* Tue Sep 01 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-146
- Allow passenger to getattr filesystem xattr - Revert "Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc." - Label mdadm.conf.anackbak as mdadm_conf_t file. - Allow dnssec-ttrigger to relabel net_conf_t files. BZ(1251765) - Allow dnssec-trigger to exec pidof. BZ(#1256737) - Allow blueman to create own tmp files in /tmp. (#1234647) - Add new audit_read access vector in capability2 class - Add "binder" security class and access vectors - Update netlink socket classes. - Allow getty to read network state. BZ(#1255177) - Remove labeling for /var/db/.*\.db as etc_t to label db files as system_db_t.
This commit is contained in:
Lukas Vrabec
parent
0d70340b72
commit
f1ab24fa93
|
|
@ -801,7 +801,7 @@ index 5061a5f..0000000
|
|||
-.SH "SEE ALSO"
|
||||
-selinux(8), ypbind(8), chcon(1), setsebool(8)
|
||||
diff --git a/policy/constraints b/policy/constraints
|
||||
index 3a45f23..f4754f0 100644
|
||||
index 3a45f23..ee7d7b3 100644
|
||||
--- a/policy/constraints
|
||||
+++ b/policy/constraints
|
||||
@@ -105,6 +105,18 @@ constrain process { transition dyntransition noatsecure siginh rlimitinh }
|
||||
|
|
@ -823,8 +823,23 @@ index 3a45f23..f4754f0 100644
|
|||
# These permissions do not have ubac constraints:
|
||||
# fork
|
||||
# setexec
|
||||
@@ -150,6 +162,14 @@ exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsock)
|
||||
exempted_ubac_constraint(appletalk_socket, ubacsock)
|
||||
exempted_ubac_constraint(dccp_socket, ubacsock)
|
||||
exempted_ubac_constraint(tun_socket, ubacsock)
|
||||
+exempted_ubac_constraint(netlink_iscsi_socket, ubacsock)
|
||||
+exempted_ubac_constraint(netlink_fib_lookup_socket, ubacsock)
|
||||
+exempted_ubac_constraint(netlink_connector_socket, ubacsock)
|
||||
+exempted_ubac_constraint(netlink_netfilter_socket, ubacsock)
|
||||
+exempted_ubac_constraint(netlink_generic_socket, ubacsock)
|
||||
+exempted_ubac_constraint(netlink_scsitransport_socket, ubacsock)
|
||||
+exempted_ubac_constraint(netlink_rdma_socket, ubacsock)
|
||||
+exempted_ubac_constraint(netlink_crypto_socket, ubacsock)
|
||||
|
||||
constrain socket_class_set { create relabelto relabelfrom }
|
||||
(
|
||||
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
|
||||
index a94b169..1afd77b 100644
|
||||
index a94b169..2e137e6 100644
|
||||
--- a/policy/flask/access_vectors
|
||||
+++ b/policy/flask/access_vectors
|
||||
@@ -329,6 +329,7 @@ class process
|
||||
|
|
@ -849,7 +864,7 @@ index a94b169..1afd77b 100644
|
|||
}
|
||||
|
||||
#
|
||||
@@ -443,10 +451,12 @@ class capability
|
||||
@@ -443,10 +451,13 @@ class capability
|
||||
class capability2
|
||||
{
|
||||
mac_override # unused by SELinux
|
||||
|
|
@ -860,10 +875,11 @@ index a94b169..1afd77b 100644
|
|||
+ epolwakeup
|
||||
block_suspend
|
||||
+ compromise_kernel
|
||||
+ audit_read
|
||||
}
|
||||
|
||||
#
|
||||
@@ -690,6 +700,8 @@ class nscd
|
||||
@@ -690,6 +701,8 @@ class nscd
|
||||
shmemhost
|
||||
getserv
|
||||
shmemserv
|
||||
|
|
@ -872,7 +888,46 @@ index a94b169..1afd77b 100644
|
|||
}
|
||||
|
||||
# Define the access vector interpretation for controlling
|
||||
@@ -865,3 +877,18 @@ inherits database
|
||||
@@ -831,6 +844,38 @@ inherits socket
|
||||
attach_queue
|
||||
}
|
||||
|
||||
+class binder
|
||||
+{
|
||||
+ impersonate
|
||||
+ call
|
||||
+ set_context_mgr
|
||||
+ transfer
|
||||
+}
|
||||
+
|
||||
+class netlink_iscsi_socket
|
||||
+inherits socket
|
||||
+
|
||||
+class netlink_fib_lookup_socket
|
||||
+inherits socket
|
||||
+
|
||||
+class netlink_connector_socket
|
||||
+inherits socket
|
||||
+
|
||||
+class netlink_netfilter_socket
|
||||
+inherits socket
|
||||
+
|
||||
+class netlink_generic_socket
|
||||
+inherits socket
|
||||
+
|
||||
+class netlink_scsitransport_socket
|
||||
+inherits socket
|
||||
+
|
||||
+class netlink_rdma_socket
|
||||
+inherits socket
|
||||
+
|
||||
+class netlink_crypto_socket
|
||||
+inherits socket
|
||||
+
|
||||
class x_pointer
|
||||
inherits x_device
|
||||
|
||||
@@ -865,3 +910,18 @@ inherits database
|
||||
implement
|
||||
execute
|
||||
}
|
||||
|
|
@ -892,10 +947,29 @@ index a94b169..1afd77b 100644
|
|||
+ read
|
||||
+}
|
||||
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
|
||||
index 14a4799..db2e4a0 100644
|
||||
index 14a4799..9bb9aa4 100644
|
||||
--- a/policy/flask/security_classes
|
||||
+++ b/policy/flask/security_classes
|
||||
@@ -131,4 +131,11 @@ class db_view # userspace
|
||||
@@ -121,6 +121,18 @@ class kernel_service
|
||||
|
||||
class tun_socket
|
||||
|
||||
+class binder
|
||||
+
|
||||
+# Updated netlink classes for more recent netlink protocols.
|
||||
+class netlink_iscsi_socket
|
||||
+class netlink_fib_lookup_socket
|
||||
+class netlink_connector_socket
|
||||
+class netlink_netfilter_socket
|
||||
+class netlink_generic_socket
|
||||
+class netlink_scsitransport_socket
|
||||
+class netlink_rdma_socket
|
||||
+class netlink_crypto_socket
|
||||
+
|
||||
# Still More SE-X Windows stuff
|
||||
class x_pointer # userspace
|
||||
class x_keyboard # userspace
|
||||
@@ -131,4 +143,11 @@ class db_view # userspace
|
||||
class db_sequence # userspace
|
||||
class db_language # userspace
|
||||
|
||||
|
|
@ -1174,10 +1248,10 @@ index 216b3d1..064ec83 100644
|
|||
+
|
||||
') dnl end enable_mcs
|
||||
diff --git a/policy/mls b/policy/mls
|
||||
index f11e5e2..9e0c245 100644
|
||||
index f11e5e2..2d2ab83 100644
|
||||
--- a/policy/mls
|
||||
+++ b/policy/mls
|
||||
@@ -156,9 +156,6 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
|
||||
@@ -156,15 +156,12 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
|
||||
# these access vectors have no MLS restrictions
|
||||
# filesystem { transition associate }
|
||||
|
||||
|
|
@ -1187,7 +1261,28 @@ index f11e5e2..9e0c245 100644
|
|||
#
|
||||
# MLS policy for the socket classes
|
||||
#
|
||||
@@ -195,7 +192,8 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
|
||||
|
||||
# new socket labels must be dominated by the relabeling subjects clearance
|
||||
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
|
||||
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } relabelto
|
||||
( h1 dom h2 );
|
||||
|
||||
# the socket "read+write" ops
|
||||
@@ -180,7 +177,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
|
||||
|
||||
|
||||
# the socket "read" ops (note the check is dominance of the low level)
|
||||
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recv_msg }
|
||||
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { read getattr listen accept getopt recv_msg }
|
||||
(( l1 dom l2 ) or
|
||||
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
|
||||
( t1 == mlsnetread ));
|
||||
@@ -191,11 +188,12 @@ mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_sock
|
||||
( t1 == mlsnetread ));
|
||||
|
||||
# the socket "write" ops
|
||||
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown }
|
||||
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { write setattr relabelfrom connect setopt shutdown }
|
||||
(( l1 eq l2 ) or
|
||||
(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
|
||||
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
|
||||
|
|
@ -1802,7 +1897,7 @@ index c6ca761..0c86bfd 100644
|
|||
')
|
||||
|
||||
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
|
||||
index c44c359..e679c18 100644
|
||||
index c44c359..5210ca5 100644
|
||||
--- a/policy/modules/admin/netutils.te
|
||||
+++ b/policy/modules/admin/netutils.te
|
||||
@@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1)
|
||||
|
|
@ -1818,7 +1913,7 @@ index c44c359..e679c18 100644
|
|||
|
||||
type netutils_t;
|
||||
type netutils_exec_t;
|
||||
@@ -33,7 +33,7 @@ init_system_domain(traceroute_t, traceroute_exec_t)
|
||||
@@ -33,25 +33,28 @@ init_system_domain(traceroute_t, traceroute_exec_t)
