- Fix passenger_stream_connect interface
- setroubleshoot_fixit wants to read network state
- Allow procmail_t to connect to dovecot stream sockets
- Allow cimprovagt service providers to read network states
- Add labeling for /var/run/mariadb
- pwauth uses lastlog() to update system's lastlog
- Allow account provider to read login records
- Add support for texlive2013
- More fixes for user config files to make crond_t run in userdomain
- Add back disable/reload/enable permissions for system class
- Fix manage_service_perms macro
- Allow passwd_t to connect to gnome keyring to change password
- Update mls config files to have cronjobs in the user domains
- Remove access checks that systemd does not actually do
parent
e4104d9fc0
commit
73ec2c3819
@ -58,6 +58,19 @@ index 313d837..ef3c532 100644
|
|||||||
@echo "Success."
|
@echo "Success."
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
diff --git a/config/appconfig-mcs/staff_u_default_contexts b/config/appconfig-mcs/staff_u_default_contexts
|
||||||
|
index 881a292..80110a4 100644
|
||||||
|
--- a/config/appconfig-mcs/staff_u_default_contexts
|
||||||
|
+++ b/config/appconfig-mcs/staff_u_default_contexts
|
||||||
|
@@ -1,7 +1,7 @@
|
||||||
|
system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
|
||||||
|
system_r:remote_login_t:s0 staff_r:staff_t:s0
|
||||||
|
system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
|
||||||
|
-system_r:crond_t:s0 staff_r:cronjob_t:s0
|
||||||
|
+system_r:crond_t:s0 staff_r:staff_t:s0
|
||||||
|
system_r:xdm_t:s0 staff_r:staff_t:s0
|
||||||
|
staff_r:staff_su_t:s0 staff_r:staff_t:s0
|
||||||
|
staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
|
||||||
diff --git a/config/appconfig-mcs/systemd_contexts b/config/appconfig-mcs/systemd_contexts
|
diff --git a/config/appconfig-mcs/systemd_contexts b/config/appconfig-mcs/systemd_contexts
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..ff32acc
|
index 0000000..ff32acc
|
||||||
@ -65,6 +78,19 @@ index 0000000..ff32acc
|
|||||||
+++ b/config/appconfig-mcs/systemd_contexts
|
+++ b/config/appconfig-mcs/systemd_contexts
|
||||||
@@ -0,0 +1 @@
|
@@ -0,0 +1 @@
|
||||||
+runtime=system_u:object_r:systemd_runtime_unit_file_t:s0
|
+runtime=system_u:object_r:systemd_runtime_unit_file_t:s0
|
||||||
|
diff --git a/config/appconfig-mcs/user_u_default_contexts b/config/appconfig-mcs/user_u_default_contexts
|
||||||
|
index cacbc93..4f59f94 100644
|
||||||
|
--- a/config/appconfig-mcs/user_u_default_contexts
|
||||||
|
+++ b/config/appconfig-mcs/user_u_default_contexts
|
||||||
|
@@ -1,7 +1,7 @@
|
||||||
|
system_r:local_login_t:s0 user_r:user_t:s0
|
||||||
|
system_r:remote_login_t:s0 user_r:user_t:s0
|
||||||
|
system_r:sshd_t:s0 user_r:user_t:s0
|
||||||
|
-system_r:crond_t:s0 user_r:cronjob_t:s0
|
||||||
|
+system_r:crond_t:s0 user_r:user_t:s0
|
||||||
|
system_r:xdm_t:s0 user_r:user_t:s0
|
||||||
|
user_r:user_su_t:s0 user_r:user_t:s0
|
||||||
|
user_r:user_sudo_t:s0 user_r:user_t:s0
|
||||||
diff --git a/config/appconfig-mcs/virtual_domain_context b/config/appconfig-mcs/virtual_domain_context
|
diff --git a/config/appconfig-mcs/virtual_domain_context b/config/appconfig-mcs/virtual_domain_context
|
||||||
index d387b42..150f281 100644
|
index d387b42..150f281 100644
|
||||||
--- a/config/appconfig-mcs/virtual_domain_context
|
--- a/config/appconfig-mcs/virtual_domain_context
|
||||||
@ -72,6 +98,19 @@ index d387b42..150f281 100644
|
|||||||
@@ -1 +1,2 @@
|
@@ -1 +1,2 @@
|
||||||
system_u:system_r:svirt_t:s0
|
system_u:system_r:svirt_t:s0
|
||||||
+system_u:system_r:svirt_tcg_t:s0
|
+system_u:system_r:svirt_tcg_t:s0
|
||||||
|
diff --git a/config/appconfig-mls/staff_u_default_contexts b/config/appconfig-mls/staff_u_default_contexts
|
||||||
|
index 881a292..80110a4 100644
|
||||||
|
--- a/config/appconfig-mls/staff_u_default_contexts
|
||||||
|
+++ b/config/appconfig-mls/staff_u_default_contexts
|
||||||
|
@@ -1,7 +1,7 @@
|
||||||
|
system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
|
||||||
|
system_r:remote_login_t:s0 staff_r:staff_t:s0
|
||||||
|
system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
|
||||||
|
-system_r:crond_t:s0 staff_r:cronjob_t:s0
|
||||||
|
+system_r:crond_t:s0 staff_r:staff_t:s0
|
||||||
|
