- Until we figure out how to fix systemd issues, allow all apps that send syslog messag
- Add init_access_check() interface - Fix labeling of /usr/bin/pingus so it is not labeled ping_exec_t - Allow tcpdump to create a netlink_socket - Label newusers like useradd - Change xdm log files to be labeled xdm_log_t - Allow sshd_t with privsep to work in MLS - Allow freshclam to update databases through an HTTP proxy - Allow s-m-config to perform an access check on systemd - Allow abrt to read public files by default - Fix amavis_create_pid_files() interface - Add labeling and filename transition for dbomatic.log - Allow system_dbusd_t to stream connect to bluetooth, and use its socket - Allow amavisd to execute fsav - Allow tuned to use sys_admin and sys_nice capabilities - Add php-fpm policy from Bryan - Add labeling for aeolus-configserver-thinwrapper - Allow thin domains to execute a shell - Fix gnome_role_gkeyringd() interface description - Lots of interface fixes - Allow an OpenMPI job running as condor_startd_ssh_t to manage condor lib files - Allow an OpenMPI job to use Kerberos - Make deltacloudd_t an nsswitch_domain
parent
770036a507
commit
98ec5a124e
@ -58436,6 +58436,20 @@ index f477c7f..d80599b 100644
|
||||
+ (( h1 dom h2 ) or ( t1 == mcsnetwrite ));
|
||||
+
|
||||
') dnl end enable_mcs
|
||||
diff --git a/policy/mls b/policy/mls
|
||||
index d218387..c406594 100644
|
||||
--- a/policy/mls
|
||||
+++ b/policy/mls
|
||||
@@ -195,7 +195,8 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
|
||||
(( l1 eq l2 ) or
|
||||
(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
|
||||
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
|
||||
- ( t1 == mlsnetwrite ));
|
||||
+ ( t1 == mlsnetwrite ) or
|
||||
+ ( t2 == mlstrustedobject ));
|
||||
|
||||
# used by netlabel to restrict normal domains to same level connections
|
||||
mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
|
||||
diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
|
||||
index 7a6f06f..48fc840 100644
|
||||
--- a/policy/modules/admin/bootloader.fc
|
||||
@ -58906,10 +58920,18 @@ index c6ca761..46e0767 100644
|
||||
')
|
||||
|
||||
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
|
||||
index e0791b9..9f49d01 100644
|
||||
index e0791b9..98d188e 100644
|
||||
--- a/policy/modules/admin/netutils.te
|
||||
+++ b/policy/modules/admin/netutils.te
|
||||
@@ -48,6 +48,8 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
|
||||
@@ -41,6 +41,7 @@ allow netutils_t self:packet_socket create_socket_perms;
|
||||
allow netutils_t self:udp_socket create_socket_perms;
|
||||
allow netutils_t self:tcp_socket create_stream_socket_perms;
|
||||
allow netutils_t self:socket create_socket_perms;
|
||||
+allow netutils_t self:netlink_socket create_socket_perms;
|
||||
|
||||
manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
|
||||
manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
|
||||
@@ -48,6 +49,8 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
|
||||
|
||||
kernel_search_proc(netutils_t)
|
||||
kernel_read_all_sysctls(netutils_t)
|
||||
@ -58918,7 +58940,7 @@ index e0791b9..9f49d01 100644
|
||||
|
||||
corenet_all_recvfrom_unlabeled(netutils_t)
|
||||
corenet_all_recvfrom_netlabel(netutils_t)
|
||||
@@ -64,6 +66,9 @@ corenet_sendrecv_all_client_packets(netutils_t)
|
||||
@@ -64,6 +67,9 @@ corenet_sendrecv_all_client_packets(netutils_t)
|
||||
corenet_udp_bind_generic_node(netutils_t)
|
||||
|
||||
dev_read_sysfs(netutils_t)
|
||||
@ -58928,7 +58950,7 @@ index e0791b9..9f49d01 100644
|
||||
|
||||
fs_getattr_xattr_fs(netutils_t)
|
||||
|
||||
@@ -83,7 +88,7 @@ logging_send_syslog_msg(netutils_t)
|
||||
@@ -83,7 +89,7 @@ logging_send_syslog_msg(netutils_t)
|
||||
miscfiles_read_localization(netutils_t)
|
||||
|
||||
term_dontaudit_use_console(netutils_t)
|
