- Allow sysadm_t to read login information
- Allow systemd_tmpfiles to setattr on var_log_t directories - Update Makefile to include systemd_contexts - Add systemd_contexts - Add fs_exec_hugetlbfs_files() interface - Add daemons_enable_cluster_mode boolean - Fix rsync_filetrans_named_content() - Add rhcs_read_cluster_pid_files() interface - Update rhcs.if with additional interfaces from RHEL6 - Fix rhcs_domain_template() to not create run dirs with cluster_var_run_t - Allow glusterd_t to mounton glusterd_tmp_t - Allow glusterd to unmount all filesystems - Allow xenstored to read virt config - Add label for swift_server.lock and add filetrans_named_content to make sure content gets created with the correct label - Allow mozilla_plugin_t to mmap hugepages as an executable
This commit is contained in:
parent
4f67cf89e1
commit
bf4990489d
@ -25988,10 +25988,10 @@ index 0000000..1ed97fe
|
||||
+
|
||||
diff --git a/glusterd.te b/glusterd.te
|
||||
new file mode 100644
|
||||
index 0000000..dd418db
|
||||
index 0000000..d6a2e10
|
||||
--- /dev/null
|
||||
+++ b/glusterd.te
|
||||
@@ -0,0 +1,185 @@
|
||||
@@ -0,0 +1,187 @@
|
||||
+policy_module(glusterfs, 1.0.1)
|
||||
+
|
||||
+## <desc>
|
||||
@ -26065,6 +26065,7 @@ index 0000000..dd418db
|
||||
+manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
|
||||
+manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
|
||||
+files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
|
||||
+allow glusterd_t glusterd_tmp_t:dir mounton;
|
||||
+
|
||||
+manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
|
||||
+append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
|
||||
@ -26130,6 +26131,7 @@ index 0000000..dd418db
|
||||
+domain_use_interactive_fds(glusterd_t)
|
||||
+
|
||||
+fs_mount_all_fs(glusterd_t)
|
||||
+fs_unmount_all_fs(glusterd_t)
|
||||
+fs_getattr_all_fs(glusterd_t)
|
||||
+
|
||||
+files_mounton_mnt(glusterd_t)
|
||||
@ -40908,7 +40910,7 @@ index 6194b80..d54c5ba 100644
|
||||
')
|
||||
+
|
||||
diff --git a/mozilla.te b/mozilla.te
|
||||
index 6a306ee..11a0f02 100644
|
||||
index 6a306ee..b236449 100644
|
||||
--- a/mozilla.te
|
||||
+++ b/mozilla.te
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -41352,7 +41354,7 @@ index 6a306ee..11a0f02 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -300,259 +324,235 @@ optional_policy(`
|
||||
@@ -300,259 +324,236 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -41587,6 +41589,7 @@ index 6a306ee..11a0f02 100644
|
||||
+fs_list_dos(mozilla_plugin_t)
|
||||
+fs_read_noxattr_fs_files(mozilla_plugin_t)
|
||||
+fs_read_hugetlbfs_files(mozilla_plugin_t)
|
||||
+fs_exec_hugetlbfs_files(mozilla_plugin_t)
|
||||
|
||||
application_exec(mozilla_plugin_t)
|
||||
+application_dontaudit_signull(mozilla_plugin_t)
|
||||
@ -41739,7 +41742,7 @@ index 6a306ee..11a0f02 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -560,7 +560,7 @@ optional_policy(`
|
||||
@@ -560,7 +561,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -41748,7 +41751,7 @@ index 6a306ee..11a0f02 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -568,108 +568,130 @@ optional_policy(`
|
||||
@@ -568,108 +569,130 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -71063,7 +71066,7 @@ index 47de2d6..98a4280 100644
|
||||
+/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
|
||||
+/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0)
|
||||
diff --git a/rhcs.if b/rhcs.if
|
||||
index 56bc01f..b8d154e 100644
|
||||
index 56bc01f..2e4d698 100644
|
||||
--- a/rhcs.if
|
||||
+++ b/rhcs.if
|
||||
@@ -1,19 +1,19 @@
|
||||
@ -71108,7 +71111,7 @@ index 56bc01f..b8d154e 100644
|
||||
manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
|
||||
manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
|
||||
- files_pid_filetrans($1_t, $1_var_run_t, { dir file fifo_file })
|
||||
+ files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file fifo_file })
|
||||
+ files_pid_filetrans($1_t, $1_var_run_t, { file sock_file fifo_file })
|
||||
|
||||
- optional_policy(`
|
||||
- dbus_system_bus_client($1_t)
|
||||
@ -71287,121 +71290,13 @@ index 56bc01f..b8d154e 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -342,10 +331,9 @@ interface(`rhcs_stream_connect_groupd',`
|
||||
@@ -342,10 +331,51 @@ interface(`rhcs_stream_connect_groupd',`
|
||||
stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t)
|
||||
')
|
||||
|
||||
-########################################
|
||||
+#####################################
|
||||
## <summary>
|
||||
-## Read and write all cluster domains
|
||||
-## shared memory.
