* Fri Sep 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-287
- Allow init noatsecure httpd_t - Allow mysqld_t domain to mmap mysqld db files. BZ(1483331) - Allow unconfined_t domain to create new users with proper SELinux lables - Allow init noatsecure httpd_t - Label tcp port 3269 as ldap_port_t
This commit is contained in:
Lukas Vrabec
parent
7c73871fb5
commit
fc41f8a9df
Binary file not shown.
|
|
@ -6162,7 +6162,7 @@ index 8e0f9cd14..2fe34db47 100644
|
|||
+create_ibendport_type_interfaces($*)
|
||||
+')
|
||||
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
|
||||
index b191055f9..15ec98f76 100644
|
||||
index b191055f9..12aecdf4e 100644
|
||||
--- a/policy/modules/kernel/corenetwork.te.in
|
||||
+++ b/policy/modules/kernel/corenetwork.te.in
|
||||
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
|
||||
|
|
@ -6386,7 +6386,7 @@ index b191055f9..15ec98f76 100644
|
|||
network_port(ktalkd, udp,517,s0, udp,518,s0)
|
||||
-network_port(l2tp, tcp,1701,s0, udp,1701,s0)
|
||||
-network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
|
||||
+network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0, tcp, 7389,s0)
|
||||
+network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0, tcp,3269,s0, tcp, 7389,s0)
|
||||
network_port(lirc, tcp,8765,s0)
|
||||
-network_port(lmtp, tcp,24,s0, udp,24,s0)
|
||||
+network_port(luci, tcp,8084,s0)
|
||||
|
|
@ -27377,10 +27377,10 @@ index 000000000..f73028658
|
|||
+
|
||||
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
|
||||
new file mode 100644
|
||||
index 000000000..883d9eaa3
|
||||
index 000000000..bdfe41b61
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/roles/unconfineduser.te
|
||||
@@ -0,0 +1,362 @@
|
||||
@@ -0,0 +1,363 @@
|
||||
+policy_module(unconfineduser, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
|
|
@ -27418,6 +27418,7 @@ index 000000000..883d9eaa3
|
|||
+userdom_manage_tmp_role(unconfined_r, unconfined_t)
|
||||
+userdom_unpriv_type(unconfined_t)
|
||||
+userdom_login_userdomain(unconfined_t)
|
||||
+userdom_home_filetrans_user_home_dir(unconfined_t)
|
||||
+
|
||||
+type unconfined_exec_t;
|
||||
+application_domain(unconfined_t, unconfined_exec_t)
|
||||
|
|
@ -37845,7 +37846,7 @@ index 79a45f62e..6ed0c399a 100644
|
|||
+ allow $1 init_var_lib_t:dir search_dir_perms;
|
||||
+')
|
||||
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
||||
index 17eda2480..6c22a0a1f 100644
|
||||
index 17eda2480..7d76c87ce 100644
|
||||
--- a/policy/modules/system/init.te
|
||||
+++ b/policy/modules/system/init.te
|
||||
@@ -11,10 +11,31 @@ gen_require(`
|
||||
|
|
@ -38167,7 +38168,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
|
||||
ifdef(`distro_gentoo',`
|
||||
allow init_t self:process { getcap setcap };
|
||||
@@ -186,29 +347,292 @@ ifdef(`distro_gentoo',`
|
||||
@@ -186,29 +347,293 @@ ifdef(`distro_gentoo',`
|
||||
')
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
|
|
@ -38208,6 +38209,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
+
|
||||
+optional_policy(`
|
||||
+ apache_delete_tmp(init_t)
|
||||
+ apache_noatsecure(init_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
|
|
@ -38469,7 +38471,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -216,7 +640,30 @@ optional_policy(`
|
||||
@@ -216,7 +641,30 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38501,7 +38503,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -225,9 +672,9 @@ optional_policy(`
|
||||
@@ -225,9 +673,9 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
|
||||
|
|
@ -38513,7 +38515,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
