- Allow NetworkManager to read openvpn_etc_t
- Dontaudit hplip writes to /usr dirs - Allow system_mail_t to create /root/dead.letter as mail_home_t - Add vdagent policy for spice agent daemon
This commit is contained in:
parent
7a208696f9
commit
9754f472c7
@ -1734,10 +1734,17 @@ unconfined = module
|
||||
#
|
||||
ulogd = module
|
||||
|
||||
# Layer: services
|
||||
# Module: vdagent
|
||||
#
|
||||
# vdagent
|
||||
#
|
||||
vdagent = module
|
||||
|
||||
# Layer: services
|
||||
# Module: vhostmd
|
||||
#
|
||||
# vhostmd - A metrics gathering daemon
|
||||
# vhostmd - spice guest agent daemon.
|
||||
#
|
||||
vhostmd = module
|
||||
|
||||
|
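Review bot: The description line `# vhostmd - spice guest agent daemon.` lands under the vhostmd block, which already has `# vhostmd - A metrics gathering daemon` directly above it, while the new vdagent block carries only the bare `# vdagent` comment. As written the file now gives vhostmd two contradictory descriptions and leaves the module this commit actually adds undocumented. Move the line into the vdagent block as `# vdagent - spice guest agent daemon.` in place of the bare `# vdagent`, and drop it from the vhostmd block.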
368
policy-F14.patch
368
policy-F14.patch
@ -2045,10 +2045,10 @@ index 7fd0900..899e234 100644
|
||||
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
|
||||
diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc
|
||||
new file mode 100644
|
||||
index 0000000..9bd4f45
|
||||
index 0000000..278b3a3
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/apps/execmem.fc
|
||||
@@ -0,0 +1,48 @@
|
||||
@@ -0,0 +1,49 @@
|
||||
+
|
||||
+/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
||||
+/usr/bin/compiz -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
||||
@ -2081,6 +2081,7 @@ index 0000000..9bd4f45
|
||||
+/usr/lib(64)/virtualbox/VirtualBox -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
||||
+
|
||||
+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
||||
+/opt/secondlife-install/bin/SLPlugin -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
||||
+
|
||||
+/opt/real/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
||||
+
|
||||
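Review bot: The added entry `/opt/real/RealPlayer/realplay\.bin` is already matched by the existing pattern `/opt/real/(.*/)?realplay\.bin` a few lines above, so it is a second rule for the same path. Duplicate file-context regexes for one path are a maintenance hazard: if one is later changed to a different type, the label that wins depends on pattern ordering and specificity rather than on intent. Either drop the new line or, if the goal is to pin the RealPlayer install directory specifically, tighten the older pattern instead.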
@ -12265,7 +12266,7 @@ index 0ecc786..dbf2710 100644
|
||||
userdom_dontaudit_search_user_home_dirs(webadm_t)
|
||||
|
||||
diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
|
||||
index e88b95f..e76f7a7 100644
|
||||
index e88b95f..b8b5c15 100644
|
||||
--- a/policy/modules/roles/xguest.te
|
||||
+++ b/policy/modules/roles/xguest.te
|
||||
@@ -14,7 +14,7 @@ gen_tunable(xguest_mount_media, true)
|
||||
@ -12326,7 +12327,7 @@ index e88b95f..e76f7a7 100644
|
||||
')
|
||||
')
|
||||
|
||||
@@ -76,23 +84,90 @@ optional_policy(`
|
||||
@@ -76,23 +84,95 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -12345,23 +12346,28 @@ index e88b95f..e76f7a7 100644
|
||||
+
|
||||
+optional_policy(`
|
||||
+ gnomeclock_dontaudit_dbus_chat(xguest_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- mozilla_role(xguest_r, xguest_t)
|
||||
+ java_role_template(xguest, xguest_r, xguest_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ mono_role_template(xguest, xguest_r, xguest_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- mozilla_role(xguest_r, xguest_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ mozilla_run_plugin(xguest_t, xguest_r)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ nsplugin_role(xguest_r, xguest_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ pcscd_read_pub_files(xguest_usertype)
|
||||
+ pcscd_stream_connect(xguest_usertype)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -12404,7 +12410,7 @@ index e88b95f..e76f7a7 100644
|
||||
+ corenet_tcp_connect_speech_port(xguest_usertype)
|
||||
+ corenet_tcp_sendrecv_transproxy_port(xguest_usertype)
|
||||
+ corenet_tcp_connect_transproxy_port(xguest_usertype)
|
||||
')
|
||||
+ ')
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ telepathy_dbus_session_role(xguest_r, xguest_t)
|
||||
@ -12414,7 +12420,7 @@ index e88b95f..e76f7a7 100644
|
||||
+optional_policy(`
|
||||
+ gen_require(`
|
||||
+ type mozilla_t;
|
||||
+ ')
|
||||
')
|
||||
+
|
||||
+ allow xguest_t mozilla_t:process transition;
|
||||
+ role xguest_r types mozilla_t;
|
||||
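Review bot: `allow xguest_t mozilla_t:process transition;` and `role xguest_r types mozilla_t;` reach into another module's type through a `gen_require` in xguest.te instead of going through a mozilla interface, and `transition` by itself is not a working domain transition — execute on the entry point, `entrypoint`, `sigchld` and fd inheritance come from the `domtrans_pattern`-based interfaces that the `mozilla_role` call this patch removes used to supply. The rendered view drops the outer marker, so it is not certain this block is new in this revision, and the `optional_policy` block it sits in continues past the hunk. Prefer an interface exported by mozilla.if (a run/role interface that performs the `domtrans_pattern` and the `role` statement) so the access stays under the owning module's control.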
@ -13281,7 +13287,7 @@ index 9e39aa5..8603d4d 100644
|
||||
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
||||
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
|
||||
index c9e1a44..6918ff2 100644
|
||||
index c9e1a44..ef353c7 100644
|
||||
--- a/policy/modules/services/apache.if
|
||||
+++ b/policy/modules/services/apache.if
|
||||
@@ -13,17 +13,13 @@
|
||||
@ -13305,7 +13311,7 @@ index c9e1a44..6918ff2 100644
|
||||
typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
|
||||
files_type(httpd_$1_content_t)
|
||||
|
||||
@@ -36,25 +32,25 @@ template(`apache_content_template',`
|
||||
@@ -36,32 +32,32 @@ template(`apache_content_template',`
|
||||
domain_type(httpd_$1_script_t)
|
||||
role system_r types httpd_$1_script_t;
|
||||
|
||||
@ -13336,6 +13342,14 @@ index c9e1a44..6918ff2 100644
|
||||
|
||||
allow httpd_$1_script_t self:fifo_file rw_file_perms;
|
||||
allow httpd_$1_script_t self:unix_stream_socket connectto;
|
||||
|
||||
allow httpd_$1_script_t httpd_t:fifo_file write;
|
||||
# apache should set close-on-exec
|
||||
- dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
|
||||
+ apache_dontaudit_leaks(httpd_$1_script_t)
|
||||
|
||||
# Allow the script process to search the cgi directory, and users directory
|
||||
allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
|
||||
@@ -86,7 +82,6 @@ template(`apache_content_template',`
|
||||
manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
||||
manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
||||
@ -13799,7 +13813,7 @@ index c9e1a44..6918ff2 100644
|
||||
admin_pattern($1, httpd_log_t)
|
||||
|
||||
admin_pattern($1, httpd_modules_t)
|
||||
@@ -1200,14 +1367,41 @@ interface(`apache_admin',`
|
||||
@@ -1200,14 +1367,43 @@ interface(`apache_admin',`
|
||||
admin_pattern($1, httpd_var_run_t)
|
||||
files_pid_filetrans($1, httpd_var_run_t, file)
|
||||
|
||||
@ -13839,12 +13853,14 @@ index c9e1a44..6918ff2 100644
|
||||
+interface(`apache_dontaudit_leaks',`
|
||||
+ gen_require(`
|
||||
+ type httpd_t;
|
||||
+ type httpd_tmp_t;
|
||||
+ ')
|
||||
+
|
||||
+ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
|
||||
+ dontaudit $1 httpd_t:tcp_socket { read write };
|
||||
+ dontaudit $1 httpd_t:unix_dgram_socket { read write };
|
||||
+ dontaudit $1 httpd_t:unix_stream_socket { read write };
|
||||
+ dontaudit $1 httpd_tmp_t:file { read write };
|
||||
')
|
||||
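Review bot: `dontaudit $1 httpd_tmp_t:file { read write };` in `apache_dontaudit_leaks` spells out a bare permission set while the fifo rule two lines above uses `rw_inherited_fifo_file_perms`; the file rule should use the matching `rw_inherited_file_perms` so it reads as a leaked-descriptor rule rather than a license for scripts to work on httpd's temp files (if the macros here follow the reference definitions, the inherited variants are the ones that omit `open`). Silencing denials on leaked httpd_t sockets and tmp files also removes the evidence that apache is not setting close-on-exec, so the interface should say so in its summary, e.g. `## Do not audit attempts to use leaked httpd file descriptors; httpd should set close-on-exec.` The hunk header grows by two lines, but the rendered view does not show which of the five dontaudit rules are new.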
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
|
||||
index 08dfa0c..b9fc802 100644
|
||||
@ -16202,10 +16218,18 @@ index 7a6e5ba..d664be8 100644
|
||||
admin_pattern($1, certmonger_var_run_t)
|
||||
')
|
||||
diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te
|
||||
index 1a65b5e..5595c96 100644
|
||||
index 1a65b5e..e281c74 100644
|
||||
--- a/policy/modules/services/certmonger.te
|
||||
+++ b/policy/modules/services/certmonger.te
|
||||
@@ -32,7 +32,7 @@ allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
@@ -24,6 +24,7 @@ files_type(certmonger_var_lib_t)
|
||||
#
|
||||
|
||||
allow certmonger_t self:capability { kill sys_nice };
|
||||
+dontaudit certmonger_t self:capability sys_tty_config;
|
||||
allow certmonger_t self:process { getsched setsched sigkill };
|
||||
allow certmonger_t self:fifo_file rw_file_perms;
|
||||
allow certmonger_t self:unix_stream_socket create_stream_socket_perms;
|
||||
@@ -32,7 +33,7 @@ allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
|
||||
manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
|
||||
@ -16214,7 +16238,16 @@ index 1a65b5e..5595c96 100644
|
||||
|
||||
manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
|
||||
manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
|
||||
@@ -58,6 +58,16 @@ miscfiles_manage_generic_cert_files(certmonger_t)
|
||||
@@ -51,6 +52,8 @@ files_read_etc_files(certmonger_t)
|
||||
files_read_usr_files(certmonger_t)
|
||||
files_list_tmp(certmonger_t)
|
||||
|
||||
+auth_rw_cache(certmonger_t)
|
||||
+
|
||||
logging_send_syslog_msg(certmonger_t)
|
||||
|
||||
miscfiles_read_localization(certmonger_t)
|
||||
@@ -58,6 +61,16 @@ miscfiles_manage_generic_cert_files(certmonger_t)
|
||||
|
||||
sysnet_dns_name_resolve(certmonger_t)
|
||||
|
||||
@ -16231,8 +16264,11 @@ index 1a65b5e..5595c96 100644
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(certmonger_t)
|
||||
dbus_connect_system_bus(certmonger_t)
|
||||
@@ -70,3 +80,4 @@ optional_policy(`
|
||||
@@ -68,5 +81,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ pcscd_read_pub_files(certmonger_t)
|
||||
pcscd_stream_connect(certmonger_t)
|
||||
')
|
||||
+
|
||||
@ -18434,7 +18470,7 @@ index 305ddf4..777091a 100644
|
||||
|
||||
admin_pattern($1, ptal_etc_t)
|
||||
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
|
||||
index 0f28095..b3ab30f 100644
|
||||
index 0f28095..cf33683 100644
|
||||
--- a/policy/modules/services/cups.te
|
||||
+++ b/policy/modules/services/cups.te
|
||||
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
|
||||
@ -18564,6 +18600,14 @@ index 0f28095..b3ab30f 100644
|
||||
|
||||
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
|
||||
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
|
||||
@@ -685,6 +703,7 @@ domain_use_interactive_fds(hplip_t)
|
||||
files_read_etc_files(hplip_t)
|
||||
files_read_etc_runtime_files(hplip_t)
|
||||
files_read_usr_files(hplip_t)
|
||||
+files_dontaudit_write_usr_dirs(hplip_t)
|
||||
|
||||
logging_send_syslog_msg(hplip_t)
|
||||
|
||||
diff --git a/policy/modules/services/cvs.if b/policy/modules/services/cvs.if
|
||||
index c43ff4c..5bf3e60 100644
|
||||
--- a/policy/modules/services/cvs.if
|
||||
@ -21956,7 +22000,7 @@ index 6fd0b4c..b733e45 100644
|
||||
-
|
||||
')
|
||||
diff --git a/policy/modules/services/ksmtuned.te b/policy/modules/services/ksmtuned.te
|
||||
index a73b7a1..01adbed 100644
|
||||
index a73b7a1..83a4f38 100644
|
||||
--- a/policy/modules/services/ksmtuned.te
|
||||
+++ b/policy/modules/services/ksmtuned.te
|
||||
@@ -9,6 +9,9 @@ type ksmtuned_t;
|
||||
@ -21980,7 +22024,7 @@ index a73b7a1..01adbed 100644
|
||||
manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t)
|
||||
files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file)
|
||||
|
||||
@@ -31,9 +38,14 @@ kernel_read_system_state(ksmtuned_t)
|
||||
@@ -31,9 +38,16 @@ kernel_read_system_state(ksmtuned_t)
|
||||
dev_rw_sysfs(ksmtuned_t)
|
||||
|
||||
domain_read_all_domains_state(ksmtuned_t)
|
||||
@ -21993,6 +22037,8 @@ index a73b7a1..01adbed 100644
|
||||
+mls_file_read_to_clearance(ksmtuned_t)
|
||||
+
|
||||
+term_use_all_terms(ksmtuned_t)
|
||||
+
|
||||
+logging_send_syslog_msg(ksmtuned_t)
|
||||
+
|
||||
miscfiles_read_localization(ksmtuned_t)
|
||||
diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc
|
||||
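Review bot: `term_use_all_terms(ksmtuned_t)` gives a background memory-tuning daemon read/write on every tty and pty on the system, far more than it should need; a compromised process with that access can write into or read from interactive sessions. If the denials came from the init script's stdout/stderr being a pty or the console, `init_use_script_ptys(ksmtuned_t)` (already used elsewhere in this patch) or `term_use_console(ksmtuned_t)`, or the corresponding dontaudit interface, covers that without granting the general access. The hunk header grows by two lines, so this rule appears to be new in this revision; please add a comment stating which terminal the daemon actually needs.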
@ -23822,7 +23868,7 @@ index 343cee3..2f948ad 100644
|
||||
+ ')
|
||||
+')
|
||||
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
|
||||
index 64268e4..7521b9e 100644
|
||||
index 64268e4..1acd149 100644
|
||||
--- a/policy/modules/services/mta.te
|
||||
+++ b/policy/modules/services/mta.te
|
||||
@@ -20,8 +20,8 @@ files_type(etc_aliases_t)
|
||||
@ -23859,17 +23905,18 @@ index 64268e4..7521b9e 100644
|
||||
dev_read_sysfs(system_mail_t)
|
||||
dev_read_rand(system_mail_t)
|
||||
dev_read_urand(system_mail_t)
|
||||
@@ -82,6 +69,9 @@ init_use_script_ptys(system_mail_t)
|
||||
@@ -82,6 +69,10 @@ init_use_script_ptys(system_mail_t)
|
||||
|
||||
userdom_use_user_terminals(system_mail_t)
|
||||
userdom_dontaudit_search_user_home_dirs(system_mail_t)
|
||||
+userdom_dontaudit_list_admin_dir(system_mail_t)
|
||||
+userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)
|
||||
+
|
||||
+logging_append_all_logs(system_mail_t)
|
||||
|
||||
optional_policy(`
|
||||
apache_read_squirrelmail_data(system_mail_t)
|
||||
@@ -92,17 +82,28 @@ optional_policy(`
|
||||
@@ -92,17 +83,28 @@ optional_policy(`
|
||||
apache_dontaudit_rw_stream_sockets(system_mail_t)
|
||||
apache_dontaudit_rw_tcp_sockets(system_mail_t)
|
||||
apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
|
||||
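Review bot: `userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)` labels every regular file system_mail_t creates directly in the admin home directory as mail_home_t, not only the `/root/dead.letter` named in the commit message, because the call carries no name component. That is acceptable, but nothing in the hunk records why a mail domain writes into /root at all, so the next reader sees sendmail creating files in root's home with no explanation. Add `# mail(1) saves undeliverable messages to /root/dead.letter` above the rule. The hunk header grows by only one line, so just one of the three `userdom_`/`logging_` lines is new; the rendered view does not show which.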
@ -23899,7 +23946,7 @@ index 64268e4..7521b9e 100644
|
||||
clamav_stream_connect(system_mail_t)
|
||||
clamav_append_log(system_mail_t)
|
||||
')
|
||||
@@ -111,6 +112,8 @@ optional_policy(`
|
||||
@@ -111,6 +113,8 @@ optional_policy(`
|
||||
cron_read_system_job_tmp_files(system_mail_t)
|
||||
cron_dontaudit_write_pipes(system_mail_t)
|
||||
cron_rw_system_job_stream_sockets(system_mail_t)
|
||||
@ -23908,7 +23955,7 @@ index 64268e4..7521b9e 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -124,12 +127,8 @@ optional_policy(`
|
||||
@@ -124,12 +128,8 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -23922,7 +23969,7 @@ index 64268e4..7521b9e 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -146,6 +145,10 @@ optional_policy(`
|
||||
@@ -146,6 +146,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -23933,7 +23980,7 @@ index 64268e4..7521b9e 100644
|
||||
nagios_read_tmp_files(system_mail_t)
|
||||
')
|
||||
|
||||
@@ -158,18 +161,6 @@ optional_policy(`
|
||||
@@ -158,18 +162,6 @@ optional_policy(`
|
||||
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
|
||||
|
||||
domain_use_interactive_fds(system_mail_t)
|
||||
@ -23952,7 +23999,7 @@ index 64268e4..7521b9e 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -189,6 +180,10 @@ optional_policy(`
|
||||
@@ -189,6 +181,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -23963,7 +24010,7 @@ index 64268e4..7521b9e 100644
|
||||
smartmon_read_tmp_files(system_mail_t)
|
||||
')
|
||||
|
||||
@@ -199,7 +194,7 @@ optional_policy(`
|
||||
@@ -199,7 +195,7 @@ optional_policy(`
|
||||
arpwatch_search_data(mailserver_delivery)
|
||||
arpwatch_manage_tmp_files(mta_user_agent)
|
||||
|
||||
@ -23972,7 +24019,7 @@ index 64268e4..7521b9e 100644
|
||||
arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
|
||||
')
|
||||
|
||||
@@ -220,7 +215,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
|
||||
@@ -220,7 +216,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
|
||||
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
|
||||
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
|
||||
|
||||
@ -23982,7 +24029,7 @@ index 64268e4..7521b9e 100644
|
||||
|
||||
read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
|
||||
|
||||
@@ -249,11 +245,16 @@ optional_policy(`
|
||||
@@ -249,11 +246,16 @@ optional_policy(`
|
||||
mailman_read_data_symlinks(mailserver_delivery)
|
||||
')
|
||||
|
||||
@ -23999,7 +24046,7 @@ index 64268e4..7521b9e 100644
|
||||
domain_use_interactive_fds(user_mail_t)
|
||||
|
||||
userdom_use_user_terminals(user_mail_t)
|
||||
@@ -292,3 +293,44 @@ optional_policy(`
|
||||
@@ -292,3 +294,44 @@ optional_policy(`
|
||||
postfix_read_config(user_mail_t)
|
||||
postfix_list_spool(user_mail_t)
|
||||
')
|
||||
@ -24727,7 +24774,7 @@ index 2324d9e..8069487 100644
|
||||
+ append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
|
||||
+')
|
||||
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
|
||||
index 0619395..a074153 100644
|
||||
index 0619395..4898ef8 100644
|
||||
--- a/policy/modules/services/networkmanager.te
|
||||
+++ b/policy/modules/services/networkmanager.te
|
||||
@@ -12,6 +12,12 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
|
||||
@ -24844,7 +24891,15 @@ index 0619395..a074153 100644
|
||||
iptables_domtrans(NetworkManager_t)
|
||||
')
|
||||
|
||||
@@ -263,6 +298,7 @@ optional_policy(`
|
||||
@@ -219,6 +254,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ openvpn_read_config(NetworkManager_t)
|
||||
openvpn_domtrans(NetworkManager_t)
|
||||
openvpn_kill(NetworkManager_t)
|
||||
openvpn_signal(NetworkManager_t)
|
||||
@@ -263,6 +299,7 @@ optional_policy(`
|
||||
vpn_kill(NetworkManager_t)
|
||||
vpn_signal(NetworkManager_t)
|
||||
vpn_signull(NetworkManager_t)
|
||||
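Review bot: `openvpn_read_config(NetworkManager_t)` gives NetworkManager read access to everything labeled openvpn_etc_t, which in a typical /etc/openvpn layout includes the client certificates and private keys kept next to the .conf files, not just configuration text. NetworkManager already launches openvpn via `openvpn_domtrans` two lines below, so the key material could stay confined to openvpn_t if NM only needs the .conf files for VPN import. If the broader read is intended, add `# nm-openvpn imports existing /etc/openvpn configs` (or the real reason) above the line so the exposure is deliberate; a narrower type for key files would be the alternative, but that is outside this hunk.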
@ -32299,10 +32354,10 @@ index 93fe7bf..4a15633 100644
|
||||
|
||||
allow $1 soundd_t:process { ptrace signal_perms };
|
||||
diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc
|
||||
index 6b3abf9..540981f 100644
|
||||
index 6b3abf9..d445f78 100644
|
||||
--- a/policy/modules/services/spamassassin.fc
|
||||
+++ b/policy/modules/services/spamassassin.fc
|
||||
@@ -1,15 +1,26 @@
|
||||
@@ -1,15 +1,27 @@
|
||||
-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
|
||||
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
|
||||
+/root/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
|
||||
@ -32317,6 +32372,7 @@ index 6b3abf9..540981f 100644
|
||||
/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
|
||||
|
||||
/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
|
||||
+/usr/bin/mimedefang -- gen_context(system_u:object_r:spamd_exec_t,s0)
|
||||
+/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0)
|
||||
|
||||
/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
|
||||
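Review bot: `/usr/bin/mimedefang` and `/usr/bin/mimedefang-multiplexor` are labeled `spamd_exec_t`, so the MIMEDefang milter and its multiplexor run in the same spamd_t domain as spamd itself. Sharing one domain across unrelated programs means every permission either needs is granted to both, and a bug in one exposes whatever the other may reach; as a milter, mimedefang presumably also needs MTA-facing access that spamd does not. If a separate domain is too much for now, record the decision with `# mimedefang wraps spamassassin and intentionally shares spamd_t` above the two lines. The hunk header grows by one, so only one of the two entries appears to be new.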
@ -34643,6 +34699,105 @@ index 1cc80e8..c6bf70e 100644
|
||||
|
||||
manage_dirs_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
|
||||
manage_files_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
|
||||
diff --git a/policy/modules/services/vdagent.fc b/policy/modules/services/vdagent.fc
|
||||
new file mode 100644
|
||||
index 0000000..bb0a79c
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/services/vdagent.fc
|
||||
@@ -0,0 +1,4 @@
|
||||
+
|
||||
+/sbin/vdagent -- gen_context(system_u:object_r:vdagent_exec_t,s0)
|
||||
+
|
||||
+/var/run/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_var_run_t,s0)
|
||||
diff --git a/policy/modules/services/vdagent.if b/policy/modules/services/vdagent.if
|
||||
new file mode 100644
|
||||
index 0000000..35020c8
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/services/vdagent.if
|
||||
@@ -0,0 +1,39 @@
|
||||
+## <summary>The spice guest agent daemon.</summary>
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute a domain transition to run vdagent.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`vdagent_domtrans',`
|
||||
+ gen_require(`
|
||||
+ type vdagent_t, vdagent_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ domtrans_pattern($1, vdagent_exec_t, vdagent_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Connect to vdagent over an unix stream socket.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`vdagent_stream_connect',`
|
||||
+ gen_require(`
|
||||
+ type vdagent_t, vdagent_var_run_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_pids($1)
|
||||
+ stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t)
|
||||
+')
|
||||
diff --git a/policy/modules/services/vdagent.te b/policy/modules/services/vdagent.te
|
||||
new file mode 100644
|
||||
index 0000000..87d5c8c
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/services/vdagent.te
|
||||
@@ -0,0 +1,38 @@
|
||||
+policy_module(vdagent,1.0.0)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# Declarations
|
||||
+#
|
||||
+
|
||||
+type vdagent_t;
|
||||
+type vdagent_exec_t;
|
||||
+udev_system_domain(vdagent_t, vdagent_exec_t)
|
||||
+
|
||||
+type vdagent_var_run_t;
|
||||
+files_pid_file(vdagent_var_run_t)
|
||||
+
|
||||
+permissive vdagent_t;
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# vdagent local policy
|
||||
+#
|
||||
+allow vdagent_t self:process { fork };
|
||||
+
|
||||
+allow vdagent_t self:fifo_file rw_fifo_file_perms;
|
||||
+allow vdagent_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+
|
||||
+manage_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
|
||||
+manage_dirs_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
|
||||
+manage_sock_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
|
||||
+manage_lnk_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
|
||||
+files_pid_filetrans(vdagent_t, vdagent_var_run_t, { file dir sock_file })
|
||||
+
|
||||
+domain_use_interactive_fds(vdagent_t)
|
||||
+
|
||||
+files_read_etc_files(vdagent_t)
|
||||
+
|
||||
+miscfiles_read_localization(vdagent_t)
|
||||
+
|
||||
+userdom_use_user_ptys(vdagent_t)
|
||||
diff --git a/policy/modules/services/vhostmd.if b/policy/modules/services/vhostmd.if
|
||||
index 1f872b5..da605ba 100644
|
||||
--- a/policy/modules/services/vhostmd.if
|
||||
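Review bot: `permissive vdagent_t;` ships the new domain in permissive mode, so every denial for the spice agent is logged but not enforced and the module provides no confinement until that line is removed, yet nothing in vdagent.te marks it as temporary. Add `# TODO: remove once the policy is complete; new domain starts permissive for testing` above it so it is not forgotten at release. Separately, vdagent.fc labels `/sbin/vdagent` while the run directory is `/var/run/spice-vdagentd`; if the packaged daemon is actually installed as spice-vdagentd under /usr/sbin, the entry point never matches and the process never enters vdagent_t — please confirm the path against the package file list. `allow vdagent_t self:process { fork };` can also drop the braces around the single permission.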
@ -38483,7 +38638,7 @@ index 1c4b1e7..2997dd7 100644
|
||||
/var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
|
||||
|
||||
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
|
||||
index bea0ade..a1069bf 100644
|
||||
index bea0ade..6f47773 100644
|
||||
--- a/policy/modules/system/authlogin.if
|
||||
+++ b/policy/modules/system/authlogin.if
|
||||
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
|
||||
@ -38530,7 +38685,18 @@ index bea0ade..a1069bf 100644
|
||||
manage_files_pattern($1, var_auth_t, var_auth_t)
|
||||
|
||||
manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
|
||||
@@ -126,6 +137,8 @@ interface(`auth_login_pgm_domain',`
|
||||
@@ -119,6 +130,10 @@ interface(`auth_login_pgm_domain',`
|
||||
# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
|
||||
kernel_rw_afs_state($1)
|
||||
|
||||
+ tunable_policy(`authlogin_radius',`
|
||||
+ corenet_udp_bind_all_unreserved_ports($1)
|
||||
+ ')
|
||||
+
|
||||
# for fingerprint readers
|
||||
dev_rw_input_dev($1)
|
||||
dev_rw_generic_usb_dev($1)
|
||||
@@ -126,6 +141,8 @@ interface(`auth_login_pgm_domain',`
|
||||
files_read_etc_files($1)
|
||||
|
||||
fs_list_auto_mountpoints($1)
|
||||
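Review bot: When `authlogin_radius` is on, `corenet_udp_bind_all_unreserved_ports($1)` lets every domain built with `auth_login_pgm_domain` — not only a radius client — bind any unreserved UDP port, and the hunk gives no hint why a login program needs to bind at all. If the driver is pam_radius picking an ephemeral source port, say so inside the tunable block: `# pam_radius_auth binds an ephemeral UDP source port for its request`. It would also be worth confirming that send/recv to the radius port is granted elsewhere, since bind alone does not complete the exchange; that is outside this hunk.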
@ -38539,7 +38705,7 @@ index bea0ade..a1069bf 100644
|
||||
|
||||
selinux_get_fs_mount($1)
|
||||
selinux_validate_context($1)
|
||||
@@ -141,6 +154,7 @@ interface(`auth_login_pgm_domain',`
|
||||
@@ -141,6 +158,7 @@ interface(`auth_login_pgm_domain',`
|
||||
mls_process_set_level($1)
|
||||
mls_fd_share_all_levels($1)
|
||||
|
||||
@ -38547,7 +38713,7 @@ index bea0ade..a1069bf 100644
|
||||
auth_use_pam($1)
|
||||
|
||||
init_rw_utmp($1)
|
||||
@@ -151,8 +165,39 @@ interface(`auth_login_pgm_domain',`
|
||||
@@ -151,8 +169,39 @@ interface(`auth_login_pgm_domain',`
|
||||
seutil_read_config($1)
|
||||
seutil_read_default_contexts($1)
|
||||
|
||||
@ -38589,7 +38755,7 @@ index bea0ade..a1069bf 100644
|
||||
')
|
||||
')
|
||||
|
||||
@@ -365,13 +410,15 @@ interface(`auth_domtrans_chk_passwd',`
|
||||
@@ -365,13 +414,15 @@ interface(`auth_domtrans_chk_passwd',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -38606,7 +38772,7 @@ index bea0ade..a1069bf 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -418,6 +465,7 @@ interface(`auth_run_chk_passwd',`
|
||||
@@ -418,6 +469,7 @@ interface(`auth_run_chk_passwd',`
|
||||
|
||||
auth_domtrans_chk_passwd($1)
|
||||
role $2 types chkpwd_t;
|
||||
@ -38614,7 +38780,7 @@ index bea0ade..a1069bf 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -694,7 +742,7 @@ interface(`auth_relabel_shadow',`
|
||||
@@ -694,7 +746,7 @@ interface(`auth_relabel_shadow',`
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
@ -38623,7 +38789,7 @@ index bea0ade..a1069bf 100644
|
||||
typeattribute $1 can_relabelto_shadow_passwords;
|
||||
')
|
||||
|
||||
@@ -736,6 +784,25 @@ interface(`auth_rw_faillog',`
|
||||
@@ -736,6 +788,25 @@ interface(`auth_rw_faillog',`
|
||||
allow $1 faillog_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
@ -38649,7 +38815,7 @@ index bea0ade..a1069bf 100644
|
||||
#######################################
|
||||
## <summary>
|
||||
## Read the last logins log.
|
||||
@@ -874,6 +941,26 @@ interface(`auth_exec_pam',`
|
||||
@@ -874,6 +945,26 @@ interface(`auth_exec_pam',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -38676,7 +38842,7 @@ index bea0ade..a1069bf 100644
|
||||
## Manage var auth files. Used by various other applications
|
||||
## and pam applets etc.
|
||||
## </summary>
|
||||
@@ -896,6 +983,26 @@ interface(`auth_manage_var_auth',`
|
||||
@@ -896,6 +987,26 @@ interface(`auth_manage_var_auth',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -38703,7 +38869,7 @@ index bea0ade..a1069bf 100644
|
||||
## Read PAM PID files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1500,6 +1607,8 @@ interface(`auth_manage_login_records',`
|
||||
@@ -1500,6 +1611,8 @@ interface(`auth_manage_login_records',`
|
||||
#
|
||||
interface(`auth_use_nsswitch',`
|
||||
|
||||
@ -38712,7 +38878,7 @@ index bea0ade..a1069bf 100644
|
||||
files_list_var_lib($1)
|
||||
|
||||
# read /etc/nsswitch.conf
|
||||
@@ -1531,7 +1640,15 @@ interface(`auth_use_nsswitch',`
|
||||
@@ -1531,7 +1644,15 @@ interface(`auth_use_nsswitch',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -38730,10 +38896,20 @@ index bea0ade..a1069bf 100644
|
||||
|
||||
optional_policy(`
|
||||
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
|
||||
index 54d122b..ee0fe55 100644
|
||||
index 54d122b..87ad058 100644
|
||||
--- a/policy/modules/system/authlogin.te
|
||||
+++ b/policy/modules/system/authlogin.te
|
||||
@@ -8,6 +8,7 @@ policy_module(authlogin, 2.2.0)
|
||||
@@ -5,9 +5,17 @@ policy_module(authlogin, 2.2.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Allow users to login using a radius server
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+gen_tunable(authlogin_radius, false)
|
||||
+
|
||||
attribute can_read_shadow_passwords;
|
||||
attribute can_write_shadow_passwords;
|
||||
attribute can_relabelto_shadow_passwords;
|
||||
@ -38741,7 +38917,7 @@ index 54d122b..ee0fe55 100644
|
||||
|
||||
type auth_cache_t;
|
||||
logging_log_file(auth_cache_t)
|
||||
@@ -83,7 +84,7 @@ logging_log_file(wtmp_t)
|
||||
@@ -83,7 +91,7 @@ logging_log_file(wtmp_t)
|
||||
|
||||
allow chkpwd_t self:capability { dac_override setuid };
|
||||
dontaudit chkpwd_t self:capability sys_tty_config;
|
||||
@ -38750,7 +38926,7 @@ index 54d122b..ee0fe55 100644
|
||||
|
||||
allow chkpwd_t shadow_t:file read_file_perms;
|
||||
files_list_etc(chkpwd_t)
|
||||
@@ -394,3 +395,11 @@ optional_policy(`
|
||||
@@ -394,3 +402,11 @@ optional_policy(`
|
||||
xserver_use_xdm_fds(utempter_t)
|
||||
xserver_rw_xdm_pipes(utempter_t)
|
||||
')
|
||||
@ -40686,7 +40862,7 @@ index 57c645b..7682697 100644
|
||||
dev_read_framebuffer(kdump_t)
|
||||
dev_read_sysfs(kdump_t)
|
||||
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
|
||||
index 9df8c4d..b93f65a 100644
|
||||
index 9df8c4d..7a942fc 100644
|
||||
--- a/policy/modules/system/libraries.fc
|
||||
+++ b/policy/modules/system/libraries.fc
|
||||
@@ -44,6 +44,7 @@ ifdef(`distro_redhat',`
|
||||
@ -40697,7 +40873,15 @@ index 9df8c4d..b93f65a 100644
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
/lib32 -l gen_context(system_u:object_r:lib_t,s0)
|
||||
@@ -129,15 +130,13 @@ ifdef(`distro_redhat',`
|
||||
@@ -90,6 +91,7 @@ ifdef(`distro_gentoo',`
|
||||
')
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
+/opt/Adobe.*/libcurl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/opt/Adobe(/.*?)/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/opt/Adobe/Reader.?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0)
|
||||
@@ -129,15 +131,13 @@ ifdef(`distro_redhat',`
|
||||
/usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
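Review bot: The new pattern `/opt/Adobe.*/libcurl\.so` is unanchored after `Adobe`: `.*` also matches `/`, so it covers any path under /opt whose first component merely starts with `Adobe`, at any depth, and hands each such libcurl.so the textrel_shlib_t label that exempts a library from the text-relocation (execmod) restriction. The neighboring entry uses the tighter `/opt/Adobe(/.*?)/nppdf\.so` form; use the same shape here, `/opt/Adobe(/.*?)/libcurl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)`, so an unrelated directory such as AdobeSomethingElse does not receive the relaxed label.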
@ -40716,7 +40900,7 @@ index 9df8c4d..b93f65a 100644
|
||||
/usr/lib(64)?/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@@ -151,6 +150,7 @@ ifdef(`distro_redhat',`
|
||||
@@ -151,6 +151,7 @@ ifdef(`distro_redhat',`
|
||||
/usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -40724,7 +40908,7 @@ index 9df8c4d..b93f65a 100644
|
||||
/usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@@ -208,6 +208,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
|
||||
@@ -208,6 +209,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
|
||||
|
||||
/usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -40732,7 +40916,7 @@ index 9df8c4d..b93f65a 100644
|
||||
/usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@@ -247,6 +248,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
|
||||
@@ -247,6 +249,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
|
||||
/usr/lib(64)?/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -40740,7 +40924,7 @@ index 9df8c4d..b93f65a 100644
|
||||
/usr/lib(64)?/ocaml/stublibs/dllnums\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
|
||||
@@ -302,13 +304,8 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
|
||||
@@ -302,13 +305,8 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
|
||||
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -40756,7 +40940,7 @@ index 9df8c4d..b93f65a 100644
') dnl end distro_redhat
#
@@ -319,14 +316,150 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
@@ -319,14 +317,150 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
@ -43978,7 +44162,7 @@ index 0291685..44fe366 100644
/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
+/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 025348a..5b277ea 100644
index 025348a..65971f9 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -34,6 +34,7 @@ interface(`udev_domtrans',`
@ -43999,6 +44183,43 @@ index 025348a..5b277ea 100644
')
########################################
@@ -231,3 +231,36 @@ interface(`udev_manage_pid_files',`
files_search_var_lib($1)
manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
')
+
+########################################
+## <summary>
+## Create a domain for processes
+## which can be started by udev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+#
+interface(`udev_system_domain',`
+ gen_require(`
+ type udev_t;
+ role system_r;
+ ')
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+ role system_r types $1;
+
+ domtrans_pattern(udev_t, $2, $1)
+
+ dontaudit $1 udev_t:unix_dgram_socket { read write };
+')
+
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index a054cf5..f24ab6b 100644
--- a/policy/modules/system/udev.te
@ -44123,10 +44344,10 @@ index ce2fbb9..8b34dbc 100644
-/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-')
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 416e668..c6e8ffe 100644
index 416e668..20a28e7 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -12,14 +12,13 @@
@@ -12,27 +12,33 @@
#
interface(`unconfined_domain_noaudit',`
gen_require(`
@ -44134,15 +44355,20 @@ index 416e668..c6e8ffe 100644
class dbus all_dbus_perms;
class nscd all_nscd_perms;
class passwd all_passwd_perms;
+ bool secure_mode_insmod;
')
# Use any Linux capability.
- allow $1 self:capability *;
+ allow $1 self:capability all_capabilities;
+ allow $1 self:capability ~sys_module;
allow $1 self:fifo_file manage_fifo_file_perms;
+ if (!secure_mode_insmod) {
+ allow $1 self:capability sys_module;
+ }
+
# Transition to myself, to make get_ordered_context_list happy.
@@ -27,12 +26,14 @@ interface(`unconfined_domain_noaudit',`
allow $1 self:process transition;
# Write access is for setting attributes under /proc/self/attr.
allow $1 self:file rw_file_perms;
@ -44161,7 +44387,7 @@ index 416e668..c6e8ffe 100644
kernel_unconfined($1)
corenet_unconfined($1)
@@ -44,6 +45,12 @@ interface(`unconfined_domain_noaudit',`
@@ -44,6 +50,12 @@ interface(`unconfined_domain_noaudit',`
fs_unconfined($1)
selinux_unconfined($1)
@ -44174,7 +44400,7 @@ index 416e668..c6e8ffe 100644
tunable_policy(`allow_execheap',`
# Allow making the stack executable via mprotect.
allow $1 self:process execheap;
@@ -69,6 +76,7 @@ interface(`unconfined_domain_noaudit',`
@@ -69,6 +81,7 @@ interface(`unconfined_domain_noaudit',`
optional_policy(`
# Communicate via dbusd.
dbus_system_bus_unconfined($1)
@ -44182,7 +44408,7 @@ index 416e668..c6e8ffe 100644
')
optional_policy(`
@@ -122,6 +130,10 @@ interface(`unconfined_domain_noaudit',`
@@ -122,6 +135,10 @@ interface(`unconfined_domain_noaudit',`
## </param>
#
interface(`unconfined_domain',`
@ -44193,7 +44419,7 @@ index 416e668..c6e8ffe 100644
unconfined_domain_noaudit($1)
tunable_policy(`allow_execheap',`
@@ -178,412 +190,3 @@ interface(`unconfined_alias_domain',`
@@ -178,412 +195,3 @@ interface(`unconfined_alias_domain',`
interface(`unconfined_execmem_alias_program',`
refpolicywarn(`$0($1) has been deprecated.')
')
@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.7
Release: 7%{?dist}
Release: 8%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -470,6 +470,12 @@ exit 0
%endif
%changelog
* Mon Nov 1 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-8
- Allow NetworkManager to read openvpn_etc_t
- Dontaudit hplip to write of /usr dirs
- Allow system_mail_t to create /root/dead.letter as mail_home_t
- Add vdagent policy for spice agent daemon
* Thu Oct 28 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-7
- Dontaudit sandbox sending sigkill to all user domains
- Add policy for rssh_chroot_helper