* Mon Jul 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-138
- Add fixes for selinux-policy packages to reflect the latest changes related to policy module store migration. - Prepare selinux-policy package for SELinux store migration - gnome_dontaudit_search_config() needs to be a part of optional_policy in pegasus.te - Allow glusterd to manage nfsd and rpcd services. - Allow smbd_t and nmbd_t to manage winbind_var_run_t files/sockets/dirs. - Add samba_manage_winbind_pid() interface - Allow networkmanager to communicate via dbus with systemd_hostnamed. - Allow logrotate to stream connect to prosody. - Add prosody_stream_connect() interface. - httpd should be able to send signal/signull to httpd_suexec_t, instead of httpd_suexec_exec_t. - Allow prosody to create its own tmp files/dirs. - Allow keepalived to request kernel module loading - kadmind should not read generic files in /usr - Allow kadmind_t access to /etc/krb5.keytab - Add more fixes to kerberos.te - Add labeling for /var/tmp/kadmin_0 and /var/tmp/kiprop_0 - Add lsmd_t to nsswitch_domain. - Allow pegasus_openlmi_storage_t to create the mdadm.conf.anacbak file in /etc. - Add fixes to pegasus_openlmi_domain - Allow Glance Scrubber to connect to the commplex_main port - Allow RabbitMQ to connect to the amqp port - Allow isnsd read access to the file /proc/net/unix - Allow qpidd access to /proc/<pid>/net/psched - Allow openshift_initrc_t to communicate with firewalld over dbus. - Allow ctdbd_t to send signull to samba_unconfined_net_t. - Add samba_signull_unconfined_net() - Add samba_signull_winbind() - Revert "Add interfaces winbind_signull(), samba_unconfined_net_signull()." - Fix ctdb policy - Label /var/db/ as system_db_t.
parent
57b06e2ca9
commit
e5e6b1ee54
@ -9698,7 +9698,7 @@ index cf04cb5..ed54d58 100644
|
||||
+ unconfined_server_stream_connect(domain)
|
||||
+')
|
||||
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
|
||||
index b876c48..6bfb954 100644
|
||||
index b876c48..a351aff 100644
|
||||
--- a/policy/modules/kernel/files.fc
|
||||
+++ b/policy/modules/kernel/files.fc
|
||||
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
|
||||
@ -9908,7 +9908,7 @@ index b876c48..6bfb954 100644
|
||||
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
|
||||
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
|
||||
')
|
||||
@@ -229,7 +243,7 @@ ifndef(`distro_redhat',`
|
||||
@@ -229,19 +243,34 @@ ifndef(`distro_redhat',`
|
||||
#
|
||||
# /var
|
||||
#
|
||||
@ -9917,7 +9917,8 @@ index b876c48..6bfb954 100644
|
||||
/var/.* gen_context(system_u:object_r:var_t,s0)
|
||||
/var/\.journal <<none>>
|
||||
|
||||
@@ -237,11 +251,25 @@ ifndef(`distro_redhat',`
|
||||
+/var/db(/.*)? gen_context(system_u:object_r:system_db_t,s0)
|
||||
/var/db/.*\.db -- gen_context(system_u:object_r:etc_t,s0)
|
||||
|
||||
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
|
||||
|
||||
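Review bot: The new `/var/db(/.*)? gen_context(system_u:object_r:system_db_t,s0)` entry is immediately followed by the existing `/var/db/.*\.db -- gen_context(system_u:object_r:etc_t,s0)`, and as far as I understand file_contexts precedence the later entry with the same stem wins, so `*.db` files under /var/db keep etc_t while the directory and everything else in it becomes system_db_t. If the changelog's "Label /var/db/ as system_db_t" is meant to cover those database files too, the etc_t line needs to be dropped or re-examined in the same change. If the split is intended, a short comment above the pair such as `# *.db files under /var/db intentionally stay etc_t` would save the next reader the same question.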
@ -9944,7 +9945,7 @@ index b876c48..6bfb954 100644
|
||||
|
||||
/var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
|
||||
/var/log/lost\+found/.* <<none>>
|
||||
@@ -256,12 +284,14 @@ ifndef(`distro_redhat',`
|
||||
@@ -256,12 +285,14 @@ ifndef(`distro_redhat',`
|
||||
/var/run -l gen_context(system_u:object_r:var_run_t,s0)
|
||||
/var/run/.* gen_context(system_u:object_r:var_run_t,s0)
|
||||
/var/run/.*\.*pid <<none>>
|
||||
@ -9959,7 +9960,7 @@ index b876c48..6bfb954 100644
|
||||
/var/tmp/.* <<none>>
|
||||
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
|
||||
/var/tmp/lost\+found/.* <<none>>
|
||||
@@ -271,3 +301,5 @@ ifdef(`distro_debian',`
|
||||
@@ -271,3 +302,5 @@ ifdef(`distro_debian',`
|
||||
/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
|
||||
/var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)
|
||||
')
|
||||
|
@ -5208,7 +5208,7 @@ index f6eb485..164501c 100644
|
||||
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
|
||||
')
|
||||
diff --git a/apache.te b/apache.te
|
||||
index 6649962..4516b9a 100644
|
||||
index 6649962..e98b712 100644
|
||||
--- a/apache.te
|
||||
+++ b/apache.te
|
||||
@@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
|
||||
@ -5896,7 +5896,7 @@ index 6649962..4516b9a 100644
|
||||
logging_log_filetrans(httpd_t, httpd_log_t, file)
|
||||
|
||||
allow httpd_t httpd_modules_t:dir list_dir_perms;
|
||||
@@ -412,14 +529,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
||||
@@ -412,13 +529,20 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
||||
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
||||
read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
||||
|
||||
@ -5908,16 +5908,16 @@ index 6649962..4516b9a 100644
|
||||
manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
|
||||
manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
|
||||
|
||||
+allow httpd_t httpd_suexec_exec_t:process { signal signull };
|
||||
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
|
||||
|
||||
-allow httpd_t httpd_suexec_exec_t:file read_file_perms;
|
||||
+allow httpd_t httpd_suexec_t:process { signal signull };
|
||||
+allow httpd_t httpd_suexec_t:file read_file_perms;
|
||||
+
|
||||
+allow httpd_t httpd_sys_content_t:dir list_dir_perms;
|
||||
+read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
|
||||
+read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
|
||||
+
|
||||
|
||||
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
|
||||
|
||||
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
||||
@@ -450,140 +574,174 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
||||
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
||||
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
||||
@ -19712,7 +19712,7 @@ index b25b01d..6b7d687 100644
|
||||
')
|
||||
+
|
||||
diff --git a/ctdb.te b/ctdb.te
|
||||
index 001b502..28bb02c 100644
|
||||
index 001b502..4a84c8b 100644
|
||||
--- a/ctdb.te
|
||||
+++ b/ctdb.te
|
||||
@@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t)
|
||||
@ -19799,17 +19799,20 @@ index 001b502..28bb02c 100644
|
||||
optional_policy(`
|
||||
consoletype_exec(ctdbd_t)
|
||||
')
|
||||
@@ -106,9 +129,13 @@ optional_policy(`
|
||||
@@ -106,9 +129,16 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ samba_winbind_signull(ctdbd_t)
|
||||
+ samba_unconfined_net_signull(ctdbd_t)
|
||||
+ samba_signull_smbd(ctdbd_t)
|
||||
samba_initrc_domtrans(ctdbd_t)
|
||||
samba_domtrans_net(ctdbd_t)
|
||||
samba_rw_var_files(ctdbd_t)
|
||||
+ samba_systemctl(ctdbd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ samba_signull_winbind(ctdbd_t)
|
||||
+ samba_signull_unconfined_net(ctdbd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
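Review bot: The new optional_policy block holding `samba_signull_winbind(ctdbd_t)` and `samba_signull_unconfined_net(ctdbd_t)` depends on the same samba module as the block directly above it (`samba_initrc_domtrans`, `samba_systemctl`, ...), so the separate block adds no extra conditionality, only a second block to keep in sync. Unless the split is there to ease rebasing the patch, the two calls could simply be appended to the existing block. The changelog also records a revert of the differently named `winbind_signull`/`samba_unconfined_net_signull` pair, so it is worth checking that no caller of the old names survives elsewhere in the patch.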
@ -30297,7 +30300,7 @@ index 9eacb2c..7b19ad2 100644
|
||||
init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
|
||||
domain_system_change_exemption($1)
|
||||
diff --git a/glance.te b/glance.te
|
||||
index 5cd0909..cdba87f 100644
|
||||
index 5cd0909..bd3c3d2 100644
|
||||
--- a/glance.te
|
||||
+++ b/glance.te
|
||||
@@ -5,10 +5,31 @@ policy_module(glance, 1.1.0)
|
||||
@ -30432,7 +30435,7 @@ index 5cd0909..cdba87f 100644
|
||||
|
||||
logging_send_syslog_msg(glance_registry_t)
|
||||
|
||||
@@ -108,13 +157,37 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
|
||||
@@ -108,13 +157,38 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
|
||||
files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
|
||||
can_exec(glance_api_t, glance_tmp_t)
|
||||
|
||||
@ -30474,6 +30477,7 @@ index 5cd0909..cdba87f 100644
|
||||
+# Scrubber local policy
|
||||
+#
|
||||
+
|
||||
+corenet_tcp_connect_commplex_main_port(glance_scrubber_t)
|
||||
+corenet_tcp_connect_glance_registry_port(glance_scrubber_t)
|
||||
diff --git a/glusterd.fc b/glusterd.fc
|
||||
new file mode 100644
|
||||
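Review bot: `corenet_tcp_connect_commplex_main_port(glance_scrubber_t)` names the port only by its generic corenetwork alias, which says nothing about why the scrubber needs it, and the changelog just repeats the alias. A why-comment above the line, e.g. `# the scrubber talks to glance-api, which listens on the commplex_main port`, would let the next reader judge whether the grant is still needed if the API port assignment changes. I am inferring the glance-api connection from the registry-port line that follows it, so confirm the actual peer before wording the comment.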
@ -30750,10 +30754,10 @@ index 0000000..fc9bf19
|
||||
+
|
||||
diff --git a/glusterd.te b/glusterd.te
|
||||
new file mode 100644
|
||||
index 0000000..918eb52
|
||||
index 0000000..bd8ad23
|
||||
--- /dev/null
|
||||
+++ b/glusterd.te
|
||||
@@ -0,0 +1,277 @@
|
||||
@@ -0,0 +1,286 @@
|
||||
+policy_module(glusterfs, 1.1.2)
|
||||
+
|
||||
+## <desc>
|
||||
@ -31023,6 +31027,15 @@ index 0000000..918eb52
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ rpc_systemctl_nfsd(glusterd_t)
|
||||
+ rpc_systemctl_rpcd(glusterd_t)
|
||||
+
|
||||
+ rpc_domtrans_nfsd(glusterd_t)
|
||||
+ rpc_domtrans_rpcd(glusterd_t)
|
||||
+ rpc_manage_nfs_state_data(glusterd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ rhcs_dbus_chat_cluster(glusterd_t)
|
||||
+ rhcs_domtrans_cluster(glusterd_t)
|
||||
+ rhcs_systemctl_cluster(glusterd_t)
|
||||
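Review bot: The new optional_policy block gives glusterd_t both systemctl control over nfsd and rpcd (`rpc_systemctl_nfsd`/`rpc_systemctl_rpcd`) and direct domain transitions into them (`rpc_domtrans_nfsd`/`rpc_domtrans_rpcd`), on top of `rpc_manage_nfs_state_data`. If glusterd only starts and stops the services through systemd, the two domtrans lines widen what the daemon can do for no gain; if it really execs the binaries itself, a one-line comment naming the path that does so (presumably a gluster NFS helper script) would explain why both forms are needed. The enclosing file is new in this patch and its body continues beyond the hunk.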
@ -37266,7 +37279,7 @@ index ca020fa..d4ed777 100644
|
||||
+ kdump_rw_inherited_kdumpctl_tmp_pipes(iscsid_t)
|
||||
+')
|
||||
diff --git a/isns.te b/isns.te
|
||||
index bc11034..07e6310 100644
|
||||
index bc11034..183c526 100644
|
||||
--- a/isns.te
|
||||
+++ b/isns.te
|
||||
@@ -26,6 +26,7 @@ files_pid_file(isnsd_var_run_t)
|
||||
@ -37277,7 +37290,17 @@ index bc11034..07e6310 100644
|
||||
allow isnsd_t self:udp_socket { accept listen };
|
||||
allow isnsd_t self:unix_stream_socket { accept listen };
|
||||
|
||||
@@ -46,10 +47,6 @@ corenet_tcp_bind_generic_node(isnsd_t)
|
||||
@@ -37,6 +38,9 @@ manage_sock_files_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t)
|
||||
manage_files_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t)
|
||||
files_pid_filetrans(isnsd_t, isnsd_var_run_t, { file sock_file })
|
||||
|
||||
+kernel_read_system_state(isnsd_t)
|
||||
+kernel_read_network_state(isnsd_t)
|
||||
+
|
||||
corenet_all_recvfrom_unlabeled(isnsd_t)
|
||||
corenet_all_recvfrom_netlabel(isnsd_t)
|
||||
corenet_tcp_sendrecv_generic_if(isnsd_t)
|
||||
@@ -46,10 +50,6 @@ corenet_tcp_bind_generic_node(isnsd_t)
|
||||
corenet_sendrecv_isns_server_packets(isnsd_t)
|
||||
corenet_tcp_bind_isns_port(isnsd_t)
|
||||
|
||||
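Review bot: `kernel_read_system_state(isnsd_t)` is broader than the changelog entry that motivates this hunk ("read access on the file /proc/net/unix"), which `kernel_read_network_state(isnsd_t)` on the next line already covers; the system-state interface additionally opens the rest of /proc to the daemon. If a denial on something outside /proc/net was actually observed, a comment naming it next to the call would justify keeping it; otherwise the first of the two lines can be dropped.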
@ -39279,10 +39302,10 @@ index 0000000..bd7e7fa
|
||||
+')
|
||||
diff --git a/keepalived.te b/keepalived.te
|
||||
new file mode 100644
|
||||
index 0000000..1a78c67
|
||||
index 0000000..20adcb3
|
||||
--- /dev/null
|
||||
+++ b/keepalived.te
|
||||
@@ -0,0 +1,89 @@
|
||||
@@ -0,0 +1,90 @@
|
||||
+policy_module(keepalived, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -39320,6 +39343,7 @@ index 0000000..1a78c67
|
||||
+
|
||||
+kernel_read_system_state(keepalived_t)
|
||||
+kernel_read_network_state(keepalived_t)
|
||||
+kernel_request_load_module(keepalived_t)
|
||||
+
|
||||
+auth_use_nsswitch(keepalived_t)
|
||||
+
|
||||
@ -39373,10 +39397,10 @@ index 0000000..1a78c67
|
||||
+ ')
|
||||
+')
|
||||
diff --git a/kerberos.fc b/kerberos.fc
|
||||
index 4fe75fd..b05128a 100644
|
||||
index 4fe75fd..b9f07ae 100644
|
||||
--- a/kerberos.fc
|
||||
+++ b/kerberos.fc
|
||||
@@ -1,52 +1,50 @@
|
||||
@@ -1,52 +1,52 @@
|
||||
-HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
|
||||
-/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
|
||||
+HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
|
||||
@ -39414,33 +39438,25 @@ index 4fe75fd..b05128a 100644
|
||||
|
||||
-/usr/local/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
|
||||
-/usr/local/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
|
||||
+/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
|
||||
+/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
|
||||
|
||||
-
|
||||
-/usr/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
|
||||
-/usr/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
|
||||
+/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
|
||||
+/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
|
||||
+/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
|
||||
+/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
|
||||
+/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)
|
||||
|
||||
-
|
||||
-/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
|
||||
-/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
|
||||
+/var/log/krb5kdc\.log.* gen_context(system_u:object_r:krb5kdc_log_t,s0)
|
||||
+/var/log/kadmin(d)?\.log.* gen_context(system_u:object_r:kadmind_log_t,s0)
|
||||
|
||||
-
|
||||
-/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
|
||||
-/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
|
||||
+/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
||||
+/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
|
||||
/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
|
||||
|
||||
-/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
||||
+/var/run/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_var_run_t,s0)
|
||||
|
||||
-
|
||||
-/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
|
||||
-/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
|
||||
+/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
|
||||
/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
|
||||
-/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
|
||||
-/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
|
||||
+/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
|
||||
/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
|
||||
-/var/kerberos/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0)
|
||||
-
|
||||
-/var/log/krb5kdc\.log.* -- gen_context(system_u:object_r:krb5kdc_log_t,s0)
|
||||
@ -39455,7 +39471,18 @@ index 4fe75fd..b05128a 100644
|
||||
-/var/tmp/ldapmap1_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
||||
-/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
||||
-/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
||||
+/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)
|
||||
+
|
||||
+/var/log/krb5kdc\.log.* gen_context(system_u:object_r:krb5kdc_log_t,s0)
|
||||
+/var/log/kadmin(d)?\.log.* gen_context(system_u:object_r:kadmind_log_t,s0)
|
||||
+
|
||||
+/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
||||
+
|
||||
+/var/run/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_var_run_t,s0)
|
||||
+
|
||||
+/var/tmp/DNS_25 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
||||
+/var/tmp/kadmin_0 -- gen_context(system_u:object_r:kadmind_tmp_t,s0)
|
||||
+/var/tmp/kiprop_0 -- gen_context(system_u:object_r:krb5kdc_tmp_t,s0)
|
||||
+/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
||||
+/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
||||
+/var/tmp/HTTP_48 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
||||
@ -40175,7 +40202,7 @@ index f6c00d8..7b777ab 100644
|
||||
+ kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
|
||||
')
|
||||
diff --git a/kerberos.te b/kerberos.te
|
||||
index 8833d59..61910d0 100644
|
||||
index 8833d59..462e466 100644
|
||||
--- a/kerberos.te
|
||||
+++ b/kerberos.te
|
||||
@@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0)
|
||||
@ -40226,7 +40253,7 @@ index 8833d59..61910d0 100644
|
||||
type krb5kdc_principal_t;
|
||||
files_type(krb5kdc_principal_t)
|
||||
|
||||
@@ -74,28 +78,31 @@ files_pid_file(krb5kdc_var_run_t)
|
||||
@@ -74,28 +78,33 @@ files_pid_file(krb5kdc_var_run_t)
|
||||
# kadmind local policy
|
||||
#
|
||||
|
||||
@ -40259,12 +40286,14 @@ index 8833d59..61910d0 100644
|
||||
allow kadmind_t krb5kdc_principal_t:file manage_file_perms;
|
||||
filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file)
|
||||
|
||||
+allow kadmind_t krb5_keytab_t:file read_file_perms;
|
||||
+
|
||||
+can_exec(kadmind_t, kadmind_exec_t)
|
||||
+
|
||||
manage_dirs_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
|
||||
manage_files_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
|
||||
files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
|
||||
@@ -103,13 +110,15 @@ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
|
||||
@@ -103,13 +112,15 @@ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
|
||||
manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t)
|
||||
files_pid_filetrans(kadmind_t, kadmind_var_run_t, file)
|
||||
|
||||
@ -40283,7 +40312,7 @@ index 8833d59..61910d0 100644
|
||||
corenet_all_recvfrom_netlabel(kadmind_t)
|
||||
corenet_tcp_sendrecv_generic_if(kadmind_t)
|
||||
corenet_udp_sendrecv_generic_if(kadmind_t)
|
||||
@@ -119,31 +128,41 @@ corenet_tcp_sendrecv_all_ports(kadmind_t)
|
||||
@@ -119,31 +130,44 @@ corenet_tcp_sendrecv_all_ports(kadmind_t)
|
||||
corenet_udp_sendrecv_all_ports(kadmind_t)
|
||||
corenet_tcp_bind_generic_node(kadmind_t)
|
||||
corenet_udp_bind_generic_node(kadmind_t)
|
||||
@ -40297,6 +40326,7 @@ index 8833d59..61910d0 100644
|
||||
+corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t)
|
||||
+corenet_sendrecv_kerberos_admin_server_packets(kadmind_t)
|
||||
+corenet_sendrecv_kerberos_password_server_packets(kadmind_t)
|
||||
+corenet_tcp_bind_kprop_port(kadmind_t)
|
||||
+corenet_tcp_connect_kprop_port(kadmind_t)
|
||||
|
||||
dev_read_sysfs(kadmind_t)
|
||||
@ -40309,7 +40339,7 @@ index 8833d59..61910d0 100644
|
||||
|
||||
domain_use_interactive_fds(kadmind_t)
|
||||
|
||||
-files_read_etc_files(kadmind_t)
|
||||
files_read_etc_files(kadmind_t)
|
||||
-files_read_usr_files(kadmind_t)
|
||||
+files_read_usr_symlinks(kadmind_t)
|
||||
files_read_var_files(kadmind_t)
|
||||
@ -40320,8 +40350,8 @@ index 8833d59..61910d0 100644
|
||||
+
|
||||
logging_send_syslog_msg(kadmind_t)
|
||||
|
||||
-miscfiles_read_localization(kadmind_t)
|
||||
+miscfiles_read_generic_certs(kadmind_t)
|
||||
miscfiles_read_localization(kadmind_t)
|
||||
|
||||
+seutil_read_config(kadmind_t)
|
||||
seutil_read_file_contexts(kadmind_t)
|
||||
@ -40330,7 +40360,7 @@ index 8833d59..61910d0 100644
|
||||
sysnet_use_ldap(kadmind_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
|
||||
@@ -154,11 +173,16 @@ optional_policy(`
|
||||
@@ -154,11 +178,16 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -40347,7 +40377,7 @@ index 8833d59..61910d0 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -174,24 +198,27 @@ optional_policy(`
|
||||
@@ -174,24 +203,27 @@ optional_policy(`
|
||||
# Krb5kdc local policy
|
||||
#
|
||||
|
||||
@ -40379,7 +40409,7 @@ index 8833d59..61910d0 100644
|
||||
logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
|
||||
|
||||
allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;
|
||||
@@ -201,71 +228,76 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
|
||||
@@ -201,71 +233,76 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
|
||||
files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
|
||||
|
||||
manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
|
||||
@ -40471,7 +40501,7 @@ index 8833d59..61910d0 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -273,6 +305,10 @@ optional_policy(`
|
||||
@@ -273,6 +310,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -40482,7 +40512,7 @@ index 8833d59..61910d0 100644
|
||||
udev_read_db(krb5kdc_t)
|
||||
')
|
||||
|
||||
@@ -281,10 +317,12 @@ optional_policy(`
|
||||
@@ -281,10 +322,12 @@ optional_policy(`
|
||||
# kpropd local policy
|
||||
#
|
||||
|
||||
@ -40498,7 +40528,7 @@ index 8833d59..61910d0 100644
|
||||
|
||||
allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
|
||||
|
||||
@@ -301,27 +339,25 @@ manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
|
||||
@@ -301,27 +344,25 @@ manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
|
||||
manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
|
||||
files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
|
||||
|
||||
@ -43322,7 +43352,7 @@ index dd8e01a..9cd6b0b 100644
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
diff --git a/logrotate.te b/logrotate.te
|
||||
index be0ab84..2de18e1 100644
|
||||
index be0ab84..ce57aac 100644
|
||||
--- a/logrotate.te
|
||||
+++ b/logrotate.te
|
||||
@@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0)
|
||||
@ -43541,7 +43571,7 @@ index be0ab84..2de18e1 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -198,21 +250,26 @@ optional_policy(`
|
||||
@@ -198,17 +250,18 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -43559,20 +43589,26 @@ index be0ab84..2de18e1 100644
|
||||
|
||||
optional_policy(`
|
||||
- polipo_log_filetrans_log(logrotate_t, file, "polipo")
|
||||
+ psad_domtrans(logrotate_t)
|
||||
+ prosody_stream_connect(logrotate_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -216,6 +269,14 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- psad_domtrans(logrotate_t)
|
||||
+ rabbitmq_domtrans(logrotate_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ raid_domtrans_mdadm(logrotate_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
samba_exec_log(logrotate_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -228,26 +285,43 @@ optional_policy(`
|
||||
@@ -228,26 +289,43 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
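Review bot: `prosody_stream_connect(logrotate_t)` is added inside the same optional_policy block as `psad_domtrans(logrotate_t)`, at least as the hunk renders here. An optional_policy block is kept or dropped as a unit, so on a host without the psad module the prosody access silently disappears, and on one without prosody the psad transition does; each module's interfaces belong in their own block. Give the call its own three-line block — the `optional_policy(` opener, `	prosody_stream_connect(logrotate_t)`, and `')` — matching the separate blocks this hunk already uses for rabbitmq and raid.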
@ -44200,7 +44236,7 @@ index d314333..27ede09 100644
|
||||
+ ')
|
||||
')
|
||||
diff --git a/lsm.te b/lsm.te
|
||||
index 4ec0eea..03b7f8b 100644
|
||||
index 4ec0eea..0c195ed 100644
|
||||
--- a/lsm.te
|
||||
+++ b/lsm.te
|
||||
@@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0)
|
||||
@ -44235,10 +44271,12 @@ index 4ec0eea..03b7f8b 100644
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
@@ -26,4 +44,59 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
|
||||
@@ -26,4 +44,61 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
|
||||
manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
|
||||
files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
|
||||
|
||||
+auth_use_nsswitch(lsmd_t)
|
||||
+
|
||||
+corecmd_exec_bin(lsmd_t)
|
||||
+corecmd_getattr_all_executables(lsmd_t)
|
||||
+
|
||||
@ -56077,7 +56115,7 @@ index 86dc29d..7380935 100644
|
||||
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
|
||||
')
|
||||
diff --git a/networkmanager.te b/networkmanager.te
|
||||
index 55f2009..35ca860 100644
|
||||
index 55f2009..e6182a2 100644
|
||||
--- a/networkmanager.te
|
||||
+++ b/networkmanager.te
|
||||
@@ -9,15 +9,18 @@ type NetworkManager_t;
|
||||
@ -56461,7 +56499,7 @@ index 55f2009..35ca860 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -320,14 +401,20 @@ optional_policy(`
|
||||
@@ -320,14 +401,21 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -56471,6 +56509,7 @@ index 55f2009..35ca860 100644
|
||||
+ systemd_write_inhibit_pipes(NetworkManager_t)
|
||||
+ systemd_read_logind_sessions_files(NetworkManager_t)
|
||||
+ systemd_dbus_chat_logind(NetworkManager_t)
|
||||
+ systemd_dbus_chat_hostnamed(NetworkManager_t)
|
||||
+ systemd_hostnamed_manage_config(NetworkManager_t)
|
||||
')
|
||||
|
||||
@ -56487,7 +56526,7 @@ index 55f2009..35ca860 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -357,6 +444,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
|
||||
@@ -357,6 +445,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
|
||||
init_dontaudit_use_fds(wpa_cli_t)
|
||||
init_use_script_ptys(wpa_cli_t)
|
||||
|
||||
@ -61967,10 +62006,10 @@ index 0000000..c20cac3
|
||||
+')
|
||||
diff --git a/openshift.te b/openshift.te
|
||||
new file mode 100644
|
||||
index 0000000..69697c7
|
||||
index 0000000..c8e810c
|
||||
--- /dev/null
|
||||
+++ b/openshift.te
|
||||
@@ -0,0 +1,630 @@
|
||||
@@ -0,0 +1,634 @@
|
||||
+policy_module(openshift,1.0.0)
|
||||
+
|
||||
+gen_require(`
|
||||
@ -62111,6 +62150,10 @@ index 0000000..69697c7
|
||||
+init_domtrans_script(openshift_initrc_t)
|
||||
+init_initrc_domain(openshift_initrc_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ firewalld_dbus_chat(openshift_initrc_t)
|
||||
+')
|
||||
+
|
||||
+#######################################################
|
||||
+#
|
||||
+# Policy for all openshift domains
|
||||
@ -65423,14 +65466,15 @@ index 1fb1964..5212cd2 100644
|
||||
+')
|
||||
+
|
||||
diff --git a/pegasus.fc b/pegasus.fc
|
||||
index dfd46e4..d40433a 100644
|
||||
index dfd46e4..747aa2a 100644
|
||||
--- a/pegasus.fc
|
||||
+++ b/pegasus.fc
|
||||
@@ -1,15 +1,32 @@
|
||||
@@ -1,15 +1,33 @@
|
||||
-/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
|
||||
+
|
||||
+/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
|
||||
/etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0)
|
||||
+/etc/mdadm\.conf\.anacbak gen_context(system_u:object_r:pegasus_conf_t,s0)
|
||||
|
||||
-/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0)
|
||||
+/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
|
||||
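Review bot: The new `/etc/mdadm\.conf\.anacbak gen_context(system_u:object_r:pegasus_conf_t,s0)` entry has no file-type field, unlike the `--` on the neighbouring init-script and cimserver entries, so it would also relabel a directory or symlink of that name. The matching transition rule in pegasus.te creates the backup as a plain `file`, so `/etc/mdadm\.conf\.anacbak -- gen_context(system_u:object_r:pegasus_conf_t,s0)` keeps the two consistent.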
@ -65569,7 +65613,7 @@ index d2fc677..86dce34 100644
|
||||
')
|
||||
+
|
||||
diff --git a/pegasus.te b/pegasus.te
|
||||
index 608f454..251160b 100644
|
||||
index 608f454..3e3fd3d 100644
|
||||
--- a/pegasus.te
|
||||
+++ b/pegasus.te
|
||||
@@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
|
||||
@ -65588,7 +65632,7 @@ index 608f454..251160b 100644
|
||||
type pegasus_cache_t;
|
||||
files_type(pegasus_cache_t)
|
||||
|
||||
@@ -30,20 +29,326 @@ files_type(pegasus_mof_t)
|
||||
@@ -30,20 +29,337 @@ files_type(pegasus_mof_t)
|
||||
type pegasus_var_run_t;
|
||||
files_pid_file(pegasus_var_run_t)
|
||||
|
||||
@ -65745,9 +65789,13 @@ index 608f454..251160b 100644
|
||||
+
|
||||
+kernel_read_network_state(pegasus_openlmi_system_t)
|
||||
+
|
||||
+auth_use_nsswitch(pegasus_openlmi_system_t)
|
||||
+
|
||||
+dev_rw_sysfs(pegasus_openlmi_system_t)
|
||||
+dev_read_urand(pegasus_openlmi_system_t)
|
||||
+
|
||||
+fs_getattr_all_fs(pegasus_openlmi_system_t)
|
||||
+
|
||||
+init_read_utmp(pegasus_openlmi_system_t)
|
||||
+
|
||||
+systemd_config_power_services(pegasus_openlmi_system_t)
|
||||
@ -65819,6 +65867,9 @@ index 608f454..251160b 100644
|
||||
+manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, pegasus_openlmi_storage_var_run_t)
|
||||
+files_pid_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, dir, "openlmi-storage")
|
||||
+
|
||||
+manage_files_pattern(pegasus_openlmi_storage_t, pegasus_conf_t, pegasus_conf_t)
|
||||
+files_etc_filetrans(pegasus_openlmi_storage_t, pegasus_conf_t, file, "mdadm.conf.anacbak" )
|
||||
+
|
||||
+kernel_read_all_sysctls(pegasus_openlmi_storage_t)
|
||||
+kernel_read_network_state(pegasus_openlmi_storage_t)
|
||||
+kernel_get_sysvipc_info(pegasus_openlmi_storage_t)
|
||||
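Review bot: To let the storage provider write one backup file, `manage_files_pattern(pegasus_openlmi_storage_t, pegasus_conf_t, pegasus_conf_t)` grants create, write and unlink over every pegasus_conf_t file, which per pegasus.fc includes all of /etc/Pegasus, the CIM server's own configuration. A dedicated type for the backup file would confine the provider to the object named in `files_etc_filetrans(pegasus_openlmi_storage_t, pegasus_conf_t, file, "mdadm.conf.anacbak" )`. If the provider is already trusted to edit Pegasus configuration, a comment saying so would make the breadth deliberate rather than accidental.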
@ -65860,6 +65911,10 @@ index 608f454..251160b 100644
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ gnome_dontaudit_search_config(pegasus_openlmi_storage_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ fstools_domtrans(pegasus_openlmi_storage_t)
|
||||
+')
|
||||
+
|
||||
@ -65920,7 +65975,7 @@ index 608f454..251160b 100644
|
||||
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
|
||||
@@ -54,22 +359,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
|
||||
@@ -54,22 +370,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
|
||||
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
||||
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
||||
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
||||
@ -65951,7 +66006,7 @@ index 608f454..251160b 100644
|
||||
|
||||
kernel_read_network_state(pegasus_t)
|
||||
kernel_read_kernel_sysctls(pegasus_t)
|
||||
@@ -80,27 +385,21 @@ kernel_read_net_sysctls(pegasus_t)
|
||||
@@ -80,27 +396,21 @@ kernel_read_net_sysctls(pegasus_t)
|
||||
kernel_read_xen_state(pegasus_t)
|
||||
kernel_write_xen_state(pegasus_t)
|
||||
|
||||
@ -65984,7 +66039,7 @@ index 608f454..251160b 100644
|
||||
|
||||
corecmd_exec_bin(pegasus_t)
|
||||
corecmd_exec_shell(pegasus_t)
|
||||
@@ -114,9 +413,11 @@ files_getattr_all_dirs(pegasus_t)
|
||||
@@ -114,9 +424,11 @@ files_getattr_all_dirs(pegasus_t)
|
||||
|
||||
auth_use_nsswitch(pegasus_t)
|
||||
auth_domtrans_chk_passwd(pegasus_t)
|
||||
@ -65996,7 +66051,7 @@ index 608f454..251160b 100644
|
||||
|
||||
files_list_var_lib(pegasus_t)
|
||||
files_read_var_lib_files(pegasus_t)
|
||||
@@ -128,18 +429,29 @@ init_stream_connect_script(pegasus_t)
|
||||
@@ -128,18 +440,29 @@ init_stream_connect_script(pegasus_t)
|
||||
logging_send_audit_msgs(pegasus_t)
|
||||
logging_send_syslog_msg(pegasus_t)
|
||||
|
||||
@ -66014,10 +66069,7 @@ index 608f454..251160b 100644
|
||||
- dbus_connect_system_bus(pegasus_t)
|
||||
+ dmidecode_domtrans(pegasus_t)
|
||||
+')
|
||||
|
||||
- optional_policy(`
|
||||
- networkmanager_dbus_chat(pegasus_t)
|
||||
- ')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ dbus_system_bus_client(pegasus_t)
|
||||
+ dbus_connect_system_bus(pegasus_t)
|
||||
@ -66026,13 +66078,16 @@ index 608f454..251160b 100644
|
||||
+ networkmanager_dbus_chat(pegasus_t)
|
||||
+ ')
|
||||
+')
|
||||
+
|
||||
|
||||
- optional_policy(`
|
||||
- networkmanager_dbus_chat(pegasus_t)
|
||||
- ')
|
||||
+optional_policy(`
|
||||
+ rhcs_stream_connect_cluster(pegasus_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -151,16 +463,24 @@ optional_policy(`
|
||||
@@ -151,16 +474,24 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -66061,7 +66116,7 @@ index 608f454..251160b 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -168,7 +488,7 @@ optional_policy(`
|
||||
@@ -168,7 +499,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -66070,7 +66125,7 @@ index 608f454..251160b 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -180,6 +500,7 @@ optional_policy(`
|
||||
@@ -180,6 +511,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -73436,10 +73491,10 @@ index 0000000..c056a2f
|
||||
+/var/log/prosody(/.*)? gen_context(system_u:object_r:prosody_log_t,s0)
|
||||
diff --git a/prosody.if b/prosody.if
|
||||
new file mode 100644
|
||||
index 0000000..44ed5ad
|
||||
index 0000000..8231f4f
|
||||
--- /dev/null
|
||||
+++ b/prosody.if
|
||||
@@ -0,0 +1,235 @@
|
||||
@@ -0,0 +1,255 @@
|
||||
+
|
||||
+## <summary>policy for prosody</summary>
|
||||
+
|
||||
@ -73609,6 +73664,26 @@ index 0000000..44ed5ad
|
||||
+ roleattribute $2 prosody_roles;
|
||||
+')
|
||||
+
|
||||
+######################################
|
||||
+## <summary>
|
||||
+## Connect to prosody with a unix
|
||||
+## domain stream socket.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`prosody_stream_connect',`
|
||||
+ gen_require(`
|
||||
+ type prosody_t, prosody_var_run_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_pids($1)
|
||||
+ stream_connect_pattern($1, prosody_var_run_t, prosody_var_run_t, prosody_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Role access for prosody
|
||||
@ -73677,10 +73752,10 @@ index 0000000..44ed5ad
|
||||
+')
|
||||
diff --git a/prosody.te b/prosody.te
|
||||
new file mode 100644
|
||||
index 0000000..f48f1b9
|
||||
index 0000000..d531fa5
|
||||
--- /dev/null
|
||||
+++ b/prosody.te
|
||||
@@ -0,0 +1,85 @@
|
||||
@@ -0,0 +1,92 @@
|
||||
+policy_module(prosody, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -73709,6 +73784,9 @@ index 0000000..f48f1b9
|
||||
+type prosody_var_run_t;
|
||||
+files_pid_file(prosody_var_run_t)
|
||||
+
|
||||
+type prosody_tmp_t;
|
||||
+files_tmp_file(prosody_tmp_t)
|
||||
+
|
||||
+type prosody_unit_file_t;
|
||||
+systemd_unit_file(prosody_unit_file_t)
|
||||
+
|
||||
@ -73735,6 +73813,10 @@ index 0000000..f48f1b9
|
||||
+setattr_files_pattern(prosody_t, prosody_log_t, prosody_log_t)
|
||||
+logging_log_filetrans(prosody_t, prosody_log_t, { file dir })
|
||||
+
|
||||
+manage_dirs_pattern(prosody_t, prosody_tmp_t, prosody_tmp_t)
|
||||
+manage_files_pattern(prosody_t, prosody_tmp_t, prosody_tmp_t)
|
||||
+files_tmp_filetrans(prosody_t, prosody_tmp_t, { dir file })
|
||||
+
|
||||
+can_exec(prosody_t, prosody_exec_t)
|
||||
+
|
||||
+kernel_read_system_state(prosody_t)
|
||||
@ -77705,7 +77787,7 @@ index fe2adf8..f7e9c70 100644
|
||||
+ admin_pattern($1, qpidd_var_run_t)
|
||||
')
|
||||
diff --git a/qpid.te b/qpid.te
|
||||
index 83eb09e..fc17eee 100644
|
||||
index 83eb09e..9f4739c 100644
|
||||
--- a/qpid.te
|
||||
+++ b/qpid.te
|
||||
@@ -12,6 +12,9 @@ init_daemon_domain(qpidd_t, qpidd_exec_t)
|
||||
@ -77718,7 +77800,7 @@ index 83eb09e..fc17eee 100644
|
||||
type qpidd_tmpfs_t;
|
||||
files_tmpfs_file(qpidd_tmpfs_t)
|
||||
|
||||
@@ -33,41 +36,54 @@ allow qpidd_t self:shm create_shm_perms;
|
||||
@@ -33,41 +36,55 @@ allow qpidd_t self:shm create_shm_perms;
|
||||
allow qpidd_t self:tcp_socket { accept listen };
|
||||
allow qpidd_t self:unix_stream_socket { accept listen };
|
||||
|
||||
@ -77743,10 +77825,11 @@ index 83eb09e..fc17eee 100644
|
||||
files_pid_filetrans(qpidd_t, qpidd_var_run_t, { file dir })
|
||||
|
||||
kernel_read_system_state(qpidd_t)
|
||||
+kernel_read_network_state(qpidd_t)
|
||||
+
|
||||
+auth_read_passwd(qpidd_t)
|
||||
|
||||
-corenet_all_recvfrom_unlabeled(qpidd_t)
|
||||
+auth_read_passwd(qpidd_t)
|
||||
+
|
||||
corenet_all_recvfrom_netlabel(qpidd_t)
|
||||
+corenet_tcp_bind_generic_node(qpidd_t)
|
||||
corenet_tcp_sendrecv_generic_if(qpidd_t)
|
||||
@ -78849,7 +78932,7 @@ index 2c3d338..7d49554 100644
|
||||
init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
diff --git a/rabbitmq.te b/rabbitmq.te
|
||||
index dc3b0ed..d8858d1 100644
|
||||
index dc3b0ed..b0ae2c6 100644
|
||||
--- a/rabbitmq.te
|
||||
+++ b/rabbitmq.te
|
||||
@@ -5,13 +5,14 @@ policy_module(rabbitmq, 1.0.2)
|
||||
@ -78883,7 +78966,7 @@ index dc3b0ed..d8858d1 100644
|
||||
type rabbitmq_var_log_t;
|
||||
logging_log_file(rabbitmq_var_log_t)
|
||||
|
||||
@@ -27,98 +31,92 @@ files_pid_file(rabbitmq_var_run_t)
|
||||
@@ -27,98 +31,93 @@ files_pid_file(rabbitmq_var_run_t)
|
||||
|
||||
######################################
|
||||
#
|
||||
@ -79029,6 +79112,7 @@ index dc3b0ed..d8858d1 100644
|
||||
+corenet_tcp_bind_jabber_client_port(rabbitmq_t)
|
||||
+corenet_tcp_bind_jabber_interserver_port(rabbitmq_t)
|
||||
+corenet_tcp_bind_rabbitmq_port(rabbitmq_t)
|
||||
+corenet_tcp_connect_amqp_port(rabbitmq_t)
|
||||
+corenet_tcp_connect_epmd_port(rabbitmq_t)
|
||||
+corenet_tcp_connect_jabber_interserver_port(rabbitmq_t)
|
||||
+corenet_tcp_sendrecv_epmd_port(rabbitmq_t)
|
||||
@ -88900,7 +88984,7 @@ index b8b66ff..a93346e 100644
|
||||
+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
|
||||
+')
|
||||
diff --git a/samba.if b/samba.if
|
||||
index 50d07fb..3ca1c49 100644
|
||||
index 50d07fb..337a3e7 100644
|
||||
--- a/samba.if
|
||||
+++ b/samba.if
|
||||
@@ -1,8 +1,12 @@
|
||||
@ -89418,54 +89502,44 @@ index 50d07fb..3ca1c49 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -562,47 +713,63 @@ interface(`samba_rw_smbmount_tcp_sockets',`
|
||||
@@ -560,49 +711,47 @@ interface(`samba_rw_smbmount_tcp_sockets',`
|
||||
allow $1 smbmount_t:tcp_socket { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
-########################################
|
||||
+#######################################
|
||||
## <summary>
|
||||
-## Execute winbind helper in the
|
||||
-## winbind helper domain.
|
||||
+## Allow send signull to winbind
|
||||
+## Allow to getattr on winbind binary.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
-## <summary>
|
||||
-## Domain allowed to transition.
|
||||
+## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`samba_domtrans_winbind_helper',`
|
||||
+interface(`samba_winbind_signull',`
|
||||
gen_require(`
|
||||
- type winbind_helper_t, winbind_helper_exec_t;
|
||||
+ type winbind_t;
|
||||
')
|
||||
|
||||
- corecmd_search_bin($1)
|
||||
- domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
|
||||
+ allow $1 winbind_t:process signull;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
-## Get attributes of winbind executable files.
|
||||
+## Allow to getattr on winbind binary.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
-## </summary>
|
||||
+## <summary>
|
||||
+## Domain allowed to transition.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
## </param>
|
||||
#
|
||||
-interface(`samba_domtrans_winbind_helper',`
|
||||
- gen_require(`
|
||||
- type winbind_helper_t, winbind_helper_exec_t;
|
||||
- ')
|
||||
+interface(`samba_getattr_winbind',`
|
||||
+ gen_require(`
|
||||
+ type winbind_exec_t;
|
||||
+ ')
|
||||
+
|
||||
|
||||
- corecmd_search_bin($1)
|
||||
- domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
|
||||
+ allow $1 winbind_exec_t:file getattr;
|
||||
+')
|
||||
+
|
||||
')
|
||||
|
||||
-#######################################
|
||||
+########################################
|
||||
+## <summary>
|
||||
## <summary>
|
||||
-## Get attributes of winbind executable files.
|
||||
+## Execute winbind_helper in the winbind_helper domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
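Review bot: The doc block for `samba_getattr_winbind` describes its parameter as `Domain allowed to transition.` although the interface body grants only `allow $1 winbind_exec_t:file getattr;`. The old/new side of these lines cannot be recovered from the rendered page, but whichever version survives should read `## Domain allowed access.` like the other interfaces in samba.if. The same hunk shows `samba_winbind_signull` carrying two summary lines (`Allow send signull to winbind` followed by `Allow to getattr on winbind binary.`), which looks like a copy-and-paste leftover on the side that keeps it.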
@ -89497,7 +89571,7 @@ index 50d07fb..3ca1c49 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -618,16 +785,16 @@ interface(`samba_getattr_winbind_exec',`
|
||||
@@ -618,16 +767,16 @@ interface(`samba_getattr_winbind_exec',`
|
||||
#
|
||||
interface(`samba_run_winbind_helper',`
|
||||
gen_require(`
|
||||
@ -89517,18 +89591,72 @@ index 50d07fb..3ca1c49 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -637,17 +804,16 @@ interface(`samba_run_winbind_helper',`
|
||||
@@ -637,17 +786,71 @@ interface(`samba_run_winbind_helper',`
|
||||
#
|
||||
interface(`samba_read_winbind_pid',`
|
||||
gen_require(`
|
||||
- type winbind_var_run_t, smbd_var_run_t;
|
||||
+ type winbind_var_run_t;
|
||||
')
|
||||
|
||||
- files_search_pids($1)
|
||||
- read_files_pattern($1, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t)
|
||||
+ ')
|
||||
+
|
||||
+ samba_search_pid($1)
|
||||
+ allow $1 winbind_var_run_t:file read_file_perms;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Manage winbind PID files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`samba_manage_winbind_pid',`
|
||||
+ gen_require(`
|
||||
+ type winbind_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
- read_files_pattern($1, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t)
|
||||
+ manage_dirs_pattern($1, winbind_var_run_t, winbind_var_run_t)
|
||||
+ manage_files_pattern($1, winbin_var_run_t, winbind_var_run_t)
|
||||
+ manage_sock_files_pattern($1, winbind_var_run_t, winbind_var_run_t)
|
||||
+')
|
||||
+
|
||||
+######################################
|
||||
+## <summary>
|
||||
+## Allow domain to signull winbind
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`samba_signull_winbind',`
|
||||
+ gen_require(`
|
||||
+ type winbind_t;
|
||||
+ ')
|
||||
+ allow $1 winbind_t:process signull;
|
||||
+')
|
||||
+
|
||||
+######################################
|
||||
+## <summary>
|
||||
+## Allow domain to signull samba_unconfined_net
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`samba_signull_unconfined_net',`
|
||||
+ gen_require(`
|
||||
+ type samba_unconfined_net_t;
|
||||
+ ')
|
||||
+ allow $1 samba_unconfined_net_t:process signull;
|
||||
')
|
||||
|
||||
########################################
|
||||
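Review bot: `manage_files_pattern($1, winbin_var_run_t, winbind_var_run_t)` in the new `samba_manage_winbind_pid` interface misspells the directory type in its second argument; `winbin_var_run_t` is not declared anywhere (the `gen_require` block lists only `winbind_var_run_t`), so the module fails to build, or at best the file-management part of the interface grants nothing. The line should read `manage_files_pattern($1, winbind_var_run_t, winbind_var_run_t)`. The two new `samba_signull_winbind` and `samba_signull_unconfined_net` interfaces close their `gen_require` block with no blank line before the `allow` rule, unlike the surrounding interfaces; minor, but worth aligning.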
@ -89539,7 +89667,7 @@ index 50d07fb..3ca1c49 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -657,17 +823,79 @@ interface(`samba_read_winbind_pid',`
|
||||
@@ -657,17 +860,61 @@ interface(`samba_read_winbind_pid',`
|
||||
#
|
||||
interface(`samba_stream_connect_winbind',`
|
||||
gen_require(`
|
||||
@ -89601,30 +89729,12 @@ index 50d07fb..3ca1c49 100644
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Allow send signull to samba_unconfined_net
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`samba_unconfined_net_signull',`
|
||||
+ gen_require(`
|
||||
+ type samba_uncofined_net_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 samba_uncofined_net_t:process signull;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## All of the rules required to administrate
|
||||
+## an samba environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -676,7 +904,7 @@ interface(`samba_stream_connect_winbind',`
|
||||
@@ -676,7 +923,7 @@ interface(`samba_stream_connect_winbind',`
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
@ -89633,7 +89743,7 @@ index 50d07fb..3ca1c49 100644
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
@@ -689,11 +917,30 @@ interface(`samba_admin',`
|
||||
@@ -689,11 +936,30 @@ interface(`samba_admin',`
|
||||
type samba_etc_t, samba_share_t, samba_initrc_exec_t;
|
||||
type swat_var_run_t, swat_tmp_t, winbind_log_t;
|
||||
type winbind_var_run_t, winbind_tmp_t;
|
||||
@ -89667,7 +89777,7 @@ index 50d07fb..3ca1c49 100644
|
||||
|
||||
init_labeled_script_domtrans($1, samba_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
@@ -703,23 +950,34 @@ interface(`samba_admin',`
|
||||
@@ -703,23 +969,34 @@ interface(`samba_admin',`
|
||||
files_list_etc($1)
|
||||
admin_pattern($1, { samba_etc_t smbd_keytab_t })
|
||||
|
||||
@ -89678,11 +89788,11 @@ index 50d07fb..3ca1c49 100644
|
||||
- files_list_var($1)
|
||||
- admin_pattern($1, { samba_share_t samba_var_t samba_secrets_t })
|
||||
+ admin_pattern($1, samba_secrets_t)
|
||||
+
|
||||
+ admin_pattern($1, samba_share_t)
|
||||
|
||||
- files_list_spool($1)
|
||||
- admin_pattern($1, smbd_spool_t)
|
||||
+ admin_pattern($1, samba_share_t)
|
||||
+
|
||||
+ admin_pattern($1, samba_var_t)
|
||||
+ files_list_var($1)
|
||||
|
||||
|
@ -645,6 +645,38 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Jul 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-138
|
||||
- Add fixes for selinux-policy packages to reflect the latest changes related to policy module store migration.
|
||||
- Prepare selinux-policy package for SELinux store migration
|
||||
- gnome_dontaudit_search_config() needs to be a part of optinal_policy in pegasus.te
|
||||
- Allow glusterd to manage nfsd and rpcd services.
|
||||
- Allow smbd_t and nmbd_t to manage winbind_var_run_t files/socktes/dirs.
|
||||
- Add samba_manage_winbind_pid() interface
|
||||
- Allow networkmanager to communicate via dbus with systemd_hostanmed.
|
||||
- Allow stream connect logrotate to prosody.
|
||||
- Add prosody_stream_connect() interface.
|
||||
- httpd should be able to send signal/signull to httpd_suexec_t, instead of httpd_suexec_exec_t.
|
||||
- Allow prosody to create own tmp files/dirs.
|
||||
- Allow keepalived request kernel load module
|
||||
- kadmind should not read generic files in /usr
|
||||
- Allow kadmind_t access to /etc/krb5.keytab
|
||||
- Add more fixes to kerberos.te
|
||||
- Add labeling for /var/tmp/kadmin_0 and /var/tmp/kiprop_0
|
||||
- Add lsmd_t to nsswitch_domain.
|
||||
- Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc.
|
||||
- Add fixes to pegasus_openlmi_domain
|
||||
- Allow Glance Scrubber to connect to commplex_main port
|
||||
- Allow RabbitMQ to connect to amqp port
|
||||
- Allow isnsd read access on the file /proc/net/unix
|
||||
- Allow qpidd access to /proc/<pid>/net/psched
|
||||
- Allow openshift_initrc_t to communicate with firewalld over dbus.
|
||||
- Allow ctdbd_t send signull to samba_unconfined_net_t.
|
||||
- Add samba_signull_unconfined_net()
|
||||
- Add samba_signull_winbind()
|
||||
- Revert "Add interfaces winbind_signull(), samba_unconfined_net_signull()."
|
||||
- Fix ctdb policy
|
||||
- Label /var/db/ as system_db_t.
|
||||
|
||||
* Wed Jul 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-137
|
||||
- inn daemon should create innd_log_t objects in var_log_t instead of innd_var_run_t
|
||||
- Fix rule definitions for httpd_can_sendmail boolean. We need to distinguish between base and contrib.
|
||||
|