Rebuild with latest code
This commit is contained in:
Dan Walsh
parent
6f934680a8
commit
dd20c25744
238
policy-F14.patch
238
policy-F14.patch
|
|
@ -858,6 +858,16 @@ index aa0dcc6..0faba2a 100644
|
|||
+ dbus_read_config(prelink_t)
|
||||
+ ')
|
||||
+')
|
||||
diff --git a/policy/modules/admin/readahead.fc b/policy/modules/admin/readahead.fc
|
||||
index 7077413..70edcd6 100644
|
||||
--- a/policy/modules/admin/readahead.fc
|
||||
+++ b/policy/modules/admin/readahead.fc
|
||||
@@ -1,3 +1,5 @@
|
||||
/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
|
||||
/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
|
||||
/var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0)
|
||||
+/lib/systemd/systemd-readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
|
||||
+
|
||||
diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
|
||||
index 2df2f1d..c1aaa79 100644
|
||||
--- a/policy/modules/admin/readahead.te
|
||||
|
|
@ -1545,11 +1555,27 @@ index c368bdc..c927b85 100644
|
|||
+type sudo_db_t;
|
||||
+files_type(sudo_db_t)
|
||||
+
|
||||
diff --git a/policy/modules/admin/tmpreaper.fc b/policy/modules/admin/tmpreaper.fc
|
||||
index 81077db..8208e86 100644
|
||||
--- a/policy/modules/admin/tmpreaper.fc
|
||||
+++ b/policy/modules/admin/tmpreaper.fc
|
||||
@@ -1,2 +1,3 @@
|
||||
/usr/sbin/tmpreaper -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
|
||||
/usr/sbin/tmpwatch -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
|
||||
+/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
|
||||
diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
|
||||
index 6a5004b..50cd538 100644
|
||||
index 6a5004b..c59c3cd 100644
|
||||
--- a/policy/modules/admin/tmpreaper.te
|
||||
+++ b/policy/modules/admin/tmpreaper.te
|
||||
@@ -25,8 +25,11 @@ fs_getattr_xattr_fs(tmpreaper_t)
|
||||
@@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0)
|
||||
|
||||
type tmpreaper_t;
|
||||
type tmpreaper_exec_t;
|
||||
+init_system_domain(tmpreaper_t, tmpreaper_exec_t)
|
||||
application_domain(tmpreaper_t, tmpreaper_exec_t)
|
||||
role system_r types tmpreaper_t;
|
||||
|
||||
@@ -25,8 +26,11 @@ fs_getattr_xattr_fs(tmpreaper_t)
|
||||
files_read_etc_files(tmpreaper_t)
|
||||
files_read_var_lib_files(tmpreaper_t)
|
||||
files_purge_tmp(tmpreaper_t)
|
||||
|
|
@ -1561,7 +1587,7 @@ index 6a5004b..50cd538 100644
|
|||
files_getattr_all_dirs(tmpreaper_t)
|
||||
files_getattr_all_files(tmpreaper_t)
|
||||
|
||||
@@ -52,7 +55,9 @@ optional_policy(`
|
||||
@@ -52,7 +56,9 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -1571,7 +1597,7 @@ index 6a5004b..50cd538 100644
|
|||
apache_delete_cache_files(tmpreaper_t)
|
||||
apache_setattr_cache_dirs(tmpreaper_t)
|
||||
')
|
||||
@@ -66,6 +71,14 @@ optional_policy(`
|
||||
@@ -66,6 +72,14 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -7182,7 +7208,7 @@ index 82842a0..369c3b5 100644
|
|||
dbus_system_bus_client($1_wm_t)
|
||||
dbus_session_bus_client($1_wm_t)
|
||||
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
|
||||
index 0eb1d97..46af2a4 100644
|
||||
index 0eb1d97..303d994 100644
|
||||
--- a/policy/modules/kernel/corecommands.fc
|
||||
+++ b/policy/modules/kernel/corecommands.fc
|
||||
@@ -9,8 +9,11 @@
|
||||
|
|
@ -7216,7 +7242,7 @@ index 0eb1d97..46af2a4 100644
|
|||
/etc/profile.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/xen/qemu-ifup -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/xen/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -109,6 +117,8 @@ ifdef(`distro_debian',`
|
||||
@@ -109,11 +117,14 @@ ifdef(`distro_debian',`
|
||||
/etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0)
