- fixes to allow /var/run and /var/lock as tmpfs
- Allow chrome sandbox to connect to web ports - Allow dovecot to listem on lmtp and sieve ports - Allov ddclient to search sysctl_net_t - Transition back to original domain if you execute the shell
This commit is contained in:
Miroslav Grepl
parent
b63541e55b
commit
954ef8ad92
241
policy-F15.patch
241
policy-F15.patch
|
|
@ -1985,10 +1985,10 @@ index 0000000..5ef90cd
|
|||
+
|
||||
diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
|
||||
new file mode 100644
|
||||
index 0000000..41a9493
|
||||
index 0000000..8dd672a
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/apps/chrome.te
|
||||
@@ -0,0 +1,93 @@
|
||||
@@ -0,0 +1,106 @@
|
||||
+policy_module(chrome,1.0.0)
|
||||
+
|
||||
+########################################
|
||||
|
|
@ -2035,6 +2035,19 @@ index 0000000..41a9493
|
|||
+
|
||||
+corecmd_exec_bin(chrome_sandbox_t)
|
||||
+
|
||||
+corenet_all_recvfrom_unlabeled(chrome_sandbox_t)
|
||||
+corenet_all_recvfrom_netlabel(chrome_sandbox_t)
|
||||
+corenet_tcp_connect_flash_port(chrome_sandbox_t)
|
||||
+corenet_tcp_connect_streaming_port(chrome_sandbox_t)
|
||||
+corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t)
|
||||
+corenet_tcp_connect_http_port(chrome_sandbox_t)
|
||||
+corenet_tcp_connect_http_cache_port(chrome_sandbox_t)
|
||||
+corenet_tcp_connect_squid_port(chrome_sandbox_t)
|
||||
+corenet_tcp_sendrecv_generic_if(chrome_sandbox_t)
|
||||
+corenet_tcp_sendrecv_generic_node(chrome_sandbox_t)
|
||||
+corenet_tcp_connect_ipp_port(chrome_sandbox_t)
|
||||
+corenet_tcp_connect_speech_port(chrome_sandbox_t)
|
||||
+
|
||||
+domain_dontaudit_read_all_domains_state(chrome_sandbox_t)
|
||||
+
|
||||
+dev_read_urand(chrome_sandbox_t)
|
||||
|
|
@ -2055,7 +2068,7 @@ index 0000000..41a9493
|
|||
+miscfiles_read_localization(chrome_sandbox_t)
|
||||
+miscfiles_read_fonts(chrome_sandbox_t)
|
||||
+
|
||||
+sysnet_dontaudit_read_config(chrome_sandbox_t)
|
||||
+sysnet_dns_name_resolve(chrome_sandbox_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ execmem_exec(chrome_sandbox_t)
|
||||
|
|
@ -18968,7 +18981,7 @@ index e182bf4..f80e725 100644
|
|||
snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
|
||||
snmp_stream_connect(cyrus_t)
|
||||
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
|
||||
index 0d5711c..72fe7a8 100644
|
||||
index 0d5711c..3874025 100644
|
||||
--- a/policy/modules/services/dbus.if
|
||||
+++ b/policy/modules/services/dbus.if
|
||||
@@ -41,9 +41,9 @@ interface(`dbus_stub',`
|
||||
|
|
@ -19002,7 +19015,7 @@ index 0d5711c..72fe7a8 100644
|
|||
allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
|
||||
|
||||
allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
|
||||
@@ -88,14 +87,15 @@ template(`dbus_role_template',`
|
||||
@@ -88,14 +87,16 @@ template(`dbus_role_template',`
|
||||
files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
|
||||
|
||||
domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
|
||||
|
|
@ -19014,6 +19027,7 @@ index 0d5711c..72fe7a8 100644
|
|||
# cjp: this seems very broken
|
||||
- corecmd_bin_domtrans($1_dbusd_t, $3)
|
||||
+ corecmd_bin_domtrans($1_dbusd_t, $1_t)
|
||||
+ corecmd_shell_domtrans($1_dbusd_t, $1_t)
|
||||
allow $1_dbusd_t $3:process sigkill;
|
||||
allow $3 $1_dbusd_t:fd use;
|
||||
allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
|
||||
|
|
@ -19021,7 +19035,7 @@ index 0d5711c..72fe7a8 100644
|
|||
|
||||
kernel_read_system_state($1_dbusd_t)
|
||||
kernel_read_kernel_sysctls($1_dbusd_t)
|
||||
@@ -116,7 +116,7 @@ template(`dbus_role_template',`
|
||||
@@ -116,7 +117,7 @@ template(`dbus_role_template',`
|
||||
|
||||
