- Add mising nslcd_dontaudit_write_sock_file() interface

- one more fix
- Fix pki_read_tomcat_lib_files() interface
- Allow certmonger to read pki-tomcat lib files
- Allow certwatch to execute bin_t
- Allow snmp to manage /var/lib/net-snmp files
- Don't audit attempts to write to stream socket of nscld by thumbnailers
- Allow git_system_t to read network state
- Allow pegasas to execute mount command
- Fix desc for drdb_admin
- Fix condor_amin()
- Interface fixes for uptime, vdagent, vnstatd
- Fix labeling for moodle in /var/www/moodle/data
- Add interface fixes
- Allow bugzilla to read certs
- /var/www/moodle needs to be writable by apache
- Add interface to dontaudit attempts to send dbus messages to systemd domains, for xguest
- Fix namespace_init_t to create content with proper labels, and allow it to manage all user conten
- Allow httpd_t to connect to osapi_compute port using httpd_use_openstack bolean
- Fixes for dlm_controld
- Fix apache_read_sys_content_rw_dirs() interface
- Allow logrotate to read /var/log/z-push dir
- Fix sys_nice for cups_domain
- Allow postfix_postdrop to acces postfix_public socket
- Allow sched_setscheduler for cupsd_t
- Add missing context for /usr/sbin/snmpd
- Kernel_t needs mac_admin in order to support labeled NFS
- Fix systemd_dontaudit_dbus_chat() interface
- Add interface to dontaudit attempts to send dbus messages to systemd domains, for xguest
- Allow consolehelper domain to write Xauth files in /root
- Add port definition for osapi_compute por
This commit is contained in:
Miroslav Grepl 2013-04-11 22:49:52 +02:00
parent d8b4fa387f
commit fa447f104a
3 changed files with 717 additions and 383 deletions

View File

@ -15970,7 +15970,7 @@ index 649e458..cc924ae 100644
+ list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t) + list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
') ')
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 6fac350..e7add10 100644 index 6fac350..06704f6 100644
--- a/policy/modules/kernel/kernel.te --- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined; @@ -25,6 +25,9 @@ attribute kern_unconfined;
@ -16021,7 +16021,15 @@ index 6fac350..e7add10 100644
# /proc/sys/dev directory and files # /proc/sys/dev directory and files
type sysctl_dev_t, sysctl_type; type sysctl_dev_t, sysctl_type;
genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
@@ -233,7 +246,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; @@ -189,6 +202,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
# kernel local policy
#
+allow kernel_t self:capability2 mac_admin;
allow kernel_t self:capability ~sys_module;
allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow kernel_t self:shm create_shm_perms;
@@ -233,7 +247,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
corenet_in_generic_if(unlabeled_t) corenet_in_generic_if(unlabeled_t)
corenet_in_generic_node(unlabeled_t) corenet_in_generic_node(unlabeled_t)
@ -16029,7 +16037,7 @@ index 6fac350..e7add10 100644
corenet_all_recvfrom_netlabel(kernel_t) corenet_all_recvfrom_netlabel(kernel_t)
# Kernel-generated traffic e.g., ICMP replies: # Kernel-generated traffic e.g., ICMP replies:
corenet_raw_sendrecv_all_if(kernel_t) corenet_raw_sendrecv_all_if(kernel_t)
@@ -244,17 +256,21 @@ corenet_tcp_sendrecv_all_if(kernel_t) @@ -244,17 +257,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
corenet_tcp_sendrecv_all_nodes(kernel_t) corenet_tcp_sendrecv_all_nodes(kernel_t)
corenet_raw_send_generic_node(kernel_t) corenet_raw_send_generic_node(kernel_t)
corenet_send_all_packets(kernel_t) corenet_send_all_packets(kernel_t)
@ -16055,7 +16063,7 @@ index 6fac350..e7add10 100644
