* Tue Aug 23 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-210
- Add few interfaces to cloudform.if file - Label /var/run/corosync-qnetd and /var/run/corosync-qdevice as cluster_var_run_t. Note: corosync policy is now par of rhcs module - Allow krb5kdc_t to read krb4kdc_conf_t dirs. - Update networkmanager_filetrans_named_content() interface to allow source domain to create also temad dir in /var/run. - Make confined users working again - Fix hypervkvp module - Allow ipmievd domain to create lock files in /var/lock/subsys/ - Update policy for ipmievd daemon. Contain: Allowing reading sysfs, passwd,kernel modules Execuring bin_t,insmod_t - A new version of cloud-init that supports the effort to provision RHEL Atomic on Microsoft Azure requires some a new rules that allows dhclient/dhclient hooks to call cloud-init. - Allow systemd to stop systemd-machined daemon. This allows stop virtual machines. - Label /usr/libexec/iptables/iptables.init as iptables_exec_t Allow iptables creating lock file in /var/lock/subsys/
This commit is contained in:
Lukas Vrabec
parent
6140a0daa8
commit
ba0eef5c75
Binary file not shown.
|
|
@ -37342,7 +37342,7 @@ index 79a45f6..d092e6e 100644
|
|||
+ allow $1 init_var_lib_t:dir search_dir_perms;
|
||||
+')
|
||||
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
||||
index 17eda24..5bee7df 100644
|
||||
index 17eda24..01ef803 100644
|
||||
--- a/policy/modules/system/init.te
|
||||
+++ b/policy/modules/system/init.te
|
||||
@@ -11,10 +11,31 @@ gen_require(`
|
||||
|
|
@ -37570,11 +37570,13 @@ index 17eda24..5bee7df 100644
|
|||
# file descriptors inherited from the rootfs:
|
||||
files_dontaudit_rw_root_files(init_t)
|
||||
files_dontaudit_rw_root_chr_files(init_t)
|
||||
@@ -155,29 +259,68 @@ fs_list_inotifyfs(init_t)
|
||||
@@ -155,29 +259,70 @@ fs_list_inotifyfs(init_t)
|
||||
# cjp: this may be related to /dev/log
|
||||
fs_write_ramfs_sockets(init_t)
|
||||
|
||||
+fs_read_efivarfs_files(init_t)
|
||||
+
|
||||
+fstools_getattr_swap_files(init_t)
|
||||
+
|
||||
mcs_process_set_categories(init_t)
|
||||
-mcs_killall(init_t)
|
||||
|
|
@ -37630,12 +37632,12 @@ index 17eda24..5bee7df 100644
|
|||
+
|
||||
+miscfiles_manage_localization(init_t)
|
||||
+miscfiles_filetrans_named_content(init_t)
|
||||
+
|
||||
|
||||
-miscfiles_read_localization(init_t)
|
||||
+userdom_use_user_ttys(init_t)
|
||||
+userdom_manage_tmp_dirs(init_t)
|
||||
+userdom_manage_tmp_sockets(init_t)
|
||||
|
||||
-miscfiles_read_localization(init_t)
|
||||
+
|
||||
+userdom_transition_login_userdomain(init_t)
|
||||
+userdom_noatsecure_login_userdomain(init_t)
|
||||
+userdom_sigchld_login_userdomain(init_t)
|
||||
|
|
@ -37644,7 +37646,7 @@ index 17eda24..5bee7df 100644
|
|||
|
||||
ifdef(`distro_gentoo',`
|
||||
allow init_t self:process { getcap setcap };
|
||||
@@ -186,29 +329,264 @@ ifdef(`distro_gentoo',`
|
||||
@@ -186,29 +331,264 @@ ifdef(`distro_gentoo',`
|
||||
')
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
|
|
@ -37918,7 +37920,7 @@ index 17eda24..5bee7df 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -216,7 +594,30 @@ optional_policy(`
|
||||
@@ -216,7 +596,30 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -37950,7 +37952,7 @@ index 17eda24..5bee7df 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -225,9 +626,9 @@ optional_policy(`
|
||||
@@ -225,9 +628,9 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
|
||||
|
|
@ -37962,7 +37964,7 @@ index 17eda24..5bee7df 100644
|
|||
allow initrc_t self:passwd rootok;
|
||||
allow initrc_t self:key manage_key_perms;
|
||||
|
||||
@@ -258,12 +659,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
||||
@@ -258,12 +661,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
||||
|
||||
allow initrc_t initrc_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
|
||||
|
|
@ -37979,7 +37981,7 @@ index 17eda24..5bee7df 100644
|
|||
|
||||
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
|
||||
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
|
||||
@@ -279,23 +684,36 @@ kernel_change_ring_buffer_level(initrc_t)
|
||||
@@ -279,23 +686,36 @@ kernel_change_ring_buffer_level(initrc_t)
|
||||
kernel_clear_ring_buffer(initrc_t)
|
||||
kernel_get_sysvipc_info(initrc_t)
|
||||
kernel_read_all_sysctls(initrc_t)
|
||||
|
|
@ -38022,7 +38024,7 @@ index 17eda24..5bee7df 100644
|
|||
corenet_tcp_sendrecv_all_ports(initrc_t)
|
||||
corenet_udp_sendrecv_all_ports(initrc_t)
|
||||
corenet_tcp_connect_all_ports(initrc_t)
|
||||
@@ -303,9 +721,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
|
||||
@@ -303,9 +723,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
|
||||
|
||||
dev_read_rand(initrc_t)
|
||||
dev_read_urand(initrc_t)
|
||||
|
|
@ -38034,7 +38036,7 @@ index 17eda24..5bee7df 100644
|
|||
dev_rw_sysfs(initrc_t)
|
||||
dev_list_usbfs(initrc_t)
|
||||
dev_read_framebuffer(initrc_t)
|
||||
@@ -313,8 +733,10 @@ dev_write_framebuffer(initrc_t)
|
||||
@@ -313,8 +735,10 @@ dev_write_framebuffer(initrc_t)
|
||||
dev_read_realtime_clock(initrc_t)
|
||||
dev_read_sound_mixer(initrc_t)
|
||||
dev_write_sound_mixer(initrc_t)
|
||||
|
|
@ -38045,7 +38047,7 @@ index 17eda24..5bee7df 100644
|
|||
dev_delete_lvm_control_dev(initrc_t)
|
||||
dev_manage_generic_symlinks(initrc_t)