||||
@ -58937,7 +58959,7 @@ index e0791b9..9f49d01 100644
|
||||
userdom_use_all_users_fds(netutils_t)
|
||||
|
||||
optional_policy(`
|
||||
@@ -104,6 +109,8 @@ optional_policy(`
|
||||
@@ -104,6 +110,8 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow ping_t self:capability { setuid net_raw };
|
||||
@ -58946,7 +58968,7 @@ index e0791b9..9f49d01 100644
|
||||
dontaudit ping_t self:capability sys_tty_config;
|
||||
allow ping_t self:tcp_socket create_socket_perms;
|
||||
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
|
||||
@@ -134,8 +141,6 @@ logging_send_syslog_msg(ping_t)
|
||||
@@ -134,8 +142,6 @@ logging_send_syslog_msg(ping_t)
|
||||
|
||||
miscfiles_read_localization(ping_t)
|
||||
|
||||
@ -58955,7 +58977,7 @@ index e0791b9..9f49d01 100644
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
init_dontaudit_use_fds(ping_t)
|
||||
|
||||
@@ -145,11 +150,25 @@ ifdef(`hide_broken_symptoms',`
|
||||
@@ -145,11 +151,25 @@ ifdef(`hide_broken_symptoms',`
|
||||
')
|
||||
')
|
||||
|
||||
@ -58981,7 +59003,7 @@ index e0791b9..9f49d01 100644
|
||||
pcmcia_use_cardmgr_fds(ping_t)
|
||||
')
|
||||
|
||||
@@ -157,6 +176,10 @@ optional_policy(`
|
||||
@@ -157,6 +177,10 @@ optional_policy(`
|
||||
hotplug_use_fds(ping_t)
|
||||
')
|
||||
|
||||
@ -58992,7 +59014,7 @@ index e0791b9..9f49d01 100644
|
||||
########################################
|
||||
#
|
||||
# Traceroute local policy
|
||||
@@ -194,6 +217,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
|
||||
@@ -194,6 +218,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
|
||||
domain_use_interactive_fds(traceroute_t)
|
||||
|
||||
files_read_etc_files(traceroute_t)
|
||||
@ -59000,7 +59022,7 @@ index e0791b9..9f49d01 100644
|
||||
files_dontaudit_search_var(traceroute_t)
|
||||
|
||||
init_use_fds(traceroute_t)
|
||||
@@ -204,9 +228,16 @@ logging_send_syslog_msg(traceroute_t)
|
||||
@@ -204,9 +229,16 @@ logging_send_syslog_msg(traceroute_t)
|
||||
|
||||
miscfiles_read_localization(traceroute_t)
|
||||
|
||||
@ -59359,6 +59381,18 @@ index 1bd7d84..4f57935 100644
|
||||
+optional_policy(`
|
||||
+ fprintd_dbus_chat(sudodomain)
|
||||
+')
|
||||
diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
|
||||
index f82f0ce..204bdc8 100644
|
||||
--- a/policy/modules/admin/usermanage.fc
|
||||
+++ b/policy/modules/admin/usermanage.fc
|
||||
@@ -20,6 +20,7 @@ ifdef(`distro_gentoo',`
|
||||
/usr/sbin/groupmod -- gen_context(system_u:object_r:groupadd_exec_t,s0)
|
||||
/usr/sbin/grpconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
|
||||
/usr/sbin/grpunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
|
||||
+/usr/sbin/newusers -- gen_context(system_u:object_r:useradd_exec_t,s0)
|
||||
/usr/sbin/pwconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
|
||||
/usr/sbin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
|
||||
/usr/sbin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0)
|
||||
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
|
||||
index 98b8b2d..da75471 100644
|
||||
--- a/policy/modules/admin/usermanage.if
|
||||
@ -60162,7 +60196,7 @@ index 7590165..59539e8 100644
|
||||
+ fs_mounton_fusefs(seunshare_domain)
|
||||
+')
|
||||
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
|
||||
index db981df..b77f19f 100644
|
||||
index db981df..b0ff71c 100644
|
||||
--- a/policy/modules/kernel/corecommands.fc
|
||||
+++ b/policy/modules/kernel/corecommands.fc
|
||||
@@ -1,9 +1,10 @@
|
||||
@ -60240,7 +60274,7 @@ index db981df..b77f19f 100644
|
||||
|
||||
/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
@@ -174,53 +183,76 @@ ifdef(`distro_gentoo',`
|
||||
@@ -174,53 +183,77 @@ ifdef(`distro_gentoo',`
|
||||
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
||||
')
|
||||
|
||||
@ -60262,6 +60296,7 @@ index db981df..b77f19f 100644
|
||||
