-
This commit is contained in:
parent
9754f472c7
commit
9896599663
223
policy-F14.patch
223
policy-F14.patch
@ -34897,14 +34897,16 @@ index 32a3c13..7baeb6f 100644
|
||||
|
||||
optional_policy(`
|
||||
diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
|
||||
index 2124b6a..be4b00f 100644
|
||||
index 2124b6a..6546d6e 100644
|
||||
--- a/policy/modules/services/virt.fc
|
||||
+++ b/policy/modules/services/virt.fc
|
||||
@@ -1,3 +1,4 @@
|
||||
+HOME_DIR/.libvirt(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
|
||||
HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
|
||||
@@ -1,4 +1,5 @@
|
||||
-HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
|
||||
+HOME_DIR/.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
|
||||
+HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
|
||||
HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
|
||||
HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
|
||||
|
||||
@@ -13,17 +14,19 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
|
||||
/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
|
||||
|
||||
@ -35196,10 +35198,10 @@ index 7c5d8d8..dbdc0e0 100644
|
||||
+ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
|
||||
+')
|
||||
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
|
||||
index 3eca020..62e349a 100644
|
||||
index 3eca020..500f8e9 100644
|
||||
--- a/policy/modules/services/virt.te
|
||||
+++ b/policy/modules/services/virt.te
|
||||
@@ -5,57 +5,66 @@ policy_module(virt, 1.4.0)
|
||||
@@ -5,80 +5,97 @@ policy_module(virt, 1.4.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
@ -35287,7 +35289,12 @@ index 3eca020..62e349a 100644
|
||||
type virt_etc_t;
|
||||
files_config_file(virt_etc_t)
|
||||
|
||||
@@ -65,20 +74,25 @@ files_type(virt_etc_rw_t)
|
||||
type virt_etc_rw_t;
|
||||
files_type(virt_etc_rw_t)
|
||||
|
||||
+type virt_home_t;
|
||||
+userdom_user_home_content(virt_home_t)
|
||||
+
|
||||
# virt Image files
|
||||
type virt_image_t; # customizable
|
||||
virt_image(virt_image_t)
|
||||
@ -35314,7 +35321,7 @@ index 3eca020..62e349a 100644
|
||||
|
||||
type virtd_t;
|
||||
type virtd_exec_t;
|
||||
@@ -89,6 +103,11 @@ domain_subj_id_change_exemption(virtd_t)
|
||||
@@ -89,6 +106,11 @@ domain_subj_id_change_exemption(virtd_t)
|
||||
type virtd_initrc_exec_t;
|
||||
init_script_file(virtd_initrc_exec_t)
|
||||
|
||||
@ -35326,7 +35333,7 @@ index 3eca020..62e349a 100644
|
||||
ifdef(`enable_mcs',`
|
||||
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
|
||||
')
|
||||
@@ -104,15 +123,12 @@ ifdef(`enable_mls',`
|
||||
@@ -104,15 +126,12 @@ ifdef(`enable_mls',`
|
||||
|
||||
allow svirt_t self:udp_socket create_socket_perms;
|
||||
|
||||
@ -35343,7 +35350,15 @@ index 3eca020..62e349a 100644
|
||||
fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
|
||||
|
||||
list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
|
||||
@@ -147,11 +163,15 @@ tunable_policy(`virt_use_fusefs',`
|
||||
@@ -133,6 +152,7 @@ dev_list_sysfs(svirt_t)
|
||||
userdom_search_user_home_content(svirt_t)
|
||||
userdom_read_user_home_content_symlinks(svirt_t)
|
||||
userdom_read_all_users_state(svirt_t)
|
||||
+append_files_pattern(svirt_t, virt_home_t, virt_home_t)
|
||||
|
||||
tunable_policy(`virt_use_comm',`
|
||||
term_use_unallocated_ttys(svirt_t)
|
||||
@@ -147,11 +167,15 @@ tunable_policy(`virt_use_fusefs',`
|
||||
tunable_policy(`virt_use_nfs',`
|
||||
fs_manage_nfs_dirs(svirt_t)
|
||||
fs_manage_nfs_files(svirt_t)
|
||||
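Review bot: `append_files_pattern(svirt_t, virt_home_t, virt_home_t)` gives the confined guest domain append access to every file labeled virt_home_t, which after this commit's .fc change covers all of ~/.libvirt and ~/.virtinst rather than only whatever log the guest is meant to write. If that tree also holds per-user libvirt or virt-install configuration (its layout is not visible from here), an escaped guest process could append to those files, which is a persistence path rather than a logging one. Consider a dedicated type for the subtree the guest must write, or at least a comment above the rule naming the file that needs append, e.g. `# svirt_t appends to <file> under ~/.libvirt; keep this off config files`. The svirt_t rule block starts outside this hunk.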
@ -35359,7 +35374,7 @@ index 3eca020..62e349a 100644
|
||||
')
|
||||
|
||||
tunable_policy(`virt_use_sysfs',`
|
||||
@@ -160,11 +180,22 @@ tunable_policy(`virt_use_sysfs',`
|
||||
@@ -160,11 +184,22 @@ tunable_policy(`virt_use_sysfs',`
|
||||
|
||||
tunable_policy(`virt_use_usb',`
|
||||
dev_rw_usbfs(svirt_t)
|
||||
@ -35382,7 +35397,7 @@ index 3eca020..62e349a 100644
|
||||
xen_rw_image_files(svirt_t)
|
||||
')
|
||||
|
||||
@@ -174,22 +205,28 @@ optional_policy(`
|
||||
@@ -174,22 +209,28 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
|
||||
@ -35415,7 +35430,7 @@ index 3eca020..62e349a 100644
|
||||
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
||||
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
||||
|
||||
@@ -200,8 +237,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
|
||||
@@ -200,8 +241,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
|
||||
|
||||
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
|
||||
manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
|
||||
@ -35432,7 +35447,7 @@ index 3eca020..62e349a 100644
|
||||
|
||||
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
|
||||
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
|
||||
@@ -220,6 +263,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
|
||||
@@ -220,6 +267,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
|
||||
kernel_read_system_state(virtd_t)
|
||||
kernel_read_network_state(virtd_t)
|
||||
kernel_rw_net_sysctls(virtd_t)
|
||||
@ -35440,7 +35455,7 @@ index 3eca020..62e349a 100644
|
||||
kernel_request_load_module(virtd_t)
|
||||
kernel_search_debugfs(virtd_t)
|
||||
|
||||
@@ -243,18 +287,27 @@ dev_read_rand(virtd_t)
|
||||
@@ -243,18 +291,27 @@ dev_read_rand(virtd_t)
|
||||
dev_rw_kvm(virtd_t)
|
||||
dev_getattr_all_chr_files(virtd_t)
|
||||
dev_rw_mtrr(virtd_t)
|
||||
@ -35469,7 +35484,7 @@ index 3eca020..62e349a 100644
|
||||
|
||||
fs_list_auto_mountpoints(virtd_t)
|
||||
fs_getattr_xattr_fs(virtd_t)
|
||||
@@ -262,6 +315,18 @@ fs_rw_anon_inodefs_files(virtd_t)
|
||||
@@ -262,6 +319,18 @@ fs_rw_anon_inodefs_files(virtd_t)
|
||||
fs_list_inotifyfs(virtd_t)
|
||||
fs_manage_cgroup_dirs(virtd_t)
|
||||
fs_rw_cgroup_files(virtd_t)
|
||||
@ -35488,14 +35503,14 @@ index 3eca020..62e349a 100644
|
||||
|
||||
mcs_process_set_categories(virtd_t)
|
||||
|
||||
@@ -285,16 +350,26 @@ modutils_read_module_config(virtd_t)
|
||||
@@ -285,16 +354,30 @@ modutils_read_module_config(virtd_t)
|
||||
modutils_manage_module_config(virtd_t)
|
||||
|
||||
logging_send_syslog_msg(virtd_t)
|
||||
+logging_send_audit_msgs(virtd_t)
|
||||
|
||||
+selinux_validate_context(virtd_t)
|
||||
+
|
||||
+selinux_validate_context(virtd_t)
|
||||
|
||||
+seutil_read_config(virtd_t)
|
||||
seutil_read_default_contexts(virtd_t)
|
||||
+seutil_read_file_contexts(virtd_t)
|
||||
@ -35510,12 +35525,16 @@ index 3eca020..62e349a 100644
|
||||
userdom_read_user_home_content_files(virtd_t)
|
||||
+userdom_relabel_user_home_files(virtd_t)
|
||||
+userdom_setattr_user_home_content_files(virtd_t)
|
||||
+manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t)
|
||||
+manage_files_pattern(virtd_t, virt_home_t, virt_home_t)
|
||||
+manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t)
|
||||
+userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file })
|
||||
+
|
||||
+consoletype_exec(virtd_t)
|
||||
|
||||
tunable_policy(`virt_use_nfs',`
|
||||
fs_manage_nfs_dirs(virtd_t)
|
||||
@@ -365,6 +440,8 @@ optional_policy(`
|
||||
@@ -365,6 +448,8 @@ optional_policy(`
|
||||
qemu_signal(virtd_t)
|
||||
qemu_kill(virtd_t)
|
||||
qemu_setsched(virtd_t)
|
||||
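Review bot: `userdom_relabel_user_home_files(virtd_t)` and `userdom_setattr_user_home_content_files(virtd_t)` are much wider than the new virt_home_t type they appear to support: they let the root libvirtd relabel and setattr generic user-home files rather than only the ~/.libvirt tree, so a relabel mistake, or a symlink planted in ~/.libvirt that virtd_t can now follow via `manage_lnk_files_pattern`, has a larger blast radius than the home-directory transition needs. If the goal is only to migrate a pre-existing ~/.libvirt from the generic home type to virt_home_t, a narrower pair such as `relabel_dirs_pattern(virtd_t, virt_home_t, virt_home_t)` and `relabel_files_pattern(virtd_t, virt_home_t, virt_home_t)` plus relabelfrom on just the generic home type would cover it; whether the userdom interface covers only user_home_t or the whole home-content attribute is not visible in this hunk, so please check before narrowing. A one-line comment stating why virtd must relabel home content would help the next reader. The virtd_t rule block starts and ends outside this hunk.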
@ -35524,7 +35543,7 @@ index 3eca020..62e349a 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -396,12 +473,25 @@ optional_policy(`
|
||||
@@ -396,12 +481,25 @@ optional_policy(`
|
||||
|
||||
allow virt_domain self:capability { dac_read_search dac_override kill };
|
||||
allow virt_domain self:process { execmem execstack signal getsched signull };
|
||||
@ -35551,7 +35570,7 @@ index 3eca020..62e349a 100644
|
||||
append_files_pattern(virt_domain, virt_log_t, virt_log_t)
|
||||
|
||||
append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
|
||||
@@ -422,6 +512,7 @@ corenet_rw_tun_tap_dev(virt_domain)
|
||||
@@ -422,6 +520,7 @@ corenet_rw_tun_tap_dev(virt_domain)
|
||||
corenet_tcp_bind_virt_migration_port(virt_domain)
|
||||
corenet_tcp_connect_virt_migration_port(virt_domain)
|
||||
|
||||
@ -35559,7 +35578,7 @@ index 3eca020..62e349a 100644
|
||||
dev_read_rand(virt_domain)
|
||||
dev_read_sound(virt_domain)
|
||||
dev_read_urand(virt_domain)
|
||||
@@ -429,10 +520,12 @@ dev_write_sound(virt_domain)
|
||||
@@ -429,10 +528,12 @@ dev_write_sound(virt_domain)
|
||||
dev_rw_ksm(virt_domain)
|
||||
dev_rw_kvm(virt_domain)
|
||||
dev_rw_qemu(virt_domain)
|
||||
@ -35572,7 +35591,7 @@ index 3eca020..62e349a 100644
|
||||
files_read_usr_files(virt_domain)
|
||||
files_read_var_files(virt_domain)
|
||||
files_search_all(virt_domain)
|
||||
@@ -440,6 +533,11 @@ files_search_all(virt_domain)
|
||||
@@ -440,6 +541,11 @@ files_search_all(virt_domain)
|
||||
fs_getattr_tmpfs(virt_domain)
|
||||
fs_rw_anon_inodefs_files(virt_domain)
|
||||
fs_rw_tmpfs_files(virt_domain)
|
||||
@ -35584,7 +35603,7 @@ index 3eca020..62e349a 100644
|
||||
|
||||
term_use_all_terms(virt_domain)
|
||||
term_getattr_pty_fs(virt_domain)
|
||||
@@ -457,8 +555,117 @@ optional_policy(`
|
||||
@@ -457,8 +563,117 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -36110,7 +36129,7 @@ index 6f1e3c7..6a160b2 100644
|
||||
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
||||
+
|
||||
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
|
||||
index da2601a..0ad10f7 100644
|
||||
index da2601a..19018ae 100644
|
||||
--- a/policy/modules/services/xserver.if
|
||||
+++ b/policy/modules/services/xserver.if
|
||||
@@ -19,9 +19,10 @@
|
||||
@ -36584,7 +36603,7 @@ index da2601a..0ad10f7 100644
|
||||
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
|
||||
')
|
||||
|
||||
@@ -1038,6 +1141,24 @@ interface(`xserver_manage_xdm_tmp_files',`
|
||||
@@ -1038,6 +1141,42 @@ interface(`xserver_manage_xdm_tmp_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -36596,6 +36615,24 @@ index da2601a..0ad10f7 100644
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`xserver_relabel_xdm_tmp_dirs',`
|
||||
+ gen_require(`
|
||||
+ type xdm_tmp_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow initrc_t initrc_tmp_t:dir relabel_dir_perms;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Create, read, write, and delete xdm temporary dirs.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`xserver_manage_xdm_tmp_dirs',`
|
||||
+ gen_require(`
|
||||
+ type xdm_tmp_t;
|
||||
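Review bot: the body of the new `xserver_relabel_xdm_tmp_dirs` interface never uses its `$1` argument or the `xdm_tmp_t` it requires; its only rule is `allow initrc_t initrc_tmp_t:dir relabel_dir_perms;`, which grants initrc_t relabel on its own tmp type no matter which domain calls the interface, and it references two types that are not in the gen_require block, so a modular build may fail to link on them. It should read `allow $1 xdm_tmp_t:dir relabel_dir_perms;`. The interface's summary comment starts above this hunk and the following `xserver_manage_xdm_tmp_dirs` body continues past it.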
@ -36609,7 +36646,7 @@ index da2601a..0ad10f7 100644
|
||||
## Do not audit attempts to get the attributes of
|
||||
## xdm temporary named sockets.
|
||||
## </summary>
|
||||
@@ -1052,7 +1173,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
|
||||
@@ -1052,7 +1191,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
|
||||
type xdm_tmp_t;
|
||||
')
|
||||
|
||||
@ -36618,7 +36655,7 @@ index da2601a..0ad10f7 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1070,8 +1191,10 @@ interface(`xserver_domtrans',`
|
||||
@@ -1070,8 +1209,10 @@ interface(`xserver_domtrans',`
|
||||
type xserver_t, xserver_exec_t;
|
||||
')
|
||||
|
||||
@ -36630,7 +36667,7 @@ index da2601a..0ad10f7 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1185,6 +1308,7 @@ interface(`xserver_stream_connect',`
|
||||
@@ -1185,6 +1326,7 @@ interface(`xserver_stream_connect',`
|
||||
|
||||
files_search_tmp($1)
|
||||
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
||||
@ -36638,7 +36675,7 @@ index da2601a..0ad10f7 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1210,7 +1334,7 @@ interface(`xserver_read_tmp_files',`
|
||||
@@ -1210,7 +1352,7 @@ interface(`xserver_read_tmp_files',`
|
||||
## <summary>
|
||||
## Interface to provide X object permissions on a given X server to
|
||||
## an X client domain. Gives the domain permission to read the
|
||||
@ -36647,7 +36684,7 @@ index da2601a..0ad10f7 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1220,13 +1344,23 @@ interface(`xserver_read_tmp_files',`
|
||||
@@ -1220,13 +1362,23 @@ interface(`xserver_read_tmp_files',`
|
||||
#
|
||||
interface(`xserver_manage_core_devices',`
|
||||
gen_require(`
|
||||
@ -36672,7 +36709,7 @@ index da2601a..0ad10f7 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1243,10 +1377,355 @@ interface(`xserver_manage_core_devices',`
|
||||
@@ -1243,10 +1395,355 @@ interface(`xserver_manage_core_devices',`
|
||||
#
|
||||
interface(`xserver_unconfined',`
|
||||
gen_require(`
|
||||
@ -39676,7 +39713,7 @@ index df3fa64..73dc579 100644
|
||||
+ allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
|
||||
+')
|
||||
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
||||
index 8a105fd..fc65044 100644
|
||||
index 8a105fd..08817a8 100644
|
||||
--- a/policy/modules/system/init.te
|
||||
+++ b/policy/modules/system/init.te
|
||||
@@ -16,6 +16,27 @@ gen_require(`
|
||||
@ -39906,7 +39943,7 @@ index 8a105fd..fc65044 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -199,10 +321,23 @@ optional_policy(`
|
||||
@@ -199,10 +321,25 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -39923,14 +39960,16 @@ index 8a105fd..fc65044 100644
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ xserver_relabel_xdm_tmp_dirs(init_t)
|
||||
+ xserver_manage_xdm_tmp_dirs(init_t)
|
||||
+ xserver_setattr_xdm_tmp_dirs(initrc_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
unconfined_domain(init_t)
|
||||
')
|
||||
|
||||
@@ -212,7 +347,7 @@ optional_policy(`
|
||||
@@ -212,7 +349,7 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
|
||||
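Review bot: `xserver_setattr_xdm_tmp_dirs(initrc_t)` is called here but no interface of that name is added in the xserver.if part of this commit, which only adds the relabel and manage variants; unless it already exists elsewhere in the tree, the init module will not build. It is also an initrc_t rule placed inside an optional_policy block in the init_t section next to two init_t calls, so it belongs with the initrc_t optional_policy blocks further down the file. If the intent is for init to relabel X directories in /tmp, note that the new relabel interface as written in this commit grants nothing to init_t, so this call pair should be re-checked against that definition. The enclosing optional_policy sequence continues outside the hunk.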
@ -39939,7 +39978,7 @@ index 8a105fd..fc65044 100644
|
||||
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
|
||||
allow initrc_t self:passwd rootok;
|
||||
allow initrc_t self:key manage_key_perms;
|
||||
@@ -241,6 +376,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
||||
@@ -241,12 +378,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
||||
|
||||
allow initrc_t initrc_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
|
||||
@ -39947,7 +39986,14 @@ index 8a105fd..fc65044 100644
|
||||
|
||||
can_exec(initrc_t, initrc_tmp_t)
|
||||
manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
|
||||
@@ -258,11 +394,23 @@ kernel_change_ring_buffer_level(initrc_t)
|
||||
manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
|
||||
manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
|
||||
files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
|
||||
+allow initrc_t initrc_tmp_t:dir relabelfrom;
|
||||
|
||||
init_write_initctl(initrc_t)
|
||||
|
||||
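Review bot: `allow initrc_t initrc_tmp_t:dir relabelfrom;` on its own does not let initrc_t relabel anything, because a relabel also needs relabelto on the destination type and no destination appears in this hunk; if the target is the xdm tmp directory, the matching half is relabelto on xdm_tmp_t, granted through an xserver interface inside an optional_policy block rather than a raw allow. A short comment naming the directory being handed over would make the pairing obvious, e.g. `# initscripts create this dir in /tmp, then relabel it for xdm`; I am inferring the purpose from the neighbouring xdm changes, so please confirm.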
@@ -258,11 +397,23 @@ kernel_change_ring_buffer_level(initrc_t)
|
||||
kernel_clear_ring_buffer(initrc_t)
|
||||
kernel_get_sysvipc_info(initrc_t)
|
||||
kernel_read_all_sysctls(initrc_t)
|
||||
@ -39971,7 +40017,7 @@ index 8a105fd..fc65044 100644
|
||||
|
||||
corecmd_exec_all_executables(initrc_t)
|
||||
|
||||
@@ -291,6 +439,7 @@ dev_read_sound_mixer(initrc_t)
|
||||
@@ -291,6 +442,7 @@ dev_read_sound_mixer(initrc_t)
|
||||
dev_write_sound_mixer(initrc_t)
|
||||
dev_setattr_all_chr_files(initrc_t)
|
||||
dev_rw_lvm_control(initrc_t)
|
||||
@ -39979,7 +40025,7 @@ index 8a105fd..fc65044 100644
|
||||
dev_delete_lvm_control_dev(initrc_t)
|
||||
dev_manage_generic_symlinks(initrc_t)
|
||||
dev_manage_generic_files(initrc_t)
|
||||
@@ -298,13 +447,13 @@ dev_manage_generic_files(initrc_t)
|
||||
@@ -298,13 +450,13 @@ dev_manage_generic_files(initrc_t)
|
||||
dev_delete_generic_symlinks(initrc_t)
|
||||
dev_getattr_all_blk_files(initrc_t)
|
||||
dev_getattr_all_chr_files(initrc_t)
|
||||
@ -39995,7 +40041,7 @@ index 8a105fd..fc65044 100644
|
||||
domain_sigchld_all_domains(initrc_t)
|
||||
domain_read_all_domains_state(initrc_t)
|
||||
domain_getattr_all_domains(initrc_t)
|
||||
@@ -323,8 +472,10 @@ files_getattr_all_symlinks(initrc_t)
|
||||
@@ -323,8 +475,10 @@ files_getattr_all_symlinks(initrc_t)
|
||||
files_getattr_all_pipes(initrc_t)
|
||||
files_getattr_all_sockets(initrc_t)
|
||||
files_purge_tmp(initrc_t)
|
||||
@ -40007,7 +40053,7 @@ index 8a105fd..fc65044 100644
|
||||
files_delete_all_pids(initrc_t)
|
||||
files_delete_all_pid_dirs(initrc_t)
|
||||
files_read_etc_files(initrc_t)
|
||||
@@ -340,8 +491,12 @@ files_list_isid_type_dirs(initrc_t)
|
||||
@@ -340,8 +494,12 @@ files_list_isid_type_dirs(initrc_t)
|
||||
files_mounton_isid_type_dirs(initrc_t)
|
||||
files_list_default(initrc_t)
|
||||
files_mounton_default(initrc_t)
|
||||
@ -40021,7 +40067,7 @@ index 8a105fd..fc65044 100644
|
||||
fs_list_inotifyfs(initrc_t)
|
||||
fs_register_binary_executable_type(initrc_t)
|
||||
# rhgb-console writes to ramfs
|
||||
@@ -351,6 +506,8 @@ fs_mount_all_fs(initrc_t)
|
||||
@@ -351,6 +509,8 @@ fs_mount_all_fs(initrc_t)
|
||||
fs_unmount_all_fs(initrc_t)
|
||||
fs_remount_all_fs(initrc_t)
|
||||
fs_getattr_all_fs(initrc_t)
|
||||
@ -40030,7 +40076,7 @@ index 8a105fd..fc65044 100644
|
||||
|
||||
# initrc_t needs to do a pidof which requires ptrace
|
||||
mcs_ptrace_all(initrc_t)
|
||||
@@ -363,6 +520,7 @@ mls_process_read_up(initrc_t)
|
||||
@@ -363,6 +523,7 @@ mls_process_read_up(initrc_t)
|
||||
mls_process_write_down(initrc_t)
|
||||
mls_rangetrans_source(initrc_t)
|
||||
mls_fd_share_all_levels(initrc_t)
|
||||
@ -40038,7 +40084,7 @@ index 8a105fd..fc65044 100644
|
||||
|
||||
selinux_get_enforce_mode(initrc_t)
|
||||
|
||||
@@ -380,6 +538,7 @@ auth_read_pam_pid(initrc_t)
|
||||
@@ -380,6 +541,7 @@ auth_read_pam_pid(initrc_t)
|
||||
auth_delete_pam_pid(initrc_t)
|
||||
auth_delete_pam_console_data(initrc_t)
|
||||
auth_use_nsswitch(initrc_t)
|
||||
@ -40046,7 +40092,7 @@ index 8a105fd..fc65044 100644
|
||||
|
||||
libs_rw_ld_so_cache(initrc_t)
|
||||
libs_exec_lib_files(initrc_t)
|
||||
@@ -394,13 +553,14 @@ logging_read_audit_config(initrc_t)
|
||||
@@ -394,13 +556,14 @@ logging_read_audit_config(initrc_t)
|
||||
|
||||
miscfiles_read_localization(initrc_t)
|
||||
# slapd needs to read cert files from its initscript
|
||||
@ -40062,7 +40108,7 @@ index 8a105fd..fc65044 100644
|
||||
userdom_read_user_home_content_files(initrc_t)
|
||||
# Allow access to the sysadm TTYs. Note that this will give access to the
|
||||
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
|
||||
@@ -473,7 +633,7 @@ ifdef(`distro_redhat',`
|
||||
@@ -473,7 +636,7 @@ ifdef(`distro_redhat',`
|
||||
|
||||
# Red Hat systems seem to have a stray
|
||||
# fd open from the initrd
|
||||
@ -40071,7 +40117,7 @@ index 8a105fd..fc65044 100644
|
||||
files_dontaudit_read_root_files(initrc_t)
|
||||
|
||||
# These seem to be from the initrd
|
||||
@@ -519,6 +679,19 @@ ifdef(`distro_redhat',`
|
||||
@@ -519,6 +682,19 @@ ifdef(`distro_redhat',`
|
||||
optional_policy(`
|
||||
bind_manage_config_dirs(initrc_t)
|
||||
bind_write_config(initrc_t)
|
||||
@ -40091,7 +40137,7 @@ index 8a105fd..fc65044 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -526,10 +699,17 @@ ifdef(`distro_redhat',`
|
||||
@@ -526,10 +702,17 @@ ifdef(`distro_redhat',`
|
||||
rpc_write_exports(initrc_t)
|
||||
rpc_manage_nfs_state_data(initrc_t)
|
||||
')
|
||||
@ -40109,7 +40155,7 @@ index 8a105fd..fc65044 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -544,6 +724,35 @@ ifdef(`distro_suse',`
|
||||
@@ -544,6 +727,35 @@ ifdef(`distro_suse',`
|
||||
')
|
||||
')
|
||||
|
||||
@ -40145,7 +40191,7 @@ index 8a105fd..fc65044 100644
|
||||
optional_policy(`
|
||||
amavis_search_lib(initrc_t)
|
||||
amavis_setattr_pid_files(initrc_t)
|
||||
@@ -556,6 +765,8 @@ optional_policy(`
|
||||
@@ -556,6 +768,8 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
apache_read_config(initrc_t)
|
||||
apache_list_modules(initrc_t)
|
||||
@ -40154,7 +40200,7 @@ index 8a105fd..fc65044 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -572,6 +783,7 @@ optional_policy(`
|
||||
@@ -572,6 +786,7 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
cgroup_stream_connect_cgred(initrc_t)
|
||||
@ -40162,7 +40208,7 @@ index 8a105fd..fc65044 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -584,6 +796,11 @@ optional_policy(`
|
||||
@@ -584,6 +799,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -40174,7 +40220,7 @@ index 8a105fd..fc65044 100644
|
||||
dev_getattr_printer_dev(initrc_t)
|
||||
|
||||
cups_read_log(initrc_t)
|
||||
@@ -600,6 +817,9 @@ optional_policy(`
|
||||
@@ -600,9 +820,13 @@ optional_policy(`
|
||||
dbus_connect_system_bus(initrc_t)
|
||||
dbus_system_bus_client(initrc_t)
|
||||
dbus_read_config(initrc_t)
|
||||
@ -40184,7 +40230,11 @@ index 8a105fd..fc65044 100644
|
||||
|
||||
optional_policy(`
|
||||
consolekit_dbus_chat(initrc_t)
|
||||
@@ -701,7 +921,13 @@ optional_policy(`
|
||||
+ consolekit_manage_log(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -701,7 +925,13 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -40198,7 +40248,7 @@ index 8a105fd..fc65044 100644
|
||||
mta_dontaudit_read_spool_symlinks(initrc_t)
|
||||
')
|
||||
|
||||
@@ -724,6 +950,10 @@ optional_policy(`
|
||||
@@ -724,6 +954,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -40209,7 +40259,7 @@ index 8a105fd..fc65044 100644
|
||||
postgresql_manage_db(initrc_t)
|
||||
postgresql_read_config(initrc_t)
|
||||
')
|
||||
@@ -745,6 +975,10 @@ optional_policy(`
|
||||
@@ -745,6 +979,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -40220,7 +40270,7 @@ index 8a105fd..fc65044 100644
|
||||
fs_write_ramfs_sockets(initrc_t)
|
||||
fs_search_ramfs(initrc_t)
|
||||
|
||||
@@ -766,8 +1000,6 @@ optional_policy(`
|
||||
@@ -766,8 +1004,6 @@ optional_policy(`
|
||||
# bash tries ioctl for some reason
|
||||
files_dontaudit_ioctl_all_pids(initrc_t)
|
||||
|
||||
@ -40229,7 +40279,7 @@ index 8a105fd..fc65044 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -776,14 +1008,21 @@ optional_policy(`
|
||||
@@ -776,14 +1012,21 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -40251,7 +40301,7 @@ index 8a105fd..fc65044 100644
|
||||
|
||||
optional_policy(`
|
||||
ssh_dontaudit_read_server_keys(initrc_t)
|
||||
@@ -805,11 +1044,19 @@ optional_policy(`
|
||||
@@ -805,11 +1048,19 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -40272,7 +40322,7 @@ index 8a105fd..fc65044 100644
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
# system-config-services causes avc messages that should be dontaudited
|
||||
@@ -819,6 +1066,25 @@ optional_policy(`
|
||||
@@ -819,6 +1070,25 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
mono_domtrans(initrc_t)
|
||||
')
|
||||
@ -40298,7 +40348,7 @@ index 8a105fd..fc65044 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -844,3 +1110,59 @@ optional_policy(`
|
||||
@@ -844,3 +1114,59 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
zebra_read_config(initrc_t)
|
||||
')
|
||||
@ -44162,7 +44212,7 @@ index 0291685..44fe366 100644
|
||||
/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
|
||||
+/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
|
||||
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
|
||||
index 025348a..65971f9 100644
|
||||
index 025348a..cea695c 100644
|
||||
--- a/policy/modules/system/udev.if
|
||||
+++ b/policy/modules/system/udev.if
|
||||
@@ -34,6 +34,7 @@ interface(`udev_domtrans',`
|
||||
@ -44183,7 +44233,22 @@ index 025348a..65971f9 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -231,3 +231,36 @@ interface(`udev_manage_pid_files',`
|
||||
@@ -185,12 +185,14 @@ interface(`udev_dontaudit_search_db',`
|
||||
interface(`udev_read_db',`
|
||||
gen_require(`
|
||||
type udev_tbl_t;
|
||||
+ type device_t;
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 udev_tbl_t:dir list_dir_perms;
|
||||
read_files_pattern($1, udev_tbl_t, udev_tbl_t)
|
||||
read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
|
||||
+ allow $1 device_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -231,3 +233,36 @@ interface(`udev_manage_pid_files',`
|
||||
files_search_var_lib($1)
|
||||
manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
|
||||
')
|
||||
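Review bot: the line added to `udev_read_db`, `allow $1 device_t:file read_file_perms;`, reaches into the devices module's type directly, whereas refpolicy convention is to touch another module's types only through that module's interfaces (`dev_read_generic_files($1)` is the equivalent call), and it widens this interface for every caller from "read udev's database" to "read any generic device_t file". If the motivation is a udev database now living under /dev, labelling that path udev_tbl_t in udev.fc keeps the grant confined to the database; I am guessing at the motivation, since the commit message is empty. At minimum a comment on the line stating which file in /dev needs to be readable would explain the broader grant.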
@ -44221,7 +44286,7 @@ index 025348a..65971f9 100644
|
||||
+')
|
||||
+
|
||||
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
|
||||
index a054cf5..f24ab6b 100644
|
||||
index a054cf5..4fc2837 100644
|
||||
--- a/policy/modules/system/udev.te
|
||||
+++ b/policy/modules/system/udev.te
|
||||
@@ -52,6 +52,7 @@ allow udev_t self:unix_dgram_socket sendto;
|
||||
@ -44242,7 +44307,15 @@ index a054cf5..f24ab6b 100644
|
||||
|
||||
kernel_read_system_state(udev_t)
|
||||
kernel_request_load_module(udev_t)
|
||||
@@ -111,15 +113,20 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
|
||||
@@ -87,6 +89,7 @@ kernel_rw_unix_dgram_sockets(udev_t)
|
||||
kernel_dgram_send(udev_t)
|
||||
kernel_signal(udev_t)
|
||||
kernel_search_debugfs(udev_t)
|
||||
+kernel_stream_connect(udev_t)
|
||||
|
||||
#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
|
||||
kernel_rw_net_sysctls(udev_t)
|
||||
@@ -111,15 +114,20 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
|
||||
|
||||
files_read_usr_files(udev_t)
|
||||
files_read_etc_runtime_files(udev_t)
|
||||
@ -44264,7 +44337,15 @@ index a054cf5..f24ab6b 100644
|
||||
|
||||
mcs_ptrace_all(udev_t)
|
||||
|
||||
@@ -186,6 +193,7 @@ ifdef(`distro_redhat',`
|
||||
@@ -143,6 +151,7 @@ auth_use_nsswitch(udev_t)
|
||||
init_read_utmp(udev_t)
|
||||
init_dontaudit_write_utmp(udev_t)
|
||||
init_getattr_initctl(udev_t)
|
||||
+init_stream_connect(udev_t)
|
||||
|
||||
logging_search_logs(udev_t)
|
||||
logging_send_syslog_msg(udev_t)
|
||||
@@ -186,6 +195,7 @@ ifdef(`distro_redhat',`
|
||||
fs_manage_tmpfs_chr_files(udev_t)
|
||||
fs_relabel_tmpfs_blk_file(udev_t)
|
||||
fs_relabel_tmpfs_chr_file(udev_t)
|
||||
@ -44272,7 +44353,7 @@ index a054cf5..f24ab6b 100644
|
||||
|
||||
term_search_ptys(udev_t)
|
||||
|
||||
@@ -216,11 +224,16 @@ optional_policy(`
|
||||
@@ -216,11 +226,16 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -44289,7 +44370,7 @@ index a054cf5..f24ab6b 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -233,6 +246,10 @@ optional_policy(`
|
||||
@@ -233,6 +248,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -44300,7 +44381,7 @@ index a054cf5..f24ab6b 100644
|
||||
lvm_domtrans(udev_t)
|
||||
')
|
||||
|
||||
@@ -259,6 +276,10 @@ optional_policy(`
|
||||
@@ -259,6 +278,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -44311,7 +44392,7 @@ index a054cf5..f24ab6b 100644
|
||||
openct_read_pid_files(udev_t)
|
||||
openct_domtrans(udev_t)
|
||||
')
|
||||
@@ -273,6 +294,11 @@ optional_policy(`
|
||||
@@ -273,6 +296,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
@ -21,7 +21,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.9.7
|
||||
Release: 8%{?dist}
|
||||
Release: 9%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -470,6 +470,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Nov 2 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-9
|
||||
-
|
||||
|
||||
* Mon Nov 1 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-8
|
||||
- Allow NetworkManager to read openvpn_etc_t
|
||||
- Dontaudit hplip to write of /usr dirs
|
||||
|