- Add prosody policy written by Michael Scherer
- Allow nagios plugins to read /sys info - ntpd needs to manage own log files - Add support for HOME_DIR/.IBMERS - Allow iptables commands to read firewalld config - Allow consolekit_t to read utmp - Fix filename transitions on .razor directory - Add additional fixes to make DSPAM with LDA working - Allow snort to read /etc/passwd - Allow fail2ban to communicate with firewalld over dbus - Dontaudit openshift_cgreoup_file_t read/write leaked dev - Allow nfsd to use mountd port - Call the proper interface - Allow openvswitch to read sys and execute plymouth - Allow tmpwatch to read /var/spool/cups/tmp - Add support for /usr/libexec/telepathy-rakia - Add systemd support for zoneminder - Allow mysql to create files/directories under /var/log/mysql - Allow zoneminder apache scripts to rw zoneminder tmpfs - Allow httpd to manage zoneminder lib files - Add zoneminder_run_sudo boolean to allow to start zoneminder - Allow zoneminder to send mails - gssproxy_t sock_file can be under /var/lib - Allow web domains to connect to whois port. - Allow sandbox_web_type to connect to the same ports as mozilla_plugin_t. - We really need to add an interface to corenet to define what a web_client_domain i - then define chrome_sandbox_t, mozilla_plugin_t and sandbox_web_type to that domain - Add labeling for cmpiLMI_LogicalFile-cimprovagt - Also make pegasus_openlmi_logicalfile_t as unconfined to have unconfined_domain at - Update policy rules for pegasus_openlmi_logicalfile_t - Add initial types for logicalfile/unconfined OpenLMI providers - mailmanctl needs to read own log - Allow logwatch manage own lock files - Allow nrpe to read meminfo - Allow httpd to read certs located in pki-ca - Add pki_read_tomcat_cert() interface - Add support for nagios openshift plugins - Add port definition for redis port - fix selinuxuser_use_ssh_chroot boolean
This commit is contained in:
parent
961ad881ae
commit
d1027c54b9
@ -2250,3 +2250,10 @@ pesign = module
|
|||||||
# Fast and lean authoritative DNS Name Server
|
# Fast and lean authoritative DNS Name Server
|
||||||
#
|
#
|
||||||
nsd = module
|
nsd = module
|
||||||
|
|
||||||
|
# Layer: contrib
|
||||||
|
# Module: iodine
|
||||||
|
#
|
||||||
|
# Fast and lean authoritative DNS Name Server
|
||||||
|
#
|
||||||
|
iodine = module
|
||||||
|
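Review bot: The description header added for the new iodine entry, `# Fast and lean authoritative DNS Name Server`, is a verbatim copy of the nsd entry's description line just above it, so the comment misdescribes the module being enabled; iodine is an IP-over-DNS tunnelling tool, not an authoritative name server. Replace it with a one-line summary of the module itself, e.g. `# IP over DNS tunnel (iodine)`. The rest of the entry (the Layer/Module header and `iodine = module`) matches the shape of the surrounding entries. The file header for this section is not visible in the rendered page, so the path is inferred from the `pesign = module` / `nsd = module` context.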
@ -5170,7 +5170,7 @@ index 8e0f9cd..b9f45b9 100644
|
|||||||
|
|
||||||
define(`create_packet_interfaces',``
|
define(`create_packet_interfaces',``
|
||||||
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
|
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
|
||||||
index 4edc40d..68176bb 100644
|
index 4edc40d..b48abbe 100644
|
||||||
--- a/policy/modules/kernel/corenetwork.te.in
|
--- a/policy/modules/kernel/corenetwork.te.in
|
||||||
+++ b/policy/modules/kernel/corenetwork.te.in
|
+++ b/policy/modules/kernel/corenetwork.te.in
|
||||||
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
|
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
|
||||||
@ -5400,7 +5400,7 @@ index 4edc40d..68176bb 100644
|
|||||||
network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0)
|
network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0)
|
||||||
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
|
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
|
||||||
network_port(portmap, udp,111,s0, tcp,111,s0)
|
network_port(portmap, udp,111,s0, tcp,111,s0)
|
||||||
@@ -214,38 +255,42 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
|
@@ -214,38 +255,43 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
|
||||||
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
|
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
|
||||||
network_port(printer, tcp,515,s0)
|
network_port(printer, tcp,515,s0)
|
||||||
network_port(ptal, tcp,5703,s0)
|
network_port(ptal, tcp,5703,s0)
|
||||||
@ -5415,6 +5415,7 @@ index 4edc40d..68176bb 100644
|
|||||||
network_port(radsec, tcp,2083,s0)
|
network_port(radsec, tcp,2083,s0)
|
||||||
network_port(razor, tcp,2703,s0)
|
network_port(razor, tcp,2703,s0)
|
||||||
+network_port(time, tcp,37,s0, udp,37,s0)
|
+network_port(time, tcp,37,s0, udp,37,s0)
|
||||||
|
+network_port(redis, tcp,6379,s0)
|
||||||
network_port(repository, tcp, 6363, s0)
|
network_port(repository, tcp, 6363, s0)
|
||||||
network_port(ricci, tcp,11111,s0, udp,11111,s0)
|
network_port(ricci, tcp,11111,s0, udp,11111,s0)
|
||||||
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
|
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
|
||||||
@ -5449,7 +5450,7 @@ index 4edc40d..68176bb 100644
|
|||||||
network_port(ssh, tcp,22,s0)
|
network_port(ssh, tcp,22,s0)
|
||||||
network_port(stunnel) # no defined portcon
|
network_port(stunnel) # no defined portcon
|
||||||
network_port(svn, tcp,3690,s0, udp,3690,s0)
|
network_port(svn, tcp,3690,s0, udp,3690,s0)
|
||||||
@@ -257,8 +302,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
|
@@ -257,8 +303,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
|
||||||
network_port(tcs, tcp, 30003, s0)
|
network_port(tcs, tcp, 30003, s0)
|
||||||
network_port(telnetd, tcp,23,s0)
|
network_port(telnetd, tcp,23,s0)
|
||||||
network_port(tftp, udp,69,s0)
|
network_port(tftp, udp,69,s0)
|
||||||
@ -5460,7 +5461,7 @@ index 4edc40d..68176bb 100644
|
|||||||
network_port(transproxy, tcp,8081,s0)
|
network_port(transproxy, tcp,8081,s0)
|
||||||
network_port(trisoap, tcp,10200,s0, udp,10200,s0)
|
network_port(trisoap, tcp,10200,s0, udp,10200,s0)
|
||||||
network_port(ups, tcp,3493,s0)
|
network_port(ups, tcp,3493,s0)
|
||||||
@@ -268,10 +314,10 @@ network_port(varnishd, tcp,6081-6082,s0)
|
@@ -268,10 +315,10 @@ network_port(varnishd, tcp,6081-6082,s0)
|
||||||
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
|
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
|
||||||
network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
|
network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
|
||||||
network_port(virt_migration, tcp,49152-49216,s0)
|
network_port(virt_migration, tcp,49152-49216,s0)
|
||||||
@ -5473,7 +5474,7 @@ index 4edc40d..68176bb 100644
|
|||||||
network_port(winshadow, tcp,3161,s0, udp,3261,s0)
|
network_port(winshadow, tcp,3161,s0, udp,3261,s0)
|
||||||
network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
|
network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
|
||||||
network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
|
network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
|
||||||
@@ -292,12 +338,16 @@ network_port(zope, tcp,8021,s0)
|
@@ -292,12 +339,16 @@ network_port(zope, tcp,8021,s0)
|
||||||
# Defaults for reserved ports. Earlier portcon entries take precedence;
|
# Defaults for reserved ports. Earlier portcon entries take precedence;
|
||||||
# these entries just cover any remaining reserved ports not otherwise declared.
|
# these entries just cover any remaining reserved ports not otherwise declared.
|
||||||
|
|
||||||
@ -5492,7 +5493,7 @@ index 4edc40d..68176bb 100644
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@@ -330,6 +380,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
|
@@ -330,6 +381,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
|
||||||
|
|
||||||
build_option(`enable_mls',`
|
build_option(`enable_mls',`
|
||||||
network_interface(lo, lo, s0 - mls_systemhigh)
|
network_interface(lo, lo, s0 - mls_systemhigh)
|
||||||
@ -5501,7 +5502,7 @@ index 4edc40d..68176bb 100644
|
|||||||
',`
|
',`
|
||||||
typealias netif_t alias { lo_netif_t netif_lo_t };
|
typealias netif_t alias { lo_netif_t netif_lo_t };
|
||||||
')
|
')
|
||||||
@@ -342,9 +394,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
|
@@ -342,9 +395,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
|
||||||
allow corenet_unconfined_type node_type:node *;
|
allow corenet_unconfined_type node_type:node *;
|
||||||
allow corenet_unconfined_type netif_type:netif *;
|
allow corenet_unconfined_type netif_type:netif *;
|
||||||
allow corenet_unconfined_type packet_type:packet *;
|
allow corenet_unconfined_type packet_type:packet *;
|
||||||
@ -33356,15 +33357,14 @@ index 3822072..1029e3b 100644
|
|||||||
+ userdom_admin_home_dir_filetrans($1, default_context_t, file, ".default_context")
|
+ userdom_admin_home_dir_filetrans($1, default_context_t, file, ".default_context")
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
|
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
|
||||||
index ec01d0b..64db314 100644
|
index ec01d0b..e2b829b 100644
|
||||||
--- a/policy/modules/system/selinuxutil.te
|
--- a/policy/modules/system/selinuxutil.te
|
||||||
+++ b/policy/modules/system/selinuxutil.te
|
+++ b/policy/modules/system/selinuxutil.te
|
||||||
@@ -11,14 +11,17 @@ gen_require(`
|
@@ -11,14 +11,16 @@ gen_require(`
|
||||||
|
|
||||||
attribute can_write_binary_policy;
|
attribute can_write_binary_policy;
|
||||||
attribute can_relabelto_binary_policy;
|
attribute can_relabelto_binary_policy;
|
||||||
+attribute setfiles_domain;
|
+attribute setfiles_domain;
|
||||||
+attribute seutil_semanage_domain;
|
|
||||||
+attribute policy_manager_domain;
|
+attribute policy_manager_domain;
|
||||||
|
|
||||||
-attribute_role newrole_roles;
|
-attribute_role newrole_roles;
|
||||||
@ -33382,7 +33382,7 @@ index ec01d0b..64db314 100644
|
|||||||
|
|
||||||
#
|
#
|
||||||
# selinux_config_t is the type applied to
|
# selinux_config_t is the type applied to
|
||||||
@@ -28,7 +31,13 @@ roleattribute system_r semanage_roles;
|
@@ -28,7 +30,13 @@ roleattribute system_r semanage_roles;
|
||||||
# in the domain_type interface
|
# in the domain_type interface
|
||||||
# (fix dup decl)
|
# (fix dup decl)
|
||||||
type selinux_config_t;
|
type selinux_config_t;
|
||||||
@ -33397,7 +33397,7 @@ index ec01d0b..64db314 100644
|
|||||||
|
|
||||||
type checkpolicy_t, can_write_binary_policy;
|
type checkpolicy_t, can_write_binary_policy;
|
||||||
type checkpolicy_exec_t;
|
type checkpolicy_exec_t;
|
||||||
@@ -40,14 +49,14 @@ role system_r types checkpolicy_t;
|
@@ -40,14 +48,14 @@ role system_r types checkpolicy_t;
|
||||||
# /etc/selinux/*/contexts/*
|
# /etc/selinux/*/contexts/*
|
||||||
#
|
#
|
||||||
type default_context_t;
|
type default_context_t;
|
||||||
@ -33414,7 +33414,7 @@ index ec01d0b..64db314 100644
|
|||||||
|
|
||||||
type load_policy_t;
|
type load_policy_t;
|
||||||
type load_policy_exec_t;
|
type load_policy_exec_t;
|
||||||
@@ -60,14 +69,20 @@ application_domain(newrole_t, newrole_exec_t)
|
@@ -60,14 +68,20 @@ application_domain(newrole_t, newrole_exec_t)
|
||||||
domain_role_change_exemption(newrole_t)
|
domain_role_change_exemption(newrole_t)
|
||||||
domain_obj_id_change_exemption(newrole_t)
|
domain_obj_id_change_exemption(newrole_t)
|
||||||
domain_interactive_fd(newrole_t)
|
domain_interactive_fd(newrole_t)
|
||||||
@ -33438,7 +33438,7 @@ index ec01d0b..64db314 100644
|
|||||||
|
|
||||||
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
|
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
|
||||||
#neverallow ~can_write_binary_policy policy_config_t:file { write append };
|
#neverallow ~can_write_binary_policy policy_config_t:file { write append };
|
||||||
@@ -83,7 +98,6 @@ type restorecond_t;
|
@@ -83,7 +97,6 @@ type restorecond_t;
|
||||||
type restorecond_exec_t;
|
type restorecond_exec_t;
|
||||||
init_daemon_domain(restorecond_t, restorecond_exec_t)
|
init_daemon_domain(restorecond_t, restorecond_exec_t)
|
||||||
domain_obj_id_change_exemption(restorecond_t)
|
domain_obj_id_change_exemption(restorecond_t)
|
||||||
@ -33446,7 +33446,7 @@ index ec01d0b..64db314 100644
|
|||||||
|
|
||||||
type restorecond_var_run_t;
|
type restorecond_var_run_t;
|
||||||
files_pid_file(restorecond_var_run_t)
|
files_pid_file(restorecond_var_run_t)
|
||||||
@@ -92,25 +106,32 @@ type run_init_t;
|
@@ -92,25 +105,32 @@ type run_init_t;
|
||||||
type run_init_exec_t;
|
type run_init_exec_t;
|
||||||
application_domain(run_init_t, run_init_exec_t)
|
application_domain(run_init_t, run_init_exec_t)
|
||||||
domain_system_change_exemption(run_init_t)
|
domain_system_change_exemption(run_init_t)
|
||||||
@ -33485,7 +33485,7 @@ index ec01d0b..64db314 100644
|
|||||||
|
|
||||||
type semanage_var_lib_t;
|
type semanage_var_lib_t;
|
||||||
files_type(semanage_var_lib_t)
|
files_type(semanage_var_lib_t)
|
||||||
@@ -120,6 +141,11 @@ type setfiles_exec_t alias restorecon_exec_t;
|
@@ -120,6 +140,11 @@ type setfiles_exec_t alias restorecon_exec_t;
|
||||||
init_system_domain(setfiles_t, setfiles_exec_t)
|
init_system_domain(setfiles_t, setfiles_exec_t)
|
||||||
domain_obj_id_change_exemption(setfiles_t)
|
domain_obj_id_change_exemption(setfiles_t)
|
||||||
|
|
||||||
@ -33497,7 +33497,7 @@ index ec01d0b..64db314 100644
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Checkpolicy local policy
|
# Checkpolicy local policy
|
||||||
@@ -137,6 +163,7 @@ filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file)
|
@@ -137,6 +162,7 @@ filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file)
|
||||||
read_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
|
read_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
|
||||||
read_lnk_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
|
read_lnk_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
|
||||||
allow checkpolicy_t selinux_config_t:dir search_dir_perms;
|
allow checkpolicy_t selinux_config_t:dir search_dir_perms;
|
||||||
@ -33505,7 +33505,7 @@ index ec01d0b..64db314 100644
|
|||||||
|
|
||||||
domain_use_interactive_fds(checkpolicy_t)
|
domain_use_interactive_fds(checkpolicy_t)
|
||||||
|
|
||||||
@@ -151,7 +178,7 @@ term_use_console(checkpolicy_t)
|
@@ -151,7 +177,7 @@ term_use_console(checkpolicy_t)
|
||||||
init_use_fds(checkpolicy_t)
|
init_use_fds(checkpolicy_t)
|
||||||
init_use_script_ptys(checkpolicy_t)
|
init_use_script_ptys(checkpolicy_t)
|
||||||
|
|
||||||
@ -33514,7 +33514,7 @@ index ec01d0b..64db314 100644
|
|||||||
userdom_use_all_users_fds(checkpolicy_t)
|
userdom_use_all_users_fds(checkpolicy_t)
|
||||||
|
|
||||||
ifdef(`distro_ubuntu',`
|
ifdef(`distro_ubuntu',`
|
||||||
@@ -188,13 +215,13 @@ term_list_ptys(load_policy_t)
|
@@ -188,13 +214,13 @@ term_list_ptys(load_policy_t)
|
||||||
|
|
||||||
init_use_script_fds(load_policy_t)
|
init_use_script_fds(load_policy_t)
|
||||||
init_use_script_ptys(load_policy_t)
|
init_use_script_ptys(load_policy_t)
|
||||||
@ -33531,7 +33531,7 @@ index ec01d0b..64db314 100644
|
|||||||
|
|
||||||
ifdef(`distro_ubuntu',`
|
ifdef(`distro_ubuntu',`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -205,6 +232,7 @@ ifdef(`distro_ubuntu',`
|
@@ -205,6 +231,7 @@ ifdef(`distro_ubuntu',`
|
||||||
ifdef(`hide_broken_symptoms',`
|
ifdef(`hide_broken_symptoms',`
|
||||||
# cjp: cover up stray file descriptors.
|
# cjp: cover up stray file descriptors.
|
||||||
dontaudit load_policy_t selinux_config_t:file write;
|
dontaudit load_policy_t selinux_config_t:file write;
|
||||||
@ -33539,7 +33539,7 @@ index ec01d0b..64db314 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
unconfined_dontaudit_read_pipes(load_policy_t)
|
unconfined_dontaudit_read_pipes(load_policy_t)
|
||||||
@@ -215,12 +243,17 @@ optional_policy(`
|
@@ -215,12 +242,17 @@ optional_policy(`
|
||||||
portage_dontaudit_use_fds(load_policy_t)
|
portage_dontaudit_use_fds(load_policy_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -33558,7 +33558,7 @@ index ec01d0b..64db314 100644
|
|||||||
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
|
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
|
||||||
allow newrole_t self:process setexec;
|
allow newrole_t self:process setexec;
|
||||||
allow newrole_t self:fd use;
|
allow newrole_t self:fd use;
|
||||||
@@ -232,7 +265,7 @@ allow newrole_t self:msgq create_msgq_perms;
|
@@ -232,7 +264,7 @@ allow newrole_t self:msgq create_msgq_perms;
|
||||||
allow newrole_t self:msg { send receive };
|
allow newrole_t self:msg { send receive };
|
||||||
allow newrole_t self:unix_dgram_socket sendto;
|
allow newrole_t self:unix_dgram_socket sendto;
|
||||||
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||||
@ -33567,7 +33567,7 @@ index ec01d0b..64db314 100644
|
|||||||
|
|
||||||
read_files_pattern(newrole_t, default_context_t, default_context_t)
|
read_files_pattern(newrole_t, default_context_t, default_context_t)
|
||||||
read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
|
read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
|
||||||
@@ -249,6 +282,7 @@ domain_use_interactive_fds(newrole_t)
|
@@ -249,6 +281,7 @@ domain_use_interactive_fds(newrole_t)
|
||||||
# for when the user types "exec newrole" at the command line:
|
# for when the user types "exec newrole" at the command line:
|
||||||
domain_sigchld_interactive_fds(newrole_t)
|
domain_sigchld_interactive_fds(newrole_t)
|
||||||
|
|
||||||
@ -33575,7 +33575,7 @@ index ec01d0b..64db314 100644
|
|||||||
files_read_etc_files(newrole_t)
|
files_read_etc_files(newrole_t)
|
||||||
files_read_var_files(newrole_t)
|
files_read_var_files(newrole_t)
|
||||||
files_read_var_symlinks(newrole_t)
|
files_read_var_symlinks(newrole_t)
|
||||||
@@ -276,25 +310,34 @@ term_relabel_all_ptys(newrole_t)
|
@@ -276,25 +309,34 @@ term_relabel_all_ptys(newrole_t)
|
||||||
term_getattr_unallocated_ttys(newrole_t)
|
term_getattr_unallocated_ttys(newrole_t)
|
||||||
term_dontaudit_use_unallocated_ttys(newrole_t)
|
term_dontaudit_use_unallocated_ttys(newrole_t)
|
||||||
|
|
||||||
@ -33617,7 +33617,7 @@ index ec01d0b..64db314 100644
|
|||||||
ifdef(`distro_ubuntu',`
|
ifdef(`distro_ubuntu',`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
unconfined_domain(newrole_t)
|
unconfined_domain(newrole_t)
|
||||||
@@ -309,7 +352,7 @@ if(secure_mode) {
|
@@ -309,7 +351,7 @@ if(secure_mode) {
|
||||||
userdom_spec_domtrans_all_users(newrole_t)
|
userdom_spec_domtrans_all_users(newrole_t)
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -33626,7 +33626,7 @@ index ec01d0b..64db314 100644
|
|||||||
files_polyinstantiate_all(newrole_t)
|
files_polyinstantiate_all(newrole_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -328,9 +371,13 @@ kernel_use_fds(restorecond_t)
|
@@ -328,9 +370,13 @@ kernel_use_fds(restorecond_t)
|
||||||
kernel_rw_pipes(restorecond_t)
|
kernel_rw_pipes(restorecond_t)
|
||||||
kernel_read_system_state(restorecond_t)
|
kernel_read_system_state(restorecond_t)
|
||||||
|
|
||||||
@ -33641,7 +33641,7 @@ index ec01d0b..64db314 100644
|
|||||||
fs_list_inotifyfs(restorecond_t)
|
fs_list_inotifyfs(restorecond_t)
|
||||||
|
|
||||||
selinux_validate_context(restorecond_t)
|
selinux_validate_context(restorecond_t)
|
||||||
@@ -341,16 +388,17 @@ selinux_compute_user_contexts(restorecond_t)
|
@@ -341,16 +387,17 @@ selinux_compute_user_contexts(restorecond_t)
|
||||||
|
|
||||||
files_relabel_non_auth_files(restorecond_t )
|
files_relabel_non_auth_files(restorecond_t )
|
||||||
files_read_non_auth_files(restorecond_t)
|
files_read_non_auth_files(restorecond_t)
|
||||||
@ -33661,7 +33661,7 @@ index ec01d0b..64db314 100644
|
|||||||
ifdef(`distro_ubuntu',`
|
ifdef(`distro_ubuntu',`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
unconfined_domain(restorecond_t)
|
unconfined_domain(restorecond_t)
|
||||||
@@ -366,21 +414,24 @@ optional_policy(`
|
@@ -366,21 +413,24 @@ optional_policy(`
|
||||||
# Run_init local policy
|
# Run_init local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -33688,7 +33688,7 @@ index ec01d0b..64db314 100644
|
|||||||
dev_dontaudit_list_all_dev_nodes(run_init_t)
|
dev_dontaudit_list_all_dev_nodes(run_init_t)
|
||||||
|
|
||||||
domain_use_interactive_fds(run_init_t)
|
domain_use_interactive_fds(run_init_t)
|
||||||
@@ -398,23 +449,30 @@ selinux_compute_create_context(run_init_t)
|
@@ -398,23 +448,30 @@ selinux_compute_create_context(run_init_t)
|
||||||
selinux_compute_relabel_context(run_init_t)
|
selinux_compute_relabel_context(run_init_t)
|
||||||
selinux_compute_user_contexts(run_init_t)
|
selinux_compute_user_contexts(run_init_t)
|
||||||
|
|
||||||
@ -33724,7 +33724,7 @@ index ec01d0b..64db314 100644
|
|||||||
|
|
||||||
ifndef(`direct_sysadm_daemon',`
|
ifndef(`direct_sysadm_daemon',`
|
||||||
ifdef(`distro_gentoo',`
|
ifdef(`distro_gentoo',`
|
||||||
@@ -425,6 +483,19 @@ ifndef(`direct_sysadm_daemon',`
|
@@ -425,6 +482,19 @@ ifndef(`direct_sysadm_daemon',`
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -33744,7 +33744,7 @@ index ec01d0b..64db314 100644
|
|||||||
ifdef(`distro_ubuntu',`
|
ifdef(`distro_ubuntu',`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
unconfined_domain(run_init_t)
|
unconfined_domain(run_init_t)
|
||||||
@@ -440,81 +511,87 @@ optional_policy(`
|
@@ -440,81 +510,87 @@ optional_policy(`
|
||||||
# semodule local policy
|
# semodule local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -33885,7 +33885,7 @@ index ec01d0b..64db314 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -522,108 +599,181 @@ ifdef(`distro_ubuntu',`
|
@@ -522,108 +598,181 @@ ifdef(`distro_ubuntu',`
|
||||||
# Setfiles local policy
|
# Setfiles local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -34151,7 +34151,7 @@ index ec01d0b..64db314 100644
|
|||||||
+userdom_use_user_ptys(policy_manager_domain)
|
+userdom_use_user_ptys(policy_manager_domain)
|
||||||
+
|
+
|
||||||
+files_rw_inherited_generic_pid_files(setfiles_domain)
|
+files_rw_inherited_generic_pid_files(setfiles_domain)
|
||||||
+files_rw_inherited_generic_pid_files(seutil_semanage_domain)
|
+files_rw_inherited_generic_pid_files(policy_manager_domain)
|
||||||
diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc
|
diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc
|
||||||
index bea4629..06e2834 100644
|
index bea4629..06e2834 100644
|
||||||
--- a/policy/modules/system/setrans.fc
|
--- a/policy/modules/system/setrans.fc
|
||||||
@ -38249,7 +38249,7 @@ index db75976..65191bd 100644
|
|||||||
+
|
+
|
||||||
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
|
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
|
||||||
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
|
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
|
||||||
index 3c5dba7..4f43578 100644
|
index 3c5dba7..4129aa6 100644
|
||||||
--- a/policy/modules/system/userdomain.if
|
--- a/policy/modules/system/userdomain.if
|
||||||
+++ b/policy/modules/system/userdomain.if
|
+++ b/policy/modules/system/userdomain.if
|
||||||
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
|
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
|
||||||
@ -39192,7 +39192,7 @@ index 3c5dba7..4f43578 100644
|
|||||||
+ allow $1_t self:process ~{ ptrace execmem execstack execheap };
|
+ allow $1_t self:process ~{ ptrace execmem execstack execheap };
|
||||||
+
|
+
|
||||||
+ tunable_policy(`selinuxuser_use_ssh_chroot',`
|
+ tunable_policy(`selinuxuser_use_ssh_chroot',`
|
||||||
+ allow $1_t self:capability { setuid sys_chroot };
|
+ allow $1_t self:capability { setuid setgid sys_chroot };
|
||||||
+ ')
|
+ ')
|
||||||
|
|
||||||
- allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
|
- allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
|
||||||
|
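Review bot: The new side of the last hunk, `allow $1_t self:capability { setuid setgid sys_chroot };`, widens the `selinuxuser_use_ssh_chroot` tunable to grant CAP_SETGID to every user domain instantiated from this template, and nothing in the hunk records why the extra capability is needed. Since the grant stays conditional on the boolean it is plausibly required for the chroot-sshd use case (chroot(2) followed by dropping to the target uid and gid), but that reasoning should sit next to the rule rather than only in the changelog, e.g. `# chrooted sshd must chroot(2) and then drop to the target uid/gid` above the `tunable_policy` line, and the boolean's description text should be checked so it mentions setgid as well. The enclosing `userdom_base_user_template` starts and ends outside the hunk, as does the file header of this section in the rendered page.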
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.12.1
|
Version: 3.12.1
|
||||||
Release: 58%{?dist}
|
Release: 59%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -539,6 +539,47 @@ SELinux Reference policy mls base module.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jul 3 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-59
|
||||||
|
- Add prosody policy written by Michael Scherer
|
||||||
|
- Allow nagios plugins to read /sys info
|
||||||
|
- ntpd needs to manage own log files
|
||||||
|
- Add support for HOME_DIR/.IBMERS
|
||||||
|
- Allow iptables commands to read firewalld config
|
||||||
|
- Allow consolekit_t to read utmp
|
||||||
|
- Fix filename transitions on .razor directory
|
||||||
|
- Add additional fixes to make DSPAM with LDA working
|
||||||
|
- Allow snort to read /etc/passwd
|
||||||
|
- Allow fail2ban to communicate with firewalld over dbus
|
||||||
|
- Dontaudit openshift_cgreoup_file_t read/write leaked dev
|
||||||
|
- Allow nfsd to use mountd port
|
||||||
|
- Call th proper interface
|
||||||
|
- Allow openvswitch to read sys and execute plymouth
|
||||||
|
- Allow tmpwatch to read /var/spool/cups/tmp
|
||||||
|
- Add support for /usr/libexec/telepathy-rakia
|
||||||
|
- Add systemd support for zoneminder
|
||||||
|
- Allow mysql to create files/directories under /var/log/mysql
|
||||||
|
- Allow zoneminder apache scripts to rw zoneminder tmpfs
|
||||||
|
- Allow httpd to manage zoneminder lib files
|
||||||
|
- Add zoneminder_run_sudo boolean to allow to start zoneminder
|
||||||
|
- Allow zoneminder to send mails
|
||||||
|
- gssproxy_t sock_file can be under /var/lib
|
||||||
|
- Allow web domains to connect to whois port.
|
||||||
|
- Allow sandbox_web_type to connect to the same ports as mozilla_plugin_t.
|
||||||
|
- We really need to add an interface to corenet to define what a web_client_domain is and
|
||||||
|
- then define chrome_sandbox_t, mozilla_plugin_t and sandbox_web_type to that domain.
|
||||||
|
- Add labeling for cmpiLMI_LogicalFile-cimprovagt
|
||||||
|
- Also make pegasus_openlmi_logicalfile_t as unconfined to have unconfined_domain attribute for filename trans rules
|
||||||
|
- Update policy rules for pegasus_openlmi_logicalfile_t
|
||||||
|
- Add initial types for logicalfile/unconfined OpenLMI providers
|
||||||
|
- mailmanctl needs to read own log
|
||||||
|
- Allow logwatch manage own lock files
|
||||||
|
- Allow nrpe to read meminfo
|
||||||
|
- Allow httpd to read certs located in pki-ca
|
||||||
|
- Add pki_read_tomcat_cert() interface
|
||||||
|
- Add support for nagios openshift plugins
|
||||||
|
- Add port definition for redis port
|
||||||
|
- fix selinuxuser_use_ssh_chroot boolean
|
||||||
|
|
||||||
* Fri Jun 28 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-58
|
* Fri Jun 28 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-58
|
||||||
- Shrink the size of policy by moving to attributes, also add dridomain so that mozilla_plugin can follow selinuxuse_dri boolean.
|
- Shrink the size of policy by moving to attributes, also add dridomain so that mozilla_plugin can follow selinuxuse_dri boolean.
|
||||||
- Allow bootloader to manage generic log files
|
- Allow bootloader to manage generic log files
|
||||||
|