- Treat Bip with bitlbee policy
* Bip is an IRC proxy
- Add port definition for interwise port
- Add support for ipa_memcached socket
- systemd_jounald needs to getattr on all processes
- mdadmin fixes
* uses getpw
- amavisd calls getpwnam()
- denyhosts calls getpwall()
This commit is contained in:
Miroslav Grepl
parent
de9114f624
commit
8cd443307d
207
policy-F16.patch
207
policy-F16.patch
|
|
@ -14484,7 +14484,7 @@ index 4f3b542..f4e36ee 100644
|
|||
corenet_udp_recvfrom_labeled($1, $2)
|
||||
corenet_raw_recvfrom_labeled($1, $2)
|
||||
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
|
||||
index 99b71cb..f7cc16e 100644
|
||||
index 99b71cb..58a5523 100644
|
||||
--- a/policy/modules/kernel/corenetwork.te.in
|
||||
+++ b/policy/modules/kernel/corenetwork.te.in
|
||||
@@ -11,11 +11,15 @@ attribute netif_type;
|
||||
|
|
@ -14610,7 +14610,7 @@ index 99b71cb..f7cc16e 100644
|
|||
network_port(gopher, tcp,70,s0, udp,70,s0)
|
||||
network_port(gpsd, tcp,2947,s0)
|
||||
network_port(hadoop_datanode, tcp,50010,s0)
|
||||
@@ -115,11 +157,12 @@ network_port(hddtemp, tcp,7634,s0)
|
||||
@@ -115,11 +157,13 @@ network_port(hddtemp, tcp,7634,s0)
|
||||
network_port(howl, tcp,5335,s0, udp,5353,s0)
|
||||
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
|
||||
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
|
||||
|
|
@ -14620,11 +14620,12 @@ index 99b71cb..f7cc16e 100644
|
|||
network_port(imaze, tcp,5323,s0, udp,5323,s0)
|
||||
network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
|
||||
network_port(innd, tcp,119,s0)
|
||||
+network_port(interwise, tcp,7778,s0, udp,7778,s0)
|
||||
+network_port(ionixnetmon, tcp,7410,s0, udp,7410,s0)
|
||||
network_port(ipmi, udp,623,s0, udp,664,s0)
|
||||
network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
|
||||
network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
|
||||
@@ -129,20 +172,27 @@ network_port(iscsi, tcp,3260,s0)
|
||||
@@ -129,20 +173,27 @@ network_port(iscsi, tcp,3260,s0)
|
||||
network_port(isns, tcp,3205,s0, udp,3205,s0)
|
||||
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
|
||||
network_port(jabber_interserver, tcp,5269,s0)
|
||||
|
|
@ -14655,7 +14656,7 @@ index 99b71cb..f7cc16e 100644
|
|||
network_port(mpd, tcp,6600,s0)
|
||||
network_port(msnp, tcp,1863,s0, udp,1863,s0)
|
||||
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
|
||||
@@ -152,21 +202,31 @@ network_port(mysqlmanagerd, tcp,2273,s0)
|
||||
@@ -152,21 +203,31 @@ network_port(mysqlmanagerd, tcp,2273,s0)
|
||||
network_port(nessus, tcp,1241,s0)
|
||||
network_port(netport, tcp,3129,s0, udp,3129,s0)
|
||||
network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
|
||||
|
|
@ -14688,7 +14689,7 @@ index 99b71cb..f7cc16e 100644
|
|||
network_port(prelude, tcp,4690,s0, udp,4690,s0)
|
||||
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
|
||||
network_port(printer, tcp,515,s0)
|
||||
@@ -179,34 +239,40 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
|
||||
@@ -179,34 +240,40 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
|
||||
network_port(radius, udp,1645,s0, udp,1812,s0)
|
||||
network_port(radsec, tcp,2083,s0)
|
||||
network_port(razor, tcp,2703,s0)
|
||||
|
|
@ -14734,7 +14735,7 @@ index 99b71cb..f7cc16e 100644
|
|||
network_port(traceroute, udp,64000-64010,s0)
|
||||
network_port(transproxy, tcp,8081,s0)
|
||||
network_port(ups, tcp,3493,s0)
|
||||
@@ -215,9 +281,11 @@ network_port(uucpd, tcp,540,s0)
|
||||
@@ -215,9 +282,11 @@ network_port(uucpd, tcp,540,s0)
|
||||
network_port(varnishd, tcp,6081-6082,s0)
|
||||
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
|
||||
network_port(virt_migration, tcp,49152-49216,s0)
|
||||
|
|
@ -14747,7 +14748,7 @@ index 99b71cb..f7cc16e 100644
|
|||
network_port(xdmcp, udp,177,s0, tcp,177,s0)
|
||||
network_port(xen, tcp,8002,s0)
|
||||
network_port(xfs, tcp,7100,s0)
|
||||
@@ -229,6 +297,7 @@ network_port(zookeeper_client, tcp,2181,s0)
|
||||
@@ -229,6 +298,7 @@ network_port(zookeeper_client, tcp,2181,s0)
