- Allow init_t to setattr/relabelfrom dhcp state files
- Allow dmesg to read hwdata and memory dev
- Allow strongswan to create ipsec.secrets with correct labeling in /etc/strongswan
- Dontaudit antivirus domains read access on all security files by default
- Add missing alias for old amavis_etc_t type
- Additional fixes for instack overcloud
- Allow block_suspend cap for haproxy
- Allow OpenStack to read mysqld_db links and connect to MySQL
- Remove dup filename rules in gnome.te
- Allow sys_chroot cap for httpd_t and setattr on httpd_log_t
- Add labeling for /lib/systemd/system/thttpd.service
- Allow iscsid to handle own unit files
- Add iscsi_systemctl()
- Allow mongod also create sock_file with correct labeling in /run
- Allow aiccu stream connect to pcscd
- Allow rabbitmq_beam to connect to httpd port
- Allow httpd to send signull to apache script domains and don't audit leaks
- Fix labeling in drbd.fc
- Allow sssd to connect to the smbd port for handling logins using active directory, needs back
- Allow all freeipmi domains to read/write ipmi devices
- Allow rabbitmq_epmd to manage rabbit_var_log_t files
- Allow sblim_sfcbd to use also pegasus-https port
- Allow chronyd to read /sys/class/hwmon/hwmon1/device/temp2_input
- Add httpd_run_preupgrade boolean
- Add interfaces to access preupgrade_data_t
- Add preupgrade policy
- Add labeling for puppet helper scripts
parent
d641991bb4
commit
7ca2b30721
@ -1601,7 +1601,7 @@ index d6cc2d9..0685b19 100644
|
|||||||
+
|
+
|
||||||
+/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
|
+/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
|
||||||
diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
|
diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
|
||||||
index 72bc6d8..17357e5 100644
|
index 72bc6d8..bb4a6f0 100644
|
||||||
--- a/policy/modules/admin/dmesg.te
|
--- a/policy/modules/admin/dmesg.te
|
||||||
+++ b/policy/modules/admin/dmesg.te
|
+++ b/policy/modules/admin/dmesg.te
|
||||||
@@ -9,6 +9,10 @@ type dmesg_t;
|
@@ -9,6 +9,10 @@ type dmesg_t;
|
||||||
@ -1615,7 +1615,7 @@ index 72bc6d8..17357e5 100644
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Local policy
|
# Local policy
|
||||||
@@ -19,14 +23,17 @@ dontaudit dmesg_t self:capability sys_tty_config;
|
@@ -19,14 +23,18 @@ dontaudit dmesg_t self:capability sys_tty_config;
|
||||||
|
|
||||||
allow dmesg_t self:process signal_perms;
|
allow dmesg_t self:process signal_perms;
|
||||||
|
|
||||||
@ -1630,15 +1630,17 @@ index 72bc6d8..17357e5 100644
|
|||||||
|
|
||||||
dev_read_sysfs(dmesg_t)
|
dev_read_sysfs(dmesg_t)
|
||||||
+dev_read_kmsg(dmesg_t)
|
+dev_read_kmsg(dmesg_t)
|
||||||
|
+dev_read_raw_memory(dmesg_t)
|
||||||
|
|
||||||
fs_search_auto_mountpoints(dmesg_t)
|
fs_search_auto_mountpoints(dmesg_t)
|
||||||
|
|
||||||
@@ -44,10 +51,12 @@ init_use_script_ptys(dmesg_t)
|
@@ -44,10 +52,14 @@ init_use_script_ptys(dmesg_t)
|
||||||
logging_send_syslog_msg(dmesg_t)
|
logging_send_syslog_msg(dmesg_t)
|
||||||
logging_write_generic_logs(dmesg_t)
|
logging_write_generic_logs(dmesg_t)
|
||||||
|
|
||||||
-miscfiles_read_localization(dmesg_t)
|
-miscfiles_read_localization(dmesg_t)
|
||||||
-
|
+miscfiles_read_hwdata(dmesg_t)
|
||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
|
userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
|
||||||
-userdom_use_user_terminals(dmesg_t)
|
-userdom_use_user_terminals(dmesg_t)
|
||||||
+userdom_use_inherited_user_terminals(dmesg_t)
|
+userdom_use_inherited_user_terminals(dmesg_t)
|
||||||
@ -29655,7 +29657,7 @@ index 79a45f6..89b43aa 100644
|
|||||||
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
|
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
||||||
index 17eda24..56e006c 100644
|
index 17eda24..e5c555c 100644
|
||||||
--- a/policy/modules/system/init.te
|
--- a/policy/modules/system/init.te
|
||||||
+++ b/policy/modules/system/init.te
|
+++ b/policy/modules/system/init.te
|
||||||
@@ -11,10 +11,31 @@ gen_require(`
|
@@ -11,10 +11,31 @@ gen_require(`
|
||||||
@ -29925,7 +29927,7 @@ index 17eda24..56e006c 100644
|
|||||||
|
|
||||||
ifdef(`distro_gentoo',`
|
ifdef(`distro_gentoo',`
|
||||||
allow init_t self:process { getcap setcap };
|
allow init_t self:process { getcap setcap };
|
||||||
@@ -186,29 +301,230 @@ ifdef(`distro_gentoo',`
|
@@ -186,29 +301,235 @@ ifdef(`distro_gentoo',`
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
@ -30123,6 +30125,11 @@ index 17eda24..56e006c 100644
|
|||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
+ rpc_manage_nfs_state_data(init_t)
|
+ rpc_manage_nfs_state_data(init_t)
|
||||||
+ ')
|
+ ')
|
||||||
|
+
|
||||||
|
+ optional_policy(`
|
||||||
|
+ sysnet_relabelfrom_dhcpc_state(init_t)
|
||||||
|
+ sysnet_setattr_dhcp_state(init_t)
|
||||||
|
+ ')
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
@ -30142,10 +30149,9 @@ index 17eda24..56e006c 100644
|
|||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
+ devicekit_dbus_chat_power(init_t)
|
+ devicekit_dbus_chat_power(init_t)
|
||||||
+ ')
|
+ ')
|
||||||
')
|
+')
|
||||||
|
+
|
||||||
optional_policy(`
|
+optional_policy(`
|
||||||
- nscd_use(init_t)
|
|
||||||
+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
|
+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
|
||||||
+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
|
+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
|
||||||
+ # the directory. But we do not want to allow this.
