Rename badly used userhelper_t in kernel.if to usermodehelper
This commit is contained in:
Miroslav Grepl
parent
fa5dd278c2
commit
93e99e4693
|
|
@ -14897,7 +14897,7 @@ index 7be4ddf..d5ef507 100644
|
|||
+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)
|
||||
+/sys/kernel/uevent_helper -- gen_context(system_u:object_r:usermodehelper_t,s0)
|
||||
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
|
||||
index e100d88..854e39d 100644
|
||||
index e100d88..3910ec4 100644
|
||||
--- a/policy/modules/kernel/kernel.if
|
||||
+++ b/policy/modules/kernel/kernel.if
|
||||
@@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
|
||||
|
|
@ -15054,7 +15054,7 @@ index e100d88..854e39d 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1771,21 +1834,42 @@ interface(`kernel_read_hotplug_sysctls',`
|
||||
@@ -1771,16 +1834,9 @@ interface(`kernel_read_hotplug_sysctls',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
|
|
@ -15064,88 +15064,51 @@ index e100d88..854e39d 100644
|
|||
- gen_require(`
|
||||
- type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
|
||||
- ')
|
||||
+ refpolicywarn(`$0($*) has been deprecated.')
|
||||
+')
|
||||
|
||||
-
|
||||
- rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_hotplug_t)
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read the modprobe sysctl.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`kernel_read_modprobe_sysctls',`
|
||||
+ refpolicywarn(`$0($*) has been deprecated.')
|
||||
+')
|
||||
|
||||
-
|
||||
- list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read and write the modprobe sysctl.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`kernel_rw_modprobe_sysctls',`
|
||||
+ refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Read the modprobe sysctl.
|
||||
+## Read the hotplug sysctl.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1794,33 +1878,32 @@ interface(`kernel_rw_hotplug_sysctls',`
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
-interface(`kernel_read_modprobe_sysctls',`
|
||||
+interface(`kernel_read_usermodehelper',`
|
||||
gen_require(`
|
||||
- type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
|
||||
+ type proc_t, sysctl_t, sysctl_kernel_t, usermodehelper_t;
|
||||
')
|
||||
|
||||
- read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t)
|
||||
+ read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, usermodehelper_t)
|
||||
|
||||
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Read and write the modprobe sysctl.
|
||||
+## Read and write the hotplug sysctl.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1792,16 +1848,9 @@ interface(`kernel_rw_hotplug_sysctls',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
-## <rolecap/>
|
||||
#
|
||||
-interface(`kernel_rw_modprobe_sysctls',`
|
||||
+interface(`kernel_rw_usermodehelper',`
|
||||
gen_require(`
|
||||
interface(`kernel_read_modprobe_sysctls',`
|
||||
- gen_require(`
|
||||
- type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
|
||||
+ type proc_t, sysctl_t, sysctl_kernel_t, usermodehelper_t;
|
||||
')
|
||||
|
||||
- rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t)
|
||||
+ rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, usermodehelper_t)
|
||||
|
||||
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
|
||||
- ')
|
||||
-
|
||||
- read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t)
|
||||
-
|
||||
- list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
|
||||
+ refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
@@ -2085,7 +2168,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
|
||||
|
||||
########################################
|
||||
@@ -1813,16 +1862,9 @@ interface(`kernel_read_modprobe_sysctls',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
-## <rolecap/>
|
||||
#
|
||||
interface(`kernel_rw_modprobe_sysctls',`
|
||||
- gen_require(`
|
||||
- type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
|
||||
- ')
|
||||
-
|
||||
- rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t)
|
||||
-
|
||||
- list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
|
||||
+ refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2085,7 +2127,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
|
||||
')
|
||||
|
||||
dontaudit $1 sysctl_type:dir list_dir_perms;
|
||||
|
|
@ -15154,7 +15117,7 @@ index e100d88..854e39d 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2282,6 +2365,25 @@ interface(`kernel_list_unlabeled',`
|
||||
@@ -2282,6 +2324,25 @@ interface(`kernel_list_unlabeled',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -15180,7 +15143,7 @@ index e100d88..854e39d 100644
|
|||
## Read the process state (/proc/pid) of all unlabeled_t.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -2306,7 +2408,7 @@ interface(`kernel_read_unlabeled_state',`
|
||||
@@ -2306,7 +2367,7 @@ interface(`kernel_read_unlabeled_state',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
|
|
@ -15189,7 +15152,7 @@ index e100d88..854e39d 100644
|
|||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@@ -2488,6 +2590,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
|
||||
@@ -2488,6 +2549,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -15214,7 +15177,7 @@ index e100d88..854e39d 100644
