* Tue Sep 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-149
- Add few rules related to new policy for pkcs11proxyd - Added new policy for pkcs11proxyd daemon - We need to require sandbox_web_type attribute in sandbox_x_domain_template(). - Dontaudit abrt_t to rw lvm_lock_t dir. - Allow abrt_d domain to write to kernel msg device. - Add interface lvm_dontaudit_rw_lock_dir() - Merge pull request #35 from lkundrak/lr-libreswan
This commit is contained in:
parent
23d80687e0
commit
b03747cd87
@ -1,5 +1,5 @@
|
||||
diff --git a/Makefile b/Makefile
|
||||
index ec7b5cb..029dcaf 100644
|
||||
index ec7b5cb..a027110 100644
|
||||
--- a/Makefile
|
||||
+++ b/Makefile
|
||||
@@ -61,6 +61,7 @@ SEMODULE ?= $(tc_usrsbindir)/semodule
|
||||
@ -19,7 +19,7 @@ index ec7b5cb..029dcaf 100644
|
||||
net_contexts := $(builddir)net_contexts
|
||||
|
||||
all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
|
||||
@@ -609,15 +610,17 @@ resetlabels:
|
||||
@@ -609,15 +610,16 @@ resetlabels:
|
||||
# Clean everything
|
||||
#
|
||||
bare: clean
|
||||
@ -32,7 +32,6 @@ index ec7b5cb..029dcaf 100644
|
||||
- rm -f $(booleans)
|
||||
- rm -fR $(htmldir)
|
||||
- rm -f $(tags)
|
||||
+ echo "hehe kde jsem asi tak"
|
||||
+ pwd
|
||||
+ #rm -f $(polxml)
|
||||
+ #rm -f $(layerxml)
|
||||
@ -35357,7 +35356,7 @@ index 0d4c8d3..720ece8 100644
|
||||
+ ps_process_pattern($1, ipsec_mgmt_t)
|
||||
+')
|
||||
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
|
||||
index 312cd04..dd6638a 100644
|
||||
index 312cd04..30cecca 100644
|
||||
--- a/policy/modules/system/ipsec.te
|
||||
+++ b/policy/modules/system/ipsec.te
|
||||
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
|
||||
@ -35370,7 +35369,17 @@ index 312cd04..dd6638a 100644
|
||||
type ipsec_mgmt_lock_t;
|
||||
files_lock_file(ipsec_mgmt_lock_t)
|
||||
|
||||
@@ -72,24 +75,32 @@ role system_r types setkey_t;
|
||||
@@ -67,29 +70,42 @@ type setkey_exec_t;
|
||||
init_system_domain(setkey_t, setkey_exec_t)
|
||||
role system_r types setkey_t;
|
||||
|
||||
+# The NetworkManager helper communicates the password via PTY
|
||||
+type ipsec_mgmt_devpts_t;
|
||||
+term_pty(ipsec_mgmt_devpts_t)
|
||||
+files_type(ipsec_mgmt_devpts_t)
|
||||
+
|
||||
########################################
|
||||
#
|
||||
# ipsec Local policy
|
||||
#
|
||||
|
||||
@ -35408,7 +35417,7 @@ index 312cd04..dd6638a 100644
|
||||
|
||||
manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
|
||||
manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
|
||||
@@ -110,10 +121,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
|
||||
@@ -110,10 +126,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
|
||||
allow ipsec_mgmt_t ipsec_t:fd use;
|
||||
allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
|
||||
allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
|
||||
@ -35421,7 +35430,7 @@ index 312cd04..dd6638a 100644
|
||||
kernel_list_proc(ipsec_t)
|
||||
kernel_read_proc_symlinks(ipsec_t)
|
||||
# allow pluto to access /proc/net/ipsec_eroute;
|
||||
@@ -128,20 +139,22 @@ corecmd_exec_shell(ipsec_t)
|
||||
@@ -128,20 +144,22 @@ corecmd_exec_shell(ipsec_t)
|
||||
corecmd_exec_bin(ipsec_t)
|
||||
|
||||
# Pluto needs network access
|
||||
@ -35451,7 +35460,7 @@ index 312cd04..dd6638a 100644
|
||||
|
||||
dev_read_sysfs(ipsec_t)
|
||||
dev_read_rand(ipsec_t)
|
||||
@@ -157,24 +170,32 @@ files_dontaudit_search_home(ipsec_t)
|
||||
@@ -157,24 +175,32 @@ files_dontaudit_search_home(ipsec_t)
|
||||
fs_getattr_all_fs(ipsec_t)
|
||||
fs_search_auto_mountpoints(ipsec_t)
|
||||
|
||||
@ -35486,7 +35495,7 @@ index 312cd04..dd6638a 100644
|
||||
seutil_sigchld_newrole(ipsec_t)
|
||||
')
|
||||
|
||||
@@ -187,10 +208,10 @@ optional_policy(`
|
||||
@@ -187,14 +213,15 @@ optional_policy(`
|
||||
# ipsec_mgmt Local policy
|
||||
#
|
||||
|
||||
@ -35501,7 +35510,12 @@ index 312cd04..dd6638a 100644
|
||||
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
|
||||
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
|
||||
allow ipsec_mgmt_t self:key_socket create_socket_perms;
|
||||
@@ -208,12 +229,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
|
||||
allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
|
||||
+allow ipsec_mgmt_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
