* Wed Aug 23 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-274
- Allow postgrey to execute bin_t files and add postgrey into nsswitch_domain - Allow nscd_t domain to search network sysctls - Allow iscsid_t domain to read mount pid files - Allow ksmtuned_t domain to manage sysfs_t files/dirs - Allow keepalived_t domain domtrans into iptables_t - Allow rshd_t domain to read net sysctls - Allow systemd to create syslog netlink audit socket - Allow ifconfig_t domain to unmount fs_t - Label /dev/gpiochip* devices as gpio_device_t
parent
681ffa2e20
commit
b7314cadde
@ -6673,7 +6673,7 @@ index 3f6e16889..abd046c56 100644
|
||||
+ifelse(`$2',`',`',`declare_ibendportcons($1_ibendport_t,shift($*))')dnl
|
||||
+')
|
||||
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
|
||||
index b31c05491..3ad1127cc 100644
|
||||
index b31c05491..3b3faeeae 100644
|
||||
--- a/policy/modules/kernel/devices.fc
|
||||
+++ b/policy/modules/kernel/devices.fc
|
||||
@@ -15,15 +15,18 @@
|
||||
@ -6697,8 +6697,11 @@ index b31c05491..3ad1127cc 100644
|
||||
/dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
|
||||
/dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0)
|
||||
/dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
@@ -44,6 +47,12 @@
|
||||
@@ -42,8 +45,15 @@
|
||||
/dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0)
|
||||
/dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0)
|
||||
/dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0)
|
||||
+/dev/gpiochip[0-9]+ -c gen_context(system_u:object_r:gpio_device_t,s0)
|
||||
/dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0)
|
||||
/dev/inportbm -c gen_context(system_u:object_r:mouse_device_t,s0)
|
||||
+/dev/infiniband/.* -c gen_context(system_u:object_r:infiniband_device_t,mls_systemhigh)
|
||||
@ -6710,7 +6713,7 @@ index b31c05491..3ad1127cc 100644
|
||||
/dev/ipmi[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0)
|
||||
/dev/ipmi/[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0)
|
||||
/dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0)
|
||||
@@ -61,8 +70,10 @@
|
||||
@@ -61,8 +71,10 @@
|
||||
/dev/loop-control -c gen_context(system_u:object_r:loop_control_device_t,s0)
|
||||
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
|
||||
/dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
|
||||
@ -6722,7 +6725,7 @@ index b31c05491..3ad1127cc 100644
|
||||
/dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
|
||||
/dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
|
||||
/dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
|
||||
@@ -72,7 +83,9 @@
|
||||
@@ -72,7 +84,9 @@
|
||||
/dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
/dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0)
|
||||
/dev/modem -c gen_context(system_u:object_r:modem_device_t,s0)
|
||||
@ -6732,7 +6735,7 @@ index b31c05491..3ad1127cc 100644
|
||||
/dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0)
|
||||
/dev/net/vhost -c gen_context(system_u:object_r:vhost_device_t,s0)
|
||||
/dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0)
|
||||
@@ -80,7 +93,10 @@
|
||||
@@ -80,7 +94,10 @@
|
||||
/dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0)
|
||||
/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
|
||||
/dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
|
||||
@ -6743,7 +6746,7 @@ index b31c05491..3ad1127cc 100644
|
||||
/dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
|
||||
/dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
|
||||
/dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0)
|
||||
@@ -90,9 +106,11 @@
|
||||
@@ -90,9 +107,11 @@
|
||||
/dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
|
||||
/dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
|
||||
/dev/pps.* -c gen_context(system_u:object_r:clock_device_t,s0)
|
||||
@ -6755,7 +6758,7 @@ index b31c05491..3ad1127cc 100644
|
||||
/dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
|
||||
/dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
@@ -106,6 +124,7 @@
|
||||
@@ -106,6 +125,7 @@
|
||||
/dev/snapshot -c gen_context(system_u:object_r:apm_bios_t,s0)
|
||||
/dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
/dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
@ -6763,7 +6766,7 @@ index b31c05491..3ad1127cc 100644
|
||||
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
/dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0)
|
||||
/dev/uinput -c gen_context(system_u:object_r:event_device_t,s0)
|
||||
@@ -118,6 +137,12 @@
|
||||
@@ -118,6 +138,12 @@
|
||||
ifdef(`distro_suse', `
|
||||
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
|
||||
')
|
||||
@ -6776,7 +6779,7 @@ index b31c05491..3ad1127cc 100644
|
||||
/dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0)
|
||||
/dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
/dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
|
||||
@@ -129,12 +154,14 @@ ifdef(`distro_suse', `
|
||||
@@ -129,12 +155,14 @@ ifdef(`distro_suse', `
|
||||
/dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
/dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
/dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0)
|
||||
@ -6791,7 +6794,7 @@ index b31c05491..3ad1127cc 100644
|
||||
/dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
|
||||
/dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
|
||||
|
||||
@@ -169,18 +196,26 @@ ifdef(`distro_suse', `
|
||||
@@ -169,18 +197,26 @@ ifdef(`distro_suse', `
|
||||
|
||||
/dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
|
||||
@ -6818,7 +6821,7 @@ index b31c05491..3ad1127cc 100644
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
# this is a static /dev dir "backup mount"
|
||||
@@ -198,12 +233,27 @@ ifdef(`distro_debian',`
|
||||
@@ -198,12 +234,27 @@ ifdef(`distro_debian',`
|
||||
/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
|
||||
/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
|
||||
|
||||
@ -6849,7 +6852,7 @@ index b31c05491..3ad1127cc 100644
|
||||
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
|
||||
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
|
||||
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
|
||||
index 76f285ea6..917fc3cc5 100644
|
||||
index 76f285ea6..ac044aea2 100644
|
||||
--- a/policy/modules/kernel/devices.if
|
||||
+++ b/policy/modules/kernel/devices.if
|
||||
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
|
||||
@ -8924,7 +8927,7 @@ index 76f285ea6..917fc3cc5 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4851,3 +6037,1042 @@ interface(`dev_unconfined',`
|
||||
@@ -4851,3 +6037,1064 @@ interface(`dev_unconfined',`
|
||||
|
||||
typeattribute $1 devices_unconfined_type;
|
||||
')
|
||||
@ -9059,6 +9062,24 @@ index 76f285ea6..917fc3cc5 100644
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Allow read/write the gpiochip device
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`dev_read_gpio',`
|
||||
+ gen_require(`
|
||||
+ type device_t, gpio_device_t;
|
||||
+ ')
|
||||
+
|
||||
+ read_chr_files_pattern($1, device_t, gpio_device_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Allow read/write the hypervvssd device
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
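Review bot: The summary on the new `dev_read_gpio` interface says "Allow read/write the gpiochip device", but the body only grants `read_chr_files_pattern($1, device_t, gpio_device_t)`, so a policy writer reading the doc will expect write access that is not there. Since the interface name also says read, the fix belongs in the comment: `## Read the gpiochip devices (/dev/gpiochip*).` If some consumer really needs write access, that should become a separate `dev_rw_gpio` built on `rw_chr_files_pattern` rather than widening this one, so domains that only read stay read-only. The dev_read_gpio interface is complete within the hunk; the hypervvssd block that follows it continues past the hunk.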
@ -9197,6 +9218,7 @@ index 76f285ea6..917fc3cc5 100644
|
||||
+ type hypervkvp_device_t;
|
||||
+ type hypervvssd_device_t;
|
||||
+ type gpfs_device_t;
|
||||
+ type gpio_device_t;
|
||||
+')
|
||||
+
|
||||
+ dev_filetrans_printer_named_dev($1)
|
||||
@ -9900,6 +9922,9 @@ index 76f285ea6..917fc3cc5 100644
|
||||
+ filetrans_pattern($1, device_t, hypervkvp_device_t, chr_file, "hv_kvp")
|
||||
+ filetrans_pattern($1, device_t, hypervvssd_device_t, chr_file, "hv_vss")
|
||||
+ filetrans_pattern($1, device_t, gpfs_device_t, chr_file, "ss0")
|
||||
+ filetrans_pattern($1, device_t, gpio_device_t, chr_file, "gpiochip0")
|
||||
+ filetrans_pattern($1, device_t, gpio_device_t, chr_file, "gpiochip1")
|
||||
+ filetrans_pattern($1, device_t, gpio_device_t, chr_file, "gpiochip2")
|
||||
+ dev_filetrans_xserver_named_dev($1)
|
||||
+')
|
||||
+
|
||||
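Review bot: The named file transitions added for gpio_device_t only cover `gpiochip0`, `gpiochip1` and `gpiochip2`, while the file context entry added in devices.fc matches `/dev/gpiochip[0-9]+`. A node created at runtime for a fourth or later chip gets no transition and will inherit the label of the /dev directory (device_t, judging from the surrounding rules) until a relabel runs, so a domain granted dev_read_gpio would be denied on those nodes. Named transitions cannot use regexes, so either extend the list to the number of chips you expect to support or say so above the first line, e.g. `# only gpiochip0-2 get a named transition; later chips depend on a relabel`. The enclosing interface starts before this hunk.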
@ -9968,7 +9993,7 @@ index 76f285ea6..917fc3cc5 100644
|
||||
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
|
||||
+')
|
||||
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
|
||||
index 0b1a8715a..db382e7c2 100644
|
||||
index 0b1a8715a..5c45b9323 100644
|
||||
--- a/policy/modules/kernel/devices.te
|
||||
+++ b/policy/modules/kernel/devices.te
|
||||
@@ -15,11 +15,12 @@ attribute devices_unconfined_type;
|
||||
@ -10015,7 +10040,7 @@ index 0b1a8715a..db382e7c2 100644
|
||||
type event_device_t;
|
||||
dev_node(event_device_t)
|
||||
|
||||
@@ -88,12 +92,39 @@ type framebuf_device_t;
|
||||
@@ -88,12 +92,45 @@ type framebuf_device_t;
|
||||
dev_node(framebuf_device_t)
|
||||
|
||||
#
|
||||
@ -10033,6 +10058,12 @@ index 0b1a8715a..db382e7c2 100644
|
||||
+type gpfs_device_t;
|
||||
+dev_node(gpfs_device_t)
|
||||
+
|
||||
+#
|
||||
+# Type for /dev/gpiochip*
|
||||
+#
|
||||
+type gpio_device_t;
|
||||
+dev_node(gpio_device_t)
|
||||
+
|
||||
+#
|
||||
# Type for /dev/ipmi/0
|
||||
#
|
||||
@ -10055,7 +10086,7 @@ index 0b1a8715a..db382e7c2 100644
|
||||
# Type for /dev/kmsg
|
||||
#
|
||||
type kmsg_device_t;
|
||||
@@ -111,6 +142,7 @@ dev_node(ksm_device_t)
|
||||
@@ -111,6 +148,7 @@ dev_node(ksm_device_t)
|
||||
#
|
||||
type kvm_device_t;
|
||||
dev_node(kvm_device_t)
|
||||
@ -10063,7 +10094,7 @@ index 0b1a8715a..db382e7c2 100644
|
||||
|
||||
#
|
||||
# Type for /dev/lirc
|
||||
@@ -118,6 +150,9 @@ dev_node(kvm_device_t)
|
||||
@@ -118,6 +156,9 @@ dev_node(kvm_device_t)
|
||||
type lirc_device_t;
|
||||
dev_node(lirc_device_t)
|
||||
|
||||
@ -10073,7 +10104,7 @@ index 0b1a8715a..db382e7c2 100644
|
||||
type loop_control_device_t;
|
||||
dev_node(loop_control_device_t)
|
||||
|
||||
@@ -150,16 +185,29 @@ type modem_device_t;
|
||||
@@ -150,16 +191,29 @@ type modem_device_t;
|
||||
dev_node(modem_device_t)
|
||||
|
||||
#
|
||||
@ -10103,7 +10134,7 @@ index 0b1a8715a..db382e7c2 100644
|
||||
genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0)
|
||||
|
||||
#
|
||||
@@ -183,6 +231,12 @@ type nvram_device_t;
|
||||
@@ -183,6 +237,12 @@ type nvram_device_t;
|
||||
dev_node(nvram_device_t)
|
||||
|
||||
#
|
||||
@ -10116,7 +10147,7 @@ index 0b1a8715a..db382e7c2 100644
|
||||
# Type for /dev/pmu
|
||||
#
|
||||
type power_device_t;
|
||||
@@ -227,6 +281,10 @@ files_mountpoint(sysfs_t)
|
||||
@@ -227,6 +287,10 @@ files_mountpoint(sysfs_t)
|
||||
fs_type(sysfs_t)
|
||||
genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
|
||||
|
||||
@ -10127,7 +10158,7 @@ index 0b1a8715a..db382e7c2 100644
|
||||
#
|
||||
# Type for /dev/tpm
|
||||
#
|
||||
@@ -266,6 +324,15 @@ dev_node(usbmon_device_t)
|
||||
@@ -266,6 +330,15 @@ dev_node(usbmon_device_t)
|
||||
type userio_device_t;
|
||||
dev_node(userio_device_t)
|
||||
|
||||
@ -10143,7 +10174,7 @@ index 0b1a8715a..db382e7c2 100644
|
||||
type v4l_device_t;
|
||||
dev_node(v4l_device_t)
|
||||
|
||||
@@ -274,6 +341,7 @@ dev_node(v4l_device_t)
|
||||
@@ -274,6 +347,7 @@ dev_node(v4l_device_t)
|
||||
#
|
||||
type vhost_device_t;
|
||||
dev_node(vhost_device_t)
|
||||
@ -10151,7 +10182,7 @@ index 0b1a8715a..db382e7c2 100644
|
||||
|
||||
# Type for vmware devices.
|
||||
type vmware_device_t;
|
||||
@@ -319,5 +387,8 @@ files_associate_tmp(device_node)
|
||||
@@ -319,5 +393,8 @@ files_associate_tmp(device_node)
|
||||
#
|
||||
|
||||
allow devices_unconfined_type self:capability sys_rawio;
|
||||
@ -36483,7 +36514,7 @@ index 79a45f62e..6ed0c399a 100644
|
||||
+ allow $1 init_var_lib_t:dir search_dir_perms;
|
||||
+')
|
||||
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
||||
index 17eda2480..c9e91f8e1 100644
|
||||
index 17eda2480..a980b4d3f 100644
|
||||
--- a/policy/modules/system/init.te
|
||||
+++ b/policy/modules/system/init.te
|
||||
@@ -11,10 +11,31 @@ gen_require(`
|
||||
@ -36693,7 +36724,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
|
||||
domain_getpgid_all_domains(init_t)
|
||||
domain_kill_all_domains(init_t)
|
||||
@@ -139,45 +241,102 @@ domain_signal_all_domains(init_t)
|
||||
@@ -139,45 +241,103 @@ domain_signal_all_domains(init_t)
|
||||
domain_signull_all_domains(init_t)
|
||||
domain_sigstop_all_domains(init_t)
|
||||
domain_sigchld_all_domains(init_t)
|
||||
@ -36780,6 +36811,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
logging_rw_generic_logs(init_t)
|
||||
+logging_relabel_devlog_dev(init_t)
|
||||
+logging_manage_audit_config(init_t)
|
||||
+logging_create_syslog_netlink_audit_socket(init_t)
|
||||
|
||||
seutil_read_config(init_t)
|
||||
+seutil_read_default_contexts(init_t)
|
||||
@ -36803,7 +36835,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
|
||||
ifdef(`distro_gentoo',`
|
||||
allow init_t self:process { getcap setcap };
|
||||
@@ -186,29 +345,283 @@ ifdef(`distro_gentoo',`
|
||||
@@ -186,29 +346,283 @@ ifdef(`distro_gentoo',`
|
||||
')
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
@ -37096,7 +37128,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -216,7 +629,30 @@ optional_policy(`
|
||||
@@ -216,7 +630,30 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -37128,7 +37160,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -225,9 +661,9 @@ optional_policy(`
|
||||
@@ -225,9 +662,9 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
|
||||
@ -37140,7 +37172,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
allow initrc_t self:passwd rootok;
|
||||
allow initrc_t self:key manage_key_perms;
|
||||
|
||||
@@ -258,12 +694,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
||||
@@ -258,12 +695,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
||||
|
||||
allow initrc_t initrc_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
|
||||
@ -37157,7 +37189,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
|
||||
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
|
||||
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
|
||||
@@ -279,23 +719,36 @@ kernel_change_ring_buffer_level(initrc_t)
|
||||
@@ -279,23 +720,36 @@ kernel_change_ring_buffer_level(initrc_t)
|
||||
kernel_clear_ring_buffer(initrc_t)
|
||||
kernel_get_sysvipc_info(initrc_t)
|
||||
kernel_read_all_sysctls(initrc_t)
|
||||
@ -37200,7 +37232,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
corenet_tcp_sendrecv_all_ports(initrc_t)
|
||||
corenet_udp_sendrecv_all_ports(initrc_t)
|
||||
corenet_tcp_connect_all_ports(initrc_t)
|
||||
@@ -303,9 +756,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
|
||||
@@ -303,9 +757,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
|
||||
|
||||
dev_read_rand(initrc_t)
|
||||
dev_read_urand(initrc_t)
|
||||
@ -37212,7 +37244,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
dev_rw_sysfs(initrc_t)
|
||||
dev_list_usbfs(initrc_t)
|
||||
dev_read_framebuffer(initrc_t)
|
||||
@@ -313,8 +768,10 @@ dev_write_framebuffer(initrc_t)
|
||||
@@ -313,8 +769,10 @@ dev_write_framebuffer(initrc_t)
|
||||
dev_read_realtime_clock(initrc_t)
|
||||
dev_read_sound_mixer(initrc_t)
|
||||
dev_write_sound_mixer(initrc_t)
|
||||
@ -37223,7 +37255,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
dev_delete_lvm_control_dev(initrc_t)
|
||||
dev_manage_generic_symlinks(initrc_t)
|
||||
dev_manage_generic_files(initrc_t)
|
||||
@@ -322,8 +779,7 @@ dev_manage_generic_files(initrc_t)
|
||||
@@ -322,8 +780,7 @@ dev_manage_generic_files(initrc_t)
|
||||
dev_delete_generic_symlinks(initrc_t)
|
||||
dev_getattr_all_blk_files(initrc_t)
|
||||
dev_getattr_all_chr_files(initrc_t)
|
||||
@ -37233,7 +37265,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
|
||||
domain_kill_all_domains(initrc_t)
|
||||
domain_signal_all_domains(initrc_t)
|
||||
@@ -332,7 +788,6 @@ domain_sigstop_all_domains(initrc_t)
|
||||
@@ -332,7 +789,6 @@ domain_sigstop_all_domains(initrc_t)
|
||||
domain_sigchld_all_domains(initrc_t)
|
||||
domain_read_all_domains_state(initrc_t)
|
||||
domain_getattr_all_domains(initrc_t)
|
||||
@ -37241,7 +37273,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
domain_getsession_all_domains(initrc_t)
|
||||
domain_use_interactive_fds(initrc_t)
|
||||
# for lsof which is used by alsa shutdown:
|
||||
@@ -340,6 +795,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
|
||||
@@ -340,6 +796,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
|
||||
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
|
||||
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
|
||||
domain_dontaudit_getattr_all_pipes(initrc_t)
|
||||
@ -37249,7 +37281,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
|
||||
files_getattr_all_dirs(initrc_t)
|
||||
files_getattr_all_files(initrc_t)
|
||||
@@ -347,14 +803,15 @@ files_getattr_all_symlinks(initrc_t)
|
||||
@@ -347,14 +804,15 @@ files_getattr_all_symlinks(initrc_t)
|
||||
files_getattr_all_pipes(initrc_t)
|
||||
files_getattr_all_sockets(initrc_t)
|
||||
files_purge_tmp(initrc_t)
|
||||
@ -37267,7 +37299,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
files_read_usr_files(initrc_t)
|
||||
files_manage_urandom_seed(initrc_t)
|
||||
files_manage_generic_spool(initrc_t)
|
||||
@@ -364,8 +821,12 @@ files_list_isid_type_dirs(initrc_t)
|
||||
@@ -364,8 +822,12 @@ files_list_isid_type_dirs(initrc_t)
|
||||
files_mounton_isid_type_dirs(initrc_t)
|
||||
files_list_default(initrc_t)
|
||||
files_mounton_default(initrc_t)
|
||||
@ -37281,7 +37313,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
fs_list_inotifyfs(initrc_t)
|
||||
fs_register_binary_executable_type(initrc_t)
|
||||
# rhgb-console writes to ramfs
|
||||
@@ -375,10 +836,11 @@ fs_mount_all_fs(initrc_t)
|
||||
@@ -375,10 +837,11 @@ fs_mount_all_fs(initrc_t)
|
||||
fs_unmount_all_fs(initrc_t)
|
||||
fs_remount_all_fs(initrc_t)
|
||||
fs_getattr_all_fs(initrc_t)
|
||||
@ -37295,7 +37327,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
mcs_process_set_categories(initrc_t)
|
||||
|
||||
mls_file_read_all_levels(initrc_t)
|
||||
@@ -387,8 +849,10 @@ mls_process_read_up(initrc_t)
|
||||
@@ -387,8 +850,10 @@ mls_process_read_up(initrc_t)
|
||||
mls_process_write_down(initrc_t)
|
||||
mls_rangetrans_source(initrc_t)
|
||||
mls_fd_share_all_levels(initrc_t)
|
||||
@ -37306,7 +37338,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
|
||||
storage_getattr_fixed_disk_dev(initrc_t)
|
||||
storage_setattr_fixed_disk_dev(initrc_t)
|
||||
@@ -398,6 +862,7 @@ term_use_all_terms(initrc_t)
|
||||
@@ -398,6 +863,7 @@ term_use_all_terms(initrc_t)
|
||||
term_reset_tty_labels(initrc_t)
|
||||
|
||||
auth_rw_login_records(initrc_t)
|
||||
@ -37314,7 +37346,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
auth_setattr_login_records(initrc_t)
|
||||
auth_rw_lastlog(initrc_t)
|
||||
auth_read_pam_pid(initrc_t)
|
||||
@@ -416,20 +881,18 @@ logging_read_all_logs(initrc_t)
|
||||
@@ -416,20 +882,18 @@ logging_read_all_logs(initrc_t)
|
||||
logging_append_all_logs(initrc_t)
|
||||
logging_read_audit_config(initrc_t)
|
||||
|
||||
@ -37338,7 +37370,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
dev_setattr_generic_dirs(initrc_t)
|
||||
@@ -451,7 +914,6 @@ ifdef(`distro_gentoo',`
|
||||
@@ -451,7 +915,6 @@ ifdef(`distro_gentoo',`
|
||||
allow initrc_t self:process setfscreate;
|
||||
dev_create_null_dev(initrc_t)
|
||||
dev_create_zero_dev(initrc_t)
|
||||
@ -37346,7 +37378,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
term_create_console_dev(initrc_t)
|
||||
|
||||
# unfortunately /sbin/rc does stupid tricks
|
||||
@@ -486,6 +948,10 @@ ifdef(`distro_gentoo',`
|
||||
@@ -486,6 +949,10 @@ ifdef(`distro_gentoo',`
|
||||
sysnet_setattr_config(initrc_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -37357,7 +37389,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
alsa_read_lib(initrc_t)
|
||||
')
|
||||
|
||||
@@ -506,7 +972,7 @@ ifdef(`distro_redhat',`
|
||||
@@ -506,7 +973,7 @@ ifdef(`distro_redhat',`
|
||||
|
||||
# Red Hat systems seem to have a stray
|
||||
# fd open from the initrd
|
||||
@ -37366,7 +37398,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
files_dontaudit_read_root_files(initrc_t)
|
||||
|
||||
# These seem to be from the initrd
|
||||
@@ -521,6 +987,7 @@ ifdef(`distro_redhat',`
|
||||
@@ -521,6 +988,7 @@ ifdef(`distro_redhat',`
|
||||
files_create_boot_dirs(initrc_t)
|
||||
files_create_boot_flag(initrc_t)
|
||||
files_rw_boot_symlinks(initrc_t)
|
||||
@ -37374,7 +37406,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
# wants to read /.fonts directory
|
||||
files_read_default_files(initrc_t)
|
||||
files_mountpoint(initrc_tmp_t)
|
||||
@@ -541,6 +1008,7 @@ ifdef(`distro_redhat',`
|
||||
@@ -541,6 +1009,7 @@ ifdef(`distro_redhat',`
|
||||
miscfiles_rw_localization(initrc_t)
|
||||
miscfiles_setattr_localization(initrc_t)
|
||||
miscfiles_relabel_localization(initrc_t)
|
||||
@ -37382,7 +37414,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
|
||||
miscfiles_read_fonts(initrc_t)
|
||||
miscfiles_read_hwdata(initrc_t)
|
||||
@@ -550,8 +1018,44 @@ ifdef(`distro_redhat',`
|
||||
@@ -550,8 +1019,44 @@ ifdef(`distro_redhat',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -37427,7 +37459,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -559,14 +1063,31 @@ ifdef(`distro_redhat',`
|
||||
@@ -559,14 +1064,31 @@ ifdef(`distro_redhat',`
|
||||
rpc_write_exports(initrc_t)
|
||||
rpc_manage_nfs_state_data(initrc_t)
|
||||
')
|
||||
@ -37459,7 +37491,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
')
|
||||
')
|
||||
|
||||
@@ -577,6 +1098,39 @@ ifdef(`distro_suse',`
|
||||
@@ -577,6 +1099,39 @@ ifdef(`distro_suse',`
|
||||
')
|
||||
')
|
||||
|
||||
@ -37499,7 +37531,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
optional_policy(`
|
||||
amavis_search_lib(initrc_t)
|
||||
amavis_setattr_pid_files(initrc_t)
|
||||
@@ -589,6 +1143,8 @@ optional_policy(`
|
||||
@@ -589,6 +1144,8 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
apache_read_config(initrc_t)
|
||||
apache_list_modules(initrc_t)
|
||||
@ -37508,7 +37540,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -610,6 +1166,7 @@ optional_policy(`
|
||||
@@ -610,6 +1167,7 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
cgroup_stream_connect_cgred(initrc_t)
|
||||
@ -37516,7 +37548,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -626,6 +1183,17 @@ optional_policy(`
|
||||
@@ -626,6 +1184,17 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -37534,7 +37566,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
dev_getattr_printer_dev(initrc_t)
|
||||
|
||||
cups_read_log(initrc_t)
|
||||
@@ -642,9 +1210,13 @@ optional_policy(`
|
||||
@@ -642,9 +1211,13 @@ optional_policy(`
|
||||
dbus_connect_system_bus(initrc_t)
|
||||
dbus_system_bus_client(initrc_t)
|
||||
dbus_read_config(initrc_t)
|
||||
@ -37548,7 +37580,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -657,15 +1229,11 @@ optional_policy(`
|
||||
@@ -657,15 +1230,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -37566,7 +37598,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -686,6 +1254,15 @@ optional_policy(`
|
||||
@@ -686,6 +1255,15 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -37582,7 +37614,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
inn_exec_config(initrc_t)
|
||||
')
|
||||
|
||||
@@ -726,6 +1303,7 @@ optional_policy(`
|
||||
@@ -726,6 +1304,7 @@ optional_policy(`
|
||||
lpd_list_spool(initrc_t)
|
||||
|
||||
lpd_read_config(initrc_t)
|
||||
@ -37590,7 +37622,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -743,7 +1321,13 @@ optional_policy(`
|
||||
@@ -743,7 +1322,13 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -37605,7 +37637,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
mta_dontaudit_read_spool_symlinks(initrc_t)
|
||||
')
|
||||
|
||||
@@ -766,6 +1350,10 @@ optional_policy(`
|
||||
@@ -766,6 +1351,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -37616,7 +37648,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
postgresql_manage_db(initrc_t)
|
||||
postgresql_read_config(initrc_t)
|
||||
')
|
||||
@@ -775,10 +1363,20 @@ optional_policy(`
|
||||
@@ -775,10 +1364,20 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -37637,7 +37669,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
quota_manage_flags(initrc_t)
|
||||
')
|
||||
|
||||
@@ -787,6 +1385,10 @@ optional_policy(`
|
||||
@@ -787,6 +1386,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -37648,7 +37680,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
fs_write_ramfs_sockets(initrc_t)
|
||||
fs_search_ramfs(initrc_t)
|
||||
|
||||
@@ -808,8 +1410,6 @@ optional_policy(`
|
||||
@@ -808,8 +1411,6 @@ optional_policy(`
|
||||
# bash tries ioctl for some reason
|
||||
files_dontaudit_ioctl_all_pids(initrc_t)
|
||||
|
||||
@ -37657,7 +37689,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -818,6 +1418,10 @@ optional_policy(`
|
||||
@@ -818,6 +1419,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -37668,7 +37700,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
# shorewall-init script run /var/lib/shorewall/firewall
|
||||
shorewall_lib_domtrans(initrc_t)
|
||||
')
|
||||
@@ -827,10 +1431,12 @@ optional_policy(`
|
||||
@@ -827,10 +1432,12 @@ optional_policy(`
|
||||
squid_manage_logs(initrc_t)
|
||||
')
|
||||
|
||||
@ -37681,7 +37713,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
|
||||
optional_policy(`
|
||||
ssh_dontaudit_read_server_keys(initrc_t)
|
||||
@@ -857,21 +1463,62 @@ optional_policy(`
|
||||
@@ -857,21 +1464,62 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -37745,7 +37777,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -887,6 +1534,10 @@ optional_policy(`
|
||||
@@ -887,6 +1535,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -37756,7 +37788,7 @@ index 17eda2480..c9e91f8e1 100644
|
||||
# Set device ownerships/modes.
|
||||
xserver_setattr_console_pipes(initrc_t)
|
||||
|
||||
@@ -897,3 +1548,218 @@ optional_policy(`
|
||||
@@ -897,3 +1549,218 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
zebra_read_config(initrc_t)
|
||||
')
|
||||
@ -40052,10 +40084,35 @@ index b50c5fe81..9eacd9ba1 100644
|
||||
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||
+
|
||||
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
|
||||
index 4e9488463..5f5045ae1 100644
|
||||
index 4e9488463..e7d5f42a5 100644
|
||||
--- a/policy/modules/system/logging.if
|
||||
+++ b/policy/modules/system/logging.if
|
||||
@@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
|
||||
@@ -81,6 +81,24 @@ interface(`logging_dontaudit_send_audit_msgs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## Create netlink audit socket
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`logging_create_syslog_netlink_audit_socket',`
|
||||
+ gen_require(`
|
||||
+ type syslogd_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 syslogd_t:netlink_audit_socket create_netlink_socket_perms;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Set login uid
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -233,7 +251,7 @@ interface(`logging_run_auditd',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
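Review bot: The new `logging_create_syslog_netlink_audit_socket` grants `create_netlink_socket_perms` on a `netlink_audit_socket` labeled syslogd_t, but its summary only says "Create netlink audit socket". If that permission set expands as in refpolicy's obj_perm_sets (create_socket_perms plus nlmsg_read and nlmsg_write), the caller can also read and change audit configuration through that socket, which is broader than the name suggests; if only creation and binding are needed, `create_socket_perms` is the narrower choice. Either way the doc should state what is granted and why the object type is syslogd_t rather than the caller's own type, e.g. `## Create and use a netlink audit socket labeled syslogd_t (init creating the socket on the syslog daemon's behalf).`, where the on-behalf part is inferred from the init.te caller and should be confirmed. The interface is complete within the hunk.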
@ -40064,7 +40121,7 @@ index 4e9488463..5f5045ae1 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -318,7 +318,7 @@ interface(`logging_dispatcher_domain',`
|
||||
@@ -318,7 +336,7 @@ interface(`logging_dispatcher_domain',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -40073,7 +40130,7 @@ index 4e9488463..5f5045ae1 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -496,6 +496,68 @@ interface(`logging_log_filetrans',`
|
||||
@@ -496,6 +514,68 @@ interface(`logging_log_filetrans',`
|
||||
filetrans_pattern($1, var_log_t, $2, $3, $4)
|
||||
')
|
||||
|
||||
@ -40142,7 +40199,7 @@ index 4e9488463..5f5045ae1 100644
|
||||
########################################
|
||||
## <summary>
|
||||
## Send system log messages.
|
||||
@@ -530,22 +592,107 @@ interface(`logging_log_filetrans',`
|
||||
@@ -530,22 +610,107 @@ interface(`logging_log_filetrans',`
|
||||
#
|
||||
interface(`logging_send_syslog_msg',`
|
||||
gen_require(`
|
||||
@ -40188,19 +40245,12 @@ index 4e9488463..5f5045ae1 100644
|
||||
+interface(`logging_relabel_devlog_dev',`
|
||||
+ gen_require(`
|
||||
+ type devlog_t;
|
||||
')
|
||||
|
||||
- allow $1 devlog_t:lnk_file read_lnk_file_perms;
|
||||
- allow $1 devlog_t:sock_file write_sock_file_perms;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 devlog_t:sock_file relabel_sock_file_perms;
|
||||
+ allow $1 devlog_t:lnk_file relabelto_lnk_file_perms;
|
||||
+')
|
||||
|
||||
- # the type of socket depends on the syslog daemon
|
||||
- allow $1 syslogd_t:unix_dgram_socket sendto;
|
||||
- allow $1 syslogd_t:unix_stream_socket connectto;
|
||||
- allow $1 self:unix_dgram_socket create_socket_perms;
|
||||
- allow $1 self:unix_stream_socket create_socket_perms;
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Allow domain to read the syslog pid files.
|
||||
@ -40215,11 +40265,7 @@ index 4e9488463..5f5045ae1 100644
|
||||
+ gen_require(`
|
||||
+ type syslogd_var_run_t;
|
||||
+ ')
|
||||
|
||||
- # If syslog is down, the glibc syslog() function
|
||||
- # will write to the console.
|
||||
- term_write_console($1)
|
||||
- term_dontaudit_read_console($1)
|
||||
+
|
||||
+ read_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
|
||||
+ list_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
|
||||
+')
|
||||
@ -40237,11 +40283,18 @@ index 4e9488463..5f5045ae1 100644
|
||||
+interface(`logging_relabel_syslog_pid_socket',`
|
||||
+ gen_require(`
|
||||
+ type syslogd_var_run_t;
|
||||
+ ')
|
||||
+
|
||||
')
|
||||
|
||||
- allow $1 devlog_t:lnk_file read_lnk_file_perms;
|
||||
- allow $1 devlog_t:sock_file write_sock_file_perms;
|
||||
+ allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms;
|
||||
+')
|
||||
+
|
||||
|
||||
- # the type of socket depends on the syslog daemon
|
||||
- allow $1 syslogd_t:unix_dgram_socket sendto;
|
||||
- allow $1 syslogd_t:unix_stream_socket connectto;
|
||||
- allow $1 self:unix_dgram_socket create_socket_perms;
|
||||
- allow $1 self:unix_stream_socket create_socket_perms;
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Connect to the syslog control unix stream socket.
|
||||
@ -40256,13 +40309,17 @@ index 4e9488463..5f5045ae1 100644
|
||||
+ gen_require(`
|
||||
+ type syslogd_t, syslogd_var_run_t;
|
||||
+ ')
|
||||
+
|
||||
|
||||
- # If syslog is down, the glibc syslog() function
|
||||
- # will write to the console.
|
||||
- term_write_console($1)
|
||||
- term_dontaudit_read_console($1)
|
||||
+ files_search_pids($1)
|
||||
+ stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -571,6 +718,25 @@ interface(`logging_read_audit_config',`
|
||||
@@ -571,6 +736,25 @@ interface(`logging_read_audit_config',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -40288,7 +40345,7 @@ index 4e9488463..5f5045ae1 100644
|
||||
## dontaudit search of auditd configuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -609,6 +775,25 @@ interface(`logging_read_syslog_config',`
|
||||
@@ -609,6 +793,25 @@ interface(`logging_read_syslog_config',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -40314,7 +40371,7 @@ index 4e9488463..5f5045ae1 100644
|
||||
## Allows the domain to open a file in the
|
||||
## log directory, but does not allow the listing
|
||||
## of the contents of the log directory.
|
||||
@@ -722,6 +907,25 @@ interface(`logging_setattr_all_log_dirs',`
|
||||
@@ -722,6 +925,25 @@ interface(`logging_setattr_all_log_dirs',`
|
||||
allow $1 logfile:dir setattr;
|
||||
')
|
||||
|
||||
@ -40340,7 +40397,7 @@ index 4e9488463..5f5045ae1 100644
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to get the attributes
|
||||
@@ -776,7 +980,25 @@ interface(`logging_append_all_logs',`
|
||||
@@ -776,7 +998,25 @@ interface(`logging_append_all_logs',`
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
@ -40367,7 +40424,7 @@ index 4e9488463..5f5045ae1 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -859,7 +1081,7 @@ interface(`logging_manage_all_logs',`
|
||||
@@ -859,7 +1099,7 @@ interface(`logging_manage_all_logs',`
|
||||
|
||||
files_search_var($1)
|
||||
manage_files_pattern($1, logfile, logfile)
|
||||
@ -40376,7 +40433,7 @@ index 4e9488463..5f5045ae1 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -880,11 +1102,69 @@ interface(`logging_read_generic_logs',`
|
||||
@@ -880,11 +1120,69 @@ interface(`logging_read_generic_logs',`
|
||||
|
||||
files_search_var($1)
|
||||
allow $1 var_log_t:dir list_dir_perms;
|
||||
@ -40446,7 +40503,7 @@ index 4e9488463..5f5045ae1 100644
|
||||
## Write generic log files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -905,6 +1185,24 @@ interface(`logging_write_generic_logs',`
|
||||
@@ -905,6 +1203,24 @@ interface(`logging_write_generic_logs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -40471,7 +40528,7 @@ index 4e9488463..5f5045ae1 100644
|
||||
## Dontaudit Write generic log files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -984,11 +1282,16 @@ interface(`logging_admin_audit',`
|
||||
@@ -984,11 +1300,16 @@ interface(`logging_admin_audit',`
|
||||
type auditd_t, auditd_etc_t, auditd_log_t;
|
||||
type auditd_var_run_t;
|
||||
type auditd_initrc_exec_t;
|
||||
@ -40489,7 +40546,7 @@ index 4e9488463..5f5045ae1 100644
|
||||
manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
|
||||
manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
|
||||
|
||||
@@ -1004,6 +1307,55 @@ interface(`logging_admin_audit',`
|
||||
@@ -1004,6 +1325,55 @@ interface(`logging_admin_audit',`
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 auditd_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
@ -40545,7 +40602,7 @@ index 4e9488463..5f5045ae1 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1032,10 +1384,15 @@ interface(`logging_admin_syslog',`
|
||||
@@ -1032,10 +1402,15 @@ interface(`logging_admin_syslog',`
|
||||
type syslogd_initrc_exec_t;
|
||||
')
|
||||
|
||||
@ -40563,7 +40620,7 @@ index 4e9488463..5f5045ae1 100644
|
||||
|
||||
manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
|
||||
manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
|
||||
@@ -1057,6 +1414,8 @@ interface(`logging_admin_syslog',`
|
||||
@@ -1057,6 +1432,8 @@ interface(`logging_admin_syslog',`
|
||||
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
|
||||
|
||||
logging_manage_all_logs($1)
|
||||
@ -40572,7 +40629,7 @@ index 4e9488463..5f5045ae1 100644
|
||||
|
||||
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
@@ -1085,3 +1444,110 @@ interface(`logging_admin',`
|
||||
@@ -1085,3 +1462,110 @@ interface(`logging_admin',`
|
||||
logging_admin_audit($1, $2)
|
||||
logging_admin_syslog($1, $2)
|
||||
')
|
||||
@ -46140,7 +46197,7 @@ index 2cea692c0..e3cb4f2ef 100644
|
||||
+ files_etc_filetrans($1, net_conf_t, file)
|
||||
+')
|
||||
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
|
||||
index a392fc4bc..41a5b082f 100644
|
||||
index a392fc4bc..95c64150b 100644
|
||||
--- a/policy/modules/system/sysnetwork.te
|
||||
+++ b/policy/modules/system/sysnetwork.te
|
||||
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4)
|
||||
@ -46385,7 +46442,7 @@ index a392fc4bc..41a5b082f 100644
|
||||
vmware_append_log(dhcpc_t)
|
||||
')
|
||||
|
||||
@@ -264,32 +322,72 @@ allow ifconfig_t self:msgq create_msgq_perms;
|
||||
@@ -264,32 +322,73 @@ allow ifconfig_t self:msgq create_msgq_perms;
|
||||
allow ifconfig_t self:msg { send receive };
|
||||
# Create UDP sockets, necessary when called from dhcpc
|
||||
allow ifconfig_t self:udp_socket create_socket_perms;
|
||||
@ -46451,6 +46508,7 @@ index a392fc4bc..41a5b082f 100644
|
||||
+files_read_usr_files(ifconfig_t)
|
||||
|
||||
fs_getattr_xattr_fs(ifconfig_t)
|
||||
+fs_unmount_xattr_fs(ifconfig_t)
|
||||
fs_search_auto_mountpoints(ifconfig_t)
|
||||
+fs_read_nsfs_files(ifconfig_t)
|
||||
+fs_mount_nsfs(ifconfig_t)
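Review bot: `fs_unmount_xattr_fs(ifconfig_t)` lets ifconfig_t unmount any fs_t-labelled persistent filesystem, which is far broader than the network-namespace handling that the neighbouring `fs_read_nsfs_files`/`fs_mount_nsfs` lines suggest, and the ifconfig_t rule block continues outside this hunk. If the denial behind the change came from `ip netns` detaching a namespace mount, an unmount interface scoped to that filesystem type — should filesystem.if provide one — would be the least-privilege fix; otherwise a comment above the rule recording the triggering operation, e.g. `# <command> detaches <mount>; unmount on fs_t observed in AVC` with the real values filled in, would let a later audit judge whether the rule can be narrowed. The link between this line and the nsfs rules is inferred from adjacency, not shown by the hunk, so confirm it against the original AVC before narrowing.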
|
||||
@ -46458,7 +46516,7 @@ index a392fc4bc..41a5b082f 100644
|
||||
|
||||
selinux_dontaudit_getattr_fs(ifconfig_t)
|
||||
|
||||
@@ -299,33 +397,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
|
||||
@@ -299,33 +398,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
|
||||
term_dontaudit_use_ptmx(ifconfig_t)
|
||||
term_dontaudit_use_generic_ptys(ifconfig_t)
|
||||
|
||||
@ -46516,7 +46574,7 @@ index a392fc4bc..41a5b082f 100644
|
||||
optional_policy(`
|
||||
dev_dontaudit_rw_cardmgr(ifconfig_t)
|
||||
')
|
||||
@@ -336,7 +452,11 @@ ifdef(`hide_broken_symptoms',`
|
||||
@@ -336,7 +453,11 @@ ifdef(`hide_broken_symptoms',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -46529,7 +46587,7 @@ index a392fc4bc..41a5b082f 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -350,7 +470,16 @@ optional_policy(`
|
||||
@@ -350,7 +471,16 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -46547,7 +46605,7 @@ index a392fc4bc..41a5b082f 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -371,3 +500,17 @@ optional_policy(`
|
||||
@@ -371,3 +501,17 @@ optional_policy(`
|
||||
xen_append_log(ifconfig_t)
|
||||
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
|
||||
')
|
||||
|
@ -40879,7 +40879,7 @@ index 1a354203e..8101022be 100644
|
||||
logging_search_logs($1)
|
||||
admin_pattern($1, iscsi_log_t)
|
||||
diff --git a/iscsi.te b/iscsi.te
|
||||
index ca020faa9..9c628b22e 100644
|
||||
index ca020faa9..c53375b3b 100644
|
||||
--- a/iscsi.te
|
||||
+++ b/iscsi.te
|
||||
@@ -5,12 +5,15 @@ policy_module(iscsi, 1.9.0)
|
||||
@ -40944,7 +40944,7 @@ index ca020faa9..9c628b22e 100644
|
||||
corenet_all_recvfrom_netlabel(iscsid_t)
|
||||
corenet_tcp_sendrecv_generic_if(iscsid_t)
|
||||
corenet_tcp_sendrecv_generic_node(iscsid_t)
|
||||
@@ -85,22 +90,38 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
|
||||
@@ -85,22 +90,40 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
|
||||
corenet_tcp_connect_isns_port(iscsid_t)
|
||||
corenet_tcp_sendrecv_isns_port(iscsid_t)
|
||||
|
||||
@ -40975,6 +40975,8 @@ index ca020faa9..9c628b22e 100644
|
||||
-miscfiles_read_localization(iscsid_t)
|
||||
+modutils_read_module_config(iscsid_t)
|
||||
+
|
||||
+mount_read_pid_files(iscsid_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ iscsi_systemctl(iscsid_t)
|
||||
+')
|
||||
@ -43238,10 +43240,10 @@ index 000000000..bd7e7fa17
|
||||
+')
|
||||
diff --git a/keepalived.te b/keepalived.te
|
||||
new file mode 100644
|
||||
index 000000000..04c46e714
|
||||
index 000000000..202ac2b59
|
||||
--- /dev/null
|
||||
+++ b/keepalived.te
|
||||
@@ -0,0 +1,95 @@
|
||||
@@ -0,0 +1,99 @@
|
||||
+policy_module(keepalived, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -43306,6 +43308,10 @@ index 000000000..04c46e714
|
||||
+logging_send_syslog_msg(keepalived_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ iptables_domtrans(keepalived_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ rhcs_signull_haproxy(keepalived_t)
|
||||
+')
|
||||
+
|
||||
@ -45304,7 +45310,7 @@ index 93a64bc50..af6d741d6 100644
|
||||
+ allow $1 ksmtuned_unit_file_t:service all_service_perms;
|
||||
')
|
||||
diff --git a/ksmtuned.te b/ksmtuned.te
|
||||
index 8eef134ac..a2ca1a009 100644
|
||||
index 8eef134ac..9636a5343 100644
|
||||
--- a/ksmtuned.te
|
||||
+++ b/ksmtuned.te
|
||||
@@ -5,10 +5,27 @@ policy_module(ksmtuned, 1.1.1)
|
||||
@ -45335,8 +45341,12 @@ index 8eef134ac..a2ca1a009 100644
|
||||
type ksmtuned_initrc_exec_t;
|
||||
init_script_file(ksmtuned_initrc_exec_t)
|
||||
|
||||
@@ -43,6 +60,7 @@ corecmd_exec_shell(ksmtuned_t)
|
||||
dev_rw_sysfs(ksmtuned_t)
|
||||
@@ -40,9 +57,10 @@ kernel_read_system_state(ksmtuned_t)
|
||||
corecmd_exec_bin(ksmtuned_t)
|
||||
corecmd_exec_shell(ksmtuned_t)
|
||||
|
||||
-dev_rw_sysfs(ksmtuned_t)
|
||||
+dev_manage_sysfs(ksmtuned_t)
|
||||
|
||||
domain_read_all_domains_state(ksmtuned_t)
|
||||
+domain_dontaudit_read_all_domains_state(ksmtuned_t)
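Review bot: `dev_manage_sysfs(ksmtuned_t)` replaces `dev_rw_sysfs` and adds create/unlink on sysfs_t files and directories for a tuning daemon that presumably only needs to read and write existing sysfs attributes, which the previous rule already allowed; nothing in the hunk records which operation needed the wider permission. The postgrey hunk further down has the same gap: `corecmd_exec_bin(postgrey_t)` replaces `corecmd_search_bin` and lets a network-facing policy daemon execute every bin_t binary without naming the helper it actually runs. In both places a one-line comment above the new rule naming the triggering binary or path (`# <binary> needs <operation> on <path>, see AVC` as a placeholder) would let a later review decide whether a narrower rule is possible. The ksmtuned local-policy block continues outside this hunk.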
|
||||
@ -62506,7 +62516,7 @@ index 8f2ab09f5..8ca8a6f26 100644
|
||||
+ allow $1 nscd_unit_file_t:service all_service_perms;
|
||||
')
|
||||
diff --git a/nscd.te b/nscd.te
|
||||
index bcd7d0a7d..0188086f9 100644
|
||||
index bcd7d0a7d..9b397fdd7 100644
|
||||
--- a/nscd.te
|
||||
+++ b/nscd.te
|
||||
@@ -4,33 +4,34 @@ gen_require(`
|
||||
@ -62554,7 +62564,7 @@ index bcd7d0a7d..0188086f9 100644
|
||||
type nscd_log_t;
|
||||
logging_log_file(nscd_log_t)
|
||||
|
||||
@@ -40,56 +41,58 @@ logging_log_file(nscd_log_t)
|
||||
@@ -40,56 +41,59 @@ logging_log_file(nscd_log_t)
|
||||
#
|
||||
|
||||
allow nscd_t self:capability { kill setgid setuid };
|
||||
@ -62590,6 +62600,7 @@ index bcd7d0a7d..0188086f9 100644
|
||||
-kernel_read_kernel_sysctls(nscd_t)
|
||||
kernel_read_network_state(nscd_t)
|
||||
+kernel_read_kernel_sysctls(nscd_t)
|
||||
+kernel_search_network_sysctl(nscd_t)
|
||||
+kernel_list_proc(nscd_t)
|
||||
kernel_read_proc_symlinks(nscd_t)
|
||||
|
||||
@ -62631,7 +62642,7 @@ index bcd7d0a7d..0188086f9 100644
|
||||
corenet_rw_tun_tap_dev(nscd_t)
|
||||
|
||||
selinux_get_fs_mount(nscd_t)
|
||||
@@ -98,16 +101,23 @@ selinux_compute_access_vector(nscd_t)
|
||||
@@ -98,16 +102,23 @@ selinux_compute_access_vector(nscd_t)
|
||||
selinux_compute_create_context(nscd_t)
|
||||
selinux_compute_relabel_context(nscd_t)
|
||||
selinux_compute_user_contexts(nscd_t)
|
||||
@ -62656,7 +62667,7 @@ index bcd7d0a7d..0188086f9 100644
|
||||
userdom_dontaudit_use_user_terminals(nscd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(nscd_t)
|
||||
userdom_dontaudit_search_user_home_dirs(nscd_t)
|
||||
@@ -121,13 +131,11 @@ optional_policy(`
|
||||
@@ -121,13 +132,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -62674,7 +62685,7 @@ index bcd7d0a7d..0188086f9 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -138,3 +146,20 @@ optional_policy(`
|
||||
@@ -138,3 +147,20 @@ optional_policy(`
|
||||
xen_dontaudit_rw_unix_stream_sockets(nscd_t)
|
||||
xen_append_log(nscd_t)
|
||||
')
|
||||
@ -77578,7 +77589,7 @@ index b9e71b537..a7502cd0e 100644
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 postgrey_initrc_exec_t system_r;
|
||||
diff --git a/postgrey.te b/postgrey.te
|
||||
index fd58805e5..2ff8a1e4c 100644
|
||||
index fd58805e5..248d22985 100644
|
||||
--- a/postgrey.te
|
||||
+++ b/postgrey.te
|
||||
@@ -16,7 +16,7 @@ type postgrey_initrc_exec_t;
|
||||
@ -77599,15 +77610,20 @@ index fd58805e5..2ff8a1e4c 100644
|
||||
dontaudit postgrey_t self:capability sys_tty_config;
|
||||
allow postgrey_t self:process signal_perms;
|
||||
allow postgrey_t self:fifo_file create_fifo_file_perms;
|
||||
@@ -57,7 +57,6 @@ kernel_read_kernel_sysctls(postgrey_t)
|
||||
@@ -55,9 +55,10 @@ files_pid_filetrans(postgrey_t, postgrey_var_run_t, { dir file sock_file })
|
||||
kernel_read_system_state(postgrey_t)
|
||||
kernel_read_kernel_sysctls(postgrey_t)
|
||||
|
||||
corecmd_search_bin(postgrey_t)
|
||||
-corecmd_search_bin(postgrey_t)
|
||||
+auth_use_nsswitch(postgrey_t)
|
||||
+
|
||||
+corecmd_exec_bin(postgrey_t)
|
||||
|
||||
-corenet_all_recvfrom_unlabeled(postgrey_t)
|
||||
corenet_all_recvfrom_netlabel(postgrey_t)
|
||||
corenet_tcp_sendrecv_generic_if(postgrey_t)
|
||||
corenet_tcp_sendrecv_generic_node(postgrey_t)
|
||||
@@ -72,17 +71,15 @@ dev_read_sysfs(postgrey_t)
|
||||
@@ -72,17 +73,15 @@ dev_read_sysfs(postgrey_t)
|
||||
|
||||
domain_use_interactive_fds(postgrey_t)
|
||||
|
||||
@ -94704,7 +94720,7 @@ index 7ad29c046..2e87d76b4 100644
|
||||
domtrans_pattern($1, rshd_exec_t, rshd_t)
|
||||
')
|
||||
diff --git a/rshd.te b/rshd.te
|
||||
index 864e089a0..a28dccd64 100644
|
||||
index 864e089a0..f919bc537 100644
|
||||
--- a/rshd.te
|
||||
+++ b/rshd.te
|
||||
@@ -4,11 +4,12 @@ policy_module(rshd, 1.8.1)
|
||||
@ -94722,7 +94738,7 @@ index 864e089a0..a28dccd64 100644
|
||||
|
||||
type rshd_keytab_t;
|
||||
files_type(rshd_keytab_t)
|
||||
@@ -17,9 +18,8 @@ files_type(rshd_keytab_t)
|
||||
@@ -17,51 +18,66 @@ files_type(rshd_keytab_t)
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
@ -94734,9 +94750,10 @@ index 864e089a0..a28dccd64 100644
|
||||
allow rshd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow rshd_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
@@ -27,41 +27,56 @@ allow rshd_t rshd_keytab_t:file read_file_perms;
|
||||
allow rshd_t rshd_keytab_t:file read_file_perms;
|
||||
|
||||
kernel_read_kernel_sysctls(rshd_t)
|
||||
+kernel_read_net_sysctls(rshd_t)
|
||||
|
||||
-corenet_all_recvfrom_unlabeled(rshd_t)
|
||||
corenet_all_recvfrom_netlabel(rshd_t)
|
||||
|
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 273%{?dist}
|
||||
Release: 274%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -681,6 +681,17 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Aug 23 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-274
|
||||
- Allow postgrey to execute bin_t files and add postgrey into nsswitch_domain
|
||||
- Allow nscd_t domain to search network sysctls
|
||||
- Allow iscsid_t domain to read mount pid files
|
||||
- Allow ksmtuned_t domain manage sysfs_t files/dirs
|
||||
- Allow keepalived_t domain domtrans into iptables_t
|
||||
- Allow rshd_t domain reads net sysctls
|
||||
- Allow systemd to create syslog netlink audit socket
|
||||
- Allow ifconfig_t domain unmount fs_t
|
||||
- Label /dev/gpiochip* devices as gpio_device_t
|
||||
|
||||
* Tue Aug 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-273
|
||||
- Allow dirsrv_t domain use mmap on files labeled as dirsrv_var_run_t BZ(1483170)
|
||||
- Allow just map permission insead of using mmap_file_pattern because mmap_files_pattern allows also executing objects.
|
||||
|