+/usr/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
+/usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
+/usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
|
||||
+/usr/bin/pingus -- gen_context(system_u:object_r:bin_t,s0)
|
||||
+/usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/usr/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
+/usr/bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
@ -60334,7 +60369,7 @@ index db981df..b77f19f 100644
|
||||
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -235,10 +267,15 @@ ifdef(`distro_gentoo',`
|
||||
@@ -235,10 +268,15 @@ ifdef(`distro_gentoo',`
|
||||
/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@ -60350,7 +60385,7 @@ index db981df..b77f19f 100644
|
||||
/usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -251,11 +288,18 @@ ifdef(`distro_gentoo',`
|
||||
@@ -251,11 +289,18 @@ ifdef(`distro_gentoo',`
|
||||
|
||||
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
@ -60370,7 +60405,7 @@ index db981df..b77f19f 100644
|
||||
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
@@ -271,6 +315,10 @@ ifdef(`distro_gentoo',`
|
||||
@@ -271,6 +316,10 @@ ifdef(`distro_gentoo',`
|
||||
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@ -60381,7 +60416,7 @@ index db981df..b77f19f 100644
|
||||
/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -290,15 +338,19 @@ ifdef(`distro_gentoo',`
|
||||
@@ -290,15 +339,19 @@ ifdef(`distro_gentoo',`
|
||||
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@ -60402,7 +60437,7 @@ index db981df..b77f19f 100644
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -314,8 +366,12 @@ ifdef(`distro_redhat', `
|
||||
@@ -314,8 +367,12 @@ ifdef(`distro_redhat', `
|
||||
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
@ -60415,7 +60450,7 @@ index db981df..b77f19f 100644
|
||||
/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -325,9 +381,11 @@ ifdef(`distro_redhat', `
|
||||
@@ -325,9 +382,11 @@ ifdef(`distro_redhat', `
|
||||
/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
@ -60427,7 +60462,7 @@ index db981df..b77f19f 100644
|
||||
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -376,11 +434,14 @@ ifdef(`distro_suse', `
|
||||
@@ -376,11 +435,14 @@ ifdef(`distro_suse', `
|
||||
#
|
||||
# /var
|
||||
#
|
||||
@ -60443,7 +60478,7 @@ index db981df..b77f19f 100644
|
||||
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -390,3 +451,12 @@ ifdef(`distro_suse', `
|
||||
@@ -390,3 +452,12 @@ ifdef(`distro_suse', `
|
||||
ifdef(`distro_suse',`
|
||||
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
|
||||
')
|
||||
@ -72824,10 +72859,10 @@ index fe0c682..93ec53f 100644
|
||||
+ userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
|
||||
+')
|
||||
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
|
||||
index b17e27a..d193a52 100644
|
||||
index b17e27a..9dbbafe 100644
|
||||
--- a/policy/modules/services/ssh.te
|
||||
+++ b/policy/modules/services/ssh.te
|
||||
@@ -6,26 +6,37 @@ policy_module(ssh, 2.3.0)
|
||||
@@ -6,44 +6,51 @@ policy_module(ssh, 2.3.0)
|
||||
#
|
||||
|
||||
## <desc>
|
||||
@ -72872,13 +72907,14 @@ index b17e27a..d193a52 100644
|
||||
|
||||
type sshd_exec_t;
|
||||
corecmd_executable_file(sshd_exec_t)
|
||||
@@ -33,17 +44,12 @@ corecmd_executable_file(sshd_exec_t)
|
||||
|
||||
ssh_server_template(sshd)
|
||||
init_daemon_domain(sshd_t, sshd_exec_t)
|
||||
|
||||
+mls_trusted_object(sshd_t)
|
||||
+
|
||||
+type sshd_initrc_exec_t;
|
||||
+init_script_file(sshd_initrc_exec_t)
|
||||
+
|
||||
|
||||
type sshd_key_t;
|
||||
files_type(sshd_key_t)
|
||||
|
||||
@ -72893,7 +72929,7 @@ index b17e27a..d193a52 100644
|
||||
type ssh_t;
|
||||
type ssh_exec_t;
|
||||
typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t };
|
||||
@@ -73,6 +79,11 @@ type ssh_home_t;
|
||||
@@ -73,6 +80,11 @@ type ssh_home_t;
