* Thu Oct 24 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-93
- Add back userdom_security_admin_template() interface and use it for sysadm_t if sysadm_secadm.pp
parent
2d3bd44103
commit
bb6a1f3c7f
@ -890,7 +890,7 @@ index 4705ab6..b7e7ea5 100644
|
|||||||
+## </desc>
|
+## </desc>
|
||||||
+gen_tunable(mount_anyfile, false)
|
+gen_tunable(mount_anyfile, false)
|
||||||
diff --git a/policy/mcs b/policy/mcs
|
diff --git a/policy/mcs b/policy/mcs
|
||||||
index 216b3d1..81bc8c4 100644
|
index 216b3d1..275d3d9 100644
|
||||||
--- a/policy/mcs
|
--- a/policy/mcs
|
||||||
+++ b/policy/mcs
|
+++ b/policy/mcs
|
||||||
@@ -1,4 +1,6 @@
|
@@ -1,4 +1,6 @@
|
||||||
@ -971,7 +971,17 @@ index 216b3d1..81bc8c4 100644
|
|||||||
|
|
||||||
mlsconstrain process { signal }
|
mlsconstrain process { signal }
|
||||||
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
|
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
|
||||||
@@ -166,4 +165,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
|
@@ -135,6 +134,9 @@ mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure d
|
||||||
|
mlsconstrain { db_tuple } { insert relabelto }
|
||||||
|
(( h1 dom h2 ) and ( l2 eq h2 ));
|
||||||
|
|
||||||
|
+mlsconstrain context contains
|
||||||
|
+ (( h1 dom h2 ) and ( l1 domby l2));
|
||||||
|
+
|
||||||
|
# Access control for any database objects based on MCS rules.
|
||||||
|
mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
|
||||||
|
( h1 dom h2 );
|
||||||
|
@@ -166,4 +168,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
|
||||||
mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
|
mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
|
||||||
( h1 dom h2 );
|
( h1 dom h2 );
|
||||||
|
|
||||||
@ -5426,7 +5436,7 @@ index 8e0f9cd..b9f45b9 100644
|
|||||||
|
|
||||||
define(`create_packet_interfaces',``
|
define(`create_packet_interfaces',``
|
||||||
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
|
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
|
||||||
index 4edc40d..dc853a1 100644
|
index 4edc40d..9455a13 100644
|
||||||
--- a/policy/modules/kernel/corenetwork.te.in
|
--- a/policy/modules/kernel/corenetwork.te.in
|
||||||
+++ b/policy/modules/kernel/corenetwork.te.in
|
+++ b/policy/modules/kernel/corenetwork.te.in
|
||||||
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
|
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
|
||||||
@ -5620,7 +5630,7 @@ index 4edc40d..dc853a1 100644
|
|||||||
network_port(matahari, tcp,49000,s0, udp,49000,s0)
|
network_port(matahari, tcp,49000,s0, udp,49000,s0)
|
||||||
network_port(memcache, tcp,11211,s0, udp,11211,s0)
|
network_port(memcache, tcp,11211,s0, udp,11211,s0)
|
||||||
-network_port(milter) # no defined portcon
|
-network_port(milter) # no defined portcon
|
||||||
+network_port(milter, tcp, 8891, s0) # no defined portcon
|
+network_port(milter, tcp, 8891, s0, tcp, 8893, s0) # no defined portcon
|
||||||
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
|
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
|
||||||
+network_port(mongod, tcp,27017-27019,s0, tcp, 28017-28019,s0)
|
+network_port(mongod, tcp,27017-27019,s0, tcp, 28017-28019,s0)
|
||||||
network_port(monopd, tcp,1234,s0)
|
network_port(monopd, tcp,1234,s0)
|
||||||
@ -18117,7 +18127,7 @@ index 0000000..bd83148
|
|||||||
+## <summary>No Interfaces</summary>
|
+## <summary>No Interfaces</summary>
|
||||||
diff --git a/policy/modules/roles/sysadm_secadm.te b/policy/modules/roles/sysadm_secadm.te
|
diff --git a/policy/modules/roles/sysadm_secadm.te b/policy/modules/roles/sysadm_secadm.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..3175fd7
|
index 0000000..63bc797
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/roles/sysadm_secadm.te
|
+++ b/policy/modules/roles/sysadm_secadm.te
|
||||||
@@ -0,0 +1,25 @@
|
@@ -0,0 +1,25 @@
|
||||||
@ -18133,7 +18143,7 @@ index 0000000..3175fd7
|
|||||||
+ role sysadm_r;
|
+ role sysadm_r;
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+userdom_admin_user_template(sysadm_t, sysadm_r)
|
+userdom_security_admin_template(sysadm_t, sysadm_r)
|
||||||
+
|
+
|
||||||
+#######################################
|
+#######################################
|
||||||
+#
|
+#
|
||||||
@ -18781,10 +18791,10 @@ index 0000000..cf6582f
|
|||||||
+
|
+
|
||||||
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
|
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..36f6ee2
|
index 0000000..539c163
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/roles/unconfineduser.te
|
+++ b/policy/modules/roles/unconfineduser.te
|
||||||
@@ -0,0 +1,332 @@
|
@@ -0,0 +1,328 @@
|
||||||
+policy_module(unconfineduser, 1.0.0)
|
+policy_module(unconfineduser, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -19103,10 +19113,6 @@ index 0000000..36f6ee2
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ usermanage_run_useradd(unconfined_t, unconfined_r)
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
+optional_policy(`
|
|
||||||
+ virt_transition_svirt(unconfined_t, unconfined_r)
|
+ virt_transition_svirt(unconfined_t, unconfined_r)
|
||||||
+ virt_transition_svirt_sandbox(unconfined_t, unconfined_r)
|
+ virt_transition_svirt_sandbox(unconfined_t, unconfined_r)
|
||||||
+')
|
+')
|
||||||
@ -20611,7 +20617,7 @@ index fe0c682..225aaa7 100644
|
|||||||
+ ps_process_pattern($1, sshd_t)
|
+ ps_process_pattern($1, sshd_t)
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
|
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
|
||||||
index 5fc0391..1386603 100644
|
index 5fc0391..692569b 100644
|
||||||
--- a/policy/modules/services/ssh.te
|
--- a/policy/modules/services/ssh.te
|
||||||
+++ b/policy/modules/services/ssh.te
|
+++ b/policy/modules/services/ssh.te
|
||||||
@@ -6,43 +6,61 @@ policy_module(ssh, 2.3.3)
|
@@ -6,43 +6,61 @@ policy_module(ssh, 2.3.3)
|
||||||
@ -21101,7 +21107,7 @@ index 5fc0391..1386603 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
seutil_sigchld_newrole(ssh_keygen_t)
|
seutil_sigchld_newrole(ssh_keygen_t)
|
||||||
@@ -331,3 +506,138 @@ optional_policy(`
|
@@ -331,3 +506,140 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
udev_read_db(ssh_keygen_t)
|
udev_read_db(ssh_keygen_t)
|
||||||
')
|
')
|
||||||
@ -21112,8 +21118,10 @@ index 5fc0391..1386603 100644
|
|||||||
+#
|
+#
|
||||||
+
|
+
|
||||||
+allow ssh_dyntransition_domain self:capability { setuid sys_chroot setgid };
|
+allow ssh_dyntransition_domain self:capability { setuid sys_chroot setgid };
|
||||||
|
+allow ssh_dyntransition_domain self:unix_dgram_socket create_socket_perms;
|
||||||
+
|
+
|
||||||
+allow ssh_dyntransition_domain self:fifo_file rw_fifo_file_perms;
|
+allow ssh_dyntransition_domain self:fifo_file rw_fifo_file_perms;
|
||||||
|
+allow ssh_dyntransition_domain sshd_t:fd use;
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ ssh_rw_stream_sockets(ssh_dyntransition_domain)
|
+ ssh_rw_stream_sockets(ssh_dyntransition_domain)
|
||||||
@ -26361,20 +26369,28 @@ index e4376aa..2c98c56 100644
|
|||||||
+ allow $1 getty_unit_file_t:service start;
|
+ allow $1 getty_unit_file_t:service start;
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
|
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
|
||||||
index fc38c9c..1c9f909 100644
|
index fc38c9c..4740426 100644
|
||||||
--- a/policy/modules/system/getty.te
|
--- a/policy/modules/system/getty.te
|
||||||
+++ b/policy/modules/system/getty.te
|
+++ b/policy/modules/system/getty.te
|
||||||
@@ -27,6 +27,9 @@ files_tmp_file(getty_tmp_t)
|
@@ -27,6 +27,17 @@ files_tmp_file(getty_tmp_t)
|
||||||
type getty_var_run_t;
|
type getty_var_run_t;
|
||||||
files_pid_file(getty_var_run_t)
|
files_pid_file(getty_var_run_t)
|
||||||
|
|
||||||
+type getty_unit_file_t;
|
+type getty_unit_file_t;
|
||||||
+systemd_unit_file(getty_unit_file_t)
|
+systemd_unit_file(getty_unit_file_t)
|
||||||
|
+
|
||||||
|
+ifdef(`enable_mcs',`
|
||||||
|
+ init_ranged_daemon_domain(getty_t, getty_exec_t, s0 - mcs_systemhigh)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+ifdef(`enable_mls',`
|
||||||
|
+ init_ranged_daemon_domain(getty_t, getty_exec_t, mls_systemhigh)
|
||||||
|
+')
|
||||||
+
|
+
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Getty local policy
|
# Getty local policy
|
||||||
@@ -83,8 +86,11 @@ term_use_unallocated_ttys(getty_t)
|
@@ -83,8 +94,11 @@ term_use_unallocated_ttys(getty_t)
|
||||||
term_setattr_all_ttys(getty_t)
|
term_setattr_all_ttys(getty_t)
|
||||||
term_setattr_unallocated_ttys(getty_t)
|
term_setattr_unallocated_ttys(getty_t)
|
||||||
term_setattr_console(getty_t)
|
term_setattr_console(getty_t)
|
||||||
@ -26386,7 +26402,7 @@ index fc38c9c..1c9f909 100644
|
|||||||
|
|
||||||
init_rw_utmp(getty_t)
|
init_rw_utmp(getty_t)
|
||||||
init_use_script_ptys(getty_t)
|
init_use_script_ptys(getty_t)
|
||||||
@@ -94,7 +100,6 @@ locallogin_domtrans(getty_t)
|
@@ -94,7 +108,6 @@ locallogin_domtrans(getty_t)
|
||||||
|
|
||||||
logging_send_syslog_msg(getty_t)
|
logging_send_syslog_msg(getty_t)
|
||||||
|
|
||||||
@ -26394,7 +26410,7 @@ index fc38c9c..1c9f909 100644
|
|||||||
|
|
||||||
ifdef(`distro_gentoo',`
|
ifdef(`distro_gentoo',`
|
||||||
# Gentoo default /etc/issue makes agetty
|
# Gentoo default /etc/issue makes agetty
|
||||||
@@ -113,7 +118,7 @@ ifdef(`distro_ubuntu',`
|
@@ -113,7 +126,7 @@ ifdef(`distro_ubuntu',`
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -26403,20 +26419,20 @@ index fc38c9c..1c9f909 100644
|
|||||||
# Support logging in from /dev/console
|
# Support logging in from /dev/console
|
||||||
term_use_console(getty_t)
|
term_use_console(getty_t)
|
||||||
',`
|
',`
|
||||||
@@ -121,11 +126,15 @@ tunable_policy(`console_login',`
|
@@ -121,11 +134,15 @@ tunable_policy(`console_login',`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- mta_send_mail(getty_t)
|
- mta_send_mail(getty_t)
|
||||||
+ hostname_exec(getty_t)
|
+ hostname_exec(getty_t)
|
||||||
+')
|
|
||||||
+
|
|
||||||
+optional_policy(`
|
|
||||||
+ lockdev_manage_files(getty_t)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- nscd_use(getty_t)
|
- nscd_use(getty_t)
|
||||||
|
+ lockdev_manage_files(getty_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
+ mta_send_mail(getty_t)
|
+ mta_send_mail(getty_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -39578,7 +39594,7 @@ index db75976..65191bd 100644
|
|||||||
+
|
+
|
||||||
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
|
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
|
||||||
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
|
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
|
||||||
index 3c5dba7..9b2cdf7 100644
|
index 3c5dba7..5b93224 100644
|
||||||
--- a/policy/modules/system/userdomain.if
|
--- a/policy/modules/system/userdomain.if
|
||||||
+++ b/policy/modules/system/userdomain.if
|
+++ b/policy/modules/system/userdomain.if
|
||||||
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
|
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
|
||||||
@ -42444,7 +42460,7 @@ index 3c5dba7..9b2cdf7 100644
|
|||||||
## Create keys for all user domains.
|
## Create keys for all user domains.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -3438,4 +4299,1533 @@ interface(`userdom_dbus_send_all_users',`
|
@@ -3438,4 +4299,1630 @@ interface(`userdom_dbus_send_all_users',`
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 userdomain:dbus send_msg;
|
allow $1 userdomain:dbus send_msg;
|
||||||
@ -42665,7 +42681,7 @@ index 3c5dba7..9b2cdf7 100644
|
|||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ allow $1 unpriv_userdomain:unix_dgram_socket sendto;
|
+ allow $1 unpriv_userdomain:unix_dgram_socket sendto;
|
||||||
+')
|
')
|
||||||
+
|
+
|
||||||
+######################################
|
+######################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
@ -43977,7 +43993,104 @@ index 3c5dba7..9b2cdf7 100644
|
|||||||
+ ubac_constrained($1_t)
|
+ ubac_constrained($1_t)
|
||||||
+
|
+
|
||||||
+ auth_use_nsswitch($1_t)
|
+ auth_use_nsswitch($1_t)
|
||||||
')
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Allow user to run as a secadm
|
||||||
|
+## </summary>
|
||||||
|
+## <desc>
|
||||||
|
+## <p>
|
||||||
|
+## Create objects in a user home directory
|
||||||
|
+## with an automatic type transition to
|
||||||
|
+## a specified private type.
|
||||||
|
+## </p>
|
||||||
|
+## <p>
|
||||||
|
+## This is a templated interface, and should only
|
||||||
|
+## be called from a per-userdomain template.
|
||||||
|
+## </p>
|
||||||
|
+## </desc>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+## <param name="role">
|
||||||
|
+## <summary>
|
||||||
|
+## The role of the object to create.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+template(`userdom_security_admin_template',`
|
||||||
|
+ allow $1 self:capability { dac_read_search dac_override };
|
||||||
|
+
|
||||||
|
+ corecmd_exec_shell($1)
|
||||||
|
+
|
||||||
|
+ domain_obj_id_change_exemption($1)
|
||||||
|
+
|
||||||
|
+ dev_relabel_all_dev_nodes($1)
|
||||||
|
+
|
||||||
|
+ files_create_boot_flag($1)
|
||||||
|
+ files_create_default_dir($1)
|
||||||
|
+ files_root_filetrans_default($1, dir)
|
||||||
|
+
|
||||||
|
+ # Necessary for managing /boot/efi
|
||||||
|
+ fs_manage_dos_files($1)
|
||||||
|
+
|
||||||
|
+ mls_process_read_up($1)
|
||||||
|
+ mls_file_read_all_levels($1)
|
||||||
|
+ mls_file_upgrade($1)
|
||||||
|
+ mls_file_downgrade($1)
|
||||||
|
+
|
||||||
|
+ selinux_set_enforce_mode($1)
|
||||||
|
+ selinux_set_all_booleans($1)
|
||||||
|
+ selinux_set_parameters($1)
|
||||||
|
+ selinux_read_policy($1)
|
||||||
|
+
|
||||||
|
+ files_relabel_all_files($1)
|
||||||
|
+
|
||||||
|
+ auth_relabel_shadow($1)
|
||||||
|
+
|
||||||
|
+ init_exec($1)
|
||||||
|
+
|
||||||
|
+ logging_send_syslog_msg($1)
|
||||||
|
+ logging_read_audit_log($1)
|
||||||
|
+ logging_read_generic_logs($1)
|
||||||
|
+ logging_read_audit_config($1)
|
||||||
|
+
|
||||||
|
+ seutil_manage_bin_policy($1)
|
||||||
|
+ seutil_manage_default_contexts($1)
|
||||||
|
+ seutil_manage_file_contexts($1)
|
||||||
|
+ seutil_manage_module_store($1)
|
||||||
|
+ seutil_manage_config($1)
|
||||||
|
+ seutil_manage_login_config($1)
|
||||||
|
+ seutil_run_checkpolicy($1,$2)
|
||||||
|
+ seutil_run_loadpolicy($1,$2)
|
||||||
|
+ seutil_run_semanage($1,$2)
|
||||||
|
+ seutil_run_setsebool($1,$2)
|
||||||
|
+ seutil_run_setfiles($1, $2)
|
||||||
|
+
|
||||||
|
+ optional_policy(`
|
||||||
|
+ aide_run($1,$2)
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ optional_policy(`
|
||||||
|
+ consoletype_exec($1)
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ optional_policy(`
|
||||||
|
+ ipsec_run_setkey($1,$2)
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ optional_policy(`
|
||||||
|
+ netlabel_run_mgmt($1,$2)
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ optional_policy(`
|
||||||
|
+ samhain_run($1, $2)
|
||||||
|
+ ')
|
||||||
|
+')
|
||||||
|
+
|
||||||
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
|
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
|
||||||
index e2b538b..e0c6eeb 100644
|
index e2b538b..e0c6eeb 100644
|
||||||
--- a/policy/modules/system/userdomain.te
|
--- a/policy/modules/system/userdomain.te
|
||||||
|
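Review bot: The doc block for the new `userdom_security_admin_template` (the `## <desc>` from `+## Create objects in a user home directory` through `+## </p>`) is copied from a home-directory filetrans template and does not describe what this template grants; a reader applying it to a domain, as the sysadm_secadm.te hunk does for sysadm_t, gets no hint that it hands out setenforce, boolean and policy-store management, relabeling of all files including shadow, and MLS read-up/upgrade/downgrade. Replace the `<desc>` with a paragraph stating that the template grants the security-administrator privilege set (SELinux enforcement, boolean and policy management, relabeling of all files and of shadow, audit log and audit config reading, MLS level changes) to the domain, and that the second argument is the role in which the checkpolicy/loadpolicy/semanage/setsebool/setfiles helpers run. The role parameter summary `## The role of the object to create.` should read `## Role allowed access.`, matching the other role-taking interfaces in this patch. The second `<p>` saying it should only be called from a per-userdomain template also looks inherited, since the sysadm_secadm.te hunk calls it directly; drop it unless that restriction is intended.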
@ -4707,7 +4707,7 @@ index 83e899c..fac6fe5 100644
|
|||||||
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
|
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
|
||||||
')
|
')
|
||||||
diff --git a/apache.te b/apache.te
|
diff --git a/apache.te b/apache.te
|
||||||
index 1a82e29..e84c56d 100644
|
index 1a82e29..d0d7c0b 100644
|
||||||
--- a/apache.te
|
--- a/apache.te
|
||||||
+++ b/apache.te
|
+++ b/apache.te
|
||||||
@@ -1,297 +1,367 @@
|
@@ -1,297 +1,367 @@
|
||||||
@ -6066,7 +6066,7 @@ index 1a82e29..e84c56d 100644
|
|||||||
udev_read_db(httpd_t)
|
udev_read_db(httpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -877,65 +1074,172 @@ optional_policy(`
|
@@ -877,65 +1074,173 @@ optional_policy(`
|
||||||
yam_read_content(httpd_t)
|
yam_read_content(httpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -6077,6 +6077,7 @@ index 1a82e29..e84c56d 100644
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
|
+ zoneminder_append_log(httpd_t)
|
||||||
+ zoneminder_manage_lib_dirs(httpd_t)
|
+ zoneminder_manage_lib_dirs(httpd_t)
|
||||||
+ zoneminder_manage_lib_files(httpd_t)
|
+ zoneminder_manage_lib_files(httpd_t)
|
||||||
+ zoneminder_stream_connect(httpd_t)
|
+ zoneminder_stream_connect(httpd_t)
|
||||||
@ -6261,7 +6262,7 @@ index 1a82e29..e84c56d 100644
|
|||||||
files_dontaudit_search_pids(httpd_suexec_t)
|
files_dontaudit_search_pids(httpd_suexec_t)
|
||||||
files_search_home(httpd_suexec_t)
|
files_search_home(httpd_suexec_t)
|
||||||
|
|
||||||
@@ -944,123 +1248,74 @@ auth_use_nsswitch(httpd_suexec_t)
|
@@ -944,123 +1249,74 @@ auth_use_nsswitch(httpd_suexec_t)
|
||||||
logging_search_logs(httpd_suexec_t)
|
logging_search_logs(httpd_suexec_t)
|
||||||
logging_send_syslog_msg(httpd_suexec_t)
|
logging_send_syslog_msg(httpd_suexec_t)
|
||||||
|
|
||||||
@ -6416,7 +6417,7 @@ index 1a82e29..e84c56d 100644
|
|||||||
mysql_read_config(httpd_suexec_t)
|
mysql_read_config(httpd_suexec_t)
|
||||||
|
|
||||||
tunable_policy(`httpd_can_network_connect_db',`
|
tunable_policy(`httpd_can_network_connect_db',`
|
||||||
@@ -1077,172 +1332,104 @@ optional_policy(`
|
@@ -1077,172 +1333,104 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -6652,7 +6653,7 @@ index 1a82e29..e84c56d 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`httpd_read_user_content',`
|
tunable_policy(`httpd_read_user_content',`
|
||||||
@@ -1250,64 +1437,74 @@ tunable_policy(`httpd_read_user_content',`
|
@@ -1250,64 +1438,74 @@ tunable_policy(`httpd_read_user_content',`
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`httpd_use_cifs',`
|
tunable_policy(`httpd_use_cifs',`
|
||||||
@ -6749,7 +6750,7 @@ index 1a82e29..e84c56d 100644
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@@ -1315,8 +1512,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
|
@@ -1315,8 +1513,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
|
||||||
#
|
#
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -6766,7 +6767,7 @@ index 1a82e29..e84c56d 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1324,49 +1528,38 @@ optional_policy(`
|
@@ -1324,49 +1529,38 @@ optional_policy(`
|
||||||
# User content local policy
|
# User content local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -6831,7 +6832,7 @@ index 1a82e29..e84c56d 100644
|
|||||||
kernel_read_system_state(httpd_passwd_t)
|
kernel_read_system_state(httpd_passwd_t)
|
||||||
|
|
||||||
corecmd_exec_bin(httpd_passwd_t)
|
corecmd_exec_bin(httpd_passwd_t)
|
||||||
@@ -1376,38 +1569,99 @@ dev_read_urand(httpd_passwd_t)
|
@@ -1376,38 +1570,99 @@ dev_read_urand(httpd_passwd_t)
|
||||||
|
|
||||||
domain_use_interactive_fds(httpd_passwd_t)
|
domain_use_interactive_fds(httpd_passwd_t)
|
||||||
|
|
||||||
@ -21897,6 +21898,369 @@ index ef36d73..fddd51f 100644
|
|||||||
sysnet_dns_name_resolve(dnssec_triggerd_t)
|
sysnet_dns_name_resolve(dnssec_triggerd_t)
|
||||||
sysnet_manage_config(dnssec_triggerd_t)
|
sysnet_manage_config(dnssec_triggerd_t)
|
||||||
sysnet_etc_filetrans_config(dnssec_triggerd_t)
|
sysnet_etc_filetrans_config(dnssec_triggerd_t)
|
||||||
|
diff --git a/docker.fc b/docker.fc
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..484dd44
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/docker.fc
|
||||||
|
@@ -0,0 +1,12 @@
|
||||||
|
+/usr/bin/docker -- gen_context(system_u:object_r:docker_exec_t,s0)
|
||||||
|
+
|
||||||
|
+/usr/lib/systemd/system/docker.service -- gen_context(system_u:object_r:docker_unit_file_t,s0)
|
||||||
|
+
|
||||||
|
+/var/lib/docker(/.*)? gen_context(system_u:object_r:docker_var_lib_t,s0)
|
||||||
|
+
|
||||||
|
+/var/run/docker\.pid -- gen_context(system_u:object_r:docker_var_run_t,s0)
|
||||||
|
+/var/run/docker\.sock -s gen_context(system_u:object_r:docker_var_run_t,s0)
|
||||||
|
+
|
||||||
|
+/var/log/lxc(/.*)? gen_context(system_u:object_r:docker_log_t,s0)
|
||||||
|
+
|
||||||
|
+/usr/lib/lxc/rootfs gen_context(system_u:object_r:mnt_t,s0)
|
||||||
|
\ No newline at end of file
|
||||||
|
diff --git a/docker.if b/docker.if
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..097c75c
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/docker.if
|
||||||
|
@@ -0,0 +1,202 @@
|
||||||
|
+
|
||||||
|
+## <summary>policy for docker</summary>
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Execute TEMPLATE in the docker domin.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed to transition.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`docker_domtrans',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type docker_t, docker_exec_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ corecmd_search_bin($1)
|
||||||
|
+ domtrans_pattern($1, docker_exec_t, docker_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Search docker lib directories.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`docker_search_lib',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type docker_var_lib_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 docker_var_lib_t:dir search_dir_perms;
|
||||||
|
+ files_search_var_lib($1)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Read docker lib files.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`docker_read_lib_files',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type docker_var_lib_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ files_search_var_lib($1)
|
||||||
|
+ read_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Manage docker lib files.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`docker_manage_lib_files',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type docker_var_lib_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ files_search_var_lib($1)
|
||||||
|
+ manage_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Manage docker lib directories.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`docker_manage_lib_dirs',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type docker_var_lib_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ files_search_var_lib($1)
|
||||||
|
+ manage_dirs_pattern($1, docker_var_lib_t, docker_var_lib_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Read docker PID files.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`docker_read_pid_files',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type docker_var_run_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ files_search_pids($1)
|
||||||
|
+ read_files_pattern($1, docker_var_run_t, docker_var_run_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Execute docker server in the docker domain.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed to transition.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`docker_systemctl',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type docker_t;
|
||||||
|
+ type docker_unit_file_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ systemd_exec_systemctl($1)
|
||||||
|
+ systemd_read_fifo_file_passwd_run($1)
|
||||||
|
+ allow $1 docker_unit_file_t:file read_file_perms;
|
||||||
|
+ allow $1 docker_unit_file_t:service manage_service_perms;
|
||||||
|
+
|
||||||
|
+ ps_process_pattern($1, docker_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## All of the rules required to administrate
|
||||||
|
+## an docker environment
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+## <param name="role">
|
||||||
|
+## <summary>
|
||||||
|
+## Role allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+## <rolecap/>
|
||||||
|
+#
|
||||||
|
+interface(`docker_admin',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type docker_t;
|
||||||
|
+ type docker_var_lib_t;
|
||||||
|
+ type docker_var_run_t;
|
||||||
|
+ type docker_unit_file_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 docker_t:process { ptrace signal_perms };
|
||||||
|
+ ps_process_pattern($1, docker_t)
|
||||||
|
+
|
||||||
|
+ files_search_var_lib($1)
|
||||||
|
+ admin_pattern($1, docker_var_lib_t)
|
||||||
|
+
|
||||||
|
+ files_search_pids($1)
|
||||||
|
+ admin_pattern($1, docker_var_run_t)
|
||||||
|
+
|
||||||
|
+ docker_systemctl($1)
|
||||||
|
+ admin_pattern($1, docker_unit_file_t)
|
||||||
|
+ allow $1 docker_unit_file_t:service all_service_perms;
|
||||||
|
+ optional_policy(`
|
||||||
|
+ systemd_passwd_agent_exec($1)
|
||||||
|
+ systemd_read_fifo_file_passwd_run($1)
|
||||||
|
+ ')
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Read and write docker shared memory.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`docker_rw_sem',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type docker_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 docker_t:sem rw_sem_perms;
|
||||||
|
+')
|
||||||
|
diff --git a/docker.te b/docker.te
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..939365d
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/docker.te
|
||||||
|
@@ -0,0 +1,130 @@
|
||||||
|
+policy_module(docker, 1.0.0)
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+#
|
||||||
|
+# Declarations
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+type docker_t;
|
||||||
|
+type docker_exec_t;
|
||||||
|
+init_daemon_domain(docker_t, docker_exec_t)
|
||||||
|
+
|
||||||
|
+type docker_var_lib_t;
|
||||||
|
+files_type(docker_var_lib_t)
|
||||||
|
+
|
||||||
|
+type docker_log_t;
|
||||||
|
+logging_log_file(docker_log_t)
|
||||||
|
+
|
||||||
|
+type docker_tmp_t;
|
||||||
|
+files_tmp_file(docker_tmp_t)
|
||||||
|
+
|
||||||
|
+type docker_var_run_t;
|
||||||
|
+files_pid_file(docker_var_run_t)
|
||||||
|
+
|
||||||
|
+type docker_unit_file_t;
|
||||||
|
+systemd_unit_file(docker_unit_file_t)
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+#
|
||||||
|
+# docker local policy
|
||||||
|
+#
|
||||||
|
+allow docker_t self:capability { chown fowner fsetid mknod net_admin };
|
||||||
|
+allow docker_t self:process signal_perms;
|
||||||
|
+allow docker_t self:fifo_file rw_fifo_file_perms;
|
||||||
|
+allow docker_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
+allow docker_t self:capability2 block_suspend;
|
||||||
|
+
|
||||||
|
+manage_dirs_pattern(docker_t, docker_log_t, docker_log_t)
|
||||||
|
+manage_files_pattern(docker_t, docker_log_t, docker_log_t)
|
||||||
|
+manage_lnk_files_pattern(docker_t, docker_log_t, docker_log_t)
|
||||||
|
+logging_log_filetrans(docker_t, docker_log_t, { dir file lnk_file })
|
||||||
|
+
|
||||||
|
+manage_dirs_pattern(docker_t, docker_tmp_t, docker_tmp_t)
|
||||||
|
+manage_files_pattern(docker_t, docker_tmp_t, docker_tmp_t)
|
||||||
|
+manage_lnk_files_pattern(docker_t, docker_tmp_t, docker_tmp_t)
|
||||||
|
+files_tmp_filetrans(docker_t, docker_tmp_t, { dir file lnk_file })
|
||||||
|
+
|
||||||
|
+manage_dirs_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
|
||||||
|
+manage_chr_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
|
||||||
|
+manage_blk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
|
||||||
|
+manage_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
|
||||||
|
+manage_lnk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
|
||||||
|
+files_var_lib_filetrans(docker_t, docker_var_lib_t, { dir file lnk_file })
|
||||||
|
+
|
||||||
|
+manage_dirs_pattern(docker_t, docker_var_run_t, docker_var_run_t)
|
||||||
|
+manage_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
|
||||||
|
+manage_sock_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
|
||||||
|
+manage_lnk_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
|
||||||
|
+files_pid_filetrans(docker_t, docker_var_run_t, { dir file lnk_file sock_file })
|
||||||
|
+
|
||||||
|
+kernel_read_system_state(docker_t)
|
||||||
|
+kernel_read_network_state(docker_t)
|
||||||
|
+kernel_read_all_sysctls(docker_t)
|
||||||
|
+
|
||||||
|
+domain_use_interactive_fds(docker_t)
|
||||||
|
+
|
||||||
|
+corecmd_exec_bin(docker_t)
|
||||||
|
+corecmd_exec_shell(docker_t)
|
||||||
|
+
|
||||||
|
+corenet_tcp_bind_generic_node(docker_t)
|
||||||
|
+
|
||||||
|
+files_read_etc_files(docker_t)
|
||||||
|
+
|
||||||
|
+fs_read_cgroup_files(docker_t)
|
||||||
|
+
|
||||||
|
+auth_use_nsswitch(docker_t)
|
||||||
|
+
|
||||||
|
+miscfiles_read_localization(docker_t)
|
||||||
|
+
|
||||||
|
+mount_domtrans(docker_t)
|
||||||
|
+
|
||||||
|
+sysnet_dns_name_resolve(docker_t)
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ fstools_domtrans(docker_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ iptables_domtrans(docker_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# lxc rules
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+allow docker_t self:capability { sys_admin sys_boot dac_override setpcap sys_ptrace };
|
||||||
|
+allow docker_t self:process setsched;
|
||||||
|
+allow docker_t self:netlink_route_socket nlmsg_write;
|
||||||
|
+allow docker_t self:unix_dgram_socket create_socket_perms;
|
||||||
|
+
|
||||||
|
+allow docker_t docker_var_lib_t:dir mounton;
|
||||||
|
+
|
||||||
|
+kernel_setsched(docker_t)
|
||||||
|
+
|
||||||
|
+dev_getattr_all_blk_files(docker_t)
|
||||||
|
+dev_read_urand(docker_t)
|
||||||
|
+
|
||||||
|
+files_manage_isid_type_dirs(docker_t)
|
||||||
|
+files_manage_isid_type_files(docker_t)
|
||||||
|
+files_manage_isid_type_symlinks(docker_t)
|
||||||
|
+files_manage_isid_type_chr_files(docker_t)
|
||||||
|
+files_exec_isid_files(docker_t)
|
||||||
|
+files_mounton_isid(docker_t)
|
||||||
|
+files_mounton_non_security(docker_t)
|
||||||
|
+
|
||||||
|
+fs_mount_all_fs(docker_t)
|
||||||
|
+fs_unmount_all_fs(docker_t)
|
||||||
|
+fs_remount_all_fs(docker_t)
|
||||||
|
+fs_manage_cgroup_dirs(docker_t)
|
||||||
|
+fs_manage_cgroup_files(docker_t)
|
||||||
|
+
|
||||||
|
+term_use_generic_ptys(docker_t)
|
||||||
|
+term_use_ptmx(docker_t)
|
||||||
|
+term_getattr_pty_fs(docker_t)
|
||||||
|
+
|
||||||
|
+dev_read_lvm_control(docker_t)
|
||||||
|
+
|
||||||
|
+gen_require(`
|
||||||
|
+type lvm_t;
|
||||||
|
+')
|
||||||
|
+docker_rw_sem(lvm_t)
|
||||||
diff --git a/dovecot.fc b/dovecot.fc
|
diff --git a/dovecot.fc b/dovecot.fc
|
||||||
index c880070..4448055 100644
|
index c880070..4448055 100644
|
||||||
--- a/dovecot.fc
|
--- a/dovecot.fc
|
||||||
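Review bot: The trailing `gen_require(` block at the end of docker.te (`+type lvm_t;` followed by `+docker_rw_sem(lvm_t)`) is a bare top-level require, so the docker module will fail to link on any system where the lvm module is not installed, unlike every other cross-module rule in the file, which sits inside `optional_policy(`; wrap the require and the call as shown below. Separately, the "lxc rules" stanza gives docker_t `sys_admin sys_boot dac_override setpcap sys_ptrace`, `fs_mount_all_fs`, the `files_manage_isid_type_*` set, `files_exec_isid_files` and `corecmd_exec_bin`/`corecmd_exec_shell`, and nothing in the hunk transitions container processes out of docker_t, so any workload the daemon launches appears to inherit this whole set. A header comment on that stanza such as `# No domain transition is defined for container processes; anything docker_t executes runs with the full privilege set below.` would make that visible to whoever later adds per-container separation. docker.fc also labels `/usr/lib/lxc/rootfs` as mnt_t and `/var/log/lxc(/.*)?` as docker_log_t; a one-line comment noting these are the lxc backend paths docker drives would explain why lxc paths appear in the docker module.
```selinux
optional_policy(`
	gen_require(`
		type lvm_t;
	')

	docker_rw_sem(lvm_t)
')
```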
@ -51749,7 +52113,7 @@ index 0000000..f2d6119
|
|||||||
+/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
|
+/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
|
||||||
diff --git a/openshift.if b/openshift.if
|
diff --git a/openshift.if b/openshift.if
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..fdc4a03
|
index 0000000..e03de01
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/openshift.if
|
+++ b/openshift.if
|
||||||
@@ -0,0 +1,700 @@
|
@@ -0,0 +1,700 @@
|
||||||
@ -52032,7 +52396,7 @@ index 0000000..fdc4a03
|
|||||||
+
|
+
|
||||||
+ files_search_var_lib($1)
|
+ files_search_var_lib($1)
|
||||||
+ read_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
|
+ read_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
|
||||||
+ read_lnk_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
|
+ read_lnk_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -54717,7 +55081,7 @@ index d2fc677..ded726f 100644
|
|||||||
')
|
')
|
||||||
+
|
+
|
||||||
diff --git a/pegasus.te b/pegasus.te
|
diff --git a/pegasus.te b/pegasus.te
|
||||||
index 7bcf327..ba2f9bb 100644
|
index 7bcf327..c1e0a6f 100644
|
||||||
--- a/pegasus.te
|
--- a/pegasus.te
|
||||||
+++ b/pegasus.te
|
+++ b/pegasus.te
|
||||||
@@ -1,17 +1,16 @@
|
@@ -1,17 +1,16 @@
|
||||||
@ -54741,7 +55105,7 @@ index 7bcf327..ba2f9bb 100644
|
|||||||
type pegasus_cache_t;
|
type pegasus_cache_t;
|
||||||
files_type(pegasus_cache_t)
|
files_type(pegasus_cache_t)
|
||||||
|
|
||||||
@@ -30,20 +29,260 @@ files_type(pegasus_mof_t)
|
@@ -30,20 +29,262 @@ files_type(pegasus_mof_t)
|
||||||
type pegasus_var_run_t;
|
type pegasus_var_run_t;
|
||||||
files_pid_file(pegasus_var_run_t)
|
files_pid_file(pegasus_var_run_t)
|
||||||
|
|
||||||
@ -54862,9 +55226,11 @@ index 7bcf327..ba2f9bb 100644
|
|||||||
+
|
+
|
||||||
+######################################
|
+######################################
|
||||||
+#
|
+#
|
||||||
+# pegasus openlmi networking local policy
|
+# pegasus openlmi services local policy
|
||||||
+#
|
+#
|
||||||
+
|
+
|
||||||
|
+allow pegasus_openlmi_services_t self:netlink_route_socket r_netlink_socket_perms;
|
||||||
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ dbus_system_bus_client(pegasus_openlmi_services_t)
|
+ dbus_system_bus_client(pegasus_openlmi_services_t)
|
||||||
+')
|
+')
|
||||||
@ -54875,12 +55241,12 @@ index 7bcf327..ba2f9bb 100644
|
|||||||
+
|
+
|
||||||
+######################################
|
+######################################
|
||||||
+#
|
+#
|
||||||
+# pegasus openlmi networking local policy
|
+# pegasus openlmi system (networking) local policy
|
||||||
+#
|
+#
|
||||||
+
|
+
|
||||||
+allow pegasus_openlmi_system_t self:capability { net_admin };
|
+allow pegasus_openlmi_system_t self:capability { net_admin };
|
||||||
+
|
+
|
||||||
+allow pegasus_openlmi_system_t self:netlink_route_socket r_netlink_socket_perms;;
|
+allow pegasus_openlmi_system_t self:netlink_route_socket r_netlink_socket_perms;
|
||||||
+
|
+
|
||||||
+kernel_read_network_state(pegasus_openlmi_system_t)
|
+kernel_read_network_state(pegasus_openlmi_system_t)
|
||||||
+
|
+
|
||||||
@ -55007,7 +55373,7 @@ index 7bcf327..ba2f9bb 100644
|
|||||||
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
|
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
|
||||||
|
|
||||||
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
|
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
|
||||||
@@ -54,22 +293,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
|
@@ -54,22 +295,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
|
||||||
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
||||||
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
||||||
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
||||||
@ -55038,7 +55404,7 @@ index 7bcf327..ba2f9bb 100644
|
|||||||
|
|
||||||
kernel_read_network_state(pegasus_t)
|
kernel_read_network_state(pegasus_t)
|
||||||
kernel_read_kernel_sysctls(pegasus_t)
|
kernel_read_kernel_sysctls(pegasus_t)
|
||||||
@@ -80,27 +319,21 @@ kernel_read_net_sysctls(pegasus_t)
|
@@ -80,27 +321,21 @@ kernel_read_net_sysctls(pegasus_t)
|
||||||
kernel_read_xen_state(pegasus_t)
|
kernel_read_xen_state(pegasus_t)
|
||||||
kernel_write_xen_state(pegasus_t)
|
kernel_write_xen_state(pegasus_t)
|
||||||
|
|
||||||
@ -55071,7 +55437,7 @@ index 7bcf327..ba2f9bb 100644
|
|||||||
|
|
||||||
corecmd_exec_bin(pegasus_t)
|
corecmd_exec_bin(pegasus_t)
|
||||||
corecmd_exec_shell(pegasus_t)
|
corecmd_exec_shell(pegasus_t)
|
||||||
@@ -114,6 +347,7 @@ files_getattr_all_dirs(pegasus_t)
|
@@ -114,6 +349,7 @@ files_getattr_all_dirs(pegasus_t)
|
||||||
|
|
||||||
auth_use_nsswitch(pegasus_t)
|
auth_use_nsswitch(pegasus_t)
|
||||||
auth_domtrans_chk_passwd(pegasus_t)
|
auth_domtrans_chk_passwd(pegasus_t)
|
||||||
@ -55079,7 +55445,7 @@ index 7bcf327..ba2f9bb 100644
|
|||||||
|
|
||||||
domain_use_interactive_fds(pegasus_t)
|
domain_use_interactive_fds(pegasus_t)
|
||||||
domain_read_all_domains_state(pegasus_t)
|
domain_read_all_domains_state(pegasus_t)
|
||||||
@@ -128,18 +362,25 @@ init_stream_connect_script(pegasus_t)
|
@@ -128,18 +364,25 @@ init_stream_connect_script(pegasus_t)
|
||||||
logging_send_audit_msgs(pegasus_t)
|
logging_send_audit_msgs(pegasus_t)
|
||||||
logging_send_syslog_msg(pegasus_t)
|
logging_send_syslog_msg(pegasus_t)
|
||||||
|
|
||||||
@ -55111,7 +55477,7 @@ index 7bcf327..ba2f9bb 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -151,16 +392,24 @@ optional_policy(`
|
@@ -151,16 +394,24 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -55140,7 +55506,7 @@ index 7bcf327..ba2f9bb 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -168,7 +417,7 @@ optional_policy(`
|
@@ -168,7 +419,7 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -73104,7 +73470,7 @@ index 050479d..0e1b364 100644
|
|||||||
type rlogind_home_t;
|
type rlogind_home_t;
|
||||||
')
|
')
|
||||||
diff --git a/rlogin.te b/rlogin.te
|
diff --git a/rlogin.te b/rlogin.te
|
||||||
index d34cdec..33f56c0 100644
|
index d34cdec..15d7ca6 100644
|
||||||
--- a/rlogin.te
|
--- a/rlogin.te
|
||||||
+++ b/rlogin.te
|
+++ b/rlogin.te
|
||||||
@@ -30,7 +30,9 @@ files_pid_file(rlogind_var_run_t)
|
@@ -30,7 +30,9 @@ files_pid_file(rlogind_var_run_t)
|
||||||
@ -73134,15 +73500,16 @@ index d34cdec..33f56c0 100644
|
|||||||
corenet_all_recvfrom_netlabel(rlogind_t)
|
corenet_all_recvfrom_netlabel(rlogind_t)
|
||||||
corenet_tcp_sendrecv_generic_if(rlogind_t)
|
corenet_tcp_sendrecv_generic_if(rlogind_t)
|
||||||
corenet_udp_sendrecv_generic_if(rlogind_t)
|
corenet_udp_sendrecv_generic_if(rlogind_t)
|
||||||
@@ -58,6 +58,7 @@ corenet_tcp_sendrecv_generic_node(rlogind_t)
|
@@ -58,6 +58,8 @@ corenet_tcp_sendrecv_generic_node(rlogind_t)
|
||||||
corenet_udp_sendrecv_generic_node(rlogind_t)
|
corenet_udp_sendrecv_generic_node(rlogind_t)
|
||||||
corenet_tcp_sendrecv_all_ports(rlogind_t)
|
corenet_tcp_sendrecv_all_ports(rlogind_t)
|
||||||
corenet_udp_sendrecv_all_ports(rlogind_t)
|
corenet_udp_sendrecv_all_ports(rlogind_t)
|
||||||
+corenet_tcp_bind_rlogin_port(rlogind_t)
|
+corenet_tcp_bind_rlogin_port(rlogind_t)
|
||||||
|
+corenet_tcp_bind_rlogind_port(rlogind_t)
|
||||||
|
|
||||||
dev_read_urand(rlogind_t)
|
dev_read_urand(rlogind_t)
|
||||||
|
|
||||||
@@ -67,6 +68,7 @@ fs_getattr_all_fs(rlogind_t)
|
@@ -67,6 +69,7 @@ fs_getattr_all_fs(rlogind_t)
|
||||||
fs_search_auto_mountpoints(rlogind_t)
|
fs_search_auto_mountpoints(rlogind_t)
|
||||||
|
|
||||||
auth_domtrans_chk_passwd(rlogind_t)
|
auth_domtrans_chk_passwd(rlogind_t)
|
||||||
@ -73150,7 +73517,7 @@ index d34cdec..33f56c0 100644
|
|||||||
auth_rw_login_records(rlogind_t)
|
auth_rw_login_records(rlogind_t)
|
||||||
auth_use_nsswitch(rlogind_t)
|
auth_use_nsswitch(rlogind_t)
|
||||||
|
|
||||||
@@ -77,30 +79,23 @@ init_rw_utmp(rlogind_t)
|
@@ -77,30 +80,23 @@ init_rw_utmp(rlogind_t)
|
||||||
|
|
||||||
logging_send_syslog_msg(rlogind_t)
|
logging_send_syslog_msg(rlogind_t)
|
||||||
|
|
||||||
@ -79374,10 +79741,10 @@ index 0000000..5da5bff
|
|||||||
+')
|
+')
|
||||||
diff --git a/sandboxX.te b/sandboxX.te
|
diff --git a/sandboxX.te b/sandboxX.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..23af146
|
index 0000000..710df6b
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/sandboxX.te
|
+++ b/sandboxX.te
|
||||||
@@ -0,0 +1,482 @@
|
@@ -0,0 +1,483 @@
|
||||||
+policy_module(sandboxX,1.0.0)
|
+policy_module(sandboxX,1.0.0)
|
||||||
+
|
+
|
||||||
+dbus_stub()
|
+dbus_stub()
|
||||||
@ -79391,7 +79758,8 @@ index 0000000..23af146
|
|||||||
+files_type(sandbox_exec_t)
|
+files_type(sandbox_exec_t)
|
||||||
+
|
+
|
||||||
+type sandbox_file_t, sandbox_file_type;
|
+type sandbox_file_t, sandbox_file_type;
|
||||||
+files_type(sandbox_file_t)
|
+userdom_user_home_content(sandbox_file_t)
|
||||||
|
+
|
||||||
+typealias sandbox_file_t alias { sandbox_x_file_t sandbox_web_file_t sandbox_net_file_t sandbox_min_file_t };
|
+typealias sandbox_file_t alias { sandbox_x_file_t sandbox_web_file_t sandbox_net_file_t sandbox_min_file_t };
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
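Review bot: Replacing `files_type(sandbox_file_t)` with `userdom_user_home_content(sandbox_file_t)` makes sandbox_file_t (and its sandbox_x/web/net/min_file_t aliases on the next line) user home content, so every domain granted access through the generic user-home-content interfaces now reaches sandbox data as well; nothing in the hunk records that this widening is intended. A short comment above the call, such as `# sandbox_file_t is user home content: home-directory interfaces deliberately cover sandbox data`, would make the broadened reach explicit for the next reviewer. The rest of the new sandboxX.te is outside this hunk, so whether other rules already depend on the user_home_type attribute cannot be confirmed from here.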
@ -88659,7 +89027,7 @@ index 5406b6e..dc5b46e 100644
|
|||||||
admin_pattern($1, tgtd_tmpfs_t)
|
admin_pattern($1, tgtd_tmpfs_t)
|
||||||
')
|
')
|
||||||
diff --git a/tgtd.te b/tgtd.te
|
diff --git a/tgtd.te b/tgtd.te
|
||||||
index c93c973..4ec1eb0 100644
|
index c93c973..60f4ce9 100644
|
||||||
--- a/tgtd.te
|
--- a/tgtd.te
|
||||||
+++ b/tgtd.te
|
+++ b/tgtd.te
|
||||||
@@ -29,7 +29,7 @@ files_pid_file(tgtd_var_run_t)
|
@@ -29,7 +29,7 @@ files_pid_file(tgtd_var_run_t)
|
||||||
@ -88667,7 +89035,7 @@ index c93c973..4ec1eb0 100644
|
|||||||
#
|
#
|
||||||
|
|
||||||
-allow tgtd_t self:capability sys_resource;
|
-allow tgtd_t self:capability sys_resource;
|
||||||
+allow tgtd_t self:capability { dac_override sys_resource sys_rawio sys_admin };
|
+allow tgtd_t self:capability { dac_override ipc_lock sys_resource sys_rawio sys_admin };
|
||||||
allow tgtd_t self:capability2 block_suspend;
|
allow tgtd_t self:capability2 block_suspend;
|
||||||
allow tgtd_t self:process { setrlimit signal };
|
allow tgtd_t self:process { setrlimit signal };
|
||||||
allow tgtd_t self:fifo_file rw_fifo_file_perms;
|
allow tgtd_t self:fifo_file rw_fifo_file_perms;
|
||||||
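Review bot: The new `ipc_lock` in `allow tgtd_t self:capability { dac_override ipc_lock sys_resource sys_rawio sys_admin };` is added to an already broad capability set with no comment saying which operation needs it, and the 3.12.1-93 changelog entry in this commit does not mention tgtd at all. A one-line why-comment above the rule, `# ipc_lock: <reason, e.g. the tgtd operation that triggered the denial>`, or a changelog line naming the change, would let a later audit tell a needed grant from an accumulated one. The enclosing tgtd.te section continues past this outer hunk.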
|
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.12.1
|
Version: 3.12.1
|
||||||
Release: 92%{?dist}
|
Release: 93%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -572,6 +572,9 @@ SELinux Reference policy mls base module.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Oct 24 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-93
|
||||||
|
- Add back userdom_security_admin_template() interface and use it for sysadm_t if sysadm_secadm.pp
|
||||||
|
|
||||||
* Tue Oct 22 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-92
|
* Tue Oct 22 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-92
|
||||||
- Allow sshd_t to read openshift content, needs backport to RHEL6.5
|
- Allow sshd_t to read openshift content, needs backport to RHEL6.5
|
||||||
- Label /usr/lib64/sasl2/libsasldb.so.3.0.0 as textrel_shlib_t
|
- Label /usr/lib64/sasl2/libsasldb.so.3.0.0 as textrel_shlib_t
|
||||||
|