Rebuild with latest code
This commit is contained in:
parent
6f934680a8
commit
dd20c25744
238
policy-F14.patch
238
policy-F14.patch
@ -858,6 +858,16 @@ index aa0dcc6..0faba2a 100644
|
|||||||
+ dbus_read_config(prelink_t)
|
+ dbus_read_config(prelink_t)
|
||||||
+ ')
|
+ ')
|
||||||
+')
|
+')
|
||||||
|
diff --git a/policy/modules/admin/readahead.fc b/policy/modules/admin/readahead.fc
|
||||||
|
index 7077413..70edcd6 100644
|
||||||
|
--- a/policy/modules/admin/readahead.fc
|
||||||
|
+++ b/policy/modules/admin/readahead.fc
|
||||||
|
@@ -1,3 +1,5 @@
|
||||||
|
/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
|
||||||
|
/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
|
||||||
|
/var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0)
|
||||||
|
+/lib/systemd/systemd-readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
|
||||||
|
+
|
||||||
diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
|
diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
|
||||||
index 2df2f1d..c1aaa79 100644
|
index 2df2f1d..c1aaa79 100644
|
||||||
--- a/policy/modules/admin/readahead.te
|
--- a/policy/modules/admin/readahead.te
|
||||||
@ -1545,11 +1555,27 @@ index c368bdc..c927b85 100644
|
|||||||
+type sudo_db_t;
|
+type sudo_db_t;
|
||||||
+files_type(sudo_db_t)
|
+files_type(sudo_db_t)
|
||||||
+
|
+
|
||||||
|
diff --git a/policy/modules/admin/tmpreaper.fc b/policy/modules/admin/tmpreaper.fc
|
||||||
|
index 81077db..8208e86 100644
|
||||||
|
--- a/policy/modules/admin/tmpreaper.fc
|
||||||
|
+++ b/policy/modules/admin/tmpreaper.fc
|
||||||
|
@@ -1,2 +1,3 @@
|
||||||
|
/usr/sbin/tmpreaper -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
|
||||||
|
/usr/sbin/tmpwatch -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
|
||||||
|
+/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
|
||||||
diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
|
diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
|
||||||
index 6a5004b..50cd538 100644
|
index 6a5004b..c59c3cd 100644
|
||||||
--- a/policy/modules/admin/tmpreaper.te
|
--- a/policy/modules/admin/tmpreaper.te
|
||||||
+++ b/policy/modules/admin/tmpreaper.te
|
+++ b/policy/modules/admin/tmpreaper.te
|
||||||
@@ -25,8 +25,11 @@ fs_getattr_xattr_fs(tmpreaper_t)
|
@@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0)
|
||||||
|
|
||||||
|
type tmpreaper_t;
|
||||||
|
type tmpreaper_exec_t;
|
||||||
|
+init_system_domain(tmpreaper_t, tmpreaper_exec_t)
|
||||||
|
application_domain(tmpreaper_t, tmpreaper_exec_t)
|
||||||
|
role system_r types tmpreaper_t;
|
||||||
|
|
||||||
|
@@ -25,8 +26,11 @@ fs_getattr_xattr_fs(tmpreaper_t)
|
||||||
files_read_etc_files(tmpreaper_t)
|
files_read_etc_files(tmpreaper_t)
|
||||||
files_read_var_lib_files(tmpreaper_t)
|
files_read_var_lib_files(tmpreaper_t)
|
||||||
files_purge_tmp(tmpreaper_t)
|
files_purge_tmp(tmpreaper_t)
|
||||||
@ -1561,7 +1587,7 @@ index 6a5004b..50cd538 100644
|
|||||||
files_getattr_all_dirs(tmpreaper_t)
|
files_getattr_all_dirs(tmpreaper_t)
|
||||||
files_getattr_all_files(tmpreaper_t)
|
files_getattr_all_files(tmpreaper_t)
|
||||||
|
|
||||||
@@ -52,7 +55,9 @@ optional_policy(`
|
@@ -52,7 +56,9 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -1571,7 +1597,7 @@ index 6a5004b..50cd538 100644
|
|||||||
apache_delete_cache_files(tmpreaper_t)
|
apache_delete_cache_files(tmpreaper_t)
|
||||||
apache_setattr_cache_dirs(tmpreaper_t)
|
apache_setattr_cache_dirs(tmpreaper_t)
|
||||||
')
|
')
|
||||||
@@ -66,6 +71,14 @@ optional_policy(`
|
@@ -66,6 +72,14 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -7182,7 +7208,7 @@ index 82842a0..369c3b5 100644
|
|||||||
dbus_system_bus_client($1_wm_t)
|
dbus_system_bus_client($1_wm_t)
|
||||||
dbus_session_bus_client($1_wm_t)
|
dbus_session_bus_client($1_wm_t)
|
||||||
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
|
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
|
||||||
index 0eb1d97..46af2a4 100644
|
index 0eb1d97..303d994 100644
|
||||||
--- a/policy/modules/kernel/corecommands.fc
|
--- a/policy/modules/kernel/corecommands.fc
|
||||||
+++ b/policy/modules/kernel/corecommands.fc
|
+++ b/policy/modules/kernel/corecommands.fc
|
||||||
@@ -9,8 +9,11 @@
|
@@ -9,8 +9,11 @@
|
||||||
@ -7216,7 +7242,7 @@ index 0eb1d97..46af2a4 100644
|
|||||||
/etc/profile.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/etc/profile.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
/etc/xen/qemu-ifup -- gen_context(system_u:object_r:bin_t,s0)
|
/etc/xen/qemu-ifup -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/etc/xen/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/etc/xen/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
@@ -109,6 +117,8 @@ ifdef(`distro_debian',`
|
@@ -109,11 +117,14 @@ ifdef(`distro_debian',`
|
||||||
/etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0)
|
/etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -7225,7 +7251,13 @@ index 0eb1d97..46af2a4 100644
|
|||||||
#
|
#
|
||||||
# /lib
|
# /lib
|
||||||
#
|
#
|
||||||
@@ -126,6 +136,8 @@ ifdef(`distro_gentoo',`
|
|
||||||
|
/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
+/lib/udev/devices/MAKEDEV -l gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
/lib64/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
|
||||||
|
@@ -126,6 +137,8 @@ ifdef(`distro_gentoo',`
|
||||||
/lib/rcscripts/net\.modules\.d/helpers\.d/dhclient-.* -- gen_context(system_u:object_r:bin_t,s0)
|
/lib/rcscripts/net\.modules\.d/helpers\.d/dhclient-.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
|
/lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
')
|
')
|
||||||
@ -7234,7 +7266,7 @@ index 0eb1d97..46af2a4 100644
|
|||||||
|
|
||||||
#
|
#
|
||||||
# /sbin
|
# /sbin
|
||||||
@@ -145,6 +157,12 @@ ifdef(`distro_gentoo',`
|
@@ -145,6 +158,12 @@ ifdef(`distro_gentoo',`
|
||||||
|
|
||||||
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
|
||||||
@ -7247,7 +7279,7 @@ index 0eb1d97..46af2a4 100644
|
|||||||
ifdef(`distro_gentoo',`
|
ifdef(`distro_gentoo',`
|
||||||
/opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0)
|
/opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
/opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
@@ -169,6 +187,7 @@ ifdef(`distro_gentoo',`
|
@@ -169,6 +188,7 @@ ifdef(`distro_gentoo',`
|
||||||
/usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
@ -7255,7 +7287,7 @@ index 0eb1d97..46af2a4 100644
|
|||||||
/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
@@ -205,7 +224,8 @@ ifdef(`distro_gentoo',`
|
@@ -205,7 +225,8 @@ ifdef(`distro_gentoo',`
|
||||||
/usr/lib(64)?/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/usr/lib(64)?/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
|
||||||
/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
@ -7265,7 +7297,7 @@ index 0eb1d97..46af2a4 100644
|
|||||||
|
|
||||||
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
|
||||||
@@ -218,8 +238,11 @@ ifdef(`distro_gentoo',`
|
@@ -218,8 +239,11 @@ ifdef(`distro_gentoo',`
|
||||||
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||||
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||||
|
|
||||||
@ -7277,7 +7309,7 @@ index 0eb1d97..46af2a4 100644
|
|||||||
/usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/denyhosts/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/denyhosts/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/denyhosts/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/denyhosts/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
@@ -228,6 +251,8 @@ ifdef(`distro_gentoo',`
|
@@ -228,6 +252,8 @@ ifdef(`distro_gentoo',`
|
||||||
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
@ -7286,7 +7318,7 @@ index 0eb1d97..46af2a4 100644
|
|||||||
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
@@ -314,6 +339,7 @@ ifdef(`distro_redhat', `
|
@@ -314,6 +340,7 @@ ifdef(`distro_redhat', `
|
||||||
/usr/share/texmf/web2c/mktexdir -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/texmf/web2c/mktexdir -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/texmf/web2c/mktexnam -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/texmf/web2c/mktexnam -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/texmf/web2c/mktexupd -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/texmf/web2c/mktexupd -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
@ -7294,7 +7326,7 @@ index 0eb1d97..46af2a4 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`distro_suse', `
|
ifdef(`distro_suse', `
|
||||||
@@ -340,3 +366,27 @@ ifdef(`distro_suse', `
|
@@ -340,3 +367,27 @@ ifdef(`distro_suse', `
|
||||||
ifdef(`distro_suse',`
|
ifdef(`distro_suse',`
|
||||||
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
|
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
|
||||||
')
|
')
|
||||||
@ -8987,25 +9019,31 @@ index 07352a5..12e9ecf 100644
|
|||||||
#Temporarily in policy until FC5 dissappears
|
#Temporarily in policy until FC5 dissappears
|
||||||
typealias etc_runtime_t alias firstboot_rw_t;
|
typealias etc_runtime_t alias firstboot_rw_t;
|
||||||
diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
|
diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
|
||||||
index 59bae6a..16f0f9e 100644
|
index 59bae6a..2e55e71 100644
|
||||||
--- a/policy/modules/kernel/filesystem.fc
|
--- a/policy/modules/kernel/filesystem.fc
|
||||||
+++ b/policy/modules/kernel/filesystem.fc
|
+++ b/policy/modules/kernel/filesystem.fc
|
||||||
@@ -2,5 +2,10 @@
|
@@ -2,5 +2,16 @@
|
||||||
/dev/shm/.* <<none>>
|
/dev/shm/.* <<none>>
|
||||||
|
|
||||||
/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
|
/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
|
||||||
+/cgroup/.* <<none>>
|
+/cgroup/.* <<none>>
|
||||||
|
|
||||||
|
+/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
|
||||||
|
