- Manage_service_perms should include enable and disable, need backport to RHEL7
- Allow also unpriv user to run vmtools - Allow secadm to read /dev/urandom and meminfo - Add userdom_tmp_role for secadm_t - Allow postgresql to read network state - Add a new file context for /var/named/chroot/run directory - Add booleans to allow docker processes to use nfs and samba - Dontaudit net_admin for /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/b - Allow puppet stream connect to mysql - Fixed some rules related to puppet policy - Allow vmware-user-sui to use user ttys - Allow talk 2 users logged via console too - Additional avcs for docker when running tests - allow anaconda to dbus chat with systemd-localed - clean up rhcs.te - remove dup rules from haproxy.te - Add fixes for haproxy based on bperkins@redhat.com - Allow cmirrord to make dmsetup working - Allow NM to execute arping - Allow users to send messages through talk - update rtas_errd policy - Add support for /var/spool/rhsm/debug - Make virt_sandbox_use_audit as True by default - Allow svirt_sandbox_domains to ptrace themselves - Allow snmpd to getattr on removeable and fixed disks - Allow docker containers to manage /var/lib/docker content
parent
3f115fd877
commit
8ad9144b00
@ -18395,10 +18395,10 @@ index 3a45a3e..7499f24 100644
|
||||
+allow logadm_t self:capability { dac_override dac_read_search kill sys_nice };
|
||||
logging_admin(logadm_t, logadm_r)
|
||||
diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
|
||||
index da11120..d67bcca 100644
|
||||
index da11120..621ec5a 100644
|
||||
--- a/policy/modules/roles/secadm.te
|
||||
+++ b/policy/modules/roles/secadm.te
|
||||
@@ -7,8 +7,10 @@ policy_module(secadm, 2.4.0)
|
||||
@@ -7,8 +7,11 @@ policy_module(secadm, 2.4.0)
|
||||
|
||||
role secadm_r;
|
||||
|
||||
@ -18408,10 +18408,24 @@ index da11120..d67bcca 100644
|
||||
+userdom_security_admin(secadm_t, secadm_r)
|
||||
+userdom_inherit_append_admin_home_files(secadm_t)
|
||||
+userdom_read_admin_home_files(secadm_t)
|
||||
+userdom_manage_tmp_role(secadm_r, secadm_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -30,8 +32,7 @@ mls_file_upgrade(secadm_t)
|
||||
@@ -17,9 +20,12 @@ userdom_security_admin_template(secadm_t, secadm_r)
|
||||
|
||||
allow secadm_t self:capability { dac_read_search dac_override };
|
||||
|
||||
+kernel_read_system_state(secadm_t)
|
||||
+
|
||||
corecmd_exec_shell(secadm_t)
|
||||
|
||||
dev_relabel_all_dev_nodes(secadm_t)
|
||||
+dev_read_urand(secadm_t)
|
||||
|
||||
domain_obj_id_change_exemption(secadm_t)
|
||||
|
||||
@@ -30,8 +36,7 @@ mls_file_upgrade(secadm_t)
|
||||
mls_file_downgrade(secadm_t)
|
||||
|
||||
auth_role(secadm_r, secadm_t)
|
||||
@ -20469,7 +20483,7 @@ index 3835596..fbca2be 100644
|
||||
########################################
|
||||
## <summary>
|
||||
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
|
||||
index 6d77e81..8332fca 100644
|
||||
index 6d77e81..c8df034 100644
|
||||
--- a/policy/modules/roles/unprivuser.te
|
||||
+++ b/policy/modules/roles/unprivuser.te
|
||||
@@ -1,5 +1,12 @@
|
||||
@ -20621,22 +20635,15 @@ index 6d77e81..8332fca 100644
|
||||
optional_policy(`
|
||||
su_role_template(user, user_r, user_t)
|
||||
')
|
||||
@@ -153,6 +251,10 @@ ifndef(`distro_redhat',`
|
||||
userhelper_role_template(user, user_r, user_t)
|
||||
')
|
||||
|
||||
+ optional_policy(`
|
||||
+ vmtools_run_helper(user_t, user_r)
|
||||
+ ')
|
||||
+
|
||||
optional_policy(`
|
||||
vmware_role(user_r, user_t)
|
||||
')
|
||||
@@ -161,3 +263,15 @@ ifndef(`distro_redhat',`
|
||||
@@ -161,3 +259,19 @@ ifndef(`distro_redhat',`
|
||||
wireshark_role(user_r, user_t)