dev_read_urand($1_dbusd_t)
|
||||
|
||||
|
|
@ -19030,7 +19044,7 @@ index 0d5711c..72fe7a8 100644
|
|||
domain_read_all_domains_state($1_dbusd_t)
|
||||
|
||||
files_read_etc_files($1_dbusd_t)
|
||||
@@ -149,17 +149,25 @@ template(`dbus_role_template',`
|
||||
@@ -149,17 +150,25 @@ template(`dbus_role_template',`
|
||||
|
||||
term_use_all_terms($1_dbusd_t)
|
||||
|
||||
|
|
@ -19058,7 +19072,7 @@ index 0d5711c..72fe7a8 100644
|
|||
xserver_use_xdm_fds($1_dbusd_t)
|
||||
xserver_rw_xdm_pipes($1_dbusd_t)
|
||||
')
|
||||
@@ -181,10 +189,12 @@ interface(`dbus_system_bus_client',`
|
||||
@@ -181,10 +190,12 @@ interface(`dbus_system_bus_client',`
|
||||
type system_dbusd_t, system_dbusd_t;
|
||||
type system_dbusd_var_run_t, system_dbusd_var_lib_t;
|
||||
class dbus send_msg;
|
||||
|
|
@ -19071,7 +19085,7 @@ index 0d5711c..72fe7a8 100644
|
|||
|
||||
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
|
||||
files_search_var_lib($1)
|
||||
@@ -431,14 +441,28 @@ interface(`dbus_system_domain',`
|
||||
@@ -431,14 +442,28 @@ interface(`dbus_system_domain',`
|
||||
|
||||
domtrans_pattern(system_dbusd_t, $2, $1)
|
||||
|
||||
|
|
@ -19101,7 +19115,7 @@ index 0d5711c..72fe7a8 100644
|
|||
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
|
||||
')
|
||||
')
|
||||
@@ -497,3 +521,22 @@ interface(`dbus_unconfined',`
|
||||
@@ -497,3 +522,22 @@ interface(`dbus_unconfined',`
|
||||
|
||||
typeattribute $1 dbusd_unconfined;
|
||||
')
|
||||
|
|
@ -19207,7 +19221,7 @@ index 0a1a61b..da508f4 100644
|
|||
|
||||
allow $1 ddclient_t:process { ptrace signal_perms };
|
||||
diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te
|
||||
index 24ba98a..41559cf 100644
|
||||
index 24ba98a..b8d064a 100644
|
||||
--- a/policy/modules/services/ddclient.te
|
||||
+++ b/policy/modules/services/ddclient.te
|
||||
@@ -18,6 +18,9 @@ init_script_file(ddclient_initrc_exec_t)
|
||||
|
|
@ -19239,7 +19253,15 @@ index 24ba98a..41559cf 100644
|
|||
manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
|
||||
manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
|
||||
manage_lnk_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
|
||||
@@ -74,6 +82,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
|
||||
@@ -62,6 +70,7 @@ kernel_read_software_raid_state(ddclient_t)
|
||||
kernel_getattr_core_if(ddclient_t)
|
||||
kernel_getattr_message_if(ddclient_t)
|
||||
kernel_read_kernel_sysctls(ddclient_t)
|
||||
+kernel_search_network_sysctl(ddclient_t)
|
||||
|
||||
corecmd_exec_shell(ddclient_t)
|
||||
corecmd_exec_bin(ddclient_t)
|
||||
@@ -74,6 +83,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
|
||||
corenet_udp_sendrecv_generic_node(ddclient_t)
|
||||
corenet_tcp_sendrecv_all_ports(ddclient_t)
|
||||
corenet_udp_sendrecv_all_ports(ddclient_t)
|
||||
|
|
@ -19248,7 +19270,7 @@ index 24ba98a..41559cf 100644
|
|||
corenet_tcp_connect_all_ports(ddclient_t)
|
||||
corenet_sendrecv_all_client_packets(ddclient_t)
|
||||
|
||||
@@ -89,6 +99,8 @@ files_read_usr_files(ddclient_t)
|
||||
@@ -89,6 +100,8 @@ files_read_usr_files(ddclient_t)
|
||||
fs_getattr_all_fs(ddclient_t)
|
||||
fs_search_auto_mountpoints(ddclient_t)
|
||||
|
||||
|
|
@ -19445,7 +19467,7 @@ index f706b99..c1ba3f2 100644
|
|||
')
|
||||
+
|
||||
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
|
||||
index f231f17..3aaa784 100644
|
||||
index f231f17..14921ca 100644
|
||||
--- a/policy/modules/services/devicekit.te
|
||||
+++ b/policy/modules/services/devicekit.te
|
||||
@@ -75,10 +75,12 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
|
||||
|
|
@ -19473,7 +19495,7 @@ index f231f17..3aaa784 100644
|
|||
files_manage_isid_type_dirs(devicekit_disk_t)