|
||||
+## Allow read and write access to groupd semaphores.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -353,21 +341,20 @@ interface(`rhcs_stream_connect_groupd',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`rhcs_rw_cluster_shm',`
|
||||
+interface(`rhcs_rw_groupd_semaphores',`
|
||||
gen_require(`
|
||||
- attribute cluster_domain, cluster_tmpfs;
|
||||
+ type groupd_t, groupd_tmpfs_t;
|
||||
')
|
||||
|
||||
- allow $1 cluster_domain:shm { rw_shm_perms destroy };
|
||||
+ allow $1 groupd_t:sem { rw_sem_perms destroy };
|
||||
|
||||
fs_search_tmpfs($1)
|
||||
- manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs)
|
||||
+ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
|
||||
')
|
||||
|
||||
-####################################
|
||||
+########################################
|
||||
## <summary>
|
||||
-## Read and write all cluster
|
||||
-## domains semaphores.
|
||||
+## Read and write to group shared memory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -375,17 +362,20 @@ interface(`rhcs_rw_cluster_shm',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`rhcs_rw_cluster_semaphores',`
|
||||
+interface(`rhcs_rw_groupd_shm',`
|
||||
gen_require(`
|
||||
- attribute cluster_domain;
|
||||
+ type groupd_t, groupd_tmpfs_t;
|
||||
')
|
||||
|
||||
- allow $1 cluster_domain:sem { rw_sem_perms destroy };
|
||||
+ allow $1 groupd_t:shm { rw_shm_perms destroy };
|
||||
+
|
||||
+ fs_search_tmpfs($1)
|
||||
+ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
|
||||
')
|
||||
|
||||
-#####################################
|
||||
+########################################
|
||||
## <summary>
|
||||
-## Read and write groupd semaphores.
|
||||
+## Read and write to group shared memory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -393,20 +383,20 @@ interface(`rhcs_rw_cluster_semaphores',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`rhcs_rw_groupd_semaphores',`
|
||||
+interface(`rhcs_rw_cluster_shm',`
|
||||
gen_require(`
|
||||
- type groupd_t, groupd_tmpfs_t;
|
||||
+ attribute cluster_domain, cluster_tmpfs;
|
||||
')
|
||||
|
||||
- allow $1 groupd_t:sem { rw_sem_perms destroy };
|
||||
+ allow $1 cluster_domain:shm { rw_shm_perms destroy };
|
||||
|
||||
fs_search_tmpfs($1)
|
||||
- manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
|
||||
+ manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs)
|
||||
')
|
||||
|
||||
-########################################
|
||||
+####################################
|
||||
## <summary>
|
||||
-## Read and write groupd shared memory.
|
||||
+## Read and write access to cluster domains semaphores.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -414,15 +404,32 @@ interface(`rhcs_rw_groupd_semaphores',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`rhcs_rw_groupd_shm',`
|
||||
+interface(`rhcs_rw_cluster_semaphores',`
|
||||
gen_require(`
|
||||
- type groupd_t, groupd_tmpfs_t;
|
||||
+ attribute cluster_domain;
|
||||
')
|
||||
|
||||
- allow $1 groupd_t:shm { rw_shm_perms destroy };
|
||||
+ allow $1 cluster_domain:sem { rw_sem_perms destroy };
|
||||
+')
|
||||
|
||||
- fs_search_tmpfs($1)
|
||||
- manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
|
||||
+####################################
|
||||
+## <summary>
|
||||
+## Connect to cluster domains over a unix domain
|
||||
+## stream socket.
