- Allow sysadm_t to read login information

- Allow systemd_tmpfiles to setattr on var_log_t directories
- Udpdate Makefile to include systemd_contexts
- Add systemd_contexts
- Add fs_exec_hugetlbfs_files() interface
- Add daemons_enable_cluster_mode boolean
- Fix rsync_filetrans_named_content()
- Add rhcs_read_cluster_pid_files() interface
- Update rhcs.if with additional interfaces from RHEL6
- Fix rhcs_domain_template() to not create run dirs with cluster_var_run_t
- Allow glusterd_t to mounton glusterd_tmp_t
- Allow glusterd to unmout al filesystems
- Allow xenstored to read virt config
- Add label for swift_server.lock and make add filetrans_named_content to make sure content gets created with the correct lab
- Allow mozilla_plugin_t to mmap hugepages as an executable
This commit is contained in:
Miroslav Grepl 2013-10-28 10:06:40 +01:00
parent 4f67cf89e1
commit bf4990489d
3 changed files with 477 additions and 315 deletions

File diff suppressed because it is too large Load Diff

View File

@ -25988,10 +25988,10 @@ index 0000000..1ed97fe
+
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
index 0000000..dd418db
index 0000000..d6a2e10
--- /dev/null
+++ b/glusterd.te
@@ -0,0 +1,185 @@
@@ -0,0 +1,187 @@
+policy_module(glusterfs, 1.0.1)
+
+## <desc>
@ -26065,6 +26065,7 @@ index 0000000..dd418db
+manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
+allow glusterd_t glusterd_tmp_t:dir mounton;
+
+manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
@ -26130,6 +26131,7 @@ index 0000000..dd418db
+domain_use_interactive_fds(glusterd_t)
+
+fs_mount_all_fs(glusterd_t)
+fs_unmount_all_fs(glusterd_t)
+fs_getattr_all_fs(glusterd_t)
+
+files_mounton_mnt(glusterd_t)
@ -40908,7 +40910,7 @@ index 6194b80..d54c5ba 100644
')
+
diff --git a/mozilla.te b/mozilla.te
index 6a306ee..11a0f02 100644
index 6a306ee..b236449 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@ -41352,7 +41354,7 @@ index 6a306ee..11a0f02 100644
')
optional_policy(`
@@ -300,259 +324,235 @@ optional_policy(`
@@ -300,259 +324,236 @@ optional_policy(`
########################################
#
@ -41587,6 +41589,7 @@ index 6a306ee..11a0f02 100644
+fs_list_dos(mozilla_plugin_t)
+fs_read_noxattr_fs_files(mozilla_plugin_t)
+fs_read_hugetlbfs_files(mozilla_plugin_t)
+fs_exec_hugetlbfs_files(mozilla_plugin_t)
application_exec(mozilla_plugin_t)
+application_dontaudit_signull(mozilla_plugin_t)
@ -41739,7 +41742,7 @@ index 6a306ee..11a0f02 100644
')
optional_policy(`
@@ -560,7 +560,7 @@ optional_policy(`
@@ -560,7 +561,7 @@ optional_policy(`
')
optional_policy(`
@ -41748,7 +41751,7 @@ index 6a306ee..11a0f02 100644
')
optional_policy(`
@@ -568,108 +568,130 @@ optional_policy(`
@@ -568,108 +569,130 @@ optional_policy(`
')
optional_policy(`
@ -71063,7 +71066,7 @@ index 47de2d6..98a4280 100644
+/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
+/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0)
diff --git a/rhcs.if b/rhcs.if
index 56bc01f..b8d154e 100644
index 56bc01f..2e4d698 100644
--- a/rhcs.if
+++ b/rhcs.if
@@ -1,19 +1,19 @@
@ -71108,7 +71111,7 @@ index 56bc01f..b8d154e 100644
manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
- files_pid_filetrans($1_t, $1_var_run_t, { dir file fifo_file })
+ files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file fifo_file })
+ files_pid_filetrans($1_t, $1_var_run_t, { file sock_file fifo_file })
- optional_policy(`
- dbus_system_bus_client($1_t)
@ -71287,121 +71290,13 @@ index 56bc01f..b8d154e 100644
## </summary>
## <param name="domain">
## <summary>
@@ -342,10 +331,9 @@ interface(`rhcs_stream_connect_groupd',`
@@ -342,10 +331,51 @@ interface(`rhcs_stream_connect_groupd',`
stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t)
')
-########################################
+#####################################
## <summary>
-## Read and write all cluster domains
-## shared memory.
