- Allow abrt to request the kernel to load a module
- Make sure mozilla content is labeled correctly - Allow tgtd to read system state - More fixes for boinc * allow to resolve dns name * re-write boinc policy to use boinc_domain attribute - Allow munin services plugins to use NSCD services
This commit is contained in:
parent
202bb4cfa3
commit
d17f759dd0
216
policy-F16.patch
216
policy-F16.patch
@ -5446,7 +5446,7 @@ index 00a19e3..9f6139c 100644
|
|||||||
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
|
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
|
||||||
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
|
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
|
||||||
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
|
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
|
||||||
index f5afe78..9b1de02 100644
|
index f5afe78..c57fc1e 100644
|
||||||
--- a/policy/modules/apps/gnome.if
|
--- a/policy/modules/apps/gnome.if
|
||||||
+++ b/policy/modules/apps/gnome.if
|
+++ b/policy/modules/apps/gnome.if
|
||||||
@@ -1,44 +1,862 @@
|
@@ -1,44 +1,862 @@
|
||||||
@ -6521,7 +6521,7 @@ index f5afe78..9b1de02 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -140,51 +1029,299 @@ interface(`gnome_domtrans_gconfd',`
|
@@ -140,51 +1029,298 @@ interface(`gnome_domtrans_gconfd',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -6715,7 +6715,6 @@ index f5afe78..9b1de02 100644
|
|||||||
+ allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms;
|
+ allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms;
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+
|
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Create gnome content in the user home directory
|
+## Create gnome content in the user home directory
|
||||||
@ -7931,7 +7930,7 @@ index 93ac529..800b5c8 100644
|
|||||||
+
|
+
|
||||||
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
|
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
|
||||||
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
|
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
|
||||||
index fbb5c5a..e187982 100644
|
index fbb5c5a..ffeec16 100644
|
||||||
--- a/policy/modules/apps/mozilla.if
|
--- a/policy/modules/apps/mozilla.if
|
||||||
+++ b/policy/modules/apps/mozilla.if
|
+++ b/policy/modules/apps/mozilla.if
|
||||||
@@ -29,6 +29,8 @@ interface(`mozilla_role',`
|
@@ -29,6 +29,8 @@ interface(`mozilla_role',`
|
||||||
@ -7943,7 +7942,7 @@ index fbb5c5a..e187982 100644
|
|||||||
# Allow the user domain to signal/ps.
|
# Allow the user domain to signal/ps.
|
||||||
ps_process_pattern($2, mozilla_t)
|
ps_process_pattern($2, mozilla_t)
|
||||||
allow $2 mozilla_t:process signal_perms;
|
allow $2 mozilla_t:process signal_perms;
|
||||||
@@ -49,8 +51,16 @@ interface(`mozilla_role',`
|
@@ -49,9 +51,19 @@ interface(`mozilla_role',`
|
||||||
mozilla_run_plugin(mozilla_t, $1)
|
mozilla_run_plugin(mozilla_t, $1)
|
||||||
mozilla_dbus_chat($2)
|
mozilla_dbus_chat($2)
|
||||||
|
|
||||||
@ -7958,9 +7957,12 @@ index fbb5c5a..e187982 100644
|
|||||||
+ pulseaudio_filetrans_admin_home_content(mozilla_t)
|
+ pulseaudio_filetrans_admin_home_content(mozilla_t)
|
||||||
+ pulseaudio_filetrans_home_content(mozilla_t)
|
+ pulseaudio_filetrans_home_content(mozilla_t)
|
||||||
')
|
')
|
||||||
|
+
|
||||||
|
+ mozilla_filetrans_home_content($2)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -109,7 +119,7 @@ interface(`mozilla_dontaudit_rw_user_home_files',`
|
########################################
|
||||||
|
@@ -109,7 +121,7 @@ interface(`mozilla_dontaudit_rw_user_home_files',`
|
||||||
type mozilla_home_t;
|
type mozilla_home_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -7969,7 +7971,7 @@ index fbb5c5a..e187982 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -197,12 +207,29 @@ interface(`mozilla_domtrans',`
|
@@ -197,12 +209,31 @@ interface(`mozilla_domtrans',`
|
||||||
#
|
#
|
||||||
interface(`mozilla_domtrans_plugin',`
|
interface(`mozilla_domtrans_plugin',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -7997,10 +7999,12 @@ index fbb5c5a..e187982 100644
|
|||||||
+ read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
|
+ read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
|
||||||
+ read_lnk_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
|
+ read_lnk_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
|
||||||
+ can_exec($1, mozilla_plugin_rw_t)
|
+ can_exec($1, mozilla_plugin_rw_t)
|
||||||
|
+
|
||||||
|
+ #mozilla_filetrans_home_content($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -228,6 +255,27 @@ interface(`mozilla_run_plugin',`
|
@@ -228,6 +259,27 @@ interface(`mozilla_run_plugin',`
|
||||||
|
|
||||||
mozilla_domtrans_plugin($1)
|
mozilla_domtrans_plugin($1)
|
||||||
role $2 types mozilla_plugin_t;
|
role $2 types mozilla_plugin_t;
|
||||||
@ -8028,7 +8032,7 @@ index fbb5c5a..e187982 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -269,9 +317,27 @@ interface(`mozilla_rw_tcp_sockets',`
|
@@ -269,9 +321,27 @@ interface(`mozilla_rw_tcp_sockets',`
|
||||||
allow $1 mozilla_t:tcp_socket rw_socket_perms;
|
allow $1 mozilla_t:tcp_socket rw_socket_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -8057,7 +8061,7 @@ index fbb5c5a..e187982 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -279,28 +345,48 @@ interface(`mozilla_rw_tcp_sockets',`
|
@@ -279,28 +349,79 @@ interface(`mozilla_rw_tcp_sockets',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -8113,6 +8117,37 @@ index fbb5c5a..e187982 100644
|
|||||||
+ allow $1 mozilla_plugin_rw_t:file manage_file_perms;
|
+ allow $1 mozilla_plugin_rw_t:file manage_file_perms;
|
||||||
+ allow $1 mozilla_plugin_rw_t:dir rw_dir_perms;
|
+ allow $1 mozilla_plugin_rw_t:dir rw_dir_perms;
|
||||||
')
|
')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Create mozilla content in the user home directory
|
||||||
|
+## with an correct label.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`mozilla_filetrans_home_content',`
|
||||||
|
+
|
||||||
|
+ gen_require(`
|
||||||
|
+ type mozilla_home_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".galeon")
|
||||||
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".java")
|
||||||
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".mozilla")
|
||||||
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".thunderbird")
|
||||||
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".netscape")
|
||||||
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".phoenix")
|
||||||
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".adobe")
|
||||||
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".macromedia")
|
||||||
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gnash")
|
||||||
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin")
|
||||||
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin")
|
||||||
|
+')
|
||||||
|
+
|
||||||
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
|
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
|
||||||
index 2e9318b..bb90a3b 100644
|
index 2e9318b..bb90a3b 100644
|
||||||
--- a/policy/modules/apps/mozilla.te
|
--- a/policy/modules/apps/mozilla.te
|
||||||
@ -16430,7 +16465,7 @@ index 6a1e4d1..3ded83e 100644
|
|||||||
+ dontaudit $1 domain:socket_class_set { read write };
|
+ dontaudit $1 domain:socket_class_set { read write };
|
||||||
')
|
')
|
||||||
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
|
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
|
||||||
index fae1ab1..facd6a8 100644
|
index fae1ab1..b3fbad5 100644
|
||||||
--- a/policy/modules/kernel/domain.te
|
--- a/policy/modules/kernel/domain.te
|
||||||
+++ b/policy/modules/kernel/domain.te
|
+++ b/policy/modules/kernel/domain.te
|
||||||
@@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
|
@@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
|
||||||
@ -16531,7 +16566,7 @@ index fae1ab1..facd6a8 100644
|
|||||||
|
|
||||||
# Create/access any System V IPC objects.
|
# Create/access any System V IPC objects.
|
||||||
allow unconfined_domain_type domain:{ sem msgq shm } *;
|
allow unconfined_domain_type domain:{ sem msgq shm } *;
|
||||||
@@ -158,5 +199,219 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
|
@@ -158,5 +199,223 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
|
||||||
# act on all domains keys
|
# act on all domains keys
|
||||||
allow unconfined_domain_type domain:key *;
|
allow unconfined_domain_type domain:key *;
|
||||||
|
|
||||||
@ -16595,6 +16630,10 @@ index fae1ab1..facd6a8 100644
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
|
+ mozilla_filetrans_home_content(unconfined_domain_type)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
+ networkmanager_filetrans_named_content(unconfined_domain_type)
|
+ networkmanager_filetrans_named_content(unconfined_domain_type)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
@ -23987,7 +24026,7 @@ index 0b827c5..d83d4dc 100644
|
|||||||
+ dontaudit $1 abrt_t:sock_file write;
|
+ dontaudit $1 abrt_t:sock_file write;
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
|
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
|
||||||
index 30861ec..e203cd3 100644
|
index 30861ec..939e294 100644
|
||||||
--- a/policy/modules/services/abrt.te
|
--- a/policy/modules/services/abrt.te
|
||||||
+++ b/policy/modules/services/abrt.te
|
+++ b/policy/modules/services/abrt.te
|
||||||
@@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0)
|
@@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0)
|
||||||
@ -24095,7 +24134,7 @@ index 30861ec..e203cd3 100644
|
|||||||
|
|
||||||
# abrt var/cache files
|
# abrt var/cache files
|
||||||
manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
|
manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
|
||||||
@@ -82,10 +133,9 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
|
@@ -82,10 +133,10 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
|
||||||
manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
|
manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
|
||||||
manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
|
manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
|
||||||
manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
|
manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
|
||||||
@ -24104,10 +24143,11 @@ index 30861ec..e203cd3 100644
|
|||||||
|
|
||||||
kernel_read_ring_buffer(abrt_t)
|
kernel_read_ring_buffer(abrt_t)
|
||||||
-kernel_read_system_state(abrt_t)
|
-kernel_read_system_state(abrt_t)
|
||||||
|
+kernel_request_load_module(abrt_t)
|
||||||
kernel_rw_kernel_sysctl(abrt_t)
|
kernel_rw_kernel_sysctl(abrt_t)
|
||||||
|
|
||||||
corecmd_exec_bin(abrt_t)
|
corecmd_exec_bin(abrt_t)
|
||||||
@@ -104,6 +154,8 @@ corenet_tcp_connect_all_ports(abrt_t)
|
@@ -104,6 +155,8 @@ corenet_tcp_connect_all_ports(abrt_t)
|
||||||
corenet_sendrecv_http_client_packets(abrt_t)
|
corenet_sendrecv_http_client_packets(abrt_t)
|
||||||
|
|
||||||
dev_getattr_all_chr_files(abrt_t)
|
dev_getattr_all_chr_files(abrt_t)
|
||||||
@ -24116,7 +24156,7 @@ index 30861ec..e203cd3 100644
|
|||||||
dev_read_urand(abrt_t)
|
dev_read_urand(abrt_t)
|
||||||
dev_rw_sysfs(abrt_t)
|
dev_rw_sysfs(abrt_t)
|
||||||
dev_dontaudit_read_raw_memory(abrt_t)
|
dev_dontaudit_read_raw_memory(abrt_t)
|
||||||
@@ -113,7 +165,8 @@ domain_read_all_domains_state(abrt_t)
|
@@ -113,7 +166,8 @@ domain_read_all_domains_state(abrt_t)
|
||||||
domain_signull_all_domains(abrt_t)
|
domain_signull_all_domains(abrt_t)
|
||||||
|
|
||||||
files_getattr_all_files(abrt_t)
|
files_getattr_all_files(abrt_t)
|
||||||
@ -24126,7 +24166,7 @@ index 30861ec..e203cd3 100644
|
|||||||
files_read_var_symlinks(abrt_t)
|
files_read_var_symlinks(abrt_t)
|
||||||
files_read_var_lib_files(abrt_t)
|
files_read_var_lib_files(abrt_t)
|
||||||
files_read_usr_files(abrt_t)
|
files_read_usr_files(abrt_t)
|
||||||
@@ -121,6 +174,8 @@ files_read_generic_tmp_files(abrt_t)
|
@@ -121,6 +175,8 @@ files_read_generic_tmp_files(abrt_t)
|
||||||
files_read_kernel_modules(abrt_t)
|
files_read_kernel_modules(abrt_t)
|
||||||
files_dontaudit_list_default(abrt_t)
|
files_dontaudit_list_default(abrt_t)
|
||||||
files_dontaudit_read_default_files(abrt_t)
|
files_dontaudit_read_default_files(abrt_t)
|
||||||
@ -24135,7 +24175,7 @@ index 30861ec..e203cd3 100644
|
|||||||
|
|
||||||
fs_list_inotifyfs(abrt_t)
|
fs_list_inotifyfs(abrt_t)
|
||||||
fs_getattr_all_fs(abrt_t)
|
fs_getattr_all_fs(abrt_t)
|
||||||
@@ -131,22 +186,26 @@ fs_read_nfs_files(abrt_t)
|
@@ -131,22 +187,26 @@ fs_read_nfs_files(abrt_t)
|
||||||
fs_read_nfs_symlinks(abrt_t)
|
fs_read_nfs_symlinks(abrt_t)
|
||||||
fs_search_all(abrt_t)
|
fs_search_all(abrt_t)
|
||||||
|
|
||||||
@ -24168,7 +24208,7 @@ index 30861ec..e203cd3 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -167,6 +226,7 @@ optional_policy(`
|
@@ -167,6 +227,7 @@ optional_policy(`
|
||||||
rpm_exec(abrt_t)
|
rpm_exec(abrt_t)
|
||||||
rpm_dontaudit_manage_db(abrt_t)
|
rpm_dontaudit_manage_db(abrt_t)
|
||||||
rpm_manage_cache(abrt_t)
|
rpm_manage_cache(abrt_t)
|
||||||
@ -24176,7 +24216,7 @@ index 30861ec..e203cd3 100644
|
|||||||
rpm_manage_pid_files(abrt_t)
|
rpm_manage_pid_files(abrt_t)
|
||||||
rpm_read_db(abrt_t)
|
rpm_read_db(abrt_t)
|
||||||
rpm_signull(abrt_t)
|
rpm_signull(abrt_t)
|
||||||
@@ -178,12 +238,35 @@ optional_policy(`
|
@@ -178,12 +239,35 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -24213,7 +24253,7 @@ index 30861ec..e203cd3 100644
|
|||||||
#
|
#
|
||||||
|
|
||||||
allow abrt_helper_t self:capability { chown setgid sys_nice };
|
allow abrt_helper_t self:capability { chown setgid sys_nice };
|
||||||
@@ -200,23 +283,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
|
@@ -200,23 +284,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
|
||||||
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
|
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
|
||||||
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
|
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
|
||||||
|
|
||||||
@ -24242,7 +24282,7 @@ index 30861ec..e203cd3 100644
|
|||||||
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
|
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
|
||||||
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
|
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
|
||||||
dev_dontaudit_read_all_blk_files(abrt_helper_t)
|
dev_dontaudit_read_all_blk_files(abrt_helper_t)
|
||||||
@@ -224,4 +306,128 @@ ifdef(`hide_broken_symptoms', `
|
@@ -224,4 +307,128 @@ ifdef(`hide_broken_symptoms', `
|
||||||
dev_dontaudit_write_all_chr_files(abrt_helper_t)
|
dev_dontaudit_write_all_chr_files(abrt_helper_t)
|
||||||
dev_dontaudit_write_all_blk_files(abrt_helper_t)
|
dev_dontaudit_write_all_blk_files(abrt_helper_t)
|
||||||
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
|
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
|
||||||
@ -28274,10 +28314,10 @@ index 0000000..9fe3f9e
|
|||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
|
diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..61db909
|
index 0000000..788087e
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/services/boinc.te
|
+++ b/policy/modules/services/boinc.te
|
||||||
@@ -0,0 +1,178 @@
|
@@ -0,0 +1,173 @@
|
||||||
+policy_module(boinc, 1.0.0)
|
+policy_module(boinc, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -28285,6 +28325,8 @@ index 0000000..61db909
|
|||||||
+# Declarations
|
+# Declarations
|
||||||
+#
|
+#
|
||||||
+
|
+
|
||||||
|
+attribute boinc_domain;
|
||||||
|
+
|
||||||
+type boinc_t;
|
+type boinc_t;
|
||||||
+type boinc_exec_t;
|
+type boinc_exec_t;
|
||||||
+init_daemon_domain(boinc_t, boinc_exec_t)
|
+init_daemon_domain(boinc_t, boinc_exec_t)
|
||||||
@ -28311,6 +28353,37 @@ index 0000000..61db909
|
|||||||
+type boinc_project_var_lib_t;
|
+type boinc_project_var_lib_t;
|
||||||
+files_type(boinc_project_var_lib_t)
|
+files_type(boinc_project_var_lib_t)
|
||||||
+
|
+
|
||||||
|
+#######################################
|
||||||
|
+#
|
||||||
|
+# boinc domain local policy
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+allow boinc_domain self:fifo_file rw_fifo_file_perms;
|
||||||
|
+allow boinc_domain self:sem create_sem_perms;
|
||||||
|
+
|
||||||
|
+# needs read /proc/interrupts
|
||||||
|
+kernel_read_system_state(boinc_domain)
|
||||||
|
+
|
||||||
|
+corecmd_exec_bin(boinc_domain)
|
||||||
|
+corecmd_exec_shell(boinc_domain)
|
||||||
|
+
|
||||||
|
+dev_read_rand(boinc_domain)
|
||||||
|
+dev_read_urand(boinc_domain)
|
||||||
|
+dev_read_sysfs(boinc_domain)
|
||||||
|
+
|
||||||
|
+domain_read_all_domains_state(boinc_domain)
|
||||||
|
+
|
||||||
|
+files_read_etc_files(boinc_domain)
|
||||||
|
+files_read_etc_runtime_files(boinc_domain)
|
||||||
|
+files_read_usr_files(boinc_domain)
|
||||||
|
+
|
||||||
|
+miscfiles_read_fonts(boinc_domain)
|
||||||
|
+miscfiles_read_localization(boinc_domain)
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ sysnet_dns_name_resolve(boinc_domain)
|
||||||
|
+')
|
||||||
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+#
|
+#
|
||||||
+# boinc local policy
|
+# boinc local policy
|
||||||
@ -28319,10 +28392,8 @@ index 0000000..61db909
|
|||||||
+allow boinc_t self:capability { kill };
|
+allow boinc_t self:capability { kill };
|
||||||
+allow boinc_t self:process { setsched sigkill };
|
+allow boinc_t self:process { setsched sigkill };
|
||||||
+
|
+
|
||||||
+allow boinc_t self:fifo_file rw_fifo_file_perms;
|
|
||||||
+allow boinc_t self:unix_stream_socket create_stream_socket_perms;
|
+allow boinc_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
+allow boinc_t self:tcp_socket create_stream_socket_perms;
|
+allow boinc_t self:tcp_socket create_stream_socket_perms;
|
||||||
+allow boinc_t self:sem create_sem_perms;
|
|
||||||
+allow boinc_t self:shm create_shm_perms;
|
+allow boinc_t self:shm create_shm_perms;
|
||||||
+
|
+
|
||||||
+manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
|
+manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
|
||||||
@ -28340,15 +28411,9 @@ index 0000000..61db909
|
|||||||
+manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
|
+manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
|
||||||
+manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
|
+manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
|
||||||
+
|
+
|
||||||
+# needs read /proc/interrupts
|
|
||||||
+kernel_read_system_state(boinc_t)
|
|
||||||
+
|
|
||||||
+files_getattr_all_dirs(boinc_t)
|
+files_getattr_all_dirs(boinc_t)
|
||||||
+files_getattr_all_files(boinc_t)
|
+files_getattr_all_files(boinc_t)
|
||||||
+
|
+
|
||||||
+corecmd_exec_bin(boinc_t)
|
|
||||||
+corecmd_exec_shell(boinc_t)
|
|
||||||
+
|
|
||||||
+corenet_all_recvfrom_unlabeled(boinc_t)
|
+corenet_all_recvfrom_unlabeled(boinc_t)
|
||||||
+corenet_all_recvfrom_netlabel(boinc_t)
|
+corenet_all_recvfrom_netlabel(boinc_t)
|
||||||
+corenet_tcp_sendrecv_generic_if(boinc_t)
|
+corenet_tcp_sendrecv_generic_if(boinc_t)
|
||||||
@ -28365,18 +28430,8 @@ index 0000000..61db909
|
|||||||
+corenet_tcp_connect_http_port(boinc_t)
|
+corenet_tcp_connect_http_port(boinc_t)
|
||||||
+corenet_tcp_connect_http_cache_port(boinc_t)
|
+corenet_tcp_connect_http_cache_port(boinc_t)
|
||||||
+
|
+
|
||||||
+dev_list_sysfs(boinc_t)
|
|
||||||
+dev_read_rand(boinc_t)
|
|
||||||
+dev_read_urand(boinc_t)
|
|
||||||
+dev_read_sysfs(boinc_t)
|
|
||||||
+
|
|
||||||
+domain_read_all_domains_state(boinc_t)
|
|
||||||
+
|
|
||||||
+files_dontaudit_getattr_boot_dirs(boinc_t)
|
+files_dontaudit_getattr_boot_dirs(boinc_t)
|
||||||
+
|
+
|
||||||
+files_read_etc_files(boinc_t)
|
|
||||||
+files_read_usr_files(boinc_t)
|
|
||||||
+
|
|
||||||
+fs_getattr_all_fs(boinc_t)
|
+fs_getattr_all_fs(boinc_t)
|
||||||
+
|
+
|
||||||
+term_getattr_all_ptys(boinc_t)
|
+term_getattr_all_ptys(boinc_t)
|
||||||
@ -28384,14 +28439,11 @@ index 0000000..61db909
|
|||||||
+
|
+
|
||||||
+init_read_utmp(boinc_t)
|
+init_read_utmp(boinc_t)
|
||||||
+
|
+
|
||||||
+miscfiles_read_localization(boinc_t)
|
|
||||||
+miscfiles_read_generic_certs(boinc_t)
|
|
||||||
+
|
|
||||||
+logging_send_syslog_msg(boinc_t)
|
+logging_send_syslog_msg(boinc_t)
|
||||||
+
|
+
|
||||||
+sysnet_dns_name_resolve(boinc_t)
|
+optional_policy(`
|
||||||
+
|
+ mta_send_mail(boinc_t)
|
||||||
+mta_send_mail(boinc_t)
|
+')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+#
|
+#
|
||||||
@ -28408,9 +28460,6 @@ index 0000000..61db909
|
|||||||
+ allow boinc_project_t self:process ptrace;
|
+ allow boinc_project_t self:process ptrace;
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+allow boinc_project_t self:fifo_file rw_fifo_file_perms;
|
|
||||||
+allow boinc_project_t self:sem create_sem_perms;
|
|
||||||
+
|
|
||||||
+manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
|
+manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
|
||||||
+manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
|
+manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
|
||||||
+files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file })
|
+files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file })
|
||||||
@ -28429,29 +28478,15 @@ index 0000000..61db909
|
|||||||
+list_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
|
+list_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
|
||||||
+rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
|
+rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
|
||||||
+
|
+
|
||||||
+kernel_read_system_state(boinc_project_t)
|
|
||||||
+kernel_read_kernel_sysctls(boinc_project_t)
|
+kernel_read_kernel_sysctls(boinc_project_t)
|
||||||
+kernel_search_vm_sysctl(boinc_project_t)
|
+kernel_search_vm_sysctl(boinc_project_t)
|
||||||
+kernel_read_network_state(boinc_project_t)
|
+kernel_read_network_state(boinc_project_t)
|
||||||
+
|
+
|
||||||
+corecmd_exec_bin(boinc_project_t)
|
|
||||||
+corecmd_exec_shell(boinc_project_t)
|
|
||||||
+
|
|
||||||
+corenet_tcp_connect_boinc_port(boinc_project_t)
|
+corenet_tcp_connect_boinc_port(boinc_project_t)
|
||||||
+
|
+
|
||||||
+domain_read_all_domains_state(boinc_project_t)
|
|
||||||
+
|
|
||||||
+dev_read_rand(boinc_project_t)
|
|
||||||
+dev_read_urand(boinc_project_t)
|
|
||||||
+dev_read_sysfs(boinc_project_t)
|
|
||||||
+dev_rw_xserver_misc(boinc_project_t)
|
+dev_rw_xserver_misc(boinc_project_t)
|
||||||
+
|
+
|
||||||
+files_read_etc_files(boinc_project_t)
|
+files_dontaudit_search_home(boinc_project_t)
|
||||||
+files_read_etc_runtime_files(boinc_project_t)
|
|
||||||
+files_read_usr_files(boinc_project_t)
|
|
||||||
+
|
|
||||||
+miscfiles_read_fonts(boinc_project_t)
|
|
||||||
+miscfiles_read_localization(boinc_project_t)
|
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ java_exec(boinc_project_t)
|
+ java_exec(boinc_project_t)
|
||||||
@ -46347,7 +46382,7 @@ index c358d8f..7c097ec 100644
|
|||||||
init_labeled_script_domtrans($1, munin_initrc_exec_t)
|
init_labeled_script_domtrans($1, munin_initrc_exec_t)
|
||||||
domain_system_change_exemption($1)
|
domain_system_change_exemption($1)
|
||||||
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
|
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
|
||||||
index f17583b..9850f4d 100644
|
index f17583b..171ebec 100644
|
||||||
--- a/policy/modules/services/munin.te
|
--- a/policy/modules/services/munin.te
|
||||||
+++ b/policy/modules/services/munin.te
|
+++ b/policy/modules/services/munin.te
|
||||||
@@ -5,6 +5,8 @@ policy_module(munin, 1.8.0)
|
@@ -5,6 +5,8 @@ policy_module(munin, 1.8.0)
|
||||||
@ -46442,7 +46477,7 @@ index f17583b..9850f4d 100644
|
|||||||
|
|
||||||
sysnet_read_config(disk_munin_plugin_t)
|
sysnet_read_config(disk_munin_plugin_t)
|
||||||
|
|
||||||
@@ -221,19 +231,17 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
|
@@ -221,19 +231,23 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
|
||||||
|
|
||||||
dev_read_urand(mail_munin_plugin_t)
|
dev_read_urand(mail_munin_plugin_t)
|
||||||
|
|
||||||
@ -46452,10 +46487,19 @@ index f17583b..9850f4d 100644
|
|||||||
-
|
-
|
||||||
logging_read_generic_logs(mail_munin_plugin_t)
|
logging_read_generic_logs(mail_munin_plugin_t)
|
||||||
|
|
||||||
mta_read_config(mail_munin_plugin_t)
|
-mta_read_config(mail_munin_plugin_t)
|
||||||
mta_send_mail(mail_munin_plugin_t)
|
-mta_send_mail(mail_munin_plugin_t)
|
||||||
+mta_list_queue(mail_munin_plugin_t)
|
-mta_read_queue(mail_munin_plugin_t)
|
||||||
mta_read_queue(mail_munin_plugin_t)
|
+optional_policy(`
|
||||||
|
+ mta_read_config(mail_munin_plugin_t)
|
||||||
|
+ mta_send_mail(mail_munin_plugin_t)
|
||||||
|
+ mta_list_queue(mail_munin_plugin_t)
|
||||||
|
+ mta_read_queue(mail_munin_plugin_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ nscd_socket_use(mail_munin_plugin_t)
|
||||||
|
+')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
postfix_read_config(mail_munin_plugin_t)
|
postfix_read_config(mail_munin_plugin_t)
|
||||||
@ -46464,7 +46508,7 @@ index f17583b..9850f4d 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -245,6 +253,8 @@ optional_policy(`
|
@@ -245,6 +259,8 @@ optional_policy(`
|
||||||
# local policy for service plugins
|
# local policy for service plugins
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -46473,7 +46517,7 @@ index f17583b..9850f4d 100644
|
|||||||
allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
|
allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow services_munin_plugin_t self:udp_socket create_socket_perms;
|
allow services_munin_plugin_t self:udp_socket create_socket_perms;
|
||||||
allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
|
allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
|
||||||
@@ -255,13 +265,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
|
@@ -255,13 +271,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
|
||||||
dev_read_urand(services_munin_plugin_t)
|
dev_read_urand(services_munin_plugin_t)
|
||||||
dev_read_rand(services_munin_plugin_t)
|
dev_read_rand(services_munin_plugin_t)
|
||||||
|
|
||||||
@ -46488,7 +46532,18 @@ index f17583b..9850f4d 100644
|
|||||||
cups_stream_connect(services_munin_plugin_t)
|
cups_stream_connect(services_munin_plugin_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -286,6 +293,10 @@ optional_policy(`
|
@@ -279,6 +292,10 @@ optional_policy(`
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
+ nscd_socket_use(services_munin_plugin_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
postgresql_stream_connect(services_munin_plugin_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
@@ -286,6 +303,10 @@ optional_policy(`
|
||||||
snmp_read_snmp_var_lib_files(services_munin_plugin_t)
|
snmp_read_snmp_var_lib_files(services_munin_plugin_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -46499,7 +46554,7 @@ index f17583b..9850f4d 100644
|
|||||||
##################################
|
##################################
|
||||||
#
|
#
|
||||||
# local policy for system plugins
|
# local policy for system plugins
|
||||||
@@ -295,13 +306,12 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
|
@@ -295,13 +316,12 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
|
||||||
|
|
||||||
rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
|
rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
|
||||||
|
|
||||||
@ -46516,7 +46571,7 @@ index f17583b..9850f4d 100644
|
|||||||
dev_read_sysfs(system_munin_plugin_t)
|
dev_read_sysfs(system_munin_plugin_t)
|
||||||
dev_read_urand(system_munin_plugin_t)
|
dev_read_urand(system_munin_plugin_t)
|
||||||
|
|
||||||
@@ -313,3 +323,31 @@ init_read_utmp(system_munin_plugin_t)
|
@@ -313,3 +333,31 @@ init_read_utmp(system_munin_plugin_t)
|
||||||
sysnet_exec_ifconfig(system_munin_plugin_t)
|
sysnet_exec_ifconfig(system_munin_plugin_t)
|
||||||
|
|
||||||
term_getattr_unallocated_ttys(system_munin_plugin_t)
|
term_getattr_unallocated_ttys(system_munin_plugin_t)
|
||||||
@ -62829,7 +62884,7 @@ index 8294f6f..4847b43 100644
|
|||||||
/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0)
|
/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0)
|
||||||
+/var/run/tgtd.* -s gen_context(system_u:object_r:tgtd_var_run_t,s0)
|
+/var/run/tgtd.* -s gen_context(system_u:object_r:tgtd_var_run_t,s0)
|
||||||
diff --git a/policy/modules/services/tgtd.te b/policy/modules/services/tgtd.te
|
diff --git a/policy/modules/services/tgtd.te b/policy/modules/services/tgtd.te
|
||||||
index 665bf7c..d100080 100644
|
index 665bf7c..a1ea37a 100644
|
||||||
--- a/policy/modules/services/tgtd.te
|
--- a/policy/modules/services/tgtd.te
|
||||||
+++ b/policy/modules/services/tgtd.te
|
+++ b/policy/modules/services/tgtd.te
|
||||||
@@ -21,6 +21,9 @@ files_tmpfs_file(tgtd_tmpfs_t)
|
@@ -21,6 +21,9 @@ files_tmpfs_file(tgtd_tmpfs_t)
|
||||||
@ -62851,7 +62906,7 @@ index 665bf7c..d100080 100644
|
|||||||
allow tgtd_t self:shm create_shm_perms;
|
allow tgtd_t self:shm create_shm_perms;
|
||||||
allow tgtd_t self:sem create_sem_perms;
|
allow tgtd_t self:sem create_sem_perms;
|
||||||
allow tgtd_t self:tcp_socket create_stream_socket_perms;
|
allow tgtd_t self:tcp_socket create_stream_socket_perms;
|
||||||
@@ -46,6 +49,11 @@ manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
|
@@ -46,6 +49,12 @@ manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
|
||||||
manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
|
manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
|
||||||
files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file })
|
files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file })
|
||||||
|
|
||||||
@ -62860,10 +62915,11 @@ index 665bf7c..d100080 100644
|
|||||||
+manage_sock_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)
|
+manage_sock_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)
|
||||||
+files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file })
|
+files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file })
|
||||||
+
|
+
|
||||||
|
+kernel_read_system_state(tgtd_t)
|
||||||
kernel_read_fs_sysctls(tgtd_t)
|
kernel_read_fs_sysctls(tgtd_t)
|
||||||
|
|
||||||
corenet_all_recvfrom_netlabel(tgtd_t)
|
corenet_all_recvfrom_netlabel(tgtd_t)
|
||||||
@@ -57,10 +65,18 @@ corenet_tcp_bind_generic_node(tgtd_t)
|
@@ -57,10 +66,18 @@ corenet_tcp_bind_generic_node(tgtd_t)
|
||||||
corenet_tcp_bind_iscsi_port(tgtd_t)
|
corenet_tcp_bind_iscsi_port(tgtd_t)
|
||||||
corenet_sendrecv_iscsi_server_packets(tgtd_t)
|
corenet_sendrecv_iscsi_server_packets(tgtd_t)
|
||||||
|
|
||||||
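Review bot: The boinc.te rewrite drops `miscfiles_read_generic_certs(boinc_t)` without carrying it anywhere: the hunk at `@ -28384,14 +28439,11 @@` blanks that line on the new side, and the new `boinc_domain` block in the hunk at `@ -28311,6 +28353,37 @@` grants fonts and localization but no certificate access. boinc_t still keeps `corenet_tcp_connect_http_port` and `corenet_tcp_connect_http_cache_port`, so if the client validates TLS against the system certificate store this will show up as a new denial rather than the intended tightening, and the changelog entry ("More fixes for boinc") does not mention the removal. Unless it was deliberate, restore `miscfiles_read_generic_certs(boinc_t)` in the boinc local policy section, keeping it on boinc_t rather than boinc_domain since boinc_project_t never had it. Separately, the new interface doc in mozilla.if reads `## with an correct label.` and should be `## with a correct label.`, and the new `kernel_request_load_module(abrt_t)` in abrt.te would read better with a one-line comment naming what triggers the module request, e.g. `# module autoload needed for: <reason placeholder>`.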
|
@ -17,7 +17,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.10.0
|
Version: 3.10.0
|
||||||
Release: 67%{?dist}
|
Release: 68%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -470,6 +470,15 @@ SELinux Reference policy mls base module.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Dec 13 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-68
|
||||||
|
- Allow abrt to request the kernel to load a module
|
||||||
|
- Make sure mozilla content is labeled correctly
|
||||||
|
- Allow tgtd to read system state
|
||||||
|
- More fixes for boinc
|
||||||
|
* allow to resolve dns name
|
||||||
|
* re-write boinc policy to use boinc_domain attribute
|
||||||
|
- Allow munin services plugins to use NSCD services
|
||||||
|
|
||||||
* Thu Dec 8 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-67
|
* Thu Dec 8 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-67
|
||||||
- Allow mozilla_plugin_t to manage mozilla_home_t
|
- Allow mozilla_plugin_t to manage mozilla_home_t
|
||||||
- Allow ssh derived domain to execute ssh-keygen in the ssh_keygen_t domain
|
- Allow ssh derived domain to execute ssh-keygen in the ssh_keygen_t domain
|
||||||
|