* Tue Dec 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-164
- Allow firewalld to create firewalld_var_run_t directory. BZ(1291243) - Add interface firewalld_read_pid_files() - Allow iptables to read firewalld pid files. BZ(1291243) - Allow the user cronjobs to run in their userdomain - Label ssdm binaries storedin /etc/sddm/ as bin_t. BZ(1288111) - Merge pull request #81 from rhatdan/rawhide-base - New access needed by systemd domains
This commit is contained in:
Lukas Vrabec
parent
ad3add7345
commit
f1750fb373
Binary file not shown.
@ -57,6 +57,16 @@ index 313d837..ef3c532 100644
|
|||||||
@echo "Success."
|
@echo "Success."
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
diff --git a/config/appconfig-mcs/default_contexts b/config/appconfig-mcs/default_contexts
|
||||||
|
index 801d97b..698d54c 100644
|
||||||
|
--- a/config/appconfig-mcs/default_contexts
|
||||||
|
+++ b/config/appconfig-mcs/default_contexts
|
||||||
|
@@ -1,4 +1,4 @@
|
||||||
|
-system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
|
||||||
|
+system_r:crond_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
|
||||||
|
system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
|
||||||
|
system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
|
||||||
|
system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
|
||||||
diff --git a/config/appconfig-mcs/openssh_contexts b/config/appconfig-mcs/openssh_contexts
|
diff --git a/config/appconfig-mcs/openssh_contexts b/config/appconfig-mcs/openssh_contexts
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..6de0b01
|
index 0000000..6de0b01
|
||||||
@ -65,7 +75,7 @@ index 0000000..6de0b01
|
|||||||
@@ -0,0 +1 @@
|
@@ -0,0 +1 @@
|
||||||
+privsep_preauth=sshd_net_t
|
+privsep_preauth=sshd_net_t
|
||||||
diff --git a/config/appconfig-mcs/staff_u_default_contexts b/config/appconfig-mcs/staff_u_default_contexts
|
diff --git a/config/appconfig-mcs/staff_u_default_contexts b/config/appconfig-mcs/staff_u_default_contexts
|
||||||
index 881a292..80110a4 100644
|
index 881a292..5606c4e 100644
|
||||||
--- a/config/appconfig-mcs/staff_u_default_contexts
|
--- a/config/appconfig-mcs/staff_u_default_contexts
|
||||||
+++ b/config/appconfig-mcs/staff_u_default_contexts
|
+++ b/config/appconfig-mcs/staff_u_default_contexts
|
||||||
@@ -1,7 +1,7 @@
|
@@ -1,7 +1,7 @@
|
||||||
@ -73,7 +83,7 @@ index 881a292..80110a4 100644
|
|||||||
system_r:remote_login_t:s0 staff_r:staff_t:s0
|
system_r:remote_login_t:s0 staff_r:staff_t:s0
|
||||||
system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
|
system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
|
||||||
-system_r:crond_t:s0 staff_r:cronjob_t:s0
|
-system_r:crond_t:s0 staff_r:cronjob_t:s0
|
||||||
+system_r:crond_t:s0 staff_r:staff_t:s0
|
+system_r:crond_t:s0 staff_r:staff_t:s0 staff_r:cronjob_t:s0
|
||||||
system_r:xdm_t:s0 staff_r:staff_t:s0
|
system_r:xdm_t:s0 staff_r:staff_t:s0
|
||||||
staff_r:staff_su_t:s0 staff_r:staff_t:s0
|
staff_r:staff_su_t:s0 staff_r:staff_t:s0
|
||||||
staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
|
staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
|
||||||
@ -103,7 +113,7 @@ index 0000000..ff32acc
|
|||||||
@@ -0,0 +1 @@
|
@@ -0,0 +1 @@
|
||||||
+runtime=system_u:object_r:systemd_runtime_unit_file_t:s0
|
+runtime=system_u:object_r:systemd_runtime_unit_file_t:s0
|
||||||
diff --git a/config/appconfig-mcs/user_u_default_contexts b/config/appconfig-mcs/user_u_default_contexts
|
diff --git a/config/appconfig-mcs/user_u_default_contexts b/config/appconfig-mcs/user_u_default_contexts
|
||||||
index cacbc93..4f59f94 100644
|
index cacbc93..56d6071 100644
|
||||||
--- a/config/appconfig-mcs/user_u_default_contexts
|
--- a/config/appconfig-mcs/user_u_default_contexts
|
||||||
+++ b/config/appconfig-mcs/user_u_default_contexts
|
+++ b/config/appconfig-mcs/user_u_default_contexts
|
||||||
@@ -1,7 +1,7 @@
|
@@ -1,7 +1,7 @@
|
||||||
@ -111,7 +121,7 @@ index cacbc93..4f59f94 100644
|
|||||||
system_r:remote_login_t:s0 user_r:user_t:s0
|
system_r:remote_login_t:s0 user_r:user_t:s0
|
||||||
system_r:sshd_t:s0 user_r:user_t:s0
|
system_r:sshd_t:s0 user_r:user_t:s0
|
||||||
-system_r:crond_t:s0 user_r:cronjob_t:s0
|
-system_r:crond_t:s0 user_r:cronjob_t:s0
|
||||||
