* Tue Jun 28 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-199
- Label /var/lib/softhsm as named_cache_t. Allow named_t to manage named_cache_t dirs. - Allow glusterd daemon to get systemd status - Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib - Merge pull request #135 from rhatdan/rawip_socket - Allow logrotate dbus-chat with system_logind daemon - Allow pcp_pmlogger to read kernel network state Allow pcp_pmcd to read cron pid files - Add interface cron_read_pid_files() - Allow pcp_pmlogger to create unix dgram sockets - Add interface dirsrv_run() - Remove non-existing jabberd_spool_t() interface and add new jabbertd_var_spool_t. - Remove non-existing interface salk_resetd_systemctl() and replace it with sanlock_systemctl_sanlk_resetd() - Create label for openhpid log files. - Container processes need to be able to listen on rawip sockets - Label /var/lib/ganglia as httpd_var_lib_t - Allow firewalld_t to create entries in net_conf_t dirs. - Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journals - Label /etc/dhcp/scripts dir as bin_t - Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals.
This commit is contained in:
Lukas Vrabec
parent
8037d64672
commit
962020bfff
Binary file not shown.
|
|
@ -3535,7 +3535,7 @@ index 7590165..d81185e 100644
|
|||
+ fs_mounton_fusefs(seunshare_domain)
|
||||
')
|
||||
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
|
||||
index 33e0f8d..b94f32f 100644
|
||||
index 33e0f8d..48f001d 100644
|
||||
--- a/policy/modules/kernel/corecommands.fc
|
||||
+++ b/policy/modules/kernel/corecommands.fc
|
||||
@@ -1,9 +1,10 @@
|
||||
|
|
@ -3611,7 +3611,16 @@ index 33e0f8d..b94f32f 100644
|
|||
/etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -135,10 +153,12 @@ ifdef(`distro_debian',`
|
||||
@@ -128,6 +146,8 @@ ifdef(`distro_debian',`
|
||||
/etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0)
|
||||
')
|
||||
|
||||
+/etc/dhcp/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
+
|
||||
#
|
||||
# /lib
|
||||
#
|
||||
@@ -135,10 +155,12 @@ ifdef(`distro_debian',`
|
||||
/lib/nut/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
|
@ -3625,7 +3634,7 @@ index 33e0f8d..b94f32f 100644
|
|||
|
||||
ifdef(`distro_gentoo',`
|
||||
/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -149,10 +169,12 @@ ifdef(`distro_gentoo',`
|
||||
@@ -149,10 +171,12 @@ ifdef(`distro_gentoo',`
|
||||
/lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
')
|
||||
|
||||
|
|
@ -3639,7 +3648,7 @@ index 33e0f8d..b94f32f 100644
|
|||
/sbin/.* gen_context(system_u:object_r:bin_t,s0)
|
||||
/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -168,6 +190,7 @@ ifdef(`distro_gentoo',`
|
||||
@@ -168,6 +192,7 @@ ifdef(`distro_gentoo',`
|
||||
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
|
@ -3647,7 +3656,7 @@ index 33e0f8d..b94f32f 100644
|
|||
|
||||
/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
@@ -179,34 +202,50 @@ ifdef(`distro_gentoo',`
|
||||
@@ -179,34 +204,50 @@ ifdef(`distro_gentoo',`
|
||||
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
||||
')
|
||||
|
||||
|
|
@ -3707,7 +3716,7 @@ index 33e0f8d..b94f32f 100644
|
|||
/usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -218,19 +257,32 @@ ifdef(`distro_gentoo',`
|
||||
@@ -218,19 +259,32 @@ ifdef(`distro_gentoo',`
|
||||
/usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
|
@ -3747,7 +3756,7 @@ index 33e0f8d..b94f32f 100644
|
|||
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -245,26 +297,40 @@ ifdef(`distro_gentoo',`
|
||||
@@ -245,26 +299,40 @@ ifdef(`distro_gentoo',`
|
||||
/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
|
@ -3793,7 +3802,7 @@ index 33e0f8d..b94f32f 100644
|
|||
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
@@ -280,10 +346,14 @@ ifdef(`distro_gentoo',`
|
||||
@@ -280,10 +348,14 @@ ifdef(`distro_gentoo',`
|
||||
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
|
@ -3808,7 +3817,7 @@ index 33e0f8d..b94f32f 100644
|
|||
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -298,16 +368,22 @@ ifdef(`distro_gentoo',`
|
||||
@@ -298,16 +370,22 @@ ifdef(`distro_gentoo',`
|
||||
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
|
@ -3833,7 +3842,7 @@ index 33e0f8d..b94f32f 100644
|
|||
|
||||
ifdef(`distro_debian',`
|
||||
/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -325,20 +401,27 @@ ifdef(`distro_redhat', `
|
||||
@@ -325,20 +403,27 @@ ifdef(`distro_redhat', `
|
||||
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
|
|
@ -3862,7 +3871,7 @@ index 33e0f8d..b94f32f 100644
|
|||
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -346,6 +429,7 @@ ifdef(`distro_redhat', `
|
||||
@@ -346,6 +431,7 @@ ifdef(`distro_redhat', `
|
||||
/usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
|
@ -3870,7 +3879,7 @@ index 33e0f8d..b94f32f 100644
|
|||
/usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -387,17 +471,34 @@ ifdef(`distro_suse', `
|
||||
@@ -387,17 +473,34 @@ ifdef(`distro_suse', `
|
||||
#
|
||||
# /var
|
||||
#
|
||||
|
|
|
|||
|
|
@ -3460,10 +3460,10 @@ index 0000000..d8b04b5
|
|||
+ spamassassin_read_pid_files(antivirus_domain)
|
||||
+')
|
||||
diff --git a/apache.fc b/apache.fc
|
||||
index 7caefc3..754c30f 100644
|
||||
index 7caefc3..2029082 100644
|
||||
--- a/apache.fc
|
||||
