* Tue Aug 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-2
- Add new type selinux_login_config_t for /etc/selinux/<type>/logins/ - Additional fixes for seutil_manage_module_store() - dbus_system_domain() should be used with optional_policy - Fix svirt to be allowed to use fusefs file system - Allow login programs to read /run/ data created by systemd_login - sssd wants to write /etc/selinux/<policy>/logins/ for SELinux PAM module - Fix svirt to be allowed to use fusefs file system - Allow piranha domain to use nsswitch - Sanlock needs to send Kill Signals to non root processes - Pulseaudio wants to execute /run/user/PID/.orc
parent
e2915aed43
commit
711b0e2035
|
@ -70640,7 +70640,7 @@ index cda5588..91d1e25 100644
|
||||||
+/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
|
+/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
|
||||||
+/usr/lib/udev/devices/shm/.* <<none>>
|
+/usr/lib/udev/devices/shm/.* <<none>>
|
||||||
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
|
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
|
||||||
index 7c6b791..aad6319 100644
|
index 7c6b791..b40a5a5 100644
|
||||||
--- a/policy/modules/kernel/filesystem.if
|
--- a/policy/modules/kernel/filesystem.if
|
||||||
+++ b/policy/modules/kernel/filesystem.if
|
+++ b/policy/modules/kernel/filesystem.if
|
||||||
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
|
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
|
||||||
|
@ -71137,7 +71137,7 @@ index 7c6b791..aad6319 100644
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Mount a FUSE filesystem.
|
## Mount a FUSE filesystem.
|
||||||
@@ -2025,6 +2387,68 @@ interface(`fs_read_fusefs_symlinks',`
|
@@ -2025,6 +2387,87 @@ interface(`fs_read_fusefs_symlinks',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -71202,11 +71202,30 @@ index 7c6b791..aad6319 100644
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Get the attributes of a FUSEFS filesystem.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+## <rolecap/>
|
||||||
|
+#
|
||||||
|
+interface(`fs_getattr_fusefs',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type fusefs_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 fusefs_t:filesystem getattr;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
## Get the attributes of an hugetlbfs
|
## Get the attributes of an hugetlbfs
|
||||||
## filesystem.
|
## filesystem.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -2080,6 +2504,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
|
@@ -2080,6 +2523,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -71231,7 +71250,7 @@ index 7c6b791..aad6319 100644
|
||||||
## Read and write hugetlbfs files.
|
## Read and write hugetlbfs files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -2148,11 +2590,12 @@ interface(`fs_list_inotifyfs',`
|
@@ -2148,11 +2609,12 @@ interface(`fs_list_inotifyfs',`
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 inotifyfs_t:dir list_dir_perms;
|
allow $1 inotifyfs_t:dir list_dir_perms;
|
||||||
|
@ -71245,7 +71264,7 @@ index 7c6b791..aad6319 100644
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -2485,6 +2928,7 @@ interface(`fs_read_nfs_files',`
|
@@ -2485,6 +2947,7 @@ interface(`fs_read_nfs_files',`
|
||||||
type nfs_t;
|
type nfs_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -71253,7 +71272,7 @@ index 7c6b791..aad6319 100644
|
||||||
allow $1 nfs_t:dir list_dir_perms;
|
allow $1 nfs_t:dir list_dir_perms;
|
||||||
read_files_pattern($1, nfs_t, nfs_t)
|
read_files_pattern($1, nfs_t, nfs_t)
|
||||||
')
|
')
|
||||||
@@ -2523,6 +2967,7 @@ interface(`fs_write_nfs_files',`
|
@@ -2523,6 +2986,7 @@ interface(`fs_write_nfs_files',`
|
||||||
type nfs_t;
|
type nfs_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -71261,7 +71280,7 @@ index 7c6b791..aad6319 100644
|
||||||
allow $1 nfs_t:dir list_dir_perms;
|
allow $1 nfs_t:dir list_dir_perms;
|
||||||
write_files_pattern($1, nfs_t, nfs_t)
|
write_files_pattern($1, nfs_t, nfs_t)
|
||||||
')
|
')
|
||||||
@@ -2549,6 +2994,25 @@ interface(`fs_exec_nfs_files',`
|
@@ -2549,6 +3013,25 @@ interface(`fs_exec_nfs_files',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -71287,7 +71306,7 @@ index 7c6b791..aad6319 100644
|
||||||
## Append files
|
## Append files
|
||||||
## on a NFS filesystem.
|
## on a NFS filesystem.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -2569,7 +3033,7 @@ interface(`fs_append_nfs_files',`
|
@@ -2569,7 +3052,7 @@ interface(`fs_append_nfs_files',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -71296,7 +71315,7 @@ index 7c6b791..aad6319 100644
|
||||||
## on a NFS filesystem.
|
## on a NFS filesystem.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -2589,6 +3053,42 @@ interface(`fs_dontaudit_append_nfs_files',`
|
@@ -2589,6 +3072,42 @@ interface(`fs_dontaudit_append_nfs_files',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -71339,7 +71358,7 @@ index 7c6b791..aad6319 100644
|
||||||
## Do not audit attempts to read or
|
## Do not audit attempts to read or
|
||||||
## write files on a NFS filesystem.
|
## write files on a NFS filesystem.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -2603,7 +3103,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
|
@@ -2603,7 +3122,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
|
||||||
type nfs_t;
|
type nfs_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -71348,7 +71367,7 @@ index 7c6b791..aad6319 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2627,7 +3127,7 @@ interface(`fs_read_nfs_symlinks',`
|
@@ -2627,7 +3146,7 @@ interface(`fs_read_nfs_symlinks',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -71357,7 +71376,7 @@ index 7c6b791..aad6319 100644
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -2741,7 +3241,7 @@ interface(`fs_search_removable',`
|
@@ -2741,7 +3260,7 @@ interface(`fs_search_removable',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -71366,7 +71385,7 @@ index 7c6b791..aad6319 100644
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@@ -2777,7 +3277,7 @@ interface(`fs_read_removable_files',`
|
@@ -2777,7 +3296,7 @@ interface(`fs_read_removable_files',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -71375,7 +71394,7 @@ index 7c6b791..aad6319 100644
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@@ -2970,6 +3470,7 @@ interface(`fs_manage_nfs_dirs',`
|
@@ -2970,6 +3489,7 @@ interface(`fs_manage_nfs_dirs',`
|
||||||
type nfs_t;
|
type nfs_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -71383,7 +71402,7 @@ index 7c6b791..aad6319 100644
|
||||||
allow $1 nfs_t:dir manage_dir_perms;
|
allow $1 nfs_t:dir manage_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -3010,6 +3511,7 @@ interface(`fs_manage_nfs_files',`
|
@@ -3010,6 +3530,7 @@ interface(`fs_manage_nfs_files',`
|
||||||
type nfs_t;
|
type nfs_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -71391,7 +71410,7 @@ index 7c6b791..aad6319 100644
|
||||||
manage_files_pattern($1, nfs_t, nfs_t)
|
manage_files_pattern($1, nfs_t, nfs_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -3050,6 +3552,7 @@ interface(`fs_manage_nfs_symlinks',`
|
@@ -3050,6 +3571,7 @@ interface(`fs_manage_nfs_symlinks',`
|
||||||
type nfs_t;
|
type nfs_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -71399,7 +71418,7 @@ index 7c6b791..aad6319 100644
|
||||||
manage_lnk_files_pattern($1, nfs_t, nfs_t)
|
manage_lnk_files_pattern($1, nfs_t, nfs_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -3263,6 +3766,24 @@ interface(`fs_getattr_nfsd_files',`
|
@@ -3263,6 +3785,24 @@ interface(`fs_getattr_nfsd_files',`
|
||||||
getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
|
getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -71424,7 +71443,7 @@ index 7c6b791..aad6319 100644
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read and write NFS server files.
|
## Read and write NFS server files.
|
||||||
@@ -3283,6 +3804,24 @@ interface(`fs_rw_nfsd_fs',`
|
@@ -3283,6 +3823,24 @@ interface(`fs_rw_nfsd_fs',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -71449,7 +71468,7 @@ index 7c6b791..aad6319 100644
|
||||||
## Allow the type to associate to ramfs filesystems.
|
## Allow the type to associate to ramfs filesystems.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="type">
|
## <param name="type">
|
||||||
@@ -3392,7 +3931,7 @@ interface(`fs_search_ramfs',`
|
@@ -3392,7 +3950,7 @@ interface(`fs_search_ramfs',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -71458,7 +71477,7 @@ index 7c6b791..aad6319 100644
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -3429,7 +3968,7 @@ interface(`fs_manage_ramfs_dirs',`
|
@@ -3429,7 +3987,7 @@ interface(`fs_manage_ramfs_dirs',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -71467,7 +71486,7 @@ index 7c6b791..aad6319 100644
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -3447,7 +3986,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
|
@@ -3447,7 +4005,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -71476,7 +71495,7 @@ index 7c6b791..aad6319 100644
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -3815,6 +4354,24 @@ interface(`fs_unmount_tmpfs',`
|
@@ -3815,6 +4373,24 @@ interface(`fs_unmount_tmpfs',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -71501,7 +71520,7 @@ index 7c6b791..aad6319 100644
|
||||||
## Get the attributes of a tmpfs
|
## Get the attributes of a tmpfs
|
||||||
## filesystem.
|
## filesystem.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -3963,6 +4520,42 @@ interface(`fs_dontaudit_list_tmpfs',`
|
@@ -3963,6 +4539,42 @@ interface(`fs_dontaudit_list_tmpfs',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -71544,7 +71563,7 @@ index 7c6b791..aad6319 100644
|
||||||
## Create, read, write, and delete
|
## Create, read, write, and delete
|
||||||
## tmpfs directories
|
## tmpfs directories
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -4069,7 +4662,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
|
@@ -4069,7 +4681,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
|
||||||
type tmpfs_t;
|
type tmpfs_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -71553,7 +71572,7 @@ index 7c6b791..aad6319 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -4129,6 +4722,24 @@ interface(`fs_rw_tmpfs_files',`
|
@@ -4129,6 +4741,24 @@ interface(`fs_rw_tmpfs_files',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -71578,7 +71597,7 @@ index 7c6b791..aad6319 100644
|
||||||
## Read tmpfs link files.
|
## Read tmpfs link files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -4166,7 +4777,7 @@ interface(`fs_rw_tmpfs_chr_files',`
|
@@ -4166,7 +4796,7 @@ interface(`fs_rw_tmpfs_chr_files',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -71587,7 +71606,7 @@ index 7c6b791..aad6319 100644
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -4185,6 +4796,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
|
@@ -4185,6 +4815,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -71630,7 +71649,7 @@ index 7c6b791..aad6319 100644
|
||||||
## Relabel character nodes on tmpfs filesystems.
|
## Relabel character nodes on tmpfs filesystems.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -4242,6 +4889,43 @@ interface(`fs_relabel_tmpfs_blk_file',`
|
@@ -4242,6 +4908,43 @@ interface(`fs_relabel_tmpfs_blk_file',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -71674,7 +71693,7 @@ index 7c6b791..aad6319 100644
|
||||||
## Read and write, create and delete generic
|
## Read and write, create and delete generic
|
||||||
## files on tmpfs filesystems.
|
## files on tmpfs filesystems.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -4261,6 +4945,25 @@ interface(`fs_manage_tmpfs_files',`
|
@@ -4261,6 +4964,25 @@ interface(`fs_manage_tmpfs_files',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -71700,7 +71719,7 @@ index 7c6b791..aad6319 100644
|
||||||
## Read and write, create and delete symbolic
|
## Read and write, create and delete symbolic
|
||||||
## links on tmpfs filesystems.
|
## links on tmpfs filesystems.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -4467,6 +5170,8 @@ interface(`fs_mount_all_fs',`
|
@@ -4467,6 +5189,8 @@ interface(`fs_mount_all_fs',`
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 filesystem_type:filesystem mount;
|
allow $1 filesystem_type:filesystem mount;
|
||||||
|
@ -71709,7 +71728,7 @@ index 7c6b791..aad6319 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -4513,7 +5218,7 @@ interface(`fs_unmount_all_fs',`
|
@@ -4513,7 +5237,7 @@ interface(`fs_unmount_all_fs',`
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow the specified domain to
|
## Allow the specified domain to
|
||||||
|
@ -71718,7 +71737,7 @@ index 7c6b791..aad6319 100644
|
||||||
## Example attributes:
|
## Example attributes:
|
||||||
## </p>
|
## </p>
|
||||||
## <ul>
|
## <ul>
|
||||||
@@ -4876,3 +5581,43 @@ interface(`fs_unconfined',`
|
@@ -4876,3 +5600,43 @@ interface(`fs_unconfined',`
|
||||||
|
|
||||||
typeattribute $1 filesystem_unconfined_type;
|
typeattribute $1 filesystem_unconfined_type;
|
||||||
')
|
')
|
||||||
|
@ -87697,14 +87716,15 @@ index cbbda4a..8dcc346 100644
|
||||||
+userdom_use_inherited_user_terminals(netlabel_mgmt_t)
|
+userdom_use_inherited_user_terminals(netlabel_mgmt_t)
|
||||||
+
|
+
|
||||||
diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
|
diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
|
||||||
index d43f3b1..5858c5f 100644
|
index d43f3b1..c4182e8 100644
|
||||||
--- a/policy/modules/system/selinuxutil.fc
|
--- a/policy/modules/system/selinuxutil.fc
|
||||||
+++ b/policy/modules/system/selinuxutil.fc
|
+++ b/policy/modules/system/selinuxutil.fc
|
||||||
@@ -6,13 +6,13 @@
|
@@ -6,13 +6,14 @@
|
||||||
/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
|
/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
|
||||||
/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
|
/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
|
||||||
/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
|
/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
|
||||||
-/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
|
-/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
|
||||||
|
+/etc/selinux/([^/]*/)?logins(/.*)? gen_context(system_u:object_r:selinux_login_config_t,s0)
|
||||||
+/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
|
+/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
|
||||||
/etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
|
/etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
|
||||||
-/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
|
-/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
|
||||||
|
@ -87717,7 +87737,7 @@ index d43f3b1..5858c5f 100644
|
||||||
|
|
||||||
#
|
#
|
||||||
# /root
|
# /root
|
||||||
@@ -35,12 +35,14 @@
|
@@ -35,12 +36,14 @@
|
||||||
/usr/lib/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0)
|
/usr/lib/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0)
|
||||||
|
|
||||||
/usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0)
|
/usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0)
|
||||||
|
@ -87733,7 +87753,7 @@ index d43f3b1..5858c5f 100644
|
||||||
|
|
||||||
#
|
#
|
||||||
# /var/lib
|
# /var/lib
|
||||||
@@ -51,3 +53,7 @@
|
@@ -51,3 +54,7 @@
|
||||||
# /var/run
|
# /var/run
|
||||||
#
|
#
|
||||||
/var/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0)
|
/var/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0)
|
||||||
|
@ -87742,7 +87762,7 @@ index d43f3b1..5858c5f 100644
|
||||||
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
|
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
|
||||||
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
|
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
|
||||||
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
|
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
|
||||||
index 3822072..cac0b1e 100644
|
index 3822072..beae2dc 100644
|
||||||
--- a/policy/modules/system/selinuxutil.if
|
--- a/policy/modules/system/selinuxutil.if
|
||||||
+++ b/policy/modules/system/selinuxutil.if
|
+++ b/policy/modules/system/selinuxutil.if
|
||||||
@@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',`
|
@@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',`
|
||||||
|
@ -87899,7 +87919,7 @@ index 3822072..cac0b1e 100644
|
||||||
## Execute setfiles in the caller domain.
|
## Execute setfiles in the caller domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -680,6 +776,7 @@ interface(`seutil_manage_config',`
|
@@ -680,10 +776,94 @@ interface(`seutil_manage_config',`
|
||||||
')
|
')
|
||||||
|
|
||||||
files_search_etc($1)
|
files_search_etc($1)
|
||||||
|
@ -87907,7 +87927,160 @@ index 3822072..cac0b1e 100644
|
||||||
manage_files_pattern($1, selinux_config_t, selinux_config_t)
|
manage_files_pattern($1, selinux_config_t, selinux_config_t)
|
||||||
read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
|
read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
|
||||||
')
|
')
|
||||||
@@ -746,6 +843,29 @@ interface(`seutil_read_default_contexts',`
|
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Do not audit attempts to search the SELinux
|
||||||
|
+## login configuration directory.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain to not audit.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`seutil_dontaudit_search_login_config',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type selinux_login_config_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ dontaudit $1 selinux_login_config_t:dir search_dir_perms;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Do not audit attempts to read the SELinux
|
||||||
|
+## login configuration.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain to not audit.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`seutil_dontaudit_read_login_config',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type selinux_login_config_t;
|
||||||
|
+ ')
|
||||||
|
+ dontaudit $1 selinux_login_config_t:dir search_dir_perms;
|
||||||
|
+ dontaudit $1 selinux_login_config_t:file read_file_perms;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Read the SELinux login configuration files.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`seutil_read_login_config',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type selinux_config_t;
|
||||||
|
+ type selinux_login_config_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ files_search_etc($1)
|
||||||
|
+ allow $1 selinux_config_t:dir search_dir_perms;
|
||||||
|
+ allow $1 selinux_login_config_t:dir list_dir_perms;
|
||||||
|
+ read_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
|
||||||
|
+ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Read and write the SELinux login configuration files.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`seutil_rw_login_config',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type selinux_config_t;
|
||||||
|
+ type selinux_login_config_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ files_search_etc($1)
|
||||||
|
+ allow $1 selinux_config_t:dir search_dir_perms;
|
||||||
|
+ allow $1 selinux_login_config_t:dir list_dir_perms;
|
||||||
|
+ rw_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
#######################################
|
||||||
|
## <summary>
|
||||||
|
## Create, read, write, and delete
|
||||||
|
@@ -694,15 +874,62 @@ interface(`seutil_manage_config',`
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
-## <rolecap/>
|
||||||
|
#
|
||||||
|
-interface(`seutil_manage_config_dirs',`
|
||||||
|
+interface(`seutil_rw_login_config_dirs',`
|
||||||
|
gen_require(`
|
||||||
|
type selinux_config_t;
|
||||||
|
+ type selinux_login_config_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_etc($1)
|
||||||
|
- allow $1 selinux_config_t:dir manage_dir_perms;
|
||||||
|
+ allow $1 selinux_config_t:dir search_dir_perms;
|
||||||
|
+ allow $1 selinux_login_config_t:dir rw_dir_perms;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+######################################
|
||||||
|
+## <summary>
|
||||||
|
+## Create, read, write, and delete
|
||||||
|
+## the general selinux configuration files.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`seutil_manage_login_config',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type selinux_config_t;
|
||||||
|
+ type selinux_login_config_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ files_search_etc($1)
|
||||||
|
+ allow $1 selinux_config_t:dir search_dir_perms;
|
||||||
|
+ manage_dirs_pattern($1, selinux_login_config_t, selinux_login_config_t)
|
||||||
|
+ manage_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
|
||||||
|
+ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+######################################
|
||||||
|
+## <summary>
|
||||||
|
+## manage the login selinux configuration files.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`seutil_manage_login_config_files',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type selinux_config_t;
|
||||||
|
+ type selinux_login_config_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ files_search_etc($1)
|
||||||
|
+ allow $1 selinux_config_t:dir search_dir_perms;
|
||||||
|
+ manage_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
|
||||||
|
+ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
@@ -746,6 +973,29 @@ interface(`seutil_read_default_contexts',`
|
||||||
read_files_pattern($1, default_context_t, default_context_t)
|
read_files_pattern($1, default_context_t, default_context_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
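Review bot: The summary above `seutil_manage_login_config` still says "the general selinux configuration files", yet the interface grants manage access on `selinux_login_config_t` directories and files; policy writers rely on these summaries when deciding what access to hand out, so it should read `## Create, read, write, and delete the SELinux login configuration directories and files.` `seutil_rw_login_config_dirs` likewise takes over the "Create, read, write, and delete" header that belonged to `seutil_manage_config_dirs` while granting only `rw_dir_perms` on `selinux_login_config_t:dir`, so `## Read and write the SELinux login configuration directories.` would match it (the rest of that header lies outside the lines shown). The same inner hunk drops the `seutil_manage_config_dirs` name and its `<rolecap/>` tag; if that interface is not redefined elsewhere in the patch, remaining callers would presumably stop building, which is worth confirming before release.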
@ -87937,7 +88110,7 @@ index 3822072..cac0b1e 100644
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Create, read, write, and delete the default_contexts files.
|
## Create, read, write, and delete the default_contexts files.
|
||||||
@@ -999,6 +1119,26 @@ interface(`seutil_domtrans_semanage',`
|
@@ -999,6 +1249,26 @@ interface(`seutil_domtrans_semanage',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -87964,7 +88137,7 @@ index 3822072..cac0b1e 100644
|
||||||
## Execute semanage in the semanage domain, and
|
## Execute semanage in the semanage domain, and
|
||||||
## allow the specified role the semanage domain,
|
## allow the specified role the semanage domain,
|
||||||
## and use the caller's terminal.
|
## and use the caller's terminal.
|
||||||
@@ -1017,11 +1157,66 @@ interface(`seutil_domtrans_semanage',`
|
@@ -1017,11 +1287,66 @@ interface(`seutil_domtrans_semanage',`
|
||||||
#
|
#
|
||||||
interface(`seutil_run_semanage',`
|
interface(`seutil_run_semanage',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
|
@ -88033,7 +88206,17 @@ index 3822072..cac0b1e 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1137,3 +1332,58 @@ interface(`seutil_dontaudit_libselinux_linked',`
|
@@ -1044,6 +1369,9 @@ interface(`seutil_manage_module_store',`
|
||||||
|
manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
|
||||||
|
manage_files_pattern($1, semanage_store_t, semanage_store_t)
|
||||||
|
filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
|
||||||
|
+ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active")
|
||||||
|
+ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous")
|
||||||
|
+ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "tmp")
|
||||||
|
')
|
||||||
|
|
||||||
|
#######################################
|
||||||
|
@@ -1137,3 +1465,58 @@ interface(`seutil_dontaudit_libselinux_linked',`
|
||||||
selinux_dontaudit_get_fs_mount($1)
|
selinux_dontaudit_get_fs_mount($1)
|
||||||
seutil_dontaudit_read_config($1)
|
seutil_dontaudit_read_config($1)
|
||||||
')
|
')
|
||||||
|
@ -88093,7 +88276,7 @@ index 3822072..cac0b1e 100644
|
||||||
+ auth_relabelto_shadow($1)
|
+ auth_relabelto_shadow($1)
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
|
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
|
||||||
index ec01d0b..98094ae 100644
|
index ec01d0b..12ed3ea 100644
|
||||||
--- a/policy/modules/system/selinuxutil.te
|
--- a/policy/modules/system/selinuxutil.te
|
||||||
+++ b/policy/modules/system/selinuxutil.te
|
+++ b/policy/modules/system/selinuxutil.te
|
||||||
@@ -11,14 +11,17 @@ gen_require(`
|
@@ -11,14 +11,17 @@ gen_require(`
|
||||||
|
@ -88119,17 +88302,20 @@ index ec01d0b..98094ae 100644
|
||||||
|
|
||||||
#
|
#
|
||||||
# selinux_config_t is the type applied to
|
# selinux_config_t is the type applied to
|
||||||
@@ -30,6 +33,9 @@ roleattribute system_r semanage_roles;
|
@@ -30,6 +33,12 @@ roleattribute system_r semanage_roles;
|
||||||
type selinux_config_t;
|
type selinux_config_t;
|
||||||
files_type(selinux_config_t)
|
files_type(selinux_config_t)
|
||||||
|
|
||||||
|
+type selinux_login_config_t;
|
||||||
|
+files_type(selinux_login_config_t)
|
||||||
|
+
|
||||||
+type selinux_var_lib_t;
|
+type selinux_var_lib_t;
|
||||||
+files_type(selinux_var_lib_t)
|
+files_type(selinux_var_lib_t)
|
||||||
+
|
+
|
||||||
type checkpolicy_t, can_write_binary_policy;
|
type checkpolicy_t, can_write_binary_policy;
|
||||||
type checkpolicy_exec_t;
|
type checkpolicy_exec_t;
|
||||||
application_domain(checkpolicy_t, checkpolicy_exec_t)
|
application_domain(checkpolicy_t, checkpolicy_exec_t)
|
||||||
@@ -60,14 +66,20 @@ application_domain(newrole_t, newrole_exec_t)
|
@@ -60,14 +69,20 @@ application_domain(newrole_t, newrole_exec_t)
|
||||||
domain_role_change_exemption(newrole_t)
|
domain_role_change_exemption(newrole_t)
|
||||||
domain_obj_id_change_exemption(newrole_t)
|
domain_obj_id_change_exemption(newrole_t)
|
||||||
domain_interactive_fd(newrole_t)
|
domain_interactive_fd(newrole_t)
|
||||||
|
@ -88153,7 +88339,7 @@ index ec01d0b..98094ae 100644
|
||||||
|
|
||||||
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
|
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
|
||||||
#neverallow ~can_write_binary_policy policy_config_t:file { write append };
|
#neverallow ~can_write_binary_policy policy_config_t:file { write append };
|
||||||
@@ -83,7 +95,6 @@ type restorecond_t;
|
@@ -83,7 +98,6 @@ type restorecond_t;
|
||||||
type restorecond_exec_t;
|
type restorecond_exec_t;
|
||||||
init_daemon_domain(restorecond_t, restorecond_exec_t)
|
init_daemon_domain(restorecond_t, restorecond_exec_t)
|
||||||
domain_obj_id_change_exemption(restorecond_t)
|
domain_obj_id_change_exemption(restorecond_t)
|
||||||
|
@ -88161,7 +88347,7 @@ index ec01d0b..98094ae 100644
|
||||||
|
|
||||||
type restorecond_var_run_t;
|
type restorecond_var_run_t;
|
||||||
files_pid_file(restorecond_var_run_t)
|
files_pid_file(restorecond_var_run_t)
|
||||||
@@ -92,25 +103,33 @@ type run_init_t;
|
@@ -92,25 +106,32 @@ type run_init_t;
|
||||||
type run_init_exec_t;
|
type run_init_exec_t;
|
||||||
application_domain(run_init_t, run_init_exec_t)
|
application_domain(run_init_t, run_init_exec_t)
|
||||||
domain_system_change_exemption(run_init_t)
|
domain_system_change_exemption(run_init_t)
|
||||||
|
@ -88172,7 +88358,6 @@ index ec01d0b..98094ae 100644
|
||||||
type semanage_t;
|
type semanage_t;
|
||||||
type semanage_exec_t;
|
type semanage_exec_t;
|
||||||
application_domain(semanage_t, semanage_exec_t)
|
application_domain(semanage_t, semanage_exec_t)
|
||||||
+dbus_system_domain(semanage_t, semanage_exec_t)
|
|
||||||
+init_daemon_domain(semanage_t, semanage_exec_t)
|
+init_daemon_domain(semanage_t, semanage_exec_t)
|
||||||
domain_interactive_fd(semanage_t)
|
domain_interactive_fd(semanage_t)
|
||||||
-role semanage_roles types semanage_t;
|
-role semanage_roles types semanage_t;
|
||||||
|
@ -88200,7 +88385,7 @@ index ec01d0b..98094ae 100644
|
||||||
|
|
||||||
type semanage_var_lib_t;
|
type semanage_var_lib_t;
|
||||||
files_type(semanage_var_lib_t)
|
files_type(semanage_var_lib_t)
|
||||||
@@ -120,6 +139,11 @@ type setfiles_exec_t alias restorecon_exec_t;
|
@@ -120,6 +141,11 @@ type setfiles_exec_t alias restorecon_exec_t;
|
||||||
init_system_domain(setfiles_t, setfiles_exec_t)
|
init_system_domain(setfiles_t, setfiles_exec_t)
|
||||||
domain_obj_id_change_exemption(setfiles_t)
|
domain_obj_id_change_exemption(setfiles_t)
|
||||||
|
|
||||||
|
@ -88212,7 +88397,15 @@ index ec01d0b..98094ae 100644
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Checkpolicy local policy
|
# Checkpolicy local policy
|
||||||
@@ -151,7 +175,7 @@ term_use_console(checkpolicy_t)
|
@@ -137,6 +163,7 @@ filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file)
|
||||||
|
read_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
|
||||||
|
read_lnk_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
|
||||||
|
allow checkpolicy_t selinux_config_t:dir search_dir_perms;
|
||||||
|
+allow checkpolicy_t selinux_login_config_t:dir search_dir_perms;
|
||||||
|
|
||||||
|
domain_use_interactive_fds(checkpolicy_t)
|
||||||
|
|
||||||
|
@@ -151,7 +178,7 @@ term_use_console(checkpolicy_t)
|
||||||
init_use_fds(checkpolicy_t)
|
init_use_fds(checkpolicy_t)
|
||||||
init_use_script_ptys(checkpolicy_t)
|
init_use_script_ptys(checkpolicy_t)
|
||||||
|
|
||||||
|
@ -88221,7 +88414,7 @@ index ec01d0b..98094ae 100644
|
||||||
userdom_use_all_users_fds(checkpolicy_t)
|
userdom_use_all_users_fds(checkpolicy_t)
|
||||||
|
|
||||||
ifdef(`distro_ubuntu',`
|
ifdef(`distro_ubuntu',`
|
||||||
@@ -188,13 +212,15 @@ term_list_ptys(load_policy_t)
|
@@ -188,13 +215,15 @@ term_list_ptys(load_policy_t)
|
||||||
|
|
||||||
init_use_script_fds(load_policy_t)
|
init_use_script_fds(load_policy_t)
|
||||||
init_use_script_ptys(load_policy_t)
|
init_use_script_ptys(load_policy_t)
|
||||||
|
@ -88238,7 +88431,15 @@ index ec01d0b..98094ae 100644
|
||||||
|
|
||||||
ifdef(`distro_ubuntu',`
|
ifdef(`distro_ubuntu',`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -220,7 +246,7 @@ optional_policy(`
|
@@ -205,6 +234,7 @@ ifdef(`distro_ubuntu',`
|
||||||
|
ifdef(`hide_broken_symptoms',`
|
||||||
|
# cjp: cover up stray file descriptors.
|
||||||
|
dontaudit load_policy_t selinux_config_t:file write;
|
||||||
|
+ dontaudit load_policy_t selinux_login_config_t:file write;
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
unconfined_dontaudit_read_pipes(load_policy_t)
|
||||||
|
@@ -220,7 +250,7 @@ optional_policy(`
|
||||||
# Newrole local policy
|
# Newrole local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
|
@ -88247,7 +88448,7 @@ index ec01d0b..98094ae 100644
|
||||||
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
|
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
|
||||||
allow newrole_t self:process setexec;
|
allow newrole_t self:process setexec;
|
||||||
allow newrole_t self:fd use;
|
allow newrole_t self:fd use;
|
||||||
@@ -232,7 +258,7 @@ allow newrole_t self:msgq create_msgq_perms;
|
@@ -232,7 +262,7 @@ allow newrole_t self:msgq create_msgq_perms;
|
||||||
allow newrole_t self:msg { send receive };
|
allow newrole_t self:msg { send receive };
|
||||||
allow newrole_t self:unix_dgram_socket sendto;
|
allow newrole_t self:unix_dgram_socket sendto;
|
||||||
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||||
|
@ -88256,7 +88457,7 @@ index ec01d0b..98094ae 100644
|
||||||
|
|
||||||
read_files_pattern(newrole_t, default_context_t, default_context_t)
|
read_files_pattern(newrole_t, default_context_t, default_context_t)
|
||||||
read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
|
read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
|
||||||
@@ -249,6 +275,7 @@ domain_use_interactive_fds(newrole_t)
|
@@ -249,6 +279,7 @@ domain_use_interactive_fds(newrole_t)
|
||||||
# for when the user types "exec newrole" at the command line:
|
# for when the user types "exec newrole" at the command line:
|
||||||
domain_sigchld_interactive_fds(newrole_t)
|
domain_sigchld_interactive_fds(newrole_t)
|
||||||
|
|
||||||
|
@ -88264,7 +88465,7 @@ index ec01d0b..98094ae 100644
|
||||||
files_read_etc_files(newrole_t)
|
files_read_etc_files(newrole_t)
|
||||||
files_read_var_files(newrole_t)
|
files_read_var_files(newrole_t)
|
||||||
files_read_var_symlinks(newrole_t)
|
files_read_var_symlinks(newrole_t)
|
||||||
@@ -276,25 +303,39 @@ term_relabel_all_ptys(newrole_t)
|
@@ -276,25 +307,39 @@ term_relabel_all_ptys(newrole_t)
|
||||||
term_getattr_unallocated_ttys(newrole_t)
|
term_getattr_unallocated_ttys(newrole_t)
|
||||||
term_dontaudit_use_unallocated_ttys(newrole_t)
|
term_dontaudit_use_unallocated_ttys(newrole_t)
|
||||||
|
|
||||||
|
@ -88310,7 +88511,7 @@ index ec01d0b..98094ae 100644
|
||||||
ifdef(`distro_ubuntu',`
|
ifdef(`distro_ubuntu',`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
unconfined_domain(newrole_t)
|
unconfined_domain(newrole_t)
|
||||||
@@ -309,7 +350,7 @@ if(secure_mode) {
|
@@ -309,7 +354,7 @@ if(secure_mode) {
|
||||||
userdom_spec_domtrans_all_users(newrole_t)
|
userdom_spec_domtrans_all_users(newrole_t)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -88319,7 +88520,7 @@ index ec01d0b..98094ae 100644
|
||||||
files_polyinstantiate_all(newrole_t)
|
files_polyinstantiate_all(newrole_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -328,9 +369,13 @@ kernel_use_fds(restorecond_t)
|
@@ -328,9 +373,13 @@ kernel_use_fds(restorecond_t)
|
||||||
kernel_rw_pipes(restorecond_t)
|
kernel_rw_pipes(restorecond_t)
|
||||||
kernel_read_system_state(restorecond_t)
|
kernel_read_system_state(restorecond_t)
|
||||||
|
|
||||||
|
@ -88334,7 +88535,7 @@ index ec01d0b..98094ae 100644
|
||||||
fs_list_inotifyfs(restorecond_t)
|
fs_list_inotifyfs(restorecond_t)
|
||||||
|
|
||||||
selinux_validate_context(restorecond_t)
|
selinux_validate_context(restorecond_t)
|
||||||
@@ -341,6 +386,7 @@ selinux_compute_user_contexts(restorecond_t)
|
@@ -341,6 +390,7 @@ selinux_compute_user_contexts(restorecond_t)
|
||||||
|
|
||||||
files_relabel_non_auth_files(restorecond_t )
|
files_relabel_non_auth_files(restorecond_t )
|
||||||
files_read_non_auth_files(restorecond_t)
|
files_read_non_auth_files(restorecond_t)
|
||||||
|
@ -88342,7 +88543,7 @@ index ec01d0b..98094ae 100644
|
||||||
auth_use_nsswitch(restorecond_t)
|
auth_use_nsswitch(restorecond_t)
|
||||||
|
|
||||||
locallogin_dontaudit_use_fds(restorecond_t)
|
locallogin_dontaudit_use_fds(restorecond_t)
|
||||||
@@ -351,6 +397,8 @@ miscfiles_read_localization(restorecond_t)
|
@@ -351,6 +401,8 @@ miscfiles_read_localization(restorecond_t)
|
||||||
|
|
||||||
seutil_libselinux_linked(restorecond_t)
|
seutil_libselinux_linked(restorecond_t)
|
||||||
|
|
||||||
|
@ -88351,7 +88552,7 @@ index ec01d0b..98094ae 100644
|
||||||
ifdef(`distro_ubuntu',`
|
ifdef(`distro_ubuntu',`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
unconfined_domain(restorecond_t)
|
unconfined_domain(restorecond_t)
|
||||||
@@ -366,21 +414,24 @@ optional_policy(`
|
@@ -366,21 +418,24 @@ optional_policy(`
|
||||||
# Run_init local policy
|
# Run_init local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
|
@ -88378,7 +88579,7 @@ index ec01d0b..98094ae 100644
|
||||||
dev_dontaudit_list_all_dev_nodes(run_init_t)
|
dev_dontaudit_list_all_dev_nodes(run_init_t)
|
||||||
|
|
||||||
domain_use_interactive_fds(run_init_t)
|
domain_use_interactive_fds(run_init_t)
|
||||||
@@ -398,14 +449,23 @@ selinux_compute_create_context(run_init_t)
|
@@ -398,14 +453,23 @@ selinux_compute_create_context(run_init_t)
|
||||||
selinux_compute_relabel_context(run_init_t)
|
selinux_compute_relabel_context(run_init_t)
|
||||||
selinux_compute_user_contexts(run_init_t)
|
selinux_compute_user_contexts(run_init_t)
|
||||||
|
|
||||||
|
@ -88404,7 +88605,7 @@ index ec01d0b..98094ae 100644
|
||||||
|
|
||||||
logging_send_syslog_msg(run_init_t)
|
logging_send_syslog_msg(run_init_t)
|
||||||
|
|
||||||
@@ -414,7 +474,7 @@ miscfiles_read_localization(run_init_t)
|
@@ -414,7 +478,7 @@ miscfiles_read_localization(run_init_t)
|
||||||
seutil_libselinux_linked(run_init_t)
|
seutil_libselinux_linked(run_init_t)
|
||||||
seutil_read_default_contexts(run_init_t)
|
seutil_read_default_contexts(run_init_t)
|
||||||
|
|
||||||
|
@ -88413,7 +88614,7 @@ index ec01d0b..98094ae 100644
|
||||||
|
|
||||||
ifndef(`direct_sysadm_daemon',`
|
ifndef(`direct_sysadm_daemon',`
|
||||||
ifdef(`distro_gentoo',`
|
ifdef(`distro_gentoo',`
|
||||||
@@ -425,6 +485,19 @@ ifndef(`direct_sysadm_daemon',`
|
@@ -425,6 +489,19 @@ ifndef(`direct_sysadm_daemon',`
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -88433,7 +88634,7 @@ index ec01d0b..98094ae 100644
|
||||||
ifdef(`distro_ubuntu',`
|
ifdef(`distro_ubuntu',`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
unconfined_domain(run_init_t)
|
unconfined_domain(run_init_t)
|
||||||
@@ -440,81 +513,83 @@ optional_policy(`
|
@@ -440,81 +517,87 @@ optional_policy(`
|
||||||
# semodule local policy
|
# semodule local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
|
@ -88480,11 +88681,11 @@ index ec01d0b..98094ae 100644
|
||||||
-
|
-
|
||||||
-# Running genhomedircon requires this for finding all users
|
-# Running genhomedircon requires this for finding all users
|
||||||
-auth_use_nsswitch(semanage_t)
|
-auth_use_nsswitch(semanage_t)
|
||||||
|
-
|
||||||
|
-locallogin_use_fds(semanage_t)
|
||||||
+# Admins are creating pp files in random locations
|
+# Admins are creating pp files in random locations
|
||||||
+files_read_non_security_files(semanage_t)
|
+files_read_non_security_files(semanage_t)
|
||||||
|
|
||||||
-locallogin_use_fds(semanage_t)
|
|
||||||
-
|
|
||||||
-logging_send_syslog_msg(semanage_t)
|
-logging_send_syslog_msg(semanage_t)
|
||||||
-
|
-
|
||||||
-miscfiles_read_localization(semanage_t)
|
-miscfiles_read_localization(semanage_t)
|
||||||
|
@ -88527,6 +88728,10 @@ index ec01d0b..98094ae 100644
|
||||||
- unconfined_domain(semanage_t)
|
- unconfined_domain(semanage_t)
|
||||||
- ')
|
- ')
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
|
+ dbus_system_domain(semanage_t, semanage_exec_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
+ mock_manage_lib_files(semanage_t)
|
+ mock_manage_lib_files(semanage_t)
|
||||||
+ mock_manage_lib_dirs(semanage_t)
|
+ mock_manage_lib_dirs(semanage_t)
|
||||||
+')
|
+')
|
||||||
|
@ -88570,7 +88775,7 @@ index ec01d0b..98094ae 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -522,108 +597,184 @@ ifdef(`distro_ubuntu',`
|
@@ -522,108 +605,184 @@ ifdef(`distro_ubuntu',`
|
||||||
# Setfiles local policy
|
# Setfiles local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
|
@ -88647,14 +88852,15 @@ index ec01d0b..98094ae 100644
|
||||||
+ devicekit_dontaudit_read_pid_files(setfiles_t)
|
+ devicekit_dontaudit_read_pid_files(setfiles_t)
|
||||||
+ devicekit_dontaudit_rw_log(setfiles_t)
|
+ devicekit_dontaudit_rw_log(setfiles_t)
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
-seutil_libselinux_linked(setfiles_t)
|
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ xserver_append_xdm_tmp_files(setfiles_t)
|
+ xserver_append_xdm_tmp_files(setfiles_t)
|
||||||
+')
|
+')
|
||||||
+
|
|
||||||
|
-seutil_libselinux_linked(setfiles_t)
|
||||||
+ifdef(`hide_broken_symptoms',`
|
+ifdef(`hide_broken_symptoms',`
|
||||||
+
|
|
||||||
|
-userdom_use_all_users_fds(setfiles_t)
|
||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
+ setroubleshoot_fixit_dontaudit_leaks(setfiles_t)
|
+ setroubleshoot_fixit_dontaudit_leaks(setfiles_t)
|
||||||
+ setroubleshoot_fixit_dontaudit_leaks(setsebool_t)
|
+ setroubleshoot_fixit_dontaudit_leaks(setsebool_t)
|
||||||
|
@ -88665,8 +88871,7 @@ index ec01d0b..98094ae 100644
|
||||||
+ unconfined_domain(setfiles_t)
|
+ unconfined_domain(setfiles_t)
|
||||||
+ ')
|
+ ')
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
-userdom_use_all_users_fds(setfiles_t)
|
|
||||||
+########################################
|
+########################################
|
||||||
+#
|
+#
|
||||||
+# Setfiles common policy
|
+# Setfiles common policy
|
||||||
|
|
File diff suppressed because it is too large
|
@ -19,7 +19,7 @@
|
||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.11.1
|
Version: 3.11.1
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
|
@ -491,6 +491,18 @@ SELinux Reference policy mls base module.
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Aug 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-2
|
||||||
|
- Add new type selinux_login_config_t for /etc/selinux/<type>/logins/
|
||||||
|
- Additional fixes for seutil_manage_module_store()
|
||||||
|
- dbus_system_domain() should be used with optional_policy
|
||||||
|
- Fix svirt to be allowed to use fusefs file system
|
||||||
|
- Allow login programs to read /run/ data created by systemd_login
|
||||||
|
- sssd wants to write /etc/selinux/<policy>/logins/ for SELinux PAM module
|
||||||
|
- Fix svirt to be allowed to use fusefs file system
|
||||||
|
- Allow piranha domain to use nsswitch
|
||||||
|
- Sanlock needs to send Kill Signals to non root processes
|
||||||
|
- Pulseaudio wants to execute /run/user/PID/.orc
|
||||||
|
|
||||||
* Fri Aug 3 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-1
|
* Fri Aug 3 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-1
|
||||||
- Fix saslauthd when it tries to read /etc/shadow
|
- Fix saslauthd when it tries to read /etc/shadow
|
||||||
- Label gnome-boxes as a virt homedir
|
- Label gnome-boxes as a virt homedir
|
||||||
|
|