+system_r:crond_t:s0 user_r:user_t:s0
|
+system_r:crond_t:s0 user_r:user_t:s0 user_r:cronjob_t:s0
|
||||||
system_r:xdm_t:s0 user_r:user_t:s0
|
system_r:xdm_t:s0 user_r:user_t:s0
|
||||||
user_r:user_su_t:s0 user_r:user_t:s0
|
user_r:user_su_t:s0 user_r:user_t:s0
|
||||||
user_r:user_sudo_t:s0 user_r:user_t:s0
|
user_r:user_sudo_t:s0 user_r:user_t:s0
|
||||||
@ -122,6 +132,16 @@ index d387b42..150f281 100644
|
|||||||
@@ -1 +1,2 @@
|
@@ -1 +1,2 @@
|
||||||
system_u:system_r:svirt_t:s0
|
system_u:system_r:svirt_t:s0
|
||||||
+system_u:system_r:svirt_tcg_t:s0
|
+system_u:system_r:svirt_tcg_t:s0
|
||||||
|
diff --git a/config/appconfig-mls/default_contexts b/config/appconfig-mls/default_contexts
|
||||||
|
index 801d97b..698d54c 100644
|
||||||
|
--- a/config/appconfig-mls/default_contexts
|
||||||
|
+++ b/config/appconfig-mls/default_contexts
|
||||||
|
@@ -1,4 +1,4 @@
|
||||||
|
-system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
|
||||||
|
+system_r:crond_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
|
||||||
|
system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
|
||||||
|
system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
|
||||||
|
system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
|
||||||
diff --git a/config/appconfig-mls/openssh_contexts b/config/appconfig-mls/openssh_contexts
|
diff --git a/config/appconfig-mls/openssh_contexts b/config/appconfig-mls/openssh_contexts
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..6de0b01
|
index 0000000..6de0b01
|
||||||
@ -130,7 +150,7 @@ index 0000000..6de0b01
|
|||||||
@@ -0,0 +1 @@
|
@@ -0,0 +1 @@
|
||||||
+privsep_preauth=sshd_net_t
|
+privsep_preauth=sshd_net_t
|
||||||
diff --git a/config/appconfig-mls/staff_u_default_contexts b/config/appconfig-mls/staff_u_default_contexts
|
diff --git a/config/appconfig-mls/staff_u_default_contexts b/config/appconfig-mls/staff_u_default_contexts
|
||||||
index 881a292..80110a4 100644
|
index 881a292..5606c4e 100644
|
||||||
--- a/config/appconfig-mls/staff_u_default_contexts
|
--- a/config/appconfig-mls/staff_u_default_contexts
|
||||||
+++ b/config/appconfig-mls/staff_u_default_contexts
|
+++ b/config/appconfig-mls/staff_u_default_contexts
|
||||||
@@ -1,7 +1,7 @@
|
@@ -1,7 +1,7 @@
|
||||||
@ -138,7 +158,7 @@ index 881a292..80110a4 100644
|
|||||||
system_r:remote_login_t:s0 staff_r:staff_t:s0
|
system_r:remote_login_t:s0 staff_r:staff_t:s0
|
||||||
system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
|
system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
|
||||||
-system_r:crond_t:s0 staff_r:cronjob_t:s0
|
-system_r:crond_t:s0 staff_r:cronjob_t:s0
|
||||||
+system_r:crond_t:s0 staff_r:staff_t:s0
|
+system_r:crond_t:s0 staff_r:staff_t:s0 staff_r:cronjob_t:s0
|
||||||
system_r:xdm_t:s0 staff_r:staff_t:s0
|
system_r:xdm_t:s0 staff_r:staff_t:s0
|
||||||
staff_r:staff_su_t:s0 staff_r:staff_t:s0
|
staff_r:staff_su_t:s0 staff_r:staff_t:s0
|
||||||
staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
|
staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
|
||||||
@ -150,7 +170,7 @@ index 0000000..ff32acc
|
|||||||
@@ -0,0 +1 @@
|
@@ -0,0 +1 @@
|
||||||
+runtime=system_u:object_r:systemd_runtime_unit_file_t:s0
|
+runtime=system_u:object_r:systemd_runtime_unit_file_t:s0
|
||||||
diff --git a/config/appconfig-mls/user_u_default_contexts b/config/appconfig-mls/user_u_default_contexts
|
diff --git a/config/appconfig-mls/user_u_default_contexts b/config/appconfig-mls/user_u_default_contexts
|
||||||
index cacbc93..4f59f94 100644
|
index cacbc93..56d6071 100644
|
||||||
--- a/config/appconfig-mls/user_u_default_contexts
|
--- a/config/appconfig-mls/user_u_default_contexts
|
||||||
+++ b/config/appconfig-mls/user_u_default_contexts
|
+++ b/config/appconfig-mls/user_u_default_contexts
|
||||||
@@ -1,7 +1,7 @@
|
@@ -1,7 +1,7 @@
|
||||||
@ -158,10 +178,20 @@ index cacbc93..4f59f94 100644
|
|||||||
system_r:remote_login_t:s0 user_r:user_t:s0
|
system_r:remote_login_t:s0 user_r:user_t:s0
|
||||||
system_r:sshd_t:s0 user_r:user_t:s0
|
system_r:sshd_t:s0 user_r:user_t:s0
|
||||||
-system_r:crond_t:s0 user_r:cronjob_t:s0
|
-system_r:crond_t:s0 user_r:cronjob_t:s0
|
||||||
+system_r:crond_t:s0 user_r:user_t:s0
|
+system_r:crond_t:s0 user_r:user_t:s0 user_r:cronjob_t:s0
