* Tue Dec 19 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-307
- Allow crond_t to read pcp lib files BZ(1525420) - Allow mozilla plugin domain to mmap user_home_t files BZ(1452783) - Allow certwatch_t to mmap generic certs. BZ(1527173) - Allow dspam_t to manage dspam_rw_content_t objects. BZ(1290876) - Add interface userdom_map_user_home_files() - Systemd introduced a new feature where journald (syslogd_t) reads symlinks to unit files in /run/systemd/units. This commit labels /run/systemd/units/* as systemd_unit_file_t and allows syslogd_t to read this content. BZ(1527202) - Allow xdm_t dbus chat with modemmanager_t BZ(1526722) - All domains accessing home_cert_t objects should also mmap it. BZ(1519810)
This commit is contained in:
parent
270b6479cd
commit
73d7285c92
@ -12792,10 +12792,10 @@ index 550b287ce..73104ec93 100644
|
|||||||
+ ')
|
+ ')
|
||||||
+')
|
+')
|
||||||
diff --git a/certwatch.te b/certwatch.te
|
diff --git a/certwatch.te b/certwatch.te
|
||||||
index 171fafb99..38614a0e9 100644
|
index 171fafb99..6cf8b7957 100644
|
||||||
--- a/certwatch.te
|
--- a/certwatch.te
|
||||||
+++ b/certwatch.te
|
+++ b/certwatch.te
|
||||||
@@ -18,35 +18,47 @@ role certwatch_roles types certwatch_t;
|
@@ -18,35 +18,48 @@ role certwatch_roles types certwatch_t;
|
||||||
# Local policy
|
# Local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -12827,6 +12827,7 @@ index 171fafb99..38614a0e9 100644
|
|||||||
miscfiles_read_all_certs(certwatch_t)
|
miscfiles_read_all_certs(certwatch_t)
|
||||||
-miscfiles_read_localization(certwatch_t)
|
-miscfiles_read_localization(certwatch_t)
|
||||||
+miscfiles_manage_generic_cert_dirs(certwatch_t)
|
+miscfiles_manage_generic_cert_dirs(certwatch_t)
|
||||||
|
+miscfiles_map_generic_certs(certwatch_t)
|
||||||
+
|
+
|
||||||
+sysnet_read_config(certwatch_t)
|
+sysnet_read_config(certwatch_t)
|
||||||
|
|
||||||
@ -20020,7 +20021,7 @@ index 1303b3036..f5bd4aee8 100644
|
|||||||
+ logging_log_filetrans($1, var_log_t, file, "redhat-access-insights.log")
|
+ logging_log_filetrans($1, var_log_t, file, "redhat-access-insights.log")
|
||||||
')
|
')
|
||||||
diff --git a/cron.te b/cron.te
|
diff --git a/cron.te b/cron.te
|
||||||
index 7de385956..46400791a 100644
|
index 7de385956..31053c2a9 100644
|
||||||
--- a/cron.te
|
--- a/cron.te
|
||||||
+++ b/cron.te
|
+++ b/cron.te
|
||||||
@@ -11,46 +11,54 @@ gen_require(`
|
@@ -11,46 +11,54 @@ gen_require(`
|
||||||
@ -20439,7 +20440,7 @@ index 7de385956..46400791a 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -354,103 +314,141 @@ optional_policy(`
|
@@ -354,103 +314,145 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -20448,22 +20449,20 @@ index 7de385956..46400791a 100644
|
|||||||
- optional_policy(`
|
- optional_policy(`
|
||||||
- hal_dbus_chat(crond_t)
|
- hal_dbus_chat(crond_t)
|
||||||
- ')
|
- ')
|
||||||
-
|
+ djbdns_search_tinydns_keys(crond_t)
|
||||||
|
+ djbdns_link_tinydns_keys(crond_t)
|
||||||
|
+')
|
||||||
|
|
||||||
- optional_policy(`
|
- optional_policy(`
|
||||||
- unconfined_dbus_send(crond_t)
|
- unconfined_dbus_send(crond_t)
|
||||||
- ')
|
- ')
|
||||||
+ djbdns_search_tinydns_keys(crond_t)
|
+optional_policy(`
|
||||||
+ djbdns_link_tinydns_keys(crond_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
- amanda_search_var_lib(crond_t)
|
|
||||||
+ locallogin_search_keys(crond_t)
|
+ locallogin_search_keys(crond_t)
|
||||||
+ locallogin_link_keys(crond_t)
|
+ locallogin_link_keys(crond_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- amavis_search_lib(crond_t)
|
- amanda_search_var_lib(crond_t)
|
||||||
+ # these should probably be unconfined_crond_t
|
