* Wed Sep 10 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-80
- Backport workaround for #1134389 from F20. It needs to be removed from rawhide once we ship F21. - Since docker will now label volumes we can tighten the security of docker
This commit is contained in:
parent
6c07cc84bd
commit
ae5a648040
@ -29903,7 +29903,7 @@ index 3efd5b6..12dca57 100644
+ allow $1 login_pgm:key manage_key_perms;
+ allow $1 login_pgm:key manage_key_perms;
+')
+')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 09b791d..ff0708e 100644
index 09b791d..49d8c47 100644
--- a/policy/modules/system/authlogin.te
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
@ -30227,7 +30227,7 @@ index 09b791d..ff0708e 100644
optional_policy(`
optional_policy(`
kerberos_use(nsswitch_domain)
kerberos_use(nsswitch_domain)
')
')
@@ -456,10 +520,145 @@ optional_policy(`
@@ -456,10 +520,151 @@ optional_policy(`
optional_policy(`
optional_policy(`
sssd_stream_connect(nsswitch_domain)
sssd_stream_connect(nsswitch_domain)
@ -30235,6 +30235,12 @@ index 09b791d..ff0708e 100644
+ sssd_read_lib_files(nsswitch_domain)
+ sssd_read_lib_files(nsswitch_domain)
')
')
+#1134389
+userdom_manage_all_users_keys(nsswitch_domain)
+optional_policy(`
+ sssd_manage_keys(nsswitch_domain)
+")
+
optional_policy(`
optional_policy(`
samba_stream_connect_winbind(nsswitch_domain)
samba_stream_connect_winbind(nsswitch_domain)
+ samba_stream_connect_nmbd(nsswitch_domain)
+ samba_stream_connect_nmbd(nsswitch_domain)
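Review bot: The line that closes the new block, `+")`, ends it with a double quote where m4 requires `')` — every other block in this patch closes with `+')` — so as rendered here the quote opened on the `optional_policy(` line two lines earlier is never closed and the sssd_manage_keys call plus everything after it in authlogin.te is mis-parsed or fails to build; change the line to `')`. The line above it, `userdom_manage_all_users_keys(nsswitch_domain)`, hands key management over every user's keyrings to the whole nsswitch_domain attribute, and the only marker in the file is the bare bug number, so I would expand it to `# Workaround for #1134389, backported from F20; remove once F21 ships` so the temporary grant is not silently kept. The optional_policy list this hunk sits in continues outside the hunk.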
@ -24183,7 +24183,7 @@ index 0000000..a952041
+')
+')
diff --git a/dnssec.te b/dnssec.te
diff --git a/dnssec.te b/dnssec.te
new file mode 100644
new file mode 100644
index 0000000..7f715f8
index 0000000..c1ab586
--- /dev/null
--- /dev/null
+++ b/dnssec.te
+++ b/dnssec.te
@@ -0,0 +1,58 @@
@@ -0,0 +1,58 @@
@ -24234,7 +24234,7 @@ index 0000000..7f715f8
+
+
+logging_send_syslog_msg(dnssec_trigger_t)
+logging_send_syslog_msg(dnssec_trigger_t)
+
+
+auth_read_passwd(dnssec_trigger_t)
+auth_use_nsswitch(dnssec_trigger_t)
+
+
+sysnet_dns_name_resolve(dnssec_trigger_t)
+sysnet_dns_name_resolve(dnssec_trigger_t)
+sysnet_manage_config(dnssec_trigger_t)
+sysnet_manage_config(dnssec_trigger_t)
@ -95487,7 +95487,7 @@ index dbb005a..45291bb 100644
-/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
-/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
+/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
+/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
diff --git a/sssd.if b/sssd.if
diff --git a/sssd.if b/sssd.if
index a240455..16a04bf 100644
index a240455..f4d8c79 100644
--- a/sssd.if
--- a/sssd.if
+++ b/sssd.if
+++ b/sssd.if
@@ -1,21 +1,21 @@
@@ -1,21 +1,21 @@
@ -95781,7 +95781,7 @@ index a240455..16a04bf 100644
## </summary>
## </summary>
## <param name="domain">
## <param name="domain">
## <summary>
## <summary>
@@ -317,8 +388,27 @@ interface(`sssd_stream_connect',`
@@ -317,8 +388,46 @@ interface(`sssd_stream_connect',`
########################################
########################################
## <summary>
## <summary>
@ -95804,6 +95804,25 @@ index a240455..16a04bf 100644
+ dontaudit $1 sssd_var_lib_t:sock_file { read write };
+ dontaudit $1 sssd_var_lib_t:sock_file { read write };
+')
+')
+
+
+#######################################
+## <summary>
+## Manage keys for all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_manage_keys',`
+ gen_require(`
+ type sssd_t;
+ ')
+
+ allow $1 sssd_t:key manage_key_perms;
+ allow sssd_t $1:key manage_key_perms;
+')
+
+########################################
+########################################
+## <summary>
+## <summary>
+## All of the rules required to administrate
+## All of the rules required to administrate
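Review bot: The summary of the new interface, `## Manage keys for all user domains.`, does not describe its rules: `allow $1 sssd_t:key manage_key_perms;` and `allow sssd_t $1:key manage_key_perms;` form a two-way grant between the caller and sssd_t only, and no user domain appears in the body. I would reword it to `## Manage sssd's keys and allow sssd to manage the caller's keys.` so a caller sees the reverse direction, which matters when the argument is a broad attribute such as nsswitch_domain. A smaller nit: the banner line before `## <summary>` is one `#` shorter than the other interface banners in this hunk. The rest of sssd.if around the new interface is outside the hunk.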
@ -95811,7 +95830,7 @@ index a240455..16a04bf 100644
## </summary>
## </summary>
## <param name="domain">
## <param name="domain">
## <summary>
## <summary>
@@ -327,7 +417,7 @@ interface(`sssd_stream_connect',`
@@ -327,7 +436,7 @@ interface(`sssd_stream_connect',`
## </param>
## </param>
## <param name="role">
## <param name="role">
## <summary>
## <summary>
@ -95820,7 +95839,7 @@ index a240455..16a04bf 100644
## </summary>
## </summary>
## </param>
## </param>
## <rolecap/>
## <rolecap/>
@@ -335,27 +425,29 @@ interface(`sssd_stream_connect',`
@@ -335,27 +444,29 @@ interface(`sssd_stream_connect',`
interface(`sssd_admin',`
interface(`sssd_admin',`
gen_require(`
gen_require(`
type sssd_t, sssd_public_t, sssd_initrc_exec_t;
type sssd_t, sssd_public_t, sssd_initrc_exec_t;
@ -103952,7 +103971,7 @@ index facdee8..c43ef2e 100644
+ typeattribute $1 sandbox_caps_domain;
+ typeattribute $1 sandbox_caps_domain;
')
')
diff --git a/virt.te b/virt.te
diff --git a/virt.te b/virt.te
index f03dcf5..58d42f6 100644
index f03dcf5..7b38f46 100644
--- a/virt.te
--- a/virt.te
+++ b/virt.te
+++ b/virt.te
@@ -1,150 +1,227 @@
@@ -1,150 +1,227 @@
@ -105439,7 +105458,7 @@ index f03dcf5..58d42f6 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
@@ -974,194 +1155,319 @@ selinux_compute_create_context(virtd_lxc_t)
@@ -974,194 +1155,316 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@ -105468,12 +105487,12 @@ index f03dcf5..58d42f6 100644
+optional_policy(`
+optional_policy(`
+ docker_exec_lib(virtd_lxc_t)
+ docker_exec_lib(virtd_lxc_t)
+')
+')
+
-sysnet_domtrans_ifconfig(virtd_lxc_t)
+optional_policy(`
+optional_policy(`
+ gnome_read_generic_cache_files(virtd_lxc_t)
+ gnome_read_generic_cache_files(virtd_lxc_t)
+')
+')
+
-sysnet_domtrans_ifconfig(virtd_lxc_t)
+optional_policy(`
+optional_policy(`
+ setrans_manage_pid_files(virtd_lxc_t)
+ setrans_manage_pid_files(virtd_lxc_t)
+')
+')
@ -105503,6 +105522,97 @@ index f03dcf5..58d42f6 100644
+tunable_policy(`deny_ptrace',`',`
+tunable_policy(`deny_ptrace',`',`
+ allow svirt_sandbox_domain self:process ptrace;
+ allow svirt_sandbox_domain self:process ptrace;
+')
+')
+
+allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto };
+allow virtd_t svirt_sandbox_domain:process { signal_perms getattr };
+allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms };
+
+allow svirt_sandbox_domain virtd_lxc_t:process sigchld;
+allow svirt_sandbox_domain virtd_lxc_t:fd use;
+allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
+
+manage_dirs_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+manage_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+manage_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+allow svirt_sandbox_domain svirt_sandbox_file_t:file { relabelfrom relabelto };
+
+allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr;
+rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+can_exec(svirt_sandbox_domain, svirt_sandbox_file_t)
+allow svirt_sandbox_domain svirt_sandbox_file_t:dir mounton;
+allow svirt_sandbox_domain svirt_sandbox_file_t:filesystem getattr;
+
+kernel_getattr_proc(svirt_sandbox_domain)
+kernel_list_all_proc(svirt_sandbox_domain)
+kernel_read_all_sysctls(svirt_sandbox_domain)
+kernel_rw_net_sysctls(svirt_sandbox_domain)
+kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain)
+kernel_dontaudit_access_check_proc(svirt_sandbox_domain)
+
+corecmd_exec_all_executables(svirt_sandbox_domain)
+
+files_dontaudit_getattr_all_dirs(svirt_sandbox_domain)
+files_dontaudit_getattr_all_files(svirt_sandbox_domain)
+files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain)
+files_dontaudit_getattr_all_pipes(svirt_sandbox_domain)
+files_dontaudit_getattr_all_sockets(svirt_sandbox_domain)
+files_dontaudit_list_all_mountpoints(svirt_sandbox_domain)
+files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain)
+files_entrypoint_all_files(svirt_sandbox_domain)
+files_list_var(svirt_sandbox_domain)
+files_list_var_lib(svirt_sandbox_domain)
+files_search_all(svirt_sandbox_domain)
+files_read_config_files(svirt_sandbox_domain)
+files_read_usr_symlinks(svirt_sandbox_domain)
+files_search_locks(svirt_sandbox_domain)
+files_dontaudit_unmount_all_mountpoints(svirt_sandbox_domain)
+
+fs_getattr_all_fs(svirt_sandbox_domain)
+fs_list_inotifyfs(svirt_sandbox_domain)
+fs_rw_inherited_tmpfs_files(svirt_sandbox_domain)
+fs_read_fusefs_files(svirt_sandbox_domain)
+fs_read_hugetlbfs_files(svirt_sandbox_domain)
+
+auth_dontaudit_read_passwd(svirt_sandbox_domain)
+auth_dontaudit_read_login_records(svirt_sandbox_domain)
+auth_dontaudit_write_login_records(svirt_sandbox_domain)
+auth_search_pam_console_data(svirt_sandbox_domain)
+
+clock_read_adjtime(svirt_sandbox_domain)
+
+init_read_utmp(svirt_sandbox_domain)
+init_dontaudit_write_utmp(svirt_sandbox_domain)
+
+libs_dontaudit_setattr_lib_files(svirt_sandbox_domain)
+
+miscfiles_dontaudit_access_check_cert(svirt_sandbox_domain)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_sandbox_domain)
+miscfiles_read_fonts(svirt_sandbox_domain)
+miscfiles_read_hwdata(svirt_sandbox_domain)
+
+systemd_read_unit_files(svirt_sandbox_domain)
+
+userdom_use_inherited_user_terminals(svirt_sandbox_domain)
+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
+
+optional_policy(`
+ apache_exec_modules(svirt_sandbox_domain)
+ apache_read_sys_content(svirt_sandbox_domain)
+')
+
+optional_policy(`
+ docker_read_share_files(svirt_sandbox_domain)
+ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
+ docker_use_ptys(svirt_sandbox_domain)
+')
+
+optional_policy(`
+ gear_read_pid_files(svirt_sandbox_domain)
+')
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@ -105586,103 +105696,6 @@ index f03dcf5..58d42f6 100644
-miscfiles_read_fonts(svirt_lxc_domain)
-miscfiles_read_fonts(svirt_lxc_domain)
-
-
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto };
+allow virtd_t svirt_sandbox_domain:process { signal_perms getattr };
+allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms };
+
+allow svirt_sandbox_domain virtd_lxc_t:process sigchld;
+allow svirt_sandbox_domain virtd_lxc_t:fd use;
+allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
+
+manage_dirs_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+manage_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+manage_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+allow svirt_sandbox_domain svirt_sandbox_file_t:file { relabelfrom relabelto };
+
+allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr;
+rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+can_exec(svirt_sandbox_domain, svirt_sandbox_file_t)
+allow svirt_sandbox_domain svirt_sandbox_file_t:dir mounton;
+allow svirt_sandbox_domain svirt_sandbox_file_t:filesystem getattr;
+
+kernel_getattr_proc(svirt_sandbox_domain)
+kernel_list_all_proc(svirt_sandbox_domain)
+kernel_read_all_sysctls(svirt_sandbox_domain)
+kernel_rw_net_sysctls(svirt_sandbox_domain)
+kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain)
+kernel_dontaudit_access_check_proc(svirt_sandbox_domain)
+
+corecmd_exec_all_executables(svirt_sandbox_domain)
+
+files_dontaudit_getattr_all_dirs(svirt_sandbox_domain)
+files_dontaudit_getattr_all_files(svirt_sandbox_domain)
+files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain)
+files_dontaudit_getattr_all_pipes(svirt_sandbox_domain)
+files_dontaudit_getattr_all_sockets(svirt_sandbox_domain)
+files_dontaudit_list_all_mountpoints(svirt_sandbox_domain)
+files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain)
+files_entrypoint_all_files(svirt_sandbox_domain)
+files_list_var(svirt_sandbox_domain)
+files_list_var_lib(svirt_sandbox_domain)
+files_search_all(svirt_sandbox_domain)
+files_read_config_files(svirt_sandbox_domain)
+files_read_usr_symlinks(svirt_sandbox_domain)
+files_search_locks(svirt_sandbox_domain)
+files_dontaudit_unmount_all_mountpoints(svirt_sandbox_domain)
+
+fs_getattr_all_fs(svirt_sandbox_domain)
+fs_list_inotifyfs(svirt_sandbox_domain)
+fs_rw_inherited_tmpfs_files(svirt_sandbox_domain)
+fs_read_fusefs_files(svirt_sandbox_domain)
+fs_read_hugetlbfs_files(svirt_sandbox_domain)
+
+auth_dontaudit_read_passwd(svirt_sandbox_domain)
+auth_dontaudit_read_login_records(svirt_sandbox_domain)
+auth_dontaudit_write_login_records(svirt_sandbox_domain)
+auth_search_pam_console_data(svirt_sandbox_domain)
+
+clock_read_adjtime(svirt_sandbox_domain)
+
+init_read_utmp(svirt_sandbox_domain)
+init_dontaudit_write_utmp(svirt_sandbox_domain)
+
+libs_dontaudit_setattr_lib_files(svirt_sandbox_domain)
+
+miscfiles_dontaudit_access_check_cert(svirt_sandbox_domain)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_sandbox_domain)
+miscfiles_read_fonts(svirt_sandbox_domain)
+miscfiles_read_hwdata(svirt_sandbox_domain)
+
+systemd_read_unit_files(svirt_sandbox_domain)
+
+userdom_use_inherited_user_terminals(svirt_sandbox_domain)
+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
optional_policy(`
- udev_read_pid_files(svirt_lxc_domain)
+ apache_exec_modules(svirt_sandbox_domain)
+ apache_read_sys_content(svirt_sandbox_domain)
')
optional_policy(`
- apache_exec_modules(svirt_lxc_domain)
- apache_read_sys_content(svirt_lxc_domain)
+ docker_manage_lib_files(svirt_lxc_net_t)
+ docker_manage_lib_dirs(svirt_lxc_net_t)
+ docker_read_share_files(svirt_sandbox_domain)
+ docker_exec_lib(svirt_sandbox_domain)
+ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
+ docker_use_ptys(svirt_sandbox_domain)
+')
+
+optional_policy(`
+ gear_read_pid_files(svirt_sandbox_domain)
+')
+
+optional_policy(`
+optional_policy(`
+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
+')
+')
@ -105690,12 +105703,15 @@ index f03dcf5..58d42f6 100644
+optional_policy(`
+optional_policy(`
+ ssh_use_ptys(svirt_sandbox_domain)
+ ssh_use_ptys(svirt_sandbox_domain)
+')
+')
+
+optional_policy(`
optional_policy(`
- udev_read_pid_files(svirt_lxc_domain)
+ udev_read_pid_files(svirt_sandbox_domain)
+ udev_read_pid_files(svirt_sandbox_domain)
+')
')
+
+optional_policy(`
optional_policy(`
- apache_exec_modules(svirt_lxc_domain)
- apache_read_sys_content(svirt_lxc_domain)
+ userhelper_dontaudit_write_config(svirt_sandbox_domain)
+ userhelper_dontaudit_write_config(svirt_sandbox_domain)
+')
+')
+
+
@ -105718,12 +105734,19 @@ index f03dcf5..58d42f6 100644
-# Lxc net local policy
-# Lxc net local policy
+# svirt_lxc_net_t local policy
+# svirt_lxc_net_t local policy
#
#
-
-allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
+virt_sandbox_domain_template(svirt_lxc_net)
+virt_sandbox_domain_template(svirt_lxc_net)
+virt_default_capabilities(svirt_lxc_net_t)
+virt_default_capabilities(svirt_lxc_net_t)
+typeattribute svirt_lxc_net_t sandbox_net_domain;
+typeattribute svirt_lxc_net_t sandbox_net_domain;
dontaudit svirt_lxc_net_t self:capability2 block_suspend;
+dontaudit svirt_lxc_net_t self:capability2 {fsetid block_suspend };
+allow svirt_lxc_net_t self:process { execstack execmem };
+manage_chr_files_pattern(svirt_lxc_net_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
+
+tunable_policy(`virt_sandbox_use_sys_admin',`
+ allow svirt_lxc_net_t self:capability sys_admin;
+')
-allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
-dontaudit svirt_lxc_net_t self:capability2 block_suspend;
-allow svirt_lxc_net_t self:process setrlimit;
-allow svirt_lxc_net_t self:process setrlimit;
-allow svirt_lxc_net_t self:tcp_socket { accept listen };
-allow svirt_lxc_net_t self:tcp_socket { accept listen };
-allow svirt_lxc_net_t self:netlink_route_socket nlmsg_write;
-allow svirt_lxc_net_t self:netlink_route_socket nlmsg_write;
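Review bot: `+dontaudit svirt_lxc_net_t self:capability2 {fsetid block_suspend };` lists fsetid under class capability2, but in the reference policy's access vectors fsetid is a permission of class capability (capability2 holds block_suspend, mac_admin and the like), so I expect checkpolicy to reject the module; if the intent is to quiet CAP_FSETID denials, split it into `dontaudit svirt_lxc_net_t self:capability2 block_suspend;` and `dontaudit svirt_lxc_net_t self:capability fsetid;`. The brace spacing `{fsetid block_suspend }` also differs from the `{ a b }` form on the neighbouring lines. The virt_sandbox_use_sys_admin and virt_sandbox_use_mknod tunable blocks are only moved earlier in this hunk and the next, as far as the visible lines show. The svirt_lxc_net_t section continues outside the hunk.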
@ -105736,8 +105759,9 @@ index f03dcf5..58d42f6 100644
-
-
-kernel_read_network_state(svirt_lxc_net_t)
-kernel_read_network_state(svirt_lxc_net_t)
-kernel_read_irq_sysctls(svirt_lxc_net_t)
-kernel_read_irq_sysctls(svirt_lxc_net_t)
+allow svirt_lxc_net_t self:process { execstack execmem };
+tunable_policy(`virt_sandbox_use_mknod',`
+manage_chr_files_pattern(svirt_lxc_net_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
+ allow svirt_lxc_net_t self:capability mknod;
+')
-corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
-corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
-corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
-corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
@ -105749,14 +105773,6 @@ index f03dcf5..58d42f6 100644
-corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
-corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
-corenet_tcp_bind_generic_node(svirt_lxc_net_t)
-corenet_tcp_bind_generic_node(svirt_lxc_net_t)
-corenet_udp_bind_generic_node(svirt_lxc_net_t)
-corenet_udp_bind_generic_node(svirt_lxc_net_t)
+tunable_policy(`virt_sandbox_use_sys_admin',`
+ allow svirt_lxc_net_t self:capability sys_admin;
+')
+
+tunable_policy(`virt_sandbox_use_mknod',`
+ allow svirt_lxc_net_t self:capability mknod;
+')
+
+tunable_policy(`virt_sandbox_use_all_caps',`
+tunable_policy(`virt_sandbox_use_all_caps',`
+ allow svirt_lxc_net_t self:capability all_capability_perms;
+ allow svirt_lxc_net_t self:capability all_capability_perms;
+ allow svirt_lxc_net_t self:capability2 all_capability2_perms;
+ allow svirt_lxc_net_t self:capability2 all_capability2_perms;
@ -105846,10 +105862,10 @@ index f03dcf5..58d42f6 100644
+term_use_ptmx(svirt_qemu_net_t)
+term_use_ptmx(svirt_qemu_net_t)
+
+
+dev_rw_kvm(svirt_qemu_net_t)
+dev_rw_kvm(svirt_qemu_net_t)
+
+manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
-allow svirt_prot_exec_t self:process { execmem execstack };
-allow svirt_prot_exec_t self:process { execmem execstack };
+manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
+
+list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
+list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
+read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
+read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
+
+
@ -105897,7 +105913,7 @@ index f03dcf5..58d42f6 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
@@ -1174,12 +1480,12 @@ dev_read_sysfs(virt_qmf_t)
@@ -1174,12 +1477,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@ -105912,7 +105928,7 @@ index f03dcf5..58d42f6 100644
sysnet_read_config(virt_qmf_t)
sysnet_read_config(virt_qmf_t)
optional_policy(`
optional_policy(`
@@ -1192,9 +1498,8 @@ optional_policy(`
@@ -1192,9 +1495,8 @@ optional_policy(`
########################################
########################################
#
#
@ -105923,7 +105939,7 @@ index f03dcf5..58d42f6 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
@@ -1207,5 +1512,219 @@ kernel_read_network_state(virt_bridgehelper_t)
@@ -1207,5 +1509,219 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Summary: SELinux policy configuration
Name: selinux-policy
Name: selinux-policy
Version: 3.13.1
Version: 3.13.1
Release: 79%{?dist}
Release: 80%{?dist}
License: GPLv2+
License: GPLv2+
Group: System Environment/Base
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
Source: serefpolicy-%{version}.tgz
@ -602,6 +602,10 @@ SELinux Reference policy mls base module.
%endif
%endif
%changelog
%changelog
* Wed Sep 10 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-80
- Back port workaround for #1134389 from F20. It needs to be removed from rawhide once we ship F21.
- Since docker will now label volumes we can tighten the security of docker
* Wed Sep 10 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-79
* Wed Sep 10 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-79
- Re-arange openshift_net_read_t rules.
- Re-arange openshift_net_read_t rules.
- Kernel is reporting random block_suspends, we should dontaudit these until the kernel is fixed in Rawhide
- Kernel is reporting random block_suspends, we should dontaudit these until the kernel is fixed in Rawhide