- Fix gnome_read_generic_data_home_files()
- allow openshift_cgroup_t to read/write inherited openshift file types - Remove httpd_cobbler_content * from cobbler_admin interface - Allow svirt sandbox domains to setattr on chr_file and blk_file svirt_sandbox_file_t, so sshd - Allow httpd_t to also read git sys content symlinks - Allow init_t to read gnome home data - Dontaudit setroubleshoot_fixit_t execmem, since it does not seem to really need it. - Allow virsh to execute systemctl - Fix for nagios_services plugins - add type definition for ctdbd_var_t - Add support for /var/ctdb. Allow ctdb block_suspend and read /etc/passwd file - Allow net_admin/netlink_socket all hyperv_domain domains - Add labeling for zarafa-search.log and zarafa-search.pid - Fix hypervkvp.te - Fix nscd_shm_use() - Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hy - Add hypervkvp_unit_file_t type - Fix logging policy - Allow syslog to bind to tls ports - Update labeling for /dev/cdc-wdm - Allow su_domain to read init states - Allow init_t to read gnome home data - Make sure systemd_logind creates the nologin file with the correct label - Clean up ipsec.te
This commit is contained in:
parent
973ebb8068
commit
99c451355a
@ -1986,10 +1986,10 @@ index 03ec5ca..025c177 100644
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
|
diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
|
||||||
index 85bb77e..0df3b43 100644
|
index 85bb77e..5f38282 100644
|
||||||
--- a/policy/modules/admin/su.te
|
--- a/policy/modules/admin/su.te
|
||||||
+++ b/policy/modules/admin/su.te
|
+++ b/policy/modules/admin/su.te
|
||||||
@@ -9,3 +9,81 @@ attribute su_domain_type;
|
@@ -9,3 +9,82 @@ attribute su_domain_type;
|
||||||
|
|
||||||
type su_exec_t;
|
type su_exec_t;
|
||||||
corecmd_executable_file(su_exec_t)
|
corecmd_executable_file(su_exec_t)
|
||||||
@ -2026,6 +2026,7 @@ index 85bb77e..0df3b43 100644
|
|||||||
+init_dontaudit_use_fds(su_domain_type)
|
+init_dontaudit_use_fds(su_domain_type)
|
||||||
+# Write to utmp.
|
+# Write to utmp.
|
||||||
+init_rw_utmp(su_domain_type)
|
+init_rw_utmp(su_domain_type)
|
||||||
|
+init_read_state(su_domain_type)
|
||||||
+
|
+
|
||||||
+userdom_use_user_terminals(su_domain_type)
|
+userdom_use_user_terminals(su_domain_type)
|
||||||
+userdom_search_user_home_dirs(su_domain_type)
|
+userdom_search_user_home_dirs(su_domain_type)
|
||||||
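Review bot: The new `+init_read_state(su_domain_type)` line carries no rationale comment, while the neighbouring rule in the same block does (`# Write to utmp.`). Because the grant goes to the `su_domain_type` attribute, every su-derived domain gets read access to init's process state, so a short note on why it is needed would let a later reviewer judge whether the attribute-wide grant is still justified, e.g. `# Read init's process state; granted to every domain carrying su_domain_type.` The su_domain_type rule block continues outside this hunk.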
@ -5824,7 +5825,7 @@ index 3f6e168..51ad69a 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
|
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
|
||||||
index b31c054..17e11e0 100644
|
index b31c054..e4d61f5 100644
|
||||||
--- a/policy/modules/kernel/devices.fc
|
--- a/policy/modules/kernel/devices.fc
|
||||||
+++ b/policy/modules/kernel/devices.fc
|
+++ b/policy/modules/kernel/devices.fc
|
||||||
@@ -15,15 +15,18 @@
|
@@ -15,15 +15,18 @@
|
||||||
@ -5880,7 +5881,7 @@ index b31c054..17e11e0 100644
|
|||||||
/dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
|
/dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||||
/dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
/dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||||
/dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0)
|
/dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0)
|
||||||
+/dev/cdc-wdm[0-1] -c gen_context(system_u:object_r:modem_device_t,s0)
|
+/dev/cdc-wdm[0-9] -c gen_context(system_u:object_r:modem_device_t,s0)
|
||||||
/dev/winradio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
/dev/winradio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||||
/dev/z90crypt -c gen_context(system_u:object_r:crypt_device_t,s0)
|
/dev/z90crypt -c gen_context(system_u:object_r:crypt_device_t,s0)
|
||||||
/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
|
/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
|
||||||
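Review bot: The widened pattern `/dev/cdc-wdm[0-9]` still matches only a single trailing digit, so a host that exposes a tenth or later WDM control node (cdc-wdm10 and up, if such configurations occur) would not receive `modem_device_t` and would fall back to the generic device label. The neighbouring entries already rely on extended-regex repetition (`/dev/vtx.*`, `/dev/watchdog.*`), so the consistent form is `/dev/cdc-wdm[0-9]+ -c gen_context(system_u:object_r:modem_device_t,s0)`. Whether more than ten such devices ever appear in practice is not established by the page, so treat this as a robustness suggestion rather than a confirmed defect.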
@ -27861,7 +27862,7 @@ index 24e7804..76da5dd 100644
|
|||||||
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
|
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
||||||
index dd3be8d..c4fe08b 100644
|
index dd3be8d..4d15ea1 100644
|
||||||
--- a/policy/modules/system/init.te
|
--- a/policy/modules/system/init.te
|
||||||
+++ b/policy/modules/system/init.te
|
+++ b/policy/modules/system/init.te
|
||||||
@@ -11,10 +11,24 @@ gen_require(`
|
@@ -11,10 +11,24 @@ gen_require(`
|
||||||
@ -28096,7 +28097,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
|
|
||||||
ifdef(`distro_gentoo',`
|
ifdef(`distro_gentoo',`
|
||||||
allow init_t self:process { getcap setcap };
|
allow init_t self:process { getcap setcap };
|
||||||
@@ -186,29 +275,203 @@ ifdef(`distro_gentoo',`
|
@@ -186,29 +275,204 @@ ifdef(`distro_gentoo',`
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
@ -28134,6 +28135,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ gnome_filetrans_home_content(init_t)
|
+ gnome_filetrans_home_content(init_t)
|
||||||
|
+ gnome_manage_data(init_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
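Review bot: The commit message says "Allow init_t to read gnome home data", but the line added inside the `optional_policy(` block, `+ gnome_manage_data(init_t)`, grants manage access (create, write and delete as well as read) over GNOME home-directory data to the most privileged domain in the policy. The same commit fixes `gnome_read_generic_data_home_files()`, so if read access is all that the triggering denial needs, `gnome_read_generic_data_home_files(init_t)` (assuming its argument is the usual single domain) would be the least-privilege choice here. If the broader manage permission really is required, a one-line comment above the call stating which init_t operation writes to user GNOME data would keep the grant auditable.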
@ -28308,7 +28310,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -216,7 +479,30 @@ optional_policy(`
|
@@ -216,7 +480,30 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -28339,7 +28341,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -225,8 +511,9 @@ optional_policy(`
|
@@ -225,8 +512,9 @@ optional_policy(`
|
||||||
#
|
#
|
||||||
|
|
||||||
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
|
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
|
||||||
@ -28351,7 +28353,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
allow initrc_t self:passwd rootok;
|
allow initrc_t self:passwd rootok;
|
||||||
allow initrc_t self:key manage_key_perms;
|
allow initrc_t self:key manage_key_perms;
|
||||||
|
|
||||||
@@ -257,12 +544,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
@@ -257,12 +545,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
||||||
|
|
||||||
allow initrc_t initrc_var_run_t:file manage_file_perms;
|
allow initrc_t initrc_var_run_t:file manage_file_perms;
|
||||||
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
|
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
|
||||||
@ -28368,7 +28370,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
|
|
||||||
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
|
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
|
||||||
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
|
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
|
||||||
@@ -278,23 +569,36 @@ kernel_change_ring_buffer_level(initrc_t)
|
@@ -278,23 +570,36 @@ kernel_change_ring_buffer_level(initrc_t)
|
||||||
kernel_clear_ring_buffer(initrc_t)
|
kernel_clear_ring_buffer(initrc_t)
|
||||||
kernel_get_sysvipc_info(initrc_t)
|
kernel_get_sysvipc_info(initrc_t)
|
||||||
kernel_read_all_sysctls(initrc_t)
|
kernel_read_all_sysctls(initrc_t)
|
||||||
@ -28411,7 +28413,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
corenet_tcp_sendrecv_all_ports(initrc_t)
|
corenet_tcp_sendrecv_all_ports(initrc_t)
|
||||||
corenet_udp_sendrecv_all_ports(initrc_t)
|
corenet_udp_sendrecv_all_ports(initrc_t)
|
||||||
corenet_tcp_connect_all_ports(initrc_t)
|
corenet_tcp_connect_all_ports(initrc_t)
|
||||||
@@ -302,9 +606,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
|
@@ -302,9 +607,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
|
||||||
|
|
||||||
dev_read_rand(initrc_t)
|
dev_read_rand(initrc_t)
|
||||||
dev_read_urand(initrc_t)
|
dev_read_urand(initrc_t)
|
||||||
@ -28423,7 +28425,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
dev_rw_sysfs(initrc_t)
|
dev_rw_sysfs(initrc_t)
|
||||||
dev_list_usbfs(initrc_t)
|
dev_list_usbfs(initrc_t)
|
||||||
dev_read_framebuffer(initrc_t)
|
dev_read_framebuffer(initrc_t)
|
||||||
@@ -312,8 +618,10 @@ dev_write_framebuffer(initrc_t)
|
@@ -312,8 +619,10 @@ dev_write_framebuffer(initrc_t)
|
||||||
dev_read_realtime_clock(initrc_t)
|
dev_read_realtime_clock(initrc_t)
|
||||||
dev_read_sound_mixer(initrc_t)
|
dev_read_sound_mixer(initrc_t)
|
||||||
dev_write_sound_mixer(initrc_t)
|
dev_write_sound_mixer(initrc_t)
|
||||||
@ -28434,7 +28436,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
dev_delete_lvm_control_dev(initrc_t)
|
dev_delete_lvm_control_dev(initrc_t)
|
||||||
dev_manage_generic_symlinks(initrc_t)
|
dev_manage_generic_symlinks(initrc_t)
|
||||||
dev_manage_generic_files(initrc_t)
|
dev_manage_generic_files(initrc_t)
|
||||||
@@ -321,8 +629,7 @@ dev_manage_generic_files(initrc_t)
|
@@ -321,8 +630,7 @@ dev_manage_generic_files(initrc_t)
|
||||||
dev_delete_generic_symlinks(initrc_t)
|
dev_delete_generic_symlinks(initrc_t)
|
||||||
dev_getattr_all_blk_files(initrc_t)
|
dev_getattr_all_blk_files(initrc_t)
|
||||||
dev_getattr_all_chr_files(initrc_t)
|
dev_getattr_all_chr_files(initrc_t)
|
||||||
@ -28444,7 +28446,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
|
|
||||||
domain_kill_all_domains(initrc_t)
|
domain_kill_all_domains(initrc_t)
|
||||||
domain_signal_all_domains(initrc_t)
|
domain_signal_all_domains(initrc_t)
|
||||||
@@ -331,7 +638,6 @@ domain_sigstop_all_domains(initrc_t)
|
@@ -331,7 +639,6 @@ domain_sigstop_all_domains(initrc_t)
|
||||||
domain_sigchld_all_domains(initrc_t)
|
domain_sigchld_all_domains(initrc_t)
|
||||||
domain_read_all_domains_state(initrc_t)
|
domain_read_all_domains_state(initrc_t)
|
||||||
domain_getattr_all_domains(initrc_t)
|
domain_getattr_all_domains(initrc_t)
|
||||||
@ -28452,7 +28454,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
domain_getsession_all_domains(initrc_t)
|
domain_getsession_all_domains(initrc_t)
|
||||||
domain_use_interactive_fds(initrc_t)
|
domain_use_interactive_fds(initrc_t)
|
||||||
# for lsof which is used by alsa shutdown:
|
# for lsof which is used by alsa shutdown:
|
||||||
@@ -339,6 +645,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
|
@@ -339,6 +646,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
|
||||||
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
|
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
|
||||||
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
|
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
|
||||||
domain_dontaudit_getattr_all_pipes(initrc_t)
|
domain_dontaudit_getattr_all_pipes(initrc_t)
|
||||||
@ -28460,7 +28462,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
|
|
||||||
files_getattr_all_dirs(initrc_t)
|
files_getattr_all_dirs(initrc_t)
|
||||||
files_getattr_all_files(initrc_t)
|
files_getattr_all_files(initrc_t)
|
||||||
@@ -346,14 +653,15 @@ files_getattr_all_symlinks(initrc_t)
|
@@ -346,14 +654,15 @@ files_getattr_all_symlinks(initrc_t)
|
||||||
files_getattr_all_pipes(initrc_t)
|
files_getattr_all_pipes(initrc_t)
|
||||||
files_getattr_all_sockets(initrc_t)
|
files_getattr_all_sockets(initrc_t)
|
||||||
files_purge_tmp(initrc_t)
|
files_purge_tmp(initrc_t)
|
||||||
@ -28478,7 +28480,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
files_read_usr_files(initrc_t)
|
files_read_usr_files(initrc_t)
|
||||||
files_manage_urandom_seed(initrc_t)
|
files_manage_urandom_seed(initrc_t)
|
||||||
files_manage_generic_spool(initrc_t)
|
files_manage_generic_spool(initrc_t)
|
||||||
@@ -363,8 +671,12 @@ files_list_isid_type_dirs(initrc_t)
|
@@ -363,8 +672,12 @@ files_list_isid_type_dirs(initrc_t)
|
||||||
files_mounton_isid_type_dirs(initrc_t)
|
files_mounton_isid_type_dirs(initrc_t)
|
||||||
files_list_default(initrc_t)
|
files_list_default(initrc_t)
|
||||||
files_mounton_default(initrc_t)
|
files_mounton_default(initrc_t)
|
||||||
@ -28492,7 +28494,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
fs_list_inotifyfs(initrc_t)
|
fs_list_inotifyfs(initrc_t)
|
||||||
fs_register_binary_executable_type(initrc_t)
|
fs_register_binary_executable_type(initrc_t)
|
||||||
# rhgb-console writes to ramfs
|
# rhgb-console writes to ramfs
|
||||||
@@ -374,10 +686,11 @@ fs_mount_all_fs(initrc_t)
|
@@ -374,10 +687,11 @@ fs_mount_all_fs(initrc_t)
|
||||||
fs_unmount_all_fs(initrc_t)
|
fs_unmount_all_fs(initrc_t)
|
||||||
fs_remount_all_fs(initrc_t)
|
fs_remount_all_fs(initrc_t)
|
||||||
fs_getattr_all_fs(initrc_t)
|
fs_getattr_all_fs(initrc_t)
|
||||||
@ -28506,7 +28508,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
mcs_process_set_categories(initrc_t)
|
mcs_process_set_categories(initrc_t)
|
||||||
|
|
||||||
mls_file_read_all_levels(initrc_t)
|
mls_file_read_all_levels(initrc_t)
|
||||||
@@ -386,6 +699,7 @@ mls_process_read_up(initrc_t)
|
@@ -386,6 +700,7 @@ mls_process_read_up(initrc_t)
|
||||||
mls_process_write_down(initrc_t)
|
mls_process_write_down(initrc_t)
|
||||||
mls_rangetrans_source(initrc_t)
|
mls_rangetrans_source(initrc_t)
|
||||||
mls_fd_share_all_levels(initrc_t)
|
mls_fd_share_all_levels(initrc_t)
|
||||||
@ -28514,7 +28516,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
|
|
||||||
selinux_get_enforce_mode(initrc_t)
|
selinux_get_enforce_mode(initrc_t)
|
||||||
|
|
||||||
@@ -397,6 +711,7 @@ term_use_all_terms(initrc_t)
|
@@ -397,6 +712,7 @@ term_use_all_terms(initrc_t)
|
||||||
term_reset_tty_labels(initrc_t)
|
term_reset_tty_labels(initrc_t)
|
||||||
|
|
||||||
auth_rw_login_records(initrc_t)
|
auth_rw_login_records(initrc_t)
|
||||||
@ -28522,7 +28524,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
auth_setattr_login_records(initrc_t)
|
auth_setattr_login_records(initrc_t)
|
||||||
auth_rw_lastlog(initrc_t)
|
auth_rw_lastlog(initrc_t)
|
||||||
auth_read_pam_pid(initrc_t)
|
auth_read_pam_pid(initrc_t)
|
||||||
@@ -415,20 +730,18 @@ logging_read_all_logs(initrc_t)
|
@@ -415,20 +731,18 @@ logging_read_all_logs(initrc_t)
|
||||||
logging_append_all_logs(initrc_t)
|
logging_append_all_logs(initrc_t)
|
||||||
logging_read_audit_config(initrc_t)
|
logging_read_audit_config(initrc_t)
|
||||||
|
|
||||||
@ -28546,7 +28548,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
|
|
||||||
ifdef(`distro_debian',`
|
ifdef(`distro_debian',`
|
||||||
dev_setattr_generic_dirs(initrc_t)
|
dev_setattr_generic_dirs(initrc_t)
|
||||||
@@ -450,7 +763,6 @@ ifdef(`distro_gentoo',`
|
@@ -450,7 +764,6 @@ ifdef(`distro_gentoo',`
|
||||||
allow initrc_t self:process setfscreate;
|
allow initrc_t self:process setfscreate;
|
||||||
dev_create_null_dev(initrc_t)
|
dev_create_null_dev(initrc_t)
|
||||||
dev_create_zero_dev(initrc_t)
|
dev_create_zero_dev(initrc_t)
|
||||||
@ -28554,7 +28556,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
term_create_console_dev(initrc_t)
|
term_create_console_dev(initrc_t)
|
||||||
|
|
||||||
# unfortunately /sbin/rc does stupid tricks
|
# unfortunately /sbin/rc does stupid tricks
|
||||||
@@ -485,6 +797,10 @@ ifdef(`distro_gentoo',`
|
@@ -485,6 +798,10 @@ ifdef(`distro_gentoo',`
|
||||||
sysnet_setattr_config(initrc_t)
|
sysnet_setattr_config(initrc_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -28565,7 +28567,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
alsa_read_lib(initrc_t)
|
alsa_read_lib(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -505,7 +821,7 @@ ifdef(`distro_redhat',`
|
@@ -505,7 +822,7 @@ ifdef(`distro_redhat',`
|
||||||
|
|
||||||
# Red Hat systems seem to have a stray
|
# Red Hat systems seem to have a stray
|
||||||
# fd open from the initrd
|
# fd open from the initrd
|
||||||
@ -28574,7 +28576,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
files_dontaudit_read_root_files(initrc_t)
|
files_dontaudit_read_root_files(initrc_t)
|
||||||
|
|
||||||
# These seem to be from the initrd
|
# These seem to be from the initrd
|
||||||
@@ -520,6 +836,7 @@ ifdef(`distro_redhat',`
|
@@ -520,6 +837,7 @@ ifdef(`distro_redhat',`
|
||||||
files_create_boot_dirs(initrc_t)
|
files_create_boot_dirs(initrc_t)
|
||||||
files_create_boot_flag(initrc_t)
|
files_create_boot_flag(initrc_t)
|
||||||
files_rw_boot_symlinks(initrc_t)
|
files_rw_boot_symlinks(initrc_t)
|
||||||
@ -28582,7 +28584,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
# wants to read /.fonts directory
|
# wants to read /.fonts directory
|
||||||
files_read_default_files(initrc_t)
|
files_read_default_files(initrc_t)
|
||||||
files_mountpoint(initrc_tmp_t)
|
files_mountpoint(initrc_tmp_t)
|
||||||
@@ -540,6 +857,7 @@ ifdef(`distro_redhat',`
|
@@ -540,6 +858,7 @@ ifdef(`distro_redhat',`
|
||||||
miscfiles_rw_localization(initrc_t)
|
miscfiles_rw_localization(initrc_t)
|
||||||
miscfiles_setattr_localization(initrc_t)
|
miscfiles_setattr_localization(initrc_t)
|
||||||
miscfiles_relabel_localization(initrc_t)
|
miscfiles_relabel_localization(initrc_t)
|
||||||
@ -28590,7 +28592,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
|
|
||||||
miscfiles_read_fonts(initrc_t)
|
miscfiles_read_fonts(initrc_t)
|
||||||
miscfiles_read_hwdata(initrc_t)
|
miscfiles_read_hwdata(initrc_t)
|
||||||
@@ -549,8 +867,44 @@ ifdef(`distro_redhat',`
|
@@ -549,8 +868,44 @@ ifdef(`distro_redhat',`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -28635,7 +28637,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -558,14 +912,31 @@ ifdef(`distro_redhat',`
|
@@ -558,14 +913,31 @@ ifdef(`distro_redhat',`
|
||||||
rpc_write_exports(initrc_t)
|
rpc_write_exports(initrc_t)
|
||||||
rpc_manage_nfs_state_data(initrc_t)
|
rpc_manage_nfs_state_data(initrc_t)
|
||||||
')
|
')
|
||||||
@ -28667,7 +28669,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -576,6 +947,39 @@ ifdef(`distro_suse',`
|
@@ -576,6 +948,39 @@ ifdef(`distro_suse',`
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -28707,7 +28709,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
amavis_search_lib(initrc_t)
|
amavis_search_lib(initrc_t)
|
||||||
amavis_setattr_pid_files(initrc_t)
|
amavis_setattr_pid_files(initrc_t)
|
||||||
@@ -588,6 +992,8 @@ optional_policy(`
|
@@ -588,6 +993,8 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
apache_read_config(initrc_t)
|
apache_read_config(initrc_t)
|
||||||
apache_list_modules(initrc_t)
|
apache_list_modules(initrc_t)
|
||||||
@ -28716,7 +28718,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -609,6 +1015,7 @@ optional_policy(`
|
@@ -609,6 +1016,7 @@ optional_policy(`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
cgroup_stream_connect_cgred(initrc_t)
|
cgroup_stream_connect_cgred(initrc_t)
|
||||||
@ -28724,7 +28726,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -625,6 +1032,17 @@ optional_policy(`
|
@@ -625,6 +1033,17 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -28742,7 +28744,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
dev_getattr_printer_dev(initrc_t)
|
dev_getattr_printer_dev(initrc_t)
|
||||||
|
|
||||||
cups_read_log(initrc_t)
|
cups_read_log(initrc_t)
|
||||||
@@ -641,9 +1059,13 @@ optional_policy(`
|
@@ -641,9 +1060,13 @@ optional_policy(`
|
||||||
dbus_connect_system_bus(initrc_t)
|
dbus_connect_system_bus(initrc_t)
|
||||||
dbus_system_bus_client(initrc_t)
|
dbus_system_bus_client(initrc_t)
|
||||||
dbus_read_config(initrc_t)
|
dbus_read_config(initrc_t)
|
||||||
@ -28756,7 +28758,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -656,15 +1078,11 @@ optional_policy(`
|
@@ -656,15 +1079,11 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -28774,7 +28776,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -685,6 +1103,15 @@ optional_policy(`
|
@@ -685,6 +1104,15 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -28790,7 +28792,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
inn_exec_config(initrc_t)
|
inn_exec_config(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -725,6 +1152,7 @@ optional_policy(`
|
@@ -725,6 +1153,7 @@ optional_policy(`
|
||||||
lpd_list_spool(initrc_t)
|
lpd_list_spool(initrc_t)
|
||||||
|
|
||||||
lpd_read_config(initrc_t)
|
lpd_read_config(initrc_t)
|
||||||
@ -28798,7 +28800,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -742,7 +1170,13 @@ optional_policy(`
|
@@ -742,7 +1171,13 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -28813,7 +28815,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
mta_dontaudit_read_spool_symlinks(initrc_t)
|
mta_dontaudit_read_spool_symlinks(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -765,6 +1199,10 @@ optional_policy(`
|
@@ -765,6 +1200,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -28824,7 +28826,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
postgresql_manage_db(initrc_t)
|
postgresql_manage_db(initrc_t)
|
||||||
postgresql_read_config(initrc_t)
|
postgresql_read_config(initrc_t)
|
||||||
')
|
')
|
||||||
@@ -774,10 +1212,20 @@ optional_policy(`
|
@@ -774,10 +1213,20 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -28845,7 +28847,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
quota_manage_flags(initrc_t)
|
quota_manage_flags(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -786,6 +1234,10 @@ optional_policy(`
|
@@ -786,6 +1235,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -28856,7 +28858,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
fs_write_ramfs_sockets(initrc_t)
|
fs_write_ramfs_sockets(initrc_t)
|
||||||
fs_search_ramfs(initrc_t)
|
fs_search_ramfs(initrc_t)
|
||||||
|
|
||||||
@@ -807,8 +1259,6 @@ optional_policy(`
|
@@ -807,8 +1260,6 @@ optional_policy(`
|
||||||
# bash tries ioctl for some reason
|
# bash tries ioctl for some reason
|
||||||
files_dontaudit_ioctl_all_pids(initrc_t)
|
files_dontaudit_ioctl_all_pids(initrc_t)
|
||||||
|
|
||||||
@ -28865,7 +28867,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -817,6 +1267,10 @@ optional_policy(`
|
@@ -817,6 +1268,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -28876,7 +28878,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
# shorewall-init script run /var/lib/shorewall/firewall
|
# shorewall-init script run /var/lib/shorewall/firewall
|
||||||
shorewall_lib_domtrans(initrc_t)
|
shorewall_lib_domtrans(initrc_t)
|
||||||
')
|
')
|
||||||
@@ -826,10 +1280,12 @@ optional_policy(`
|
@@ -826,10 +1281,12 @@ optional_policy(`
|
||||||
squid_manage_logs(initrc_t)
|
squid_manage_logs(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -28889,7 +28891,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
ssh_dontaudit_read_server_keys(initrc_t)
|
ssh_dontaudit_read_server_keys(initrc_t)
|
||||||
@@ -856,12 +1312,28 @@ optional_policy(`
|
@@ -856,12 +1313,28 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -28919,7 +28921,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
|
|
||||||
ifdef(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
# system-config-services causes avc messages that should be dontaudited
|
# system-config-services causes avc messages that should be dontaudited
|
||||||
@@ -871,6 +1343,18 @@ optional_policy(`
|
@@ -871,6 +1344,18 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
mono_domtrans(initrc_t)
|
mono_domtrans(initrc_t)
|
||||||
')
|
')
|
||||||
@ -28938,7 +28940,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -886,6 +1370,10 @@ optional_policy(`
|
@@ -886,6 +1371,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -28949,7 +28951,7 @@ index dd3be8d..c4fe08b 100644
|
|||||||
# Set device ownerships/modes.
|
# Set device ownerships/modes.
|
||||||
xserver_setattr_console_pipes(initrc_t)
|
xserver_setattr_console_pipes(initrc_t)
|
||||||
|
|
||||||
@@ -896,3 +1384,196 @@ optional_policy(`
|
@@ -896,3 +1385,196 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
zebra_read_config(initrc_t)
|
zebra_read_config(initrc_t)
|
||||||
')
|
')
|
||||||
@ -29387,7 +29389,7 @@ index 0d4c8d3..e6ffda3 100644
|
|||||||
+ ps_process_pattern($1, ipsec_mgmt_t)
|
+ ps_process_pattern($1, ipsec_mgmt_t)
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
|
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
|
||||||
index 9e54bf9..523b613 100644
|
index 9e54bf9..ecc6d2c 100644
|
||||||
--- a/policy/modules/system/ipsec.te
|
--- a/policy/modules/system/ipsec.te
|
||||||
+++ b/policy/modules/system/ipsec.te
|
+++ b/policy/modules/system/ipsec.te
|
||||||
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
|
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
|
||||||
@ -29422,6 +29424,16 @@ index 9e54bf9..523b613 100644
|
|||||||
|
|
||||||
allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
|
allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
|
||||||
|
|
||||||
|
@@ -88,8 +95,8 @@ read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
|
||||||
|
read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
|
||||||
|
|
||||||
|
allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
|
||||||
|
-manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
|
||||||
|
read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
|
||||||
|
+manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
|
||||||
|
|
||||||
|
manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
|
||||||
|
manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
|
||||||
@@ -110,10 +117,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
|
@@ -110,10 +117,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
|
||||||
allow ipsec_mgmt_t ipsec_t:fd use;
|
allow ipsec_mgmt_t ipsec_t:fd use;
|
||||||
allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
|
allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
|
||||||
@ -31245,7 +31257,7 @@ index 4e94884..9b82ed0 100644
|
|||||||
+ logging_log_filetrans($1, var_log_t, dir, "anaconda")
|
+ logging_log_filetrans($1, var_log_t, dir, "anaconda")
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
|
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
|
||||||
index 39ea221..a55b140 100644
|
index 39ea221..0c383ca 100644
|
||||||
--- a/policy/modules/system/logging.te
|
--- a/policy/modules/system/logging.te
|
||||||
+++ b/policy/modules/system/logging.te
|
+++ b/policy/modules/system/logging.te
|
||||||
@@ -4,6 +4,21 @@ policy_module(logging, 1.19.6)
|
@@ -4,6 +4,21 @@ policy_module(logging, 1.19.6)
|
||||||
@ -31461,7 +31473,7 @@ index 39ea221..a55b140 100644
|
|||||||
|
|
||||||
# Allow access for syslog-ng
|
# Allow access for syslog-ng
|
||||||
allow syslogd_t var_log_t:dir { create setattr };
|
allow syslogd_t var_log_t:dir { create setattr };
|
||||||
@@ -386,22 +426,34 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
|
@@ -386,28 +426,41 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
|
||||||
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
|
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
|
||||||
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
|
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
|
||||||
|
|
||||||
@ -31499,7 +31511,22 @@ index 39ea221..a55b140 100644
|
|||||||
corenet_all_recvfrom_netlabel(syslogd_t)
|
corenet_all_recvfrom_netlabel(syslogd_t)
|
||||||
corenet_udp_sendrecv_generic_if(syslogd_t)
|
corenet_udp_sendrecv_generic_if(syslogd_t)
|
||||||
corenet_udp_sendrecv_generic_node(syslogd_t)
|
corenet_udp_sendrecv_generic_node(syslogd_t)
|
||||||
@@ -427,9 +479,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
|
corenet_udp_sendrecv_all_ports(syslogd_t)
|
||||||
|
corenet_udp_bind_generic_node(syslogd_t)
|
||||||
|
corenet_udp_bind_syslogd_port(syslogd_t)
|
||||||
|
+corenet_udp_bind_syslog_tls_port(syslogd_t)
|
||||||
|
# syslog-ng can listen and connect on tcp port 514 (rsh)
|
||||||
|
corenet_tcp_sendrecv_generic_if(syslogd_t)
|
||||||
|
corenet_tcp_sendrecv_generic_node(syslogd_t)
|
||||||
|
@@ -417,6 +470,7 @@ corenet_tcp_bind_rsh_port(syslogd_t)
|
||||||
|
corenet_tcp_connect_rsh_port(syslogd_t)
|
||||||
|
# Allow users to define additional syslog ports to connect to
|
||||||
|
corenet_tcp_bind_syslogd_port(syslogd_t)
|
||||||
|
+corenet_tcp_bind_syslog_tls_port(syslogd_t)
|
||||||
|
corenet_tcp_connect_syslogd_port(syslogd_t)
|
||||||
|
corenet_tcp_connect_postgresql_port(syslogd_t)
|
||||||
|
corenet_tcp_connect_mysqld_port(syslogd_t)
|
||||||
|
@@ -427,9 +481,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
|
||||||
corenet_sendrecv_postgresql_client_packets(syslogd_t)
|
corenet_sendrecv_postgresql_client_packets(syslogd_t)
|
||||||
corenet_sendrecv_mysqld_client_packets(syslogd_t)
|
corenet_sendrecv_mysqld_client_packets(syslogd_t)
|
||||||
|
|
||||||
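Review bot: The two added lines `+corenet_udp_bind_syslog_tls_port(syslogd_t)` and `+corenet_tcp_bind_syslog_tls_port(syslogd_t)` only let syslogd listen on the syslog TLS port, whereas the existing rules for the plain syslogd port grant both bind (`corenet_tcp_bind_syslogd_port`) and connect (`corenet_tcp_connect_syslogd_port`). If syslogd is also expected to forward logs to a remote TLS collector, the generated companion interface `corenet_tcp_connect_syslog_tls_port(syslogd_t)` would be needed as well; the page does not say whether outbound TLS forwarding is in scope, so this is a question rather than a confirmed gap. A comment in the style of the neighbouring `# Allow users to define additional syslog ports to connect to`, such as `# TLS transport for rsyslog/syslog-ng listeners`, would document the intent. This same point also applies to the UDP bind line in the first of the two inner hunks.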
@ -31527,7 +31554,7 @@ index 39ea221..a55b140 100644
|
|||||||
domain_use_interactive_fds(syslogd_t)
|
domain_use_interactive_fds(syslogd_t)
|
||||||
|
|
||||||
files_read_etc_files(syslogd_t)
|
files_read_etc_files(syslogd_t)
|
||||||
@@ -442,14 +511,19 @@ files_read_kernel_symbol_table(syslogd_t)
|
@@ -442,14 +513,19 @@ files_read_kernel_symbol_table(syslogd_t)
|
||||||
files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
|
files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
|
||||||
|
|
||||||
fs_getattr_all_fs(syslogd_t)
|
fs_getattr_all_fs(syslogd_t)
|
||||||
@ -31547,7 +31574,7 @@ index 39ea221..a55b140 100644
|
|||||||
# for sending messages to logged in users
|
# for sending messages to logged in users
|
||||||
init_read_utmp(syslogd_t)
|
init_read_utmp(syslogd_t)
|
||||||
init_dontaudit_write_utmp(syslogd_t)
|
init_dontaudit_write_utmp(syslogd_t)
|
||||||
@@ -461,11 +535,11 @@ init_use_fds(syslogd_t)
|
@@ -461,11 +537,11 @@ init_use_fds(syslogd_t)
|
||||||
|
|
||||||
# cjp: this doesnt make sense
|
# cjp: this doesnt make sense
|
||||||
logging_send_syslog_msg(syslogd_t)
|
logging_send_syslog_msg(syslogd_t)
|
||||||
@ -31562,7 +31589,7 @@ index 39ea221..a55b140 100644
|
|||||||
|
|
||||||
ifdef(`distro_gentoo',`
|
ifdef(`distro_gentoo',`
|
||||||
# default gentoo syslog-ng config appends kernel
|
# default gentoo syslog-ng config appends kernel
|
||||||
@@ -502,15 +576,40 @@ optional_policy(`
|
@@ -502,15 +578,40 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -31603,7 +31630,7 @@ index 39ea221..a55b140 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -521,3 +620,26 @@ optional_policy(`
|
@@ -521,3 +622,26 @@ optional_policy(`
|
||||||
# log to the xconsole
|
# log to the xconsole
|
||||||
xserver_rw_console(syslogd_t)
|
xserver_rw_console(syslogd_t)
|
||||||
')
|
')
|
||||||
@ -35994,10 +36021,10 @@ index 0000000..e9f1096
|
|||||||
+/var/run/initramfs(/.*)? <<none>>
|
+/var/run/initramfs(/.*)? <<none>>
|
||||||
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
|
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..7e80d22
|
index 0000000..685e79a
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/system/systemd.if
|
+++ b/policy/modules/system/systemd.if
|
||||||
@@ -0,0 +1,1373 @@
|
@@ -0,0 +1,1393 @@
|
||||||
+## <summary>SELinux policy for systemd components</summary>
|
+## <summary>SELinux policy for systemd components</summary>
|
||||||
+
|
+
|
||||||
+######################################
|
+######################################
|
||||||
@ -36279,6 +36306,26 @@ index 0000000..7e80d22
|
|||||||
+## </summary>
|
+## </summary>
|
||||||
+## </param>
|
+## </param>
|
||||||
+#
|
+#
|
||||||
|
+interface(`systemd_login_manage_pid_files',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type systemd_logind_var_run_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ files_search_pids($1)
|
||||||
|
+ manage_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
|
||||||
|
+ files_pid_filetrans($1, systemd_logind_var_run_t, file, "nologin")
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+######################################
|
||||||
|
+## <summary>
|
||||||
|
+## Read systemd_login PID files.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
+interface(`systemd_login_list_pid_dirs',`
|
+interface(`systemd_login_list_pid_dirs',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ type systemd_logind_var_run_t;
|
+ type systemd_logind_var_run_t;
|
||||||
@ -37373,10 +37420,10 @@ index 0000000..7e80d22
|
|||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..666a9eb
|
index 0000000..5842807
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/system/systemd.te
|
+++ b/policy/modules/system/systemd.te
|
||||||
@@ -0,0 +1,648 @@
|
@@ -0,0 +1,649 @@
|
||||||
+policy_module(systemd, 1.0.0)
|
+policy_module(systemd, 1.0.0)
|
||||||
+
|
+
|
||||||
+#######################################
|
+#######################################
|
||||||
@ -37476,6 +37523,7 @@ index 0000000..666a9eb
|
|||||||
+manage_fifo_files_pattern(systemd_logind_t, systemd_logind_sessions_t, { systemd_logind_sessions_t systemd_logind_var_run_t })
|
+manage_fifo_files_pattern(systemd_logind_t, systemd_logind_sessions_t, { systemd_logind_sessions_t systemd_logind_var_run_t })
|
||||||
+init_named_pid_filetrans(systemd_logind_t, systemd_logind_sessions_t, dir, "sessions")
|
+init_named_pid_filetrans(systemd_logind_t, systemd_logind_sessions_t, dir, "sessions")
|
||||||
+init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir)
|
+init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir)
|
||||||
|
+files_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, file, "nologin")
|
||||||
+
|
+
|
||||||
+manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
|
+manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
|
||||||
+manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
|
+manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
|
||||||
|
@ -12274,7 +12274,7 @@ index 973d208..2b650a7 100644
|
|||||||
|
|
||||||
/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
|
/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
|
||||||
diff --git a/cobbler.if b/cobbler.if
|
diff --git a/cobbler.if b/cobbler.if
|
||||||
index c223f81..3bcdf6a 100644
|
index c223f81..8b567c1 100644
|
||||||
--- a/cobbler.if
|
--- a/cobbler.if
|
||||||
+++ b/cobbler.if
|
+++ b/cobbler.if
|
||||||
@@ -38,6 +38,28 @@ interface(`cobblerd_initrc_domtrans',`
|
@@ -38,6 +38,28 @@ interface(`cobblerd_initrc_domtrans',`
|
||||||
@ -12323,6 +12323,17 @@ index c223f81..3bcdf6a 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@@ -176,8 +201,8 @@ interface(`cobblerd_admin',`
|
||||||
|
interface(`cobbler_admin',`
|
||||||
|
gen_require(`
|
||||||
|
type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
|
||||||
|
- type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t;
|
||||||
|
- type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t, cobbler_tmp_t;
|
||||||
|
+ type cobbler_etc_t, cobblerd_initrc_exec_t;
|
||||||
|
+ type cobbler_tmp_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 cobblerd_t:process { ptrace signal_perms };
|
||||||
@@ -199,7 +224,4 @@ interface(`cobbler_admin',`
|
@@ -199,7 +224,4 @@ interface(`cobbler_admin',`
|
||||||
|
|
||||||
logging_search_logs($1)
|
logging_search_logs($1)
|
||||||
@ -25096,7 +25107,7 @@ index 395238e..af76abb 100644
|
|||||||
+userdom_use_inherited_user_terminals(giftd_t)
|
+userdom_use_inherited_user_terminals(giftd_t)
|
||||||
+userdom_home_manager(gitd_t)
|
+userdom_home_manager(gitd_t)
|
||||||
diff --git a/git.if b/git.if
|
diff --git a/git.if b/git.if
|
||||||
index 1e29af1..c67e44e 100644
|
index 1e29af1..6c64f55 100644
|
||||||
--- a/git.if
|
--- a/git.if
|
||||||
+++ b/git.if
|
+++ b/git.if
|
||||||
@@ -37,7 +37,10 @@ template(`git_role',`
|
@@ -37,7 +37,10 @@ template(`git_role',`
|
||||||
@ -25111,7 +25122,15 @@ index 1e29af1..c67e44e 100644
|
|||||||
ps_process_pattern($2, git_session_t)
|
ps_process_pattern($2, git_session_t)
|
||||||
|
|
||||||
tunable_policy(`git_session_users',`
|
tunable_policy(`git_session_users',`
|
||||||
@@ -79,3 +82,21 @@ interface(`git_read_generic_sys_content_files',`
|
@@ -64,6 +67,7 @@ interface(`git_read_generic_sys_content_files',`
|
||||||
|
|
||||||
|
list_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
|
||||||
|
read_files_pattern($1, git_sys_content_t, git_sys_content_t)
|
||||||
|
+ read_lnk_files_pattern($1, git_sys_content_t, git_sys_content_t)
|
||||||
|
|
||||||
|
files_search_var_lib($1)
|
||||||
|
|
||||||
|
@@ -79,3 +83,21 @@ interface(`git_read_generic_sys_content_files',`
|
||||||
fs_read_nfs_files($1)
|
fs_read_nfs_files($1)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
@ -26050,7 +26069,7 @@ index e39de43..5818f74 100644
|
|||||||
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
|
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
|
||||||
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
|
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
|
||||||
diff --git a/gnome.if b/gnome.if
|
diff --git a/gnome.if b/gnome.if
|
||||||
index d03fd43..e137b73 100644
|
index d03fd43..0e04529 100644
|
||||||
--- a/gnome.if
|
--- a/gnome.if
|
||||||
+++ b/gnome.if
|
+++ b/gnome.if
|
||||||
@@ -1,123 +1,157 @@
|
@@ -1,123 +1,157 @@
|
||||||
@ -26875,7 +26894,7 @@ index d03fd43..e137b73 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
## <param name="name" optional="true">
|
## <param name="name" optional="true">
|
||||||
@@ -557,52 +594,76 @@ interface(`gnome_home_filetrans_gconf_home',`
|
@@ -557,52 +594,77 @@ interface(`gnome_home_filetrans_gconf_home',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -26919,6 +26938,7 @@ index d03fd43..e137b73 100644
|
|||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ read_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
|
+ read_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
|
||||||
|
+ read_lnk_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+######################################
|
+######################################
|
||||||
@ -26960,10 +26980,10 @@ index d03fd43..e137b73 100644
|
|||||||
|
|
||||||
- userdom_search_user_home_dirs($1)
|
- userdom_search_user_home_dirs($1)
|
||||||
- filetrans_pattern($1, gconf_home_t, $2, $3, $4)
|
- filetrans_pattern($1, gconf_home_t, $2, $3, $4)
|
||||||
+ allow $1 gconf_home_t:dir search_dir_perms;
|
+ allow $1 gconf_home_t:dir search_dir_perms;
|
||||||
+ manage_dirs_pattern($1, data_home_t, data_home_t)
|
+ manage_dirs_pattern($1, data_home_t, data_home_t)
|
||||||
+ manage_files_pattern($1, data_home_t, data_home_t)
|
+ manage_files_pattern($1, data_home_t, data_home_t)
|
||||||
+ manage_lnk_files_pattern($1, data_home_t, data_home_t)
|
+ manage_lnk_files_pattern($1, data_home_t, data_home_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -26973,7 +26993,7 @@ index d03fd43..e137b73 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -610,93 +671,126 @@ interface(`gnome_gconf_home_filetrans',`
|
@@ -610,93 +672,126 @@ interface(`gnome_gconf_home_filetrans',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -27134,7 +27154,7 @@ index d03fd43..e137b73 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -704,12 +798,872 @@ interface(`gnome_stream_connect_gkeyringd',`
|
@@ -704,12 +799,872 @@ interface(`gnome_stream_connect_gkeyringd',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -52367,10 +52387,10 @@ index 0000000..fdc4a03
|
|||||||
+')
|
+')
|
||||||
diff --git a/openshift.te b/openshift.te
|
diff --git a/openshift.te b/openshift.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..1911441
|
index 0000000..cd25e8e
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/openshift.te
|
+++ b/openshift.te
|
||||||
@@ -0,0 +1,551 @@
|
@@ -0,0 +1,555 @@
|
||||||
+policy_module(openshift,1.0.0)
|
+policy_module(openshift,1.0.0)
|
||||||
+
|
+
|
||||||
+gen_require(`
|
+gen_require(`
|
||||||
@ -52382,6 +52402,7 @@ index 0000000..1911441
|
|||||||
+# Declarations
|
+# Declarations
|
||||||
+#
|
+#
|
||||||
+
|
+
|
||||||
|
+
|
||||||
+# openshift applications that can use the network.
|
+# openshift applications that can use the network.
|
||||||
+attribute openshift_net_domain;
|
+attribute openshift_net_domain;
|
||||||
+# Attribute representing all openshift user processes (excludes apache processes)
|
+# Attribute representing all openshift user processes (excludes apache processes)
|
||||||
@ -52806,6 +52827,8 @@ index 0000000..1911441
|
|||||||
+allow openshift_cgroup_read_t self:unix_stream_socket create_stream_socket_perms;
|
+allow openshift_cgroup_read_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
+allow openshift_cgroup_read_t openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
|
+allow openshift_cgroup_read_t openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
|
||||||
+
|
+
|
||||||
|
+allow openshift_cgroup_read_t openshift_file_type:file rw_inherited_file_perms;
|
||||||
|
+
|
||||||
+manage_dirs_pattern(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, openshift_cgroup_read_tmp_t)
|
+manage_dirs_pattern(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, openshift_cgroup_read_tmp_t)
|
||||||
+manage_files_pattern(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, openshift_cgroup_read_tmp_t)
|
+manage_files_pattern(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, openshift_cgroup_read_tmp_t)
|
||||||
+files_tmp_filetrans(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, { file dir })
|
+files_tmp_filetrans(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, { file dir })
|
||||||
@ -52922,6 +52945,7 @@ index 0000000..1911441
|
|||||||
+ ssh_domtrans_keygen(openshift_cron_t)
|
+ ssh_domtrans_keygen(openshift_cron_t)
|
||||||
+ ssh_dontaudit_read_server_keys(openshift_cron_t)
|
+ ssh_dontaudit_read_server_keys(openshift_cron_t)
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
diff --git a/openvpn.fc b/openvpn.fc
|
diff --git a/openvpn.fc b/openvpn.fc
|
||||||
index 300213f..4cdfe09 100644
|
index 300213f..4cdfe09 100644
|
||||||
--- a/openvpn.fc
|
--- a/openvpn.fc
|
||||||
@ -81329,7 +81353,7 @@ index 3a9a70b..039b0c8 100644
|
|||||||
logging_list_logs($1)
|
logging_list_logs($1)
|
||||||
admin_pattern($1, setroubleshoot_var_log_t)
|
admin_pattern($1, setroubleshoot_var_log_t)
|
||||||
diff --git a/setroubleshoot.te b/setroubleshoot.te
|
diff --git a/setroubleshoot.te b/setroubleshoot.te
|
||||||
index 49b12ae..2da8cf7 100644
|
index 49b12ae..d47e356 100644
|
||||||
--- a/setroubleshoot.te
|
--- a/setroubleshoot.te
|
||||||
+++ b/setroubleshoot.te
|
+++ b/setroubleshoot.te
|
||||||
@@ -1,4 +1,4 @@
|
@@ -1,4 +1,4 @@
|
||||||
@ -81490,7 +81514,7 @@ index 49b12ae..2da8cf7 100644
|
|||||||
rpm_exec(setroubleshootd_t)
|
rpm_exec(setroubleshootd_t)
|
||||||
rpm_signull(setroubleshootd_t)
|
rpm_signull(setroubleshootd_t)
|
||||||
rpm_read_db(setroubleshootd_t)
|
rpm_read_db(setroubleshootd_t)
|
||||||
@@ -148,15 +160,17 @@ optional_policy(`
|
@@ -148,15 +160,18 @@ optional_policy(`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -81500,6 +81524,7 @@ index 49b12ae..2da8cf7 100644
|
|||||||
|
|
||||||
allow setroubleshoot_fixit_t self:capability sys_nice;
|
allow setroubleshoot_fixit_t self:capability sys_nice;
|
||||||
allow setroubleshoot_fixit_t self:process { setsched getsched };
|
allow setroubleshoot_fixit_t self:process { setsched getsched };
|
||||||
|
+dontaudit setroubleshoot_fixit_t self:process execmem;
|
||||||
allow setroubleshoot_fixit_t self:fifo_file rw_fifo_file_perms;
|
allow setroubleshoot_fixit_t self:fifo_file rw_fifo_file_perms;
|
||||||
+allow setroubleshoot_fixit_t self:unix_dgram_socket create_socket_perms;
|
+allow setroubleshoot_fixit_t self:unix_dgram_socket create_socket_perms;
|
||||||
|
|
||||||
@ -81509,7 +81534,7 @@ index 49b12ae..2da8cf7 100644
|
|||||||
setroubleshoot_stream_connect(setroubleshoot_fixit_t)
|
setroubleshoot_stream_connect(setroubleshoot_fixit_t)
|
||||||
|
|
||||||
kernel_read_system_state(setroubleshoot_fixit_t)
|
kernel_read_system_state(setroubleshoot_fixit_t)
|
||||||
@@ -165,9 +179,15 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
|
@@ -165,9 +180,15 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
|
||||||
corecmd_exec_shell(setroubleshoot_fixit_t)
|
corecmd_exec_shell(setroubleshoot_fixit_t)
|
||||||
corecmd_getattr_all_executables(setroubleshoot_fixit_t)
|
corecmd_getattr_all_executables(setroubleshoot_fixit_t)
|
||||||
|
|
||||||
@ -81526,7 +81551,7 @@ index 49b12ae..2da8cf7 100644
|
|||||||
files_list_tmp(setroubleshoot_fixit_t)
|
files_list_tmp(setroubleshoot_fixit_t)
|
||||||
|
|
||||||
auth_use_nsswitch(setroubleshoot_fixit_t)
|
auth_use_nsswitch(setroubleshoot_fixit_t)
|
||||||
@@ -175,23 +195,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
|
@@ -175,23 +196,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
|
||||||
logging_send_audit_msgs(setroubleshoot_fixit_t)
|
logging_send_audit_msgs(setroubleshoot_fixit_t)
|
||||||
logging_send_syslog_msg(setroubleshoot_fixit_t)
|
logging_send_syslog_msg(setroubleshoot_fixit_t)
|
||||||
|
|
||||||
@ -93183,7 +93208,7 @@ index 9dec06c..73549fd 100644
|
|||||||
+ virt_stream_connect($1)
|
+ virt_stream_connect($1)
|
||||||
')
|
')
|
||||||
diff --git a/virt.te b/virt.te
|
diff --git a/virt.te b/virt.te
|
||||||
index 1f22fba..0a4c5f6 100644
|
index 1f22fba..64b3da9 100644
|
||||||
--- a/virt.te
|
--- a/virt.te
|
||||||
+++ b/virt.te
|
+++ b/virt.te
|
||||||
@@ -1,147 +1,167 @@
|
@@ -1,147 +1,167 @@
|
||||||
@ -94400,7 +94425,7 @@ index 1f22fba..0a4c5f6 100644
|
|||||||
|
|
||||||
fs_getattr_all_fs(virsh_t)
|
fs_getattr_all_fs(virsh_t)
|
||||||
fs_manage_xenfs_dirs(virsh_t)
|
fs_manage_xenfs_dirs(virsh_t)
|
||||||
@@ -812,24 +888,22 @@ fs_search_auto_mountpoints(virsh_t)
|
@@ -812,23 +888,23 @@ fs_search_auto_mountpoints(virsh_t)
|
||||||
|
|
||||||
storage_raw_read_fixed_disk(virsh_t)
|
storage_raw_read_fixed_disk(virsh_t)
|
||||||
|
|
||||||
@ -94416,23 +94441,24 @@ index 1f22fba..0a4c5f6 100644
|
|||||||
init_use_fds(virsh_t)
|
init_use_fds(virsh_t)
|
||||||
|
|
||||||
-logging_send_syslog_msg(virsh_t)
|
-logging_send_syslog_msg(virsh_t)
|
||||||
+auth_read_passwd(virsh_t)
|
+systemd_exec_systemctl(virsh_t)
|
||||||
|
|
||||||
-miscfiles_read_localization(virsh_t)
|
-miscfiles_read_localization(virsh_t)
|
||||||
+logging_send_syslog_msg(virsh_t)
|
+auth_read_passwd(virsh_t)
|
||||||
|
|
||||||
sysnet_dns_name_resolve(virsh_t)
|
-sysnet_dns_name_resolve(virsh_t)
|
||||||
|
+logging_send_syslog_msg(virsh_t)
|
||||||
|
|
||||||
-tunable_policy(`virt_use_fusefs',`
|
-tunable_policy(`virt_use_fusefs',`
|
||||||
- fs_manage_fusefs_dirs(virsh_t)
|
- fs_manage_fusefs_dirs(virsh_t)
|
||||||
- fs_manage_fusefs_files(virsh_t)
|
- fs_manage_fusefs_files(virsh_t)
|
||||||
- fs_read_fusefs_symlinks(virsh_t)
|
- fs_read_fusefs_symlinks(virsh_t)
|
||||||
-')
|
-')
|
||||||
-
|
+sysnet_dns_name_resolve(virsh_t)
|
||||||
|
|
||||||
tunable_policy(`virt_use_nfs',`
|
tunable_policy(`virt_use_nfs',`
|
||||||
fs_manage_nfs_dirs(virsh_t)
|
fs_manage_nfs_dirs(virsh_t)
|
||||||
fs_manage_nfs_files(virsh_t)
|
@@ -847,14 +923,20 @@ optional_policy(`
|
||||||
@@ -847,14 +921,20 @@ optional_policy(`
|
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -94454,7 +94480,7 @@ index 1f22fba..0a4c5f6 100644
|
|||||||
xen_stream_connect(virsh_t)
|
xen_stream_connect(virsh_t)
|
||||||
xen_stream_connect_xenstore(virsh_t)
|
xen_stream_connect_xenstore(virsh_t)
|
||||||
')
|
')
|
||||||
@@ -879,49 +959,65 @@ optional_policy(`
|
@@ -879,49 +961,65 @@ optional_policy(`
|
||||||
kernel_read_xen_state(virsh_ssh_t)
|
kernel_read_xen_state(virsh_ssh_t)
|
||||||
kernel_write_xen_state(virsh_ssh_t)
|
kernel_write_xen_state(virsh_ssh_t)
|
||||||
|
|
||||||
@ -94538,7 +94564,7 @@ index 1f22fba..0a4c5f6 100644
|
|||||||
|
|
||||||
corecmd_exec_bin(virtd_lxc_t)
|
corecmd_exec_bin(virtd_lxc_t)
|
||||||
corecmd_exec_shell(virtd_lxc_t)
|
corecmd_exec_shell(virtd_lxc_t)
|
||||||
@@ -933,17 +1029,16 @@ dev_read_urand(virtd_lxc_t)
|
@@ -933,17 +1031,16 @@ dev_read_urand(virtd_lxc_t)
|
||||||
|
|
||||||
domain_use_interactive_fds(virtd_lxc_t)
|
domain_use_interactive_fds(virtd_lxc_t)
|
||||||
|
|
||||||
@ -94558,7 +94584,7 @@ index 1f22fba..0a4c5f6 100644
|
|||||||
fs_getattr_all_fs(virtd_lxc_t)
|
fs_getattr_all_fs(virtd_lxc_t)
|
||||||
fs_manage_tmpfs_dirs(virtd_lxc_t)
|
fs_manage_tmpfs_dirs(virtd_lxc_t)
|
||||||
fs_manage_tmpfs_chr_files(virtd_lxc_t)
|
fs_manage_tmpfs_chr_files(virtd_lxc_t)
|
||||||
@@ -955,8 +1050,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
|
@@ -955,8 +1052,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
|
||||||
fs_unmount_all_fs(virtd_lxc_t)
|
fs_unmount_all_fs(virtd_lxc_t)
|
||||||
fs_relabelfrom_tmpfs(virtd_lxc_t)
|
fs_relabelfrom_tmpfs(virtd_lxc_t)
|
||||||
|
|
||||||
@ -94582,7 +94608,7 @@ index 1f22fba..0a4c5f6 100644
|
|||||||
selinux_get_enforce_mode(virtd_lxc_t)
|
selinux_get_enforce_mode(virtd_lxc_t)
|
||||||
selinux_get_fs_mount(virtd_lxc_t)
|
selinux_get_fs_mount(virtd_lxc_t)
|
||||||
selinux_validate_context(virtd_lxc_t)
|
selinux_validate_context(virtd_lxc_t)
|
||||||
@@ -965,194 +1075,235 @@ selinux_compute_create_context(virtd_lxc_t)
|
@@ -965,194 +1077,238 @@ selinux_compute_create_context(virtd_lxc_t)
|
||||||
selinux_compute_relabel_context(virtd_lxc_t)
|
selinux_compute_relabel_context(virtd_lxc_t)
|
||||||
selinux_compute_user_contexts(virtd_lxc_t)
|
selinux_compute_user_contexts(virtd_lxc_t)
|
||||||
|
|
||||||
@ -94649,7 +94675,10 @@ index 1f22fba..0a4c5f6 100644
|
|||||||
+manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
+manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
||||||
+manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
+manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
||||||
+manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
+manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
||||||
|
+allow svirt_sandbox_domain svirt_sandbox_file_t:chr_file setattr;
|
||||||
+rw_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
+rw_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
||||||
|
+
|
||||||
|
+allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr;
|
||||||
+rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
+rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
||||||
+can_exec(svirt_sandbox_domain, svirt_sandbox_file_t)
|
+can_exec(svirt_sandbox_domain, svirt_sandbox_file_t)
|
||||||
+allow svirt_sandbox_domain svirt_sandbox_file_t:dir mounton;
|
+allow svirt_sandbox_domain svirt_sandbox_file_t:dir mounton;
|
||||||
@ -94954,7 +94983,7 @@ index 1f22fba..0a4c5f6 100644
|
|||||||
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
|
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
|
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
|
||||||
|
|
||||||
@@ -1165,12 +1316,12 @@ dev_read_sysfs(virt_qmf_t)
|
@@ -1165,12 +1321,12 @@ dev_read_sysfs(virt_qmf_t)
|
||||||
dev_read_rand(virt_qmf_t)
|
dev_read_rand(virt_qmf_t)
|
||||||
dev_read_urand(virt_qmf_t)
|
dev_read_urand(virt_qmf_t)
|
||||||
|
|
||||||
@ -94969,7 +94998,7 @@ index 1f22fba..0a4c5f6 100644
|
|||||||
sysnet_read_config(virt_qmf_t)
|
sysnet_read_config(virt_qmf_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -1183,9 +1334,8 @@ optional_policy(`
|
@@ -1183,9 +1339,8 @@ optional_policy(`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -94980,7 +95009,7 @@ index 1f22fba..0a4c5f6 100644
|
|||||||
allow virt_bridgehelper_t self:process { setcap getcap };
|
allow virt_bridgehelper_t self:process { setcap getcap };
|
||||||
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
|
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
|
||||||
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
||||||
@@ -1198,5 +1348,194 @@ kernel_read_network_state(virt_bridgehelper_t)
|
@@ -1198,5 +1353,194 @@ kernel_read_network_state(virt_bridgehelper_t)
|
||||||
|
|
||||||
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
|
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
|
||||||
|
|
||||||
|
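Review bot: The two new `setattr` rules, `allow svirt_sandbox_domain svirt_sandbox_file_t:chr_file setattr;` and its blk_file counterpart, carry no comment, yet they let every sandbox domain change mode, ownership and timestamps of device nodes labeled svirt_sandbox_file_t, on top of the read/write access the existing `rw_chr_files_pattern`/`rw_blk_files_pattern` lines already grant. The motivation appears only in the spec changelog ("so sshd will work within a container"), which does not travel with the policy; a one-line comment above the first rule, `# sshd running inside a container needs setattr on its svirt_sandbox_file_t device nodes`, would keep it next to the permission it justifies. The hunk does not show which class sshd actually exercises; if only chr_file is needed, the blk_file rule is extra reach on block devices and could be dropped, but I cannot confirm that from here. The svirt_sandbox_domain block continues outside the hunk.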
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.12.1
|
Version: 3.12.1
|
||||||
Release: 88%{?dist}
|
Release: 89%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -572,7 +572,33 @@ SELinux Reference policy mls base module.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Tue Oct 4 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-88
|
* Mon Oct 14 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-89
|
||||||
|
- Fix gnome_read_generic_data_home_files()
|
||||||
|
- allow openshift_cgroup_t to read/write inherited openshift file types
|
||||||
|
- Remove httpd_cobbler_content * from cobbler_admin interface
|
||||||
|
- Allow svirt sandbox domains to setattr on chr_file and blk_file svirt_sandbox_file_t, so sshd will work within a container
|
||||||
|
- Allow httpd_t to read also git sys content symlinks
|
||||||
|
- Allow init_t to read gnome home data
|
||||||
|
- Dontaudit setroubleshoot_fixit_t execmem, since it does not seem to really need it.
|
||||||
|
- Allow virsh to execute systemctl
|
||||||
|
- Fix for nagios_services plugins
|
||||||
|
- add type defintion for ctdbd_var_t
|
||||||
|
- Add support for /var/ctdb. Allow ctdb block_suspend and read /etc/passwd file
|
||||||
|
- Allow net_admin/netlink_socket all hyperv_domain domains
|
||||||
|
- Add labeling for zarafa-search.log and zarafa-search.pid
|
||||||
|
- Fix hypervkvp.te
|
||||||
|
- Fix nscd_shm_use()
|
||||||
|
- Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services.
|
||||||
|
- Add hypervkvp_unit_file_t type
|
||||||
|
- Fix logging policy
|
||||||
|
- Allow syslog to bind to tls ports
|
||||||
|
- Update labeling for /dev/cdc-wdm
|
||||||
|
- Allow to su_domain to read init states
|
||||||
|
- Allow init_t to read gnome home data
|
||||||
|
- Make sure if systemd_logind creates nologin file with the correct label
|
||||||
|
- Clean up ipsec.te
|
||||||
|
|
||||||
|
* Tue Oct 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-88
|
||||||
- Add auth_exec_chkpwd interface
|
- Add auth_exec_chkpwd interface
|
||||||
- Fix port definition for ctdb ports
|
- Fix port definition for ctdb ports
|
||||||
- Allow systemd domains to read /dev/urand
|
- Allow systemd domains to read /dev/urand
|
||||||
|