|
||||
')
|
||||
|
||||
|
|
@ -7225,7 +7251,13 @@ index 0eb1d97..46af2a4 100644
|
|||
#
|
||||
# /lib
|
||||
#
|
||||
@@ -126,6 +136,8 @@ ifdef(`distro_gentoo',`
|
||||
|
||||
/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
+/lib/udev/devices/MAKEDEV -l gen_context(system_u:object_r:bin_t,s0)
|
||||
/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/lib64/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
@@ -126,6 +137,8 @@ ifdef(`distro_gentoo',`
|
||||
/lib/rcscripts/net\.modules\.d/helpers\.d/dhclient-.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
')
|
||||
|
|
@ -7234,7 +7266,7 @@ index 0eb1d97..46af2a4 100644
|
|||
|
||||
#
|
||||
# /sbin
|
||||
@@ -145,6 +157,12 @@ ifdef(`distro_gentoo',`
|
||||
@@ -145,6 +158,12 @@ ifdef(`distro_gentoo',`
|
||||
|
||||
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
|
|
@ -7247,7 +7279,7 @@ index 0eb1d97..46af2a4 100644
|
|||
ifdef(`distro_gentoo',`
|
||||
/opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -169,6 +187,7 @@ ifdef(`distro_gentoo',`
|
||||
@@ -169,6 +188,7 @@ ifdef(`distro_gentoo',`
|
||||
/usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
|
@ -7255,7 +7287,7 @@ index 0eb1d97..46af2a4 100644
|
|||
/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -205,7 +224,8 @@ ifdef(`distro_gentoo',`
|
||||
@@ -205,7 +225,8 @@ ifdef(`distro_gentoo',`
|
||||
/usr/lib(64)?/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
|
@ -7265,7 +7297,7 @@ index 0eb1d97..46af2a4 100644
|
|||
|
||||
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
@@ -218,8 +238,11 @@ ifdef(`distro_gentoo',`
|
||||
@@ -218,8 +239,11 @@ ifdef(`distro_gentoo',`
|
||||
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
|
||||
|
|
@ -7277,7 +7309,7 @@ index 0eb1d97..46af2a4 100644
|
|||
/usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/denyhosts/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/denyhosts/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -228,6 +251,8 @@ ifdef(`distro_gentoo',`
|
||||
@@ -228,6 +252,8 @@ ifdef(`distro_gentoo',`
|
||||
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
|
@ -7286,7 +7318,7 @@ index 0eb1d97..46af2a4 100644
|
|||
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -314,6 +339,7 @@ ifdef(`distro_redhat', `
|
||||
@@ -314,6 +340,7 @@ ifdef(`distro_redhat', `
|
||||
/usr/share/texmf/web2c/mktexdir -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/texmf/web2c/mktexnam -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/texmf/web2c/mktexupd -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
|
@ -7294,7 +7326,7 @@ index 0eb1d97..46af2a4 100644
|
|||
')
|
||||
|
||||
ifdef(`distro_suse', `
|
||||
@@ -340,3 +366,27 @@ ifdef(`distro_suse', `
|
||||
@@ -340,3 +367,27 @@ ifdef(`distro_suse', `
|
||||
ifdef(`distro_suse',`
|
||||
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
|
||||
')
|
||||
|
|
@ -8987,25 +9019,31 @@ index 07352a5..12e9ecf 100644
|
|||
#Temporarily in policy until FC5 dissappears
|
||||
typealias etc_runtime_t alias firstboot_rw_t;
|
||||
diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
|
||||
index 59bae6a..16f0f9e 100644
|
||||
index 59bae6a..2e55e71 100644
|
||||
--- a/policy/modules/kernel/filesystem.fc
|
||||
+++ b/policy/modules/kernel/filesystem.fc
|
||||
@@ -2,5 +2,10 @@
|
||||
@@ -2,5 +2,16 @@
|
||||
/dev/shm/.* <<none>>
|
||||
|
||||
/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
|
||||
+/cgroup/.* <<none>>
|
||||
|
||||
+/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
|
||||
+/lib/udev/devices/hugepages/.* <<none>>
|
||||
+
|
||||