|
||||
dev_manage_generic_files(initrc_t)
|
||||
@@ -322,8 +744,7 @@ dev_manage_generic_files(initrc_t)
|
||||
@@ -322,8 +746,7 @@ dev_manage_generic_files(initrc_t)
|
||||
dev_delete_generic_symlinks(initrc_t)
|
||||
dev_getattr_all_blk_files(initrc_t)
|
||||
dev_getattr_all_chr_files(initrc_t)
|
||||
|
|
@ -38055,7 +38057,7 @@ index 17eda24..5bee7df 100644
|
|||
|
||||
domain_kill_all_domains(initrc_t)
|
||||
domain_signal_all_domains(initrc_t)
|
||||
@@ -332,7 +753,6 @@ domain_sigstop_all_domains(initrc_t)
|
||||
@@ -332,7 +755,6 @@ domain_sigstop_all_domains(initrc_t)
|
||||
domain_sigchld_all_domains(initrc_t)
|
||||
domain_read_all_domains_state(initrc_t)
|
||||
domain_getattr_all_domains(initrc_t)
|
||||
|
|
@ -38063,7 +38065,7 @@ index 17eda24..5bee7df 100644
|
|||
domain_getsession_all_domains(initrc_t)
|
||||
domain_use_interactive_fds(initrc_t)
|
||||
# for lsof which is used by alsa shutdown:
|
||||
@@ -340,6 +760,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
|
||||
@@ -340,6 +762,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
|
||||
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
|
||||
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
|
||||
domain_dontaudit_getattr_all_pipes(initrc_t)
|
||||
|
|
@ -38071,7 +38073,7 @@ index 17eda24..5bee7df 100644
|
|||
|
||||
files_getattr_all_dirs(initrc_t)
|
||||
files_getattr_all_files(initrc_t)
|
||||
@@ -347,14 +768,15 @@ files_getattr_all_symlinks(initrc_t)
|
||||
@@ -347,14 +770,15 @@ files_getattr_all_symlinks(initrc_t)
|
||||
files_getattr_all_pipes(initrc_t)
|
||||
files_getattr_all_sockets(initrc_t)
|
||||
files_purge_tmp(initrc_t)
|
||||
|
|
@ -38089,7 +38091,7 @@ index 17eda24..5bee7df 100644
|
|||
files_read_usr_files(initrc_t)
|
||||
files_manage_urandom_seed(initrc_t)
|
||||
files_manage_generic_spool(initrc_t)
|
||||
@@ -364,8 +786,12 @@ files_list_isid_type_dirs(initrc_t)
|
||||
@@ -364,8 +788,12 @@ files_list_isid_type_dirs(initrc_t)
|
||||
files_mounton_isid_type_dirs(initrc_t)
|
||||
files_list_default(initrc_t)
|
||||
files_mounton_default(initrc_t)
|
||||
|
|
@ -38103,7 +38105,7 @@ index 17eda24..5bee7df 100644
|
|||
fs_list_inotifyfs(initrc_t)
|
||||
fs_register_binary_executable_type(initrc_t)
|
||||
# rhgb-console writes to ramfs
|
||||
@@ -375,10 +801,11 @@ fs_mount_all_fs(initrc_t)
|
||||
@@ -375,10 +803,11 @@ fs_mount_all_fs(initrc_t)
|
||||
fs_unmount_all_fs(initrc_t)
|
||||
fs_remount_all_fs(initrc_t)
|
||||
fs_getattr_all_fs(initrc_t)
|
||||
|
|
@ -38117,7 +38119,7 @@ index 17eda24..5bee7df 100644
|
|||
mcs_process_set_categories(initrc_t)
|
||||
|
||||
mls_file_read_all_levels(initrc_t)
|
||||
@@ -387,8 +814,10 @@ mls_process_read_up(initrc_t)
|
||||
@@ -387,8 +816,10 @@ mls_process_read_up(initrc_t)
|
||||
mls_process_write_down(initrc_t)
|
||||
mls_rangetrans_source(initrc_t)
|
||||
mls_fd_share_all_levels(initrc_t)
|
||||
|
|
@ -38128,7 +38130,7 @@ index 17eda24..5bee7df 100644
|
|||
|
||||
storage_getattr_fixed_disk_dev(initrc_t)
|
||||
storage_setattr_fixed_disk_dev(initrc_t)
|
||||
@@ -398,6 +827,7 @@ term_use_all_terms(initrc_t)
|
||||
@@ -398,6 +829,7 @@ term_use_all_terms(initrc_t)
|
||||
term_reset_tty_labels(initrc_t)
|
||||
|
||||
auth_rw_login_records(initrc_t)
|
||||
|
|
@ -38136,7 +38138,7 @@ index 17eda24..5bee7df 100644
|
|||
auth_setattr_login_records(initrc_t)
|
||||
auth_rw_lastlog(initrc_t)
|
||||
auth_read_pam_pid(initrc_t)
|
||||
@@ -416,20 +846,18 @@ logging_read_all_logs(initrc_t)
|
||||
@@ -416,20 +848,18 @@ logging_read_all_logs(initrc_t)
|
||||
logging_append_all_logs(initrc_t)
|
||||
logging_read_audit_config(initrc_t)
|
||||
|
||||
|
|
@ -38160,7 +38162,7 @@ index 17eda24..5bee7df 100644
|
|||
|
||||
ifdef(`distro_debian',`
|
||||
dev_setattr_generic_dirs(initrc_t)
|
||||
@@ -451,7 +879,6 @@ ifdef(`distro_gentoo',`
|
||||
@@ -451,7 +881,6 @@ ifdef(`distro_gentoo',`
|
||||
allow initrc_t self:process setfscreate;
|
||||
dev_create_null_dev(initrc_t)
|
||||
dev_create_zero_dev(initrc_t)
|
||||
|
|
@ -38168,7 +38170,7 @@ index 17eda24..5bee7df 100644
|
|||
term_create_console_dev(initrc_t)
|
||||
|
||||
# unfortunately /sbin/rc does stupid tricks
|
||||
@@ -486,6 +913,10 @@ ifdef(`distro_gentoo',`
|
||||
@@ -486,6 +915,10 @@ ifdef(`distro_gentoo',`
|
||||
sysnet_setattr_config(initrc_t)
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38179,7 +38181,7 @@ index 17eda24..5bee7df 100644
|
|||
alsa_read_lib(initrc_t)
|
||||
')
|
||||
|
||||
@@ -506,7 +937,7 @@ ifdef(`distro_redhat',`
|
||||
@@ -506,7 +939,7 @@ ifdef(`distro_redhat',`
|
||||
|
||||
# Red Hat systems seem to have a stray
|
||||
# fd open from the initrd
|
||||
|
|
@ -38188,7 +38190,7 @@ index 17eda24..5bee7df 100644
|
|||
files_dontaudit_read_root_files(initrc_t)
|
||||
|
||||
# These seem to be from the initrd
|
||||
@@ -521,6 +952,7 @@ ifdef(`distro_redhat',`
|
||||
@@ -521,6 +954,7 @@ ifdef(`distro_redhat',`
|
||||
files_create_boot_dirs(initrc_t)
|
||||
files_create_boot_flag(initrc_t)
|
||||
files_rw_boot_symlinks(initrc_t)
|
||||
|
|
@ -38196,7 +38198,7 @@ index 17eda24..5bee7df 100644
|
|||
# wants to read /.fonts directory
|
||||
files_read_default_files(initrc_t)
|
||||
files_mountpoint(initrc_tmp_t)
|
||||