|
||||
network_port(zookeeper_election, tcp,3888,s0)
|
||||
network_port(zookeeper_leader, tcp,2888,s0)
|
||||
network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
|
||||
|
|
@ -14755,7 +14756,7 @@ index 99b71cb..f7cc16e 100644
|
|||
network_port(zope, tcp,8021,s0)
|
||||
|
||||
# Defaults for reserved ports. Earlier portcon entries take precedence;
|
||||
@@ -238,6 +307,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
|
||||
@@ -238,6 +308,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
|
||||
portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
|
||||
portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
|
||||
portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
|
||||
|
|
@ -14768,7 +14769,7 @@ index 99b71cb..f7cc16e 100644
|
|||
|
||||
########################################
|
||||
#
|
||||
@@ -282,9 +357,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
|
||||
@@ -282,9 +358,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
|
||||
allow corenet_unconfined_type node_type:node *;
|
||||
allow corenet_unconfined_type netif_type:netif *;
|
||||
allow corenet_unconfined_type packet_type:packet *;
|
||||
|
|
@ -25244,7 +25245,7 @@ index e31d92a..e515cb8 100644
|
|||
domain_system_change_exemption($1)
|
||||
role_transition $2 amavis_initrc_exec_t system_r;
|
||||
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
|
||||
index deca9d3..ae8c579 100644
|
||||
index deca9d3..ac92fce 100644
|
||||
--- a/policy/modules/services/amavis.te
|
||||
+++ b/policy/modules/services/amavis.te
|
||||
@@ -38,7 +38,7 @@ type amavis_quarantine_t;
|
||||
|
|
@ -25264,7 +25265,15 @@ index deca9d3..ae8c579 100644
|
|||
|
||||
domain_use_interactive_fds(amavis_t)
|
||||
|
||||
@@ -153,24 +154,28 @@ sysnet_use_ldap(amavis_t)
|
||||
@@ -137,6 +138,7 @@ files_read_usr_files(amavis_t)
|
||||
|
||||
fs_getattr_xattr_fs(amavis_t)
|
||||
|
||||
+auth_use_nsswitch(amavis_t)
|
||||
auth_dontaudit_read_shadow(amavis_t)
|
||||
|
||||
# uses uptime which reads utmp - redhat bug 561383
|
||||
@@ -153,24 +155,28 @@ sysnet_use_ldap(amavis_t)
|
||||
|
||||
userdom_dontaudit_search_user_home_dirs(amavis_t)
|
||||
|
||||
|
|
@ -28230,16 +28239,23 @@ index 4deca04..7859fa1 100644
|
|||
|
||||
optional_policy(`
|
||||
diff --git a/policy/modules/services/bitlbee.fc b/policy/modules/services/bitlbee.fc
|
||||
index 0197980..f8bce2c 100644
|
||||
index 0197980..909ce04 100644
|
||||
--- a/policy/modules/services/bitlbee.fc
|
||||
+++ b/policy/modules/services/bitlbee.fc
|
||||
@@ -4,3 +4,6 @@
|
||||
@@ -1,6 +1,13 @@
|
||||
/etc/rc\.d/init\.d/bitlbee -- gen_context(system_u:object_r:bitlbee_initrc_exec_t,s0)
|
||||
/etc/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_conf_t,s0)
|
||||
|
||||
+/usr/bin/bip -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
|
||||
/usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
|
||||
|
||||
/var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0)
|
||||
+
|
||||
+/var/log/bip(/.*)? gen_context(system_u:object_r:bitlbee_log_t,s0)
|
||||
+
|
||||
+/var/run/bitlbee\.pid -- gen_context(system_u:object_r:bitlbee_var_run_t,s0)
|
||||
+/var/run/bitlbee\.sock -s gen_context(system_u:object_r:bitlbee_var_run_t,s0)
|
||||
+/var/run/bip(/.*)? gen_context(system_u:object_r:bitlbee_var_run_t,s0)
|
||||
diff --git a/policy/modules/services/bitlbee.if b/policy/modules/services/bitlbee.if
|
||||
index de0bd67..1df2048 100644
|
||||
--- a/policy/modules/services/bitlbee.if
|
||||
|
|
@ -28260,13 +28276,16 @@ index de0bd67..1df2048 100644
|
|||
domain_system_change_exemption($1)
|
||||
role_transition $2 bitlbee_initrc_exec_t system_r;
|
||||
diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te
|
||||
index f4e7ad3..2faf42a 100644
|
||||
index f4e7ad3..6b577c2 100644
|
||||
--- a/policy/modules/services/bitlbee.te
|
||||
+++ b/policy/modules/services/bitlbee.te
|
||||
@@ -22,29 +22,40 @@ files_tmp_file(bitlbee_tmp_t)
|
||||
@@ -22,29 +22,47 @@ files_tmp_file(bitlbee_tmp_t)
|
||||