|
||||
#
|
||||
|
||||
# Perform network administration operations and have raw access to the network.
|
||||
|
|
@ -1827,7 +1922,10 @@ index c44c359..e679c18 100644
|
|||
dontaudit netutils_t self:capability { dac_override sys_tty_config };
|
||||
allow netutils_t self:process { setcap signal_perms };
|
||||
allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
@@ -42,16 +42,17 @@ allow netutils_t self:packet_socket create_socket_perms;
|
||||
allow netutils_t self:netlink_socket create_socket_perms;
|
||||
+# For tcpdump.
|
||||
+allow netutils_t self:netlink_netfilter_socket create_socket_perms;
|
||||
allow netutils_t self:packet_socket create_socket_perms;
|
||||
allow netutils_t self:udp_socket create_socket_perms;
|
||||
allow netutils_t self:tcp_socket create_stream_socket_perms;
|
||||
allow netutils_t self:socket create_socket_perms;
|
||||
|
|
@ -1847,7 +1945,7 @@ index c44c359..e679c18 100644
|
|||
corenet_all_recvfrom_netlabel(netutils_t)
|
||||
corenet_tcp_sendrecv_generic_if(netutils_t)
|
||||
corenet_raw_sendrecv_generic_if(netutils_t)
|
||||
@@ -66,6 +67,9 @@ corenet_sendrecv_all_client_packets(netutils_t)
|
||||
@@ -66,6 +69,9 @@ corenet_sendrecv_all_client_packets(netutils_t)
|
||||
corenet_udp_bind_generic_node(netutils_t)
|
||||
|
||||
dev_read_sysfs(netutils_t)
|
||||
|
|
@ -1857,7 +1955,7 @@ index c44c359..e679c18 100644
|
|||
|
||||
fs_getattr_xattr_fs(netutils_t)
|
||||
|
||||
@@ -80,12 +84,12 @@ init_use_script_ptys(netutils_t)
|
||||
@@ -80,12 +86,12 @@ init_use_script_ptys(netutils_t)
|
||||
|
||||
auth_use_nsswitch(netutils_t)
|
||||
|
||||
|
|
@ -1873,7 +1971,7 @@ index c44c359..e679c18 100644
|
|||
userdom_use_all_users_fds(netutils_t)
|
||||
|
||||
optional_policy(`
|
||||
@@ -110,11 +114,10 @@ allow ping_t self:capability { setuid net_raw };
|
||||
@@ -110,11 +116,10 @@ allow ping_t self:capability { setuid net_raw };
|
||||
allow ping_t self:process { getcap setcap };
|
||||
dontaudit ping_t self:capability sys_tty_config;
|
||||
allow ping_t self:tcp_socket create_socket_perms;
|
||||
|
|
@ -1887,7 +1985,7 @@ index c44c359..e679c18 100644
|
|||
corenet_all_recvfrom_netlabel(ping_t)
|
||||
corenet_tcp_sendrecv_generic_if(ping_t)
|
||||
corenet_raw_sendrecv_generic_if(ping_t)
|
||||
@@ -124,6 +127,9 @@ corenet_raw_bind_generic_node(ping_t)
|
||||
@@ -124,6 +129,9 @@ corenet_raw_bind_generic_node(ping_t)
|
||||
corenet_tcp_sendrecv_all_ports(ping_t)
|
||||
|
||||
fs_dontaudit_getattr_xattr_fs(ping_t)
|
||||
|
|
@ -1897,7 +1995,7 @@ index c44c359..e679c18 100644
|
|||
|
||||
domain_use_interactive_fds(ping_t)
|
||||
|
||||
@@ -131,14 +137,13 @@ files_read_etc_files(ping_t)
|
||||
@@ -131,14 +139,13 @@ files_read_etc_files(ping_t)
|
||||
files_dontaudit_search_var(ping_t)
|
||||
|
||||
kernel_read_system_state(ping_t)
|
||||
|
|
@ -1915,7 +2013,7 @@ index c44c359..e679c18 100644
|
|||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
init_dontaudit_use_fds(ping_t)
|
||||
@@ -149,11 +154,25 @@ ifdef(`hide_broken_symptoms',`
|
||||
@@ -149,11 +156,25 @@ ifdef(`hide_broken_symptoms',`
|
||||
')
|
||||
')
|
||||
|
||||
|
|
@ -1941,7 +2039,7 @@ index c44c359..e679c18 100644
|
|||
pcmcia_use_cardmgr_fds(ping_t)
|
||||
')
|
||||
|
||||
@@ -161,6 +180,15 @@ optional_policy(`
|
||||
@@ -161,6 +182,15 @@ optional_policy(`
|
||||
hotplug_use_fds(ping_t)
|
||||
')
|
||||
|
||||
|
|
@ -1957,7 +2055,7 @@ index c44c359..e679c18 100644
|
|||
########################################
|
||||
#
|
||||
# Traceroute local policy
|
||||
@@ -174,7 +202,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
|
||||
@@ -174,7 +204,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
|
||||
kernel_read_system_state(traceroute_t)
|
||||
kernel_read_network_state(traceroute_t)
|
||||
|
||||
|
|
@ -1965,7 +2063,7 @@ index c44c359..e679c18 100644
|
|||
corenet_all_recvfrom_netlabel(traceroute_t)
|
||||
corenet_tcp_sendrecv_generic_if(traceroute_t)
|
||||
corenet_udp_sendrecv_generic_if(traceroute_t)
|
||||
@@ -198,6 +225,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
|
||||
@@ -198,6 +227,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
|
||||
domain_use_interactive_fds(traceroute_t)
|
||||
|
||||
files_read_etc_files(traceroute_t)
|
||||
|
|
@ -1973,7 +2071,7 @@ index c44c359..e679c18 100644
|
|||
files_dontaudit_search_var(traceroute_t)
|
||||
|
||||
init_use_fds(traceroute_t)
|
||||
@@ -206,11 +234,17 @@ auth_use_nsswitch(traceroute_t)
|
||||
@@ -206,11 +236,17 @@ auth_use_nsswitch(traceroute_t)
|
||||
|
||||
logging_send_syslog_msg(traceroute_t)
|
||||
|
||||
|
|
@ -10507,7 +10605,7 @@ index cf04cb5..e8da15e 100644
|
|||
+ unconfined_server_stream_connect(domain)
|
||||
+')
|
||||
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
|
||||
index b876c48..a351aff 100644
|
||||
index b876c48..03f9342 100644
|
||||
--- a/policy/modules/kernel/files.fc
|
||||
+++ b/policy/modules/kernel/files.fc
|
||||
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
|
||||
|
|
@ -10717,7 +10815,7 @@ index b876c48..a351aff 100644
|
|||
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
|
||||
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
|
||||
')
|
||||
@@ -229,19 +243,34 @@ ifndef(`distro_redhat',`
|
||||
@@ -229,19 +243,33 @@ ifndef(`distro_redhat',`
|
||||
#
|
||||
# /var
|
||||
#
|
||||
|
|
@ -10726,8 +10824,8 @@ index b876c48..a351aff 100644
|
|||
/var/.* gen_context(system_u:object_r:var_t,s0)
|
||||
/var/\.journal <<none>>
|
||||
|
||||
-/var/db/.*\.db -- gen_context(system_u:object_r:etc_t,s0)
|
||||
+/var/db(/.*)? gen_context(system_u:object_r:system_db_t,s0)
|
||||
/var/db/.*\.db -- gen_context(system_u:object_r:etc_t,s0)
|
||||
|
||||
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
|
||||
|
||||
|
|
@ -10754,7 +10852,7 @@ index b876c48..a351aff 100644
|
|||
|
||||
/var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
|
||||
/var/log/lost\+found/.* <<none>>
|
||||
@@ -256,12 +285,14 @@ ifndef(`distro_redhat',`
|
||||
@@ -256,12 +284,14 @@ ifndef(`distro_redhat',`
|
||||
/var/run -l gen_context(system_u:object_r:var_run_t,s0)
|
||||
/var/run/.* gen_context(system_u:object_r:var_run_t,s0)
|
||||
/var/run/.*\.*pid <<none>>
|
||||
|
|
@ -10769,7 +10867,7 @@ index b876c48..a351aff 100644
|
|||
/var/tmp/.* <<none>>
|
||||
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
|
||||
/var/tmp/lost\+found/.* <<none>>
|
||||
@@ -271,3 +302,5 @@ ifdef(`distro_debian',`
|
||||
@@ -271,3 +301,5 @@ ifdef(`distro_debian',`
|
||||
/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
|
||||
/var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)
|
||||
')
|
||||
|
|
@ -31758,7 +31856,7 @@ index e4376aa..2c98c56 100644
|
|||
+ allow $1 getty_unit_file_t:service start;
|
||||
+')
|
||||
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
|
||||
index f6743ea..77a3b65 100644
|
||||