# Mount root file system. Used when loading a policy # Mount root file system. Used when loading a policy
# from initrd, then mounting the root filesystem # from initrd, then mounting the root filesystem
@@ -263,7 +279,8 @@ fs_unmount_all_fs(kernel_t) @@ -263,7 +280,8 @@ fs_unmount_all_fs(kernel_t)
selinux_load_policy(kernel_t) selinux_load_policy(kernel_t)
@ -16065,7 +16073,7 @@ index 6fac350..e7add10 100644
corecmd_exec_shell(kernel_t) corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t) corecmd_list_bin(kernel_t)
@@ -277,25 +294,49 @@ files_list_root(kernel_t) @@ -277,25 +295,49 @@ files_list_root(kernel_t)
files_list_etc(kernel_t) files_list_etc(kernel_t)
files_list_home(kernel_t) files_list_home(kernel_t)
files_read_usr_files(kernel_t) files_read_usr_files(kernel_t)
@ -16115,7 +16123,7 @@ index 6fac350..e7add10 100644
') ')
optional_policy(` optional_policy(`
@@ -305,6 +346,19 @@ optional_policy(` @@ -305,6 +347,19 @@ optional_policy(`
optional_policy(` optional_policy(`
logging_send_syslog_msg(kernel_t) logging_send_syslog_msg(kernel_t)
@ -16135,7 +16143,7 @@ index 6fac350..e7add10 100644
') ')
optional_policy(` optional_policy(`
@@ -334,7 +388,6 @@ optional_policy(` @@ -334,7 +389,6 @@ optional_policy(`
rpc_manage_nfs_ro_content(kernel_t) rpc_manage_nfs_ro_content(kernel_t)
rpc_manage_nfs_rw_content(kernel_t) rpc_manage_nfs_rw_content(kernel_t)
@ -16143,7 +16151,7 @@ index 6fac350..e7add10 100644
rpc_udp_rw_nfs_sockets(kernel_t) rpc_udp_rw_nfs_sockets(kernel_t)
tunable_policy(`nfs_export_all_ro',` tunable_policy(`nfs_export_all_ro',`
@@ -343,9 +396,7 @@ optional_policy(` @@ -343,9 +397,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t)
@ -16154,7 +16162,7 @@ index 6fac350..e7add10 100644
') ')
tunable_policy(`nfs_export_all_rw',` tunable_policy(`nfs_export_all_rw',`
@@ -354,7 +405,7 @@ optional_policy(` @@ -354,7 +406,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t)
@ -16163,7 +16171,7 @@ index 6fac350..e7add10 100644
') ')
') ')
@@ -367,6 +418,15 @@ optional_policy(` @@ -367,6 +419,15 @@ optional_policy(`
unconfined_domain_noaudit(kernel_t) unconfined_domain_noaudit(kernel_t)
') ')
@ -16179,7 +16187,7 @@ index 6fac350..e7add10 100644
######################################## ########################################
# #
# Unlabeled process local policy # Unlabeled process local policy
@@ -409,4 +469,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *; @@ -409,4 +470,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
allow kern_unconfined unlabeled_t:filesystem *; allow kern_unconfined unlabeled_t:filesystem *;
allow kern_unconfined unlabeled_t:association *; allow kern_unconfined unlabeled_t:association *;
allow kern_unconfined unlabeled_t:packet *; allow kern_unconfined unlabeled_t:packet *;
@ -22226,7 +22234,7 @@ index d1f64a0..3be3d00 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+ +
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 6bf0ecc..ad955d5 100644 index 6bf0ecc..0ef3955 100644
--- a/policy/modules/services/xserver.if --- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@ @@ -19,9 +19,10 @@
@ -22571,15 +22579,58 @@ index 6bf0ecc..ad955d5 100644
######################################## ########################################
## <summary> ## <summary>
## Create a Xauthority file in the user home directory. ## Create a Xauthority file in the user home directory.
@@ -598,6 +682,7 @@ interface(`xserver_read_user_xauth',` @@ -567,6 +651,24 @@ interface(`xserver_user_home_dir_filetrans_user_xauth',`
########################################
## <summary>
+## Create a Xauthority file in the admin home directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_admin_home_dir_filetrans_xauth',`
+ gen_require(`
+ type xauth_home_t;
+ ')
+
+ userdom_admin_home_dir_filetrans($1, xauth_home_t, file)
+')
