- firewalld needs to relabel own config files. BZ(#1250537)
- Allow rhsmcertd to send signull to unconfined_service - Allow lsm_plugin_t to rw raw_fixed_disk. - Allow lsm_plugin_t to read sysfs, read hwdata, rw to scsi_generic_device - Allow openhpid to use libsnmp_bc plugin (allow read snmp lib files).
This commit is contained in:
Miroslav Grepl
parent
cfb63d8e0e
commit
d8af5a753a
|
|
@ -37060,7 +37060,7 @@ index 6b91740..5c1669a 100644
|
|||
+/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0)
|
||||
/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
|
||||
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
|
||||
index 58bc27f..a4ec06e 100644
|
||||
index 58bc27f..4e1936d 100644
|
||||
--- a/policy/modules/system/lvm.if
|
||||
+++ b/policy/modules/system/lvm.if
|
||||
@@ -1,5 +1,22 @@
|
||||
|
|
@ -37163,7 +37163,7 @@ index 58bc27f..a4ec06e 100644
|
|||
######################################
|
||||
## <summary>
|
||||
## Execute a domain transition to run clvmd.
|
||||
@@ -123,3 +203,131 @@ interface(`lvm_domtrans_clvmd',`
|
||||
@@ -123,3 +203,154 @@ interface(`lvm_domtrans_clvmd',`
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, clvmd_exec_t, clvmd_t)
|
||||
')
|
||||
|
|
@ -37295,6 +37295,29 @@ index 58bc27f..a4ec06e 100644
|
|||
+ ps_process_pattern($1, lvm_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Create, read, write, and delete
|
||||
+## lvm lock files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`lvm_manage_lock',`
|
||||
+ gen_require(`
|
||||
+ type lvm_lock_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_locks($1)
|
||||
+ manage_files_pattern($1, lvm_lock_t, lvm_lock_t)
|
||||
+ manage_dirs_pattern($1, lvm_lock_t, lvm_lock_t)
|
||||
+')
|
||||
+
|
||||
+
|
||||
+
|
||||
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
|
||||
index 79048c4..6cf8b94 100644
|
||||
--- a/policy/modules/system/lvm.te
|
||||
|
|
|
|||
|
|
@ -27934,7 +27934,7 @@ index c62c567..6460877 100644
|
|||
+ allow $1 firewalld_unit_file_t:service all_service_perms;
|
||||
')
|
||||
diff --git a/firewalld.te b/firewalld.te
|
||||
index 98072a3..a0c36b3 100644
|
||||
index 98072a3..1b550dd 100644
|
||||
--- a/firewalld.te
|
||||
+++ b/firewalld.te
|
||||
@@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t)
|
||||
|
|
@ -27957,7 +27957,7 @@ index 98072a3..a0c36b3 100644
|
|||
|
||||
manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
|
||||
manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
|
||||
+relabelfrom_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
|
||||
+relabel_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
|
||||
+manage_lnk_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
|
||||
|
||||
allow firewalld_t firewalld_var_log_t:file append_file_perms;
|
||||
|
|
@ -44249,7 +44249,7 @@ index d314333..27ede09 100644
|
|||
+ ')
|
||||
')
|
||||
diff --git a/lsm.te b/lsm.te
|
||||
index 4ec0eea..0c195ed 100644
|
||||
index 4ec0eea..022172c 100644
|
||||
--- a/lsm.te
|
||||
+++ b/lsm.te
|
||||
@@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0)
|
||||
|
|
@ -44284,7 +44284,7 @@ index 4ec0eea..0c195ed 100644
|
|||
########################################
|
||||
#
|
||||
# Local policy
|
||||
@@ -26,4 +44,61 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
|
||||
@@ -26,4 +44,67 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
|
||||
manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
|
||||
files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
|
||||
|
||||
|
|
