* Fri Apr 5 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-26
- Try to label controlC devices up to 30 correctly - Add mount_rw_pid_files() interface - Add additional mount/umount interfaces needed by mock - fsadm_t sends audit messages and reads kernel_ipc_info when doing livecd-iso-to-disk - Fix tabs - Allow initrc_domain to search rgmanager lib files - Add more fixes which make mock work together with confined users * Allow mock_t to manage rpm files * Allow mock_t to read rpm log files * Allow mock to setattr on tmpfs, devpts * Allow mount/umount filesystems - Add rpm_read_log() interface - yum-cron runs rpm from within it. - Allow tuned to transition to dmidecode - Allow firewalld to do net_admin - Allow mock to unmount tmpfs_t - Fix virt_sigkill() interface - Add additional fixes for mock. Mainly caused by mount running in mock_t - Allow mock to write sysfs_t and mount pid files - Add mailman_domain to mailman_template() - Allow openvswitch to execute shell - Allow qpidd to use kerberos - Allow mailman to use fusefs, needs back port to RHEL6 - Allow apache and its scripts to use anon_inodefs - Add alias for git_user_content_t and git_sys_content_t so that RHEL6 will update to RHEL7 - Realmd needs to connect to samba ports, needs back port to F18 also - Allow colord to read /run/initial-setup- - Allow sanlock-helper to send sigkill to virtd which is registered to sanlock - Add virt_kill() interface - Add rgmanager_search_lib() interface - Allow wdmd to getattr on all filesystems. Back ported from RHEL6
This commit is contained in:
parent
d9444b18fb
commit
f4f51d7574
@ -5515,7 +5515,7 @@ index b31c054..3a628fe 100644
|
||||
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
|
||||
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
|
||||
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
|
||||
index 76f285e..f7e9534 100644
|
||||
index 76f285e..059e984 100644
|
||||
--- a/policy/modules/kernel/devices.if
|
||||
+++ b/policy/modules/kernel/devices.if
|
||||
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
|
||||
@ -6306,7 +6306,7 @@ index 76f285e..f7e9534 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -3855,6 +4185,42 @@ interface(`dev_getattr_sysfs_dirs',`
|
||||
@@ -3855,6 +4185,78 @@ interface(`dev_getattr_sysfs_dirs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -6345,11 +6345,47 @@ index 76f285e..f7e9534 100644
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Mount sysfs filesystems.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`dev_mount_sysfs_fs',`
|
||||
+ gen_require(`
|
||||
+ type sysfs_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 sysfs_t:filesystem mount;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Unmount sysfs filesystems.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`dev_unmount_sysfs_fs',`
|
||||
+ gen_require(`
|
||||
+ type sysfs_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 sysfs_t:filesystem unmount;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Search the sysfs directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -3904,6 +4270,7 @@ interface(`dev_list_sysfs',`
|
||||
@@ -3904,6 +4306,7 @@ interface(`dev_list_sysfs',`
|
||||
type sysfs_t;
|
||||
')
|
||||
|
||||
@ -6357,7 +6393,7 @@ index 76f285e..f7e9534 100644
|
||||
list_dirs_pattern($1, sysfs_t, sysfs_t)
|
||||
')
|
||||
|
||||
@@ -3946,23 +4313,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
|
||||
@@ -3946,23 +4349,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -6378,7 +6414,7 @@ index 76f285e..f7e9534 100644
|
||||
#
|
||||
-interface(`dev_manage_sysfs_dirs',`
|
||||
+interface(`dev_read_cpu_online',`
|
||||
+ gen_require(`
|
||||
gen_require(`
|
||||
+ type cpu_online_t;
|
||||
+ ')
|
||||
+
|
||||
@ -6397,7 +6433,7 @@ index 76f285e..f7e9534 100644
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`dev_relabel_cpu_online',`
|
||||
gen_require(`
|
||||
+ gen_require(`
|
||||
+ type cpu_online_t;
|
||||
type sysfs_t;
|
||||
')
