- Add lsmd_plugin_t for lsm plugins

- Allow dovecot-deliver to search mountpoints
- Add labeling for /etc/mdadm.conf
- Allow opelmi admin providers to dbus chat with init_t
- Allow sblim domain to read /dev/urandom and /dev/random
- Add back exec_content boolean for secadm, logadm, auditadm
- Allow sulogin to getattr on /proc/kcore
This commit is contained in:
Miroslav Grepl 2013-11-26 18:41:01 +01:00
parent 04c55cf070
commit d61adff49b
3 changed files with 172 additions and 92 deletions

View File

@ -9405,7 +9405,7 @@ index b876c48..bd5b58c 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index f962f76..eda85f9 100644 index f962f76..7d12144 100644
--- a/policy/modules/kernel/files.if --- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@ @@ -19,6 +19,136 @@
@ -10598,7 +10598,7 @@ index f962f76..eda85f9 100644
') ')
######################################## ########################################
@@ -4217,6 +4848,173 @@ interface(`files_read_world_readable_sockets',` @@ -4217,6 +4848,172 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms; allow $1 readable_t:sock_file read_sock_file_perms;
') ')
@ -10767,12 +10767,11 @@ index f962f76..eda85f9 100644
+ filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db") + filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db")
+ filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db-journal") + filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db-journal")
+') +')
+')
+ +
######################################## ########################################
## <summary> ## <summary>
## Allow the specified type to associate ## Allow the specified type to associate
@@ -4239,6 +5037,26 @@ interface(`files_associate_tmp',` @@ -4239,6 +5036,26 @@ interface(`files_associate_tmp',`
######################################## ########################################
## <summary> ## <summary>
@ -10799,7 +10798,7 @@ index f962f76..eda85f9 100644
## Get the attributes of the tmp directory (/tmp). ## Get the attributes of the tmp directory (/tmp).
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -4252,17 +5070,37 @@ interface(`files_getattr_tmp_dirs',` @@ -4252,17 +5069,37 @@ interface(`files_getattr_tmp_dirs',`
type tmp_t; type tmp_t;
') ')
@ -10838,7 +10837,7 @@ index f962f76..eda85f9 100644
## </summary> ## </summary>
## </param> ## </param>
# #
@@ -4289,6 +5127,7 @@ interface(`files_search_tmp',` @@ -4289,6 +5126,7 @@ interface(`files_search_tmp',`
type tmp_t; type tmp_t;
') ')
@ -10846,7 +10845,7 @@ index f962f76..eda85f9 100644
allow $1 tmp_t:dir search_dir_perms; allow $1 tmp_t:dir search_dir_perms;
') ')
@@ -4325,6 +5164,7 @@ interface(`files_list_tmp',` @@ -4325,6 +5163,7 @@ interface(`files_list_tmp',`
type tmp_t; type tmp_t;
') ')
@ -10854,7 +10853,7 @@ index f962f76..eda85f9 100644
allow $1 tmp_t:dir list_dir_perms; allow $1 tmp_t:dir list_dir_perms;
') ')
@@ -4334,7 +5174,7 @@ interface(`files_list_tmp',` @@ -4334,7 +5173,7 @@ interface(`files_list_tmp',`
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@ -10863,7 +10862,7 @@ index f962f76..eda85f9 100644
## </summary> ## </summary>
## </param> ## </param>
# #
@@ -4346,6 +5186,25 @@ interface(`files_dontaudit_list_tmp',` @@ -4346,6 +5185,25 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms; dontaudit $1 tmp_t:dir list_dir_perms;
') ')
@ -10889,7 +10888,7 @@ index f962f76..eda85f9 100644
######################################## ########################################
