+- Add labeling for /var/run/systemd/journal/syslog
+- libvirt sends signals to ifconfig +- Allow domains that read logind session files to list them
This commit is contained in:
parent
ecab259899
commit
68079f6d89
@ -65286,7 +65286,7 @@ index 7c5d8d8..e6bb21e 100644
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
|
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
|
||||||
index 3eca020..bc0bf43 100644
|
index 3eca020..c0eaf5e 100644
|
||||||
--- a/policy/modules/services/virt.te
|
--- a/policy/modules/services/virt.te
|
||||||
+++ b/policy/modules/services/virt.te
|
+++ b/policy/modules/services/virt.te
|
||||||
@@ -5,56 +5,84 @@ policy_module(virt, 1.4.0)
|
@@ -5,56 +5,84 @@ policy_module(virt, 1.4.0)
|
||||||
@ -65688,7 +65688,7 @@ index 3eca020..bc0bf43 100644
|
|||||||
miscfiles_read_localization(virtd_t)
|
miscfiles_read_localization(virtd_t)
|
||||||
miscfiles_read_generic_certs(virtd_t)
|
miscfiles_read_generic_certs(virtd_t)
|
||||||
miscfiles_read_hwdata(virtd_t)
|
miscfiles_read_hwdata(virtd_t)
|
||||||
@@ -285,16 +423,30 @@ modutils_read_module_config(virtd_t)
|
@@ -285,16 +423,31 @@ modutils_read_module_config(virtd_t)
|
||||||
modutils_manage_module_config(virtd_t)
|
modutils_manage_module_config(virtd_t)
|
||||||
|
|
||||||
logging_send_syslog_msg(virtd_t)
|
logging_send_syslog_msg(virtd_t)
|
||||||
@ -65700,6 +65700,7 @@ index 3eca020..bc0bf43 100644
|
|||||||
seutil_read_default_contexts(virtd_t)
|
seutil_read_default_contexts(virtd_t)
|
||||||
+seutil_read_file_contexts(virtd_t)
|
+seutil_read_file_contexts(virtd_t)
|
||||||
|
|
||||||
|
+sysnet_signal_ifconfig(virtd_t)
|
||||||
sysnet_domtrans_ifconfig(virtd_t)
|
sysnet_domtrans_ifconfig(virtd_t)
|
||||||
sysnet_read_config(virtd_t)
|
sysnet_read_config(virtd_t)
|
||||||
|
|
||||||
@ -65719,7 +65720,7 @@ index 3eca020..bc0bf43 100644
|
|||||||
|
|
||||||
tunable_policy(`virt_use_nfs',`
|
tunable_policy(`virt_use_nfs',`
|
||||||
fs_manage_nfs_dirs(virtd_t)
|
fs_manage_nfs_dirs(virtd_t)
|
||||||
@@ -313,6 +465,10 @@ optional_policy(`
|
@@ -313,6 +466,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -65730,7 +65731,7 @@ index 3eca020..bc0bf43 100644
|
|||||||
dbus_system_bus_client(virtd_t)
|
dbus_system_bus_client(virtd_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -326,6 +482,14 @@ optional_policy(`
|
@@ -326,6 +483,14 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
hal_dbus_chat(virtd_t)
|
hal_dbus_chat(virtd_t)
|
||||||
')
|
')
|
||||||
@ -65745,7 +65746,7 @@ index 3eca020..bc0bf43 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -334,11 +498,14 @@ optional_policy(`
|
@@ -334,11 +499,14 @@ optional_policy(`
|
||||||
dnsmasq_kill(virtd_t)
|
dnsmasq_kill(virtd_t)
|
||||||
dnsmasq_read_pid_files(virtd_t)
|
dnsmasq_read_pid_files(virtd_t)
|
||||||
dnsmasq_signull(virtd_t)
|
dnsmasq_signull(virtd_t)
|
||||||
@ -65760,7 +65761,7 @@ index 3eca020..bc0bf43 100644
|
|||||||
|
|
||||||
# Manages /etc/sysconfig/system-config-firewall
|
# Manages /etc/sysconfig/system-config-firewall
|
||||||
iptables_manage_config(virtd_t)
|
iptables_manage_config(virtd_t)
|
||||||
@@ -360,11 +527,11 @@ optional_policy(`
|
@@ -360,11 +528,11 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -65777,7 +65778,7 @@ index 3eca020..bc0bf43 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -394,20 +561,36 @@ optional_policy(`
|
@@ -394,20 +562,36 @@ optional_policy(`
|
||||||
# virtual domains common policy
|
# virtual domains common policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -65817,7 +65818,7 @@ index 3eca020..bc0bf43 100644
|
|||||||
corecmd_exec_bin(virt_domain)
|
corecmd_exec_bin(virt_domain)
|
||||||
corecmd_exec_shell(virt_domain)
|
corecmd_exec_shell(virt_domain)
|
||||||
|
|
||||||
@@ -418,10 +601,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
|
@@ -418,10 +602,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
|
||||||
corenet_tcp_sendrecv_all_ports(virt_domain)
|
corenet_tcp_sendrecv_all_ports(virt_domain)
|
||||||
corenet_tcp_bind_generic_node(virt_domain)
|
corenet_tcp_bind_generic_node(virt_domain)
|
||||||
corenet_tcp_bind_vnc_port(virt_domain)
|
corenet_tcp_bind_vnc_port(virt_domain)
|
||||||
@ -65830,7 +65831,7 @@ index 3eca020..bc0bf43 100644
|
|||||||
dev_read_rand(virt_domain)
|
dev_read_rand(virt_domain)
|
||||||
dev_read_sound(virt_domain)
|
dev_read_sound(virt_domain)
|
||||||
dev_read_urand(virt_domain)
|
dev_read_urand(virt_domain)
|
||||||
@@ -429,10 +613,12 @@ dev_write_sound(virt_domain)
|
@@ -429,10 +614,12 @@ dev_write_sound(virt_domain)
|
||||||
dev_rw_ksm(virt_domain)
|
dev_rw_ksm(virt_domain)
|
||||||
dev_rw_kvm(virt_domain)
|
dev_rw_kvm(virt_domain)
|
||||||
dev_rw_qemu(virt_domain)
|
dev_rw_qemu(virt_domain)
|
||||||
@ -65843,7 +65844,7 @@ index 3eca020..bc0bf43 100644
|
|||||||
files_read_usr_files(virt_domain)
|
files_read_usr_files(virt_domain)
|
||||||
files_read_var_files(virt_domain)
|
files_read_var_files(virt_domain)
|
||||||
files_search_all(virt_domain)
|
files_search_all(virt_domain)
|
||||||
@@ -440,25 +626,365 @@ files_search_all(virt_domain)
|
@@ -440,25 +627,365 @@ files_search_all(virt_domain)
|
||||||
fs_getattr_tmpfs(virt_domain)
|
fs_getattr_tmpfs(virt_domain)
|
||||||
fs_rw_anon_inodefs_files(virt_domain)
|
fs_rw_anon_inodefs_files(virt_domain)
|
||||||
fs_rw_tmpfs_files(virt_domain)
|
fs_rw_tmpfs_files(virt_domain)
|
||||||
@ -71376,7 +71377,7 @@ index 354ce93..4738083 100644
|
|||||||
')
|
')
|
||||||
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
|
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
|
||||||
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
|
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
|
||||||
index 94fd8dd..ef5a3c8 100644
|
index 94fd8dd..5a52670 100644
|
||||||
--- a/policy/modules/system/init.if
|
--- a/policy/modules/system/init.if
|
||||||
+++ b/policy/modules/system/init.if
|
+++ b/policy/modules/system/init.if
|
||||||
@@ -79,6 +79,44 @@ interface(`init_script_domain',`
|
@@ -79,6 +79,44 @@ interface(`init_script_domain',`
|
||||||
@ -72068,7 +72069,7 @@ index 94fd8dd..ef5a3c8 100644
|
|||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ files_search_pids($1)
|
+ files_search_pids($1)
|
||||||
+ filetrans_pattern($1, init_var_run_t, $2, $3)
|
+ filetrans_pattern($1, init_var_run_t, $2, $3, $4)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+#######################################
|
+#######################################
|
||||||
@ -74730,13 +74731,14 @@ index a0b379d..2291a13 100644
|
|||||||
- nscd_socket_use(sulogin_t)
|
- nscd_socket_use(sulogin_t)
|
||||||
-')
|
-')
|
||||||
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
|
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
|
||||||
index 02f4c97..314efca 100644
|
index 02f4c97..170e2e0 100644
|
||||||
--- a/policy/modules/system/logging.fc
|
--- a/policy/modules/system/logging.fc
|
||||||
+++ b/policy/modules/system/logging.fc
|
+++ b/policy/modules/system/logging.fc
|
||||||
@@ -17,12 +17,26 @@
|
@@ -17,12 +17,27 @@
|
||||||
/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
|
/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
|
||||||
/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
|
/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
|
||||||
|
|
||||||
|
+/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
|
||||||
+/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
|
+/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
|
||||||
+
|
+
|
||||||
+/opt/zimbra/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
+/opt/zimbra/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||||
@ -74761,7 +74763,7 @@ index 02f4c97..314efca 100644
|
|||||||
|
|
||||||
/var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
|
/var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
|
||||||
/var/lib/r?syslog(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
|
/var/lib/r?syslog(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
|
||||||
@@ -38,7 +52,7 @@ ifdef(`distro_suse', `
|
@@ -38,7 +53,7 @@ ifdef(`distro_suse', `
|
||||||
|
|
||||||
/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
|
/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
|
||||||
/var/log/.* gen_context(system_u:object_r:var_log_t,s0)
|
/var/log/.* gen_context(system_u:object_r:var_log_t,s0)
|
||||||
@ -74770,7 +74772,15 @@ index 02f4c97..314efca 100644
|
|||||||
/var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
|
/var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
|
||||||
/var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
|
/var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
|
||||||
/var/log/cron[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
|
/var/log/cron[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
|
||||||
@@ -73,4 +87,8 @@ ifdef(`distro_redhat',`
|
@@ -66,6 +81,7 @@ ifdef(`distro_redhat',`
|
||||||
|
/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
|
||||||
|
/var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
|
||||||
|
/var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
|
||||||
|
+/var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
|
||||||
|
|
||||||
|
/var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
|
||||||
|
/var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||||
|
@@ -73,4 +89,9 @@ ifdef(`distro_redhat',`
|
||||||
/var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh)
|
/var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh)
|
||||||
/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||||
|
|
||||||
@ -74779,8 +74789,9 @@ index 02f4c97..314efca 100644
|
|||||||
/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||||
+
|
+
|
||||||
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||||
|
+
|
||||||
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
|
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
|
||||||
index 831b909..9889380 100644
|
index 831b909..118f708 100644
|
||||||
--- a/policy/modules/system/logging.if
|
--- a/policy/modules/system/logging.if
|
||||||
+++ b/policy/modules/system/logging.if
|
+++ b/policy/modules/system/logging.if
|
||||||
@@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
|
@@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
|
||||||
@ -74865,7 +74876,7 @@ index 831b909..9889380 100644
|
|||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Send system log messages.
|
## Send system log messages.
|
||||||
@@ -545,6 +602,44 @@ interface(`logging_send_syslog_msg',`
|
@@ -545,6 +602,45 @@ interface(`logging_send_syslog_msg',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -74884,6 +74895,7 @@ index 831b909..9889380 100644
|
|||||||
+
|
+
|
||||||
+ allow $1 devlog_t:sock_file manage_sock_file_perms;
|
+ allow $1 devlog_t:sock_file manage_sock_file_perms;
|
||||||
+ dev_filetrans($1, devlog_t, sock_file)
|
+ dev_filetrans($1, devlog_t, sock_file)
|
||||||
|
+ init_pid_filetrans($1, devlog_t, sock_file, "syslog")
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -74910,7 +74922,7 @@ index 831b909..9889380 100644
|
|||||||
## Read the auditd configuration files.
|
## Read the auditd configuration files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -734,7 +829,25 @@ interface(`logging_append_all_logs',`
|
@@ -734,7 +830,25 @@ interface(`logging_append_all_logs',`
|
||||||
')
|
')
|
||||||
|
|
||||||
files_search_var($1)
|
files_search_var($1)
|
||||||
@ -74937,7 +74949,7 @@ index 831b909..9889380 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -817,7 +930,7 @@ interface(`logging_manage_all_logs',`
|
@@ -817,7 +931,7 @@ interface(`logging_manage_all_logs',`
|
||||||
|
|
||||||
files_search_var($1)
|
files_search_var($1)
|
||||||
manage_files_pattern($1, logfile, logfile)
|
manage_files_pattern($1, logfile, logfile)
|
||||||
@ -74946,7 +74958,7 @@ index 831b909..9889380 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -843,6 +956,44 @@ interface(`logging_read_generic_logs',`
|
@@ -843,6 +957,44 @@ interface(`logging_read_generic_logs',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -74991,7 +75003,7 @@ index 831b909..9889380 100644
|
|||||||
## Write generic log files.
|
## Write generic log files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -944,9 +1095,13 @@ interface(`logging_admin_audit',`
|
@@ -944,9 +1096,13 @@ interface(`logging_admin_audit',`
|
||||||
type auditd_initrc_exec_t;
|
type auditd_initrc_exec_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -75006,7 +75018,7 @@ index 831b909..9889380 100644
|
|||||||
manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
|
manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
|
||||||
manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
|
manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
|
||||||
|
|
||||||
@@ -990,10 +1145,15 @@ interface(`logging_admin_syslog',`
|
@@ -990,10 +1146,15 @@ interface(`logging_admin_syslog',`
|
||||||
type syslogd_initrc_exec_t;
|
type syslogd_initrc_exec_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -75024,7 +75036,7 @@ index 831b909..9889380 100644
|
|||||||
|
|
||||||
manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
|
manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
|
||||||
manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
|
manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
|
||||||
@@ -1015,6 +1175,8 @@ interface(`logging_admin_syslog',`
|
@@ -1015,6 +1176,8 @@ interface(`logging_admin_syslog',`
|
||||||
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
|
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
|
||||||
|
|
||||||
logging_manage_all_logs($1)
|
logging_manage_all_logs($1)
|
||||||
@ -78595,10 +78607,10 @@ index 0000000..0d3e625
|
|||||||
+/var/run/initramfs(/.*)? <<none>>
|
+/var/run/initramfs(/.*)? <<none>>
|
||||||
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
|
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..75e7f1c
|
index 0000000..7581e7d
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/system/systemd.if
|
+++ b/policy/modules/system/systemd.if
|
||||||
@@ -0,0 +1,542 @@
|
@@ -0,0 +1,543 @@
|
||||||
+## <summary>SELinux policy for systemd components</summary>
|
+## <summary>SELinux policy for systemd components</summary>
|
||||||
+
|
+
|
||||||
+#######################################
|
+#######################################
|
||||||
@ -78823,6 +78835,7 @@ index 0000000..75e7f1c
|
|||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ init_search_pid_dirs($1)
|
+ init_search_pid_dirs($1)
|
||||||
|
+ allow $1 systemd_logind_sessions_t:dir list_dir_perms;
|
||||||
+ read_files_pattern($1, systemd_logind_sessions_t, systemd_logind_sessions_t)
|
+ read_files_pattern($1, systemd_logind_sessions_t, systemd_logind_sessions_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
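Review bot: The new fourth argument in `init_pid_filetrans($1, devlog_t, sock_file, "syslog")` (logging.if) relies on the `$4` now forwarded by `filetrans_pattern($1, init_var_run_t, $2, $3, $4)` (init.if), but that hunk shows only the one call line; the interface signature and its `<param>` XML are outside the hunk, so the new optional name parameter should be documented there, e.g. `## <param name="name" optional="true"><summary>Name of the object being created.</summary></param>`, and the existing three-argument callers keep working only because m4 expands a missing `$4` to empty. The named transition matches only while /var/run/systemd/journal itself is `init_var_run_t`, which the `/var/run/systemd(/.*)?` entry in init.fc currently provides; if that directory later gets a dedicated type, the journald socket would no longer transition to the `devlog_t` context added in logging.fc. In systemd.if the added `allow $1 systemd_logind_sessions_t:dir list_dir_perms;` is a raw allow inside an interface that otherwise uses patterns; `list_dirs_pattern($1, systemd_logind_sessions_t, systemd_logind_sessions_t)` is the conventional form, and since it widens what every existing caller of the interface gets, the interface summary should say so. The file header of this section is outside the visible chunk.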
|
@ -16,7 +16,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.10.0
|
Version: 3.10.0
|
||||||
Release: 73%{?dist}
|
Release: 74%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -471,6 +471,11 @@ SELinux Reference policy mls base module.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jan 11 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-74
|
||||||
|
- Add labeling for /var/run/systemd/journal/syslog
|
||||||
|
- libvirt sends signals to ifconfig
|
||||||
|
- Allow domains that read logind session files to list them
|
||||||
|
|
||||||
* Wed Jan 11 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-73
|
* Wed Jan 11 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-73
|
||||||
- Fixed destined form libvirt-sandbox
|
- Fixed destined form libvirt-sandbox
|
||||||
- Allow apps that list sysfs to also read sympolicy links in this filesystem
|
- Allow apps that list sysfs to also read sympolicy links in this filesystem
|
||||||
|