- Dontaudit sandbox sending sigkill to all user domains
- Add policy for rssh_chroot_helper - Add missing flask definitions - Allow udev to relabelto removable_t - Fix label on /var/log/wicd.log - Transition to initrc_t from init when executing bin_t - Add audit_access permissions to file - Make removable_t a device_node - Fix label on /lib/systemd/*
parent
2bb6181f15
commit
7a208696f9
1
.gitignore
vendored
1
.gitignore
vendored
@ -227,3 +227,4 @@ serefpolicy*
|
||||
/serefpolicy-3.9.4.tgz
|
||||
/serefpolicy-3.9.5.tgz
|
||||
/serefpolicy-3.9.6.tgz
|
||||
/config.tgz
|
||||
|
407
policy-F14.patch
407
policy-F14.patch
@ -148,6 +148,42 @@ index 0000000..e9c43b1
|
||||
+This manual page was written by Dominick Grift <domg472@gmail.com>.
|
||||
+.SH "SEE ALSO"
|
||||
+selinux(8), git(8), chcon(1), semodule(8), setsebool(8)
|
||||
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
|
||||
index 6760c95..34edd2a 100644
|
||||
--- a/policy/flask/access_vectors
|
||||
+++ b/policy/flask/access_vectors
|
||||
@@ -27,6 +27,8 @@ common file
|
||||
swapon
|
||||
quotaon
|
||||
mounton
|
||||
+ audit_access
|
||||
+ execmod
|
||||
}
|
||||
|
||||
|
||||
@@ -160,19 +162,20 @@ inherits file
|
||||
{
|
||||
execute_no_trans
|
||||
entrypoint
|
||||
- execmod
|
||||
open
|
||||
}
|
||||
|
||||
class lnk_file
|
||||
inherits file
|
||||
+{
|
||||
+ open
|
||||
+}
|
||||
|
||||
class chr_file
|
||||
inherits file
|
||||
{
|
||||
execute_no_trans
|
||||
entrypoint
|
||||
- execmod
|
||||
open
|
||||
}
|
||||
|
||||
diff --git a/policy/global_tunables b/policy/global_tunables
|
||||
index 3316f6e..6e82b1e 100644
|
||||
--- a/policy/global_tunables
|
||||
@ -479,7 +515,7 @@ index 3c7b1e8..1e155f5 100644
|
||||
+
|
||||
+/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0)
|
||||
diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te
|
||||
index 75ce30f..b845467 100644
|
||||
index 75ce30f..f3347aa 100644
|
||||
--- a/policy/modules/admin/logwatch.te
|
||||
+++ b/policy/modules/admin/logwatch.te
|
||||
@@ -19,6 +19,9 @@ files_lock_file(logwatch_lock_t)
|
||||
@ -502,14 +538,13 @@ index 75ce30f..b845467 100644
|
||||
kernel_read_fs_sysctls(logwatch_t)
|
||||
kernel_read_kernel_sysctls(logwatch_t)
|
||||
kernel_read_system_state(logwatch_t)
|
||||
@@ -92,8 +98,16 @@ sysnet_dns_name_resolve(logwatch_t)
|
||||
@@ -92,11 +98,20 @@ sysnet_dns_name_resolve(logwatch_t)
|
||||
sysnet_exec_ifconfig(logwatch_t)
|
||||
|
||||
userdom_dontaudit_search_user_home_dirs(logwatch_t)
|
||||
-
|
||||
-mta_send_mail(logwatch_t)
|
||||
+userdom_dontaudit_list_admin_dir(logwatch_t)
|
||||
+
|
||||
|
||||
-mta_send_mail(logwatch_t)
|
||||
+#mta_send_mail(logwatch_t)
|
||||
+mta_base_mail_template(logwatch)
|
||||
+mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
|
||||
@ -521,6 +556,10 @@ index 75ce30f..b845467 100644
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
files_search_all(logwatch_t)
|
||||
+ files_getattr_all_files(logwatch_t)
|
||||
files_getattr_all_file_type_fs(logwatch_t)
|
||||
')
|
||||
|
||||
diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te
|
||||
index 0e19d80..9d58abe 100644
|
||||
--- a/policy/modules/admin/mrtg.te
|
||||
@ -5439,10 +5478,21 @@ index c1d5f50..989f88c 100644
|
||||
+
|
||||
+
|
||||
diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te
|
||||
index a3225d4..7551020 100644
|
||||
index a3225d4..9cd8b55 100644
|
||||
--- a/policy/modules/apps/qemu.te
|
||||
+++ b/policy/modules/apps/qemu.te
|
||||
@@ -102,6 +102,10 @@ optional_policy(`
|
||||
@@ -90,7 +90,9 @@ tunable_policy(`qemu_use_usb',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- samba_domtrans_smbd(qemu_t)
|
||||
+ tunable_policy(`qemu_use_cifs',`
|
||||
+ samba_domtrans_smbd(qemu_t)
|
||||
+ ')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -102,6 +104,10 @@ optional_policy(`
|
||||
xen_rw_image_files(qemu_t)
|
||||
')
|
||||
|
||||
@ -5453,7 +5503,7 @@ index a3225d4..7551020 100644
|
||||
########################################
|
||||
#
|
||||
# Unconfined qemu local policy
|
||||
@@ -112,6 +116,8 @@ optional_policy(`
|
||||
@@ -112,6 +118,8 @@ optional_policy(`
|
||||
typealias unconfined_qemu_t alias qemu_unconfined_t;
|
||||
application_type(unconfined_qemu_t)
|
||||
unconfined_domain(unconfined_qemu_t)
|
||||
@ -5462,6 +5512,83 @@ index a3225d4..7551020 100644
|
||||
|
||||
allow unconfined_qemu_t self:process { execstack execmem };