|
||||
typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
|
||||
typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
|
||||
userdom_user_home_content(ssh_home_t)
|
||||
@ -72905,7 +72941,7 @@ index b17e27a..d193a52 100644
|
||||
|
||||
##############################
|
||||
#
|
||||
@@ -83,6 +94,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
|
||||
@@ -83,6 +95,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
|
||||
allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow ssh_t self:fd use;
|
||||
allow ssh_t self:fifo_file rw_fifo_file_perms;
|
||||
@ -72913,7 +72949,7 @@ index b17e27a..d193a52 100644
|
||||
allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow ssh_t self:shm create_shm_perms;
|
||||
@@ -90,15 +102,11 @@ allow ssh_t self:sem create_sem_perms;
|
||||
@@ -90,15 +103,11 @@ allow ssh_t self:sem create_sem_perms;
|
||||
allow ssh_t self:msgq create_msgq_perms;
|
||||
allow ssh_t self:msg { send receive };
|
||||
allow ssh_t self:tcp_socket create_stream_socket_perms;
|
||||
@ -72930,7 +72966,7 @@ index b17e27a..d193a52 100644
|
||||
manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
|
||||
manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
|
||||
manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
|
||||
@@ -108,20 +116,26 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
|
||||
@@ -108,20 +117,26 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
|
||||
manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
|
||||
manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
|
||||
userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
|
||||
@ -72960,7 +72996,7 @@ index b17e27a..d193a52 100644
|
||||
|
||||
kernel_read_kernel_sysctls(ssh_t)
|
||||
kernel_read_system_state(ssh_t)
|
||||
@@ -133,7 +147,11 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
|
||||
@@ -133,7 +148,11 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
|
||||
corenet_tcp_sendrecv_all_ports(ssh_t)
|
||||
corenet_tcp_connect_ssh_port(ssh_t)
|
||||
corenet_sendrecv_ssh_client_packets(ssh_t)
|
||||
@ -72972,7 +73008,7 @@ index b17e27a..d193a52 100644
|
||||
dev_read_urand(ssh_t)
|
||||
|
||||
fs_getattr_all_fs(ssh_t)
|
||||
@@ -157,37 +175,36 @@ logging_read_generic_logs(ssh_t)
|
||||
@@ -157,37 +176,36 @@ logging_read_generic_logs(ssh_t)
|
||||
auth_use_nsswitch(ssh_t)
|
||||
|
||||
miscfiles_read_localization(ssh_t)
|
||||
@ -73027,7 +73063,7 @@ index b17e27a..d193a52 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -195,28 +212,24 @@ optional_policy(`
|
||||
@@ -195,28 +213,24 @@ optional_policy(`
|
||||
xserver_domtrans_xauth(ssh_t)
|
||||
')
|
||||
|
||||
@ -73060,7 +73096,7 @@ index b17e27a..d193a52 100644
|
||||
#################################
|
||||
#
|
||||
# sshd local policy
|
||||
@@ -227,33 +240,46 @@ optional_policy(`
|
||||
@@ -227,33 +241,46 @@ optional_policy(`
|
||||
# so a tunnel can point to another ssh tunnel
|
||||
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow sshd_t self:key { search link write };
|
||||
@ -73116,7 +73152,7 @@ index b17e27a..d193a52 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -261,11 +287,24 @@ optional_policy(`
|
||||
@@ -261,11 +288,24 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -73142,7 +73178,7 @@ index b17e27a..d193a52 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -283,6 +322,15 @@ optional_policy(`
|
||||
@@ -283,6 +323,15 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -73158,7 +73194,7 @@ index b17e27a..d193a52 100644
|
||||
unconfined_shell_domtrans(sshd_t)
|
||||
')
|
||||
|
||||
@@ -290,6 +338,29 @@ optional_policy(`
|
||||
@@ -290,6 +339,29 @@ optional_policy(`
|
||||
xserver_domtrans_xauth(sshd_t)
|
||||
')
|
||||
|
||||
@ -73188,7 +73224,7 @@ index b17e27a..d193a52 100644
|
||||