|
+ # the directory. But we do not want to allow this.
|
||||||
@ -30155,16 +30161,17 @@ index 17eda24..56e006c 100644
|
|||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ networkmanager_stream_connect(init_t)
|
+ networkmanager_stream_connect(init_t)
|
||||||
+')
|
')
|
||||||
+
|
|
||||||
+optional_policy(`
|
optional_policy(`
|
||||||
|
- nscd_use(init_t)
|
||||||
+ plymouthd_stream_connect(init_t)
|
+ plymouthd_stream_connect(init_t)
|
||||||
+ plymouthd_exec_plymouth(init_t)
|
+ plymouthd_exec_plymouth(init_t)
|
||||||
+ plymouthd_filetrans_named_content(init_t)
|
+ plymouthd_filetrans_named_content(init_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -216,7 +532,31 @@ optional_policy(`
|
@@ -216,7 +537,31 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -30196,7 +30203,7 @@ index 17eda24..56e006c 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -225,9 +565,9 @@ optional_policy(`
|
@@ -225,9 +570,9 @@ optional_policy(`
|
||||||
#
|
#
|
||||||
|
|
||||||
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
|
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
|
||||||
@ -30208,7 +30215,7 @@ index 17eda24..56e006c 100644
|
|||||||
allow initrc_t self:passwd rootok;
|
allow initrc_t self:passwd rootok;
|
||||||
allow initrc_t self:key manage_key_perms;
|
allow initrc_t self:key manage_key_perms;
|
||||||
|
|
||||||
@@ -258,12 +598,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
@@ -258,12 +603,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
||||||
|
|
||||||
allow initrc_t initrc_var_run_t:file manage_file_perms;
|
allow initrc_t initrc_var_run_t:file manage_file_perms;
|
||||||
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
|
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
|
||||||
@ -30225,7 +30232,7 @@ index 17eda24..56e006c 100644
|
|||||||
|
|
||||||
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
|
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
|
||||||
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
|
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
|
||||||
@@ -279,23 +623,36 @@ kernel_change_ring_buffer_level(initrc_t)
|
@@ -279,23 +628,36 @@ kernel_change_ring_buffer_level(initrc_t)
|
||||||
kernel_clear_ring_buffer(initrc_t)
|
kernel_clear_ring_buffer(initrc_t)
|
||||||
kernel_get_sysvipc_info(initrc_t)
|
kernel_get_sysvipc_info(initrc_t)
|
||||||
kernel_read_all_sysctls(initrc_t)
|
kernel_read_all_sysctls(initrc_t)
|
||||||
@ -30268,7 +30275,7 @@ index 17eda24..56e006c 100644
|
|||||||
corenet_tcp_sendrecv_all_ports(initrc_t)
|
corenet_tcp_sendrecv_all_ports(initrc_t)
|
||||||
corenet_udp_sendrecv_all_ports(initrc_t)
|
corenet_udp_sendrecv_all_ports(initrc_t)
|
||||||
corenet_tcp_connect_all_ports(initrc_t)
|
corenet_tcp_connect_all_ports(initrc_t)
|
||||||
@@ -303,9 +660,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
|
@@ -303,9 +665,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
|
||||||
|
|
||||||
dev_read_rand(initrc_t)
|
dev_read_rand(initrc_t)
|
||||||
dev_read_urand(initrc_t)
|
dev_read_urand(initrc_t)
|
||||||
@ -30280,7 +30287,7 @@ index 17eda24..56e006c 100644
|
|||||||
dev_rw_sysfs(initrc_t)
|
dev_rw_sysfs(initrc_t)
|
||||||
dev_list_usbfs(initrc_t)
|
dev_list_usbfs(initrc_t)
|
||||||
dev_read_framebuffer(initrc_t)
|
dev_read_framebuffer(initrc_t)
|
||||||
@@ -313,8 +672,10 @@ dev_write_framebuffer(initrc_t)
|
@@ -313,8 +677,10 @@ dev_write_framebuffer(initrc_t)
|
||||||
dev_read_realtime_clock(initrc_t)
|
dev_read_realtime_clock(initrc_t)
|
||||||
dev_read_sound_mixer(initrc_t)
|
dev_read_sound_mixer(initrc_t)
|
||||||
dev_write_sound_mixer(initrc_t)
|
dev_write_sound_mixer(initrc_t)
|
||||||
@ -30291,7 +30298,7 @@ index 17eda24..56e006c 100644
|
|||||||
dev_delete_lvm_control_dev(initrc_t)
|
dev_delete_lvm_control_dev(initrc_t)
|
||||||
dev_manage_generic_symlinks(initrc_t)
|
dev_manage_generic_symlinks(initrc_t)
|
||||||
dev_manage_generic_files(initrc_t)
|
dev_manage_generic_files(initrc_t)
|
||||||
@@ -322,8 +683,7 @@ dev_manage_generic_files(initrc_t)
|
@@ -322,8 +688,7 @@ dev_manage_generic_files(initrc_t)
|
||||||
dev_delete_generic_symlinks(initrc_t)
|
dev_delete_generic_symlinks(initrc_t)
|
||||||
dev_getattr_all_blk_files(initrc_t)
|
dev_getattr_all_blk_files(initrc_t)
|
||||||
dev_getattr_all_chr_files(initrc_t)
|
dev_getattr_all_chr_files(initrc_t)
|
||||||
@ -30301,7 +30308,7 @@ index 17eda24..56e006c 100644
|
|||||||
|
|
||||||
domain_kill_all_domains(initrc_t)
|
domain_kill_all_domains(initrc_t)
|
||||||
domain_signal_all_domains(initrc_t)
|
