* Tue Jun 07 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-194
- Allow boinc to use dri devices. This allows Boinc to be used for OpenCL GPU calculations. BZ(1340886) - Add nrpe_dontaudit_write_pipes() - Merge pull request #129 from rhatdan/onload - Add support for onloadfs - Merge pull request #127 from rhatdan/device-node - Additional access required for unconfined domains - Dontaudit ping attempts to write to nrpe unnamed pipes - Allow ifconfig_t to also mounton ifconfig_var_run_t dirs, not just files. Needed for: #ip netns add foo BZ(1340952)
parent
2506c08574
commit
c2ab480fb0
Binary file not shown.
@ -1961,7 +1961,7 @@ index c6ca761..0c86bfd 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
|
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
|
||||||
index c44c359..5210ca5 100644
|
index c44c359..ae484a0 100644
|
||||||
--- a/policy/modules/admin/netutils.te
|
--- a/policy/modules/admin/netutils.te
|
||||||
+++ b/policy/modules/admin/netutils.te
|
+++ b/policy/modules/admin/netutils.te
|
||||||
@@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1)
|
@@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1)
|
||||||
@ -2077,7 +2077,11 @@ index c44c359..5210ca5 100644
|
|||||||
|
|
||||||
ifdef(`hide_broken_symptoms',`
|
ifdef(`hide_broken_symptoms',`
|
||||||
init_dontaudit_use_fds(ping_t)
|
init_dontaudit_use_fds(ping_t)
|
||||||
@@ -149,11 +156,25 @@ ifdef(`hide_broken_symptoms',`
|
@@ -146,14 +153,29 @@ ifdef(`hide_broken_symptoms',`
|
||||||
|
optional_policy(`
|
||||||
|
nagios_dontaudit_rw_log(ping_t)
|
||||||
|
nagios_dontaudit_rw_pipes(ping_t)
|
||||||
|
+ nagios_dontaudit_write_pipes_nrpe(ping_t)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -2103,7 +2107,7 @@ index c44c359..5210ca5 100644
|
|||||||
pcmcia_use_cardmgr_fds(ping_t)
|
pcmcia_use_cardmgr_fds(ping_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -161,6 +182,15 @@ optional_policy(`
|
@@ -161,6 +183,15 @@ optional_policy(`
|
||||||
hotplug_use_fds(ping_t)
|
hotplug_use_fds(ping_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -2119,7 +2123,7 @@ index c44c359..5210ca5 100644
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Traceroute local policy
|
# Traceroute local policy
|
||||||
@@ -174,7 +204,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
|
@@ -174,7 +205,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
|
||||||
kernel_read_system_state(traceroute_t)
|
kernel_read_system_state(traceroute_t)
|
||||||
kernel_read_network_state(traceroute_t)
|
kernel_read_network_state(traceroute_t)
|
||||||
|
|
||||||
@ -2127,7 +2131,7 @@ index c44c359..5210ca5 100644
|
|||||||
corenet_all_recvfrom_netlabel(traceroute_t)
|
corenet_all_recvfrom_netlabel(traceroute_t)
|
||||||
corenet_tcp_sendrecv_generic_if(traceroute_t)
|
corenet_tcp_sendrecv_generic_if(traceroute_t)
|
||||||
corenet_udp_sendrecv_generic_if(traceroute_t)
|
corenet_udp_sendrecv_generic_if(traceroute_t)
|
||||||
@@ -198,6 +227,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
|
@@ -198,6 +228,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
|
||||||
domain_use_interactive_fds(traceroute_t)
|
domain_use_interactive_fds(traceroute_t)
|
||||||
|
|
||||||
files_read_etc_files(traceroute_t)
|
files_read_etc_files(traceroute_t)
|
||||||
@ -2135,7 +2139,7 @@ index c44c359..5210ca5 100644
|
|||||||
files_dontaudit_search_var(traceroute_t)
|
files_dontaudit_search_var(traceroute_t)
|
||||||
|
|
||||||
init_use_fds(traceroute_t)
|
init_use_fds(traceroute_t)
|
||||||
@@ -206,11 +236,17 @@ auth_use_nsswitch(traceroute_t)
|
@@ -206,11 +237,17 @@ auth_use_nsswitch(traceroute_t)
|
||||||
|
|
||||||
logging_send_syslog_msg(traceroute_t)
|
logging_send_syslog_msg(traceroute_t)
|
||||||
|
|
||||||
@ -9743,7 +9747,7 @@ index 76f285e..5cd2702 100644
|
|||||||
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
|
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
|
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
|
||||||
index 0b1a871..8d4003a 100644
|
index 0b1a871..4cef59b 100644
|
||||||
--- a/policy/modules/kernel/devices.te
|
--- a/policy/modules/kernel/devices.te
|
||||||
+++ b/policy/modules/kernel/devices.te
|
+++ b/policy/modules/kernel/devices.te
|
||||||
@@ -15,11 +15,12 @@ attribute devices_unconfined_type;
|
@@ -15,11 +15,12 @@ attribute devices_unconfined_type;
|
||||||
@ -9899,7 +9903,7 @@ index 0b1a871..8d4003a 100644
|
|||||||
|
|
||||||
# Type for vmware devices.
|
# Type for vmware devices.
|
||||||
type vmware_device_t;
|
type vmware_device_t;
|
||||||
@@ -319,5 +371,6 @@ files_associate_tmp(device_node)
|
@@ -319,5 +371,8 @@ files_associate_tmp(device_node)
|
||||||
#
|
#
|
||||||
|
|
||||||
allow devices_unconfined_type self:capability sys_rawio;
|
allow devices_unconfined_type self:capability sys_rawio;
|
||||||
@ -9908,6 +9912,8 @@ index 0b1a871..8d4003a 100644
|
|||||||
+allow devices_unconfined_type device_node:{ blk_file lnk_file } *;
|
+allow devices_unconfined_type device_node:{ blk_file lnk_file } *;
|
||||||
+allow devices_unconfined_type device_node:{ file chr_file } ~{ execmod entrypoint };
|
+allow devices_unconfined_type device_node:{ file chr_file } ~{ execmod entrypoint };
|
||||||
+allow devices_unconfined_type mtrr_device_t:file ~{ execmod entrypoint };
|
+allow devices_unconfined_type mtrr_device_t:file ~{ execmod entrypoint };
|
||||||
|
+dev_getattr_all(devices_unconfined_type)
|
||||||
|
+
|
||||||
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
|
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
|
||||||
index 6a1e4d1..26e5558 100644
|
index 6a1e4d1..26e5558 100644
|
||||||
--- a/policy/modules/kernel/domain.if
|
--- a/policy/modules/kernel/domain.if
|
||||||
@ -17882,7 +17888,7 @@ index d7c11a0..6b3331d 100644
|
|||||||
/var/run/shm/.* <<none>>
|
/var/run/shm/.* <<none>>
|
||||||
-')
|
-')
|
||||||
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
|
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
|
||||||
index 8416beb..531dfef 100644
|
index 8416beb..761fbab 100644
|
||||||
--- a/policy/modules/kernel/filesystem.if
|
--- a/policy/modules/kernel/filesystem.if
|
||||||
+++ b/policy/modules/kernel/filesystem.if
|
+++ b/policy/modules/kernel/filesystem.if
|
||||||
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
|
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
|
||||||
@ -19654,16 +19660,11 @@ index 8416beb..531dfef 100644
|
|||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Mount a NFS filesystem.
|
## Mount a NFS filesystem.
|
||||||
@@ -2356,44 +3283,62 @@ interface(`fs_remount_nfs',`
|
@@ -2361,39 +3288,57 @@ interface(`fs_remount_nfs',`
|
||||||
type nfs_t;
|
|
||||||
')
|
|
||||||
|
|
||||||
- allow $1 nfs_t:filesystem remount;
|
########################################
|
||||||
+ allow $1 nfs_t:filesystem remount;
|
## <summary>
|
||||||
+')
|
-## Unmount a NFS filesystem.
|
||||||
+
|
|
||||||
+########################################
|
|
||||||
+## <summary>
|
|
||||||
+## Unmount a NFS filesystem.
|
+## Unmount a NFS filesystem.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
@ -19678,11 +19679,10 @@ index 8416beb..531dfef 100644
|
|||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ allow $1 nfs_t:filesystem unmount;
|
+ allow $1 nfs_t:filesystem unmount;
|
||||||
')
|
+')
|
||||||
|
+
|
||||||
########################################
|
+########################################
|
||||||
## <summary>
|
+## <summary>
|
||||||
-## Unmount a NFS filesystem.
|
|
||||||
+## Get the attributes of a NFS filesystem.
|
+## Get the attributes of a NFS filesystem.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@ -20153,38 +20153,11 @@ index 8416beb..531dfef 100644
|
|||||||
## Get the attributes of a tmpfs
|
## Get the attributes of a tmpfs
|
||||||
## filesystem.
|
## filesystem.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -3839,39 +5047,76 @@ interface(`fs_getattr_tmpfs',`
|
@@ -3866,12 +5074,49 @@ interface(`fs_relabelfrom_tmpfs',`
|
||||||
## </summary>
|
type tmpfs_t;
|
||||||
## <param name="type">
|
')
|
||||||
## <summary>
|
|
||||||
-## The type of the object to be associated.
|
- allow $1 tmpfs_t:filesystem relabelfrom;
|
||||||
+## The type of the object to be associated.
|
|
||||||
+## </summary>
|
|
||||||
+## </param>
|
|
||||||
+#
|
|
||||||
+interface(`fs_associate_tmpfs',`
|
|
||||||
+ gen_require(`
|
|
||||||
+ type tmpfs_t;
|
|
||||||
+ ')
|
|
||||||
+
|
|
||||||
+ allow $1 tmpfs_t:filesystem associate;
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
+########################################
|
|
||||||
+## <summary>
|
|
||||||
+## Relabel from tmpfs filesystem.
|
|
||||||
+## </summary>
|
|
||||||
+## <param name="type">
|
|
||||||
+## <summary>
|
|
||||||
+## Domain allowed access.
|
|
||||||
+## </summary>
|
|
||||||
+## </param>
|
|
||||||
+#
|
|
||||||
+interface(`fs_relabelfrom_tmpfs',`
|
|
||||||
+ gen_require(`
|
|
||||||
+ type tmpfs_t;
|
|
||||||
+ ')
|
|
||||||
+
|
|
||||||
+ allow $1 tmpfs_t:filesystem relabelfrom;
|
+ allow $1 tmpfs_t:filesystem relabelfrom;
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
@ -20195,40 +20168,33 @@ index 8416beb..531dfef 100644
|
|||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Domain allowed access.
|
+## Domain allowed access.
|
||||||
## </summary>
|
+## </summary>
|
||||||
## </param>
|
+## </param>
|
||||||
#
|
+#
|
||||||
-interface(`fs_associate_tmpfs',`
|
|
||||||
+interface(`fs_getattr_tmpfs_dirs',`
|
+interface(`fs_getattr_tmpfs_dirs',`
|
||||||
gen_require(`
|
+ gen_require(`
|
||||||
type tmpfs_t;
|
+ type tmpfs_t;
|
||||||
')
|
+ ')
|
||||||
|
+
|
||||||
- allow $1 tmpfs_t:filesystem associate;
|
|
||||||
+ allow $1 tmpfs_t:dir getattr;
|
+ allow $1 tmpfs_t:dir getattr;
|
||||||
')
|
+')
|
||||||
|
+
|
||||||
########################################
|
+########################################
|
||||||
## <summary>
|
+## <summary>
|
||||||
-## Relabel from tmpfs filesystem.
|
|
||||||
+## Do not audit attempts to get the attributes
|
+## Do not audit attempts to get the attributes
|
||||||
+## of tmpfs directories.
|
+## of tmpfs directories.
|
||||||
## </summary>
|
+## </summary>
|
||||||
-## <param name="type">
|
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
## <summary>
|
+## <summary>
|
||||||
-## Domain allowed access.
|
|
||||||
+## Domain to not audit.
|
+## Domain to not audit.
|
||||||
## </summary>
|
+## </summary>
|
||||||
## </param>
|
+## </param>
|
||||||
#
|
+#
|
||||||
-interface(`fs_relabelfrom_tmpfs',`
|
|
||||||
+interface(`fs_dontaudit_getattr_tmpfs_dirs',`
|
+interface(`fs_dontaudit_getattr_tmpfs_dirs',`
|
||||||
gen_require(`
|
+ gen_require(`
|
||||||
type tmpfs_t;
|
+ type tmpfs_t;
|
||||||
')
|
+ ')
|
||||||
|
+
|
||||||
- allow $1 tmpfs_t:filesystem relabelfrom;
|
|
||||||
+ dontaudit $1 tmpfs_t:dir getattr;
|
+ dontaudit $1 tmpfs_t:dir getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -20658,7 +20624,7 @@ index 8416beb..531dfef 100644
|
|||||||
## Search all directories with a filesystem type.
|
## Search all directories with a filesystem type.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -4912,3 +6345,63 @@ interface(`fs_unconfined',`
|
@@ -4912,3 +6345,82 @@ interface(`fs_unconfined',`
|
||||||
|
|
||||||
typeattribute $1 filesystem_unconfined_type;
|
typeattribute $1 filesystem_unconfined_type;
|
||||||
')
|
')
|
||||||
@ -20722,8 +20688,27 @@ index 8416beb..531dfef 100644
|
|||||||
+
|
+
|
||||||
+ read_files_pattern($1, efivarfs_t, efivarfs_t)
|
+ read_files_pattern($1, efivarfs_t, efivarfs_t)
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Read and write sockets of ONLOAD file system pipes.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`fs_rw_onload_sockets',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type onload_fs_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ rw_sock_files_pattern($1, onload_fs_t, onload_fs_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
|
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
|
||||||
index e7d1738..fc52817 100644
|
index e7d1738..59c1cb8 100644
|
||||||
--- a/policy/modules/kernel/filesystem.te
|
--- a/policy/modules/kernel/filesystem.te
|
||||||
+++ b/policy/modules/kernel/filesystem.te
|
+++ b/policy/modules/kernel/filesystem.te
|
||||||
@@ -26,14 +26,19 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
|
@@ -26,14 +26,19 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
|
||||||
@ -20817,7 +20802,7 @@ index e7d1738..fc52817 100644
|
|||||||
type mvfs_t;
|
type mvfs_t;
|
||||||
fs_noxattr_type(mvfs_t)
|
fs_noxattr_type(mvfs_t)
|
||||||
allow mvfs_t self:filesystem associate;
|
allow mvfs_t self:filesystem associate;
|
||||||
@@ -118,13 +148,18 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
|
@@ -118,13 +148,23 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
|
||||||
|
|
||||||
type nfsd_fs_t;
|
type nfsd_fs_t;
|
||||||
fs_type(nfsd_fs_t)
|
fs_type(nfsd_fs_t)
|
||||||
@ -20827,6 +20812,11 @@ index e7d1738..fc52817 100644
|
|||||||
+type nsfs_t;
|
+type nsfs_t;
|
||||||
+fs_type(nsfs_t)
|
+fs_type(nsfs_t)
|
||||||
+genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0)
|
+genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0)
|
||||||
|
+
|
||||||
|
+type onload_fs_t;
|
||||||
|
+fs_type(onload_fs_t)
|
||||||
|
+files_mountpoint(onload_fs_t)
|
||||||
|
+genfscon onloadfs / gen_context(system_u:object_r:onload_fs_t,s0)
|
||||||
+
|
+
|
||||||
type oprofilefs_t;
|
type oprofilefs_t;
|
||||||
fs_type(oprofilefs_t)
|
fs_type(oprofilefs_t)
|
||||||
@ -20837,7 +20827,7 @@ index e7d1738..fc52817 100644
|
|||||||
fs_type(pstore_t)
|
fs_type(pstore_t)
|
||||||
files_mountpoint(pstore_t)
|
files_mountpoint(pstore_t)
|
||||||
dev_associate_sysfs(pstore_t)
|
dev_associate_sysfs(pstore_t)
|
||||||
@@ -150,17 +185,16 @@ fs_type(spufs_t)
|
@@ -150,17 +190,16 @@ fs_type(spufs_t)
|
||||||
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
|
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
|
||||||
files_mountpoint(spufs_t)
|
files_mountpoint(spufs_t)
|
||||||
|
|
||||||
@ -20859,7 +20849,7 @@ index e7d1738..fc52817 100644
|
|||||||
type vmblock_t;
|
type vmblock_t;
|
||||||
fs_noxattr_type(vmblock_t)
|
fs_noxattr_type(vmblock_t)
|
||||||
files_mountpoint(vmblock_t)
|
files_mountpoint(vmblock_t)
|
||||||
@@ -172,6 +206,8 @@ type vxfs_t;
|
@@ -172,6 +211,8 @@ type vxfs_t;
|
||||||
fs_noxattr_type(vxfs_t)
|
fs_noxattr_type(vxfs_t)
|
||||||
files_mountpoint(vxfs_t)
|
files_mountpoint(vxfs_t)
|
||||||
genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
|
genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
|
||||||
@ -20868,7 +20858,7 @@ index e7d1738..fc52817 100644
|
|||||||
|
|
||||||
#
|
#
|
||||||
# tmpfs_t is the type for tmpfs filesystems
|
# tmpfs_t is the type for tmpfs filesystems
|
||||||
@@ -182,6 +218,8 @@ fs_type(tmpfs_t)
|
@@ -182,6 +223,8 @@ fs_type(tmpfs_t)
|
||||||
files_type(tmpfs_t)
|
files_type(tmpfs_t)
|
||||||
files_mountpoint(tmpfs_t)
|
files_mountpoint(tmpfs_t)
|
||||||
files_poly_parent(tmpfs_t)
|
files_poly_parent(tmpfs_t)
|
||||||
@ -20877,7 +20867,7 @@ index e7d1738..fc52817 100644
|
|||||||
|
|
||||||
# Use a transition SID based on the allocating task SID and the
|
# Use a transition SID based on the allocating task SID and the
|
||||||
# filesystem SID to label inodes in the following filesystem types,
|
# filesystem SID to label inodes in the following filesystem types,
|
||||||
@@ -261,6 +299,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
|
@@ -261,6 +304,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
|
||||||
type removable_t;
|
type removable_t;
|
||||||
allow removable_t noxattrfs:filesystem associate;
|
allow removable_t noxattrfs:filesystem associate;
|
||||||
fs_noxattr_type(removable_t)
|
fs_noxattr_type(removable_t)
|
||||||
@ -20886,7 +20876,7 @@ index e7d1738..fc52817 100644
|
|||||||
files_mountpoint(removable_t)
|
files_mountpoint(removable_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
@@ -280,6 +320,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
|
@@ -280,6 +325,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||||
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
|
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||||
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
|
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||||
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
|
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||||
@ -20894,7 +20884,7 @@ index e7d1738..fc52817 100644
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@@ -301,9 +342,10 @@ fs_associate_noxattr(noxattrfs)
|
@@ -301,9 +347,10 @@ fs_associate_noxattr(noxattrfs)
|
||||||
# Unconfined access to this module
|
# Unconfined access to this module
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -22211,7 +22201,7 @@ index e100d88..1428581 100644
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
|
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
|
||||||
index 8dbab4c..092e065 100644
|
index 8dbab4c..5b93205 100644
|
||||||
--- a/policy/modules/kernel/kernel.te
|
--- a/policy/modules/kernel/kernel.te
|
||||||
+++ b/policy/modules/kernel/kernel.te
|
+++ b/policy/modules/kernel/kernel.te
|
||||||
@@ -25,6 +25,9 @@ attribute kern_unconfined;
|
@@ -25,6 +25,9 @@ attribute kern_unconfined;
|
||||||
@ -22516,7 +22506,7 @@ index 8dbab4c..092e065 100644
|
|||||||
|
|
||||||
-allow kern_unconfined sysctl_type:{ dir file } *;
|
-allow kern_unconfined sysctl_type:{ dir file } *;
|
||||||
+allow kern_unconfined sysctl_type:{ file } ~entrypoint;
|
+allow kern_unconfined sysctl_type:{ file } ~entrypoint;
|
||||||
+allow kern_unconfined sysctl_type:{ dir } *;
|
+allow kern_unconfined sysctl_type:{ dir lnk_file } *;
|
||||||
|
|
||||||
allow kern_unconfined kernel_t:system *;
|
allow kern_unconfined kernel_t:system *;
|
||||||
|
|
||||||
@ -45976,7 +45966,7 @@ index 2cea692..bf86a31 100644
|
|||||||
+ files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns")
|
+ files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns")
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
|
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
|
||||||
index a392fc4..78fa512 100644
|
index a392fc4..155d5ce 100644
|
||||||
--- a/policy/modules/system/sysnetwork.te
|
--- a/policy/modules/system/sysnetwork.te
|
||||||
+++ b/policy/modules/system/sysnetwork.te
|
+++ b/policy/modules/system/sysnetwork.te
|
||||||
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4)
|
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4)
|
||||||
@ -46210,7 +46200,7 @@ index a392fc4..78fa512 100644
|
|||||||
vmware_append_log(dhcpc_t)
|
vmware_append_log(dhcpc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -264,12 +313,25 @@ allow ifconfig_t self:msgq create_msgq_perms;
|
@@ -264,12 +313,26 @@ allow ifconfig_t self:msgq create_msgq_perms;
|
||||||
allow ifconfig_t self:msg { send receive };
|
allow ifconfig_t self:msg { send receive };
|
||||||
# Create UDP sockets, necessary when called from dhcpc
|
# Create UDP sockets, necessary when called from dhcpc
|
||||||
allow ifconfig_t self:udp_socket create_socket_perms;
|
allow ifconfig_t self:udp_socket create_socket_perms;
|
||||||
@ -46232,11 +46222,12 @@ index a392fc4..78fa512 100644
|
|||||||
+create_dirs_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t)
|
+create_dirs_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t)
|
||||||
+files_pid_filetrans(ifconfig_t, ifconfig_var_run_t, { file dir })
|
+files_pid_filetrans(ifconfig_t, ifconfig_var_run_t, { file dir })
|
||||||
+allow ifconfig_t ifconfig_var_run_t:file mounton;
|
+allow ifconfig_t ifconfig_var_run_t:file mounton;
|
||||||
|
+allow ifconfig_t ifconfig_var_run_t:dir mounton;
|
||||||
+
|
+
|
||||||
kernel_use_fds(ifconfig_t)
|
kernel_use_fds(ifconfig_t)
|
||||||
kernel_read_system_state(ifconfig_t)
|
kernel_read_system_state(ifconfig_t)
|
||||||
kernel_read_network_state(ifconfig_t)
|
kernel_read_network_state(ifconfig_t)
|
||||||
@@ -279,14 +341,32 @@ kernel_rw_net_sysctls(ifconfig_t)
|
@@ -279,14 +342,32 @@ kernel_rw_net_sysctls(ifconfig_t)
|
||||||
|
|
||||||
corenet_rw_tun_tap_dev(ifconfig_t)
|
corenet_rw_tun_tap_dev(ifconfig_t)
|
||||||
|
|
||||||
@ -46269,7 +46260,7 @@ index a392fc4..78fa512 100644
|
|||||||
|
|
||||||
fs_getattr_xattr_fs(ifconfig_t)
|
fs_getattr_xattr_fs(ifconfig_t)
|
||||||
fs_search_auto_mountpoints(ifconfig_t)
|
fs_search_auto_mountpoints(ifconfig_t)
|
||||||
@@ -299,33 +379,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
|
@@ -299,33 +380,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
|
||||||
term_dontaudit_use_ptmx(ifconfig_t)
|
term_dontaudit_use_ptmx(ifconfig_t)
|
||||||
term_dontaudit_use_generic_ptys(ifconfig_t)
|
term_dontaudit_use_generic_ptys(ifconfig_t)
|
||||||
|
|
||||||
@ -46327,7 +46318,7 @@ index a392fc4..78fa512 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
dev_dontaudit_rw_cardmgr(ifconfig_t)
|
dev_dontaudit_rw_cardmgr(ifconfig_t)
|
||||||
')
|
')
|
||||||
@@ -336,7 +434,11 @@ ifdef(`hide_broken_symptoms',`
|
@@ -336,7 +435,11 @@ ifdef(`hide_broken_symptoms',`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -46340,7 +46331,7 @@ index a392fc4..78fa512 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -350,7 +452,16 @@ optional_policy(`
|
@@ -350,7 +453,16 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -46358,7 +46349,7 @@ index a392fc4..78fa512 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -371,3 +482,13 @@ optional_policy(`
|
@@ -371,3 +483,13 @@ optional_policy(`
|
||||||
xen_append_log(ifconfig_t)
|
xen_append_log(ifconfig_t)
|
||||||
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
|
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
|
||||||
')
|
')
|
||||||
|
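Review bot: The summary of the new `fs_rw_onload_sockets` interface in filesystem.if, `## Read and write sockets of ONLOAD file system pipes.`, mixes sockets and pipes, while the body only emits `rw_sock_files_pattern($1, onload_fs_t, onload_fs_t)`, i.e. sock_file read/write on the onloadfs type; suggest `## Read and write sock files on an onloadfs filesystem.`. Nothing in the visible hunks calls the new interface, so presumably a domain in the contrib patch or a later commit is meant to use it — worth confirming so it does not stay a dead interface. In filesystem.te the new `onload_fs_t` additionally gets `files_mountpoint(onload_fs_t)`, unlike the neighbouring `nsfs_t` block that has only `fs_type` and `genfscon`; a one-line comment on why onloadfs needs to be a generic mount point would help the next reader.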
@ -10794,7 +10794,7 @@ index 02fefaa..308616e 100644
|
|||||||
+ ')
|
+ ')
|
||||||
')
|
')
|
||||||
diff --git a/boinc.te b/boinc.te
|
diff --git a/boinc.te b/boinc.te
|
||||||
index 687d4c4..3c5a83a 100644
|
index 687d4c4..f668033 100644
|
||||||
--- a/boinc.te
|
--- a/boinc.te
|
||||||
+++ b/boinc.te
|
+++ b/boinc.te
|
||||||
@@ -12,7 +12,9 @@ policy_module(boinc, 1.1.1)
|
@@ -12,7 +12,9 @@ policy_module(boinc, 1.1.1)
|
||||||
@ -10887,7 +10887,7 @@ index 687d4c4..3c5a83a 100644
|
|||||||
|
|
||||||
manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
|
manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
|
||||||
manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
|
manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
|
||||||
@@ -61,74 +101,48 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
|
@@ -61,74 +101,49 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
|
||||||
manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
|
manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
|
||||||
fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
|
fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
|
||||||
|
|
||||||
@ -10925,6 +10925,7 @@ index 687d4c4..3c5a83a 100644
|
|||||||
|
|
||||||
-corenet_all_recvfrom_unlabeled(boinc_t)
|
-corenet_all_recvfrom_unlabeled(boinc_t)
|
||||||
+dev_getattr_mouse_dev(boinc_t)
|
+dev_getattr_mouse_dev(boinc_t)
|
||||||
|
+dev_rw_dri(boinc_t)
|
||||||
+
|
+
|
||||||
+files_getattr_all_dirs(boinc_t)
|
+files_getattr_all_dirs(boinc_t)
|
||||||
+files_getattr_all_files(boinc_t)
|
+files_getattr_all_files(boinc_t)
|
||||||
@ -10984,7 +10985,7 @@ index 687d4c4..3c5a83a 100644
|
|||||||
|
|
||||||
term_getattr_all_ptys(boinc_t)
|
term_getattr_all_ptys(boinc_t)
|
||||||
term_getattr_unallocated_ttys(boinc_t)
|
term_getattr_unallocated_ttys(boinc_t)
|
||||||
@@ -137,8 +151,9 @@ init_read_utmp(boinc_t)
|
@@ -137,8 +152,9 @@ init_read_utmp(boinc_t)
|
||||||
|
|
||||||
logging_send_syslog_msg(boinc_t)
|
logging_send_syslog_msg(boinc_t)
|
||||||
|
|
||||||
@ -10996,7 +10997,7 @@ index 687d4c4..3c5a83a 100644
|
|||||||
|
|
||||||
tunable_policy(`boinc_execmem',`
|
tunable_policy(`boinc_execmem',`
|
||||||
allow boinc_t self:process { execstack execmem };
|
allow boinc_t self:process { execstack execmem };
|
||||||
@@ -148,48 +163,61 @@ optional_policy(`
|
@@ -148,48 +164,61 @@ optional_policy(`
|
||||||
mta_send_mail(boinc_t)
|
mta_send_mail(boinc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -57009,7 +57010,7 @@ index d78dfc3..40e1c77 100644
|
|||||||
|
|
||||||
-/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
|
-/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
|
||||||
diff --git a/nagios.if b/nagios.if
|
diff --git a/nagios.if b/nagios.if
|
||||||
index 0641e97..438eeb3 100644
|
index 0641e97..f3b1111 100644
|
||||||
--- a/nagios.if
|
--- a/nagios.if
|
||||||
+++ b/nagios.if
|
+++ b/nagios.if
|
||||||
@@ -1,12 +1,13 @@
|
@@ -1,12 +1,13 @@
|
||||||
@ -57058,12 +57059,10 @@ index 0641e97..438eeb3 100644
|
|||||||
+
|
+
|
||||||
+ kernel_read_system_state(nagios_$1_plugin_t)
|
+ kernel_read_system_state(nagios_$1_plugin_t)
|
||||||
+
|
+
|
||||||
')
|
+')
|
||||||
|
+
|
||||||
########################################
|
+########################################
|
||||||
## <summary>
|
+## <summary>
|
||||||
-## Do not audit attempts to read or
|
|
||||||
-## write nagios unnamed pipes.
|
|
||||||
+## Execute the nagios unconfined plugins with
|
+## Execute the nagios unconfined plugins with
|
||||||
+## a domain transition.
|
+## a domain transition.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
@ -57080,10 +57079,12 @@ index 0641e97..438eeb3 100644
|
|||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ domtrans_pattern($1, nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t)
|
+ domtrans_pattern($1, nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t)
|
||||||
+')
|
')
|
||||||
+
|
|
||||||
+########################################
|
########################################
|
||||||
+## <summary>
|
## <summary>
|
||||||
|
-## Do not audit attempts to read or
|
||||||
|
-## write nagios unnamed pipes.
|
||||||
+## Do not audit attempts to read or write nagios
|
+## Do not audit attempts to read or write nagios
|
||||||
+## unnamed pipes.
|
+## unnamed pipes.
|
||||||
## </summary>
|
## </summary>
|
||||||
@ -57160,10 +57161,11 @@ index 0641e97..438eeb3 100644
|
|||||||
- files_search_spool($1)
|
- files_search_spool($1)
|
||||||
allow $1 nagios_spool_t:dir search_dir_perms;
|
allow $1 nagios_spool_t:dir search_dir_perms;
|
||||||
+ files_search_spool($1)
|
+ files_search_spool($1)
|
||||||
+')
|
')
|
||||||
+
|
|
||||||
+########################################
|
########################################
|
||||||
+## <summary>
|
## <summary>
|
||||||
|
-## Read nagios temporary files.
|
||||||
+## Append nagios spool files.
|
+## Append nagios spool files.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
@ -57179,11 +57181,10 @@ index 0641e97..438eeb3 100644
|
|||||||
+
|
+
|
||||||
+ allow $1 nagios_spool_t:file append_file_perms;
|
+ allow $1 nagios_spool_t:file append_file_perms;
|
||||||
+ files_search_spool($1)
|
+ files_search_spool($1)
|
||||||
')
|
+')
|
||||||
|
+
|
||||||
########################################
|
+########################################
|
||||||
## <summary>
|
+## <summary>
|
||||||
-## Read nagios temporary files.
|
|
||||||
+## Allow the specified domain to read
|
+## Allow the specified domain to read
|
||||||
+## nagios temporary files.
|
+## nagios temporary files.
|
||||||
## </summary>
|
## </summary>
|
||||||
@ -57196,11 +57197,10 @@ index 0641e97..438eeb3 100644
|
|||||||
- files_search_tmp($1)
|
- files_search_tmp($1)
|
||||||
allow $1 nagios_tmp_t:file read_file_perms;
|
allow $1 nagios_tmp_t:file read_file_perms;
|
||||||
+ files_search_tmp($1)
|
+ files_search_tmp($1)
|
||||||
')
|
+')
|
||||||
|
+
|
||||||
########################################
|
+########################################
|
||||||
## <summary>
|
+## <summary>
|
||||||
-## Execute nrpe with a domain transition.
|
|
||||||
+## Allow the specified domain to read
|
+## Allow the specified domain to read
|
||||||
+## nagios temporary files.
|
+## nagios temporary files.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
@ -57217,16 +57217,17 @@ index 0641e97..438eeb3 100644
|
|||||||
+
|
+
|
||||||
+ allow $1 nagios_tmp_t:file rw_inherited_file_perms;
|
+ allow $1 nagios_tmp_t:file rw_inherited_file_perms;
|
||||||
+ files_search_tmp($1)
|
+ files_search_tmp($1)
|
||||||
+')
|
')
|
||||||
+
|
|
||||||
+########################################
|
########################################
|
||||||
+## <summary>
|
## <summary>
|
||||||
|
-## Execute nrpe with a domain transition.
|
||||||
+## Execute the nagios NRPE with
|
+## Execute the nagios NRPE with
|
||||||
+## a domain transition.
|
+## a domain transition.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -170,14 +243,13 @@ interface(`nagios_domtrans_nrpe',`
|
@@ -170,14 +243,31 @@ interface(`nagios_domtrans_nrpe',`
|
||||||
type nrpe_t, nrpe_exec_t;
|
type nrpe_t, nrpe_exec_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -57234,6 +57235,24 @@ index 0641e97..438eeb3 100644
|
|||||||
domtrans_pattern($1, nrpe_exec_t, nrpe_t)
|
domtrans_pattern($1, nrpe_exec_t, nrpe_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
+######################################
|
||||||
|
+## <summary>
|
||||||
|
+## Do not audit attempts to write nrpe daemon unnamed pipes.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`nagios_dontaudit_write_pipes_nrpe',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type nrpe_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ dontaudit $1 nrpe_t:fifo_file write;
|
||||||
|
+')
|
||||||
|
+
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
-## All of the rules required to
|
-## All of the rules required to
|
||||||
@ -57243,7 +57262,7 @@ index 0641e97..438eeb3 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -186,44 +258,43 @@ interface(`nagios_domtrans_nrpe',`
|
@@ -186,44 +276,43 @@ interface(`nagios_domtrans_nrpe',`
|
||||||
## </param>
|
## </param>
|
||||||
## <param name="role">
|
## <param name="role">
|
||||||
## <summary>
|
## <summary>
|
||||||
|
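Review bot: `dev_rw_dri(boinc_t)` in boinc.te grants the BOINC client read/write access to the DRI device nodes unconditionally, although the description ties it to OpenCL GPU projects only; since the file already gates `allow boinc_t self:process { execstack execmem };` behind `tunable_policy(`boinc_execmem',`, consider gating this rule behind a boolean as well (a constructed name such as `boinc_use_gpu`, declared with `gen_tunable` and documented next to the existing one) so hosts that never run GPU workloads keep the narrower policy. Separately, the new `nagios_dontaudit_write_pipes_nrpe` interface in nagios.if documents its parameter as `## Domain allowed access.` while it only emits `dontaudit $1 nrpe_t:fifo_file write;`; the dontaudit interfaces added to filesystem.if in this same commit use `## Domain to not audit.`, and its header rule is two characters shorter than the neighbouring `########################################`. The description and changelog also call this interface `nrpe_dontaudit_write_pipes()`, which does not match the name declared in the hunk.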
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.13.1
|
Version: 3.13.1
|
||||||
Release: 193%{?dist}
|
Release: 194%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -647,6 +647,15 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jun 07 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-194
|
||||||
|
- Allow boinc to use dri devices. This allows use Boinc for a openCL GPU calculations. BZ(1340886)
|
||||||
|
- Add nrpe_dontaudit_write_pipes()
|
||||||
|
- Merge pull request #129 from rhatdan/onload
|
||||||
|
- Add support for onloadfs
|
||||||
|
- Merge pull request #127 from rhatdan/device-node
|
||||||
|
- Additional access required for unconfined domains
|
||||||
|
- Dontaudit ping attempts to write to nrpe unnamed pipes
|
||||||
|
- Allow ifconfig_t to mounton also ifconfig_var_run_t dirs, not just files. Needed for: #ip netns add foo BZ(1340952)
|
||||||
* Mon May 30 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-193
|
* Mon May 30 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-193
|
||||||
- Directory Server (389-ds-base) has been updated to use systemd-ask-password. In order to function correctly we need the following added to dirsrv.te
|
- Directory Server (389-ds-base) has been updated to use systemd-ask-password. In order to function correctly we need the following added to dirsrv.te
|
||||||
- Update opendnssec_manage_config() interface to allow caller domain also manage opendnssec_conf_t dirs
|
- Update opendnssec_manage_config() interface to allow caller domain also manage opendnssec_conf_t dirs
|
||||||
|