rpms
/
selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

* Wed Aug 31 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-212 

- udisk2 module is part of devicekit module now
- Fix file context for /etc/pki/pki-tomcat/ca/
- new interface oddjob_mkhomedir_entrypoint()
- Allow mdadm to get attributes from all devices.
- Label /etc/puppetlabs as puppet_etc_t.
- quota: allow init to run quota tools
- Add new domain ipa_ods_exporter_t BZ(1366640)
- Create new interface opendnssec_stream_connect()
- Allow VirtualBox to manage udev rules.
- Allow systemd_resolved to send dbus msgs to userdomains
- Make entrypoint oddjob_mkhomedir_exec_t for unconfined_t
- Label all files in /dev/oracleasmfs/ as oracleasmfs_t
This commit is contained in:
Lukas Vrabec 2016-08-31 12:07:56 +02:00
parent acb4d9f0be
commit 69374e6e65
4 changed files with 169 additions and 98 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
docker-selinux.tgz
View File

Binary file not shown.

135
policy-rawhide-base.patch
View File

@ -17860,10 +17860,10 @@ index 1a03abd..3221f80 100644
allow files_unconfined_type file_type:file execmod; allow files_unconfined_type file_type:file execmod;
') ')
diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
index d7c11a0..efcd377 100644 index d7c11a0..f521a50 100644
--- a/policy/modules/kernel/filesystem.fc --- a/policy/modules/kernel/filesystem.fc
+++ b/policy/modules/kernel/filesystem.fc +++ b/policy/modules/kernel/filesystem.fc
@@ -1,23 +1,29 @@ @@ -1,23 +1,28 @@
-/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) -/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
-/cgroup/.* <<none>> -/cgroup/.* <<none>>
+# ecryptfs does not support xattr +# ecryptfs does not support xattr
@ -17882,8 +17882,7 @@ index d7c11a0..efcd377 100644
+/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0-mls_systemhigh) +/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0-mls_systemhigh)
+/dev/shm/.* <<none>> +/dev/shm/.* <<none>>
+/dev/oracleasm -d gen_context(system_u:object_r:oracleasmfs_t,s0) +/dev/oracleasm(/.*)? gen_context(system_u:object_r:oracleasmfs_t,s0)
+/dev/oracleasm/.* <<none>>
+ +
+/usr/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) +/usr/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
+/usr/lib/udev/devices/hugepages/.* <<none>> +/usr/lib/udev/devices/hugepages/.* <<none>>
@ -27189,10 +27188,10 @@ index 0000000..15b42ae
+ +
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644 new file mode 100644
index 0000000..a298e23 index 0000000..79f40da
--- /dev/null --- /dev/null
+++ b/policy/modules/roles/unconfineduser.te +++ b/policy/modules/roles/unconfineduser.te
@@ -0,0 +1,354 @@ @@ -0,0 +1,358 @@
+policy_module(unconfineduser, 1.0.0) +policy_module(unconfineduser, 1.0.0)
+ +
+######################################## +########################################
@ -27392,6 +27391,10 @@ index 0000000..a298e23
+') +')
+ +
+optional_policy(` +optional_policy(`
+ oddjob_mkhomedir_entrypoint(unconfined_t)
+')
+
+optional_policy(`
+ dbus_role_template(unconfined, unconfined_r, unconfined_t) + dbus_role_template(unconfined, unconfined_r, unconfined_t)
+ role system_r types unconfined_dbusd_t; + role system_r types unconfined_dbusd_t;
+ +
@ -37422,7 +37425,7 @@ index 79a45f6..d092e6e 100644
+ allow $1 init_var_lib_t:dir search_dir_perms; + allow $1 init_var_lib_t:dir search_dir_perms;
+') +')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 17eda24..97e35aa 100644 index 17eda24..022bbb7 100644
--- a/policy/modules/system/init.te --- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te +++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(` @@ -11,10 +11,31 @@ gen_require(`
@ -37652,7 +37655,7 @@ index 17eda24..97e35aa 100644
# file descriptors inherited from the rootfs: # file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t) files_dontaudit_rw_root_chr_files(init_t)
@@ -155,29 +261,70 @@ fs_list_inotifyfs(init_t) @@ -155,29 +261,72 @@ fs_list_inotifyfs(init_t)
# cjp: this may be related to /dev/log # cjp: this may be related to /dev/log
fs_write_ramfs_sockets(init_t) fs_write_ramfs_sockets(init_t)
@ -37714,6 +37717,8 @@ index 17eda24..97e35aa 100644
+ +
+miscfiles_manage_localization(init_t) +miscfiles_manage_localization(init_t)
+miscfiles_filetrans_named_content(init_t) +miscfiles_filetrans_named_content(init_t)
+
+udev_manage_rules_files(init_t)
-miscfiles_read_localization(init_t) -miscfiles_read_localization(init_t)
+userdom_use_user_ttys(init_t) +userdom_use_user_ttys(init_t)
@ -37728,7 +37733,7 @@ index 17eda24..97e35aa 100644
ifdef(`distro_gentoo',` ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap }; allow init_t self:process { getcap setcap };
@@ -186,29 +333,264 @@ ifdef(`distro_gentoo',` @@ -186,29 +335,264 @@ ifdef(`distro_gentoo',`
') ')
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
@ -37783,13 +37788,14 @@ index 17eda24..97e35aa 100644
+ +
+optional_policy(` +optional_policy(`
+ ipa_delete_tmp(init_t) + ipa_delete_tmp(init_t)
+') ')
+
+optional_policy(` optional_policy(`
- auth_rw_login_records(init_t)
+ rpm_read_db(init_t) + rpm_read_db(init_t)