+ # these should probably be unconfined_crond_t
|
||||||
+ dbus_system_bus_client(crond_t)
|
+ dbus_system_bus_client(crond_t)
|
||||||
+ init_dbus_send_script(crond_t)
|
+ init_dbus_send_script(crond_t)
|
||||||
@ -20471,28 +20470,32 @@ index 7de385956..46400791a 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- djbdns_search_tinydns_keys(crond_t)
|
- amavis_search_lib(crond_t)
|
||||||
- djbdns_link_tinydns_keys(crond_t)
|
|
||||||
+ amanda_search_var_lib(crond_t)
|
+ amanda_search_var_lib(crond_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- hal_write_log(crond_t)
|
- djbdns_search_tinydns_keys(crond_t)
|
||||||
|
- djbdns_link_tinydns_keys(crond_t)
|
||||||
+ antivirus_search_db(crond_t)
|
+ antivirus_search_db(crond_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
+ hal_dbus_chat(crond_t)
|
||||||
|
hal_write_log(crond_t)
|
||||||
|
+ hal_dbus_chat(system_cronjob_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- locallogin_search_keys(crond_t)
|
- locallogin_search_keys(crond_t)
|
||||||
- locallogin_link_keys(crond_t)
|
- locallogin_link_keys(crond_t)
|
||||||
+ hal_dbus_chat(crond_t)
|
+ # cjp: why?
|
||||||
+ hal_write_log(crond_t)
|
+ munin_search_lib(crond_t)
|
||||||
+ hal_dbus_chat(system_cronjob_t)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- mta_send_mail(crond_t)
|
- mta_send_mail(crond_t)
|
||||||
+ # cjp: why?
|
+ pcp_read_lib_files(crond_t)
|
||||||
+ munin_search_lib(crond_t)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -20613,7 +20616,7 @@ index 7de385956..46400791a 100644
|
|||||||
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
|
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
|
||||||
allow system_cronjob_t cron_spool_t:file rw_file_perms;
|
allow system_cronjob_t cron_spool_t:file rw_file_perms;
|
||||||
|
|
||||||
@@ -461,11 +459,11 @@ kernel_read_network_state(system_cronjob_t)
|
@@ -461,11 +463,11 @@ kernel_read_network_state(system_cronjob_t)
|
||||||
kernel_read_system_state(system_cronjob_t)
|
kernel_read_system_state(system_cronjob_t)
|
||||||
kernel_read_software_raid_state(system_cronjob_t)
|
kernel_read_software_raid_state(system_cronjob_t)
|
||||||
|
|
||||||
@ -20626,7 +20629,7 @@ index 7de385956..46400791a 100644
|
|||||||
corenet_all_recvfrom_netlabel(system_cronjob_t)
|
corenet_all_recvfrom_netlabel(system_cronjob_t)
|
||||||
corenet_tcp_sendrecv_generic_if(system_cronjob_t)
|
corenet_tcp_sendrecv_generic_if(system_cronjob_t)
|
||||||
corenet_udp_sendrecv_generic_if(system_cronjob_t)
|
corenet_udp_sendrecv_generic_if(system_cronjob_t)
|
||||||
@@ -485,6 +483,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
|
@@ -485,6 +487,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
|
||||||
fs_getattr_all_pipes(system_cronjob_t)
|
fs_getattr_all_pipes(system_cronjob_t)
|
||||||
fs_getattr_all_sockets(system_cronjob_t)
|
fs_getattr_all_sockets(system_cronjob_t)
|
||||||
|
|
||||||
@ -20634,7 +20637,7 @@ index 7de385956..46400791a 100644
|
|||||||
domain_dontaudit_read_all_domains_state(system_cronjob_t)
|
domain_dontaudit_read_all_domains_state(system_cronjob_t)
|
||||||
|
|
||||||
files_exec_etc_files(system_cronjob_t)
|
files_exec_etc_files(system_cronjob_t)
|
||||||
@@ -495,17 +494,22 @@ files_getattr_all_files(system_cronjob_t)
|
@@ -495,17 +498,22 @@ files_getattr_all_files(system_cronjob_t)
|
||||||
files_getattr_all_symlinks(system_cronjob_t)
|
files_getattr_all_symlinks(system_cronjob_t)
|
||||||
files_getattr_all_pipes(system_cronjob_t)
|
files_getattr_all_pipes(system_cronjob_t)
|
||||||
files_getattr_all_sockets(system_cronjob_t)
|
files_getattr_all_sockets(system_cronjob_t)
|
||||||