+/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
|
||||
+/lib/udev/devices/shm/.* <<none>>
|
||||
+
|
||||
+/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
|
||||
/sys/fs/cgroup(/.*)? <<none>>
|
||||
+
|
||||
+/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
|
||||
+/dev/hugepages(/.*)? <<none>>
|
||||
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
|
||||
index 437a42a..51d47a0 100644
|
||||
index 437a42a..c0e1d3a 100644
|
||||
--- a/policy/modules/kernel/filesystem.if
|
||||
+++ b/policy/modules/kernel/filesystem.if
|
||||
@@ -646,6 +646,7 @@ interface(`fs_search_cgroup_dirs',`
|
||||
@@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',`
|
||||
')
|
||||
|
||||
search_dirs_pattern($1, cgroup_t, cgroup_t)
|
||||
|
|
@ -9013,7 +9051,31 @@ index 437a42a..51d47a0 100644
|
|||
dev_search_sysfs($1)
|
||||
')
|
||||
|
||||
@@ -665,6 +666,7 @@ interface(`fs_list_cgroup_dirs', `
|
||||
########################################
|
||||
## <summary>
|
||||
+## Relabelto cgroup directories.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`fs_relabelto_cgroup_dirs',`
|
||||
+ gen_require(`
|
||||
+ type cgroup_t;
|
||||
+
|
||||
+ ')
|
||||
+
|
||||
+ relabelto_dirs_pattern($1, cgroup_t, cgroup_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## list cgroup directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -665,6 +685,7 @@ interface(`fs_list_cgroup_dirs', `
|
||||
')
|
||||
|
||||
list_dirs_pattern($1, cgroup_t, cgroup_t)
|
||||
|
|
@ -9021,7 +9083,7 @@ index 437a42a..51d47a0 100644
|
|||
dev_search_sysfs($1)
|
||||
')
|
||||
|
||||
@@ -684,6 +686,7 @@ interface(`fs_delete_cgroup_dirs', `
|
||||
@@ -684,6 +705,7 @@ interface(`fs_delete_cgroup_dirs', `
|
||||
')
|
||||
|
||||
delete_dirs_pattern($1, cgroup_t, cgroup_t)
|
||||
|
|
@ -9029,7 +9091,7 @@ index 437a42a..51d47a0 100644
|
|||
dev_search_sysfs($1)
|
||||
')
|
||||
|
||||
@@ -704,6 +707,7 @@ interface(`fs_manage_cgroup_dirs',`
|
||||
@@ -704,6 +726,7 @@ interface(`fs_manage_cgroup_dirs',`
|
||||
')
|
||||
|
||||
manage_dirs_pattern($1, cgroup_t, cgroup_t)
|
||||
|
|
@ -9037,7 +9099,7 @@ index 437a42a..51d47a0 100644
|
|||
dev_search_sysfs($1)
|
||||
')
|
||||
|
||||
@@ -724,6 +728,7 @@ interface(`fs_read_cgroup_files',`
|
||||
@@ -724,6 +747,7 @@ interface(`fs_read_cgroup_files',`
|
||||
')
|
||||
|
||||
read_files_pattern($1, cgroup_t, cgroup_t)
|
||||
|
|
@ -9045,7 +9107,7 @@ index 437a42a..51d47a0 100644
|
|||
dev_search_sysfs($1)
|
||||
')
|
||||
|
||||
@@ -743,6 +748,7 @@ interface(`fs_write_cgroup_files', `
|
||||
@@ -743,6 +767,7 @@ interface(`fs_write_cgroup_files', `
|
||||
')
|
||||
|
||||
write_files_pattern($1, cgroup_t, cgroup_t)
|
||||
|
|
@ -9053,7 +9115,7 @@ index 437a42a..51d47a0 100644
|
|||
dev_search_sysfs($1)
|
||||
')
|
||||
|
||||
@@ -763,6 +769,7 @@ interface(`fs_rw_cgroup_files',`
|
||||
@@ -763,6 +788,7 @@ interface(`fs_rw_cgroup_files',`
|
||||
')
|
||||
|
||||
rw_files_pattern($1, cgroup_t, cgroup_t)
|
||||
|
|
@ -9061,7 +9123,7 @@ index 437a42a..51d47a0 100644
|
|||
dev_search_sysfs($1)
|
||||
')
|
||||
|
||||
@@ -803,6 +810,7 @@ interface(`fs_manage_cgroup_files',`
|
||||
@@ -803,6 +829,7 @@ interface(`fs_manage_cgroup_files',`
|
||||
')
|
||||
|
||||
manage_files_pattern($1, cgroup_t, cgroup_t)
|
||||
|
|
@ -9069,7 +9131,7 @@ index 437a42a..51d47a0 100644
|
|||
dev_search_sysfs($1)
|
||||
')
|
||||
|
||||
@@ -1227,6 +1235,24 @@ interface(`fs_dontaudit_append_cifs_files',`
|
||||
@@ -1227,6 +1254,24 @@ interface(`fs_dontaudit_append_cifs_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -9094,7 +9156,7 @@ index 437a42a..51d47a0 100644