domain_signal_all_domains(initrc_t)
|
||||||
@@ -332,7 +692,6 @@ domain_sigstop_all_domains(initrc_t)
|
@@ -332,7 +697,6 @@ domain_sigstop_all_domains(initrc_t)
|
||||||
domain_sigchld_all_domains(initrc_t)
|
domain_sigchld_all_domains(initrc_t)
|
||||||
domain_read_all_domains_state(initrc_t)
|
domain_read_all_domains_state(initrc_t)
|
||||||
domain_getattr_all_domains(initrc_t)
|
domain_getattr_all_domains(initrc_t)
|
||||||
@ -30309,7 +30316,7 @@ index 17eda24..56e006c 100644
|
|||||||
domain_getsession_all_domains(initrc_t)
|
domain_getsession_all_domains(initrc_t)
|
||||||
domain_use_interactive_fds(initrc_t)
|
domain_use_interactive_fds(initrc_t)
|
||||||
# for lsof which is used by alsa shutdown:
|
# for lsof which is used by alsa shutdown:
|
||||||
@@ -340,6 +699,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
|
@@ -340,6 +704,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
|
||||||
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
|
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
|
||||||
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
|
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
|
||||||
domain_dontaudit_getattr_all_pipes(initrc_t)
|
domain_dontaudit_getattr_all_pipes(initrc_t)
|
||||||
@ -30317,7 +30324,7 @@ index 17eda24..56e006c 100644
|
|||||||
|
|
||||||
files_getattr_all_dirs(initrc_t)
|
files_getattr_all_dirs(initrc_t)
|
||||||
files_getattr_all_files(initrc_t)
|
files_getattr_all_files(initrc_t)
|
||||||
@@ -347,14 +707,15 @@ files_getattr_all_symlinks(initrc_t)
|
@@ -347,14 +712,15 @@ files_getattr_all_symlinks(initrc_t)
|
||||||
files_getattr_all_pipes(initrc_t)
|
files_getattr_all_pipes(initrc_t)
|
||||||
files_getattr_all_sockets(initrc_t)
|
files_getattr_all_sockets(initrc_t)
|
||||||
files_purge_tmp(initrc_t)
|
files_purge_tmp(initrc_t)
|
||||||
@ -30335,7 +30342,7 @@ index 17eda24..56e006c 100644
|
|||||||
files_read_usr_files(initrc_t)
|
files_read_usr_files(initrc_t)
|
||||||
files_manage_urandom_seed(initrc_t)
|
files_manage_urandom_seed(initrc_t)
|
||||||
files_manage_generic_spool(initrc_t)
|
files_manage_generic_spool(initrc_t)
|
||||||
@@ -364,8 +725,12 @@ files_list_isid_type_dirs(initrc_t)
|
@@ -364,8 +730,12 @@ files_list_isid_type_dirs(initrc_t)
|
||||||
files_mounton_isid_type_dirs(initrc_t)
|
files_mounton_isid_type_dirs(initrc_t)
|
||||||
files_list_default(initrc_t)
|
files_list_default(initrc_t)
|
||||||
files_mounton_default(initrc_t)
|
files_mounton_default(initrc_t)
|
||||||
@ -30349,7 +30356,7 @@ index 17eda24..56e006c 100644
|
|||||||
fs_list_inotifyfs(initrc_t)
|
fs_list_inotifyfs(initrc_t)
|
||||||
fs_register_binary_executable_type(initrc_t)
|
fs_register_binary_executable_type(initrc_t)
|
||||||
# rhgb-console writes to ramfs
|
# rhgb-console writes to ramfs
|
||||||
@@ -375,10 +740,11 @@ fs_mount_all_fs(initrc_t)
|
@@ -375,10 +745,11 @@ fs_mount_all_fs(initrc_t)
|
||||||
fs_unmount_all_fs(initrc_t)
|
fs_unmount_all_fs(initrc_t)
|
||||||
fs_remount_all_fs(initrc_t)
|
fs_remount_all_fs(initrc_t)
|
||||||
fs_getattr_all_fs(initrc_t)
|
fs_getattr_all_fs(initrc_t)
|
||||||
@ -30363,7 +30370,7 @@ index 17eda24..56e006c 100644
|
|||||||
mcs_process_set_categories(initrc_t)
|
mcs_process_set_categories(initrc_t)
|
||||||
|
|
||||||
mls_file_read_all_levels(initrc_t)
|
mls_file_read_all_levels(initrc_t)
|
||||||
@@ -387,8 +753,10 @@ mls_process_read_up(initrc_t)
|
@@ -387,8 +758,10 @@ mls_process_read_up(initrc_t)
|
||||||
mls_process_write_down(initrc_t)
|
mls_process_write_down(initrc_t)
|
||||||
mls_rangetrans_source(initrc_t)
|
mls_rangetrans_source(initrc_t)
|
||||||
mls_fd_share_all_levels(initrc_t)
|
mls_fd_share_all_levels(initrc_t)
|
||||||
@ -30374,7 +30381,7 @@ index 17eda24..56e006c 100644
|
|||||||
|
|
||||||
storage_getattr_fixed_disk_dev(initrc_t)
|
storage_getattr_fixed_disk_dev(initrc_t)
|
||||||
storage_setattr_fixed_disk_dev(initrc_t)
|
storage_setattr_fixed_disk_dev(initrc_t)
|
||||||
@@ -398,6 +766,7 @@ term_use_all_terms(initrc_t)
|
@@ -398,6 +771,7 @@ term_use_all_terms(initrc_t)
|
||||||
term_reset_tty_labels(initrc_t)
|
term_reset_tty_labels(initrc_t)
|
||||||
|
|
||||||
auth_rw_login_records(initrc_t)
|
auth_rw_login_records(initrc_t)
|
||||||
@ -30382,7 +30389,7 @@ index 17eda24..56e006c 100644
|
|||||||
auth_setattr_login_records(initrc_t)
|
auth_setattr_login_records(initrc_t)
|
||||||
auth_rw_lastlog(initrc_t)
|
auth_rw_lastlog(initrc_t)
|
||||||
auth_read_pam_pid(initrc_t)
|
auth_read_pam_pid(initrc_t)
|
||||||
@@ -416,20 +785,18 @@ logging_read_all_logs(initrc_t)