+/lib/udev/devices/hugepages/.* <<none>>
|
||||||
|
+
|
||||||
|
+/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
|
||||||
|
+/lib/udev/devices/shm/.* <<none>>
|
||||||
|
+
|
||||||
+/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
|
+/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
|
||||||
/sys/fs/cgroup(/.*)? <<none>>
|
/sys/fs/cgroup(/.*)? <<none>>
|
||||||
+
|
+
|
||||||
+/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
|
+/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
|
||||||
+/dev/hugepages(/.*)? <<none>>
|
+/dev/hugepages(/.*)? <<none>>
|
||||||
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
|
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
|
||||||
index 437a42a..51d47a0 100644
|
index 437a42a..c0e1d3a 100644
|
||||||
--- a/policy/modules/kernel/filesystem.if
|
--- a/policy/modules/kernel/filesystem.if
|
||||||
+++ b/policy/modules/kernel/filesystem.if
|
+++ b/policy/modules/kernel/filesystem.if
|
||||||
@@ -646,6 +646,7 @@ interface(`fs_search_cgroup_dirs',`
|
@@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',`
|
||||||
')
|
')
|
||||||
|
|
||||||
search_dirs_pattern($1, cgroup_t, cgroup_t)
|
search_dirs_pattern($1, cgroup_t, cgroup_t)
|
||||||
@ -9013,7 +9051,31 @@ index 437a42a..51d47a0 100644
|
|||||||
dev_search_sysfs($1)
|
dev_search_sysfs($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -665,6 +666,7 @@ interface(`fs_list_cgroup_dirs', `
|
########################################
|
||||||
|
## <summary>
|
||||||
|
+## Relabelto cgroup directories.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`fs_relabelto_cgroup_dirs',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type cgroup_t;
|
||||||
|
+
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ relabelto_dirs_pattern($1, cgroup_t, cgroup_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
## list cgroup directories.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
@@ -665,6 +685,7 @@ interface(`fs_list_cgroup_dirs', `
|
||||||
')
|
')
|
||||||
|
|
||||||
list_dirs_pattern($1, cgroup_t, cgroup_t)
|
list_dirs_pattern($1, cgroup_t, cgroup_t)
|
||||||
@ -9021,7 +9083,7 @@ index 437a42a..51d47a0 100644
|
|||||||
dev_search_sysfs($1)
|
dev_search_sysfs($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -684,6 +686,7 @@ interface(`fs_delete_cgroup_dirs', `
|
@@ -684,6 +705,7 @@ interface(`fs_delete_cgroup_dirs', `
|
||||||
')
|
')
|
||||||
|
|
||||||
delete_dirs_pattern($1, cgroup_t, cgroup_t)
|
delete_dirs_pattern($1, cgroup_t, cgroup_t)
|
||||||
@ -9029,7 +9091,7 @@ index 437a42a..51d47a0 100644
|
|||||||
dev_search_sysfs($1)
|
dev_search_sysfs($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -704,6 +707,7 @@ interface(`fs_manage_cgroup_dirs',`
|
@@ -704,6 +726,7 @@ interface(`fs_manage_cgroup_dirs',`
|
||||||
')
|
')
|
||||||
|
|
||||||
manage_dirs_pattern($1, cgroup_t, cgroup_t)
|
manage_dirs_pattern($1, cgroup_t, cgroup_t)
|
||||||
@ -9037,7 +9099,7 @@ index 437a42a..51d47a0 100644
|
|||||||
dev_search_sysfs($1)
|
dev_search_sysfs($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -724,6 +728,7 @@ interface(`fs_read_cgroup_files',`
|
@@ -724,6 +747,7 @@ interface(`fs_read_cgroup_files',`
|
||||||
')
|
')
|
||||||
|
|
||||||
read_files_pattern($1, cgroup_t, cgroup_t)
|
read_files_pattern($1, cgroup_t, cgroup_t)
|
||||||
@ -9045,7 +9107,7 @@ index 437a42a..51d47a0 100644
|
|||||||
dev_search_sysfs($1)
|
dev_search_sysfs($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -743,6 +748,7 @@ interface(`fs_write_cgroup_files', `
|
@@ -743,6 +767,7 @@ interface(`fs_write_cgroup_files', `
|
||||||
')
|
')
|
||||||
|
|
||||||
write_files_pattern($1, cgroup_t, cgroup_t)
|
write_files_pattern($1, cgroup_t, cgroup_t)
|
||||||
@ -9053,7 +9115,7 @@ index 437a42a..51d47a0 100644
|
|||||||
dev_search_sysfs($1)
|
dev_search_sysfs($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -763,6 +769,7 @@ interface(`fs_rw_cgroup_files',`
|
@@ -763,6 +788,7 @@ interface(`fs_rw_cgroup_files',`
|
||||||
')
|
')
|
||||||
|
|
||||||
rw_files_pattern($1, cgroup_t, cgroup_t)
|
rw_files_pattern($1, cgroup_t, cgroup_t)
|
||||||
@ -9061,7 +9123,7 @@ index 437a42a..51d47a0 100644
|
|||||||
dev_search_sysfs($1)
|
dev_search_sysfs($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -803,6 +810,7 @@ interface(`fs_manage_cgroup_files',`
|
@@ -803,6 +829,7 @@ interface(`fs_manage_cgroup_files',`
|
||||||
')
|
')
|
||||||
|
|
||||||
manage_files_pattern($1, cgroup_t, cgroup_t)
|
manage_files_pattern($1, cgroup_t, cgroup_t)
|
||||||
@ -9069,7 +9131,7 @@ index 437a42a..51d47a0 100644
|
|||||||
dev_search_sysfs($1)
|
dev_search_sysfs($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -1227,6 +1235,24 @@ interface(`fs_dontaudit_append_cifs_files',`
|
@@ -1227,6 +1254,24 @@ interface(`fs_dontaudit_append_cifs_files',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -9094,7 +9156,7 @@ index 437a42a..51d47a0 100644