|
||||
|
||||
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
|
||||
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
|
||||
@@ -208,12 +235,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
|
||||
|
||||
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
|
||||
@ -35517,7 +35531,7 @@ index 312cd04..dd6638a 100644
|
||||
|
||||
# _realsetup needs to be able to cat /var/run/pluto.pid,
|
||||
# run ps on that pid, and delete the file
|
||||
@@ -246,6 +269,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
|
||||
@@ -246,6 +275,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
|
||||
kernel_getattr_core_if(ipsec_mgmt_t)
|
||||
kernel_getattr_message_if(ipsec_mgmt_t)
|
||||
|
||||
@ -35534,7 +35548,7 @@ index 312cd04..dd6638a 100644
|
||||
files_read_kernel_symbol_table(ipsec_mgmt_t)
|
||||
files_getattr_kernel_modules(ipsec_mgmt_t)
|
||||
|
||||
@@ -255,6 +288,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
|
||||
@@ -255,6 +294,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
|
||||
corecmd_exec_bin(ipsec_mgmt_t)
|
||||
corecmd_exec_shell(ipsec_mgmt_t)
|
||||
|
||||
@ -35543,7 +35557,7 @@ index 312cd04..dd6638a 100644
|
||||
dev_read_rand(ipsec_mgmt_t)
|
||||
dev_read_urand(ipsec_mgmt_t)
|
||||
|
||||
@@ -269,6 +304,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
|
||||
@@ -269,6 +310,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
|
||||
files_read_etc_files(ipsec_mgmt_t)
|
||||
files_exec_etc_files(ipsec_mgmt_t)
|
||||
files_read_etc_runtime_files(ipsec_mgmt_t)
|
||||
@ -35551,7 +35565,7 @@ index 312cd04..dd6638a 100644
|
||||
files_read_usr_files(ipsec_mgmt_t)
|
||||
files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
|
||||
files_dontaudit_getattr_default_files(ipsec_mgmt_t)
|
||||
@@ -278,9 +314,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
|
||||
@@ -278,9 +320,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
|
||||
fs_list_tmpfs(ipsec_mgmt_t)
|
||||
|
||||
term_use_console(ipsec_mgmt_t)
|
||||
@ -35563,7 +35577,7 @@ index 312cd04..dd6638a 100644
|
||||
|
||||
init_read_utmp(ipsec_mgmt_t)
|
||||
init_use_script_ptys(ipsec_mgmt_t)
|
||||
@@ -288,17 +325,25 @@ init_exec_script_files(ipsec_mgmt_t)
|
||||
@@ -288,17 +331,28 @@ init_exec_script_files(ipsec_mgmt_t)
|
||||
init_use_fds(ipsec_mgmt_t)
|
||||
init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
|
||||
|
||||
@ -35585,6 +35599,9 @@ index 312cd04..dd6638a 100644
|
||||
+
|
||||
+userdom_use_inherited_user_terminals(ipsec_mgmt_t)
|
||||
+
|
||||
+allow ipsec_mgmt_t ipsec_mgmt_devpts_t:chr_file rw_term_perms;
|
||||
+term_create_pty(ipsec_mgmt_t,ipsec_mgmt_devpts_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ bind_domtrans(ipsec_mgmt_t)
|
||||
+ bind_read_dnssec_keys(ipsec_mgmt_t)
|
||||
@ -35594,7 +35611,7 @@ index 312cd04..dd6638a 100644
|
||||
|
||||
optional_policy(`
|
||||
consoletype_exec(ipsec_mgmt_t)
|
||||
@@ -322,6 +367,10 @@ optional_policy(`
|
||||
@@ -322,6 +376,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -35605,7 +35622,7 @@ index 312cd04..dd6638a 100644
|
||||
modutils_domtrans_insmod(ipsec_mgmt_t)
|
||||
')
|
||||
|
||||
@@ -335,7 +384,7 @@ optional_policy(`
|
||||
@@ -335,7 +393,7 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow racoon_t self:capability { net_admin net_bind_service };
|
||||
@ -35614,7 +35631,7 @@ index 312cd04..dd6638a 100644
|
||||
allow racoon_t self:unix_dgram_socket { connect create ioctl write };
|
||||
allow racoon_t self:netlink_selinux_socket { bind create read };
|
||||
allow racoon_t self:udp_socket create_socket_perms;
|
||||
@@ -370,13 +419,12 @@ kernel_request_load_module(racoon_t)
|
||||
@@ -370,13 +428,12 @@ kernel_request_load_module(racoon_t)
|
||||
corecmd_exec_shell(racoon_t)
|
||||
corecmd_exec_bin(racoon_t)
|
||||
|
||||
@ -35634,7 +35651,7 @@ index 312cd04..dd6638a 100644
|
||||
corenet_udp_bind_isakmp_port(racoon_t)
|
||||
corenet_udp_bind_ipsecnat_port(racoon_t)
|
||||
|
||||
@@ -401,10 +449,10 @@ locallogin_use_fds(racoon_t)
|
||||
@@ -401,10 +458,10 @@ locallogin_use_fds(racoon_t)
|
||||
logging_send_syslog_msg(racoon_t)
|
||||
logging_send_audit_msgs(racoon_t)
|
||||
|
||||
@ -35647,7 +35664,7 @@ index 312cd04..dd6638a 100644
|
||||
auth_can_read_shadow_passwords(racoon_t)
|
||||