@ -44303,6 +44303,7 @@ index 4ec0eea..0c195ed 100644
|
|||
+allow lsmd_plugin_t self:udp_socket create_socket_perms;
|
||||
+allow lsmd_plugin_t self:tcp_socket create_stream_socket_perms;
|
||||
+allow lsmd_plugin_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
+allow lsmd_plugin_t self:capability { sys_rawio } ;
|
||||
+
|
||||
+domtrans_pattern(lsmd_t, lsmd_plugin_exec_t, lsmd_plugin_t)
|
||||
+allow lsmd_plugin_t lsmd_t:unix_stream_socket { read write };
|
||||
|
|
@ -44325,6 +44326,7 @@ index 4ec0eea..0c195ed 100644
|
|||
+auth_read_passwd(lsmd_plugin_t)
|
||||
+
|
||||
+dev_read_urand(lsmd_plugin_t)
|
||||
+dev_read_sysfs(lsmd_plugin_t)
|
||||
+
|
||||
+corecmd_exec_bin(lsmd_plugin_t)
|
||||
+
|
||||
|
|
@ -44343,9 +44345,13 @@ index 4ec0eea..0c195ed 100644
|
|||
+logging_send_syslog_msg(lsmd_plugin_t)
|
||||
+
|
||||
+miscfiles_read_certs(lsmd_plugin_t)
|
||||
+miscfiles_read_hwdata(lsmd_plugin_t)
|
||||
+
|
||||
+sysnet_read_config(lsmd_plugin_t)
|
||||
+
|
||||
+storage_raw_rw_fixed_disk(lsmd_plugin_t)
|
||||
+storage_read_scsi_generic(lsmd_plugin_t)
|
||||
+storage_write_scsi_generic(lsmd_plugin_t)
|
||||
diff --git a/mailman.fc b/mailman.fc
|
||||
index 995d0a5..3d40d59 100644
|
||||
--- a/mailman.fc
|
||||
|
|
@ -61002,17 +61008,22 @@ index 3b6920e..3e9b17f 100644
|
|||
userdom_dontaudit_search_user_home_dirs(openct_t)
|
||||
|
||||
diff --git a/openhpi.te b/openhpi.te
|
||||
index 8de6191..13fa6d2 100644
|
||||
index 8de6191..af7f2a8 100644
|
||||
--- a/openhpi.te
|
||||
+++ b/openhpi.te
|
||||
@@ -50,7 +50,6 @@ corenet_tcp_sendrecv_openhpid_port(openhpid_t)
|
||||
@@ -50,8 +50,10 @@ corenet_tcp_sendrecv_openhpid_port(openhpid_t)
|
||||
|
||||
dev_read_urand(openhpid_t)
|
||||
|
||||
-files_read_etc_files(openhpid_t)
|
||||
|
||||
-
|
||||
logging_send_syslog_msg(openhpid_t)
|
||||
|
||||
miscfiles_read_localization(openhpid_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ snmp_read_snmp_var_lib_files(openhpid_t)
|
||||
+')
|
||||
diff --git a/openhpid.fc b/openhpid.fc
|
||||
new file mode 100644
|
||||
index 0000000..9441fd7
|
||||
|
|
@ -84654,7 +84665,7 @@ index 6dbc905..4b17c93 100644
|
|||
- admin_pattern($1, rhsmcertd_lock_t)
|
||||
')
|
||||
diff --git a/rhsmcertd.te b/rhsmcertd.te
|
||||
index d32e1a2..96227fa 100644
|
||||
index d32e1a2..e44a0d9 100644
|
||||
--- a/rhsmcertd.te
|
||||
+++ b/rhsmcertd.te
|
||||
@@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t)
|
||||
|
|
@ -84693,7 +84704,7 @@ index d32e1a2..96227fa 100644
|
|||
manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
|
||||
manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
|
||||
|
||||
@@ -50,25 +56,71 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
|
||||
@@ -50,25 +56,75 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
|
||||
files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
|
||||
|
||||
kernel_read_network_state(rhsmcertd_t)
|
||||
|
|
@ -84769,6 +84780,10 @@ index d32e1a2..96227fa 100644
|
|||
+
|
||||
+optional_policy(`
|
||||
+ virt_signull(rhsmcertd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ unconfined_signull(rhsmcertd_t)
|
||||
')
|
||||
diff --git a/ricci.if b/ricci.if
|
||||
index 2ab3ed1..23d579c 100644
|
||||
|
|
@ -100963,6 +100978,258 @@ index ffde368..0000000
|
|||
-optional_policy(`
|
||||
- rpm_exec(stapserver_t)
|
||||
-')
|
||||
diff --git a/targetd.fc b/targetd.fc
|
||||
new file mode 100644
|
||||
index 0000000..c1ef053
|
||||
--- /dev/null
|
||||
+++ b/targetd.fc
|
||||
@@ -0,0 +1,5 @@
|
||||
+/etc/target(/.*)? gen_context(system_u:object_r:targetd_etc_rw_t,s0)
