- Add label only for redhat.repo instead of /etc/yum.repos.d. But probably we will need to switch for the directory.
- Label /etc/yum.repos.d as system_conf_t - Use sysnet_filetrans_named_content in udev.te instead of generic transition for net_conf_t - Allow dac_override for sysadm_screen_t - Allow init_t to read ipsec_conf_t as we had it for initrc_t. Needed by ipsec unit file. - Allow netlabel-config to read meminfo - Add interface to allow docker to mounton file_t - Add new interface to exec unlabeled files - Allow lvm to use docker semaphores - Set up transitions for .xsessions-errors.old - Change labels of files in /var/lib/*/.ssh to transition properly - Allow staff_t and user_t to look at logs using journalctl - pluto wants to manage own log file - Allow pluto running as ipsec_t to create pluto.log - Fix alias decl in corenetwork.te.in - Add support for fuse.glusterfs - Allow dmidecode to read/write /run/lock/subsys/rhsmcertd - Allow rhsmcertd to manage redhat.repo which is now labeled as system.conf. Allow rhsmcertd to manage all log files. - Additional access for docker - Added more rules to sblim policy - Fix kdumpgui_run_bootloader boolean - Allow dspam to connect to lmtp port - Included sfcbd service into sblim policy - rhsmcertd wants to manage /etc/pki/consumer dir - Add kdumpgui_run_bootloader boolean - Add support for /var/cache/watchdog - Remove virt_domain attribute for virt_qemu_ga_unconfined_t - Fixes for handling libvirt containers - Dontaudit attempts by mysql_safe to write content into / - Dontaudit attempts by system_mail to modify network config - Allow dspam to bind to lmtp ports - Add new policy to allow staff_t and user_t to look at logs using journalctl - Allow apache cgi scripts to list sysfs - Dontaudit attempts to write/delete user_tmp_t files
This commit is contained in:
parent
47a93c4a0b
commit
c5e7e5bb30
@ -520,7 +520,7 @@ index 058d908..702b716 100644
|
||||
+')
|
||||
+
|
||||
diff --git a/abrt.te b/abrt.te
|
||||
index cc43d25..097a770 100644
|
||||
index cc43d25..924daba 100644
|
||||
--- a/abrt.te
|
||||
+++ b/abrt.te
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -685,7 +685,7 @@ index cc43d25..097a770 100644
|
||||
|
||||
-allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
|
||||
-dontaudit abrt_t self:capability sys_rawio;
|
||||
+allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_ptrace };
|
||||
+allow abrt_t self:capability { chown dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace };
|
||||
+dontaudit abrt_t self:capability { sys_rawio sys_ptrace };
|
||||
allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
|
||||
+
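Review bot: The new side of this hunk appears to both allow and dontaudit `sys_ptrace` for abrt_t — one of the two `+allow abrt_t self:capability { ... sys_ptrace }` lines survives next to `+dontaudit abrt_t self:capability { sys_rawio sys_ptrace };` — so the dontaudit entry for sys_ptrace is dead and the allow unconditionally grants abrt_t ptrace over every process on the system. This same commit gates a ptrace grant behind the `deny_ptrace` tunable in rhsmcertd.if; the consistent form here is to keep `sys_ptrace` out of the unconditional allow, place it in a `deny_ptrace` tunable_policy block, and leave the dontaudit as it was. Which of the two `+allow` lines is the new one cannot be told from the rendered view, and the rest of abrt_t's policy is outside the hunk.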
|
||||
@ -4707,7 +4707,7 @@ index 83e899c..fac6fe5 100644
|
||||
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
|
||||
')
|
||||
diff --git a/apache.te b/apache.te
|
||||
index 1a82e29..d0d7c0b 100644
|
||||
index 1a82e29..bfe87eb 100644
|
||||
--- a/apache.te
|
||||
+++ b/apache.te
|
||||
@@ -1,297 +1,367 @@
|
||||
@ -6417,7 +6417,7 @@ index 1a82e29..d0d7c0b 100644
|
||||
mysql_read_config(httpd_suexec_t)
|
||||
|
||||
tunable_policy(`httpd_can_network_connect_db',`
|
||||
@@ -1077,172 +1333,104 @@ optional_policy(`
|
||||
@@ -1077,172 +1333,106 @@ optional_policy(`
|
||||
')
|
||||
')
|
||||
|
||||
@ -6437,13 +6437,13 @@ index 1a82e29..d0d7c0b 100644
|
||||
|
||||
-allow httpd_script_domains self:fifo_file rw_file_perms;
|
||||
-allow httpd_script_domains self:unix_stream_socket connectto;
|
||||
+allow httpd_sys_script_t self:process getsched;
|
||||
|
||||
-
|
||||
-allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
|
||||
-
|
||||
-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
|
||||
-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
|
||||
-
|
||||
+allow httpd_sys_script_t self:process getsched;
|
||||
|
||||
-kernel_dontaudit_search_sysctl(httpd_script_domains)
|
||||
-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
|
||||
-
|
||||
@ -6451,29 +6451,30 @@ index 1a82e29..d0d7c0b 100644
|
||||
-corenet_all_recvfrom_netlabel(httpd_script_domains)
|
||||
-corenet_tcp_sendrecv_generic_if(httpd_script_domains)
|
||||
-corenet_tcp_sendrecv_generic_node(httpd_script_domains)
|
||||
-
|
||||
-corecmd_exec_all_executables(httpd_script_domains)
|
||||
+allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
|
||||
+allow httpd_sys_script_t httpd_t:tcp_socket { read write };
|
||||
|
||||
-corecmd_exec_all_executables(httpd_script_domains)
|
||||
+dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
||||
|
||||
-dev_read_rand(httpd_script_domains)
|
||||
-dev_read_urand(httpd_script_domains)
|
||||
+dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
||||
+allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
|
||||
|
||||
-files_exec_etc_files(httpd_script_domains)
|
||||
-files_read_etc_files(httpd_script_domains)
|
||||
-files_search_home(httpd_script_domains)
|
||||
+allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
|
||||
|
||||
-libs_exec_ld_so(httpd_script_domains)
|
||||
-libs_exec_lib_files(httpd_script_domains)
|
||||
+allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
|
||||
+read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
||||
+read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
||||
|
||||
-logging_search_logs(httpd_script_domains)
|
||||
-libs_exec_ld_so(httpd_script_domains)
|
||||
-libs_exec_lib_files(httpd_script_domains)
|
||||
+kernel_read_kernel_sysctls(httpd_sys_script_t)
|
||||
|
||||
-logging_search_logs(httpd_script_domains)
|
||||
+dev_list_sysfs(httpd_sys_script_t)
|
||||
|
||||
-miscfiles_read_fonts(httpd_script_domains)
|
||||
-miscfiles_read_public_files(httpd_script_domains)
|
||||
+files_read_var_symlinks(httpd_sys_script_t)
|
||||
@ -6653,7 +6654,7 @@ index 1a82e29..d0d7c0b 100644
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_read_user_content',`
|
||||
@@ -1250,64 +1438,74 @@ tunable_policy(`httpd_read_user_content',`
|
||||
@@ -1250,64 +1440,74 @@ tunable_policy(`httpd_read_user_content',`
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_use_cifs',`
|
||||
@ -6750,7 +6751,7 @@ index 1a82e29..d0d7c0b 100644
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -1315,8 +1513,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
|
||||
@@ -1315,8 +1515,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
|
||||
#
|
||||
|
||||
optional_policy(`
|
||||
@ -6767,7 +6768,7 @@ index 1a82e29..d0d7c0b 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1324,49 +1529,38 @@ optional_policy(`
|
||||
@@ -1324,49 +1531,38 @@ optional_policy(`
|
||||
# User content local policy
|
||||
#
|
||||
|
||||
@ -6832,7 +6833,7 @@ index 1a82e29..d0d7c0b 100644
|
||||
kernel_read_system_state(httpd_passwd_t)
|
||||
|
||||
corecmd_exec_bin(httpd_passwd_t)
|
||||
@@ -1376,38 +1570,99 @@ dev_read_urand(httpd_passwd_t)
|
||||
@@ -1376,38 +1572,99 @@ dev_read_urand(httpd_passwd_t)
|
||||
|
||||
domain_use_interactive_fds(httpd_passwd_t)
|
||||
|
||||
@ -21394,15 +21395,19 @@ index 41c3f67..653a1ec 100644
|
||||
## <summary>
|
||||
## Execute dmidecode in the dmidecode
|
||||
diff --git a/dmidecode.te b/dmidecode.te
|
||||
index c947c2c..441d3f4 100644
|
||||
index c947c2c..8d4d843 100644
|
||||
--- a/dmidecode.te
|
||||
+++ b/dmidecode.te
|
||||
@@ -29,4 +29,4 @@ files_list_usr(dmidecode_t)
|
||||
@@ -29,4 +29,8 @@ files_list_usr(dmidecode_t)
|
||||
|
||||
locallogin_use_fds(dmidecode_t)
|
||||
|
||||
-userdom_use_user_terminals(dmidecode_t)
|
||||
+userdom_use_inherited_user_terminals(dmidecode_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ rhsmcertd_rw_inherited_lock_files(dmidecode_t)
|
||||
+')
|
||||
diff --git a/dnsmasq.fc b/dnsmasq.fc
|
||||
index 23ab808..4a801b5 100644
|
||||
--- a/dnsmasq.fc
|
||||
@ -22127,10 +22132,10 @@ index 0000000..097c75c
|
||||
+')
|
||||
diff --git a/docker.te b/docker.te
|
||||
new file mode 100644
|
||||
index 0000000..939365d
|
||||
index 0000000..1229d66
|
||||
--- /dev/null
|
||||
+++ b/docker.te
|
||||
@@ -0,0 +1,130 @@
|
||||
@@ -0,0 +1,133 @@
|
||||
+policy_module(docker, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -22212,6 +22217,7 @@ index 0000000..939365d
|
||||
+mount_domtrans(docker_t)
|
||||
+
|
||||
+sysnet_dns_name_resolve(docker_t)
|
||||
+sysnet_exec_ifconfig(docker_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ fstools_domtrans(docker_t)
|
||||
@ -22226,7 +22232,7 @@ index 0000000..939365d
|
||||
+#
|
||||
+
|
||||
+allow docker_t self:capability { sys_admin sys_boot dac_override setpcap sys_ptrace };
|
||||
+allow docker_t self:process setsched;
|
||||
+allow docker_t self:process { setsched signal_perms };
|
||||
+allow docker_t self:netlink_route_socket nlmsg_write;
|
||||
+allow docker_t self:unix_dgram_socket create_socket_perms;
|
||||
+
|
||||
@ -22236,6 +22242,8 @@ index 0000000..939365d
|
||||
+
|
||||
+dev_getattr_all_blk_files(docker_t)
|
||||
+dev_read_urand(docker_t)
|
||||
+dev_read_lvm_control(docker_t)
|
||||
+dev_read_sysfs(docker_t)
|
||||
+
|
||||
+files_manage_isid_type_dirs(docker_t)
|
||||
+files_manage_isid_type_files(docker_t)
|
||||
@ -22255,12 +22263,12 @@ index 0000000..939365d
|
||||
+term_use_ptmx(docker_t)
|
||||
+term_getattr_pty_fs(docker_t)
|
||||
+
|
||||
+dev_read_lvm_control(docker_t)
|
||||
+modutils_domtrans_insmod(docker_t)
|
||||
+
|
||||
+gen_require(`
|
||||
+type lvm_t;
|
||||
+optional_policy(`
|
||||
+ virt_read_config(docker_t)
|
||||
+ virt_exec(docker_t)
|
||||
+')
|
||||
+docker_rw_sem(lvm_t)
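Review bot: `gen_require(` / `type lvm_t;` at file scope of docker.te, feeding `docker_rw_sem(lvm_t)`, makes the docker module fail to load whenever the lvm module is not installed, and no closing `')` for that gen_require is visible before `optional_policy(` (possibly dropped by the rendered view). The usual placement is in lvm.te as `optional_policy(` / `docker_rw_sem(lvm_t)` / `')`, or at least inside an optional_policy block here, so the dependency stays soft. The `+dev_read_lvm_control(docker_t)` line in this hunk duplicates the one added a few hunks earlier; presumably one of the two is the removed side.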
|
||||
diff --git a/dovecot.fc b/dovecot.fc
|
||||
index c880070..4448055 100644
|
||||
--- a/dovecot.fc
|
||||
@ -23429,7 +23437,7 @@ index 18f2452..a446210 100644
|
||||
+
|
||||
')
|
||||
diff --git a/dspam.te b/dspam.te
|
||||
index 266cb8f..c736297 100644
|
||||
index 266cb8f..b619351 100644
|
||||
--- a/dspam.te
|
||||
+++ b/dspam.te
|
||||
@@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t)
|
||||
@ -23442,17 +23450,20 @@ index 266cb8f..c736297 100644
|
||||
allow dspam_t self:fifo_file rw_fifo_file_perms;
|
||||
allow dspam_t self:unix_stream_socket { accept listen };
|
||||
|
||||
@@ -58,20 +61,42 @@ corenet_tcp_bind_spamd_port(dspam_t)
|
||||
@@ -57,6 +60,12 @@ corenet_sendrecv_spamd_server_packets(dspam_t)
|
||||
corenet_tcp_bind_spamd_port(dspam_t)
|
||||
corenet_tcp_connect_spamd_port(dspam_t)
|
||||
corenet_tcp_sendrecv_spamd_port(dspam_t)
|
||||
|
||||
+corenet_tcp_bind_lmtp_port(dspam_t)
|
||||
+corenet_tcp_connect_lmtp_port(dspam_t)
|
||||
+
|
||||
+kernel_read_system_state(dspam_t)
|
||||
+
|
||||
+corecmd_exec_shell(dspam_t)
|
||||
+
|
||||
|
||||
files_search_spool(dspam_t)
|
||||
|
||||
auth_use_nsswitch(dspam_t)
|
||||
@@ -64,14 +73,32 @@ auth_use_nsswitch(dspam_t)
|
||||
|
||||
logging_send_syslog_msg(dspam_t)
|
||||
|
||||
@ -23489,7 +23500,7 @@ index 266cb8f..c736297 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -87,3 +112,12 @@ optional_policy(`
|
||||
@@ -87,3 +114,12 @@ optional_policy(`
|
||||
|
||||
postgresql_tcp_connect(dspam_t)
|
||||
')
|
||||
@ -32392,6 +32403,145 @@ index d59ec10..dec1b3b 100644
|
||||
modutils_read_module_config(jockey_t)
|
||||
+ modutils_list_module_config(jockey_t)
|
||||
')
|
||||
diff --git a/journalctl.fc b/journalctl.fc
|
||||
new file mode 100644
|
||||
index 0000000..f270652
|
||||
--- /dev/null
|
||||
+++ b/journalctl.fc
|
||||
@@ -0,0 +1 @@
|
||||
+/usr/bin/journalctl -- gen_context(system_u:object_r:journalctl_exec_t,s0)
|
||||
diff --git a/journalctl.if b/journalctl.if
|
||||
new file mode 100644
|
||||
index 0000000..9d32f23
|
||||
--- /dev/null
|
||||
+++ b/journalctl.if
|
||||
@@ -0,0 +1,76 @@
|
||||
+
|
||||
+## <summary>policy for journalctl</summary>
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute TEMPLATE in the journalctl domin.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed to transition.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`journalctl_domtrans',`
|
||||
+ gen_require(`
|
||||
+ type journalctl_t, journalctl_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ corecmd_search_bin($1)
|
||||
+ domtrans_pattern($1, journalctl_exec_t, journalctl_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute journalctl in the journalctl domain, and
|
||||
+## allow the specified role the journalctl domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed to transition
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="role">
|
||||
+## <summary>
|
||||
+## The role to be allowed the journalctl domain.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`journalctl_run',`
|
||||
+ gen_require(`
|
||||
+ type journalctl_t;
|
||||
+ attribute_role journalctl_roles;
|
||||
+ ')
|
||||
+
|
||||
+ journalctl_domtrans($1)
|
||||
+ roleattribute $2 journalctl_roles;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Role access for journalctl
|
||||
+## </summary>
|
||||
+## <param name="role">
|
||||
+## <summary>
|
||||
+## Role allowed access
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## User domain for the role
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`journalctl_role',`
|
||||
+ gen_require(`
|
||||
+ type journalctl_t;
|
||||
+ attribute_role journalctl_roles;
|
||||
+ ')
|
||||
+
|
||||
+ roleattribute $1 journalctl_roles;
|
||||
+
|
||||
+ journalctl_domtrans($2)
|
||||
+
|
||||
+ ps_process_pattern($2, journalctl_t)
|
||||
+ allow $2 journalctl_t:process { signull signal sigkill };
|
||||
+')
|
||||
diff --git a/journalctl.te b/journalctl.te
|
||||
new file mode 100644
|
||||
index 0000000..5de3229
|
||||
--- /dev/null
|
||||
+++ b/journalctl.te
|
||||
@@ -0,0 +1,44 @@
|
||||
+policy_module(journalctl, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# Declarations
|
||||
+#
|
||||
+
|
||||
+attribute_role journalctl_roles;
|
||||
+roleattribute system_r journalctl_roles;
|
||||
+
|
||||
+type journalctl_t;
|
||||
+type journalctl_exec_t;
|
||||
+application_domain(journalctl_t, journalctl_exec_t)
|
||||
+
|
||||
+role journalctl_roles types journalctl_t;
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# journalctl local policy
|
||||
+#
|
||||
+allow journalctl_t self:process { fork signal_perms };
|
||||
+
|
||||
+allow journalctl_t self:fifo_file manage_fifo_file_perms;
|
||||
+allow journalctl_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+
|
||||
+kernel_read_system_state(journalctl_t)
|
||||
+
|
||||
+corecmd_exec_bin(journalctl_t)
|
||||
+
|
||||
+domain_use_interactive_fds(journalctl_t)
|
||||
+
|
||||
+files_read_etc_files(journalctl_t)
|
||||
+
|
||||
+fs_getattr_all_fs(journalctl_t)
|
||||
+
|
||||
+userdom_list_user_home_dirs(journalctl_t)
|
||||
+userdom_read_user_home_content_files(journalctl_t)
|
||||
+userdom_use_inherited_user_ptys(journalctl_t)
|
||||
+userdom_write_inherited_user_tmp_files(journalctl_t)
|
||||
+userdom_rw_inherited_user_tmpfs_files(journalctl_t)
|
||||
+userdom_rw_inherited_user_home_content_files(journalctl_t)
|
||||
+
|
||||
+miscfiles_read_localization(journalctl_t)
|
||||
+logging_read_generic_logs(journalctl_t)
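Review bot: The summary of `journalctl_domtrans` in journalctl.if still reads `## Execute TEMPLATE in the journalctl domin.` — the template placeholder and typo should become `## Execute journalctl in the journalctl domain.`. In journalctl.te, `userdom_read_user_home_content_files(journalctl_t)` grants read on every user's home content, which is broader than a log viewer needs; if the intent is only redirected output and inherited descriptors, the `userdom_rw_inherited_user_home_content_files` line already covers that, so a comment stating which journalctl feature needs the full read would justify keeping it. The staff/user role wiring the commit message mentions is outside this hunk.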
|
||||
diff --git a/kde.fc b/kde.fc
|
||||
new file mode 100644
|
||||
index 0000000..25e4b68
|
||||
@ -32965,17 +33115,25 @@ index 182ab8b..8b1d9c2 100644
|
||||
+')
|
||||
+
|
||||
diff --git a/kdumpgui.te b/kdumpgui.te
|
||||
index e7f5c81..1a8d69e 100644
|
||||
index e7f5c81..8c75bc8 100644
|
||||
--- a/kdumpgui.te
|
||||
+++ b/kdumpgui.te
|
||||
@@ -1,4 +1,4 @@
|
||||
@@ -1,83 +1,92 @@
|
||||
-policy_module(kdumpgui, 1.1.4)
|
||||
+policy_module(kdumpgui, 1.1.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -7,77 +7,73 @@ policy_module(kdumpgui, 1.1.4)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Allow s-c-kdump to run bootloader in bootloader_t.
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+gen_tunable(kdumpgui_run_bootloader, false)
|
||||
+
|
||||
type kdumpgui_t;
|
||||
type kdumpgui_exec_t;
|
||||
-init_system_domain(kdumpgui_t, kdumpgui_exec_t)
|
||||
@ -33054,8 +33212,14 @@ index e7f5c81..1a8d69e 100644
|
||||
|
||||
optional_policy(`
|
||||
- consoletype_exec(kdumpgui_t)
|
||||
+ tunable_policy(`kdumpgui_run_bootloader',`
|
||||
+ bootloader_domtrans(kdumpgui_t)
|
||||
+ #if s-c-kdump is involved
|
||||
+ bootloader_manage_config(kdumpgui_t)
|
||||
+ ',`
|
||||
+ bootloader_exec(kdumpgui_t)
|
||||
+ bootloader_manage_config(kdumpgui_t)
|
||||
+ ')
|
||||
')
|
||||
|
||||
optional_policy(`
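Review bot: `bootloader_manage_config(kdumpgui_t)` appears in both branches of the new `kdumpgui_run_bootloader` tunable_policy, so it is effectively unconditional and should be hoisted out of the tunable block to make that explicit; the `#if s-c-kdump is involved` comment above it does not say what it refers to. The tunable's `<desc>` promises that the bootloader runs in bootloader_t, but the false branch still executes it via `bootloader_exec(kdumpgui_t)` — in kdumpgui_t, with that domain's privileges — which the description should state, e.g. `## Allow s-c-kdump to run the bootloader in bootloader_t; when off it is executed in kdumpgui_t itself.` The enclosing optional_policy block starts outside the hunk.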
|
||||
@ -33067,7 +33231,7 @@ index e7f5c81..1a8d69e 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -87,4 +83,10 @@ optional_policy(`
|
||||
@@ -87,4 +96,10 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
kdump_manage_config(kdumpgui_t)
|
||||
kdump_initrc_domtrans(kdumpgui_t)
|
||||
@ -43460,7 +43624,7 @@ index ed81cac..566684a 100644
|
||||
+ mta_filetrans_admin_home_content($1)
|
||||
+')
|
||||
diff --git a/mta.te b/mta.te
|
||||
index afd2fad..79fe381 100644
|
||||
index afd2fad..09ebbbe 100644
|
||||
--- a/mta.te
|
||||
+++ b/mta.te
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -43490,7 +43654,7 @@ index afd2fad..79fe381 100644
|
||||
|
||||
type sendmail_exec_t;
|
||||
mta_agent_executable(sendmail_exec_t)
|
||||
@@ -43,178 +43,78 @@ role system_r types system_mail_t;
|
||||
@@ -43,178 +43,79 @@ role system_r types system_mail_t;
|
||||
mta_base_mail_template(user)
|
||||
typealias user_mail_t alias { staff_mail_t sysadm_mail_t };
|
||||
typealias user_mail_t alias { auditadm_mail_t secadm_mail_t };
|
||||
@ -43624,11 +43788,12 @@ index afd2fad..79fe381 100644
|
||||
|
||||
+# newalias required this, not sure if it is needed in 'if' file
|
||||
allow system_mail_t self:capability { dac_override fowner };
|
||||
|
||||
-
|
||||
-read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
|
||||
-
|
||||
-read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
|
||||
-
|
||||
+dontaudit system_mail_t self:capability net_admin;
|
||||
|
||||
allow system_mail_t mail_home_t:file manage_file_perms;
|
||||
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".esmtp_queue")
|
||||
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".forward")
|
||||
@ -43705,7 +43870,7 @@ index afd2fad..79fe381 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -223,18 +123,18 @@ optional_policy(`
|
||||
@@ -223,18 +124,18 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -43727,7 +43892,7 @@ index afd2fad..79fe381 100644
|
||||
courier_manage_spool_dirs(system_mail_t)
|
||||
courier_manage_spool_files(system_mail_t)
|
||||
courier_rw_spool_pipes(system_mail_t)
|
||||
@@ -245,13 +145,8 @@ optional_policy(`
|
||||
@@ -245,13 +146,8 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -43742,7 +43907,7 @@ index afd2fad..79fe381 100644
|
||||
fail2ban_rw_inherited_tmp_files(system_mail_t)
|
||||
')
|
||||
|
||||
@@ -264,10 +159,15 @@ optional_policy(`
|
||||
@@ -264,10 +160,15 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -43758,7 +43923,7 @@ index afd2fad..79fe381 100644
|
||||
nagios_read_tmp_files(system_mail_t)
|
||||
')
|
||||
|
||||
@@ -278,6 +178,15 @@ optional_policy(`
|
||||
@@ -278,6 +179,15 @@ optional_policy(`
|
||||
manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
|
||||
manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
|
||||
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
|
||||
@ -43774,7 +43939,7 @@ index afd2fad..79fe381 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -293,42 +202,36 @@ optional_policy(`
|
||||
@@ -293,42 +203,36 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -43827,7 +43992,7 @@ index afd2fad..79fe381 100644
|
||||
|
||||
allow mailserver_delivery mail_spool_t:dir list_dir_perms;
|
||||
create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
|
||||
@@ -337,40 +240,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
|
||||
@@ -337,40 +241,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
|
||||
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
|
||||
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
|
||||
|
||||
@ -43876,7 +44041,7 @@ index afd2fad..79fe381 100644
|
||||
files_search_var_lib(mailserver_delivery)
|
||||
|
||||
mailman_domtrans(mailserver_delivery)
|
||||
@@ -387,24 +276,173 @@ optional_policy(`
|
||||
@@ -387,24 +277,173 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -45201,7 +45366,7 @@ index 687af38..404ed6d 100644
|
||||
+ mysql_stream_connect($1)
|
||||
')
|
||||
diff --git a/mysql.te b/mysql.te
|
||||
index 9f6179e..cc14cbc 100644
|
||||
index 9f6179e..4383f87 100644
|
||||
--- a/mysql.te
|
||||
+++ b/mysql.te
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -45412,7 +45577,7 @@ index 9f6179e..cc14cbc 100644
|
||||
|
||||
kernel_read_system_state(mysqld_safe_t)
|
||||
kernel_read_kernel_sysctls(mysqld_safe_t)
|
||||
@@ -183,21 +185,26 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
|
||||
@@ -183,21 +185,27 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
|
||||
corecmd_exec_bin(mysqld_safe_t)
|
||||
corecmd_exec_shell(mysqld_safe_t)
|
||||
|
||||
@ -45427,6 +45592,7 @@ index 9f6179e..cc14cbc 100644
|
||||
-files_dontaudit_getattr_all_dirs(mysqld_safe_t)
|
||||
files_dontaudit_search_all_mountpoints(mysqld_safe_t)
|
||||
+files_dontaudit_getattr_all_dirs(mysqld_safe_t)
|
||||
+files_dontaudit_write_root_dirs(mysqld_safe_t)
|
||||
|
||||
+logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
|
||||
logging_send_syslog_msg(mysqld_safe_t)
|
||||
@ -45445,7 +45611,7 @@ index 9f6179e..cc14cbc 100644
|
||||
|
||||
optional_policy(`
|
||||
hostname_exec(mysqld_safe_t)
|
||||
@@ -205,7 +212,7 @@ optional_policy(`
|
||||
@@ -205,7 +213,7 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -45454,7 +45620,7 @@ index 9f6179e..cc14cbc 100644
|
||||
#
|
||||
|
||||
allow mysqlmanagerd_t self:capability { dac_override kill };
|
||||
@@ -214,11 +221,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
|
||||
@@ -214,11 +222,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
@ -45472,7 +45638,7 @@ index 9f6179e..cc14cbc 100644
|
||||
|
||||
domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
|
||||
|
||||
@@ -226,31 +234,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
|
||||
@@ -226,31 +235,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
|
||||
manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
|
||||
filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
|
||||
|
||||
@ -72825,7 +72991,7 @@ index 0000000..0e965c3
|
||||
+ rpm_domtrans(rhnsd_t)
|
||||
+')
|
||||
diff --git a/rhsmcertd.if b/rhsmcertd.if
|
||||
index 6dbc905..d803796 100644
|
||||
index 6dbc905..78746ef 100644
|
||||
--- a/rhsmcertd.if
|
||||
+++ b/rhsmcertd.if
|
||||
@@ -1,8 +1,8 @@
|
||||
@ -72921,26 +73087,47 @@ index 6dbc905..d803796 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -198,13 +194,13 @@ interface(`rhsmcertd_read_pid_files',`
|
||||
@@ -196,10 +192,9 @@ interface(`rhsmcertd_read_pid_files',`
|
||||
allow $1 rhsmcertd_var_run_t:file read_file_perms;
|
||||
')
|
||||
|
||||
####################################
|
||||
-####################################
|
||||
+########################################
|
||||
## <summary>
|
||||
-## Connect to rhsmcertd with a
|
||||
-## unix domain stream socket.
|
||||
+## Connect to rhsmcertd over a unix domain
|
||||
+## stream socket.
|
||||
+## Read/wirte inherited lock files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
-## <summary>
|
||||
-## Domain allowed access.
|
||||
-## </summary>
|
||||
## <summary>
|
||||
@@ -207,6 +202,26 @@ interface(`rhsmcertd_read_pid_files',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
+interface(`rhsmcertd_rw_inherited_lock_files',`
|
||||
+ gen_require(`
|
||||
+ type rhsmcertd_lock_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_locks($1)
|
||||
+ allow $1 rhsmcertd_lock_t:file rw_inherited_file_perms;
|
||||
+')
|
||||
+
|
||||
+####################################
|
||||
+## <summary>
|
||||
+## Connect to rhsmcertd over a unix domain
|
||||
+## stream socket.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
## </param>
|
||||
#
|
||||
+## </param>
|
||||
+#
|
||||
interface(`rhsmcertd_stream_connect',`
|
||||
@@ -239,30 +235,29 @@ interface(`rhsmcertd_dbus_chat',`
|
||||
gen_require(`
|
||||
type rhsmcertd_t, rhsmcertd_var_run_t;
|
||||
@@ -239,30 +254,29 @@ interface(`rhsmcertd_dbus_chat',`
|
||||
|
||||
######################################
|
||||
## <summary>
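Review bot: The doc block that now precedes `rhsmcertd_rw_inherited_lock_files` keeps the stream-socket sentence from the old `rhsmcertd_stream_connect` summary and adds `## Read/wirte inherited lock files.`; it should describe only the new interface, e.g. `## Read and write inherited rhsmcertd lock files.`. The rewritten `rhsmcertd_stream_connect` block then closes its `<param>` twice (`## </param>` / `#` followed again by `+## </param>` / `+#`), which yields malformed interface documentation; drop the duplicate pair. The hunk ends before the body of `rhsmcertd_stream_connect`.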
|
||||
@ -72984,7 +73171,7 @@ index 6dbc905..d803796 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -270,35 +265,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',`
|
||||
@@ -270,35 +284,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',`
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
@ -73016,24 +73203,24 @@ index 6dbc905..d803796 100644
|
||||
+ tunable_policy(`deny_ptrace',`',`
|
||||
+ allow $1 rhsmcertd_t:process ptrace;
|
||||
+ ')
|
||||
+
|
||||
|
||||
- logging_search_logs($1)
|
||||
- admin_pattern($1, rhsmcertd_log_t)
|
||||
+ rhsmcertd_initrc_domtrans($1)
|
||||
+ domain_system_change_exemption($1)
|
||||
+ role_transition $2 rhsmcertd_initrc_exec_t system_r;
|
||||
+ allow $2 system_r;
|
||||
|
||||
- logging_search_logs($1)
|
||||
- admin_pattern($1, rhsmcertd_log_t)
|
||||
- files_search_var_lib($1)
|
||||
- admin_pattern($1, rhsmcertd_var_lib_t)
|
||||
+ logging_search_logs($1)
|
||||
+ admin_pattern($1, rhsmcertd_log_t)
|
||||
|
||||
- files_search_var_lib($1)
|
||||
- admin_pattern($1, rhsmcertd_var_lib_t)
|
||||
+ files_search_var_lib($1)
|
||||
+ admin_pattern($1, rhsmcertd_var_lib_t)
|
||||
|
||||
- files_search_pids($1)
|
||||
- admin_pattern($1, rhsmcertd_var_run_t)
|
||||
+ files_search_var_lib($1)
|
||||
+ admin_pattern($1, rhsmcertd_var_lib_t)
|
||||
+
|
||||
+ files_search_pids($1)
|
||||
+ admin_pattern($1, rhsmcertd_var_run_t)
|
||||
+
|
||||
@ -73044,10 +73231,10 @@ index 6dbc905..d803796 100644
|
||||
- admin_pattern($1, rhsmcertd_lock_t)
|
||||
')
|
||||
diff --git a/rhsmcertd.te b/rhsmcertd.te
|
||||
index 1cedd70..6508b1e 100644
|
||||
index 1cedd70..0369e30 100644
|
||||
--- a/rhsmcertd.te
|
||||
+++ b/rhsmcertd.te
|
||||
@@ -30,7 +30,8 @@ files_pid_file(rhsmcertd_var_run_t)
|
||||
@@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t)
|
||||
#
|
||||
|
||||
allow rhsmcertd_t self:capability sys_nice;
|
||||
@ -73057,7 +73244,15 @@ index 1cedd70..6508b1e 100644
|
||||
allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
@@ -52,21 +53,37 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
|
||||
manage_dirs_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
|
||||
-append_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
|
||||
-create_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
|
||||
-setattr_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
|
||||
+manage_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
|
||||
|
||||
manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t)
|
||||
files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file)
|
||||
@@ -52,21 +51,39 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
|
||||
kernel_read_network_state(rhsmcertd_t)
|
||||
kernel_read_system_state(rhsmcertd_t)
|
||||
|
||||
@ -73075,6 +73270,7 @@ index 1cedd70..6508b1e 100644
|
||||
-files_read_etc_files(rhsmcertd_t)
|
||||
-files_read_usr_files(rhsmcertd_t)
|
||||
+files_manage_generic_locks(rhsmcertd_t)
|
||||
+files_manage_system_conf_files(rhsmcertd_t)
|
||||
+
|
||||
+auth_read_passwd(rhsmcertd_t)
|
||||
|
||||
@ -73084,7 +73280,8 @@ index 1cedd70..6508b1e 100644
|
||||
+
|
||||
+logging_send_syslog_msg(rhsmcertd_t)
|
||||
+
|
||||
+miscfiles_read_certs(rhsmcertd_t)
|
||||
+miscfiles_manage_cert_files(rhsmcertd_t)
|
||||
+miscfiles_manage_cert_dirs(rhsmcertd_t)
|
||||
|
||||
sysnet_dns_name_resolve(rhsmcertd_t)
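Review bot: `files_manage_system_conf_files(rhsmcertd_t)` in the preceding hunk grants write on every system_conf_t file, and since this commit also labels /etc/yum.repos.d with that type, rhsmcertd can now rewrite any repo definition rather than just redhat.repo as the commit message describes. Likewise `miscfiles_manage_cert_files(rhsmcertd_t)` and `miscfiles_manage_cert_dirs(rhsmcertd_t)` here let the daemon modify any cert_t object, including the system CA trust store, when the stated need is the /etc/pki/consumer directory. A dedicated type for redhat.repo and a private rhsmcertd type for /etc/pki/consumer with a named filetrans would keep the grant to what the daemon actually writes; if the broad interfaces stay, a comment recording why belongs above each. Both hunks cover only part of rhsmcertd_t's policy.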
|
||||
|
||||
@ -80756,6 +80953,21 @@ index a63b875..1c9e41b 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
diff --git a/sblim.fc b/sblim.fc
|
||||
index 68a550d..e976fc6 100644
|
||||
--- a/sblim.fc
|
||||
+++ b/sblim.fc
|
||||
@@ -1,6 +1,10 @@
|
||||
/etc/rc\.d/init\.d/gatherer -- gen_context(system_u:object_r:sblim_initrc_exec_t,s0)
|
||||
+/etc/rc\.d/init\.d/sblim-sfcbd -- gen_context(system_u:object_r:sblim_initrc_exec_t,s0)
|
||||
|
||||
/usr/sbin/gatherd -- gen_context(system_u:object_r:sblim_gatherd_exec_t,s0)
|
||||
/usr/sbin/reposd -- gen_context(system_u:object_r:sblim_reposd_exec_t,s0)
|
||||
+/usr/sbin/sfcbd -- gen_context(system_u:object_r:sblim_sfcbd_exec_t,s0)
|
||||
+
|
||||
+/var/lib/sfcb(/.*)? gen_context(system_u:object_r:sblim_var_lib_t,s0)
|
||||
|
||||
/var/run/gather(/.*)? gen_context(system_u:object_r:sblim_var_run_t,s0)
|
||||
diff --git a/sblim.if b/sblim.if
|
||||
index 98c9e0a..df51942 100644
|
||||
--- a/sblim.if
|
||||
@ -80858,10 +81070,10 @@ index 98c9e0a..df51942 100644
|
||||
files_search_pids($1)
|
||||
admin_pattern($1, sblim_var_run_t)
|
||||
diff --git a/sblim.te b/sblim.te
|
||||
index 4a23d84..d90604c 100644
|
||||
index 4a23d84..fcd1610 100644
|
||||
--- a/sblim.te
|
||||
+++ b/sblim.te
|
||||
@@ -7,13 +7,9 @@ policy_module(sblim, 1.0.3)
|
||||
@@ -7,13 +7,11 @@ policy_module(sblim, 1.0.3)
|
||||
|
||||
attribute sblim_domain;
|
||||
|
||||
@ -80874,12 +81086,38 @@ index 4a23d84..d90604c 100644
|
||||
-type sblim_reposd_exec_t;
|
||||
-init_daemon_domain(sblim_reposd_t, sblim_reposd_exec_t)
|
||||
+sblim_domain_template(reposd)
|
||||
+
|
||||
+sblim_domain_template(sfcbd)
|
||||
|
||||
type sblim_initrc_exec_t;
|
||||
init_script_file(sblim_initrc_exec_t)
|
||||
@@ -33,10 +29,7 @@ manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
|
||||
@@ -21,6 +19,12 @@ init_script_file(sblim_initrc_exec_t)
|
||||
type sblim_var_run_t;
|
||||
files_pid_file(sblim_var_run_t)
|
||||
|
||||
+type sblim_var_lib_t;
|
||||
+files_type(sblim_var_lib_t)
|
||||
+
|
||||
+type sblim_tmp_t;
|
||||
+files_tmp_file(sblim_tmp_t)
|
||||
+
|
||||
######################################
|
||||
#
|
||||
# Common sblim domain local policy
|
||||
@@ -32,11 +36,18 @@ manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
|
||||
manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
|
||||
manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
|
||||
|
||||
+manage_dirs_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t)
|
||||
+manage_files_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t)
|
||||
+manage_lnk_files_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t)
|
||||
+files_var_lib_filetrans(sblim_domain, sblim_var_lib_t, { dir file lnk_file })
|
||||
+
|
||||
+manage_dirs_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t)
|
||||
+manage_files_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t)
|
||||
+manage_sock_files_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t)
|
||||
+files_tmp_filetrans(sblim_domain, sblim_tmp_t, { dir file sock_file})
|
||||
+
|
||||
kernel_read_network_state(sblim_domain)
|
||||
-kernel_read_system_state(sblim_domain)
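Review bot: `files_var_lib_filetrans(sblim_domain, sblim_var_lib_t, { dir file lnk_file })` is an unnamed transition on the whole sblim_domain attribute, so any directory, file or symlink one of the sblim daemons creates directly under /var/lib is labelled sblim_var_lib_t, not only the `/var/lib/sfcb` tree that the sblim.fc entry in this change declares. Unless the daemons are known to create other entries in /var/lib, a named transition matching the fc entry is tighter: `files_var_lib_filetrans(sblim_domain, sblim_var_lib_t, dir, "sfcb")`, assuming the interface in this tree takes the optional filename argument as refpolicy's does. A small style point in the same hunk: `{ dir file sock_file}` on the files_tmp_filetrans line lacks the closing space used on the lnk_file line just above it.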
|
||||
|
||||
@ -80888,7 +81126,7 @@ index 4a23d84..d90604c 100644
|
||||
corenet_tcp_sendrecv_generic_if(sblim_domain)
|
||||
corenet_tcp_sendrecv_generic_node(sblim_domain)
|
||||
|
||||
@@ -44,19 +37,15 @@ corenet_tcp_sendrecv_repository_port(sblim_domain)
|
||||
@@ -44,19 +55,15 @@ corenet_tcp_sendrecv_repository_port(sblim_domain)
|
||||
|
||||
dev_read_sysfs(sblim_domain)
|
||||
|
||||
@ -80911,7 +81149,7 @@ index 4a23d84..d90604c 100644
|
||||
allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow sblim_gatherd_t self:unix_stream_socket { accept listen };
|
||||
|
||||
@@ -84,6 +73,8 @@ storage_raw_read_removable_device(sblim_gatherd_t)
|
||||
@@ -84,6 +91,8 @@ storage_raw_read_removable_device(sblim_gatherd_t)
|
||||
|
||||
init_read_utmp(sblim_gatherd_t)
|
||||
|
||||
@ -80920,7 +81158,7 @@ index 4a23d84..d90604c 100644
|
||||
sysnet_dns_name_resolve(sblim_gatherd_t)
|
||||
|
||||
term_getattr_pty_fs(sblim_gatherd_t)
|
||||
@@ -103,8 +94,9 @@ optional_policy(`
|
||||
@@ -103,8 +112,9 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -80931,7 +81169,7 @@ index 4a23d84..d90604c 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -117,6 +109,10 @@ optional_policy(`
|
||||
@@ -117,6 +127,25 @@ optional_policy(`
|
||||
# Reposd local policy
|
||||
#
|
||||
|
||||
@ -80943,6 +81181,21 @@ index 4a23d84..d90604c 100644
|
||||
+
|
||||
+logging_send_syslog_msg(sblim_reposd_t)
|
||||
+
|
||||
+#######################################
|
||||
+#
|
||||
+# Sfcbd local policy
|
||||
+#
|
||||
+
|
||||
+allow sblim_sfcbd_t self:capability { sys_ptrace setgid };
|
||||
+allow sblim_sfcbd_t self:process signal;
|
||||
+
|
||||
+auth_use_nsswitch(sblim_sfcbd_t)
|
||||
+
|
||||
+corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t)
|
||||
+
|
||||
+domain_read_all_domains_state(sblim_sfcbd_t)
|
||||
+domain_use_interactive_fds(sblim_sfcbd_t)
|
||||
+
|
||||
diff --git a/screen.fc b/screen.fc
|
||||
index ac04d27..b73334e 100644
|
||||
--- a/screen.fc
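Review bot: `allow sblim_sfcbd_t self:capability { sys_ptrace setgid };` grants CAP_SYS_PTRACE to the new sfcbd domain, a broad capability, and nothing in the hunk records why it is needed. If the underlying denial came from sfcbd reading other processes' /proc entries (the same hunk already grants `domain_read_all_domains_state(sblim_sfcbd_t)`), the refpolicy convention is `dontaudit sblim_sfcbd_t self:capability sys_ptrace;` rather than an allow, since the kernel commonly checks the capability on such reads even when the domain-level /proc access is permitted. If ptrace really is required, a one-line comment above the rule naming the operation that needs it would save the next maintainer from re-deriving it. The sfcbd local policy section continues past the end of this hunk (the inner `@@ -117,6 +127,25 @@` hunk has more added lines than are shown here).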
|
||||
@ -89522,10 +89775,10 @@ index 0000000..c1fd8b4
|
||||
+')
|
||||
diff --git a/thumb.te b/thumb.te
|
||||
new file mode 100644
|
||||
index 0000000..1a7c61d
|
||||
index 0000000..b57cc3c
|
||||
--- /dev/null
|
||||
+++ b/thumb.te
|
||||
@@ -0,0 +1,148 @@
|
||||
@@ -0,0 +1,149 @@
|
||||
+policy_module(thumb, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -89625,7 +89878,8 @@ index 0000000..1a7c61d
|
||||
+userdom_read_user_tmp_files(thumb_t)
|
||||
+userdom_read_user_home_content_files(thumb_t)
|
||||
+userdom_exec_user_home_content_files(thumb_t)
|
||||
+userdom_write_user_tmp_files(thumb_t)
|
||||
+userdom_dontaudit_write_user_tmp_files(thumb_t)
|
||||
+userdom_dontaudit_delete_user_tmp_files(thumb_t)
|
||||
+userdom_read_home_audio_files(thumb_t)
|
||||
+userdom_home_reader(thumb_t)
|
||||
+
|
||||
@ -94024,7 +94278,7 @@ index 9dec06c..73549fd 100644
|
||||
+ virt_stream_connect($1)
|
||||
')
|
||||
diff --git a/virt.te b/virt.te
|
||||
index 1f22fba..d798c85 100644
|
||||
index 1f22fba..62390bf 100644
|
||||
--- a/virt.te
|
||||
+++ b/virt.te
|
||||
@@ -1,147 +1,167 @@
|
||||
@ -95921,7 +96175,7 @@ index 1f22fba..d798c85 100644
|
||||
+#
|
||||
+
|
||||
+optional_policy(`
|
||||
+ type virt_qemu_ga_unconfined_t, virt_domain;
|
||||
+ type virt_qemu_ga_unconfined_t;
|
||||
+ domain_type(virt_qemu_ga_unconfined_t)
|
||||
+
|
||||
+ domain_entry_file(virt_qemu_ga_unconfined_t, virt_qemu_ga_unconfined_exec_t)
|
||||
@ -96446,13 +96700,40 @@ index 9329eae..824e86f 100644
|
||||
-optional_policy(`
|
||||
- seutil_use_newrole_fds(vpnc_t)
|
||||
-')
|
||||
diff --git a/watchdog.fc b/watchdog.fc
|
||||
index eecd0e0..50248a7 100644
|
||||
--- a/watchdog.fc
|
||||
+++ b/watchdog.fc
|
||||
@@ -2,6 +2,8 @@
|
||||
|
||||
/usr/sbin/watchdog -- gen_context(system_u:object_r:watchdog_exec_t,s0)
|
||||
|
||||
+/var/cache/watchdog(/.*)? gen_context(system_u:object_r:watchdog_cache_t,s0)
|
||||
+
|
||||
/var/log/watchdog.* gen_context(system_u:object_r:watchdog_log_t,s0)
|
||||
|
||||
/var/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0)
|
||||
diff --git a/watchdog.te b/watchdog.te
|
||||
index 29f79e8..9e403ee 100644
|
||||
index 29f79e8..1d43690 100644
|
||||
--- a/watchdog.te
|
||||
+++ b/watchdog.te
|
||||
@@ -30,7 +30,8 @@ allow watchdog_t self:fifo_file rw_fifo_file_perms;
|
||||
@@ -12,6 +12,9 @@ init_daemon_domain(watchdog_t, watchdog_exec_t)
|
||||
type watchdog_initrc_exec_t;
|
||||
init_script_file(watchdog_initrc_exec_t)
|
||||
|
||||
+type watchdog_cache_t;
|
||||
+files_type(watchdog_cache_t)
|
||||
+
|
||||
type watchdog_log_t;
|
||||
logging_log_file(watchdog_log_t)
|
||||
|
||||
@@ -29,8 +32,12 @@ allow watchdog_t self:process { setsched signal_perms };
|
||||
allow watchdog_t self:fifo_file rw_fifo_file_perms;
|
||||
allow watchdog_t self:tcp_socket { accept listen };
|
||||
|
||||
+manage_files_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t)
|
||||
+manage_dirs_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t)
|
||||
+
|
||||
allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms };
|
||||
-logging_log_filetrans(watchdog_t, watchdog_log_t, file)
|
||||
+manage_dirs_pattern(watchdog_t,watchdog_log_t,watchdog_log_t)
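Review bot: The new watchdog_cache_t rules give watchdog_t manage access to the type but add no file transition, so if the daemon creates /var/cache/watchdog itself at runtime the directory would inherit the parent's label rather than watchdog_cache_t; the fc entry only takes effect when labels are applied from file contexts (package install or restorecon). If that is the case, `files_var_filetrans(watchdog_t, watchdog_cache_t, dir, "watchdog")` next to the two manage patterns closes the gap, assuming the interface in this tree takes the filename argument. Minor style: `manage_dirs_pattern(watchdog_t,watchdog_log_t,watchdog_log_t)` omits the spaces after commas that every neighbouring rule uses. The watchdog_t block continues past the end of this hunk.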
|
||||
@ -96460,7 +96741,7 @@ index 29f79e8..9e403ee 100644
|
||||
|
||||
manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t)
|
||||
files_pid_filetrans(watchdog_t, watchdog_var_run_t, file)
|
||||
@@ -63,7 +64,6 @@ domain_signull_all_domains(watchdog_t)
|
||||
@@ -63,7 +70,6 @@ domain_signull_all_domains(watchdog_t)
|
||||
domain_signal_all_domains(watchdog_t)
|
||||
domain_kill_all_domains(watchdog_t)
|
||||
|
||||
@ -96468,7 +96749,7 @@ index 29f79e8..9e403ee 100644
|
||||
files_manage_etc_runtime_files(watchdog_t)
|
||||
files_etc_filetrans_etc_runtime(watchdog_t, file)
|
||||
|
||||
@@ -75,8 +75,6 @@ auth_append_login_records(watchdog_t)
|
||||
@@ -75,8 +81,6 @@ auth_append_login_records(watchdog_t)
|
||||
|
||||
logging_send_syslog_msg(watchdog_t)
|
||||
|
||||
|
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.12.1
|
||||
Release: 96%{?dist}
|
||||
Release: 97%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -573,6 +573,44 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Nov 6 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-97
|
||||
- Add label only for redhat.repo instead of /etc/yum.repos.d. But probably we will need to switch for the directory.
|
||||
- Label /etc/yum.repos.d as system_conf_t
|
||||
- Use sysnet_filetrans_named_content in udev.te instead of generic transition for net_conf_t
|
||||
- Allow dac_override for sysadm_screen_t
|
||||
- Allow init_t to read ipsec_conf_t as we had it for initrc_t. Needed by ipsec unit file.
|
||||
- Allow netlabel-config to read meminfo
|
||||
- Add interface to allow docker to mounton file_t
|
||||
- Add new interface to exec unlabeled files
|
||||
- Allow lvm to use docker semaphores
|
||||
- Setup transitons for .xsessions-errors.old
|
||||
- Change labels of files in /var/lib/*/.ssh to transition properly
|
||||
- Allow staff_t and user_t to look at logs using journalctl
|
||||
- pluto wants to manage own log file
|
||||
- Allow pluto running as ipsec_t to create pluto.log
|
||||
- Fix alias decl in corenetwork.te.in
|
||||
- Add support for fuse.glusterfs
|
||||
- Allow dmidecode to read/write /run/lock/subsys/rhsmcertd
|
||||
- Allow rhsmcertd to manage redhat.repo which is now labeled as system.conf. Allow rhsmcertd to manage all log files.
|
||||
- Additional access for docker
|
||||
- Added more rules to sblim policy
|
||||
- Fix kdumpgui_run_bootloader boolean
|
||||
- Allow dspam to connect to lmtp port
|
||||
- Included sfcbd service into sblim policy
|
||||
- rhsmcertd wants to manaage /etc/pki/consumer dir
|
||||
- Add kdumpgui_run_bootloader boolean
|
||||
- Add support for /var/cache/watchdog
|
||||
- Remove virt_domain attribute for virt_qemu_ga_unconfined_t
|
||||
- Fixes for handling libvirt containes
|
||||
- Dontaudit attempts by mysql_safe to write content into /
|
||||
- Dontaudit attempts by system_mail to modify network config
|
||||
- Allow dspam to bind to lmtp ports
|
||||
- Add new policy to allow staff_t and user_t to look at logs using journalctl
|
||||
- Allow apache cgi scripts to list sysfs
|
||||
- Dontaudit attempts to write/delete user_tmp_t files
|
||||
- Allow all antivirus domains to manage also own log dirs
|
||||
- Allow pegasus_openlmi_services_t to stream connect to sssd_t
|
||||
|
||||
* Fri Nov 1 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-96
|
||||
- Add missing permission checks for nscd
|
||||
|
||||
|