@ -20659,7 +20662,7 @@ index 7de385956..46400791a 100644
|
|||||||
|
|
||||||
auth_use_nsswitch(system_cronjob_t)
|
auth_use_nsswitch(system_cronjob_t)
|
||||||
|
|
||||||
@@ -516,20 +520,28 @@ logging_read_generic_logs(system_cronjob_t)
|
@@ -516,20 +524,28 @@ logging_read_generic_logs(system_cronjob_t)
|
||||||
logging_send_audit_msgs(system_cronjob_t)
|
logging_send_audit_msgs(system_cronjob_t)
|
||||||
logging_send_syslog_msg(system_cronjob_t)
|
logging_send_syslog_msg(system_cronjob_t)
|
||||||
|
|
||||||
@ -20690,7 +20693,7 @@ index 7de385956..46400791a 100644
|
|||||||
selinux_validate_context(system_cronjob_t)
|
selinux_validate_context(system_cronjob_t)
|
||||||
selinux_compute_access_vector(system_cronjob_t)
|
selinux_compute_access_vector(system_cronjob_t)
|
||||||
selinux_compute_create_context(system_cronjob_t)
|
selinux_compute_create_context(system_cronjob_t)
|
||||||
@@ -539,10 +551,26 @@ tunable_policy(`cron_can_relabel',`
|
@@ -539,10 +555,26 @@ tunable_policy(`cron_can_relabel',`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -20717,7 +20720,7 @@ index 7de385956..46400791a 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -551,10 +579,6 @@ optional_policy(`
|
@@ -551,10 +583,6 @@ optional_policy(`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_system_bus_client(system_cronjob_t)
|
dbus_system_bus_client(system_cronjob_t)
|
||||||
@ -20728,7 +20731,7 @@ index 7de385956..46400791a 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -567,6 +591,10 @@ optional_policy(`
|
@@ -567,6 +595,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -20739,7 +20742,7 @@ index 7de385956..46400791a 100644
|
|||||||
ftp_read_log(system_cronjob_t)
|
ftp_read_log(system_cronjob_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -591,6 +619,8 @@ optional_policy(`
|
@@ -591,6 +623,8 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
mta_read_config(system_cronjob_t)
|
mta_read_config(system_cronjob_t)
|
||||||
mta_send_mail(system_cronjob_t)
|
mta_send_mail(system_cronjob_t)
|
||||||
@ -20748,7 +20751,7 @@ index 7de385956..46400791a 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -598,7 +628,31 @@ optional_policy(`
|
@@ -598,7 +632,31 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -20780,7 +20783,7 @@ index 7de385956..46400791a 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -607,7 +661,12 @@ optional_policy(`
|
@@ -607,7 +665,12 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -20793,7 +20796,7 @@ index 7de385956..46400791a 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -615,12 +674,27 @@ optional_policy(`
|
@@ -615,12 +678,27 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -20823,7 +20826,7 @@ index 7de385956..46400791a 100644
|
|||||||
#
|
#
|
||||||
|
|
||||||
allow cronjob_t self:process { signal_perms setsched };
|
allow cronjob_t self:process { signal_perms setsched };
|
||||||
@@ -628,12 +702,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
|
@@ -628,12 +706,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
|
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
allow cronjob_t self:unix_dgram_socket create_socket_perms;
|
allow cronjob_t self:unix_dgram_socket create_socket_perms;
|
||||||
|
|
||||||
@ -20857,7 +20860,7 @@ index 7de385956..46400791a 100644
|
|||||||
corenet_all_recvfrom_netlabel(cronjob_t)
|
corenet_all_recvfrom_netlabel(cronjob_t)
|
||||||
corenet_tcp_sendrecv_generic_if(cronjob_t)
|
corenet_tcp_sendrecv_generic_if(cronjob_t)
|
||||||
corenet_udp_sendrecv_generic_if(cronjob_t)
|
corenet_udp_sendrecv_generic_if(cronjob_t)
|
||||||
@@ -641,66 +735,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
|