|
||||
allow unconfined_qemu_t qemu_exec_t:file execmod;
|
||||
diff --git a/policy/modules/apps/rssh.fc b/policy/modules/apps/rssh.fc
|
||||
index 4c091ca..a58f123 100644
|
||||
--- a/policy/modules/apps/rssh.fc
|
||||
+++ b/policy/modules/apps/rssh.fc
|
||||
@@ -1 +1,3 @@
|
||||
/usr/bin/rssh -- gen_context(system_u:object_r:rssh_exec_t,s0)
|
||||
+
|
||||
+/usr/libexec/rssh_chroot_helper -- gen_context(system_u:object_r:rssh_chroot_helper_exec_t,s0)
|
||||
diff --git a/policy/modules/apps/rssh.if b/policy/modules/apps/rssh.if
|
||||
index 7cdac1e..6f9f6e6 100644
|
||||
--- a/policy/modules/apps/rssh.if
|
||||
+++ b/policy/modules/apps/rssh.if
|
||||
@@ -64,3 +64,21 @@ interface(`rssh_read_ro_content',`
|
||||
read_files_pattern($1, rssh_ro_t, rssh_ro_t)
|
||||
read_lnk_files_pattern($1, rssh_ro_t, rssh_ro_t)
|
||||
')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute a domain transition to run rssh_chroot_helper.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`rssh_domtrans_chroot_helper',`
|
||||
+ gen_require(`
|
||||
+ type rssh_chroot_helper_t, rssh_chroot_helper_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ domtrans_pattern($1, rssh_chroot_helper_exec_t, rssh_chroot_helper_t)
|
||||
+')
|
||||
diff --git a/policy/modules/apps/rssh.te b/policy/modules/apps/rssh.te
|
||||
index c605046..15c17a0 100644
|
||||
--- a/policy/modules/apps/rssh.te
|
||||
+++ b/policy/modules/apps/rssh.te
|
||||
@@ -31,6 +31,12 @@ typealias rssh_rw_t alias { user_rssh_rw_t staff_rssh_rw_t sysadm_rssh_rw_t };
|
||||
typealias rssh_rw_t alias { auditadm_rssh_rw_t secadm_rssh_rw_t };
|
||||
userdom_user_home_content(rssh_rw_t)
|
||||
|
||||
+type rssh_chroot_helper_t;
|
||||
+type rssh_chroot_helper_exec_t;
|
||||
+init_system_domain(rssh_chroot_helper_t, rssh_chroot_helper_exec_t)
|
||||
+
|
||||
+permissive rssh_chroot_helper_t;
|
||||
+
|
||||
##############################
|
||||
#
|
||||
# Local policy
|
||||
@@ -78,3 +84,25 @@ ssh_rw_stream_sockets(rssh_t)
|
||||
optional_policy(`
|
||||
nis_use_ypbind(rssh_t)
|
||||
')
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# rssh_chroot_helper local policy
|
||||
+#
|
||||
+rssh_domtrans_chroot_helper(rssh_t)
|
||||
+
|
||||
+allow rssh_chroot_helper_t self:capability { sys_chroot setuid };
|
||||
+
|
||||
+allow rssh_chroot_helper_t self:fifo_file rw_fifo_file_perms;
|
||||
+allow rssh_chroot_helper_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+
|
||||
+domain_use_interactive_fds(rssh_chroot_helper_t)
|
||||
+
|
||||
+files_read_etc_files(rssh_chroot_helper_t)
|
||||
+
|
||||
+auth_use_nsswitch(rssh_chroot_helper_t)
|
||||
+
|
||||
+logging_send_syslog_msg(rssh_chroot_helper_t)
|
||||
+
|
||||
+miscfiles_read_localization(rssh_chroot_helper_t)
|
||||
+
|
||||
diff --git a/policy/modules/apps/sambagui.te b/policy/modules/apps/sambagui.te
|
||||
index 9ec1478..26bb71c 100644
|
||||
--- a/policy/modules/apps/sambagui.te
|
||||
@ -5503,7 +5630,7 @@ index 0000000..15778fd
|
||||
+# No types are sandbox_exec_t
|
||||
diff --git a/policy/modules/apps/sandbox.if b/policy/modules/apps/sandbox.if
|
||||
new file mode 100644
|
||||
index 0000000..587c440
|
||||
index 0000000..9783c8f
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/apps/sandbox.if
|
||||
@@ -0,0 +1,339 @@
|
||||
@ -5558,7 +5685,7 @@ index 0000000..587c440
|
||||
+ dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
|
||||
+ dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
|
||||
+ dontaudit sandbox_x_domain $1:unix_stream_socket { read write };
|
||||
+ dontaudit sandbox_x_domain $1:process signal;
|
||||
+ dontaudit sandbox_x_domain $1:process { signal sigkill };
|
||||
+
|
||||
+ allow $1 sandbox_tmpfs_type:file manage_file_perms;
|
||||
+ dontaudit $1 sandbox_tmpfs_type:file manage_file_perms;
|
||||
@ -5848,10 +5975,10 @@ index 0000000..587c440
|
||||
+')
|
||||
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
|
||||
new file mode 100644
|
||||
index 0000000..10b7c23
|
||||
index 0000000..c575b31
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/apps/sandbox.te
|
||||
@@ -0,0 +1,427 @@
|
||||
@@ -0,0 +1,428 @@
|
||||
+policy_module(sandbox,1.0.0)
|
||||
+dbus_stub()
|
||||
+attribute sandbox_domain;
|
||||
@ -6053,6 +6180,7 @@ index 0000000..10b7c23
|
||||
+term_use_ptmx(sandbox_x_domain)
|
||||
+
|
||||
+application_dontaudit_signal(sandbox_x_domain)
|
||||