########################################
|
||||
#
|
||||
# ssh_keygen local policy
|
||||
@@ -298,19 +369,26 @@ optional_policy(`
|
||||
@@ -298,19 +370,26 @@ optional_policy(`
|
||||
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
|
||||
# and by sysadm_t
|
||||
|
||||
@ -73216,7 +73252,7 @@ index b17e27a..d193a52 100644
|
||||
dev_read_urand(ssh_keygen_t)
|
||||
|
||||
term_dontaudit_use_console(ssh_keygen_t)
|
||||
@@ -327,9 +405,11 @@ auth_use_nsswitch(ssh_keygen_t)
|
||||
@@ -327,9 +406,11 @@ auth_use_nsswitch(ssh_keygen_t)
|
||||
logging_send_syslog_msg(ssh_keygen_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
|
||||
@ -73230,7 +73266,7 @@ index b17e27a..d193a52 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -339,3 +419,83 @@ optional_policy(`
|
||||
@@ -339,3 +420,83 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
udev_read_db(ssh_keygen_t)
|
||||
')
|
||||
@ -73315,7 +73351,7 @@ index b17e27a..d193a52 100644
|
||||
+ ssh_rw_dgram_sockets(chroot_user_t)
|
||||
+')
|
||||
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
|
||||
index fc86b7c..f393f76 100644
|
||||
index fc86b7c..3347d48 100644
|
||||
--- a/policy/modules/services/xserver.fc
|
||||
+++ b/policy/modules/services/xserver.fc
|
||||
@@ -2,13 +2,35 @@
|
||||
@ -73421,11 +73457,12 @@ index fc86b7c..f393f76 100644
|
||||
-/var/log/[kwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
|
||||
-/var/log/lxdm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
|
||||
-/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
|
||||
+/var/log/[mkwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
|
||||
-/var/log/slim\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
|
||||
+/var/log/[mkwx]dm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
|
||||
+/var/log/lightdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
|
||||
+/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
|
||||
+/var/log/[mg]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
|
||||
/var/log/slim\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
|
||||
+/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
|
||||
+/var/log/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0)
|
||||
+/var/log/slim\.log -- gen_context(system_u:object_r:xdm_log_t,s0)
|
||||
/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
|
||||
/var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
|
||||
+/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
|
||||
@ -77506,7 +77543,7 @@ index d2e40b8..3ba2e4c 100644
|
||||
')
|
||||
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
|
||||
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
|
||||
index d26fe81..3ff8fef 100644
|
||||
index d26fe81..3f3a57f 100644
|
||||
--- a/policy/modules/system/init.if
|
||||
+++ b/policy/modules/system/init.if
|
||||
@@ -79,6 +79,44 @@ interface(`init_script_domain',`
|
||||
@ -77748,7 +77785,7 @@ index d26fe81..3ff8fef 100644
|
||||
#
|
||||
interface(`init_exec',`
|
||||
gen_require(`
|
||||
@@ -451,6 +522,29 @@ interface(`init_exec',`
|
||||
@@ -451,6 +522,48 @@ interface(`init_exec',`
|
||||
|
||||
corecmd_search_bin($1)
|
||||
can_exec($1, init_exec_t)
|
||||
@ -77760,6 +77797,25 @@ index d26fe81..3ff8fef 100644
|
||||
+
|
||||
+#######################################
|
||||
+## <summary>
|
||||
+## Check access to the init/systemd executable.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`init_access_check',`
|
||||
+ gen_require(`
|
||||
+ type init_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ corecmd_search_bin($1)
|
||||
+ allow $1 init_exec_t:file { getattr_file_perms execute };
|
||||
+')
|
||||
+
|
||||
+#######################################
|
||||
+## <summary>
|
||||
+## Dontaudit getattr on the init program.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