+') ')
+
+optional_policy(` optional_policy(`
+ iscsi_read_lib_files(init_t) + iscsi_read_lib_files(init_t)
+ iscsi_manage_lock(init_t) + iscsi_manage_lock(init_t)
+') +')
@ -37955,15 +37961,14 @@ index 17eda24..97e35aa 100644
+ sysnet_relabelfrom_dhcpc_state(init_t) + sysnet_relabelfrom_dhcpc_state(init_t)
+ sysnet_setattr_dhcp_state(init_t) + sysnet_setattr_dhcp_state(init_t)
+ ') + ')
') +')
+
optional_policy(` +optional_policy(`
- auth_rw_login_records(init_t)
+ lvm_rw_pipes(init_t) + lvm_rw_pipes(init_t)
+ lvm_read_config(init_t) + lvm_read_config(init_t)
') +')
+
optional_policy(` +optional_policy(`
+ consolekit_manage_log(init_t) + consolekit_manage_log(init_t)
+') +')
+ +
@ -38002,7 +38007,7 @@ index 17eda24..97e35aa 100644
') ')
optional_policy(` optional_policy(`
@@ -216,7 +598,30 @@ optional_policy(` @@ -216,7 +600,30 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -38034,7 +38039,7 @@ index 17eda24..97e35aa 100644
') ')
######################################## ########################################
@@ -225,9 +630,9 @@ optional_policy(` @@ -225,9 +632,9 @@ optional_policy(`
# #
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -38046,7 +38051,7 @@ index 17eda24..97e35aa 100644
allow initrc_t self:passwd rootok; allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms; allow initrc_t self:key manage_key_perms;
@@ -258,12 +663,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) @@ -258,12 +665,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms; allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file) files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -38063,7 +38068,7 @@ index 17eda24..97e35aa 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
@@ -279,23 +688,36 @@ kernel_change_ring_buffer_level(initrc_t) @@ -279,23 +690,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t) kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t) kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t) kernel_read_all_sysctls(initrc_t)
@ -38106,7 +38111,7 @@ index 17eda24..97e35aa 100644
corenet_tcp_sendrecv_all_ports(initrc_t) corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t)
@@ -303,9 +725,11 @@ corenet_sendrecv_all_client_packets(initrc_t) @@ -303,9 +727,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t) dev_read_rand(initrc_t)
dev_read_urand(initrc_t) dev_read_urand(initrc_t)
@ -38118,7 +38123,7 @@ index 17eda24..97e35aa 100644
dev_rw_sysfs(initrc_t) dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t) dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t) dev_read_framebuffer(initrc_t)
@@ -313,8 +737,10 @@ dev_write_framebuffer(initrc_t) @@ -313,8 +739,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t) dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t) dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t)
@ -38129,7 +38134,7 @@ index 17eda24..97e35aa 100644
dev_delete_lvm_control_dev(initrc_t) dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t) dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t) dev_manage_generic_files(initrc_t)
@@ -322,8 +748,7 @@ dev_manage_generic_files(initrc_t) @@ -322,8 +750,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t) dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t) dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t) dev_getattr_all_chr_files(initrc_t)
@ -38139,7 +38144,7 @@ index 17eda24..97e35aa 100644
domain_kill_all_domains(initrc_t) domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t) domain_signal_all_domains(initrc_t)
@@ -332,7 +757,6 @@ domain_sigstop_all_domains(initrc_t) @@ -332,7 +759,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t) domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t) domain_getattr_all_domains(initrc_t)
@ -38147,7 +38152,7 @@ index 17eda24..97e35aa 100644
domain_getsession_all_domains(initrc_t) domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t) domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown: # for lsof which is used by alsa shutdown:
@@ -340,6 +764,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) @@ -340,6 +766,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t)
@ -38155,7 +38160,7 @@ index 17eda24..97e35aa 100644
files_getattr_all_dirs(initrc_t) files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t) files_getattr_all_files(initrc_t)
@@ -347,14 +772,15 @@ files_getattr_all_symlinks(initrc_t) @@ -347,14 +774,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t) files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t) files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t) files_purge_tmp(initrc_t)
@ -38173,7 +38178,7 @@ index 17eda24..97e35aa 100644
files_read_usr_files(initrc_t) files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t) files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t) files_manage_generic_spool(initrc_t)
@@ -364,8 +790,12 @@ files_list_isid_type_dirs(initrc_t) @@ -364,8 +792,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t) files_list_default(initrc_t)
files_mounton_default(initrc_t) files_mounton_default(initrc_t)
