Fix typo in virt.te
This commit is contained in:
parent
46a9c6067c
commit
e1fa9080b6
@ -71841,7 +71841,7 @@ index 7be4ddf..f7021a0 100644
|
|||||||
+
|
+
|
||||||
+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)
|
+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)
|
||||||
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
|
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
|
||||||
index 4bf45cb..30e39df 100644
|
index 4bf45cb..e9855e0 100644
|
||||||
--- a/policy/modules/kernel/kernel.if
|
--- a/policy/modules/kernel/kernel.if
|
||||||
+++ b/policy/modules/kernel/kernel.if
|
+++ b/policy/modules/kernel/kernel.if
|
||||||
@@ -267,7 +267,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
|
@@ -267,7 +267,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
|
||||||
@ -72065,7 +72065,7 @@ index 4bf45cb..30e39df 100644
|
|||||||
## Unconfined access to kernel module resources.
|
## Unconfined access to kernel module resources.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -2956,5 +3092,79 @@ interface(`kernel_unconfined',`
|
@@ -2956,5 +3092,98 @@ interface(`kernel_unconfined',`
|
||||||
')
|
')
|
||||||
|
|
||||||
typeattribute $1 kern_unconfined;
|
typeattribute $1 kern_unconfined;
|
||||||
@ -72111,6 +72111,25 @@ index 4bf45cb..30e39df 100644
|
|||||||
+ allow $1 kernel_t:unix_stream_socket { read getattr };
|
+ allow $1 kernel_t:unix_stream_socket { read getattr };
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
+#######################################
|
||||||
|
+## <summary>
|
||||||
|
+## Allow the specified domain to write on
|
||||||
|
+## the kernel with a unix socket.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`kernel_stream_write',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type kernel_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 kernel_t:unix_stream_socket { write getattr };
|
||||||
|
+')
|
||||||
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Make the specified type usable for regular entries in proc
|
+## Make the specified type usable for regular entries in proc
|
||||||
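Review bot: The new `kernel_stream_write` interface hands `write getattr` on `kernel_t:unix_stream_socket` to any caller, and its only caller in this commit, `syslogd_t` in logging.te, receives it right after `kernel_stream_read(syslogd_t)` with no comment recording why a log daemon needs write access to a kernel-owned stream socket; the commit title ("Fix typo in virt.te") does not mention this part of the change either, so the justification is lost. I would add a why-comment next to the grant in logging.te, e.g. `# kernel_t unix stream sockets: needed for <reason> -- TODO confirm against the AVC denial that motivated this`, and put the same reason in the commit message. The interface summary also reads awkwardly; `## Allow the specified domain to write to kernel unix stream sockets.` would match the `kernel_rw_unix_dgram_sockets` wording used elsewhere in kernel.if. If the write access is only needed together with the read access, a single `{ read write getattr }` interface would keep the grant and its rationale in one place, though I cannot tell from the hunk whether other callers need only one direction.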
@ -85652,7 +85671,7 @@ index 321bb13..e7fd936 100644
|
|||||||
+ init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal")
|
+ init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal")
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
|
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
|
||||||
index 0034021..a684b91 100644
|
index 0034021..ca33705 100644
|
||||||
--- a/policy/modules/system/logging.te
|
--- a/policy/modules/system/logging.te
|
||||||
+++ b/policy/modules/system/logging.te
|
+++ b/policy/modules/system/logging.te
|
||||||
@@ -5,6 +5,20 @@ policy_module(logging, 1.19.0)
|
@@ -5,6 +5,20 @@ policy_module(logging, 1.19.0)
|
||||||
@ -85839,7 +85858,7 @@ index 0034021..a684b91 100644
|
|||||||
|
|
||||||
# Allow access for syslog-ng
|
# Allow access for syslog-ng
|
||||||
allow syslogd_t var_log_t:dir { create setattr };
|
allow syslogd_t var_log_t:dir { create setattr };
|
||||||
@@ -386,13 +430,20 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
|
@@ -386,13 +430,21 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
|
||||||
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
|
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
|
||||||
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
|
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
|
||||||
|
|
||||||
@ -85857,10 +85876,11 @@ index 0034021..a684b91 100644
|
|||||||
files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
|
files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
|
||||||
|
|
||||||
+kernel_stream_read(syslogd_t)
|
+kernel_stream_read(syslogd_t)
|
||||||
|
+kernel_stream_write(syslogd_t)
|
||||||
kernel_read_system_state(syslogd_t)
|
kernel_read_system_state(syslogd_t)
|
||||||
kernel_read_kernel_sysctls(syslogd_t)
|
kernel_read_kernel_sysctls(syslogd_t)
|
||||||
kernel_read_proc_symlinks(syslogd_t)
|
kernel_read_proc_symlinks(syslogd_t)
|
||||||
@@ -401,7 +452,10 @@ kernel_read_messages(syslogd_t)
|
@@ -401,7 +453,10 @@ kernel_read_messages(syslogd_t)
|
||||||
kernel_clear_ring_buffer(syslogd_t)
|
kernel_clear_ring_buffer(syslogd_t)
|
||||||
kernel_change_ring_buffer_level(syslogd_t)
|
kernel_change_ring_buffer_level(syslogd_t)
|
||||||
|
|
||||||
@ -85872,7 +85892,7 @@ index 0034021..a684b91 100644
|
|||||||
corenet_all_recvfrom_netlabel(syslogd_t)
|
corenet_all_recvfrom_netlabel(syslogd_t)
|
||||||
corenet_udp_sendrecv_generic_if(syslogd_t)
|
corenet_udp_sendrecv_generic_if(syslogd_t)
|
||||||
corenet_udp_sendrecv_generic_node(syslogd_t)
|
corenet_udp_sendrecv_generic_node(syslogd_t)
|
||||||
@@ -427,10 +481,27 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
|
@@ -427,10 +482,27 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
|
||||||
corenet_sendrecv_postgresql_client_packets(syslogd_t)
|
corenet_sendrecv_postgresql_client_packets(syslogd_t)
|
||||||
corenet_sendrecv_mysqld_client_packets(syslogd_t)
|
corenet_sendrecv_mysqld_client_packets(syslogd_t)
|
||||||
|
|
||||||
@ -85900,7 +85920,7 @@ index 0034021..a684b91 100644
|
|||||||
|
|
||||||
files_read_etc_files(syslogd_t)
|
files_read_etc_files(syslogd_t)
|
||||||
files_read_usr_files(syslogd_t)
|
files_read_usr_files(syslogd_t)
|
||||||
@@ -448,7 +519,9 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and
|
@@ -448,7 +520,9 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and
|
||||||
term_write_console(syslogd_t)
|
term_write_console(syslogd_t)
|
||||||
# Allow syslog to a terminal
|
# Allow syslog to a terminal
|
||||||
term_write_unallocated_ttys(syslogd_t)
|
term_write_unallocated_ttys(syslogd_t)
|
||||||
@ -85910,7 +85930,7 @@ index 0034021..a684b91 100644
|
|||||||
# for sending messages to logged in users
|
# for sending messages to logged in users
|
||||||
init_read_utmp(syslogd_t)
|
init_read_utmp(syslogd_t)
|
||||||
init_dontaudit_write_utmp(syslogd_t)
|
init_dontaudit_write_utmp(syslogd_t)
|
||||||
@@ -460,6 +533,7 @@ init_use_fds(syslogd_t)
|
@@ -460,6 +534,7 @@ init_use_fds(syslogd_t)
|
||||||
|
|
||||||
# cjp: this doesnt make sense
|
# cjp: this doesnt make sense
|
||||||
logging_send_syslog_msg(syslogd_t)
|
logging_send_syslog_msg(syslogd_t)
|
||||||
@ -85918,7 +85938,7 @@ index 0034021..a684b91 100644
|
|||||||
|
|
||||||
miscfiles_read_localization(syslogd_t)
|
miscfiles_read_localization(syslogd_t)
|
||||||
|
|
||||||
@@ -493,15 +567,29 @@ optional_policy(`
|
@@ -493,15 +568,29 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -61651,7 +61651,7 @@ index 6f0736b..2d43a63 100644
|
|||||||
+ allow svirt_lxc_domain $1:process sigchld;
|
+ allow svirt_lxc_domain $1:process sigchld;
|
||||||
')
|
')
|
||||||
diff --git a/virt.te b/virt.te
|
diff --git a/virt.te b/virt.te
|
||||||
index 947bbc6..274140a 100644
|
index 947bbc6..b9f5601 100644
|
||||||
--- a/virt.te
|
--- a/virt.te
|
||||||
+++ b/virt.te
|
+++ b/virt.te
|
||||||
@@ -5,56 +5,87 @@ policy_module(virt, 1.5.0)
|
@@ -5,56 +5,87 @@ policy_module(virt, 1.5.0)
|
||||||
@ -62341,7 +62341,7 @@ index 947bbc6..274140a 100644
|
|||||||
+manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
+manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||||
+manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
+manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||||
+manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
+manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||||
+virt_transition_svirt_lxc(virsh_t)
|
+virt_transition_svirt_lxc(virsh_t, system_r)
|
||||||
+
|
+
|
||||||
+dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms;
|
+dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms;
|
||||||
+
|
+
|
||||||
|