+++ b/apache.fc
|
||||
@@ -1,162 +1,214 @@
|
||||
@@ -1,162 +1,215 @@
|
||||
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
|
||||
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
|
||||
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
|
||||
|
|
@ -3672,6 +3672,7 @@ index 7caefc3..754c30f 100644
|
|||
+/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
+/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
|
||||
+/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
|
||||
+/var/lib/ganglia(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
|
||||
+/var/lib/glpi(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
|
||||
+/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
|
||||
+/var/lib/graphite-web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||||
|
|
@ -9426,10 +9427,10 @@ index c3fd7b1..e189593 100644
|
|||
-
|
||||
-miscfiles_read_localization(bcfg2_t)
|
||||
diff --git a/bind.fc b/bind.fc
|
||||
index 2b9a3a1..49accb6 100644
|
||||
index 2b9a3a1..982ce9b 100644
|
||||
--- a/bind.fc
|
||||
+++ b/bind.fc
|
||||
@@ -1,54 +1,77 @@
|
||||
@@ -1,54 +1,78 @@
|
||||
-/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
|
||||
-/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
|
||||
+/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
|
||||
|
|
@ -9508,6 +9509,7 @@ index 2b9a3a1..49accb6 100644
|
|||
+/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
|
||||
+/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
|
||||
+/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
|
||||
+/var/lib/softhsm(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
|
||||
+/var/lib/unbound(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
|
||||
+/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
|
||||
+/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
|
||||
|
|
@ -9731,7 +9733,7 @@ index 531a8f2..3fcf187 100644
|
|||
+ allow $1 named_unit_file_t:service all_service_perms;
|
||||
')
|
||||
diff --git a/bind.te b/bind.te
|
||||
index 1241123..bf5ad4a 100644
|
||||
index 1241123..ab9ec30 100644
|
||||
--- a/bind.te
|
||||
+++ b/bind.te
|
||||
@@ -34,7 +34,7 @@ type named_checkconf_exec_t;
|
||||
|
|
@ -9764,7 +9766,13 @@ index 1241123..bf5ad4a 100644
|
|||
allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
|
||||
allow named_t self:fifo_file rw_fifo_file_perms;
|
||||
allow named_t self:unix_stream_socket { accept listen };
|
||||
@@ -89,9 +93,7 @@ manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)
|
||||
@@ -84,14 +88,13 @@ allow named_t named_conf_t:dir list_dir_perms;
|
||||
read_files_pattern(named_t, named_conf_t, named_conf_t)
|
||||
read_lnk_files_pattern(named_t, named_conf_t, named_conf_t)
|
||||
|
||||
+manage_dirs_pattern(named_t, named_cache_t, named_cache_t)
|
||||
manage_files_pattern(named_t, named_cache_t, named_cache_t)
|
||||
manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)
|
||||
|
||||
allow named_t named_keytab_t:file read_file_perms;
|
||||
|
||||
|
|
@ -9775,7 +9783,7 @@ index 1241123..bf5ad4a 100644
|
|||
logging_log_filetrans(named_t, named_log_t, file)
|
||||
|
||||
manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
|
||||
@@ -112,10 +114,10 @@ read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
|
||||
@@ -112,10 +115,10 @@ read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
|
||||
kernel_read_kernel_sysctls(named_t)
|
||||
kernel_read_system_state(named_t)
|
||||
kernel_read_network_state(named_t)
|
||||
|
|
@ -9787,7 +9795,7 @@ index 1241123..bf5ad4a 100644
|
|||
corenet_all_recvfrom_netlabel(named_t)
|
||||
corenet_tcp_sendrecv_generic_if(named_t)
|
||||
corenet_udp_sendrecv_generic_if(named_t)
|
||||
@@ -141,9 +143,13 @@ corenet_sendrecv_all_client_packets(named_t)
|
||||
@@ -141,9 +144,13 @@ corenet_sendrecv_all_client_packets(named_t)
|
||||
corenet_tcp_connect_all_ports(named_t)
|
||||
corenet_tcp_sendrecv_all_ports(named_t)
|
||||
|
||||
|
|
@ -9801,7 +9809,7 @@ index 1241123..bf5ad4a 100644
|
|||
|
||||
domain_use_interactive_fds(named_t)
|
||||
|
||||
@@ -175,6 +181,19 @@ tunable_policy(`named_write_master_zones',`
|
||||
@@ -175,6 +182,19 @@ tunable_policy(`named_write_master_zones',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -9821,7 +9829,7 @@ index 1241123..bf5ad4a 100644
|
|||
dbus_system_domain(named_t, named_exec_t)
|
||||
|
||||
init_dbus_chat_script(named_t)
|
||||
@@ -187,7 +206,17 @@ optional_policy(`
|
||||
@@ -187,7 +207,17 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -9839,7 +9847,7 @@ index 1241123..bf5ad4a 100644
|
|||
kerberos_use(named_t)
|
||||
')
|
||||
|
||||
@@ -215,7 +244,8 @@ optional_policy(`
|
||||
@@ -215,7 +245,8 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow ndc_t self:capability { dac_override net_admin };
|
||||
|
|
@ -9849,7 +9857,7 @@ index 1241123..bf5ad4a 100644
|
|||
allow ndc_t self:fifo_file rw_fifo_file_perms;
|
||||
allow ndc_t self:unix_stream_socket { accept listen };
|
||||
|
||||
@@ -229,10 +259,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
|
||||
@@ -229,10 +260,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
allow ndc_t named_zone_t:dir search_dir_perms;
|
||||
|
||||
|
|
@ -9861,7 +9869,7 @@ index 1241123..bf5ad4a 100644
|
|||
corenet_all_recvfrom_netlabel(ndc_t)
|
||||
