- Add lsmd_plugin_t for lsm plugins
- Allow dovecot-deliver to search mountpoints - Add labeling for /etc/mdadm.conf - Allow openlmi admin providers to dbus chat with init_t - Allow sblim domain to read /dev/urandom and /dev/random - Add back exec_content boolean for secadm, logadm, auditadm - Allow sulogin to getattr on /proc/kcore
parent
04c55cf070
commit
d61adff49b
@ -9405,7 +9405,7 @@ index b876c48..bd5b58c 100644
|
|||||||
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
|
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
|
||||||
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||||
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
|
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
|
||||||
index f962f76..eda85f9 100644
|
index f962f76..7d12144 100644
|
||||||
--- a/policy/modules/kernel/files.if
|
--- a/policy/modules/kernel/files.if
|
||||||
+++ b/policy/modules/kernel/files.if
|
+++ b/policy/modules/kernel/files.if
|
||||||
@@ -19,6 +19,136 @@
|
@@ -19,6 +19,136 @@
|
||||||
@ -10598,7 +10598,7 @@ index f962f76..eda85f9 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -4217,6 +4848,173 @@ interface(`files_read_world_readable_sockets',`
|
@@ -4217,6 +4848,172 @@ interface(`files_read_world_readable_sockets',`
|
||||||
allow $1 readable_t:sock_file read_sock_file_perms;
|
allow $1 readable_t:sock_file read_sock_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -10767,12 +10767,11 @@ index f962f76..eda85f9 100644
|
|||||||
+ filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db")
|
+ filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db")
|
||||||
+ filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db-journal")
|
+ filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db-journal")
|
||||||
+')
|
+')
|
||||||
+')
|
|
||||||
+
|
+
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Allow the specified type to associate
|
## Allow the specified type to associate
|
||||||
@@ -4239,6 +5037,26 @@ interface(`files_associate_tmp',`
|
@@ -4239,6 +5036,26 @@ interface(`files_associate_tmp',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -10799,7 +10798,7 @@ index f962f76..eda85f9 100644
|
|||||||
## Get the attributes of the tmp directory (/tmp).
|
## Get the attributes of the tmp directory (/tmp).
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -4252,17 +5070,37 @@ interface(`files_getattr_tmp_dirs',`
|
@@ -4252,17 +5069,37 @@ interface(`files_getattr_tmp_dirs',`
|
||||||
type tmp_t;
|
type tmp_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -10838,7 +10837,7 @@ index f962f76..eda85f9 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@@ -4289,6 +5127,7 @@ interface(`files_search_tmp',`
|
@@ -4289,6 +5126,7 @@ interface(`files_search_tmp',`
|
||||||
type tmp_t;
|
type tmp_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -10846,7 +10845,7 @@ index f962f76..eda85f9 100644
|
|||||||
allow $1 tmp_t:dir search_dir_perms;
|
allow $1 tmp_t:dir search_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -4325,6 +5164,7 @@ interface(`files_list_tmp',`
|
@@ -4325,6 +5163,7 @@ interface(`files_list_tmp',`
|
||||||
type tmp_t;
|
type tmp_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -10854,7 +10853,7 @@ index f962f76..eda85f9 100644
|
|||||||
allow $1 tmp_t:dir list_dir_perms;
|
allow $1 tmp_t:dir list_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -4334,7 +5174,7 @@ interface(`files_list_tmp',`
|
@@ -4334,7 +5173,7 @@ interface(`files_list_tmp',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -10863,7 +10862,7 @@ index f962f76..eda85f9 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@@ -4346,6 +5186,25 @@ interface(`files_dontaudit_list_tmp',`
|
@@ -4346,6 +5185,25 @@ interface(`files_dontaudit_list_tmp',`
|
||||||
dontaudit $1 tmp_t:dir list_dir_perms;
|
dontaudit $1 tmp_t:dir list_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -10889,7 +10888,7 @@ index f962f76..eda85f9 100644
|
|||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Remove entries from the tmp directory.
|
## Remove entries from the tmp directory.
|
||||||
@@ -4361,6 +5220,7 @@ interface(`files_delete_tmp_dir_entry',`
|
@@ -4361,6 +5219,7 @@ interface(`files_delete_tmp_dir_entry',`
|
||||||
type tmp_t;
|
type tmp_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -10897,7 +10896,7 @@ index f962f76..eda85f9 100644
|
|||||||
allow $1 tmp_t:dir del_entry_dir_perms;
|
allow $1 tmp_t:dir del_entry_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -4402,6 +5262,32 @@ interface(`files_manage_generic_tmp_dirs',`
|
@@ -4402,6 +5261,32 @@ interface(`files_manage_generic_tmp_dirs',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -10930,7 +10929,7 @@ index f962f76..eda85f9 100644
|
|||||||
## Manage temporary files and directories in /tmp.
|
## Manage temporary files and directories in /tmp.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -4456,7 +5342,7 @@ interface(`files_rw_generic_tmp_sockets',`
|
@@ -4456,7 +5341,7 @@ interface(`files_rw_generic_tmp_sockets',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -10939,7 +10938,7 @@ index f962f76..eda85f9 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -4464,17 +5350,17 @@ interface(`files_rw_generic_tmp_sockets',`
|
@@ -4464,17 +5349,17 @@ interface(`files_rw_generic_tmp_sockets',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -10961,7 +10960,7 @@ index f962f76..eda85f9 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -4482,33 +5368,123 @@ interface(`files_setattr_all_tmp_dirs',`
|
@@ -4482,34 +5367,124 @@ interface(`files_setattr_all_tmp_dirs',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -10997,6 +10996,7 @@ index f962f76..eda85f9 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
- allow $1 var_t:dir search_dir_perms;
|
- allow $1 var_t:dir search_dir_perms;
|
||||||
|
- relabel_dirs_pattern($1, tmpfile, tmpfile)
|
||||||
+ allow $1 tmpfile:dir { search_dir_perms setattr };
|
+ allow $1 tmpfile:dir { search_dir_perms setattr };
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
@ -11091,10 +11091,11 @@ index f962f76..eda85f9 100644
|
|||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ allow $1 var_t:dir search_dir_perms;
|
+ allow $1 var_t:dir search_dir_perms;
|
||||||
relabel_dirs_pattern($1, tmpfile, tmpfile)
|
+ relabel_dirs_pattern($1, tmpfile, tmpfile)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -4519,7 +5495,7 @@ interface(`files_relabel_all_tmp_dirs',`
|
########################################
|
||||||
|
@@ -4519,7 +5494,7 @@ interface(`files_relabel_all_tmp_dirs',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -11103,7 +11104,7 @@ index f962f76..eda85f9 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@@ -4579,7 +5555,7 @@ interface(`files_relabel_all_tmp_files',`
|
@@ -4579,7 +5554,7 @@ interface(`files_relabel_all_tmp_files',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -11112,7 +11113,7 @@ index f962f76..eda85f9 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@@ -4611,6 +5587,44 @@ interface(`files_read_all_tmp_files',`
|
@@ -4611,6 +5586,44 @@ interface(`files_read_all_tmp_files',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -11157,7 +11158,7 @@ index f962f76..eda85f9 100644
|
|||||||
## Create an object in the tmp directories, with a private
|
## Create an object in the tmp directories, with a private
|
||||||
## type using a type transition.
|
## type using a type transition.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -4664,6 +5678,16 @@ interface(`files_purge_tmp',`
|
@@ -4664,6 +5677,16 @@ interface(`files_purge_tmp',`
|
||||||
delete_lnk_files_pattern($1, tmpfile, tmpfile)
|
delete_lnk_files_pattern($1, tmpfile, tmpfile)
|
||||||
delete_fifo_files_pattern($1, tmpfile, tmpfile)
|
delete_fifo_files_pattern($1, tmpfile, tmpfile)
|
||||||
delete_sock_files_pattern($1, tmpfile, tmpfile)
|
delete_sock_files_pattern($1, tmpfile, tmpfile)
|
||||||
@ -11174,7 +11175,7 @@ index f962f76..eda85f9 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -5241,6 +6265,24 @@ interface(`files_list_var',`
|
@@ -5241,6 +6264,24 @@ interface(`files_list_var',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -11199,7 +11200,7 @@ index f962f76..eda85f9 100644
|
|||||||
## Create, read, write, and delete directories
|
## Create, read, write, and delete directories
|
||||||
## in the /var directory.
|
## in the /var directory.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -5596,6 +6638,25 @@ interface(`files_read_var_lib_symlinks',`
|
@@ -5596,6 +6637,25 @@ interface(`files_read_var_lib_symlinks',`
|
||||||
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
|
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -11225,7 +11226,7 @@ index f962f76..eda85f9 100644
|
|||||||
# cjp: the next two interfaces really need to be fixed
|
# cjp: the next two interfaces really need to be fixed
|
||||||
# in some way. They really neeed their own types.
|
# in some way. They really neeed their own types.
|
||||||
|
|
||||||
@@ -5641,7 +6702,7 @@ interface(`files_manage_mounttab',`
|
@@ -5641,7 +6701,7 @@ interface(`files_manage_mounttab',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -11234,7 +11235,7 @@ index f962f76..eda85f9 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -5649,12 +6710,13 @@ interface(`files_manage_mounttab',`
|
@@ -5649,12 +6709,13 @@ interface(`files_manage_mounttab',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -11250,7 +11251,7 @@ index f962f76..eda85f9 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -5672,6 +6734,7 @@ interface(`files_search_locks',`
|
@@ -5672,6 +6733,7 @@ interface(`files_search_locks',`
|
||||||
type var_t, var_lock_t;
|
type var_t, var_lock_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -11258,7 +11259,7 @@ index f962f76..eda85f9 100644
|
|||||||
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
|
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
|
||||||
search_dirs_pattern($1, var_t, var_lock_t)
|
search_dirs_pattern($1, var_t, var_lock_t)
|
||||||
')
|
')
|
||||||
@@ -5698,7 +6761,26 @@ interface(`files_dontaudit_search_locks',`
|
@@ -5698,7 +6760,26 @@ interface(`files_dontaudit_search_locks',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -11286,7 +11287,7 @@ index f962f76..eda85f9 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -5706,13 +6788,12 @@ interface(`files_dontaudit_search_locks',`
|
@@ -5706,13 +6787,12 @@ interface(`files_dontaudit_search_locks',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -11303,7 +11304,7 @@ index f962f76..eda85f9 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -5731,7 +6812,7 @@ interface(`files_rw_lock_dirs',`
|
@@ -5731,7 +6811,7 @@ interface(`files_rw_lock_dirs',`
|
||||||
type var_t, var_lock_t;
|
type var_t, var_lock_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -11312,7 +11313,7 @@ index f962f76..eda85f9 100644
|
|||||||
rw_dirs_pattern($1, var_t, var_lock_t)
|
rw_dirs_pattern($1, var_t, var_lock_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -5764,7 +6845,6 @@ interface(`files_create_lock_dirs',`
|
@@ -5764,7 +6844,6 @@ interface(`files_create_lock_dirs',`
|
||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
@ -11320,7 +11321,7 @@ index f962f76..eda85f9 100644
|
|||||||
#
|
#
|
||||||
interface(`files_relabel_all_lock_dirs',`
|
interface(`files_relabel_all_lock_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@@ -5779,7 +6859,7 @@ interface(`files_relabel_all_lock_dirs',`
|
@@ -5779,7 +6858,7 @@ interface(`files_relabel_all_lock_dirs',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -11329,7 +11330,7 @@ index f962f76..eda85f9 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -5787,13 +6867,33 @@ interface(`files_relabel_all_lock_dirs',`
|
@@ -5787,13 +6866,33 @@ interface(`files_relabel_all_lock_dirs',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -11364,7 +11365,7 @@ index f962f76..eda85f9 100644
|
|||||||
allow $1 var_lock_t:dir list_dir_perms;
|
allow $1 var_lock_t:dir list_dir_perms;
|
||||||
getattr_files_pattern($1, var_lock_t, var_lock_t)
|
getattr_files_pattern($1, var_lock_t, var_lock_t)
|
||||||
')
|
')
|
||||||
@@ -5809,13 +6909,12 @@ interface(`files_getattr_generic_locks',`
|
@@ -5809,13 +6908,12 @@ interface(`files_getattr_generic_locks',`
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`files_delete_generic_locks',`
|
interface(`files_delete_generic_locks',`
|
||||||
@ -11382,7 +11383,7 @@ index f962f76..eda85f9 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -5834,9 +6933,7 @@ interface(`files_manage_generic_locks',`
|
@@ -5834,9 +6932,7 @@ interface(`files_manage_generic_locks',`
|
||||||
type var_t, var_lock_t;
|
type var_t, var_lock_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -11393,7 +11394,7 @@ index f962f76..eda85f9 100644
|
|||||||
manage_files_pattern($1, var_lock_t, var_lock_t)
|
manage_files_pattern($1, var_lock_t, var_lock_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -5878,8 +6975,7 @@ interface(`files_read_all_locks',`
|
@@ -5878,8 +6974,7 @@ interface(`files_read_all_locks',`
|
||||||
type var_t, var_lock_t;
|
type var_t, var_lock_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -11403,7 +11404,7 @@ index f962f76..eda85f9 100644
|
|||||||
allow $1 lockfile:dir list_dir_perms;
|
allow $1 lockfile:dir list_dir_perms;
|
||||||
read_files_pattern($1, lockfile, lockfile)
|
read_files_pattern($1, lockfile, lockfile)
|
||||||
read_lnk_files_pattern($1, lockfile, lockfile)
|
read_lnk_files_pattern($1, lockfile, lockfile)
|
||||||
@@ -5901,8 +6997,7 @@ interface(`files_manage_all_locks',`
|
@@ -5901,8 +6996,7 @@ interface(`files_manage_all_locks',`
|
||||||
type var_t, var_lock_t;
|
type var_t, var_lock_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -11413,7 +11414,7 @@ index f962f76..eda85f9 100644
|
|||||||
manage_dirs_pattern($1, lockfile, lockfile)
|
manage_dirs_pattern($1, lockfile, lockfile)
|
||||||
manage_files_pattern($1, lockfile, lockfile)
|
manage_files_pattern($1, lockfile, lockfile)
|
||||||
manage_lnk_files_pattern($1, lockfile, lockfile)
|
manage_lnk_files_pattern($1, lockfile, lockfile)
|
||||||
@@ -5939,8 +7034,7 @@ interface(`files_lock_filetrans',`
|
@@ -5939,8 +7033,7 @@ interface(`files_lock_filetrans',`
|
||||||
type var_t, var_lock_t;
|
type var_t, var_lock_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -11423,7 +11424,7 @@ index f962f76..eda85f9 100644
|
|||||||
filetrans_pattern($1, var_lock_t, $2, $3, $4)
|
filetrans_pattern($1, var_lock_t, $2, $3, $4)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -5979,7 +7073,7 @@ interface(`files_setattr_pid_dirs',`
|
@@ -5979,7 +7072,7 @@ interface(`files_setattr_pid_dirs',`
|
||||||
type var_run_t;
|
type var_run_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -11432,7 +11433,7 @@ index f962f76..eda85f9 100644
|
|||||||
allow $1 var_run_t:dir setattr;
|
allow $1 var_run_t:dir setattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -5999,10 +7093,48 @@ interface(`files_search_pids',`
|
@@ -5999,10 +7092,48 @@ interface(`files_search_pids',`
|
||||||
type var_t, var_run_t;
|
type var_t, var_run_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -11481,7 +11482,7 @@ index f962f76..eda85f9 100644
|
|||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Do not audit attempts to search
|
## Do not audit attempts to search
|
||||||
@@ -6025,6 +7157,25 @@ interface(`files_dontaudit_search_pids',`
|
@@ -6025,6 +7156,25 @@ interface(`files_dontaudit_search_pids',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -11507,7 +11508,7 @@ index f962f76..eda85f9 100644
|
|||||||
## List the contents of the runtime process
|
## List the contents of the runtime process
|
||||||
## ID directories (/var/run).
|
## ID directories (/var/run).
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -6039,7 +7190,7 @@ interface(`files_list_pids',`
|
@@ -6039,7 +7189,7 @@ interface(`files_list_pids',`
|
||||||
type var_t, var_run_t;
|
type var_t, var_run_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -11516,7 +11517,7 @@ index f962f76..eda85f9 100644
|
|||||||
list_dirs_pattern($1, var_t, var_run_t)
|
list_dirs_pattern($1, var_t, var_run_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -6058,7 +7209,7 @@ interface(`files_read_generic_pids',`
|
@@ -6058,7 +7208,7 @@ interface(`files_read_generic_pids',`
|
||||||
type var_t, var_run_t;
|
type var_t, var_run_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -11525,7 +11526,7 @@ index f962f76..eda85f9 100644
|
|||||||
list_dirs_pattern($1, var_t, var_run_t)
|
list_dirs_pattern($1, var_t, var_run_t)
|
||||||
read_files_pattern($1, var_run_t, var_run_t)
|
read_files_pattern($1, var_run_t, var_run_t)
|
||||||
')
|
')
|
||||||
@@ -6078,7 +7229,7 @@ interface(`files_write_generic_pid_pipes',`
|
@@ -6078,7 +7228,7 @@ interface(`files_write_generic_pid_pipes',`
|
||||||
type var_run_t;
|
type var_run_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -11534,7 +11535,7 @@ index f962f76..eda85f9 100644
|
|||||||
allow $1 var_run_t:fifo_file write;
|
allow $1 var_run_t:fifo_file write;
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -6140,7 +7291,6 @@ interface(`files_pid_filetrans',`
|
@@ -6140,7 +7290,6 @@ interface(`files_pid_filetrans',`
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 var_t:dir search_dir_perms;
|
allow $1 var_t:dir search_dir_perms;
|
||||||
@ -11542,7 +11543,7 @@ index f962f76..eda85f9 100644
|
|||||||
filetrans_pattern($1, var_run_t, $2, $3, $4)
|
filetrans_pattern($1, var_run_t, $2, $3, $4)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -6169,7 +7319,7 @@ interface(`files_pid_filetrans_lock_dir',`
|
@@ -6169,7 +7318,7 @@ interface(`files_pid_filetrans_lock_dir',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -11551,7 +11552,7 @@ index f962f76..eda85f9 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -6177,20 +7327,38 @@ interface(`files_pid_filetrans_lock_dir',`
|
@@ -6177,19 +7326,37 @@ interface(`files_pid_filetrans_lock_dir',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -11571,7 +11572,6 @@ index f962f76..eda85f9 100644
|
|||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
-## Do not audit attempts to get the attributes of
|
-## Do not audit attempts to get the attributes of
|
||||||
-## daemon runtime data files.
|
|
||||||
+## Read and write generic process ID files.
|
+## Read and write generic process ID files.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
@ -11593,11 +11593,10 @@ index f962f76..eda85f9 100644
|
|||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Do not audit attempts to get the attributes of
|
+## Do not audit attempts to get the attributes of
|
||||||
+## daemon runtime data files.
|
## daemon runtime data files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
@@ -6249,6 +7416,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
|
||||||
@@ -6249,6 +7417,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -11714,7 +11713,7 @@ index f962f76..eda85f9 100644
|
|||||||
## Read all process ID files.
|
## Read all process ID files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -6261,12 +7539,86 @@ interface(`files_dontaudit_ioctl_all_pids',`
|
@@ -6261,12 +7538,86 @@ interface(`files_dontaudit_ioctl_all_pids',`
|
||||||
interface(`files_read_all_pids',`
|
interface(`files_read_all_pids',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute pidfile;
|
attribute pidfile;
|
||||||
@ -11803,7 +11802,7 @@ index f962f76..eda85f9 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -6286,8 +7638,8 @@ interface(`files_delete_all_pids',`
|
@@ -6286,8 +7637,8 @@ interface(`files_delete_all_pids',`
|
||||||
type var_t, var_run_t;
|
type var_t, var_run_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -11813,7 +11812,7 @@ index f962f76..eda85f9 100644
|
|||||||
allow $1 var_run_t:dir rmdir;
|
allow $1 var_run_t:dir rmdir;
|
||||||
allow $1 var_run_t:lnk_file delete_lnk_file_perms;
|
allow $1 var_run_t:lnk_file delete_lnk_file_perms;
|
||||||
delete_files_pattern($1, pidfile, pidfile)
|
delete_files_pattern($1, pidfile, pidfile)
|
||||||
@@ -6311,36 +7663,80 @@ interface(`files_delete_all_pid_dirs',`
|
@@ -6311,36 +7662,80 @@ interface(`files_delete_all_pid_dirs',`
|
||||||
type var_t, var_run_t;
|
type var_t, var_run_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -11905,7 +11904,7 @@ index f962f76..eda85f9 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -6348,12 +7744,33 @@ interface(`files_manage_all_pids',`
|
@@ -6348,12 +7743,33 @@ interface(`files_manage_all_pids',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -11942,7 +11941,7 @@ index f962f76..eda85f9 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -6580,3 +7997,492 @@ interface(`files_unconfined',`
|
@@ -6580,3 +7996,492 @@ interface(`files_unconfined',`
|
||||||
|
|
||||||
typeattribute $1 files_unconfined_type;
|
typeattribute $1 files_unconfined_type;
|
||||||
')
|
')
|
||||||
@ -30728,7 +30727,7 @@ index 0e3c2a9..ea9bd57 100644
|
|||||||
+ userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
|
+ userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
|
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
|
||||||
index 446fa99..6f7dc10 100644
|
index 446fa99..d4b6b3b 100644
|
||||||
--- a/policy/modules/system/locallogin.te
|
--- a/policy/modules/system/locallogin.te
|
||||||
+++ b/policy/modules/system/locallogin.te
|
+++ b/policy/modules/system/locallogin.te
|
||||||
@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
|
@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
|
||||||
@ -30852,10 +30851,11 @@ index 446fa99..6f7dc10 100644
|
|||||||
unconfined_shell_domtrans(local_login_t)
|
unconfined_shell_domtrans(local_login_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -215,37 +211,56 @@ allow sulogin_t self:sem create_sem_perms;
|
@@ -215,37 +211,57 @@ allow sulogin_t self:sem create_sem_perms;
|
||||||
allow sulogin_t self:msgq create_msgq_perms;
|
allow sulogin_t self:msgq create_msgq_perms;
|
||||||
allow sulogin_t self:msg { send receive };
|
allow sulogin_t self:msg { send receive };
|
||||||
|
|
||||||
|
+kernel_getattr_core_if(sulogin_t)
|
||||||
+kernel_read_crypto_sysctls(sulogin_t)
|
+kernel_read_crypto_sysctls(sulogin_t)
|
||||||
kernel_read_system_state(sulogin_t)
|
kernel_read_system_state(sulogin_t)
|
||||||
|
|
||||||
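Review bot: `kernel_getattr_core_if(sulogin_t)` is an unconditional allow of getattr on the kernel core interface, added next to `kernel_read_crypto_sysctls(sulogin_t)`, and nothing in the hunk records which denial motivated it. If the denial came from sulogin merely stat()ing entries while traversing /proc rather than from a real need, `kernel_dontaudit_getattr_core_if(sulogin_t)` (where this tree provides it) would keep the audit log quiet without widening sulogin_t's reach. Attribute access on kcore is low impact on its own, but the rule applies in every sulogin configuration, including the `sulogin_no_pam` branch further down in this file, so a one-line comment naming the trigger would help the next reviewer, e.g. `# getattr on /proc/kcore observed during <describe trigger>`. The surrounding rules are file-level statements, not part of a block.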
@ -30911,7 +30911,7 @@ index 446fa99..6f7dc10 100644
|
|||||||
init_getpgid(sulogin_t)
|
init_getpgid(sulogin_t)
|
||||||
', `
|
', `
|
||||||
allow sulogin_t self:process setexec;
|
allow sulogin_t self:process setexec;
|
||||||
@@ -256,11 +271,3 @@ ifdef(`sulogin_no_pam', `
|
@@ -256,11 +272,3 @@ ifdef(`sulogin_no_pam', `
|
||||||
selinux_compute_relabel_context(sulogin_t)
|
selinux_compute_relabel_context(sulogin_t)
|
||||||
selinux_compute_user_contexts(sulogin_t)
|
selinux_compute_user_contexts(sulogin_t)
|
||||||
')
|
')
|
||||||
@ -39704,7 +39704,7 @@ index db75976..65191bd 100644
|
|||||||
+
|
+
|
||||||
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
|
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
|
||||||
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
|
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
|
||||||
index 9dc60c6..35bd5a5 100644
|
index 9dc60c6..dacbee8 100644
|
||||||
--- a/policy/modules/system/userdomain.if
|
--- a/policy/modules/system/userdomain.if
|
||||||
+++ b/policy/modules/system/userdomain.if
|
+++ b/policy/modules/system/userdomain.if
|
||||||
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
|
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
|
||||||
@ -42543,7 +42543,7 @@ index 9dc60c6..35bd5a5 100644
|
|||||||
## Create keys for all user domains.
|
## Create keys for all user domains.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -3435,4 +4322,1630 @@ interface(`userdom_dbus_send_all_users',`
|
@@ -3435,4 +4322,1646 @@ interface(`userdom_dbus_send_all_users',`
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 userdomain:dbus send_msg;
|
allow $1 userdomain:dbus send_msg;
|
||||||
@ -44076,6 +44076,22 @@ index 9dc60c6..35bd5a5 100644
|
|||||||
+ ubac_constrained($1_t)
|
+ ubac_constrained($1_t)
|
||||||
+
|
+
|
||||||
+ auth_use_nsswitch($1_t)
|
+ auth_use_nsswitch($1_t)
|
||||||
|
+
|
||||||
|
+ ifelse(`$1',`unconfined',`',`
|
||||||
|
+ gen_tunable($1_exec_content, true)
|
||||||
|
+
|
||||||
|
+ tunable_policy(`$1_exec_content',`
|
||||||
|
+ userdom_exec_user_tmp_files($1_t)
|
||||||
|
+ userdom_exec_user_home_content_files($1_t)
|
||||||
|
+ ')
|
||||||
|
+ tunable_policy(`$1_exec_content && use_nfs_home_dirs',`
|
||||||
|
+ fs_exec_nfs_files($1_t)
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ tunable_policy(`$1_exec_content && use_samba_home_dirs',`
|
||||||
|
+ fs_exec_cifs_files($1_t)
|
||||||
|
+ ')
|
||||||
|
+ ')
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
|
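Review bot: `gen_tunable($1_exec_content, true)` is added without the `## <desc>` block that documents tunables elsewhere in this policy, and its default of true means the execute rights in the `tunable_policy` bodies beneath it (user tmp files, user home content, and NFS/CIFS home files under the matching `use_nfs_home_dirs`/`use_samba_home_dirs` tunables) are on unless an administrator turns them off. Precede the `gen_tunable` line with a description comment in the usual `## <desc><p>…</p></desc>` form stating what the boolean controls, for example the summary line `## Allow $1 users to execute files in their home directories and /tmp.`, so the generated boolean appears documented in the policy XML. Whether true is the right default for the admin roles the commit message names (secadm, logadm, auditadm) is a policy decision, but it should be stated explicitly in that comment or in the commit description rather than left implicit. The enclosing template starts outside this hunk.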
@ -22695,7 +22695,7 @@ index d5badb7..b093baa 100644
|
|||||||
+ admin_pattern($1, dovecot_passwd_t)
|
+ admin_pattern($1, dovecot_passwd_t)
|
||||||
')
|
')
|
||||||
diff --git a/dovecot.te b/dovecot.te
|
diff --git a/dovecot.te b/dovecot.te
|
||||||
index 0aabc7e..ec5bd5d 100644
|
index 0aabc7e..71459e8 100644
|
||||||
--- a/dovecot.te
|
--- a/dovecot.te
|
||||||
+++ b/dovecot.te
|
+++ b/dovecot.te
|
||||||
@@ -7,12 +7,10 @@ policy_module(dovecot, 1.16.1)
|
@@ -7,12 +7,10 @@ policy_module(dovecot, 1.16.1)
|
||||||
@ -23021,7 +23021,7 @@ index 0aabc7e..ec5bd5d 100644
|
|||||||
mysql_stream_connect(dovecot_auth_t)
|
mysql_stream_connect(dovecot_auth_t)
|
||||||
mysql_read_config(dovecot_auth_t)
|
mysql_read_config(dovecot_auth_t)
|
||||||
mysql_tcp_connect(dovecot_auth_t)
|
mysql_tcp_connect(dovecot_auth_t)
|
||||||
@@ -277,53 +290,78 @@ optional_policy(`
|
@@ -277,53 +290,79 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -23085,6 +23085,7 @@ index 0aabc7e..ec5bd5d 100644
|
|||||||
-logging_search_logs(dovecot_deliver_t)
|
-logging_search_logs(dovecot_deliver_t)
|
||||||
+files_search_tmp(dovecot_deliver_t)
|
+files_search_tmp(dovecot_deliver_t)
|
||||||
+files_dontaudit_getattr_all_dirs(dovecot_deliver_t)
|
+files_dontaudit_getattr_all_dirs(dovecot_deliver_t)
|
||||||
|
+files_search_all_mountpoints(dovecot_deliver_t)
|
||||||
|
|
||||||
-tunable_policy(`use_nfs_home_dirs',`
|
-tunable_policy(`use_nfs_home_dirs',`
|
||||||
- fs_manage_nfs_dirs(dovecot_deliver_t)
|
- fs_manage_nfs_dirs(dovecot_deliver_t)
|
||||||
@ -23119,7 +23120,7 @@ index 0aabc7e..ec5bd5d 100644
|
|||||||
mta_read_queue(dovecot_deliver_t)
|
mta_read_queue(dovecot_deliver_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -332,5 +370,6 @@ optional_policy(`
|
@@ -332,5 +371,6 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -25821,7 +25822,7 @@ index 1e29af1..6c64f55 100644
|
|||||||
+ userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
|
+ userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
|
||||||
+')
|
+')
|
||||||
diff --git a/git.te b/git.te
|
diff --git a/git.te b/git.te
|
||||||
index dc49c71..2609364 100644
|
index dc49c71..654dbc5 100644
|
||||||
--- a/git.te
|
--- a/git.te
|
||||||
+++ b/git.te
|
+++ b/git.te
|
||||||
@@ -49,14 +49,6 @@ gen_tunable(git_session_users, false)
|
@@ -49,14 +49,6 @@ gen_tunable(git_session_users, false)
|
||||||
@ -25882,7 +25883,17 @@ index dc49c71..2609364 100644
|
|||||||
corenet_all_recvfrom_unlabeled(git_system_t)
|
corenet_all_recvfrom_unlabeled(git_system_t)
|
||||||
corenet_all_recvfrom_netlabel(git_system_t)
|
corenet_all_recvfrom_netlabel(git_system_t)
|
||||||
corenet_tcp_sendrecv_generic_if(git_system_t)
|
corenet_tcp_sendrecv_generic_if(git_system_t)
|
||||||
@@ -266,12 +261,9 @@ tunable_policy(`git_cgi_use_nfs',`
|
@@ -176,6 +171,9 @@ logging_send_syslog_msg(git_system_t)
|
||||||
|
|
||||||
|
tunable_policy(`git_system_enable_homedirs',`
|
||||||
|
userdom_search_user_home_dirs(git_system_t)
|
||||||
|
+ list_dirs_pattern(httpd_git_script_t, git_user_content_t, git_user_content_t)
|
||||||
|
+ read_files_pattern(git_system_t, git_user_content_t, git_user_content_t)
|
||||||
|
+
|
||||||
|
')
|
||||||
|
|
||||||
|
tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
|
||||||
|
@@ -266,12 +264,9 @@ tunable_policy(`git_cgi_use_nfs',`
|
||||||
|
|
||||||
allow git_daemon self:fifo_file rw_fifo_file_perms;
|
allow git_daemon self:fifo_file rw_fifo_file_perms;
|
||||||
|
|
||||||
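Review bot: The two rules added inside the `git_system_enable_homedirs` block name different subjects: `list_dirs_pattern(httpd_git_script_t, git_user_content_t, git_user_content_t)` followed by `read_files_pattern(git_system_t, git_user_content_t, git_user_content_t)`, while the block's existing rule is `userdom_search_user_home_dirs(git_system_t)`. As written git_system_t can read files labeled git_user_content_t but never list the directories to reach them, and httpd_git_script_t receives a grant gated by a tunable that, judging by the separate `git_cgi_use_nfs` tunable visible further down, appears to govern the git daemon rather than the CGI script. Unless the CGI grant is intended, the first line should read `list_dirs_pattern(git_system_t, git_user_content_t, git_user_content_t)`; if it is intended, it belongs under the git_cgi tunable with a one-line comment saying why the CGI domain needs home-directory git content when homedirs are enabled for the daemon.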
@ -37169,12 +37180,14 @@ index 39d3164..4b1b70c 100644
|
|||||||
+ mozilla_plugin_dontaudit_rw_tmp_files(lpr_t)
|
+ mozilla_plugin_dontaudit_rw_tmp_files(lpr_t)
|
||||||
')
|
')
|
||||||
diff --git a/lsm.fc b/lsm.fc
|
diff --git a/lsm.fc b/lsm.fc
|
||||||
index c455730..4b40274 100644
|
index c455730..6e14667 100644
|
||||||
--- a/lsm.fc
|
--- a/lsm.fc
|
||||||
+++ b/lsm.fc
|
+++ b/lsm.fc
|
||||||
@@ -1,3 +1,5 @@
|
@@ -1,3 +1,7 @@
|
||||||
/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0)
|
/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0)
|
||||||
|
|
||||||
|
+/usr/bin/.*_lsmplugin -- gen_context(system_u:object_r:lsmd_plugin_exec_t,s0)
|
||||||
|
+
|
||||||
+/usr/lib/systemd/system/libstoragemgmt.* -- gen_context(system_u:object_r:lsmd_unit_file_t,s0)
|
+/usr/lib/systemd/system/libstoragemgmt.* -- gen_context(system_u:object_r:lsmd_unit_file_t,s0)
|
||||||
+
|
+
|
||||||
/var/run/lsm(/.*)? gen_context(system_u:object_r:lsmd_var_run_t,s0)
|
/var/run/lsm(/.*)? gen_context(system_u:object_r:lsmd_var_run_t,s0)
|
||||||
@ -37289,26 +37302,55 @@ index d314333..da30c5d 100644
|
|||||||
+ ')
|
+ ')
|
||||||
')
|
')
|
||||||
diff --git a/lsm.te b/lsm.te
|
diff --git a/lsm.te b/lsm.te
|
||||||
index 4ec0eea..bc7d239 100644
|
index 4ec0eea..dc93265 100644
|
||||||
--- a/lsm.te
|
--- a/lsm.te
|
||||||
+++ b/lsm.te
|
+++ b/lsm.te
|
||||||
@@ -12,6 +12,9 @@ init_daemon_domain(lsmd_t, lsmd_exec_t)
|
@@ -12,6 +12,17 @@ init_daemon_domain(lsmd_t, lsmd_exec_t)
|
||||||
type lsmd_var_run_t;
|
type lsmd_var_run_t;
|
||||||
files_pid_file(lsmd_var_run_t)
|
files_pid_file(lsmd_var_run_t)
|
||||||
|
|
||||||
+type lsmd_unit_file_t;
|
+type lsmd_unit_file_t;
|
||||||
+systemd_unit_file(lsmd_unit_file_t)
|
+systemd_unit_file(lsmd_unit_file_t)
|
||||||
|
+
|
||||||
|
+type lsmd_plugin_t;
|
||||||
|
+type lsmd_plugin_exec_t;
|
||||||
|
+application_domain(lsmd_plugin_t, lsmd_plugin_exec_t)
|
||||||
|
+role system_r types lsmd_plugin_t;
|
||||||
|
+
|
||||||
|
+type lsmd_plugin_tmp_t;
|
||||||
|
+files_tmp_file(lsmd_plugin_tmp_t)
|
||||||
+
|
+
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Local policy
|
# Local policy
|
||||||
@@ -26,4 +29,6 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
|
@@ -26,4 +37,27 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
|
||||||
manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
|
manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
|
||||||
files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
|
files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
|
||||||
|
|
||||||
+corecmd_exec_bin(lsmd_t)
|
+corecmd_exec_bin(lsmd_t)
|
||||||
+
|
+
|
||||||
logging_send_syslog_msg(lsmd_t)
|
logging_send_syslog_msg(lsmd_t)
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+#
|
||||||
|
+# Local lsmd plugin policy
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+domtrans_pattern(lsmd_t, lsmd_plugin_exec_t, lsmd_plugin_t)
|
||||||
|
+
|
||||||
|
+allow lsmd_t lsmd_plugin_exec_t:file read_file_perms;
|
||||||
|
+
|
||||||
|
+manage_files_pattern(lsmd_plugin_t, lsmd_plugin_tmp_t, lsmd_plugin_tmp_t)
|
||||||
|
+manage_dirs_pattern(lsmd_plugin_t, lsmd_plugin_tmp_t, lsmd_plugin_tmp_t)
|
||||||
|
+files_tmp_filetrans(lsmd_plugin_t, lsmd_plugin_tmp_t, { file dir })
|
||||||
|
+
|
||||||
|
+kernel_read_system_state(lsmd_plugin_t)
|
||||||
|
+
|
||||||
|
+dev_read_urand(lsmd_plugin_t)
|
||||||
|
+
|
||||||
|
+corecmd_exec_bin(lsmd_plugin_t)
|
||||||
|
+
|
||||||
|
+sysnet_read_config(lsmd_plugin_t)
|
||||||
diff --git a/mailman.fc b/mailman.fc
|
diff --git a/mailman.fc b/mailman.fc
|
||||||
index 995d0a5..3d40d59 100644
|
index 995d0a5..3d40d59 100644
|
||||||
--- a/mailman.fc
|
--- a/mailman.fc
|
||||||
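Review bot: The new lsmd_plugin_t domain gets no rules on lsmd_var_run_t even though lsmd_t manages sock_files there (`manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)` above) and now spawns the plugins via `domtrans_pattern(lsmd_t, lsmd_plugin_exec_t, lsmd_plugin_t)`; if the plugins talk back to the daemon over a socket under /var/run/lsm, those connects will be denied and surface as AVCs. If that IPC exists, the fix is `files_search_pids(lsmd_plugin_t)` plus `stream_connect_pattern(lsmd_plugin_t, lsmd_var_run_t, lsmd_var_run_t, lsmd_t)`; if it does not, a comment above the plugin block stating how plugins exchange data with lsmd would save the next reader the same question. The explicit `allow lsmd_t lsmd_plugin_exec_t:file read_file_perms;` is very likely redundant, since domtrans_pattern normally already grants the caller read/execute on the entrypoint. Finally, the plugin domain is handed `corecmd_exec_bin`, `sysnet_read_config` and a private tmp type with no comment on which libstoragemgmt plugins were exercised to derive them; a short note listing them (the `.*_lsmplugin` binaries from lsm.fc) would make later tightening possible.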
@ -52958,10 +53000,10 @@ index 0000000..cf03270
|
|||||||
+')
|
+')
|
||||||
diff --git a/openshift.te b/openshift.te
|
diff --git a/openshift.te b/openshift.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..0a6f091
|
index 0000000..3c4beaf
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/openshift.te
|
+++ b/openshift.te
|
||||||
@@ -0,0 +1,556 @@
|
@@ -0,0 +1,558 @@
|
||||||
+policy_module(openshift,1.0.0)
|
+policy_module(openshift,1.0.0)
|
||||||
+
|
+
|
||||||
+gen_require(`
|
+gen_require(`
|
||||||
@ -53104,6 +53146,8 @@ index 0000000..0a6f091
|
|||||||
+allow openshift_domain self:shm create_shm_perms;
|
+allow openshift_domain self:shm create_shm_perms;
|
||||||
+allow openshift_domain self:sem create_sem_perms;
|
+allow openshift_domain self:sem create_sem_perms;
|
||||||
+dontaudit openshift_domain self:dir write;
|
+dontaudit openshift_domain self:dir write;
|
||||||
|
+dontaudit openshift_domain self:rawip_socket create_socket_perms;
|
||||||
|
+
|
||||||
+dontaudit openshift_t self:unix_stream_socket recvfrom;
|
+dontaudit openshift_t self:unix_stream_socket recvfrom;
|
||||||
+dontaudit openshift_domain self:netlink_tcpdiag_socket create;
|
+dontaudit openshift_domain self:netlink_tcpdiag_socket create;
|
||||||
+dontaudit openshift_domain self:netlink_route_socket nlmsg_write;
|
+dontaudit openshift_domain self:netlink_route_socket nlmsg_write;
|
||||||
@ -55322,10 +55366,10 @@ index 1fb1964..f92c71a 100644
|
|||||||
+ virt_rw_svirt_dev(pcscd_t)
|
+ virt_rw_svirt_dev(pcscd_t)
|
||||||
+')
|
+')
|
||||||
diff --git a/pegasus.fc b/pegasus.fc
|
diff --git a/pegasus.fc b/pegasus.fc
|
||||||
index dfd46e4..31122bd 100644
|
index dfd46e4..87bda41 100644
|
||||||
--- a/pegasus.fc
|
--- a/pegasus.fc
|
||||||
+++ b/pegasus.fc
|
+++ b/pegasus.fc
|
||||||
@@ -1,15 +1,26 @@
|
@@ -1,15 +1,25 @@
|
||||||
-/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
|
-/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
|
||||||
+
|
+
|
||||||
+/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
|
+/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
|
||||||
@ -55349,13 +55393,12 @@ index dfd46e4..31122bd 100644
|
|||||||
+/var/lib/openlmi-storage(/.*)? gen_context(system_u:object_r:pegasus_openlmi_storage_lib_t,s0)
|
+/var/lib/openlmi-storage(/.*)? gen_context(system_u:object_r:pegasus_openlmi_storage_lib_t,s0)
|
||||||
|
|
||||||
-/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
|
-/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
|
||||||
+#openlmi agents
|
|
||||||
+/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0)
|
+/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0)
|
||||||
+/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
|
+/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
|
||||||
+/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0)
|
+/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0)
|
||||||
+/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
|
+/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
|
||||||
+/usr/libexec/pegasus/cmpiLMI_PowerManagement-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
|
+/usr/libexec/pegasus/cmpiLMI_PowerManagement-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
|
||||||
+/usr/libexec/pegasus/cmpiLMI_Realmd-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_services_exec_t,s0)
|
+/usr/libexec/pegasus/cmpiLMI_Realmd-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0)
|
||||||
+/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0)
|
+/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0)
|
||||||
+
|
+
|
||||||
+
|
+
|
||||||
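Review bot: Relabeling `/usr/libexec/pegasus/cmpiLMI_Realmd-cimprovagt` from pegasus_openlmi_services_exec_t to pegasus_openlmi_admin_exec_t moves the Realmd provider into the same domain as the Service provider, and that domain gains `init_dbus_chat(pegasus_openlmi_admin_t)` elsewhere in this commit, so a CIM request reaching the Realmd provider can now also drive init over D-Bus. That is plausibly what a system-bus client like the realmd provider needs, but it is a privilege widening that the changelog entry ("Allow opelmi admin providers to dbus chat with init_t") does not mention; a changelog line or a comment on the fc entry such as `# Realmd provider shares the admin domain: needs system bus + init access` would record the intent. The hunk also drops the `#openlmi agents` heading comment that grouped these entries; keeping a heading makes the block easier to audit as more providers are added.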
@ -55461,7 +55504,7 @@ index d2fc677..ded726f 100644
|
|||||||
')
|
')
|
||||||
+
|
+
|
||||||
diff --git a/pegasus.te b/pegasus.te
|
diff --git a/pegasus.te b/pegasus.te
|
||||||
index 608f454..dfb2fb4 100644
|
index 608f454..357597f 100644
|
||||||
--- a/pegasus.te
|
--- a/pegasus.te
|
||||||
+++ b/pegasus.te
|
+++ b/pegasus.te
|
||||||
@@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
|
@@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
|
||||||
@ -55480,7 +55523,7 @@ index 608f454..dfb2fb4 100644
|
|||||||
type pegasus_cache_t;
|
type pegasus_cache_t;
|
||||||
files_type(pegasus_cache_t)
|
files_type(pegasus_cache_t)
|
||||||
|
|
||||||
@@ -30,20 +29,269 @@ files_type(pegasus_mof_t)
|
@@ -30,20 +29,277 @@ files_type(pegasus_mof_t)
|
||||||
type pegasus_var_run_t;
|
type pegasus_var_run_t;
|
||||||
files_pid_file(pegasus_var_run_t)
|
files_pid_file(pegasus_var_run_t)
|
||||||
|
|
||||||
@ -55661,6 +55704,14 @@ index 608f454..dfb2fb4 100644
|
|||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ dbus_system_bus_client(pegasus_openlmi_admin_t)
|
+ dbus_system_bus_client(pegasus_openlmi_admin_t)
|
||||||
|
+
|
||||||
|
+ optional_policy(`
|
||||||
|
+ init_dbus_chat(pegasus_openlmi_admin_t)
|
||||||
|
+ ')
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ sssd_search_lib(pegasus_openlmi_admin_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+######################################
|
+######################################
|
||||||
@ -55755,7 +55806,7 @@ index 608f454..dfb2fb4 100644
|
|||||||
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
|
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
|
||||||
|
|
||||||
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
|
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
|
||||||
@@ -54,22 +302,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
|
@@ -54,22 +310,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
|
||||||
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
||||||
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
||||||
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
||||||
@ -55786,7 +55837,7 @@ index 608f454..dfb2fb4 100644
|
|||||||
|
|
||||||
kernel_read_network_state(pegasus_t)
|
kernel_read_network_state(pegasus_t)
|
||||||
kernel_read_kernel_sysctls(pegasus_t)
|
kernel_read_kernel_sysctls(pegasus_t)
|
||||||
@@ -80,27 +328,21 @@ kernel_read_net_sysctls(pegasus_t)
|
@@ -80,27 +336,21 @@ kernel_read_net_sysctls(pegasus_t)
|
||||||
kernel_read_xen_state(pegasus_t)
|
kernel_read_xen_state(pegasus_t)
|
||||||
kernel_write_xen_state(pegasus_t)
|
kernel_write_xen_state(pegasus_t)
|
||||||
|
|
||||||
@ -55819,7 +55870,7 @@ index 608f454..dfb2fb4 100644
|
|||||||
|
|
||||||
corecmd_exec_bin(pegasus_t)
|
corecmd_exec_bin(pegasus_t)
|
||||||
corecmd_exec_shell(pegasus_t)
|
corecmd_exec_shell(pegasus_t)
|
||||||
@@ -114,9 +356,11 @@ files_getattr_all_dirs(pegasus_t)
|
@@ -114,9 +364,11 @@ files_getattr_all_dirs(pegasus_t)
|
||||||
|
|
||||||
auth_use_nsswitch(pegasus_t)
|
auth_use_nsswitch(pegasus_t)
|
||||||
auth_domtrans_chk_passwd(pegasus_t)
|
auth_domtrans_chk_passwd(pegasus_t)
|
||||||
@ -55831,7 +55882,7 @@ index 608f454..dfb2fb4 100644
|
|||||||
|
|
||||||
files_list_var_lib(pegasus_t)
|
files_list_var_lib(pegasus_t)
|
||||||
files_read_var_lib_files(pegasus_t)
|
files_read_var_lib_files(pegasus_t)
|
||||||
@@ -128,18 +372,29 @@ init_stream_connect_script(pegasus_t)
|
@@ -128,18 +380,29 @@ init_stream_connect_script(pegasus_t)
|
||||||
logging_send_audit_msgs(pegasus_t)
|
logging_send_audit_msgs(pegasus_t)
|
||||||
logging_send_syslog_msg(pegasus_t)
|
logging_send_syslog_msg(pegasus_t)
|
||||||
|
|
||||||
@ -55867,7 +55918,7 @@ index 608f454..dfb2fb4 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -151,16 +406,24 @@ optional_policy(`
|
@@ -151,16 +414,24 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -55896,7 +55947,7 @@ index 608f454..dfb2fb4 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -168,7 +431,7 @@ optional_policy(`
|
@@ -168,7 +439,7 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -68584,20 +68635,22 @@ index 6d162e4..889c0ed 100644
|
|||||||
userdom_dontaudit_search_user_home_dirs(radvd_t)
|
userdom_dontaudit_search_user_home_dirs(radvd_t)
|
||||||
|
|
||||||
diff --git a/raid.fc b/raid.fc
|
diff --git a/raid.fc b/raid.fc
|
||||||
index 5806046..5578653 100644
|
index 5806046..d83ec27 100644
|
||||||
--- a/raid.fc
|
--- a/raid.fc
|
||||||
+++ b/raid.fc
|
+++ b/raid.fc
|
||||||
@@ -3,6 +3,9 @@
|
@@ -3,6 +3,11 @@
|
||||||
|
|
||||||
/etc/rc\.d/init\.d/mdmonitor -- gen_context(system_u:object_r:mdadm_initrc_exec_t,s0)
|
/etc/rc\.d/init\.d/mdmonitor -- gen_context(system_u:object_r:mdadm_initrc_exec_t,s0)
|
||||||
|
|
||||||
|
+/etc/mdadm\.conf -- gen_context(system_u:object_r:mdadm_conf_t,s0)
|
||||||
|
+
|
||||||
+/usr/lib/systemd/system/mdmon@.* -- gen_context(system_u:object_r:mdadm_unit_file_t,s0)
|
+/usr/lib/systemd/system/mdmon@.* -- gen_context(system_u:object_r:mdadm_unit_file_t,s0)
|
||||||
+/usr/lib/systemd/system/mdmonitor.* -- gen_context(system_u:object_r:mdadm_unit_file_t,s0)
|
+/usr/lib/systemd/system/mdmonitor.* -- gen_context(system_u:object_r:mdadm_unit_file_t,s0)
|
||||||
+
|
+
|
||||||
/sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0)
|
/sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0)
|
||||||
/sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0)
|
/sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0)
|
||||||
/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
|
/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
|
||||||
@@ -16,6 +19,7 @@
|
@@ -16,6 +21,7 @@
|
||||||
/usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
|
/usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
|
||||||
/usr/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
|
/usr/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
|
||||||
/usr/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
|
/usr/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
|
||||||
@ -80894,7 +80947,7 @@ index 98c9e0a..df51942 100644
|
|||||||
files_search_pids($1)
|
files_search_pids($1)
|
||||||
admin_pattern($1, sblim_var_run_t)
|
admin_pattern($1, sblim_var_run_t)
|
||||||
diff --git a/sblim.te b/sblim.te
|
diff --git a/sblim.te b/sblim.te
|
||||||
index 299756b..947d6b9 100644
|
index 299756b..1c63069 100644
|
||||||
--- a/sblim.te
|
--- a/sblim.te
|
||||||
+++ b/sblim.te
|
+++ b/sblim.te
|
||||||
@@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0)
|
@@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0)
|
||||||
@ -80931,7 +80984,7 @@ index 299756b..947d6b9 100644
|
|||||||
######################################
|
######################################
|
||||||
#
|
#
|
||||||
# Common sblim domain local policy
|
# Common sblim domain local policy
|
||||||
@@ -32,11 +39,18 @@ manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
|
@@ -32,31 +39,36 @@ manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
|
||||||
manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
|
manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
|
||||||
manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
|
manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
|
||||||
|
|
||||||
@ -80953,9 +81006,11 @@ index 299756b..947d6b9 100644
|
|||||||
corenet_tcp_sendrecv_generic_if(sblim_domain)
|
corenet_tcp_sendrecv_generic_if(sblim_domain)
|
||||||
corenet_tcp_sendrecv_generic_node(sblim_domain)
|
corenet_tcp_sendrecv_generic_node(sblim_domain)
|
||||||
|
|
||||||
@@ -44,19 +58,15 @@ corenet_tcp_sendrecv_repository_port(sblim_domain)
|
corenet_tcp_sendrecv_repository_port(sblim_domain)
|
||||||
|
|
||||||
dev_read_sysfs(sblim_domain)
|
dev_read_sysfs(sblim_domain)
|
||||||
|
+dev_read_rand(sblim_domain)
|
||||||
|
+dev_read_urand(sblim_domain)
|
||||||
|
|
||||||
-logging_send_syslog_msg(sblim_domain)
|
-logging_send_syslog_msg(sblim_domain)
|
||||||
-
|
-
|
||||||
@ -80976,7 +81031,7 @@ index 299756b..947d6b9 100644
|
|||||||
allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
|
allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow sblim_gatherd_t self:unix_stream_socket { accept listen };
|
allow sblim_gatherd_t self:unix_stream_socket { accept listen };
|
||||||
|
|
||||||
@@ -84,6 +94,8 @@ storage_raw_read_removable_device(sblim_gatherd_t)
|
@@ -84,6 +96,8 @@ storage_raw_read_removable_device(sblim_gatherd_t)
|
||||||
|
|
||||||
init_read_utmp(sblim_gatherd_t)
|
init_read_utmp(sblim_gatherd_t)
|
||||||
|
|
||||||
@ -80985,7 +81040,7 @@ index 299756b..947d6b9 100644
|
|||||||
sysnet_dns_name_resolve(sblim_gatherd_t)
|
sysnet_dns_name_resolve(sblim_gatherd_t)
|
||||||
|
|
||||||
term_getattr_pty_fs(sblim_gatherd_t)
|
term_getattr_pty_fs(sblim_gatherd_t)
|
||||||
@@ -103,8 +115,9 @@ optional_policy(`
|
@@ -103,8 +117,9 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -80996,7 +81051,7 @@ index 299756b..947d6b9 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -117,6 +130,32 @@ optional_policy(`
|
@@ -117,6 +132,32 @@ optional_policy(`
|
||||||
# Reposd local policy
|
# Reposd local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
|
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.13.1
|
Version: 3.13.1
|
||||||
Release: 6%{?dist}
|
Release: 7%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -575,6 +575,15 @@ SELinux Reference policy mls base module.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Nov 26 2013 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-7
|
||||||
|
- Add lsmd_plugin_t for lsm plugins
|
||||||
|
- Allow dovecot-deliver to search mountpoints
|
||||||
|
- Add labeling for /etc/mdadm.conf
|
||||||
|
- Allow opelmi admin providers to dbus chat with init_t
|
||||||
|
- Allow sblim domain to read /dev/urandom and /dev/random
|
||||||
|
- Add back exec_content boolean for secadm, logadm, auditadm
|
||||||
|
- Allow sulogin to getattr on /proc/kcore
|
||||||
|
|
||||||
* Tue Nov 26 2013 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-6
|
* Tue Nov 26 2013 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-6
|
||||||
- Add filename transition also for servicelog.db-journal
|
- Add filename transition also for servicelog.db-journal
|
||||||
- Add files_dontaudit_access_check_root()
|
- Add files_dontaudit_access_check_root()
|
||||||
|