+application_dontaudit_sigkill(sandbox_x_domain)
|
||||
+
|
||||
+logging_send_syslog_msg(sandbox_x_domain)
|
||||
+logging_dontaudit_search_logs(sandbox_x_domain)
|
||||
@ -8404,7 +8532,7 @@ index 3517db2..bd4c23d 100644
|
||||
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
|
||||
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
|
||||
index 5302dac..06efed6 100644
|
||||
index 5302dac..2e30bb2 100644
|
||||
--- a/policy/modules/kernel/files.if
|
||||
+++ b/policy/modules/kernel/files.if
|
||||
@@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
|
||||
@ -8837,7 +8965,35 @@ index 5302dac..06efed6 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -5317,6 +5624,43 @@ interface(`files_search_pids',`
|
||||
@@ -5189,6 +5496,27 @@ interface(`files_delete_all_locks',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## Relabel all lock files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`files_relabel_all_lock_dirs',`
|
||||
+ gen_require(`
|
||||
+ attribute lockfile;
|
||||
+ type var_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 var_t:dir search_dir_perms;
|
||||
+ relabel_dirs_pattern($1, lockfile, lockfile)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Read all lock files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -5317,6 +5645,43 @@ interface(`files_search_pids',`
|
||||
search_dirs_pattern($1, var_t, var_run_t)
|
||||
')
|
||||
|
||||
@ -8881,7 +9037,7 @@ index 5302dac..06efed6 100644
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to search
|
||||
@@ -5524,6 +5868,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
|
||||
@@ -5524,6 +5889,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -8944,7 +9100,7 @@ index 5302dac..06efed6 100644
|
||||
## Read all process ID files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -5541,6 +5941,44 @@ interface(`files_read_all_pids',`
|
||||
@@ -5541,6 +5962,44 @@ interface(`files_read_all_pids',`
|
||||
|
||||
list_dirs_pattern($1, var_t, pidfile)
|
||||
read_files_pattern($1, pidfile, pidfile)
|
||||
@ -8989,7 +9145,7 @@ index 5302dac..06efed6 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -5826,3 +6264,247 @@ interface(`files_unconfined',`
|
||||
@@ -5826,3 +6285,247 @@ interface(`files_unconfined',`
|
||||
|
||||
typeattribute $1 files_unconfined_type;
|
||||
')
|
||||
@ -9695,7 +9851,7 @@ index 437a42a..54a884b 100644
|
||||
+')
|
||||
+
|
||||
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
|
||||
index 0dff98e..a09ab47 100644
|
||||
index 0dff98e..7f1a558 100644
|
||||
--- a/policy/modules/kernel/filesystem.te
|
||||
+++ b/policy/modules/kernel/filesystem.te
|
||||
@@ -52,6 +52,7 @@ type anon_inodefs_t;
|
||||
@ -9763,11 +9919,12 @@ index 0dff98e..a09ab47 100644
|
||||
|
||||
# Use a transition SID based on the allocating task SID and the
|
||||
# filesystem SID to label inodes in the following filesystem types,
|
||||
@@ -247,6 +266,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
|
||||
@@ -247,6 +266,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
|
||||
type removable_t;
|
||||
allow removable_t noxattrfs:filesystem associate;
|
||||
fs_noxattr_type(removable_t)
|
||||
+files_type(removable_t)
|
||||
+dev_node(removable_t)
|
||||
files_mountpoint(removable_t)
|
||||
|
||||
#
|
||||
@ -18497,7 +18654,7 @@ index e182bf4..f80e725 100644
|
||||
snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
|
||||
snmp_stream_connect(cyrus_t)
|
||||
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
|
||||
index 0d5711c..ea74262 100644
|
||||
index 0d5711c..27a2b36 100644
|
||||
--- a/policy/modules/services/dbus.if
|
||||
+++ b/policy/modules/services/dbus.if
|
||||
@@ -41,9 +41,9 @@ interface(`dbus_stub',`
|
||||
@ -18512,7 +18669,17 @@ index 0d5711c..ea74262 100644
|
||||
')
|
||||
|
||||
##############################
|
||||
@@ -76,7 +76,7 @@ template(`dbus_role_template',`
|
||||
@@ -52,8 +52,7 @@ template(`dbus_role_template',`
|
||||
#
|
||||
|
||||
type $1_dbusd_t, session_bus_type;
|
||||
- domain_type($1_dbusd_t)
|
||||
- domain_entry_file($1_dbusd_t, dbusd_exec_t)
|
||||
+ application_domain($1_dbusd_t, dbusd_exec_t)
|
||||
ubac_constrained($1_dbusd_t)
|
||||
role $2 types $1_dbusd_t;
|
||||
|
||||
@@ -76,7 +75,7 @@ template(`dbus_role_template',`
|
||||
allow $3 $1_dbusd_t:unix_stream_socket connectto;
|
||||
|
||||
# SE-DBus specific permissions
|
||||
@ -18521,7 +18688,7 @@ index 0d5711c..ea74262 100644