|
|||
## Do not audit attempts by caller to get attributes for
|
||||
## unlabeled character devices.
|
||||
## </summary>
|
||||
@@ -2525,6 +2645,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
|
||||
@@ -2525,6 +2604,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -15239,7 +15202,7 @@ index e100d88..854e39d 100644
|
|||
## Allow caller to relabel unlabeled files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -2667,6 +2805,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
|
||||
@@ -2667,6 +2764,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -15264,7 +15227,7 @@ index e100d88..854e39d 100644
|
|||
## Receive TCP packets from an unlabeled connection.
|
||||
## </summary>
|
||||
## <desc>
|
||||
@@ -2694,6 +2850,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
|
||||
@@ -2694,6 +2809,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -15290,7 +15253,7 @@ index e100d88..854e39d 100644
|
|||
## Do not audit attempts to receive TCP packets from an unlabeled
|
||||
## connection.
|
||||
## </summary>
|
||||
@@ -2803,6 +2978,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
|
||||
@@ -2803,6 +2937,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
|
||||
|
||||
allow $1 unlabeled_t:rawip_socket recvfrom;
|
||||
')
|
||||
|
|
@ -15324,7 +15287,7 @@ index e100d88..854e39d 100644
|
|||
|
||||
########################################
|
||||
## <summary>
|
||||
@@ -2958,6 +3160,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
|
||||
@@ -2958,6 +3119,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -15349,7 +15312,7 @@ index e100d88..854e39d 100644
|
|||
## Unconfined access to kernel module resources.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -2972,5 +3192,525 @@ interface(`kernel_unconfined',`
|
||||
@@ -2972,5 +3151,525 @@ interface(`kernel_unconfined',`
|
||||
')
|
||||
|
||||
typeattribute $1 kern_unconfined;
|
||||
|
|
@ -15766,7 +15729,7 @@ index e100d88..854e39d 100644
|
|||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read and write userhelper state
|
||||
+## Read and write usermodehelper state
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
|
|
@ -15775,19 +15738,19 @@ index e100d88..854e39d 100644
|
|||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`kernel_rw_userhelper_state',`
|
||||
+interface(`kernel_rw_usermodehelper_state',`
|
||||
+ gen_require(`
|
||||
+ type proc_t, userhelper_t;
|
||||
+ type proc_t, usermodehelper_t;
|
||||
+ ')
|
||||
+
|
||||
+ dev_search_sysfs($1)
|
||||
+ rw_files_pattern($1, proc_t, userhelper_t)
|
||||
+ list_dirs_pattern($1, proc_t, userhelper_t)
|
||||
+ rw_files_pattern($1, proc_t, usermodehelper_t)
|
||||
+ list_dirs_pattern($1, proc_t, usermodehelper_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Do not audit attempts to search the userhelper
|
||||
+## Do not audit attempts to search the usermodehelper
|
||||
+## state directory.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
|
|
@ -15797,17 +15760,17 @@ index e100d88..854e39d 100644
|
|||
+## </param>
|
||||
+##
|
||||
+#
|
||||
+interface(`kernel_dontaudit_search_userhelper_state',`
|
||||
+interface(`kernel_dontaudit_search_usermodehelper_state',`
|
||||
+ gen_require(`
|
||||
+ type userhelper_t;
|
||||
+ type usermodehelper_t;
|
||||
+ ')
|
||||
+
|
||||
+ dontaudit $1 userhelper_t:dir search;
|
||||
+ dontaudit $1 usermodehelper_t:dir search;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Allow searching of userhelper state directory.