index f6743ea..22425f5 100644
|
||||
--- a/policy/modules/system/getty.te
|
||||
+++ b/policy/modules/system/getty.te
|
||||
@@ -27,6 +27,17 @@ files_tmp_file(getty_tmp_t)
|
||||
|
|
@ -31779,7 +31877,15 @@ index f6743ea..77a3b65 100644
|
|||
########################################
|
||||
#
|
||||
# Getty local policy
|
||||
@@ -83,8 +94,11 @@ term_use_unallocated_ttys(getty_t)
|
||||
@@ -56,6 +67,7 @@ manage_files_pattern(getty_t, getty_var_run_t, getty_var_run_t)
|
||||
files_pid_filetrans(getty_t, getty_var_run_t, file)
|
||||
|
||||
kernel_read_system_state(getty_t)
|
||||
+kernel_read_network_state(getty_t)
|
||||
|
||||
# these two needed for receiving faxes
|
||||
corecmd_exec_bin(getty_t)
|
||||
@@ -83,8 +95,11 @@ term_use_unallocated_ttys(getty_t)
|
||||
term_setattr_all_ttys(getty_t)
|
||||
term_setattr_unallocated_ttys(getty_t)
|
||||
term_setattr_console(getty_t)
|
||||
|
|
@ -31791,7 +31897,7 @@ index f6743ea..77a3b65 100644
|
|||
|
||||
init_rw_utmp(getty_t)
|
||||
init_use_script_ptys(getty_t)
|
||||
@@ -94,7 +108,6 @@ locallogin_domtrans(getty_t)
|
||||
@@ -94,7 +109,6 @@ locallogin_domtrans(getty_t)
|
||||
|
||||
logging_send_syslog_msg(getty_t)
|
||||
|
||||
|
|
@ -31799,7 +31905,7 @@ index f6743ea..77a3b65 100644
|
|||
|
||||
ifdef(`distro_gentoo',`
|
||||
# Gentoo default /etc/issue makes agetty
|
||||
@@ -113,7 +126,7 @@ ifdef(`distro_ubuntu',`
|
||||
@@ -113,7 +127,7 @@ ifdef(`distro_ubuntu',`
|
||||
')
|
||||
')
|
||||
|
||||
|
|
@ -31808,7 +31914,7 @@ index f6743ea..77a3b65 100644
|
|||
# Support logging in from /dev/console
|
||||
term_use_console(getty_t)
|
||||
',`
|
||||
@@ -121,11 +134,19 @@ tunable_policy(`console_login',`
|
||||
@@ -121,11 +135,19 @@ tunable_policy(`console_login',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -35677,7 +35783,7 @@ index c42fbc3..277fe6c 100644
|
|||
## <summary>
|
||||
## Set the attributes of iptables config files.
|
||||
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
|
||||
index be8ed1e..e93440e 100644
|
||||
index be8ed1e..3c2729f 100644
|
||||
--- a/policy/modules/system/iptables.te
|
||||
+++ b/policy/modules/system/iptables.te
|
||||
@@ -16,15 +16,18 @@ role iptables_roles types iptables_t;
|
||||
|
|
@ -35702,8 +35808,11 @@ index be8ed1e..e93440e 100644
|
|||
########################################
|
||||
#
|
||||
# Iptables local policy
|
||||
@@ -37,23 +40,29 @@ allow iptables_t self:process { sigchld sigkill sigstop signull signal };
|
||||
@@ -35,25 +38,32 @@ dontaudit iptables_t self:capability sys_tty_config;
|
||||
allow iptables_t self:fifo_file rw_fifo_file_perms;
|
||||
allow iptables_t self:process { sigchld sigkill sigstop signull signal };
|
||||
allow iptables_t self:netlink_socket create_socket_perms;
|
||||
+allow iptables_t self:netlink_netfilter_socket create_socket_perms;
|
||||
allow iptables_t self:rawip_socket create_socket_perms;
|
||||
|
||||
-manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
|
||||
|
|
@ -35735,7 +35844,7 @@ index be8ed1e..e93440e 100644
|
|||
kernel_use_fds(iptables_t)
|
||||
|
||||
# needed by ipvsadm
|
||||
@@ -64,6 +73,8 @@ corenet_relabelto_all_packets(iptables_t)
|
||||
@@ -64,6 +74,8 @@ corenet_relabelto_all_packets(iptables_t)
|
||||
corenet_dontaudit_rw_tun_tap_dev(iptables_t)
|
||||
|
||||
dev_read_sysfs(iptables_t)
|
||||
|
|
@ -35744,7 +35853,7 @@ index be8ed1e..e93440e 100644
|
|||
|
||||
fs_getattr_xattr_fs(iptables_t)
|
||||
fs_search_auto_mountpoints(iptables_t)
|
||||
@@ -72,11 +83,12 @@ fs_list_inotifyfs(iptables_t)
|
||||
@@ -72,11 +84,12 @@ fs_list_inotifyfs(iptables_t)
|
||||
mls_file_read_all_levels(iptables_t)
|
||||
|
||||
term_dontaudit_use_console(iptables_t)
|
||||
|
|
@ -35759,7 +35868,7 @@ index be8ed1e..e93440e 100644
|
|||
|
||||
auth_use_nsswitch(iptables_t)
|
||||
|
||||
@@ -85,15 +97,14 @@ init_use_script_ptys(iptables_t)
|
||||
@@ -85,15 +98,14 @@ init_use_script_ptys(iptables_t)
|
||||
# to allow rules to be saved on reboot:
|
||||
init_rw_script_tmp_files(iptables_t)
|
||||
init_rw_script_stream_sockets(iptables_t)
|
||||
|
|
@ -35777,7 +35886,7 @@ index be8ed1e..e93440e 100644
|
|||
userdom_use_all_users_fds(iptables_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
@@ -102,6 +113,9 @@ ifdef(`hide_broken_symptoms',`
|
||||
@@ -102,6 +114,9 @@ ifdef(`hide_broken_symptoms',`
|
||||
|
||||
optional_policy(`
|
||||
fail2ban_append_log(iptables_t)
|
||||
|
|
@ -35787,7 +35896,7 @@ index be8ed1e..e93440e 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -110,6 +124,11 @@ optional_policy(`
|
||||
@@ -110,6 +125,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -35799,7 +35908,7 @@ index be8ed1e..e93440e 100644
|
|||
modutils_run_insmod(iptables_t, iptables_roles)
|
||||
')
|
||||
|
||||
@@ -124,6 +143,16 @@ optional_policy(`
|
||||
@@ -124,6 +144,16 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
psad_rw_tmp_files(iptables_t)
|
||||
|
|
@ -35816,7 +35925,7 @@ index be8ed1e..e93440e 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -135,9 +164,9 @@ optional_policy(`
|
||||
@@ -135,9 +165,9 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -40225,7 +40334,7 @@ index b263a8a..15576ab 100644
|
|||
+/usr/sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
|
||||
+/usr/sbin/netlabel-config -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
|
||||
diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te
|
||||
index cbbda4a..b569d5f 100644
|
||||
index cbbda4a..d7c67bc 100644
|
||||
--- a/policy/modules/system/netlabel.te
|
||||
+++ b/policy/modules/system/netlabel.te
|
||||
@@ -7,9 +7,13 @@ policy_module(netlabel, 1.3.0)
|
||||
|
|
@ -40242,12 +40351,14 @@ index cbbda4a..b569d5f 100644
|
|||
########################################
|
||||
#
|
||||
# NetLabel Management Tools Local policy
|
||||
@@ -19,10 +23,21 @@ role system_r types netlabel_mgmt_t;
|
||||
@@ -18,11 +22,23 @@ role system_r types netlabel_mgmt_t;
|
||||
# modify the network subsystem configuration
|
||||
allow netlabel_mgmt_t self:capability net_admin;
|
||||
allow netlabel_mgmt_t self:netlink_socket create_socket_perms;
|
||||
|
||||
+can_exec(netlabel_mgmt_t, netlabel_mgmt_t)
|
||||
+allow netlabel_mgmt_t self:netlink_generic_socket create_socket_perms;
|
||||
+
|
||||
+can_exec(netlabel_mgmt_t, netlabel_mgmt_t)
|
||||
|
||||
kernel_read_network_state(netlabel_mgmt_t)
|
||||
+kernel_read_system_state(netlabel_mgmt_t)
|
||||
+
|
||||
|
|
@ -42585,7 +42696,7 @@ index 2cea692..57c9025 100644
|
|||
+ files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns")
|
||||
+')
|
||||
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
|
||||
index a392fc4..bf8b888 100644
|
||||
index a392fc4..30cf590 100644
|
||||
--- a/policy/modules/system/sysnetwork.te
|
||||
+++ b/policy/modules/system/sysnetwork.te
|
||||
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4)