allow initrc_t self:passwd rootok;
|
||||
allow initrc_t self:key manage_key_perms;
|
||||
|
||||
@@ -258,12 +705,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
||||
@@ -258,12 +706,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
||||
|
||||
allow initrc_t initrc_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
|
||||
|
|
@ -38530,7 +38532,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
|
||||
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
|
||||
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
|
||||
@@ -279,23 +730,36 @@ kernel_change_ring_buffer_level(initrc_t)
|
||||
@@ -279,23 +731,36 @@ kernel_change_ring_buffer_level(initrc_t)
|
||||
kernel_clear_ring_buffer(initrc_t)
|
||||
kernel_get_sysvipc_info(initrc_t)
|
||||
kernel_read_all_sysctls(initrc_t)
|
||||
|
|
@ -38573,7 +38575,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
corenet_tcp_sendrecv_all_ports(initrc_t)
|
||||
corenet_udp_sendrecv_all_ports(initrc_t)
|
||||
corenet_tcp_connect_all_ports(initrc_t)
|
||||
@@ -303,9 +767,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
|
||||
@@ -303,9 +768,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
|
||||
|
||||
dev_read_rand(initrc_t)
|
||||
dev_read_urand(initrc_t)
|
||||
|
|
@ -38585,7 +38587,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
dev_rw_sysfs(initrc_t)
|
||||
dev_list_usbfs(initrc_t)
|
||||
dev_read_framebuffer(initrc_t)
|
||||
@@ -313,8 +779,10 @@ dev_write_framebuffer(initrc_t)
|
||||
@@ -313,8 +780,10 @@ dev_write_framebuffer(initrc_t)
|
||||
dev_read_realtime_clock(initrc_t)
|
||||
dev_read_sound_mixer(initrc_t)
|
||||
dev_write_sound_mixer(initrc_t)
|
||||
|
|
@ -38596,7 +38598,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
dev_delete_lvm_control_dev(initrc_t)
|
||||
dev_manage_generic_symlinks(initrc_t)
|
||||
dev_manage_generic_files(initrc_t)
|
||||
@@ -322,8 +790,7 @@ dev_manage_generic_files(initrc_t)
|
||||
@@ -322,8 +791,7 @@ dev_manage_generic_files(initrc_t)
|
||||
dev_delete_generic_symlinks(initrc_t)
|
||||
dev_getattr_all_blk_files(initrc_t)
|
||||
dev_getattr_all_chr_files(initrc_t)
|
||||
|
|
@ -38606,7 +38608,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
|
||||
domain_kill_all_domains(initrc_t)
|
||||
domain_signal_all_domains(initrc_t)
|
||||
@@ -332,7 +799,6 @@ domain_sigstop_all_domains(initrc_t)
|
||||
@@ -332,7 +800,6 @@ domain_sigstop_all_domains(initrc_t)
|
||||
domain_sigchld_all_domains(initrc_t)
|
||||
domain_read_all_domains_state(initrc_t)
|
||||
domain_getattr_all_domains(initrc_t)
|
||||
|
|
@ -38614,7 +38616,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
domain_getsession_all_domains(initrc_t)
|
||||
domain_use_interactive_fds(initrc_t)
|
||||
# for lsof which is used by alsa shutdown:
|
||||
@@ -340,6 +806,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
|
||||
@@ -340,6 +807,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
|
||||
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
|
||||
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
|
||||
domain_dontaudit_getattr_all_pipes(initrc_t)
|
||||
|
|
@ -38622,7 +38624,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
|
||||
files_getattr_all_dirs(initrc_t)
|
||||
files_getattr_all_files(initrc_t)
|
||||
@@ -347,14 +814,15 @@ files_getattr_all_symlinks(initrc_t)
|
||||
@@ -347,14 +815,15 @@ files_getattr_all_symlinks(initrc_t)
|
||||
files_getattr_all_pipes(initrc_t)
|
||||
files_getattr_all_sockets(initrc_t)
|
||||
files_purge_tmp(initrc_t)
|
||||
|
|
@ -38640,7 +38642,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
files_read_usr_files(initrc_t)
|