|
|||||||
## Do not audit attempts to read or
|
## Do not audit attempts to read or
|
||||||
## write files on a CIFS or SMB filesystem.
|
## write files on a CIFS or SMB filesystem.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -1241,7 +1267,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
|
@@ -1241,7 +1286,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
|
||||||
type cifs_t;
|
type cifs_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -9103,7 +9165,7 @@ index 437a42a..51d47a0 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1504,6 +1530,25 @@ interface(`fs_cifs_domtrans',`
|
@@ -1504,6 +1549,25 @@ interface(`fs_cifs_domtrans',`
|
||||||
domain_auto_transition_pattern($1, cifs_t, $2)
|
domain_auto_transition_pattern($1, cifs_t, $2)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -9129,7 +9191,7 @@ index 437a42a..51d47a0 100644
|
|||||||
#######################################
|
#######################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Create, read, write, and delete dirs
|
## Create, read, write, and delete dirs
|
||||||
@@ -1931,7 +1976,26 @@ interface(`fs_read_fusefs_symlinks',`
|
@@ -1931,7 +1995,26 @@ interface(`fs_read_fusefs_symlinks',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -9157,7 +9219,7 @@ index 437a42a..51d47a0 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -1946,6 +2010,41 @@ interface(`fs_rw_hugetlbfs_files',`
|
@@ -1946,6 +2029,41 @@ interface(`fs_rw_hugetlbfs_files',`
|
||||||
|
|
||||||
rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
|
rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
|
||||||
')
|
')
|
||||||
@ -9199,7 +9261,7 @@ index 437a42a..51d47a0 100644
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -1999,6 +2098,7 @@ interface(`fs_list_inotifyfs',`
|
@@ -1999,6 +2117,7 @@ interface(`fs_list_inotifyfs',`
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 inotifyfs_t:dir list_dir_perms;
|
allow $1 inotifyfs_t:dir list_dir_perms;
|
||||||
@ -9207,7 +9269,7 @@ index 437a42a..51d47a0 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2395,6 +2495,25 @@ interface(`fs_exec_nfs_files',`
|
@@ -2395,6 +2514,25 @@ interface(`fs_exec_nfs_files',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -9233,7 +9295,7 @@ index 437a42a..51d47a0 100644
|
|||||||
## Append files
|
## Append files
|
||||||
## on a NFS filesystem.
|
## on a NFS filesystem.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -2435,6 +2554,24 @@ interface(`fs_dontaudit_append_nfs_files',`
|
@@ -2435,6 +2573,24 @@ interface(`fs_dontaudit_append_nfs_files',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -9258,7 +9320,7 @@ index 437a42a..51d47a0 100644
|
|||||||
## Do not audit attempts to read or
|
## Do not audit attempts to read or
|
||||||
## write files on a NFS filesystem.
|
## write files on a NFS filesystem.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -2449,7 +2586,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
|
@@ -2449,7 +2605,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
|
||||||
type nfs_t;
|
type nfs_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -9267,7 +9329,7 @@ index 437a42a..51d47a0 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2637,6 +2774,24 @@ interface(`fs_dontaudit_read_removable_files',`
|
@@ -2637,6 +2793,24 @@ interface(`fs_dontaudit_read_removable_files',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -9292,7 +9354,7 @@ index 437a42a..51d47a0 100644
|
|||||||
## Read removable storage symbolic links.
|
## Read removable storage symbolic links.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -2845,7 +3000,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
|
@@ -2845,7 +3019,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
|
||||||
#########################################
|
#########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Create, read, write, and delete symbolic links
|
## Create, read, write, and delete symbolic links
|
||||||
@ -9301,7 +9363,7 @@ index 437a42a..51d47a0 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -3970,6 +4125,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
|
@@ -3970,6 +4144,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -9322,11 +9384,29 @@ index 437a42a..51d47a0 100644
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Relabelfrom directory on tmpfs filesystems.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`fs_relabelfrom_tmpfs_dir',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type tmpfs_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ relabelfrom_dirs_pattern($1, tmpfs_t, tmpfs_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
## Relabel character nodes on tmpfs filesystems.
|
## Relabel character nodes on tmpfs filesystems.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -4662,3 +4835,24 @@ interface(`fs_unconfined',`
|