type bitlbee_var_t;
|
||||
files_type(bitlbee_var_t)
|
||||
|
||||
+type bitlbee_log_t;
|
||||
+logging_log_file(bitlbee_log_t)
|
||||
+
|
||||
+type bitlbee_var_run_t;
|
||||
+files_type(bitlbee_var_run_t)
|
||||
+
|
||||
|
|
@ -28277,7 +28296,7 @@ index f4e7ad3..2faf42a 100644
|
|||
|
||||
-allow bitlbee_t self:capability { setgid setuid };
|
||||
-allow bitlbee_t self:process signal;
|
||||
+allow bitlbee_t self:capability { dac_override setgid setuid sys_nice };
|
||||
+allow bitlbee_t self:capability { dac_override kill setgid setuid sys_nice };
|
||||
+allow bitlbee_t self:process { setsched signal };
|
||||
+
|
||||
+allow bitlbee_t self:fifo_file rw_fifo_file_perms;
|
||||
|
|
@ -28300,6 +28319,10 @@ index f4e7ad3..2faf42a 100644
|
|||
manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
|
||||
files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
|
||||
|
||||
+# log files
|
||||
+manage_dirs_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
|
||||
+manage_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
|
||||
+
|
||||
+manage_dirs_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
|
||||
+manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
|
||||
+manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
|
||||
|
|
@ -28308,7 +28331,7 @@ index f4e7ad3..2faf42a 100644
|
|||
kernel_read_system_state(bitlbee_t)
|
||||
|
||||
corenet_all_recvfrom_unlabeled(bitlbee_t)
|
||||
@@ -52,6 +63,7 @@ corenet_udp_sendrecv_generic_if(bitlbee_t)
|
||||
@@ -52,6 +70,7 @@ corenet_udp_sendrecv_generic_if(bitlbee_t)
|
||||
corenet_udp_sendrecv_generic_node(bitlbee_t)
|
||||
corenet_tcp_sendrecv_generic_if(bitlbee_t)
|
||||
corenet_tcp_sendrecv_generic_node(bitlbee_t)
|
||||
|
|
@ -28316,13 +28339,15 @@ index f4e7ad3..2faf42a 100644
|
|||
# Allow bitlbee to connect to jabber servers
|
||||
corenet_tcp_connect_jabber_client_port(bitlbee_t)
|
||||
corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
|
||||
@@ -69,6 +81,9 @@ corenet_tcp_connect_http_port(bitlbee_t)
|
||||
@@ -69,6 +88,11 @@ corenet_tcp_connect_http_port(bitlbee_t)
|
||||
corenet_tcp_sendrecv_http_port(bitlbee_t)
|
||||
corenet_tcp_connect_http_cache_port(bitlbee_t)
|
||||
corenet_tcp_sendrecv_http_cache_port(bitlbee_t)
|
||||
+corenet_tcp_bind_ircd_port(bitlbee_t)
|
||||
+corenet_tcp_sendrecv_ircd_port(bitlbee_t)
|
||||
+corenet_sendrecv_ircd_server_packets(bitlbee_t)
|
||||
+corenet_tcp_bind_interwise_port(bitlbee_t)
|
||||
+corenet_tcp_sendrecv_interwise_port(bitlbee_t)
|
||||
|
||||
dev_read_rand(bitlbee_t)
|
||||
dev_read_urand(bitlbee_t)
|
||||
|
|
@ -35612,7 +35637,7 @@ index 567865f..3a57eb9 100644
|
|||
admin_pattern($1, denyhosts_var_lock_t)
|
||||
')
|
||||
diff --git a/policy/modules/services/denyhosts.te b/policy/modules/services/denyhosts.te
|
||||
index 8ba9425..b10da2c 100644
|
||||
index 8ba9425..555058a 100644
|
||||
--- a/policy/modules/services/denyhosts.te
|
||||
+++ b/policy/modules/services/denyhosts.te
|
||||
@@ -25,7 +25,8 @@ logging_log_file(denyhosts_var_log_t)
|
||||
|
|
@ -35625,7 +35650,7 @@ index 8ba9425..b10da2c 100644
|
|||
allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
allow denyhosts_t self:tcp_socket create_socket_perms;
|
||||
allow denyhosts_t self:udp_socket create_socket_perms;
|
||||
@@ -53,20 +54,28 @@ corenet_tcp_sendrecv_generic_if(denyhosts_t)
|
||||
@@ -53,20 +54,30 @@ corenet_tcp_sendrecv_generic_if(denyhosts_t)
|
||||
corenet_tcp_sendrecv_generic_node(denyhosts_t)
|
||||
corenet_tcp_bind_generic_node(denyhosts_t)
|
||||
corenet_tcp_connect_smtp_port(denyhosts_t)
|
||||
|
|
@ -35636,6 +35661,8 @@ index 8ba9425..b10da2c 100644
|
|||
|
||||
files_read_etc_files(denyhosts_t)
|
||||
+files_read_usr_files(denyhosts_t)
|
||||
+
|
||||
+auth_use_nsswitch(denyhosts_t)
|
||||
|
||||
# /var/log/secure
|
||||
logging_read_generic_logs(denyhosts_t)
|
||||
|
|
@ -45146,6 +45173,16 @@ index 98d28b4..1c1d012 100644
|
|||
+
|
||||
+ delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
|
||||
+')
|