|
||||||
system_r:xdm_t:s0 user_r:user_t:s0
|
system_r:xdm_t:s0 user_r:user_t:s0
|
||||||
user_r:user_su_t:s0 user_r:user_t:s0
|
user_r:user_su_t:s0 user_r:user_t:s0
|
||||||
user_r:user_sudo_t:s0 user_r:user_t:s0
|
user_r:user_sudo_t:s0 user_r:user_t:s0
|
||||||
|
diff --git a/config/appconfig-standard/default_contexts b/config/appconfig-standard/default_contexts
|
||||||
|
index 64a0a90..25ee341 100644
|
||||||
|
--- a/config/appconfig-standard/default_contexts
|
||||||
|
+++ b/config/appconfig-standard/default_contexts
|
||||||
|
@@ -1,4 +1,4 @@
|
||||||
|
-system_r:crond_t user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_cronjob_t unconfined_r:unconfined_cronjob_t
|
||||||
|
+system_r:crond_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_cronjob_t unconfined_r:unconfined_cronjob_t
|
||||||
|
system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
|
||||||
|
system_r:remote_login_t user_r:user_t staff_r:staff_t unconfined_r:unconfined_t
|
||||||
|
system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
|
||||||
diff --git a/config/appconfig-standard/openssh_contexts b/config/appconfig-standard/openssh_contexts
|
diff --git a/config/appconfig-standard/openssh_contexts b/config/appconfig-standard/openssh_contexts
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..6de0b01
|
index 0000000..6de0b01
|
||||||
@ -170,7 +200,7 @@ index 0000000..6de0b01
|
|||||||
@@ -0,0 +1 @@
|
@@ -0,0 +1 @@
|
||||||
+privsep_preauth=sshd_net_t
|
+privsep_preauth=sshd_net_t
|
||||||
diff --git a/config/appconfig-standard/staff_u_default_contexts b/config/appconfig-standard/staff_u_default_contexts
|
diff --git a/config/appconfig-standard/staff_u_default_contexts b/config/appconfig-standard/staff_u_default_contexts
|
||||||
index c2a5ea8..f63999e 100644
|
index c2a5ea8..300694c 100644
|
||||||
--- a/config/appconfig-standard/staff_u_default_contexts
|
--- a/config/appconfig-standard/staff_u_default_contexts
|
||||||
+++ b/config/appconfig-standard/staff_u_default_contexts
|
+++ b/config/appconfig-standard/staff_u_default_contexts
|
||||||
@@ -1,7 +1,7 @@
|
@@ -1,7 +1,7 @@
|
||||||
@ -178,7 +208,7 @@ index c2a5ea8..f63999e 100644
|
|||||||
system_r:remote_login_t staff_r:staff_t
|
system_r:remote_login_t staff_r:staff_t
|
||||||
system_r:sshd_t staff_r:staff_t sysadm_r:sysadm_t
|
system_r:sshd_t staff_r:staff_t sysadm_r:sysadm_t
|
||||||
-system_r:crond_t staff_r:cronjob_t
|
-system_r:crond_t staff_r:cronjob_t
|
||||||
+system_r:crond_t staff_r:staff_t
|
+system_r:crond_t staff_r:staff_t staff_r:cronjob_t
|
||||||
system_r:xdm_t staff_r:staff_t
|
system_r:xdm_t staff_r:staff_t
|
||||||
staff_r:staff_su_t staff_r:staff_t
|
staff_r:staff_su_t staff_r:staff_t
|
||||||
staff_r:staff_sudo_t staff_r:staff_t
|
staff_r:staff_sudo_t staff_r:staff_t
|
||||||
@ -208,7 +238,7 @@ index 0000000..ff32acc
|
|||||||
@@ -0,0 +1 @@
|
@@ -0,0 +1 @@
|
||||||
+runtime=system_u:object_r:systemd_runtime_unit_file_t:s0
|
+runtime=system_u:object_r:systemd_runtime_unit_file_t:s0
|
||||||
diff --git a/config/appconfig-standard/user_u_default_contexts b/config/appconfig-standard/user_u_default_contexts
|
diff --git a/config/appconfig-standard/user_u_default_contexts b/config/appconfig-standard/user_u_default_contexts
|
||||||
index f5bfac3..639555b 100644
|
index f5bfac3..63b7eec 100644
|
||||||
--- a/config/appconfig-standard/user_u_default_contexts
|
--- a/config/appconfig-standard/user_u_default_contexts
|
||||||
+++ b/config/appconfig-standard/user_u_default_contexts
|
+++ b/config/appconfig-standard/user_u_default_contexts
|
||||||
@@ -1,7 +1,7 @@
|
@@ -1,7 +1,7 @@
|
||||||
@ -216,7 +246,7 @@ index f5bfac3..639555b 100644
|
|||||||
system_r:remote_login_t user_r:user_t
|
system_r:remote_login_t user_r:user_t
|
||||||
system_r:sshd_t user_r:user_t
|
system_r:sshd_t user_r:user_t
|
||||||
-system_r:crond_t user_r:cronjob_t
|
-system_r:crond_t user_r:cronjob_t
|
||||||
+system_r:crond_t user_r:user_t
|
+system_r:crond_t user_r:user_t user_r:cronjob_t
|
||||||
system_r:xdm_t user_r:user_t
|
system_r:xdm_t user_r:user_t
|
||||||
user_r:user_su_t user_r:user_t
|
user_r:user_su_t user_r:user_t
|
||||||
user_r:user_sudo_t user_r:user_t
|
user_r:user_sudo_t user_r:user_t
|
||||||
@ -3465,7 +3495,7 @@ index 7590165..d81185e 100644
