- Fix description of deny_ptrace boolean

- Remove allow for execmod lib_t for now
- Allow quantum to connect to keystone port
- Allow nova-console to talk with mysql over unix stream socket
- Allow dirsrv to stream connect to uuidd
- thumb_t needs to be able to create ~/.cache if it does not exist
- virtd needs to be able to sys_ptrace when starting and stopping containers
This commit is contained in:
Miroslav Grepl 2013-04-16 13:24:49 +02:00
parent 1d348dfc25
commit d42d1657e3
3 changed files with 325 additions and 261 deletions


@ -765,14 +765,14 @@ index 66e85ea..d02654d 100644
## user domains. ## user domains.
## </p> ## </p>
diff --git a/policy/global_tunables b/policy/global_tunables diff --git a/policy/global_tunables b/policy/global_tunables
index 4705ab6..11a1ae6 100644 index 4705ab6..629fe1b 100644
--- a/policy/global_tunables --- a/policy/global_tunables
+++ b/policy/global_tunables +++ b/policy/global_tunables
@@ -6,52 +6,59 @@ @@ -6,52 +6,59 @@
## <desc> ## <desc>
## <p> ## <p>
+## Allow sysadm to debug or ptrace all processes. +## Deny any process from ptracing or debugging any other processes.
+## </p> +## </p>
+## </desc> +## </desc>
+gen_tunable(deny_ptrace, false) +gen_tunable(deny_ptrace, false)
@ -22234,7 +22234,7 @@ index d1f64a0..3be3d00 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+ +
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 6bf0ecc..2706448 100644 index 6bf0ecc..ab37b7e 100644
--- a/policy/modules/services/xserver.if --- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@ @@ -19,9 +19,10 @@
@ -23102,7 +23102,7 @@ index 6bf0ecc..2706448 100644
+ type xdm_t; + type xdm_t;
+ ') + ')
+ +
+ dontaudit $1 xdm_t:unix_stream_socket { read write }; + dontaudit $1 xdm_t:unix_stream_socket { ioctl read write };
+') +')
+ +
+######################################## +########################################
@ -30338,7 +30338,7 @@ index 73bb3c0..aadfba0 100644
+ +
+/usr/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0) +/usr/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0)
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
index 808ba93..7b506f2 100644 index 808ba93..9d8f729 100644
--- a/policy/modules/system/libraries.if --- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if +++ b/policy/modules/system/libraries.if
@@ -66,6 +66,25 @@ interface(`libs_exec_ldconfig',` @@ -66,6 +66,25 @@ interface(`libs_exec_ldconfig',`
@ -30451,7 +30451,7 @@ index 808ba93..7b506f2 100644
') ')
######################################## ########################################
@@ -440,9 +463,9 @@ interface(`libs_use_shared_libs',` @@ -440,9 +463,10 @@ interface(`libs_use_shared_libs',`
') ')
files_search_usr($1) files_search_usr($1)
@ -30461,10 +30461,11 @@ index 808ba93..7b506f2 100644
+ allow $1 { textrel_shlib_t lib_t }:dir list_dir_perms; + allow $1 { textrel_shlib_t lib_t }:dir list_dir_perms;
+ read_lnk_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t }) + read_lnk_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
+ mmap_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t }) + mmap_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
+# allow $1 lib_t:file execmod;
allow $1 textrel_shlib_t:file execmod; allow $1 textrel_shlib_t:file execmod;
') ')
@@ -483,7 +506,7 @@ interface(`libs_relabel_shared_libs',` @@ -483,7 +507,7 @@ interface(`libs_relabel_shared_libs',`
type lib_t, textrel_shlib_t; type lib_t, textrel_shlib_t;
') ')
@ -30473,7 +30474,7 @@ index 808ba93..7b506f2 100644
') ')
######################################## ########################################
@@ -534,3 +557,26 @@ interface(`lib_filetrans_shared_lib',` @@ -534,3 +558,26 @@ interface(`lib_filetrans_shared_lib',`
interface(`files_lib_filetrans_shared_lib',` interface(`files_lib_filetrans_shared_lib',`
refpolicywarn(`$0($*) has been deprecated.') refpolicywarn(`$0($*) has been deprecated.')
') ')
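Review bot: The new side of the libraries.if hunk leaves a commented-out rule, `+# allow $1 lib_t:file execmod;`, inside `libs_use_shared_libs`, which is dead policy text rather than documentation; either drop the line or replace it with a short why-comment such as `# execmod is deliberately limited to textrel_shlib_t; libraries needing text relocations must be labeled textrel_shlib_t`. Keeping execmod off lib_t is the right default, since granting it to every caller of this interface would let any domain that links shared libraries execute a modified file-backed mapping of any library, which is exactly the exposure the textrel_shlib_t split is meant to scope. If the intent is a reminder to revisit this, a `# TODO` comment naming the tracking item reads more clearly than a disabled rule. The interface body continues outside the hunk.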


@ -19854,10 +19854,10 @@ index 0000000..b214253
+') +')
diff --git a/dirsrv.te b/dirsrv.te diff --git a/dirsrv.te b/dirsrv.te
new file mode 100644 new file mode 100644
index 0000000..217b0ef index 0000000..8cf8ddd
--- /dev/null --- /dev/null
+++ b/dirsrv.te +++ b/dirsrv.te
@@ -0,0 +1,190 @@ @@ -0,0 +1,194 @@
+policy_module(dirsrv,1.0.0) +policy_module(dirsrv,1.0.0)
+ +
+######################################## +########################################
@ -20005,6 +20005,10 @@ index 0000000..217b0ef
+ rpcbind_stream_connect(dirsrv_t) + rpcbind_stream_connect(dirsrv_t)
+') +')
+ +
+optional_policy(`
+ uuidd_stream_connect_manager(dirsrv_t)
+')
+
+######################################## +########################################
+# +#
+# dirsrv-snmp local policy +# dirsrv-snmp local policy
@ -24581,7 +24585,7 @@ index e39de43..5818f74 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if diff --git a/gnome.if b/gnome.if
index d03fd43..b000017 100644 index d03fd43..26023f7 100644
--- a/gnome.if --- a/gnome.if
+++ b/gnome.if +++ b/gnome.if
@@ -1,123 +1,154 @@ @@ -1,123 +1,154 @@
@ -25152,7 +25156,7 @@ index d03fd43..b000017 100644
## <summary> ## <summary>
-## Create, read, write, and delete -## Create, read, write, and delete
-## generic gnome home content. -## generic gnome home content.
+## Set attributes of cache home dir (.cache) +## Create generic cache home dir (.cache)
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@ -25161,25 +25165,26 @@ index d03fd43..b000017 100644
## </param> ## </param>
# #
-interface(`gnome_manage_generic_home_content',` -interface(`gnome_manage_generic_home_content',`
+interface(`gnome_setattr_cache_home_dir',` +interface(`gnome_create_generic_cache_dir',`
gen_require(` gen_require(`
- type gnome_home_t; - type gnome_home_t;
+ type cache_home_t; + type cache_home_t;
') ')
+ setattr_dirs_pattern($1, cache_home_t, cache_home_t) - userdom_search_user_home_dirs($1)
userdom_search_user_home_dirs($1)
- allow $1 gnome_home_t:dir manage_dir_perms; - allow $1 gnome_home_t:dir manage_dir_perms;
- allow $1 gnome_home_t:file manage_file_perms; - allow $1 gnome_home_t:file manage_file_perms;
- allow $1 gnome_home_t:fifo_file manage_fifo_file_perms; - allow $1 gnome_home_t:fifo_file manage_fifo_file_perms;
- allow $1 gnome_home_t:lnk_file manage_lnk_file_perms; - allow $1 gnome_home_t:lnk_file manage_lnk_file_perms;
- allow $1 gnome_home_t:sock_file manage_sock_file_perms; - allow $1 gnome_home_t:sock_file manage_sock_file_perms;
+ allow $1 cache_home_t:dir create_dir_perms;
+ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
') ')
######################################## ########################################
## <summary> ## <summary>
-## Search generic gnome home directories. -## Search generic gnome home directories.
+## Manage cache home dir (.cache) +## Set attributes of cache home dir (.cache)
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@ -25188,13 +25193,13 @@ index d03fd43..b000017 100644
## </param> ## </param>
# #
-interface(`gnome_search_generic_home',` -interface(`gnome_search_generic_home',`
+interface(`gnome_manage_cache_home_dir',` +interface(`gnome_setattr_cache_home_dir',`
gen_require(` gen_require(`
- type gnome_home_t; - type gnome_home_t;
+ type cache_home_t; + type cache_home_t;
') ')
+ manage_dirs_pattern($1, cache_home_t, cache_home_t) + setattr_dirs_pattern($1, cache_home_t, cache_home_t)
userdom_search_user_home_dirs($1) userdom_search_user_home_dirs($1)
- allow $1 gnome_home_t:dir search_dir_perms; - allow $1 gnome_home_t:dir search_dir_perms;
') ')
@ -25203,7 +25208,7 @@ index d03fd43..b000017 100644
## <summary> ## <summary>
-## Create objects in gnome user home -## Create objects in gnome user home
-## directories with a private type. -## directories with a private type.
+## append to generic cache home files (.cache) +## Manage cache home dir (.cache)
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@ -25227,13 +25232,13 @@ index d03fd43..b000017 100644
-## </param> -## </param>
# #
-interface(`gnome_home_filetrans',` -interface(`gnome_home_filetrans',`
+interface(`gnome_append_generic_cache_files',` +interface(`gnome_manage_cache_home_dir',`
gen_require(` gen_require(`
- type gnome_home_t; - type gnome_home_t;
+ type cache_home_t; + type cache_home_t;
') ')
+ append_files_pattern($1, cache_home_t, cache_home_t) + manage_dirs_pattern($1, cache_home_t, cache_home_t)
userdom_search_user_home_dirs($1) userdom_search_user_home_dirs($1)
- filetrans_pattern($1, gnome_home_t, $2, $3, $4) - filetrans_pattern($1, gnome_home_t, $2, $3, $4)
') ')
@ -25241,7 +25246,7 @@ index d03fd43..b000017 100644
######################################## ########################################
## <summary> ## <summary>
-## Create generic gconf home directories. -## Create generic gconf home directories.
+## write to generic cache home files (.cache) +## append to generic cache home files (.cache)
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@ -25250,29 +25255,57 @@ index d03fd43..b000017 100644
## </param> ## </param>
# #
-interface(`gnome_create_generic_gconf_home_dirs',` -interface(`gnome_create_generic_gconf_home_dirs',`
+interface(`gnome_write_generic_cache_files',` +interface(`gnome_append_generic_cache_files',`
gen_require(` gen_require(`
- type gconf_home_t; - type gconf_home_t;
+ type cache_home_t; + type cache_home_t;
') ')
- allow $1 gconf_home_t:dir create_dir_perms; - allow $1 gconf_home_t:dir create_dir_perms;
+ write_files_pattern($1, cache_home_t, cache_home_t) + append_files_pattern($1, cache_home_t, cache_home_t)
+ userdom_search_user_home_dirs($1) + userdom_search_user_home_dirs($1)
') ')
######################################## ########################################
## <summary> ## <summary>
-## Read generic gconf home content. -## Read generic gconf home content.
+## Manage a sock_file in the generic cache home files (.cache) +## write to generic cache home files (.cache)
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -449,46 +497,36 @@ interface(`gnome_create_generic_gconf_home_dirs',` @@ -449,23 +497,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
## </summary> ## </summary>
## </param> ## </param>
# #
-interface(`gnome_read_generic_gconf_home_content',` -interface(`gnome_read_generic_gconf_home_content',`
+interface(`gnome_write_generic_cache_files',`
gen_require(`
- type gconf_home_t;
+ type cache_home_t;
')
+ write_files_pattern($1, cache_home_t, cache_home_t)
userdom_search_user_home_dirs($1)
- allow $1 gconf_home_t:dir list_dir_perms;
- allow $1 gconf_home_t:file read_file_perms;
- allow $1 gconf_home_t:fifo_file read_fifo_file_perms;
- allow $1 gconf_home_t:lnk_file read_lnk_file_perms;
- allow $1 gconf_home_t:sock_file read_sock_file_perms;
')
########################################
## <summary>
-## Create, read, write, and delete
-## generic gconf home content.
+## Manage a sock_file in the generic cache home files (.cache)
## </summary>
## <param name="domain">
## <summary>
@@ -473,82 +516,72 @@ interface(`gnome_read_generic_gconf_home_content',`
## </summary>
## </param>
#
-interface(`gnome_manage_generic_gconf_home_content',`
+interface(`gnome_manage_generic_cache_sockets',` +interface(`gnome_manage_generic_cache_sockets',`
gen_require(` gen_require(`
- type gconf_home_t; - type gconf_home_t;
@ -25280,18 +25313,17 @@ index d03fd43..b000017 100644
') ')
userdom_search_user_home_dirs($1) userdom_search_user_home_dirs($1)
- allow $1 gconf_home_t:dir list_dir_perms; - allow $1 gconf_home_t:dir manage_dir_perms;
- allow $1 gconf_home_t:file read_file_perms; - allow $1 gconf_home_t:file manage_file_perms;
- allow $1 gconf_home_t:fifo_file read_fifo_file_perms; - allow $1 gconf_home_t:fifo_file manage_fifo_file_perms;
- allow $1 gconf_home_t:lnk_file read_lnk_file_perms; - allow $1 gconf_home_t:lnk_file manage_lnk_file_perms;
- allow $1 gconf_home_t:sock_file read_sock_file_perms; - allow $1 gconf_home_t:sock_file manage_sock_file_perms;
+ manage_sock_files_pattern($1, cache_home_t, cache_home_t) + manage_sock_files_pattern($1, cache_home_t, cache_home_t)
') ')
######################################## ########################################
## <summary> ## <summary>
-## Create, read, write, and delete -## Search generic gconf home directories.
-## generic gconf home content.
+## Dontaudit read/write to generic cache home files (.cache) +## Dontaudit read/write to generic cache home files (.cache)
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@ -25301,7 +25333,7 @@ index d03fd43..b000017 100644
## </summary> ## </summary>
## </param> ## </param>
# #
-interface(`gnome_manage_generic_gconf_home_content',` -interface(`gnome_search_generic_gconf_home',`
+interface(`gnome_dontaudit_rw_generic_cache_files',` +interface(`gnome_dontaudit_rw_generic_cache_files',`
gen_require(` gen_require(`
- type gconf_home_t; - type gconf_home_t;
@ -25309,34 +25341,41 @@ index d03fd43..b000017 100644
') ')
- userdom_search_user_home_dirs($1) - userdom_search_user_home_dirs($1)
- allow $1 gconf_home_t:dir manage_dir_perms; - allow $1 gconf_home_t:dir search_dir_perms;
- allow $1 gconf_home_t:file manage_file_perms;
- allow $1 gconf_home_t:fifo_file manage_fifo_file_perms;
- allow $1 gconf_home_t:lnk_file manage_lnk_file_perms;
- allow $1 gconf_home_t:sock_file manage_sock_file_perms;
+ dontaudit $1 cache_home_t:file rw_inherited_file_perms; + dontaudit $1 cache_home_t:file rw_inherited_file_perms;
') ')
######################################## ########################################
## <summary> ## <summary>
-## Search generic gconf home directories. -## Create objects in user home
-## directories with the generic gconf
-## home type.
+## read gnome homedir content (.config) +## read gnome homedir content (.config)
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -496,29 +534,35 @@ interface(`gnome_manage_generic_gconf_home_content',` ## Domain allowed access.
## </summary> ## </summary>
## </param> ## </param>
-## <param name="object_class">
-## <summary>
-## Class of the object being created.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
-## </summary>
-## </param>
# #
-interface(`gnome_search_generic_gconf_home',` -interface(`gnome_home_filetrans_gconf_home',`
+interface(`gnome_read_config',` +interface(`gnome_read_config',`
gen_require(` gen_require(`
- type gconf_home_t; - type gconf_home_t;
+ attribute gnome_home_type; + attribute gnome_home_type;
') ')
- userdom_search_user_home_dirs($1) - userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3)
- allow $1 gconf_home_t:dir search_dir_perms;
+ list_dirs_pattern($1, gnome_home_type, gnome_home_type) + list_dirs_pattern($1, gnome_home_type, gnome_home_type)
+ read_files_pattern($1, gnome_home_type, gnome_home_type) + read_files_pattern($1, gnome_home_type, gnome_home_type)
+ read_lnk_files_pattern($1, gnome_home_type, gnome_home_type) + read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
@ -25345,7 +25384,7 @@ index d03fd43..b000017 100644
######################################## ########################################
## <summary> ## <summary>
-## Create objects in user home -## Create objects in user home
-## directories with the generic gconf -## directories with the generic gnome
-## home type. -## home type.
+## Create objects in a Gnome gconf home directory +## Create objects in a Gnome gconf home directory
+## with an automatic type transition to +## with an automatic type transition to
@ -25368,18 +25407,18 @@ index d03fd43..b000017 100644
## </summary> ## </summary>
## </param> ## </param>
## <param name="name" optional="true"> ## <param name="name" optional="true">
@@ -527,62 +571,125 @@ interface(`gnome_search_generic_gconf_home',` @@ -557,52 +590,76 @@ interface(`gnome_home_filetrans_gconf_home',`
## </summary> ## </summary>
## </param> ## </param>
# #
-interface(`gnome_home_filetrans_gconf_home',` -interface(`gnome_home_filetrans_gnome_home',`
+interface(`gnome_data_filetrans',` +interface(`gnome_data_filetrans',`
gen_require(` gen_require(`
- type gconf_home_t; - type gnome_home_t;
+ type data_home_t; + type data_home_t;
') ')
- userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3) - userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3)
+ filetrans_pattern($1, data_home_t, $2, $3, $4) + filetrans_pattern($1, data_home_t, $2, $3, $4)
+ gnome_search_gconf($1) + gnome_search_gconf($1)
') ')
@ -25387,9 +25426,8 @@ index d03fd43..b000017 100644
-######################################## -########################################
+####################################### +#######################################
## <summary> ## <summary>
-## Create objects in user home -## Create objects in gnome gconf home
-## directories with the generic gnome -## directories with a private type.
-## home type.
+## Read generic data home files. +## Read generic data home files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@ -25397,7 +25435,15 @@ index d03fd43..b000017 100644
## Domain allowed access. ## Domain allowed access.
## </summary> ## </summary>
## </param> ## </param>
-## <param name="private_type">
-## <summary>
-## Private file type.
-## </summary>
-## </param>
-## <param name="object_class"> -## <param name="object_class">
-## <summary>
-## Class of the object being created.
-## </summary>
+# +#
+interface(`gnome_read_generic_data_home_files',` +interface(`gnome_read_generic_data_home_files',`
+ gen_require(` + gen_require(`
@ -25415,7 +25461,8 @@ index d03fd43..b000017 100644
+## <summary> +## <summary>
+## Domain allowed access. +## Domain allowed access.
+## </summary> +## </summary>
+## </param> ## </param>
-## <param name="name" optional="true">
+# +#
+interface(`gnome_read_generic_data_home_dirs',` +interface(`gnome_read_generic_data_home_dirs',`
+ gen_require(` + gen_require(`
@ -25429,30 +25476,6 @@ index d03fd43..b000017 100644
+## <summary> +## <summary>
+## Manage gconf data home files +## Manage gconf data home files
+## </summary> +## </summary>
+## <param name="domain">
## <summary>
-## Class of the object being created.
+## Domain allowed access.
## </summary>
## </param>
-## <param name="name" optional="true">
+#
+interface(`gnome_manage_data',`
+ gen_require(`
+ type data_home_t;
+ type gconf_home_t;
+ ')
+
+ allow $1 gconf_home_t:dir search_dir_perms;
+ manage_dirs_pattern($1, data_home_t, data_home_t)
+ manage_files_pattern($1, data_home_t, data_home_t)
+ manage_lnk_files_pattern($1, data_home_t, data_home_t)
+')
+
+########################################
+## <summary>
+## Read icc data home content.
+## </summary>
+## <param name="domain"> +## <param name="domain">
## <summary> ## <summary>
-## The name of the object being created. -## The name of the object being created.
@ -25460,104 +25483,52 @@ index d03fd43..b000017 100644
## </summary> ## </summary>
## </param> ## </param>
# #
-interface(`gnome_home_filetrans_gnome_home',` -interface(`gnome_gconf_home_filetrans',`
+interface(`gnome_manage_data',`
gen_require(`
+ type data_home_t;
type gconf_home_t;
')
- userdom_search_user_home_dirs($1)
- filetrans_pattern($1, gconf_home_t, $2, $3, $4)
+ allow $1 gconf_home_t:dir search_dir_perms;
+ manage_dirs_pattern($1, data_home_t, data_home_t)
+ manage_files_pattern($1, data_home_t, data_home_t)
+ manage_lnk_files_pattern($1, data_home_t, data_home_t)
')
########################################
## <summary>
-## Read generic gnome keyring home files.
+## Read icc data home content.
## </summary>
## <param name="domain">
## <summary>
@@ -610,93 +667,126 @@ interface(`gnome_gconf_home_filetrans',`
## </summary>
## </param>
#
-interface(`gnome_read_keyring_home_files',`
+interface(`gnome_read_home_icc_data_content',` +interface(`gnome_read_home_icc_data_content',`
gen_require(` gen_require(`
- type gnome_home_t; - type gnome_home_t, gnome_keyring_home_t;
+ type icc_data_home_t, gconf_home_t, data_home_t; + type icc_data_home_t, gconf_home_t, data_home_t;
') ')
- userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3) userdom_search_user_home_dirs($1)
+ userdom_search_user_home_dirs($1) - read_files_pattern($1, { gnome_home_t gnome_keyring_home_t }, gnome_keyring_home_t)
+ allow $1 { gconf_home_t data_home_t }:dir search_dir_perms; + allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
+ list_dirs_pattern($1, icc_data_home_t, icc_data_home_t) + list_dirs_pattern($1, icc_data_home_t, icc_data_home_t)
+ read_files_pattern($1, icc_data_home_t, icc_data_home_t) + read_files_pattern($1, icc_data_home_t, icc_data_home_t)
+ read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t) + read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t)
') ')
########################################
## <summary>
-## Create objects in gnome gconf home
-## directories with a private type.
+## Read inherited icc data home files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="private_type">
+#
+interface(`gnome_read_inherited_home_icc_data_files',`
+ gen_require(`
+ type icc_data_home_t;
+ ')
+
+ allow $1 icc_data_home_t:file read_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Create gconf_home_t objects in the /root directory
+## </summary>
+## <param name="domain">
## <summary>
-## Private file type.
+## Domain allowed access.
## </summary>
## </param>
## <param name="object_class">
## <summary>
-## Class of the object being created.
+## The class of the object to be created.
## </summary>
## </param>
## <param name="name" optional="true">
@@ -591,65 +698,76 @@ interface(`gnome_home_filetrans_gnome_home',`
## </summary>
## </param>
#
-interface(`gnome_gconf_home_filetrans',`
+interface(`gnome_admin_home_gconf_filetrans',`
gen_require(`
type gconf_home_t;
')
- userdom_search_user_home_dirs($1)
- filetrans_pattern($1, gconf_home_t, $2, $3, $4)
+ userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3)
')
########################################
## <summary>
-## Read generic gnome keyring home files.
+## Do not audit attempts to read
+## inherited gconf config files.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`gnome_read_keyring_home_files',`
+interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
gen_require(`
- type gnome_home_t, gnome_keyring_home_t;
+ type gconf_etc_t;
')
- userdom_search_user_home_dirs($1)
- read_files_pattern($1, { gnome_home_t gnome_keyring_home_t }, gnome_keyring_home_t)
+ dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
')
######################################## ########################################
## <summary> ## <summary>
-## Send and receive messages from -## Send and receive messages from
-## gnome keyring daemon over dbus. -## gnome keyring daemon over dbus.
+## read gconf config files +## Read inherited icc data home files.
## </summary> ## </summary>
-## <param name="role_prefix"> -## <param name="role_prefix">
-## <summary> -## <summary>
@ -25572,15 +25543,96 @@ index d03fd43..b000017 100644
## </param> ## </param>
# #
-interface(`gnome_dbus_chat_gkeyringd',` -interface(`gnome_dbus_chat_gkeyringd',`
+interface(`gnome_read_gconf_config',` +interface(`gnome_read_inherited_home_icc_data_files',`
gen_require(` gen_require(`
- type $1_gkeyringd_t; - type $1_gkeyringd_t;
- class dbus send_msg; - class dbus send_msg;
+ type gconf_etc_t; + type icc_data_home_t;
') ')
- allow $2 $1_gkeyringd_t:dbus send_msg; - allow $2 $1_gkeyringd_t:dbus send_msg;
- allow $1_gkeyringd_t $2:dbus send_msg; - allow $1_gkeyringd_t $2:dbus send_msg;
+ allow $1 icc_data_home_t:file read_inherited_file_perms;
')
########################################
## <summary>
-## Send and receive messages from all
-## gnome keyring daemon over dbus.
+## Create gconf_home_t objects in the /root directory
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
-interface(`gnome_dbus_chat_all_gkeyringd',`
+interface(`gnome_admin_home_gconf_filetrans',`
gen_require(`
- attribute gkeyringd_domain;
- class dbus send_msg;
+ type gconf_home_t;
')
- allow $1 gkeyringd_domain:dbus send_msg;
- allow gkeyringd_domain $1:dbus send_msg;
+ userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3)
')
########################################
## <summary>
-## Connect to gnome keyring daemon
-## with a unix stream socket.
+## Do not audit attempts to read
+## inherited gconf config files.
## </summary>
-## <param name="role_prefix">
+## <param name="domain">
## <summary>
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## Domain to not audit.
## </summary>
## </param>
+#
+interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
+ gen_require(`
+ type gconf_etc_t;
+ ')
+
+ dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## read gconf config files
+## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
-interface(`gnome_stream_connect_gkeyringd',`
+interface(`gnome_read_gconf_config',`
gen_require(`
- type $1_gkeyringd_t, gnome_keyring_tmp_t;
+ type gconf_etc_t;
')
- files_search_tmp($2)
- stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t)
+ allow $1 gconf_etc_t:dir list_dir_perms; + allow $1 gconf_etc_t:dir list_dir_perms;
+ read_files_pattern($1, gconf_etc_t, gconf_etc_t) + read_files_pattern($1, gconf_etc_t, gconf_etc_t)
+ files_search_etc($1) + files_search_etc($1)
@ -25607,78 +25659,59 @@ index d03fd43..b000017 100644
######################################## ########################################
## <summary> ## <summary>
-## Send and receive messages from all -## Connect to all gnome keyring daemon
-## gnome keyring daemon over dbus. -## with a unix stream socket.
+## Execute gconf programs in +## Execute gconf programs in
+## in the caller domain. +## in the caller domain.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -657,46 +775,36 @@ interface(`gnome_dbus_chat_gkeyringd',` @@ -704,12 +794,811 @@ interface(`gnome_stream_connect_gkeyringd',`
## </summary>
## </param>
#
-interface(`gnome_dbus_chat_all_gkeyringd',`
+interface(`gnome_exec_gconf',`
gen_require(`
- attribute gkeyringd_domain;
- class dbus send_msg;
+ type gconfd_exec_t;
')
- allow $1 gkeyringd_domain:dbus send_msg;
- allow gkeyringd_domain $1:dbus send_msg;
+ can_exec($1, gconfd_exec_t)
')
########################################
## <summary>
-## Connect to gnome keyring daemon
-## with a unix stream socket.
+## Execute gnome keyringd in the caller domain.
## </summary>
-## <param name="role_prefix">
-## <summary>
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-## </summary>
-## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
-interface(`gnome_stream_connect_gkeyringd',`
+interface(`gnome_exec_keyringd',`
gen_require(`
- type $1_gkeyringd_t, gnome_keyring_tmp_t;
+ type gkeyringd_exec_t;
')
- files_search_tmp($2)
- stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t)
+ can_exec($1, gkeyringd_exec_t)
+ corecmd_search_bin($1)
')
########################################
## <summary>
-## Connect to all gnome keyring daemon
-## with a unix stream socket.
+## Read gconf home files
## </summary>
## <param name="domain">
## <summary>
@@ -704,12 +812,774 @@ interface(`gnome_stream_connect_gkeyringd',`
## </summary> ## </summary>
## </param> ## </param>
# #
-interface(`gnome_stream_connect_all_gkeyringd',` -interface(`gnome_stream_connect_all_gkeyringd',`
+interface(`gnome_read_gconf_home_files',` +interface(`gnome_exec_gconf',`
gen_require(` gen_require(`
- attribute gkeyringd_domain; - attribute gkeyringd_domain;
- type gnome_keyring_tmp_t; - type gnome_keyring_tmp_t;
+ type gconfd_exec_t;
+ ')
+
+ can_exec($1, gconfd_exec_t)
+')
+
+########################################
+## <summary>
+## Execute gnome keyringd in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_exec_keyringd',`
+ gen_require(`
+ type gkeyringd_exec_t;
+ ')
+
+ can_exec($1, gkeyringd_exec_t)
+ corecmd_search_bin($1)
+')
+
+########################################
+## <summary>
+## Read gconf home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_gconf_home_files',`
+ gen_require(`
+ type gconf_home_t; + type gconf_home_t;
+ type data_home_t; + type data_home_t;
+ ') + ')
@ -25705,10 +25738,9 @@ index d03fd43..b000017 100644
+interface(`gnome_search_gkeyringd_tmp_dirs',` +interface(`gnome_search_gkeyringd_tmp_dirs',`
+ gen_require(` + gen_require(`
+ type gkeyringd_tmp_t; + type gkeyringd_tmp_t;
') + ')
+
files_search_tmp($1) + files_search_tmp($1)
- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
+ allow $1 gkeyringd_tmp_t:dir search_dir_perms; + allow $1 gkeyringd_tmp_t:dir search_dir_perms;
+') +')
+ +
@ -25725,9 +25757,10 @@ index d03fd43..b000017 100644
+interface(`gnome_list_gkeyringd_tmp_dirs',` +interface(`gnome_list_gkeyringd_tmp_dirs',`
+ gen_require(` + gen_require(`
+ type gkeyringd_tmp_t; + type gkeyringd_tmp_t;
+ ') ')
+
+ files_search_tmp($1) files_search_tmp($1)
- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
+ allow $1 gkeyringd_tmp_t:dir list_dir_perms; + allow $1 gkeyringd_tmp_t:dir list_dir_perms;
+') +')
+ +
@ -44014,10 +44047,10 @@ index 0000000..7d11148
+') +')
diff --git a/nova.te b/nova.te diff --git a/nova.te b/nova.te
new file mode 100644 new file mode 100644
index 0000000..c3a9a89 index 0000000..061a689
--- /dev/null --- /dev/null
+++ b/nova.te +++ b/nova.te
@@ -0,0 +1,325 @@ @@ -0,0 +1,329 @@
+policy_module(nova, 1.0.0) +policy_module(nova, 1.0.0)
+ +
+######################################## +########################################
@ -44196,6 +44229,10 @@ index 0000000..c3a9a89
+ +
+auth_use_nsswitch(nova_console_t) +auth_use_nsswitch(nova_console_t)
+ +
+optional_policy(`
+ mysql_stream_connect(nova_console_t)
+')
+
+####################################### +#######################################
+# +#
+# nova direct local policy +# nova direct local policy
@ -62034,7 +62071,7 @@ index afc0068..7616aa4 100644
+ ') + ')
') ')
diff --git a/quantum.te b/quantum.te diff --git a/quantum.te b/quantum.te
index 769d1fd..5bbd65f 100644 index 769d1fd..bf3f16f 100644
--- a/quantum.te --- a/quantum.te
+++ b/quantum.te +++ b/quantum.te
@@ -21,6 +21,9 @@ files_tmp_file(quantum_tmp_t) @@ -21,6 +21,9 @@ files_tmp_file(quantum_tmp_t)
@ -62047,11 +62084,12 @@ index 769d1fd..5bbd65f 100644
######################################## ########################################
# #
# Local policy # Local policy
@@ -61,11 +64,12 @@ corenet_tcp_sendrecv_generic_node(quantum_t) @@ -61,11 +64,13 @@ corenet_tcp_sendrecv_generic_node(quantum_t)
corenet_tcp_sendrecv_all_ports(quantum_t) corenet_tcp_sendrecv_all_ports(quantum_t)
corenet_tcp_bind_generic_node(quantum_t) corenet_tcp_bind_generic_node(quantum_t)
+corenet_tcp_bind_quantum_port(quantum_t) +corenet_tcp_bind_quantum_port(quantum_t)
+corenet_tcp_connect_keystone_port(quantum_t)
+corenet_tcp_connect_mysqld_port(quantum_t) +corenet_tcp_connect_mysqld_port(quantum_t)
+ +
dev_list_sysfs(quantum_t) dev_list_sysfs(quantum_t)
@ -62062,7 +62100,7 @@ index 769d1fd..5bbd65f 100644
auth_use_nsswitch(quantum_t) auth_use_nsswitch(quantum_t)
libs_exec_ldconfig(quantum_t) libs_exec_ldconfig(quantum_t)
@@ -73,8 +77,6 @@ libs_exec_ldconfig(quantum_t) @@ -73,8 +78,6 @@ libs_exec_ldconfig(quantum_t)
logging_send_audit_msgs(quantum_t) logging_send_audit_msgs(quantum_t)
logging_send_syslog_msg(quantum_t) logging_send_syslog_msg(quantum_t)
@ -62071,7 +62109,7 @@ index 769d1fd..5bbd65f 100644
sysnet_domtrans_ifconfig(quantum_t) sysnet_domtrans_ifconfig(quantum_t)
optional_policy(` optional_policy(`
@@ -94,3 +96,12 @@ optional_policy(` @@ -94,3 +97,12 @@ optional_policy(`
postgresql_tcp_connect(quantum_t) postgresql_tcp_connect(quantum_t)
') ')
@ -81934,10 +81972,10 @@ index 0000000..bfcd2c7
+') +')
diff --git a/thumb.te b/thumb.te diff --git a/thumb.te b/thumb.te
new file mode 100644 new file mode 100644
index 0000000..797d761 index 0000000..4e9dc5e
--- /dev/null --- /dev/null
+++ b/thumb.te +++ b/thumb.te
@@ -0,0 +1,142 @@ @@ -0,0 +1,143 @@
+policy_module(thumb, 1.0.0) +policy_module(thumb, 1.0.0)
+ +
+######################################## +########################################
@ -82060,6 +82098,7 @@ index 0000000..797d761
+ gnome_manage_gstreamer_home_files(thumb_t) + gnome_manage_gstreamer_home_files(thumb_t)
+ gnome_manage_gstreamer_home_dirs(thumb_t) + gnome_manage_gstreamer_home_dirs(thumb_t)
+ gnome_exec_gstreamer_home_files(thumb_t) + gnome_exec_gstreamer_home_files(thumb_t)
+ gnome_create_generic_cache_dir(thumb_t)
+ gnome_cache_filetrans(thumb_t, thumb_home_t, dir, "thumbnails") + gnome_cache_filetrans(thumb_t, thumb_home_t, dir, "thumbnails")
+ gnome_cache_filetrans(thumb_t, thumb_home_t, file) + gnome_cache_filetrans(thumb_t, thumb_home_t, file)
+') +')
@ -84231,10 +84270,24 @@ index 380902c..75545d6 100644
+ postfix_rw_inherited_master_pipes(uux_t) + postfix_rw_inherited_master_pipes(uux_t)
+') +')
diff --git a/uuidd.if b/uuidd.if diff --git a/uuidd.if b/uuidd.if
index 6e48653..29e3648 100644 index 6e48653..6abf74a 100644
--- a/uuidd.if --- a/uuidd.if
+++ b/uuidd.if +++ b/uuidd.if
@@ -180,6 +180,9 @@ interface(`uuidd_admin',` @@ -148,11 +148,12 @@ interface(`uuidd_read_pid_files',`
#
interface(`uuidd_stream_connect_manager',`
gen_require(`
- type uuidd_t, uuidd_var_run_t;
+ type uuidd_t, uuidd_var_run_t, uuidd_var_lib_t;
')
files_search_pids($1)
stream_connect_pattern($1, uuidd_var_run_t, uuidd_var_run_t, uuidd_t)
+ stream_connect_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t, uuidd_t)
')
########################################
@@ -180,6 +181,9 @@ interface(`uuidd_admin',`
allow $1 uuidd_t:process signal_perms; allow $1 uuidd_t:process signal_perms;
ps_process_pattern($1, uuidd_t) ps_process_pattern($1, uuidd_t)
@ -86320,7 +86373,7 @@ index 9dec06c..fa2c674 100644
+ allow svirt_lxc_domain $1:process sigchld; + allow svirt_lxc_domain $1:process sigchld;
') ')
diff --git a/virt.te b/virt.te diff --git a/virt.te b/virt.te
index 1f22fba..64e638c 100644 index 1f22fba..f42e134 100644
--- a/virt.te --- a/virt.te
+++ b/virt.te +++ b/virt.te
@@ -1,94 +1,98 @@ @@ -1,94 +1,98 @@
@ -86526,7 +86579,7 @@ index 1f22fba..64e638c 100644
ifdef(`enable_mcs',` ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
') ')
@@ -155,251 +165,82 @@ type virt_qmf_exec_t; @@ -155,290 +165,125 @@ type virt_qmf_exec_t;
init_daemon_domain(virt_qmf_t, virt_qmf_exec_t) init_daemon_domain(virt_qmf_t, virt_qmf_exec_t)
type virt_bridgehelper_t; type virt_bridgehelper_t;
@ -86616,9 +86669,7 @@ index 1f22fba..64e638c 100644
-append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
- -
-kernel_read_system_state(virt_domain) -kernel_read_system_state(virt_domain)
+# it was a part of auth_use_nsswitch -
+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
-fs_getattr_xattr_fs(virt_domain) -fs_getattr_xattr_fs(virt_domain)
- -
-corecmd_exec_bin(virt_domain) -corecmd_exec_bin(virt_domain)
@ -86736,17 +86787,15 @@ index 1f22fba..64e638c 100644
- fs_manage_dos_dirs(virt_domain) - fs_manage_dos_dirs(virt_domain)
- fs_manage_dos_files(virt_domain) - fs_manage_dos_files(virt_domain)
-') -')
- +# it was a part of auth_use_nsswitch
+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
-optional_policy(` -optional_policy(`
- tunable_policy(`virt_use_xserver',` - tunable_policy(`virt_use_xserver',`
- xserver_read_xdm_pid(virt_domain) - xserver_read_xdm_pid(virt_domain)
- xserver_stream_connect(virt_domain) - xserver_stream_connect(virt_domain)
- ') - ')
-') -')
-
-optional_policy(`
- dbus_read_lib_files(virt_domain)
-')
+corenet_udp_sendrecv_generic_if(svirt_t) +corenet_udp_sendrecv_generic_if(svirt_t)
+corenet_udp_sendrecv_generic_node(svirt_t) +corenet_udp_sendrecv_generic_node(svirt_t)
+corenet_udp_sendrecv_all_ports(svirt_t) +corenet_udp_sendrecv_all_ports(svirt_t)
@ -86756,20 +86805,24 @@ index 1f22fba..64e638c 100644
+corenet_tcp_connect_all_ports(svirt_t) +corenet_tcp_connect_all_ports(svirt_t)
-optional_policy(` -optional_policy(`
- nscd_use(virt_domain) - dbus_read_lib_files(virt_domain)
-') -')
+miscfiles_read_generic_certs(svirt_t) +miscfiles_read_generic_certs(svirt_t)
optional_policy(` optional_policy(`
- samba_domtrans_smbd(virt_domain) - nscd_use(virt_domain)
+ xen_rw_image_files(svirt_t) + xen_rw_image_files(svirt_t)
') ')
optional_policy(` optional_policy(`
- xen_rw_image_files(virt_domain) - samba_domtrans_smbd(virt_domain)
+ nscd_use(svirt_t) + nscd_use(svirt_t)
') ')
-optional_policy(`
- xen_rw_image_files(virt_domain)
-')
-
-######################################## -########################################
+####################################### +#######################################
# #
@ -86787,11 +86840,11 @@ index 1f22fba..64e638c 100644
-manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
-
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
+allow svirt_tcg_t self:process { execmem execstack }; +allow svirt_tcg_t self:process { execmem execstack };
+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; +allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
-
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
- -
-corenet_udp_sendrecv_generic_if(svirt_t) -corenet_udp_sendrecv_generic_if(svirt_t)
@ -86826,15 +86879,16 @@ index 1f22fba..64e638c 100644
######################################## ########################################
# #
@@ -407,38 +248,42 @@ corenet_tcp_connect_all_ports(svirt_t) # virtd local policy
# #
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice }; -allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
+allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
+allow virtd_t self:capability2 compromise_kernel; +allow virtd_t self:capability2 compromise_kernel;
allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
+ifdef(`hide_broken_symptoms',` +ifdef(`hide_broken_symptoms',`
+ # caused by some bogus kernel code + # caused by some bogus kernel code
+ dontaudit virtd_t self:capability { sys_module sys_ptrace }; + dontaudit virtd_t self:capability { sys_module };
+') +')
+ +
allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };


@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.12.1 Version: 3.12.1
Release: 30%{?dist} Release: 31%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -526,6 +526,15 @@ SELinux Reference policy mls base module.
%endif %endif
%changelog %changelog
* Tue Apr 16 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-31
- Fix description of deny_ptrace boolean
- Remove allow for execmod lib_t for now
- Allow quantum to connect to keystone port
- Allow nova-console to talk with mysql over unix stream socket
- Allow dirsrv to stream connect to uuidd
- thumb_t needs to be able to create ~/.cache if it does not exist
- virtd needs to be able to sys_ptrace when starting and stoping containers
* Mon Apr 15 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-30 * Mon Apr 15 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-30
- Allow alsa_t signal_perms, we probaly should search for any app that can execute something without transition and give it signal_perms... - Allow alsa_t signal_perms, we probaly should search for any app that can execute something without transition and give it signal_perms...
- Add dontaudit for mozilla_plugin_t looking at the xdm_t sockets - Add dontaudit for mozilla_plugin_t looking at the xdm_t sockets