## <summary> ## <summary>
## Remove entries from the tmp directory. ## Remove entries from the tmp directory.
@@ -4361,6 +5220,7 @@ interface(`files_delete_tmp_dir_entry',` @@ -4361,6 +5219,7 @@ interface(`files_delete_tmp_dir_entry',`
type tmp_t; type tmp_t;
') ')
@ -10897,7 +10896,7 @@ index f962f76..eda85f9 100644
allow $1 tmp_t:dir del_entry_dir_perms; allow $1 tmp_t:dir del_entry_dir_perms;
') ')
@@ -4402,6 +5262,32 @@ interface(`files_manage_generic_tmp_dirs',` @@ -4402,6 +5261,32 @@ interface(`files_manage_generic_tmp_dirs',`
######################################## ########################################
## <summary> ## <summary>
@ -10930,7 +10929,7 @@ index f962f76..eda85f9 100644
## Manage temporary files and directories in /tmp. ## Manage temporary files and directories in /tmp.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -4456,7 +5342,7 @@ interface(`files_rw_generic_tmp_sockets',` @@ -4456,7 +5341,7 @@ interface(`files_rw_generic_tmp_sockets',`
######################################## ########################################
## <summary> ## <summary>
@ -10939,7 +10938,7 @@ index f962f76..eda85f9 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -4464,17 +5350,17 @@ interface(`files_rw_generic_tmp_sockets',` @@ -4464,17 +5349,17 @@ interface(`files_rw_generic_tmp_sockets',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -10961,7 +10960,7 @@ index f962f76..eda85f9 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -4482,33 +5368,123 @@ interface(`files_setattr_all_tmp_dirs',` @@ -4482,34 +5367,124 @@ interface(`files_setattr_all_tmp_dirs',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -10997,6 +10996,7 @@ index f962f76..eda85f9 100644
') ')
- allow $1 var_t:dir search_dir_perms; - allow $1 var_t:dir search_dir_perms;
- relabel_dirs_pattern($1, tmpfile, tmpfile)
+ allow $1 tmpfile:dir { search_dir_perms setattr }; + allow $1 tmpfile:dir { search_dir_perms setattr };
+') +')
+ +
@ -11091,10 +11091,11 @@ index f962f76..eda85f9 100644
+ ') + ')
+ +
+ allow $1 var_t:dir search_dir_perms; + allow $1 var_t:dir search_dir_perms;
relabel_dirs_pattern($1, tmpfile, tmpfile) + relabel_dirs_pattern($1, tmpfile, tmpfile)
') ')
@@ -4519,7 +5495,7 @@ interface(`files_relabel_all_tmp_dirs',` ########################################
@@ -4519,7 +5494,7 @@ interface(`files_relabel_all_tmp_dirs',`
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@ -11103,7 +11104,7 @@ index f962f76..eda85f9 100644
## </summary> ## </summary>
## </param> ## </param>
# #
@@ -4579,7 +5555,7 @@ interface(`files_relabel_all_tmp_files',` @@ -4579,7 +5554,7 @@ interface(`files_relabel_all_tmp_files',`
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@ -11112,7 +11113,7 @@ index f962f76..eda85f9 100644
## </summary> ## </summary>
## </param> ## </param>
# #
@@ -4611,6 +5587,44 @@ interface(`files_read_all_tmp_files',` @@ -4611,6 +5586,44 @@ interface(`files_read_all_tmp_files',`
######################################## ########################################
## <summary> ## <summary>
@ -11157,7 +11158,7 @@ index f962f76..eda85f9 100644
## Create an object in the tmp directories, with a private ## Create an object in the tmp directories, with a private
## type using a type transition. ## type using a type transition.
## </summary> ## </summary>
@@ -4664,6 +5678,16 @@ interface(`files_purge_tmp',` @@ -4664,6 +5677,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile)
@ -11174,7 +11175,7 @@ index f962f76..eda85f9 100644
') ')
######################################## ########################################
@@ -5241,6 +6265,24 @@ interface(`files_list_var',` @@ -5241,6 +6264,24 @@ interface(`files_list_var',`
######################################## ########################################
## <summary> ## <summary>
@ -11199,7 +11200,7 @@ index f962f76..eda85f9 100644
## Create, read, write, and delete directories ## Create, read, write, and delete directories
## in the /var directory. ## in the /var directory.
## </summary> ## </summary>
@@ -5596,6 +6638,25 @@ interface(`files_read_var_lib_symlinks',` @@ -5596,6 +6637,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
') ')
@ -11225,7 +11226,7 @@ index f962f76..eda85f9 100644
# cjp: the next two interfaces really need to be fixed # cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types. # in some way. They really neeed their own types.
@@ -5641,7 +6702,7 @@ interface(`files_manage_mounttab',` @@ -5641,7 +6701,7 @@ interface(`files_manage_mounttab',`
######################################## ########################################
## <summary> ## <summary>
@ -11234,7 +11235,7 @@ index f962f76..eda85f9 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -5649,12 +6710,13 @@ interface(`files_manage_mounttab',` @@ -5649,12 +6709,13 @@ interface(`files_manage_mounttab',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -11250,7 +11251,7 @@ index f962f76..eda85f9 100644
') ')
######################################## ########################################
@@ -5672,6 +6734,7 @@ interface(`files_search_locks',` @@ -5672,6 +6733,7 @@ interface(`files_search_locks',`
type var_t, var_lock_t; type var_t, var_lock_t;
') ')
@ -11258,7 +11259,7 @@ index f962f76..eda85f9 100644
allow $1 var_lock_t:lnk_file read_lnk_file_perms; allow $1 var_lock_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_lock_t) search_dirs_pattern($1, var_t, var_lock_t)
') ')
@@ -5698,7 +6761,26 @@ interface(`files_dontaudit_search_locks',` @@ -5698,7 +6760,26 @@ interface(`files_dontaudit_search_locks',`
######################################## ########################################
## <summary> ## <summary>
@ -11286,7 +11287,7 @@ index f962f76..eda85f9 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -5706,13 +6788,12 @@ interface(`files_dontaudit_search_locks',` @@ -5706,13 +6787,12 @@ interface(`files_dontaudit_search_locks',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -11303,7 +11304,7 @@ index f962f76..eda85f9 100644
') ')
######################################## ########################################
@@ -5731,7 +6812,7 @@ interface(`files_rw_lock_dirs',` @@ -5731,7 +6811,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t; type var_t, var_lock_t;
') ')
@ -11312,7 +11313,7 @@ index f962f76..eda85f9 100644
rw_dirs_pattern($1, var_t, var_lock_t) rw_dirs_pattern($1, var_t, var_lock_t)
') ')
@@ -5764,7 +6845,6 @@ interface(`files_create_lock_dirs',` @@ -5764,7 +6844,6 @@ interface(`files_create_lock_dirs',`