|
||||
+## Allow read and write access to groupd semaphores.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
@ -71409,17 +71304,124 @@ index 56bc01f..b8d154e 100644
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`rhcs_stream_connect_cluster',`
|
||||
+interface(`rhcs_rw_groupd_semaphores',`
|
||||
+ gen_require(`
|
||||
+ attribute cluster_domain, cluster_pid;
|
||||
+ type groupd_t, groupd_tmpfs_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 groupd_t:sem { rw_sem_perms destroy };
|
||||
+
|
||||
+ fs_search_tmpfs($1)
|
||||
+ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read and write to group shared memory.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`rhcs_rw_groupd_shm',`
|
||||
+ gen_require(`
|
||||
+ type groupd_t, groupd_tmpfs_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 groupd_t:shm { rw_shm_perms destroy };
|
||||
+
|
||||
+ fs_search_tmpfs($1)
|
||||
+ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
|
||||
+')
|
||||
+
|
||||
########################################
|
||||
## <summary>
|
||||
-## Read and write all cluster domains
|
||||
-## shared memory.
|
||||
+## Read and write to group shared memory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -366,8 +396,7 @@ interface(`rhcs_rw_cluster_shm',`
|
||||
|
||||
####################################
|
||||
## <summary>
|
||||
-## Read and write all cluster
|
||||
-## domains semaphores.
|
||||
+## Read and write access to cluster domains semaphores.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -383,9 +412,10 @@ interface(`rhcs_rw_cluster_semaphores',`
|
||||
allow $1 cluster_domain:sem { rw_sem_perms destroy };
|
||||
')
|
||||
|
||||
-#####################################
|
||||
+####################################
|
||||
## <summary>
|
||||
-## Read and write groupd semaphores.
|
||||
+## Connect to cluster domains over a unix domain
|
||||
+## stream socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -393,36 +423,39 @@ interface(`rhcs_rw_cluster_semaphores',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`rhcs_rw_groupd_semaphores',`
|
||||
+interface(`rhcs_stream_connect_cluster',`
|
||||
gen_require(`
|
||||
- type groupd_t, groupd_tmpfs_t;
|
||||
+ attribute cluster_domain, cluster_pid;
|
||||
')
|
||||
|
||||
- allow $1 groupd_t:sem { rw_sem_perms destroy };
|
||||
-
|
||||
- fs_search_tmpfs($1)
|
||||
- manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
|
||||
+ files_search_pids($1)
|
||||
+ stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
|
||||
')
|
||||
|
||||
-########################################
|
||||
+#####################################
|
||||
## <summary>
|
||||
-## Read and write groupd shared memory.
|
||||
+## Connect to cluster domains over a unix domain
|
||||
+## stream socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
#
|
||||
-interface(`rhcs_rw_groupd_shm',`
|
||||
+interface(`rhcs_stream_connect_cluster_to',`
|
||||
gen_require(`
|
||||
- type groupd_t, groupd_tmpfs_t;
|
||||
+ attribute cluster_domain;
|
||||
+ attribute cluster_pid;
|
||||
')
|
||||
|
||||
- allow $1 groupd_t:shm { rw_shm_perms destroy };
|
||||
-
|
||||
- fs_search_tmpfs($1)
|
||||
- manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
|
||||
+ files_search_pids($1)
|
||||
+ stream_connect_pattern($1, cluster_pid, cluster_pid, $2)
|
||||
')
|
||||
|
||||
######################################
|
||||
@@ -446,52 +453,322 @@ interface(`rhcs_domtrans_qdiskd',`
|
||||
@@ -446,52 +479,360 @@ interface(`rhcs_domtrans_qdiskd',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -71470,11 +71472,7 @@ index 56bc01f..b8d154e 100644
|
||||
+ files_search_var_lib($1)
|
||||
+ read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
|
||||
+')
|
||||
|
||||
- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
|
||||
- domain_system_change_exemption($1)
|
||||
- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
|
||||
- allow $2 system_r;
|
||||
+
|
||||
+#####################################
|
||||
+## <summary>
|
||||
+## Allow domain to manage cluster lib files
|
||||
@ -71490,14 +71488,16 @@ index 56bc01f..b8d154e 100644
|
||||
+ type cluster_var_lib_t;
|
||||
+ ')
|
||||
|
||||
- files_search_pids($1)
|
||||
- admin_pattern($1, cluster_pid)
|
||||
- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
|
||||
- domain_system_change_exemption($1)
|
||||
- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
|
||||
- allow $2 system_r;
|
||||
+ files_search_var_lib($1)
|
||||
+ manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
|
||||
+')
|
||||
|
||||
- files_search_locks($1)
|
||||
- admin_pattern($1, fenced_lock_t)
|
||||
- files_search_pids($1)
|
||||
- admin_pattern($1, cluster_pid)
|
||||
+####################################
|
||||
+## <summary>
|
||||
+## Allow domain to relabel cluster lib files
|
||||
@ -71518,8 +71518,8 @@ index 56bc01f..b8d154e 100644
|
||||
+ relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
|
||||
+')
|
||||
|
||||
- files_search_tmp($1)
|
||||
- admin_pattern($1, fenced_tmp_t)
|
||||
- files_search_locks($1)
|
||||
- admin_pattern($1, fenced_lock_t)
|
||||
+######################################
|
||||
+## <summary>
|
||||
+## Execute a domain transition to run cluster administrative domain.
