* Mon Aug 24 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-144
- Allow pmlogger to create pmlogger.primary.socket link file. BZ(1254080) - Allow NetworkManager send sigkill to dnssec-trigger. BZ(1251764) - Add interface dnssec_trigger_sigkill - Allow smsd use usb ttys. BZ(#1250536) - Fix postfix_spool_maildrop_t,postfix_spool_flush_t contexts in postfix.fc file. - Revert default_range change in targeted policy - Allow systemd-sysctl cap. sys_ptrace BZ(1253926)
This commit is contained in:
parent
f5f6812fa4
commit
96de5661d2
@ -1052,17 +1052,10 @@ index 4705ab6..b82865c 100644
|
||||
+## </desc>
|
||||
+gen_tunable(mount_anyfile, false)
|
||||
diff --git a/policy/mcs b/policy/mcs
|
||||
index 216b3d1..064ec83 100644
|
||||
index 216b3d1..78e56ed 100644
|
||||
--- a/policy/mcs
|
||||
+++ b/policy/mcs
|
||||
@@ -1,4 +1,6 @@
|
||||
ifdef(`enable_mcs',`
|
||||
+default_range dir_file_class_set target low;
|
||||
+
|
||||
#
|
||||
# Define sensitivities
|
||||
#
|
||||
@@ -69,53 +71,56 @@ gen_levels(1,mcs_num_cats)
|
||||
@@ -69,53 +69,56 @@ gen_levels(1,mcs_num_cats)
|
||||
# - /proc/pid operations are not constrained.
|
||||
|
||||
mlsconstrain file { read ioctl lock execute execute_no_trans }
|
||||
@ -1139,7 +1132,7 @@ index 216b3d1..064ec83 100644
|
||||
|
||||
mlsconstrain process { signal }
|
||||
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
|
||||
@@ -135,6 +140,9 @@ mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure d
|
||||
@@ -135,6 +138,9 @@ mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure d
|
||||
mlsconstrain { db_tuple } { insert relabelto }
|
||||
(( h1 dom h2 ) and ( l2 eq h2 ));
|
||||
|
||||
@ -1149,7 +1142,7 @@ index 216b3d1..064ec83 100644
|
||||
# Access control for any database objects based on MCS rules.
|
||||
mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
|
||||
( h1 dom h2 );
|
||||
@@ -166,4 +174,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
|
||||
@@ -166,4 +172,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
|
||||
mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
|
||||
( h1 dom h2 );
|
||||
|
||||
@ -44536,7 +44529,7 @@ index 0000000..cde0261
|
||||
+')
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
new file mode 100644
|
||||
index 0000000..11cbcf8
|
||||
index 0000000..dff8d54
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -0,0 +1,723 @@
|
||||
@ -45209,7 +45202,7 @@ index 0000000..11cbcf8
|
||||
+#
|
||||
+# systemd_sysctl domains local policy
|
||||
+#
|
||||
+allow systemd_sysctl_t self:capability { net_admin sys_admin sys_rawio };
|
||||
+allow systemd_sysctl_t self:capability { net_admin sys_admin sys_ptrace sys_rawio };
|
||||
+allow systemd_sysctl_t self:unix_dgram_socket create_socket_perms;
|
||||
+kernel_dgram_send(systemd_sysctl_t)
|
||||
+kernel_request_load_module(systemd_sysctl_t)
|
||||
|
@ -25387,10 +25387,10 @@ index 0000000..1714fa6
|
||||
+/var/run/dnssec.* gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0)
|
||||
diff --git a/dnssec.if b/dnssec.if
|
||||
new file mode 100644
|
||||
index 0000000..a846ce0
|
||||
index 0000000..d22ed69
|
||||
--- /dev/null
|
||||
+++ b/dnssec.if
|
||||
@@ -0,0 +1,104 @@
|
||||
@@ -0,0 +1,123 @@
|
||||
+
|
||||
+## <summary>policy for dnssec_trigger</summary>
|
||||
+
|
||||
@ -25474,6 +25474,25 @@ index 0000000..a846ce0
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Send sigkill to dnssec_trigger.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+#
|
||||
+interface(`dnssec_trigger_sigkill',`
|
||||
+ gen_require(`
|
||||
+ type dnssec_trigger_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 dnssec_trigger_t:process sigkill;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## All of the rules required to administrate