corenet_tcp_sendrecv_generic_if(ndc_t)
|
||||
corenet_tcp_sendrecv_generic_node(ndc_t)
|
||||
@@ -242,6 +271,9 @@ corenet_tcp_bind_generic_node(ndc_t)
|
||||
@@ -242,6 +272,9 @@ corenet_tcp_bind_generic_node(ndc_t)
|
||||
corenet_tcp_connect_rndc_port(ndc_t)
|
||||
corenet_sendrecv_rndc_client_packets(ndc_t)
|
||||
|
||||
|
|
@ -9871,7 +9879,7 @@ index 1241123..bf5ad4a 100644
|
|||
domain_use_interactive_fds(ndc_t)
|
||||
|
||||
files_search_pids(ndc_t)
|
||||
@@ -257,7 +289,7 @@ init_use_script_ptys(ndc_t)
|
||||
@@ -257,7 +290,7 @@ init_use_script_ptys(ndc_t)
|
||||
|
||||
logging_send_syslog_msg(ndc_t)
|
||||
|
||||
|
|
@ -18019,7 +18027,7 @@ index ad0bae9..615a947 100644
|
|||
+/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
|
||||
')
|
||||
diff --git a/cron.if b/cron.if
|
||||
index 1303b30..759412f 100644
|
||||
index 1303b30..f13c532 100644
|
||||
--- a/cron.if
|
||||
+++ b/cron.if
|
||||
@@ -2,11 +2,12 @@
|
||||
|
|
@ -18205,15 +18213,6 @@ index 1303b30..759412f 100644
|
|||
- #
|
||||
- # Declarations
|
||||
- #
|
||||
-
|
||||
- role $1 types { unconfined_cronjob_t crontab_t };
|
||||
-
|
||||
- ##############################
|
||||
- #
|
||||
- # Local policy
|
||||
- #
|
||||
-
|
||||
- domtrans_pattern($2, crontab_exec_t, crontab_t)
|
||||
+ ##############################
|
||||
+ #
|
||||
+ # Declarations
|
||||
|
|
@ -18221,32 +18220,41 @@ index 1303b30..759412f 100644
|
|||
+
|
||||
+ role $1 types unconfined_cronjob_t;
|
||||
|
||||
- dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
|
||||
- allow $2 crond_t:process sigchld;
|
||||
- role $1 types { unconfined_cronjob_t crontab_t };
|
||||
+ ##############################
|
||||
+ #
|
||||
+ # Local policy
|
||||
+ #
|
||||
|
||||
- allow $2 user_cron_spool_t:file { getattr read write ioctl };
|
||||
- ##############################
|
||||
- #
|
||||
- # Local policy
|
||||
- #
|
||||
+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
|
||||
|
||||
- allow $2 crontab_t:process { ptrace signal_perms };
|
||||
- ps_process_pattern($2, crontab_t)
|
||||
- domtrans_pattern($2, crontab_exec_t, crontab_t)
|
||||
+ allow $2 crond_t:process sigchld;
|
||||
|
||||
- corecmd_exec_bin(crontab_t)
|
||||
- corecmd_exec_shell(crontab_t)
|
||||
- dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
|
||||
- allow $2 crond_t:process sigchld;
|
||||
+ allow $2 user_cron_spool_t:file { getattr read write ioctl };
|
||||
|
||||
- tunable_policy(`cron_userdomain_transition',`
|
||||
- allow crond_t $2:process transition;
|
||||
- allow crond_t $2:fd use;
|
||||
- allow crond_t $2:key manage_key_perms;
|
||||
- allow $2 user_cron_spool_t:file { getattr read write ioctl };
|
||||
+ # cronjob shows up in user ps
|
||||
+ ps_process_pattern($2, unconfined_cronjob_t)
|
||||
+ allow $2 unconfined_cronjob_t:process signal_perms;
|
||||
|
||||
- allow $2 crontab_t:process { ptrace signal_perms };
|
||||
- ps_process_pattern($2, crontab_t)
|
||||
-
|
||||
- corecmd_exec_bin(crontab_t)
|
||||
- corecmd_exec_shell(crontab_t)
|
||||
-
|
||||
- tunable_policy(`cron_userdomain_transition',`
|
||||
- allow crond_t $2:process transition;
|
||||
- allow crond_t $2:fd use;
|
||||
- allow crond_t $2:key manage_key_perms;
|
||||
-
|
||||
- allow $2 user_cron_spool_t:file entrypoint;
|
||||
+ tunable_policy(`deny_ptrace',`',`
|
||||
+ allow $2 unconfined_cronjob_t:process ptrace;
|
||||
|
|
@ -18371,16 +18379,15 @@ index 1303b30..759412f 100644
|
|||
- allow crond_t $2:process transition;
|
||||
- allow crond_t $2:fd use;
|
||||
- allow crond_t $2:key manage_key_perms;
|
||||
-
|
||||
- allow $2 user_cron_spool_t:file entrypoint;
|
||||
+ tunable_policy(`cron_userdomain_transition',`
|
||||
+ allow crond_t $2:process transition;
|
||||
+ allow crond_t $2:fd use;
|
||||
+ allow crond_t $2:key manage_key_perms;
|
||||
|
||||
- allow $2 user_cron_spool_t:file entrypoint;
|
||||
+ allow $2 user_cron_spool_t:file entrypoint;
|
||||
|
||||
- allow $2 crond_t:fifo_file rw_fifo_file_perms;
|
||||
+ allow $2 crond_t:fifo_file rw_fifo_file_perms;
|
||||
+ allow $2 user_cron_spool_t:file entrypoint;
|
||||
|
||||
- allow $2 cronjob_t:process { ptrace signal_perms };
|
||||
- ps_process_pattern($2, cronjob_t)
|
||||
|
|
@ -18388,6 +18395,9 @@ index 1303b30..759412f 100644
|
|||
- dontaudit crond_t $2:process transition;
|
||||
- dontaudit crond_t $2:fd use;
|
||||
- dontaudit crond_t $2:key manage_key_perms;
|
||||
+ allow $2 crond_t:fifo_file rw_fifo_file_perms;
|
||||
|
||||
- dontaudit $2 user_cron_spool_t:file entrypoint;
|
||||
+ allow $2 cronjob_t:process { signal_perms };
|
||||
+ ps_process_pattern($2, cronjob_t)
|
||||
+ ',`
|
||||
|
|
@ -18395,8 +18405,6 @@ index 1303b30..759412f 100644
|
|||
+ dontaudit crond_t $2:fd use;
|
||||
+ dontaudit crond_t $2:key manage_key_perms;
|
||||
|
||||
- dontaudit $2 user_cron_spool_t:file entrypoint;
|
||||
-
|
||||
- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
|
||||
-
|
||||
- dontaudit $2 cronjob_t:process { ptrace signal_perms };
|
||||
|
|
@ -18705,11 +18713,10 @@ index 1303b30..759412f 100644
|
|||
|
||||
- allow $1 crond_t:fifo_file rw_fifo_file_perms;
|
||||
+ allow $1 user_cron_spool_t:file rw_inherited_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Read and write crond TCP sockets.