|
|||||||
+ fs_mounton_fusefs(seunshare_domain)
|
+ fs_mounton_fusefs(seunshare_domain)
|
||||||
')
|
')
|
||||||
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
|
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
|
||||||
index 33e0f8d..e16fba2 100644
|
index 33e0f8d..9502a72 100644
|
||||||
--- a/policy/modules/kernel/corecommands.fc
|
--- a/policy/modules/kernel/corecommands.fc
|
||||||
+++ b/policy/modules/kernel/corecommands.fc
|
+++ b/policy/modules/kernel/corecommands.fc
|
||||||
@@ -1,9 +1,10 @@
|
@@ -1,9 +1,10 @@
|
||||||
@ -3497,7 +3527,7 @@ index 33e0f8d..e16fba2 100644
|
|||||||
/etc/dhcp/dhclient\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/etc/dhcp/dhclient\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
|
||||||
/etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0)
|
/etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
@@ -67,18 +71,28 @@ ifdef(`distro_redhat',`
|
@@ -67,18 +71,33 @@ ifdef(`distro_redhat',`
|
||||||
/etc/hotplug\.d/default/default.* gen_context(system_u:object_r:bin_t,s0)
|
/etc/hotplug\.d/default/default.* gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
|
||||||
/etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
@ -3510,6 +3540,11 @@ index 33e0f8d..e16fba2 100644
|
|||||||
+/etc/lxdm/Post.* -- gen_context(system_u:object_r:bin_t,s0)
|
+/etc/lxdm/Post.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
+/etc/lxdm/Pre.* -- gen_context(system_u:object_r:bin_t,s0)
|
+/etc/lxdm/Pre.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
+/etc/lxdm/Xsession -- gen_context(system_u:object_r:bin_t,s0)
|
+/etc/lxdm/Xsession -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
+
|
||||||
|
+/etc/sddm/Xsession -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
+/etc/sddm/wayland-session -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
+/etc/sddm/Xsetup -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
+/etc/sddm/Xstop -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
+
|
+
|
||||||
/etc/mail/make -- gen_context(system_u:object_r:bin_t,s0)
|
/etc/mail/make -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
|
||||||
@ -3526,7 +3561,7 @@ index 33e0f8d..e16fba2 100644
|
|||||||
|
|
||||||
/etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
|
||||||
@@ -101,8 +115,6 @@ ifdef(`distro_redhat',`
|
@@ -101,8 +120,6 @@ ifdef(`distro_redhat',`
|
||||||
|
|
||||||
/etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
|
/etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
|
||||||
@ -3535,7 +3570,7 @@ index 33e0f8d..e16fba2 100644
|
|||||||
/etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0)
|
/etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0)
|
/etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0)
|
/etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
@@ -116,6 +128,9 @@ ifdef(`distro_redhat',`
|
@@ -116,6 +133,9 @@ ifdef(`distro_redhat',`
|
||||||
|
|
||||||
/etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
|
||||||
@ -3545,7 +3580,7 @@ index 33e0f8d..e16fba2 100644
|
|||||||
/etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0)
|
/etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0)
|
/etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0)
|
/etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
@@ -135,10 +150,12 @@ ifdef(`distro_debian',`
|
@@ -135,10 +155,12 @@ ifdef(`distro_debian',`
|
||||||
/lib/nut/.* -- gen_context(system_u:object_r:bin_t,s0)
|
/lib/nut/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
|
/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
@ -3559,7 +3594,7 @@ index 33e0f8d..e16fba2 100644
|
|||||||
|
|
||||||
ifdef(`distro_gentoo',`
|
ifdef(`distro_gentoo',`
|
||||||
/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
|
/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
@@ -149,10 +166,12 @@ ifdef(`distro_gentoo',`
|
@@ -149,10 +171,12 @@ ifdef(`distro_gentoo',`
|
||||||
/lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
|
/lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -3573,7 +3608,7 @@ index 33e0f8d..e16fba2 100644
|
|||||||
/sbin/.* gen_context(system_u:object_r:bin_t,s0)
|
/sbin/.* gen_context(system_u:object_r:bin_t,s0)
|
||||||
/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
