* Tue Jun 07 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-194

- Allow boinc to use dri devices. This allows Boinc to be used for OpenCL GPU calculations. BZ(1340886)
- Add nrpe_dontaudit_write_pipes()
- Merge pull request #129 from rhatdan/onload
- Add support for onloadfs
- Merge pull request #127 from rhatdan/device-node
- Additional access required for unconfined domains
- Dontaudit ping attempts to write to nrpe unnamed pipes
- Allow ifconfig_t to mounton also ifconfig_var_run_t dirs, not just files. Needed for: #ip netns add foo BZ(1340952)
Lukas Vrabec 2016-06-07 15:57:53 +02:00
parent 2506c08574
commit c2ab480fb0
4 changed files with 155 additions and 136 deletions

Binary file not shown.


@ -1961,7 +1961,7 @@ index c6ca761..0c86bfd 100644
')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index c44c359..5210ca5 100644
index c44c359..ae484a0 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1)
@ -2077,7 +2077,11 @@ index c44c359..5210ca5 100644
ifdef(`hide_broken_symptoms',`
init_dontaudit_use_fds(ping_t)
@@ -149,11 +156,25 @@ ifdef(`hide_broken_symptoms',`
@@ -146,14 +153,29 @@ ifdef(`hide_broken_symptoms',`
optional_policy(`
nagios_dontaudit_rw_log(ping_t)
nagios_dontaudit_rw_pipes(ping_t)
+ nagios_dontaudit_write_pipes_nrpe(ping_t)
')
')
@ -2103,7 +2107,7 @@ index c44c359..5210ca5 100644
pcmcia_use_cardmgr_fds(ping_t)
')
@@ -161,6 +182,15 @@ optional_policy(`
@@ -161,6 +183,15 @@ optional_policy(`
hotplug_use_fds(ping_t)
')
@ -2119,7 +2123,7 @@ index c44c359..5210ca5 100644
########################################
#
# Traceroute local policy
@@ -174,7 +204,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
@@ -174,7 +205,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t)
@ -2127,7 +2131,7 @@ index c44c359..5210ca5 100644
corenet_all_recvfrom_netlabel(traceroute_t)
corenet_tcp_sendrecv_generic_if(traceroute_t)
corenet_udp_sendrecv_generic_if(traceroute_t)
@@ -198,6 +227,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
@@ -198,6 +228,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
domain_use_interactive_fds(traceroute_t)
files_read_etc_files(traceroute_t)
@ -2135,7 +2139,7 @@ index c44c359..5210ca5 100644
files_dontaudit_search_var(traceroute_t)
init_use_fds(traceroute_t)
@@ -206,11 +236,17 @@ auth_use_nsswitch(traceroute_t)
@@ -206,11 +237,17 @@ auth_use_nsswitch(traceroute_t)
logging_send_syslog_msg(traceroute_t)
@ -9743,7 +9747,7 @@ index 76f285e..5cd2702 100644
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
+')
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 0b1a871..8d4003a 100644
index 0b1a871..4cef59b 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -15,11 +15,12 @@ attribute devices_unconfined_type;
@ -9899,7 +9903,7 @@ index 0b1a871..8d4003a 100644
# Type for vmware devices.
type vmware_device_t;
@@ -319,5 +371,6 @@ files_associate_tmp(device_node)
@@ -319,5 +371,8 @@ files_associate_tmp(device_node)
#
allow devices_unconfined_type self:capability sys_rawio;
@ -9908,6 +9912,8 @@ index 0b1a871..8d4003a 100644
+allow devices_unconfined_type device_node:{ blk_file lnk_file } *;
+allow devices_unconfined_type device_node:{ file chr_file } ~{ execmod entrypoint };
+allow devices_unconfined_type mtrr_device_t:file ~{ execmod entrypoint };
+dev_getattr_all(devices_unconfined_type)
+
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 6a1e4d1..26e5558 100644
--- a/policy/modules/kernel/domain.if
@ -17882,7 +17888,7 @@ index d7c11a0..6b3331d 100644
/var/run/shm/.* <<none>>
-')
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 8416beb..531dfef 100644
index 8416beb..761fbab 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@ -19654,16 +19660,11 @@ index 8416beb..531dfef 100644
########################################
## <summary>
## Mount a NFS filesystem.
@@ -2356,44 +3283,62 @@ interface(`fs_remount_nfs',`
type nfs_t;
')
@@ -2361,39 +3288,57 @@ interface(`fs_remount_nfs',`
- allow $1 nfs_t:filesystem remount;
+ allow $1 nfs_t:filesystem remount;
+')
+
+########################################
+## <summary>
########################################
## <summary>
-## Unmount a NFS filesystem.
+## Unmount a NFS filesystem.
+## </summary>
+## <param name="domain">
@ -19678,11 +19679,10 @@ index 8416beb..531dfef 100644
+ ')
+
+ allow $1 nfs_t:filesystem unmount;
')
########################################
## <summary>
-## Unmount a NFS filesystem.
+')
+
+########################################
+## <summary>
+## Get the attributes of a NFS filesystem.
## </summary>
## <param name="domain">
@ -20153,38 +20153,11 @@ index 8416beb..531dfef 100644
## Get the attributes of a tmpfs
## filesystem.
## </summary>
@@ -3839,39 +5047,76 @@ interface(`fs_getattr_tmpfs',`
## </summary>
## <param name="type">
## <summary>
-## The type of the object to be associated.
+## The type of the object to be associated.
+## </summary>
+## </param>
+#
+interface(`fs_associate_tmpfs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:filesystem associate;
+')
+
+########################################
+## <summary>
+## Relabel from tmpfs filesystem.
+## </summary>
+## <param name="type">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_relabelfrom_tmpfs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
@@ -3866,12 +5074,49 @@ interface(`fs_relabelfrom_tmpfs',`
type tmpfs_t;
')
- allow $1 tmpfs_t:filesystem relabelfrom;
+ allow $1 tmpfs_t:filesystem relabelfrom;
+')
+
@ -20195,40 +20168,33 @@ index 8416beb..531dfef 100644
+## <param name="domain">
+## <summary>
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`fs_associate_tmpfs',`
+## </summary>
+## </param>
+#
+interface(`fs_getattr_tmpfs_dirs',`
gen_require(`
type tmpfs_t;
')
- allow $1 tmpfs_t:filesystem associate;
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:dir getattr;
')
########################################
## <summary>
-## Relabel from tmpfs filesystem.
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of tmpfs directories.
## </summary>
-## <param name="type">
+## </summary>
+## <param name="domain">
## <summary>
-## Domain allowed access.
+## <summary>
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`fs_relabelfrom_tmpfs',`
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_getattr_tmpfs_dirs',`
gen_require(`
type tmpfs_t;
')
- allow $1 tmpfs_t:filesystem relabelfrom;
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ dontaudit $1 tmpfs_t:dir getattr;
')
@ -20658,7 +20624,7 @@ index 8416beb..531dfef 100644
## Search all directories with a filesystem type.
## </summary>
## <param name="domain">
@@ -4912,3 +6345,63 @@ interface(`fs_unconfined',`
@@ -4912,3 +6345,82 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@ -20722,8 +20688,27 @@ index 8416beb..531dfef 100644
+
+ read_files_pattern($1, efivarfs_t, efivarfs_t)
+')
+
+########################################
+## <summary>
+## Read and write sockets of ONLOAD file system pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_rw_onload_sockets',`
+ gen_require(`
+ type onload_fs_t;
+ ')
+
+ rw_sock_files_pattern($1, onload_fs_t, onload_fs_t)
+')
+
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index e7d1738..fc52817 100644
index e7d1738..59c1cb8 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -26,14 +26,19 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
@ -20817,7 +20802,7 @@ index e7d1738..fc52817 100644
type mvfs_t;
fs_noxattr_type(mvfs_t)
allow mvfs_t self:filesystem associate;
@@ -118,13 +148,18 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
@@ -118,13 +148,23 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
type nfsd_fs_t;
fs_type(nfsd_fs_t)
@ -20827,6 +20812,11 @@ index e7d1738..fc52817 100644
+type nsfs_t;
+fs_type(nsfs_t)
+genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0)
+
+type onload_fs_t;
+fs_type(onload_fs_t)
+files_mountpoint(onload_fs_t)
+genfscon onloadfs / gen_context(system_u:object_r:onload_fs_t,s0)
+
type oprofilefs_t;
fs_type(oprofilefs_t)
@ -20837,7 +20827,7 @@ index e7d1738..fc52817 100644
fs_type(pstore_t)
files_mountpoint(pstore_t)
dev_associate_sysfs(pstore_t)
@@ -150,17 +185,16 @@ fs_type(spufs_t)
@@ -150,17 +190,16 @@ fs_type(spufs_t)
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
files_mountpoint(spufs_t)
@ -20859,7 +20849,7 @@ index e7d1738..fc52817 100644
type vmblock_t;
fs_noxattr_type(vmblock_t)
files_mountpoint(vmblock_t)
@@ -172,6 +206,8 @@ type vxfs_t;
@@ -172,6 +211,8 @@ type vxfs_t;
fs_noxattr_type(vxfs_t)
files_mountpoint(vxfs_t)
genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
@ -20868,7 +20858,7 @@ index e7d1738..fc52817 100644
#
# tmpfs_t is the type for tmpfs filesystems
@@ -182,6 +218,8 @@ fs_type(tmpfs_t)
@@ -182,6 +223,8 @@ fs_type(tmpfs_t)
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)
files_poly_parent(tmpfs_t)
@ -20877,7 +20867,7 @@ index e7d1738..fc52817 100644
# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
@@ -261,6 +299,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
@@ -261,6 +304,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
@ -20886,7 +20876,7 @@ index e7d1738..fc52817 100644
files_mountpoint(removable_t)
#
@@ -280,6 +320,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -280,6 +325,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@ -20894,7 +20884,7 @@ index e7d1738..fc52817 100644
########################################
#
@@ -301,9 +342,10 @@ fs_associate_noxattr(noxattrfs)
@@ -301,9 +347,10 @@ fs_associate_noxattr(noxattrfs)
# Unconfined access to this module
#
@ -22211,7 +22201,7 @@ index e100d88..1428581 100644
+')
+
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 8dbab4c..092e065 100644
index 8dbab4c..5b93205 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined;
@ -22516,7 +22506,7 @@ index 8dbab4c..092e065 100644
-allow kern_unconfined sysctl_type:{ dir file } *;
+allow kern_unconfined sysctl_type:{ file } ~entrypoint;
+allow kern_unconfined sysctl_type:{ dir } *;
+allow kern_unconfined sysctl_type:{ dir lnk_file } *;
allow kern_unconfined kernel_t:system *;
@ -45976,7 +45966,7 @@ index 2cea692..bf86a31 100644
+ files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index a392fc4..78fa512 100644
index a392fc4..155d5ce 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4)
@ -46210,7 +46200,7 @@ index a392fc4..78fa512 100644
vmware_append_log(dhcpc_t)
')
@@ -264,12 +313,25 @@ allow ifconfig_t self:msgq create_msgq_perms;
@@ -264,12 +313,26 @@ allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
@ -46232,11 +46222,12 @@ index a392fc4..78fa512 100644
+create_dirs_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t)
+files_pid_filetrans(ifconfig_t, ifconfig_var_run_t, { file dir })
+allow ifconfig_t ifconfig_var_run_t:file mounton;
+allow ifconfig_t ifconfig_var_run_t:dir mounton;
+
kernel_use_fds(ifconfig_t)
kernel_read_system_state(ifconfig_t)
kernel_read_network_state(ifconfig_t)
@@ -279,14 +341,32 @@ kernel_rw_net_sysctls(ifconfig_t)
@@ -279,14 +342,32 @@ kernel_rw_net_sysctls(ifconfig_t)
corenet_rw_tun_tap_dev(ifconfig_t)
@ -46269,7 +46260,7 @@ index a392fc4..78fa512 100644
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
@@ -299,33 +379,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
@@ -299,33 +380,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
term_dontaudit_use_ptmx(ifconfig_t)
term_dontaudit_use_generic_ptys(ifconfig_t)
@ -46327,7 +46318,7 @@ index a392fc4..78fa512 100644
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
@@ -336,7 +434,11 @@ ifdef(`hide_broken_symptoms',`
@@ -336,7 +435,11 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
@ -46340,7 +46331,7 @@ index a392fc4..78fa512 100644
')
optional_policy(`
@@ -350,7 +452,16 @@ optional_policy(`
@@ -350,7 +453,16 @@ optional_policy(`
')
optional_policy(`
@ -46358,7 +46349,7 @@ index a392fc4..78fa512 100644
')
optional_policy(`
@@ -371,3 +482,13 @@ optional_policy(`
@@ -371,3 +483,13 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
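Review bot: The summary of the new `fs_rw_onload_sockets` interface in filesystem.if reads "Read and write sockets of ONLOAD file system pipes.", which names two different object classes, while the body only calls `rw_sock_files_pattern($1, onload_fs_t, onload_fs_t)`. Policy authors rely on the summary to decide whether to call an interface, so it should state the access actually granted, for example `## Read and write onloadfs socket files.`. No caller of this interface is visible on this page, so it is worth confirming which domain is meant to use it alongside the new `onload_fs_t` type.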


@ -10794,7 +10794,7 @@ index 02fefaa..308616e 100644
+ ')
')
diff --git a/boinc.te b/boinc.te
index 687d4c4..3c5a83a 100644
index 687d4c4..f668033 100644
--- a/boinc.te
+++ b/boinc.te
@@ -12,7 +12,9 @@ policy_module(boinc, 1.1.1)
@ -10887,7 +10887,7 @@ index 687d4c4..3c5a83a 100644
manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
@@ -61,74 +101,48 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
@@ -61,74 +101,49 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
@ -10925,6 +10925,7 @@ index 687d4c4..3c5a83a 100644
-corenet_all_recvfrom_unlabeled(boinc_t)
+dev_getattr_mouse_dev(boinc_t)
+dev_rw_dri(boinc_t)
+
+files_getattr_all_dirs(boinc_t)
+files_getattr_all_files(boinc_t)
@ -10984,7 +10985,7 @@ index 687d4c4..3c5a83a 100644
term_getattr_all_ptys(boinc_t)
term_getattr_unallocated_ttys(boinc_t)
@@ -137,8 +151,9 @@ init_read_utmp(boinc_t)
@@ -137,8 +152,9 @@ init_read_utmp(boinc_t)
logging_send_syslog_msg(boinc_t)
@ -10996,7 +10997,7 @@ index 687d4c4..3c5a83a 100644
tunable_policy(`boinc_execmem',`
allow boinc_t self:process { execstack execmem };
@@ -148,48 +163,61 @@ optional_policy(`
@@ -148,48 +164,61 @@ optional_policy(`
mta_send_mail(boinc_t)
')
@ -57009,7 +57010,7 @@ index d78dfc3..40e1c77 100644
-/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
diff --git a/nagios.if b/nagios.if
index 0641e97..438eeb3 100644
index 0641e97..f3b1111 100644
--- a/nagios.if
+++ b/nagios.if
@@ -1,12 +1,13 @@
@ -57058,12 +57059,10 @@ index 0641e97..438eeb3 100644
+
+ kernel_read_system_state(nagios_$1_plugin_t)
+
')
########################################
## <summary>
-## Do not audit attempts to read or
-## write nagios unnamed pipes.
+')
+
+########################################
+## <summary>
+## Execute the nagios unconfined plugins with
+## a domain transition.
+## </summary>
@ -57080,10 +57079,12 @@ index 0641e97..438eeb3 100644
+ ')
+
+ domtrans_pattern($1, nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t)
+')
+
+########################################
+## <summary>
')
########################################
## <summary>
-## Do not audit attempts to read or
-## write nagios unnamed pipes.
+## Do not audit attempts to read or write nagios
+## unnamed pipes.
## </summary>
@ -57160,10 +57161,11 @@ index 0641e97..438eeb3 100644
- files_search_spool($1)
allow $1 nagios_spool_t:dir search_dir_perms;
+ files_search_spool($1)
+')
+
+########################################
+## <summary>
')
########################################
## <summary>
-## Read nagios temporary files.
+## Append nagios spool files.
+## </summary>
+## <param name="domain">
@ -57179,11 +57181,10 @@ index 0641e97..438eeb3 100644
+
+ allow $1 nagios_spool_t:file append_file_perms;
+ files_search_spool($1)
')
########################################
## <summary>
-## Read nagios temporary files.
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## nagios temporary files.
## </summary>
@ -57196,11 +57197,10 @@ index 0641e97..438eeb3 100644
- files_search_tmp($1)
allow $1 nagios_tmp_t:file read_file_perms;
+ files_search_tmp($1)
')
########################################
## <summary>
-## Execute nrpe with a domain transition.
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## nagios temporary files.
+## </summary>
@ -57217,16 +57217,17 @@ index 0641e97..438eeb3 100644
+
+ allow $1 nagios_tmp_t:file rw_inherited_file_perms;
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
')
########################################
## <summary>
-## Execute nrpe with a domain transition.
+## Execute the nagios NRPE with
+## a domain transition.
## </summary>
## <param name="domain">
## <summary>
@@ -170,14 +243,13 @@ interface(`nagios_domtrans_nrpe',`
@@ -170,14 +243,31 @@ interface(`nagios_domtrans_nrpe',`
type nrpe_t, nrpe_exec_t;
')
@ -57234,6 +57235,24 @@ index 0641e97..438eeb3 100644
domtrans_pattern($1, nrpe_exec_t, nrpe_t)
')
+######################################
+## <summary>
+## Do not audit attempts to write nrpe daemon unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nagios_dontaudit_write_pipes_nrpe',`
+ gen_require(`
+ type nrpe_t;
+ ')
+
+ dontaudit $1 nrpe_t:fifo_file write;
+')
+
########################################
## <summary>
-## All of the rules required to
@ -57243,7 +57262,7 @@ index 0641e97..438eeb3 100644
## </summary>
## <param name="domain">
## <summary>
@@ -186,44 +258,43 @@ interface(`nagios_domtrans_nrpe',`
@@ -186,44 +276,43 @@ interface(`nagios_domtrans_nrpe',`
## </param>
## <param name="role">
## <summary>
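Review bot: The parameter description of the new `nagios_dontaudit_write_pipes_nrpe` interface in nagios.if says "Domain allowed access.", but the body is `dontaudit $1 nrpe_t:fifo_file write;`, which grants nothing and only suppresses the denial record. It should use the wording of the other dontaudit interfaces, `## Domain to not audit.`, so that anyone triaging missing AVC denials can tell from the documentation that this call hides them. The changelog entry also names the interface `nrpe_dontaudit_write_pipes()`, which does not match the identifier defined here and will mislead anyone searching the policy for it.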


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 193%{?dist}
Release: 194%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -647,6 +647,15 @@ exit 0
%endif
%changelog
* Tue Jun 07 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-194
- Allow boinc to use dri devices. This allows use Boinc for a openCL GPU calculations. BZ(1340886)
- Add nrpe_dontaudit_write_pipes()
- Merge pull request #129 from rhatdan/onload
- Add support for onloadfs
- Merge pull request #127 from rhatdan/device-node
- Additional access required for unconfined domains
- Dontaudit ping attempts to write to nrpe unnamed pipes
- Allow ifconfig_t to mounton also ifconfig_var_run_t dirs, not just files. Needed for: #ip netns add foo BZ(1340952)
* Mon May 30 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-193
- Directory Server (389-ds-base) has been updated to use systemd-ask-password. In order to function correctly we need the following added to dirsrv.te
- Update opendnssec_manage_config() interface to allow caller domain also manage opendnssec_conf_t dirs