|
||||
allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
|
||||
|
||||
allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
|
||||
@@ -88,14 +88,15 @@ template(`dbus_role_template',`
|
||||
@@ -88,14 +87,15 @@ template(`dbus_role_template',`
|
||||
files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
|
||||
|
||||
domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
|
||||
@ -18540,7 +18707,7 @@ index 0d5711c..ea74262 100644
|
||||
|
||||
kernel_read_system_state($1_dbusd_t)
|
||||
kernel_read_kernel_sysctls($1_dbusd_t)
|
||||
@@ -116,7 +117,7 @@ template(`dbus_role_template',`
|
||||
@@ -116,7 +116,7 @@ template(`dbus_role_template',`
|
||||
|
||||
dev_read_urand($1_dbusd_t)
|
||||
|
||||
@ -18549,7 +18716,7 @@ index 0d5711c..ea74262 100644
|
||||
domain_read_all_domains_state($1_dbusd_t)
|
||||
|
||||
files_read_etc_files($1_dbusd_t)
|
||||
@@ -149,17 +150,25 @@ template(`dbus_role_template',`
|
||||
@@ -149,17 +149,25 @@ template(`dbus_role_template',`
|
||||
|
||||
term_use_all_terms($1_dbusd_t)
|
||||
|
||||
@ -18577,7 +18744,7 @@ index 0d5711c..ea74262 100644
|
||||
xserver_use_xdm_fds($1_dbusd_t)
|
||||
xserver_rw_xdm_pipes($1_dbusd_t)
|
||||
')
|
||||
@@ -181,10 +190,12 @@ interface(`dbus_system_bus_client',`
|
||||
@@ -181,10 +189,12 @@ interface(`dbus_system_bus_client',`
|
||||
type system_dbusd_t, system_dbusd_t;
|
||||
type system_dbusd_var_run_t, system_dbusd_var_lib_t;
|
||||
class dbus send_msg;
|
||||
@ -18590,7 +18757,7 @@ index 0d5711c..ea74262 100644
|
||||
|
||||
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
|
||||
files_search_var_lib($1)
|
||||
@@ -431,14 +442,27 @@ interface(`dbus_system_domain',`
|
||||
@@ -431,14 +441,27 @@ interface(`dbus_system_domain',`
|
||||
|
||||
domtrans_pattern(system_dbusd_t, $2, $1)
|
||||
|
||||
@ -18619,7 +18786,7 @@ index 0d5711c..ea74262 100644
|
||||
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
|
||||
')
|
||||
')
|
||||
@@ -497,3 +521,22 @@ interface(`dbus_unconfined',`
|
||||
@@ -497,3 +520,22 @@ interface(`dbus_unconfined',`
|
||||
|
||||
typeattribute $1 dbusd_unconfined;
|
||||
')
|
||||
@ -24435,7 +24602,7 @@ index da5b33d..b9ab551 100644
|
||||
|
||||
optional_policy(`
|
||||
diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc
|
||||
index 386543b..e0aab89 100644
|
||||
index 386543b..ee7bed8 100644
|
||||
--- a/policy/modules/services/networkmanager.fc
|
||||
+++ b/policy/modules/services/networkmanager.fc
|
||||
@@ -1,7 +1,13 @@
|
||||
@ -24452,6 +24619,16 @@ index 386543b..e0aab89 100644
|
||||
/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
|
||||
|
||||
/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
|
||||
@@ -16,7 +22,8 @@
|
||||
/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
|
||||
/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
|
||||
|
||||
-/var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0)
|
||||
+/var/log/wicd.*
|
||||
+
|
||||
/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
|
||||
|
||||
/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||
diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if
|
||||
index 2324d9e..8069487 100644
|
||||
--- a/policy/modules/services/networkmanager.if
|
||||
@ -38179,10 +38356,10 @@ index f9a06d2..3d407c6 100644
|
||||
|
||||
files_read_etc_files(zos_remote_t)
|
||||
diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if
|
||||
index ac50333..a5678f1 100644
|
||||
index ac50333..9017b02 100644
|
||||
--- a/policy/modules/system/application.if
|
||||
+++ b/policy/modules/system/application.if
|
||||
@@ -130,3 +130,57 @@ interface(`application_signull',`
|
||||
@@ -130,3 +130,75 @@ interface(`application_signull',`
|
||||
|
||||
allow $1 application_domain_type:process signull;
|
||||
')
|
||||
@ -38225,6 +38402,24 @@ index ac50333..a5678f1 100644
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Dontaudit kill signal sent to all application domains.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain to not audit.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`application_dontaudit_sigkill',`
|
||||
+ gen_require(`
|
||||
+ attribute application_domain_type;
|
||||
+ ')
|
||||
+
|
||||
+ dontaudit $1 application_domain_type:process sigkill;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Send signal to all application domains.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