|
||||
files_manage_mnt_dirs(devicekit_disk_t)
|
||||
files_read_etc_files(devicekit_disk_t)
|
||||
@@ -178,25 +182,37 @@ optional_policy(`
|
||||
@@ -178,25 +182,41 @@ optional_policy(`
|
||||
virt_manage_images(devicekit_disk_t)
|
||||
')
|
||||
|
||||
|
|
@ -19503,6 +19525,10 @@ index f231f17..3aaa784 100644
|
|||
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
|
||||
files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
|
||||
|
||||
+manage_files_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
|
||||
+manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
|
||||
+files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, dir)
|
||||
+
|
||||
+kernel_read_fs_sysctls(devicekit_power_t)
|
||||
kernel_read_network_state(devicekit_power_t)
|
||||
kernel_read_system_state(devicekit_power_t)
|
||||
|
|
@ -19512,7 +19538,7 @@ index f231f17..3aaa784 100644
|
|||
kernel_search_debugfs(devicekit_power_t)
|
||||
kernel_write_proc_files(devicekit_power_t)
|
||||
|
||||
@@ -212,12 +228,16 @@ dev_rw_generic_usb_dev(devicekit_power_t)
|
||||
@@ -212,12 +232,16 @@ dev_rw_generic_usb_dev(devicekit_power_t)
|
||||
dev_rw_generic_chr_files(devicekit_power_t)
|
||||
dev_rw_netcontrol(devicekit_power_t)
|
||||
dev_rw_sysfs(devicekit_power_t)
|
||||
|
|
@ -19529,7 +19555,7 @@ index f231f17..3aaa784 100644
|
|||
|
||||
term_use_all_terms(devicekit_power_t)
|
||||
|
||||
@@ -225,8 +245,11 @@ auth_use_nsswitch(devicekit_power_t)
|
||||
@@ -225,8 +249,11 @@ auth_use_nsswitch(devicekit_power_t)
|
||||
|
||||
miscfiles_read_localization(devicekit_power_t)
|
||||
|
||||
|
|
@ -19541,7 +19567,7 @@ index f231f17..3aaa784 100644
|
|||
|
||||
userdom_read_all_users_state(devicekit_power_t)
|
||||
|
||||
@@ -261,6 +284,10 @@ optional_policy(`
|
||||
@@ -261,6 +288,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -19552,7 +19578,7 @@ index f231f17..3aaa784 100644
|
|||
hal_domtrans_mac(devicekit_power_t)
|
||||
hal_manage_log(devicekit_power_t)
|
||||
hal_manage_pid_dirs(devicekit_power_t)
|
||||
@@ -269,6 +296,10 @@ optional_policy(`
|
||||
@@ -269,6 +300,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -19563,7 +19589,7 @@ index f231f17..3aaa784 100644
|
|||
policykit_dbus_chat(devicekit_power_t)
|
||||
policykit_domtrans_auth(devicekit_power_t)
|
||||
policykit_read_lib(devicekit_power_t)
|
||||
@@ -276,9 +307,21 @@ optional_policy(`
|
||||
@@ -276,9 +311,21 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -20327,10 +20353,21 @@ index 9bd812b..c808b31 100644
|
|||
')
|
||||
|
||||
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
|
||||
index fdaeeba..1f6f6f3 100644
|
||||
index fdaeeba..c516b94 100644
|
||||
--- a/policy/modules/services/dnsmasq.te
|
||||
+++ b/policy/modules/services/dnsmasq.te
|
||||
@@ -96,10 +96,18 @@ optional_policy(`
|
||||
@@ -48,8 +48,9 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
|
||||
manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t)
|
||||
logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file)
|
||||
|
||||
+manage_dirs_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
|
||||
manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
|
||||
-files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file)
|
||||
+files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
|
||||
|
||||
kernel_read_kernel_sysctls(dnsmasq_t)
|
||||
kernel_read_system_state(dnsmasq_t)
|
||||
@@ -96,10 +97,18 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -20349,6 +20386,12 @@ index fdaeeba..1f6f6f3 100644
|
|||
seutil_sigchld_newrole(dnsmasq_t)
|
||||
')
|
||||
|
||||
@@ -114,4 +123,5 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