system_r:xdm_t:s0 staff_r:staff_t:s0
|
||||||
|
staff_r:staff_su_t:s0 staff_r:staff_t:s0
|
||||||
|
staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
|
||||||
diff --git a/config/appconfig-mls/systemd_contexts b/config/appconfig-mls/systemd_contexts
|
diff --git a/config/appconfig-mls/systemd_contexts b/config/appconfig-mls/systemd_contexts
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..ff32acc
|
index 0000000..ff32acc
|
||||||
@ -79,6 +118,32 @@ index 0000000..ff32acc
|
|||||||
+++ b/config/appconfig-mls/systemd_contexts
|
+++ b/config/appconfig-mls/systemd_contexts
|
||||||
@@ -0,0 +1 @@
|
@@ -0,0 +1 @@
|
||||||
+runtime=system_u:object_r:systemd_runtime_unit_file_t:s0
|
+runtime=system_u:object_r:systemd_runtime_unit_file_t:s0
|
||||||
|
diff --git a/config/appconfig-mls/user_u_default_contexts b/config/appconfig-mls/user_u_default_contexts
|
||||||
|
index cacbc93..4f59f94 100644
|
||||||
|
--- a/config/appconfig-mls/user_u_default_contexts
|
||||||
|
+++ b/config/appconfig-mls/user_u_default_contexts
|
||||||
|
@@ -1,7 +1,7 @@
|
||||||
|
system_r:local_login_t:s0 user_r:user_t:s0
|
||||||
|
system_r:remote_login_t:s0 user_r:user_t:s0
|
||||||
|
system_r:sshd_t:s0 user_r:user_t:s0
|
||||||
|
-system_r:crond_t:s0 user_r:cronjob_t:s0
|
||||||
|
+system_r:crond_t:s0 user_r:user_t:s0
|
||||||
|
system_r:xdm_t:s0 user_r:user_t:s0
|
||||||
|
user_r:user_su_t:s0 user_r:user_t:s0
|
||||||
|
user_r:user_sudo_t:s0 user_r:user_t:s0
|
||||||
|
diff --git a/config/appconfig-standard/staff_u_default_contexts b/config/appconfig-standard/staff_u_default_contexts
|
||||||
|
index c2a5ea8..f63999e 100644
|
||||||
|
--- a/config/appconfig-standard/staff_u_default_contexts
|
||||||
|
+++ b/config/appconfig-standard/staff_u_default_contexts
|
||||||
|
@@ -1,7 +1,7 @@
|
||||||
|
system_r:local_login_t staff_r:staff_t sysadm_r:sysadm_t
|
||||||
|
system_r:remote_login_t staff_r:staff_t
|
||||||
|
system_r:sshd_t staff_r:staff_t sysadm_r:sysadm_t
|
||||||
|
-system_r:crond_t staff_r:cronjob_t
|
||||||
|
+system_r:crond_t staff_r:staff_t
|
||||||
|
system_r:xdm_t staff_r:staff_t
|
||||||
|
staff_r:staff_su_t staff_r:staff_t
|
||||||
|
staff_r:staff_sudo_t staff_r:staff_t
|
||||||
diff --git a/config/appconfig-standard/systemd_contexts b/config/appconfig-standard/systemd_contexts
|
diff --git a/config/appconfig-standard/systemd_contexts b/config/appconfig-standard/systemd_contexts
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..ff32acc
|
index 0000000..ff32acc
|
||||||
@ -86,6 +151,19 @@ index 0000000..ff32acc
|
|||||||
+++ b/config/appconfig-standard/systemd_contexts
|
+++ b/config/appconfig-standard/systemd_contexts
|
||||||
@@ -0,0 +1 @@
|
@@ -0,0 +1 @@
|
||||||
+runtime=system_u:object_r:systemd_runtime_unit_file_t:s0
|
+runtime=system_u:object_r:systemd_runtime_unit_file_t:s0
|
||||||
|
diff --git a/config/appconfig-standard/user_u_default_contexts b/config/appconfig-standard/user_u_default_contexts
|
||||||
|
index f5bfac3..639555b 100644
|
||||||
|
--- a/config/appconfig-standard/user_u_default_contexts
|
||||||
|
+++ b/config/appconfig-standard/user_u_default_contexts
|
||||||
|
@@ -1,7 +1,7 @@
|
||||||
|
system_r:local_login_t user_r:user_t
|
||||||
|
system_r:remote_login_t user_r:user_t
|
||||||
|
system_r:sshd_t user_r:user_t
|
||||||
|
-system_r:crond_t user_r:cronjob_t
|
||||||
|
+system_r:crond_t user_r:user_t
|
||||||
|
system_r:xdm_t user_r:user_t
|
||||||
|
user_r:user_su_t user_r:user_t
|
||||||
|
user_r:user_sudo_t user_r:user_t
|
||||||
diff --git a/config/appconfig-standard/virtual_domain_context b/config/appconfig-standard/virtual_domain_context
|
diff --git a/config/appconfig-standard/virtual_domain_context b/config/appconfig-standard/virtual_domain_context
|
||||||
index c049e10..150f281 100644
|
index c049e10..150f281 100644
|
||||||
--- a/config/appconfig-standard/virtual_domain_context
|
--- a/config/appconfig-standard/virtual_domain_context
|
||||||
@ -689,7 +767,7 @@ index 3a45f23..f4754f0 100644
|
|||||||
# fork
|
# fork
|
||||||
# setexec
|
# setexec
|
||||||
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
|
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
|
||||||
index 28802c5..fdcb9a7 100644
|
index 28802c5..1afd77b 100644
|
||||||
--- a/policy/flask/access_vectors
