- Set up labeling of /var/rsa and /var/lib/rsa to allow login programs to write there
- bluetooth says they do not use /tmp and want to remove the type - Allow init to transition to colord - Mongod needs to read /proc/sys/vm/zone_reclaim_mode - Allow postfix_smtpd_t to connect to spamd - Add boolean to allow ftp to connect to all ports > 1023 - Allow sendmail to write to inherited dovecot tmp files
This commit is contained in:
parent
291b1f5075
commit
de9114f624
277
policy-F16.patch
277
policy-F16.patch
@ -24370,7 +24370,7 @@ index 0b827c5..7f57a98 100644
+ dontaudit $1 abrt_t:sock_file write;
|
+ dontaudit $1 abrt_t:sock_file write;
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
|
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
|
||||||
index 30861ec..939e294 100644
|
index 30861ec..c66fd4a 100644
|
||||||
--- a/policy/modules/services/abrt.te
|
--- a/policy/modules/services/abrt.te
|
||||||
+++ b/policy/modules/services/abrt.te
|
+++ b/policy/modules/services/abrt.te
|
||||||
@@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0)
|
@@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0)
|
||||||
|
@ -24510,16 +24510,17 @@ index 30861ec..939e294 100644
|
||||||
files_read_var_symlinks(abrt_t)
|
files_read_var_symlinks(abrt_t)
|
||||||
files_read_var_lib_files(abrt_t)
|
files_read_var_lib_files(abrt_t)
|
||||||
files_read_usr_files(abrt_t)
|
files_read_usr_files(abrt_t)
|
||||||
@@ -121,6 +175,8 @@ files_read_generic_tmp_files(abrt_t)
|
@@ -121,6 +175,9 @@ files_read_generic_tmp_files(abrt_t)
|
||||||
files_read_kernel_modules(abrt_t)
|
files_read_kernel_modules(abrt_t)
|
||||||
files_dontaudit_list_default(abrt_t)
|
files_dontaudit_list_default(abrt_t)
|
||||||
files_dontaudit_read_default_files(abrt_t)
|
files_dontaudit_read_default_files(abrt_t)
|
||||||
+files_dontaudit_read_all_symlinks(abrt_t)
|
+files_dontaudit_read_all_symlinks(abrt_t)
|
||||||
+files_dontaudit_getattr_all_sockets(abrt_t)
|
+files_dontaudit_getattr_all_sockets(abrt_t)
|
||||||
|
+files_list_mnt(abrt_t)
|
||||||
|
|
||||||
fs_list_inotifyfs(abrt_t)
|
fs_list_inotifyfs(abrt_t)
|
||||||
fs_getattr_all_fs(abrt_t)
|
fs_getattr_all_fs(abrt_t)
|
||||||
@@ -131,22 +187,26 @@ fs_read_nfs_files(abrt_t)
|
@@ -131,22 +188,26 @@ fs_read_nfs_files(abrt_t)
|
||||||
fs_read_nfs_symlinks(abrt_t)
|
fs_read_nfs_symlinks(abrt_t)
|
||||||
fs_search_all(abrt_t)
|
fs_search_all(abrt_t)
|
||||||
|
|
||||||
|
@ -24552,7 +24553,7 @@ index 30861ec..939e294 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -167,6 +227,7 @@ optional_policy(`
|
@@ -167,6 +228,7 @@ optional_policy(`
|
||||||
rpm_exec(abrt_t)
|
rpm_exec(abrt_t)
|
||||||
rpm_dontaudit_manage_db(abrt_t)
|
rpm_dontaudit_manage_db(abrt_t)
|
||||||
rpm_manage_cache(abrt_t)
|
rpm_manage_cache(abrt_t)
|
||||||
|
@ -24560,7 +24561,7 @@ index 30861ec..939e294 100644
|
||||||
rpm_manage_pid_files(abrt_t)
|
rpm_manage_pid_files(abrt_t)
|
||||||
rpm_read_db(abrt_t)
|
rpm_read_db(abrt_t)
|
||||||
rpm_signull(abrt_t)
|
rpm_signull(abrt_t)
|
||||||
@@ -178,12 +239,35 @@ optional_policy(`
|
@@ -178,12 +240,35 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -24597,7 +24598,7 @@ index 30861ec..939e294 100644
|
||||||
#
|
#
|
||||||
|
|
||||||
allow abrt_helper_t self:capability { chown setgid sys_nice };
|
allow abrt_helper_t self:capability { chown setgid sys_nice };
|
||||||
@@ -200,23 +284,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
|
@@ -200,23 +285,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
|
||||||
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
|
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
|
||||||
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
|
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
|
||||||
|
|
||||||
|
@ -24626,7 +24627,7 @@ index 30861ec..939e294 100644
|
||||||
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
|
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
|
||||||
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
|
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
|
||||||
dev_dontaudit_read_all_blk_files(abrt_helper_t)
|
dev_dontaudit_read_all_blk_files(abrt_helper_t)
|
||||||
@@ -224,4 +307,128 @@ ifdef(`hide_broken_symptoms', `
|
@@ -224,4 +308,128 @@ ifdef(`hide_broken_symptoms', `
|
||||||
dev_dontaudit_write_all_chr_files(abrt_helper_t)
|
dev_dontaudit_write_all_chr_files(abrt_helper_t)
|
||||||
dev_dontaudit_write_all_blk_files(abrt_helper_t)
|
dev_dontaudit_write_all_blk_files(abrt_helper_t)
|
||||||
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
|
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
|
||||||
|
@ -28429,7 +28430,7 @@ index 0000000..bccefc9
|
||||||
+ gnome_search_gconf(blueman_t)
|
+ gnome_search_gconf(blueman_t)
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
|
diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
|
||||||
index 3e45431..a726c09 100644
|
index 3e45431..58b9ece 100644
|
||||||
--- a/policy/modules/services/bluetooth.if
|
--- a/policy/modules/services/bluetooth.if
|
||||||
+++ b/policy/modules/services/bluetooth.if
|
+++ b/policy/modules/services/bluetooth.if
|
||||||
@@ -14,6 +14,7 @@
|
@@ -14,6 +14,7 @@
|
||||||
|
@ -28519,11 +28520,13 @@ index 3e45431..a726c09 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -194,14 +222,17 @@ interface(`bluetooth_dontaudit_read_helper_state',`
|
@@ -193,23 +221,23 @@ interface(`bluetooth_dontaudit_read_helper_state',`
|
||||||
|
#
|
||||||
interface(`bluetooth_admin',`
|
interface(`bluetooth_admin',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
|
- type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
|
||||||
- type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t;
|
- type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t;
|
||||||
|
+ type bluetooth_t, bluetooth_lock_t;
|
||||||
+ type bluetooth_var_lib_t, bluetooth_var_run_t, bluetooth_initrc_exec_t;
|
+ type bluetooth_var_lib_t, bluetooth_var_run_t, bluetooth_initrc_exec_t;
|
||||||
type bluetooth_conf_t, bluetooth_conf_rw_t;
|
type bluetooth_conf_t, bluetooth_conf_rw_t;
|
||||||
- type bluetooth_initrc_exec_t;
|
- type bluetooth_initrc_exec_t;
|
||||||
|
@ -28540,7 +28543,15 @@ index 3e45431..a726c09 100644
|
||||||
init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
|
init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
|
||||||
domain_system_change_exemption($1)
|
domain_system_change_exemption($1)
|
||||||
role_transition $2 bluetooth_initrc_exec_t system_r;
|
role_transition $2 bluetooth_initrc_exec_t system_r;
|
||||||
@@ -217,9 +248,6 @@ interface(`bluetooth_admin',`
|
allow $2 system_r;
|
||||||
|
|
||||||
|
- files_list_tmp($1)
|
||||||
|
- admin_pattern($1, bluetooth_tmp_t)
|
||||||
|
-
|
||||||
|
files_list_var($1)
|
||||||
|
admin_pattern($1, bluetooth_lock_t)
|
||||||
|
|
||||||
|
@@ -217,9 +245,6 @@ interface(`bluetooth_admin',`
|
||||||
admin_pattern($1, bluetooth_conf_t)
|
admin_pattern($1, bluetooth_conf_t)
|
||||||
admin_pattern($1, bluetooth_conf_rw_t)
|
admin_pattern($1, bluetooth_conf_rw_t)
|
||||||
|
|
||||||
|
@ -28551,7 +28562,7 @@ index 3e45431..a726c09 100644
|
||||||
admin_pattern($1, bluetooth_var_lib_t)
|
admin_pattern($1, bluetooth_var_lib_t)
|
||||||
|
|
||||||
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
|
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
|
||||||
index 215b86b..2bb14b2 100644
|
index 215b86b..76ab538 100644
|
||||||
--- a/policy/modules/services/bluetooth.te
|
--- a/policy/modules/services/bluetooth.te
|
||||||
+++ b/policy/modules/services/bluetooth.te
|
+++ b/policy/modules/services/bluetooth.te
|
||||||
@@ -4,12 +4,13 @@ policy_module(bluetooth, 3.3.0)
|
@@ -4,12 +4,13 @@ policy_module(bluetooth, 3.3.0)
|
||||||
|
@ -28569,7 +28580,28 @@ index 215b86b..2bb14b2 100644
|
||||||
|
|
||||||
type bluetooth_conf_rw_t;
|
type bluetooth_conf_rw_t;
|
||||||
files_type(bluetooth_conf_rw_t)
|
files_type(bluetooth_conf_rw_t)
|
||||||
@@ -147,6 +148,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t)
|
@@ -39,9 +40,6 @@ init_script_file(bluetooth_initrc_exec_t)
|
||||||
|
type bluetooth_lock_t;
|
||||||
|
files_lock_file(bluetooth_lock_t)
|
||||||
|
|
||||||
|
-type bluetooth_tmp_t;
|
||||||
|
-files_tmp_file(bluetooth_tmp_t)
|
||||||
|
-
|
||||||
|
type bluetooth_var_lib_t;
|
||||||
|
files_type(bluetooth_var_lib_t)
|
||||||
|
|
||||||
|
@@ -80,10 +78,6 @@ can_exec(bluetooth_t, bluetooth_helper_exec_t)
|
||||||
|
allow bluetooth_t bluetooth_lock_t:file manage_file_perms;
|
||||||
|
files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file)
|
||||||
|
|
||||||
|
-manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
|
||||||
|
-manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
|
||||||
|
-files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { file dir })
|
||||||
|
-
|
||||||
|
manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
|
||||||
|
manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
|
||||||
|
files_var_lib_filetrans(bluetooth_t, bluetooth_var_lib_t, { dir file } )
|
||||||
|
@@ -147,6 +141,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t)
|
||||||
userdom_dontaudit_search_user_home_dirs(bluetooth_t)
|
userdom_dontaudit_search_user_home_dirs(bluetooth_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
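Review bot: `type bluetooth_tmp_t;` and `files_tmp_file(bluetooth_tmp_t)` are removed together with the three tmp rules, which matches the commit message, but nothing in this section deals with files that already carry that label on a running system; after the new policy is loaded such files would presumably map to an invalid or unlabeled context until relabelled, so the commit text should say so, and bluetooth.fc should be checked for a /tmp entry that would now reference a missing type. bluetooth.if is updated in the same commit, but any other module still referencing bluetooth_tmp_t would fail to build; only the combined patch is visible here, so that cannot be confirmed from this page.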
|
||||||
|
@ -28580,7 +28612,7 @@ index 215b86b..2bb14b2 100644
|
||||||
dbus_system_bus_client(bluetooth_t)
|
dbus_system_bus_client(bluetooth_t)
|
||||||
dbus_connect_system_bus(bluetooth_t)
|
dbus_connect_system_bus(bluetooth_t)
|
||||||
|
|
||||||
@@ -190,7 +195,6 @@ allow bluetooth_helper_t self:fifo_file rw_fifo_file_perms;
|
@@ -190,7 +188,6 @@ allow bluetooth_helper_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow bluetooth_helper_t self:shm create_shm_perms;
|
allow bluetooth_helper_t self:shm create_shm_perms;
|
||||||
allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||||
allow bluetooth_helper_t self:tcp_socket create_socket_perms;
|
allow bluetooth_helper_t self:tcp_socket create_socket_perms;
|
||||||
|
@ -28588,7 +28620,7 @@ index 215b86b..2bb14b2 100644
|
||||||
|
|
||||||
allow bluetooth_helper_t bluetooth_t:socket { read write };
|
allow bluetooth_helper_t bluetooth_t:socket { read write };
|
||||||
|
|
||||||
@@ -220,6 +224,8 @@ files_read_etc_runtime_files(bluetooth_helper_t)
|
@@ -220,6 +217,8 @@ files_read_etc_runtime_files(bluetooth_helper_t)
|
||||||
files_read_usr_files(bluetooth_helper_t)
|
files_read_usr_files(bluetooth_helper_t)
|
||||||
files_dontaudit_list_default(bluetooth_helper_t)
|
files_dontaudit_list_default(bluetooth_helper_t)
|
||||||
|
|
||||||
|
@ -28597,7 +28629,7 @@ index 215b86b..2bb14b2 100644
|
||||||
locallogin_dontaudit_use_fds(bluetooth_helper_t)
|
locallogin_dontaudit_use_fds(bluetooth_helper_t)
|
||||||
|
|
||||||
logging_send_syslog_msg(bluetooth_helper_t)
|
logging_send_syslog_msg(bluetooth_helper_t)
|
||||||
@@ -236,9 +242,5 @@ optional_policy(`
|
@@ -236,9 +235,5 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -31101,10 +31133,10 @@ index 0000000..7f55959
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te
|
diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..2be12fd
|
index 0000000..8b32b57
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/services/cloudform.te
|
+++ b/policy/modules/services/cloudform.te
|
||||||
@@ -0,0 +1,220 @@
|
@@ -0,0 +1,222 @@
|
||||||
+policy_module(cloudform, 1.0)
|
+policy_module(cloudform, 1.0)
|
||||||
+########################################
|
+########################################
|
||||||
+#
|
+#
|
||||||
|
@ -31278,6 +31310,8 @@ index 0000000..2be12fd
|
||||||
+corenet_tcp_bind_generic_node(mongod_t)
|
+corenet_tcp_bind_generic_node(mongod_t)
|
||||||
+corenet_tcp_bind_mongod_port(mongod_t)
|
+corenet_tcp_bind_mongod_port(mongod_t)
|
||||||
+
|
+
|
||||||
|
+kernel_read_vm_sysctls(mongod_t)
|
||||||
|
+
|
||||||
+files_read_usr_files(mongod_t)
|
+files_read_usr_files(mongod_t)
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
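Review bot: `kernel_read_vm_sysctls(mongod_t)` is added without a comment even though the commit message names the specific need, /proc/sys/vm/zone_reclaim_mode; record it next to the rule so the grant can be revisited later: `# mongod reads /proc/sys/vm/zone_reclaim_mode at startup`. The interface covers all of /proc/sys/vm, which is wider than the one sysctl, and refpolicy does not appear to offer a finer-grained interface, so the comment is the only place the intended scope is kept.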
|
||||||
|
@ -32115,10 +32149,18 @@ index 0000000..ca71d08
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
|
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
|
||||||
index 74505cc..be3683b 100644
|
index 74505cc..029adf3 100644
|
||||||
--- a/policy/modules/services/colord.te
|
--- a/policy/modules/services/colord.te
|
||||||
+++ b/policy/modules/services/colord.te
|
+++ b/policy/modules/services/colord.te
|
||||||
@@ -23,9 +23,11 @@ files_type(colord_var_lib_t)
|
@@ -8,6 +8,7 @@ policy_module(colord, 1.0.0)
|
||||||
|
type colord_t;
|
||||||
|
type colord_exec_t;
|
||||||
|
dbus_system_domain(colord_t, colord_exec_t)
|
||||||
|
+init_daemon_domain(colord_t, colord_exec_t)
|
||||||
|
|
||||||
|
type colord_tmp_t;
|
||||||
|
files_tmp_file(colord_tmp_t)
|
||||||
|
@@ -23,9 +24,11 @@ files_type(colord_var_lib_t)
|
||||||
# colord local policy
|
# colord local policy
|
||||||
#
|
#
|
||||||
allow colord_t self:capability { dac_read_search dac_override };
|
allow colord_t self:capability { dac_read_search dac_override };
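Review bot: `init_daemon_domain(colord_t, colord_exec_t)` is inserted directly under `dbus_system_domain(colord_t, colord_exec_t)` with no comment, so colord_t now has two entry paths (started by init and activated over D-Bus) and a reader cannot tell whether both are intended. A one-line comment tying it to the commit's intent would help: `# started directly by init as well as via dbus activation`. The unchanged `allow colord_t self:capability { dac_read_search dac_override };` further down now applies to an init-started instance as well; confirm that set is still the minimum colord needs.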
|
||||||
|
@ -32130,7 +32172,7 @@ index 74505cc..be3683b 100644
|
||||||
allow colord_t self:udp_socket create_socket_perms;
|
allow colord_t self:udp_socket create_socket_perms;
|
||||||
allow colord_t self:unix_dgram_socket create_socket_perms;
|
allow colord_t self:unix_dgram_socket create_socket_perms;
|
||||||
|
|
||||||
@@ -41,8 +43,14 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
|
@@ -41,8 +44,14 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
|
||||||
manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
|
manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
|
||||||
files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
|
files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
|
||||||
|
|
||||||
|
@ -32146,7 +32188,7 @@ index 74505cc..be3683b 100644
|
||||||
|
|
||||||
corenet_all_recvfrom_unlabeled(colord_t)
|
corenet_all_recvfrom_unlabeled(colord_t)
|
||||||
corenet_all_recvfrom_netlabel(colord_t)
|
corenet_all_recvfrom_netlabel(colord_t)
|
||||||
@@ -50,6 +58,8 @@ corenet_udp_bind_generic_node(colord_t)
|
@@ -50,6 +59,8 @@ corenet_udp_bind_generic_node(colord_t)
|
||||||
corenet_udp_bind_ipp_port(colord_t)
|
corenet_udp_bind_ipp_port(colord_t)
|
||||||
corenet_tcp_connect_ipp_port(colord_t)
|
corenet_tcp_connect_ipp_port(colord_t)
|
||||||
|
|
||||||
|
@ -32155,7 +32197,7 @@ index 74505cc..be3683b 100644
|
||||||
dev_read_video_dev(colord_t)
|
dev_read_video_dev(colord_t)
|
||||||
dev_write_video_dev(colord_t)
|
dev_write_video_dev(colord_t)
|
||||||
dev_rw_printer(colord_t)
|
dev_rw_printer(colord_t)
|
||||||
@@ -65,19 +75,33 @@ files_list_mnt(colord_t)
|
@@ -65,19 +76,33 @@ files_list_mnt(colord_t)
|
||||||
files_read_etc_files(colord_t)
|
files_read_etc_files(colord_t)
|
||||||
files_read_usr_files(colord_t)
|
files_read_usr_files(colord_t)
|
||||||
|
|
||||||
|
@ -32190,7 +32232,7 @@ index 74505cc..be3683b 100644
|
||||||
fs_read_cifs_files(colord_t)
|
fs_read_cifs_files(colord_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -89,6 +113,12 @@ optional_policy(`
|
@@ -89,6 +114,12 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -32203,7 +32245,7 @@ index 74505cc..be3683b 100644
|
||||||
policykit_dbus_chat(colord_t)
|
policykit_dbus_chat(colord_t)
|
||||||
policykit_domtrans_auth(colord_t)
|
policykit_domtrans_auth(colord_t)
|
||||||
policykit_read_lib(colord_t)
|
policykit_read_lib(colord_t)
|
||||||
@@ -96,5 +126,16 @@ optional_policy(`
|
@@ -96,5 +127,16 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -33310,7 +33352,7 @@ index 35241ed..7a0913c 100644
|
||||||
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
|
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
|
||||||
')
|
')
|
||||||
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
|
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
|
||||||
index f7583ab..a4d25d9 100644
|
index f7583ab..958bd54 100644
|
||||||
--- a/policy/modules/services/cron.te
|
--- a/policy/modules/services/cron.te
|
||||||
+++ b/policy/modules/services/cron.te
|
+++ b/policy/modules/services/cron.te
|
||||||
@@ -10,18 +10,18 @@ gen_require(`
|
@@ -10,18 +10,18 @@ gen_require(`
|
||||||
|
@ -33456,7 +33498,15 @@ index f7583ab..a4d25d9 100644
|
||||||
allow crond_t self:process { setexec setfscreate };
|
allow crond_t self:process { setexec setfscreate };
|
||||||
allow crond_t self:fd use;
|
allow crond_t self:fd use;
|
||||||
allow crond_t self:fifo_file rw_fifo_file_perms;
|
allow crond_t self:fifo_file rw_fifo_file_perms;
|
||||||
@@ -187,12 +203,16 @@ fs_list_inotifyfs(crond_t)
|
@@ -151,6 +167,7 @@ allow crond_t self:sem create_sem_perms;
|
||||||
|
allow crond_t self:msgq create_msgq_perms;
|
||||||
|
allow crond_t self:msg { send receive };
|
||||||
|
allow crond_t self:key { search write link };
|
||||||
|
+dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
|
||||||
|
|
||||||
|
manage_files_pattern(crond_t, cron_log_t, cron_log_t)
|
||||||
|
logging_log_filetrans(crond_t, cron_log_t, file)
|
||||||
|
@@ -187,12 +204,16 @@ fs_list_inotifyfs(crond_t)
|
||||||
|
|
||||||
# need auth_chkpwd to check for locked accounts.
|
# need auth_chkpwd to check for locked accounts.
|
||||||
auth_domtrans_chk_passwd(crond_t)
|
auth_domtrans_chk_passwd(crond_t)
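Review bot: The added `dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;` silences an access attempt rather than granting it, and neither the hunk nor the commit message says where the attempt comes from; a comment naming the source is needed so the rule is not mistaken for a grant or kept after the cause disappears, e.g. `# PAM session setup probes tty auditing; crond has no tty, so the denial is expected noise` (the PAM origin is presumed, confirm against the cron PAM stack). If a cron PAM configuration is ever set to require tty auditing, this rule would hide that failure instead of surfacing it, which is worth stating as the reason it is a dontaudit rather than an allow.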
|
||||||
|
@ -33473,7 +33523,7 @@ index f7583ab..a4d25d9 100644
|
||||||
|
|
||||||
files_read_usr_files(crond_t)
|
files_read_usr_files(crond_t)
|
||||||
files_read_etc_runtime_files(crond_t)
|
files_read_etc_runtime_files(crond_t)
|
||||||
@@ -203,11 +223,28 @@ files_list_usr(crond_t)
|
@@ -203,11 +224,28 @@ files_list_usr(crond_t)
|
||||||
files_search_var_lib(crond_t)
|
files_search_var_lib(crond_t)
|
||||||
files_search_default(crond_t)
|
files_search_default(crond_t)
|
||||||
|
|
||||||
|
@ -33502,7 +33552,7 @@ index f7583ab..a4d25d9 100644
|
||||||
logging_send_syslog_msg(crond_t)
|
logging_send_syslog_msg(crond_t)
|
||||||
logging_set_loginuid(crond_t)
|
logging_set_loginuid(crond_t)
|
||||||
|
|
||||||
@@ -220,8 +257,11 @@ miscfiles_read_localization(crond_t)
|
@@ -220,8 +258,11 @@ miscfiles_read_localization(crond_t)
|
||||||
userdom_use_unpriv_users_fds(crond_t)
|
userdom_use_unpriv_users_fds(crond_t)
|
||||||
# Not sure why this is needed
|
# Not sure why this is needed
|
||||||
userdom_list_user_home_dirs(crond_t)
|
userdom_list_user_home_dirs(crond_t)
|
||||||
|
@ -33514,7 +33564,7 @@ index f7583ab..a4d25d9 100644
|
||||||
|
|
||||||
ifdef(`distro_debian',`
|
ifdef(`distro_debian',`
|
||||||
# pam_limits is used
|
# pam_limits is used
|
||||||
@@ -233,7 +273,7 @@ ifdef(`distro_debian',`
|
@@ -233,7 +274,7 @@ ifdef(`distro_debian',`
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -33523,7 +33573,7 @@ index f7583ab..a4d25d9 100644
|
||||||
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
|
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
|
||||||
# via redirection of standard out.
|
# via redirection of standard out.
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -250,11 +290,27 @@ tunable_policy(`fcron_crond', `
|
@@ -250,11 +291,27 @@ tunable_policy(`fcron_crond', `
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -33551,7 +33601,7 @@ index f7583ab..a4d25d9 100644
|
||||||
amanda_search_var_lib(crond_t)
|
amanda_search_var_lib(crond_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -264,6 +320,8 @@ optional_policy(`
|
@@ -264,6 +321,8 @@ optional_policy(`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
hal_dbus_chat(crond_t)
|
hal_dbus_chat(crond_t)
|
||||||
|
@ -33560,7 +33610,7 @@ index f7583ab..a4d25d9 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -286,15 +344,25 @@ optional_policy(`
|
@@ -286,15 +345,25 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -33586,7 +33636,7 @@ index f7583ab..a4d25d9 100644
|
||||||
allow system_cronjob_t self:process { signal_perms getsched setsched };
|
allow system_cronjob_t self:process { signal_perms getsched setsched };
|
||||||
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
|
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow system_cronjob_t self:passwd rootok;
|
allow system_cronjob_t self:passwd rootok;
|
||||||
@@ -306,10 +374,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
|
@@ -306,10 +375,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
|
||||||
|
|
||||||
# This is to handle /var/lib/misc directory. Used currently
|
# This is to handle /var/lib/misc directory. Used currently
|
||||||
# by prelink var/lib files for cron
|
# by prelink var/lib files for cron
|
||||||
|
@ -33607,7 +33657,7 @@ index f7583ab..a4d25d9 100644
|
||||||
# The entrypoint interface is not used as this is not
|
# The entrypoint interface is not used as this is not
|
||||||
# a regular entrypoint. Since crontab files are
|
# a regular entrypoint. Since crontab files are
|
||||||
# not directly executed, crond must ensure that
|
# not directly executed, crond must ensure that
|
||||||
@@ -329,6 +406,7 @@ allow crond_t system_cronjob_t:fd use;
|
@@ -329,6 +407,7 @@ allow crond_t system_cronjob_t:fd use;
|
||||||
allow system_cronjob_t crond_t:fd use;
|
allow system_cronjob_t crond_t:fd use;
|
||||||
allow system_cronjob_t crond_t:fifo_file rw_file_perms;
|
allow system_cronjob_t crond_t:fifo_file rw_file_perms;
|
||||||
allow system_cronjob_t crond_t:process sigchld;
|
allow system_cronjob_t crond_t:process sigchld;
|
||||||
|
@ -33615,7 +33665,7 @@ index f7583ab..a4d25d9 100644
|
||||||
|
|
||||||
# Write /var/lock/makewhatis.lock.
|
# Write /var/lock/makewhatis.lock.
|
||||||
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
|
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
|
||||||
@@ -340,9 +418,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
|
@@ -340,9 +419,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
|
||||||
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
|
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
|
||||||
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
|
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
|
||||||
|
|
||||||
|
@ -33630,7 +33680,7 @@ index f7583ab..a4d25d9 100644
|
||||||
|
|
||||||
kernel_read_kernel_sysctls(system_cronjob_t)
|
kernel_read_kernel_sysctls(system_cronjob_t)
|
||||||
kernel_read_system_state(system_cronjob_t)
|
kernel_read_system_state(system_cronjob_t)
|
||||||
@@ -365,6 +447,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
|
@@ -365,6 +448,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
|
||||||
dev_getattr_all_blk_files(system_cronjob_t)
|
dev_getattr_all_blk_files(system_cronjob_t)
|
||||||
dev_getattr_all_chr_files(system_cronjob_t)
|
dev_getattr_all_chr_files(system_cronjob_t)
|
||||||
dev_read_urand(system_cronjob_t)
|
dev_read_urand(system_cronjob_t)
|
||||||
|
@ -33638,7 +33688,7 @@ index f7583ab..a4d25d9 100644
|
||||||
|
|
||||||
fs_getattr_all_fs(system_cronjob_t)
|
fs_getattr_all_fs(system_cronjob_t)
|
||||||
fs_getattr_all_files(system_cronjob_t)
|
fs_getattr_all_files(system_cronjob_t)
|
||||||
@@ -391,6 +474,7 @@ files_dontaudit_search_pids(system_cronjob_t)
|
@@ -391,6 +475,7 @@ files_dontaudit_search_pids(system_cronjob_t)
|
||||||
# Access other spool directories like
|
# Access other spool directories like
|
||||||
# /var/spool/anacron and /var/spool/slrnpull.
|
# /var/spool/anacron and /var/spool/slrnpull.
|
||||||
files_manage_generic_spool(system_cronjob_t)
|
files_manage_generic_spool(system_cronjob_t)
|
||||||
|
@ -33646,7 +33696,7 @@ index f7583ab..a4d25d9 100644
|
||||||
|
|
||||||
init_use_script_fds(system_cronjob_t)
|
init_use_script_fds(system_cronjob_t)
|
||||||
init_read_utmp(system_cronjob_t)
|
init_read_utmp(system_cronjob_t)
|
||||||
@@ -413,8 +497,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
|
@@ -413,8 +498,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
|
||||||
|
|
||||||
seutil_read_config(system_cronjob_t)
|
seutil_read_config(system_cronjob_t)
|
||||||
|
|
||||||
|
@ -33658,7 +33708,7 @@ index f7583ab..a4d25d9 100644
|
||||||
# via redirection of standard out.
|
# via redirection of standard out.
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
rpm_manage_log(system_cronjob_t)
|
rpm_manage_log(system_cronjob_t)
|
||||||
@@ -439,6 +525,8 @@ optional_policy(`
|
@@ -439,6 +526,8 @@ optional_policy(`
|
||||||
apache_read_config(system_cronjob_t)
|
apache_read_config(system_cronjob_t)
|
||||||
apache_read_log(system_cronjob_t)
|
apache_read_log(system_cronjob_t)
|
||||||
apache_read_sys_content(system_cronjob_t)
|
apache_read_sys_content(system_cronjob_t)
|
||||||
|
@ -33667,7 +33717,7 @@ index f7583ab..a4d25d9 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -446,6 +534,14 @@ optional_policy(`
|
@@ -446,6 +535,14 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -33682,7 +33732,7 @@ index f7583ab..a4d25d9 100644
|
||||||
ftp_read_log(system_cronjob_t)
|
ftp_read_log(system_cronjob_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -456,6 +552,10 @@ optional_policy(`
|
@@ -456,6 +553,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -33693,7 +33743,7 @@ index f7583ab..a4d25d9 100644
|
||||||
lpd_list_spool(system_cronjob_t)
|
lpd_list_spool(system_cronjob_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -464,7 +564,9 @@ optional_policy(`
|
@@ -464,7 +565,9 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -33703,7 +33753,7 @@ index f7583ab..a4d25d9 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -472,6 +574,10 @@ optional_policy(`
|
@@ -472,6 +575,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -33714,7 +33764,7 @@ index f7583ab..a4d25d9 100644
|
||||||
postfix_read_config(system_cronjob_t)
|
postfix_read_config(system_cronjob_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -480,7 +586,7 @@ optional_policy(`
|
@@ -480,7 +587,7 @@ optional_policy(`
|
||||||
prelink_manage_lib(system_cronjob_t)
|
prelink_manage_lib(system_cronjob_t)
|
||||||
prelink_manage_log(system_cronjob_t)
|
prelink_manage_log(system_cronjob_t)
|
||||||
prelink_read_cache(system_cronjob_t)
|
prelink_read_cache(system_cronjob_t)
|
||||||
|
@ -33723,7 +33773,7 @@ index f7583ab..a4d25d9 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -495,6 +601,7 @@ optional_policy(`
|
@@ -495,6 +602,7 @@ optional_policy(`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
spamassassin_manage_lib_files(system_cronjob_t)
|
spamassassin_manage_lib_files(system_cronjob_t)
|
||||||
|
@ -33731,7 +33781,7 @@ index f7583ab..a4d25d9 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -502,7 +609,13 @@ optional_policy(`
|
@@ -502,7 +610,13 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -33745,7 +33795,7 @@ index f7583ab..a4d25d9 100644
|
||||||
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
|
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -595,9 +708,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
|
@@ -595,9 +709,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
|
||||||
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
|
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
|
||||||
|
|
||||||
list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
|
list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
|
||||||
|
@ -37431,7 +37481,7 @@ index bfc880b..9a1dcba 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
diff --git a/policy/modules/services/dovecot.if b/policy/modules/services/dovecot.if
|
diff --git a/policy/modules/services/dovecot.if b/policy/modules/services/dovecot.if
|
||||||
index e1d7dc5..0557be0 100644
|
index e1d7dc5..13e4800 100644
|
||||||
--- a/policy/modules/services/dovecot.if
|
--- a/policy/modules/services/dovecot.if
|
||||||
+++ b/policy/modules/services/dovecot.if
|
+++ b/policy/modules/services/dovecot.if
|
||||||
@@ -1,5 +1,24 @@
|
@@ -1,5 +1,24 @@
|
||||||
|
@ -37482,7 +37532,33 @@ index e1d7dc5..0557be0 100644
|
||||||
manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
|
manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
|
||||||
manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
|
manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
|
||||||
')
|
')
|
||||||
@@ -93,16 +113,17 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
|
@@ -74,6 +94,25 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
|
||||||
|
dontaudit $1 dovecot_var_lib_t:file unlink;
|
||||||
|
')
|
||||||
|
|
||||||
|
+######################################
|
||||||
|
+## <summary>
|
||||||
|
+## Allow attempts to write inherited
|
||||||
|
+## dovecot tmp files.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain to not audit.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`dovecot_write_inherited_tmp_files',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type dovecot_tmp_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 dovecot_tmp_t:file write;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## All of the rules required to administrate
|
||||||
|
@@ -93,16 +132,17 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
|
||||||
#
|
#
|
||||||
interface(`dovecot_admin',`
|
interface(`dovecot_admin',`
|
||||||
gen_require(`
|
gen_require(`
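Review bot: The `<param>` summary of the new `dovecot_write_inherited_tmp_files` interface reads `Domain to not audit.`, which is the dontaudit template wording, but the rule it documents is `allow $1 dovecot_tmp_t:file write;`; it should read `## Domain allowed access.`. The rule also permits write on any dovecot_tmp_t file the caller already has open, not only inherited ones — the "inherited" scope comes solely from omitting `open` — so a comment above the allow, `# write only, no open: usable only on descriptors inherited from dovecot`, would keep a later maintainer from "completing" it with rw_file_perms.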
|
||||||
|
@ -37507,7 +37583,7 @@ index e1d7dc5..0557be0 100644
|
||||||
|
|
||||||
init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
|
init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
|
||||||
domain_system_change_exemption($1)
|
domain_system_change_exemption($1)
|
||||||
@@ -112,8 +133,11 @@ interface(`dovecot_admin',`
|
@@ -112,8 +152,11 @@ interface(`dovecot_admin',`
|
||||||
files_list_etc($1)
|
files_list_etc($1)
|
||||||
admin_pattern($1, dovecot_etc_t)
|
admin_pattern($1, dovecot_etc_t)
|
||||||
|
|
||||||
|
@ -37521,7 +37597,7 @@ index e1d7dc5..0557be0 100644
|
||||||
|
|
||||||
files_list_spool($1)
|
files_list_spool($1)
|
||||||
admin_pattern($1, dovecot_spool_t)
|
admin_pattern($1, dovecot_spool_t)
|
||||||
@@ -121,6 +145,9 @@ interface(`dovecot_admin',`
|
@@ -121,6 +164,9 @@ interface(`dovecot_admin',`
|
||||||
files_list_var_lib($1)
|
files_list_var_lib($1)
|
||||||
admin_pattern($1, dovecot_var_lib_t)
|
admin_pattern($1, dovecot_var_lib_t)
|
||||||
|
|
||||||
|
@ -39585,24 +39661,31 @@ index 9d3201b..41c2c99 100644
|
||||||
+ ftp_systemctl($1)
|
+ ftp_systemctl($1)
|
||||||
')
|
')
|
||||||
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
|
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
|
||||||
index 8a74a83..6c4a30d 100644
|
index 8a74a83..84fe0c6 100644
|
||||||
--- a/policy/modules/services/ftp.te
|
--- a/policy/modules/services/ftp.te
|
||||||
+++ b/policy/modules/services/ftp.te
|
+++ b/policy/modules/services/ftp.te
|
||||||
@@ -40,6 +40,13 @@ gen_tunable(allow_ftpd_use_nfs, false)
|
@@ -40,6 +40,20 @@ gen_tunable(allow_ftpd_use_nfs, false)
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
+## Allow ftp servers to use connect to mysql database
|
+## Allow ftp servers to connect to mysql database ports
|
||||||
+## </p>
|
+## </p>
|
||||||
+## </desc>
|
+## </desc>
|
||||||
+gen_tunable(ftpd_connect_db, false)
|
+gen_tunable(ftpd_connect_db, false)
|
||||||
+
|
+
|
||||||
+## <desc>
|
+## <desc>
|
||||||
|
+## <p>
|
||||||
|
+## Allow ftp servers to connect to all ports > 1023
|
||||||
|
+## </p>
|
||||||
|
+## </desc>
|
||||||
|
+gen_tunable(ftpd_connect_all_unreserved, false)
|
||||||
|
+
|
||||||
|
+## <desc>
|
||||||
+## <p>
|
+## <p>
|
||||||
## Allow ftp to read and write files in the user home directories
|
## Allow ftp to read and write files in the user home directories
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
@@ -70,6 +77,14 @@ gen_tunable(sftpd_enable_homedirs, false)
|
@@ -70,6 +84,14 @@ gen_tunable(sftpd_enable_homedirs, false)
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(sftpd_full_access, false)
|
gen_tunable(sftpd_full_access, false)
|
||||||
|
|
||||||
|
@ -39617,7 +39700,7 @@ index 8a74a83..6c4a30d 100644
|
||||||
type anon_sftpd_t;
|
type anon_sftpd_t;
|
||||||
typealias anon_sftpd_t alias sftpd_anon_t;
|
typealias anon_sftpd_t alias sftpd_anon_t;
|
||||||
domain_type(anon_sftpd_t)
|
domain_type(anon_sftpd_t)
|
||||||
@@ -85,6 +100,9 @@ files_config_file(ftpd_etc_t)
|
@@ -85,6 +107,9 @@ files_config_file(ftpd_etc_t)
|
||||||
type ftpd_initrc_exec_t;
|
type ftpd_initrc_exec_t;
|
||||||
init_script_file(ftpd_initrc_exec_t)
|
init_script_file(ftpd_initrc_exec_t)
|
||||||
|
|
||||||
|
@ -39627,7 +39710,7 @@ index 8a74a83..6c4a30d 100644
|
||||||
type ftpd_lock_t;
|
type ftpd_lock_t;
|
||||||
files_lock_file(ftpd_lock_t)
|
files_lock_file(ftpd_lock_t)
|
||||||
|
|
||||||
@@ -115,6 +133,10 @@ ifdef(`enable_mcs',`
|
@@ -115,6 +140,10 @@ ifdef(`enable_mcs',`
|
||||||
init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
|
init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -39638,7 +39721,7 @@ index 8a74a83..6c4a30d 100644
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# anon-sftp local policy
|
# anon-sftp local policy
|
||||||
@@ -122,6 +144,7 @@ ifdef(`enable_mcs',`
|
@@ -122,6 +151,7 @@ ifdef(`enable_mcs',`
|
||||||
|
|
||||||
files_read_etc_files(anon_sftpd_t)
|
files_read_etc_files(anon_sftpd_t)
|
||||||
|
|
||||||
|
@ -39646,7 +39729,7 @@ index 8a74a83..6c4a30d 100644
|
||||||
miscfiles_read_public_files(anon_sftpd_t)
|
miscfiles_read_public_files(anon_sftpd_t)
|
||||||
|
|
||||||
tunable_policy(`sftpd_anon_write',`
|
tunable_policy(`sftpd_anon_write',`
|
||||||
@@ -133,7 +156,7 @@ tunable_policy(`sftpd_anon_write',`
|
@@ -133,7 +163,7 @@ tunable_policy(`sftpd_anon_write',`
|
||||||
# ftpd local policy
|
# ftpd local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
|
@ -39655,7 +39738,7 @@ index 8a74a83..6c4a30d 100644
|
||||||
dontaudit ftpd_t self:capability sys_tty_config;
|
dontaudit ftpd_t self:capability sys_tty_config;
|
||||||
allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
|
allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
|
||||||
allow ftpd_t self:fifo_file rw_fifo_file_perms;
|
allow ftpd_t self:fifo_file rw_fifo_file_perms;
|
||||||
@@ -151,7 +174,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
|
@@ -151,7 +181,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
|
||||||
|
|
||||||
manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
|
manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
|
||||||
manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
|
manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
|
||||||
|
@ -39663,7 +39746,7 @@ index 8a74a83..6c4a30d 100644
|
||||||
|
|
||||||
manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
|
manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
|
||||||
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
|
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
|
||||||
@@ -163,13 +185,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
|
@@ -163,13 +192,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
|
||||||
manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
|
manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
|
||||||
manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
|
manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
|
||||||
manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
|
manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
|
||||||
|
@ -39679,7 +39762,7 @@ index 8a74a83..6c4a30d 100644
|
||||||
|
|
||||||
# Create and modify /var/log/xferlog.
|
# Create and modify /var/log/xferlog.
|
||||||
manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
|
manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
|
||||||
@@ -196,9 +218,8 @@ corenet_tcp_bind_generic_node(ftpd_t)
|
@@ -196,9 +225,8 @@ corenet_tcp_bind_generic_node(ftpd_t)
|
||||||
corenet_tcp_bind_ftp_port(ftpd_t)
|
corenet_tcp_bind_ftp_port(ftpd_t)
|
||||||
corenet_tcp_bind_ftp_data_port(ftpd_t)
|
corenet_tcp_bind_ftp_data_port(ftpd_t)
|
||||||
corenet_tcp_bind_generic_port(ftpd_t)
|
corenet_tcp_bind_generic_port(ftpd_t)
|
||||||
|
@ -39691,7 +39774,7 @@ index 8a74a83..6c4a30d 100644
|
||||||
corenet_sendrecv_ftp_server_packets(ftpd_t)
|
corenet_sendrecv_ftp_server_packets(ftpd_t)
|
||||||
|
|
||||||
domain_use_interactive_fds(ftpd_t)
|
domain_use_interactive_fds(ftpd_t)
|
||||||
@@ -212,13 +233,11 @@ fs_search_auto_mountpoints(ftpd_t)
|
@@ -212,13 +240,11 @@ fs_search_auto_mountpoints(ftpd_t)
|
||||||
fs_getattr_all_fs(ftpd_t)
|
fs_getattr_all_fs(ftpd_t)
|
||||||
fs_search_fusefs(ftpd_t)
|
fs_search_fusefs(ftpd_t)
|
||||||
|
|
||||||
|
@ -39707,16 +39790,20 @@ index 8a74a83..6c4a30d 100644
|
||||||
|
|
||||||
init_rw_utmp(ftpd_t)
|
init_rw_utmp(ftpd_t)
|
||||||
|
|
||||||
@@ -261,7 +280,7 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
|
@@ -261,7 +287,11 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
|
||||||
|
|
||||||
tunable_policy(`allow_ftpd_full_access',`
|
tunable_policy(`allow_ftpd_full_access',`
|
||||||
allow ftpd_t self:capability { dac_override dac_read_search };
|
allow ftpd_t self:capability { dac_override dac_read_search };
|
||||||
- auth_manage_all_files_except_shadow(ftpd_t)
|
- auth_manage_all_files_except_shadow(ftpd_t)
|
||||||
+ files_manage_non_security_files(ftpd_t)
|
+ files_manage_non_security_files(ftpd_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+tunable_policy(`ftpd_connect_all_unreserved',`
|
||||||
|
+ corenet_tcp_connect_all_unreserved_ports(ftpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`ftp_home_dir',`
|
tunable_policy(`ftp_home_dir',`
|
||||||
@@ -270,10 +289,13 @@ tunable_policy(`ftp_home_dir',`
|
@@ -270,10 +300,13 @@ tunable_policy(`ftp_home_dir',`
|
||||||
# allow access to /home
|
# allow access to /home
|
||||||
files_list_home(ftpd_t)
|
files_list_home(ftpd_t)
|
||||||
userdom_read_user_home_content_files(ftpd_t)
|
userdom_read_user_home_content_files(ftpd_t)
|
||||||
|
@ -39734,7 +39821,7 @@ index 8a74a83..6c4a30d 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
|
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
|
||||||
@@ -309,6 +331,10 @@ optional_policy(`
|
@@ -309,6 +342,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -39745,7 +39832,7 @@ index 8a74a83..6c4a30d 100644
|
||||||
selinux_validate_context(ftpd_t)
|
selinux_validate_context(ftpd_t)
|
||||||
|
|
||||||
kerberos_keytab_template(ftpd, ftpd_t)
|
kerberos_keytab_template(ftpd, ftpd_t)
|
||||||
@@ -316,6 +342,25 @@ optional_policy(`
|
@@ -316,6 +353,25 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -39771,7 +39858,7 @@ index 8a74a83..6c4a30d 100644
|
||||||
inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)
|
inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -347,16 +392,17 @@ optional_policy(`
|
@@ -347,16 +403,17 @@ optional_policy(`
|
||||||
|
|
||||||
# Allow ftpdctl to talk to ftpd over a socket connection
|
# Allow ftpdctl to talk to ftpd over a socket connection
|
||||||
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
|
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
|
||||||
|
@ -39791,7 +39878,7 @@ index 8a74a83..6c4a30d 100644
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@@ -365,18 +411,33 @@ userdom_use_user_terminals(ftpdctl_t)
|
@@ -365,18 +422,33 @@ userdom_use_user_terminals(ftpdctl_t)
|
||||||
|
|
||||||
files_read_etc_files(sftpd_t)
|
files_read_etc_files(sftpd_t)
|
||||||
|
|
||||||
|
@ -39828,7 +39915,7 @@ index 8a74a83..6c4a30d 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
|
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
|
||||||
@@ -394,19 +455,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
|
@@ -394,19 +466,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
|
||||||
tunable_policy(`sftpd_full_access',`
|
tunable_policy(`sftpd_full_access',`
|
||||||
allow sftpd_t self:capability { dac_override dac_read_search };
|
allow sftpd_t self:capability { dac_override dac_read_search };
|
||||||
fs_read_noxattr_fs_files(sftpd_t)
|
fs_read_noxattr_fs_files(sftpd_t)
|
||||||
|
@ -52606,7 +52693,7 @@ index 46bee12..1fbe0fa 100644
|
||||||
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
|
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
|
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
|
||||||
index a32c4b3..c24aed3 100644
|
index a32c4b3..dda5b86 100644
|
||||||
--- a/policy/modules/services/postfix.te
|
--- a/policy/modules/services/postfix.te
|
||||||
+++ b/policy/modules/services/postfix.te
|
+++ b/policy/modules/services/postfix.te
|
||||||
@@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1)
|
@@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1)
|
||||||
|
@ -52986,19 +53073,20 @@ index a32c4b3..c24aed3 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -599,6 +689,11 @@ optional_policy(`
|
@@ -599,6 +689,12 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
+ milter_stream_connect_all(postfix_smtpd_t)
|
+ milter_stream_connect_all(postfix_smtpd_t)
|
||||||
+ spamassassin_read_pid_files(postfix_smtpd_t)
|
+ spamassassin_read_pid_files(postfix_smtpd_t)
|
||||||
|
+ spamd_stream_connect(postfix_smtpd_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
postgrey_stream_connect(postfix_smtpd_t)
|
postgrey_stream_connect(postfix_smtpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -611,7 +706,6 @@ optional_policy(`
|
@@ -611,7 +707,6 @@ optional_policy(`
|
||||||
# Postfix virtual local policy
|
# Postfix virtual local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
|
@ -53006,7 +53094,7 @@ index a32c4b3..c24aed3 100644
|
||||||
allow postfix_virtual_t self:process { setsched setrlimit };
|
allow postfix_virtual_t self:process { setsched setrlimit };
|
||||||
|
|
||||||
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
|
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
|
||||||
@@ -630,3 +724,8 @@ mta_delete_spool(postfix_virtual_t)
|
@@ -630,3 +725,8 @@ mta_delete_spool(postfix_virtual_t)
|
||||||
# For reading spamassasin
|
# For reading spamassasin
|
||||||
mta_read_config(postfix_virtual_t)
|
mta_read_config(postfix_virtual_t)
|
||||||
mta_manage_spool(postfix_virtual_t)
|
mta_manage_spool(postfix_virtual_t)
|
||||||
|
@ -58747,10 +58835,19 @@ index d6d76e1..9cb5e25 100644
|
||||||
+ nis_use_ypbind(rpcbind_t)
|
+ nis_use_ypbind(rpcbind_t)
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te
|
diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te
|
||||||
index 0b405d1..cdf9184 100644
|
index 0b405d1..e91eb53 100644
|
||||||
--- a/policy/modules/services/rshd.te
|
--- a/policy/modules/services/rshd.te
|
||||||
+++ b/policy/modules/services/rshd.te
|
+++ b/policy/modules/services/rshd.te
|
||||||
@@ -66,16 +66,9 @@ seutil_read_config(rshd_t)
|
@@ -39,6 +39,8 @@ corenet_sendrecv_rsh_server_packets(rshd_t)
|
||||||
|
|
||||||
|
dev_read_urand(rshd_t)
|
||||||
|
|
||||||
|
+domain_interactive_fd(rshd_t)
|
||||||
|
+
|
||||||
|
selinux_get_fs_mount(rshd_t)
|
||||||
|
selinux_validate_context(rshd_t)
|
||||||
|
selinux_compute_access_vector(rshd_t)
|
||||||
|
@@ -66,16 +68,9 @@ seutil_read_config(rshd_t)
|
||||||
seutil_read_default_contexts(rshd_t)
|
seutil_read_default_contexts(rshd_t)
|
||||||
|
|
||||||
userdom_search_user_home_content(rshd_t)
|
userdom_search_user_home_content(rshd_t)
|
||||||
|
@ -60460,7 +60557,7 @@ index 7e94c7c..ca74cd9 100644
|
||||||
+ admin_pattern($1, mail_spool_t)
|
+ admin_pattern($1, mail_spool_t)
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
|
diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
|
||||||
index 22dac1f..1c27bd6 100644
|
index 22dac1f..75081a5 100644
|
||||||
--- a/policy/modules/services/sendmail.te
|
--- a/policy/modules/services/sendmail.te
|
||||||
+++ b/policy/modules/services/sendmail.te
|
+++ b/policy/modules/services/sendmail.te
|
||||||
@@ -19,9 +19,8 @@ mta_sendmail_mailserver(sendmail_t)
|
@@ -19,9 +19,8 @@ mta_sendmail_mailserver(sendmail_t)
|
||||||
|
@ -60499,9 +60596,14 @@ index 22dac1f..1c27bd6 100644
|
||||||
|
|
||||||
mta_read_config(sendmail_t)
|
mta_read_config(sendmail_t)
|
||||||
mta_etc_filetrans_aliases(sendmail_t)
|
mta_etc_filetrans_aliases(sendmail_t)
|
||||||
@@ -129,6 +130,9 @@ optional_policy(`
|
@@ -128,7 +129,14 @@ optional_policy(`
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
+ dovecot_write_inherited_tmp_files(sendmail_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
exim_domtrans(sendmail_t)
|
exim_domtrans(sendmail_t)
|
||||||
+ exim_manage_spool_files(sendmail_t)
|
+ exim_manage_spool_files(sendmail_t)
|
||||||
+ exim_manage_spool_dirs(sendmail_t)
|
+ exim_manage_spool_dirs(sendmail_t)
|
||||||
|
@ -60509,7 +60611,7 @@ index 22dac1f..1c27bd6 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -149,7 +153,9 @@ optional_policy(`
|
@@ -149,7 +157,9 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -60519,7 +60621,7 @@ index 22dac1f..1c27bd6 100644
|
||||||
postfix_read_config(sendmail_t)
|
postfix_read_config(sendmail_t)
|
||||||
postfix_search_spool(sendmail_t)
|
postfix_search_spool(sendmail_t)
|
||||||
')
|
')
|
||||||
@@ -168,20 +174,13 @@ optional_policy(`
|
@@ -168,20 +178,13 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -70043,7 +70145,7 @@ index c6fdab7..41198a4 100644
|
||||||
cron_sigchld(application_domain_type)
|
cron_sigchld(application_domain_type)
|
||||||
')
|
')
|
||||||
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
|
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
|
||||||
index 28ad538..7a39e35 100644
|
index 28ad538..29f3011 100644
|
||||||
--- a/policy/modules/system/authlogin.fc
|
--- a/policy/modules/system/authlogin.fc
|
||||||
+++ b/policy/modules/system/authlogin.fc
|
+++ b/policy/modules/system/authlogin.fc
|
||||||
@@ -1,3 +1,5 @@
|
@@ -1,3 +1,5 @@
|
||||||
|
@ -70099,7 +70201,16 @@ index 28ad538..7a39e35 100644
|
||||||
|
|
||||||
/var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0)
|
/var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0)
|
||||||
/var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
|
/var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
|
||||||
@@ -45,5 +63,4 @@ ifdef(`distro_gentoo', `
|
@@ -39,11 +57,13 @@ ifdef(`distro_gentoo', `
|
||||||
|
/var/log/tallylog -- gen_context(system_u:object_r:faillog_t,s0)
|
||||||
|
/var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0)
|
||||||
|
|
||||||
|
+/var/lib/rsa(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
|
||||||
|
+/var/rsa(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
|
||||||
|
+
|
||||||
|
/var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0)
|
||||||
|
/var/run/faillock(/.*)? gen_context(system_u:object_r:faillog_t,s0)
|
||||||
|
/var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
|
||||||
/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
|
/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
|
||||||
/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
|
/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
|
||||||
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
|
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
|
||||||
|
|
|
@ -16,7 +16,7 @@
|
||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.10.0
|
Version: 3.10.0
|
||||||
Release: 75%{?dist}
|
Release: 76%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
|
@ -471,6 +471,15 @@ SELinux Reference policy mls base module.
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Jan 20 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-76
|
||||||
|
- Setup labeling of /var/rsa and /var/lib/rsa to allow login programs to write there
|
||||||
|
- bluetooth says they do not use /tmp and want to remove the type
|
||||||
|
- Allow init to transition to colord
|
||||||
|
- Mongod needs to read /proc/sys/vm/zone_reclaim_mode
|
||||||
|
- Allow postfix_smtpd_t to connect to spamd
|
||||||
|
- Add boolean to allow ftp to connect to all ports > 1023
|
||||||
|
- Allow sendmain to write to inherited dovecot tmp files
|
||||||
|
|
||||||
* Mon Jan 16 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-75
|
* Mon Jan 16 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-75
|
||||||
- Merge systemd patch
|
- Merge systemd patch
|
||||||
- systemd-tmpfiles wants to relabel /sys/devices/system/cpu/online
|
- systemd-tmpfiles wants to relabel /sys/devices/system/cpu/online
|
||||||
|
|