|
/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
|
/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
@@ -168,6 +187,7 @@ ifdef(`distro_gentoo',`
|
@@ -168,6 +192,7 @@ ifdef(`distro_gentoo',`
|
||||||
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
|
||||||
/opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
@ -3581,7 +3616,7 @@ index 33e0f8d..e16fba2 100644
|
|||||||
|
|
||||||
/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
|
||||||
@@ -179,34 +199,50 @@ ifdef(`distro_gentoo',`
|
@@ -179,34 +204,50 @@ ifdef(`distro_gentoo',`
|
||||||
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -3641,7 +3676,7 @@ index 33e0f8d..e16fba2 100644
|
|||||||
/usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
|
/usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
@@ -218,19 +254,32 @@ ifdef(`distro_gentoo',`
|
@@ -218,19 +259,32 @@ ifdef(`distro_gentoo',`
|
||||||
/usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0)
|
/usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
@ -3681,7 +3716,7 @@ index 33e0f8d..e16fba2 100644
|
|||||||
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
@@ -245,26 +294,40 @@ ifdef(`distro_gentoo',`
|
@@ -245,26 +299,40 @@ ifdef(`distro_gentoo',`
|
||||||
/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
@ -3727,7 +3762,7 @@ index 33e0f8d..e16fba2 100644
|
|||||||
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
|
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||||
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||||
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||||
@@ -280,10 +343,14 @@ ifdef(`distro_gentoo',`
|
@@ -280,10 +348,14 @@ ifdef(`distro_gentoo',`
|
||||||
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
@ -3742,7 +3777,7 @@ index 33e0f8d..e16fba2 100644
|
|||||||
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
@@ -298,16 +365,22 @@ ifdef(`distro_gentoo',`
|
@@ -298,16 +370,22 @@ ifdef(`distro_gentoo',`
|
||||||
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
@ -3767,7 +3802,7 @@ index 33e0f8d..e16fba2 100644
|
|||||||
|
|
||||||
ifdef(`distro_debian',`
|
ifdef(`distro_debian',`
|
||||||
/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
@@ -325,20 +398,27 @@ ifdef(`distro_redhat', `
|
@@ -325,20 +403,27 @@ ifdef(`distro_redhat', `
|
||||||
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
|
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
|
||||||
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
|
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
|
||||||
@ -3796,7 +3831,7 @@ index 33e0f8d..e16fba2 100644
|
|||||||
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
@@ -346,6 +426,7 @@ ifdef(`distro_redhat', `
|
@@ -346,6 +431,7 @@ ifdef(`distro_redhat', `
|
||||||
/usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
@ -3804,7 +3839,7 @@ index 33e0f8d..e16fba2 100644
|
|||||||
/usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
@@ -387,17 +468,34 @@ ifdef(`distro_suse', `
|
@@ -387,17 +473,34 @@ ifdef(`distro_suse', `
|
||||||
#
|
#
|
||||||
# /var
|
# /var
|
||||||
#
|
#
|
||||||
@ -36131,7 +36166,7 @@ index c42fbc3..bf211db 100644
|
|||||||
+ files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock")
|
+ files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock")
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
|
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
|
||||||
index be8ed1e..3c2729f 100644
|
index be8ed1e..660ef80 100644
|
||||||
--- a/policy/modules/system/iptables.te
|
--- a/policy/modules/system/iptables.te
|
||||||
+++ b/policy/modules/system/iptables.te
|
+++ b/policy/modules/system/iptables.te
|
||||||
@@ -16,15 +16,18 @@ role iptables_roles types iptables_t;
|
@@ -16,15 +16,18 @@ role iptables_roles types iptables_t;
|
||||||
@ -36244,11 +36279,12 @@ index be8ed1e..3c2729f 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -110,6 +125,11 @@ optional_policy(`
|
@@ -110,6 +125,12 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
+ firewalld_read_config(iptables_t)
|
+ firewalld_read_config(iptables_t)
|
||||||
|
+ firewalld_read_pid_files(iptables_t)
|
||||||
+ firewalld_dontaudit_write_tmp_files(iptables_t)
|
+ firewalld_dontaudit_write_tmp_files(iptables_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
