* Tue Mar 08 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-177
- Allow spice-vdagent to getattr on tmpfs_t filesystems Resolves: rhbz#1276251 - Allow sending dbus msgs between firewalld and system_cronjob domains. - Allow zabbix-agentd to connect to following tcp sockets. One of zabbix-agentd functions is get service status of ftp,http,innd,pop,smtp protocols. rhbz#1315354 - Allow snapperd mounton permissions for snapperd_data_t. BZ(#1314972) - Add support for systemd-gpt-auto-generator. rhbz#1314968 - Add interface dev_read_nvme() to allow reading Non-Volatile Memory Host Controller devices. - Add support for systemd-hwdb daemon. rhbz#1306243
This commit is contained in:
parent
d9322551de
commit
d14d3706d7
Binary file not shown.
@ -43837,15 +43837,16 @@ index a392fc4..78fa512 100644
|
||||
+')
|
||||
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
|
||||
new file mode 100644
|
||||
index 0000000..849cdb8
|
||||
index 0000000..19617c7
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/system/systemd.fc
|
||||
@@ -0,0 +1,61 @@
|
||||
@@ -0,0 +1,64 @@
|
||||
+HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0)
|
||||
+/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0)
|
||||
+
|
||||
+/etc/hostname -- gen_context(system_u:object_r:hostname_etc_t,s0)
|
||||
+/etc/machine-info -- gen_context(system_u:object_r:hostname_etc_t,s0)
|
||||
+/etc/udev/.*hwdb.* -- gen_context(system_u:object_r:systemd_hwdb_etc_t,s0)
|
||||
+
|
||||
+/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
|
||||
+/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
|
||||
@ -43858,6 +43859,7 @@ index 0000000..849cdb8
|
||||
+/usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
|
||||
+/usr/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
|
||||
+/usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
|
||||
+/usr/bin/systemd-hwdb -- gen_context(system_u:object_r:systemd_hwdb_exec_t,s0)
|
||||
+
|
||||
+/usr/lib/dracut/modules.d/.*\.service gen_context(system_u:object_r:systemd_unit_file_t,s0)
|
||||
+/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
|
||||
@ -43866,6 +43868,7 @@ index 0000000..849cdb8
|
||||
+/usr/lib/systemd/system/systemd-vconsole-setup\.service gen_context(system_u:object_r:systemd_vconsole_unit_file_t,s0)
|
||||
+/usr/lib/systemd/system/systemd-rfkill\.service -- gen_context(system_u:object_r:systemd_rfkill_unit_file_t,s0)
|
||||
+/usr/lib/systemd/system/systemd-time.*\.service -- gen_context(system_u:object_r:systemd_timedated_unit_file_t,s0)
|
||||
+/usr/lib/systemd/system/systemd-hwdb.*\.service -- gen_context(system_u:object_r:systemd_hwdb_unit_file_t,s0)
|
||||
+/usr/lib/systemd/system/.*halt.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
|
||||
+/usr/lib/systemd/system/.*hibernate.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
|
||||
+/usr/lib/systemd/system/.*power.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
|
||||
@ -45588,10 +45591,10 @@ index 0000000..21f7c14
|
||||
+')
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
new file mode 100644
|
||||
index 0000000..11d2aa1
|
||||
index 0000000..551317f
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -0,0 +1,843 @@
|
||||
@@ -0,0 +1,860 @@
|
||||
+policy_module(systemd, 1.0.0)
|
||||
+
|
||||
+#######################################
|
||||
@ -45632,6 +45635,11 @@ index 0000000..11d2aa1
|
||||
+type systemd_coredump_tmpfs_t;
|
||||
+files_tmpfs_file(systemd_coredump_tmpfs_t)
|
||||
+
|
||||
+systemd_domain_template(systemd_hwdb)
|
||||
+
|
||||
+type systemd_hwdb_unit_file_t;
|
||||
+systemd_unit_file(systemd_hwdb_unit_file_t)
|
||||
+
|
||||
+systemd_domain_template(systemd_networkd)
|
||||
+
|
||||
+type systemd_networkd_unit_file_t;
|
||||
@ -45675,6 +45683,9 @@ index 0000000..11d2aa1
|
||||
+type hostname_etc_t;
|
||||
+files_config_file(hostname_etc_t)
|
||||
+
|
||||
+type systemd_hwdb_etc_t;
|
||||
+files_config_file(systemd_hwdb_etc_t)
|
||||
+
|
||||
+systemd_domain_template(systemd_rfkill)
|
||||
+
|
||||
+type systemd_rfkill_unit_file_t;
|
||||
@ -46396,6 +46407,15 @@ index 0000000..11d2aa1
|
||||
+ unconfined_domain(systemd_coredump_t)
|
||||
+')
|
||||
+
|
||||
+#######################################
|
||||
+#
|
||||
+# systemd_hwdb domain
|
||||
+#
|
||||
+
|
||||
+manage_files_pattern(systemd_hwdb_t, systemd_hwdb_etc_t, systemd_hwdb_etc_t)
|
||||
+files_etc_filetrans(systemd_hwdb_t, systemd_hwdb_etc_t, file)
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# Common rules for systemd domains
|
||||
|
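Review bot: The file-context pattern `/etc/udev/.*hwdb.* -- gen_context(system_u:object_r:systemd_hwdb_etc_t,s0)` in the systemd.fc hunk is wider than the hardware database it is meant to label: `.*hwdb.*` matches any regular file under /etc/udev whose path contains "hwdb" anywhere, so a udev rules file such as a hypothetical `/etc/udev/rules.d/70-hwdb.rules` would also get systemd_hwdb_etc_t, and the systemd.te hunk then grants `manage_files_pattern(systemd_hwdb_t, systemd_hwdb_etc_t, systemd_hwdb_etc_t)` over everything carrying that label. Anchoring the expression to what systemd-hwdb actually writes, for example `/etc/udev/hwdb\.bin -- gen_context(system_u:object_r:systemd_hwdb_etc_t,s0)` plus an entry for the hwdb.d fragments, keeps rule files out of the domain's writable set. The same looseness applies to `files_etc_filetrans(systemd_hwdb_t, systemd_hwdb_etc_t, file)`, which has no name argument, so any file the domain creates in an etc_t directory takes the hwdb label; passing the expected filename as the fourth argument limits the transition if hwdb.bin is the only file it creates there. The remainder of the systemd_hwdb domain (the template-generated rules and any process permissions) lies outside these hunks.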
@ -18885,7 +18885,7 @@ index 1303b30..759412f 100644
|
||||
+ logging_log_filetrans($1, cron_log_t, $2, $3)
|
||||
')
|
||||
diff --git a/cron.te b/cron.te
|
||||
index 7de3859..9d2cd2d 100644
|
||||
index 7de3859..1444c2f 100644
|
||||
--- a/cron.te
|
||||
+++ b/cron.te
|
||||
@@ -11,46 +11,54 @@ gen_require(`
|
||||
@ -19580,7 +19580,18 @@ index 7de3859..9d2cd2d 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -591,6 +602,7 @@ optional_policy(`
|
||||
@@ -567,6 +578,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ firewalld_dbus_chat(system_cronjob_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
ftp_read_log(system_cronjob_t)
|
||||
')
|
||||
|
||||
@@ -591,6 +606,7 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
mta_read_config(system_cronjob_t)
|
||||
mta_send_mail(system_cronjob_t)
|
||||
@ -19588,7 +19599,7 @@ index 7de3859..9d2cd2d 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -598,7 +610,23 @@ optional_policy(`
|
||||
@@ -598,7 +614,23 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -19612,7 +19623,7 @@ index 7de3859..9d2cd2d 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -607,7 +635,12 @@ optional_policy(`
|
||||
@@ -607,7 +639,12 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -19625,7 +19636,7 @@ index 7de3859..9d2cd2d 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -615,12 +648,27 @@ optional_policy(`
|
||||
@@ -615,12 +652,27 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -19655,7 +19666,7 @@ index 7de3859..9d2cd2d 100644
|
||||
#
|
||||
|
||||
allow cronjob_t self:process { signal_perms setsched };
|
||||
@@ -628,12 +676,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
|
||||
@@ -628,12 +680,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
|
||||
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow cronjob_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
@ -19689,7 +19700,7 @@ index 7de3859..9d2cd2d 100644
|
||||
corenet_all_recvfrom_netlabel(cronjob_t)
|
||||
corenet_tcp_sendrecv_generic_if(cronjob_t)
|
||||
corenet_udp_sendrecv_generic_if(cronjob_t)
|
||||
@@ -641,66 +709,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
|
||||
@@ -641,66 +713,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
|
||||
corenet_udp_sendrecv_generic_node(cronjob_t)
|
||||
corenet_tcp_sendrecv_all_ports(cronjob_t)
|
||||
corenet_udp_sendrecv_all_ports(cronjob_t)
|
||||
@ -99518,10 +99529,10 @@ index 0000000..ed76979
|
||||
+
|
||||
diff --git a/snapper.te b/snapper.te
|
||||
new file mode 100644
|
||||
index 0000000..243fc96
|
||||
index 0000000..88805d7
|
||||
--- /dev/null
|
||||
+++ b/snapper.te
|
||||
@@ -0,0 +1,77 @@
|
||||
@@ -0,0 +1,78 @@
|
||||
+policy_module(snapper, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -99562,6 +99573,7 @@ index 0000000..243fc96
|
||||
+manage_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
|
||||
+manage_dirs_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
|
||||
+manage_lnk_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
|
||||
+allow snapperd_t snapperd_data_t:dir mounton;
|
||||
+snapper_filetrans_named_content(snapperd_t)
|
||||
+
|
||||
+domain_read_all_domains_state(snapperd_t)
|
||||
@ -109173,7 +109185,7 @@ index 31c752e..ef52235 100644
|
||||
init_labeled_script_domtrans($1, vdagentd_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
diff --git a/vdagent.te b/vdagent.te
|
||||
index 87da8a2..13f2f44 100644
|
||||
index 87da8a2..4ca0271 100644
|
||||
--- a/vdagent.te
|
||||
+++ b/vdagent.te
|
||||
@@ -25,6 +25,7 @@ logging_log_file(vdagent_log_t)
|
||||
@ -109184,7 +109196,7 @@ index 87da8a2..13f2f44 100644
|
||||
allow vdagent_t self:fifo_file rw_fifo_file_perms;
|
||||
allow vdagent_t self:unix_stream_socket { accept listen };
|
||||
|
||||
@@ -39,23 +40,26 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
|
||||
@@ -39,23 +40,28 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
|
||||
setattr_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
|
||||
logging_log_filetrans(vdagent_t, vdagent_log_t, file)
|
||||
|
||||
@ -109196,7 +109208,8 @@ index 87da8a2..13f2f44 100644
|
||||
dev_dontaudit_write_mtrr(vdagent_t)
|
||||
|
||||
-files_read_etc_files(vdagent_t)
|
||||
-
|
||||
+fs_getattr_tmpfs(vdagent_t)
|
||||
|
||||
term_use_virtio_console(vdagent_t)
|
||||
|
||||
init_read_state(vdagent_t)
|
||||
@ -117092,7 +117105,7 @@ index dd63de0..38ce620 100644
|
||||
- admin_pattern($1, zabbix_tmpfs_t)
|
||||
')
|
||||
diff --git a/zabbix.te b/zabbix.te
|
||||
index 7f496c6..d594e47 100644
|
||||
index 7f496c6..b23f29d 100644
|
||||
--- a/zabbix.te
|
||||
+++ b/zabbix.te
|
||||
@@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0)
|
||||
@ -117187,17 +117200,17 @@ index 7f496c6..d594e47 100644
|
||||
-allow zabbix_t self:shm create_shm_perms;
|
||||
-allow zabbix_t self:tcp_socket create_stream_socket_perms;
|
||||
+allow zabbix_t self:capability { dac_read_search dac_override };
|
||||
+
|
||||
+manage_dirs_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
|
||||
+manage_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
|
||||
+manage_lnk_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
|
||||
+files_var_lib_filetrans(zabbix_t, zabbix_var_lib_t, dir, "zabbixsrv")
|
||||
|
||||
-allow zabbix_t zabbix_log_t:dir setattr_dir_perms;
|
||||
-append_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
|
||||
-create_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
|
||||
-setattr_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
|
||||
-logging_log_filetrans(zabbix_t, zabbix_log_t, file)
|
||||
+manage_dirs_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
|
||||
+manage_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
|
||||
+manage_lnk_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
|
||||
+files_var_lib_filetrans(zabbix_t, zabbix_var_lib_t, dir, "zabbixsrv")
|
||||
+
|
||||
+manage_dirs_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
|
||||
+manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
|
||||
+manage_lnk_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
|
||||
@ -117310,7 +117323,34 @@ index 7f496c6..d594e47 100644
|
||||
|
||||
corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t)
|
||||
corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
|
||||
@@ -177,21 +192,49 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
|
||||
@@ -170,6 +185,26 @@ corenet_sendrecv_ssh_client_packets(zabbix_agent_t)
|
||||
corenet_tcp_connect_ssh_port(zabbix_agent_t)
|
||||
corenet_tcp_sendrecv_ssh_port(zabbix_agent_t)
|
||||
|
||||
+corenet_sendrecv_ftp_client_packets(zabbix_agent_t)
|
||||
+corenet_tcp_connect_ftp_port(zabbix_agent_t)
|
||||
+corenet_tcp_sendrecv_ftp_port(zabbix_agent_t)
|
||||
+
|
||||
+corenet_sendrecv_http_client_packets(zabbix_agent_t)
|
||||
+corenet_tcp_connect_http_port(zabbix_agent_t)
|
||||
+corenet_tcp_sendrecv_http_port(zabbix_agent_t)
|
||||
+
|
||||
+corenet_sendrecv_innd_client_packets(zabbix_agent_t)
|
||||
+corenet_tcp_connect_innd_port(zabbix_agent_t)
|
||||
+corenet_tcp_sendrecv_innd_port(zabbix_agent_t)
|
||||
+
|
||||
+corenet_sendrecv_pop_client_packets(zabbix_agent_t)
|
||||
+corenet_tcp_connect_pop_port(zabbix_agent_t)
|
||||
+corenet_tcp_sendrecv_pop_port(zabbix_agent_t)
|
||||
+
|
||||
+corenet_sendrecv_smtp_client_packets(zabbix_agent_t)
|
||||
+corenet_tcp_connect_smtp_port(zabbix_agent_t)
|
||||
+corenet_tcp_sendrecv_smtp_port(zabbix_agent_t)
|
||||
+
|
||||
corenet_sendrecv_zabbix_client_packets(zabbix_agent_t)
|
||||
corenet_tcp_connect_zabbix_port(zabbix_agent_t)
|
||||
corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
|
||||
@@ -177,21 +212,49 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
|
||||
dev_getattr_all_blk_files(zabbix_agent_t)
|
||||
dev_getattr_all_chr_files(zabbix_agent_t)
|
||||
|
||||
|
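Review bot: The five new port blocks in the zabbix.te hunk, from `corenet_tcp_connect_ftp_port(zabbix_agent_t)` through `corenet_tcp_connect_smtp_port(zabbix_agent_t)`, are granted unconditionally, so every zabbix_agent_t on every host gains outbound connects to the ftp, http, innd, pop and smtp port sets (the http type alone spans several ports) whether or not that host's agent is configured for the service-status checks the commit message cites. Wrapping the five blocks in a `tunable_policy(` block keyed to a new boolean that defaults to off would preserve the previous attack surface for the common case and let administrators who run those checks opt in. A one-line comment above the block naming the purpose, `# outbound connects for zabbix-agentd service-status checks (ftp, http, innd, pop, smtp)`, would also record the justification in the policy itself rather than only in the changelog. The zabbix_agent_t rules continue outside this hunk.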
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 176%{?dist}
|
||||
Release: 177%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -670,6 +670,15 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Mar 08 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-177
|
||||
- Allow spice-vdagent to getattr on tmpfs_t filesystems Resolves: rhbz#1276251
|
||||
- Allow sending dbus msgs between firewalld and system_cronjob domains.
|
||||
- Allow zabbix-agentd to connect to following tcp sockets. One of zabbix-agentd functions is get service status of ftp,http,innd,pop,smtp protocols. rhbz#1315354
|
||||
- Allow snapperd mounton permissions for snapperd_data_t. BZ(#1314972)
|
||||
- Add support for systemd-gpt-auto-generator. rhbz#1314968
|
||||
- Add interface dev_read_nvme() to allow reading Non-Volatile Memory Host Controller devices.
|
||||
- Add support for systemd-hwdb daemon. rhbz#1306243
|
||||
|
||||
* Thu Mar 03 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-176
|
||||
- Add new boolean tmpreaper_use_cifs() to allow tmpreaper to run on local directories being shared with Samba.
|
||||
- Merge pull request #105 from rhatdan/NO_NEW_PRIV
|
||||
|