|
--- a/policy/flask/access_vectors
|
||||||
+++ b/policy/flask/access_vectors
|
+++ b/policy/flask/access_vectors
|
||||||
@@ -329,6 +329,7 @@ class process
|
@@ -329,6 +329,7 @@ class process
|
||||||
@ -708,9 +786,9 @@ index 28802c5..fdcb9a7 100644
|
|||||||
+ reboot
|
+ reboot
|
||||||
+ status
|
+ status
|
||||||
+ undefined
|
+ undefined
|
||||||
+ enable
|
+ enable
|
||||||
+ disable
|
+ disable
|
||||||
+ reload
|
+ reload
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -747,7 +825,7 @@ index 28802c5..fdcb9a7 100644
|
|||||||
|
|
||||||
class x_pointer
|
class x_pointer
|
||||||
inherits x_device
|
inherits x_device
|
||||||
@@ -862,3 +877,20 @@ inherits database
|
@@ -862,3 +877,18 @@ inherits database
|
||||||
implement
|
implement
|
||||||
execute
|
execute
|
||||||
}
|
}
|
||||||
@ -758,8 +836,6 @@ index 28802c5..fdcb9a7 100644
|
|||||||
+ stop
|
+ stop
|
||||||
+ status
|
+ status
|
||||||
+ reload
|
+ reload
|
||||||
+ kill
|
|
||||||
+ load
|
|
||||||
+ enable
|
+ enable
|
||||||
+ disable
|
+ disable
|
||||||
+}
|
+}
|
||||||
@ -2615,7 +2691,7 @@ index 99e3903..7270808 100644
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
|
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
|
||||||
index d555767..68f6887 100644
|
index d555767..3053e39 100644
|
||||||
--- a/policy/modules/admin/usermanage.te
|
--- a/policy/modules/admin/usermanage.te
|
||||||
+++ b/policy/modules/admin/usermanage.te
|
+++ b/policy/modules/admin/usermanage.te
|
||||||
@@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1)
|
@@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1)
|
||||||
@ -2897,7 +2973,7 @@ index d555767..68f6887 100644
|
|||||||
userdom_use_unpriv_users_fds(passwd_t)
|
userdom_use_unpriv_users_fds(passwd_t)
|
||||||
# make sure that getcon succeeds
|
# make sure that getcon succeeds
|
||||||
userdom_getattr_all_users(passwd_t)
|
userdom_getattr_all_users(passwd_t)
|
||||||
@@ -349,9 +389,16 @@ userdom_read_user_tmp_files(passwd_t)
|
@@ -349,9 +389,17 @@ userdom_read_user_tmp_files(passwd_t)
|
||||||
# user generally runs this from their home directory, so do not audit a search
|
# user generally runs this from their home directory, so do not audit a search
|
||||||
# on user home dir
|
# on user home dir
|
||||||
userdom_dontaudit_search_user_home_content(passwd_t)
|
userdom_dontaudit_search_user_home_content(passwd_t)
|
||||||
@ -2906,7 +2982,8 @@ index d555767..68f6887 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
- nscd_run(passwd_t, passwd_roles)
|
- nscd_run(passwd_t, passwd_roles)
|
||||||
+ gnome_exec_keyringd(passwd_t)
|
+ gnome_exec_keyringd(passwd_t)
|
||||||
+ gnome_manage_cache_home_dir(passwd_t)
|
+ gnome_manage_cache_home_dir(passwd_t)
|
||||||
|
+ gnome_stream_connect_gkeyringd(passwd_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
@ -2915,7 +2992,7 @@ index d555767..68f6887 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -398,9 +445,10 @@ dev_read_urand(sysadm_passwd_t)
|
@@ -398,9 +446,10 @@ dev_read_urand(sysadm_passwd_t)
|
||||||
fs_getattr_xattr_fs(sysadm_passwd_t)
|
fs_getattr_xattr_fs(sysadm_passwd_t)
|
||||||
fs_search_auto_mountpoints(sysadm_passwd_t)
|
fs_search_auto_mountpoints(sysadm_passwd_t)
|
||||||
|
|
||||||
@ -2928,7 +3005,7 @@ index d555767..68f6887 100644
|
|||||||
auth_manage_shadow(sysadm_passwd_t)
|
auth_manage_shadow(sysadm_passwd_t)
|
||||||
auth_relabel_shadow(sysadm_passwd_t)
|
auth_relabel_shadow(sysadm_passwd_t)
|
||||||
auth_etc_filetrans_shadow(sysadm_passwd_t)
|
auth_etc_filetrans_shadow(sysadm_passwd_t)
|
||||||
@@ -413,7 +461,6 @@ files_read_usr_files(sysadm_passwd_t)
|
@@ -413,7 +462,6 @@ files_read_usr_files(sysadm_passwd_t)
|
||||||
|
|
||||||
domain_use_interactive_fds(sysadm_passwd_t)
|
domain_use_interactive_fds(sysadm_passwd_t)
|
||||||
|
|
||||||
@ -2936,7 +3013,7 @@ index d555767..68f6887 100644
|
|||||||
files_relabel_etc_files(sysadm_passwd_t)
|
files_relabel_etc_files(sysadm_passwd_t)
|
||||||
files_read_etc_runtime_files(sysadm_passwd_t)
|
files_read_etc_runtime_files(sysadm_passwd_t)
|
||||||
# for nscd lookups
|
# for nscd lookups
|
||||||
@@ -423,19 +470,17 @@ files_dontaudit_search_pids(sysadm_passwd_t)
|
@@ -423,19 +471,17 @@ files_dontaudit_search_pids(sysadm_passwd_t)