tunable_policy(`racoon_read_shadow',`
|
||||
auth_tunable_read_shadow(racoon_t)
|
||||
@@ -438,9 +486,8 @@ corenet_setcontext_all_spds(setkey_t)
|
||||
@@ -438,9 +495,8 @@ corenet_setcontext_all_spds(setkey_t)
|
||||
|
||||
locallogin_use_fds(setkey_t)
|
||||
|
||||
@ -38136,7 +38153,7 @@ index 6b91740..5c1669a 100644
|
||||
+/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0)
|
||||
/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
|
||||
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
|
||||
index 58bc27f..6293110 100644
|
||||
index 58bc27f..8f7b119 100644
|
||||
--- a/policy/modules/system/lvm.if
|
||||
+++ b/policy/modules/system/lvm.if
|
||||
@@ -1,5 +1,22 @@
|
||||
@ -38239,7 +38256,7 @@ index 58bc27f..6293110 100644
|
||||
######################################
|
||||
## <summary>
|
||||
## Execute a domain transition to run clvmd.
|
||||
@@ -123,3 +203,157 @@ interface(`lvm_domtrans_clvmd',`
|
||||
@@ -123,3 +203,175 @@ interface(`lvm_domtrans_clvmd',`
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, clvmd_exec_t, clvmd_t)
|
||||
')
|
||||
@ -38355,6 +38372,24 @@ index 58bc27f..6293110 100644
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Dontaudit read and write to lvm_lock_t dir.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`lvm_dontaudit_rw_lock_dir',`
|
||||
+ gen_require(`
|
||||
+ type lvm_lock_t;
|
||||
+ ')
|
||||
+
|
||||
+ dontaudit $1 lvm_lock_t:dir rw_file_perms;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read the process state (/proc/pid) of lvm.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
|
@ -572,7 +572,7 @@ index 058d908..7da78c7 100644
|
||||
+')
|
||||
+
|
||||
diff --git a/abrt.te b/abrt.te
|
||||
index eb50f07..f93be3c 100644
|
||||
index eb50f07..9bd797b 100644
|
||||
--- a/abrt.te
|
||||
+++ b/abrt.te
|
||||
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
|
||||
@ -720,7 +720,7 @@ index eb50f07..f93be3c 100644
|
||||
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
|
||||
logging_log_filetrans(abrt_t, abrt_var_log_t, file)
|
||||
|
||||
@@ -125,48 +135,56 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
|
||||
@@ -125,48 +135,57 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
|
||||
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
|
||||
manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
|
||||
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
|
||||
@ -781,10 +781,11 @@ index eb50f07..f93be3c 100644
|
||||
dev_rw_sysfs(abrt_t)
|
||||
-dev_dontaudit_read_raw_memory(abrt_t)
|
||||
+dev_read_raw_memory(abrt_t)
|
||||
+dev_write_kmsg(abrt_t)
|
||||
|
||||
domain_getattr_all_domains(abrt_t)
|
||||
domain_read_all_domains_state(abrt_t)
|
||||
@@ -176,29 +194,43 @@ files_getattr_all_files(abrt_t)
|
||||
@@ -176,29 +195,43 @@ files_getattr_all_files(abrt_t)
|
||||
files_read_config_files(abrt_t)
|
||||
files_read_etc_runtime_files(abrt_t)
|
||||
files_read_var_symlinks(abrt_t)
|
||||
@ -816,11 +817,11 @@ index eb50f07..f93be3c 100644
|
||||
+logging_send_syslog_msg(abrt_t)
|
||||
+logging_stream_connect_syslog(abrt_t)
|
||||
+logging_read_syslog_pid(abrt_t)
|
||||
|
||||
+
|
||||
+auth_use_nsswitch(abrt_t)
|
||||
+
|
||||
+init_read_utmp(abrt_t)
|
||||
+
|
||||
|
||||
+miscfiles_read_generic_certs(abrt_t)
|
||||
miscfiles_read_public_files(abrt_t)
|
||||
+miscfiles_dontaudit_access_check_cert(abrt_t)
|
||||
@ -831,7 +832,7 @@ index eb50f07..f93be3c 100644
|
||||
|
||||
tunable_policy(`abrt_anon_write',`
|
||||
miscfiles_manage_public_files(abrt_t)
|
||||
@@ -206,15 +238,11 @@ tunable_policy(`abrt_anon_write',`
|
||||
@@ -206,15 +239,11 @@ tunable_policy(`abrt_anon_write',`
|
||||
|
||||
optional_policy(`
|
||||
apache_list_modules(abrt_t)
|
||||
@ -848,7 +849,7 @@ index eb50f07..f93be3c 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -222,6 +250,24 @@ optional_policy(`
|
||||
@@ -222,6 +251,28 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -856,6 +857,10 @@ index eb50f07..f93be3c 100644
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ lvm_dontaudit_rw_lock_dir(abrt_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ mcelog_read_log(abrt_t)
|
||||
+')
|
||||
+
|
||||
@ -873,7 +878,7 @@ index eb50f07..f93be3c 100644
|
||||
policykit_domtrans_auth(abrt_t)
|
||||