@ -38288,7 +38483,7 @@ index 1c4b1e7..2997dd7 100644
|
||||
/var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
|
||||
|
||||
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
|
||||
index bea0ade..ce67a96 100644
|
||||
index bea0ade..a1069bf 100644
|
||||
--- a/policy/modules/system/authlogin.if
|
||||
+++ b/policy/modules/system/authlogin.if
|
||||
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
|
||||
@ -38481,7 +38676,34 @@ index bea0ade..ce67a96 100644
|
||||
## Manage var auth files. Used by various other applications
|
||||
## and pam applets etc.
|
||||
## </summary>
|
||||
@@ -1500,6 +1587,8 @@ interface(`auth_manage_login_records',`
|
||||
@@ -896,6 +983,26 @@ interface(`auth_manage_var_auth',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## Relabel all var auth files. Used by various other applications
|
||||
+## and pam applets etc.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`auth_relabel_var_auth_dirs',`
|
||||
+ gen_require(`
|
||||
+ type var_auth_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_var($1)
|
||||
+ relabel_dirs_pattern($1, var_auth_t, var_auth_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Read PAM PID files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1500,6 +1607,8 @@ interface(`auth_manage_login_records',`
|
||||
#
|
||||
interface(`auth_use_nsswitch',`
|
||||
|
||||
@ -38490,7 +38712,7 @@ index bea0ade..ce67a96 100644
|
||||
files_list_var_lib($1)
|
||||
|
||||
# read /etc/nsswitch.conf
|
||||
@@ -1531,7 +1620,15 @@ interface(`auth_use_nsswitch',`
|
||||
@@ -1531,7 +1640,15 @@ interface(`auth_use_nsswitch',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -38854,7 +39076,7 @@ index 15e02e4..7c6933f 100644
|
||||
files_read_kernel_modules(hotplug_t)
|
||||
|
||||
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
|
||||
index 9775375..51bde2a 100644
|
||||
index 9775375..36cc87d 100644
|
||||
--- a/policy/modules/system/init.fc
|
||||
+++ b/policy/modules/system/init.fc
|
||||
@@ -24,7 +24,19 @@ ifdef(`distro_gentoo',`
|
||||
@ -38867,7 +39089,7 @@ index 9775375..51bde2a 100644
|
||||
+#
|
||||
+# systemd init scripts
|
||||
+#
|
||||
+/lib/systemd/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0)
|
||||
+/lib/systemd/[^/]* -- gen_context(system_u:object_r:initrc_exec_t,s0)
|
||||
+
|
||||
+#
|
||||
+# /sbin
|
||||
@ -39278,7 +39500,7 @@ index df3fa64..73dc579 100644
|
||||
+ allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
|
||||
+')
|
||||
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
||||
index 8a105fd..aa33f57 100644
|
||||
index 8a105fd..fc65044 100644
|
||||
--- a/policy/modules/system/init.te
|
||||
+++ b/policy/modules/system/init.te
|
||||
@@ -16,6 +16,27 @@ gen_require(`
|
||||
@ -39326,15 +39548,16 @@ index 8a105fd..aa33f57 100644
|
||||
type init_exec_t;
|
||||
domain_type(init_t)
|
||||
domain_entry_file(init_t, init_exec_t)
|
||||
@@ -63,6 +85,7 @@ role system_r types initrc_t;
|
||||
@@ -63,6 +85,8 @@ role system_r types initrc_t;
|
||||
# of the below init_upstart tunable
|
||||
# but this has a typeattribute in it
|
||||
corecmd_shell_entry_type(initrc_t)
|
||||
+corecmd_bin_entry_type(initrc_t)
|
||||
+corecmd_bin_domtrans(init_t, initrc_t)
|
||||
|
||||
type initrc_devpts_t;
|
||||
term_pty(initrc_devpts_t)
|
||||
@@ -87,7 +110,7 @@ ifdef(`enable_mls',`
|
||||
@@ -87,7 +111,7 @@ ifdef(`enable_mls',`
|
||||
#
|
||||
|
||||
# Use capabilities. old rule:
|
||||
@ -39343,7 +39566,7 @@ index 8a105fd..aa33f57 100644
|
||||
# is ~sys_module really needed? observed:
|
||||
# sys_boot
|
||||
# sys_tty_config
|
||||
@@ -100,7 +123,9 @@ allow init_t self:fifo_file rw_fifo_file_perms;
|
||||
@@ -100,7 +124,9 @@ allow init_t self:fifo_file rw_fifo_file_perms;
|
||||
# Re-exec itself
|
||||
can_exec(init_t, init_exec_t)
|
||||
|
||||
@ -39354,7 +39577,7 @@ index 8a105fd..aa33f57 100644
|
||||
|
||||
# For /var/run/shutdown.pid.
|
||||
allow init_t init_var_run_t:file manage_file_perms;
|
||||
@@ -114,11 +139,13 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
|
||||
@@ -114,11 +140,13 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
|
||||
|
||||
kernel_read_system_state(init_t)
|
||||
kernel_share_state(init_t)
|
||||
@ -39368,7 +39591,7 @@ index 8a105fd..aa33f57 100644
|
||||
# Early devtmpfs
|
||||
dev_rw_generic_chr_files(init_t)
|
||||
|
||||
@@ -127,9 +154,13 @@ domain_kill_all_domains(init_t)
|
||||
@@ -127,9 +155,13 @@ domain_kill_all_domains(init_t)
|
||||
domain_signal_all_domains(init_t)
|
||||
domain_signull_all_domains(init_t)
|
||||
domain_sigstop_all_domains(init_t)
|
||||
@ -39382,7 +39605,7 @@ index 8a105fd..aa33f57 100644
|
||||
files_rw_generic_pids(init_t)
|
||||
files_dontaudit_search_isid_type_dirs(init_t)
|
||||
files_manage_etc_runtime_files(init_t)
|
||||
@@ -162,12 +193,15 @@ init_domtrans_script(init_t)
|
||||
@@ -162,12 +194,15 @@ init_domtrans_script(init_t)
|
||||
libs_rw_ld_so_cache(init_t)
|
||||
|
||||
logging_send_syslog_msg(init_t)
|
||||
@ -39398,7 +39621,7 @@ index 8a105fd..aa33f57 100644
|
||||
ifdef(`distro_gentoo',`
|
||||
allow init_t self:process { getcap setcap };
|
||||
')
|
||||
@@ -178,7 +212,7 @@ ifdef(`distro_redhat',`
|
||||
@@ -178,7 +213,7 @@ ifdef(`distro_redhat',`
|
||||
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
|
||||
')
|
||||
|
||||
@ -39407,7 +39630,7 @@ index 8a105fd..aa33f57 100644
|
||||
corecmd_shell_domtrans(init_t, initrc_t)
|
||||
',`
|
||||
# Run the shell in the sysadm role for single-user mode.
|
||||
@@ -186,12 +220,96 @@ tunable_policy(`init_upstart',`
|
||||
@@ -186,12 +221,99 @@ tunable_policy(`init_upstart',`
|
||||
sysadm_shell_domtrans(init_t)
|
||||
')
|
||||
|
||||
@ -39469,16 +39692,19 @@ index 8a105fd..aa33f57 100644
|
||||
+
|
||||
+ seutil_read_file_contexts(init_t)
|
||||
+
|
||||
+ # Permissions for systemd-tmpfiles, needs its own policy.