@@ -641,66 +739,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
|
||||||
corenet_udp_sendrecv_generic_node(cronjob_t)
|
corenet_udp_sendrecv_generic_node(cronjob_t)
|
||||||
corenet_tcp_sendrecv_all_ports(cronjob_t)
|
corenet_tcp_sendrecv_all_ports(cronjob_t)
|
||||||
corenet_udp_sendrecv_all_ports(cronjob_t)
|
corenet_udp_sendrecv_all_ports(cronjob_t)
|
||||||
@ -23031,7 +23034,7 @@ index dda905b9c..60806a524 100644
|
|||||||
/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
|
/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
|
||||||
+')
|
+')
|
||||||
diff --git a/dbus.if b/dbus.if
|
diff --git a/dbus.if b/dbus.if
|
||||||
index 62d22cb46..c0c2ed47d 100644
|
index 62d22cb46..d9c0343da 100644
|
||||||
--- a/dbus.if
|
--- a/dbus.if
|
||||||
+++ b/dbus.if
|
+++ b/dbus.if
|
||||||
@@ -1,4 +1,4 @@
|
@@ -1,4 +1,4 @@
|
||||||
@ -23109,7 +23112,7 @@ index 62d22cb46..c0c2ed47d 100644
|
|||||||
-
|
-
|
||||||
- allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
|
- allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
|
||||||
+ # For connecting to the bus
|
+ # For connecting to the bus
|
||||||
+ allow $3 $1_dbusd_t:unix_stream_socket { connectto rw_socket_perms };
|
+ allow $3 $1_dbusd_t:unix_stream_socket { connectto rw_socket_perms create };
|
||||||
+ allow $1_dbusd_t $3:unix_stream_socket { accept getattr getopt read write };
|
+ allow $1_dbusd_t $3:unix_stream_socket { accept getattr getopt read write };
|
||||||
|
|
||||||
- allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
|
- allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
|
||||||
@ -23561,7 +23564,7 @@ index 62d22cb46..c0c2ed47d 100644
|
|||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
## Type to be used as a domain.
|
## Type to be used as a domain.
|
||||||
@@ -397,199 +410,250 @@ interface(`dbus_manage_lib_files',`
|
@@ -397,199 +410,251 @@ interface(`dbus_manage_lib_files',`
|
||||||
## </param>
|
## </param>
|
||||||
## <param name="entry_point">
|
## <param name="entry_point">
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -23881,6 +23884,7 @@ index 62d22cb46..c0c2ed47d 100644
|
|||||||
|
|
||||||
- allow $1 system_dbusd_t:fd use;
|
- allow $1 system_dbusd_t:fd use;
|
||||||
+ dontaudit $1 system_dbusd_t:unix_stream_socket connectto;
|
+ dontaudit $1 system_dbusd_t:unix_stream_socket connectto;
|
||||||
|
+ dontaudit $1 system_dbusd_t:sock_file write;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -23892,7 +23896,7 @@ index 62d22cb46..c0c2ed47d 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -597,28 +661,68 @@ interface(`dbus_use_system_bus_fds',`
|
@@ -597,28 +662,68 @@ interface(`dbus_use_system_bus_fds',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -23970,7 +23974,7 @@ index 62d22cb46..c0c2ed47d 100644
|
|||||||
+ manage_dirs_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t)
|
+ manage_dirs_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t)
|
||||||
')
|
')
|
||||||
diff --git a/dbus.te b/dbus.te
|
diff --git a/dbus.te b/dbus.te
|
||||||
index c9998c80d..328aa81d2 100644
|
index c9998c80d..5a9dfdf1e 100644
|
||||||
--- a/dbus.te
|
--- a/dbus.te
|
||||||
+++ b/dbus.te
|
+++ b/dbus.te
|
||||||
@@ -4,17 +4,15 @@ gen_require(`
|
@@ -4,17 +4,15 @@ gen_require(`
|
||||||
@ -24004,7 +24008,15 @@ index c9998c80d..328aa81d2 100644
|
|||||||
type session_dbusd_tmp_t;
|
type session_dbusd_tmp_t;
|
||||||
typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
|
typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
|
||||||
typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };
|
typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };
|
||||||