||||
diff --git a/policy/modules/services/memcached.fc b/policy/modules/services/memcached.fc
|
||||
index 4d69477..4079870 100644
|
||||
--- a/policy/modules/services/memcached.fc
|
||||
+++ b/policy/modules/services/memcached.fc
|
||||
@@ -2,4 +2,5 @@
|
||||
|
||||
/usr/bin/memcached -- gen_context(system_u:object_r:memcached_exec_t,s0)
|
||||
|
||||
+/var/run/ipa_memcached -s gen_context(system_u:object_r:memcached_var_run_t,s0)
|
||||
/var/run/memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0)
|
||||
diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if
|
||||
index db4fd6f..ce07b3f 100644
|
||||
--- a/policy/modules/services/memcached.if
|
||||
|
|
@ -45194,7 +45231,7 @@ index db4fd6f..ce07b3f 100644
|
|||
admin_pattern($1, memcached_var_run_t)
|
||||
')
|
||||
diff --git a/policy/modules/services/memcached.te b/policy/modules/services/memcached.te
|
||||
index b681608..08b1b49 100644
|
||||
index b681608..0934c95 100644
|
||||
--- a/policy/modules/services/memcached.te
|
||||
+++ b/policy/modules/services/memcached.te
|
||||
@@ -20,7 +20,7 @@ files_pid_file(memcached_var_run_t)
|
||||
|
|
@ -45206,6 +45243,16 @@ index b681608..08b1b49 100644
|
|||
dontaudit memcached_t self:capability sys_tty_config;
|
||||
allow memcached_t self:process { setrlimit signal_perms };
|
||||
allow memcached_t self:tcp_socket create_stream_socket_perms;
|
||||
@@ -42,7 +42,8 @@ corenet_udp_bind_memcache_port(memcached_t)
|
||||
|
||||
manage_dirs_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
|
||||
manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
|
||||
-files_pid_filetrans(memcached_t, memcached_var_run_t, { file dir })
|
||||
+manage_sock_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
|
||||
+files_pid_filetrans(memcached_t, memcached_var_run_t, { file dir sock_file })
|
||||
|
||||
kernel_read_kernel_sysctls(memcached_t)
|
||||
kernel_read_system_state(memcached_t)
|
||||
diff --git a/policy/modules/services/milter.fc b/policy/modules/services/milter.fc
|
||||
index 55a3e2f..bc489e0 100644
|
||||
--- a/policy/modules/services/milter.fc
|
||||
|
|
@ -60717,7 +60764,7 @@ index bcdd16c..039b0c8 100644
|
|||
files_list_var_lib($1)
|
||||
admin_pattern($1, setroubleshoot_var_lib_t)
|
||||
diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
|
||||
index 086cd5f..a181f01 100644
|
||||
index 086cd5f..6e66656 100644
|
||||
--- a/policy/modules/services/setroubleshoot.te
|
||||
+++ b/policy/modules/services/setroubleshoot.te
|
||||
@@ -32,6 +32,8 @@ files_pid_file(setroubleshoot_var_run_t)
|
||||
|
|
@ -60778,7 +60825,7 @@ index 086cd5f..a181f01 100644
|
|||
seutil_read_config(setroubleshootd_t)
|
||||
seutil_read_file_contexts(setroubleshootd_t)
|
||||
seutil_read_bin_policy(setroubleshootd_t)
|
||||
@@ -121,6 +128,18 @@ seutil_read_bin_policy(setroubleshootd_t)
|
||||
@@ -121,10 +128,23 @@ seutil_read_bin_policy(setroubleshootd_t)
|
||||
userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -60797,7 +60844,12 @@ index 086cd5f..a181f01 100644
|
|||
dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
|
||||
')
|
||||
|
||||
@@ -151,7 +170,11 @@ kernel_read_system_state(setroubleshoot_fixit_t)
|
||||
optional_policy(`
|
||||
+ rpm_exec(setroubleshootd_t)
|
||||
rpm_signull(setroubleshootd_t)
|
||||
rpm_read_db(setroubleshootd_t)
|
||||
rpm_dontaudit_manage_db(setroubleshootd_t)
|
||||
@@ -151,7 +171,11 @@ kernel_read_system_state(setroubleshoot_fixit_t)
|
||||
corecmd_exec_bin(setroubleshoot_fixit_t)
|
||||
corecmd_exec_shell(setroubleshoot_fixit_t)
|
||||
|
||||
|
|
@ -60809,7 +60861,7 @@ index 086cd5f..a181f01 100644
|
|||
|
||||
files_read_usr_files(setroubleshoot_fixit_t)
|
||||
files_read_etc_files(setroubleshoot_fixit_t)
|
||||
@@ -164,6 +187,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
|
||||
@@ -164,6 +188,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
|
||||
|
||||
miscfiles_read_localization(setroubleshoot_fixit_t)
|
||||
|
||||
|
|
@ -75252,7 +75304,7 @@ index 831b909..118f708 100644
