* Wed Dec 07 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-229
- Label /usr/bin/rpcbind as rpcbind_exec_t. Label /usr/lib/systemd/systemd/rpcbind.service - Allot tlp domain to create unix_dgram sockets BZ(1401233) - Allow antivirus domain to create lnk_files in /tmp - Allow cupsd_t to create lnk_files in /tmp. BZ(1401634) - Allow svnserve_t domain to read /dev/random BZ(1401827) - Allow lircd to use nsswitch. BZ(1401375) - Allow hostname_t domain to manage cluster_tmp_t files
This commit is contained in:
Lukas Vrabec
parent
cb2fd77b56
commit
68b689158d
Binary file not shown.
|
|
@ -35720,7 +35720,7 @@ index 187f04f..cf0af09 100644
|
|||
interface(`hostname_exec',`
|
||||
gen_require(`
|
||||
diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
|
||||
index 24a7889..a3d8f1a 100644
|
||||
index 24a7889..619b32e 100644
|
||||
--- a/policy/modules/system/hostname.te
|
||||
+++ b/policy/modules/system/hostname.te
|
||||
@@ -23,33 +23,36 @@ dontaudit hostname_t self:capability sys_tty_config;
|
||||
|
|
@ -35763,7 +35763,7 @@ index 24a7889..a3d8f1a 100644
|
|||
|
||||
sysnet_dontaudit_rw_dhcpc_udp_sockets(hostname_t)
|
||||
sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)
|
||||
@@ -57,6 +60,14 @@ sysnet_read_config(hostname_t)
|
||||
@@ -57,10 +60,22 @@ sysnet_read_config(hostname_t)
|
||||
sysnet_dns_name_resolve(hostname_t)
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -35778,6 +35778,14 @@ index 24a7889..a3d8f1a 100644
|
|||
nis_use_ypbind(hostname_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ rhcs_manage_cluster_tmp_files(hostname_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
xen_append_log(hostname_t)
|
||||
xen_dontaudit_use_fds(hostname_t)
|
||||
')
|
||||
diff --git a/policy/modules/system/hotplug.fc b/policy/modules/system/hotplug.fc
|
||||
index caf736b..91c4c6f 100644
|
||||
--- a/policy/modules/system/hotplug.fc
|
||||
|
|
|
|||
|
|
@ -3203,10 +3203,10 @@ index 0000000..36251b9
|
|||
+')
|
||||
diff --git a/antivirus.te b/antivirus.te
|
||||
new file mode 100644
|
||||
index 0000000..6bd2eb9
|
||||
index 0000000..c679dd3
|
||||
--- /dev/null
|
||||
+++ b/antivirus.te
|
||||
@@ -0,0 +1,273 @@
|
||||
@@ -0,0 +1,274 @@
|
||||
+policy_module(antivirus, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
|
|
@ -3298,7 +3298,8 @@ index 0000000..6bd2eb9
|
|||
+manage_dirs_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
|
||||
+manage_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
|
||||
+manage_sock_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
|
||||
+files_tmp_filetrans(antivirus_domain, antivirus_tmp_t, { file dir sock_file } )
|
||||
+manage_lnk_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
|
||||
+files_tmp_filetrans(antivirus_domain, antivirus_tmp_t, { file dir lnk_file sock_file } )
|
||||
+
|
||||
+manage_dirs_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
|
||||
+manage_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
|
||||
|
|
@ -20913,7 +20914,7 @@ index 3023be7..5afde80 100644
|
|||
+ files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
|
||||
')
|
||||
diff --git a/cups.te b/cups.te
|
||||
index c91813c..c3820a5 100644
|
||||
index c91813c..6f66ea4 100644
|
||||
--- a/cups.te
|
||||
+++ b/cups.te
|
||||
@@ -5,19 +5,31 @@ policy_module(cups, 1.16.2)
|
||||
|
|