@@ -41,7 +36,8 @@ files_type(system_dbusd_var_lib_t)
|
@@ -36,12 +31,16 @@ init_system_domain(system_dbusd_t, dbusd_exec_t)
|
||||||
|
type system_dbusd_tmp_t;
|
||||||
|
files_tmp_file(system_dbusd_tmp_t)
|
||||||
|
|
||||||
|
+type system_dbusd_tmpfs_t;
|
||||||
|
+files_tmpfs_file(system_dbusd_tmpfs_t)
|
||||||
|
+
|
||||||
|
type system_dbusd_var_lib_t;
|
||||||
|
files_type(system_dbusd_var_lib_t)
|
||||||
|
|
||||||
type system_dbusd_var_run_t;
|
type system_dbusd_var_run_t;
|
||||||
files_pid_file(system_dbusd_var_run_t)
|
files_pid_file(system_dbusd_var_run_t)
|
||||||
@ -24014,7 +24026,7 @@ index c9998c80d..328aa81d2 100644
|
|||||||
|
|
||||||
ifdef(`enable_mcs',`
|
ifdef(`enable_mcs',`
|
||||||
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
|
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
|
||||||
@@ -51,59 +47,64 @@ ifdef(`enable_mls',`
|
@@ -51,59 +50,69 @@ ifdef(`enable_mls',`
|
||||||
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
|
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -24050,6 +24062,11 @@ index c9998c80d..328aa81d2 100644
|
|||||||
manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
|
manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
|
||||||
-files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file })
|
-files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file })
|
||||||
+files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
|
+files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
|
||||||
|
+
|
||||||
|
+manage_files_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t)
|
||||||
|
+manage_dirs_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t)
|
||||||
|
+fs_tmpfs_filetrans(system_dbusd_t, system_dbusd_tmpfs_t, { dir file })
|
||||||
|
+allow system_dbusd_t system_dbusd_tmpfs_t:file map;
|
||||||
|
|
||||||
read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
|
read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
|
||||||
|
|
||||||
@ -24097,7 +24114,7 @@ index c9998c80d..328aa81d2 100644
|
|||||||
mls_fd_use_all_levels(system_dbusd_t)
|
mls_fd_use_all_levels(system_dbusd_t)
|
||||||
mls_rangetrans_target(system_dbusd_t)
|
mls_rangetrans_target(system_dbusd_t)
|
||||||
mls_file_read_all_levels(system_dbusd_t)
|
mls_file_read_all_levels(system_dbusd_t)
|
||||||
@@ -123,66 +124,177 @@ term_dontaudit_use_console(system_dbusd_t)
|
@@ -123,66 +132,177 @@ term_dontaudit_use_console(system_dbusd_t)
|
||||||
auth_use_nsswitch(system_dbusd_t)
|
auth_use_nsswitch(system_dbusd_t)
|
||||||
auth_read_pam_console_data(system_dbusd_t)
|
auth_read_pam_console_data(system_dbusd_t)
|
||||||
|
|
||||||
@ -24175,14 +24192,14 @@ index c9998c80d..328aa81d2 100644
|
|||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ snapper_read_inherited_pipe(system_dbusd_t)
|
+ snapper_read_inherited_pipe(system_dbusd_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ sysnet_domtrans_dhcpc(system_dbusd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- seutil_sigchld_newrole(system_dbusd_t)
|
- seutil_sigchld_newrole(system_dbusd_t)
|
||||||
+ sysnet_domtrans_dhcpc(system_dbusd_t)
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
+optional_policy(`
|
|
||||||
+ systemd_use_fds_logind(system_dbusd_t)
|
+ systemd_use_fds_logind(system_dbusd_t)
|
||||||
+ systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
|
+ systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
|
||||||
+ systemd_write_inhibit_pipes(system_dbusd_t)
|
+ systemd_write_inhibit_pipes(system_dbusd_t)
|
||||||
@ -24216,7 +24233,7 @@ index c9998c80d..328aa81d2 100644
|
|||||||
#
|
#
|
||||||
+role system_r types system_bus_type;
|