+## Allow read and write access to groupd semaphores.
## </summary>
## <param name="domain">
## <summary>
@@ -353,21 +341,20 @@ interface(`rhcs_stream_connect_groupd',`
## </summary>
## </param>
#
-interface(`rhcs_rw_cluster_shm',`
+interface(`rhcs_rw_groupd_semaphores',`
gen_require(`
- attribute cluster_domain, cluster_tmpfs;
+ type groupd_t, groupd_tmpfs_t;
')
- allow $1 cluster_domain:shm { rw_shm_perms destroy };
+ allow $1 groupd_t:sem { rw_sem_perms destroy };
fs_search_tmpfs($1)
- manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs)
+ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
')
-####################################
+########################################
## <summary>
-## Read and write all cluster
-## domains semaphores.
+## Read and write to group shared memory.
## </summary>
## <param name="domain">
## <summary>
@@ -375,17 +362,20 @@ interface(`rhcs_rw_cluster_shm',`
## </summary>
## </param>
#
-interface(`rhcs_rw_cluster_semaphores',`
+interface(`rhcs_rw_groupd_shm',`
gen_require(`
- attribute cluster_domain;
+ type groupd_t, groupd_tmpfs_t;
')
- allow $1 cluster_domain:sem { rw_sem_perms destroy };
+ allow $1 groupd_t:shm { rw_shm_perms destroy };
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
')
-#####################################
+########################################
## <summary>
-## Read and write groupd semaphores.
+## Read and write to group shared memory.
## </summary>
## <param name="domain">
## <summary>
@@ -393,20 +383,20 @@ interface(`rhcs_rw_cluster_semaphores',`
## </summary>
## </param>
#
-interface(`rhcs_rw_groupd_semaphores',`
+interface(`rhcs_rw_cluster_shm',`
gen_require(`
- type groupd_t, groupd_tmpfs_t;
+ attribute cluster_domain, cluster_tmpfs;
')
- allow $1 groupd_t:sem { rw_sem_perms destroy };
+ allow $1 cluster_domain:shm { rw_shm_perms destroy };
fs_search_tmpfs($1)
- manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+ manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs)
')
-########################################
+####################################
## <summary>
-## Read and write groupd shared memory.
+## Read and write access to cluster domains semaphores.
## </summary>
## <param name="domain">
## <summary>
@@ -414,15 +404,32 @@ interface(`rhcs_rw_groupd_semaphores',`
## </summary>
## </param>
#
-interface(`rhcs_rw_groupd_shm',`
+interface(`rhcs_rw_cluster_semaphores',`
gen_require(`
- type groupd_t, groupd_tmpfs_t;
+ attribute cluster_domain;
')
- allow $1 groupd_t:shm { rw_shm_perms destroy };
+ allow $1 cluster_domain:sem { rw_sem_perms destroy };
+')
- fs_search_tmpfs($1)
- manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+####################################
+## <summary>
+## Connect to cluster domains over a unix domain
+## stream socket.
+## Allow read and write access to groupd semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
@ -71409,17 +71304,124 @@ index 56bc01f..b8d154e 100644
+## </summary>
+## </param>
+#
+interface(`rhcs_stream_connect_cluster',`
+interface(`rhcs_rw_groupd_semaphores',`
+ gen_require(`
+ attribute cluster_domain, cluster_pid;
+ type groupd_t, groupd_tmpfs_t;
+ ')
+
+ allow $1 groupd_t:sem { rw_sem_perms destroy };
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+')
+
+########################################
+## <summary>
+## Read and write to group shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_rw_groupd_shm',`
+ gen_require(`
+ type groupd_t, groupd_tmpfs_t;
+ ')
+
+ allow $1 groupd_t:shm { rw_shm_perms destroy };
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+')
+
########################################
## <summary>
-## Read and write all cluster domains
-## shared memory.
