* Wed Oct 29 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-89
- Allow keystone_cgi_script_t to bind on commplex_main_port. BZ (#1138424) - Allow freeipmi_bmc_watchdog rw_sem_perms to freeipmi_ipmiseld - Allow rabbitmq to read nfs state data. BZ(1122412) - Allow named to read /var/tmp/DNS_25 labeled as krb5_host_rcache_t. - Add rolekit policy - Allow rolekit domtrans to sssd_t. - Add kerberos_tmp_filetrans_kadmin() interface. - rolekit should be noaudit. - Add rolekit_manage_keys(). - Need to label rpmnew file correctly - Allow modemmanager to connectto itself
parent
317f5a18dc
commit
af3cfa7b5c
@ -5481,7 +5481,7 @@ index 8e0f9cd..b9f45b9 100644
|
||||
|
||||
define(`create_packet_interfaces',``
|
||||
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
|
||||
index b191055..57afd42 100644
|
||||
index b191055..2f2f2b9 100644
|
||||
--- a/policy/modules/kernel/corenetwork.te.in
|
||||
+++ b/policy/modules/kernel/corenetwork.te.in
|
||||
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
|
||||
@ -5555,11 +5555,13 @@ index b191055..57afd42 100644
|
||||
# reserved_port_t is the type of INET port numbers below 1024.
|
||||
#
|
||||
type reserved_port_t, port_type, reserved_port_type;
|
||||
@@ -84,55 +107,69 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
|
||||
@@ -83,56 +106,70 @@ network_port(agentx, udp,705,s0, tcp,705,s0)
|
||||
network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
|
||||
network_port(amavisd_recv, tcp,10024,s0)
|
||||
network_port(amavisd_send, tcp,10025,s0)
|
||||
network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
|
||||
-network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
|
||||
-network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
|
||||
+network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0, tcp,15672,s0)
|
||||
+network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
|
||||
+network_port(apc, tcp,3052,s0, udp,3052,s0)
|
||||
network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
|
||||
@ -8936,7 +8938,7 @@ index 6a1e4d1..1b9b0b5 100644
|
||||
+ dontaudit $1 domain:dir_file_class_set audit_access;
|
||||
')
|
||||
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
|
||||
index cf04cb5..16c88de 100644
|
||||
index cf04cb5..c2776d0 100644
|
||||
--- a/policy/modules/kernel/domain.te
|
||||
+++ b/policy/modules/kernel/domain.te
|
||||
@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
|
||||
@ -9085,7 +9087,7 @@ index cf04cb5..16c88de 100644
|
||||
|
||||
# Create/access any System V IPC objects.
|
||||
allow unconfined_domain_type domain:{ sem msgq shm } *;
|
||||
@@ -166,5 +238,348 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
|
||||
@@ -166,5 +238,352 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
|
||||
# act on all domains keys
|
||||
allow unconfined_domain_type domain:key *;
|
||||
|
||||
@ -9380,6 +9382,10 @@ index cf04cb5..16c88de 100644
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ rolekit_dbus_chat(domain)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ ssh_rw_pipes(domain)
|
||||
+')
|
||||
+
|
||||
@ -15685,7 +15691,7 @@ index 7be4ddf..71e675a 100644
|
||||
+/sys/class/net/ib.* -- gen_context(system_u:object_r:sysctl_net_t,s0)
|
||||
+/sys/kernel/uevent_helper -- gen_context(system_u:object_r:usermodehelper_t,s0)
|
||||
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
|
||||
index e100d88..227ae89 100644
|
||||
index e100d88..85da370 100644
|
||||
--- a/policy/modules/kernel/kernel.if
|
||||
+++ b/policy/modules/kernel/kernel.if
|
||||
@@ -126,6 +126,24 @@ interface(`kernel_setsched',`
|
||||
@ -15823,10 +15829,29 @@ index e100d88..227ae89 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1025,6 +1094,25 @@ interface(`kernel_write_proc_files',`
|
||||
@@ -1025,6 +1094,44 @@ interface(`kernel_write_proc_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## Do not audit attempts to write the
|
||||
+## file in /proc.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain to not audit.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`kernel_dontaudit_write_proc_files',`
|
||||
+ gen_require(`
|
||||
+ type proc_t;
|
||||
+ ')
|
||||
+
|
||||
+ dontaudit $1 proc_t:file write;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Do not audit attempts to check the
|
||||
+## access on generic proc entries.
|
||||
+## </summary>
|
||||
@ -15849,7 +15874,7 @@ index e100d88..227ae89 100644
|
||||
## Do not audit attempts by caller to
|
||||
## read system state information in proc.
|
||||
## </summary>
|
||||
@@ -1208,6 +1296,24 @@ interface(`kernel_read_messages',`
|
||||
@@ -1208,6 +1315,24 @@ interface(`kernel_read_messages',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -15874,7 +15899,7 @@ index e100d88..227ae89 100644
|
||||
## Allow caller to get the attributes of kernel message
|
||||
## interface (/proc/kmsg).
|
||||
## </summary>
|
||||
@@ -1458,6 +1564,25 @@ interface(`kernel_list_all_proc',`
|
||||
@@ -1458,6 +1583,25 @@ interface(`kernel_list_all_proc',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -15900,7 +15925,7 @@ index e100d88..227ae89 100644
|
||||
## Do not audit attempts to list all proc directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1477,6 +1602,24 @@ interface(`kernel_dontaudit_list_all_proc',`
|
||||
@@ -1477,6 +1621,24 @@ interface(`kernel_dontaudit_list_all_proc',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -15925,7 +15950,7 @@ index e100d88..227ae89 100644
|
||||
## Do not audit attempts by caller to search
|
||||
## the base directory of sysctls.
|
||||
## </summary>
|
||||
@@ -1672,7 +1815,7 @@ interface(`kernel_read_net_sysctls',`
|
||||
@@ -1672,7 +1834,7 @@ interface(`kernel_read_net_sysctls',`
|
||||
')
|
||||
|
||||
read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
|
||||
@ -15934,7 +15959,7 @@ index e100d88..227ae89 100644
|
||||
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
|
||||
')
|
||||
|
||||
@@ -1693,7 +1836,7 @@ interface(`kernel_rw_net_sysctls',`
|
||||
@@ -1693,7 +1855,7 @@ interface(`kernel_rw_net_sysctls',`
|
||||
')
|
||||
|
||||
rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
|
||||
@ -15943,7 +15968,7 @@ index e100d88..227ae89 100644
|
||||
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
|
||||
')
|
||||
|
||||
@@ -1715,7 +1858,6 @@ interface(`kernel_read_unix_sysctls',`
|
||||
@@ -1715,7 +1877,6 @@ interface(`kernel_read_unix_sysctls',`
|
||||
')
|
||||
|
||||
read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t)
|
||||
@ -15951,7 +15976,7 @@ index e100d88..227ae89 100644
|
||||
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
|
||||
')
|
||||
|
||||
@@ -1750,16 +1892,9 @@ interface(`kernel_rw_unix_sysctls',`
|
||||
@@ -1750,16 +1911,9 @@ interface(`kernel_rw_unix_sysctls',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
@ -15969,7 +15994,7 @@ index e100d88..227ae89 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1771,16 +1906,9 @@ interface(`kernel_read_hotplug_sysctls',`
|
||||
@@ -1771,16 +1925,9 @@ interface(`kernel_read_hotplug_sysctls',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
@ -15987,7 +16012,7 @@ index e100d88..227ae89 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1792,16 +1920,9 @@ interface(`kernel_rw_hotplug_sysctls',`
|
||||
@@ -1792,16 +1939,9 @@ interface(`kernel_rw_hotplug_sysctls',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
@ -16005,7 +16030,7 @@ index e100d88..227ae89 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1813,16 +1934,9 @@ interface(`kernel_read_modprobe_sysctls',`
|
||||
@@ -1813,16 +1953,9 @@ interface(`kernel_read_modprobe_sysctls',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
@ -16023,7 +16048,7 @@ index e100d88..227ae89 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2085,9 +2199,28 @@ interface(`kernel_dontaudit_list_all_sysctls',`
|
||||
@@ -2085,9 +2218,28 @@ interface(`kernel_dontaudit_list_all_sysctls',`
|
||||
')
|
||||
|
||||
dontaudit $1 sysctl_type:dir list_dir_perms;
|
||||
@ -16053,7 +16078,7 @@ index e100d88..227ae89 100644
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow caller to read all sysctls.
|
||||
@@ -2282,6 +2415,25 @@ interface(`kernel_list_unlabeled',`
|
||||
@@ -2282,6 +2434,25 @@ interface(`kernel_list_unlabeled',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -16079,7 +16104,7 @@ index e100d88..227ae89 100644
|
||||
## Read the process state (/proc/pid) of all unlabeled_t.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -2306,7 +2458,7 @@ interface(`kernel_read_unlabeled_state',`
|
||||
@@ -2306,7 +2477,7 @@ interface(`kernel_read_unlabeled_state',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -16088,7 +16113,7 @@ index e100d88..227ae89 100644
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@@ -2488,6 +2640,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
|
||||
@@ -2488,6 +2659,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -16113,7 +16138,7 @@ index e100d88..227ae89 100644
|
||||
## Do not audit attempts by caller to get attributes for
|
||||
## unlabeled character devices.
|
||||
## </summary>
|
||||
@@ -2525,6 +2695,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
|
||||
@@ -2525,6 +2714,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -16138,7 +16163,7 @@ index e100d88..227ae89 100644
|
||||
## Allow caller to relabel unlabeled files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -2667,6 +2855,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
|
||||
@@ -2667,6 +2874,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -16163,13 +16188,23 @@ index e100d88..227ae89 100644
|
||||
## Receive TCP packets from an unlabeled connection.
|
||||
## </summary>
|
||||
## <desc>
|
||||
@@ -2694,6 +2900,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
|
||||
@@ -2694,18 +2919,37 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Do not audit attempts to receive TCP packets from an unlabeled
|
||||
+## Do not audit attempts to receive DCCP packets from an unlabeled
|
||||
+## connection.
|
||||
+## </summary>
|
||||
## connection.
|
||||
## </summary>
|
||||
-## <desc>
|
||||
-## <p>
|
||||
-## Do not audit attempts to receive TCP packets from an unlabeled
|
||||
-## connection.
|
||||
-## </p>
|
||||
-## <p>
|
||||
-## The corenetwork interface corenet_dontaudit_tcp_recv_unlabeled()
|
||||
-## should be used instead of this one.
|
||||
-## </p>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain to not audit.
|
||||
@ -16186,29 +16221,34 @@ index e100d88..227ae89 100644
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Do not audit attempts to receive TCP packets from an unlabeled
|
||||
## connection.
|
||||
## </summary>
|
||||
@@ -2803,20 +3028,47 @@ interface(`kernel_raw_recvfrom_unlabeled',`
|
||||
+## Do not audit attempts to receive TCP packets from an unlabeled
|
||||
+## connection.
|
||||
+## </summary>
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Do not audit attempts to receive TCP packets from an unlabeled
|
||||
+## connection.
|
||||
+## </p>
|
||||
+## <p>
|
||||
+## The corenetwork interface corenet_dontaudit_tcp_recv_unlabeled()
|
||||
+## should be used instead of this one.
|
||||
+## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -2803,6 +3047,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
|
||||
|
||||
allow $1 unlabeled_t:rawip_socket recvfrom;
|
||||
')
|
||||
-
|
||||
########################################
|
||||
## <summary>
|
||||
-## Do not audit attempts to receive Raw IP packets from an unlabeled
|
||||
-## connection.
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read/Write Raw IP packets from an unlabeled connection.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
-## Do not audit attempts to receive Raw IP packets from an unlabeled
|
||||
-## connection.
|
||||
+## </summary>
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Receive Raw IP packets from an unlabeled connection.
|
||||
## </p>
|
||||
## <p>
|
||||
-## The corenetwork interface corenet_dontaudit_raw_recv_unlabeled()
|
||||
-## should be used instead of this one.
|
||||
+## </p>
|
||||
+## <p>
|
||||
+## The corenetwork interface corenet_raw_recv_unlabeled() should
|
||||
+## be used instead of this one.
|
||||
+## </p>
|
||||
@ -16227,24 +16267,10 @@ index e100d88..227ae89 100644
|
||||
+ allow $1 unlabeled_t:rawip_socket rw_socket_perms;
|
||||
+')
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Do not audit attempts to receive Raw IP packets from an unlabeled
|
||||
+## connection.
|
||||
+## </summary>
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Do not audit attempts to receive Raw IP packets from an unlabeled
|
||||
+## connection.
|
||||
+## </p>
|
||||
+## <p>
|
||||
+## The corenetwork interface corenet_dontaudit_raw_recv_unlabeled()
|
||||
+## should be used instead of this one.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
@@ -2958,6 +3210,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@@ -2958,6 +3229,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -16269,7 +16295,7 @@ index e100d88..227ae89 100644
|
||||
## Unconfined access to kernel module resources.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -2972,5 +3242,565 @@ interface(`kernel_unconfined',`
|
||||
@@ -2972,5 +3261,565 @@ interface(`kernel_unconfined',`
|
||||
')
|
||||
|
||||
typeattribute $1 kern_unconfined;
|
||||
@ -28059,7 +28085,7 @@ index 3efd5b6..12dca57 100644
|
||||
+ allow $1 login_pgm:key manage_key_perms;
|
||||
+')
|
||||
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
|
||||
index 09b791d..dbf639e 100644
|
||||
index 09b791d..03657db 100644
|
||||
--- a/policy/modules/system/authlogin.te
|
||||
+++ b/policy/modules/system/authlogin.te
|
||||
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
|
||||
@ -28337,12 +28363,12 @@ index 09b791d..dbf639e 100644
|
||||
+systemd_hostnamed_read_config(nsswitch_domain)
|
||||
+
|
||||
+
|
||||
tunable_policy(`authlogin_nsswitch_use_ldap',`
|
||||
- files_list_var_lib(nsswitch_domain)
|
||||
+tunable_policy(`authlogin_nsswitch_use_ldap',`
|
||||
+ allow nsswitch_domain self:tcp_socket create_socket_perms;
|
||||
+')
|
||||
+
|
||||
+tunable_policy(`authlogin_nsswitch_use_ldap',`
|
||||
tunable_policy(`authlogin_nsswitch_use_ldap',`
|
||||
- files_list_var_lib(nsswitch_domain)
|
||||
+ corenet_tcp_sendrecv_generic_if(nsswitch_domain)
|
||||
+ corenet_tcp_sendrecv_generic_node(nsswitch_domain)
|
||||
+ corenet_tcp_sendrecv_ldap_port(nsswitch_domain)
|
||||
@ -28383,7 +28409,7 @@ index 09b791d..dbf639e 100644
|
||||
optional_policy(`
|
||||
kerberos_use(nsswitch_domain)
|
||||
')
|
||||
@@ -456,10 +520,151 @@ optional_policy(`
|
||||
@@ -456,10 +520,155 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
sssd_stream_connect(nsswitch_domain)
|
||||
@ -28395,6 +28421,10 @@ index 09b791d..dbf639e 100644
|
||||
+userdom_manage_all_users_keys(nsswitch_domain)
|
||||
+optional_policy(`
|
||||
+ sssd_manage_keys(nsswitch_domain)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ rolekit_manage_keys(nsswitch_domain)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
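Review bot: `rolekit_dbus_chat(domain)` in the new domain.te block grants D-Bus chat to every process type carrying the `domain` attribute, so any confined daemon or user domain may exchange D-Bus messages with rolekit_t rather than only the few callers that need it, and the commit message describes the rolekit policy addition without saying why the grant must be this wide. Because rolekit deploys server roles with privileges of its own, the only remaining gate on who can drive it is the bus policy, which SELinux no longer reinforces; presumably rolekit_dbus_chat() allows send_msg in both directions as refpolicy convention suggests, but its definition is not in this hunk. Consider narrowing it to the domains that actually talk to rolekit (the neighbouring `ssh_rw_pipes(domain)` line shows the same blanket pattern) or, if the breadth is intentional, adding a comment such as `# rolekit answers D-Bus queries from any domain; confinement relies on the bus policy` above that optional_policy block. The domain.te stanza this belongs to begins and ends outside the visible hunk.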
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 88%{?dist}
|
||||
Release: 89%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -604,6 +604,19 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Oct 29 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-89
|
||||
- Allow keystone_cgi_script_t to bind on commplex_main_port. BZ (#1138424)
|
||||
- Allow freeipmi_bmc_watchdog rw_sem_perms to freeipmi_ipmiseld
|
||||
- Allow rabbitmq to read nfs state data. BZ(1122412)
|
||||
- Allow named to read /var/tmp/DNS_25 labeled as krb5_host_rcache_t.
|
||||
- Add rolekit policy
|
||||
- ALlow rolekit domtrans to sssd_t.
|
||||
- Add kerberos_tmp_filetrans_kadmin() interface.
|
||||
- rolekit should be noaudit.
|
||||
- Add rolekit_manage_keys().
|
||||
- Need to label rpmnew file correctly
|
||||
- Allow modemmanger to connectto itself
|
||||
|
||||
* Tue Oct 21 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-88
|
||||
- Allow couchdb read sysctl_fs_t files. BZ(1154327)
|
||||
- Allow osad to connect to jabber client port. BZ (1154242)
|
||||