|
|||
## Do not audit attempts to read or
|
||||
## write files on a CIFS or SMB filesystem.
|
||||
## </summary>
|
||||
@@ -1241,7 +1267,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
|
||||
@@ -1241,7 +1286,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
|
||||
type cifs_t;
|
||||
')
|
||||
|
||||
|
|
@ -9103,7 +9165,7 @@ index 437a42a..51d47a0 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1504,6 +1530,25 @@ interface(`fs_cifs_domtrans',`
|
||||
@@ -1504,6 +1549,25 @@ interface(`fs_cifs_domtrans',`
|
||||
domain_auto_transition_pattern($1, cifs_t, $2)
|
||||
')
|
||||
|
||||
|
|
@ -9129,7 +9191,7 @@ index 437a42a..51d47a0 100644
|
|||
#######################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete dirs
|
||||
@@ -1931,7 +1976,26 @@ interface(`fs_read_fusefs_symlinks',`
|
||||
@@ -1931,7 +1995,26 @@ interface(`fs_read_fusefs_symlinks',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -9157,7 +9219,7 @@ index 437a42a..51d47a0 100644
|
|||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1946,6 +2010,41 @@ interface(`fs_rw_hugetlbfs_files',`
|
||||
@@ -1946,6 +2029,41 @@ interface(`fs_rw_hugetlbfs_files',`
|
||||
|
||||
rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
|
||||
')
|
||||
|
|
@ -9199,7 +9261,7 @@ index 437a42a..51d47a0 100644
|
|||
|
||||
########################################
|
||||
## <summary>
|
||||
@@ -1999,6 +2098,7 @@ interface(`fs_list_inotifyfs',`
|
||||
@@ -1999,6 +2117,7 @@ interface(`fs_list_inotifyfs',`
|
||||
')
|
||||
|
||||
allow $1 inotifyfs_t:dir list_dir_perms;
|
||||
|
|
@ -9207,7 +9269,7 @@ index 437a42a..51d47a0 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2395,6 +2495,25 @@ interface(`fs_exec_nfs_files',`
|
||||
@@ -2395,6 +2514,25 @@ interface(`fs_exec_nfs_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -9233,7 +9295,7 @@ index 437a42a..51d47a0 100644
|
|||
## Append files
|
||||
## on a NFS filesystem.
|
||||
## </summary>
|
||||
@@ -2435,6 +2554,24 @@ interface(`fs_dontaudit_append_nfs_files',`
|
||||
@@ -2435,6 +2573,24 @@ interface(`fs_dontaudit_append_nfs_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -9258,7 +9320,7 @@ index 437a42a..51d47a0 100644
|
|||
## Do not audit attempts to read or
|
||||
## write files on a NFS filesystem.
|
||||
## </summary>
|
||||
@@ -2449,7 +2586,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
|
||||
@@ -2449,7 +2605,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
|
||||
type nfs_t;
|
||||
')
|
||||
|
||||
|
|
@ -9267,7 +9329,7 @@ index 437a42a..51d47a0 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -2637,6 +2774,24 @@ interface(`fs_dontaudit_read_removable_files',`
|
||||
@@ -2637,6 +2793,24 @@ interface(`fs_dontaudit_read_removable_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -9292,7 +9354,7 @@ index 437a42a..51d47a0 100644
|
|||
## Read removable storage symbolic links.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -2845,7 +3000,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
|
||||
@@ -2845,7 +3019,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
|
||||
#########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete symbolic links
|
||||
|
|
@ -9301,7 +9363,7 @@ index 437a42a..51d47a0 100644
|
|||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -3970,6 +4125,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