@ -77778,7 +77834,7 @@ index d26fe81..3ff8fef 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -539,6 +633,24 @@ interface(`init_sigchld',`
|
||||
@@ -539,6 +652,24 @@ interface(`init_sigchld',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -77803,7 +77859,7 @@ index d26fe81..3ff8fef 100644
|
||||
## Connect to init with a unix socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -549,10 +661,66 @@ interface(`init_sigchld',`
|
||||
@@ -549,10 +680,66 @@ interface(`init_sigchld',`
|
||||
#
|
||||
interface(`init_stream_connect',`
|
||||
gen_require(`
|
||||
@ -77872,7 +77928,7 @@ index d26fe81..3ff8fef 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -718,19 +886,25 @@ interface(`init_telinit',`
|
||||
@@ -718,19 +905,25 @@ interface(`init_telinit',`
|
||||
type initctl_t;
|
||||
')
|
||||
|
||||
@ -77899,7 +77955,7 @@ index d26fe81..3ff8fef 100644
|
||||
')
|
||||
')
|
||||
|
||||
@@ -760,7 +934,7 @@ interface(`init_rw_initctl',`
|
||||
@@ -760,7 +953,7 @@ interface(`init_rw_initctl',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -77908,7 +77964,7 @@ index d26fe81..3ff8fef 100644
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@@ -803,11 +977,12 @@ interface(`init_script_file_entry_type',`
|
||||
@@ -803,11 +996,12 @@ interface(`init_script_file_entry_type',`
|
||||
#
|
||||
interface(`init_spec_domtrans_script',`
|
||||
gen_require(`
|
||||
@ -77923,7 +77979,7 @@ index d26fe81..3ff8fef 100644
|
||||
|
||||
ifdef(`distro_gentoo',`
|
||||
gen_require(`
|
||||
@@ -818,11 +993,11 @@ interface(`init_spec_domtrans_script',`
|
||||
@@ -818,11 +1012,11 @@ interface(`init_spec_domtrans_script',`
|
||||
')
|
||||
|
||||
ifdef(`enable_mcs',`
|
||||
@ -77937,7 +77993,7 @@ index d26fe81..3ff8fef 100644
|
||||
')
|
||||
')
|
||||
|
||||
@@ -838,19 +1013,41 @@ interface(`init_spec_domtrans_script',`
|
||||
@@ -838,19 +1032,41 @@ interface(`init_spec_domtrans_script',`
|
||||
#
|
||||
interface(`init_domtrans_script',`
|
||||
gen_require(`
|
||||
@ -77983,7 +78039,7 @@ index d26fe81..3ff8fef 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -906,9 +1103,14 @@ interface(`init_script_file_domtrans',`
|
||||
@@ -906,9 +1122,14 @@ interface(`init_script_file_domtrans',`
|
||||
interface(`init_labeled_script_domtrans',`
|
||||
gen_require(`
|
||||
type initrc_t;
|
||||
@ -77998,7 +78054,7 @@ index d26fe81..3ff8fef 100644
|
||||
files_search_etc($1)
|
||||
')
|
||||
|
||||
@@ -999,7 +1201,9 @@ interface(`init_ptrace',`
|
||||
@@ -999,7 +1220,9 @@ interface(`init_ptrace',`
|
||||
type init_t;
|
||||
')
|
||||
|
||||
@ -78009,7 +78065,7 @@ index d26fe81..3ff8fef 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1117,6 +1321,24 @@ interface(`init_read_all_script_files',`
|
||||
@@ -1117,6 +1340,24 @@ interface(`init_read_all_script_files',`
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
@ -78034,7 +78090,7 @@ index d26fe81..3ff8fef 100644
|
||||
## Dontaudit read all init script files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1168,12 +1390,7 @@ interface(`init_read_script_state',`
|
||||
@@ -1168,12 +1409,7 @@ interface(`init_read_script_state',`
|
||||
')
|
||||
|
||||
kernel_search_proc($1)
|
||||
@ -78048,7 +78104,7 @@ index d26fe81..3ff8fef 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1413,6 +1630,27 @@ interface(`init_dbus_send_script',`
|
||||
@@ -1413,6 +1649,27 @@ interface(`init_dbus_send_script',`
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive messages from
|
||||
@ -78076,7 +78132,7 @@ index d26fe81..3ff8fef 100644
|
||||
## init scripts over dbus.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1499,6 +1737,25 @@ interface(`init_getattr_script_status_files',`
|
||||
@@ -1499,6 +1756,25 @@ interface(`init_getattr_script_status_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -78102,7 +78158,7 @@ index d26fe81..3ff8fef 100644