@ -38187,7 +38192,7 @@ index 17eda24..97e35aa 100644
fs_list_inotifyfs(initrc_t) fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t) fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs # rhgb-console writes to ramfs
@@ -375,10 +805,11 @@ fs_mount_all_fs(initrc_t) @@ -375,10 +807,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t) fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t) fs_getattr_all_fs(initrc_t)
@ -38201,7 +38206,7 @@ index 17eda24..97e35aa 100644
mcs_process_set_categories(initrc_t) mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t) mls_file_read_all_levels(initrc_t)
@@ -387,8 +818,10 @@ mls_process_read_up(initrc_t) @@ -387,8 +820,10 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t) mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t) mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t) mls_fd_share_all_levels(initrc_t)
@ -38212,7 +38217,7 @@ index 17eda24..97e35aa 100644
storage_getattr_fixed_disk_dev(initrc_t) storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t)
@@ -398,6 +831,7 @@ term_use_all_terms(initrc_t) @@ -398,6 +833,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t) term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t) auth_rw_login_records(initrc_t)
@ -38220,7 +38225,7 @@ index 17eda24..97e35aa 100644
auth_setattr_login_records(initrc_t) auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t) auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t) auth_read_pam_pid(initrc_t)
@@ -416,20 +850,18 @@ logging_read_all_logs(initrc_t) @@ -416,20 +852,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t) logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t) logging_read_audit_config(initrc_t)
@ -38244,7 +38249,7 @@ index 17eda24..97e35aa 100644
ifdef(`distro_debian',` ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t) dev_setattr_generic_dirs(initrc_t)
@@ -451,7 +883,6 @@ ifdef(`distro_gentoo',` @@ -451,7 +885,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate; allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t) dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t) dev_create_zero_dev(initrc_t)
@ -38252,7 +38257,7 @@ index 17eda24..97e35aa 100644
term_create_console_dev(initrc_t) term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks # unfortunately /sbin/rc does stupid tricks
@@ -486,6 +917,10 @@ ifdef(`distro_gentoo',` @@ -486,6 +919,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t) sysnet_setattr_config(initrc_t)
optional_policy(` optional_policy(`
@ -38263,7 +38268,7 @@ index 17eda24..97e35aa 100644
alsa_read_lib(initrc_t) alsa_read_lib(initrc_t)
') ')
@@ -506,7 +941,7 @@ ifdef(`distro_redhat',` @@ -506,7 +943,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray # Red Hat systems seem to have a stray
# fd open from the initrd # fd open from the initrd
@ -38272,7 +38277,7 @@ index 17eda24..97e35aa 100644
files_dontaudit_read_root_files(initrc_t) files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd # These seem to be from the initrd
@@ -521,6 +956,7 @@ ifdef(`distro_redhat',` @@ -521,6 +958,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t) files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t) files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t) files_rw_boot_symlinks(initrc_t)
@ -38280,7 +38285,7 @@ index 17eda24..97e35aa 100644
# wants to read /.fonts directory # wants to read /.fonts directory
files_read_default_files(initrc_t) files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t) files_mountpoint(initrc_tmp_t)
@@ -541,6 +977,7 @@ ifdef(`distro_redhat',` @@ -541,6 +979,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t) miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t) miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t) miscfiles_relabel_localization(initrc_t)
@ -38288,7 +38293,7 @@ index 17eda24..97e35aa 100644
miscfiles_read_fonts(initrc_t) miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t) miscfiles_read_hwdata(initrc_t)
@@ -550,8 +987,44 @@ ifdef(`distro_redhat',` @@ -550,8 +989,44 @@ ifdef(`distro_redhat',`
') ')
optional_policy(` optional_policy(`
@ -38333,7 +38338,7 @@ index 17eda24..97e35aa 100644
') ')
optional_policy(` optional_policy(`
@@ -559,14 +1032,31 @@ ifdef(`distro_redhat',` @@ -559,14 +1034,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t) rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t) rpc_manage_nfs_state_data(initrc_t)
') ')
@ -38365,7 +38370,7 @@ index 17eda24..97e35aa 100644
') ')
') ')
@@ -577,6 +1067,39 @@ ifdef(`distro_suse',` @@ -577,6 +1069,39 @@ ifdef(`distro_suse',`
') ')
') ')
@ -38405,7 +38410,7 @@ index 17eda24..97e35aa 100644
optional_policy(` optional_policy(`
amavis_search_lib(initrc_t) amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t) amavis_setattr_pid_files(initrc_t)
@@ -589,6 +1112,8 @@ optional_policy(` @@ -589,6 +1114,8 @@ optional_policy(`
optional_policy(` optional_policy(`
apache_read_config(initrc_t) apache_read_config(initrc_t)
apache_list_modules(initrc_t) apache_list_modules(initrc_t)
@ -38414,7 +38419,7 @@ index 17eda24..97e35aa 100644
') ')
