- Allow rhsmcertd to read init state
- Allow fsetid for pkcsslotd - Fix labeling for /usr/lib/systemd/system/pkcsslotd.service - Allow fetchmail to create own pid with correct labeling - Fix rhcs_domain_template() - Allow roles which can run mock to read mock lib files to view results - Allow rpcbind to use nsswitch - Fix lsm.if summary - Fix collectd_t can read /etc/passwd file - Label systemd unit files under dracut correctly - Add support for pam_mount to mount the user's encrypted home when a user logs in - Add support for .Xauthority-n - Label umount.crypt as lvm_exec_t - Allow syslogd to search psad lib files - Allow ssh_t to use /dev/ptmx - Make sure /run/pluto dir is created with correct labeling - Allow syslog to run shell and bin_t commands - Allow ip to relabel tun_sockets - Allow mount to create directories in files under /run - Allow processes to use inherited fifo files
parent
18df0dd62c
commit
ed761163c3
@ -35364,10 +35364,10 @@ index b7686d5..7a9577f 100644
+')
+')
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
new file mode 100644
new file mode 100644
index 0000000..2cd29ba
index 0000000..431619e
--- /dev/null
--- /dev/null
+++ b/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -0,0 +1,43 @@
@@ -0,0 +1,44 @@
+/etc/hostname -- gen_context(system_u:object_r:hostname_etc_t,s0)
+/etc/hostname -- gen_context(system_u:object_r:hostname_etc_t,s0)
+/etc/machine-info -- gen_context(system_u:object_r:hostname_etc_t,s0)
+/etc/machine-info -- gen_context(system_u:object_r:hostname_etc_t,s0)
+
+
@ -35382,6 +35382,7 @@ index 0000000..2cd29ba
+/usr/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
+/usr/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
+/usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
+/usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
+
+
+/usr/lib/dracut/modules.d/.*\.service gen_context(system_u:object_r:systemd_unit_file_t,s0)
+/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
+/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
+/usr/lib/systemd/system/systemd-vconsole-setup\.service gen_context(system_u:object_r:systemd_vconsole_unit_file_t,s0)
+/usr/lib/systemd/system/systemd-vconsole-setup\.service gen_context(system_u:object_r:systemd_vconsole_unit_file_t,s0)
+/usr/lib/systemd/system/.*halt.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
+/usr/lib/systemd/system/.*halt.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
@ -1,8 +1,8 @@
diff --git a/abrt.fc b/abrt.fc
diff --git a/abrt.fc b/abrt.fc
index e4f84de..4e4cbd4 100644
index e4f84de..2fe1152 100644
--- a/abrt.fc
--- a/abrt.fc
+++ b/abrt.fc
+++ b/abrt.fc
@@ -1,30 +1,40 @@
@@ -1,30 +1,41 @@
-/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
-/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
-/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
@ -22,6 +22,7 @@ index e4f84de..4e4cbd4 100644
+/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-harvest.* -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-harvest.* -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
-/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
-/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
/usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
/usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
@ -518,7 +519,7 @@ index 058d908..702b716 100644
+')
+')
+
+
diff --git a/abrt.te b/abrt.te
diff --git a/abrt.te b/abrt.te
index cc43d25..da5b191 100644
index cc43d25..883dd05 100644
--- a/abrt.te
--- a/abrt.te
+++ b/abrt.te
+++ b/abrt.te
@@ -1,4 +1,4 @@
@@ -1,4 +1,4 @@
@ -527,7 +528,7 @@ index cc43d25..da5b191 100644
########################################
########################################
#
#
@@ -6,105 +6,116 @@ policy_module(abrt, 1.3.4)
@@ -6,105 +6,128 @@ policy_module(abrt, 1.3.4)
#
#
## <desc>
## <desc>
@ -549,6 +550,14 @@ index cc43d25..da5b191 100644
-## the abrt_handle_event_t domain to
-## the abrt_handle_event_t domain to
-## handle ABRT event scripts.
-## handle ABRT event scripts.
-## </p>
-## </p>
+## <p>
+## Allow abrt-handle-upload to modify public files
+## used for public file transfer services in /var/spool/abrt-upload/.