+## Read and write to group shared memory.
## </summary>
## <param name="domain">
## <summary>
@@ -366,8 +396,7 @@ interface(`rhcs_rw_cluster_shm',`
####################################
## <summary>
-## Read and write all cluster
-## domains semaphores.
+## Read and write access to cluster domains semaphores.
## </summary>
## <param name="domain">
## <summary>
@@ -383,9 +412,10 @@ interface(`rhcs_rw_cluster_semaphores',`
allow $1 cluster_domain:sem { rw_sem_perms destroy };
')
-#####################################
+####################################
## <summary>
-## Read and write groupd semaphores.
+## Connect to cluster domains over a unix domain
+## stream socket.
## </summary>
## <param name="domain">
## <summary>
@@ -393,36 +423,39 @@ interface(`rhcs_rw_cluster_semaphores',`
## </summary>
## </param>
#
-interface(`rhcs_rw_groupd_semaphores',`
+interface(`rhcs_stream_connect_cluster',`
gen_require(`
- type groupd_t, groupd_tmpfs_t;
+ attribute cluster_domain, cluster_pid;
')
- allow $1 groupd_t:sem { rw_sem_perms destroy };
-
- fs_search_tmpfs($1)
- manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+ files_search_pids($1)
+ stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
')
-########################################
+#####################################
## <summary>
-## Read and write groupd shared memory.
+## Connect to cluster domains over a unix domain
+## stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
#
-interface(`rhcs_rw_groupd_shm',`
+interface(`rhcs_stream_connect_cluster_to',`
gen_require(`
- type groupd_t, groupd_tmpfs_t;
+ attribute cluster_domain;
+ attribute cluster_pid;
')
- allow $1 groupd_t:shm { rw_shm_perms destroy };
-
- fs_search_tmpfs($1)
- manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+ files_search_pids($1)
+ stream_connect_pattern($1, cluster_pid, cluster_pid, $2)
')
######################################
@@ -446,52 +453,322 @@ interface(`rhcs_domtrans_qdiskd',`
@@ -446,52 +479,360 @@ interface(`rhcs_domtrans_qdiskd',`
########################################
## <summary>
@ -71470,11 +71472,7 @@ index 56bc01f..b8d154e 100644
+ files_search_var_lib($1)
+ read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
- allow $2 system_r;
+
+#####################################
+## <summary>
+## Allow domain to manage cluster lib files
@ -71490,14 +71488,16 @@ index 56bc01f..b8d154e 100644
+ type cluster_var_lib_t;
+ ')
- files_search_pids($1)
- admin_pattern($1, cluster_pid)
- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
- allow $2 system_r;
+ files_search_var_lib($1)
+ manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
- files_search_locks($1)
- admin_pattern($1, fenced_lock_t)
- files_search_pids($1)
- admin_pattern($1, cluster_pid)
+####################################
+## <summary>
+## Allow domain to relabel cluster lib files
@ -71518,8 +71518,8 @@ index 56bc01f..b8d154e 100644
+ relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
- files_search_tmp($1)
- admin_pattern($1, fenced_tmp_t)
- files_search_locks($1)
- admin_pattern($1, fenced_lock_t)
+######################################
+## <summary>
+## Execute a domain transition to run cluster administrative domain.