+
+########################################
+## <summary>
## Read all users fonts, user font configurations,
## and manage all users font caches.
## </summary>
@@ -598,6 +700,25 @@ interface(`xserver_read_user_xauth',`
allow $1 xauth_home_t:file read_file_perms; allow $1 xauth_home_t:file read_file_perms;
userdom_search_user_home_dirs($1) userdom_search_user_home_dirs($1)
+ xserver_read_xdm_pid($1) + xserver_read_xdm_pid($1)
+')
+
+########################################
+## <summary>
+## Manage all users .Xauthority.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_manage_user_xauth',`
+ gen_require(`
+ type xauth_home_t;
+ ')
+
+ allow $1 xauth_home_t:file manage_file_perms;
') ')
######################################## ########################################
@@ -615,7 +700,7 @@ interface(`xserver_setattr_console_pipes',` @@ -615,7 +736,7 @@ interface(`xserver_setattr_console_pipes',`
type xconsole_device_t; type xconsole_device_t;
') ')
@ -22588,7 +22639,7 @@ index 6bf0ecc..ad955d5 100644
') ')
######################################## ########################################
@@ -638,6 +723,25 @@ interface(`xserver_rw_console',` @@ -638,6 +759,25 @@ interface(`xserver_rw_console',`
######################################## ########################################
## <summary> ## <summary>
@ -22614,7 +22665,7 @@ index 6bf0ecc..ad955d5 100644
## Use file descriptors for xdm. ## Use file descriptors for xdm.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -651,7 +755,7 @@ interface(`xserver_use_xdm_fds',` @@ -651,7 +791,7 @@ interface(`xserver_use_xdm_fds',`
type xdm_t; type xdm_t;
') ')
@ -22623,7 +22674,7 @@ index 6bf0ecc..ad955d5 100644
') ')
######################################## ########################################
@@ -670,7 +774,7 @@ interface(`xserver_dontaudit_use_xdm_fds',` @@ -670,7 +810,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
type xdm_t; type xdm_t;
') ')
@ -22632,7 +22683,7 @@ index 6bf0ecc..ad955d5 100644
') ')
######################################## ########################################
@@ -688,7 +792,7 @@ interface(`xserver_rw_xdm_pipes',` @@ -688,7 +828,7 @@ interface(`xserver_rw_xdm_pipes',`
type xdm_t; type xdm_t;
') ')
@ -22641,7 +22692,7 @@ index 6bf0ecc..ad955d5 100644
') ')
######################################## ########################################
@@ -703,12 +807,11 @@ interface(`xserver_rw_xdm_pipes',` @@ -703,12 +843,11 @@ interface(`xserver_rw_xdm_pipes',`
## </param> ## </param>
# #
interface(`xserver_dontaudit_rw_xdm_pipes',` interface(`xserver_dontaudit_rw_xdm_pipes',`
@ -22655,7 +22706,7 @@ index 6bf0ecc..ad955d5 100644
') ')
######################################## ########################################
@@ -765,11 +868,71 @@ interface(`xserver_manage_xdm_spool_files',` @@ -765,11 +904,71 @@ interface(`xserver_manage_xdm_spool_files',`
# #
interface(`xserver_stream_connect_xdm',` interface(`xserver_stream_connect_xdm',`
gen_require(` gen_require(`
@ -22729,7 +22780,7 @@ index 6bf0ecc..ad955d5 100644
') ')
######################################## ########################################
@@ -793,6 +956,25 @@ interface(`xserver_read_xdm_rw_config',` @@ -793,6 +992,25 @@ interface(`xserver_read_xdm_rw_config',`
######################################## ########################################
## <summary> ## <summary>
@ -22755,7 +22806,7 @@ index 6bf0ecc..ad955d5 100644
## Set the attributes of XDM temporary directories. ## Set the attributes of XDM temporary directories.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -806,7 +988,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',` @@ -806,7 +1024,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
type xdm_tmp_t; type xdm_tmp_t;
') ')
@ -22782,7 +22833,7 @@ index 6bf0ecc..ad955d5 100644
') ')
######################################## ########################################
@@ -846,7 +1046,26 @@ interface(`xserver_read_xdm_pid',` @@ -846,7 +1082,26 @@ interface(`xserver_read_xdm_pid',`
') ')
files_search_pids($1) files_search_pids($1)
@ -22810,7 +22861,7 @@ index 6bf0ecc..ad955d5 100644
') ')
######################################## ########################################
@@ -869,6 +1088,24 @@ interface(`xserver_read_xdm_lib_files',` @@ -869,6 +1124,24 @@ interface(`xserver_read_xdm_lib_files',`
######################################## ########################################
## <summary> ## <summary>
@ -22835,7 +22886,7 @@ index 6bf0ecc..ad955d5 100644
## Make an X session script an entrypoint for the specified domain. ## Make an X session script an entrypoint for the specified domain.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -938,7 +1175,26 @@ interface(`xserver_getattr_log',` @@ -938,7 +1211,26 @@ interface(`xserver_getattr_log',`
') ')
logging_search_logs($1) logging_search_logs($1)
@ -22863,7 +22914,7 @@ index 6bf0ecc..ad955d5 100644
') ')
######################################## ########################################
@@ -957,7 +1213,7 @@ interface(`xserver_dontaudit_write_log',` @@ -957,7 +1249,7 @@ interface(`xserver_dontaudit_write_log',`
type xserver_log_t; type xserver_log_t;
') ')
@ -22872,7 +22923,7 @@ index 6bf0ecc..ad955d5 100644
') ')
######################################## ########################################
@@ -1004,6 +1260,45 @@ interface(`xserver_read_xkb_libs',` @@ -1004,6 +1296,45 @@ interface(`xserver_read_xkb_libs',`
######################################## ########################################
## <summary> ## <summary>
@ -22918,7 +22969,7 @@ index 6bf0ecc..ad955d5 100644
## Read xdm temporary files. ## Read xdm temporary files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -1017,7 +1312,7 @@ interface(`xserver_read_xdm_tmp_files',` @@ -1017,7 +1348,7 @@ interface(`xserver_read_xdm_tmp_files',`
type xdm_tmp_t; type xdm_tmp_t;
') ')
@ -22927,71 +22978,113 @@ index 6bf0ecc..ad955d5 100644
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
') ')
@@ -1079,6 +1374,42 @@ interface(`xserver_manage_xdm_tmp_files',` @@ -1079,53 +1410,91 @@ interface(`xserver_manage_xdm_tmp_files',`
######################################## ########################################
## <summary> ## <summary>
-## Do not audit attempts to get the attributes of
-## xdm temporary named sockets.
