- Add labeling for /var/run/systemd/journal/syslog
- libvirt sends signals to ifconfig
- Allow domains that read logind session files to list them
This commit is contained in:
parent
ecab259899
commit
68079f6d89
@ -65286,7 +65286,7 @@ index 7c5d8d8..e6bb21e 100644
+')
+
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 3eca020..bc0bf43 100644
index 3eca020..c0eaf5e 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -5,56 +5,84 @@ policy_module(virt, 1.4.0)
@ -65688,7 +65688,7 @@ index 3eca020..bc0bf43 100644
miscfiles_read_localization(virtd_t)
miscfiles_read_generic_certs(virtd_t)
miscfiles_read_hwdata(virtd_t)
@@ -285,16 +423,30 @@ modutils_read_module_config(virtd_t)
@@ -285,16 +423,31 @@ modutils_read_module_config(virtd_t)
modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
@ -65700,6 +65700,7 @@ index 3eca020..bc0bf43 100644
seutil_read_default_contexts(virtd_t)
+seutil_read_file_contexts(virtd_t)
+sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
sysnet_read_config(virtd_t)
@ -65719,7 +65720,7 @@ index 3eca020..bc0bf43 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
@@ -313,6 +465,10 @@ optional_policy(`
@@ -313,6 +466,10 @@ optional_policy(`
')
optional_policy(`
@ -65730,7 +65731,7 @@ index 3eca020..bc0bf43 100644
dbus_system_bus_client(virtd_t)
optional_policy(`
@@ -326,6 +482,14 @@ optional_policy(`
@@ -326,6 +483,14 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(virtd_t)
')
@ -65745,7 +65746,7 @@ index 3eca020..bc0bf43 100644
')
optional_policy(`
@@ -334,11 +498,14 @@ optional_policy(`
@@ -334,11 +499,14 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_read_pid_files(virtd_t)
dnsmasq_signull(virtd_t)
@ -65760,7 +65761,7 @@ index 3eca020..bc0bf43 100644
# Manages /etc/sysconfig/system-config-firewall
iptables_manage_config(virtd_t)
@@ -360,11 +527,11 @@ optional_policy(`
@@ -360,11 +528,11 @@ optional_policy(`
')
optional_policy(`
@ -65777,7 +65778,7 @@ index 3eca020..bc0bf43 100644
')
optional_policy(`
@@ -394,20 +561,36 @@ optional_policy(`
@@ -394,20 +562,36 @@ optional_policy(`
# virtual domains common policy
#
@ -65817,7 +65818,7 @@ index 3eca020..bc0bf43 100644
corecmd_exec_bin(virt_domain)
corecmd_exec_shell(virt_domain)
@@ -418,10 +601,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
@@ -418,10 +602,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
corenet_tcp_sendrecv_all_ports(virt_domain)
corenet_tcp_bind_generic_node(virt_domain)
corenet_tcp_bind_vnc_port(virt_domain)
@ -65830,7 +65831,7 @@ index 3eca020..bc0bf43 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
@@ -429,10 +613,12 @@ dev_write_sound(virt_domain)
@@ -429,10 +614,12 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@ -65843,7 +65844,7 @@ index 3eca020..bc0bf43 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
@@ -440,25 +626,365 @@ files_search_all(virt_domain)
@@ -440,25 +627,365 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@ -71376,7 +71377,7 @@ index 354ce93..4738083 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 94fd8dd..ef5a3c8 100644
index 94fd8dd..5a52670 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -79,6 +79,44 @@ interface(`init_script_domain',`
@ -72068,7 +72069,7 @@ index 94fd8dd..ef5a3c8 100644
+ ')
+
+ files_search_pids($1)
+ filetrans_pattern($1, init_var_run_t, $2, $3)
+ filetrans_pattern($1, init_var_run_t, $2, $3, $4)
+')
+
+#######################################
@ -74730,13 +74731,14 @@ index a0b379d..2291a13 100644
- nscd_socket_use(sulogin_t)
-')
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index 02f4c97..314efca 100644
index 02f4c97..170e2e0 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -17,12 +17,26 @@
@@ -17,12 +17,27 @@
/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+
+/opt/zimbra/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
@ -74761,7 +74763,7 @@ index 02f4c97..314efca 100644
/var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
/var/lib/r?syslog(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
@@ -38,7 +52,7 @@ ifdef(`distro_suse', `
@@ -38,7 +53,7 @@ ifdef(`distro_suse', `
/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
/var/log/.* gen_context(system_u:object_r:var_log_t,s0)
@ -74770,7 +74772,15 @@ index 02f4c97..314efca 100644
/var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/cron[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
@@ -73,4 +87,8 @@ ifdef(`distro_redhat',`
@@ -66,6 +81,7 @@ ifdef(`distro_redhat',`
/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
/var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
/var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
+/var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
/var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
/var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
@@ -73,4 +89,9 @@ ifdef(`distro_redhat',`
/var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)
@ -74779,8 +74789,9 @@ index 02f4c97..314efca 100644
/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 831b909..9889380 100644
index 831b909..118f708 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@ -74865,7 +74876,7 @@ index 831b909..9889380 100644