policykit_read_lib(abrt_t)
|
||||
policykit_read_reload(abrt_t)
|
||||
@@ -234,6 +280,11 @@ optional_policy(`
|
||||
@@ -234,6 +285,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -885,7 +890,7 @@ index eb50f07..f93be3c 100644
|
||||
rpm_exec(abrt_t)
|
||||
rpm_dontaudit_manage_db(abrt_t)
|
||||
rpm_manage_cache(abrt_t)
|
||||
@@ -243,6 +294,7 @@ optional_policy(`
|
||||
@@ -243,6 +299,7 @@ optional_policy(`
|
||||
rpm_signull(abrt_t)
|
||||
')
|
||||
|
||||
@ -893,7 +898,7 @@ index eb50f07..f93be3c 100644
|
||||
optional_policy(`
|
||||
sendmail_domtrans(abrt_t)
|
||||
')
|
||||
@@ -253,9 +305,21 @@ optional_policy(`
|
||||
@@ -253,9 +310,21 @@ optional_policy(`
|
||||
sosreport_delete_tmp_files(abrt_t)
|
||||
')
|
||||
|
||||
@ -916,7 +921,7 @@ index eb50f07..f93be3c 100644
|
||||
#
|
||||
|
||||
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
|
||||
@@ -266,9 +330,13 @@ tunable_policy(`abrt_handle_event',`
|
||||
@@ -266,9 +335,13 @@ tunable_policy(`abrt_handle_event',`
|
||||
can_exec(abrt_t, abrt_handle_event_exec_t)
|
||||
')
|
||||
|
||||
@ -931,7 +936,7 @@ index eb50f07..f93be3c 100644
|
||||
#
|
||||
|
||||
allow abrt_helper_t self:capability { chown setgid sys_nice };
|
||||
@@ -281,6 +349,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
|
||||
@@ -281,6 +354,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
|
||||
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
|
||||
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
|
||||
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
|
||||
@ -939,7 +944,7 @@ index eb50f07..f93be3c 100644
|
||||
|
||||
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
|
||||
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
|
||||
@@ -289,15 +358,20 @@ corecmd_read_all_executables(abrt_helper_t)
|
||||
@@ -289,15 +363,20 @@ corecmd_read_all_executables(abrt_helper_t)
|
||||
|
||||
domain_read_all_domains_state(abrt_helper_t)
|
||||
|
||||
@ -960,7 +965,7 @@ index eb50f07..f93be3c 100644
|
||||
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
|
||||
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
|
||||
dev_dontaudit_read_all_blk_files(abrt_helper_t)
|
||||
@@ -305,11 +379,25 @@ ifdef(`hide_broken_symptoms',`
|
||||
@@ -305,11 +384,25 @@ ifdef(`hide_broken_symptoms',`
|
||||
dev_dontaudit_write_all_chr_files(abrt_helper_t)
|
||||
dev_dontaudit_write_all_blk_files(abrt_helper_t)
|
||||
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
|
||||
@ -987,7 +992,7 @@ index eb50f07..f93be3c 100644
|
||||
#
|
||||
|
||||
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
|
||||
@@ -327,10 +415,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
|
||||
@@ -327,10 +420,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
|
||||
|
||||
dev_read_urand(abrt_retrace_coredump_t)
|
||||
|
||||
@ -1001,7 +1006,7 @@ index eb50f07..f93be3c 100644
|
||||
optional_policy(`
|
||||
rpm_exec(abrt_retrace_coredump_t)
|
||||
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
|
||||
@@ -343,10 +433,11 @@ optional_policy(`
|
||||
@@ -343,10 +438,11 @@ optional_policy(`
|
||||
|
||||
#######################################
|
||||
#
|
||||
@ -1015,7 +1020,7 @@ index eb50f07..f93be3c 100644
|
||||
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
|
||||
@@ -365,38 +456,64 @@ corecmd_exec_shell(abrt_retrace_worker_t)
|
||||
@@ -365,38 +461,64 @@ corecmd_exec_shell(abrt_retrace_worker_t)
|
||||
|
||||
dev_read_urand(abrt_retrace_worker_t)
|
||||
|
||||
@ -1084,7 +1089,7 @@ index eb50f07..f93be3c 100644
|
||||
|
||||
#######################################
|
||||
#
|
||||
@@ -404,25 +521,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
|
||||
@@ -404,25 +526,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
|
||||
#
|
||||
|
||||
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
|
||||
@ -1147,7 +1152,7 @@ index eb50f07..f93be3c 100644
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -430,10 +582,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
|
||||
@@ -430,10 +587,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
|
||||
# Global local policy
|
||||
#
|
||||
|
||||
@ -5273,7 +5278,7 @@ index f6eb485..c55558a 100644
|
||||
+ read_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
|
||||
')
|
||||