|
||||
')
|
||||
')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ vmtools_run_helper(user_t, user_r)
|
||||
+')
|
||||
+
|
||||
+
|
||||
+optional_policy(`
|
||||
+ virt_transition_svirt(user_t, user_r)
|
||||
@ -39706,10 +39713,10 @@ index 0000000..8bca1d7
|
||||
+')
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
new file mode 100644
|
||||
index 0000000..ca13b14
|
||||
index 0000000..898464f
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -0,0 +1,680 @@
|
||||
@@ -0,0 +1,679 @@
|
||||
+policy_module(systemd, 1.0.0)
|
||||
+
|
||||
+#######################################
|
||||
@ -40389,7 +40396,6 @@ index 0000000..ca13b14
|
||||
+
|
||||
+read_files_pattern(systemd_domain, systemd_home_t, systemd_home_t)
|
||||
+read_lnk_files_pattern(systemd_domain, systemd_home_t, systemd_home_t)
|
||||
+
|
||||
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
|
||||
index f41857e..49fd32e 100644
|
||||
--- a/policy/modules/system/udev.fc
|
||||
@ -46842,7 +46848,7 @@ index e79d545..101086d 100644
|
||||
')
|
||||
|
||||
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
|
||||
index 6e91317..64e135a 100644
|
||||
index 6e91317..018d0a6 100644
|
||||
--- a/policy/support/obj_perm_sets.spt
|
||||
+++ b/policy/support/obj_perm_sets.spt
|
||||
@@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
|
||||
@ -46952,7 +46958,7 @@ index 6e91317..64e135a 100644
|
||||
+#
|
||||
+# Service
|
||||
+#
|
||||
+define(`manage_service_perms', `{ start stop status reload } ')
|
||||
+define(`manage_service_perms', `{ start stop status reload enable disable } ')
|
||||
diff --git a/policy/users b/policy/users
|
||||
index c4ebc7e..30d6d7a 100644
|
||||
--- a/policy/users
|
||||
|
File diff suppressed because it is too large
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 38%{?dist}
|
||||
Release: 39%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -584,6 +584,34 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Mar 25 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-39
|
||||
- Manage_service_perms should include enable and disable, need backport to RHEL7
|
||||
- Allow also unpriv user to run vmtools
|
||||
- Allow secadm to read /dev/urandom and meminfo
|
||||
- Add userdom_tmp_role for secadm_t
|
||||
- Allow postgresql to read network state
|
||||
- Add a new file context for /var/named/chroot/run directory
|
||||
- Add booleans to allow docker processes to use nfs and samba
|
||||
- Dontaudit net_amdin for /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/bin/java running as pki_tomcat_t
|
||||
- Allow puppet stream connect to mysql
|
||||
- Fixed some rules related to puppet policy
|
||||
- Allow vmware-user-sui to use user ttys
|
||||
- Allow talk 2 users logged via console too
|
||||
- Additional avcs for docker when running tests
|
||||
- allow anaconda to dbus chat with systemd-localed
|
||||
- clean up rhcs.te
|
||||
- remove dup rules from haproxy.te
|
||||
- Add fixes for haproxy based on bperkins@redhat.com
|
||||
- Allow cmirrord to make dmsetup working
|
||||
- Allow NM to execute arping
|
||||
- Allow users to send messages through talk
|
||||
- update rtas_errd policy
|
||||
- Add support for /var/spool/rhsm/debug
|
||||
- Make virt_sandbox_use_audit as True by default
|
||||
- Allow svirt_sandbox_domains to ptrace themselves
|
||||
- Allow snmpd to getattr on removeable and fixed disks
|
||||
- Allow docker containers to manage /var/lib/docker content
|
||||
|
||||
* Mon Mar 17 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-38
|
||||
- Label sddm as xdm_exec_t to make KDE working again
|
||||
- Allow postgresql to read network state
|
||||
|