|
||||
|
|
@ -42814,7 +42925,7 @@ index a392fc4..bf8b888 100644
|
|||
vmware_append_log(dhcpc_t)
|
||||
')
|
||||
|
||||
@@ -264,12 +308,24 @@ allow ifconfig_t self:msgq create_msgq_perms;
|
||||
@@ -264,12 +308,25 @@ allow ifconfig_t self:msgq create_msgq_perms;
|
||||
allow ifconfig_t self:msg { send receive };
|
||||
# Create UDP sockets, necessary when called from dhcpc
|
||||
allow ifconfig_t self:udp_socket create_socket_perms;
|
||||
|
|
@ -42822,6 +42933,7 @@ index a392fc4..bf8b888 100644
|
|||
# for /sbin/ip
|
||||
allow ifconfig_t self:packet_socket create_socket_perms;
|
||||
+allow ifconfig_t self:netlink_socket create_socket_perms;
|
||||
+allow ifconfig_t self:netlink_generic_socket create_socket_perms;
|
||||
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
|
||||
+allow ifconfig_t self:tun_socket { relabelfrom relabelto create_socket_perms };
|
||||
|
|
@ -42839,7 +42951,7 @@ index a392fc4..bf8b888 100644
|
|||
kernel_use_fds(ifconfig_t)
|
||||
kernel_read_system_state(ifconfig_t)
|
||||
kernel_read_network_state(ifconfig_t)
|
||||
@@ -279,14 +335,32 @@ kernel_rw_net_sysctls(ifconfig_t)
|
||||
@@ -279,14 +336,32 @@ kernel_rw_net_sysctls(ifconfig_t)
|
||||
|
||||
corenet_rw_tun_tap_dev(ifconfig_t)
|
||||
|
||||
|
|
@ -42872,7 +42984,7 @@ index a392fc4..bf8b888 100644
|
|||
|
||||
fs_getattr_xattr_fs(ifconfig_t)
|
||||
fs_search_auto_mountpoints(ifconfig_t)
|
||||
@@ -299,33 +373,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
|
||||
@@ -299,33 +374,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
|
||||
term_dontaudit_use_ptmx(ifconfig_t)
|
||||
term_dontaudit_use_generic_ptys(ifconfig_t)
|
||||
|
||||
|
|
@ -42930,7 +43042,7 @@ index a392fc4..bf8b888 100644
|
|||
optional_policy(`
|
||||
dev_dontaudit_rw_cardmgr(ifconfig_t)
|
||||
')
|
||||
@@ -336,7 +428,11 @@ ifdef(`hide_broken_symptoms',`
|
||||
@@ -336,7 +429,11 @@ ifdef(`hide_broken_symptoms',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -42943,7 +43055,7 @@ index a392fc4..bf8b888 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -350,7 +446,16 @@ optional_policy(`
|
||||
@@ -350,7 +447,16 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -42961,7 +43073,7 @@ index a392fc4..bf8b888 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -371,3 +476,13 @@ optional_policy(`
|
||||
@@ -371,3 +477,13 @@ optional_policy(`
|
||||
xen_append_log(ifconfig_t)
|
||||
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
|
||||
')
|
||||
|
|
@ -45562,7 +45674,7 @@ index 9a1650d..d7e8a01 100644
|
|||
|
||||
########################################
|
||||
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
|
||||
index 39f185f..703b804 100644
|
||||
index 39f185f..125f7fe 100644
|
||||
--- a/policy/modules/system/udev.te
|
||||
+++ b/policy/modules/system/udev.te
|
||||
@@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t)
|
||||
|
|
@ -45600,15 +45712,17 @@ index 39f185f..703b804 100644
|
|||
allow udev_t self:process { execmem setfscreate };
|
||||
allow udev_t self:fd use;
|
||||
allow udev_t self:fifo_file rw_fifo_file_perms;
|
||||
@@ -54,6 +55,7 @@ allow udev_t self:unix_dgram_socket sendto;
|
||||
@@ -53,7 +54,9 @@ allow udev_t self:unix_stream_socket { listen accept };
|
||||
allow udev_t self:unix_dgram_socket sendto;
|
||||
allow udev_t self:unix_stream_socket connectto;
|
||||
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
+allow udev_t self:netlink_generic_socket create_socket_perms;
|
||||
allow udev_t self:rawip_socket create_socket_perms;
|
||||
+allow udev_t self:netlink_socket create_socket_perms;
|
||||
|
||||
allow udev_t udev_exec_t:file write;
|
||||
can_exec(udev_t, udev_exec_t)
|
||||
@@ -64,31 +66,39 @@ can_exec(udev_t, udev_helper_exec_t)
|
||||
@@ -64,31 +67,39 @@ can_exec(udev_t, udev_helper_exec_t)
|
||||
# read udev config
|
||||
allow udev_t udev_etc_t:file read_file_perms;
|
||||
|
||||
|
|
@ -45655,7 +45769,7 @@ index 39f185f..703b804 100644
|
|||
|
||||
#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
|
||||
kernel_rw_net_sysctls(udev_t)
|
||||
@@ -99,6 +109,7 @@ corecmd_exec_all_executables(udev_t)
|
||||
@@ -99,6 +110,7 @@ corecmd_exec_all_executables(udev_t)
|
||||
|
||||
dev_rw_sysfs(udev_t)
|
||||
dev_manage_all_dev_nodes(udev_t)
|
||||
|
|
@ -45663,7 +45777,7 @@ index 39f185f..703b804 100644
|
|||
dev_rw_generic_files(udev_t)
|
||||
dev_delete_generic_files(udev_t)
|
||||
dev_search_usbfs(udev_t)
|
||||
@@ -107,23 +118,31 @@ dev_relabel_all_dev_nodes(udev_t)
|
||||
@@ -107,23 +119,31 @@ dev_relabel_all_dev_nodes(udev_t)
|
||||
# preserved, instead of short circuiting the relabel
|
||||
dev_relabel_generic_symlinks(udev_t)
|
||||
dev_manage_generic_symlinks(udev_t)
|
||||
|
|
@ -45699,7 +45813,7 @@ index 39f185f..703b804 100644
|
|||
|
||||
mls_file_read_all_levels(udev_t)
|
||||
mls_file_write_all_levels(udev_t)
|
||||
@@ -145,17 +164,20 @@ auth_use_nsswitch(udev_t)
|
||||
@@ -145,17 +165,20 @@ auth_use_nsswitch(udev_t)
|
||||
init_read_utmp(udev_t)
|
||||
init_dontaudit_write_utmp(udev_t)
|
||||
init_getattr_initctl(udev_t)
|
||||
|
|
@ -45721,7 +45835,7 @@ index 39f185f..703b804 100644
|
|||
|
||||
seutil_read_config(udev_t)
|
||||
seutil_read_default_contexts(udev_t)
|
||||
@@ -169,9 +191,13 @@ sysnet_read_dhcpc_pid(udev_t)
|
||||
@@ -169,9 +192,13 @@ sysnet_read_dhcpc_pid(udev_t)
|
||||
sysnet_delete_dhcpc_pid(udev_t)
|
||||
sysnet_signal_dhcpc(udev_t)
|
||||
sysnet_manage_config(udev_t)
|
||||
|
|
@ -45736,7 +45850,7 @@ index 39f185f..703b804 100644
|
|||
|
||||
ifdef(`distro_debian',`
|
||||
files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug")
|
||||
@@ -195,16 +221,9 @@ ifdef(`distro_gentoo',`
|
||||
@@ -195,16 +222,9 @@ ifdef(`distro_gentoo',`
|
||||
')
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
|
|
@ -45755,7 +45869,7 @@ index 39f185f..703b804 100644
|
|||
|
||||
# for arping used for static IP addresses on PCMCIA ethernet
|
||||
netutils_domtrans(udev_t)
|
||||
@@ -242,6 +261,7 @@ optional_policy(`
|
||||
@@ -242,6 +262,7 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
cups_domtrans_config(udev_t)
|
||||
|
|
@ -45763,7 +45877,7 @@ index 39f185f..703b804 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -249,17 +269,31 @@ optional_policy(`
|
||||
@@ -249,17 +270,31 @@ optional_policy(`
|
||||
dbus_use_system_bus_fds(udev_t)
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -45797,7 +45911,7 @@ index 39f185f..703b804 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -289,6 +323,10 @@ optional_policy(`
|
||||
@@ -289,6 +324,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -45808,7 +45922,7 @@ index 39f185f..703b804 100644
|
|||
openct_read_pid_files(udev_t)
|
||||
openct_domtrans(udev_t)
|
||||
')
|
||||
@@ -303,6 +341,15 @@ optional_policy(`
|
||||
@@ -303,6 +342,15 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -45824,7 +45938,7 @@ index 39f185f..703b804 100644
