* Tue Jan 17 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-234
- After the latest changes in nfsd, we should allow nfsd_t to read the raw fixed disk. For more info see: BZ(1403017) - Tighten security on container types - Make cracklib_password_check work for the MariaDB service - Label 20514 tcp/udp ports as syslogd_port_t; label 10514 tcp/udp ports as syslog_tls_port_t BZ(1410505)
parent
cb674ac32f
commit
a4801c838b
@ -5948,7 +5948,7 @@ index 8e0f9cd..b9f45b9 100644
|
||||
|
||||
define(`create_packet_interfaces',``
|
||||
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
|
||||
index b191055..9729941 100644
|
||||
index b191055..4d57db3 100644
|
||||
--- a/policy/modules/kernel/corenetwork.te.in
|
||||
+++ b/policy/modules/kernel/corenetwork.te.in
|
||||
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
|
||||
@ -6302,8 +6302,9 @@ index b191055..9729941 100644
|
||||
+network_port(swift, tcp,6200-6203,s0)
|
||||
network_port(sype_transport, tcp,9911,s0, udp,9911,s0)
|
||||
-network_port(syslogd, udp,514,s0)
|
||||
+network_port(syslogd, udp,514,s0, udp,601,s0, tcp,601,s0)
|
||||
network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
|
||||
-network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
|
||||
+network_port(syslogd, udp,514,s0, udp,601,s0, tcp,601,s0, tcp,20514,s0, udp,20514,s0)
|
||||
+network_port(syslog_tls, tcp,6514,s0, udp,6514,s0, tcp,10514,s0, udp,10514,s0)
|
||||
network_port(tcs, tcp, 30003, s0)
|
||||
network_port(telnetd, tcp,23,s0)
|
||||
network_port(tftp, udp,69,s0)
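Review bot: The new `network_port(syslogd, …, tcp,20514,s0, udp,20514,s0)` and `network_port(syslog_tls, …, tcp,10514,s0, udp,10514,s0)` lines carry no comment, and neither 10514 nor 20514 is an IANA syslog assignment (514, 601 and 6514 are), so a reader of corenetwork.te.in cannot tell why they join the syslog port types; put the rationale in the file, e.g. `# 10514/20514: non-standard syslog relay/TLS ports, see BZ 1410505` above those two lines. Moving a port out of the generic/unreserved range into syslogd_port_t or syslog_tls_port_t also has a side effect worth stating in the bug or the comment: every domain already allowed to bind or connect to those types silently gains the new ports, and any unrelated service that previously bound 10514 or 20514 as an unreserved port will now be denied. If only particular deployments use these ports, a local `semanage port -a -t syslogd_port_t -p tcp 20514` is the least-privilege alternative to baking them into the base policy; presumably the BZ judged the usage common enough, which is worth one sentence here.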
|
||||
@ -51833,7 +51834,7 @@ index db75976..c54480a 100644
|
||||
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
|
||||
+
|
||||
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
|
||||
index 9dc60c6..adc5f75 100644
|
||||
index 9dc60c6..269ce67 100644
|
||||
--- a/policy/modules/system/userdomain.if
|
||||
+++ b/policy/modules/system/userdomain.if
|
||||
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
|
||||
@ -53002,11 +53003,12 @@ index 9dc60c6..adc5f75 100644
|
||||
##############################
|
||||
#
|
||||
# Local policy
|
||||
@@ -907,53 +1195,142 @@ template(`userdom_restricted_xwindows_user_template',`
|
||||
@@ -907,53 +1195,143 @@ template(`userdom_restricted_xwindows_user_template',`
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
+ allow $1_usertype self:cap_userns { sys_admin sys_chroot };
|
||||
+ dontaudit $1_usertype self:cap_userns sys_ptrace;
|
||||
+ allow $1_usertype self:dir { add_name write };
|
||||
|
||||
- auth_role($1_r, $1_t)
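Review bot: The added `allow $1_usertype self:dir { add_name write };` in userdom_restricted_xwindows_user_template has no comment and is not mentioned in the commit message, so the denial it is meant to clear is lost. The only directories that carry a domain's own type are, as far as I can tell, the process's /proc/&lt;pid&gt; entries, which makes an add_name/write grant on them surprising; if a specific AVC drove this, record it: `# <bug id>: <program> triggers write/add_name on self:dir (/proc/<pid>) — confirm this is not a mislabel`. Because the rule applies to every restricted X user type rather than one program, also confirm that a dontaudit, as the adjacent `dontaudit $1_usertype self:cap_userns sys_ptrace;` uses, would not be the better answer. The template body continues outside the hunk.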
|
||||
@ -53159,7 +53161,7 @@ index 9dc60c6..adc5f75 100644
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -987,27 +1364,33 @@ template(`userdom_unpriv_user_template', `
|
||||
@@ -987,27 +1365,33 @@ template(`userdom_unpriv_user_template', `
|
||||
#
|
||||
|
||||
# Inherit rules for ordinary users.
|
||||
@ -53197,7 +53199,7 @@ index 9dc60c6..adc5f75 100644
|
||||
fs_manage_noxattr_fs_files($1_t)
|
||||
fs_manage_noxattr_fs_dirs($1_t)
|
||||
# Write floppies
|
||||
@@ -1018,23 +1401,63 @@ template(`userdom_unpriv_user_template', `
|
||||
@@ -1018,23 +1402,63 @@ template(`userdom_unpriv_user_template', `
|
||||
')
|
||||
')
|
||||
|
||||
@ -53271,7 +53273,7 @@ index 9dc60c6..adc5f75 100644
|
||||
')
|
||||
|
||||
# Run pppd in pppd_t by default for user
|
||||
@@ -1043,7 +1466,9 @@ template(`userdom_unpriv_user_template', `
|
||||
@@ -1043,7 +1467,9 @@ template(`userdom_unpriv_user_template', `
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -53282,7 +53284,7 @@ index 9dc60c6..adc5f75 100644
|
||||
')
|
||||
')
|
||||
|
||||
@@ -1079,7 +1504,9 @@ template(`userdom_unpriv_user_template', `
|
||||
@@ -1079,7 +1505,9 @@ template(`userdom_unpriv_user_template', `
|
||||
template(`userdom_admin_user_template',`
|
||||
gen_require(`
|
||||
attribute admindomain;
|
||||
@ -53293,7 +53295,7 @@ index 9dc60c6..adc5f75 100644
|
||||
')
|
||||
|
||||
##############################
|
||||
@@ -1095,6 +1522,7 @@ template(`userdom_admin_user_template',`
|
||||
@@ -1095,6 +1523,7 @@ template(`userdom_admin_user_template',`
|
||||
role system_r types $1_t;
|
||||
|
||||
typeattribute $1_t admindomain;
|
||||
@ -53301,7 +53303,7 @@ index 9dc60c6..adc5f75 100644
|
||||
|
||||
ifdef(`direct_sysadm_daemon',`
|
||||
domain_system_change_exemption($1_t)
|
||||
@@ -1105,14 +1533,8 @@ template(`userdom_admin_user_template',`
|
||||
@@ -1105,14 +1534,8 @@ template(`userdom_admin_user_template',`
|
||||
# $1_t local policy
|
||||
#
|
||||
|
||||
@ -53318,7 +53320,7 @@ index 9dc60c6..adc5f75 100644
|
||||
|
||||
kernel_read_software_raid_state($1_t)
|
||||
kernel_getattr_core_if($1_t)
|
||||
@@ -1128,6 +1550,8 @@ template(`userdom_admin_user_template',`
|
||||
@@ -1128,6 +1551,8 @@ template(`userdom_admin_user_template',`
|
||||
kernel_sigstop_unlabeled($1_t)
|
||||
kernel_signull_unlabeled($1_t)
|
||||
kernel_sigchld_unlabeled($1_t)
|
||||
@ -53327,7 +53329,7 @@ index 9dc60c6..adc5f75 100644
|
||||
|
||||
corenet_tcp_bind_generic_port($1_t)
|
||||
# allow setting up tunnels
|
||||
@@ -1145,10 +1569,15 @@ template(`userdom_admin_user_template',`
|
||||
@@ -1145,10 +1570,15 @@ template(`userdom_admin_user_template',`
|
||||
dev_rename_all_blk_files($1_t)
|
||||
dev_rename_all_chr_files($1_t)
|
||||
dev_create_generic_symlinks($1_t)
|
||||
@ -53343,7 +53345,7 @@ index 9dc60c6..adc5f75 100644
|
||||
domain_dontaudit_ptrace_all_domains($1_t)
|
||||
# signal all domains:
|
||||
domain_kill_all_domains($1_t)
|
||||
@@ -1159,29 +1588,40 @@ template(`userdom_admin_user_template',`
|
||||
@@ -1159,29 +1589,40 @@ template(`userdom_admin_user_template',`
|
||||
domain_sigchld_all_domains($1_t)
|
||||
# for lsof
|
||||
domain_getattr_all_sockets($1_t)
|
||||
@ -53388,7 +53390,7 @@ index 9dc60c6..adc5f75 100644
|
||||
|
||||
# The following rule is temporary until such time that a complete
|
||||
# policy management infrastructure is in place so that an administrator
|
||||
@@ -1191,6 +1631,8 @@ template(`userdom_admin_user_template',`
|
||||
@@ -1191,6 +1632,8 @@ template(`userdom_admin_user_template',`
|
||||
# But presently necessary for installing the file_contexts file.
|
||||
seutil_manage_bin_policy($1_t)
|
||||
|
||||
@ -53397,7 +53399,7 @@ index 9dc60c6..adc5f75 100644
|
||||
userdom_manage_user_home_content_dirs($1_t)
|
||||
userdom_manage_user_home_content_files($1_t)
|
||||
userdom_manage_user_home_content_symlinks($1_t)
|
||||
@@ -1198,13 +1640,21 @@ template(`userdom_admin_user_template',`
|
||||
@@ -1198,13 +1641,21 @@ template(`userdom_admin_user_template',`
|
||||
userdom_manage_user_home_content_sockets($1_t)
|
||||
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
|
||||
|
||||
@ -53420,7 +53422,7 @@ index 9dc60c6..adc5f75 100644
|
||||
optional_policy(`
|
||||
postgresql_unconfined($1_t)
|
||||
')
|
||||
@@ -1240,7 +1690,7 @@ template(`userdom_admin_user_template',`
|
||||
@@ -1240,7 +1691,7 @@ template(`userdom_admin_user_template',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -53429,7 +53431,7 @@ index 9dc60c6..adc5f75 100644
|
||||
allow $1 self:capability { dac_read_search dac_override };
|
||||
|
||||
corecmd_exec_shell($1)
|
||||
@@ -1250,6 +1700,8 @@ template(`userdom_security_admin_template',`
|
||||
@@ -1250,6 +1701,8 @@ template(`userdom_security_admin_template',`
|
||||
dev_relabel_all_dev_nodes($1)
|
||||
|
||||
files_create_boot_flag($1)
|
||||
@ -53438,7 +53440,7 @@ index 9dc60c6..adc5f75 100644
|
||||
|
||||
# Necessary for managing /boot/efi
|
||||
fs_manage_dos_files($1)
|
||||
@@ -1262,8 +1714,10 @@ template(`userdom_security_admin_template',`
|
||||
@@ -1262,8 +1715,10 @@ template(`userdom_security_admin_template',`
|
||||
selinux_set_enforce_mode($1)
|
||||
selinux_set_all_booleans($1)
|
||||
selinux_set_parameters($1)
|
||||
@ -53450,7 +53452,7 @@ index 9dc60c6..adc5f75 100644
|
||||
auth_relabel_shadow($1)
|
||||
|
||||
init_exec($1)
|
||||
@@ -1274,29 +1728,31 @@ template(`userdom_security_admin_template',`
|
||||
@@ -1274,29 +1729,31 @@ template(`userdom_security_admin_template',`
|
||||
logging_read_audit_config($1)
|
||||
|
||||
seutil_manage_bin_policy($1)
|
||||
@ -53493,7 +53495,7 @@ index 9dc60c6..adc5f75 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -1357,14 +1813,17 @@ interface(`userdom_user_home_content',`
|
||||
@@ -1357,14 +1814,17 @@ interface(`userdom_user_home_content',`
|
||||
gen_require(`
|
||||
attribute user_home_content_type;
|
||||
type user_home_t;
|
||||
@ -53512,7 +53514,7 @@ index 9dc60c6..adc5f75 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1397,12 +1856,52 @@ interface(`userdom_user_tmp_file',`
|
||||
@@ -1397,12 +1857,52 @@ interface(`userdom_user_tmp_file',`
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_user_tmpfs_file',`
|
||||
@ -53566,7 +53568,7 @@ index 9dc60c6..adc5f75 100644
|
||||
## Allow domain to attach to TUN devices created by administrative users.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1509,11 +2008,31 @@ interface(`userdom_search_user_home_dirs',`
|
||||
@@ -1509,11 +2009,31 @@ interface(`userdom_search_user_home_dirs',`
|
||||
')
|
||||
|
||||
allow $1 user_home_dir_t:dir search_dir_perms;
|
||||
@ -53598,7 +53600,7 @@ index 9dc60c6..adc5f75 100644
|
||||
## Do not audit attempts to search user home directories.
|
||||
## </summary>
|
||||
## <desc>
|
||||
@@ -1555,6 +2074,14 @@ interface(`userdom_list_user_home_dirs',`
|
||||
@@ -1555,6 +2075,14 @@ interface(`userdom_list_user_home_dirs',`
|
||||
|
||||
allow $1 user_home_dir_t:dir list_dir_perms;
|
||||
files_search_home($1)
|
||||
@ -53613,7 +53615,7 @@ index 9dc60c6..adc5f75 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1570,9 +2097,11 @@ interface(`userdom_list_user_home_dirs',`
|
||||
@@ -1570,9 +2098,11 @@ interface(`userdom_list_user_home_dirs',`
|
||||
interface(`userdom_dontaudit_list_user_home_dirs',`
|
||||
gen_require(`
|
||||
type user_home_dir_t;
|
||||
@ -53625,7 +53627,7 @@ index 9dc60c6..adc5f75 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1613,6 +2142,24 @@ interface(`userdom_manage_user_home_dirs',`
|
||||
@@ -1613,6 +2143,24 @@ interface(`userdom_manage_user_home_dirs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -53650,7 +53652,7 @@ index 9dc60c6..adc5f75 100644
|
||||
## Relabel to user home directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1631,6 +2178,59 @@ interface(`userdom_relabelto_user_home_dirs',`
|
||||
@@ -1631,6 +2179,59 @@ interface(`userdom_relabelto_user_home_dirs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -53710,7 +53712,7 @@ index 9dc60c6..adc5f75 100644
|
||||
## Create directories in the home dir root with
|
||||
## the user home directory type.
|
||||
## </summary>
|
||||
@@ -1704,10 +2304,12 @@ interface(`userdom_user_home_domtrans',`
|
||||
@@ -1704,10 +2305,12 @@ interface(`userdom_user_home_domtrans',`
|
||||
#
|
||||
interface(`userdom_dontaudit_search_user_home_content',`
|
||||
gen_require(`
|
||||
@ -53725,7 +53727,7 @@ index 9dc60c6..adc5f75 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1741,10 +2343,12 @@ interface(`userdom_list_all_user_home_content',`
|
||||
@@ -1741,10 +2344,12 @@ interface(`userdom_list_all_user_home_content',`
|
||||
#
|
||||
interface(`userdom_list_user_home_content',`
|
||||
gen_require(`
|
||||
@ -53740,7 +53742,7 @@ index 9dc60c6..adc5f75 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1769,7 +2373,7 @@ interface(`userdom_manage_user_home_content_dirs',`
|
||||
@@ -1769,7 +2374,7 @@ interface(`userdom_manage_user_home_content_dirs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -53749,7 +53751,7 @@ index 9dc60c6..adc5f75 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1777,19 +2381,17 @@ interface(`userdom_manage_user_home_content_dirs',`
|
||||
@@ -1777,19 +2382,17 @@ interface(`userdom_manage_user_home_content_dirs',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -53773,7 +53775,7 @@ index 9dc60c6..adc5f75 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1797,55 +2399,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
|
||||
@@ -1797,55 +2400,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -53844,7 +53846,7 @@ index 9dc60c6..adc5f75 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1853,18 +2455,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
|
||||
@@ -1853,18 +2456,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -53872,7 +53874,7 @@ index 9dc60c6..adc5f75 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1872,13 +2475,163 @@ interface(`userdom_mmap_user_home_content_files',`
|
||||
@@ -1872,13 +2476,163 @@ interface(`userdom_mmap_user_home_content_files',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -54043,7 +54045,7 @@ index 9dc60c6..adc5f75 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1893,11 +2646,14 @@ interface(`userdom_read_user_home_content_files',`
|
||||
@@ -1893,11 +2647,14 @@ interface(`userdom_read_user_home_content_files',`
|
||||
#
|
||||
interface(`userdom_dontaudit_read_user_home_content_files',`
|
||||
gen_require(`
|
||||
@ -54061,7 +54063,7 @@ index 9dc60c6..adc5f75 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1938,7 +2694,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
|
||||
@@ -1938,7 +2695,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -54070,7 +54072,7 @@ index 9dc60c6..adc5f75 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1946,10 +2702,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
|
||||
@@ -1946,10 +2703,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -54083,7 +54085,7 @@ index 9dc60c6..adc5f75 100644
|
||||
')
|
||||
|
||||
userdom_search_user_home_content($1)
|
||||
@@ -1958,7 +2713,7 @@ interface(`userdom_delete_all_user_home_content_files',`
|
||||
@@ -1958,7 +2714,7 @@ interface(`userdom_delete_all_user_home_content_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -54092,7 +54094,7 @@ index 9dc60c6..adc5f75 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1966,12 +2721,66 @@ interface(`userdom_delete_all_user_home_content_files',`
|
||||
@@ -1966,12 +2722,66 @@ interface(`userdom_delete_all_user_home_content_files',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -54161,7 +54163,7 @@ index 9dc60c6..adc5f75 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2007,8 +2816,7 @@ interface(`userdom_read_user_home_content_symlinks',`
|
||||
@@ -2007,8 +2817,7 @@ interface(`userdom_read_user_home_content_symlinks',`
|
||||
type user_home_dir_t, user_home_t;
|
||||
')
|
||||
|
||||
@ -54171,7 +54173,7 @@ index 9dc60c6..adc5f75 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2024,20 +2832,14 @@ interface(`userdom_read_user_home_content_symlinks',`
|
||||
@@ -2024,20 +2833,14 @@ interface(`userdom_read_user_home_content_symlinks',`
|
||||
#
|
||||
interface(`userdom_exec_user_home_content_files',`
|
||||
gen_require(`
|
||||
@ -54196,7 +54198,7 @@ index 9dc60c6..adc5f75 100644
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@@ -2120,7 +2922,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
|
||||
@@ -2120,7 +2923,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -54205,7 +54207,7 @@ index 9dc60c6..adc5f75 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -2128,19 +2930,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
|
||||
@@ -2128,19 +2931,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -54229,7 +54231,7 @@ index 9dc60c6..adc5f75 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -2148,12 +2948,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
|
||||
@@ -2148,12 +2949,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -54245,7 +54247,7 @@ index 9dc60c6..adc5f75 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2388,18 +3188,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
|
||||
@@ -2388,18 +3189,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -54303,7 +54305,7 @@ index 9dc60c6..adc5f75 100644
|
||||
## Do not audit attempts to read users
|
||||
## temporary files.
|
||||
## </summary>
|
||||
@@ -2414,7 +3250,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
|
||||
@@ -2414,7 +3251,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
|
||||
type user_tmp_t;
|
||||
')
|
||||
|
||||
@ -54312,7 +54314,7 @@ index 9dc60c6..adc5f75 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2455,6 +3291,25 @@ interface(`userdom_rw_user_tmp_files',`
|
||||
@@ -2455,6 +3292,25 @@ interface(`userdom_rw_user_tmp_files',`
|
||||
rw_files_pattern($1, user_tmp_t, user_tmp_t)
|
||||
files_search_tmp($1)
|
||||
')
|
||||
@ -54338,7 +54340,7 @@ index 9dc60c6..adc5f75 100644
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@@ -2538,7 +3393,27 @@ interface(`userdom_manage_user_tmp_files',`
|
||||
@@ -2538,7 +3394,27 @@ interface(`userdom_manage_user_tmp_files',`
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete user
|
||||
@ -54367,7 +54369,7 @@ index 9dc60c6..adc5f75 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -2566,6 +3441,27 @@ interface(`userdom_manage_user_tmp_symlinks',`
|
||||
@@ -2566,6 +3442,27 @@ interface(`userdom_manage_user_tmp_symlinks',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -54395,7 +54397,7 @@ index 9dc60c6..adc5f75 100644
|
||||
interface(`userdom_manage_user_tmp_pipes',`
|
||||
gen_require(`
|
||||
type user_tmp_t;
|
||||
@@ -2661,6 +3557,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
|
||||
@@ -2661,6 +3558,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
|
||||
files_tmp_filetrans($1, user_tmp_t, $2, $3)
|
||||
')
|
||||
|
||||
@ -54417,7 +54419,7 @@ index 9dc60c6..adc5f75 100644
|
||||
########################################
|
||||
## <summary>
|
||||
## Read user tmpfs files.
|
||||
@@ -2672,18 +3583,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
|
||||
@@ -2672,18 +3584,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_read_user_tmpfs_files',`
|
||||
@ -54439,7 +54441,7 @@ index 9dc60c6..adc5f75 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -2692,19 +3598,13 @@ interface(`userdom_read_user_tmpfs_files',`
|
||||
@@ -2692,19 +3599,13 @@ interface(`userdom_read_user_tmpfs_files',`
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_rw_user_tmpfs_files',`
|
||||
@ -54462,7 +54464,7 @@ index 9dc60c6..adc5f75 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -2713,13 +3613,56 @@ interface(`userdom_rw_user_tmpfs_files',`
|
||||
@@ -2713,13 +3614,56 @@ interface(`userdom_rw_user_tmpfs_files',`
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_manage_user_tmpfs_files',`
|
||||
@ -54523,7 +54525,7 @@ index 9dc60c6..adc5f75 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2814,6 +3757,24 @@ interface(`userdom_use_user_ttys',`
|
||||
@@ -2814,6 +3758,24 @@ interface(`userdom_use_user_ttys',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -54548,7 +54550,7 @@ index 9dc60c6..adc5f75 100644
|
||||
## Read and write a user domain pty.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -2832,22 +3793,34 @@ interface(`userdom_use_user_ptys',`
|
||||
@@ -2832,22 +3794,34 @@ interface(`userdom_use_user_ptys',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -54591,7 +54593,7 @@ index 9dc60c6..adc5f75 100644
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -2856,14 +3829,33 @@ interface(`userdom_use_user_ptys',`
|
||||
@@ -2856,14 +3830,33 @@ interface(`userdom_use_user_ptys',`
|
||||
## </param>
|
||||
## <infoflow type="both" weight="10"/>
|
||||
#
|
||||
@ -54629,7 +54631,7 @@ index 9dc60c6..adc5f75 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2882,8 +3874,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
|
||||
@@ -2882,8 +3875,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
|
||||
type user_tty_device_t, user_devpts_t;
|
||||
')
|
||||
|
||||
@ -54659,7 +54661,7 @@ index 9dc60c6..adc5f75 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2955,6 +3966,42 @@ interface(`userdom_spec_domtrans_unpriv_users',`
|
||||
@@ -2955,6 +3967,42 @@ interface(`userdom_spec_domtrans_unpriv_users',`
|
||||
allow unpriv_userdomain $1:process sigchld;
|
||||
')
|
||||
|
||||
@ -54702,7 +54704,7 @@ index 9dc60c6..adc5f75 100644
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute an Xserver session in all unprivileged user domains. This
|
||||
@@ -2978,24 +4025,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
|
||||
@@ -2978,24 +4026,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
|
||||
allow unpriv_userdomain $1:process sigchld;
|
||||
')
|
||||
|
||||
@ -54727,7 +54729,7 @@ index 9dc60c6..adc5f75 100644
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage unpriviledged user SysV sempaphores.
|
||||
@@ -3014,9 +4043,9 @@ interface(`userdom_manage_unpriv_user_semaphores',`
|
||||
@@ -3014,9 +4044,9 @@ interface(`userdom_manage_unpriv_user_semaphores',`
|
||||
allow $1 unpriv_userdomain:sem create_sem_perms;
|
||||
')
|
||||
|
||||
@ -54739,7 +54741,7 @@ index 9dc60c6..adc5f75 100644
|
||||
## memory segments.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -3025,17 +4054,17 @@ interface(`userdom_manage_unpriv_user_semaphores',`
|
||||
@@ -3025,17 +4055,17 @@ interface(`userdom_manage_unpriv_user_semaphores',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -54760,7 +54762,7 @@ index 9dc60c6..adc5f75 100644
|
||||
## memory segments.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -3044,12 +4073,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',`
|
||||
@@ -3044,12 +4074,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -54775,7 +54777,7 @@ index 9dc60c6..adc5f75 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -3094,7 +4123,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
|
||||
@@ -3094,7 +4124,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
|
||||
|
||||
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
|
||||
allow unpriv_userdomain $1:fd use;
|
||||
@ -54784,7 +54786,7 @@ index 9dc60c6..adc5f75 100644
|
||||
allow unpriv_userdomain $1:process sigchld;
|
||||
')
|
||||
|
||||
@@ -3110,29 +4139,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
|
||||
@@ -3110,29 +4140,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
|
||||
#
|
||||
interface(`userdom_search_user_home_content',`
|
||||
gen_require(`
|
||||
@ -54818,7 +54820,7 @@ index 9dc60c6..adc5f75 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -3214,7 +4227,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
|
||||
@@ -3214,7 +4228,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
|
||||
type user_devpts_t;
|
||||
')
|
||||
|
||||
@ -54845,7 +54847,7 @@ index 9dc60c6..adc5f75 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -3269,12 +4300,13 @@ interface(`userdom_write_user_tmp_files',`
|
||||
@@ -3269,12 +4301,13 @@ interface(`userdom_write_user_tmp_files',`
|
||||
type user_tmp_t;
|
||||
')
|
||||
|
||||
@ -54861,7 +54863,7 @@ index 9dc60c6..adc5f75 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -3282,54 +4314,56 @@ interface(`userdom_write_user_tmp_files',`
|
||||
@@ -3282,54 +4315,56 @@ interface(`userdom_write_user_tmp_files',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -54933,7 +54935,7 @@ index 9dc60c6..adc5f75 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -3337,18 +4371,92 @@ interface(`userdom_getattr_all_users',`
|
||||
@@ -3337,18 +4372,92 @@ interface(`userdom_getattr_all_users',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -55030,7 +55032,7 @@ index 9dc60c6..adc5f75 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -3382,6 +4490,42 @@ interface(`userdom_signal_all_users',`
|
||||
@@ -3382,6 +4491,42 @@ interface(`userdom_signal_all_users',`
|
||||
allow $1 userdomain:process signal;
|
||||
')
|
||||
|
||||
@ -55073,7 +55075,7 @@ index 9dc60c6..adc5f75 100644
|
||||
########################################
|
||||
## <summary>
|
||||
## Send a SIGCHLD signal to all user domains.
|
||||
@@ -3402,6 +4546,60 @@ interface(`userdom_sigchld_all_users',`
|
||||
@@ -3402,6 +4547,60 @@ interface(`userdom_sigchld_all_users',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -55134,7 +55136,7 @@ index 9dc60c6..adc5f75 100644
|
||||
## Create keys for all user domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -3435,4 +4633,1817 @@ interface(`userdom_dbus_send_all_users',`
|
||||
@@ -3435,4 +4634,1817 @@ interface(`userdom_dbus_send_all_users',`
|
||||
')
|
||||
|
||||
allow $1 userdomain:dbus send_msg;
|
||||
|
@ -56762,7 +56762,7 @@ index 687af38..5381f1b 100644
|
||||
+ mysql_stream_connect($1)
|
||||
')
|
||||
diff --git a/mysql.te b/mysql.te
|
||||
index 7584bbe..31069d2 100644
|
||||
index 7584bbe..1443a3a 100644
|
||||
--- a/mysql.te
|
||||
+++ b/mysql.te
|
||||
@@ -6,20 +6,22 @@ policy_module(mysql, 1.14.1)
|
||||
@ -56850,11 +56850,13 @@ index 7584bbe..31069d2 100644
|
||||
logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file })
|
||||
|
||||
manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
|
||||
@@ -95,50 +100,64 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
|
||||
@@ -95,50 +100,66 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
|
||||
manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
|
||||
files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
|
||||
|
||||
-kernel_read_kernel_sysctls(mysqld_t)
|
||||
+usermanage_read_crack_db(mysqld_t)
|
||||
+
|
||||
+userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
|
||||
+
|
||||
kernel_read_network_state(mysqld_t)
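Review bot: The new `usermanage_read_crack_db(mysqld_t)` is inserted between the file-pattern rules and the existing `userdom_dontaudit_use_unpriv_user_fds(mysqld_t)` with no comment, and nothing in mysql.te says which MariaDB feature needs the cracklib dictionary. Add the why directly above the call, `# cracklib_password_check plugin reads the cracklib dictionary`, and keep it next to the other cross-module calls (after the `userdom_` line keeps the module grouping) rather than ahead of the `kernel_` rules. If usermanage is not guaranteed to be loaded wherever this contrib module is, the call belongs in an `optional_policy(`…')` block like the ones further down; I cannot tell from the hunk. The block of mysqld_t rules continues past the hunk on both sides.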
|
||||
@ -56933,7 +56935,7 @@ index 7584bbe..31069d2 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -146,6 +165,10 @@ optional_policy(`
|
||||
@@ -146,6 +167,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -56944,7 +56946,7 @@ index 7584bbe..31069d2 100644
|
||||
seutil_sigchld_newrole(mysqld_t)
|
||||
')
|
||||
|
||||
@@ -155,21 +178,20 @@ optional_policy(`
|
||||
@@ -155,21 +180,20 @@ optional_policy(`
|
||||
|
||||
#######################################
|
||||
#
|
||||
@ -56972,7 +56974,7 @@ index 7584bbe..31069d2 100644
|
||||
|
||||
list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
|
||||
manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
|
||||
@@ -177,9 +199,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
|
||||
@@ -177,9 +201,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
|
||||
logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
|
||||
|
||||
manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
|
||||
@ -56983,7 +56985,7 @@ index 7584bbe..31069d2 100644
|
||||
|
||||
kernel_read_system_state(mysqld_safe_t)
|
||||
kernel_read_kernel_sysctls(mysqld_safe_t)
|
||||
@@ -187,21 +207,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
|
||||
@@ -187,21 +209,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
|
||||
corecmd_exec_bin(mysqld_safe_t)
|
||||
corecmd_exec_shell(mysqld_safe_t)
|
||||
|
||||
@ -56999,9 +57001,9 @@ index 7584bbe..31069d2 100644
|
||||
+files_dontaudit_access_check_root(mysqld_safe_t)
|
||||
files_dontaudit_search_all_mountpoints(mysqld_safe_t)
|
||||
+files_dontaudit_getattr_all_dirs(mysqld_safe_t)
|
||||
|
||||
+files_write_root_dirs(mysqld_safe_t)
|
||||
+
|
||||
+files_write_root_dirs(mysqld_safe_t)
|
||||
|
||||
+logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
|
||||
logging_send_syslog_msg(mysqld_safe_t)
|
||||
|
||||
@ -57019,7 +57021,7 @@ index 7584bbe..31069d2 100644
|
||||
|
||||
optional_policy(`
|
||||
hostname_exec(mysqld_safe_t)
|
||||
@@ -209,7 +237,7 @@ optional_policy(`
|
||||
@@ -209,7 +239,7 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -57028,7 +57030,7 @@ index 7584bbe..31069d2 100644
|
||||
#
|
||||
|
||||
allow mysqlmanagerd_t self:capability { dac_override kill };
|
||||
@@ -218,11 +246,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
|
||||
@@ -218,11 +248,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
@ -57046,7 +57048,7 @@ index 7584bbe..31069d2 100644
|
||||
|
||||
domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
|
||||
|
||||
@@ -230,31 +259,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
|
||||
@@ -230,31 +261,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
|
||||
manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
|
||||
filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
|
||||
|
||||
@ -69237,10 +69239,6 @@ index 0000000..80246e6
|
||||
+ can_exec($1, pcp_pmlogger_exec_t)
|
||||
+')
|
||||
+
|
||||
diff --git a/pcp.pp b/pcp.pp
|
||||
new file mode 100644
|
||||
index 0000000..fa4cfaa
|
||||
Binary files /dev/null and b/pcp.pp differ
|
||||
diff --git a/pcp.te b/pcp.te
|
||||
new file mode 100644
|
||||
index 0000000..04a0b20
|
||||
@ -91064,7 +91062,7 @@ index 0bf13c2..ed393a0 100644
|
||||
files_list_tmp($1)
|
||||
admin_pattern($1, gssd_tmp_t)
|
||||
diff --git a/rpc.te b/rpc.te
|
||||
index 2da9fca..6935f5c 100644
|
||||
index 2da9fca..a37f579 100644
|
||||
--- a/rpc.te
|
||||
+++ b/rpc.te
|
||||
@@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1)
|
||||
@ -91319,7 +91317,8 @@ index 2da9fca..6935f5c 100644
|
||||
-# fs_manage_nfsd_fs(nfsd_t)
|
||||
+fs_manage_nfsd_fs(nfsd_t)
|
||||
|
||||
storage_dontaudit_read_fixed_disk(nfsd_t)
|
||||
-storage_dontaudit_read_fixed_disk(nfsd_t)
|
||||
+storage_raw_read_fixed_disk(nfsd_t)
|
||||
storage_raw_read_removable_device(nfsd_t)
|
||||
|
||||
+allow nfsd_t nfsd_unit_file_t:file manage_file_perms;
|
||||
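Review bot: The switch from `storage_dontaudit_read_fixed_disk(nfsd_t)` to `storage_raw_read_fixed_disk(nfsd_t)` is an unconditional grant, and as I recall that interface allows read on every `fixed_disk_device_t` block device, so a compromised rpc.nfsd/mountd process could read any local filesystem byte-for-byte regardless of file labels. Nothing in the hunk says which nfsd operation needs the raw read (the changelog only cites BZ 1403017), so the new line should carry a why-comment, e.g. `# BZ(1403017): nfsd needs raw read of fixed disks (was dontaudit); this grants read on all fixed_disk_device_t nodes`. If only some deployments need it, consider gating the rule behind a boolean so the dontaudit remains the default elsewhere. The nfsd_t rule run this hunk edits starts and ends outside the hunk.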
@ -114658,10 +114657,10 @@ index facdee8..2cff369 100644
|
||||
+ domtrans_pattern($1,container_file_t, $2)
|
||||
')
|
||||
diff --git a/virt.te b/virt.te
|
||||
index f03dcf5..481f902 100644
|
||||
index f03dcf5..8036117 100644
|
||||
--- a/virt.te
|
||||
+++ b/virt.te
|
||||
@@ -1,451 +1,403 @@
|
||||
@@ -1,451 +1,410 @@
|
||||
-policy_module(virt, 1.7.4)
|
||||
+policy_module(virt, 1.5.0)
|
||||
|
||||
@ -114744,6 +114743,13 @@ index f03dcf5..481f902 100644
|
||||
-## can use nfs file systems.
|
||||
-## </p>
|
||||
+## <p>
|
||||
+## Allow sandbox containers to share apache content
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+gen_tunable(virt_sandbox_share_apache_content, false)
|
||||
+
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Allow sandbox containers manage fuse files
|
||||
+## </p>
|
||||
+## </desc>
|
||||
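Review bot: The description of the new `virt_sandbox_share_apache_content` boolean, `## Allow sandbox containers to share apache content`, undersells what it turns on: where the tunable is consumed later in this patch it enables `apache_exec_modules(svirt_sandbox_domain)` as well as `apache_read_sys_content`, which as I recall is execute access to httpd module files, not only read access to content. Suggest `## Allow sandbox containers to read apache content and execute apache modules` so an admin toggling it with setsebool sees that it grants exec. Defaulting it to false is the right choice. The `<desc>` block this hunk inserts into begins outside the hunk.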
@ -114828,15 +114834,15 @@ index f03dcf5..481f902 100644
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+gen_tunable(virt_sandbox_use_audit, true)
|
||||
+
|
||||
|
||||
-attribute svirt_lxc_domain;
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Allow sandbox containers to use netlink system calls
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+gen_tunable(virt_sandbox_use_netlink, false)
|
||||
|
||||
-attribute svirt_lxc_domain;
|
||||
+
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Allow sandbox containers to use sys_admin system calls, for example mount
|
||||
@ -114885,10 +114891,10 @@ index f03dcf5..481f902 100644
|
||||
+
|
||||
+virt_domain_template(svirt_tcg)
|
||||
+role system_r types svirt_tcg_t;
|
||||
+
|
||||
+type qemu_exec_t, virt_file_type;
|
||||
|
||||
-type virt_cache_t alias svirt_cache_t;
|
||||
+type qemu_exec_t, virt_file_type;
|
||||
+
|
||||
+type virt_cache_t alias svirt_cache_t, virt_file_type;
|
||||
files_type(virt_cache_t)
|
||||
|
||||
@ -115257,11 +115263,9 @@ index f03dcf5..481f902 100644
|
||||
-manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
|
||||
-manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
|
||||
-manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
|
||||
+allow svirt_t self:process ptrace;
|
||||
|
||||
-
|
||||
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
|
||||
+# it was a part of auth_use_nsswitch
|
||||
+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
+allow svirt_t self:process ptrace;
|
||||
|
||||
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
|
||||
-
|
||||
@ -115269,7 +115273,9 @@ index f03dcf5..481f902 100644
|
||||
-corenet_udp_sendrecv_generic_node(svirt_t)
|
||||
-corenet_udp_sendrecv_all_ports(svirt_t)
|
||||
-corenet_udp_bind_generic_node(svirt_t)
|
||||
-
|
||||
+# it was a part of auth_use_nsswitch
|
||||
+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
-corenet_all_recvfrom_unlabeled(svirt_t)
|
||||
-corenet_all_recvfrom_netlabel(svirt_t)
|
||||
-corenet_tcp_sendrecv_generic_if(svirt_t)
|
||||
@ -115375,7 +115381,7 @@ index f03dcf5..481f902 100644
|
||||
|
||||
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
||||
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
||||
@@ -455,42 +407,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
||||
@@ -455,42 +414,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
||||
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
||||
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
|
||||
|
||||
@ -115422,22 +115428,22 @@ index f03dcf5..481f902 100644
|
||||
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
|
||||
|
||||
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
|
||||
@@ -503,23 +442,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
|
||||
@@ -503,23 +449,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
|
||||
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
|
||||
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
|
||||
|
||||
-manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
|
||||
-manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
|
||||
-filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
|
||||
-
|
||||
-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
|
||||
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
|
||||
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
|
||||
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
|
||||
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
|
||||
+allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
|
||||
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
|
||||
|
||||
-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
|
||||
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
|
||||
-
|
||||
-can_exec(virtd_t, virt_tmp_t)
|
||||
+# libvirtd is permitted to talk to virtlogd
|
||||
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t)
|
||||
@ -115456,7 +115462,7 @@ index f03dcf5..481f902 100644
|
||||
|
||||
corecmd_exec_bin(virtd_t)
|
||||
corecmd_exec_shell(virtd_t)
|
||||
@@ -527,24 +467,16 @@ corecmd_exec_shell(virtd_t)
|
||||
@@ -527,24 +474,16 @@ corecmd_exec_shell(virtd_t)
|
||||
corenet_all_recvfrom_netlabel(virtd_t)
|
||||
corenet_tcp_sendrecv_generic_if(virtd_t)
|
||||
corenet_tcp_sendrecv_generic_node(virtd_t)
|
||||
@ -115484,7 +115490,7 @@ index f03dcf5..481f902 100644
|
||||
dev_rw_sysfs(virtd_t)
|
||||
dev_read_urand(virtd_t)
|
||||
dev_read_rand(virtd_t)
|
||||
@@ -555,20 +487,26 @@ dev_rw_vhost(virtd_t)
|
||||
@@ -555,20 +494,26 @@ dev_rw_vhost(virtd_t)
|
||||
dev_setattr_generic_usb_dev(virtd_t)
|
||||
dev_relabel_generic_usb_dev(virtd_t)
|
||||
|
||||
@ -115515,7 +115521,7 @@ index f03dcf5..481f902 100644
|
||||
fs_list_auto_mountpoints(virtd_t)
|
||||
fs_getattr_all_fs(virtd_t)
|
||||
fs_rw_anon_inodefs_files(virtd_t)
|
||||
@@ -601,15 +539,18 @@ term_use_ptmx(virtd_t)
|
||||
@@ -601,15 +546,18 @@ term_use_ptmx(virtd_t)
|
||||
|
||||
auth_use_nsswitch(virtd_t)
|
||||
|
||||
@ -115535,7 +115541,7 @@ index f03dcf5..481f902 100644
|
||||
|
||||
selinux_validate_context(virtd_t)
|
||||
|
||||
@@ -620,18 +561,26 @@ seutil_read_file_contexts(virtd_t)
|
||||
@@ -620,18 +568,26 @@ seutil_read_file_contexts(virtd_t)
|
||||
sysnet_signull_ifconfig(virtd_t)
|
||||
sysnet_signal_ifconfig(virtd_t)
|
||||
sysnet_domtrans_ifconfig(virtd_t)
|
||||
@ -115572,7 +115578,7 @@ index f03dcf5..481f902 100644
|
||||
|
||||
tunable_policy(`virt_use_nfs',`
|
||||
fs_manage_nfs_dirs(virtd_t)
|
||||
@@ -640,7 +589,7 @@ tunable_policy(`virt_use_nfs',`
|
||||
@@ -640,7 +596,7 @@ tunable_policy(`virt_use_nfs',`
|
||||
')
|
||||
|
||||
tunable_policy(`virt_use_samba',`
|
||||
@ -115581,7 +115587,7 @@ index f03dcf5..481f902 100644
|
||||
fs_manage_cifs_files(virtd_t)
|
||||
fs_read_cifs_symlinks(virtd_t)
|
||||
')
|
||||
@@ -665,20 +614,12 @@ optional_policy(`
|
||||
@@ -665,20 +621,12 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -115602,7 +115608,7 @@ index f03dcf5..481f902 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -691,20 +632,26 @@ optional_policy(`
|
||||
@@ -691,20 +639,26 @@ optional_policy(`
|
||||
dnsmasq_kill(virtd_t)
|
||||
dnsmasq_signull(virtd_t)
|
||||
dnsmasq_create_pid_dirs(virtd_t)
|
||||
@ -115633,7 +115639,7 @@ index f03dcf5..481f902 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -712,11 +659,18 @@ optional_policy(`
|
||||
@@ -712,11 +666,18 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -115652,7 +115658,7 @@ index f03dcf5..481f902 100644
|
||||
policykit_domtrans_auth(virtd_t)
|
||||
policykit_domtrans_resolve(virtd_t)
|
||||
policykit_read_lib(virtd_t)
|
||||
@@ -727,10 +681,18 @@ optional_policy(`
|
||||
@@ -727,10 +688,18 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -115671,7 +115677,7 @@ index f03dcf5..481f902 100644
|
||||
kernel_read_xen_state(virtd_t)
|
||||
kernel_write_xen_state(virtd_t)
|
||||
|
||||
@@ -746,44 +708,336 @@ optional_policy(`
|
||||
@@ -746,44 +715,336 @@ optional_policy(`
|
||||
udev_read_pid_files(virtd_t)
|
||||
')
|
||||
|
||||
@ -115869,7 +115875,7 @@ index f03dcf5..481f902 100644
|
||||
+storage_raw_read_removable_device(virt_domain)
|
||||
+
|
||||
+sysnet_read_config(virt_domain)
|
||||
|
||||
+
|
||||
+term_use_all_inherited_terms(virt_domain)
|
||||
+term_getattr_pty_fs(virt_domain)
|
||||
+term_use_generic_ptys(virt_domain)
|
||||
@ -115986,7 +115992,7 @@ index f03dcf5..481f902 100644
|
||||
+init_system_domain(virsh_t, virsh_exec_t)
|
||||
+typealias virsh_t alias xm_t;
|
||||
+typealias virsh_exec_t alias xm_exec_t;
|
||||
+
|
||||
|
||||
+allow virsh_t self:capability { setpcap dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config };
|
||||
+allow virsh_t self:process { getcap getsched setsched setcap setexec signal };
|
||||
+allow virsh_t self:fifo_file rw_fifo_file_perms;
|
||||
@ -116030,7 +116036,7 @@ index f03dcf5..481f902 100644
|
||||
kernel_read_system_state(virsh_t)
|
||||
kernel_read_network_state(virsh_t)
|
||||
kernel_read_kernel_sysctls(virsh_t)
|
||||
@@ -794,25 +1048,18 @@ kernel_write_xen_state(virsh_t)
|
||||
@@ -794,25 +1055,18 @@ kernel_write_xen_state(virsh_t)
|
||||
corecmd_exec_bin(virsh_t)
|
||||
corecmd_exec_shell(virsh_t)
|
||||
|
||||
@ -116057,7 +116063,7 @@ index f03dcf5..481f902 100644
|
||||
|
||||
fs_getattr_all_fs(virsh_t)
|
||||
fs_manage_xenfs_dirs(virsh_t)
|
||||
@@ -821,23 +1068,25 @@ fs_search_auto_mountpoints(virsh_t)
|
||||
@@ -821,23 +1075,25 @@ fs_search_auto_mountpoints(virsh_t)
|
||||
|
||||
storage_raw_read_fixed_disk(virsh_t)
|
||||
|
||||
@ -116074,10 +116080,10 @@ index f03dcf5..481f902 100644
|
||||
|
||||
-logging_send_syslog_msg(virsh_t)
|
||||
+systemd_exec_systemctl(virsh_t)
|
||||
+
|
||||
+auth_read_passwd(virsh_t)
|
||||
|
||||
-miscfiles_read_localization(virsh_t)
|
||||
+auth_read_passwd(virsh_t)
|
||||
+
|
||||
+logging_send_syslog_msg(virsh_t)
|
||||
|
||||
sysnet_dns_name_resolve(virsh_t)
|
||||
@ -116091,7 +116097,7 @@ index f03dcf5..481f902 100644
|
||||
|
||||
tunable_policy(`virt_use_nfs',`
|
||||
fs_manage_nfs_dirs(virsh_t)
|
||||
@@ -856,14 +1105,20 @@ optional_policy(`
|
||||
@@ -856,14 +1112,20 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -116113,7 +116119,7 @@ index f03dcf5..481f902 100644
|
||||
xen_stream_connect(virsh_t)
|
||||
xen_stream_connect_xenstore(virsh_t)
|
||||
')
|
||||
@@ -888,49 +1143,66 @@ optional_policy(`
|
||||
@@ -888,49 +1150,66 @@ optional_policy(`
|
||||
kernel_read_xen_state(virsh_ssh_t)
|
||||
kernel_write_xen_state(virsh_ssh_t)
|
||||
|
||||
@ -116198,7 +116204,7 @@ index f03dcf5..481f902 100644
|
||||
|
||||
corecmd_exec_bin(virtd_lxc_t)
|
||||
corecmd_exec_shell(virtd_lxc_t)
|
||||
@@ -942,17 +1214,16 @@ dev_read_urand(virtd_lxc_t)
|
||||
@@ -942,17 +1221,16 @@ dev_read_urand(virtd_lxc_t)
|
||||
|
||||
domain_use_interactive_fds(virtd_lxc_t)
|
||||
|
||||
@ -116218,7 +116224,7 @@ index f03dcf5..481f902 100644
|
||||
fs_getattr_all_fs(virtd_lxc_t)
|
||||
fs_manage_tmpfs_dirs(virtd_lxc_t)
|
||||
fs_manage_tmpfs_chr_files(virtd_lxc_t)
|
||||
@@ -964,8 +1235,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
|
||||
@@ -964,8 +1242,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
|
||||
fs_unmount_all_fs(virtd_lxc_t)
|
||||
fs_relabelfrom_tmpfs(virtd_lxc_t)
|
||||
|
||||
@ -116242,7 +116248,7 @@ index f03dcf5..481f902 100644
|
||||
selinux_get_enforce_mode(virtd_lxc_t)
|
||||
selinux_get_fs_mount(virtd_lxc_t)
|
||||
selinux_validate_context(virtd_lxc_t)
|
||||
@@ -974,194 +1260,376 @@ selinux_compute_create_context(virtd_lxc_t)
|
||||
@@ -974,194 +1267,370 @@ selinux_compute_create_context(virtd_lxc_t)
|
||||
selinux_compute_relabel_context(virtd_lxc_t)
|
||||
selinux_compute_user_contexts(virtd_lxc_t)
|
||||
|
||||
@ -116269,12 +116275,12 @@ index f03dcf5..481f902 100644
|
||||
+ hal_dbus_chat(virtd_lxc_t)
|
||||
+ ')
|
||||
+')
|
||||
+
|
||||
|
||||
-sysnet_domtrans_ifconfig(virtd_lxc_t)
|
||||
+optional_policy(`
|
||||
+ container_exec_lib(virtd_lxc_t)
|
||||
+')
|
||||
|
||||
-sysnet_domtrans_ifconfig(virtd_lxc_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ gnome_read_generic_cache_files(virtd_lxc_t)
|
||||
+')
|
||||
@ -116315,7 +116321,89 @@ index f03dcf5..481f902 100644
|
||||
+tunable_policy(`deny_ptrace',`',`
|
||||
+ allow svirt_sandbox_domain self:process ptrace;
|
||||
+')
|
||||
+
|
||||
|
||||
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
|
||||
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
|
||||
-allow svirt_lxc_domain self:fifo_file manage_file_perms;
|
||||
-allow svirt_lxc_domain self:sem create_sem_perms;
|
||||
-allow svirt_lxc_domain self:shm create_shm_perms;
|
||||
-allow svirt_lxc_domain self:msgq create_msgq_perms;
|
||||
-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
|
||||
-
|
||||
-allow svirt_lxc_domain virtd_lxc_t:fd use;
|
||||
-allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms;
|
||||
-allow svirt_lxc_domain virtd_lxc_t:process sigchld;
|
||||
-
|
||||
-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
|
||||
-
|
||||
-allow svirt_lxc_domain virsh_t:fd use;
|
||||
-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
|
||||
-allow svirt_lxc_domain virsh_t:process sigchld;
|
||||
-
|
||||
-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
|
||||
-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
|
||||
-
|
||||
-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-
|
||||
-allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
|
||||
-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
|
||||
-
|
||||
-can_exec(svirt_lxc_domain, svirt_lxc_file_t)
|
||||
-
|
||||
-kernel_getattr_proc(svirt_lxc_domain)
|
||||
-kernel_list_all_proc(svirt_lxc_domain)
|
||||
-kernel_read_kernel_sysctls(svirt_lxc_domain)
|
||||
-kernel_rw_net_sysctls(svirt_lxc_domain)
|
||||
-kernel_read_system_state(svirt_lxc_domain)
|
||||
-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
|
||||
-
|
||||
-corecmd_exec_all_executables(svirt_lxc_domain)
|
||||
-
|
||||
-files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
|
||||
-files_dontaudit_getattr_all_files(svirt_lxc_domain)
|
||||
-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
|
||||
-files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
|
||||
-files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
|
||||
-files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
|
||||
-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
|
||||
-# files_entrypoint_all_files(svirt_lxc_domain)
|
||||
-files_list_var(svirt_lxc_domain)
|
||||
-files_list_var_lib(svirt_lxc_domain)
|
||||
-files_search_all(svirt_lxc_domain)
|
||||
-files_read_config_files(svirt_lxc_domain)
|
||||
-files_read_usr_files(svirt_lxc_domain)
|
||||
-files_read_usr_symlinks(svirt_lxc_domain)
|
||||
-
|
||||
-fs_getattr_all_fs(svirt_lxc_domain)
|
||||
-fs_list_inotifyfs(svirt_lxc_domain)
|
||||
-
|
||||
-# fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
|
||||
-# fs_rw_inherited_cifs_files(svirt_lxc_domain)
|
||||
-# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain)
|
||||
-
|
||||
-auth_dontaudit_read_login_records(svirt_lxc_domain)
|
||||
-auth_dontaudit_write_login_records(svirt_lxc_domain)
|
||||
-auth_search_pam_console_data(svirt_lxc_domain)
|
||||
-
|
||||
-clock_read_adjtime(svirt_lxc_domain)
|
||||
-
|
||||
-init_read_utmp(svirt_lxc_domain)
|
||||
-init_dontaudit_write_utmp(svirt_lxc_domain)
|
||||
-
|
||||
-libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
|
||||
-
|
||||
-miscfiles_read_localization(svirt_lxc_domain)
|
||||
-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
|
||||
-miscfiles_read_fonts(svirt_lxc_domain)
|
||||
-
|
||||
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
|
||||
+allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
+allow virtd_t svirt_sandbox_domain:process { signal_perms getattr };
|
||||
+allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms };
|
||||
@ -116413,96 +116501,12 @@ index f03dcf5..481f902 100644
|
||||
+userdom_use_inherited_user_terminals(svirt_sandbox_domain)
|
||||
+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
|
||||
+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
|
||||
|
||||
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
|
||||
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
|
||||
-allow svirt_lxc_domain self:fifo_file manage_file_perms;
|
||||
-allow svirt_lxc_domain self:sem create_sem_perms;
|
||||
-allow svirt_lxc_domain self:shm create_shm_perms;
|
||||
-allow svirt_lxc_domain self:msgq create_msgq_perms;
|
||||
-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
|
||||
-
|
||||
-allow svirt_lxc_domain virtd_lxc_t:fd use;
|
||||
-allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms;
|
||||
-allow svirt_lxc_domain virtd_lxc_t:process sigchld;
|
||||
-
|
||||
-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
|
||||
-
|
||||
-allow svirt_lxc_domain virsh_t:fd use;
|
||||
-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
|
||||
-allow svirt_lxc_domain virsh_t:process sigchld;
|
||||
-
|
||||
-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
|
||||
-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
|
||||
-
|
||||
-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-
|
||||
-allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
|
||||
-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
|
||||
-
|
||||
-can_exec(svirt_lxc_domain, svirt_lxc_file_t)
|
||||
-
|
||||
-kernel_getattr_proc(svirt_lxc_domain)
|
||||
-kernel_list_all_proc(svirt_lxc_domain)
|
||||
-kernel_read_kernel_sysctls(svirt_lxc_domain)
|
||||
-kernel_rw_net_sysctls(svirt_lxc_domain)
|
||||
-kernel_read_system_state(svirt_lxc_domain)
|
||||
-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
|
||||
-
|
||||
-corecmd_exec_all_executables(svirt_lxc_domain)
|
||||
-
|
||||
-files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
|
||||
-files_dontaudit_getattr_all_files(svirt_lxc_domain)
|
||||
-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
|
||||
-files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
|
||||
-files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
|
||||
-files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
|
||||
-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
|
||||
-# files_entrypoint_all_files(svirt_lxc_domain)
|
||||
-files_list_var(svirt_lxc_domain)
|
||||
-files_list_var_lib(svirt_lxc_domain)
|
||||
-files_search_all(svirt_lxc_domain)
|
||||
-files_read_config_files(svirt_lxc_domain)
|
||||
-files_read_usr_files(svirt_lxc_domain)
|
||||
-files_read_usr_symlinks(svirt_lxc_domain)
|
||||
-
|
||||
-fs_getattr_all_fs(svirt_lxc_domain)
|
||||
-fs_list_inotifyfs(svirt_lxc_domain)
|
||||
-
|
||||
-# fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
|
||||
-# fs_rw_inherited_cifs_files(svirt_lxc_domain)
|
||||
-# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain)
|
||||
-
|
||||
-auth_dontaudit_read_login_records(svirt_lxc_domain)
|
||||
-auth_dontaudit_write_login_records(svirt_lxc_domain)
|
||||
-auth_search_pam_console_data(svirt_lxc_domain)
|
||||
-
|
||||
-clock_read_adjtime(svirt_lxc_domain)
|
||||
-
|
||||
-init_read_utmp(svirt_lxc_domain)
|
||||
-init_dontaudit_write_utmp(svirt_lxc_domain)
|
||||
-
|
||||
-libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
|
||||
-
|
||||
-miscfiles_read_localization(svirt_lxc_domain)
|
||||
-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
|
||||
-miscfiles_read_fonts(svirt_lxc_domain)
|
||||
-
|
||||
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
|
||||
+optional_policy(`
|
||||
+ apache_exec_modules(svirt_sandbox_domain)
|
||||
+ apache_read_sys_content(svirt_sandbox_domain)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ gear_read_pid_files(svirt_sandbox_domain)
|
||||
+tunable_policy(`virt_sandbox_share_apache_content',`
|
||||
+ apache_exec_modules(svirt_sandbox_domain)
|
||||
+ apache_read_sys_content(svirt_sandbox_domain)
|
||||
+ ')
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
@ -116592,15 +116596,11 @@ index f03dcf5..481f902 100644
|
||||
-allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
|
||||
-allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms;
|
||||
-allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
+tunable_policy(`virt_sandbox_use_mknod',`
|
||||
+ allow container_t self:capability mknod;
|
||||
+')
|
||||
|
||||
-
|
||||
-kernel_read_network_state(svirt_lxc_net_t)
|
||||
-kernel_read_irq_sysctls(svirt_lxc_net_t)
|
||||
+tunable_policy(`virt_sandbox_use_all_caps',`
|
||||
+ allow container_t self:capability all_capability_perms;
|
||||
+ allow container_t self:capability2 all_capability2_perms;
|
||||
+tunable_policy(`virt_sandbox_use_mknod',`
|
||||
+ allow container_t self:capability mknod;
|
||||
+')
|
||||
|
||||
-corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
|
||||
@ -116613,6 +116613,14 @@ index f03dcf5..481f902 100644
|
||||
-corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
|
||||
-corenet_tcp_bind_generic_node(svirt_lxc_net_t)
|
||||
-corenet_udp_bind_generic_node(svirt_lxc_net_t)
|
||||
+tunable_policy(`virt_sandbox_use_all_caps',`
|
||||
+ allow container_t self:capability all_capability_perms;
|
||||
+ allow container_t self:capability2 all_capability2_perms;
|
||||
+')
|
||||
|
||||
-corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
|
||||
-corenet_udp_bind_all_ports(svirt_lxc_net_t)
|
||||
-corenet_tcp_bind_all_ports(svirt_lxc_net_t)
|
||||
+tunable_policy(`virt_sandbox_use_netlink',`
|
||||
+ allow container_t self:netlink_socket create_socket_perms;
|
||||
+ allow container_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
|
||||
@ -116629,32 +116637,30 @@ index f03dcf5..481f902 100644
|
||||
+ logging_dontaudit_send_audit_msgs(container_t)
|
||||
+')
|
||||
|
||||
-corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
|
||||
-corenet_udp_bind_all_ports(svirt_lxc_net_t)
|
||||
-corenet_tcp_bind_all_ports(svirt_lxc_net_t)
|
||||
+allow container_t virt_lxc_var_run_t:dir list_dir_perms;
|
||||
+allow container_t virt_lxc_var_run_t:file read_file_perms;
|
||||
|
||||
-corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
|
||||
-corenet_tcp_connect_all_ports(svirt_lxc_net_t)
|
||||
+kernel_read_irq_sysctls(container_t)
|
||||
+kernel_read_messages(container_t)
|
||||
+allow container_t virt_lxc_var_run_t:dir list_dir_perms;
|
||||
+allow container_t virt_lxc_var_run_t:file read_file_perms;
|
||||
|
||||
-dev_getattr_mtrr_dev(svirt_lxc_net_t)
|
||||
-dev_read_rand(svirt_lxc_net_t)
|
||||
-dev_read_sysfs(svirt_lxc_net_t)
|
||||
-dev_read_urand(svirt_lxc_net_t)
|
||||
+kernel_read_irq_sysctls(container_t)
|
||||
+kernel_read_messages(container_t)
|
||||
|
||||
-files_read_kernel_modules(svirt_lxc_net_t)
|
||||
+dev_read_sysfs(container_t)
|
||||
+dev_read_mtrr(container_t)
|
||||
+dev_read_rand(container_t)
|
||||
+dev_read_urand(container_t)
|
||||
|
||||
-files_read_kernel_modules(svirt_lxc_net_t)
|
||||
+files_read_kernel_modules(container_t)
|
||||
|
||||
-fs_mount_cgroup(svirt_lxc_net_t)
|
||||
-fs_manage_cgroup_dirs(svirt_lxc_net_t)
|
||||
-fs_rw_cgroup_files(svirt_lxc_net_t)
|
||||
+files_read_kernel_modules(container_t)
|
||||
|
||||
-auth_use_nsswitch(svirt_lxc_net_t)
|
||||
+fs_noxattr_type(container_file_t)
|
||||
+# Do we actually need these?
|
||||
+fs_mount_cgroup(container_t)
|
||||
@ -116663,19 +116669,14 @@ index f03dcf5..481f902 100644
|
||||
+# Needed for docker
|
||||
+fs_unmount_xattr_fs(container_t)
|
||||
|
||||
-auth_use_nsswitch(svirt_lxc_net_t)
|
||||
-logging_send_audit_msgs(svirt_lxc_net_t)
|
||||
+term_pty(container_file_t)
|
||||
|
||||
-logging_send_audit_msgs(svirt_lxc_net_t)
|
||||
+auth_use_nsswitch(container_t)
|
||||
|
||||
-userdom_use_user_ptys(svirt_lxc_net_t)
|
||||
+rpm_read_db(container_t)
|
||||
+logging_send_syslog_msg(container_t)
|
||||
|
||||
-optional_policy(`
|
||||
- rpm_read_db(svirt_lxc_net_t)
|
||||
+logging_send_syslog_msg(container_t)
|
||||
+
|
||||
+tunable_policy(`virt_sandbox_use_audit',`
|
||||
+ logging_send_audit_msgs(container_t)
|
||||
')
|
||||
@ -116763,7 +116764,7 @@ index f03dcf5..481f902 100644
|
||||
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
|
||||
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
|
||||
@@ -1174,12 +1642,12 @@ dev_read_sysfs(virt_qmf_t)
|
||||
@@ -1174,12 +1643,12 @@ dev_read_sysfs(virt_qmf_t)
|
||||
dev_read_rand(virt_qmf_t)
|
||||
dev_read_urand(virt_qmf_t)
|
||||
|
||||
@ -116778,7 +116779,7 @@ index f03dcf5..481f902 100644
|
||||
sysnet_read_config(virt_qmf_t)
|
||||
|
||||
optional_policy(`
|
||||
@@ -1192,7 +1660,7 @@ optional_policy(`
|
||||
@@ -1192,7 +1661,7 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -116787,7 +116788,7 @@ index f03dcf5..481f902 100644
|
||||
#
|
||||
|
||||
allow virt_bridgehelper_t self:process { setcap getcap };
|
||||
@@ -1201,11 +1669,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
||||
@@ -1201,11 +1670,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
||||
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
|
||||
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
|
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 233%{?dist}
|
||||
Release: 234%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -675,6 +675,12 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Jan 17 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-234
|
||||
- After the latest changes in nfsd. We should allow nfsd_t to read raw fixed disk. For more info see: BZ(1403017)
|
||||
- Tighten security on containe types
|
||||
- Make working cracklib_password_check for MariaDB service
|
||||
- Label 20514 tcp/udp ports as syslogd_port_t Label 10514 tcp/udp portas as syslog_tls_port_t BZ(1410505)
|
||||
|
||||
* Sun Jan 08 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-233
|
||||
-Allow thumb domain sendto via dgram sockets. BZ(1398813)
|
||||
- Add condor_procd_t domain sys_ptrace cap_userns BZ(1411077)
|
||||
|