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read and write inherited spool files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
|
|
@ -18724,10 +18731,11 @@ index 1303b30..759412f 100644
|
|||
+ ')
|
||||
+
|
||||
+ allow $1 cron_spool_t:file rw_inherited_file_perms;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Read and write crond TCP sockets.
|
||||
+## Read, and write cron daemon TCP sockets.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
|
|
@ -18751,106 +18759,120 @@ index 1303b30..759412f 100644
|
|||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -627,8 +675,26 @@ interface(`cron_search_spool',`
|
||||
@@ -627,8 +675,7 @@ interface(`cron_search_spool',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Create, read, write, and delete
|
||||
-## crond pid files.
|
||||
+## Search the directory containing user cron tables.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`cron_manage_system_spool',`
|
||||
+ gen_require(`
|
||||
+ type cron_system_spool_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_spool($1)
|
||||
+ manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Manage pid files used by cron
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -641,13 +707,13 @@ interface(`cron_manage_pid_files',`
|
||||
type crond_var_run_t;
|
||||
@@ -636,37 +683,37 @@ interface(`cron_search_spool',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`cron_manage_pid_files',`
|
||||
+interface(`cron_manage_system_spool',`
|
||||
gen_require(`
|
||||
- type crond_var_run_t;
|
||||
+ type cron_system_spool_t;
|
||||
')
|
||||
|
||||
+ files_search_pids($1)
|
||||
manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
|
||||
- manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
|
||||
+ files_search_spool($1)
|
||||
+ manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Execute anacron in the cron
|
||||
-## system domain.
|
||||
+## Execute anacron in the cron system domain.
|
||||
+## Manage pid files used by cron
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -660,13 +726,13 @@ interface(`cron_anacron_domtrans_system_job',`
|
||||
type system_cronjob_t, anacron_exec_t;
|
||||
-## Domain allowed to transition.
|
||||
+## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`cron_anacron_domtrans_system_job',`
|
||||
+interface(`cron_manage_pid_files',`
|
||||
gen_require(`
|
||||
- type system_cronjob_t, anacron_exec_t;
|
||||
+ type crond_var_run_t;
|
||||
')
|
||||
|
||||
- corecmd_search_bin($1)
|
||||
domtrans_pattern($1, anacron_exec_t, system_cronjob_t)
|
||||
- domtrans_pattern($1, anacron_exec_t, system_cronjob_t)
|
||||
+ files_search_pids($1)
|
||||
+ manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Use system cron job file descriptors.
|
||||
+## Inherit and use a file descriptor
|
||||
+## from system cron jobs.
|
||||
+## Read pid files used by cron
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -684,7 +750,7 @@ interface(`cron_use_system_job_fds',`
|
||||
@@ -674,37 +721,37 @@ interface(`cron_anacron_domtrans_system_job',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`cron_use_system_job_fds',`
|
||||
+interface(`cron_read_pid_files',`
|
||||
gen_require(`
|
||||
- type system_cronjob_t;
|
||||
+ type crond_var_run_t;
|
||||
')
|
||||
|
||||
- allow $1 system_cronjob_t:fd use;
|
||||
+ files_search_pids($1)
|
||||
+ read_files_pattern($1, crond_var_run_t, crond_var_run_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Read system cron job lib files.
|
||||
+## Write a system cron job unnamed pipe.
|
||||
+## Execute anacron in the cron system domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -692,19 +758,17 @@ interface(`cron_use_system_job_fds',`
|
||||
-## Domain allowed access.
|
||||
+## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`cron_read_system_job_lib_files',`
|
||||
+interface(`cron_write_system_job_pipes',`
|
||||
+interface(`cron_anacron_domtrans_system_job',`
|
||||
gen_require(`
|
||||
- type system_cronjob_var_lib_t;
|
||||
+ type system_cronjob_t;
|
||||
+ type system_cronjob_t, anacron_exec_t;
|
||||
')
|
||||
|
||||
- files_search_var_lib($1)
|
||||
- read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
|
||||
+ allow $1 system_cronjob_t:fifo_file write;
|
||||
+ domtrans_pattern($1, anacron_exec_t, system_cronjob_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Create, read, write, and delete
|
||||
-## system cron job lib files.
|
||||
+## Read and write a system cron job unnamed pipe.