@@ -541,6 +973,7 @@ ifdef(`distro_redhat',`
|
||||
@@ -541,6 +975,7 @@ ifdef(`distro_redhat',`
|
||||
miscfiles_rw_localization(initrc_t)
|
||||
miscfiles_setattr_localization(initrc_t)
|
||||
miscfiles_relabel_localization(initrc_t)
|
||||
|
|
@ -38204,7 +38206,7 @@ index 17eda24..5bee7df 100644
|
|||
|
||||
miscfiles_read_fonts(initrc_t)
|
||||
miscfiles_read_hwdata(initrc_t)
|
||||
@@ -550,8 +983,44 @@ ifdef(`distro_redhat',`
|
||||
@@ -550,8 +985,44 @@ ifdef(`distro_redhat',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38249,7 +38251,7 @@ index 17eda24..5bee7df 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -559,14 +1028,31 @@ ifdef(`distro_redhat',`
|
||||
@@ -559,14 +1030,31 @@ ifdef(`distro_redhat',`
|
||||
rpc_write_exports(initrc_t)
|
||||
rpc_manage_nfs_state_data(initrc_t)
|
||||
')
|
||||
|
|
@ -38281,7 +38283,7 @@ index 17eda24..5bee7df 100644
|
|||
')
|
||||
')
|
||||
|
||||
@@ -577,6 +1063,39 @@ ifdef(`distro_suse',`
|
||||
@@ -577,6 +1065,39 @@ ifdef(`distro_suse',`
|
||||
')
|
||||
')
|
||||
|
||||
|
|
@ -38321,7 +38323,7 @@ index 17eda24..5bee7df 100644
|
|||
optional_policy(`
|
||||
amavis_search_lib(initrc_t)
|
||||
amavis_setattr_pid_files(initrc_t)
|
||||
@@ -589,6 +1108,8 @@ optional_policy(`
|
||||
@@ -589,6 +1110,8 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
apache_read_config(initrc_t)
|
||||
apache_list_modules(initrc_t)
|
||||
|
|
@ -38330,7 +38332,7 @@ index 17eda24..5bee7df 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -610,6 +1131,7 @@ optional_policy(`
|
||||
@@ -610,6 +1133,7 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
cgroup_stream_connect_cgred(initrc_t)
|
||||
|
|
@ -38338,7 +38340,7 @@ index 17eda24..5bee7df 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -626,6 +1148,17 @@ optional_policy(`
|
||||
@@ -626,6 +1150,17 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38356,7 +38358,7 @@ index 17eda24..5bee7df 100644
|
|||
dev_getattr_printer_dev(initrc_t)
|
||||
|
||||
cups_read_log(initrc_t)
|
||||
@@ -642,9 +1175,13 @@ optional_policy(`
|
||||
@@ -642,9 +1177,13 @@ optional_policy(`
|
||||
dbus_connect_system_bus(initrc_t)
|
||||
dbus_system_bus_client(initrc_t)
|
||||
dbus_read_config(initrc_t)
|
||||
|
|
@ -38370,7 +38372,7 @@ index 17eda24..5bee7df 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -657,15 +1194,11 @@ optional_policy(`
|
||||
@@ -657,15 +1196,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38388,7 +38390,7 @@ index 17eda24..5bee7df 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -686,6 +1219,15 @@ optional_policy(`
|
||||
@@ -686,6 +1221,15 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38404,7 +38406,7 @@ index 17eda24..5bee7df 100644
|
|||
inn_exec_config(initrc_t)
|
||||
')
|
||||
|
||||
@@ -726,6 +1268,7 @@ optional_policy(`
|
||||
@@ -726,6 +1270,7 @@ optional_policy(`
|
||||
lpd_list_spool(initrc_t)
|
||||
|
||||
lpd_read_config(initrc_t)
|
||||
|
|
@ -38412,7 +38414,7 @@ index 17eda24..5bee7df 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -743,7 +1286,13 @@ optional_policy(`
|
||||
@@ -743,7 +1288,13 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38427,7 +38429,7 @@ index 17eda24..5bee7df 100644
|
|||
mta_dontaudit_read_spool_symlinks(initrc_t)
|
||||
')
|
||||
|
||||
@@ -766,6 +1315,10 @@ optional_policy(`
|
||||
@@ -766,6 +1317,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38438,7 +38440,7 @@ index 17eda24..5bee7df 100644
|
|||
postgresql_manage_db(initrc_t)
|
||||
postgresql_read_config(initrc_t)
|
||||
')
|
||||
@@ -775,10 +1328,20 @@ optional_policy(`
|
||||
@@ -775,10 +1330,20 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38459,7 +38461,7 @@ index 17eda24..5bee7df 100644
|
|||
quota_manage_flags(initrc_t)
|
||||
')
|
||||
|
||||
@@ -787,6 +1350,10 @@ optional_policy(`
|
||||
@@ -787,6 +1352,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38470,7 +38472,7 @@ index 17eda24..5bee7df 100644
|
|||
fs_write_ramfs_sockets(initrc_t)
|
||||
fs_search_ramfs(initrc_t)
|
||||
|
||||
@@ -808,8 +1375,6 @@ optional_policy(`
|
||||
@@ -808,8 +1377,6 @@ optional_policy(`
|
||||
# bash tries ioctl for some reason
|
||||
files_dontaudit_ioctl_all_pids(initrc_t)
|
||||
|
||||
|
|
@ -38479,7 +38481,7 @@ index 17eda24..5bee7df 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -818,6 +1383,10 @@ optional_policy(`
|
||||
@@ -818,6 +1385,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38490,7 +38492,7 @@ index 17eda24..5bee7df 100644
|
|||
# shorewall-init script run /var/lib/shorewall/firewall
|
||||
shorewall_lib_domtrans(initrc_t)
|
||||
')
|
||||
@@ -827,10 +1396,12 @@ optional_policy(`
|
||||
@@ -827,10 +1398,12 @@ optional_policy(`
|
||||
squid_manage_logs(initrc_t)
|
||||
')
|
||||
|
||||
|
|
@ -38503,7 +38505,7 @@ index 17eda24..5bee7df 100644
|
|||
|
||||
optional_policy(`
|
||||
ssh_dontaudit_read_server_keys(initrc_t)
|
||||
@@ -857,21 +1428,62 @@ optional_policy(`
|
||||
@@ -857,21 +1430,62 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38567,7 +38569,7 @@ index 17eda24..5bee7df 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -887,6 +1499,10 @@ optional_policy(`
|
||||
@@ -887,6 +1501,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38578,7 +38580,7 @@ index 17eda24..5bee7df 100644