|
||||
@ -71535,14 +71535,14 @@ index 56bc01f..b8d154e 100644
|
||||
+ type cluster_t, cluster_exec_t;
|
||||
+ ')
|
||||
|
||||
- files_search_var_lib($1)
|
||||
- admin_pattern($1, qdiskd_var_lib_t)
|
||||
- files_search_tmp($1)
|
||||
- admin_pattern($1, fenced_tmp_t)
|
||||
+ corecmd_search_bin($1)
|
||||
+ domtrans_pattern($1, cluster_exec_t, cluster_t)
|
||||
+')
|
||||
|
||||
- fs_search_tmpfs($1)
|
||||
- admin_pattern($1, cluster_tmpfs)
|
||||
- files_search_var_lib($1)
|
||||
- admin_pattern($1, qdiskd_var_lib_t)
|
||||
+#######################################
|
||||
+## <summary>
|
||||
+## Execute cluster init scripts in
|
||||
@ -71558,7 +71558,9 @@ index 56bc01f..b8d154e 100644
|
||||
+ gen_require(`
|
||||
+ type cluster_initrc_exec_t;
|
||||
+ ')
|
||||
+
|
||||
|
||||
- fs_search_tmpfs($1)
|
||||
- admin_pattern($1, cluster_tmpfs)
|
||||
+ init_labeled_script_domtrans($1, cluster_initrc_exec_t)
|
||||
+')
|
||||
+
|
||||
@ -71621,6 +71623,24 @@ index 56bc01f..b8d154e 100644
|
||||
+
|
||||
+#####################################
|
||||
+## <summary>
|
||||
+## Allow the specified domain to read/write inherited cluster's tmpf files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`rhcs_rw_inherited_cluster_tmp_files',`
|
||||
+ gen_require(`
|
||||
+ type cluster_tmp_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 cluster_tmp_t:file rw_inherited_file_perms;
|
||||
+')
|
||||
+
|
||||
+#####################################
|
||||
+## <summary>
|
||||
+## Allow manage cluster tmp files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
@ -71677,6 +71697,26 @@ index 56bc01f..b8d154e 100644
|
||||
+
|
||||
+#####################################
|
||||
+## <summary>
|
||||
+## Allow read cluster pid files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`rhcs_read_cluster_pid_files',`
|
||||
+ gen_require(`
|
||||
+ type cluster_var_run_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_pids($1)
|
||||
+ read_files_pattern($1, cluster_var_run_t, cluster_var_run_t)
|
||||
+')
|
||||
+
|
||||
+
|
||||
+#####################################
|
||||
+## <summary>
|
||||
+## Allow manage cluster pid files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
@ -71771,7 +71811,7 @@ index 56bc01f..b8d154e 100644
|
||||
+ allow $1 cluster_unit_file_t:service all_service_perms;
|
||||
')
|
||||
diff --git a/rhcs.te b/rhcs.te
|
||||
index 2c2de9a..b978814 100644
|
||||
index 2c2de9a..26fba30 100644
|
||||
--- a/rhcs.te
|
||||
+++ b/rhcs.te
|
||||
@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
|
||||
@ -71802,7 +71842,7 @@ index 2c2de9a..b978814 100644
|
||||
attribute cluster_domain;
|
||||
attribute cluster_log;
|
||||
attribute cluster_pid;
|
||||
@@ -44,34 +65,281 @@ type foghorn_initrc_exec_t;
|
||||
@@ -44,34 +65,283 @@ type foghorn_initrc_exec_t;
|
||||
init_script_file(foghorn_initrc_exec_t)
|
||||
|
||||
rhcs_domain_template(gfs_controld)
|
||||
@ -71965,8 +72005,10 @@ index 2c2de9a..b978814 100644
|
||||
+ corenet_tcp_connect_all_ports(cluster_t)
|
||||
+')
|
||||
+
|
||||