|
||||
@ -6411,7 +6447,7 @@ index 76f285e..f7e9534 100644
|
||||
########################################
|
||||
## <summary>
|
||||
## Read hardware state information.
|
||||
@@ -4016,6 +4409,62 @@ interface(`dev_rw_sysfs',`
|
||||
@@ -4016,6 +4445,62 @@ interface(`dev_rw_sysfs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -6474,7 +6510,7 @@ index 76f285e..f7e9534 100644
|
||||
## Read and write the TPM device.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -4113,6 +4562,25 @@ interface(`dev_write_urand',`
|
||||
@@ -4113,6 +4598,25 @@ interface(`dev_write_urand',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -6500,7 +6536,7 @@ index 76f285e..f7e9534 100644
|
||||
## Getattr generic the USB devices.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -4557,6 +5025,24 @@ interface(`dev_rw_vhost',`
|
||||
@@ -4557,6 +5061,24 @@ interface(`dev_rw_vhost',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -6525,7 +6561,7 @@ index 76f285e..f7e9534 100644
|
||||
## Read and write VMWare devices.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -4762,6 +5248,26 @@ interface(`dev_rw_xserver_misc',`
|
||||
@@ -4762,6 +5284,26 @@ interface(`dev_rw_xserver_misc',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -6552,7 +6588,7 @@ index 76f285e..f7e9534 100644
|
||||
## Read and write to the zero device (/dev/zero).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -4851,3 +5357,917 @@ interface(`dev_unconfined',`
|
||||
@@ -4851,3 +5393,937 @@ interface(`dev_unconfined',`
|
||||
|
||||
typeattribute $1 devices_unconfined_type;
|
||||
')
|
||||
@ -7386,6 +7422,26 @@ index 76f285e..f7e9534 100644
|
||||
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC7")
|
||||
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC8")
|
||||
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC9")
|
||||
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC10")
|
||||
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC11")
|
||||
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC12")
|
||||
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC13")
|
||||
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC14")
|
||||
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC15")
|
||||
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC16")
|
||||
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC17")
|
||||
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC18")
|
||||
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC19")
|
||||
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC20")
|
||||
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC21")
|
||||
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC22")
|
||||
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC23")
|
||||
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC24")
|
||||
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC25")
|
||||
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC26")
|
||||
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC27")
|
||||
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC28")
|
||||
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC29")
|
||||
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr0")
|
||||
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr1")
|
||||
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd0")
|
||||
@ -15293,7 +15349,7 @@ index 7be4ddf..f7021a0 100644
|
||||
+
|
||||
+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)
|
||||
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
|
||||
index 649e458..31a14c8 100644
|
||||
index 649e458..cc924ae 100644
|
||||
--- a/policy/modules/kernel/kernel.if
|
||||
+++ b/policy/modules/kernel/kernel.if
|
||||
@@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
|
||||
@ -15305,7 +15361,32 @@ index 649e458..31a14c8 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -804,6 +804,24 @@ interface(`kernel_unmount_proc',`
|
||||
@@ -786,6 +786,24 @@ interface(`kernel_mount_kvmfs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## Mount the proc filesystem.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`kernel_mount_proc',`
|
||||
+ gen_require(`
|
||||
+ type proc_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 proc_t:filesystem mount;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Unmount the proc filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -804,6 +822,24 @@ interface(`kernel_unmount_proc',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -15330,7 +15411,7 @@ index 649e458..31a14c8 100644
|
||||
## Get the attributes of the proc filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -991,13 +1009,10 @@ interface(`kernel_read_proc_symlinks',`
|
||||
@@ -991,13 +1027,10 @@ interface(`kernel_read_proc_symlinks',`
|
||||
#
|
||||
interface(`kernel_read_system_state',`
|
||||
gen_require(`
|
||||
@ -15346,7 +15427,7 @@ index 649e458..31a14c8 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1477,6 +1492,24 @@ interface(`kernel_dontaudit_list_all_proc',`
|
||||
@@ -1477,6 +1510,24 @@ interface(`kernel_dontaudit_list_all_proc',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -15371,7 +15452,7 @@ index 649e458..31a14c8 100644