+## </p>
+## </desc>
+gen_tunable(abrt_upload_watch_anon_write, true)
+
+## <desc>
+## <p>
+## <p>
+## Allow ABRT to run in abrt_handle_event_t domain
+## Allow ABRT to run in abrt_handle_event_t domain
+## to handle ABRT event scripts
+## to handle ABRT event scripts
@ -627,15 +636,15 @@ index cc43d25..da5b191 100644
+ifdef(`enable_mcs',`
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
+ init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
+')
+')
+
+#
+# Support for ABRT retrace server
-type abrt_retrace_worker_t, abrt_domain;
-type abrt_retrace_worker_t, abrt_domain;
-type abrt_retrace_worker_exec_t;
-type abrt_retrace_worker_exec_t;
-domain_type(abrt_retrace_worker_t)
-domain_type(abrt_retrace_worker_t)
-domain_entry_file(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
-domain_entry_file(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
+#
+#
+# Support for ABRT retrace server
+
+#
+abrt_basic_types_template(abrt_retrace_worker)
+abrt_basic_types_template(abrt_retrace_worker)
+application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
+application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
role system_r types abrt_retrace_worker_t;
role system_r types abrt_retrace_worker_t;
@ -660,7 +669,10 @@ index cc43d25..da5b191 100644
-ifdef(`enable_mcs',`
-ifdef(`enable_mcs',`
- init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
- init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
-')
-')
-
+# Support for abrt-upload-watch
+abrt_basic_types_template(abrt_upload_watch)
+init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t)
########################################
########################################
#
#
-# Local policy
-# Local policy
@ -689,7 +701,7 @@ index cc43d25..da5b191 100644
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
logging_log_filetrans(abrt_t, abrt_var_log_t, file)
logging_log_filetrans(abrt_t, abrt_var_log_t, file)
@@ -112,23 +123,25 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
@@ -112,23 +135,25 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@ -718,7 +730,7 @@ index cc43d25..da5b191 100644
kernel_request_load_module(abrt_t)
kernel_request_load_module(abrt_t)
kernel_rw_kernel_sysctl(abrt_t)
kernel_rw_kernel_sysctl(abrt_t)
@@ -137,16 +150,14 @@ corecmd_exec_shell(abrt_t)
@@ -137,16 +162,14 @@ corecmd_exec_shell(abrt_t)
corecmd_read_all_executables(abrt_t)
corecmd_read_all_executables(abrt_t)
corenet_all_recvfrom_netlabel(abrt_t)
corenet_all_recvfrom_netlabel(abrt_t)
@ -737,7 +749,7 @@ index cc43d25..da5b191 100644
dev_getattr_all_chr_files(abrt_t)
dev_getattr_all_chr_files(abrt_t)
dev_getattr_all_blk_files(abrt_t)
dev_getattr_all_blk_files(abrt_t)
@@ -163,29 +174,37 @@ files_getattr_all_files(abrt_t)
@@ -163,29 +186,37 @@ files_getattr_all_files(abrt_t)
files_read_config_files(abrt_t)
files_read_config_files(abrt_t)
files_read_etc_runtime_files(abrt_t)
files_read_etc_runtime_files(abrt_t)
files_read_var_symlinks(abrt_t)
files_read_var_symlinks(abrt_t)
@ -778,7 +790,7 @@ index cc43d25..da5b191 100644
tunable_policy(`abrt_anon_write',`
tunable_policy(`abrt_anon_write',`
miscfiles_manage_public_files(abrt_t)
miscfiles_manage_public_files(abrt_t)
@@ -193,15 +212,11 @@ tunable_policy(`abrt_anon_write',`
@@ -193,15 +224,11 @@ tunable_policy(`abrt_anon_write',`
optional_policy(`
optional_policy(`
apache_list_modules(abrt_t)
apache_list_modules(abrt_t)
@ -795,7 +807,7 @@ index cc43d25..da5b191 100644
')
')
optional_policy(`
optional_policy(`
@@ -209,6 +224,16 @@ optional_policy(`
@@ -209,6 +236,16 @@ optional_policy(`
')
')
optional_policy(`
optional_policy(`
@ -812,7 +824,7 @@ index cc43d25..da5b191 100644
policykit_domtrans_auth(abrt_t)
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