|
||||
+## Inherit and use a file descriptor
|
||||
+## from system cron jobs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -712,18 +776,17 @@ interface(`cron_read_system_job_lib_files',`
|
||||
@@ -712,18 +759,17 @@ interface(`cron_read_system_job_lib_files',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`cron_manage_system_job_lib_files',`
|
||||
+interface(`cron_rw_system_job_pipes',`
|
||||
+interface(`cron_use_system_job_fds',`
|
||||
gen_require(`
|
||||
- type system_cronjob_var_lib_t;
|
||||
+ type system_cronjob_t;
|
||||
|
|
@ -18858,52 +18880,67 @@ index 1303b30..759412f 100644
|
|||
|
||||
- files_search_var_lib($1)
|
||||
- manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
|
||||
+ allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms;
|
||||
+ allow $1 system_cronjob_t:fd use;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Write system cron job unnamed pipes.
|
||||
+## Allow read/write unix stream sockets from the system cron jobs.
|
||||
+## Write a system cron job unnamed pipe.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -731,18 +794,17 @@ interface(`cron_manage_system_job_lib_files',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`cron_write_system_job_pipes',`
|
||||
+interface(`cron_rw_system_job_stream_sockets',`
|
||||
gen_require(`
|
||||
@@ -736,13 +782,12 @@ interface(`cron_write_system_job_pipes',`
|
||||
type system_cronjob_t;
|
||||
')
|
||||
|
||||
- allow $1 system_cronjob_t:file write;
|
||||
+ allow $1 system_cronjob_t:unix_stream_socket { read write };
|
||||
+ allow $1 system_cronjob_t:fifo_file write;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Read and write system cron job
|
||||
-## unnamed pipes.
|
||||
+## Read and write a system cron job unnamed pipe.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -755,13 +800,12 @@ interface(`cron_rw_system_job_pipes',`
|
||||
type system_cronjob_t;
|
||||
')
|
||||
|
||||
- allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
|
||||
+ allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Read and write inherited system cron
|
||||
-## job unix domain stream sockets.
|
||||
+## Allow read/write unix stream sockets from the system cron jobs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -779,7 +823,7 @@ interface(`cron_rw_system_job_stream_sockets',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Read system cron job temporary files.
|
||||
+## Read temporary files from the system cron jobs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -750,86 +812,142 @@ interface(`cron_write_system_job_pipes',`
|
||||
## </summary>
|
||||
## </param>
|
||||
@@ -789,17 +833,20 @@ interface(`cron_rw_system_job_stream_sockets',`
|
||||
#
|
||||
-interface(`cron_rw_system_job_pipes',`
|
||||
+interface(`cron_read_system_job_tmp_files',`
|
||||
interface(`cron_read_system_job_tmp_files',`
|
||||
gen_require(`
|
||||
- type system_cronjob_t;
|
||||
- type system_cronjob_tmp_t;
|
||||
+ type system_cronjob_tmp_t, cron_var_run_t;
|
||||
')
|
||||
|
||||
- allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
|
||||
+ files_search_tmp($1)
|
||||
+ allow $1 system_cronjob_tmp_t:file read_file_perms;
|
||||
files_search_tmp($1)
|
||||
allow $1 system_cronjob_tmp_t:file read_file_perms;
|
||||
+
|
||||
+ files_search_pids($1)
|
||||
+ allow $1 cron_var_run_t:file read_file_perms;
|
||||
|
|
@ -18911,101 +18948,66 @@ index 1303b30..759412f 100644
|
|||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Read and write inherited system cron
|
||||
-## job unix domain stream sockets.
|
||||
+## Do not audit attempts to append temporary
|
||||
## Do not audit attempts to append temporary
|
||||
-## system cron job files.
|
||||
+## files from the system cron jobs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
-## Domain allowed access.
|
||||
+## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`cron_rw_system_job_stream_sockets',`
|
||||
+interface(`cron_dontaudit_append_system_job_tmp_files',`
|
||||
gen_require(`
|
||||
- type system_cronjob_t;
|
||||
+ type system_cronjob_tmp_t;
|
||||
')
|
||||
|
||||
- allow $1 system_cronjob_t:unix_stream_socket { read write };
|
||||
+ dontaudit $1 system_cronjob_tmp_t:file append_file_perms;
|
||||
')
|
||||
|
||||
@@ -818,7 +865,7 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
|
||||
########################################
|
||||
## <summary>
|
||||
-## Read system cron job temporary files.
|
||||
+## Do not audit attempts to write temporary
|
||||
## Do not audit attempts to write temporary
|
||||
-## system cron job files.
|
||||
+## files from the system cron jobs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
-## Domain allowed access.
|
||||
+## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`cron_read_system_job_tmp_files',`
|
||||
+interface(`cron_dontaudit_write_system_job_tmp_files',`
|
||||
@@ -829,7 +876,97 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
|
||||
interface(`cron_dontaudit_write_system_job_tmp_files',`
|
||||
gen_require(`
|
||||
type system_cronjob_tmp_t;
|
||||
+ type cron_var_run_t;
|
||||
')
|
||||
|
||||
- files_search_tmp($1)
|
||||
- allow $1 system_cronjob_tmp_t:file read_file_perms;
|
||||
+ dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
|
||||
dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
|
||||
+ dontaudit $1 cron_var_run_t:file write_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Do not audit attempts to append temporary
|
||||
-## system cron job files.
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read temporary files from the system cron jobs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
-## Domain to not audit.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`cron_dontaudit_append_system_job_tmp_files',`
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`cron_read_system_job_lib_files',`
|
||||
gen_require(`
|
||||
- type system_cronjob_tmp_t;
|
||||
+ gen_require(`
|
||||
+ type system_cronjob_var_lib_t;
|
||||
')
|
||||
|
||||
- dontaudit $1 system_cronjob_tmp_t:file append_file_perms;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_var_lib($1)
|
||||
+ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Do not audit attempts to write temporary
|
||||
-## system cron job files.