|
@@ -416,20 +790,18 @@ logging_read_all_logs(initrc_t)
|
||||||
logging_append_all_logs(initrc_t)
|
logging_append_all_logs(initrc_t)
|
||||||
logging_read_audit_config(initrc_t)
|
logging_read_audit_config(initrc_t)
|
||||||
|
|
||||||
@ -30406,7 +30413,7 @@ index 17eda24..56e006c 100644
|
|||||||
|
|
||||||
ifdef(`distro_debian',`
|
ifdef(`distro_debian',`
|
||||||
dev_setattr_generic_dirs(initrc_t)
|
dev_setattr_generic_dirs(initrc_t)
|
||||||
@@ -451,7 +818,6 @@ ifdef(`distro_gentoo',`
|
@@ -451,7 +823,6 @@ ifdef(`distro_gentoo',`
|
||||||
allow initrc_t self:process setfscreate;
|
allow initrc_t self:process setfscreate;
|
||||||
dev_create_null_dev(initrc_t)
|
dev_create_null_dev(initrc_t)
|
||||||
dev_create_zero_dev(initrc_t)
|
dev_create_zero_dev(initrc_t)
|
||||||
@ -30414,7 +30421,7 @@ index 17eda24..56e006c 100644
|
|||||||
term_create_console_dev(initrc_t)
|
term_create_console_dev(initrc_t)
|
||||||
|
|
||||||
# unfortunately /sbin/rc does stupid tricks
|
# unfortunately /sbin/rc does stupid tricks
|
||||||
@@ -486,6 +852,10 @@ ifdef(`distro_gentoo',`
|
@@ -486,6 +857,10 @@ ifdef(`distro_gentoo',`
|
||||||
sysnet_setattr_config(initrc_t)
|
sysnet_setattr_config(initrc_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -30425,7 +30432,7 @@ index 17eda24..56e006c 100644
|
|||||||
alsa_read_lib(initrc_t)
|
alsa_read_lib(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -506,7 +876,7 @@ ifdef(`distro_redhat',`
|
@@ -506,7 +881,7 @@ ifdef(`distro_redhat',`
|
||||||
|
|
||||||
# Red Hat systems seem to have a stray
|
# Red Hat systems seem to have a stray
|
||||||
# fd open from the initrd
|
# fd open from the initrd
|
||||||
@ -30434,7 +30441,7 @@ index 17eda24..56e006c 100644
|
|||||||
files_dontaudit_read_root_files(initrc_t)
|
files_dontaudit_read_root_files(initrc_t)
|
||||||
|
|
||||||
# These seem to be from the initrd
|
# These seem to be from the initrd
|
||||||
@@ -521,6 +891,7 @@ ifdef(`distro_redhat',`
|
@@ -521,6 +896,7 @@ ifdef(`distro_redhat',`
|
||||||
files_create_boot_dirs(initrc_t)
|
files_create_boot_dirs(initrc_t)
|
||||||
files_create_boot_flag(initrc_t)
|
files_create_boot_flag(initrc_t)
|
||||||
files_rw_boot_symlinks(initrc_t)
|
files_rw_boot_symlinks(initrc_t)
|
||||||
@ -30442,7 +30449,7 @@ index 17eda24..56e006c 100644
|
|||||||
# wants to read /.fonts directory
|
# wants to read /.fonts directory
|
||||||
files_read_default_files(initrc_t)
|
files_read_default_files(initrc_t)
|
||||||
files_mountpoint(initrc_tmp_t)
|
files_mountpoint(initrc_tmp_t)
|
||||||
@@ -541,6 +912,7 @@ ifdef(`distro_redhat',`
|
@@ -541,6 +917,7 @@ ifdef(`distro_redhat',`
|
||||||
miscfiles_rw_localization(initrc_t)
|
miscfiles_rw_localization(initrc_t)
|
||||||
miscfiles_setattr_localization(initrc_t)
|
miscfiles_setattr_localization(initrc_t)
|
||||||
miscfiles_relabel_localization(initrc_t)
|
miscfiles_relabel_localization(initrc_t)
|
||||||
@ -30450,7 +30457,7 @@ index 17eda24..56e006c 100644
|
|||||||
|
|
||||||
miscfiles_read_fonts(initrc_t)
|
miscfiles_read_fonts(initrc_t)
|
||||||
miscfiles_read_hwdata(initrc_t)
|
miscfiles_read_hwdata(initrc_t)
|
||||||
@@ -550,8 +922,44 @@ ifdef(`distro_redhat',`
|
@@ -550,8 +927,44 @@ ifdef(`distro_redhat',`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -30495,7 +30502,7 @@ index 17eda24..56e006c 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -559,14 +967,31 @@ ifdef(`distro_redhat',`
|
@@ -559,14 +972,31 @@ ifdef(`distro_redhat',`
|
||||||
rpc_write_exports(initrc_t)
|
rpc_write_exports(initrc_t)
|
||||||
rpc_manage_nfs_state_data(initrc_t)
|
rpc_manage_nfs_state_data(initrc_t)
|
||||||
')
|
')
|
||||||
@ -30527,7 +30534,7 @@ index 17eda24..56e006c 100644
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -577,6 +1002,39 @@ ifdef(`distro_suse',`
|
@@ -577,6 +1007,39 @@ ifdef(`distro_suse',`
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -30567,7 +30574,7 @@ index 17eda24..56e006c 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
amavis_search_lib(initrc_t)
|
amavis_search_lib(initrc_t)
|
||||||
amavis_setattr_pid_files(initrc_t)
|
amavis_setattr_pid_files(initrc_t)
|
||||||
@@ -589,6 +1047,8 @@ optional_policy(`
|
@@ -589,6 +1052,8 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
apache_read_config(initrc_t)
|
apache_read_config(initrc_t)
|
||||||
apache_list_modules(initrc_t)
|
apache_list_modules(initrc_t)
|
||||||
@ -30576,7 +30583,7 @@ index 17eda24..56e006c 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -610,6 +1070,7 @@ optional_policy(`
|