+role system_r types system_bus_type;
|
||||||
+dontaudit system_bus_type self:capability net_admin;
|
+dontaudit system_bus_type self:capability net_admin;
|
||||||
+
|
|
||||||
+allow system_bus_type system_dbusd_t:unix_stream_socket rw_socket_perms;
|
+allow system_bus_type system_dbusd_t:unix_stream_socket rw_socket_perms;
|
||||||
+
|
+
|
||||||
+fs_search_all(system_bus_type)
|
+fs_search_all(system_bus_type)
|
||||||
@ -24250,7 +24267,7 @@ index c9998c80d..328aa81d2 100644
|
|||||||
+ifdef(`hide_broken_symptoms',`
|
+ifdef(`hide_broken_symptoms',`
|
||||||
+ dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
|
+ dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+#
|
+#
|
||||||
+# session_bus_type rules
|
+# session_bus_type rules
|
||||||
@ -24289,7 +24306,7 @@ index c9998c80d..328aa81d2 100644
|
|||||||
kernel_read_kernel_sysctls(session_bus_type)
|
kernel_read_kernel_sysctls(session_bus_type)
|
||||||
|
|
||||||
corecmd_list_bin(session_bus_type)
|
corecmd_list_bin(session_bus_type)
|
||||||
@@ -191,23 +303,18 @@ corecmd_read_bin_files(session_bus_type)
|
@@ -191,23 +311,18 @@ corecmd_read_bin_files(session_bus_type)
|
||||||
corecmd_read_bin_pipes(session_bus_type)
|
corecmd_read_bin_pipes(session_bus_type)
|
||||||
corecmd_read_bin_sockets(session_bus_type)
|
corecmd_read_bin_sockets(session_bus_type)
|
||||||
|
|
||||||
@ -24314,7 +24331,7 @@ index c9998c80d..328aa81d2 100644
|
|||||||
files_dontaudit_search_var(session_bus_type)
|
files_dontaudit_search_var(session_bus_type)
|
||||||
|
|
||||||
fs_getattr_romfs(session_bus_type)
|
fs_getattr_romfs(session_bus_type)
|
||||||
@@ -215,7 +322,6 @@ fs_getattr_xattr_fs(session_bus_type)
|
@@ -215,7 +330,6 @@ fs_getattr_xattr_fs(session_bus_type)
|
||||||
fs_list_inotifyfs(session_bus_type)
|
fs_list_inotifyfs(session_bus_type)
|
||||||
fs_dontaudit_list_nfs(session_bus_type)
|
fs_dontaudit_list_nfs(session_bus_type)
|
||||||
|
|
||||||
@ -24322,7 +24339,7 @@ index c9998c80d..328aa81d2 100644
|
|||||||
selinux_validate_context(session_bus_type)
|
selinux_validate_context(session_bus_type)
|
||||||
selinux_compute_access_vector(session_bus_type)
|
selinux_compute_access_vector(session_bus_type)
|
||||||
selinux_compute_create_context(session_bus_type)
|
selinux_compute_create_context(session_bus_type)
|
||||||
@@ -225,18 +331,36 @@ selinux_compute_user_contexts(session_bus_type)
|
@@ -225,18 +339,36 @@ selinux_compute_user_contexts(session_bus_type)
|
||||||
auth_read_pam_console_data(session_bus_type)
|
auth_read_pam_console_data(session_bus_type)
|
||||||
|
|
||||||
logging_send_audit_msgs(session_bus_type)
|
logging_send_audit_msgs(session_bus_type)
|
||||||
@ -24364,7 +24381,7 @@ index c9998c80d..328aa81d2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -244,5 +368,9 @@ optional_policy(`
|
@@ -244,5 +376,9 @@ optional_policy(`
|
||||||
# Unconfined access to this module
|
# Unconfined access to this module
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -28598,7 +28615,7 @@ index 18f245250..a446210f0 100644
|
|||||||
+
|
+
|
||||||
')
|
')
|
||||||
diff --git a/dspam.te b/dspam.te
|
diff --git a/dspam.te b/dspam.te
|
||||||
index ef6236335..084171673 100644
|
index ef6236335..25dcb975a 100644
|
||||||
--- a/dspam.te
|
--- a/dspam.te
|
||||||
+++ b/dspam.te
|
+++ b/dspam.te
|
||||||
@@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t)
|
@@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t)
|
||||||
@ -28624,7 +28641,7 @@ index ef6236335..084171673 100644
|
|||||||
|
|
||||||
files_search_spool(dspam_t)
|
files_search_spool(dspam_t)
|
||||||
|
|
||||||
@@ -64,14 +73,32 @@ auth_use_nsswitch(dspam_t)
|
