- Merge with upstream
parent
6578cf7413
commit
a7a2367a59
1
.gitignore
vendored
1
.gitignore
vendored
@ -221,3 +221,4 @@ serefpolicy-3.8.8.tgz
|
||||
*.rpm
|
||||
serefpolicy*
|
||||
/serefpolicy-3.9.0.tgz
|
||||
/serefpolicy-3.9.1.tgz
|
||||
|
230
policy-F14.patch
230
policy-F14.patch
@ -188,7 +188,7 @@ index 3316f6e..cf3a77b 100644
|
||||
+gen_tunable(mmap_low_allowed, false)
|
||||
+
|
||||
diff --git a/policy/mcs b/policy/mcs
|
||||
index af90ef2..ebe5833 100644
|
||||
index af90ef2..fbd2c40 100644
|
||||
--- a/policy/mcs
|
||||
+++ b/policy/mcs
|
||||
@@ -86,10 +86,10 @@ mlsconstrain file { create relabelto }
|
||||
@ -204,6 +204,15 @@ index af90ef2..ebe5833 100644
|
||||
(( h1 dom h2 ) and ( l2 eq h2 ));
|
||||
|
||||
mlsconstrain process { transition dyntransition }
|
||||
@@ -98,7 +98,7 @@ mlsconstrain process { transition dyntransition }
|
||||
mlsconstrain process { ptrace }
|
||||
(( h1 dom h2) or ( t1 == mcsptraceall ));
|
||||
|
||||
-mlsconstrain process { sigkill sigstop }
|
||||
+mlsconstrain process { signal sigkill sigstop }
|
||||
(( h1 dom h2 ) or ( t1 == mcskillall ));
|
||||
|
||||
#
|
||||
diff --git a/policy/modules/admin/alsa.fc b/policy/modules/admin/alsa.fc
|
||||
index 30a0ac7..f5fc753 100644
|
||||
--- a/policy/modules/admin/alsa.fc
|
||||
@ -991,10 +1000,10 @@ index aa0dcc6..0154b77 100644
|
||||
rpm_read_db(prelink_cron_system_t)
|
||||
')
|
||||
diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
|
||||
index c5c7852..947df2b 100644
|
||||
index 2df2f1d..c1aaa79 100644
|
||||
--- a/policy/modules/admin/readahead.te
|
||||
+++ b/policy/modules/admin/readahead.te
|
||||
@@ -51,6 +51,7 @@ domain_read_all_domains_state(readahead_t)
|
||||
@@ -53,6 +53,7 @@ domain_read_all_domains_state(readahead_t)
|
||||
|
||||
files_list_non_security(readahead_t)
|
||||
files_read_non_security_files(readahead_t)
|
||||
@ -1002,7 +1011,7 @@ index c5c7852..947df2b 100644
|
||||
files_create_boot_flag(readahead_t)
|
||||
files_getattr_all_pipes(readahead_t)
|
||||
files_dontaudit_getattr_all_sockets(readahead_t)
|
||||
@@ -64,6 +65,7 @@ fs_read_cgroup_files(readahead_t)
|
||||
@@ -66,6 +67,7 @@ fs_read_cgroup_files(readahead_t)
|
||||
fs_read_tmpfs_files(readahead_t)
|
||||
fs_read_tmpfs_symlinks(readahead_t)
|
||||
fs_list_inotifyfs(readahead_t)
|
||||
@ -5100,10 +5109,10 @@ index 0000000..15778fd
|
||||
+# No types are sandbox_exec_t
|
||||
diff --git a/policy/modules/apps/sandbox.if b/policy/modules/apps/sandbox.if
|
||||
new file mode 100644
|
||||
index 0000000..d104714
|
||||
index 0000000..c20d303
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/apps/sandbox.if
|
||||
@@ -0,0 +1,334 @@
|
||||
@@ -0,0 +1,335 @@
|
||||
+
|
||||
+## <summary>policy for sandbox</summary>
|
||||
+
|
||||
@ -5155,6 +5164,7 @@ index 0000000..d104714
|
||||
+ dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
|
||||
+ dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
|
||||
+ dontaudit sandbox_x_domain $1:unix_stream_socket { read write };
|
||||
+ dontaudit sandbox_x_domain $1:process signal;
|
||||
+
|
||||
+ allow $1 sandbox_tmpfs_type:file manage_file_perms;
|
||||
+ dontaudit $1 sandbox_tmpfs_type:file manage_file_perms;
|
||||
@ -7178,10 +7188,10 @@ index 3b2da10..7eed11d 100644
|
||||
+#
|
||||
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
|
||||
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
|
||||
index cac0c64..d0aaa1c 100644
|
||||
index 8b09281..e896bf7 100644
|
||||
--- a/policy/modules/kernel/devices.if
|
||||
+++ b/policy/modules/kernel/devices.if
|
||||
@@ -461,6 +461,24 @@ interface(`dev_getattr_generic_chr_files',`
|
||||
@@ -498,6 +498,24 @@ interface(`dev_getattr_generic_chr_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -7206,7 +7216,7 @@ index cac0c64..d0aaa1c 100644
|
||||
## Dontaudit getattr for generic character device files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -497,6 +515,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',`
|
||||
@@ -534,6 +552,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -7231,7 +7241,7 @@ index cac0c64..d0aaa1c 100644
|
||||
## Read and write generic character device files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -515,6 +551,24 @@ interface(`dev_rw_generic_chr_files',`
|
||||
@@ -552,6 +588,24 @@ interface(`dev_rw_generic_chr_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -7253,10 +7263,10 @@ index cac0c64..d0aaa1c 100644
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Create generic character device files.
|
||||
## Dontaudit attempts to read/write generic character device files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -606,6 +660,24 @@ interface(`dev_delete_generic_symlinks',`
|
||||
@@ -661,6 +715,24 @@ interface(`dev_delete_generic_symlinks',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -7281,7 +7291,7 @@ index cac0c64..d0aaa1c 100644
|
||||
## Create, delete, read, and write symbolic links in device directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1015,6 +1087,42 @@ interface(`dev_create_all_chr_files',`
|
||||
@@ -1070,6 +1142,42 @@ interface(`dev_create_all_chr_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -7324,7 +7334,7 @@ index cac0c64..d0aaa1c 100644
|
||||
## Delete all block device files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1277,6 +1385,24 @@ interface(`dev_getattr_autofs_dev',`
|
||||
@@ -1332,6 +1440,24 @@ interface(`dev_getattr_autofs_dev',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -7349,7 +7359,7 @@ index cac0c64..d0aaa1c 100644
|
||||
## Do not audit attempts to get the attributes of
|
||||
## the autofs device node.
|
||||
## </summary>
|
||||
@@ -3540,6 +3666,24 @@ interface(`dev_manage_smartcard',`
|
||||
@@ -3595,6 +3721,24 @@ interface(`dev_manage_smartcard',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -7374,7 +7384,7 @@ index cac0c64..d0aaa1c 100644
|
||||
## Get the attributes of sysfs directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -3682,6 +3826,24 @@ interface(`dev_rw_sysfs',`
|
||||
@@ -3737,6 +3881,24 @@ interface(`dev_rw_sysfs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -7399,7 +7409,7 @@ index cac0c64..d0aaa1c 100644
|
||||
## Read from pseudo random number generator devices (e.g., /dev/urandom).
|
||||
## </summary>
|
||||
## <desc>
|
||||
@@ -3851,6 +4013,24 @@ interface(`dev_read_usbmon_dev',`
|
||||
@@ -3906,6 +4068,24 @@ interface(`dev_read_usbmon_dev',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -7424,7 +7434,7 @@ index cac0c64..d0aaa1c 100644
|
||||
## Mount a usbfs filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -4161,11 +4341,10 @@ interface(`dev_write_video_dev',`
|
||||
@@ -4216,11 +4396,10 @@ interface(`dev_write_video_dev',`
|
||||
#
|
||||
interface(`dev_rw_vhost',`
|
||||
gen_require(`
|
||||
@ -7439,10 +7449,10 @@ index cac0c64..d0aaa1c 100644
|
||||
|
||||
########################################
|
||||
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
|
||||
index 102d130..ec8eb73 100644
|
||||
index eb9c360..20c2d34 100644
|
||||
--- a/policy/modules/kernel/devices.te
|
||||
+++ b/policy/modules/kernel/devices.te
|
||||
@@ -100,6 +100,7 @@ dev_node(ksm_device_t)
|
||||
@@ -102,6 +102,7 @@ dev_node(ksm_device_t)
|
||||
#
|
||||
type kvm_device_t;
|
||||
dev_node(kvm_device_t)
|
||||
@ -7450,7 +7460,7 @@ index 102d130..ec8eb73 100644
|
||||
|
||||
#
|
||||
# Type for /dev/lirc
|
||||
@@ -300,5 +301,5 @@ files_associate_tmp(device_node)
|
||||
@@ -304,5 +305,5 @@ files_associate_tmp(device_node)
|
||||
#
|
||||
|
||||
allow devices_unconfined_type self:capability sys_rawio;
|
||||
@ -8722,7 +8732,7 @@ index e3e17ba..3b34959 100644
|
||||
+')
|
||||
+
|
||||
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
|
||||
index fb63c3a..3561f03 100644
|
||||
index 56c3408..30bc860 100644
|
||||
--- a/policy/modules/kernel/filesystem.te
|
||||
+++ b/policy/modules/kernel/filesystem.te
|
||||
@@ -52,6 +52,7 @@ type anon_inodefs_t;
|
||||
@ -8775,7 +8785,7 @@ index fb63c3a..3561f03 100644
|
||||
type vmblock_t;
|
||||
fs_noxattr_type(vmblock_t)
|
||||
files_mountpoint(vmblock_t)
|
||||
@@ -248,6 +265,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
|
||||
@@ -247,6 +264,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
|
||||
type removable_t;
|
||||
allow removable_t noxattrfs:filesystem associate;
|
||||
fs_noxattr_type(removable_t)
|
||||
@ -8873,7 +8883,7 @@ index ed7667a..d676187 100644
|
||||
+')
|
||||
+
|
||||
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
|
||||
index 6fa55f2..90ee6db 100644
|
||||
index e4f98ce..806026c 100644
|
||||
--- a/policy/modules/kernel/kernel.te
|
||||
+++ b/policy/modules/kernel/kernel.te
|
||||
@@ -156,6 +156,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
|
||||
@ -8884,7 +8894,7 @@ index 6fa55f2..90ee6db 100644
|
||||
|
||||
# These initial sids are no longer used, and can be removed:
|
||||
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
||||
@@ -255,7 +256,8 @@ fs_unmount_all_fs(kernel_t)
|
||||
@@ -254,7 +255,8 @@ fs_unmount_all_fs(kernel_t)
|
||||
|
||||
selinux_load_policy(kernel_t)
|
||||
|
||||
@ -8894,7 +8904,7 @@ index 6fa55f2..90ee6db 100644
|
||||
|
||||
corecmd_exec_shell(kernel_t)
|
||||
corecmd_list_bin(kernel_t)
|
||||
@@ -269,19 +271,29 @@ files_list_root(kernel_t)
|
||||
@@ -268,19 +270,29 @@ files_list_root(kernel_t)
|
||||
files_list_etc(kernel_t)
|
||||
files_list_home(kernel_t)
|
||||
files_read_usr_files(kernel_t)
|
||||
@ -8924,7 +8934,7 @@ index 6fa55f2..90ee6db 100644
|
||||
optional_policy(`
|
||||
hotplug_search_config(kernel_t)
|
||||
')
|
||||
@@ -358,6 +370,10 @@ optional_policy(`
|
||||
@@ -357,6 +369,10 @@ optional_policy(`
|
||||
unconfined_domain_noaudit(kernel_t)
|
||||
')
|
||||
|
||||
@ -11693,7 +11703,7 @@ index 9e39aa5..b37de8e 100644
|
||||
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
||||
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
|
||||
index c9e1a44..7260bf6 100644
|
||||
index c9e1a44..c96d035 100644
|
||||
--- a/policy/modules/services/apache.if
|
||||
+++ b/policy/modules/services/apache.if
|
||||
@@ -13,17 +13,13 @@
|
||||
@ -11843,7 +11853,16 @@ index c9e1a44..7260bf6 100644
|
||||
manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
|
||||
manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
|
||||
manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
|
||||
@@ -312,6 +307,25 @@ interface(`apache_domtrans',`
|
||||
@@ -243,6 +238,8 @@ interface(`apache_role',`
|
||||
relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
|
||||
relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
|
||||
|
||||
+ apache_exec_modules($2)
|
||||
+
|
||||
tunable_policy(`httpd_enable_cgi',`
|
||||
# If a user starts a script by hand it gets the proper context
|
||||
domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
|
||||
@@ -312,6 +309,25 @@ interface(`apache_domtrans',`
|
||||
domtrans_pattern($1, httpd_exec_t, httpd_t)
|
||||
')
|
||||
|
||||
@ -11869,7 +11888,7 @@ index c9e1a44..7260bf6 100644
|
||||
#######################################
|
||||
## <summary>
|
||||
## Send a generic signal to apache.
|
||||
@@ -400,7 +414,7 @@ interface(`apache_dontaudit_rw_fifo_file',`
|
||||
@@ -400,7 +416,7 @@ interface(`apache_dontaudit_rw_fifo_file',`
|
||||
type httpd_t;
|
||||
')
|
||||
|
||||
@ -11878,7 +11897,7 @@ index c9e1a44..7260bf6 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -526,6 +540,25 @@ interface(`apache_rw_cache_files',`
|
||||
@@ -526,6 +542,25 @@ interface(`apache_rw_cache_files',`
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to delete
|
||||
@ -11904,7 +11923,7 @@ index c9e1a44..7260bf6 100644
|
||||
## Apache cache.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -740,6 +773,25 @@ interface(`apache_dontaudit_search_modules',`
|
||||
@@ -740,6 +775,25 @@ interface(`apache_dontaudit_search_modules',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -11930,7 +11949,7 @@ index c9e1a44..7260bf6 100644
|
||||
## Allow the specified domain to list
|
||||
## the contents of the apache modules
|
||||
## directory.
|
||||
@@ -756,6 +808,7 @@ interface(`apache_list_modules',`
|
||||
@@ -756,6 +810,7 @@ interface(`apache_list_modules',`
|
||||
')
|
||||
|
||||
allow $1 httpd_modules_t:dir list_dir_perms;
|
||||
@ -11938,7 +11957,7 @@ index c9e1a44..7260bf6 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -814,6 +867,7 @@ interface(`apache_list_sys_content',`
|
||||
@@ -814,6 +869,7 @@ interface(`apache_list_sys_content',`
|
||||
')
|
||||
|
||||
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
|
||||
@ -11946,7 +11965,7 @@ index c9e1a44..7260bf6 100644
|
||||
files_search_var($1)
|
||||
')
|
||||
|
||||
@@ -836,11 +890,80 @@ interface(`apache_manage_sys_content',`
|
||||
@@ -836,11 +892,80 @@ interface(`apache_manage_sys_content',`
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
@ -12027,7 +12046,7 @@ index c9e1a44..7260bf6 100644
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute all web scripts in the system
|
||||
@@ -858,6 +981,11 @@ interface(`apache_domtrans_sys_script',`
|
||||
@@ -858,6 +983,11 @@ interface(`apache_domtrans_sys_script',`
|
||||
gen_require(`
|
||||
attribute httpdcontent;
|
||||
type httpd_sys_script_t;
|
||||
@ -12039,7 +12058,7 @@ index c9e1a44..7260bf6 100644
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
||||
@@ -945,7 +1073,7 @@ interface(`apache_read_squirrelmail_data',`
|
||||
@@ -945,7 +1075,7 @@ interface(`apache_read_squirrelmail_data',`
|
||||
type httpd_squirrelmail_t;
|
||||
')
|
||||
|
||||
@ -12048,7 +12067,7 @@ index c9e1a44..7260bf6 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1086,6 +1214,25 @@ interface(`apache_read_tmp_files',`
|
||||
@@ -1086,6 +1216,25 @@ interface(`apache_read_tmp_files',`
|
||||
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
|
||||
')
|
||||
|
||||
@ -12074,7 +12093,7 @@ index c9e1a44..7260bf6 100644
|
||||
########################################
|
||||
## <summary>
|
||||
## Dontaudit attempts to write
|
||||
@@ -1102,7 +1249,7 @@ interface(`apache_dontaudit_write_tmp_files',`
|
||||
@@ -1102,7 +1251,7 @@ interface(`apache_dontaudit_write_tmp_files',`
|
||||
type httpd_tmp_t;
|
||||
')
|
||||
|
||||
@ -12083,7 +12102,7 @@ index c9e1a44..7260bf6 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1172,7 +1319,7 @@ interface(`apache_admin',`
|
||||
@@ -1172,7 +1321,7 @@ interface(`apache_admin',`
|
||||
type httpd_modules_t, httpd_lock_t;
|
||||
type httpd_var_run_t, httpd_php_tmp_t;
|
||||
type httpd_suexec_tmp_t, httpd_tmp_t;
|
||||
@ -12092,7 +12111,7 @@ index c9e1a44..7260bf6 100644
|
||||
')
|
||||
|
||||
allow $1 httpd_t:process { getattr ptrace signal_perms };
|
||||
@@ -1202,12 +1349,43 @@ interface(`apache_admin',`
|
||||
@@ -1202,12 +1351,43 @@ interface(`apache_admin',`
|
||||
|
||||
kernel_search_proc($1)
|
||||
allow $1 httpd_t:dir list_dir_perms;
|
||||
@ -17340,7 +17359,7 @@ index 7cf6763..5b9771e 100644
|
||||
+ dontaudit $1 hald_var_run_t:file read_inherited_file_perms;
|
||||
+')
|
||||
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
|
||||
index 24c6253..0a54d67 100644
|
||||
index 24c6253..188cd75 100644
|
||||
--- a/policy/modules/services/hal.te
|
||||
+++ b/policy/modules/services/hal.te
|
||||
@@ -54,6 +54,9 @@ files_pid_file(hald_var_run_t)
|
||||
@ -17370,7 +17389,7 @@ index 24c6253..0a54d67 100644
|
||||
dev_rw_generic_usb_dev(hald_t)
|
||||
dev_setattr_generic_usb_dev(hald_t)
|
||||
dev_setattr_usbfs_files(hald_t)
|
||||
@@ -211,10 +215,13 @@ seutil_read_config(hald_t)
|
||||
@@ -211,14 +215,19 @@ seutil_read_config(hald_t)
|
||||
seutil_read_default_contexts(hald_t)
|
||||
seutil_read_file_contexts(hald_t)
|
||||
|
||||
@ -17385,7 +17404,13 @@ index 24c6253..0a54d67 100644
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(hald_t)
|
||||
userdom_dontaudit_search_user_home_dirs(hald_t)
|
||||
@@ -268,6 +275,10 @@ optional_policy(`
|
||||
|
||||
+netutils_domtrans(hald_t)
|
||||
+
|
||||
optional_policy(`
|
||||
alsa_domtrans(hald_t)
|
||||
alsa_read_rw_config(hald_t)
|
||||
@@ -268,6 +277,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -17396,7 +17421,7 @@ index 24c6253..0a54d67 100644
|
||||
gpm_dontaudit_getattr_gpmctl(hald_t)
|
||||
')
|
||||
|
||||
@@ -318,6 +329,10 @@ optional_policy(`
|
||||
@@ -318,6 +331,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -17407,7 +17432,7 @@ index 24c6253..0a54d67 100644
|
||||
udev_domtrans(hald_t)
|
||||
udev_read_db(hald_t)
|
||||
')
|
||||
@@ -338,6 +353,10 @@ optional_policy(`
|
||||
@@ -338,6 +355,10 @@ optional_policy(`
|
||||
virt_manage_images(hald_t)
|
||||
')
|
||||
|
||||
@ -17418,7 +17443,7 @@ index 24c6253..0a54d67 100644
|
||||
########################################
|
||||
#
|
||||
# Hal acl local policy
|
||||
@@ -358,6 +377,7 @@ files_search_var_lib(hald_acl_t)
|
||||
@@ -358,6 +379,7 @@ files_search_var_lib(hald_acl_t)
|
||||
manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
|
||||
manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
|
||||
files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
|
||||
@ -17426,7 +17451,7 @@ index 24c6253..0a54d67 100644
|
||||
|
||||
corecmd_exec_bin(hald_acl_t)
|
||||
|
||||
@@ -470,6 +490,10 @@ files_read_usr_files(hald_keymap_t)
|
||||
@@ -470,6 +492,10 @@ files_read_usr_files(hald_keymap_t)
|
||||
|
||||
miscfiles_read_localization(hald_keymap_t)
|
||||
|
||||
@ -28755,12 +28780,12 @@ index 408f4e6..55c2d03 100644
|
||||
auth_rw_login_records(getty_t)
|
||||
|
||||
diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
|
||||
index b9efd1b..f1edb15 100644
|
||||
index 1fd31c1..683494c 100644
|
||||
--- a/policy/modules/system/hostname.te
|
||||
+++ b/policy/modules/system/hostname.te
|
||||
@@ -26,15 +26,18 @@ kernel_read_proc_symlinks(hostname_t)
|
||||
|
||||
dev_read_sysfs(hostname_t)
|
||||
@@ -28,15 +28,18 @@ dev_read_sysfs(hostname_t)
|
||||
# Early devtmpfs, before udev relabel
|
||||
dev_dontaudit_rw_generic_chr_files(hostname_t)
|
||||
|
||||
+domain_dontaudit_leaks(hostname_t)
|
||||
domain_use_interactive_fds(hostname_t)
|
||||
@ -28777,7 +28802,7 @@ index b9efd1b..f1edb15 100644
|
||||
fs_dontaudit_use_tmpfs_chr_dev(hostname_t)
|
||||
|
||||
term_dontaudit_use_console(hostname_t)
|
||||
@@ -53,6 +56,10 @@ sysnet_read_config(hostname_t)
|
||||
@@ -55,6 +58,10 @@ sysnet_read_config(hostname_t)
|
||||
sysnet_dns_name_resolve(hostname_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -29216,7 +29241,7 @@ index f6aafe7..7da8294 100644
|
||||
+ allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
|
||||
+')
|
||||
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
||||
index bd45076..a100eb6 100644
|
||||
index abab4cf..9f9b812 100644
|
||||
--- a/policy/modules/system/init.te
|
||||
+++ b/policy/modules/system/init.te
|
||||
@@ -16,6 +16,27 @@ gen_require(`
|
||||
@ -29292,14 +29317,15 @@ index bd45076..a100eb6 100644
|
||||
|
||||
# For /var/run/shutdown.pid.
|
||||
allow init_t init_var_run_t:file manage_file_perms;
|
||||
@@ -120,15 +145,19 @@ corecmd_exec_chroot(init_t)
|
||||
@@ -119,6 +144,7 @@ corecmd_exec_chroot(init_t)
|
||||
corecmd_exec_bin(init_t)
|
||||
|
||||
dev_read_sysfs(init_t)
|
||||
+dev_read_urand(init_t)
|
||||
# Early devtmpfs
|
||||
dev_rw_generic_chr_files(init_t)
|
||||
|
||||
domain_getpgid_all_domains(init_t)
|
||||
domain_kill_all_domains(init_t)
|
||||
@@ -127,9 +153,12 @@ domain_kill_all_domains(init_t)
|
||||
domain_signal_all_domains(init_t)
|
||||
domain_signull_all_domains(init_t)
|
||||
domain_sigstop_all_domains(init_t)
|
||||
@ -29312,7 +29338,7 @@ index bd45076..a100eb6 100644
|
||||
files_rw_generic_pids(init_t)
|
||||
files_dontaudit_search_isid_type_dirs(init_t)
|
||||
files_manage_etc_runtime_files(init_t)
|
||||
@@ -167,6 +196,8 @@ seutil_read_config(init_t)
|
||||
@@ -168,6 +197,8 @@ seutil_read_config(init_t)
|
||||
|
||||
miscfiles_read_localization(init_t)
|
||||
|
||||
@ -29321,7 +29347,7 @@ index bd45076..a100eb6 100644
|
||||
ifdef(`distro_gentoo',`
|
||||
allow init_t self:process { getcap setcap };
|
||||
')
|
||||
@@ -177,7 +208,7 @@ ifdef(`distro_redhat',`
|
||||
@@ -178,7 +209,7 @@ ifdef(`distro_redhat',`
|
||||
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
|
||||
')
|
||||
|
||||
@ -29330,7 +29356,7 @@ index bd45076..a100eb6 100644
|
||||
corecmd_shell_domtrans(init_t, initrc_t)
|
||||
',`
|
||||
# Run the shell in the sysadm role for single-user mode.
|
||||
@@ -185,23 +216,92 @@ tunable_policy(`init_upstart',`
|
||||
@@ -186,23 +217,92 @@ tunable_policy(`init_upstart',`
|
||||
sysadm_shell_domtrans(init_t)
|
||||
')
|
||||
|
||||
@ -29423,7 +29449,7 @@ index bd45076..a100eb6 100644
|
||||
unconfined_domain(init_t)
|
||||
')
|
||||
|
||||
@@ -211,7 +311,7 @@ optional_policy(`
|
||||
@@ -212,7 +312,7 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
|
||||
@ -29432,7 +29458,7 @@ index bd45076..a100eb6 100644
|
||||
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
|
||||
allow initrc_t self:passwd rootok;
|
||||
allow initrc_t self:key manage_key_perms;
|
||||
@@ -240,6 +340,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
||||
@@ -241,6 +341,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
||||
|
||||
allow initrc_t initrc_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
|
||||
@ -29440,7 +29466,7 @@ index bd45076..a100eb6 100644
|
||||
|
||||
can_exec(initrc_t, initrc_tmp_t)
|
||||
manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
|
||||
@@ -257,11 +358,22 @@ kernel_change_ring_buffer_level(initrc_t)
|
||||
@@ -258,11 +359,22 @@ kernel_change_ring_buffer_level(initrc_t)
|
||||
kernel_clear_ring_buffer(initrc_t)
|
||||
kernel_get_sysvipc_info(initrc_t)
|
||||
kernel_read_all_sysctls(initrc_t)
|
||||
@ -29463,10 +29489,20 @@ index bd45076..a100eb6 100644
|
||||
|
||||
corecmd_exec_all_executables(initrc_t)
|
||||
|
||||
@@ -297,11 +409,13 @@ dev_manage_generic_files(initrc_t)
|
||||
@@ -291,6 +403,7 @@ dev_read_sound_mixer(initrc_t)
|
||||
dev_write_sound_mixer(initrc_t)
|
||||
dev_setattr_all_chr_files(initrc_t)
|
||||
dev_rw_lvm_control(initrc_t)
|
||||
+dev_rw_generic_chr_files(initrc_t)
|
||||
dev_delete_lvm_control_dev(initrc_t)
|
||||
dev_manage_generic_symlinks(initrc_t)
|
||||
dev_manage_generic_files(initrc_t)
|
||||
@@ -298,13 +411,13 @@ dev_manage_generic_files(initrc_t)
|
||||
dev_delete_generic_symlinks(initrc_t)
|
||||
dev_getattr_all_blk_files(initrc_t)
|
||||
dev_getattr_all_chr_files(initrc_t)
|
||||
-# Early devtmpfs
|
||||
-dev_rw_generic_chr_files(initrc_t)
|
||||
+dev_rw_xserver_misc(initrc_t)
|
||||
|
||||
domain_kill_all_domains(initrc_t)
|
||||
@ -29477,7 +29513,7 @@ index bd45076..a100eb6 100644
|
||||
domain_sigchld_all_domains(initrc_t)
|
||||
domain_read_all_domains_state(initrc_t)
|
||||
domain_getattr_all_domains(initrc_t)
|
||||
@@ -320,8 +434,10 @@ files_getattr_all_symlinks(initrc_t)
|
||||
@@ -323,8 +436,10 @@ files_getattr_all_symlinks(initrc_t)
|
||||
files_getattr_all_pipes(initrc_t)
|
||||
files_getattr_all_sockets(initrc_t)
|
||||
files_purge_tmp(initrc_t)
|
||||
@ -29489,7 +29525,7 @@ index bd45076..a100eb6 100644
|
||||
files_delete_all_pids(initrc_t)
|
||||
files_delete_all_pid_dirs(initrc_t)
|
||||
files_read_etc_files(initrc_t)
|
||||
@@ -337,8 +453,12 @@ files_list_isid_type_dirs(initrc_t)
|
||||
@@ -340,8 +455,12 @@ files_list_isid_type_dirs(initrc_t)
|
||||
files_mounton_isid_type_dirs(initrc_t)
|
||||
files_list_default(initrc_t)
|
||||
files_mounton_default(initrc_t)
|
||||
@ -29503,7 +29539,7 @@ index bd45076..a100eb6 100644
|
||||
fs_list_inotifyfs(initrc_t)
|
||||
fs_register_binary_executable_type(initrc_t)
|
||||
# rhgb-console writes to ramfs
|
||||
@@ -348,6 +468,8 @@ fs_mount_all_fs(initrc_t)
|
||||
@@ -351,6 +470,8 @@ fs_mount_all_fs(initrc_t)
|
||||
fs_unmount_all_fs(initrc_t)
|
||||
fs_remount_all_fs(initrc_t)
|
||||
fs_getattr_all_fs(initrc_t)
|
||||
@ -29512,7 +29548,7 @@ index bd45076..a100eb6 100644
|
||||
|
||||
# initrc_t needs to do a pidof which requires ptrace
|
||||
mcs_ptrace_all(initrc_t)
|
||||
@@ -360,6 +482,7 @@ mls_process_read_up(initrc_t)
|
||||
@@ -363,6 +484,7 @@ mls_process_read_up(initrc_t)
|
||||
mls_process_write_down(initrc_t)
|
||||
mls_rangetrans_source(initrc_t)
|
||||
mls_fd_share_all_levels(initrc_t)
|
||||
@ -29520,7 +29556,7 @@ index bd45076..a100eb6 100644
|
||||
|
||||
selinux_get_enforce_mode(initrc_t)
|
||||
|
||||
@@ -391,13 +514,14 @@ logging_read_audit_config(initrc_t)
|
||||
@@ -394,13 +516,14 @@ logging_read_audit_config(initrc_t)
|
||||
|
||||
miscfiles_read_localization(initrc_t)
|
||||
# slapd needs to read cert files from its initscript
|
||||
@ -29536,7 +29572,7 @@ index bd45076..a100eb6 100644
|
||||
userdom_read_user_home_content_files(initrc_t)
|
||||
# Allow access to the sysadm TTYs. Note that this will give access to the
|
||||
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
|
||||
@@ -470,7 +594,7 @@ ifdef(`distro_redhat',`
|
||||
@@ -473,7 +596,7 @@ ifdef(`distro_redhat',`
|
||||
|
||||
# Red Hat systems seem to have a stray
|
||||
# fd open from the initrd
|
||||
@ -29545,7 +29581,7 @@ index bd45076..a100eb6 100644
|
||||
files_dontaudit_read_root_files(initrc_t)
|
||||
|
||||
# These seem to be from the initrd
|
||||
@@ -516,6 +640,19 @@ ifdef(`distro_redhat',`
|
||||
@@ -519,6 +642,19 @@ ifdef(`distro_redhat',`
|
||||
optional_policy(`
|
||||
bind_manage_config_dirs(initrc_t)
|
||||
bind_write_config(initrc_t)
|
||||
@ -29565,7 +29601,7 @@ index bd45076..a100eb6 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -523,10 +660,17 @@ ifdef(`distro_redhat',`
|
||||
@@ -526,10 +662,17 @@ ifdef(`distro_redhat',`
|
||||
rpc_write_exports(initrc_t)
|
||||
rpc_manage_nfs_state_data(initrc_t)
|
||||
')
|
||||
@ -29583,7 +29619,7 @@ index bd45076..a100eb6 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -541,6 +685,35 @@ ifdef(`distro_suse',`
|
||||
@@ -544,6 +687,35 @@ ifdef(`distro_suse',`
|
||||
')
|
||||
')
|
||||
|
||||
@ -29619,7 +29655,7 @@ index bd45076..a100eb6 100644
|
||||
optional_policy(`
|
||||
amavis_search_lib(initrc_t)
|
||||
amavis_setattr_pid_files(initrc_t)
|
||||
@@ -553,6 +726,8 @@ optional_policy(`
|
||||
@@ -556,6 +728,8 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
apache_read_config(initrc_t)
|
||||
apache_list_modules(initrc_t)
|
||||
@ -29628,7 +29664,7 @@ index bd45076..a100eb6 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -569,6 +744,7 @@ optional_policy(`
|
||||
@@ -572,6 +746,7 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
cgroup_stream_connect_cgred(initrc_t)
|
||||
@ -29636,7 +29672,7 @@ index bd45076..a100eb6 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -581,6 +757,11 @@ optional_policy(`
|
||||
@@ -584,6 +759,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -29648,7 +29684,7 @@ index bd45076..a100eb6 100644
|
||||
dev_getattr_printer_dev(initrc_t)
|
||||
|
||||
cups_read_log(initrc_t)
|
||||
@@ -597,6 +778,7 @@ optional_policy(`
|
||||
@@ -600,6 +780,7 @@ optional_policy(`
|
||||
dbus_connect_system_bus(initrc_t)
|
||||
dbus_system_bus_client(initrc_t)
|
||||
dbus_read_config(initrc_t)
|
||||
@ -29656,7 +29692,7 @@ index bd45076..a100eb6 100644
|
||||
|
||||
optional_policy(`
|
||||
consolekit_dbus_chat(initrc_t)
|
||||
@@ -698,7 +880,12 @@ optional_policy(`
|
||||
@@ -701,7 +882,12 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -29669,7 +29705,7 @@ index bd45076..a100eb6 100644
|
||||
mta_dontaudit_read_spool_symlinks(initrc_t)
|
||||
')
|
||||
|
||||
@@ -721,6 +908,10 @@ optional_policy(`
|
||||
@@ -724,6 +910,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -29680,7 +29716,7 @@ index bd45076..a100eb6 100644
|
||||
postgresql_manage_db(initrc_t)
|
||||
postgresql_read_config(initrc_t)
|
||||
')
|
||||
@@ -742,6 +933,10 @@ optional_policy(`
|
||||
@@ -745,6 +935,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -29691,7 +29727,7 @@ index bd45076..a100eb6 100644
|
||||
fs_write_ramfs_sockets(initrc_t)
|
||||
fs_search_ramfs(initrc_t)
|
||||
|
||||
@@ -763,8 +958,6 @@ optional_policy(`
|
||||
@@ -766,8 +960,6 @@ optional_policy(`
|
||||
# bash tries ioctl for some reason
|
||||
files_dontaudit_ioctl_all_pids(initrc_t)
|
||||
|
||||
@ -29700,7 +29736,7 @@ index bd45076..a100eb6 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -773,14 +966,21 @@ optional_policy(`
|
||||
@@ -776,14 +968,21 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -29722,7 +29758,7 @@ index bd45076..a100eb6 100644
|
||||
|
||||
optional_policy(`
|
||||
ssh_dontaudit_read_server_keys(initrc_t)
|
||||
@@ -802,11 +1002,19 @@ optional_policy(`
|
||||
@@ -805,11 +1004,19 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -29743,7 +29779,7 @@ index bd45076..a100eb6 100644
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
# system-config-services causes avc messages that should be dontaudited
|
||||
@@ -816,6 +1024,25 @@ optional_policy(`
|
||||
@@ -819,6 +1026,25 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
mono_domtrans(initrc_t)
|
||||
')
|
||||
@ -29769,7 +29805,7 @@ index bd45076..a100eb6 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -841,3 +1068,55 @@ optional_policy(`
|
||||
@@ -844,3 +1070,55 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
zebra_read_config(initrc_t)
|
||||
')
|
||||
@ -31557,7 +31593,7 @@ index 8b5c196..3490497 100644
|
||||
+ role $2 types showmount_t;
|
||||
')
|
||||
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
|
||||
index ee6520c..e36909c 100644
|
||||
index fca6947..24ffd8a 100644
|
||||
--- a/policy/modules/system/mount.te
|
||||
+++ b/policy/modules/system/mount.te
|
||||
@@ -17,8 +17,15 @@ type mount_exec_t;
|
||||
@ -31607,7 +31643,7 @@ index ee6520c..e36909c 100644
|
||||
|
||||
allow mount_t mount_loopback_t:file read_file_perms;
|
||||
|
||||
@@ -46,30 +68,54 @@ can_exec(mount_t, mount_exec_t)
|
||||
@@ -46,32 +68,56 @@ can_exec(mount_t, mount_exec_t)
|
||||
|
||||
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
|
||||
|
||||
@ -31646,6 +31682,8 @@ index ee6520c..e36909c 100644
|
||||
+ifdef(`hide_broken_symptoms',`
|
||||
+ dev_rw_generic_blk_files(mount_t)
|
||||
+')
|
||||
# Early devtmpfs, before udev relabel
|
||||
dev_dontaudit_rw_generic_chr_files(mount_t)
|
||||
|
||||
domain_use_interactive_fds(mount_t)
|
||||
+domain_dontaudit_search_all_domains_state(mount_t)
|
||||
@ -31664,7 +31702,7 @@ index ee6520c..e36909c 100644
|
||||
files_mount_all_file_type_fs(mount_t)
|
||||
files_unmount_all_file_type_fs(mount_t)
|
||||
# for when /etc/mtab loses its type
|
||||
@@ -79,25 +125,32 @@ files_read_isid_type_files(mount_t)
|
||||
@@ -81,25 +127,32 @@ files_read_isid_type_files(mount_t)
|
||||
files_read_usr_files(mount_t)
|
||||
files_list_mnt(mount_t)
|
||||
|
||||
@ -31700,7 +31738,7 @@ index ee6520c..e36909c 100644
|
||||
|
||||
term_use_all_terms(mount_t)
|
||||
|
||||
@@ -106,6 +159,8 @@ auth_use_nsswitch(mount_t)
|
||||
@@ -108,6 +161,8 @@ auth_use_nsswitch(mount_t)
|
||||
init_use_fds(mount_t)
|
||||
init_use_script_ptys(mount_t)
|
||||
init_dontaudit_getattr_initctl(mount_t)
|
||||
@ -31709,7 +31747,7 @@ index ee6520c..e36909c 100644
|
||||
|
||||
logging_send_syslog_msg(mount_t)
|
||||
|
||||
@@ -116,6 +171,12 @@ sysnet_use_portmap(mount_t)
|
||||
@@ -118,6 +173,12 @@ sysnet_use_portmap(mount_t)
|
||||
seutil_read_config(mount_t)
|
||||
|
||||
userdom_use_all_users_fds(mount_t)
|
||||
@ -31722,7 +31760,7 @@ index ee6520c..e36909c 100644
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
optional_policy(`
|
||||
@@ -131,10 +192,17 @@ ifdef(`distro_ubuntu',`
|
||||
@@ -133,10 +194,17 @@ ifdef(`distro_ubuntu',`
|
||||
')
|
||||
')
|
||||
|
||||
@ -31740,7 +31778,7 @@ index ee6520c..e36909c 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -164,6 +232,8 @@ optional_policy(`
|
||||
@@ -166,6 +234,8 @@ optional_policy(`
|
||||
fs_search_rpc(mount_t)
|
||||
|
||||
rpc_stub(mount_t)
|
||||
@ -31749,7 +31787,7 @@ index ee6520c..e36909c 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -171,6 +241,25 @@ optional_policy(`
|
||||
@@ -173,6 +243,25 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -31775,7 +31813,7 @@ index ee6520c..e36909c 100644
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
# for a bug in the X server
|
||||
rhgb_dontaudit_rw_stream_sockets(mount_t)
|
||||
@@ -178,6 +267,11 @@ optional_policy(`
|
||||
@@ -180,6 +269,11 @@ optional_policy(`
|
||||
')
|
||||
')
|
||||
|
||||
@ -31787,7 +31825,7 @@ index ee6520c..e36909c 100644
|
||||
# for kernel package installation
|
||||
optional_policy(`
|
||||
rpm_rw_pipes(mount_t)
|
||||
@@ -185,6 +279,19 @@ optional_policy(`
|
||||
@@ -187,6 +281,19 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
samba_domtrans_smbmount(mount_t)
|
||||
@ -31807,7 +31845,7 @@ index ee6520c..e36909c 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -193,6 +300,42 @@ optional_policy(`
|
||||
@@ -195,6 +302,42 @@ optional_policy(`
|
||||
#
|
||||
|
||||
optional_policy(`
|
||||
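Review bot: In the policy/mcs hunk, adding `signal` to the constraint `mlsconstrain process { signal sigkill sigstop } (( h1 dom h2 ) or ( t1 == mcskillall ));` makes ordinary signal delivery across MCS category sets depend on the `mcskillall` attribute, and nothing in the hunks shown here documents that or grants the attribute to the domains that signal everything. For example, init.te keeps `domain_signal_all_domains(init_t)` as context, but no matching MCS exemption for `init_t` is visible in this section; it may exist in parts of the patch that are not shown, so this should be confirmed before the merge ships. I would add a comment above the constraint such as `# signal is constrained together with sigkill/sigstop; senders that cross categories need mcskillall`. The interface text for that attribute should also be checked, in case it still describes only sigkill and sigstop. Denials from this change would appear as AVC records for the `process` class with `signal`, where the type-enforcement rule allows the access but the constraint does not.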
|
@ -19,8 +19,8 @@
|
||||
%define CHECKPOLICYVER 2.0.21-1
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.9.0
|
||||
Release: 2%{?dist}
|
||||
Version: 3.9.1
|
||||
Release: 1%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -469,6 +469,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Aug 30 2010 Dan Walsh <dwalsh@redhat.com> 3.9.1-1
|
||||
- Merge with upstream
|
||||
|
||||
* Thu Aug 26 2010 Dan Walsh <dwalsh@redhat.com> 3.9.0-2
|
||||
- More access needed for devicekit
|
||||
- Add dbadm policy
|
||||
|