|
||||
## Do not audit attempts to read init script
|
||||
## status files.
|
||||
## </summary>
|
||||
@@ -1557,6 +1814,24 @@ interface(`init_rw_script_tmp_files',`
|
||||
@@ -1557,6 +1833,24 @@ interface(`init_rw_script_tmp_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -78127,7 +78183,7 @@ index d26fe81..3ff8fef 100644
|
||||
## Create files in a init script
|
||||
## temporary data directory.
|
||||
## </summary>
|
||||
@@ -1629,6 +1904,43 @@ interface(`init_read_utmp',`
|
||||
@@ -1629,6 +1923,43 @@ interface(`init_read_utmp',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -78171,7 +78227,7 @@ index d26fe81..3ff8fef 100644
|
||||
## Do not audit attempts to write utmp.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1717,7 +2029,7 @@ interface(`init_dontaudit_rw_utmp',`
|
||||
@@ -1717,7 +2048,7 @@ interface(`init_dontaudit_rw_utmp',`
|
||||
type initrc_var_run_t;
|
||||
')
|
||||
|
||||
@ -78180,7 +78236,7 @@ index d26fe81..3ff8fef 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1758,6 +2070,128 @@ interface(`init_pid_filetrans_utmp',`
|
||||
@@ -1758,6 +2089,128 @@ interface(`init_pid_filetrans_utmp',`
|
||||
files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
|
||||
')
|
||||
|
||||
@ -78309,7 +78365,7 @@ index d26fe81..3ff8fef 100644
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to connect to daemon with a tcp socket
|
||||
@@ -1792,3 +2226,284 @@ interface(`init_udp_recvfrom_all_daemons',`
|
||||
@@ -1792,3 +2245,284 @@ interface(`init_udp_recvfrom_all_daemons',`
|
||||
')
|
||||
corenet_udp_recvfrom_labeled($1, daemon)
|
||||
')
|
||||
@ -81014,7 +81070,7 @@ index 02f4c97..54c74fe 100644
|
||||
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||
+
|
||||
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
|
||||
index 321bb13..4d8e1a9 100644
|
||||
index 321bb13..e9c2da9 100644
|
||||
--- a/policy/modules/system/logging.if
|
||||
+++ b/policy/modules/system/logging.if
|
||||
@@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
|
||||
@ -81099,10 +81155,17 @@ index 321bb13..4d8e1a9 100644
|
||||
########################################
|
||||
## <summary>
|
||||
## Send system log messages.
|
||||
@@ -550,6 +607,45 @@ interface(`logging_send_syslog_msg',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@@ -546,6 +603,48 @@ interface(`logging_send_syslog_msg',`