policykit_read_reload(abrt_t)
@@ -220,6 +245,7 @@ optional_policy(`
@@ -220,6 +257,7 @@ optional_policy(`
corecmd_exec_all_executables(abrt_t)
corecmd_exec_all_executables(abrt_t)
')
')
@ -820,7 +832,7 @@ index cc43d25..da5b191 100644
optional_policy(`
optional_policy(`
rpm_exec(abrt_t)
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
@@ -230,6 +256,7 @@ optional_policy(`
@@ -230,6 +268,7 @@ optional_policy(`
rpm_signull(abrt_t)
rpm_signull(abrt_t)
')
')
@ -828,7 +840,7 @@ index cc43d25..da5b191 100644
optional_policy(`
optional_policy(`
sendmail_domtrans(abrt_t)
sendmail_domtrans(abrt_t)
')
')
@@ -240,9 +267,17 @@ optional_policy(`
@@ -240,9 +279,17 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t)
sosreport_delete_tmp_files(abrt_t)
')
')
@ -847,7 +859,7 @@ index cc43d25..da5b191 100644
#
#
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
@@ -253,9 +288,13 @@ tunable_policy(`abrt_handle_event',`
@@ -253,9 +300,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t)
can_exec(abrt_t, abrt_handle_event_exec_t)
')
')
@ -862,7 +874,7 @@ index cc43d25..da5b191 100644
#
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
allow abrt_helper_t self:capability { chown setgid sys_nice };
@@ -268,6 +307,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
@@ -268,6 +319,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@ -870,7 +882,7 @@ index cc43d25..da5b191 100644
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
@@ -276,15 +316,20 @@ corecmd_read_all_executables(abrt_helper_t)
@@ -276,15 +328,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t)
@ -891,7 +903,7 @@ index cc43d25..da5b191 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
@@ -292,11 +337,25 @@ ifdef(`hide_broken_symptoms',`
@@ -292,11 +349,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@ -918,7 +930,7 @@ index cc43d25..da5b191 100644
#
#
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
@@ -314,10 +373,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
@@ -314,10 +385,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t)
@ -932,7 +944,7 @@ index cc43d25..da5b191 100644
optional_policy(`
optional_policy(`
rpm_exec(abrt_retrace_coredump_t)
rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
@@ -330,10 +391,11 @@ optional_policy(`
@@ -330,10 +403,11 @@ optional_policy(`
#######################################
#######################################
#
#
@ -946,7 +958,7 @@ index cc43d25..da5b191 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
@@ -352,46 +414,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
@@ -352,46 +426,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
@ -1008,31 +1020,41 @@ index cc43d25..da5b191 100644
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
@@ -400,16 +472,18 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
@@ -400,16 +484,29 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
corecmd_exec_bin(abrt_watch_log_t)
corecmd_exec_bin(abrt_watch_log_t)
logging_read_all_logs(abrt_watch_log_t)
logging_read_all_logs(abrt_watch_log_t)
+logging_send_syslog_msg(abrt_watch_log_t)
+logging_send_syslog_msg(abrt_watch_log_t)
+
+
+optional_policy(`
+#optional_policy(`
+ unconfined_domain(abrt_watch_log_t)
+# unconfined_domain(abrt_watch_log_t)
+')
+#')
#######################################
#######################################
#
#
-# Global local policy
-# Global local policy
+# Local policy for all abrt domain
+# abrt-upload-watch local policy
#
#
-kernel_read_system_state(abrt_domain)
-kernel_read_system_state(abrt_domain)
+corecmd_exec_bin(abrt_upload_watch_t)
-files_read_etc_files(abrt_domain)
+tunable_policy(`abrt_upload_watch_anon_write',`
+ miscfiles_manage_public_files(abrt_upload_watch_t)
+')
+
+#######################################