@ -36256,7 +36292,7 @@ index be8ed1e..3c2729f 100644
|
|||||||
modutils_run_insmod(iptables_t, iptables_roles)
|
modutils_run_insmod(iptables_t, iptables_roles)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -124,6 +144,16 @@ optional_policy(`
|
@@ -124,6 +145,16 @@ optional_policy(`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
psad_rw_tmp_files(iptables_t)
|
psad_rw_tmp_files(iptables_t)
|
||||||
@ -36273,7 +36309,7 @@ index be8ed1e..3c2729f 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -135,9 +165,9 @@ optional_policy(`
|
@@ -135,9 +166,9 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -45222,10 +45258,10 @@ index 0000000..c253b33
|
|||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..decb7c3
|
index 0000000..56ba5a6
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/system/systemd.te
|
+++ b/policy/modules/system/systemd.te
|
||||||
@@ -0,0 +1,822 @@
|
@@ -0,0 +1,824 @@
|
||||||
+policy_module(systemd, 1.0.0)
|
+policy_module(systemd, 1.0.0)
|
||||||
+
|
+
|
||||||
+#######################################
|
+#######################################
|
||||||
@ -45892,6 +45928,7 @@ index 0000000..decb7c3
|
|||||||
+#
|
+#
|
||||||
+
|
+
|
||||||
+allow systemd_rfkill_t self:capability net_admin;
|
+allow systemd_rfkill_t self:capability net_admin;
|
||||||
|
+allow systemd_rfkill_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||||
+
|
+
|
||||||
+manage_files_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
|
+manage_files_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
|
||||||
+
|
+
|
||||||
@ -46021,6 +46058,7 @@ index 0000000..decb7c3
|
|||||||
+dev_read_urand(systemd_domain)
|
+dev_read_urand(systemd_domain)
|
||||||
+
|
+
|
||||||
+fs_search_all(systemd_domain)
|
+fs_search_all(systemd_domain)
|
||||||
|
+fs_getattr_all_fs(systemd_domain)
|
||||||
+
|
+
|
||||||
+files_read_etc_files(systemd_domain)
|
+files_read_etc_files(systemd_domain)
|
||||||
+files_read_etc_runtime_files(systemd_domain)
|
+files_read_etc_runtime_files(systemd_domain)
|
||||||
|
|||||||
@ -3166,10 +3166,10 @@ index 0000000..36251b9
|
|||||||
+')
|
+')
|
||||||
diff --git a/antivirus.te b/antivirus.te
|
diff --git a/antivirus.te b/antivirus.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..12349f3
|
index 0000000..d8b04b5
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/antivirus.te
|
+++ b/antivirus.te
|
||||||
@@ -0,0 +1,272 @@
|
@@ -0,0 +1,273 @@
|
||||||
+policy_module(antivirus, 1.0.0)
|
+policy_module(antivirus, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -3284,6 +3284,7 @@ index 0000000..12349f3
|
|||||||
+
|
+
|
||||||
+corenet_all_recvfrom_netlabel(antivirus_t)
|
+corenet_all_recvfrom_netlabel(antivirus_t)
|
||||||
+corenet_tcp_bind_all_unreserved_ports(antivirus_t)
|
+corenet_tcp_bind_all_unreserved_ports(antivirus_t)
|
||||||
|
+corenet_dontaudit_tcp_bind_all_reserved_ports(antivirus_t)
|
||||||
+corenet_tcp_sendrecv_generic_if(antivirus_t)
|
+corenet_tcp_sendrecv_generic_if(antivirus_t)
|
||||||
+corenet_udp_sendrecv_generic_if(antivirus_t)
|
+corenet_udp_sendrecv_generic_if(antivirus_t)
|
||||||
+corenet_tcp_sendrecv_generic_node(antivirus_domain)
|
+corenet_tcp_sendrecv_generic_node(antivirus_domain)
|
||||||
@ -28268,7 +28269,7 @@ index 21d7b84..0e272bd 100644
|
|||||||
|
|
||||||
/etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
|
/etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
|
||||||
diff --git a/firewalld.if b/firewalld.if
|
diff --git a/firewalld.if b/firewalld.if
|
||||||
index c62c567..6460877 100644
|
index c62c567..2d9e254 100644
|
||||||
--- a/firewalld.if
|
--- a/firewalld.if
|
||||||
+++ b/firewalld.if
|
+++ b/firewalld.if
|
||||||
@@ -2,7 +2,7 @@
|
@@ -2,7 +2,7 @@
|
||||||
@ -28349,7 +28350,7 @@ index c62c567..6460877 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -51,18 +93,18 @@ interface(`firewalld_dbus_chat',`
|
@@ -51,18 +93,37 @@ interface(`firewalld_dbus_chat',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -28367,12 +28368,31 @@ index c62c567..6460877 100644
|
|||||||
## <summary>
|
## <summary>
|
||||||
-## All of the rules required to
|
-## All of the rules required to
|
||||||
-## administrate an firewalld environment.
|
-## administrate an firewalld environment.