|
|||
# Set device ownerships/modes.
|
||||
xserver_setattr_console_pipes(initrc_t)
|
||||
|
||||
@@ -897,3 +1513,218 @@ optional_policy(`
|
||||
@@ -897,3 +1515,218 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
zebra_read_config(initrc_t)
|
||||
')
|
||||
|
|
@ -39441,10 +39443,10 @@ index 312cd04..102b975 100644
|
|||
+userdom_use_inherited_user_terminals(setkey_t)
|
||||
+userdom_read_user_tmp_files(setkey_t)
|
||||
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
|
||||
index 73a1c4e..a143623 100644
|
||||
index 73a1c4e..63c7fc0 100644
|
||||
--- a/policy/modules/system/iptables.fc
|
||||
+++ b/policy/modules/system/iptables.fc
|
||||
@@ -1,22 +1,45 @@
|
||||
@@ -1,22 +1,48 @@
|
||||
/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
|
||||
-/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
|
||||
-/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
|
||||
|
|
@ -39458,6 +39460,7 @@ index 73a1c4e..a143623 100644
|
|||
+/usr/lib/systemd/system/ip6tables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
|
||||
+/usr/lib/systemd/system/ipset.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
|
||||
+
|
||||
+/usr/libexec/iptables/iptables.init -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
+
|
||||
+/usr/libexec/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
+
|
||||
|
|
@ -39505,6 +39508,8 @@ index 73a1c4e..a143623 100644
|
|||
+
|
||||
+/var/lib/ebtables(/.*)? gen_context(system_u:object_r:iptables_var_lib_t,s0)
|
||||
+
|
||||
+/var/lock/subsys/iptables -- gen_context(system_u:object_r:iptables_lock_t,s0)
|
||||
+
|
||||
+/var/run/xtables.* -- gen_context(system_u:object_r:iptables_var_run_t,s0)
|
||||
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
|
||||
index c42fbc3..bf211db 100644
|
||||
|
|
@ -39575,10 +39580,10 @@ index c42fbc3..bf211db 100644
|
|||
+ files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock")
|
||||
+')
|
||||
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
|
||||
index be8ed1e..fa11d0f 100644
|
||||
index be8ed1e..218750e 100644
|
||||
--- a/policy/modules/system/iptables.te
|
||||
+++ b/policy/modules/system/iptables.te
|
||||
@@ -16,15 +16,18 @@ role iptables_roles types iptables_t;
|
||||
@@ -16,15 +16,21 @@ role iptables_roles types iptables_t;
|
||||
type iptables_initrc_exec_t;
|
||||
init_script_file(iptables_initrc_exec_t)
|
||||
|
||||
|
|
@ -39594,13 +39599,16 @@ index be8ed1e..fa11d0f 100644
|
|||
+type iptables_var_lib_t;
|
||||
+files_pid_file(iptables_var_lib_t)
|
||||
+
|
||||
+type iptables_lock_t;
|
||||
+files_lock_file(iptables_lock_t)
|
||||
+
|
||||
+type iptables_unit_file_t;
|
||||
+systemd_unit_file(iptables_unit_file_t)
|
||||
+
|
||||
########################################
|
||||
#
|
||||
# Iptables local policy
|
||||
@@ -35,25 +38,33 @@ dontaudit iptables_t self:capability sys_tty_config;
|
||||
@@ -35,25 +41,36 @@ dontaudit iptables_t self:capability sys_tty_config;
|
||||
allow iptables_t self:fifo_file rw_fifo_file_perms;
|
||||
allow iptables_t self:process { sigchld sigkill sigstop signull signal };
|
||||
allow iptables_t self:netlink_socket create_socket_perms;
|
||||
|
|
@ -39623,6 +39631,9 @@ index be8ed1e..fa11d0f 100644
|
|||
+
|
||||
can_exec(iptables_t, iptables_exec_t)
|
||||
|
||||
+manage_files_pattern(iptables_t, iptables_lock_t, iptables_lock_t)
|
||||
+files_lock_filetrans(iptables_t, iptables_lock_t, file)
|
||||
+
|
||||
allow iptables_t iptables_tmp_t:dir manage_dir_perms;
|
||||
allow iptables_t iptables_tmp_t:file manage_file_perms;
|
||||
files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
|
||||
|
|
@ -39637,7 +39648,7 @@ index be8ed1e..fa11d0f 100644
|
|||
kernel_use_fds(iptables_t)
|
||||
|
||||
# needed by ipvsadm
|
||||
@@ -64,19 +75,23 @@ corenet_relabelto_all_packets(iptables_t)
|
||||
@@ -64,19 +81,23 @@ corenet_relabelto_all_packets(iptables_t)
|
||||
corenet_dontaudit_rw_tun_tap_dev(iptables_t)
|
||||
|
||||
dev_read_sysfs(iptables_t)
|
||||
|
|
@ -39663,7 +39674,7 @@ index be8ed1e..fa11d0f 100644
|
|||
|
||||
auth_use_nsswitch(iptables_t)
|
||||
|
||||
@@ -85,15 +100,14 @@ init_use_script_ptys(iptables_t)
|
||||
@@ -85,15 +106,14 @@ init_use_script_ptys(iptables_t)
|
||||
# to allow rules to be saved on reboot:
|
||||
init_rw_script_tmp_files(iptables_t)
|
||||
init_rw_script_stream_sockets(iptables_t)
|
||||
|
|
@ -39681,7 +39692,7 @@ index be8ed1e..fa11d0f 100644
|
|||
userdom_use_all_users_fds(iptables_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
@@ -102,6 +116,9 @@ ifdef(`hide_broken_symptoms',`
|
||||
@@ -102,6 +122,9 @@ ifdef(`hide_broken_symptoms',`
|
||||
|
||||
optional_policy(`
|
||||
fail2ban_append_log(iptables_t)
|
||||
|
|
@ -39691,7 +39702,7 @@ index be8ed1e..fa11d0f 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -110,6 +127,13 @@ optional_policy(`
|
||||
@@ -110,6 +133,13 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -39705,7 +39716,7 @@ index be8ed1e..fa11d0f 100644
|
|||
modutils_run_insmod(iptables_t, iptables_roles)
|
||||
')
|
||||
|
||||
@@ -124,6 +148,16 @@ optional_policy(`
|
||||
@@ -124,6 +154,16 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
psad_rw_tmp_files(iptables_t)
|
||||
|
|
@ -39722,7 +39733,7 @@ index be8ed1e..fa11d0f 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -135,9 +169,9 @@ optional_policy(`
|
||||
@@ -135,9 +175,9 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -46677,7 +46688,7 @@ index 2cea692..8edb742 100644
|
|||
+ files_etc_filetrans($1, net_conf_t, file)
|
||||
+')
|
||||
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
|
||||
index a392fc4..79fadfc 100644
|
||||
index a392fc4..de79419 100644
|
||||
--- a/policy/modules/system/sysnetwork.te
|
||||
+++ b/policy/modules/system/sysnetwork.te