|
|||
unconfined_signal(udev_t)
|
||||
')
|
||||
|
||||
@@ -315,6 +362,7 @@ optional_policy(`
|
||||
@@ -315,6 +363,7 @@ optional_policy(`
|
||||
kernel_read_xen_state(udev_t)
|
||||
xen_manage_log(udev_t)
|
||||
xen_read_image_files(udev_t)
|
||||
|
|
@ -52190,7 +52304,7 @@ index e79d545..101086d 100644
|
|||
')
|
||||
|
||||
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
|
||||
index 6e91317..8fc985f 100644
|
||||
index 6e91317..b80ffcb 100644
|
||||
--- a/policy/support/obj_perm_sets.spt
|
||||
+++ b/policy/support/obj_perm_sets.spt
|
||||
@@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
|
||||
|
|
@ -52199,7 +52313,7 @@ index 6e91317..8fc985f 100644
|
|||
#
|
||||
-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
|
||||
-
|
||||
+define(`socket_class_set', `{ socket dccp_socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
|
||||
+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket }')
|
||||
|
||||
#
|
||||
# Datagram socket classes.
|
||||
|
|
|
|||
|
|
@ -3394,10 +3394,10 @@ index 0000000..6183b21
|
|||
+ spamassassin_read_pid_files(antivirus_domain)
|
||||
+')
|
||||
diff --git a/apache.fc b/apache.fc
|
||||
index 7caefc3..239cefa 100644
|
||||
index 7caefc3..77e26bf 100644
|
||||
--- a/apache.fc
|
||||
+++ b/apache.fc
|
||||
@@ -1,162 +1,211 @@
|
||||
@@ -1,162 +1,210 @@
|
||||
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
|
||||
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
|
||||
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
|
||||
|
|
@ -3456,25 +3456,22 @@ index 7caefc3..239cefa 100644
|
|||
+/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
||||
+/usr/lib/systemd/system/httpd.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
|
||||
+/usr/lib/systemd/system/thttpd.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
|
||||
+/usr/lib/systemd/system/jetty.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
|
||||
+/usr/lib/systemd/system/php-fpm.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
|
||||
+/usr/lib/systemd/system/nginx.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
|
||||
|
||||
-/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
-/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
+/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
|
||||
+/usr/lib/systemd/system/php-fpm.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
|
||||
+/usr/lib/systemd/system/nginx.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
|
||||
|
||||
-/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
||||
+/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
|
||||
|
||||
-/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
|
||||
-/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
+/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
+/srv/([^/]*/)?www/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||||
+/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
+/srv/gallery2/smarty(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||||
|
||||
-/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
|
||||
-/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
+/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
|
||||
+/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
|
||||
-/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
-/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
||||
-/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
||||
|
|
@ -3485,7 +3482,9 @@ index 7caefc3..239cefa 100644
|
|||
-/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
||||
-/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
||||
-/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
||||
+/usr/share/jetty/bin/jetty.sh -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
+/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
|
||||
+/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
+
|
||||
+/usr/share/joomla(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||||
|
||||
-/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
|
||||
|
|
@ -9937,7 +9936,7 @@ index 16ec525..1dd4059 100644
|
|||
|
||||
########################################
|
||||
diff --git a/blueman.te b/blueman.te
|
||||
index 3a5032e..7987a21 100644
|
||||
index 3a5032e..3facb71 100644
|
||||
--- a/blueman.te
|
||||
+++ b/blueman.te
|
||||
@@ -7,7 +7,7 @@ policy_module(blueman, 1.1.0)
|
||||
|
|
@ -9949,7 +9948,16 @@ index 3a5032e..7987a21 100644
|
|||
|
||||
type blueman_var_lib_t;
|
||||
files_type(blueman_var_lib_t)
|
||||
@@ -21,7 +21,8 @@ files_pid_file(blueman_var_run_t)
|
||||
@@ -15,13 +15,17 @@ files_type(blueman_var_lib_t)
|
||||
type blueman_var_run_t;
|
||||
files_pid_file(blueman_var_run_t)
|
||||
|
||||
+type blueman_tmp_t;
|
||||
+files_tmp_file(blueman_tmp_t)
|
||||
+
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow blueman_t self:capability { net_admin sys_nice };
|
||||
|
|
@ -9959,16 +9967,21 @@ index 3a5032e..7987a21 100644
|
|||
allow blueman_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
|
||||
@@ -32,7 +33,7 @@ manage_dirs_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
|
||||
@@ -32,7 +36,12 @@ manage_dirs_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
|
||||
manage_files_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
|
||||
files_pid_filetrans(blueman_t, blueman_var_run_t, { dir file })
|
||||
|
||||
-kernel_read_net_sysctls(blueman_t)
|
||||
+manage_dirs_pattern(blueman_t, blueman_tmp_t, blueman_tmp_t)
|
||||
+manage_files_pattern(blueman_t, blueman_tmp_t, blueman_tmp_t)
|
||||
+exec_files_pattern(blueman_t, blueman_tmp_t, blueman_tmp_t)
|
||||
+files_tmp_filetrans(blueman_t, blueman_tmp_t, { file dir })
|
||||
+
|
||||
+kernel_rw_net_sysctls(blueman_t)
|
||||
kernel_read_system_state(blueman_t)
|
||||
kernel_request_load_module(blueman_t)
|
||||
|
||||
@@ -41,29 +42,45 @@ corecmd_exec_bin(blueman_t)
|
||||
@@ -41,29 +50,45 @@ corecmd_exec_bin(blueman_t)
|
||||
dev_read_rand(blueman_t)
|
||||
dev_read_urand(blueman_t)
|
||||
dev_rw_wireless(blueman_t)
|
||||
|
|
@ -25517,10 +25530,10 @@ index 0000000..d22ed69
|
|||
+')
|
||||
diff --git a/dnssec.te b/dnssec.te
|
||||
new file mode 100644
|
||||
index 0000000..225fcfd
|
||||
index 0000000..bfa9ff5
|
||||
--- /dev/null
|
||||
+++ b/dnssec.te
|
||||
@@ -0,0 +1,82 @@
|
||||
@@ -0,0 +1,86 @@
|
||||
+policy_module(dnssec, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
|
|
@ -25545,7 +25558,7 @@ index 0000000..225fcfd
|
|||
+#
|
||||
+# dnssec_trigger local policy
|
||||
+#
|
||||
+allow dnssec_trigger_t self:capability { net_admin linux_immutable };
|
||||
+allow dnssec_trigger_t self:capability { net_admin linux_immutable sys_ptrace };
|
||||
+allow dnssec_trigger_t self:process signal;
|
||||
+allow dnssec_trigger_t self:fifo_file rw_fifo_file_perms;
|
