- New access needed to allow docker + lxc +SELinux to work together
- Allow apache to write to the owncloud data directory in /var/www/html... - Cleanup sandbox X AVC's - Allow consolekit to create log dir - Add support for icinga CGI scripts - Add support for icinga - Allow kdumpctl_t to create kdump lock file - Allow kdump to create lnk lock file - Allow ABRT to write core_pattern - Allow ABRT to read core_pattern - Add policy for Geoclue. Geoclue is a D-Bus service that provides location information - Allow nscd_t block_suspend capability - Allow unconfined domain types to manage own transient unit file - Allow systemd domains to handle transient init unit files - No longer need the rpm_script_roles line since rpm_transition_script now does this for us - Add/fix interfaces for usermodehelper_t - Add interfaces to handle transient - Fixes for new usermodehelper and proc_security_t types
parent
99d95cac6e
commit
d7f0c3cf54
@ -8705,7 +8705,7 @@ index 6a1e4d1..84e8030 100644
|
||||
+ dontaudit $1 domain:dir_file_class_set audit_access;
|
||||
')
|
||||
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
|
||||
index cf04cb5..4182845 100644
|
||||
index cf04cb5..dfb34a3 100644
|
||||
--- a/policy/modules/kernel/domain.te
|
||||
+++ b/policy/modules/kernel/domain.te
|
||||
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
|
||||
@ -8822,7 +8822,7 @@ index cf04cb5..4182845 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -147,12 +206,18 @@ optional_policy(`
|
||||
@@ -147,12 +206,21 @@ optional_policy(`
|
||||
# Use/sendto/connectto sockets created by any domain.
|
||||
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
|
||||
|
||||
@ -8832,6 +8832,9 @@ index cf04cb5..4182845 100644
|
||||
allow unconfined_domain_type domain:fifo_file rw_file_perms;
|
||||
|
||||
+allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
|
||||
+
|
||||
+# Allow manage transient unit files
|
||||
+allow unconfined_domain_type self:service manage_service_perms;
|
||||
+
|
||||
# Act upon any other process.
|
||||
-allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
|
||||
@ -8842,7 +8845,7 @@ index cf04cb5..4182845 100644
|
||||
|
||||
# Create/access any System V IPC objects.
|
||||
allow unconfined_domain_type domain:{ sem msgq shm } *;
|
||||
@@ -166,5 +231,318 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
|
||||
@@ -166,5 +234,318 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
|
||||
# act on all domains keys
|
||||
allow unconfined_domain_type domain:key *;
|
||||
|
||||
@ -14897,7 +14900,7 @@ index 7be4ddf..d5ef507 100644
|
||||
+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)
|
||||
+/sys/kernel/uevent_helper -- gen_context(system_u:object_r:usermodehelper_t,s0)
|
||||
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
|
||||
index e100d88..3910ec4 100644
|
||||
index e100d88..6f745f0 100644
|
||||
--- a/policy/modules/kernel/kernel.if
|
||||
+++ b/policy/modules/kernel/kernel.if
|
||||
@@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
|
||||
@ -15312,7 +15315,7 @@ index e100d88..3910ec4 100644
|
||||
## Unconfined access to kernel module resources.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -2972,5 +3151,525 @@ interface(`kernel_unconfined',`
|
||||
@@ -2972,5 +3151,565 @@ interface(`kernel_unconfined',`
|
||||
')
|
||||
|
||||
typeattribute $1 kern_unconfined;
|
||||
@ -15660,12 +15663,8 @@ index e100d88..3910ec4 100644
|
||||
+## </summary>
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Allow the specified domain to read the securitying
|
||||
+## state information. This includes several pieces
|
||||
+## of securitying information, such as security interface
|
||||
+## names, securityfilter (iptables) statistics, protocol
|
||||
+## information, routes, and remote procedure call (RPC)
|
||||
+## information.
|
||||
+## Allow the specified domain to read the security
|
||||
+## state information.
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+## <param name="domain">
|
||||
@ -15689,6 +15688,32 @@ index e100d88..3910ec4 100644
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Write the security state information.
|
||||
+## </summary>
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Allow the specified domain to write the security
|
||||
+## state information.
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <infoflow type="write" weight="10"/>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`kernel_write_security_state',`
|
||||
+ gen_require(`
|
||||
+ type proc_t, proc_security_t;
|
||||
+ ')
|
||||
+
|
||||
+ write_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Allow caller to read the security state symbolic links.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
@ -15729,27 +15754,6 @@ index e100d88..3910ec4 100644
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read and write usermodehelper state
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`kernel_rw_usermodehelper_state',`
|
||||
+ gen_require(`
|
||||
+ type proc_t, usermodehelper_t;
|
||||
+ ')
|
||||
+
|
||||
+ dev_search_sysfs($1)
|
||||
+ rw_files_pattern($1, proc_t, usermodehelper_t)
|
||||
+ list_dirs_pattern($1, proc_t, usermodehelper_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Do not audit attempts to search the usermodehelper
|
||||
+## state directory.
|
||||
+## </summary>
|
||||
@ -15838,6 +15842,45 @@ index e100d88..3910ec4 100644
|
||||
+ read_lnk_files_pattern($1, { proc_t usermodehelper_t }, usermodehelper_t)
|
||||
+
|
||||
+ list_dirs_pattern($1, proc_t, usermodehelper_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read and write usermodehelper state
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`kernel_rw_usermodehelper_state',`
|
||||
+ gen_require(`
|
||||
+ type proc_t, usermodehelper_t;
|
||||
+ ')
|
||||
+
|
||||
+ dev_search_sysfs($1)
|
||||
+ rw_files_pattern($1, proc_t, usermodehelper_t)
|
||||
+ list_dirs_pattern($1, proc_t, usermodehelper_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Relabel to usermodehelper context .
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`kernel_relabelto_usermodehelper',`
|
||||
+ gen_require(`
|
||||
+ type usermodehelper_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 usermodehelper_t:file relabelto;
|
||||
')
|
||||
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
|
||||
index 8dbab4c..4b6c9ad 100644
|
||||
@ -19854,10 +19897,10 @@ index 0000000..cf6582f
|
||||
+
|
||||
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
|
||||
new file mode 100644
|
||||
index 0000000..ca62aef
|
||||
index 0000000..dbb8afa
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/roles/unconfineduser.te
|
||||
@@ -0,0 +1,339 @@
|
||||
@@ -0,0 +1,332 @@
|
||||
+policy_module(unconfineduser, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -20153,7 +20196,6 @@ index 0000000..ca62aef
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+# rpm_run(unconfined_t, unconfined_r)
|
||||
+ # Allow SELinux aware applications to request rpm_script execution
|
||||
+ rpm_transition_script(unconfined_t, unconfined_r)
|
||||
+ rpm_dbus_chat(unconfined_t)
|
||||
@ -20186,15 +20228,9 @@ index 0000000..ca62aef
|
||||
+optional_policy(`
|
||||
+ xserver_run(unconfined_t, unconfined_r)
|
||||
+ xserver_manage_home_fonts(unconfined_t)
|
||||
+ xserver_xsession_entry_type(unconfined_t)
|
||||
+')
|
||||
+
|
||||
+
|
||||
+gen_require(`
|
||||
+ attribute_role rpm_script_roles;
|
||||
+')
|
||||
+
|
||||
+roleattribute unconfined_r rpm_script_roles;
|
||||
+
|
||||
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
+
|
||||
diff --git a/policy/modules/roles/unprivuser.if b/policy/modules/roles/unprivuser.if
|
||||
@ -27754,7 +27790,7 @@ index bc0ffc8..8de430d 100644
|
||||
')
|
||||
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
|
||||
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
|
||||
index 79a45f6..e1589ac 100644
|
||||
index 79a45f6..9a14d49 100644
|
||||
--- a/policy/modules/system/init.if
|
||||
+++ b/policy/modules/system/init.if
|
||||
@@ -1,5 +1,21 @@
|
||||
@ -28736,7 +28772,7 @@ index 79a45f6..e1589ac 100644
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to connect to daemon with a tcp socket
|
||||
@@ -1840,3 +2359,360 @@ interface(`init_udp_recvfrom_all_daemons',`
|
||||
@@ -1840,3 +2359,432 @@ interface(`init_udp_recvfrom_all_daemons',`
|
||||
')
|
||||
corenet_udp_recvfrom_labeled($1, daemon)
|
||||
')
|
||||
@ -29078,6 +29114,78 @@ index 79a45f6..e1589ac 100644
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Tell init to do an unknown access.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`init_start_transient_unit',`
|
||||
+ gen_require(`
|
||||
+ type init_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 init_t:service start;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Tell init to do an unknown access.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`init_stop_transient_unit',`
|
||||
+ gen_require(`
|
||||
+ type init_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 init_t:service stop;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Tell init to do an unknown access.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`init_reload_transient_unit',`
|
||||
+ gen_require(`
|
||||
+ type init_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 init_t:service reload;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Tell init to do an unknown access.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`init_status_transient_unit',`
|
||||
+ gen_require(`
|
||||
+ type init_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 init_t:service status;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Transition to init named content
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
@ -38962,10 +39070,10 @@ index 0000000..1d9bdfd
|
||||
+')
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
new file mode 100644
|
||||
index 0000000..2109915
|
||||
index 0000000..e9b0d55
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -0,0 +1,653 @@
|
||||
@@ -0,0 +1,659 @@
|
||||
+policy_module(systemd, 1.0.0)
|
||||
+
|
||||
+#######################################
|
||||
@ -39234,6 +39342,7 @@ index 0000000..2109915
|
||||
+
|
||||
+kernel_read_network_state(systemd_tmpfiles_t)
|
||||
+kernel_request_load_module(systemd_tmpfiles_t)
|
||||
+kernel_relabelto_usermodehelper(systemd_tmpfiles_t)
|
||||
+
|
||||
+dev_write_kmsg(systemd_tmpfiles_t)
|
||||
+dev_rw_sysfs(systemd_tmpfiles_t)
|
||||
@ -39583,6 +39692,7 @@ index 0000000..2109915
|
||||
+
|
||||
+kernel_dgram_send(systemd_sysctl_t)
|
||||
+kernel_rw_all_sysctls(systemd_sysctl_t)
|
||||
+kernel_write_security_state(systemd_sysctl_t)
|
||||
+
|
||||
+files_read_system_conf_files(systemd_sysctl_t)
|
||||
+
|
||||
@ -39607,6 +39717,10 @@ index 0000000..2109915
|
||||
+files_read_usr_files(systemd_domain)
|
||||
+
|
||||
+init_search_pid_dirs(systemd_domain)
|
||||
+init_start_transient_unit(systemd_domain)
|
||||
+init_stop_transient_unit(systemd_domain)
|
||||
+init_status_transient_unit(systemd_domain)
|
||||
+init_reload_transient_unit(systemd_domain)
|
||||
+
|
||||
+logging_stream_connect_syslog(systemd_domain)
|
||||
+
|
||||
|
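Review bot: The four new interfaces `init_start_transient_unit`, `init_stop_transient_unit`, `init_reload_transient_unit` and `init_status_transient_unit` in policy/modules/system/init.if all carry the same summary, `Tell init to do an unknown access.`, which does not say which permission each one grants. Each body is a single rule of the form `allow $1 init_t:service start;`, so the summaries could read `Allow the specified domain to start transient units labeled init_t.`, and likewise for stop, reload and status. The rules are keyed on the `init_t` label rather than on anything specific to transient units, so they presumably apply to every unit carrying that label. A sentence in each description saying so would help anyone auditing the `systemd_domain` calls added in systemd.te. Only part of init.if is visible on this page, so other interfaces in the file may share the same placeholder text.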
File diff suppressed because it is too large
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 15%{?dist}
|
||||
Release: 16%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -579,6 +579,26 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Jan 22 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-16
|
||||
- New access needed to allow docker + lxc +SELinux to work together
|
||||
- Allow apache to write to the owncloud data directory in /var/www/html...
|
||||
- Cleanup sandbox X AVC's
|
||||
- Allow consolekit to create log dir
|
||||
- Add support for icinga CGI scripts
|
||||
- Add support for icinga
|
||||
- Allow kdumpctl_t to create kdump lock file
|
||||
- Allow kdump to create lnk lock file
|
||||
- Allow ABRT write core_pattern
|
||||
- Allwo ABRT to read core_pattern
|
||||
- Add policy for Geoclue. Geoclue is a D-Bus service that provides location information
|
||||
- Allow nscd_t block_suspen capability
|
||||
- Allow unconfined domain types to manage own transient unit file
|
||||
- Allow systemd domains to handle transient init unit files
|
||||
- No longer need the rpm_script_roles line since rpm_transition_script now does this for us
|
||||
- Add/fix interfaces for usermodehelper_t
|
||||
- Add interfaces to handle transient
|
||||
- Fixes for new usermodehelper and proc_securit_t types, added to increase security on /proc and /sys file systems
|
||||
|
||||
* Mon Jan 20 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-15
|
||||
- Add cron unconfined role support for uncofined SELinux user
|
||||
- Call kernel_rw_usermodehelper_state() in init.te
|
||||
|