* Mon Aug 24 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-144
- Allow pmlogger to create pmlogger.primary.socket link file. BZ(1254080) - Allow NetworkManager send sigkill to dnssec-trigger. BZ(1251764) - Add interface dnssec_trigger_sigkill - Allow smsd use usb ttys. BZ(#1250536) - Fix postfix_spool_maildrop_t,postfix_spool_flush_t contexts in postfix.fc file. - Revert default_range change in targeted policy - Allow systemd-sysctl cap. sys_ptrace BZ(1253926)
parent
f5f6812fa4
commit
96de5661d2
@ -1052,17 +1052,10 @@ index 4705ab6..b82865c 100644
|
|||||||
+## </desc>
|
+## </desc>
|
||||||
+gen_tunable(mount_anyfile, false)
|
+gen_tunable(mount_anyfile, false)
|
||||||
diff --git a/policy/mcs b/policy/mcs
|
diff --git a/policy/mcs b/policy/mcs
|
||||||
index 216b3d1..064ec83 100644
|
index 216b3d1..78e56ed 100644
|
||||||
--- a/policy/mcs
|
--- a/policy/mcs
|
||||||
+++ b/policy/mcs
|
+++ b/policy/mcs
|
||||||
@@ -1,4 +1,6 @@
|
@@ -69,53 +69,56 @@ gen_levels(1,mcs_num_cats)
|
||||||
ifdef(`enable_mcs',`
|
|
||||||
+default_range dir_file_class_set target low;
|
|
||||||
+
|
|
||||||
#
|
|
||||||
# Define sensitivities
|
|
||||||
#
|
|
||||||
@@ -69,53 +71,56 @@ gen_levels(1,mcs_num_cats)
|
|
||||||
# - /proc/pid operations are not constrained.
|
# - /proc/pid operations are not constrained.
|
||||||
|
|
||||||
mlsconstrain file { read ioctl lock execute execute_no_trans }
|
mlsconstrain file { read ioctl lock execute execute_no_trans }
|
||||||
@ -1139,7 +1132,7 @@ index 216b3d1..064ec83 100644
|
|||||||
|
|
||||||
mlsconstrain process { signal }
|
mlsconstrain process { signal }
|
||||||
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
|
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
|
||||||
@@ -135,6 +140,9 @@ mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure d
|
@@ -135,6 +138,9 @@ mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure d
|
||||||
mlsconstrain { db_tuple } { insert relabelto }
|
mlsconstrain { db_tuple } { insert relabelto }
|
||||||
(( h1 dom h2 ) and ( l2 eq h2 ));
|
(( h1 dom h2 ) and ( l2 eq h2 ));
|
||||||
|
|
||||||
@ -1149,7 +1142,7 @@ index 216b3d1..064ec83 100644
|
|||||||
# Access control for any database objects based on MCS rules.
|
# Access control for any database objects based on MCS rules.
|
||||||
mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
|
mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
|
||||||
( h1 dom h2 );
|
( h1 dom h2 );
|
||||||
@@ -166,4 +174,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
|
@@ -166,4 +172,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
|
||||||
mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
|
mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
|
||||||
( h1 dom h2 );
|
( h1 dom h2 );
|
||||||
|
|
||||||
@ -44536,7 +44529,7 @@ index 0000000..cde0261
|
|||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..11cbcf8
|
index 0000000..dff8d54
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/system/systemd.te
|
+++ b/policy/modules/system/systemd.te
|
||||||
@@ -0,0 +1,723 @@
|
@@ -0,0 +1,723 @@
|
||||||
@ -45209,7 +45202,7 @@ index 0000000..11cbcf8
|
|||||||
+#
|
+#
|
||||||
+# systemd_sysctl domains local policy
|
+# systemd_sysctl domains local policy
|
||||||
+#
|
+#
|
||||||
+allow systemd_sysctl_t self:capability { net_admin sys_admin sys_rawio };
|
+allow systemd_sysctl_t self:capability { net_admin sys_admin sys_ptrace sys_rawio };
|
||||||
+allow systemd_sysctl_t self:unix_dgram_socket create_socket_perms;
|
+allow systemd_sysctl_t self:unix_dgram_socket create_socket_perms;
|
||||||
+kernel_dgram_send(systemd_sysctl_t)
|
+kernel_dgram_send(systemd_sysctl_t)
|
||||||
+kernel_request_load_module(systemd_sysctl_t)
|
+kernel_request_load_module(systemd_sysctl_t)
|
||||||
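Review bot: `sys_ptrace` is added to the `systemd_sysctl_t self:capability` set with no comment saying which operation of systemd-sysctl needs it, and it is a broad capability to grant to a domain that already holds `sys_admin` and `sys_rawio`. If the denial behind BZ(1253926) comes from a benign /proc lookup rather than from anything the service depends on, `dontaudit systemd_sysctl_t self:capability sys_ptrace;` would silence the AVC without widening the domain. If the allow is really required, add a line above it such as `# sys_ptrace: needed for <operation>, BZ(1253926)` so a later audit can re-check it. The rest of the systemd_sysctl section lies outside this hunk, so any existing `process ptrace` rules for the domain are not visible here.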
|
@ -25387,10 +25387,10 @@ index 0000000..1714fa6
|
|||||||
+/var/run/dnssec.* gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0)
|
+/var/run/dnssec.* gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0)
|
||||||
diff --git a/dnssec.if b/dnssec.if
|
diff --git a/dnssec.if b/dnssec.if
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..a846ce0
|
index 0000000..d22ed69
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/dnssec.if
|
+++ b/dnssec.if
|
||||||
@@ -0,0 +1,104 @@
|
@@ -0,0 +1,123 @@
|
||||||
+
|
+
|
||||||
+## <summary>policy for dnssec_trigger</summary>
|
+## <summary>policy for dnssec_trigger</summary>
|
||||||
+
|
+
|
||||||
@ -25474,6 +25474,25 @@ index 0000000..a846ce0
|
|||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
|
+## Send sigkill to dnssec_trigger.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+#
|
||||||
|
+interface(`dnssec_trigger_sigkill',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type dnssec_trigger_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 dnssec_trigger_t:process sigkill;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
+## All of the rules required to administrate
|
+## All of the rules required to administrate
|
||||||
+## an dnssec_trigger environment
|
+## an dnssec_trigger environment
|
||||||
+## </summary>
|
+## </summary>
|
||||||
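Review bot: The header of the new `dnssec_trigger_sigkill` interface appears, as rendered here, to end with two bare `#` lines after `## </param>`, where the usual layout has one. Dropping the extra line keeps the block consistent for the interface documentation tooling. The summary could also name the caller's intent, for example `## Send a kill signal to dnssec_trigger.`, to match the wording used for comparable kill and signal interfaces. The neighbouring interfaces in dnssec.if are outside this hunk, so the file's own convention could not be checked.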
@ -56978,7 +56997,7 @@ index 86dc29d..7380935 100644
|
|||||||
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
|
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
|
||||||
')
|
')
|
||||||
diff --git a/networkmanager.te b/networkmanager.te
|
diff --git a/networkmanager.te b/networkmanager.te
|
||||||
index 55f2009..e6182a2 100644
|
index 55f2009..b84767b 100644
|
||||||
--- a/networkmanager.te
|
--- a/networkmanager.te
|
||||||
+++ b/networkmanager.te
|
+++ b/networkmanager.te
|
||||||
@@ -9,15 +9,18 @@ type NetworkManager_t;
|
@@ -9,15 +9,18 @@ type NetworkManager_t;
|
||||||
@ -57055,11 +57074,11 @@ index 55f2009..e6182a2 100644
|
|||||||
+can_exec(NetworkManager_t, NetworkManager_exec_t)
|
+can_exec(NetworkManager_t, NetworkManager_exec_t)
|
||||||
+#wicd
|
+#wicd
|
||||||
+can_exec(NetworkManager_t, wpa_cli_exec_t)
|
+can_exec(NetworkManager_t, wpa_cli_exec_t)
|
||||||
+
|
|
||||||
+list_dirs_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
|
+list_dirs_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
|
||||||
+read_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
|
+read_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
|
||||||
+read_lnk_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
|
+read_lnk_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
|
||||||
|
+
|
||||||
+list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
|
+list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
|
||||||
+read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
|
+read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
|
||||||
+read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
|
+read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
|
||||||
@ -57138,7 +57157,7 @@ index 55f2009..e6182a2 100644
|
|||||||
fs_getattr_all_fs(NetworkManager_t)
|
fs_getattr_all_fs(NetworkManager_t)
|
||||||
fs_search_auto_mountpoints(NetworkManager_t)
|
fs_search_auto_mountpoints(NetworkManager_t)
|
||||||
fs_list_inotifyfs(NetworkManager_t)
|
fs_list_inotifyfs(NetworkManager_t)
|
||||||
@@ -140,18 +160,35 @@ mls_file_read_all_levels(NetworkManager_t)
|
@@ -140,18 +160,36 @@ mls_file_read_all_levels(NetworkManager_t)
|
||||||
|
|
||||||
selinux_dontaudit_search_fs(NetworkManager_t)
|
selinux_dontaudit_search_fs(NetworkManager_t)
|
||||||
|
|
||||||
@ -57169,13 +57188,14 @@ index 55f2009..e6182a2 100644
|
|||||||
+libs_exec_ldconfig(NetworkManager_t)
|
+libs_exec_ldconfig(NetworkManager_t)
|
||||||
+
|
+
|
||||||
logging_send_syslog_msg(NetworkManager_t)
|
logging_send_syslog_msg(NetworkManager_t)
|
||||||
|
+logging_send_audit_msgs(NetworkManager_t)
|
||||||
|
|
||||||
miscfiles_read_generic_certs(NetworkManager_t)
|
miscfiles_read_generic_certs(NetworkManager_t)
|
||||||
-miscfiles_read_localization(NetworkManager_t)
|
-miscfiles_read_localization(NetworkManager_t)
|
||||||
|
|
||||||
seutil_read_config(NetworkManager_t)
|
seutil_read_config(NetworkManager_t)
|
||||||
|
|
||||||
@@ -166,21 +203,34 @@ sysnet_kill_dhcpc(NetworkManager_t)
|
@@ -166,21 +204,34 @@ sysnet_kill_dhcpc(NetworkManager_t)
|
||||||
sysnet_read_dhcpc_state(NetworkManager_t)
|
sysnet_read_dhcpc_state(NetworkManager_t)
|
||||||
sysnet_delete_dhcpc_state(NetworkManager_t)
|
sysnet_delete_dhcpc_state(NetworkManager_t)
|
||||||
sysnet_search_dhcp_state(NetworkManager_t)
|
sysnet_search_dhcp_state(NetworkManager_t)
|
||||||
@ -57214,7 +57234,7 @@ index 55f2009..e6182a2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -196,10 +246,6 @@ optional_policy(`
|
@@ -196,10 +247,6 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -57225,7 +57245,7 @@ index 55f2009..e6182a2 100644
|
|||||||
consoletype_exec(NetworkManager_t)
|
consoletype_exec(NetworkManager_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -210,17 +256,16 @@ optional_policy(`
|
@@ -210,16 +257,11 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
|
dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
|
||||||
|
|
||||||
@ -57236,19 +57256,15 @@ index 55f2009..e6182a2 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
consolekit_dbus_chat(NetworkManager_t)
|
consolekit_dbus_chat(NetworkManager_t)
|
||||||
+ consolekit_read_pid_files(NetworkManager_t)
|
- ')
|
||||||
')
|
-
|
||||||
+')
|
|
||||||
|
|
||||||
- optional_policy(`
|
- optional_policy(`
|
||||||
- policykit_dbus_chat(NetworkManager_t)
|
- policykit_dbus_chat(NetworkManager_t)
|
||||||
- ')
|
+ consolekit_read_pid_files(NetworkManager_t)
|
||||||
+optional_policy(`
|
')
|
||||||
+ dnssec_trigger_domtrans(NetworkManager_t)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
@@ -231,10 +273,17 @@ optional_policy(`
|
||||||
@@ -231,10 +276,15 @@ optional_policy(`
|
|
||||||
dnsmasq_kill(NetworkManager_t)
|
dnsmasq_kill(NetworkManager_t)
|
||||||
dnsmasq_signal(NetworkManager_t)
|
dnsmasq_signal(NetworkManager_t)
|
||||||
dnsmasq_signull(NetworkManager_t)
|
dnsmasq_signull(NetworkManager_t)
|
||||||
@ -57257,7 +57273,9 @@ index 55f2009..e6182a2 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- gnome_stream_connect_all_gkeyringd(NetworkManager_t)
|
- gnome_stream_connect_all_gkeyringd(NetworkManager_t)
|
||||||
|
+ dnssec_trigger_domtrans(NetworkManager_t)
|
||||||
+ dnssec_trigger_signull(NetworkManager_t)
|
+ dnssec_trigger_signull(NetworkManager_t)
|
||||||
|
+ dnssec_trigger_sigkill(NetworkManager_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
@ -57265,7 +57283,7 @@ index 55f2009..e6182a2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -246,10 +296,26 @@ optional_policy(`
|
@@ -246,10 +295,26 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -57292,7 +57310,7 @@ index 55f2009..e6182a2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -257,15 +323,19 @@ optional_policy(`
|
@@ -257,15 +322,19 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -57314,7 +57332,7 @@ index 55f2009..e6182a2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -274,10 +344,17 @@ optional_policy(`
|
@@ -274,10 +343,17 @@ optional_policy(`
|
||||||
nscd_signull(NetworkManager_t)
|
nscd_signull(NetworkManager_t)
|
||||||
nscd_kill(NetworkManager_t)
|
nscd_kill(NetworkManager_t)
|
||||||
nscd_initrc_domtrans(NetworkManager_t)
|
nscd_initrc_domtrans(NetworkManager_t)
|
||||||
@ -57332,7 +57350,7 @@ index 55f2009..e6182a2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -286,9 +363,12 @@ optional_policy(`
|
@@ -286,9 +362,12 @@ optional_policy(`
|
||||||
openvpn_kill(NetworkManager_t)
|
openvpn_kill(NetworkManager_t)
|
||||||
openvpn_signal(NetworkManager_t)
|
openvpn_signal(NetworkManager_t)
|
||||||
openvpn_signull(NetworkManager_t)
|
openvpn_signull(NetworkManager_t)
|
||||||
@ -57345,7 +57363,7 @@ index 55f2009..e6182a2 100644
|
|||||||
policykit_domtrans_auth(NetworkManager_t)
|
policykit_domtrans_auth(NetworkManager_t)
|
||||||
policykit_read_lib(NetworkManager_t)
|
policykit_read_lib(NetworkManager_t)
|
||||||
policykit_read_reload(NetworkManager_t)
|
policykit_read_reload(NetworkManager_t)
|
||||||
@@ -296,7 +376,7 @@ optional_policy(`
|
@@ -296,7 +375,7 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -57354,7 +57372,7 @@ index 55f2009..e6182a2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -307,6 +387,7 @@ optional_policy(`
|
@@ -307,6 +386,7 @@ optional_policy(`
|
||||||
ppp_signal(NetworkManager_t)
|
ppp_signal(NetworkManager_t)
|
||||||
ppp_signull(NetworkManager_t)
|
ppp_signull(NetworkManager_t)
|
||||||
ppp_read_config(NetworkManager_t)
|
ppp_read_config(NetworkManager_t)
|
||||||
@ -57362,7 +57380,7 @@ index 55f2009..e6182a2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -320,14 +401,21 @@ optional_policy(`
|
@@ -320,14 +400,21 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -57389,7 +57407,7 @@ index 55f2009..e6182a2 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -357,6 +445,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
|
@@ -357,6 +444,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
|
||||||
init_dontaudit_use_fds(wpa_cli_t)
|
init_dontaudit_use_fds(wpa_cli_t)
|
||||||
init_use_script_ptys(wpa_cli_t)
|
init_use_script_ptys(wpa_cli_t)
|
||||||
|
|
||||||
@ -65817,10 +65835,10 @@ index 8176e4a..2df1789 100644
|
|||||||
|
|
||||||
diff --git a/pcp.fc b/pcp.fc
|
diff --git a/pcp.fc b/pcp.fc
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..9b8cb6b
|
index 0000000..26a45e3
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/pcp.fc
|
+++ b/pcp.fc
|
||||||
@@ -0,0 +1,28 @@
|
@@ -0,0 +1,29 @@
|
||||||
+/etc/rc\.d/init\.d/pmcd -- gen_context(system_u:object_r:pcp_pmcd_initrc_exec_t,s0)
|
+/etc/rc\.d/init\.d/pmcd -- gen_context(system_u:object_r:pcp_pmcd_initrc_exec_t,s0)
|
||||||
+/etc/rc\.d/init\.d/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_initrc_exec_t,s0)
|
+/etc/rc\.d/init\.d/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_initrc_exec_t,s0)
|
||||||
+/etc/rc\.d/init\.d/pmproxy -- gen_context(system_u:object_r:pcp_pmproxy_initrc_exec_t,s0)
|
+/etc/rc\.d/init\.d/pmproxy -- gen_context(system_u:object_r:pcp_pmproxy_initrc_exec_t,s0)
|
||||||
@ -65849,6 +65867,7 @@ index 0000000..9b8cb6b
|
|||||||
+
|
+
|
||||||
+/var/run/pcp(/.*)? gen_context(system_u:object_r:pcp_var_run_t,s0)
|
+/var/run/pcp(/.*)? gen_context(system_u:object_r:pcp_var_run_t,s0)
|
||||||
+/var/run/pmcd\.socket -- gen_context(system_u:object_r:pcp_var_run_t,s0)
|
+/var/run/pmcd\.socket -- gen_context(system_u:object_r:pcp_var_run_t,s0)
|
||||||
|
+/var/run/pmlogger\.primary\.socket -l gen_context(system_u:object_r:pcp_var_run_t,s0)
|
||||||
diff --git a/pcp.if b/pcp.if
|
diff --git a/pcp.if b/pcp.if
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..80246e6
|
index 0000000..80246e6
|
||||||
@ -66001,10 +66020,10 @@ index 0000000..80246e6
|
|||||||
+
|
+
|
||||||
diff --git a/pcp.te b/pcp.te
|
diff --git a/pcp.te b/pcp.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..e24db6b
|
index 0000000..684f7b0
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/pcp.te
|
+++ b/pcp.te
|
||||||
@@ -0,0 +1,259 @@
|
@@ -0,0 +1,260 @@
|
||||||
+policy_module(pcp, 1.0.0)
|
+policy_module(pcp, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -66079,7 +66098,8 @@ index 0000000..e24db6b
|
|||||||
+manage_dirs_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
|
+manage_dirs_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
|
||||||
+manage_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
|
+manage_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
|
||||||
+manage_sock_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
|
+manage_sock_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
|
||||||
+files_pid_filetrans(pcp_domain, pcp_var_run_t, { dir file sock_file })
|
+manage_lnk_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
|
||||||
|
+files_pid_filetrans(pcp_domain, pcp_var_run_t, { dir file sock_file lnk_file })
|
||||||
+
|
+
|
||||||
+manage_dirs_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t)
|
+manage_dirs_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t)
|
||||||
+manage_files_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t)
|
+manage_files_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t)
|
||||||
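Review bot: The changelog entry is about pmlogger creating `pmlogger.primary.socket`, but both new rules are granted to `pcp_domain`, so every domain carrying that name gains symlink management in `pcp_var_run_t`. In addition, the unnamed `files_pid_filetrans(pcp_domain, pcp_var_run_t, { dir file sock_file lnk_file })` labels any symlink those domains create in the pid directory. Consider scoping both to the pmlogger domain and using a named transition, e.g. `files_pid_filetrans(pcp_pmlogger_t, pcp_var_run_t, lnk_file, "pmlogger.primary.socket")`, assuming that is the domain's type name in this module. Symlinks under /var/run that several daemons may create or replace are worth keeping as narrow as the bug requires. The declarations of `pcp_domain` and its members are outside this hunk.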
@ -70497,7 +70517,7 @@ index cbe36c1..8ebeb87 100644
|
|||||||
|
|
||||||
auth_domtrans_chk_passwd(portslave_t)
|
auth_domtrans_chk_passwd(portslave_t)
|
||||||
diff --git a/postfix.fc b/postfix.fc
|
diff --git a/postfix.fc b/postfix.fc
|
||||||
index c0e8785..c0e0959 100644
|
index c0e8785..3070aa0 100644
|
||||||
--- a/postfix.fc
|
--- a/postfix.fc
|
||||||
+++ b/postfix.fc
|
+++ b/postfix.fc
|
||||||
@@ -1,38 +1,38 @@
|
@@ -1,38 +1,38 @@
|
||||||
@ -70579,15 +70599,16 @@ index c0e8785..c0e0959 100644
|
|||||||
-/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
|
-/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
|
||||||
-/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
|
-/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
|
||||||
-/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
|
-/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
|
||||||
|
-/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0)
|
||||||
+/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0)
|
+/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0)
|
||||||
+/var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
|
+/var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
|
||||||
+/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
|
+/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
|
||||||
+/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
|
+/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
|
||||||
+/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
|
+/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
|
||||||
+/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
|
+/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
|
||||||
+/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
|
+/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
|
||||||
+/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
|
+/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
|
||||||
/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0)
|
+/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
|
||||||
diff --git a/postfix.if b/postfix.if
|
diff --git a/postfix.if b/postfix.if
|
||||||
index ded95ec..3cf7146 100644
|
index ded95ec..3cf7146 100644
|
||||||
--- a/postfix.if
|
--- a/postfix.if
|
||||||
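Review bot: After this change the `deferred`, `defer`, `maildrop` and `flush` entries all map to `postfix_spool_t`, which is what the catch-all `/var/spool/postfix.*` entry just above them already assigns. The four lines are therefore redundant as written, and nothing in postfix.fc labels a path `postfix_spool_maildrop_t` or `postfix_spool_flush_t` any more. If those two types are still declared separately in postfix.te (not visible here) rather than aliased to `postfix_spool_t`, the rules that reference them no longer match any labelled path and the per-queue separation is silently lost. Either drop the redundant entries or add a comment above them saying why the queues now share one type. Files already on disk keep their old labels until they are relabelled.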
@ -97065,10 +97086,10 @@ index 0000000..52450c7
|
|||||||
+')
|
+')
|
||||||
diff --git a/smsd.te b/smsd.te
|
diff --git a/smsd.te b/smsd.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..1fad7b8
|
index 0000000..d971935
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/smsd.te
|
+++ b/smsd.te
|
||||||
@@ -0,0 +1,73 @@
|
@@ -0,0 +1,75 @@
|
||||||
+policy_module(smsd, 1.0.0)
|
+policy_module(smsd, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -97142,6 +97163,8 @@ index 0000000..1fad7b8
|
|||||||
+logging_send_syslog_msg(smsd_t)
|
+logging_send_syslog_msg(smsd_t)
|
||||||
+
|
+
|
||||||
+sysnet_dns_name_resolve(smsd_t)
|
+sysnet_dns_name_resolve(smsd_t)
|
||||||
|
+
|
||||||
|
+term_use_usb_ttys(smsd_t)
|
||||||
diff --git a/smstools.if b/smstools.if
|
diff --git a/smstools.if b/smstools.if
|
||||||
index cbfe369..6594af3 100644
|
index cbfe369..6594af3 100644
|
||||||
--- a/smstools.if
|
--- a/smstools.if
|
||||||
|
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.13.1
|
Version: 3.13.1
|
||||||
Release: 143%{?dist}
|
Release: 144%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -647,6 +647,15 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Aug 24 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-144
|
||||||
|
- Allow pmlogger to create pmlogger.primary.socket link file. BZ(1254080)
|
||||||
|
- Allow NetworkManager send sigkill to dnssec-trigger. BZ(1251764)
|
||||||
|
- Add interface dnssec_trigger_sigkill
|
||||||
|
- Allow smsd use usb ttys. BZ(#1250536)
|
||||||
|
- Fix postfix_spool_maildrop_t,postfix_spool_flush_t contexts in postfix.fc file.
|
||||||
|
- Revert default_range change in targeted policy
|
||||||
|
- Allow systemd-sysctl cap. sys_ptrace BZ(1253926)
|
||||||
|
|
||||||
* Fri Aug 21 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-143
|
* Fri Aug 21 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-143
|
||||||
- Add ipmievd policy creaed by vmojzis@redhat.com
|
- Add ipmievd policy creaed by vmojzis@redhat.com
|
||||||
- Call kernel_load_module(vmware_host_t) to satisfy neverallow assertion for sys_moudle in MLS where unconfined is disabled.
|
- Call kernel_load_module(vmware_host_t) to satisfy neverallow assertion for sys_moudle in MLS where unconfined is disabled.
|
||||||
|