|
||||
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4)
|
||||
|
|
@ -46802,7 +46813,7 @@ index a392fc4..79fadfc 100644
|
|||
|
||||
fs_getattr_all_fs(dhcpc_t)
|
||||
fs_search_auto_mountpoints(dhcpc_t)
|
||||
@@ -137,11 +157,15 @@ term_dontaudit_use_all_ptys(dhcpc_t)
|
||||
@@ -137,11 +157,17 @@ term_dontaudit_use_all_ptys(dhcpc_t)
|
||||
term_dontaudit_use_unallocated_ttys(dhcpc_t)
|
||||
term_dontaudit_use_generic_ptys(dhcpc_t)
|
||||
|
||||
|
|
@ -46811,6 +46822,8 @@ index a392fc4..79fadfc 100644
|
|||
init_rw_utmp(dhcpc_t)
|
||||
+init_stream_connect(dhcpc_t)
|
||||
+init_stream_send(dhcpc_t)
|
||||
+
|
||||
+libs_exec_ldconfig(dhcpc_t)
|
||||
|
||||
logging_send_syslog_msg(dhcpc_t)
|
||||
|
||||
|
|
@ -46819,7 +46832,7 @@ index a392fc4..79fadfc 100644
|
|||
|
||||
modutils_run_insmod(dhcpc_t, dhcpc_roles)
|
||||
|
||||
@@ -161,7 +185,15 @@ ifdef(`distro_ubuntu',`
|
||||
@@ -161,7 +187,21 @@ ifdef(`distro_ubuntu',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -46831,12 +46844,18 @@ index a392fc4..79fadfc 100644
|
|||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ cloudform_init_domtrans(dhcpc_t)
|
||||
+ cloudform_read_var_lib_files(dhcpc_t)
|
||||
+ cloudform_read_var_lib_lnk_files(dhcpc_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ devicekit_dontaudit_rw_log(dhcpc_t)
|
||||
+ devicekit_dontaudit_read_pid_files(dhcpc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -179,10 +211,6 @@ optional_policy(`
|
||||
@@ -179,10 +219,6 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -46847,7 +46866,7 @@ index a392fc4..79fadfc 100644
|
|||
hotplug_getattr_config_dirs(dhcpc_t)
|
||||
hotplug_search_config(dhcpc_t)
|
||||
|
||||
@@ -195,23 +223,31 @@ optional_policy(`
|
||||
@@ -195,23 +231,31 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
netutils_run_ping(dhcpc_t, dhcpc_roles)
|
||||
netutils_run(dhcpc_t, dhcpc_roles)
|
||||
|
|
@ -46882,7 +46901,7 @@ index a392fc4..79fadfc 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -221,7 +257,16 @@ optional_policy(`
|
||||
@@ -221,7 +265,16 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(dhcpc_t)
|
||||
|
|
@ -46900,7 +46919,7 @@ index a392fc4..79fadfc 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -233,6 +278,10 @@ optional_policy(`
|
||||
@@ -233,6 +286,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -46911,7 +46930,7 @@ index a392fc4..79fadfc 100644
|
|||
vmware_append_log(dhcpc_t)
|
||||
')
|
||||
|
||||
@@ -264,29 +313,66 @@ allow ifconfig_t self:msgq create_msgq_perms;
|
||||
@@ -264,29 +321,66 @@ allow ifconfig_t self:msgq create_msgq_perms;
|
||||
allow ifconfig_t self:msg { send receive };
|
||||
# Create UDP sockets, necessary when called from dhcpc
|
||||
allow ifconfig_t self:udp_socket create_socket_perms;
|
||||
|
|
@ -46978,7 +46997,7 @@ index a392fc4..79fadfc 100644
|
|||
|
||||
fs_getattr_xattr_fs(ifconfig_t)
|
||||
fs_search_auto_mountpoints(ifconfig_t)
|
||||
@@ -299,33 +385,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
|
||||
@@ -299,33 +393,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
|
||||
term_dontaudit_use_ptmx(ifconfig_t)
|
||||
term_dontaudit_use_generic_ptys(ifconfig_t)
|
||||
|
||||
|
|
@ -47036,7 +47055,7 @@ index a392fc4..79fadfc 100644
|
|||
optional_policy(`
|
||||
dev_dontaudit_rw_cardmgr(ifconfig_t)
|
||||
')
|
||||
@@ -336,7 +440,11 @@ ifdef(`hide_broken_symptoms',`
|
||||
@@ -336,7 +448,11 @@ ifdef(`hide_broken_symptoms',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -47049,7 +47068,7 @@ index a392fc4..79fadfc 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -350,7 +458,16 @@ optional_policy(`
|
||||
@@ -350,7 +466,16 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -47067,7 +47086,7 @@ index a392fc4..79fadfc 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -371,3 +488,13 @@ optional_policy(`
|
||||
@@ -371,3 +496,13 @@ optional_policy(`
|
||||
xen_append_log(ifconfig_t)
|
||||
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
|
||||
')
|
||||
|
|
@ -48929,10 +48948,10 @@ index 0000000..16cd1ac
|
|||
+')
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
new file mode 100644
|
||||
index 0000000..e77911b
|
||||
index 0000000..7abdaa0
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -0,0 +1,965 @@
|
||||
@@ -0,0 +1,967 @@
|
||||
+policy_module(systemd, 1.0.0)
|
||||
+
|
||||
+#######################################
|
||||
|
|
@ -49261,6 +49280,8 @@ index 0000000..e77911b
|
|||
+
|
||||
+init_dbus_chat(systemd_machined_t)
|
||||
+init_status(systemd_machined_t)
|
||||
+init_start(systemd_machined_t)
|
||||
+init_stop(systemd_machined_t)
|
||||
+
|
||||
+userdom_dbus_send_all_users(systemd_machined_t)
|
||||
+
|
||||
|
|
|
|||
|
|
@ -14386,10 +14386,10 @@ index 0000000..3849f13
|
|||
+/var/run/iwhd\.pid -- gen_context(system_u:object_r:iwhd_var_run_t,s0)
|
||||
diff --git a/cloudform.if b/cloudform.if
|
||||
new file mode 100644
|
||||
index 0000000..a06f04b
|
||||
index 0000000..55fe0d6
|
||||
--- /dev/null
|
||||
+++ b/cloudform.if
|
||||
@@ -0,0 +1,60 @@
|
||||
@@ -0,0 +1,116 @@
|
||||
+## <summary>cloudform policy</summary>
|
||||
+
|
||||
+#######################################
|
||||
|
|
@ -14415,6 +14415,24 @@ index 0000000..a06f04b
|
|||
+ kernel_read_system_state($1_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute a domain transition to run cloud_init.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`cloudform_init_domtrans',`
|
||||
+ gen_require(`
|
||||
+ type cloud_init_t, cloud_init_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ domtrans_pattern($1, cloud_init_exec_t, cloud_init_t)
|
||||
+')
|
||||
+
|
||||
+######################################
|
||||
+## <summary>
|
||||
+## Execute mongod in the caller domain.
