- If I can create a socket I need to be able to set the attributes
- Add tcp/8775 port as neutron port - Add additional ports for swift ports - Added changes to fedora from bug bz#1082183 - Add support for tcp/6200 port - Allow collectd getattr access to configfs_t dir Fixes Bug 1115040 - Update neutron_manage_lib_files() interface - Allow glustered to connect to ephemeral ports - Allow apache to search ipa lib files by default - Allow neutron to domtrans to haproxy - Add rhcs_domtrans_haproxy() - Add support for openstack-glance-* unit files - Add initial support for /usr/bin/glance-scrubber - Allow swift to connect to keystone and memcache ports. - Fix labeling for /usr/lib/systemd/system/openstack-cinder-backup - Add policies for openstack-cinder - Add support for /usr/bin/nova-conductor - Add neutron_can_network boolean - Allow neutron to connect to neutron port - Allow glance domain to use syslog - Add support for /usr/bin/swift-object-expirer and label it as swift_exec_t
parent
24862fd309
commit
682896c0a1
@ -5452,7 +5452,7 @@ index 8e0f9cd..b9f45b9 100644
|
||||
|
||||
define(`create_packet_interfaces',``
|
||||
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
|
||||
index b191055..dab9975 100644
|
||||
index b191055..a19d634 100644
|
||||
--- a/policy/modules/kernel/corenetwork.te.in
|
||||
+++ b/policy/modules/kernel/corenetwork.te.in
|
||||
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
|
||||
@ -5724,7 +5724,7 @@ index b191055..dab9975 100644
|
||||
network_port(puppet, tcp, 8140, s0)
|
||||
network_port(pxe, udp,4011,s0)
|
||||
network_port(pyzor, udp,24441,s0)
|
||||
+network_port(neutron, tcp,9696,s0, tcp,9697,s0)
|
||||
+network_port(neutron, tcp, 8775, s0, tcp,9696,s0, tcp,9697,s0)
|
||||
network_port(radacct, udp,1646,s0, udp,1813,s0)
|
||||
network_port(radius, udp,1645,s0, udp,1812,s0)
|
||||
network_port(radsec, tcp,2083,s0)
|
||||
@ -5770,7 +5770,7 @@ index b191055..dab9975 100644
|
||||
network_port(svn, tcp,3690,s0, udp,3690,s0)
|
||||
network_port(svrloc, tcp,427,s0, udp,427,s0)
|
||||
network_port(swat, tcp,901,s0)
|
||||
+network_port(swift, tcp,6200,s0)
|
||||
+network_port(swift, tcp,6200-6203,s0)
|
||||
network_port(sype_transport, tcp,9911,s0, udp,9911,s0)
|
||||
-network_port(syslogd, udp,514,s0)
|
||||
+network_port(syslogd, udp,514,s0, udp,601,s0, tcp,601,s0)
|
||||
@ -22165,7 +22165,7 @@ index fe0c682..eb9cefe 100644
|
||||
+ ps_process_pattern($1, sshd_t)
|
||||
+')
|
||||
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
|
||||
index cc877c7..bdb6d0e 100644
|
||||
index cc877c7..b4e231c 100644
|
||||
--- a/policy/modules/services/ssh.te
|
||||
+++ b/policy/modules/services/ssh.te
|
||||
@@ -6,43 +6,68 @@ policy_module(ssh, 2.4.2)
|
||||
@ -22673,7 +22673,7 @@ index cc877c7..bdb6d0e 100644
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(ssh_keygen_t)
|
||||
@@ -341,3 +517,140 @@ optional_policy(`
|
||||
@@ -341,3 +517,147 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
udev_read_db(ssh_keygen_t)
|
||||
')
|
||||
@ -22728,6 +22728,9 @@ index cc877c7..bdb6d0e 100644
|
||||
+
|
||||
+corecmd_exec_shell(chroot_user_t)
|
||||
+
|
||||
+domain_subj_id_change_exemption(chroot_user_t)
|
||||
+domain_role_change_exemption(chroot_user_t)
|
||||
+
|
||||
+term_search_ptys(chroot_user_t)
|
||||
+term_use_ptmx(chroot_user_t)
|
||||
+
|
||||
@ -22777,6 +22780,10 @@ index cc877c7..bdb6d0e 100644
|
||||
+ ssh_rw_dgram_sockets(chroot_user_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ unconfined_shell_domtrans(chroot_user_t)
|
||||
+')
|
||||
+
|
||||
+######################################
|
||||
+#
|
||||
+# ssh_agent_type common policy local policy
|
||||
@ -29913,7 +29920,7 @@ index 79a45f6..89b43aa 100644
|
||||
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
|
||||
+')
|
||||
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
||||
index 17eda24..7c66e96 100644
|
||||
index 17eda24..84a3fcf 100644
|
||||
--- a/policy/modules/system/init.te
|
||||
+++ b/policy/modules/system/init.te
|
||||
@@ -11,10 +11,31 @@ gen_require(`
|
||||
@ -30034,7 +30041,7 @@ index 17eda24..7c66e96 100644
|
||||
# is ~sys_module really needed? observed:
|
||||
# sys_boot
|
||||
# sys_tty_config
|
||||
@@ -108,14 +157,42 @@ allow init_t self:capability ~sys_module;
|
||||
@@ -108,14 +157,43 @@ allow init_t self:capability ~sys_module;
|
||||
|
||||
allow init_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
@ -30072,6 +30079,7 @@ index 17eda24..7c66e96 100644
|
||||
+manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
|
||||
+manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
|
||||
+manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t)
|
||||
+manage_fifo_files_pattern(init_t, init_var_run_t, init_var_run_t)
|
||||
+files_pid_filetrans(init_t, init_var_run_t, { dir file })
|
||||
+allow init_t init_var_run_t:dir mounton;
|
||||
+allow init_t init_var_run_t:sock_file relabelto;
|
||||
@ -30083,7 +30091,7 @@ index 17eda24..7c66e96 100644
|
||||
|
||||
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
|
||||
dev_filetrans(init_t, initctl_t, fifo_file)
|
||||
@@ -125,13 +202,22 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
|
||||
@@ -125,13 +203,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
|
||||
|
||||
kernel_read_system_state(init_t)
|
||||
kernel_share_state(init_t)
|
||||
@ -30097,6 +30105,7 @@ index 17eda24..7c66e96 100644
|
||||
+corenet_tcp_bind_all_ports(init_t)
|
||||
+corenet_udp_bind_all_ports(init_t)
|
||||
+
|
||||
+dev_create_all_chr_files(init_t)
|
||||
+dev_rw_sysfs(init_t)
|
||||
+dev_read_urand(init_t)
|
||||
+dev_read_raw_memory(init_t)
|
||||
@ -30107,7 +30116,7 @@ index 17eda24..7c66e96 100644
|
||||
|
||||
domain_getpgid_all_domains(init_t)
|
||||
domain_kill_all_domains(init_t)
|
||||
@@ -139,14 +225,22 @@ domain_signal_all_domains(init_t)
|
||||
@@ -139,14 +227,22 @@ domain_signal_all_domains(init_t)
|
||||
domain_signull_all_domains(init_t)
|
||||
domain_sigstop_all_domains(init_t)
|
||||
domain_sigchld_all_domains(init_t)
|
||||
@ -30130,7 +30139,7 @@ index 17eda24..7c66e96 100644
|
||||
# file descriptors inherited from the rootfs:
|
||||
files_dontaudit_rw_root_files(init_t)
|
||||
files_dontaudit_rw_root_chr_files(init_t)
|
||||
@@ -156,28 +250,53 @@ fs_list_inotifyfs(init_t)
|
||||
@@ -156,28 +252,53 @@ fs_list_inotifyfs(init_t)
|
||||
fs_write_ramfs_sockets(init_t)
|
||||
|
||||
mcs_process_set_categories(init_t)
|
||||
@ -30187,7 +30196,7 @@ index 17eda24..7c66e96 100644
|
||||
|
||||
ifdef(`distro_gentoo',`
|
||||
allow init_t self:process { getcap setcap };
|
||||
@@ -186,29 +305,237 @@ ifdef(`distro_gentoo',`
|
||||
@@ -186,29 +307,237 @@ ifdef(`distro_gentoo',`
|
||||
')
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
@ -30434,7 +30443,7 @@ index 17eda24..7c66e96 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -216,7 +543,31 @@ optional_policy(`
|
||||
@@ -216,7 +545,31 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -30466,7 +30475,7 @@ index 17eda24..7c66e96 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -225,9 +576,9 @@ optional_policy(`
|
||||
@@ -225,9 +578,9 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
|
||||
@ -30478,7 +30487,7 @@ index 17eda24..7c66e96 100644
|
||||
allow initrc_t self:passwd rootok;
|
||||
allow initrc_t self:key manage_key_perms;
|
||||
|
||||
@@ -258,12 +609,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
||||
@@ -258,12 +611,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
||||
|
||||
allow initrc_t initrc_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
|
||||
@ -30495,7 +30504,7 @@ index 17eda24..7c66e96 100644
|
||||
|
||||
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
|
||||
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
|
||||
@@ -279,23 +634,36 @@ kernel_change_ring_buffer_level(initrc_t)
|
||||
@@ -279,23 +636,36 @@ kernel_change_ring_buffer_level(initrc_t)
|
||||
kernel_clear_ring_buffer(initrc_t)
|
||||
kernel_get_sysvipc_info(initrc_t)
|
||||
kernel_read_all_sysctls(initrc_t)
|
||||
@ -30538,7 +30547,7 @@ index 17eda24..7c66e96 100644
|
||||
corenet_tcp_sendrecv_all_ports(initrc_t)
|
||||
corenet_udp_sendrecv_all_ports(initrc_t)
|
||||
corenet_tcp_connect_all_ports(initrc_t)
|
||||
@@ -303,9 +671,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
|
||||
@@ -303,9 +673,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
|
||||
|
||||
dev_read_rand(initrc_t)
|
||||
dev_read_urand(initrc_t)
|
||||
@ -30550,7 +30559,7 @@ index 17eda24..7c66e96 100644
|
||||
dev_rw_sysfs(initrc_t)
|
||||
dev_list_usbfs(initrc_t)
|
||||
dev_read_framebuffer(initrc_t)
|
||||
@@ -313,8 +683,10 @@ dev_write_framebuffer(initrc_t)
|
||||
@@ -313,8 +685,10 @@ dev_write_framebuffer(initrc_t)
|
||||
dev_read_realtime_clock(initrc_t)
|
||||
dev_read_sound_mixer(initrc_t)
|
||||
dev_write_sound_mixer(initrc_t)
|
||||
@ -30561,7 +30570,7 @@ index 17eda24..7c66e96 100644
|
||||
dev_delete_lvm_control_dev(initrc_t)
|
||||
dev_manage_generic_symlinks(initrc_t)
|
||||
dev_manage_generic_files(initrc_t)
|
||||
@@ -322,8 +694,7 @@ dev_manage_generic_files(initrc_t)
|
||||
@@ -322,8 +696,7 @@ dev_manage_generic_files(initrc_t)
|
||||
dev_delete_generic_symlinks(initrc_t)
|
||||
dev_getattr_all_blk_files(initrc_t)
|
||||
dev_getattr_all_chr_files(initrc_t)
|
||||
@ -30571,7 +30580,7 @@ index 17eda24..7c66e96 100644
|
||||
|
||||
domain_kill_all_domains(initrc_t)
|
||||
domain_signal_all_domains(initrc_t)
|
||||
@@ -332,7 +703,6 @@ domain_sigstop_all_domains(initrc_t)
|
||||
@@ -332,7 +705,6 @@ domain_sigstop_all_domains(initrc_t)
|
||||
domain_sigchld_all_domains(initrc_t)
|
||||
domain_read_all_domains_state(initrc_t)
|
||||
domain_getattr_all_domains(initrc_t)
|
||||
@ -30579,7 +30588,7 @@ index 17eda24..7c66e96 100644
|
||||
domain_getsession_all_domains(initrc_t)
|
||||
domain_use_interactive_fds(initrc_t)
|
||||
# for lsof which is used by alsa shutdown:
|
||||
@@ -340,6 +710,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
|
||||
@@ -340,6 +712,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
|
||||
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
|
||||
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
|
||||
domain_dontaudit_getattr_all_pipes(initrc_t)
|
||||
@ -30587,7 +30596,7 @@ index 17eda24..7c66e96 100644
|
||||
|
||||
files_getattr_all_dirs(initrc_t)
|
||||
files_getattr_all_files(initrc_t)
|
||||
@@ -347,14 +718,15 @@ files_getattr_all_symlinks(initrc_t)
|
||||
@@ -347,14 +720,15 @@ files_getattr_all_symlinks(initrc_t)
|
||||
files_getattr_all_pipes(initrc_t)
|
||||
files_getattr_all_sockets(initrc_t)
|
||||
files_purge_tmp(initrc_t)
|
||||
@ -30605,7 +30614,7 @@ index 17eda24..7c66e96 100644
|
||||
files_read_usr_files(initrc_t)
|
||||
files_manage_urandom_seed(initrc_t)
|
||||
files_manage_generic_spool(initrc_t)
|
||||
@@ -364,8 +736,12 @@ files_list_isid_type_dirs(initrc_t)
|
||||
@@ -364,8 +738,12 @@ files_list_isid_type_dirs(initrc_t)
|
||||
files_mounton_isid_type_dirs(initrc_t)
|
||||
files_list_default(initrc_t)
|
||||
files_mounton_default(initrc_t)
|
||||
@ -30619,7 +30628,7 @@ index 17eda24..7c66e96 100644
|
||||
fs_list_inotifyfs(initrc_t)
|
||||
fs_register_binary_executable_type(initrc_t)
|
||||
# rhgb-console writes to ramfs
|
||||
@@ -375,10 +751,11 @@ fs_mount_all_fs(initrc_t)
|
||||
@@ -375,10 +753,11 @@ fs_mount_all_fs(initrc_t)
|
||||
fs_unmount_all_fs(initrc_t)
|
||||
fs_remount_all_fs(initrc_t)
|
||||
fs_getattr_all_fs(initrc_t)
|
||||
@ -30633,7 +30642,7 @@ index 17eda24..7c66e96 100644
|
||||
mcs_process_set_categories(initrc_t)
|
||||
|
||||
mls_file_read_all_levels(initrc_t)
|
||||
@@ -387,8 +764,10 @@ mls_process_read_up(initrc_t)
|
||||
@@ -387,8 +766,10 @@ mls_process_read_up(initrc_t)
|
||||
mls_process_write_down(initrc_t)
|
||||
mls_rangetrans_source(initrc_t)
|
||||
mls_fd_share_all_levels(initrc_t)
|
||||
@ -30644,7 +30653,7 @@ index 17eda24..7c66e96 100644
|
||||
|
||||
storage_getattr_fixed_disk_dev(initrc_t)
|
||||
storage_setattr_fixed_disk_dev(initrc_t)
|
||||
@@ -398,6 +777,7 @@ term_use_all_terms(initrc_t)
|
||||
@@ -398,6 +779,7 @@ term_use_all_terms(initrc_t)
|
||||
term_reset_tty_labels(initrc_t)
|
||||
|
||||
auth_rw_login_records(initrc_t)
|
||||
@ -30652,7 +30661,7 @@ index 17eda24..7c66e96 100644
|
||||
auth_setattr_login_records(initrc_t)
|
||||
auth_rw_lastlog(initrc_t)
|
||||
auth_read_pam_pid(initrc_t)
|
||||
@@ -416,20 +796,18 @@ logging_read_all_logs(initrc_t)
|
||||
@@ -416,20 +798,18 @@ logging_read_all_logs(initrc_t)
|
||||
logging_append_all_logs(initrc_t)
|
||||
logging_read_audit_config(initrc_t)
|
||||
|
||||
@ -30676,7 +30685,7 @@ index 17eda24..7c66e96 100644
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
dev_setattr_generic_dirs(initrc_t)
|
||||
@@ -451,7 +829,6 @@ ifdef(`distro_gentoo',`
|
||||
@@ -451,7 +831,6 @@ ifdef(`distro_gentoo',`
|
||||
allow initrc_t self:process setfscreate;
|
||||
dev_create_null_dev(initrc_t)
|
||||
dev_create_zero_dev(initrc_t)
|
||||
@ -30684,7 +30693,7 @@ index 17eda24..7c66e96 100644
|
||||
term_create_console_dev(initrc_t)
|
||||
|
||||
# unfortunately /sbin/rc does stupid tricks
|
||||
@@ -486,6 +863,10 @@ ifdef(`distro_gentoo',`
|
||||
@@ -486,6 +865,10 @@ ifdef(`distro_gentoo',`
|
||||
sysnet_setattr_config(initrc_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -30695,7 +30704,7 @@ index 17eda24..7c66e96 100644
|
||||
alsa_read_lib(initrc_t)
|
||||
')
|
||||
|
||||
@@ -506,7 +887,7 @@ ifdef(`distro_redhat',`
|
||||
@@ -506,7 +889,7 @@ ifdef(`distro_redhat',`
|
||||
|
||||
# Red Hat systems seem to have a stray
|
||||
# fd open from the initrd
|
||||
@ -30704,7 +30713,7 @@ index 17eda24..7c66e96 100644
|
||||
files_dontaudit_read_root_files(initrc_t)
|
||||
|
||||
# These seem to be from the initrd
|
||||
@@ -521,6 +902,7 @@ ifdef(`distro_redhat',`
|
||||
@@ -521,6 +904,7 @@ ifdef(`distro_redhat',`
|
||||
files_create_boot_dirs(initrc_t)
|
||||
files_create_boot_flag(initrc_t)
|
||||
files_rw_boot_symlinks(initrc_t)
|
||||
@ -30712,7 +30721,7 @@ index 17eda24..7c66e96 100644
|
||||
# wants to read /.fonts directory
|
||||
files_read_default_files(initrc_t)
|
||||
files_mountpoint(initrc_tmp_t)
|
||||
@@ -541,6 +923,7 @@ ifdef(`distro_redhat',`
|
||||
@@ -541,6 +925,7 @@ ifdef(`distro_redhat',`
|
||||
miscfiles_rw_localization(initrc_t)
|
||||
miscfiles_setattr_localization(initrc_t)
|
||||
miscfiles_relabel_localization(initrc_t)
|
||||
@ -30720,7 +30729,7 @@ index 17eda24..7c66e96 100644
|
||||
|
||||
miscfiles_read_fonts(initrc_t)
|
||||
miscfiles_read_hwdata(initrc_t)
|
||||
@@ -550,8 +933,44 @@ ifdef(`distro_redhat',`
|
||||
@@ -550,8 +935,44 @@ ifdef(`distro_redhat',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -30765,7 +30774,7 @@ index 17eda24..7c66e96 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -559,14 +978,31 @@ ifdef(`distro_redhat',`
|
||||
@@ -559,14 +980,31 @@ ifdef(`distro_redhat',`
|
||||
rpc_write_exports(initrc_t)
|
||||
rpc_manage_nfs_state_data(initrc_t)
|
||||
')
|
||||
@ -30797,7 +30806,7 @@ index 17eda24..7c66e96 100644
|
||||
')
|
||||
')
|
||||
|
||||
@@ -577,6 +1013,39 @@ ifdef(`distro_suse',`
|
||||
@@ -577,6 +1015,39 @@ ifdef(`distro_suse',`
|
||||
')
|
||||
')
|
||||
|
||||
@ -30837,7 +30846,7 @@ index 17eda24..7c66e96 100644
|
||||
optional_policy(`
|
||||
amavis_search_lib(initrc_t)
|
||||
amavis_setattr_pid_files(initrc_t)
|
||||
@@ -589,6 +1058,8 @@ optional_policy(`
|
||||
@@ -589,6 +1060,8 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
apache_read_config(initrc_t)
|
||||
apache_list_modules(initrc_t)
|
||||
@ -30846,7 +30855,7 @@ index 17eda24..7c66e96 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -610,6 +1081,7 @@ optional_policy(`
|
||||
@@ -610,6 +1083,7 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
cgroup_stream_connect_cgred(initrc_t)
|
||||
@ -30854,7 +30863,7 @@ index 17eda24..7c66e96 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -626,6 +1098,17 @@ optional_policy(`
|
||||
@@ -626,6 +1100,17 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -30872,7 +30881,7 @@ index 17eda24..7c66e96 100644
|
||||
dev_getattr_printer_dev(initrc_t)
|
||||
|
||||
cups_read_log(initrc_t)
|
||||
@@ -642,9 +1125,13 @@ optional_policy(`
|
||||
@@ -642,9 +1127,13 @@ optional_policy(`
|
||||
dbus_connect_system_bus(initrc_t)
|
||||
dbus_system_bus_client(initrc_t)
|
||||
dbus_read_config(initrc_t)
|
||||
@ -30886,7 +30895,7 @@ index 17eda24..7c66e96 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -657,15 +1144,11 @@ optional_policy(`
|
||||
@@ -657,15 +1146,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -30904,7 +30913,7 @@ index 17eda24..7c66e96 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -686,6 +1169,15 @@ optional_policy(`
|
||||
@@ -686,6 +1171,15 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -30920,7 +30929,7 @@ index 17eda24..7c66e96 100644
|
||||
inn_exec_config(initrc_t)
|
||||
')
|
||||
|
||||
@@ -726,6 +1218,7 @@ optional_policy(`
|
||||
@@ -726,6 +1220,7 @@ optional_policy(`
|
||||
lpd_list_spool(initrc_t)
|
||||
|
||||
lpd_read_config(initrc_t)
|
||||
@ -30928,7 +30937,7 @@ index 17eda24..7c66e96 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -743,7 +1236,13 @@ optional_policy(`
|
||||
@@ -743,7 +1238,13 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -30943,7 +30952,7 @@ index 17eda24..7c66e96 100644
|
||||
mta_dontaudit_read_spool_symlinks(initrc_t)
|
||||
')
|
||||
|
||||
@@ -766,6 +1265,10 @@ optional_policy(`
|
||||
@@ -766,6 +1267,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -30954,7 +30963,7 @@ index 17eda24..7c66e96 100644
|
||||
postgresql_manage_db(initrc_t)
|
||||
postgresql_read_config(initrc_t)
|
||||
')
|
||||
@@ -775,10 +1278,20 @@ optional_policy(`
|
||||
@@ -775,10 +1280,20 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -30975,7 +30984,7 @@ index 17eda24..7c66e96 100644
|
||||
quota_manage_flags(initrc_t)
|
||||
')
|
||||
|
||||
@@ -787,6 +1300,10 @@ optional_policy(`
|
||||
@@ -787,6 +1302,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -30986,7 +30995,7 @@ index 17eda24..7c66e96 100644
|
||||
fs_write_ramfs_sockets(initrc_t)
|
||||
fs_search_ramfs(initrc_t)
|
||||
|
||||
@@ -808,8 +1325,6 @@ optional_policy(`
|
||||
@@ -808,8 +1327,6 @@ optional_policy(`
|
||||
# bash tries ioctl for some reason
|
||||
files_dontaudit_ioctl_all_pids(initrc_t)
|
||||
|
||||
@ -30995,7 +31004,7 @@ index 17eda24..7c66e96 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -818,6 +1333,10 @@ optional_policy(`
|
||||
@@ -818,6 +1335,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -31006,7 +31015,7 @@ index 17eda24..7c66e96 100644
|
||||
# shorewall-init script run /var/lib/shorewall/firewall
|
||||
shorewall_lib_domtrans(initrc_t)
|
||||
')
|
||||
@@ -827,10 +1346,12 @@ optional_policy(`
|
||||
@@ -827,10 +1348,12 @@ optional_policy(`
|
||||
squid_manage_logs(initrc_t)
|
||||
')
|
||||
|
||||
@ -31019,7 +31028,7 @@ index 17eda24..7c66e96 100644
|
||||
|
||||
optional_policy(`
|
||||
ssh_dontaudit_read_server_keys(initrc_t)
|
||||
@@ -857,21 +1378,60 @@ optional_policy(`
|
||||
@@ -857,21 +1380,60 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -31081,7 +31090,7 @@ index 17eda24..7c66e96 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -887,6 +1447,10 @@ optional_policy(`
|
||||
@@ -887,6 +1449,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -31092,7 +31101,7 @@ index 17eda24..7c66e96 100644
|
||||
# Set device ownerships/modes.
|
||||
xserver_setattr_console_pipes(initrc_t)
|
||||
|
||||
@@ -897,3 +1461,218 @@ optional_policy(`
|
||||
@@ -897,3 +1463,218 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
zebra_read_config(initrc_t)
|
||||
')
|
||||
@ -47757,7 +47766,7 @@ index e79d545..101086d 100644
|
||||
')
|
||||
|
||||
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
|
||||
index 6e91317..018d0a6 100644
|
||||
index 6e91317..8fc985f 100644
|
||||
--- a/policy/support/obj_perm_sets.spt
|
||||
+++ b/policy/support/obj_perm_sets.spt
|
||||
@@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
|
||||
@ -47819,16 +47828,18 @@ index 6e91317..018d0a6 100644
|
||||
define(`create_fifo_file_perms',`{ getattr create open }')
|
||||
define(`rename_fifo_file_perms',`{ getattr rename }')
|
||||
define(`delete_fifo_file_perms',`{ getattr unlink }')
|
||||
@@ -208,7 +212,8 @@ define(`getattr_sock_file_perms',`{ getattr }')
|
||||
@@ -208,8 +212,9 @@ define(`getattr_sock_file_perms',`{ getattr }')
|
||||
define(`setattr_sock_file_perms',`{ setattr }')
|
||||
define(`read_sock_file_perms',`{ getattr open read }')
|
||||
define(`write_sock_file_perms',`{ getattr write open append }')
|
||||
-define(`rw_sock_file_perms',`{ getattr open read write append }')
|
||||
-define(`create_sock_file_perms',`{ getattr create open }')
|
||||
+define(`rw_inherited_sock_file_perms',`{ getattr read write append }')
|
||||
+define(`rw_sock_file_perms',`{ open rw_inherited_sock_file_perms }')
|
||||
define(`create_sock_file_perms',`{ getattr create open }')
|
||||
+define(`create_sock_file_perms',`{ getattr setattr create open }')
|
||||
define(`rename_sock_file_perms',`{ getattr rename }')
|
||||
define(`delete_sock_file_perms',`{ getattr unlink }')
|
||||
define(`manage_sock_file_perms',`{ create open getattr setattr read write rename link unlink ioctl lock append }')
|
||||
@@ -225,7 +230,8 @@ define(`setattr_blk_file_perms',`{ setattr }')
|
||||
define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
|
||||
define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
|
||||
|
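Review bot: The new-side `define(`create_sock_file_perms',`{ getattr setattr create open }')` at the end of the obj_perm_sets.spt hunk widens every existing caller of that permission set, not only the domain behind the "If I can create a socket I need to be able to set the attributes" changelog entry: any domain that was previously allowed only to create a sock_file in a directory can now also change its mode or ownership. Domains granted `manage_sock_file_perms` already had setattr (see the unchanged manage define in the same hunk), so the change only matters for create-only callers, which is exactly the set this commit does not enumerate. Before merging, the callers of `create_sock_file_perms` (and any `create_sock_files_pattern`-style macros built on it, if the tree has them) should be listed to confirm the extra permission is acceptable for each, or the domain that needs it should be given `setattr` directly. I would also record the intent next to the set itself, e.g. a comment line above the define: `# setattr is deliberately part of create: a domain that creates a sock_file is expected to fix up its mode/ownership`.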
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 62%{?dist}
|
||||
Release: 63%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -600,6 +600,29 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Jul 4 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-63
|
||||
- If I can create a socket I need to be able to set the attributes
|
||||
- Add tcp/8775 port as neutron port
|
||||
- Add additional ports for swift ports
|
||||
- Added changes to fedora from bug bz#1082183
|
||||
- Add support for tcp/6200 port
|
||||
- Allow collectd getattr access to configfs_t dir Fixes Bug 1115040
|
||||
- Update neutron_manage_lib_files() interface
|
||||
- Allow glustered to connect to ephemeral ports
|
||||
- Allow apache to search ipa lib files by default
|
||||
- Allow neutron to domtrans to haproxy
|
||||
- Add rhcs_domtrans_haproxy()
|
||||
- Add support for openstack-glance-* unit files
|
||||
- Add initial support for /usr/bin/glance-scrubber
|
||||
- Allow swift to connect to keystone and memcache ports.
|
||||
- Fix labeling for /usr/lib/systemd/system/openstack-cinder-backup
|
||||
- Add policies for openstack-cinder
|
||||
- Add support for /usr/bin/nova-conductor
|
||||
- Add neutron_can_network boolean
|
||||
- Allow neutron to connet to neutron port
|
||||
- Allow glance domain to use syslog
|
||||
- Add support for /usr/bin/swift-object-expirer and label it as swift_exec_t
|
||||
|
||||
* Wed Jun 25 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-62
|
||||
- Allow swift to use tcp/6200 swift port
|
||||
- ALlow swift to search apache configs
|
||||
|