|
||||
+ files_relabel_all_pid_files(init_t)
|
||||
+ files_relabel_all_pid_files(init_t)
|
||||
+ files_manage_all_pids(init_t)
|
||||
+ files_manage_all_locks(init_t)
|
||||
+ files_manage_generic_tmp_dirs(init_t)
|
||||
+ files_manage_generic_tmp_files(init_t)
|
||||
+ files_relabelfrom_tmp_files(init_t)
|
||||
+
|
||||
+ auth_manage_var_auth(init_t)
|
||||
+ # Permissions for systemd-tmpfiles, needs its own policy.
|
||||
+ files_relabel_all_lock_dirs(initrc_t)
|
||||
+ files_relabel_all_pid_files(initrc_t)
|
||||
+ files_relabel_all_pid_files(initrc_t)
|
||||
+ files_manage_all_pids(initrc_t)
|
||||
+ files_manage_all_locks(initrc_t)
|
||||
+ files_manage_generic_tmp_files(initrc_t)
|
||||
+ files_manage_generic_tmp_dirs(initrc_t)
|
||||
+ files_relabelfrom_tmp_files(initrc_t)
|
||||
+
|
||||
+ auth_manage_var_auth(initrc_t)
|
||||
+ auth_relabel_var_auth_dirs(initrc_t)
|
||||
+')
|
||||
+
|
||||
optional_policy(`
|
||||
@ -39504,7 +39730,7 @@ index 8a105fd..aa33f57 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -199,10 +317,23 @@ optional_policy(`
|
||||
@@ -199,10 +321,23 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -39528,7 +39754,7 @@ index 8a105fd..aa33f57 100644
|
||||
unconfined_domain(init_t)
|
||||
')
|
||||
|
||||
@@ -212,7 +343,7 @@ optional_policy(`
|
||||
@@ -212,7 +347,7 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
|
||||
@ -39537,7 +39763,7 @@ index 8a105fd..aa33f57 100644
|
||||
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
|
||||
allow initrc_t self:passwd rootok;
|
||||
allow initrc_t self:key manage_key_perms;
|
||||
@@ -241,6 +372,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
||||
@@ -241,6 +376,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
||||
|
||||
allow initrc_t initrc_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
|
||||
@ -39545,7 +39771,7 @@ index 8a105fd..aa33f57 100644
|
||||
|
||||
can_exec(initrc_t, initrc_tmp_t)
|
||||
manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
|
||||
@@ -258,11 +390,23 @@ kernel_change_ring_buffer_level(initrc_t)
|
||||
@@ -258,11 +394,23 @@ kernel_change_ring_buffer_level(initrc_t)
|
||||
kernel_clear_ring_buffer(initrc_t)
|
||||
kernel_get_sysvipc_info(initrc_t)
|
||||
kernel_read_all_sysctls(initrc_t)
|
||||
@ -39569,7 +39795,7 @@ index 8a105fd..aa33f57 100644
|
||||
|
||||
corecmd_exec_all_executables(initrc_t)
|
||||
|
||||
@@ -291,6 +435,7 @@ dev_read_sound_mixer(initrc_t)
|
||||
@@ -291,6 +439,7 @@ dev_read_sound_mixer(initrc_t)
|
||||
dev_write_sound_mixer(initrc_t)
|
||||
dev_setattr_all_chr_files(initrc_t)
|
||||
dev_rw_lvm_control(initrc_t)
|
||||
@ -39577,7 +39803,7 @@ index 8a105fd..aa33f57 100644
|
||||
dev_delete_lvm_control_dev(initrc_t)
|
||||
dev_manage_generic_symlinks(initrc_t)
|
||||
dev_manage_generic_files(initrc_t)
|
||||
@@ -298,13 +443,13 @@ dev_manage_generic_files(initrc_t)
|
||||
@@ -298,13 +447,13 @@ dev_manage_generic_files(initrc_t)
|
||||
dev_delete_generic_symlinks(initrc_t)
|
||||
dev_getattr_all_blk_files(initrc_t)
|
||||
dev_getattr_all_chr_files(initrc_t)
|
||||
@ -39593,7 +39819,7 @@ index 8a105fd..aa33f57 100644
|
||||
domain_sigchld_all_domains(initrc_t)
|
||||
domain_read_all_domains_state(initrc_t)
|
||||
domain_getattr_all_domains(initrc_t)
|
||||
@@ -323,8 +468,10 @@ files_getattr_all_symlinks(initrc_t)
|
||||
@@ -323,8 +472,10 @@ files_getattr_all_symlinks(initrc_t)
|
||||
files_getattr_all_pipes(initrc_t)
|
||||
files_getattr_all_sockets(initrc_t)
|
||||
files_purge_tmp(initrc_t)
|
||||
@ -39605,7 +39831,7 @@ index 8a105fd..aa33f57 100644
|
||||
files_delete_all_pids(initrc_t)
|
||||
files_delete_all_pid_dirs(initrc_t)
|
||||
files_read_etc_files(initrc_t)
|
||||
@@ -340,8 +487,12 @@ files_list_isid_type_dirs(initrc_t)
|
||||
@@ -340,8 +491,12 @@ files_list_isid_type_dirs(initrc_t)
|
||||
files_mounton_isid_type_dirs(initrc_t)
|
||||
files_list_default(initrc_t)
|
||||
files_mounton_default(initrc_t)
|
||||
@ -39619,7 +39845,7 @@ index 8a105fd..aa33f57 100644
|
||||
fs_list_inotifyfs(initrc_t)
|
||||
fs_register_binary_executable_type(initrc_t)
|
||||
# rhgb-console writes to ramfs
|
||||
@@ -351,6 +502,8 @@ fs_mount_all_fs(initrc_t)
|
||||
@@ -351,6 +506,8 @@ fs_mount_all_fs(initrc_t)
|
||||
fs_unmount_all_fs(initrc_t)
|
||||
fs_remount_all_fs(initrc_t)
|
||||
fs_getattr_all_fs(initrc_t)
|
||||
@ -39628,7 +39854,7 @@ index 8a105fd..aa33f57 100644
|
||||
|
||||
# initrc_t needs to do a pidof which requires ptrace
|
||||
mcs_ptrace_all(initrc_t)
|
||||
@@ -363,6 +516,7 @@ mls_process_read_up(initrc_t)
|
||||
@@ -363,6 +520,7 @@ mls_process_read_up(initrc_t)
|
||||
mls_process_write_down(initrc_t)
|