+# we need to have dirs created with var_run_t in /run/cluster
|
||||
+files_create_var_run_dirs(cluster_t)
|
||||
+
|
||||
+tunable_policy(`cluster_manage_all_files',`
|
||||
+ files_create_var_run_dirs(cluster_t)
|
||||
+ files_getattr_all_symlinks(cluster_t)
|
||||
+ files_list_all(cluster_t)
|
||||
+ files_manage_mnt_dirs(cluster_t)
|
||||
@ -72088,7 +72130,7 @@ index 2c2de9a..b978814 100644
|
||||
')
|
||||
|
||||
#####################################
|
||||
@@ -79,7 +347,7 @@ optional_policy(`
|
||||
@@ -79,7 +349,7 @@ optional_policy(`
|
||||
# dlm_controld local policy
|
||||
#
|
||||
|
||||
@ -72097,7 +72139,7 @@ index 2c2de9a..b978814 100644
|
||||
allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
|
||||
stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
|
||||
@@ -98,16 +366,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
|
||||
@@ -98,16 +368,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
|
||||
|
||||
init_rw_script_tmp_files(dlm_controld_t)
|
||||
|
||||
@ -72130,7 +72172,7 @@ index 2c2de9a..b978814 100644
|
||||
manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
|
||||
files_lock_filetrans(fenced_t, fenced_lock_t, file)
|
||||
|
||||
@@ -118,9 +400,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
|
||||
@@ -118,9 +402,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
|
||||
|
||||
stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
|
||||
|
||||
@ -72141,7 +72183,7 @@ index 2c2de9a..b978814 100644
|
||||
|
||||
corecmd_exec_bin(fenced_t)
|
||||
corecmd_exec_shell(fenced_t)
|
||||
@@ -148,9 +429,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
|
||||
@@ -148,9 +431,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
|
||||
|
||||
dev_read_sysfs(fenced_t)
|
||||
dev_read_urand(fenced_t)
|
||||
@ -72152,7 +72194,7 @@ index 2c2de9a..b978814 100644
|
||||
|
||||
storage_raw_read_fixed_disk(fenced_t)
|
||||
storage_raw_write_fixed_disk(fenced_t)
|
||||
@@ -160,7 +439,7 @@ term_getattr_pty_fs(fenced_t)
|
||||
@@ -160,7 +441,7 @@ term_getattr_pty_fs(fenced_t)
|
||||
term_use_generic_ptys(fenced_t)
|
||||
term_use_ptmx(fenced_t)
|
||||
|
||||
@ -72161,7 +72203,7 @@ index 2c2de9a..b978814 100644
|
||||
|
||||
tunable_policy(`fenced_can_network_connect',`
|
||||
corenet_sendrecv_all_client_packets(fenced_t)
|
||||
@@ -182,7 +461,8 @@ optional_policy(`
|
||||
@@ -182,7 +463,8 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -72171,7 +72213,7 @@ index 2c2de9a..b978814 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -190,12 +470,12 @@ optional_policy(`
|
||||
@@ -190,12 +472,12 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -72187,7 +72229,7 @@ index 2c2de9a..b978814 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -203,6 +483,13 @@ optional_policy(`
|
||||
@@ -203,6 +485,13 @@ optional_policy(`
|
||||
snmp_manage_var_lib_dirs(fenced_t)
|
||||
')
|
||||
|
||||
@ -72201,7 +72243,7 @@ index 2c2de9a..b978814 100644
|
||||
#######################################
|
||||
#
|
||||
# foghorn local policy
|
||||
@@ -221,16 +508,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