|
|||
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
|
||||
index b6ec597..688f59a 100644
|
||||
index b6ec597..dc551f4 100644
|
||||
--- a/policy/modules/system/logging.te
|
||||
+++ b/policy/modules/system/logging.te
|
||||
@@ -5,6 +5,13 @@ policy_module(logging, 1.17.2)
|
||||
|
|
@ -75404,7 +75456,7 @@ index b6ec597..688f59a 100644
|
|||
# manage pid file
|
||||
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
|
||||
files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
|
||||
@@ -426,10 +466,21 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
|
||||
@@ -426,10 +466,22 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
|
||||
corenet_sendrecv_postgresql_client_packets(syslogd_t)
|
||||
corenet_sendrecv_mysqld_client_packets(syslogd_t)
|
||||
|
||||
|
|
@ -75423,10 +75475,11 @@ index b6ec597..688f59a 100644
|
|||
+domain_read_all_domains_state(syslogd_t)
|
||||
domain_use_interactive_fds(syslogd_t)
|
||||
+domain_read_all_domains_state(syslogd_t)
|
||||
+domain_getattr_all_domains(syslogd_t)
|
||||
|
||||
files_read_etc_files(syslogd_t)
|
||||
files_read_usr_files(syslogd_t)
|
||||
@@ -447,7 +498,9 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and
|
||||
@@ -447,7 +499,9 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and
|
||||
term_write_console(syslogd_t)
|
||||
# Allow syslog to a terminal
|
||||
term_write_unallocated_ttys(syslogd_t)
|
||||
|
|
@ -75436,7 +75489,7 @@ index b6ec597..688f59a 100644
|
|||
# for sending messages to logged in users
|
||||
init_read_utmp(syslogd_t)
|
||||
init_dontaudit_write_utmp(syslogd_t)
|
||||
@@ -459,6 +512,7 @@ init_use_fds(syslogd_t)
|
||||
@@ -459,6 +513,7 @@ init_use_fds(syslogd_t)
|
||||
|
||||
# cjp: this doesnt make sense
|
||||
logging_send_syslog_msg(syslogd_t)
|
||||
|
|
@ -75444,7 +75497,7 @@ index b6ec597..688f59a 100644
|
|||
|
||||
miscfiles_read_localization(syslogd_t)
|
||||
|
||||
@@ -496,11 +550,20 @@ optional_policy(`
|
||||
@@ -496,11 +551,20 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -77105,7 +77158,7 @@ index b1a85b5..db0d815 100644
|
|||
## </summary>
|
||||
## <desc>
|
||||
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
|
||||
index a19ecea..99c4da1 100644
|
||||
index a19ecea..486d7f2 100644
|
||||
--- a/policy/modules/system/raid.te
|
||||
+++ b/policy/modules/system/raid.te
|
||||
@@ -10,11 +10,9 @@ type mdadm_exec_t;
|
||||
|
|
@ -77122,7 +77175,7 @@ index a19ecea..99c4da1 100644
|
|||
|
||||
########################################
|
||||
#
|
||||
@@ -23,18 +21,19 @@ files_pid_file(mdadm_var_run_t)
|
||||
@@ -23,18 +21,20 @@ files_pid_file(mdadm_var_run_t)
|
||||
|
||||
allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
|
||||
dontaudit mdadm_t self:capability sys_tty_config;
|
||||
|
|
@ -77138,6 +77191,7 @@ index a19ecea..99c4da1 100644
|
|||
+manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
|
||||
manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
|
||||
-files_pid_filetrans(mdadm_t, mdadm_var_run_t, file)
|
||||
+manage_lnk_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
|
||||
+manage_sock_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
|
||||
+files_pid_filetrans(mdadm_t, mdadm_var_run_t, { file dir })
|
||||
+dev_filetrans(mdadm_t, mdadm_var_run_t, { file dir sock_file })
|
||||
|
|
@ -77148,12 +77202,13 @@ index a19ecea..99c4da1 100644
|
|||
kernel_rw_software_raid_state(mdadm_t)
|
||||
kernel_getattr_core_if(mdadm_t)
|
||||
|
||||
@@ -52,13 +51,16 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t)
|
||||
@@ -52,13 +52,17 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t)
|
||||
dev_read_realtime_clock(mdadm_t)
|
||||
# unfortunately needed for DMI decoding:
|
||||
dev_read_raw_memory(mdadm_t)
|
||||
+dev_read_generic_files(mdadm_t)
|
||||
|
||||
+domain_read_all_domains_state(mdadm_t)
|
||||
domain_use_interactive_fds(mdadm_t)
|
||||
|
||||
files_read_etc_files(mdadm_t)
|
||||
|
|
@ -77166,7 +77221,7 @@ index a19ecea..99c4da1 100644
|
|||