@ -21095,7 +21096,8 @@ index c91813c..c3820a5 100644
|
|||
manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
|
||||
+manage_lnk_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
|
||||
manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
|
||||
files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file })
|
||||
-files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file })
|
||||
+files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file lnk_file })
|
||||
|
||||
+allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms;
|
||||
manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
|
||||
|
|
@ -45951,7 +45953,7 @@ index dff21a7..b6981c8 100644
|
|||
init_labeled_script_domtrans($1, lircd_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
diff --git a/lircd.te b/lircd.te
|
||||
index 483c87b..0a54c6d 100644
|
||||
index 483c87b..f68ee3a 100644
|
||||
--- a/lircd.te
|
||||
+++ b/lircd.te
|
||||
@@ -13,7 +13,7 @@ type lircd_initrc_exec_t;
|
||||
|
|
@ -45992,7 +45994,7 @@ index 483c87b..0a54c6d 100644
|
|||
+term_use_unallocated_ttys(lircd_t)
|
||||
|
||||
-logging_send_syslog_msg(lircd_t)
|
||||
+auth_read_passwd(lircd_t)
|
||||
+auth_use_nsswitch(lircd_t)
|
||||
|
||||
-miscfiles_read_localization(lircd_t)
|
||||
+logging_send_syslog_msg(lircd_t)
|
||||
|
|
@ -91366,6 +91368,20 @@ index 2da9fca..6935f5c 100644
|
|||
kerberos_use(gssd_t)
|
||||
')
|
||||
|
||||
diff --git a/rpcbind.fc b/rpcbind.fc
|
||||
index d31220e..c84a461 100644
|
||||
--- a/rpcbind.fc
|
||||
+++ b/rpcbind.fc
|
||||
@@ -1,6 +1,9 @@
|
||||
/etc/rc\.d/init\.d/rpcbind -- gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0)
|
||||
|
||||
+/usr/lib/systemd/system/rpcbind\.service -- gen_context(system_u:object_r:rpcbind_unit_file_t,s0)
|
||||
+
|
||||
/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
|
||||
+/bin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
|
||||
|
||||
/usr/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
|
||||
|
||||
diff --git a/rpcbind.if b/rpcbind.if
|
||||
index 3b5e9ee..ff1163f 100644
|
||||
--- a/rpcbind.if
|
||||
|
|
@ -91521,7 +91537,7 @@ index 3b5e9ee..ff1163f 100644
|
|||
+ admin_pattern($1, rpcbind_var_run_t)
|
||||
')
|
||||
diff --git a/rpcbind.te b/rpcbind.te
|
||||
index 54de77c..0ee4cc1 100644
|
||||
index 54de77c..4ce4fb9 100644
|
||||
--- a/rpcbind.te
|
||||
+++ b/rpcbind.te
|
||||
@@ -12,6 +12,9 @@ init_daemon_domain(rpcbind_t, rpcbind_exec_t)
|
||||
|
|
@ -91534,7 +91550,15 @@ index 54de77c..0ee4cc1 100644
|
|||
type rpcbind_var_run_t;
|
||||
files_pid_file(rpcbind_var_run_t)
|
||||
init_daemon_run_dir(rpcbind_var_run_t, "rpcbind")
|
||||
@@ -24,11 +27,15 @@ files_type(rpcbind_var_lib_t)
|
||||
@@ -19,16 +22,23 @@ init_daemon_run_dir(rpcbind_var_run_t, "rpcbind")
|
||||
type rpcbind_var_lib_t;
|
||||
files_type(rpcbind_var_lib_t)
|
||||
|
||||
+type rpcbind_unit_file_t;
|
||||
+systemd_unit_file(rpcbind_unit_file_t)
|
||||
+
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
|
||||
|
|
@ -91551,7 +91575,7 @@ index 54de77c..0ee4cc1 100644
|
|||
manage_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t)
|
||||
manage_sock_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t)
|
||||
files_pid_filetrans(rpcbind_t, rpcbind_var_run_t, { file sock_file })
|
||||
@@ -42,7 +49,6 @@ kernel_read_system_state(rpcbind_t)
