- Allow init_t to stream connect to ipsec
- Add /usr/lib/systemd/systemd-networkd policy - Add sysnet_manage_config_dirs() - Add support for /var/run/systemd/network and labeled it as net_conf_t - Allow unpriv SELinux users to dbus chat with firewalld - Add lvm_write_metadata() - Label /etc/yum.reposd dir as system_conf_t. Should be safe because system_conf_t is base_ro_file_type - Add support for /dev/vmcp and /dev/sclp - Add docker_connect_any boolean - Fix zabbix policy - Allow zabbix to send system log msgs - Allow pegasus_openlmi_storage_t to write lvm metadata - Updated pcp_bind_all_unreserved_ports - Allow numad to write scan_sleep_millisecs - Turn on entropyd_use_audio boolean by default - Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf. - Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
parent
24a25f20cc
commit
ab84f40064
Binary file not shown.
@ -13,3 +13,10 @@ optional_policy(`
|
|||||||
')
|
')
|
||||||
permissive docker_t;
|
permissive docker_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
gen_require(`
|
||||||
|
type systemd_networkd_t;
|
||||||
|
')
|
||||||
|
permissive systemd_networkd_t;
|
||||||
|
')
|
||||||
|
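Review bot: The added `permissive systemd_networkd_t;` block at the end of this section has no comment saying that the domain is permissive only while its new policy is being tested, or when it is expected to move to enforcing. While a domain is permissive its denials are logged but not enforced, so the systemd-networkd policy named in the commit message does not yet confine the daemon. I would put one line above the block, for example `# systemd_networkd_t: new policy, permissive until its AVC denials are reviewed`. The existing `permissive docker_t;` block above it would benefit from the same comment.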
File diff suppressed because it is too large
@ -23461,19 +23461,28 @@ index 0000000..89401fe
|
|||||||
+')
|
+')
|
||||||
diff --git a/docker.te b/docker.te
|
diff --git a/docker.te b/docker.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..75d51ed
|
index 0000000..412e818
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/docker.te
|
+++ b/docker.te
|
||||||
@@ -0,0 +1,240 @@
|
@@ -0,0 +1,256 @@
|
||||||
+policy_module(docker, 1.0.0)
|
+policy_module(docker, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+#
|
+#
|
||||||
+# Declarations
|
+# Declarations
|
||||||
+#
|
+#
|
||||||
|
+
|
||||||
|
+## <desc>
|
||||||
|
+## <p>
|
||||||
|
+## Determine whether docker can
|
||||||
|
+## connect to all TCP ports.
|
||||||
|
+## </p>
|
||||||
|
+## </desc>
|
||||||
|
+gen_tunable(docker_connect_any, false)
|
||||||
|
+
|
||||||
+## <desc>
|
+## <desc>
|
||||||
+## <p>
|
+## <p>
|
||||||
+## Allow docker to transition to unconfined conateiners
|
+## Allow docker to transition to unconfined containers.
|
||||||
+## </p>
|
+## </p>
|
||||||
+## </desc>
|
+## </desc>
|
||||||
+gen_tunable(docker_transition_unconfined, false)
|
+gen_tunable(docker_transition_unconfined, false)
|
||||||
@ -23583,6 +23592,7 @@ index 0000000..75d51ed
|
|||||||
+corenet_tcp_sendrecv_generic_port(docker_t)
|
+corenet_tcp_sendrecv_generic_port(docker_t)
|
||||||
+corenet_tcp_bind_all_ports(docker_t)
|
+corenet_tcp_bind_all_ports(docker_t)
|
||||||
+corenet_tcp_connect_http_port(docker_t)
|
+corenet_tcp_connect_http_port(docker_t)
|
||||||
|
+corenet_tcp_connect_commplex_main_port(docker_t)
|
||||||
+corenet_udp_sendrecv_generic_if(docker_t)
|
+corenet_udp_sendrecv_generic_if(docker_t)
|
||||||
+corenet_udp_sendrecv_generic_node(docker_t)
|
+corenet_udp_sendrecv_generic_node(docker_t)
|
||||||
+corenet_udp_sendrecv_all_ports(docker_t)
|
+corenet_udp_sendrecv_all_ports(docker_t)
|
||||||
@ -23701,6 +23711,12 @@ index 0000000..75d51ed
|
|||||||
+ virt_mounton_sandbox_file(docker_t)
|
+ virt_mounton_sandbox_file(docker_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
+tunable_policy(`docker_connect_any',`
|
||||||
|
+ corenet_tcp_connect_all_ports(docker_t)
|
||||||
|
+ corenet_sendrecv_all_packets(docker_t)
|
||||||
|
+ corenet_tcp_sendrecv_all_ports(docker_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
+tunable_policy(`docker_transition_unconfined',`
|
+tunable_policy(`docker_transition_unconfined',`
|
||||||
+ unconfined_transition(docker_t, docker_share_t)
|
+ unconfined_transition(docker_t, docker_share_t)
|
||||||
+ unconfined_transition(docker_t, docker_var_lib_t)
|
+ unconfined_transition(docker_t, docker_var_lib_t)
|
||||||
@ -59105,10 +59121,10 @@ index 0000000..d9296b1
|
|||||||
+
|
+
|
||||||
diff --git a/pcp.te b/pcp.te
|
diff --git a/pcp.te b/pcp.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..fc9dd48
|
index 0000000..d4c7e21
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/pcp.te
|
+++ b/pcp.te
|
||||||
@@ -0,0 +1,215 @@
|
@@ -0,0 +1,232 @@
|
||||||
+policy_module(pcp, 1.0.0)
|
+policy_module(pcp, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -59116,6 +59132,14 @@ index 0000000..fc9dd48
|
|||||||
+# Declarations
|
+# Declarations
|
||||||
+#
|
+#
|
||||||
+
|
+
|
||||||
|
+
|
||||||
|
+## <desc>
|
||||||
|
+## <p>
|
||||||
|
+## Allow pcp to bind to all unreserved_ports
|
||||||
|
+## </p>
|
||||||
|
+## </desc>
|
||||||
|
+gen_tunable(pcp_bind_all_unreserved_ports, false)
|
||||||
|
+
|
||||||
+attribute pcp_domain;
|
+attribute pcp_domain;
|
||||||
+
|
+
|
||||||
+pcp_domain_template(pmcd)
|
+pcp_domain_template(pmcd)
|
||||||
@ -59185,6 +59209,15 @@ index 0000000..fc9dd48
|
|||||||
+
|
+
|
||||||
+sysnet_read_config(pcp_domain)
|
+sysnet_read_config(pcp_domain)
|
||||||
+
|
+
|
||||||
|
+tunable_policy(`pcp_bind_all_unreserved_ports',`
|
||||||
|
+ corenet_sendrecv_all_server_packets(pcp_pmcd_t)
|
||||||
|
+ corenet_sendrecv_all_server_packets(pcp_pmlogger_t)
|
||||||
|
+ corenet_tcp_bind_all_unreserved_ports(pcp_pmcd_t)
|
||||||
|
+ corenet_tcp_bind_all_unreserved_ports(pcp_pmlogger_t)
|
||||||
|
+
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+#
|
+#
|
||||||
+# pcp_pmcd local policy
|
+# pcp_pmcd local policy
|
||||||
@ -59572,7 +59605,7 @@ index d2fc677..ded726f 100644
|
|||||||
')
|
')
|
||||||
+
|
+
|
||||||
diff --git a/pegasus.te b/pegasus.te
|
diff --git a/pegasus.te b/pegasus.te
|
||||||
index 608f454..b01f04d 100644
|
index 608f454..100a122 100644
|
||||||
--- a/pegasus.te
|
--- a/pegasus.te
|
||||||
+++ b/pegasus.te
|
+++ b/pegasus.te
|
||||||
@@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
|
@@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
|
||||||
@ -59591,7 +59624,7 @@ index 608f454..b01f04d 100644
|
|||||||
type pegasus_cache_t;
|
type pegasus_cache_t;
|
||||||
files_type(pegasus_cache_t)
|
files_type(pegasus_cache_t)
|
||||||
|
|
||||||
@@ -30,20 +29,318 @@ files_type(pegasus_mof_t)
|
@@ -30,20 +29,319 @@ files_type(pegasus_mof_t)
|
||||||
type pegasus_var_run_t;
|
type pegasus_var_run_t;
|
||||||
files_pid_file(pegasus_var_run_t)
|
files_pid_file(pegasus_var_run_t)
|
||||||
|
|
||||||
@ -59871,6 +59904,7 @@ index 608f454..b01f04d 100644
|
|||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ lvm_domtrans(pegasus_openlmi_storage_t)
|
+ lvm_domtrans(pegasus_openlmi_storage_t)
|
||||||
+ lvm_read_metadata(pegasus_openlmi_storage_t)
|
+ lvm_read_metadata(pegasus_openlmi_storage_t)
|
||||||
|
+ lvm_write_metadata(pegasus_openlmi_storage_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
@ -59915,7 +59949,7 @@ index 608f454..b01f04d 100644
|
|||||||
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
|
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
|
||||||
|
|
||||||
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
|
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
|
||||||
@@ -54,22 +351,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
|
@@ -54,22 +352,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
|
||||||
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
||||||
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
||||||
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
||||||
@ -59946,7 +59980,7 @@ index 608f454..b01f04d 100644
|
|||||||
|
|
||||||
kernel_read_network_state(pegasus_t)
|
kernel_read_network_state(pegasus_t)
|
||||||
kernel_read_kernel_sysctls(pegasus_t)
|
kernel_read_kernel_sysctls(pegasus_t)
|
||||||
@@ -80,27 +377,21 @@ kernel_read_net_sysctls(pegasus_t)
|
@@ -80,27 +378,21 @@ kernel_read_net_sysctls(pegasus_t)
|
||||||
kernel_read_xen_state(pegasus_t)
|
kernel_read_xen_state(pegasus_t)
|
||||||
kernel_write_xen_state(pegasus_t)
|
kernel_write_xen_state(pegasus_t)
|
||||||
|
|
||||||
@ -59979,7 +60013,7 @@ index 608f454..b01f04d 100644
|
|||||||
|
|
||||||
corecmd_exec_bin(pegasus_t)
|
corecmd_exec_bin(pegasus_t)
|
||||||
corecmd_exec_shell(pegasus_t)
|
corecmd_exec_shell(pegasus_t)
|
||||||
@@ -114,9 +405,11 @@ files_getattr_all_dirs(pegasus_t)
|
@@ -114,9 +406,11 @@ files_getattr_all_dirs(pegasus_t)
|
||||||
|
|
||||||
auth_use_nsswitch(pegasus_t)
|
auth_use_nsswitch(pegasus_t)
|
||||||
auth_domtrans_chk_passwd(pegasus_t)
|
auth_domtrans_chk_passwd(pegasus_t)
|
||||||
@ -59991,7 +60025,7 @@ index 608f454..b01f04d 100644
|
|||||||
|
|
||||||
files_list_var_lib(pegasus_t)
|
files_list_var_lib(pegasus_t)
|
||||||
files_read_var_lib_files(pegasus_t)
|
files_read_var_lib_files(pegasus_t)
|
||||||
@@ -128,18 +421,29 @@ init_stream_connect_script(pegasus_t)
|
@@ -128,18 +422,29 @@ init_stream_connect_script(pegasus_t)
|
||||||
logging_send_audit_msgs(pegasus_t)
|
logging_send_audit_msgs(pegasus_t)
|
||||||
logging_send_syslog_msg(pegasus_t)
|
logging_send_syslog_msg(pegasus_t)
|
||||||
|
|
||||||
@ -60027,7 +60061,7 @@ index 608f454..b01f04d 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -151,16 +455,24 @@ optional_policy(`
|
@@ -151,16 +456,24 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -60056,7 +60090,7 @@ index 608f454..b01f04d 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -168,7 +480,7 @@ optional_policy(`
|
@@ -168,7 +481,7 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -104778,7 +104812,7 @@ index dd63de0..38ce620 100644
|
|||||||
- admin_pattern($1, zabbix_tmpfs_t)
|
- admin_pattern($1, zabbix_tmpfs_t)
|
||||||
')
|
')
|
||||||
diff --git a/zabbix.te b/zabbix.te
|
diff --git a/zabbix.te b/zabbix.te
|
||||||
index 7f496c6..eac3196 100644
|
index 7f496c6..6a63c90 100644
|
||||||
--- a/zabbix.te
|
--- a/zabbix.te
|
||||||
+++ b/zabbix.te
|
+++ b/zabbix.te
|
||||||
@@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0)
|
@@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0)
|
||||||
@ -104865,17 +104899,17 @@ index 7f496c6..eac3196 100644
|
|||||||
-allow zabbix_t self:shm create_shm_perms;
|
-allow zabbix_t self:shm create_shm_perms;
|
||||||
-allow zabbix_t self:tcp_socket create_stream_socket_perms;
|
-allow zabbix_t self:tcp_socket create_stream_socket_perms;
|
||||||
+allow zabbix_t self:capability { dac_read_search dac_override };
|
+allow zabbix_t self:capability { dac_read_search dac_override };
|
||||||
+
|
|
||||||
+manage_dirs_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
|
|
||||||
+manage_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
|
|
||||||
+manage_lnk_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
|
|
||||||
+files_var_lib_filetrans(zabbix_t, zabbix_var_lib_t, dir, "zabbixsrv")
|
|
||||||
|
|
||||||
-allow zabbix_t zabbix_log_t:dir setattr_dir_perms;
|
-allow zabbix_t zabbix_log_t:dir setattr_dir_perms;
|
||||||
-append_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
|
-append_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
|
||||||
-create_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
|
-create_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
|
||||||
-setattr_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
|
-setattr_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
|
||||||
-logging_log_filetrans(zabbix_t, zabbix_log_t, file)
|
-logging_log_filetrans(zabbix_t, zabbix_log_t, file)
|
||||||
|
+manage_dirs_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
|
||||||
|
+manage_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
|
||||||
|
+manage_lnk_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
|
||||||
|
+files_var_lib_filetrans(zabbix_t, zabbix_var_lib_t, dir, "zabbixsrv")
|
||||||
|
+
|
||||||
+manage_dirs_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
|
+manage_dirs_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
|
||||||
+manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
|
+manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
|
||||||
+manage_lnk_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
|
+manage_lnk_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
|
||||||
@ -104897,7 +104931,7 @@ index 7f496c6..eac3196 100644
|
|||||||
|
|
||||||
corenet_sendrecv_ftp_client_packets(zabbix_t)
|
corenet_sendrecv_ftp_client_packets(zabbix_t)
|
||||||
corenet_tcp_connect_ftp_port(zabbix_t)
|
corenet_tcp_connect_ftp_port(zabbix_t)
|
||||||
@@ -85,22 +112,14 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t)
|
@@ -85,24 +112,18 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t)
|
||||||
corenet_sendrecv_http_client_packets(zabbix_t)
|
corenet_sendrecv_http_client_packets(zabbix_t)
|
||||||
corenet_tcp_connect_http_port(zabbix_t)
|
corenet_tcp_connect_http_port(zabbix_t)
|
||||||
corenet_tcp_sendrecv_http_port(zabbix_t)
|
corenet_tcp_sendrecv_http_port(zabbix_t)
|
||||||
@ -104920,8 +104954,12 @@ index 7f496c6..eac3196 100644
|
|||||||
-
|
-
|
||||||
zabbix_agent_tcp_connect(zabbix_t)
|
zabbix_agent_tcp_connect(zabbix_t)
|
||||||
|
|
||||||
|
+logging_send_syslog_msg(zabbix_t)
|
||||||
|
+
|
||||||
tunable_policy(`zabbix_can_network',`
|
tunable_policy(`zabbix_can_network',`
|
||||||
@@ -110,12 +129,11 @@ tunable_policy(`zabbix_can_network',`
|
corenet_sendrecv_all_client_packets(zabbix_t)
|
||||||
|
corenet_tcp_connect_all_ports(zabbix_t)
|
||||||
|
@@ -110,12 +131,11 @@ tunable_policy(`zabbix_can_network',`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -104936,7 +104974,7 @@ index 7f496c6..eac3196 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -125,6 +143,7 @@ optional_policy(`
|
@@ -125,6 +145,7 @@ optional_policy(`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
snmp_read_snmp_var_lib_files(zabbix_t)
|
snmp_read_snmp_var_lib_files(zabbix_t)
|
||||||
@ -104944,7 +104982,7 @@ index 7f496c6..eac3196 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -132,18 +151,7 @@ optional_policy(`
|
@@ -132,18 +153,7 @@ optional_policy(`
|
||||||
# Agent local policy
|
# Agent local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -104964,7 +105002,7 @@ index 7f496c6..eac3196 100644
|
|||||||
|
|
||||||
rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
|
rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
|
||||||
fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
|
fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
|
||||||
@@ -151,16 +159,12 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
|
@@ -151,16 +161,12 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
|
||||||
manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
|
manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
|
||||||
files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
|
files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
|
||||||
|
|
||||||
@ -104983,7 +105021,7 @@ index 7f496c6..eac3196 100644
|
|||||||
|
|
||||||
corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t)
|
corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t)
|
||||||
corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
|
corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
|
||||||
@@ -177,21 +181,28 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
|
@@ -177,21 +183,28 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
|
||||||
dev_getattr_all_blk_files(zabbix_agent_t)
|
dev_getattr_all_blk_files(zabbix_agent_t)
|
||||||
dev_getattr_all_chr_files(zabbix_agent_t)
|
dev_getattr_all_chr_files(zabbix_agent_t)
|
||||||
|
|
||||||
@ -105259,7 +105297,7 @@ index 36e32df..3d08962 100644
|
|||||||
+ manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
|
+ manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
|
||||||
')
|
')
|
||||||
diff --git a/zarafa.te b/zarafa.te
|
diff --git a/zarafa.te b/zarafa.te
|
||||||
index 3fded1c..5729b83 100644
|
index 3fded1c..91ce270 100644
|
||||||
--- a/zarafa.te
|
--- a/zarafa.te
|
||||||
+++ b/zarafa.te
|
+++ b/zarafa.te
|
||||||
@@ -5,9 +5,14 @@ policy_module(zarafa, 1.2.0)
|
@@ -5,9 +5,14 @@ policy_module(zarafa, 1.2.0)
|
||||||
@ -105268,7 +105306,7 @@ index 3fded1c..5729b83 100644
|
|||||||
|
|
||||||
+## <desc>
|
+## <desc>
|
||||||
+## <p>
|
+## <p>
|
||||||
+## Allow zarafa domains to setrlimit/sys_rouserce.
|
+## Allow zarafa domains to setrlimit/sys_resource.
|
||||||
+## </p>
|
+## </p>
|
||||||
+## </desc>
|
+## </desc>
|
||||||
+gen_tunable(zarafa_setrlimit, false)
|
+gen_tunable(zarafa_setrlimit, false)
|
||||||
|
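Review bot: In the docker.te part of this patch, the new docker_connect_any tunable_policy block grants `corenet_sendrecv_all_packets(docker_t)`, which is broader than the boolean's own description ("connect to all TCP ports"). For an outbound-connect boolean the client-side interface is the closer fit, `corenet_sendrecv_all_client_packets(docker_t)`, which is what the zabbix_can_network block in zabbix.te on this page uses next to `corenet_tcp_connect_all_ports`. If docker_t really needs server packets here as well, presumably because of rules outside the visible hunks, the `<desc>` text should say so. Administrators enabling the boolean would then know they are granting more than connect. The docker.te hunks shown are excerpts; the rest of the module is not visible on this page.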
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.13.1
|
Version: 3.13.1
|
||||||
Release: 31%{?dist}
|
Release: 32%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -580,6 +580,25 @@ SELinux Reference policy mls base module.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Mar 12 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-33
|
||||||
|
- Allow init_t to stream connect to ipsec
|
||||||
|
- Add /usr/lib/systemd/systemd-networkd policy
|
||||||
|
- Add sysnet_manage_config_dirs()
|
||||||
|
- Add support for /var/run/systemd/network and labeled it as net_conf_t
|
||||||
|
- Allow unpriv SELinux users to dbus chat with firewalld
|
||||||
|
- Add lvm_write_metadata()
|
||||||
|
- Label /etc/yum.reposd dir as system_conf_t. Should be safe because system_conf_t is base_ro_file_type
|
||||||
|
- Add support for /dev/vmcp and /dev/sclp
|
||||||
|
- Add docker_connect_any boolean
|
||||||
|
- Fix zabbix policy
|
||||||
|
- Allow zabbix to send system log msgs
|
||||||
|
- Allow pegasus_openlmi_storage_t to write lvm metadata
|
||||||
|
- Updated pcp_bind_all_unreserved_ports
|
||||||
|
- Allow numad to write scan_sleep_millisecs
|
||||||
|
- Turn on entropyd_use_audio boolean by default
|
||||||
|
- Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf.
|
||||||
|
- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
|
||||||
|
|
||||||
* Mon Mar 10 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-32
|
* Mon Mar 10 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-32
|
||||||
- Allow numad to write scan_sleep_millisecs
|
- Allow numad to write scan_sleep_millisecs
|
||||||
- Turn on entropyd_use_audio boolean by default
|
- Turn on entropyd_use_audio boolean by default
|
||||||
|