+#
+# Local policy for all abrt domain
+#
-logging_send_syslog_msg(abrt_domain)
+allow abrt_domain abrt_var_run_t:sock_file write_sock_file_perms;
+allow abrt_domain abrt_var_run_t:sock_file write_sock_file_perms;
+allow abrt_domain abrt_var_run_t:unix_stream_socket connectto;
+allow abrt_domain abrt_var_run_t:unix_stream_socket connectto;
files_read_etc_files(abrt_domain)
-
-logging_send_syslog_msg(abrt_domain)
-
-miscfiles_read_localization(abrt_domain)
-miscfiles_read_localization(abrt_domain)
+files_read_etc_files(abrt_domain)
diff --git a/accountsd.fc b/accountsd.fc
diff --git a/accountsd.fc b/accountsd.fc
index f9d8d7a..0682710 100644
index f9d8d7a..0682710 100644
--- a/accountsd.fc
--- a/accountsd.fc
@ -8808,7 +8830,7 @@ index c723a0a..3e8a553 100644
+ allow $1 bluetooth_unit_file_t:service all_service_perms;
+ allow $1 bluetooth_unit_file_t:service all_service_perms;
')
')
diff --git a/bluetooth.te b/bluetooth.te
diff --git a/bluetooth.te b/bluetooth.te
index 6f09d24..b1ec892 100644
index 6f09d24..231de05 100644
--- a/bluetooth.te
--- a/bluetooth.te
+++ b/bluetooth.te
+++ b/bluetooth.te
@@ -49,6 +49,9 @@ files_type(bluetooth_var_lib_t)
@@ -49,6 +49,9 @@ files_type(bluetooth_var_lib_t)
@ -8874,12 +8896,13 @@ index 6f09d24..b1ec892 100644
miscfiles_read_fonts(bluetooth_t)
miscfiles_read_fonts(bluetooth_t)
miscfiles_read_hwdata(bluetooth_t)
miscfiles_read_hwdata(bluetooth_t)
@@ -130,8 +142,12 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
@@ -130,8 +142,13 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
userdom_dontaudit_use_user_terminals(bluetooth_t)
userdom_dontaudit_use_user_terminals(bluetooth_t)
userdom_dontaudit_search_user_home_dirs(bluetooth_t)
userdom_dontaudit_search_user_home_dirs(bluetooth_t)
+# machine-info
+# machine-info
+systemd_hostnamed_read_config(bluetooth_t)
+systemd_hostnamed_read_config(bluetooth_t)
+systemd_dbus_chat_hostnamed(bluetooth_t)
+
+
optional_policy(`
optional_policy(`
dbus_system_bus_client(bluetooth_t)
dbus_system_bus_client(bluetooth_t)
@ -8887,7 +8910,7 @@ index 6f09d24..b1ec892 100644
optional_policy(`
optional_policy(`
cups_dbus_chat(bluetooth_t)
cups_dbus_chat(bluetooth_t)
@@ -199,7 +215,6 @@ dev_read_urand(bluetooth_helper_t)
@@ -199,7 +216,6 @@ dev_read_urand(bluetooth_helper_t)
domain_read_all_domains_state(bluetooth_helper_t)
domain_read_all_domains_state(bluetooth_helper_t)
files_read_etc_runtime_files(bluetooth_helper_t)
files_read_etc_runtime_files(bluetooth_helper_t)
@ -12455,7 +12478,7 @@ index 954309e..f4db2ca 100644
')
')
+
+
diff --git a/collectd.te b/collectd.te
diff --git a/collectd.te b/collectd.te
index 6471fa8..dbb3f45 100644
index 6471fa8..dc0423c 100644
--- a/collectd.te
--- a/collectd.te
+++ b/collectd.te
+++ b/collectd.te
@@ -26,8 +26,14 @@ files_type(collectd_var_lib_t)
@@ -26,8 +26,14 @@ files_type(collectd_var_lib_t)
@ -12483,7 +12506,7 @@ index 6471fa8..dbb3f45 100644
manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
@@ -46,23 +55,25 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
@@ -46,23 +55,28 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
files_pid_filetrans(collectd_t, collectd_var_run_t, file)
files_pid_filetrans(collectd_t, collectd_var_run_t, file)
@ -12491,6 +12514,9 @@ index 6471fa8..dbb3f45 100644
+kernel_read_all_sysctls(collectd_t)
+kernel_read_all_sysctls(collectd_t)
+kernel_read_all_proc(collectd_t)
+kernel_read_all_proc(collectd_t)
+kernel_list_all_proc(collectd_t)
+kernel_list_all_proc(collectd_t)
+
+auth_getattr_passwd(collectd_t)
+auth_read_passwd(collectd_t)
-kernel_read_network_state(collectd_t)
-kernel_read_network_state(collectd_t)
-kernel_read_net_sysctls(collectd_t)
-kernel_read_net_sysctls(collectd_t)
@ -12516,7 +12542,7 @@ index 6471fa8..dbb3f45 100644