optional_policy(` optional_policy(`
@@ -610,6 +1135,7 @@ optional_policy(` @@ -610,6 +1137,7 @@ optional_policy(`
optional_policy(` optional_policy(`
cgroup_stream_connect_cgred(initrc_t) cgroup_stream_connect_cgred(initrc_t)
@ -38422,7 +38427,7 @@ index 17eda24..97e35aa 100644
') ')
optional_policy(` optional_policy(`
@@ -626,6 +1152,17 @@ optional_policy(` @@ -626,6 +1154,17 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -38440,7 +38445,7 @@ index 17eda24..97e35aa 100644
dev_getattr_printer_dev(initrc_t) dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t) cups_read_log(initrc_t)
@@ -642,9 +1179,13 @@ optional_policy(` @@ -642,9 +1181,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t) dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t) dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t) dbus_read_config(initrc_t)
@ -38454,7 +38459,7 @@ index 17eda24..97e35aa 100644
') ')
optional_policy(` optional_policy(`
@@ -657,15 +1198,11 @@ optional_policy(` @@ -657,15 +1200,11 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -38472,7 +38477,7 @@ index 17eda24..97e35aa 100644
') ')
optional_policy(` optional_policy(`
@@ -686,6 +1223,15 @@ optional_policy(` @@ -686,6 +1225,15 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -38488,7 +38493,7 @@ index 17eda24..97e35aa 100644
inn_exec_config(initrc_t) inn_exec_config(initrc_t)
') ')
@@ -726,6 +1272,7 @@ optional_policy(` @@ -726,6 +1274,7 @@ optional_policy(`
lpd_list_spool(initrc_t) lpd_list_spool(initrc_t)
lpd_read_config(initrc_t) lpd_read_config(initrc_t)
@ -38496,7 +38501,7 @@ index 17eda24..97e35aa 100644
') ')
optional_policy(` optional_policy(`
@@ -743,7 +1290,13 @@ optional_policy(` @@ -743,7 +1292,13 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -38511,7 +38516,7 @@ index 17eda24..97e35aa 100644
mta_dontaudit_read_spool_symlinks(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t)
') ')
@@ -766,6 +1319,10 @@ optional_policy(` @@ -766,6 +1321,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -38522,7 +38527,7 @@ index 17eda24..97e35aa 100644
postgresql_manage_db(initrc_t) postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t) postgresql_read_config(initrc_t)
') ')
@@ -775,10 +1332,20 @@ optional_policy(` @@ -775,10 +1334,20 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -38543,7 +38548,7 @@ index 17eda24..97e35aa 100644
quota_manage_flags(initrc_t) quota_manage_flags(initrc_t)
') ')
@@ -787,6 +1354,10 @@ optional_policy(` @@ -787,6 +1356,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -38554,7 +38559,7 @@ index 17eda24..97e35aa 100644
fs_write_ramfs_sockets(initrc_t) fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t) fs_search_ramfs(initrc_t)
@@ -808,8 +1379,6 @@ optional_policy(` @@ -808,8 +1381,6 @@ optional_policy(`
# bash tries ioctl for some reason # bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t) files_dontaudit_ioctl_all_pids(initrc_t)
@ -38563,7 +38568,7 @@ index 17eda24..97e35aa 100644
') ')
optional_policy(` optional_policy(`
@@ -818,6 +1387,10 @@ optional_policy(` @@ -818,6 +1389,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -38574,7 +38579,7 @@ index 17eda24..97e35aa 100644
# shorewall-init script run /var/lib/shorewall/firewall # shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t) shorewall_lib_domtrans(initrc_t)
') ')
@@ -827,10 +1400,12 @@ optional_policy(` @@ -827,10 +1402,12 @@ optional_policy(`
squid_manage_logs(initrc_t) squid_manage_logs(initrc_t)
') ')
@ -38587,7 +38592,7 @@ index 17eda24..97e35aa 100644
optional_policy(` optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t) ssh_dontaudit_read_server_keys(initrc_t)
@@ -857,21 +1432,62 @@ optional_policy(` @@ -857,21 +1434,62 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -38651,7 +38656,7 @@ index 17eda24..97e35aa 100644
') ')
optional_policy(` optional_policy(`
@@ -887,6 +1503,10 @@ optional_policy(` @@ -887,6 +1505,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -38662,7 +38667,7 @@ index 17eda24..97e35aa 100644
# Set device ownerships/modes. # Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t) xserver_setattr_console_pipes(initrc_t)
@@ -897,3 +1517,218 @@ optional_policy(` @@ -897,3 +1519,218 @@ optional_policy(`
optional_policy(` optional_policy(`
zebra_read_config(initrc_t) zebra_read_config(initrc_t)
') ')
@ -49030,10 +49035,10 @@ index 0000000..16cd1ac
+') +')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644 new file mode 100644
index 0000000..7abdaa0 index 0000000..d141c81
--- /dev/null --- /dev/null
+++ b/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te
@@ -0,0 +1,967 @@ @@ -0,0 +1,969 @@
+policy_module(systemd, 1.0.0) +policy_module(systemd, 1.0.0)
+ +
+####################################### +#######################################
@ -49943,6 +49948,8 @@ index 0000000..7abdaa0
+ +
+sysnet_manage_config(systemd_resolved_t) +sysnet_manage_config(systemd_resolved_t)
+ +
+userdom_dbus_send_all_users(systemd_resolved_t)
+
+optional_policy(` +optional_policy(`
+ dbus_system_bus_client(systemd_resolved_t) + dbus_system_bus_client(systemd_resolved_t)