|
||||||
# correctly without it. Do not audit write denials to utmp.
|
# correctly without it. Do not audit write denials to utmp.
|
||||||
init_dontaudit_rw_utmp(sysadm_passwd_t)
|
init_dontaudit_rw_utmp(sysadm_passwd_t)
|
||||||
|
|
||||||
@ -2958,7 +3035,7 @@ index d555767..68f6887 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -443,7 +488,8 @@ optional_policy(`
|
@@ -443,7 +489,8 @@ optional_policy(`
|
||||||
# Useradd local policy
|
# Useradd local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -2968,7 +3045,7 @@ index d555767..68f6887 100644
|
|||||||
dontaudit useradd_t self:capability sys_tty_config;
|
dontaudit useradd_t self:capability sys_tty_config;
|
||||||
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||||
allow useradd_t self:process setfscreate;
|
allow useradd_t self:process setfscreate;
|
||||||
@@ -458,6 +504,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
|
@@ -458,6 +505,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
allow useradd_t self:unix_dgram_socket sendto;
|
allow useradd_t self:unix_dgram_socket sendto;
|
||||||
allow useradd_t self:unix_stream_socket connectto;
|
allow useradd_t self:unix_stream_socket connectto;
|
||||||
|
|
||||||
@ -2979,7 +3056,7 @@ index d555767..68f6887 100644
|
|||||||
# for getting the number of groups
|
# for getting the number of groups
|
||||||
kernel_read_kernel_sysctls(useradd_t)
|
kernel_read_kernel_sysctls(useradd_t)
|
||||||
|
|
||||||
@@ -465,36 +515,36 @@ corecmd_exec_shell(useradd_t)
|
@@ -465,36 +516,36 @@ corecmd_exec_shell(useradd_t)
|
||||||
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
|
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
|
||||||
corecmd_exec_bin(useradd_t)
|
corecmd_exec_bin(useradd_t)
|
||||||
|
|
||||||
@ -3028,7 +3105,7 @@ index d555767..68f6887 100644
|
|||||||
auth_manage_shadow(useradd_t)
|
auth_manage_shadow(useradd_t)
|
||||||
auth_relabel_shadow(useradd_t)
|
auth_relabel_shadow(useradd_t)
|
||||||
auth_etc_filetrans_shadow(useradd_t)
|
auth_etc_filetrans_shadow(useradd_t)
|
||||||
@@ -505,33 +555,36 @@ init_rw_utmp(useradd_t)
|
@@ -505,33 +556,36 @@ init_rw_utmp(useradd_t)
|
||||||
logging_send_audit_msgs(useradd_t)
|
logging_send_audit_msgs(useradd_t)
|
||||||
logging_send_syslog_msg(useradd_t)
|
logging_send_syslog_msg(useradd_t)
|
||||||
|
|
||||||
@ -3079,7 +3156,7 @@ index d555767..68f6887 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
apache_manage_all_user_content(useradd_t)
|
apache_manage_all_user_content(useradd_t)
|
||||||
')
|
')
|
||||||
@@ -542,7 +595,12 @@ optional_policy(`
|
@@ -542,7 +596,12 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -3093,7 +3170,7 @@ index d555767..68f6887 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -550,6 +608,11 @@ optional_policy(`
|
@@ -550,6 +609,11 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -3105,7 +3182,7 @@ index d555767..68f6887 100644
|
|||||||
tunable_policy(`samba_domain_controller',`
|
tunable_policy(`samba_domain_controller',`
|
||||||
samba_append_log(useradd_t)
|
samba_append_log(useradd_t)
|
||||||
')
|
')
|
||||||
@@ -559,3 +622,12 @@ optional_policy(`
|
@@ -559,3 +623,12 @@ optional_policy(`
|
||||||
rpm_use_fds(useradd_t)
|
rpm_use_fds(useradd_t)
|
||||||
rpm_rw_pipes(useradd_t)
|
rpm_rw_pipes(useradd_t)
|
||||||
')
|
')
|
||||||
@ -44757,7 +44834,7 @@ index e79d545..101086d 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
|
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
|
||||||
index 6e91317..936a91d 100644
|
index 6e91317..260ea6c 100644
|
||||||
--- a/policy/support/obj_perm_sets.spt
|
--- a/policy/support/obj_perm_sets.spt
|
||||||
+++ b/policy/support/obj_perm_sets.spt
|
+++ b/policy/support/obj_perm_sets.spt
|
||||||
@@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
|
@@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
|
||||||
@ -44867,7 +44944,7 @@ index 6e91317..936a91d 100644
|
|||||||
+#
|
+#
|
||||||
+# Service
|
+# Service
|
||||||
+#
|
+#
|
||||||
+define(`manage_service_perms', `{ start stop status reload kill load } ')
|
+define(`manage_service_perms', `{ start stop status reload } ')
|
||||||
diff --git a/policy/users b/policy/users
|
diff --git a/policy/users b/policy/users
|
||||||
index c4ebc7e..30d6d7a 100644
|
index c4ebc7e..30d6d7a 100644
|
||||||
--- a/policy/users
|
--- a/policy/users
|
||||||
|
@ -40198,10 +40198,10 @@ index 0000000..b694afc
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
diff --git a/mozilla.fc b/mozilla.fc
|
diff --git a/mozilla.fc b/mozilla.fc
|
||||||
index 6ffaba2..2c1c0e0 100644
|
index 6ffaba2..a4d75bf 100644
|
||||||
--- a/mozilla.fc
|
--- a/mozilla.fc
|
||||||
+++ b/mozilla.fc
|
+++ b/mozilla.fc
|
||||||
@@ -1,38 +1,68 @@
|
@@ -1,38 +1,69 @@
|
||||||
-HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
-HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
||||||
-HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
-HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
||||||
-HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
|
-HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
|
||||||
@ -40244,6 +40244,7 @@ index 6ffaba2..2c1c0e0 100644
|
|||||||
+HOME_DIR/\.quakelive(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
+HOME_DIR/\.quakelive(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
||||||
+HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
+HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
||||||
+HOME_DIR/\.texlive2012(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
+HOME_DIR/\.texlive2012(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
||||||
|
+HOME_DIR/\.texlive2013(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
||||||
+HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
+HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
||||||
+HOME_DIR/\.IBMERS(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
+HOME_DIR/\.IBMERS(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
||||||
+HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
+HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
||||||
@ -40304,7 +40305,7 @@ index 6ffaba2..2c1c0e0 100644
|
|||||||
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
|
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
|
||||||
+')
|
+')
|
||||||
diff --git a/mozilla.if b/mozilla.if
|
diff --git a/mozilla.if b/mozilla.if
|
||||||
index 6194b80..d54c5ba 100644
|
index 6194b80..ada96f0 100644
|
||||||
--- a/mozilla.if
|
--- a/mozilla.if
|
||||||
+++ b/mozilla.if
|
+++ b/mozilla.if
|
||||||
@@ -1,146 +1,75 @@
|
@@ -1,146 +1,75 @@
|
||||||
@ -40995,7 +40996,7 @@ index 6194b80..d54c5ba 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -530,45 +499,57 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
|
@@ -530,45 +499,58 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -41065,6 +41066,7 @@ index 6194b80..d54c5ba 100644
|
|||||||
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive")
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive")
|
||||||
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec")
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec")
|
||||||
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".texlive2012")
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".texlive2012")
|
||||||
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".texlive2013")
|
||||||
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
|
||||||
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
|
||||||
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".juniper_networks")
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".juniper_networks")
|
||||||
@ -44778,7 +44780,7 @@ index 97370e4..3549b8f 100644
|
|||||||
+ apache_search_sys_content(munin_t)
|
+ apache_search_sys_content(munin_t)
|
||||||
+')
|
+')
|
||||||
diff --git a/mysql.fc b/mysql.fc
|
diff --git a/mysql.fc b/mysql.fc
|
||||||
index c48dc17..6355fb4 100644
|
index c48dc17..43d56e3 100644
|
||||||
--- a/mysql.fc
|
--- a/mysql.fc
|
||||||
+++ b/mysql.fc
|
+++ b/mysql.fc
|
||||||
@@ -1,11 +1,24 @@
|
@@ -1,11 +1,24 @@
|
||||||
@ -44814,7 +44816,7 @@ index c48dc17..6355fb4 100644
|
|||||||
/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
|
/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
|
||||||
/usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0)
|
/usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0)
|
||||||
|
|
||||||
@@ -13,13 +26,16 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
|
@@ -13,13 +26,17 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
|
||||||
|
|
||||||
/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
|
/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
|
||||||
/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
|
/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
|
||||||
@ -44836,6 +44838,7 @@ index c48dc17..6355fb4 100644
|
|||||||
-/var/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0)
|
-/var/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0)
|
||||||
-/var/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
|
-/var/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
|
||||||
-/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
|
-/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
|
||||||
|
+/var/run/mariadb(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0)
|
||||||
+/var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0)
|
+/var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0)
|
||||||
+/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
|
+/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
|
||||||
diff --git a/mysql.if b/mysql.if
|
diff --git a/mysql.if b/mysql.if
|
||||||
@ -54755,7 +54758,7 @@ index 2c389ea..9155bd0 100644
|
|||||||
+
|
+
|
||||||