|
||||
## Do not audit attempts by caller to search
|
||||
## the base directory of sysctls.
|
||||
## </summary>
|
||||
@@ -2085,7 +2118,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
|
||||
@@ -2085,7 +2136,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
|
||||
')
|
||||
|
||||
dontaudit $1 sysctl_type:dir list_dir_perms;
|
||||
@ -15380,7 +15461,7 @@ index 649e458..31a14c8 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2282,6 +2315,25 @@ interface(`kernel_list_unlabeled',`
|
||||
@@ -2282,6 +2333,25 @@ interface(`kernel_list_unlabeled',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -15406,7 +15487,7 @@ index 649e458..31a14c8 100644
|
||||
## Read the process state (/proc/pid) of all unlabeled_t.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -2306,7 +2358,7 @@ interface(`kernel_read_unlabeled_state',`
|
||||
@@ -2306,7 +2376,7 @@ interface(`kernel_read_unlabeled_state',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -15415,7 +15496,7 @@ index 649e458..31a14c8 100644
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@@ -2488,6 +2540,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
|
||||
@@ -2488,6 +2558,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -15440,7 +15521,7 @@ index 649e458..31a14c8 100644
|
||||
## Do not audit attempts by caller to get attributes for
|
||||
## unlabeled character devices.
|
||||
## </summary>
|
||||
@@ -2525,6 +2595,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
|
||||
@@ -2525,6 +2613,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -15465,7 +15546,7 @@ index 649e458..31a14c8 100644
|
||||
## Allow caller to relabel unlabeled files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -2632,7 +2720,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
|
||||
@@ -2632,7 +2738,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
|
||||
allow $1 unlabeled_t:association { sendto recvfrom };
|
||||
|
||||
# temporary hack until labeling on packets is supported
|
||||
@ -15474,7 +15555,7 @@ index 649e458..31a14c8 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2670,6 +2758,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
|
||||
@@ -2670,6 +2776,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -15499,7 +15580,7 @@ index 649e458..31a14c8 100644
|
||||
## Receive TCP packets from an unlabeled connection.
|
||||
## </summary>
|
||||
## <desc>
|
||||
@@ -2697,6 +2803,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
|
||||
@@ -2697,6 +2821,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -15525,7 +15606,7 @@ index 649e458..31a14c8 100644
|
||||
## Do not audit attempts to receive TCP packets from an unlabeled
|
||||
## connection.
|
||||
## </summary>
|
||||
@@ -2806,6 +2931,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
|
||||
@@ -2806,6 +2949,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
|
||||
|
||||
allow $1 unlabeled_t:rawip_socket recvfrom;
|
||||
')
|
||||
@ -15559,7 +15640,7 @@ index 649e458..31a14c8 100644
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@@ -2961,6 +3113,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
|
||||
@@ -2961,6 +3131,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -15584,7 +15665,7 @@ index 649e458..31a14c8 100644
|
||||
## Unconfined access to kernel module resources.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -2975,5 +3145,299 @@ interface(`kernel_unconfined',`
|
||||
@@ -2975,5 +3163,299 @@ interface(`kernel_unconfined',`
|
||||
')
|
||||
|
||||
typeattribute $1 kern_unconfined;
|
||||
@ -17164,7 +17245,7 @@ index 7d45d15..22c9cfe 100644
|
||||
+
|
||||
+/usr/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
|
||||
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
|
||||
index 771bce1..8b0e5e6 100644
|
||||
index 771bce1..55ebf4b 100644
|
||||
--- a/policy/modules/kernel/terminal.if
|
||||
+++ b/policy/modules/kernel/terminal.if
|
||||
@@ -124,7 +124,7 @@ interface(`term_user_tty',`
|
||||
@ -17226,7 +17307,50 @@ index 771bce1..8b0e5e6 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -481,6 +504,24 @@ interface(`term_list_ptys',`
|
||||
@@ -384,6 +407,42 @@ interface(`term_getattr_pty_fs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## Mount a pty filesystem
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`term_mount_pty_fs',`
|
||||
+ gen_require(`
|
||||
+ type devpts_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 devpts_t:filesystem mount;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Unmount a pty filesystem
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`term_unmount_pty_fs',`
|
||||
+ gen_require(`
|
||||
+ type devpts_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 devpts_t:filesystem unmount;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Relabel from and to pty filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -481,6 +540,24 @@ interface(`term_list_ptys',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -17251,7 +17375,7 @@ index 771bce1..8b0e5e6 100644