+ dbus_connect_system_bus(systemd_resolved_t) + dbus_connect_system_bus(systemd_resolved_t)

116
policy-rawhide-contrib.patch
View File

@ -23749,6 +23749,24 @@ index 583a527..91c4104 100644
+optional_policy(` +optional_policy(`
+ gnome_dontaudit_search_config(denyhosts_t) + gnome_dontaudit_search_config(denyhosts_t)
+') +')
diff --git a/devicekit.fc b/devicekit.fc
index ae49c9d..6eb0842 100644
--- a/devicekit.fc
+++ b/devicekit.fc
@@ -11,6 +11,8 @@
/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
/usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
/usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
+/usr/libexec/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_exec_t,s0)
+/usr/bin/udisksctl -- gen_context(system_u:object_r:devicekit_exec_t,s0)
/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
/var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
@@ -24,3 +26,4 @@
/var/run/pm-utils(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
/var/run/udisks.* gen_context(system_u:object_r:devicekit_var_run_t,s0)
/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+
diff --git a/devicekit.if b/devicekit.if diff --git a/devicekit.if b/devicekit.if
index 8ce99ff..1bc5d3a 100644 index 8ce99ff..1bc5d3a 100644
--- a/devicekit.if --- a/devicekit.if
@ -24167,7 +24185,7 @@ index 8ce99ff..1bc5d3a 100644
+ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log") + logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
') ')
diff --git a/devicekit.te b/devicekit.te diff --git a/devicekit.te b/devicekit.te
index 77a5003..9e56e3e 100644 index 77a5003..360db40 100644
--- a/devicekit.te --- a/devicekit.te
+++ b/devicekit.te +++ b/devicekit.te
@@ -7,15 +7,15 @@ policy_module(devicekit, 1.3.1) @@ -7,15 +7,15 @@ policy_module(devicekit, 1.3.1)
@ -24189,7 +24207,18 @@ index 77a5003..9e56e3e 100644
type devicekit_tmp_t; type devicekit_tmp_t;
files_tmp_file(devicekit_tmp_t) files_tmp_file(devicekit_tmp_t)
@@ -45,11 +45,8 @@ kernel_read_system_state(devicekit_t) @@ -29,6 +29,10 @@ files_type(devicekit_var_lib_t)
type devicekit_var_log_t;
logging_log_file(devicekit_var_log_t)
+typealias devicekit_t alias { udisks2_t };
+typealias devicekit_var_lib_t alias { udisks2_var_lib_t };
+typealias devicekit_var_run_t alias { udisks2_var_run_t };
+
########################################
#
# Local policy
@@ -45,11 +49,8 @@ kernel_read_system_state(devicekit_t)
dev_read_sysfs(devicekit_t) dev_read_sysfs(devicekit_t)
dev_read_urand(devicekit_t) dev_read_urand(devicekit_t)
@ -24202,7 +24231,7 @@ index 77a5003..9e56e3e 100644
dbus_system_bus_client(devicekit_t) dbus_system_bus_client(devicekit_t)
allow devicekit_t { devicekit_disk_t devicekit_power_t }:dbus send_msg; allow devicekit_t { devicekit_disk_t devicekit_power_t }:dbus send_msg;
@@ -64,7 +61,8 @@ optional_policy(` @@ -64,7 +65,8 @@ optional_policy(`
# Disk local policy # Disk local policy
# #
@ -24212,7 +24241,7 @@ index 77a5003..9e56e3e 100644
allow devicekit_disk_t self:process { getsched signal_perms }; allow devicekit_disk_t self:process { getsched signal_perms };
allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -81,17 +79,18 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton; @@ -81,17 +83,18 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton;
manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file }) files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file })
@ -24233,7 +24262,7 @@ index 77a5003..9e56e3e 100644
corecmd_exec_bin(devicekit_disk_t) corecmd_exec_bin(devicekit_disk_t)
corecmd_exec_shell(devicekit_disk_t) corecmd_exec_shell(devicekit_disk_t)
@@ -99,6 +98,8 @@ corecmd_getattr_all_executables(devicekit_disk_t) @@ -99,6 +102,8 @@ corecmd_getattr_all_executables(devicekit_disk_t)
dev_getattr_all_chr_files(devicekit_disk_t) dev_getattr_all_chr_files(devicekit_disk_t)
dev_getattr_mtrr_dev(devicekit_disk_t) dev_getattr_mtrr_dev(devicekit_disk_t)
@ -24242,7 +24271,7 @@ index 77a5003..9e56e3e 100644
dev_getattr_usbfs_dirs(devicekit_disk_t) dev_getattr_usbfs_dirs(devicekit_disk_t)
dev_manage_generic_files(devicekit_disk_t) dev_manage_generic_files(devicekit_disk_t)
dev_read_urand(devicekit_disk_t) dev_read_urand(devicekit_disk_t)
@@ -117,8 +118,8 @@ files_getattr_all_pipes(devicekit_disk_t) @@ -117,8 +122,8 @@ files_getattr_all_pipes(devicekit_disk_t)
files_manage_boot_dirs(devicekit_disk_t) files_manage_boot_dirs(devicekit_disk_t)
files_manage_isid_type_dirs(devicekit_disk_t) files_manage_isid_type_dirs(devicekit_disk_t)
files_manage_mnt_dirs(devicekit_disk_t) files_manage_mnt_dirs(devicekit_disk_t)
@ -24252,7 +24281,7 @@ index 77a5003..9e56e3e 100644
fs_getattr_all_fs(devicekit_disk_t) fs_getattr_all_fs(devicekit_disk_t)
fs_list_inotifyfs(devicekit_disk_t) fs_list_inotifyfs(devicekit_disk_t)
@@ -135,18 +136,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t) @@ -135,18 +140,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
storage_raw_read_removable_device(devicekit_disk_t) storage_raw_read_removable_device(devicekit_disk_t)
storage_raw_write_removable_device(devicekit_disk_t) storage_raw_write_removable_device(devicekit_disk_t)
