- Allow realmd to create tmp files
- Fix ircssi_home_t type to irssi_home_t - Allow adcli running as realmd_t to connect to ldap port - Allow NetworkManager to transition to ipsec_t, for running strongswan - Make openshift_initrc_t an lxc_domain - Allow gssd to manage user_tmp_t files - Fix handling of irclogs in users homedir - Fix labeling for drupal and wp-content in subdirs of /var/www/html - Allow abrt to read utmp_t file - Fix openshift policy to transition lnk_file, sock_file and fifo_file when created in a - fix labeling for (oo|rhc)-restorer-wrapper.sh - firewalld needs to be able to write to network sysctls - Fix mozilla_plugin_dontaudit_rw_sem() interface - Dontaudit generic ipc read/write to a mozilla_plugin for sandbox_x domains - Add mozilla_plugin_dontaudit_rw_sem() interface - Allow svirt_lxc_t to transition to openshift domains - Allow condor domains block_suspend and dac_override caps - Allow condor_master to read passwd - Allow condor_master to read system state - Allow NetworkManager to transition to ipsec_t, for running strongswan - Lots of access required by lvm_t to create encrypted usb device - Allow xdm_t to dbus communicate with systemd_localed_t - Label strongswan content as ipsec_exec_mgmt_t for now - Allow users to dbus chat with systemd_localed - Fix handling of .xsession-errors in xserver.if, so kde will work - Might be a bug but we are seeing avc's about people status on init_t:service - Make sure we label content under /var/run/lock as <<none>> - Allow daemon and system processes to search init_var_run_t directory - Add boolean to allow xdm to write xauth data to the home directory - Allow mount to write keys for the unconfined domain
parent
30fc9edc15
commit
d9444b18fb
@ -516,7 +516,7 @@ index 058d908..702b716 100644
|
||||
+')
|
||||
+
|
||||
diff --git a/abrt.te b/abrt.te
|
||||
index cc43d25..0842350 100644
|
||||
index cc43d25..563c773 100644
|
||||
--- a/abrt.te
|
||||
+++ b/abrt.te
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -732,7 +732,7 @@ index cc43d25..0842350 100644
|
||||
|
||||
dev_getattr_all_chr_files(abrt_t)
|
||||
dev_getattr_all_blk_files(abrt_t)
|
||||
@@ -163,29 +173,34 @@ files_getattr_all_files(abrt_t)
|
||||
@@ -163,29 +173,36 @@ files_getattr_all_files(abrt_t)
|
||||
files_read_config_files(abrt_t)
|
||||
files_read_etc_runtime_files(abrt_t)
|
||||
files_read_var_symlinks(abrt_t)
|
||||
@ -756,13 +756,14 @@ index cc43d25..0842350 100644
|
||||
fs_read_nfs_symlinks(abrt_t)
|
||||
fs_search_all(abrt_t)
|
||||
|
||||
-auth_use_nsswitch(abrt_t)
|
||||
-
|
||||
logging_read_generic_logs(abrt_t)
|
||||
+logging_read_generic_logs(abrt_t)
|
||||
+logging_send_syslog_msg(abrt_t)
|
||||
|
||||
+auth_use_nsswitch(abrt_t)
|
||||
+
|
||||
auth_use_nsswitch(abrt_t)
|
||||
|
||||
-logging_read_generic_logs(abrt_t)
|
||||
+init_read_utmp(abrt_t)
|
||||
|
||||
+miscfiles_read_generic_certs(abrt_t)
|
||||
miscfiles_read_public_files(abrt_t)
|
||||
|
||||
@ -771,7 +772,7 @@ index cc43d25..0842350 100644
|
||||
|
||||
tunable_policy(`abrt_anon_write',`
|
||||
miscfiles_manage_public_files(abrt_t)
|
||||
@@ -193,15 +208,11 @@ tunable_policy(`abrt_anon_write',`
|
||||
@@ -193,15 +210,11 @@ tunable_policy(`abrt_anon_write',`
|
||||
|
||||
optional_policy(`
|
||||
apache_list_modules(abrt_t)
|
||||
@ -788,7 +789,7 @@ index cc43d25..0842350 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -209,6 +220,12 @@ optional_policy(`
|
||||
@@ -209,6 +222,12 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -801,7 +802,7 @@ index cc43d25..0842350 100644
|
||||
policykit_domtrans_auth(abrt_t)
|
||||
policykit_read_lib(abrt_t)
|
||||
policykit_read_reload(abrt_t)
|
||||
@@ -220,6 +237,7 @@ optional_policy(`
|
||||
@@ -220,6 +239,7 @@ optional_policy(`
|
||||
corecmd_exec_all_executables(abrt_t)
|
||||
')
|
||||
|
||||
@ -809,7 +810,7 @@ index cc43d25..0842350 100644
|
||||
optional_policy(`
|
||||
rpm_exec(abrt_t)
|
||||
rpm_dontaudit_manage_db(abrt_t)
|
||||
@@ -230,6 +248,7 @@ optional_policy(`
|
||||
@@ -230,6 +250,7 @@ optional_policy(`
|
||||
rpm_signull(abrt_t)
|
||||
')
|
||||
|
||||
@ -817,7 +818,7 @@ index cc43d25..0842350 100644
|
||||
optional_policy(`
|
||||
sendmail_domtrans(abrt_t)
|
||||
')
|
||||
@@ -240,9 +259,17 @@ optional_policy(`
|
||||
@@ -240,9 +261,17 @@ optional_policy(`
|
||||
sosreport_delete_tmp_files(abrt_t)
|
||||
')
|
||||
|
||||
@ -836,7 +837,7 @@ index cc43d25..0842350 100644
|
||||
#
|
||||
|
||||
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
|
||||
@@ -253,9 +280,13 @@ tunable_policy(`abrt_handle_event',`
|
||||
@@ -253,9 +282,13 @@ tunable_policy(`abrt_handle_event',`
|
||||
can_exec(abrt_t, abrt_handle_event_exec_t)
|
||||
')
|
||||
|
||||
@ -851,7 +852,7 @@ index cc43d25..0842350 100644
|
||||
#
|
||||
|
||||
allow abrt_helper_t self:capability { chown setgid sys_nice };
|
||||
@@ -268,6 +299,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
|
||||
@@ -268,6 +301,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
|
||||
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
|
||||
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
|
||||
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
|
||||
@ -859,7 +860,7 @@ index cc43d25..0842350 100644
|
||||
|
||||
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
|
||||
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
|
||||
@@ -276,15 +308,20 @@ corecmd_read_all_executables(abrt_helper_t)
|
||||
@@ -276,15 +310,20 @@ corecmd_read_all_executables(abrt_helper_t)
|
||||
|
||||
domain_read_all_domains_state(abrt_helper_t)
|
||||
|
||||
@ -880,7 +881,7 @@ index cc43d25..0842350 100644
|
||||
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
|
||||
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
|
||||
dev_dontaudit_read_all_blk_files(abrt_helper_t)
|
||||
@@ -292,11 +329,25 @@ ifdef(`hide_broken_symptoms',`
|
||||
@@ -292,11 +331,25 @@ ifdef(`hide_broken_symptoms',`
|
||||
dev_dontaudit_write_all_chr_files(abrt_helper_t)
|
||||
dev_dontaudit_write_all_blk_files(abrt_helper_t)
|
||||
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
|
||||
@ -907,7 +908,7 @@ index cc43d25..0842350 100644
|
||||
#
|
||||
|
||||
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
|
||||
@@ -314,10 +365,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
|
||||
@@ -314,10 +367,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
|
||||
|
||||
dev_read_urand(abrt_retrace_coredump_t)
|
||||
|
||||
@ -921,7 +922,7 @@ index cc43d25..0842350 100644
|
||||
optional_policy(`
|
||||
rpm_exec(abrt_retrace_coredump_t)
|
||||
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
|
||||
@@ -330,10 +383,11 @@ optional_policy(`
|
||||
@@ -330,10 +385,11 @@ optional_policy(`
|
||||
|
||||
#######################################
|
||||
#
|
||||
@ -935,7 +936,7 @@ index cc43d25..0842350 100644
|
||||
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
|
||||
@@ -352,30 +406,38 @@ corecmd_exec_shell(abrt_retrace_worker_t)
|
||||
@@ -352,30 +408,38 @@ corecmd_exec_shell(abrt_retrace_worker_t)
|
||||
|
||||
dev_read_urand(abrt_retrace_worker_t)
|
||||
|
||||
@ -977,7 +978,7 @@ index cc43d25..0842350 100644
|
||||
kernel_read_kernel_sysctls(abrt_dump_oops_t)
|
||||
kernel_read_ring_buffer(abrt_dump_oops_t)
|
||||
|
||||
@@ -384,14 +446,15 @@ domain_use_interactive_fds(abrt_dump_oops_t)
|
||||
@@ -384,14 +448,15 @@ domain_use_interactive_fds(abrt_dump_oops_t)
|
||||
fs_list_inotifyfs(abrt_dump_oops_t)
|
||||
|
||||
logging_read_generic_logs(abrt_dump_oops_t)
|
||||
@ -995,7 +996,7 @@ index cc43d25..0842350 100644
|
||||
|
||||
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
|
||||
|
||||
@@ -400,16 +463,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
|
||||
@@ -400,16 +465,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
|
||||
corecmd_exec_bin(abrt_watch_log_t)
|
||||
|
||||
logging_read_all_logs(abrt_watch_log_t)
|
||||
@ -2721,7 +2722,7 @@ index 0000000..b334e9a
|
||||
+ spamassassin_read_pid_files(antivirus_domain)
|
||||
+')
|
||||
diff --git a/apache.fc b/apache.fc
|
||||
index 550a69e..e714059 100644
|
||||
index 550a69e..78579c0 100644
|
||||
--- a/apache.fc
|
||||
+++ b/apache.fc
|
||||
@@ -1,161 +1,184 @@
|
||||
@ -3018,12 +3019,12 @@ index 550a69e..e714059 100644
|
||||
-/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
-/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
||||
+
|
||||
+/var/www/html/[^/]*/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
|
||||
+/var/www/html/[^/]*/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
|
||||
+/var/www/html(/.*)?/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
|
||||
+/var/www/html(/.*)?/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
|
||||
+
|
||||
+/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||||
+
|
||||
+/var/www/html/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||||
+/var/www/html(/.*)?/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||||
+
|
||||
+/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||||
+
|
||||
@ -12410,7 +12411,7 @@ index 3fe3cb8..684b700 100644
|
||||
+ ')
|
||||
')
|
||||
diff --git a/condor.te b/condor.te
|
||||
index 3f2b672..22ddc47 100644
|
||||
index 3f2b672..2af6e1e 100644
|
||||
--- a/condor.te
|
||||
+++ b/condor.te
|
||||
@@ -46,6 +46,9 @@ files_lock_file(condor_var_lock_t)
|
||||
@ -12423,8 +12424,13 @@ index 3f2b672..22ddc47 100644
|
||||
condor_domain_template(collector)
|
||||
condor_domain_template(negotiator)
|
||||
condor_domain_template(procd)
|
||||
@@ -59,8 +62,9 @@ condor_domain_template(startd)
|
||||
@@ -57,10 +60,14 @@ condor_domain_template(startd)
|
||||
# Global local policy
|
||||
#
|
||||
|
||||
+allow condor_domain self:capability dac_override;
|
||||
+allow condor_domain self:capability2 block_suspend;
|
||||
+
|
||||
allow condor_domain self:process signal_perms;
|
||||
allow condor_domain self:fifo_file rw_fifo_file_perms;
|
||||
-allow condor_domain self:tcp_socket { accept listen };
|
||||
@ -12435,7 +12441,7 @@ index 3f2b672..22ddc47 100644
|
||||
|
||||
manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t)
|
||||
append_files_pattern(condor_domain, condor_log_t, condor_log_t)
|
||||
@@ -86,13 +90,10 @@ allow condor_domain condor_master_t:tcp_socket getattr;
|
||||
@@ -86,13 +93,10 @@ allow condor_domain condor_master_t:tcp_socket getattr;
|
||||
|
||||
kernel_read_kernel_sysctls(condor_domain)
|
||||
kernel_read_network_state(condor_domain)
|
||||
@ -12449,7 +12455,7 @@ index 3f2b672..22ddc47 100644
|
||||
corenet_tcp_sendrecv_generic_if(condor_domain)
|
||||
corenet_tcp_sendrecv_generic_node(condor_domain)
|
||||
|
||||
@@ -106,9 +107,7 @@ dev_read_rand(condor_domain)
|
||||
@@ -106,9 +110,7 @@ dev_read_rand(condor_domain)
|
||||
dev_read_sysfs(condor_domain)
|
||||
dev_read_urand(condor_domain)
|
||||
|
||||
@ -12460,16 +12466,36 @@ index 3f2b672..22ddc47 100644
|
||||
|
||||
tunable_policy(`condor_tcp_network_connect',`
|
||||
corenet_sendrecv_all_client_packets(condor_domain)
|
||||
@@ -150,8 +149,6 @@ corenet_tcp_sendrecv_amqp_port(condor_master_t)
|
||||
@@ -125,7 +127,7 @@ optional_policy(`
|
||||
# Master local policy
|
||||
#
|
||||
|
||||
-allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace };
|
||||
+allow condor_master_t self:capability { setuid setgid sys_ptrace };
|
||||
|
||||
allow condor_master_t condor_domain:process { sigkill signal };
|
||||
|
||||
@@ -133,6 +135,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
|
||||
manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
|
||||
files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
|
||||
|
||||
+can_exec(condor_master_t, condor_master_exec_t)
|
||||
+
|
||||
+kernel_read_system_state(condor_master_tmp_t)
|
||||
+
|
||||
corenet_udp_sendrecv_generic_if(condor_master_t)
|
||||
corenet_udp_sendrecv_generic_node(condor_master_t)
|
||||
corenet_tcp_bind_generic_node(condor_master_t)
|
||||
@@ -150,7 +156,7 @@ corenet_tcp_sendrecv_amqp_port(condor_master_t)
|
||||
|
||||
domain_read_all_domains_state(condor_master_t)
|
||||
|
||||
-auth_use_nsswitch(condor_master_t)
|
||||
-
|
||||
+auth_read_passwd(condor_master_t)
|
||||
|
||||
optional_policy(`
|
||||
mta_send_mail(condor_master_t)
|
||||
mta_read_config(condor_master_t)
|
||||
@@ -178,6 +175,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
|
||||
@@ -178,6 +184,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
|
||||
allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
|
||||
allow condor_negotiator_t condor_master_t:udp_socket getattr;
|
||||
|
||||
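Review bot: `kernel_read_system_state(condor_master_tmp_t)` in the condor_master section passes a file type where the interface expects a process domain, so the rule is at best a no-op and the access the commit message describes ("Allow condor_master to read system state") is never granted; it should read `kernel_read_system_state(condor_master_t)`. The same hunk moves dac_override from condor_master_t to the whole condor_domain attribute, which widens that capability to every condor daemon; if only the master actually needs it, the narrower per-domain grant is preferable. Since the outer diff markers are lost on this rendered page, I cannot tell with certainty which of these lines are new in this commit, so treat the attribute-wide grant as a question rather than a defect.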
@ -12478,7 +12504,16 @@ index 3f2b672..22ddc47 100644
|
||||
######################################
|
||||
#
|
||||
# Procd local policy
|
||||
@@ -209,6 +208,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
|
||||
@@ -201,6 +209,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
|
||||
|
||||
allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
|
||||
|
||||
+allow condor_schedd_t condor_master_tmp_t:dir getattr;
|
||||
+
|
||||
domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
|
||||
domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
|
||||
|
||||
@@ -209,6 +219,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
|
||||
relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
|
||||
files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
|
||||
|
||||
@ -12487,7 +12522,7 @@ index 3f2b672..22ddc47 100644
|
||||
#####################################
|
||||
#
|
||||
# Startd local policy
|
||||
@@ -233,11 +234,10 @@ domain_read_all_domains_state(condor_startd_t)
|
||||
@@ -233,11 +245,10 @@ domain_read_all_domains_state(condor_startd_t)
|
||||
mcs_process_set_categories(condor_startd_t)
|
||||
|
||||
init_domtrans_script(condor_startd_t)
|
||||
@ -12500,7 +12535,7 @@ index 3f2b672..22ddc47 100644
|
||||
optional_policy(`
|
||||
ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
|
||||
ssh_domtrans(condor_startd_t)
|
||||
@@ -249,3 +249,7 @@ optional_policy(`
|
||||
@@ -249,3 +260,7 @@ optional_policy(`
|
||||
kerberos_use(condor_startd_ssh_t)
|
||||
')
|
||||
')
|
||||
@ -18739,7 +18774,7 @@ index d294865..3b4f593 100644
|
||||
+ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
|
||||
')
|
||||
diff --git a/devicekit.te b/devicekit.te
|
||||
index ff933af..41ca7ce 100644
|
||||
index ff933af..fc9d3f4 100644
|
||||
--- a/devicekit.te
|
||||
+++ b/devicekit.te
|
||||
@@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.1)
|
||||
@ -18842,18 +18877,19 @@ index ff933af..41ca7ce 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -180,6 +184,10 @@ optional_policy(`
|
||||
@@ -180,6 +184,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ systemd_read_logind_sessions_files(devicekit_disk_t)
|
||||
+ systemd_write_inhibit_pipes(devicekit_disk_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
udev_domtrans(devicekit_disk_t)
|
||||
udev_read_db(devicekit_disk_t)
|
||||
')
|
||||
@@ -188,12 +196,19 @@ optional_policy(`
|
||||
@@ -188,12 +197,19 @@ optional_policy(`
|
||||
virt_manage_images(devicekit_disk_t)
|
||||
')
|
||||
|
||||
@ -18874,7 +18910,7 @@ index ff933af..41ca7ce 100644
|
||||
allow devicekit_power_t self:process { getsched signal_perms };
|
||||
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
|
||||
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
|
||||
@@ -207,9 +222,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
|
||||
@@ -207,9 +223,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
|
||||
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
|
||||
files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
|
||||
|
||||
@ -18885,7 +18921,7 @@ index ff933af..41ca7ce 100644
|
||||
logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
|
||||
|
||||
manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
|
||||
@@ -242,17 +255,16 @@ domain_read_all_domains_state(devicekit_power_t)
|
||||
@@ -242,17 +256,16 @@ domain_read_all_domains_state(devicekit_power_t)
|
||||
|
||||
files_read_kernel_img(devicekit_power_t)
|
||||
files_read_etc_runtime_files(devicekit_power_t)
|
||||
@ -18905,7 +18941,7 @@ index ff933af..41ca7ce 100644
|
||||
|
||||
sysnet_domtrans_ifconfig(devicekit_power_t)
|
||||
sysnet_domtrans_dhcpc(devicekit_power_t)
|
||||
@@ -269,9 +281,11 @@ optional_policy(`
|
||||
@@ -269,9 +282,11 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
cron_initrc_domtrans(devicekit_power_t)
|
||||
@ -18917,7 +18953,7 @@ index ff933af..41ca7ce 100644
|
||||
dbus_system_bus_client(devicekit_power_t)
|
||||
|
||||
allow devicekit_power_t devicekit_t:dbus send_msg;
|
||||
@@ -302,8 +316,11 @@ optional_policy(`
|
||||
@@ -302,8 +317,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -18930,7 +18966,7 @@ index ff933af..41ca7ce 100644
|
||||
hal_manage_pid_dirs(devicekit_power_t)
|
||||
hal_manage_pid_files(devicekit_power_t)
|
||||
')
|
||||
@@ -341,3 +358,9 @@ optional_policy(`
|
||||
@@ -341,3 +359,9 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
vbetool_domtrans(devicekit_power_t)
|
||||
')
|
||||
@ -22546,7 +22582,7 @@ index 5cf6ac6..839999e 100644
|
||||
+ allow $1 firewalld_unit_file_t:service all_service_perms;
|
||||
')
|
||||
diff --git a/firewalld.te b/firewalld.te
|
||||
index c8014f8..02de884 100644
|
||||
index c8014f8..d84522b 100644
|
||||
--- a/firewalld.te
|
||||
+++ b/firewalld.te
|
||||
@@ -21,11 +21,20 @@ logging_log_file(firewalld_var_log_t)
|
||||
@ -22571,7 +22607,7 @@ index c8014f8..02de884 100644
|
||||
dontaudit firewalld_t self:capability sys_tty_config;
|
||||
allow firewalld_t self:fifo_file rw_fifo_file_perms;
|
||||
allow firewalld_t self:unix_stream_socket { accept listen };
|
||||
@@ -40,8 +49,17 @@ allow firewalld_t firewalld_var_log_t:file read_file_perms;
|
||||
@@ -40,11 +49,21 @@ allow firewalld_t firewalld_var_log_t:file read_file_perms;
|
||||
allow firewalld_t firewalld_var_log_t:file setattr_file_perms;
|
||||
logging_log_filetrans(firewalld_t, firewalld_var_log_t, file)
|
||||
|
||||
@ -22589,7 +22625,11 @@ index c8014f8..02de884 100644
|
||||
|
||||
kernel_read_network_state(firewalld_t)
|
||||
kernel_read_system_state(firewalld_t)
|
||||
@@ -53,20 +71,17 @@ dev_read_urand(firewalld_t)
|
||||
+kernel_rw_net_sysctls(firewalld_t)
|
||||
|
||||
corecmd_exec_bin(firewalld_t)
|
||||
corecmd_exec_shell(firewalld_t)
|
||||
@@ -53,20 +72,17 @@ dev_read_urand(firewalld_t)
|
||||
|
||||
domain_use_interactive_fds(firewalld_t)
|
||||
|
||||
@ -22615,7 +22655,7 @@ index c8014f8..02de884 100644
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_domain(firewalld_t, firewalld_exec_t)
|
||||
@@ -85,6 +100,10 @@ optional_policy(`
|
||||
@@ -85,6 +101,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -28148,8 +28188,20 @@ index 94ec5f8..801417b 100644
|
||||
|
||||
logging_send_syslog_msg(iodined_t)
|
||||
|
||||
diff --git a/irc.fc b/irc.fc
|
||||
index 48e7739..c3285c2 100644
|
||||
--- a/irc.fc
|
||||
+++ b/irc.fc
|
||||
@@ -1,6 +1,6 @@
|
||||
HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
|
||||
HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irc_home_t,s0)
|
||||
-HOME_DIR/irclogs(/.*)? gen_context(system_u:object_r:irc_log_home_t,s0)
|
||||
+HOME_DIR/irclog(/.*)? gen_context(system_u:object_r:issi_home_t,s0)
|
||||
|
||||
/etc/irssi\.conf -- gen_context(system_u:object_r:irc_conf_t,s0)
|
||||
|
||||
diff --git a/irc.if b/irc.if
|
||||
index ac00fb0..06cb083 100644
|
||||
index ac00fb0..53e4fc7 100644
|
||||
--- a/irc.if
|
||||
+++ b/irc.if
|
||||
@@ -20,6 +20,7 @@ interface(`irc_role',`
|
||||
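Review bot: The irc.fc entry `HOME_DIR/irclog(/.*)? gen_context(system_u:object_r:issi_home_t,s0)` references a type `issi_home_t` that nothing declares — irc.te defines `irssi_home_t` (with `irc_log_home_t` as an alias) — so file-context compilation or relabeling will reject this line, and the path pattern `irclog` does not match the `"irclogs"` name used by `userdom_user_home_dir_filetrans($1, irssi_home_t, dir, "irclogs")` in irc.if. The corrected line would be `HOME_DIR/irclogs(/.*)? gen_context(system_u:object_r:irssi_home_t,s0)`. The outer change markers are not recoverable on this page, so this fc line may be pre-existing context rather than part of this commit; either way the irssi_home_t rename in this commit is the point to make the three files agree.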
@ -28160,7 +28212,7 @@ index ac00fb0..06cb083 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -39,10 +40,33 @@ interface(`irc_role',`
|
||||
@@ -39,10 +40,34 @@ interface(`irc_role',`
|
||||
ps_process_pattern($2, irc_t)
|
||||
allow $2 irc_t:process { ptrace signal_perms };
|
||||
|
||||
@ -28195,16 +28247,23 @@ index ac00fb0..06cb083 100644
|
||||
+interface(`irc_filetrans_home_content',`
|
||||
+ gen_require(`
|
||||
+ type irc_home_t;
|
||||
+ type irssi_home_t;
|
||||
+ ')
|
||||
+ userdom_user_home_dir_filetrans($1, irc_home_t, file, ".ircmotd")
|
||||
+ userdom_user_home_dir_filetrans($1, irc_home_t, dir, ".irssi")
|
||||
+ userdom_user_home_dir_filetrans($1, irc_home_t, dir, "irclogs")
|
||||
+ userdom_user_home_dir_filetrans($1, irssi_home_t, dir, "irclogs")
|
||||
')
|
||||
diff --git a/irc.te b/irc.te
|
||||
index ecad9c7..56e2b35 100644
|
||||
index ecad9c7..86d790f 100644
|
||||
--- a/irc.te
|
||||
+++ b/irc.te
|
||||
@@ -37,7 +37,32 @@ userdom_user_home_content(irc_log_home_t)
|
||||
@@ -31,13 +31,35 @@ typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t
|
||||
typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t };
|
||||
userdom_user_home_content(irc_home_t)
|
||||
|
||||
-type irc_log_home_t;
|
||||
-userdom_user_home_content(irc_log_home_t)
|
||||
-
|
||||
type irc_tmp_t;
|
||||
typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t };
|
||||
typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t };
|
||||
@ -28233,12 +28292,12 @@ index ecad9c7..56e2b35 100644
|
||||
+type irssi_etc_t;
|
||||
+files_config_file(irssi_etc_t)
|
||||
+
|
||||
+type irssi_home_t;
|
||||
+type irssi_home_t alias irc_log_home_t;
|
||||
+userdom_user_home_content(irssi_home_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -53,13 +78,7 @@ allow irc_t irc_conf_t:file read_file_perms;
|
||||
@@ -53,13 +75,7 @@ allow irc_t irc_conf_t:file read_file_perms;
|
||||
manage_dirs_pattern(irc_t, irc_home_t, irc_home_t)
|
||||
manage_files_pattern(irc_t, irc_home_t, irc_home_t)
|
||||
manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t)
|
||||
@ -28253,7 +28312,7 @@ index ecad9c7..56e2b35 100644
|
||||
|
||||
manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
|
||||
manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
|
||||
@@ -70,7 +89,6 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
|
||||
@@ -70,7 +86,6 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
|
||||
|
||||
kernel_read_system_state(irc_t)
|
||||
|
||||
@ -28261,7 +28320,7 @@ index ecad9c7..56e2b35 100644
|
||||
corenet_all_recvfrom_netlabel(irc_t)
|
||||
corenet_tcp_sendrecv_generic_if(irc_t)
|
||||
corenet_tcp_sendrecv_generic_node(irc_t)
|
||||
@@ -93,7 +111,6 @@ dev_read_rand(irc_t)
|
||||
@@ -93,7 +108,6 @@ dev_read_rand(irc_t)
|
||||
|
||||
domain_use_interactive_fds(irc_t)
|
||||
|
||||
@ -28269,7 +28328,7 @@ index ecad9c7..56e2b35 100644
|
||||
|
||||
fs_getattr_all_fs(irc_t)
|
||||
fs_search_auto_mountpoints(irc_t)
|
||||
@@ -106,13 +123,15 @@ auth_use_nsswitch(irc_t)
|
||||
@@ -106,13 +120,15 @@ auth_use_nsswitch(irc_t)
|
||||
init_read_utmp(irc_t)
|
||||
init_dontaudit_lock_utmp(irc_t)
|
||||
|
||||
@ -28287,7 +28346,7 @@ index ecad9c7..56e2b35 100644
|
||||
|
||||
tunable_policy(`irc_use_any_tcp_ports',`
|
||||
corenet_sendrecv_all_server_packets(irc_t)
|
||||
@@ -122,18 +141,71 @@ tunable_policy(`irc_use_any_tcp_ports',`
|
||||
@@ -122,18 +138,71 @@ tunable_policy(`irc_use_any_tcp_ports',`
|
||||
corenet_tcp_sendrecv_all_ports(irc_t)
|
||||
')
|
||||
|
||||
@ -36110,7 +36169,7 @@ index 6ffaba2..18e3a70 100644
|
||||
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
|
||||
+')
|
||||
diff --git a/mozilla.if b/mozilla.if
|
||||
index 6194b80..648d041 100644
|
||||
index 6194b80..116d9d2 100644
|
||||
--- a/mozilla.if
|
||||
+++ b/mozilla.if
|
||||
@@ -1,146 +1,75 @@
|
||||
@ -36273,14 +36332,14 @@ index 6194b80..648d041 100644
|
||||
- allow $2 mozilla_plugin_tmpfs_t:file { manage_file_perms relabel_file_perms };
|
||||
- allow $2 mozilla_plugin_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
|
||||
- allow $2 mozilla_plugin_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
|
||||
+ mozilla_filetrans_home_content($2)
|
||||
|
||||
-
|
||||
- allow $2 mozilla_plugin_rw_t:dir list_dir_perms;
|
||||
- allow $2 mozilla_plugin_rw_t:file read_file_perms;
|
||||
- allow $2 mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
|
||||
-
|
||||
- can_exec($2, mozilla_plugin_rw_t)
|
||||
-
|
||||
+ mozilla_filetrans_home_content($2)
|
||||
|
||||
- optional_policy(`
|
||||
- mozilla_dbus_chat_plugin($2)
|
||||
- ')
|
||||
@ -36586,7 +36645,7 @@ index 6194b80..648d041 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -433,76 +320,90 @@ interface(`mozilla_dbus_chat',`
|
||||
@@ -433,76 +320,108 @@ interface(`mozilla_dbus_chat',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -36654,6 +36713,24 @@ index 6194b80..648d041 100644
|
||||
- libs_search_lib($1)
|
||||
- manage_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
|
||||
+ allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms;
|
||||
+')
|
||||
+
|
||||
+#######################################
|
||||
+## <summary>
|
||||
+## Dontaudit generict ipc read/write to a mozilla_plugin
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain to not audit.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`mozilla_plugin_dontaudit_rw_sem',`
|
||||
+ gen_require(`
|
||||
+ type mozilla_plugin_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 mozilla_plugin_t:sem { unix_read unix_write };
|
||||
')
|
||||
|
||||
########################################
|
||||
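Review bot: The new `mozilla_plugin_dontaudit_rw_sem` interface is documented as "Domain to not audit" but its body is `allow $1 mozilla_plugin_t:sem { unix_read unix_write };`, which grants the semaphore access to every caller (the commit message names sandbox_x domains) instead of merely silencing the denial. If the intent is the dontaudit the name and summary describe, the line should be `dontaudit $1 mozilla_plugin_t:sem { unix_read unix_write };`; if the access is actually required, rename the interface and its summary so callers are not misled about what they are granting. Minor: the summary has a typo, `generict` should be `generic`.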
@ -36706,7 +36783,7 @@ index 6194b80..648d041 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -510,19 +411,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
|
||||
@@ -510,19 +429,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -36731,7 +36808,7 @@ index 6194b80..648d041 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -530,45 +430,50 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
|
||||
@@ -530,45 +448,50 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -42641,7 +42718,7 @@ index 0e8508c..b9c69d2 100644
|
||||
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf")
|
||||
')
|
||||
diff --git a/networkmanager.te b/networkmanager.te
|
||||
index 0b48a30..0c6cd41 100644
|
||||
index 0b48a30..57fe60f 100644
|
||||
--- a/networkmanager.te
|
||||
+++ b/networkmanager.te
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -42672,7 +42749,7 @@ index 0b48a30..0c6cd41 100644
|
||||
type NetworkManager_log_t;
|
||||
logging_log_file(NetworkManager_log_t)
|
||||
|
||||
@@ -39,24 +42,41 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
|
||||
@@ -39,24 +42,42 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
@ -42699,6 +42776,7 @@ index 0b48a30..0c6cd41 100644
|
||||
+allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
|
||||
+allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
+allow NetworkManager_t self:netlink_xfrm_socket create_netlink_socket_perms;
|
||||
allow NetworkManager_t self:netlink_socket create_socket_perms;
|
||||
allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
-allow NetworkManager_t self:tcp_socket { accept listen };
|
||||
@ -42723,7 +42801,7 @@ index 0b48a30..0c6cd41 100644
|
||||
|
||||
manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
|
||||
manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
|
||||
@@ -68,6 +88,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
|
||||
@@ -68,6 +89,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
|
||||
setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
|
||||
logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
|
||||
|
||||
@ -42731,7 +42809,7 @@ index 0b48a30..0c6cd41 100644
|
||||
manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
|
||||
manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
|
||||
files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
|
||||
@@ -81,9 +102,6 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
|
||||
@@ -81,9 +103,6 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
|
||||
manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
|
||||
files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
|
||||
|
||||
@ -42741,7 +42819,7 @@ index 0b48a30..0c6cd41 100644
|
||||
kernel_read_system_state(NetworkManager_t)
|
||||
kernel_read_network_state(NetworkManager_t)
|
||||
kernel_read_kernel_sysctls(NetworkManager_t)
|
||||
@@ -91,7 +109,6 @@ kernel_request_load_module(NetworkManager_t)
|
||||
@@ -91,7 +110,6 @@ kernel_request_load_module(NetworkManager_t)
|
||||
kernel_read_debugfs(NetworkManager_t)
|
||||
kernel_rw_net_sysctls(NetworkManager_t)
|
||||
|
||||
@ -42749,7 +42827,7 @@ index 0b48a30..0c6cd41 100644
|
||||
corenet_all_recvfrom_netlabel(NetworkManager_t)
|
||||
corenet_tcp_sendrecv_generic_if(NetworkManager_t)
|
||||
corenet_udp_sendrecv_generic_if(NetworkManager_t)
|
||||
@@ -102,22 +119,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
|
||||
@@ -102,22 +120,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
|
||||
corenet_tcp_sendrecv_all_ports(NetworkManager_t)
|
||||
corenet_udp_sendrecv_all_ports(NetworkManager_t)
|
||||
corenet_udp_bind_generic_node(NetworkManager_t)
|
||||
@ -42775,7 +42853,7 @@ index 0b48a30..0c6cd41 100644
|
||||
dev_rw_sysfs(NetworkManager_t)
|
||||
dev_read_rand(NetworkManager_t)
|
||||
dev_read_urand(NetworkManager_t)
|
||||
@@ -125,13 +135,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
|
||||
@@ -125,13 +136,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
|
||||
dev_getattr_all_chr_files(NetworkManager_t)
|
||||
dev_rw_wireless(NetworkManager_t)
|
||||
|
||||
@ -42789,7 +42867,7 @@ index 0b48a30..0c6cd41 100644
|
||||
fs_getattr_all_fs(NetworkManager_t)
|
||||
fs_search_auto_mountpoints(NetworkManager_t)
|
||||
fs_list_inotifyfs(NetworkManager_t)
|
||||
@@ -140,6 +143,16 @@ mls_file_read_all_levels(NetworkManager_t)
|
||||
@@ -140,6 +144,16 @@ mls_file_read_all_levels(NetworkManager_t)
|
||||
|
||||
selinux_dontaudit_search_fs(NetworkManager_t)
|
||||
|
||||
@ -42806,7 +42884,7 @@ index 0b48a30..0c6cd41 100644
|
||||
storage_getattr_fixed_disk_dev(NetworkManager_t)
|
||||
|
||||
init_read_utmp(NetworkManager_t)
|
||||
@@ -148,10 +161,11 @@ init_domtrans_script(NetworkManager_t)
|
||||
@@ -148,10 +162,11 @@ init_domtrans_script(NetworkManager_t)
|
||||
|
||||
auth_use_nsswitch(NetworkManager_t)
|
||||
|
||||
@ -42819,7 +42897,7 @@ index 0b48a30..0c6cd41 100644
|
||||
|
||||
seutil_read_config(NetworkManager_t)
|
||||
|
||||
@@ -166,21 +180,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
|
||||
@@ -166,21 +181,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
|
||||
sysnet_read_dhcpc_state(NetworkManager_t)
|
||||
sysnet_delete_dhcpc_state(NetworkManager_t)
|
||||
sysnet_search_dhcp_state(NetworkManager_t)
|
||||
@ -42856,7 +42934,7 @@ index 0b48a30..0c6cd41 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -196,10 +221,6 @@ optional_policy(`
|
||||
@@ -196,10 +222,6 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -42867,7 +42945,7 @@ index 0b48a30..0c6cd41 100644
|
||||
consoletype_exec(NetworkManager_t)
|
||||
')
|
||||
|
||||
@@ -210,16 +231,11 @@ optional_policy(`
|
||||
@@ -210,16 +232,11 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
|
||||
|
||||
@ -42886,7 +42964,7 @@ index 0b48a30..0c6cd41 100644
|
||||
')
|
||||
')
|
||||
|
||||
@@ -231,18 +247,19 @@ optional_policy(`
|
||||
@@ -231,18 +248,19 @@ optional_policy(`
|
||||
dnsmasq_kill(NetworkManager_t)
|
||||
dnsmasq_signal(NetworkManager_t)
|
||||
dnsmasq_signull(NetworkManager_t)
|
||||
@ -42909,7 +42987,18 @@ index 0b48a30..0c6cd41 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -257,11 +274,7 @@ optional_policy(`
|
||||
@@ -250,6 +268,10 @@ optional_policy(`
|
||||
ipsec_kill_mgmt(NetworkManager_t)
|
||||
ipsec_signal_mgmt(NetworkManager_t)
|
||||
ipsec_signull_mgmt(NetworkManager_t)
|
||||
+ ipsec_domtrans(NetworkManager_t)
|
||||
+ ipsec_kill(NetworkManager_t)
|
||||
+ ipsec_signal(NetworkManager_t)
|
||||
+ ipsec_signull(NetworkManager_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -257,11 +279,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -42922,7 +43011,7 @@ index 0b48a30..0c6cd41 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -274,10 +287,17 @@ optional_policy(`
|
||||
@@ -274,10 +292,17 @@ optional_policy(`
|
||||
nscd_signull(NetworkManager_t)
|
||||
nscd_kill(NetworkManager_t)
|
||||
nscd_initrc_domtrans(NetworkManager_t)
|
||||
@ -42940,7 +43029,7 @@ index 0b48a30..0c6cd41 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -289,6 +309,7 @@ optional_policy(`
|
||||
@@ -289,6 +314,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -42948,7 +43037,7 @@ index 0b48a30..0c6cd41 100644
|
||||
policykit_domtrans_auth(NetworkManager_t)
|
||||
policykit_read_lib(NetworkManager_t)
|
||||
policykit_read_reload(NetworkManager_t)
|
||||
@@ -296,7 +317,7 @@ optional_policy(`
|
||||
@@ -296,7 +322,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -42957,7 +43046,7 @@ index 0b48a30..0c6cd41 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -307,6 +328,7 @@ optional_policy(`
|
||||
@@ -307,6 +333,7 @@ optional_policy(`
|
||||
ppp_signal(NetworkManager_t)
|
||||
ppp_signull(NetworkManager_t)
|
||||
ppp_read_config(NetworkManager_t)
|
||||
@ -42965,7 +43054,7 @@ index 0b48a30..0c6cd41 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -320,13 +342,15 @@ optional_policy(`
|
||||
@@ -320,13 +347,15 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -42985,7 +43074,7 @@ index 0b48a30..0c6cd41 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -356,6 +380,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
|
||||
@@ -356,6 +385,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
|
||||
init_dontaudit_use_fds(wpa_cli_t)
|
||||
init_use_script_ptys(wpa_cli_t)
|
||||
|
||||
@ -47541,7 +47630,7 @@ index 0000000..a437f80
|
||||
+files_read_config_files(openshift_domain)
|
||||
diff --git a/openshift.fc b/openshift.fc
|
||||
new file mode 100644
|
||||
index 0000000..e108d48
|
||||
index 0000000..f2d6119
|
||||
--- /dev/null
|
||||
+++ b/openshift.fc
|
||||
@@ -0,0 +1,26 @@
|
||||
@ -47565,7 +47654,7 @@ index 0000000..e108d48
|
||||
+/usr/s?bin/(oo|rhc)-cgroup-read -- gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0)
|
||||
+
|
||||
+/usr/s?bin/(oo|rhc)-restorer -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
|
||||
+/usr/s?bin/(oo|rhc)-restorer-wrapper.sh -- gen_context(unconfined_u:object_r:httpd_openshift_script_exec_t,s0)
|
||||
+/usr/s?bin/(oo|rhc)-restorer-wrapper.sh -- gen_context(system_u:object_r:httpd_openshift_script_exec_t,s0)
|
||||
+/usr/s?bin/oo-admin-ctl-gears -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
|
||||
+/usr/s?bin/mcollectived -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
|
||||
+
|
||||
@ -48225,10 +48314,10 @@ index 0000000..407386d
|
||||
+')
|
||||
diff --git a/openshift.te b/openshift.te
|
||||
new file mode 100644
|
||||
index 0000000..894ce1c
|
||||
index 0000000..3c311bb
|
||||
--- /dev/null
|
||||
+++ b/openshift.te
|
||||
@@ -0,0 +1,530 @@
|
||||
@@ -0,0 +1,535 @@
|
||||
+policy_module(openshift,1.0.0)
|
||||
+
|
||||
+gen_require(`
|
||||
@ -48325,6 +48414,8 @@ index 0000000..894ce1c
|
||||
+unconfined_domain_noaudit(openshift_initrc_t)
|
||||
+mcs_process_set_categories(openshift_initrc_t)
|
||||
+
|
||||
+virt_lxc_domain(openshift_initrc_t)
|
||||
+
|
||||
+systemd_dbus_chat_logind(openshift_initrc_t)
|
||||
+
|
||||
+manage_dirs_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
|
||||
@ -48393,7 +48484,10 @@ index 0000000..894ce1c
|
||||
+
|
||||
+manage_dirs_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
|
||||
+manage_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
|
||||
+fs_tmpfs_filetrans(openshift_domain, openshift_tmpfs_t, { dir file })
|
||||
+manage_lnk_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
|
||||
+manage_sock_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
|
||||
+manage_fifo_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
|
||||
+fs_tmpfs_filetrans(openshift_domain, openshift_tmpfs_t, { dir file sock_file lnk_file fifo_file })
|
||||
+can_exec(openshift_domain, openshift_tmpfs_t)
|
||||
+
|
||||
+manage_dirs_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
|
||||
@ -63150,7 +63244,7 @@ index bff31df..e38693b 100644
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
diff --git a/realmd.te b/realmd.te
|
||||
index 9a8f052..727d60a 100644
|
||||
index 9a8f052..9817f00 100644
|
||||
--- a/realmd.te
|
||||
+++ b/realmd.te
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -63159,7 +63253,7 @@ index 9a8f052..727d60a 100644
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -7,43 +7,52 @@ policy_module(realmd, 1.0.2)
|
||||
@@ -7,29 +7,37 @@ policy_module(realmd, 1.0.2)
|
||||
|
||||
type realmd_t;
|
||||
type realmd_exec_t;
|
||||
@ -63167,6 +63261,9 @@ index 9a8f052..727d60a 100644
|
||||
+application_domain(realmd_t, realmd_exec_t)
|
||||
+role system_r types realmd_t;
|
||||
+
|
||||
+type realmd_tmp_t;
|
||||
+files_tmp_file(realmd_tmp_t)
|
||||
+
|
||||
+type realmd_var_cache_t;
|
||||
+files_type(realmd_var_cache_t)
|
||||
|
||||
@ -63179,6 +63276,10 @@ index 9a8f052..727d60a 100644
|
||||
allow realmd_t self:capability sys_nice;
|
||||
allow realmd_t self:process setsched;
|
||||
|
||||
+manage_dirs_pattern(realmd_t, realmd_tmp_t, realmd_tmp_t)
|
||||
+manage_files_pattern(realmd_t, realmd_tmp_t, realmd_tmp_t)
|
||||
+files_tmp_filetrans(realmd_t, realmd_tmp_t, { dir file })
|
||||
+
|
||||
+manage_files_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t)
|
||||
+manage_dirs_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t)
|
||||
+
|
||||
@ -63195,17 +63296,16 @@ index 9a8f052..727d60a 100644
|
||||
-corenet_sendrecv_http_client_packets(realmd_t)
|
||||
corenet_tcp_connect_http_port(realmd_t)
|
||||
-corenet_tcp_sendrecv_http_port(realmd_t)
|
||||
+corenet_tcp_connect_ldap_port(realmd_t)
|
||||
|
||||
domain_use_interactive_fds(realmd_t)
|
||||
|
||||
dev_read_rand(realmd_t)
|
||||
dev_read_urand(realmd_t)
|
||||
@@ -38,12 +46,20 @@ dev_read_urand(realmd_t)
|
||||
|
||||
-fs_getattr_all_fs(realmd_t)
|
||||
fs_getattr_all_fs(realmd_t)
|
||||
|
||||
-files_read_usr_files(realmd_t)
|
||||
+fs_getattr_all_fs(realmd_t)
|
||||
|
||||
-
|
||||
auth_use_nsswitch(realmd_t)
|
||||
|
||||
logging_send_syslog_msg(realmd_t)
|
||||
@ -63223,7 +63323,7 @@ index 9a8f052..727d60a 100644
|
||||
optional_policy(`
|
||||
dbus_system_domain(realmd_t, realmd_exec_t)
|
||||
|
||||
@@ -67,17 +76,25 @@ optional_policy(`
|
||||
@@ -67,17 +83,25 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
nis_exec_ypbind(realmd_t)
|
||||
@ -63252,13 +63352,13 @@ index 9a8f052..727d60a 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -86,5 +103,26 @@ optional_policy(`
|
||||
@@ -86,5 +110,26 @@ optional_policy(`
|
||||
sssd_manage_lib_files(realmd_t)
|
||||
sssd_manage_public_files(realmd_t)
|
||||
sssd_read_pid_files(realmd_t)
|
||||
- sssd_initrc_domtrans(realmd_t)
|
||||
+ sssd_systemctl(realmd_t)
|
||||
')
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ xserver_read_state_xdm(realmd_t)
|
||||
@ -63277,7 +63377,7 @@ index 9a8f052..727d60a 100644
|
||||
+ oddjob_systemctl(realmd_consolehelper_t)
|
||||
+
|
||||
+ unconfined_domain_noaudit(realmd_consolehelper_t)
|
||||
+')
|
||||
')
|
||||
+
|
||||
+
|
||||
diff --git a/remotelogin.fc b/remotelogin.fc
|
||||
@ -67080,7 +67180,7 @@ index 3bd6446..a61764b 100644
|
||||
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
|
||||
')
|
||||
diff --git a/rpc.te b/rpc.te
|
||||
index e5212e6..699925d 100644
|
||||
index e5212e6..427ea8c 100644
|
||||
--- a/rpc.te
|
||||
+++ b/rpc.te
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -67412,7 +67512,7 @@ index e5212e6..699925d 100644
|
||||
userdom_list_user_tmp(gssd_t)
|
||||
userdom_read_user_tmp_files(gssd_t)
|
||||
userdom_read_user_tmp_symlinks(gssd_t)
|
||||
+ userdom_write_user_tmp_files(gssd_t)
|
||||
+ userdom_manage_user_tmp_files(gssd_t)
|
||||
+ files_read_generic_tmp_files(gssd_t)
|
||||
')
|
||||
|
||||
@ -72221,10 +72321,10 @@ index 0000000..1b21b7b
|
||||
+')
|
||||
diff --git a/sandboxX.te b/sandboxX.te
|
||||
new file mode 100644
|
||||
index 0000000..449a87c
|
||||
index 0000000..5a3d049
|
||||
--- /dev/null
|
||||
+++ b/sandboxX.te
|
||||
@@ -0,0 +1,462 @@
|
||||
@@ -0,0 +1,463 @@
|
||||
+policy_module(sandboxX,1.0.0)
|
||||
+
|
||||
+dbus_stub()
|
||||
@ -72685,6 +72785,7 @@ index 0000000..449a87c
|
||||
+ mozilla_dontaudit_rw_user_home_files(sandbox_x_t)
|
||||
+ mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t)
|
||||
+ mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
|
||||
+ mozilla_plugin_dontaudit_rw_sem(sandbox_x_domain)
|
||||
+ mozilla_plugin_dontaudit_leaks(sandbox_x_domain)
|
||||
+')
|
||||
diff --git a/sanlock.fc b/sanlock.fc
|
||||
@ -84087,7 +84188,7 @@ index c30da4c..014e40c 100644
|
||||
+/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
|
||||
+/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
|
||||
diff --git a/virt.if b/virt.if
|
||||
index 9dec06c..b991ec7 100644
|
||||
index 9dec06c..8f6d2a3 100644
|
||||
--- a/virt.if
|
||||
+++ b/virt.if
|
||||
@@ -1,120 +1,51 @@
|
||||
@ -85492,7 +85593,7 @@ index 9dec06c..b991ec7 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1091,95 +943,132 @@ interface(`virt_manage_virt_cache',`
|
||||
@@ -1091,95 +943,150 @@ interface(`virt_manage_virt_cache',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -85511,16 +85612,16 @@ index 9dec06c..b991ec7 100644
|
||||
- manage_files_pattern($1, virt_image_type, virt_image_type)
|
||||
- read_lnk_files_pattern($1, virt_image_type, virt_image_type)
|
||||
- rw_blk_files_pattern($1, virt_image_type, virt_image_type)
|
||||
+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
|
||||
+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
|
||||
+ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
|
||||
|
||||
-
|
||||
- tunable_policy(`virt_use_nfs',`
|
||||
- fs_manage_nfs_dirs($1)
|
||||
- fs_manage_nfs_files($1)
|
||||
- fs_read_nfs_symlinks($1)
|
||||
- ')
|
||||
-
|
||||
+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
|
||||
+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
|
||||
+ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
|
||||
|
||||
- tunable_policy(`virt_use_samba',`
|
||||
- fs_manage_cifs_files($1)
|
||||
- fs_manage_cifs_files($1)
|
||||
@ -85585,14 +85686,6 @@ index 9dec06c..b991ec7 100644
|
||||
- allow $1 { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }:process { ptrace signal_perms };
|
||||
- ps_process_pattern($1, { virt_domain svirt_lxc_domain virtd_t })
|
||||
- ps_process_pattern($1, { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t })
|
||||
-
|
||||
- init_labeled_script_domtrans($1, virtd_initrc_exec_t)
|
||||
- domain_system_change_exemption($1)
|
||||
- role_transition $2 virtd_initrc_exec_t system_r;
|
||||
- allow $2 system_r;
|
||||
-
|
||||
- fs_search_tmpfs($1)
|
||||
- admin_pattern($1, virt_tmpfs_type)
|
||||
+ type $1_t, svirt_lxc_domain;
|
||||
+ domain_type($1_t)
|
||||
+ domain_user_exemption_target($1_t)
|
||||
@ -85600,9 +85693,33 @@ index 9dec06c..b991ec7 100644
|
||||
+ mcs_constrained($1_t)
|
||||
+ role system_r types $1_t;
|
||||
|
||||
- init_labeled_script_domtrans($1, virtd_initrc_exec_t)
|
||||
- domain_system_change_exemption($1)
|
||||
- role_transition $2 virtd_initrc_exec_t system_r;
|
||||
- allow $2 system_r;
|
||||
+ kernel_read_system_state($1_t)
|
||||
+')
|
||||
|
||||
- fs_search_tmpfs($1)
|
||||
- admin_pattern($1, virt_tmpfs_type)
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Make the specified type usable as a lxc domain
|
||||
+## </summary>
|
||||
+## <param name="type">
|
||||
+## <summary>
|
||||
+## Type to be used as a lxc domain
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+template(`virt_lxc_domain',`
|
||||
+ gen_require(`
|
||||
+ attribute svirt_lxc_domain;
|
||||
+ ')
|
||||
|
||||
- files_search_tmp($1)
|
||||
- admin_pattern($1, { virt_tmp_type virt_tmp_t })
|
||||
+ kernel_read_system_state($1_t)
|
||||
+ typeattribute $1 svirt_lxc_domain;
|
||||
+')
|
||||
|
||||
- files_search_etc($1)
|
||||
|
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.12.1
|
||||
Release: 24%{?dist}
|
||||
Release: 25%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -526,6 +526,38 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Apr 2 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-25
|
||||
- Allow realmd to create tmp files
|
||||
- FIx ircssi_home_t type to irssi_home_t
|
||||
- Allow adcli running as realmd_t to connect to ldap port
|
||||
- Allow NetworkManager to transition to ipsec_t, for running strongswan
|
||||
- Make openshift_initrc_t an lxc_domain
|
||||
- Allow gssd to manage user_tmp_t files
|
||||
- Fix handling of irclogs in users homedir
|
||||
- Fix labeling for drupal an wp-content in subdirs of /var/www/html
|
||||
- Allow abrt to read utmp_t file
|
||||
- Fix openshift policy to transition lnk_file, sock-file an fifo_file when created in a tmpfs_t, needs back port to RHEL6
|
||||
- fix labeling for (oo|rhc)-restorer-wrapper.sh
|
||||
- firewalld needs to be able to write to network sysctls
|
||||
- Fix mozilla_plugin_dontaudit_rw_sem() interface
|
||||
- Dontaudit generic ipc read/write to a mozilla_plugin for sandbox_x domains
|
||||
- Add mozilla_plugin_dontaudit_rw_sem() interface
|
||||
- Allow svirt_lxc_t to transition to openshift domains
|
||||
- Allow condor domains block_suspend and dac_override caps
|
||||
- Allow condor_master to read passd
|
||||
- Allow condor_master to read system state
|
||||
- Allow NetworkManager to transition to ipsec_t, for running strongswan
|
||||
- Lots of access required by lvm_t to created encrypted usb device
|
||||
- Allow xdm_t to dbus communicate with systemd_localed_t
|
||||
- Label strongswan content as ipsec_exec_mgmt_t for now
|
||||
- Allow users to dbus chat with systemd_localed
|
||||
- Fix handling of .xsession-errors in xserver.if, so kde will work
|
||||
- Might be a bug but we are seeing avc's about people status on init_t:service
|
||||
- Make sure we label content under /var/run/lock as <<none>>
|
||||
- Allow daemon and systemprocesses to search init_var_run_t directory
|
||||
- Add boolean to allow xdm to write xauth data to the home directory
|
||||
- Allow mount to write keys for the unconfined domain
|
||||
|
||||
* Tue Mar 26 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-24
|
||||
- Add labeling for /usr/share/pki
|
||||
- Allow programs that read var_run_t symlinks also read var_t symlinks
|
||||
|