+/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0)
|
+/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0)
|
||||||
diff --git a/passenger.if b/passenger.if
|
diff --git a/passenger.if b/passenger.if
|
||||||
index bf59ef7..c050b37 100644
|
index bf59ef7..0ec51d4 100644
|
||||||
--- a/passenger.if
|
--- a/passenger.if
|
||||||
+++ b/passenger.if
|
+++ b/passenger.if
|
||||||
@@ -15,17 +15,16 @@ interface(`passenger_domtrans',`
|
@@ -15,17 +15,16 @@ interface(`passenger_domtrans',`
|
||||||
@ -54811,7 +54814,7 @@ index bf59ef7..c050b37 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -53,6 +69,88 @@ interface(`passenger_read_lib_files',`
|
@@ -53,6 +69,93 @@ interface(`passenger_read_lib_files',`
|
||||||
type passenger_var_lib_t;
|
type passenger_var_lib_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -54877,9 +54880,14 @@ index bf59ef7..c050b37 100644
|
|||||||
+interface(`passenger_stream_connect',`
|
+interface(`passenger_stream_connect',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ type passenger_t;
|
+ type passenger_t;
|
||||||
|
+ type passenger_tmp_t;
|
||||||
|
+ type passenger_var_run_t;
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ allow $1 passenger_t:unix_stream_socket connectto;
|
+
|
||||||
|
+
|
||||||
|
+ stream_connect_pattern($1, passenger_var_run_t, passenger_var_run_t, passenger_t)
|
||||||
|
+ stream_connect_pattern($1, passenger_tmp_t, passenger_tmp_t, passenger_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+#######################################
|
+#######################################
|
||||||
@ -55254,7 +55262,7 @@ index d2fc677..ded726f 100644
|
|||||||
')
|
')
|
||||||
+
|
+
|
||||||
diff --git a/pegasus.te b/pegasus.te
|
diff --git a/pegasus.te b/pegasus.te
|
||||||
index 7bcf327..2254bf5 100644
|
index 7bcf327..22a5b66 100644
|
||||||
--- a/pegasus.te
|
--- a/pegasus.te
|
||||||
+++ b/pegasus.te
|
+++ b/pegasus.te
|
||||||
@@ -1,17 +1,16 @@
|
@@ -1,17 +1,16 @@
|
||||||
@ -55278,7 +55286,7 @@ index 7bcf327..2254bf5 100644
|
|||||||
type pegasus_cache_t;
|
type pegasus_cache_t;
|
||||||
files_type(pegasus_cache_t)
|
files_type(pegasus_cache_t)
|
||||||
|
|
||||||
@@ -30,20 +29,266 @@ files_type(pegasus_mof_t)
|
@@ -30,20 +29,269 @@ files_type(pegasus_mof_t)
|
||||||
type pegasus_var_run_t;
|
type pegasus_var_run_t;
|
||||||
files_pid_file(pegasus_var_run_t)
|
files_pid_file(pegasus_var_run_t)
|
||||||
|
|
||||||
@ -55341,6 +55349,7 @@ index 7bcf327..2254bf5 100644
|
|||||||
+auth_manage_passwd(pegasus_openlmi_account_t)
|
+auth_manage_passwd(pegasus_openlmi_account_t)
|
||||||
+auth_manage_shadow(pegasus_openlmi_account_t)
|
+auth_manage_shadow(pegasus_openlmi_account_t)
|
||||||
+auth_relabel_shadow(pegasus_openlmi_account_t)
|
+auth_relabel_shadow(pegasus_openlmi_account_t)
|
||||||
|
+auth_read_login_records(pegasus_openlmi_account_t)
|
||||||
+auth_etc_filetrans_shadow(pegasus_openlmi_account_t)
|
+auth_etc_filetrans_shadow(pegasus_openlmi_account_t)
|
||||||
+
|
+
|
||||||
+logging_send_audit_msgs(pegasus_openlmi_account_t)
|
+logging_send_audit_msgs(pegasus_openlmi_account_t)
|
||||||
@ -55404,6 +55413,8 @@ index 7bcf327..2254bf5 100644
|
|||||||
+
|
+
|
||||||
+allow pegasus_openlmi_services_t self:netlink_route_socket r_netlink_socket_perms;
|
+allow pegasus_openlmi_services_t self:netlink_route_socket r_netlink_socket_perms;
|
||||||
+
|
+
|
||||||
|
+kernel_read_network_state(pegasus_openlmi_services_t)
|
||||||
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ dbus_system_bus_client(pegasus_openlmi_services_t)
|
+ dbus_system_bus_client(pegasus_openlmi_services_t)
|
||||||
+')
|
+')
|
||||||
@ -55550,7 +55561,7 @@ index 7bcf327..2254bf5 100644
|
|||||||
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
|
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
|
||||||
|
|
||||||
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
|
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
|
||||||
@@ -54,22 +299,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
|
@@ -54,22 +302,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
|
||||||
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
||||||
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
||||||
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
||||||
@ -55581,7 +55592,7 @@ index 7bcf327..2254bf5 100644
|
|||||||
|
|
||||||
kernel_read_network_state(pegasus_t)
|
kernel_read_network_state(pegasus_t)
|
||||||
kernel_read_kernel_sysctls(pegasus_t)
|
kernel_read_kernel_sysctls(pegasus_t)
|
||||||
@@ -80,27 +325,21 @@ kernel_read_net_sysctls(pegasus_t)
|
@@ -80,27 +328,21 @@ kernel_read_net_sysctls(pegasus_t)
|
||||||
kernel_read_xen_state(pegasus_t)
|
kernel_read_xen_state(pegasus_t)
|
||||||
kernel_write_xen_state(pegasus_t)
|
kernel_write_xen_state(pegasus_t)
|
||||||
|
|
||||||
@ -55614,7 +55625,7 @@ index 7bcf327..2254bf5 100644
|
|||||||