@ -24274,7 +24303,7 @@ index 77a5003..9e56e3e 100644
dbus_system_bus_client(devicekit_disk_t) dbus_system_bus_client(devicekit_disk_t)
allow devicekit_disk_t devicekit_t:dbus send_msg; allow devicekit_disk_t devicekit_t:dbus send_msg;
@@ -170,6 +171,7 @@ optional_policy(` @@ -170,6 +175,7 @@ optional_policy(`
optional_policy(` optional_policy(`
mount_domtrans(devicekit_disk_t) mount_domtrans(devicekit_disk_t)
@ -24282,7 +24311,7 @@ index 77a5003..9e56e3e 100644
') ')
optional_policy(` optional_policy(`
@@ -183,6 +185,11 @@ optional_policy(` @@ -183,6 +189,11 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -24294,7 +24323,7 @@ index 77a5003..9e56e3e 100644
udev_domtrans(devicekit_disk_t) udev_domtrans(devicekit_disk_t)
udev_read_db(devicekit_disk_t) udev_read_db(devicekit_disk_t)
udev_read_pid_files(devicekit_disk_t) udev_read_pid_files(devicekit_disk_t)
@@ -192,12 +199,19 @@ optional_policy(` @@ -192,12 +203,19 @@ optional_policy(`
virt_manage_images(devicekit_disk_t) virt_manage_images(devicekit_disk_t)
') ')
@ -24315,7 +24344,7 @@ index 77a5003..9e56e3e 100644
allow devicekit_power_t self:process { getsched signal_perms }; allow devicekit_power_t self:process { getsched signal_perms };
allow devicekit_power_t self:fifo_file rw_fifo_file_perms; allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
allow devicekit_power_t self:unix_dgram_socket create_socket_perms; allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
@@ -212,9 +226,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) @@ -212,9 +230,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir) files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
@ -24326,7 +24355,7 @@ index 77a5003..9e56e3e 100644
logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file) logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t) manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
@@ -224,12 +236,12 @@ files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, { dir file }) @@ -224,12 +240,12 @@ files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, { dir file })
kernel_read_fs_sysctls(devicekit_power_t) kernel_read_fs_sysctls(devicekit_power_t)
kernel_read_network_state(devicekit_power_t) kernel_read_network_state(devicekit_power_t)
kernel_read_system_state(devicekit_power_t) kernel_read_system_state(devicekit_power_t)
@ -24341,7 +24370,7 @@ index 77a5003..9e56e3e 100644
corecmd_exec_bin(devicekit_power_t) corecmd_exec_bin(devicekit_power_t)
corecmd_exec_shell(devicekit_power_t) corecmd_exec_shell(devicekit_power_t)
@@ -248,21 +260,18 @@ domain_read_all_domains_state(devicekit_power_t) @@ -248,21 +264,18 @@ domain_read_all_domains_state(devicekit_power_t)
files_read_kernel_img(devicekit_power_t) files_read_kernel_img(devicekit_power_t)
files_read_etc_runtime_files(devicekit_power_t) files_read_etc_runtime_files(devicekit_power_t)
@ -24364,7 +24393,7 @@ index 77a5003..9e56e3e 100644
sysnet_domtrans_ifconfig(devicekit_power_t) sysnet_domtrans_ifconfig(devicekit_power_t)
sysnet_domtrans_dhcpc(devicekit_power_t) sysnet_domtrans_dhcpc(devicekit_power_t)
@@ -277,6 +286,12 @@ optional_policy(` @@ -277,6 +290,12 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -24377,7 +24406,7 @@ index 77a5003..9e56e3e 100644
dbus_system_bus_client(devicekit_power_t) dbus_system_bus_client(devicekit_power_t)
allow devicekit_power_t devicekit_t:dbus send_msg; allow devicekit_power_t devicekit_t:dbus send_msg;
@@ -307,8 +322,11 @@ optional_policy(` @@ -307,8 +326,11 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -24390,7 +24419,7 @@ index 77a5003..9e56e3e 100644
hal_manage_pid_dirs(devicekit_power_t) hal_manage_pid_dirs(devicekit_power_t)
hal_manage_pid_files(devicekit_power_t) hal_manage_pid_files(devicekit_power_t)
') ')
@@ -347,3 +365,9 @@ optional_policy(` @@ -347,3 +369,9 @@ optional_policy(`
optional_policy(` optional_policy(`
vbetool_domtrans(devicekit_power_t) vbetool_domtrans(devicekit_power_t)
') ')
@ -63813,7 +63842,7 @@ index dd1d9ef..c48733a 100644
-/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0) -/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0)
+/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0) +/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0)
diff --git a/oddjob.if b/oddjob.if diff --git a/oddjob.if b/oddjob.if
index c87bd2a..284e4de 100644 index c87bd2a..6180fba 100644
--- a/oddjob.if --- a/oddjob.if
+++ b/oddjob.if +++ b/oddjob.if
@@ -1,4 +1,8 @@ @@ -1,4 +1,8 @@
@ -63925,7 +63954,7 @@ index c87bd2a..284e4de 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -105,46 +141,96 @@ interface(`oddjob_domtrans_mkhomedir',` @@ -105,46 +141,114 @@ interface(`oddjob_domtrans_mkhomedir',`
# #
interface(`oddjob_run_mkhomedir',` interface(`oddjob_run_mkhomedir',`
gen_require(` gen_require(`
@ -63971,8 +64000,7 @@ index c87bd2a..284e4de 100644
-###################################### -######################################
+####################################### +#######################################
## <summary> +## <summary>
-## Send child terminated signals to oddjob.