|
||||
@@ -42,7 +52,6 @@ kernel_read_system_state(rpcbind_t)
|
||||
kernel_read_network_state(rpcbind_t)
|
||||
kernel_request_load_module(rpcbind_t)
|
||||
|
||||
|
|
@ -91559,7 +91583,7 @@ index 54de77c..0ee4cc1 100644
|
|||
corenet_all_recvfrom_netlabel(rpcbind_t)
|
||||
corenet_tcp_sendrecv_generic_if(rpcbind_t)
|
||||
corenet_udp_sendrecv_generic_if(rpcbind_t)
|
||||
@@ -68,7 +74,11 @@ auth_use_nsswitch(rpcbind_t)
|
||||
@@ -68,7 +77,11 @@ auth_use_nsswitch(rpcbind_t)
|
||||
|
||||
logging_send_syslog_msg(rpcbind_t)
|
||||
|
||||
|
|
@ -105766,7 +105790,7 @@ index 2ac91b6..a97033d 100644
|
|||
')
|
||||
+
|
||||
diff --git a/svnserve.te b/svnserve.te
|
||||
index 49d688d..f07cc80 100644
|
||||
index 49d688d..451a647 100644
|
||||
--- a/svnserve.te
|
||||
+++ b/svnserve.te
|
||||
@@ -12,12 +12,18 @@ init_daemon_domain(svnserve_t, svnserve_exec_t)
|
||||
|
|
@ -105810,11 +105834,12 @@ index 49d688d..f07cc80 100644
|
|||
corenet_all_recvfrom_unlabeled(svnserve_t)
|
||||
corenet_all_recvfrom_netlabel(svnserve_t)
|
||||
corenet_tcp_sendrecv_generic_if(svnserve_t)
|
||||
@@ -52,8 +60,8 @@ corenet_tcp_sendrecv_svn_port(svnserve_t)
|
||||
@@ -52,8 +60,9 @@ corenet_tcp_sendrecv_svn_port(svnserve_t)
|
||||
corenet_udp_bind_svn_port(svnserve_t)
|
||||
corenet_udp_sendrecv_svn_port(svnserve_t)
|
||||
|
||||
-logging_send_syslog_msg(svnserve_t)
|
||||
+dev_read_rand(svnserve_t)
|
||||
+dev_read_urand(svnserve_t)
|
||||
|
||||
-miscfiles_read_localization(svnserve_t)
|
||||
|
|
@ -109267,10 +109292,10 @@ index 0000000..46f12a4
|
|||
+')
|
||||
diff --git a/tlp.te b/tlp.te
|
||||
new file mode 100644
|
||||
index 0000000..7c81c68
|
||||
index 0000000..98e708a
|
||||
--- /dev/null
|
||||
+++ b/tlp.te
|
||||
@@ -0,0 +1,54 @@
|
||||
@@ -0,0 +1,55 @@
|
||||
+policy_module(tlp, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
|
|
@ -109295,6 +109320,7 @@ index 0000000..7c81c68
|
|||
+allow tlp_t self:capability { net_admin sys_rawio };
|
||||
+allow tlp_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+allow tlp_t self:udp_socket create_socket_perms;
|
||||
+allow tlp_t self:unix_dgram_socket create_socket_perms;
|
||||
+
|
||||
+manage_dirs_pattern(tlp_t, tlp_var_run_t, tlp_var_run_t)
|
||||
+manage_files_pattern(tlp_t, tlp_var_run_t, tlp_var_run_t)
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@
|
|||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 228%{?dist}
|
||||
Release: 229%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
|
|
@ -675,6 +675,15 @@ exit 0
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Dec 07 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-229
|
||||
- Label /usr/bin/rpcbind as rpcbind_exec_t. Label /usr/lib/systemd/systemd/rpcbind.service
|
||||
- Allot tlp domain to create unix_dgram sockets BZ(1401233)
|
||||
- Allow antivirus domain to create lnk_files in /tmp
|
||||
- Allow cupsd_t to create lnk_files in /tmp. BZ(1401634)
|
||||
- Allow svnserve_t domain to read /dev/random BZ(1401827)
|
||||
- Allow lircd to use nsswitch. BZ(1401375)
|
||||
- Allow hostname_t domain to manage cluster_tmp_t files
|
||||
|
||||
* Mon Dec 05 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-228
|
||||
- Fix some boolean descriptions.
|
||||
- Add fwupd_dbus_chat() interface
|
||||
|
|
|
|||
Loading…
Reference in New Issue