* Tue Feb 10 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-111
- Label /usr/libexec/postgresql-ctl as postgresql_exec_t. BZ(1191004) - Remove automatically running filetrans_named_content from sysnet_manage_config - Allow syslogd/journal to read netlink audit socket - Allow brltty ioctl on usb_device_t. BZ(1190349) - Make sure NetworkManager configures resolv.conf correctly
parent
ae5733a49e
commit
e793323380
@ -15771,7 +15771,7 @@ index 7be4ddf..71e675a 100644
|
|||||||
+/sys/class/net/ib.* -- gen_context(system_u:object_r:sysctl_net_t,s0)
|
+/sys/class/net/ib.* -- gen_context(system_u:object_r:sysctl_net_t,s0)
|
||||||
+/sys/kernel/uevent_helper -- gen_context(system_u:object_r:usermodehelper_t,s0)
|
+/sys/kernel/uevent_helper -- gen_context(system_u:object_r:usermodehelper_t,s0)
|
||||||
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
|
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
|
||||||
index e100d88..9e881e6 100644
|
index e100d88..f45a698 100644
|
||||||
--- a/policy/modules/kernel/kernel.if
|
--- a/policy/modules/kernel/kernel.if
|
||||||
+++ b/policy/modules/kernel/kernel.if
|
+++ b/policy/modules/kernel/kernel.if
|
||||||
@@ -126,6 +126,24 @@ interface(`kernel_setsched',`
|
@@ -126,6 +126,24 @@ interface(`kernel_setsched',`
|
||||||
@ -16398,7 +16398,7 @@ index e100d88..9e881e6 100644
|
|||||||
## Unconfined access to kernel module resources.
|
## Unconfined access to kernel module resources.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -2972,5 +3280,565 @@ interface(`kernel_unconfined',`
|
@@ -2972,5 +3280,583 @@ interface(`kernel_unconfined',`
|
||||||
')
|
')
|
||||||
|
|
||||||
typeattribute $1 kern_unconfined;
|
typeattribute $1 kern_unconfined;
|
||||||
@ -16964,6 +16964,24 @@ index e100d88..9e881e6 100644
|
|||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ allow $1 usermodehelper_t:file relabelto;
|
+ allow $1 usermodehelper_t:file relabelto;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Read netlink audit socket
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`kernel_read_netlink_audit_socket',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type kernel_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 kernel_t:netlink_audit_socket r_netlink_socket_perms;
|
||||||
')
|
')
|
||||||
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
|
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
|
||||||
index 8dbab4c..15230be 100644
|
index 8dbab4c..15230be 100644
|
||||||
@ -21737,18 +21755,20 @@ index 6d77e81..79ee03d 100644
|
|||||||
+ ')
|
+ ')
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
|
diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
|
||||||
index a26f84f..947af6c 100644
|
index a26f84f..59fe535 100644
|
||||||
--- a/policy/modules/services/postgresql.fc
|
--- a/policy/modules/services/postgresql.fc
|
||||||
+++ b/policy/modules/services/postgresql.fc
|
+++ b/policy/modules/services/postgresql.fc
|
||||||
@@ -10,6 +10,7 @@
|
@@ -10,6 +10,9 @@
|
||||||
#
|
#
|
||||||
/usr/bin/initdb(\.sepgsql)? -- gen_context(system_u:object_r:postgresql_exec_t,s0)
|
/usr/bin/initdb(\.sepgsql)? -- gen_context(system_u:object_r:postgresql_exec_t,s0)
|
||||||
/usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
|
/usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
|
||||||
+/usr/bin/pg_ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0)
|
+/usr/bin/pg_ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0)
|
||||||
|
+
|
||||||
|
+/usr/libexec/postgresql-ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0)
|
||||||
|
|
||||||
/usr/lib/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
|
/usr/lib/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
|
||||||
/usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
|
/usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
|
||||||
@@ -28,9 +29,10 @@ ifdef(`distro_redhat', `
|
@@ -28,9 +31,10 @@ ifdef(`distro_redhat', `
|
||||||
#
|
#
|
||||||
/var/lib/postgres(ql)?(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
|
/var/lib/postgres(ql)?(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
|
||||||
|
|
||||||
@ -21761,7 +21781,7 @@ index a26f84f..947af6c 100644
|
|||||||
|
|
||||||
/var/lib/sepgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
|
/var/lib/sepgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
|
||||||
/var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0)
|
/var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0)
|
||||||
@@ -45,4 +47,4 @@ ifdef(`distro_redhat', `
|
@@ -45,4 +49,4 @@ ifdef(`distro_redhat', `
|
||||||
|
|
||||||
/var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
|
/var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
|
||||||
|
|
||||||
@ -34686,7 +34706,7 @@ index 4e94884..8de26ad 100644
|
|||||||
+ logging_log_filetrans($1, var_log_t, dir, "anaconda")
|
+ logging_log_filetrans($1, var_log_t, dir, "anaconda")
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
|
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
|
||||||
index 59b04c1..53a6182 100644
|
index 59b04c1..d9852d4 100644
|
||||||
--- a/policy/modules/system/logging.te
|
--- a/policy/modules/system/logging.te
|
||||||
+++ b/policy/modules/system/logging.te
|
+++ b/policy/modules/system/logging.te
|
||||||
@@ -4,6 +4,21 @@ policy_module(logging, 1.20.1)
|
@@ -4,6 +4,21 @@ policy_module(logging, 1.20.1)
|
||||||
@ -34921,7 +34941,7 @@ index 59b04c1..53a6182 100644
|
|||||||
|
|
||||||
# Create and bind to /dev/log or /var/run/log.
|
# Create and bind to /dev/log or /var/run/log.
|
||||||
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
|
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
|
||||||
@@ -389,30 +434,46 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
|
@@ -389,30 +434,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
|
||||||
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
|
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
|
||||||
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
|
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
|
||||||
|
|
||||||
@ -34944,6 +34964,7 @@ index 59b04c1..53a6182 100644
|
|||||||
kernel_read_system_state(syslogd_t)
|
kernel_read_system_state(syslogd_t)
|
||||||
kernel_read_network_state(syslogd_t)
|
kernel_read_network_state(syslogd_t)
|
||||||
kernel_read_kernel_sysctls(syslogd_t)
|
kernel_read_kernel_sysctls(syslogd_t)
|
||||||
|
+kernel_read_netlink_audit_socket(syslogd_t)
|
||||||
kernel_read_proc_symlinks(syslogd_t)
|
kernel_read_proc_symlinks(syslogd_t)
|
||||||
# Allow access to /proc/kmsg for syslog-ng
|
# Allow access to /proc/kmsg for syslog-ng
|
||||||
kernel_read_messages(syslogd_t)
|
kernel_read_messages(syslogd_t)
|
||||||
@ -34971,7 +34992,7 @@ index 59b04c1..53a6182 100644
|
|||||||
# syslog-ng can listen and connect on tcp port 514 (rsh)
|
# syslog-ng can listen and connect on tcp port 514 (rsh)
|
||||||
corenet_tcp_sendrecv_generic_if(syslogd_t)
|
corenet_tcp_sendrecv_generic_if(syslogd_t)
|
||||||
corenet_tcp_sendrecv_generic_node(syslogd_t)
|
corenet_tcp_sendrecv_generic_node(syslogd_t)
|
||||||
@@ -422,6 +483,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
|
@@ -422,6 +484,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
|
||||||
corenet_tcp_connect_rsh_port(syslogd_t)
|
corenet_tcp_connect_rsh_port(syslogd_t)
|
||||||
# Allow users to define additional syslog ports to connect to
|
# Allow users to define additional syslog ports to connect to
|
||||||
corenet_tcp_bind_syslogd_port(syslogd_t)
|
corenet_tcp_bind_syslogd_port(syslogd_t)
|
||||||
@ -34980,7 +35001,7 @@ index 59b04c1..53a6182 100644
|
|||||||
corenet_tcp_connect_syslogd_port(syslogd_t)
|
corenet_tcp_connect_syslogd_port(syslogd_t)
|
||||||
corenet_tcp_connect_postgresql_port(syslogd_t)
|
corenet_tcp_connect_postgresql_port(syslogd_t)
|
||||||
corenet_tcp_connect_mysqld_port(syslogd_t)
|
corenet_tcp_connect_mysqld_port(syslogd_t)
|
||||||
@@ -432,9 +495,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
|
@@ -432,9 +496,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
|
||||||
corenet_sendrecv_postgresql_client_packets(syslogd_t)
|
corenet_sendrecv_postgresql_client_packets(syslogd_t)
|
||||||
corenet_sendrecv_mysqld_client_packets(syslogd_t)
|
corenet_sendrecv_mysqld_client_packets(syslogd_t)
|
||||||
|
|
||||||
@ -35008,7 +35029,7 @@ index 59b04c1..53a6182 100644
|
|||||||
domain_use_interactive_fds(syslogd_t)
|
domain_use_interactive_fds(syslogd_t)
|
||||||
|
|
||||||
files_read_etc_files(syslogd_t)
|
files_read_etc_files(syslogd_t)
|
||||||
@@ -448,13 +528,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
|
@@ -448,13 +529,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
|
||||||
|
|
||||||
fs_getattr_all_fs(syslogd_t)
|
fs_getattr_all_fs(syslogd_t)
|
||||||
fs_search_auto_mountpoints(syslogd_t)
|
fs_search_auto_mountpoints(syslogd_t)
|
||||||
@ -35026,7 +35047,7 @@ index 59b04c1..53a6182 100644
|
|||||||
# for sending messages to logged in users
|
# for sending messages to logged in users
|
||||||
init_read_utmp(syslogd_t)
|
init_read_utmp(syslogd_t)
|
||||||
init_dontaudit_write_utmp(syslogd_t)
|
init_dontaudit_write_utmp(syslogd_t)
|
||||||
@@ -466,11 +550,11 @@ init_use_fds(syslogd_t)
|
@@ -466,11 +551,11 @@ init_use_fds(syslogd_t)
|
||||||
|
|
||||||
# cjp: this doesnt make sense
|
# cjp: this doesnt make sense
|
||||||
logging_send_syslog_msg(syslogd_t)
|
logging_send_syslog_msg(syslogd_t)
|
||||||
@ -35041,7 +35062,7 @@ index 59b04c1..53a6182 100644
|
|||||||
|
|
||||||
ifdef(`distro_gentoo',`
|
ifdef(`distro_gentoo',`
|
||||||
# default gentoo syslog-ng config appends kernel
|
# default gentoo syslog-ng config appends kernel
|
||||||
@@ -497,6 +581,7 @@ optional_policy(`
|
@@ -497,6 +582,7 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
cron_manage_log_files(syslogd_t)
|
cron_manage_log_files(syslogd_t)
|
||||||
cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
|
cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
|
||||||
@ -35049,7 +35070,7 @@ index 59b04c1..53a6182 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -507,15 +592,40 @@ optional_policy(`
|
@@ -507,15 +593,40 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -35090,7 +35111,7 @@ index 59b04c1..53a6182 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -526,3 +636,26 @@ optional_policy(`
|
@@ -526,3 +637,26 @@ optional_policy(`
|
||||||
# log to the xconsole
|
# log to the xconsole
|
||||||
xserver_rw_console(syslogd_t)
|
xserver_rw_console(syslogd_t)
|
||||||
')
|
')
|
||||||
@ -39082,7 +39103,7 @@ index 1447687..d5e6fb9 100644
|
|||||||
seutil_read_config(setrans_t)
|
seutil_read_config(setrans_t)
|
||||||
|
|
||||||
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
|
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
|
||||||
index 40edc18..963b974 100644
|
index 40edc18..b328c40 100644
|
||||||
--- a/policy/modules/system/sysnetwork.fc
|
--- a/policy/modules/system/sysnetwork.fc
|
||||||
+++ b/policy/modules/system/sysnetwork.fc
|
+++ b/policy/modules/system/sysnetwork.fc
|
||||||
@@ -17,23 +17,27 @@ ifdef(`distro_debian',`
|
@@ -17,23 +17,27 @@ ifdef(`distro_debian',`
|
||||||
@ -39114,7 +39135,7 @@ index 40edc18..963b974 100644
|
|||||||
+/var/run/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
|
+/var/run/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
|
||||||
+/var/run/systemd/resolve/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
|
+/var/run/systemd/resolve/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
|
||||||
')
|
')
|
||||||
+/var/run/NetworkManager/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
|
+/var/run/NetworkManager/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
|
||||||
|
|
||||||
#
|
#
|
||||||
# /sbin
|
# /sbin
|
||||||
@ -39156,7 +39177,7 @@ index 40edc18..963b974 100644
|
|||||||
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
|
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
|
||||||
+
|
+
|
||||||
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
|
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
|
||||||
index 2cea692..07185cb 100644
|
index 2cea692..8dbfc5b 100644
|
||||||
--- a/policy/modules/system/sysnetwork.if
|
--- a/policy/modules/system/sysnetwork.if
|
||||||
+++ b/policy/modules/system/sysnetwork.if
|
+++ b/policy/modules/system/sysnetwork.if
|
||||||
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
|
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
|
||||||
@ -39359,7 +39380,7 @@ index 2cea692..07185cb 100644
|
|||||||
|
|
||||||
allow $1 net_conf_t:file manage_file_perms;
|
allow $1 net_conf_t:file manage_file_perms;
|
||||||
|
|
||||||
@@ -463,7 +597,42 @@ interface(`sysnet_manage_config',`
|
@@ -463,7 +597,41 @@ interface(`sysnet_manage_config',`
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
@ -39368,7 +39389,6 @@ index 2cea692..07185cb 100644
|
|||||||
+ allow $1 net_conf_t:dir list_dir_perms;
|
+ allow $1 net_conf_t:dir list_dir_perms;
|
||||||
manage_files_pattern($1, net_conf_t, net_conf_t)
|
manage_files_pattern($1, net_conf_t, net_conf_t)
|
||||||
+ manage_lnk_files_pattern($1, net_conf_t, net_conf_t)
|
+ manage_lnk_files_pattern($1, net_conf_t, net_conf_t)
|
||||||
+ sysnet_filetrans_named_content($1)
|
|
||||||
+ ')
|
+ ')
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
@ -39402,7 +39422,7 @@ index 2cea692..07185cb 100644
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -501,6 +670,7 @@ interface(`sysnet_delete_dhcpc_pid',`
|
@@ -501,6 +669,7 @@ interface(`sysnet_delete_dhcpc_pid',`
|
||||||
type dhcpc_var_run_t;
|
type dhcpc_var_run_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -39410,7 +39430,7 @@ index 2cea692..07185cb 100644
|
|||||||
allow $1 dhcpc_var_run_t:file unlink;
|
allow $1 dhcpc_var_run_t:file unlink;
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -610,6 +780,25 @@ interface(`sysnet_signull_ifconfig',`
|
@@ -610,6 +779,25 @@ interface(`sysnet_signull_ifconfig',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -39436,7 +39456,7 @@ index 2cea692..07185cb 100644
|
|||||||
## Read the DHCP configuration files.
|
## Read the DHCP configuration files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -626,6 +815,7 @@ interface(`sysnet_read_dhcp_config',`
|
@@ -626,6 +814,7 @@ interface(`sysnet_read_dhcp_config',`
|
||||||
files_search_etc($1)
|
files_search_etc($1)
|
||||||
allow $1 dhcp_etc_t:dir list_dir_perms;
|
allow $1 dhcp_etc_t:dir list_dir_perms;
|
||||||
read_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
|
read_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
|
||||||
@ -39444,7 +39464,7 @@ index 2cea692..07185cb 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -647,6 +837,26 @@ interface(`sysnet_search_dhcp_state',`
|
@@ -647,6 +836,26 @@ interface(`sysnet_search_dhcp_state',`
|
||||||
allow $1 dhcp_state_t:dir search_dir_perms;
|
allow $1 dhcp_state_t:dir search_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -39471,7 +39491,7 @@ index 2cea692..07185cb 100644
|
|||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Create DHCP state data.
|
## Create DHCP state data.
|
||||||
@@ -711,8 +921,6 @@ interface(`sysnet_dns_name_resolve',`
|
@@ -711,8 +920,6 @@ interface(`sysnet_dns_name_resolve',`
|
||||||
allow $1 self:udp_socket create_socket_perms;
|
allow $1 self:udp_socket create_socket_perms;
|
||||||
allow $1 self:netlink_route_socket r_netlink_socket_perms;
|
allow $1 self:netlink_route_socket r_netlink_socket_perms;
|
||||||
|
|
||||||
@ -39480,19 +39500,21 @@ index 2cea692..07185cb 100644
|
|||||||
corenet_tcp_sendrecv_generic_if($1)
|
corenet_tcp_sendrecv_generic_if($1)
|
||||||
corenet_udp_sendrecv_generic_if($1)
|
corenet_udp_sendrecv_generic_if($1)
|
||||||
corenet_tcp_sendrecv_generic_node($1)
|
corenet_tcp_sendrecv_generic_node($1)
|
||||||
@@ -720,8 +928,11 @@ interface(`sysnet_dns_name_resolve',`
|
@@ -720,8 +927,13 @@ interface(`sysnet_dns_name_resolve',`
|
||||||
corenet_tcp_sendrecv_dns_port($1)
|
corenet_tcp_sendrecv_dns_port($1)
|
||||||
corenet_udp_sendrecv_dns_port($1)
|
corenet_udp_sendrecv_dns_port($1)
|
||||||
corenet_tcp_connect_dns_port($1)
|
corenet_tcp_connect_dns_port($1)
|
||||||
+ corenet_tcp_connect_dnssec_port($1)
|
+ corenet_tcp_connect_dnssec_port($1)
|
||||||
corenet_sendrecv_dns_client_packets($1)
|
corenet_sendrecv_dns_client_packets($1)
|
||||||
|
|
||||||
|
+ files_search_all_pids($1)
|
||||||
|
+
|
||||||
+ miscfiles_read_generic_certs($1)
|
+ miscfiles_read_generic_certs($1)
|
||||||
+
|
+
|
||||||
sysnet_read_config($1)
|
sysnet_read_config($1)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -750,8 +961,6 @@ interface(`sysnet_use_ldap',`
|
@@ -750,8 +962,6 @@ interface(`sysnet_use_ldap',`
|
||||||
|
|
||||||
allow $1 self:tcp_socket create_socket_perms;
|
allow $1 self:tcp_socket create_socket_perms;
|
||||||
|
|
||||||
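Review bot: `files_search_all_pids($1)`, added inside `sysnet_dns_name_resolve` in this hunk, grants directory search on every pid-file type to every domain that resolves DNS names, which is much wider than the single directory this commit relabels in sysnetwork.fc (`/var/run/NetworkManager/resolv\.conf.*`). The intent appears to be letting resolvers follow an /etc/resolv.conf symlink into /var/run/NetworkManager or /var/run/systemd/resolve, but that is inferred; the line carries no comment explaining why a search over all pid directories is needed. Add one, e.g. `# /etc/resolv.conf may be a symlink into /var/run/NetworkManager or /var/run/systemd/resolve`, and if a narrower interface covering just that pid directory exists, prefer it over the all-pids search. The enclosing interface begins and ends outside this hunk.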
@ -39501,7 +39523,7 @@ index 2cea692..07185cb 100644
|
|||||||
corenet_tcp_sendrecv_generic_if($1)
|
corenet_tcp_sendrecv_generic_if($1)
|
||||||
corenet_tcp_sendrecv_generic_node($1)
|
corenet_tcp_sendrecv_generic_node($1)
|
||||||
corenet_tcp_sendrecv_ldap_port($1)
|
corenet_tcp_sendrecv_ldap_port($1)
|
||||||
@@ -760,9 +969,14 @@ interface(`sysnet_use_ldap',`
|
@@ -760,9 +970,14 @@ interface(`sysnet_use_ldap',`
|
||||||
|
|
||||||
# Support for LDAPS
|
# Support for LDAPS
|
||||||
dev_read_rand($1)
|
dev_read_rand($1)
|
||||||
@ -39516,7 +39538,7 @@ index 2cea692..07185cb 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -784,7 +998,6 @@ interface(`sysnet_use_portmap',`
|
@@ -784,7 +999,6 @@ interface(`sysnet_use_portmap',`
|
||||||
allow $1 self:udp_socket create_socket_perms;
|
allow $1 self:udp_socket create_socket_perms;
|
||||||
|
|
||||||
corenet_all_recvfrom_unlabeled($1)
|
corenet_all_recvfrom_unlabeled($1)
|
||||||
@ -39524,7 +39546,7 @@ index 2cea692..07185cb 100644
|
|||||||
corenet_tcp_sendrecv_generic_if($1)
|
corenet_tcp_sendrecv_generic_if($1)
|
||||||
corenet_udp_sendrecv_generic_if($1)
|
corenet_udp_sendrecv_generic_if($1)
|
||||||
corenet_tcp_sendrecv_generic_node($1)
|
corenet_tcp_sendrecv_generic_node($1)
|
||||||
@@ -796,3 +1009,122 @@ interface(`sysnet_use_portmap',`
|
@@ -796,3 +1010,122 @@ interface(`sysnet_use_portmap',`
|
||||||
|
|
||||||
sysnet_read_config($1)
|
sysnet_read_config($1)
|
||||||
')
|
')
|
||||||
|
@ -10519,7 +10519,7 @@ index 0000000..968c957
|
|||||||
+')
|
+')
|
||||||
diff --git a/brltty.te b/brltty.te
|
diff --git a/brltty.te b/brltty.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..32c786b
|
index 0000000..0efa3a2
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/brltty.te
|
+++ b/brltty.te
|
||||||
@@ -0,0 +1,61 @@
|
@@ -0,0 +1,61 @@
|
||||||
@ -10573,7 +10573,7 @@ index 0000000..32c786b
|
|||||||
+corenet_tcp_bind_brlp_port(brltty_t)
|
+corenet_tcp_bind_brlp_port(brltty_t)
|
||||||
+
|
+
|
||||||
+dev_read_sysfs(brltty_t)
|
+dev_read_sysfs(brltty_t)
|
||||||
+dev_getattr_generic_usb_dev(brltty_t)
|
+dev_rw_generic_usb_dev(brltty_t)
|
||||||
+
|
+
|
||||||
+fs_getattr_all_fs(brltty_t)
|
+fs_getattr_all_fs(brltty_t)
|
||||||
+
|
+
|
||||||
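Review bot: `dev_rw_generic_usb_dev(brltty_t)` replaces `dev_getattr_generic_usb_dev(brltty_t)` here, but the %changelog entry in this commit describes the change as allowing ioctl on usb_device_t; the interface name indicates read/write access to the generic USB device nodes, which is broader than ioctl alone. If the observed denial was ioctl only, a narrower grant may suffice; if brltty genuinely needs to read and write the device nodes (plausible for a braille display driver, but inferred), the changelog wording should say so. A short comment on the line, e.g. `# brltty drives USB braille displays through the generic usb device nodes`, would record the reason. The rest of brltty.te lies outside this hunk.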
@ -25259,10 +25259,10 @@ index 0000000..c8e5981
|
|||||||
+
|
+
|
||||||
diff --git a/docker.te b/docker.te
|
diff --git a/docker.te b/docker.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..4561111
|
index 0000000..2bfade6
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/docker.te
|
+++ b/docker.te
|
||||||
@@ -0,0 +1,305 @@
|
@@ -0,0 +1,309 @@
|
||||||
+policy_module(docker, 1.0.0)
|
+policy_module(docker, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -25278,19 +25278,15 @@ index 0000000..4561111
|
|||||||
+## </desc>
|
+## </desc>
|
||||||
+gen_tunable(docker_connect_any, false)
|
+gen_tunable(docker_connect_any, false)
|
||||||
+
|
+
|
||||||
+## <desc>
|
|
||||||
+## <p>
|
|
||||||
+## Allow docker to transition to unconfined containers.
|
|
||||||
+## </p>
|
|
||||||
+## </desc>
|
|
||||||
+gen_tunable(docker_transition_unconfined, false)
|
|
||||||
+
|
|
||||||
+type docker_t;
|
+type docker_t;
|
||||||
+type docker_exec_t;
|
+type docker_exec_t;
|
||||||
+init_daemon_domain(docker_t, docker_exec_t)
|
+init_daemon_domain(docker_t, docker_exec_t)
|
||||||
+domain_subj_id_change_exemption(docker_t)
|
+domain_subj_id_change_exemption(docker_t)
|
||||||
+domain_role_change_exemption(docker_t)
|
+domain_role_change_exemption(docker_t)
|
||||||
+
|
+
|
||||||
|
+type spc_t;
|
||||||
|
+domain_type(spc_t)
|
||||||
|
+
|
||||||
+type docker_var_lib_t;
|
+type docker_var_lib_t;
|
||||||
+files_type(docker_var_lib_t)
|
+files_type(docker_var_lib_t)
|
||||||
+
|
+
|
||||||
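Review bot: Removing the `docker_transition_unconfined` tunable (default `false`) in this hunk, together with the unconditional `domtrans_pattern(docker_t, docker_share_t, spc_t)` / `domtrans_pattern(docker_t, docker_var_lib_t, spc_t)` and `optional_policy(` `unconfined_domain(spc_t)` `')` added in the hunk at `@ -25562,12 +25558,20 @@`, turns an opt-in unconfined transition into one that is always active whenever the unconfined module is loaded. Neither the commit message nor the %changelog entry in this commit mentions docker or spc_t, so this privilege change ships undocumented. At minimum add a changelog line describing the new spc_t domain, and a comment above the `+type spc_t;` declaration stating that it is meant to be unconfined and which executables (docker_share_t, docker_var_lib_t) reach it; consider whether the transition should remain behind a tunable. Parts of docker.te between these two hunks are outside this view.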
@ -25562,12 +25558,20 @@ index 0000000..4561111
|
|||||||
+ corenet_tcp_sendrecv_all_ports(docker_t)
|
+ corenet_tcp_sendrecv_all_ports(docker_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+tunable_policy(`docker_transition_unconfined',`
|
+########################################
|
||||||
+ unconfined_transition(docker_t, docker_share_t)
|
+#
|
||||||
+ unconfined_transition(docker_t, docker_var_lib_t)
|
+# spc local policy
|
||||||
+ unconfined_setsched(docker_t)
|
+#
|
||||||
+ userdom_attach_admin_tun_iface(docker_t)
|
+role system_r types spc_t;
|
||||||
|
+allow docker_t spc_t:process setsched;
|
||||||
|
+
|
||||||
|
+domtrans_pattern(docker_t, docker_share_t, spc_t)
|
||||||
|
+domtrans_pattern(docker_t, docker_var_lib_t, spc_t)
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ unconfined_domain(spc_t)
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
diff --git a/dovecot.fc b/dovecot.fc
|
diff --git a/dovecot.fc b/dovecot.fc
|
||||||
index c880070..4448055 100644
|
index c880070..4448055 100644
|
||||||
--- a/dovecot.fc
|
--- a/dovecot.fc
|
||||||
@ -55596,7 +55600,7 @@ index 86dc29d..219892b 100644
|
|||||||
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
|
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
|
||||||
')
|
')
|
||||||
diff --git a/networkmanager.te b/networkmanager.te
|
diff --git a/networkmanager.te b/networkmanager.te
|
||||||
index 55f2009..476d363 100644
|
index 55f2009..694f99e 100644
|
||||||
--- a/networkmanager.te
|
--- a/networkmanager.te
|
||||||
+++ b/networkmanager.te
|
+++ b/networkmanager.te
|
||||||
@@ -9,15 +9,18 @@ type NetworkManager_t;
|
@@ -9,15 +9,18 @@ type NetworkManager_t;
|
||||||
@ -55794,7 +55798,8 @@ index 55f2009..476d363 100644
|
|||||||
sysnet_search_dhcp_state(NetworkManager_t)
|
sysnet_search_dhcp_state(NetworkManager_t)
|
||||||
+# in /etc created by NetworkManager will be labelled net_conf_t.
|
+# in /etc created by NetworkManager will be labelled net_conf_t.
|
||||||
sysnet_manage_config(NetworkManager_t)
|
sysnet_manage_config(NetworkManager_t)
|
||||||
sysnet_etc_filetrans_config(NetworkManager_t)
|
-sysnet_etc_filetrans_config(NetworkManager_t)
|
||||||
|
+sysnet_filetrans_named_content(NetworkManager_t)
|
||||||
|
|
||||||
-# certificates in user home directories (cert_home_t in ~/\.pki)
|
-# certificates in user home directories (cert_home_t in ~/\.pki)
|
||||||
-userdom_read_user_home_content_files(NetworkManager_t)
|
-userdom_read_user_home_content_files(NetworkManager_t)
|
||||||
|
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.13.1
|
Version: 3.13.1
|
||||||
Release: 110%{?dist}
|
Release: 111%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -605,6 +605,13 @@ SELinux Reference policy mls base module.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Feb 10 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-111
|
||||||
|
- Label /usr/libexec/postgresql-ctl as postgresql_exec_t. BZ(1191004)
|
||||||
|
- Remove automatcically running filetrans_named_content form sysnet_manage_config
|
||||||
|
- Allow syslogd/journal to read netlink audit socket
|
||||||
|
- Allow brltty ioctl on usb_device_t. BZ(1190349)
|
||||||
|
- Make sure NetworkManager configures resolv.conf correctly
|
||||||
|
|
||||||
* Thu Feb 05 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-110
|
* Thu Feb 05 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-110
|
||||||
- Allow cockpit_session_t to create tmp files
|
- Allow cockpit_session_t to create tmp files
|
||||||
- apmd needs sys_resource when shutting down the machine
|
- apmd needs sys_resource when shutting down the machine
|
||||||
|