|
||||
|
|
@ -14433,6 +14451,44 @@ index 0000000..a06f04b
|
|||
+ can_exec($1, mongod_exec_t)
|
||||
+')
|
||||
+
|
||||
+#######################################
|
||||
+## <summary>
|
||||
+## Allow read to cloud lib files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`cloudform_read_lib_files',`
|
||||
+ gen_require(`
|
||||
+ type cloud_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_var_lib($1)
|
||||
+ read_files_pattern($1, cloud_var_lib_t, cloud_var_lib_t)
|
||||
+')
|
||||
+
|
||||
+#######################################
|
||||
+## <summary>
|
||||
+## Allow read to cloud lib files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`cloudform_read_lib_lnk_files',`
|
||||
+ gen_require(`
|
||||
+ type cloud_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_var_lib($1)
|
||||
+ read_lnk_files_pattern($1, cloud_var_lib_t, cloud_var_lib_t)
|
||||
+')
|
||||
+
|
||||
+######################################
|
||||
+## <summary>
|
||||
+## Execute mongod in the caller domain.
|
||||
|
|
@ -22042,7 +22098,7 @@ index dda905b..5587295 100644
|
|||
/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
|
||||
+')
|
||||
diff --git a/dbus.if b/dbus.if
|
||||
index 62d22cb..d2ff291 100644
|
||||
index 62d22cb..a5ea200 100644
|
||||
--- a/dbus.if
|
||||
+++ b/dbus.if
|
||||
@@ -1,4 +1,4 @@
|
||||
|
|
@ -22077,7 +22133,7 @@ index 62d22cb..d2ff291 100644
|
|||
## </summary>
|
||||
## <param name="role_prefix">
|
||||
## <summary>
|
||||
@@ -41,59 +58,68 @@ interface(`dbus_stub',`
|
||||
@@ -41,59 +58,69 @@ interface(`dbus_stub',`
|
||||
template(`dbus_role_template',`
|
||||
gen_require(`
|
||||
class dbus { send_msg acquire_svc };
|
||||
|
|
@ -22121,6 +22177,7 @@ index 62d22cb..d2ff291 100644
|
|||
- allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
|
||||
+ # For connecting to the bus
|
||||
+ allow $3 $1_dbusd_t:unix_stream_socket { connectto rw_socket_perms };
|
||||
+ allow $1_dbusd_t $3:unix_stream_socket { accept getattr getopt };
|
||||
|
||||
- allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
|
||||
- allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:file { manage_file_perms relabel_file_perms };
|
||||
|
|
@ -22168,7 +22225,7 @@ index 62d22cb..d2ff291 100644
|
|||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -103,91 +129,88 @@ template(`dbus_role_template',`
|
||||
@@ -103,91 +130,88 @@ template(`dbus_role_template',`
|
||||
#
|
||||
interface(`dbus_system_bus_client',`
|
||||
gen_require(`
|
||||
|
|
@ -22298,7 +22355,7 @@ index 62d22cb..d2ff291 100644
|
|||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -195,15 +218,18 @@ interface(`dbus_connect_spec_session_bus',`
|
||||
@@ -195,15 +219,18 @@ interface(`dbus_connect_spec_session_bus',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
|
@ -22323,7 +22380,7 @@ index 62d22cb..d2ff291 100644
|
|||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -211,57 +237,39 @@ interface(`dbus_session_bus_client',`
|
||||
@@ -211,57 +238,39 @@ interface(`dbus_session_bus_client',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
|
@ -22395,7 +22452,7 @@ index 62d22cb..d2ff291 100644
|
|||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -269,15 +277,19 @@ interface(`dbus_spec_session_bus_client',`
|
||||
@@ -269,15 +278,19 @@ interface(`dbus_spec_session_bus_client',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
|
@ -22421,7 +22478,7 @@ index 62d22cb..d2ff291 100644
|
|||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -285,44 +297,52 @@ interface(`dbus_send_session_bus',`
|
||||
@@ -285,44 +298,52 @@ interface(`dbus_send_session_bus',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
|
@ -22488,7 +22545,7 @@ index 62d22cb..d2ff291 100644
|
|||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -330,18 +350,18 @@ interface(`dbus_send_spec_session_bus',`
|
||||
@@ -330,18 +351,18 @@ interface(`dbus_send_spec_session_bus',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
|
@ -22512,7 +22569,7 @@ index 62d22cb..d2ff291 100644
|
|||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -349,20 +369,18 @@ interface(`dbus_read_config',`
|
||||
@@ -349,20 +370,18 @@ interface(`dbus_read_config',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
|
@ -22538,7 +22595,7 @@ index 62d22cb..d2ff291 100644
|
|||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -370,26 +388,20 @@ interface(`dbus_read_lib_files',`
|
||||
@@ -370,26 +389,20 @@ interface(`dbus_read_lib_files',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