@@ -64,14 +73,35 @@ auth_use_nsswitch(dspam_t)
|
||||||
|
|
||||||
logging_send_syslog_msg(dspam_t)
|
logging_send_syslog_msg(dspam_t)
|
||||||
|
|
||||||
@ -28634,6 +28651,9 @@ index ef6236335..084171673 100644
|
|||||||
apache_content_template(dspam)
|
apache_content_template(dspam)
|
||||||
+ apache_content_alias_template(dspam, dspam)
|
+ apache_content_alias_template(dspam, dspam)
|
||||||
+
|
+
|
||||||
|
+ manage_dirs_pattern(dspam_t, dspam_rw_content_t, dspam_rw_content_t)
|
||||||
|
+ manage_files_pattern(dspam_t, dspam_rw_content_t, dspam_rw_content_t)
|
||||||
|
+
|
||||||
+ read_files_pattern(dspam_script_t, dspam_var_lib_t, dspam_var_lib_t)
|
+ read_files_pattern(dspam_script_t, dspam_var_lib_t, dspam_var_lib_t)
|
||||||
+
|
+
|
||||||
+ auth_read_passwd(dspam_script_t)
|
+ auth_read_passwd(dspam_script_t)
|
||||||
@ -28641,14 +28661,14 @@ index ef6236335..084171673 100644
|
|||||||
+ files_search_var_lib(dspam_script_t)
|
+ files_search_var_lib(dspam_script_t)
|
||||||
+
|
+
|
||||||
+ domain_dontaudit_read_all_domains_state(dspam_script_t)
|
+ domain_dontaudit_read_all_domains_state(dspam_script_t)
|
||||||
+
|
|
||||||
+ term_dontaudit_search_ptys(dspam_script_t)
|
|
||||||
+ term_dontaudit_getattr_all_ttys(dspam_script_t)
|
|
||||||
+ term_dontaudit_getattr_all_ptys(dspam_script_t)
|
|
||||||
|
|
||||||
- list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t)
|
- list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t)
|
||||||
- manage_dirs_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)
|
- manage_dirs_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)
|
||||||
- manage_files_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)
|
- manage_files_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)
|
||||||
|
+ term_dontaudit_search_ptys(dspam_script_t)
|
||||||
|
+ term_dontaudit_getattr_all_ttys(dspam_script_t)
|
||||||
|
+ term_dontaudit_getattr_all_ptys(dspam_script_t)
|
||||||
|
+
|
||||||
+ init_read_utmp(dspam_script_t)
|
+ init_read_utmp(dspam_script_t)
|
||||||
+
|
+
|
||||||
+ logging_send_syslog_msg(dspam_script_t)
|
+ logging_send_syslog_msg(dspam_script_t)
|
||||||
@ -28662,7 +28682,7 @@ index ef6236335..084171673 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -87,3 +114,12 @@ optional_policy(`
|
@@ -87,3 +117,12 @@ optional_policy(`
|
||||||
|
|
||||||
postgresql_tcp_connect(dspam_t)
|
postgresql_tcp_connect(dspam_t)
|
||||||
')
|
')
|
||||||
@ -50810,7 +50830,7 @@ index 1d4eb19b8..650014e0f 100644
|
|||||||
admin_pattern($1, memcached_var_run_t)
|
admin_pattern($1, memcached_var_run_t)
|
||||||
')
|
')
|
||||||
diff --git a/memcached.te b/memcached.te
|
diff --git a/memcached.te b/memcached.te
|
||||||
index 29b752160..8c41e59db 100644
|
index 29b752160..5000dd91c 100644
|
||||||
--- a/memcached.te
|
--- a/memcached.te
|
||||||
+++ b/memcached.te
|
+++ b/memcached.te
|
||||||
@@ -8,6 +8,7 @@ policy_module(memcached, 1.3.1)
|
@@ -8,6 +8,7 @@ policy_module(memcached, 1.3.1)
|
||||||
@ -50830,7 +50850,16 @@ index 29b752160..8c41e59db 100644
|
|||||||
dontaudit memcached_t self:capability sys_tty_config;
|
dontaudit memcached_t self:capability sys_tty_config;
|
||||||
allow memcached_t self:process { setrlimit signal_perms };
|
allow memcached_t self:process { setrlimit signal_perms };
|
||||||
allow memcached_t self:tcp_socket { accept listen };
|
allow memcached_t self:tcp_socket { accept listen };
|
||||||
@@ -59,4 +60,3 @@ term_dontaudit_use_console(memcached_t)
|
@@ -28,6 +29,8 @@ allow memcached_t self:udp_socket { accept listen };
|
||||||
|
allow memcached_t self:fifo_file rw_fifo_file_perms;
|
||||||
|
allow memcached_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
