- Allow abrt to request the kernel to load a module
- Make sure mozilla content is labeled correctly - Allow tgtd to read system state - More fixes for boinc * allow DNS name resolution * rewrite the boinc policy to use the boinc_domain attribute - Allow munin services plugins to use NSCD services
This commit is contained in:
parent
202bb4cfa3
commit
d17f759dd0
216
policy-F16.patch
216
policy-F16.patch
@ -5446,7 +5446,7 @@ index 00a19e3..9f6139c 100644
|
||||
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
|
||||
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
|
||||
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
|
||||
index f5afe78..9b1de02 100644
|
||||
index f5afe78..c57fc1e 100644
|
||||
--- a/policy/modules/apps/gnome.if
|
||||
+++ b/policy/modules/apps/gnome.if
|
||||
@@ -1,44 +1,862 @@
|
||||
@ -6521,7 +6521,7 @@ index f5afe78..9b1de02 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -140,51 +1029,299 @@ interface(`gnome_domtrans_gconfd',`
|
||||
@@ -140,51 +1029,298 @@ interface(`gnome_domtrans_gconfd',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -6715,7 +6715,6 @@ index f5afe78..9b1de02 100644
|
||||
+ allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms;
|
||||
+')
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Create gnome content in the user home directory
|
||||
@ -7931,7 +7930,7 @@ index 93ac529..800b5c8 100644
|
||||
+
|
||||
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
|
||||
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
|
||||
index fbb5c5a..e187982 100644
|
||||
index fbb5c5a..ffeec16 100644
|
||||
--- a/policy/modules/apps/mozilla.if
|
||||
+++ b/policy/modules/apps/mozilla.if
|
||||
@@ -29,6 +29,8 @@ interface(`mozilla_role',`
|
||||
@ -7943,7 +7942,7 @@ index fbb5c5a..e187982 100644
|
||||
# Allow the user domain to signal/ps.
|
||||
ps_process_pattern($2, mozilla_t)
|
||||
allow $2 mozilla_t:process signal_perms;
|
||||
@@ -49,8 +51,16 @@ interface(`mozilla_role',`
|
||||
@@ -49,9 +51,19 @@ interface(`mozilla_role',`
|
||||
mozilla_run_plugin(mozilla_t, $1)
|
||||
mozilla_dbus_chat($2)
|
||||
|
||||
@ -7958,9 +7957,12 @@ index fbb5c5a..e187982 100644
|
||||
+ pulseaudio_filetrans_admin_home_content(mozilla_t)
|
||||
+ pulseaudio_filetrans_home_content(mozilla_t)
|
||||
')
|
||||
+
|
||||
+ mozilla_filetrans_home_content($2)
|
||||
')
|
||||
|
||||
@@ -109,7 +119,7 @@ interface(`mozilla_dontaudit_rw_user_home_files',`
|
||||
########################################
|
||||
@@ -109,7 +121,7 @@ interface(`mozilla_dontaudit_rw_user_home_files',`
|
||||
type mozilla_home_t;
|
||||
')
|
||||
|
||||
@ -7969,7 +7971,7 @@ index fbb5c5a..e187982 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -197,12 +207,29 @@ interface(`mozilla_domtrans',`
|
||||
@@ -197,12 +209,31 @@ interface(`mozilla_domtrans',`
|
||||
#
|
||||
interface(`mozilla_domtrans_plugin',`
|
||||
gen_require(`
|
||||
@ -7997,10 +7999,12 @@ index fbb5c5a..e187982 100644
|
||||
+ read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
|
||||
+ read_lnk_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
|
||||
+ can_exec($1, mozilla_plugin_rw_t)
|
||||
+
|
||||
+ #mozilla_filetrans_home_content($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -228,6 +255,27 @@ interface(`mozilla_run_plugin',`
|
||||
@@ -228,6 +259,27 @@ interface(`mozilla_run_plugin',`
|
||||
|
||||
mozilla_domtrans_plugin($1)
|
||||
role $2 types mozilla_plugin_t;
|
||||
@ -8028,7 +8032,7 @@ index fbb5c5a..e187982 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -269,9 +317,27 @@ interface(`mozilla_rw_tcp_sockets',`
|
||||
@@ -269,9 +321,27 @@ interface(`mozilla_rw_tcp_sockets',`
|
||||
allow $1 mozilla_t:tcp_socket rw_socket_perms;
|
||||