@@ -4662,3 +4872,24 @@ interface(`fs_unconfined',`
|
||||||
|
|
||||||
typeattribute $1 filesystem_unconfined_type;
|
typeattribute $1 filesystem_unconfined_type;
|
||||||
')
|
')
|
||||||
@ -9807,6 +9887,16 @@ index 3723150..bde6daa 100644
|
|||||||
allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
|
allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
|
||||||
dev_add_entry_generic_dirs($1)
|
dev_add_entry_generic_dirs($1)
|
||||||
')
|
')
|
||||||
|
diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
|
||||||
|
index 3994e57..ee146ae 100644
|
||||||
|
--- a/policy/modules/kernel/terminal.fc
|
||||||
|
+++ b/policy/modules/kernel/terminal.fc
|
||||||
|
@@ -40,3 +40,5 @@ ifdef(`distro_gentoo',`
|
||||||
|
# used by init scripts to initally populate udev /dev
|
||||||
|
/lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0)
|
||||||
|
')
|
||||||
|
+
|
||||||
|
+/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
|
||||||
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
|
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
|
||||||
index 492bf76..87a6942 100644
|
index 492bf76..87a6942 100644
|
||||||
--- a/policy/modules/kernel/terminal.if
|
--- a/policy/modules/kernel/terminal.if
|
||||||
@ -38623,7 +38713,7 @@ index 8419a01..5865dba 100644
|
|||||||
+ allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
|
+ allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
||||||
index 698c11e..e90e509 100644
|
index 698c11e..d92e0c3 100644
|
||||||
--- a/policy/modules/system/init.te
|
--- a/policy/modules/system/init.te
|
||||||
+++ b/policy/modules/system/init.te
|
+++ b/policy/modules/system/init.te
|
||||||
@@ -16,6 +16,27 @@ gen_require(`
|
@@ -16,6 +16,27 @@ gen_require(`
|
||||||
@ -38713,7 +38803,7 @@ index 698c11e..e90e509 100644
|
|||||||
# Early devtmpfs
|
# Early devtmpfs
|
||||||
dev_rw_generic_chr_files(init_t)
|
dev_rw_generic_chr_files(init_t)
|
||||||
|
|
||||||
@@ -127,9 +154,12 @@ domain_kill_all_domains(init_t)
|
@@ -127,9 +154,13 @@ domain_kill_all_domains(init_t)
|
||||||
domain_signal_all_domains(init_t)
|
domain_signal_all_domains(init_t)
|
||||||
domain_signull_all_domains(init_t)
|
domain_signull_all_domains(init_t)
|
||||||
domain_sigstop_all_domains(init_t)
|
domain_sigstop_all_domains(init_t)
|
||||||
@ -38723,10 +38813,11 @@ index 698c11e..e90e509 100644
|
|||||||
|
|
||||||
files_read_etc_files(init_t)
|
files_read_etc_files(init_t)
|
||||||
+files_read_all_pids(init_t)
|
+files_read_all_pids(init_t)
|
||||||
|
+files_read_system_conf_files(init_t)
|
||||||
files_rw_generic_pids(init_t)
|
files_rw_generic_pids(init_t)
|
||||||
files_dontaudit_search_isid_type_dirs(init_t)
|
files_dontaudit_search_isid_type_dirs(init_t)
|
||||||
files_manage_etc_runtime_files(init_t)
|
files_manage_etc_runtime_files(init_t)
|
||||||
@@ -162,12 +192,15 @@ init_domtrans_script(init_t)
|
@@ -162,12 +193,15 @@ init_domtrans_script(init_t)
|
||||||
libs_rw_ld_so_cache(init_t)
|
libs_rw_ld_so_cache(init_t)
|
||||||
|
|
||||||
logging_send_syslog_msg(init_t)
|
logging_send_syslog_msg(init_t)
|
||||||
@ -38742,7 +38833,7 @@ index 698c11e..e90e509 100644
|
|||||||
ifdef(`distro_gentoo',`
|
ifdef(`distro_gentoo',`
|
||||||
allow init_t self:process { getcap setcap };
|
allow init_t self:process { getcap setcap };
|
||||||
')
|
')
|
||||||
@@ -178,7 +211,7 @@ ifdef(`distro_redhat',`
|
@@ -178,7 +212,7 @@ ifdef(`distro_redhat',`
|
||||||
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
|
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -38751,7 +38842,7 @@ index 698c11e..e90e509 100644
|
|||||||
corecmd_shell_domtrans(init_t, initrc_t)
|
corecmd_shell_domtrans(init_t, initrc_t)
|
||||||
',`
|
',`
|
||||||
# Run the shell in the sysadm role for single-user mode.
|
# Run the shell in the sysadm role for single-user mode.
|
||||||
@@ -186,12 +219,74 @@ tunable_policy(`init_upstart',`
|
@@ -186,12 +220,79 @@ tunable_policy(`init_upstart',`
|
||||||
sysadm_shell_domtrans(init_t)
|
sysadm_shell_domtrans(init_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -38769,6 +38860,8 @@ index 698c11e..e90e509 100644
|
|||||||
+
|
+
|
||||||
+ kernel_list_unlabeled(init_t)
|
+ kernel_list_unlabeled(init_t)
|
||||||
+ kernel_read_network_state(init_t)
|
+ kernel_read_network_state(init_t)
|
||||||
|
+ kernel_rw_kernel_sysctl(init_t)
|
||||||
|
+ kernel_read_all_sysctls(init_t)
|
||||||
+ kernel_unmount_debugfs(init_t)
|
+ kernel_unmount_debugfs(init_t)
|
||||||
+
|
+
|
||||||
+ dev_write_kmsg(init_t)
|
+ dev_write_kmsg(init_t)
|
||||||
@ -38782,14 +38875,17 @@ index 698c11e..e90e509 100644
|
|||||||
+
|
+
|
||||||
+ files_mounton_all_mountpoints(init_t)
|
+ files_mounton_all_mountpoints(init_t)
|
||||||
+ files_manage_all_pids_dirs(init_t)
|
+ files_manage_all_pids_dirs(init_t)
|
||||||
|