|
||||
+## Allow searching of usermodehelper state directory.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
|
|
@ -15816,24 +15779,24 @@ index e100d88..854e39d 100644
|
|||
+## </param>
|
||||
+##
|
||||
+#
|
||||
+interface(`kernel_search_userhelper_state',`
|
||||
+interface(`kernel_search_usermodehelper_state',`
|
||||
+ gen_require(`
|
||||
+ type userhelper_t;
|
||||
+ type usermodehelper_t;
|
||||
+ ')
|
||||
+
|
||||
+ search_dirs_pattern($1, proc_t, userhelper_t)
|
||||
+ search_dirs_pattern($1, proc_t, usermodehelper_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read the userhelper state information.
|
||||
+## Read the usermodehelper state information.
|
||||
+## </summary>
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Allow the specified domain to read the userhelpering
|
||||
+## Allow the specified domain to read the usermodehelpering
|
||||
+## state information. This includes several pieces
|
||||
+## of userhelpering information, such as userhelper interface
|
||||
+## names, userhelperfilter (iptables) statistics, protocol
|
||||
+## of usermodehelpering information, such as usermodehelper interface
|
||||
+## names, usermodehelperfilter (iptables) statistics, protocol
|
||||
+## information, routes, and remote procedure call (RPC)
|
||||
+## information.
|
||||
+## </p>
|
||||
|
|
@ -15846,20 +15809,20 @@ index e100d88..854e39d 100644
|
|||
+## <infoflow type="read" weight="10"/>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`kernel_read_userhelper_state',`
|
||||
+interface(`kernel_read_usermodehelper_state',`
|
||||
+ gen_require(`
|
||||
+ type proc_t, userhelper_t;
|
||||
+ type proc_t, usermodehelper_t;
|
||||
+ ')
|
||||
+
|
||||
+ read_files_pattern($1, { proc_t userhelper_t }, userhelper_t)
|
||||
+ read_lnk_files_pattern($1, { proc_t userhelper_t }, userhelper_t)
|
||||
+ read_files_pattern($1, { proc_t usermodehelper_t }, usermodehelper_t)
|
||||
+ read_lnk_files_pattern($1, { proc_t usermodehelper_t }, usermodehelper_t)
|
||||
+
|
||||
+ list_dirs_pattern($1, proc_t, userhelper_t)
|
||||
+ list_dirs_pattern($1, proc_t, usermodehelper_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Allow caller to read the userhelper state symbolic links.
|
||||
+## Allow caller to read the usermodehelper state symbolic links.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
|
|
@ -15867,14 +15830,14 @@ index e100d88..854e39d 100644
|
|||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`kernel_read_userhelper_state_symlinks',`
|
||||
+interface(`kernel_read_usermodehelper_state_symlinks',`
|
||||
+ gen_require(`
|
||||
+ type proc_t, userhelper_t;
|
||||
+ type proc_t, usermodehelper_t;
|
||||
+ ')
|
||||
+
|
||||
+ read_lnk_files_pattern($1, { proc_t userhelper_t }, userhelper_t)
|
||||
+ read_lnk_files_pattern($1, { proc_t usermodehelper_t }, usermodehelper_t)
|
||||
+
|
||||
+ list_dirs_pattern($1, proc_t, userhelper_t)
|
||||
+ list_dirs_pattern($1, proc_t, usermodehelper_t)
|
||||
')
|
||||
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
|
||||
index 8dbab4c..4b6c9ad 100644
|
||||
|
|
@ -24130,7 +24093,7 @@ index 6bf0ecc..115c533 100644
