scratch build
parent
af7d966e90
commit
cd5d972925
@ -5461,7 +5461,7 @@ index 8e0f9cd..b9f45b9 100644
|
|||||||
|
|
||||||
define(`create_packet_interfaces',``
|
define(`create_packet_interfaces',``
|
||||||
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
|
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
|
||||||
index 4edc40d..9455a13 100644
|
index 4edc40d..cc71e95 100644
|
||||||
--- a/policy/modules/kernel/corenetwork.te.in
|
--- a/policy/modules/kernel/corenetwork.te.in
|
||||||
+++ b/policy/modules/kernel/corenetwork.te.in
|
+++ b/policy/modules/kernel/corenetwork.te.in
|
||||||
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
|
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
|
||||||
@ -5714,7 +5714,7 @@ index 4edc40d..9455a13 100644
|
|||||||
network_port(puppet, tcp, 8140, s0)
|
network_port(puppet, tcp, 8140, s0)
|
||||||
network_port(pxe, udp,4011,s0)
|
network_port(pxe, udp,4011,s0)
|
||||||
network_port(pyzor, udp,24441,s0)
|
network_port(pyzor, udp,24441,s0)
|
||||||
+network_port(quantum, tcp,9696,s0)
|
+network_port(neutron, tcp,9696,s0)
|
||||||
network_port(radacct, udp,1646,s0, udp,1813,s0)
|
network_port(radacct, udp,1646,s0, udp,1813,s0)
|
||||||
network_port(radius, udp,1645,s0, udp,1812,s0)
|
network_port(radius, udp,1645,s0, udp,1812,s0)
|
||||||
network_port(radsec, tcp,2083,s0)
|
network_port(radsec, tcp,2083,s0)
|
||||||
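Review bot: The `typealias neutron_port_t alias quantum_port_t;` added later in this file preserves only the type, not the generated `corenet_*_quantum_port()` interfaces, which disappear once the declaration at `+network_port(neutron, tcp,9696,s0)` is renamed. The commit updates its own caller (`corenet_tcp_bind_neutron_port(neutron_t)` in quantum.te), but any other module still calling the `quantum` spelling would fail to build unless the port macro also emits interfaces for aliases, which I cannot confirm from this page. A one-line comment beside the typealias, `# type-only alias: callers must use the corenet_*_neutron_port interfaces`, would make the compatibility limit explicit. The same concern applies to the typealias hunk further down (the `@ -5837,6 +5837,10 @@` hunk).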
@ -5810,7 +5810,7 @@ index 4edc40d..9455a13 100644
|
|||||||
',`
|
',`
|
||||||
typealias netif_t alias { lo_netif_t netif_lo_t };
|
typealias netif_t alias { lo_netif_t netif_lo_t };
|
||||||
')
|
')
|
||||||
@@ -342,9 +400,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
|
@@ -342,9 +400,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
|
||||||
allow corenet_unconfined_type node_type:node *;
|
allow corenet_unconfined_type node_type:node *;
|
||||||
allow corenet_unconfined_type netif_type:netif *;
|
allow corenet_unconfined_type netif_type:netif *;
|
||||||
allow corenet_unconfined_type packet_type:packet *;
|
allow corenet_unconfined_type packet_type:packet *;
|
||||||
@ -5837,6 +5837,10 @@ index 4edc40d..9455a13 100644
|
|||||||
+allow netlabel_peer_type netlabel_peer_t:{ tcp_socket udp_socket rawip_socket dccp_socket } recvfrom;
|
+allow netlabel_peer_type netlabel_peer_t:{ tcp_socket udp_socket rawip_socket dccp_socket } recvfrom;
|
||||||
+allow netlabel_peer_t netif_t:netif { rawip_recv egress ingress };
|
+allow netlabel_peer_t netif_t:netif { rawip_recv egress ingress };
|
||||||
+allow netlabel_peer_t node_t:node recvfrom;
|
+allow netlabel_peer_t node_t:node recvfrom;
|
||||||
|
+
|
||||||
|
+typealias neutron_port_t alias quantum_port_t;
|
||||||
|
+typealias neutron_server_packet_t alias quantum_server_packet_t;
|
||||||
|
+typealias neutron_client_packet_t alias quantum_client_packet_t;
|
||||||
diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4
|
diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4
|
||||||
index 3f6e168..51ad69a 100644
|
index 3f6e168..51ad69a 100644
|
||||||
--- a/policy/modules/kernel/corenetwork.te.m4
|
--- a/policy/modules/kernel/corenetwork.te.m4
|
||||||
@ -14159,10 +14163,10 @@ index 8416beb..c6cd3eb 100644
|
|||||||
+ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
|
+ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
|
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
|
||||||
index 9e603f5..e0209df 100644
|
index 9e603f5..1198b51 100644
|
||||||
--- a/policy/modules/kernel/filesystem.te
|
--- a/policy/modules/kernel/filesystem.te
|
||||||
+++ b/policy/modules/kernel/filesystem.te
|
+++ b/policy/modules/kernel/filesystem.te
|
||||||
@@ -32,7 +32,9 @@ fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
|
@@ -32,8 +32,11 @@ fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
|
||||||
fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
|
fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
|
||||||
fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
|
fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
|
||||||
fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
|
fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
|
||||||
@ -14170,9 +14174,11 @@ index 9e603f5..e0209df 100644
|
|||||||
fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
|
fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
|
||||||
+fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);
|
+fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);
|
||||||
fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
|
fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
|
||||||
|
+fs_use_xattr fuse.glusterfs gen_context(system_u:object_r:fs_t,s0);
|
||||||
|
|
||||||
# Use the allocating task SID to label inodes in the following filesystem
|
# Use the allocating task SID to label inodes in the following filesystem
|
||||||
@@ -53,6 +55,7 @@ type anon_inodefs_t;
|
# types, and label the filesystem itself with the specified context.
|
||||||
|
@@ -53,6 +56,7 @@ type anon_inodefs_t;
|
||||||
fs_type(anon_inodefs_t)
|
fs_type(anon_inodefs_t)
|
||||||
files_mountpoint(anon_inodefs_t)
|
files_mountpoint(anon_inodefs_t)
|
||||||
genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
|
genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
|
||||||
@ -14180,7 +14186,7 @@ index 9e603f5..e0209df 100644
|
|||||||
|
|
||||||
type bdev_t;
|
type bdev_t;
|
||||||
fs_type(bdev_t)
|
fs_type(bdev_t)
|
||||||
@@ -63,12 +66,17 @@ fs_type(binfmt_misc_fs_t)
|
@@ -63,12 +67,17 @@ fs_type(binfmt_misc_fs_t)
|
||||||
files_mountpoint(binfmt_misc_fs_t)
|
files_mountpoint(binfmt_misc_fs_t)
|
||||||
genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
|
genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
|
||||||
|
|
||||||
@ -14199,7 +14205,7 @@ index 9e603f5..e0209df 100644
|
|||||||
fs_type(cgroup_t)
|
fs_type(cgroup_t)
|
||||||
files_type(cgroup_t)
|
files_type(cgroup_t)
|
||||||
files_mountpoint(cgroup_t)
|
files_mountpoint(cgroup_t)
|
||||||
@@ -89,6 +97,11 @@ fs_noxattr_type(ecryptfs_t)
|
@@ -89,6 +98,11 @@ fs_noxattr_type(ecryptfs_t)
|
||||||
files_mountpoint(ecryptfs_t)
|
files_mountpoint(ecryptfs_t)
|
||||||
genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
|
genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
|
||||||
|
|
||||||
@ -14211,7 +14217,7 @@ index 9e603f5..e0209df 100644
|
|||||||
type futexfs_t;
|
type futexfs_t;
|
||||||
fs_type(futexfs_t)
|
fs_type(futexfs_t)
|
||||||
genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
|
genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
|
||||||
@@ -97,6 +110,7 @@ type hugetlbfs_t;
|
@@ -97,6 +111,7 @@ type hugetlbfs_t;
|
||||||
fs_type(hugetlbfs_t)
|
fs_type(hugetlbfs_t)
|
||||||
files_mountpoint(hugetlbfs_t)
|
files_mountpoint(hugetlbfs_t)
|
||||||
fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
|
fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
|
||||||
@ -14219,7 +14225,7 @@ index 9e603f5..e0209df 100644
|
|||||||
|
|
||||||
type ibmasmfs_t;
|
type ibmasmfs_t;
|
||||||
fs_type(ibmasmfs_t)
|
fs_type(ibmasmfs_t)
|
||||||
@@ -119,12 +133,17 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
|
@@ -119,12 +134,17 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
|
||||||
|
|
||||||
type nfsd_fs_t;
|
type nfsd_fs_t;
|
||||||
fs_type(nfsd_fs_t)
|
fs_type(nfsd_fs_t)
|
||||||
@ -14237,7 +14243,7 @@ index 9e603f5..e0209df 100644
|
|||||||
type ramfs_t;
|
type ramfs_t;
|
||||||
fs_type(ramfs_t)
|
fs_type(ramfs_t)
|
||||||
files_mountpoint(ramfs_t)
|
files_mountpoint(ramfs_t)
|
||||||
@@ -145,11 +164,6 @@ fs_type(spufs_t)
|
@@ -145,11 +165,6 @@ fs_type(spufs_t)
|
||||||
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
|
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
|
||||||
files_mountpoint(spufs_t)
|
files_mountpoint(spufs_t)
|
||||||
|
|
||||||
@ -14249,7 +14255,7 @@ index 9e603f5..e0209df 100644
|
|||||||
type sysv_t;
|
type sysv_t;
|
||||||
fs_noxattr_type(sysv_t)
|
fs_noxattr_type(sysv_t)
|
||||||
files_mountpoint(sysv_t)
|
files_mountpoint(sysv_t)
|
||||||
@@ -167,6 +181,8 @@ type vxfs_t;
|
@@ -167,6 +182,8 @@ type vxfs_t;
|
||||||
fs_noxattr_type(vxfs_t)
|
fs_noxattr_type(vxfs_t)
|
||||||
files_mountpoint(vxfs_t)
|
files_mountpoint(vxfs_t)
|
||||||
genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
|
genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
|
||||||
@ -14258,7 +14264,7 @@ index 9e603f5..e0209df 100644
|
|||||||
|
|
||||||
#
|
#
|
||||||
# tmpfs_t is the type for tmpfs filesystems
|
# tmpfs_t is the type for tmpfs filesystems
|
||||||
@@ -176,6 +192,8 @@ fs_type(tmpfs_t)
|
@@ -176,6 +193,8 @@ fs_type(tmpfs_t)
|
||||||
files_type(tmpfs_t)
|
files_type(tmpfs_t)
|
||||||
files_mountpoint(tmpfs_t)
|
files_mountpoint(tmpfs_t)
|
||||||
files_poly_parent(tmpfs_t)
|
files_poly_parent(tmpfs_t)
|
||||||
@ -14267,7 +14273,7 @@ index 9e603f5..e0209df 100644
|
|||||||
|
|
||||||
# Use a transition SID based on the allocating task SID and the
|
# Use a transition SID based on the allocating task SID and the
|
||||||
# filesystem SID to label inodes in the following filesystem types,
|
# filesystem SID to label inodes in the following filesystem types,
|
||||||
@@ -255,6 +273,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
|
@@ -255,6 +274,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
|
||||||
type removable_t;
|
type removable_t;
|
||||||
allow removable_t noxattrfs:filesystem associate;
|
allow removable_t noxattrfs:filesystem associate;
|
||||||
fs_noxattr_type(removable_t)
|
fs_noxattr_type(removable_t)
|
||||||
@ -14276,7 +14282,7 @@ index 9e603f5..e0209df 100644
|
|||||||
files_mountpoint(removable_t)
|
files_mountpoint(removable_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
@@ -274,6 +294,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
|
@@ -274,6 +295,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||||
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
|
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||||
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
|
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||||
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
|
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||||
@ -35461,7 +35467,7 @@ index 346a7cc..42a48b6 100644
|
|||||||
+/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0)
|
+/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0)
|
||||||
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
|
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
|
||||||
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
|
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
|
||||||
index 6944526..b82ccf1 100644
|
index 6944526..0bd8d93 100644
|
||||||
--- a/policy/modules/system/sysnetwork.if
|
--- a/policy/modules/system/sysnetwork.if
|
||||||
+++ b/policy/modules/system/sysnetwork.if
|
+++ b/policy/modules/system/sysnetwork.if
|
||||||
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
|
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
|
||||||
@ -35736,7 +35742,7 @@ index 6944526..b82ccf1 100644
|
|||||||
corenet_tcp_sendrecv_generic_if($1)
|
corenet_tcp_sendrecv_generic_if($1)
|
||||||
corenet_udp_sendrecv_generic_if($1)
|
corenet_udp_sendrecv_generic_if($1)
|
||||||
corenet_tcp_sendrecv_generic_node($1)
|
corenet_tcp_sendrecv_generic_node($1)
|
||||||
@@ -766,3 +918,74 @@ interface(`sysnet_use_portmap',`
|
@@ -766,3 +918,76 @@ interface(`sysnet_use_portmap',`
|
||||||
|
|
||||||
sysnet_read_config($1)
|
sysnet_read_config($1)
|
||||||
')
|
')
|
||||||
@ -35804,6 +35810,8 @@ index 6944526..b82ccf1 100644
|
|||||||
+
|
+
|
||||||
+ files_etc_filetrans($1, net_conf_t, file, "resolv.conf")
|
+ files_etc_filetrans($1, net_conf_t, file, "resolv.conf")
|
||||||
+ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
|
+ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
|
||||||
|
+ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-tmp")
|
||||||
|
+ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-saved")
|
||||||
+ files_etc_filetrans($1, net_conf_t, file, "denyhosts")
|
+ files_etc_filetrans($1, net_conf_t, file, "denyhosts")
|
||||||
+ files_etc_filetrans($1, net_conf_t, file, "hosts")
|
+ files_etc_filetrans($1, net_conf_t, file, "hosts")
|
||||||
+ files_etc_filetrans($1, net_conf_t, file, "hosts.deny")
|
+ files_etc_filetrans($1, net_conf_t, file, "hosts.deny")
|
||||||
|
@ -2728,7 +2728,7 @@ index 0000000..df5b3be
|
|||||||
+')
|
+')
|
||||||
diff --git a/antivirus.te b/antivirus.te
|
diff --git a/antivirus.te b/antivirus.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..784557c
|
index 0000000..8ba9c95
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/antivirus.te
|
+++ b/antivirus.te
|
||||||
@@ -0,0 +1,274 @@
|
@@ -0,0 +1,274 @@
|
||||||
@ -2825,7 +2825,7 @@ index 0000000..784557c
|
|||||||
+manage_sock_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
|
+manage_sock_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
|
||||||
+files_tmp_filetrans(antivirus_domain, antivirus_tmp_t, { file dir sock_file } )
|
+files_tmp_filetrans(antivirus_domain, antivirus_tmp_t, { file dir sock_file } )
|
||||||
+
|
+
|
||||||
+allow antivirus_domain antivirus_log_t:dir setattr_dir_perms;
|
+manage_dirs_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
|
||||||
+manage_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
|
+manage_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
|
||||||
+manage_sock_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
|
+manage_sock_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
|
||||||
+logging_log_filetrans(antivirus_domain, antivirus_log_t, { sock_file file dir })
|
+logging_log_filetrans(antivirus_domain, antivirus_log_t, { sock_file file dir })
|
||||||
@ -55084,7 +55084,7 @@ index d2fc677..ded726f 100644
|
|||||||
')
|
')
|
||||||
+
|
+
|
||||||
diff --git a/pegasus.te b/pegasus.te
|
diff --git a/pegasus.te b/pegasus.te
|
||||||
index 7bcf327..c1e0a6f 100644
|
index 7bcf327..c19ce47 100644
|
||||||
--- a/pegasus.te
|
--- a/pegasus.te
|
||||||
+++ b/pegasus.te
|
+++ b/pegasus.te
|
||||||
@@ -1,17 +1,16 @@
|
@@ -1,17 +1,16 @@
|
||||||
@ -55108,7 +55108,7 @@ index 7bcf327..c1e0a6f 100644
|
|||||||
type pegasus_cache_t;
|
type pegasus_cache_t;
|
||||||
files_type(pegasus_cache_t)
|
files_type(pegasus_cache_t)
|
||||||
|
|
||||||
@@ -30,20 +29,262 @@ files_type(pegasus_mof_t)
|
@@ -30,20 +29,266 @@ files_type(pegasus_mof_t)
|
||||||
type pegasus_var_run_t;
|
type pegasus_var_run_t;
|
||||||
files_pid_file(pegasus_var_run_t)
|
files_pid_file(pegasus_var_run_t)
|
||||||
|
|
||||||
@ -55242,6 +55242,10 @@ index 7bcf327..c1e0a6f 100644
|
|||||||
+ realmd_dbus_chat(pegasus_openlmi_services_t)
|
+ realmd_dbus_chat(pegasus_openlmi_services_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ sssd_stream_connect(pegasus_openlmi_services_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
+######################################
|
+######################################
|
||||||
+#
|
+#
|
||||||
+# pegasus openlmi system (networking) local policy
|
+# pegasus openlmi system (networking) local policy
|
||||||
@ -55376,7 +55380,7 @@ index 7bcf327..c1e0a6f 100644
|
|||||||
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
|
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
|
||||||
|
|
||||||
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
|
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
|
||||||
@@ -54,22 +295,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
|
@@ -54,22 +299,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
|
||||||
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
||||||
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
||||||
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
||||||
@ -55407,7 +55411,7 @@ index 7bcf327..c1e0a6f 100644
|
|||||||
|
|
||||||
kernel_read_network_state(pegasus_t)
|
kernel_read_network_state(pegasus_t)
|
||||||
kernel_read_kernel_sysctls(pegasus_t)
|
kernel_read_kernel_sysctls(pegasus_t)
|
||||||
@@ -80,27 +321,21 @@ kernel_read_net_sysctls(pegasus_t)
|
@@ -80,27 +325,21 @@ kernel_read_net_sysctls(pegasus_t)
|
||||||
kernel_read_xen_state(pegasus_t)
|
kernel_read_xen_state(pegasus_t)
|
||||||
kernel_write_xen_state(pegasus_t)
|
kernel_write_xen_state(pegasus_t)
|
||||||
|
|
||||||
@ -55440,7 +55444,7 @@ index 7bcf327..c1e0a6f 100644
|
|||||||
|
|
||||||
corecmd_exec_bin(pegasus_t)
|
corecmd_exec_bin(pegasus_t)
|
||||||
corecmd_exec_shell(pegasus_t)
|
corecmd_exec_shell(pegasus_t)
|
||||||
@@ -114,6 +349,7 @@ files_getattr_all_dirs(pegasus_t)
|
@@ -114,6 +353,7 @@ files_getattr_all_dirs(pegasus_t)
|
||||||
|
|
||||||
auth_use_nsswitch(pegasus_t)
|
auth_use_nsswitch(pegasus_t)
|
||||||
auth_domtrans_chk_passwd(pegasus_t)
|
auth_domtrans_chk_passwd(pegasus_t)
|
||||||
@ -55448,7 +55452,7 @@ index 7bcf327..c1e0a6f 100644
|
|||||||
|
|
||||||
domain_use_interactive_fds(pegasus_t)
|
domain_use_interactive_fds(pegasus_t)
|
||||||
domain_read_all_domains_state(pegasus_t)
|
domain_read_all_domains_state(pegasus_t)
|
||||||
@@ -128,18 +364,25 @@ init_stream_connect_script(pegasus_t)
|
@@ -128,18 +368,25 @@ init_stream_connect_script(pegasus_t)
|
||||||
logging_send_audit_msgs(pegasus_t)
|
logging_send_audit_msgs(pegasus_t)
|
||||||
logging_send_syslog_msg(pegasus_t)
|
logging_send_syslog_msg(pegasus_t)
|
||||||
|
|
||||||
@ -55480,7 +55484,7 @@ index 7bcf327..c1e0a6f 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -151,16 +394,24 @@ optional_policy(`
|
@@ -151,16 +398,24 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -55509,7 +55513,7 @@ index 7bcf327..c1e0a6f 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -168,7 +419,7 @@ optional_policy(`
|
@@ -168,7 +423,7 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -67640,7 +67644,7 @@ index afc0068..3105104 100644
|
|||||||
+ ')
|
+ ')
|
||||||
')
|
')
|
||||||
diff --git a/quantum.te b/quantum.te
|
diff --git a/quantum.te b/quantum.te
|
||||||
index 769d1fd..801835e 100644
|
index 769d1fd..acee489 100644
|
||||||
--- a/quantum.te
|
--- a/quantum.te
|
||||||
+++ b/quantum.te
|
+++ b/quantum.te
|
||||||
@@ -1,96 +1,109 @@
|
@@ -1,96 +1,109 @@
|
||||||
@ -67661,7 +67665,7 @@ index 769d1fd..801835e 100644
|
|||||||
|
|
||||||
-type quantum_initrc_exec_t;
|
-type quantum_initrc_exec_t;
|
||||||
-init_script_file(quantum_initrc_exec_t)
|
-init_script_file(quantum_initrc_exec_t)
|
||||||
+type neutron_initrc_exec_t alias qauntum_initrc_exec_t;
|
+type neutron_initrc_exec_t alias quantum_initrc_exec_t;
|
||||||
+init_script_file(neutron_initrc_exec_t)
|
+init_script_file(neutron_initrc_exec_t)
|
||||||
|
|
||||||
-type quantum_log_t;
|
-type quantum_log_t;
|
||||||
@ -67751,7 +67755,7 @@ index 769d1fd..801835e 100644
|
|||||||
|
|
||||||
-dev_list_sysfs(quantum_t)
|
-dev_list_sysfs(quantum_t)
|
||||||
-dev_read_urand(quantum_t)
|
-dev_read_urand(quantum_t)
|
||||||
+corenet_tcp_bind_quantum_port(neutron_t)
|
+corenet_tcp_bind_neutron_port(neutron_t)
|
||||||
+corenet_tcp_connect_keystone_port(neutron_t)
|
+corenet_tcp_connect_keystone_port(neutron_t)
|
||||||
+corenet_tcp_connect_amqp_port(neutron_t)
|
+corenet_tcp_connect_amqp_port(neutron_t)
|
||||||
+corenet_tcp_connect_mysqld_port(neutron_t)
|
+corenet_tcp_connect_mysqld_port(neutron_t)
|
||||||
@ -85923,7 +85927,7 @@ index dbb005a..45291bb 100644
|
|||||||
-/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
|
-/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
|
||||||
+/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
|
+/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
|
||||||
diff --git a/sssd.if b/sssd.if
|
diff --git a/sssd.if b/sssd.if
|
||||||
index a240455..54c5c1f 100644
|
index a240455..02ad8a9 100644
|
||||||
--- a/sssd.if
|
--- a/sssd.if
|
||||||
+++ b/sssd.if
|
+++ b/sssd.if
|
||||||
@@ -1,21 +1,21 @@
|
@@ -1,21 +1,21 @@
|
||||||
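Review bot: The `+/var/run/sssd.pid -- gen_context(...)` entry carried as context in this hunk drops the backslash that the removed line had; file_contexts paths are regular expressions, so the unescaped `.` matches any single character rather than a literal dot. The entry still labels the real pid file, but it is less precise than `/var/run/sssd\.pid`, and it reads like an accidental edit in the underlying patch rather than an intended relaxation. Restoring `\.` keeps the match exact. These lines are outer-diff context, so the commit itself does not touch them.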
@ -86051,7 +86055,9 @@ index a240455..54c5c1f 100644
|
|||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ type sssd_conf_t;
|
+ type sssd_conf_t;
|
||||||
+ ')
|
+ ')
|
||||||
+
|
|
||||||
|
- files_search_etc($1)
|
||||||
|
- write_files_pattern($1, sssd_conf_t, sssd_conf_t)
|
||||||
+ files_search_etc($1)
|
+ files_search_etc($1)
|
||||||
+ write_files_pattern($1, sssd_conf_t, sssd_conf_t)
|
+ write_files_pattern($1, sssd_conf_t, sssd_conf_t)
|
||||||
+')
|
+')
|
||||||
@ -86070,9 +86076,7 @@ index a240455..54c5c1f 100644
|
|||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ type sssd_conf_t;
|
+ type sssd_conf_t;
|
||||||
+ ')
|
+ ')
|
||||||
|
+
|
||||||
- files_search_etc($1)
|
|
||||||
- write_files_pattern($1, sssd_conf_t, sssd_conf_t)
|
|
||||||
+ files_search_etc($1)
|
+ files_search_etc($1)
|
||||||
+ create_files_pattern($1, sssd_conf_t, sssd_conf_t)
|
+ create_files_pattern($1, sssd_conf_t, sssd_conf_t)
|
||||||
')
|
')
|
||||||
@ -86168,7 +86172,32 @@ index a240455..54c5c1f 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -297,8 +333,7 @@ interface(`sssd_dbus_chat',`
|
@@ -235,6 +271,24 @@ interface(`sssd_dontaudit_search_lib',`
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
+## Do not audit attempts to read sssd lib files.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain to not audit.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`sssd_dontaudit_read_lib',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type sssd_var_lib_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ dontaudit $1 sssd_var_lib_t:file read_file_perms;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
## Read sssd lib files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
@@ -297,8 +351,7 @@ interface(`sssd_dbus_chat',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
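Review bot: The new `sssd_dontaudit_read_lib` interface silences only `sssd_var_lib_t:file read_file_perms`; the directory lookup that precedes a file open is not covered, so a caller such as the `sssd_dontaudit_read_lib(svirt_t)` use added in virt.te may still log `sssd_var_lib_t:dir search` denials if those are part of the same access. If the denials being hidden include the directory, add `dontaudit $1 sssd_var_lib_t:dir search_dir_perms;` after the existing dontaudit line; if only the file access is meant, the `## <summary>` could say so. The interface body is complete within the hunk.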
@ -86178,7 +86207,7 @@ index a240455..54c5c1f 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -317,8 +352,27 @@ interface(`sssd_stream_connect',`
|
@@ -317,8 +370,27 @@ interface(`sssd_stream_connect',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -86198,7 +86227,7 @@ index a240455..54c5c1f 100644
|
|||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ dontaudit $1 sssd_t:unix_stream_socket connectto;
|
+ dontaudit $1 sssd_t:unix_stream_socket connectto;
|
||||||
+ dontaudit $1 sssd_var_lib_t:sock_file write;
|
+ dontaudit $1 sssd_var_lib_t:sock_file { read write };
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -86208,7 +86237,7 @@ index a240455..54c5c1f 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -327,7 +381,7 @@ interface(`sssd_stream_connect',`
|
@@ -327,7 +399,7 @@ interface(`sssd_stream_connect',`
|
||||||
## </param>
|
## </param>
|
||||||
## <param name="role">
|
## <param name="role">
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -86217,7 +86246,7 @@ index a240455..54c5c1f 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
## <rolecap/>
|
## <rolecap/>
|
||||||
@@ -335,27 +389,29 @@ interface(`sssd_stream_connect',`
|
@@ -335,27 +407,29 @@ interface(`sssd_stream_connect',`
|
||||||
interface(`sssd_admin',`
|
interface(`sssd_admin',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type sssd_t, sssd_public_t, sssd_initrc_exec_t;
|
type sssd_t, sssd_public_t, sssd_initrc_exec_t;
|
||||||
@ -93995,7 +94024,7 @@ index 9dec06c..73549fd 100644
|
|||||||
+ virt_stream_connect($1)
|
+ virt_stream_connect($1)
|
||||||
')
|
')
|
||||||
diff --git a/virt.te b/virt.te
|
diff --git a/virt.te b/virt.te
|
||||||
index 1f22fba..a77dab1 100644
|
index 1f22fba..d798c85 100644
|
||||||
--- a/virt.te
|
--- a/virt.te
|
||||||
+++ b/virt.te
|
+++ b/virt.te
|
||||||
@@ -1,147 +1,167 @@
|
@@ -1,147 +1,167 @@
|
||||||
@ -94239,7 +94268,7 @@ index 1f22fba..a77dab1 100644
|
|||||||
ifdef(`enable_mcs',`
|
ifdef(`enable_mcs',`
|
||||||
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
|
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
|
||||||
')
|
')
|
||||||
@@ -150,295 +170,140 @@ ifdef(`enable_mls',`
|
@@ -150,295 +170,141 @@ ifdef(`enable_mls',`
|
||||||
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
|
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -94497,6 +94526,7 @@ index 1f22fba..a77dab1 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
- xen_rw_image_files(virt_domain)
|
- xen_rw_image_files(virt_domain)
|
||||||
+ sssd_dontaudit_stream_connect(svirt_t)
|
+ sssd_dontaudit_stream_connect(svirt_t)
|
||||||
|
+ sssd_dontaudit_read_lib(svirt_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
-########################################
|
-########################################
|
||||||
@ -94619,7 +94649,7 @@ index 1f22fba..a77dab1 100644
|
|||||||
|
|
||||||
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
||||||
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
||||||
@@ -448,42 +313,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
@@ -448,42 +314,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
||||||
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
||||||
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
|
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
|
||||||
|
|
||||||
@ -94666,7 +94696,7 @@ index 1f22fba..a77dab1 100644
|
|||||||
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
|
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
|
||||||
|
|
||||||
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
|
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
|
||||||
@@ -496,16 +348,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
|
@@ -496,16 +349,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
|
||||||
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
|
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
|
||||||
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
|
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
|
||||||
|
|
||||||
@ -94688,7 +94718,7 @@ index 1f22fba..a77dab1 100644
|
|||||||
kernel_read_system_state(virtd_t)
|
kernel_read_system_state(virtd_t)
|
||||||
kernel_read_network_state(virtd_t)
|
kernel_read_network_state(virtd_t)
|
||||||
kernel_rw_net_sysctls(virtd_t)
|
kernel_rw_net_sysctls(virtd_t)
|
||||||
@@ -513,6 +361,7 @@ kernel_read_kernel_sysctls(virtd_t)
|
@@ -513,6 +362,7 @@ kernel_read_kernel_sysctls(virtd_t)
|
||||||
kernel_request_load_module(virtd_t)
|
kernel_request_load_module(virtd_t)
|
||||||
kernel_search_debugfs(virtd_t)
|
kernel_search_debugfs(virtd_t)
|
||||||
kernel_setsched(virtd_t)
|
kernel_setsched(virtd_t)
|
||||||
@ -94696,7 +94726,7 @@ index 1f22fba..a77dab1 100644
|
|||||||
|
|
||||||
corecmd_exec_bin(virtd_t)
|
corecmd_exec_bin(virtd_t)
|
||||||
corecmd_exec_shell(virtd_t)
|
corecmd_exec_shell(virtd_t)
|
||||||
@@ -520,24 +369,16 @@ corecmd_exec_shell(virtd_t)
|
@@ -520,24 +370,16 @@ corecmd_exec_shell(virtd_t)
|
||||||
corenet_all_recvfrom_netlabel(virtd_t)
|
corenet_all_recvfrom_netlabel(virtd_t)
|
||||||
corenet_tcp_sendrecv_generic_if(virtd_t)
|
corenet_tcp_sendrecv_generic_if(virtd_t)
|
||||||
corenet_tcp_sendrecv_generic_node(virtd_t)
|
corenet_tcp_sendrecv_generic_node(virtd_t)
|
||||||
@ -94724,7 +94754,7 @@ index 1f22fba..a77dab1 100644
|
|||||||
dev_rw_sysfs(virtd_t)
|
dev_rw_sysfs(virtd_t)
|
||||||
dev_read_urand(virtd_t)
|
dev_read_urand(virtd_t)
|
||||||
dev_read_rand(virtd_t)
|
dev_read_rand(virtd_t)
|
||||||
@@ -548,22 +389,27 @@ dev_rw_vhost(virtd_t)
|
@@ -548,22 +390,27 @@ dev_rw_vhost(virtd_t)
|
||||||
dev_setattr_generic_usb_dev(virtd_t)
|
dev_setattr_generic_usb_dev(virtd_t)
|
||||||
dev_relabel_generic_usb_dev(virtd_t)
|
dev_relabel_generic_usb_dev(virtd_t)
|
||||||
|
|
||||||
@ -94757,7 +94787,7 @@ index 1f22fba..a77dab1 100644
|
|||||||
fs_rw_anon_inodefs_files(virtd_t)
|
fs_rw_anon_inodefs_files(virtd_t)
|
||||||
fs_list_inotifyfs(virtd_t)
|
fs_list_inotifyfs(virtd_t)
|
||||||
fs_manage_cgroup_dirs(virtd_t)
|
fs_manage_cgroup_dirs(virtd_t)
|
||||||
@@ -594,15 +440,18 @@ term_use_ptmx(virtd_t)
|
@@ -594,15 +441,18 @@ term_use_ptmx(virtd_t)
|
||||||
|
|
||||||
auth_use_nsswitch(virtd_t)
|
auth_use_nsswitch(virtd_t)
|
||||||
|
|
||||||
@ -94777,7 +94807,7 @@ index 1f22fba..a77dab1 100644
|
|||||||
|
|
||||||
selinux_validate_context(virtd_t)
|
selinux_validate_context(virtd_t)
|
||||||
|
|
||||||
@@ -613,18 +462,26 @@ seutil_read_file_contexts(virtd_t)
|
@@ -613,18 +463,26 @@ seutil_read_file_contexts(virtd_t)
|
||||||
sysnet_signull_ifconfig(virtd_t)
|
sysnet_signull_ifconfig(virtd_t)
|
||||||
sysnet_signal_ifconfig(virtd_t)
|
sysnet_signal_ifconfig(virtd_t)
|
||||||
sysnet_domtrans_ifconfig(virtd_t)
|
sysnet_domtrans_ifconfig(virtd_t)
|
||||||
@ -94814,7 +94844,7 @@ index 1f22fba..a77dab1 100644
|
|||||||
|
|
||||||
tunable_policy(`virt_use_nfs',`
|
tunable_policy(`virt_use_nfs',`
|
||||||
fs_manage_nfs_dirs(virtd_t)
|
fs_manage_nfs_dirs(virtd_t)
|
||||||
@@ -633,7 +490,7 @@ tunable_policy(`virt_use_nfs',`
|
@@ -633,7 +491,7 @@ tunable_policy(`virt_use_nfs',`
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`virt_use_samba',`
|
tunable_policy(`virt_use_samba',`
|
||||||
@ -94823,7 +94853,7 @@ index 1f22fba..a77dab1 100644
|
|||||||
fs_manage_cifs_files(virtd_t)
|
fs_manage_cifs_files(virtd_t)
|
||||||
fs_read_cifs_symlinks(virtd_t)
|
fs_read_cifs_symlinks(virtd_t)
|
||||||
')
|
')
|
||||||
@@ -658,20 +515,12 @@ optional_policy(`
|
@@ -658,20 +516,12 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -94844,7 +94874,7 @@ index 1f22fba..a77dab1 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -684,14 +533,20 @@ optional_policy(`
|
@@ -684,14 +534,20 @@ optional_policy(`
|
||||||
dnsmasq_kill(virtd_t)
|
dnsmasq_kill(virtd_t)
|
||||||
dnsmasq_signull(virtd_t)
|
dnsmasq_signull(virtd_t)
|
||||||
dnsmasq_create_pid_dirs(virtd_t)
|
dnsmasq_create_pid_dirs(virtd_t)
|
||||||
@ -94867,7 +94897,7 @@ index 1f22fba..a77dab1 100644
|
|||||||
iptables_manage_config(virtd_t)
|
iptables_manage_config(virtd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -704,11 +559,13 @@ optional_policy(`
|
@@ -704,11 +560,13 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -94881,7 +94911,7 @@ index 1f22fba..a77dab1 100644
|
|||||||
policykit_domtrans_auth(virtd_t)
|
policykit_domtrans_auth(virtd_t)
|
||||||
policykit_domtrans_resolve(virtd_t)
|
policykit_domtrans_resolve(virtd_t)
|
||||||
policykit_read_lib(virtd_t)
|
policykit_read_lib(virtd_t)
|
||||||
@@ -719,10 +576,18 @@ optional_policy(`
|
@@ -719,10 +577,18 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -94900,7 +94930,7 @@ index 1f22fba..a77dab1 100644
|
|||||||
kernel_read_xen_state(virtd_t)
|
kernel_read_xen_state(virtd_t)
|
||||||
kernel_write_xen_state(virtd_t)
|
kernel_write_xen_state(virtd_t)
|
||||||
|
|
||||||
@@ -737,44 +602,264 @@ optional_policy(`
|
@@ -737,44 +603,264 @@ optional_policy(`
|
||||||
udev_read_db(virtd_t)
|
udev_read_db(virtd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -95187,7 +95217,7 @@ index 1f22fba..a77dab1 100644
|
|||||||
kernel_read_system_state(virsh_t)
|
kernel_read_system_state(virsh_t)
|
||||||
kernel_read_network_state(virsh_t)
|
kernel_read_network_state(virsh_t)
|
||||||
kernel_read_kernel_sysctls(virsh_t)
|
kernel_read_kernel_sysctls(virsh_t)
|
||||||
@@ -785,25 +870,18 @@ kernel_write_xen_state(virsh_t)
|
@@ -785,25 +871,18 @@ kernel_write_xen_state(virsh_t)
|
||||||
corecmd_exec_bin(virsh_t)
|
corecmd_exec_bin(virsh_t)
|
||||||
corecmd_exec_shell(virsh_t)
|
corecmd_exec_shell(virsh_t)
|
||||||
|
|
||||||
@ -95214,7 +95244,7 @@ index 1f22fba..a77dab1 100644
|
|||||||
|
|
||||||
fs_getattr_all_fs(virsh_t)
|
fs_getattr_all_fs(virsh_t)
|
||||||
fs_manage_xenfs_dirs(virsh_t)
|
fs_manage_xenfs_dirs(virsh_t)
|
||||||
@@ -812,23 +890,23 @@ fs_search_auto_mountpoints(virsh_t)
|
@@ -812,23 +891,23 @@ fs_search_auto_mountpoints(virsh_t)
|
||||||
|
|
||||||
storage_raw_read_fixed_disk(virsh_t)
|
storage_raw_read_fixed_disk(virsh_t)
|
||||||
|
|
||||||
@ -95247,7 +95277,7 @@ index 1f22fba..a77dab1 100644
|
|||||||
|
|
||||||
tunable_policy(`virt_use_nfs',`
|
tunable_policy(`virt_use_nfs',`
|
||||||
fs_manage_nfs_dirs(virsh_t)
|
fs_manage_nfs_dirs(virsh_t)
|
||||||
@@ -847,14 +925,20 @@ optional_policy(`
|
@@ -847,14 +926,20 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -95269,7 +95299,7 @@ index 1f22fba..a77dab1 100644
|
|||||||
xen_stream_connect(virsh_t)
|
xen_stream_connect(virsh_t)
|
||||||
xen_stream_connect_xenstore(virsh_t)
|
xen_stream_connect_xenstore(virsh_t)
|
||||||
')
|
')
|
||||||
@@ -879,49 +963,65 @@ optional_policy(`
|
@@ -879,49 +964,65 @@ optional_policy(`
|
||||||
kernel_read_xen_state(virsh_ssh_t)
|
kernel_read_xen_state(virsh_ssh_t)
|
||||||
kernel_write_xen_state(virsh_ssh_t)
|
kernel_write_xen_state(virsh_ssh_t)
|
||||||
|
|
||||||
@ -95353,7 +95383,7 @@ index 1f22fba..a77dab1 100644
|
|||||||
|
|
||||||
corecmd_exec_bin(virtd_lxc_t)
|
corecmd_exec_bin(virtd_lxc_t)
|
||||||
corecmd_exec_shell(virtd_lxc_t)
|
corecmd_exec_shell(virtd_lxc_t)
|
||||||
@@ -933,17 +1033,16 @@ dev_read_urand(virtd_lxc_t)
|
@@ -933,17 +1034,16 @@ dev_read_urand(virtd_lxc_t)
|
||||||
|
|
||||||
domain_use_interactive_fds(virtd_lxc_t)
|
domain_use_interactive_fds(virtd_lxc_t)
|
||||||
|
|
||||||
@ -95373,7 +95403,7 @@ index 1f22fba..a77dab1 100644
|
|||||||
fs_getattr_all_fs(virtd_lxc_t)
|
fs_getattr_all_fs(virtd_lxc_t)
|
||||||
fs_manage_tmpfs_dirs(virtd_lxc_t)
|
fs_manage_tmpfs_dirs(virtd_lxc_t)
|
||||||
fs_manage_tmpfs_chr_files(virtd_lxc_t)
|
fs_manage_tmpfs_chr_files(virtd_lxc_t)
|
||||||
@@ -955,8 +1054,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
|
@@ -955,8 +1055,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
|
||||||
fs_unmount_all_fs(virtd_lxc_t)
|
fs_unmount_all_fs(virtd_lxc_t)
|
||||||
fs_relabelfrom_tmpfs(virtd_lxc_t)
|
fs_relabelfrom_tmpfs(virtd_lxc_t)
|
||||||
|
|
||||||
@ -95397,7 +95427,7 @@ index 1f22fba..a77dab1 100644
|
|||||||
selinux_get_enforce_mode(virtd_lxc_t)
|
selinux_get_enforce_mode(virtd_lxc_t)
|
||||||
selinux_get_fs_mount(virtd_lxc_t)
|
selinux_get_fs_mount(virtd_lxc_t)
|
||||||
selinux_validate_context(virtd_lxc_t)
|
selinux_validate_context(virtd_lxc_t)
|
||||||
@@ -965,194 +1079,238 @@ selinux_compute_create_context(virtd_lxc_t)
|
@@ -965,194 +1080,238 @@ selinux_compute_create_context(virtd_lxc_t)
|
||||||
selinux_compute_relabel_context(virtd_lxc_t)
|
selinux_compute_relabel_context(virtd_lxc_t)
|
||||||
selinux_compute_user_contexts(virtd_lxc_t)
|
selinux_compute_user_contexts(virtd_lxc_t)
|
||||||
|
|
||||||
@ -95772,7 +95802,7 @@ index 1f22fba..a77dab1 100644
|
|||||||
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
|
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
|
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
|
||||||
|
|
||||||
@@ -1165,12 +1323,12 @@ dev_read_sysfs(virt_qmf_t)
|
@@ -1165,12 +1324,12 @@ dev_read_sysfs(virt_qmf_t)
|
||||||
dev_read_rand(virt_qmf_t)
|
dev_read_rand(virt_qmf_t)
|
||||||
dev_read_urand(virt_qmf_t)
|
dev_read_urand(virt_qmf_t)
|
||||||
|
|
||||||
@ -95787,7 +95817,7 @@ index 1f22fba..a77dab1 100644
|
|||||||
sysnet_read_config(virt_qmf_t)
|
sysnet_read_config(virt_qmf_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -1183,9 +1341,8 @@ optional_policy(`
|
@@ -1183,9 +1342,8 @@ optional_policy(`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -95798,7 +95828,7 @@ index 1f22fba..a77dab1 100644
|
|||||||
allow virt_bridgehelper_t self:process { setcap getcap };
|
allow virt_bridgehelper_t self:process { setcap getcap };
|
||||||
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
|
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
|
||||||
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
||||||
@@ -1198,5 +1355,194 @@ kernel_read_network_state(virt_bridgehelper_t)
|
@@ -1198,5 +1356,194 @@ kernel_read_network_state(virt_bridgehelper_t)
|
||||||
|
|
||||||
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
|
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
|
||||||
|
|
||||||
|
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.12.1
|
Version: 3.12.1
|
||||||
Release: 94%{?dist}
|
Release: 95%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -573,6 +573,15 @@ SELinux Reference policy mls base module.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Oct 30 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-95
|
||||||
|
- Fix alias decl in corenetwork.te.in
|
||||||
|
- Add support for fuse.glusterfs
|
||||||
|
- Add file transition rules for content created by f5link
|
||||||
|
- Rename quantum_port information to neutron
|
||||||
|
- Allow all antivirus domains to manage also own log dirs
|
||||||
|
- Rename quantum_port information to neutron
|
||||||
|
- Allow pegasus_openlmi_services_t to stream connect to sssd_t
|
||||||
|
|
||||||
* Mon Oct 28 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-94
|
* Mon Oct 28 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-94
|
||||||
- Allow sysadm_t to read login information
|
- Allow sysadm_t to read login information
|
||||||
- Allow systemd_tmpfiles to setattr on var_log_t directories
|
- Allow systemd_tmpfiles to setattr on var_log_t directories
|
||||||
|