* Mon Sep 11 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-281

- Allow domains that read raw memory to also use mmap.
This commit is contained in:
Lukas Vrabec 2017-09-11 09:50:18 +02:00
parent b9bc43a953
commit 65f16bbe30
4 changed files with 74 additions and 55 deletions



@ -6866,7 +6866,7 @@ index b31c05491..a7b0f009a 100644
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 76f285ea6..ac044aea2 100644 index 76f285ea6..c28d65c08 100644
--- a/policy/modules/kernel/devices.if --- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@ -7649,7 +7649,15 @@ index 76f285ea6..ac044aea2 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -2532,6 +3038,24 @@ interface(`dev_read_raw_memory',` @@ -2525,6 +3031,7 @@ interface(`dev_read_raw_memory',`
')
read_chr_files_pattern($1, device_t, memory_device_t)
+ allow $1 memory_device_t:chr_file map;
allow $1 self:capability sys_rawio;
typeattribute $1 memory_raw_read;
@@ -2532,6 +3039,24 @@ interface(`dev_read_raw_memory',`
######################################## ########################################
## <summary> ## <summary>
@ -7674,7 +7682,7 @@ index 76f285ea6..ac044aea2 100644
## Do not audit attempts to read raw memory devices ## Do not audit attempts to read raw memory devices
## (e.g. /dev/mem). ## (e.g. /dev/mem).
## </summary> ## </summary>
@@ -2573,6 +3097,24 @@ interface(`dev_write_raw_memory',` @@ -2573,6 +3098,24 @@ interface(`dev_write_raw_memory',`
######################################## ########################################
## <summary> ## <summary>
@ -7699,7 +7707,7 @@ index 76f285ea6..ac044aea2 100644
## Read and execute raw memory devices (e.g. /dev/mem). ## Read and execute raw memory devices (e.g. /dev/mem).
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -2587,7 +3129,7 @@ interface(`dev_rx_raw_memory',` @@ -2587,7 +3130,7 @@ interface(`dev_rx_raw_memory',`
') ')
dev_read_raw_memory($1) dev_read_raw_memory($1)
@ -7708,7 +7716,7 @@ index 76f285ea6..ac044aea2 100644
') ')
######################################## ########################################
@@ -2606,7 +3148,7 @@ interface(`dev_wx_raw_memory',` @@ -2606,7 +3149,7 @@ interface(`dev_wx_raw_memory',`
') ')
dev_write_raw_memory($1) dev_write_raw_memory($1)
@ -7717,7 +7725,7 @@ index 76f285ea6..ac044aea2 100644
') ')
######################################## ########################################
@@ -2725,7 +3267,7 @@ interface(`dev_write_misc',` @@ -2725,7 +3268,7 @@ interface(`dev_write_misc',`
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@ -7726,7 +7734,7 @@ index 76f285ea6..ac044aea2 100644
## </summary> ## </summary>
## </param> ## </param>
# #
@@ -2811,7 +3353,7 @@ interface(`dev_rw_modem',` @@ -2811,7 +3354,7 @@ interface(`dev_rw_modem',`
######################################## ########################################
## <summary> ## <summary>
@ -7735,7 +7743,7 @@ index 76f285ea6..ac044aea2 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -2819,17 +3361,17 @@ interface(`dev_rw_modem',` @@ -2819,17 +3362,17 @@ interface(`dev_rw_modem',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -7757,7 +7765,7 @@ index 76f285ea6..ac044aea2 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -2837,17 +3379,17 @@ interface(`dev_getattr_mouse_dev',` @@ -2837,17 +3380,17 @@ interface(`dev_getattr_mouse_dev',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -7779,7 +7787,7 @@ index 76f285ea6..ac044aea2 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -2855,12 +3397,84 @@ interface(`dev_setattr_mouse_dev',` @@ -2855,12 +3398,84 @@ interface(`dev_setattr_mouse_dev',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -7867,7 +7875,7 @@ index 76f285ea6..ac044aea2 100644
') ')
######################################## ########################################
@@ -2903,20 +3517,20 @@ interface(`dev_getattr_mtrr_dev',` @@ -2903,20 +3518,20 @@ interface(`dev_getattr_mtrr_dev',`
######################################## ########################################
## <summary> ## <summary>
@ -7892,7 +7900,7 @@ index 76f285ea6..ac044aea2 100644
## </p> ## </p>
## </desc> ## </desc>
## <param name="domain"> ## <param name="domain">
@@ -2925,43 +3539,34 @@ interface(`dev_getattr_mtrr_dev',` @@ -2925,43 +3540,34 @@ interface(`dev_getattr_mtrr_dev',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -7948,7 +7956,7 @@ index 76f285ea6..ac044aea2 100644
## range registers (MTRR). ## range registers (MTRR).
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -2970,13 +3575,32 @@ interface(`dev_write_mtrr',` @@ -2970,13 +3576,32 @@ interface(`dev_write_mtrr',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -7984,7 +7992,7 @@ index 76f285ea6..ac044aea2 100644
') ')
######################################## ########################################
@@ -3144,6 +3768,80 @@ interface(`dev_create_null_dev',` @@ -3144,6 +3769,80 @@ interface(`dev_create_null_dev',`
######################################## ########################################
## <summary> ## <summary>
@ -8065,7 +8073,7 @@ index 76f285ea6..ac044aea2 100644
## Do not audit attempts to get the attributes ## Do not audit attempts to get the attributes
## of the BIOS non-volatile RAM device. ## of the BIOS non-volatile RAM device.
## </summary> ## </summary>
@@ -3163,6 +3861,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` @@ -3163,6 +3862,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
######################################## ########################################
## <summary> ## <summary>
@ -8090,7 +8098,7 @@ index 76f285ea6..ac044aea2 100644
## Read and write BIOS non-volatile RAM. ## Read and write BIOS non-volatile RAM.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -3254,7 +3970,25 @@ interface(`dev_rw_printer',` @@ -3254,7 +3971,25 @@ interface(`dev_rw_printer',`
######################################## ########################################
## <summary> ## <summary>
@ -8117,7 +8125,7 @@ index 76f285ea6..ac044aea2 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -3262,12 +3996,13 @@ interface(`dev_rw_printer',` @@ -3262,12 +3997,13 @@ interface(`dev_rw_printer',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -8134,7 +8142,7 @@ index 76f285ea6..ac044aea2 100644
') ')
######################################## ########################################
@@ -3399,7 +4134,7 @@ interface(`dev_dontaudit_read_rand',` @@ -3399,7 +4135,7 @@ interface(`dev_dontaudit_read_rand',`
######################################## ########################################
## <summary> ## <summary>
@ -8143,7 +8151,7 @@ index 76f285ea6..ac044aea2 100644
## number generator devices (e.g., /dev/random) ## number generator devices (e.g., /dev/random)
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -3413,7 +4148,7 @@ interface(`dev_dontaudit_append_rand',` @@ -3413,7 +4149,7 @@ interface(`dev_dontaudit_append_rand',`
type random_device_t; type random_device_t;
') ')
@ -8152,7 +8160,7 @@ index 76f285ea6..ac044aea2 100644
') ')
######################################## ########################################
@@ -3633,6 +4368,7 @@ interface(`dev_read_sound',` @@ -3633,6 +4369,7 @@ interface(`dev_read_sound',`
') ')
read_chr_files_pattern($1, device_t, sound_device_t) read_chr_files_pattern($1, device_t, sound_device_t)
@ -8160,7 +8168,7 @@ index 76f285ea6..ac044aea2 100644
') ')
######################################## ########################################
@@ -3669,6 +4405,7 @@ interface(`dev_read_sound_mixer',` @@ -3669,6 +4406,7 @@ interface(`dev_read_sound_mixer',`
') ')
read_chr_files_pattern($1, device_t, sound_device_t) read_chr_files_pattern($1, device_t, sound_device_t)
@ -8168,7 +8176,7 @@ index 76f285ea6..ac044aea2 100644
') ')
######################################## ########################################
@@ -3855,7 +4592,7 @@ interface(`dev_getattr_sysfs_dirs',` @@ -3855,7 +4593,7 @@ interface(`dev_getattr_sysfs_dirs',`
######################################## ########################################
## <summary> ## <summary>
@ -8177,7 +8185,7 @@ index 76f285ea6..ac044aea2 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -3863,91 +4600,89 @@ interface(`dev_getattr_sysfs_dirs',` @@ -3863,91 +4601,89 @@ interface(`dev_getattr_sysfs_dirs',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -8288,7 +8296,7 @@ index 76f285ea6..ac044aea2 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -3955,60 +4690,215 @@ interface(`dev_dontaudit_write_sysfs_dirs',` @@ -3955,60 +4691,215 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -8525,7 +8533,7 @@ index 76f285ea6..ac044aea2 100644
read_lnk_files_pattern($1, sysfs_t, sysfs_t) read_lnk_files_pattern($1, sysfs_t, sysfs_t)
list_dirs_pattern($1, sysfs_t, sysfs_t) list_dirs_pattern($1, sysfs_t, sysfs_t)
@@ -4016,6 +4906,81 @@ interface(`dev_rw_sysfs',` @@ -4016,6 +4907,81 @@ interface(`dev_rw_sysfs',`
######################################## ########################################
## <summary> ## <summary>
@ -8607,7 +8615,7 @@ index 76f285ea6..ac044aea2 100644
## Read and write the TPM device. ## Read and write the TPM device.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -4113,6 +5078,25 @@ interface(`dev_write_urand',` @@ -4113,6 +5079,25 @@ interface(`dev_write_urand',`
######################################## ########################################
## <summary> ## <summary>
@ -8633,7 +8641,7 @@ index 76f285ea6..ac044aea2 100644
## Getattr generic the USB devices. ## Getattr generic the USB devices.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -4123,7 +5107,7 @@ interface(`dev_write_urand',` @@ -4123,7 +5108,7 @@ interface(`dev_write_urand',`
# #
interface(`dev_getattr_generic_usb_dev',` interface(`dev_getattr_generic_usb_dev',`
gen_require(` gen_require(`
@ -8642,7 +8650,7 @@ index 76f285ea6..ac044aea2 100644
') ')
getattr_chr_files_pattern($1, device_t, usb_device_t) getattr_chr_files_pattern($1, device_t, usb_device_t)
@@ -4409,9 +5393,9 @@ interface(`dev_rw_usbfs',` @@ -4409,9 +5394,9 @@ interface(`dev_rw_usbfs',`
read_lnk_files_pattern($1, usbfs_t, usbfs_t) read_lnk_files_pattern($1, usbfs_t, usbfs_t)
') ')
@ -8654,7 +8662,7 @@ index 76f285ea6..ac044aea2 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -4419,17 +5403,17 @@ interface(`dev_rw_usbfs',` @@ -4419,17 +5404,17 @@ interface(`dev_rw_usbfs',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -8677,7 +8685,7 @@ index 76f285ea6..ac044aea2 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -4437,12 +5421,12 @@ interface(`dev_getattr_video_dev',` @@ -4437,12 +5422,12 @@ interface(`dev_getattr_video_dev',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -8693,7 +8701,7 @@ index 76f285ea6..ac044aea2 100644
') ')
######################################## ########################################
@@ -4539,6 +5523,134 @@ interface(`dev_write_video_dev',` @@ -4539,6 +5524,134 @@ interface(`dev_write_video_dev',`
######################################## ########################################
## <summary> ## <summary>
@ -8828,7 +8836,7 @@ index 76f285ea6..ac044aea2 100644
## Allow read/write the vhost net device ## Allow read/write the vhost net device
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -4557,6 +5669,24 @@ interface(`dev_rw_vhost',` @@ -4557,6 +5670,24 @@ interface(`dev_rw_vhost',`
######################################## ########################################
## <summary> ## <summary>
@ -8853,7 +8861,7 @@ index 76f285ea6..ac044aea2 100644
## Read and write VMWare devices. ## Read and write VMWare devices.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -4589,7 +5719,7 @@ interface(`dev_rwx_vmware',` @@ -4589,7 +5720,7 @@ interface(`dev_rwx_vmware',`
') ')
dev_rw_vmware($1) dev_rw_vmware($1)
@ -8862,7 +8870,7 @@ index 76f285ea6..ac044aea2 100644
') ')
######################################## ########################################
@@ -4630,6 +5760,24 @@ interface(`dev_write_watchdog',` @@ -4630,6 +5761,24 @@ interface(`dev_write_watchdog',`
######################################## ########################################
## <summary> ## <summary>
@ -8887,7 +8895,7 @@ index 76f285ea6..ac044aea2 100644
## Read and write the the wireless device. ## Read and write the the wireless device.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -4762,6 +5910,44 @@ interface(`dev_rw_xserver_misc',` @@ -4762,6 +5911,44 @@ interface(`dev_rw_xserver_misc',`
######################################## ########################################
## <summary> ## <summary>
@ -8932,7 +8940,7 @@ index 76f285ea6..ac044aea2 100644
## Read and write to the zero device (/dev/zero). ## Read and write to the zero device (/dev/zero).
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -4794,7 +5980,7 @@ interface(`dev_rwx_zero',` @@ -4794,7 +5981,7 @@ interface(`dev_rwx_zero',`
') ')
dev_rw_zero($1) dev_rw_zero($1)
@ -8941,7 +8949,7 @@ index 76f285ea6..ac044aea2 100644
') ')
######################################## ########################################
@@ -4851,3 +6037,1064 @@ interface(`dev_unconfined',` @@ -4851,3 +6038,1064 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type; typeattribute $1 devices_unconfined_type;
') ')
@ -39239,7 +39247,7 @@ index c42fbc329..bf211dbee 100644
+ files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock") + files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock")
+') +')
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index be8ed1e6c..91d1296b8 100644 index be8ed1e6c..73e51f7ef 100644
--- a/policy/modules/system/iptables.te --- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te
@@ -16,15 +16,21 @@ role iptables_roles types iptables_t; @@ -16,15 +16,21 @@ role iptables_roles types iptables_t;
@ -39367,7 +39375,7 @@ index be8ed1e6c..91d1296b8 100644
') ')
optional_policy(` optional_policy(`
@@ -110,7 +138,15 @@ optional_policy(` @@ -110,7 +138,16 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -39380,10 +39388,11 @@ index be8ed1e6c..91d1296b8 100644
+optional_policy(` +optional_policy(`
modutils_run_insmod(iptables_t, iptables_roles) modutils_run_insmod(iptables_t, iptables_roles)
+ modutils_list_module_config(iptables_t) + modutils_list_module_config(iptables_t)
+ modutils_read_module_config(iptables_t)
') ')
optional_policy(` optional_policy(`
@@ -119,11 +155,25 @@ optional_policy(` @@ -119,11 +156,25 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -39409,7 +39418,7 @@ index be8ed1e6c..91d1296b8 100644
') ')
optional_policy(` optional_policy(`
@@ -135,9 +185,9 @@ optional_policy(` @@ -135,9 +186,9 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
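Review bot: The added `+ allow $1 memory_device_t:chr_file map;` in dev_read_raw_memory has no counterpart in dev_write_raw_memory, whose inner hunk at `@@ -2573,6 +3098,24 @@` only shifts its offset in this commit, so a domain that takes dev_write_raw_memory or dev_wx_raw_memory alone presumably still fails the map check when it mmaps /dev/mem, while every caller of the read interface now receives it; if that asymmetry is intended it deserves a comment, otherwise the write interface needs the same line. Because map is checked separately from read, the interface summary `## Read raw memory devices (e.g. /dev/mem).` should state that mapping the device is now included, so policy authors granting this interface see the full permission set they hand out. The interface body and the enclosing patch hunk both continue outside what is shown here.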


@ -47515,15 +47515,19 @@ index dd8e01af3..9cd6b0b8e 100644
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
diff --git a/logrotate.te b/logrotate.te diff --git a/logrotate.te b/logrotate.te
index be0ab84b3..882160882 100644 index be0ab84b3..9ca958706 100644
--- a/logrotate.te --- a/logrotate.te
+++ b/logrotate.te +++ b/logrotate.te
@@ -5,16 +5,29 @@ policy_module(logrotate, 1.15.0) @@ -5,16 +5,33 @@ policy_module(logrotate, 1.15.0)
# Declarations # Declarations
# #
-attribute_role logrotate_roles; -attribute_role logrotate_roles;
-roleattribute system_r logrotate_roles; -roleattribute system_r logrotate_roles;
+gen_require(`
+ class passwd passwd;
+')
+
+## <desc> +## <desc>
+## <p> +## <p>
+## Allow logrotate to manage nfs files +## Allow logrotate to manage nfs files
@ -47552,7 +47556,7 @@ index be0ab84b3..882160882 100644
type logrotate_lock_t; type logrotate_lock_t;
files_lock_file(logrotate_lock_t) files_lock_file(logrotate_lock_t)
@@ -25,21 +38,31 @@ files_tmp_file(logrotate_tmp_t) @@ -25,21 +42,33 @@ files_tmp_file(logrotate_tmp_t)
type logrotate_var_lib_t; type logrotate_var_lib_t;
files_type(logrotate_var_lib_t) files_type(logrotate_var_lib_t)
@ -47575,6 +47579,8 @@ index be0ab84b3..882160882 100644
+ +
+allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ +
+allow logrotate_t self:passwd { passwd };
+
+# Set a context other than the default one for newly created files. +# Set a context other than the default one for newly created files.
+allow logrotate_t self:process setfscreate; +allow logrotate_t self:process setfscreate;
+ +
@ -47590,7 +47596,7 @@ index be0ab84b3..882160882 100644
allow logrotate_t self:shm create_shm_perms; allow logrotate_t self:shm create_shm_perms;
allow logrotate_t self:sem create_sem_perms; allow logrotate_t self:sem create_sem_perms;
allow logrotate_t self:msgq create_msgq_perms; allow logrotate_t self:msgq create_msgq_perms;
@@ -48,36 +71,54 @@ allow logrotate_t self:msg { send receive }; @@ -48,36 +77,54 @@ allow logrotate_t self:msg { send receive };
allow logrotate_t logrotate_lock_t:file manage_file_perms; allow logrotate_t logrotate_lock_t:file manage_file_perms;
files_lock_filetrans(logrotate_t, logrotate_lock_t, file) files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
@ -47650,7 +47656,7 @@ index be0ab84b3..882160882 100644
files_manage_generic_spool(logrotate_t) files_manage_generic_spool(logrotate_t)
files_manage_generic_spool_dirs(logrotate_t) files_manage_generic_spool_dirs(logrotate_t)
files_getattr_generic_locks(logrotate_t) files_getattr_generic_locks(logrotate_t)
@@ -95,32 +136,57 @@ mls_process_write_to_clearance(logrotate_t) @@ -95,32 +142,58 @@ mls_process_write_to_clearance(logrotate_t)
selinux_get_fs_mount(logrotate_t) selinux_get_fs_mount(logrotate_t)
selinux_get_enforce_mode(logrotate_t) selinux_get_enforce_mode(logrotate_t)
@ -47662,6 +47668,7 @@ index be0ab84b3..882160882 100644
init_all_labeled_script_domtrans(logrotate_t) init_all_labeled_script_domtrans(logrotate_t)
+init_reload_services(logrotate_t) +init_reload_services(logrotate_t)
+init_reload_transient_unit(logrotate_t)
logging_manage_all_logs(logrotate_t) logging_manage_all_logs(logrotate_t)
logging_send_syslog_msg(logrotate_t) logging_send_syslog_msg(logrotate_t)
@ -47714,7 +47721,7 @@ index be0ab84b3..882160882 100644
') ')
optional_policy(` optional_policy(`
@@ -135,16 +201,17 @@ optional_policy(` @@ -135,16 +208,17 @@ optional_policy(`
optional_policy(` optional_policy(`
apache_read_config(logrotate_t) apache_read_config(logrotate_t)
@ -47734,7 +47741,7 @@ index be0ab84b3..882160882 100644
') ')
optional_policy(` optional_policy(`
@@ -170,6 +237,11 @@ optional_policy(` @@ -170,6 +244,11 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -47746,7 +47753,7 @@ index be0ab84b3..882160882 100644
fail2ban_stream_connect(logrotate_t) fail2ban_stream_connect(logrotate_t)
') ')
@@ -178,7 +250,8 @@ optional_policy(` @@ -178,7 +257,8 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -47756,7 +47763,7 @@ index be0ab84b3..882160882 100644
') ')
optional_policy(` optional_policy(`
@@ -198,17 +271,18 @@ optional_policy(` @@ -198,17 +278,18 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -47778,7 +47785,7 @@ index be0ab84b3..882160882 100644
') ')
optional_policy(` optional_policy(`
@@ -216,6 +290,14 @@ optional_policy(` @@ -216,6 +297,14 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -47793,7 +47800,7 @@ index be0ab84b3..882160882 100644
samba_exec_log(logrotate_t) samba_exec_log(logrotate_t)
') ')
@@ -228,26 +310,50 @@ optional_policy(` @@ -228,26 +317,50 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -73824,7 +73831,7 @@ index 000000000..9c27847b2
+') +')
+ +
diff --git a/plymouthd.fc b/plymouthd.fc diff --git a/plymouthd.fc b/plymouthd.fc
index 735500fd1..2ba6832cc 100644 index 735500fd1..7f694728c 100644
--- a/plymouthd.fc --- a/plymouthd.fc
+++ b/plymouthd.fc +++ b/plymouthd.fc
@@ -1,15 +1,14 @@ @@ -1,15 +1,14 @@
@ -73842,7 +73849,7 @@ index 735500fd1..2ba6832cc 100644
-/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0) -/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
+/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0) +/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
+/var/log/boot\.log gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh) +/var/log/boot\.log.* gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)
-/var/log/boot\.log.* -- gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh) -/var/log/boot\.log.* -- gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)
+/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0) +/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
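Review bot: The new `+allow logrotate_t self:passwd { passwd };` together with its `gen_require(` block for `class passwd` grants logrotate a userspace password-related permission that neither the hunk nor the commit message (which only mentions raw-memory mmap) explains, so a later audit cannot tell whether the rule is still needed or can be narrowed. A comment above the rule naming the code path that produced the denial, e.g. `# passwd:passwd is checked by PAM when logrotate switches user for a rotated log — TODO confirm against the audit record`, would make the grant reviewable and easier to remove if that path goes away. The declarations section of logrotate.te continues outside the hunk.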


@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.13.1 Version: 3.13.1
Release: 280%{?dist} Release: 281%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -681,6 +681,9 @@ exit 0
%endif %endif
%changelog %changelog
* Mon Sep 11 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-281
- Allow domains reading raw memory also use mmap.
* Thu Sep 07 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-280 * Thu Sep 07 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-280
- Add rules fixing installing ipa-server-install with SELinux in Enforcing. BZ(1488404) - Add rules fixing installing ipa-server-install with SELinux in Enforcing. BZ(1488404)
- Fix denials during ipa-server-install process on F27+ - Fix denials during ipa-server-install process on F27+