virt_manage_lib_files(dnsmasq_t)
|
||||
virt_read_pid_files(dnsmasq_t)
|
||||
+ virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
|
||||
')
|
||||
diff --git a/policy/modules/services/dovecot.fc b/policy/modules/services/dovecot.fc
|
||||
index bfc880b..9a1dcba 100644
|
||||
--- a/policy/modules/services/dovecot.fc
|
||||
|
|
@ -20431,7 +20474,7 @@ index e1d7dc5..ee51a19 100644
|
|||
admin_pattern($1, dovecot_var_run_t)
|
||||
|
||||
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
|
||||
index cbe14e4..e74c9fe 100644
|
||||
index cbe14e4..da1c6bf 100644
|
||||
--- a/policy/modules/services/dovecot.te
|
||||
+++ b/policy/modules/services/dovecot.te
|
||||
@@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
|
||||
|
|
@ -20485,7 +20528,16 @@ index cbe14e4..e74c9fe 100644
|
|||
|
||||
kernel_read_kernel_sysctls(dovecot_t)
|
||||
kernel_read_system_state(dovecot_t)
|
||||
@@ -159,6 +164,11 @@ optional_policy(`
|
||||
@@ -110,6 +115,8 @@ corenet_tcp_sendrecv_all_ports(dovecot_t)
|
||||
corenet_tcp_bind_generic_node(dovecot_t)
|
||||
corenet_tcp_bind_mail_port(dovecot_t)
|
||||
corenet_tcp_bind_pop_port(dovecot_t)
|
||||
+corenet_tcp_bind_lmtp_port(dovecot_t)
|
||||
+corenet_tcp_bind_sieve_port(dovecot_t)
|
||||
corenet_tcp_connect_all_ports(dovecot_t)
|
||||
corenet_tcp_connect_postgresql_port(dovecot_t)
|
||||
corenet_sendrecv_pop_server_packets(dovecot_t)
|
||||
@@ -159,6 +166,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -20497,7 +20549,7 @@ index cbe14e4..e74c9fe 100644
|
|||
postgresql_stream_connect(dovecot_t)
|
||||
')
|
||||
|
||||
@@ -179,7 +189,7 @@ optional_policy(`
|
||||
@@ -179,7 +191,7 @@ optional_policy(`
|
||||
# dovecot auth local policy
|
||||
#
|
||||
|
||||
|
|
@ -20506,7 +20558,7 @@ index cbe14e4..e74c9fe 100644
|
|||
allow dovecot_auth_t self:process { signal_perms getcap setcap };
|
||||
allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
|
||||
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
|
||||
@@ -189,6 +199,8 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
|
||||
@@ -189,6 +201,8 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
|
||||
|
||||
read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
|
||||
|
||||
|
|
@ -20515,7 +20567,7 @@ index cbe14e4..e74c9fe 100644
|
|||
manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
|
||||
manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
|
||||
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
|
||||
@@ -242,6 +254,7 @@ optional_policy(`
|
||||
@@ -242,6 +256,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -20523,7 +20575,7 @@ index cbe14e4..e74c9fe 100644
|
|||
postfix_search_spool(dovecot_auth_t)
|
||||
')
|
||||
|
||||
@@ -253,19 +266,33 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
|
||||
@@ -253,19 +268,33 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
allow dovecot_deliver_t dovecot_t:process signull;
|
||||
|
||||
|
|
@ -20559,7 +20611,7 @@ index cbe14e4..e74c9fe 100644
|
|||
|
||||
miscfiles_read_localization(dovecot_deliver_t)
|
||||
|
||||
@@ -302,4 +329,5 @@ tunable_policy(`use_samba_home_dirs',`
|
||||
@@ -302,4 +331,5 @@ tunable_policy(`use_samba_home_dirs',`
|
||||
|
||||
optional_policy(`
|
||||
mta_manage_spool(dovecot_deliver_t)
|
||||
|
|
@ -27493,10 +27545,10 @@ index 0000000..6403c17
|
|||
+')
|
||||
diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te
|
||||
new file mode 100644
|
||||
index 0000000..6b69f38
|
||||
index 0000000..6716b5e
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/services/piranha.te
|
||||
@@ -0,0 +1,214 @@
|
||||
@@ -0,0 +1,219 @@
|
||||