|
||||||
|
+## Read firewalld PID files.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`firewalld_read_pid_files',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type firewalld_var_run_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ files_search_pids($1)
|
||||||
|
+ allow $1 firewalld_var_run_t:file read_file_perms;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
+## All of the rules required to administrate
|
+## All of the rules required to administrate
|
||||||
+## an firewalld environment
|
+## an firewalld environment
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -79,14 +121,18 @@ interface(`firewalld_dontaudit_rw_tmp_files',`
|
@@ -79,14 +140,18 @@ interface(`firewalld_dontaudit_rw_tmp_files',`
|
||||||
interface(`firewalld_admin',`
|
interface(`firewalld_admin',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type firewalld_t, firewalld_initrc_exec_t;
|
type firewalld_t, firewalld_initrc_exec_t;
|
||||||
@ -28394,7 +28414,7 @@ index c62c567..6460877 100644
|
|||||||
domain_system_change_exemption($1)
|
domain_system_change_exemption($1)
|
||||||
role_transition $2 firewalld_initrc_exec_t system_r;
|
role_transition $2 firewalld_initrc_exec_t system_r;
|
||||||
allow $2 system_r;
|
allow $2 system_r;
|
||||||
@@ -97,6 +143,9 @@ interface(`firewalld_admin',`
|
@@ -97,6 +162,9 @@ interface(`firewalld_admin',`
|
||||||
logging_search_logs($1)
|
logging_search_logs($1)
|
||||||
admin_pattern($1, firewalld_var_log_t)
|
admin_pattern($1, firewalld_var_log_t)
|
||||||
|
|
||||||
@ -28407,7 +28427,7 @@ index c62c567..6460877 100644
|
|||||||
+ allow $1 firewalld_unit_file_t:service all_service_perms;
|
+ allow $1 firewalld_unit_file_t:service all_service_perms;
|
||||||
')
|
')
|
||||||
diff --git a/firewalld.te b/firewalld.te
|
diff --git a/firewalld.te b/firewalld.te
|
||||||
index 98072a3..1b550dd 100644
|
index 98072a3..d5d852e 100644
|
||||||
--- a/firewalld.te
|
--- a/firewalld.te
|
||||||
+++ b/firewalld.te
|
+++ b/firewalld.te
|
||||||
@@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t)
|
@@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t)
|
||||||
@ -28435,7 +28455,7 @@ index 98072a3..1b550dd 100644
|
|||||||
|
|
||||||
allow firewalld_t firewalld_var_log_t:file append_file_perms;
|
allow firewalld_t firewalld_var_log_t:file append_file_perms;
|
||||||
allow firewalld_t firewalld_var_log_t:file create_file_perms;
|
allow firewalld_t firewalld_var_log_t:file create_file_perms;
|
||||||
@@ -48,8 +56,13 @@ manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)
|
@@ -48,8 +56,14 @@ manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)
|
||||||
files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file)
|
files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file)
|
||||||
allow firewalld_t firewalld_tmp_t:file mmap_file_perms;
|
allow firewalld_t firewalld_tmp_t:file mmap_file_perms;
|
||||||
|
|
||||||
@ -28444,12 +28464,14 @@ index 98072a3..1b550dd 100644
|
|||||||
+allow firewalld_t firewalld_tmpfs_t:file mmap_file_perms;
|
+allow firewalld_t firewalld_tmpfs_t:file mmap_file_perms;
|
||||||
+
|
+
|
||||||
manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
|
manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
|
||||||
files_pid_filetrans(firewalld_t, firewalld_var_run_t, file)
|
-files_pid_filetrans(firewalld_t, firewalld_var_run_t, file)
|
||||||
|
+manage_dirs_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
|
||||||
|
+files_pid_filetrans(firewalld_t, firewalld_var_run_t, { file dir })
|
||||||
+can_exec(firewalld_t, firewalld_var_run_t)
|
+can_exec(firewalld_t, firewalld_var_run_t)
|
||||||
|
|
||||||
kernel_read_network_state(firewalld_t)
|
kernel_read_network_state(firewalld_t)
|
||||||
kernel_read_system_state(firewalld_t)
|
kernel_read_system_state(firewalld_t)
|
||||||
@@ -63,20 +76,19 @@ dev_search_sysfs(firewalld_t)
|
@@ -63,20 +77,19 @@ dev_search_sysfs(firewalld_t)
|
||||||
|
|
||||||
domain_use_interactive_fds(firewalld_t)
|
domain_use_interactive_fds(firewalld_t)
|
||||||
|
|
||||||
@ -28476,7 +28498,7 @@ index 98072a3..1b550dd 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_system_domain(firewalld_t, firewalld_exec_t)
|
dbus_system_domain(firewalld_t, firewalld_exec_t)
|
||||||
@@ -95,6 +107,10 @@ optional_policy(`
|
@@ -95,6 +108,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -99807,7 +99829,7 @@ index 1499b0b..6950cab 100644
|
|||||||
- spamassassin_role($2, $1)
|
- spamassassin_role($2, $1)
|
||||||
')
|
')
|
||||||
diff --git a/spamassassin.te b/spamassassin.te
|
diff --git a/spamassassin.te b/spamassassin.te