')
|
||||
|
||||
@ -8057,7 +8061,7 @@ index fbb5c5a..e187982 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -279,28 +345,48 @@ interface(`mozilla_rw_tcp_sockets',`
|
||||
@@ -279,28 +349,79 @@ interface(`mozilla_rw_tcp_sockets',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -8113,6 +8117,37 @@ index fbb5c5a..e187982 100644
|
||||
+ allow $1 mozilla_plugin_rw_t:file manage_file_perms;
|
||||
+ allow $1 mozilla_plugin_rw_t:dir rw_dir_perms;
|
||||
')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Create mozilla content in the user home directory
|
||||
+## with an correct label.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`mozilla_filetrans_home_content',`
|
||||
+
|
||||
+ gen_require(`
|
||||
+ type mozilla_home_t;
|
||||
+ ')
|
||||
+
|
||||
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".galeon")
|
||||
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".java")
|
||||
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".mozilla")
|
||||
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".thunderbird")
|
||||
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".netscape")
|
||||
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".phoenix")
|
||||
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".adobe")
|
||||
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".macromedia")
|
||||
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gnash")
|
||||
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin")
|
||||
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin")
|
||||
+')
|
||||
+
|
||||
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
|
||||
index 2e9318b..bb90a3b 100644
|
||||
--- a/policy/modules/apps/mozilla.te
|
||||
@ -16430,7 +16465,7 @@ index 6a1e4d1..3ded83e 100644
|
||||
+ dontaudit $1 domain:socket_class_set { read write };
|
||||
')
|
||||
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
|
||||
index fae1ab1..facd6a8 100644
|
||||
index fae1ab1..b3fbad5 100644
|
||||
--- a/policy/modules/kernel/domain.te
|
||||
+++ b/policy/modules/kernel/domain.te
|
||||
@@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
|
||||
@ -16531,7 +16566,7 @@ index fae1ab1..facd6a8 100644
|
||||
|
||||
# Create/access any System V IPC objects.
|
||||
allow unconfined_domain_type domain:{ sem msgq shm } *;
|
||||
@@ -158,5 +199,219 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
|
||||
@@ -158,5 +199,223 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
|
||||
# act on all domains keys
|
||||
allow unconfined_domain_type domain:key *;
|
||||
|
||||
@ -16595,6 +16630,10 @@ index fae1ab1..facd6a8 100644
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ mozilla_filetrans_home_content(unconfined_domain_type)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ networkmanager_filetrans_named_content(unconfined_domain_type)
|
||||
+')
|
||||
+
|
||||
@ -23987,7 +24026,7 @@ index 0b827c5..d83d4dc 100644
|
||||
+ dontaudit $1 abrt_t:sock_file write;
|
||||
+')
|
||||
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
|
||||
index 30861ec..e203cd3 100644
|
||||
index 30861ec..939e294 100644
|
||||
--- a/policy/modules/services/abrt.te
|
||||
+++ b/policy/modules/services/abrt.te
|
||||
@@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0)
|
||||
@ -24095,7 +24134,7 @@ index 30861ec..e203cd3 100644
|
||||
|
||||
# abrt var/cache files
|
||||
manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
|
||||
@@ -82,10 +133,9 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
|
||||
@@ -82,10 +133,10 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
|
||||
manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
|
||||
manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
|
||||
manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
|
||||
@ -24104,10 +24143,11 @@ index 30861ec..e203cd3 100644
|
||||
|
||||
kernel_read_ring_buffer(abrt_t)
|
||||
-kernel_read_system_state(abrt_t)
|
||||
+kernel_request_load_module(abrt_t)
|
||||
kernel_rw_kernel_sysctl(abrt_t)
|
||||
|
||||
corecmd_exec_bin(abrt_t)
|
||||
@@ -104,6 +154,8 @@ corenet_tcp_connect_all_ports(abrt_t)
|
||||
@@ -104,6 +155,8 @@ corenet_tcp_connect_all_ports(abrt_t)
|
||||
corenet_sendrecv_http_client_packets(abrt_t)
|
||||
|
||||
dev_getattr_all_chr_files(abrt_t)
|
||||
@ -24116,7 +24156,7 @@ index 30861ec..e203cd3 100644
|
||||
dev_read_urand(abrt_t)
|
||||
dev_rw_sysfs(abrt_t)
|
||||
dev_dontaudit_read_raw_memory(abrt_t)
|
||||
@@ -113,7 +165,8 @@ domain_read_all_domains_state(abrt_t)
|
||||
@@ -113,7 +166,8 @@ domain_read_all_domains_state(abrt_t)
|
||||
domain_signull_all_domains(abrt_t)
|
||||
|
||||
files_getattr_all_files(abrt_t)
|
||||
@ -24126,7 +24166,7 @@ index 30861ec..e203cd3 100644
|
||||
files_read_var_symlinks(abrt_t)
|
||||
files_read_var_lib_files(abrt_t)
|
||||
files_read_usr_files(abrt_t)
|
||||
@@ -121,6 +174,8 @@ files_read_generic_tmp_files(abrt_t)
|
||||
@@ -121,6 +175,8 @@ files_read_generic_tmp_files(abrt_t)
|
||||
files_read_kernel_modules(abrt_t)
|
||||
files_dontaudit_list_default(abrt_t)
|
||||
files_dontaudit_read_default_files(abrt_t)
|
||||
@ -24135,7 +24175,7 @@ index 30861ec..e203cd3 100644
|
||||
|
||||
fs_list_inotifyfs(abrt_t)
|
||||
fs_getattr_all_fs(abrt_t)
|
||||
@@ -131,22 +186,26 @@ fs_read_nfs_files(abrt_t)
|
||||
@@ -131,22 +187,26 @@ fs_read_nfs_files(abrt_t)
|
||||
fs_read_nfs_symlinks(abrt_t)
|
||||
fs_search_all(abrt_t)
|
||||
|
||||
@ -24168,7 +24208,7 @@ index 30861ec..e203cd3 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -167,6 +226,7 @@ optional_policy(`
|
||||
@@ -167,6 +227,7 @@ optional_policy(`
|
||||
rpm_exec(abrt_t)
|
||||
rpm_dontaudit_manage_db(abrt_t)
|
||||
rpm_manage_cache(abrt_t)
|
||||
@ -24176,7 +24216,7 @@ index 30861ec..e203cd3 100644
|
||||
rpm_manage_pid_files(abrt_t)
|
||||
rpm_read_db(abrt_t)
|
||||
rpm_signull(abrt_t)
|
||||
@@ -178,12 +238,35 @@ optional_policy(`
|
||||
@@ -178,12 +239,35 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -24213,7 +24253,7 @@ index 30861ec..e203cd3 100644
|
||||
#
|
||||
|
||||
allow abrt_helper_t self:capability { chown setgid sys_nice };
|
||||
@@ -200,23 +283,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
|
||||
@@ -200,23 +284,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
|
||||
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
|
||||
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
|
||||
|
||||
@ -24242,7 +24282,7 @@ index 30861ec..e203cd3 100644
|
||||
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
|
||||
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
|
||||
dev_dontaudit_read_all_blk_files(abrt_helper_t)
|
||||
@@ -224,4 +306,128 @@ ifdef(`hide_broken_symptoms', `
|
||||
@@ -224,4 +307,128 @@ ifdef(`hide_broken_symptoms', `
|
||||
dev_dontaudit_write_all_chr_files(abrt_helper_t)
|
||||
dev_dontaudit_write_all_blk_files(abrt_helper_t)
|
||||
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
|
||||
@ -28274,10 +28314,10 @@ index 0000000..9fe3f9e
|
||||
+')
|
||||
diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
|
||||
new file mode 100644
|
||||
index 0000000..61db909
|
||||
index 0000000..788087e
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/services/boinc.te
|
||||
@@ -0,0 +1,178 @@
|
||||
@@ -0,0 +1,173 @@
|
||||
+policy_module(boinc, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -28285,6 +28325,8 @@ index 0000000..61db909
|
||||
+# Declarations
|
||||
+#
|
||||
+
|
||||
+attribute boinc_domain;