@ -71535,14 +71535,14 @@ index 56bc01f..b8d154e 100644
+ type cluster_t, cluster_exec_t;
+ ')
- files_search_var_lib($1)
- admin_pattern($1, qdiskd_var_lib_t)
- files_search_tmp($1)
- admin_pattern($1, fenced_tmp_t)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, cluster_exec_t, cluster_t)
+')
- fs_search_tmpfs($1)
- admin_pattern($1, cluster_tmpfs)
- files_search_var_lib($1)
- admin_pattern($1, qdiskd_var_lib_t)
+#######################################
+## <summary>
+## Execute cluster init scripts in
@ -71558,7 +71558,9 @@ index 56bc01f..b8d154e 100644
+ gen_require(`
+ type cluster_initrc_exec_t;
+ ')
+
- fs_search_tmpfs($1)
- admin_pattern($1, cluster_tmpfs)
+ init_labeled_script_domtrans($1, cluster_initrc_exec_t)
+')
+
@ -71621,6 +71623,24 @@ index 56bc01f..b8d154e 100644
+
+#####################################
+## <summary>
+## Allow the specified domain to read/write inherited cluster's tmpf files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_rw_inherited_cluster_tmp_files',`
+ gen_require(`
+ type cluster_tmp_t;
+ ')
+
+ allow $1 cluster_tmp_t:file rw_inherited_file_perms;
+')
+
+#####################################
+## <summary>
+## Allow manage cluster tmp files.
+## </summary>
+## <param name="domain">
@ -71677,6 +71697,26 @@ index 56bc01f..b8d154e 100644
+
+#####################################
+## <summary>
+## Allow read cluster pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_read_cluster_pid_files',`
+ gen_require(`
+ type cluster_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, cluster_var_run_t, cluster_var_run_t)
+')
+
+
+#####################################
+## <summary>
+## Allow manage cluster pid files.
+## </summary>
+## <param name="domain">
@ -71771,7 +71811,7 @@ index 56bc01f..b8d154e 100644
+ allow $1 cluster_unit_file_t:service all_service_perms;
')
diff --git a/rhcs.te b/rhcs.te
index 2c2de9a..b978814 100644
index 2c2de9a..26fba30 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
@ -71802,7 +71842,7 @@ index 2c2de9a..b978814 100644
attribute cluster_domain;
attribute cluster_log;
attribute cluster_pid;
@@ -44,34 +65,281 @@ type foghorn_initrc_exec_t;
@@ -44,34 +65,283 @@ type foghorn_initrc_exec_t;
init_script_file(foghorn_initrc_exec_t)
rhcs_domain_template(gfs_controld)
@ -71965,8 +72005,10 @@ index 2c2de9a..b978814 100644
+ corenet_tcp_connect_all_ports(cluster_t)
+')
+
+tunable_policy(`cluster_manage_all_files',`
+# we need to have dirs created with var_run_t in /run/cluster
+files_create_var_run_dirs(cluster_t)
+
+tunable_policy(`cluster_manage_all_files',`
+ files_getattr_all_symlinks(cluster_t)
+ files_list_all(cluster_t)
+ files_manage_mnt_dirs(cluster_t)
@ -72088,7 +72130,7 @@ index 2c2de9a..b978814 100644
')
#####################################
@@ -79,7 +347,7 @@ optional_policy(`
@@ -79,7 +349,7 @@ optional_policy(`
# dlm_controld local policy
#
@ -72097,7 +72139,7 @@ index 2c2de9a..b978814 100644
allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
@@ -98,16 +366,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
@@ -98,16 +368,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
init_rw_script_tmp_files(dlm_controld_t)
@ -72130,7 +72172,7 @@ index 2c2de9a..b978814 100644
manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
files_lock_filetrans(fenced_t, fenced_lock_t, file)
@@ -118,9 +400,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
@@ -118,9 +402,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
@ -72141,7 +72183,7 @@ index 2c2de9a..b978814 100644
corecmd_exec_bin(fenced_t)