+## Execute oddjob in the oddjob domain. +## Execute oddjob in the oddjob domain.
+## </summary> +## </summary>
+## <param name="domain"> +## <param name="domain">
@ -63996,7 +64024,8 @@ index c87bd2a..284e4de 100644
+') +')
+ +
+######################################## +########################################
+## <summary> ## <summary>
-## Send child terminated signals to oddjob.
+## Create a domain which can be started by init, +## Create a domain which can be started by init,
+## with a range transition. +## with a range transition.
## </summary> ## </summary>
@ -64034,6 +64063,24 @@ index c87bd2a..284e4de 100644
+ range_transition oddjob_t $2:process $3; + range_transition oddjob_t $2:process $3;
+ mls_rangetrans_target($1) + mls_rangetrans_target($1)
+ ') + ')
+')
+
+########################################
+## <summary>
+## Allow any oddjob_mkhomedir_exec_t to be an entrypoint of this domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`oddjob_mkhomedir_entrypoint',`
+ gen_require(`
+ type oddjob_mkhomedir_exec_t;
+ ')
+ allow $1 oddjob_mkhomedir_exec_t:file entrypoint;
') ')
diff --git a/oddjob.te b/oddjob.te diff --git a/oddjob.te b/oddjob.te
index e403097..45d387d 100644 index e403097..45d387d 100644
@ -71277,12 +71324,12 @@ index 0000000..a2cb118
+ +
diff --git a/pki.fc b/pki.fc diff --git a/pki.fc b/pki.fc
new file mode 100644 new file mode 100644
index 0000000..b2b20f0 index 0000000..47cd0f8
--- /dev/null --- /dev/null
+++ b/pki.fc +++ b/pki.fc
@@ -0,0 +1,57 @@ @@ -0,0 +1,57 @@
+/etc/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0) +/etc/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/etc/pki/pki-tomcat/ca/(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0) +/etc/pki/pki-tomcat/ca(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+/var/lib/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0) +/var/lib/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
+/var/run/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_run_t,s0) +/var/run/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
+/var/log/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0) +/var/log/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
@ -79106,12 +79153,13 @@ index 6643b49..dd0c3d3 100644
optional_policy(` optional_policy(`
diff --git a/puppet.fc b/puppet.fc diff --git a/puppet.fc b/puppet.fc
index d68e26d..d2c4d2a 100644 index d68e26d..2542f5a 100644
--- a/puppet.fc --- a/puppet.fc
+++ b/puppet.fc +++ b/puppet.fc
@@ -1,18 +1,21 @@ @@ -1,18 +1,22 @@
-/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) -/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
+/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) +/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
+/etc/puppetlabs(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
-/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0) -/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0) -/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
@ -83115,7 +83163,7 @@ index da64218..3fb8575 100644
+ domtrans_pattern($1, quota_nld_exec_t, quota_nld_t) + domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
') ')
diff --git a/quota.te b/quota.te diff --git a/quota.te b/quota.te
index f47c8e8..3710974 100644 index f47c8e8..d4e9042 100644
--- a/quota.te --- a/quota.te
+++ b/quota.te +++ b/quota.te
@@ -5,12 +5,10 @@ policy_module(quota, 1.6.0) @@ -5,12 +5,10 @@ policy_module(quota, 1.6.0)
@ -83177,7 +83225,7 @@ index f47c8e8..3710974 100644
fs_get_xattr_fs_quotas(quota_t) fs_get_xattr_fs_quotas(quota_t)
fs_set_xattr_fs_quotas(quota_t) fs_set_xattr_fs_quotas(quota_t)
fs_getattr_xattr_fs(quota_t) fs_getattr_xattr_fs(quota_t)
@@ -80,17 +67,28 @@ term_dontaudit_use_console(quota_t) @@ -80,17 +67,29 @@ term_dontaudit_use_console(quota_t)
domain_use_interactive_fds(quota_t) domain_use_interactive_fds(quota_t)
@ -83190,6 +83238,7 @@ index f47c8e8..3710974 100644
+# Read /etc/mtab. +# Read /etc/mtab.