+ files_manage_urandom_seed(init_t)
|
||||||
+
|
+
|
||||||
+ fs_manage_cgroup_dirs(init_t)
|
+ fs_manage_cgroup_dirs(init_t)
|
||||||
+ fs_manage_hugetlbfs_dirs(init_t)
|
+ fs_manage_hugetlbfs_dirs(init_t)
|
||||||
+ fs_manage_tmpfs_dirs(init_t)
|
+ fs_manage_tmpfs_dirs(init_t)
|
||||||
|
+ fs_relabelfrom_tmpfs_dir(init_t)
|
||||||
+ fs_mount_all_fs(init_t)
|
+ fs_mount_all_fs(init_t)
|
||||||
+ fs_list_auto_mountpoints(init_t)
|
+ fs_list_auto_mountpoints(init_t)
|
||||||
+ fs_read_cgroup_files(init_t)
|
+ fs_read_cgroup_files(init_t)
|
||||||
+ fs_write_cgroup_files(init_t)
|
+ fs_write_cgroup_files(init_t)
|
||||||
|
+ fs_relabelto_cgroup_dirs(init_t)
|
||||||
+ fs_search_cgroup_dirs(daemon)
|
+ fs_search_cgroup_dirs(daemon)
|
||||||
+
|
+
|
||||||
+ selinux_compute_create_context(init_t)
|
+ selinux_compute_create_context(init_t)
|
||||||
@ -38826,7 +38922,7 @@ index 698c11e..e90e509 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -199,10 +294,19 @@ optional_policy(`
|
@@ -199,10 +300,19 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -38846,7 +38942,7 @@ index 698c11e..e90e509 100644
|
|||||||
unconfined_domain(init_t)
|
unconfined_domain(init_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -212,7 +316,7 @@ optional_policy(`
|
@@ -212,7 +322,7 @@ optional_policy(`
|
||||||
#
|
#
|
||||||
|
|
||||||
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
|
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
|
||||||
@ -38855,7 +38951,7 @@ index 698c11e..e90e509 100644
|
|||||||
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
|
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
|
||||||
allow initrc_t self:passwd rootok;
|
allow initrc_t self:passwd rootok;
|
||||||
allow initrc_t self:key manage_key_perms;
|
allow initrc_t self:key manage_key_perms;
|
||||||
@@ -241,6 +345,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
@@ -241,6 +351,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
||||||
|
|
||||||
allow initrc_t initrc_var_run_t:file manage_file_perms;
|
allow initrc_t initrc_var_run_t:file manage_file_perms;
|
||||||
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
|
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
|
||||||
@ -38863,7 +38959,7 @@ index 698c11e..e90e509 100644
|
|||||||
|
|
||||||
can_exec(initrc_t, initrc_tmp_t)
|
can_exec(initrc_t, initrc_tmp_t)
|
||||||
manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
|
manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
|
||||||
@@ -258,11 +363,23 @@ kernel_change_ring_buffer_level(initrc_t)
|
@@ -258,11 +369,23 @@ kernel_change_ring_buffer_level(initrc_t)
|
||||||
kernel_clear_ring_buffer(initrc_t)
|
kernel_clear_ring_buffer(initrc_t)
|
||||||
kernel_get_sysvipc_info(initrc_t)
|
kernel_get_sysvipc_info(initrc_t)
|
||||||
kernel_read_all_sysctls(initrc_t)
|
kernel_read_all_sysctls(initrc_t)
|
||||||
@ -38887,7 +38983,7 @@ index 698c11e..e90e509 100644
|
|||||||
|
|
||||||
corecmd_exec_all_executables(initrc_t)
|
corecmd_exec_all_executables(initrc_t)
|
||||||
|
|
||||||
@@ -291,6 +408,7 @@ dev_read_sound_mixer(initrc_t)
|
@@ -291,6 +414,7 @@ dev_read_sound_mixer(initrc_t)
|
||||||
dev_write_sound_mixer(initrc_t)
|
dev_write_sound_mixer(initrc_t)
|
||||||
dev_setattr_all_chr_files(initrc_t)
|
dev_setattr_all_chr_files(initrc_t)
|
||||||
dev_rw_lvm_control(initrc_t)
|
dev_rw_lvm_control(initrc_t)
|
||||||
@ -38895,7 +38991,7 @@ index 698c11e..e90e509 100644
|
|||||||
dev_delete_lvm_control_dev(initrc_t)
|
dev_delete_lvm_control_dev(initrc_t)
|
||||||
dev_manage_generic_symlinks(initrc_t)
|
dev_manage_generic_symlinks(initrc_t)
|
||||||
dev_manage_generic_files(initrc_t)
|
dev_manage_generic_files(initrc_t)
|
||||||
@@ -298,13 +416,13 @@ dev_manage_generic_files(initrc_t)
|
@@ -298,13 +422,13 @@ dev_manage_generic_files(initrc_t)
|
||||||
dev_delete_generic_symlinks(initrc_t)
|
dev_delete_generic_symlinks(initrc_t)
|
||||||
dev_getattr_all_blk_files(initrc_t)
|
dev_getattr_all_blk_files(initrc_t)
|
||||||
dev_getattr_all_chr_files(initrc_t)
|
dev_getattr_all_chr_files(initrc_t)
|
||||||
@ -38911,7 +39007,7 @@ index 698c11e..e90e509 100644
|
|||||||
domain_sigchld_all_domains(initrc_t)
|
domain_sigchld_all_domains(initrc_t)
|
||||||
domain_read_all_domains_state(initrc_t)
|
domain_read_all_domains_state(initrc_t)
|
||||||
domain_getattr_all_domains(initrc_t)
|
domain_getattr_all_domains(initrc_t)
|
||||||
@@ -323,8 +441,10 @@ files_getattr_all_symlinks(initrc_t)
|
@@ -323,8 +447,10 @@ files_getattr_all_symlinks(initrc_t)
|
||||||
files_getattr_all_pipes(initrc_t)
|
files_getattr_all_pipes(initrc_t)
|
||||||
files_getattr_all_sockets(initrc_t)
|
files_getattr_all_sockets(initrc_t)
|
||||||
files_purge_tmp(initrc_t)
|
files_purge_tmp(initrc_t)
|
||||||
@ -38923,7 +39019,7 @@ index 698c11e..e90e509 100644
|
|||||||
files_delete_all_pids(initrc_t)