+## Create, read, write, and delete xdm temporary dirs. +## Create, read, write, and delete xdm temporary dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_relabel_xdm_tmp_dirs',`
+ gen_require(`
+ type xdm_tmp_t;
+ ')
+
+ allow $1 xdm_tmp_t:dir relabel_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete xdm temporary dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_manage_xdm_tmp_dirs',`
+ gen_require(`
+ type xdm_tmp_t;
+ ')
+
+ manage_dirs_pattern($1, xdm_tmp_t, xdm_tmp_t)
+')
+
+########################################
+## <summary>
## Do not audit attempts to get the attributes of
## xdm temporary named sockets.
## </summary> ## </summary>
@@ -1093,7 +1424,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` ## <param name="domain">
## <summary>
-## Domain to not audit.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+interface(`xserver_relabel_xdm_tmp_dirs',`
gen_require(`
type xdm_tmp_t; type xdm_tmp_t;
') ')
- dontaudit $1 xdm_tmp_t:sock_file getattr; - dontaudit $1 xdm_tmp_t:sock_file getattr;
+ dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms; + allow $1 xdm_tmp_t:dir relabel_dir_perms;
') ')
######################################## ########################################
@@ -1111,8 +1442,10 @@ interface(`xserver_domtrans',` ## <summary>
type xserver_t, xserver_exec_t; -## Execute the X server in the X server domain.
+## Create, read, write, and delete xdm temporary dirs.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed to transition.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`xserver_domtrans',`
+interface(`xserver_manage_xdm_tmp_dirs',`
gen_require(`
- type xserver_t, xserver_exec_t;
+ type xdm_tmp_t;
') ')
- allow $1 xserver_t:process siginh; - allow $1 xserver_t:process siginh;
+ allow $1 xserver_t:process siginh; - domtrans_pattern($1, xserver_exec_t, xserver_t)
domtrans_pattern($1, xserver_exec_t, xserver_t) + manage_dirs_pattern($1, xdm_tmp_t, xdm_tmp_t)
+
+ allow xserver_t $1:process getpgid;
') ')
######################################## ########################################
@@ -1226,6 +1559,26 @@ interface(`xserver_stream_connect',` ## <summary>
-## Signal X servers
+## Do not audit attempts to get the attributes of
+## xdm temporary named sockets.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`xserver_signal',`
+interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+ gen_require(`
+ type xdm_tmp_t;
+ ')
+
+ dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Execute the X server in the X server domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`xserver_domtrans',`
+ gen_require(`
+ type xserver_t, xserver_exec_t;
+ ')
+
+ allow $1 xserver_t:process siginh;
+ domtrans_pattern($1, xserver_exec_t, xserver_t)
+
+ allow xserver_t $1:process getpgid;
+')
+
+########################################
+## <summary>
+## Signal X servers
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_signal',`
gen_require(`
type xserver_t;
')
@@ -1226,6 +1595,26 @@ interface(`xserver_stream_connect',`
files_search_tmp($1) files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@ -23018,7 +23111,7 @@ index 6bf0ecc..ad955d5 100644
') ')
######################################## ########################################
@@ -1251,7 +1604,7 @@ interface(`xserver_read_tmp_files',` @@ -1251,7 +1640,7 @@ interface(`xserver_read_tmp_files',`
## <summary> ## <summary>
## Interface to provide X object permissions on a given X server to ## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the ## an X client domain. Gives the domain permission to read the
@ -23027,7 +23120,7 @@ index 6bf0ecc..ad955d5 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -1261,13 +1614,23 @@ interface(`xserver_read_tmp_files',` @@ -1261,13 +1650,23 @@ interface(`xserver_read_tmp_files',`
# #
interface(`xserver_manage_core_devices',` interface(`xserver_manage_core_devices',`
gen_require(` gen_require(`
@ -23052,7 +23145,7 @@ index 6bf0ecc..ad955d5 100644
') ')
######################################## ########################################
@@ -1284,10 +1647,604 @@ interface(`xserver_manage_core_devices',` @@ -1284,10 +1683,604 @@ interface(`xserver_manage_core_devices',`
# #
interface(`xserver_unconfined',` interface(`xserver_unconfined',`
gen_require(` gen_require(`
