- Allow systemd-networkd to be running as dhcp client.
- Label /usr/bin/cockpit-bridge as shell_exec_t. - Add label for /var/run/systemd/resolve/resolv.conf. - Allow listen and accept on tcp socket for init_t in MLS. Previously it was for xinetd_t. - Allow systemd-networkd to be running as dhcp client. - Label /usr/bin/cockpit-bridge as shell_exec_t. - Add label for /var/run/systemd/resolve/resolv.conf. - Allow listen and accept on tcp socket for init_t in MLS. Previously it was for xinetd_t.
This commit is contained in:
		
							parent
							
								
									8db354a9b7
								
							
						
					
					
						commit
						650be6afbf
					
				
							
								
								
									
										12
									
								
								policy-rawhide-base-cockpit.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
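--- /dev/null
+++ b/policy-rawhide-base-cockpit.patch
@@ -0,0 +1,12 @@
+diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
+index 9a8ff3e..593281c 100644
+--- a/policy/modules/kernel/corecommands.fc
++++ b/policy/modules/kernel/corecommands.fc
+@@ -308,7 +308,6 @@ ifdef(`distro_gentoo',`
+ /usr/libexec(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+ 
+ /usr/libexec/git-core/git-shell	--	gen_context(system_u:object_r:shell_exec_t,s0)
+-/usr/libexec/cockpit-agent      --  gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/cockpit-bridge         -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/libexec/sesh		        --	gen_context(system_u:object_r:shell_exec_t,s0)
+ 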
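Review bot: The only change this new patch file carries is the deletion of the `/usr/libexec/cockpit-agent` shell_exec_t entry, and the commit message does not mention it — it records only the added cockpit-bridge label. Once that entry is gone, cockpit-agent falls under the generic `/usr/libexec(/.*)?` rule two lines above and is labelled bin_t instead, which presumably changes which domains may execute it and what they transition to, so it deserves a line in the message such as `- Drop shell_exec_t label for /usr/libexec/cockpit-agent (now falls back to bin_t)`. The same cockpit-agent line is still being added by the inline edit to the base patch further down this page, so the two patches cancel each other out; removing the line from the base patch rather than layering a second patch on top would avoid carrying both.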
| @ -2397,10 +2397,10 @@ index 0960199..aa51ab2 100644 | |||||||
| +	can_exec($1, sudo_exec_t)
 | +	can_exec($1, sudo_exec_t)
 | ||||||
| +')
 | +')
 | ||||||
| diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
 | diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
 | ||||||
| index d9fce57..612503a 100644
 | index d9fce57..5c4a213 100644
 | ||||||
| --- a/policy/modules/admin/sudo.te
 | --- a/policy/modules/admin/sudo.te
 | ||||||
| +++ b/policy/modules/admin/sudo.te
 | +++ b/policy/modules/admin/sudo.te
 | ||||||
| @@ -7,3 +7,105 @@ attribute sudodomain;
 | @@ -7,3 +7,110 @@ attribute sudodomain;
 | ||||||
|   |   | ||||||
|  type sudo_exec_t; |  type sudo_exec_t; | ||||||
|  application_executable_file(sudo_exec_t) |  application_executable_file(sudo_exec_t) | ||||||
| @ -2419,6 +2419,7 @@ index d9fce57..612503a 100644 | |||||||
| +
 | +
 | ||||||
| +# Use capabilities.
 | +# Use capabilities.
 | ||||||
| +allow sudodomain self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource };
 | +allow sudodomain self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource };
 | ||||||
|  | +dontaudit sudodomain self:capability net_admin;
 | ||||||
| +allow sudodomain self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 | +allow sudodomain self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 | ||||||
| +allow sudodomain self:process { setexec setrlimit };
 | +allow sudodomain self:process { setexec setrlimit };
 | ||||||
| +allow sudodomain self:fd use;
 | +allow sudodomain self:fd use;
 | ||||||
| @ -2501,6 +2502,10 @@ index d9fce57..612503a 100644 | |||||||
| +
 | +
 | ||||||
| +optional_policy(`
 | +optional_policy(`
 | ||||||
| +	dbus_system_bus_client(sudodomain)
 | +	dbus_system_bus_client(sudodomain)
 | ||||||
|  | +
 | ||||||
|  | +	optional_policy(`
 | ||||||
|  | +		systemd_dbus_chat_logind(sudodomain)
 | ||||||
|  | +	')
 | ||||||
| +')
 | +')
 | ||||||
| +
 | +
 | ||||||
| +optional_policy(`
 | +optional_policy(`
 | ||||||
| @ -3274,7 +3279,7 @@ index 7590165..85186a9 100644 | |||||||
| +	fs_mounton_fusefs(seunshare_domain)
 | +	fs_mounton_fusefs(seunshare_domain)
 | ||||||
|  ') |  ') | ||||||
| diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
 | diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
 | ||||||
| index 33e0f8d..885da9a 100644
 | index 33e0f8d..9a8ff3e 100644
 | ||||||
| --- a/policy/modules/kernel/corecommands.fc
 | --- a/policy/modules/kernel/corecommands.fc
 | ||||||
| +++ b/policy/modules/kernel/corecommands.fc
 | +++ b/policy/modules/kernel/corecommands.fc
 | ||||||
| @@ -1,9 +1,10 @@
 | @@ -1,9 +1,10 @@
 | ||||||
| @ -3478,7 +3483,7 @@ index 33e0f8d..885da9a 100644 | |||||||
|  /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0) |  /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0) | ||||||
|  /usr/lib/xfce4/exo-1/exo-helper-1 --	gen_context(system_u:object_r:bin_t,s0) |  /usr/lib/xfce4/exo-1/exo-helper-1 --	gen_context(system_u:object_r:bin_t,s0) | ||||||
|  /usr/lib/xfce4/panel/migrate	--	gen_context(system_u:object_r:bin_t,s0) |  /usr/lib/xfce4/panel/migrate	--	gen_context(system_u:object_r:bin_t,s0) | ||||||
| @@ -245,26 +291,39 @@ ifdef(`distro_gentoo',`
 | @@ -245,26 +291,40 @@ ifdef(`distro_gentoo',`
 | ||||||
|  /usr/lib/debug/sbin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0) |  /usr/lib/debug/sbin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0) | ||||||
|  /usr/lib/debug/usr/bin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0) |  /usr/lib/debug/usr/bin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0) | ||||||
|  /usr/lib/debug/usr/sbin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0) |  /usr/lib/debug/usr/sbin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0) | ||||||
| @ -3502,6 +3507,7 @@ index 33e0f8d..885da9a 100644 | |||||||
|  /usr/libexec/git-core/git-shell	--	gen_context(system_u:object_r:shell_exec_t,s0) |  /usr/libexec/git-core/git-shell	--	gen_context(system_u:object_r:shell_exec_t,s0) | ||||||
| -/usr/libexec/sesh		--	gen_context(system_u:object_r:shell_exec_t,s0)
 | -/usr/libexec/sesh		--	gen_context(system_u:object_r:shell_exec_t,s0)
 | ||||||
| +/usr/libexec/cockpit-agent      --  gen_context(system_u:object_r:shell_exec_t,s0)
 | +/usr/libexec/cockpit-agent      --  gen_context(system_u:object_r:shell_exec_t,s0)
 | ||||||
|  | +/usr/bin/cockpit-bridge         -- gen_context(system_u:object_r:shell_exec_t,s0)
 | ||||||
| +/usr/libexec/sesh		        --	gen_context(system_u:object_r:shell_exec_t,s0)
 | +/usr/libexec/sesh		        --	gen_context(system_u:object_r:shell_exec_t,s0)
 | ||||||
|   |   | ||||||
|  /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0) |  /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0) | ||||||
| @ -3523,7 +3529,7 @@ index 33e0f8d..885da9a 100644 | |||||||
|  /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0) |  /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0) | ||||||
|  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0) |  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0) | ||||||
|  /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0) |  /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0) | ||||||
| @@ -280,10 +339,15 @@ ifdef(`distro_gentoo',`
 | @@ -280,10 +340,15 @@ ifdef(`distro_gentoo',`
 | ||||||
|  /usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0) |  /usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0) | ||||||
|  /usr/share/cluster/ocf-shellfuncs --	gen_context(system_u:object_r:bin_t,s0) |  /usr/share/cluster/ocf-shellfuncs --	gen_context(system_u:object_r:bin_t,s0) | ||||||
|  /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0) |  /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0) | ||||||
| @ -3539,7 +3545,7 @@ index 33e0f8d..885da9a 100644 | |||||||
|  /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) |  /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) | ||||||
|  /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) |  /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) | ||||||
|  /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) |  /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) | ||||||
| @@ -298,16 +362,22 @@ ifdef(`distro_gentoo',`
 | @@ -298,16 +363,22 @@ ifdef(`distro_gentoo',`
 | ||||||
|  /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) |  /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) | ||||||
|  /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0) |  /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0) | ||||||
|  /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0) |  /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0) | ||||||
| @ -3564,7 +3570,7 @@ index 33e0f8d..885da9a 100644 | |||||||
|   |   | ||||||
|  ifdef(`distro_debian',` |  ifdef(`distro_debian',` | ||||||
|  /usr/lib/ConsoleKit/.*		--	gen_context(system_u:object_r:bin_t,s0) |  /usr/lib/ConsoleKit/.*		--	gen_context(system_u:object_r:bin_t,s0) | ||||||
| @@ -325,20 +395,27 @@ ifdef(`distro_redhat', `
 | @@ -325,20 +396,27 @@ ifdef(`distro_redhat', `
 | ||||||
|  /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0) |  /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0) | ||||||
|  /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0) |  /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0) | ||||||
|   |   | ||||||
| @ -3593,7 +3599,7 @@ index 33e0f8d..885da9a 100644 | |||||||
|  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0) |  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0) | ||||||
|  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0) |  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0) | ||||||
|  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) |  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) | ||||||
| @@ -346,6 +423,7 @@ ifdef(`distro_redhat', `
 | @@ -346,6 +424,7 @@ ifdef(`distro_redhat', `
 | ||||||
|  /usr/share/ssl/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0) |  /usr/share/ssl/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0) | ||||||
|  /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0) |  /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0) | ||||||
|  /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0) |  /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0) | ||||||
| @ -3601,7 +3607,7 @@ index 33e0f8d..885da9a 100644 | |||||||
|  /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0) |  /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0) | ||||||
|  /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) |  /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) | ||||||
|  /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) |  /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) | ||||||
| @@ -387,11 +465,16 @@ ifdef(`distro_suse', `
 | @@ -387,11 +466,16 @@ ifdef(`distro_suse', `
 | ||||||
|  # |  # | ||||||
|  # /var |  # /var | ||||||
|  # |  # | ||||||
| @ -3619,7 +3625,7 @@ index 33e0f8d..885da9a 100644 | |||||||
|  /usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0) |  /usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0) | ||||||
|   |   | ||||||
|  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0) |  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0) | ||||||
| @@ -401,3 +484,12 @@ ifdef(`distro_suse', `
 | @@ -401,3 +485,12 @@ ifdef(`distro_suse', `
 | ||||||
|  ifdef(`distro_suse',` |  ifdef(`distro_suse',` | ||||||
|  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0) |  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0) | ||||||
|  ') |  ') | ||||||
| @ -30738,7 +30744,7 @@ index 79a45f6..f142c45 100644 | |||||||
| +	init_pid_filetrans($1, systemd_unit_file_t, dir, "system")
 | +	init_pid_filetrans($1, systemd_unit_file_t, dir, "system")
 | ||||||
| +')
 | +')
 | ||||||
| diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
 | diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
 | ||||||
| index 17eda24..dd417eb 100644
 | index 17eda24..d4113cc 100644
 | ||||||
| --- a/policy/modules/system/init.te
 | --- a/policy/modules/system/init.te
 | ||||||
| +++ b/policy/modules/system/init.te
 | +++ b/policy/modules/system/init.te
 | ||||||
| @@ -11,10 +11,31 @@ gen_require(`
 | @@ -11,10 +11,31 @@ gen_require(`
 | ||||||
| @ -30848,18 +30854,19 @@ index 17eda24..dd417eb 100644 | |||||||
|   |   | ||||||
|  type initrc_devpts_t; |  type initrc_devpts_t; | ||||||
|  term_pty(initrc_devpts_t) |  term_pty(initrc_devpts_t) | ||||||
| @@ -98,7 +145,9 @@ ifdef(`enable_mls',`
 | @@ -98,7 +145,10 @@ ifdef(`enable_mls',`
 | ||||||
|  # |  # | ||||||
|   |   | ||||||
|  # Use capabilities. old rule: |  # Use capabilities. old rule: | ||||||
| -allow init_t self:capability ~sys_module;
 | -allow init_t self:capability ~sys_module;
 | ||||||
| +allow init_t self:capability ~{ audit_control audit_write sys_module };
 | +allow init_t self:capability ~{ audit_control audit_write sys_module };
 | ||||||
| +allow init_t self:capability2 ~{ mac_admin mac_override };
 | +allow init_t self:capability2 ~{ mac_admin mac_override };
 | ||||||
|  | +allow init_t self:tcp_socket { listen accept };
 | ||||||
| +allow init_t self:key manage_key_perms;
 | +allow init_t self:key manage_key_perms;
 | ||||||
|  # is ~sys_module really needed? observed: |  # is ~sys_module really needed? observed: | ||||||
|  # sys_boot |  # sys_boot | ||||||
|  # sys_tty_config |  # sys_tty_config | ||||||
| @@ -108,14 +157,43 @@ allow init_t self:capability ~sys_module;
 | @@ -108,14 +158,43 @@ allow init_t self:capability ~sys_module;
 | ||||||
|   |   | ||||||
|  allow init_t self:fifo_file rw_fifo_file_perms; |  allow init_t self:fifo_file rw_fifo_file_perms; | ||||||
|   |   | ||||||
| @ -30909,7 +30916,7 @@ index 17eda24..dd417eb 100644 | |||||||
|   |   | ||||||
|  allow init_t initctl_t:fifo_file manage_fifo_file_perms; |  allow init_t initctl_t:fifo_file manage_fifo_file_perms; | ||||||
|  dev_filetrans(init_t, initctl_t, fifo_file) |  dev_filetrans(init_t, initctl_t, fifo_file) | ||||||
| @@ -125,13 +203,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
 | @@ -125,13 +204,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
 | ||||||
|   |   | ||||||
|  kernel_read_system_state(init_t) |  kernel_read_system_state(init_t) | ||||||
|  kernel_share_state(init_t) |  kernel_share_state(init_t) | ||||||
| @ -30934,7 +30941,7 @@ index 17eda24..dd417eb 100644 | |||||||
|   |   | ||||||
|  domain_getpgid_all_domains(init_t) |  domain_getpgid_all_domains(init_t) | ||||||
|  domain_kill_all_domains(init_t) |  domain_kill_all_domains(init_t) | ||||||
| @@ -139,14 +227,22 @@ domain_signal_all_domains(init_t)
 | @@ -139,14 +228,22 @@ domain_signal_all_domains(init_t)
 | ||||||
|  domain_signull_all_domains(init_t) |  domain_signull_all_domains(init_t) | ||||||
|  domain_sigstop_all_domains(init_t) |  domain_sigstop_all_domains(init_t) | ||||||
|  domain_sigchld_all_domains(init_t) |  domain_sigchld_all_domains(init_t) | ||||||
| @ -30958,7 +30965,7 @@ index 17eda24..dd417eb 100644 | |||||||
|  # file descriptors inherited from the rootfs: |  # file descriptors inherited from the rootfs: | ||||||
|  files_dontaudit_rw_root_files(init_t) |  files_dontaudit_rw_root_files(init_t) | ||||||
|  files_dontaudit_rw_root_chr_files(init_t) |  files_dontaudit_rw_root_chr_files(init_t) | ||||||
| @@ -156,28 +252,53 @@ fs_list_inotifyfs(init_t)
 | @@ -156,28 +253,53 @@ fs_list_inotifyfs(init_t)
 | ||||||
|  fs_write_ramfs_sockets(init_t) |  fs_write_ramfs_sockets(init_t) | ||||||
|   |   | ||||||
|  mcs_process_set_categories(init_t) |  mcs_process_set_categories(init_t) | ||||||
| @ -31016,7 +31023,7 @@ index 17eda24..dd417eb 100644 | |||||||
|   |   | ||||||
|  ifdef(`distro_gentoo',` |  ifdef(`distro_gentoo',` | ||||||
|  	allow init_t self:process { getcap setcap }; |  	allow init_t self:process { getcap setcap }; | ||||||
| @@ -186,29 +307,241 @@ ifdef(`distro_gentoo',`
 | @@ -186,29 +308,241 @@ ifdef(`distro_gentoo',`
 | ||||||
|  ') |  ') | ||||||
|   |   | ||||||
|  ifdef(`distro_redhat',` |  ifdef(`distro_redhat',` | ||||||
| @ -31267,7 +31274,7 @@ index 17eda24..dd417eb 100644 | |||||||
|  ') |  ') | ||||||
|   |   | ||||||
|  optional_policy(` |  optional_policy(` | ||||||
| @@ -216,7 +549,31 @@ optional_policy(`
 | @@ -216,7 +550,31 @@ optional_policy(`
 | ||||||
|  ') |  ') | ||||||
|   |   | ||||||
|  optional_policy(` |  optional_policy(` | ||||||
| @ -31299,7 +31306,7 @@ index 17eda24..dd417eb 100644 | |||||||
|  ') |  ') | ||||||
|   |   | ||||||
|  ######################################## |  ######################################## | ||||||
| @@ -225,9 +582,9 @@ optional_policy(`
 | @@ -225,9 +583,9 @@ optional_policy(`
 | ||||||
|  # |  # | ||||||
|   |   | ||||||
|  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; |  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; | ||||||
| @ -31311,7 +31318,7 @@ index 17eda24..dd417eb 100644 | |||||||
|  allow initrc_t self:passwd rootok; |  allow initrc_t self:passwd rootok; | ||||||
|  allow initrc_t self:key manage_key_perms; |  allow initrc_t self:key manage_key_perms; | ||||||
|   |   | ||||||
| @@ -258,12 +615,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 | @@ -258,12 +616,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 | ||||||
|   |   | ||||||
|  allow initrc_t initrc_var_run_t:file manage_file_perms; |  allow initrc_t initrc_var_run_t:file manage_file_perms; | ||||||
|  files_pid_filetrans(initrc_t, initrc_var_run_t, file) |  files_pid_filetrans(initrc_t, initrc_var_run_t, file) | ||||||
| @ -31328,7 +31335,7 @@ index 17eda24..dd417eb 100644 | |||||||
|   |   | ||||||
|  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) |  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) | ||||||
|  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) |  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) | ||||||
| @@ -279,23 +640,36 @@ kernel_change_ring_buffer_level(initrc_t)
 | @@ -279,23 +641,36 @@ kernel_change_ring_buffer_level(initrc_t)
 | ||||||
|  kernel_clear_ring_buffer(initrc_t) |  kernel_clear_ring_buffer(initrc_t) | ||||||
|  kernel_get_sysvipc_info(initrc_t) |  kernel_get_sysvipc_info(initrc_t) | ||||||
|  kernel_read_all_sysctls(initrc_t) |  kernel_read_all_sysctls(initrc_t) | ||||||
| @ -31371,7 +31378,7 @@ index 17eda24..dd417eb 100644 | |||||||
|  corenet_tcp_sendrecv_all_ports(initrc_t) |  corenet_tcp_sendrecv_all_ports(initrc_t) | ||||||
|  corenet_udp_sendrecv_all_ports(initrc_t) |  corenet_udp_sendrecv_all_ports(initrc_t) | ||||||
|  corenet_tcp_connect_all_ports(initrc_t) |  corenet_tcp_connect_all_ports(initrc_t) | ||||||
| @@ -303,9 +677,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
 | @@ -303,9 +678,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
 | ||||||
|   |   | ||||||
|  dev_read_rand(initrc_t) |  dev_read_rand(initrc_t) | ||||||
|  dev_read_urand(initrc_t) |  dev_read_urand(initrc_t) | ||||||
| @ -31383,7 +31390,7 @@ index 17eda24..dd417eb 100644 | |||||||
|  dev_rw_sysfs(initrc_t) |  dev_rw_sysfs(initrc_t) | ||||||
|  dev_list_usbfs(initrc_t) |  dev_list_usbfs(initrc_t) | ||||||
|  dev_read_framebuffer(initrc_t) |  dev_read_framebuffer(initrc_t) | ||||||
| @@ -313,8 +689,10 @@ dev_write_framebuffer(initrc_t)
 | @@ -313,8 +690,10 @@ dev_write_framebuffer(initrc_t)
 | ||||||
|  dev_read_realtime_clock(initrc_t) |  dev_read_realtime_clock(initrc_t) | ||||||
|  dev_read_sound_mixer(initrc_t) |  dev_read_sound_mixer(initrc_t) | ||||||
|  dev_write_sound_mixer(initrc_t) |  dev_write_sound_mixer(initrc_t) | ||||||
| @ -31394,7 +31401,7 @@ index 17eda24..dd417eb 100644 | |||||||
|  dev_delete_lvm_control_dev(initrc_t) |  dev_delete_lvm_control_dev(initrc_t) | ||||||
|  dev_manage_generic_symlinks(initrc_t) |  dev_manage_generic_symlinks(initrc_t) | ||||||
|  dev_manage_generic_files(initrc_t) |  dev_manage_generic_files(initrc_t) | ||||||
| @@ -322,8 +700,7 @@ dev_manage_generic_files(initrc_t)
 | @@ -322,8 +701,7 @@ dev_manage_generic_files(initrc_t)
 | ||||||
|  dev_delete_generic_symlinks(initrc_t) |  dev_delete_generic_symlinks(initrc_t) | ||||||
|  dev_getattr_all_blk_files(initrc_t) |  dev_getattr_all_blk_files(initrc_t) | ||||||
|  dev_getattr_all_chr_files(initrc_t) |  dev_getattr_all_chr_files(initrc_t) | ||||||
| @ -31404,7 +31411,7 @@ index 17eda24..dd417eb 100644 | |||||||
|   |   | ||||||
|  domain_kill_all_domains(initrc_t) |  domain_kill_all_domains(initrc_t) | ||||||
|  domain_signal_all_domains(initrc_t) |  domain_signal_all_domains(initrc_t) | ||||||
| @@ -332,7 +709,6 @@ domain_sigstop_all_domains(initrc_t)
 | @@ -332,7 +710,6 @@ domain_sigstop_all_domains(initrc_t)
 | ||||||
|  domain_sigchld_all_domains(initrc_t) |  domain_sigchld_all_domains(initrc_t) | ||||||
|  domain_read_all_domains_state(initrc_t) |  domain_read_all_domains_state(initrc_t) | ||||||
|  domain_getattr_all_domains(initrc_t) |  domain_getattr_all_domains(initrc_t) | ||||||
| @ -31412,7 +31419,7 @@ index 17eda24..dd417eb 100644 | |||||||
|  domain_getsession_all_domains(initrc_t) |  domain_getsession_all_domains(initrc_t) | ||||||
|  domain_use_interactive_fds(initrc_t) |  domain_use_interactive_fds(initrc_t) | ||||||
|  # for lsof which is used by alsa shutdown: |  # for lsof which is used by alsa shutdown: | ||||||
| @@ -340,6 +716,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
 | @@ -340,6 +717,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
 | ||||||
|  domain_dontaudit_getattr_all_tcp_sockets(initrc_t) |  domain_dontaudit_getattr_all_tcp_sockets(initrc_t) | ||||||
|  domain_dontaudit_getattr_all_dgram_sockets(initrc_t) |  domain_dontaudit_getattr_all_dgram_sockets(initrc_t) | ||||||
|  domain_dontaudit_getattr_all_pipes(initrc_t) |  domain_dontaudit_getattr_all_pipes(initrc_t) | ||||||
| @ -31420,7 +31427,7 @@ index 17eda24..dd417eb 100644 | |||||||
|   |   | ||||||
|  files_getattr_all_dirs(initrc_t) |  files_getattr_all_dirs(initrc_t) | ||||||
|  files_getattr_all_files(initrc_t) |  files_getattr_all_files(initrc_t) | ||||||
| @@ -347,14 +724,15 @@ files_getattr_all_symlinks(initrc_t)
 | @@ -347,14 +725,15 @@ files_getattr_all_symlinks(initrc_t)
 | ||||||
|  files_getattr_all_pipes(initrc_t) |  files_getattr_all_pipes(initrc_t) | ||||||
|  files_getattr_all_sockets(initrc_t) |  files_getattr_all_sockets(initrc_t) | ||||||
|  files_purge_tmp(initrc_t) |  files_purge_tmp(initrc_t) | ||||||
| @ -31438,7 +31445,7 @@ index 17eda24..dd417eb 100644 | |||||||
|  files_read_usr_files(initrc_t) |  files_read_usr_files(initrc_t) | ||||||
|  files_manage_urandom_seed(initrc_t) |  files_manage_urandom_seed(initrc_t) | ||||||
|  files_manage_generic_spool(initrc_t) |  files_manage_generic_spool(initrc_t) | ||||||
| @@ -364,8 +742,12 @@ files_list_isid_type_dirs(initrc_t)
 | @@ -364,8 +743,12 @@ files_list_isid_type_dirs(initrc_t)
 | ||||||
|  files_mounton_isid_type_dirs(initrc_t) |  files_mounton_isid_type_dirs(initrc_t) | ||||||
|  files_list_default(initrc_t) |  files_list_default(initrc_t) | ||||||
|  files_mounton_default(initrc_t) |  files_mounton_default(initrc_t) | ||||||
| @ -31452,7 +31459,7 @@ index 17eda24..dd417eb 100644 | |||||||
|  fs_list_inotifyfs(initrc_t) |  fs_list_inotifyfs(initrc_t) | ||||||
|  fs_register_binary_executable_type(initrc_t) |  fs_register_binary_executable_type(initrc_t) | ||||||
|  # rhgb-console writes to ramfs |  # rhgb-console writes to ramfs | ||||||
| @@ -375,10 +757,11 @@ fs_mount_all_fs(initrc_t)
 | @@ -375,10 +758,11 @@ fs_mount_all_fs(initrc_t)
 | ||||||
|  fs_unmount_all_fs(initrc_t) |  fs_unmount_all_fs(initrc_t) | ||||||
|  fs_remount_all_fs(initrc_t) |  fs_remount_all_fs(initrc_t) | ||||||
|  fs_getattr_all_fs(initrc_t) |  fs_getattr_all_fs(initrc_t) | ||||||
| @ -31466,7 +31473,7 @@ index 17eda24..dd417eb 100644 | |||||||
|  mcs_process_set_categories(initrc_t) |  mcs_process_set_categories(initrc_t) | ||||||
|   |   | ||||||
|  mls_file_read_all_levels(initrc_t) |  mls_file_read_all_levels(initrc_t) | ||||||
| @@ -387,8 +770,10 @@ mls_process_read_up(initrc_t)
 | @@ -387,8 +771,10 @@ mls_process_read_up(initrc_t)
 | ||||||
|  mls_process_write_down(initrc_t) |  mls_process_write_down(initrc_t) | ||||||
|  mls_rangetrans_source(initrc_t) |  mls_rangetrans_source(initrc_t) | ||||||
|  mls_fd_share_all_levels(initrc_t) |  mls_fd_share_all_levels(initrc_t) | ||||||
| @ -31477,7 +31484,7 @@ index 17eda24..dd417eb 100644 | |||||||
|   |   | ||||||
|  storage_getattr_fixed_disk_dev(initrc_t) |  storage_getattr_fixed_disk_dev(initrc_t) | ||||||
|  storage_setattr_fixed_disk_dev(initrc_t) |  storage_setattr_fixed_disk_dev(initrc_t) | ||||||
| @@ -398,6 +783,7 @@ term_use_all_terms(initrc_t)
 | @@ -398,6 +784,7 @@ term_use_all_terms(initrc_t)
 | ||||||
|  term_reset_tty_labels(initrc_t) |  term_reset_tty_labels(initrc_t) | ||||||
|   |   | ||||||
|  auth_rw_login_records(initrc_t) |  auth_rw_login_records(initrc_t) | ||||||
| @ -31485,7 +31492,7 @@ index 17eda24..dd417eb 100644 | |||||||
|  auth_setattr_login_records(initrc_t) |  auth_setattr_login_records(initrc_t) | ||||||
|  auth_rw_lastlog(initrc_t) |  auth_rw_lastlog(initrc_t) | ||||||
|  auth_read_pam_pid(initrc_t) |  auth_read_pam_pid(initrc_t) | ||||||
| @@ -416,20 +802,18 @@ logging_read_all_logs(initrc_t)
 | @@ -416,20 +803,18 @@ logging_read_all_logs(initrc_t)
 | ||||||
|  logging_append_all_logs(initrc_t) |  logging_append_all_logs(initrc_t) | ||||||
|  logging_read_audit_config(initrc_t) |  logging_read_audit_config(initrc_t) | ||||||
|   |   | ||||||
| @ -31509,7 +31516,7 @@ index 17eda24..dd417eb 100644 | |||||||
|   |   | ||||||
|  ifdef(`distro_debian',` |  ifdef(`distro_debian',` | ||||||
|  	dev_setattr_generic_dirs(initrc_t) |  	dev_setattr_generic_dirs(initrc_t) | ||||||
| @@ -451,7 +835,6 @@ ifdef(`distro_gentoo',`
 | @@ -451,7 +836,6 @@ ifdef(`distro_gentoo',`
 | ||||||
|  	allow initrc_t self:process setfscreate; |  	allow initrc_t self:process setfscreate; | ||||||
|  	dev_create_null_dev(initrc_t) |  	dev_create_null_dev(initrc_t) | ||||||
|  	dev_create_zero_dev(initrc_t) |  	dev_create_zero_dev(initrc_t) | ||||||
| @ -31517,7 +31524,7 @@ index 17eda24..dd417eb 100644 | |||||||
|  	term_create_console_dev(initrc_t) |  	term_create_console_dev(initrc_t) | ||||||
|   |   | ||||||
|  	# unfortunately /sbin/rc does stupid tricks |  	# unfortunately /sbin/rc does stupid tricks | ||||||
| @@ -486,6 +869,10 @@ ifdef(`distro_gentoo',`
 | @@ -486,6 +870,10 @@ ifdef(`distro_gentoo',`
 | ||||||
|  	sysnet_setattr_config(initrc_t) |  	sysnet_setattr_config(initrc_t) | ||||||
|   |   | ||||||
|  	optional_policy(` |  	optional_policy(` | ||||||
| @ -31528,7 +31535,7 @@ index 17eda24..dd417eb 100644 | |||||||
|  		alsa_read_lib(initrc_t) |  		alsa_read_lib(initrc_t) | ||||||
|  	') |  	') | ||||||
|   |   | ||||||
| @@ -506,7 +893,7 @@ ifdef(`distro_redhat',`
 | @@ -506,7 +894,7 @@ ifdef(`distro_redhat',`
 | ||||||
|   |   | ||||||
|  	# Red Hat systems seem to have a stray |  	# Red Hat systems seem to have a stray | ||||||
|  	# fd open from the initrd |  	# fd open from the initrd | ||||||
| @ -31537,7 +31544,7 @@ index 17eda24..dd417eb 100644 | |||||||
|  	files_dontaudit_read_root_files(initrc_t) |  	files_dontaudit_read_root_files(initrc_t) | ||||||
|   |   | ||||||
|  	# These seem to be from the initrd |  	# These seem to be from the initrd | ||||||
| @@ -521,6 +908,7 @@ ifdef(`distro_redhat',`
 | @@ -521,6 +909,7 @@ ifdef(`distro_redhat',`
 | ||||||
|  	files_create_boot_dirs(initrc_t) |  	files_create_boot_dirs(initrc_t) | ||||||
|  	files_create_boot_flag(initrc_t) |  	files_create_boot_flag(initrc_t) | ||||||
|  	files_rw_boot_symlinks(initrc_t) |  	files_rw_boot_symlinks(initrc_t) | ||||||
| @ -31545,7 +31552,7 @@ index 17eda24..dd417eb 100644 | |||||||
|  	# wants to read /.fonts directory |  	# wants to read /.fonts directory | ||||||
|  	files_read_default_files(initrc_t) |  	files_read_default_files(initrc_t) | ||||||
|  	files_mountpoint(initrc_tmp_t) |  	files_mountpoint(initrc_tmp_t) | ||||||
| @@ -541,6 +929,7 @@ ifdef(`distro_redhat',`
 | @@ -541,6 +930,7 @@ ifdef(`distro_redhat',`
 | ||||||
|  	miscfiles_rw_localization(initrc_t) |  	miscfiles_rw_localization(initrc_t) | ||||||
|  	miscfiles_setattr_localization(initrc_t) |  	miscfiles_setattr_localization(initrc_t) | ||||||
|  	miscfiles_relabel_localization(initrc_t) |  	miscfiles_relabel_localization(initrc_t) | ||||||
| @ -31553,7 +31560,7 @@ index 17eda24..dd417eb 100644 | |||||||
|   |   | ||||||
|  	miscfiles_read_fonts(initrc_t) |  	miscfiles_read_fonts(initrc_t) | ||||||
|  	miscfiles_read_hwdata(initrc_t) |  	miscfiles_read_hwdata(initrc_t) | ||||||
| @@ -550,8 +939,44 @@ ifdef(`distro_redhat',`
 | @@ -550,8 +940,44 @@ ifdef(`distro_redhat',`
 | ||||||
|  	') |  	') | ||||||
|   |   | ||||||
|  	optional_policy(` |  	optional_policy(` | ||||||
| @ -31598,7 +31605,7 @@ index 17eda24..dd417eb 100644 | |||||||
|  	') |  	') | ||||||
|   |   | ||||||
|  	optional_policy(` |  	optional_policy(` | ||||||
| @@ -559,14 +984,31 @@ ifdef(`distro_redhat',`
 | @@ -559,14 +985,31 @@ ifdef(`distro_redhat',`
 | ||||||
|  		rpc_write_exports(initrc_t) |  		rpc_write_exports(initrc_t) | ||||||
|  		rpc_manage_nfs_state_data(initrc_t) |  		rpc_manage_nfs_state_data(initrc_t) | ||||||
|  	') |  	') | ||||||
| @ -31630,7 +31637,7 @@ index 17eda24..dd417eb 100644 | |||||||
|  	') |  	') | ||||||
|  ') |  ') | ||||||
|   |   | ||||||
| @@ -577,6 +1019,39 @@ ifdef(`distro_suse',`
 | @@ -577,6 +1020,39 @@ ifdef(`distro_suse',`
 | ||||||
|  	') |  	') | ||||||
|  ') |  ') | ||||||
|   |   | ||||||
| @ -31670,7 +31677,7 @@ index 17eda24..dd417eb 100644 | |||||||
|  optional_policy(` |  optional_policy(` | ||||||
|  	amavis_search_lib(initrc_t) |  	amavis_search_lib(initrc_t) | ||||||
|  	amavis_setattr_pid_files(initrc_t) |  	amavis_setattr_pid_files(initrc_t) | ||||||
| @@ -589,6 +1064,8 @@ optional_policy(`
 | @@ -589,6 +1065,8 @@ optional_policy(`
 | ||||||
|  optional_policy(` |  optional_policy(` | ||||||
|  	apache_read_config(initrc_t) |  	apache_read_config(initrc_t) | ||||||
|  	apache_list_modules(initrc_t) |  	apache_list_modules(initrc_t) | ||||||
| @ -31679,7 +31686,7 @@ index 17eda24..dd417eb 100644 | |||||||
|  ') |  ') | ||||||
|   |   | ||||||
|  optional_policy(` |  optional_policy(` | ||||||
| @@ -610,6 +1087,7 @@ optional_policy(`
 | @@ -610,6 +1088,7 @@ optional_policy(`
 | ||||||
|   |   | ||||||
|  optional_policy(` |  optional_policy(` | ||||||
|  	cgroup_stream_connect_cgred(initrc_t) |  	cgroup_stream_connect_cgred(initrc_t) | ||||||
| @ -31687,7 +31694,7 @@ index 17eda24..dd417eb 100644 | |||||||
|  ') |  ') | ||||||
|   |   | ||||||
|  optional_policy(` |  optional_policy(` | ||||||
| @@ -626,6 +1104,17 @@ optional_policy(`
 | @@ -626,6 +1105,17 @@ optional_policy(`
 | ||||||
|  ') |  ') | ||||||
|   |   | ||||||
|  optional_policy(` |  optional_policy(` | ||||||
| @ -31705,7 +31712,7 @@ index 17eda24..dd417eb 100644 | |||||||
|  	dev_getattr_printer_dev(initrc_t) |  	dev_getattr_printer_dev(initrc_t) | ||||||
|   |   | ||||||
|  	cups_read_log(initrc_t) |  	cups_read_log(initrc_t) | ||||||
| @@ -642,9 +1131,13 @@ optional_policy(`
 | @@ -642,9 +1132,13 @@ optional_policy(`
 | ||||||
|  	dbus_connect_system_bus(initrc_t) |  	dbus_connect_system_bus(initrc_t) | ||||||
|  	dbus_system_bus_client(initrc_t) |  	dbus_system_bus_client(initrc_t) | ||||||
|  	dbus_read_config(initrc_t) |  	dbus_read_config(initrc_t) | ||||||
| @ -31719,7 +31726,7 @@ index 17eda24..dd417eb 100644 | |||||||
|  	') |  	') | ||||||
|   |   | ||||||
|  	optional_policy(` |  	optional_policy(` | ||||||
| @@ -657,15 +1150,11 @@ optional_policy(`
 | @@ -657,15 +1151,11 @@ optional_policy(`
 | ||||||
|  ') |  ') | ||||||
|   |   | ||||||
|  optional_policy(` |  optional_policy(` | ||||||
| @ -31737,7 +31744,7 @@ index 17eda24..dd417eb 100644 | |||||||
|  ') |  ') | ||||||
|   |   | ||||||
|  optional_policy(` |  optional_policy(` | ||||||
| @@ -686,6 +1175,15 @@ optional_policy(`
 | @@ -686,6 +1176,15 @@ optional_policy(`
 | ||||||
|  ') |  ') | ||||||
|   |   | ||||||
|  optional_policy(` |  optional_policy(` | ||||||
| @ -31753,7 +31760,7 @@ index 17eda24..dd417eb 100644 | |||||||
|  	inn_exec_config(initrc_t) |  	inn_exec_config(initrc_t) | ||||||
|  ') |  ') | ||||||
|   |   | ||||||
| @@ -726,6 +1224,7 @@ optional_policy(`
 | @@ -726,6 +1225,7 @@ optional_policy(`
 | ||||||
|  	lpd_list_spool(initrc_t) |  	lpd_list_spool(initrc_t) | ||||||
|   |   | ||||||
|  	lpd_read_config(initrc_t) |  	lpd_read_config(initrc_t) | ||||||
| @ -31761,7 +31768,7 @@ index 17eda24..dd417eb 100644 | |||||||
|  ') |  ') | ||||||
|   |   | ||||||
|  optional_policy(` |  optional_policy(` | ||||||
| @@ -743,7 +1242,13 @@ optional_policy(`
 | @@ -743,7 +1243,13 @@ optional_policy(`
 | ||||||
|  ') |  ') | ||||||
|   |   | ||||||
|  optional_policy(` |  optional_policy(` | ||||||
| @ -31776,7 +31783,7 @@ index 17eda24..dd417eb 100644 | |||||||
|  	mta_dontaudit_read_spool_symlinks(initrc_t) |  	mta_dontaudit_read_spool_symlinks(initrc_t) | ||||||
|  ') |  ') | ||||||
|   |   | ||||||
| @@ -766,6 +1271,10 @@ optional_policy(`
 | @@ -766,6 +1272,10 @@ optional_policy(`
 | ||||||
|  ') |  ') | ||||||
|   |   | ||||||
|  optional_policy(` |  optional_policy(` | ||||||
| @ -31787,7 +31794,7 @@ index 17eda24..dd417eb 100644 | |||||||
|  	postgresql_manage_db(initrc_t) |  	postgresql_manage_db(initrc_t) | ||||||
|  	postgresql_read_config(initrc_t) |  	postgresql_read_config(initrc_t) | ||||||
|  ') |  ') | ||||||
| @@ -775,10 +1284,20 @@ optional_policy(`
 | @@ -775,10 +1285,20 @@ optional_policy(`
 | ||||||
|  ') |  ') | ||||||
|   |   | ||||||
|  optional_policy(` |  optional_policy(` | ||||||
| @ -31808,7 +31815,7 @@ index 17eda24..dd417eb 100644 | |||||||
|  	quota_manage_flags(initrc_t) |  	quota_manage_flags(initrc_t) | ||||||
|  ') |  ') | ||||||
|   |   | ||||||
| @@ -787,6 +1306,10 @@ optional_policy(`
 | @@ -787,6 +1307,10 @@ optional_policy(`
 | ||||||
|  ') |  ') | ||||||
|   |   | ||||||
|  optional_policy(` |  optional_policy(` | ||||||
| @ -31819,7 +31826,7 @@ index 17eda24..dd417eb 100644 | |||||||
|  	fs_write_ramfs_sockets(initrc_t) |  	fs_write_ramfs_sockets(initrc_t) | ||||||
|  	fs_search_ramfs(initrc_t) |  	fs_search_ramfs(initrc_t) | ||||||
|   |   | ||||||
| @@ -808,8 +1331,6 @@ optional_policy(`
 | @@ -808,8 +1332,6 @@ optional_policy(`
 | ||||||
|  	# bash tries ioctl for some reason |  	# bash tries ioctl for some reason | ||||||
|  	files_dontaudit_ioctl_all_pids(initrc_t) |  	files_dontaudit_ioctl_all_pids(initrc_t) | ||||||
|   |   | ||||||
| @ -31828,7 +31835,7 @@ index 17eda24..dd417eb 100644 | |||||||
|  ') |  ') | ||||||
|   |   | ||||||
|  optional_policy(` |  optional_policy(` | ||||||
| @@ -818,6 +1339,10 @@ optional_policy(`
 | @@ -818,6 +1340,10 @@ optional_policy(`
 | ||||||
|  ') |  ') | ||||||
|   |   | ||||||
|  optional_policy(` |  optional_policy(` | ||||||
| @ -31839,7 +31846,7 @@ index 17eda24..dd417eb 100644 | |||||||
|  	# shorewall-init script run /var/lib/shorewall/firewall |  	# shorewall-init script run /var/lib/shorewall/firewall | ||||||
|  	shorewall_lib_domtrans(initrc_t) |  	shorewall_lib_domtrans(initrc_t) | ||||||
|  ') |  ') | ||||||
| @@ -827,10 +1352,12 @@ optional_policy(`
 | @@ -827,10 +1353,12 @@ optional_policy(`
 | ||||||
|  	squid_manage_logs(initrc_t) |  	squid_manage_logs(initrc_t) | ||||||
|  ') |  ') | ||||||
|   |   | ||||||
| @ -31852,7 +31859,7 @@ index 17eda24..dd417eb 100644 | |||||||
|   |   | ||||||
|  optional_policy(` |  optional_policy(` | ||||||
|  	ssh_dontaudit_read_server_keys(initrc_t) |  	ssh_dontaudit_read_server_keys(initrc_t) | ||||||
| @@ -857,21 +1384,60 @@ optional_policy(`
 | @@ -857,21 +1385,60 @@ optional_policy(`
 | ||||||
|  ') |  ') | ||||||
|   |   | ||||||
|  optional_policy(` |  optional_policy(` | ||||||
| @ -31914,7 +31921,7 @@ index 17eda24..dd417eb 100644 | |||||||
|  ') |  ') | ||||||
|   |   | ||||||
|  optional_policy(` |  optional_policy(` | ||||||
| @@ -887,6 +1453,10 @@ optional_policy(`
 | @@ -887,6 +1454,10 @@ optional_policy(`
 | ||||||
|  ') |  ') | ||||||
|   |   | ||||||
|  optional_policy(` |  optional_policy(` | ||||||
| @ -31925,7 +31932,7 @@ index 17eda24..dd417eb 100644 | |||||||
|  	# Set device ownerships/modes. |  	# Set device ownerships/modes. | ||||||
|  	xserver_setattr_console_pipes(initrc_t) |  	xserver_setattr_console_pipes(initrc_t) | ||||||
|   |   | ||||||
| @@ -897,3 +1467,218 @@ optional_policy(`
 | @@ -897,3 +1468,218 @@ optional_policy(`
 | ||||||
|  optional_policy(` |  optional_policy(` | ||||||
|  	zebra_read_config(initrc_t) |  	zebra_read_config(initrc_t) | ||||||
|  ') |  ') | ||||||
| @ -37796,7 +37803,7 @@ index 3822072..270bde3 100644 | |||||||
| +	allow semanage_t $1:dbus send_msg;
 | +	allow semanage_t $1:dbus send_msg;
 | ||||||
| +')
 | +')
 | ||||||
| diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
 | diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
 | ||||||
| index dc46420..86595e5 100644
 | index dc46420..4cc658b 100644
 | ||||||
| --- a/policy/modules/system/selinuxutil.te
 | --- a/policy/modules/system/selinuxutil.te
 | ||||||
| +++ b/policy/modules/system/selinuxutil.te
 | +++ b/policy/modules/system/selinuxutil.te
 | ||||||
| @@ -11,14 +11,16 @@ gen_require(`
 | @@ -11,14 +11,16 @@ gen_require(`
 | ||||||
| @ -38227,16 +38234,16 @@ index dc46420..86595e5 100644 | |||||||
| +can_exec(semanage_t, semanage_exec_t)
 | +can_exec(semanage_t, semanage_exec_t)
 | ||||||
|   |   | ||||||
| -term_use_all_terms(semanage_t)
 | -term_use_all_terms(semanage_t)
 | ||||||
| -
 | +# Admins are creating pp files in random locations
 | ||||||
|  | +files_read_non_security_files(semanage_t)
 | ||||||
|  |   | ||||||
| -# Running genhomedircon requires this for finding all users
 | -# Running genhomedircon requires this for finding all users
 | ||||||
| -auth_use_nsswitch(semanage_t)
 | -auth_use_nsswitch(semanage_t)
 | ||||||
| -
 | -
 | ||||||
| -locallogin_use_fds(semanage_t)
 | -locallogin_use_fds(semanage_t)
 | ||||||
| -
 | -
 | ||||||
| -logging_send_syslog_msg(semanage_t)
 | -logging_send_syslog_msg(semanage_t)
 | ||||||
| +# Admins are creating pp files in random locations
 | -
 | ||||||
| +files_read_non_security_files(semanage_t)
 |  | ||||||
|   |  | ||||||
| -miscfiles_read_localization(semanage_t)
 | -miscfiles_read_localization(semanage_t)
 | ||||||
| -
 | -
 | ||||||
| -seutil_libselinux_linked(semanage_t)
 | -seutil_libselinux_linked(semanage_t)
 | ||||||
| @ -38324,7 +38331,7 @@ index dc46420..86595e5 100644 | |||||||
|  ') |  ') | ||||||
|   |   | ||||||
|  ######################################## |  ######################################## | ||||||
| @@ -522,111 +598,192 @@ ifdef(`distro_ubuntu',`
 | @@ -522,111 +598,196 @@ ifdef(`distro_ubuntu',`
 | ||||||
|  # Setfiles local policy |  # Setfiles local policy | ||||||
|  # |  # | ||||||
|   |   | ||||||
| @ -38401,6 +38408,11 @@ index dc46420..86595e5 100644 | |||||||
|   |   | ||||||
| -miscfiles_read_localization(setfiles_t)
 | -miscfiles_read_localization(setfiles_t)
 | ||||||
| +optional_policy(`
 | +optional_policy(`
 | ||||||
|  | +    cloudform_dontaudit_write_cloud_log(setfiles_t)
 | ||||||
|  | +')
 | ||||||
|  |   | ||||||
|  | -seutil_libselinux_linked(setfiles_t)
 | ||||||
|  | +optional_policy(`
 | ||||||
| +	devicekit_dontaudit_read_pid_files(setfiles_t)
 | +	devicekit_dontaudit_read_pid_files(setfiles_t)
 | ||||||
| +	devicekit_dontaudit_rw_log(setfiles_t)
 | +	devicekit_dontaudit_rw_log(setfiles_t)
 | ||||||
| +')
 | +')
 | ||||||
| @ -38416,7 +38428,7 @@ index dc46420..86595e5 100644 | |||||||
| +
 | +
 | ||||||
| +ifdef(`hide_broken_symptoms',`
 | +ifdef(`hide_broken_symptoms',`
 | ||||||
|   |   | ||||||
| -seutil_libselinux_linked(setfiles_t)
 | -userdom_use_all_users_fds(setfiles_t)
 | ||||||
| +	optional_policy(`
 | +	optional_policy(`
 | ||||||
| +		setroubleshoot_fixit_dontaudit_leaks(setfiles_t)
 | +		setroubleshoot_fixit_dontaudit_leaks(setfiles_t)
 | ||||||
| +		setroubleshoot_fixit_dontaudit_leaks(setsebool_t)
 | +		setroubleshoot_fixit_dontaudit_leaks(setsebool_t)
 | ||||||
| @ -38428,8 +38440,7 @@ index dc46420..86595e5 100644 | |||||||
| +		unconfined_domain(setfiles_t)
 | +		unconfined_domain(setfiles_t)
 | ||||||
| +	')
 | +	')
 | ||||||
| +')
 | +')
 | ||||||
|   | +
 | ||||||
| -userdom_use_all_users_fds(setfiles_t)
 |  | ||||||
| +########################################
 | +########################################
 | ||||||
| +#
 | +#
 | ||||||
| +# Setfiles common policy
 | +# Setfiles common policy
 | ||||||
| @ -38662,10 +38673,10 @@ index 1447687..d5e6fb9 100644 | |||||||
|  seutil_read_config(setrans_t) |  seutil_read_config(setrans_t) | ||||||
|   |   | ||||||
| diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
 | diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
 | ||||||
| index 40edc18..b39e137 100644
 | index 40edc18..04ea6dd 100644
 | ||||||
| --- a/policy/modules/system/sysnetwork.fc
 | --- a/policy/modules/system/sysnetwork.fc
 | ||||||
| +++ b/policy/modules/system/sysnetwork.fc
 | +++ b/policy/modules/system/sysnetwork.fc
 | ||||||
| @@ -17,22 +17,24 @@ ifdef(`distro_debian',`
 | @@ -17,22 +17,25 @@ ifdef(`distro_debian',`
 | ||||||
|  /etc/dhclient.*conf	--	gen_context(system_u:object_r:dhcp_etc_t,s0) |  /etc/dhclient.*conf	--	gen_context(system_u:object_r:dhcp_etc_t,s0) | ||||||
|  /etc/dhclient-script	--	gen_context(system_u:object_r:dhcp_etc_t,s0) |  /etc/dhclient-script	--	gen_context(system_u:object_r:dhcp_etc_t,s0) | ||||||
|  /etc/dhcpc.*			gen_context(system_u:object_r:dhcp_etc_t,s0) |  /etc/dhcpc.*			gen_context(system_u:object_r:dhcp_etc_t,s0) | ||||||
| @ -38691,10 +38702,11 @@ index 40edc18..b39e137 100644 | |||||||
|  /etc/sysconfig/networking(/.*)? gen_context(system_u:object_r:net_conf_t,s0) |  /etc/sysconfig/networking(/.*)? gen_context(system_u:object_r:net_conf_t,s0) | ||||||
|  /etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0) |  /etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0) | ||||||
| +/var/run/systemd/network(/.*)?  gen_context(system_u:object_r:net_conf_t,s0)
 | +/var/run/systemd/network(/.*)?  gen_context(system_u:object_r:net_conf_t,s0)
 | ||||||
|  | +/var/run/systemd/resolve/resolv\.conf   --  gen_context(system_u:object_r:net_conf_t,s0)
 | ||||||
|  ') |  ') | ||||||
|   |   | ||||||
|  # |  # | ||||||
| @@ -55,6 +57,21 @@ ifdef(`distro_redhat',`
 | @@ -55,6 +58,21 @@ ifdef(`distro_redhat',`
 | ||||||
|  # |  # | ||||||
|  # /usr |  # /usr | ||||||
|  # |  # | ||||||
| @ -38716,7 +38728,7 @@ index 40edc18..b39e137 100644 | |||||||
|  /usr/sbin/tc		--	gen_context(system_u:object_r:ifconfig_exec_t,s0) |  /usr/sbin/tc		--	gen_context(system_u:object_r:ifconfig_exec_t,s0) | ||||||
|   |   | ||||||
|  # |  # | ||||||
| @@ -77,3 +94,6 @@ ifdef(`distro_debian',`
 | @@ -77,3 +95,6 @@ ifdef(`distro_debian',`
 | ||||||
|  /var/run/network(/.*)?	gen_context(system_u:object_r:net_conf_t,s0) |  /var/run/network(/.*)?	gen_context(system_u:object_r:net_conf_t,s0) | ||||||
|  ') |  ') | ||||||
|   |   | ||||||
| @ -41115,10 +41127,10 @@ index 0000000..d2a8fc7 | |||||||
| +')
 | +')
 | ||||||
| diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 | diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 | ||||||
| new file mode 100644 | new file mode 100644 | ||||||
| index 0000000..4fa43d7
 | index 0000000..5b904b0
 | ||||||
| --- /dev/null
 | --- /dev/null
 | ||||||
| +++ b/policy/modules/system/systemd.te
 | +++ b/policy/modules/system/systemd.te
 | ||||||
| @@ -0,0 +1,695 @@
 | @@ -0,0 +1,699 @@
 | ||||||
| +policy_module(systemd, 1.0.0)
 | +policy_module(systemd, 1.0.0)
 | ||||||
| +
 | +
 | ||||||
| +#######################################
 | +#######################################
 | ||||||
| @ -41355,12 +41367,14 @@ index 0000000..4fa43d7 | |||||||
| +# systemd-networkd local policy
 | +# systemd-networkd local policy
 | ||||||
| +#
 | +#
 | ||||||
| +
 | +
 | ||||||
| +allow systemd_networkd_t self:capability { net_admin net_raw };
 | +allow systemd_networkd_t self:capability { net_admin net_raw setuid fowner chown setgid setpcap };
 | ||||||
|  | +allow systemd_networkd_t self:process { getcap setcap };
 | ||||||
| +
 | +
 | ||||||
| +allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms;
 | +allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms;
 | ||||||
| +allow systemd_networkd_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
 | +allow systemd_networkd_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
 | ||||||
| +allow systemd_networkd_t self:unix_dgram_socket create_socket_perms;
 | +allow systemd_networkd_t self:unix_dgram_socket create_socket_perms;
 | ||||||
| +allow systemd_networkd_t self:packet_socket create_socket_perms;
 | +allow systemd_networkd_t self:packet_socket create_socket_perms;
 | ||||||
|  | +allow systemd_networkd_t self:udp_socket create_socket_perms;
 | ||||||
| +
 | +
 | ||||||
| +manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
 | +manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
 | ||||||
| +manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
 | +manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
 | ||||||
| @ -41370,6 +41384,8 @@ index 0000000..4fa43d7 | |||||||
| +
 | +
 | ||||||
| +dev_read_sysfs(systemd_networkd_t)
 | +dev_read_sysfs(systemd_networkd_t)
 | ||||||
| +
 | +
 | ||||||
|  | +auth_read_passwd(systemd_networkd_t)
 | ||||||
|  | +
 | ||||||
| +sysnet_filetrans_named_content(systemd_networkd_t)
 | +sysnet_filetrans_named_content(systemd_networkd_t)
 | ||||||
| +sysnet_manage_config(systemd_networkd_t)
 | +sysnet_manage_config(systemd_networkd_t)
 | ||||||
| +sysnet_manage_config_dirs(systemd_networkd_t)
 | +sysnet_manage_config_dirs(systemd_networkd_t)
 | ||||||
|  | |||||||
										
											
											
										
									
								
							| @ -19,12 +19,13 @@ | |||||||
| Summary: SELinux policy configuration | Summary: SELinux policy configuration | ||||||
| Name: selinux-policy | Name: selinux-policy | ||||||
| Version: 3.13.1 | Version: 3.13.1 | ||||||
| Release: 86%{?dist} | Release: 87%{?dist} | ||||||
| License: GPLv2+ | License: GPLv2+ | ||||||
| Group: System Environment/Base | Group: System Environment/Base | ||||||
| Source: serefpolicy-%{version}.tgz | Source: serefpolicy-%{version}.tgz | ||||||
| patch: policy-rawhide-base.patch | patch: policy-rawhide-base.patch | ||||||
| patch1: policy-rawhide-contrib.patch | patch1: policy-rawhide-contrib.patch | ||||||
|  | patch2: policy-rawhide-base-cockpit.patch | ||||||
| Source1: modules-targeted-base.conf  | Source1: modules-targeted-base.conf  | ||||||
| Source31: modules-targeted-contrib.conf | Source31: modules-targeted-contrib.conf | ||||||
| Source2: booleans-targeted.conf | Source2: booleans-targeted.conf | ||||||
| @ -333,6 +334,7 @@ Based off of reference policy: Checked out revision  2.20091117 | |||||||
| contrib_path=`pwd` | contrib_path=`pwd` | ||||||
| %setup -n serefpolicy-%{version} -q | %setup -n serefpolicy-%{version} -q | ||||||
| %patch -p1 | %patch -p1 | ||||||
|  | %patch2 -p1 | ||||||
| refpolicy_path=`pwd` | refpolicy_path=`pwd` | ||||||
| cp $contrib_path/* $refpolicy_path/policy/modules/contrib | cp $contrib_path/* $refpolicy_path/policy/modules/contrib | ||||||
| 
 | 
 | ||||||
| @ -602,6 +604,16 @@ SELinux Reference policy mls base module. | |||||||
| %endif | %endif | ||||||
| 
 | 
 | ||||||
| %changelog | %changelog | ||||||
|  | * Fri Oct 17 2014 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-87 | ||||||
|  | - Allow systemd-networkd to be running as dhcp client. | ||||||
|  | - Label /usr/bin/cockpit-bridge as shell_exec_t. | ||||||
|  | - Add label for /var/run/systemd/resolve/resolv.conf. | ||||||
|  | - ALlow listen and accept on tcp socket for init_t in MLS. Previously it was for xinetd_t. | ||||||
|  | - Allow systemd-networkd to be running as dhcp client. | ||||||
|  | - Label /usr/bin/cockpit-bridge as shell_exec_t. | ||||||
|  | - Add label for /var/run/systemd/resolve/resolv.conf. | ||||||
|  | - ALlow listen and accept on tcp socket for init_t in MLS. Previously it was for xinetd_t. | ||||||
|  | 
 | ||||||
| * Tue Oct 14 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-86 | * Tue Oct 14 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-86 | ||||||
| - Dontaudit aicuu to search home config dir. BZ (#1104076) | - Dontaudit aicuu to search home config dir. BZ (#1104076) | ||||||
| - couchdb is using erlang so it needs execmem privs | - couchdb is using erlang so it needs execmem privs | ||||||
|  | |||||||