||||
mls_rangetrans_source(initrc_t)
|
||||
mls_fd_share_all_levels(initrc_t)
|
||||
@ -39636,7 +39862,7 @@ index 8a105fd..aa33f57 100644
|
||||
|
||||
selinux_get_enforce_mode(initrc_t)
|
||||
|
||||
@@ -380,6 +534,7 @@ auth_read_pam_pid(initrc_t)
|
||||
@@ -380,6 +538,7 @@ auth_read_pam_pid(initrc_t)
|
||||
auth_delete_pam_pid(initrc_t)
|
||||
auth_delete_pam_console_data(initrc_t)
|
||||
auth_use_nsswitch(initrc_t)
|
||||
@ -39644,7 +39870,7 @@ index 8a105fd..aa33f57 100644
|
||||
|
||||
libs_rw_ld_so_cache(initrc_t)
|
||||
libs_exec_lib_files(initrc_t)
|
||||
@@ -394,13 +549,14 @@ logging_read_audit_config(initrc_t)
|
||||
@@ -394,13 +553,14 @@ logging_read_audit_config(initrc_t)
|
||||
|
||||
miscfiles_read_localization(initrc_t)
|
||||
# slapd needs to read cert files from its initscript
|
||||
@ -39660,7 +39886,7 @@ index 8a105fd..aa33f57 100644
|
||||
userdom_read_user_home_content_files(initrc_t)
|
||||
# Allow access to the sysadm TTYs. Note that this will give access to the
|
||||
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
|
||||
@@ -473,7 +629,7 @@ ifdef(`distro_redhat',`
|
||||
@@ -473,7 +633,7 @@ ifdef(`distro_redhat',`
|
||||
|
||||
# Red Hat systems seem to have a stray
|
||||
# fd open from the initrd
|
||||
@ -39669,7 +39895,7 @@ index 8a105fd..aa33f57 100644
|
||||
files_dontaudit_read_root_files(initrc_t)
|
||||
|
||||
# These seem to be from the initrd
|
||||
@@ -519,6 +675,19 @@ ifdef(`distro_redhat',`
|
||||
@@ -519,6 +679,19 @@ ifdef(`distro_redhat',`
|
||||
optional_policy(`
|
||||
bind_manage_config_dirs(initrc_t)
|
||||
bind_write_config(initrc_t)
|
||||
@ -39689,7 +39915,7 @@ index 8a105fd..aa33f57 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -526,10 +695,17 @@ ifdef(`distro_redhat',`
|
||||
@@ -526,10 +699,17 @@ ifdef(`distro_redhat',`
|
||||
rpc_write_exports(initrc_t)
|
||||
rpc_manage_nfs_state_data(initrc_t)
|
||||
')
|
||||
@ -39707,7 +39933,7 @@ index 8a105fd..aa33f57 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -544,6 +720,35 @@ ifdef(`distro_suse',`
|
||||
@@ -544,6 +724,35 @@ ifdef(`distro_suse',`
|
||||
')
|
||||
')
|
||||
|
||||
@ -39743,7 +39969,7 @@ index 8a105fd..aa33f57 100644
|
||||
optional_policy(`
|
||||
amavis_search_lib(initrc_t)
|
||||
amavis_setattr_pid_files(initrc_t)
|
||||
@@ -556,6 +761,8 @@ optional_policy(`
|
||||
@@ -556,6 +765,8 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
apache_read_config(initrc_t)
|
||||
apache_list_modules(initrc_t)
|
||||
@ -39752,7 +39978,7 @@ index 8a105fd..aa33f57 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -572,6 +779,7 @@ optional_policy(`
|
||||
@@ -572,6 +783,7 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
cgroup_stream_connect_cgred(initrc_t)
|
||||
@ -39760,7 +39986,7 @@ index 8a105fd..aa33f57 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -584,6 +792,11 @@ optional_policy(`
|
||||
@@ -584,6 +796,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -39772,7 +39998,7 @@ index 8a105fd..aa33f57 100644
|
||||
dev_getattr_printer_dev(initrc_t)
|
||||
|
||||
cups_read_log(initrc_t)
|
||||
@@ -600,6 +813,9 @@ optional_policy(`
|
||||
@@ -600,6 +817,9 @@ optional_policy(`
|
||||
dbus_connect_system_bus(initrc_t)
|
||||
dbus_system_bus_client(initrc_t)
|
||||
dbus_read_config(initrc_t)
|
||||
@ -39782,7 +40008,7 @@ index 8a105fd..aa33f57 100644
|
||||
|
||||
optional_policy(`
|
||||
consolekit_dbus_chat(initrc_t)
|
||||
@@ -701,7 +917,13 @@ optional_policy(`
|
||||
@@ -701,7 +921,13 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -39796,7 +40022,7 @@ index 8a105fd..aa33f57 100644
|
||||
mta_dontaudit_read_spool_symlinks(initrc_t)
|
||||
')
|
||||
|
||||
@@ -724,6 +946,10 @@ optional_policy(`
|
||||
@@ -724,6 +950,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -39807,7 +40033,7 @@ index 8a105fd..aa33f57 100644
|
||||
postgresql_manage_db(initrc_t)
|
||||
postgresql_read_config(initrc_t)
|
||||
')
|
||||
@@ -745,6 +971,10 @@ optional_policy(`
|
||||
@@ -745,6 +975,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -39818,7 +40044,7 @@ index 8a105fd..aa33f57 100644
|
||||
fs_write_ramfs_sockets(initrc_t)
|
||||
fs_search_ramfs(initrc_t)
|
||||
|
||||
@@ -766,8 +996,6 @@ optional_policy(`
|
||||
@@ -766,8 +1000,6 @@ optional_policy(`
|
||||
# bash tries ioctl for some reason
|
||||
files_dontaudit_ioctl_all_pids(initrc_t)
|
||||
|
||||
@ -39827,7 +40053,7 @@ index 8a105fd..aa33f57 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -776,14 +1004,21 @@ optional_policy(`
|
||||
@@ -776,14 +1008,21 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -39849,7 +40075,7 @@ index 8a105fd..aa33f57 100644
|
||||
|
||||
optional_policy(`