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Manage files from the system cron jobs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
-## Domain to not audit.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`cron_dontaudit_write_system_job_tmp_files',`
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`cron_manage_system_job_lib_files',`
|
||||
gen_require(`
|
||||
- type system_cronjob_tmp_t;
|
||||
+ gen_require(`
|
||||
+ type system_cronjob_var_lib_t;
|
||||
')
|
||||
|
||||
- dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_var_lib($1)
|
||||
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
|
||||
+')
|
||||
|
|
@ -24883,10 +24885,10 @@ index 0000000..5d30dab
|
|||
+/var/log/dirsrv/ldap-agent.log.* gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0)
|
||||
diff --git a/dirsrv.if b/dirsrv.if
|
||||
new file mode 100644
|
||||
index 0000000..b214253
|
||||
index 0000000..b3784d8
|
||||
--- /dev/null
|
||||
+++ b/dirsrv.if
|
||||
@@ -0,0 +1,208 @@
|
||||
@@ -0,0 +1,232 @@
|
||||
+## <summary>policy for dirsrv</summary>
|
||||
+
|
||||
+########################################
|
||||
|
|
@ -24907,6 +24909,30 @@ index 0000000..b214253
|
|||
+ domtrans_pattern($1, dirsrv_exec_t,dirsrv_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute dirsrv in the dirsrv domain, and
|
||||
+## allow the specified role the dirsrv domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed to transition.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="role">
|
||||
+## <summary>
|
||||
+## Role allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`dirsrv_run',`
|
||||
+ gen_require(`
|
||||
+ type dirsrv_t;
|
||||
+ ')
|
||||
+
|
||||
+ dirsrv_domtrans($1)
|
||||
+ role $2 types dirsrv_t;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
|
|
@ -32050,10 +32076,10 @@ index 0000000..764ae00
|
|||
+
|
||||
diff --git a/glusterd.te b/glusterd.te
|
||||
new file mode 100644
|
||||
index 0000000..c31e40e
|
||||
index 0000000..3ba328e
|
||||
--- /dev/null
|
||||
+++ b/glusterd.te
|
||||
@@ -0,0 +1,302 @@
|
||||
@@ -0,0 +1,303 @@
|
||||
+policy_module(glusterd, 1.1.3)
|
||||
+
|
||||
+## <desc>
|
||||
|
|
@ -32240,6 +32266,7 @@ index 0000000..c31e40e
|
|||
+init_read_script_state(glusterd_t)
|
||||
+init_rw_script_tmp_files(glusterd_t)
|
||||
+init_manage_script_status_files(glusterd_t)
|
||||
+init_status(glusterd_t)
|
||||
+
|
||||
+systemd_config_systemd_services(glusterd_t)
|
||||
+systemd_signal_passwd_agent(glusterd_t)
|
||||
|
|
@ -39511,7 +39538,7 @@ index 59ad3b3..bd02cc8 100644
|
|||
+
|
||||
+/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_spool_t,s0)
|
||||
diff --git a/jabber.if b/jabber.if
|
||||
index 7eb3811..629af1e 100644
|
||||
index 7eb3811..8075ba5 100644
|
||||
--- a/jabber.if
|
||||
+++ b/jabber.if
|
||||
@@ -1,29 +1,76 @@
|
||||
|
|
@ -39669,7 +39696,7 @@ index 7eb3811..629af1e 100644
|
|||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -66,20 +137,27 @@ interface(`jabber_tcp_connect',`
|
||||
@@ -66,20 +137,28 @@ interface(`jabber_tcp_connect',`
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
|
|
@ -39687,6 +39714,7 @@ index 7eb3811..629af1e 100644
|
|||
+ type jabberd_t, jabberd_var_lib_t;
|
||||
+ type jabberd_initrc_exec_t, jabberd_router_t;
|
||||
+ type jabberd_lock_t;
|
||||
+ type jabberd_var_spool_t;
|
||||
')
|
||||
|
||||
- allow $1 jabberd_domain:process { ptrace signal_perms };
|
||||
|
|
@ -39703,7 +39731,7 @@ index 7eb3811..629af1e 100644
|
|||
|
||||
init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
@@ -89,15 +167,9 @@ interface(`jabber_admin',`
|
||||
@@ -89,15 +168,9 @@ interface(`jabber_admin',`
|
||||
files_search_locks($1)
|
||||
admin_pattern($1, jabberd_lock_t)
|
||||
|
||||
|
|
@ -39711,7 +39739,8 @@ index 7eb3811..629af1e 100644
|
|||
- admin_pattern($1, jabberd_log_t)
|
||||
-
|
||||
files_search_spool($1)
|
||||
admin_pattern($1, jabberd_spool_t)
|
||||
- admin_pattern($1, jabberd_spool_t)
|
||||
+ admin_pattern($1, jabberd_var_spool_t)
|
||||
|
||||
files_search_var_lib($1)
|
||||
admin_pattern($1, jabberd_var_lib_t)
|
||||
|
|
@ -45775,7 +45804,7 @@ index dd8e01a..9cd6b0b 100644
|
|||
## <param name="domain">
|
||||
## <summary>
|
||||
diff --git a/logrotate.te b/logrotate.te
|
||||
index be0ab84..688605e 100644
|
||||
index be0ab84..5160f96 100644
|
||||
--- a/logrotate.te
|
||||
+++ b/logrotate.te
|
||||
@@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0)
|
||||
|
|
@ -45900,7 +45929,7 @@ index be0ab84..688605e 100644
|
|||
files_manage_generic_spool(logrotate_t)
|
||||
files_manage_generic_spool_dirs(logrotate_t)