|
||||
+
|
||||
+/usr/bin/targetd -- gen_context(system_u:object_r:targetd_exec_t,s0)
|
||||
+
|
||||
+/usr/lib/systemd/system/targetd.* -- gen_context(system_u:object_r:targetd_unit_file_t,s0)
|
||||
diff --git a/targetd.if b/targetd.if
|
||||
new file mode 100644
|
||||
index 0000000..a6e216c
|
||||
--- /dev/null
|
||||
+++ b/targetd.if
|
||||
@@ -0,0 +1,167 @@
|
||||
+
|
||||
+## <summary> Targetd is a service to allow the remote configuration of block device volumes and file systems within dedicated pools </summary>
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute targetd_exec_t in the targetd domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed to transition.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`targetd_domtrans',`
|
||||
+ gen_require(`
|
||||
+ type targetd_t, targetd_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ corecmd_search_bin($1)
|
||||
+ domtrans_pattern($1, targetd_exec_t, targetd_t)
|
||||
+')
|
||||
+
|
||||
+######################################
|
||||
+## <summary>
|
||||
+## Execute targetd in the caller domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`targetd_exec',`
|
||||
+ gen_require(`
|
||||
+ type targetd_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ corecmd_search_bin($1)
|
||||
+ can_exec($1, targetd_exec_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Search targetd conf directories.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`targetd_search_conf',`
|
||||
+ gen_require(`
|
||||
+ type targetd_etc_rw_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 targetd_etc_rw_t:dir search_dir_perms;
|
||||
+ files_search_etc($1)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read targetd conf files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`targetd_read_conf_files',`
|
||||
+ gen_require(`
|
||||
+ type targetd_etc_rw_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 targetd_etc_rw_t:dir list_dir_perms;
|
||||
+ read_files_pattern($1, targetd_etc_rw_t, targetd_etc_rw_t)
|
||||
+ files_search_etc($1)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Manage targetd conf files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`targetd_manage_conf_files',`
|
||||
+ gen_require(`
|
||||
+ type targetd_etc_rw_t;
|
||||
+ ')
|
||||
+
|
||||
+ manage_files_pattern($1, targetd_etc_rw_t, targetd_etc_rw_t)
|
||||
+ files_search_etc($1)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute targetd server in the targetd domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed to transition.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`targetd_systemctl',`
|
||||
+ gen_require(`
|
||||
+ type targetd_t;
|
||||
+ type targetd_unit_file_t;
|
||||
+ ')
|
||||
+
|
||||
+ systemd_exec_systemctl($1)
|
||||
+ systemd_read_fifo_file_passwd_run($1)
|
||||
+ allow $1 targetd_unit_file_t:file read_file_perms;
|
||||
+ allow $1 targetd_unit_file_t:service manage_service_perms;
|
||||
+
|
||||
+ ps_process_pattern($1, targetd_t)
|
||||
+')
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## All of the rules required to administrate
|
||||
+## an targetd environment
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="role">
|
||||
+## <summary>
|
||||
+## Role allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`targetd_admin',`
|
||||
+ gen_require(`
|
||||
+ type targetd_t;
|
||||
+ type targetd_etc_rw_t;
|
||||
+ type targetd_unit_file_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 targetd_t:process { signal_perms };
|
||||