|
||||
## Do not audit attempts to read the
|
||||
## /dev/pts directory.
|
||||
## </summary>
|
||||
@@ -620,7 +661,7 @@ interface(`term_use_generic_ptys',`
|
||||
@@ -620,7 +697,7 @@ interface(`term_use_generic_ptys',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -17260,7 +17384,7 @@ index 771bce1..8b0e5e6 100644
|
||||
## write the generic pty type. This is
|
||||
## generally only used in the targeted policy.
|
||||
## </summary>
|
||||
@@ -635,6 +676,7 @@ interface(`term_dontaudit_use_generic_ptys',`
|
||||
@@ -635,6 +712,7 @@ interface(`term_dontaudit_use_generic_ptys',`
|
||||
type devpts_t;
|
||||
')
|
||||
|
||||
@ -17268,7 +17392,7 @@ index 771bce1..8b0e5e6 100644
|
||||
dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
@@ -879,6 +921,26 @@ interface(`term_use_all_ptys',`
|
||||
@@ -879,6 +957,26 @@ interface(`term_use_all_ptys',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -17295,7 +17419,7 @@ index 771bce1..8b0e5e6 100644
|
||||
## Do not audit attempts to read or write any ptys.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -892,7 +954,7 @@ interface(`term_dontaudit_use_all_ptys',`
|
||||
@@ -892,7 +990,7 @@ interface(`term_dontaudit_use_all_ptys',`
|
||||
attribute ptynode;
|
||||
')
|
||||
|
||||
@ -17304,7 +17428,7 @@ index 771bce1..8b0e5e6 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -912,7 +974,7 @@ interface(`term_relabel_all_ptys',`
|
||||
@@ -912,7 +1010,7 @@ interface(`term_relabel_all_ptys',`
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
@ -17313,7 +17437,7 @@ index 771bce1..8b0e5e6 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -940,7 +1002,7 @@ interface(`term_getattr_all_user_ptys',`
|
||||
@@ -940,7 +1038,7 @@ interface(`term_getattr_all_user_ptys',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -17322,7 +17446,7 @@ index 771bce1..8b0e5e6 100644
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@@ -1259,7 +1321,47 @@ interface(`term_dontaudit_use_unallocated_ttys',`
|
||||
@@ -1259,7 +1357,47 @@ interface(`term_dontaudit_use_unallocated_ttys',`
|
||||
type tty_device_t;
|
||||
')
|
||||
|
||||
@ -17371,7 +17495,7 @@ index 771bce1..8b0e5e6 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1275,11 +1377,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
|
||||
@@ -1275,11 +1413,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
|
||||
#
|
||||
interface(`term_getattr_all_ttys',`
|
||||
gen_require(`
|
||||
@ -17385,7 +17509,7 @@ index 771bce1..8b0e5e6 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1296,10 +1400,12 @@ interface(`term_getattr_all_ttys',`
|
||||
@@ -1296,10 +1436,12 @@ interface(`term_getattr_all_ttys',`
|
||||
interface(`term_dontaudit_getattr_all_ttys',`
|
||||
gen_require(`
|
||||
attribute ttynode;