diff --git a/apache.te b/apache.te
|
||||
index 6649962..7abf562 100644
|
||||
index 6649962..1862dfb 100644
|
||||
--- a/apache.te
|
||||
+++ b/apache.te
|
||||
@@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
|
||||
@ -5991,7 +5996,7 @@ index 6649962..7abf562 100644
|
||||
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
|
||||
|
||||
setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
|
||||
@@ -450,140 +575,174 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
||||
@@ -450,140 +575,176 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
||||
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
||||
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
||||
|
||||
@ -6047,7 +6052,8 @@ index 6649962..7abf562 100644
|
||||
dev_rw_crypto(httpd_t)
|
||||
|
||||
-domain_use_interactive_fds(httpd_t)
|
||||
-
|
||||
+files_dontaudit_write_all_mountpoints(httpd_t)
|
||||
|
||||
fs_getattr_all_fs(httpd_t)
|
||||
fs_search_auto_mountpoints(httpd_t)
|
||||
-
|
||||
@ -6231,7 +6237,7 @@ index 6649962..7abf562 100644
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
|
||||
@@ -594,28 +753,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
|
||||
@@ -594,28 +755,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
|
||||
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
|
||||
')
|
||||
|
||||
@ -6291,7 +6297,7 @@ index 6649962..7abf562 100644
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
@@ -624,68 +805,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
@@ -624,68 +807,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
fs_read_nfs_symlinks(httpd_t)
|
||||
')
|
||||
|
||||
@ -6352,17 +6358,17 @@ index 6649962..7abf562 100644
|
||||
- tunable_policy(`httpd_can_network_connect_zabbix',`
|
||||
- zabbix_tcp_connect(httpd_t)
|
||||
- ')
|
||||
-')
|
||||
-
|
||||
-optional_policy(`
|
||||
- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
|
||||
- spamassassin_domtrans_client(httpd_t)
|
||||
- ')
|
||||
+ tunable_policy(`httpd_can_sendmail',`
|
||||
+ postfix_rw_spool_maildrop_files(httpd_t)
|
||||
+ ')
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
|
||||
- spamassassin_domtrans_client(httpd_t)
|
||||
- ')
|
||||
-')
|
||||
-
|
||||
-tunable_policy(`httpd_graceful_shutdown',`
|
||||
- corenet_sendrecv_http_client_packets(httpd_t)
|
||||
- corenet_tcp_connect_http_port(httpd_t)
|
||||
@ -6394,7 +6400,7 @@ index 6649962..7abf562 100644
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_setrlimit',`
|
||||
@@ -695,49 +864,48 @@ tunable_policy(`httpd_setrlimit',`
|
||||
@@ -695,49 +866,48 @@ tunable_policy(`httpd_setrlimit',`
|
||||
|
||||
tunable_policy(`httpd_ssi_exec',`
|
||||
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
|
||||
@ -6475,7 +6481,7 @@ index 6649962..7abf562 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -749,24 +917,32 @@ optional_policy(`
|
||||
@@ -749,24 +919,32 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -6514,7 +6520,7 @@ index 6649962..7abf562 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -775,6 +951,10 @@ optional_policy(`
|
||||
@@ -775,6 +953,10 @@ optional_policy(`
|
||||
tunable_policy(`httpd_dbus_avahi',`
|
||||
avahi_dbus_chat(httpd_t)
|
||||
')
|
||||
@ -6525,7 +6531,7 @@ index 6649962..7abf562 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -786,35 +966,60 @@ optional_policy(`
|
||||
@@ -786,35 +968,60 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -6599,7 +6605,7 @@ index 6649962..7abf562 100644
|
||||
|
||||
tunable_policy(`httpd_manage_ipa',`
|
||||
memcached_manage_pid_files(httpd_t)
|
||||
@@ -822,8 +1027,30 @@ optional_policy(`
|
||||
@@ -822,8 +1029,30 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -6630,7 +6636,7 @@ index 6649962..7abf562 100644
|
||||
|
||||
tunable_policy(`httpd_can_network_connect_db',`
|
||||
mysql_tcp_connect(httpd_t)
|
||||
@@ -832,6 +1059,8 @@ optional_policy(`
|
||||
@@ -832,6 +1061,8 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
nagios_read_config(httpd_t)
|
||||
@ -6639,7 +6645,7 @@ index 6649962..7abf562 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -842,20 +1071,40 @@ optional_policy(`
|
||||
@@ -842,20 +1073,44 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -6661,6 +6667,13 @@ index 6649962..7abf562 100644
|
||||
optional_policy(`