+policy_module(piranha, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
|
|
@ -27620,6 +27672,11 @@ index 0000000..6b69f38
|
|||
+ sasl_connect(piranha_web_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ snmp_dontaudit_read_snmp_var_lib_files(piranha_web_t)
|
||||
+ snmp_dontaudit_write_snmp_var_lib_files(piranha_web_t)
|
||||
+')
|
||||
+
|
||||
+######################################
|
||||
+#
|
||||
+# piranha-lvs local policy
|
||||
|
|
@ -35874,7 +35931,7 @@ index 2124b6a..6546d6e 100644
|
|||
|
||||
/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
|
||||
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
|
||||
index 7c5d8d8..dbdc0e0 100644
|
||||
index 7c5d8d8..2ac9e34 100644
|
||||
--- a/policy/modules/services/virt.if
|
||||
+++ b/policy/modules/services/virt.if
|
||||
@@ -14,13 +14,14 @@
|
||||
|
|
@ -36005,7 +36062,44 @@ index 7c5d8d8..dbdc0e0 100644
|
|||
## Read virt PID files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -308,6 +316,24 @@ interface(`virt_read_lib_files',`
|
||||
@@ -269,6 +277,36 @@ interface(`virt_manage_pid_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## Create objects in the pid directory
|
||||
+## with a private type with a type transition.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="file">
|
||||
+## <summary>
|
||||
+## Type to which the created node will be transitioned.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="class">
|
||||
+## <summary>
|
||||
+## Object class(es) (single or set including {}) for which this
|
||||
+## the transition will occur.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`virt_pid_filetrans',`
|
||||
+ gen_require(`
|
||||
+ type virt_vaar_run_t;
|
||||
+ ')
|
||||
+
|
||||
+ filetrans_pattern($1, virt_var_run_t, $2, $3)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Search virt lib directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -308,6 +346,24 @@ interface(`virt_read_lib_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -36030,7 +36124,7 @@ index 7c5d8d8..dbdc0e0 100644
|
|||
## Create, read, write, and delete
|
||||
## virt lib files.
|
||||
## </summary>
|
||||
@@ -352,9 +378,9 @@ interface(`virt_read_log',`
|
||||
@@ -352,9 +408,9 @@ interface(`virt_read_log',`
|
||||
## virt log files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
|
|
@ -36042,7 +36136,7 @@ index 7c5d8d8..dbdc0e0 100644
|
|||
## </param>
|
||||
#
|
||||
interface(`virt_append_log',`
|
||||
@@ -424,6 +450,24 @@ interface(`virt_read_images',`
|
||||
@@ -424,6 +480,24 @@ interface(`virt_read_images',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -36067,7 +36161,7 @@ index 7c5d8d8..dbdc0e0 100644
|
|||
## Create, read, write, and delete
|
||||
## svirt cache files.
|
||||
## </summary>
|
||||
@@ -433,15 +477,15 @@ interface(`virt_read_images',`
|
||||
@@ -433,15 +507,15 @@ interface(`virt_read_images',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
|
@ -36088,7 +36182,7 @@ index 7c5d8d8..dbdc0e0 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -516,3 +560,51 @@ interface(`virt_admin',`
|
||||
@@ -516,3 +590,51 @@ interface(`virt_admin',`
|
||||
|
||||
virt_manage_log($1)
|
||||
')
|
||||
|
|
@ -40736,7 +40830,7 @@ index df3fa64..36da732 100644
|
|||
+ allow $1 init_t:unix_dgram_socket sendto;
|
||||
+')
|
||||
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
||||
index 8a105fd..2981ece 100644
|
||||
index 8a105fd..334ddd0 100644
|
||||
--- a/policy/modules/system/init.te
|
||||
+++ b/policy/modules/system/init.te
|
||||
@@ -16,6 +16,27 @@ gen_require(`
|
||||
|
|
@ -40932,7 +41026,7 @@ index 8a105fd..2981ece 100644
|
|||
+
|
||||
+ # Permissions for systemd-tmpfiles, needs its own policy.