|
||||
@@ -3970,6 +4144,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -9322,11 +9384,29 @@ index 437a42a..51d47a0 100644
|
|||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Relabelfrom directory on tmpfs filesystems.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`fs_relabelfrom_tmpfs_dir',`
|
||||
+ gen_require(`
|
||||
+ type tmpfs_t;
|
||||
+ ')
|
||||
+
|
||||
+ relabelfrom_dirs_pattern($1, tmpfs_t, tmpfs_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Relabel character nodes on tmpfs filesystems.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -4662,3 +4835,24 @@ interface(`fs_unconfined',`
|
||||
@@ -4662,3 +4872,24 @@ interface(`fs_unconfined',`
|
||||
|
||||
typeattribute $1 filesystem_unconfined_type;
|
||||
')
|
||||
|
|
@ -9807,6 +9887,16 @@ index 3723150..bde6daa 100644
|
|||
allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
|
||||
dev_add_entry_generic_dirs($1)
|
||||
')
|
||||
diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
|
||||
index 3994e57..ee146ae 100644
|
||||
--- a/policy/modules/kernel/terminal.fc
|
||||
+++ b/policy/modules/kernel/terminal.fc
|
||||
@@ -40,3 +40,5 @@ ifdef(`distro_gentoo',`
|
||||
# used by init scripts to initally populate udev /dev
|
||||
/lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0)
|
||||
')
|
||||
+
|
||||
+/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
|
||||
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
|
||||
index 492bf76..87a6942 100644
|
||||
--- a/policy/modules/kernel/terminal.if
|
||||
|
|
@ -38623,7 +38713,7 @@ index 8419a01..5865dba 100644
|
|||
+ allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
|
||||
+')
|
||||
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
||||
index 698c11e..e90e509 100644
|
||||
index 698c11e..d92e0c3 100644
|
||||
--- a/policy/modules/system/init.te
|
||||
+++ b/policy/modules/system/init.te
|
||||
@@ -16,6 +16,27 @@ gen_require(`
|
||||
|
|
@ -38713,7 +38803,7 @@ index 698c11e..e90e509 100644
|
|||
# Early devtmpfs
|
||||
dev_rw_generic_chr_files(init_t)
|
||||
|
||||
@@ -127,9 +154,12 @@ domain_kill_all_domains(init_t)
|
||||
@@ -127,9 +154,13 @@ domain_kill_all_domains(init_t)
|
||||
domain_signal_all_domains(init_t)
|
||||
domain_signull_all_domains(init_t)
|
||||
domain_sigstop_all_domains(init_t)
|
||||
|
|
@ -38723,10 +38813,11 @@ index 698c11e..e90e509 100644
|
|||
|
||||
files_read_etc_files(init_t)
|
||||
+files_read_all_pids(init_t)
|
||||
+files_read_system_conf_files(init_t)
|
||||
files_rw_generic_pids(init_t)
|
||||
files_dontaudit_search_isid_type_dirs(init_t)
|
||||
files_manage_etc_runtime_files(init_t)
|
||||
@@ -162,12 +192,15 @@ init_domtrans_script(init_t)
|
||||
@@ -162,12 +193,15 @@ init_domtrans_script(init_t)
|
||||
libs_rw_ld_so_cache(init_t)
|
||||
|
||||
logging_send_syslog_msg(init_t)
|
||||
|
|
@ -38742,7 +38833,7 @@ index 698c11e..e90e509 100644
|
|||
ifdef(`distro_gentoo',`
|
||||
allow init_t self:process { getcap setcap };
|
||||
')
|
||||
@@ -178,7 +211,7 @@ ifdef(`distro_redhat',`
|
||||
@@ -178,7 +212,7 @@ ifdef(`distro_redhat',`
|
||||
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
|
||||
')
|
||||
|
||||
|
|
@ -38751,7 +38842,7 @@ index 698c11e..e90e509 100644
|
|||
corecmd_shell_domtrans(init_t, initrc_t)