|
||||
@@ -221,16 +510,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
|
||||
corenet_tcp_connect_agentx_port(foghorn_t)
|
||||
corenet_tcp_sendrecv_agentx_port(foghorn_t)
|
||||
|
||||
@ -72222,7 +72264,7 @@ index 2c2de9a..b978814 100644
|
||||
snmp_stream_connect(foghorn_t)
|
||||
')
|
||||
|
||||
@@ -257,6 +546,8 @@ storage_getattr_removable_dev(gfs_controld_t)
|
||||
@@ -257,6 +548,8 @@ storage_getattr_removable_dev(gfs_controld_t)
|
||||
|
||||
init_rw_script_tmp_files(gfs_controld_t)
|
||||
|
||||
@ -72231,7 +72273,7 @@ index 2c2de9a..b978814 100644
|
||||
optional_policy(`
|
||||
lvm_exec(gfs_controld_t)
|
||||
dev_rw_lvm_control(gfs_controld_t)
|
||||
@@ -275,10 +566,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
|
||||
@@ -275,10 +568,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
|
||||
|
||||
dev_list_sysfs(groupd_t)
|
||||
|
||||
@ -72273,7 +72315,7 @@ index 2c2de9a..b978814 100644
|
||||
######################################
|
||||
#
|
||||
# qdiskd local policy
|
||||
@@ -321,6 +641,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
|
||||
@@ -321,6 +643,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
|
||||
|
||||
auth_use_nsswitch(qdiskd_t)
|
||||
|
||||
@ -76106,10 +76148,10 @@ index d1fd97f..7ee8502 100644
|
||||
-
|
||||
-miscfiles_read_localization(rssh_chroot_helper_t)
|
||||
diff --git a/rsync.fc b/rsync.fc
|
||||
index d25301b..d92f567 100644
|
||||
index d25301b..f3eeec7 100644
|
||||
--- a/rsync.fc
|
||||
+++ b/rsync.fc
|
||||
@@ -1,7 +1,7 @@
|
||||
@@ -1,7 +1,8 @@
|
||||
/etc/rsyncd\.conf -- gen_context(system_u:object_r:rsync_etc_t, s0)
|
||||
|
||||
-/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)
|
||||
@ -76119,8 +76161,9 @@ index d25301b..d92f567 100644
|
||||
+/var/log/rsync.* gen_context(system_u:object_r:rsync_log_t,s0)
|
||||
|
||||
/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0)
|
||||
+/var/run/swift_server\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0)
|
||||
diff --git a/rsync.if b/rsync.if
|
||||
index f1140ef..02de8a5 100644
|
||||
index f1140ef..8afe362 100644
|
||||
--- a/rsync.if
|
||||
+++ b/rsync.if
|
||||
@@ -1,16 +1,32 @@
|
||||
@ -76345,34 +76388,36 @@ index f1140ef..02de8a5 100644
|
||||
## with rsync etc type.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -236,46 +224,3 @@ interface(`rsync_etc_filetrans_config',`
|
||||
@@ -239,43 +227,21 @@ interface(`rsync_etc_filetrans_config',`
|
||||
|
||||
files_etc_filetrans($1, rsync_etc_t, $2, $3)
|
||||
')
|
||||
-
|
||||
-########################################
|
||||
-## <summary>
|
||||
########################################
|
||||
## <summary>
|
||||
-## All of the rules required to
|
||||
-## administrate an rsync environment.
|
||||
-## </summary>
|
||||
-## <param name="domain">
|
||||
-## <summary>
|
||||
+## Transition to rsync named content
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
-## Domain allowed access.
|
||||
-## </summary>
|
||||
-## </param>
|
||||
-## <param name="role">
|
||||
-## <summary>
|
||||
-## Role allowed access.