@ -23660,7 +23753,7 @@ index 6bf0ecc..ad955d5 100644
+ files_search_tmp($1) + files_search_tmp($1)
+') +')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 2696452..0881350 100644 index 2696452..48c4924 100644
--- a/policy/modules/services/xserver.te --- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(` @@ -26,27 +26,50 @@ gen_require(`
@ -24225,7 +24318,7 @@ index 2696452..0881350 100644
storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t)
@@ -441,28 +620,41 @@ storage_dontaudit_raw_read_removable_device(xdm_t) @@ -441,28 +620,42 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t)
@ -24254,6 +24347,7 @@ index 2696452..0881350 100644
+init_status(xdm_t) +init_status(xdm_t)
libs_exec_lib_files(xdm_t) libs_exec_lib_files(xdm_t)
+libs_exec_ldconfig(xdm_t)
logging_read_generic_logs(xdm_t) logging_read_generic_logs(xdm_t)
@ -24270,7 +24364,7 @@ index 2696452..0881350 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t) userdom_create_all_users_keys(xdm_t)
@@ -471,24 +663,43 @@ userdom_read_user_home_content_files(xdm_t) @@ -471,24 +664,43 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes. # Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t) userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t) userdom_signal_all_users(xdm_t)
@ -24320,7 +24414,7 @@ index 2696452..0881350 100644
tunable_policy(`xdm_sysadm_login',` tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t) userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME: # FIXME:
@@ -502,11 +713,26 @@ tunable_policy(`xdm_sysadm_login',` @@ -502,11 +714,26 @@ tunable_policy(`xdm_sysadm_login',`
') ')
optional_policy(` optional_policy(`
@ -24347,7 +24441,7 @@ index 2696452..0881350 100644
') ')
optional_policy(` optional_policy(`
@@ -514,12 +740,72 @@ optional_policy(` @@ -514,12 +741,72 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -24420,7 +24514,7 @@ index 2696452..0881350 100644
hostname_exec(xdm_t) hostname_exec(xdm_t)
') ')
@@ -537,28 +823,78 @@ optional_policy(` @@ -537,28 +824,78 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -24508,7 +24602,7 @@ index 2696452..0881350 100644
') ')
optional_policy(` optional_policy(`
@@ -570,6 +906,14 @@ optional_policy(` @@ -570,6 +907,14 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -24523,7 +24617,7 @@ index 2696452..0881350 100644
xfs_stream_connect(xdm_t) xfs_stream_connect(xdm_t)
') ')
@@ -594,8 +938,11 @@ allow xserver_t input_xevent_t:x_event send; @@ -594,8 +939,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed. # execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack # NVIDIA Needs execstack
@ -24536,7 +24630,7 @@ index 2696452..0881350 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use; allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:fifo_file rw_fifo_file_perms;
@@ -608,8 +955,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; @@ -608,8 +956,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms; allow xserver_t self:udp_socket create_socket_perms;
@ -24552,7 +24646,7 @@ index 2696452..0881350 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
@@ -617,6 +971,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) @@ -617,6 +972,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@ -24563,7 +24657,7 @@ index 2696452..0881350 100644
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
@@ -628,12 +986,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) @@ -628,12 +987,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t) files_search_var_lib(xserver_t)
@ -24585,7 +24679,7 @@ index 2696452..0881350 100644
kernel_read_system_state(xserver_t) kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t) kernel_read_device_sysctls(xserver_t)
@@ -641,12 +1006,12 @@ kernel_read_modprobe_sysctls(xserver_t) @@ -641,12 +1007,12 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted # Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t) kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t) kernel_write_proc_files(xserver_t)
@ -24599,7 +24693,7 @@ index 2696452..0881350 100644
corenet_all_recvfrom_netlabel(xserver_t) corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t)
@@ -667,23 +1032,27 @@ dev_rw_apm_bios(xserver_t) @@ -667,23 +1033,27 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t) dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t) dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t) dev_manage_dri_dev(xserver_t)