|
||||
',`
|
||||
# Run the shell in the sysadm role for single-user mode.
|
||||
@@ -186,12 +219,74 @@ tunable_policy(`init_upstart',`
|
||||
@@ -186,12 +220,79 @@ tunable_policy(`init_upstart',`
|
||||
sysadm_shell_domtrans(init_t)
|
||||
')
|
||||
|
||||
|
|
@ -38769,6 +38860,8 @@ index 698c11e..e90e509 100644
|
|||
+
|
||||
+ kernel_list_unlabeled(init_t)
|
||||
+ kernel_read_network_state(init_t)
|
||||
+ kernel_rw_kernel_sysctl(init_t)
|
||||
+ kernel_read_all_sysctls(init_t)
|
||||
+ kernel_unmount_debugfs(init_t)
|
||||
+
|
||||
+ dev_write_kmsg(init_t)
|
||||
|
|
@ -38782,14 +38875,17 @@ index 698c11e..e90e509 100644
|
|||
+
|
||||
+ files_mounton_all_mountpoints(init_t)
|
||||
+ files_manage_all_pids_dirs(init_t)
|
||||
+ files_manage_urandom_seed(init_t)
|
||||
+
|
||||
+ fs_manage_cgroup_dirs(init_t)
|
||||
+ fs_manage_hugetlbfs_dirs(init_t)
|
||||
+ fs_manage_tmpfs_dirs(init_t)
|
||||
+ fs_relabelfrom_tmpfs_dir(init_t)
|
||||
+ fs_mount_all_fs(init_t)
|
||||
+ fs_list_auto_mountpoints(init_t)
|
||||
+ fs_read_cgroup_files(init_t)
|
||||
+ fs_write_cgroup_files(init_t)
|
||||
+ fs_relabelto_cgroup_dirs(init_t)
|
||||
+ fs_search_cgroup_dirs(daemon)
|
||||
+
|
||||
+ selinux_compute_create_context(init_t)
|
||||
|
|
@ -38826,7 +38922,7 @@ index 698c11e..e90e509 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -199,10 +294,19 @@ optional_policy(`
|
||||
@@ -199,10 +300,19 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38846,7 +38942,7 @@ index 698c11e..e90e509 100644
|
|||
unconfined_domain(init_t)
|
||||
')
|
||||
|
||||
@@ -212,7 +316,7 @@ optional_policy(`
|
||||
@@ -212,7 +322,7 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
|
||||
|
|
@ -38855,7 +38951,7 @@ index 698c11e..e90e509 100644
|
|||
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
|
||||
allow initrc_t self:passwd rootok;
|
||||
allow initrc_t self:key manage_key_perms;
|
||||
@@ -241,6 +345,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
||||
@@ -241,6 +351,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
||||
|
||||
allow initrc_t initrc_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
|
||||
|
|
@ -38863,7 +38959,7 @@ index 698c11e..e90e509 100644
|
|||
|
||||
can_exec(initrc_t, initrc_tmp_t)
|
||||
manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
|
||||
@@ -258,11 +363,23 @@ kernel_change_ring_buffer_level(initrc_t)
|
||||
@@ -258,11 +369,23 @@ kernel_change_ring_buffer_level(initrc_t)
|
||||
kernel_clear_ring_buffer(initrc_t)
|
||||
kernel_get_sysvipc_info(initrc_t)
|
||||
kernel_read_all_sysctls(initrc_t)
|
||||
|
|
@ -38887,7 +38983,7 @@ index 698c11e..e90e509 100644
|
|||
|
||||
corecmd_exec_all_executables(initrc_t)
|
||||
|
||||
@@ -291,6 +408,7 @@ dev_read_sound_mixer(initrc_t)
|
||||
@@ -291,6 +414,7 @@ dev_read_sound_mixer(initrc_t)
|
||||
dev_write_sound_mixer(initrc_t)
|
||||
dev_setattr_all_chr_files(initrc_t)
|
||||
dev_rw_lvm_control(initrc_t)
|
||||
|
|
@ -38895,7 +38991,7 @@ index 698c11e..e90e509 100644
|
|||
dev_delete_lvm_control_dev(initrc_t)
|
||||
dev_manage_generic_symlinks(initrc_t)
|
||||
dev_manage_generic_files(initrc_t)
|
||||
@@ -298,13 +416,13 @@ dev_manage_generic_files(initrc_t)
|
||||
@@ -298,13 +422,13 @@ dev_manage_generic_files(initrc_t)
|
||||
dev_delete_generic_symlinks(initrc_t)
|
||||
dev_getattr_all_blk_files(initrc_t)
|
||||
dev_getattr_all_chr_files(initrc_t)
|
||||
|
|
@ -38911,7 +39007,7 @@ index 698c11e..e90e509 100644
|
|||
domain_sigchld_all_domains(initrc_t)
|
||||
domain_read_all_domains_state(initrc_t)
|
||||
domain_getattr_all_domains(initrc_t)
|
||||
@@ -323,8 +441,10 @@ files_getattr_all_symlinks(initrc_t)
|
||||
@@ -323,8 +447,10 @@ files_getattr_all_symlinks(initrc_t)