## Domain allowed access. ## Domain allowed access.
## </summary> ## </summary>
## </param> ## </param>
@ -11320,7 +11321,7 @@ index f962f76..eda85f9 100644
# #
interface(`files_relabel_all_lock_dirs',` interface(`files_relabel_all_lock_dirs',`
gen_require(` gen_require(`
@@ -5779,7 +6859,7 @@ interface(`files_relabel_all_lock_dirs',` @@ -5779,7 +6858,7 @@ interface(`files_relabel_all_lock_dirs',`
######################################## ########################################
## <summary> ## <summary>
@ -11329,7 +11330,7 @@ index f962f76..eda85f9 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -5787,13 +6867,33 @@ interface(`files_relabel_all_lock_dirs',` @@ -5787,13 +6866,33 @@ interface(`files_relabel_all_lock_dirs',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -11364,7 +11365,7 @@ index f962f76..eda85f9 100644
allow $1 var_lock_t:dir list_dir_perms; allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t) getattr_files_pattern($1, var_lock_t, var_lock_t)
') ')
@@ -5809,13 +6909,12 @@ interface(`files_getattr_generic_locks',` @@ -5809,13 +6908,12 @@ interface(`files_getattr_generic_locks',`
## </param> ## </param>
# #
interface(`files_delete_generic_locks',` interface(`files_delete_generic_locks',`
@ -11382,7 +11383,7 @@ index f962f76..eda85f9 100644
') ')
######################################## ########################################
@@ -5834,9 +6933,7 @@ interface(`files_manage_generic_locks',` @@ -5834,9 +6932,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t; type var_t, var_lock_t;
') ')
@ -11393,7 +11394,7 @@ index f962f76..eda85f9 100644
manage_files_pattern($1, var_lock_t, var_lock_t) manage_files_pattern($1, var_lock_t, var_lock_t)
') ')
@@ -5878,8 +6975,7 @@ interface(`files_read_all_locks',` @@ -5878,8 +6974,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t; type var_t, var_lock_t;
') ')
@ -11403,7 +11404,7 @@ index f962f76..eda85f9 100644
allow $1 lockfile:dir list_dir_perms; allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile) read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile)
@@ -5901,8 +6997,7 @@ interface(`files_manage_all_locks',` @@ -5901,8 +6996,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t; type var_t, var_lock_t;
') ')
@ -11413,7 +11414,7 @@ index f962f76..eda85f9 100644
manage_dirs_pattern($1, lockfile, lockfile) manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile)
@@ -5939,8 +7034,7 @@ interface(`files_lock_filetrans',` @@ -5939,8 +7033,7 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t; type var_t, var_lock_t;
') ')
@ -11423,7 +11424,7 @@ index f962f76..eda85f9 100644
filetrans_pattern($1, var_lock_t, $2, $3, $4) filetrans_pattern($1, var_lock_t, $2, $3, $4)
') ')
@@ -5979,7 +7073,7 @@ interface(`files_setattr_pid_dirs',` @@ -5979,7 +7072,7 @@ interface(`files_setattr_pid_dirs',`
type var_run_t; type var_run_t;
') ')
@ -11432,7 +11433,7 @@ index f962f76..eda85f9 100644
allow $1 var_run_t:dir setattr; allow $1 var_run_t:dir setattr;
') ')
@@ -5999,10 +7093,48 @@ interface(`files_search_pids',` @@ -5999,10 +7092,48 @@ interface(`files_search_pids',`
type var_t, var_run_t; type var_t, var_run_t;
') ')
@ -11481,7 +11482,7 @@ index f962f76..eda85f9 100644
######################################## ########################################
## <summary> ## <summary>
## Do not audit attempts to search ## Do not audit attempts to search
@@ -6025,6 +7157,25 @@ interface(`files_dontaudit_search_pids',` @@ -6025,6 +7156,25 @@ interface(`files_dontaudit_search_pids',`
######################################## ########################################
## <summary> ## <summary>
@ -11507,7 +11508,7 @@ index f962f76..eda85f9 100644
## List the contents of the runtime process ## List the contents of the runtime process
## ID directories (/var/run). ## ID directories (/var/run).
## </summary> ## </summary>
@@ -6039,7 +7190,7 @@ interface(`files_list_pids',` @@ -6039,7 +7189,7 @@ interface(`files_list_pids',`
type var_t, var_run_t; type var_t, var_run_t;
') ')
@ -11516,7 +11517,7 @@ index f962f76..eda85f9 100644
list_dirs_pattern($1, var_t, var_run_t) list_dirs_pattern($1, var_t, var_run_t)
') ')
@@ -6058,7 +7209,7 @@ interface(`files_read_generic_pids',` @@ -6058,7 +7208,7 @@ interface(`files_read_generic_pids',`
type var_t, var_run_t; type var_t, var_run_t;
') ')
@ -11525,7 +11526,7 @@ index f962f76..eda85f9 100644
list_dirs_pattern($1, var_t, var_run_t) list_dirs_pattern($1, var_t, var_run_t)
read_files_pattern($1, var_run_t, var_run_t) read_files_pattern($1, var_run_t, var_run_t)
') ')
@@ -6078,7 +7229,7 @@ interface(`files_write_generic_pid_pipes',` @@ -6078,7 +7228,7 @@ interface(`files_write_generic_pid_pipes',`
type var_run_t; type var_run_t;
') ')
@ -11534,7 +11535,7 @@ index f962f76..eda85f9 100644
allow $1 var_run_t:fifo_file write; allow $1 var_run_t:fifo_file write;
') ')
@@ -6140,7 +7291,6 @@ interface(`files_pid_filetrans',` @@ -6140,7 +7290,6 @@ interface(`files_pid_filetrans',`
') ')
allow $1 var_t:dir search_dir_perms; allow $1 var_t:dir search_dir_perms;
@ -11542,7 +11543,7 @@ index f962f76..eda85f9 100644
filetrans_pattern($1, var_run_t, $2, $3, $4) filetrans_pattern($1, var_run_t, $2, $3, $4)
') ')
@@ -6169,7 +7319,7 @@ interface(`files_pid_filetrans_lock_dir',` @@ -6169,7 +7318,7 @@ interface(`files_pid_filetrans_lock_dir',`
######################################## ########################################
## <summary> ## <summary>
@ -11551,7 +11552,7 @@ index f962f76..eda85f9 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -6177,20 +7327,38 @@ interface(`files_pid_filetrans_lock_dir',` @@ -6177,19 +7326,37 @@ interface(`files_pid_filetrans_lock_dir',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -11571,7 +11572,6 @@ index f962f76..eda85f9 100644
######################################## ########################################
## <summary> ## <summary>
-## Do not audit attempts to get the attributes of -## Do not audit attempts to get the attributes of
-## daemon runtime data files.