||||
files_manage_urandom_seed(initrc_t)
|
||||
files_manage_generic_spool(initrc_t)
|
||||
@@ -364,8 +832,12 @@ files_list_isid_type_dirs(initrc_t)
|
||||
@@ -364,8 +833,12 @@ files_list_isid_type_dirs(initrc_t)
|
||||
files_mounton_isid_type_dirs(initrc_t)
|
||||
files_list_default(initrc_t)
|
||||
files_mounton_default(initrc_t)
|
||||
|
|
@ -38654,7 +38656,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
fs_list_inotifyfs(initrc_t)
|
||||
fs_register_binary_executable_type(initrc_t)
|
||||
# rhgb-console writes to ramfs
|
||||
@@ -375,10 +847,11 @@ fs_mount_all_fs(initrc_t)
|
||||
@@ -375,10 +848,11 @@ fs_mount_all_fs(initrc_t)
|
||||
fs_unmount_all_fs(initrc_t)
|
||||
fs_remount_all_fs(initrc_t)
|
||||
fs_getattr_all_fs(initrc_t)
|
||||
|
|
@ -38668,7 +38670,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
mcs_process_set_categories(initrc_t)
|
||||
|
||||
mls_file_read_all_levels(initrc_t)
|
||||
@@ -387,8 +860,10 @@ mls_process_read_up(initrc_t)
|
||||
@@ -387,8 +861,10 @@ mls_process_read_up(initrc_t)
|
||||
mls_process_write_down(initrc_t)
|
||||
mls_rangetrans_source(initrc_t)
|
||||
mls_fd_share_all_levels(initrc_t)
|
||||
|
|
@ -38679,7 +38681,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
|
||||
storage_getattr_fixed_disk_dev(initrc_t)
|
||||
storage_setattr_fixed_disk_dev(initrc_t)
|
||||
@@ -398,6 +873,7 @@ term_use_all_terms(initrc_t)
|
||||
@@ -398,6 +874,7 @@ term_use_all_terms(initrc_t)
|
||||
term_reset_tty_labels(initrc_t)
|
||||
|
||||
auth_rw_login_records(initrc_t)
|
||||
|
|
@ -38687,7 +38689,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
auth_setattr_login_records(initrc_t)
|
||||
auth_rw_lastlog(initrc_t)
|
||||
auth_read_pam_pid(initrc_t)
|
||||
@@ -416,20 +892,18 @@ logging_read_all_logs(initrc_t)
|
||||
@@ -416,20 +893,18 @@ logging_read_all_logs(initrc_t)
|
||||
logging_append_all_logs(initrc_t)
|
||||
logging_read_audit_config(initrc_t)
|
||||
|
||||
|
|
@ -38711,7 +38713,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
|
||||
ifdef(`distro_debian',`
|
||||
dev_setattr_generic_dirs(initrc_t)
|
||||
@@ -451,7 +925,6 @@ ifdef(`distro_gentoo',`
|
||||
@@ -451,7 +926,6 @@ ifdef(`distro_gentoo',`
|
||||
allow initrc_t self:process setfscreate;
|
||||
dev_create_null_dev(initrc_t)
|
||||
dev_create_zero_dev(initrc_t)
|
||||
|
|
@ -38719,7 +38721,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
term_create_console_dev(initrc_t)
|
||||
|
||||
# unfortunately /sbin/rc does stupid tricks
|
||||
@@ -486,6 +959,10 @@ ifdef(`distro_gentoo',`
|
||||
@@ -486,6 +960,10 @@ ifdef(`distro_gentoo',`
|
||||
sysnet_setattr_config(initrc_t)
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38730,7 +38732,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
alsa_read_lib(initrc_t)
|
||||
')
|
||||
|
||||
@@ -506,7 +983,7 @@ ifdef(`distro_redhat',`
|
||||
@@ -506,7 +984,7 @@ ifdef(`distro_redhat',`
|
||||
|
||||
# Red Hat systems seem to have a stray
|
||||
# fd open from the initrd
|
||||
|
|
@ -38739,7 +38741,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
files_dontaudit_read_root_files(initrc_t)
|
||||
|
||||
# These seem to be from the initrd
|
||||
@@ -521,6 +998,7 @@ ifdef(`distro_redhat',`
|
||||
@@ -521,6 +999,7 @@ ifdef(`distro_redhat',`
|
||||
files_create_boot_dirs(initrc_t)
|
||||
files_create_boot_flag(initrc_t)
|
||||
files_rw_boot_symlinks(initrc_t)
|
||||
|
|
@ -38747,7 +38749,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
# wants to read /.fonts directory
|
||||
files_read_default_files(initrc_t)
|
||||
files_mountpoint(initrc_tmp_t)
|
||||
@@ -541,6 +1019,7 @@ ifdef(`distro_redhat',`