@@ -610,6 +1075,7 @@ optional_policy(`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
cgroup_stream_connect_cgred(initrc_t)
|
cgroup_stream_connect_cgred(initrc_t)
|
||||||
@ -30584,7 +30591,7 @@ index 17eda24..56e006c 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -626,6 +1087,17 @@ optional_policy(`
|
@@ -626,6 +1092,17 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -30602,7 +30609,7 @@ index 17eda24..56e006c 100644
|
|||||||
dev_getattr_printer_dev(initrc_t)
|
dev_getattr_printer_dev(initrc_t)
|
||||||
|
|
||||||
cups_read_log(initrc_t)
|
cups_read_log(initrc_t)
|
||||||
@@ -642,9 +1114,13 @@ optional_policy(`
|
@@ -642,9 +1119,13 @@ optional_policy(`
|
||||||
dbus_connect_system_bus(initrc_t)
|
dbus_connect_system_bus(initrc_t)
|
||||||
dbus_system_bus_client(initrc_t)
|
dbus_system_bus_client(initrc_t)
|
||||||
dbus_read_config(initrc_t)
|
dbus_read_config(initrc_t)
|
||||||
@ -30616,7 +30623,7 @@ index 17eda24..56e006c 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -657,15 +1133,11 @@ optional_policy(`
|
@@ -657,15 +1138,11 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -30634,7 +30641,7 @@ index 17eda24..56e006c 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -686,6 +1158,15 @@ optional_policy(`
|
@@ -686,6 +1163,15 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -30650,7 +30657,7 @@ index 17eda24..56e006c 100644
|
|||||||
inn_exec_config(initrc_t)
|
inn_exec_config(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -726,6 +1207,7 @@ optional_policy(`
|
@@ -726,6 +1212,7 @@ optional_policy(`
|
||||||
lpd_list_spool(initrc_t)
|
lpd_list_spool(initrc_t)
|
||||||
|
|
||||||
lpd_read_config(initrc_t)
|
lpd_read_config(initrc_t)
|
||||||
@ -30658,7 +30665,7 @@ index 17eda24..56e006c 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -743,7 +1225,13 @@ optional_policy(`
|
@@ -743,7 +1230,13 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -30673,7 +30680,7 @@ index 17eda24..56e006c 100644
|
|||||||
mta_dontaudit_read_spool_symlinks(initrc_t)
|
mta_dontaudit_read_spool_symlinks(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -766,6 +1254,10 @@ optional_policy(`
|
@@ -766,6 +1259,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -30684,7 +30691,7 @@ index 17eda24..56e006c 100644
|
|||||||
postgresql_manage_db(initrc_t)
|
postgresql_manage_db(initrc_t)
|
||||||
postgresql_read_config(initrc_t)
|
postgresql_read_config(initrc_t)
|
||||||
')
|
')
|
||||||
@@ -775,10 +1267,20 @@ optional_policy(`
|
@@ -775,10 +1272,20 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -30705,7 +30712,7 @@ index 17eda24..56e006c 100644
|
|||||||
quota_manage_flags(initrc_t)
|
quota_manage_flags(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -787,6 +1289,10 @@ optional_policy(`
|
@@ -787,6 +1294,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -30716,7 +30723,7 @@ index 17eda24..56e006c 100644
|
|||||||
fs_write_ramfs_sockets(initrc_t)
|
fs_write_ramfs_sockets(initrc_t)
|
||||||
fs_search_ramfs(initrc_t)
|
fs_search_ramfs(initrc_t)
|
||||||
|
|
||||||
@@ -808,8 +1314,6 @@ optional_policy(`
|
@@ -808,8 +1319,6 @@ optional_policy(`
|
||||||
# bash tries ioctl for some reason
|
# bash tries ioctl for some reason
|
||||||
files_dontaudit_ioctl_all_pids(initrc_t)
|
files_dontaudit_ioctl_all_pids(initrc_t)
|
||||||
|
|
||||||
@ -30725,7 +30732,7 @@ index 17eda24..56e006c 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -818,6 +1322,10 @@ optional_policy(`
|
@@ -818,6 +1327,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -30736,7 +30743,7 @@ index 17eda24..56e006c 100644
|
|||||||
# shorewall-init script run /var/lib/shorewall/firewall
|
# shorewall-init script run /var/lib/shorewall/firewall
|
||||||
shorewall_lib_domtrans(initrc_t)
|
shorewall_lib_domtrans(initrc_t)
|
||||||
')
|
')
|
||||||
@@ -827,10 +1335,12 @@ optional_policy(`
|
@@ -827,10 +1340,12 @@ optional_policy(`
|
||||||
squid_manage_logs(initrc_t)
|
squid_manage_logs(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -30749,7 +30756,7 @@ index 17eda24..56e006c 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
ssh_dontaudit_read_server_keys(initrc_t)
|
ssh_dontaudit_read_server_keys(initrc_t)
|
||||||
@@ -857,21 +1367,60 @@ optional_policy(`
|
@@ -857,21 +1372,60 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -30811,7 +30818,7 @@ index 17eda24..56e006c 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -887,6 +1436,10 @@ optional_policy(`
|
@@ -887,6 +1441,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -30822,7 +30829,7 @@ index 17eda24..56e006c 100644