@ -24630,7 +24724,7 @@ index 2696452..0881350 100644
# brought on by rhgb # brought on by rhgb
files_search_mnt(xserver_t) files_search_mnt(xserver_t)
@@ -694,7 +1063,16 @@ fs_getattr_xattr_fs(xserver_t) @@ -694,7 +1064,16 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t) fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t) fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t) fs_search_ramfs(xserver_t)
@ -24648,7 +24742,7 @@ index 2696452..0881350 100644
mls_xwin_read_to_clearance(xserver_t) mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t) selinux_validate_context(xserver_t)
@@ -708,20 +1086,18 @@ init_getpgid(xserver_t) @@ -708,20 +1087,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t) term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t)
@ -24672,7 +24766,7 @@ index 2696452..0881350 100644
userdom_search_user_home_dirs(xserver_t) userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t) userdom_use_user_ttys(xserver_t)
@@ -729,8 +1105,6 @@ userdom_setattr_user_ttys(xserver_t) @@ -729,8 +1106,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t) userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t)
@ -24681,7 +24775,7 @@ index 2696452..0881350 100644
ifndef(`distro_redhat',` ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack }; allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t) domain_mmap_low_uncond(xserver_t)
@@ -775,16 +1149,44 @@ optional_policy(` @@ -775,16 +1150,44 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -24727,7 +24821,7 @@ index 2696452..0881350 100644
unconfined_domtrans(xserver_t) unconfined_domtrans(xserver_t)
') ')
@@ -793,6 +1195,10 @@ optional_policy(` @@ -793,6 +1196,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -24738,7 +24832,7 @@ index 2696452..0881350 100644
xfs_stream_connect(xserver_t) xfs_stream_connect(xserver_t)
') ')
@@ -808,10 +1214,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; @@ -808,10 +1215,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!! # handle of a file inside the dir!!!
@ -24752,7 +24846,7 @@ index 2696452..0881350 100644
# Label pid and temporary files with derived types. # Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
@@ -819,7 +1225,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) @@ -819,7 +1226,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp. # Run xkbcomp.
@ -24761,7 +24855,7 @@ index 2696452..0881350 100644
can_exec(xserver_t, xkb_var_lib_t) can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server # VNC v4 module in X server
@@ -832,26 +1238,21 @@ init_use_fds(xserver_t) @@ -832,26 +1239,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail # to read ROLE_home_t - examine this in more detail
# (xauth?) # (xauth?)
userdom_read_user_home_content_files(xserver_t) userdom_read_user_home_content_files(xserver_t)
@ -24796,7 +24890,7 @@ index 2696452..0881350 100644
') ')
optional_policy(` optional_policy(`
@@ -902,7 +1303,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy @@ -902,7 +1304,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows # operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -24805,7 +24899,7 @@ index 2696452..0881350 100644
# operations allowed on all windows # operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
@@ -956,11 +1357,31 @@ allow x_domain self:x_resource { read write }; @@ -956,11 +1358,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver # can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr }; allow x_domain xserver_t:x_screen { getattr saver_getattr };
@ -24837,7 +24931,7 @@ index 2696452..0881350 100644
tunable_policy(`! xserver_object_manager',` tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain), # should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals # but typeattribute doesnt work in conditionals
@@ -982,18 +1403,40 @@ tunable_policy(`! xserver_object_manager',` @@ -982,18 +1404,40 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *; allow x_domain xevent_type:{ x_event x_synthetic_event } *;
') ')
@ -28076,7 +28170,7 @@ index 24e7804..1894886 100644
+ allow $1 init_t:system undefined; + allow $1 init_t:system undefined;