|
@ -22571,7 +22628,7 @@ index 62d22cb..d2ff291 100644
|
|||
## <param name="domain">
|
||||
## <summary>
|
||||
## Type to be used as a domain.
|
||||
@@ -397,81 +409,67 @@ interface(`dbus_manage_lib_files',`
|
||||
@@ -397,81 +410,67 @@ interface(`dbus_manage_lib_files',`
|
||||
## </param>
|
||||
## <param name="entry_point">
|
||||
## <summary>
|
||||
|
|
@ -22681,7 +22738,7 @@ index 62d22cb..d2ff291 100644
|
|||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -479,18 +477,18 @@ interface(`dbus_spec_session_domain',`
|
||||
@@ -479,18 +478,18 @@ interface(`dbus_spec_session_domain',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
|
@ -22705,7 +22762,7 @@ index 62d22cb..d2ff291 100644
|
|||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -498,98 +496,121 @@ interface(`dbus_connect_system_bus',`
|
||||
@@ -498,98 +497,121 @@ interface(`dbus_connect_system_bus',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
|
@ -22868,7 +22925,7 @@ index 62d22cb..d2ff291 100644
|
|||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -597,28 +618,50 @@ interface(`dbus_use_system_bus_fds',`
|
||||
@@ -597,28 +619,50 @@ interface(`dbus_use_system_bus_fds',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
|
@ -32769,7 +32826,7 @@ index e39de43..5edcb83 100644
|
|||
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
|
||||
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
|
||||
diff --git a/gnome.if b/gnome.if
|
||||
index ab09d61..cfd00e3 100644
|
||||
index ab09d61..1a07290 100644
|
||||
--- a/gnome.if
|
||||
+++ b/gnome.if
|
||||
@@ -1,52 +1,76 @@
|
||||
|
|
@ -32921,7 +32978,7 @@ index ab09d61..cfd00e3 100644
|
|||
+ allow $3 $1_gkeyringd_t:fd use;
|
||||
+ allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;
|
||||
+
|
||||
+ dontaudit $1_gkeyringd_t $3:unix_stream_socket { getattr read write };
|
||||
+ dontaudit $1_gkeyringd_t $3:unix_stream_socket { getattr read write connectto};
|
||||
+ stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
|
||||
+
|
||||
+ kernel_read_system_state($1_gkeyringd_t)
|
||||
|
|
@ -37516,10 +37573,10 @@ index 6517fad..f183748 100644
|
|||
+ allow $1 hypervkvp_unit_file_t:service all_service_perms;
|
||||
')
|
||||
diff --git a/hypervkvp.te b/hypervkvp.te
|
||||
index 4eb7041..572b64b 100644
|
||||
index 4eb7041..de9cd55 100644
|
||||
--- a/hypervkvp.te
|
||||
+++ b/hypervkvp.te
|
||||
@@ -5,24 +5,152 @@ policy_module(hypervkvp, 1.0.0)
|
||||
@@ -5,24 +5,153 @@ policy_module(hypervkvp, 1.0.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
|
|
@ -37605,6 +37662,7 @@ index 4eb7041..572b64b 100644
|
|||
+dev_read_urand(hypervkvp_t)
|
||||
+
|
||||
+files_dontaudit_search_home(hypervkvp_t)
|
||||
+files_dontaudit_getattr_non_security_files(hypervkvp_t)
|
||||
+
|
||||
+fs_getattr_all_fs(hypervkvp_t)
|
||||
+fs_read_hugetlbfs_files(hypervkvp_t)
|
||||
|
|
@ -38856,10 +38914,10 @@ index 0000000..81f38fe
|
|||
+')
|
||||
diff --git a/ipmievd.fc b/ipmievd.fc
|
||||
new file mode 100644
|
||||
index 0000000..afe4e83
|
||||
index 0000000..0f598ca
|
||||
--- /dev/null
|
||||
+++ b/ipmievd.fc
|
||||
@@ -0,0 +1,7 @@
|
||||
@@ -0,0 +1,9 @@
|
||||
+/usr/lib/systemd/system/ipmievd\.service -- gen_context(system_u:object_r:ipmievd_unit_file_t,s0)
|
||||
+
|
||||
+/usr/sbin/ipmievd -- gen_context(system_u:object_r:ipmievd_exec_t,s0)
|
||||
|
|
@ -38867,6 +38925,8 @@ index 0000000..afe4e83
|
|||
+/usr/libexec/openipmi-helper -- gen_context(system_u:object_r:ipmievd_exec_t,s0)
|
||||
+
|
||||
+/var/run/ipmievd\.pid -- gen_context(system_u:object_r:ipmievd_var_run_t,s0)
|
||||
+
|
||||
+/var/lock/subsys/ipmi -- gen_context(system_u:object_r:ipmievd_lock_t,s0)
|
||||
diff --git a/ipmievd.if b/ipmievd.if
|
||||
new file mode 100644
|
||||
index 0000000..e86db54
|
||||
|
|
@ -38995,10 +39055,10 @@ index 0000000..e86db54
|
|||
+')
|
||||
diff --git a/ipmievd.te b/ipmievd.te
|
||||
new file mode 100644
|
||||
index 0000000..32d7f6c
|
||||
index 0000000..a2c9648
|
||||
--- /dev/null
|
||||
+++ b/ipmievd.te
|
||||
@@ -0,0 +1,33 @@
|
||||
@@ -0,0 +1,51 @@
|
||||
+policy_module(ipmievd, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
|
|
@ -39013,6 +39073,9 @@ index 0000000..32d7f6c
|
|||
+type ipmievd_var_run_t;
|
||||
+files_pid_file(ipmievd_var_run_t)
|
||||
+
|
||||
+type ipmievd_lock_t;
|
||||
+files_lock_file(ipmievd_lock_t)
|
||||
+
|
||||
+type ipmievd_unit_file_t;
|
||||
+systemd_unit_file(ipmievd_unit_file_t)
|
||||
+
|
||||
|
|
@ -39027,11 +39090,26 @@ index 0000000..32d7f6c
|
|||
+manage_files_pattern(ipmievd_t, ipmievd_var_run_t, ipmievd_var_run_t)
|
||||
+files_pid_filetrans(ipmievd_t, ipmievd_var_run_t, { file })
|
||||
+
|
||||
+manage_files_pattern(ipmievd_t, ipmievd_lock_t, ipmievd_lock_t)
|
||||
+files_lock_filetrans(ipmievd_t, ipmievd_lock_t, file)
|
||||
+
|
||||
+kernel_read_system_state(ipmievd_t)
|
||||
+
|
||||
+auth_read_passwd(ipmievd_t)
|
||||
+
|
||||
+corecmd_exec_bin(ipmievd_t)
|
||||
+
|
||||
+dev_manage_ipmi_dev(ipmievd_t)
|
||||
+dev_filetrans_ipmi(ipmievd_t)
|
||||
+dev_read_sysfs(ipmievd_t)
|
||||
+
|
||||
+files_read_kernel_modules(ipmievd_t)
|
||||
+
|
||||
+logging_send_syslog_msg(ipmievd_t)
|
||||
+
|
||||
+modutils_exec_insmod(ipmievd_t)
|
||||
+modutils_read_module_config(ipmievd_t)
|
||||
+
|
||||
diff --git a/irc.fc b/irc.fc
|
||||
index 48e7739..1bf0326 100644
|
||||
--- a/irc.fc
|
||||
|
|
@ -42778,7 +42856,7 @@ index f6c00d8..e3cb4f1 100644
|
|||
+ kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
|
||||
')
|
||||
diff --git a/kerberos.te b/kerberos.te
|
||||
index 8833d59..a6356be 100644
|
||||
index 8833d59..3fde8ee 100644
|
||||
--- a/kerberos.te
|
||||
+++ b/kerberos.te
|
||||
@@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0)
|
||||
|
|
@ -42955,7 +43033,7 @@ index 8833d59..a6356be 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -174,24 +205,27 @@ optional_policy(`