+## Read and write generic process ID files. +## Read and write generic process ID files.
+## </summary> +## </summary>
+## <param name="domain"> +## <param name="domain">
@ -11593,11 +11593,10 @@ index f962f76..eda85f9 100644
+######################################## +########################################
+## <summary> +## <summary>
+## Do not audit attempts to get the attributes of +## Do not audit attempts to get the attributes of
+## daemon runtime data files. ## daemon runtime data files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> @@ -6249,6 +7416,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
@@ -6249,6 +7417,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
######################################## ########################################
## <summary> ## <summary>
@ -11714,7 +11713,7 @@ index f962f76..eda85f9 100644
## Read all process ID files. ## Read all process ID files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -6261,12 +7539,86 @@ interface(`files_dontaudit_ioctl_all_pids',` @@ -6261,12 +7538,86 @@ interface(`files_dontaudit_ioctl_all_pids',`
interface(`files_read_all_pids',` interface(`files_read_all_pids',`
gen_require(` gen_require(`
attribute pidfile; attribute pidfile;
@ -11803,7 +11802,7 @@ index f962f76..eda85f9 100644
') ')
######################################## ########################################
@@ -6286,8 +7638,8 @@ interface(`files_delete_all_pids',` @@ -6286,8 +7637,8 @@ interface(`files_delete_all_pids',`
type var_t, var_run_t; type var_t, var_run_t;
') ')
@ -11813,7 +11812,7 @@ index f962f76..eda85f9 100644
allow $1 var_run_t:dir rmdir; allow $1 var_run_t:dir rmdir;
allow $1 var_run_t:lnk_file delete_lnk_file_perms; allow $1 var_run_t:lnk_file delete_lnk_file_perms;
delete_files_pattern($1, pidfile, pidfile) delete_files_pattern($1, pidfile, pidfile)
@@ -6311,36 +7663,80 @@ interface(`files_delete_all_pid_dirs',` @@ -6311,36 +7662,80 @@ interface(`files_delete_all_pid_dirs',`
type var_t, var_run_t; type var_t, var_run_t;
') ')
@ -11905,7 +11904,7 @@ index f962f76..eda85f9 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -6348,12 +7744,33 @@ interface(`files_manage_all_pids',` @@ -6348,12 +7743,33 @@ interface(`files_manage_all_pids',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -11942,7 +11941,7 @@ index f962f76..eda85f9 100644
') ')
######################################## ########################################
@@ -6580,3 +7997,492 @@ interface(`files_unconfined',` @@ -6580,3 +7996,492 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type; typeattribute $1 files_unconfined_type;
') ')
@ -30728,7 +30727,7 @@ index 0e3c2a9..ea9bd57 100644
+ userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin") + userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
+') +')
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 446fa99..6f7dc10 100644 index 446fa99..d4b6b3b 100644
--- a/policy/modules/system/locallogin.te --- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te
@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t) @@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
@ -30852,10 +30851,11 @@ index 446fa99..6f7dc10 100644
unconfined_shell_domtrans(local_login_t) unconfined_shell_domtrans(local_login_t)
') ')
@@ -215,37 +211,56 @@ allow sulogin_t self:sem create_sem_perms; @@ -215,37 +211,57 @@ allow sulogin_t self:sem create_sem_perms;
allow sulogin_t self:msgq create_msgq_perms; allow sulogin_t self:msgq create_msgq_perms;
allow sulogin_t self:msg { send receive }; allow sulogin_t self:msg { send receive };
+kernel_getattr_core_if(sulogin_t)
+kernel_read_crypto_sysctls(sulogin_t) +kernel_read_crypto_sysctls(sulogin_t)
kernel_read_system_state(sulogin_t) kernel_read_system_state(sulogin_t)
@ -30911,7 +30911,7 @@ index 446fa99..6f7dc10 100644
init_getpgid(sulogin_t) init_getpgid(sulogin_t)
', ` ', `
allow sulogin_t self:process setexec; allow sulogin_t self:process setexec;
@@ -256,11 +271,3 @@ ifdef(`sulogin_no_pam', ` @@ -256,11 +272,3 @@ ifdef(`sulogin_no_pam', `
selinux_compute_relabel_context(sulogin_t) selinux_compute_relabel_context(sulogin_t)
selinux_compute_user_contexts(sulogin_t) selinux_compute_user_contexts(sulogin_t)
') ')
@ -39704,7 +39704,7 @@ index db75976..65191bd 100644
+ +
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 9dc60c6..35bd5a5 100644 index 9dc60c6..dacbee8 100644
--- a/policy/modules/system/userdomain.if --- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -42543,7 +42543,7 @@ index 9dc60c6..35bd5a5 100644
