- Add missing nslcd_dontaudit_write_sock_file() interface
- one more fix - Fix pki_read_tomcat_lib_files() interface - Allow certmonger to read pki-tomcat lib files - Allow certwatch to execute bin_t - Allow snmp to manage /var/lib/net-snmp files - Don't audit attempts to write to stream socket of nslcd by thumbnailers - Allow git_system_t to read network state - Allow pegasus to execute mount command - Fix desc for drdb_admin - Fix condor_amin() - Interface fixes for uptime, vdagent, vnstatd - Fix labeling for moodle in /var/www/moodle/data - Add interface fixes - Allow bugzilla to read certs - /var/www/moodle needs to be writable by apache - Add interface to dontaudit attempts to send dbus messages to systemd domains, for xguest - Fix namespace_init_t to create content with proper labels, and allow it to manage all user content - Allow httpd_t to connect to osapi_compute port using httpd_use_openstack boolean - Fixes for dlm_controld - Fix apache_read_sys_content_rw_dirs() interface - Allow logrotate to read /var/log/z-push dir - Fix sys_nice for cups_domain - Allow postfix_postdrop to access postfix_public socket - Allow sched_setscheduler for cupsd_t - Add missing context for /usr/sbin/snmpd - Kernel_t needs mac_admin in order to support labeled NFS - Fix systemd_dontaudit_dbus_chat() interface - Add interface to dontaudit attempts to send dbus messages to systemd domains, for xguest - Allow consolehelper domain to write Xauth files in /root - Add port definition for osapi_compute port
parent
d8b4fa387f
commit
fa447f104a
@ -15970,7 +15970,7 @@ index 649e458..cc924ae 100644
|
|||||||
+ list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
|
+ list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
|
||||||
')
|
')
|
||||||
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
|
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
|
||||||
index 6fac350..e7add10 100644
|
index 6fac350..06704f6 100644
|
||||||
--- a/policy/modules/kernel/kernel.te
|
--- a/policy/modules/kernel/kernel.te
|
||||||
+++ b/policy/modules/kernel/kernel.te
|
+++ b/policy/modules/kernel/kernel.te
|
||||||
@@ -25,6 +25,9 @@ attribute kern_unconfined;
|
@@ -25,6 +25,9 @@ attribute kern_unconfined;
|
||||||
@ -16021,7 +16021,15 @@ index 6fac350..e7add10 100644
|
|||||||
# /proc/sys/dev directory and files
|
# /proc/sys/dev directory and files
|
||||||
type sysctl_dev_t, sysctl_type;
|
type sysctl_dev_t, sysctl_type;
|
||||||
genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
|
genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
|
||||||
@@ -233,7 +246,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
|
@@ -189,6 +202,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
||||||
|
# kernel local policy
|
||||||
|
#
|
||||||
|
|
||||||
|
+allow kernel_t self:capability2 mac_admin;
|
||||||
|
allow kernel_t self:capability ~sys_module;
|
||||||
|
allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||||
|
allow kernel_t self:shm create_shm_perms;
|
||||||
|
@@ -233,7 +247,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
|
||||||
corenet_in_generic_if(unlabeled_t)
|
corenet_in_generic_if(unlabeled_t)
|
||||||
corenet_in_generic_node(unlabeled_t)
|
corenet_in_generic_node(unlabeled_t)
|
||||||
|
|
||||||
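Review bot: The new `allow kernel_t self:capability2 mac_admin;` is granted unconditionally, although the commit message ties it only to labeled NFS support; as far as I can tell mac_admin is what lets a domain assign file security contexts that the loaded policy does not define, which is a broad always-on grant for kernel_t. Consider moving the rule into the rpc/NFS `optional_policy(` … `)` block that appears later in kernel.te (outside this hunk), or at least stating the reason inline, e.g. `# mac_admin: labeled NFS can present contexts unknown to the local policy` above the rule, since nothing in the hunk explains it. The kernel local policy block this rule sits in continues past the end of the hunk.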
@ -16029,7 +16037,7 @@ index 6fac350..e7add10 100644
|
|||||||
corenet_all_recvfrom_netlabel(kernel_t)
|
corenet_all_recvfrom_netlabel(kernel_t)
|
||||||
# Kernel-generated traffic e.g., ICMP replies:
|
# Kernel-generated traffic e.g., ICMP replies:
|
||||||
corenet_raw_sendrecv_all_if(kernel_t)
|
corenet_raw_sendrecv_all_if(kernel_t)
|
||||||
@@ -244,17 +256,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
|
@@ -244,17 +257,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
|
||||||
corenet_tcp_sendrecv_all_nodes(kernel_t)
|
corenet_tcp_sendrecv_all_nodes(kernel_t)
|
||||||
corenet_raw_send_generic_node(kernel_t)
|
corenet_raw_send_generic_node(kernel_t)
|
||||||
corenet_send_all_packets(kernel_t)
|
corenet_send_all_packets(kernel_t)
|
||||||
@ -16055,7 +16063,7 @@ index 6fac350..e7add10 100644
|
|||||||
|
|
||||||
# Mount root file system. Used when loading a policy
|
# Mount root file system. Used when loading a policy
|
||||||
# from initrd, then mounting the root filesystem
|
# from initrd, then mounting the root filesystem
|
||||||
@@ -263,7 +279,8 @@ fs_unmount_all_fs(kernel_t)
|
@@ -263,7 +280,8 @@ fs_unmount_all_fs(kernel_t)
|
||||||
|
|
||||||
selinux_load_policy(kernel_t)
|
selinux_load_policy(kernel_t)
|
||||||
|
|
||||||
@ -16065,7 +16073,7 @@ index 6fac350..e7add10 100644
|
|||||||
|
|
||||||
corecmd_exec_shell(kernel_t)
|
corecmd_exec_shell(kernel_t)
|
||||||
corecmd_list_bin(kernel_t)
|
corecmd_list_bin(kernel_t)
|
||||||
@@ -277,25 +294,49 @@ files_list_root(kernel_t)
|
@@ -277,25 +295,49 @@ files_list_root(kernel_t)
|
||||||
files_list_etc(kernel_t)
|
files_list_etc(kernel_t)
|
||||||
files_list_home(kernel_t)
|
files_list_home(kernel_t)
|
||||||
files_read_usr_files(kernel_t)
|
files_read_usr_files(kernel_t)
|
||||||
@ -16115,7 +16123,7 @@ index 6fac350..e7add10 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -305,6 +346,19 @@ optional_policy(`
|
@@ -305,6 +347,19 @@ optional_policy(`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
logging_send_syslog_msg(kernel_t)
|
logging_send_syslog_msg(kernel_t)
|
||||||
@ -16135,7 +16143,7 @@ index 6fac350..e7add10 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -334,7 +388,6 @@ optional_policy(`
|
@@ -334,7 +389,6 @@ optional_policy(`
|
||||||
|
|
||||||
rpc_manage_nfs_ro_content(kernel_t)
|
rpc_manage_nfs_ro_content(kernel_t)
|
||||||
rpc_manage_nfs_rw_content(kernel_t)
|
rpc_manage_nfs_rw_content(kernel_t)
|
||||||
@ -16143,7 +16151,7 @@ index 6fac350..e7add10 100644
|
|||||||
rpc_udp_rw_nfs_sockets(kernel_t)
|
rpc_udp_rw_nfs_sockets(kernel_t)
|
||||||
|
|
||||||
tunable_policy(`nfs_export_all_ro',`
|
tunable_policy(`nfs_export_all_ro',`
|
||||||
@@ -343,9 +396,7 @@ optional_policy(`
|
@@ -343,9 +397,7 @@ optional_policy(`
|
||||||
fs_read_noxattr_fs_files(kernel_t)
|
fs_read_noxattr_fs_files(kernel_t)
|
||||||
fs_read_noxattr_fs_symlinks(kernel_t)
|
fs_read_noxattr_fs_symlinks(kernel_t)
|
||||||
|
|
||||||
@ -16154,7 +16162,7 @@ index 6fac350..e7add10 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`nfs_export_all_rw',`
|
tunable_policy(`nfs_export_all_rw',`
|
||||||
@@ -354,7 +405,7 @@ optional_policy(`
|
@@ -354,7 +406,7 @@ optional_policy(`
|
||||||
fs_read_noxattr_fs_files(kernel_t)
|
fs_read_noxattr_fs_files(kernel_t)
|
||||||
fs_read_noxattr_fs_symlinks(kernel_t)
|
fs_read_noxattr_fs_symlinks(kernel_t)
|
||||||
|
|
||||||
@ -16163,7 +16171,7 @@ index 6fac350..e7add10 100644
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -367,6 +418,15 @@ optional_policy(`
|
@@ -367,6 +419,15 @@ optional_policy(`
|
||||||
unconfined_domain_noaudit(kernel_t)
|
unconfined_domain_noaudit(kernel_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -16179,7 +16187,7 @@ index 6fac350..e7add10 100644
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Unlabeled process local policy
|
# Unlabeled process local policy
|
||||||
@@ -409,4 +469,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
|
@@ -409,4 +470,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
|
||||||
allow kern_unconfined unlabeled_t:filesystem *;
|
allow kern_unconfined unlabeled_t:filesystem *;
|
||||||
allow kern_unconfined unlabeled_t:association *;
|
allow kern_unconfined unlabeled_t:association *;
|
||||||
allow kern_unconfined unlabeled_t:packet *;
|
allow kern_unconfined unlabeled_t:packet *;
|
||||||
@ -22226,7 +22234,7 @@ index d1f64a0..3be3d00 100644
|
|||||||
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
||||||
+
|
+
|
||||||
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
|
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
|
||||||
index 6bf0ecc..ad955d5 100644
|
index 6bf0ecc..0ef3955 100644
|
||||||
--- a/policy/modules/services/xserver.if
|
--- a/policy/modules/services/xserver.if
|
||||||
+++ b/policy/modules/services/xserver.if
|
+++ b/policy/modules/services/xserver.if
|
||||||
@@ -19,9 +19,10 @@
|
@@ -19,9 +19,10 @@
|
||||||
@ -22571,15 +22579,58 @@ index 6bf0ecc..ad955d5 100644
|
|||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Create a Xauthority file in the user home directory.
|
## Create a Xauthority file in the user home directory.
|
||||||
@@ -598,6 +682,7 @@ interface(`xserver_read_user_xauth',`
|
@@ -567,6 +651,24 @@ interface(`xserver_user_home_dir_filetrans_user_xauth',`
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
+## Create a Xauthority file in the admin home directory.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`xserver_admin_home_dir_filetrans_xauth',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type xauth_home_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ userdom_admin_home_dir_filetrans($1, xauth_home_t, file)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
## Read all users fonts, user font configurations,
|
||||||
|
## and manage all users font caches.
|
||||||
|
## </summary>
|
||||||
|
@@ -598,6 +700,25 @@ interface(`xserver_read_user_xauth',`
|
||||||
|
|
||||||
allow $1 xauth_home_t:file read_file_perms;
|
allow $1 xauth_home_t:file read_file_perms;
|
||||||
userdom_search_user_home_dirs($1)
|
userdom_search_user_home_dirs($1)
|
||||||
+ xserver_read_xdm_pid($1)
|
+ xserver_read_xdm_pid($1)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Manage all users .Xauthority.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`xserver_manage_user_xauth',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type xauth_home_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 xauth_home_t:file manage_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -615,7 +700,7 @@ interface(`xserver_setattr_console_pipes',`
|
@@ -615,7 +736,7 @@ interface(`xserver_setattr_console_pipes',`
|
||||||
type xconsole_device_t;
|
type xconsole_device_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
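Review bot: `xserver_manage_user_xauth` grants `allow $1 xauth_home_t:file manage_file_perms;` without the `userdom_search_user_home_dirs($1)` that `xserver_read_user_xauth` a few lines above pairs with its read rule, so a caller of the new interface still cannot reach the file through the user home directory unless it obtains search access elsewhere; adding `userdom_search_user_home_dirs($1)` keeps the two interfaces consistent. Because the Xauthority cookie is what authenticates a client to the X server, write access to every user's cookie is a sensitive grant, and a warning in the summary, e.g. `## Manage all users .Xauthority. Callers can replace or forge X authentication cookies; grant sparingly.`, would help reviewers of future callers. The same caveat applies to the new `xserver_admin_home_dir_filetrans_xauth`, which creates xauth_home_t files in the admin home directory.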
@ -22588,7 +22639,7 @@ index 6bf0ecc..ad955d5 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -638,6 +723,25 @@ interface(`xserver_rw_console',`
|
@@ -638,6 +759,25 @@ interface(`xserver_rw_console',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -22614,7 +22665,7 @@ index 6bf0ecc..ad955d5 100644
|
|||||||
## Use file descriptors for xdm.
|
## Use file descriptors for xdm.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -651,7 +755,7 @@ interface(`xserver_use_xdm_fds',`
|
@@ -651,7 +791,7 @@ interface(`xserver_use_xdm_fds',`
|
||||||
type xdm_t;
|
type xdm_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -22623,7 +22674,7 @@ index 6bf0ecc..ad955d5 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -670,7 +774,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
|
@@ -670,7 +810,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
|
||||||
type xdm_t;
|
type xdm_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -22632,7 +22683,7 @@ index 6bf0ecc..ad955d5 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -688,7 +792,7 @@ interface(`xserver_rw_xdm_pipes',`
|
@@ -688,7 +828,7 @@ interface(`xserver_rw_xdm_pipes',`
|
||||||
type xdm_t;
|
type xdm_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -22641,7 +22692,7 @@ index 6bf0ecc..ad955d5 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -703,12 +807,11 @@ interface(`xserver_rw_xdm_pipes',`
|
@@ -703,12 +843,11 @@ interface(`xserver_rw_xdm_pipes',`
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`xserver_dontaudit_rw_xdm_pipes',`
|
interface(`xserver_dontaudit_rw_xdm_pipes',`
|
||||||
@ -22655,7 +22706,7 @@ index 6bf0ecc..ad955d5 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -765,11 +868,71 @@ interface(`xserver_manage_xdm_spool_files',`
|
@@ -765,11 +904,71 @@ interface(`xserver_manage_xdm_spool_files',`
|
||||||
#
|
#
|
||||||
interface(`xserver_stream_connect_xdm',`
|
interface(`xserver_stream_connect_xdm',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -22729,7 +22780,7 @@ index 6bf0ecc..ad955d5 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -793,6 +956,25 @@ interface(`xserver_read_xdm_rw_config',`
|
@@ -793,6 +992,25 @@ interface(`xserver_read_xdm_rw_config',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -22755,7 +22806,7 @@ index 6bf0ecc..ad955d5 100644
|
|||||||
## Set the attributes of XDM temporary directories.
|
## Set the attributes of XDM temporary directories.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -806,7 +988,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
|
@@ -806,7 +1024,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
|
||||||
type xdm_tmp_t;
|
type xdm_tmp_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -22782,7 +22833,7 @@ index 6bf0ecc..ad955d5 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -846,7 +1046,26 @@ interface(`xserver_read_xdm_pid',`
|
@@ -846,7 +1082,26 @@ interface(`xserver_read_xdm_pid',`
|
||||||
')
|
')
|
||||||
|
|
||||||
files_search_pids($1)
|
files_search_pids($1)
|
||||||
@ -22810,7 +22861,7 @@ index 6bf0ecc..ad955d5 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -869,6 +1088,24 @@ interface(`xserver_read_xdm_lib_files',`
|
@@ -869,6 +1124,24 @@ interface(`xserver_read_xdm_lib_files',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -22835,7 +22886,7 @@ index 6bf0ecc..ad955d5 100644
|
|||||||
## Make an X session script an entrypoint for the specified domain.
|
## Make an X session script an entrypoint for the specified domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -938,7 +1175,26 @@ interface(`xserver_getattr_log',`
|
@@ -938,7 +1211,26 @@ interface(`xserver_getattr_log',`
|
||||||
')
|
')
|
||||||
|
|
||||||
logging_search_logs($1)
|
logging_search_logs($1)
|
||||||
@ -22863,7 +22914,7 @@ index 6bf0ecc..ad955d5 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -957,7 +1213,7 @@ interface(`xserver_dontaudit_write_log',`
|
@@ -957,7 +1249,7 @@ interface(`xserver_dontaudit_write_log',`
|
||||||
type xserver_log_t;
|
type xserver_log_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -22872,7 +22923,7 @@ index 6bf0ecc..ad955d5 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1004,6 +1260,45 @@ interface(`xserver_read_xkb_libs',`
|
@@ -1004,6 +1296,45 @@ interface(`xserver_read_xkb_libs',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -22918,7 +22969,7 @@ index 6bf0ecc..ad955d5 100644
|
|||||||
## Read xdm temporary files.
|
## Read xdm temporary files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -1017,7 +1312,7 @@ interface(`xserver_read_xdm_tmp_files',`
|
@@ -1017,7 +1348,7 @@ interface(`xserver_read_xdm_tmp_files',`
|
||||||
type xdm_tmp_t;
|
type xdm_tmp_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -22927,71 +22978,113 @@ index 6bf0ecc..ad955d5 100644
|
|||||||
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
|
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -1079,6 +1374,42 @@ interface(`xserver_manage_xdm_tmp_files',`
|
@@ -1079,53 +1410,91 @@ interface(`xserver_manage_xdm_tmp_files',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
|
-## Do not audit attempts to get the attributes of
|
||||||
|
-## xdm temporary named sockets.
|
||||||
+## Create, read, write, and delete xdm temporary dirs.
|
+## Create, read, write, and delete xdm temporary dirs.
|
||||||
+## </summary>
|
|
||||||
+## <param name="domain">
|
|
||||||
+## <summary>
|
|
||||||
+## Domain allowed access.
|
|
||||||
+## </summary>
|
|
||||||
+## </param>
|
|
||||||
+#
|
|
||||||
+interface(`xserver_relabel_xdm_tmp_dirs',`
|
|
||||||
+ gen_require(`
|
|
||||||
+ type xdm_tmp_t;
|
|
||||||
+ ')
|
|
||||||
+
|
|
||||||
+ allow $1 xdm_tmp_t:dir relabel_dir_perms;
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
+########################################
|
|
||||||
+## <summary>
|
|
||||||
+## Create, read, write, and delete xdm temporary dirs.
|
|
||||||
+## </summary>
|
|
||||||
+## <param name="domain">
|
|
||||||
+## <summary>
|
|
||||||
+## Domain allowed access.
|
|
||||||
+## </summary>
|
|
||||||
+## </param>
|
|
||||||
+#
|
|
||||||
+interface(`xserver_manage_xdm_tmp_dirs',`
|
|
||||||
+ gen_require(`
|
|
||||||
+ type xdm_tmp_t;
|
|
||||||
+ ')
|
|
||||||
+
|
|
||||||
+ manage_dirs_pattern($1, xdm_tmp_t, xdm_tmp_t)
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
+########################################
|
|
||||||
+## <summary>
|
|
||||||
## Do not audit attempts to get the attributes of
|
|
||||||
## xdm temporary named sockets.
|
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -1093,7 +1424,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
-## Domain to not audit.
|
||||||
|
+## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
-interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
|
||||||
|
+interface(`xserver_relabel_xdm_tmp_dirs',`
|
||||||
|
gen_require(`
|
||||||
type xdm_tmp_t;
|
type xdm_tmp_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
- dontaudit $1 xdm_tmp_t:sock_file getattr;
|
- dontaudit $1 xdm_tmp_t:sock_file getattr;
|
||||||
+ dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
|
+ allow $1 xdm_tmp_t:dir relabel_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1111,8 +1442,10 @@ interface(`xserver_domtrans',`
|
## <summary>
|
||||||
type xserver_t, xserver_exec_t;
|
-## Execute the X server in the X server domain.
|
||||||
|
+## Create, read, write, and delete xdm temporary dirs.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
-## Domain allowed to transition.
|
||||||
|
+## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
-interface(`xserver_domtrans',`
|
||||||
|
+interface(`xserver_manage_xdm_tmp_dirs',`
|
||||||
|
gen_require(`
|
||||||
|
- type xserver_t, xserver_exec_t;
|
||||||
|
+ type xdm_tmp_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
- allow $1 xserver_t:process siginh;
|
- allow $1 xserver_t:process siginh;
|
||||||
+ allow $1 xserver_t:process siginh;
|
- domtrans_pattern($1, xserver_exec_t, xserver_t)
|
||||||
domtrans_pattern($1, xserver_exec_t, xserver_t)
|
+ manage_dirs_pattern($1, xdm_tmp_t, xdm_tmp_t)
|
||||||
+
|
|
||||||
+ allow xserver_t $1:process getpgid;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1226,6 +1559,26 @@ interface(`xserver_stream_connect',`
|
## <summary>
|
||||||
|
-## Signal X servers
|
||||||
|
+## Do not audit attempts to get the attributes of
|
||||||
|
+## xdm temporary named sockets.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
-## Domain allowed access.
|
||||||
|
+## Domain to not audit.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
-interface(`xserver_signal',`
|
||||||
|
+interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type xdm_tmp_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Execute the X server in the X server domain.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed to transition.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`xserver_domtrans',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type xserver_t, xserver_exec_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 xserver_t:process siginh;
|
||||||
|
+ domtrans_pattern($1, xserver_exec_t, xserver_t)
|
||||||
|
+
|
||||||
|
+ allow xserver_t $1:process getpgid;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Signal X servers
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`xserver_signal',`
|
||||||
|
gen_require(`
|
||||||
|
type xserver_t;
|
||||||
|
')
|
||||||
|
@@ -1226,6 +1595,26 @@ interface(`xserver_stream_connect',`
|
||||||
|
|
||||||
files_search_tmp($1)
|
files_search_tmp($1)
|
||||||
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
||||||
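Review bot: The summary on the new `xserver_relabel_xdm_tmp_dirs` interface is copied from the manage interface: it reads `## Create, read, write, and delete xdm temporary dirs.` while the body only grants `allow $1 xdm_tmp_t:dir relabel_dir_perms;`. It should read `## Relabel xdm temporary directories.` so that the generated interface documentation matches what the rule actually grants. The rest of the hunk appears to be a reordering of existing interfaces (xserver_dontaudit_getattr_xdm_tmp_sockets, xserver_domtrans, xserver_signal) with the dontaudit widened to `getattr_sock_file_perms`, which looks intentional.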
@ -23018,7 +23111,7 @@ index 6bf0ecc..ad955d5 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1251,7 +1604,7 @@ interface(`xserver_read_tmp_files',`
|
@@ -1251,7 +1640,7 @@ interface(`xserver_read_tmp_files',`
|
||||||
## <summary>
|
## <summary>
|
||||||
## Interface to provide X object permissions on a given X server to
|
## Interface to provide X object permissions on a given X server to
|
||||||
## an X client domain. Gives the domain permission to read the
|
## an X client domain. Gives the domain permission to read the
|
||||||
@ -23027,7 +23120,7 @@ index 6bf0ecc..ad955d5 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -1261,13 +1614,23 @@ interface(`xserver_read_tmp_files',`
|
@@ -1261,13 +1650,23 @@ interface(`xserver_read_tmp_files',`
|
||||||
#
|
#
|
||||||
interface(`xserver_manage_core_devices',`
|
interface(`xserver_manage_core_devices',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -23052,7 +23145,7 @@ index 6bf0ecc..ad955d5 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1284,10 +1647,604 @@ interface(`xserver_manage_core_devices',`
|
@@ -1284,10 +1683,604 @@ interface(`xserver_manage_core_devices',`
|
||||||
#
|
#
|
||||||
interface(`xserver_unconfined',`
|
interface(`xserver_unconfined',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -23660,7 +23753,7 @@ index 6bf0ecc..ad955d5 100644
|
|||||||
+ files_search_tmp($1)
|
+ files_search_tmp($1)
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
|
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
|
||||||
index 2696452..0881350 100644
|
index 2696452..48c4924 100644
|
||||||
--- a/policy/modules/services/xserver.te
|
--- a/policy/modules/services/xserver.te
|
||||||
+++ b/policy/modules/services/xserver.te
|
+++ b/policy/modules/services/xserver.te
|
||||||
@@ -26,27 +26,50 @@ gen_require(`
|
@@ -26,27 +26,50 @@ gen_require(`
|
||||||
@ -24225,7 +24318,7 @@ index 2696452..0881350 100644
|
|||||||
|
|
||||||
storage_dontaudit_read_fixed_disk(xdm_t)
|
storage_dontaudit_read_fixed_disk(xdm_t)
|
||||||
storage_dontaudit_write_fixed_disk(xdm_t)
|
storage_dontaudit_write_fixed_disk(xdm_t)
|
||||||
@@ -441,28 +620,41 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
|
@@ -441,28 +620,42 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
|
||||||
storage_dontaudit_raw_write_removable_device(xdm_t)
|
storage_dontaudit_raw_write_removable_device(xdm_t)
|
||||||
storage_dontaudit_setattr_removable_dev(xdm_t)
|
storage_dontaudit_setattr_removable_dev(xdm_t)
|
||||||
storage_dontaudit_rw_scsi_generic(xdm_t)
|
storage_dontaudit_rw_scsi_generic(xdm_t)
|
||||||
@ -24254,6 +24347,7 @@ index 2696452..0881350 100644
|
|||||||
+init_status(xdm_t)
|
+init_status(xdm_t)
|
||||||
|
|
||||||
libs_exec_lib_files(xdm_t)
|
libs_exec_lib_files(xdm_t)
|
||||||
|
+libs_exec_ldconfig(xdm_t)
|
||||||
|
|
||||||
logging_read_generic_logs(xdm_t)
|
logging_read_generic_logs(xdm_t)
|
||||||
|
|
||||||
@ -24270,7 +24364,7 @@ index 2696452..0881350 100644
|
|||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
|
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
|
||||||
userdom_create_all_users_keys(xdm_t)
|
userdom_create_all_users_keys(xdm_t)
|
||||||
@@ -471,24 +663,43 @@ userdom_read_user_home_content_files(xdm_t)
|
@@ -471,24 +664,43 @@ userdom_read_user_home_content_files(xdm_t)
|
||||||
# Search /proc for any user domain processes.
|
# Search /proc for any user domain processes.
|
||||||
userdom_read_all_users_state(xdm_t)
|
userdom_read_all_users_state(xdm_t)
|
||||||
userdom_signal_all_users(xdm_t)
|
userdom_signal_all_users(xdm_t)
|
||||||
@ -24320,7 +24414,7 @@ index 2696452..0881350 100644
|
|||||||
tunable_policy(`xdm_sysadm_login',`
|
tunable_policy(`xdm_sysadm_login',`
|
||||||
userdom_xsession_spec_domtrans_all_users(xdm_t)
|
userdom_xsession_spec_domtrans_all_users(xdm_t)
|
||||||
# FIXME:
|
# FIXME:
|
||||||
@@ -502,11 +713,26 @@ tunable_policy(`xdm_sysadm_login',`
|
@@ -502,11 +714,26 @@ tunable_policy(`xdm_sysadm_login',`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -24347,7 +24441,7 @@ index 2696452..0881350 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -514,12 +740,72 @@ optional_policy(`
|
@@ -514,12 +741,72 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -24420,7 +24514,7 @@ index 2696452..0881350 100644
|
|||||||
hostname_exec(xdm_t)
|
hostname_exec(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -537,28 +823,78 @@ optional_policy(`
|
@@ -537,28 +824,78 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -24508,7 +24602,7 @@ index 2696452..0881350 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -570,6 +906,14 @@ optional_policy(`
|
@@ -570,6 +907,14 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -24523,7 +24617,7 @@ index 2696452..0881350 100644
|
|||||||
xfs_stream_connect(xdm_t)
|
xfs_stream_connect(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -594,8 +938,11 @@ allow xserver_t input_xevent_t:x_event send;
|
@@ -594,8 +939,11 @@ allow xserver_t input_xevent_t:x_event send;
|
||||||
# execheap needed until the X module loader is fixed.
|
# execheap needed until the X module loader is fixed.
|
||||||
# NVIDIA Needs execstack
|
# NVIDIA Needs execstack
|
||||||
|
|
||||||
@ -24536,7 +24630,7 @@ index 2696452..0881350 100644
|
|||||||
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||||
allow xserver_t self:fd use;
|
allow xserver_t self:fd use;
|
||||||
allow xserver_t self:fifo_file rw_fifo_file_perms;
|
allow xserver_t self:fifo_file rw_fifo_file_perms;
|
||||||
@@ -608,8 +955,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
|
@@ -608,8 +956,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||||
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||||
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow xserver_t self:udp_socket create_socket_perms;
|
allow xserver_t self:udp_socket create_socket_perms;
|
||||||
@ -24552,7 +24646,7 @@ index 2696452..0881350 100644
|
|||||||
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
@@ -617,6 +971,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
|
@@ -617,6 +972,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
|
||||||
|
|
||||||
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
|
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
|
||||||
|
|
||||||
@ -24563,7 +24657,7 @@ index 2696452..0881350 100644
|
|||||||
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||||
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||||
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||||
@@ -628,12 +986,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
@@ -628,12 +987,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||||
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||||
files_search_var_lib(xserver_t)
|
files_search_var_lib(xserver_t)
|
||||||
|
|
||||||
@ -24585,7 +24679,7 @@ index 2696452..0881350 100644
|
|||||||
|
|
||||||
kernel_read_system_state(xserver_t)
|
kernel_read_system_state(xserver_t)
|
||||||
kernel_read_device_sysctls(xserver_t)
|
kernel_read_device_sysctls(xserver_t)
|
||||||
@@ -641,12 +1006,12 @@ kernel_read_modprobe_sysctls(xserver_t)
|
@@ -641,12 +1007,12 @@ kernel_read_modprobe_sysctls(xserver_t)
|
||||||
# Xorg wants to check if kernel is tainted
|
# Xorg wants to check if kernel is tainted
|
||||||
kernel_read_kernel_sysctls(xserver_t)
|
kernel_read_kernel_sysctls(xserver_t)
|
||||||
kernel_write_proc_files(xserver_t)
|
kernel_write_proc_files(xserver_t)
|
||||||
@ -24599,7 +24693,7 @@ index 2696452..0881350 100644
|
|||||||
corenet_all_recvfrom_netlabel(xserver_t)
|
corenet_all_recvfrom_netlabel(xserver_t)
|
||||||
corenet_tcp_sendrecv_generic_if(xserver_t)
|
corenet_tcp_sendrecv_generic_if(xserver_t)
|
||||||
corenet_udp_sendrecv_generic_if(xserver_t)
|
corenet_udp_sendrecv_generic_if(xserver_t)
|
||||||
@@ -667,23 +1032,27 @@ dev_rw_apm_bios(xserver_t)
|
@@ -667,23 +1033,27 @@ dev_rw_apm_bios(xserver_t)
|
||||||
dev_rw_agp(xserver_t)
|
dev_rw_agp(xserver_t)
|
||||||
dev_rw_framebuffer(xserver_t)
|
dev_rw_framebuffer(xserver_t)
|
||||||
dev_manage_dri_dev(xserver_t)
|
dev_manage_dri_dev(xserver_t)
|
||||||
@ -24630,7 +24724,7 @@ index 2696452..0881350 100644
|
|||||||
|
|
||||||
# brought on by rhgb
|
# brought on by rhgb
|
||||||
files_search_mnt(xserver_t)
|
files_search_mnt(xserver_t)
|
||||||
@@ -694,7 +1063,16 @@ fs_getattr_xattr_fs(xserver_t)
|
@@ -694,7 +1064,16 @@ fs_getattr_xattr_fs(xserver_t)
|
||||||
fs_search_nfs(xserver_t)
|
fs_search_nfs(xserver_t)
|
||||||
fs_search_auto_mountpoints(xserver_t)
|
fs_search_auto_mountpoints(xserver_t)
|
||||||
fs_search_ramfs(xserver_t)
|
fs_search_ramfs(xserver_t)
|
||||||
@ -24648,7 +24742,7 @@ index 2696452..0881350 100644
|
|||||||
mls_xwin_read_to_clearance(xserver_t)
|
mls_xwin_read_to_clearance(xserver_t)
|
||||||
|
|
||||||
selinux_validate_context(xserver_t)
|
selinux_validate_context(xserver_t)
|
||||||
@@ -708,20 +1086,18 @@ init_getpgid(xserver_t)
|
@@ -708,20 +1087,18 @@ init_getpgid(xserver_t)
|
||||||
term_setattr_unallocated_ttys(xserver_t)
|
term_setattr_unallocated_ttys(xserver_t)
|
||||||
term_use_unallocated_ttys(xserver_t)
|
term_use_unallocated_ttys(xserver_t)
|
||||||
|
|
||||||
@ -24672,7 +24766,7 @@ index 2696452..0881350 100644
|
|||||||
|
|
||||||
userdom_search_user_home_dirs(xserver_t)
|
userdom_search_user_home_dirs(xserver_t)
|
||||||
userdom_use_user_ttys(xserver_t)
|
userdom_use_user_ttys(xserver_t)
|
||||||
@@ -729,8 +1105,6 @@ userdom_setattr_user_ttys(xserver_t)
|
@@ -729,8 +1106,6 @@ userdom_setattr_user_ttys(xserver_t)
|
||||||
userdom_read_user_tmp_files(xserver_t)
|
userdom_read_user_tmp_files(xserver_t)
|
||||||
userdom_rw_user_tmpfs_files(xserver_t)
|
userdom_rw_user_tmpfs_files(xserver_t)
|
||||||
|
|
||||||
@ -24681,7 +24775,7 @@ index 2696452..0881350 100644
|
|||||||
ifndef(`distro_redhat',`
|
ifndef(`distro_redhat',`
|
||||||
allow xserver_t self:process { execmem execheap execstack };
|
allow xserver_t self:process { execmem execheap execstack };
|
||||||
domain_mmap_low_uncond(xserver_t)
|
domain_mmap_low_uncond(xserver_t)
|
||||||
@@ -775,16 +1149,44 @@ optional_policy(`
|
@@ -775,16 +1150,44 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -24727,7 +24821,7 @@ index 2696452..0881350 100644
|
|||||||
unconfined_domtrans(xserver_t)
|
unconfined_domtrans(xserver_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -793,6 +1195,10 @@ optional_policy(`
|
@@ -793,6 +1196,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -24738,7 +24832,7 @@ index 2696452..0881350 100644
|
|||||||
xfs_stream_connect(xserver_t)
|
xfs_stream_connect(xserver_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -808,10 +1214,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
|
@@ -808,10 +1215,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
|
||||||
|
|
||||||
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
|
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
|
||||||
# handle of a file inside the dir!!!
|
# handle of a file inside the dir!!!
|
||||||
@ -24752,7 +24846,7 @@ index 2696452..0881350 100644
|
|||||||
|
|
||||||
# Label pid and temporary files with derived types.
|
# Label pid and temporary files with derived types.
|
||||||
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||||
@@ -819,7 +1225,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
@@ -819,7 +1226,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||||
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||||
|
|
||||||
# Run xkbcomp.
|
# Run xkbcomp.
|
||||||
@ -24761,7 +24855,7 @@ index 2696452..0881350 100644
|
|||||||
can_exec(xserver_t, xkb_var_lib_t)
|
can_exec(xserver_t, xkb_var_lib_t)
|
||||||
|
|
||||||
# VNC v4 module in X server
|
# VNC v4 module in X server
|
||||||
@@ -832,26 +1238,21 @@ init_use_fds(xserver_t)
|
@@ -832,26 +1239,21 @@ init_use_fds(xserver_t)
|
||||||
# to read ROLE_home_t - examine this in more detail
|
# to read ROLE_home_t - examine this in more detail
|
||||||
# (xauth?)
|
# (xauth?)
|
||||||
userdom_read_user_home_content_files(xserver_t)
|
userdom_read_user_home_content_files(xserver_t)
|
||||||
@ -24796,7 +24890,7 @@ index 2696452..0881350 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -902,7 +1303,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
|
@@ -902,7 +1304,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
|
||||||
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
|
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
|
||||||
# operations allowed on my windows
|
# operations allowed on my windows
|
||||||
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
||||||
@ -24805,7 +24899,7 @@ index 2696452..0881350 100644
|
|||||||
# operations allowed on all windows
|
# operations allowed on all windows
|
||||||
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
|
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
|
||||||
|
|
||||||
@@ -956,11 +1357,31 @@ allow x_domain self:x_resource { read write };
|
@@ -956,11 +1358,31 @@ allow x_domain self:x_resource { read write };
|
||||||
# can mess with the screensaver
|
# can mess with the screensaver
|
||||||
allow x_domain xserver_t:x_screen { getattr saver_getattr };
|
allow x_domain xserver_t:x_screen { getattr saver_getattr };
|
||||||
|
|
||||||
@ -24837,7 +24931,7 @@ index 2696452..0881350 100644
|
|||||||
tunable_policy(`! xserver_object_manager',`
|
tunable_policy(`! xserver_object_manager',`
|
||||||
# should be xserver_unconfined(x_domain),
|
# should be xserver_unconfined(x_domain),
|
||||||
# but typeattribute doesnt work in conditionals
|
# but typeattribute doesnt work in conditionals
|
||||||
@@ -982,18 +1403,40 @@ tunable_policy(`! xserver_object_manager',`
|
@@ -982,18 +1404,40 @@ tunable_policy(`! xserver_object_manager',`
|
||||||
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
|
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -28076,7 +28170,7 @@ index 24e7804..1894886 100644
|
|||||||
+ allow $1 init_t:system undefined;
|
+ allow $1 init_t:system undefined;
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
||||||
index dd3be8d..61531ce 100644
|
index dd3be8d..84ffb31 100644
|
||||||
--- a/policy/modules/system/init.te
|
--- a/policy/modules/system/init.te
|
||||||
+++ b/policy/modules/system/init.te
|
+++ b/policy/modules/system/init.te
|
||||||
@@ -11,10 +11,24 @@ gen_require(`
|
@@ -11,10 +11,24 @@ gen_require(`
|
||||||
@ -29138,7 +29232,7 @@ index dd3be8d..61531ce 100644
|
|||||||
# Set device ownerships/modes.
|
# Set device ownerships/modes.
|
||||||
xserver_setattr_console_pipes(initrc_t)
|
xserver_setattr_console_pipes(initrc_t)
|
||||||
|
|
||||||
@@ -896,3 +1353,191 @@ optional_policy(`
|
@@ -896,3 +1353,196 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
zebra_read_config(initrc_t)
|
zebra_read_config(initrc_t)
|
||||||
')
|
')
|
||||||
@ -29321,6 +29415,11 @@ index dd3be8d..61531ce 100644
|
|||||||
+allow initrc_domain systemprocess:process transition;
|
+allow initrc_domain systemprocess:process transition;
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
|
+ systemd_getattr_unit_dirs(daemon)
|
||||||
|
+ systemd_getattr_unit_dirs(systemprocess)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
+ rgmanager_search_lib(initrc_domain)
|
+ rgmanager_search_lib(initrc_domain)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
@ -35720,10 +35819,10 @@ index 0000000..4e12420
|
|||||||
+/var/run/initramfs(/.*)? <<none>>
|
+/var/run/initramfs(/.*)? <<none>>
|
||||||
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
|
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..16c7767
|
index 0000000..5894afb
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/system/systemd.if
|
+++ b/policy/modules/system/systemd.if
|
||||||
@@ -0,0 +1,1122 @@
|
@@ -0,0 +1,1159 @@
|
||||||
+## <summary>SELinux policy for systemd components</summary>
|
+## <summary>SELinux policy for systemd components</summary>
|
||||||
+
|
+
|
||||||
+######################################
|
+######################################
|
||||||
@ -35893,7 +35992,25 @@ index 0000000..16c7767
|
|||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ files_search_var_lib($1)
|
+ files_search_var_lib($1)
|
||||||
+ allow $1 systemd_unit_file_type:file getattr_file_perms;
|
+ getattr_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+#####################################
|
||||||
|
+## <summary>
|
||||||
|
+## Allow domain to getattr all systemd unit directories.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`systemd_getattr_unit_dirs',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ attribute systemd_unit_file_type;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 systemd_unit_file_type:dir getattr;
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+######################################
|
+######################################
|
||||||
@ -36846,12 +36963,31 @@ index 0000000..16c7767
|
|||||||
+ allow systemd_localed_t $1:dbus send_msg;
|
+ allow systemd_localed_t $1:dbus send_msg;
|
||||||
+ ps_process_pattern(systemd_localed_t, $1)
|
+ ps_process_pattern(systemd_localed_t, $1)
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Dontaudit attempts to send dbus domains chat messages
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain to not audit.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`systemd_dontaudit_dbus_chat',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ attribute systemd_domain;
|
||||||
|
+ class dbus send_msg;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ dontaudit $1 systemd_domain:dbus send_msg;
|
||||||
|
+')
|
||||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..4d56107
|
index 0000000..b3ea12d
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/system/systemd.te
|
+++ b/policy/modules/system/systemd.te
|
||||||
@@ -0,0 +1,641 @@
|
@@ -0,0 +1,642 @@
|
||||||
+policy_module(systemd, 1.0.0)
|
+policy_module(systemd, 1.0.0)
|
||||||
+
|
+
|
||||||
+#######################################
|
+#######################################
|
||||||
@ -37342,7 +37478,8 @@ index 0000000..4d56107
|
|||||||
+#
|
+#
|
||||||
+# Hostnamed policy
|
+# Hostnamed policy
|
||||||
+#
|
+#
|
||||||
+dontaudit systemd_hostnamed_t self:capability { sys_admin sys_ptrace };
|
+allow systemd_hostnamed_t self:capability sys_admin;
|
||||||
|
+dontaudit systemd_hostnamed_t self:capability sys_ptrace;
|
||||||
+
|
+
|
||||||
+allow systemd_hostnamed_t self:fifo_file rw_fifo_file_perms;
|
+allow systemd_hostnamed_t self:fifo_file rw_fifo_file_perms;
|
||||||
+allow systemd_hostnamed_t self:unix_stream_socket create_stream_socket_perms;
|
+allow systemd_hostnamed_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
@ -37791,7 +37928,7 @@ index 0f64692..d7e8a01 100644
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
|
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
|
||||||
index a5ec88b..32e7d9e 100644
|
index a5ec88b..1749342 100644
|
||||||
--- a/policy/modules/system/udev.te
|
--- a/policy/modules/system/udev.te
|
||||||
+++ b/policy/modules/system/udev.te
|
+++ b/policy/modules/system/udev.te
|
||||||
@@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t)
|
@@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t)
|
||||||
@ -37942,16 +38079,17 @@ index a5ec88b..32e7d9e 100644
|
|||||||
|
|
||||||
seutil_read_config(udev_t)
|
seutil_read_config(udev_t)
|
||||||
seutil_read_default_contexts(udev_t)
|
seutil_read_default_contexts(udev_t)
|
||||||
@@ -170,6 +188,8 @@ sysnet_signal_dhcpc(udev_t)
|
@@ -170,6 +188,9 @@ sysnet_signal_dhcpc(udev_t)
|
||||||
sysnet_manage_config(udev_t)
|
sysnet_manage_config(udev_t)
|
||||||
sysnet_etc_filetrans_config(udev_t)
|
sysnet_etc_filetrans_config(udev_t)
|
||||||
|
|
||||||
+systemd_login_read_pid_files(udev_t)
|
+systemd_login_read_pid_files(udev_t)
|
||||||
|
+systemd_getattr_unit_files(udev_t)
|
||||||
+
|
+
|
||||||
userdom_dontaudit_search_user_home_content(udev_t)
|
userdom_dontaudit_search_user_home_content(udev_t)
|
||||||
|
|
||||||
ifdef(`distro_gentoo',`
|
ifdef(`distro_gentoo',`
|
||||||
@@ -179,16 +199,9 @@ ifdef(`distro_gentoo',`
|
@@ -179,16 +200,9 @@ ifdef(`distro_gentoo',`
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
@ -37970,7 +38108,7 @@ index a5ec88b..32e7d9e 100644
|
|||||||
|
|
||||||
# for arping used for static IP addresses on PCMCIA ethernet
|
# for arping used for static IP addresses on PCMCIA ethernet
|
||||||
netutils_domtrans(udev_t)
|
netutils_domtrans(udev_t)
|
||||||
@@ -226,19 +239,34 @@ optional_policy(`
|
@@ -226,19 +240,34 @@ optional_policy(`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
cups_domtrans_config(udev_t)
|
cups_domtrans_config(udev_t)
|
||||||
@ -38005,7 +38143,7 @@ index a5ec88b..32e7d9e 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -264,6 +292,10 @@ optional_policy(`
|
@@ -264,6 +293,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -38016,7 +38154,7 @@ index a5ec88b..32e7d9e 100644
|
|||||||
openct_read_pid_files(udev_t)
|
openct_read_pid_files(udev_t)
|
||||||
openct_domtrans(udev_t)
|
openct_domtrans(udev_t)
|
||||||
')
|
')
|
||||||
@@ -278,6 +310,15 @@ optional_policy(`
|
@@ -278,6 +311,15 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -38032,7 +38170,7 @@ index a5ec88b..32e7d9e 100644
|
|||||||
unconfined_signal(udev_t)
|
unconfined_signal(udev_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -290,6 +331,7 @@ optional_policy(`
|
@@ -290,6 +332,7 @@ optional_policy(`
|
||||||
kernel_read_xen_state(udev_t)
|
kernel_read_xen_state(udev_t)
|
||||||
xen_manage_log(udev_t)
|
xen_manage_log(udev_t)
|
||||||
xen_read_image_files(udev_t)
|
xen_read_image_files(udev_t)
|
||||||
|
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.12.1
|
Version: 3.12.1
|
||||||
Release: 28%{?dist}
|
Release: 29%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -526,6 +526,41 @@ SELinux Reference policy mls base module.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Apr 11 2013 Miroslav Grepl <mgrpel@redhat.com> 3.12.1-29
|
||||||
|
- Add mising nslcd_dontaudit_write_sock_file() interface
|
||||||
|
- one more fix
|
||||||
|
- Fix pki_read_tomcat_lib_files() interface
|
||||||
|
- Allow certmonger to read pki-tomcat lib files
|
||||||
|
- Allow certwatch to execute bin_t
|
||||||
|
- Allow snmp to manage /var/lib/net-snmp files
|
||||||
|
- Don't audit attempts to write to stream socket of nscld by thumbnailers
|
||||||
|
- Allow git_system_t to read network state
|
||||||
|
- Allow pegasas to execute mount command
|
||||||
|
- Fix desc for drdb_admin
|
||||||
|
- Fix condor_amin()
|
||||||
|
- Interface fixes for uptime, vdagent, vnstatd
|
||||||
|
- Fix labeling for moodle in /var/www/moodle/data
|
||||||
|
- Add interface fixes
|
||||||
|
- Allow bugzilla to read certs
|
||||||
|
- /var/www/moodle needs to be writable by apache
|
||||||
|
- Add interface to dontaudit attempts to send dbus messages to systemd domains, for xguest
|
||||||
|
- Fix namespace_init_t to create content with proper labels, and allow it to manage all user content
|
||||||
|
- Allow httpd_t to connect to osapi_compute port using httpd_use_openstack bolean
|
||||||
|
- Fixes for dlm_controld
|
||||||
|
- Fix apache_read_sys_content_rw_dirs() interface
|
||||||
|
- Allow logrotate to read /var/log/z-push dir
|
||||||
|
- Fix sys_nice for cups_domain
|
||||||
|
- Allow postfix_postdrop to acces postfix_public socket
|
||||||
|
- Allow sched_setscheduler for cupsd_t
|
||||||
|
- Add missing context for /usr/sbin/snmpd
|
||||||
|
- Kernel_t needs mac_admin in order to support labeled NFS
|
||||||
|
- Fix systemd_dontaudit_dbus_chat() interface
|
||||||
|
- Add interface to dontaudit attempts to send dbus messages to systemd domains, for xguest
|
||||||
|
- Allow consolehelper domain to write Xauth files in /root
|
||||||
|
- Add port definition for osapi_compute port
|
||||||
|
- Allow unconfined to create /etc/hostname with correct labeling
|
||||||
|
- Add systemd_filetrans_named_hostname() interface
|
||||||
|
|
||||||
* Mon Apr 8 2013 Dan Walsh <dwalsh@redhat.com> 3.12.1-28
|
* Mon Apr 8 2013 Dan Walsh <dwalsh@redhat.com> 3.12.1-28
|
||||||
- Allow httpd_t to connect to osapi_compute port using httpd_use_openstack bolean
|
- Allow httpd_t to connect to osapi_compute port using httpd_use_openstack bolean
|
||||||
- Fixes for dlm_controld
|
- Fixes for dlm_controld
|
||||||
|