|
||||
@@ -174,24 +205,28 @@ optional_policy(`
|
||||
# Krb5kdc local policy
|
||||
#
|
||||
|
||||
|
|
@ -42976,6 +43054,7 @@ index 8833d59..a6356be 100644
|
|||
|
||||
+can_exec(krb5kdc_t, krb5kdc_exec_t)
|
||||
+
|
||||
+list_dirs_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
|
||||
read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
|
||||
-dontaudit krb5kdc_t krb5kdc_conf_t:file write_file_perms;
|
||||
+dontaudit krb5kdc_t krb5kdc_conf_t:file write;
|
||||
|
|
@ -42987,7 +43066,7 @@ index 8833d59..a6356be 100644
|
|||
logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
|
||||
|
||||
allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;
|
||||
@@ -201,71 +235,79 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
|
||||
@@ -201,71 +236,79 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
|
||||
files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
|
||||
|
||||
manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
|
||||
|
|
@ -43081,7 +43160,7 @@ index 8833d59..a6356be 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -273,6 +315,10 @@ optional_policy(`
|
||||
@@ -273,6 +316,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -43092,7 +43171,7 @@ index 8833d59..a6356be 100644
|
|||
udev_read_db(krb5kdc_t)
|
||||
')
|
||||
|
||||
@@ -281,10 +327,12 @@ optional_policy(`
|
||||
@@ -281,10 +328,12 @@ optional_policy(`
|
||||
# kpropd local policy
|
||||
#
|
||||
|
||||
|
|
@ -43108,7 +43187,7 @@ index 8833d59..a6356be 100644
|
|||
|
||||
allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
|
||||
|
||||
@@ -301,27 +349,26 @@ manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
|
||||
@@ -301,27 +350,26 @@ manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
|
||||
manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
|
||||
files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
|
||||
|
||||
|
|
@ -58491,7 +58570,7 @@ index 94b9734..448a7e8 100644
|
|||
+/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||
diff --git a/networkmanager.if b/networkmanager.if
|
||||
index 86dc29d..7380935 100644
|
||||
index 86dc29d..c7d9376 100644
|
||||
--- a/networkmanager.if
|
||||
+++ b/networkmanager.if
|
||||
@@ -2,7 +2,7 @@
|
||||
|
|
@ -58823,7 +58902,7 @@ index 86dc29d..7380935 100644
|
|||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access.
|
||||
@@ -287,33 +427,189 @@ interface(`networkmanager_stream_connect',`
|
||||
@@ -287,33 +427,190 @@ interface(`networkmanager_stream_connect',`
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
|
|
@ -59026,6 +59105,7 @@ index 86dc29d..7380935 100644
|
|||
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em6.conf")
|
||||
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em7.conf")
|
||||
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em8.conf")
|
||||
+ files_pid_filetrans($1, NetworkManager_var_run_t, dir, "teamd")
|
||||
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "wicd.pid")
|
||||
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "manager-settings.conf")
|
||||
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireless-settings.conf")
|
||||
|
|
@ -86270,10 +86350,10 @@ index c8a1e16..2d409bf 100644
|
|||
xen_domtrans_xm(rgmanager_t)
|
||||
')
|
||||
diff --git a/rhcs.fc b/rhcs.fc
|
||||
index 47de2d6..aa2272c 100644
|
||||
index 47de2d6..c2bc05a 100644
|
||||
--- a/rhcs.fc
|
||||
+++ b/rhcs.fc
|
||||
@@ -1,31 +1,101 @@
|
||||
@@ -1,31 +1,104 @@
|
||||
-/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
|
||||
-/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
|
||||
+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
|
||||
|
|
@ -86391,6 +86471,9 @@ index 47de2d6..aa2272c 100644
|
|||
+/var/run/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0)
|
||||
+/var/run/rgmanager\.pid -- gen_context(system_u:object_r:cluster_var_run_t,s0)
|
||||
+/var/run/rsctmp(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0)
|
||||
+/var/run/corosync-qdevice(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0)
|
||||
+/var/run/corosync-qnetd(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0)
|
||||
+
|
||||
+
|
||||
+/var/log/cluster/aisexec\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
|
||||
+/var/log/cluster/cpglockd\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@
|
|||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 209%{?dist}
|
||||
Release: 210%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
|
|
@ -648,6 +648,19 @@ exit 0
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Aug 23 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-210
|
||||
- Add few interfaces to cloudform.if file
|
||||
- Label /var/run/corosync-qnetd and /var/run/corosync-qdevice as cluster_var_run_t. Note: corosync policy is now par of rhcs module
|
||||
- Allow krb5kdc_t to read krb4kdc_conf_t dirs.
|
||||
- Update networkmanager_filetrans_named_content() interface to allow source domain to create also temad dir in /var/run.
|
||||
- Make confined users working again
|
||||
- Fix hypervkvp module
|
||||
- Allow ipmievd domain to create lock files in /var/lock/subsys/
|
||||
- Update policy for ipmievd daemon. Contain: Allowing reading sysfs, passwd,kernel modules Execuring bin_t,insmod_t
|
||||
- A new version of cloud-init that supports the effort to provision RHEL Atomic on Microsoft Azure requires some a new rules that allows dhclient/dhclient hooks to call cloud-init.
|
||||
- Allow systemd to stop systemd-machined daemon. This allows stop virtual machines.
|
||||
- Label /usr/libexec/iptables/iptables.init as iptables_exec_t Allow iptables creating lock file in /var/lock/subsys/
|
||||
|
||||
* Tue Aug 16 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-209
|
||||
- Fix lsm SELinux module
|
||||
- Dontaudit firewalld to create dirs in /root/ BZ(1340611)
|
||||
|
|
|
|||
Loading…
Reference in New Issue