- Fix /dev/vfio/vfio labeling
parent
fc059db54d
commit
6383860028
@ -5832,7 +5832,7 @@ index 3f6e168..51ad69a 100644
')
')
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index b31c054..5d200ef 100644
index b31c054..341e29c 100644
--- a/policy/modules/kernel/devices.fc
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -15,15 +15,18 @@
@@ -15,15 +15,18 @@
@ -5880,7 +5880,7 @@ index b31c054..5d200ef 100644
')
')
+/dev/vchiq -c gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/vchiq -c gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/vc-mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/vc-mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/vfio/(vfio)?[0-9]+ -c gen_context(system_u:object_r:vfio_device_t,s0)
+/dev/vfio/(vfio)?[0-9]* -c gen_context(system_u:object_r:vfio_device_t,s0)
/dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0)
/dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0)
/dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
@ -14921,7 +14921,7 @@ index 7be4ddf..d5ef507 100644
+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)
+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)
+/sys/kernel/uevent_helper -- gen_context(system_u:object_r:usermodehelper_t,s0)
+/sys/kernel/uevent_helper -- gen_context(system_u:object_r:usermodehelper_t,s0)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index e100d88..ee4c057 100644
index e100d88..1c1a61c 100644
--- a/policy/modules/kernel/kernel.if
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
@@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
@ -15035,12 +15035,11 @@ index e100d88..ee4c057 100644
## Do not audit attempts by caller to
## Do not audit attempts by caller to
## read system state information in proc.
## read system state information in proc.
## </summary>
## </summary>
@@ -1208,6 +1260,25 @@ interface(`kernel_read_messages',`
@@ -1208,6 +1260,24 @@ interface(`kernel_read_messages',`
########################################
########################################
## <summary>
## <summary>
+## Allow caller to read kernel messages
+## Allow caller to mounton the kernel messages file
+## using the /proc/kmsg interface.
+## </summary>
+## </summary>
+## <param name="domain">
+## <param name="domain">
+## <summary>
+## <summary>
@ -15050,10 +15049,10 @@ index e100d88..ee4c057 100644
+#
+#
+interface(`kernel_mounton_messages',`
+interface(`kernel_mounton_messages',`
+ gen_require(`
+ gen_require(`
+ type proc_kmsg_t, proc_t;
+ type proc_kmsg_t;
+ ')
+ ')
+
+
+ allow $1 proc_kmsg_t:dir mounton;
+ allow $1 proc_kmsg_t:file mounton;
+')
+')
+
+
+########################################
+########################################
@ -15061,7 +15060,7 @@ index e100d88..ee4c057 100644
## Allow caller to get the attributes of kernel message
## Allow caller to get the attributes of kernel message
## interface (/proc/kmsg).
## interface (/proc/kmsg).
## </summary>
## </summary>
@@ -1477,6 +1548,24 @@ interface(`kernel_dontaudit_list_all_proc',`
@@ -1477,6 +1547,24 @@ interface(`kernel_dontaudit_list_all_proc',`
########################################
########################################
## <summary>
## <summary>
@ -15086,7 +15085,7 @@ index e100d88..ee4c057 100644
## Do not audit attempts by caller to search
## Do not audit attempts by caller to search
## the base directory of sysctls.
## the base directory of sysctls.
## </summary>
## </summary>
@@ -1750,16 +1839,9 @@ interface(`kernel_rw_unix_sysctls',`
@@ -1750,16 +1838,9 @@ interface(`kernel_rw_unix_sysctls',`
## Domain allowed access.
## Domain allowed access.
## </summary>
## </summary>
## </param>
## </param>
@ -15104,7 +15103,7 @@ index e100d88..ee4c057 100644
')
')
########################################
########################################
@@ -1771,16 +1853,9 @@ interface(`kernel_read_hotplug_sysctls',`
@@ -1771,16 +1852,9 @@ interface(`kernel_read_hotplug_sysctls',`
## Domain allowed access.
## Domain allowed access.
## </summary>
## </summary>
## </param>
## </param>
@ -15122,7 +15121,7 @@ index e100d88..ee4c057 100644
')
')
########################################
########################################
@@ -1792,16 +1867,9 @@ interface(`kernel_rw_hotplug_sysctls',`
@@ -1792,16 +1866,9 @@ interface(`kernel_rw_hotplug_sysctls',`
## Domain allowed access.
## Domain allowed access.
## </summary>
## </summary>
## </param>
## </param>
@ -15140,7 +15139,7 @@ index e100d88..ee4c057 100644
')
')
########################################
########################################
@@ -1813,16 +1881,9 @@ interface(`kernel_read_modprobe_sysctls',`
@@ -1813,16 +1880,9 @@ interface(`kernel_read_modprobe_sysctls',`
## Domain allowed access.
## Domain allowed access.
## </summary>
## </summary>
## </param>
## </param>
@ -15158,7 +15157,7 @@ index e100d88..ee4c057 100644
')
')
########################################
########################################
@@ -2085,7 +2146,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
@@ -2085,7 +2145,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
')
')
dontaudit $1 sysctl_type:dir list_dir_perms;
dontaudit $1 sysctl_type:dir list_dir_perms;
@ -15167,7 +15166,7 @@ index e100d88..ee4c057 100644
')
')
########################################
########################################
@@ -2282,6 +2343,25 @@ interface(`kernel_list_unlabeled',`
@@ -2282,6 +2342,25 @@ interface(`kernel_list_unlabeled',`
########################################
########################################
## <summary>
## <summary>
@ -15193,7 +15192,7 @@ index e100d88..ee4c057 100644
## Read the process state (/proc/pid) of all unlabeled_t.
## Read the process state (/proc/pid) of all unlabeled_t.
## </summary>
## </summary>
## <param name="domain">
## <param name="domain">
@@ -2306,7 +2386,7 @@ interface(`kernel_read_unlabeled_state',`
@@ -2306,7 +2385,7 @@ interface(`kernel_read_unlabeled_state',`
## </summary>
## </summary>
## <param name="domain">
## <param name="domain">
## <summary>
## <summary>
@ -15202,7 +15201,7 @@ index e100d88..ee4c057 100644
## </summary>
## </summary>
## </param>
## </param>
#
#
@@ -2488,6 +2568,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
@@ -2488,6 +2567,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
########################################
########################################
## <summary>
## <summary>
@ -15227,7 +15226,7 @@ index e100d88..ee4c057 100644
## Do not audit attempts by caller to get attributes for
## Do not audit attempts by caller to get attributes for
## unlabeled character devices.
## unlabeled character devices.
## </summary>
## </summary>
@@ -2525,6 +2623,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
@@ -2525,6 +2622,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
########################################
########################################
## <summary>
## <summary>
@ -15252,7 +15251,7 @@ index e100d88..ee4c057 100644
## Allow caller to relabel unlabeled files.
## Allow caller to relabel unlabeled files.
## </summary>
## </summary>
## <param name="domain">
## <param name="domain">
@@ -2667,6 +2783,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
@@ -2667,6 +2782,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
########################################
########################################
## <summary>
## <summary>
@ -15277,7 +15276,7 @@ index e100d88..ee4c057 100644
## Receive TCP packets from an unlabeled connection.
## Receive TCP packets from an unlabeled connection.
## </summary>
## </summary>
## <desc>
## <desc>
@@ -2694,6 +2828,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
@@ -2694,6 +2827,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
########################################
########################################
## <summary>
## <summary>
@ -15303,7 +15302,7 @@ index e100d88..ee4c057 100644
## Do not audit attempts to receive TCP packets from an unlabeled
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
## connection.
## </summary>
## </summary>
@@ -2803,6 +2956,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
@@ -2803,6 +2955,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
allow $1 unlabeled_t:rawip_socket recvfrom;
allow $1 unlabeled_t:rawip_socket recvfrom;
')
')
@ -15337,7 +15336,7 @@ index e100d88..ee4c057 100644
########################################
########################################
## <summary>
## <summary>
@@ -2958,6 +3138,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
@@ -2958,6 +3137,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
########################################
## <summary>
## <summary>
@ -15362,7 +15361,7 @@ index e100d88..ee4c057 100644
## Unconfined access to kernel module resources.
## Unconfined access to kernel module resources.
## </summary>
## </summary>
## <param name="domain">
## <param name="domain">
@@ -2972,5 +3170,565 @@ interface(`kernel_unconfined',`
@@ -2972,5 +3169,565 @@ interface(`kernel_unconfined',`
')
')
typeattribute $1 kern_unconfined;
typeattribute $1 kern_unconfined;
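Review bot: The new pattern `/dev/vfio/(vfio)?[0-9]*` in the devices.fc hunk is looser than the two node shapes it is meant to label: because both the optional `vfio` group and the digit run may be empty, it also matches a basename such as `vfio12` and an empty basename, whereas the old `[0-9]+` form simply never matched the container node `/dev/vfio/vfio`. `/dev/vfio/(vfio|[0-9]+) -c gen_context(system_u:object_r:vfio_device_t,s0)` labels exactly the container node and the numbered group nodes and states the intent directly. Since the entry is restricted to character devices by `-c` and file_contexts patterns are, as far as I recall, anchored at both ends, the looser spelling is unlikely to mislabel anything in practice, so this is a precision point rather than a defect. Separately, the kernel.if hunks in this section narrow `kernel_mounton_messages()` from `proc_kmsg_t:dir mounton` to `proc_kmsg_t:file mounton` and drop the unused `proc_t` from its gen_require, which matches the interface's own description of /proc/kmsg as a file, but neither the commit title nor the new changelog entry records that change; a second changelog line naming it would help anyone bisecting the policy later.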
@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Summary: SELinux policy configuration
Name: selinux-policy
Name: selinux-policy
Version: 3.13.1
Version: 3.13.1
Release: 21%{?dist}
Release: 22%{?dist}
License: GPLv2+
License: GPLv2+
Group: System Environment/Base
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
Source: serefpolicy-%{version}.tgz
@ -578,6 +578,9 @@ SELinux Reference policy mls base module.
%endif
%endif
%changelog
%changelog
* Wed Feb 5 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-22
- Fix /dev/vfio/vfio labeling
* Wed Feb 5 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-21
* Wed Feb 5 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-21
- Add kernel_mounton_messages() interface
- Add kernel_mounton_messages() interface
- init wants to manage lock files for iscsi
- init wants to manage lock files for iscsi