- Allow httpd_t to connect to osapi_compute port using httpd_use_openstac
- Fixes for dlm_controld - Fix apache_read_sys_content_rw_dirs() interface - Allow logrotate to read /var/log/z-push dir - Allow postfix_postdrop to access postfix_public socket - Allow sched_setscheduler for cupsd_t - Add missing context for /usr/sbin/snmpd - Allow consolehelper more access discovered by Tom London - Allow fsdaemon to send signull to all domain - Add port definition for osapi_compute port - Allow unconfined to create /etc/hostname with correct labeling - Add systemd_filetrans_named_hostname() interface
This commit is contained in:
parent
a48e548c78
commit
d8b4fa387f
@ -5074,7 +5074,7 @@ index 8e0f9cd..b9f45b9 100644
|
||||
|
||||
define(`create_packet_interfaces',``
|
||||
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
|
||||
index 4edc40d..fba95c8 100644
|
||||
index 4edc40d..a69e038 100644
|
||||
--- a/policy/modules/kernel/corenetwork.te.in
|
||||
+++ b/policy/modules/kernel/corenetwork.te.in
|
||||
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
|
||||
@ -5259,7 +5259,7 @@ index 4edc40d..fba95c8 100644
|
||||
network_port(msnp, tcp,1863,s0, udp,1863,s0)
|
||||
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
|
||||
network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
|
||||
@@ -188,13 +220,13 @@ network_port(mysqlmanagerd, tcp,2273,s0)
|
||||
@@ -188,21 +220,28 @@ network_port(mysqlmanagerd, tcp,2273,s0)
|
||||
network_port(nessus, tcp,1241,s0)
|
||||
network_port(netport, tcp,3129,s0, udp,3129,s0)
|
||||
network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
|
||||
@ -5276,7 +5276,9 @@ index 4edc40d..fba95c8 100644
|
||||
network_port(ocsp, tcp,9080,s0)
|
||||
network_port(openhpid, tcp,4743,s0, udp,4743,s0)
|
||||
network_port(openvpn, tcp,1194,s0, udp,1194,s0)
|
||||
@@ -203,6 +235,12 @@ network_port(pegasus_http, tcp,5988,s0)
|
||||
+network_port(osapi_compute, tcp, 8774, s0)
|
||||
network_port(pdps, tcp,1314,s0, udp,1314,s0)
|
||||
network_port(pegasus_http, tcp,5988,s0)
|
||||
network_port(pegasus_https, tcp,5989,s0)
|
||||
network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
|
||||
network_port(pingd, tcp,9125,s0)
|
||||
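Review bot: The new `network_port(osapi_compute, tcp, 8774, s0)` entry is the only line in this part of the port table written with spaces after the commas; the neighbouring definitions use the compact `tcp,NNNN,s0` form. Matching them keeps the table uniform and greppable: `network_port(osapi_compute, tcp,8774,s0)`. Its alphabetical placement between openvpn and pdps is correct.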
@ -5289,7 +5291,7 @@ index 4edc40d..fba95c8 100644
|
||||
network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0)
|
||||
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
|
||||
network_port(portmap, udp,111,s0, tcp,111,s0)
|
||||
@@ -214,38 +252,41 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
|
||||
@@ -214,38 +253,41 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
|
||||
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
|
||||
network_port(printer, tcp,515,s0)
|
||||
network_port(ptal, tcp,5703,s0)
|
||||
@ -5337,7 +5339,7 @@ index 4edc40d..fba95c8 100644
|
||||
network_port(ssh, tcp,22,s0)
|
||||
network_port(stunnel) # no defined portcon
|
||||
network_port(svn, tcp,3690,s0, udp,3690,s0)
|
||||
@@ -257,8 +298,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
|
||||
@@ -257,8 +299,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
|
||||
network_port(tcs, tcp, 30003, s0)
|
||||
network_port(telnetd, tcp,23,s0)
|
||||
network_port(tftp, udp,69,s0)
|
||||
@ -5348,7 +5350,7 @@ index 4edc40d..fba95c8 100644
|
||||
network_port(transproxy, tcp,8081,s0)
|
||||
network_port(trisoap, tcp,10200,s0, udp,10200,s0)
|
||||
network_port(ups, tcp,3493,s0)
|
||||
@@ -268,10 +310,10 @@ network_port(varnishd, tcp,6081-6082,s0)
|
||||
@@ -268,10 +311,10 @@ network_port(varnishd, tcp,6081-6082,s0)
|
||||
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
|
||||
network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
|
||||
network_port(virt_migration, tcp,49152-49216,s0)
|
||||
@ -5361,7 +5363,7 @@ index 4edc40d..fba95c8 100644
|
||||
network_port(winshadow, tcp,3161,s0, udp,3261,s0)
|
||||
network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
|
||||
network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
|
||||
@@ -292,12 +334,16 @@ network_port(zope, tcp,8021,s0)
|
||||
@@ -292,12 +335,16 @@ network_port(zope, tcp,8021,s0)
|
||||
# Defaults for reserved ports. Earlier portcon entries take precedence;
|
||||
# these entries just cover any remaining reserved ports not otherwise declared.
|
||||
|
||||
@ -5380,7 +5382,7 @@ index 4edc40d..fba95c8 100644
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -330,6 +376,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
|
||||
@@ -330,6 +377,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
|
||||
|
||||
build_option(`enable_mls',`
|
||||
network_interface(lo, lo, s0 - mls_systemhigh)
|
||||
@ -5389,7 +5391,7 @@ index 4edc40d..fba95c8 100644
|
||||
',`
|
||||
typealias netif_t alias { lo_netif_t netif_lo_t };
|
||||
')
|
||||
@@ -342,9 +390,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
|
||||
@@ -342,9 +391,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
|
||||
allow corenet_unconfined_type node_type:node *;
|
||||
allow corenet_unconfined_type netif_type:netif *;
|
||||
allow corenet_unconfined_type packet_type:packet *;
|
||||
@ -7747,7 +7749,7 @@ index 6a1e4d1..adafd25 100644
|
||||
+ dontaudit $1 domain:socket_class_set { read write };
|
||||
')
|
||||
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
|
||||
index cf04cb5..274ef6d 100644
|
||||
index cf04cb5..dc4207f 100644
|
||||
--- a/policy/modules/kernel/domain.te
|
||||
+++ b/policy/modules/kernel/domain.te
|
||||
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
|
||||
@ -7873,7 +7875,7 @@ index cf04cb5..274ef6d 100644
|
||||
|
||||
# Create/access any System V IPC objects.
|
||||
allow unconfined_domain_type domain:{ sem msgq shm } *;
|
||||
@@ -166,5 +227,265 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
|
||||
@@ -166,5 +227,266 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
|
||||
# act on all domains keys
|
||||
allow unconfined_domain_type domain:key *;
|
||||
|
||||
@ -8014,6 +8016,7 @@ index cf04cb5..274ef6d 100644
|
||||
+ systemd_login_reboot(unconfined_domain_type)
|
||||
+ systemd_login_halt(unconfined_domain_type)
|
||||
+ systemd_login_undefined(unconfined_domain_type)
|
||||
+ systemd_filetrans_named_hostname(unconfined_domain_type)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
@ -35717,10 +35720,10 @@ index 0000000..4e12420
|
||||
+/var/run/initramfs(/.*)? <<none>>
|
||||
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
|
||||
new file mode 100644
|
||||
index 0000000..2927875
|
||||
index 0000000..16c7767
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/system/systemd.if
|
||||
@@ -0,0 +1,1103 @@
|
||||
@@ -0,0 +1,1122 @@
|
||||
+## <summary>SELinux policy for systemd components</summary>
|
||||
+
|
||||
+######################################
|
||||
@ -36574,6 +36577,25 @@ index 0000000..2927875
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Transition to systemd named content for /etc/hostname
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`systemd_filetrans_named_hostname',`
|
||||
+ gen_require(`
|
||||
+ type hostname_etc_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_etc_filetrans($1, hostname_etc_t, file, "hostname" )
|
||||
+ files_etc_filetrans($1, hostname_etc_t, file, "machine-info" )
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Get the system status information from systemd_login
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
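Review bot: The summary of the new `systemd_filetrans_named_hostname` interface names only /etc/hostname, but the body also transitions `"machine-info"` to hostname_etc_t, so a caller reading the interface documentation would not expect the second file to end up with that label. Suggested summary line: `## Transition to systemd named content for /etc/hostname and /etc/machine-info`. The two `files_etc_filetrans` calls also carry a stray space before the closing parenthesis (`"hostname" )`), which is unusual for these calls and worth tidying while the interface is new.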
|
@ -3048,7 +3048,7 @@ index 550a69e..78579c0 100644
|
||||
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
diff --git a/apache.if b/apache.if
|
||||
index 83e899c..e3bed6a 100644
|
||||
index 83e899c..c0ece1b 100644
|
||||
--- a/apache.if
|
||||
+++ b/apache.if
|
||||
@@ -1,9 +1,9 @@
|
||||
@ -3865,7 +3865,7 @@ index 83e899c..e3bed6a 100644
|
||||
interface(`apache_manage_sys_content',`
|
||||
gen_require(`
|
||||
type httpd_sys_content_t;
|
||||
@@ -855,32 +922,78 @@ interface(`apache_manage_sys_content',`
|
||||
@@ -855,32 +922,98 @@ interface(`apache_manage_sys_content',`
|
||||
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
|
||||
')
|
||||
|
||||
@ -3890,6 +3890,26 @@ index 83e899c..e3bed6a 100644
|
||||
+ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
|
||||
+')
|
||||
+
|
||||
+######################################
|
||||
+## <summary>
|
||||
+## Allow the specified domain to read
|
||||
+## apache system content rw dirs.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`apache_read_sys_content_rw_dirs',`
|
||||
+ gen_require(`
|
||||
+ type httpd_sys_rw_content_t;
|
||||
+ ')
|
||||
+
|
||||
+ list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
|
||||
+')
|
||||
+
|
||||
+######################################
|
||||
## <summary>
|
||||
-## Create, read, write, and delete
|
||||
@ -3952,7 +3972,7 @@ index 83e899c..e3bed6a 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -888,10 +1001,17 @@ interface(`apache_manage_sys_rw_content',`
|
||||
@@ -888,10 +1021,17 @@ interface(`apache_manage_sys_rw_content',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -3971,7 +3991,7 @@ index 83e899c..e3bed6a 100644
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
||||
@@ -901,9 +1021,8 @@ interface(`apache_domtrans_sys_script',`
|
||||
@@ -901,9 +1041,8 @@ interface(`apache_domtrans_sys_script',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -3983,7 +4003,7 @@ index 83e899c..e3bed6a 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -941,7 +1060,7 @@ interface(`apache_domtrans_all_scripts',`
|
||||
@@ -941,7 +1080,7 @@ interface(`apache_domtrans_all_scripts',`
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute all user scripts in the user
|
||||
@ -3992,7 +4012,7 @@ index 83e899c..e3bed6a 100644
|
||||
## to the specified role.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -954,6 +1073,7 @@ interface(`apache_domtrans_all_scripts',`
|
||||
@@ -954,6 +1093,7 @@ interface(`apache_domtrans_all_scripts',`
|
||||
## Role allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
@ -4000,7 +4020,7 @@ index 83e899c..e3bed6a 100644
|
||||
#
|
||||
interface(`apache_run_all_scripts',`
|
||||
gen_require(`
|
||||
@@ -966,7 +1086,8 @@ interface(`apache_run_all_scripts',`
|
||||
@@ -966,7 +1106,8 @@ interface(`apache_run_all_scripts',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -4010,7 +4030,7 @@ index 83e899c..e3bed6a 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -979,12 +1100,13 @@ interface(`apache_read_squirrelmail_data',`
|
||||
@@ -979,12 +1120,13 @@ interface(`apache_read_squirrelmail_data',`
|
||||
type httpd_squirrelmail_t;
|
||||
')
|
||||
|
||||
@ -4026,7 +4046,7 @@ index 83e899c..e3bed6a 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1002,7 +1124,7 @@ interface(`apache_append_squirrelmail_data',`
|
||||
@@ -1002,7 +1144,7 @@ interface(`apache_append_squirrelmail_data',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -4035,7 +4055,7 @@ index 83e899c..e3bed6a 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1015,13 +1137,12 @@ interface(`apache_search_sys_content',`
|
||||
@@ -1015,13 +1157,12 @@ interface(`apache_search_sys_content',`
|
||||
type httpd_sys_content_t;
|
||||
')
|
||||
|
||||
@ -4050,7 +4070,7 @@ index 83e899c..e3bed6a 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1041,7 +1162,7 @@ interface(`apache_read_sys_content',`
|
||||
@@ -1041,7 +1182,7 @@ interface(`apache_read_sys_content',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -4059,7 +4079,7 @@ index 83e899c..e3bed6a 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1059,8 +1180,7 @@ interface(`apache_search_sys_scripts',`
|
||||
@@ -1059,8 +1200,7 @@ interface(`apache_search_sys_scripts',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -4069,7 +4089,7 @@ index 83e899c..e3bed6a 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1070,13 +1190,22 @@ interface(`apache_search_sys_scripts',`
|
||||
@@ -1070,13 +1210,22 @@ interface(`apache_search_sys_scripts',`
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`apache_manage_all_user_content',`
|
||||
@ -4095,7 +4115,7 @@ index 83e899c..e3bed6a 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1094,7 +1223,8 @@ interface(`apache_search_sys_script_state',`
|
||||
@@ -1094,7 +1243,8 @@ interface(`apache_search_sys_script_state',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -4105,7 +4125,7 @@ index 83e899c..e3bed6a 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1111,10 +1241,29 @@ interface(`apache_read_tmp_files',`
|
||||
@@ -1111,10 +1261,29 @@ interface(`apache_read_tmp_files',`
|
||||
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
|
||||
')
|
||||
|
||||
@ -4137,7 +4157,7 @@ index 83e899c..e3bed6a 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1127,7 +1276,7 @@ interface(`apache_dontaudit_write_tmp_files',`
|
||||
@@ -1127,7 +1296,7 @@ interface(`apache_dontaudit_write_tmp_files',`
|
||||
type httpd_tmp_t;
|
||||
')
|
||||
|
||||
@ -4146,7 +4166,7 @@ index 83e899c..e3bed6a 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1136,6 +1285,9 @@ interface(`apache_dontaudit_write_tmp_files',`
|
||||
@@ -1136,6 +1305,9 @@ interface(`apache_dontaudit_write_tmp_files',`
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
@ -4156,7 +4176,7 @@ index 83e899c..e3bed6a 100644
|
||||
## This is an interface to support third party modules
|
||||
## and its use is not allowed in upstream reference
|
||||
## policy.
|
||||
@@ -1165,8 +1317,30 @@ interface(`apache_cgi_domain',`
|
||||
@@ -1165,8 +1337,30 @@ interface(`apache_cgi_domain',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -4189,7 +4209,7 @@ index 83e899c..e3bed6a 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1183,18 +1357,19 @@ interface(`apache_cgi_domain',`
|
||||
@@ -1183,18 +1377,19 @@ interface(`apache_cgi_domain',`
|
||||
interface(`apache_admin',`
|
||||
gen_require(`
|
||||
attribute httpdcontent, httpd_script_exec_type;
|
||||
@ -4218,7 +4238,7 @@ index 83e899c..e3bed6a 100644
|
||||
|
||||
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
@@ -1204,10 +1379,10 @@ interface(`apache_admin',`
|
||||
@@ -1204,10 +1399,10 @@ interface(`apache_admin',`
|
||||
apache_manage_all_content($1)
|
||||
miscfiles_manage_public_files($1)
|
||||
|
||||
@ -4232,7 +4252,7 @@ index 83e899c..e3bed6a 100644
|
||||
admin_pattern($1, httpd_log_t)
|
||||
|
||||
admin_pattern($1, httpd_modules_t)
|
||||
@@ -1218,9 +1393,129 @@ interface(`apache_admin',`
|
||||
@@ -1218,9 +1413,129 @@ interface(`apache_admin',`
|
||||
admin_pattern($1, httpd_var_run_t)
|
||||
files_pid_filetrans($1, httpd_var_run_t, file)
|
||||
|
||||
@ -4367,7 +4387,7 @@ index 83e899c..e3bed6a 100644
|
||||
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
|
||||
')
|
||||
diff --git a/apache.te b/apache.te
|
||||
index 1a82e29..5e167ca 100644
|
||||
index 1a82e29..dfaef83 100644
|
||||
--- a/apache.te
|
||||
+++ b/apache.te
|
||||
@@ -1,297 +1,353 @@
|
||||
@ -6034,13 +6054,13 @@ index 1a82e29..5e167ca 100644
|
||||
-
|
||||
-kernel_dontaudit_search_sysctl(httpd_script_domains)
|
||||
-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
|
||||
+allow httpd_sys_script_t self:process getsched;
|
||||
|
||||
-
|
||||
-corenet_all_recvfrom_unlabeled(httpd_script_domains)
|
||||
-corenet_all_recvfrom_netlabel(httpd_script_domains)
|
||||
-corenet_tcp_sendrecv_generic_if(httpd_script_domains)
|
||||
-corenet_tcp_sendrecv_generic_node(httpd_script_domains)
|
||||
-
|
||||
+allow httpd_sys_script_t self:process getsched;
|
||||
|
||||
-corecmd_exec_all_executables(httpd_script_domains)
|
||||
+allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
|
||||
+allow httpd_sys_script_t httpd_t:tcp_socket { read write };
|
||||
@ -6173,8 +6193,7 @@ index 1a82e29..5e167ca 100644
|
||||
-#
|
||||
-
|
||||
-allow httpd_sys_script_t self:tcp_socket { accept listen };
|
||||
+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
|
||||
|
||||
-
|
||||
-allow httpd_sys_script_t httpd_t:tcp_socket { read write };
|
||||
-
|
||||
-dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
||||
@ -6204,7 +6223,8 @@ index 1a82e29..5e167ca 100644
|
||||
- corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
|
||||
- corenet_tcp_connect_pop_port(httpd_sys_script_t)
|
||||
- corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
|
||||
-
|
||||
+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
|
||||
|
||||
- mta_send_mail(httpd_sys_script_t)
|
||||
- mta_signal_system_mail(httpd_sys_script_t)
|
||||
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
|
||||
@ -6417,7 +6437,7 @@ index 1a82e29..5e167ca 100644
|
||||
kernel_read_system_state(httpd_passwd_t)
|
||||
|
||||
corecmd_exec_bin(httpd_passwd_t)
|
||||
@@ -1376,38 +1501,94 @@ dev_read_urand(httpd_passwd_t)
|
||||
@@ -1376,38 +1501,99 @@ dev_read_urand(httpd_passwd_t)
|
||||
|
||||
domain_use_interactive_fds(httpd_passwd_t)
|
||||
|
||||
@ -6435,23 +6455,33 @@ index 1a82e29..5e167ca 100644
|
||||
+systemd_manage_passwd_run(httpd_passwd_t)
|
||||
+systemd_manage_passwd_run(httpd_t)
|
||||
+#systemd_passwd_agent_dev_template(httpd)
|
||||
+
|
||||
|
||||
-allow httpd_gpg_t self:process setrlimit;
|
||||
+domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
|
||||
+dontaudit httpd_passwd_t httpd_config_t:file read;
|
||||
+
|
||||
|
||||
-allow httpd_gpg_t httpd_t:fd use;
|
||||
-allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms;
|
||||
-allow httpd_gpg_t httpd_t:process sigchld;
|
||||
+search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
|
||||
+corecmd_shell_entry_type(httpd_script_type)
|
||||
+
|
||||
|
||||
-dev_read_rand(httpd_gpg_t)
|
||||
-dev_read_urand(httpd_gpg_t)
|
||||
+allow httpd_script_type self:fifo_file rw_file_perms;
|
||||
+allow httpd_script_type self:unix_stream_socket connectto;
|
||||
+
|
||||
|
||||
-files_read_usr_files(httpd_gpg_t)
|
||||
+allow httpd_script_type httpd_t:fifo_file write;
|
||||
+# apache should set close-on-exec
|
||||
+apache_dontaudit_leaks(httpd_script_type)
|
||||
+
|
||||
|
||||
-miscfiles_read_localization(httpd_gpg_t)
|
||||
+append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)
|
||||
+logging_search_logs(httpd_script_type)
|
||||
+
|
||||
|
||||
-tunable_policy(`httpd_gpg_anon_write',`
|
||||
- miscfiles_manage_public_files(httpd_gpg_t)
|
||||
+kernel_dontaudit_search_sysctl(httpd_script_type)
|
||||
+kernel_dontaudit_search_kernel_sysctl(httpd_script_type)
|
||||
+
|
||||
@ -6466,34 +6496,24 @@ index 1a82e29..5e167ca 100644
|
||||
+
|
||||
+libs_exec_ld_so(httpd_script_type)
|
||||
+libs_exec_lib_files(httpd_script_type)
|
||||
|
||||
-allow httpd_gpg_t self:process setrlimit;
|
||||
+
|
||||
+miscfiles_read_fonts(httpd_script_type)
|
||||
+miscfiles_read_public_files(httpd_script_type)
|
||||
|
||||
-allow httpd_gpg_t httpd_t:fd use;
|
||||
-allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms;
|
||||
-allow httpd_gpg_t httpd_t:process sigchld;
|
||||
+
|
||||
+allow httpd_t httpd_script_type:unix_stream_socket connectto;
|
||||
|
||||
-dev_read_rand(httpd_gpg_t)
|
||||
-dev_read_urand(httpd_gpg_t)
|
||||
+
|
||||
+allow httpd_t httpd_script_exec_type:file read_file_perms;
|
||||
+allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
|
||||
+allow httpd_t httpd_script_type:process { signal sigkill sigstop };
|
||||
+allow httpd_t httpd_script_exec_type:dir list_dir_perms;
|
||||
|
||||
-files_read_usr_files(httpd_gpg_t)
|
||||
+
|
||||
+allow httpd_script_type self:process { setsched signal_perms };
|
||||
+allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
|
||||
+allow httpd_script_type self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
-miscfiles_read_localization(httpd_gpg_t)
|
||||
+
|
||||
+allow httpd_script_type httpd_t:fd use;
|
||||
+allow httpd_script_type httpd_t:process sigchld;
|
||||
|
||||
-tunable_policy(`httpd_gpg_anon_write',`
|
||||
- miscfiles_manage_public_files(httpd_gpg_t)
|
||||
+
|
||||
+dontaudit httpd_script_type httpd_t:tcp_socket { read write };
|
||||
+
|
||||
+fs_getattr_xattr_fs(httpd_script_type)
|
||||
@ -6531,6 +6551,11 @@ index 1a82e29..5e167ca 100644
|
||||
+ corenet_tcp_connect_keystone_port(httpd_sys_script_t)
|
||||
+ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
|
||||
+ corenet_tcp_connect_glance_port(httpd_sys_script_t)
|
||||
+ corenet_tcp_connect_osapi_compute_port(httpd_sys_script_t)
|
||||
+')
|
||||
+
|
||||
+tunable_policy(`httpd_use_openstack',`
|
||||
+ corenet_tcp_connect_osapi_compute_port(httpd_t)
|
||||
')
|
||||
diff --git a/apcupsd.fc b/apcupsd.fc
|
||||
index 5ec0e13..2da2368 100644
|
||||
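Review bot: The new `tunable_policy(`httpd_use_openstack',`` block references a boolean that nothing in this hunk declares; a tunable_policy on an undeclared boolean does not build, so unless `gen_tunable(httpd_use_openstack, false)` with its `## <desc>` block is added elsewhere in the patch it needs to go next to the other httpd tunables. Separately, `corenet_tcp_connect_all_ephemeral_ports(httpd_t)` sits in a block whose other rules grant httpd_sys_script_t connections to specific OpenStack ports; that block's `tunable_policy` opens outside the hunk, so it is worth confirming that the boolean it is gated on is meant to widen httpd_t itself to every ephemeral port rather than only the script domain.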
@ -9565,10 +9590,10 @@ index 0c53b18..ef29f6e 100644
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 certmaster_initrc_exec_t system_r;
|
||||
diff --git a/certmaster.te b/certmaster.te
|
||||
index bf82163..5397bb9 100644
|
||||
index bf82163..2b571c7 100644
|
||||
--- a/certmaster.te
|
||||
+++ b/certmaster.te
|
||||
@@ -65,11 +65,8 @@ corenet_tcp_sendrecv_certmaster_port(certmaster_t)
|
||||
@@ -65,11 +65,10 @@ corenet_tcp_sendrecv_certmaster_port(certmaster_t)
|
||||
dev_read_urand(certmaster_t)
|
||||
|
||||
files_list_var(certmaster_t)
|
||||
@ -9580,6 +9605,8 @@ index bf82163..5397bb9 100644
|
||||
-miscfiles_read_localization(certmaster_t)
|
||||
miscfiles_manage_generic_cert_dirs(certmaster_t)
|
||||
miscfiles_manage_generic_cert_files(certmaster_t)
|
||||
+
|
||||
+mta_send_mail(certmaster_t)
|
||||
diff --git a/certmonger.fc b/certmonger.fc
|
||||
index ed298d8..cd8eb4d 100644
|
||||
--- a/certmonger.fc
|
||||
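Review bot: `mta_send_mail(certmaster_t)` is added at top level although it is an interface of a separate module (mta); calls into base modules such as the surrounding `miscfiles_*` lines do not need a wrapper, but a cross-module call does, otherwise certmaster fails to build when mta is not present. Wrap it as `optional_policy(`` / `	mta_send_mail(certmaster_t)` / `')`, matching the optional_policy blocks used elsewhere in the file.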
@ -16063,7 +16090,7 @@ index 06da9a0..ca832e1 100644
|
||||
+ ps_process_pattern($1, cupsd_t)
|
||||
')
|
||||
diff --git a/cups.te b/cups.te
|
||||
index 9f34c2e..3b03f21 100644
|
||||
index 9f34c2e..fb69e2c 100644
|
||||
--- a/cups.te
|
||||
+++ b/cups.te
|
||||
@@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
|
||||
@ -16160,8 +16187,8 @@ index 9f34c2e..3b03f21 100644
|
||||
+# Cups general local policy
|
||||
+#
|
||||
+
|
||||
+allow cups_domain self:capability { setuid setgid };
|
||||
+allow cups_domain self:process signal_perms;
|
||||
+allow cups_domain self:capability { setuid setgid sys_nice };
|
||||
+allow cups_domain self:process { getsched setsched signal_perms };
|
||||
+allow cups_domain self:fifo_file rw_fifo_file_perms;
|
||||
+allow cups_domain self:tcp_socket { accept listen };
|
||||
+
|
||||
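Review bot: The commit message scopes the change to cupsd_t, but the rewritten rules grant `sys_nice` and `{ getsched setsched }` to the whole `cups_domain` attribute, so every domain carrying that attribute gains the ability to change its scheduling policy. If only the scheduler needs it, the narrower form is `allow cupsd_t self:capability sys_nice;` and `allow cupsd_t self:process { getsched setsched };` placed with the cupsd_t-specific rules, leaving the cups_domain lines as they were. Which domains carry cups_domain is declared outside this hunk, so the actual spread cannot be confirmed from here.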
@ -32942,7 +32969,7 @@ index dd8e01a..9cd6b0b 100644
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
diff --git a/logrotate.te b/logrotate.te
|
||||
index 7bab8e5..ed36684 100644
|
||||
index 7bab8e5..3baae66 100644
|
||||
--- a/logrotate.te
|
||||
+++ b/logrotate.te
|
||||
@@ -1,20 +1,18 @@
|
||||
@ -33126,7 +33153,13 @@ index 7bab8e5..ed36684 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -140,11 +159,11 @@ optional_policy(`
|
||||
@@ -135,16 +154,17 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
apache_read_config(logrotate_t)
|
||||
+ apache_read_sys_content_rw_dirs(logrotate_t)
|
||||
apache_domtrans(logrotate_t)
|
||||
apache_signull(logrotate_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -33140,7 +33173,7 @@ index 7bab8e5..ed36684 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -178,7 +197,7 @@ optional_policy(`
|
||||
@@ -178,7 +198,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -33149,7 +33182,7 @@ index 7bab8e5..ed36684 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -198,21 +217,22 @@ optional_policy(`
|
||||
@@ -198,21 +218,22 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -33176,7 +33209,7 @@ index 7bab8e5..ed36684 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -228,10 +248,20 @@ optional_policy(`
|
||||
@@ -228,10 +249,20 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -33197,7 +33230,7 @@ index 7bab8e5..ed36684 100644
|
||||
su_exec(logrotate_t)
|
||||
')
|
||||
|
||||
@@ -241,13 +271,11 @@ optional_policy(`
|
||||
@@ -241,13 +272,11 @@ optional_policy(`
|
||||
|
||||
#######################################
|
||||
#
|
||||
@ -54684,7 +54717,7 @@ index 2e23946..41da729 100644
|
||||
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
|
||||
')
|
||||
diff --git a/postfix.te b/postfix.te
|
||||
index 191a66f..b11469c 100644
|
||||
index 191a66f..7ceaec2 100644
|
||||
--- a/postfix.te
|
||||
+++ b/postfix.te
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -55284,7 +55317,7 @@ index 191a66f..b11469c 100644
|
||||
#
|
||||
|
||||
allow postfix_pipe_t self:process setrlimit;
|
||||
@@ -576,19 +495,24 @@ optional_policy(`
|
||||
@@ -576,19 +495,25 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -55301,6 +55334,7 @@ index 191a66f..b11469c 100644
|
||||
+allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
|
||||
|
||||
rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
|
||||
+rw_sock_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
|
||||
|
||||
+postfix_list_spool(postfix_postdrop_t)
|
||||
manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
|
||||
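Review bot: `rw_sock_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)` only grants read/write on the sock_file inode; if postdrop actually connects to that socket, the permission that matters is `connectto` on the listening domain's unix_stream_socket, which this rule does not cover. The preceding context line, which grants `{ read write }` on postfix_local_t's unix_stream_socket, suggests the real need is a connection, and the usual form for that is `stream_connect_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t, <listening domain>)` with the owning domain taken from the denial. Which postfix domain owns the public socket is not visible in this hunk.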
@ -55314,7 +55348,7 @@ index 191a66f..b11469c 100644
|
||||
|
||||
term_dontaudit_use_all_ptys(postfix_postdrop_t)
|
||||
term_dontaudit_use_all_ttys(postfix_postdrop_t)
|
||||
@@ -603,10 +527,7 @@ optional_policy(`
|
||||
@@ -603,10 +528,7 @@ optional_policy(`
|
||||
cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
|
||||
')
|
||||
|
||||
@ -55326,7 +55360,7 @@ index 191a66f..b11469c 100644
|
||||
optional_policy(`
|
||||
fstools_read_pipes(postfix_postdrop_t)
|
||||
')
|
||||
@@ -621,17 +542,23 @@ optional_policy(`
|
||||
@@ -621,17 +543,23 @@ optional_policy(`
|
||||
|
||||
#######################################
|
||||
#
|
||||
@ -55353,7 +55387,7 @@ index 191a66f..b11469c 100644
|
||||
|
||||
init_sigchld_script(postfix_postqueue_t)
|
||||
init_use_script_fds(postfix_postqueue_t)
|
||||
@@ -647,67 +574,77 @@ optional_policy(`
|
||||
@@ -647,67 +575,77 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -55449,7 +55483,7 @@ index 191a66f..b11469c 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -720,24 +657,27 @@ optional_policy(`
|
||||
@@ -720,24 +658,27 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -55483,7 +55517,7 @@ index 191a66f..b11469c 100644
|
||||
fs_getattr_all_dirs(postfix_smtpd_t)
|
||||
fs_getattr_all_fs(postfix_smtpd_t)
|
||||
|
||||
@@ -754,6 +694,7 @@ optional_policy(`
|
||||
@@ -754,6 +695,7 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
milter_stream_connect_all(postfix_smtpd_t)
|
||||
@ -55491,7 +55525,7 @@ index 191a66f..b11469c 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -764,31 +705,100 @@ optional_policy(`
|
||||
@@ -764,31 +706,100 @@ optional_policy(`
|
||||
sasl_connect(postfix_smtpd_t)
|
||||
')
|
||||
|
||||
@ -64957,7 +64991,7 @@ index 56bc01f..cbca7aa 100644
|
||||
+ allow $1 cluster_unit_file_t:service all_service_perms;
|
||||
')
|
||||
diff --git a/rhcs.te b/rhcs.te
|
||||
index 2c2de9a..bbe8875 100644
|
||||
index 2c2de9a..aa4480c 100644
|
||||
--- a/rhcs.te
|
||||
+++ b/rhcs.te
|
||||
@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
|
||||
@ -65257,7 +65291,16 @@ index 2c2de9a..bbe8875 100644
|
||||
')
|
||||
|
||||
#####################################
|
||||
@@ -98,6 +354,12 @@ fs_manage_configfs_dirs(dlm_controld_t)
|
||||
@@ -79,7 +335,7 @@ optional_policy(`
|
||||
# dlm_controld local policy
|
||||
#
|
||||
|
||||
-allow dlm_controld_t self:capability { net_admin sys_admin sys_resource };
|
||||
+allow dlm_controld_t self:capability { dac_override net_admin sys_admin sys_resource };
|
||||
allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
|
||||
stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
|
||||
@@ -98,6 +354,16 @@ fs_manage_configfs_dirs(dlm_controld_t)
|
||||
|
||||
init_rw_script_tmp_files(dlm_controld_t)
|
||||
|
||||
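Review bot: The capability set for dlm_controld_t gains `dac_override`, which lets the daemon bypass discretionary permission checks on every file the policy already lets it reach, and nothing in the hunk records what access required it. Before widening the domain this way it is worth checking whether the file involved simply has the wrong owner/mode or label, which is the usual root cause of such a denial; if the capability really is needed, a one-line comment above the rule such as `# dac_override: <operation/path from the AVC that motivated it>` keeps the reason auditable. The rest of the dlm_controld_t block continues past this hunk.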
@ -65266,11 +65309,15 @@ index 2c2de9a..bbe8875 100644
|
||||
+optional_policy(`
|
||||
+ corosync_rw_tmpfs(dlm_controld_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ rhcs_stream_connect_cluster(dlm_controld_t)
|
||||
+')
|
||||
+
|
||||
#######################################
|
||||
#
|
||||
# fenced local policy
|
||||
@@ -105,9 +367,13 @@ init_rw_script_tmp_files(dlm_controld_t)
|
||||
@@ -105,9 +371,13 @@ init_rw_script_tmp_files(dlm_controld_t)
|
||||
|
||||
allow fenced_t self:capability { sys_rawio sys_resource };
|
||||
allow fenced_t self:process { getsched signal_perms };
|
||||
@ -65285,7 +65332,7 @@ index 2c2de9a..bbe8875 100644
|
||||
manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
|
||||
files_lock_filetrans(fenced_t, fenced_lock_t, file)
|
||||
|
||||
@@ -118,9 +384,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
|
||||
@@ -118,9 +388,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
|
||||
|
||||
stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
|
||||
|
||||
@ -65296,7 +65343,7 @@ index 2c2de9a..bbe8875 100644
|
||||
|
||||
corecmd_exec_bin(fenced_t)
|
||||
corecmd_exec_shell(fenced_t)
|
||||
@@ -148,9 +413,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
|
||||
@@ -148,9 +417,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
|
||||
|
||||
dev_read_sysfs(fenced_t)
|
||||
dev_read_urand(fenced_t)
|
||||
@ -65307,7 +65354,7 @@ index 2c2de9a..bbe8875 100644
|
||||
|
||||
storage_raw_read_fixed_disk(fenced_t)
|
||||
storage_raw_write_fixed_disk(fenced_t)
|
||||
@@ -160,7 +423,7 @@ term_getattr_pty_fs(fenced_t)
|
||||
@@ -160,7 +427,7 @@ term_getattr_pty_fs(fenced_t)
|
||||
term_use_generic_ptys(fenced_t)
|
||||
term_use_ptmx(fenced_t)
|
||||
|
||||
@ -65316,7 +65363,7 @@ index 2c2de9a..bbe8875 100644
|
||||
|
||||
tunable_policy(`fenced_can_network_connect',`
|
||||
corenet_sendrecv_all_client_packets(fenced_t)
|
||||
@@ -190,10 +453,6 @@ optional_policy(`
|
||||
@@ -190,10 +457,6 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -65327,7 +65374,7 @@ index 2c2de9a..bbe8875 100644
|
||||
lvm_domtrans(fenced_t)
|
||||
lvm_read_config(fenced_t)
|
||||
')
|
||||
@@ -203,6 +462,13 @@ optional_policy(`
|
||||
@@ -203,6 +466,13 @@ optional_policy(`
|
||||
snmp_manage_var_lib_dirs(fenced_t)
|
||||
')
|
||||
|
||||
@ -65341,7 +65388,7 @@ index 2c2de9a..bbe8875 100644
|
||||
#######################################
|
||||
#
|
||||
# foghorn local policy
|
||||
@@ -223,7 +489,8 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t)
|
||||
@@ -223,7 +493,8 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t)
|
||||
|
||||
dev_read_urand(foghorn_t)
|
||||
|
||||
@ -65351,7 +65398,7 @@ index 2c2de9a..bbe8875 100644
|
||||
|
||||
optional_policy(`
|
||||
dbus_connect_system_bus(foghorn_t)
|
||||
@@ -257,6 +524,8 @@ storage_getattr_removable_dev(gfs_controld_t)
|
||||
@@ -257,6 +528,8 @@ storage_getattr_removable_dev(gfs_controld_t)
|
||||
|
||||
init_rw_script_tmp_files(gfs_controld_t)
|
||||
|
||||
@ -65360,7 +65407,7 @@ index 2c2de9a..bbe8875 100644
|
||||
optional_policy(`
|
||||
lvm_exec(gfs_controld_t)
|
||||
dev_rw_lvm_control(gfs_controld_t)
|
||||
@@ -275,10 +544,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
|
||||
@@ -275,10 +548,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
|
||||
|
||||
dev_list_sysfs(groupd_t)
|
||||
|
||||
@ -65373,7 +65420,7 @@ index 2c2de9a..bbe8875 100644
|
||||
######################################
|
||||
#
|
||||
# qdiskd local policy
|
||||
@@ -321,6 +590,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
|
||||
@@ -321,6 +594,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
|
||||
|
||||
auth_use_nsswitch(qdiskd_t)
|
||||
|
||||
@ -73079,7 +73126,7 @@ index cd6c213..34b861a 100644
|
||||
+ allow $1 sanlock_unit_file_t:service all_service_perms;
|
||||
')
|
||||
diff --git a/sanlock.te b/sanlock.te
|
||||
index a34eac4..25ad7ec 100644
|
||||
index a34eac4..b144d40 100644
|
||||
--- a/sanlock.te
|
||||
+++ b/sanlock.te
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -73219,7 +73266,7 @@ index a34eac4..25ad7ec 100644
|
||||
optional_policy(`
|
||||
- virt_kill_all_virt_domains(sanlock_t)
|
||||
+ virt_kill_svirt(sanlock_t)
|
||||
+ virt_kill(sanlock_t)
|
||||
+ virt_kill(sanlock_t)
|
||||
virt_manage_lib_files(sanlock_t)
|
||||
- virt_signal_all_virt_domains(sanlock_t)
|
||||
+ virt_signal_svirt(sanlock_t)
|
||||
@ -75771,7 +75818,7 @@ index e0644b5..ea347cc 100644
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 fsdaemon_initrc_exec_t system_r;
|
||||
diff --git a/smartmon.te b/smartmon.te
|
||||
index 9ade9c5..efefceb 100644
|
||||
index 9ade9c5..60d6c41 100644
|
||||
--- a/smartmon.te
|
||||
+++ b/smartmon.te
|
||||
@@ -60,21 +60,27 @@ kernel_read_system_state(fsdaemon_t)
|
||||
@ -75804,15 +75851,17 @@ index 9ade9c5..efefceb 100644
|
||||
storage_raw_read_fixed_disk(fsdaemon_t)
|
||||
storage_raw_write_fixed_disk(fsdaemon_t)
|
||||
storage_raw_read_removable_device(fsdaemon_t)
|
||||
@@ -85,6 +91,8 @@ term_dontaudit_search_ptys(fsdaemon_t)
|
||||
@@ -83,7 +89,9 @@ storage_write_scsi_generic(fsdaemon_t)
|
||||
|
||||
application_signull(fsdaemon_t)
|
||||
term_dontaudit_search_ptys(fsdaemon_t)
|
||||
|
||||
+auth_read_passwd(fsdaemon_t)
|
||||
-application_signull(fsdaemon_t)
|
||||
+domain_signull_all_domains(fsdaemon_t)
|
||||
+
|
||||
+auth_read_passwd(fsdaemon_t)
|
||||
|
||||
init_read_utmp(fsdaemon_t)
|
||||
|
||||
libs_exec_ld_so(fsdaemon_t)
|
||||
@@ -92,12 +100,13 @@ libs_exec_lib_files(fsdaemon_t)
|
||||
|
||||
logging_send_syslog_msg(fsdaemon_t)
|
||||
@ -76248,9 +76297,17 @@ index 0000000..92c3638
|
||||
+
|
||||
+sysnet_dns_name_resolve(smsd_t)
|
||||
diff --git a/snmp.fc b/snmp.fc
|
||||
index c73fa24..9018dbc 100644
|
||||
index c73fa24..408ff61 100644
|
||||
--- a/snmp.fc
|
||||
+++ b/snmp.fc
|
||||
@@ -1,6 +1,6 @@
|
||||
/etc/rc\.d/init\.d/((snmpd)|(snmptrapd)) -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0)
|
||||
|
||||
-/usr/sbin/snmptrap -- gen_context(system_u:object_r:snmpd_exec_t,s0)
|
||||
+/usr/sbin/snmpd -- gen_context(system_u:object_r:snmpd_exec_t,s0)
|
||||
/usr/sbin/snmptrapd -- gen_context(system_u:object_r:snmpd_exec_t,s0)
|
||||
|
||||
/usr/share/snmp/mibs/\.index -- gen_context(system_u:object_r:snmpd_var_lib_t,s0)
|
||||
@@ -10,9 +10,12 @@
|
||||
|
||||
/var/lib/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
|
||||
@ -83495,7 +83552,7 @@ index cf118fd..cd80e83 100644
|
||||
+ can_exec($1, consolehelper_exec_t)
|
||||
+')
|
||||
diff --git a/userhelper.te b/userhelper.te
|
||||
index 274ed9c..9294dd6 100644
|
||||
index 274ed9c..57a9c3d 100644
|
||||
--- a/userhelper.te
|
||||
+++ b/userhelper.te
|
||||
@@ -1,15 +1,12 @@
|
||||
@ -83516,7 +83573,7 @@ index 274ed9c..9294dd6 100644
|
||||
|
||||
type userhelper_conf_t;
|
||||
files_config_file(userhelper_conf_t)
|
||||
@@ -22,141 +19,71 @@ application_executable_file(consolehelper_exec_t)
|
||||
@@ -22,141 +19,72 @@ application_executable_file(consolehelper_exec_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -83533,8 +83590,8 @@ index 274ed9c..9294dd6 100644
|
||||
-dontaudit consolehelper_type userhelper_conf_t:file audit_access;
|
||||
-read_files_pattern(consolehelper_type, userhelper_conf_t, userhelper_conf_t)
|
||||
+allow consolehelper_domain self:shm create_shm_perms;
|
||||
+allow consolehelper_domain self:capability { setgid setuid dac_override };
|
||||
+allow consolehelper_domain self:process signal;
|
||||
+allow consolehelper_domain self:capability { setgid setuid dac_override sys_nice };
|
||||
+allow consolehelper_domain self:process { signal_perms getsched setsched };
|
||||
|
||||
-domain_use_interactive_fds(consolehelper_type)
|
||||
+allow consolehelper_domain userhelper_conf_t:file audit_access;
|
||||
@ -83600,6 +83657,7 @@ index 274ed9c..9294dd6 100644
|
||||
+userdom_use_user_ptys(consolehelper_domain)
|
||||
+userdom_use_user_ttys(consolehelper_domain)
|
||||
+userdom_read_user_home_content_files(consolehelper_domain)
|
||||
+userdom_search_admin_dir(consolehelper_domain)
|
||||
|
||||
-tunable_policy(`use_samba_home_dirs',`
|
||||
- fs_search_cifs(consolehelper_type)
|
||||
|
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.12.1
|
||||
Release: 27%{?dist}
|
||||
Release: 28%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -526,6 +526,20 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Apr 8 2013 Dan Walsh <dwalsh@redhat.com> 3.12.1-28
|
||||
- Allow httpd_t to connect to osapi_compute port using httpd_use_openstack bolean
|
||||
- Fixes for dlm_controld
|
||||
- Fix apache_read_sys_content_rw_dirs() interface
|
||||
- Allow logrotate to read /var/log/z-push dir
|
||||
- Allow postfix_postdrop to acces postfix_public socket
|
||||
- Allow sched_setscheduler for cupsd_t
|
||||
- Add missing context for /usr/sbin/snmpd
|
||||
- Allow consolehelper more access discovered by Tom London
|
||||
- Allow fsdaemon to send signull to all domain
|
||||
- Add port definition for osapi_compute port
|
||||
- Allow unconfined to create /etc/hostname with correct labeling
|
||||
- Add systemd_filetrans_named_hostname() interface
|
||||
|
||||
* Sat Apr 6 2013 Dan Walsh <dwalsh@redhat.com> 3.12.1-27
|
||||
- Fix file_contexts.subs to label /run/lock correctly
|
||||
|
||||
|