|
|||||||
# Set device ownerships/modes.
|
# Set device ownerships/modes.
|
||||||
xserver_setattr_console_pipes(initrc_t)
|
xserver_setattr_console_pipes(initrc_t)
|
||||||
|
|
||||||
@@ -897,3 +1450,218 @@ optional_policy(`
|
@@ -897,3 +1455,218 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
zebra_read_config(initrc_t)
|
zebra_read_config(initrc_t)
|
||||||
')
|
')
|
||||||
@ -31289,7 +31296,7 @@ index 0d4c8d3..e6ffda3 100644
|
|||||||
+ ps_process_pattern($1, ipsec_mgmt_t)
|
+ ps_process_pattern($1, ipsec_mgmt_t)
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
|
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
|
||||||
index 312cd04..a97e8da 100644
|
index 312cd04..d6d434a 100644
|
||||||
--- a/policy/modules/system/ipsec.te
|
--- a/policy/modules/system/ipsec.te
|
||||||
+++ b/policy/modules/system/ipsec.te
|
+++ b/policy/modules/system/ipsec.te
|
||||||
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
|
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
|
||||||
@ -31302,7 +31309,7 @@ index 312cd04..a97e8da 100644
|
|||||||
type ipsec_mgmt_lock_t;
|
type ipsec_mgmt_lock_t;
|
||||||
files_lock_file(ipsec_mgmt_lock_t)
|
files_lock_file(ipsec_mgmt_lock_t)
|
||||||
|
|
||||||
@@ -72,14 +75,18 @@ role system_r types setkey_t;
|
@@ -72,24 +75,32 @@ role system_r types setkey_t;
|
||||||
# ipsec Local policy
|
# ipsec Local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -31324,8 +31331,10 @@ index 312cd04..a97e8da 100644
|
|||||||
|
|
||||||
allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
|
allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
|
||||||
|
|
||||||
@@ -88,8 +95,11 @@ read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
|
allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
|
||||||
|
read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
|
||||||
read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
|
read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
|
||||||
|
+filetrans_pattern(ipsec_t, ipsec_conf_file_t, ipsec_key_file_t, file, "ipsec.secrets")
|
||||||
|
|
||||||
allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
|
allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
|
||||||
-manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
|
-manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
|
||||||
@ -31337,7 +31346,7 @@ index 312cd04..a97e8da 100644
|
|||||||
|
|
||||||
manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
|
manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
|
||||||
manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
|
manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
|
||||||
@@ -110,10 +120,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
|
@@ -110,10 +121,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
|
||||||
allow ipsec_mgmt_t ipsec_t:fd use;
|
allow ipsec_mgmt_t ipsec_t:fd use;
|
||||||
allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
|
allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
|
||||||
allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
|
allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
|
||||||
@ -31350,7 +31359,7 @@ index 312cd04..a97e8da 100644
|
|||||||
kernel_list_proc(ipsec_t)
|
kernel_list_proc(ipsec_t)
|
||||||
kernel_read_proc_symlinks(ipsec_t)
|
kernel_read_proc_symlinks(ipsec_t)
|
||||||
# allow pluto to access /proc/net/ipsec_eroute;
|
# allow pluto to access /proc/net/ipsec_eroute;
|
||||||
@@ -128,20 +138,22 @@ corecmd_exec_shell(ipsec_t)
|
@@ -128,20 +139,22 @@ corecmd_exec_shell(ipsec_t)
|
||||||
corecmd_exec_bin(ipsec_t)
|
corecmd_exec_bin(ipsec_t)
|
||||||
|
|
||||||
# Pluto needs network access
|
# Pluto needs network access
|
||||||
@ -31380,7 +31389,7 @@ index 312cd04..a97e8da 100644
|
|||||||
|
|
||||||
dev_read_sysfs(ipsec_t)
|
dev_read_sysfs(ipsec_t)
|
||||||
dev_read_rand(ipsec_t)
|
dev_read_rand(ipsec_t)
|
||||||
@@ -157,24 +169,33 @@ files_dontaudit_search_home(ipsec_t)
|
@@ -157,24 +170,33 @@ files_dontaudit_search_home(ipsec_t)
|
||||||
fs_getattr_all_fs(ipsec_t)
|
fs_getattr_all_fs(ipsec_t)
|
||||||
fs_search_auto_mountpoints(ipsec_t)
|
fs_search_auto_mountpoints(ipsec_t)
|
||||||
|
|
||||||
@ -31415,7 +31424,7 @@ index 312cd04..a97e8da 100644
|
|||||||
seutil_sigchld_newrole(ipsec_t)
|
seutil_sigchld_newrole(ipsec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -187,10 +208,10 @@ optional_policy(`
|
@@ -187,10 +209,10 @@ optional_policy(`
|
||||||
# ipsec_mgmt Local policy
|
# ipsec_mgmt Local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -31430,7 +31439,7 @@ index 312cd04..a97e8da 100644
|
|||||||
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
|
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
|
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
|
||||||
allow ipsec_mgmt_t self:key_socket create_socket_perms;
|
allow ipsec_mgmt_t self:key_socket create_socket_perms;
|
||||||
@@ -208,12 +229,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
|
@@ -208,12 +230,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
|
||||||
|
|
||||||
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
|
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
|
||||||
files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
|
files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
|
||||||
@ -31446,7 +31455,7 @@ index 312cd04..a97e8da 100644
|
|||||||
|
|
||||||
# _realsetup needs to be able to cat /var/run/pluto.pid,
|
# _realsetup needs to be able to cat /var/run/pluto.pid,
|
||||||
# run ps on that pid, and delete the file
|
# run ps on that pid, and delete the file
|
||||||
@@ -246,6 +269,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
|
@@ -246,6 +270,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
|
||||||
kernel_getattr_core_if(ipsec_mgmt_t)
|
kernel_getattr_core_if(ipsec_mgmt_t)