|
||||
+ files_relabel_all_lock_dirs(init_t)
|
||||
+ files_relabel_all_pid_files(init_t)
|
||||
+ files_relabel_all_pid_dirs(init_t)
|
||||
+ files_relabel_all_pid_files(init_t)
|
||||
+ files_manage_all_pids(init_t)
|
||||
+ files_manage_all_locks(init_t)
|
||||
|
|
@ -42748,7 +42842,7 @@ index 58bc27f..b4f0663 100644
|
|||
+ allow $1 clvmd_tmpfs_t:file rw_file_perms;
|
||||
+')
|
||||
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
|
||||
index 86ef2da..7f649d5 100644
|
||||
index 86ef2da..f1fe005 100644
|
||||
--- a/policy/modules/system/lvm.te
|
||||
+++ b/policy/modules/system/lvm.te
|
||||
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
|
||||
|
|
@ -42792,7 +42886,18 @@ index 86ef2da..7f649d5 100644
|
|||
allow lvm_t self:file rw_file_perms;
|
||||
allow lvm_t self:fifo_file manage_fifo_file_perms;
|
||||
allow lvm_t self:unix_dgram_socket create_socket_perms;
|
||||
@@ -210,12 +223,15 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file)
|
||||
@@ -190,8 +203,9 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
|
||||
can_exec(lvm_t, lvm_exec_t)
|
||||
|
||||
# Creating lock files
|
||||
+manage_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
|
||||
manage_files_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
|
||||
-files_lock_filetrans(lvm_t, lvm_lock_t, file)
|
||||
+files_lock_filetrans(lvm_t, lvm_lock_t, { file dir })
|
||||
|
||||
manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
|
||||
manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
|
||||
@@ -210,12 +224,15 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file)
|
||||
files_etc_filetrans(lvm_t, lvm_metadata_t, file)
|
||||
files_search_mnt(lvm_t)
|
||||
|
||||
|
|
@ -42808,7 +42913,7 @@ index 86ef2da..7f649d5 100644
|
|||
kernel_search_debugfs(lvm_t)
|
||||
|
||||
corecmd_exec_bin(lvm_t)
|
||||
@@ -242,6 +258,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
|
||||
@@ -242,6 +259,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
|
||||
dev_dontaudit_getattr_generic_blk_files(lvm_t)
|
||||
dev_dontaudit_getattr_generic_pipes(lvm_t)
|
||||
dev_create_generic_dirs(lvm_t)
|
||||
|
|
@ -42816,7 +42921,7 @@ index 86ef2da..7f649d5 100644
|
|||
|
||||
domain_use_interactive_fds(lvm_t)
|
||||
domain_read_all_domains_state(lvm_t)
|
||||
@@ -251,8 +268,9 @@ files_read_etc_files(lvm_t)
|
||||
@@ -251,8 +269,9 @@ files_read_etc_files(lvm_t)
|
||||
files_read_etc_runtime_files(lvm_t)
|
||||
# for when /usr is not mounted:
|
||||
files_dontaudit_search_isid_type_dirs(lvm_t)
|
||||
|
|
@ -42827,7 +42932,7 @@ index 86ef2da..7f649d5 100644
|
|||
fs_search_auto_mountpoints(lvm_t)
|
||||
fs_list_tmpfs(lvm_t)
|
||||
fs_read_tmpfs_symlinks(lvm_t)
|
||||
@@ -262,6 +280,7 @@ fs_rw_anon_inodefs_files(lvm_t)
|
||||
@@ -262,6 +281,7 @@ fs_rw_anon_inodefs_files(lvm_t)
|
||||
|
||||
mls_file_read_all_levels(lvm_t)
|
||||
mls_file_write_to_clearance(lvm_t)
|
||||
|
|
@ -42835,7 +42940,7 @@ index 86ef2da..7f649d5 100644
|
|||
|
||||
selinux_get_fs_mount(lvm_t)
|
||||
selinux_validate_context(lvm_t)
|
||||
@@ -309,6 +328,11 @@ ifdef(`distro_redhat',`
|
||||
@@ -309,6 +329,11 @@ ifdef(`distro_redhat',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -42847,7 +42952,7 @@ index 86ef2da..7f649d5 100644
|
|||
bootloader_rw_tmp_files(lvm_t)
|
||||
')
|
||||
|
||||
@@ -329,6 +353,10 @@ optional_policy(`
|
||||
@@ -329,6 +354,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -43298,7 +43403,7 @@ index 8b5c196..b195f9d 100644
