- Manage_service_perms should include enable and disable, need backport to RHEL7
- Allow also unpriv user to run vmtools - Allow secadm to read /dev/urandom and meminfo - Add userdom_tmp_role for secadm_t - Allow postgresql to read network state - Add a new file context for /var/named/chroot/run directory - Add booleans to allow docker processes to use nfs and samba - Dontaudit net_admin for /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/b - Allow puppet stream connect to mysql - Fixed some rules related to puppet policy - Allow vmware-user-sui to use user ttys - Allow talk 2 users logged via console too - Additional avcs for docker when running tests - allow anaconda to dbus chat with systemd-localed - clean up rhcs.te - remove dup rules from haproxy.te - Add fixes for haproxy based on bperkins@redhat.com - Allow cmirrord to make dmsetup working - Allow NM to execute arping - Allow users to send messages through talk - update rtas_errd policy - Add support for /var/spool/rhsm/debug - Make virt_sandbox_use_audit as True by default - Allow svirt_sandbox_domains to ptrace themselves - Allow snmpd to getattr on removable and fixed disks - Allow docker containers to manage /var/lib/docker content
This commit is contained in:
parent
3f115fd877
commit
8ad9144b00
@ -18395,10 +18395,10 @@ index 3a45a3e..7499f24 100644
|
|||||||
+allow logadm_t self:capability { dac_override dac_read_search kill sys_nice };
|
+allow logadm_t self:capability { dac_override dac_read_search kill sys_nice };
|
||||||
logging_admin(logadm_t, logadm_r)
|
logging_admin(logadm_t, logadm_r)
|
||||||
diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
|
diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
|
||||||
index da11120..d67bcca 100644
|
index da11120..621ec5a 100644
|
||||||
--- a/policy/modules/roles/secadm.te
|
--- a/policy/modules/roles/secadm.te
|
||||||
+++ b/policy/modules/roles/secadm.te
|
+++ b/policy/modules/roles/secadm.te
|
||||||
@@ -7,8 +7,10 @@ policy_module(secadm, 2.4.0)
|
@@ -7,8 +7,11 @@ policy_module(secadm, 2.4.0)
|
||||||
|
|
||||||
role secadm_r;
|
role secadm_r;
|
||||||
|
|
||||||
@ -18408,10 +18408,24 @@ index da11120..d67bcca 100644
|
|||||||
+userdom_security_admin(secadm_t, secadm_r)
|
+userdom_security_admin(secadm_t, secadm_r)
|
||||||
+userdom_inherit_append_admin_home_files(secadm_t)
|
+userdom_inherit_append_admin_home_files(secadm_t)
|
||||||
+userdom_read_admin_home_files(secadm_t)
|
+userdom_read_admin_home_files(secadm_t)
|
||||||
|
+userdom_manage_tmp_role(secadm_r, secadm_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@@ -30,8 +32,7 @@ mls_file_upgrade(secadm_t)
|
@@ -17,9 +20,12 @@ userdom_security_admin_template(secadm_t, secadm_r)
|
||||||
|
|
||||||
|
allow secadm_t self:capability { dac_read_search dac_override };
|
||||||
|
|
||||||
|
+kernel_read_system_state(secadm_t)
|
||||||
|
+
|
||||||
|
corecmd_exec_shell(secadm_t)
|
||||||
|
|
||||||
|
dev_relabel_all_dev_nodes(secadm_t)
|
||||||
|
+dev_read_urand(secadm_t)
|
||||||
|
|
||||||
|
domain_obj_id_change_exemption(secadm_t)
|
||||||
|
|
||||||
|
@@ -30,8 +36,7 @@ mls_file_upgrade(secadm_t)
|
||||||
mls_file_downgrade(secadm_t)
|
mls_file_downgrade(secadm_t)
|
||||||
|
|
||||||
auth_role(secadm_r, secadm_t)
|
auth_role(secadm_r, secadm_t)
|
||||||
@ -20469,7 +20483,7 @@ index 3835596..fbca2be 100644
|
|||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
|
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
|
||||||
index 6d77e81..8332fca 100644
|
index 6d77e81..c8df034 100644
|
||||||
--- a/policy/modules/roles/unprivuser.te
|
--- a/policy/modules/roles/unprivuser.te
|
||||||
+++ b/policy/modules/roles/unprivuser.te
|
+++ b/policy/modules/roles/unprivuser.te
|
||||||
@@ -1,5 +1,12 @@
|
@@ -1,5 +1,12 @@
|
||||||
@ -20621,22 +20635,15 @@ index 6d77e81..8332fca 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
su_role_template(user, user_r, user_t)
|
su_role_template(user, user_r, user_t)
|
||||||
')
|
')
|
||||||
@@ -153,6 +251,10 @@ ifndef(`distro_redhat',`
|
@@ -161,3 +259,19 @@ ifndef(`distro_redhat',`
|
||||||
userhelper_role_template(user, user_r, user_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
+ optional_policy(`
|
|
||||||
+ vmtools_run_helper(user_t, user_r)
|
|
||||||
+ ')
|
|
||||||
+
|
|
||||||
optional_policy(`
|
|
||||||
vmware_role(user_r, user_t)
|
|
||||||
')
|
|
||||||
@@ -161,3 +263,15 @@ ifndef(`distro_redhat',`
|
|
||||||
wireshark_role(user_r, user_t)
|
wireshark_role(user_r, user_t)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
+
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ vmtools_run_helper(user_t, user_r)
|
||||||
|
+')
|
||||||
|
+
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ virt_transition_svirt(user_t, user_r)
|
+ virt_transition_svirt(user_t, user_r)
|
||||||
@ -39706,10 +39713,10 @@ index 0000000..8bca1d7
|
|||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..ca13b14
|
index 0000000..898464f
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/system/systemd.te
|
+++ b/policy/modules/system/systemd.te
|
||||||
@@ -0,0 +1,680 @@
|
@@ -0,0 +1,679 @@
|
||||||
+policy_module(systemd, 1.0.0)
|
+policy_module(systemd, 1.0.0)
|
||||||
+
|
+
|
||||||
+#######################################
|
+#######################################
|
||||||
@ -40389,7 +40396,6 @@ index 0000000..ca13b14
|
|||||||
+
|
+
|
||||||
+read_files_pattern(systemd_domain, systemd_home_t, systemd_home_t)
|
+read_files_pattern(systemd_domain, systemd_home_t, systemd_home_t)
|
||||||
+read_lnk_files_pattern(systemd_domain, systemd_home_t, systemd_home_t)
|
+read_lnk_files_pattern(systemd_domain, systemd_home_t, systemd_home_t)
|
||||||
+
|
|
||||||
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
|
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
|
||||||
index f41857e..49fd32e 100644
|
index f41857e..49fd32e 100644
|
||||||
--- a/policy/modules/system/udev.fc
|
--- a/policy/modules/system/udev.fc
|
||||||
@ -46842,7 +46848,7 @@ index e79d545..101086d 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
|
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
|
||||||
index 6e91317..64e135a 100644
|
index 6e91317..018d0a6 100644
|
||||||
--- a/policy/support/obj_perm_sets.spt
|
--- a/policy/support/obj_perm_sets.spt
|
||||||
+++ b/policy/support/obj_perm_sets.spt
|
+++ b/policy/support/obj_perm_sets.spt
|
||||||
@@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
|
@@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
|
||||||
@ -46952,7 +46958,7 @@ index 6e91317..64e135a 100644
|
|||||||
+#
|
+#
|
||||||
+# Service
|
+# Service
|
||||||
+#
|
+#
|
||||||
+define(`manage_service_perms', `{ start stop status reload } ')
|
+define(`manage_service_perms', `{ start stop status reload enable disable } ')
|
||||||
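Review bot: Extending `manage_service_perms` to `{ start stop status reload enable disable }` on the last changed line of this hunk widens every existing caller of the permission set in one step: any domain that was previously granted start and stop on a service now also receives enable and disable, which alter the unit's persistent (boot-time) state rather than only the running instance. The `# Service` header above the define does not record this, so a reader of the new side cannot tell that the set now carries persistence-affecting permissions; I would add `# Note: includes enable/disable, so callers may change persistent unit state, not only the running service.` directly above the define. The callers of this set are outside the hunk, so whether each of them is meant to gain enable and disable cannot be confirmed from here; since the changelog marks this change for a RHEL7 backport, an audit of those callers before backporting would be worthwhile. The enclosing patch file section starts before the first line visible here.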
diff --git a/policy/users b/policy/users
|
diff --git a/policy/users b/policy/users
|
||||||
index c4ebc7e..30d6d7a 100644
|
index c4ebc7e..30d6d7a 100644
|
||||||
--- a/policy/users
|
--- a/policy/users
|
||||||
|
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.13.1
|
Version: 3.13.1
|
||||||
Release: 38%{?dist}
|
Release: 39%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -584,6 +584,34 @@ SELinux Reference policy mls base module.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Mar 25 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-39
|
||||||
|
- Manage_service_perms should include enable and disable, need backport to RHEL7
|
||||||
|
- Allow also unpriv user to run vmtools
|
||||||
|
- Allow secadm to read /dev/urandom and meminfo
|
||||||
|
- Add userdom_tmp_role for secadm_t
|
||||||
|
- Allow postgresql to read network state
|
||||||
|
- Add a new file context for /var/named/chroot/run directory
|
||||||
|
- Add booleans to allow docker processes to use nfs and samba
|
||||||
|
- Dontaudit net_amdin for /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/bin/java running as pki_tomcat_t
|
||||||
|
- Allow puppet stream connect to mysql
|
||||||
|
- Fixed some rules related to puppet policy
|
||||||
|
- Allow vmware-user-sui to use user ttys
|
||||||
|
- Allow talk 2 users logged via console too
|
||||||
|
- Additional avcs for docker when running tests
|
||||||
|
- allow anaconda to dbus chat with systemd-localed
|
||||||
|
- clean up rhcs.te
|
||||||
|
- remove dup rules from haproxy.te
|
||||||
|
- Add fixes for haproxy based on bperkins@redhat.com
|
||||||
|
- Allow cmirrord to make dmsetup working
|
||||||
|
- Allow NM to execute arping
|
||||||
|
- Allow users to send messages through talk
|
||||||
|
- update rtas_errd policy
|
||||||
|
- Add support for /var/spool/rhsm/debug
|
||||||
|
- Make virt_sandbox_use_audit as True by default
|
||||||
|
- Allow svirt_sandbox_domains to ptrace themselves
|
||||||
|
- Allow snmpd to getattr on removeable and fixed disks
|
||||||
|
- Allow docker containers to manage /var/lib/docker content
|
||||||
|
|
||||||
* Mon Mar 17 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-38
|
* Mon Mar 17 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-38
|
||||||
- Label sddm as xdm_exec_t to make KDE working again
|
- Label sddm as xdm_exec_t to make KDE working again
|
||||||
- Allow postgresql to read network state
|
- Allow postgresql to read network state
|
||||||
|