- Fix labeling for /usr/libexec/kde4/kcmdatetimehelper
- Allow tuned to search all file system directories - Allow alsa_t to sys_nice, to get top performance for sound management - Add support for MySQL/PostgreSQL for amavis - Allow openvpn_t to manage openvpn_var_log_t files. - Allow dirsrv_t to create tmpfs_t directories - Allow dirsrv to create dirs in /dev/shm with dirsrv_tmpfs label - Dontaudit leaked unix_stream_sockets into gnome keyring - Allow telepathy domains to inhibit pipes on telepathy domains - Allow cloud-init to domtrans to rpm - Allow abrt daemon to manage abrt-watch tmp files - Allow abrt-upload-watcher to search /var/spool directory - Allow nsswitch domains to manage own process key - Fix labeling for mgetty.* logs - Allow systemd to dbus chat with upower - Allow ipsec to send signull to itself - Allow setgid cap for ipsec_t - Match upstream labeling
parent
381d00a4ba
commit
dc36731280
@ -520,7 +520,7 @@ index 058d908..702b716 100644
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
diff --git a/abrt.te b/abrt.te
|
diff --git a/abrt.te b/abrt.te
|
||||||
index cc43d25..f71a133 100644
|
index cc43d25..097a770 100644
|
||||||
--- a/abrt.te
|
--- a/abrt.te
|
||||||
+++ b/abrt.te
|
+++ b/abrt.te
|
||||||
@@ -1,4 +1,4 @@
|
@@ -1,4 +1,4 @@
|
||||||
@ -705,7 +705,7 @@ index cc43d25..f71a133 100644
|
|||||||
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
|
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
|
||||||
logging_log_filetrans(abrt_t, abrt_var_log_t, file)
|
logging_log_filetrans(abrt_t, abrt_var_log_t, file)
|
||||||
|
|
||||||
@@ -112,23 +138,25 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
|
@@ -112,23 +138,29 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
|
||||||
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
|
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
|
||||||
manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
|
manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
|
||||||
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
|
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
|
||||||
@ -727,14 +727,17 @@ index cc43d25..f71a133 100644
|
|||||||
files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
|
files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
|
||||||
|
|
||||||
-can_exec(abrt_t, abrt_tmp_t)
|
-can_exec(abrt_t, abrt_tmp_t)
|
||||||
-
|
+manage_files_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
|
||||||
|
+manage_dirs_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
|
||||||
|
+manage_lnk_files_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
|
||||||
|
|
||||||
kernel_read_ring_buffer(abrt_t)
|
kernel_read_ring_buffer(abrt_t)
|
||||||
-kernel_read_system_state(abrt_t)
|
-kernel_read_system_state(abrt_t)
|
||||||
+kernel_read_network_state(abrt_t)
|
+kernel_read_network_state(abrt_t)
|
||||||
kernel_request_load_module(abrt_t)
|
kernel_request_load_module(abrt_t)
|
||||||
kernel_rw_kernel_sysctl(abrt_t)
|
kernel_rw_kernel_sysctl(abrt_t)
|
||||||
|
|
||||||
@@ -137,16 +165,14 @@ corecmd_exec_shell(abrt_t)
|
@@ -137,16 +169,14 @@ corecmd_exec_shell(abrt_t)
|
||||||
corecmd_read_all_executables(abrt_t)
|
corecmd_read_all_executables(abrt_t)
|
||||||
|
|
||||||
corenet_all_recvfrom_netlabel(abrt_t)
|
corenet_all_recvfrom_netlabel(abrt_t)
|
||||||
@ -753,7 +756,7 @@ index cc43d25..f71a133 100644
|
|||||||
|
|
||||||
dev_getattr_all_chr_files(abrt_t)
|
dev_getattr_all_chr_files(abrt_t)
|
||||||
dev_getattr_all_blk_files(abrt_t)
|
dev_getattr_all_blk_files(abrt_t)
|
||||||
@@ -163,29 +189,37 @@ files_getattr_all_files(abrt_t)
|
@@ -163,29 +193,37 @@ files_getattr_all_files(abrt_t)
|
||||||
files_read_config_files(abrt_t)
|
files_read_config_files(abrt_t)
|
||||||
files_read_etc_runtime_files(abrt_t)
|
files_read_etc_runtime_files(abrt_t)
|
||||||
files_read_var_symlinks(abrt_t)
|
files_read_var_symlinks(abrt_t)
|
||||||
@ -794,7 +797,7 @@ index cc43d25..f71a133 100644
|
|||||||
|
|
||||||
tunable_policy(`abrt_anon_write',`
|
tunable_policy(`abrt_anon_write',`
|
||||||
miscfiles_manage_public_files(abrt_t)
|
miscfiles_manage_public_files(abrt_t)
|
||||||
@@ -193,15 +227,11 @@ tunable_policy(`abrt_anon_write',`
|
@@ -193,15 +231,11 @@ tunable_policy(`abrt_anon_write',`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
apache_list_modules(abrt_t)
|
apache_list_modules(abrt_t)
|
||||||
@ -811,7 +814,7 @@ index cc43d25..f71a133 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -209,6 +239,16 @@ optional_policy(`
|
@@ -209,6 +243,16 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -828,7 +831,7 @@ index cc43d25..f71a133 100644
|
|||||||
policykit_domtrans_auth(abrt_t)
|
policykit_domtrans_auth(abrt_t)
|
||||||
policykit_read_lib(abrt_t)
|
policykit_read_lib(abrt_t)
|
||||||
policykit_read_reload(abrt_t)
|
policykit_read_reload(abrt_t)
|
||||||
@@ -220,6 +260,7 @@ optional_policy(`
|
@@ -220,6 +264,7 @@ optional_policy(`
|
||||||
corecmd_exec_all_executables(abrt_t)
|
corecmd_exec_all_executables(abrt_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -836,7 +839,7 @@ index cc43d25..f71a133 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
rpm_exec(abrt_t)
|
rpm_exec(abrt_t)
|
||||||
rpm_dontaudit_manage_db(abrt_t)
|
rpm_dontaudit_manage_db(abrt_t)
|
||||||
@@ -230,6 +271,7 @@ optional_policy(`
|
@@ -230,6 +275,7 @@ optional_policy(`
|
||||||
rpm_signull(abrt_t)
|
rpm_signull(abrt_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -844,7 +847,7 @@ index cc43d25..f71a133 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
sendmail_domtrans(abrt_t)
|
sendmail_domtrans(abrt_t)
|
||||||
')
|
')
|
||||||
@@ -240,9 +282,17 @@ optional_policy(`
|
@@ -240,9 +286,17 @@ optional_policy(`
|
||||||
sosreport_delete_tmp_files(abrt_t)
|
sosreport_delete_tmp_files(abrt_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -863,7 +866,7 @@ index cc43d25..f71a133 100644
|
|||||||
#
|
#
|
||||||
|
|
||||||
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
|
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
|
||||||
@@ -253,9 +303,13 @@ tunable_policy(`abrt_handle_event',`
|
@@ -253,9 +307,13 @@ tunable_policy(`abrt_handle_event',`
|
||||||
can_exec(abrt_t, abrt_handle_event_exec_t)
|
can_exec(abrt_t, abrt_handle_event_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -878,7 +881,7 @@ index cc43d25..f71a133 100644
|
|||||||
#
|
#
|
||||||
|
|
||||||
allow abrt_helper_t self:capability { chown setgid sys_nice };
|
allow abrt_helper_t self:capability { chown setgid sys_nice };
|
||||||
@@ -268,6 +322,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
|
@@ -268,6 +326,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
|
||||||
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
|
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
|
||||||
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
|
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
|
||||||
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
|
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
|
||||||
@ -886,7 +889,7 @@ index cc43d25..f71a133 100644
|
|||||||
|
|
||||||
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
|
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
|
||||||
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
|
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
|
||||||
@@ -276,15 +331,20 @@ corecmd_read_all_executables(abrt_helper_t)
|
@@ -276,15 +335,20 @@ corecmd_read_all_executables(abrt_helper_t)
|
||||||
|
|
||||||
domain_read_all_domains_state(abrt_helper_t)
|
domain_read_all_domains_state(abrt_helper_t)
|
||||||
|
|
||||||
@ -907,7 +910,7 @@ index cc43d25..f71a133 100644
|
|||||||
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
|
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
|
||||||
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
|
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
|
||||||
dev_dontaudit_read_all_blk_files(abrt_helper_t)
|
dev_dontaudit_read_all_blk_files(abrt_helper_t)
|
||||||
@@ -292,11 +352,25 @@ ifdef(`hide_broken_symptoms',`
|
@@ -292,11 +356,25 @@ ifdef(`hide_broken_symptoms',`
|
||||||
dev_dontaudit_write_all_chr_files(abrt_helper_t)
|
dev_dontaudit_write_all_chr_files(abrt_helper_t)
|
||||||
dev_dontaudit_write_all_blk_files(abrt_helper_t)
|
dev_dontaudit_write_all_blk_files(abrt_helper_t)
|
||||||
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
|
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
|
||||||
@ -934,7 +937,7 @@ index cc43d25..f71a133 100644
|
|||||||
#
|
#
|
||||||
|
|
||||||
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
|
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
|
||||||
@@ -314,10 +388,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
|
@@ -314,10 +392,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
|
||||||
|
|
||||||
dev_read_urand(abrt_retrace_coredump_t)
|
dev_read_urand(abrt_retrace_coredump_t)
|
||||||
|
|
||||||
@ -948,7 +951,7 @@ index cc43d25..f71a133 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
rpm_exec(abrt_retrace_coredump_t)
|
rpm_exec(abrt_retrace_coredump_t)
|
||||||
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
|
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
|
||||||
@@ -330,10 +406,11 @@ optional_policy(`
|
@@ -330,10 +410,11 @@ optional_policy(`
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
@ -962,7 +965,7 @@ index cc43d25..f71a133 100644
|
|||||||
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
|
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
|
||||||
|
|
||||||
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
|
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
|
||||||
@@ -352,46 +429,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
|
@@ -352,46 +433,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
|
||||||
|
|
||||||
dev_read_urand(abrt_retrace_worker_t)
|
dev_read_urand(abrt_retrace_worker_t)
|
||||||
|
|
||||||
@ -1024,7 +1027,7 @@ index cc43d25..f71a133 100644
|
|||||||
|
|
||||||
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
|
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
|
||||||
|
|
||||||
@@ -400,16 +487,47 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
|
@@ -400,16 +491,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
|
||||||
corecmd_exec_bin(abrt_watch_log_t)
|
corecmd_exec_bin(abrt_watch_log_t)
|
||||||
|
|
||||||
logging_read_all_logs(abrt_watch_log_t)
|
logging_read_all_logs(abrt_watch_log_t)
|
||||||
@ -1046,17 +1049,20 @@ index cc43d25..f71a133 100644
|
|||||||
-files_read_etc_files(abrt_domain)
|
-files_read_etc_files(abrt_domain)
|
||||||
+manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
|
+manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
|
||||||
+manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
|
+manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
|
||||||
|
+manage_lnk_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
|
||||||
+files_tmp_filetrans(abrt_upload_watch_t, abrt_upload_watch_tmp_t, {file dir})
|
+files_tmp_filetrans(abrt_upload_watch_t, abrt_upload_watch_tmp_t, {file dir})
|
||||||
+
|
+
|
||||||
+read_files_pattern(abrt_upload_watch_t, abrt_etc_t, abrt_etc_t)
|
+read_files_pattern(abrt_upload_watch_t, abrt_etc_t, abrt_etc_t)
|
||||||
|
+
|
||||||
|
+manage_dirs_pattern(abrt_upload_watch_t, abrt_var_cache_t, abrt_var_cache_t)
|
||||||
|
|
||||||
-logging_send_syslog_msg(abrt_domain)
|
-logging_send_syslog_msg(abrt_domain)
|
||||||
+manage_dirs_pattern(abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_cache_t)
|
|
||||||
+
|
|
||||||
+corecmd_exec_bin(abrt_upload_watch_t)
|
+corecmd_exec_bin(abrt_upload_watch_t)
|
||||||
+
|
+
|
||||||
+dev_read_urand(abrt_upload_watch_t)
|
+dev_read_urand(abrt_upload_watch_t)
|
||||||
+
|
+
|
||||||
|
+files_search_spool(abrt_upload_watch_t)
|
||||||
|
+
|
||||||
+auth_read_passwd(abrt_upload_watch_t)
|
+auth_read_passwd(abrt_upload_watch_t)
|
||||||
+
|
+
|
||||||
+tunable_policy(`abrt_upload_watch_anon_write',`
|
+tunable_policy(`abrt_upload_watch_anon_write',`
|
||||||
@ -1953,7 +1959,7 @@ index 708b743..c2edd9a 100644
|
|||||||
+ ps_process_pattern($1, alsa_t)
|
+ ps_process_pattern($1, alsa_t)
|
||||||
+')
|
+')
|
||||||
diff --git a/alsa.te b/alsa.te
|
diff --git a/alsa.te b/alsa.te
|
||||||
index cda6d20..fbe259e 100644
|
index cda6d20..443ce3c 100644
|
||||||
--- a/alsa.te
|
--- a/alsa.te
|
||||||
+++ b/alsa.te
|
+++ b/alsa.te
|
||||||
@@ -21,16 +21,23 @@ files_tmp_file(alsa_tmp_t)
|
@@ -21,16 +21,23 @@ files_tmp_file(alsa_tmp_t)
|
||||||
@ -1974,8 +1980,9 @@ index cda6d20..fbe259e 100644
|
|||||||
# Local policy
|
# Local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };
|
-allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };
|
||||||
-dontaudit alsa_t self:capability sys_admin;
|
-dontaudit alsa_t self:capability sys_admin;
|
||||||
|
+allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner sys_nice };
|
||||||
+dontaudit alsa_t self:capability { sys_tty_config sys_admin };
|
+dontaudit alsa_t self:capability { sys_tty_config sys_admin };
|
||||||
+allow alsa_t self:process { getsched setsched signal_perms };
|
+allow alsa_t self:process { getsched setsched signal_perms };
|
||||||
allow alsa_t self:sem create_sem_perms;
|
allow alsa_t self:sem create_sem_perms;
|
||||||
@ -2011,10 +2018,17 @@ index cda6d20..fbe259e 100644
|
|||||||
userdom_manage_unpriv_user_shared_mem(alsa_t)
|
userdom_manage_unpriv_user_shared_mem(alsa_t)
|
||||||
userdom_search_user_home_dirs(alsa_t)
|
userdom_search_user_home_dirs(alsa_t)
|
||||||
diff --git a/amanda.fc b/amanda.fc
|
diff --git a/amanda.fc b/amanda.fc
|
||||||
index 7f4dfbc..4d750fa 100644
|
index 7f4dfbc..e5c9f45 100644
|
||||||
--- a/amanda.fc
|
--- a/amanda.fc
|
||||||
+++ b/amanda.fc
|
+++ b/amanda.fc
|
||||||
@@ -13,6 +13,8 @@
|
@@ -1,5 +1,6 @@
|
||||||
|
/etc/amanda(/.*)? gen_context(system_u:object_r:amanda_config_t,s0)
|
||||||
|
/etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
|
||||||
|
+/etc/amanda/DailySet1(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
|
||||||
|
/etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0)
|
||||||
|
/etc/dumpdates gen_context(system_u:object_r:amanda_dumpdates_t,s0)
|
||||||
|
# empty m4 string so the index macro is not invoked
|
||||||
|
@@ -13,6 +14,8 @@
|
||||||
/usr/lib/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
|
/usr/lib/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
|
||||||
/usr/lib/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
|
/usr/lib/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
|
||||||
|
|
||||||
@ -2692,10 +2706,10 @@ index 0000000..df5b3be
|
|||||||
+')
|
+')
|
||||||
diff --git a/antivirus.te b/antivirus.te
|
diff --git a/antivirus.te b/antivirus.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..fd48ed9
|
index 0000000..784557c
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/antivirus.te
|
+++ b/antivirus.te
|
||||||
@@ -0,0 +1,269 @@
|
@@ -0,0 +1,274 @@
|
||||||
+policy_module(antivirus, 1.0.0)
|
+policy_module(antivirus, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -2847,6 +2861,10 @@ index 0000000..fd48ed9
|
|||||||
+corenet_tcp_connect_http_cache_port(antivirus_domain)
|
+corenet_tcp_connect_http_cache_port(antivirus_domain)
|
||||||
+corenet_tcp_sendrecv_http_cache_port(antivirus_domain)
|
+corenet_tcp_sendrecv_http_cache_port(antivirus_domain)
|
||||||
+
|
+
|
||||||
|
+#support for MySQL/PostgreSQL
|
||||||
|
+corenet_tcp_connect_mysqld_port(antivirus_domain)
|
||||||
|
+corenet_tcp_connect_postgresql_port(antivirus_domain)
|
||||||
|
+
|
||||||
+corenet_sendrecv_snmp_client_packets(antivirus_domain)
|
+corenet_sendrecv_snmp_client_packets(antivirus_domain)
|
||||||
+corenet_tcp_connect_snmp_port(antivirus_domain)
|
+corenet_tcp_connect_snmp_port(antivirus_domain)
|
||||||
+
|
+
|
||||||
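Review bot: `corenet_tcp_connect_mysqld_port(antivirus_domain)` and `corenet_tcp_connect_postgresql_port(antivirus_domain)` are granted unconditionally to every domain carrying the antivirus_domain attribute, while the commit message scopes the need to amavis, so clamd and any other scanner in the attribute also gain outbound access to database ports they have no reason to reach. The mysqld connect is additionally repeated inside the mysql `optional_policy` block in the next hunk, leaving two copies of the same grant. I would drop the unconditional pair here and keep each port rule next to its `mysql_stream_connect` / `postgresql_stream_connect` counterpart in an optional block, or put both behind a new boolean documented as "allow antivirus domains to connect to SQL databases" so the network reach stays opt-in. The `#support for MySQL/PostgreSQL` comment should then say which daemon needs it rather than the whole attribute.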
@ -2936,6 +2954,7 @@ index 0000000..fd48ed9
|
|||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ mysql_stream_connect(antivirus_domain)
|
+ mysql_stream_connect(antivirus_domain)
|
||||||
|
+ corenet_tcp_connect_mysqld_port(antivirus_domain)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
@ -11851,10 +11870,10 @@ index 0000000..8ac848b
|
|||||||
+')
|
+')
|
||||||
diff --git a/cloudform.te b/cloudform.te
|
diff --git a/cloudform.te b/cloudform.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..0f133be
|
index 0000000..4e41e84
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/cloudform.te
|
+++ b/cloudform.te
|
||||||
@@ -0,0 +1,297 @@
|
@@ -0,0 +1,298 @@
|
||||||
+policy_module(cloudform, 1.0)
|
+policy_module(cloudform, 1.0)
|
||||||
+########################################
|
+########################################
|
||||||
+#
|
+#
|
||||||
@ -12017,6 +12036,7 @@ index 0000000..0f133be
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
|
+ rpm_domtrans(cloud_init_t)
|
||||||
+ unconfined_domain(cloud_init_t)
|
+ unconfined_domain(cloud_init_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
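Review bot: `rpm_domtrans(cloud_init_t)` is added to the same `optional_policy` block as `unconfined_domain(cloud_init_t)`; a block is enabled only when every module it references is loaded, so on a build without the rpm module the unconfined grant silently disappears with it, and on one without unconfined the rpm transition does. Give the transition its own block, `optional_policy(\`` / `rpm_domtrans(cloud_init_t)` / `')`, so the two grants are independent. Note also that since cloud_init_t is unconfined in this block, the transition only narrows what the spawned rpm can do if rpm_t is itself confined on this build, which the hunk does not show.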
@ -20938,10 +20958,10 @@ index 0000000..b214253
|
|||||||
+')
|
+')
|
||||||
diff --git a/dirsrv.te b/dirsrv.te
|
diff --git a/dirsrv.te b/dirsrv.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..05c070d
|
index 0000000..73d1b46
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/dirsrv.te
|
+++ b/dirsrv.te
|
||||||
@@ -0,0 +1,194 @@
|
@@ -0,0 +1,196 @@
|
||||||
+policy_module(dirsrv,1.0.0)
|
+policy_module(dirsrv,1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -21000,8 +21020,10 @@ index 0000000..05c070d
|
|||||||
+allow dirsrv_t self:sem create_sem_perms;
|
+allow dirsrv_t self:sem create_sem_perms;
|
||||||
+allow dirsrv_t self:tcp_socket create_stream_socket_perms;
|
+allow dirsrv_t self:tcp_socket create_stream_socket_perms;
|
||||||
+
|
+
|
||||||
|
+manage_dirs_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
|
||||||
+manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
|
+manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
|
||||||
+fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, file)
|
+manage_lnk_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
|
||||||
|
+fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, { dir file })
|
||||||
+
|
+
|
||||||
+manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
|
+manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
|
||||||
+manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
|
+manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
|
||||||
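Review bot: `fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, { dir file })` is an unnamed transition, so every directory and file dirsrv_t creates on any tmpfs mount, not only its own entries under /dev/shm, is labelled dirsrv_tmpfs_t, and the new `manage_lnk_files_pattern` line extends full symlink management to that type as well. If the directory dirsrv creates in /dev/shm has a fixed name, a name-based transition of the form `fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, dir, "name")` keeps the label scoped to it; the name is not visible in this hunk, so this needs checking against the daemon. A short comment above the rule stating which path it covers would also help the next reader.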
@ -25929,10 +25951,10 @@ index e39de43..5818f74 100644
|
|||||||
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
|
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
|
||||||
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
|
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
|
||||||
diff --git a/gnome.if b/gnome.if
|
diff --git a/gnome.if b/gnome.if
|
||||||
index d03fd43..237de86 100644
|
index d03fd43..e814f72 100644
|
||||||
--- a/gnome.if
|
--- a/gnome.if
|
||||||
+++ b/gnome.if
|
+++ b/gnome.if
|
||||||
@@ -1,123 +1,155 @@
|
@@ -1,123 +1,157 @@
|
||||||
-## <summary>GNU network object model environment.</summary>
|
-## <summary>GNU network object model environment.</summary>
|
||||||
+## <summary>GNU network object model environment (GNOME)</summary>
|
+## <summary>GNU network object model environment (GNOME)</summary>
|
||||||
|
|
||||||
@ -26049,39 +26071,40 @@ index d03fd43..237de86 100644
|
|||||||
+ ubac_constrained($1_gkeyringd_t)
|
+ ubac_constrained($1_gkeyringd_t)
|
||||||
domain_user_exemption_target($1_gkeyringd_t)
|
domain_user_exemption_target($1_gkeyringd_t)
|
||||||
|
|
||||||
- role $2 types $1_gkeyringd_t;
|
|
||||||
+ userdom_home_manager($1_gkeyringd_t)
|
+ userdom_home_manager($1_gkeyringd_t)
|
||||||
|
+
|
||||||
|
role $2 types $1_gkeyringd_t;
|
||||||
|
|
||||||
- ########################################
|
- ########################################
|
||||||
- #
|
- #
|
||||||
- # Gconf policy
|
- # Gconf policy
|
||||||
- #
|
- #
|
||||||
+ role $2 types $1_gkeyringd_t;
|
+ domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
|
||||||
|
|
||||||
- domtrans_pattern($3, gconfd_exec_t, gconfd_t)
|
- domtrans_pattern($3, gconfd_exec_t, gconfd_t)
|
||||||
+ domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
|
+ allow $3 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms };
|
||||||
|
+ allow $3 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms };
|
||||||
|
|
||||||
- allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
|
- allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
|
||||||
- allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms };
|
- allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms };
|
||||||
- userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf")
|
- userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf")
|
||||||
- userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd")
|
- userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd")
|
||||||
+ allow $3 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms };
|
|
||||||
+ allow $3 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms };
|
|
||||||
|
|
||||||
- allow $3 gconfd_t:process { ptrace signal_perms };
|
|
||||||
- ps_process_pattern($3, gconfd_t)
|
|
||||||
+ allow $3 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms };
|
+ allow $3 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms };
|
||||||
+ allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
|
+ allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
|
||||||
|
|
||||||
- ########################################
|
- allow $3 gconfd_t:process { ptrace signal_perms };
|
||||||
- #
|
- ps_process_pattern($3, gconfd_t)
|
||||||
- # Gkeyringd policy
|
|
||||||
- #
|
|
||||||
+ corecmd_bin_domtrans($1_gkeyringd_t, $1_t)
|
+ corecmd_bin_domtrans($1_gkeyringd_t, $1_t)
|
||||||
+ corecmd_shell_domtrans($1_gkeyringd_t, $1_t)
|
+ corecmd_shell_domtrans($1_gkeyringd_t, $1_t)
|
||||||
+ allow $1_gkeyringd_t $3:process sigkill;
|
+ allow $1_gkeyringd_t $3:process sigkill;
|
||||||
+ allow $3 $1_gkeyringd_t:fd use;
|
+ allow $3 $1_gkeyringd_t:fd use;
|
||||||
+ allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;
|
+ allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;
|
||||||
|
+ dontaudit $1_gkeyringd_t $3:unix_stream_socket { getattr read write };
|
||||||
|
|
||||||
|
- ########################################
|
||||||
|
- #
|
||||||
|
- # Gkeyringd policy
|
||||||
|
- #
|
||||||
|
|
||||||
- domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
|
- domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
|
||||||
+ kernel_read_system_state($1_gkeyringd_t)
|
+ kernel_read_system_state($1_gkeyringd_t)
|
||||||
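Review bot: `dontaudit $1_gkeyringd_t $3:unix_stream_socket { getattr read write };` hides the denial for a descriptor leaked from the user domain into gnome-keyring rather than closing the leak, so the socket stays open inside the keyring daemon and the only thing that changes is the audit log. That is acceptable as noise suppression, but it should carry a comment so it is not later read as an intended grant, for example `# leaked fd from the launching user session; hides the denial only, the fix is FD_CLOEXEC in the caller`. The enclosing template (presumably gnome_role_template) starts before this hunk and continues after it.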
@ -26102,12 +26125,12 @@ index d03fd43..237de86 100644
|
|||||||
|
|
||||||
ps_process_pattern($3, $1_gkeyringd_t)
|
ps_process_pattern($3, $1_gkeyringd_t)
|
||||||
- allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
|
- allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
|
||||||
|
-
|
||||||
|
- corecmd_bin_domtrans($1_gkeyringd_t, $3)
|
||||||
|
- corecmd_shell_domtrans($1_gkeyringd_t, $3)
|
||||||
+ allow $3 $1_gkeyringd_t:process signal_perms;
|
+ allow $3 $1_gkeyringd_t:process signal_perms;
|
||||||
+ dontaudit $3 gkeyringd_exec_t:file entrypoint;
|
+ dontaudit $3 gkeyringd_exec_t:file entrypoint;
|
||||||
|
|
||||||
- corecmd_bin_domtrans($1_gkeyringd_t, $3)
|
|
||||||
- corecmd_shell_domtrans($1_gkeyringd_t, $3)
|
|
||||||
-
|
|
||||||
- gnome_stream_connect_gkeyringd($1, $3)
|
- gnome_stream_connect_gkeyringd($1, $3)
|
||||||
+ stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
|
+ stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
|
||||||
|
|
||||||
@ -26165,7 +26188,7 @@ index d03fd43..237de86 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -125,18 +157,18 @@ template(`gnome_role_template',`
|
@@ -125,18 +159,18 @@ template(`gnome_role_template',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -26189,7 +26212,7 @@ index d03fd43..237de86 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -144,119 +176,114 @@ interface(`gnome_exec_gconf',`
|
@@ -144,119 +178,114 @@ interface(`gnome_exec_gconf',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -26346,7 +26369,7 @@ index d03fd43..237de86 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -264,15 +291,21 @@ interface(`gnome_create_generic_home_dirs',`
|
@@ -264,15 +293,21 @@ interface(`gnome_create_generic_home_dirs',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -26373,7 +26396,7 @@ index d03fd43..237de86 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -280,57 +313,89 @@ interface(`gnome_setattr_config_dirs',`
|
@@ -280,57 +315,89 @@ interface(`gnome_setattr_config_dirs',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -26481,7 +26504,7 @@ index d03fd43..237de86 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -338,15 +403,18 @@ interface(`gnome_read_generic_home_content',`
|
@@ -338,15 +405,18 @@ interface(`gnome_read_generic_home_content',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -26505,7 +26528,7 @@ index d03fd43..237de86 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -354,22 +422,18 @@ interface(`gnome_manage_config',`
|
@@ -354,22 +424,18 @@ interface(`gnome_manage_config',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -26533,7 +26556,7 @@ index d03fd43..237de86 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -377,53 +441,37 @@ interface(`gnome_manage_generic_home_content',`
|
@@ -377,53 +443,37 @@ interface(`gnome_manage_generic_home_content',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -26595,7 +26618,7 @@ index d03fd43..237de86 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -431,17 +479,18 @@ interface(`gnome_home_filetrans',`
|
@@ -431,17 +481,18 @@ interface(`gnome_home_filetrans',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -26618,7 +26641,7 @@ index d03fd43..237de86 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -449,23 +498,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
|
@@ -449,23 +500,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -26646,7 +26669,7 @@ index d03fd43..237de86 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -473,82 +517,73 @@ interface(`gnome_read_generic_gconf_home_content',`
|
@@ -473,82 +519,73 @@ interface(`gnome_read_generic_gconf_home_content',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -26753,7 +26776,7 @@ index d03fd43..237de86 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
## <param name="name" optional="true">
|
## <param name="name" optional="true">
|
||||||
@@ -557,52 +592,76 @@ interface(`gnome_home_filetrans_gconf_home',`
|
@@ -557,52 +594,76 @@ interface(`gnome_home_filetrans_gconf_home',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -26851,7 +26874,7 @@ index d03fd43..237de86 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -610,93 +669,126 @@ interface(`gnome_gconf_home_filetrans',`
|
@@ -610,93 +671,126 @@ interface(`gnome_gconf_home_filetrans',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -27012,7 +27035,7 @@ index d03fd43..237de86 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -704,12 +796,851 @@ interface(`gnome_stream_connect_gkeyringd',`
|
@@ -704,12 +798,851 @@ interface(`gnome_stream_connect_gkeyringd',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -28189,19 +28212,21 @@ index 20f726b..c6ff2a1 100644
|
|||||||
+
|
+
|
||||||
+userdom_use_inherited_user_terminals(gnomedomain)
|
+userdom_use_inherited_user_terminals(gnomedomain)
|
||||||
diff --git a/gnomeclock.fc b/gnomeclock.fc
|
diff --git a/gnomeclock.fc b/gnomeclock.fc
|
||||||
index b687443..5d92f4e 100644
|
index b687443..e4c1b83 100644
|
||||||
--- a/gnomeclock.fc
|
--- a/gnomeclock.fc
|
||||||
+++ b/gnomeclock.fc
|
+++ b/gnomeclock.fc
|
||||||
@@ -1,5 +1,7 @@
|
@@ -1,5 +1,9 @@
|
||||||
+/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
|
+/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
|
||||||
+
|
+
|
||||||
/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
|
/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
|
||||||
|
|
||||||
-/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
|
-/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
|
||||||
+/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
|
+/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
|
||||||
|
+
|
||||||
|
+/usr/libexec/kde3/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
|
||||||
|
+/usr/libexec/kde4/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
|
||||||
|
|
||||||
-/usr/libexec/kde(3|4)/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
|
-/usr/libexec/kde(3|4)/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
|
||||||
+/usr/libexec/kde(3|4)/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
|
|
||||||
diff --git a/gnomeclock.if b/gnomeclock.if
|
diff --git a/gnomeclock.if b/gnomeclock.if
|
||||||
index 3f55702..25c7ab8 100644
|
index 3f55702..25c7ab8 100644
|
||||||
--- a/gnomeclock.if
|
--- a/gnomeclock.if
|
||||||
@ -52500,7 +52525,7 @@ index 6837e9a..21e6dae 100644
|
|||||||
domain_system_change_exemption($1)
|
domain_system_change_exemption($1)
|
||||||
role_transition $2 openvpn_initrc_exec_t system_r;
|
role_transition $2 openvpn_initrc_exec_t system_r;
|
||||||
diff --git a/openvpn.te b/openvpn.te
|
diff --git a/openvpn.te b/openvpn.te
|
||||||
index 3270ff9..60a7af6 100644
|
index 3270ff9..5b046fe 100644
|
||||||
--- a/openvpn.te
|
--- a/openvpn.te
|
||||||
+++ b/openvpn.te
|
+++ b/openvpn.te
|
||||||
@@ -6,6 +6,13 @@ policy_module(openvpn, 1.11.3)
|
@@ -6,6 +6,13 @@ policy_module(openvpn, 1.11.3)
|
||||||
@ -52560,7 +52585,7 @@ index 3270ff9..60a7af6 100644
|
|||||||
allow openvpn_t self:process { signal getsched setsched };
|
allow openvpn_t self:process { signal getsched setsched };
|
||||||
allow openvpn_t self:fifo_file rw_fifo_file_perms;
|
allow openvpn_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow openvpn_t self:unix_dgram_socket sendto;
|
allow openvpn_t self:unix_dgram_socket sendto;
|
||||||
@@ -62,6 +83,12 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
|
@@ -62,10 +83,14 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
|
||||||
allow openvpn_t openvpn_status_t:file manage_file_perms;
|
allow openvpn_t openvpn_status_t:file manage_file_perms;
|
||||||
logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")
|
logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")
|
||||||
|
|
||||||
@ -52571,9 +52596,14 @@ index 3270ff9..60a7af6 100644
|
|||||||
+files_var_lib_filetrans(openvpn_t, openvpn_var_lib_t, { dir file })
|
+files_var_lib_filetrans(openvpn_t, openvpn_var_lib_t, { dir file })
|
||||||
+
|
+
|
||||||
manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
|
manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
|
||||||
append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
|
-append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
|
||||||
create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
|
-create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
|
||||||
@@ -83,7 +110,6 @@ kernel_request_load_module(openvpn_t)
|
-setattr_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
|
||||||
|
+manage_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
|
||||||
|
logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
|
||||||
|
|
||||||
|
manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
|
||||||
|
@@ -83,7 +108,6 @@ kernel_request_load_module(openvpn_t)
|
||||||
corecmd_exec_bin(openvpn_t)
|
corecmd_exec_bin(openvpn_t)
|
||||||
corecmd_exec_shell(openvpn_t)
|
corecmd_exec_shell(openvpn_t)
|
||||||
|
|
||||||
@ -52581,7 +52611,7 @@ index 3270ff9..60a7af6 100644
|
|||||||
corenet_all_recvfrom_netlabel(openvpn_t)
|
corenet_all_recvfrom_netlabel(openvpn_t)
|
||||||
corenet_tcp_sendrecv_generic_if(openvpn_t)
|
corenet_tcp_sendrecv_generic_if(openvpn_t)
|
||||||
corenet_udp_sendrecv_generic_if(openvpn_t)
|
corenet_udp_sendrecv_generic_if(openvpn_t)
|
||||||
@@ -103,13 +129,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t)
|
@@ -103,13 +127,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t)
|
||||||
corenet_sendrecv_http_server_packets(openvpn_t)
|
corenet_sendrecv_http_server_packets(openvpn_t)
|
||||||
corenet_tcp_bind_http_port(openvpn_t)
|
corenet_tcp_bind_http_port(openvpn_t)
|
||||||
corenet_sendrecv_http_client_packets(openvpn_t)
|
corenet_sendrecv_http_client_packets(openvpn_t)
|
||||||
@ -52598,7 +52628,7 @@ index 3270ff9..60a7af6 100644
|
|||||||
corenet_rw_tun_tap_dev(openvpn_t)
|
corenet_rw_tun_tap_dev(openvpn_t)
|
||||||
|
|
||||||
dev_read_rand(openvpn_t)
|
dev_read_rand(openvpn_t)
|
||||||
@@ -121,18 +149,24 @@ fs_search_auto_mountpoints(openvpn_t)
|
@@ -121,18 +147,24 @@ fs_search_auto_mountpoints(openvpn_t)
|
||||||
|
|
||||||
auth_use_pam(openvpn_t)
|
auth_use_pam(openvpn_t)
|
||||||
|
|
||||||
@ -52626,7 +52656,7 @@ index 3270ff9..60a7af6 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
|
tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
|
||||||
@@ -143,6 +177,10 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
|
@@ -143,6 +175,10 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
|
||||||
fs_read_cifs_files(openvpn_t)
|
fs_read_cifs_files(openvpn_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -52637,7 +52667,7 @@ index 3270ff9..60a7af6 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
daemontools_service_domain(openvpn_t, openvpn_exec_t)
|
daemontools_service_domain(openvpn_t, openvpn_exec_t)
|
||||||
')
|
')
|
||||||
@@ -155,3 +193,27 @@ optional_policy(`
|
@@ -155,3 +191,27 @@ optional_policy(`
|
||||||
networkmanager_dbus_chat(openvpn_t)
|
networkmanager_dbus_chat(openvpn_t)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
@ -73188,7 +73218,7 @@ index 3bd6446..8bde316 100644
|
|||||||
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
|
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
|
||||||
')
|
')
|
||||||
diff --git a/rpc.te b/rpc.te
|
diff --git a/rpc.te b/rpc.te
|
||||||
index e5212e6..97bb4a0 100644
|
index e5212e6..022f7fc 100644
|
||||||
--- a/rpc.te
|
--- a/rpc.te
|
||||||
+++ b/rpc.te
|
+++ b/rpc.te
|
||||||
@@ -1,4 +1,4 @@
|
@@ -1,4 +1,4 @@
|
||||||
@ -73206,7 +73236,7 @@ index e5212e6..97bb4a0 100644
|
|||||||
-## generic user temporary content.
|
-## generic user temporary content.
|
||||||
-## </p>
|
-## </p>
|
||||||
+## <p>
|
+## <p>
|
||||||
+## Allow gssd to read temp directory. For access to kerberos tgt.
|
+## Allow gssd to list tmp directories and read the kerberos credential cache.
|
||||||
+## </p>
|
+## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
-gen_tunable(allow_gssd_read_tmp, false)
|
-gen_tunable(allow_gssd_read_tmp, false)
|
||||||
@ -86630,7 +86660,7 @@ index 42946bc..741f2f4 100644
|
|||||||
+ can_exec($1, telepathy_executable)
|
+ can_exec($1, telepathy_executable)
|
||||||
')
|
')
|
||||||
diff --git a/telepathy.te b/telepathy.te
|
diff --git a/telepathy.te b/telepathy.te
|
||||||
index e9c0964..8d5bbdd 100644
|
index e9c0964..5a41683 100644
|
||||||
--- a/telepathy.te
|
--- a/telepathy.te
|
||||||
+++ b/telepathy.te
|
+++ b/telepathy.te
|
||||||
@@ -1,29 +1,28 @@
|
@@ -1,29 +1,28 @@
|
||||||
@ -87134,7 +87164,7 @@ index e9c0964..8d5bbdd 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
xserver_read_xdm_pid(telepathy_sunshine_t)
|
xserver_read_xdm_pid(telepathy_sunshine_t)
|
||||||
xserver_stream_connect(telepathy_sunshine_t)
|
xserver_stream_connect(telepathy_sunshine_t)
|
||||||
@@ -452,31 +385,48 @@ optional_policy(`
|
@@ -452,31 +385,49 @@ optional_policy(`
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
@ -87180,6 +87210,7 @@ index e9c0964..8d5bbdd 100644
|
|||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ systemd_dbus_chat_logind(telepathy_domain)
|
+ systemd_dbus_chat_logind(telepathy_domain)
|
||||||
|
+ systemd_write_inhibit_pipes(telepathy_domain)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
@ -89177,7 +89208,7 @@ index e29db63..061fb98 100644
|
|||||||
domain_system_change_exemption($1)
|
domain_system_change_exemption($1)
|
||||||
role_transition $2 tuned_initrc_exec_t system_r;
|
role_transition $2 tuned_initrc_exec_t system_r;
|
||||||
diff --git a/tuned.te b/tuned.te
|
diff --git a/tuned.te b/tuned.te
|
||||||
index 7116181..971952e 100644
|
index 7116181..b957a0f 100644
|
||||||
--- a/tuned.te
|
--- a/tuned.te
|
||||||
+++ b/tuned.te
|
+++ b/tuned.te
|
||||||
@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
|
@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
|
||||||
@ -89231,7 +89262,7 @@ index 7116181..971952e 100644
|
|||||||
|
|
||||||
corecmd_exec_bin(tuned_t)
|
corecmd_exec_bin(tuned_t)
|
||||||
corecmd_exec_shell(tuned_t)
|
corecmd_exec_shell(tuned_t)
|
||||||
@@ -64,31 +73,52 @@ corecmd_exec_shell(tuned_t)
|
@@ -64,31 +73,53 @@ corecmd_exec_shell(tuned_t)
|
||||||
dev_getattr_all_blk_files(tuned_t)
|
dev_getattr_all_blk_files(tuned_t)
|
||||||
dev_getattr_all_chr_files(tuned_t)
|
dev_getattr_all_chr_files(tuned_t)
|
||||||
dev_read_urand(tuned_t)
|
dev_read_urand(tuned_t)
|
||||||
@ -89246,6 +89277,7 @@ index 7116181..971952e 100644
|
|||||||
|
|
||||||
-fs_getattr_xattr_fs(tuned_t)
|
-fs_getattr_xattr_fs(tuned_t)
|
||||||
+fs_getattr_all_fs(tuned_t)
|
+fs_getattr_all_fs(tuned_t)
|
||||||
|
+fs_search_all(tuned_t)
|
||||||
+
|
+
|
||||||
+auth_use_nsswitch(tuned_t)
|
+auth_use_nsswitch(tuned_t)
|
||||||
|
|
||||||
@ -92611,7 +92643,7 @@ index 9dec06c..73549fd 100644
|
|||||||
+ virt_stream_connect($1)
|
+ virt_stream_connect($1)
|
||||||
')
|
')
|
||||||
diff --git a/virt.te b/virt.te
|
diff --git a/virt.te b/virt.te
|
||||||
index 1f22fba..924d71c 100644
|
index 1f22fba..a35bf47 100644
|
||||||
--- a/virt.te
|
--- a/virt.te
|
||||||
+++ b/virt.te
|
+++ b/virt.te
|
||||||
@@ -1,147 +1,166 @@
|
@@ -1,147 +1,166 @@
|
||||||
@ -92854,7 +92886,7 @@ index 1f22fba..924d71c 100644
|
|||||||
ifdef(`enable_mcs',`
|
ifdef(`enable_mcs',`
|
||||||
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
|
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
|
||||||
')
|
')
|
||||||
@@ -150,295 +169,139 @@ ifdef(`enable_mls',`
|
@@ -150,295 +169,140 @@ ifdef(`enable_mls',`
|
||||||
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
|
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -93217,6 +93249,7 @@ index 1f22fba..924d71c 100644
|
|||||||
-manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
|
-manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
|
||||||
-filetrans_pattern(virtd_t, virt_var_run_t, svirt_var_run_t, dir, "qemu")
|
-filetrans_pattern(virtd_t, virt_var_run_t, svirt_var_run_t, dir, "qemu")
|
||||||
+allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
|
+allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
|
||||||
|
+allow virtd_t svirt_sandbox_domain:process { getattr getsched setsched transition signal signull sigkill };
|
||||||
+allow virt_domain virtd_t:fd use;
|
+allow virt_domain virtd_t:fd use;
|
||||||
+dontaudit virt_domain virtd_t:unix_stream_socket { read write };
|
+dontaudit virt_domain virtd_t:unix_stream_socket { read write };
|
||||||
+allow virtd_t virt_domain:unix_stream_socket { connectto create_stream_socket_perms };
|
+allow virtd_t virt_domain:unix_stream_socket { connectto create_stream_socket_perms };
|
||||||
@ -93233,7 +93266,7 @@ index 1f22fba..924d71c 100644
|
|||||||
|
|
||||||
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
||||||
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
||||||
@@ -448,42 +311,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
@@ -448,42 +312,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
||||||
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
||||||
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
|
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
|
||||||
|
|
||||||
@ -93280,7 +93313,7 @@ index 1f22fba..924d71c 100644
|
|||||||
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
|
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
|
||||||
|
|
||||||
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
|
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
|
||||||
@@ -496,16 +346,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
|
@@ -496,16 +347,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
|
||||||
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
|
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
|
||||||
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
|
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
|
||||||
|
|
||||||
@ -93302,7 +93335,7 @@ index 1f22fba..924d71c 100644
|
|||||||
kernel_read_system_state(virtd_t)
|
kernel_read_system_state(virtd_t)
|
||||||
kernel_read_network_state(virtd_t)
|
kernel_read_network_state(virtd_t)
|
||||||
kernel_rw_net_sysctls(virtd_t)
|
kernel_rw_net_sysctls(virtd_t)
|
||||||
@@ -513,6 +359,7 @@ kernel_read_kernel_sysctls(virtd_t)
|
@@ -513,6 +360,7 @@ kernel_read_kernel_sysctls(virtd_t)
|
||||||
kernel_request_load_module(virtd_t)
|
kernel_request_load_module(virtd_t)
|
||||||
kernel_search_debugfs(virtd_t)
|
kernel_search_debugfs(virtd_t)
|
||||||
kernel_setsched(virtd_t)
|
kernel_setsched(virtd_t)
|
||||||
@ -93310,7 +93343,7 @@ index 1f22fba..924d71c 100644
|
|||||||
|
|
||||||
corecmd_exec_bin(virtd_t)
|
corecmd_exec_bin(virtd_t)
|
||||||
corecmd_exec_shell(virtd_t)
|
corecmd_exec_shell(virtd_t)
|
||||||
@@ -520,24 +367,16 @@ corecmd_exec_shell(virtd_t)
|
@@ -520,24 +368,16 @@ corecmd_exec_shell(virtd_t)
|
||||||
corenet_all_recvfrom_netlabel(virtd_t)
|
corenet_all_recvfrom_netlabel(virtd_t)
|
||||||
corenet_tcp_sendrecv_generic_if(virtd_t)
|
corenet_tcp_sendrecv_generic_if(virtd_t)
|
||||||
corenet_tcp_sendrecv_generic_node(virtd_t)
|
corenet_tcp_sendrecv_generic_node(virtd_t)
|
||||||
@ -93338,7 +93371,7 @@ index 1f22fba..924d71c 100644
|
|||||||
dev_rw_sysfs(virtd_t)
|
dev_rw_sysfs(virtd_t)
|
||||||
dev_read_urand(virtd_t)
|
dev_read_urand(virtd_t)
|
||||||
dev_read_rand(virtd_t)
|
dev_read_rand(virtd_t)
|
||||||
@@ -548,22 +387,24 @@ dev_rw_vhost(virtd_t)
|
@@ -548,22 +388,27 @@ dev_rw_vhost(virtd_t)
|
||||||
dev_setattr_generic_usb_dev(virtd_t)
|
dev_setattr_generic_usb_dev(virtd_t)
|
||||||
dev_relabel_generic_usb_dev(virtd_t)
|
dev_relabel_generic_usb_dev(virtd_t)
|
||||||
|
|
||||||
@ -93354,6 +93387,9 @@ index 1f22fba..924d71c 100644
|
|||||||
files_read_usr_src_files(virtd_t)
|
files_read_usr_src_files(virtd_t)
|
||||||
+files_relabelto_system_conf_files(virtd_t)
|
+files_relabelto_system_conf_files(virtd_t)
|
||||||
+files_relabelfrom_system_conf_files(virtd_t)
|
+files_relabelfrom_system_conf_files(virtd_t)
|
||||||
|
+files_relabelfrom_boot_files(virtd_t)
|
||||||
|
+files_relabelto_boot_files(virtd_t)
|
||||||
|
+files_manage_boot_files(virtd_t)
|
||||||
|
|
||||||
# Manages /etc/sysconfig/system-config-firewall
|
# Manages /etc/sysconfig/system-config-firewall
|
||||||
-# files_relabelto_system_conf_files(virtd_t)
|
-# files_relabelto_system_conf_files(virtd_t)
|
||||||
@ -93368,7 +93404,7 @@ index 1f22fba..924d71c 100644
|
|||||||
fs_rw_anon_inodefs_files(virtd_t)
|
fs_rw_anon_inodefs_files(virtd_t)
|
||||||
fs_list_inotifyfs(virtd_t)
|
fs_list_inotifyfs(virtd_t)
|
||||||
fs_manage_cgroup_dirs(virtd_t)
|
fs_manage_cgroup_dirs(virtd_t)
|
||||||
@@ -594,15 +435,18 @@ term_use_ptmx(virtd_t)
|
@@ -594,15 +439,18 @@ term_use_ptmx(virtd_t)
|
||||||
|
|
||||||
auth_use_nsswitch(virtd_t)
|
auth_use_nsswitch(virtd_t)
|
||||||
|
|
||||||
@ -93388,7 +93424,7 @@ index 1f22fba..924d71c 100644
|
|||||||
|
|
||||||
selinux_validate_context(virtd_t)
|
selinux_validate_context(virtd_t)
|
||||||
|
|
||||||
@@ -613,18 +457,26 @@ seutil_read_file_contexts(virtd_t)
|
@@ -613,18 +461,26 @@ seutil_read_file_contexts(virtd_t)
|
||||||
sysnet_signull_ifconfig(virtd_t)
|
sysnet_signull_ifconfig(virtd_t)
|
||||||
sysnet_signal_ifconfig(virtd_t)
|
sysnet_signal_ifconfig(virtd_t)
|
||||||
sysnet_domtrans_ifconfig(virtd_t)
|
sysnet_domtrans_ifconfig(virtd_t)
|
||||||
@ -93425,7 +93461,7 @@ index 1f22fba..924d71c 100644
|
|||||||
|
|
||||||
tunable_policy(`virt_use_nfs',`
|
tunable_policy(`virt_use_nfs',`
|
||||||
fs_manage_nfs_dirs(virtd_t)
|
fs_manage_nfs_dirs(virtd_t)
|
||||||
@@ -633,7 +485,7 @@ tunable_policy(`virt_use_nfs',`
|
@@ -633,7 +489,7 @@ tunable_policy(`virt_use_nfs',`
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`virt_use_samba',`
|
tunable_policy(`virt_use_samba',`
|
||||||
@ -93434,7 +93470,7 @@ index 1f22fba..924d71c 100644
|
|||||||
fs_manage_cifs_files(virtd_t)
|
fs_manage_cifs_files(virtd_t)
|
||||||
fs_read_cifs_symlinks(virtd_t)
|
fs_read_cifs_symlinks(virtd_t)
|
||||||
')
|
')
|
||||||
@@ -658,20 +510,12 @@ optional_policy(`
|
@@ -658,20 +514,12 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -93455,7 +93491,7 @@ index 1f22fba..924d71c 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -684,14 +528,20 @@ optional_policy(`
|
@@ -684,14 +532,20 @@ optional_policy(`
|
||||||
dnsmasq_kill(virtd_t)
|
dnsmasq_kill(virtd_t)
|
||||||
dnsmasq_signull(virtd_t)
|
dnsmasq_signull(virtd_t)
|
||||||
dnsmasq_create_pid_dirs(virtd_t)
|
dnsmasq_create_pid_dirs(virtd_t)
|
||||||
@ -93478,7 +93514,7 @@ index 1f22fba..924d71c 100644
|
|||||||
iptables_manage_config(virtd_t)
|
iptables_manage_config(virtd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -704,11 +554,13 @@ optional_policy(`
|
@@ -704,11 +558,13 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -93492,7 +93528,7 @@ index 1f22fba..924d71c 100644
|
|||||||
policykit_domtrans_auth(virtd_t)
|
policykit_domtrans_auth(virtd_t)
|
||||||
policykit_domtrans_resolve(virtd_t)
|
policykit_domtrans_resolve(virtd_t)
|
||||||
policykit_read_lib(virtd_t)
|
policykit_read_lib(virtd_t)
|
||||||
@@ -719,10 +571,18 @@ optional_policy(`
|
@@ -719,10 +575,18 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -93511,7 +93547,7 @@ index 1f22fba..924d71c 100644
|
|||||||
kernel_read_xen_state(virtd_t)
|
kernel_read_xen_state(virtd_t)
|
||||||
kernel_write_xen_state(virtd_t)
|
kernel_write_xen_state(virtd_t)
|
||||||
|
|
||||||
@@ -737,44 +597,262 @@ optional_policy(`
|
@@ -737,44 +601,262 @@ optional_policy(`
|
||||||
udev_read_db(virtd_t)
|
udev_read_db(virtd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -93673,7 +93709,7 @@ index 1f22fba..924d71c 100644
|
|||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ ptchown_domtrans(virt_domain)
|
+ ptchown_domtrans(virt_domain)
|
||||||
+')
|
+')
|
||||||
+
|
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ pulseaudio_dontaudit_exec(virt_domain)
|
+ pulseaudio_dontaudit_exec(virt_domain)
|
||||||
+')
|
+')
|
||||||
@ -93742,7 +93778,7 @@ index 1f22fba..924d71c 100644
|
|||||||
+ xserver_stream_connect(virt_domain)
|
+ xserver_stream_connect(virt_domain)
|
||||||
+ ')
|
+ ')
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+#
|
+#
|
||||||
+# xm local policy
|
+# xm local policy
|
||||||
@ -93796,7 +93832,7 @@ index 1f22fba..924d71c 100644
|
|||||||
kernel_read_system_state(virsh_t)
|
kernel_read_system_state(virsh_t)
|
||||||
kernel_read_network_state(virsh_t)
|
kernel_read_network_state(virsh_t)
|
||||||
kernel_read_kernel_sysctls(virsh_t)
|
kernel_read_kernel_sysctls(virsh_t)
|
||||||
@@ -785,25 +863,18 @@ kernel_write_xen_state(virsh_t)
|
@@ -785,25 +867,18 @@ kernel_write_xen_state(virsh_t)
|
||||||
corecmd_exec_bin(virsh_t)
|
corecmd_exec_bin(virsh_t)
|
||||||
corecmd_exec_shell(virsh_t)
|
corecmd_exec_shell(virsh_t)
|
||||||
|
|
||||||
@ -93823,7 +93859,7 @@ index 1f22fba..924d71c 100644
|
|||||||
|
|
||||||
fs_getattr_all_fs(virsh_t)
|
fs_getattr_all_fs(virsh_t)
|
||||||
fs_manage_xenfs_dirs(virsh_t)
|
fs_manage_xenfs_dirs(virsh_t)
|
||||||
@@ -812,24 +883,22 @@ fs_search_auto_mountpoints(virsh_t)
|
@@ -812,24 +887,22 @@ fs_search_auto_mountpoints(virsh_t)
|
||||||
|
|
||||||
storage_raw_read_fixed_disk(virsh_t)
|
storage_raw_read_fixed_disk(virsh_t)
|
||||||
|
|
||||||
@ -93855,7 +93891,7 @@ index 1f22fba..924d71c 100644
|
|||||||
tunable_policy(`virt_use_nfs',`
|
tunable_policy(`virt_use_nfs',`
|
||||||
fs_manage_nfs_dirs(virsh_t)
|
fs_manage_nfs_dirs(virsh_t)
|
||||||
fs_manage_nfs_files(virsh_t)
|
fs_manage_nfs_files(virsh_t)
|
||||||
@@ -847,14 +916,20 @@ optional_policy(`
|
@@ -847,14 +920,20 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -93877,7 +93913,7 @@ index 1f22fba..924d71c 100644
|
|||||||
xen_stream_connect(virsh_t)
|
xen_stream_connect(virsh_t)
|
||||||
xen_stream_connect_xenstore(virsh_t)
|
xen_stream_connect_xenstore(virsh_t)
|
||||||
')
|
')
|
||||||
@@ -879,49 +954,65 @@ optional_policy(`
|
@@ -879,49 +958,65 @@ optional_policy(`
|
||||||
kernel_read_xen_state(virsh_ssh_t)
|
kernel_read_xen_state(virsh_ssh_t)
|
||||||
kernel_write_xen_state(virsh_ssh_t)
|
kernel_write_xen_state(virsh_ssh_t)
|
||||||
|
|
||||||
@ -93961,7 +93997,7 @@ index 1f22fba..924d71c 100644
|
|||||||
|
|
||||||
corecmd_exec_bin(virtd_lxc_t)
|
corecmd_exec_bin(virtd_lxc_t)
|
||||||
corecmd_exec_shell(virtd_lxc_t)
|
corecmd_exec_shell(virtd_lxc_t)
|
||||||
@@ -933,17 +1024,16 @@ dev_read_urand(virtd_lxc_t)
|
@@ -933,17 +1028,16 @@ dev_read_urand(virtd_lxc_t)
|
||||||
|
|
||||||
domain_use_interactive_fds(virtd_lxc_t)
|
domain_use_interactive_fds(virtd_lxc_t)
|
||||||
|
|
||||||
@ -93981,7 +94017,7 @@ index 1f22fba..924d71c 100644
|
|||||||
fs_getattr_all_fs(virtd_lxc_t)
|
fs_getattr_all_fs(virtd_lxc_t)
|
||||||
fs_manage_tmpfs_dirs(virtd_lxc_t)
|
fs_manage_tmpfs_dirs(virtd_lxc_t)
|
||||||
fs_manage_tmpfs_chr_files(virtd_lxc_t)
|
fs_manage_tmpfs_chr_files(virtd_lxc_t)
|
||||||
@@ -955,8 +1045,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
|
@@ -955,8 +1049,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
|
||||||
fs_unmount_all_fs(virtd_lxc_t)
|
fs_unmount_all_fs(virtd_lxc_t)
|
||||||
fs_relabelfrom_tmpfs(virtd_lxc_t)
|
fs_relabelfrom_tmpfs(virtd_lxc_t)
|
||||||
|
|
||||||
@ -94005,7 +94041,7 @@ index 1f22fba..924d71c 100644
|
|||||||
selinux_get_enforce_mode(virtd_lxc_t)
|
selinux_get_enforce_mode(virtd_lxc_t)
|
||||||
selinux_get_fs_mount(virtd_lxc_t)
|
selinux_get_fs_mount(virtd_lxc_t)
|
||||||
selinux_validate_context(virtd_lxc_t)
|
selinux_validate_context(virtd_lxc_t)
|
||||||
@@ -965,194 +1070,251 @@ selinux_compute_create_context(virtd_lxc_t)
|
@@ -965,194 +1074,264 @@ selinux_compute_create_context(virtd_lxc_t)
|
||||||
selinux_compute_relabel_context(virtd_lxc_t)
|
selinux_compute_relabel_context(virtd_lxc_t)
|
||||||
selinux_compute_user_contexts(virtd_lxc_t)
|
selinux_compute_user_contexts(virtd_lxc_t)
|
||||||
|
|
||||||
@ -94034,12 +94070,12 @@ index 1f22fba..924d71c 100644
|
|||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ gnome_read_generic_cache_files(virtd_lxc_t)
|
+ gnome_read_generic_cache_files(virtd_lxc_t)
|
||||||
+')
|
+')
|
||||||
+
|
|
||||||
|
-sysnet_domtrans_ifconfig(virtd_lxc_t)
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ setrans_manage_pid_files(virtd_lxc_t)
|
+ setrans_manage_pid_files(virtd_lxc_t)
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
-sysnet_domtrans_ifconfig(virtd_lxc_t)
|
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ unconfined_domain(virtd_lxc_t)
|
+ unconfined_domain(virtd_lxc_t)
|
||||||
+')
|
+')
|
||||||
@ -94065,8 +94101,6 @@ index 1f22fba..924d71c 100644
|
|||||||
+
|
+
|
||||||
+allow svirt_sandbox_domain virtd_lxc_t:process sigchld;
|
+allow svirt_sandbox_domain virtd_lxc_t:process sigchld;
|
||||||
+allow svirt_sandbox_domain virtd_lxc_t:fd use;
|
+allow svirt_sandbox_domain virtd_lxc_t:fd use;
|
||||||
+allow svirt_sandbox_domain virt_lxc_var_run_t:dir list_dir_perms;
|
|
||||||
+allow svirt_sandbox_domain virt_lxc_var_run_t:file read_file_perms;
|
|
||||||
+allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
|
+allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
|
||||||
+
|
+
|
||||||
+manage_dirs_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
+manage_dirs_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
||||||
@ -94135,6 +94169,10 @@ index 1f22fba..924d71c 100644
|
|||||||
+ apache_exec_modules(svirt_sandbox_domain)
|
+ apache_exec_modules(svirt_sandbox_domain)
|
||||||
+ apache_read_sys_content(svirt_sandbox_domain)
|
+ apache_read_sys_content(svirt_sandbox_domain)
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
|
||||||
|
+')
|
||||||
|
|
||||||
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
|
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
|
||||||
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
|
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
|
||||||
@ -94219,21 +94257,17 @@ index 1f22fba..924d71c 100644
|
|||||||
-
|
-
|
||||||
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
|
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
|
+ ssh_use_ptys(svirt_sandbox_domain)
|
||||||
+')
|
+')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- udev_read_pid_files(svirt_lxc_domain)
|
- udev_read_pid_files(svirt_lxc_domain)
|
||||||
+ ssh_use_ptys(svirt_sandbox_domain)
|
+ udev_read_pid_files(svirt_sandbox_domain)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- apache_exec_modules(svirt_lxc_domain)
|
- apache_exec_modules(svirt_lxc_domain)
|
||||||
- apache_read_sys_content(svirt_lxc_domain)
|
- apache_read_sys_content(svirt_lxc_domain)
|
||||||
+ udev_read_pid_files(svirt_sandbox_domain)
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
+optional_policy(`
|
|
||||||
+ userhelper_dontaudit_write_config(svirt_sandbox_domain)
|
+ userhelper_dontaudit_write_config(svirt_sandbox_domain)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -94263,6 +94297,9 @@ index 1f22fba..924d71c 100644
|
|||||||
+allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
|
+allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
|
||||||
allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
|
allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||||
|
|
||||||
|
+allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
|
||||||
|
+allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
|
||||||
|
+
|
||||||
kernel_read_network_state(svirt_lxc_net_t)
|
kernel_read_network_state(svirt_lxc_net_t)
|
||||||
kernel_read_irq_sysctls(svirt_lxc_net_t)
|
kernel_read_irq_sysctls(svirt_lxc_net_t)
|
||||||
|
|
||||||
@ -94339,6 +94376,18 @@ index 1f22fba..924d71c 100644
|
|||||||
+allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
|
+allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
|
||||||
+allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
|
+allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||||
+
|
+
|
||||||
|
+term_use_generic_ptys(svirt_qemu_net_t)
|
||||||
|
+term_use_ptmx(svirt_qemu_net_t)
|
||||||
|
+
|
||||||
|
+dev_rw_kvm(svirt_qemu_net_t)
|
||||||
|
+
|
||||||
|
+manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
|
||||||
|
+
|
||||||
|
+list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
|
||||||
|
+read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
|
||||||
|
+
|
||||||
|
+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
|
||||||
|
+
|
||||||
+kernel_read_network_state(svirt_qemu_net_t)
|
+kernel_read_network_state(svirt_qemu_net_t)
|
||||||
+kernel_read_irq_sysctls(svirt_qemu_net_t)
|
+kernel_read_irq_sysctls(svirt_qemu_net_t)
|
||||||
+
|
+
|
||||||
@ -94346,7 +94395,8 @@ index 1f22fba..924d71c 100644
|
|||||||
+dev_getattr_mtrr_dev(svirt_qemu_net_t)
|
+dev_getattr_mtrr_dev(svirt_qemu_net_t)
|
||||||
+dev_read_rand(svirt_qemu_net_t)
|
+dev_read_rand(svirt_qemu_net_t)
|
||||||
+dev_read_urand(svirt_qemu_net_t)
|
+dev_read_urand(svirt_qemu_net_t)
|
||||||
+
|
|
||||||
|
-allow svirt_prot_exec_t self:process { execmem execstack };
|
||||||
+corenet_tcp_bind_generic_node(svirt_qemu_net_t)
|
+corenet_tcp_bind_generic_node(svirt_qemu_net_t)
|
||||||
+corenet_udp_bind_generic_node(svirt_qemu_net_t)
|
+corenet_udp_bind_generic_node(svirt_qemu_net_t)
|
||||||
+corenet_tcp_sendrecv_all_ports(svirt_qemu_net_t)
|
+corenet_tcp_sendrecv_all_ports(svirt_qemu_net_t)
|
||||||
@ -94354,8 +94404,7 @@ index 1f22fba..924d71c 100644
|
|||||||
+corenet_udp_bind_all_ports(svirt_qemu_net_t)
|
+corenet_udp_bind_all_ports(svirt_qemu_net_t)
|
||||||
+corenet_tcp_bind_all_ports(svirt_qemu_net_t)
|
+corenet_tcp_bind_all_ports(svirt_qemu_net_t)
|
||||||
+corenet_tcp_connect_all_ports(svirt_qemu_net_t)
|
+corenet_tcp_connect_all_ports(svirt_qemu_net_t)
|
||||||
|
+
|
||||||
-allow svirt_prot_exec_t self:process { execmem execstack };
|
|
||||||
+files_read_kernel_modules(svirt_qemu_net_t)
|
+files_read_kernel_modules(svirt_qemu_net_t)
|
||||||
+
|
+
|
||||||
+fs_noxattr_type(svirt_sandbox_file_t)
|
+fs_noxattr_type(svirt_sandbox_file_t)
|
||||||
@ -94387,7 +94436,7 @@ index 1f22fba..924d71c 100644
|
|||||||
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
|
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
|
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
|
||||||
|
|
||||||
@@ -1165,12 +1327,12 @@ dev_read_sysfs(virt_qmf_t)
|
@@ -1165,12 +1344,12 @@ dev_read_sysfs(virt_qmf_t)
|
||||||
dev_read_rand(virt_qmf_t)
|
dev_read_rand(virt_qmf_t)
|
||||||
dev_read_urand(virt_qmf_t)
|
dev_read_urand(virt_qmf_t)
|
||||||
|
|
||||||
@ -94402,7 +94451,7 @@ index 1f22fba..924d71c 100644
|
|||||||
sysnet_read_config(virt_qmf_t)
|
sysnet_read_config(virt_qmf_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -1183,9 +1345,8 @@ optional_policy(`
|
@@ -1183,9 +1362,8 @@ optional_policy(`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -94413,7 +94462,7 @@ index 1f22fba..924d71c 100644
|
|||||||
allow virt_bridgehelper_t self:process { setcap getcap };
|
allow virt_bridgehelper_t self:process { setcap getcap };
|
||||||
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
|
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
|
||||||
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
||||||
@@ -1198,5 +1359,124 @@ kernel_read_network_state(virt_bridgehelper_t)
|
@@ -1198,5 +1376,124 @@ kernel_read_network_state(virt_bridgehelper_t)
|
||||||
|
|
||||||
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
|
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
|
||||||
|
|
||||||
|
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.12.1
|
Version: 3.12.1
|
||||||
Release: 83%{?dist}
|
Release: 84%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -571,6 +571,26 @@ SELinux Reference policy mls base module.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Sep 30 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-84
|
||||||
|
- Fix labeling for /usr/libexec/kde4/kcmdatetimehelper
|
||||||
|
- Allow tuned to search all file system directories
|
||||||
|
- Allow alsa_t to sys_nice, to get top performance for sound management
|
||||||
|
- Add support for MySQL/PostgreSQL for amavis
|
||||||
|
- Allow openvpn_t to manage openvpn_var_log_t files.
|
||||||
|
- Allow dirsrv_t to create tmpfs_t directories
|
||||||
|
- Allow dirsrv to create dirs in /dev/shm with dirsrv_tmpfs label
|
||||||
|
- Dontaudit leaked unix_stream_sockets into gnome keyring
|
||||||
|
- Allow telepathy domains to inhibit pipes on telepathy domains
|
||||||
|
- Allow cloud-init to domtrans to rpm
|
||||||
|
- Allow abrt daemon to manage abrt-watch tmp files
|
||||||
|
- Allow abrt-upload-watcher to search /var/spool directory
|
||||||
|
- Allow nsswitch domains to manage own process key
|
||||||
|
- Fix labeling for mgetty.* logs
|
||||||
|
- Allow systemd to dbus chat with upower
|
||||||
|
- Allow ipsec to send signull to itself
|
||||||
|
- Allow setgid cap for ipsec_t
|
||||||
|
- Match upstream labeling
|
||||||
|
|
||||||
* Wed Sep 25 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-83
|
* Wed Sep 25 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-83
|
||||||
- Do not build sanbox pkg on MLS
|
- Do not build sanbox pkg on MLS
|
||||||
|
|
||||||
|