|
|
||||||
corecmd_exec_bin(pegasus_t)
|
corecmd_exec_bin(pegasus_t)
|
||||||
corecmd_exec_shell(pegasus_t)
|
corecmd_exec_shell(pegasus_t)
|
||||||
@@ -114,6 +353,7 @@ files_getattr_all_dirs(pegasus_t)
|
@@ -114,6 +356,7 @@ files_getattr_all_dirs(pegasus_t)
|
||||||
|
|
||||||
auth_use_nsswitch(pegasus_t)
|
auth_use_nsswitch(pegasus_t)
|
||||||
auth_domtrans_chk_passwd(pegasus_t)
|
auth_domtrans_chk_passwd(pegasus_t)
|
||||||
@ -55622,7 +55633,7 @@ index 7bcf327..2254bf5 100644
|
|||||||
|
|
||||||
domain_use_interactive_fds(pegasus_t)
|
domain_use_interactive_fds(pegasus_t)
|
||||||
domain_read_all_domains_state(pegasus_t)
|
domain_read_all_domains_state(pegasus_t)
|
||||||
@@ -128,18 +368,25 @@ init_stream_connect_script(pegasus_t)
|
@@ -128,18 +371,25 @@ init_stream_connect_script(pegasus_t)
|
||||||
logging_send_audit_msgs(pegasus_t)
|
logging_send_audit_msgs(pegasus_t)
|
||||||
logging_send_syslog_msg(pegasus_t)
|
logging_send_syslog_msg(pegasus_t)
|
||||||
|
|
||||||
@ -55654,7 +55665,7 @@ index 7bcf327..2254bf5 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -151,16 +398,24 @@ optional_policy(`
|
@@ -151,16 +401,24 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -55683,7 +55694,7 @@ index 7bcf327..2254bf5 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -168,7 +423,7 @@ optional_policy(`
|
@@ -168,7 +426,7 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -63019,7 +63030,7 @@ index 00edeab..166e9c3 100644
|
|||||||
+ read_files_pattern($1, procmail_home_t, procmail_home_t)
|
+ read_files_pattern($1, procmail_home_t, procmail_home_t)
|
||||||
')
|
')
|
||||||
diff --git a/procmail.te b/procmail.te
|
diff --git a/procmail.te b/procmail.te
|
||||||
index d447152..a911295 100644
|
index d447152..73c437c 100644
|
||||||
--- a/procmail.te
|
--- a/procmail.te
|
||||||
+++ b/procmail.te
|
+++ b/procmail.te
|
||||||
@@ -1,4 +1,4 @@
|
@@ -1,4 +1,4 @@
|
||||||
@ -63054,7 +63065,7 @@ index d447152..a911295 100644
|
|||||||
allow procmail_t procmail_log_t:dir setattr_dir_perms;
|
allow procmail_t procmail_log_t:dir setattr_dir_perms;
|
||||||
create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
|
create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
|
||||||
append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
|
append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
|
||||||
@@ -40,59 +44,76 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
|
@@ -40,89 +44,106 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
|
||||||
allow procmail_t procmail_tmp_t:file manage_file_perms;
|
allow procmail_t procmail_tmp_t:file manage_file_perms;
|
||||||
files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
|
files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
|
||||||
|
|
||||||
@ -63158,7 +63169,8 @@ index d447152..a911295 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -100,12 +121,7 @@ optional_policy(`
|
- cyrus_stream_connect(procmail_t)
|
||||||
|
+ dovecot_stream_connect(procmail_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -63168,18 +63180,20 @@ index d447152..a911295 100644
|
|||||||
- mta_manage_mail_home_rw_content(procmail_t)
|
- mta_manage_mail_home_rw_content(procmail_t)
|
||||||
- mta_home_filetrans_mail_home_rw(procmail_t, dir, "Maildir")
|
- mta_home_filetrans_mail_home_rw(procmail_t, dir, "Maildir")
|
||||||
- mta_home_filetrans_mail_home_rw(procmail_t, dir, ".maildir")
|
- mta_home_filetrans_mail_home_rw(procmail_t, dir, ".maildir")
|
||||||
|
+ cyrus_stream_connect(procmail_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
- munin_dontaudit_search_lib(procmail_t)
|
||||||
+ gnome_manage_data(procmail_t)
|
+ gnome_manage_data(procmail_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -113,16 +129,17 @@ optional_policy(`
|
- nagios_search_spool(procmail_t)
|
||||||
|
+ munin_dontaudit_search_lib(procmail_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- nagios_search_spool(procmail_t)
|
|
||||||
-')
|
|
||||||
-
|
|
||||||
-optional_policy(`
|
|
||||||
+ # for a bug in the postfix local program
|
+ # for a bug in the postfix local program
|
||||||
postfix_dontaudit_rw_local_tcp_sockets(procmail_t)
|
postfix_dontaudit_rw_local_tcp_sockets(procmail_t)
|
||||||
postfix_dontaudit_use_fds(procmail_t)
|
postfix_dontaudit_use_fds(procmail_t)
|
||||||
@ -63195,7 +63209,7 @@ index d447152..a911295 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -131,6 +148,8 @@ optional_policy(`
|
@@ -131,6 +152,8 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -65393,10 +65407,10 @@ index 1148dce..86d25ea 100644
|
|||||||
+ allow $2 pwauth_t:process signal;
|
+ allow $2 pwauth_t:process signal;
|
||||||
')
|
')
|
||||||
diff --git a/pwauth.te b/pwauth.te
|
diff --git a/pwauth.te b/pwauth.te
|
||||||
index 3078e34..8f357cc 100644
|
index 3078e34..215df88 100644
|
||||||
--- a/pwauth.te
|
--- a/pwauth.te
|
||||||
+++ b/pwauth.te