+') +')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index dd3be8d..61531ce 100644 index dd3be8d..84ffb31 100644
--- a/policy/modules/system/init.te --- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te +++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(` @@ -11,10 +11,24 @@ gen_require(`
@ -29138,7 +29232,7 @@ index dd3be8d..61531ce 100644
# Set device ownerships/modes. # Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t) xserver_setattr_console_pipes(initrc_t)
@@ -896,3 +1353,191 @@ optional_policy(` @@ -896,3 +1353,196 @@ optional_policy(`
optional_policy(` optional_policy(`
zebra_read_config(initrc_t) zebra_read_config(initrc_t)
') ')
@ -29321,6 +29415,11 @@ index dd3be8d..61531ce 100644
+allow initrc_domain systemprocess:process transition; +allow initrc_domain systemprocess:process transition;
+ +
+optional_policy(` +optional_policy(`
+ systemd_getattr_unit_dirs(daemon)
+ systemd_getattr_unit_dirs(systemprocess)
+')
+
+optional_policy(`
+ rgmanager_search_lib(initrc_domain) + rgmanager_search_lib(initrc_domain)
+') +')
+ +
@ -35720,10 +35819,10 @@ index 0000000..4e12420
+/var/run/initramfs(/.*)? <<none>> +/var/run/initramfs(/.*)? <<none>>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644 new file mode 100644
index 0000000..16c7767 index 0000000..5894afb
--- /dev/null --- /dev/null
+++ b/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if
@@ -0,0 +1,1122 @@ @@ -0,0 +1,1159 @@
+## <summary>SELinux policy for systemd components</summary> +## <summary>SELinux policy for systemd components</summary>
+ +
+###################################### +######################################
@ -35893,7 +35992,25 @@ index 0000000..16c7767
+ ') + ')
+ +
+ files_search_var_lib($1) + files_search_var_lib($1)
+ allow $1 systemd_unit_file_type:file getattr_file_perms; + getattr_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
+')
+
+#####################################
+## <summary>
+## Allow domain to getattr all systemd unit directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_getattr_unit_dirs',`
+ gen_require(`
+ attribute systemd_unit_file_type;
+ ')
+
+ allow $1 systemd_unit_file_type:dir getattr;
+') +')
+ +
+###################################### +######################################
@ -36846,12 +36963,31 @@ index 0000000..16c7767
+ allow systemd_localed_t $1:dbus send_msg; + allow systemd_localed_t $1:dbus send_msg;
+ ps_process_pattern(systemd_localed_t, $1) + ps_process_pattern(systemd_localed_t, $1)
+') +')
+
+########################################
+## <summary>
+## Dontaudit attempts to send dbus domains chat messages
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`systemd_dontaudit_dbus_chat',`
+ gen_require(`
+ attribute systemd_domain;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 systemd_domain:dbus send_msg;
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644 new file mode 100644
index 0000000..4d56107 index 0000000..b3ea12d
--- /dev/null --- /dev/null
+++ b/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te
@@ -0,0 +1,641 @@ @@ -0,0 +1,642 @@
+policy_module(systemd, 1.0.0) +policy_module(systemd, 1.0.0)
+ +
+####################################### +#######################################
@ -37342,7 +37478,8 @@ index 0000000..4d56107
+# +#
+# Hostnamed policy +# Hostnamed policy
+# +#
+dontaudit systemd_hostnamed_t self:capability { sys_admin sys_ptrace }; +allow systemd_hostnamed_t self:capability sys_admin;
+dontaudit systemd_hostnamed_t self:capability sys_ptrace;
+ +
+allow systemd_hostnamed_t self:fifo_file rw_fifo_file_perms; +allow systemd_hostnamed_t self:fifo_file rw_fifo_file_perms;
+allow systemd_hostnamed_t self:unix_stream_socket create_stream_socket_perms; +allow systemd_hostnamed_t self:unix_stream_socket create_stream_socket_perms;
@ -37791,7 +37928,7 @@ index 0f64692..d7e8a01 100644
######################################## ########################################
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index a5ec88b..32e7d9e 100644 index a5ec88b..1749342 100644
--- a/policy/modules/system/udev.te --- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te
@@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t) @@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t)
@ -37942,16 +38079,17 @@ index a5ec88b..32e7d9e 100644
seutil_read_config(udev_t) seutil_read_config(udev_t)