|
||||
@@ -541,6 +1020,7 @@ ifdef(`distro_redhat',`
|
||||
miscfiles_rw_localization(initrc_t)
|
||||
miscfiles_setattr_localization(initrc_t)
|
||||
miscfiles_relabel_localization(initrc_t)
|
||||
|
|
@ -38755,7 +38757,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
|
||||
miscfiles_read_fonts(initrc_t)
|
||||
miscfiles_read_hwdata(initrc_t)
|
||||
@@ -550,8 +1029,44 @@ ifdef(`distro_redhat',`
|
||||
@@ -550,8 +1030,44 @@ ifdef(`distro_redhat',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38800,7 +38802,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -559,14 +1074,31 @@ ifdef(`distro_redhat',`
|
||||
@@ -559,14 +1075,31 @@ ifdef(`distro_redhat',`
|
||||
rpc_write_exports(initrc_t)
|
||||
rpc_manage_nfs_state_data(initrc_t)
|
||||
')
|
||||
|
|
@ -38832,7 +38834,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
')
|
||||
')
|
||||
|
||||
@@ -577,6 +1109,39 @@ ifdef(`distro_suse',`
|
||||
@@ -577,6 +1110,39 @@ ifdef(`distro_suse',`
|
||||
')
|
||||
')
|
||||
|
||||
|
|
@ -38872,7 +38874,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
optional_policy(`
|
||||
amavis_search_lib(initrc_t)
|
||||
amavis_setattr_pid_files(initrc_t)
|
||||
@@ -589,6 +1154,8 @@ optional_policy(`
|
||||
@@ -589,6 +1155,8 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
apache_read_config(initrc_t)
|
||||
apache_list_modules(initrc_t)
|
||||
|
|
@ -38881,7 +38883,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -610,6 +1177,7 @@ optional_policy(`
|
||||
@@ -610,6 +1178,7 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
cgroup_stream_connect_cgred(initrc_t)
|
||||
|
|
@ -38889,7 +38891,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -626,6 +1194,17 @@ optional_policy(`
|
||||
@@ -626,6 +1195,17 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38907,7 +38909,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
dev_getattr_printer_dev(initrc_t)
|
||||
|
||||
cups_read_log(initrc_t)
|
||||
@@ -642,9 +1221,13 @@ optional_policy(`
|
||||
@@ -642,9 +1222,13 @@ optional_policy(`
|
||||
dbus_connect_system_bus(initrc_t)
|
||||
dbus_system_bus_client(initrc_t)
|
||||
dbus_read_config(initrc_t)
|
||||
|
|
@ -38921,7 +38923,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -657,15 +1240,11 @@ optional_policy(`
|
||||
@@ -657,15 +1241,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38939,7 +38941,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -686,6 +1265,15 @@ optional_policy(`
|
||||
@@ -686,6 +1266,15 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38955,7 +38957,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
inn_exec_config(initrc_t)
|
||||
')
|
||||
|
||||
@@ -726,6 +1314,7 @@ optional_policy(`
|
||||
@@ -726,6 +1315,7 @@ optional_policy(`
|
||||
lpd_list_spool(initrc_t)
|
||||
|
||||
lpd_read_config(initrc_t)
|
||||
|
|
@ -38963,7 +38965,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -743,7 +1332,13 @@ optional_policy(`
|
||||
@@ -743,7 +1333,13 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38978,7 +38980,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
mta_dontaudit_read_spool_symlinks(initrc_t)
|
||||
')
|
||||
|
||||
@@ -766,6 +1361,10 @@ optional_policy(`
|
||||
@@ -766,6 +1362,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -38989,7 +38991,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
postgresql_manage_db(initrc_t)
|
||||
postgresql_read_config(initrc_t)
|
||||
')
|
||||
@@ -775,10 +1374,20 @@ optional_policy(`
|
||||
@@ -775,10 +1375,20 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -39010,7 +39012,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