|
||||
+## an dnssec_trigger environment
|
||||
+## </summary>
|
||||
@ -56978,7 +56997,7 @@ index 86dc29d..7380935 100644
|
||||
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
|
||||
')
|
||||
diff --git a/networkmanager.te b/networkmanager.te
|
||||
index 55f2009..e6182a2 100644
|
||||
index 55f2009..b84767b 100644
|
||||
--- a/networkmanager.te
|
||||
+++ b/networkmanager.te
|
||||
@@ -9,15 +9,18 @@ type NetworkManager_t;
|
||||
@ -57055,11 +57074,11 @@ index 55f2009..e6182a2 100644
|
||||
+can_exec(NetworkManager_t, NetworkManager_exec_t)
|
||||
+#wicd
|
||||
+can_exec(NetworkManager_t, wpa_cli_exec_t)
|
||||
+
|
||||
|
||||
+list_dirs_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
|
||||
+read_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
|
||||
+read_lnk_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
|
||||
|
||||
+
|
||||
+list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
|
||||
+read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
|
||||
+read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
|
||||
@ -57138,7 +57157,7 @@ index 55f2009..e6182a2 100644
|
||||
fs_getattr_all_fs(NetworkManager_t)
|
||||
fs_search_auto_mountpoints(NetworkManager_t)
|
||||
fs_list_inotifyfs(NetworkManager_t)
|
||||
@@ -140,18 +160,35 @@ mls_file_read_all_levels(NetworkManager_t)
|
||||
@@ -140,18 +160,36 @@ mls_file_read_all_levels(NetworkManager_t)
|
||||
|
||||
selinux_dontaudit_search_fs(NetworkManager_t)
|
||||
|
||||
@ -57169,13 +57188,14 @@ index 55f2009..e6182a2 100644
|
||||
+libs_exec_ldconfig(NetworkManager_t)
|
||||
+
|
||||
logging_send_syslog_msg(NetworkManager_t)
|
||||
+logging_send_audit_msgs(NetworkManager_t)
|
||||
|
||||
miscfiles_read_generic_certs(NetworkManager_t)
|
||||
-miscfiles_read_localization(NetworkManager_t)
|
||||
|
||||
seutil_read_config(NetworkManager_t)
|
||||
|
||||
@@ -166,21 +203,34 @@ sysnet_kill_dhcpc(NetworkManager_t)
|
||||
@@ -166,21 +204,34 @@ sysnet_kill_dhcpc(NetworkManager_t)
|
||||
sysnet_read_dhcpc_state(NetworkManager_t)
|
||||
sysnet_delete_dhcpc_state(NetworkManager_t)
|
||||
sysnet_search_dhcp_state(NetworkManager_t)
|
||||
@ -57214,7 +57234,7 @@ index 55f2009..e6182a2 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -196,10 +246,6 @@ optional_policy(`
|
||||
@@ -196,10 +247,6 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -57225,7 +57245,7 @@ index 55f2009..e6182a2 100644
|
||||
consoletype_exec(NetworkManager_t)
|
||||
')
|
||||
|
||||
@@ -210,17 +256,16 @@ optional_policy(`
|
||||
@@ -210,16 +257,11 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
|
||||
|
||||
@ -57236,19 +57256,15 @@ index 55f2009..e6182a2 100644
|
||||
|
||||
optional_policy(`
|
||||
consolekit_dbus_chat(NetworkManager_t)
|
||||
+ consolekit_read_pid_files(NetworkManager_t)
|
||||
')
|
||||
+')
|
||||
|
||||
- ')
|
||||
-
|
||||
- optional_policy(`
|
||||
- policykit_dbus_chat(NetworkManager_t)
|
||||
- ')
|
||||
+optional_policy(`
|
||||
+ dnssec_trigger_domtrans(NetworkManager_t)
|
||||
+ consolekit_read_pid_files(NetworkManager_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -231,10 +276,15 @@ optional_policy(`
|
||||
@@ -231,10 +273,17 @@ optional_policy(`
|
||||
dnsmasq_kill(NetworkManager_t)
|
||||
dnsmasq_signal(NetworkManager_t)
|
||||
dnsmasq_signull(NetworkManager_t)
|
||||
@ -57257,7 +57273,9 @@ index 55f2009..e6182a2 100644
|
||||
|
||||
optional_policy(`
|
||||
- gnome_stream_connect_all_gkeyringd(NetworkManager_t)
|
||||
+ dnssec_trigger_domtrans(NetworkManager_t)
|
||||
+ dnssec_trigger_signull(NetworkManager_t)
|
||||
+ dnssec_trigger_sigkill(NetworkManager_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
