* Mon May 15 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-254
- Allow svirt_t to read raw fixed_disk_device_t to make working blockcommit
- ejabberd small fixes
- Update targetd policy to accommodate changes in the service
- Allow tomcat_domain connect to * postgresql_port_t * amqp_port_t Allow tomcat_domain read network sysctls
- Allow virt_domain to read raw fixed_disk_device_t to make working blockcommit
- Allow glusterd_t domain start ganesha service
- Made few cosmetic changes in sssd SELinux module
- Merge pull request #11 from lslebodn/sssd_kcm
- Update virt_rw_stream_sockets_svirt() interface to allow confined users set socket options.
- Allow keepalived_t domain read usermodehelper_t
- Allow radius domain stream connect to postgresql
- Merge pull request #8 from bowlofeggs/142-rawhide
- Add fs_manage_configfs_lnk_files() interface
This commit is contained in:
parent
52a7727e8d
commit
c1e28f68d8
@ -27883,6 +27883,127 @@ index ef62363..0841716 100644
|
||||
+optional_policy(`
|
||||
+ procmail_domtrans(dspam_t)
|
||||
+')
|
||||
diff --git a/ejabberd.fc b/ejabberd.fc
|
||||
new file mode 100644
|
||||
index 0000000..e797d62
|
||||
--- /dev/null
|
||||
+++ b/ejabberd.fc
|
||||
@@ -0,0 +1,7 @@
|
||||
+/usr/bin/ejabberdctl -- gen_context(system_u:object_r:ejabberd_exec_t,s0)
|
||||
+
|
||||
+/usr/lib/systemd/system/ejabberd.* -- gen_context(system_u:object_r:ejabberd_unit_t,s0)
|
||||
+
|
||||
+/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:ejabberd_var_lib_t,s0)
|
||||
+
|
||||
+/var/log/ejabberd(/.*)? gen_context(system_u:object_r:ejabberd_var_log_t,s0)
|
||||
diff --git a/ejabberd.if b/ejabberd.if
|
||||
new file mode 100644
|
||||
index 0000000..91ef4a4
|
||||
--- /dev/null
|
||||
+++ b/ejabberd.if
|
||||
@@ -0,0 +1,34 @@
|
||||
+## <summary>ejabberd is a Free and Open Source distributed fault-tolerant: Jabber/XMPP server. </summary>
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## All of the rules required to
|
||||
+## administrate an ejabberd environment.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="role">
|
||||
+## <summary>
|
||||
+## Role allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`ejabberd_admin',`
|
||||
+ gen_require(`
|
||||
+ type ejabberd_t, ejabberd_exec_t;
|
||||
+ type ejabberd_var_lib_t, ejabberd_var_log_t;
|
||||
+ ')
|
||||
+
|
||||
+ admin_process_pattern($1, ejabberd_t)
|
||||
+
|
||||
+ init_startstop_service($1, $2, ejabberd_t, ejabberd_initrc_exec_t, ejabberd_unit_t)
|
||||
+
|
||||
+ files_search_var_lib($1)
|
||||
+ admin_pattern($1, ejabberd_var_lib_t)
|
||||
+
|
||||
+ logging_search_logs($1)
|
||||
+ admin_pattern($1, ejabberd_var_log_t)
|
||||
+')
|
||||
diff --git a/ejabberd.te b/ejabberd.te
|
||||
new file mode 100644
|
||||
index 0000000..4498b11
|
||||
--- /dev/null
|
||||
+++ b/ejabberd.te
|
||||
@@ -0,0 +1,62 @@
|
||||
+policy_module(ejabberd,0.0)
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# Declarations
|
||||
+#
|
||||
+
|
||||
+# Private type declarations
|
||||
+type ejabberd_t;
|
||||
+type ejabberd_exec_t;
|
||||
+init_daemon_domain(ejabberd_t, ejabberd_exec_t)
|
||||
+
|
||||
+type ejabberd_unit_t;
|
||||
+systemd_unit_file(ejabberd_unit_t)
|
||||
+
|
||||
+type ejabberd_var_lib_t;
|
||||
+files_type(ejabberd_var_lib_t)
|
||||
+
|
||||
+type ejabberd_var_log_t;
|
||||
+logging_log_file(ejabberd_var_log_t)
|
||||
+
|
||||
+
|
||||
+# What will we allow
|
||||
+allow ejabberd_t self:tcp_socket { accept bind connect create getattr getopt listen read setopt write };
|
||||
+allow ejabberd_t self:udp_socket { bind connect create getattr getopt read setopt write };
|
||||
+allow ejabberd_t self:unix_dgram_socket { connect create getopt setopt write };
|
||||
+
|
||||
+auth_use_nsswitch(ejabberd_t)
|
||||
+
|
||||
+corecmd_exec_bin(ejabberd_t)
|
||||
+corecmd_exec_shell(ejabberd_t)
|
||||
+
|
||||
+corenet_tcp_bind_epmd_port(ejabberd_t)
|
||||
+corenet_tcp_bind_generic_node(ejabberd_t)
|
||||
+corenet_tcp_bind_generic_port(ejabberd_t)
|
||||
+corenet_tcp_bind_jabber_client_port(ejabberd_t)
|
||||
+corenet_tcp_bind_jabber_interserver_port(ejabberd_t)
|
||||
+corenet_tcp_connect_epmd_port(ejabberd_t)
|
||||
+corenet_tcp_connect_generic_port(ejabberd_t)
|
||||
+corenet_tcp_connect_jabber_interserver_port(ejabberd_t)
|
||||
+
|
||||
+corenet_udp_bind_generic_node(ejabberd_t)
|
||||
+
|
||||
+dev_read_rand(ejabberd_t)
|
||||
+dev_read_sysfs(ejabberd_t)
|
||||
+
|
||||
+files_search_var_lib(ejabberd_t, ejabberd_var_lib_t, dir)
|
||||
+
|
||||
+kernel_dgram_send(ejabberd_t)
|
||||
+
|
||||
+logging_create_devlog_dev(ejabberd_t)
|
||||
+logging_log_filetrans(ejabberd_t, ejabberd_var_log_t, { dir file })
|
||||
+
|
||||
+manage_dirs_pattern(ejabberd_t, ejabberd_var_lib_t, ejabberd_var_lib_t)
|
||||
+manage_dirs_pattern(ejabberd_t, ejabberd_var_log_t, ejabberd_var_log_t)
|
||||
+manage_files_pattern(ejabberd_t, ejabberd_var_lib_t, ejabberd_var_lib_t)
|
||||
+manage_files_pattern(ejabberd_t, ejabberd_var_log_t, ejabberd_var_log_t)
|
||||
+
|
||||
+miscfiles_read_generic_certs(ejabberd_t)
|
||||
+
|
||||
+sysnet_read_config(ejabberd_t)
|
||||
diff --git a/entropyd.te b/entropyd.te
|
||||
index b8b8328..111084c 100644
|
||||
--- a/entropyd.te
|
||||
@ -32826,10 +32947,10 @@ index 0000000..764ae00
|
||||
+
|
||||
diff --git a/glusterd.te b/glusterd.te
|
||||
new file mode 100644
|
||||
index 0000000..03db2af
|
||||
index 0000000..ce9dd75
|
||||
--- /dev/null
|
||||
+++ b/glusterd.te
|
||||
@@ -0,0 +1,308 @@
|
||||
@@ -0,0 +1,312 @@
|
||||
+policy_module(glusterd, 1.1.3)
|
||||
+
|
||||
+## <desc>
|
||||
@ -33081,6 +33202,10 @@ index 0000000..03db2af
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ ganesha_systemctl(glusterd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ hostname_exec(glusterd_t)
|
||||
+')
|
||||
+
|
||||
@ -42725,10 +42850,10 @@ index 0000000..bd7e7fa
|
||||
+')
|
||||
diff --git a/keepalived.te b/keepalived.te
|
||||
new file mode 100644
|
||||
index 0000000..66e747b
|
||||
index 0000000..82772f2
|
||||
--- /dev/null
|
||||
+++ b/keepalived.te
|
||||
@@ -0,0 +1,92 @@
|
||||
@@ -0,0 +1,93 @@
|
||||
+policy_module(keepalived, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -42768,6 +42893,7 @@ index 0000000..66e747b
|
||||
+kernel_read_system_state(keepalived_t)
|
||||
+kernel_read_network_state(keepalived_t)
|
||||
+kernel_request_load_module(keepalived_t)
|
||||
+kernel_read_usermodehelper_state(keepalived_t)
|
||||
+
|
||||
+auth_use_nsswitch(keepalived_t)
|
||||
+
|
||||
@ -84339,30 +84465,20 @@ index f47c8e8..af09c76 100644
|
||||
+ dbus_connect_system_bus(quota_nld_t)
|
||||
')
|
||||
diff --git a/rabbitmq.fc b/rabbitmq.fc
|
||||
index c5ad6de..af2d46f 100644
|
||||
index c5ad6de..44135d4 100644
|
||||
--- a/rabbitmq.fc
|
||||
+++ b/rabbitmq.fc
|
||||
@@ -1,10 +1,18 @@
|
||||
@@ -1,7 +1,8 @@
|
||||
/etc/rc\.d/init\.d/rabbitmq-server -- gen_context(system_u:object_r:rabbitmq_initrc_exec_t,s0)
|
||||
|
||||
-/usr/lib/erlang/erts.*/bin/beam.* -- gen_context(system_u:object_r:rabbitmq_beam_exec_t,s0)
|
||||
-/usr/lib/erlang/erts.*/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0)
|
||||
+/usr/lib/systemd/system/rabbitmq-server.* -- gen_context(system_u:object_r:rabbitmq_unit_file_t,s0)
|
||||
+/usr/lib/systemd/system/ejabberd.* -- gen_context(system_u:object_r:rabbitmq_unit_file_t,s0)
|
||||
+
|
||||
+/usr/lib/rabbitmq/lib/rabbitmq_server-.*/sbin/rabbitmq-server -- gen_context(system_u:object_r:rabbitmq_exec_t,s0)
|
||||
+
|
||||
+/usr/bin/ejabberdctl -- gen_context(system_u:object_r:rabbitmq_exec_t,s0)
|
||||
|
||||
/var/lib/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0)
|
||||
+/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0)
|
||||
+
|
||||
+/var/lock/ejabberdctl(/.*)? gen_context(system_u:object_r:rabbitmq_var_lock_t,s0)
|
||||
|
||||
/var/log/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0)
|
||||
+/var/log/ejabberd(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0)
|
||||
|
||||
/var/run/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_run_t,s0)
|
||||
diff --git a/rabbitmq.if b/rabbitmq.if
|
||||
index 2c3d338..7d49554 100644
|
||||
--- a/rabbitmq.if
|
||||
@ -84682,7 +84798,7 @@ index 4460582..4c66c25 100644
|
||||
+
|
||||
')
|
||||
diff --git a/radius.te b/radius.te
|
||||
index 403a4fe..b1668fa 100644
|
||||
index 403a4fe..c659271 100644
|
||||
--- a/radius.te
|
||||
+++ b/radius.te
|
||||
@@ -5,6 +5,13 @@ policy_module(radius, 1.13.0)
|
||||
@ -84805,10 +84921,11 @@ index 403a4fe..b1668fa 100644
|
||||
logrotate_exec(radiusd_t)
|
||||
')
|
||||
|
||||
@@ -132,6 +159,10 @@ optional_policy(`
|
||||
@@ -132,6 +159,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ postgresql_stream_connect(radiusd_t)
|
||||
+ postgresql_tcp_connect(radiusd_t)
|
||||
+')
|
||||
+
|
||||
@ -84816,7 +84933,7 @@ index 403a4fe..b1668fa 100644
|
||||
samba_domtrans_winbind_helper(radiusd_t)
|
||||
')
|
||||
|
||||
@@ -140,5 +171,10 @@ optional_policy(`
|
||||
@@ -140,5 +172,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -105585,10 +105702,10 @@ index 0000000..821e158
|
||||
+')
|
||||
+
|
||||
diff --git a/sssd.fc b/sssd.fc
|
||||
index dbb005a..25d119e 100644
|
||||
index dbb005a..47b49ea 100644
|
||||
--- a/sssd.fc
|
||||
+++ b/sssd.fc
|
||||
@@ -1,15 +1,28 @@
|
||||
@@ -1,15 +1,30 @@
|
||||
/etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
|
||||
|
||||
-/etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0)
|
||||
@ -105599,6 +105716,7 @@ index dbb005a..25d119e 100644
|
||||
+/usr/libexec/sssd/sssd_autofs -- gen_context(system_u:object_r:sssd_exec_t,s0)
|
||||
+/usr/libexec/sssd/sssd_ifp -- gen_context(system_u:object_r:sssd_exec_t,s0)
|
||||
+/usr/libexec/sssd/sssd_nss -- gen_context(system_u:object_r:sssd_exec_t,s0)
|
||||
+/usr/libexec/sssd/sssd_kcm -- gen_context(system_u:object_r:sssd_exec_t,s0)
|
||||
+/usr/libexec/sssd/sssd_pac -- gen_context(system_u:object_r:sssd_exec_t,s0)
|
||||
+/usr/libexec/sssd/sssd_pam -- gen_context(system_u:object_r:sssd_exec_t,s0)
|
||||
+/usr/libexec/sssd/sssd_secrets -- gen_context(system_u:object_r:sssd_exec_t,s0)
|
||||
@ -105623,8 +105741,9 @@ index dbb005a..25d119e 100644
|
||||
-/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
|
||||
+/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
|
||||
+/var/run/secrets.socket gen_context(system_u:object_r:sssd_var_run_t,s0)
|
||||
+/var/run/.heim_org.h5l.kcm-socket -- gen_context(system_u:object_r:sssd_var_run_t,s0)
|
||||
diff --git a/sssd.if b/sssd.if
|
||||
index a240455..277f8f2 100644
|
||||
index a240455..aac2584 100644
|
||||
--- a/sssd.if
|
||||
+++ b/sssd.if
|
||||
@@ -1,21 +1,21 @@
|
||||
@ -105753,13 +105872,13 @@ index a240455..277f8f2 100644
|
||||
+ gen_require(`
|
||||
+ type sssd_conf_t;
|
||||
+ ')
|
||||
|
||||
- files_search_etc($1)
|
||||
- write_files_pattern($1, sssd_conf_t, sssd_conf_t)
|
||||
+
|
||||
+ files_search_etc($1)
|
||||
+ write_files_pattern($1, sssd_conf_t, sssd_conf_t)
|
||||
+')
|
||||
+
|
||||
|
||||
- files_search_etc($1)
|
||||
- write_files_pattern($1, sssd_conf_t, sssd_conf_t)
|
||||
+#####################################
|
||||
+## <summary>
|
||||
+## Write sssd configuration.
|
||||
@ -105836,10 +105955,11 @@ index a240455..277f8f2 100644
|
||||
sssd_search_lib($1)
|
||||
- manage_files_pattern($1, sssd_public_t, sssd_public_t)
|
||||
+ allow $1 sssd_public_t:file unlink;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Read sssd pid files.
|
||||
+## Dontaudit read sssd public files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
@ -105873,11 +105993,10 @@ index a240455..277f8f2 100644
|
||||
+
|
||||
+ sssd_search_lib($1)
|
||||
+ manage_files_pattern($1, sssd_public_t, sssd_public_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Read sssd pid files.
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read sssd PID files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@ -105937,7 +106056,7 @@ index a240455..277f8f2 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -317,8 +408,92 @@ interface(`sssd_stream_connect',`
|
||||
@@ -317,8 +408,130 @@ interface(`sssd_stream_connect',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -105960,6 +106079,44 @@ index a240455..277f8f2 100644
|
||||
+ dontaudit $1 sssd_var_lib_t:sock_file { read write };
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Connect to sssd over a unix stream socket in /var/run.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`sssd_run_stream_connect',`
|
||||
+ gen_require(`
|
||||
+ type sssd_t, sssd_var_run_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_pids($1)
|
||||
+ stream_connect_pattern($1, sssd_var_run_t, sssd_var_run_t, sssd_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Dontaudit attempts to connect to sssd over a unix stream socket in /var/run.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`sssd_dontaudit_run_stream_connect',`
|
||||
+ gen_require(`
|
||||
+ type sssd_t, sssd_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ dontaudit $1 sssd_t:unix_stream_socket connectto;
|
||||
+ dontaudit $1 sssd_var_run_t:sock_file { read write };
|
||||
+')
|
||||
+
|
||||
+#######################################
|
||||
+## <summary>
|
||||
+## Manage keys for all user domains.
|
||||
@ -106032,7 +106189,7 @@ index a240455..277f8f2 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -327,7 +502,7 @@ interface(`sssd_stream_connect',`
|
||||
@@ -327,7 +540,7 @@ interface(`sssd_stream_connect',`
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
@ -106041,7 +106198,7 @@ index a240455..277f8f2 100644
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
@@ -335,27 +510,29 @@ interface(`sssd_stream_connect',`
|
||||
@@ -335,27 +548,29 @@ interface(`sssd_stream_connect',`
|
||||
interface(`sssd_admin',`
|
||||
gen_require(`
|
||||
type sssd_t, sssd_public_t, sssd_initrc_exec_t;
|
||||
@ -106083,7 +106240,7 @@ index a240455..277f8f2 100644
|
||||
- admin_pattern($1, sssd_log_t)
|
||||
')
|
||||
diff --git a/sssd.te b/sssd.te
|
||||
index 2d8db1f..d4fee07 100644
|
||||
index 2d8db1f..f0f3862 100644
|
||||
--- a/sssd.te
|
||||
+++ b/sssd.te
|
||||
@@ -28,19 +28,31 @@ logging_log_file(sssd_var_log_t)
|
||||
@ -106122,7 +106279,7 @@ index 2d8db1f..d4fee07 100644
|
||||
|
||||
manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
|
||||
manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
|
||||
@@ -51,9 +63,11 @@ manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
|
||||
@@ -51,28 +63,28 @@ manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
|
||||
manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
|
||||
files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir })
|
||||
|
||||
@ -106137,7 +106294,9 @@ index 2d8db1f..d4fee07 100644
|
||||
logging_log_filetrans(sssd_t, sssd_var_log_t, file)
|
||||
|
||||
manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
|
||||
@@ -62,17 +76,14 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
|
||||
manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
|
||||
+manage_sock_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
|
||||
files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
|
||||
|
||||
kernel_read_network_state(sssd_t)
|
||||
kernel_read_system_state(sssd_t)
|
||||
@ -106160,7 +106319,7 @@ index 2d8db1f..d4fee07 100644
|
||||
|
||||
corecmd_exec_bin(sssd_t)
|
||||
|
||||
@@ -83,28 +94,36 @@ domain_read_all_domains_state(sssd_t)
|
||||
@@ -83,28 +95,36 @@ domain_read_all_domains_state(sssd_t)
|
||||
domain_obj_id_change_exemption(sssd_t)
|
||||
|
||||
files_list_tmp(sssd_t)
|
||||
@ -106201,7 +106360,7 @@ index 2d8db1f..d4fee07 100644
|
||||
|
||||
init_read_utmp(sssd_t)
|
||||
|
||||
@@ -112,18 +131,67 @@ logging_send_syslog_msg(sssd_t)
|
||||
@@ -112,18 +132,67 @@ logging_send_syslog_msg(sssd_t)
|
||||
logging_send_audit_msgs(sssd_t)
|
||||
|
||||
miscfiles_read_generic_certs(sssd_t)
|
||||
@ -107573,10 +107732,10 @@ index 0000000..a6e216c
|
||||
+
|
||||
diff --git a/targetd.te b/targetd.te
|
||||
new file mode 100644
|
||||
index 0000000..e187320
|
||||
index 0000000..0315421
|
||||
--- /dev/null
|
||||
+++ b/targetd.te
|
||||
@@ -0,0 +1,68 @@
|
||||
@@ -0,0 +1,81 @@
|
||||
+policy_module(targetd, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -107599,21 +107758,33 @@ index 0000000..e187320
|
||||
+# targetd local policy
|
||||
+#
|
||||
+
|
||||
+allow targetd_t self:capability { sys_admin };
|
||||
+allow targetd_t self:capability { ipc_lock sys_admin sys_nice };
|
||||
+allow targetd_t self:fifo_file rw_fifo_file_perms;
|
||||
+allow targetd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+allow targetd_t self:unix_dgram_socket create_socket_perms;
|
||||
+allow targetd_t self:tcp_socket listen;
|
||||
+allow targetd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
+allow targetd_t self:process setfscreate;
|
||||
+allow targetd_t self:process { setfscreate setsched };
|
||||
+
|
||||
+manage_dirs_pattern(targetd_t, targetd_etc_rw_t, targetd_etc_rw_t)
|
||||
+manage_files_pattern(targetd_t, targetd_etc_rw_t, targetd_etc_rw_t)
|
||||
+files_etc_filetrans(targetd_t, targetd_etc_rw_t, { dir file })
|
||||
+
|
||||
+fs_getattr_xattr_fs(targetd_t)
|
||||
+fs_manage_configfs_files(targetd_t)
|
||||
+fs_manage_configfs_lnk_files(targetd_t)
|
||||
+fs_manage_configfs_dirs(targetd_t)
|
||||
+fs_read_nfsd_files(targetd_t)
|
||||
+
|
||||
+kernel_rw_rpc_sysctls(targetd_t)
|
||||
+kernel_get_sysvipc_info(targetd_t)
|
||||
+kernel_read_system_state(targetd_t)
|
||||
+kernel_read_network_state(targetd_t)
|
||||
+
|
||||
+rpc_read_exports(targetd_t)
|
||||
+
|
||||
+storage_raw_rw_fixed_disk(targetd_t)
|
||||
+
|
||||
+auth_use_nsswitch(targetd_t)
|
||||
+
|
||||
+corecmd_exec_shell(targetd_t)
|
||||
@ -107622,7 +107793,7 @@ index 0000000..e187320
|
||||
+corenet_tcp_bind_generic_node(targetd_t)
|
||||
+corenet_tcp_bind_lsm_plugin_port(targetd_t)
|
||||
+
|
||||
+dev_read_sysfs(targetd_t)
|
||||
+dev_rw_sysfs(targetd_t)
|
||||
+dev_read_urand(targetd_t)
|
||||
+dev_rw_lvm_control(targetd_t)
|
||||
+dev_getattr_loop_control(targetd_t)
|
||||
@ -107636,8 +107807,9 @@ index 0000000..e187320
|
||||
+
|
||||
+optional_policy(`
|
||||
+ lvm_read_config(targetd_t)
|
||||
+ lvm_read_metadata(targetd_t)
|
||||
+ lvm_write_metadata(targetd_t)
|
||||
+ lvm_manage_lock(targetd_t)
|
||||
+ lvm_rw_pipes(targetd_t)
|
||||
+ lvm_stream_connect(targetd_t)
|
||||
+')
|
||||
+
|
||||
@ -110850,10 +111022,10 @@ index 0000000..e5cec8f
|
||||
+')
|
||||
diff --git a/tomcat.te b/tomcat.te
|
||||
new file mode 100644
|
||||
index 0000000..71e14ac
|
||||
index 0000000..cc0c5fe
|
||||
--- /dev/null
|
||||
+++ b/tomcat.te
|
||||
@@ -0,0 +1,86 @@
|
||||
@@ -0,0 +1,89 @@
|
||||
+policy_module(tomcat, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -110912,6 +111084,7 @@ index 0000000..71e14ac
|
||||
+can_exec(tomcat_domain, tomcat_exec_t)
|
||||
+
|
||||
+kernel_read_network_state(tomcat_domain)
|
||||
+kernel_read_net_sysctls(tomcat_domain)
|
||||
+
|
||||
+corecmd_exec_bin(tomcat_domain)
|
||||
+corecmd_exec_shell(tomcat_domain)
|
||||
@ -110925,6 +111098,8 @@ index 0000000..71e14ac
|
||||
+corenet_tcp_connect_ldap_port(tomcat_domain)
|
||||
+corenet_tcp_connect_mxi_port(tomcat_domain)
|
||||
+corenet_tcp_connect_http_cache_port(tomcat_domain)
|
||||
+corenet_tcp_connect_postgresql_port(tomcat_domain)
|
||||
+corenet_tcp_connect_amqp_port(tomcat_domain)
|
||||
+
|
||||
+dev_read_rand(tomcat_domain)
|
||||
+dev_read_urand(tomcat_domain)
|
||||
@ -113341,7 +113516,7 @@ index a4f20bc..9777de2 100644
|
||||
+/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
|
||||
+/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
|
||||
diff --git a/virt.if b/virt.if
|
||||
index facdee8..487857a 100644
|
||||
index facdee8..b5a815a 100644
|
||||
--- a/virt.if
|
||||
+++ b/virt.if
|
||||
@@ -1,120 +1,111 @@
|
||||
@ -113775,7 +113950,7 @@ index facdee8..487857a 100644
|
||||
- allow svirt_lxc_domain $1:fd use;
|
||||
- allow svirt_lxc_domain $1:fifo_file rw_fifo_file_perms;
|
||||
- allow svirt_lxc_domain $1:process sigchld;
|
||||
+ allow $1 svirt_t:unix_stream_socket { read write };
|
||||
+ allow $1 svirt_t:unix_stream_socket { setopt getopt read write };
|
||||
')
|
||||
|
||||
-#######################################
|
||||
@ -115541,10 +115716,10 @@ index facdee8..487857a 100644
|
||||
+ dontaudit $1 virtd_t:lnk_file read_lnk_file_perms;
|
||||
')
|
||||
diff --git a/virt.te b/virt.te
|
||||
index f03dcf5..fee0027 100644
|
||||
index f03dcf5..6e0d11b 100644
|
||||
--- a/virt.te
|
||||
+++ b/virt.te
|
||||
@@ -1,451 +1,413 @@
|
||||
@@ -1,451 +1,415 @@
|
||||
-policy_module(virt, 1.7.4)
|
||||
+policy_module(virt, 1.5.0)
|
||||
|
||||
@ -116182,6 +116357,8 @@ index f03dcf5..fee0027 100644
|
||||
+
|
||||
+virt_dontaudit_read_state(svirt_t)
|
||||
+
|
||||
+storage_raw_read_fixed_disk(svirt_t)
|
||||
+
|
||||
+#######################################
|
||||
+#
|
||||
+# svirt_prot_exec local policy
|
||||
@ -116268,7 +116445,7 @@ index f03dcf5..fee0027 100644
|
||||
|
||||
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
||||
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
||||
@@ -455,42 +417,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
||||
@@ -455,42 +419,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
||||
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
||||
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
|
||||
|
||||
@ -116315,27 +116492,27 @@ index f03dcf5..fee0027 100644
|
||||
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
|
||||
|
||||
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
|
||||
@@ -503,23 +452,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
|
||||
@@ -503,23 +454,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
|
||||
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
|
||||
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
|
||||
|
||||
-manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
|
||||
-manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
|
||||
-filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
|
||||
-
|
||||
-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
|
||||
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
|
||||
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
|
||||
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
|
||||
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
|
||||
+allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
|
||||
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
|
||||
|
||||
-can_exec(virtd_t, virt_tmp_t)
|
||||
-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
|
||||
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
|
||||
+# libvirtd is permitted to talk to virtlogd
|
||||
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t)
|
||||
+allow virtd_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms;
|
||||
|
||||
-can_exec(virtd_t, virt_tmp_t)
|
||||
-
|
||||
-kernel_read_crypto_sysctls(virtd_t)
|
||||
kernel_read_system_state(virtd_t)
|
||||
kernel_read_network_state(virtd_t)
|
||||
@ -116349,7 +116526,7 @@ index f03dcf5..fee0027 100644
|
||||
|
||||
corecmd_exec_bin(virtd_t)
|
||||
corecmd_exec_shell(virtd_t)
|
||||
@@ -527,24 +477,16 @@ corecmd_exec_shell(virtd_t)
|
||||
@@ -527,24 +479,16 @@ corecmd_exec_shell(virtd_t)
|
||||
corenet_all_recvfrom_netlabel(virtd_t)
|
||||
corenet_tcp_sendrecv_generic_if(virtd_t)
|
||||
corenet_tcp_sendrecv_generic_node(virtd_t)
|
||||
@ -116377,7 +116554,7 @@ index f03dcf5..fee0027 100644
|
||||
dev_rw_sysfs(virtd_t)
|
||||
dev_read_urand(virtd_t)
|
||||
dev_read_rand(virtd_t)
|
||||
@@ -555,20 +497,26 @@ dev_rw_vhost(virtd_t)
|
||||
@@ -555,20 +499,26 @@ dev_rw_vhost(virtd_t)
|
||||
dev_setattr_generic_usb_dev(virtd_t)
|
||||
dev_relabel_generic_usb_dev(virtd_t)
|
||||
|
||||
@ -116408,7 +116585,7 @@ index f03dcf5..fee0027 100644
|
||||
fs_list_auto_mountpoints(virtd_t)
|
||||
fs_getattr_all_fs(virtd_t)
|
||||
fs_rw_anon_inodefs_files(virtd_t)
|
||||
@@ -601,15 +549,18 @@ term_use_ptmx(virtd_t)
|
||||
@@ -601,15 +551,18 @@ term_use_ptmx(virtd_t)
|
||||
|
||||
auth_use_nsswitch(virtd_t)
|
||||
|
||||
@ -116428,7 +116605,7 @@ index f03dcf5..fee0027 100644
|
||||
|
||||
selinux_validate_context(virtd_t)
|
||||
|
||||
@@ -620,18 +571,26 @@ seutil_read_file_contexts(virtd_t)
|
||||
@@ -620,18 +573,26 @@ seutil_read_file_contexts(virtd_t)
|
||||
sysnet_signull_ifconfig(virtd_t)
|
||||
sysnet_signal_ifconfig(virtd_t)
|
||||
sysnet_domtrans_ifconfig(virtd_t)
|
||||
@ -116465,7 +116642,7 @@ index f03dcf5..fee0027 100644
|
||||
|
||||
tunable_policy(`virt_use_nfs',`
|
||||
fs_manage_nfs_dirs(virtd_t)
|
||||
@@ -640,7 +599,7 @@ tunable_policy(`virt_use_nfs',`
|
||||
@@ -640,7 +601,7 @@ tunable_policy(`virt_use_nfs',`
|
||||
')
|
||||
|
||||
tunable_policy(`virt_use_samba',`
|
||||
@ -116474,7 +116651,7 @@ index f03dcf5..fee0027 100644
|
||||
fs_manage_cifs_files(virtd_t)
|
||||
fs_read_cifs_symlinks(virtd_t)
|
||||
')
|
||||
@@ -665,20 +624,12 @@ optional_policy(`
|
||||
@@ -665,20 +626,12 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -116496,7 +116673,7 @@ index f03dcf5..fee0027 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -691,20 +642,26 @@ optional_policy(`
|
||||
@@ -691,20 +644,26 @@ optional_policy(`
|
||||
dnsmasq_kill(virtd_t)
|
||||
dnsmasq_signull(virtd_t)
|
||||
dnsmasq_create_pid_dirs(virtd_t)
|
||||
@ -116527,7 +116704,7 @@ index f03dcf5..fee0027 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -712,11 +669,18 @@ optional_policy(`
|
||||
@@ -712,11 +671,18 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -116546,7 +116723,7 @@ index f03dcf5..fee0027 100644
|
||||
policykit_domtrans_auth(virtd_t)
|
||||
policykit_domtrans_resolve(virtd_t)
|
||||
policykit_read_lib(virtd_t)
|
||||
@@ -727,10 +691,18 @@ optional_policy(`
|
||||
@@ -727,10 +693,18 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -116565,7 +116742,7 @@ index f03dcf5..fee0027 100644
|
||||
kernel_read_xen_state(virtd_t)
|
||||
kernel_write_xen_state(virtd_t)
|
||||
|
||||
@@ -746,44 +718,344 @@ optional_policy(`
|
||||
@@ -746,44 +720,344 @@ optional_policy(`
|
||||
udev_read_pid_files(virtd_t)
|
||||
')
|
||||
|
||||
@ -116678,7 +116855,7 @@ index f03dcf5..fee0027 100644
|
||||
+manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t)
|
||||
+filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file })
|
||||
+stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t)
|
||||
+
|
||||
|
||||
+manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
|
||||
+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
|
||||
+files_var_filetrans(virt_domain, virt_cache_t, { file dir })
|
||||
@ -116839,7 +117016,7 @@ index f03dcf5..fee0027 100644
|
||||
+ fs_read_nfs_symlinks(virt_domain)
|
||||
+ fs_getattr_nfs(virt_domain)
|
||||
+')
|
||||
|
||||
+
|
||||
+tunable_policy(`virt_use_samba',`
|
||||
+ fs_manage_cifs_dirs(virt_domain)
|
||||
+ fs_manage_cifs_files(virt_domain)
|
||||
@ -116932,7 +117109,7 @@ index f03dcf5..fee0027 100644
|
||||
kernel_read_system_state(virsh_t)
|
||||
kernel_read_network_state(virsh_t)
|
||||
kernel_read_kernel_sysctls(virsh_t)
|
||||
@@ -794,25 +1066,18 @@ kernel_write_xen_state(virsh_t)
|
||||
@@ -794,25 +1068,18 @@ kernel_write_xen_state(virsh_t)
|
||||
corecmd_exec_bin(virsh_t)
|
||||
corecmd_exec_shell(virsh_t)
|
||||
|
||||
@ -116959,7 +117136,7 @@ index f03dcf5..fee0027 100644
|
||||
|
||||
fs_getattr_all_fs(virsh_t)
|
||||
fs_manage_xenfs_dirs(virsh_t)
|
||||
@@ -821,23 +1086,25 @@ fs_search_auto_mountpoints(virsh_t)
|
||||
@@ -821,23 +1088,25 @@ fs_search_auto_mountpoints(virsh_t)
|
||||
|
||||
storage_raw_read_fixed_disk(virsh_t)
|
||||
|
||||
@ -116993,7 +117170,7 @@ index f03dcf5..fee0027 100644
|
||||
|
||||
tunable_policy(`virt_use_nfs',`
|
||||
fs_manage_nfs_dirs(virsh_t)
|
||||
@@ -856,14 +1123,20 @@ optional_policy(`
|
||||
@@ -856,14 +1125,20 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -117015,7 +117192,7 @@ index f03dcf5..fee0027 100644
|
||||
xen_stream_connect(virsh_t)
|
||||
xen_stream_connect_xenstore(virsh_t)
|
||||
')
|
||||
@@ -888,49 +1161,66 @@ optional_policy(`
|
||||
@@ -888,49 +1163,66 @@ optional_policy(`
|
||||
kernel_read_xen_state(virsh_ssh_t)
|
||||
kernel_write_xen_state(virsh_ssh_t)
|
||||
|
||||
@ -117100,7 +117277,7 @@ index f03dcf5..fee0027 100644
|
||||
|
||||
corecmd_exec_bin(virtd_lxc_t)
|
||||
corecmd_exec_shell(virtd_lxc_t)
|
||||
@@ -942,17 +1232,16 @@ dev_read_urand(virtd_lxc_t)
|
||||
@@ -942,17 +1234,16 @@ dev_read_urand(virtd_lxc_t)
|
||||
|
||||
domain_use_interactive_fds(virtd_lxc_t)
|
||||
|
||||
@ -117120,7 +117297,7 @@ index f03dcf5..fee0027 100644
|
||||
fs_getattr_all_fs(virtd_lxc_t)
|
||||
fs_manage_tmpfs_dirs(virtd_lxc_t)
|
||||
fs_manage_tmpfs_chr_files(virtd_lxc_t)
|
||||
@@ -964,8 +1253,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
|
||||
@@ -964,8 +1255,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
|
||||
fs_unmount_all_fs(virtd_lxc_t)
|
||||
fs_relabelfrom_tmpfs(virtd_lxc_t)
|
||||
|
||||
@ -117144,7 +117321,7 @@ index f03dcf5..fee0027 100644
|
||||
selinux_get_enforce_mode(virtd_lxc_t)
|
||||
selinux_get_fs_mount(virtd_lxc_t)
|
||||
selinux_validate_context(virtd_lxc_t)
|
||||
@@ -974,194 +1278,296 @@ selinux_compute_create_context(virtd_lxc_t)
|
||||
@@ -974,194 +1280,296 @@ selinux_compute_create_context(virtd_lxc_t)
|
||||
selinux_compute_relabel_context(virtd_lxc_t)
|
||||
selinux_compute_user_contexts(virtd_lxc_t)
|
||||
|
||||
@ -117588,7 +117765,7 @@ index f03dcf5..fee0027 100644
|
||||
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
|
||||
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
|
||||
@@ -1174,12 +1580,12 @@ dev_read_sysfs(virt_qmf_t)
|
||||
@@ -1174,12 +1582,12 @@ dev_read_sysfs(virt_qmf_t)
|
||||
dev_read_rand(virt_qmf_t)
|
||||
dev_read_urand(virt_qmf_t)
|
||||
|
||||
@ -117603,7 +117780,7 @@ index f03dcf5..fee0027 100644
|
||||
sysnet_read_config(virt_qmf_t)
|
||||
|
||||
optional_policy(`
|
||||
@@ -1192,7 +1598,7 @@ optional_policy(`
|
||||
@@ -1192,7 +1600,7 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -117612,7 +117789,7 @@ index f03dcf5..fee0027 100644
|
||||
#
|
||||
|
||||
allow virt_bridgehelper_t self:process { setcap getcap };
|
||||
@@ -1201,11 +1607,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
||||
@@ -1201,11 +1609,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
||||
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
|
||||
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
|
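Review bot: The newly added `sssd_dontaudit_run_stream_connect` interface in sssd.if requires `type sssd_t, sssd_var_lib_t;` but its second rule is `dontaudit $1 sssd_var_run_t:sock_file { read write };`, so `sssd_var_run_t` is referenced without being declared in the gen_require while `sssd_var_lib_t` is required and never used; a module that calls this interface without otherwise pulling in sssd_var_run_t will fail to compile on the undeclared type. The require block should read `type sssd_t, sssd_var_run_t;`, matching the sibling `sssd_run_stream_connect` interface added directly above it. Separately, in virt.te the new `storage_raw_read_fixed_disk(svirt_t)` line grants every svirt_t guest process raw read access to all fixed_disk_device_t nodes unconditionally; since the changelog ties it to blockcommit, a one-line comment above it such as `# raw read of fixed disks is needed for blockcommit on block-backed images` would record that rationale for the next reviewer of the svirt_t isolation boundary, and gating it behind a tunable is worth considering if not every deployment needs it.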
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 253%{?dist}
|
||||
Release: 254%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -689,6 +689,21 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon May 15 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-254
|
||||
- Allow svirt_t to read raw fixed_disk_device_t to make working blockcommit
|
||||
- ejabberd small fixes
|
||||
- Update targetd policy to accommodate changes in the service
|
||||
- Allow tomcat_domain connect to * postgresql_port_t * amqp_port_t Allow tomcat_domain read network sysctls
|
||||
- Allow virt_domain to read raw fixed_disk_device_t to make working blockcommit
|
||||
- Allow glusterd_t domain start ganesha service
|
||||
- Made few cosmetic changes in sssd SELinux module
|
||||
- Merge pull request #11 from lslebodn/sssd_kcm
|
||||
- Update virt_rw_stream_sockets_svirt() interface to allow confined users set socket options.
|
||||
- Allow keepalived_t domain read usermodehelper_t
|
||||
- Allow radius domain stream connec to postgresql
|
||||
- Merge pull request #8 from bowlofeggs/142-rawhide
|
||||
- Add fs_manage_configfs_lnk_files() interface
|
||||
|
||||
* Fri May 12 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-253
|
||||
- auth_use_nsswitch can call only domain not attribute
|
||||
- Dontaudit net_admin cap for winbind_t
|
||||
|