fs_dontaudit_list_tmpfs(mdadm_t)
|
||||
|
||||
mls_file_read_all_levels(mdadm_t)
|
||||
@@ -68,6 +70,7 @@ mls_file_write_all_levels(mdadm_t)
|
||||
@@ -68,9 +72,12 @@ mls_file_write_all_levels(mdadm_t)
|
||||
storage_manage_fixed_disk(mdadm_t)
|
||||
storage_dev_filetrans_fixed_disk(mdadm_t)
|
||||
storage_read_scsi_generic(mdadm_t)
|
||||
|
|
@ -77174,7 +77229,12 @@ index a19ecea..99c4da1 100644
|
|||
|
||||
term_dontaudit_list_ptys(mdadm_t)
|
||||
|
||||
@@ -84,6 +87,10 @@ userdom_dontaudit_use_user_terminals(mdadm_t)
|
||||
+auth_use_nsswitch(mdadm_t)
|
||||
+
|
||||
init_dontaudit_getattr_initctl(mdadm_t)
|
||||
|
||||
logging_send_syslog_msg(mdadm_t)
|
||||
@@ -84,6 +91,10 @@ userdom_dontaudit_use_user_terminals(mdadm_t)
|
||||
mta_send_mail(mdadm_t)
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -81035,7 +81095,7 @@ index db75976..ce61aed 100644
|
|||
+
|
||||
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
|
||||
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
|
||||
index 4b2878a..330f877 100644
|
||||
index 4b2878a..eeb5b5a 100644
|
||||
--- a/policy/modules/system/userdomain.if
|
||||
+++ b/policy/modules/system/userdomain.if
|
||||
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
|
||||
|
|
@ -82671,12 +82731,16 @@ index 4b2878a..330f877 100644
|
|||
## Mmap user home files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1700,12 +2186,32 @@ interface(`userdom_read_user_home_content_files',`
|
||||
@@ -1698,14 +2184,35 @@ interface(`userdom_mmap_user_home_content_files',`
|
||||
interface(`userdom_read_user_home_content_files',`
|
||||
gen_require(`
|
||||
type user_home_dir_t, user_home_t;
|
||||
+ attribute user_home_type;
|
||||
')
|
||||
|
||||
+ list_dirs_pattern($1, { user_home_dir_t user_home_t }, { user_home_dir_t user_home_t })
|
||||
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
|
||||
- read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
|
||||
+ list_dirs_pattern($1, { user_home_dir_t user_home_type }, { user_home_dir_t user_home_type })
|
||||
+ read_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
|
||||
files_search_home($1)
|
||||
')
|
||||
|
||||
|
|
@ -82704,7 +82768,7 @@ index 4b2878a..330f877 100644
|
|||
## Do not audit attempts to read user home files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1716,11 +2222,14 @@ interface(`userdom_read_user_home_content_files',`
|
||||
@@ -1716,11 +2223,14 @@ interface(`userdom_read_user_home_content_files',`
|
||||
#
|
||||
interface(`userdom_dontaudit_read_user_home_content_files',`
|
||||
gen_require(`
|
||||
|
|
@ -82722,7 +82786,7 @@ index 4b2878a..330f877 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1779,6 +2288,60 @@ interface(`userdom_delete_user_home_content_files',`
|
||||
@@ -1779,6 +2289,60 @@ interface(`userdom_delete_user_home_content_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -82783,7 +82847,7 @@ index 4b2878a..330f877 100644
|
|||
## Do not audit attempts to write user home files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1810,8 +2373,7 @@ interface(`userdom_read_user_home_content_symlinks',`
|
||||
@@ -1810,8 +2374,7 @@ interface(`userdom_read_user_home_content_symlinks',`
|
||||
type user_home_dir_t, user_home_t;
|
||||
')
|
||||
|
||||
|
|
@ -82793,7 +82857,7 @@ index 4b2878a..330f877 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1827,20 +2389,14 @@ interface(`userdom_read_user_home_content_symlinks',`
|
||||
@@ -1827,20 +2390,14 @@ interface(`userdom_read_user_home_content_symlinks',`
|
||||
#
|
||||
interface(`userdom_exec_user_home_content_files',`
|
||||
gen_require(`
|
||||
|
|
@ -82818,7 +82882,16 @@ index 4b2878a..330f877 100644
|
|||
|
||||
########################################
|
||||
## <summary>
|
||||
@@ -1941,6 +2497,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
|
||||
@@ -1920,7 +2477,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
|
||||
allow $1 user_home_dir_t:dir search_dir_perms;
|
||||
files_search_home($1)
|
||||
')