|
||||
@ -17398,7 +17522,7 @@ index 771bce1..8b0e5e6 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1377,7 +1483,27 @@ interface(`term_use_all_ttys',`
|
||||
@@ -1377,7 +1519,27 @@ interface(`term_use_all_ttys',`
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
@ -17427,7 +17551,7 @@ index 771bce1..8b0e5e6 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1396,7 +1522,7 @@ interface(`term_dontaudit_use_all_ttys',`
|
||||
@@ -1396,7 +1558,7 @@ interface(`term_dontaudit_use_all_ttys',`
|
||||
attribute ttynode;
|
||||
')
|
||||
|
||||
@ -17436,7 +17560,7 @@ index 771bce1..8b0e5e6 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1504,7 +1630,7 @@ interface(`term_use_all_user_ttys',`
|
||||
@@ -1504,7 +1666,7 @@ interface(`term_use_all_user_ttys',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -17445,7 +17569,7 @@ index 771bce1..8b0e5e6 100644
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@@ -1512,3 +1638,436 @@ interface(`term_dontaudit_use_all_user_ttys',`
|
||||
@@ -1512,3 +1674,436 @@ interface(`term_dontaudit_use_all_user_ttys',`
|
||||
refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
|
||||
term_dontaudit_use_all_ttys($1)
|
||||
')
|
||||
@ -26328,7 +26452,7 @@ index 016a770..1effeb4 100644
|
||||
+ files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid")
|
||||
+')
|
||||
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
|
||||
index 6c4b6ee..4ea7640 100644
|
||||
index 6c4b6ee..f512b72 100644
|
||||
--- a/policy/modules/system/fstools.te
|
||||
+++ b/policy/modules/system/fstools.te
|
||||
@@ -13,6 +13,9 @@ role system_r types fsadm_t;
|
||||
@ -26357,7 +26481,15 @@ index 6c4b6ee..4ea7640 100644
|
||||
|
||||
# log files
|
||||
allow fsadm_t fsadm_log_t:dir setattr;
|
||||
@@ -101,6 +110,8 @@ files_read_usr_files(fsadm_t)
|
||||
@@ -53,6 +62,7 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file)
|
||||
# Enable swapping to files
|
||||
allow fsadm_t swapfile_t:file { rw_file_perms swapon };
|
||||
|
||||
+kernel_get_sysvipc_info(fsadm_t)
|
||||
kernel_read_system_state(fsadm_t)
|
||||
kernel_read_kernel_sysctls(fsadm_t)
|
||||
kernel_request_load_module(fsadm_t)
|
||||
@@ -101,6 +111,8 @@ files_read_usr_files(fsadm_t)
|
||||
files_read_etc_files(fsadm_t)
|
||||
files_manage_lost_found(fsadm_t)
|
||||
files_manage_isid_type_dirs(fsadm_t)
|
||||
@ -26366,7 +26498,7 @@ index 6c4b6ee..4ea7640 100644
|
||||
# Write to /etc/mtab.
|
||||
files_manage_etc_runtime_files(fsadm_t)
|
||||
files_etc_filetrans_etc_runtime(fsadm_t, file)
|
||||
@@ -120,6 +131,9 @@ fs_list_auto_mountpoints(fsadm_t)
|
||||
@@ -120,6 +132,9 @@ fs_list_auto_mountpoints(fsadm_t)
|
||||
fs_search_tmpfs(fsadm_t)
|
||||
fs_getattr_tmpfs_dirs(fsadm_t)
|
||||
fs_read_tmpfs_symlinks(fsadm_t)
