- Allow gpg to read fips_enabled
- Add support for /var/cache/realmd - Add support for /usr/sbin/blazer_usb and systemd support for nut - Add labeling for fenced_sanlock and allow sanlock transition to fen - bitlbee wants to read own log file - Allow glance domain to send a signal itself - Allow xend_t to request that the kernel load a kernel module - Allow pacemaker to execute heartbeat lib files - cleanup new swift policy
parent
d4e203ba2f
commit
ad094338a5
@ -235863,10 +235863,10 @@ index 0000000..a4b0917
|
||||
+
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
new file mode 100644
|
||||
index 0000000..9b74225
|
||||
index 0000000..1131866
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -0,0 +1,612 @@
|
||||
@@ -0,0 +1,616 @@
|
||||
+policy_module(systemd, 1.0.0)
|
||||
+
|
||||
+#######################################
|
||||
@ -236474,10 +236474,14 @@ index 0000000..9b74225
|
||||
+
|
||||
+files_read_system_conf_files(systemd_sysctl_t)
|
||||
+
|
||||
+dev_write_kmsg(systemd_sysctl_t)
|
||||
+
|
||||
+domain_use_interactive_fds(systemd_sysctl_t)
|
||||
+
|
||||
+files_read_etc_files(systemd_sysctl_t)
|
||||
+
|
||||
+init_stream_connect(systemd_sysctl_t)
|
||||
+
|
||||
+logging_stream_connect_syslog(systemd_sysctl_t)
|
||||
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
|
||||
index 40928d8..49fd32e 100644
|
||||
|
@ -8023,7 +8023,7 @@ index e73fb79..2badfc0 100644
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 bitlbee_initrc_exec_t system_r;
|
||||
diff --git a/bitlbee.te b/bitlbee.te
|
||||
index ac8c91e..a63f4c2 100644
|
||||
index ac8c91e..80ecd7e 100644
|
||||
--- a/bitlbee.te
|
||||
+++ b/bitlbee.te
|
||||
@@ -35,9 +35,12 @@ files_pid_file(bitlbee_var_run_t)
|
||||
@ -8041,7 +8041,15 @@ index ac8c91e..a63f4c2 100644
|
||||
|
||||
allow bitlbee_t bitlbee_conf_t:dir list_dir_perms;
|
||||
allow bitlbee_t bitlbee_conf_t:file read_file_perms;
|
||||
@@ -59,8 +62,8 @@ manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
|
||||
@@ -45,6 +48,7 @@ allow bitlbee_t bitlbee_conf_t:file read_file_perms;
|
||||
manage_dirs_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
|
||||
append_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
|
||||
create_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
|
||||
+read_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
|
||||
setattr_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
|
||||
|
||||
manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
|
||||
@@ -59,8 +63,8 @@ manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
|
||||
manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
|
||||
files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })
|
||||
|
||||
@ -8051,7 +8059,7 @@ index ac8c91e..a63f4c2 100644
|
||||
|
||||
corenet_all_recvfrom_unlabeled(bitlbee_t)
|
||||
corenet_all_recvfrom_netlabel(bitlbee_t)
|
||||
@@ -109,16 +112,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t)
|
||||
@@ -109,16 +113,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t)
|
||||
dev_read_rand(bitlbee_t)
|
||||
dev_read_urand(bitlbee_t)
|
||||
|
||||
@ -23395,7 +23403,7 @@ index 9eacb2c..229782f 100644
|
||||
init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
|
||||
domain_system_change_exemption($1)
|
||||
diff --git a/glance.te b/glance.te
|
||||
index e0a4f46..be03e22 100644
|
||||
index e0a4f46..70277e8 100644
|
||||
--- a/glance.te
|
||||
+++ b/glance.te
|
||||
@@ -7,8 +7,7 @@ policy_module(glance, 1.0.2)
|
||||
@ -23421,7 +23429,15 @@ index e0a4f46..be03e22 100644
|
||||
init_daemon_domain(glance_api_t, glance_api_exec_t)
|
||||
|
||||
type glance_api_initrc_exec_t;
|
||||
@@ -56,10 +57,6 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
|
||||
@@ -41,6 +42,7 @@ files_pid_file(glance_var_run_t)
|
||||
# Common local policy
|
||||
#
|
||||
|
||||
+allow glance_domain self:process signal_perms;
|
||||
allow glance_domain self:fifo_file rw_fifo_file_perms;
|
||||
allow glance_domain self:unix_stream_socket create_stream_socket_perms;
|
||||
allow glance_domain self:tcp_socket { accept listen };
|
||||
@@ -56,10 +58,6 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
|
||||
manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
|
||||
manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
|
||||
|
||||
@ -23432,7 +23448,7 @@ index e0a4f46..be03e22 100644
|
||||
corenet_tcp_sendrecv_generic_if(glance_domain)
|
||||
corenet_tcp_sendrecv_generic_node(glance_domain)
|
||||
corenet_tcp_sendrecv_all_ports(glance_domain)
|
||||
@@ -70,13 +67,10 @@ corecmd_exec_shell(glance_domain)
|
||||
@@ -70,13 +68,10 @@ corecmd_exec_shell(glance_domain)
|
||||
|
||||
dev_read_urand(glance_domain)
|
||||
|
||||
@ -23447,7 +23463,7 @@ index e0a4f46..be03e22 100644
|
||||
sysnet_dns_name_resolve(glance_domain)
|
||||
|
||||
########################################
|
||||
@@ -88,8 +82,15 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
|
||||
@@ -88,8 +83,15 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
|
||||
manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
|
||||
files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file })
|
||||
|
||||
@ -23463,7 +23479,7 @@ index e0a4f46..be03e22 100644
|
||||
|
||||
logging_send_syslog_msg(glance_registry_t)
|
||||
|
||||
@@ -108,13 +109,19 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
|
||||
@@ -108,13 +110,19 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
|
||||
files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
|
||||
can_exec(glance_api_t, glance_tmp_t)
|
||||
|
||||
@ -26764,7 +26780,7 @@ index 180f1b7..951b790 100644
|
||||
+ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
|
||||
+')
|
||||
diff --git a/gpg.te b/gpg.te
|
||||
index 44cf341..c47fa5f 100644
|
||||
index 44cf341..8424d09 100644
|
||||
--- a/gpg.te
|
||||
+++ b/gpg.te
|
||||
@@ -1,47 +1,47 @@
|
||||
@ -26836,7 +26852,7 @@ index 44cf341..c47fa5f 100644
|
||||
|
||||
type gpg_secret_t;
|
||||
typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t };
|
||||
@@ -52,112 +52,115 @@ type gpg_helper_t;
|
||||
@@ -52,112 +52,116 @@ type gpg_helper_t;
|
||||
type gpg_helper_exec_t;
|
||||
typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t };
|
||||
typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t };
|
||||
@ -26912,6 +26928,7 @@ index 44cf341..c47fa5f 100644
|
||||
+userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir, ".gnupg")
|
||||
|
||||
kernel_read_sysctl(gpg_t)
|
||||
+kernel_read_system_state(gpg_t)
|
||||
+kernel_getattr_core_if(gpg_t)
|
||||
|
||||
corecmd_exec_shell(gpg_t)
|
||||
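Review bot: `kernel_read_system_state(gpg_t)` is a far wider grant than the stated goal of letting gpg read `fips_enabled`: it opens proc_t generally to gpg, whereas `/proc/sys/crypto/fips_enabled` is a sysctl that the existing `kernel_read_sysctl(gpg_t)` on the line above presumably did not cover. If this tree labels the crypto sysctls with their own type, a read interface for that type is the least-privilege fix; otherwise add a comment on the new line naming the file it is for, e.g. `# needed to read /proc/sys/crypto/fips_enabled`, so the wide grant is not later taken as a general requirement. `kernel_getattr_core_if(gpg_t)` directly below it is likewise unexplained by the commit message and deserves the same one-line justification. The gpg_t block continues outside this hunk.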
@ -27000,7 +27017,7 @@ index 44cf341..c47fa5f 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -165,37 +168,51 @@ optional_policy(`
|
||||
@@ -165,37 +169,51 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -27063,7 +27080,7 @@ index 44cf341..c47fa5f 100644
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_dontaudit_rw_nfs_files(gpg_helper_t)
|
||||
@@ -207,29 +224,35 @@ tunable_policy(`use_samba_home_dirs',`
|
||||
@@ -207,29 +225,35 @@ tunable_policy(`use_samba_home_dirs',`
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -27105,7 +27122,7 @@ index 44cf341..c47fa5f 100644
|
||||
corecmd_exec_shell(gpg_agent_t)
|
||||
|
||||
dev_read_rand(gpg_agent_t)
|
||||
@@ -239,31 +262,30 @@ domain_use_interactive_fds(gpg_agent_t)
|
||||
@@ -239,31 +263,30 @@ domain_use_interactive_fds(gpg_agent_t)
|
||||
|
||||
fs_dontaudit_list_inotifyfs(gpg_agent_t)
|
||||
|
||||
@ -27148,7 +27165,7 @@ index 44cf341..c47fa5f 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -277,8 +299,17 @@ optional_policy(`
|
||||
@@ -277,8 +300,17 @@ optional_policy(`
|
||||
|
||||
allow gpg_pinentry_t self:process { getcap getsched setsched signal };
|
||||
allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
|
||||
@ -27167,7 +27184,7 @@ index 44cf341..c47fa5f 100644
|
||||
|
||||
manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
|
||||
userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)
|
||||
@@ -287,53 +318,89 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
|
||||
@@ -287,53 +319,89 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
|
||||
manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
|
||||
fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
|
||||
|
||||
@ -45643,10 +45660,10 @@ index f5d145d..97e1148 100644
|
||||
+ virt_ptrace(numad_t)
|
||||
+')
|
||||
diff --git a/nut.fc b/nut.fc
|
||||
index 379af96..371119d 100644
|
||||
index 379af96..41ff159 100644
|
||||
--- a/nut.fc
|
||||
+++ b/nut.fc
|
||||
@@ -1,23 +1,13 @@
|
||||
@@ -1,23 +1,16 @@
|
||||
-/etc/nut(/.*)? gen_context(system_u:object_r:nut_conf_t,s0)
|
||||
-/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0)
|
||||
+/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0)
|
||||
@ -45657,14 +45674,16 @@ index 379af96..371119d 100644
|
||||
-/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0)
|
||||
/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
|
||||
-/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
|
||||
-
|
||||
|
||||
-/usr/lib/cgi-bin/nut/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
|
||||
-/usr/lib/cgi-bin/nut/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
|
||||
-/usr/lib/cgi-bin/nut/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
|
||||
+/usr/lib/systemd/system/nut.* -- gen_context(system_u:object_r:nut_unit_file_t,s0)
|
||||
|
||||
/usr/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0)
|
||||
/usr/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
|
||||
-/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
|
||||
+/usr/sbin/blazer_usb -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
|
||||
+/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
|
||||
|
||||
/var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0)
|
||||
@ -45676,29 +45695,35 @@ index 379af96..371119d 100644
|
||||
+/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
|
||||
+/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
|
||||
diff --git a/nut.if b/nut.if
|
||||
index 57c0161..56660c5 100644
|
||||
index 57c0161..d5ad79d 100644
|
||||
--- a/nut.if
|
||||
+++ b/nut.if
|
||||
@@ -1,39 +1 @@
|
||||
@@ -1,39 +1,25 @@
|
||||
-## <summary>Network UPS Tools </summary>
|
||||
-
|
||||
+## <summary>nut - Network UPS Tools </summary>
|
||||
|
||||
-########################################
|
||||
-## <summary>
|
||||
+#######################################
|
||||
## <summary>
|
||||
-## All of the rules required to
|
||||
-## administrate an nut environment.
|
||||
-## </summary>
|
||||
-## <param name="domain">
|
||||
+## Execute swift server in the swift domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
-## <summary>
|
||||
-## Domain allowed access.
|
||||
-## </summary>
|
||||
-## </param>
|
||||
+## <summary>
|
||||
+## Domain allowed to transition.
|
||||
+## </summary>
|
||||
## </param>
|
||||
-## <param name="role">
|
||||
-## <summary>
|
||||
-## Role allowed access.
|
||||
-## </summary>
|
||||
-## </param>
|
||||
-## <rolecap/>
|
||||
-#
|
||||
#
|
||||
-interface(`nut_admin',`
|
||||
- gen_require(`
|
||||
- attribute nut_domain;
|
||||
@ -45712,19 +45737,28 @@ index 57c0161..56660c5 100644
|
||||
- domain_system_change_exemption($1)
|
||||
- role_transition $2 nut_initrc_exec_t system_r;
|
||||
- allow $2 system_r;
|
||||
-
|
||||
+interface(`nut_systemctl',`
|
||||
+ gen_require(`
|
||||
+ type nut_t;
|
||||
+ type nut_unit_file_t;
|
||||
+ ')
|
||||
|
||||
- files_search_etc($1)
|
||||
- admin_pattern($1, nut_conf_t)
|
||||
-
|
||||
+ systemd_exec_systemctl($1)
|
||||
+ systemd_read_fifo_file_password_run($1)
|
||||
+ allow $1 nut_unit_file_t:file read_file_perms;
|
||||
+ allow $1 nut_unit_file_t:service manage_service_perms;
|
||||
|
||||
- files_search_pids($1)
|
||||
- admin_pattern($1, nut_var_run_t)
|
||||
-')
|
||||
+## <summary>nut - Network UPS Tools </summary>
|
||||
+ ps_process_pattern($1, swift_t)
|
||||
')
|
||||
diff --git a/nut.te b/nut.te
|
||||
index 0c9deb7..87c7eb7 100644
|
||||
index 0c9deb7..dbc52a1 100644
|
||||
--- a/nut.te
|
||||
+++ b/nut.te
|
||||
@@ -1,121 +1,105 @@
|
||||
@@ -1,121 +1,108 @@
|
||||
-policy_module(nut, 1.2.4)
|
||||
+policy_module(nut, 1.2.0)
|
||||
|
||||
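Review bot: The new `nut_systemctl` interface is a copy of a swift interface that was not finished being adapted: its `gen_require` asks for `type nut_t;`, a type not visible anywhere in the nut.te hunks on this page (the domains there are `nut_upsd_t`, `nut_upsmon_t` and `nut_upsdrvctl_t`), and the body ends with `ps_process_pattern($1, swift_t)`, giving every caller of a nut interface read access to swift's processes. The interface header in the preceding hunk still reads `Execute swift server in the swift domain.`, and a stray `## <summary>nut - Network UPS Tools </summary>` sits inside the interface body just before that line. If `nut_t` or `swift_t` is undeclared the module fails to build; if both happen to exist the cross-module grant goes in silently. Drop `type nut_t;` from the require, remove the stray summary line and the `ps_process_pattern($1, swift_t)` call (or point it at a nut domain if that access is intended), and reword the summary to describe systemctl access to nut unit files.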
@ -45759,6 +45793,9 @@ index 0c9deb7..87c7eb7 100644
|
||||
type nut_var_run_t;
|
||||
files_pid_file(nut_var_run_t)
|
||||
-init_daemon_run_dir(nut_var_run_t, "nut")
|
||||
+
|
||||
+type nut_unit_file_t;
|
||||
+systemd_unit_file(nut_unit_file_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -45774,20 +45811,20 @@ index 0c9deb7..87c7eb7 100644
|
||||
-allow nut_domain nut_conf_t:dir list_dir_perms;
|
||||
-allow nut_domain nut_conf_t:file read_file_perms;
|
||||
-allow nut_domain nut_conf_t:lnk_file read_lnk_file_perms;
|
||||
-
|
||||
-manage_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
|
||||
-manage_dirs_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
|
||||
-files_pid_filetrans(nut_domain, nut_var_run_t, { dir file })
|
||||
+allow nut_upsd_t self:capability { setgid setuid dac_override };
|
||||
+allow nut_upsd_t self:process signal_perms;
|
||||
|
||||
-kernel_read_kernel_sysctls(nut_domain)
|
||||
-manage_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
|
||||
-manage_dirs_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
|
||||
-files_pid_filetrans(nut_domain, nut_var_run_t, { dir file })
|
||||
+allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
+allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
|
||||
|
||||
-logging_send_syslog_msg(nut_domain)
|
||||
-kernel_read_kernel_sysctls(nut_domain)
|
||||
+allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;
|
||||
|
||||
-logging_send_syslog_msg(nut_domain)
|
||||
-
|
||||
-miscfiles_read_localization(nut_domain)
|
||||
-
|
||||
-########################################
|
||||
@ -45803,18 +45840,18 @@ index 0c9deb7..87c7eb7 100644
|
||||
+manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
|
||||
manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
|
||||
-files_pid_filetrans(nut_upsd_t, nut_var_run_t, sock_file)
|
||||
-
|
||||
-stream_connect_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t, nut_upsdrvctl_t)
|
||||
+files_pid_filetrans(nut_upsd_t, nut_var_run_t, { dir file sock_file })
|
||||
|
||||
-stream_connect_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t, nut_upsdrvctl_t)
|
||||
+kernel_read_kernel_sysctls(nut_upsd_t)
|
||||
|
||||
-corenet_all_recvfrom_unlabeled(nut_upsd_t)
|
||||
-corenet_all_recvfrom_netlabel(nut_upsd_t)
|
||||
-corenet_tcp_sendrecv_generic_if(nut_upsd_t)
|
||||
-corenet_tcp_sendrecv_generic_node(nut_upsd_t)
|
||||
-corenet_tcp_sendrecv_all_ports(nut_upsd_t)
|
||||
-corenet_tcp_bind_generic_node(nut_upsd_t)
|
||||
+kernel_read_kernel_sysctls(nut_upsd_t)
|
||||
|
||||
-
|
||||
-corenet_sendrecv_ups_server_packets(nut_upsd_t)
|
||||
corenet_tcp_bind_ups_port(nut_upsd_t)
|
||||
-
|
||||
@ -45842,9 +45879,9 @@ index 0c9deb7..87c7eb7 100644
|
||||
+allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
+allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto };
|
||||
+allow nut_upsmon_t self:tcp_socket create_socket_perms;
|
||||
|
||||
+read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
|
||||
+
|
||||
+read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
|
||||
|
||||
+# pid file
|
||||
+manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
|
||||
+manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
|
||||
@ -45889,7 +45926,7 @@ index 0c9deb7..87c7eb7 100644
|
||||
mta_send_mail(nut_upsmon_t)
|
||||
|
||||
optional_policy(`
|
||||
@@ -124,14 +108,27 @@ optional_policy(`
|
||||
@@ -124,14 +111,27 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -45919,7 +45956,7 @@ index 0c9deb7..87c7eb7 100644
|
||||
corecmd_exec_bin(nut_upsdrvctl_t)
|
||||
|
||||
dev_read_sysfs(nut_upsdrvctl_t)
|
||||
@@ -144,17 +141,28 @@ auth_use_nsswitch(nut_upsdrvctl_t)
|
||||
@@ -144,17 +144,28 @@ auth_use_nsswitch(nut_upsdrvctl_t)
|
||||
|
||||
init_sigchld(nut_upsdrvctl_t)
|
||||
|
||||
@ -47570,7 +47607,7 @@ index 0000000..1a26cd5
|
||||
+')
|
||||
diff --git a/openshift.te b/openshift.te
|
||||
new file mode 100644
|
||||
index 0000000..4bc6574
|
||||
index 0000000..b89f7fc
|
||||
--- /dev/null
|
||||
+++ b/openshift.te
|
||||
@@ -0,0 +1,463 @@
|
||||
@ -47970,7 +48007,7 @@ index 0000000..4bc6574
|
||||
+#
|
||||
+# openshift_cron local policy
|
||||
+#
|
||||
+allow openshift_cron_t self:capability net_admin;
|
||||
+allow openshift_cron_t self:capability { net_admin sys_admin };
|
||||
+allow openshift_cron_t self:process signal_perms;
|
||||
+allow openshift_cron_t self:tcp_socket create_stream_socket_perms;
|
||||
+allow openshift_cron_t self:udp_socket create_socket_perms;
|
||||
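Review bot: The capability set for `openshift_cron_t` grows from `net_admin` to `{ net_admin sys_admin }` (the first line is presumably the removed one, the second the replacement) with no mention in the commit message and no comment in the policy. `sys_admin` is the broadest capability in the set and is the one an audit of this policy will single out, so the line should carry a comment naming the operation the cron job performs that needs it, e.g. `# sys_admin: <operation — TODO fill in>`, or be turned into a dontaudit if the access is only probed. The rest of the openshift_cron_t block continues outside this hunk.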
@ -48762,7 +48799,7 @@ index 9682d9a..d47f913 100644
|
||||
+ ')
|
||||
')
|
||||
diff --git a/pacemaker.te b/pacemaker.te
|
||||
index 3dd8ada..9683812 100644
|
||||
index 3dd8ada..993c92c 100644
|
||||
--- a/pacemaker.te
|
||||
+++ b/pacemaker.te
|
||||
@@ -5,6 +5,13 @@ policy_module(pacemaker, 1.0.2)
|
||||
@ -48839,7 +48876,7 @@ index 3dd8ada..9683812 100644
|
||||
files_read_kernel_symbol_table(pacemaker_t)
|
||||
|
||||
fs_getattr_all_fs(pacemaker_t)
|
||||
@@ -75,9 +87,16 @@ auth_use_nsswitch(pacemaker_t)
|
||||
@@ -75,9 +87,20 @@ auth_use_nsswitch(pacemaker_t)
|
||||
|
||||
logging_send_syslog_msg(pacemaker_t)
|
||||
|
||||
@ -48855,8 +48892,12 @@ index 3dd8ada..9683812 100644
|
||||
+ corosync_setattr_log(pacemaker_t)
|
||||
corosync_stream_connect(pacemaker_t)
|
||||
+ corosync_rw_tmpfs(pacemaker_t)
|
||||
')
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ #executes heartbeat lib files
|
||||
+ rgmanager_execute_lib(pacemaker_t)
|
||||
')
|
||||
diff --git a/pads.if b/pads.if
|
||||
index 6e097c9..503c97a 100644
|
||||
--- a/pads.if
|
||||
@ -62321,12 +62362,14 @@ index f1512d6..93f1ee6 100644
|
||||
userdom_dontaudit_search_user_home_dirs(readahead_t)
|
||||
|
||||
diff --git a/realmd.fc b/realmd.fc
|
||||
index 04babe3..3c24ce4 100644
|
||||
index 04babe3..02a1f34 100644
|
||||
--- a/realmd.fc
|
||||
+++ b/realmd.fc
|
||||
@@ -1 +1 @@
|
||||
@@ -1 +1,3 @@
|
||||
-/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0)
|
||||
+/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0)
|
||||
+
|
||||
+/var/cache/realmd(/.*)? gen_context(system_u:object_r:realmd_var_cache_t,s0)
|
||||
diff --git a/realmd.if b/realmd.if
|
||||
index bff31df..e38693b 100644
|
||||
--- a/realmd.if
|
||||
@ -62344,7 +62387,7 @@ index bff31df..e38693b 100644
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
diff --git a/realmd.te b/realmd.te
|
||||
index 9a8f052..5372646 100644
|
||||
index 9a8f052..ecd8eaf 100644
|
||||
--- a/realmd.te
|
||||
+++ b/realmd.te
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -62353,13 +62396,16 @@ index 9a8f052..5372646 100644
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -7,11 +7,12 @@ policy_module(realmd, 1.0.2)
|
||||
@@ -7,43 +7,52 @@ policy_module(realmd, 1.0.2)
|
||||
|
||||
type realmd_t;
|
||||
type realmd_exec_t;
|
||||
-init_system_domain(realmd_t, realmd_exec_t)
|
||||
+application_domain(realmd_t, realmd_exec_t)
|
||||
+role system_r types realmd_t;
|
||||
+
|
||||
+type realmd_var_cache_t;
|
||||
+files_type(realmd_var_cache_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -62368,7 +62414,13 @@ index 9a8f052..5372646 100644
|
||||
#
|
||||
|
||||
allow realmd_t self:capability sys_nice;
|
||||
@@ -22,28 +23,30 @@ kernel_read_system_state(realmd_t)
|
||||
allow realmd_t self:process setsched;
|
||||
|
||||
+manage_files_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t)
|
||||
+manage_dirs_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t)
|
||||
+
|
||||
kernel_read_system_state(realmd_t)
|
||||
|
||||
corecmd_exec_bin(realmd_t)
|
||||
corecmd_exec_shell(realmd_t)
|
||||
|
||||
@ -62408,7 +62460,7 @@ index 9a8f052..5372646 100644
|
||||
optional_policy(`
|
||||
dbus_system_domain(realmd_t, realmd_exec_t)
|
||||
|
||||
@@ -67,17 +70,21 @@ optional_policy(`
|
||||
@@ -67,17 +76,21 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
nis_exec_ypbind(realmd_t)
|
||||
@ -62433,7 +62485,7 @@ index 9a8f052..5372646 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -86,5 +93,9 @@ optional_policy(`
|
||||
@@ -86,5 +99,9 @@ optional_policy(`
|
||||
sssd_manage_lib_files(realmd_t)
|
||||
sssd_manage_public_files(realmd_t)
|
||||
sssd_read_pid_files(realmd_t)
|
||||
@ -62698,7 +62750,7 @@ index 5421af0..91e69b8 100644
|
||||
+/var/run/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_run_t,s0)
|
||||
+/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
|
||||
diff --git a/rgmanager.if b/rgmanager.if
|
||||
index 1c2f9aa..5bd6fdb 100644
|
||||
index 1c2f9aa..7d70a46 100644
|
||||
--- a/rgmanager.if
|
||||
+++ b/rgmanager.if
|
||||
@@ -1,13 +1,13 @@
|
||||
@ -62801,7 +62853,7 @@ index 1c2f9aa..5bd6fdb 100644
|
||||
|
||||
init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
@@ -121,3 +139,27 @@ interface(`rgmanager_admin',`
|
||||
@@ -121,3 +139,47 @@ interface(`rgmanager_admin',`
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, rgmanager_var_run_t)
|
||||
')
|
||||
@ -62829,6 +62881,26 @@ index 1c2f9aa..5bd6fdb 100644
|
||||
+ files_list_pids($1)
|
||||
+ admin_pattern($1, rgmanager_var_run_t)
|
||||
+')
|
||||
+
|
||||
+######################################
|
||||
+## <summary>
|
||||
+## Allow the specified domain to execute rgmanager's lib files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`rgmanager_execute_lib',`
|
||||
+ gen_require(`
|
||||
+ type rgmanager_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_list_var_lib($1)
|
||||
+ allow $1 rgmanager_var_lib_t:dir search_dir_perms;
|
||||
+ can_exec($1, rgmanager_var_lib_t)
|
||||
+')
|
||||
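Review bot: `rgmanager_execute_lib` grants `can_exec($1, rgmanager_var_lib_t)`, i.e. execution of files carrying a var_lib data label, to any caller (pacemaker_t in this commit). If rgmanager_t or another domain can write `rgmanager_var_lib_t` — not visible on this page — that turns a writable data directory into an executable one for every caller, which is exactly what dedicated exec types exist to prevent. Consider giving the heartbeat scripts their own exec type and exposing that through this interface instead; at minimum the interface summary should say that callers may execute any content labeled rgmanager_var_lib_t, e.g. `## Execute files labeled rgmanager_var_lib_t (rgmanager's heartbeat lib files) in the caller's domain.`, so the width of the grant is visible to reviewers.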
diff --git a/rgmanager.te b/rgmanager.te
|
||||
index b418d1c..1ad9c12 100644
|
||||
--- a/rgmanager.te
|
||||
@ -63054,15 +63126,16 @@ index b418d1c..1ad9c12 100644
|
||||
xen_domtrans_xm(rgmanager_t)
|
||||
')
|
||||
diff --git a/rhcs.fc b/rhcs.fc
|
||||
index 47de2d6..977f2eb 100644
|
||||
index 47de2d6..d022603 100644
|
||||
--- a/rhcs.fc
|
||||
+++ b/rhcs.fc
|
||||
@@ -1,31 +1,30 @@
|
||||
@@ -1,31 +1,31 @@
|
||||
-/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
|
||||
-/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
|
||||
+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
|
||||
+/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
|
||||
+/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
|
||||
+/usr/sbin/fence_sanlockd -- gen_context(system_u:object_r:fenced_exec_t,s0)
|
||||
+/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0)
|
||||
+/usr/sbin/fence_virtd -- gen_context(system_u:object_r:fenced_exec_t,s0)
|
||||
+/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
|
||||
@ -71365,7 +71438,7 @@ index cd6c213..34b861a 100644
|
||||
+ allow $1 sanlock_unit_file_t:service all_service_perms;
|
||||
')
|
||||
diff --git a/sanlock.te b/sanlock.te
|
||||
index a34eac4..4f4eaf4 100644
|
||||
index a34eac4..114c9d2 100644
|
||||
--- a/sanlock.te
|
||||
+++ b/sanlock.te
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -71460,7 +71533,7 @@ index a34eac4..4f4eaf4 100644
|
||||
auth_use_nsswitch(sanlock_t)
|
||||
|
||||
init_read_utmp(sanlock_t)
|
||||
@@ -79,20 +87,25 @@ init_dontaudit_write_utmp(sanlock_t)
|
||||
@@ -79,20 +87,29 @@ init_dontaudit_write_utmp(sanlock_t)
|
||||
|
||||
logging_send_syslog_msg(sanlock_t)
|
||||
|
||||
@ -71492,10 +71565,14 @@ index a34eac4..4f4eaf4 100644
|
||||
+ fs_manage_cifs_files(sanlock_t)
|
||||
+ fs_manage_cifs_named_sockets(sanlock_t)
|
||||
+ fs_read_cifs_symlinks(sanlock_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ rhcs_domtrans_fenced(sanlock_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -100,7 +113,7 @@ optional_policy(`
|
||||
@@ -100,7 +117,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -87038,7 +87115,7 @@ index f93558c..cc73c96 100644
|
||||
|
||||
files_search_pids($1)
|
||||
diff --git a/xen.te b/xen.te
|
||||
index ed40676..8042769 100644
|
||||
index ed40676..0706207 100644
|
||||
--- a/xen.te
|
||||
+++ b/xen.te
|
||||
@@ -1,42 +1,34 @@
|
||||
@ -87360,7 +87437,12 @@ index ed40676..8042769 100644
|
||||
|
||||
kernel_read_kernel_sysctls(xend_t)
|
||||
kernel_read_system_state(xend_t)
|
||||
@@ -228,57 +275,39 @@ kernel_read_network_state(xend_t)
|
||||
@@ -224,61 +271,44 @@ kernel_write_xen_state(xend_t)
|
||||
kernel_read_xen_state(xend_t)
|
||||
kernel_rw_net_sysctls(xend_t)
|
||||
kernel_read_network_state(xend_t)
|
||||
+kernel_request_load_module(xend_t)
|
||||
|
||||
corecmd_exec_bin(xend_t)
|
||||
corecmd_exec_shell(xend_t)
|
||||
|
||||
@ -87424,7 +87506,7 @@ index ed40676..8042769 100644
|
||||
|
||||
storage_read_scsi_generic(xend_t)
|
||||
|
||||
@@ -295,7 +324,8 @@ locallogin_dontaudit_use_fds(xend_t)
|
||||
@@ -295,7 +325,8 @@ locallogin_dontaudit_use_fds(xend_t)
|
||||
|
||||
logging_send_syslog_msg(xend_t)
|
||||
|
||||
@ -87434,7 +87516,7 @@ index ed40676..8042769 100644
|
||||
miscfiles_read_hwdata(xend_t)
|
||||
|
||||
sysnet_domtrans_dhcpc(xend_t)
|
||||
@@ -308,23 +338,7 @@ sysnet_rw_dhcp_config(xend_t)
|
||||
@@ -308,23 +339,7 @@ sysnet_rw_dhcp_config(xend_t)
|
||||
|
||||
userdom_dontaudit_search_user_home_dirs(xend_t)
|
||||
|
||||
@ -87459,7 +87541,7 @@ index ed40676..8042769 100644
|
||||
|
||||
optional_policy(`
|
||||
brctl_domtrans(xend_t)
|
||||
@@ -342,7 +356,7 @@ optional_policy(`
|
||||
@@ -342,7 +357,7 @@ optional_policy(`
|
||||
mount_domtrans(xend_t)
|
||||
')
|
||||
|
||||
@ -87468,7 +87550,7 @@ index ed40676..8042769 100644
|
||||
netutils_domtrans(xend_t)
|
||||
')
|
||||
|
||||
@@ -351,6 +365,7 @@ optional_policy(`
|
||||
@@ -351,6 +366,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -87476,7 +87558,7 @@ index ed40676..8042769 100644
|
||||
virt_search_images(xend_t)
|
||||
virt_read_config(xend_t)
|
||||
')
|
||||
@@ -365,13 +380,9 @@ allow xenconsoled_t self:process setrlimit;
|
||||
@@ -365,13 +381,9 @@ allow xenconsoled_t self:process setrlimit;
|
||||
allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
@ -87492,7 +87574,7 @@ index ed40676..8042769 100644
|
||||
manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
|
||||
manage_sock_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
|
||||
files_pid_filetrans(xenconsoled_t, xenconsoled_var_run_t, { file sock_file })
|
||||
@@ -384,10 +395,6 @@ dev_rw_xen(xenconsoled_t)
|
||||
@@ -384,10 +396,6 @@ dev_rw_xen(xenconsoled_t)
|
||||
dev_filetrans_xen(xenconsoled_t)
|
||||
dev_rw_sysfs(xenconsoled_t)
|
||||
|
||||
@ -87503,7 +87585,7 @@ index ed40676..8042769 100644
|
||||
|
||||
fs_list_tmpfs(xenconsoled_t)
|
||||
fs_manage_xenfs_dirs(xenconsoled_t)
|
||||
@@ -395,15 +402,13 @@ fs_manage_xenfs_files(xenconsoled_t)
|
||||
@@ -395,15 +403,13 @@ fs_manage_xenfs_files(xenconsoled_t)
|
||||
|
||||
term_create_pty(xenconsoled_t, xen_devpts_t)
|
||||
term_use_generic_ptys(xenconsoled_t)
|
||||
@ -87521,7 +87603,7 @@ index ed40676..8042769 100644
|
||||
xen_stream_connect_xenstore(xenconsoled_t)
|
||||
|
||||
optional_policy(`
|
||||
@@ -416,24 +421,26 @@ optional_policy(`
|
||||
@@ -416,24 +422,26 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow xenstored_t self:capability { dac_override ipc_lock sys_resource };
|
||||
@ -87552,7 +87634,7 @@ index ed40676..8042769 100644
|
||||
manage_dirs_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
|
||||
manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
|
||||
manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
|
||||
@@ -448,157 +455,36 @@ dev_filetrans_xen(xenstored_t)
|
||||
@@ -448,157 +456,36 @@ dev_filetrans_xen(xenstored_t)
|
||||
dev_rw_xen(xenstored_t)
|
||||
dev_read_sysfs(xenstored_t)
|
||||
|
||||
|
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.12.1
|
||||
Release: 10%{?dist}
|
||||
Release: 11%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -521,6 +521,17 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Feb 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-11
|
||||
- Allow gpg to read fips_enabled
|
||||
- Add support for /var/cache/realmd
|
||||
- Add support for /usr/sbin/blazer_usb and systemd support for nut
|
||||
- Add labeling for fenced_sanlock and allow sanclok transition to fenced_t
|
||||
- bitlbee wants to read own log file
|
||||
- Allow glance domain to send a signal itself
|
||||
- Allow xend_t to request that the kernel load a kernel module
|
||||
- Allow pacemaker to execute heartbeat lib files
|
||||
- cleanup new swift policy
|
||||
|
||||
* Tue Feb 5 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-10
|
||||
- Fix smartmontools
|
||||
- Fix userdom_restricted_xwindows_user_template() interface
|
||||
|