seutil_read_default_contexts(udev_t) seutil_read_default_contexts(udev_t)
@@ -170,6 +188,8 @@ sysnet_signal_dhcpc(udev_t) @@ -170,6 +188,9 @@ sysnet_signal_dhcpc(udev_t)
sysnet_manage_config(udev_t) sysnet_manage_config(udev_t)
sysnet_etc_filetrans_config(udev_t) sysnet_etc_filetrans_config(udev_t)
+systemd_login_read_pid_files(udev_t) +systemd_login_read_pid_files(udev_t)
+systemd_getattr_unit_files(udev_t)
+ +
userdom_dontaudit_search_user_home_content(udev_t) userdom_dontaudit_search_user_home_content(udev_t)
ifdef(`distro_gentoo',` ifdef(`distro_gentoo',`
@@ -179,16 +199,9 @@ ifdef(`distro_gentoo',` @@ -179,16 +200,9 @@ ifdef(`distro_gentoo',`
') ')
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
@ -37970,7 +38108,7 @@ index a5ec88b..32e7d9e 100644
# for arping used for static IP addresses on PCMCIA ethernet # for arping used for static IP addresses on PCMCIA ethernet
netutils_domtrans(udev_t) netutils_domtrans(udev_t)
@@ -226,19 +239,34 @@ optional_policy(` @@ -226,19 +240,34 @@ optional_policy(`
optional_policy(` optional_policy(`
cups_domtrans_config(udev_t) cups_domtrans_config(udev_t)
@ -38005,7 +38143,7 @@ index a5ec88b..32e7d9e 100644
') ')
optional_policy(` optional_policy(`
@@ -264,6 +292,10 @@ optional_policy(` @@ -264,6 +293,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -38016,7 +38154,7 @@ index a5ec88b..32e7d9e 100644
openct_read_pid_files(udev_t) openct_read_pid_files(udev_t)
openct_domtrans(udev_t) openct_domtrans(udev_t)
') ')
@@ -278,6 +310,15 @@ optional_policy(` @@ -278,6 +311,15 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -38032,7 +38170,7 @@ index a5ec88b..32e7d9e 100644
unconfined_signal(udev_t) unconfined_signal(udev_t)
') ')
@@ -290,6 +331,7 @@ optional_policy(` @@ -290,6 +332,7 @@ optional_policy(`
kernel_read_xen_state(udev_t) kernel_read_xen_state(udev_t)
xen_manage_log(udev_t) xen_manage_log(udev_t)
xen_read_image_files(udev_t) xen_read_image_files(udev_t)

File diff suppressed because it is too large Load Diff

View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.12.1 Version: 3.12.1
Release: 28%{?dist} Release: 29%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -526,6 +526,41 @@ SELinux Reference policy mls base module.
%endif %endif
%changelog %changelog
* Thu Apr 11 2013 Miroslav Grepl <mgrpel@redhat.com> 3.12.1-29
- Add mising nslcd_dontaudit_write_sock_file() interface
- one more fix
- Fix pki_read_tomcat_lib_files() interface
- Allow certmonger to read pki-tomcat lib files
- Allow certwatch to execute bin_t
- Allow snmp to manage /var/lib/net-snmp files
- Don't audit attempts to write to stream socket of nscld by thumbnailers
- Allow git_system_t to read network state
- Allow pegasas to execute mount command
- Fix desc for drdb_admin
- Fix condor_amin()
- Interface fixes for uptime, vdagent, vnstatd
- Fix labeling for moodle in /var/www/moodle/data
- Add interface fixes
- Allow bugzilla to read certs
- /var/www/moodle needs to be writable by apache
- Add interface to dontaudit attempts to send dbus messages to systemd domains, for xguest
- Fix namespace_init_t to create content with proper labels, and allow it to manage all user content
- Allow httpd_t to connect to osapi_compute port using httpd_use_openstack bolean
- Fixes for dlm_controld
- Fix apache_read_sys_content_rw_dirs() interface
- Allow logrotate to read /var/log/z-push dir
- Fix sys_nice for cups_domain
- Allow postfix_postdrop to acces postfix_public socket
- Allow sched_setscheduler for cupsd_t
- Add missing context for /usr/sbin/snmpd
- Kernel_t needs mac_admin in order to support labeled NFS
- Fix systemd_dontaudit_dbus_chat() interface
- Add interface to dontaudit attempts to send dbus messages to systemd domains, for xguest
- Allow consolehelper domain to write Xauth files in /root
- Add port definition for osapi_compute port
- Allow unconfined to create /etc/hostname with correct labeling
- Add systemd_filetrans_named_hostname() interface
* Mon Apr 8 2013 Dan Walsh <dwalsh@redhat.com> 3.12.1-28 * Mon Apr 8 2013 Dan Walsh <dwalsh@redhat.com> 3.12.1-28
- Allow httpd_t to connect to osapi_compute port using httpd_use_openstack bolean - Allow httpd_t to connect to osapi_compute port using httpd_use_openstack bolean
- Fixes for dlm_controld - Fixes for dlm_controld