@ -57265,7 +57283,7 @@ index 55f2009..e6182a2 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -246,10 +296,26 @@ optional_policy(`
|
||||
@@ -246,10 +295,26 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -57292,7 +57310,7 @@ index 55f2009..e6182a2 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -257,15 +323,19 @@ optional_policy(`
|
||||
@@ -257,15 +322,19 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -57314,7 +57332,7 @@ index 55f2009..e6182a2 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -274,10 +344,17 @@ optional_policy(`
|
||||
@@ -274,10 +343,17 @@ optional_policy(`
|
||||
nscd_signull(NetworkManager_t)
|
||||
nscd_kill(NetworkManager_t)
|
||||
nscd_initrc_domtrans(NetworkManager_t)
|
||||
@ -57332,7 +57350,7 @@ index 55f2009..e6182a2 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -286,9 +363,12 @@ optional_policy(`
|
||||
@@ -286,9 +362,12 @@ optional_policy(`
|
||||
openvpn_kill(NetworkManager_t)
|
||||
openvpn_signal(NetworkManager_t)
|
||||
openvpn_signull(NetworkManager_t)
|
||||
@ -57345,7 +57363,7 @@ index 55f2009..e6182a2 100644
|
||||
policykit_domtrans_auth(NetworkManager_t)
|
||||
policykit_read_lib(NetworkManager_t)
|
||||
policykit_read_reload(NetworkManager_t)
|
||||
@@ -296,7 +376,7 @@ optional_policy(`
|
||||
@@ -296,7 +375,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -57354,7 +57372,7 @@ index 55f2009..e6182a2 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -307,6 +387,7 @@ optional_policy(`
|
||||
@@ -307,6 +386,7 @@ optional_policy(`
|
||||
ppp_signal(NetworkManager_t)
|
||||
ppp_signull(NetworkManager_t)
|
||||
ppp_read_config(NetworkManager_t)
|
||||
@ -57362,7 +57380,7 @@ index 55f2009..e6182a2 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -320,14 +401,21 @@ optional_policy(`
|
||||
@@ -320,14 +400,21 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -57389,7 +57407,7 @@ index 55f2009..e6182a2 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -357,6 +445,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
|
||||
@@ -357,6 +444,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
|
||||
init_dontaudit_use_fds(wpa_cli_t)
|
||||
init_use_script_ptys(wpa_cli_t)
|
||||
|
||||
@ -65817,10 +65835,10 @@ index 8176e4a..2df1789 100644
|
||||
|
||||
diff --git a/pcp.fc b/pcp.fc
|
||||
new file mode 100644
|
||||
index 0000000..9b8cb6b
|
||||
index 0000000..26a45e3
|
||||
--- /dev/null
|
||||
+++ b/pcp.fc
|
||||
@@ -0,0 +1,28 @@
|
||||
@@ -0,0 +1,29 @@
|
||||
+/etc/rc\.d/init\.d/pmcd -- gen_context(system_u:object_r:pcp_pmcd_initrc_exec_t,s0)
|
||||
+/etc/rc\.d/init\.d/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_initrc_exec_t,s0)
|
||||
+/etc/rc\.d/init\.d/pmproxy -- gen_context(system_u:object_r:pcp_pmproxy_initrc_exec_t,s0)
|
||||
@ -65849,6 +65867,7 @@ index 0000000..9b8cb6b
|
||||
+
|
||||
+/var/run/pcp(/.*)? gen_context(system_u:object_r:pcp_var_run_t,s0)
|
||||
+/var/run/pmcd\.socket -- gen_context(system_u:object_r:pcp_var_run_t,s0)
|
||||
+/var/run/pmlogger\.primary\.socket -l gen_context(system_u:object_r:pcp_var_run_t,s0)
|
||||
diff --git a/pcp.if b/pcp.if
|
||||
new file mode 100644
|
||||
index 0000000..80246e6
|
||||
@ -66001,10 +66020,10 @@ index 0000000..80246e6
|
||||
+
|
||||
diff --git a/pcp.te b/pcp.te
|
||||
new file mode 100644
|
||||
index 0000000..e24db6b
|
||||
index 0000000..684f7b0
|
||||
--- /dev/null
|
||||
+++ b/pcp.te
|
||||
@@ -0,0 +1,259 @@
|
||||
@@ -0,0 +1,260 @@
|
||||
+policy_module(pcp, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -66079,7 +66098,8 @@ index 0000000..e24db6b
|
||||
+manage_dirs_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
|
||||
+manage_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
|
||||