logging_send_syslog_msg(collectd_t)
logging_send_syslog_msg(collectd_t)
@@ -75,16 +86,26 @@ tunable_policy(`collectd_tcp_network_connect',`
@@ -75,16 +89,26 @@ tunable_policy(`collectd_tcp_network_connect',`
')
')
optional_policy(`
optional_policy(`
@ -23569,7 +23595,7 @@ index 79b9273..76b7ed5 100644
logging_send_syslog_msg(fcoemon_t)
logging_send_syslog_msg(fcoemon_t)
diff --git a/fetchmail.fc b/fetchmail.fc
diff --git a/fetchmail.fc b/fetchmail.fc
index 2486e2a..ea07c4f 100644
index 2486e2a..72143ee 100644
--- a/fetchmail.fc
--- a/fetchmail.fc
+++ b/fetchmail.fc
+++ b/fetchmail.fc
@@ -1,4 +1,5 @@
@@ -1,4 +1,5 @@
@ -23578,6 +23604,12 @@ index 2486e2a..ea07c4f 100644
/etc/fetchmailrc -- gen_context(system_u:object_r:fetchmail_etc_t,s0)
/etc/fetchmailrc -- gen_context(system_u:object_r:fetchmail_etc_t,s0)
@@ -12,4 +13,4 @@ HOME_DIR/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t,s0)
/var/mail/\.fetchmail-UIDL-cache -- gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
-/var/run/fetchmail/.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0)
+/var/run/fetchmail.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0)
diff --git a/fetchmail.if b/fetchmail.if
diff --git a/fetchmail.if b/fetchmail.if
index c3f7916..cab3954 100644
index c3f7916..cab3954 100644
--- a/fetchmail.if
--- a/fetchmail.if
@ -23603,7 +23635,7 @@ index c3f7916..cab3954 100644
admin_pattern($1, fetchmail_etc_t)
admin_pattern($1, fetchmail_etc_t)
diff --git a/fetchmail.te b/fetchmail.te
diff --git a/fetchmail.te b/fetchmail.te
index f0388cb..df501ec 100644
index f0388cb..8e7f99e 100644
--- a/fetchmail.te
--- a/fetchmail.te
+++ b/fetchmail.te
+++ b/fetchmail.te
@@ -32,15 +32,13 @@ files_type(fetchmail_uidl_cache_t)
@@ -32,15 +32,13 @@ files_type(fetchmail_uidl_cache_t)
@ -23623,18 +23655,20 @@ index f0388cb..df501ec 100644
manage_dirs_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
manage_dirs_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
append_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
append_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
create_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
create_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
@@ -54,6 +52,11 @@ manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
@@ -52,7 +50,12 @@ mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file)
manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, dir)
manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
-files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, dir)
+files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, {file dir})
+
+list_dirs_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
+list_dirs_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
+read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
+read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
+userdom_search_user_home_dirs(fetchmail_t)
+userdom_search_user_home_dirs(fetchmail_t)
+userdom_search_admin_dir(fetchmail_t)
+userdom_search_admin_dir(fetchmail_t)
+
kernel_read_kernel_sysctls(fetchmail_t)
kernel_read_kernel_sysctls(fetchmail_t)
kernel_list_proc(fetchmail_t)
kernel_list_proc(fetchmail_t)
kernel_getattr_proc_files(fetchmail_t)
@@ -63,7 +66,6 @@ kernel_dontaudit_read_system_state(fetchmail_t)
@@ -63,7 +66,6 @@ kernel_dontaudit_read_system_state(fetchmail_t)
corecmd_exec_bin(fetchmail_t)
corecmd_exec_bin(fetchmail_t)
corecmd_exec_shell(fetchmail_t)
corecmd_exec_shell(fetchmail_t)
@ -35808,12 +35842,12 @@ index 0000000..711c04b
+/var/run/lsm(/.*)? -- gen_context(system_u:object_r:lsmd_var_run_t,s0)
+/var/run/lsm(/.*)? -- gen_context(system_u:object_r:lsmd_var_run_t,s0)
diff --git a/lsm.if b/lsm.if
diff --git a/lsm.if b/lsm.if