|
||||
@ -26376,7 +26508,7 @@ index 6c4b6ee..4ea7640 100644
|
||||
# Recreate /mnt/cdrom.
|
||||
files_manage_mnt_dirs(fsadm_t)
|
||||
# for tune2fs
|
||||
@@ -133,21 +147,26 @@ storage_raw_write_fixed_disk(fsadm_t)
|
||||
@@ -133,21 +148,27 @@ storage_raw_write_fixed_disk(fsadm_t)
|
||||
storage_raw_read_removable_device(fsadm_t)
|
||||
storage_raw_write_removable_device(fsadm_t)
|
||||
storage_read_scsi_generic(fsadm_t)
|
||||
@ -26394,6 +26526,7 @@ index 6c4b6ee..4ea7640 100644
|
||||
+init_stream_connect(fsadm_t)
|
||||
|
||||
logging_send_syslog_msg(fsadm_t)
|
||||
+logging_send_audit_msgs(fsadm_t)
|
||||
+logging_stream_connect_syslog(fsadm_t)
|
||||
|
||||
-miscfiles_read_localization(fsadm_t)
|
||||
@ -26405,7 +26538,7 @@ index 6c4b6ee..4ea7640 100644
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
optional_policy(`
|
||||
@@ -166,6 +185,11 @@ optional_policy(`
|
||||
@@ -166,6 +187,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -26417,7 +26550,7 @@ index 6c4b6ee..4ea7640 100644
|
||||
hal_dontaudit_write_log(fsadm_t)
|
||||
')
|
||||
|
||||
@@ -179,6 +203,10 @@ optional_policy(`
|
||||
@@ -179,6 +205,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -26428,7 +26561,7 @@ index 6c4b6ee..4ea7640 100644
|
||||
nis_use_ypbind(fsadm_t)
|
||||
')
|
||||
|
||||
@@ -192,6 +220,10 @@ optional_policy(`
|
||||
@@ -192,6 +222,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -27940,7 +28073,7 @@ index 24e7804..1894886 100644
|
||||
+ allow $1 init_t:system undefined;
|
||||
+')
|
||||
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
||||
index dd3be8d..99c538c 100644
|
||||
index dd3be8d..61531ce 100644
|
||||
--- a/policy/modules/system/init.te
|
||||
+++ b/policy/modules/system/init.te
|
||||
@@ -11,10 +11,24 @@ gen_require(`
|
||||
@ -28206,15 +28339,14 @@ index dd3be8d..99c538c 100644
|
||||
+
|
||||
+optional_policy(`
|
||||
+ gnome_filetrans_home_content(init_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- auth_rw_login_records(init_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ modutils_domtrans_insmod(init_t)
|
||||
+ modutils_list_module_config(init_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ postfix_exec(init_t)
|
||||
+ postfix_list_spool(init_t)
|
||||
+ mta_read_aliases(init_t)
|
||||
@ -28338,28 +28470,29 @@ index dd3be8d..99c538c 100644
|
||||
+optional_policy(`
|
||||
+ lvm_rw_pipes(init_t)
|
||||
+ lvm_read_config(init_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- auth_rw_login_records(init_t)
|
||||
+ consolekit_manage_log(init_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ dbus_connect_system_bus(init_t)
|
||||
dbus_system_bus_client(init_t)
|
||||
+ dbus_delete_pid_files(init_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- nscd_use(init_t)
|
||||
+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
|
||||
+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
|
||||
+ # the directory. But we do not want to allow this.
|
||||
+ # The master process of dovecot will manage this file.
|
||||
+ dovecot_dontaudit_unlink_lib_files(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- nscd_use(init_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ plymouthd_stream_connect(init_t)
|
||||
+ plymouthd_exec_plymouth(init_t)
|
||||
')
|
||||
@ -29002,7 +29135,7 @@ index dd3be8d..99c538c 100644
|
||||
# Set device ownerships/modes.
|
||||
xserver_setattr_console_pipes(initrc_t)
|
||||
|
||||
@@ -896,3 +1353,187 @@ optional_policy(`
|
||||
@@ -896,3 +1353,191 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
zebra_read_config(initrc_t)
|
||||
')
|
||||
@ -29184,6 +29317,10 @@ index dd3be8d..99c538c 100644
|
||||
+allow initrc_domain systemprocess_entry:file { getattr open read execute };
|
||||
+allow initrc_domain systemprocess:process transition;
|
||||
+
|
||||
+optional_policy(`
|
||||
+ rgmanager_search_lib(initrc_domain)