||||
+allow dnssec_trigger_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
|
@ -25565,6 +25578,7 @@ index 0000000..225fcfd
|
|||
+
|
||||
+corecmd_exec_bin(dnssec_trigger_t)
|
||||
+corecmd_exec_shell(dnssec_trigger_t)
|
||||
+corecmd_read_all_executables(dnssec_trigger_t)
|
||||
+
|
||||
+corenet_tcp_bind_generic_node(dnssec_trigger_t)
|
||||
+corenet_tcp_bind_dnssec_port(dnssec_trigger_t)
|
||||
|
|
@ -25574,6 +25588,7 @@ index 0000000..225fcfd
|
|||
+dev_read_urand(dnssec_trigger_t)
|
||||
+
|
||||
+domain_use_interactive_fds(dnssec_trigger_t)
|
||||
+domain_read_all_domains_state(dnssec_trigger_t)
|
||||
+
|
||||
+files_read_etc_runtime_files(dnssec_trigger_t)
|
||||
+files_dontaudit_list_tmp(dnssec_trigger_t)
|
||||
|
|
@ -25585,6 +25600,8 @@ index 0000000..225fcfd
|
|||
+sysnet_dns_name_resolve(dnssec_trigger_t)
|
||||
+sysnet_manage_config(dnssec_trigger_t)
|
||||
+sysnet_filetrans_named_content(dnssec_trigger_t)
|
||||
+sysnet_relabelfrom_net_conf(dnssec_trigger_t)
|
||||
+sysnet_relabelto_net_conf(dnssec_trigger_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ dbus_system_bus_client(dnssec_trigger_t)
|
||||
|
|
@ -38655,27 +38672,68 @@ index a7ae153..6341e31 100644
|
|||
libs_legacy_use_shared_libs(java_domain)
|
||||
diff --git a/jetty.fc b/jetty.fc
|
||||
new file mode 100644
|
||||
index 0000000..1725b7e
|
||||
index 0000000..c7c4fba
|
||||
--- /dev/null
|
||||
+++ b/jetty.fc
|
||||
@@ -0,0 +1,9 @@
|
||||
@@ -0,0 +1,12 @@
|
||||
+
|
||||
+/var/cache/jetty(/.*)? gen_context(system_u:object_r:jetty_cache_t,s0)
|
||||
+/usr/lib/systemd/system/jetty\.service -- gen_context(system_u:object_r:jetty_unit_file_t,s0)
|
||||
+
|
||||
+/var/lib/jetty(/.*)? gen_context(system_u:object_r:jetty_var_lib_t,s0)
|
||||
+/usr/share/jetty/bin/jetty\.sh -- gen_context(system_u:object_r:jetty_exec_t,s0)
|
||||
+
|
||||
+/var/log/jetty(/.*)? gen_context(system_u:object_r:jetty_log_t,s0)
|
||||
+/var/cache/jetty(/.*)? gen_context(system_u:object_r:jetty_cache_t,s0)
|
||||
+
|
||||
+/var/run/jetty(/.*)? gen_context(system_u:object_r:jetty_var_run_t,s0)
|
||||
+/var/lib/jetty(/.*)? gen_context(system_u:object_r:jetty_var_lib_t,s0)
|
||||
+
|
||||
+/var/log/jetty(/.*)? gen_context(system_u:object_r:jetty_log_t,s0)
|
||||
+
|
||||
+/var/run/jetty(/.*)? gen_context(system_u:object_r:jetty_var_run_t,s0)
|
||||
diff --git a/jetty.if b/jetty.if
|
||||
new file mode 100644
|
||||
index 0000000..2abc285
|
||||
index 0000000..6679a02
|
||||
--- /dev/null
|
||||
+++ b/jetty.if
|
||||
@@ -0,0 +1,268 @@
|
||||
@@ -0,0 +1,415 @@
|
||||
+
|
||||
+## <summary>policy for jetty</summary>
|
||||
+## <summary>Jetty - HTTP server and Servlet container</summary>
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute jetty_exec_t in the jetty domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed to transition.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`jetty_domtrans',`
|
||||
+ gen_require(`
|
||||
+ type jetty_t, jetty_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ corecmd_search_bin($1)
|
||||
+ domtrans_pattern($1, jetty_exec_t, jetty_t)
|
||||
+')
|
||||
+
|
||||
+######################################
|
||||
+## <summary>
|
||||
+## Execute jetty in the caller domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`jetty_exec',`
|
||||
+ gen_require(`
|
||||
+ type jetty_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ corecmd_search_bin($1)
|
||||
+ can_exec($1, jetty_exec_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
|
|
@ -38816,6 +38874,65 @@ index 0000000..2abc285
|
|||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Do not audit attempts to read,
|
||||
+## jetty tmp files
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain to not audit.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`jetty_dontaudit_read_tmp_files',`
|
||||
+ gen_require(`
|
||||
+ type jetty_tmp_t;
|
||||
+ ')
|
||||
+
|
||||
+ dontaudit $1 jetty_tmp_t:file read_file_perms;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read jetty tmp files
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`jetty_read_tmp_files',`
|
||||
+ gen_require(`
|
||||
+ type jetty_tmp_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_tmp($1)
|
||||
+ read_files_pattern($1, jetty_tmp_t, jetty_tmp_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Manage jetty tmp files
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`jetty_manage_tmp',`
|
||||
+ gen_require(`
|
||||
+ type jetty_tmp_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_tmp($1)
|
||||
+ manage_dirs_pattern($1, jetty_tmp_t, jetty_tmp_t)
|
||||
+ manage_files_pattern($1, jetty_tmp_t, jetty_tmp_t)
|
||||
+ manage_lnk_files_pattern($1, jetty_tmp_t, jetty_tmp_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Search jetty lib directories.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
|
|
@ -38906,7 +39023,31 @@ index 0000000..2abc285
|
|||
+ ')
|
||||
+
|
||||
+ files_search_pids($1)
|
||||
+ allow $1 jetty_var_run_t:file read_file_perms;
|
||||
+ read_files_pattern($1, jetty_var_run_t, jetty_var_run_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute jetty server in the jetty domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed to transition.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`jetty_systemctl',`
|
||||
+ gen_require(`
|
||||
+ type jetty_t;
|
||||
+ type jetty_unit_file_t;
|
||||
+ ')
|
||||
+
|
||||
+ systemd_exec_systemctl($1)
|
||||
+ systemd_read_fifo_file_passwd_run($1)
|
||||
+ allow $1 jetty_unit_file_t:file read_file_perms;
|
||||
+ allow $1 jetty_unit_file_t:service manage_service_perms;
|
||||
+
|
||||
+ ps_process_pattern($1, jetty_t)
|
||||
+')
|
||||
+
|
||||
+
|
||||
|
|
@ -38920,34 +39061,60 @@ index 0000000..2abc285
|
|||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="role">
|
||||
+## <summary>
|
||||
+## Role allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`jetty_admin',`
|
||||
+ gen_require(`
|
||||
+ type jetty_t;
|
||||
+ type jetty_cache_t;
|
||||
+ type jetty_log_t;
|
||||
+ type jetty_tmp_t;
|
||||
+ type jetty_var_lib_t;
|
||||
+ type jetty_var_run_t;
|
||||
+ type jetty_unit_file_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 jetty_t:process { signal_perms };
|
||||
+ ps_process_pattern($1, jetty_t)
|
||||
+
|
||||
+ tunable_policy(`deny_ptrace',`',`
|
||||
+ allow $1 jetty_t:process ptrace;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_var($1)
|
||||
+ admin_pattern($1, jetty_cache_t)
|
||||
+
|
||||
+ logging_search_logs($1)
|
||||
+ admin_pattern($1, jetty_log_t)
|
||||
+
|
||||
+ files_search_tmp($1)
|
||||
+ admin_pattern($1, jetty_tmp_t)
|
||||
+
|
||||
+ files_search_var_lib($1)
|
||||
+ admin_pattern($1, jetty_var_lib_t)
|
||||
+
|
||||
+ files_search_pids($1)
|
||||
+ admin_pattern($1, jetty_var_run_t)
|
||||
+
|
||||
+ jetty_systemctl($1)
|
||||