+ ps_process_pattern($1, targetd_t)
|
||||
+
|
||||
+ tunable_policy(`deny_ptrace',`',`
|
||||
+ allow $1 targetd_t:process ptrace;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_etc($1)
|
||||
+ admin_pattern($1, targetd_etc_rw_t)
|
||||
+
|
||||
+ targetd_systemctl($1)
|
||||
+ admin_pattern($1, targetd_unit_file_t)
|
||||
+ allow $1 targetd_unit_file_t:service all_service_perms;
|
||||
+ optional_policy(`
|
||||
+ systemd_passwd_agent_exec($1)
|
||||
+ systemd_read_fifo_file_passwd_run($1)
|
||||
+ ')
|
||||
+')
|
||||
+
|
||||
diff --git a/targetd.te b/targetd.te
|
||||
new file mode 100644
|
||||
index 0000000..a2cb50c
|
||||
--- /dev/null
|
||||
+++ b/targetd.te
|
||||
@@ -0,0 +1,62 @@
|
||||
+policy_module(targetd, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# Declarations
|
||||
+#
|
||||
+
|
||||
+type targetd_t;
|
||||
+type targetd_exec_t;
|
||||
+init_daemon_domain(targetd_t, targetd_exec_t)
|
||||
+
|
||||
+type targetd_etc_rw_t;
|
||||
+files_type(targetd_etc_rw_t)
|
||||
+
|
||||
+type targetd_unit_file_t;
|
||||
+systemd_unit_file(targetd_unit_file_t)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# targetd local policy
|
||||
+#
|
||||
+
|
||||
+allow targetd_t self:fifo_file rw_fifo_file_perms;
|
||||
+allow targetd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+allow targetd_t self:tcp_socket listen;
|
||||
+allow targetd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
+allow targetd_t self:process setfscreate;
|
||||
+
|
||||
+manage_dirs_pattern(targetd_t, targetd_etc_rw_t, targetd_etc_rw_t)
|
||||
+manage_files_pattern(targetd_t, targetd_etc_rw_t, targetd_etc_rw_t)
|
||||
+files_etc_filetrans(targetd_t, targetd_etc_rw_t, { dir file })
|
||||
+
|
||||
+kernel_read_system_state(targetd_t)
|
||||
+
|
||||
+auth_use_nsswitch(targetd_t)
|
||||
+
|
||||
+corecmd_exec_shell(targetd_t)
|
||||
+
|
||||
+corenet_tcp_bind_generic_node(targetd_t)
|
||||
+corenet_tcp_bind_lsm_plugin_port(targetd_t)
|
||||
+
|
||||
+dev_read_sysfs(targetd_t)
|
||||
+dev_read_urand(targetd_t)
|
||||
+
|
||||
+libs_exec_ldconfig(targetd_t)
|
||||
+
|
||||
+storage_getattr_fixed_disk_dev(targetd_t)
|
||||
+storage_getattr_removable_dev(targetd_t)
|
||||
+
|
||||
+sysnet_read_config(targetd_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ lvm_read_config(targetd_t)
|
||||
+ lvm_read_metadata(targetd_t)
|
||||
+ lvm_manage_lock(targetd_t)
|
||||
+ lvm_stream_connect(targetd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ udev_read_pid_files(targetd_t)
|
||||
+')
|
||||
+
|
||||
diff --git a/tcpd.te b/tcpd.te
|
||||
index 2d6d2c2..db18a80 100644
|
||||
--- a/tcpd.te
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@
|
|||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 139%{?dist}
|
||||
Release: 140%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
|
|
@ -647,6 +647,14 @@ exit 0
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Aug 05 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-140
|
||||
- firewalld needs to relabel own config files. BZ(#1250537)
|
||||
- Allow rhsmcertd to send signull to unconfined_service
|
||||
- Allow lsm_plugin_t to rw raw_fixed_disk.
|
||||
- Allow lsm_plugin_t to read sysfs, read hwdata, rw to scsi_generic_device
|
||||
- Allow openhpid to use libsnmp_bc plugin (allow read snmp lib files).
|
||||
|
||||
|
||||
* Tue Aug 04 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-139
|
||||
- Add header for sslh.if file
|
||||
- Fix sslh_admin() interface
|
||||
|
|
|
|||
Loading…
Reference in New Issue