|
||||
+')
|
||||
+
|
||||
+ifdef(`direct_sysadm_daemon',`
|
||||
+ allow daemon direct_run_init:fd use;
|
||||
+ allow daemon direct_run_init:fifo_file rw_inherited_fifo_file_perms;
|
||||
@ -32614,7 +32751,7 @@ index 72c746e..f035d9f 100644
|
||||
+/usr/sbin/umount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
|
||||
+/usr/sbin/umount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
|
||||
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
|
||||
index 4584457..0755e25 100644
|
||||
index 4584457..e432df3 100644
|
||||
--- a/policy/modules/system/mount.if
|
||||
+++ b/policy/modules/system/mount.if
|
||||
@@ -16,6 +16,13 @@ interface(`mount_domtrans',`
|
||||
@ -32631,7 +32768,7 @@ index 4584457..0755e25 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -38,11 +45,103 @@ interface(`mount_domtrans',`
|
||||
@@ -38,11 +45,122 @@ interface(`mount_domtrans',`
|
||||
#
|
||||
interface(`mount_run',`
|
||||
gen_require(`
|
||||
@ -32719,6 +32856,25 @@ index 4584457..0755e25 100644
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read/write mount PID files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`mount_rw_pid_files',`
|
||||
+ gen_require(`
|
||||
+ type mount_var_run_t;
|
||||
+ ')
|
||||
+
|
||||
+ rw_files_pattern($1, mount_var_run_t, mount_var_run_t)
|
||||
+ files_search_pids($1)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Manage mount PID files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
@ -32737,7 +32893,7 @@ index 4584457..0755e25 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -91,7 +190,7 @@ interface(`mount_signal',`
|
||||
@@ -91,7 +209,7 @@ interface(`mount_signal',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -32746,7 +32902,7 @@ index 4584457..0755e25 100644
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@@ -131,45 +230,138 @@ interface(`mount_send_nfs_client_request',`
|
||||
@@ -131,45 +249,138 @@ interface(`mount_send_nfs_client_request',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -32806,14 +32962,19 @@ index 4584457..0755e25 100644
|
||||
## <summary>
|
||||
-## Role allowed access.
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
## </summary>
|
||||
## </param>
|
||||
-## <rolecap/>
|
||||
#
|
||||
-interface(`mount_run_unconfined',`
|
||||
+interface(`mount_exec_fusermount',`
|
||||
+ gen_require(`
|
||||
gen_require(`
|
||||
- type unconfined_mount_t;
|
||||
+ type fusermount_exec_t;
|
||||
+ ')
|
||||
+
|
||||
')
|
||||
|
||||
- mount_domtrans_unconfined($1)
|
||||
- role $2 types unconfined_mount_t;
|
||||
+ can_exec($1, fusermount_exec_t)
|
||||
+')
|
||||
+
|
||||
@ -32824,19 +32985,14 @@ index 4584457..0755e25 100644
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
-## <rolecap/>
|
||||
#
|
||||
-interface(`mount_run_unconfined',`
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`mount_dontaudit_exec_fusermount',`
|
||||
gen_require(`
|
||||
- type unconfined_mount_t;
|
||||
+ gen_require(`
|
||||
+ type fusermount_exec_t;
|
||||
')
|
||||
|
||||
- mount_domtrans_unconfined($1)
|
||||
- role $2 types unconfined_mount_t;
|
||||
+ ')
|
||||
+
|
||||
+ dontaudit $1 fusermount_exec_t:file exec_file_perms;
|
||||
+')
|
||||
+
|
||||
@ -32902,7 +33058,7 @@ index 4584457..0755e25 100644
|
||||
+ domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
|
||||
')
|
||||
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
|
||||
index 6a50270..2fc14cd 100644
|
||||
index 6a50270..b34911e 100644
|
||||
--- a/policy/modules/system/mount.te
|
||||
+++ b/policy/modules/system/mount.te
|
||||
@@ -10,35 +10,60 @@ policy_module(mount, 1.15.1)
|
||||
@ -33003,7 +33159,7 @@ index 6a50270..2fc14cd 100644
|
||||
kernel_dontaudit_write_debugfs_dirs(mount_t)
|
||||
kernel_dontaudit_write_proc_dirs(mount_t)
|
||||
# To load binfmt_misc kernel module
|
||||
@@ -60,31 +100,46 @@ kernel_request_load_module(mount_t)