|
||||||
kernel_getattr_message_if(ipsec_mgmt_t)
|
kernel_getattr_message_if(ipsec_mgmt_t)
|
||||||
|
|
||||||
@ -31463,7 +31472,7 @@ index 312cd04..a97e8da 100644
|
|||||||
files_read_kernel_symbol_table(ipsec_mgmt_t)
|
files_read_kernel_symbol_table(ipsec_mgmt_t)
|
||||||
files_getattr_kernel_modules(ipsec_mgmt_t)
|
files_getattr_kernel_modules(ipsec_mgmt_t)
|
||||||
|
|
||||||
@@ -255,6 +288,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
|
@@ -255,6 +289,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
|
||||||
corecmd_exec_bin(ipsec_mgmt_t)
|
corecmd_exec_bin(ipsec_mgmt_t)
|
||||||
corecmd_exec_shell(ipsec_mgmt_t)
|
corecmd_exec_shell(ipsec_mgmt_t)
|
||||||
|
|
||||||
@ -31472,7 +31481,7 @@ index 312cd04..a97e8da 100644
|
|||||||
dev_read_rand(ipsec_mgmt_t)
|
dev_read_rand(ipsec_mgmt_t)
|
||||||
dev_read_urand(ipsec_mgmt_t)
|
dev_read_urand(ipsec_mgmt_t)
|
||||||
|
|
||||||
@@ -278,9 +313,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
|
@@ -278,9 +314,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
|
||||||
fs_list_tmpfs(ipsec_mgmt_t)
|
fs_list_tmpfs(ipsec_mgmt_t)
|
||||||
|
|
||||||
term_use_console(ipsec_mgmt_t)
|
term_use_console(ipsec_mgmt_t)
|
||||||
@ -31484,7 +31493,7 @@ index 312cd04..a97e8da 100644
|
|||||||
|
|
||||||
init_read_utmp(ipsec_mgmt_t)
|
init_read_utmp(ipsec_mgmt_t)
|
||||||
init_use_script_ptys(ipsec_mgmt_t)
|
init_use_script_ptys(ipsec_mgmt_t)
|
||||||
@@ -288,17 +324,22 @@ init_exec_script_files(ipsec_mgmt_t)
|
@@ -288,17 +325,22 @@ init_exec_script_files(ipsec_mgmt_t)
|
||||||
init_use_fds(ipsec_mgmt_t)
|
init_use_fds(ipsec_mgmt_t)
|
||||||
init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
|
init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
|
||||||
|
|
||||||
@ -31512,7 +31521,7 @@ index 312cd04..a97e8da 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
consoletype_exec(ipsec_mgmt_t)
|
consoletype_exec(ipsec_mgmt_t)
|
||||||
@@ -322,6 +363,10 @@ optional_policy(`
|
@@ -322,6 +364,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -31523,7 +31532,7 @@ index 312cd04..a97e8da 100644
|
|||||||
modutils_domtrans_insmod(ipsec_mgmt_t)
|
modutils_domtrans_insmod(ipsec_mgmt_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -335,7 +380,7 @@ optional_policy(`
|
@@ -335,7 +381,7 @@ optional_policy(`
|
||||||
#
|
#
|
||||||
|
|
||||||
allow racoon_t self:capability { net_admin net_bind_service };
|
allow racoon_t self:capability { net_admin net_bind_service };
|
||||||
@ -31532,7 +31541,7 @@ index 312cd04..a97e8da 100644
|
|||||||
allow racoon_t self:unix_dgram_socket { connect create ioctl write };
|
allow racoon_t self:unix_dgram_socket { connect create ioctl write };
|
||||||
allow racoon_t self:netlink_selinux_socket { bind create read };
|
allow racoon_t self:netlink_selinux_socket { bind create read };
|
||||||
allow racoon_t self:udp_socket create_socket_perms;
|
allow racoon_t self:udp_socket create_socket_perms;
|
||||||
@@ -370,13 +415,12 @@ kernel_request_load_module(racoon_t)
|
@@ -370,13 +416,12 @@ kernel_request_load_module(racoon_t)
|
||||||
corecmd_exec_shell(racoon_t)
|
corecmd_exec_shell(racoon_t)
|
||||||
corecmd_exec_bin(racoon_t)
|
corecmd_exec_bin(racoon_t)
|
||||||
|
|
||||||
@ -31552,7 +31561,7 @@ index 312cd04..a97e8da 100644
|
|||||||
corenet_udp_bind_isakmp_port(racoon_t)
|
corenet_udp_bind_isakmp_port(racoon_t)
|
||||||
corenet_udp_bind_ipsecnat_port(racoon_t)
|
corenet_udp_bind_ipsecnat_port(racoon_t)
|
||||||
|
|
||||||
@@ -401,10 +445,10 @@ locallogin_use_fds(racoon_t)
|
@@ -401,10 +446,10 @@ locallogin_use_fds(racoon_t)
|
||||||
logging_send_syslog_msg(racoon_t)
|
logging_send_syslog_msg(racoon_t)
|
||||||
logging_send_audit_msgs(racoon_t)
|
logging_send_audit_msgs(racoon_t)
|
||||||
|
|
||||||
@ -31565,7 +31574,7 @@ index 312cd04..a97e8da 100644
|
|||||||
auth_can_read_shadow_passwords(racoon_t)
|
auth_can_read_shadow_passwords(racoon_t)
|
||||||
tunable_policy(`racoon_read_shadow',`
|
tunable_policy(`racoon_read_shadow',`
|
||||||
auth_tunable_read_shadow(racoon_t)
|
auth_tunable_read_shadow(racoon_t)
|
||||||
@@ -438,9 +482,8 @@ corenet_setcontext_all_spds(setkey_t)
|
@@ -438,9 +483,8 @@ corenet_setcontext_all_spds(setkey_t)
|
||||||
|
|
||||||
locallogin_use_fds(setkey_t)
|
locallogin_use_fds(setkey_t)
|
||||||
|
|
||||||
@ -37497,7 +37506,7 @@ index 40edc18..a072ac2 100644
|
|||||||
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
|
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
|
||||||
+
|
+
|
||||||
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
|
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
|
||||||
index 2cea692..77f307f 100644
|
index 2cea692..1c0de21 100644
|
||||||
--- a/policy/modules/system/sysnetwork.if
|
--- a/policy/modules/system/sysnetwork.if
|
||||||
+++ b/policy/modules/system/sysnetwork.if
|
+++ b/policy/modules/system/sysnetwork.if
|
||||||
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
|
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
|
||||||
@ -37777,7 +37786,34 @@ index 2cea692..77f307f 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -711,8 +897,6 @@ interface(`sysnet_dns_name_resolve',`
|
@@ -647,6 +833,26 @@ interface(`sysnet_search_dhcp_state',`
|
||||||
|
allow $1 dhcp_state_t:dir search_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
+#######################################
|
||||||
|
+## <summary>
|
||||||
|
+## Set the attributes of network config files.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`sysnet_setattr_dhcp_state',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type dhcp_state_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ files_search_var_lib($1)
|
||||||
|
+ allow $1 dhcp_state_t:file setattr_file_perms;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create DHCP state data.