## Create keys for all user domains. ## Create keys for all user domains.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -3435,4 +4322,1630 @@ interface(`userdom_dbus_send_all_users',` @@ -3435,4 +4322,1646 @@ interface(`userdom_dbus_send_all_users',`
') ')
allow $1 userdomain:dbus send_msg; allow $1 userdomain:dbus send_msg;
@ -44076,6 +44076,22 @@ index 9dc60c6..35bd5a5 100644
+ ubac_constrained($1_t) + ubac_constrained($1_t)
+ +
+ auth_use_nsswitch($1_t) + auth_use_nsswitch($1_t)
+
+ ifelse(`$1',`unconfined',`',`
+ gen_tunable($1_exec_content, true)
+
+ tunable_policy(`$1_exec_content',`
+ userdom_exec_user_tmp_files($1_t)
+ userdom_exec_user_home_content_files($1_t)
+ ')
+ tunable_policy(`$1_exec_content && use_nfs_home_dirs',`
+ fs_exec_nfs_files($1_t)
+ ')
+
+ tunable_policy(`$1_exec_content && use_samba_home_dirs',`
+ fs_exec_cifs_files($1_t)
+ ')
+ ')
+') +')
+ +
+######################################## +########################################

View File

@ -22695,7 +22695,7 @@ index d5badb7..b093baa 100644
+ admin_pattern($1, dovecot_passwd_t) + admin_pattern($1, dovecot_passwd_t)
') ')
diff --git a/dovecot.te b/dovecot.te diff --git a/dovecot.te b/dovecot.te
index 0aabc7e..ec5bd5d 100644 index 0aabc7e..71459e8 100644
--- a/dovecot.te --- a/dovecot.te
+++ b/dovecot.te +++ b/dovecot.te
@@ -7,12 +7,10 @@ policy_module(dovecot, 1.16.1) @@ -7,12 +7,10 @@ policy_module(dovecot, 1.16.1)
@ -23021,7 +23021,7 @@ index 0aabc7e..ec5bd5d 100644
mysql_stream_connect(dovecot_auth_t) mysql_stream_connect(dovecot_auth_t)
mysql_read_config(dovecot_auth_t) mysql_read_config(dovecot_auth_t)
mysql_tcp_connect(dovecot_auth_t) mysql_tcp_connect(dovecot_auth_t)
@@ -277,53 +290,78 @@ optional_policy(` @@ -277,53 +290,79 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -23085,6 +23085,7 @@ index 0aabc7e..ec5bd5d 100644
-logging_search_logs(dovecot_deliver_t) -logging_search_logs(dovecot_deliver_t)
+files_search_tmp(dovecot_deliver_t) +files_search_tmp(dovecot_deliver_t)
+files_dontaudit_getattr_all_dirs(dovecot_deliver_t) +files_dontaudit_getattr_all_dirs(dovecot_deliver_t)
+files_search_all_mountpoints(dovecot_deliver_t)
-tunable_policy(`use_nfs_home_dirs',` -tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(dovecot_deliver_t) - fs_manage_nfs_dirs(dovecot_deliver_t)
@ -23119,7 +23120,7 @@ index 0aabc7e..ec5bd5d 100644
mta_read_queue(dovecot_deliver_t) mta_read_queue(dovecot_deliver_t)
') ')
@@ -332,5 +370,6 @@ optional_policy(` @@ -332,5 +371,6 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -25821,7 +25822,7 @@ index 1e29af1..6c64f55 100644
+ userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git") + userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
+') +')
diff --git a/git.te b/git.te diff --git a/git.te b/git.te
index dc49c71..2609364 100644 index dc49c71..654dbc5 100644
--- a/git.te --- a/git.te
+++ b/git.te +++ b/git.te
@@ -49,14 +49,6 @@ gen_tunable(git_session_users, false) @@ -49,14 +49,6 @@ gen_tunable(git_session_users, false)
@ -25882,7 +25883,17 @@ index dc49c71..2609364 100644
corenet_all_recvfrom_unlabeled(git_system_t) corenet_all_recvfrom_unlabeled(git_system_t)
corenet_all_recvfrom_netlabel(git_system_t) corenet_all_recvfrom_netlabel(git_system_t)
corenet_tcp_sendrecv_generic_if(git_system_t) corenet_tcp_sendrecv_generic_if(git_system_t)
@@ -266,12 +261,9 @@ tunable_policy(`git_cgi_use_nfs',` @@ -176,6 +171,9 @@ logging_send_syslog_msg(git_system_t)
tunable_policy(`git_system_enable_homedirs',`
userdom_search_user_home_dirs(git_system_t)
+ list_dirs_pattern(httpd_git_script_t, git_user_content_t, git_user_content_t)
+ read_files_pattern(git_system_t, git_user_content_t, git_user_content_t)
+
')
tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
@@ -266,12 +264,9 @@ tunable_policy(`git_cgi_use_nfs',`
allow git_daemon self:fifo_file rw_fifo_file_perms; allow git_daemon self:fifo_file rw_fifo_file_perms;
@ -37169,12 +37180,14 @@ index 39d3164..4b1b70c 100644
+ mozilla_plugin_dontaudit_rw_tmp_files(lpr_t) + mozilla_plugin_dontaudit_rw_tmp_files(lpr_t)
') ')
diff --git a/lsm.fc b/lsm.fc diff --git a/lsm.fc b/lsm.fc
index c455730..4b40274 100644 index c455730..6e14667 100644
--- a/lsm.fc --- a/lsm.fc
+++ b/lsm.fc +++ b/lsm.fc
@@ -1,3 +1,5 @@ @@ -1,3 +1,7 @@
/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0) /usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0)
+/usr/bin/.*_lsmplugin -- gen_context(system_u:object_r:lsmd_plugin_exec_t,s0)
+