|
||||||
index cc58e35..2794505 100644
|
index cc58e35..d20d0ed 100644
|
||||||
--- a/spamassassin.te
|
--- a/spamassassin.te
|
||||||
+++ b/spamassassin.te
|
+++ b/spamassassin.te
|
||||||
@@ -7,50 +7,23 @@ policy_module(spamassassin, 2.6.1)
|
@@ -7,50 +7,23 @@ policy_module(spamassassin, 2.6.1)
|
||||||
@ -100351,7 +100373,7 @@ index cc58e35..2794505 100644
|
|||||||
corenet_all_recvfrom_netlabel(spamd_t)
|
corenet_all_recvfrom_netlabel(spamd_t)
|
||||||
corenet_tcp_sendrecv_generic_if(spamd_t)
|
corenet_tcp_sendrecv_generic_if(spamd_t)
|
||||||
corenet_udp_sendrecv_generic_if(spamd_t)
|
corenet_udp_sendrecv_generic_if(spamd_t)
|
||||||
@@ -331,78 +450,59 @@ corenet_udp_sendrecv_generic_node(spamd_t)
|
@@ -331,78 +450,60 @@ corenet_udp_sendrecv_generic_node(spamd_t)
|
||||||
corenet_tcp_sendrecv_all_ports(spamd_t)
|
corenet_tcp_sendrecv_all_ports(spamd_t)
|
||||||
corenet_udp_sendrecv_all_ports(spamd_t)
|
corenet_udp_sendrecv_all_ports(spamd_t)
|
||||||
corenet_tcp_bind_generic_node(spamd_t)
|
corenet_tcp_bind_generic_node(spamd_t)
|
||||||
@ -100361,6 +100383,7 @@ index cc58e35..2794505 100644
|
|||||||
corenet_tcp_bind_spamd_port(spamd_t)
|
corenet_tcp_bind_spamd_port(spamd_t)
|
||||||
-
|
-
|
||||||
-corenet_sendrecv_razor_client_packets(spamd_t)
|
-corenet_sendrecv_razor_client_packets(spamd_t)
|
||||||
|
+corenet_tcp_connect_all_unreserved_ports(spamd_t)
|
||||||
+corenet_tcp_connect_spamd_port(spamd_t)
|
+corenet_tcp_connect_spamd_port(spamd_t)
|
||||||
corenet_tcp_connect_razor_port(spamd_t)
|
corenet_tcp_connect_razor_port(spamd_t)
|
||||||
-
|
-
|
||||||
@ -100455,7 +100478,7 @@ index cc58e35..2794505 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -421,21 +521,13 @@ optional_policy(`
|
@@ -421,21 +522,13 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -100479,7 +100502,7 @@ index cc58e35..2794505 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -443,8 +535,8 @@ optional_policy(`
|
@@ -443,8 +536,8 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -100489,7 +100512,7 @@ index cc58e35..2794505 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -455,7 +547,17 @@ optional_policy(`
|
@@ -455,7 +548,17 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
razor_domtrans(spamd_t)
|
razor_domtrans(spamd_t)
|
||||||
razor_read_lib_files(spamd_t)
|
razor_read_lib_files(spamd_t)
|
||||||
@ -100508,7 +100531,7 @@ index cc58e35..2794505 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -463,9 +565,9 @@ optional_policy(`
|
@@ -463,9 +566,9 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -100519,7 +100542,7 @@ index cc58e35..2794505 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -474,32 +576,32 @@ optional_policy(`
|
@@ -474,32 +577,32 @@ optional_policy(`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -100562,7 +100585,7 @@ index cc58e35..2794505 100644
|
|||||||
|
|
||||||
corecmd_exec_bin(spamd_update_t)
|
corecmd_exec_bin(spamd_update_t)
|
||||||
corecmd_exec_shell(spamd_update_t)
|
corecmd_exec_shell(spamd_update_t)
|
||||||
@@ -508,25 +610,21 @@ dev_read_urand(spamd_update_t)
|
@@ -508,25 +611,21 @@ dev_read_urand(spamd_update_t)
|
||||||
|
|
||||||
domain_use_interactive_fds(spamd_update_t)
|
domain_use_interactive_fds(spamd_update_t)
|
||||||
|
|
||||||
|
|||||||
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.13.1
|
Version: 3.13.1
|
||||||
Release: 163%{?dist}
|
Release: 164%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -664,6 +664,15 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Dec 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-164
|
||||||
|
- Allow firewalld to create firewalld_var_run_t directory. BZ(1291243)
|
||||||
|
- Add interface firewalld_read_pid_files()
|
||||||
|
- Allow iptables to read firewalld pid files. BZ(1291243)
|
||||||
|
- Allow the user cronjobs to run in their userdomain
|
||||||
|
- Label ssdm binaries storedin /etc/sddm/ as bin_t. BZ(1288111)
|
||||||
|
- Merge pull request #81 from rhatdan/rawhide-base
|
||||||
|
- New access needed by systemd domains
|
||||||
|
|
||||||
* Wed Dec 09 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-163
|
* Wed Dec 09 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-163
|
||||||
- Allow whack executed by sysadm SELinux user to access /var/run/pluto/pluto.ctl. It fixes "ipsec auto --status" executed by sysadm_t.
|
- Allow whack executed by sysadm SELinux user to access /var/run/pluto/pluto.ctl. It fixes "ipsec auto --status" executed by sysadm_t.
|
||||||
- Add ipsec_read_pid() interface
|
- Add ipsec_read_pid() interface
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user