new file mode 100644
new file mode 100644
index 0000000..f3e94d7
index 0000000..aaf4080
--- /dev/null
--- /dev/null
+++ b/lsm.if
+++ b/lsm.if
@@ -0,0 +1,103 @@
@@ -0,0 +1,103 @@
+
+
+## <summary>lsmd SELINUX policy </summary>
+## <summary>libStorageMgmt plug-in daemon </summary>
+
+
+########################################
+########################################
+## <summary>
+## <summary>
@ -37813,10 +37847,10 @@ index 0000000..8d0e473
+/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0)
+/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0)
diff --git a/mock.if b/mock.if
diff --git a/mock.if b/mock.if
new file mode 100644
new file mode 100644
index 0000000..895f325
index 0000000..6568bfe
--- /dev/null
--- /dev/null
+++ b/mock.if
+++ b/mock.if
@@ -0,0 +1,305 @@
@@ -0,0 +1,310 @@
+## <summary>policy for mock</summary>
+## <summary>policy for mock</summary>
+
+
+########################################
+########################################
@ -38063,9 +38097,14 @@ index 0000000..895f325
+
+
+ ps_process_pattern($2, mock_t)
+ ps_process_pattern($2, mock_t)
+ allow $2 mock_t:process signal_perms;
+ allow $2 mock_t:process signal_perms;
+
+ tunable_policy(`deny_ptrace',`',`
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 mock_t:process ptrace;
+ allow $2 mock_t:process ptrace;
+ ')
+ ')
+
+ optional_policy(`
+ mock_read_lib_files($2)
+ ')
+')
+')
+
+
+#######################################
+#######################################
@ -54762,17 +54801,19 @@ index 977b972..0000000
-miscfiles_read_localization(pkcs_slotd_t)
-miscfiles_read_localization(pkcs_slotd_t)
diff --git a/pkcsslotd.fc b/pkcsslotd.fc
diff --git a/pkcsslotd.fc b/pkcsslotd.fc
new file mode 100644
new file mode 100644
index 0000000..38fa01d
index 0000000..29d7c1c
--- /dev/null
--- /dev/null
+++ b/pkcsslotd.fc
+++ b/pkcsslotd.fc
@@ -0,0 +1,7 @@
@@ -0,0 +1,9 @@
+/usr/lib/systemd/system/pkcsslotd.service -- gen_context(system_u:object_r:pkcsslotd_unit_file_t,s0)
+/usr/lib/systemd/system/pkcsslotd.* -- gen_context(system_u:object_r:pkcsslotd_unit_file_t,s0)
+
+
+/usr/sbin/pkcsslotd -- gen_context(system_u:object_r:pkcsslotd_exec_t,s0)
+/usr/sbin/pkcsslotd -- gen_context(system_u:object_r:pkcsslotd_exec_t,s0)
+
+
+/var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcsslotd_var_lib_t,s0)
+/var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcsslotd_var_lib_t,s0)
+
+
+/var/lock/opencryptoki(/.*)? gen_context(system_u:object_r:pkcsslotd_lock_t,s0)
+/var/lock/opencryptoki(/.*)? gen_context(system_u:object_r:pkcsslotd_lock_t,s0)
+
+/var/run/pkcsslotd.* -- gen_context(system_u:object_r:pkcsslotd_var_run_t,s0)
diff --git a/pkcsslotd.if b/pkcsslotd.if
diff --git a/pkcsslotd.if b/pkcsslotd.if
new file mode 100644
new file mode 100644
index 0000000..848ddc9
index 0000000..848ddc9
@ -54936,10 +54977,10 @@ index 0000000..848ddc9
+')
+')
diff --git a/pkcsslotd.te b/pkcsslotd.te
diff --git a/pkcsslotd.te b/pkcsslotd.te
new file mode 100644
new file mode 100644
index 0000000..f788d35
index 0000000..2ce92e0
--- /dev/null
--- /dev/null
+++ b/pkcsslotd.te
+++ b/pkcsslotd.te
@@ -0,0 +1,66 @@
@@ -0,0 +1,67 @@
+policy_module(pkcsslotd, 1.0.0)
+policy_module(pkcsslotd, 1.0.0)
+
+
+########################################
+########################################
@ -54974,7 +55015,7 @@ index 0000000..f788d35
+# pkcsslotd local policy
+# pkcsslotd local policy
+#
+#
+
+
+allow pkcsslotd_t self:capability { chown kill };
+allow pkcsslotd_t self:capability { fsetid chown kill };
+
+
+allow pkcsslotd_t self:fifo_file rw_fifo_file_perms;
+allow pkcsslotd_t self:fifo_file rw_fifo_file_perms;
+allow pkcsslotd_t self:sem create_sem_perms;
+allow pkcsslotd_t self:sem create_sem_perms;
@ -54999,7 +55040,8 @@ index 0000000..f788d35