+/usr/lib/systemd/system/libstoragemgmt.* -- gen_context(system_u:object_r:lsmd_unit_file_t,s0) +/usr/lib/systemd/system/libstoragemgmt.* -- gen_context(system_u:object_r:lsmd_unit_file_t,s0)
+ +
/var/run/lsm(/.*)? gen_context(system_u:object_r:lsmd_var_run_t,s0) /var/run/lsm(/.*)? gen_context(system_u:object_r:lsmd_var_run_t,s0)
@ -37289,26 +37302,55 @@ index d314333..da30c5d 100644
+ ') + ')
') ')
diff --git a/lsm.te b/lsm.te diff --git a/lsm.te b/lsm.te
index 4ec0eea..bc7d239 100644 index 4ec0eea..dc93265 100644
--- a/lsm.te --- a/lsm.te
+++ b/lsm.te +++ b/lsm.te
@@ -12,6 +12,9 @@ init_daemon_domain(lsmd_t, lsmd_exec_t) @@ -12,6 +12,17 @@ init_daemon_domain(lsmd_t, lsmd_exec_t)
type lsmd_var_run_t; type lsmd_var_run_t;
files_pid_file(lsmd_var_run_t) files_pid_file(lsmd_var_run_t)
+type lsmd_unit_file_t; +type lsmd_unit_file_t;
+systemd_unit_file(lsmd_unit_file_t) +systemd_unit_file(lsmd_unit_file_t)
+
+type lsmd_plugin_t;
+type lsmd_plugin_exec_t;
+application_domain(lsmd_plugin_t, lsmd_plugin_exec_t)
+role system_r types lsmd_plugin_t;
+
+type lsmd_plugin_tmp_t;
+files_tmp_file(lsmd_plugin_tmp_t)
+ +
######################################## ########################################
# #
# Local policy # Local policy
@@ -26,4 +29,6 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) @@ -26,4 +37,27 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file }) files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
+corecmd_exec_bin(lsmd_t) +corecmd_exec_bin(lsmd_t)
+ +
logging_send_syslog_msg(lsmd_t) logging_send_syslog_msg(lsmd_t)
+
+########################################
+#
+# Local lsmd plugin policy
+#
+
+domtrans_pattern(lsmd_t, lsmd_plugin_exec_t, lsmd_plugin_t)
+
+allow lsmd_t lsmd_plugin_exec_t:file read_file_perms;
+
+manage_files_pattern(lsmd_plugin_t, lsmd_plugin_tmp_t, lsmd_plugin_tmp_t)
+manage_dirs_pattern(lsmd_plugin_t, lsmd_plugin_tmp_t, lsmd_plugin_tmp_t)
+files_tmp_filetrans(lsmd_plugin_t, lsmd_plugin_tmp_t, { file dir })
+
+kernel_read_system_state(lsmd_plugin_t)
+
+dev_read_urand(lsmd_plugin_t)
+
+corecmd_exec_bin(lsmd_plugin_t)
+
+sysnet_read_config(lsmd_plugin_t)
diff --git a/mailman.fc b/mailman.fc diff --git a/mailman.fc b/mailman.fc
index 995d0a5..3d40d59 100644 index 995d0a5..3d40d59 100644
--- a/mailman.fc --- a/mailman.fc
@ -52958,10 +53000,10 @@ index 0000000..cf03270
+') +')
diff --git a/openshift.te b/openshift.te diff --git a/openshift.te b/openshift.te
new file mode 100644 new file mode 100644
index 0000000..0a6f091 index 0000000..3c4beaf
--- /dev/null --- /dev/null
+++ b/openshift.te +++ b/openshift.te
@@ -0,0 +1,556 @@ @@ -0,0 +1,558 @@
+policy_module(openshift,1.0.0) +policy_module(openshift,1.0.0)
+ +
+gen_require(` +gen_require(`
@ -53104,6 +53146,8 @@ index 0000000..0a6f091
+allow openshift_domain self:shm create_shm_perms; +allow openshift_domain self:shm create_shm_perms;
+allow openshift_domain self:sem create_sem_perms; +allow openshift_domain self:sem create_sem_perms;
+dontaudit openshift_domain self:dir write; +dontaudit openshift_domain self:dir write;
+dontaudit openshift_domain self:rawip_socket create_socket_perms;
+
+dontaudit openshift_t self:unix_stream_socket recvfrom; +dontaudit openshift_t self:unix_stream_socket recvfrom;
+dontaudit openshift_domain self:netlink_tcpdiag_socket create; +dontaudit openshift_domain self:netlink_tcpdiag_socket create;
+dontaudit openshift_domain self:netlink_route_socket nlmsg_write; +dontaudit openshift_domain self:netlink_route_socket nlmsg_write;
@ -55322,10 +55366,10 @@ index 1fb1964..f92c71a 100644
+ virt_rw_svirt_dev(pcscd_t) + virt_rw_svirt_dev(pcscd_t)
+') +')
diff --git a/pegasus.fc b/pegasus.fc diff --git a/pegasus.fc b/pegasus.fc
index dfd46e4..31122bd 100644 index dfd46e4..87bda41 100644
--- a/pegasus.fc --- a/pegasus.fc
+++ b/pegasus.fc +++ b/pegasus.fc
@@ -1,15 +1,26 @@ @@ -1,15 +1,25 @@
-/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) -/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
+ +
+/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) +/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
@ -55349,13 +55393,12 @@ index dfd46e4..31122bd 100644
+/var/lib/openlmi-storage(/.*)? gen_context(system_u:object_r:pegasus_openlmi_storage_lib_t,s0) +/var/lib/openlmi-storage(/.*)? gen_context(system_u:object_r:pegasus_openlmi_storage_lib_t,s0)
-/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) -/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
+#openlmi agents
+/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0) +/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0)