+ admin_pattern($1, jetty_unit_file_t)
|
||||
+ allow $1 jetty_unit_file_t:service all_service_perms;
|
||||
+ optional_policy(`
|
||||
+ systemd_passwd_agent_exec($1)
|
||||
+ systemd_read_fifo_file_passwd_run($1)
|
||||
+ ')
|
||||
+')
|
||||
diff --git a/jetty.te b/jetty.te
|
||||
new file mode 100644
|
||||
index 0000000..af510ea
|
||||
index 0000000..71325e5
|
||||
--- /dev/null
|
||||
+++ b/jetty.te
|
||||
@@ -0,0 +1,25 @@
|
||||
@@ -0,0 +1,78 @@
|
||||
+policy_module(jetty, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
|
|
@ -38955,24 +39122,77 @@ index 0000000..af510ea
|
|||
+# Declarations
|
||||
+#
|
||||
+
|
||||
+type jetty_t;
|
||||
+type jetty_exec_t;
|
||||
+init_daemon_domain(jetty_t, jetty_exec_t)
|
||||
+
|
||||
+type jetty_cache_t;
|
||||
+files_type(jetty_cache_t)
|
||||
+
|
||||
+type jetty_log_t;
|
||||
+logging_log_file(jetty_log_t)
|
||||
+
|
||||
+type jetty_tmp_t;
|
||||
+files_tmp_file(jetty_tmp_t)
|
||||
+
|
||||
+type jetty_var_lib_t;
|
||||
+files_type(jetty_var_lib_t)
|
||||
+
|
||||
+type jetty_var_run_t;
|
||||
+files_pid_file(jetty_var_run_t)
|
||||
+
|
||||
+type jetty_unit_file_t;
|
||||
+systemd_unit_file(jetty_unit_file_t)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# jetty local policy
|
||||
+#
|
||||
+
|
||||
+# No local policy. This module just contains type definitions
|
||||
+allow jetty_t self:process execmem;
|
||||
+allow jetty_t self:process { signal signull };
|
||||
+
|
||||
+allow jetty_t self:fifo_file rw_fifo_file_perms;
|
||||
+allow jetty_t self:tcp_socket { accept listen };
|
||||
+
|
||||
+manage_dirs_pattern(jetty_t, jetty_cache_t, jetty_cache_t)
|
||||
+manage_files_pattern(jetty_t, jetty_cache_t, jetty_cache_t)
|
||||
+files_var_filetrans(jetty_t, jetty_cache_t, dir)
|
||||
+
|
||||
+manage_dirs_pattern(jetty_t, jetty_log_t, jetty_log_t)
|
||||
+manage_files_pattern(jetty_t, jetty_log_t, jetty_log_t)
|
||||
+logging_log_filetrans(jetty_t, jetty_log_t, dir)
|
||||
+
|
||||
+manage_dirs_pattern(jetty_t, jetty_tmp_t, jetty_tmp_t)
|
||||
+manage_files_pattern(jetty_t, jetty_tmp_t, jetty_tmp_t)
|
||||
+files_tmp_filetrans(jetty_t, jetty_tmp_t, { dir file })
|
||||
+
|
||||
+manage_dirs_pattern(jetty_t, jetty_var_lib_t, jetty_var_lib_t)
|
||||
+manage_files_pattern(jetty_t, jetty_var_lib_t, jetty_var_lib_t)
|
||||
+files_var_lib_filetrans(jetty_t, jetty_var_lib_t, dir)
|
||||
+
|
||||
+manage_dirs_pattern(jetty_t, jetty_var_run_t, jetty_var_run_t)
|
||||
+manage_files_pattern(jetty_t, jetty_var_run_t, jetty_var_run_t)
|
||||
+files_pid_filetrans(jetty_t, jetty_var_run_t, dir)
|
||||
+
|
||||
+kernel_read_system_state(jetty_t)
|
||||
+kernel_read_network_state(jetty_t)
|
||||
+
|
||||
+corecmd_exec_bin(jetty_t)
|
||||
+corecmd_exec_shell(jetty_t)
|
||||
+
|
||||
+corenet_tcp_bind_http_cache_port(jetty_t)
|
||||
+
|
||||
+dev_read_rand(jetty_t)
|
||||
+dev_read_sysfs(jetty_t)
|
||||
+dev_read_urand(jetty_t)
|
||||
+
|
||||
+auth_use_nsswitch(jetty_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ #allow access to /etc/abrt/plugins/java.conf
|
||||
+ abrt_read_config(jetty_t)
|
||||
+')
|
||||
diff --git a/jockey.if b/jockey.if
|
||||
index 2fb7a20..c6ba007 100644
|
||||
--- a/jockey.if
|
||||
|
|
@ -65712,7 +65932,7 @@ index bf59ef7..0e33327 100644
|
|||
+')
|
||||
+
|
||||
diff --git a/passenger.te b/passenger.te
|
||||
index 08ec33b..56fba2e 100644
|
||||
index 08ec33b..3b92c4d 100644
|
||||
--- a/passenger.te
|
||||
+++ b/passenger.te
|
||||
@@ -14,6 +14,9 @@ role system_r types passenger_t;
|
||||
|
|
@ -65786,7 +66006,7 @@ index 08ec33b..56fba2e 100644
|
|||
|
||||
corecmd_exec_bin(passenger_t)
|
||||
corecmd_exec_shell(passenger_t)
|
||||
@@ -68,8 +75,6 @@ dev_read_urand(passenger_t)
|
||||
@@ -68,10 +75,10 @@ dev_read_urand(passenger_t)
|
||||
|
||||
domain_read_all_domains_state(passenger_t)
|
||||
|
||||
|
|
@ -65794,8 +66014,12 @@ index 08ec33b..56fba2e 100644
|
|||
-
|
||||
auth_use_nsswitch(passenger_t)
|
||||
|
||||
+fs_getattr_xattr_fs(passenger_t)
|
||||
+
|
||||
logging_send_syslog_msg(passenger_t)
|
||||
@@ -83,6 +88,7 @@ userdom_dontaudit_use_user_terminals(passenger_t)
|
||||
|
||||
miscfiles_read_localization(passenger_t)
|
||||
@@ -83,6 +90,7 @@ userdom_dontaudit_use_user_terminals(passenger_t)
|
||||
optional_policy(`
|
||||
apache_append_log(passenger_t)
|
||||
apache_read_sys_content(passenger_t)
|
||||
|
|
@ -65803,7 +66027,7 @@ index 08ec33b..56fba2e 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -94,14 +100,21 @@ optional_policy(`
|
||||
@@ -94,14 +102,21 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -66602,15 +66826,14 @@ index 0000000..509d898
|
|||
+ ')
|
||||
+')
|
||||
diff --git a/pegasus.fc b/pegasus.fc
|
||||
index dfd46e4..747aa2a 100644
|
||||
index dfd46e4..d40433a 100644
|
||||
--- a/pegasus.fc
|
||||
+++ b/pegasus.fc
|
||||
@@ -1,15 +1,33 @@
|
||||
@@ -1,15 +1,32 @@
|
||||
-/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
|
||||
+
|
||||
+/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
|
||||
/etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0)
|
||||
+/etc/mdadm\.conf\.anacbak gen_context(system_u:object_r:pegasus_conf_t,s0)
|
||||
|
||||
-/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0)
|
||||
+/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
|
||||
|
|
@ -66749,7 +66972,7 @@ index d2fc677..86dce34 100644
|
|||
')
|
||||
+
|
||||
diff --git a/pegasus.te b/pegasus.te
|
||||
index 608f454..3e3fd3d 100644
|
||||
index 608f454..0aa43fc 100644
|
||||
--- a/pegasus.te
|
||||
+++ b/pegasus.te
|
||||
@@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
|
||||
|
|
@ -66768,7 +66991,7 @@ index 608f454..3e3fd3d 100644
|
|||
type pegasus_cache_t;
|
||||
files_type(pegasus_cache_t)
|
||||
|
||||
@@ -30,20 +29,337 @@ files_type(pegasus_mof_t)
|
||||
@@ -30,20 +29,334 @@ files_type(pegasus_mof_t)
|
||||
type pegasus_var_run_t;
|
||||
files_pid_file(pegasus_var_run_t)
|
||||
|
||||
|
|
@ -67003,9 +67226,6 @@ index 608f454..3e3fd3d 100644
|
|||
+manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, pegasus_openlmi_storage_var_run_t)
|
||||
+files_pid_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, dir, "openlmi-storage")
|
||||
+
|
||||
+manage_files_pattern(pegasus_openlmi_storage_t, pegasus_conf_t, pegasus_conf_t)
|
||||
+files_etc_filetrans(pegasus_openlmi_storage_t, pegasus_conf_t, file, "mdadm.conf.anacbak" )
|
||||
+
|
||||
+kernel_read_all_sysctls(pegasus_openlmi_storage_t)
|
||||
+kernel_read_network_state(pegasus_openlmi_storage_t)
|
||||
+kernel_get_sysvipc_info(pegasus_openlmi_storage_t)
|
||||
|
|
@ -67111,7 +67331,7 @@ index 608f454..3e3fd3d 100644
|
|||
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
|
||||
@@ -54,22 +370,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
|
||||
@@ -54,22 +367,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