|
files_delete_all_pids(initrc_t)
|
||||||
files_delete_all_pid_dirs(initrc_t)
|
files_delete_all_pid_dirs(initrc_t)
|
||||||
files_read_etc_files(initrc_t)
|
files_read_etc_files(initrc_t)
|
||||||
@@ -340,8 +460,12 @@ files_list_isid_type_dirs(initrc_t)
|
@@ -340,8 +466,12 @@ files_list_isid_type_dirs(initrc_t)
|
||||||
files_mounton_isid_type_dirs(initrc_t)
|
files_mounton_isid_type_dirs(initrc_t)
|
||||||
files_list_default(initrc_t)
|
files_list_default(initrc_t)
|
||||||
files_mounton_default(initrc_t)
|
files_mounton_default(initrc_t)
|
||||||
@ -38937,7 +39033,7 @@ index 698c11e..e90e509 100644
|
|||||||
fs_list_inotifyfs(initrc_t)
|
fs_list_inotifyfs(initrc_t)
|
||||||
fs_register_binary_executable_type(initrc_t)
|
fs_register_binary_executable_type(initrc_t)
|
||||||
# rhgb-console writes to ramfs
|
# rhgb-console writes to ramfs
|
||||||
@@ -351,6 +475,8 @@ fs_mount_all_fs(initrc_t)
|
@@ -351,6 +481,8 @@ fs_mount_all_fs(initrc_t)
|
||||||
fs_unmount_all_fs(initrc_t)
|
fs_unmount_all_fs(initrc_t)
|
||||||
fs_remount_all_fs(initrc_t)
|
fs_remount_all_fs(initrc_t)
|
||||||
fs_getattr_all_fs(initrc_t)
|
fs_getattr_all_fs(initrc_t)
|
||||||
@ -38946,7 +39042,7 @@ index 698c11e..e90e509 100644
|
|||||||
|
|
||||||
# initrc_t needs to do a pidof which requires ptrace
|
# initrc_t needs to do a pidof which requires ptrace
|
||||||
mcs_ptrace_all(initrc_t)
|
mcs_ptrace_all(initrc_t)
|
||||||
@@ -363,6 +489,7 @@ mls_process_read_up(initrc_t)
|
@@ -363,6 +495,7 @@ mls_process_read_up(initrc_t)
|
||||||
mls_process_write_down(initrc_t)
|
mls_process_write_down(initrc_t)
|
||||||
mls_rangetrans_source(initrc_t)
|
mls_rangetrans_source(initrc_t)
|
||||||
mls_fd_share_all_levels(initrc_t)
|
mls_fd_share_all_levels(initrc_t)
|
||||||
@ -38954,7 +39050,7 @@ index 698c11e..e90e509 100644
|
|||||||
|
|
||||||
selinux_get_enforce_mode(initrc_t)
|
selinux_get_enforce_mode(initrc_t)
|
||||||
|
|
||||||
@@ -380,6 +507,7 @@ auth_read_pam_pid(initrc_t)
|
@@ -380,6 +513,7 @@ auth_read_pam_pid(initrc_t)
|
||||||
auth_delete_pam_pid(initrc_t)
|
auth_delete_pam_pid(initrc_t)
|
||||||
auth_delete_pam_console_data(initrc_t)
|
auth_delete_pam_console_data(initrc_t)
|
||||||
auth_use_nsswitch(initrc_t)
|
auth_use_nsswitch(initrc_t)
|
||||||
@ -38962,7 +39058,7 @@ index 698c11e..e90e509 100644
|
|||||||
|
|
||||||
libs_rw_ld_so_cache(initrc_t)
|
libs_rw_ld_so_cache(initrc_t)
|
||||||
libs_exec_lib_files(initrc_t)
|
libs_exec_lib_files(initrc_t)
|
||||||
@@ -394,13 +522,14 @@ logging_read_audit_config(initrc_t)
|
@@ -394,13 +528,14 @@ logging_read_audit_config(initrc_t)
|
||||||
|
|
||||||
miscfiles_read_localization(initrc_t)
|
miscfiles_read_localization(initrc_t)
|
||||||
# slapd needs to read cert files from its initscript
|
# slapd needs to read cert files from its initscript
|
||||||
@ -38978,7 +39074,7 @@ index 698c11e..e90e509 100644
|
|||||||
userdom_read_user_home_content_files(initrc_t)
|
userdom_read_user_home_content_files(initrc_t)
|
||||||
# Allow access to the sysadm TTYs. Note that this will give access to the
|
# Allow access to the sysadm TTYs. Note that this will give access to the
|
||||||
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
|
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
|
||||||
@@ -473,7 +602,7 @@ ifdef(`distro_redhat',`
|
@@ -473,7 +608,7 @@ ifdef(`distro_redhat',`
|
||||||
|
|
||||||
# Red Hat systems seem to have a stray
|
# Red Hat systems seem to have a stray
|
||||||
# fd open from the initrd
|
# fd open from the initrd
|
||||||
@ -38987,7 +39083,7 @@ index 698c11e..e90e509 100644
|
|||||||
files_dontaudit_read_root_files(initrc_t)
|
files_dontaudit_read_root_files(initrc_t)
|
||||||
|
|
||||||
# These seem to be from the initrd
|
# These seem to be from the initrd
|
||||||
@@ -519,6 +648,19 @@ ifdef(`distro_redhat',`
|
@@ -519,6 +654,19 @@ ifdef(`distro_redhat',`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
bind_manage_config_dirs(initrc_t)
|
bind_manage_config_dirs(initrc_t)
|
||||||
bind_write_config(initrc_t)
|
bind_write_config(initrc_t)
|
||||||
@ -39007,7 +39103,7 @@ index 698c11e..e90e509 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -526,10 +668,17 @@ ifdef(`distro_redhat',`
|
@@ -526,10 +674,17 @@ ifdef(`distro_redhat',`
|
||||||
rpc_write_exports(initrc_t)
|
rpc_write_exports(initrc_t)
|
||||||
rpc_manage_nfs_state_data(initrc_t)
|
rpc_manage_nfs_state_data(initrc_t)
|
||||||
')
|
')
|
||||||
@ -39025,7 +39121,7 @@ index 698c11e..e90e509 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -544,6 +693,35 @@ ifdef(`distro_suse',`
|
@@ -544,6 +699,35 @@ ifdef(`distro_suse',`
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -39061,7 +39157,7 @@ index 698c11e..e90e509 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
amavis_search_lib(initrc_t)
|
amavis_search_lib(initrc_t)
