* Fri Sep 29 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-290
- Allow virtlogd_t domain to write inhibit systemd pipes. - Add dac_override capability to openvpn_t domain - Add dac_override capability to xdm_t domain - Allow dac_override to groupadd_t domain BZ(1497081) - Allow cloud-init to create /var/run/cloud-init dir with net_conf_t SELinux label. BZ(1489166)
parent
233534cc51
commit
e8dfe68ada
Binary file not shown.
@ -3190,7 +3190,7 @@ index 99e3903ea..fa68362ea 100644
## </summary>
## <param name="domain">
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 1d732f1e7..ae2fa67f8 100644
index 1d732f1e7..fc127e1d7 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -26,6 +26,7 @@ type chfn_exec_t;
@ -3519,7 +3519,7 @@ index 1d732f1e7..ae2fa67f8 100644
-allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
-dontaudit useradd_t self:capability sys_tty_config;
+allow useradd_t self:capability { dac_read_search chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot };
+allow useradd_t self:capability { dac_read_search dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot };
+
+dontaudit useradd_t self:capability { net_admin sys_tty_config };
+dontaudit useradd_t self:cap_userns { sys_ptrace };
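Review bot: The changelog entry says dac_override is added to groupadd_t, but the new `allow useradd_t self:capability { ... }` line grants it to useradd_t; if groupadd_t is a typealias of useradd_t in this policy (not visible in this hunk) the message should name the domain the rule actually edits, otherwise the wrong domain was changed. dac_override bypasses every DAC permission check on files, well beyond the read/search subset that dac_read_search on the same line already grants, so the rule should record why it is needed — e.g. `# BZ(1497081): dac_override needed by useradd/groupadd` above the allow line — and the bug should confirm the denial is not an ownership or labeling problem that the existing capabilities would cover. The xserver.te hunk that adds dac_override to xdm_t has the same gap, and the changelog gives no bug reference for it at all; add the equivalent comment there. The capability line belongs to the useradd_t rules that continue beyond this hunk.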
@ -32017,7 +32017,7 @@ index 6bf0ecc2d..75b2f31f9 100644
+')
+
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 8b403774f..fe21bfc46 100644
index 8b403774f..7eb9dade6 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,66 @@ gen_require(`
@ -32382,7 +32382,7 @@ index 8b403774f..fe21bfc46 100644
-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service net_admin sys_ptrace };
+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_read_search dac_override fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service net_admin sys_ptrace };
+allow xdm_t self:capability2 { block_suspend };
+allow xdm_t self:cap_userns { kill };
+dontaudit xdm_t self:capability sys_admin;
@ -37885,7 +37885,7 @@ index 79a45f62e..6ed0c399a 100644
+ allow $1 init_var_lib_t:dir search_dir_perms;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 17eda2480..7d76c87ce 100644
index 17eda2480..f049f18e3 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@ -38294,17 +38294,16 @@ index 17eda2480..7d76c87ce 100644
+optional_policy(`
+ modutils_domtrans_insmod(init_t)
+ modutils_list_module_config(init_t)
')
optional_policy(`
- auth_rw_login_records(init_t)
+')
+
+optional_policy(`
+ postfix_exec(init_t)
+ postfix_list_spool(init_t)
+ mta_read_config(init_t)
+ mta_manage_aliases(init_t)
')
optional_policy(`
+')
+
+optional_policy(`
+ systemd_allow_mount_dir(init_t)
+')
+
@ -38465,13 +38464,14 @@ index 17eda2480..7d76c87ce 100644
+optional_policy(`
+ lvm_rw_pipes(init_t)
+ lvm_read_config(init_t)
+')
+
+optional_policy(`
')
optional_policy(`
- auth_rw_login_records(init_t)
+ lldpad_relabel_tmpfs(init_t)
+')
+
+optional_policy(`
')
optional_policy(`
+ consolekit_manage_log(init_t)
+')
+
@ -38491,10 +38491,9 @@ index 17eda2480..7d76c87ce 100644
+ # the directory. But we do not want to allow this.
+ # The master process of dovecot will manage this file.
+ dovecot_dontaudit_unlink_lib_files(initrc_t)
')
optional_policy(`
- nscd_use(init_t)
+')
+
+optional_policy(`
+ networkmanager_stream_connect(init_t)
+ networkmanager_stream_connect(initrc_t)
+')
@ -38503,14 +38502,15 @@ index 17eda2480..7d76c87ce 100644
+ plymouthd_stream_connect(init_t)
+ plymouthd_exec_plymouth(init_t)
+ plymouthd_filetrans_named_content(init_t)
+')
+
+optional_policy(`
')
optional_policy(`
- nscd_use(init_t)
+ ssh_getattr_server_keys(init_t)
')
optional_policy(`
@@ -216,7 +641,30 @@ optional_policy(`
@@ -216,7 +641,34 @@ optional_policy(`
')
optional_policy(`
@ -38524,6 +38524,10 @@ index 17eda2480..7d76c87ce 100644
+')
+
+optional_policy(`
+ sysnet_filetrans_cloud_net_conf(init_t)
+')
+
+optional_policy(`
+ udev_read_db(init_t)
+ udev_relabelto_db(init_t)
+ udev_create_kobject_uevent_socket(init_t)
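Review bot: `sysnet_filetrans_cloud_net_conf(init_t)` makes init_t create /var/run/cloud-init as net_conf_t, the type this module already uses for resolv.conf and the other network-configuration files, so any domain allowed to write net_conf_t (the NetworkManager and systemd-resolved resolv.conf entries in the same fc file show such writers exist) also gains write access to cloud-init's runtime state, which is not network configuration. A dedicated type with its own fc entry and filetrans interface (a `cloud_init_var_run_t`-style name, to be chosen) would keep the two separable; if reusing net_conf_t is deliberate, say why in a comment above the call, e.g. `# BZ(1489166): cloud-init runtime dir shares net_conf_t with resolv.conf`. The same type choice is made by the sysnetwork.fc entry for /var/run/cloud-init and by the new sysnet_filetrans_cloud_net_conf interface in sysnetwork.if, so one decision settles all three. The optional_policy block is complete within this hunk, but the surrounding init_t rules continue outside it.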
@ -38542,7 +38546,7 @@ index 17eda2480..7d76c87ce 100644
')
########################################
@@ -225,9 +673,9 @@ optional_policy(`
@@ -225,9 +677,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -38554,7 +38558,7 @@ index 17eda2480..7d76c87ce 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
@@ -258,12 +706,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
@@ -258,12 +710,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -38571,7 +38575,7 @@ index 17eda2480..7d76c87ce 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
@@ -279,23 +731,36 @@ kernel_change_ring_buffer_level(initrc_t)
@@ -279,23 +735,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@ -38614,7 +38618,7 @@ index 17eda2480..7d76c87ce 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
@@ -303,9 +768,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
@@ -303,9 +772,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@ -38626,7 +38630,7 @@ index 17eda2480..7d76c87ce 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
@@ -313,8 +780,10 @@ dev_write_framebuffer(initrc_t)
@@ -313,8 +784,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@ -38637,7 +38641,7 @@ index 17eda2480..7d76c87ce 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
@@ -322,8 +791,7 @@ dev_manage_generic_files(initrc_t)
@@ -322,8 +795,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@ -38647,7 +38651,7 @@ index 17eda2480..7d76c87ce 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
@@ -332,7 +800,6 @@ domain_sigstop_all_domains(initrc_t)
@@ -332,7 +804,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@ -38655,7 +38659,7 @@ index 17eda2480..7d76c87ce 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
@@ -340,6 +807,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
@@ -340,6 +811,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@ -38663,7 +38667,7 @@ index 17eda2480..7d76c87ce 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
@@ -347,14 +815,15 @@ files_getattr_all_symlinks(initrc_t)
@@ -347,14 +819,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@ -38681,7 +38685,7 @@ index 17eda2480..7d76c87ce 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
@@ -364,8 +833,12 @@ files_list_isid_type_dirs(initrc_t)
@@ -364,8 +837,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@ -38695,7 +38699,7 @@ index 17eda2480..7d76c87ce 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
@@ -375,10 +848,11 @@ fs_mount_all_fs(initrc_t)
@@ -375,10 +852,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@ -38709,7 +38713,7 @@ index 17eda2480..7d76c87ce 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
@@ -387,8 +861,10 @@ mls_process_read_up(initrc_t)
@@ -387,8 +865,10 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@ -38720,7 +38724,7 @@ index 17eda2480..7d76c87ce 100644
storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t)
@@ -398,6 +874,7 @@ term_use_all_terms(initrc_t)
@@ -398,6 +878,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@ -38728,7 +38732,7 @@ index 17eda2480..7d76c87ce 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
@@ -416,20 +893,18 @@ logging_read_all_logs(initrc_t)
@@ -416,20 +897,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@ -38752,7 +38756,7 @@ index 17eda2480..7d76c87ce 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
@@ -451,7 +926,6 @@ ifdef(`distro_gentoo',`
@@ -451,7 +930,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@ -38760,7 +38764,7 @@ index 17eda2480..7d76c87ce 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
@@ -486,6 +960,10 @@ ifdef(`distro_gentoo',`
@@ -486,6 +964,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@ -38771,7 +38775,7 @@ index 17eda2480..7d76c87ce 100644
alsa_read_lib(initrc_t)
')
@@ -506,7 +984,7 @@ ifdef(`distro_redhat',`
@@ -506,7 +988,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@ -38780,7 +38784,7 @@ index 17eda2480..7d76c87ce 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
@@ -521,6 +999,7 @@ ifdef(`distro_redhat',`
@@ -521,6 +1003,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@ -38788,7 +38792,7 @@ index 17eda2480..7d76c87ce 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
@@ -541,6 +1020,7 @@ ifdef(`distro_redhat',`
@@ -541,6 +1024,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@ -38796,7 +38800,7 @@ index 17eda2480..7d76c87ce 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
@@ -550,8 +1030,44 @@ ifdef(`distro_redhat',`
@@ -550,8 +1034,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@ -38841,7 +38845,7 @@ index 17eda2480..7d76c87ce 100644
')
optional_policy(`
@@ -559,14 +1075,31 @@ ifdef(`distro_redhat',`
@@ -559,14 +1079,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@ -38873,7 +38877,7 @@ index 17eda2480..7d76c87ce 100644
')
')
@@ -577,6 +1110,39 @@ ifdef(`distro_suse',`
@@ -577,6 +1114,39 @@ ifdef(`distro_suse',`
')
')
@ -38913,7 +38917,7 @@ index 17eda2480..7d76c87ce 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
@@ -589,6 +1155,8 @@ optional_policy(`
@@ -589,6 +1159,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@ -38922,7 +38926,7 @@ index 17eda2480..7d76c87ce 100644
')
optional_policy(`
@@ -610,6 +1178,7 @@ optional_policy(`
@@ -610,6 +1182,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@ -38930,7 +38934,7 @@ index 17eda2480..7d76c87ce 100644
')
optional_policy(`
@@ -626,6 +1195,17 @@ optional_policy(`
@@ -626,6 +1199,17 @@ optional_policy(`
')
optional_policy(`
@ -38948,7 +38952,7 @@ index 17eda2480..7d76c87ce 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
@@ -642,9 +1222,13 @@ optional_policy(`
@@ -642,9 +1226,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@ -38962,7 +38966,7 @@ index 17eda2480..7d76c87ce 100644
')
optional_policy(`
@@ -657,15 +1241,11 @@ optional_policy(`
@@ -657,15 +1245,11 @@ optional_policy(`
')
optional_policy(`
@ -38980,7 +38984,7 @@ index 17eda2480..7d76c87ce 100644
')
optional_policy(`
@@ -686,6 +1266,15 @@ optional_policy(`
@@ -686,6 +1270,15 @@ optional_policy(`
')
optional_policy(`
@ -38996,7 +39000,7 @@ index 17eda2480..7d76c87ce 100644
inn_exec_config(initrc_t)
')
@@ -726,6 +1315,7 @@ optional_policy(`
@@ -726,6 +1319,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@ -39004,7 +39008,7 @@ index 17eda2480..7d76c87ce 100644
')
optional_policy(`
@@ -743,7 +1333,13 @@ optional_policy(`
@@ -743,7 +1337,13 @@ optional_policy(`
')
optional_policy(`
@ -39019,7 +39023,7 @@ index 17eda2480..7d76c87ce 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
@@ -766,6 +1362,10 @@ optional_policy(`
@@ -766,6 +1366,10 @@ optional_policy(`
')
optional_policy(`
@ -39030,7 +39034,7 @@ index 17eda2480..7d76c87ce 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
@@ -775,10 +1375,20 @@ optional_policy(`
@@ -775,10 +1379,20 @@ optional_policy(`
')
optional_policy(`
@ -39051,7 +39055,7 @@ index 17eda2480..7d76c87ce 100644
quota_manage_flags(initrc_t)
')
@@ -787,6 +1397,10 @@ optional_policy(`
@@ -787,6 +1401,10 @@ optional_policy(`
')
optional_policy(`
@ -39062,7 +39066,7 @@ index 17eda2480..7d76c87ce 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
@@ -808,8 +1422,6 @@ optional_policy(`
@@ -808,8 +1426,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@ -39071,7 +39075,7 @@ index 17eda2480..7d76c87ce 100644
')
optional_policy(`
@@ -818,6 +1430,10 @@ optional_policy(`
@@ -818,6 +1434,10 @@ optional_policy(`
')
optional_policy(`
@ -39082,7 +39086,7 @@ index 17eda2480..7d76c87ce 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
@@ -827,10 +1443,12 @@ optional_policy(`
@@ -827,10 +1447,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@ -39095,7 +39099,7 @@ index 17eda2480..7d76c87ce 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
@@ -857,21 +1475,62 @@ optional_policy(`
@@ -857,21 +1479,62 @@ optional_policy(`
')
optional_policy(`
@ -39159,7 +39163,7 @@ index 17eda2480..7d76c87ce 100644
')
optional_policy(`
@@ -887,6 +1546,10 @@ optional_policy(`
@@ -887,6 +1550,10 @@ optional_policy(`
')
optional_policy(`
@ -39170,7 +39174,7 @@ index 17eda2480..7d76c87ce 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
@@ -897,3 +1560,218 @@ optional_policy(`
@@ -897,3 +1564,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@ -47059,10 +47063,10 @@ index 1447687d5..0b1da4d3e 100644
seutil_read_config(setrans_t)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index 40edc18ab..95f4458d2 100644
index 40edc18ab..be7317733 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -17,23 +17,29 @@ ifdef(`distro_debian',`
@@ -17,23 +17,31 @@ ifdef(`distro_debian',`
/etc/dhclient.*conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
@ -47094,10 +47098,12 @@ index 40edc18ab..95f4458d2 100644
+/var/run/systemd/resolve/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
')
+/var/run/NetworkManager/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+
+/var/run/cloud-init(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
#
# /sbin
@@ -44,6 +50,7 @@ ifdef(`distro_redhat',`
@@ -44,6 +52,7 @@ ifdef(`distro_redhat',`
/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
@ -47105,7 +47111,7 @@ index 40edc18ab..95f4458d2 100644
/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
@@ -55,6 +62,21 @@ ifdef(`distro_redhat',`
@@ -55,6 +64,21 @@ ifdef(`distro_redhat',`
#
# /usr
#
@ -47127,7 +47133,7 @@ index 40edc18ab..95f4458d2 100644
/usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
#
@@ -77,3 +99,6 @@ ifdef(`distro_debian',`
@@ -77,3 +101,6 @@ ifdef(`distro_debian',`
/var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
')
@ -47135,7 +47141,7 @@ index 40edc18ab..95f4458d2 100644
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
+
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 2cea692c0..e3cb4f2ef 100644
index 2cea692c0..853ddefe4 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@ -47562,7 +47568,7 @@ index 2cea692c0..e3cb4f2ef 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
@@ -796,3 +1057,144 @@ interface(`sysnet_use_portmap',`
@@ -796,3 +1057,162 @@ interface(`sysnet_use_portmap',`
sysnet_read_config($1)
')
@ -47707,6 +47713,24 @@ index 2cea692c0..e3cb4f2ef 100644
+
+ files_etc_filetrans($1, net_conf_t, file)
+')
+
+########################################
+## <summary>
+## Transition to cloud-init named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_filetrans_cloud_net_conf',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ files_pid_filetrans($1, net_conf_t, dir, "cloud-init")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index a392fc4bc..d29b7f6fb 100644
--- a/policy/modules/system/sysnetwork.te
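Review bot: The new interface's summary `## Transition to cloud-init named content` does not tell a caller what it ends up with; the body is a directory-only transition, so the summary should read `## Create /var/run/cloud-init as net_conf_t (directory transition only; files created inside it get the parent's label by default).` Nothing in the interface grants the caller create permission on net_conf_t directories — presumably callers obtain that elsewhere, which is worth confirming for init_t before the transition is relied on, since a missing create right leaves the dir uncreated rather than mislabeled. The earlier interface whose `files_etc_filetrans($1, net_conf_t, file)` line appears as context begins outside this hunk.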
@ -68669,7 +68669,7 @@ index 6837e9a2b..8d6e33b00 100644
domain_system_change_exemption($1)
role_transition $2 openvpn_initrc_exec_t system_r;
diff --git a/openvpn.te b/openvpn.te
index 63957a362..1a037b974 100644
index 63957a362..91dead6e7 100644
--- a/openvpn.te
+++ b/openvpn.te
@@ -6,6 +6,13 @@ policy_module(openvpn, 1.12.2)
@ -68710,7 +68710,7 @@ index 63957a362..1a037b974 100644
#
-allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_admin setgid setuid sys_chroot sys_tty_config sys_nice };
+allow openvpn_t self:capability { dac_read_search ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config sys_nice };
+allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config sys_nice };
allow openvpn_t self:process { signal getsched setsched };
allow openvpn_t self:fifo_file rw_fifo_file_perms;
allow openvpn_t self:unix_dgram_socket sendto;
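Review bot: The replacement `+allow openvpn_t self:capability { ... }` line re-adds the dac_override that the upstream `-` line directly above it already carried, so after this change the Fedora override differs from upstream only by net_bind_service and the hunk's original purpose — dropping dac_override from openvpn_t — is effectively reverted. If that is intended, the rule should say what forces it, since the changelog gives no bug reference for openvpn_t; e.g. `# dac_override: <reason or BZ placeholder>` above the allow line, after checking whether the triggering denial is a labeling problem that the dac_read_search already on the line would cover. The openvpn_t capability line sits in a block of self rules that continues outside this hunk.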
@ -97220,7 +97220,7 @@ index 50d07fb2e..a34db489c 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
index 2b7c441e7..8f17d3b19 100644
index 2b7c441e7..6d5786b06 100644
--- a/samba.te
+++ b/samba.te
@@ -6,99 +6,86 @@ policy_module(samba, 1.16.3)
@ -97590,10 +97590,12 @@ index 2b7c441e7..8f17d3b19 100644
manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
allow smbd_t samba_share_t:filesystem { getattr quotaget };
@@ -298,65 +322,72 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
@@ -297,66 +321,74 @@ manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
+allow smbd_t samba_var_t:file { map } ;
+
+manage_dirs_pattern(smbd_t, samba_spool_t, samba_spool_t)
+manage_files_pattern(smbd_t, samba_spool_t, samba_spool_t)
+manage_lnk_files_pattern(smbd_t, samba_spool_t, samba_spool_t)
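Review bot: The added `allow smbd_t samba_var_t:file { map } ;` is not mentioned in the changelog entry for this commit, and the line has a stray space before the semicolon and braces around a single permission; the conventional form is `allow smbd_t samba_var_t:file map;`. map lets smbd memory-map files under samba_var_t (presumably its tdb databases — confirm), which is a reasonable grant but deserves a one-line comment naming the files that need it so the rule is not widened further later. The smbd_t rules around this line continue outside the hunk.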
@ -97602,7 +97604,7 @@ index 2b7c441e7..8f17d3b19 100644
+
+allow smbd_t smbcontrol_t:process { signal signull };
+allow smbd_t smbcontrol_t:unix_dgram_socket sendto;
+
manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
@ -97687,7 +97689,7 @@ index 2b7c441e7..8f17d3b19 100644
fs_getattr_all_fs(smbd_t)
fs_getattr_all_dirs(smbd_t)
@@ -366,44 +397,53 @@ fs_getattr_rpc_dirs(smbd_t)
@@ -366,44 +398,53 @@ fs_getattr_rpc_dirs(smbd_t)
fs_list_inotifyfs(smbd_t)
fs_get_all_fs_quotas(smbd_t)
@ -97753,7 +97755,7 @@ index 2b7c441e7..8f17d3b19 100644
')
tunable_policy(`samba_domain_controller',`
@@ -419,20 +459,16 @@ tunable_policy(`samba_domain_controller',`
@@ -419,20 +460,16 @@ tunable_policy(`samba_domain_controller',`
')
tunable_policy(`samba_enable_home_dirs',`
@ -97780,7 +97782,7 @@ index 2b7c441e7..8f17d3b19 100644
tunable_policy(`samba_share_nfs',`
fs_manage_nfs_dirs(smbd_t)
fs_manage_nfs_files(smbd_t)
@@ -441,6 +477,7 @@ tunable_policy(`samba_share_nfs',`
@@ -441,6 +478,7 @@ tunable_policy(`samba_share_nfs',`
fs_manage_nfs_named_sockets(smbd_t)
')
@ -97788,7 +97790,7 @@ index 2b7c441e7..8f17d3b19 100644
tunable_policy(`samba_share_fusefs',`
fs_manage_fusefs_dirs(smbd_t)
fs_manage_fusefs_files(smbd_t)
@@ -448,15 +485,10 @@ tunable_policy(`samba_share_fusefs',`
@@ -448,15 +486,10 @@ tunable_policy(`samba_share_fusefs',`
fs_search_fusefs(smbd_t)
')
@ -97808,7 +97810,7 @@ index 2b7c441e7..8f17d3b19 100644
')
optional_policy(`
@@ -466,6 +498,7 @@ optional_policy(`
@@ -466,6 +499,7 @@ optional_policy(`
optional_policy(`
ctdbd_stream_connect(smbd_t)
ctdbd_manage_lib_files(smbd_t)
@ -97816,7 +97818,7 @@ index 2b7c441e7..8f17d3b19 100644
')
optional_policy(`
@@ -474,11 +507,31 @@ optional_policy(`
@@ -474,11 +508,31 @@ optional_policy(`
')
optional_policy(`
@ -97848,7 +97850,7 @@ index 2b7c441e7..8f17d3b19 100644
lpd_exec_lpr(smbd_t)
')
@@ -488,6 +541,10 @@ optional_policy(`
@@ -488,6 +542,10 @@ optional_policy(`
')
optional_policy(`
@ -97859,7 +97861,7 @@ index 2b7c441e7..8f17d3b19 100644
rpc_search_nfs_state_data(smbd_t)
')
@@ -499,12 +556,53 @@ optional_policy(`
@@ -499,12 +557,53 @@ optional_policy(`
udev_read_db(smbd_t)
')
@ -97914,7 +97916,7 @@ index 2b7c441e7..8f17d3b19 100644
allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow nmbd_t self:fd use;
allow nmbd_t self:fifo_file rw_fifo_file_perms;
@@ -512,9 +610,11 @@ allow nmbd_t self:msg { send receive };
@@ -512,9 +611,11 @@ allow nmbd_t self:msg { send receive };
allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms;
@ -97929,7 +97931,7 @@ index 2b7c441e7..8f17d3b19 100644
manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
@@ -526,20 +626,16 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
@@ -526,20 +627,16 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@ -97954,7 +97956,7 @@ index 2b7c441e7..8f17d3b19 100644
kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
@@ -547,53 +643,44 @@ kernel_read_kernel_sysctls(nmbd_t)
@@ -547,53 +644,44 @@ kernel_read_kernel_sysctls(nmbd_t)
kernel_read_network_state(nmbd_t)
kernel_read_software_raid_state(nmbd_t)
kernel_read_system_state(nmbd_t)
@ -98023,7 +98025,7 @@ index 2b7c441e7..8f17d3b19 100644
')
optional_policy(`
@@ -606,18 +693,29 @@ optional_policy(`
@@ -606,18 +694,29 @@ optional_policy(`
########################################
#
@ -98059,7 +98061,7 @@ index 2b7c441e7..8f17d3b19 100644
samba_read_config(smbcontrol_t)
samba_search_var(smbcontrol_t)
@@ -627,39 +725,38 @@ domain_use_interactive_fds(smbcontrol_t)
@@ -627,39 +726,38 @@ domain_use_interactive_fds(smbcontrol_t)
dev_read_urand(smbcontrol_t)
@ -98111,7 +98113,7 @@ index 2b7c441e7..8f17d3b19 100644
allow smbmount_t samba_secrets_t:file manage_file_perms;
@@ -668,26 +765,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
@@ -668,26 +766,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
@ -98147,7 +98149,7 @@ index 2b7c441e7..8f17d3b19 100644
fs_getattr_cifs(smbmount_t)
fs_mount_cifs(smbmount_t)
@@ -699,58 +792,77 @@ fs_read_cifs_files(smbmount_t)
@@ -699,58 +793,77 @@ fs_read_cifs_files(smbmount_t)
storage_raw_read_fixed_disk(smbmount_t)
storage_raw_write_fixed_disk(smbmount_t)
@ -98240,7 +98242,7 @@ index 2b7c441e7..8f17d3b19 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
@@ -759,17 +871,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
@@ -759,17 +872,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
files_pid_filetrans(swat_t, swat_var_run_t, file)
@ -98264,7 +98266,7 @@ index 2b7c441e7..8f17d3b19 100644
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
@@ -777,36 +885,25 @@ kernel_read_network_state(swat_t)
@@ -777,36 +886,25 @@ kernel_read_network_state(swat_t)
corecmd_search_bin(swat_t)
@ -98307,7 +98309,7 @@ index 2b7c441e7..8f17d3b19 100644
auth_domtrans_chk_passwd(swat_t)
auth_use_nsswitch(swat_t)
@@ -818,10 +915,11 @@ logging_send_syslog_msg(swat_t)
@@ -818,10 +916,11 @@ logging_send_syslog_msg(swat_t)
logging_send_audit_msgs(swat_t)
logging_search_logs(swat_t)
@ -98321,7 +98323,7 @@ index 2b7c441e7..8f17d3b19 100644
|
||||
optional_policy(`
|
||||
cups_read_rw_config(swat_t)
|
||||
cups_stream_connect(swat_t)
|
||||
@@ -840,17 +938,20 @@ optional_policy(`
|
||||
@@ -840,17 +939,20 @@ optional_policy(`
|
||||
# Winbind local policy
|
||||
#
|
||||
|
||||
@ -98348,7 +98350,7 @@ index 2b7c441e7..8f17d3b19 100644
|
||||
|
||||
allow winbind_t samba_etc_t:dir list_dir_perms;
|
||||
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
|
||||
@@ -860,9 +961,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
|
||||
@@ -860,9 +962,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
|
||||
filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
|
||||
|
||||
manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
|
||||
@ -98359,7 +98361,7 @@ index 2b7c441e7..8f17d3b19 100644
|
||||
manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
|
||||
|
||||
manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
|
||||
@@ -871,40 +970,44 @@ manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t)
|
||||
@@ -871,40 +971,44 @@ manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t)
|
||||
manage_sock_files_pattern(winbind_t, samba_var_t, samba_var_t)
|
||||
files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
|
||||
|
||||
@ -98416,7 +98418,7 @@ index 2b7c441e7..8f17d3b19 100644
|
||||
corenet_tcp_connect_smbd_port(winbind_t)
|
||||
corenet_tcp_connect_epmap_port(winbind_t)
|
||||
corenet_tcp_connect_all_unreserved_ports(winbind_t)
|
||||
@@ -912,38 +1015,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
|
||||
@@ -912,38 +1016,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
|
||||
dev_read_sysfs(winbind_t)
|
||||
dev_read_urand(winbind_t)
|
||||
|
||||
@ -98475,7 +98477,7 @@ index 2b7c441e7..8f17d3b19 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -959,31 +1076,36 @@ optional_policy(`
|
||||
@@ -959,31 +1077,36 @@ optional_policy(`
|
||||
# Winbind helper local policy
|
||||
#
|
||||
|
||||
@ -98519,7 +98521,7 @@ index 2b7c441e7..8f17d3b19 100644
|
||||
|
||||
optional_policy(`
|
||||
apache_append_log(winbind_helper_t)
|
||||
@@ -997,25 +1119,38 @@ optional_policy(`
|
||||
@@ -997,25 +1120,38 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -117240,7 +117242,7 @@ index facdee8b3..2a619ba9e 100644
|
||||
+ dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
|
||||
')
|
||||
diff --git a/virt.te b/virt.te
|
||||
index f03dcf567..6b27ef4c9 100644
|
||||
index f03dcf567..a287ebdf0 100644
|
||||
--- a/virt.te
|
||||
+++ b/virt.te
|
||||
@@ -1,451 +1,424 @@
|
||||
@ -117478,11 +117480,11 @@ index f03dcf567..6b27ef4c9 100644
|
||||
-virt_domain_template(svirt_prot_exec)
|
||||
+role system_r types svirt_t;
|
||||
+typealias svirt_t alias qemu_t;
|
||||
|
||||
-type virt_cache_t alias svirt_cache_t;
|
||||
+
|
||||
+virt_domain_template(svirt_tcg)
|
||||
+role system_r types svirt_tcg_t;
|
||||
+
|
||||
|
||||
-type virt_cache_t alias svirt_cache_t;
|
||||
+type qemu_exec_t, virt_file_type;
|
||||
+
|
||||
+type virt_cache_t alias svirt_cache_t, virt_file_type;
|
||||
@ -117845,37 +117847,37 @@ index f03dcf567..6b27ef4c9 100644
|
||||
|
||||
-list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
|
||||
-read_files_pattern(svirt_t, virt_content_t, virt_content_t)
|
||||
+allow svirt_t self:process ptrace;
|
||||
|
||||
-
|
||||
-dontaudit svirt_t virt_content_t:file write_file_perms;
|
||||
-dontaudit svirt_t virt_content_t:dir rw_dir_perms;
|
||||
+# it was a part of auth_use_nsswitch
|
||||
+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
-
|
||||
-append_files_pattern(svirt_t, virt_home_t, virt_home_t)
|
||||
-manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
|
||||
-manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
|
||||
-manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
|
||||
-
|
||||
+allow svirt_t self:process ptrace;
|
||||
|
||||
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
|
||||
-
|
||||
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
|
||||
-
|
||||
-corenet_udp_sendrecv_generic_if(svirt_t)
|
||||
-corenet_udp_sendrecv_generic_node(svirt_t)
|
||||
-corenet_udp_sendrecv_all_ports(svirt_t)
|
||||
-corenet_udp_bind_generic_node(svirt_t)
|
||||
+# it was a part of auth_use_nsswitch
|
||||
+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
corenet_udp_sendrecv_generic_if(svirt_t)
|
||||
corenet_udp_sendrecv_generic_node(svirt_t)
|
||||
corenet_udp_sendrecv_all_ports(svirt_t)
|
||||
corenet_udp_bind_generic_node(svirt_t)
|
||||
-
|
||||
-corenet_all_recvfrom_unlabeled(svirt_t)
|
||||
-corenet_all_recvfrom_netlabel(svirt_t)
|
||||
-corenet_tcp_sendrecv_generic_if(svirt_t)
|
||||
corenet_udp_sendrecv_generic_if(svirt_t)
|
||||
-corenet_udp_sendrecv_generic_if(svirt_t)
|
||||
-corenet_tcp_sendrecv_generic_node(svirt_t)
|
||||
corenet_udp_sendrecv_generic_node(svirt_t)
|
||||
-corenet_udp_sendrecv_generic_node(svirt_t)
|
||||
-corenet_tcp_sendrecv_all_ports(svirt_t)
|
||||
corenet_udp_sendrecv_all_ports(svirt_t)
|
||||
-corenet_udp_sendrecv_all_ports(svirt_t)
|
||||
-corenet_tcp_bind_generic_node(svirt_t)
|
||||
corenet_udp_bind_generic_node(svirt_t)
|
||||
-corenet_udp_bind_generic_node(svirt_t)
|
||||
-
|
||||
-corenet_sendrecv_all_server_packets(svirt_t)
|
||||
corenet_udp_bind_all_ports(svirt_t)
|
||||
@ -118040,12 +118042,12 @@ index f03dcf567..6b27ef4c9 100644
|
||||
|
||||
-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
|
||||
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
|
||||
-
|
||||
-can_exec(virtd_t, virt_tmp_t)
|
||||
+# libvirtd is permitted to talk to virtlogd
|
||||
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t)
|
||||
+allow virtd_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms;
|
||||
|
||||
-can_exec(virtd_t, virt_tmp_t)
|
||||
-
|
||||
-kernel_read_crypto_sysctls(virtd_t)
|
||||
kernel_read_system_state(virtd_t)
|
||||
kernel_read_network_state(virtd_t)
|
||||
@ -118145,13 +118147,13 @@ index f03dcf567..6b27ef4c9 100644
|
||||
+sysnet_read_config(virtd_t)
|
||||
|
||||
-userdom_read_all_users_state(virtd_t)
|
||||
+systemd_dbus_chat_logind(virtd_t)
|
||||
+systemd_write_inhibit_pipes(virtd_t)
|
||||
|
||||
-
|
||||
-ifdef(`hide_broken_symptoms',`
|
||||
- dontaudit virtd_t self:capability { sys_module sys_ptrace };
|
||||
-')
|
||||
-
|
||||
+systemd_dbus_chat_logind(virtd_t)
|
||||
+systemd_write_inhibit_pipes(virtd_t)
|
||||
|
||||
-tunable_policy(`virt_use_fusefs',`
|
||||
- fs_manage_fusefs_dirs(virtd_t)
|
||||
- fs_manage_fusefs_files(virtd_t)
|
||||
@ -118205,7 +118207,7 @@ index f03dcf567..6b27ef4c9 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -691,99 +653,433 @@ optional_policy(`
|
||||
@@ -691,99 +653,437 @@ optional_policy(`
|
||||
dnsmasq_kill(virtd_t)
|
||||
dnsmasq_signull(virtd_t)
|
||||
dnsmasq_create_pid_dirs(virtd_t)
|
||||
@ -118349,6 +118351,10 @@ index f03dcf567..6b27ef4c9 100644
|
||||
+ fs_append_nfs_files(virtlogd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ systemd_write_inhibit_pipes(virtlogd_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# virtual domains common policy
|
||||
@ -118536,18 +118542,16 @@ index f03dcf567..6b27ef4c9 100644
|
||||
+ fs_manage_fusefs_files(virt_domain)
|
||||
+ fs_read_fusefs_symlinks(virt_domain)
|
||||
+ fs_getattr_fusefs(virt_domain)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- lvm_domtrans(virtd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ tunable_policy(`virt_use_glusterd',`
|
||||
+ glusterd_manage_pid(virt_domain)
|
||||
+ ')
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- mount_domtrans(virtd_t)
|
||||
- mount_signal(virtd_t)
|
||||
- lvm_domtrans(virtd_t)
|
||||
+tunable_policy(`virt_use_nfs',`
|
||||
+ fs_manage_nfs_dirs(virt_domain)
|
||||
+ fs_manage_nfs_files(virt_domain)
|
||||
@ -118557,9 +118561,8 @@ index f03dcf567..6b27ef4c9 100644
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- policykit_domtrans_auth(virtd_t)
|
||||
- policykit_domtrans_resolve(virtd_t)
|
||||
- policykit_read_lib(virtd_t)
|
||||
- mount_domtrans(virtd_t)
|
||||
- mount_signal(virtd_t)
|
||||
+tunable_policy(`virt_use_samba',`
|
||||
+ fs_manage_cifs_dirs(virt_domain)
|
||||
+ fs_manage_cifs_files(virt_domain)
|
||||
@ -118569,7 +118572,9 @@ index f03dcf567..6b27ef4c9 100644
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- qemu_exec(virtd_t)
|
||||
- policykit_domtrans_auth(virtd_t)
|
||||
- policykit_domtrans_resolve(virtd_t)
|
||||
- policykit_read_lib(virtd_t)
|
||||
+tunable_policy(`virt_use_usb',`
|
||||
+ dev_rw_usbfs(virt_domain)
|
||||
+ dev_read_sysfs(virt_domain)
|
||||
@ -118580,20 +118585,23 @@ index f03dcf567..6b27ef4c9 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- sasl_connect(virtd_t)
|
||||
- qemu_exec(virtd_t)
|
||||
+ tunable_policy(`virt_use_pcscd',`
|
||||
+ pcscd_stream_connect(virt_domain)
|
||||
+ ')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- kernel_read_xen_state(virtd_t)
|
||||
- kernel_write_xen_state(virtd_t)
|
||||
- sasl_connect(virtd_t)
|
||||
+ tunable_policy(`virt_use_sanlock',`
|
||||
+ sanlock_stream_connect(virt_domain)
|
||||
+ ')
|
||||
+')
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- kernel_read_xen_state(virtd_t)
|
||||
- kernel_write_xen_state(virtd_t)
|
||||
-
|
||||
- xen_exec(virtd_t)
|
||||
- xen_stream_connect(virtd_t)
|
||||
- xen_stream_connect_xenstore(virtd_t)
|
||||
@ -118688,7 +118696,7 @@ index f03dcf567..6b27ef4c9 100644
|
||||
kernel_read_system_state(virsh_t)
|
||||
kernel_read_network_state(virsh_t)
|
||||
kernel_read_kernel_sysctls(virsh_t)
|
||||
@@ -794,25 +1090,18 @@ kernel_write_xen_state(virsh_t)
|
||||
@@ -794,25 +1094,18 @@ kernel_write_xen_state(virsh_t)
|
||||
corecmd_exec_bin(virsh_t)
|
||||
corecmd_exec_shell(virsh_t)
|
||||
|
||||
@ -118715,7 +118723,7 @@ index f03dcf567..6b27ef4c9 100644
|
||||
|
||||
fs_getattr_all_fs(virsh_t)
|
||||
fs_manage_xenfs_dirs(virsh_t)
|
||||
@@ -821,23 +1110,25 @@ fs_search_auto_mountpoints(virsh_t)
|
||||
@@ -821,23 +1114,25 @@ fs_search_auto_mountpoints(virsh_t)
|
||||
|
||||
storage_raw_read_fixed_disk(virsh_t)
|
||||
|
||||
@ -118749,7 +118757,7 @@ index f03dcf567..6b27ef4c9 100644
|
||||
|
||||
tunable_policy(`virt_use_nfs',`
|
||||
fs_manage_nfs_dirs(virsh_t)
|
||||
@@ -856,14 +1147,20 @@ optional_policy(`
|
||||
@@ -856,14 +1151,20 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -118771,7 +118779,7 @@ index f03dcf567..6b27ef4c9 100644
|
||||
xen_stream_connect(virsh_t)
|
||||
xen_stream_connect_xenstore(virsh_t)
|
||||
')
|
||||
@@ -888,49 +1185,66 @@ optional_policy(`
|
||||
@@ -888,49 +1189,66 @@ optional_policy(`
|
||||
kernel_read_xen_state(virsh_ssh_t)
|
||||
kernel_write_xen_state(virsh_ssh_t)
|
||||
|
||||
@ -118856,7 +118864,7 @@ index f03dcf567..6b27ef4c9 100644
|
||||
|
||||
corecmd_exec_bin(virtd_lxc_t)
|
||||
corecmd_exec_shell(virtd_lxc_t)
|
||||
@@ -942,17 +1256,16 @@ dev_read_urand(virtd_lxc_t)
|
||||
@@ -942,17 +1260,16 @@ dev_read_urand(virtd_lxc_t)
|
||||
|
||||
domain_use_interactive_fds(virtd_lxc_t)
|
||||
|
||||
@ -118876,7 +118884,7 @@ index f03dcf567..6b27ef4c9 100644
|
||||
fs_getattr_all_fs(virtd_lxc_t)
|
||||
fs_manage_tmpfs_dirs(virtd_lxc_t)
|
||||
fs_manage_tmpfs_chr_files(virtd_lxc_t)
|
||||
@@ -964,8 +1277,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
|
||||
@@ -964,15 +1281,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
|
||||
fs_unmount_all_fs(virtd_lxc_t)
|
||||
fs_relabelfrom_tmpfs(virtd_lxc_t)
|
||||
|
||||
@ -118884,72 +118892,125 @@ index f03dcf567..6b27ef4c9 100644
|
||||
+
|
||||
selinux_mount_fs(virtd_lxc_t)
|
||||
selinux_unmount_fs(virtd_lxc_t)
|
||||
-selinux_get_enforce_mode(virtd_lxc_t)
|
||||
-selinux_get_fs_mount(virtd_lxc_t)
|
||||
-selinux_validate_context(virtd_lxc_t)
|
||||
-selinux_compute_access_vector(virtd_lxc_t)
|
||||
-selinux_compute_create_context(virtd_lxc_t)
|
||||
-selinux_compute_relabel_context(virtd_lxc_t)
|
||||
-selinux_compute_user_contexts(virtd_lxc_t)
|
||||
+seutil_read_config(virtd_lxc_t)
|
||||
+
|
||||
+term_use_generic_ptys(virtd_lxc_t)
|
||||
+term_use_ptmx(virtd_lxc_t)
|
||||
+term_relabel_pty_fs(virtd_lxc_t)
|
||||
+
|
||||
+auth_use_nsswitch(virtd_lxc_t)
|
||||
+
|
||||
+logging_send_syslog_msg(virtd_lxc_t)
|
||||
+
|
||||
+seutil_domtrans_setfiles(virtd_lxc_t)
|
||||
+seutil_read_default_contexts(virtd_lxc_t)
|
||||
+
|
||||
selinux_get_enforce_mode(virtd_lxc_t)
|
||||
selinux_get_fs_mount(virtd_lxc_t)
|
||||
selinux_validate_context(virtd_lxc_t)
|
||||
@@ -974,194 +1302,296 @@ selinux_compute_create_context(virtd_lxc_t)
|
||||
selinux_compute_relabel_context(virtd_lxc_t)
|
||||
selinux_compute_user_contexts(virtd_lxc_t)
|
||||
|
||||
-term_use_generic_ptys(virtd_lxc_t)
|
||||
-term_use_ptmx(virtd_lxc_t)
|
||||
-term_relabel_pty_fs(virtd_lxc_t)
|
||||
+sysnet_exec_ifconfig(virtd_lxc_t)
|
||||
term_use_generic_ptys(virtd_lxc_t)
|
||||
term_use_ptmx(virtd_lxc_t)
|
||||
@@ -982,186 +1295,307 @@ auth_use_nsswitch(virtd_lxc_t)
|
||||
|
||||
-auth_use_nsswitch(virtd_lxc_t)
|
||||
+systemd_dbus_chat_machined(virtd_lxc_t)
|
||||
|
||||
-logging_send_syslog_msg(virtd_lxc_t)
|
||||
+userdom_read_admin_home_files(virtd_lxc_t)
|
||||
logging_send_syslog_msg(virtd_lxc_t)
|
||||
|
||||
-miscfiles_read_localization(virtd_lxc_t)
|
||||
-
|
||||
seutil_domtrans_setfiles(virtd_lxc_t)
|
||||
-seutil_read_config(virtd_lxc_t)
|
||||
seutil_read_default_contexts(virtd_lxc_t)
|
||||
|
||||
-sysnet_domtrans_ifconfig(virtd_lxc_t)
|
||||
-
|
||||
-########################################
|
||||
-#
|
||||
-# Common virt lxc domain local policy
|
||||
-#
|
||||
-
|
||||
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
|
||||
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
|
||||
-allow svirt_lxc_domain self:fifo_file manage_file_perms;
|
||||
-allow svirt_lxc_domain self:sem create_sem_perms;
|
||||
-allow svirt_lxc_domain self:shm create_shm_perms;
|
||||
-allow svirt_lxc_domain self:msgq create_msgq_perms;
|
||||
-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
|
||||
+selinux_get_enforce_mode(virtd_lxc_t)
|
||||
+selinux_get_fs_mount(virtd_lxc_t)
|
||||
+selinux_validate_context(virtd_lxc_t)
|
||||
+selinux_compute_access_vector(virtd_lxc_t)
|
||||
+selinux_compute_create_context(virtd_lxc_t)
|
||||
+selinux_compute_relabel_context(virtd_lxc_t)
|
||||
+selinux_compute_user_contexts(virtd_lxc_t)
|
||||
|
||||
-allow svirt_lxc_domain virtd_lxc_t:fd use;
|
||||
-allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms;
|
||||
-allow svirt_lxc_domain virtd_lxc_t:process sigchld;
|
||||
+sysnet_exec_ifconfig(virtd_lxc_t)
|
||||
|
||||
-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
|
||||
+systemd_dbus_chat_machined(virtd_lxc_t)
|
||||
|
||||
-allow svirt_lxc_domain virsh_t:fd use;
|
||||
-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
|
||||
-allow svirt_lxc_domain virsh_t:process sigchld;
|
||||
+userdom_read_admin_home_files(virtd_lxc_t)
|
||||
|
||||
-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
|
||||
-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
|
||||
+optional_policy(`
|
||||
+ dbus_system_bus_client(virtd_lxc_t)
|
||||
+ init_dbus_chat(virtd_lxc_t)
|
||||
|
||||
-seutil_domtrans_setfiles(virtd_lxc_t)
|
||||
-seutil_read_config(virtd_lxc_t)
|
||||
-seutil_read_default_contexts(virtd_lxc_t)
|
||||
-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
+ optional_policy(`
|
||||
+ hal_dbus_chat(virtd_lxc_t)
|
||||
+ ')
|
||||
+')
|
||||
|
||||
-sysnet_domtrans_ifconfig(virtd_lxc_t)
|
||||
-allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
|
||||
-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
|
||||
+optional_policy(`
|
||||
+ container_exec_lib(virtd_lxc_t)
|
||||
+')
|
||||
+
|
||||
|
||||
-can_exec(svirt_lxc_domain, svirt_lxc_file_t)
|
||||
+optional_policy(`
|
||||
+ gnome_read_generic_cache_files(virtd_lxc_t)
|
||||
+')
|
||||
+
|
||||
|
||||
-kernel_getattr_proc(svirt_lxc_domain)
|
||||
-kernel_list_all_proc(svirt_lxc_domain)
|
||||
-kernel_read_kernel_sysctls(svirt_lxc_domain)
|
||||
-kernel_rw_net_sysctls(svirt_lxc_domain)
|
||||
-kernel_read_system_state(svirt_lxc_domain)
|
||||
-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
|
||||
+optional_policy(`
|
||||
+ setrans_manage_pid_files(virtd_lxc_t)
|
||||
+')
|
||||
+
|
||||
|
||||
-corecmd_exec_all_executables(svirt_lxc_domain)
|
||||
+optional_policy(`
|
||||
+ unconfined_domain(virtd_lxc_t)
|
||||
+')
|
||||
|
||||
########################################
|
||||
#
|
||||
-# Common virt lxc domain local policy
|
||||
-files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
|
||||
-files_dontaudit_getattr_all_files(svirt_lxc_domain)
|
||||
-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
|
||||
-files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
|
||||
-files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
|
||||
-files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
|
||||
-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
|
||||
-# files_entrypoint_all_files(svirt_lxc_domain)
|
||||
-files_list_var(svirt_lxc_domain)
|
||||
-files_list_var_lib(svirt_lxc_domain)
|
||||
-files_search_all(svirt_lxc_domain)
|
||||
-files_read_config_files(svirt_lxc_domain)
|
||||
-files_read_usr_files(svirt_lxc_domain)
|
||||
-files_read_usr_symlinks(svirt_lxc_domain)
|
||||
+########################################
|
||||
+#
|
||||
+# svirt_sandbox_domain local policy
|
||||
#
|
||||
+#
|
||||
+allow svirt_sandbox_domain self:key manage_key_perms;
|
||||
+dontaudit svirt_sandbox_domain svirt_sandbox_domain:key search;
|
||||
+
|
||||
@ -118973,7 +119034,9 @@ index f03dcf567..6b27ef4c9 100644
|
||||
+tunable_policy(`deny_ptrace',`',`
|
||||
+ allow svirt_sandbox_domain self:process ptrace;
|
||||
+')
|
||||
+
|
||||
|
||||
-fs_getattr_all_fs(svirt_lxc_domain)
|
||||
-fs_list_inotifyfs(svirt_lxc_domain)
|
||||
+allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
+allow virtd_t svirt_sandbox_domain:process { signal_perms getattr };
|
||||
+allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms };
|
||||
@ -119063,113 +119126,43 @@ index f03dcf567..6b27ef4c9 100644
|
||||
+userdom_use_inherited_user_terminals(svirt_sandbox_domain)
|
||||
+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
|
||||
+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
|
||||
+
|
||||
|
||||
-# fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
|
||||
-# fs_rw_inherited_cifs_files(svirt_lxc_domain)
|
||||
-# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain)
|
||||
+optional_policy(`
|
||||
+tunable_policy(`virt_sandbox_share_apache_content',`
|
||||
+ apache_exec_modules(svirt_sandbox_domain)
|
||||
+ apache_read_sys_content(svirt_sandbox_domain)
|
||||
+ ')
|
||||
+')
|
||||
+
|
||||
|
||||
-auth_dontaudit_read_login_records(svirt_lxc_domain)
|
||||
-auth_dontaudit_write_login_records(svirt_lxc_domain)
|
||||
-auth_search_pam_console_data(svirt_lxc_domain)
|
||||
+optional_policy(`
|
||||
+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
|
||||
+')
|
||||
|
||||
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
|
||||
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
|
||||
-allow svirt_lxc_domain self:fifo_file manage_file_perms;
|
||||
-allow svirt_lxc_domain self:sem create_sem_perms;
|
||||
-allow svirt_lxc_domain self:shm create_shm_perms;
|
||||
-allow svirt_lxc_domain self:msgq create_msgq_perms;
|
||||
-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
|
||||
-
|
||||
-allow svirt_lxc_domain virtd_lxc_t:fd use;
|
||||
-allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms;
|
||||
-allow svirt_lxc_domain virtd_lxc_t:process sigchld;
|
||||
-
|
||||
-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
|
||||
-
|
||||
-allow svirt_lxc_domain virsh_t:fd use;
|
||||
-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
|
||||
-allow svirt_lxc_domain virsh_t:process sigchld;
|
||||
-
|
||||
-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
|
||||
-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
|
||||
-
|
||||
-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-
|
||||
-allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
|
||||
-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
|
||||
-
|
||||
-can_exec(svirt_lxc_domain, svirt_lxc_file_t)
|
||||
-
|
||||
-kernel_getattr_proc(svirt_lxc_domain)
|
||||
-kernel_list_all_proc(svirt_lxc_domain)
|
||||
-kernel_read_kernel_sysctls(svirt_lxc_domain)
|
||||
-kernel_rw_net_sysctls(svirt_lxc_domain)
|
||||
-kernel_read_system_state(svirt_lxc_domain)
|
||||
-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
|
||||
-
|
||||
-corecmd_exec_all_executables(svirt_lxc_domain)
|
||||
-
|
||||
-files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
|
||||
-files_dontaudit_getattr_all_files(svirt_lxc_domain)
|
||||
-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
|
||||
-files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
|
||||
-files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
|
||||
-files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
|
||||
-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
|
||||
-# files_entrypoint_all_files(svirt_lxc_domain)
|
||||
-files_list_var(svirt_lxc_domain)
|
||||
-files_list_var_lib(svirt_lxc_domain)
|
||||
-files_search_all(svirt_lxc_domain)
|
||||
-files_read_config_files(svirt_lxc_domain)
|
||||
-files_read_usr_files(svirt_lxc_domain)
|
||||
-files_read_usr_symlinks(svirt_lxc_domain)
|
||||
-
|
||||
-fs_getattr_all_fs(svirt_lxc_domain)
|
||||
-fs_list_inotifyfs(svirt_lxc_domain)
|
||||
-
|
||||
-# fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
|
||||
-# fs_rw_inherited_cifs_files(svirt_lxc_domain)
|
||||
-# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain)
|
||||
-
|
||||
-auth_dontaudit_read_login_records(svirt_lxc_domain)
|
||||
-auth_dontaudit_write_login_records(svirt_lxc_domain)
|
||||
-auth_search_pam_console_data(svirt_lxc_domain)
|
||||
-
|
||||
-clock_read_adjtime(svirt_lxc_domain)
|
||||
-
|
||||
-init_read_utmp(svirt_lxc_domain)
|
||||
-init_dontaudit_write_utmp(svirt_lxc_domain)
|
||||
-
|
||||
-libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
|
||||
-
|
||||
-miscfiles_read_localization(svirt_lxc_domain)
|
||||
-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
|
||||
-miscfiles_read_fonts(svirt_lxc_domain)
|
||||
-
|
||||
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
|
||||
+optional_policy(`
|
||||
+ ssh_use_ptys(svirt_sandbox_domain)
|
||||
+')
|
||||
+
|
||||
|
||||
-init_read_utmp(svirt_lxc_domain)
|
||||
-init_dontaudit_write_utmp(svirt_lxc_domain)
|
||||
+optional_policy(`
|
||||
+ udev_read_pid_files(svirt_sandbox_domain)
|
||||
+')
|
||||
|
||||
optional_policy(`
|
||||
- udev_read_pid_files(svirt_lxc_domain)
|
||||
-libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
|
||||
+optional_policy(`
|
||||
+ userhelper_dontaudit_write_config(svirt_sandbox_domain)
|
||||
+')
|
||||
+
|
||||
|
||||
-miscfiles_read_localization(svirt_lxc_domain)
|
||||
-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
|
||||
-miscfiles_read_fonts(svirt_lxc_domain)
|
||||
+tunable_policy(`virt_use_nfs',`
|
||||
+ fs_manage_nfs_dirs(svirt_sandbox_domain)
|
||||
+ fs_manage_nfs_files(svirt_sandbox_domain)
|
||||
@ -119180,7 +119173,8 @@ index f03dcf567..6b27ef4c9 100644
|
||||
+ fs_exec_nfs_files(svirt_sandbox_domain)
|
||||
+ kernel_rw_fs_sysctls(svirt_sandbox_domain)
|
||||
+')
|
||||
+
|
||||
|
||||
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
|
||||
+tunable_policy(`virt_use_samba',`
|
||||
+ fs_manage_cifs_files(svirt_sandbox_domain)
|
||||
+ fs_manage_cifs_dirs(svirt_sandbox_domain)
|
||||
@ -119188,7 +119182,9 @@ index f03dcf567..6b27ef4c9 100644
|
||||
+ fs_manage_cifs_symlinks(svirt_sandbox_domain)
|
||||
+ fs_exec_cifs_files(svirt_sandbox_domain)
|
||||
+')
|
||||
+
|
||||
|
||||
-optional_policy(`
|
||||
- udev_read_pid_files(svirt_lxc_domain)
|
||||
+tunable_policy(`virt_sandbox_use_fusefs',`
|
||||
+ fs_manage_fusefs_dirs(svirt_sandbox_domain)
|
||||
+ fs_manage_fusefs_files(svirt_sandbox_domain)
|
||||
@ -119344,7 +119340,7 @@ index f03dcf567..6b27ef4c9 100644
|
||||
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
|
||||
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
|
||||
@@ -1174,12 +1604,12 @@ dev_read_sysfs(virt_qmf_t)
|
||||
@@ -1174,12 +1608,12 @@ dev_read_sysfs(virt_qmf_t)
|
||||
dev_read_rand(virt_qmf_t)
|
||||
dev_read_urand(virt_qmf_t)
|
||||
|
||||
@ -119359,7 +119355,7 @@ index f03dcf567..6b27ef4c9 100644
|
||||
sysnet_read_config(virt_qmf_t)
|
||||
|
||||
optional_policy(`
|
||||
@@ -1192,7 +1622,7 @@ optional_policy(`
|
||||
@@ -1192,7 +1626,7 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -119368,7 +119364,7 @@ index f03dcf567..6b27ef4c9 100644
|
||||
#
|
||||
|
||||
allow virt_bridgehelper_t self:process { setcap getcap };
|
||||
@@ -1201,11 +1631,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
||||
@@ -1201,11 +1635,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
||||
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
|
||||
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
|
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 289%{?dist}
|
||||
Release: 290%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -682,6 +682,13 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Sep 29 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-290
|
||||
- Allow virtlogd_t domain to write inhibit systemd pipes.
|
||||
- Add dac_override capability to openvpn_t domain
|
||||
- Add dac_override capability to xdm_t domain
|
||||
- Allow dac_override to groupadd_t domain BZ(1497081)
|
||||
- Allow cloud-init to create /var/run/cloud-init dir with net_conf_t SELinux label.BZ(1489166)
|
||||
|
||||
* Wed Sep 27 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-289
|
||||
- Allow tlp_t domain stream connect to sssd_t domain
|
||||
- Add missing dac_override capability
|
||||
|