|
||||||
|
@@ -711,8 +917,6 @@ interface(`sysnet_dns_name_resolve',`
|
||||||
allow $1 self:udp_socket create_socket_perms;
|
allow $1 self:udp_socket create_socket_perms;
|
||||||
allow $1 self:netlink_route_socket r_netlink_socket_perms;
|
allow $1 self:netlink_route_socket r_netlink_socket_perms;
|
||||||
|
|
||||||
@ -37786,7 +37822,7 @@ index 2cea692..77f307f 100644
|
|||||||
corenet_tcp_sendrecv_generic_if($1)
|
corenet_tcp_sendrecv_generic_if($1)
|
||||||
corenet_udp_sendrecv_generic_if($1)
|
corenet_udp_sendrecv_generic_if($1)
|
||||||
corenet_tcp_sendrecv_generic_node($1)
|
corenet_tcp_sendrecv_generic_node($1)
|
||||||
@@ -720,8 +904,11 @@ interface(`sysnet_dns_name_resolve',`
|
@@ -720,8 +924,11 @@ interface(`sysnet_dns_name_resolve',`
|
||||||
corenet_tcp_sendrecv_dns_port($1)
|
corenet_tcp_sendrecv_dns_port($1)
|
||||||
corenet_udp_sendrecv_dns_port($1)
|
corenet_udp_sendrecv_dns_port($1)
|
||||||
corenet_tcp_connect_dns_port($1)
|
corenet_tcp_connect_dns_port($1)
|
||||||
@ -37798,7 +37834,7 @@ index 2cea692..77f307f 100644
|
|||||||
sysnet_read_config($1)
|
sysnet_read_config($1)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -750,8 +937,6 @@ interface(`sysnet_use_ldap',`
|
@@ -750,8 +957,6 @@ interface(`sysnet_use_ldap',`
|
||||||
|
|
||||||
allow $1 self:tcp_socket create_socket_perms;
|
allow $1 self:tcp_socket create_socket_perms;
|
||||||
|
|
||||||
@ -37807,7 +37843,7 @@ index 2cea692..77f307f 100644
|
|||||||
corenet_tcp_sendrecv_generic_if($1)
|
corenet_tcp_sendrecv_generic_if($1)
|
||||||
corenet_tcp_sendrecv_generic_node($1)
|
corenet_tcp_sendrecv_generic_node($1)
|
||||||
corenet_tcp_sendrecv_ldap_port($1)
|
corenet_tcp_sendrecv_ldap_port($1)
|
||||||
@@ -763,6 +948,9 @@ interface(`sysnet_use_ldap',`
|
@@ -763,6 +968,9 @@ interface(`sysnet_use_ldap',`
|
||||||
dev_read_urand($1)
|
dev_read_urand($1)
|
||||||
|
|
||||||
sysnet_read_config($1)
|
sysnet_read_config($1)
|
||||||
@ -37817,7 +37853,7 @@ index 2cea692..77f307f 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -784,7 +972,6 @@ interface(`sysnet_use_portmap',`
|
@@ -784,7 +992,6 @@ interface(`sysnet_use_portmap',`
|
||||||
allow $1 self:udp_socket create_socket_perms;
|
allow $1 self:udp_socket create_socket_perms;
|
||||||
|
|
||||||
corenet_all_recvfrom_unlabeled($1)
|
corenet_all_recvfrom_unlabeled($1)
|
||||||
@ -37825,7 +37861,7 @@ index 2cea692..77f307f 100644
|
|||||||
corenet_tcp_sendrecv_generic_if($1)
|
corenet_tcp_sendrecv_generic_if($1)
|
||||||
corenet_udp_sendrecv_generic_if($1)
|
corenet_udp_sendrecv_generic_if($1)
|
||||||
corenet_tcp_sendrecv_generic_node($1)
|
corenet_tcp_sendrecv_generic_node($1)
|
||||||
@@ -796,3 +983,115 @@ interface(`sysnet_use_portmap',`
|
@@ -796,3 +1003,115 @@ interface(`sysnet_use_portmap',`
|
||||||
|
|
||||||
sysnet_read_config($1)
|
sysnet_read_config($1)
|
||||||
')
|
')
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.13.1
|
Version: 3.13.1
|
||||||
Release: 45%{?dist}
|
Release: 46%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -588,6 +588,35 @@ SELinux Reference policy mls base module.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Apr 18 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-46
|
||||||
|
- Allow init_t to setattr/relabelfrom dhcp state files
|
||||||
|
- Allow dmesg to read hwdata and memory dev
|
||||||
|
- Allow strongswan to create ipsec.secrets with correct labeling in /etc/strongswan
|
||||||
|
- Dontaudit antivirus domains read access on all security files by default
|
||||||
|
- Add missing alias for old amavis_etc_t type
|
||||||
|
- Additional fixes for instack overcloud
|
||||||
|
- Allow block_suspend cap for haproxy
|
||||||
|
- Allow OpenStack to read mysqld_db links and connect to MySQL
|
||||||
|
- Remove dup filename rules in gnome.te
|
||||||
|
- Allow sys_chroot cap for httpd_t and setattr on httpd_log_t
|
||||||
|
- Add labeling for /lib/systemd/system/thttpd.service
|
||||||
|
- Allow iscsid to handle own unit files
|
||||||
|
- Add iscsi_systemctl()
|
||||||
|
- Allow mongod also create sock_file with correct labeling in /run
|
||||||
|
- Allow aiccu stream connect to pcscd
|
||||||
|
- Allow rabbitmq_beam to connect to httpd port
|
||||||
|
- Allow httpd to send signull to apache script domains and don't audit leaks
|
||||||
|
- Fix labeling in drbd.fc
|
||||||
|
- Allow sssd to connect to the smbd port for handing logins using active directory, needs back port for rhel7
|
||||||
|
- Allow all freeipmi domains to read/write ipmi devices
|
||||||
|
- Allow rabbitmq_epmd to manage rabbit_var_log_t files
|
||||||
|
- Allow sblim_sfcbd to use also pegasus-https port
|
||||||
|
- Allow chronyd to read /sys/class/hwmon/hwmon1/device/temp2_input
|
||||||
|
- Add httpd_run_preupgrade boolean
|
||||||
|
- Add interfaces to access preupgrade_data_t
|
||||||
|
- Add preupgrade policy
|
||||||
|
- Add labeling for puppet helper scripts
|
||||||
|
|
||||||
* Tue Apr 8 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-45
|
* Tue Apr 8 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-45
|
||||||
Rename puppet_t to puppetagent_t and used it only for puppet agent which can be started by init. Also make it as unconfined_noaudit because there is no reason to confine it but we wantto avoid init_t.
|
Rename puppet_t to puppetagent_t and used it only for puppet agent which can be started by init. Also make it as unconfined_noaudit because there is no reason to confine it but we wantto avoid init_t.
|
||||||