+/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0) +/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
+/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0) +/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0)
+/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0) +/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
+/usr/libexec/pegasus/cmpiLMI_PowerManagement-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0) +/usr/libexec/pegasus/cmpiLMI_PowerManagement-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
+/usr/libexec/pegasus/cmpiLMI_Realmd-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_services_exec_t,s0) +/usr/libexec/pegasus/cmpiLMI_Realmd-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0)
+/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0) +/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0)
+ +
+ +
@ -55461,7 +55504,7 @@ index d2fc677..ded726f 100644
') ')
+ +
diff --git a/pegasus.te b/pegasus.te diff --git a/pegasus.te b/pegasus.te
index 608f454..dfb2fb4 100644 index 608f454..357597f 100644
--- a/pegasus.te --- a/pegasus.te
+++ b/pegasus.te +++ b/pegasus.te
@@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0) @@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
@ -55480,7 +55523,7 @@ index 608f454..dfb2fb4 100644
type pegasus_cache_t; type pegasus_cache_t;
files_type(pegasus_cache_t) files_type(pegasus_cache_t)
@@ -30,20 +29,269 @@ files_type(pegasus_mof_t) @@ -30,20 +29,277 @@ files_type(pegasus_mof_t)
type pegasus_var_run_t; type pegasus_var_run_t;
files_pid_file(pegasus_var_run_t) files_pid_file(pegasus_var_run_t)
@ -55661,6 +55704,14 @@ index 608f454..dfb2fb4 100644
+ +
+optional_policy(` +optional_policy(`
+ dbus_system_bus_client(pegasus_openlmi_admin_t) + dbus_system_bus_client(pegasus_openlmi_admin_t)
+
+ optional_policy(`
+ init_dbus_chat(pegasus_openlmi_admin_t)
+ ')
+')
+
+optional_policy(`
+ sssd_search_lib(pegasus_openlmi_admin_t)
+') +')
+ +
+###################################### +######################################
@ -55755,7 +55806,7 @@ index 608f454..dfb2fb4 100644
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
@@ -54,22 +302,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) @@ -54,22 +310,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@ -55786,7 +55837,7 @@ index 608f454..dfb2fb4 100644
kernel_read_network_state(pegasus_t) kernel_read_network_state(pegasus_t)
kernel_read_kernel_sysctls(pegasus_t) kernel_read_kernel_sysctls(pegasus_t)
@@ -80,27 +328,21 @@ kernel_read_net_sysctls(pegasus_t) @@ -80,27 +336,21 @@ kernel_read_net_sysctls(pegasus_t)
kernel_read_xen_state(pegasus_t) kernel_read_xen_state(pegasus_t)
kernel_write_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t)
@ -55819,7 +55870,7 @@ index 608f454..dfb2fb4 100644
corecmd_exec_bin(pegasus_t) corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t) corecmd_exec_shell(pegasus_t)
@@ -114,9 +356,11 @@ files_getattr_all_dirs(pegasus_t) @@ -114,9 +364,11 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t) auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t) auth_domtrans_chk_passwd(pegasus_t)
@ -55831,7 +55882,7 @@ index 608f454..dfb2fb4 100644
files_list_var_lib(pegasus_t) files_list_var_lib(pegasus_t)
files_read_var_lib_files(pegasus_t) files_read_var_lib_files(pegasus_t)
@@ -128,18 +372,29 @@ init_stream_connect_script(pegasus_t) @@ -128,18 +380,29 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t) logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t) logging_send_syslog_msg(pegasus_t)
@ -55867,7 +55918,7 @@ index 608f454..dfb2fb4 100644
') ')
optional_policy(` optional_policy(`
@@ -151,16 +406,24 @@ optional_policy(` @@ -151,16 +414,24 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -55896,7 +55947,7 @@ index 608f454..dfb2fb4 100644
') ')
optional_policy(` optional_policy(`
@@ -168,7 +431,7 @@ optional_policy(` @@ -168,7 +439,7 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -68584,20 +68635,22 @@ index 6d162e4..889c0ed 100644
userdom_dontaudit_search_user_home_dirs(radvd_t) userdom_dontaudit_search_user_home_dirs(radvd_t)
diff --git a/raid.fc b/raid.fc diff --git a/raid.fc b/raid.fc
index 5806046..5578653 100644 index 5806046..d83ec27 100644
--- a/raid.fc --- a/raid.fc
+++ b/raid.fc +++ b/raid.fc
@@ -3,6 +3,9 @@ @@ -3,6 +3,11 @@
/etc/rc\.d/init\.d/mdmonitor -- gen_context(system_u:object_r:mdadm_initrc_exec_t,s0) /etc/rc\.d/init\.d/mdmonitor -- gen_context(system_u:object_r:mdadm_initrc_exec_t,s0)
+/etc/mdadm\.conf -- gen_context(system_u:object_r:mdadm_conf_t,s0)
+