|
||||||
amavis_setattr_pid_files(initrc_t)
|
amavis_setattr_pid_files(initrc_t)
|
||||||
@@ -556,6 +734,8 @@ optional_policy(`
|
@@ -556,6 +740,8 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
apache_read_config(initrc_t)
|
apache_read_config(initrc_t)
|
||||||
apache_list_modules(initrc_t)
|
apache_list_modules(initrc_t)
|
||||||
@ -39070,7 +39166,7 @@ index 698c11e..e90e509 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -572,6 +752,7 @@ optional_policy(`
|
@@ -572,6 +758,7 @@ optional_policy(`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
cgroup_stream_connect_cgred(initrc_t)
|
cgroup_stream_connect_cgred(initrc_t)
|
||||||
@ -39078,7 +39174,7 @@ index 698c11e..e90e509 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -584,6 +765,11 @@ optional_policy(`
|
@@ -584,6 +771,11 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -39090,7 +39186,7 @@ index 698c11e..e90e509 100644
|
|||||||
dev_getattr_printer_dev(initrc_t)
|
dev_getattr_printer_dev(initrc_t)
|
||||||
|
|
||||||
cups_read_log(initrc_t)
|
cups_read_log(initrc_t)
|
||||||
@@ -600,6 +786,9 @@ optional_policy(`
|
@@ -600,6 +792,9 @@ optional_policy(`
|
||||||
dbus_connect_system_bus(initrc_t)
|
dbus_connect_system_bus(initrc_t)
|
||||||
dbus_system_bus_client(initrc_t)
|
dbus_system_bus_client(initrc_t)
|
||||||
dbus_read_config(initrc_t)
|
dbus_read_config(initrc_t)
|
||||||
@ -39100,7 +39196,7 @@ index 698c11e..e90e509 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
consolekit_dbus_chat(initrc_t)
|
consolekit_dbus_chat(initrc_t)
|
||||||
@@ -701,7 +890,13 @@ optional_policy(`
|
@@ -701,7 +896,13 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -39114,7 +39210,7 @@ index 698c11e..e90e509 100644
|
|||||||
mta_dontaudit_read_spool_symlinks(initrc_t)
|
mta_dontaudit_read_spool_symlinks(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -724,6 +919,10 @@ optional_policy(`
|
@@ -724,6 +925,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -39125,7 +39221,7 @@ index 698c11e..e90e509 100644
|
|||||||
postgresql_manage_db(initrc_t)
|
postgresql_manage_db(initrc_t)
|
||||||
postgresql_read_config(initrc_t)
|
postgresql_read_config(initrc_t)
|
||||||
')
|
')
|
||||||
@@ -745,6 +944,10 @@ optional_policy(`
|
@@ -745,6 +950,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -39136,7 +39232,7 @@ index 698c11e..e90e509 100644
|
|||||||
fs_write_ramfs_sockets(initrc_t)
|
fs_write_ramfs_sockets(initrc_t)
|
||||||
fs_search_ramfs(initrc_t)
|
fs_search_ramfs(initrc_t)
|
||||||
|
|
||||||
@@ -766,8 +969,6 @@ optional_policy(`
|
@@ -766,8 +975,6 @@ optional_policy(`
|
||||||
# bash tries ioctl for some reason
|
# bash tries ioctl for some reason
|
||||||
files_dontaudit_ioctl_all_pids(initrc_t)
|
files_dontaudit_ioctl_all_pids(initrc_t)
|
||||||
|
|
||||||
@ -39145,7 +39241,7 @@ index 698c11e..e90e509 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -776,14 +977,21 @@ optional_policy(`
|
@@ -776,14 +983,21 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -39167,7 +39263,7 @@ index 698c11e..e90e509 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
ssh_dontaudit_read_server_keys(initrc_t)
|
ssh_dontaudit_read_server_keys(initrc_t)
|
||||||
@@ -805,11 +1013,19 @@ optional_policy(`
|
@@ -805,11 +1019,19 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -39188,7 +39284,7 @@ index 698c11e..e90e509 100644
|
|||||||
|
|
||||||
ifdef(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
# system-config-services causes avc messages that should be dontaudited
|
# system-config-services causes avc messages that should be dontaudited
|
||||||
@@ -819,6 +1035,25 @@ optional_policy(`
|
@@ -819,6 +1041,25 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
mono_domtrans(initrc_t)
|
mono_domtrans(initrc_t)
|
||||||
')
|
')
|
||||||
@ -39214,7 +39310,7 @@ index 698c11e..e90e509 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -844,3 +1079,55 @@ optional_policy(`
|
@@ -844,3 +1085,55 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
zebra_read_config(initrc_t)
|
zebra_read_config(initrc_t)
|
||||||
')
|
')
|
||||||
|
@ -21,7 +21,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.9.6
|
Version: 3.9.6
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -470,6 +470,12 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
|
||||||
|
* Fri Oct 8 2010 Dan Walsh <dwalsh@redhat.com> 3.9.6-2
|
||||||
|
- Lots of fixes for systemd
|
||||||
|
- systemd now executes readahead and tmpwatch type scripts
|
||||||
|
- Needs to manage random seed
|
||||||
|
|
||||||
* Thu Oct 7 2010 Dan Walsh <dwalsh@redhat.com> 3.9.6-1
|
* Thu Oct 7 2010 Dan Walsh <dwalsh@redhat.com> 3.9.6-1
|
||||||
- Allow smbd to use sys_admin
|
- Allow smbd to use sys_admin
|
||||||
- Remove duplicate file context for tcfmgr
|
- Remove duplicate file context for tcfmgr
|
||||||
|