corecmd_exec_shell(fenced_t)
@@ -148,9 +429,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
@@ -148,9 +431,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
dev_read_sysfs(fenced_t)
dev_read_urand(fenced_t)
@ -72152,7 +72194,7 @@ index 2c2de9a..b978814 100644
storage_raw_read_fixed_disk(fenced_t)
storage_raw_write_fixed_disk(fenced_t)
@@ -160,7 +439,7 @@ term_getattr_pty_fs(fenced_t)
@@ -160,7 +441,7 @@ term_getattr_pty_fs(fenced_t)
term_use_generic_ptys(fenced_t)
term_use_ptmx(fenced_t)
@ -72161,7 +72203,7 @@ index 2c2de9a..b978814 100644
tunable_policy(`fenced_can_network_connect',`
corenet_sendrecv_all_client_packets(fenced_t)
@@ -182,7 +461,8 @@ optional_policy(`
@@ -182,7 +463,8 @@ optional_policy(`
')
optional_policy(`
@ -72171,7 +72213,7 @@ index 2c2de9a..b978814 100644
')
optional_policy(`
@@ -190,12 +470,12 @@ optional_policy(`
@@ -190,12 +472,12 @@ optional_policy(`
')
optional_policy(`
@ -72187,7 +72229,7 @@ index 2c2de9a..b978814 100644
')
optional_policy(`
@@ -203,6 +483,13 @@ optional_policy(`
@@ -203,6 +485,13 @@ optional_policy(`
snmp_manage_var_lib_dirs(fenced_t)
')
@ -72201,7 +72243,7 @@ index 2c2de9a..b978814 100644
#######################################
#
# foghorn local policy
@@ -221,16 +508,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
@@ -221,16 +510,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
corenet_tcp_connect_agentx_port(foghorn_t)
corenet_tcp_sendrecv_agentx_port(foghorn_t)
@ -72222,7 +72264,7 @@ index 2c2de9a..b978814 100644
snmp_stream_connect(foghorn_t)
')
@@ -257,6 +546,8 @@ storage_getattr_removable_dev(gfs_controld_t)
@@ -257,6 +548,8 @@ storage_getattr_removable_dev(gfs_controld_t)
init_rw_script_tmp_files(gfs_controld_t)
@ -72231,7 +72273,7 @@ index 2c2de9a..b978814 100644
optional_policy(`
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
@@ -275,10 +566,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
@@ -275,10 +568,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
dev_list_sysfs(groupd_t)
@ -72273,7 +72315,7 @@ index 2c2de9a..b978814 100644
######################################
#
# qdiskd local policy
@@ -321,6 +641,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
@@ -321,6 +643,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
auth_use_nsswitch(qdiskd_t)
@ -76106,10 +76148,10 @@ index d1fd97f..7ee8502 100644
-
-miscfiles_read_localization(rssh_chroot_helper_t)
diff --git a/rsync.fc b/rsync.fc
index d25301b..d92f567 100644
index d25301b..f3eeec7 100644
--- a/rsync.fc
+++ b/rsync.fc
@@ -1,7 +1,7 @@
@@ -1,7 +1,8 @@
/etc/rsyncd\.conf -- gen_context(system_u:object_r:rsync_etc_t, s0)
-/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)
@ -76119,8 +76161,9 @@ index d25301b..d92f567 100644
+/var/log/rsync.* gen_context(system_u:object_r:rsync_log_t,s0)
/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0)
+/var/run/swift_server\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0)
diff --git a/rsync.if b/rsync.if
index f1140ef..02de8a5 100644
index f1140ef..8afe362 100644
--- a/rsync.if
+++ b/rsync.if
@@ -1,16 +1,32 @@
@ -76345,34 +76388,36 @@ index f1140ef..02de8a5 100644
## with rsync etc type.
## </summary>
## <param name="domain">
@@ -236,46 +224,3 @@ interface(`rsync_etc_filetrans_config',`
@@ -239,43 +227,21 @@ interface(`rsync_etc_filetrans_config',`
files_etc_filetrans($1, rsync_etc_t, $2, $3)
')
-
-########################################
-## <summary>
########################################
## <summary>
-## All of the rules required to
-## administrate an rsync environment.
