* Tue Apr 30 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-38
- Allow thumbnails to share memory with apps which run thumbnails - Allow postfix-postqueue block_suspend - Add lib interfaces for smsd - Add support for nginx - Allow s2s running as jabberd_t to connect to jabber_interserver_port_t - Allow pki apache domain to create own tmp files and execute httpd_suexec - Allow procmail to manage user tmp files/dirs/lnk_files - Add virt_stream_connect_svirt() interface - Allow dovecot-auth to execute bin_t - Allow iscsid to request that kernel load a kernel module - Add labeling support for /var/lib/mod_security - Allow iw running as tuned_t to create netlink socket - Dontaudit sys_tty_config for thumb_t - Add labeling for nm-l2tp-service - Allow httpd running as certwatch_t to open tcp socket - Allow useradd to manage smsd lib files - Allow useradd_t to add homedirs in /var/lib - Fix typo in userdomain.te - Cleanup userdom_read_home_certs - Implement userdom_home_reader_certs_type to allow read certs also on encrypt /home with ecryptfs_t - Allow staff to stream connect to svirt_t to make gnome-boxes work
This commit is contained in:
parent
ac58d9fab2
commit
a97fbb2332
@ -2367,7 +2367,7 @@ index 99e3903..7270808 100644
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
|
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
|
||||||
index d555767..fdd0567 100644
|
index d555767..4165b4d 100644
|
||||||
--- a/policy/modules/admin/usermanage.te
|
--- a/policy/modules/admin/usermanage.te
|
||||||
+++ b/policy/modules/admin/usermanage.te
|
+++ b/policy/modules/admin/usermanage.te
|
||||||
@@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1)
|
@@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1)
|
||||||
@ -2653,13 +2653,13 @@ index d555767..fdd0567 100644
|
|||||||
# on user home dir
|
# on user home dir
|
||||||
userdom_dontaudit_search_user_home_content(passwd_t)
|
userdom_dontaudit_search_user_home_content(passwd_t)
|
||||||
+userdom_stream_connect(passwd_t)
|
+userdom_stream_connect(passwd_t)
|
||||||
+
|
|
||||||
+optional_policy(`
|
|
||||||
+ gnome_exec_keyringd(passwd_t)
|
|
||||||
+')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- nscd_run(passwd_t, passwd_roles)
|
- nscd_run(passwd_t, passwd_roles)
|
||||||
|
+ gnome_exec_keyringd(passwd_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
+ #nscd_run(passwd_t, passwd_roles)
|
+ #nscd_run(passwd_t, passwd_roles)
|
||||||
+ nscd_domtrans(passwd_t)
|
+ nscd_domtrans(passwd_t)
|
||||||
')
|
')
|
||||||
@ -2729,7 +2729,7 @@ index d555767..fdd0567 100644
|
|||||||
# for getting the number of groups
|
# for getting the number of groups
|
||||||
kernel_read_kernel_sysctls(useradd_t)
|
kernel_read_kernel_sysctls(useradd_t)
|
||||||
|
|
||||||
@@ -465,36 +513,35 @@ corecmd_exec_shell(useradd_t)
|
@@ -465,36 +513,36 @@ corecmd_exec_shell(useradd_t)
|
||||||
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
|
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
|
||||||
corecmd_exec_bin(useradd_t)
|
corecmd_exec_bin(useradd_t)
|
||||||
|
|
||||||
@ -2745,6 +2745,7 @@ index d555767..fdd0567 100644
|
|||||||
files_relabel_etc_files(useradd_t)
|
files_relabel_etc_files(useradd_t)
|
||||||
files_read_etc_runtime_files(useradd_t)
|
files_read_etc_runtime_files(useradd_t)
|
||||||
+files_manage_etc_files(useradd_t)
|
+files_manage_etc_files(useradd_t)
|
||||||
|
+files_rw_var_lib_dirs(useradd_t)
|
||||||
|
|
||||||
fs_search_auto_mountpoints(useradd_t)
|
fs_search_auto_mountpoints(useradd_t)
|
||||||
fs_getattr_xattr_fs(useradd_t)
|
fs_getattr_xattr_fs(useradd_t)
|
||||||
@ -2777,7 +2778,7 @@ index d555767..fdd0567 100644
|
|||||||
auth_manage_shadow(useradd_t)
|
auth_manage_shadow(useradd_t)
|
||||||
auth_relabel_shadow(useradd_t)
|
auth_relabel_shadow(useradd_t)
|
||||||
auth_etc_filetrans_shadow(useradd_t)
|
auth_etc_filetrans_shadow(useradd_t)
|
||||||
@@ -505,33 +552,36 @@ init_rw_utmp(useradd_t)
|
@@ -505,33 +553,36 @@ init_rw_utmp(useradd_t)
|
||||||
logging_send_audit_msgs(useradd_t)
|
logging_send_audit_msgs(useradd_t)
|
||||||
logging_send_syslog_msg(useradd_t)
|
logging_send_syslog_msg(useradd_t)
|
||||||
|
|
||||||
@ -2828,7 +2829,7 @@ index d555767..fdd0567 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
apache_manage_all_user_content(useradd_t)
|
apache_manage_all_user_content(useradd_t)
|
||||||
')
|
')
|
||||||
@@ -542,7 +592,8 @@ optional_policy(`
|
@@ -542,7 +593,8 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -2838,7 +2839,7 @@ index d555767..fdd0567 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -550,6 +601,11 @@ optional_policy(`
|
@@ -550,6 +602,11 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -2850,12 +2851,17 @@ index d555767..fdd0567 100644
|
|||||||
tunable_policy(`samba_domain_controller',`
|
tunable_policy(`samba_domain_controller',`
|
||||||
samba_append_log(useradd_t)
|
samba_append_log(useradd_t)
|
||||||
')
|
')
|
||||||
@@ -559,3 +615,7 @@ optional_policy(`
|
@@ -559,3 +616,12 @@ optional_policy(`
|
||||||
rpm_use_fds(useradd_t)
|
rpm_use_fds(useradd_t)
|
||||||
rpm_rw_pipes(useradd_t)
|
rpm_rw_pipes(useradd_t)
|
||||||
')
|
')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
|
+ smsd_manage_lib_files(useradd_t)
|
||||||
|
+ smsd_manage_lib_dirs(useradd_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
+ stapserver_manage_lib(useradd_t)
|
+ stapserver_manage_lib(useradd_t)
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
|
diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
|
||||||
@ -18190,7 +18196,7 @@ index 234a940..d340f20 100644
|
|||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
|
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
|
||||||
index 5da7870..b66bc2a 100644
|
index 5da7870..8bd910a 100644
|
||||||
--- a/policy/modules/roles/staff.te
|
--- a/policy/modules/roles/staff.te
|
||||||
+++ b/policy/modules/roles/staff.te
|
+++ b/policy/modules/roles/staff.te
|
||||||
@@ -8,12 +8,67 @@ policy_module(staff, 2.3.1)
|
@@ -8,12 +8,67 @@ policy_module(staff, 2.3.1)
|
||||||
@ -18510,7 +18516,7 @@ index 5da7870..b66bc2a 100644
|
|||||||
spamassassin_role(staff_r, staff_t)
|
spamassassin_role(staff_r, staff_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -176,3 +363,20 @@ ifndef(`distro_redhat',`
|
@@ -176,3 +363,21 @@ ifndef(`distro_redhat',`
|
||||||
wireshark_role(staff_r, staff_t)
|
wireshark_role(staff_r, staff_t)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
@ -18529,6 +18535,7 @@ index 5da7870..b66bc2a 100644
|
|||||||
+ allow staff_t self:fifo_file relabelfrom;
|
+ allow staff_t self:fifo_file relabelfrom;
|
||||||
+ dev_rw_kvm(staff_t)
|
+ dev_rw_kvm(staff_t)
|
||||||
+ virt_manage_images(staff_t)
|
+ virt_manage_images(staff_t)
|
||||||
|
+ virt_stream_connect_svirt(staff_t)
|
||||||
+ ')
|
+ ')
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if
|
diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if
|
||||||
@ -39203,7 +39210,7 @@ index db75976..65191bd 100644
|
|||||||
+
|
+
|
||||||
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
|
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
|
||||||
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
|
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
|
||||||
index 3c5dba7..b44b1c9 100644
|
index 3c5dba7..df7407b 100644
|
||||||
--- a/policy/modules/system/userdomain.if
|
--- a/policy/modules/system/userdomain.if
|
||||||
+++ b/policy/modules/system/userdomain.if
|
+++ b/policy/modules/system/userdomain.if
|
||||||
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
|
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
|
||||||
@ -41870,7 +41877,7 @@ index 3c5dba7..b44b1c9 100644
|
|||||||
## Create keys for all user domains.
|
## Create keys for all user domains.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -3438,4 +4197,1393 @@ interface(`userdom_dbus_send_all_users',`
|
@@ -3438,4 +4197,1390 @@ interface(`userdom_dbus_send_all_users',`
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 userdomain:dbus send_msg;
|
allow $1 userdomain:dbus send_msg;
|
||||||
@ -42687,13 +42694,10 @@ index 3c5dba7..b44b1c9 100644
|
|||||||
+#
|
+#
|
||||||
+interface(`userdom_read_home_certs',`
|
+interface(`userdom_read_home_certs',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ type home_cert_t;
|
+ attribute userdom_home_reader_certs_type;
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ userdom_search_user_home_content($1)
|
+ typeattribute $1 userdom_home_reader_certs_type;
|
||||||
+ allow $1 home_cert_t:dir list_dir_perms;
|
|
||||||
+ read_files_pattern($1, home_cert_t, home_cert_t)
|
|
||||||
+ read_lnk_files_pattern($1, home_cert_t, home_cert_t)
|
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -43265,7 +43269,7 @@ index 3c5dba7..b44b1c9 100644
|
|||||||
+ filetrans_pattern($1, user_tmpfs_t, $2, $3, $4)
|
+ filetrans_pattern($1, user_tmpfs_t, $2, $3, $4)
|
||||||
')
|
')
|
||||||
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
|
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
|
||||||
index e2b538b..9e23738 100644
|
index e2b538b..2582882 100644
|
||||||
--- a/policy/modules/system/userdomain.te
|
--- a/policy/modules/system/userdomain.te
|
||||||
+++ b/policy/modules/system/userdomain.te
|
+++ b/policy/modules/system/userdomain.te
|
||||||
@@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.5)
|
@@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.5)
|
||||||
@ -43290,36 +43294,36 @@ index e2b538b..9e23738 100644
|
|||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
-## Allow regular users direct mouse access
|
-## Allow regular users direct mouse access
|
||||||
|
-## </p>
|
||||||
|
-## </desc>
|
||||||
|
-gen_tunable(user_direct_mouse, false)
|
||||||
|
-
|
||||||
|
-## <desc>
|
||||||
|
-## <p>
|
||||||
|
-## Allow users to read system messages.
|
||||||
+## Allow user to r/w files on filesystems
|
+## Allow user to r/w files on filesystems
|
||||||
+## that do not have extended attributes (FAT, CDROM, FLOPPY)
|
+## that do not have extended attributes (FAT, CDROM, FLOPPY)
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
-gen_tunable(user_direct_mouse, false)
|
|
||||||
+gen_tunable(selinuxuser_rw_noexattrfile, false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
-## Allow users to read system messages.
|
|
||||||
+## Allow user music sharing
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
-gen_tunable(user_dmesg, false)
|
-gen_tunable(user_dmesg, false)
|
||||||
+gen_tunable(selinuxuser_share_music, false)
|
+gen_tunable(selinuxuser_rw_noexattrfile, false)
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
-## Allow user to r/w files on filesystems
|
-## Allow user to r/w files on filesystems
|
||||||
-## that do not have extended attributes (FAT, CDROM, FLOPPY)
|
-## that do not have extended attributes (FAT, CDROM, FLOPPY)
|
||||||
+## Allow user to use ssh chroot environment.
|
+## Allow user music sharing
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
-gen_tunable(user_rw_noexattrfile, false)
|
-gen_tunable(user_rw_noexattrfile, false)
|
||||||
-
|
+gen_tunable(selinuxuser_share_music, false)
|
||||||
-## <desc>
|
|
||||||
-## <p>
|
## <desc>
|
||||||
|
## <p>
|
||||||
-## Allow w to display everyone
|
-## Allow w to display everyone
|
||||||
-## </p>
|
+## Allow user to use ssh chroot environment.
|
||||||
-## </desc>
|
## </p>
|
||||||
|
## </desc>
|
||||||
-gen_tunable(user_ttyfile_stat, false)
|
-gen_tunable(user_ttyfile_stat, false)
|
||||||
+gen_tunable(selinuxuser_use_ssh_chroot, false)
|
+gen_tunable(selinuxuser_use_ssh_chroot, false)
|
||||||
|
|
||||||
@ -43328,10 +43332,11 @@ index e2b538b..9e23738 100644
|
|||||||
|
|
||||||
# all user domains
|
# all user domains
|
||||||
attribute userdomain;
|
attribute userdomain;
|
||||||
@@ -58,6 +52,23 @@ attribute unpriv_userdomain;
|
@@ -58,6 +52,24 @@ attribute unpriv_userdomain;
|
||||||
|
|
||||||
attribute user_home_content_type;
|
attribute user_home_content_type;
|
||||||
|
|
||||||
|
+attribute userdom_home_reader_certs_type;
|
||||||
+attribute userdom_home_reader_type;
|
+attribute userdom_home_reader_type;
|
||||||
+attribute userdom_home_manager_type;
|
+attribute userdom_home_manager_type;
|
||||||
+attribute userdom_filetrans_type;
|
+attribute userdom_filetrans_type;
|
||||||
@ -43352,7 +43357,7 @@ index e2b538b..9e23738 100644
|
|||||||
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
|
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
|
||||||
fs_associate_tmpfs(user_home_dir_t)
|
fs_associate_tmpfs(user_home_dir_t)
|
||||||
files_type(user_home_dir_t)
|
files_type(user_home_dir_t)
|
||||||
@@ -70,26 +81,207 @@ ubac_constrained(user_home_dir_t)
|
@@ -70,26 +82,218 @@ ubac_constrained(user_home_dir_t)
|
||||||
|
|
||||||
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
|
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
|
||||||
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
|
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
|
||||||
@ -43436,6 +43441,17 @@ index e2b538b..9e23738 100644
|
|||||||
+ xserver_filetrans_home_content(userdomain)
|
+ xserver_filetrans_home_content(userdomain)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
+
|
||||||
|
+# rules for types which can read home certs
|
||||||
|
+allow userdom_home_reader_certs_type home_cert_t:dir list_dir_perms;
|
||||||
|
+read_files_pattern(userdom_home_reader_certs_type, home_cert_t, home_cert_t)
|
||||||
|
+read_lnk_files_pattern(userdom_home_reader_certs_type, home_cert_t, home_cert_t)
|
||||||
|
+userdom_search_user_home_content(userdom_home_reader_certs_type)
|
||||||
|
+
|
||||||
|
+tunable_policy(`use_ecryptfs_home_dirs',`
|
||||||
|
+ fs_read_ecryptfs_files(userdom_home_reader_certs_type)
|
||||||
|
+')
|
||||||
|
+
|
||||||
+tunable_policy(`use_nfs_home_dirs',`
|
+tunable_policy(`use_nfs_home_dirs',`
|
||||||
+ fs_list_auto_mountpoints(userdom_home_reader_type)
|
+ fs_list_auto_mountpoints(userdom_home_reader_type)
|
||||||
+ fs_read_nfs_files(userdom_home_reader_type)
|
+ fs_read_nfs_files(userdom_home_reader_type)
|
||||||
|
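Review bot: The `tunable_policy(`use_ecryptfs_home_dirs',`…`)` block added to userdomain.te in the `@ -43436,6 +43441,17 @@` hunk, right after `# rules for types which can read home certs`, grants `fs_read_ecryptfs_files` to the whole `userdom_home_reader_certs_type` attribute, and ecryptfs_t is a single label for the entire encrypted home rather than for the cert directory alone, so every caller of `userdom_read_home_certs` gains read access to all ecryptfs-backed home content once that boolean is on. This is presumably unavoidable for a filesystem without per-file labels (the `use_nfs_home_dirs` block just below does the same for `userdom_home_reader_type`), but nothing in the hunk says so, and after this commit `userdom_read_home_certs` in userdomain.if reads as a narrow cert-only grant. I would add above the attribute rules `# NOTE: ecryptfs_t covers every file of an ecryptfs-backed home, so with use_ecryptfs_home_dirs on` / `# a cert reader can read any home file there, not only home_cert_t content` and repeat the caveat in the interface's `<summary>` block, which lies outside this hunk. The `use_nfs_home_dirs` tunable block continues past the end of the hunk.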
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.12.1
|
Version: 3.12.1
|
||||||
Release: 37%{?dist}
|
Release: 38%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -530,6 +530,29 @@ SELinux Reference policy mls base module.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Apr 30 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-38
|
||||||
|
- Allow thumbnails to share memory with apps which run thumbnails
|
||||||
|
- Allow postfix-postqueue block_suspend
|
||||||
|
- Add lib interfaces for smsd
|
||||||
|
- Add support for nginx
|
||||||
|
- Allow s2s running as jabberd_t to connect to jabber_interserver_port_t
|
||||||
|
- Allow pki apache domain to create own tmp files and execute httpd_suexec
|
||||||
|
- Allow procmail to manger user tmp files/dirs/lnk_files
|
||||||
|
- Add virt_stream_connect_svirt() interface
|
||||||
|
- Allow dovecot-auth to execute bin_t
|
||||||
|
- Allow iscsid to request that kernel load a kernel module
|
||||||
|
- Add labeling support for /var/lib/mod_security
|
||||||
|
- Allow iw running as tuned_t to create netlink socket
|
||||||
|
- Dontaudit sys_tty_config for thumb_t
|
||||||
|
- Add labeling for nm-l2tp-service
|
||||||
|
- Allow httpd running as certwatch_t to open tcp socket
|
||||||
|
- Allow useradd to manager smsd lib files
|
||||||
|
- Allow useradd_t to add homedirs in /var/lib
|
||||||
|
- Fix typo in userdomain.te
|
||||||
|
- Cleanup userdom_read_home_certs
|
||||||
|
- Implement userdom_home_reader_certs_type to allow read certs also on encrypt /home with ecryptfs_t
|
||||||
|
- Allow staff to stream connect to svirt_t to make gnome-boxes working
|
||||||
|
|
||||||
* Fri Apr 26 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-37
|
* Fri Apr 26 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-37
|
||||||
- Allow lvm to create its own unit files
|
- Allow lvm to create its own unit files
|
||||||
- Label /var/lib/sepolgen as selinux_config_t
|
- Label /var/lib/sepolgen as selinux_config_t
|
||||||
|