- Allow mozilla plugin to chat with policykit, needed for spice
- Allow gssproxy to change user and gid, as well as read user keyrings - Allow sandbox apps to attempt to set and get capabilities - Label upgrades directory under /var/www as httpd_sys_rw_content_t, add other filetrans rules to label content correctly - allow modemmanager to read /dev/urand - Allow polipo to connect to http_cache_ports - Allow cron jobs to manage apache var lib content - Allow yppassword to manage the passwd_file_t - Allow showall_t to send itself signals - Allow cobbler to restart dhcpc, dnsmasq and bind services - Allow rsync_t to manage all non auth files - Allow certmonger to manage home cert files - Allow user_mail_domains to write certain files to the /root and ~/ directories - Allow apcupsd_t to status and start the power unit file - Allow cgroupdrulesengd to create content in cgroups directories - Add new access for mythtv - Allow irc_t to execute shell and bin-t files - Allow smbd_t to signull cluster - Allow sssd to read systemd_login_var_run_t - Allow gluster daemon to create fifo files in glusterd_brick_t and sock_file in glusterd_var_lib_t - Add label for /var/spool/cron.aquota.user - Allow sandbox_x domains to work with the mozilla plugin semaphore - Added new policy for speech-dispatcher - Added dontaudit rule for insmod_exec_t in rasdaemon policy - Updated rasdaemon policy - Allow virt_domains to read cert files - Allow system_mail_t to transition to postfix_postdrop_t - Clean up mirrormanager policy - Allow subscription-manager running as sosreport_t to manage rhsmcertd - Remove ability to do mount/sys_admin by default in virt_sandbox domains - New rules required to run docker images within libvirt - Fixed bumblebee_admin() and mip6d_admin() - Add log support for sensord - Add label for ~/.cvsignore - Change mirrormanager to be run by cron - Add mirrormanager policy - Additional fixes for docker.te - Allow cobblerd to read/write undionly.kpxe located in /var/lib/tftpboot - Add tftp_write_rw_content/tftp_read_rw_content 
interfaces - Allow amanda to do backups over UDP
This commit is contained in:
parent
804870d8a3
commit
9d88e18305
@ -2631,7 +2631,7 @@ index 99e3903..fa68362 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
|
||||
index 1d732f1..7ba0bd8 100644
|
||||
index 1d732f1..9647c14 100644
|
||||
--- a/policy/modules/admin/usermanage.te
|
||||
+++ b/policy/modules/admin/usermanage.te
|
||||
@@ -26,6 +26,7 @@ type chfn_exec_t;
|
||||
@ -2851,7 +2851,7 @@ index 1d732f1..7ba0bd8 100644
|
||||
userdom_use_unpriv_users_fds(passwd_t)
|
||||
# make sure that getcon succeeds
|
||||
userdom_getattr_all_users(passwd_t)
|
||||
@@ -352,6 +383,13 @@ userdom_read_user_tmp_files(passwd_t)
|
||||
@@ -352,6 +383,14 @@ userdom_read_user_tmp_files(passwd_t)
|
||||
# user generally runs this from their home directory, so do not audit a search
|
||||
# on user home dir
|
||||
userdom_dontaudit_search_user_home_content(passwd_t)
|
||||
@ -2860,12 +2860,13 @@ index 1d732f1..7ba0bd8 100644
|
||||
+optional_policy(`
|
||||
+ gnome_exec_keyringd(passwd_t)
|
||||
+ gnome_manage_cache_home_dir(passwd_t)
|
||||
+ gnome_manage_generic_cache_sockets(passwd_t)
|
||||
+ gnome_stream_connect_gkeyringd(passwd_t)
|
||||
+')
|
||||
|
||||
optional_policy(`
|
||||
nscd_run(passwd_t, passwd_roles)
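Review bot: The new optional_policy block for passwd_t grants gnome_manage_cache_home_dir and gnome_manage_generic_cache_sockets, which is create/write/delete access over the whole per-user cache tree for a setuid-root domain that already holds auth_manage_shadow (visible further down in this file section), and nothing in the hunk says why. If the purpose is pam_gnome_keyring re-keying the login keyring on a password change (my reading, the hunk does not state it), gnome_stream_connect_gkeyringd plus gnome_exec_keyringd may already be enough, so please confirm the two manage rules are actually needed and add a rationale such as `# pam_gnome_keyring: update the login keyring password on passwd change` above the block. Only one line of this block is new on the outer side (12→13 lines), so the remainder is pre-existing patch content being re-reviewed here.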
|
||||
@@ -401,9 +439,10 @@ dev_read_urand(sysadm_passwd_t)
|
||||
@@ -401,9 +440,10 @@ dev_read_urand(sysadm_passwd_t)
|
||||
fs_getattr_xattr_fs(sysadm_passwd_t)
|
||||
fs_search_auto_mountpoints(sysadm_passwd_t)
|
||||
|
||||
@ -2878,7 +2879,7 @@ index 1d732f1..7ba0bd8 100644
|
||||
auth_manage_shadow(sysadm_passwd_t)
|
||||
auth_relabel_shadow(sysadm_passwd_t)
|
||||
auth_etc_filetrans_shadow(sysadm_passwd_t)
|
||||
@@ -416,7 +455,6 @@ files_read_usr_files(sysadm_passwd_t)
|
||||
@@ -416,7 +456,6 @@ files_read_usr_files(sysadm_passwd_t)
|
||||
|
||||
domain_use_interactive_fds(sysadm_passwd_t)
|
||||
|
||||
@ -2886,7 +2887,7 @@ index 1d732f1..7ba0bd8 100644
|
||||
files_relabel_etc_files(sysadm_passwd_t)
|
||||
files_read_etc_runtime_files(sysadm_passwd_t)
|
||||
# for nscd lookups
|
||||
@@ -426,12 +464,9 @@ files_dontaudit_search_pids(sysadm_passwd_t)
|
||||
@@ -426,12 +465,9 @@ files_dontaudit_search_pids(sysadm_passwd_t)
|
||||
# correctly without it. Do not audit write denials to utmp.
|
||||
init_dontaudit_rw_utmp(sysadm_passwd_t)
|
||||
|
||||
@ -2899,7 +2900,7 @@ index 1d732f1..7ba0bd8 100644
|
||||
userdom_use_unpriv_users_fds(sysadm_passwd_t)
|
||||
# user generally runs this from their home directory, so do not audit a search
|
||||
# on user home dir
|
||||
@@ -446,7 +481,8 @@ optional_policy(`
|
||||
@@ -446,7 +482,8 @@ optional_policy(`
|
||||
# Useradd local policy
|
||||
#
|
||||
|
||||
@ -2909,7 +2910,7 @@ index 1d732f1..7ba0bd8 100644
|
||||
dontaudit useradd_t self:capability sys_tty_config;
|
||||
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow useradd_t self:process setfscreate;
|
||||
@@ -461,6 +497,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
@@ -461,6 +498,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow useradd_t self:unix_dgram_socket sendto;
|
||||
allow useradd_t self:unix_stream_socket connectto;
|
||||
|
||||
@ -2920,7 +2921,7 @@ index 1d732f1..7ba0bd8 100644
|
||||
# for getting the number of groups
|
||||
kernel_read_kernel_sysctls(useradd_t)
|
||||
|
||||
@@ -468,29 +508,27 @@ corecmd_exec_shell(useradd_t)
|
||||
@@ -468,29 +509,27 @@ corecmd_exec_shell(useradd_t)
|
||||
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
|
||||
corecmd_exec_bin(useradd_t)
|
||||
|
||||
@ -2959,7 +2960,7 @@ index 1d732f1..7ba0bd8 100644
|
||||
|
||||
auth_run_chk_passwd(useradd_t, useradd_roles)
|
||||
auth_rw_lastlog(useradd_t)
|
||||
@@ -498,6 +536,7 @@ auth_rw_faillog(useradd_t)
|
||||
@@ -498,6 +537,7 @@ auth_rw_faillog(useradd_t)
|
||||
auth_use_nsswitch(useradd_t)
|
||||
# these may be unnecessary due to the above
|
||||
# domtrans_chk_passwd() call.
|
||||
@ -2967,7 +2968,7 @@ index 1d732f1..7ba0bd8 100644
|
||||
auth_manage_shadow(useradd_t)
|
||||
auth_relabel_shadow(useradd_t)
|
||||
auth_etc_filetrans_shadow(useradd_t)
|
||||
@@ -508,33 +547,32 @@ init_rw_utmp(useradd_t)
|
||||
@@ -508,33 +548,32 @@ init_rw_utmp(useradd_t)
|
||||
logging_send_audit_msgs(useradd_t)
|
||||
logging_send_syslog_msg(useradd_t)
|
||||
|
||||
@ -3012,7 +3013,7 @@ index 1d732f1..7ba0bd8 100644
|
||||
optional_policy(`
|
||||
apache_manage_all_user_content(useradd_t)
|
||||
')
|
||||
@@ -549,10 +587,19 @@ optional_policy(`
|
||||
@@ -549,10 +588,19 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -3032,7 +3033,7 @@ index 1d732f1..7ba0bd8 100644
|
||||
tunable_policy(`samba_domain_controller',`
|
||||
samba_append_log(useradd_t)
|
||||
')
|
||||
@@ -562,3 +609,12 @@ optional_policy(`
|
||||
@@ -562,3 +610,12 @@ optional_policy(`
|
||||
rpm_use_fds(useradd_t)
|
||||
rpm_rw_pipes(useradd_t)
|
||||
')
|
||||
@ -8699,7 +8700,7 @@ index 6a1e4d1..84e8030 100644
|
||||
+ dontaudit $1 domain:dir_file_class_set audit_access;
|
||||
')
|
||||
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
|
||||
index cf04cb5..c47a578 100644
|
||||
index cf04cb5..4182845 100644
|
||||
--- a/policy/modules/kernel/domain.te
|
||||
+++ b/policy/modules/kernel/domain.te
|
||||
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
|
||||
@ -8836,7 +8837,7 @@ index cf04cb5..c47a578 100644
|
||||
|
||||
# Create/access any System V IPC objects.
|
||||
allow unconfined_domain_type domain:{ sem msgq shm } *;
|
||||
@@ -166,5 +231,314 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
|
||||
@@ -166,5 +231,318 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
|
||||
# act on all domains keys
|
||||
allow unconfined_domain_type domain:key *;
|
||||
|
||||
@ -8933,6 +8934,10 @@ index cf04cb5..c47a578 100644
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ cvs_filetrans_home_content(named_filetrans_domain)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ devicekit_filetrans_named_content(named_filetrans_domain)
|
||||
+')
|
||||
+
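Review bot: The two new optional_policy blocks on named_filetrans_domain carry no comment naming the paths they relabel, and the commit message ties only one of them to ~/.cvsignore. Suggest `# ~/.cvsignore written by cvs clients` above the cvs_filetrans_home_content call and a matching one-liner above devicekit_filetrans_named_content stating which names under /var/run or /var/lib it covers. Because named_filetrans_domain spans every domain that creates files, a too-broad pattern in either interface (both defined outside this hunk) would relabel content system-wide, so those interface bodies are worth checking in the same review.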
|
||||
@ -9152,7 +9157,7 @@ index cf04cb5..c47a578 100644
|
||||
+ ')
|
||||
+')
|
||||
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
|
||||
index b876c48..bd5b58c 100644
|
||||
index b876c48..27f60c6 100644
|
||||
--- a/policy/modules/kernel/files.fc
|
||||
+++ b/policy/modules/kernel/files.fc
|
||||
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
|
||||
@ -9353,7 +9358,7 @@ index b876c48..bd5b58c 100644
|
||||
/var/.* gen_context(system_u:object_r:var_t,s0)
|
||||
/var/\.journal <<none>>
|
||||
|
||||
@@ -237,11 +245,24 @@ ifndef(`distro_redhat',`
|
||||
@@ -237,11 +245,25 @@ ifndef(`distro_redhat',`
|
||||
|
||||
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
|
||||
|
||||
@ -9371,7 +9376,8 @@ index b876c48..bd5b58c 100644
|
||||
+/var/lib/openshift/.stickshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
|
||||
+/var/lib/openshift/.limits.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
|
||||
+
|
||||
+/var/lib/servicelog/servicelog.db -- gen_context(system_u:object_r:system_db_t,s0)
|
||||
+/var/lib/servicelog/servicelog\.db -- gen_context(system_u:object_r:system_db_t,s0)
|
||||
+/var/lib/servicelog/servicelog\.db-journal -- gen_context(system_u:object_r:system_db_t,s0)
|
||||
+
|
||||
+/var/lock -d gen_context(system_u:object_r:var_lock_t,s0)
|
||||
+/var/lock -l gen_context(system_u:object_r:var_lock_t,s0)
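Review bot: The escaping fix on the servicelog.db entry is right (the unescaped `.` matched any character), but the added `-journal` entry implies an SQLite database, and SQLite in WAL mode also creates `-wal` and `-shm` side files that would fall through to the generic /var/lib label. One pattern covers all of them: `/var/lib/servicelog/servicelog\.db(-journal|-wal|-shm)? -- gen_context(system_u:object_r:system_db_t,s0)`. Whether servicelog actually opens the database in WAL mode is not visible here, so confirm against the package before widening the pattern.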
|
||||
@ -9379,7 +9385,7 @@ index b876c48..bd5b58c 100644
|
||||
|
||||
/var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
|
||||
/var/log/lost\+found/.* <<none>>
|
||||
@@ -256,12 +277,14 @@ ifndef(`distro_redhat',`
|
||||
@@ -256,12 +278,14 @@ ifndef(`distro_redhat',`
|
||||
/var/run -l gen_context(system_u:object_r:var_run_t,s0)
|
||||
/var/run/.* gen_context(system_u:object_r:var_run_t,s0)
|
||||
/var/run/.*\.*pid <<none>>
|
||||
@ -9394,14 +9400,14 @@ index b876c48..bd5b58c 100644
|
||||
/var/tmp/.* <<none>>
|
||||
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
|
||||
/var/tmp/lost\+found/.* <<none>>
|
||||
@@ -271,3 +294,5 @@ ifdef(`distro_debian',`
|
||||
@@ -271,3 +295,5 @@ ifdef(`distro_debian',`
|
||||
/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
|
||||
/var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)
|
||||
')
|
||||
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
|
||||
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
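Review bot: The two /nsr entries are appended with no comment identifying the product that owns that tree, and they sit after the distro_debian block rather than in a labelled section, so a reader of files.fc cannot tell what /nsr is. If this is the EMC NetWorker layout (an assumption on my part; the hunk does not say), add `# EMC NetWorker client/server tree` above them. Note also that `/nsr(/.*)?` as var_t makes everything there, configuration included, generic var_t; anything that needs tighter labelling than the logs split-out already here should get its own entry rather than inherit this catch-all.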
|
||||
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
|
||||
index f962f76..70fb827 100644
|
||||
index f962f76..35cd90c 100644
|
||||
--- a/policy/modules/kernel/files.if
|
||||
+++ b/policy/modules/kernel/files.if
|
||||
@@ -19,6 +19,136 @@
|
||||
@ -12032,7 +12038,7 @@ index f962f76..70fb827 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -6519,64 +7762,749 @@ interface(`files_spool_filetrans',`
|
||||
@@ -6519,64 +7762,767 @@ interface(`files_spool_filetrans',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -12639,6 +12645,24 @@ index f962f76..70fb827 100644
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Allow domain to delete to all dirs
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain to not audit.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`files_delete_all_non_security_dirs',`
|
||||
+ gen_require(`
|
||||
+ attribute non_security_file_type;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 non_security_file_type:dir { del_entry_dir_perms delete_dir_perms };
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Transition named content in the var_run_t directory
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
@ -21068,10 +21092,10 @@ index fe0c682..c0413e8 100644
|
||||
+ ps_process_pattern($1, sshd_t)
|
||||
+')
|
||||
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
|
||||
index cc877c7..f2db99e 100644
|
||||
index cc877c7..07f129b 100644
|
||||
--- a/policy/modules/services/ssh.te
|
||||
+++ b/policy/modules/services/ssh.te
|
||||
@@ -6,43 +6,64 @@ policy_module(ssh, 2.4.2)
|
||||
@@ -6,43 +6,65 @@ policy_module(ssh, 2.4.2)
|
||||
#
|
||||
|
||||
## <desc>
|
||||
@ -21128,6 +21152,7 @@ index cc877c7..f2db99e 100644
|
||||
ssh_server_template(sshd)
|
||||
init_daemon_domain(sshd_t, sshd_exec_t)
|
||||
+mls_trusted_object(sshd_t)
|
||||
+mls_process_write_all_levels(sshd_t)
|
||||
+
|
||||
+type sshd_initrc_exec_t;
|
||||
+init_script_file(sshd_initrc_exec_t)
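Review bot: sshd_t gains mls_trusted_object and mls_process_write_all_levels with no comment, and both are MLS overrides: the second lets sshd write to processes at any sensitivity level, the first marks sshd's own objects as accessible across levels. Only one of the two lines is what this outer hunk adds (6→7 lines), but whichever it is, please add a rationale such as `# sshd spawns and signals user sessions at every level it ranges over (MLS)` and confirm a full write-all-levels grant is required rather than the narrower mls_process_write_down this policy already uses for initrc_t elsewhere in the patch. The enclosing sshd_t declaration block continues outside this hunk.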
|
||||
@ -21150,7 +21175,7 @@ index cc877c7..f2db99e 100644
|
||||
|
||||
type ssh_t;
|
||||
type ssh_exec_t;
|
||||
@@ -73,9 +94,11 @@ type ssh_home_t;
|
||||
@@ -73,9 +95,11 @@ type ssh_home_t;
|
||||
typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
|
||||
typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
|
||||
userdom_user_home_content(ssh_home_t)
|
||||
@ -21164,7 +21189,7 @@ index cc877c7..f2db99e 100644
|
||||
|
||||
##############################
|
||||
#
|
||||
@@ -86,6 +109,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
|
||||
@@ -86,6 +110,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
|
||||
allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow ssh_t self:fd use;
|
||||
allow ssh_t self:fifo_file rw_fifo_file_perms;
|
||||
@ -21172,7 +21197,7 @@ index cc877c7..f2db99e 100644
|
||||
allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow ssh_t self:shm create_shm_perms;
|
||||
@@ -93,15 +117,11 @@ allow ssh_t self:sem create_sem_perms;
|
||||
@@ -93,15 +118,11 @@ allow ssh_t self:sem create_sem_perms;
|
||||
allow ssh_t self:msgq create_msgq_perms;
|
||||
allow ssh_t self:msg { send receive };
|
||||
allow ssh_t self:tcp_socket create_stream_socket_perms;
|
||||
@ -21189,7 +21214,7 @@ index cc877c7..f2db99e 100644
|
||||
manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
|
||||
manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
|
||||
manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
|
||||
@@ -110,33 +130,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
|
||||
@@ -110,33 +131,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
|
||||
|
||||
manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
|
||||
manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
|
||||
@ -21237,7 +21262,7 @@ index cc877c7..f2db99e 100644
|
||||
dev_read_urand(ssh_t)
|
||||
|
||||
fs_getattr_all_fs(ssh_t)
|
||||
@@ -157,40 +186,46 @@ files_read_var_files(ssh_t)
|
||||
@@ -157,40 +187,46 @@ files_read_var_files(ssh_t)
|
||||
logging_send_syslog_msg(ssh_t)
|
||||
logging_read_generic_logs(ssh_t)
|
||||
|
||||
@ -21303,7 +21328,7 @@ index cc877c7..f2db99e 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -198,6 +233,7 @@ optional_policy(`
|
||||
@@ -198,6 +234,7 @@ optional_policy(`
|
||||
xserver_domtrans_xauth(ssh_t)
|
||||
')
|
||||
|
||||
@ -21311,7 +21336,7 @@ index cc877c7..f2db99e 100644
|
||||
##############################
|
||||
#
|
||||
# ssh_keysign_t local policy
|
||||
@@ -209,6 +245,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
|
||||
@@ -209,6 +246,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
|
||||
allow ssh_keysign_t sshd_key_t:file { getattr read };
|
||||
|
||||
dev_read_urand(ssh_keysign_t)
|
||||
@ -21319,7 +21344,7 @@ index cc877c7..f2db99e 100644
|
||||
|
||||
files_read_etc_files(ssh_keysign_t)
|
||||
|
||||
@@ -226,39 +263,56 @@ optional_policy(`
|
||||
@@ -226,39 +264,56 @@ optional_policy(`
|
||||
# so a tunnel can point to another ssh tunnel
|
||||
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow sshd_t self:key { search link write };
|
||||
@ -21388,7 +21413,7 @@ index cc877c7..f2db99e 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -266,6 +320,15 @@ optional_policy(`
|
||||
@@ -266,6 +321,15 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -21404,7 +21429,7 @@ index cc877c7..f2db99e 100644
|
||||
inetd_tcp_service_domain(sshd_t, sshd_exec_t)
|
||||
')
|
||||
|
||||
@@ -275,6 +338,18 @@ optional_policy(`
|
||||
@@ -275,6 +339,18 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -21423,7 +21448,7 @@ index cc877c7..f2db99e 100644
|
||||
oddjob_domtrans_mkhomedir(sshd_t)
|
||||
')
|
||||
|
||||
@@ -289,13 +364,93 @@ optional_policy(`
|
||||
@@ -289,13 +365,93 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -21517,7 +21542,7 @@ index cc877c7..f2db99e 100644
|
||||
########################################
|
||||
#
|
||||
# ssh_keygen local policy
|
||||
@@ -304,19 +459,29 @@ optional_policy(`
|
||||
@@ -304,19 +460,29 @@ optional_policy(`
|
||||
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
|
||||
# and by sysadm_t
|
||||
|
||||
@ -21548,7 +21573,7 @@ index cc877c7..f2db99e 100644
|
||||
dev_read_urand(ssh_keygen_t)
|
||||
|
||||
term_dontaudit_use_console(ssh_keygen_t)
|
||||
@@ -333,6 +498,12 @@ auth_use_nsswitch(ssh_keygen_t)
|
||||
@@ -333,6 +499,12 @@ auth_use_nsswitch(ssh_keygen_t)
|
||||
logging_send_syslog_msg(ssh_keygen_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
|
||||
@ -21561,7 +21586,7 @@ index cc877c7..f2db99e 100644
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(ssh_keygen_t)
|
||||
@@ -341,3 +512,140 @@ optional_policy(`
|
||||
@@ -341,3 +513,140 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
udev_read_db(ssh_keygen_t)
|
||||
')
|
||||
@ -25994,7 +26019,7 @@ index 3efd5b6..08c3e93 100644
|
||||
+ allow $1 login_pgm:process sigchld;
|
||||
+')
|
||||
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
|
||||
index 09b791d..7345117 100644
|
||||
index 09b791d..4f331be 100644
|
||||
--- a/policy/modules/system/authlogin.te
|
||||
+++ b/policy/modules/system/authlogin.te
|
||||
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
|
||||
@ -26191,7 +26216,7 @@ index 09b791d..7345117 100644
|
||||
miscfiles_read_generic_certs(pam_console_t)
|
||||
|
||||
seutil_read_file_contexts(pam_console_t)
|
||||
@@ -341,6 +362,10 @@ kernel_read_system_state(updpwd_t)
|
||||
@@ -341,6 +362,11 @@ kernel_read_system_state(updpwd_t)
|
||||
dev_read_urand(updpwd_t)
|
||||
|
||||
files_manage_etc_files(updpwd_t)
|
||||
@ -26199,10 +26224,11 @@ index 09b791d..7345117 100644
|
||||
+
|
||||
+mls_file_read_all_levels(updpwd_t)
|
||||
+mls_file_write_all_levels(updpwd_t)
|
||||
+mls_file_downgrade(updpwd_t)
|
||||
|
||||
term_dontaudit_use_console(updpwd_t)
|
||||
term_dontaudit_use_unallocated_ttys(updpwd_t)
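Review bot: updpwd_t now holds mls_file_read_all_levels, mls_file_write_all_levels and mls_file_downgrade with no explanation, and file downgrade in particular, the right to lower a file's sensitivity level, is the MLS rule most in need of a comment. Only one of the three lines is new in this outer hunk (10→11), but the group should carry a rationale, e.g. `# unix_update rewrites password files in /etc that sit at system-high on MLS systems`, hedged here because the hunk does not say which file needs it. If the downgrade is only needed because the rewritten file inherits the wrong level, fixing the level at creation (a range transition or file context) would be narrower than a blanket downgrade right.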
|
||||
@@ -350,9 +375,7 @@ auth_use_nsswitch(updpwd_t)
|
||||
@@ -350,9 +376,7 @@ auth_use_nsswitch(updpwd_t)
|
||||
|
||||
logging_send_syslog_msg(updpwd_t)
|
||||
|
||||
@ -26213,7 +26239,7 @@ index 09b791d..7345117 100644
|
||||
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
@@ -380,13 +403,15 @@ term_dontaudit_use_all_ttys(utempter_t)
|
||||
@@ -380,13 +404,15 @@ term_dontaudit_use_all_ttys(utempter_t)
|
||||
term_dontaudit_use_all_ptys(utempter_t)
|
||||
term_dontaudit_use_ptmx(utempter_t)
|
||||
|
||||
@ -26230,7 +26256,7 @@ index 09b791d..7345117 100644
|
||||
# Allow utemper to write to /tmp/.xses-*
|
||||
userdom_write_user_tmp_files(utempter_t)
|
||||
|
||||
@@ -397,19 +422,29 @@ ifdef(`distro_ubuntu',`
|
||||
@@ -397,19 +423,29 @@ ifdef(`distro_ubuntu',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -26264,7 +26290,7 @@ index 09b791d..7345117 100644
|
||||
files_list_var_lib(nsswitch_domain)
|
||||
|
||||
# read /etc/nsswitch.conf
|
||||
@@ -417,15 +452,21 @@ files_read_etc_files(nsswitch_domain)
|
||||
@@ -417,15 +453,21 @@ files_read_etc_files(nsswitch_domain)
|
||||
|
||||
sysnet_dns_name_resolve(nsswitch_domain)
|
||||
|
||||
@ -26288,7 +26314,7 @@ index 09b791d..7345117 100644
|
||||
ldap_stream_connect(nsswitch_domain)
|
||||
')
|
||||
')
|
||||
@@ -438,6 +479,7 @@ optional_policy(`
|
||||
@@ -438,6 +480,7 @@ optional_policy(`
|
||||
likewise_stream_connect_lsassd(nsswitch_domain)
|
||||
')
|
||||
|
||||
@ -26296,7 +26322,7 @@ index 09b791d..7345117 100644
|
||||
optional_policy(`
|
||||
kerberos_use(nsswitch_domain)
|
||||
')
|
||||
@@ -456,6 +498,8 @@ optional_policy(`
|
||||
@@ -456,6 +499,8 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
sssd_stream_connect(nsswitch_domain)
|
||||
@ -26305,7 +26331,7 @@ index 09b791d..7345117 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -463,3 +507,134 @@ optional_policy(`
|
||||
@@ -463,3 +508,134 @@ optional_policy(`
|
||||
samba_read_var_files(nsswitch_domain)
|
||||
samba_dontaudit_write_var_files(nsswitch_domain)
|
||||
')
|
||||
@ -28404,7 +28430,7 @@ index 79a45f6..edf52ea 100644
|
||||
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
|
||||
+')
|
||||
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
||||
index 17eda24..3ac9985 100644
|
||||
index 17eda24..7acba2b 100644
|
||||
--- a/policy/modules/system/init.te
|
||||
+++ b/policy/modules/system/init.te
|
||||
@@ -11,10 +11,31 @@ gen_require(`
|
||||
@ -28648,11 +28674,12 @@ index 17eda24..3ac9985 100644
|
||||
|
||||
ifdef(`distro_gentoo',`
|
||||
allow init_t self:process { getcap setcap };
|
||||
@@ -186,29 +284,209 @@ ifdef(`distro_gentoo',`
|
||||
@@ -186,29 +284,210 @@ ifdef(`distro_gentoo',`
|
||||
')
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
+ fs_manage_tmpfs_files(init_t)
|
||||
+ fs_manage_tmpfs_symlinks(init_t)
|
||||
+ fs_manage_tmpfs_sockets(init_t)
|
||||
+ fs_exec_tmpfs_files(init_t)
|
||||
fs_read_tmpfs_symlinks(init_t)
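Review bot: fs_exec_tmpfs_files(init_t) lets PID 1 execute generic tmpfs content, and the fs_manage_tmpfs_files rule beside it lets init_t create that content, so together they give init_t a self-writable executable area on /run and /dev/shm, the write-plus-execute combination confined domains are normally denied. If this is for systemd running scripts it writes under /run (my guess; the hunk gives no reason), a dedicated type for that directory with a filetrans from init_t would keep the exec right off the generic tmpfs type that unconfined and user domains also write to. At minimum add a comment above the group naming the caller, e.g. `# systemd: executes helper scripts it generates under /run (tmpfs)`. The distro_redhat block continues past the end of the hunk.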
|
||||
@ -28866,7 +28893,7 @@ index 17eda24..3ac9985 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -216,7 +494,30 @@ optional_policy(`
|
||||
@@ -216,7 +495,30 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -28897,7 +28924,7 @@ index 17eda24..3ac9985 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -225,9 +526,9 @@ optional_policy(`
|
||||
@@ -225,9 +527,9 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
|
||||
@ -28909,7 +28936,7 @@ index 17eda24..3ac9985 100644
|
||||
allow initrc_t self:passwd rootok;
|
||||
allow initrc_t self:key manage_key_perms;
|
||||
|
||||
@@ -258,12 +559,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
||||
@@ -258,12 +560,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
||||
|
||||
allow initrc_t initrc_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
|
||||
@ -28926,7 +28953,7 @@ index 17eda24..3ac9985 100644
|
||||
|
||||
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
|
||||
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
|
||||
@@ -279,23 +584,36 @@ kernel_change_ring_buffer_level(initrc_t)
|
||||
@@ -279,23 +585,36 @@ kernel_change_ring_buffer_level(initrc_t)
|
||||
kernel_clear_ring_buffer(initrc_t)
|
||||
kernel_get_sysvipc_info(initrc_t)
|
||||
kernel_read_all_sysctls(initrc_t)
|
||||
@ -28969,7 +28996,7 @@ index 17eda24..3ac9985 100644
|
||||
corenet_tcp_sendrecv_all_ports(initrc_t)
|
||||
corenet_udp_sendrecv_all_ports(initrc_t)
|
||||
corenet_tcp_connect_all_ports(initrc_t)
|
||||
@@ -303,9 +621,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
|
||||
@@ -303,9 +622,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
|
||||
|
||||
dev_read_rand(initrc_t)
|
||||
dev_read_urand(initrc_t)
|
||||
@ -28981,7 +29008,7 @@ index 17eda24..3ac9985 100644
|
||||
dev_rw_sysfs(initrc_t)
|
||||
dev_list_usbfs(initrc_t)
|
||||
dev_read_framebuffer(initrc_t)
|
||||
@@ -313,8 +633,10 @@ dev_write_framebuffer(initrc_t)
|
||||
@@ -313,8 +634,10 @@ dev_write_framebuffer(initrc_t)
|
||||
dev_read_realtime_clock(initrc_t)
|
||||
dev_read_sound_mixer(initrc_t)
|
||||
dev_write_sound_mixer(initrc_t)
|
||||
@ -28992,7 +29019,7 @@ index 17eda24..3ac9985 100644
|
||||
dev_delete_lvm_control_dev(initrc_t)
|
||||
dev_manage_generic_symlinks(initrc_t)
|
||||
dev_manage_generic_files(initrc_t)
|
||||
@@ -322,8 +644,7 @@ dev_manage_generic_files(initrc_t)
|
||||
@@ -322,8 +645,7 @@ dev_manage_generic_files(initrc_t)
|
||||
dev_delete_generic_symlinks(initrc_t)
|
||||
dev_getattr_all_blk_files(initrc_t)
|
||||
dev_getattr_all_chr_files(initrc_t)
|
||||
@ -29002,7 +29029,7 @@ index 17eda24..3ac9985 100644
|
||||
|
||||
domain_kill_all_domains(initrc_t)
|
||||
domain_signal_all_domains(initrc_t)
|
||||
@@ -332,7 +653,6 @@ domain_sigstop_all_domains(initrc_t)
|
||||
@@ -332,7 +654,6 @@ domain_sigstop_all_domains(initrc_t)
|
||||
domain_sigchld_all_domains(initrc_t)
|
||||
domain_read_all_domains_state(initrc_t)
|
||||
domain_getattr_all_domains(initrc_t)
|
||||
@ -29010,7 +29037,7 @@ index 17eda24..3ac9985 100644
|
||||
domain_getsession_all_domains(initrc_t)
|
||||
domain_use_interactive_fds(initrc_t)
|
||||
# for lsof which is used by alsa shutdown:
|
||||
@@ -340,6 +660,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
|
||||
@@ -340,6 +661,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
|
||||
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
|
||||
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
|
||||
domain_dontaudit_getattr_all_pipes(initrc_t)
|
||||
@ -29018,7 +29045,7 @@ index 17eda24..3ac9985 100644
|
||||
|
||||
files_getattr_all_dirs(initrc_t)
|
||||
files_getattr_all_files(initrc_t)
|
||||
@@ -347,14 +668,15 @@ files_getattr_all_symlinks(initrc_t)
|
||||
@@ -347,14 +669,15 @@ files_getattr_all_symlinks(initrc_t)
|
||||
files_getattr_all_pipes(initrc_t)
|
||||
files_getattr_all_sockets(initrc_t)
|
||||
files_purge_tmp(initrc_t)
|
||||
@ -29036,7 +29063,7 @@ index 17eda24..3ac9985 100644
|
||||
files_read_usr_files(initrc_t)
|
||||
files_manage_urandom_seed(initrc_t)
|
||||
files_manage_generic_spool(initrc_t)
|
||||
@@ -364,8 +686,12 @@ files_list_isid_type_dirs(initrc_t)
|
||||
@@ -364,8 +687,12 @@ files_list_isid_type_dirs(initrc_t)
|
||||
files_mounton_isid_type_dirs(initrc_t)
|
||||
files_list_default(initrc_t)
|
||||
files_mounton_default(initrc_t)
|
||||
@ -29050,7 +29077,7 @@ index 17eda24..3ac9985 100644
|
||||
fs_list_inotifyfs(initrc_t)
|
||||
fs_register_binary_executable_type(initrc_t)
|
||||
# rhgb-console writes to ramfs
|
||||
@@ -375,10 +701,11 @@ fs_mount_all_fs(initrc_t)
|
||||
@@ -375,10 +702,11 @@ fs_mount_all_fs(initrc_t)
|
||||
fs_unmount_all_fs(initrc_t)
|
||||
fs_remount_all_fs(initrc_t)
|
||||
fs_getattr_all_fs(initrc_t)
|
||||
@ -29064,7 +29091,7 @@ index 17eda24..3ac9985 100644
|
||||
mcs_process_set_categories(initrc_t)
|
||||
|
||||
mls_file_read_all_levels(initrc_t)
|
||||
@@ -387,6 +714,7 @@ mls_process_read_up(initrc_t)
|
||||
@@ -387,6 +715,7 @@ mls_process_read_up(initrc_t)
|
||||
mls_process_write_down(initrc_t)
|
||||
mls_rangetrans_source(initrc_t)
|
||||
mls_fd_share_all_levels(initrc_t)
|
||||
@ -29072,7 +29099,7 @@ index 17eda24..3ac9985 100644
|
||||
|
||||
selinux_get_enforce_mode(initrc_t)
|
||||
|
||||
@@ -398,6 +726,7 @@ term_use_all_terms(initrc_t)
|
||||
@@ -398,6 +727,7 @@ term_use_all_terms(initrc_t)
|
||||
term_reset_tty_labels(initrc_t)
|
||||
|
||||
auth_rw_login_records(initrc_t)
|
||||
@ -29080,7 +29107,7 @@ index 17eda24..3ac9985 100644
|
||||
auth_setattr_login_records(initrc_t)
|
||||
auth_rw_lastlog(initrc_t)
|
||||
auth_read_pam_pid(initrc_t)
|
||||
@@ -416,20 +745,18 @@ logging_read_all_logs(initrc_t)
|
||||
@@ -416,20 +746,18 @@ logging_read_all_logs(initrc_t)
|
||||
logging_append_all_logs(initrc_t)
|
||||
logging_read_audit_config(initrc_t)
|
||||
|
||||
@ -29104,7 +29131,7 @@ index 17eda24..3ac9985 100644
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
dev_setattr_generic_dirs(initrc_t)
|
||||
@@ -451,7 +778,6 @@ ifdef(`distro_gentoo',`
|
||||
@@ -451,7 +779,6 @@ ifdef(`distro_gentoo',`
|
||||
allow initrc_t self:process setfscreate;
|
||||
dev_create_null_dev(initrc_t)
|
||||
dev_create_zero_dev(initrc_t)
|
||||
@ -29112,7 +29139,7 @@ index 17eda24..3ac9985 100644
|
||||
term_create_console_dev(initrc_t)
|
||||
|
||||
# unfortunately /sbin/rc does stupid tricks
|
||||
@@ -486,6 +812,10 @@ ifdef(`distro_gentoo',`
|
||||
@@ -486,6 +813,10 @@ ifdef(`distro_gentoo',`
|
||||
sysnet_setattr_config(initrc_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -29123,7 +29150,7 @@ index 17eda24..3ac9985 100644
|
||||
alsa_read_lib(initrc_t)
|
||||
')
|
||||
|
||||
@@ -506,7 +836,7 @@ ifdef(`distro_redhat',`
|
||||
@@ -506,7 +837,7 @@ ifdef(`distro_redhat',`
|
||||
|
||||
# Red Hat systems seem to have a stray
|
||||
# fd open from the initrd
|
||||
@ -29132,7 +29159,7 @@ index 17eda24..3ac9985 100644
|
||||
files_dontaudit_read_root_files(initrc_t)
|
||||
|
||||
# These seem to be from the initrd
|
||||
@@ -521,6 +851,7 @@ ifdef(`distro_redhat',`
|
||||
@@ -521,6 +852,7 @@ ifdef(`distro_redhat',`
|
||||
files_create_boot_dirs(initrc_t)
|
||||
files_create_boot_flag(initrc_t)
|
||||
files_rw_boot_symlinks(initrc_t)
|
||||
@ -29140,7 +29167,7 @@ index 17eda24..3ac9985 100644
|
||||
# wants to read /.fonts directory
|
||||
files_read_default_files(initrc_t)
|
||||
files_mountpoint(initrc_tmp_t)
|
||||
@@ -541,6 +872,7 @@ ifdef(`distro_redhat',`
|
||||
@@ -541,6 +873,7 @@ ifdef(`distro_redhat',`
|
||||
miscfiles_rw_localization(initrc_t)
|
||||
miscfiles_setattr_localization(initrc_t)
|
||||
miscfiles_relabel_localization(initrc_t)
|
||||
@ -29148,7 +29175,7 @@ index 17eda24..3ac9985 100644
|
||||
|
||||
miscfiles_read_fonts(initrc_t)
|
||||
miscfiles_read_hwdata(initrc_t)
|
||||
@@ -550,8 +882,44 @@ ifdef(`distro_redhat',`
|
||||
@@ -550,8 +883,44 @@ ifdef(`distro_redhat',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -29193,7 +29220,7 @@ index 17eda24..3ac9985 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -559,14 +927,31 @@ ifdef(`distro_redhat',`
|
||||
@@ -559,14 +928,31 @@ ifdef(`distro_redhat',`
|
||||
rpc_write_exports(initrc_t)
|
||||
rpc_manage_nfs_state_data(initrc_t)
|
||||
')
|
||||
@ -29225,7 +29252,7 @@ index 17eda24..3ac9985 100644
|
||||
')
|
||||
')
|
||||
|
||||
@@ -577,6 +962,39 @@ ifdef(`distro_suse',`
|
||||
@@ -577,6 +963,39 @@ ifdef(`distro_suse',`
|
||||
')
|
||||
')
|
||||
|
||||
@ -29265,7 +29292,7 @@ index 17eda24..3ac9985 100644
|
||||
optional_policy(`
|
||||
amavis_search_lib(initrc_t)
|
||||
amavis_setattr_pid_files(initrc_t)
|
||||
@@ -589,6 +1007,8 @@ optional_policy(`
|
||||
@@ -589,6 +1008,8 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
apache_read_config(initrc_t)
|
||||
apache_list_modules(initrc_t)
|
||||
@ -29274,7 +29301,7 @@ index 17eda24..3ac9985 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -610,6 +1030,7 @@ optional_policy(`
|
||||
@@ -610,6 +1031,7 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
cgroup_stream_connect_cgred(initrc_t)
|
||||
@ -29282,7 +29309,7 @@ index 17eda24..3ac9985 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -626,6 +1047,17 @@ optional_policy(`
|
||||
@@ -626,6 +1048,17 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -29300,7 +29327,7 @@ index 17eda24..3ac9985 100644
|
||||
dev_getattr_printer_dev(initrc_t)
|
||||
|
||||
cups_read_log(initrc_t)
|
||||
@@ -642,9 +1074,13 @@ optional_policy(`
|
||||
@@ -642,9 +1075,13 @@ optional_policy(`
|
||||
dbus_connect_system_bus(initrc_t)
|
||||
dbus_system_bus_client(initrc_t)
|
||||
dbus_read_config(initrc_t)
|
||||
@ -29314,7 +29341,7 @@ index 17eda24..3ac9985 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -657,15 +1093,11 @@ optional_policy(`
|
||||
@@ -657,15 +1094,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -29332,7 +29359,7 @@ index 17eda24..3ac9985 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -686,6 +1118,15 @@ optional_policy(`
|
||||
@@ -686,6 +1119,15 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -29348,7 +29375,7 @@ index 17eda24..3ac9985 100644
|
||||
inn_exec_config(initrc_t)
|
||||
')
|
||||
|
||||
@@ -726,6 +1167,7 @@ optional_policy(`
|
||||
@@ -726,6 +1168,7 @@ optional_policy(`
|
||||
lpd_list_spool(initrc_t)
|
||||
|
||||
lpd_read_config(initrc_t)
|
||||
@ -29356,7 +29383,7 @@ index 17eda24..3ac9985 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -743,7 +1185,13 @@ optional_policy(`
|
||||
@@ -743,7 +1186,13 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -29371,7 +29398,7 @@ index 17eda24..3ac9985 100644
|
||||
mta_dontaudit_read_spool_symlinks(initrc_t)
|
||||
')
|
||||
|
||||
@@ -766,6 +1214,10 @@ optional_policy(`
|
||||
@@ -766,6 +1215,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -29382,7 +29409,7 @@ index 17eda24..3ac9985 100644
|
||||
postgresql_manage_db(initrc_t)
|
||||
postgresql_read_config(initrc_t)
|
||||
')
|
||||
@@ -775,10 +1227,20 @@ optional_policy(`
|
||||
@@ -775,10 +1228,20 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -29403,7 +29430,7 @@ index 17eda24..3ac9985 100644
|
||||
quota_manage_flags(initrc_t)
|
||||
')
|
||||
|
||||
@@ -787,6 +1249,10 @@ optional_policy(`
|
||||
@@ -787,6 +1250,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -29414,7 +29441,7 @@ index 17eda24..3ac9985 100644
|
||||
fs_write_ramfs_sockets(initrc_t)
|
||||
fs_search_ramfs(initrc_t)
|
||||
|
||||
@@ -808,8 +1274,6 @@ optional_policy(`
|
||||
@@ -808,8 +1275,6 @@ optional_policy(`
|
||||
# bash tries ioctl for some reason
|
||||
files_dontaudit_ioctl_all_pids(initrc_t)
|
||||
|
||||
@ -29423,7 +29450,7 @@ index 17eda24..3ac9985 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -818,6 +1282,10 @@ optional_policy(`
|
||||
@@ -818,6 +1283,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -29434,7 +29461,7 @@ index 17eda24..3ac9985 100644
|
||||
# shorewall-init script run /var/lib/shorewall/firewall
|
||||
shorewall_lib_domtrans(initrc_t)
|
||||
')
|
||||
@@ -827,10 +1295,12 @@ optional_policy(`
|
||||
@@ -827,10 +1296,12 @@ optional_policy(`
|
||||
squid_manage_logs(initrc_t)
|
||||
')
|
||||
|
||||
@ -29447,7 +29474,7 @@ index 17eda24..3ac9985 100644
|
||||
|
||||
optional_policy(`
|
||||
ssh_dontaudit_read_server_keys(initrc_t)
|
||||
@@ -857,12 +1327,35 @@ optional_policy(`
|
||||
@@ -857,12 +1328,35 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -29484,7 +29511,7 @@ index 17eda24..3ac9985 100644
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
# system-config-services causes avc messages that should be dontaudited
|
||||
@@ -872,6 +1365,18 @@ optional_policy(`
|
||||
@@ -872,6 +1366,18 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
mono_domtrans(initrc_t)
|
||||
')
|
||||
@ -29503,7 +29530,7 @@ index 17eda24..3ac9985 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -887,6 +1392,10 @@ optional_policy(`
|
||||
@@ -887,6 +1393,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -29514,7 +29541,7 @@ index 17eda24..3ac9985 100644
|
||||
# Set device ownerships/modes.
|
||||
xserver_setattr_console_pipes(initrc_t)
|
||||
|
||||
@@ -897,3 +1406,218 @@ optional_policy(`
|
||||
@@ -897,3 +1407,218 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
zebra_read_config(initrc_t)
|
||||
')
|
||||
@ -33153,7 +33180,7 @@ index 9933677..ca14c17 100644
|
||||
+
|
||||
+/var/run/tmpfiles.d/kmod.conf -- gen_context(system_u:object_r:insmod_var_run_t,s0)
|
||||
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
|
||||
index 7449974..6375786 100644
|
||||
index 7449974..28cb8a3 100644
|
||||
--- a/policy/modules/system/modutils.if
|
||||
+++ b/policy/modules/system/modutils.if
|
||||
@@ -12,7 +12,7 @@
|
||||
@ -33210,7 +33237,32 @@ index 7449974..6375786 100644
|
||||
## Read the configuration options used when
|
||||
## loading modules.
|
||||
## </summary>
|
||||
@@ -308,11 +346,18 @@ interface(`modutils_domtrans_update_mods',`
|
||||
@@ -208,6 +246,24 @@ interface(`modutils_exec_insmod',`
|
||||
can_exec($1, insmod_exec_t)
|
||||
')
|
||||
|
||||
+#######################################
|
||||
+## <summary>
|
||||
+## Don't audit execute insmod in the caller domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`modutils_dontaudit_exec_insmod',`
|
||||
+ gen_require(`
|
||||
+ type insmod_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ dontaudit $1 insmod_exec_t:file exec_file_perms;
|
||||
+')
|
||||
+
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute depmod in the depmod domain.
|
||||
@@ -308,11 +364,18 @@ interface(`modutils_domtrans_update_mods',`
|
||||
#
|
||||
interface(`modutils_run_update_mods',`
|
||||
gen_require(`
|
||||
@ -33231,7 +33283,7 @@ index 7449974..6375786 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -333,3 +378,25 @@ interface(`modutils_exec_update_mods',`
|
||||
@@ -333,3 +396,25 @@ interface(`modutils_exec_update_mods',`
|
||||
corecmd_search_bin($1)
|
||||
can_exec($1, update_modules_exec_t)
|
||||
')
|
||||
@ -35968,7 +36020,7 @@ index 40edc18..7cc0c8a 100644
|
||||
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
|
||||
+
|
||||
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
|
||||
index 2cea692..7bb31c4 100644
|
||||
index 2cea692..b324c5c 100644
|
||||
--- a/policy/modules/system/sysnetwork.if
|
||||
+++ b/policy/modules/system/sysnetwork.if
|
||||
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
|
||||
@ -36001,6 +36053,15 @@ index 2cea692..7bb31c4 100644
|
||||
+ seutil_run_setfiles(dhcpc_t, $2)
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -231,7 +250,7 @@ interface(`sysnet_rw_dhcp_config',`
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
- allow $1 dhcp_etc_t:file rw_file_perms;
|
||||
+ rw_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -269,6 +288,7 @@ interface(`sysnet_read_dhcpc_state',`
|
||||
type dhcpc_state_t;
|
||||
@ -36757,10 +36818,10 @@ index 0000000..e9f1096
|
||||
+/var/run/initramfs(/.*)? <<none>>
|
||||
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
|
||||
new file mode 100644
|
||||
index 0000000..35b4178
|
||||
index 0000000..1d9bdfd
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/system/systemd.if
|
||||
@@ -0,0 +1,1400 @@
|
||||
@@ -0,0 +1,1419 @@
|
||||
+## <summary>SELinux policy for systemd components</summary>
|
||||
+
|
||||
+######################################
|
||||
@ -38039,6 +38100,25 @@ index 0000000..35b4178
|
||||
+ allow $1 power_unit_file_t:service start;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Status power unit files domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed to transition.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`systemd_status_power_services',`
|
||||
+ gen_require(`
|
||||
+ type power_unit_file_t;
|
||||
+ ')
|
||||
+
|
||||
+ systemd_exec_systemctl($1)
|
||||
+ allow $1 power_unit_file_t:service status;
|
||||
+')
|
||||
+
|
||||
+#######################################
|
||||
+## <summary>
|
||||
+## Start power unit files domain.
|
||||
@ -38163,10 +38243,10 @@ index 0000000..35b4178
|
||||
+')
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
new file mode 100644
|
||||
index 0000000..c31945a
|
||||
index 0000000..2109915
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -0,0 +1,652 @@
|
||||
@@ -0,0 +1,653 @@
|
||||
+policy_module(systemd, 1.0.0)
|
||||
+
|
||||
+#######################################
|
||||
@ -38466,6 +38546,7 @@ index 0000000..c31945a
|
||||
+files_read_generic_tmp_symlinks(systemd_tmpfiles_t)
|
||||
+files_setattr_all_tmp_dirs(systemd_tmpfiles_t)
|
||||
+files_delete_boot_flag(systemd_tmpfiles_t)
|
||||
+files_delete_all_non_security_dirs(systemd_tmpfiles_t)
|
||||
+files_delete_all_non_security_files(systemd_tmpfiles_t)
|
||||
+files_delete_all_pid_sockets(systemd_tmpfiles_t)
|
||||
+files_delete_all_pid_pipes(systemd_tmpfiles_t)
|
||||
@ -38778,7 +38859,7 @@ index 0000000..c31945a
|
||||
+#
|
||||
+# systemd_sysctl domains local policy
|
||||
+#
|
||||
+allow systemd_sysctl_t self:capability net_admin;
|
||||
+allow systemd_sysctl_t self:capability { sys_admin net_admin };
|
||||
+allow systemd_sysctl_t self:unix_dgram_socket create_socket_perms;
|
||||
+
|
||||
+kernel_dgram_send(systemd_sysctl_t)
|
||||
@ -39117,7 +39198,7 @@ index 9a1650d..d7e8a01 100644
|
||||
|
||||
########################################
|
||||
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
|
||||
index 39f185f..ef4c635 100644
|
||||
index 39f185f..d3c9fcc 100644
|
||||
--- a/policy/modules/system/udev.te
|
||||
+++ b/policy/modules/system/udev.te
|
||||
@@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t)
|
||||
@ -39314,7 +39395,7 @@ index 39f185f..ef4c635 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -249,17 +270,27 @@ optional_policy(`
|
||||
@@ -249,17 +270,31 @@ optional_policy(`
|
||||
dbus_use_system_bus_fds(udev_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -39336,6 +39417,10 @@ index 39f185f..ef4c635 100644
|
||||
+
|
||||
+optional_policy(`
|
||||
+ gpsd_domtrans(udev_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ kdump_systemctl(udev_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -39344,7 +39429,7 @@ index 39f185f..ef4c635 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -289,6 +320,10 @@ optional_policy(`
|
||||
@@ -289,6 +324,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -39355,7 +39440,7 @@ index 39f185f..ef4c635 100644
|
||||
openct_read_pid_files(udev_t)
|
||||
openct_domtrans(udev_t)
|
||||
')
|
||||
@@ -303,6 +338,15 @@ optional_policy(`
|
||||
@@ -303,6 +342,15 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -39371,7 +39456,7 @@ index 39f185f..ef4c635 100644
|
||||
unconfined_signal(udev_t)
|
||||
')
|
||||
|
||||
@@ -315,6 +359,7 @@ optional_policy(`
|
||||
@@ -315,6 +363,7 @@ optional_policy(`
|
||||
kernel_read_xen_state(udev_t)
|
||||
xen_manage_log(udev_t)
|
||||
xen_read_image_files(udev_t)
|
||||
@ -44699,7 +44784,7 @@ index 9dc60c6..daee32c 100644
|
||||
+')
|
||||
+
|
||||
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
|
||||
index f4ac38d..cf1296e 100644
|
||||
index f4ac38d..99c8197 100644
|
||||
--- a/policy/modules/system/userdomain.te
|
||||
+++ b/policy/modules/system/userdomain.te
|
||||
@@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1)
|
||||
@ -44788,7 +44873,7 @@ index f4ac38d..cf1296e 100644
|
||||
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
|
||||
fs_associate_tmpfs(user_home_dir_t)
|
||||
files_type(user_home_dir_t)
|
||||
@@ -70,26 +83,366 @@ ubac_constrained(user_home_dir_t)
|
||||
@@ -70,26 +83,370 @@ ubac_constrained(user_home_dir_t)
|
||||
|
||||
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
|
||||
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
|
||||
@ -44968,6 +45053,10 @@ index f4ac38d..cf1296e 100644
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ cvs_filetrans_home_content(userdom_filetrans_domain)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ gnome_filetrans_home_content(userdom_filetrans_type)
|
||||
+')
|
||||
+
|
||||
|
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 10%{?dist}
|
||||
Release: 11%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -576,6 +576,62 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Jan 6 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-11
|
||||
- passwd to create gnome-keyring passwd socket
|
||||
- systemd_systemctl needs sys_admin capability
|
||||
- Allow cobbler to search dhcp_etc_t directory
|
||||
- Allow sytemd_tmpfiles_t to delete all directories
|
||||
- allow sshd to write to all process levels in order to change passwd when running at a level
|
||||
- Allow updpwd_t to downgrade /etc/passwd file to s0, if it is not running with this range
|
||||
- Allow apcuspd_t to status and start the power unit file
|
||||
- Allow udev to manage kdump unit file
|
||||
- Added new interface modutils_dontaudit_exec_insmod
|
||||
- Add labeling for /var/lib/servicelog/servicelog.db-journal
|
||||
- Allow init_t to create tmpfs_t lnk_file
|
||||
- Add label for ~/.cvsignore
|
||||
- Allow fprintd_t to send syslog messages
|
||||
- Add zabbix_var_lib_t for /var/lib/zabbixsrv, also allow zabix to connect to smtp port
|
||||
- Allow mozilla plugin to chat with policykit, needed for spice
|
||||
- Allow gssprozy to change user and gid, as well as read user keyrings
|
||||
- Allow sandbox apps to attempt to set and get capabilties
|
||||
- Label upgrades directory under /var/www as httpd_sys_rw_content_t, add other filetrans rules to label content correctly
|
||||
- allow modemmanger to read /dev/urand
|
||||
- Allow polipo to connect to http_cache_ports
|
||||
- Allow cron jobs to manage apache var lib content
|
||||
- Allow yppassword to manage the passwd_file_t
|
||||
- Allow showall_t to send itself signals
|
||||
- Allow cobbler to restart dhcpc, dnsmasq and bind services
|
||||
- Allow rsync_t to manage all non auth files
|
||||
- Allow certmonger to manage home cert files
|
||||
- Allow user_mail_domains to write certain files to the /root and ~/ directories
|
||||
- Allow apcuspd_t to status and start the power unit file
|
||||
- Allow cgroupdrulesengd to create content in cgoups directories
|
||||
- Add new access for mythtv
|
||||
- Allow irc_t to execute shell and bin-t files:
|
||||
- Allow smbd_t to signull cluster
|
||||
- Allow sssd to read systemd_login_var_run_t
|
||||
- Allow gluster daemon to create fifo files in glusterd_brick_t and sock_file in glusterd_var_lib_t
|
||||
- Add label for /var/spool/cron.aquota.user
|
||||
- Allow sandbox_x domains to use work with the mozilla plugin semaphore
|
||||
- Added new policy for speech-dispatcher
|
||||
- Added dontaudit rule for insmod_exec_t in rasdaemon policy
|
||||
- Updated rasdaemon policy
|
||||
- Allow virt_domains to read cert files
|
||||
- Allow system_mail_t to transition to postfix_postdrop_t
|
||||
- Clean up mirrormanager policy
|
||||
- Allow subscription-manager running as sosreport_t to manage rhsmcertd
|
||||
- Remove ability to do mount/sys_admin by default in virt_sandbox domains
|
||||
- New rules required to run docker images within libivrt
|
||||
- Fixed bumblebee_admin() and mip6d_admin()
|
||||
- Add log support for sensord
|
||||
- Add label for ~/.cvsignore
|
||||
- Change mirrormanager to be run by cron
|
||||
- Add mirrormanager policy
|
||||
- Additional fixes for docker.te
|
||||
- Allow cobblerd to read/write undionly.kpxe located in /var/lib/tftpboot
|
||||
- Add tftp_write_rw_content/tftp_read_rw_content interfaces
|
||||
- Allow amanda to do backups over UDP
|
||||
|
||||
* Thu Dec 13 2013 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-10
|
||||
- Allow freeipmi_ipmidetectd_t to use freeipmi port
|
||||
- Update freeipmi_domain_template()
|
||||
|