|
||||
+
|
||||
+type boinc_t;
|
||||
+type boinc_exec_t;
|
||||
+init_daemon_domain(boinc_t, boinc_exec_t)
|
||||
@ -28311,6 +28353,37 @@ index 0000000..61db909
|
||||
+type boinc_project_var_lib_t;
|
||||
+files_type(boinc_project_var_lib_t)
|
||||
+
|
||||
+#######################################
|
||||
+#
|
||||
+# boinc domain local policy
|
||||
+#
|
||||
+
|
||||
+allow boinc_domain self:fifo_file rw_fifo_file_perms;
|
||||
+allow boinc_domain self:sem create_sem_perms;
|
||||
+
|
||||
+# needs read /proc/interrupts
|
||||
+kernel_read_system_state(boinc_domain)
|
||||
+
|
||||
+corecmd_exec_bin(boinc_domain)
|
||||
+corecmd_exec_shell(boinc_domain)
|
||||
+
|
||||
+dev_read_rand(boinc_domain)
|
||||
+dev_read_urand(boinc_domain)
|
||||
+dev_read_sysfs(boinc_domain)
|
||||
+
|
||||
+domain_read_all_domains_state(boinc_domain)
|
||||
+
|
||||
+files_read_etc_files(boinc_domain)
|
||||
+files_read_etc_runtime_files(boinc_domain)
|
||||
+files_read_usr_files(boinc_domain)
|
||||
+
|
||||
+miscfiles_read_fonts(boinc_domain)
|
||||
+miscfiles_read_localization(boinc_domain)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ sysnet_dns_name_resolve(boinc_domain)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# boinc local policy
|
||||
@ -28319,10 +28392,8 @@ index 0000000..61db909
|
||||
+allow boinc_t self:capability { kill };
|
||||
+allow boinc_t self:process { setsched sigkill };
|
||||
+
|
||||
+allow boinc_t self:fifo_file rw_fifo_file_perms;
|
||||
+allow boinc_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+allow boinc_t self:tcp_socket create_stream_socket_perms;
|
||||
+allow boinc_t self:sem create_sem_perms;
|
||||
+allow boinc_t self:shm create_shm_perms;
|
||||
+
|
||||
+manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
|
||||
@ -28340,15 +28411,9 @@ index 0000000..61db909
|
||||
+manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
|
||||
+manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
|
||||
+
|
||||
+# needs read /proc/interrupts
|
||||
+kernel_read_system_state(boinc_t)
|
||||
+
|
||||
+files_getattr_all_dirs(boinc_t)
|
||||
+files_getattr_all_files(boinc_t)
|
||||
+
|
||||
+corecmd_exec_bin(boinc_t)
|
||||
+corecmd_exec_shell(boinc_t)
|
||||
+
|
||||
+corenet_all_recvfrom_unlabeled(boinc_t)
|
||||
+corenet_all_recvfrom_netlabel(boinc_t)
|
||||
+corenet_tcp_sendrecv_generic_if(boinc_t)
|
||||
@ -28365,18 +28430,8 @@ index 0000000..61db909
|
||||
+corenet_tcp_connect_http_port(boinc_t)
|
||||
+corenet_tcp_connect_http_cache_port(boinc_t)
|
||||
+
|
||||
+dev_list_sysfs(boinc_t)
|
||||
+dev_read_rand(boinc_t)
|
||||
+dev_read_urand(boinc_t)
|
||||
+dev_read_sysfs(boinc_t)
|
||||
+
|
||||
+domain_read_all_domains_state(boinc_t)
|
||||
+
|
||||
+files_dontaudit_getattr_boot_dirs(boinc_t)
|
||||
+
|
||||
+files_read_etc_files(boinc_t)
|
||||
+files_read_usr_files(boinc_t)
|
||||
+
|
||||
+fs_getattr_all_fs(boinc_t)
|
||||
+
|
||||
+term_getattr_all_ptys(boinc_t)
|
||||
@ -28384,14 +28439,11 @@ index 0000000..61db909
|
||||
+
|
||||
+init_read_utmp(boinc_t)
|
||||
+
|
||||
+miscfiles_read_localization(boinc_t)
|
||||
+miscfiles_read_generic_certs(boinc_t)
|
||||
+
|
||||
+logging_send_syslog_msg(boinc_t)
|
||||
+
|
||||
+sysnet_dns_name_resolve(boinc_t)
|
||||
+
|
||||
+mta_send_mail(boinc_t)
|
||||
+optional_policy(`
|
||||
+ mta_send_mail(boinc_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
@ -28408,9 +28460,6 @@ index 0000000..61db909
|
||||
+ allow boinc_project_t self:process ptrace;
|
||||
+')
|
||||
+
|
||||
+allow boinc_project_t self:fifo_file rw_fifo_file_perms;
|
||||
+allow boinc_project_t self:sem create_sem_perms;
|
||||
+
|
||||
+manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
