* Tue Dec 19 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-307
- Allow crond_t to read pcp lib files BZ(1525420) - Allow mozilla plugin domain to mmap user_home_t files BZ(1452783) - Allow certwatch_t to mmap generic certs. BZ(1527173) - Allow dspam_t to manage dspam_rw_content_t objects. BZ(1290876) - Add interface userdom_map_user_home_files() - Systemd introduced a new feature where journald (syslogd_t) tries to read symlinks to unit files in /run/systemd/units. This commit labels /run/systemd/units/* as systemd_unit_file_t and allows syslogd_t to read this content. BZ(1527202) - Allow xdm_t dbus chat with modemmanager_t BZ(1526722) - All domains accessing home_cert_t objects should also mmap it. BZ(1519810)
parent
270b6479cd
commit
73d7285c92
@ -12792,10 +12792,10 @@ index 550b287ce..73104ec93 100644
|
||||
+ ')
|
||||
+')
|
||||
diff --git a/certwatch.te b/certwatch.te
|
||||
index 171fafb99..38614a0e9 100644
|
||||
index 171fafb99..6cf8b7957 100644
|
||||
--- a/certwatch.te
|
||||
+++ b/certwatch.te
|
||||
@@ -18,35 +18,47 @@ role certwatch_roles types certwatch_t;
|
||||
@@ -18,35 +18,48 @@ role certwatch_roles types certwatch_t;
|
||||
# Local policy
|
||||
#
|
||||
|
||||
@ -12827,6 +12827,7 @@ index 171fafb99..38614a0e9 100644
|
||||
miscfiles_read_all_certs(certwatch_t)
|
||||
-miscfiles_read_localization(certwatch_t)
|
||||
+miscfiles_manage_generic_cert_dirs(certwatch_t)
|
||||
+miscfiles_map_generic_certs(certwatch_t)
|
||||
+
|
||||
+sysnet_read_config(certwatch_t)
|
||||
|
||||
@ -20020,7 +20021,7 @@ index 1303b3036..f5bd4aee8 100644
|
||||
+ logging_log_filetrans($1, var_log_t, file, "redhat-access-insights.log")
|
||||
')
|
||||
diff --git a/cron.te b/cron.te
|
||||
index 7de385956..46400791a 100644
|
||||
index 7de385956..31053c2a9 100644
|
||||
--- a/cron.te
|
||||
+++ b/cron.te
|
||||
@@ -11,46 +11,54 @@ gen_require(`
|
||||
@ -20439,7 +20440,7 @@ index 7de385956..46400791a 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -354,103 +314,141 @@ optional_policy(`
|
||||
@@ -354,103 +314,145 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -20448,22 +20449,20 @@ index 7de385956..46400791a 100644
|
||||
- optional_policy(`
|
||||
- hal_dbus_chat(crond_t)
|
||||
- ')
|
||||
-
|
||||
+ djbdns_search_tinydns_keys(crond_t)
|
||||
+ djbdns_link_tinydns_keys(crond_t)
|
||||
+')
|
||||
|
||||
- optional_policy(`
|
||||
- unconfined_dbus_send(crond_t)
|
||||
- ')
|
||||
+ djbdns_search_tinydns_keys(crond_t)
|
||||
+ djbdns_link_tinydns_keys(crond_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- amanda_search_var_lib(crond_t)
|
||||
+optional_policy(`
|
||||
+ locallogin_search_keys(crond_t)
|
||||
+ locallogin_link_keys(crond_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- amavis_search_lib(crond_t)
|
||||
- amanda_search_var_lib(crond_t)
|
||||
+ # these should probably be unconfined_crond_t
|
||||
+ dbus_system_bus_client(crond_t)
|
||||
+ init_dbus_send_script(crond_t)
|
||||
@ -20471,28 +20470,32 @@ index 7de385956..46400791a 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- djbdns_search_tinydns_keys(crond_t)
|
||||
- djbdns_link_tinydns_keys(crond_t)
|
||||
- amavis_search_lib(crond_t)
|
||||
+ amanda_search_var_lib(crond_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- hal_write_log(crond_t)
|
||||
- djbdns_search_tinydns_keys(crond_t)
|
||||
- djbdns_link_tinydns_keys(crond_t)
|
||||
+ antivirus_search_db(crond_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ hal_dbus_chat(crond_t)
|
||||
hal_write_log(crond_t)
|
||||
+ hal_dbus_chat(system_cronjob_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- locallogin_search_keys(crond_t)
|
||||
- locallogin_link_keys(crond_t)
|
||||
+ hal_dbus_chat(crond_t)
|
||||
+ hal_write_log(crond_t)
|
||||
+ hal_dbus_chat(system_cronjob_t)
|
||||
+ # cjp: why?
|
||||
+ munin_search_lib(crond_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- mta_send_mail(crond_t)
|
||||
+ # cjp: why?
|
||||
+ munin_search_lib(crond_t)
|
||||
+ pcp_read_lib_files(crond_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -20613,7 +20616,7 @@ index 7de385956..46400791a 100644
|
||||
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
|
||||
allow system_cronjob_t cron_spool_t:file rw_file_perms;
|
||||
|
||||
@@ -461,11 +459,11 @@ kernel_read_network_state(system_cronjob_t)
|
||||
@@ -461,11 +463,11 @@ kernel_read_network_state(system_cronjob_t)
|
||||
kernel_read_system_state(system_cronjob_t)
|
||||
kernel_read_software_raid_state(system_cronjob_t)
|
||||
|
||||
@ -20626,7 +20629,7 @@ index 7de385956..46400791a 100644
|
||||
corenet_all_recvfrom_netlabel(system_cronjob_t)
|
||||
corenet_tcp_sendrecv_generic_if(system_cronjob_t)
|
||||
corenet_udp_sendrecv_generic_if(system_cronjob_t)
|
||||
@@ -485,6 +483,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
|
||||
@@ -485,6 +487,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
|
||||
fs_getattr_all_pipes(system_cronjob_t)
|
||||
fs_getattr_all_sockets(system_cronjob_t)
|
||||
|
||||
@ -20634,7 +20637,7 @@ index 7de385956..46400791a 100644
|
||||
domain_dontaudit_read_all_domains_state(system_cronjob_t)
|
||||
|
||||
files_exec_etc_files(system_cronjob_t)
|
||||
@@ -495,17 +494,22 @@ files_getattr_all_files(system_cronjob_t)
|
||||
@@ -495,17 +498,22 @@ files_getattr_all_files(system_cronjob_t)
|
||||
files_getattr_all_symlinks(system_cronjob_t)
|
||||
files_getattr_all_pipes(system_cronjob_t)
|
||||
files_getattr_all_sockets(system_cronjob_t)
|
||||
@ -20659,7 +20662,7 @@ index 7de385956..46400791a 100644
|
||||
|
||||
auth_use_nsswitch(system_cronjob_t)
|
||||
|
||||
@@ -516,20 +520,28 @@ logging_read_generic_logs(system_cronjob_t)
|
||||
@@ -516,20 +524,28 @@ logging_read_generic_logs(system_cronjob_t)
|
||||
logging_send_audit_msgs(system_cronjob_t)
|
||||
logging_send_syslog_msg(system_cronjob_t)
|
||||
|
||||
@ -20690,7 +20693,7 @@ index 7de385956..46400791a 100644
|
||||
selinux_validate_context(system_cronjob_t)
|
||||
selinux_compute_access_vector(system_cronjob_t)
|
||||
selinux_compute_create_context(system_cronjob_t)
|
||||
@@ -539,10 +551,26 @@ tunable_policy(`cron_can_relabel',`
|
||||
@@ -539,10 +555,26 @@ tunable_policy(`cron_can_relabel',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -20717,7 +20720,7 @@ index 7de385956..46400791a 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -551,10 +579,6 @@ optional_policy(`
|
||||
@@ -551,10 +583,6 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(system_cronjob_t)
|
||||
@ -20728,7 +20731,7 @@ index 7de385956..46400791a 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -567,6 +591,10 @@ optional_policy(`
|
||||
@@ -567,6 +595,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -20739,7 +20742,7 @@ index 7de385956..46400791a 100644
|
||||
ftp_read_log(system_cronjob_t)
|
||||
')
|
||||
|
||||
@@ -591,6 +619,8 @@ optional_policy(`
|
||||
@@ -591,6 +623,8 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
mta_read_config(system_cronjob_t)
|
||||
mta_send_mail(system_cronjob_t)
|
||||
@ -20748,7 +20751,7 @@ index 7de385956..46400791a 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -598,7 +628,31 @@ optional_policy(`
|
||||
@@ -598,7 +632,31 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -20780,7 +20783,7 @@ index 7de385956..46400791a 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -607,7 +661,12 @@ optional_policy(`
|
||||
@@ -607,7 +665,12 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -20793,7 +20796,7 @@ index 7de385956..46400791a 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -615,12 +674,27 @@ optional_policy(`
|
||||
@@ -615,12 +678,27 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -20823,7 +20826,7 @@ index 7de385956..46400791a 100644
|
||||
#
|
||||
|
||||
allow cronjob_t self:process { signal_perms setsched };
|
||||
@@ -628,12 +702,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
|
||||
@@ -628,12 +706,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
|
||||
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow cronjob_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
@ -20857,7 +20860,7 @@ index 7de385956..46400791a 100644
|
||||
corenet_all_recvfrom_netlabel(cronjob_t)
|
||||
corenet_tcp_sendrecv_generic_if(cronjob_t)
|
||||
corenet_udp_sendrecv_generic_if(cronjob_t)
|
||||
@@ -641,66 +735,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
|
||||
@@ -641,66 +739,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
|
||||
corenet_udp_sendrecv_generic_node(cronjob_t)
|
||||
corenet_tcp_sendrecv_all_ports(cronjob_t)
|
||||
corenet_udp_sendrecv_all_ports(cronjob_t)
|
||||
@ -23031,7 +23034,7 @@ index dda905b9c..60806a524 100644
|
||||
/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
|
||||
+')
|
||||
diff --git a/dbus.if b/dbus.if
|
||||
index 62d22cb46..c0c2ed47d 100644
|
||||
index 62d22cb46..d9c0343da 100644
|
||||
--- a/dbus.if
|
||||
+++ b/dbus.if
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -23109,7 +23112,7 @@ index 62d22cb46..c0c2ed47d 100644
|
||||
-
|
||||
- allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
|
||||
+ # For connecting to the bus
|
||||
+ allow $3 $1_dbusd_t:unix_stream_socket { connectto rw_socket_perms };
|
||||
+ allow $3 $1_dbusd_t:unix_stream_socket { connectto rw_socket_perms create };
|
||||
+ allow $1_dbusd_t $3:unix_stream_socket { accept getattr getopt read write };
|
||||
|
||||
- allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
|
||||
@ -23561,7 +23564,7 @@ index 62d22cb46..c0c2ed47d 100644
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Type to be used as a domain.
|
||||
@@ -397,199 +410,250 @@ interface(`dbus_manage_lib_files',`
|
||||
@@ -397,199 +410,251 @@ interface(`dbus_manage_lib_files',`
|
||||
## </param>
|
||||
## <param name="entry_point">
|
||||
## <summary>
|
||||
@ -23881,6 +23884,7 @@ index 62d22cb46..c0c2ed47d 100644
|
||||
|
||||
- allow $1 system_dbusd_t:fd use;
|
||||
+ dontaudit $1 system_dbusd_t:unix_stream_socket connectto;
|
||||
+ dontaudit $1 system_dbusd_t:sock_file write;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -23892,7 +23896,7 @@ index 62d22cb46..c0c2ed47d 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -597,28 +661,68 @@ interface(`dbus_use_system_bus_fds',`
|
||||
@@ -597,28 +662,68 @@ interface(`dbus_use_system_bus_fds',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -23970,7 +23974,7 @@ index 62d22cb46..c0c2ed47d 100644
|
||||
+ manage_dirs_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t)
|
||||
')
|
||||
diff --git a/dbus.te b/dbus.te
|
||||
index c9998c80d..328aa81d2 100644
|
||||
index c9998c80d..5a9dfdf1e 100644
|
||||
--- a/dbus.te
|
||||
+++ b/dbus.te
|
||||
@@ -4,17 +4,15 @@ gen_require(`
|
||||
@ -24004,7 +24008,15 @@ index c9998c80d..328aa81d2 100644
|
||||
type session_dbusd_tmp_t;
|
||||
typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
|
||||
typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };
|
||||
@@ -41,7 +36,8 @@ files_type(system_dbusd_var_lib_t)
|
||||
@@ -36,12 +31,16 @@ init_system_domain(system_dbusd_t, dbusd_exec_t)
|
||||
type system_dbusd_tmp_t;
|
||||
files_tmp_file(system_dbusd_tmp_t)
|
||||
|
||||
+type system_dbusd_tmpfs_t;
|
||||
+files_tmpfs_file(system_dbusd_tmpfs_t)
|
||||
+
|
||||
type system_dbusd_var_lib_t;
|
||||
files_type(system_dbusd_var_lib_t)
|
||||
|
||||
type system_dbusd_var_run_t;
|
||||
files_pid_file(system_dbusd_var_run_t)
|
||||
@ -24014,7 +24026,7 @@ index c9998c80d..328aa81d2 100644
|
||||
|
||||
ifdef(`enable_mcs',`
|
||||
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
|
||||
@@ -51,59 +47,64 @@ ifdef(`enable_mls',`
|
||||
@@ -51,59 +50,69 @@ ifdef(`enable_mls',`
|
||||
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
|
||||
')
|
||||
|
||||
@ -24050,6 +24062,11 @@ index c9998c80d..328aa81d2 100644
|
||||
manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
|
||||
-files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file })
|
||||
+files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
|
||||
+
|
||||
+manage_files_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t)
|
||||
+manage_dirs_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t)
|
||||
+fs_tmpfs_filetrans(system_dbusd_t, system_dbusd_tmpfs_t, { dir file })
|
||||
+allow system_dbusd_t system_dbusd_tmpfs_t:file map;
|
||||
|
||||
read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
|
||||
|
||||
@ -24097,7 +24114,7 @@ index c9998c80d..328aa81d2 100644
|
||||
mls_fd_use_all_levels(system_dbusd_t)
|
||||
mls_rangetrans_target(system_dbusd_t)
|
||||
mls_file_read_all_levels(system_dbusd_t)
|
||||
@@ -123,66 +124,177 @@ term_dontaudit_use_console(system_dbusd_t)
|
||||
@@ -123,66 +132,177 @@ term_dontaudit_use_console(system_dbusd_t)
|
||||
auth_use_nsswitch(system_dbusd_t)
|
||||
auth_read_pam_console_data(system_dbusd_t)
|
||||
|
||||
@ -24175,14 +24192,14 @@ index c9998c80d..328aa81d2 100644
|
||||
+
|
||||
+optional_policy(`
|
||||
+ snapper_read_inherited_pipe(system_dbusd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ sysnet_domtrans_dhcpc(system_dbusd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- seutil_sigchld_newrole(system_dbusd_t)
|
||||
+ sysnet_domtrans_dhcpc(system_dbusd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ systemd_use_fds_logind(system_dbusd_t)
|
||||
+ systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
|
||||
+ systemd_write_inhibit_pipes(system_dbusd_t)
|
||||
@ -24216,7 +24233,7 @@ index c9998c80d..328aa81d2 100644
|
||||
#
|
||||
+role system_r types system_bus_type;
|
||||
+dontaudit system_bus_type self:capability net_admin;
|
||||
+
|
||||
|
||||
+allow system_bus_type system_dbusd_t:unix_stream_socket rw_socket_perms;
|
||||
+
|
||||
+fs_search_all(system_bus_type)
|
||||
@ -24250,7 +24267,7 @@ index c9998c80d..328aa81d2 100644
|
||||
+ifdef(`hide_broken_symptoms',`
|
||||
+ dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
|
||||
+')
|
||||
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# session_bus_type rules
|
||||
@ -24289,7 +24306,7 @@ index c9998c80d..328aa81d2 100644
|
||||
kernel_read_kernel_sysctls(session_bus_type)
|
||||
|
||||
corecmd_list_bin(session_bus_type)
|
||||
@@ -191,23 +303,18 @@ corecmd_read_bin_files(session_bus_type)
|
||||
@@ -191,23 +311,18 @@ corecmd_read_bin_files(session_bus_type)
|
||||
corecmd_read_bin_pipes(session_bus_type)
|
||||
corecmd_read_bin_sockets(session_bus_type)
|
||||
|
||||
@ -24314,7 +24331,7 @@ index c9998c80d..328aa81d2 100644
|
||||
files_dontaudit_search_var(session_bus_type)
|
||||
|
||||
fs_getattr_romfs(session_bus_type)
|
||||
@@ -215,7 +322,6 @@ fs_getattr_xattr_fs(session_bus_type)
|
||||
@@ -215,7 +330,6 @@ fs_getattr_xattr_fs(session_bus_type)
|
||||
fs_list_inotifyfs(session_bus_type)
|
||||
fs_dontaudit_list_nfs(session_bus_type)
|
||||
|
||||
@ -24322,7 +24339,7 @@ index c9998c80d..328aa81d2 100644
|
||||
selinux_validate_context(session_bus_type)
|
||||
selinux_compute_access_vector(session_bus_type)
|
||||
selinux_compute_create_context(session_bus_type)
|
||||
@@ -225,18 +331,36 @@ selinux_compute_user_contexts(session_bus_type)
|
||||
@@ -225,18 +339,36 @@ selinux_compute_user_contexts(session_bus_type)
|
||||
auth_read_pam_console_data(session_bus_type)
|
||||
|
||||
logging_send_audit_msgs(session_bus_type)
|
||||
@ -24364,7 +24381,7 @@ index c9998c80d..328aa81d2 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -244,5 +368,9 @@ optional_policy(`
|
||||
@@ -244,5 +376,9 @@ optional_policy(`
|
||||
# Unconfined access to this module
|
||||
#
|
||||
|
||||
@ -28598,7 +28615,7 @@ index 18f245250..a446210f0 100644
|
||||
+
|
||||
')
|
||||
diff --git a/dspam.te b/dspam.te
|
||||
index ef6236335..084171673 100644
|
||||
index ef6236335..25dcb975a 100644
|
||||
--- a/dspam.te
|
||||
+++ b/dspam.te
|
||||
@@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t)
|
||||
@ -28624,7 +28641,7 @@ index ef6236335..084171673 100644
|
||||
|
||||
files_search_spool(dspam_t)
|
||||
|
||||
@@ -64,14 +73,32 @@ auth_use_nsswitch(dspam_t)
|
||||
@@ -64,14 +73,35 @@ auth_use_nsswitch(dspam_t)
|
||||
|
||||
logging_send_syslog_msg(dspam_t)
|
||||
|
||||
@ -28634,6 +28651,9 @@ index ef6236335..084171673 100644
|
||||
apache_content_template(dspam)
|
||||
+ apache_content_alias_template(dspam, dspam)
|
||||
+
|
||||
+ manage_dirs_pattern(dspam_t, dspam_rw_content_t, dspam_rw_content_t)
|
||||
+ manage_files_pattern(dspam_t, dspam_rw_content_t, dspam_rw_content_t)
|
||||
+
|
||||
+ read_files_pattern(dspam_script_t, dspam_var_lib_t, dspam_var_lib_t)
|
||||
+
|
||||
+ auth_read_passwd(dspam_script_t)
|
||||
@ -28641,14 +28661,14 @@ index ef6236335..084171673 100644
|
||||
+ files_search_var_lib(dspam_script_t)
|
||||
+
|
||||
+ domain_dontaudit_read_all_domains_state(dspam_script_t)
|
||||
+
|
||||
+ term_dontaudit_search_ptys(dspam_script_t)
|
||||
+ term_dontaudit_getattr_all_ttys(dspam_script_t)
|
||||
+ term_dontaudit_getattr_all_ptys(dspam_script_t)
|
||||
|
||||
- list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t)
|
||||
- manage_dirs_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)
|
||||
- manage_files_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)
|
||||
+ term_dontaudit_search_ptys(dspam_script_t)
|
||||
+ term_dontaudit_getattr_all_ttys(dspam_script_t)
|
||||
+ term_dontaudit_getattr_all_ptys(dspam_script_t)
|
||||
+
|
||||
+ init_read_utmp(dspam_script_t)
|
||||
+
|
||||
+ logging_send_syslog_msg(dspam_script_t)
|
||||
@ -28662,7 +28682,7 @@ index ef6236335..084171673 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -87,3 +114,12 @@ optional_policy(`
|
||||
@@ -87,3 +117,12 @@ optional_policy(`
|
||||
|
||||
postgresql_tcp_connect(dspam_t)
|
||||
')
|
||||
@ -50810,7 +50830,7 @@ index 1d4eb19b8..650014e0f 100644
|
||||
admin_pattern($1, memcached_var_run_t)
|
||||
')
|
||||
diff --git a/memcached.te b/memcached.te
|
||||
index 29b752160..8c41e59db 100644
|
||||
index 29b752160..5000dd91c 100644
|
||||
--- a/memcached.te
|
||||
+++ b/memcached.te
|
||||
@@ -8,6 +8,7 @@ policy_module(memcached, 1.3.1)
|
||||
@ -50830,7 +50850,16 @@ index 29b752160..8c41e59db 100644
|
||||
dontaudit memcached_t self:capability sys_tty_config;
|
||||
allow memcached_t self:process { setrlimit signal_perms };
|
||||
allow memcached_t self:tcp_socket { accept listen };
|
||||
@@ -59,4 +60,3 @@ term_dontaudit_use_console(memcached_t)
|
||||
@@ -28,6 +29,8 @@ allow memcached_t self:udp_socket { accept listen };
|
||||
allow memcached_t self:fifo_file rw_fifo_file_perms;
|
||||
allow memcached_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
+allow memcached_t memcached_exec_t:file map;
|
||||
+
|
||||
manage_dirs_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
|
||||
manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
|
||||
manage_sock_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
|
||||
@@ -59,4 +62,3 @@ term_dontaudit_use_console(memcached_t)
|
||||
|
||||
auth_use_nsswitch(memcached_t)
|
||||
|
||||
@ -54082,7 +54111,7 @@ index 6194b806b..e27c53d6e 100644
|
||||
')
|
||||
+
|
||||
diff --git a/mozilla.te b/mozilla.te
|
||||
index 11ac8e4fc..bb6533dae 100644
|
||||
index 11ac8e4fc..7e6607cab 100644
|
||||
--- a/mozilla.te
|
||||
+++ b/mozilla.te
|
||||
@@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0)
|
||||
@ -54536,7 +54565,7 @@ index 11ac8e4fc..bb6533dae 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -300,259 +340,265 @@ optional_policy(`
|
||||
@@ -300,259 +340,266 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -54833,6 +54862,7 @@ index 11ac8e4fc..bb6533dae 100644
|
||||
+userdom_read_user_tmp_symlinks(mozilla_plugin_t)
|
||||
+userdom_stream_connect(mozilla_plugin_t)
|
||||
+userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_t)
|
||||
+userdom_map_user_home_files(mozilla_plugin_t)
|
||||
|
||||
-ifndef(`enable_mls',`
|
||||
- fs_list_dos(mozilla_plugin_t)
|
||||
@ -54948,7 +54978,7 @@ index 11ac8e4fc..bb6533dae 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -560,7 +606,11 @@ optional_policy(`
|
||||
@@ -560,7 +607,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -54961,7 +54991,7 @@ index 11ac8e4fc..bb6533dae 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -568,108 +618,144 @@ optional_policy(`
|
||||
@@ -568,108 +619,144 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
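Review bot: `pcp_read_lib_files(crond_t)`, the new line just above the closing `')` near the end of the cron.te hunk, appears to land in the same `optional_policy(`` block as `munin_search_lib(crond_t)`, as far as old and new sides can be told apart on this rendered page. An `optional_policy` block is dropped as a whole when any module it references is not loaded, so a machine without the munin module silently loses the pcp access this commit adds for BZ(1525420) (and a machine without pcp loses the munin rule); the refpolicy convention is one module per block. I would give the new rule its own block: `optional_policy(`` / `	pcp_read_lib_files(crond_t)` / `')`. The dbus.if hunk that adds `create` to `allow $3 $1_dbusd_t:unix_stream_socket { connectto rw_socket_perms create };`, and the dbus.te `system_dbusd_tmpfs_t` rules, are not mentioned in the commit message or changelog and deserve a line each. These hunks belong to a regenerated patch whose other hunks run outside this view.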
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 306%{?dist}
|
||||
Release: 307%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -717,6 +717,16 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Dec 19 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-307
|
||||
- Allow crond_t to read pcp lib files BZ(1525420)
|
||||
- Allow mozilla plugin domain to mmap user_home_t files BZ(1452783)
|
||||
- Allow certwatch_t to mmap generic certs. BZ(1527173)
|
||||
- Allow dspam_t to manage dspam_rw_conent_t objects. BZ(1290876)
|
||||
- Add interface userdom_map_user_home_files()
|
||||
- Sytemd introduced new feature when journald(syslogd_t) is trying to read symlinks to unit files in /run/systemd/units. This commit label /run/systemd/units/* as systemd_unit_file_t and allow syslogd_t to read this content. BZ(1527202)
|
||||
- Allow xdm_t dbus chat with modemmanager_t BZ(1526722)
|
||||
- All domains accessing home_cert_t objects should also mmap it. BZ(1519810)
|
||||
|
||||
* Wed Dec 13 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-306
|
||||
- Allow thumb_t domain to dosfs_t BZ(1517720)
|
||||
- Allow gssd_t to read realmd_var_lib_t files BZ(1521125)
|
||||
|