* Fri Feb 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-173
- Allow amanda to manipulate the tape changer to load the necessary tapes. rhbz#1311759 - Allow keepalived to create netlink generic sockets. rhbz#1311756 - Allow modemmanager to read /etc/passwd file. - Label all files named /var/run/.*nologin.* as systemd_logind_var_run_t. - Add filename transition to interface systemd_filetrans_named_content() that domain will create rfkill dir labeled as systemd_rfkill_var_lib_t instead of init_var_lib_t. rhbz #1290255 - Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/systemd/ rhbz#1285019 - Allow systemd_networkd_t to write kmsg, when kernel was started with following params: systemd.debug systemd.log_level=debug systemd.log_target=kmsg rhbz#1311444 - Allow ipsec to read home certs, when connecting to VPN. rhbz#1301319
parent
352a55a547
commit
7ac3a50aaf
Binary file not shown.
@ -35871,7 +35871,7 @@ index 0d4c8d3..537aa42 100644
|
||||
+ ps_process_pattern($1, ipsec_mgmt_t)
|
||||
+')
|
||||
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
|
||||
index 312cd04..34f5262 100644
|
||||
index 312cd04..324b3af 100644
|
||||
--- a/policy/modules/system/ipsec.te
|
||||
+++ b/policy/modules/system/ipsec.te
|
||||
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
|
||||
@ -35978,7 +35978,7 @@ index 312cd04..34f5262 100644
|
||||
|
||||
dev_read_sysfs(ipsec_t)
|
||||
dev_read_rand(ipsec_t)
|
||||
@@ -157,24 +178,32 @@ files_dontaudit_search_home(ipsec_t)
|
||||
@@ -157,22 +178,31 @@ files_dontaudit_search_home(ipsec_t)
|
||||
fs_getattr_all_fs(ipsec_t)
|
||||
fs_search_auto_mountpoints(ipsec_t)
|
||||
|
||||
@ -36004,16 +36004,15 @@ index 312cd04..34f5262 100644
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
|
||||
userdom_dontaudit_search_user_home_dirs(ipsec_t)
|
||||
|
||||
optional_policy(`
|
||||
+ iptables_domtrans(ipsec_t)
|
||||
+')
|
||||
+userdom_read_home_certs(ipsec_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
seutil_sigchld_newrole(ipsec_t)
|
||||
')
|
||||
+ iptables_domtrans(ipsec_t)
|
||||
+')
|
||||
|
||||
@@ -182,19 +211,30 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(ipsec_t)
|
||||
@@ -182,19 +212,30 @@ optional_policy(`
|
||||
udev_read_db(ipsec_t)
|
||||
')
|
||||
|
||||
@ -36048,7 +36047,7 @@ index 312cd04..34f5262 100644
|
||||
|
||||
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
|
||||
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
|
||||
@@ -208,12 +248,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
|
||||
@@ -208,12 +249,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
|
||||
|
||||
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
|
||||
@ -36064,7 +36063,7 @@ index 312cd04..34f5262 100644
|
||||
|
||||
# _realsetup needs to be able to cat /var/run/pluto.pid,
|
||||
# run ps on that pid, and delete the file
|
||||
@@ -246,6 +288,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
|
||||
@@ -246,6 +289,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
|
||||
kernel_getattr_core_if(ipsec_mgmt_t)
|
||||
kernel_getattr_message_if(ipsec_mgmt_t)
|
||||
|
||||
@ -36081,7 +36080,7 @@ index 312cd04..34f5262 100644
|
||||
files_read_kernel_symbol_table(ipsec_mgmt_t)
|
||||
files_getattr_kernel_modules(ipsec_mgmt_t)
|
||||
|
||||
@@ -255,6 +307,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
|
||||
@@ -255,6 +308,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
|
||||
corecmd_exec_bin(ipsec_mgmt_t)
|
||||
corecmd_exec_shell(ipsec_mgmt_t)
|
||||
|
||||
@ -36090,7 +36089,7 @@ index 312cd04..34f5262 100644
|
||||
dev_read_rand(ipsec_mgmt_t)
|
||||
dev_read_urand(ipsec_mgmt_t)
|
||||
|
||||
@@ -269,6 +323,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
|
||||
@@ -269,6 +324,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
|
||||
files_read_etc_files(ipsec_mgmt_t)
|
||||
files_exec_etc_files(ipsec_mgmt_t)
|
||||
files_read_etc_runtime_files(ipsec_mgmt_t)
|
||||
@ -36098,7 +36097,7 @@ index 312cd04..34f5262 100644
|
||||
files_read_usr_files(ipsec_mgmt_t)
|
||||
files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
|
||||
files_dontaudit_getattr_default_files(ipsec_mgmt_t)
|
||||
@@ -278,9 +333,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
|
||||
@@ -278,9 +334,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
|
||||
fs_list_tmpfs(ipsec_mgmt_t)
|
||||
|
||||
term_use_console(ipsec_mgmt_t)
|
||||
@ -36110,7 +36109,7 @@ index 312cd04..34f5262 100644
|
||||
|
||||
init_read_utmp(ipsec_mgmt_t)
|
||||
init_use_script_ptys(ipsec_mgmt_t)
|
||||
@@ -288,17 +344,28 @@ init_exec_script_files(ipsec_mgmt_t)
|
||||
@@ -288,17 +345,28 @@ init_exec_script_files(ipsec_mgmt_t)
|
||||
init_use_fds(ipsec_mgmt_t)
|
||||
init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
|
||||
|
||||
@ -36144,7 +36143,7 @@ index 312cd04..34f5262 100644
|
||||
|
||||
optional_policy(`
|
||||
consoletype_exec(ipsec_mgmt_t)
|
||||
@@ -322,6 +389,10 @@ optional_policy(`
|
||||
@@ -322,6 +390,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -36155,7 +36154,7 @@ index 312cd04..34f5262 100644
|
||||
modutils_domtrans_insmod(ipsec_mgmt_t)
|
||||
')
|
||||
|
||||
@@ -335,7 +406,7 @@ optional_policy(`
|
||||
@@ -335,7 +407,7 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow racoon_t self:capability { net_admin net_bind_service };
|
||||
@ -36164,7 +36163,7 @@ index 312cd04..34f5262 100644
|
||||
allow racoon_t self:unix_dgram_socket { connect create ioctl write };
|
||||
allow racoon_t self:netlink_selinux_socket { bind create read };
|
||||
allow racoon_t self:udp_socket create_socket_perms;
|
||||
@@ -370,13 +441,12 @@ kernel_request_load_module(racoon_t)
|
||||
@@ -370,13 +442,12 @@ kernel_request_load_module(racoon_t)
|
||||
corecmd_exec_shell(racoon_t)
|
||||
corecmd_exec_bin(racoon_t)
|
||||
|
||||
@ -36184,7 +36183,7 @@ index 312cd04..34f5262 100644
|
||||
corenet_udp_bind_isakmp_port(racoon_t)
|
||||
corenet_udp_bind_ipsecnat_port(racoon_t)
|
||||
|
||||
@@ -401,10 +471,10 @@ locallogin_use_fds(racoon_t)
|
||||
@@ -401,10 +472,10 @@ locallogin_use_fds(racoon_t)
|
||||
logging_send_syslog_msg(racoon_t)
|
||||
logging_send_audit_msgs(racoon_t)
|
||||
|
||||
@ -36197,7 +36196,7 @@ index 312cd04..34f5262 100644
|
||||
auth_can_read_shadow_passwords(racoon_t)
|
||||
tunable_policy(`racoon_read_shadow',`
|
||||
auth_tunable_read_shadow(racoon_t)
|
||||
@@ -438,9 +508,8 @@ corenet_setcontext_all_spds(setkey_t)
|
||||
@@ -438,9 +509,8 @@ corenet_setcontext_all_spds(setkey_t)
|
||||
|
||||
locallogin_use_fds(setkey_t)
|
||||
|
||||
@ -43785,7 +43784,7 @@ index a392fc4..78fa512 100644
|
||||
+')
|
||||
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
|
||||
new file mode 100644
|
||||
index 0000000..b53de2b
|
||||
index 0000000..849cdb8
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/system/systemd.fc
|
||||
@@ -0,0 +1,61 @@
|
||||
@ -43839,7 +43838,7 @@ index 0000000..b53de2b
|
||||
+/var/lib/random-seed gen_context(system_u:object_r:random_seed_t,mls_systemhigh)
|
||||
+/usr/var/lib/random-seed gen_context(system_u:object_r:random_seed_t,mls_systemhigh)
|
||||
+
|
||||
+/var/run/nologin gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
|
||||
+/var/run/.*nologin.* gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
|
||||
+/var/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
|
||||
+/var/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_sessions_t,s0)
|
||||
+/var/run/systemd/shutdown(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
|
||||
@ -43852,10 +43851,10 @@ index 0000000..b53de2b
|
||||
+/var/run/initramfs(/.*)? <<none>>
|
||||
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
|
||||
new file mode 100644
|
||||
index 0000000..300bf59
|
||||
index 0000000..21f7c14
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/system/systemd.if
|
||||
@@ -0,0 +1,1676 @@
|
||||
@@ -0,0 +1,1678 @@
|
||||
+## <summary>SELinux policy for systemd components</summary>
|
||||
+
|
||||
+######################################
|
||||
@ -44970,6 +44969,7 @@ index 0000000..300bf59
|
||||
+ type systemd_logind_var_run_t;
|
||||
+ type hostname_etc_t;
|
||||
+ type systemd_home_t;
|
||||
+ type systemd_rfkill_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_pid_filetrans($1, systemd_logind_var_run_t, file, "nologin")
|
||||
@ -44978,6 +44978,7 @@ index 0000000..300bf59
|
||||
+ init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
|
||||
+ files_etc_filetrans($1, hostname_etc_t, file, "hostname" )
|
||||
+ files_etc_filetrans($1, hostname_etc_t, file, "machine-info" )
|
||||
+ init_var_lib_filetrans($1, systemd_rfkill_var_lib_t, dir, "rfkill" )
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
@ -45534,10 +45535,10 @@ index 0000000..300bf59
|
||||
+')
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
new file mode 100644
|
||||
index 0000000..eb1b3c3
|
||||
index 0000000..bf93dba
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -0,0 +1,842 @@
|
||||
@@ -0,0 +1,843 @@
|
||||
+policy_module(systemd, 1.0.0)
|
||||
+
|
||||
+#######################################
|
||||
@ -45687,7 +45688,7 @@ index 0000000..eb1b3c3
|
||||
+manage_files_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_var_run_t systemd_logind_sessions_t })
|
||||
+manage_fifo_files_pattern(systemd_logind_t, systemd_logind_sessions_t, { systemd_logind_sessions_t systemd_logind_var_run_t })
|
||||
+init_named_pid_filetrans(systemd_logind_t, systemd_logind_sessions_t, dir, "sessions")
|
||||
+init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir)
|
||||
+init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, { file dir })
|
||||
+files_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, file, "nologin")
|
||||
+
|
||||
+manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
|
||||
@ -45896,6 +45897,7 @@ index 0000000..eb1b3c3
|
||||
+fs_read_xenfs_files(systemd_networkd_t)
|
||||
+
|
||||
+dev_read_sysfs(systemd_networkd_t)
|
||||
+dev_write_kmsg(systemd_networkd_t)
|
||||
+
|
||||
+logging_send_syslog_msg(systemd_networkd_t)
|
||||
+
|
||||
|
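Review bot: The widened default transition `init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, { file dir })` in the systemd.te hunk applies to every file systemd-logind creates directly inside an init_var_run_t directory, not only the `.#nologinXXXXXX` temporary the changelog describes, while the file_contexts entry `/var/run/.*nologin.*` in the systemd.fc hunk only covers names containing "nologin". Any other file logind creates there would be labeled systemd_logind_var_run_t at creation and relabeled back to init_var_run_t by a restorecon, which is the kind of drift that later surfaces as unexplained AVC denials; presumably the random suffix is what rules out a named transition, and a comment next to the rule saying so would save the next reader the search, e.g. `# .#nologinXXXXXX carries a random suffix, so a named filetrans cannot match it`. Note also that in file_contexts `.` matches `/`, so the regex claims every path under /var/run whose name contains "nologin", not just /var/run/nologin and the systemd temp file; if that breadth is intentional it deserves a one-line comment in systemd.fc as well.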
@ -2267,7 +2267,7 @@ index 7f4dfbc..e5c9f45 100644
|
||||
/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
|
||||
|
||||
diff --git a/amanda.te b/amanda.te
|
||||
index 519051c..f5784a5 100644
|
||||
index 519051c..0f871e6 100644
|
||||
--- a/amanda.te
|
||||
+++ b/amanda.te
|
||||
@@ -9,11 +9,14 @@ attribute_role amanda_recover_roles;
|
||||
@ -2330,7 +2330,15 @@ index 519051c..f5784a5 100644
|
||||
|
||||
files_read_etc_runtime_files(amanda_t)
|
||||
files_list_all(amanda_t)
|
||||
@@ -170,7 +177,6 @@ kernel_read_system_state(amanda_recover_t)
|
||||
@@ -130,6 +137,7 @@ fs_list_all(amanda_t)
|
||||
storage_raw_read_fixed_disk(amanda_t)
|
||||
storage_read_tape(amanda_t)
|
||||
storage_write_tape(amanda_t)
|
||||
+storage_write_scsi_generic(amanda_t)
|
||||
|
||||
auth_use_nsswitch(amanda_t)
|
||||
auth_read_shadow(amanda_t)
|
||||
@@ -170,7 +178,6 @@ kernel_read_system_state(amanda_recover_t)
|
||||
corecmd_exec_shell(amanda_recover_t)
|
||||
corecmd_exec_bin(amanda_recover_t)
|
||||
|
||||
@ -2338,7 +2346,7 @@ index 519051c..f5784a5 100644
|
||||
corenet_all_recvfrom_netlabel(amanda_recover_t)
|
||||
corenet_tcp_sendrecv_generic_if(amanda_recover_t)
|
||||
corenet_udp_sendrecv_generic_if(amanda_recover_t)
|
||||
@@ -195,12 +201,16 @@ files_search_tmp(amanda_recover_t)
|
||||
@@ -195,12 +202,16 @@ files_search_tmp(amanda_recover_t)
|
||||
|
||||
auth_use_nsswitch(amanda_recover_t)
|
||||
|
||||
@ -41006,10 +41014,10 @@ index 0000000..bd7e7fa
|
||||
+')
|
||||
diff --git a/keepalived.te b/keepalived.te
|
||||
new file mode 100644
|
||||
index 0000000..8ab40b5
|
||||
index 0000000..66e747b
|
||||
--- /dev/null
|
||||
+++ b/keepalived.te
|
||||
@@ -0,0 +1,91 @@
|
||||
@@ -0,0 +1,92 @@
|
||||
+policy_module(keepalived, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -41038,6 +41046,7 @@ index 0000000..8ab40b5
|
||||
+allow keepalived_t self:capability { net_admin net_raw kill };
|
||||
+allow keepalived_t self:process { signal_perms };
|
||||
+allow keepalived_t self:netlink_socket create_socket_perms;
|
||||
+allow keepalived_t self:netlink_generic_socket create_socket_perms;
|
||||
+allow keepalived_t self:netlink_route_socket nlmsg_write;
|
||||
+allow keepalived_t self:packet_socket create_socket_perms;
|
||||
+allow keepalived_t self:rawip_socket create_socket_perms;
|
||||
@ -49397,7 +49406,7 @@ index b1ac8b5..24782b3 100644
|
||||
+ ')
|
||||
+')
|
||||
diff --git a/modemmanager.te b/modemmanager.te
|
||||
index d15eb5b..25f2cfe 100644
|
||||
index d15eb5b..6e2a403 100644
|
||||
--- a/modemmanager.te
|
||||
+++ b/modemmanager.te
|
||||
@@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t)
|
||||
@ -49410,7 +49419,7 @@ index d15eb5b..25f2cfe 100644
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
@@ -19,20 +22,22 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
|
||||
@@ -19,20 +22,24 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
|
||||
allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config };
|
||||
allow modemmanager_t self:process { getsched signal };
|
||||
allow modemmanager_t self:fifo_file rw_fifo_file_perms;
|
||||
@ -49420,6 +49429,8 @@ index d15eb5b..25f2cfe 100644
|
||||
|
||||
kernel_read_system_state(modemmanager_t)
|
||||
|
||||
+auth_read_passwd(modemmanager_t)
|
||||
+
|
||||
+corecmd_exec_bin(modemmanager_t)
|
||||
+
|
||||
dev_read_sysfs(modemmanager_t)
|
||||
|
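Review bot: `storage_write_scsi_generic(amanda_t)` in the amanda.te hunk grants write access on scsi_generic_device_t, which labels every /dev/sg* node on the host, so the access is wider than the single tape changer named in the changelog; that is a limit of the device type granularity rather than of this patch, but it is worth recording next to the rule, e.g. `# tape changer control goes through /dev/sg*, which covers all SCSI generic devices (rhbz#1311759)`. If the changer is opened read-write by the tool amanda invokes, the matching `storage_read_scsi_generic(amanda_t)` may be needed as well, which should be confirmed against the original denial before the bug is closed. The keepalived and modemmanager hunks each add a single rule (a netlink_generic_socket self-rule and `auth_read_passwd`) that matches their changelog entries.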
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 172%{?dist}
|
||||
Release: 173%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -673,6 +673,16 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Feb 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-173
|
||||
- Allow amanda to manipulate the tape changer to load the necessary tapes. rhbz#1311759
|
||||
- Allow keepalived to create netlink generic sockets. rhbz#1311756
|
||||
- Allow modemmanager to read /etc/passwd file.
|
||||
- Label all files named /var/run/.*nologin.* as systemd_logind_var_run_t.
|
||||
- Add filename transition to interface systemd_filetrans_named_content() that domain will create rfkill dir labeled as systemd_rfkill_var_lib_t instead of init_var_lib_t. rhbz #1290255
|
||||
- Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/systemd/ rhbz#1285019
|
||||
- Allow systemd_networkd_t to write kmsg, when kernel was started with following params: systemd.debug systemd.log_level=debug systemd.log_target=kmsg rhbz#1311444
|
||||
- Allow ipsec to read home certs, when connecting to VPN. rhbz#1301319
|
||||
|
||||
* Thu Feb 25 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-172
|
||||
- Fix macro name from snmp_manage_snmp_var_lib_files to snmp_manage_var_lib_files in cupsd policy.
|
||||
- Allow hplip driver to write to its MIB index files stored in the /var/lib/net-snmp/mib_indexes. Resolves: rhbz#1291033
|
||||
|