|
||||
+manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
|
||||
+files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file })
|
||||
@ -28429,29 +28478,15 @@ index 0000000..61db909
|
||||
+list_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
|
||||
+rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
|
||||
+
|
||||
+kernel_read_system_state(boinc_project_t)
|
||||
+kernel_read_kernel_sysctls(boinc_project_t)
|
||||
+kernel_search_vm_sysctl(boinc_project_t)
|
||||
+kernel_read_network_state(boinc_project_t)
|
||||
+
|
||||
+corecmd_exec_bin(boinc_project_t)
|
||||
+corecmd_exec_shell(boinc_project_t)
|
||||
+
|
||||
+corenet_tcp_connect_boinc_port(boinc_project_t)
|
||||
+
|
||||
+domain_read_all_domains_state(boinc_project_t)
|
||||
+
|
||||
+dev_read_rand(boinc_project_t)
|
||||
+dev_read_urand(boinc_project_t)
|
||||
+dev_read_sysfs(boinc_project_t)
|
||||
+dev_rw_xserver_misc(boinc_project_t)
|
||||
+
|
||||
+files_read_etc_files(boinc_project_t)
|
||||
+files_read_etc_runtime_files(boinc_project_t)
|
||||
+files_read_usr_files(boinc_project_t)
|
||||
+
|
||||
+miscfiles_read_fonts(boinc_project_t)
|
||||
+miscfiles_read_localization(boinc_project_t)
|
||||
+files_dontaudit_search_home(boinc_project_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ java_exec(boinc_project_t)
|
||||
@ -46347,7 +46382,7 @@ index c358d8f..7c097ec 100644
|
||||
init_labeled_script_domtrans($1, munin_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
|
||||
index f17583b..9850f4d 100644
|
||||
index f17583b..171ebec 100644
|
||||
--- a/policy/modules/services/munin.te
|
||||
+++ b/policy/modules/services/munin.te
|
||||
@@ -5,6 +5,8 @@ policy_module(munin, 1.8.0)
|
||||
@ -46442,7 +46477,7 @@ index f17583b..9850f4d 100644
|
||||
|
||||
sysnet_read_config(disk_munin_plugin_t)
|
||||
|
||||
@@ -221,19 +231,17 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
|
||||
@@ -221,19 +231,23 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
|
||||
|
||||
dev_read_urand(mail_munin_plugin_t)
|
||||
|
||||
@ -46452,10 +46487,19 @@ index f17583b..9850f4d 100644
|
||||
-
|
||||
logging_read_generic_logs(mail_munin_plugin_t)
|
||||
|
||||
mta_read_config(mail_munin_plugin_t)
|
||||
mta_send_mail(mail_munin_plugin_t)
|
||||
+mta_list_queue(mail_munin_plugin_t)
|
||||
mta_read_queue(mail_munin_plugin_t)
|
||||
-mta_read_config(mail_munin_plugin_t)
|
||||
-mta_send_mail(mail_munin_plugin_t)
|
||||
-mta_read_queue(mail_munin_plugin_t)
|
||||
+optional_policy(`
|
||||
+ mta_read_config(mail_munin_plugin_t)
|
||||
+ mta_send_mail(mail_munin_plugin_t)
|
||||
+ mta_list_queue(mail_munin_plugin_t)
|
||||
+ mta_read_queue(mail_munin_plugin_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ nscd_socket_use(mail_munin_plugin_t)
|
||||
+')
|
||||
|
||||
optional_policy(`
|
||||
postfix_read_config(mail_munin_plugin_t)
|
||||
@ -46464,7 +46508,7 @@ index f17583b..9850f4d 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -245,6 +253,8 @@ optional_policy(`
|
||||
@@ -245,6 +259,8 @@ optional_policy(`
|
||||
# local policy for service plugins
|
||||
#
|
||||
|
||||
@ -46473,7 +46517,7 @@ index f17583b..9850f4d 100644
|
||||
allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
|
||||
allow services_munin_plugin_t self:udp_socket create_socket_perms;
|
||||
allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
@@ -255,13 +265,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
|
||||
@@ -255,13 +271,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
|
||||
dev_read_urand(services_munin_plugin_t)
|
||||
dev_read_rand(services_munin_plugin_t)
|
||||
|
||||
@ -46488,7 +46532,18 @@ index f17583b..9850f4d 100644
|
||||
cups_stream_connect(services_munin_plugin_t)