|
||||
# will write to the console.
|
||||
term_write_console($1)
|
||||
term_dontaudit_read_console($1)
|
||||
+ ifdef(`hide_broken_symptoms',`
|
||||
+ kernel_dgram_send($1)
|
||||
+ ')
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Connect to the syslog control unix stream socket.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
@ -81138,14 +81201,10 @@ index 321bb13..4d8e1a9 100644
|
||||
+
|
||||
+ files_search_pids($1)
|
||||
+ stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Read the auditd configuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -739,7 +835,25 @@ interface(`logging_append_all_logs',`
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -739,7 +838,25 @@ interface(`logging_append_all_logs',`
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
@ -81172,7 +81231,7 @@ index 321bb13..4d8e1a9 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -822,7 +936,7 @@ interface(`logging_manage_all_logs',`
|
||||
@@ -822,7 +939,7 @@ interface(`logging_manage_all_logs',`
|
||||
|
||||
files_search_var($1)
|
||||
manage_files_pattern($1, logfile, logfile)
|
||||
@ -81181,7 +81240,7 @@ index 321bb13..4d8e1a9 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -848,6 +962,44 @@ interface(`logging_read_generic_logs',`
|
||||
@@ -848,6 +965,44 @@ interface(`logging_read_generic_logs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -81226,7 +81285,7 @@ index 321bb13..4d8e1a9 100644
|
||||
## Write generic log files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -947,11 +1099,16 @@ interface(`logging_admin_audit',`
|
||||
@@ -947,11 +1102,16 @@ interface(`logging_admin_audit',`
|
||||
type auditd_t, auditd_etc_t, auditd_log_t;
|
||||
type auditd_var_run_t;
|
||||
type auditd_initrc_exec_t;
|
||||
@ -81244,7 +81303,7 @@ index 321bb13..4d8e1a9 100644
|
||||
manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
|
||||
manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
|
||||
|
||||
@@ -967,6 +1124,33 @@ interface(`logging_admin_audit',`
|
||||
@@ -967,6 +1127,33 @@ interface(`logging_admin_audit',`
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 auditd_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
@ -81278,7 +81337,7 @@ index 321bb13..4d8e1a9 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -995,10 +1179,15 @@ interface(`logging_admin_syslog',`
|
||||
@@ -995,10 +1182,15 @@ interface(`logging_admin_syslog',`
|
||||
type syslogd_initrc_exec_t;
|
||||
')
|
||||
|
||||
@ -81296,7 +81355,7 @@ index 321bb13..4d8e1a9 100644
|
||||
|
||||
manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
|
||||
manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
|
||||
@@ -1020,6 +1209,8 @@ interface(`logging_admin_syslog',`
|
||||
@@ -1020,6 +1212,8 @@ interface(`logging_admin_syslog',`
|
||||
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
|
||||
|
||||
logging_manage_all_logs($1)
|
||||
@ -81305,7 +81364,7 @@ index 321bb13..4d8e1a9 100644
|
||||
|
||||
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
@@ -1048,3 +1239,25 @@ interface(`logging_admin',`
|
||||
@@ -1048,3 +1242,25 @@ interface(`logging_admin',`
|
||||
logging_admin_audit($1, $2)
|
||||
logging_admin_syslog($1, $2)
|
||||
')
|
||||
|
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.11.0
|
||||
Release: 8%{?dist}
|
||||
Release: 9%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -491,6 +491,37 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Jul 11 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-9
|
||||
- Until we figure out how to fix systemd issues, allow all apps that send syslog messages to send them to kernel_t
|
||||
- Add init_access_check() interface
|
||||
- Fix label on /usr/bin/pingus to not be labeled as ping_exec_t
|
||||
- Allow tcpdump to create a netlink_socket
|
||||
- Label newusers like useradd
|
||||
- Change xdm log files to be labeled xdm_log_t
|
||||
- Allow sshd_t with privsep to work in MLS
|
||||
- Allow freshclam to update databases thru HTTP proxy
|
||||
- Allow s-m-config to access check on systemd
|
||||
- Allow abrt to read public files by default
|
||||
- Fix amavis_create_pid_files() interface
|
||||
- Add labeling and filename transition for dbomatic.log
|
||||
- Allow system_dbusd_t to stream connect to bluetooth, and use its socket
|
||||
- Allow amavisd to execute fsav
|
||||
- Allow tuned to use sys_admin and sys_nice capabilities
|
||||
- Add php-fpm policy from Bryan
|
||||
- Add labeling for aeolus-configserver-thinwrapper
|
||||
- Allow thin domains to execute shell
|
||||
- Fix gnome_role_gkeyringd() interface description
|
||||
- Lot of interface fixes
|
||||
- Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files
|
||||
- Allow OpenMPI job to use kerberos
|
||||
- Make deltacloudd_t as nsswitch_domain
|
||||
- Allow xend_t to run lsscsi
|
||||
- Allow qemu-dm running as xend_t to create tun_socket
|
||||
- Add labeling for /opt/brother/Printers(.*/)?inf
|
||||
- Allow jockey-backend to read pyconfig-64.h labeled as usr_t
|
||||
- Fix clamscan_can_scan_system boolean
|
||||
- Allow lpr to connectto to /run/user/$USER/keyring-22uREb/pkcs11
|
||||
|
||||
* Tue Jul 3 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-8
|
||||
- initrc is calling exportfs which is not confined so it attempts to read nfsd_files
|
||||
- Fixes for passenger running within openshift.
|
||||
|