|
|||
+ role $2 types showmount_t;
|
||||
')
|
||||
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
|
||||
index 6fe8471..be5821a 100644
|
||||
index 6fe8471..139e2c9 100644
|
||||
--- a/policy/modules/system/mount.te
|
||||
+++ b/policy/modules/system/mount.te
|
||||
@@ -17,8 +17,15 @@ type mount_exec_t;
|
||||
|
|
@ -43348,7 +43453,7 @@ index 6fe8471..be5821a 100644
|
|||
|
||||
allow mount_t mount_loopback_t:file read_file_perms;
|
||||
|
||||
@@ -46,8 +68,23 @@ can_exec(mount_t, mount_exec_t)
|
||||
@@ -46,59 +68,96 @@ can_exec(mount_t, mount_exec_t)
|
||||
|
||||
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
|
||||
|
||||
|
|
@ -43365,14 +43470,14 @@ index 6fe8471..be5821a 100644
|
|||
kernel_read_system_state(mount_t)
|
||||
+kernel_read_network_state(mount_t)
|
||||
kernel_read_kernel_sysctls(mount_t)
|
||||
-kernel_dontaudit_getattr_core_if(mount_t)
|
||||
+kernel_manage_debugfs(mount_t)
|
||||
+kernel_setsched(mount_t)
|
||||
+kernel_use_fds(mount_t)
|
||||
+kernel_request_load_module(mount_t)
|
||||
kernel_dontaudit_getattr_core_if(mount_t)
|
||||
kernel_dontaudit_write_debugfs_dirs(mount_t)
|
||||
kernel_dontaudit_write_proc_dirs(mount_t)
|
||||
@@ -55,46 +92,68 @@ kernel_dontaudit_write_proc_dirs(mount_t)
|
||||
|
||||
# required for mount.smbfs
|
||||
corecmd_exec_bin(mount_t)
|
||||
|
||||
|
|
@ -43381,7 +43486,6 @@ index 6fe8471..be5821a 100644
|
|||
dev_list_all_dev_nodes(mount_t)
|
||||
+dev_read_usbfs(mount_t)
|
||||
+dev_read_rand(mount_t)
|
||||
+dev_read_sysfs(mount_t)
|
||||
dev_read_sysfs(mount_t)
|
||||
dev_dontaudit_write_sysfs_dirs(mount_t)
|
||||
dev_rw_lvm_control(mount_t)
|
||||
|
|
@ -43422,6 +43526,7 @@ index 6fe8471..be5821a 100644
|
|||
# For reading cert files
|
||||
files_read_usr_files(mount_t)
|
||||
files_list_mnt(mount_t)
|
||||
+files_write_all_dirs(mount_t)
|
||||
files_dontaudit_write_root_dirs(mount_t)
|
||||
|
||||
-fs_getattr_xattr_fs(mount_t)
|
||||
|
|
@ -43446,7 +43551,14 @@ index 6fe8471..be5821a 100644
|
|||
+fs_manage_cgroup_files(mount_t)
|
||||
fs_dontaudit_write_tmpfs_dirs(mount_t)
|
||||
|
||||
mls_file_read_all_levels(mount_t)
|
||||
-mls_file_read_all_levels(mount_t)
|
||||
-mls_file_write_all_levels(mount_t)
|
||||
+mls_file_read_to_clearance(mount_t)
|
||||
+mls_file_write_to_clearance(mount_t)
|
||||
+mls_process_write_to_clearance(mount_t)
|
||||
|
||||
selinux_get_enforce_mode(mount_t)
|
||||
|
||||
@@ -106,6 +165,7 @@ storage_raw_read_fixed_disk(mount_t)
|
||||
storage_raw_write_fixed_disk(mount_t)
|
||||
storage_raw_read_removable_device(mount_t)
|
||||
|
|
@ -48808,19 +48920,20 @@ index 22ca011..df6b5de 100644
|
|||
|
||||
#
|
||||
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
|
||||
index f7380b3..cabc009 100644
|
||||
index f7380b3..51867f6 100644
|
||||
--- a/policy/support/obj_perm_sets.spt
|
||||
+++ b/policy/support/obj_perm_sets.spt
|
||||
@@ -28,7 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
|
||||
@@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
|
||||
#
|
||||
# All socket classes.
|
||||
#
|
||||
-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
|
||||
-
|
||||
+define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
|
||||
|
||||
|
||||
#
|
||||
@@ -105,7 +105,7 @@ define(`mount_fs_perms', `{ mount remount unmount getattr }')
|
||||
# Datagram socket classes.
|
||||
@@ -105,7 +104,7 @@ define(`mount_fs_perms', `{ mount remount unmount getattr }')