|
|||
+ dontaudit $1 xserver_log_t:dir search_dir_perms;
|
||||
+')
|
||||
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
|
||||
index 8b40377..ea6dc13 100644
|
||||
index 8b40377..ef809dd 100644
|
||||
--- a/policy/modules/services/xserver.te
|
||||
+++ b/policy/modules/services/xserver.te
|
||||
@@ -26,28 +26,59 @@ gen_require(`
|
||||
|
|
@ -25174,7 +25137,7 @@ index 8b40377..ea6dc13 100644
|
|||
kernel_read_system_state(xserver_t)
|
||||
kernel_read_device_sysctls(xserver_t)
|
||||
-kernel_read_modprobe_sysctls(xserver_t)
|
||||
+kernel_read_usermodehelper(xserver_t)
|
||||
+kernel_read_usermodehelper_state(xserver_t)
|
||||
# Xorg wants to check if kernel is tainted
|
||||
kernel_read_kernel_sysctls(xserver_t)
|
||||
kernel_write_proc_files(xserver_t)
|
||||
|
|
@ -29131,7 +29094,7 @@ index 79a45f6..e1589ac 100644
|
|||
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
|
||||
+')
|
||||
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
||||
index 17eda24..b4a2519 100644
|
||||
index 17eda24..a627baf 100644
|
||||
--- a/policy/modules/system/init.te
|
||||
+++ b/policy/modules/system/init.te
|
||||
@@ -11,10 +11,31 @@ gen_require(`
|
||||
|
|
@ -29456,7 +29419,7 @@ index 17eda24..b4a2519 100644
|
|||
+kernel_read_network_state(init_t)
|
||||
+kernel_rw_all_sysctls(init_t)
|
||||
+kernel_rw_security_state(init_t)
|
||||
+kernel_rw_userhelper_state(init_t)
|
||||
+kernel_rw_usermodehelper_state(init_t)
|
||||
+kernel_read_software_raid_state(init_t)
|
||||
+kernel_unmount_debugfs(init_t)
|
||||
+kernel_setsched(init_t)
|
||||
|
|
@ -31094,7 +31057,7 @@ index c42fbc3..174cfdb 100644
|
|||
## <summary>
|
||||
## Set the attributes of iptables config files.
|
||||
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
|
||||
index be8ed1e..50b3d56 100644
|
||||
index be8ed1e..5e28da7 100644
|
||||
--- a/policy/modules/system/iptables.te
|
||||
+++ b/policy/modules/system/iptables.te
|
||||
@@ -16,15 +16,15 @@ role iptables_roles types iptables_t;
|
||||
|
|
@ -31137,7 +31100,7 @@ index be8ed1e..50b3d56 100644
|
|||
kernel_read_network_state(iptables_t)
|
||||
kernel_read_kernel_sysctls(iptables_t)
|
||||
-kernel_read_modprobe_sysctls(iptables_t)
|
||||
+kernel_read_usermodehelper(iptables_t)
|
||||
+kernel_read_usermodehelper_state(iptables_t)
|
||||
kernel_use_fds(iptables_t)
|
||||
|
||||
# needed by ipvsadm
|
||||
|
|
@ -34054,7 +34017,7 @@ index 7449974..28cb8a3 100644
|
|||
+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
|
||||
+')
|
||||
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
|
||||
index 7a363b8..70c672e 100644
|
||||
index 7a363b8..ba534ac 100644
|
||||
--- a/policy/modules/system/modutils.te
|
||||
+++ b/policy/modules/system/modutils.te
|
||||
@@ -5,7 +5,7 @@ policy_module(modutils, 1.14.0)
|
||||
|
|
@ -34196,7 +34159,7 @@ index 7a363b8..70c672e 100644
|
|||
kernel_read_kernel_sysctls(insmod_t)
|
||||
kernel_rw_kernel_sysctl(insmod_t)
|
||||
-kernel_read_hotplug_sysctls(insmod_t)
|
||||
+kernel_read_usermodehelper(insmod_t)
|
||||
+kernel_read_usermodehelper_state(insmod_t)
|
||||
kernel_setsched(insmod_t)
|
||||
|
||||
corecmd_exec_bin(insmod_t)