|
||||||
|
+allow memcached_t memcached_exec_t:file map;
|
||||||
|
+
|
||||||
|
manage_dirs_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
|
||||||
|
manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
|
||||||
|
manage_sock_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
|
||||||
|
@@ -59,4 +62,3 @@ term_dontaudit_use_console(memcached_t)
|
||||||
|
|
||||||
auth_use_nsswitch(memcached_t)
|
auth_use_nsswitch(memcached_t)
|
||||||
|
|
||||||
@ -54082,7 +54111,7 @@ index 6194b806b..e27c53d6e 100644
|
|||||||
')
|
')
|
||||||
+
|
+
|
||||||
diff --git a/mozilla.te b/mozilla.te
|
diff --git a/mozilla.te b/mozilla.te
|
||||||
index 11ac8e4fc..bb6533dae 100644
|
index 11ac8e4fc..7e6607cab 100644
|
||||||
--- a/mozilla.te
|
--- a/mozilla.te
|
||||||
+++ b/mozilla.te
|
+++ b/mozilla.te
|
||||||
@@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0)
|
@@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0)
|
||||||
@ -54536,7 +54565,7 @@ index 11ac8e4fc..bb6533dae 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -300,259 +340,265 @@ optional_policy(`
|
@@ -300,259 +340,266 @@ optional_policy(`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -54833,6 +54862,7 @@ index 11ac8e4fc..bb6533dae 100644
|
|||||||
+userdom_read_user_tmp_symlinks(mozilla_plugin_t)
|
+userdom_read_user_tmp_symlinks(mozilla_plugin_t)
|
||||||
+userdom_stream_connect(mozilla_plugin_t)
|
+userdom_stream_connect(mozilla_plugin_t)
|
||||||
+userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_t)
|
+userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_t)
|
||||||
|
+userdom_map_user_home_files(mozilla_plugin_t)
|
||||||
|
|
||||||
-ifndef(`enable_mls',`
|
-ifndef(`enable_mls',`
|
||||||
- fs_list_dos(mozilla_plugin_t)
|
- fs_list_dos(mozilla_plugin_t)
|
||||||
@ -54948,7 +54978,7 @@ index 11ac8e4fc..bb6533dae 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -560,7 +606,11 @@ optional_policy(`
|
@@ -560,7 +607,11 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -54961,7 +54991,7 @@ index 11ac8e4fc..bb6533dae 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -568,108 +618,144 @@ optional_policy(`
|
@@ -568,108 +619,144 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.13.1
|
Version: 3.13.1
|
||||||
Release: 306%{?dist}
|
Release: 307%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -717,6 +717,16 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Dec 19 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-307
|
||||||
|
- Allow crond_t to read pcp lib files BZ(1525420)
|
||||||
|
- Allow mozilla plugin domain to mmap user_home_t files BZ(1452783)
|
||||||
|
- Allow certwatch_t to mmap generic certs. BZ(1527173)
|
||||||
|
- Allow dspam_t to manage dspam_rw_conent_t objects. BZ(1290876)
|
||||||
|
- Add interface userdom_map_user_home_files()
|
||||||
|
- Sytemd introduced new feature when journald(syslogd_t) is trying to read symlinks to unit files in /run/systemd/units. This commit label /run/systemd/units/* as systemd_unit_file_t and allow syslogd_t to read this content. BZ(1527202)
|
||||||
|
- Allow xdm_t dbus chat with modemmanager_t BZ(1526722)
|
||||||
|
- All domains accessing home_cert_t objects should also mmap it. BZ(1519810)
|
||||||
|
|
||||||
* Wed Dec 13 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-306
|
* Wed Dec 13 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-306
|
||||||
- Allow thumb_t domain to dosfs_t BZ(1517720)
|
- Allow thumb_t domain to dosfs_t BZ(1517720)
|
||||||
- Allow gssd_t to read realmd_var_lib_t files BZ(1521125)
|
- Allow gssd_t to read realmd_var_lib_t files BZ(1521125)
|
||||||
|