|
||||
- postgresql_stream_connect(httpd_t)
|
||||
- postgresql_unpriv_client(httpd_t)
|
||||
+ pkcs11proxyd_stream_connect(httpd_t)
|
||||
+')
|
||||
|
||||
- tunable_policy(`httpd_can_network_connect_db',`
|
||||
- postgresql_tcp_connect(httpd_t)
|
||||
- ')
|
||||
+optional_policy(`
|
||||
+ pki_apache_domain_signal(httpd_t)
|
||||
+ pki_manage_apache_config_files(httpd_t)
|
||||
+ pki_manage_apache_lib(httpd_t)
|
||||
@ -6668,25 +6681,22 @@ index 6649962..7abf562 100644
|
||||
+ pki_manage_apache_run(httpd_t)
|
||||
+ pki_read_tomcat_cert(httpd_t)
|
||||
+')
|
||||
|
||||
- tunable_policy(`httpd_can_network_connect_db',`
|
||||
- postgresql_tcp_connect(httpd_t)
|
||||
- ')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ puppet_read_lib(httpd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ pwauth_domtrans(httpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- puppet_read_lib_files(httpd_t)
|
||||
+ pwauth_domtrans(httpd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ rpm_dontaudit_read_db(httpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -863,16 +1112,31 @@ optional_policy(`
|
||||
@@ -863,16 +1118,31 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -6706,21 +6716,21 @@ index 6649962..7abf562 100644
|
||||
optional_policy(`
|
||||
smokeping_read_lib_files(httpd_t)
|
||||
+ smokeping_read_pid_files(httpd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ files_dontaudit_rw_usr_dirs(httpd_t)
|
||||
+ snmp_dontaudit_manage_snmp_var_lib_files(httpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
|
||||
- snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
|
||||
+ files_dontaudit_rw_usr_dirs(httpd_t)
|
||||
+ snmp_dontaudit_manage_snmp_var_lib_files(httpd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ thin_stream_connect(httpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -883,65 +1147,189 @@ optional_policy(`
|
||||
@@ -883,65 +1153,189 @@ optional_policy(`
|
||||
yam_read_content(httpd_t)
|
||||
')
|
||||
|
||||
@ -6932,7 +6942,7 @@ index 6649962..7abf562 100644
|
||||
files_dontaudit_search_pids(httpd_suexec_t)
|
||||
files_search_home(httpd_suexec_t)
|
||||
|
||||
@@ -950,123 +1338,75 @@ auth_use_nsswitch(httpd_suexec_t)
|
||||
@@ -950,123 +1344,75 @@ auth_use_nsswitch(httpd_suexec_t)
|
||||
logging_search_logs(httpd_suexec_t)
|
||||
logging_send_syslog_msg(httpd_suexec_t)
|
||||
|
||||
@ -7086,7 +7096,7 @@ index 6649962..7abf562 100644
|
||||
mysql_read_config(httpd_suexec_t)
|
||||
|
||||
tunable_policy(`httpd_can_network_connect_db',`
|
||||
@@ -1083,172 +1423,107 @@ optional_policy(`
|
||||
@@ -1083,172 +1429,107 @@ optional_policy(`
|
||||
')
|
||||
')
|
||||
|
||||
@ -7253,7 +7263,8 @@ index 6649962..7abf562 100644
|
||||
-#
|
||||
-# System script local policy
|
||||
-#
|
||||
-
|
||||
+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
|
||||
|
||||
-allow httpd_sys_script_t self:tcp_socket { accept listen };
|
||||
-
|
||||
-allow httpd_sys_script_t httpd_t:tcp_socket { read write };
|
||||
@ -7269,8 +7280,7 @@ index 6649962..7abf562 100644
|
||||
-kernel_read_kernel_sysctls(httpd_sys_script_t)
|
||||
-
|
||||
-fs_search_auto_mountpoints(httpd_sys_script_t)
|
||||
+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
|
||||
|
||||
-
|
||||
-files_read_var_symlinks(httpd_sys_script_t)
|
||||
-files_search_var_lib(httpd_sys_script_t)
|
||||
-files_search_spool(httpd_sys_script_t)
|
||||
@ -7324,7 +7334,7 @@ index 6649962..7abf562 100644
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_read_user_content',`
|
||||
@@ -1256,64 +1531,74 @@ tunable_policy(`httpd_read_user_content',`
|
||||
@@ -1256,64 +1537,74 @@ tunable_policy(`httpd_read_user_content',`
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_use_cifs',`
|
||||
@ -7421,7 +7431,7 @@ index 6649962..7abf562 100644
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -1321,8 +1606,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
|
||||
@@ -1321,8 +1612,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
|
||||
#
|
||||
|
||||
optional_policy(`
|
||||
@ -7438,7 +7448,7 @@ index 6649962..7abf562 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1330,49 +1622,38 @@ optional_policy(`
|
||||
@@ -1330,49 +1628,38 @@ optional_policy(`
|
||||
# User content local policy
|