|
||||
|
|
@ -39950,7 +39913,7 @@ index 9a1650d..d7e8a01 100644
|
|||
|
||||
########################################
|
||||
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
|
||||
index 39f185f..5aa688d 100644
|
||||
index 39f185f..f5aa25f 100644
|
||||
--- a/policy/modules/system/udev.te
|
||||
+++ b/policy/modules/system/udev.te
|
||||
@@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t)
|
||||
|
|
@ -40031,7 +39994,7 @@ index 39f185f..5aa688d 100644
|
|||
+kernel_read_fs_sysctls(udev_t)
|
||||
kernel_read_kernel_sysctls(udev_t)
|
||||
-kernel_rw_hotplug_sysctls(udev_t)
|
||||
+kernel_rw_usermodehelper(udev_t)
|
||||
+kernel_rw_usermodehelper_state(udev_t)
|
||||
kernel_rw_unix_dgram_sockets(udev_t)
|
||||
kernel_dgram_send(udev_t)
|
||||
-kernel_signal(udev_t)
|
||||
|
|
|
|||
|
|
@ -10053,10 +10053,10 @@ index 0000000..de66654
|
|||
+')
|
||||
diff --git a/bumblebee.te b/bumblebee.te
|
||||
new file mode 100644
|
||||
index 0000000..3de0f69
|
||||
index 0000000..92e9d8b
|
||||
--- /dev/null
|
||||
+++ b/bumblebee.te
|
||||
@@ -0,0 +1,55 @@
|
||||
@@ -0,0 +1,56 @@
|
||||
+policy_module(bumblebee, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
|
|
@ -10094,6 +10094,7 @@ index 0000000..3de0f69
|
|||
+kernel_dontaudit_access_check_proc(bumblebee_t)
|
||||
+
|
||||
+corecmd_exec_shell(bumblebee_t)
|
||||
+corecmd_exec_bin(bumblebee_t)
|
||||
+
|
||||
+dev_read_sysfs(bumblebee_t)
|
||||
+
|
||||
|
|
@ -10965,7 +10966,7 @@ index a731122..5279d4e 100644
|
|||
')
|
||||
+
|
||||
diff --git a/cfengine.te b/cfengine.te
|
||||
index fbe3ad9..5fe3fdb 100644
|
||||
index fbe3ad9..21ab8e1 100644
|
||||
--- a/cfengine.te
|
||||
+++ b/cfengine.te
|
||||
@@ -41,18 +41,13 @@ create_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
|
||||
|
|
@ -10993,7 +10994,7 @@ index fbe3ad9..5fe3fdb 100644
|
|||
#
|
||||
|
||||
-kernel_read_hotplug_sysctls(cfengine_monitord_t)
|
||||
+kernel_read_usermodehelper(cfengine_monitord_t)
|
||||
+kernel_read_usermodehelper_state(cfengine_monitord_t)
|
||||
kernel_read_network_state(cfengine_monitord_t)
|
||||
|
||||
domain_read_all_domains_state(cfengine_monitord_t)
|
||||
|
|
@ -20963,7 +20964,7 @@ index 8ce99ff..0819898 100644
|
|||
+ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
|
||||
')
|
||||
diff --git a/devicekit.te b/devicekit.te
|
||||
index 77a5003..df3d66e 100644
|
||||
index 77a5003..73f2867 100644
|
||||
--- a/devicekit.te
|
||||
+++ b/devicekit.te
|
||||
@@ -7,15 +7,15 @@ policy_module(devicekit, 1.3.1)
|
||||
|
|
@ -21119,7 +21120,7 @@ index 77a5003..df3d66e 100644
|
|||
kernel_read_network_state(devicekit_power_t)
|
||||
kernel_read_system_state(devicekit_power_t)
|
||||
-kernel_rw_hotplug_sysctls(devicekit_power_t)
|
||||
+kernel_rw_usermodehelper(devicekit_power_t)
|
||||
+kernel_rw_usermodehelper_state(devicekit_power_t)
|
||||
kernel_rw_kernel_sysctl(devicekit_power_t)
|
||||
kernel_rw_vm_sysctls(devicekit_power_t)
|
||||
kernel_search_debugfs(devicekit_power_t)
|
||||
|
|
@ -36544,7 +36545,7 @@ index 5297064..6ba8108 100644
|
|||
domain_system_change_exemption($1)
|
||||
role_transition $2 kudzu_initrc_exec_t system_r;