|
||||
@@ -60,31 +100,47 @@ kernel_request_load_module(mount_t)
|
||||
# required for mount.smbfs
|
||||
corecmd_exec_bin(mount_t)
|
||||
|
||||
@ -33019,6 +33175,7 @@ index 6a50270..2fc14cd 100644
|
||||
dev_dontaudit_getattr_all_chr_files(mount_t)
|
||||
dev_dontaudit_getattr_memory_dev(mount_t)
|
||||
dev_getattr_sound_dev(mount_t)
|
||||
+dev_rw_loop_control(mount_t)
|
||||
+
|
||||
+ifdef(`hide_broken_symptoms',`
|
||||
+ dev_rw_generic_blk_files(mount_t)
|
||||
@ -33053,7 +33210,7 @@ index 6a50270..2fc14cd 100644
files_read_isid_type_files(mount_t)
# For reading cert files
files_read_usr_files(mount_t)
@@ -92,28 +147,39 @@ files_list_mnt(mount_t)
@@ -92,28 +148,39 @@ files_list_mnt(mount_t)
files_dontaudit_write_all_mountpoints(mount_t)
files_dontaudit_setattr_all_mountpoints(mount_t)
|
@ -33099,7 +33256,7 @@ index 6a50270..2fc14cd 100644
term_dontaudit_manage_pty_dirs(mount_t)
|
auth_use_nsswitch(mount_t)
@@ -121,16 +187,21 @@ auth_use_nsswitch(mount_t)
@@ -121,16 +188,21 @@ auth_use_nsswitch(mount_t)
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@ -33123,7 +33280,7 @@ index 6a50270..2fc14cd 100644
|
ifdef(`distro_redhat',`
optional_policy(`
@@ -146,26 +217,27 @@ ifdef(`distro_ubuntu',`
@@ -146,26 +218,27 @@ ifdef(`distro_ubuntu',`
')
')
|
@ -33163,7 +33320,7 @@ index 6a50270..2fc14cd 100644
corenet_tcp_bind_generic_port(mount_t)
corenet_udp_bind_generic_port(mount_t)
corenet_tcp_bind_reserved_port(mount_t)
@@ -179,6 +251,8 @@ optional_policy(`
@@ -179,6 +252,8 @@ optional_policy(`
fs_search_rpc(mount_t)
|
rpc_stub(mount_t)
@ -33172,7 +33329,7 @@ index 6a50270..2fc14cd 100644
')
|
optional_policy(`
@@ -186,6 +260,36 @@ optional_policy(`
@@ -186,6 +261,36 @@ optional_policy(`
')
|
optional_policy(`
@ -33209,7 +33366,7 @@ index 6a50270..2fc14cd 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
@@ -194,24 +298,128 @@ optional_policy(`
@@ -194,24 +299,128 @@ optional_policy(`
')
|
optional_policy(`
|
@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
Release: 25%{?dist}
Release: 26%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -526,6 +526,39 @@ SELinux Reference policy mls base module.
%endif
|
%changelog
* Fri Apr 5 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-26
- Try to label on controlC devices up to 30 correctly
- Add mount_rw_pid_files() interface
- Add additional mount/umount interfaces needed by mock
- fsadm_t sends audit messages in reads kernel_ipc_info when doing livecd-iso-to-disk
- Fix tabs
- Allow initrc_domain to search rgmanager lib files
- Add more fixes which make mock working together with confined users
* Allow mock_t to manage rpm files
* Allow mock_t to read rpm log files
* Allow mock to setattr on tmpfs, devpts
* Allow mount/umount filesystems
- Add rpm_read_log() interface
- yum-cron runs rpm from within it.
- Allow tuned to transition to dmidecode
- Allow firewalld to do net_admin
- Allow mock to unmont tmpfs_t
- Fix virt_sigkill() interface
- Add additional fixes for mock. Mainly caused by mount running in mock_t
- Allow mock to write sysfs_t and mount pid files
- Add mailman_domain to mailman_template()
- Allow openvswitch to execute shell
- Allow qpidd to use kerberos
- Allow mailman to use fusefs, needs back port to RHEL6
- Allow apache and its scripts to use anon_inodefs
- Add alias for git_user_content_t and git_sys_content_t so that RHEL6 will update to RHEL7
- Realmd needs to connect to samba ports, needs back port to F18 also
- Allow colord to read /run/initial-setup-
- Allow sanlock-helper to send sigkill to virtd which is registred to sanlock
- Add virt_kill() interface
- Add rgmanager_search_lib() interface
- Allow wdmd to getattr on all filesystems. Back ported from RHEL6
|
* Tue Apr 2 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-25
- Allow realmd to create tmp files
- FIx ircssi_home_t type to irssi_home_t
|