|
||||
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
||||
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
||||
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
||||
|
|
@ -67142,7 +67362,7 @@ index 608f454..3e3fd3d 100644
|
|||
|
||||
kernel_read_network_state(pegasus_t)
|
||||
kernel_read_kernel_sysctls(pegasus_t)
|
||||
@@ -80,27 +396,21 @@ kernel_read_net_sysctls(pegasus_t)
|
||||
@@ -80,27 +393,21 @@ kernel_read_net_sysctls(pegasus_t)
|
||||
kernel_read_xen_state(pegasus_t)
|
||||
kernel_write_xen_state(pegasus_t)
|
||||
|
||||
|
|
@ -67175,7 +67395,7 @@ index 608f454..3e3fd3d 100644
|
|||
|
||||
corecmd_exec_bin(pegasus_t)
|
||||
corecmd_exec_shell(pegasus_t)
|
||||
@@ -114,9 +424,11 @@ files_getattr_all_dirs(pegasus_t)
|
||||
@@ -114,9 +421,11 @@ files_getattr_all_dirs(pegasus_t)
|
||||
|
||||
auth_use_nsswitch(pegasus_t)
|
||||
auth_domtrans_chk_passwd(pegasus_t)
|
||||
|
|
@ -67187,7 +67407,7 @@ index 608f454..3e3fd3d 100644
|
|||
|
||||
files_list_var_lib(pegasus_t)
|
||||
files_read_var_lib_files(pegasus_t)
|
||||
@@ -128,18 +440,29 @@ init_stream_connect_script(pegasus_t)
|
||||
@@ -128,18 +437,29 @@ init_stream_connect_script(pegasus_t)
|
||||
logging_send_audit_msgs(pegasus_t)
|
||||
logging_send_syslog_msg(pegasus_t)
|
||||
|
||||
|
|
@ -67223,7 +67443,7 @@ index 608f454..3e3fd3d 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -151,16 +474,24 @@ optional_policy(`
|
||||
@@ -151,16 +471,24 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -67252,7 +67472,7 @@ index 608f454..3e3fd3d 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -168,7 +499,7 @@ optional_policy(`
|
||||
@@ -168,7 +496,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -67261,7 +67481,7 @@ index 608f454..3e3fd3d 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -180,6 +511,7 @@ optional_policy(`
|
||||
@@ -180,6 +508,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -80533,14 +80753,15 @@ index 6d162e4..9027807 100644
|
|||
userdom_dontaudit_search_user_home_dirs(radvd_t)
|
||||
|
||||
diff --git a/raid.fc b/raid.fc
|
||||
index 5806046..8bce88f 100644
|
||||
index 5806046..2a4769f 100644
|
||||
--- a/raid.fc
|
||||
+++ b/raid.fc
|
||||
@@ -3,6 +3,11 @@
|
||||
@@ -3,6 +3,12 @@
|
||||
|
||||
/etc/rc\.d/init\.d/mdmonitor -- gen_context(system_u:object_r:mdadm_initrc_exec_t,s0)
|
||||
|
||||
+/etc/mdadm\.conf -- gen_context(system_u:object_r:mdadm_conf_t,s0)
|
||||
+/etc/mdadm\.conf\.anacbak -- gen_context(system_u:object_r:mdadm_conf_t,s0)
|
||||
+
|
||||
+/usr/lib/systemd/system/mdmon@.* -- gen_context(system_u:object_r:mdadm_unit_file_t,s0)
|
||||
+/usr/lib/systemd/system/mdmonitor.* -- gen_context(system_u:object_r:mdadm_unit_file_t,s0)
|
||||
|
|
@ -80548,7 +80769,7 @@ index 5806046..8bce88f 100644
|
|||
/sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0)
|
||||
/sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0)
|
||||
/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
|
||||
@@ -16,6 +21,10 @@
|
||||
@@ -16,6 +22,10 @@
|
||||
/usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
|
||||
/usr/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
|
||||
/usr/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
|
||||
|
|
@ -80560,7 +80781,7 @@ index 5806046..8bce88f 100644
|
|||
+
|
||||
/var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
|
||||
diff --git a/raid.if b/raid.if
|
||||
index 951db7f..04b6dde 100644
|
||||
index 951db7f..00e699d 100644
|
||||
--- a/raid.if
|
||||
+++ b/raid.if
|
||||
@@ -1,9 +1,8 @@
|
||||
|
|
@ -80642,7 +80863,7 @@ index 951db7f..04b6dde 100644
|
|||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -57,47 +79,112 @@ interface(`raid_run_mdadm',`
|
||||
@@ -57,47 +79,113 @@ interface(`raid_run_mdadm',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
|
@ -80773,12 +80994,13 @@ index 951db7f..04b6dde 100644
|
|||
|
||||
- raid_run_mdadm($2, $1)
|
||||
+ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf")
|
||||
+ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak")
|
||||
')
|
||||
diff --git a/raid.te b/raid.te
|
||||
index c99753f..f6bd1c6 100644
|
||||
index c99753f..1c950ed 100644
|
||||
--- a/raid.te
|
||||
+++ b/raid.te
|
||||
@@ -15,54 +15,100 @@ role mdadm_roles types mdadm_t;
|
||||
@@ -15,54 +15,101 @@ role mdadm_roles types mdadm_t;
|
||||
type mdadm_initrc_exec_t;
|
||||
init_script_file(mdadm_initrc_exec_t)
|
||||
|
||||
|
|
@ -80817,6 +81039,7 @@ index c99753f..f6bd1c6 100644
|
|||
+
|
||||
+manage_files_pattern(mdadm_t, mdadm_conf_t, mdadm_conf_t)
|
||||
+files_etc_filetrans(mdadm_t, mdadm_conf_t, file, "mdadm.conf")
|
||||
+files_etc_filetrans(mdadm_t, mdadm_conf_t, file, "mdadm.conf.anacbak")
|
||||
+
|
||||
+manage_files_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t)
|
||||
+manage_dirs_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t)
|
||||
|
|
@ -80888,7 +81111,7 @@ index c99753f..f6bd1c6 100644
|
|||
|
||||
mls_file_read_all_levels(mdadm_t)
|
||||
mls_file_write_all_levels(mdadm_t)
|
||||
@@ -71,15 +117,22 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
|
||||
@@ -71,15 +118,22 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
|
||||
storage_manage_fixed_disk(mdadm_t)
|
||||
storage_read_scsi_generic(mdadm_t)
|
||||
storage_write_scsi_generic(mdadm_t)
|
||||
|
|
@ -80912,7 +81135,7 @@ index c99753f..f6bd1c6 100644
|
|||
|
||||
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
|
||||
userdom_dontaudit_search_user_home_content(mdadm_t)
|
||||
@@ -90,17 +143,38 @@ optional_policy(`
|
||||
@@ -90,17 +144,38 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@
|
|||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 145%{?dist}
|
||||
Release: 146%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
|
|
@ -647,6 +647,19 @@ exit 0
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Sep 01 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-146
|
||||
- Allow passenger to getattr filesystem xattr
|
||||
- Revert "Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc."
|
||||
- Label mdadm.conf.anackbak as mdadm_conf_t file.
|
||||
- Allow dnssec-ttrigger to relabel net_conf_t files. BZ(1251765)
|
||||
- Allow dnssec-trigger to exec pidof. BZ(#1256737)
|
||||
- Allow blueman to create own tmp files in /tmp. (#1234647)
|
||||
- Add new audit_read access vector in capability2 class
|
||||
- Add "binder" security class and access vectors
|
||||
- Update netlink socket classes.
|
||||
- Allow getty to read network state. BZ(#1255177)
|
||||
- Remove labeling for /var/db/.*\.db as etc_t to label db files as system_db_t.
|
||||
|
||||
* Sun Aug 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-145
|
||||
- Allow watchdog execute fenced python script.
|
||||
- Added inferface watchdog_unconfined_exec_read_lnk_files()
|
||||
|
|
|
|||
Loading…
Reference in New Issue