+/usr/lib/systemd/system/mdmon@.* -- gen_context(system_u:object_r:mdadm_unit_file_t,s0) +/usr/lib/systemd/system/mdmon@.* -- gen_context(system_u:object_r:mdadm_unit_file_t,s0)
+/usr/lib/systemd/system/mdmonitor.* -- gen_context(system_u:object_r:mdadm_unit_file_t,s0) +/usr/lib/systemd/system/mdmonitor.* -- gen_context(system_u:object_r:mdadm_unit_file_t,s0)
+ +
/sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0) /sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0) /sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0) /sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
@@ -16,6 +19,7 @@ @@ -16,6 +21,7 @@
/usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0) /usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/usr/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0) /usr/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/usr/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0) /usr/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
@ -80894,7 +80947,7 @@ index 98c9e0a..df51942 100644
files_search_pids($1) files_search_pids($1)
admin_pattern($1, sblim_var_run_t) admin_pattern($1, sblim_var_run_t)
diff --git a/sblim.te b/sblim.te diff --git a/sblim.te b/sblim.te
index 299756b..947d6b9 100644 index 299756b..1c63069 100644
--- a/sblim.te --- a/sblim.te
+++ b/sblim.te +++ b/sblim.te
@@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0) @@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0)
@ -80931,7 +80984,7 @@ index 299756b..947d6b9 100644
###################################### ######################################
# #
# Common sblim domain local policy # Common sblim domain local policy
@@ -32,11 +39,18 @@ manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t) @@ -32,31 +39,36 @@ manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t) manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t) manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
@ -80953,9 +81006,11 @@ index 299756b..947d6b9 100644
corenet_tcp_sendrecv_generic_if(sblim_domain) corenet_tcp_sendrecv_generic_if(sblim_domain)
corenet_tcp_sendrecv_generic_node(sblim_domain) corenet_tcp_sendrecv_generic_node(sblim_domain)
@@ -44,19 +58,15 @@ corenet_tcp_sendrecv_repository_port(sblim_domain) corenet_tcp_sendrecv_repository_port(sblim_domain)
dev_read_sysfs(sblim_domain) dev_read_sysfs(sblim_domain)
+dev_read_rand(sblim_domain)
+dev_read_urand(sblim_domain)
-logging_send_syslog_msg(sblim_domain) -logging_send_syslog_msg(sblim_domain)
- -
@ -80976,7 +81031,7 @@ index 299756b..947d6b9 100644
allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms; allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
allow sblim_gatherd_t self:unix_stream_socket { accept listen }; allow sblim_gatherd_t self:unix_stream_socket { accept listen };
@@ -84,6 +94,8 @@ storage_raw_read_removable_device(sblim_gatherd_t) @@ -84,6 +96,8 @@ storage_raw_read_removable_device(sblim_gatherd_t)
init_read_utmp(sblim_gatherd_t) init_read_utmp(sblim_gatherd_t)
@ -80985,7 +81040,7 @@ index 299756b..947d6b9 100644
sysnet_dns_name_resolve(sblim_gatherd_t) sysnet_dns_name_resolve(sblim_gatherd_t)
term_getattr_pty_fs(sblim_gatherd_t) term_getattr_pty_fs(sblim_gatherd_t)
@@ -103,8 +115,9 @@ optional_policy(` @@ -103,8 +117,9 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -80996,7 +81051,7 @@ index 299756b..947d6b9 100644
') ')
optional_policy(` optional_policy(`
@@ -117,6 +130,32 @@ optional_policy(` @@ -117,6 +132,32 @@ optional_policy(`
# Reposd local policy # Reposd local policy
# #

View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.13.1 Version: 3.13.1
Release: 6%{?dist} Release: 7%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -575,6 +575,15 @@ SELinux Reference policy mls base module.
%endif %endif
%changelog %changelog
* Tue Nov 26 2013 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-7
- Add lsmd_plugin_t for lsm plugins
- Allow dovecot-deliver to search mountpoints
- Add labeling for /etc/mdadm.conf
- Allow opelmi admin providers to dbus chat with init_t
- Allow sblim domain to read /dev/urandom and /dev/random
- Add back exec_content boolean for secadm, logadm, auditadm
- Allow sulogin to getattr on /proc/kcore
* Tue Nov 26 2013 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-6 * Tue Nov 26 2013 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-6
- Add filename transition also for servicelog.db-journal - Add filename transition also for servicelog.db-journal
- Add files_dontaudit_access_check_root() - Add files_dontaudit_access_check_root()