- Allow init_t to stream connect to ipsec
- Add /usr/lib/systemd/systemd-networkd policy - Add sysnet_manage_config_dirs() - Add support for /var/run/systemd/network and label it as net_conf_t - Allow unprivileged SELinux users to dbus chat with firewalld - Add lvm_write_metadata() - Label /etc/yum.reposd dir as system_conf_t. Should be safe because system_conf_t is base_ro_file_type - Add support for /dev/vmcp and /dev/sclp - Add docker_connect_any boolean - Fix zabbix policy - Allow zabbix to send system log msgs - Allow pegasus_openlmi_storage_t to write lvm metadata - Update pcp_bind_all_unreserved_ports - Allow numad to write scan_sleep_millisecs - Turn on entropyd_use_audio boolean by default - Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf. - Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
This commit is contained in:
parent
24a25f20cc
commit
ab84f40064
Binary file not shown.
@ -13,3 +13,10 @@ optional_policy(`
|
||||
')
|
||||
permissive docker_t;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type systemd_networkd_t;
|
||||
')
|
||||
permissive systemd_networkd_t;
|
||||
')
|
||||
|
@ -23461,19 +23461,28 @@ index 0000000..89401fe
|
||||
+')
|
||||
diff --git a/docker.te b/docker.te
|
||||
new file mode 100644
|
||||
index 0000000..75d51ed
|
||||
index 0000000..412e818
|
||||
--- /dev/null
|
||||
+++ b/docker.te
|
||||
@@ -0,0 +1,240 @@
|
||||
@@ -0,0 +1,256 @@
|
||||
+policy_module(docker, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# Declarations
|
||||
+#
|
||||
+
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Allow docker to transition to unconfined conateiners
|
||||
+## Determine whether docker can
|
||||
+## connect to all TCP ports.
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+gen_tunable(docker_connect_any, false)
|
||||
+
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Allow docker to transition to unconfined containers.
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+gen_tunable(docker_transition_unconfined, false)
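Review bot: The `<desc>` block for docker_connect_any opens with a stray sentence, `## Allow docker to transition to unconfined conateiners`, that belongs to the docker_transition_unconfined tunable declared immediately below it (and misspells "containers"); boolean descriptions are what semanage/setsebool show an administrator, so this one currently describes the wrong privilege. Drop that line so the description reads only `## Determine whether docker can` / `## connect to all TCP ports.`. Since the tunable_policy body for this boolean, in a later hunk of the same patch, also grants `corenet_sendrecv_all_packets(docker_t)`, the description could additionally mention packet send/receive so the two agree.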
|
||||
@ -23583,6 +23592,7 @@ index 0000000..75d51ed
|
||||
+corenet_tcp_sendrecv_generic_port(docker_t)
|
||||
+corenet_tcp_bind_all_ports(docker_t)
|
||||
+corenet_tcp_connect_http_port(docker_t)
|
||||
+corenet_tcp_connect_commplex_main_port(docker_t)
|
||||
+corenet_udp_sendrecv_generic_if(docker_t)
|
||||
+corenet_udp_sendrecv_generic_node(docker_t)
|
||||
+corenet_udp_sendrecv_all_ports(docker_t)
|
||||
@ -23701,6 +23711,12 @@ index 0000000..75d51ed
|
||||
+ virt_mounton_sandbox_file(docker_t)
|
||||
+')
|
||||
+
|
||||
+tunable_policy(`docker_connect_any',`
|
||||
+ corenet_tcp_connect_all_ports(docker_t)
|
||||
+ corenet_sendrecv_all_packets(docker_t)
|
||||
+ corenet_tcp_sendrecv_all_ports(docker_t)
|
||||
+')
|
||||
+
|
||||
+tunable_policy(`docker_transition_unconfined',`
|
||||
+ unconfined_transition(docker_t, docker_share_t)
|
||||
+ unconfined_transition(docker_t, docker_var_lib_t)
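Review bot: `corenet_sendrecv_all_packets(docker_t)` inside the docker_connect_any branch is broader than the boolean's stated purpose of letting docker connect to all TCP ports: elsewhere in this same patch the narrower forms are used, `corenet_sendrecv_all_client_packets` for zabbix_can_network and `corenet_sendrecv_all_server_packets` for pcp_bind_all_unreserved_ports, and a connect-only boolean presumably needs just the client variant. Suggest `corenet_sendrecv_all_client_packets(docker_t)` unless server-side packet access is intended, in which case the tunable's description should say so. The docker_transition_unconfined block that begins at the end of this hunk continues past it.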
|
||||
@ -59105,10 +59121,10 @@ index 0000000..d9296b1
|
||||
+
|
||||
diff --git a/pcp.te b/pcp.te
|
||||
new file mode 100644
|
||||
index 0000000..fc9dd48
|
||||
index 0000000..d4c7e21
|
||||
--- /dev/null
|
||||
+++ b/pcp.te
|
||||
@@ -0,0 +1,215 @@
|
||||
@@ -0,0 +1,232 @@
|
||||
+policy_module(pcp, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -59116,6 +59132,14 @@ index 0000000..fc9dd48
|
||||
+# Declarations
|
||||
+#
|
||||
+
|
||||
+
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Allow pcp to bind to all unreserved_ports
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+gen_tunable(pcp_bind_all_unreserved_ports, false)
|
||||
+
|
||||
+attribute pcp_domain;
|
||||
+
|
||||
+pcp_domain_template(pmcd)
|
||||
@ -59185,6 +59209,15 @@ index 0000000..fc9dd48
|
||||
+
|
||||
+sysnet_read_config(pcp_domain)
|
||||
+
|
||||
+tunable_policy(`pcp_bind_all_unreserved_ports',`
|
||||
+ corenet_sendrecv_all_server_packets(pcp_pmcd_t)
|
||||
+ corenet_sendrecv_all_server_packets(pcp_pmlogger_t)
|
||||
+ corenet_tcp_bind_all_unreserved_ports(pcp_pmcd_t)
|
||||
+ corenet_tcp_bind_all_unreserved_ports(pcp_pmlogger_t)
|
||||
+
|
||||
+')
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# pcp_pmcd local policy
|
||||
@ -59572,7 +59605,7 @@ index d2fc677..ded726f 100644
|
||||
')
|
||||
+
|
||||
diff --git a/pegasus.te b/pegasus.te
|
||||
index 608f454..b01f04d 100644
|
||||
index 608f454..100a122 100644
|
||||
--- a/pegasus.te
|
||||
+++ b/pegasus.te
|
||||
@@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
|
||||
@ -59591,7 +59624,7 @@ index 608f454..b01f04d 100644
|
||||
type pegasus_cache_t;
|
||||
files_type(pegasus_cache_t)
|
||||
|
||||
@@ -30,20 +29,318 @@ files_type(pegasus_mof_t)
|
||||
@@ -30,20 +29,319 @@ files_type(pegasus_mof_t)
|
||||
type pegasus_var_run_t;
|
||||
files_pid_file(pegasus_var_run_t)
|
||||
|
||||
@ -59871,6 +59904,7 @@ index 608f454..b01f04d 100644
|
||||
+optional_policy(`
|
||||
+ lvm_domtrans(pegasus_openlmi_storage_t)
|
||||
+ lvm_read_metadata(pegasus_openlmi_storage_t)
|
||||
+ lvm_write_metadata(pegasus_openlmi_storage_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
@ -59915,7 +59949,7 @@ index 608f454..b01f04d 100644
|
||||
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
|
||||
@@ -54,22 +351,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
|
||||
@@ -54,22 +352,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
|
||||
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
||||
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
||||
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
||||
@ -59946,7 +59980,7 @@ index 608f454..b01f04d 100644
|
||||
|
||||
kernel_read_network_state(pegasus_t)
|
||||
kernel_read_kernel_sysctls(pegasus_t)
|
||||
@@ -80,27 +377,21 @@ kernel_read_net_sysctls(pegasus_t)
|
||||
@@ -80,27 +378,21 @@ kernel_read_net_sysctls(pegasus_t)
|
||||
kernel_read_xen_state(pegasus_t)
|
||||
kernel_write_xen_state(pegasus_t)
|
||||
|
||||
@ -59979,7 +60013,7 @@ index 608f454..b01f04d 100644
|
||||
|
||||
corecmd_exec_bin(pegasus_t)
|
||||
corecmd_exec_shell(pegasus_t)
|
||||
@@ -114,9 +405,11 @@ files_getattr_all_dirs(pegasus_t)
|
||||
@@ -114,9 +406,11 @@ files_getattr_all_dirs(pegasus_t)
|
||||
|
||||
auth_use_nsswitch(pegasus_t)
|
||||
auth_domtrans_chk_passwd(pegasus_t)
|
||||
@ -59991,7 +60025,7 @@ index 608f454..b01f04d 100644
|
||||
|
||||
files_list_var_lib(pegasus_t)
|
||||
files_read_var_lib_files(pegasus_t)
|
||||
@@ -128,18 +421,29 @@ init_stream_connect_script(pegasus_t)
|
||||
@@ -128,18 +422,29 @@ init_stream_connect_script(pegasus_t)
|
||||
logging_send_audit_msgs(pegasus_t)
|
||||
logging_send_syslog_msg(pegasus_t)
|
||||
|
||||
@ -60027,7 +60061,7 @@ index 608f454..b01f04d 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -151,16 +455,24 @@ optional_policy(`
|
||||
@@ -151,16 +456,24 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -60056,7 +60090,7 @@ index 608f454..b01f04d 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -168,7 +480,7 @@ optional_policy(`
|
||||
@@ -168,7 +481,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -104778,7 +104812,7 @@ index dd63de0..38ce620 100644
|
||||
- admin_pattern($1, zabbix_tmpfs_t)
|
||||
')
|
||||
diff --git a/zabbix.te b/zabbix.te
|
||||
index 7f496c6..eac3196 100644
|
||||
index 7f496c6..6a63c90 100644
|
||||
--- a/zabbix.te
|
||||
+++ b/zabbix.te
|
||||
@@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0)
|
||||
@ -104865,17 +104899,17 @@ index 7f496c6..eac3196 100644
|
||||
-allow zabbix_t self:shm create_shm_perms;
|
||||
-allow zabbix_t self:tcp_socket create_stream_socket_perms;
|
||||
+allow zabbix_t self:capability { dac_read_search dac_override };
|
||||
+
|
||||
+manage_dirs_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
|
||||
+manage_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
|
||||
+manage_lnk_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
|
||||
+files_var_lib_filetrans(zabbix_t, zabbix_var_lib_t, dir, "zabbixsrv")
|
||||
|
||||
-allow zabbix_t zabbix_log_t:dir setattr_dir_perms;
|
||||
-append_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
|
||||
-create_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
|
||||
-setattr_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
|
||||
-logging_log_filetrans(zabbix_t, zabbix_log_t, file)
|
||||
+manage_dirs_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
|
||||
+manage_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
|
||||
+manage_lnk_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
|
||||
+files_var_lib_filetrans(zabbix_t, zabbix_var_lib_t, dir, "zabbixsrv")
|
||||
+
|
||||
+manage_dirs_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
|
||||
+manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
|
||||
+manage_lnk_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
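Review bot: `allow zabbix_t self:capability { dac_read_search dac_override };` gives the server a blanket bypass of discretionary permission checks, and dac_override is the stronger of the two since it covers writes as well as reads and directory search. If the denials that motivated this were only reads of files owned by other users (the commit message, "Fix zabbix policy", does not say), the narrower form is `allow zabbix_t self:capability dac_read_search;` together with `dontaudit zabbix_t self:capability dac_override;` to silence the kernel's fallback check; otherwise a comment naming the write path that needs dac_override would help the next reviewer. Whether this line is newly introduced in this revision or carried context from the existing patch is not recoverable from the rendered hunk.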
|
||||
@ -104897,7 +104931,7 @@ index 7f496c6..eac3196 100644
|
||||
|
||||
corenet_sendrecv_ftp_client_packets(zabbix_t)
|
||||
corenet_tcp_connect_ftp_port(zabbix_t)
|
||||
@@ -85,22 +112,14 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t)
|
||||
@@ -85,24 +112,18 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t)
|
||||
corenet_sendrecv_http_client_packets(zabbix_t)
|
||||
corenet_tcp_connect_http_port(zabbix_t)
|
||||
corenet_tcp_sendrecv_http_port(zabbix_t)
|
||||
@ -104920,8 +104954,12 @@ index 7f496c6..eac3196 100644
|
||||
-
|
||||
zabbix_agent_tcp_connect(zabbix_t)
|
||||
|
||||
+logging_send_syslog_msg(zabbix_t)
|
||||
+
|
||||
tunable_policy(`zabbix_can_network',`
|
||||
@@ -110,12 +129,11 @@ tunable_policy(`zabbix_can_network',`
|
||||
corenet_sendrecv_all_client_packets(zabbix_t)
|
||||
corenet_tcp_connect_all_ports(zabbix_t)
|
||||
@@ -110,12 +131,11 @@ tunable_policy(`zabbix_can_network',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -104936,7 +104974,7 @@ index 7f496c6..eac3196 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -125,6 +143,7 @@ optional_policy(`
|
||||
@@ -125,6 +145,7 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
snmp_read_snmp_var_lib_files(zabbix_t)
|
||||
@ -104944,7 +104982,7 @@ index 7f496c6..eac3196 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -132,18 +151,7 @@ optional_policy(`
|
||||
@@ -132,18 +153,7 @@ optional_policy(`
|
||||
# Agent local policy
|
||||
#
|
||||
|
||||
@ -104964,7 +105002,7 @@ index 7f496c6..eac3196 100644
|
||||
|
||||
rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
|
||||
fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
|
||||
@@ -151,16 +159,12 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
|
||||
@@ -151,16 +161,12 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
|
||||
manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
|
||||
files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
|
||||
|
||||
@ -104983,7 +105021,7 @@ index 7f496c6..eac3196 100644
|
||||
|
||||
corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t)
|
||||
corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
|
||||
@@ -177,21 +181,28 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
|
||||
@@ -177,21 +183,28 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
|
||||
dev_getattr_all_blk_files(zabbix_agent_t)
|
||||
dev_getattr_all_chr_files(zabbix_agent_t)
|
||||
|
||||
@ -105259,7 +105297,7 @@ index 36e32df..3d08962 100644
|
||||
+ manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
|
||||
')
|
||||
diff --git a/zarafa.te b/zarafa.te
|
||||
index 3fded1c..5729b83 100644
|
||||
index 3fded1c..91ce270 100644
|
||||
--- a/zarafa.te
|
||||
+++ b/zarafa.te
|
||||
@@ -5,9 +5,14 @@ policy_module(zarafa, 1.2.0)
|
||||
@ -105268,7 +105306,7 @@ index 3fded1c..5729b83 100644
|
||||
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Allow zarafa domains to setrlimit/sys_rouserce.
|
||||
+## Allow zarafa domains to setrlimit/sys_resource.
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+gen_tunable(zarafa_setrlimit, false)
|
||||
|
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 31%{?dist}
|
||||
Release: 32%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -580,6 +580,25 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Mar 12 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-33
|
||||
- Allow init_t to stream connect to ipsec
|
||||
- Add /usr/lib/systemd/systemd-networkd policy
|
||||
- Add sysnet_manage_config_dirs()
|
||||
- Add support for /var/run/systemd/network and labeled it as net_conf_t
|
||||
- Allow unpriv SELinux users to dbus chat with firewalld
|
||||
- Add lvm_write_metadata()
|
||||
- Label /etc/yum.reposd dir as system_conf_t. Should be safe because system_conf_t is base_ro_file_type
|
||||
- Add support for /dev/vmcp and /dev/sclp
|
||||
- Add docker_connect_any boolean
|
||||
- Fix zabbix policy
|
||||
- Allow zabbix to send system log msgs
|
||||
- Allow pegasus_openlmi_storage_t to write lvm metadata
|
||||
- Updated pcp_bind_all_unreserved_ports
|
||||
- Allow numad to write scan_sleep_millisecs
|
||||
- Turn on entropyd_use_audio boolean by default
|
||||
- Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf.
|
||||
- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
|
||||
|
||||
* Mon Mar 10 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-32
|
||||
- Allow numad to write scan_sleep_millisecs
|
||||
- Turn on entropyd_use_audio boolean by default
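Review bot: The new %changelog entry is headed `3.13.1-33` while the Release tag in the same file is bumped only from 31 to `32%{?dist}`, and a `3.13.1-32` entry dated Mar 10 already sits directly below it, so the changelog version and the package release disagree (rpmlint flags this as incoherent-version-in-changelog). Either bump to `Release: 33%{?dist}` to match the entry, or retitle the entry `3.13.1-32` if this build really is release 32; which is intended is not visible here. The items "Allow numad to write scan_sleep_millisecs" and "Turn on entropyd_use_audio boolean by default" are repeated verbatim from the 3.13.1-32 entry and can be dropped from the new one.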
|
||||
|