- Fix lockdev_manage_files()
- Allow setroubleshootd to read var_lib_t to make email_alert working
- Add lockdev_manage_files()
- Call proper interface in virt.te
- Allow gkeyring_domain to create /var/run/UID/config/dbus file
- system dbus seems to be blocking suspend
- Dontaudit attempts to sys_ptrace, which I believe gpsd does not need
- When you enter a container from root, you generate avcs with a leaked file descriptor
- Allow mpd getattr on file system directories
- Make sure realmd creates content with the correct label
- Allow systemd-tty-ask to write kmsg
- Allow mgetty to use lockdev library for device locking
- Fix selinuxuser_user_share_music boolean name to selinuxuser_share_music
- When you enter a container from root, you generate avcs with a leaked file descriptor
- Make sure init.fc files are labeled correctly at creation
- File name trans vconsole.conf
- Fix labeling for nagios plugins
- label shared libraries in /opt/google/chrome as testrel_shlib_t
This commit is contained in:
parent
aae6505e89
commit
d61e0b894f
@ -3021,7 +3021,7 @@ index 7590165..19aaaed 100644
+ fs_mounton_fusefs(seunshare_domain)
+')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 644d4d7..d2dbf35 100644
index 644d4d7..4debbf2 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@ -3179,7 +3179,7 @@ index 644d4d7..d2dbf35 100644
/usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -215,18 +246,28 @@ ifdef(`distro_gentoo',`
@@ -215,18 +246,30 @@ ifdef(`distro_gentoo',`
/usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@ -3189,7 +3189,9 @@ index 644d4d7..d2dbf35 100644
-/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nagios/plugins/negate -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nagios/plugins/urlize -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nagios/plugins/utils.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
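Review bot: the explicit entries for `/usr/lib/nagios/plugins/negate`, `urlize` and `utils.sh` are already matched, with the same bin_t label, by `/usr/lib/nagios/plugins(/.*)?` on the line above, so they only matter if a more specific pattern elsewhere (the nagios module's own .fc, not in this hunk) would otherwise claim those files; a one-line comment in corecommands.fc stating that intent would stop the next cleanup from dropping them as redundant. The outer hunk grows by two lines (`-3189,7 +3189,9`), so one of the three per-file entries predates this change and the changelog line `Fix labeling for nagios plugins` should say which plugins were actually relabeled.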
@ -3215,7 +3217,7 @@ index 644d4d7..d2dbf35 100644
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
@@ -241,10 +282,15 @@ ifdef(`distro_gentoo',`
@@ -241,10 +284,15 @@ ifdef(`distro_gentoo',`
/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@ -3231,7 +3233,7 @@ index 644d4d7..d2dbf35 100644
/usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
@@ -257,10 +303,17 @@ ifdef(`distro_gentoo',`
@@ -257,10 +305,17 @@ ifdef(`distro_gentoo',`

/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)

@ -3252,7 +3254,7 @@ index 644d4d7..d2dbf35 100644
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -276,10 +329,15 @@ ifdef(`distro_gentoo',`
@@ -276,10 +331,15 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
@ -3268,7 +3270,7 @@ index 644d4d7..d2dbf35 100644
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
@@ -294,16 +352,22 @@ ifdef(`distro_gentoo',`
@@ -294,16 +354,22 @@ ifdef(`distro_gentoo',`
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
@ -3293,7 +3295,7 @@ index 644d4d7..d2dbf35 100644

ifdef(`distro_debian',`
/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -321,20 +385,27 @@ ifdef(`distro_redhat', `
@@ -321,20 +387,27 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)

@ -3322,7 +3324,7 @@ index 644d4d7..d2dbf35 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -383,11 +454,15 @@ ifdef(`distro_suse', `
@@ -383,11 +456,15 @@ ifdef(`distro_suse', `
#
# /var
#
@ -3339,7 +3341,7 @@ index 644d4d7..d2dbf35 100644
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)

/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
@@ -397,3 +472,12 @@ ifdef(`distro_suse', `
@@ -397,3 +474,12 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@ -7749,7 +7751,7 @@ index 6a1e4d1..adafd25 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index cf04cb5..dc4207f 100644
index cf04cb5..ff7b3f4 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@ -7875,7 +7877,7 @@ index cf04cb5..dc4207f 100644

# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
@@ -166,5 +227,266 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
@@ -166,5 +227,267 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;

@ -7904,6 +7906,7 @@ index cf04cb5..dc4207f 100644
+ init_reboot(unconfined_domain_type)
+ init_halt(unconfined_domain_type)
+ init_undefined(unconfined_domain_type)
+ init_filetrans_named_content(unconfined_domain_type)
+')
+
+optional_policy(`
@ -18526,10 +18529,10 @@ index ff92430..36740ea 100644
## <summary>
## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 88d0028..83e6404 100644
index 88d0028..4cc476f 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -5,39 +5,78 @@ policy_module(sysadm, 2.5.1)
@@ -5,39 +5,79 @@ policy_module(sysadm, 2.5.1)
# Declarations
#

@ -18583,6 +18586,7 @@ index 88d0028..83e6404 100644

+application_exec(sysadm_t)
+
+init_filetrans_named_content(sysadm_t)
init_exec(sysadm_t)
+init_exec_script_files(sysadm_t)
+init_dbus_chat(sysadm_t)
@ -18619,7 +18623,7 @@ index 88d0028..83e6404 100644

ifdef(`direct_sysadm_daemon',`
optional_policy(`
@@ -55,13 +94,7 @@ ifdef(`distro_gentoo',`
@@ -55,13 +95,7 @@ ifdef(`distro_gentoo',`
init_exec_rc(sysadm_t)
')

@ -18634,7 +18638,7 @@ index 88d0028..83e6404 100644
domain_ptrace_all_domains(sysadm_t)
')

@@ -71,9 +104,9 @@ optional_policy(`
@@ -71,9 +105,9 @@ optional_policy(`

optional_policy(`
apache_run_helper(sysadm_t, sysadm_r)
@ -18645,7 +18649,7 @@ index 88d0028..83e6404 100644
')

optional_policy(`
@@ -87,6 +120,7 @@ optional_policy(`
@@ -87,6 +121,7 @@ optional_policy(`

optional_policy(`
asterisk_stream_connect(sysadm_t)
@ -18653,7 +18657,7 @@ index 88d0028..83e6404 100644
')

optional_policy(`
@@ -110,6 +144,10 @@ optional_policy(`
@@ -110,6 +145,10 @@ optional_policy(`
')

optional_policy(`
@ -18664,7 +18668,7 @@ index 88d0028..83e6404 100644
certwatch_run(sysadm_t, sysadm_r)
')

@@ -122,11 +160,19 @@ optional_policy(`
@@ -122,11 +161,19 @@ optional_policy(`
')

optional_policy(`
@ -18686,7 +18690,7 @@ index 88d0028..83e6404 100644
')

optional_policy(`
@@ -140,6 +186,10 @@ optional_policy(`
@@ -140,6 +187,10 @@ optional_policy(`
')

optional_policy(`
@ -18697,7 +18701,7 @@ index 88d0028..83e6404 100644
dmesg_exec(sysadm_t)
')

@@ -156,11 +206,11 @@ optional_policy(`
@@ -156,11 +207,11 @@ optional_policy(`
')

optional_policy(`
@ -18711,7 +18715,7 @@ index 88d0028..83e6404 100644
')

optional_policy(`
@@ -179,6 +229,13 @@ optional_policy(`
@@ -179,6 +230,13 @@ optional_policy(`
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@ -18725,7 +18729,7 @@ index 88d0028..83e6404 100644
')

optional_policy(`
@@ -186,15 +243,20 @@ optional_policy(`
@@ -186,15 +244,20 @@ optional_policy(`
')

optional_policy(`
@ -18749,7 +18753,7 @@ index 88d0028..83e6404 100644
')

optional_policy(`
@@ -214,22 +276,20 @@ optional_policy(`
@@ -214,22 +277,20 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
@ -18778,7 +18782,7 @@ index 88d0028..83e6404 100644
')

optional_policy(`
@@ -241,14 +301,27 @@ optional_policy(`
@@ -241,14 +302,27 @@ optional_policy(`
')

optional_policy(`
@ -18806,7 +18810,7 @@ index 88d0028..83e6404 100644
')

optional_policy(`
@@ -256,10 +329,20 @@ optional_policy(`
@@ -256,10 +330,20 @@ optional_policy(`
')

optional_policy(`
@ -18827,7 +18831,7 @@ index 88d0028..83e6404 100644
portage_run(sysadm_t, sysadm_r)
portage_run_fetch(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
@@ -270,31 +353,36 @@ optional_policy(`
@@ -270,31 +354,36 @@ optional_policy(`
')

optional_policy(`
@ -18871,7 +18875,7 @@ index 88d0028..83e6404 100644
')

optional_policy(`
@@ -319,12 +407,18 @@ optional_policy(`
@@ -319,12 +408,18 @@ optional_policy(`
')

optional_policy(`
@ -18891,7 +18895,7 @@ index 88d0028..83e6404 100644
')

optional_policy(`
@@ -349,7 +443,18 @@ optional_policy(`
@@ -349,7 +444,18 @@ optional_policy(`
')

optional_policy(`
@ -18911,7 +18915,7 @@ index 88d0028..83e6404 100644
')

optional_policy(`
@@ -360,19 +465,15 @@ optional_policy(`
@@ -360,19 +466,15 @@ optional_policy(`
')

optional_policy(`
@ -18933,7 +18937,7 @@ index 88d0028..83e6404 100644
')

optional_policy(`
@@ -384,10 +485,6 @@ optional_policy(`
@@ -384,10 +486,6 @@ optional_policy(`
')

optional_policy(`
@ -18944,7 +18948,7 @@ index 88d0028..83e6404 100644
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
usermanage_run_groupadd(sysadm_t, sysadm_r)
usermanage_run_useradd(sysadm_t, sysadm_r)
@@ -395,6 +492,9 @@ optional_policy(`
@@ -395,6 +493,9 @@ optional_policy(`

optional_policy(`
virt_stream_connect(sysadm_t)
@ -18954,7 +18958,7 @@ index 88d0028..83e6404 100644
')

optional_policy(`
@@ -402,31 +502,34 @@ optional_policy(`
@@ -402,31 +503,34 @@ optional_policy(`
')

optional_policy(`
@ -18995,7 +18999,7 @@ index 88d0028..83e6404 100644
auth_role(sysadm_r, sysadm_t)
')

@@ -439,10 +542,6 @@ ifndef(`distro_redhat',`
@@ -439,10 +543,6 @@ ifndef(`distro_redhat',`
')

optional_policy(`
@ -19006,7 +19010,7 @@ index 88d0028..83e6404 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)

optional_policy(`
@@ -463,15 +562,75 @@ ifndef(`distro_redhat',`
@@ -463,15 +563,75 @@ ifndef(`distro_redhat',`
')

optional_policy(`
@ -26810,7 +26814,7 @@ index e4376aa..2c98c56 100644
+ allow $1 getty_unit_file_t:service start;
+')
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index fc38c9c..dce2d4e 100644
index fc38c9c..61a1d24 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -27,6 +27,9 @@ files_tmp_file(getty_tmp_t)
@ -26852,17 +26856,20 @@ index fc38c9c..dce2d4e 100644
# Support logging in from /dev/console
term_use_console(getty_t)
',`
@@ -125,10 +130,6 @@ optional_policy(`
@@ -121,11 +126,11 @@ tunable_policy(`console_login',`
')

optional_policy(`
- mta_send_mail(getty_t)
+ lockdev_manage_files(getty_t)
')

optional_policy(`
- nscd_use(getty_t)
-')
-
-optional_policy(`
ppp_domtrans(getty_t)
+ mta_send_mail(getty_t)
')

optional_policy(`
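Review bot: `+ mta_send_mail(getty_t)` lands inside the optional_policy block that holds `ppp_domtrans(getty_t)`, so after this change getty only gets the mail rule when the ppp module is loaded; the earlier layout, where `mta_send_mail(getty_t)` had its own `optional_policy(` block, was correct, and `lockdev_manage_files(getty_t)` should be added as a separate block instead of replacing `mta_send_mail` in the existing one. Removing the `nscd_use(getty_t)` block is an unrelated change that is not mentioned in the changelog and deserves its own line.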
diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
index 9dfecf7..6d00f5c 100644
--- a/policy/modules/system/hostname.fc
@ -27074,7 +27081,7 @@ index 9a4d3a7..9d960bb 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 24e7804..1894886 100644
index 24e7804..d0780a9 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1,5 +1,21 @@
@ -27959,7 +27966,7 @@ index 24e7804..1894886 100644
########################################
## <summary>
## Allow the specified domain to connect to daemon with a tcp socket
@@ -1819,3 +2284,284 @@ interface(`init_udp_recvfrom_all_daemons',`
@@ -1819,3 +2284,306 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@ -28244,6 +28251,28 @@ index 24e7804..1894886 100644
+
+ allow $1 init_t:system undefined;
+')
+
+########################################
+## <summary>
+## Transition to init named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_filetrans_named_content',`
+ gen_require(`
+ type init_var_run_t;
+ type initrc_var_run_t;
+ type machineid_t;
+ ')
+
+ files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
+ files_pid_filetrans($1, init_var_run_t, file, "random-seed")
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+')
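Review bot: the summary `Transition to init named content` should say what the interface does, which is add type_transition rules for `utmp` and `random-seed` created under var_run_t and `machine-id` created under etc_t. `files_pid_filetrans` and `files_etc_filetrans` grant the directory permissions plus the transition rule only, not `create` on initrc_var_run_t, init_var_run_t or machineid_t, so a caller without manage rights on those types still cannot create the file; that precondition belongs in the doc block so callers such as sysadm_t (added earlier in this patch) are checked for it. Style: stray space in `"machine-id" )`.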
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index dd3be8d..969bda2 100644
--- a/policy/modules/system/init.te
@ -30065,7 +30094,7 @@ index 5dfa44b..aa4d8fc 100644

optional_policy(`
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 73bb3c0..aadfba0 100644
index 73bb3c0..46439b4 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -1,3 +1,4 @@
@ -30227,7 +30256,7 @@ index 73bb3c0..aadfba0 100644

/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)

@@ -299,17 +310,151 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
@@ -299,17 +310,152 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
#
/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0)

@ -30383,6 +30412,7 @@ index 73bb3c0..aadfba0 100644
+/opt/lgtonmc/bin/.*\.so(\.[0-9])? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google/picasa/.*\.dll -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google/chrome/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0)
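Review bot: `/opt/google/chrome/.*\.so -- textrel_shlib_t` is a deliberate relaxation, since textrel_shlib_t is the type that permits execmod (text relocations) on a library, so it should stay scoped to the chrome tree as written and not widen to `/opt/google`. Decide whether versioned sonames need matching: the `lgtonmc` entry three lines up uses `\.so(\.[0-9])?` while this one stops at the bare `\.so`. The changelog line for this change spells the type `testrel_shlib_t`; fix it to match the file context.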
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
@ -32307,7 +32337,7 @@ index 9fe8e01..fa82aac 100644
/var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
')
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index fc28bc3..2f33076 100644
index fc28bc3..2960ed7 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -106,6 +106,24 @@ interface(`miscfiles_manage_generic_cert_dirs',`
@ -32445,7 +32475,7 @@ index fc28bc3..2f33076 100644
')

########################################
@@ -809,3 +882,60 @@ interface(`miscfiles_manage_localization',`
@@ -809,3 +882,61 @@ interface(`miscfiles_manage_localization',`
manage_lnk_files_pattern($1, locale_t, locale_t)
')

@ -32466,6 +32496,7 @@ index fc28bc3..2f33076 100644
+
+ files_etc_filetrans($1, locale_t, { lnk_file file }, "localtime")
+ files_etc_filetrans($1, locale_t, file, "locale.conf")
+ files_etc_filetrans($1, locale_t, file, "vconsole.conf")
+ files_etc_filetrans($1, locale_t, file, "locale.conf.new")
+ files_etc_filetrans($1, locale_t, file, "timezone")
+ files_etc_filetrans($1, locale_t, file, "clock")
@ -37060,10 +37091,10 @@ index 0000000..5894afb
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
index 0000000..b3ea12d
index 0000000..2c9ccbf
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,642 @@
@@ -0,0 +1,643 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@ -37308,6 +37339,7 @@ index 0000000..b3ea12d
+dev_create_generic_dirs(systemd_passwd_agent_t)
+dev_read_generic_files(systemd_passwd_agent_t)
+dev_write_generic_sock_files(systemd_passwd_agent_t)
+dev_write_kmsg(systemd_passwd_agent_t)
+
+term_read_console(systemd_passwd_agent_t)
+
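Review bot: `+dev_write_kmsg(systemd_passwd_agent_t)` gives the password agent write access to the kernel log, and the changelog line `Allow systemd-tty-ask to write kmsg` is the only justification recorded. Put a one-line comment above the rule saying which code path needs it, so a later reviewer can tell whether it can be dropped once the agent no longer logs that way; the neighbouring `dev_*` and `term_read_console` rules are self-explanatory, this one is not.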
@ -39078,7 +39110,7 @@ index db75976..65191bd 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 3c5dba7..9799799 100644
index 3c5dba7..b44b1c9 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -40360,7 +40392,7 @@ index 3c5dba7..9799799 100644
- corenet_tcp_bind_generic_node($1_t)
- corenet_tcp_bind_generic_port($1_t)
+
+ tunable_policy(`selinuxuser_user_share_music',`
+ tunable_policy(`selinuxuser_share_music',`
+ corenet_tcp_bind_daap_port($1_usertype)
+ ')
+
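Review bot: the tunable is renamed from `selinuxuser_user_share_music` to `selinuxuser_share_music` here and in the matching `gen_tunable` in userdomain.te further down this patch, which covers every use visible in the diff; if the old name ever shipped in a build, add an alias for it in booleans.subs_dist so that existing `setsebool -P` settings keep applying instead of silently referring to a boolean that no longer exists.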
@ -41745,7 +41777,7 @@ index 3c5dba7..9799799 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
@@ -3438,4 +4197,1357 @@ interface(`userdom_dbus_send_all_users',`
@@ -3438,4 +4197,1393 @@ interface(`userdom_dbus_send_all_users',`
')

allow $1 userdomain:dbus send_msg;
@ -42306,6 +42338,42 @@ index 3c5dba7..9799799 100644
+
+########################################
+## <summary>
+## Dontaudit Read files inherited from the admin home dir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_read_inherited_admin_home_files',`
+ gen_require(`
+ attribute admin_home_t;
+ ')
+
+ dontaudit $1 admin_home_t:file read_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Dontaudit append files inherited from the admin home dir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_append_inherited_admin_home_file',`
+ gen_require(`
+ attribute admin_home_t;
+ ')
+
+ dontaudit $1 admin_home_t:file append_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Read/Write files inherited
+## in a user home subdirectory.
+## </summary>
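Review bot: the two new interfaces are named inconsistently, `userdom_dontaudit_read_inherited_admin_home_files` (plural) against `userdom_dontaudit_append_inherited_admin_home_file` (singular); settle on one form before callers depend on them. Both `gen_require` blocks declare `attribute admin_home_t;` while upstream refpolicy declares admin_home_t as a type; the userdomain.te hunk in this patch does not show the declaration, so confirm it matches, because the module linker rejects a type/attribute mismatch. The summary `Dontaudit Read files` should read `Dontaudit read files` like its sibling.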
@ -43104,7 +43172,7 @@ index 3c5dba7..9799799 100644
+ filetrans_pattern($1, user_tmpfs_t, $2, $3, $4)
')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index e2b538b..6371ed6 100644
index e2b538b..9e23738 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.5)
@ -43143,7 +43211,7 @@ index e2b538b..6371ed6 100644
## </p>
## </desc>
-gen_tunable(user_dmesg, false)
+gen_tunable(selinuxuser_user_share_music, false)
+gen_tunable(selinuxuser_share_music, false)

## <desc>
## <p>
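Review bot: the `<desc>` block directly above the renamed `gen_tunable` (only its closing `</p>` and `</desc>` lines are in the hunk) is what users see in boolean descriptions, so check that it does not still spell out the old `selinuxuser_user_share_music` name; the rename itself is consistent with the `tunable_policy` change in userdomain.if earlier in this patch.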
@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
Release: 32%{?dist}
Release: 35%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -229,8 +229,12 @@ if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
/sbin/fixfiles -C ${FILE_CONTEXT}.pre restore 2> /dev/null; \
rm -f ${FILE_CONTEXT}.pre; \
fi; \
/sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \
/sbin/restorecon -R /home/*/.cache /home/*/.config 2> /dev/null; \
if /sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \
continue; \
fi; \
if /sbin/restorecon -R /home/*/.cache /home/*/.config 2> /dev/null;then \
continue; \
fi;

%define preInstall() \
if [ $1 -ne 1 ] && [ -s /etc/selinux/config ]; then \
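Review bot: `continue` is only meaningful inside a `for`, `while` or `until` loop, and no loop encloses this macro body in the hunk. If the expanded scriptlet runs it outside a loop, bash prints an error and carries on; if the macro is expanded inside a loop elsewhere in the spec, a successful first `restorecon` now skips the second `restorecon` over /home/*/.cache and /home/*/.config and everything after it in that iteration. If the goal is only to tolerate restorecon failures, keep the two plain commands and append `|| :` to each. Minor: `;then` without a space works but differs from the `; then` used on the `if [ $? = 0 ...` line.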
@ -526,6 +530,41 @@ SELinux Reference policy mls base module.
%endif

%changelog
* Tue Apr 23 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-35
- Fix lockdev_manage_files()
- Allow setroubleshootd to read var_lib_t to make email_alert working
- Add lockdev_manage_files()
- Call proper interface in virt.te
- Allow gkeyring_domain to create /var/run/UID/config/dbus file
- system dbus seems to be blocking suspend
- Dontaudit attemps to sys_ptrace, which I believe gpsd does not need
- When you enter a container from root, you generate avcs with a leaked file descriptor
- Allow mpd getattr on file system directories
- Make sure realmd creates content with the correct label
- Allow systemd-tty-ask to write kmsg
- Allow mgetty to use lockdev library for device locking
- Fix selinuxuser_user_share_music boolean name to selinuxuser_share_music
- When you enter a container from root, you generate avcs with a leaked file descriptor
- Make sure init.fc files are labeled correctly at creation
- File name trans vconsole.conf
- Fix labeling for nagios plugins
- label shared libraries in /opt/google/chrome as testrel_shlib_t

* Thu Apr 18 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-34
- Allow certmonger to dbus communicate with realmd
- Make realmd working

* Thu Apr 18 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-33
- Fix mozilla specification of homedir content
- Allow certmonger to read network state
- Allow tmpwatch to read tmp in /var/spool/{cups,lpd}
- Label all nagios plugin as unconfined by default
- Add httpd_serve_cobbler_files()
- Allow mdadm to read /dev/sr0 and create tmp files
- Allow certwatch to send mails
- Fix labeling for nagios plugins
- label shared libraries in /opt/google/chrome as testrel_shlib_t

* Wed Apr 17 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-32
- Allow realmd to run ipa, really needs to be an unconfined_domain
- Allow sandbox domains to use inherted terminals
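Review bot: in the 3.12.1-35 entry, `When you enter a container from root, you generate avcs with a leaked file descriptor` appears twice, and `Fix labeling for nagios plugins` together with `label shared libraries in /opt/google/chrome as testrel_shlib_t` are repeated verbatim from the 3.12.1-33 entry; drop the duplicates so the changelog reflects what this release actually changes. Typos in the new lines: `attemps` (attempts) and `testrel_shlib_t` (textrel_shlib_t, as in libraries.fc). The removal of `nscd_use(getty_t)` in getty.te is not listed at all.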