|
|||||||
+
|
+
|
||||||
+manage_files_pattern(pkcsslotd_t, pkcsslotd_var_run_t, pkcsslotd_var_run_t)
|
+manage_files_pattern(pkcsslotd_t, pkcsslotd_var_run_t, pkcsslotd_var_run_t)
|
||||||
+manage_dirs_pattern(pkcsslotd_t, pkcsslotd_var_run_t,pkcsslotd_var_run_t)
|
+manage_dirs_pattern(pkcsslotd_t, pkcsslotd_var_run_t,pkcsslotd_var_run_t)
|
||||||
+files_pid_filetrans(pkcsslotd_t, pkcsslotd_var_run_t, { file dir })
|
+manage_sock_files_pattern(pkcsslotd_t, pkcsslotd_var_run_t,pkcsslotd_var_run_t)
|
||||||
|
+files_pid_filetrans(pkcsslotd_t, pkcsslotd_var_run_t, { sock_file file dir })
|
||||||
+
|
+
|
||||||
+domain_use_interactive_fds(pkcsslotd_t)
|
+domain_use_interactive_fds(pkcsslotd_t)
|
||||||
+
|
+
|
||||||
@ -69216,7 +69258,7 @@ index 47de2d6..98a4280 100644
|
|||||||
+/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
|
+/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
|
||||||
+/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0)
|
+/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0)
|
||||||
diff --git a/rhcs.if b/rhcs.if
|
diff --git a/rhcs.if b/rhcs.if
|
||||||
index 56bc01f..4699b1b 100644
|
index 56bc01f..b8d154e 100644
|
||||||
--- a/rhcs.if
|
--- a/rhcs.if
|
||||||
+++ b/rhcs.if
|
+++ b/rhcs.if
|
||||||
@@ -1,19 +1,19 @@
|
@@ -1,19 +1,19 @@
|
||||||
@ -69245,7 +69287,7 @@ index 56bc01f..4699b1b 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
##############################
|
##############################
|
||||||
@@ -43,11 +43,6 @@ template(`rhcs_domain_template',`
|
@@ -43,33 +43,27 @@ template(`rhcs_domain_template',`
|
||||||
manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
|
manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
|
||||||
fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file })
|
fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file })
|
||||||
|
|
||||||
@ -69257,9 +69299,11 @@ index 56bc01f..4699b1b 100644
|
|||||||
logging_log_filetrans($1_t, $1_var_log_t, { dir file sock_file })
|
logging_log_filetrans($1_t, $1_var_log_t, { dir file sock_file })
|
||||||
|
|
||||||
manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
|
manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
|
||||||
@@ -56,20 +51,19 @@ template(`rhcs_domain_template',`
|
manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
|
||||||
|
manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
|
||||||
manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
|
manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
|
||||||
files_pid_filetrans($1_t, $1_var_run_t, { dir file fifo_file })
|
- files_pid_filetrans($1_t, $1_var_run_t, { dir file fifo_file })
|
||||||
|
+ files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file fifo_file })
|
||||||
|
|
||||||
- optional_policy(`
|
- optional_policy(`
|
||||||
- dbus_system_bus_client($1_t)
|
- dbus_system_bus_client($1_t)
|
||||||
@ -71147,7 +71191,7 @@ index 6dbc905..d803796 100644
|
|||||||
- admin_pattern($1, rhsmcertd_lock_t)
|
- admin_pattern($1, rhsmcertd_lock_t)
|
||||||
')
|
')
|
||||||
diff --git a/rhsmcertd.te b/rhsmcertd.te
|
diff --git a/rhsmcertd.te b/rhsmcertd.te
|
||||||
index 1cedd70..f8ae4cc 100644
|
index 1cedd70..6508b1e 100644
|
||||||
--- a/rhsmcertd.te
|
--- a/rhsmcertd.te
|
||||||
+++ b/rhsmcertd.te
|
+++ b/rhsmcertd.te
|
||||||
@@ -30,7 +30,8 @@ files_pid_file(rhsmcertd_var_run_t)
|
@@ -30,7 +30,8 @@ files_pid_file(rhsmcertd_var_run_t)
|
||||||
@ -71160,7 +71204,7 @@ index 1cedd70..f8ae4cc 100644
|
|||||||
allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
|
allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
|
allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
|
||||||
@@ -52,21 +53,35 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