########################################
## <summary>
## Send system log messages.
@@ -545,6 +602,44 @@ interface(`logging_send_syslog_msg',`
@@ -545,6 +602,45 @@ interface(`logging_send_syslog_msg',`
########################################
## <summary>
@ -74884,6 +74895,7 @@ index 831b909..9889380 100644
+
+ allow $1 devlog_t:sock_file manage_sock_file_perms;
+ dev_filetrans($1, devlog_t, sock_file)
+ init_pid_filetrans($1, devlog_t, sock_file, "syslog")
+')
+
+########################################
@ -74910,7 +74922,7 @@ index 831b909..9889380 100644
## Read the auditd configuration files.
## </summary>
## <param name="domain">
@@ -734,7 +829,25 @@ interface(`logging_append_all_logs',`
@@ -734,7 +830,25 @@ interface(`logging_append_all_logs',`
')
files_search_var($1)
@ -74937,7 +74949,7 @@ index 831b909..9889380 100644
')
########################################
@@ -817,7 +930,7 @@ interface(`logging_manage_all_logs',`
@@ -817,7 +931,7 @@ interface(`logging_manage_all_logs',`
files_search_var($1)
manage_files_pattern($1, logfile, logfile)
@ -74946,7 +74958,7 @@ index 831b909..9889380 100644
')
########################################
@@ -843,6 +956,44 @@ interface(`logging_read_generic_logs',`
@@ -843,6 +957,44 @@ interface(`logging_read_generic_logs',`
########################################
## <summary>
@ -74991,7 +75003,7 @@ index 831b909..9889380 100644
## Write generic log files.
## </summary>
## <param name="domain">
@@ -944,9 +1095,13 @@ interface(`logging_admin_audit',`
@@ -944,9 +1096,13 @@ interface(`logging_admin_audit',`
type auditd_initrc_exec_t;
')
@ -75006,7 +75018,7 @@ index 831b909..9889380 100644
manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
@@ -990,10 +1145,15 @@ interface(`logging_admin_syslog',`
@@ -990,10 +1146,15 @@ interface(`logging_admin_syslog',`
type syslogd_initrc_exec_t;
')
@ -75024,7 +75036,7 @@ index 831b909..9889380 100644
manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
@@ -1015,6 +1175,8 @@ interface(`logging_admin_syslog',`
@@ -1015,6 +1176,8 @@ interface(`logging_admin_syslog',`
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
logging_manage_all_logs($1)
@ -78595,10 +78607,10 @@ index 0000000..0d3e625
+/var/run/initramfs(/.*)? <<none>>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
index 0000000..75e7f1c
index 0000000..7581e7d
--- /dev/null
+++ b/policy/modules/system/systemd.if
@@ -0,0 +1,542 @@
@@ -0,0 +1,543 @@
+## <summary>SELinux policy for systemd components</summary>
+
+#######################################
@ -78823,6 +78835,7 @@ index 0000000..75e7f1c
+ ')
+
+ init_search_pid_dirs($1)
+ allow $1 systemd_logind_sessions_t:dir list_dir_perms;
+ read_files_pattern($1, systemd_logind_sessions_t, systemd_logind_sessions_t)
+')
+
@ -16,7 +16,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
Release: 73%{?dist}
Release: 74%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -471,6 +471,11 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Wed Jan 11 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-74
- Add labeling for /var/run/systemd/journal/syslog
- libvirt sends signals to ifconfig
- Allow domains that read logind session files to list them
* Wed Jan 11 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-73
- Fixed destined form libvirt-sandbox
- Allow apps that list sysfs to also read sympolicy links in this filesystem