- Added iotop policy. Thanks William Brown
- Allow spamc to read .pyzor located in /var/spool/spampd - Allow spamc to create home content with correct labeling - Allow logwatch_mail_t to create dead.letter with correct labeling - Add labeling for min-cloud-agent - Allow geoclue to read unix in proc. - Add support for /usr/local/Brother labeling. We removed /usr/local equiv. - add support for min-cloud-agent - Allow ulogd to request the kernel to load a module - remove unconfined_domain for openwsman_t - Add openwsman_tmp_t rules - Allow openwsman to execute chkpwd and make this domain as unconfined for F20. - Allow nova-scheduler to read passwd file - Allow neutron execute arping in neutron_t - Dontaudit logrotate executing systemctl command attempting to net_admin - Allow mozilla plugins to use /dev/sr0 - svirt sandbox domains to read gear content in /run. Allow gear_t to manage openshift file - Any app that executes systemctl will attempt a net_admin - Fix path to mmap_min_addr
parent
e929b7e20b
commit
dbf4ab85b0
@ -12652,14 +12652,15 @@ index 4a5b3d1..cd146bd 100644
|
||||
')
|
||||
diff --git a/cloudform.fc b/cloudform.fc
|
||||
new file mode 100644
|
||||
index 0000000..d0501e3
|
||||
index 0000000..53f5265
|
||||
--- /dev/null
|
||||
+++ b/cloudform.fc
|
||||
@@ -0,0 +1,19 @@
|
||||
@@ -0,0 +1,21 @@
|
||||
+/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
|
||||
+
|
||||
+/usr/bin/cloud-init -- gen_context(system_u:object_r:cloud_init_exec_t,s0)
|
||||
+/usr/libexec/min-metadata-service -- gen_context(system_u:object_r:cloud_init_exec_t,s0)
|
||||
+/usr/libexec/min-cloud-agent -- gen_context(system_u:object_r:cloud_init_exec_t,s0)
|
||||
+/usr/bin/deltacloudd -- gen_context(system_u:object_r:deltacloudd_exec_t,s0)
|
||||
+/usr/bin/iwhd -- gen_context(system_u:object_r:iwhd_exec_t,s0)
|
||||
+
|
||||
@ -12668,6 +12669,7 @@ index 0000000..d0501e3
|
||||
+/usr/lib/systemd/system/cloud-init.* -- gen_context(system_u:object_r:cloud_init_unit_file_t,s0)
|
||||
+
|
||||
+/var/lib/cloud(/.*)? gen_context(system_u:object_r:cloud_var_lib_t,s0)
|
||||
+/var/lib/min-cloud-agent(/.*)? gen_context(system_u:object_r:cloud_var_lib_t,s0)
|
||||
+/var/log/cloud-init\.log.* -- gen_context(system_u:object_r:cloud_log_t,s0)
|
||||
+/var/lib/iwhd(/.*)? gen_context(system_u:object_r:iwhd_var_lib_t,s0)
|
||||
+
|
||||
@ -18437,10 +18439,10 @@ index 001b502..3ceae52 100644
|
||||
|
||||
optional_policy(`
|
||||
diff --git a/cups.fc b/cups.fc
|
||||
index 949011e..afe482b 100644
|
||||
index 949011e..9437dbe 100644
|
||||
--- a/cups.fc
|
||||
+++ b/cups.fc
|
||||
@@ -1,77 +1,87 @@
|
||||
@@ -1,77 +1,91 @@
|
||||
-/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
|
||||
-/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
|
||||
@ -18538,23 +18540,23 @@ index 949011e..afe482b 100644
|
||||
/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
+/usr/lib/bjlib(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
|
||||
+
|
||||
|
||||
-/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
|
||||
+/var/lib/hp(/.*)? gen_context(system_u:object_r:cupsd_var_lib_t,s0)
|
||||
+/var/lib/iscan(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
|
||||
-/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
|
||||
+/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
|
||||
+/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
|
||||
|
||||
-/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
|
||||
-/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
|
||||
+/var/log/hp(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
|
||||
+/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
|
||||
+/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
|
||||
|
||||
-/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
|
||||
-/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
|
||||
-/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
|
||||
-/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
|
||||
-/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
|
||||
+/var/log/hp(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
|
||||
+
|
||||
+/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
|
||||
+/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
|
||||
+/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh)
|
||||
@ -18568,10 +18570,14 @@ index 949011e..afe482b 100644
|
||||
+/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
|
||||
+/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
|
||||
+
|
||||
+/etc/opt/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
+/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
|
||||
+/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
+/etc/opt/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
+/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
+/usr/local/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
|
||||
+/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
+/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
+
|
||||
+
|
||||
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
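Review bot: `/etc/opt/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)` appears twice in this hunk; if both copies land on the new side of the patch, the resulting cups.fc carries a duplicate specification, which setfiles flags when the file contexts are compiled, so one of them should go. The rendered page has lost the outer +/- markers, so this may be an old/new pair rather than a true duplicate; the same check applies to the two `/var/log/hp(/.*)?` lines in the previous hunk.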
|
||||
+
|
||||
@ -28271,10 +28277,10 @@ index 0000000..04e159f
|
||||
+')
|
||||
diff --git a/gear.te b/gear.te
|
||||
new file mode 100644
|
||||
index 0000000..75d7bc3
|
||||
index 0000000..781c76d
|
||||
--- /dev/null
|
||||
+++ b/gear.te
|
||||
@@ -0,0 +1,121 @@
|
||||
@@ -0,0 +1,122 @@
|
||||
+policy_module(gear, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -28393,6 +28399,7 @@ index 0000000..75d7bc3
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ openshift_manage_lib_dirs(gear_t)
|
||||
+ openshift_manage_lib_files(gear_t)
|
||||
+ openshift_relabelfrom_lib(gear_t)
|
||||
+')
|
||||
@ -28572,10 +28579,10 @@ index 0000000..9e17d3e
|
||||
+')
|
||||
diff --git a/geoclue.te b/geoclue.te
|
||||
new file mode 100644
|
||||
index 0000000..7106428
|
||||
index 0000000..351f145
|
||||
--- /dev/null
|
||||
+++ b/geoclue.te
|
||||
@@ -0,0 +1,51 @@
|
||||
@@ -0,0 +1,53 @@
|
||||
+policy_module(geoclue, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -28608,6 +28615,8 @@ index 0000000..7106428
|
||||
+manage_dirs_pattern(geoclue_t, geoclue_tmp_t, geoclue_tmp_t)
|
||||
+files_tmp_filetrans(geoclue_t, geoclue_tmp_t, { dir file })
|
||||
+
|
||||
+kernel_read_network_state(geoclue_t)
|
||||
+
|
||||
+auth_read_passwd(geoclue_t)
|
||||
+
|
||||
+corenet_tcp_connect_http_port(geoclue_t)
|
||||
@ -34333,6 +34342,108 @@ index d443fee..6cbbf7d 100644
|
||||
|
||||
logging_send_syslog_msg(iodined_t)
|
||||
|
||||
diff --git a/iotop.fc b/iotop.fc
|
||||
new file mode 100644
|
||||
index 0000000..c8d2dea
|
||||
--- /dev/null
|
||||
+++ b/iotop.fc
|
||||
@@ -0,0 +1 @@
|
||||
+/usr/sbin/iotop -- gen_context(system_u:object_r:iotop_exec_t,s0)
|
||||
diff --git a/iotop.if b/iotop.if
|
||||
new file mode 100644
|
||||
index 0000000..7fc3464
|
||||
--- /dev/null
|
||||
+++ b/iotop.if
|
||||
@@ -0,0 +1,46 @@
|
||||
+## <summary>Simple top-like I/O monitor</summary>
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Allow execution of iotop in the iotop domain from the target domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed to transition to iotop.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`iotop_domtrans',`
|
||||
+ gen_require(`
|
||||
+ type iotop_t, iotop_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ corecmd_search_bin($1)
|
||||
+ domtrans_pattern($1, iotop_exec_t, iotop_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute iotop in the iotop domain, and
|
||||
+## allow the specified role to access the iotop domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed to transition
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="role">
|
||||
+## <summary>
|
||||
+## The role to be allowed into the iotop domain.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`iotop_run',`
|
||||
+ gen_require(`
|
||||
+ type iotop_t;
|
||||
+ attribute_role iotop_roles;
|
||||
+ ')
|
||||
+
|
||||
+ iotop_domtrans($1)
|
||||
+ roleattribute $2 iotop_roles;
|
||||
+')
|
||||
diff --git a/iotop.te b/iotop.te
|
||||
new file mode 100644
|
||||
index 0000000..51d7e34
|
||||
--- /dev/null
|
||||
+++ b/iotop.te
|
||||
@@ -0,0 +1,37 @@
|
||||
+policy_module(iotop, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# Declarations
|
||||
+#
|
||||
+attribute_role iotop_roles;
|
||||
+roleattribute system_r iotop_roles;
|
||||
+
|
||||
+type iotop_t;
|
||||
+type iotop_exec_t;
|
||||
+application_domain(iotop_t, iotop_exec_t)
|
||||
+
|
||||
+role iotop_roles types iotop_t;
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# iotop local policy
|
||||
+#
|
||||
+
|
||||
+allow iotop_t self:capability net_admin;
|
||||
+allow iotop_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
+
|
||||
+kernel_read_system_state(iotop_t)
|
||||
+
|
||||
+auth_use_nsswitch(iotop_t)
|
||||
+
|
||||
+dev_read_urand(iotop_t)
|
||||
+
|
||||
+domain_getsched_all_domains(iotop_t)
|
||||
+domain_read_all_domains_state(iotop_t)
|
||||
+
|
||||
+corecmd_exec_bin(iotop_t)
|
||||
+
|
||||
+miscfiles_read_localization(iotop_t)
|
||||
+
|
||||
+userdom_use_user_terminals(iotop_t)
|
||||
diff --git a/ipa.fc b/ipa.fc
|
||||
new file mode 100644
|
||||
index 0000000..48d7322
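Review bot: `allow iotop_t self:capability net_admin;` in iotop.te is the one non-obvious grant in the new module and carries no comment; a line such as `# taskstats accounting is read over netlink, which needs net_admin` above it would record the reason, assuming that is indeed the trigger. `domain_read_all_domains_state(iotop_t)` and `domain_getsched_all_domains(iotop_t)` are what a system-wide monitor needs, but they also let every role added to iotop_roles read every process's /proc state, so the `roleattribute system_r iotop_roles;` default and the `iotop_run` interface deserve a sentence in iotop.if's summary saying that the domain is effectively a read-all-processes domain.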
|
||||
@ -40137,7 +40248,7 @@ index dd8e01a..9cd6b0b 100644
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
diff --git a/logrotate.te b/logrotate.te
|
||||
index be0ab84..1859690 100644
|
||||
index be0ab84..9321951 100644
|
||||
--- a/logrotate.te
|
||||
+++ b/logrotate.te
|
||||
@@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0)
|
||||
@ -40183,7 +40294,7 @@ index be0ab84..1859690 100644
|
||||
-allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
|
||||
+# Change ownership on log files.
|
||||
+allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice sys_ptrace };
|
||||
+dontaudit logrotate_t self:capability sys_resource;
|
||||
+dontaudit logrotate_t self:capability { sys_resource net_admin };
|
||||
+
|
||||
+allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
+
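Review bot: `dontaudit logrotate_t self:capability { sys_resource net_admin };` still lists sys_resource, which the allow rule a few lines above already grants; a dontaudit on an allowed permission never fires, so only `dontaudit logrotate_t self:capability net_admin;` has any effect. The allow set also lists sys_ptrace while ptrace stays excluded from the `self:process ~{ ... }` rule below it, which reads as an inconsistency unless the capability is needed for something other than tracing (reading other processes' /proc state, presumably); a why-comment in the style of the existing `# Change ownership on log files.` would settle that. The rule block this sits in continues outside the hunk.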
|
||||
@ -40418,7 +40529,7 @@ index be0ab84..1859690 100644
|
||||
logging_read_all_logs(logrotate_mail_t)
|
||||
+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
|
||||
diff --git a/logwatch.te b/logwatch.te
|
||||
index ab65034..c76dbda 100644
|
||||
index ab65034..28f63b5 100644
|
||||
--- a/logwatch.te
|
||||
+++ b/logwatch.te
|
||||
@@ -15,7 +15,8 @@ gen_tunable(logwatch_can_network_connect_mail, false)
|
||||
@ -40503,11 +40614,13 @@ index ab65034..c76dbda 100644
|
||||
rpc_search_nfs_state_data(logwatch_t)
|
||||
')
|
||||
|
||||
@@ -187,6 +192,17 @@ dev_read_sysfs(logwatch_mail_t)
|
||||
@@ -187,6 +192,19 @@ dev_read_sysfs(logwatch_mail_t)
|
||||
|
||||
logging_read_all_logs(logwatch_mail_t)
|
||||
|
||||
+mta_read_home(logwatch_mail_t)
|
||||
+mta_filetrans_home_content(logwatch_mail_t)
|
||||
+mta_filetrans_admin_home_content(logwatch_mail_t)
|
||||
+
|
||||
optional_policy(`
|
||||
cron_use_system_job_fds(logwatch_mail_t)
|
||||
@ -45601,7 +45714,7 @@ index 6194b80..cafb2b0 100644
|
||||
')
|
||||
+
|
||||
diff --git a/mozilla.te b/mozilla.te
|
||||
index 11ac8e4..7bb38c6 100644
|
||||
index 11ac8e4..633063d 100644
|
||||
--- a/mozilla.te
|
||||
+++ b/mozilla.te
|
||||
@@ -6,17 +6,41 @@ policy_module(mozilla, 2.8.0)
|
||||
@ -46039,7 +46152,7 @@ index 11ac8e4..7bb38c6 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -300,259 +324,248 @@ optional_policy(`
|
||||
@@ -300,259 +324,252 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -46272,14 +46385,17 @@ index 11ac8e4..7bb38c6 100644
|
||||
fs_getattr_all_fs(mozilla_plugin_t)
|
||||
-# fs_read_hugetlbfs_files(mozilla_plugin_t)
|
||||
-fs_search_auto_mountpoints(mozilla_plugin_t)
|
||||
-
|
||||
-term_getattr_all_ttys(mozilla_plugin_t)
|
||||
-term_getattr_all_ptys(mozilla_plugin_t)
|
||||
+fs_list_dos(mozilla_plugin_t)
|
||||
+fs_read_noxattr_fs_files(mozilla_plugin_t)
|
||||
+fs_read_hugetlbfs_files(mozilla_plugin_t)
|
||||
+fs_exec_hugetlbfs_files(mozilla_plugin_t)
|
||||
|
||||
-term_getattr_all_ttys(mozilla_plugin_t)
|
||||
-term_getattr_all_ptys(mozilla_plugin_t)
|
||||
+storage_raw_read_removable_device(mozilla_plugin_t)
|
||||
+fs_read_removable_files(mozilla_plugin_t)
|
||||
+fs_read_removable_symlinks(mozilla_plugin_t)
|
||||
|
||||
application_exec(mozilla_plugin_t)
|
||||
+application_dontaudit_signull(mozilla_plugin_t)
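Review bot: `storage_raw_read_removable_device(mozilla_plugin_t)` gives the plugin domain raw read access to removable block devices, bypassing the per-file labeling that `fs_read_removable_files` and `fs_read_removable_symlinks` on the following lines already respect; if the motivation is only optical media (the commit message names /dev/sr0), the raw grant is worth gating behind a tunable so hosts that do not need it keep the narrower access. `fs_exec_hugetlbfs_files(mozilla_plugin_t)` likewise turns the previously commented-out hugetlbfs read into read plus execute, which should carry a comment naming the plugin that maps hugepage-backed files executable. Whether these lines are new in this revision of the patch or carried over cannot be told from the rendered page.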
|
||||
|
||||
@ -46435,7 +46551,7 @@ index 11ac8e4..7bb38c6 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -560,7 +573,11 @@ optional_policy(`
|
||||
@@ -560,7 +577,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -46448,7 +46564,7 @@ index 11ac8e4..7bb38c6 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -568,108 +585,131 @@ optional_policy(`
|
||||
@@ -568,108 +589,131 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -53019,10 +53135,10 @@ index 0000000..28936b4
|
||||
+')
|
||||
diff --git a/nova.te b/nova.te
|
||||
new file mode 100644
|
||||
index 0000000..f429163
|
||||
index 0000000..f691a30
|
||||
--- /dev/null
|
||||
+++ b/nova.te
|
||||
@@ -0,0 +1,311 @@
|
||||
@@ -0,0 +1,310 @@
|
||||
+policy_module(nova, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -53302,7 +53418,6 @@ index 0000000..f429163
|
||||
+# nova vncproxy local policy
|
||||
+#
|
||||
+
|
||||
+
|
||||
+#######################################
|
||||
+#
|
||||
+# nova volume local policy
|
||||
@ -59264,10 +59379,10 @@ index 0000000..42ed4ba
|
||||
+')
|
||||
diff --git a/openwsman.te b/openwsman.te
|
||||
new file mode 100644
|
||||
index 0000000..49dc5ef
|
||||
index 0000000..a0161d5
|
||||
--- /dev/null
|
||||
+++ b/openwsman.te
|
||||
@@ -0,0 +1,43 @@
|
||||
@@ -0,0 +1,56 @@
|
||||
+policy_module(openwsman, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -59279,6 +59394,9 @@ index 0000000..49dc5ef
|
||||
+type openwsman_exec_t;
|
||||
+init_daemon_domain(openwsman_t, openwsman_exec_t)
|
||||
+
|
||||
+type openwsman_tmp_t;
|
||||
+files_tmp_file(openwsman_tmp_t)
|
||||
+
|
||||
+type openwsman_log_t;
|
||||
+logging_log_file(openwsman_log_t)
|
||||
+
|
||||
@ -59292,10 +59410,17 @@ index 0000000..49dc5ef
|
||||
+#
|
||||
+# openwsman local policy
|
||||
+#
|
||||
+
|
||||
+allow openwsman_t self:capability setuid;
|
||||
+
|
||||
+allow openwsman_t self:process { fork };
|
||||
+allow openwsman_t self:fifo_file rw_fifo_file_perms;
|
||||
+allow openwsman_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+allow openwsman_t self:tcp_socket { create_socket_perms listen };
|
||||
+allow openwsman_t self:tcp_socket { create_socket_perms accept listen };
|
||||
+
|
||||
+manage_files_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t)
|
||||
+manage_dirs_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t)
|
||||
+files_tmp_filetrans(openwsman_t, openwsman_tmp_t, { dir file })
|
||||
+
|
||||
+manage_files_pattern(openwsman_t, openwsman_log_t, openwsman_log_t)
|
||||
+logging_log_filetrans(openwsman_t, openwsman_log_t, { file })
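Review bot: `allow openwsman_t self:tcp_socket { create_socket_perms accept listen };` spells out by hand what the `create_stream_socket_perms` set already names (the `self:unix_stream_socket` rule just above uses it), so the line should read `allow openwsman_t self:tcp_socket create_stream_socket_perms;`. The `allow openwsman_t self:capability setuid;` grant would also benefit from a comment tying it to the `auth_domtrans_chkpwd` call in the following hunk. The local policy block continues outside this hunk.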
|
||||
@ -59304,12 +59429,15 @@ index 0000000..49dc5ef
|
||||
+files_pid_filetrans(openwsman_t, openwsman_run_t, { file })
|
||||
+
|
||||
+auth_use_nsswitch(openwsman_t)
|
||||
+auth_domtrans_chkpwd(openwsman_t)
|
||||
+
|
||||
+corenet_tcp_connect_pegasus_https_port(openwsman_t)
|
||||
+corenet_tcp_bind_vnc_port(openwsman_t)
|
||||
+
|
||||
+dev_read_urand(openwsman_t)
|
||||
+
|
||||
+logging_send_syslog_msg(openwsman_t)
|
||||
+logging_send_audit_msgs(openwsman_t)
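Review bot: `corenet_tcp_bind_vnc_port(openwsman_t)` lets the daemon bind anywhere in the VNC port range rather than on its own listener port, presumably because the wsman port falls inside that range and no dedicated port type exists; a dedicated port type in corenetwork would keep openwsman from being able to take over VNC ports and would leave the VNC domains' own port policy meaningful. Until that exists, a comment on the line recording which port is actually bound would help the next reviewer. The block continues outside the hunk.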
|
||||
+
|
||||
diff --git a/oracleasm.fc b/oracleasm.fc
|
||||
new file mode 100644
|
||||
@ -73504,10 +73632,10 @@ index afc0068..3105104 100644
|
||||
+ ')
|
||||
')
|
||||
diff --git a/quantum.te b/quantum.te
|
||||
index 8644d8b..d76fab5 100644
|
||||
index 8644d8b..9494e23 100644
|
||||
--- a/quantum.te
|
||||
+++ b/quantum.te
|
||||
@@ -5,92 +5,132 @@ policy_module(quantum, 1.1.0)
|
||||
@@ -5,92 +5,136 @@ policy_module(quantum, 1.1.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
@ -73554,7 +73682,7 @@ index 8644d8b..d76fab5 100644
|
||||
-allow quantum_t self:unix_stream_socket { accept listen };
|
||||
+allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service};
|
||||
+allow neutron_t self:capability2 block_suspend;
|
||||
+allow neutron_t self:process { setsched setrlimit signal_perms };
|
||||
+allow neutron_t self:process { setsched setrlimit setcap signal_perms };
|
||||
+
|
||||
+allow neutron_t self:fifo_file rw_fifo_file_perms;
|
||||
+allow neutron_t self:key manage_key_perms;
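Review bot: The capability set in `allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service};` combines sys_admin, dac_override and sys_ptrace without a comment saying which agent operation needs each, and the closing brace is missing its leading space. sys_admin is presumably for network-namespace and sysfs mount handling (`dev_mount_sysfs_fs` and `files_mounton_non_security` appear further down), but dac_override in particular should be confirmed against an actual denial before shipping, since it disables DAC checks for the whole domain; a one-line comment per capability, in the style of `# need to stay in neutron` later in the file, would make the grant reviewable. The declarations block this sits in starts before the hunk.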
|
||||
@ -73562,46 +73690,45 @@ index 8644d8b..d76fab5 100644
|
||||
+allow neutron_t self:unix_stream_socket { accept listen };
|
||||
+allow neutron_t self:netlink_route_socket rw_netlink_socket_perms;
|
||||
+allow neutron_t self:rawip_socket create_socket_perms;
|
||||
+allow neutron_t self:packet_socket create_socket_perms;
|
||||
+
|
||||
+manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t)
|
||||
+append_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
|
||||
+create_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
|
||||
+setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
|
||||
+logging_log_filetrans(neutron_t, neutron_log_t, dir)
|
||||
+
|
||||
+manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
|
||||
+files_tmp_filetrans(neutron_t, neutron_tmp_t, file)
|
||||
|
||||
-manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
|
||||
-append_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
|
||||
-create_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
|
||||
-setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
|
||||
-logging_log_filetrans(quantum_t, quantum_log_t, dir)
|
||||
+manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
|
||||
+files_tmp_filetrans(neutron_t, neutron_tmp_t, file)
|
||||
|
||||
-manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
|
||||
-files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
|
||||
+manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
|
||||
+manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
|
||||
+files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir)
|
||||
|
||||
-manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
|
||||
-files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
|
||||
+can_exec(neutron_t, neutron_tmp_t)
|
||||
|
||||
-manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
|
||||
-manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
|
||||
-files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir)
|
||||
+can_exec(neutron_t, neutron_tmp_t)
|
||||
|
||||
-can_exec(quantum_t, quantum_tmp_t)
|
||||
+kernel_rw_kernel_sysctl(neutron_t)
|
||||
+kernel_rw_net_sysctls(neutron_t)
|
||||
+kernel_read_system_state(neutron_t)
|
||||
+kernel_read_network_state(neutron_t)
|
||||
+kernel_request_load_module(neutron_t)
|
||||
|
||||
-kernel_read_kernel_sysctls(quantum_t)
|
||||
-kernel_read_system_state(quantum_t)
|
||||
-can_exec(quantum_t, quantum_tmp_t)
|
||||
+corecmd_exec_shell(neutron_t)
|
||||
+corecmd_exec_bin(neutron_t)
|
||||
|
||||
-corecmd_exec_shell(quantum_t)
|
||||
-corecmd_exec_bin(quantum_t)
|
||||
-kernel_read_kernel_sysctls(quantum_t)
|
||||
-kernel_read_system_state(quantum_t)
|
||||
+corenet_all_recvfrom_unlabeled(neutron_t)
|
||||
+corenet_all_recvfrom_netlabel(neutron_t)
|
||||
+corenet_tcp_sendrecv_generic_if(neutron_t)
|
||||
@ -73609,83 +73736,88 @@ index 8644d8b..d76fab5 100644
|
||||
+corenet_tcp_sendrecv_all_ports(neutron_t)
|
||||
+corenet_tcp_bind_generic_node(neutron_t)
|
||||
|
||||
-corenet_all_recvfrom_unlabeled(quantum_t)
|
||||
-corenet_all_recvfrom_netlabel(quantum_t)
|
||||
-corenet_tcp_sendrecv_generic_if(quantum_t)
|
||||
-corenet_tcp_sendrecv_generic_node(quantum_t)
|
||||
-corenet_tcp_sendrecv_all_ports(quantum_t)
|
||||
-corenet_tcp_bind_generic_node(quantum_t)
|
||||
-corecmd_exec_shell(quantum_t)
|
||||
-corecmd_exec_bin(quantum_t)
|
||||
+corenet_tcp_bind_neutron_port(neutron_t)
|
||||
+corenet_tcp_connect_keystone_port(neutron_t)
|
||||
+corenet_tcp_connect_amqp_port(neutron_t)
|
||||
+corenet_tcp_connect_mysqld_port(neutron_t)
|
||||
+corenet_tcp_connect_osapi_compute_port(neutron_t)
|
||||
|
||||
-dev_list_sysfs(quantum_t)
|
||||
-dev_read_urand(quantum_t)
|
||||
-corenet_all_recvfrom_unlabeled(quantum_t)
|
||||
-corenet_all_recvfrom_netlabel(quantum_t)
|
||||
-corenet_tcp_sendrecv_generic_if(quantum_t)
|
||||
-corenet_tcp_sendrecv_generic_node(quantum_t)
|
||||
-corenet_tcp_sendrecv_all_ports(quantum_t)
|
||||
-corenet_tcp_bind_generic_node(quantum_t)
|
||||
+domain_read_all_domains_state(neutron_t)
|
||||
+domain_named_filetrans(neutron_t)
|
||||
|
||||
-files_read_usr_files(quantum_t)
|
||||
-dev_list_sysfs(quantum_t)
|
||||
-dev_read_urand(quantum_t)
|
||||
+dev_read_sysfs(neutron_t)
|
||||
+dev_read_urand(neutron_t)
|
||||
+dev_mounton_sysfs(neutron_t)
|
||||
+dev_mount_sysfs_fs(neutron_t)
|
||||
+dev_unmount_sysfs_fs(neutron_t)
|
||||
|
||||
-auth_use_nsswitch(quantum_t)
|
||||
-files_read_usr_files(quantum_t)
|
||||
+files_mounton_non_security(neutron_t)
|
||||
|
||||
-libs_exec_ldconfig(quantum_t)
|
||||
-auth_use_nsswitch(quantum_t)
|
||||
+auth_use_nsswitch(neutron_t)
|
||||
|
||||
-libs_exec_ldconfig(quantum_t)
|
||||
+libs_exec_ldconfig(neutron_t)
|
||||
|
||||
-logging_send_audit_msgs(quantum_t)
|
||||
-logging_send_syslog_msg(quantum_t)
|
||||
+libs_exec_ldconfig(neutron_t)
|
||||
|
||||
-miscfiles_read_localization(quantum_t)
|
||||
+logging_send_audit_msgs(neutron_t)
|
||||
+logging_send_syslog_msg(neutron_t)
|
||||
|
||||
-miscfiles_read_localization(quantum_t)
|
||||
+netutils_exec(neutron_t)
|
||||
|
||||
-sysnet_domtrans_ifconfig(quantum_t)
|
||||
+# need to stay in neutron
|
||||
+sysnet_exec_ifconfig(neutron_t)
|
||||
+sysnet_manage_ifconfig_run(neutron_t)
|
||||
+sysnet_filetrans_named_content_ifconfig(neutron_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ brctl_domtrans(neutron_t)
|
||||
+')
|
||||
|
||||
optional_policy(`
|
||||
- brctl_domtrans(quantum_t)
|
||||
+ dnsmasq_domtrans(neutron_t)
|
||||
+ dnsmasq_signal(neutron_t)
|
||||
+ dnsmasq_read_state(neutron_t)
|
||||
+ brctl_domtrans(neutron_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- mysql_stream_connect(quantum_t)
|
||||
- mysql_read_config(quantum_t)
|
||||
+ iptables_domtrans(neutron_t)
|
||||
+ dnsmasq_domtrans(neutron_t)
|
||||
+ dnsmasq_signal(neutron_t)
|
||||
+ dnsmasq_read_state(neutron_t)
|
||||
+')
|
||||
|
||||
- mysql_tcp_connect(quantum_t)
|
||||
+optional_policy(`
|
||||
+ mysql_stream_connect(neutron_t)
|
||||
+ mysql_read_db_lnk_files(neutron_t)
|
||||
+ mysql_read_config(neutron_t)
|
||||
+ mysql_tcp_connect(neutron_t)
|
||||
+ iptables_domtrans(neutron_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- postgresql_stream_connect(quantum_t)
|
||||
- postgresql_unpriv_client(quantum_t)
|
||||
+ mysql_stream_connect(neutron_t)
|
||||
+ mysql_read_db_lnk_files(neutron_t)
|
||||
+ mysql_read_config(neutron_t)
|
||||
+ mysql_tcp_connect(neutron_t)
|
||||
+')
|
||||
|
||||
- postgresql_tcp_connect(quantum_t)
|
||||
+optional_policy(`
|
||||
+ postgresql_stream_connect(neutron_t)
|
||||
+ postgresql_unpriv_client(neutron_t)
|
||||
+ postgresql_tcp_connect(neutron_t)
|
||||
+')
|
||||
|
||||
- postgresql_tcp_connect(quantum_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ openvswitch_domtrans(neutron_t)
|
||||
+ openvswitch_stream_connect(neutron_t)
|
||||
@ -91614,7 +91746,7 @@ index 1499b0b..6950cab 100644
|
||||
- spamassassin_role($2, $1)
|
||||
')
|
||||
diff --git a/spamassassin.te b/spamassassin.te
|
||||
index cc58e35..4f35a1b 100644
|
||||
index cc58e35..de9c4d9 100644
|
||||
--- a/spamassassin.te
|
||||
+++ b/spamassassin.te
|
||||
@@ -7,50 +7,23 @@ policy_module(spamassassin, 2.6.1)
|
||||
@ -91918,7 +92050,7 @@ index cc58e35..4f35a1b 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -167,72 +248,85 @@ optional_policy(`
|
||||
@@ -167,72 +248,90 @@ optional_policy(`
|
||||
# Client local policy
|
||||
#
|
||||
|
||||
@ -91958,6 +92090,8 @@ index cc58e35..4f35a1b 100644
|
||||
+manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
|
||||
+manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
|
||||
+userdom_append_user_home_content_files(spamc_t)
|
||||
+spamassassin_filetrans_home_content(spamc_t)
|
||||
+spamassassin_filetrans_admin_home_content(spamc_t)
|
||||
+# for /root/.pyzor
|
||||
+allow spamc_t self:capability dac_override;
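Review bot: `allow spamc_t self:capability dac_override;`, justified only by `# for /root/.pyzor`, disables discretionary access checks for every file spamc touches, not just that one; if the client merely needs to read a root-owned file, `dac_read_search` is the narrower capability, and `spamassassin_filetrans_admin_home_content(spamc_t)` two lines above plus `read_files_pattern(spamc_t, spamd_spool_t, spamd_spool_t)` in the next hunk already cover the labeled paths the commit message describes. Confirm with the originating denial whether dac_override is really exercised, and record the reason in the comment. The client policy block continues past this hunk.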
|
||||
|
||||
@ -91965,6 +92099,9 @@ index cc58e35..4f35a1b 100644
|
||||
read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
|
||||
|
||||
-stream_connect_pattern(spamc_t, { spamd_var_run_t spamd_tmp_t }, { spamd_var_run_t spamd_tmp_t }, spamd_t)
|
||||
+read_files_pattern(spamc_t, spamd_spool_t, spamd_spool_t)
|
||||
+list_dirs_pattern(spamc_t, spamd_spool_t, spamd_spool_t)
|
||||
+
|
||||
+# Allow connecting to a local spamd
|
||||
+allow spamc_t spamd_t:unix_stream_socket connectto;
|
||||
+allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;
|
||||
@ -92035,7 +92172,7 @@ index cc58e35..4f35a1b 100644
|
||||
|
||||
optional_policy(`
|
||||
abrt_stream_connect(spamc_t)
|
||||
@@ -243,6 +337,7 @@ optional_policy(`
|
||||
@@ -243,6 +342,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -92043,7 +92180,7 @@ index cc58e35..4f35a1b 100644
|
||||
evolution_stream_connect(spamc_t)
|
||||
')
|
||||
|
||||
@@ -251,10 +346,16 @@ optional_policy(`
|
||||
@@ -251,10 +351,16 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -92061,7 +92198,7 @@ index cc58e35..4f35a1b 100644
|
||||
sendmail_stub(spamc_t)
|
||||
')
|
||||
|
||||
@@ -267,36 +368,38 @@ optional_policy(`
|
||||
@@ -267,36 +373,38 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -92088,17 +92225,17 @@ index cc58e35..4f35a1b 100644
|
||||
allow spamd_t self:unix_dgram_socket sendto;
|
||||
-allow spamd_t self:unix_stream_socket { accept connectto listen };
|
||||
-allow spamd_t self:tcp_socket { accept listen };
|
||||
+allow spamd_t self:unix_stream_socket connectto;
|
||||
+allow spamd_t self:tcp_socket create_stream_socket_perms;
|
||||
+allow spamd_t self:udp_socket create_socket_perms;
|
||||
|
||||
-
|
||||
-manage_dirs_pattern(spamd_t, spamd_home_t, spamd_home_t)
|
||||
-manage_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
|
||||
-manage_lnk_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
|
||||
-manage_fifo_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
|
||||
-manage_sock_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
|
||||
-userdom_user_home_dir_filetrans(spamd_t, spamd_home_t, dir, ".spamd")
|
||||
-
|
||||
+allow spamd_t self:unix_stream_socket connectto;
|
||||
+allow spamd_t self:tcp_socket create_stream_socket_perms;
|
||||
+allow spamd_t self:udp_socket create_socket_perms;
|
||||
|
||||
-manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
|
||||
-manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
|
||||
-manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
|
||||
@ -92117,7 +92254,7 @@ index cc58e35..4f35a1b 100644
|
||||
logging_log_filetrans(spamd_t, spamd_log_t, file)
|
||||
|
||||
manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
|
||||
@@ -308,7 +411,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
|
||||
@@ -308,7 +416,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
|
||||
manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
|
||||
files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
|
||||
|
||||
@ -92127,7 +92264,7 @@ index cc58e35..4f35a1b 100644
|
||||
manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
|
||||
manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
|
||||
|
||||
@@ -317,12 +421,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
|
||||
@@ -317,12 +426,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
|
||||
manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
|
||||
files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
|
||||
|
||||
@ -92143,7 +92280,7 @@ index cc58e35..4f35a1b 100644
|
||||
corenet_all_recvfrom_netlabel(spamd_t)
|
||||
corenet_tcp_sendrecv_generic_if(spamd_t)
|
||||
corenet_udp_sendrecv_generic_if(spamd_t)
|
||||
@@ -331,78 +436,59 @@ corenet_udp_sendrecv_generic_node(spamd_t)
|
||||
@@ -331,78 +441,59 @@ corenet_udp_sendrecv_generic_node(spamd_t)
|
||||
corenet_tcp_sendrecv_all_ports(spamd_t)
|
||||
corenet_udp_sendrecv_all_ports(spamd_t)
|
||||
corenet_tcp_bind_generic_node(spamd_t)
|
||||
@ -92247,7 +92384,7 @@ index cc58e35..4f35a1b 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -421,21 +507,13 @@ optional_policy(`
|
||||
@@ -421,21 +512,13 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -92271,7 +92408,7 @@ index cc58e35..4f35a1b 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -443,8 +521,8 @@ optional_policy(`
|
||||
@@ -443,8 +526,8 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -92281,7 +92418,7 @@ index cc58e35..4f35a1b 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -455,7 +533,17 @@ optional_policy(`
|
||||
@@ -455,7 +538,17 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
razor_domtrans(spamd_t)
|
||||
razor_read_lib_files(spamd_t)
|
||||
@ -92300,7 +92437,7 @@ index cc58e35..4f35a1b 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -463,9 +551,9 @@ optional_policy(`
|
||||
@@ -463,9 +556,9 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -92311,7 +92448,7 @@ index cc58e35..4f35a1b 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -474,32 +562,32 @@ optional_policy(`
|
||||
@@ -474,32 +567,32 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -92354,7 +92491,7 @@ index cc58e35..4f35a1b 100644
|
||||
|
||||
corecmd_exec_bin(spamd_update_t)
|
||||
corecmd_exec_shell(spamd_update_t)
|
||||
@@ -508,25 +596,21 @@ dev_read_urand(spamd_update_t)
|
||||
@@ -508,25 +601,21 @@ dev_read_urand(spamd_update_t)
|
||||
|
||||
domain_use_interactive_fds(spamd_update_t)
|
||||
|
||||
@ -97873,7 +98010,7 @@ index 9b95c3e..a892845 100644
|
||||
init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
diff --git a/ulogd.te b/ulogd.te
|
||||
index de35e5f..436d24c 100644
|
||||
index de35e5f..51f2763 100644
|
||||
--- a/ulogd.te
|
||||
+++ b/ulogd.te
|
||||
@@ -29,8 +29,10 @@ logging_log_file(ulogd_var_log_t)
|
||||
@ -97894,8 +98031,9 @@ index de35e5f..436d24c 100644
|
||||
|
||||
-files_read_etc_files(ulogd_t)
|
||||
-files_read_usr_files(ulogd_t)
|
||||
|
||||
-
|
||||
-miscfiles_read_localization(ulogd_t)
|
||||
+kernel_request_load_module(ulogd_t)
|
||||
|
||||
sysnet_dns_name_resolve(ulogd_t)
|
||||
|
||||
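Review bot: `kernel_request_load_module(ulogd_t)` expands to `allow ulogd_t kernel_t:system module_request`, and SELinux cannot constrain which module name the daemon hands to request_module(), so the new rule lets ulogd have the kernel autoload any aliasable module rather than the one it needs; the hunk records neither the module nor the operation that triggers the request. I would put a why-comment above the rule, e.g. `# module_request: creating ulogd's netfilter sockets autoloads the nfnetlink logging modules -- presumably nfnetlink_log; confirm against the original AVC denial`. If that module is already loaded at boot on the target platforms, `kernel_dontaudit_request_load_module(ulogd_t)` silences the denial without widening the domain and is the tighter choice. The rest of ulogd_t's rules lie outside this hunk.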
@ -101214,7 +101352,7 @@ index facdee8..88dcafb 100644
|
||||
+ virt_stream_connect($1)
|
||||
')
|
||||
diff --git a/virt.te b/virt.te
|
||||
index f03dcf5..a26950d 100644
|
||||
index f03dcf5..0b4a6fa 100644
|
||||
--- a/virt.te
|
||||
+++ b/virt.te
|
||||
@@ -1,150 +1,212 @@
|
||||
@ -102678,7 +102816,7 @@ index f03dcf5..a26950d 100644
|
||||
selinux_get_enforce_mode(virtd_lxc_t)
|
||||
selinux_get_fs_mount(virtd_lxc_t)
|
||||
selinux_validate_context(virtd_lxc_t)
|
||||
@@ -974,194 +1133,299 @@ selinux_compute_create_context(virtd_lxc_t)
|
||||
@@ -974,194 +1133,303 @@ selinux_compute_create_context(virtd_lxc_t)
|
||||
selinux_compute_relabel_context(virtd_lxc_t)
|
||||
selinux_compute_user_contexts(virtd_lxc_t)
|
||||
|
||||
@ -102912,21 +103050,25 @@ index f03dcf5..a26950d 100644
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
|
||||
+ gear_read_pid_files(svirt_sandbox_domain)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ ssh_use_ptys(svirt_sandbox_domain)
|
||||
+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
|
||||
+')
|
||||
|
||||
optional_policy(`
|
||||
- udev_read_pid_files(svirt_lxc_domain)
|
||||
+ udev_read_pid_files(svirt_sandbox_domain)
|
||||
+ ssh_use_ptys(svirt_sandbox_domain)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- apache_exec_modules(svirt_lxc_domain)
|
||||
- apache_read_sys_content(svirt_lxc_domain)
|
||||
+ udev_read_pid_files(svirt_sandbox_domain)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ userhelper_dontaudit_write_config(svirt_sandbox_domain)
|
||||
+')
|
||||
+
|
||||
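Review bot: `gear_read_pid_files(svirt_sandbox_domain)` is granted on the attribute, so every domain carrying `svirt_sandbox_domain` -- not only the containers that run gears -- may read gear runtime files under /run, and nothing in the hunk says why non-gear sandboxes need that or whether those files hold per-gear state another tenant should not see. If only gear containers need the access, scope the rule to that type; otherwise record the decision inline, e.g. `# every sandbox domain may read gear state in /run (read-only; confirm the gear pid-file type holds nothing tenant-private)`. The run of optional_policy blocks this sits in continues outside the hunk.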
@ -102991,12 +103133,12 @@ index f03dcf5..a26950d 100644
|
||||
+', `
|
||||
+ logging_dontaudit_send_audit_msgs(svirt_lxc_net_t)
|
||||
+')
|
||||
+
|
||||
+allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
|
||||
+allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
|
||||
|
||||
-corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
|
||||
-corenet_tcp_connect_all_ports(svirt_lxc_net_t)
|
||||
+allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
|
||||
+allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
|
||||
+
|
||||
+kernel_read_irq_sysctls(svirt_lxc_net_t)
|
||||
|
||||
+dev_read_sysfs(svirt_lxc_net_t)
|
||||
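Review bot: `kernel_read_irq_sysctls(svirt_lxc_net_t)` is added here without a comment, and the next hunk adds the identical rule for `svirt_qemu_net_t`; if both types share the `svirt_sandbox_domain` attribute (not visible in this hunk) and both genuinely need it, a single rule on the attribute keeps the two grants from drifting apart. Either way the line deserves a why-comment, since /proc/irq exposes the host's interrupt layout to the sandbox and nothing records which workload asked for it, e.g. `# read /proc/irq for the container workload that reported the denial; exposes host IRQ layout to the sandbox`. The svirt_lxc_net_t rule block continues beyond this hunk.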
@ -103073,7 +103215,8 @@ index f03dcf5..a26950d 100644
|
||||
+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
|
||||
+
|
||||
+kernel_read_irq_sysctls(svirt_qemu_net_t)
|
||||
+
|
||||
|
||||
-allow svirt_prot_exec_t self:process { execmem execstack };
|
||||
+dev_read_sysfs(svirt_qemu_net_t)
|
||||
+dev_getattr_mtrr_dev(svirt_qemu_net_t)
|
||||
+dev_read_rand(svirt_qemu_net_t)
|
||||
@ -103085,8 +103228,7 @@ index f03dcf5..a26950d 100644
|
||||
+fs_mount_cgroup(svirt_qemu_net_t)
|
||||
+fs_manage_cgroup_dirs(svirt_qemu_net_t)
|
||||
+fs_manage_cgroup_files(svirt_qemu_net_t)
|
||||
|
||||
-allow svirt_prot_exec_t self:process { execmem execstack };
|
||||
+
|
||||
+term_pty(svirt_sandbox_file_t)
|
||||
+
|
||||
+auth_use_nsswitch(svirt_qemu_net_t)
|
||||
@ -103115,7 +103257,7 @@ index f03dcf5..a26950d 100644
|
||||
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
|
||||
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
|
||||
@@ -1174,12 +1438,12 @@ dev_read_sysfs(virt_qmf_t)
|
||||
@@ -1174,12 +1442,12 @@ dev_read_sysfs(virt_qmf_t)
|
||||
dev_read_rand(virt_qmf_t)
|
||||
dev_read_urand(virt_qmf_t)
|
||||
|
||||
@ -103130,7 +103272,7 @@ index f03dcf5..a26950d 100644
|
||||
sysnet_read_config(virt_qmf_t)
|
||||
|
||||
optional_policy(`
|
||||
@@ -1192,9 +1456,8 @@ optional_policy(`
|
||||
@@ -1192,9 +1460,8 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -103141,7 +103283,7 @@ index f03dcf5..a26950d 100644
|
||||
allow virt_bridgehelper_t self:process { setcap getcap };
|
||||
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
|
||||
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
||||
@@ -1207,5 +1470,218 @@ kernel_read_network_state(virt_bridgehelper_t)
|
||||
@@ -1207,5 +1474,216 @@ kernel_read_network_state(virt_bridgehelper_t)
|
||||
|
||||
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
|
||||
|
||||
@ -103360,8 +103502,6 @@ index f03dcf5..a26950d 100644
|
||||
+optional_policy(`
|
||||
+ systemd_dbus_chat_logind(sandbox_net_domain)
|
||||
+')
|
||||
+
|
||||
+
|
||||
diff --git a/vlock.te b/vlock.te
|
||||
index 6b72968..de409cc 100644
|
||||
--- a/vlock.te
|
||||
|
@ -590,6 +590,25 @@ SELinux Reference policy mls base module.
|
||||
%changelog
|
||||
* Wed May 7 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-52
|
||||
- More rules for gears and openshift
|
||||
- Added iotop policy. Thanks William Brown
|
||||
- Allow spamc to read .pyzor located in /var/spool/spampd
|
||||
- Allow spamc to create home content with correct labeling
|
||||
- Allow logwatch_mail_t to create dead.letter with correct labelign
|
||||
- Add labeling for min-cloud-agent
|
||||
- Allow geoclue to read unix in proc.
|
||||
- Add support for /usr/local/Brother labeling. We removed /usr/local equiv.
|
||||
- add support for min-cloud-agent
|
||||
- Allow ulogd to request the kernel to load a module
|
||||
- remove unconfined_domain for openwsman_t
|
||||
- Add openwsman_tmp_t rules
|
||||
- Allow openwsman to execute chkpwd and make this domain as unconfined for F20.
|
||||
- Allow nova-scheduler to read passwd file
|
||||
- Allow neutron execute arping in neutron_t
|
||||
- Dontaudit logrotate executing systemctl command attempting to net_admin
|
||||
- Allow mozilla plugins to use /dev/sr0
|
||||
- svirt sandbox domains to read gear content in /run. Allow gear_t to manage openshift files
|
||||
- Any app that executes systemctl will attempt a net_admin
|
||||
- Fix path to mmap_min_addr
|
||||
|
||||
* Wed May 7 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-51
|
||||
- Add gear fixes from dwalsh
|
||||
|