|
@@ -52,21 +53,37 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
|
||||||
kernel_read_network_state(rhsmcertd_t)
|
kernel_read_network_state(rhsmcertd_t)
|
||||||
kernel_read_system_state(rhsmcertd_t)
|
kernel_read_system_state(rhsmcertd_t)
|
||||||
|
|
||||||
@ -71183,6 +71227,8 @@ index 1cedd70..f8ae4cc 100644
|
|||||||
|
|
||||||
-miscfiles_read_localization(rhsmcertd_t)
|
-miscfiles_read_localization(rhsmcertd_t)
|
||||||
-miscfiles_read_generic_certs(rhsmcertd_t)
|
-miscfiles_read_generic_certs(rhsmcertd_t)
|
||||||
|
+init_read_state(rhsmcertd_t)
|
||||||
|
+
|
||||||
+logging_send_syslog_msg(rhsmcertd_t)
|
+logging_send_syslog_msg(rhsmcertd_t)
|
||||||
+
|
+
|
||||||
+miscfiles_read_certs(rhsmcertd_t)
|
+miscfiles_read_certs(rhsmcertd_t)
|
||||||
@ -72877,7 +72923,7 @@ index 3b5e9ee..ff1163f 100644
|
|||||||
+ admin_pattern($1, rpcbind_var_run_t)
|
+ admin_pattern($1, rpcbind_var_run_t)
|
||||||
')
|
')
|
||||||
diff --git a/rpcbind.te b/rpcbind.te
|
diff --git a/rpcbind.te b/rpcbind.te
|
||||||
index c49828c..a323332 100644
|
index c49828c..56cb0c2 100644
|
||||||
--- a/rpcbind.te
|
--- a/rpcbind.te
|
||||||
+++ b/rpcbind.te
|
+++ b/rpcbind.te
|
||||||
@@ -42,7 +42,6 @@ kernel_read_system_state(rpcbind_t)
|
@@ -42,7 +42,6 @@ kernel_read_system_state(rpcbind_t)
|
||||||
@ -72896,7 +72942,7 @@ index c49828c..a323332 100644
|
|||||||
files_read_etc_runtime_files(rpcbind_t)
|
files_read_etc_runtime_files(rpcbind_t)
|
||||||
|
|
||||||
-logging_send_syslog_msg(rpcbind_t)
|
-logging_send_syslog_msg(rpcbind_t)
|
||||||
+auth_read_passwd(rpcbind_t)
|
+auth_use_nsswitch(rpcbind_t)
|
||||||
|
|
||||||
-miscfiles_read_localization(rpcbind_t)
|
-miscfiles_read_localization(rpcbind_t)
|
||||||
+logging_send_syslog_msg(rpcbind_t)
|
+logging_send_syslog_msg(rpcbind_t)
|
||||||
|
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.12.1
|
Version: 3.12.1
|
||||||
Release: 72%{?dist}
|
Release: 73%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -538,6 +538,29 @@ SELinux Reference policy mls base module.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Aug 27 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-73
|
||||||
|
0
|
||||||
|
- Allow rhsmcertd to read init state
|
||||||
|
- Allow fsetid for pkcsslotd
|
||||||
|
- Fix labeling for /usr/lib/systemd/system/pkcsslotd.service
|
||||||
|
- Allow fetchmail to create own pid with correct labeling
|
||||||
|
- Fix rhcs_domain_template()
|
||||||
|
- Allow roles which can run mock to read mock lib files to view results
|
||||||
|
- Allow rpcbind to use nsswitch
|
||||||
|
- Fix lsm.if summary
|
||||||
|
- Fix collectd_t can read /etc/passwd file
|
||||||
|
- Label systemd unit files under dracut correctly
|
||||||
|
- Add support for pam_mount to mount user's encrypted home When a user logs in and logs out using ssh
|
||||||
|
- Add support for .Xauthority-n
|
||||||
|
- Label umount.crypt as lvm_exec_t
|
||||||
|
- Allow syslogd to search psad lib files
|
||||||
|
- Allow ssh_t to use /dev/ptmx
|
||||||
|
- Make sure /run/pluto dir is created with correct labeling
|
||||||
|
- Allow syslog to run shell and bin_t commands
|
||||||
|
- Allow ip to relabel tun_sockets
|
||||||
|
- Allow mount to create directories in files under /run
|
||||||
|
- Allow processes to use inherited fifo files
|
||||||
|
|
||||||
* Fri Aug 23 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-72
|
* Fri Aug 23 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-72
|
||||||
- Add policy for lsmd
|
- Add policy for lsmd
|
||||||
- Add support for /var/log/mariadb dir and allow mysqld_safe to list this directory
|
- Add support for /var/log/mariadb dir and allow mysqld_safe to list this directory
|
||||||
|