,s0)
network_port(comsat, udp,512,s0)
network_port(condor, tcp,9618,s0, udp,9618,s0)
network_port(condor, tcp,9618,s0, udp,9618,s0)
+network_port(conman, tcp,7890,s0, udp,7890,s0)
-network_port(couchdb, tcp,5984,s0, udp,5984,s0)
+network_port(connlcli, tcp,1358,s0, udp,1358,s0)
network_port(couchdb, tcp,5984,s0, udp,5984,s0)
-network_port(cslistener, tcp,9000,s0, udp,9000,s0)
-network_port(cslistener, tcp,9000,s0, udp,9000,s0)
-network_port(ctdb, tcp,4379,s0, udp,4397,s0)
-network_port(ctdb, tcp,4379,s0, udp,4397,s0)
+network_port(conman, tcp,7890,s0, udp,7890,s0)
+network_port(connlcli, tcp,1358,s0, udp,1358,s0)
+network_port(couchdb, tcp,5984,s0, udp,5984,s0, tcp,6984,s0, udp,6984,s0)
+network_port(ctdb, tcp,4379,s0, udp,4379,s0)
+network_port(ctdb, tcp,4379,s0, udp,4379,s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
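Review bot: The couchdb line on the new side binds udp 6984 to couchdb_port_t alongside tcp 6984, but 6984 is CouchDB's TLS listener and, as far as I know, TCP-only, so every domain granted couchdb_port_t also picks up a UDP port it has no use for. Unless a UDP listener on 6984 has actually been observed, narrow it to `network_port(couchdb, tcp,5984,s0, udp,5984,s0, tcp,6984,s0)`. The commit description only says "listen on port 6984"; a word on why the UDP entry is needed, if it is, would let the next reader avoid re-asking. The corenetwork.te.in hunk continues outside this view.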
@ -13159,7 +13160,7 @@ index f962f76..ae94e80 100644
|
||||||
+ allow $1 etc_t:service status;
|
+ allow $1 etc_t:service status;
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
|
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
|
||||||
index 1a03abd..dfcd2ad 100644
|
index 1a03abd..32a40f8 100644
|
||||||
--- a/policy/modules/kernel/files.te
|
--- a/policy/modules/kernel/files.te
|
||||||
+++ b/policy/modules/kernel/files.te
|
+++ b/policy/modules/kernel/files.te
|
||||||
@@ -5,12 +5,16 @@ policy_module(files, 1.18.1)
|
@@ -5,12 +5,16 @@ policy_module(files, 1.18.1)
|
||||||
|
@ -13179,7 +13180,7 @@ index 1a03abd..dfcd2ad 100644
|
||||||
|
|
||||||
# For labeling types that are to be polyinstantiated
|
# For labeling types that are to be polyinstantiated
|
||||||
attribute polydir;
|
attribute polydir;
|
||||||
@@ -48,47 +52,55 @@ attribute usercanread;
|
@@ -48,47 +52,53 @@ attribute usercanread;
|
||||||
#
|
#
|
||||||
type boot_t;
|
type boot_t;
|
||||||
files_mountpoint(boot_t)
|
files_mountpoint(boot_t)
|
||||||
|
@ -13223,12 +13224,11 @@ index 1a03abd..dfcd2ad 100644
|
||||||
# generated during initialization.
|
# generated during initialization.
|
||||||
#
|
#
|
||||||
-type etc_runtime_t;
|
-type etc_runtime_t;
|
||||||
+type etc_runtime_t, configfile;
|
-files_type(etc_runtime_t)
|
||||||
files_type(etc_runtime_t)
|
-#Temporarily in policy until FC5 dissappears
|
||||||
#Temporarily in policy until FC5 dissappears
|
-typealias etc_runtime_t alias firstboot_rw_t;
|
||||||
typealias etc_runtime_t alias firstboot_rw_t;
|
-
|
||||||
|
-#
|
||||||
#
|
|
||||||
-# file_t is the default type of a file that has not yet been
|
-# file_t is the default type of a file that has not yet been
|
||||||
-# assigned an extended attribute (EA) value (when using a filesystem
|
-# assigned an extended attribute (EA) value (when using a filesystem
|
||||||
-# that supports EAs).
|
-# that supports EAs).
|
||||||
|
@ -13237,8 +13237,10 @@ index 1a03abd..dfcd2ad 100644
|
||||||
-files_mountpoint(file_t)
|
-files_mountpoint(file_t)
|
||||||
-kernel_rootfs_mountpoint(file_t)
|
-kernel_rootfs_mountpoint(file_t)
|
||||||
-sid file gen_context(system_u:object_r:file_t,s0)
|
-sid file gen_context(system_u:object_r:file_t,s0)
|
||||||
-
|
+type etc_runtime_t, configfile;
|
||||||
-#
|
+files_ro_base_file(etc_runtime_t)
|
||||||
|
|
||||||
|
#
|
||||||
# home_root_t is the type for the directory where user home directories
|
# home_root_t is the type for the directory where user home directories
|
||||||
# are created
|
# are created
|
||||||
#
|
#
|
||||||
|
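Review bot: On the new side `typealias etc_runtime_t alias firstboot_rw_t;` is dropped together with the old declaration (the preceding `@ -13223` hunk), while only `type etc_runtime_t, configfile;` and `files_ro_base_file(etc_runtime_t)` are re-added here; any file context entry or module that still names firstboot_rw_t will then fail to build or relabel. If retiring the alias is intended, say so in the description; otherwise keep `typealias etc_runtime_t alias firstboot_rw_t;` next to the moved declaration. Swapping files_type() for files_ro_base_file() presumably changes how broadly the type is reachable, so a one-line comment above the declaration stating why etc_runtime_t is now treated as a read-only base file would help — confirm the intended scope against the interface definition. The files.te hunk sequence continues beyond this view.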
@ -13247,7 +13249,7 @@ index 1a03abd..dfcd2ad 100644
|
||||||
files_mountpoint(home_root_t)
|
files_mountpoint(home_root_t)
|
||||||
files_poly_parent(home_root_t)
|
files_poly_parent(home_root_t)
|
||||||
|
|
||||||
@@ -96,12 +108,13 @@ files_poly_parent(home_root_t)
|
@@ -96,12 +106,13 @@ files_poly_parent(home_root_t)
|
||||||
# lost_found_t is the type for the lost+found directories.
|
# lost_found_t is the type for the lost+found directories.
|
||||||
#
|
#
|
||||||
type lost_found_t;
|
type lost_found_t;
|
||||||
|
@ -13262,7 +13264,7 @@ index 1a03abd..dfcd2ad 100644
|
||||||
files_mountpoint(mnt_t)
|
files_mountpoint(mnt_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
@@ -123,6 +136,7 @@ files_type(readable_t)
|
@@ -123,6 +134,7 @@ files_type(readable_t)
|
||||||
# root_t is the type for rootfs and the root directory.
|
# root_t is the type for rootfs and the root directory.
|
||||||
#
|
#
|
||||||
type root_t;
|
type root_t;
|
||||||
|
@ -13270,7 +13272,7 @@ index 1a03abd..dfcd2ad 100644
|
||||||
files_mountpoint(root_t)
|
files_mountpoint(root_t)
|
||||||
files_poly_parent(root_t)
|
files_poly_parent(root_t)
|
||||||
kernel_rootfs_mountpoint(root_t)
|
kernel_rootfs_mountpoint(root_t)
|
||||||
@@ -133,45 +147,54 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
|
@@ -133,45 +145,54 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
|
||||||
#
|
#
|
||||||
type src_t;
|
type src_t;
|
||||||
files_mountpoint(src_t)
|
files_mountpoint(src_t)
|
||||||
|
@ -13325,7 +13327,7 @@ index 1a03abd..dfcd2ad 100644
|
||||||
files_lock_file(var_lock_t)
|
files_lock_file(var_lock_t)
|
||||||
files_mountpoint(var_lock_t)
|
files_mountpoint(var_lock_t)
|
||||||
|
|
||||||
@@ -180,6 +203,7 @@ files_mountpoint(var_lock_t)
|
@@ -180,6 +201,7 @@ files_mountpoint(var_lock_t)
|
||||||
# used for pid and other runtime files.
|
# used for pid and other runtime files.
|
||||||
#
|
#
|
||||||
type var_run_t;
|
type var_run_t;
|
||||||
|
@ -13333,7 +13335,7 @@ index 1a03abd..dfcd2ad 100644
|
||||||
files_pid_file(var_run_t)
|
files_pid_file(var_run_t)
|
||||||
files_mountpoint(var_run_t)
|
files_mountpoint(var_run_t)
|
||||||
|
|
||||||
@@ -187,7 +211,9 @@ files_mountpoint(var_run_t)
|
@@ -187,7 +209,9 @@ files_mountpoint(var_run_t)
|
||||||
# var_spool_t is the type of /var/spool
|
# var_spool_t is the type of /var/spool
|
||||||
#
|
#
|
||||||
type var_spool_t;
|
type var_spool_t;
|
||||||
|
@ -13343,7 +13345,7 @@ index 1a03abd..dfcd2ad 100644
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@@ -224,12 +250,13 @@ fs_associate_tmpfs(tmpfsfile)
|
@@ -224,12 +248,13 @@ fs_associate_tmpfs(tmpfsfile)
|
||||||
#
|
#
|
||||||
|
|
||||||
# Create/access any file in a labeled filesystem;
|
# Create/access any file in a labeled filesystem;
|
||||||
|
@ -24413,7 +24415,7 @@ index 6bf0ecc..bf98136 100644
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
|
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
|
||||||
index 8b40377..c52fbe6 100644
|
index 8b40377..95dde04 100644
|
||||||
--- a/policy/modules/services/xserver.te
|
--- a/policy/modules/services/xserver.te
|
||||||
+++ b/policy/modules/services/xserver.te
|
+++ b/policy/modules/services/xserver.te
|
||||||
@@ -26,28 +26,59 @@ gen_require(`
|
@@ -26,28 +26,59 @@ gen_require(`
|
||||||
|
@ -24621,7 +24623,7 @@ index 8b40377..c52fbe6 100644
|
||||||
userdom_user_tmpfs_file(xserver_tmpfs_t)
|
userdom_user_tmpfs_file(xserver_tmpfs_t)
|
||||||
|
|
||||||
type xsession_exec_t;
|
type xsession_exec_t;
|
||||||
@@ -226,21 +288,33 @@ optional_policy(`
|
@@ -226,21 +288,35 @@ optional_policy(`
|
||||||
#
|
#
|
||||||
|
|
||||||
allow iceauth_t iceauth_home_t:file manage_file_perms;
|
allow iceauth_t iceauth_home_t:file manage_file_perms;
|
||||||
|
@ -24642,6 +24644,10 @@ index 8b40377..c52fbe6 100644
|
||||||
-tunable_policy(`use_nfs_home_dirs',`
|
-tunable_policy(`use_nfs_home_dirs',`
|
||||||
- fs_manage_nfs_files(iceauth_t)
|
- fs_manage_nfs_files(iceauth_t)
|
||||||
-')
|
-')
|
||||||
|
+xserver_filetrans_home_content(iceauth_t)
|
||||||
|
|
||||||
|
-tunable_policy(`use_samba_home_dirs',`
|
||||||
|
- fs_manage_cifs_files(iceauth_t)
|
||||||
+ifdef(`hide_broken_symptoms',`
|
+ifdef(`hide_broken_symptoms',`
|
||||||
+ dev_dontaudit_read_urand(iceauth_t)
|
+ dev_dontaudit_read_urand(iceauth_t)
|
||||||
+ dev_dontaudit_rw_dri(iceauth_t)
|
+ dev_dontaudit_rw_dri(iceauth_t)
|
||||||
|
@ -24649,9 +24655,7 @@ index 8b40377..c52fbe6 100644
|
||||||
+ fs_dontaudit_list_inotifyfs(iceauth_t)
|
+ fs_dontaudit_list_inotifyfs(iceauth_t)
|
||||||
+ fs_dontaudit_rw_anon_inodefs_files(iceauth_t)
|
+ fs_dontaudit_rw_anon_inodefs_files(iceauth_t)
|
||||||
+ term_dontaudit_use_unallocated_ttys(iceauth_t)
|
+ term_dontaudit_use_unallocated_ttys(iceauth_t)
|
||||||
|
+
|
||||||
-tunable_policy(`use_samba_home_dirs',`
|
|
||||||
- fs_manage_cifs_files(iceauth_t)
|
|
||||||
+ userdom_dontaudit_read_user_home_content_files(iceauth_t)
|
+ userdom_dontaudit_read_user_home_content_files(iceauth_t)
|
||||||
+ userdom_dontaudit_write_user_home_content_files(iceauth_t)
|
+ userdom_dontaudit_write_user_home_content_files(iceauth_t)
|
||||||
+ userdom_dontaudit_write_user_tmp_files(iceauth_t)
|
+ userdom_dontaudit_write_user_tmp_files(iceauth_t)
|
||||||
|
@ -24662,7 +24666,7 @@ index 8b40377..c52fbe6 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -248,48 +322,89 @@ tunable_policy(`use_samba_home_dirs',`
|
@@ -248,48 +324,90 @@ tunable_policy(`use_samba_home_dirs',`
|
||||||
# Xauth local policy
|
# Xauth local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
|
@ -24725,6 +24729,7 @@ index 8b40377..c52fbe6 100644
|
||||||
+userdom_use_inherited_user_terminals(xauth_t)
|
+userdom_use_inherited_user_terminals(xauth_t)
|
||||||
userdom_read_user_tmp_files(xauth_t)
|
userdom_read_user_tmp_files(xauth_t)
|
||||||
+userdom_read_all_users_state(xauth_t)
|
+userdom_read_all_users_state(xauth_t)
|
||||||
|
+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file)
|
||||||
+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority")
|
+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority")
|
||||||
+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-l")
|
+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-l")
|
||||||
+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-c")
|
+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-c")
|
||||||
|
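Review bot: The new side replaces the unnamed home-directory file transition with named ones for `.Xauthority`, `.Xauthority-l` and `.Xauthority-c`, but xauth writes its updated database to a temporary `<file>-n` and renames it over `.Xauthority`; with no transition for that name the temporary is created with the home-directory type and keeps that label after the rename, so the rules granted on xauth_home_t no longer cover the live file. Add `userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-n")` alongside the other three. The xauth_t local policy block begins before this hunk.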
@ -24763,7 +24768,7 @@ index 8b40377..c52fbe6 100644
|
||||||
ssh_sigchld(xauth_t)
|
ssh_sigchld(xauth_t)
|
||||||
ssh_read_pipes(xauth_t)
|
ssh_read_pipes(xauth_t)
|
||||||
ssh_dontaudit_rw_tcp_sockets(xauth_t)
|
ssh_dontaudit_rw_tcp_sockets(xauth_t)
|
||||||
@@ -300,64 +415,109 @@ optional_policy(`
|
@@ -300,64 +418,109 @@ optional_policy(`
|
||||||
# XDM Local policy
|
# XDM Local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
|
@ -24791,10 +24796,10 @@ index 8b40377..c52fbe6 100644
|
||||||
allow xdm_t self:appletalk_socket create_socket_perms;
|
allow xdm_t self:appletalk_socket create_socket_perms;
|
||||||
allow xdm_t self:key { search link write };
|
allow xdm_t self:key { search link write };
|
||||||
+allow xdm_t self:dbus { send_msg acquire_svc };
|
+allow xdm_t self:dbus { send_msg acquire_svc };
|
||||||
+
|
|
||||||
+allow xdm_t xauth_home_t:file manage_file_perms;
|
|
||||||
|
|
||||||
-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
|
-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
|
||||||
|
+allow xdm_t xauth_home_t:file manage_file_perms;
|
||||||
|
+
|
||||||
+allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
|
+allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
|
||||||
+manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
|
+manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||||
+manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
|
+manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||||
|
@ -24883,7 +24888,7 @@ index 8b40377..c52fbe6 100644
|
||||||
|
|
||||||
# connect to xdm xserver over stream socket
|
# connect to xdm xserver over stream socket
|
||||||
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
||||||
@@ -366,20 +526,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
@@ -366,20 +529,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
||||||
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
|
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
|
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
|
|
||||||
|
@ -24916,7 +24921,7 @@ index 8b40377..c52fbe6 100644
|
||||||
corenet_all_recvfrom_netlabel(xdm_t)
|
corenet_all_recvfrom_netlabel(xdm_t)
|
||||||
corenet_tcp_sendrecv_generic_if(xdm_t)
|
corenet_tcp_sendrecv_generic_if(xdm_t)
|
||||||
corenet_udp_sendrecv_generic_if(xdm_t)
|
corenet_udp_sendrecv_generic_if(xdm_t)
|
||||||
@@ -389,38 +559,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
|
@@ -389,38 +562,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
|
||||||
corenet_udp_sendrecv_all_ports(xdm_t)
|
corenet_udp_sendrecv_all_ports(xdm_t)
|
||||||
corenet_tcp_bind_generic_node(xdm_t)
|
corenet_tcp_bind_generic_node(xdm_t)
|
||||||
corenet_udp_bind_generic_node(xdm_t)
|
corenet_udp_bind_generic_node(xdm_t)
|
||||||
|
@ -24970,7 +24975,7 @@ index 8b40377..c52fbe6 100644
|
||||||
|
|
||||||
files_read_etc_files(xdm_t)
|
files_read_etc_files(xdm_t)
|
||||||
files_read_var_files(xdm_t)
|
files_read_var_files(xdm_t)
|
||||||
@@ -431,9 +612,28 @@ files_list_mnt(xdm_t)
|
@@ -431,9 +615,28 @@ files_list_mnt(xdm_t)
|
||||||
files_read_usr_files(xdm_t)
|
files_read_usr_files(xdm_t)
|
||||||
# Poweroff wants to create the /poweroff file when run from xdm
|
# Poweroff wants to create the /poweroff file when run from xdm
|
||||||
files_create_boot_flag(xdm_t)
|
files_create_boot_flag(xdm_t)
|
||||||
|
@ -24999,7 +25004,7 @@ index 8b40377..c52fbe6 100644
|
||||||
|
|
||||||
storage_dontaudit_read_fixed_disk(xdm_t)
|
storage_dontaudit_read_fixed_disk(xdm_t)
|
||||||
storage_dontaudit_write_fixed_disk(xdm_t)
|
storage_dontaudit_write_fixed_disk(xdm_t)
|
||||||
@@ -442,28 +642,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
|
@@ -442,28 +645,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
|
||||||
storage_dontaudit_raw_write_removable_device(xdm_t)
|
storage_dontaudit_raw_write_removable_device(xdm_t)
|
||||||
storage_dontaudit_setattr_removable_dev(xdm_t)
|
storage_dontaudit_setattr_removable_dev(xdm_t)
|
||||||
storage_dontaudit_rw_scsi_generic(xdm_t)
|
storage_dontaudit_rw_scsi_generic(xdm_t)
|
||||||
|
@ -25048,7 +25053,7 @@ index 8b40377..c52fbe6 100644
|
||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
|
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
|
||||||
userdom_create_all_users_keys(xdm_t)
|
userdom_create_all_users_keys(xdm_t)
|
||||||
@@ -472,24 +689,149 @@ userdom_read_user_home_content_files(xdm_t)
|
@@ -472,24 +692,149 @@ userdom_read_user_home_content_files(xdm_t)
|
||||||
# Search /proc for any user domain processes.
|
# Search /proc for any user domain processes.
|
||||||
userdom_read_all_users_state(xdm_t)
|
userdom_read_all_users_state(xdm_t)
|
||||||
userdom_signal_all_users(xdm_t)
|
userdom_signal_all_users(xdm_t)
|
||||||
|
@ -25204,7 +25209,7 @@ index 8b40377..c52fbe6 100644
|
||||||
tunable_policy(`xdm_sysadm_login',`
|
tunable_policy(`xdm_sysadm_login',`
|
||||||
userdom_xsession_spec_domtrans_all_users(xdm_t)
|
userdom_xsession_spec_domtrans_all_users(xdm_t)
|
||||||
# FIXME:
|
# FIXME:
|
||||||
@@ -503,11 +845,26 @@ tunable_policy(`xdm_sysadm_login',`
|
@@ -503,11 +848,26 @@ tunable_policy(`xdm_sysadm_login',`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -25231,7 +25236,7 @@ index 8b40377..c52fbe6 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -517,9 +874,34 @@ optional_policy(`
|
@@ -517,9 +877,34 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_system_bus_client(xdm_t)
|
dbus_system_bus_client(xdm_t)
|
||||||
dbus_connect_system_bus(xdm_t)
|
dbus_connect_system_bus(xdm_t)
|
||||||
|
@ -25239,17 +25244,17 @@ index 8b40377..c52fbe6 100644
|
||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
+ accountsd_dbus_chat(xdm_t)
|
+ accountsd_dbus_chat(xdm_t)
|
||||||
+ ')
|
+ ')
|
||||||
+
|
|
||||||
+ optional_policy(`
|
optional_policy(`
|
||||||
|
- accountsd_dbus_chat(xdm_t)
|
||||||
+ bluetooth_dbus_chat(xdm_t)
|
+ bluetooth_dbus_chat(xdm_t)
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
+ cpufreqselector_dbus_chat(xdm_t)
|
+ cpufreqselector_dbus_chat(xdm_t)
|
||||||
+ ')
|
+ ')
|
||||||
|
+
|
||||||
optional_policy(`
|
+ optional_policy(`
|
||||||
- accountsd_dbus_chat(xdm_t)
|
|
||||||
+ devicekit_dbus_chat_disk(xdm_t)
|
+ devicekit_dbus_chat_disk(xdm_t)
|
||||||
+ devicekit_dbus_chat_power(xdm_t)
|
+ devicekit_dbus_chat_power(xdm_t)
|
||||||
+ ')
|
+ ')
|
||||||
|
@ -25267,7 +25272,7 @@ index 8b40377..c52fbe6 100644
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -530,6 +912,20 @@ optional_policy(`
|
@@ -530,6 +915,20 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -25288,7 +25293,7 @@ index 8b40377..c52fbe6 100644
|
||||||
hostname_exec(xdm_t)
|
hostname_exec(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -547,28 +943,78 @@ optional_policy(`
|
@@ -547,28 +946,78 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -25376,7 +25381,7 @@ index 8b40377..c52fbe6 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -580,6 +1026,14 @@ optional_policy(`
|
@@ -580,6 +1029,14 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -25391,7 +25396,7 @@ index 8b40377..c52fbe6 100644
|
||||||
xfs_stream_connect(xdm_t)
|
xfs_stream_connect(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -594,7 +1048,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
|
@@ -594,7 +1051,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
|
||||||
type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
|
type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
|
||||||
|
|
||||||
allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
|
allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
|
||||||
|
@ -25400,7 +25405,7 @@ index 8b40377..c52fbe6 100644
|
||||||
|
|
||||||
# setuid/setgid for the wrapper program to change UID
|
# setuid/setgid for the wrapper program to change UID
|
||||||
# sys_rawio is for iopl access - should not be needed for frame-buffer
|
# sys_rawio is for iopl access - should not be needed for frame-buffer
|
||||||
@@ -604,8 +1058,11 @@ allow xserver_t input_xevent_t:x_event send;
|
@@ -604,8 +1061,11 @@ allow xserver_t input_xevent_t:x_event send;
|
||||||
# execheap needed until the X module loader is fixed.
|
# execheap needed until the X module loader is fixed.
|
||||||
# NVIDIA Needs execstack
|
# NVIDIA Needs execstack
|
||||||
|
|
||||||
|
@ -25413,7 +25418,7 @@ index 8b40377..c52fbe6 100644
|
||||||
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||||
allow xserver_t self:fd use;
|
allow xserver_t self:fd use;
|
||||||
allow xserver_t self:fifo_file rw_fifo_file_perms;
|
allow xserver_t self:fifo_file rw_fifo_file_perms;
|
||||||
@@ -618,8 +1075,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
|
@@ -618,8 +1078,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||||
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||||
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow xserver_t self:udp_socket create_socket_perms;
|
allow xserver_t self:udp_socket create_socket_perms;
|
||||||
|
@ -25429,7 +25434,7 @@ index 8b40377..c52fbe6 100644
|
||||||
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
@@ -627,6 +1091,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
|
@@ -627,6 +1094,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
|
||||||
|
|
||||||
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
|
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
|
||||||
|
|
||||||
|
@ -25440,7 +25445,7 @@ index 8b40377..c52fbe6 100644
|
||||||
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||||
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||||
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||||
@@ -638,25 +1106,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
@@ -638,25 +1109,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||||
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||||
files_search_var_lib(xserver_t)
|
files_search_var_lib(xserver_t)
|
||||||
|
|
||||||
|
@ -25477,7 +25482,7 @@ index 8b40377..c52fbe6 100644
|
||||||
corenet_all_recvfrom_netlabel(xserver_t)
|
corenet_all_recvfrom_netlabel(xserver_t)
|
||||||
corenet_tcp_sendrecv_generic_if(xserver_t)
|
corenet_tcp_sendrecv_generic_if(xserver_t)
|
||||||
corenet_udp_sendrecv_generic_if(xserver_t)
|
corenet_udp_sendrecv_generic_if(xserver_t)
|
||||||
@@ -677,23 +1152,28 @@ dev_rw_apm_bios(xserver_t)
|
@@ -677,23 +1155,28 @@ dev_rw_apm_bios(xserver_t)
|
||||||
dev_rw_agp(xserver_t)
|
dev_rw_agp(xserver_t)
|
||||||
dev_rw_framebuffer(xserver_t)
|
dev_rw_framebuffer(xserver_t)
|
||||||
dev_manage_dri_dev(xserver_t)
|
dev_manage_dri_dev(xserver_t)
|
||||||
|
@ -25509,7 +25514,7 @@ index 8b40377..c52fbe6 100644
|
||||||
|
|
||||||
# brought on by rhgb
|
# brought on by rhgb
|
||||||
files_search_mnt(xserver_t)
|
files_search_mnt(xserver_t)
|
||||||
@@ -705,6 +1185,14 @@ fs_search_nfs(xserver_t)
|
@@ -705,6 +1188,14 @@ fs_search_nfs(xserver_t)
|
||||||
fs_search_auto_mountpoints(xserver_t)
|
fs_search_auto_mountpoints(xserver_t)
|
||||||
fs_search_ramfs(xserver_t)
|
fs_search_ramfs(xserver_t)
|
||||||
|
|
||||||
|
@ -25524,7 +25529,7 @@ index 8b40377..c52fbe6 100644
|
||||||
mls_xwin_read_to_clearance(xserver_t)
|
mls_xwin_read_to_clearance(xserver_t)
|
||||||
|
|
||||||
selinux_validate_context(xserver_t)
|
selinux_validate_context(xserver_t)
|
||||||
@@ -718,20 +1206,18 @@ init_getpgid(xserver_t)
|
@@ -718,20 +1209,18 @@ init_getpgid(xserver_t)
|
||||||
term_setattr_unallocated_ttys(xserver_t)
|
term_setattr_unallocated_ttys(xserver_t)
|
||||||
term_use_unallocated_ttys(xserver_t)
|
term_use_unallocated_ttys(xserver_t)
|
||||||
|
|
||||||
|
@ -25548,7 +25553,7 @@ index 8b40377..c52fbe6 100644
|
||||||
|
|
||||||
userdom_search_user_home_dirs(xserver_t)
|
userdom_search_user_home_dirs(xserver_t)
|
||||||
userdom_use_user_ttys(xserver_t)
|
userdom_use_user_ttys(xserver_t)
|
||||||
@@ -739,8 +1225,6 @@ userdom_setattr_user_ttys(xserver_t)
|
@@ -739,8 +1228,6 @@ userdom_setattr_user_ttys(xserver_t)
|
||||||
userdom_read_user_tmp_files(xserver_t)
|
userdom_read_user_tmp_files(xserver_t)
|
||||||
userdom_rw_user_tmpfs_files(xserver_t)
|
userdom_rw_user_tmpfs_files(xserver_t)
|
||||||
|
|
||||||
|
@ -25557,7 +25562,7 @@ index 8b40377..c52fbe6 100644
|
||||||
ifndef(`distro_redhat',`
|
ifndef(`distro_redhat',`
|
||||||
allow xserver_t self:process { execmem execheap execstack };
|
allow xserver_t self:process { execmem execheap execstack };
|
||||||
domain_mmap_low_uncond(xserver_t)
|
domain_mmap_low_uncond(xserver_t)
|
||||||
@@ -785,17 +1269,44 @@ optional_policy(`
|
@@ -785,17 +1272,44 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -25604,7 +25609,7 @@ index 8b40377..c52fbe6 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -803,6 +1314,10 @@ optional_policy(`
|
@@ -803,6 +1317,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -25615,7 +25620,7 @@ index 8b40377..c52fbe6 100644
|
||||||
xfs_stream_connect(xserver_t)
|
xfs_stream_connect(xserver_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -818,10 +1333,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
|
@@ -818,10 +1336,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
|
||||||
|
|
||||||
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
|
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
|
||||||
# handle of a file inside the dir!!!
|
# handle of a file inside the dir!!!
|
||||||
|
@ -25629,7 +25634,7 @@ index 8b40377..c52fbe6 100644
|
||||||
|
|
||||||
# Label pid and temporary files with derived types.
|
# Label pid and temporary files with derived types.
|
||||||
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||||
@@ -829,7 +1344,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
@@ -829,7 +1347,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||||
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||||
|
|
||||||
# Run xkbcomp.
|
# Run xkbcomp.
|
||||||
|
@ -25638,7 +25643,7 @@ index 8b40377..c52fbe6 100644
|
||||||
can_exec(xserver_t, xkb_var_lib_t)
|
can_exec(xserver_t, xkb_var_lib_t)
|
||||||
|
|
||||||
# VNC v4 module in X server
|
# VNC v4 module in X server
|
||||||
@@ -842,26 +1357,21 @@ init_use_fds(xserver_t)
|
@@ -842,26 +1360,21 @@ init_use_fds(xserver_t)
|
||||||
# to read ROLE_home_t - examine this in more detail
|
# to read ROLE_home_t - examine this in more detail
|
||||||
# (xauth?)
|
# (xauth?)
|
||||||
userdom_read_user_home_content_files(xserver_t)
|
userdom_read_user_home_content_files(xserver_t)
|
||||||
|
@ -25673,7 +25678,7 @@ index 8b40377..c52fbe6 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -912,7 +1422,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
|
@@ -912,7 +1425,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
|
||||||
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
|
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
|
||||||
# operations allowed on my windows
|
# operations allowed on my windows
|
||||||
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
||||||
|
@ -25682,7 +25687,7 @@ index 8b40377..c52fbe6 100644
|
||||||
# operations allowed on all windows
|
# operations allowed on all windows
|
||||||
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
|
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
|
||||||
|
|
||||||
@@ -966,11 +1476,31 @@ allow x_domain self:x_resource { read write };
|
@@ -966,11 +1479,31 @@ allow x_domain self:x_resource { read write };
|
||||||
# can mess with the screensaver
|
# can mess with the screensaver
|
||||||
allow x_domain xserver_t:x_screen { getattr saver_getattr };
|
allow x_domain xserver_t:x_screen { getattr saver_getattr };
|
||||||
|
|
||||||
|
@ -25714,7 +25719,7 @@ index 8b40377..c52fbe6 100644
|
||||||
tunable_policy(`! xserver_object_manager',`
|
tunable_policy(`! xserver_object_manager',`
|
||||||
# should be xserver_unconfined(x_domain),
|
# should be xserver_unconfined(x_domain),
|
||||||
# but typeattribute doesnt work in conditionals
|
# but typeattribute doesnt work in conditionals
|
||||||
@@ -992,18 +1522,150 @@ tunable_policy(`! xserver_object_manager',`
|
@@ -992,18 +1525,150 @@ tunable_policy(`! xserver_object_manager',`
|
||||||
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
|
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -34949,7 +34954,7 @@ index a38605e..f035d9f 100644
|
||||||
+/usr/sbin/umount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
|
+/usr/sbin/umount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
|
||||||
+/usr/sbin/umount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
|
+/usr/sbin/umount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
|
||||||
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
|
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
|
||||||
index 4584457..fb1c881 100644
|
index 4584457..c2ae1ea 100644
|
||||||
--- a/policy/modules/system/mount.if
|
--- a/policy/modules/system/mount.if
|
||||||
+++ b/policy/modules/system/mount.if
|
+++ b/policy/modules/system/mount.if
|
||||||
@@ -16,6 +16,13 @@ interface(`mount_domtrans',`
|
@@ -16,6 +16,13 @@ interface(`mount_domtrans',`
|
||||||
|
@ -34974,7 +34979,7 @@ index 4584457..fb1c881 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
mount_domtrans($1)
|
mount_domtrans($1)
|
||||||
@@ -47,6 +55,92 @@ interface(`mount_run',`
|
@@ -47,6 +55,110 @@ interface(`mount_run',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -35043,6 +35048,24 @@ index 4584457..fb1c881 100644
|
||||||
+ files_search_pids($1)
|
+ files_search_pids($1)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
+#######################################
|
||||||
|
+## <summary>
|
||||||
|
+## Do not audit attemps to write mount PID files.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain to not audit.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`mount_dontaudit_write_mount_pid',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type mount_var_run_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ dontaudit $1 mount_var_run_t:file write;
|
||||||
|
+')
|
||||||
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Manage mount PID files.
|
+## Manage mount PID files.
|
||||||
|
@ -35067,7 +35090,7 @@ index 4584457..fb1c881 100644
|
||||||
## Execute mount in the caller domain.
|
## Execute mount in the caller domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -91,7 +185,7 @@ interface(`mount_signal',`
|
@@ -91,7 +203,7 @@ interface(`mount_signal',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -35076,7 +35099,7 @@ index 4584457..fb1c881 100644
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@@ -131,45 +225,184 @@ interface(`mount_send_nfs_client_request',`
|
@@ -131,45 +243,184 @@ interface(`mount_send_nfs_client_request',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -35142,15 +35165,12 @@ index 4584457..fb1c881 100644
|
||||||
#
|
#
|
||||||
-interface(`mount_run_unconfined',`
|
-interface(`mount_run_unconfined',`
|
||||||
+interface(`mount_exec_fusermount',`
|
+interface(`mount_exec_fusermount',`
|
||||||
gen_require(`
|
+ gen_require(`
|
||||||
- type unconfined_mount_t;
|
|
||||||
+ type fusermount_exec_t;
|
+ type fusermount_exec_t;
|
||||||
')
|
+ ')
|
||||||
|
+
|
||||||
- mount_domtrans_unconfined($1)
|
|
||||||
- role $2 types unconfined_mount_t;
|
|
||||||
+ can_exec($1, fusermount_exec_t)
|
+ can_exec($1, fusermount_exec_t)
|
||||||
')
|
+')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
|
@ -35163,12 +35183,15 @@ index 4584457..fb1c881 100644
|
||||||
+## </param>
|
+## </param>
|
||||||
+#
|
+#
|
||||||
+interface(`mount_dontaudit_exec_fusermount',`
|
+interface(`mount_dontaudit_exec_fusermount',`
|
||||||
+ gen_require(`
|
gen_require(`
|
||||||
|
- type unconfined_mount_t;
|
||||||
+ type fusermount_exec_t;
|
+ type fusermount_exec_t;
|
||||||
+ ')
|
')
|
||||||
+
|
|
||||||
|
- mount_domtrans_unconfined($1)
|
||||||
|
- role $2 types unconfined_mount_t;
|
||||||
+ dontaudit $1 fusermount_exec_t:file exec_file_perms;
|
+ dontaudit $1 fusermount_exec_t:file exec_file_perms;
|
||||||
+')
|
')
|
||||||
+
|
+
|
||||||
+######################################
|
+######################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
|
@ -39676,10 +39699,10 @@ index 0000000..8bca1d7
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..188a153
|
index 0000000..ca13b14
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/system/systemd.te
|
+++ b/policy/modules/system/systemd.te
|
||||||
@@ -0,0 +1,677 @@
|
@@ -0,0 +1,680 @@
|
||||||
+policy_module(systemd, 1.0.0)
|
+policy_module(systemd, 1.0.0)
|
||||||
+
|
+
|
||||||
+#######################################
|
+#######################################
|
||||||
|
@ -39776,6 +39799,9 @@ index 0000000..188a153
|
||||||
+mls_file_read_all_levels(systemd_logind_t)
|
+mls_file_read_all_levels(systemd_logind_t)
|
||||||
+mls_file_write_all_levels(systemd_logind_t)
|
+mls_file_write_all_levels(systemd_logind_t)
|
||||||
+
|
+
|
||||||
|
+fs_mount_tmpfs(systemd_logind_t)
|
||||||
|
+fs_unmount_tmpfs(systemd_logind_t)
|
||||||
|
+
|
||||||
+manage_dirs_pattern(systemd_logind_t, systemd_logind_var_lib_t, systemd_logind_var_lib_t)
|
+manage_dirs_pattern(systemd_logind_t, systemd_logind_var_lib_t, systemd_logind_var_lib_t)
|
||||||
+manage_files_pattern(systemd_logind_t, systemd_logind_var_lib_t, systemd_logind_var_lib_t)
|
+manage_files_pattern(systemd_logind_t, systemd_logind_var_lib_t, systemd_logind_var_lib_t)
|
||||||
+init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir, "linger")
|
+init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir, "linger")
|
||||||
|
@ -39861,8 +39887,8 @@ index 0000000..188a153
|
||||||
+
|
+
|
||||||
+userdom_read_all_users_state(systemd_logind_t)
|
+userdom_read_all_users_state(systemd_logind_t)
|
||||||
+userdom_use_user_ttys(systemd_logind_t)
|
+userdom_use_user_ttys(systemd_logind_t)
|
||||||
+userdom_manage_all_user_tmp_content(systemd_logind_t)
|
+userdom_manage_tmp_role(system_r, systemd_logind_t)
|
||||||
+userdom_manage_all_user_tmpfs_content(systemd_logind_t)
|
+userdom_manage_tmpfs_role(system_r, systemd_logind_t)
|
||||||
+
|
+
|
||||||
+xserver_dbus_chat(systemd_logind_t)
|
+xserver_dbus_chat(systemd_logind_t)
|
||||||
+
|
+
|
||||||
|
@ -41487,10 +41513,10 @@ index 5ca20a9..e749152 100644
|
||||||
+ corecmd_bin_domtrans($1, unconfined_service_t)
|
+ corecmd_bin_domtrans($1, unconfined_service_t)
|
||||||
')
|
')
|
||||||
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
|
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
|
||||||
index 5fe902d..9382e97 100644
|
index 5fe902d..fcc9efe 100644
|
||||||
--- a/policy/modules/system/unconfined.te
|
--- a/policy/modules/system/unconfined.te
|
||||||
+++ b/policy/modules/system/unconfined.te
|
+++ b/policy/modules/system/unconfined.te
|
||||||
@@ -1,207 +1,16 @@
|
@@ -1,207 +1,20 @@
|
||||||
-policy_module(unconfined, 3.5.1)
|
-policy_module(unconfined, 3.5.1)
|
||||||
+policy_module(unconfined, 3.5.0)
|
+policy_module(unconfined, 3.5.0)
|
||||||
|
|
||||||
|
@ -41700,12 +41726,13 @@ index 5fe902d..9382e97 100644
|
||||||
-
|
-
|
||||||
-allow unconfined_execmem_t self:process { execstack execmem };
|
-allow unconfined_execmem_t self:process { execstack execmem };
|
||||||
-unconfined_domain_noaudit(unconfined_execmem_t)
|
-unconfined_domain_noaudit(unconfined_execmem_t)
|
||||||
-
|
|
||||||
-optional_policy(`
|
|
||||||
- unconfined_dbus_chat(unconfined_execmem_t)
|
|
||||||
-')
|
|
||||||
+corecmd_bin_entry_type(unconfined_service_t)
|
+corecmd_bin_entry_type(unconfined_service_t)
|
||||||
+corecmd_shell_entry_type(unconfined_service_t)
|
+corecmd_shell_entry_type(unconfined_service_t)
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
- unconfined_dbus_chat(unconfined_execmem_t)
|
||||||
|
+ rpm_transition_script(unconfined_service_t, system_r)
|
||||||
|
')
|
||||||
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
|
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
|
||||||
index db75976..e4eb903 100644
|
index db75976..e4eb903 100644
|
||||||
--- a/policy/modules/system/userdomain.fc
|
--- a/policy/modules/system/userdomain.fc
|
||||||
|
@ -41737,7 +41764,7 @@ index db75976..e4eb903 100644
|
||||||
+
|
+
|
||||||
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
|
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
|
||||||
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
|
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
|
||||||
index 9dc60c6..428fe58 100644
|
index 9dc60c6..858bd7a 100644
|
||||||
--- a/policy/modules/system/userdomain.if
|
--- a/policy/modules/system/userdomain.if
|
||||||
+++ b/policy/modules/system/userdomain.if
|
+++ b/policy/modules/system/userdomain.if
|
||||||
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
|
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
|
||||||
|
@ -42230,7 +42257,7 @@ index 9dc60c6..428fe58 100644
|
||||||
+ type user_tmpfs_t;
|
+ type user_tmpfs_t;
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ allow $1 user_tmpfs_t:file manage_file_perms;
|
+ manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+#######################################
|
+#######################################
|
||||||
|
@ -42286,11 +42313,11 @@ index 9dc60c6..428fe58 100644
|
||||||
- gen_require(`
|
- gen_require(`
|
||||||
- type $1_t;
|
- type $1_t;
|
||||||
- ')
|
- ')
|
||||||
+interface(`userdom_basic_networking',`
|
-
|
||||||
|
|
||||||
- allow $1_t self:tcp_socket create_stream_socket_perms;
|
- allow $1_t self:tcp_socket create_stream_socket_perms;
|
||||||
- allow $1_t self:udp_socket create_socket_perms;
|
- allow $1_t self:udp_socket create_socket_perms;
|
||||||
-
|
+interface(`userdom_basic_networking',`
|
||||||
|
|
||||||
- corenet_all_recvfrom_unlabeled($1_t)
|
- corenet_all_recvfrom_unlabeled($1_t)
|
||||||
- corenet_all_recvfrom_netlabel($1_t)
|
- corenet_all_recvfrom_netlabel($1_t)
|
||||||
- corenet_tcp_sendrecv_generic_if($1_t)
|
- corenet_tcp_sendrecv_generic_if($1_t)
|
||||||
|
@ -42382,27 +42409,27 @@ index 9dc60c6..428fe58 100644
|
||||||
+ kernel_get_sysvipc_info($1_usertype)
|
+ kernel_get_sysvipc_info($1_usertype)
|
||||||
# Find CDROM devices:
|
# Find CDROM devices:
|
||||||
- kernel_read_device_sysctls($1_t)
|
- kernel_read_device_sysctls($1_t)
|
||||||
-
|
|
||||||
- corecmd_exec_bin($1_t)
|
|
||||||
+ kernel_read_device_sysctls($1_usertype)
|
+ kernel_read_device_sysctls($1_usertype)
|
||||||
+ kernel_request_load_module($1_usertype)
|
+ kernel_request_load_module($1_usertype)
|
||||||
|
|
||||||
- corenet_udp_bind_generic_node($1_t)
|
- corecmd_exec_bin($1_t)
|
||||||
- corenet_udp_bind_generic_port($1_t)
|
|
||||||
+ corenet_udp_bind_generic_node($1_usertype)
|
+ corenet_udp_bind_generic_node($1_usertype)
|
||||||
+ corenet_udp_bind_generic_port($1_usertype)
|
+ corenet_udp_bind_generic_port($1_usertype)
|
||||||
|
|
||||||
- dev_read_rand($1_t)
|
- corenet_udp_bind_generic_node($1_t)
|
||||||
- dev_write_sound($1_t)
|
- corenet_udp_bind_generic_port($1_t)
|
||||||
- dev_read_sound($1_t)
|
|
||||||
- dev_read_sound_mixer($1_t)
|
|
||||||
- dev_write_sound_mixer($1_t)
|
|
||||||
+ dev_read_rand($1_usertype)
|
+ dev_read_rand($1_usertype)
|
||||||
+ dev_write_sound($1_usertype)
|
+ dev_write_sound($1_usertype)
|
||||||
+ dev_read_sound($1_usertype)
|
+ dev_read_sound($1_usertype)
|
||||||
+ dev_read_sound_mixer($1_usertype)
|
+ dev_read_sound_mixer($1_usertype)
|
||||||
+ dev_write_sound_mixer($1_usertype)
|
+ dev_write_sound_mixer($1_usertype)
|
||||||
|
|
||||||
|
- dev_read_rand($1_t)
|
||||||
|
- dev_write_sound($1_t)
|
||||||
|
- dev_read_sound($1_t)
|
||||||
|
- dev_read_sound_mixer($1_t)
|
||||||
|
- dev_write_sound_mixer($1_t)
|
||||||
|
-
|
||||||
- files_exec_etc_files($1_t)
|
- files_exec_etc_files($1_t)
|
||||||
- files_search_locks($1_t)
|
- files_search_locks($1_t)
|
||||||
+ files_exec_etc_files($1_usertype)
|
+ files_exec_etc_files($1_usertype)
|
||||||
|
@ -42426,12 +42453,12 @@ index 9dc60c6..428fe58 100644
|
||||||
+ fs_read_noxattr_fs_files($1_usertype)
|
+ fs_read_noxattr_fs_files($1_usertype)
|
||||||
+ fs_read_noxattr_fs_symlinks($1_usertype)
|
+ fs_read_noxattr_fs_symlinks($1_usertype)
|
||||||
+ fs_rw_cgroup_files($1_usertype)
|
+ fs_rw_cgroup_files($1_usertype)
|
||||||
|
+
|
||||||
- fs_rw_cgroup_files($1_t)
|
|
||||||
+ application_getattr_socket($1_usertype)
|
+ application_getattr_socket($1_usertype)
|
||||||
+
|
+
|
||||||
+ logging_send_syslog_msg($1_t)
|
+ logging_send_syslog_msg($1_t)
|
||||||
+
|
|
||||||
|
- fs_rw_cgroup_files($1_t)
|
||||||
+ selinux_get_enforce_mode($1_t)
|
+ selinux_get_enforce_mode($1_t)
|
||||||
|
|
||||||
# cjp: some of this probably can be removed
|
# cjp: some of this probably can be removed
|
||||||
|
@ -42537,68 +42564,68 @@ index 9dc60c6..428fe58 100644
|
||||||
+
|
+
|
||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
+ geoclue_dbus_chat($1_usertype)
|
+ geoclue_dbus_chat($1_usertype)
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ optional_policy(`
|
||||||
|
+ gnome_dbus_chat_gconfdefault($1_usertype)
|
||||||
+ ')
|
+ ')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- bluetooth_dbus_chat($1_t)
|
- bluetooth_dbus_chat($1_t)
|
||||||
+ gnome_dbus_chat_gconfdefault($1_usertype)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
- consolekit_dbus_chat($1_t)
|
|
||||||
+ hal_dbus_chat($1_usertype)
|
+ hal_dbus_chat($1_usertype)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- cups_dbus_chat_config($1_t)
|
- consolekit_dbus_chat($1_t)
|
||||||
+ kde_dbus_chat_backlighthelper($1_usertype)
|
+ kde_dbus_chat_backlighthelper($1_usertype)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- hal_dbus_chat($1_t)
|
- cups_dbus_chat_config($1_t)
|
||||||
+ modemmanager_dbus_chat($1_usertype)
|
+ modemmanager_dbus_chat($1_usertype)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- networkmanager_dbus_chat($1_t)
|
- hal_dbus_chat($1_t)
|
||||||
+ networkmanager_dbus_chat($1_usertype)
|
+ networkmanager_dbus_chat($1_usertype)
|
||||||
+ networkmanager_read_lib_files($1_usertype)
|
+ networkmanager_read_lib_files($1_usertype)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- policykit_dbus_chat($1_t)
|
- networkmanager_dbus_chat($1_t)
|
||||||
+ policykit_dbus_chat($1_usertype)
|
+ policykit_dbus_chat($1_usertype)
|
||||||
')
|
')
|
||||||
+
|
|
||||||
+ optional_policy(`
|
optional_policy(`
|
||||||
|
- policykit_dbus_chat($1_t)
|
||||||
+ vpn_dbus_chat($1_usertype)
|
+ vpn_dbus_chat($1_usertype)
|
||||||
+ ')
|
')
|
||||||
+ ')
|
|
||||||
+
|
|
||||||
+ optional_policy(`
|
|
||||||
+ git_role($1_r, $1_t)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- inetd_use_fds($1_t)
|
- inetd_use_fds($1_t)
|
||||||
- inetd_rw_tcp_sockets($1_t)
|
- inetd_rw_tcp_sockets($1_t)
|
||||||
+ inetd_use_fds($1_usertype)
|
+ git_role($1_r, $1_t)
|
||||||
+ inetd_rw_tcp_sockets($1_usertype)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- inn_read_config($1_t)
|
- inn_read_config($1_t)
|
||||||
- inn_read_news_lib($1_t)
|
- inn_read_news_lib($1_t)
|
||||||
- inn_read_news_spool($1_t)
|
- inn_read_news_spool($1_t)
|
||||||
+ inn_read_config($1_usertype)
|
+ inetd_use_fds($1_usertype)
|
||||||
+ inn_read_news_lib($1_usertype)
|
+ inetd_rw_tcp_sockets($1_usertype)
|
||||||
+ inn_read_news_spool($1_usertype)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- kerberos_manage_krb5_home_files($1_t)
|
- kerberos_manage_krb5_home_files($1_t)
|
||||||
- kerberos_relabel_krb5_home_files($1_t)
|
- kerberos_relabel_krb5_home_files($1_t)
|
||||||
- kerberos_home_filetrans_krb5_home($1_t, file, ".k5login")
|
- kerberos_home_filetrans_krb5_home($1_t, file, ".k5login")
|
||||||
|
+ inn_read_config($1_usertype)
|
||||||
|
+ inn_read_news_lib($1_usertype)
|
||||||
|
+ inn_read_news_spool($1_usertype)
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ optional_policy(`
|
||||||
+ lircd_stream_connect($1_usertype)
|
+ lircd_stream_connect($1_usertype)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -42660,35 +42687,27 @@ index 9dc60c6..428fe58 100644
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- resmgr_stream_connect($1_t)
|
- resmgr_stream_connect($1_t)
|
||||||
+ resmgr_stream_connect($1_usertype)
|
+ resmgr_stream_connect($1_usertype)
|
||||||
+ ')
|
|
||||||
+
|
|
||||||
+ optional_policy(`
|
|
||||||
+ rpc_dontaudit_getattr_exports($1_usertype)
|
|
||||||
+ ')
|
|
||||||
+
|
|
||||||
+ optional_policy(`
|
|
||||||
+ rpcbind_stream_connect($1_usertype)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- rpc_dontaudit_getattr_exports($1_t)
|
- rpc_dontaudit_getattr_exports($1_t)
|
||||||
- rpc_manage_nfs_rw_content($1_t)
|
- rpc_manage_nfs_rw_content($1_t)
|
||||||
+ samba_stream_connect_winbind($1_usertype)
|
+ rpc_dontaudit_getattr_exports($1_usertype)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- samba_stream_connect_winbind($1_t)
|
- samba_stream_connect_winbind($1_t)
|
||||||
+ sandbox_transition($1_usertype, $1_r)
|
+ rpcbind_stream_connect($1_usertype)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- slrnpull_search_spool($1_t)
|
- slrnpull_search_spool($1_t)
|
||||||
+ seunshare_role_template($1, $1_r, $1_t)
|
+ samba_stream_connect_winbind($1_usertype)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- usernetctl_run($1_t, $1_r)
|
- usernetctl_run($1_t, $1_r)
|
||||||
+ slrnpull_search_spool($1_usertype)
|
+ sandbox_transition($1_usertype, $1_r)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -42697,6 +42716,14 @@ index 9dc60c6..428fe58 100644
|
||||||
- virt_home_filetrans_virt_content($1_t, dir, "isos")
|
- virt_home_filetrans_virt_content($1_t, dir, "isos")
|
||||||
- virt_home_filetrans_svirt_home($1_t, dir, "qemu")
|
- virt_home_filetrans_svirt_home($1_t, dir, "qemu")
|
||||||
- virt_home_filetrans_virt_home($1_t, dir, "VirtualMachines")
|
- virt_home_filetrans_virt_home($1_t, dir, "VirtualMachines")
|
||||||
|
+ seunshare_role_template($1, $1_r, $1_t)
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ optional_policy(`
|
||||||
|
+ slrnpull_search_spool($1_usertype)
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ optional_policy(`
|
||||||
+ thumb_role($1_r, $1_usertype)
|
+ thumb_role($1_r, $1_usertype)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
@ -42721,7 +42748,9 @@ index 9dc60c6..428fe58 100644
|
||||||
+
|
+
|
||||||
+ ifelse(`$1',`unconfined',`',`
|
+ ifelse(`$1',`unconfined',`',`
|
||||||
+ gen_tunable($1_exec_content, true)
|
+ gen_tunable($1_exec_content, true)
|
||||||
+
|
|
||||||
|
- userdom_exec_user_tmp_files($1_t)
|
||||||
|
- userdom_exec_user_home_content_files($1_t)
|
||||||
+ tunable_policy(`$1_exec_content',`
|
+ tunable_policy(`$1_exec_content',`
|
||||||
+ userdom_exec_user_tmp_files($1_usertype)
|
+ userdom_exec_user_tmp_files($1_usertype)
|
||||||
+ userdom_exec_user_home_content_files($1_usertype)
|
+ userdom_exec_user_home_content_files($1_usertype)
|
||||||
|
@ -42729,9 +42758,7 @@ index 9dc60c6..428fe58 100644
|
||||||
+ tunable_policy(`$1_exec_content && use_nfs_home_dirs',`
|
+ tunable_policy(`$1_exec_content && use_nfs_home_dirs',`
|
||||||
+ fs_exec_nfs_files($1_usertype)
|
+ fs_exec_nfs_files($1_usertype)
|
||||||
+ ')
|
+ ')
|
||||||
|
+
|
||||||
- userdom_exec_user_tmp_files($1_t)
|
|
||||||
- userdom_exec_user_home_content_files($1_t)
|
|
||||||
+ tunable_policy(`$1_exec_content && use_samba_home_dirs',`
|
+ tunable_policy(`$1_exec_content && use_samba_home_dirs',`
|
||||||
+ fs_exec_cifs_files($1_usertype)
|
+ fs_exec_cifs_files($1_usertype)
|
||||||
+ ')
|
+ ')
|
||||||
|
@ -43138,16 +43165,16 @@ index 9dc60c6..428fe58 100644
|
||||||
+
|
+
|
||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
+ gpm_stream_connect($1_usertype)
|
+ gpm_stream_connect($1_usertype)
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ optional_policy(`
|
||||||
|
+ mount_run_fusermount($1_t, $1_r)
|
||||||
|
+ mount_read_pid_files($1_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- netutils_run_ping_cond($1_t, $1_r)
|
- netutils_run_ping_cond($1_t, $1_r)
|
||||||
- netutils_run_traceroute_cond($1_t, $1_r)
|
- netutils_run_traceroute_cond($1_t, $1_r)
|
||||||
+ mount_run_fusermount($1_t, $1_r)
|
|
||||||
+ mount_read_pid_files($1_t)
|
|
||||||
+ ')
|
|
||||||
+
|
|
||||||
+ optional_policy(`
|
|
||||||
+ wine_role_template($1, $1_r, $1_t)
|
+ wine_role_template($1, $1_r, $1_t)
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
|
@ -44391,7 +44418,7 @@ index 9dc60c6..428fe58 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -3214,31 +3977,49 @@ interface(`userdom_dontaudit_use_user_ptys',`
|
@@ -3214,30 +3977,48 @@ interface(`userdom_dontaudit_use_user_ptys',`
|
||||||
type user_devpts_t;
|
type user_devpts_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -44424,7 +44451,6 @@ index 9dc60c6..428fe58 100644
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
-## Do not audit attempts to relabel files from
|
-## Do not audit attempts to relabel files from
|
||||||
-## user pty types.
|
|
||||||
+## Relabel files to unprivileged user pty types.
|
+## Relabel files to unprivileged user pty types.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
|
@ -44444,10 +44470,9 @@ index 9dc60c6..428fe58 100644
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Do not audit attempts to relabel files from
|
+## Do not audit attempts to relabel files from
|
||||||
+## user pty types.
|
## user pty types.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
|
||||||
@@ -3269,7 +4050,83 @@ interface(`userdom_write_user_tmp_files',`
|
@@ -3269,7 +4050,83 @@ interface(`userdom_write_user_tmp_files',`
|
||||||
type user_tmp_t;
|
type user_tmp_t;
|
||||||
')
|
')
|
||||||
|
@ -46300,7 +46325,7 @@ index 9dc60c6..428fe58 100644
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
|
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
|
||||||
index f4ac38d..711759c 100644
|
index f4ac38d..7283238 100644
|
||||||
--- a/policy/modules/system/userdomain.te
|
--- a/policy/modules/system/userdomain.te
|
||||||
+++ b/policy/modules/system/userdomain.te
|
+++ b/policy/modules/system/userdomain.te
|
||||||
@@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1)
|
@@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1)
|
||||||
|
@ -46389,7 +46414,7 @@ index f4ac38d..711759c 100644
|
||||||
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
|
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
|
||||||
fs_associate_tmpfs(user_home_dir_t)
|
fs_associate_tmpfs(user_home_dir_t)
|
||||||
files_type(user_home_dir_t)
|
files_type(user_home_dir_t)
|
||||||
@@ -70,26 +83,384 @@ ubac_constrained(user_home_dir_t)
|
@@ -70,26 +83,386 @@ ubac_constrained(user_home_dir_t)
|
||||||
|
|
||||||
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
|
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
|
||||||
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
|
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
|
||||||
|
@ -46456,6 +46481,8 @@ index f4ac38d..711759c 100644
|
||||||
+dontaudit unpriv_userdomain self:dir setattr;
|
+dontaudit unpriv_userdomain self:dir setattr;
|
||||||
+allow unpriv_userdomain self:key manage_key_perms;
|
+allow unpriv_userdomain self:key manage_key_perms;
|
||||||
+
|
+
|
||||||
|
+mount_dontaudit_write_mount_pid(unpriv_userdomain)
|
||||||
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ alsa_read_rw_config(unpriv_userdomain)
|
+ alsa_read_rw_config(unpriv_userdomain)
|
||||||
+ alsa_manage_home_files(unpriv_userdomain)
|
+ alsa_manage_home_files(unpriv_userdomain)
|
||||||
|
|
|
@ -11316,10 +11316,10 @@ index 0000000..57866f6
|
||||||
+HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
|
+HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
|
||||||
diff --git a/chrome.if b/chrome.if
|
diff --git a/chrome.if b/chrome.if
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..8ea5b7c
|
index 0000000..a0fdbcb
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/chrome.if
|
+++ b/chrome.if
|
||||||
@@ -0,0 +1,133 @@
|
@@ -0,0 +1,136 @@
|
||||||
+
|
+
|
||||||
+## <summary>policy for chrome</summary>
|
+## <summary>policy for chrome</summary>
|
||||||
+
|
+
|
||||||
|
@ -11343,6 +11343,9 @@ index 0000000..8ea5b7c
|
||||||
+
|
+
|
||||||
+ allow $1 chrome_sandbox_t:fd use;
|
+ allow $1 chrome_sandbox_t:fd use;
|
||||||
+
|
+
|
||||||
|
+ dontaudit chrome_sandbox_t $1:socket_class_set getattr;
|
||||||
|
+ allow chrome_sandbox_t $1:unix_stream_socket rw_socket_perms;
|
||||||
|
+
|
||||||
+ ifdef(`hide_broken_symptoms',`
|
+ ifdef(`hide_broken_symptoms',`
|
||||||
+ fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t)
|
+ fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t)
|
||||||
+ ')
|
+ ')
|
||||||
|
@ -13273,7 +13276,7 @@ index 954309e..f4db2ca 100644
|
||||||
')
|
')
|
||||||
+
|
+
|
||||||
diff --git a/collectd.te b/collectd.te
|
diff --git a/collectd.te b/collectd.te
|
||||||
index 6471fa8..26584f2 100644
|
index 6471fa8..36c3464 100644
|
||||||
--- a/collectd.te
|
--- a/collectd.te
|
||||||
+++ b/collectd.te
|
+++ b/collectd.te
|
||||||
@@ -26,18 +26,28 @@ files_type(collectd_var_lib_t)
|
@@ -26,18 +26,28 @@ files_type(collectd_var_lib_t)
|
||||||
|
@ -13342,7 +13345,7 @@ index 6471fa8..26584f2 100644
|
||||||
|
|
||||||
logging_send_syslog_msg(collectd_t)
|
logging_send_syslog_msg(collectd_t)
|
||||||
|
|
||||||
@@ -75,16 +90,30 @@ tunable_policy(`collectd_tcp_network_connect',`
|
@@ -75,16 +90,31 @@ tunable_policy(`collectd_tcp_network_connect',`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -13355,6 +13358,7 @@ index 6471fa8..26584f2 100644
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
virt_read_config(collectd_t)
|
virt_read_config(collectd_t)
|
||||||
|
+ virt_stream_connect(collectd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -16650,7 +16654,7 @@ index 1303b30..72481a7 100644
|
||||||
+ logging_log_filetrans($1, cron_log_t, $2, $3)
|
+ logging_log_filetrans($1, cron_log_t, $2, $3)
|
||||||
')
|
')
|
||||||
diff --git a/cron.te b/cron.te
|
diff --git a/cron.te b/cron.te
|
||||||
index 7de3859..23baf47 100644
|
index 7de3859..24f2712 100644
|
||||||
--- a/cron.te
|
--- a/cron.te
|
||||||
+++ b/cron.te
|
+++ b/cron.te
|
||||||
@@ -11,46 +11,46 @@ gen_require(`
|
@@ -11,46 +11,46 @@ gen_require(`
|
||||||
|
@ -16724,7 +16728,7 @@ index 7de3859..23baf47 100644
|
||||||
type crond_tmp_t;
|
type crond_tmp_t;
|
||||||
files_tmp_file(crond_tmp_t)
|
files_tmp_file(crond_tmp_t)
|
||||||
files_poly_parent(crond_tmp_t)
|
files_poly_parent(crond_tmp_t)
|
||||||
@@ -92,15 +95,16 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
|
@@ -92,15 +95,17 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
|
||||||
typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
|
typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
|
||||||
typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
|
typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
|
||||||
typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
|
typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
|
||||||
|
@ -16739,12 +16743,13 @@ index 7de3859..23baf47 100644
|
||||||
init_daemon_domain(system_cronjob_t, anacron_exec_t)
|
init_daemon_domain(system_cronjob_t, anacron_exec_t)
|
||||||
corecmd_shell_entry_type(system_cronjob_t)
|
corecmd_shell_entry_type(system_cronjob_t)
|
||||||
-domain_entry_file(system_cronjob_t, system_cron_spool_t)
|
-domain_entry_file(system_cronjob_t, system_cron_spool_t)
|
||||||
|
+corecmd_bin_entry_type(system_cronjob_t)
|
||||||
+role system_r types system_cronjob_t;
|
+role system_r types system_cronjob_t;
|
||||||
+domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
|
+domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
|
||||||
|
|
||||||
type system_cronjob_lock_t alias system_crond_lock_t;
|
type system_cronjob_lock_t alias system_crond_lock_t;
|
||||||
files_lock_file(system_cronjob_lock_t)
|
files_lock_file(system_cronjob_lock_t)
|
||||||
@@ -108,94 +112,34 @@ files_lock_file(system_cronjob_lock_t)
|
@@ -108,94 +113,34 @@ files_lock_file(system_cronjob_lock_t)
|
||||||
type system_cronjob_tmp_t alias system_crond_tmp_t;
|
type system_cronjob_tmp_t alias system_crond_tmp_t;
|
||||||
files_tmp_file(system_cronjob_tmp_t)
|
files_tmp_file(system_cronjob_tmp_t)
|
||||||
|
|
||||||
|
@ -16851,7 +16856,7 @@ index 7de3859..23baf47 100644
|
||||||
selinux_get_fs_mount(admin_crontab_t)
|
selinux_get_fs_mount(admin_crontab_t)
|
||||||
selinux_validate_context(admin_crontab_t)
|
selinux_validate_context(admin_crontab_t)
|
||||||
selinux_compute_access_vector(admin_crontab_t)
|
selinux_compute_access_vector(admin_crontab_t)
|
||||||
@@ -204,22 +148,26 @@ selinux_compute_relabel_context(admin_crontab_t)
|
@@ -204,22 +149,26 @@ selinux_compute_relabel_context(admin_crontab_t)
|
||||||
selinux_compute_user_contexts(admin_crontab_t)
|
selinux_compute_user_contexts(admin_crontab_t)
|
||||||
|
|
||||||
tunable_policy(`fcron_crond',`
|
tunable_policy(`fcron_crond',`
|
||||||
|
@ -16881,7 +16886,7 @@ index 7de3859..23baf47 100644
|
||||||
allow crond_t self:shm create_shm_perms;
|
allow crond_t self:shm create_shm_perms;
|
||||||
allow crond_t self:sem create_sem_perms;
|
allow crond_t self:sem create_sem_perms;
|
||||||
allow crond_t self:msgq create_msgq_perms;
|
allow crond_t self:msgq create_msgq_perms;
|
||||||
@@ -227,7 +175,7 @@ allow crond_t self:msg { send receive };
|
@@ -227,7 +176,7 @@ allow crond_t self:msg { send receive };
|
||||||
allow crond_t self:key { search write link };
|
allow crond_t self:key { search write link };
|
||||||
dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
|
dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
|
||||||
|
|
||||||
|
@ -16890,7 +16895,7 @@ index 7de3859..23baf47 100644
|
||||||
logging_log_filetrans(crond_t, cron_log_t, file)
|
logging_log_filetrans(crond_t, cron_log_t, file)
|
||||||
|
|
||||||
manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
|
manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
|
||||||
@@ -237,73 +185,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
|
@@ -237,73 +186,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
|
||||||
|
|
||||||
manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
|
manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
|
||||||
manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
|
manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
|
||||||
|
@ -16994,7 +16999,7 @@ index 7de3859..23baf47 100644
|
||||||
auth_use_nsswitch(crond_t)
|
auth_use_nsswitch(crond_t)
|
||||||
|
|
||||||
logging_send_audit_msgs(crond_t)
|
logging_send_audit_msgs(crond_t)
|
||||||
@@ -312,41 +255,46 @@ logging_set_loginuid(crond_t)
|
@@ -312,41 +256,46 @@ logging_set_loginuid(crond_t)
|
||||||
|
|
||||||
seutil_read_config(crond_t)
|
seutil_read_config(crond_t)
|
||||||
seutil_read_default_contexts(crond_t)
|
seutil_read_default_contexts(crond_t)
|
||||||
|
@ -17057,7 +17062,7 @@ index 7de3859..23baf47 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -354,103 +302,135 @@ optional_policy(`
|
@@ -354,103 +303,135 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -17224,7 +17229,7 @@ index 7de3859..23baf47 100644
|
||||||
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
|
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
|
||||||
allow system_cronjob_t cron_spool_t:file rw_file_perms;
|
allow system_cronjob_t cron_spool_t:file rw_file_perms;
|
||||||
|
|
||||||
@@ -461,11 +441,11 @@ kernel_read_network_state(system_cronjob_t)
|
@@ -461,11 +442,11 @@ kernel_read_network_state(system_cronjob_t)
|
||||||
kernel_read_system_state(system_cronjob_t)
|
kernel_read_system_state(system_cronjob_t)
|
||||||
kernel_read_software_raid_state(system_cronjob_t)
|
kernel_read_software_raid_state(system_cronjob_t)
|
||||||
|
|
||||||
|
@ -17237,7 +17242,7 @@ index 7de3859..23baf47 100644
|
||||||
corenet_all_recvfrom_netlabel(system_cronjob_t)
|
corenet_all_recvfrom_netlabel(system_cronjob_t)
|
||||||
corenet_tcp_sendrecv_generic_if(system_cronjob_t)
|
corenet_tcp_sendrecv_generic_if(system_cronjob_t)
|
||||||
corenet_udp_sendrecv_generic_if(system_cronjob_t)
|
corenet_udp_sendrecv_generic_if(system_cronjob_t)
|
||||||
@@ -485,6 +465,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
|
@@ -485,6 +466,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
|
||||||
fs_getattr_all_pipes(system_cronjob_t)
|
fs_getattr_all_pipes(system_cronjob_t)
|
||||||
fs_getattr_all_sockets(system_cronjob_t)
|
fs_getattr_all_sockets(system_cronjob_t)
|
||||||
|
|
||||||
|
@ -17245,7 +17250,7 @@ index 7de3859..23baf47 100644
|
||||||
domain_dontaudit_read_all_domains_state(system_cronjob_t)
|
domain_dontaudit_read_all_domains_state(system_cronjob_t)
|
||||||
|
|
||||||
files_exec_etc_files(system_cronjob_t)
|
files_exec_etc_files(system_cronjob_t)
|
||||||
@@ -495,17 +476,22 @@ files_getattr_all_files(system_cronjob_t)
|
@@ -495,17 +477,22 @@ files_getattr_all_files(system_cronjob_t)
|
||||||
files_getattr_all_symlinks(system_cronjob_t)
|
files_getattr_all_symlinks(system_cronjob_t)
|
||||||
files_getattr_all_pipes(system_cronjob_t)
|
files_getattr_all_pipes(system_cronjob_t)
|
||||||
files_getattr_all_sockets(system_cronjob_t)
|
files_getattr_all_sockets(system_cronjob_t)
|
||||||
|
@ -17270,7 +17275,7 @@ index 7de3859..23baf47 100644
|
||||||
|
|
||||||
auth_use_nsswitch(system_cronjob_t)
|
auth_use_nsswitch(system_cronjob_t)
|
||||||
|
|
||||||
@@ -516,20 +502,26 @@ logging_read_generic_logs(system_cronjob_t)
|
@@ -516,20 +503,26 @@ logging_read_generic_logs(system_cronjob_t)
|
||||||
logging_send_audit_msgs(system_cronjob_t)
|
logging_send_audit_msgs(system_cronjob_t)
|
||||||
logging_send_syslog_msg(system_cronjob_t)
|
logging_send_syslog_msg(system_cronjob_t)
|
||||||
|
|
||||||
|
@ -17300,7 +17305,7 @@ index 7de3859..23baf47 100644
|
||||||
selinux_validate_context(system_cronjob_t)
|
selinux_validate_context(system_cronjob_t)
|
||||||
selinux_compute_access_vector(system_cronjob_t)
|
selinux_compute_access_vector(system_cronjob_t)
|
||||||
selinux_compute_create_context(system_cronjob_t)
|
selinux_compute_create_context(system_cronjob_t)
|
||||||
@@ -539,10 +531,18 @@ tunable_policy(`cron_can_relabel',`
|
@@ -539,10 +532,18 @@ tunable_policy(`cron_can_relabel',`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -17319,7 +17324,7 @@ index 7de3859..23baf47 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -551,10 +551,6 @@ optional_policy(`
|
@@ -551,10 +552,6 @@ optional_policy(`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_system_bus_client(system_cronjob_t)
|
dbus_system_bus_client(system_cronjob_t)
|
||||||
|
@ -17330,7 +17335,7 @@ index 7de3859..23baf47 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -591,6 +587,7 @@ optional_policy(`
|
@@ -591,6 +588,7 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
mta_read_config(system_cronjob_t)
|
mta_read_config(system_cronjob_t)
|
||||||
mta_send_mail(system_cronjob_t)
|
mta_send_mail(system_cronjob_t)
|
||||||
|
@ -17338,7 +17343,7 @@ index 7de3859..23baf47 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -598,7 +595,23 @@ optional_policy(`
|
@@ -598,7 +596,23 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -17362,7 +17367,7 @@ index 7de3859..23baf47 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -608,6 +621,7 @@ optional_policy(`
|
@@ -608,6 +622,7 @@ optional_policy(`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
spamassassin_manage_lib_files(system_cronjob_t)
|
spamassassin_manage_lib_files(system_cronjob_t)
|
||||||
|
@ -17370,7 +17375,7 @@ index 7de3859..23baf47 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -615,12 +629,24 @@ optional_policy(`
|
@@ -615,12 +630,24 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -17397,7 +17402,7 @@ index 7de3859..23baf47 100644
|
||||||
#
|
#
|
||||||
|
|
||||||
allow cronjob_t self:process { signal_perms setsched };
|
allow cronjob_t self:process { signal_perms setsched };
|
||||||
@@ -628,12 +654,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
|
@@ -628,12 +655,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
|
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
allow cronjob_t self:unix_dgram_socket create_socket_perms;
|
allow cronjob_t self:unix_dgram_socket create_socket_perms;
|
||||||
|
|
||||||
|
@ -17431,7 +17436,7 @@ index 7de3859..23baf47 100644
|
||||||
corenet_all_recvfrom_netlabel(cronjob_t)
|
corenet_all_recvfrom_netlabel(cronjob_t)
|
||||||
corenet_tcp_sendrecv_generic_if(cronjob_t)
|
corenet_tcp_sendrecv_generic_if(cronjob_t)
|
||||||
corenet_udp_sendrecv_generic_if(cronjob_t)
|
corenet_udp_sendrecv_generic_if(cronjob_t)
|
||||||
@@ -641,66 +687,138 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
|
@@ -641,66 +688,138 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
|
||||||
corenet_udp_sendrecv_generic_node(cronjob_t)
|
corenet_udp_sendrecv_generic_node(cronjob_t)
|
||||||
corenet_tcp_sendrecv_all_ports(cronjob_t)
|
corenet_tcp_sendrecv_all_ports(cronjob_t)
|
||||||
corenet_udp_sendrecv_all_ports(cronjob_t)
|
corenet_udp_sendrecv_all_ports(cronjob_t)
|
||||||
|
@ -18130,7 +18135,7 @@ index 949011e..afe482b 100644
|
||||||
+/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
+/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||||
+/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
+/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||||
diff --git a/cups.if b/cups.if
|
diff --git a/cups.if b/cups.if
|
||||||
index 3023be7..20e370b 100644
|
index 3023be7..303af85 100644
|
||||||
--- a/cups.if
|
--- a/cups.if
|
||||||
+++ b/cups.if
|
+++ b/cups.if
|
||||||
@@ -200,10 +200,13 @@ interface(`cups_dbus_chat_config',`
|
@@ -200,10 +200,13 @@ interface(`cups_dbus_chat_config',`
|
||||||
|
@ -18207,7 +18212,7 @@ index 3023be7..20e370b 100644
|
||||||
|
|
||||||
init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
|
init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
|
||||||
domain_system_change_exemption($1)
|
domain_system_change_exemption($1)
|
||||||
@@ -368,13 +399,44 @@ interface(`cups_admin',`
|
@@ -368,13 +399,45 @@ interface(`cups_admin',`
|
||||||
logging_list_logs($1)
|
logging_list_logs($1)
|
||||||
admin_pattern($1, cupsd_log_t)
|
admin_pattern($1, cupsd_log_t)
|
||||||
|
|
||||||
|
@ -18256,6 +18261,7 @@ index 3023be7..20e370b 100644
|
||||||
+ files_etc_filetrans($1, cupsd_rw_etc_t, dir, "inf")
|
+ files_etc_filetrans($1, cupsd_rw_etc_t, dir, "inf")
|
||||||
+ files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf")
|
+ files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf")
|
||||||
+ corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")
|
+ corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")
|
||||||
|
+ files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
|
||||||
')
|
')
|
||||||
diff --git a/cups.te b/cups.te
|
diff --git a/cups.te b/cups.te
|
||||||
index c91813c..2230476 100644
|
index c91813c..2230476 100644
|
||||||
|
@ -23932,7 +23938,7 @@ index c880070..4448055 100644
|
||||||
-/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
|
-/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
|
||||||
+/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
|
+/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
|
||||||
diff --git a/dovecot.if b/dovecot.if
|
diff --git a/dovecot.if b/dovecot.if
|
||||||
index d5badb7..f439164 100644
|
index d5badb7..c2431fc 100644
|
||||||
--- a/dovecot.if
|
--- a/dovecot.if
|
||||||
+++ b/dovecot.if
|
+++ b/dovecot.if
|
||||||
@@ -1,29 +1,49 @@
|
@@ -1,29 +1,49 @@
|
||||||
|
@ -24059,7 +24065,7 @@ index d5badb7..f439164 100644
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -120,10 +136,29 @@ interface(`dovecot_write_inherited_tmp_files',`
|
@@ -120,10 +136,30 @@ interface(`dovecot_write_inherited_tmp_files',`
|
||||||
allow $1 dovecot_tmp_t:file write;
|
allow $1 dovecot_tmp_t:file write;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -24079,6 +24085,7 @@ index d5badb7..f439164 100644
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ files_search_etc($1)
|
+ files_search_etc($1)
|
||||||
|
+ list_dirs_pattern($1, dovecot_etc_t, dovecot_etc_t)
|
||||||
+ read_files_pattern($1, dovecot_etc_t, dovecot_etc_t)
|
+ read_files_pattern($1, dovecot_etc_t, dovecot_etc_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
@ -24091,7 +24098,7 @@ index d5badb7..f439164 100644
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -132,7 +167,7 @@ interface(`dovecot_write_inherited_tmp_files',`
|
@@ -132,7 +168,7 @@ interface(`dovecot_write_inherited_tmp_files',`
|
||||||
## </param>
|
## </param>
|
||||||
## <param name="role">
|
## <param name="role">
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -24100,7 +24107,7 @@ index d5badb7..f439164 100644
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
## <rolecap/>
|
## <rolecap/>
|
||||||
@@ -146,9 +181,13 @@ interface(`dovecot_admin',`
|
@@ -146,9 +182,13 @@ interface(`dovecot_admin',`
|
||||||
type dovecot_keytab_t;
|
type dovecot_keytab_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -24115,7 +24122,7 @@ index d5badb7..f439164 100644
|
||||||
init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
|
init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
|
||||||
domain_system_change_exemption($1)
|
domain_system_change_exemption($1)
|
||||||
role_transition $2 dovecot_initrc_exec_t system_r;
|
role_transition $2 dovecot_initrc_exec_t system_r;
|
||||||
@@ -157,20 +196,25 @@ interface(`dovecot_admin',`
|
@@ -157,20 +197,25 @@ interface(`dovecot_admin',`
|
||||||
files_list_etc($1)
|
files_list_etc($1)
|
||||||
admin_pattern($1, { dovecot_keytab_t dovecot_etc_t })
|
admin_pattern($1, { dovecot_keytab_t dovecot_etc_t })
|
||||||
|
|
||||||
|
@ -30767,7 +30774,7 @@ index ab09d61..d0bfef0 100644
|
||||||
+ type_transition $1 gkeyringd_exec_t:process $2;
|
+ type_transition $1 gkeyringd_exec_t:process $2;
|
||||||
')
|
')
|
||||||
diff --git a/gnome.te b/gnome.te
|
diff --git a/gnome.te b/gnome.te
|
||||||
index 63893eb..e9adc23 100644
|
index 63893eb..8720f49 100644
|
||||||
--- a/gnome.te
|
--- a/gnome.te
|
||||||
+++ b/gnome.te
|
+++ b/gnome.te
|
||||||
@@ -5,14 +5,33 @@ policy_module(gnome, 2.3.0)
|
@@ -5,14 +5,33 @@ policy_module(gnome, 2.3.0)
|
||||||
|
@ -30806,7 +30813,7 @@ index 63893eb..e9adc23 100644
|
||||||
typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
|
typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
|
||||||
typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
|
typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
|
||||||
typealias gconf_home_t alias unconfined_gconf_home_t;
|
typealias gconf_home_t alias unconfined_gconf_home_t;
|
||||||
@@ -31,105 +50,225 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
|
@@ -31,105 +50,226 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
|
||||||
userdom_user_application_domain(gconfd_t, gconfd_exec_t)
|
userdom_user_application_domain(gconfd_t, gconfd_exec_t)
|
||||||
role gconfd_roles types gconfd_t;
|
role gconfd_roles types gconfd_t;
|
||||||
|
|
||||||
|
@ -31034,6 +31041,7 @@ index 63893eb..e9adc23 100644
|
||||||
+manage_dirs_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
|
+manage_dirs_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
|
||||||
+manage_sock_files_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
|
+manage_sock_files_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
|
||||||
+files_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir)
|
+files_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir)
|
||||||
|
+fs_tmpfs_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir)
|
||||||
+userdom_user_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, { sock_file dir })
|
+userdom_user_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, { sock_file dir })
|
||||||
|
|
||||||
-kernel_read_system_state(gkeyringd_domain)
|
-kernel_read_system_state(gkeyringd_domain)
|
||||||
|
@ -43487,10 +43495,10 @@ index 0000000..b694afc
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
diff --git a/mozilla.fc b/mozilla.fc
|
diff --git a/mozilla.fc b/mozilla.fc
|
||||||
index 6ffaba2..7128926 100644
|
index 6ffaba2..549fb8c 100644
|
||||||
--- a/mozilla.fc
|
--- a/mozilla.fc
|
||||||
+++ b/mozilla.fc
|
+++ b/mozilla.fc
|
||||||
@@ -1,38 +1,71 @@
|
@@ -1,38 +1,72 @@
|
||||||
-HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
-HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
||||||
-HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
-HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
||||||
-HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
|
-HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
|
||||||
|
@ -43514,6 +43522,7 @@ index 6ffaba2..7128926 100644
|
||||||
+HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
+HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
||||||
+HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
+HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
||||||
+HOME_DIR/\.cache/mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
+HOME_DIR/\.cache/mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
||||||
|
+HOME_DIR/\.cache/icedtea-web(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
||||||
+HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
+HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
||||||
+HOME_DIR/POkemon.*(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
+HOME_DIR/POkemon.*(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
||||||
+HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
+HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
||||||
|
@ -43597,7 +43606,7 @@ index 6ffaba2..7128926 100644
|
||||||
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
|
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
|
||||||
+')
|
+')
|
||||||
diff --git a/mozilla.if b/mozilla.if
|
diff --git a/mozilla.if b/mozilla.if
|
||||||
index 6194b80..03c6414 100644
|
index 6194b80..cafb2b0 100644
|
||||||
--- a/mozilla.if
|
--- a/mozilla.if
|
||||||
+++ b/mozilla.if
|
+++ b/mozilla.if
|
||||||
@@ -1,146 +1,75 @@
|
@@ -1,146 +1,75 @@
|
||||||
|
@ -44308,7 +44317,7 @@ index 6194b80..03c6414 100644
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -530,45 +519,56 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
|
@@ -530,45 +519,57 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
|
@ -44386,6 +44395,7 @@ index 6194b80..03c6414 100644
|
||||||
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".webex")
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".webex")
|
||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
+ gnome_cache_filetrans($1, mozilla_home_t, dir, "mozilla")
|
+ gnome_cache_filetrans($1, mozilla_home_t, dir, "mozilla")
|
||||||
|
+ gnome_cache_filetrans($1, mozilla_home_t, dir, "icedtea-web")
|
||||||
+ ')
|
+ ')
|
||||||
')
|
')
|
||||||
+
|
+
|
||||||
|
@ -84729,10 +84739,10 @@ index 0000000..3258f45
|
||||||
+')
|
+')
|
||||||
diff --git a/sandboxX.te b/sandboxX.te
|
diff --git a/sandboxX.te b/sandboxX.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..01ff0ea
|
index 0000000..956922c
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/sandboxX.te
|
+++ b/sandboxX.te
|
||||||
@@ -0,0 +1,496 @@
|
@@ -0,0 +1,500 @@
|
||||||
+policy_module(sandboxX,1.0.0)
|
+policy_module(sandboxX,1.0.0)
|
||||||
+
|
+
|
||||||
+dbus_stub()
|
+dbus_stub()
|
||||||
|
@ -84947,6 +84957,10 @@ index 0000000..01ff0ea
|
||||||
+storage_dontaudit_rw_fuse(sandbox_x_domain)
|
+storage_dontaudit_rw_fuse(sandbox_x_domain)
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
|
+ bluetooth_dbus_chat(sandbox_x_domain)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
+ consolekit_dbus_chat(sandbox_x_domain)
|
+ consolekit_dbus_chat(sandbox_x_domain)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
@ -89257,7 +89271,7 @@ index 7d86b34..5f58180 100644
|
||||||
+ files_list_pids($1)
|
+ files_list_pids($1)
|
||||||
')
|
')
|
||||||
diff --git a/snort.te b/snort.te
|
diff --git a/snort.te b/snort.te
|
||||||
index 1af72df..f63015b 100644
|
index 1af72df..7e55b50 100644
|
||||||
--- a/snort.te
|
--- a/snort.te
|
||||||
+++ b/snort.te
|
+++ b/snort.te
|
||||||
@@ -32,10 +32,13 @@ files_pid_file(snort_var_run_t)
|
@@ -32,10 +32,13 @@ files_pid_file(snort_var_run_t)
|
||||||
|
@ -89275,7 +89289,18 @@ index 1af72df..f63015b 100644
|
||||||
allow snort_t self:netlink_firewall_socket create_socket_perms;
|
allow snort_t self:netlink_firewall_socket create_socket_perms;
|
||||||
|
|
||||||
allow snort_t snort_etc_t:dir list_dir_perms;
|
allow snort_t snort_etc_t:dir list_dir_perms;
|
||||||
@@ -63,7 +66,6 @@ kernel_request_load_module(snort_t)
|
@@ -43,9 +46,7 @@ allow snort_t snort_etc_t:file read_file_perms;
|
||||||
|
allow snort_t snort_etc_t:lnk_file read_lnk_file_perms;
|
||||||
|
|
||||||
|
manage_dirs_pattern(snort_t, snort_log_t, snort_log_t)
|
||||||
|
-append_files_pattern(snort_t, snort_log_t, snort_log_t)
|
||||||
|
-create_files_pattern(snort_t, snort_log_t, snort_log_t)
|
||||||
|
-setattr_files_pattern(snort_t, snort_log_t, snort_log_t)
|
||||||
|
+manage_files_pattern(snort_t, snort_log_t, snort_log_t)
|
||||||
|
logging_log_filetrans(snort_t, snort_log_t, { file dir })
|
||||||
|
|
||||||
|
manage_dirs_pattern(snort_t, snort_tmp_t, snort_tmp_t)
|
||||||
|
@@ -63,7 +64,6 @@ kernel_request_load_module(snort_t)
|
||||||
kernel_dontaudit_read_system_state(snort_t)
|
kernel_dontaudit_read_system_state(snort_t)
|
||||||
kernel_read_network_state(snort_t)
|
kernel_read_network_state(snort_t)
|
||||||
|
|
||||||
|
@ -89283,7 +89308,7 @@ index 1af72df..f63015b 100644
|
||||||
corenet_all_recvfrom_netlabel(snort_t)
|
corenet_all_recvfrom_netlabel(snort_t)
|
||||||
corenet_tcp_sendrecv_generic_if(snort_t)
|
corenet_tcp_sendrecv_generic_if(snort_t)
|
||||||
corenet_udp_sendrecv_generic_if(snort_t)
|
corenet_udp_sendrecv_generic_if(snort_t)
|
||||||
@@ -86,18 +88,17 @@ dev_rw_generic_usb_dev(snort_t)
|
@@ -86,18 +86,17 @@ dev_rw_generic_usb_dev(snort_t)
|
||||||
|
|
||||||
domain_use_interactive_fds(snort_t)
|
domain_use_interactive_fds(snort_t)
|
||||||
|
|
||||||
|
@ -101913,10 +101938,10 @@ index 0000000..7933d80
|
||||||
+')
|
+')
|
||||||
diff --git a/vmtools.te b/vmtools.te
|
diff --git a/vmtools.te b/vmtools.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..5ce7d9c
|
index 0000000..d59b917
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/vmtools.te
|
+++ b/vmtools.te
|
||||||
@@ -0,0 +1,89 @@
|
@@ -0,0 +1,94 @@
|
||||||
+policy_module(vmtools, 1.0.0)
|
+policy_module(vmtools, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
|
@ -102006,6 +102031,11 @@ index 0000000..5ce7d9c
|
||||||
+corecmd_exec_bin(vmtools_helper_t)
|
+corecmd_exec_bin(vmtools_helper_t)
|
||||||
+
|
+
|
||||||
+userdom_stream_connect(vmtools_helper_t)
|
+userdom_stream_connect(vmtools_helper_t)
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ unconfined_domain(vmtools_helper_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
diff --git a/vmware.if b/vmware.if
|
diff --git a/vmware.if b/vmware.if
|
||||||
index 20a1fb2..470ea95 100644
|
index 20a1fb2..470ea95 100644
|
||||||
--- a/vmware.if
|
--- a/vmware.if
|
||||||
|
@ -102295,7 +102325,7 @@ index 7a7f342..afedcba 100644
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
diff --git a/vpn.te b/vpn.te
|
diff --git a/vpn.te b/vpn.te
|
||||||
index 95b26d1..28e0030 100644
|
index 95b26d1..3d74e70 100644
|
||||||
--- a/vpn.te
|
--- a/vpn.te
|
||||||
+++ b/vpn.te
|
+++ b/vpn.te
|
||||||
@@ -6,6 +6,7 @@ policy_module(vpn, 1.16.0)
|
@@ -6,6 +6,7 @@ policy_module(vpn, 1.16.0)
|
||||||
|
@ -102407,7 +102437,7 @@ index 95b26d1..28e0030 100644
|
||||||
-
|
-
|
||||||
-optional_policy(`
|
-optional_policy(`
|
||||||
- seutil_use_newrole_fds(vpnc_t)
|
- seutil_use_newrole_fds(vpnc_t)
|
||||||
+ networkmanager_delete_pid_files(vpnc_t)
|
+ networkmanager_manage_pid_files(vpnc_t)
|
||||||
')
|
')
|
||||||
diff --git a/w3c.fc b/w3c.fc
|
diff --git a/w3c.fc b/w3c.fc
|
||||||
index 463c799..227feaf 100644
|
index 463c799..227feaf 100644
|
||||||
|
|
|
@ -19,7 +19,7 @@
|
||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.13.1
|
Version: 3.13.1
|
||||||
Release: 36%{?dist}
|
Release: 37%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
|
@ -580,6 +580,26 @@ SELinux Reference policy mls base module.
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Mar 17 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-37
|
||||||
|
- Allow collectd to talk to libvirt
|
||||||
|
- Allow chrome_sandbox to use leaked unix_stream_sockets
|
||||||
|
- Dontaudit leaks of sockets into chrome_sandbox_t
|
||||||
|
- If you create a cups directory in /var/cache then it should be labeled cups_rw_etc_t
|
||||||
|
- Run vmtools as unconfined domains
|
||||||
|
- Allow snort to manage its log files
|
||||||
|
- Allow systemd_cronjob_t to be entered via bin_t
|
||||||
|
- Allow procman to list doveconf_etc_t
|
||||||
|
- allow keyring daemon to create content in tmpfs directories
|
||||||
|
- Add proper labelling for icedtea-web
|
||||||
|
- vpnc is creating content in networkmanager var run directory
|
||||||
|
- unconfined_service should be allowed to transition to rpm_script_t
|
||||||
|
- Allow couchdb to listen on port 6984
|
||||||
|
- Dontaudit attempts by unpriv user domain to write to /run/mount directory, caused by running mount command
|
||||||
|
- Allow systemd-logind to setup user tmpfs directories
|
||||||
|
- Add additional fixes for systemd_networkd_t
|
||||||
|
- Allow systemd-logind to manage user_tmpfs_t
|
||||||
|
- Allow systemd-logind to mount /run/user/1000 to get gdm working
|
||||||
|
|
||||||
* Fri Mar 14 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-36
|
* Fri Mar 14 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-36
|
||||||
- Add additional fixes for systemd_networkd_t
|
- Add additional fixes for systemd_networkd_t
|
||||||
- Allow systemd-logind to manage user_tmpfs_t
|
- Allow systemd-logind to manage user_tmpfs_t
|
||||||
|
|