* Mon Sep 11 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-281
- Allow domains that read raw memory to also mmap() it.
parent
b9bc43a953
commit
65f16bbe30
Binary file not shown.
@ -6866,7 +6866,7 @@ index b31c05491..a7b0f009a 100644
|
|||||||
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
|
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
|
||||||
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
|
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
|
||||||
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
|
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
|
||||||
index 76f285ea6..ac044aea2 100644
|
index 76f285ea6..c28d65c08 100644
|
||||||
--- a/policy/modules/kernel/devices.if
|
--- a/policy/modules/kernel/devices.if
|
||||||
+++ b/policy/modules/kernel/devices.if
|
+++ b/policy/modules/kernel/devices.if
|
||||||
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
|
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
|
||||||
@ -7649,7 +7649,15 @@ index 76f285ea6..ac044aea2 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -2532,6 +3038,24 @@ interface(`dev_read_raw_memory',`
|
@@ -2525,6 +3031,7 @@ interface(`dev_read_raw_memory',`
|
||||||
|
')
|
||||||
|
|
||||||
|
read_chr_files_pattern($1, device_t, memory_device_t)
|
||||||
|
+ allow $1 memory_device_t:chr_file map;
|
||||||
|
|
||||||
|
allow $1 self:capability sys_rawio;
|
||||||
|
typeattribute $1 memory_raw_read;
|
||||||
|
@@ -2532,6 +3039,24 @@ interface(`dev_read_raw_memory',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -7674,7 +7682,7 @@ index 76f285ea6..ac044aea2 100644
|
|||||||
## Do not audit attempts to read raw memory devices
|
## Do not audit attempts to read raw memory devices
|
||||||
## (e.g. /dev/mem).
|
## (e.g. /dev/mem).
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -2573,6 +3097,24 @@ interface(`dev_write_raw_memory',`
|
@@ -2573,6 +3098,24 @@ interface(`dev_write_raw_memory',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -7699,7 +7707,7 @@ index 76f285ea6..ac044aea2 100644
|
|||||||
## Read and execute raw memory devices (e.g. /dev/mem).
|
## Read and execute raw memory devices (e.g. /dev/mem).
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -2587,7 +3129,7 @@ interface(`dev_rx_raw_memory',`
|
@@ -2587,7 +3130,7 @@ interface(`dev_rx_raw_memory',`
|
||||||
')
|
')
|
||||||
|
|
||||||
dev_read_raw_memory($1)
|
dev_read_raw_memory($1)
|
||||||
@ -7708,7 +7716,7 @@ index 76f285ea6..ac044aea2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2606,7 +3148,7 @@ interface(`dev_wx_raw_memory',`
|
@@ -2606,7 +3149,7 @@ interface(`dev_wx_raw_memory',`
|
||||||
')
|
')
|
||||||
|
|
||||||
dev_write_raw_memory($1)
|
dev_write_raw_memory($1)
|
||||||
@ -7717,7 +7725,7 @@ index 76f285ea6..ac044aea2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2725,7 +3267,7 @@ interface(`dev_write_misc',`
|
@@ -2725,7 +3268,7 @@ interface(`dev_write_misc',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -7726,7 +7734,7 @@ index 76f285ea6..ac044aea2 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@@ -2811,7 +3353,7 @@ interface(`dev_rw_modem',`
|
@@ -2811,7 +3354,7 @@ interface(`dev_rw_modem',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -7735,7 +7743,7 @@ index 76f285ea6..ac044aea2 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -2819,17 +3361,17 @@ interface(`dev_rw_modem',`
|
@@ -2819,17 +3362,17 @@ interface(`dev_rw_modem',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -7757,7 +7765,7 @@ index 76f285ea6..ac044aea2 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -2837,17 +3379,17 @@ interface(`dev_getattr_mouse_dev',`
|
@@ -2837,17 +3380,17 @@ interface(`dev_getattr_mouse_dev',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -7779,7 +7787,7 @@ index 76f285ea6..ac044aea2 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -2855,12 +3397,84 @@ interface(`dev_setattr_mouse_dev',`
|
@@ -2855,12 +3398,84 @@ interface(`dev_setattr_mouse_dev',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -7867,7 +7875,7 @@ index 76f285ea6..ac044aea2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2903,20 +3517,20 @@ interface(`dev_getattr_mtrr_dev',`
|
@@ -2903,20 +3518,20 @@ interface(`dev_getattr_mtrr_dev',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -7892,7 +7900,7 @@ index 76f285ea6..ac044aea2 100644
|
|||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -2925,43 +3539,34 @@ interface(`dev_getattr_mtrr_dev',`
|
@@ -2925,43 +3540,34 @@ interface(`dev_getattr_mtrr_dev',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -7948,7 +7956,7 @@ index 76f285ea6..ac044aea2 100644
|
|||||||
## range registers (MTRR).
|
## range registers (MTRR).
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -2970,13 +3575,32 @@ interface(`dev_write_mtrr',`
|
@@ -2970,13 +3576,32 @@ interface(`dev_write_mtrr',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -7984,7 +7992,7 @@ index 76f285ea6..ac044aea2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -3144,6 +3768,80 @@ interface(`dev_create_null_dev',`
|
@@ -3144,6 +3769,80 @@ interface(`dev_create_null_dev',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -8065,7 +8073,7 @@ index 76f285ea6..ac044aea2 100644
|
|||||||
## Do not audit attempts to get the attributes
|
## Do not audit attempts to get the attributes
|
||||||
## of the BIOS non-volatile RAM device.
|
## of the BIOS non-volatile RAM device.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -3163,6 +3861,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
|
@@ -3163,6 +3862,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -8090,7 +8098,7 @@ index 76f285ea6..ac044aea2 100644
|
|||||||
## Read and write BIOS non-volatile RAM.
|
## Read and write BIOS non-volatile RAM.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -3254,7 +3970,25 @@ interface(`dev_rw_printer',`
|
@@ -3254,7 +3971,25 @@ interface(`dev_rw_printer',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -8117,7 +8125,7 @@ index 76f285ea6..ac044aea2 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -3262,12 +3996,13 @@ interface(`dev_rw_printer',`
|
@@ -3262,12 +3997,13 @@ interface(`dev_rw_printer',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -8134,7 +8142,7 @@ index 76f285ea6..ac044aea2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -3399,7 +4134,7 @@ interface(`dev_dontaudit_read_rand',`
|
@@ -3399,7 +4135,7 @@ interface(`dev_dontaudit_read_rand',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -8143,7 +8151,7 @@ index 76f285ea6..ac044aea2 100644
|
|||||||
## number generator devices (e.g., /dev/random)
|
## number generator devices (e.g., /dev/random)
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -3413,7 +4148,7 @@ interface(`dev_dontaudit_append_rand',`
|
@@ -3413,7 +4149,7 @@ interface(`dev_dontaudit_append_rand',`
|
||||||
type random_device_t;
|
type random_device_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -8152,7 +8160,7 @@ index 76f285ea6..ac044aea2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -3633,6 +4368,7 @@ interface(`dev_read_sound',`
|
@@ -3633,6 +4369,7 @@ interface(`dev_read_sound',`
|
||||||
')
|
')
|
||||||
|
|
||||||
read_chr_files_pattern($1, device_t, sound_device_t)
|
read_chr_files_pattern($1, device_t, sound_device_t)
|
||||||
@ -8160,7 +8168,7 @@ index 76f285ea6..ac044aea2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -3669,6 +4405,7 @@ interface(`dev_read_sound_mixer',`
|
@@ -3669,6 +4406,7 @@ interface(`dev_read_sound_mixer',`
|
||||||
')
|
')
|
||||||
|
|
||||||
read_chr_files_pattern($1, device_t, sound_device_t)
|
read_chr_files_pattern($1, device_t, sound_device_t)
|
||||||
@ -8168,7 +8176,7 @@ index 76f285ea6..ac044aea2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -3855,7 +4592,7 @@ interface(`dev_getattr_sysfs_dirs',`
|
@@ -3855,7 +4593,7 @@ interface(`dev_getattr_sysfs_dirs',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -8177,7 +8185,7 @@ index 76f285ea6..ac044aea2 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -3863,91 +4600,89 @@ interface(`dev_getattr_sysfs_dirs',`
|
@@ -3863,91 +4601,89 @@ interface(`dev_getattr_sysfs_dirs',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -8288,7 +8296,7 @@ index 76f285ea6..ac044aea2 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -3955,60 +4690,215 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
|
@@ -3955,60 +4691,215 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -8525,7 +8533,7 @@ index 76f285ea6..ac044aea2 100644
|
|||||||
read_lnk_files_pattern($1, sysfs_t, sysfs_t)
|
read_lnk_files_pattern($1, sysfs_t, sysfs_t)
|
||||||
|
|
||||||
list_dirs_pattern($1, sysfs_t, sysfs_t)
|
list_dirs_pattern($1, sysfs_t, sysfs_t)
|
||||||
@@ -4016,6 +4906,81 @@ interface(`dev_rw_sysfs',`
|
@@ -4016,6 +4907,81 @@ interface(`dev_rw_sysfs',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -8607,7 +8615,7 @@ index 76f285ea6..ac044aea2 100644
|
|||||||
## Read and write the TPM device.
|
## Read and write the TPM device.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -4113,6 +5078,25 @@ interface(`dev_write_urand',`
|
@@ -4113,6 +5079,25 @@ interface(`dev_write_urand',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -8633,7 +8641,7 @@ index 76f285ea6..ac044aea2 100644
|
|||||||
## Getattr generic the USB devices.
|
## Getattr generic the USB devices.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -4123,7 +5107,7 @@ interface(`dev_write_urand',`
|
@@ -4123,7 +5108,7 @@ interface(`dev_write_urand',`
|
||||||
#
|
#
|
||||||
interface(`dev_getattr_generic_usb_dev',`
|
interface(`dev_getattr_generic_usb_dev',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -8642,7 +8650,7 @@ index 76f285ea6..ac044aea2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
getattr_chr_files_pattern($1, device_t, usb_device_t)
|
getattr_chr_files_pattern($1, device_t, usb_device_t)
|
||||||
@@ -4409,9 +5393,9 @@ interface(`dev_rw_usbfs',`
|
@@ -4409,9 +5394,9 @@ interface(`dev_rw_usbfs',`
|
||||||
read_lnk_files_pattern($1, usbfs_t, usbfs_t)
|
read_lnk_files_pattern($1, usbfs_t, usbfs_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -8654,7 +8662,7 @@ index 76f285ea6..ac044aea2 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -4419,17 +5403,17 @@ interface(`dev_rw_usbfs',`
|
@@ -4419,17 +5404,17 @@ interface(`dev_rw_usbfs',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -8677,7 +8685,7 @@ index 76f285ea6..ac044aea2 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -4437,12 +5421,12 @@ interface(`dev_getattr_video_dev',`
|
@@ -4437,12 +5422,12 @@ interface(`dev_getattr_video_dev',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -8693,7 +8701,7 @@ index 76f285ea6..ac044aea2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -4539,6 +5523,134 @@ interface(`dev_write_video_dev',`
|
@@ -4539,6 +5524,134 @@ interface(`dev_write_video_dev',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -8828,7 +8836,7 @@ index 76f285ea6..ac044aea2 100644
|
|||||||
## Allow read/write the vhost net device
|
## Allow read/write the vhost net device
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -4557,6 +5669,24 @@ interface(`dev_rw_vhost',`
|
@@ -4557,6 +5670,24 @@ interface(`dev_rw_vhost',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -8853,7 +8861,7 @@ index 76f285ea6..ac044aea2 100644
|
|||||||
## Read and write VMWare devices.
|
## Read and write VMWare devices.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -4589,7 +5719,7 @@ interface(`dev_rwx_vmware',`
|
@@ -4589,7 +5720,7 @@ interface(`dev_rwx_vmware',`
|
||||||
')
|
')
|
||||||
|
|
||||||
dev_rw_vmware($1)
|
dev_rw_vmware($1)
|
||||||
@ -8862,7 +8870,7 @@ index 76f285ea6..ac044aea2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -4630,6 +5760,24 @@ interface(`dev_write_watchdog',`
|
@@ -4630,6 +5761,24 @@ interface(`dev_write_watchdog',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -8887,7 +8895,7 @@ index 76f285ea6..ac044aea2 100644
|
|||||||
## Read and write the the wireless device.
|
## Read and write the the wireless device.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -4762,6 +5910,44 @@ interface(`dev_rw_xserver_misc',`
|
@@ -4762,6 +5911,44 @@ interface(`dev_rw_xserver_misc',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -8932,7 +8940,7 @@ index 76f285ea6..ac044aea2 100644
|
|||||||
## Read and write to the zero device (/dev/zero).
|
## Read and write to the zero device (/dev/zero).
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -4794,7 +5980,7 @@ interface(`dev_rwx_zero',`
|
@@ -4794,7 +5981,7 @@ interface(`dev_rwx_zero',`
|
||||||
')
|
')
|
||||||
|
|
||||||
dev_rw_zero($1)
|
dev_rw_zero($1)
|
||||||
@ -8941,7 +8949,7 @@ index 76f285ea6..ac044aea2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -4851,3 +6037,1064 @@ interface(`dev_unconfined',`
|
@@ -4851,3 +6038,1064 @@ interface(`dev_unconfined',`
|
||||||
|
|
||||||
typeattribute $1 devices_unconfined_type;
|
typeattribute $1 devices_unconfined_type;
|
||||||
')
|
')
|
||||||
@ -39239,7 +39247,7 @@ index c42fbc329..bf211dbee 100644
|
|||||||
+ files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock")
|
+ files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock")
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
|
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
|
||||||
index be8ed1e6c..91d1296b8 100644
|
index be8ed1e6c..73e51f7ef 100644
|
||||||
--- a/policy/modules/system/iptables.te
|
--- a/policy/modules/system/iptables.te
|
||||||
+++ b/policy/modules/system/iptables.te
|
+++ b/policy/modules/system/iptables.te
|
||||||
@@ -16,15 +16,21 @@ role iptables_roles types iptables_t;
|
@@ -16,15 +16,21 @@ role iptables_roles types iptables_t;
|
||||||
@ -39367,7 +39375,7 @@ index be8ed1e6c..91d1296b8 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -110,7 +138,15 @@ optional_policy(`
|
@@ -110,7 +138,16 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -39380,10 +39388,11 @@ index be8ed1e6c..91d1296b8 100644
|
|||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
modutils_run_insmod(iptables_t, iptables_roles)
|
modutils_run_insmod(iptables_t, iptables_roles)
|
||||||
+ modutils_list_module_config(iptables_t)
|
+ modutils_list_module_config(iptables_t)
|
||||||
|
+ modutils_read_module_config(iptables_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -119,11 +155,25 @@ optional_policy(`
|
@@ -119,11 +156,25 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -39409,7 +39418,7 @@ index be8ed1e6c..91d1296b8 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -135,9 +185,9 @@ optional_policy(`
|
@@ -135,9 +186,9 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -47515,15 +47515,19 @@ index dd8e01af3..9cd6b0b8e 100644
|
|||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
diff --git a/logrotate.te b/logrotate.te
|
diff --git a/logrotate.te b/logrotate.te
|
||||||
index be0ab84b3..882160882 100644
|
index be0ab84b3..9ca958706 100644
|
||||||
--- a/logrotate.te
|
--- a/logrotate.te
|
||||||
+++ b/logrotate.te
|
+++ b/logrotate.te
|
||||||
@@ -5,16 +5,29 @@ policy_module(logrotate, 1.15.0)
|
@@ -5,16 +5,33 @@ policy_module(logrotate, 1.15.0)
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
-attribute_role logrotate_roles;
|
-attribute_role logrotate_roles;
|
||||||
-roleattribute system_r logrotate_roles;
|
-roleattribute system_r logrotate_roles;
|
||||||
|
+gen_require(`
|
||||||
|
+ class passwd passwd;
|
||||||
|
+')
|
||||||
|
+
|
||||||
+## <desc>
|
+## <desc>
|
||||||
+## <p>
|
+## <p>
|
||||||
+## Allow logrotate to manage nfs files
|
+## Allow logrotate to manage nfs files
|
||||||
@ -47552,7 +47556,7 @@ index be0ab84b3..882160882 100644
|
|||||||
|
|
||||||
type logrotate_lock_t;
|
type logrotate_lock_t;
|
||||||
files_lock_file(logrotate_lock_t)
|
files_lock_file(logrotate_lock_t)
|
||||||
@@ -25,21 +38,31 @@ files_tmp_file(logrotate_tmp_t)
|
@@ -25,21 +42,33 @@ files_tmp_file(logrotate_tmp_t)
|
||||||
type logrotate_var_lib_t;
|
type logrotate_var_lib_t;
|
||||||
files_type(logrotate_var_lib_t)
|
files_type(logrotate_var_lib_t)
|
||||||
|
|
||||||
@ -47575,6 +47579,8 @@ index be0ab84b3..882160882 100644
|
|||||||
+
|
+
|
||||||
+allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
+allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||||
+
|
+
|
||||||
|
+allow logrotate_t self:passwd { passwd };
|
||||||
|
+
|
||||||
+# Set a context other than the default one for newly created files.
|
+# Set a context other than the default one for newly created files.
|
||||||
+allow logrotate_t self:process setfscreate;
|
+allow logrotate_t self:process setfscreate;
|
||||||
+
|
+
|
||||||
@ -47590,7 +47596,7 @@ index be0ab84b3..882160882 100644
|
|||||||
allow logrotate_t self:shm create_shm_perms;
|
allow logrotate_t self:shm create_shm_perms;
|
||||||
allow logrotate_t self:sem create_sem_perms;
|
allow logrotate_t self:sem create_sem_perms;
|
||||||
allow logrotate_t self:msgq create_msgq_perms;
|
allow logrotate_t self:msgq create_msgq_perms;
|
||||||
@@ -48,36 +71,54 @@ allow logrotate_t self:msg { send receive };
|
@@ -48,36 +77,54 @@ allow logrotate_t self:msg { send receive };
|
||||||
allow logrotate_t logrotate_lock_t:file manage_file_perms;
|
allow logrotate_t logrotate_lock_t:file manage_file_perms;
|
||||||
files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
|
files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
|
||||||
|
|
||||||
@ -47650,7 +47656,7 @@ index be0ab84b3..882160882 100644
|
|||||||
files_manage_generic_spool(logrotate_t)
|
files_manage_generic_spool(logrotate_t)
|
||||||
files_manage_generic_spool_dirs(logrotate_t)
|
files_manage_generic_spool_dirs(logrotate_t)
|
||||||
files_getattr_generic_locks(logrotate_t)
|
files_getattr_generic_locks(logrotate_t)
|
||||||
@@ -95,32 +136,57 @@ mls_process_write_to_clearance(logrotate_t)
|
@@ -95,32 +142,58 @@ mls_process_write_to_clearance(logrotate_t)
|
||||||
selinux_get_fs_mount(logrotate_t)
|
selinux_get_fs_mount(logrotate_t)
|
||||||
selinux_get_enforce_mode(logrotate_t)
|
selinux_get_enforce_mode(logrotate_t)
|
||||||
|
|
||||||
@ -47662,6 +47668,7 @@ index be0ab84b3..882160882 100644
|
|||||||
|
|
||||||
init_all_labeled_script_domtrans(logrotate_t)
|
init_all_labeled_script_domtrans(logrotate_t)
|
||||||
+init_reload_services(logrotate_t)
|
+init_reload_services(logrotate_t)
|
||||||
|
+init_reload_transient_unit(logrotate_t)
|
||||||
|
|
||||||
logging_manage_all_logs(logrotate_t)
|
logging_manage_all_logs(logrotate_t)
|
||||||
logging_send_syslog_msg(logrotate_t)
|
logging_send_syslog_msg(logrotate_t)
|
||||||
@ -47714,7 +47721,7 @@ index be0ab84b3..882160882 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -135,16 +201,17 @@ optional_policy(`
|
@@ -135,16 +208,17 @@ optional_policy(`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
apache_read_config(logrotate_t)
|
apache_read_config(logrotate_t)
|
||||||
@ -47734,7 +47741,7 @@ index be0ab84b3..882160882 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -170,6 +237,11 @@ optional_policy(`
|
@@ -170,6 +244,11 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -47746,7 +47753,7 @@ index be0ab84b3..882160882 100644
|
|||||||
fail2ban_stream_connect(logrotate_t)
|
fail2ban_stream_connect(logrotate_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -178,7 +250,8 @@ optional_policy(`
|
@@ -178,7 +257,8 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -47756,7 +47763,7 @@ index be0ab84b3..882160882 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -198,17 +271,18 @@ optional_policy(`
|
@@ -198,17 +278,18 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -47778,7 +47785,7 @@ index be0ab84b3..882160882 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -216,6 +290,14 @@ optional_policy(`
|
@@ -216,6 +297,14 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -47793,7 +47800,7 @@ index be0ab84b3..882160882 100644
|
|||||||
samba_exec_log(logrotate_t)
|
samba_exec_log(logrotate_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -228,26 +310,50 @@ optional_policy(`
|
@@ -228,26 +317,50 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -73824,7 +73831,7 @@ index 000000000..9c27847b2
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
diff --git a/plymouthd.fc b/plymouthd.fc
|
diff --git a/plymouthd.fc b/plymouthd.fc
|
||||||
index 735500fd1..2ba6832cc 100644
|
index 735500fd1..7f694728c 100644
|
||||||
--- a/plymouthd.fc
|
--- a/plymouthd.fc
|
||||||
+++ b/plymouthd.fc
|
+++ b/plymouthd.fc
|
||||||
@@ -1,15 +1,14 @@
|
@@ -1,15 +1,14 @@
|
||||||
@ -73842,7 +73849,7 @@ index 735500fd1..2ba6832cc 100644
|
|||||||
|
|
||||||
-/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
|
-/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
|
||||||
+/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
|
+/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
|
||||||
+/var/log/boot\.log gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)
|
+/var/log/boot\.log.* gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)
|
||||||
|
|
||||||
-/var/log/boot\.log.* -- gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)
|
-/var/log/boot\.log.* -- gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)
|
||||||
+/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
|
+/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
|
||||||
|
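Review bot: The new `allow $1 memory_device_t:chr_file map;` in `dev_read_raw_memory` (hunk `@@ -2525,6 +3031,7 @@`) hands `map` on /dev/mem to every caller of this interface, including domains that reach it through `dev_rx_raw_memory` and any domain that separately holds `write` on `memory_device_t`; for those, `map` together with `write` permits a writable shared mapping of physical memory, which is broader than the read()-style access the interface name and its summary describe. Neither the interface header nor the `dev_dontaudit_read_raw_memory` sibling is touched here, so if the dontaudit variant does not also cover `map`, mmap attempts by domains that are meant to be silenced will now surface as `map` AVC denials. Suggest documenting the widened permission in the summary, e.g. `## Read raw memory devices (e.g. /dev/mem), including mmap()ing them.`, and confirming that the dontaudit interface gains `dontaudit $1 memory_device_t:chr_file map;`. The `dev_read_raw_memory` definition starts and ends outside the visible hunk lines.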
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.13.1
|
Version: 3.13.1
|
||||||
Release: 280%{?dist}
|
Release: 281%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -681,6 +681,9 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Sep 11 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-281
|
||||||
|
- Allow domains reading raw memory also use mmap.
|
||||||
|
|
||||||
* Thu Sep 07 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-280
|
* Thu Sep 07 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-280
|
||||||
- Add rules fixing installing ipa-server-install with SELinux in Enforcing. BZ(1488404)
|
- Add rules fixing installing ipa-server-install with SELinux in Enforcing. BZ(1488404)
|
||||||
- Fix denials during ipa-server-install process on F27+
|
- Fix denials during ipa-server-install process on F27+
|
||||||
|