- Manage_service_perms should include enable and disable, need backport to RHEL7

- Allow also unpriv user to run vmtools
- Allow secadm to read /dev/urandom and meminfo
- Add userdom_tmp_role for secadm_t
- Allow postgresql to read network state
- Add a new file context for /var/named/chroot/run directory
- Add booleans to allow docker processes to use nfs and samba
- Dontaudit net_admin for /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/bin/java running as pki_tomcat_t
- Allow puppet stream connect to mysql
- Fixed some rules related to puppet policy
- Allow vmware-user-sui to use user ttys
- Allow talk 2 users logged via console too
- Additional avcs for docker when running tests
- allow anaconda to dbus chat with systemd-localed
- clean up rhcs.te
- remove dup rules from haproxy.te
- Add fixes for haproxy based on bperkins@redhat.com
- Allow cmirrord to make dmsetup working
- Allow NM to execute arping
- Allow users to send messages through talk
- update rtas_errd policy
- Add support for /var/spool/rhsm/debug
- Make virt_sandbox_use_audit as True by default
- Allow svirt_sandbox_domains to ptrace themselves
- Allow snmpd to getattr on removeable and fixed disks
- Allow docker containers to manage /var/lib/docker content
Miroslav Grepl 2014-03-25 09:50:55 +01:00
parent 3f115fd877
commit 8ad9144b00
3 changed files with 481 additions and 387 deletions


@ -18395,10 +18395,10 @@ index 3a45a3e..7499f24 100644
+allow logadm_t self:capability { dac_override dac_read_search kill sys_nice };
logging_admin(logadm_t, logadm_r)
diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
index da11120..d67bcca 100644
index da11120..621ec5a 100644
--- a/policy/modules/roles/secadm.te
+++ b/policy/modules/roles/secadm.te
@@ -7,8 +7,10 @@ policy_module(secadm, 2.4.0)
@@ -7,8 +7,11 @@ policy_module(secadm, 2.4.0)
role secadm_r;
@ -18408,10 +18408,24 @@ index da11120..d67bcca 100644
+userdom_security_admin(secadm_t, secadm_r)
+userdom_inherit_append_admin_home_files(secadm_t)
+userdom_read_admin_home_files(secadm_t)
+userdom_manage_tmp_role(secadm_r, secadm_t)
########################################
#
@@ -30,8 +32,7 @@ mls_file_upgrade(secadm_t)
@@ -17,9 +20,12 @@ userdom_security_admin_template(secadm_t, secadm_r)
allow secadm_t self:capability { dac_read_search dac_override };
+kernel_read_system_state(secadm_t)
+
corecmd_exec_shell(secadm_t)
dev_relabel_all_dev_nodes(secadm_t)
+dev_read_urand(secadm_t)
domain_obj_id_change_exemption(secadm_t)
@@ -30,8 +36,7 @@ mls_file_upgrade(secadm_t)
mls_file_downgrade(secadm_t)
auth_role(secadm_r, secadm_t)
@ -20469,7 +20483,7 @@ index 3835596..fbca2be 100644
########################################
## <summary>
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 6d77e81..8332fca 100644
index 6d77e81..c8df034 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -1,5 +1,12 @@
@ -20621,22 +20635,15 @@ index 6d77e81..8332fca 100644
optional_policy(`
su_role_template(user, user_r, user_t)
')
@@ -153,6 +251,10 @@ ifndef(`distro_redhat',`
userhelper_role_template(user, user_r, user_t)
')
+ optional_policy(`
+ vmtools_run_helper(user_t, user_r)
+ ')
+
optional_policy(`
vmware_role(user_r, user_t)
')
@@ -161,3 +263,15 @@ ifndef(`distro_redhat',`
@@ -161,3 +259,19 @@ ifndef(`distro_redhat',`
wireshark_role(user_r, user_t)
')
')
+
+optional_policy(`
+ vmtools_run_helper(user_t, user_r)
+')
+
+
+optional_policy(`
+ virt_transition_svirt(user_t, user_r)
@ -39706,10 +39713,10 @@ index 0000000..8bca1d7
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
index 0000000..ca13b14
index 0000000..898464f
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,680 @@
@@ -0,0 +1,679 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@ -40389,7 +40396,6 @@ index 0000000..ca13b14
+
+read_files_pattern(systemd_domain, systemd_home_t, systemd_home_t)
+read_lnk_files_pattern(systemd_domain, systemd_home_t, systemd_home_t)
+
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index f41857e..49fd32e 100644
--- a/policy/modules/system/udev.fc
@ -46842,7 +46848,7 @@ index e79d545..101086d 100644
')
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 6e91317..64e135a 100644
index 6e91317..018d0a6 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
@ -46952,7 +46958,7 @@ index 6e91317..64e135a 100644
+#
+# Service
+#
+define(`manage_service_perms', `{ start stop status reload } ')
+define(`manage_service_perms', `{ start stop status reload enable disable } ')
diff --git a/policy/users b/policy/users
index c4ebc7e..30d6d7a 100644
--- a/policy/users
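Review bot: Widening `manage_service_perms` to `{ start stop status reload enable disable }` in the obj_perm_sets.spt hunk (the second of the two `define` lines) changes the meaning of an existing permission set, so every domain already granted it on `service` objects silently gains `enable` and `disable`, which alter unit enablement on disk and persist across reboots instead of acting only on the running unit. The surrounding comment block says only `# Service`; I would record the widening there, e.g. `# enable/disable are persistent (unit enablement), unlike start/stop/reload; every existing user of this set gains them`. Because the message also marks this for a RHEL7 backport, the callers of the set in that branch deserve a pass so domains that only needed runtime control do not pick up the persistent permissions unreviewed.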



@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 38%{?dist}
Release: 39%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -584,6 +584,34 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Tue Mar 25 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-39
- Manage_service_perms should include enable and disable, need backport to RHEL7
- Allow also unpriv user to run vmtools
- Allow secadm to read /dev/urandom and meminfo
- Add userdom_tmp_role for secadm_t
- Allow postgresql to read network state
- Add a new file context for /var/named/chroot/run directory
- Add booleans to allow docker processes to use nfs and samba
- Dontaudit net_amdin for /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/bin/java running as pki_tomcat_t
- Allow puppet stream connect to mysql
- Fixed some rules related to puppet policy
- Allow vmware-user-sui to use user ttys
- Allow talk 2 users logged via console too
- Additional avcs for docker when running tests
- allow anaconda to dbus chat with systemd-localed
- clean up rhcs.te
- remove dup rules from haproxy.te
- Add fixes for haproxy based on bperkins@redhat.com
- Allow cmirrord to make dmsetup working
- Allow NM to execute arping
- Allow users to send messages through talk
- update rtas_errd policy
- Add support for /var/spool/rhsm/debug
- Make virt_sandbox_use_audit as True by default
- Allow svirt_sandbox_domains to ptrace themselves
- Allow snmpd to getattr on removeable and fixed disks
- Allow docker containers to manage /var/lib/docker content
* Mon Mar 17 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-38
- Label sddm as xdm_exec_t to make KDE working again
- Allow postgresql to read network state