|
||||
files_getattr_generic_locks(logrotate_t)
|
||||
@@ -95,32 +126,54 @@ mls_process_write_to_clearance(logrotate_t)
|
||||
@@ -95,32 +126,55 @@ mls_process_write_to_clearance(logrotate_t)
|
||||
selinux_get_fs_mount(logrotate_t)
|
||||
selinux_get_enforce_mode(logrotate_t)
|
||||
|
||||
|
|
@ -45925,6 +45954,7 @@ index be0ab84..688605e 100644
|
|||
+systemd_start_all_unit_files(logrotate_t)
|
||||
+systemd_reload_all_services(logrotate_t)
|
||||
+systemd_status_all_unit_files(logrotate_t)
|
||||
+systemd_dbus_chat_logind(logrotate_t)
|
||||
+init_stream_connect(logrotate_t)
|
||||
|
||||
-seutil_dontaudit_read_config(logrotate_t)
|
||||
|
|
@ -45961,7 +45991,7 @@ index be0ab84..688605e 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -135,16 +188,17 @@ optional_policy(`
|
||||
@@ -135,16 +189,17 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
apache_read_config(logrotate_t)
|
||||
|
|
@ -45981,7 +46011,7 @@ index be0ab84..688605e 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -170,6 +224,11 @@ optional_policy(`
|
||||
@@ -170,6 +225,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -45993,7 +46023,7 @@ index be0ab84..688605e 100644
|
|||
fail2ban_stream_connect(logrotate_t)
|
||||
')
|
||||
|
||||
@@ -178,7 +237,7 @@ optional_policy(`
|
||||
@@ -178,7 +238,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -46002,7 +46032,7 @@ index be0ab84..688605e 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -198,17 +257,18 @@ optional_policy(`
|
||||
@@ -198,17 +258,18 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -46024,7 +46054,7 @@ index be0ab84..688605e 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -216,6 +276,14 @@ optional_policy(`
|
||||
@@ -216,6 +277,14 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -46039,7 +46069,7 @@ index be0ab84..688605e 100644
|
|||
samba_exec_log(logrotate_t)
|
||||
')
|
||||
|
||||
@@ -228,26 +296,43 @@ optional_policy(`
|
||||
@@ -228,26 +297,43 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -64262,10 +64292,10 @@ index 8de6191..1a01e99 100644
|
|||
+')
|
||||
diff --git a/openhpid.fc b/openhpid.fc
|
||||
new file mode 100644
|
||||
index 0000000..9441fd7
|
||||
index 0000000..df219e6
|
||||
--- /dev/null
|
||||
+++ b/openhpid.fc
|
||||
@@ -0,0 +1,8 @@
|
||||
@@ -0,0 +1,10 @@
|
||||
+
|
||||
+/etc/rc\.d/init\.d/openhpid -- gen_context(system_u:object_r:openhpid_initrc_exec_t,s0)
|
||||
+
|
||||
|
|
@ -64273,6 +64303,8 @@ index 0000000..9441fd7
|
|||
+
|
||||
+/var/lib/openhpi(/.*)? gen_context(system_u:object_r:openhpid_var_lib_t,s0)
|
||||
+
|
||||
+/var/log/dynsim[0-9]*\.log -- gen_context(system_u:object_r:openhpid_log_t,s0)
|
||||
+
|
||||
+/var/run/openhpid\.pid -- gen_context(system_u:object_r:openhpid_var_run_t,s0)
|
||||
diff --git a/openhpid.if b/openhpid.if
|
||||
new file mode 100644
|
||||
|
|
@ -64441,10 +64473,10 @@ index 0000000..598789a
|
|||
+
|
||||
diff --git a/openhpid.te b/openhpid.te
|
||||
new file mode 100644
|
||||
index 0000000..b4f88f6
|
||||
index 0000000..a0e0eaf
|
||||
--- /dev/null
|
||||
+++ b/openhpid.te
|
||||
@@ -0,0 +1,60 @@
|
||||
@@ -0,0 +1,67 @@
|
||||
+policy_module(openhpid, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
|
|
@ -64459,6 +64491,9 @@ index 0000000..b4f88f6
|
|||
+type openhpid_initrc_exec_t;
|
||||
+init_script_file(openhpid_initrc_exec_t)
|
||||
+
|
||||
+type openhpid_log_t;
|
||||
+logging_log_file(openhpid_log_t)
|
||||
+
|
||||
+type openhpid_var_lib_t;
|
||||
+files_type(openhpid_var_lib_t)
|
||||
+
|
||||
|
|
@ -64479,6 +64514,10 @@ index 0000000..b4f88f6
|
|||
+allow openhpid_t self:tcp_socket create_stream_socket_perms;
|
||||
+allow openhpid_t self:udp_socket create_socket_perms;
|
||||
+
|
||||
+
|
||||
+manage_files_pattern(openhpid_t, openhpid_log_t, openhpid_log_t)
|
||||
+logging_log_filetrans(openhpid_t, openhpid_log_t, file)
|
||||
+
|
||||
+manage_dirs_pattern(openhpid_t, openhpid_var_lib_t, openhpid_var_lib_t)
|
||||
+manage_files_pattern(openhpid_t, openhpid_var_lib_t, openhpid_var_lib_t)
|
||||
+files_var_lib_filetrans(openhpid_t, openhpid_var_lib_t, { dir file })
|
||||
|
|
@ -68410,10 +68449,10 @@ index 0000000..80246e6
|
|||
+
|
||||
diff --git a/pcp.te b/pcp.te
|
||||
new file mode 100644
|
||||
index 0000000..5eb733c
|
||||
index 0000000..a9ca49d
|
||||
--- /dev/null
|
||||
+++ b/pcp.te
|
||||
@@ -0,0 +1,279 @@
|
||||
@@ -0,0 +1,285 @@
|
||||
+policy_module(pcp, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
|
|
@ -68566,6 +68605,10 @@ index 0000000..5eb733c
|
|||