quota_manage_flags(initrc_t)
|
||||
')
|
||||
|
||||
@@ -787,6 +1396,10 @@ optional_policy(`
|
||||
@@ -787,6 +1397,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -39021,7 +39023,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
fs_write_ramfs_sockets(initrc_t)
|
||||
fs_search_ramfs(initrc_t)
|
||||
|
||||
@@ -808,8 +1421,6 @@ optional_policy(`
|
||||
@@ -808,8 +1422,6 @@ optional_policy(`
|
||||
# bash tries ioctl for some reason
|
||||
files_dontaudit_ioctl_all_pids(initrc_t)
|
||||
|
||||
|
|
@ -39030,7 +39032,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -818,6 +1429,10 @@ optional_policy(`
|
||||
@@ -818,6 +1430,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -39041,7 +39043,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
# shorewall-init script run /var/lib/shorewall/firewall
|
||||
shorewall_lib_domtrans(initrc_t)
|
||||
')
|
||||
@@ -827,10 +1442,12 @@ optional_policy(`
|
||||
@@ -827,10 +1443,12 @@ optional_policy(`
|
||||
squid_manage_logs(initrc_t)
|
||||
')
|
||||
|
||||
|
|
@ -39054,7 +39056,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
|
||||
optional_policy(`
|
||||
ssh_dontaudit_read_server_keys(initrc_t)
|
||||
@@ -857,21 +1474,62 @@ optional_policy(`
|
||||
@@ -857,21 +1475,62 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -39118,7 +39120,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -887,6 +1545,10 @@ optional_policy(`
|
||||
@@ -887,6 +1546,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -39129,7 +39131,7 @@ index 17eda2480..6c22a0a1f 100644
|
|||
# Set device ownerships/modes.
|
||||
xserver_setattr_console_pipes(initrc_t)
|
||||
|
||||
@@ -897,3 +1559,218 @@ optional_policy(`
|
||||
@@ -897,3 +1560,218 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
zebra_read_config(initrc_t)
|
||||
')
|
||||
|
|
|
|||
|
|
@ -3925,7 +3925,7 @@ index 7caefc353..966c2f3e6 100644
|
|||
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
diff --git a/apache.if b/apache.if
|
||||
index f6eb4851f..422f408d4 100644
|
||||
index f6eb4851f..3628a384f 100644
|
||||
--- a/apache.if
|
||||
+++ b/apache.if
|
||||
@@ -1,9 +1,9 @@
|
||||
|
|
@ -4218,11 +4218,11 @@ index f6eb4851f..422f408d4 100644
|
|||
- ')
|
||||
+ # privileged users run the script:
|
||||
+ domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t)
|
||||
+
|
||||
+ allow httpd_exec_scripts $1_script_exec_t:file read_file_perms;
|
||||
|
||||
- tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
|
||||
- filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file })
|
||||
+ allow httpd_exec_scripts $1_script_exec_t:file read_file_perms;
|
||||
+
|
||||
+ # apache runs the script:
|
||||
+ domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t)
|
||||
+ allow httpd_t $1_script_t:unix_dgram_socket sendto;
|
||||
|
|
@ -4499,12 +4499,10 @@ index f6eb4851f..422f408d4 100644
|
|||
|
||||
- dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
|
||||
+ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Do not audit attempts to read and
|
||||
-## write httpd unix domain stream sockets.
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Allow attempts to read and write Apache
|
||||
+## unix domain stream sockets.
|
||||
+## </summary>
|
||||
|
|
@ -4520,10 +4518,12 @@ index f6eb4851f..422f408d4 100644
|
|||
+ ')
|
||||
+
|
||||
+ allow $1 httpd_t:unix_stream_socket { getattr read write };
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Do not audit attempts to read and
|
||||
-## write httpd unix domain stream sockets.
|
||||
+## Do not audit attempts to read and write Apache
|
||||
+## unix domain stream sockets.