|
||||
-
|
||||
+/
|
||||
########################################
|
||||
## <summary>
|
||||
## Delete symbolic links in a user home directory.
|
||||
@@ -1941,6 +2498,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -82843,7 +82916,7 @@ index 4b2878a..330f877 100644
|
|||
## Create, read, write, and delete named pipes
|
||||
## in a user home subdirectory.
|
||||
## </summary>
|
||||
@@ -2008,7 +2582,7 @@ interface(`userdom_user_home_dir_filetrans',`
|
||||
@@ -2008,7 +2583,7 @@ interface(`userdom_user_home_dir_filetrans',`
|
||||
type user_home_dir_t;
|
||||
')
|
||||
|
||||
|
|
@ -82852,7 +82925,7 @@ index 4b2878a..330f877 100644
|
|||
files_search_home($1)
|
||||
')
|
||||
|
||||
@@ -2039,7 +2613,7 @@ interface(`userdom_user_home_content_filetrans',`
|
||||
@@ -2039,7 +2614,7 @@ interface(`userdom_user_home_content_filetrans',`
|
||||
type user_home_dir_t, user_home_t;
|
||||
')
|
||||
|
||||
|
|
@ -82861,7 +82934,7 @@ index 4b2878a..330f877 100644
|
|||
allow $1 user_home_dir_t:dir search_dir_perms;
|
||||
files_search_home($1)
|
||||
')
|
||||
@@ -2182,7 +2756,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
|
||||
@@ -2182,7 +2757,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
|
||||
type user_tmp_t;
|
||||
')
|
||||
|
||||
|
|
@ -82870,7 +82943,7 @@ index 4b2878a..330f877 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2390,7 +2964,7 @@ interface(`userdom_user_tmp_filetrans',`
|
||||
@@ -2390,7 +2965,7 @@ interface(`userdom_user_tmp_filetrans',`
|
||||
type user_tmp_t;
|
||||
')
|
||||
|
||||
|
|
@ -82879,7 +82952,7 @@ index 4b2878a..330f877 100644
|
|||
files_search_tmp($1)
|
||||
')
|
||||
|
||||
@@ -2419,6 +2993,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
|
||||
@@ -2419,6 +2994,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
|
||||
files_tmp_filetrans($1, user_tmp_t, $2)
|
||||
')
|
||||
|
||||
|
|
@ -82905,7 +82978,7 @@ index 4b2878a..330f877 100644
|
|||
########################################
|
||||
## <summary>
|
||||
## Read user tmpfs files.
|
||||
@@ -2435,13 +3028,14 @@ interface(`userdom_read_user_tmpfs_files',`
|
||||
@@ -2435,13 +3029,14 @@ interface(`userdom_read_user_tmpfs_files',`
|
||||
')
|
||||
|
||||
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
|
||||
|
|
@ -82921,7 +82994,7 @@ index 4b2878a..330f877 100644
|
|||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -2462,7 +3056,7 @@ interface(`userdom_rw_user_tmpfs_files',`
|
||||
@@ -2462,7 +3057,7 @@ interface(`userdom_rw_user_tmpfs_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -82930,7 +83003,7 @@ index 4b2878a..330f877 100644
|
|||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -2470,14 +3064,30 @@ interface(`userdom_rw_user_tmpfs_files',`
|
||||
@@ -2470,14 +3065,30 @@ interface(`userdom_rw_user_tmpfs_files',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
|
@ -82965,7 +83038,7 @@ index 4b2878a..330f877 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2572,6 +3182,24 @@ interface(`userdom_use_user_ttys',`
|
||||
@@ -2572,6 +3183,24 @@ interface(`userdom_use_user_ttys',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -82990,7 +83063,7 @@ index 4b2878a..330f877 100644
|
|||
## Read and write a user domain pty.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -2590,22 +3218,34 @@ interface(`userdom_use_user_ptys',`
|
||||
@@ -2590,22 +3219,34 @@ interface(`userdom_use_user_ptys',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -83033,7 +83106,7 @@ index 4b2878a..330f877 100644
|
|||
## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -2614,14 +3254,33 @@ interface(`userdom_use_user_ptys',`
|
||||
@@ -2614,14 +3255,33 @@ interface(`userdom_use_user_ptys',`
|
||||
## </param>
|
||||
## <infoflow type="both" weight="10"/>
|
||||
#
|
||||
|
|
@ -83071,7 +83144,7 @@ index 4b2878a..330f877 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2640,8 +3299,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
|
||||
@@ -2640,8 +3300,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
|
||||
type user_tty_device_t, user_devpts_t;
|
||||
')
|
||||
|
||||
|
|
@ -83101,7 +83174,7 @@ index 4b2878a..330f877 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2713,45 +3391,45 @@ interface(`userdom_spec_domtrans_unpriv_users',`
|
||||
@@ -2713,45 +3392,45 @@ interface(`userdom_spec_domtrans_unpriv_users',`
|
||||
allow unpriv_userdomain $1:process sigchld;
|
||||
')
|
||||
|
||||
|
|
@ -83167,7 +83240,7 @@ index 4b2878a..330f877 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2772,25 +3450,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
|
||||
@@ -2772,25 +3451,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
|
||||
allow $1 unpriv_userdomain:sem create_sem_perms;
|
||||
')
|
||||
|
||||
|
|
@ -83193,7 +83266,7 @@ index 4b2878a..330f877 100644
|
|||
########################################
|
||||
## <summary>
|
||||
## Manage unpriviledged user SysV shared
|
||||
@@ -2852,7 +3511,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
|
||||
@@ -2852,7 +3512,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
|
||||
|
||||
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
|
||||
allow unpriv_userdomain $1:fd use;
|
||||
|
|
@ -83202,7 +83275,7 @@ index 4b2878a..330f877 100644
|
|||
allow unpriv_userdomain $1:process sigchld;
|
||||
')
|
||||
|
||||
@@ -2868,29 +3527,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
|
||||
@@ -2868,29 +3528,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
|
||||
#
|
||||
interface(`userdom_search_user_home_content',`
|
||||
gen_require(`
|
||||
|
|
@ -83236,7 +83309,7 @@ index 4b2878a..330f877 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2972,7 +3615,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
|
||||
@@ -2972,7 +3616,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
|
||||
type user_devpts_t;
|
||||
')
|
||||
|
||||
|
|
@ -83245,7 +83318,7 @@ index 4b2878a..330f877 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -3027,7 +3670,45 @@ interface(`userdom_write_user_tmp_files',`
|
||||
@@ -3027,7 +3671,45 @@ interface(`userdom_write_user_tmp_files',`
|
||||
type user_tmp_t;
|
||||
')
|
||||
|
||||
|
|
@ -83292,7 +83365,7 @@ index 4b2878a..330f877 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -3045,7 +3726,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
|
||||
@@ -3045,7 +3727,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
|
||||
type user_tty_device_t;
|
||||
')
|
||||
|
||||
|
|
@ -83301,7 +83374,7 @@ index 4b2878a..330f877 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -3064,6 +3745,7 @@ interface(`userdom_read_all_users_state',`
|
||||
@@ -3064,6 +3746,7 @@ interface(`userdom_read_all_users_state',`
|
||||
')
|
||||
|
||||
read_files_pattern($1, userdomain, userdomain)
|
||||
|
|
@ -83309,7 +83382,7 @@ index 4b2878a..330f877 100644
|
|||
kernel_search_proc($1)
|
||||
')
|
||||
|
||||
@@ -3142,6 +3824,24 @@ interface(`userdom_signal_all_users',`
|
||||
@@ -3142,6 +3825,24 @@ interface(`userdom_signal_all_users',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -83334,7 +83407,7 @@ index 4b2878a..330f877 100644
|
|||
## Send a SIGCHLD signal to all user domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -3160,6 +3860,24 @@ interface(`userdom_sigchld_all_users',`
|
||||
@@ -3160,6 +3861,24 @@ interface(`userdom_sigchld_all_users',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -83359,7 +83432,7 @@ index 4b2878a..330f877 100644
|
|||
## Create keys for all user domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -3194,3 +3912,1236 @@ interface(`userdom_dbus_send_all_users',`
|
||||
@@ -3194,3 +3913,1236 @@ interface(`userdom_dbus_send_all_users',`
|
||||
|
||||
allow $1 userdomain:dbus send_msg;
|
||||
')
|
||||
|
|
|
|||
|
|
@ -16,7 +16,7 @@
|
|||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.10.0
|
||||
Release: 76%{?dist}
|
||||
Release: 77%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
|
|
@ -471,6 +471,17 @@ SELinux Reference policy mls base module.
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Jan 23 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-77
|
||||
- Treat Bip with bitlbee policy
|
||||
* Bip is an IRC proxy
|
||||
- Add port definition for interwise port
|
||||
- Add support for ipa_memcached socket
|
||||
- systemd_jounald needs to getattr on all processes
|
||||
- mdadmin fixes
|
||||
* uses getpw
|
||||
- amavisd calls getpwnam()
|
||||
- denyhosts calls getpwall()
|
||||
|
||||
* Fri Jan 20 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-76
|
||||
- Setup labeling of /var/rsa and /var/lib/rsa to allow login programs to write there
|
||||
- bluetooth says they do not use /tmp and want to remove the type
|
||||
|
|
@ -479,7 +490,7 @@ SELinux Reference policy mls base module.
|
|||
- Allow postfix_smtpd_t to connect to spamd
|
||||
- Add boolean to allow ftp to connect to all ports > 1023
|
||||
- Allow sendmain to write to inherited dovecot tmp files
|
||||
|
||||
- setroubleshoot needs to be able to execute rpm to see what version of packages
|
||||
* Mon Jan 16 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-75
|
||||
- Merge systemd patch
|
||||
- systemd-tmpfiles wants to relabel /sys/devices/system/cpu/online
|
||||
|
|
|
|||
Loading…
Reference in New Issue