||||
#
|
||||
|
||||
@ -7503,7 +7513,7 @@ index 6649962..7abf562 100644
|
||||
kernel_read_system_state(httpd_passwd_t)
|
||||
|
||||
corecmd_exec_bin(httpd_passwd_t)
|
||||
@@ -1382,38 +1663,109 @@ dev_read_urand(httpd_passwd_t)
|
||||
@@ -1382,38 +1669,109 @@ dev_read_urand(httpd_passwd_t)
|
||||
|
||||
domain_use_interactive_fds(httpd_passwd_t)
|
||||
|
||||
@ -68410,6 +68420,247 @@ index 8eb3f7b..ee837c6 100644
|
||||
|
||||
-miscfiles_read_localization(pkcs_slotd_t)
|
||||
+userdom_read_all_users_state(pkcs_slotd_t)
|
||||
diff --git a/pkcs11proxyd.fc b/pkcs11proxyd.fc
|
||||
new file mode 100644
|
||||
index 0000000..ca1160a
|
||||
--- /dev/null
|
||||
+++ b/pkcs11proxyd.fc
|
||||
@@ -0,0 +1,7 @@
|
||||
+/usr/lib/systemd/system/pkcs11proxyd-softhsm.* -- gen_context(system_u:object_r:pkcs11proxyd_unit_file_t,s0)
|
||||
+
|
||||
+/usr/sbin/pkcs11proxyd -- gen_context(system_u:object_r:pkcs11proxyd_exec_t,s0)
|
||||
+
|
||||
+/var/lib/pkcs11proxyd(/.*)? gen_context(system_u:object_r:pkcs11proxyd_var_lib_t,s0)
|
||||
+
|
||||
+/var/run/pkcs11proxyd\.socket -s gen_context(system_u:object_r:pkcs11proxyd_var_run_t,s0)
|
||||
diff --git a/pkcs11proxyd.if b/pkcs11proxyd.if
|
||||
new file mode 100644
|
||||
index 0000000..1fa6db2
|
||||
--- /dev/null
|
||||
+++ b/pkcs11proxyd.if
|
||||
@@ -0,0 +1,175 @@
|
||||
+
|
||||
+## <summary>pkcs11proxyd-softhsm-ctl - manage the isolated PKCS #11 daemon with softhsm</summary>
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute pkcs11proxyd_exec_t in the pkcs11proxyd domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed to transition.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`pkcs11proxyd_domtrans',`
|
||||
+ gen_require(`
|
||||
+ type pkcs11proxyd_t, pkcs11proxyd_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ corecmd_search_bin($1)
|
||||
+ domtrans_pattern($1, pkcs11proxyd_exec_t, pkcs11proxyd_t)
|
||||
+')
|
||||
+
|
||||
+######################################
|
||||
+## <summary>
|
||||
+## Execute pkcs11proxyd in the caller domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`pkcs11proxyd_exec',`
|
||||
+ gen_require(`
|
||||
+ type pkcs11proxyd_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ corecmd_search_bin($1)
|
||||
+ can_exec($1, pkcs11proxyd_exec_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Search pkcs11proxyd lib directories.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`pkcs11proxyd_search_lib',`
|
||||
+ gen_require(`
|
||||
+ type pkcs11proxyd_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 pkcs11proxyd_var_lib_t:dir search_dir_perms;
|
||||
+ files_search_var_lib($1)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read pkcs11proxyd lib files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`pkcs11proxyd_read_lib_files',`
|
||||
+ gen_require(`
|
||||
+ type pkcs11proxyd_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_var_lib($1)
|
||||
+ read_files_pattern($1, pkcs11proxyd_var_lib_t, pkcs11proxyd_var_lib_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Manage pkcs11proxyd lib files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`pkcs11proxyd_manage_lib_files',`
|
||||
+ gen_require(`
|
||||
+ type pkcs11proxyd_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_var_lib($1)
|
||||
+ manage_files_pattern($1, pkcs11proxyd_var_lib_t, pkcs11proxyd_var_lib_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Manage pkcs11proxyd lib directories.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`pkcs11proxyd_manage_lib_dirs',`
|
||||
+ gen_require(`
|
||||
+ type pkcs11proxyd_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_var_lib($1)
|
||||
+ manage_dirs_pattern($1, pkcs11proxyd_var_lib_t, pkcs11proxyd_var_lib_t)
|
||||
+')
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## All of the rules required to administrate
|
||||
+## an pkcs11proxyd environment
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="role">
|
||||
+## <summary>
|
||||
+## Role allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`pkcs11proxyd_admin',`
|
||||
+ gen_require(`
|
||||
+ type pkcs11proxyd_t;
|
||||
+ type pkcs11proxyd_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 pkcs11proxyd_t:process { signal_perms };
|
||||
+ ps_process_pattern($1, pkcs11proxyd_t)
|
||||