|
||||
## </summary>
|
||||
|
|
@ -4996,32 +4996,12 @@ index f6eb4851f..422f408d4 100644
|
|||
')
|
||||
|
||||
-########################################
|
||||
+######################################
|
||||
+## <summary>
|
||||
+## Allow the specified domain to read
|
||||
+## apache system content rw files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`apache_read_sys_content_rw_files',`
|
||||
+ gen_require(`
|
||||
+ type httpd_sys_rw_content_t;
|
||||
+ ')
|
||||
+
|
||||
+ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
|
||||
+')
|
||||
+
|
||||
+######################################
|
||||
## <summary>
|
||||
-## Create, read, write, and delete
|
||||
-## httpd system rw content.
|
||||
+## Allow the specified domain to read
|
||||
+## apache system content rw dirs.
|
||||
+## apache system content rw files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
|
|
@ -5031,12 +5011,32 @@ index f6eb4851f..422f408d4 100644
|
|||
+## <rolecap/>
|
||||
#
|
||||
-interface(`apache_manage_sys_rw_content',`
|
||||
+interface(`apache_read_sys_content_rw_dirs',`
|
||||
+interface(`apache_read_sys_content_rw_files',`
|
||||
gen_require(`
|
||||
type httpd_sys_rw_content_t;
|
||||
')
|
||||
|
||||
- apache_search_sys_content($1)
|
||||
+ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
|
||||
+')
|
||||
+
|
||||
+######################################
|
||||
+## <summary>
|
||||
+## Allow the specified domain to read
|
||||
+## apache system content rw dirs.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`apache_read_sys_content_rw_dirs',`
|
||||
+ gen_require(`
|
||||
+ type httpd_sys_rw_content_t;
|
||||
+ ')
|
||||
+
|
||||
+ list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
|
||||
+')
|
||||
+
|
||||
|
|
@ -5390,7 +5390,7 @@ index f6eb4851f..422f408d4 100644
|
|||
admin_pattern($1, httpd_log_t)
|
||||
|
||||
admin_pattern($1, httpd_modules_t)
|
||||
@@ -1224,9 +1625,201 @@ interface(`apache_admin',`
|
||||
@@ -1224,9 +1625,219 @@ interface(`apache_admin',`
|
||||
admin_pattern($1, httpd_var_run_t)
|
||||
files_pid_filetrans($1, httpd_var_run_t, file)
|
||||
|
||||
|
|
@ -5591,10 +5591,28 @@ index f6eb4851f..422f408d4 100644
|
|||
+ gen_require(`
|
||||
+ type httpd_tmp_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 httpd_tmp_t:file unlink;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Allow httpd noatsecure
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`apache_noatsecure',`
|
||||
+ gen_require(`
|
||||
+ type httpd_t;
|
||||
+ ')
|
||||
|
||||
- apache_run_all_scripts($1, $2)
|
||||
- apache_run_helper($1, $2)
|
||||
+ allow $1 httpd_tmp_t:file unlink;
|
||||
+ allow $1 httpd_t:process { noatsecure };
|
||||
')
|
||||
diff --git a/apache.te b/apache.te
|
||||
index 6649962b6..1a0189a44 100644
|
||||
|
|
@ -58089,7 +58107,7 @@ index 687af38bb..5381f1b39 100644
|
|||
+ mysql_stream_connect($1)
|
||||
')
|
||||
diff --git a/mysql.te b/mysql.te
|
||||
index 7584bbe7c..a89f6d665 100644
|
||||
index 7584bbe7c..9c33fb9ac 100644
|
||||
--- a/mysql.te
|
||||
+++ b/mysql.te
|
||||
@@ -6,20 +6,22 @@ policy_module(mysql, 1.14.1)
|
||||
|
|
@ -58140,7 +58158,7 @@ index 7584bbe7c..a89f6d665 100644
|
|||
type mysqld_initrc_exec_t;
|
||||
init_script_file(mysqld_initrc_exec_t)
|
||||
|
||||
@@ -62,28 +66,29 @@ files_pid_file(mysqlmanagerd_var_run_t)
|
||||
@@ -62,28 +66,30 @@ files_pid_file(mysqlmanagerd_var_run_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
|
|
@ -58161,6 +58179,7 @@ index 7584bbe7c..a89f6d665 100644
|
|||
+manage_sock_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
|
||||
manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
|
||||
files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
|
||||
+allow mysqld_t mysqld_db_t:file map;
|
||||
|
||||
-filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
|
||||
-
|
||||
|
|