|
||||
diff --git a/kudzu.te b/kudzu.te
|
||||
index 1664036..b7b07a3 100644
|
||||
index 1664036..51dd14f 100644
|
||||
--- a/kudzu.te
|
||||
+++ b/kudzu.te
|
||||
@@ -47,7 +47,7 @@ kernel_read_device_sysctls(kudzu_t)
|
||||
|
|
@ -36552,7 +36553,7 @@ index 1664036..b7b07a3 100644
|
|||
kernel_read_network_state(kudzu_t)
|
||||
kernel_read_system_state(kudzu_t)
|
||||
-kernel_rw_hotplug_sysctls(kudzu_t)
|
||||
+kernel_rw_usermodehelper(kudzu_t)
|
||||
+kernel_rw_usermodehelper_state(kudzu_t)
|
||||
kernel_rw_kernel_sysctl(kudzu_t)
|
||||
|
||||
corecmd_exec_all_executables(kudzu_t)
|
||||
|
|
@ -37857,7 +37858,7 @@ index dd8e01a..9cd6b0b 100644
|
|||
## <param name="domain">
|
||||
## <summary>
|
||||
diff --git a/logrotate.te b/logrotate.te
|
||||
index be0ab84..8c532a6 100644
|
||||
index be0ab84..e4d6e6f 100644
|
||||
--- a/logrotate.te
|
||||
+++ b/logrotate.te
|
||||
@@ -5,16 +5,14 @@ policy_module(logrotate, 1.15.0)
|
||||
|
|
@ -38085,7 +38086,7 @@ index be0ab84..8c532a6 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -228,10 +268,20 @@ optional_policy(`
|
||||
@@ -228,10 +268,21 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38099,6 +38100,7 @@ index be0ab84..8c532a6 100644
|
|||
+
|
||||
+optional_policy(`
|
||||
squid_domtrans(logrotate_t)
|
||||
+ squid_read_config(logrotate_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38106,7 +38108,7 @@ index be0ab84..8c532a6 100644
|
|||
su_exec(logrotate_t)
|
||||
')
|
||||
|
||||
@@ -241,13 +291,11 @@ optional_policy(`
|
||||
@@ -241,13 +292,11 @@ optional_policy(`
|
||||
|
||||
#######################################
|
||||
#
|
||||
|
|
@ -48722,7 +48724,7 @@ index db9578f..4309e3d 100644
|
|||
')
|
||||
+
|
||||
diff --git a/ncftool.te b/ncftool.te
|
||||
index 71f30ba..d177ab5 100644
|
||||
index 71f30ba..d616860 100644
|
||||
--- a/ncftool.te
|
||||
+++ b/ncftool.te
|
||||
@@ -22,13 +22,14 @@ role ncftool_roles types ncftool_t;
|
||||
|
|
@ -48737,7 +48739,7 @@ index 71f30ba..d177ab5 100644
|
|||
|
||||
kernel_read_kernel_sysctls(ncftool_t)
|
||||
-kernel_read_modprobe_sysctls(ncftool_t)
|
||||
+kernel_read_usermodehelper(ncftool_t)
|
||||
+kernel_read_usermodehelper_state(ncftool_t)
|
||||
kernel_read_network_state(ncftool_t)
|
||||
kernel_read_system_state(ncftool_t)
|
||||
kernel_request_load_module(ncftool_t)
|
||||
|
|
@ -93935,7 +93937,7 @@ index e29db63..061fb98 100644
|
|||
domain_system_change_exemption($1)
|
||||
role_transition $2 tuned_initrc_exec_t system_r;
|
||||
diff --git a/tuned.te b/tuned.te
|
||||
index 393a330..f30d191 100644
|
||||
index 393a330..fc018c1 100644
|
||||
--- a/tuned.te
|
||||
+++ b/tuned.te
|
||||
@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
|
||||
|
|
@ -93993,7 +93995,7 @@ index 393a330..f30d191 100644
|
|||
kernel_request_load_module(tuned_t)
|
||||
kernel_rw_kernel_sysctl(tuned_t)
|
||||
-kernel_rw_hotplug_sysctls(tuned_t)
|
||||
+kernel_rw_usermodehelper(tuned_t)
|
||||
+kernel_rw_usermodehelper_state(tuned_t)
|
||||
kernel_rw_vm_sysctls(tuned_t)
|
||||
+kernel_setsched(tuned_t)
|
||||
+kernel_rw_all_sysctls(tuned_t)
|
||||
|
|
|
|||
Loading…
Reference in New Issue