|
||||
ssh_dontaudit_read_server_keys(initrc_t)
|
||||
@@ -805,11 +1040,19 @@ optional_policy(`
|
||||
@@ -805,11 +1044,19 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -39870,14 +40096,13 @@ index 8a105fd..aa33f57 100644
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
# system-config-services causes avc messages that should be dontaudited
|
||||
@@ -819,6 +1062,25 @@ optional_policy(`
|
||||
@@ -819,6 +1066,25 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
mono_domtrans(initrc_t)
|
||||
')
|
||||
+
|
||||
+ # Allow SELinux aware applications to request rpm_script_t execution
|
||||
+ rpm_transition_script(initrc_t)
|
||||
+
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ gen_require(`
|
||||
@ -39892,11 +40117,12 @@ index 8a105fd..aa33f57 100644
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ rpm_read_db(initrc_t)
|
||||
+ rpm_delete_db(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -844,3 +1106,59 @@ optional_policy(`
|
||||
@@ -844,3 +1110,59 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
zebra_read_config(initrc_t)
|
||||
')
|
||||
@ -43774,7 +44000,7 @@ index 025348a..5b277ea 100644
|
||||
|
||||
########################################
|
||||
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
|
||||
index a054cf5..4867243 100644
|
||||
index a054cf5..f24ab6b 100644
|
||||
--- a/policy/modules/system/udev.te
|
||||
+++ b/policy/modules/system/udev.te
|
||||
@@ -52,6 +52,7 @@ allow udev_t self:unix_dgram_socket sendto;
|
||||
@ -43785,16 +44011,17 @@ index a054cf5..4867243 100644
|
||||
|
||||
allow udev_t udev_exec_t:file write;
|
||||
can_exec(udev_t, udev_exec_t)
|
||||
@@ -72,7 +73,7 @@ read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
|
||||
@@ -72,7 +73,8 @@ read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
|
||||
manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
|
||||
manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
|
||||
manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
|
||||
-files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
|
||||
+files_pid_filetrans(udev_t, udev_var_run_t, { file dir })
|
||||
+allow udev_t udev_var_run_t:file mounton;
|
||||
|
||||
kernel_read_system_state(udev_t)
|
||||
kernel_request_load_module(udev_t)
|
||||
@@ -111,15 +112,20 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
|
||||
@@ -111,15 +113,20 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
|
||||
|
||||
files_read_usr_files(udev_t)
|
||||
files_read_etc_runtime_files(udev_t)
|
||||
@ -43816,7 +44043,7 @@ index a054cf5..4867243 100644
|
||||
|
||||
mcs_ptrace_all(udev_t)
|
||||
|
||||
@@ -186,6 +192,7 @@ ifdef(`distro_redhat',`
|
||||
@@ -186,6 +193,7 @@ ifdef(`distro_redhat',`
|
||||
fs_manage_tmpfs_chr_files(udev_t)
|
||||
fs_relabel_tmpfs_blk_file(udev_t)
|
||||
fs_relabel_tmpfs_chr_file(udev_t)
|
||||
@ -43824,7 +44051,7 @@ index a054cf5..4867243 100644
|
||||
|
||||
term_search_ptys(udev_t)
|
||||
|
||||
@@ -216,11 +223,16 @@ optional_policy(`
|
||||
@@ -216,11 +224,16 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -43841,7 +44068,7 @@ index a054cf5..4867243 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -233,6 +245,10 @@ optional_policy(`
|
||||
@@ -233,6 +246,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -43852,7 +44079,7 @@ index a054cf5..4867243 100644
|
||||
lvm_domtrans(udev_t)
|
||||
')
|
||||
|
||||
@@ -259,6 +275,10 @@ optional_policy(`
|
||||
@@ -259,6 +276,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -43863,7 +44090,7 @@ index a054cf5..4867243 100644
|
||||
openct_read_pid_files(udev_t)
|
||||
openct_domtrans(udev_t)
|
||||
')
|
||||
@@ -273,6 +293,11 @@ optional_policy(`
|
||||
@@ -273,6 +294,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
@ -21,7 +21,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.9.7
|
||||
Release: 6%{?dist}
|
||||
Release: 7%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -470,6 +470,17 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Oct 28 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-7
|
||||
- Dontaudit sandbox sending sigkill to all user domains
|
||||
- Add policy for rssh_chroot_helper
|
||||
- Add missing flask definitions
|
||||
- Allow udev to relabelto removable_t
|
||||
- Fix label on /var/log/wicd.log
|
||||
- Transition to initrc_t from init when executing bin_t
|
||||
- Add audit_access permissions to file
|
||||
- Make removable_t a device_node
|
||||
- Fix label on /lib/systemd/*
|
||||
|
||||
* Fri Oct 22 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-6
|
||||
- Fixes for systemd to manage /var/run
|
||||
- Dontaudit leaks by firstboot
|
||||