|
+++ b/pwauth.te
|
||||||
@@ -5,38 +5,35 @@ policy_module(pwauth, 1.0.0)
|
@@ -5,26 +5,23 @@ policy_module(pwauth, 1.0.0)
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -65427,13 +65441,12 @@ index 3078e34..8f357cc 100644
|
|||||||
|
|
||||||
manage_files_pattern(pwauth_t, pwauth_var_run_t, pwauth_var_run_t)
|
manage_files_pattern(pwauth_t, pwauth_var_run_t, pwauth_var_run_t)
|
||||||
files_pid_filetrans(pwauth_t, pwauth_var_run_t, file)
|
files_pid_filetrans(pwauth_t, pwauth_var_run_t, file)
|
||||||
|
@@ -33,10 +30,10 @@ domain_use_interactive_fds(pwauth_t)
|
||||||
|
|
||||||
domain_use_interactive_fds(pwauth_t)
|
|
||||||
|
|
||||||
+
|
|
||||||
auth_domtrans_chkpwd(pwauth_t)
|
auth_domtrans_chkpwd(pwauth_t)
|
||||||
auth_use_nsswitch(pwauth_t)
|
auth_use_nsswitch(pwauth_t)
|
||||||
+auth_read_shadow(pwauth_t)
|
+auth_read_shadow(pwauth_t)
|
||||||
|
+auth_rw_lastlog(pwauth_t)
|
||||||
|
|
||||||
init_read_utmp(pwauth_t)
|
init_read_utmp(pwauth_t)
|
||||||
|
|
||||||
@ -82400,7 +82413,7 @@ index 3a9a70b..039b0c8 100644
|
|||||||
logging_list_logs($1)
|
logging_list_logs($1)
|
||||||
admin_pattern($1, setroubleshoot_var_log_t)
|
admin_pattern($1, setroubleshoot_var_log_t)
|
||||||
diff --git a/setroubleshoot.te b/setroubleshoot.te
|
diff --git a/setroubleshoot.te b/setroubleshoot.te
|
||||||
index 49b12ae..d47e356 100644
|
index 49b12ae..d686e4a 100644
|
||||||
--- a/setroubleshoot.te
|
--- a/setroubleshoot.te
|
||||||
+++ b/setroubleshoot.te
|
+++ b/setroubleshoot.te
|
||||||
@@ -1,4 +1,4 @@
|
@@ -1,4 +1,4 @@
|
||||||
@ -82561,7 +82574,7 @@ index 49b12ae..d47e356 100644
|
|||||||
rpm_exec(setroubleshootd_t)
|
rpm_exec(setroubleshootd_t)
|
||||||
rpm_signull(setroubleshootd_t)
|
rpm_signull(setroubleshootd_t)
|
||||||
rpm_read_db(setroubleshootd_t)
|
rpm_read_db(setroubleshootd_t)
|
||||||
@@ -148,15 +160,18 @@ optional_policy(`
|
@@ -148,26 +160,36 @@ optional_policy(`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -82581,7 +82594,9 @@ index 49b12ae..d47e356 100644
|
|||||||
setroubleshoot_stream_connect(setroubleshoot_fixit_t)
|
setroubleshoot_stream_connect(setroubleshoot_fixit_t)
|
||||||
|
|
||||||
kernel_read_system_state(setroubleshoot_fixit_t)
|
kernel_read_system_state(setroubleshoot_fixit_t)
|
||||||
@@ -165,9 +180,15 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
|
+kernel_read_network_state(setroubleshoot_fixit_t)
|
||||||
|
|
||||||
|
corecmd_exec_bin(setroubleshoot_fixit_t)
|
||||||
corecmd_exec_shell(setroubleshoot_fixit_t)
|
corecmd_exec_shell(setroubleshoot_fixit_t)
|
||||||
corecmd_getattr_all_executables(setroubleshoot_fixit_t)
|
corecmd_getattr_all_executables(setroubleshoot_fixit_t)
|
||||||
|
|
||||||
@ -82598,7 +82613,7 @@ index 49b12ae..d47e356 100644
|
|||||||
files_list_tmp(setroubleshoot_fixit_t)
|
files_list_tmp(setroubleshoot_fixit_t)
|
||||||
|
|
||||||
auth_use_nsswitch(setroubleshoot_fixit_t)
|
auth_use_nsswitch(setroubleshoot_fixit_t)
|
||||||
@@ -175,23 +196,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
|
@@ -175,23 +197,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
|
||||||
logging_send_audit_msgs(setroubleshoot_fixit_t)
|
logging_send_audit_msgs(setroubleshoot_fixit_t)
|
||||||
logging_send_syslog_msg(setroubleshoot_fixit_t)
|
logging_send_syslog_msg(setroubleshoot_fixit_t)
|
||||||
|
|
||||||
|
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.12.1
|
Version: 3.12.1
|
||||||
Release: 99%{?dist}
|
Release: 100%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -573,6 +573,22 @@ SELinux Reference policy mls base module.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Nov 12 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-100
|
||||||
|
- Fix passenger_stream_connect interface
|
||||||
|
- setroubleshoot_fixit wants to read network state
|
||||||
|
- Allow procmail_t to connect to dovecot stream sockets
|
||||||
|
- Allow cimprovagt service providers to read network states
|
||||||
|
- Add labeling for /var/run/mariadb
|
||||||
|
- pwauth uses lastlog() to update system's lastlog
|
||||||
|
- Allow account provider to read login records
|
||||||
|
- Add support for texlive2013
|
||||||
|
- More fixes for user config files to make crond_t running in userdomain
|
||||||
|
- Add back disable/reload/enable permissions for system class
|
||||||
|
- Fix manage_service_perms macro
|
||||||
|
- Allow passwd_t to connect to gnome keyring to change password
|
||||||
|
- Update mls config files to have cronjobs in the user domains
|
||||||
|
- Remove access checks that systemd does not actually do
|
||||||
|
|
||||||
* Fri Nov 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-99
|
* Fri Nov 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-99
|
||||||
- Add support for yubikey in homedir
|
- Add support for yubikey in homedir
|
||||||
- Add support for upd/3052 port
|
- Add support for upd/3052 port
|
||||||
|