- Label sddm as xdm_exec_t to make KDE working again
- Allow postgresql to read network state - Allow java running as pki_tomcat to read network sysctls - Fix cgroup.te to allow cgred to read cgconfig_etc_t - Allow beam.smp to use ephemeral ports - Allow winbind to use the nis to authenticate passwords
This commit is contained in:
parent
6337678e76
commit
8e18cc2081
@ -21013,7 +21013,7 @@ index 9d2f311..9e87525 100644
|
||||
+ postgresql_filetrans_named_content($1)
|
||||
')
|
||||
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
|
||||
index 0306134..68598c7 100644
|
||||
index 0306134..ae0d841 100644
|
||||
--- a/policy/modules/services/postgresql.te
|
||||
+++ b/policy/modules/services/postgresql.te
|
||||
@@ -19,25 +19,32 @@ gen_require(`
|
||||
@ -21087,7 +21087,13 @@ index 0306134..68598c7 100644
|
||||
manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t)
|
||||
logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir })
|
||||
|
||||
@@ -304,7 +313,6 @@ kernel_list_proc(postgresql_t)
|
||||
@@ -299,12 +308,12 @@ manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run
|
||||
files_pid_filetrans(postgresql_t, postgresql_var_run_t, { dir file })
|
||||
|
||||
kernel_read_kernel_sysctls(postgresql_t)
|
||||
+kernel_read_network_state(postgresql_t)
|
||||
kernel_read_system_state(postgresql_t)
|
||||
kernel_list_proc(postgresql_t)
|
||||
kernel_read_all_sysctls(postgresql_t)
|
||||
kernel_read_proc_symlinks(postgresql_t)
|
||||
|
||||
@ -21095,7 +21101,7 @@ index 0306134..68598c7 100644
|
||||
corenet_all_recvfrom_netlabel(postgresql_t)
|
||||
corenet_tcp_sendrecv_generic_if(postgresql_t)
|
||||
corenet_udp_sendrecv_generic_if(postgresql_t)
|
||||
@@ -342,8 +350,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
|
||||
@@ -342,8 +351,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
|
||||
domain_use_interactive_fds(postgresql_t)
|
||||
|
||||
files_dontaudit_search_home(postgresql_t)
|
||||
@ -21105,7 +21111,7 @@ index 0306134..68598c7 100644
|
||||
files_read_etc_runtime_files(postgresql_t)
|
||||
files_read_usr_files(postgresql_t)
|
||||
|
||||
@@ -354,20 +361,28 @@ init_read_utmp(postgresql_t)
|
||||
@@ -354,20 +362,28 @@ init_read_utmp(postgresql_t)
|
||||
logging_send_syslog_msg(postgresql_t)
|
||||
logging_send_audit_msgs(postgresql_t)
|
||||
|
||||
@ -21137,7 +21143,7 @@ index 0306134..68598c7 100644
|
||||
allow postgresql_t self:process execmem;
|
||||
')
|
||||
|
||||
@@ -485,10 +500,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin
|
||||
@@ -485,10 +501,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin
|
||||
# It is always allowed to operate temporary objects for any database client.
|
||||
allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom };
|
||||
|
||||
@ -21194,7 +21200,7 @@ index 0306134..68598c7 100644
|
||||
allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name };
|
||||
')
|
||||
|
||||
@@ -536,7 +593,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
|
||||
@@ -536,7 +594,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
|
||||
|
||||
kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
|
||||
|
||||
@ -21203,7 +21209,7 @@ index 0306134..68598c7 100644
|
||||
allow sepgsql_admin_type sepgsql_database_type:db_database *;
|
||||
|
||||
allow sepgsql_admin_type sepgsql_schema_type:db_schema *;
|
||||
@@ -589,3 +646,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
|
||||
@@ -589,3 +647,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
|
||||
allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
|
||||
|
||||
kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)
|
||||
@ -22607,7 +22613,7 @@ index cc877c7..a8b01bf 100644
|
||||
+ xserver_rw_xdm_pipes(ssh_agent_type)
|
||||
+')
|
||||
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
|
||||
index 8274418..0069d82 100644
|
||||
index 8274418..522a2f0 100644
|
||||
--- a/policy/modules/services/xserver.fc
|
||||
+++ b/policy/modules/services/xserver.fc
|
||||
@@ -2,13 +2,35 @@
|
||||
@ -22669,7 +22675,7 @@ index 8274418..0069d82 100644
|
||||
/etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
|
||||
/etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
|
||||
/etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
|
||||
@@ -46,26 +76,33 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
||||
@@ -46,26 +76,34 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
||||
# /tmp
|
||||
#
|
||||
|
||||
@ -22695,6 +22701,7 @@ index 8274418..0069d82 100644
|
||||
-/usr/s?bin/[xkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
||||
+/usr/s?bin/[mxgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
||||
+
|
||||
+/usr/bin/sddm -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
||||
+/usr/bin/sddm-greeter -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
||||
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
||||
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
|
||||
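Review bot: `/usr/bin/sddm-greeter` is labeled xdm_exec_t alongside `/usr/bin/sddm`, so the greeter — the part that draws the login screen and collects the typed credentials, and which sddm itself (as far as I recall) runs as a dedicated unprivileged user — is placed in the same xdm_t domain as the privileged display-manager daemon instead of a less privileged one. Only one of the two sddm lines is new in this commit (the hunk grows by a single line), so the remark applies to whichever is the addition. If sharing xdm_t is intended, a one-line comment next to it would save the next maintainer the question, e.g. `# sddm-greeter runs in xdm_t like the daemon; no separate greeter domain`; otherwise a dedicated greeter type would preserve the separation sddm provides at the user level.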
@ -22709,7 +22716,7 @@ index 8274418..0069d82 100644
|
||||
|
||||
/usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||
|
||||
@@ -92,18 +129,31 @@ ifndef(`distro_debian',`
|
||||
@@ -92,18 +130,31 @@ ifndef(`distro_debian',`
|
||||
|
||||
/var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||
/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||
@ -22745,7 +22752,7 @@ index 8274418..0069d82 100644
|
||||
/var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||
/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||
/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||
@@ -112,6 +162,16 @@ ifndef(`distro_debian',`
|
||||
@@ -112,6 +163,16 @@ ifndef(`distro_debian',`
|
||||
/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||
|
||||
|
@ -11226,7 +11226,7 @@ index 85ca63f..1d1c99c 100644
|
||||
admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
|
||||
files_list_etc($1)
|
||||
diff --git a/cgroup.te b/cgroup.te
|
||||
index 80a88a2..7cebead 100644
|
||||
index 80a88a2..ec869f5 100644
|
||||
--- a/cgroup.te
|
||||
+++ b/cgroup.te
|
||||
@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
|
||||
@ -11279,7 +11279,7 @@ index 80a88a2..7cebead 100644
|
||||
allow cgred_t self:netlink_socket { write bind create read };
|
||||
allow cgred_t self:unix_dgram_socket { write create connect };
|
||||
|
||||
+allow cgred_t cgconfig_t:file read_file_perms;
|
||||
+allow cgred_t cgconfig_etc_t:file read_file_perms;
|
||||
allow cgred_t cgrules_etc_t:file read_file_perms;
|
||||
|
||||
allow cgred_t cgred_log_t:file { append_file_perms create_file_perms setattr_file_perms };
|
||||
@ -40690,10 +40690,10 @@ index e08c55d..24b56e9 100644
|
||||
+ files_var_filetrans(man2html_script_t, man2html_rw_content_t, { dir file })
|
||||
+')
|
||||
diff --git a/mandb.fc b/mandb.fc
|
||||
index 8ae78b5..16e55cd 100644
|
||||
index 8ae78b5..b365cdd 100644
|
||||
--- a/mandb.fc
|
||||
+++ b/mandb.fc
|
||||
@@ -1 +1,11 @@
|
||||
@@ -1 +1,12 @@
|
||||
+HOME_DIR/\.manpath -- gen_context(system_u:object_r:mandb_home_t,s0)
|
||||
+
|
||||
/etc/cron\.(daily|weekly)/man-db.* -- gen_context(system_u:object_r:mandb_exec_t,s0)
|
||||
@ -40705,6 +40705,7 @@ index 8ae78b5..16e55cd 100644
|
||||
+
|
||||
+/var/lock/man-db\.lock -- gen_context(system_u:object_r:mandb_lock_t,s0)
|
||||
+
|
||||
+/root/.manpath -- gen_context(system_u:object_r:mandb_home_t,s0)
|
||||
diff --git a/mandb.if b/mandb.if
|
||||
index 327f3f7..4f61561 100644
|
||||
--- a/mandb.if
|
||||
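Review bot: `/root/.manpath` at the end of this hunk leaves the dot unescaped, so as a file-context regex it also matches names such as `/root/Xmanpath`; the `HOME_DIR/\.manpath` entry at the top of the same file escapes it, and this line should read `/root/\.manpath -- gen_context(system_u:object_r:mandb_home_t,s0)`. This mandb.fc addition is also absent from the 3.13.1-38 changelog entry, and the same appears to hold for `nis_authenticate(nscd_t)` in the nscd.te hunk and `samba_stream_connect_nmbd(rpcd_t)` in the rpc.te hunk, both of which look new in this commit; a bullet for each would keep the spec's changelog in step with the patch.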
@ -52430,7 +52431,7 @@ index 8f2ab09..bc2c7fe 100644
|
||||
+ allow $1 nscd_unit_file_t:service all_service_perms;
|
||||
')
|
||||
diff --git a/nscd.te b/nscd.te
|
||||
index bcd7d0a..8cc5de9 100644
|
||||
index bcd7d0a..0188086 100644
|
||||
--- a/nscd.te
|
||||
+++ b/nscd.te
|
||||
@@ -4,33 +4,34 @@ gen_require(`
|
||||
@ -52580,44 +52581,45 @@ index bcd7d0a..8cc5de9 100644
|
||||
userdom_dontaudit_use_user_terminals(nscd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(nscd_t)
|
||||
userdom_dontaudit_search_user_home_dirs(nscd_t)
|
||||
@@ -121,20 +131,31 @@ optional_policy(`
|
||||
@@ -121,13 +131,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- tunable_policy(`samba_domain_controller',`
|
||||
- samba_append_log(nscd_t)
|
||||
- samba_dontaudit_use_fds(nscd_t)
|
||||
- ')
|
||||
+ kerberos_use(nscd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ udev_read_db(nscd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ xen_dontaudit_rw_unix_stream_sockets(nscd_t)
|
||||
+ xen_append_log(nscd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
tunable_policy(`samba_domain_controller',`
|
||||
samba_append_log(nscd_t)
|
||||
samba_dontaudit_use_fds(nscd_t)
|
||||
')
|
||||
-
|
||||
|
||||
- samba_read_config(nscd_t)
|
||||
- samba_read_var_files(nscd_t)
|
||||
+optional_policy(`
|
||||
+ nis_authenticate(nscd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- udev_read_db(nscd_t)
|
||||
@@ -138,3 +146,20 @@ optional_policy(`
|
||||
xen_dontaudit_rw_unix_stream_sockets(nscd_t)
|
||||
xen_append_log(nscd_t)
|
||||
')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ tunable_policy(`samba_domain_controller',`
|
||||
+ samba_append_log(nscd_t)
|
||||
+ samba_dontaudit_use_fds(nscd_t)
|
||||
+ ')
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ samba_read_config(nscd_t)
|
||||
+ samba_read_var_files(nscd_t)
|
||||
+ samba_stream_connect_nmbd(nscd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- xen_dontaudit_rw_unix_stream_sockets(nscd_t)
|
||||
- xen_append_log(nscd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ unconfined_dontaudit_rw_packet_sockets(nscd_t)
|
||||
')
|
||||
+')
|
||||
diff --git a/nsd.fc b/nsd.fc
|
||||
index 4f2b1b6..5348e92 100644
|
||||
--- a/nsd.fc
|
||||
@ -61401,10 +61403,10 @@ index 0000000..798efb6
|
||||
+')
|
||||
diff --git a/pki.te b/pki.te
|
||||
new file mode 100644
|
||||
index 0000000..5c64daf
|
||||
index 0000000..e8c6156
|
||||
--- /dev/null
|
||||
+++ b/pki.te
|
||||
@@ -0,0 +1,272 @@
|
||||
@@ -0,0 +1,273 @@
|
||||
+policy_module(pki,10.0.11)
|
||||
+
|
||||
+########################################
|
||||
@ -61516,6 +61518,7 @@ index 0000000..5c64daf
|
||||
+search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t)
|
||||
+
|
||||
+kernel_read_kernel_sysctls(pki_tomcat_t)
|
||||
+kernel_read_net_sysctls(pki_tomcat_t)
|
||||
+
|
||||
+corenet_tcp_connect_http_cache_port(pki_tomcat_t)
|
||||
+corenet_tcp_connect_ldap_port(pki_tomcat_t)
|
||||
@ -72742,7 +72745,7 @@ index 2c3d338..cf3e5ad 100644
|
||||
|
||||
########################################
|
||||
diff --git a/rabbitmq.te b/rabbitmq.te
|
||||
index dc3b0ed..c77c09c 100644
|
||||
index dc3b0ed..e0806a1 100644
|
||||
--- a/rabbitmq.te
|
||||
+++ b/rabbitmq.te
|
||||
@@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t)
|
||||
@ -72785,7 +72788,7 @@ index dc3b0ed..c77c09c 100644
|
||||
can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
|
||||
|
||||
domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
|
||||
@@ -55,51 +64,63 @@ kernel_read_fs_sysctls(rabbitmq_beam_t)
|
||||
@@ -55,51 +64,64 @@ kernel_read_fs_sysctls(rabbitmq_beam_t)
|
||||
corecmd_exec_bin(rabbitmq_beam_t)
|
||||
corecmd_exec_shell(rabbitmq_beam_t)
|
||||
|
||||
@ -72797,6 +72800,7 @@ index dc3b0ed..c77c09c 100644
|
||||
corenet_tcp_sendrecv_generic_node(rabbitmq_beam_t)
|
||||
corenet_tcp_bind_generic_node(rabbitmq_beam_t)
|
||||
+corenet_tcp_connect_all_ephemeral_ports(rabbitmq_beam_t)
|
||||
+corenet_tcp_bind_all_ephemeral_ports(rabbitmq_beam_t)
|
||||
|
||||
corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
|
||||
-corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
|
||||
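Review bot: `corenet_tcp_bind_all_ephemeral_ports(rabbitmq_beam_t)` lets the Erlang VM listen on any port carrying ephemeral_port_t, a label shared with every other service using that range, and the companion connect rule opens the whole range outbound; only one of the two lines is new here (the hunk grows by one line). Presumably the listener is the Erlang distribution port, which is assigned dynamically, and a comment saying so would keep the rule from being read as a leftover, e.g. `# beam.smp distribution listener gets a dynamically assigned port`. Where a deployment pins the listener to a fixed range, a dedicated port type would be the tighter alternative to the whole ephemeral range.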
@ -72865,7 +72869,7 @@ index dc3b0ed..c77c09c 100644
|
||||
allow rabbitmq_epmd_t self:process signal;
|
||||
allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
|
||||
@@ -107,6 +128,8 @@ allow rabbitmq_epmd_t self:unix_stream_socket { accept listen };
|
||||
@@ -107,6 +129,8 @@ allow rabbitmq_epmd_t self:unix_stream_socket { accept listen };
|
||||
|
||||
allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms;
|
||||
|
||||
@ -72874,7 +72878,7 @@ index dc3b0ed..c77c09c 100644
|
||||
corenet_all_recvfrom_unlabeled(rabbitmq_epmd_t)
|
||||
corenet_all_recvfrom_netlabel(rabbitmq_epmd_t)
|
||||
corenet_tcp_sendrecv_generic_if(rabbitmq_epmd_t)
|
||||
@@ -117,8 +140,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
|
||||
@@ -117,8 +141,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
|
||||
corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
|
||||
corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
|
||||
|
||||
@ -79183,7 +79187,7 @@ index 0bf13c2..d59aef7 100644
|
||||
type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;
|
||||
type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;
|
||||
diff --git a/rpc.te b/rpc.te
|
||||
index 2da9fca..09e0307 100644
|
||||
index 2da9fca..f47a20e 100644
|
||||
--- a/rpc.te
|
||||
+++ b/rpc.te
|
||||
@@ -6,22 +6,20 @@ policy_module(rpc, 1.15.1)
|
||||
@ -79334,35 +79338,38 @@ index 2da9fca..09e0307 100644
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
term_dontaudit_use_unallocated_ttys(rpcd_t)
|
||||
@@ -181,19 +180,23 @@ optional_policy(`
|
||||
@@ -181,19 +180,27 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- nis_read_ypserv_config(rpcd_t)
|
||||
+ domain_unconfined_signal(rpcd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ quota_manage_db(rpcd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
nis_read_ypserv_config(rpcd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- quota_manage_db_files(rpcd_t)
|
||||
+ quota_manage_db(rpcd_t)
|
||||
+ quota_read_db(rpcd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- rgmanager_manage_tmp_files(rpcd_t)
|
||||
+ nis_read_ypserv_config(rpcd_t)
|
||||
+ rhcs_manage_cluster_tmp_files(rpcd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- unconfined_signal(rpcd_t)
|
||||
+ quota_read_db(rpcd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ rhcs_manage_cluster_tmp_files(rpcd_t)
|
||||
+ samba_stream_connect_nmbd(rpcd_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -202,41 +205,56 @@ optional_policy(`
|
||||
@@ -202,41 +209,56 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
|
||||
@ -79428,7 +79435,7 @@ index 2da9fca..09e0307 100644
|
||||
miscfiles_manage_public_files(nfsd_t)
|
||||
')
|
||||
|
||||
@@ -245,7 +263,6 @@ tunable_policy(`nfs_export_all_rw',`
|
||||
@@ -245,7 +267,6 @@ tunable_policy(`nfs_export_all_rw',`
|
||||
dev_getattr_all_chr_files(nfsd_t)
|
||||
|
||||
fs_read_noxattr_fs_files(nfsd_t)
|
||||
@ -79436,7 +79443,7 @@ index 2da9fca..09e0307 100644
|
||||
')
|
||||
|
||||
tunable_policy(`nfs_export_all_ro',`
|
||||
@@ -257,12 +274,12 @@ tunable_policy(`nfs_export_all_ro',`
|
||||
@@ -257,12 +278,12 @@ tunable_policy(`nfs_export_all_ro',`
|
||||
|
||||
fs_read_noxattr_fs_files(nfsd_t)
|
||||
|
||||
@ -79451,7 +79458,7 @@ index 2da9fca..09e0307 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -270,7 +287,7 @@ optional_policy(`
|
||||
@@ -270,7 +291,7 @@ optional_policy(`
|
||||
# GSSD local policy
|
||||
#
|
||||
|
||||
@ -79460,7 +79467,7 @@ index 2da9fca..09e0307 100644
|
||||
allow gssd_t self:process { getsched setsched };
|
||||
allow gssd_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
@@ -280,6 +297,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
|
||||
@@ -280,6 +301,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
|
||||
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
|
||||
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
|
||||
|
||||
@ -79468,7 +79475,7 @@ index 2da9fca..09e0307 100644
|
||||
kernel_read_network_state(gssd_t)
|
||||
kernel_read_network_state_symlinks(gssd_t)
|
||||
kernel_request_load_module(gssd_t)
|
||||
@@ -288,25 +306,30 @@ kernel_signal(gssd_t)
|
||||
@@ -288,25 +310,30 @@ kernel_signal(gssd_t)
|
||||
|
||||
corecmd_exec_bin(gssd_t)
|
||||
|
||||
@ -79502,7 +79509,7 @@ index 2da9fca..09e0307 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -314,9 +337,12 @@ optional_policy(`
|
||||
@@ -314,9 +341,12 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -82870,7 +82877,7 @@ index 50d07fb..bada62f 100644
|
||||
+ allow $1 samba_unit_file_t:service all_service_perms;
|
||||
')
|
||||
diff --git a/samba.te b/samba.te
|
||||
index 2b7c441..c80c3f6 100644
|
||||
index 2b7c441..127ac9e 100644
|
||||
--- a/samba.te
|
||||
+++ b/samba.te
|
||||
@@ -6,100 +6,80 @@ policy_module(samba, 1.16.3)
|
||||
@ -83591,14 +83598,14 @@ index 2b7c441..c80c3f6 100644
|
||||
-
|
||||
userdom_use_unpriv_users_fds(nmbd_t)
|
||||
-userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
|
||||
-
|
||||
+userdom_dontaudit_search_user_home_dirs(nmbd_t)
|
||||
|
||||
-tunable_policy(`samba_export_all_ro',`
|
||||
- fs_read_noxattr_fs_files(nmbd_t)
|
||||
- files_list_non_auth_dirs(nmbd_t)
|
||||
- files_read_non_auth_files(nmbd_t)
|
||||
-')
|
||||
+userdom_dontaudit_search_user_home_dirs(nmbd_t)
|
||||
|
||||
-
|
||||
-tunable_policy(`samba_export_all_rw',`
|
||||
- fs_read_noxattr_fs_files(nmbd_t)
|
||||
- files_manage_non_auth_files(nmbd_t)
|
||||
@ -83774,13 +83781,13 @@ index 2b7c441..c80c3f6 100644
|
||||
-allow swat_t { nmbd_t smbd_t }:process { signal signull };
|
||||
+samba_domtrans_smbd(swat_t)
|
||||
+allow swat_t smbd_t:process { signal signull };
|
||||
+
|
||||
+samba_domtrans_nmbd(swat_t)
|
||||
+allow swat_t nmbd_t:process { signal signull };
|
||||
+allow nmbd_t swat_t:process signal;
|
||||
|
||||
-allow swat_t smbd_var_run_t:file read_file_perms;
|
||||
-allow swat_t smbd_var_run_t:file { lock delete_file_perms };
|
||||
+samba_domtrans_nmbd(swat_t)
|
||||
+allow swat_t nmbd_t:process { signal signull };
|
||||
+allow nmbd_t swat_t:process signal;
|
||||
+
|
||||
+read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t)
|
||||
+stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
|
||||
+
|
||||
@ -83994,7 +84001,7 @@ index 2b7c441..c80c3f6 100644
|
||||
|
||||
fs_getattr_all_fs(winbind_t)
|
||||
fs_search_auto_mountpoints(winbind_t)
|
||||
@@ -924,26 +954,39 @@ auth_domtrans_chk_passwd(winbind_t)
|
||||
@@ -924,26 +954,43 @@ auth_domtrans_chk_passwd(winbind_t)
|
||||
auth_use_nsswitch(winbind_t)
|
||||
auth_manage_cache(winbind_t)
|
||||
|
||||
@ -84033,10 +84040,14 @@ index 2b7c441..c80c3f6 100644
|
||||
optional_policy(`
|
||||
kerberos_use(winbind_t)
|
||||
+ kerberos_filetrans_named_content(winbind_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ nis_authenticate(winbind_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -959,31 +1002,29 @@ optional_policy(`
|
||||
@@ -959,31 +1006,29 @@ optional_policy(`
|
||||
# Winbind helper local policy
|
||||
#
|
||||
|
||||
@ -84074,7 +84085,7 @@ index 2b7c441..c80c3f6 100644
|
||||
|
||||
optional_policy(`
|
||||
apache_append_log(winbind_helper_t)
|
||||
@@ -997,25 +1038,38 @@ optional_policy(`
|
||||
@@ -997,25 +1042,38 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -84095,24 +84106,24 @@ index 2b7c441..c80c3f6 100644
|
||||
+ role system_r types samba_unconfined_net_t;
|
||||
+
|
||||
+ unconfined_domain(samba_unconfined_net_t)
|
||||
+
|
||||
|
||||
- allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
|
||||
- allow smbd_t samba_unconfined_script_exec_t:file ioctl;
|
||||
+ manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t)
|
||||
+ filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file)
|
||||
+ userdom_use_inherited_user_terminals(samba_unconfined_net_t)
|
||||
+')
|
||||
+
|
||||
|
||||
+type samba_unconfined_script_t;
|
||||
+type samba_unconfined_script_exec_t;
|
||||
+domain_type(samba_unconfined_script_t)
|
||||
+domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t)
|
||||
+corecmd_shell_entry_type(samba_unconfined_script_t)
|
||||
+role system_r types samba_unconfined_script_t;
|
||||
|
||||
- allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
|
||||
- allow smbd_t samba_unconfined_script_exec_t:file ioctl;
|
||||
+
|
||||
+allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
|
||||
+allow smbd_t samba_unconfined_script_exec_t:file ioctl;
|
||||
|
||||
+
|
||||
+optional_policy(`
|
||||
unconfined_domain(samba_unconfined_script_t)
|
||||
+')
|
||||
|
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 37%{?dist}
|
||||
Release: 38%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -580,6 +580,14 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Mar 17 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-38
|
||||
- Label sddm as xdm_exec_t to make KDE working again
|
||||
- Allow postgresql to read network state
|
||||
- Allow java running as pki_tomcat to read network sysctls
|
||||
- Fix cgroup.te to allow cgred to read cgconfig_etc_t
|
||||
- Allow beam.smp to use ephemeral ports
|
||||
- Allow winbind to use the nis to authenticate passwords
|
||||
|
||||
* Mon Mar 17 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-37
|
||||
- Allow collectd to talk to libvirt
|
||||
- Allow chrome_sandbox to use leaked unix_stream_sockets
|
||||
|