+
|
||||
+ tunable_policy(`deny_ptrace',`',`
|
||||
+ allow $1 pkcs11proxyd_t:process ptrace;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_var_lib($1)
|
||||
+ admin_pattern($1, pkcs11proxyd_var_lib_t)
|
||||
+ optional_policy(`
|
||||
+ systemd_passwd_agent_exec($1)
|
||||
+ systemd_read_fifo_file_passwd_run($1)
|
||||
+ ')
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Connect to pkcs11proxyd over an unix
|
||||
+## stream socket.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`pkcs11proxyd_stream_connect',`
|
||||
+ gen_require(`
|
||||
+ type pkcs11proxyd_t, pkcs11proxyd_var_run_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_pids($1)
|
||||
+ stream_connect_pattern($1, pkcs11proxyd_var_run_t, pkcs11proxyd_var_run_t, pkcs11proxyd_t)
|
||||
+')
|
||||
diff --git a/pkcs11proxyd.te b/pkcs11proxyd.te
|
||||
new file mode 100644
|
||||
index 0000000..6b49e41
|
||||
--- /dev/null
|
||||
+++ b/pkcs11proxyd.te
|
||||
@@ -0,0 +1,41 @@
|
||||
+policy_module(pkcs11proxyd, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# Declarations
|
||||
+#
|
||||
+
|
||||
+type pkcs11proxyd_t;
|
||||
+type pkcs11proxyd_exec_t;
|
||||
+init_daemon_domain(pkcs11proxyd_t, pkcs11proxyd_exec_t)
|
||||
+
|
||||
+type pkcs11proxyd_unit_file_t;
|
||||
+systemd_unit_file(pkcs11proxyd_unit_file_t)
|
||||
+
|
||||
+type pkcs11proxyd_var_lib_t;
|
||||
+files_type(pkcs11proxyd_var_lib_t)
|
||||
+
|
||||
+type pkcs11proxyd_var_run_t;
|
||||
+files_pid_file(pkcs11proxyd_var_run_t)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# pkcs11proxyd local policy
|
||||
+#
|
||||
+allow pkcs11proxyd_t self:capability { kill setuid setgid };
|
||||
+allow pkcs11proxyd_t self:process { getpgid setpgid };
|
||||
+
|
||||
+manage_dirs_pattern(pkcs11proxyd_t, pkcs11proxyd_var_lib_t, pkcs11proxyd_var_lib_t)
|
||||
+manage_files_pattern(pkcs11proxyd_t, pkcs11proxyd_var_lib_t, pkcs11proxyd_var_lib_t)
|
||||
+manage_lnk_files_pattern(pkcs11proxyd_t, pkcs11proxyd_var_lib_t, pkcs11proxyd_var_lib_t)
|
||||
+files_var_lib_filetrans(pkcs11proxyd_t, pkcs11proxyd_var_lib_t, { dir })
|
||||
+
|
||||
+manage_sock_files_pattern(pkcs11proxyd_t, pkcs11proxyd_var_run_t, pkcs11proxyd_var_run_t)
|
||||
+files_pid_filetrans(pkcs11proxyd_t, pkcs11proxyd_var_run_t, { sock_file })
|
||||
+
|
||||
+auth_use_nsswitch(pkcs11proxyd_t)
|
||||
+
|
||||
+dev_read_urand(pkcs11proxyd_t)
|
||||
+
|
||||
+logging_send_syslog_msg(pkcs11proxyd_t)
|
||||
+
|
||||
diff --git a/pki.fc b/pki.fc
|
||||
new file mode 100644
|
||||
index 0000000..e6592ea
|
||||
@ -92902,10 +93153,10 @@ index 0000000..6caef63
|
||||
+/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0)
|
||||
diff --git a/sandboxX.if b/sandboxX.if
|
||||
new file mode 100644
|
||||
index 0000000..5b65b7c
|
||||
index 0000000..3e89d71
|
||||
--- /dev/null
|
||||
+++ b/sandboxX.if
|
||||
@@ -0,0 +1,395 @@
|
||||
@@ -0,0 +1,396 @@
|
||||
+
|
||||
+## <summary>policy for sandboxX </summary>
|
||||
+
|
||||
@ -92991,6 +93242,7 @@ index 0000000..5b65b7c
|
||||
+ attribute sandbox_x_domain;
|
||||
+ attribute sandbox_tmpfs_type;
|
||||
+ attribute sandbox_type;
|
||||
+ attribute sandbox_web_type;
|
||||
+ ')
|
||||
+
|
||||
+ type $1_t, sandbox_x_domain, sandbox_type, sandbox_web_type;
|
||||
|
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 148%{?dist}
|
||||
Release: 149%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -656,6 +656,15 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Sep 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-149
|
||||
- Add few rules related to new policy for pkcs11proxyd
|
||||
- Added new policy for pkcs11proxyd daemon
|
||||
- We need to require sandbox_web_type attribute in sandbox_x_domain_template().
|
||||
- Dontaudit abrt_t to rw lvm_lock_t dir.
|
||||
- Allow abrt_d domain to write to kernel msg device.
|
||||
- Add interface lvm_dontaudit_rw_lock_dir()
|
||||
- Merge pull request #35 from lkundrak/lr-libreswan
|
||||
|
||||
* Tue Sep 22 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-148
|
||||
- Update config.tgz to reflect changes in default context for SELinux users related to pam_selinux.so which is now used in systemd-users.
|
||||
- Added support for permissive domains
|
||||
|
Loading…
Reference in New Issue
Block a user