|
||||
')
|
||||
|
||||
@@ -286,6 +293,10 @@ optional_policy(`
|
||||
@@ -279,6 +292,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ nscd_socket_use(services_munin_plugin_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
postgresql_stream_connect(services_munin_plugin_t)
|
||||
')
|
||||
|
||||
@@ -286,6 +303,10 @@ optional_policy(`
|
||||
snmp_read_snmp_var_lib_files(services_munin_plugin_t)
|
||||
')
|
||||
|
||||
@ -46499,7 +46554,7 @@ index f17583b..9850f4d 100644
|
||||
##################################
|
||||
#
|
||||
# local policy for system plugins
|
||||
@@ -295,13 +306,12 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
|
||||
@@ -295,13 +316,12 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
|
||||
|
||||
rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
|
||||
|
||||
@ -46516,7 +46571,7 @@ index f17583b..9850f4d 100644
|
||||
dev_read_sysfs(system_munin_plugin_t)
|
||||
dev_read_urand(system_munin_plugin_t)
|
||||
|
||||
@@ -313,3 +323,31 @@ init_read_utmp(system_munin_plugin_t)
|
||||
@@ -313,3 +333,31 @@ init_read_utmp(system_munin_plugin_t)
|
||||
sysnet_exec_ifconfig(system_munin_plugin_t)
|
||||
|
||||
term_getattr_unallocated_ttys(system_munin_plugin_t)
|
||||
@ -62829,7 +62884,7 @@ index 8294f6f..4847b43 100644
|
||||
/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0)
|
||||
+/var/run/tgtd.* -s gen_context(system_u:object_r:tgtd_var_run_t,s0)
|
||||
diff --git a/policy/modules/services/tgtd.te b/policy/modules/services/tgtd.te
|
||||
index 665bf7c..d100080 100644
|
||||
index 665bf7c..a1ea37a 100644
|
||||
--- a/policy/modules/services/tgtd.te
|
||||
+++ b/policy/modules/services/tgtd.te
|
||||
@@ -21,6 +21,9 @@ files_tmpfs_file(tgtd_tmpfs_t)
|
||||
@ -62851,7 +62906,7 @@ index 665bf7c..d100080 100644
|
||||
allow tgtd_t self:shm create_shm_perms;
|
||||
allow tgtd_t self:sem create_sem_perms;
|
||||
allow tgtd_t self:tcp_socket create_stream_socket_perms;
|
||||
@@ -46,6 +49,11 @@ manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
|
||||
@@ -46,6 +49,12 @@ manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
|
||||
manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
|
||||
files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file })
|
||||
|
||||
@ -62860,10 +62915,11 @@ index 665bf7c..d100080 100644
|
||||
+manage_sock_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)
|
||||
+files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file })
|
||||
+
|
||||
+kernel_read_system_state(tgtd_t)
|
||||
kernel_read_fs_sysctls(tgtd_t)
|
||||
|
||||
corenet_all_recvfrom_netlabel(tgtd_t)
|
||||
@@ -57,10 +65,18 @@ corenet_tcp_bind_generic_node(tgtd_t)
|
||||
@@ -57,10 +66,18 @@ corenet_tcp_bind_generic_node(tgtd_t)
|
||||
corenet_tcp_bind_iscsi_port(tgtd_t)
|
||||
corenet_sendrecv_iscsi_server_packets(tgtd_t)
|
||||
|
||||
|
@ -17,7 +17,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.10.0
|
||||
Release: 67%{?dist}
|
||||
Release: 68%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -470,6 +470,15 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Dec 13 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-68
|
||||
- Allow abrt to request the kernel to load a module
|
||||
- Make sure mozilla content is labeled correctly
|
||||
- Allow tgtd to read system state
|
||||
- More fixes for boinc
|
||||
* allow to resolve dns name
|
||||
* re-write boinc policy to use boinc_domain attribute
|
||||
- Allow munin services plugins to use NSCD services
|
||||
|
||||
* Thu Dec 8 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-67
|
||||
- Allow mozilla_plugin_t to manage mozilla_home_t
|
||||
- Allow ssh derived domain to execute ssh-keygen in the ssh_keygen_t domain
|
||||
|