+userdom_read_user_tmp_files(pcp_pmcd_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ cron_read_pid_files(pcp_pmcd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ docker_manage_lib_files(pcp_pmcd_t)
|
||||
+')
|
||||
+
|
||||
|
|
@ -68682,8 +68725,10 @@ index 0000000..5eb733c
|
|||
+allow pcp_pmlogger_t self:netlink_route_socket {create_socket_perms nlmsg_read };
|
||||
+
|
||||
+allow pcp_pmlogger_t pcp_pmcd_t:unix_stream_socket connectto;
|
||||
+allow pcp_pmlogger_t self:unix_dgram_socket create_socket_perms;
|
||||
+
|
||||
+kernel_read_system_state(pcp_pmlogger_t)
|
||||
+kernel_read_network_state(pcp_pmlogger_t)
|
||||
+
|
||||
+corecmd_exec_bin(pcp_pmlogger_t)
|
||||
+
|
||||
|
|
@ -96580,7 +96625,7 @@ index 3df2a0f..7264d8a 100644
|
|||
-/var/log/sanlock\.log.* -- gen_context(system_u:object_r:sanlock_log_t,s0)
|
||||
+/usr/lib/systemd/system/sanlk-resetd\.service -- gen_context(system_u:object_r:sanlk_resetd_unit_file_t,s0)
|
||||
diff --git a/sanlock.if b/sanlock.if
|
||||
index cd6c213..372c7bb 100644
|
||||
index cd6c213..6d3cdc4 100644
|
||||
--- a/sanlock.if
|
||||
+++ b/sanlock.if
|
||||
@@ -1,4 +1,6 @@
|
||||
|
|
@ -96684,7 +96729,7 @@ index cd6c213..372c7bb 100644
|
|||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -97,21 +120,125 @@ interface(`sanlock_stream_connect',`
|
||||
@@ -97,21 +120,121 @@ interface(`sanlock_stream_connect',`
|
||||
#
|
||||
interface(`sanlock_admin',`
|
||||
gen_require(`
|
||||
|
|
@ -96804,11 +96849,7 @@ index cd6c213..372c7bb 100644
|
|||
|
||||
- logging_search_logs($1)
|
||||
- admin_pattern($1, sanlock_log_t)
|
||||
+ sanlk_resetd_systemctl($1)
|
||||
+ admin_pattern($1, sanlk_resetd_unit_file_t)
|
||||
+ allow $1 sanlk_resetd_unit_file_t:service all_service_perms;
|
||||
+
|
||||
+ sanlk_resetd_systemctl($1)
|
||||
+ sanlock_systemctl_sanlk_resetd($1)
|
||||
+ admin_pattern($1, sanlk_resetd_unit_file_t)
|
||||
+ allow $1 sanlk_resetd_unit_file_t:service all_service_perms;
|
||||
+ optional_policy(`
|
||||
|
|
@ -112745,7 +112786,7 @@ index facdee8..816d860 100644
|
|||
+ ps_process_pattern(virtd_t, $1)
|
||||
')
|
||||
diff --git a/virt.te b/virt.te
|
||||
index f03dcf5..8d090ad 100644
|
||||
index f03dcf5..4f5b8cd 100644
|
||||
--- a/virt.te
|
||||
+++ b/virt.te
|
||||
@@ -1,451 +1,402 @@
|
||||
|
|
@ -115076,7 +115117,7 @@ index f03dcf5..8d090ad 100644
|
|||
+allow sandbox_net_domain self:netlink_route_socket create_netlink_socket_perms;
|
||||
+allow sandbox_net_domain self:packet_socket create_socket_perms;
|
||||
+allow sandbox_net_domain self:socket create_socket_perms;
|
||||
+allow sandbox_net_domain self:rawip_socket create_socket_perms;
|
||||
+allow sandbox_net_domain self:rawip_socket create_stream_socket_perms;
|
||||
+allow sandbox_net_domain self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
+
|
||||
+corenet_tcp_bind_generic_node(sandbox_net_domain)
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@
|
|||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 198%{?dist}
|
||||
Release: 199%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
|
|
@ -647,6 +647,26 @@ exit 0
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Jun 28 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-199
|
||||
- Label /var/lib/softhsm as named_cache_t. Allow named_t to manage named_cache_t dirs.
|
||||
- Allow glusterd daemon to get systemd status
|
||||
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
|
||||
- Merge pull request #135 from rhatdan/rawip_socket
|
||||
- Allow logrotate dbus-chat with system_logind daemon
|
||||
- Allow pcp_pmlogger to read kernel network state Allow pcp_pmcd to read cron pid files
|
||||
- Add interface cron_read_pid_files()
|
||||
- Allow pcp_pmlogger to create unix dgram sockets
|
||||
- Add interface dirsrv_run()
|
||||
- Remove non-existing jabberd_spool_t() interface and add new jabbertd_var_spool_t.
|
||||
- Remove non-existing interface salk_resetd_systemctl() and replace it with sanlock_systemctl_sanlk_resetd()
|
||||
- Create label for openhpid log files.
|
||||
- Container processes need to be able to listen on rawip sockets
|
||||
- Label /var/lib/ganglia as httpd_var_lib_t
|
||||
- Allow firewalld_t to create entries in net_conf_t dirs.
|
||||
- Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journals
|
||||
- Label /etc/dhcp/scripts dir as bin_t
|
||||
- Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals.
|
||||
|
||||
* Wed Jun 22 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-198
|
||||
- Allow firewalld_t to create entries in net_conf_t dirs.
|
||||
- Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journals
|
||||
|
|
|
|||
Loading…
Reference in New Issue