|
||||
files_getattr_all_pipes(initrc_t)
|
||||
files_getattr_all_sockets(initrc_t)
|
||||
files_purge_tmp(initrc_t)
|
||||
|
|
@ -38923,7 +39019,7 @@ index 698c11e..e90e509 100644
|
|||
files_delete_all_pids(initrc_t)
|
||||
files_delete_all_pid_dirs(initrc_t)
|
||||
files_read_etc_files(initrc_t)
|
||||
@@ -340,8 +460,12 @@ files_list_isid_type_dirs(initrc_t)
|
||||
@@ -340,8 +466,12 @@ files_list_isid_type_dirs(initrc_t)
|
||||
files_mounton_isid_type_dirs(initrc_t)
|
||||
files_list_default(initrc_t)
|
||||
files_mounton_default(initrc_t)
|
||||
|
|
@ -38937,7 +39033,7 @@ index 698c11e..e90e509 100644
|
|||
fs_list_inotifyfs(initrc_t)
|
||||
fs_register_binary_executable_type(initrc_t)
|
||||
# rhgb-console writes to ramfs
|
||||
@@ -351,6 +475,8 @@ fs_mount_all_fs(initrc_t)
|
||||
@@ -351,6 +481,8 @@ fs_mount_all_fs(initrc_t)
|
||||
fs_unmount_all_fs(initrc_t)
|
||||
fs_remount_all_fs(initrc_t)
|
||||
fs_getattr_all_fs(initrc_t)
|
||||
|
|
@ -38946,7 +39042,7 @@ index 698c11e..e90e509 100644
|
|||
|
||||
# initrc_t needs to do a pidof which requires ptrace
|
||||
mcs_ptrace_all(initrc_t)
|
||||
@@ -363,6 +489,7 @@ mls_process_read_up(initrc_t)
|
||||
@@ -363,6 +495,7 @@ mls_process_read_up(initrc_t)
|
||||
mls_process_write_down(initrc_t)
|
||||
mls_rangetrans_source(initrc_t)
|
||||
mls_fd_share_all_levels(initrc_t)
|
||||
|
|
@ -38954,7 +39050,7 @@ index 698c11e..e90e509 100644
|
|||
|
||||
selinux_get_enforce_mode(initrc_t)
|
||||
|
||||
@@ -380,6 +507,7 @@ auth_read_pam_pid(initrc_t)
|
||||
@@ -380,6 +513,7 @@ auth_read_pam_pid(initrc_t)
|
||||
auth_delete_pam_pid(initrc_t)
|
||||
auth_delete_pam_console_data(initrc_t)
|
||||
auth_use_nsswitch(initrc_t)
|
||||
|
|
@ -38962,7 +39058,7 @@ index 698c11e..e90e509 100644
|
|||
|
||||
libs_rw_ld_so_cache(initrc_t)
|
||||
libs_exec_lib_files(initrc_t)
|
||||
@@ -394,13 +522,14 @@ logging_read_audit_config(initrc_t)
|
||||
@@ -394,13 +528,14 @@ logging_read_audit_config(initrc_t)
|
||||
|
||||
miscfiles_read_localization(initrc_t)
|
||||
# slapd needs to read cert files from its initscript
|
||||
|
|
@ -38978,7 +39074,7 @@ index 698c11e..e90e509 100644
|
|||
userdom_read_user_home_content_files(initrc_t)
|
||||
# Allow access to the sysadm TTYs. Note that this will give access to the
|
||||
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
|
||||
@@ -473,7 +602,7 @@ ifdef(`distro_redhat',`
|
||||
@@ -473,7 +608,7 @@ ifdef(`distro_redhat',`
|
||||
|
||||
# Red Hat systems seem to have a stray
|
||||
# fd open from the initrd
|
||||
|
|
@ -38987,7 +39083,7 @@ index 698c11e..e90e509 100644
|
|||
files_dontaudit_read_root_files(initrc_t)
|
||||
|
||||
# These seem to be from the initrd
|
||||
@@ -519,6 +648,19 @@ ifdef(`distro_redhat',`
|
||||
@@ -519,6 +654,19 @@ ifdef(`distro_redhat',`
|
||||
optional_policy(`
|
||||
bind_manage_config_dirs(initrc_t)
|
||||
bind_write_config(initrc_t)
|
||||
|
|
@ -39007,7 +39103,7 @@ index 698c11e..e90e509 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -526,10 +668,17 @@ ifdef(`distro_redhat',`
|
||||
@@ -526,10 +674,17 @@ ifdef(`distro_redhat',`
|
||||
rpc_write_exports(initrc_t)
|
||||
rpc_manage_nfs_state_data(initrc_t)
|
||||
')
|
||||
|
|
@ -39025,7 +39121,7 @@ index 698c11e..e90e509 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -544,6 +693,35 @@ ifdef(`distro_suse',`
|
||||
@@ -544,6 +699,35 @@ ifdef(`distro_suse',`
|
||||
')
|
||||
')
|
||||
|
||||
|
|
@ -39061,7 +39157,7 @@ index 698c11e..e90e509 100644
|
|||
optional_policy(`
|
||||
amavis_search_lib(initrc_t)
|
||||
amavis_setattr_pid_files(initrc_t)
|
||||
@@ -556,6 +734,8 @@ optional_policy(`
|
||||
@@ -556,6 +740,8 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