-## </summary>
-## <param name="domain">
-## <summary>
+## Transition to rsync named content
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
+## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
-#
#
-interface(`rsync_admin',`
- gen_require(`
+interface(`rsync_filetrans_named_content',`
gen_require(`
- type rsync_t, rsync_etc_t, rsync_data_t;
- type rsync_log_t, rsync_tmp_t. rsync_var_run_t;
- ')
-
+ type rsync_etc_t;
+ type rsync_var_run_t;
')
- allow $1 rsync_t:process { ptrace signal_perms };
- ps_process_pattern($1, rsync_t)
-
@ -76391,7 +76436,10 @@ index f1140ef..02de8a5 100644
- admin_pattern($1, rsync_var_run_t)
-
- rsync_run($1, $2)
-')
+ files_etc_filetrans($1, rsync_etc_t, file, "rsyncd.cond")
+ files_pid_filetrans($1, rsync_var_run_t, file, "swift_server.lock")
+ files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock")
')
diff --git a/rsync.te b/rsync.te
index e3e7c96..ec50426 100644
--- a/rsync.te
@ -97216,10 +97264,10 @@ index 7c7f7fa..20ce90b 100644
+ xserver_manage_core_devices(wm_domain)
+')
diff --git a/xen.fc b/xen.fc
index 42d83b0..5f18f6e 100644
index 42d83b0..651d1cb 100644
--- a/xen.fc
+++ b/xen.fc
@@ -1,38 +1,41 @@
@@ -1,38 +1,42 @@
/dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0)
-/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
@ -97246,6 +97294,7 @@ index 42d83b0..5f18f6e 100644
/usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
-/usr/sbin/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
-/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
+/usr/sbin/oxenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
+')
-/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
@ -97545,7 +97594,7 @@ index f93558c..16e29c1 100644
files_search_pids($1)
diff --git a/xen.te b/xen.te
index ed40676..0706207 100644
index ed40676..3fe3e35 100644
--- a/xen.te
+++ b/xen.te
@@ -1,42 +1,34 @@
@ -98064,7 +98113,7 @@ index ed40676..0706207 100644
manage_dirs_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
@@ -448,157 +456,36 @@ dev_filetrans_xen(xenstored_t)
@@ -448,157 +456,40 @@ dev_filetrans_xen(xenstored_t)
dev_rw_xen(xenstored_t)
dev_read_sysfs(xenstored_t)
@ -98087,11 +98136,10 @@ index ed40676..0706207 100644
-
xen_append_log(xenstored_t)
########################################
#
-########################################
-#
-# xm local policy
+# SSH component local policy
#
-#
-
-allow xm_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
-allow xm_t self:process { getcap getsched setsched setcap signal };
@ -98187,9 +98235,14 @@ index ed40676..0706207 100644
-
optional_policy(`
- cron_system_entry(xm_t, xm_exec_t)
-')
-
-optional_policy(`
+ virt_read_config(xenstored_t)
')
+########################################
+#
+# SSH component local policy
+#
optional_policy(`
- dbus_system_bus_client(xm_t)
-
- optional_policy(`

View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
Release: 93%{?dist}
Release: 94%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -573,6 +573,23 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Mon Oct 28 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-94
- Allow sysadm_t to read login information
- Allow systemd_tmpfiles to setattr on var_log_t directories
- Udpdate Makefile to include systemd_contexts
- Add systemd_contexts
- Add fs_exec_hugetlbfs_files() interface
- Add daemons_enable_cluster_mode boolean
- Fix rsync_filetrans_named_content()
- Add rhcs_read_cluster_pid_files() interface
- Update rhcs.if with additional interfaces from RHEL6
- Fix rhcs_domain_template() to not create run dirs with cluster_var_run_t
- Allow glusterd_t to mounton glusterd_tmp_t
- Allow glusterd to unmout al filesystems
- Allow xenstored to read virt config
- Add label for swift_server.lock and make add filetrans_named_content to make sure content gets created with the correct label
- Allow mozilla_plugin_t to mmap hugepages as an executable
* Thu Oct 24 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-93
- Add back userdom_security_admin_template() interface and use it for sysadm_t if sysadm_secadm.pp