+files_read_etc_runtime_files(quota_t) +files_read_etc_runtime_files(quota_t)
+ +
+init_domain(quota_t, quota_exec_t)
init_use_fds(quota_t) init_use_fds(quota_t)
init_use_script_ptys(quota_t) init_use_script_ptys(quota_t)
@ -83209,7 +83258,7 @@ index f47c8e8..3710974 100644
') ')
optional_policy(` optional_policy(`
@@ -103,12 +101,12 @@ optional_policy(` @@ -103,12 +102,12 @@ optional_policy(`
####################################### #######################################
# #
@ -83224,7 +83273,7 @@ index f47c8e8..3710974 100644
manage_files_pattern(quota_nld_t, quota_nld_var_run_t, quota_nld_var_run_t) manage_files_pattern(quota_nld_t, quota_nld_var_run_t, quota_nld_var_run_t)
files_pid_filetrans(quota_nld_t, quota_nld_var_run_t, { file }) files_pid_filetrans(quota_nld_t, quota_nld_var_run_t, { file })
@@ -121,11 +119,9 @@ init_read_utmp(quota_nld_t) @@ -121,11 +120,9 @@ init_read_utmp(quota_nld_t)
logging_send_syslog_msg(quota_nld_t) logging_send_syslog_msg(quota_nld_t)
@ -83990,10 +84039,10 @@ index 951db7f..00e699d 100644
+ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak") + files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak")
') ')
diff --git a/raid.te b/raid.te diff --git a/raid.te b/raid.te
index c99753f..357db0b 100644 index c99753f..31ff402 100644
--- a/raid.te --- a/raid.te
+++ b/raid.te +++ b/raid.te
@@ -15,54 +15,103 @@ role mdadm_roles types mdadm_t; @@ -15,54 +15,104 @@ role mdadm_roles types mdadm_t;
type mdadm_initrc_exec_t; type mdadm_initrc_exec_t;
init_script_file(mdadm_initrc_exec_t) init_script_file(mdadm_initrc_exec_t)
@ -84074,6 +84123,7 @@ index c99753f..357db0b 100644
-dev_dontaudit_getattr_all_chr_files(mdadm_t) -dev_dontaudit_getattr_all_chr_files(mdadm_t)
+dev_dontaudit_read_all_blk_files(mdadm_t) +dev_dontaudit_read_all_blk_files(mdadm_t)
+dev_dontaudit_read_all_chr_files(mdadm_t) +dev_dontaudit_read_all_chr_files(mdadm_t)
+dev_getattr_generic_chr_files(mdadm_t)
+dev_read_crash(mdadm_t) +dev_read_crash(mdadm_t)
+dev_read_framebuffer(mdadm_t) +dev_read_framebuffer(mdadm_t)
dev_read_realtime_clock(mdadm_t) dev_read_realtime_clock(mdadm_t)
@ -84106,7 +84156,7 @@ index c99753f..357db0b 100644
mls_file_read_all_levels(mdadm_t) mls_file_read_all_levels(mdadm_t)
mls_file_write_all_levels(mdadm_t) mls_file_write_all_levels(mdadm_t)
@@ -71,15 +120,25 @@ storage_dev_filetrans_fixed_disk(mdadm_t) @@ -71,15 +121,25 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
storage_manage_fixed_disk(mdadm_t) storage_manage_fixed_disk(mdadm_t)
storage_read_scsi_generic(mdadm_t) storage_read_scsi_generic(mdadm_t)
storage_write_scsi_generic(mdadm_t) storage_write_scsi_generic(mdadm_t)
@ -84133,7 +84183,7 @@ index c99753f..357db0b 100644
userdom_dontaudit_use_unpriv_user_fds(mdadm_t) userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
userdom_dontaudit_search_user_home_content(mdadm_t) userdom_dontaudit_search_user_home_content(mdadm_t)
@@ -90,17 +149,38 @@ optional_policy(` @@ -90,17 +150,38 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`

16
selinux-policy.spec
View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.13.1 Version: 3.13.1
Release: 211%{?dist} Release: 212%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -648,6 +648,20 @@ exit 0
%endif %endif
%changelog %changelog
* Wed Aug 31 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-212
- udisk2 module is part of devicekit module now
- Fix file context for /etc/pki/pki-tomcat/ca/
- new interface oddjob_mkhomedir_entrypoint()
- Allow mdadm to get attributes from all devices.
- Label /etc/puppetlabs as puppet_etc_t.
- quota: allow init to run quota tools
- Add new domain ipa_ods_exporter_t BZ(1366640)
- Create new interface opendnssec_stream_connect()
- Allow VirtualBox to manage udev rules.
- Allow systemd_resolved to send dbus msgs to userdomains
- Make entrypoint oddjob_mkhomedir_exec_t for unconfined_t
- Label all files in /dev/oracleasmfs/ as oracleasmfs_t
* Thu Aug 25 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-211 * Thu Aug 25 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-211
- Add new domain ipa_ods_exporter_t BZ(1366640) - Add new domain ipa_ods_exporter_t BZ(1366640)
- Create new interface opendnssec_stream_connect() - Create new interface opendnssec_stream_connect()