* Fri Apr 01 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-181
- Label /usr/libexec/rpm-ostreed as rpm_exec_t. BZ(1309075) - /bin/mailx is labeled sendmail_exec_t, and enters the sendmail_t domain on execution. If /usr/sbin/sendmail does not have its own domain to transition to, and is not one of several products whose behavior is allowed by the sendmail_t policy, execution will fail. In this case we need to label /bin/mailx as bin_t. BZ(1323224) - Label all run tgtd files, not just socket files. - Allow prosody to stream connect to sasl. This will allow using cyrus authentication in prosody. - Allow prosody to listen on port 5000 for mod_proxy65. BZ(1322815) - Allow targetd to read/write to /dev/mapper/control device. BZ(1241415) - Label /etc/selinux/(minimum|mls|targeted)/active/ as semanage_store_t. - Allow systemd_resolved to read systemd_networkd run files. BZ(1322921) - New cgroup2 file system in Rawhide
parent
fac3fc97fa
commit
c1300100ed
Binary file not shown.
@ -20639,7 +20639,7 @@ index 8416beb..99002ca 100644
|
|||||||
+ read_files_pattern($1, efivarfs_t, efivarfs_t)
|
+ read_files_pattern($1, efivarfs_t, efivarfs_t)
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
|
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
|
||||||
index e7d1738..b00be59 100644
|
index e7d1738..7e37941 100644
|
||||||
--- a/policy/modules/kernel/filesystem.te
|
--- a/policy/modules/kernel/filesystem.te
|
||||||
+++ b/policy/modules/kernel/filesystem.te
|
+++ b/policy/modules/kernel/filesystem.te
|
||||||
@@ -26,14 +26,19 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
|
@@ -26,14 +26,19 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
|
||||||
@ -20670,7 +20670,7 @@ index e7d1738..b00be59 100644
|
|||||||
|
|
||||||
type bdev_t;
|
type bdev_t;
|
||||||
fs_type(bdev_t)
|
fs_type(bdev_t)
|
||||||
@@ -63,12 +69,18 @@ fs_type(binfmt_misc_fs_t)
|
@@ -63,16 +69,23 @@ fs_type(binfmt_misc_fs_t)
|
||||||
files_mountpoint(binfmt_misc_fs_t)
|
files_mountpoint(binfmt_misc_fs_t)
|
||||||
genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
|
genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
|
||||||
|
|
||||||
@ -20690,7 +20690,12 @@ index e7d1738..b00be59 100644
|
|||||||
fs_type(cgroup_t)
|
fs_type(cgroup_t)
|
||||||
files_mountpoint(cgroup_t)
|
files_mountpoint(cgroup_t)
|
||||||
dev_associate_sysfs(cgroup_t)
|
dev_associate_sysfs(cgroup_t)
|
||||||
@@ -88,6 +100,11 @@ fs_noxattr_type(ecryptfs_t)
|
genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
|
||||||
|
+genfscon cgroup2 / gen_context(system_u:object_r:cgroup_t,s0)
|
||||||
|
|
||||||
|
type configfs_t;
|
||||||
|
fs_type(configfs_t)
|
||||||
|
@@ -88,6 +101,11 @@ fs_noxattr_type(ecryptfs_t)
|
||||||
files_mountpoint(ecryptfs_t)
|
files_mountpoint(ecryptfs_t)
|
||||||
genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
|
genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
|
||||||
|
|
||||||
@ -20702,7 +20707,7 @@ index e7d1738..b00be59 100644
|
|||||||
type futexfs_t;
|
type futexfs_t;
|
||||||
fs_type(futexfs_t)
|
fs_type(futexfs_t)
|
||||||
genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
|
genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
|
||||||
@@ -96,6 +113,7 @@ type hugetlbfs_t;
|
@@ -96,6 +114,7 @@ type hugetlbfs_t;
|
||||||
fs_type(hugetlbfs_t)
|
fs_type(hugetlbfs_t)
|
||||||
files_mountpoint(hugetlbfs_t)
|
files_mountpoint(hugetlbfs_t)
|
||||||
fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
|
fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
|
||||||
@ -20710,7 +20715,7 @@ index e7d1738..b00be59 100644
|
|||||||
|
|
||||||
type ibmasmfs_t;
|
type ibmasmfs_t;
|
||||||
fs_type(ibmasmfs_t)
|
fs_type(ibmasmfs_t)
|
||||||
@@ -111,6 +129,12 @@ type inotifyfs_t;
|
@@ -111,6 +130,12 @@ type inotifyfs_t;
|
||||||
fs_type(inotifyfs_t)
|
fs_type(inotifyfs_t)
|
||||||
genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
|
genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
|
||||||
|
|
||||||
@ -20723,7 +20728,7 @@ index e7d1738..b00be59 100644
|
|||||||
type mvfs_t;
|
type mvfs_t;
|
||||||
fs_noxattr_type(mvfs_t)
|
fs_noxattr_type(mvfs_t)
|
||||||
allow mvfs_t self:filesystem associate;
|
allow mvfs_t self:filesystem associate;
|
||||||
@@ -118,13 +142,18 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
|
@@ -118,13 +143,18 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
|
||||||
|
|
||||||
type nfsd_fs_t;
|
type nfsd_fs_t;
|
||||||
fs_type(nfsd_fs_t)
|
fs_type(nfsd_fs_t)
|
||||||
@ -20743,7 +20748,7 @@ index e7d1738..b00be59 100644
|
|||||||
fs_type(pstore_t)
|
fs_type(pstore_t)
|
||||||
files_mountpoint(pstore_t)
|
files_mountpoint(pstore_t)
|
||||||
dev_associate_sysfs(pstore_t)
|
dev_associate_sysfs(pstore_t)
|
||||||
@@ -150,17 +179,16 @@ fs_type(spufs_t)
|
@@ -150,17 +180,16 @@ fs_type(spufs_t)
|
||||||
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
|
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
|
||||||
files_mountpoint(spufs_t)
|
files_mountpoint(spufs_t)
|
||||||
|
|
||||||
@ -20765,7 +20770,7 @@ index e7d1738..b00be59 100644
|
|||||||
type vmblock_t;
|
type vmblock_t;
|
||||||
fs_noxattr_type(vmblock_t)
|
fs_noxattr_type(vmblock_t)
|
||||||
files_mountpoint(vmblock_t)
|
files_mountpoint(vmblock_t)
|
||||||
@@ -172,6 +200,8 @@ type vxfs_t;
|
@@ -172,6 +201,8 @@ type vxfs_t;
|
||||||
fs_noxattr_type(vxfs_t)
|
fs_noxattr_type(vxfs_t)
|
||||||
files_mountpoint(vxfs_t)
|
files_mountpoint(vxfs_t)
|
||||||
genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
|
genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
|
||||||
@ -20774,7 +20779,7 @@ index e7d1738..b00be59 100644
|
|||||||
|
|
||||||
#
|
#
|
||||||
# tmpfs_t is the type for tmpfs filesystems
|
# tmpfs_t is the type for tmpfs filesystems
|
||||||
@@ -182,6 +212,8 @@ fs_type(tmpfs_t)
|
@@ -182,6 +213,8 @@ fs_type(tmpfs_t)
|
||||||
files_type(tmpfs_t)
|
files_type(tmpfs_t)
|
||||||
files_mountpoint(tmpfs_t)
|
files_mountpoint(tmpfs_t)
|
||||||
files_poly_parent(tmpfs_t)
|
files_poly_parent(tmpfs_t)
|
||||||
@ -20783,7 +20788,7 @@ index e7d1738..b00be59 100644
|
|||||||
|
|
||||||
# Use a transition SID based on the allocating task SID and the
|
# Use a transition SID based on the allocating task SID and the
|
||||||
# filesystem SID to label inodes in the following filesystem types,
|
# filesystem SID to label inodes in the following filesystem types,
|
||||||
@@ -261,6 +293,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
|
@@ -261,6 +294,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
|
||||||
type removable_t;
|
type removable_t;
|
||||||
allow removable_t noxattrfs:filesystem associate;
|
allow removable_t noxattrfs:filesystem associate;
|
||||||
fs_noxattr_type(removable_t)
|
fs_noxattr_type(removable_t)
|
||||||
@ -20792,7 +20797,7 @@ index e7d1738..b00be59 100644
|
|||||||
files_mountpoint(removable_t)
|
files_mountpoint(removable_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
@@ -280,6 +314,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
|
@@ -280,6 +315,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||||
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
|
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||||
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
|
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||||
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
|
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||||
@ -20800,7 +20805,7 @@ index e7d1738..b00be59 100644
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@@ -301,9 +336,10 @@ fs_associate_noxattr(noxattrfs)
|
@@ -301,9 +337,10 @@ fs_associate_noxattr(noxattrfs)
|
||||||
# Unconfined access to this module
|
# Unconfined access to this module
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -43490,10 +43495,10 @@ index cbbda4a..d7c67bc 100644
|
|||||||
+userdom_use_inherited_user_terminals(netlabel_mgmt_t)
|
+userdom_use_inherited_user_terminals(netlabel_mgmt_t)
|
||||||
+
|
+
|
||||||
diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
|
diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
|
||||||
index d43f3b1..04743dc 100644
|
index d43f3b1..c5053db 100644
|
||||||
--- a/policy/modules/system/selinuxutil.fc
|
--- a/policy/modules/system/selinuxutil.fc
|
||||||
+++ b/policy/modules/system/selinuxutil.fc
|
+++ b/policy/modules/system/selinuxutil.fc
|
||||||
@@ -6,13 +6,14 @@
|
@@ -6,13 +6,15 @@
|
||||||
/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
|
/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
|
||||||
/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
|
/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
|
||||||
/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
|
/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
|
||||||
@ -43504,6 +43509,7 @@ index d43f3b1..04743dc 100644
|
|||||||
-/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
|
-/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
|
||||||
+/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,s0)
|
+/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,s0)
|
||||||
/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
|
/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
|
||||||
|
+/etc/selinux/(minimum|mls|targeted)/active(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
|
||||||
/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
|
/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
|
||||||
/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
|
/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
|
||||||
-/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
|
-/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
|
||||||
@ -43511,7 +43517,7 @@ index d43f3b1..04743dc 100644
|
|||||||
|
|
||||||
#
|
#
|
||||||
# /root
|
# /root
|
||||||
@@ -35,19 +36,30 @@
|
@@ -35,19 +37,30 @@
|
||||||
/usr/lib/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0)
|
/usr/lib/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0)
|
||||||
|
|
||||||
/usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0)
|
/usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0)
|
||||||
@ -48017,10 +48023,10 @@ index 0000000..3380372
|
|||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..45fcf4c
|
index 0000000..d8fdd7b
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/system/systemd.te
|
+++ b/policy/modules/system/systemd.te
|
||||||
@@ -0,0 +1,919 @@
|
@@ -0,0 +1,920 @@
|
||||||
+policy_module(systemd, 1.0.0)
|
+policy_module(systemd, 1.0.0)
|
||||||
+
|
+
|
||||||
+#######################################
|
+#######################################
|
||||||
@ -48889,6 +48895,7 @@ index 0000000..45fcf4c
|
|||||||
+init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
|
+init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
|
||||||
+
|
+
|
||||||
+list_dirs_pattern(systemd_resolved_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
|
+list_dirs_pattern(systemd_resolved_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
|
||||||
|
+read_files_pattern(systemd_resolved_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
|
||||||
+
|
+
|
||||||
+kernel_dgram_send(systemd_resolved_t)
|
+kernel_dgram_send(systemd_resolved_t)
|
||||||
+
|
+
|
||||||
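Review bot: The new selinuxutil.fc entry `/etc/selinux/(minimum|mls|targeted)/active(/.*)?` hard-codes three policy store names, while every neighbouring spec in that file uses `([^/]*/)?`. A store with any other name would presumably still fall through to the `/etc/selinux(/.*)?` rule and be labelled selinux_config_t instead of semanage_store_t. If the restriction is not deliberate, `/etc/selinux/([^/]*/)?active(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)` would match the surrounding lines; if it is deliberate, a `#` comment above the entry saying why would help. In filesystem.te the added `genfscon cgroup2 /` reuses cgroup_t, so every domain already allowed on cgroup_t gets the same access on cgroup2 mounts; a one-line comment stating that this is intended would make the grant auditable.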
|
@ -2540,10 +2540,10 @@ index 16d0d66..60abfd0 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
nscd_dontaudit_search_pid(amtu_t)
|
nscd_dontaudit_search_pid(amtu_t)
|
||||||
diff --git a/anaconda.fc b/anaconda.fc
|
diff --git a/anaconda.fc b/anaconda.fc
|
||||||
index b098089..37d428c 100644
|
index b098089..fe35beb 100644
|
||||||
--- a/anaconda.fc
|
--- a/anaconda.fc
|
||||||
+++ b/anaconda.fc
|
+++ b/anaconda.fc
|
||||||
@@ -1 +1,12 @@
|
@@ -1 +1,13 @@
|
||||||
# No file context specifications.
|
# No file context specifications.
|
||||||
+
|
+
|
||||||
+/usr/libexec/anaconda/anaconda-yum -- gen_context(system_u:object_r:install_exec_t,s0)
|
+/usr/libexec/anaconda/anaconda-yum -- gen_context(system_u:object_r:install_exec_t,s0)
|
||||||
@ -2552,6 +2552,7 @@ index b098089..37d428c 100644
|
|||||||
+/usr/bin/initial-setup -- gen_context(system_u:object_r:install_exec_t,s0)
|
+/usr/bin/initial-setup -- gen_context(system_u:object_r:install_exec_t,s0)
|
||||||
+/usr/bin/ostree -- gen_context(system_u:object_r:install_exec_t,s0)
|
+/usr/bin/ostree -- gen_context(system_u:object_r:install_exec_t,s0)
|
||||||
+/usr/bin/rpm-ostree -- gen_context(system_u:object_r:install_exec_t,s0)
|
+/usr/bin/rpm-ostree -- gen_context(system_u:object_r:install_exec_t,s0)
|
||||||
|
+/usr/libexec/rpm-ostreed -- gen_context(system_u:object_r:install_exec_t,s0)
|
||||||
+
|
+
|
||||||
+/usr/bin/preupg.* -- gen_context(system_u:object_r:preupgrade_exec_t,s0)
|
+/usr/bin/preupg.* -- gen_context(system_u:object_r:preupgrade_exec_t,s0)
|
||||||
+/var/lib/preupgrade(/.*)? gen_context(system_u:object_r:preupgrade_data_t,s0)
|
+/var/lib/preupgrade(/.*)? gen_context(system_u:object_r:preupgrade_data_t,s0)
|
||||||
@ -52603,10 +52604,10 @@ index 65a246a..fa86320 100644
|
|||||||
netutils_domtrans_ping(mrtg_t)
|
netutils_domtrans_ping(mrtg_t)
|
||||||
|
|
||||||
diff --git a/mta.fc b/mta.fc
|
diff --git a/mta.fc b/mta.fc
|
||||||
index f42896c..bd1eb52 100644
|
index f42896c..2cf0c23 100644
|
||||||
--- a/mta.fc
|
--- a/mta.fc
|
||||||
+++ b/mta.fc
|
+++ b/mta.fc
|
||||||
@@ -1,34 +1,44 @@
|
@@ -1,34 +1,41 @@
|
||||||
-HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
|
-HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
|
||||||
HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0)
|
HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0)
|
||||||
HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
|
HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
|
||||||
@ -52618,10 +52619,8 @@ index f42896c..bd1eb52 100644
|
|||||||
+HOME_DIR/.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
|
+HOME_DIR/.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
|
||||||
|
|
||||||
-/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
-/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
||||||
|
-
|
||||||
-/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
|
-/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
|
||||||
+/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
|
||||||
+
|
|
||||||
+/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
|
+/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
|
||||||
/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
|
/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
|
||||||
-/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
|
-/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
|
||||||
@ -76605,10 +76604,10 @@ index 0000000..8231f4f
|
|||||||
+')
|
+')
|
||||||
diff --git a/prosody.te b/prosody.te
|
diff --git a/prosody.te b/prosody.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..d531fa5
|
index 0000000..3ef4a99
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/prosody.te
|
+++ b/prosody.te
|
||||||
@@ -0,0 +1,92 @@
|
@@ -0,0 +1,97 @@
|
||||||
+policy_module(prosody, 1.0.0)
|
+policy_module(prosody, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -76684,6 +76683,7 @@ index 0000000..d531fa5
|
|||||||
+corenet_tcp_bind_jabber_client_port(prosody_t)
|
+corenet_tcp_bind_jabber_client_port(prosody_t)
|
||||||
+corenet_tcp_bind_jabber_interserver_port(prosody_t)
|
+corenet_tcp_bind_jabber_interserver_port(prosody_t)
|
||||||
+corenet_tcp_bind_jabber_router_port(prosody_t)
|
+corenet_tcp_bind_jabber_router_port(prosody_t)
|
||||||
|
+corenet_tcp_bind_commplex_main_port(prosody_t)
|
||||||
+
|
+
|
||||||
+tunable_policy(`prosody_bind_http_port',`
|
+tunable_policy(`prosody_bind_http_port',`
|
||||||
+ corenet_tcp_bind_http_port(prosody_t)
|
+ corenet_tcp_bind_http_port(prosody_t)
|
||||||
@ -76701,6 +76701,10 @@ index 0000000..d531fa5
|
|||||||
+logging_send_syslog_msg(prosody_t)
|
+logging_send_syslog_msg(prosody_t)
|
||||||
+
|
+
|
||||||
+miscfiles_read_localization(prosody_t)
|
+miscfiles_read_localization(prosody_t)
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ sasl_connect(prosody_t)
|
||||||
|
+')
|
||||||
diff --git a/psad.if b/psad.if
|
diff --git a/psad.if b/psad.if
|
||||||
index d4dcf78..3cce82e 100644
|
index d4dcf78..3cce82e 100644
|
||||||
--- a/psad.if
|
--- a/psad.if
|
||||||
@ -104430,10 +104434,10 @@ index 0000000..a6e216c
|
|||||||
+
|
+
|
||||||
diff --git a/targetd.te b/targetd.te
|
diff --git a/targetd.te b/targetd.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..6768bda
|
index 0000000..e372bd7
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/targetd.te
|
+++ b/targetd.te
|
||||||
@@ -0,0 +1,62 @@
|
@@ -0,0 +1,63 @@
|
||||||
+policy_module(targetd, 1.0.0)
|
+policy_module(targetd, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -104477,6 +104481,7 @@ index 0000000..6768bda
|
|||||||
+
|
+
|
||||||
+dev_read_sysfs(targetd_t)
|
+dev_read_sysfs(targetd_t)
|
||||||
+dev_read_urand(targetd_t)
|
+dev_read_urand(targetd_t)
|
||||||
|
+dev_rw_lvm_control(targetd_t)
|
||||||
+
|
+
|
||||||
+libs_exec_ldconfig(targetd_t)
|
+libs_exec_ldconfig(targetd_t)
|
||||||
+
|
+
|
||||||
@ -106127,7 +106132,7 @@ index cfaa2a1..a9bc6f1 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
diff --git a/tgtd.fc b/tgtd.fc
|
diff --git a/tgtd.fc b/tgtd.fc
|
||||||
index 38389e6..4847b43 100644
|
index 38389e6..ae0f9ab 100644
|
||||||
--- a/tgtd.fc
|
--- a/tgtd.fc
|
||||||
+++ b/tgtd.fc
|
+++ b/tgtd.fc
|
||||||
@@ -1,7 +1,4 @@
|
@@ -1,7 +1,4 @@
|
||||||
@ -106141,7 +106146,7 @@ index 38389e6..4847b43 100644
|
|||||||
+/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0)
|
+/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0)
|
||||||
+/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0)
|
+/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0)
|
||||||
+/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0)
|
+/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0)
|
||||||
+/var/run/tgtd.* -s gen_context(system_u:object_r:tgtd_var_run_t,s0)
|
+/var/run/tgtd.* gen_context(system_u:object_r:tgtd_var_run_t,s0)
|
||||||
diff --git a/tgtd.if b/tgtd.if
|
diff --git a/tgtd.if b/tgtd.if
|
||||||
index 5406b6e..dc5b46e 100644
|
index 5406b6e..dc5b46e 100644
|
||||||
--- a/tgtd.if
|
--- a/tgtd.if
|
||||||
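Review bot: The anaconda.fc hunk labels `/usr/libexec/rpm-ostreed` as install_exec_t, but the changelog entry for this release says it is labelled rpm_exec_t. The two should agree, because the executable's type determines which domain the daemon ends up running in, and anyone auditing from the changelog would check the wrong domain. The added line matches the neighbouring `/usr/bin/ostree` and `/usr/bin/rpm-ostree` entries, so the changelog looks like the part to correct: `- Label /usr/libexec/rpm-ostreed as install_exec_t. BZ(1309075)`. In prosody.te, `corenet_tcp_bind_commplex_main_port(prosody_t)` is granted unconditionally, while the HTTP port bind just below it sits behind the `prosody_bind_http_port` tunable. Gating the port 5000 bind behind a tunable too would keep it off for deployments that do not use mod_proxy65.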
|
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.13.1
|
Version: 3.13.1
|
||||||
Release: 180%{?dist}
|
Release: 181%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -653,6 +653,17 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Apr 01 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-181
|
||||||
|
- Label /usr/libexec/rpm-ostreed as rpm_exec_t. BZ(1309075)
|
||||||
|
- /bin/mailx is labeled sendmail_exec_t, and enters the sendmail_t domain on execution. If /usr/sbin/sendmail does not have its own domain to transition to, and is not one of several products whose behavior is allowed by the sendmail_t policy, execution will fail. In this case we need to label /bin/mailx as bin_t. BZ(1323224)
|
||||||
|
- Label all run tgtd files, not just socket files.
|
||||||
|
- Allow prosody to stream connect to sasl. This will allow using cyrus authentication in prosody.
|
||||||
|
- Allow prosody to listen on port 5000 for mod_proxy65. BZ(1322815)
|
||||||
|
- Allow targetd to read/write to /dev/mapper/control device. BZ(1241415)
|
||||||
|
- Label /etc/selinux/(minimum|mls|targeted)/active/ as semanage_store_t.
|
||||||
|
- Allow systemd_resolved to read systemd_networkd run files. BZ(1322921)
|
||||||
|
- New cgroup2 file system in Rawhide
|
||||||
|
|
||||||
* Wed Mar 30 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-180
|
* Wed Mar 30 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-180
|
||||||
- Allow dovecot_auth_t domain to manage also dovecot_var_run_t fifo files. BZ(1320415)
|
- Allow dovecot_auth_t domain to manage also dovecot_var_run_t fifo files. BZ(1320415)
|
||||||
- Allow colord to read /etc/udev/hwdb.bin. rhzb#1316514
|
- Allow colord to read /etc/udev/hwdb.bin. rhzb#1316514
|
||||||
|