apache_read_config(initrc_t)
|
||||
apache_list_modules(initrc_t)
|
||||
|
|
@ -39070,7 +39166,7 @@ index 698c11e..e90e509 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -572,6 +752,7 @@ optional_policy(`
|
||||
@@ -572,6 +758,7 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
cgroup_stream_connect_cgred(initrc_t)
|
||||
|
|
@ -39078,7 +39174,7 @@ index 698c11e..e90e509 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -584,6 +765,11 @@ optional_policy(`
|
||||
@@ -584,6 +771,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -39090,7 +39186,7 @@ index 698c11e..e90e509 100644
|
|||
dev_getattr_printer_dev(initrc_t)
|
||||
|
||||
cups_read_log(initrc_t)
|
||||
@@ -600,6 +786,9 @@ optional_policy(`
|
||||
@@ -600,6 +792,9 @@ optional_policy(`
|
||||
dbus_connect_system_bus(initrc_t)
|
||||
dbus_system_bus_client(initrc_t)
|
||||
dbus_read_config(initrc_t)
|
||||
|
|
@ -39100,7 +39196,7 @@ index 698c11e..e90e509 100644
|
|||
|
||||
optional_policy(`
|
||||
consolekit_dbus_chat(initrc_t)
|
||||
@@ -701,7 +890,13 @@ optional_policy(`
|
||||
@@ -701,7 +896,13 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -39114,7 +39210,7 @@ index 698c11e..e90e509 100644
|
|||
mta_dontaudit_read_spool_symlinks(initrc_t)
|
||||
')
|
||||
|
||||
@@ -724,6 +919,10 @@ optional_policy(`
|
||||
@@ -724,6 +925,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -39125,7 +39221,7 @@ index 698c11e..e90e509 100644
|
|||
postgresql_manage_db(initrc_t)
|
||||
postgresql_read_config(initrc_t)
|
||||
')
|
||||
@@ -745,6 +944,10 @@ optional_policy(`
|
||||
@@ -745,6 +950,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -39136,7 +39232,7 @@ index 698c11e..e90e509 100644
|
|||
fs_write_ramfs_sockets(initrc_t)
|
||||
fs_search_ramfs(initrc_t)
|
||||
|
||||
@@ -766,8 +969,6 @@ optional_policy(`
|
||||
@@ -766,8 +975,6 @@ optional_policy(`
|
||||
# bash tries ioctl for some reason
|
||||
files_dontaudit_ioctl_all_pids(initrc_t)
|
||||
|
||||
|
|
@ -39145,7 +39241,7 @@ index 698c11e..e90e509 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -776,14 +977,21 @@ optional_policy(`
|
||||
@@ -776,14 +983,21 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -39167,7 +39263,7 @@ index 698c11e..e90e509 100644
|
|||
|
||||
optional_policy(`
|
||||
ssh_dontaudit_read_server_keys(initrc_t)
|
||||
@@ -805,11 +1013,19 @@ optional_policy(`
|
||||
@@ -805,11 +1019,19 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -39188,7 +39284,7 @@ index 698c11e..e90e509 100644
|
|||
|
||||
ifdef(`distro_redhat',`
|
||||
# system-config-services causes avc messages that should be dontaudited
|
||||
@@ -819,6 +1035,25 @@ optional_policy(`
|
||||
@@ -819,6 +1041,25 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
mono_domtrans(initrc_t)
|
||||
')
|
||||
|
|
@ -39214,7 +39310,7 @@ index 698c11e..e90e509 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -844,3 +1079,55 @@ optional_policy(`
|
||||
@@ -844,3 +1085,55 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
zebra_read_config(initrc_t)
|
||||
')
|
||||
|
|
|
|||
|
|
@ -21,7 +21,7 @@
|
|||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.9.6
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
|
|
@ -470,6 +470,12 @@ exit 0
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
|
||||
* Fri Oct 8 2010 Dan Walsh <dwalsh@redhat.com> 3.9.6-2
|
||||
- Lots of fixes for systemd
|
||||
- systemd now executes readahead and tmpwatch type scripts
|
||||
- Needs to manage random seed
|
||||
|
||||
* Thu Oct 7 2010 Dan Walsh <dwalsh@redhat.com> 3.9.6-1
|
||||
- Allow smbd to use sys_admin
|
||||
- Remove duplicate file context for tcfmgr
|
||||
|
|
|
|||
Loading…
Reference in New Issue