* Wed Jan 06 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-165
- Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085) - Revert "Allow arping running as netutils_t sys_module capability for removing tap devices." - Allow arping running as netutils_t sys_module capability for removing tap devices. - Add userdom_connectto_stream() interface. - Allow systemd-logind to read /run/utmp. BZ(#1278662)
This commit is contained in:
parent
f1750fb373
commit
936bb7a648
@ -26517,10 +26517,10 @@ index cc877c7..b8e6e98 100644
|
||||
+ xserver_rw_xdm_pipes(ssh_agent_type)
|
||||
+')
|
||||
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
|
||||
index 8274418..b3baa75 100644
|
||||
index 8274418..12a5645 100644
|
||||
--- a/policy/modules/services/xserver.fc
|
||||
+++ b/policy/modules/services/xserver.fc
|
||||
@@ -2,13 +2,36 @@
|
||||
@@ -2,13 +2,38 @@
|
||||
# HOME_DIR
|
||||
#
|
||||
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
|
||||
@ -26538,6 +26538,7 @@ index 8274418..b3baa75 100644
|
||||
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
||||
+HOME_DIR/\.cache/gdm(/.*)? gen_context(system_u:object_r:xdm_home_t,s0)
|
||||
+HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
|
||||
+HOME_DIR/\.wayland-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
|
||||
+HOME_DIR/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0)
|
||||
+
|
||||
+/root/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
|
||||
@ -26553,11 +26554,12 @@ index 8274418..b3baa75 100644
|
||||
+/root/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
||||
+/root/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
||||
+/root/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
|
||||
+/root/\.wayland-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
|
||||
+/root/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0)
|
||||
|
||||
#
|
||||
# /dev
|
||||
@@ -22,13 +45,21 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
||||
@@ -22,13 +47,21 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
||||
/etc/gdm(3)?/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
|
||||
/etc/gdm(3)?/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
|
||||
|
||||
@ -26580,7 +26582,7 @@ index 8274418..b3baa75 100644
|
||||
/etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
|
||||
/etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
|
||||
/etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
|
||||
@@ -46,26 +77,34 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
||||
@@ -46,26 +79,34 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
||||
# /tmp
|
||||
#
|
||||
|
||||
@ -26621,7 +26623,7 @@ index 8274418..b3baa75 100644
|
||||
|
||||
/usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||
|
||||
@@ -91,19 +130,34 @@ ifndef(`distro_debian',`
|
||||
@@ -91,19 +132,34 @@ ifndef(`distro_debian',`
|
||||
/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
|
||||
|
||||
/var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||
@ -26660,7 +26662,7 @@ index 8274418..b3baa75 100644
|
||||
/var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||
/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||
/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||
@@ -111,7 +165,18 @@ ifndef(`distro_debian',`
|
||||
@@ -111,7 +167,18 @@ ifndef(`distro_debian',`
|
||||
/var/run/slim.* gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||
/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||
@ -26680,7 +26682,7 @@ index 8274418..b3baa75 100644
|
||||
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
||||
+
|
||||
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
|
||||
index 6bf0ecc..f2bbe7e 100644
|
||||
index 6bf0ecc..7d0c3c3 100644
|
||||
--- a/policy/modules/services/xserver.if
|
||||
+++ b/policy/modules/services/xserver.if
|
||||
@@ -18,100 +18,36 @@
|
||||
@ -27756,7 +27758,7 @@ index 6bf0ecc..f2bbe7e 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1284,10 +1640,660 @@ interface(`xserver_manage_core_devices',`
|
||||
@@ -1284,10 +1640,662 @@ interface(`xserver_manage_core_devices',`
|
||||
#
|
||||
interface(`xserver_unconfined',`
|
||||
gen_require(`
|
||||
@ -28290,6 +28292,7 @@ index 6bf0ecc..f2bbe7e 100644
|
||||
+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:9")
|
||||
+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped")
|
||||
+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old")
|
||||
+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".wayland-errors")
|
||||
+ userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf")
|
||||
+ userdom_user_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d")
|
||||
+ userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
|
||||
@ -28334,6 +28337,7 @@ index 6bf0ecc..f2bbe7e 100644
|
||||
+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped")
|
||||
+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old")
|
||||
+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors.old")
|
||||
+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".wayland-errors")
|
||||
+ userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP")
|
||||
+ userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority")
|
||||
+ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
|
||||
@ -45258,10 +45262,10 @@ index 0000000..c253b33
|
||||
+')
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
new file mode 100644
|
||||
index 0000000..56ba5a6
|
||||
index 0000000..b4a073f
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -0,0 +1,824 @@
|
||||
@@ -0,0 +1,825 @@
|
||||
+policy_module(systemd, 1.0.0)
|
||||
+
|
||||
+#######################################
|
||||
@ -45463,6 +45467,7 @@ index 0000000..56ba5a6
|
||||
+init_undefined(systemd_logind_t)
|
||||
+init_signal_script(systemd_logind_t)
|
||||
+init_getattr_script_status_files(systemd_logind_t)
|
||||
+init_read_utmp(systemd_logind_t)
|
||||
+
|
||||
+getty_systemctl(systemd_logind_t)
|
||||
+
|
||||
@ -47499,7 +47504,7 @@ index db75976..c54480a 100644
|
||||
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
|
||||
+
|
||||
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
|
||||
index 9dc60c6..cb235f4 100644
|
||||
index 9dc60c6..e6556aa 100644
|
||||
--- a/policy/modules/system/userdomain.if
|
||||
+++ b/policy/modules/system/userdomain.if
|
||||
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
|
||||
@ -50801,7 +50806,7 @@ index 9dc60c6..cb235f4 100644
|
||||
## Create keys for all user domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -3435,4 +4622,1763 @@ interface(`userdom_dbus_send_all_users',`
|
||||
@@ -3435,4 +4622,1781 @@ interface(`userdom_dbus_send_all_users',`
|
||||
')
|
||||
|
||||
allow $1 userdomain:dbus send_msg;
|
||||
@ -51369,6 +51374,24 @@ index 9dc60c6..cb235f4 100644
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read and write userdomain stream.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`userdom_connectto_stream',`
|
||||
+ gen_require(`
|
||||
+ attribute userdomain;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 userdomain:unix_stream_socket connectto;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Do not audit attempts to read and write
|
||||
+## unserdomain datagram socket.
|
||||
+## </summary>
|
||||
|
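Review bot: The summary of the new `userdom_connectto_stream()` interface does not match the rule it grants: the XML says "Read and write userdomain stream." while the body only allows `connectto` on `userdomain:unix_stream_socket`, so a caller reading the doc will expect read/write access that is not there. I would change the summary to `## Connect to the unix stream sockets of all user domains.`. Since `userdomain` is the attribute covering every user domain, any caller (this commit uses it for sandbox_x_domain) gains connectto to every user's listening stream sockets, so a why-comment above the allow rule, e.g. `# connectto to every user domain's stream sockets; keep callers narrow`, would make that cost visible to the next person adding a caller.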
@ -3799,7 +3799,7 @@ index 7caefc3..b25689b 100644
|
||||
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
diff --git a/apache.if b/apache.if
|
||||
index f6eb485..c55558a 100644
|
||||
index f6eb485..f1f976b 100644
|
||||
--- a/apache.if
|
||||
+++ b/apache.if
|
||||
@@ -1,9 +1,9 @@
|
||||
@ -3948,7 +3948,7 @@ index f6eb485..c55558a 100644
|
||||
+ manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
|
||||
+ manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
|
||||
+
|
||||
+ allow $1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write };
|
||||
+ allow $1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write shutdown };
|
||||
+
|
||||
+ # Allow the web server to run scripts and serve pages
|
||||
tunable_policy(`httpd_builtin_scripting',`
|
||||
@ -20497,7 +20497,7 @@ index 3023be7..0317731 100644
|
||||
+ files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
|
||||
')
|
||||
diff --git a/cups.te b/cups.te
|
||||
index c91813c..999581c 100644
|
||||
index c91813c..3d89006 100644
|
||||
--- a/cups.te
|
||||
+++ b/cups.te
|
||||
@@ -5,19 +5,31 @@ policy_module(cups, 1.16.2)
|
||||
@ -20771,13 +20771,14 @@ index c91813c..999581c 100644
|
||||
|
||||
selinux_compute_access_vector(cupsd_t)
|
||||
selinux_validate_context(cupsd_t)
|
||||
@@ -244,22 +288,27 @@ auth_dontaudit_read_pam_pid(cupsd_t)
|
||||
@@ -244,22 +288,28 @@ auth_dontaudit_read_pam_pid(cupsd_t)
|
||||
auth_rw_faillog(cupsd_t)
|
||||
auth_use_nsswitch(cupsd_t)
|
||||
|
||||
-libs_read_lib_files(cupsd_t)
|
||||
libs_exec_lib_files(cupsd_t)
|
||||
+libs_exec_ldconfig(cupsd_t)
|
||||
+libs_exec_ld_so(cupsd_t)
|
||||
|
||||
logging_send_audit_msgs(cupsd_t)
|
||||
logging_send_syslog_msg(cupsd_t)
|
||||
@ -20804,7 +20805,7 @@ index c91813c..999581c 100644
|
||||
|
||||
optional_policy(`
|
||||
apm_domtrans_client(cupsd_t)
|
||||
@@ -272,6 +321,8 @@ optional_policy(`
|
||||
@@ -272,6 +322,8 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(cupsd_t)
|
||||
|
||||
@ -20813,7 +20814,7 @@ index c91813c..999581c 100644
|
||||
userdom_dbus_send_all_users(cupsd_t)
|
||||
|
||||
optional_policy(`
|
||||
@@ -279,11 +330,17 @@ optional_policy(`
|
||||
@@ -279,11 +331,17 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -20831,7 +20832,7 @@ index c91813c..999581c 100644
|
||||
')
|
||||
')
|
||||
|
||||
@@ -296,8 +353,8 @@ optional_policy(`
|
||||
@@ -296,8 +354,8 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -20841,7 +20842,7 @@ index c91813c..999581c 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -306,7 +363,6 @@ optional_policy(`
|
||||
@@ -306,7 +364,6 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
lpd_exec_lpr(cupsd_t)
|
||||
@ -20849,7 +20850,7 @@ index c91813c..999581c 100644
|
||||
lpd_read_config(cupsd_t)
|
||||
lpd_relabel_spool(cupsd_t)
|
||||
')
|
||||
@@ -316,6 +372,10 @@ optional_policy(`
|
||||
@@ -316,6 +373,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -20860,7 +20861,7 @@ index c91813c..999581c 100644
|
||||
samba_read_config(cupsd_t)
|
||||
samba_rw_var_files(cupsd_t)
|
||||
samba_stream_connect_nmbd(cupsd_t)
|
||||
@@ -334,7 +394,11 @@ optional_policy(`
|
||||
@@ -334,7 +395,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -20873,7 +20874,7 @@ index c91813c..999581c 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -342,12 +406,11 @@ optional_policy(`
|
||||
@@ -342,12 +407,11 @@ optional_policy(`
|
||||
# Configuration daemon local policy
|
||||
#
|
||||
|
||||
@ -20889,7 +20890,7 @@ index c91813c..999581c 100644
|
||||
allow cupsd_config_t cupsd_t:process signal;
|
||||
ps_process_pattern(cupsd_config_t, cupsd_t)
|
||||
|
||||
@@ -372,18 +435,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
|
||||
@@ -372,18 +436,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
|
||||
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
|
||||
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
|
||||
|
||||
@ -20910,7 +20911,7 @@ index c91813c..999581c 100644
|
||||
corenet_all_recvfrom_netlabel(cupsd_config_t)
|
||||
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
|
||||
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
|
||||
@@ -392,20 +453,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
|
||||
@@ -392,20 +454,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
|
||||
corenet_sendrecv_all_client_packets(cupsd_config_t)
|
||||
corenet_tcp_connect_all_ports(cupsd_config_t)
|
||||
|
||||
@ -20931,7 +20932,7 @@ index c91813c..999581c 100644
|
||||
fs_search_auto_mountpoints(cupsd_config_t)
|
||||
|
||||
domain_use_interactive_fds(cupsd_config_t)
|
||||
@@ -417,11 +470,6 @@ auth_use_nsswitch(cupsd_config_t)
|
||||
@@ -417,11 +471,6 @@ auth_use_nsswitch(cupsd_config_t)
|
||||
|
||||
logging_send_syslog_msg(cupsd_config_t)
|
||||
|
||||
@ -20943,7 +20944,7 @@ index c91813c..999581c 100644
|
||||
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
|
||||
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
|
||||
userdom_read_all_users_state(cupsd_config_t)
|
||||
@@ -449,9 +497,12 @@ optional_policy(`
|
||||
@@ -449,9 +498,12 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -20957,7 +20958,7 @@ index c91813c..999581c 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -467,6 +518,10 @@ optional_policy(`
|
||||
@@ -467,6 +519,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -20968,7 +20969,7 @@ index c91813c..999581c 100644
|
||||
rpm_read_db(cupsd_config_t)
|
||||
')
|
||||
|
||||
@@ -487,10 +542,6 @@ optional_policy(`
|
||||
@@ -487,10 +543,6 @@ optional_policy(`
|
||||
# Lpd local policy
|
||||
#
|
||||
|
||||
@ -20979,7 +20980,7 @@ index c91813c..999581c 100644
|
||||
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
||||
|
||||
allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
|
||||
@@ -508,15 +559,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
|
||||
@@ -508,15 +560,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
|
||||
|
||||
kernel_read_kernel_sysctls(cupsd_lpd_t)
|
||||
kernel_read_system_state(cupsd_lpd_t)
|
||||
@ -20997,7 +20998,7 @@ index c91813c..999581c 100644
|
||||
corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
|
||||
|
||||
corenet_sendrecv_printer_server_packets(cupsd_lpd_t)
|
||||
@@ -537,9 +588,6 @@ auth_use_nsswitch(cupsd_lpd_t)
|
||||
@@ -537,9 +589,6 @@ auth_use_nsswitch(cupsd_lpd_t)
|
||||
|
||||
logging_send_syslog_msg(cupsd_lpd_t)
|
||||
|
||||
@ -21007,7 +21008,7 @@ index c91813c..999581c 100644
|
||||
optional_policy(`
|
||||
inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
|
||||
')
|
||||
@@ -550,7 +598,6 @@ optional_policy(`
|
||||
@@ -550,7 +599,6 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
|
||||
@ -21015,7 +21016,7 @@ index c91813c..999581c 100644
|
||||
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
|
||||
@@ -566,148 +613,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
|
||||
@@ -566,148 +614,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
|
||||
|
||||
kernel_read_system_state(cups_pdf_t)
|
||||
|
||||
@ -21167,7 +21168,7 @@ index c91813c..999581c 100644
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -735,7 +657,6 @@ kernel_read_kernel_sysctls(ptal_t)
|
||||
@@ -735,7 +658,6 @@ kernel_read_kernel_sysctls(ptal_t)
|
||||
kernel_list_proc(ptal_t)
|
||||
kernel_read_proc_symlinks(ptal_t)
|
||||
|
||||
@ -21175,7 +21176,7 @@ index c91813c..999581c 100644
|
||||
corenet_all_recvfrom_netlabel(ptal_t)
|
||||
corenet_tcp_sendrecv_generic_if(ptal_t)
|
||||
corenet_tcp_sendrecv_generic_node(ptal_t)
|
||||
@@ -745,13 +666,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
|
||||
@@ -745,13 +667,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
|
||||
corenet_tcp_bind_ptal_port(ptal_t)
|
||||
corenet_tcp_sendrecv_ptal_port(ptal_t)
|
||||
|
||||
@ -21189,7 +21190,7 @@ index c91813c..999581c 100644
|
||||
files_read_etc_runtime_files(ptal_t)
|
||||
|
||||
fs_getattr_all_fs(ptal_t)
|
||||
@@ -759,8 +678,6 @@ fs_search_auto_mountpoints(ptal_t)
|
||||
@@ -759,8 +679,6 @@ fs_search_auto_mountpoints(ptal_t)
|
||||
|
||||
logging_send_syslog_msg(ptal_t)
|
||||
|
||||
@ -21198,7 +21199,7 @@ index c91813c..999581c 100644
|
||||
sysnet_read_config(ptal_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(ptal_t)
|
||||
@@ -773,3 +690,4 @@ optional_policy(`
|
||||
@@ -773,3 +691,4 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
udev_read_db(ptal_t)
|
||||
')
|
||||
@ -24084,7 +24085,7 @@ index c697edb..954c090 100644
|
||||
+ allow $1 dhcpd_unit_file_t:service all_service_perms;
|
||||
')
|
||||
diff --git a/dhcp.te b/dhcp.te
|
||||
index 98a24b9..5a24c3a 100644
|
||||
index 98a24b9..cb5795e 100644
|
||||
--- a/dhcp.te
|
||||
+++ b/dhcp.te
|
||||
@@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
|
||||
@ -24122,7 +24123,7 @@ index 98a24b9..5a24c3a 100644
|
||||
files_read_etc_runtime_files(dhcpd_t)
|
||||
files_search_var_lib(dhcpd_t)
|
||||
|
||||
@@ -102,22 +103,42 @@ auth_use_nsswitch(dhcpd_t)
|
||||
@@ -102,22 +103,44 @@ auth_use_nsswitch(dhcpd_t)
|
||||
|
||||
logging_send_syslog_msg(dhcpd_t)
|
||||
|
||||
@ -24145,17 +24146,19 @@ index 98a24b9..5a24c3a 100644
|
||||
+ corenet_tcp_sendrecv_ldap_port(dhcpd_t)
|
||||
+ corenet_tcp_connect_ldap_port(dhcpd_t)
|
||||
+ corenet_sendrecv_ldap_client_packets(dhcpd_t)
|
||||
+')
|
||||
+
|
||||
+tunable_policy(`dhcpd_use_ldap',`
|
||||
+ ldap_read_certs(dhcpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ tunable_policy(`dhcpd_use_ldap',`
|
||||
+ ldap_read_certs(dhcpd_t)
|
||||
+ ')
|
||||
+')
|
||||
+
|
||||
+ifdef(`distro_gentoo',`
|
||||
+ allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ # used for dynamic DNS
|
||||
bind_read_dnssec_keys(dhcpd_t)
|
||||
')
|
||||
@ -36395,10 +36398,10 @@ index 6517fad..f183748 100644
|
||||
+ allow $1 hypervkvp_unit_file_t:service all_service_perms;
|
||||
')
|
||||
diff --git a/hypervkvp.te b/hypervkvp.te
|
||||
index 4eb7041..3ba4a51 100644
|
||||
index 4eb7041..76a5802 100644
|
||||
--- a/hypervkvp.te
|
||||
+++ b/hypervkvp.te
|
||||
@@ -5,24 +5,139 @@ policy_module(hypervkvp, 1.0.0)
|
||||
@@ -5,24 +5,142 @@ policy_module(hypervkvp, 1.0.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
@ -36436,7 +36439,7 @@ index 4eb7041..3ba4a51 100644
|
||||
#
|
||||
-# Local policy
|
||||
+# hyperv domain local policy
|
||||
#
|
||||
+#
|
||||
+
|
||||
+allow hyperv_domain self:capability net_admin;
|
||||
+allow hyperv_domain self:netlink_socket create_socket_perms;
|
||||
@ -36452,10 +36455,8 @@ index 4eb7041..3ba4a51 100644
|
||||
+########################################
|
||||
+#
|
||||
+# hypervkvp local policy
|
||||
#
|
||||
|
||||
-allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
|
||||
-allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+#
|
||||
+
|
||||
+allow hypervkvp_t self:capability sys_ptrace;
|
||||
+allow hypervkvp_t self:process setfscreate;
|
||||
+allow hypervkvp_t self:netlink_route_socket rw_netlink_socket_perms;
|
||||
@ -36537,16 +36538,21 @@ index 4eb7041..3ba4a51 100644
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
#
|
||||
+# hypervvssd local policy
|
||||
+#
|
||||
#
|
||||
|
||||
-logging_send_syslog_msg(hypervkvpd_t)
|
||||
-allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
|
||||
-allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+allow hypervvssd_t self:capability sys_admin;
|
||||
|
||||
-miscfiles_read_localization(hypervkvpd_t)
|
||||
-logging_send_syslog_msg(hypervkvpd_t)
|
||||
+files_list_boot(hypervvssd_t)
|
||||
|
||||
-miscfiles_read_localization(hypervkvpd_t)
|
||||
+files_list_all_mountpoints(hypervvssd_t)
|
||||
+files_write_all_mountpoints(hypervvssd_t)
|
||||
|
||||
-sysnet_dns_name_resolve(hypervkvpd_t)
|
||||
+logging_send_syslog_msg(hypervvssd_t)
|
||||
diff --git a/i18n_input.te b/i18n_input.te
|
||||
@ -37242,15 +37248,16 @@ index 0000000..61f2003
|
||||
+userdom_use_user_terminals(iotop_t)
|
||||
diff --git a/ipa.fc b/ipa.fc
|
||||
new file mode 100644
|
||||
index 0000000..db194ec
|
||||
index 0000000..749756a
|
||||
--- /dev/null
|
||||
+++ b/ipa.fc
|
||||
@@ -0,0 +1,10 @@
|
||||
@@ -0,0 +1,11 @@
|
||||
+/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0)
|
||||
+
|
||||
+/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
|
||||
+
|
||||
+/usr/libexec/ipa/com\.redhat\.idm\.trust-fetch-domains -- gen_context(system_u:object_r:ipa_helper_exec_t,s0)
|
||||
+/usr/libexec/ipa/oddjob/com\.redhat\.idm\.trust-fetch-domains -- gen_context(system_u:object_r:ipa_helper_exec_t,s0)
|
||||
+
|
||||
+/var/lib/ipa(/.*)? gen_context(system_u:object_r:ipa_var_lib_t,s0)
|
||||
+
|
||||
@ -61471,10 +61478,10 @@ index 57c0161..c554eb6 100644
|
||||
+ ps_process_pattern($1, nut_t)
|
||||
')
|
||||
diff --git a/nut.te b/nut.te
|
||||
index 5b2cb0d..ad16c77 100644
|
||||
index 5b2cb0d..7655e0b 100644
|
||||
--- a/nut.te
|
||||
+++ b/nut.te
|
||||
@@ -7,154 +7,143 @@ policy_module(nut, 1.3.0)
|
||||
@@ -7,154 +7,148 @@ policy_module(nut, 1.3.0)
|
||||
|
||||
attribute nut_domain;
|
||||
|
||||
@ -61584,12 +61591,13 @@ index 5b2cb0d..ad16c77 100644
|
||||
|
||||
-allow nut_upsmon_t self:capability dac_read_search;
|
||||
-allow nut_upsmon_t self:unix_stream_socket connectto;
|
||||
+allow nut_upsmon_t self:capability kill;
|
||||
+allow nut_upsmon_t self:tcp_socket create_socket_perms;
|
||||
+allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
+allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto };
|
||||
|
||||
+read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
|
||||
+
|
||||
+read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
|
||||
|
||||
+kernel_read_kernel_sysctls(nut_upsmon_t)
|
||||
kernel_read_system_state(nut_upsmon_t)
|
||||
|
||||
@ -61609,6 +61617,9 @@ index 5b2cb0d..ad16c77 100644
|
||||
-corenet_sendrecv_generic_client_packets(nut_upsmon_t)
|
||||
corenet_tcp_connect_generic_port(nut_upsmon_t)
|
||||
|
||||
+dev_read_rand(nut_upsmon_t)
|
||||
+dev_read_urand(nut_upsmon_t)
|
||||
+
|
||||
+# Creates /etc/killpower
|
||||
files_manage_etc_runtime_files(nut_upsmon_t)
|
||||
files_etc_filetrans_etc_runtime(nut_upsmon_t, file)
|
||||
@ -61655,6 +61666,7 @@ index 5b2cb0d..ad16c77 100644
|
||||
|
||||
dev_read_sysfs(nut_upsdrvctl_t)
|
||||
-dev_read_urand(nut_upsdrvctl_t)
|
||||
+dev_read_usbfs(nut_upsdrvctl_t)
|
||||
dev_rw_generic_usb_dev(nut_upsdrvctl_t)
|
||||
|
||||
term_use_unallocated_ttys(nut_upsdrvctl_t)
|
||||
@ -76890,7 +76902,7 @@ index d68e26d..d2c4d2a 100644
|
||||
+/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
|
||||
+/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)
|
||||
diff --git a/puppet.if b/puppet.if
|
||||
index 7cb8b1f..9422c90 100644
|
||||
index 7cb8b1f..bef7217 100644
|
||||
--- a/puppet.if
|
||||
+++ b/puppet.if
|
||||
@@ -1,4 +1,32 @@
|
||||
@ -76971,7 +76983,7 @@ index 7cb8b1f..9422c90 100644
|
||||
')
|
||||
|
||||
################################################
|
||||
@@ -78,158 +107,164 @@ interface(`puppet_read_config',`
|
||||
@@ -78,158 +107,165 @@ interface(`puppet_read_config',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -77202,8 +77214,9 @@ index 7cb8b1f..9422c90 100644
|
||||
- files_search_var_lib($1)
|
||||
- admin_pattern($1, puppet_var_lib_t)
|
||||
+ files_search_etc($1)
|
||||
+ list_dirs_pattern($1, puppet_etc_t, puppet_etc_t)
|
||||
+ list_dirs_pattern($1, puppet_etc_t, puppet_etc_t)
|
||||
+ read_files_pattern($1, puppet_etc_t, puppet_etc_t)
|
||||
+ read_lnk_files_pattern($1, puppet_etc_t, puppet_etc_t)
|
||||
+')
|
||||
|
||||
+#####################################
|
||||
@ -81711,10 +81724,10 @@ index 951db7f..00e699d 100644
|
||||
+ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak")
|
||||
')
|
||||
diff --git a/raid.te b/raid.te
|
||||
index c99753f..c8696d7 100644
|
||||
index c99753f..c7b77bc 100644
|
||||
--- a/raid.te
|
||||
+++ b/raid.te
|
||||
@@ -15,54 +15,101 @@ role mdadm_roles types mdadm_t;
|
||||
@@ -15,54 +15,102 @@ role mdadm_roles types mdadm_t;
|
||||
type mdadm_initrc_exec_t;
|
||||
init_script_file(mdadm_initrc_exec_t)
|
||||
|
||||
@ -81822,10 +81835,11 @@ index c99753f..c8696d7 100644
|
||||
fs_rw_cgroup_files(mdadm_t)
|
||||
fs_dontaudit_list_tmpfs(mdadm_t)
|
||||
+fs_manage_cgroup_files(mdadm_t)
|
||||
+fs_read_efivarfs_files(mdadm_t)
|
||||
|
||||
mls_file_read_all_levels(mdadm_t)
|
||||
mls_file_write_all_levels(mdadm_t)
|
||||
@@ -71,15 +118,25 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
|
||||
@@ -71,15 +119,25 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
|
||||
storage_manage_fixed_disk(mdadm_t)
|
||||
storage_read_scsi_generic(mdadm_t)
|
||||
storage_write_scsi_generic(mdadm_t)
|
||||
@ -81852,7 +81866,7 @@ index c99753f..c8696d7 100644
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
|
||||
userdom_dontaudit_search_user_home_content(mdadm_t)
|
||||
@@ -90,17 +147,38 @@ optional_policy(`
|
||||
@@ -90,17 +148,38 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -93982,10 +93996,10 @@ index 0000000..3e89d71
|
||||
+')
|
||||
diff --git a/sandboxX.te b/sandboxX.te
|
||||
new file mode 100644
|
||||
index 0000000..c9449b4
|
||||
index 0000000..3dc39bf
|
||||
--- /dev/null
|
||||
+++ b/sandboxX.te
|
||||
@@ -0,0 +1,505 @@
|
||||
@@ -0,0 +1,506 @@
|
||||
+policy_module(sandboxX,1.0.0)
|
||||
+
|
||||
+dbus_stub()
|
||||
@ -94282,6 +94296,7 @@ index 0000000..c9449b4
|
||||
+#1103622
|
||||
+corenet_tcp_connect_xserver_port(sandbox_x_domain)
|
||||
+xserver_stream_connect(sandbox_x_domain)
|
||||
+userdom_connectto_stream(sandbox_x_domain)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
@ -98580,10 +98595,10 @@ index 0000000..ed76979
|
||||
+
|
||||
diff --git a/snapper.te b/snapper.te
|
||||
new file mode 100644
|
||||
index 0000000..90903a9
|
||||
index 0000000..243fc96
|
||||
--- /dev/null
|
||||
+++ b/snapper.te
|
||||
@@ -0,0 +1,75 @@
|
||||
@@ -0,0 +1,77 @@
|
||||
+policy_module(snapper, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -98609,6 +98624,8 @@ index 0000000..90903a9
|
||||
+# snapperd local policy
|
||||
+#
|
||||
+
|
||||
+allow snapperd_t self:capability dac_override;
|
||||
+
|
||||
+allow snapperd_t self:fifo_file rw_fifo_file_perms;
|
||||
+allow snapperd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+
|
||||
@ -110492,7 +110509,7 @@ index facdee8..19b6ffb 100644
|
||||
+ ps_process_pattern(virtd_t, $1)
|
||||
')
|
||||
diff --git a/virt.te b/virt.te
|
||||
index f03dcf5..a9548bd 100644
|
||||
index f03dcf5..7056171 100644
|
||||
--- a/virt.te
|
||||
+++ b/virt.te
|
||||
@@ -1,150 +1,248 @@
|
||||
@ -112081,7 +112098,7 @@ index f03dcf5..a9548bd 100644
|
||||
+manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
||||
+manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
||||
+manage_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
||||
+allow svirt_sandbox_domain svirt_sandbox_file_t:file { relabelfrom relabelto };
|
||||
+allow svirt_sandbox_domain svirt_sandbox_file_t:file { execmod relabelfrom relabelto };
|
||||
+
|
||||
+allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr;
|
||||
+rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
||||
@ -112497,24 +112514,30 @@ index f03dcf5..a9548bd 100644
|
||||
sysnet_read_config(virt_qmf_t)
|
||||
|
||||
optional_policy(`
|
||||
@@ -1192,9 +1546,8 @@ optional_policy(`
|
||||
@@ -1192,7 +1546,7 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
-# Bridgehelper local policy
|
||||
+# virt_bridgehelper local policy
|
||||
#
|
||||
-
|
||||
|
||||
allow virt_bridgehelper_t self:process { setcap getcap };
|
||||
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
|
||||
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
||||
@@ -1205,7 +1558,247 @@ manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
|
||||
@@ -1201,11 +1555,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
||||
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
|
||||
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
+allow virt_bridgehelper_t virt_domain:unix_stream_socket { read write };
|
||||
+
|
||||
manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
|
||||
|
||||
kernel_read_network_state(virt_bridgehelper_t)
|
||||
|
||||
+kernel_read_system_state(virt_bridgehelper_t)
|
||||
+
|
||||
+dev_read_urand(virt_bridgehelper_t)
|
||||
+dev_read_rand(virt_bridgehelper_t)
|
||||
+
|
||||
+dev_read_sysfs(virt_bridgehelper_t)
|
||||
|
||||
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
|
||||
|
||||
-userdom_search_user_home_dirs(virt_bridgehelper_t)
|
||||
|
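Review bot: The rewritten rule `allow svirt_sandbox_domain svirt_sandbox_file_t:file { execmod relabelfrom relabelto };` adds `execmod` for every sandbox domain on its own writable content type, which lets a sandboxed process execute a file mapping it has modified (text relocations) and removes one of the W^X protections those domains had; the change is not listed in the changelog and is not gated by a boolean. If this is needed for container images shipping text-relocated libraries, I would put the `execmod` permission in its own `tunable_policy` block behind a new boolean rather than granting it unconditionally, and mention it in the changelog. At minimum a comment above the rule, `# execmod: allows text-relocated code in sandbox content; weakens W^X for all sandbox domains`, should record why it was added. The surrounding svirt_sandbox_domain rules continue outside this hunk.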
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 164%{?dist}
|
||||
Release: 165%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -664,6 +664,18 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Jan 06 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-165
|
||||
- Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085)
|
||||
- Revert "Allow arping running as netutils_t sys_module capability for removing tap devices."
|
||||
- Allow arping running as netutils_t sys_module capability for removing tap devices.
|
||||
- Add userdom_connectto_stream() interface.
|
||||
- Allow systemd-logind to read /run/utmp. BZ(#1278662)
|
||||
- Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085)
|
||||
- Revert "Allow arping running as netutils_t sys_module capability for removing tap devices."
|
||||
- Allow arping running as netutils_t sys_module capability for removing tap devices.
|
||||
- Add userdom_connectto_stream() interface.
|
||||
- Allow systemd-logind to read /run/utmp. BZ(#1278662)
|
||||
|
||||
* Tue Dec 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-164
|
||||
- Allow firewalld to create firewalld_var_run_t directory. BZ(1291243)
|
||||
- Add interface firewalld_read_pid_files()
|
||||
|