+manage_sock_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
|
||||
+files_pid_filetrans(pcp_domain, pcp_var_run_t, { dir file sock_file })
|
||||
+manage_lnk_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
|
||||
+files_pid_filetrans(pcp_domain, pcp_var_run_t, { dir file sock_file lnk_file })
|
||||
+
|
||||
+manage_dirs_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t)
|
||||
+manage_files_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t)
|
||||
@ -70497,7 +70517,7 @@ index cbe36c1..8ebeb87 100644
|
||||
|
||||
auth_domtrans_chk_passwd(portslave_t)
|
||||
diff --git a/postfix.fc b/postfix.fc
|
||||
index c0e8785..c0e0959 100644
|
||||
index c0e8785..3070aa0 100644
|
||||
--- a/postfix.fc
|
||||
+++ b/postfix.fc
|
||||
@@ -1,38 +1,38 @@
|
||||
@ -70579,15 +70599,16 @@ index c0e8785..c0e0959 100644
|
||||
-/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
|
||||
-/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
|
||||
-/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
|
||||
-/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0)
|
||||
+/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0)
|
||||
+/var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
|
||||
+/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
|
||||
+/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
|
||||
+/var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
|
||||
+/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
|
||||
+/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
|
||||
+/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
|
||||
+/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
|
||||
+/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
|
||||
+/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
|
||||
/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0)
|
||||
+/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
|
||||
diff --git a/postfix.if b/postfix.if
|
||||
index ded95ec..3cf7146 100644
|
||||
--- a/postfix.if
|
||||
@ -97065,10 +97086,10 @@ index 0000000..52450c7
|
||||
+')
|
||||
diff --git a/smsd.te b/smsd.te
|
||||
new file mode 100644
|
||||
index 0000000..1fad7b8
|
||||
index 0000000..d971935
|
||||
--- /dev/null
|
||||
+++ b/smsd.te
|
||||
@@ -0,0 +1,73 @@
|
||||
@@ -0,0 +1,75 @@
|
||||
+policy_module(smsd, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -97142,6 +97163,8 @@ index 0000000..1fad7b8
|
||||
+logging_send_syslog_msg(smsd_t)
|
||||
+
|
||||
+sysnet_dns_name_resolve(smsd_t)
|
||||
+
|
||||
+term_use_usb_ttys(smsd_t)
|
||||
diff --git a/smstools.if b/smstools.if
|
||||
index cbfe369..6594af3 100644
|
||||
--- a/smstools.if
|
||||
|
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 143%{?dist}
|
||||
Release: 144%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -647,6 +647,15 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Aug 24 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-144
|
||||
- Allow pmlogger to create pmlogger.primary.socket link file. BZ(1254080)
|
||||
- Allow NetworkManager send sigkill to dnssec-trigger. BZ(1251764)
|
||||
- Add interface dnssec_trigger_sigkill
|
||||
- Allow smsd use usb ttys. BZ(#1250536)
|
||||
- Fix postfix_spool_maildrop_t,postfix_spool_flush_t contexts in postfix.fc file.
|
||||
- Revert default_range change in targeted policy
|
||||
- Allow systemd-sysctl cap. sys_ptrace BZ(1253926)
|
||||
|
||||
* Fri Aug 21 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-143
|
||||
- Add ipmievd policy creaed by vmojzis@redhat.com
|
||||
- Call kernel_load_module(vmware_host_t) to satisfy neverallow assertion for sys_moudle in MLS where unconfined is disabled.
|
||||
|
Loading…
Reference in New Issue
Block a user