|
||||
#
|
||||
# Permissions for using sockets.
|
||||
#
|
||||
|
|
@ -48829,7 +48942,7 @@ index f7380b3..cabc009 100644
|
|||
|
||||
#
|
||||
# Permissions for creating and using sockets.
|
||||
@@ -199,12 +199,14 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
|
||||
@@ -199,12 +198,14 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
|
||||
#
|
||||
define(`getattr_file_perms',`{ getattr }')
|
||||
define(`setattr_file_perms',`{ setattr }')
|
||||
|
|
@ -48846,7 +48959,7 @@ index f7380b3..cabc009 100644
|
|||
define(`create_file_perms',`{ getattr create open }')
|
||||
define(`rename_file_perms',`{ getattr rename }')
|
||||
define(`delete_file_perms',`{ getattr unlink }')
|
||||
@@ -225,7 +227,7 @@ define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
|
||||
@@ -225,7 +226,7 @@ define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
|
||||
define(`create_lnk_file_perms',`{ create getattr }')
|
||||
define(`rename_lnk_file_perms',`{ getattr rename }')
|
||||
define(`delete_lnk_file_perms',`{ getattr unlink }')
|
||||
|
|
@ -48855,7 +48968,7 @@ index f7380b3..cabc009 100644
|
|||
define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
|
||||
define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
|
||||
define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
|
||||
@@ -238,7 +240,8 @@ define(`setattr_fifo_file_perms',`{ setattr }')
|
||||
@@ -238,7 +239,8 @@ define(`setattr_fifo_file_perms',`{ setattr }')
|
||||
define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
|
||||
define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
|
||||
define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
|
||||
|
|
@ -48865,7 +48978,7 @@ index f7380b3..cabc009 100644
|
|||
define(`create_fifo_file_perms',`{ getattr create open }')
|
||||
define(`rename_fifo_file_perms',`{ getattr rename }')
|
||||
define(`delete_fifo_file_perms',`{ getattr unlink }')
|
||||
@@ -254,7 +257,8 @@ define(`getattr_sock_file_perms',`{ getattr }')
|
||||
@@ -254,7 +256,8 @@ define(`getattr_sock_file_perms',`{ getattr }')
|
||||
define(`setattr_sock_file_perms',`{ setattr }')
|
||||
define(`read_sock_file_perms',`{ getattr open read }')
|
||||
define(`write_sock_file_perms',`{ getattr write open append }')
|
||||
|
|
@ -48875,7 +48988,7 @@ index f7380b3..cabc009 100644
|
|||
define(`create_sock_file_perms',`{ getattr create open }')
|
||||
define(`rename_sock_file_perms',`{ getattr rename }')
|
||||
define(`delete_sock_file_perms',`{ getattr unlink }')
|
||||
@@ -271,7 +275,8 @@ define(`setattr_blk_file_perms',`{ setattr }')
|
||||
@@ -271,7 +274,8 @@ define(`setattr_blk_file_perms',`{ setattr }')
|
||||
define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
|
||||
define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
|
||||
define(`write_blk_file_perms',`{ getattr open write append lock ioctl }')
|
||||
|
|
@ -48885,7 +48998,7 @@ index f7380b3..cabc009 100644
|
|||
define(`create_blk_file_perms',`{ getattr create }')
|
||||
define(`rename_blk_file_perms',`{ getattr rename }')
|
||||
define(`delete_blk_file_perms',`{ getattr unlink }')
|
||||
@@ -288,7 +293,8 @@ define(`setattr_chr_file_perms',`{ setattr }')
|
||||
@@ -288,7 +292,8 @@ define(`setattr_chr_file_perms',`{ setattr }')
|
||||
define(`read_chr_file_perms',`{ getattr open read lock ioctl }')
|
||||
define(`append_chr_file_perms',`{ getattr open append lock ioctl }')
|
||||
define(`write_chr_file_perms',`{ getattr open write append lock ioctl }')
|
||||
|
|
@ -48895,7 +49008,7 @@ index f7380b3..cabc009 100644
|
|||
define(`create_chr_file_perms',`{ getattr create }')
|
||||
define(`rename_chr_file_perms',`{ getattr rename }')
|
||||
define(`delete_chr_file_perms',`{ getattr unlink }')
|
||||
@@ -305,7 +311,8 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
|
||||
@@ -305,7 +310,8 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
|
||||
#
|
||||
# Use (read and write) terminals
|
||||
#
|
||||
|
|
@ -48905,7 +49018,7 @@ index f7380b3..cabc009 100644
|
|||
|
||||
#
|
||||
# Sockets
|
||||
@@ -317,3 +324,14 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept
|
||||
@@ -317,3 +323,14 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept
|
||||
# Keys
|
||||
#
|
||||
define(`manage_key_perms', `{ create link read search setattr view write } ')
|
||||
|
|
|
|||
|
|
@ -21,7 +21,7 @@
|
|||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.9.10
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
|
|
@ -471,6 +471,13 @@ exit 0
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Nov 30 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.10-3
|
||||
- fixes to allow /var/run and /var/lock as tmpfs
|
||||
- Allow chrome sandbox to connect to web ports
|
||||
- Allow dovecot to listem on lmtp and sieve ports
|
||||
- Allov ddclient to search sysctl_net_t
|
||||
- Transition back to original domain if you execute the shell
|
||||
|
||||
* Thu Nov 25 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.10-2
|
||||
- Remove duplicate declaration
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue