- Allow rpcd_t to send signal to mount_t
- Allow libvirtd to run ranged
parent
8c2b68a3e1
commit
8f6e4365ca
@ -3551,17 +3551,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
dbus_system_bus_client(podsleuth_t)
|
dbus_system_bus_client(podsleuth_t)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.6/policy/modules/apps/qemu.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.6/policy/modules/apps/qemu.fc
|
||||||
--- nsaserefpolicy/policy/modules/apps/qemu.fc 2008-08-07 11:15:02.000000000 -0400
|
--- nsaserefpolicy/policy/modules/apps/qemu.fc 2008-08-07 11:15:02.000000000 -0400
|
||||||
+++ serefpolicy-3.6.6/policy/modules/apps/qemu.fc 2009-02-16 13:18:06.000000000 -0500
|
+++ serefpolicy-3.6.6/policy/modules/apps/qemu.fc 2009-02-17 15:43:19.000000000 -0500
|
||||||
@@ -1,2 +1,6 @@
|
@@ -1,2 +1,6 @@
|
||||||
/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
|
/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
|
||||||
/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
|
/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
|
||||||
+
|
+
|
||||||
+/var/cache/libvirt(/.*)? -- gen_context(system_u:object_r:qemu_cache_t,s0)
|
+/var/cache/libvirt(/.*)? gen_context(system_u:object_r:qemu_cache_t,s0)
|
||||||
+
|
+
|
||||||
+/var/run/libvirt/qemu(/.*)? -- gen_context(system_u:object_r:qemu_var_run_t,s0)
|
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.6.6/policy/modules/apps/qemu.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.6.6/policy/modules/apps/qemu.if
|
||||||
--- nsaserefpolicy/policy/modules/apps/qemu.if 2009-01-19 11:03:28.000000000 -0500
|
--- nsaserefpolicy/policy/modules/apps/qemu.if 2009-01-19 11:03:28.000000000 -0500
|
||||||
+++ serefpolicy-3.6.6/policy/modules/apps/qemu.if 2009-02-16 13:18:06.000000000 -0500
|
+++ serefpolicy-3.6.6/policy/modules/apps/qemu.if 2009-02-17 17:18:08.000000000 -0500
|
||||||
@@ -40,6 +40,93 @@
|
@@ -40,6 +40,93 @@
|
||||||
|
|
||||||
qemu_domtrans($1)
|
qemu_domtrans($1)
|
||||||
@ -3748,7 +3748,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -127,84 +290,73 @@
|
@@ -127,84 +290,85 @@
|
||||||
#
|
#
|
||||||
template(`qemu_domain_template',`
|
template(`qemu_domain_template',`
|
||||||
|
|
||||||
@ -3773,6 +3773,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
- #
|
- #
|
||||||
+ type $1_tmpfs_t;
|
+ type $1_tmpfs_t;
|
||||||
+ files_tmpfs_file($1_tmpfs_t)
|
+ files_tmpfs_file($1_tmpfs_t)
|
||||||
|
+
|
||||||
|
+ type $1_image_t;
|
||||||
|
+ virt_image($1_image_t)
|
||||||
|
|
||||||
- allow $1_t self:capability { dac_read_search dac_override };
|
- allow $1_t self:capability { dac_read_search dac_override };
|
||||||
- allow $1_t self:process { execstack execmem signal getsched };
|
- allow $1_t self:process { execstack execmem signal getsched };
|
||||||
@ -3780,8 +3783,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
- allow $1_t self:shm create_shm_perms;
|
- allow $1_t self:shm create_shm_perms;
|
||||||
- allow $1_t self:unix_stream_socket create_stream_socket_perms;
|
- allow $1_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
- allow $1_t self:tcp_socket create_stream_socket_perms;
|
- allow $1_t self:tcp_socket create_stream_socket_perms;
|
||||||
+ type $1_image_t;
|
+ allow $1_t self:capability kill;
|
||||||
+ virt_image($1_image_t)
|
+ allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||||
+
|
+
|
||||||
+ manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
|
+ manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
|
||||||
+ manage_files_pattern($1_t, $1_image_t, $1_image_t)
|
+ manage_files_pattern($1_t, $1_image_t, $1_image_t)
|
||||||
@ -3790,6 +3793,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
|
manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
|
||||||
manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
|
manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
|
||||||
|
+ manage_lnk_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
|
||||||
files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
|
files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
|
||||||
|
|
||||||
- kernel_read_system_state($1_t)
|
- kernel_read_system_state($1_t)
|
||||||
@ -3820,6 +3824,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+ manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
|
+ manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
|
||||||
+ fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
|
+ fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
|
||||||
+ fs_getattr_tmpfs($1_t)
|
+ fs_getattr_tmpfs($1_t)
|
||||||
|
+
|
||||||
|
+ userdom_read_user_tmpfs_files($1_t)
|
||||||
|
+ userdom_signull_unpriv_users($1_t)
|
||||||
|
+ userdom_admin_home_dir_filetrans($1_t, $1_tmp_t, {file dir })
|
||||||
|
|
||||||
- storage_raw_write_removable_device($1_t)
|
- storage_raw_write_removable_device($1_t)
|
||||||
- storage_raw_read_removable_device($1_t)
|
- storage_raw_read_removable_device($1_t)
|
||||||
@ -3831,11 +3839,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
- miscfiles_read_localization($1_t)
|
- miscfiles_read_localization($1_t)
|
||||||
-
|
-
|
||||||
- sysnet_read_config($1_t)
|
- sysnet_read_config($1_t)
|
||||||
-
|
|
||||||
- userdom_use_user_terminals($1_t)
|
|
||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
+ xserver_common_x_domain_template(user, $1_t)
|
+ xserver_common_x_domain_template(user, $1_t)
|
||||||
+ ')
|
+ ')
|
||||||
|
|
||||||
|
- userdom_use_user_terminals($1_t)
|
||||||
|
+ optional_policy(`
|
||||||
|
+ dbus_system_bus_client($1_t)
|
||||||
|
+ ')
|
||||||
+')
|
+')
|
||||||
|
|
||||||
-# optional_policy(`
|
-# optional_policy(`
|
||||||
@ -3887,7 +3898,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.6/policy/modules/apps/qemu.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.6/policy/modules/apps/qemu.te
|
||||||
--- nsaserefpolicy/policy/modules/apps/qemu.te 2009-01-19 11:03:28.000000000 -0500
|
--- nsaserefpolicy/policy/modules/apps/qemu.te 2009-01-19 11:03:28.000000000 -0500
|
||||||
+++ serefpolicy-3.6.6/policy/modules/apps/qemu.te 2009-02-16 13:18:06.000000000 -0500
|
+++ serefpolicy-3.6.6/policy/modules/apps/qemu.te 2009-02-17 16:14:43.000000000 -0500
|
||||||
@@ -6,6 +6,8 @@
|
@@ -6,6 +6,8 @@
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
@ -7271,8 +7282,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
-')
|
-')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.6/policy/modules/roles/staff.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.6/policy/modules/roles/staff.te
|
||||||
--- nsaserefpolicy/policy/modules/roles/staff.te 2008-11-11 16:13:47.000000000 -0500
|
--- nsaserefpolicy/policy/modules/roles/staff.te 2008-11-11 16:13:47.000000000 -0500
|
||||||
+++ serefpolicy-3.6.6/policy/modules/roles/staff.te 2009-02-16 13:18:06.000000000 -0500
|
+++ serefpolicy-3.6.6/policy/modules/roles/staff.te 2009-02-17 13:42:06.000000000 -0500
|
||||||
@@ -15,156 +15,87 @@
|
@@ -15,156 +15,88 @@
|
||||||
# Local policy
|
# Local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -7354,6 +7365,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
- mozilla_role(staff_r, staff_t)
|
- mozilla_role(staff_r, staff_t)
|
||||||
-')
|
-')
|
||||||
+seutil_run_newrole(staff_t, staff_r)
|
+seutil_run_newrole(staff_t, staff_r)
|
||||||
|
+netutils_run_ping(staff_t, staff_r)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- mplayer_role(staff_r, staff_t)
|
- mplayer_role(staff_r, staff_t)
|
||||||
@ -9049,7 +9061,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.6/policy/modules/services/apache.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.6/policy/modules/services/apache.te
|
||||||
--- nsaserefpolicy/policy/modules/services/apache.te 2009-01-19 11:06:49.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/apache.te 2009-01-19 11:06:49.000000000 -0500
|
||||||
+++ serefpolicy-3.6.6/policy/modules/services/apache.te 2009-02-16 13:18:06.000000000 -0500
|
+++ serefpolicy-3.6.6/policy/modules/services/apache.te 2009-02-17 16:09:12.000000000 -0500
|
||||||
@@ -19,6 +19,8 @@
|
@@ -19,6 +19,8 @@
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
@ -11575,7 +11587,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.6/policy/modules/services/cups.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.6/policy/modules/services/cups.te
|
||||||
--- nsaserefpolicy/policy/modules/services/cups.te 2009-01-19 11:06:49.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/cups.te 2009-01-19 11:06:49.000000000 -0500
|
||||||
+++ serefpolicy-3.6.6/policy/modules/services/cups.te 2009-02-16 13:18:06.000000000 -0500
|
+++ serefpolicy-3.6.6/policy/modules/services/cups.te 2009-02-17 15:28:51.000000000 -0500
|
||||||
@@ -20,9 +20,18 @@
|
@@ -20,9 +20,18 @@
|
||||||
type cupsd_etc_t;
|
type cupsd_etc_t;
|
||||||
files_config_file(cupsd_etc_t)
|
files_config_file(cupsd_etc_t)
|
||||||
@ -12028,7 +12040,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
|
/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.6/policy/modules/services/dbus.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.6/policy/modules/services/dbus.if
|
||||||
--- nsaserefpolicy/policy/modules/services/dbus.if 2009-01-19 11:06:49.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/dbus.if 2009-01-19 11:06:49.000000000 -0500
|
||||||
+++ serefpolicy-3.6.6/policy/modules/services/dbus.if 2009-02-16 13:18:06.000000000 -0500
|
+++ serefpolicy-3.6.6/policy/modules/services/dbus.if 2009-02-17 16:08:31.000000000 -0500
|
||||||
@@ -44,6 +44,7 @@
|
@@ -44,6 +44,7 @@
|
||||||
|
|
||||||
attribute session_bus_type;
|
attribute session_bus_type;
|
||||||
@ -18513,7 +18525,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.6/policy/modules/services/postfix.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.6/policy/modules/services/postfix.te
|
||||||
--- nsaserefpolicy/policy/modules/services/postfix.te 2009-01-19 11:07:34.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/postfix.te 2009-01-19 11:07:34.000000000 -0500
|
||||||
+++ serefpolicy-3.6.6/policy/modules/services/postfix.te 2009-02-17 08:27:34.000000000 -0500
|
+++ serefpolicy-3.6.6/policy/modules/services/postfix.te 2009-02-17 12:58:06.000000000 -0500
|
||||||
@@ -6,6 +6,15 @@
|
@@ -6,6 +6,15 @@
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
@ -18829,7 +18841,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
mailman_read_data_files(postfix_smtpd_t)
|
mailman_read_data_files(postfix_smtpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -572,12 +666,13 @@
|
@@ -572,15 +666,21 @@
|
||||||
files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir })
|
files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir })
|
||||||
|
|
||||||
# connect to master process
|
# connect to master process
|
||||||
@ -18844,6 +18856,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
mta_read_aliases(postfix_virtual_t)
|
mta_read_aliases(postfix_virtual_t)
|
||||||
mta_delete_spool(postfix_virtual_t)
|
mta_delete_spool(postfix_virtual_t)
|
||||||
|
# For reading spamassasin
|
||||||
|
mta_read_config(postfix_virtual_t)
|
||||||
|
mta_manage_spool(postfix_virtual_t)
|
||||||
|
+
|
||||||
|
+userdom_manage_user_home_dirs(postfix_virtual_t)
|
||||||
|
+userdom_manage_user_home_content(postfix_virtual_t)
|
||||||
|
+userdom_home_filetrans_user_home_dir(postfix_virtual_t)
|
||||||
|
+userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.6.6/policy/modules/services/postgresql.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.6.6/policy/modules/services/postgresql.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/postgresql.fc 2008-08-14 13:08:27.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/postgresql.fc 2008-08-14 13:08:27.000000000 -0400
|
||||||
+++ serefpolicy-3.6.6/policy/modules/services/postgresql.fc 2009-02-16 13:18:06.000000000 -0500
|
+++ serefpolicy-3.6.6/policy/modules/services/postgresql.fc 2009-02-16 13:18:06.000000000 -0500
|
||||||
@ -20479,7 +20499,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
/usr/sbin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
|
/usr/sbin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.6/policy/modules/services/rpc.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.6/policy/modules/services/rpc.if
|
||||||
--- nsaserefpolicy/policy/modules/services/rpc.if 2009-01-19 11:06:49.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/rpc.if 2009-01-19 11:06:49.000000000 -0500
|
||||||
+++ serefpolicy-3.6.6/policy/modules/services/rpc.if 2009-02-16 13:18:06.000000000 -0500
|
+++ serefpolicy-3.6.6/policy/modules/services/rpc.if 2009-02-17 11:57:20.000000000 -0500
|
||||||
@@ -88,8 +88,11 @@
|
@@ -88,8 +88,11 @@
|
||||||
# bind to arbitary unused ports
|
# bind to arbitary unused ports
|
||||||
corenet_tcp_bind_generic_port($1_t)
|
corenet_tcp_bind_generic_port($1_t)
|
||||||
@ -20493,7 +20513,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
fs_rw_rpc_named_pipes($1_t)
|
fs_rw_rpc_named_pipes($1_t)
|
||||||
fs_search_auto_mountpoints($1_t)
|
fs_search_auto_mountpoints($1_t)
|
||||||
@@ -205,6 +208,24 @@
|
@@ -205,6 +208,25 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -20511,6 +20531,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ domtrans_pattern($1, rpcd_exec_t, rpcd_t)
|
+ domtrans_pattern($1, rpcd_exec_t, rpcd_t)
|
||||||
|
+ allow rpcd_t $1:process signal;
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -20518,7 +20539,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Read NFS exported content.
|
## Read NFS exported content.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -335,3 +356,22 @@
|
@@ -335,3 +357,22 @@
|
||||||
files_search_var_lib($1)
|
files_search_var_lib($1)
|
||||||
read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
|
read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
|
||||||
')
|
')
|
||||||
@ -23273,7 +23294,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## </summary>
|
## </summary>
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.6/policy/modules/services/virt.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.6/policy/modules/services/virt.te
|
||||||
--- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500
|
||||||
+++ serefpolicy-3.6.6/policy/modules/services/virt.te 2009-02-16 13:18:06.000000000 -0500
|
+++ serefpolicy-3.6.6/policy/modules/services/virt.te 2009-02-17 15:29:03.000000000 -0500
|
||||||
@@ -32,6 +32,10 @@
|
@@ -32,6 +32,10 @@
|
||||||
type virt_image_t, virt_image_type; # customizable
|
type virt_image_t, virt_image_type; # customizable
|
||||||
virt_image(virt_image_t)
|
virt_image(virt_image_t)
|
||||||
@ -23285,7 +23306,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
type virt_log_t;
|
type virt_log_t;
|
||||||
logging_log_file(virt_log_t)
|
logging_log_file(virt_log_t)
|
||||||
|
|
||||||
@@ -53,7 +57,7 @@
|
@@ -48,12 +52,20 @@
|
||||||
|
type virtd_initrc_exec_t;
|
||||||
|
init_script_file(virtd_initrc_exec_t)
|
||||||
|
|
||||||
|
+ifdef(`enable_mcs',`
|
||||||
|
+ init_ranged_daemon_domain(virtd_t, virtd_exec_t,s0 - mcs_systemhigh)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+ifdef(`enable_mls',`
|
||||||
|
+ init_ranged_daemon_domain(virtd_t, virtd_exec_t,s0 - mls_systemhigh)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
########################################
|
||||||
|
#
|
||||||
# virtd local policy
|
# virtd local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -23294,7 +23328,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
allow virtd_t self:process { getsched sigkill signal execmem };
|
allow virtd_t self:process { getsched sigkill signal execmem };
|
||||||
allow virtd_t self:fifo_file rw_file_perms;
|
allow virtd_t self:fifo_file rw_file_perms;
|
||||||
allow virtd_t self:unix_stream_socket create_stream_socket_perms;
|
allow virtd_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
@@ -69,6 +73,9 @@
|
@@ -69,6 +81,9 @@
|
||||||
|
|
||||||
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
|
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
|
||||||
|
|
||||||
@ -23304,7 +23338,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
|
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
|
||||||
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
|
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
|
||||||
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
|
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
|
||||||
@@ -96,7 +103,7 @@
|
@@ -96,7 +111,7 @@
|
||||||
corenet_tcp_sendrecv_generic_node(virtd_t)
|
corenet_tcp_sendrecv_generic_node(virtd_t)
|
||||||
corenet_tcp_sendrecv_all_ports(virtd_t)
|
corenet_tcp_sendrecv_all_ports(virtd_t)
|
||||||
corenet_tcp_bind_generic_node(virtd_t)
|
corenet_tcp_bind_generic_node(virtd_t)
|
||||||
@ -23313,7 +23347,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
corenet_tcp_bind_vnc_port(virtd_t)
|
corenet_tcp_bind_vnc_port(virtd_t)
|
||||||
corenet_tcp_connect_vnc_port(virtd_t)
|
corenet_tcp_connect_vnc_port(virtd_t)
|
||||||
corenet_tcp_connect_soundd_port(virtd_t)
|
corenet_tcp_connect_soundd_port(virtd_t)
|
||||||
@@ -110,11 +117,13 @@
|
@@ -110,11 +125,13 @@
|
||||||
|
|
||||||
files_read_usr_files(virtd_t)
|
files_read_usr_files(virtd_t)
|
||||||
files_read_etc_files(virtd_t)
|
files_read_etc_files(virtd_t)
|
||||||
@ -23327,7 +23361,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
storage_raw_write_removable_device(virtd_t)
|
storage_raw_write_removable_device(virtd_t)
|
||||||
storage_raw_read_removable_device(virtd_t)
|
storage_raw_read_removable_device(virtd_t)
|
||||||
@@ -129,7 +138,11 @@
|
@@ -129,7 +146,11 @@
|
||||||
|
|
||||||
logging_send_syslog_msg(virtd_t)
|
logging_send_syslog_msg(virtd_t)
|
||||||
|
|
||||||
@ -23339,7 +23373,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
tunable_policy(`virt_use_nfs',`
|
tunable_policy(`virt_use_nfs',`
|
||||||
fs_manage_nfs_dirs(virtd_t)
|
fs_manage_nfs_dirs(virtd_t)
|
||||||
@@ -173,16 +186,17 @@
|
@@ -173,16 +194,17 @@
|
||||||
iptables_domtrans(virtd_t)
|
iptables_domtrans(virtd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -29287,7 +29321,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
|
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.6/policy/modules/system/userdomain.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.6/policy/modules/system/userdomain.if
|
||||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
|
||||||
+++ serefpolicy-3.6.6/policy/modules/system/userdomain.if 2009-02-16 17:24:41.000000000 -0500
|
+++ serefpolicy-3.6.6/policy/modules/system/userdomain.if 2009-02-17 17:06:13.000000000 -0500
|
||||||
@@ -30,8 +30,9 @@
|
@@ -30,8 +30,9 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -30753,7 +30787,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
interface(`userdom_rw_user_tmpfs_files',`
|
interface(`userdom_rw_user_tmpfs_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type user_tmpfs_t;
|
type user_tmpfs_t;
|
||||||
@@ -2814,7 +3043,43 @@
|
@@ -2709,6 +2938,24 @@
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
+## Send signull to unprivileged user domains.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`userdom_signull_unpriv_users',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ attribute unpriv_userdomain;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 unpriv_userdomain:process signull;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
## Inherit the file descriptors from unprivileged user domains.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
@@ -2814,7 +3061,43 @@
|
||||||
type user_tmp_t;
|
type user_tmp_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -30798,7 +30857,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2851,6 +3116,7 @@
|
@@ -2851,6 +3134,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
read_files_pattern($1,userdomain,userdomain)
|
read_files_pattern($1,userdomain,userdomain)
|
||||||
@ -30806,7 +30865,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
kernel_search_proc($1)
|
kernel_search_proc($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -2965,6 +3231,24 @@
|
@@ -2965,6 +3249,24 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -30831,7 +30890,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Send a dbus message to all user domains.
|
## Send a dbus message to all user domains.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -2981,3 +3265,313 @@
|
@@ -2981,3 +3283,313 @@
|
||||||
|
|
||||||
allow $1 userdomain:dbus send_msg;
|
allow $1 userdomain:dbus send_msg;
|
||||||
')
|
')
|
||||||
|
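Review bot: The new `userdom_manage_user_home_dirs(postfix_virtual_t)` and `userdom_manage_user_home_content(postfix_virtual_t)` lines in the postfix.te hunk (`@@ -572,15 +666,21 @@`) give the virtual delivery agent unconditional create/write/delete access to every user's home directory and all of its content, and neither the commit message nor a comment in the patch says why the existing spool access was not enough; the `# For reading spamassasin` context comment above appears to belong to the existing mta_read_config line, not to these grants. Comparable home-directory grants elsewhere in refpolicy are typically wrapped in a `tunable_policy` block keyed on a boolean declared with `gen_tunable` (name to be chosen), so an administrator can leave the default off; at minimum a one-line comment naming the delivery configuration that needs it should precede the block. As a style point, the same hunk's `userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })` and the qemu.if line `userdom_admin_home_dir_filetrans($1_t, $1_tmp_t, {file dir })` write `{file dir }` where the rest of these files write `{ file dir }`. The `allow $1_t self:capability kill;` added to qemu_domain_template in qemu.if and the `allow rpcd_t $1:process signal;` added to the rpc.if interface containing `domtrans_pattern($1, rpcd_exec_t, rpcd_t)` (which lets rpcd_t signal every caller of that interface, not only mount_t as the changelog wording suggests) are likewise missing from the 3.6.6-4 %changelog entry, which lists only the rpcd and ranged-libvirtd items.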
@ -20,7 +20,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.6.6
|
Version: 3.6.6
|
||||||
Release: 3%{?dist}
|
Release: 4%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -444,6 +444,10 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Feb 17 2009 Dan Walsh <dwalsh@redhat.com> 3.6.6-4
|
||||||
|
- Allow rpcd_t to send signal to mount_t
|
||||||
|
- Allow libvirtd to run ranged
|
||||||
|
|
||||||
* Tue Feb 17 2009 Dan Walsh <dwalsh@redhat.com> 3.6.6-3
|
* Tue Feb 17 2009 Dan Walsh <dwalsh@redhat.com> 3.6.6-3
|
||||||
- Fix sysnet/net_conf_t
|
- Fix sysnet/net_conf_t
|
||||||
|
|
||||||
|