|
||||
-## </summary>
|
||||
-## </param>
|
||||
+## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
-## <rolecap/>
|
||||
-#
|
||||
#
|
||||
-interface(`rsync_admin',`
|
||||
- gen_require(`
|
||||
+interface(`rsync_filetrans_named_content',`
|
||||
gen_require(`
|
||||
- type rsync_t, rsync_etc_t, rsync_data_t;
|
||||
- type rsync_log_t, rsync_tmp_t. rsync_var_run_t;
|
||||
- ')
|
||||
-
|
||||
+ type rsync_etc_t;
|
||||
+ type rsync_var_run_t;
|
||||
')
|
||||
|
||||
- allow $1 rsync_t:process { ptrace signal_perms };
|
||||
- ps_process_pattern($1, rsync_t)
|
||||
-
|
||||
@ -76391,7 +76436,10 @@ index f1140ef..02de8a5 100644
|
||||
- admin_pattern($1, rsync_var_run_t)
|
||||
-
|
||||
- rsync_run($1, $2)
|
||||
-')
|
||||
+ files_etc_filetrans($1, rsync_etc_t, file, "rsyncd.cond")
|
||||
+ files_pid_filetrans($1, rsync_var_run_t, file, "swift_server.lock")
|
||||
+ files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock")
|
||||
')
|
||||
diff --git a/rsync.te b/rsync.te
|
||||
index e3e7c96..ec50426 100644
|
||||
--- a/rsync.te
|
||||
@ -97216,10 +97264,10 @@ index 7c7f7fa..20ce90b 100644
|
||||
+ xserver_manage_core_devices(wm_domain)
|
||||
+')
|
||||
diff --git a/xen.fc b/xen.fc
|
||||
index 42d83b0..5f18f6e 100644
|
||||
index 42d83b0..651d1cb 100644
|
||||
--- a/xen.fc
|
||||
+++ b/xen.fc
|
||||
@@ -1,38 +1,41 @@
|
||||
@@ -1,38 +1,42 @@
|
||||
/dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0)
|
||||
|
||||
-/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
|
||||
@ -97246,6 +97294,7 @@ index 42d83b0..5f18f6e 100644
|
||||
/usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
|
||||
-/usr/sbin/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
|
||||
-/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
|
||||
+/usr/sbin/oxenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
|
||||
+')
|
||||
|
||||
-/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
|
||||
@ -97545,7 +97594,7 @@ index f93558c..16e29c1 100644
|
||||
|
||||
files_search_pids($1)
|
||||
diff --git a/xen.te b/xen.te
|
||||
index ed40676..0706207 100644
|
||||
index ed40676..3fe3e35 100644
|
||||
--- a/xen.te
|
||||
+++ b/xen.te
|
||||
@@ -1,42 +1,34 @@
|
||||
@ -98064,7 +98113,7 @@ index ed40676..0706207 100644
|
||||
manage_dirs_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
|
||||
manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
|
||||
manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
|
||||
@@ -448,157 +456,36 @@ dev_filetrans_xen(xenstored_t)
|
||||
@@ -448,157 +456,40 @@ dev_filetrans_xen(xenstored_t)
|
||||
dev_rw_xen(xenstored_t)
|
||||
dev_read_sysfs(xenstored_t)
|
||||
|
||||
@ -98087,11 +98136,10 @@ index ed40676..0706207 100644
|
||||
-
|
||||
xen_append_log(xenstored_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
-########################################
|
||||
-#
|
||||
-# xm local policy
|
||||
+# SSH component local policy
|
||||
#
|
||||
-#
|
||||
-
|
||||
-allow xm_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
|
||||
-allow xm_t self:process { getcap getsched setsched setcap signal };
|
||||
@ -98187,9 +98235,14 @@ index ed40676..0706207 100644
|
||||
-
|
||||
optional_policy(`
|
||||
- cron_system_entry(xm_t, xm_exec_t)
|
||||
-')
|
||||
-
|
||||
-optional_policy(`
|
||||
+ virt_read_config(xenstored_t)
|
||||
')
|
||||
|
||||
+########################################
|
||||
+#
|
||||
+# SSH component local policy
|
||||
+#
|
||||
optional_policy(`
|
||||
- dbus_system_bus_client(xm_t)
|
||||
-
|
||||
- optional_policy(`
|
||||
|
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.12.1
|
||||
Release: 93%{?dist}
|
||||
Release: 94%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -573,6 +573,23 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Oct 28 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-94
|
||||
- Allow sysadm_t to read login information
|
||||
- Allow systemd_tmpfiles to setattr on var_log_t directories
|
||||
- Udpdate Makefile to include systemd_contexts
|
||||
- Add systemd_contexts
|
||||
- Add fs_exec_hugetlbfs_files() interface
|
||||
- Add daemons_enable_cluster_mode boolean
|
||||
- Fix rsync_filetrans_named_content()
|
||||
- Add rhcs_read_cluster_pid_files() interface
|
||||
- Update rhcs.if with additional interfaces from RHEL6
|
||||
- Fix rhcs_domain_template() to not create run dirs with cluster_var_run_t
|
||||
- Allow glusterd_t to mounton glusterd_tmp_t
|
||||
- Allow glusterd to unmout al filesystems
|
||||
- Allow xenstored to read virt config
|
||||
- Add label for swift_server.lock and make add filetrans_named_content to make sure content gets created with the correct label
|
||||
- Allow mozilla_plugin_t to mmap hugepages as an executable
|
||||
|
||||
* Thu Oct 24 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-93
|
||||
- Add back userdom_security_admin_template() interface and use it for sysadm_t if sysadm_secadm.pp
|
||||
|
||||
|