* Mon Jan 18 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-167
- Add fwupd policy for daemon to allow session software to update device firmware - Label /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck as ipa_helper_exec_t. BZ(1289930) - Allow systemd services to use PrivateNetwork feature - Add a type and genfscon for nsfs. - Fix SELinux context for rsyslog unit file. BZ(1284173)
This commit is contained in:
parent
3852fc17ea
commit
6d3ee17c0b
@ -29627,6 +29627,340 @@ index 36838c2..8bfc879 100644
|
||||
- fs_read_nfs_files(sftpd_t)
|
||||
- fs_read_nfs_symlinks(ftpd_t)
|
||||
-')
|
||||
diff --git a/fwupd.fc b/fwupd.fc
|
||||
new file mode 100644
|
||||
index 0000000..1f13f70
|
||||
--- /dev/null
|
||||
+++ b/fwupd.fc
|
||||
@@ -0,0 +1,8 @@
|
||||
+/usr/lib/systemd/system/fwupd-offline-update.* -- gen_context(system_u:object_r:fwupd_unit_file_t,s0)
|
||||
+/usr/lib/systemd/system/fwupd.* -- gen_context(system_u:object_r:fwupd_unit_file_t,s0)
|
||||
+
|
||||
+/usr/libexec/fwupd/fwupd -- gen_context(system_u:object_r:fwupd_exec_t,s0)
|
||||
+
|
||||
+/var/cache/app-info(/.*)? gen_context(system_u:object_r:fwupd_cache_t,s0)
|
||||
+
|
||||
+/var/lib/fwupd(/.*)? gen_context(system_u:object_r:fwupd_var_lib_t,s0)
|
||||
diff --git a/fwupd.if b/fwupd.if
|
||||
new file mode 100644
|
||||
index 0000000..c4d2c2d
|
||||
--- /dev/null
|
||||
+++ b/fwupd.if
|
||||
@@ -0,0 +1,260 @@
|
||||
+
|
||||
+## <summary>fwupd is a daemon to allow session software to update device firmware</summary>
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute fwupd_exec_t in the fwupd domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed to transition.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`fwupd_domtrans',`
|
||||
+ gen_require(`
|
||||
+ type fwupd_t, fwupd_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ corecmd_search_bin($1)
|
||||
+ domtrans_pattern($1, fwupd_exec_t, fwupd_t)
|
||||
+')
|
||||
+
|
||||
+######################################
|
||||
+## <summary>
|
||||
+## Execute fwupd in the caller domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`fwupd_exec',`
|
||||
+ gen_require(`
|
||||
+ type fwupd_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ corecmd_search_bin($1)
|
||||
+ can_exec($1, fwupd_exec_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Search fwupd cache directories.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`fwupd_search_cache',`
|
||||
+ gen_require(`
|
||||
+ type fwupd_cache_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 fwupd_cache_t:dir search_dir_perms;
|
||||
+ files_search_var($1)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read fwupd cache files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`fwupd_read_cache_files',`
|
||||
+ gen_require(`
|
||||
+ type fwupd_cache_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_var($1)
|
||||
+ read_files_pattern($1, fwupd_cache_t, fwupd_cache_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Create, read, write, and delete
|
||||
+## fwupd cache files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`fwupd_manage_cache_files',`
|
||||
+ gen_require(`
|
||||
+ type fwupd_cache_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_var($1)
|
||||
+ manage_files_pattern($1, fwupd_cache_t, fwupd_cache_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Manage fwupd cache dirs.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`fwupd_manage_cache_dirs',`
|
||||
+ gen_require(`
|
||||
+ type fwupd_cache_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_var($1)
|
||||
+ manage_dirs_pattern($1, fwupd_cache_t, fwupd_cache_t)
|
||||
+')
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Search fwupd lib directories.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`fwupd_search_lib',`
|
||||
+ gen_require(`
|
||||
+ type fwupd_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 fwupd_var_lib_t:dir search_dir_perms;
|
||||
+ files_search_var_lib($1)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read fwupd lib files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`fwupd_read_lib_files',`
|
||||
+ gen_require(`
|
||||
+ type fwupd_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_var_lib($1)
|
||||
+ read_files_pattern($1, fwupd_var_lib_t, fwupd_var_lib_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Manage fwupd lib files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`fwupd_manage_lib_files',`
|
||||
+ gen_require(`
|
||||
+ type fwupd_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_var_lib($1)
|
||||
+ manage_files_pattern($1, fwupd_var_lib_t, fwupd_var_lib_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Manage fwupd lib directories.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`fwupd_manage_lib_dirs',`
|
||||
+ gen_require(`
|
||||
+ type fwupd_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_var_lib($1)
|
||||
+ manage_dirs_pattern($1, fwupd_var_lib_t, fwupd_var_lib_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute fwupd server in the fwupd domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed to transition.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`fwupd_systemctl',`
|
||||
+ gen_require(`
|
||||
+ type fwupd_t;
|
||||
+ type fwupd_unit_file_t;
|
||||
+ ')
|
||||
+
|
||||
+ systemd_exec_systemctl($1)
|
||||
+ systemd_read_fifo_file_passwd_run($1)
|
||||
+ allow $1 fwupd_unit_file_t:file read_file_perms;
|
||||
+ allow $1 fwupd_unit_file_t:service manage_service_perms;
|
||||
+
|
||||
+ ps_process_pattern($1, fwupd_t)
|
||||
+')
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## All of the rules required to administrate
|
||||
+## an fwupd environment
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`fwupd_admin',`
|
||||
+ gen_require(`
|
||||
+ type fwupd_t;
|
||||
+ type fwupd_cache_t;
|
||||
+ type fwupd_var_lib_t;
|
||||
+ type fwupd_unit_file_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 fwupd_t:process { signal_perms };
|
||||
+ ps_process_pattern($1, fwupd_t)
|
||||
+
|
||||
+ tunable_policy(`deny_ptrace',`',`
|
||||
+ allow $1 fwupd_t:process ptrace;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_var($1)
|
||||
+ admin_pattern($1, fwupd_cache_t)
|
||||
+
|
||||
+ files_search_var_lib($1)
|
||||
+ admin_pattern($1, fwupd_var_lib_t)
|
||||
+
|
||||
+ fwupd_systemctl($1)
|
||||
+ admin_pattern($1, fwupd_unit_file_t)
|
||||
+ allow $1 fwupd_unit_file_t:service all_service_perms;
|
||||
+ optional_policy(`
|
||||
+ systemd_passwd_agent_exec($1)
|
||||
+ systemd_read_fifo_file_passwd_run($1)
|
||||
+ ')
|
||||
+')
|
||||
diff --git a/fwupd.te b/fwupd.te
|
||||
new file mode 100644
|
||||
index 0000000..8937282
|
||||
--- /dev/null
|
||||
+++ b/fwupd.te
|
||||
@@ -0,0 +1,48 @@
|
||||
+policy_module(fwupd, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# Declarations
|
||||
+#
|
||||
+
|
||||
+type fwupd_t;
|
||||
+type fwupd_exec_t;
|
||||
+init_daemon_domain(fwupd_t, fwupd_exec_t)
|
||||
+
|
||||
+type fwupd_cache_t;
|
||||
+files_type(fwupd_cache_t)
|
||||
+
|
||||
+type fwupd_var_lib_t;
|
||||
+files_type(fwupd_var_lib_t)
|
||||
+
|
||||
+type fwupd_unit_file_t;
|
||||
+systemd_unit_file(fwupd_unit_file_t)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# fwupd local policy
|
||||
+#
|
||||
+allow fwupd_t self:fifo_file rw_fifo_file_perms;
|
||||
+allow fwupd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+allow fwupd_t self:netlink_kobject_uevent_socket create_socket_perms;;
|
||||
+
|
||||
+manage_dirs_pattern(fwupd_t, fwupd_cache_t, fwupd_cache_t)
|
||||
+manage_files_pattern(fwupd_t, fwupd_cache_t, fwupd_cache_t)
|
||||
+manage_lnk_files_pattern(fwupd_t, fwupd_cache_t, fwupd_cache_t)
|
||||
+files_var_filetrans(fwupd_t, fwupd_cache_t, { dir })
|
||||
+
|
||||
+manage_dirs_pattern(fwupd_t, fwupd_var_lib_t, fwupd_var_lib_t)
|
||||
+manage_files_pattern(fwupd_t, fwupd_var_lib_t, fwupd_var_lib_t)
|
||||
+manage_lnk_files_pattern(fwupd_t, fwupd_var_lib_t, fwupd_var_lib_t)
|
||||
+files_var_lib_filetrans(fwupd_t, fwupd_var_lib_t, { dir })
|
||||
+
|
||||
+auth_read_passwd(fwupd_t)
|
||||
+
|
||||
+dev_rw_sysfs(fwupd_t)
|
||||
+dev_rw_generic_usb_dev(fwupd_t)
|
||||
+
|
||||
+udev_read_pid_files(fwupd_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ dbus_system_domain(fwupd_t,fwupd_exec_t)
|
||||
+')
|
||||
diff --git a/games.if b/games.if
|
||||
index e2a3e0d..50ebd40 100644
|
||||
--- a/games.if
|
||||
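Review bot: The new fwupd.te closes its netlink rule with a doubled terminator, `allow fwupd_t self:netlink_kobject_uevent_socket create_socket_perms;;`; the stray second `;` is an empty statement that the policy compiler will most likely reject as a syntax error, so the fwupd module would fail to build until the line reads `allow fwupd_t self:netlink_kobject_uevent_socket create_socket_perms;`. In fwupd.if, the header of fwupd_systemctl says "Execute fwupd server in the fwupd domain" although the interface grants systemctl execution plus read_file_perms and manage_service_perms on fwupd_unit_file_t and performs no domain transition; a summary such as `## Allow the specified domain to control the fwupd service via systemctl.` would describe what it actually authorises. The unit-file patterns in fwupd.fc, `/usr/lib/systemd/system/fwupd.*` and `/usr/lib/systemd/system/fwupd-offline-update.*`, leave the dot as a regex wildcard, unlike the escaped `\.` used in ipa.fc later in this commit, so the first pattern already covers the second and any other path prefixed "fwupd"; `fwupd\..*` would restrict it to the unit names intended.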
@ -37269,16 +37603,17 @@ index 0000000..61f2003
|
||||
+userdom_use_user_terminals(iotop_t)
|
||||
diff --git a/ipa.fc b/ipa.fc
|
||||
new file mode 100644
|
||||
index 0000000..3a71430
|
||||
index 0000000..ce135f3
|
||||
--- /dev/null
|
||||
+++ b/ipa.fc
|
||||
@@ -0,0 +1,13 @@
|
||||
@@ -0,0 +1,14 @@
|
||||
+/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0)
|
||||
+
|
||||
+/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
|
||||
+
|
||||
+/usr/libexec/ipa/com\.redhat\.idm\.trust-fetch-domains -- gen_context(system_u:object_r:ipa_helper_exec_t,s0)
|
||||
+/usr/libexec/ipa/oddjob/com\.redhat\.idm\.trust-fetch-domains -- gen_context(system_u:object_r:ipa_helper_exec_t,s0)
|
||||
+/usr/libexec/ipa/oddjob/org\.freeipa\.server\.conncheck -- gen_context(system_u:object_r:ipa_helper_exec_t,s0)
|
||||
+
|
||||
+/var/lib/ipa(/.*)? gen_context(system_u:object_r:ipa_var_lib_t,s0)
|
||||
+
|
||||
|
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 166%{?dist}
|
||||
Release: 167%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -664,6 +664,13 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Jan 18 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-167
|
||||
- Add fwupd policy for daemon to allow session software to update device firmware
|
||||
- Label /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck as ipa_helper_exec_t. BZ(1289930)
|
||||
- Allow systemd services to use PrivateNetwork feature
|
||||
- Add a type and genfscon for nsfs.
|
||||
- Fix SELinux context for rsyslog unit file. BZ(1284173)
|
||||
|
||||
* Wed Jan 13 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-166
|
||||
- Allow logrotate to systemctl rsyslog service. BZ(1284173)
|
||||
- Allow condor_master_t domain capability chown. BZ(1297048)
|
||||
|