Make vdagent able to request loading kernel module
- Add support for cloud-init, making it an unconfined domain - Allow snmpd to run smartctl in fsadm_t domain - remove duplicate openshift_search_lib() interface - Allow mysqld to search openshift lib files - Allow openshift cgroup to interact with passed-in file descriptors - Allow colord to list directories in the user's homedir - aide executes prelink to check files - Make sure cupsd_t creates content in /etc/cups with the correct label - Let's dontaudit apache reading all domains, so passenger will not cause this avc - Allow gssd to connect to gssproxy - systemd-tmpfiles needs to be able to raise the level to fix labeling on /run/setrans in MLS - Allow systemd-tmpfiles to relabel also lock files - Allow useradd to add homedir in /var/lib/openshift - Allow setfiles and semanage to write output to /run/files
parent
9f52d7a4b1
commit
859a101f23
@ -1468,7 +1468,7 @@ index 01cbb67..94a4a24 100644
|
||||
|
||||
files_list_etc($1)
|
||||
diff --git a/aide.te b/aide.te
|
||||
index 4b28ab3..cf64a9a 100644
|
||||
index 4b28ab3..6e8746f 100644
|
||||
--- a/aide.te
|
||||
+++ b/aide.te
|
||||
@@ -10,6 +10,7 @@ attribute_role aide_roles;
|
||||
@ -1479,7 +1479,16 @@ index 4b28ab3..cf64a9a 100644
|
||||
role aide_roles types aide_t;
|
||||
|
||||
type aide_log_t;
|
||||
@@ -34,11 +35,16 @@ logging_log_filetrans(aide_t, aide_log_t, file)
|
||||
@@ -23,7 +24,7 @@ files_type(aide_db_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
-allow aide_t self:capability { dac_override fowner };
|
||||
+allow aide_t self:capability { dac_override fowner ipc_lock };
|
||||
|
||||
manage_files_pattern(aide_t, aide_db_t, aide_db_t)
|
||||
|
||||
@@ -34,11 +35,20 @@ logging_log_filetrans(aide_t, aide_log_t, file)
|
||||
|
||||
files_read_all_files(aide_t)
|
||||
files_read_all_symlinks(aide_t)
|
||||
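Review bot: The new `ipc_lock` capability added to the aide_t self:capability set carries no comment saying which aide operation needs it, and the commit message only explains the prelink transition further down. Capability grants are the rules most often questioned in later audits, so I would put the triggering operation on the line itself, e.g. `# ipc_lock: needed for the mlock() call seen in the AVC - TODO confirm against the denial`, with the actual syscall taken from the audit record that motivated the change. The aide_t policy block continues past the end of this hunk.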
@ -1494,6 +1503,10 @@ index 4b28ab3..cf64a9a 100644
|
||||
|
||||
-userdom_use_user_terminals(aide_t)
|
||||
+userdom_use_inherited_user_terminals(aide_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ prelink_domtrans(aide_t)
|
||||
+')
|
||||
|
||||
optional_policy(`
|
||||
seutil_use_newrole_fds(aide_t)
|
||||
@ -4511,7 +4524,7 @@ index 83e899c..c5be77c 100644
|
||||
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
|
||||
')
|
||||
diff --git a/apache.te b/apache.te
|
||||
index 1a82e29..a434dfd 100644
|
||||
index 1a82e29..392480e 100644
|
||||
--- a/apache.te
|
||||
+++ b/apache.te
|
||||
@@ -1,297 +1,367 @@
|
||||
@ -5199,7 +5212,7 @@ index 1a82e29..a434dfd 100644
|
||||
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
|
||||
|
||||
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
||||
@@ -445,140 +551,162 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
||||
@@ -445,140 +551,163 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
||||
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
||||
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
||||
|
||||
@ -5275,6 +5288,7 @@ index 1a82e29..a434dfd 100644
|
||||
+corecmd_exec_shell(httpd_t)
|
||||
+
|
||||
+domain_use_interactive_fds(httpd_t)
|
||||
+domain_dontaudit_read_all_domains_state(httpd_t)
|
||||
|
||||
files_dontaudit_getattr_all_pids(httpd_t)
|
||||
-files_read_usr_files(httpd_t)
|
||||
@ -5427,7 +5441,7 @@ index 1a82e29..a434dfd 100644
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
|
||||
@@ -589,28 +717,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
|
||||
@@ -589,28 +718,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
|
||||
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
|
||||
')
|
||||
|
||||
@ -5487,7 +5501,7 @@ index 1a82e29..a434dfd 100644
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
@@ -619,68 +769,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
@@ -619,68 +770,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
fs_read_nfs_symlinks(httpd_t)
|
||||
')
|
||||
|
||||
@ -5572,7 +5586,7 @@ index 1a82e29..a434dfd 100644
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_setrlimit',`
|
||||
@@ -690,49 +810,48 @@ tunable_policy(`httpd_setrlimit',`
|
||||
@@ -690,49 +811,48 @@ tunable_policy(`httpd_setrlimit',`
|
||||
|
||||
tunable_policy(`httpd_ssi_exec',`
|
||||
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
|
||||
@ -5653,7 +5667,7 @@ index 1a82e29..a434dfd 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -743,14 +862,6 @@ optional_policy(`
|
||||
@@ -743,14 +863,6 @@ optional_policy(`
|
||||
ccs_read_config(httpd_t)
|
||||
')
|
||||
|
||||
@ -5668,7 +5682,7 @@ index 1a82e29..a434dfd 100644
|
||||
|
||||
optional_policy(`
|
||||
cron_system_entry(httpd_t, httpd_exec_t)
|
||||
@@ -765,6 +876,23 @@ optional_policy(`
|
||||
@@ -765,6 +877,23 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -5692,7 +5706,7 @@ index 1a82e29..a434dfd 100644
|
||||
dbus_system_bus_client(httpd_t)
|
||||
|
||||
tunable_policy(`httpd_dbus_avahi',`
|
||||
@@ -781,34 +909,42 @@ optional_policy(`
|
||||
@@ -781,34 +910,42 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -5746,7 +5760,7 @@ index 1a82e29..a434dfd 100644
|
||||
|
||||
tunable_policy(`httpd_manage_ipa',`
|
||||
memcached_manage_pid_files(httpd_t)
|
||||
@@ -816,8 +952,18 @@ optional_policy(`
|
||||
@@ -816,8 +953,18 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -5765,7 +5779,7 @@ index 1a82e29..a434dfd 100644
|
||||
|
||||
tunable_policy(`httpd_can_network_connect_db',`
|
||||
mysql_tcp_connect(httpd_t)
|
||||
@@ -826,6 +972,7 @@ optional_policy(`
|
||||
@@ -826,6 +973,7 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
nagios_read_config(httpd_t)
|
||||
@ -5773,7 +5787,7 @@ index 1a82e29..a434dfd 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -836,20 +983,38 @@ optional_policy(`
|
||||
@@ -836,20 +984,38 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -5818,7 +5832,7 @@ index 1a82e29..a434dfd 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -857,6 +1022,16 @@ optional_policy(`
|
||||
@@ -857,6 +1023,16 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -5835,7 +5849,7 @@ index 1a82e29..a434dfd 100644
|
||||
seutil_sigchld_newrole(httpd_t)
|
||||
')
|
||||
|
||||
@@ -865,11 +1040,16 @@ optional_policy(`
|
||||
@@ -865,11 +1041,16 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -5852,7 +5866,7 @@ index 1a82e29..a434dfd 100644
|
||||
udev_read_db(httpd_t)
|
||||
')
|
||||
|
||||
@@ -877,65 +1057,166 @@ optional_policy(`
|
||||
@@ -877,65 +1058,165 @@ optional_policy(`
|
||||
yam_read_content(httpd_t)
|
||||
')
|
||||
|
||||
@ -5891,7 +5905,6 @@ index 1a82e29..a434dfd 100644
|
||||
+ allow httpd_t self:process setexec;
|
||||
+
|
||||
+ files_dontaudit_getattr_all_files(httpd_t)
|
||||
+ domain_dontaudit_read_all_domains_state(httpd_t)
|
||||
+ domain_getpgid_all_domains(httpd_t)
|
||||
+')
|
||||
+
|
||||
@ -10891,7 +10904,7 @@ index 32e8265..0de4af3 100644
|
||||
+ allow $1 chronyd_unit_file_t:service all_service_perms;
|
||||
')
|
||||
diff --git a/chronyd.te b/chronyd.te
|
||||
index 914ee2d..6567c77 100644
|
||||
index 914ee2d..770ae51 100644
|
||||
--- a/chronyd.te
|
||||
+++ b/chronyd.te
|
||||
@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
|
||||
@ -10904,7 +10917,7 @@ index 914ee2d..6567c77 100644
|
||||
type chronyd_var_lib_t;
|
||||
files_type(chronyd_var_lib_t)
|
||||
|
||||
@@ -32,11 +35,16 @@ files_pid_file(chronyd_var_run_t)
|
||||
@@ -32,11 +35,15 @@ files_pid_file(chronyd_var_run_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
@ -10916,13 +10929,12 @@ index 914ee2d..6567c77 100644
|
||||
+allow chronyd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow chronyd_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
+
|
||||
+allow chronyd_t chronyd_keys_t:file append_file_perms;
|
||||
+allow chronyd_t chronyd_keys_t:file setattr_file_perms;
|
||||
allow chronyd_t chronyd_keys_t:file read_file_perms;
|
||||
|
||||
manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
|
||||
@@ -76,18 +84,17 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
|
||||
@@ -76,18 +83,17 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
|
||||
corenet_udp_bind_chronyd_port(chronyd_t)
|
||||
corenet_udp_sendrecv_chronyd_port(chronyd_t)
|
||||
|
||||
@ -11439,19 +11451,26 @@ index 29782b8..685edff 100644
|
||||
')
|
||||
diff --git a/cloudform.fc b/cloudform.fc
|
||||
new file mode 100644
|
||||
index 0000000..8a40857
|
||||
index 0000000..cc740da
|
||||
--- /dev/null
|
||||
+++ b/cloudform.fc
|
||||
@@ -0,0 +1,22 @@
|
||||
@@ -0,0 +1,29 @@
|
||||
+/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
|
||||
+/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
|
||||
+
|
||||
+/usr/bin/cloud-init -- gen_context(system_u:object_r:cloud_init_exec_t,s0)
|
||||
+/usr/bin/deltacloudd -- gen_context(system_u:object_r:deltacloudd_exec_t,s0)
|
||||
+/usr/bin/iwhd -- gen_context(system_u:object_r:iwhd_exec_t,s0)
|
||||
+/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
|
||||
+
|
||||
+/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0)
|
||||
+
|
||||
+/usr/lib/systemd/system/cloud-config.* -- gen_context(system_u:object_r:cloud_init_unit_file_t,s0)
|
||||
+
|
||||
+/usr/lib/systemd/system/cloud-init.* -- gen_context(system_u:object_r:cloud_init_unit_file_t,s0)
|
||||
+
|
||||
+/var/lib/cloud(/.*)? gen_context(system_u:object_r:cloud_var_lib_t,s0)
|
||||
+/var/log/cloud-init\.log -- gen_context(system_u:object_r:cloud_log_t,s0)
|
||||
+/var/lib/iwhd(/.*)? gen_context(system_u:object_r:iwhd_var_lib_t,s0)
|
||||
+/var/lib/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_lib_t,s0)
|
||||
+
|
||||
@ -11515,10 +11534,10 @@ index 0000000..8ac848b
|
||||
+')
|
||||
diff --git a/cloudform.te b/cloudform.te
|
||||
new file mode 100644
|
||||
index 0000000..c158ef5
|
||||
index 0000000..a56e579
|
||||
--- /dev/null
|
||||
+++ b/cloudform.te
|
||||
@@ -0,0 +1,196 @@
|
||||
@@ -0,0 +1,296 @@
|
||||
+policy_module(cloudform, 1.0)
|
||||
+########################################
|
||||
+#
|
||||
@ -11530,6 +11549,19 @@ index 0000000..c158ef5
|
||||
+cloudform_domain_template(deltacloudd)
|
||||
+cloudform_domain_template(iwhd)
|
||||
+cloudform_domain_template(mongod)
|
||||
+cloudform_domain_template(cloud_init)
|
||||
+
|
||||
+type cloud_init_tmp_t;
|
||||
+files_tmp_file(cloud_init_tmp_t)
|
||||
+
|
||||
+type cloud_init_unit_file_t;
|
||||
+systemd_unit_file(cloud_init_unit_file_t)
|
||||
+
|
||||
+type cloud_var_lib_t;
|
||||
+files_type(cloud_var_lib_t)
|
||||
+
|
||||
+type cloud_log_t;
|
||||
+logging_log_file(cloud_log_t)
|
||||
+
|
||||
+type deltacloudd_log_t;
|
||||
+logging_log_file(deltacloudd_log_t)
|
||||
@ -11583,6 +11615,93 @@ index 0000000..c158ef5
|
||||
+
|
||||
+miscfiles_read_certs(cloudform_domain)
|
||||
+
|
||||
+#################################
|
||||
+#
|
||||
+# cloud-init local policy
|
||||
+#
|
||||
+
|
||||
+allow cloud_init_t self:capability { fowner chown fsetid dac_override };
|
||||
+
|
||||
+allow cloud_init_t self:udp_socket create_socket_perms;
|
||||
+
|
||||
+manage_files_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t)
|
||||
+manage_dirs_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t)
|
||||
+files_tmp_filetrans(cloud_init_t, cloud_init_tmp_t, { file dir })
|
||||
+
|
||||
+manage_dirs_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
|
||||
+manage_files_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
|
||||
+manage_lnk_files_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
|
||||
+
|
||||
+manage_files_pattern(cloud_init_t, cloud_log_t, cloud_log_t)
|
||||
+logging_log_filetrans(cloud_init_t, cloud_log_t, { file })
|
||||
+
|
||||
+kernel_read_network_state(cloud_init_t)
|
||||
+
|
||||
+corenet_tcp_connect_http_port(cloud_init_t)
|
||||
+
|
||||
+corecmd_exec_bin(cloud_init_t)
|
||||
+corecmd_exec_shell(cloud_init_t)
|
||||
+
|
||||
+fs_getattr_all_fs(cloud_init_t)
|
||||
+
|
||||
+storage_raw_read_fixed_disk(cloud_init_t)
|
||||
+
|
||||
+libs_exec_ldconfig(cloud_init_t)
|
||||
+
|
||||
+logging_send_syslog_msg(cloud_init_t)
|
||||
+
|
||||
+miscfiles_read_localization(cloud_init_t)
|
||||
+
|
||||
+selinux_validate_context(cloud_init_t)
|
||||
+
|
||||
+systemd_dbus_chat_hostnamed(cloud_init_t)
|
||||
+systemd_exec_systemctl(cloud_init_t)
|
||||
+systemd_start_all_services(cloud_init_t)
|
||||
+
|
||||
+usermanage_domtrans_passwd(cloud_init_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ dbus_system_bus_client(cloud_init_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ dmidecode_domtrans(cloud_init_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ fstools_domtrans(cloud_init_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ hostname_exec(cloud_init_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ mount_domtrans(cloud_init_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ # it check file context and run restorecon
|
||||
+ seutil_read_file_contexts(cloud_init_t)
|
||||
+ seutil_domtrans_setfiles(cloud_init_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ ssh_exec_keygen(cloud_init_t)
|
||||
+ ssh_read_user_home_files(cloud_init_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ sysnet_domtrans_ifconfig(cloud_init_t)
|
||||
+ sysnet_read_dhcpc_state(cloud_init_t)
|
||||
+ sysnet_dns_name_resolve(cloud_init_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ unconfined_domain(cloud_init_t)
|
||||
+')
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# deltacloudd local policy
|
||||
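Review bot: The `unconfined_domain(cloud_init_t)` call inside the last optional_policy block makes every fine-grained rule above it in the cloud-init local policy (the capability set, the tmp/var_lib/log file patterns, the domtrans calls to fstools, mount, setfiles and passwd) unenforced whenever the unconfined module is loaded, which is presumably the common case for the distribution this policy targets. That is the intent stated in the commit message, but nothing in the file says so, and a reader of the cloud_init_t rules will take them for the effective policy. I would add a comment directly above that block, `# With unconfined.pp loaded this makes cloud_init_t unconfined; the rules above only constrain it when that module is absent`, so the relationship is explicit. If the plan is to let administrators confine cloud-init later without a policy rebuild, wrapping the call in a tunable_policy boolean instead of a bare optional_policy would give the rules above a purpose on default installs. The cloudform.te section continues outside this hunk with the deltacloudd policy.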
@ -12252,7 +12371,7 @@ index 8e27a37..825f537 100644
|
||||
+ ps_process_pattern($1, colord_t)
|
||||
+')
|
||||
diff --git a/colord.te b/colord.te
|
||||
index 09f18e2..9d70983 100644
|
||||
index 09f18e2..3547d05 100644
|
||||
--- a/colord.te
|
||||
+++ b/colord.te
|
||||
@@ -8,6 +8,7 @@ policy_module(colord, 1.0.2)
|
||||
@ -12315,7 +12434,7 @@ index 09f18e2..9d70983 100644
|
||||
|
||||
storage_getattr_fixed_disk_dev(colord_t)
|
||||
storage_getattr_removable_dev(colord_t)
|
||||
@@ -98,25 +104,28 @@ storage_write_scsi_generic(colord_t)
|
||||
@@ -98,25 +104,29 @@ storage_write_scsi_generic(colord_t)
|
||||
|
||||
auth_use_nsswitch(colord_t)
|
||||
|
||||
@ -12337,6 +12456,7 @@ index 09f18e2..9d70983 100644
|
||||
-')
|
||||
+userdom_rw_user_tmpfs_files(colord_t)
|
||||
+userdom_home_reader(colord_t)
|
||||
+userdom_list_user_home_content(colord_t)
|
||||
+userdom_read_inherited_user_home_content_files(colord_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -12354,7 +12474,7 @@ index 09f18e2..9d70983 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -133,3 +142,16 @@ optional_policy(`
|
||||
@@ -133,3 +143,16 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
udev_read_db(colord_t)
|
||||
')
|
||||
@ -16587,7 +16707,7 @@ index 06da9a0..6d69a2f 100644
|
||||
+ ps_process_pattern($1, cupsd_t)
|
||||
')
|
||||
diff --git a/cups.te b/cups.te
|
||||
index 9f34c2e..c7268a7 100644
|
||||
index 9f34c2e..ab0eee9 100644
|
||||
--- a/cups.te
|
||||
+++ b/cups.te
|
||||
@@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
|
||||
@ -16729,7 +16849,7 @@ index 9f34c2e..c7268a7 100644
|
||||
allow cupsd_t self:appletalk_socket create_socket_perms;
|
||||
|
||||
allow cupsd_t cupsd_etc_t:dir setattr_dir_perms;
|
||||
@@ -120,6 +145,7 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
|
||||
@@ -120,11 +145,13 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
|
||||
read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
|
||||
|
||||
manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
|
||||
@ -16737,7 +16857,13 @@ index 9f34c2e..c7268a7 100644
|
||||
|
||||
manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
|
||||
manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
|
||||
@@ -139,22 +165,23 @@ read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
|
||||
filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
|
||||
files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })
|
||||
+cups_filetrans_named_content(cupsd_t)
|
||||
|
||||
allow cupsd_t cupsd_exec_t:dir search_dir_perms;
|
||||
allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
|
||||
@@ -139,22 +166,23 @@ read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
|
||||
setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
|
||||
logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
|
||||
|
||||
@ -16765,7 +16891,7 @@ index 9f34c2e..c7268a7 100644
|
||||
|
||||
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
|
||||
allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
|
||||
@@ -162,11 +189,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
|
||||
@@ -162,11 +190,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
|
||||
can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })
|
||||
|
||||
kernel_read_system_state(cupsd_t)
|
||||
@ -16777,7 +16903,7 @@ index 9f34c2e..c7268a7 100644
|
||||
corenet_all_recvfrom_netlabel(cupsd_t)
|
||||
corenet_tcp_sendrecv_generic_if(cupsd_t)
|
||||
corenet_udp_sendrecv_generic_if(cupsd_t)
|
||||
@@ -189,12 +214,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
|
||||
@@ -189,12 +215,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
|
||||
corenet_tcp_bind_all_rpc_ports(cupsd_t)
|
||||
corenet_tcp_connect_all_ports(cupsd_t)
|
||||
|
||||
@ -16802,7 +16928,7 @@ index 9f34c2e..c7268a7 100644
|
||||
dev_rw_input_dev(cupsd_t)
|
||||
dev_rw_generic_usb_dev(cupsd_t)
|
||||
dev_rw_usbfs(cupsd_t)
|
||||
@@ -206,7 +239,6 @@ domain_use_interactive_fds(cupsd_t)
|
||||
@@ -206,7 +240,6 @@ domain_use_interactive_fds(cupsd_t)
|
||||
files_getattr_boot_dirs(cupsd_t)
|
||||
files_list_spool(cupsd_t)
|
||||
files_read_etc_runtime_files(cupsd_t)
|
||||
@ -16810,7 +16936,7 @@ index 9f34c2e..c7268a7 100644
|
||||
files_exec_usr_files(cupsd_t)
|
||||
# for /var/lib/defoma
|
||||
files_read_var_lib_files(cupsd_t)
|
||||
@@ -215,16 +247,17 @@ files_read_world_readable_files(cupsd_t)
|
||||
@@ -215,16 +248,17 @@ files_read_world_readable_files(cupsd_t)
|
||||
files_read_world_readable_symlinks(cupsd_t)
|
||||
files_read_var_files(cupsd_t)
|
||||
files_read_var_symlinks(cupsd_t)
|
||||
@ -16830,7 +16956,7 @@ index 9f34c2e..c7268a7 100644
|
||||
|
||||
mls_fd_use_all_levels(cupsd_t)
|
||||
mls_file_downgrade(cupsd_t)
|
||||
@@ -235,6 +268,8 @@ mls_socket_write_all_levels(cupsd_t)
|
||||
@@ -235,6 +269,8 @@ mls_socket_write_all_levels(cupsd_t)
|
||||
|
||||
term_search_ptys(cupsd_t)
|
||||
term_use_unallocated_ttys(cupsd_t)
|
||||
@ -16839,7 +16965,7 @@ index 9f34c2e..c7268a7 100644
|
||||
|
||||
selinux_compute_access_vector(cupsd_t)
|
||||
selinux_validate_context(cupsd_t)
|
||||
@@ -247,21 +282,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
|
||||
@@ -247,21 +283,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
|
||||
auth_rw_faillog(cupsd_t)
|
||||
auth_use_nsswitch(cupsd_t)
|
||||
|
||||
@ -16865,7 +16991,7 @@ index 9f34c2e..c7268a7 100644
|
||||
userdom_dontaudit_search_user_home_content(cupsd_t)
|
||||
|
||||
optional_policy(`
|
||||
@@ -275,6 +309,8 @@ optional_policy(`
|
||||
@@ -275,6 +310,8 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(cupsd_t)
|
||||
|
||||
@ -16874,7 +17000,7 @@ index 9f34c2e..c7268a7 100644
|
||||
userdom_dbus_send_all_users(cupsd_t)
|
||||
|
||||
optional_policy(`
|
||||
@@ -285,8 +321,10 @@ optional_policy(`
|
||||
@@ -285,8 +322,10 @@ optional_policy(`
|
||||
hal_dbus_chat(cupsd_t)
|
||||
')
|
||||
|
||||
@ -16885,7 +17011,7 @@ index 9f34c2e..c7268a7 100644
|
||||
')
|
||||
')
|
||||
|
||||
@@ -299,8 +337,8 @@ optional_policy(`
|
||||
@@ -299,8 +338,8 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -16895,7 +17021,7 @@ index 9f34c2e..c7268a7 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -309,7 +347,6 @@ optional_policy(`
|
||||
@@ -309,7 +348,6 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
lpd_exec_lpr(cupsd_t)
|
||||
@ -16903,7 +17029,7 @@ index 9f34c2e..c7268a7 100644
|
||||
lpd_read_config(cupsd_t)
|
||||
lpd_relabel_spool(cupsd_t)
|
||||
')
|
||||
@@ -337,7 +374,11 @@ optional_policy(`
|
||||
@@ -337,7 +375,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -16916,7 +17042,7 @@ index 9f34c2e..c7268a7 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -345,12 +386,11 @@ optional_policy(`
|
||||
@@ -345,12 +387,11 @@ optional_policy(`
|
||||
# Configuration daemon local policy
|
||||
#
|
||||
|
||||
@ -16932,7 +17058,7 @@ index 9f34c2e..c7268a7 100644
|
||||
allow cupsd_config_t cupsd_t:process signal;
|
||||
ps_process_pattern(cupsd_config_t, cupsd_t)
|
||||
|
||||
@@ -375,18 +415,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
|
||||
@@ -375,18 +416,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
|
||||
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
|
||||
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
|
||||
|
||||
@ -16953,7 +17079,7 @@ index 9f34c2e..c7268a7 100644
|
||||
corenet_all_recvfrom_netlabel(cupsd_config_t)
|
||||
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
|
||||
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
|
||||
@@ -395,20 +433,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
|
||||
@@ -395,20 +434,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
|
||||
corenet_sendrecv_all_client_packets(cupsd_config_t)
|
||||
corenet_tcp_connect_all_ports(cupsd_config_t)
|
||||
|
||||
@ -16974,7 +17100,7 @@ index 9f34c2e..c7268a7 100644
|
||||
fs_search_auto_mountpoints(cupsd_config_t)
|
||||
|
||||
domain_use_interactive_fds(cupsd_config_t)
|
||||
@@ -420,11 +450,6 @@ auth_use_nsswitch(cupsd_config_t)
|
||||
@@ -420,11 +451,6 @@ auth_use_nsswitch(cupsd_config_t)
|
||||
|
||||
logging_send_syslog_msg(cupsd_config_t)
|
||||
|
||||
@ -16986,7 +17112,7 @@ index 9f34c2e..c7268a7 100644
|
||||
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
|
||||
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
|
||||
userdom_read_all_users_state(cupsd_config_t)
|
||||
@@ -452,9 +477,12 @@ optional_policy(`
|
||||
@@ -452,9 +478,12 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -17000,7 +17126,7 @@ index 9f34c2e..c7268a7 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -490,10 +518,6 @@ optional_policy(`
|
||||
@@ -490,10 +519,6 @@ optional_policy(`
|
||||
# Lpd local policy
|
||||
#
|
||||
|
||||
@ -17011,7 +17137,7 @@ index 9f34c2e..c7268a7 100644
|
||||
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
||||
|
||||
allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
|
||||
@@ -511,31 +535,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
|
||||
@@ -511,31 +536,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
|
||||
|
||||
kernel_read_kernel_sysctls(cupsd_lpd_t)
|
||||
kernel_read_system_state(cupsd_lpd_t)
|
||||
@ -17044,7 +17170,7 @@ index 9f34c2e..c7268a7 100644
|
||||
optional_policy(`
|
||||
inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
|
||||
')
|
||||
@@ -546,7 +561,6 @@ optional_policy(`
|
||||
@@ -546,7 +562,6 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
|
||||
@ -17052,7 +17178,7 @@ index 9f34c2e..c7268a7 100644
|
||||
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
|
||||
@@ -562,148 +576,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
|
||||
@@ -562,148 +577,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
|
||||
|
||||
kernel_read_system_state(cups_pdf_t)
|
||||
|
||||
@ -17204,7 +17330,7 @@ index 9f34c2e..c7268a7 100644
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -731,7 +620,6 @@ kernel_read_kernel_sysctls(ptal_t)
|
||||
@@ -731,7 +621,6 @@ kernel_read_kernel_sysctls(ptal_t)
|
||||
kernel_list_proc(ptal_t)
|
||||
kernel_read_proc_symlinks(ptal_t)
|
||||
|
||||
@ -17212,7 +17338,7 @@ index 9f34c2e..c7268a7 100644
|
||||
corenet_all_recvfrom_netlabel(ptal_t)
|
||||
corenet_tcp_sendrecv_generic_if(ptal_t)
|
||||
corenet_tcp_sendrecv_generic_node(ptal_t)
|
||||
@@ -741,13 +629,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
|
||||
@@ -741,13 +630,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
|
||||
corenet_tcp_bind_ptal_port(ptal_t)
|
||||
corenet_tcp_sendrecv_ptal_port(ptal_t)
|
||||
|
||||
@ -17226,7 +17352,7 @@ index 9f34c2e..c7268a7 100644
|
||||
files_read_etc_runtime_files(ptal_t)
|
||||
|
||||
fs_getattr_all_fs(ptal_t)
|
||||
@@ -755,8 +641,6 @@ fs_search_auto_mountpoints(ptal_t)
|
||||
@@ -755,8 +642,6 @@ fs_search_auto_mountpoints(ptal_t)
|
||||
|
||||
logging_send_syslog_msg(ptal_t)
|
||||
|
||||
@ -17235,7 +17361,7 @@ index 9f34c2e..c7268a7 100644
|
||||
sysnet_read_config(ptal_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(ptal_t)
|
||||
@@ -769,3 +653,4 @@ optional_policy(`
|
||||
@@ -769,3 +654,4 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
udev_read_db(ptal_t)
|
||||
')
|
||||
@ -38237,7 +38363,7 @@ index 6194b80..af1201e 100644
|
||||
')
|
||||
+
|
||||
diff --git a/mozilla.te b/mozilla.te
|
||||
index 6a306ee..550e8d7 100644
|
||||
index 6a306ee..0a31eec 100644
|
||||
--- a/mozilla.te
|
||||
+++ b/mozilla.te
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -38681,7 +38807,7 @@ index 6a306ee..550e8d7 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -300,221 +324,179 @@ optional_policy(`
|
||||
@@ -300,221 +324,180 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -38888,6 +39014,7 @@ index 6a306ee..550e8d7 100644
|
||||
-dev_dontaudit_getattr_all_blk_files(mozilla_plugin_t)
|
||||
-dev_dontaudit_getattr_all_chr_files(mozilla_plugin_t)
|
||||
+dev_rwx_zero(mozilla_plugin_t)
|
||||
+dev_dontaudit_read_mtrr(mozilla_plugin_t)
|
||||
+dev_dontaudit_rw_dri(mozilla_plugin_t)
|
||||
+dev_dontaudit_getattr_all(mozilla_plugin_t)
|
||||
|
||||
@ -39001,7 +39128,7 @@ index 6a306ee..550e8d7 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -523,36 +505,48 @@ optional_policy(`
|
||||
@@ -523,36 +506,48 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -39063,7 +39190,7 @@ index 6a306ee..550e8d7 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -560,7 +554,7 @@ optional_policy(`
|
||||
@@ -560,7 +555,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -39072,7 +39199,7 @@ index 6a306ee..550e8d7 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -568,108 +562,118 @@ optional_policy(`
|
||||
@@ -568,108 +563,118 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -42420,7 +42547,7 @@ index 687af38..404ed6d 100644
|
||||
+ mysql_stream_connect($1)
|
||||
')
|
||||
diff --git a/mysql.te b/mysql.te
|
||||
index 9f6179e..dfa6623 100644
|
||||
index 9f6179e..2b85b52 100644
|
||||
--- a/mysql.te
|
||||
+++ b/mysql.te
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -42578,7 +42705,18 @@ index 9f6179e..dfa6623 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -153,29 +154,22 @@ optional_policy(`
|
||||
@@ -144,6 +145,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ openshift_search_lib(mysqld_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
seutil_sigchld_newrole(mysqld_t)
|
||||
')
|
||||
|
||||
@@ -153,29 +158,22 @@ optional_policy(`
|
||||
|
||||
#######################################
|
||||
#
|
||||
@ -42613,7 +42751,7 @@ index 9f6179e..dfa6623 100644
|
||||
|
||||
kernel_read_system_state(mysqld_safe_t)
|
||||
kernel_read_kernel_sysctls(mysqld_safe_t)
|
||||
@@ -187,17 +181,21 @@ dev_list_sysfs(mysqld_safe_t)
|
||||
@@ -187,17 +185,21 @@ dev_list_sysfs(mysqld_safe_t)
|
||||
|
||||
domain_read_all_domains_state(mysqld_safe_t)
|
||||
|
||||
@ -42629,10 +42767,10 @@ index 9f6179e..dfa6623 100644
|
||||
|
||||
-miscfiles_read_localization(mysqld_safe_t)
|
||||
+auth_read_passwd(mysqld_safe_t)
|
||||
+
|
||||
+domain_dontaudit_signull_all_domains(mysqld_safe_t)
|
||||
|
||||
-userdom_search_user_home_dirs(mysqld_safe_t)
|
||||
+domain_dontaudit_signull_all_domains(mysqld_safe_t)
|
||||
+
|
||||
+mysql_manage_db_files(mysqld_safe_t)
|
||||
+mysql_read_config(mysqld_safe_t)
|
||||
+mysql_search_pid_files(mysqld_safe_t)
|
||||
@ -42641,7 +42779,7 @@ index 9f6179e..dfa6623 100644
|
||||
|
||||
optional_policy(`
|
||||
hostname_exec(mysqld_safe_t)
|
||||
@@ -205,7 +203,7 @@ optional_policy(`
|
||||
@@ -205,7 +207,7 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -42650,7 +42788,7 @@ index 9f6179e..dfa6623 100644
|
||||
#
|
||||
|
||||
allow mysqlmanagerd_t self:capability { dac_override kill };
|
||||
@@ -214,11 +212,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
|
||||
@@ -214,11 +216,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
@ -42668,7 +42806,7 @@ index 9f6179e..dfa6623 100644
|
||||
|
||||
domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
|
||||
|
||||
@@ -226,31 +225,22 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
|
||||
@@ -226,31 +229,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
|
||||
manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
|
||||
filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
|
||||
|
||||
@ -42699,9 +42837,9 @@ index 9f6179e..dfa6623 100644
|
||||
-files_read_usr_files(mysqlmanagerd_t)
|
||||
-files_search_pids(mysqlmanagerd_t)
|
||||
-files_search_var_lib(mysqlmanagerd_t)
|
||||
|
||||
-
|
||||
-miscfiles_read_localization(mysqlmanagerd_t)
|
||||
|
||||
-
|
||||
-userdom_search_user_home_dirs(mysqlmanagerd_t)
|
||||
+userdom_getattr_user_home_dirs(mysqlmanagerd_t)
|
||||
diff --git a/mythtv.fc b/mythtv.fc
|
||||
@ -49852,10 +49990,10 @@ index 0000000..bddd4b3
|
||||
+')
|
||||
diff --git a/openshift.te b/openshift.te
|
||||
new file mode 100644
|
||||
index 0000000..d94eda8
|
||||
index 0000000..877c71a
|
||||
--- /dev/null
|
||||
+++ b/openshift.te
|
||||
@@ -0,0 +1,545 @@
|
||||
@@ -0,0 +1,546 @@
|
||||
+policy_module(openshift,1.0.0)
|
||||
+
|
||||
+gen_require(`
|
||||
@ -50325,6 +50463,7 @@ index 0000000..d94eda8
|
||||
+
|
||||
+allow openshift_cgroup_read_t openshift_var_lib_t:dir list_dir_perms;
|
||||
+manage_files_pattern(openshift_cgroup_read_t, openshift_var_lib_t, openshift_var_lib_t)
|
||||
+allow openshift_cgroup_read_t openshift_file_type:file rw_inherited_file_perms;
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
@ -69325,7 +69464,7 @@ index 3bd6446..a61764b 100644
|
||||
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
|
||||
')
|
||||
diff --git a/rpc.te b/rpc.te
|
||||
index e5212e6..ede6c81 100644
|
||||
index e5212e6..74f3e1b 100644
|
||||
--- a/rpc.te
|
||||
+++ b/rpc.te
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -69514,24 +69653,24 @@ index e5212e6..ede6c81 100644
|
||||
optional_policy(`
|
||||
- nis_read_ypserv_config(rpcd_t)
|
||||
+ domain_unconfined_signal(rpcd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ quota_manage_db(rpcd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- quota_manage_db_files(rpcd_t)
|
||||
+ nis_read_ypserv_config(rpcd_t)
|
||||
+ quota_manage_db(rpcd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- rgmanager_manage_tmp_files(rpcd_t)
|
||||
+ quota_read_db(rpcd_t)
|
||||
+ nis_read_ypserv_config(rpcd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- unconfined_signal(rpcd_t)
|
||||
+ quota_read_db(rpcd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ rhcs_manage_cluster_tmp_files(rpcd_t)
|
||||
')
|
||||
|
||||
@ -69663,13 +69802,17 @@ index e5212e6..ede6c81 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -306,8 +270,7 @@ optional_policy(`
|
||||
@@ -306,8 +270,11 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
kerberos_keytab_template(gssd, gssd_t)
|
||||
- kerberos_manage_host_rcache(gssd_t)
|
||||
- kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")
|
||||
+ kerberos_tmp_filetrans_host_rcache(gssd_t, "nfs_0")
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ gssproxy_stream_connect(gssd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -78547,7 +78690,7 @@ index 7a9cc9d..86cbca9 100644
|
||||
init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
diff --git a/snmp.te b/snmp.te
|
||||
index 81864ce..24fe118 100644
|
||||
index 81864ce..4b6b771 100644
|
||||
--- a/snmp.te
|
||||
+++ b/snmp.te
|
||||
@@ -27,14 +27,16 @@ files_type(snmpd_var_lib_t)
|
||||
@ -78617,11 +78760,15 @@ index 81864ce..24fe118 100644
|
||||
|
||||
seutil_dontaudit_search_config(snmpd_t)
|
||||
|
||||
@@ -131,7 +133,7 @@ optional_policy(`
|
||||
@@ -131,7 +133,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- corosync_stream_connect(snmpd_t)
|
||||
+ fstools_domtrans(snmpd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ rhcs_stream_connect_cluster(snmpd_t)
|
||||
')
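Review bot: `fstools_domtrans(snmpd_t)` in the `@@ -131,7 +133,11 @@` hunk moves snmpd into the whole fsadm_t domain whenever it executes any fstools-labelled binary, not just smartctl, so a compromised snmpd would inherit fsadm_t's raw block-device and filesystem-tool access rather than the narrow "read SMART data" ability the changelog describes. The hunk itself does not record why the transition is needed, so a short comment above the new optional block would help the next reviewer judge the scope, for example `# snmpd runs smartctl (fstools-labelled) for disk health checks; this grants all of fsadm_t, not just smartctl`. If the project gates optional snmpd integrations behind a tunable, this rule looks like a candidate for one, since most snmpd deployments presumably never execute fstools binaries — that is an inference, not something the hunk shows.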
|
||||
|
||||
@ -86439,7 +86586,7 @@ index 31c752e..ef52235 100644
|
||||
init_labeled_script_domtrans($1, vdagentd_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
diff --git a/vdagent.te b/vdagent.te
|
||||
index 77be35a..4abe2aa 100644
|
||||
index 77be35a..0e9a7d1 100644
|
||||
--- a/vdagent.te
|
||||
+++ b/vdagent.te
|
||||
@@ -25,6 +25,7 @@ logging_log_file(vdagent_log_t)
|
||||
@ -86450,21 +86597,27 @@ index 77be35a..4abe2aa 100644
|
||||
allow vdagent_t self:fifo_file rw_fifo_file_perms;
|
||||
allow vdagent_t self:unix_stream_socket { accept listen };
|
||||
|
||||
@@ -43,13 +44,15 @@ dev_rw_input_dev(vdagent_t)
|
||||
@@ -39,17 +40,20 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
|
||||
setattr_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
|
||||
logging_log_filetrans(vdagent_t, vdagent_log_t, file)
|
||||
|
||||
+kernel_request_load_module(vdagent_t)
|
||||
+
|
||||
dev_rw_input_dev(vdagent_t)
|
||||
dev_read_sysfs(vdagent_t)
|
||||
dev_dontaudit_write_mtrr(vdagent_t)
|
||||
|
||||
-files_read_etc_files(vdagent_t)
|
||||
|
||||
-
|
||||
init_read_state(vdagent_t)
|
||||
|
||||
-logging_send_syslog_msg(vdagent_t)
|
||||
+systemd_read_logind_sessions_files(vdagent_t)
|
||||
+systemd_login_read_pid_files(vdagent_t)
|
||||
+
|
||||
+term_use_virtio_console(vdagent_t)
|
||||
|
||||
-miscfiles_read_localization(vdagent_t)
|
||||
+term_use_virtio_console(vdagent_t)
|
||||
+
|
||||
+logging_send_syslog_msg(vdagent_t)
|
||||
|
||||
userdom_read_all_users_state(vdagent_t)
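Review bot: `kernel_request_load_module(vdagent_t)` in the `@@ -39,17 +40,20 @@` hunk lets the guest agent trigger a kernel module autoload by name, which is a broad capability for a process that services a host-controlled channel, and neither the hunk nor the changelog says which module the agent actually needs. A one-line comment recording the trigger would make the rule reviewable later, e.g. `# vdagent opens a device whose driver is autoloaded via request_module — needed for <MODULE — TODO confirm>`; given the adjacent `dev_rw_input_dev(vdagent_t)` the input subsystem is the likely trigger, but that is inferred, not shown. If the agent works without the module and the AVC is merely noisy, `kernel_dontaudit_request_load_module(vdagent_t)` would be the narrower choice; the commit message suggests the load is required, so I would only ask that the reason be written down.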
|
||||
|
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.12.1
|
||||
Release: 52%{?dist}
|
||||
Release: 53%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -97,6 +97,7 @@ SELinux policy development and man page package
|
||||
|
||||
%post devel
|
||||
selinuxenabled && /usr/bin/sepolgen-ifgen 2>/dev/null
|
||||
exit 0
|
||||
|
||||
%package doc
|
||||
Summary: SELinux policy documentation
|
||||
@ -534,6 +535,23 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Jun 18 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-53
|
||||
- Make vdagent able to request loading kernel module
|
||||
- Add support for cloud-init make it as unconfined domain
|
||||
- Allow snmpd to run smartctl in fsadm_t domain
|
||||
- remove duplicate openshift_search_lib() interface
|
||||
- Allow mysqld to search openshift lib files
|
||||
- Allow openshift cgroup to interact with passedin file descriptors
|
||||
- Allow colord to list directories inthe users homedir
|
||||
- aide executes prelink to check files
|
||||
- Make sure cupsd_t creates content in /etc/cups with the correct label
|
||||
- Lest dontaudit apache read all domains, so passenger will not cause this avc
|
||||
- Allow gssd to connect to gssproxy
|
||||
- systemd-tmpfiles needs to be able to raise the level to fix labeling on /run/setrans in MLS
|
||||
- Allow systemd-tmpfiles to relabel also lock files
|
||||
- Allow useradd to add homdir in /var/lib/openshift
|
||||
- Allow setfiles and semanage to write output to /run/files
|
||||
|
||||
* Fri Jun 14 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-52
|
||||
- Add labeling for /dev/tgt
|
||||
- Dontaudit leak fd from firewalld for modprobe
|
||||
@ -726,7 +744,7 @@ SELinux Reference policy mls base module.
|
||||
- Allow certwatch to read net_config_t when it executes apache
|
||||
- Allow readahead to create /run/systemd and then create its own directory with the correct label
|
||||
|
||||
* Fri May 10 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-43
|
||||
* Mon May 13 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-43
|
||||
- Transition directories and files when in a user_tmp_t directory
|
||||
- Change certwatch to domtrans to apache instead of just execute
|
||||
- Allow virsh_t to read xen lib files
|
||||
|