@ -58177,7 +58196,7 @@ index 7584bbe7c..a89f6d665 100644
|
|||
logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file })
|
||||
|
||||
manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
|
||||
@@ -95,50 +100,66 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
|
||||
@@ -95,50 +101,66 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
|
||||
manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
|
||||
files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
|
||||
|
||||
|
|
@ -58262,7 +58281,7 @@ index 7584bbe7c..a89f6d665 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -146,6 +167,10 @@ optional_policy(`
|
||||
@@ -146,6 +168,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -58273,7 +58292,7 @@ index 7584bbe7c..a89f6d665 100644
|
|||
seutil_sigchld_newrole(mysqld_t)
|
||||
')
|
||||
|
||||
@@ -155,21 +180,20 @@ optional_policy(`
|
||||
@@ -155,21 +181,20 @@ optional_policy(`
|
||||
|
||||
#######################################
|
||||
#
|
||||
|
|
@ -58301,7 +58320,7 @@ index 7584bbe7c..a89f6d665 100644
|
|||
|
||||
list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
|
||||
manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
|
||||
@@ -177,9 +201,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
|
||||
@@ -177,9 +202,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
|
||||
logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
|
||||
|
||||
manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
|
||||
|
|
@ -58312,7 +58331,7 @@ index 7584bbe7c..a89f6d665 100644
|
|||
|
||||
kernel_read_system_state(mysqld_safe_t)
|
||||
kernel_read_kernel_sysctls(mysqld_safe_t)
|
||||
@@ -187,21 +209,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
|
||||
@@ -187,21 +210,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
|
||||
corecmd_exec_bin(mysqld_safe_t)
|
||||
corecmd_exec_shell(mysqld_safe_t)
|
||||
|
||||
|
|
@ -58348,7 +58367,7 @@ index 7584bbe7c..a89f6d665 100644
|
|||
|
||||
optional_policy(`
|
||||
hostname_exec(mysqld_safe_t)
|
||||
@@ -209,20 +239,21 @@ optional_policy(`
|
||||
@@ -209,20 +240,21 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -58377,7 +58396,7 @@ index 7584bbe7c..a89f6d665 100644
|
|||
|
||||
domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
|
||||
|
||||
@@ -230,31 +261,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
|
||||
@@ -230,31 +262,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
|
||||
manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
|
||||
filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
|
||||
|
||||
|
|
@ -112229,10 +112248,10 @@ index 000000000..e5cec8fda
|
|||
+')
|
||||
diff --git a/tomcat.te b/tomcat.te
|
||||
new file mode 100644
|
||||
index 000000000..9c3b00220
|
||||
index 000000000..31baf3bb8
|
||||
--- /dev/null
|
||||
+++ b/tomcat.te
|
||||
@@ -0,0 +1,117 @@
|
||||
@@ -0,0 +1,124 @@
|
||||
+policy_module(tomcat, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
|
|
@ -112292,8 +112311,7 @@ index 000000000..9c3b00220
|
|||
+
|
||||
+allow tomcat_t self:capability { dac_override setuid kill };
|
||||
+
|
||||
+allow tomcat_t self:process execmem;
|
||||
+allow tomcat_t self:process { setcap signal signull };
|
||||
+allow tomcat_t self:process { execmem setcap setsched signal signull };
|
||||
+
|
||||
+allow tomcat_t self:tcp_socket { accept listen };
|
||||
+allow tomcat_domain self:fifo_file rw_fifo_file_perms;
|
||||
|
|
@ -112333,6 +112351,8 @@ index 000000000..9c3b00220
|
|||
+
|
||||
+domain_use_interactive_fds(tomcat_domain)
|
||||
+
|
||||
+libs_exec_ldconfig(tomcat_domain)
|
||||
+
|
||||
+fs_getattr_all_fs(tomcat_domain)
|
||||
+fs_read_hugetlbfs_files(tomcat_domain)
|
||||
+
|
||||
|
|
@ -112343,6 +112363,12 @@ index 000000000..9c3b00220
|
|||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ # needed by FreeIPA
|
||||
+ ldap_stream_connect(tomcat_domain)
|
||||
+ ldap_read_certs(tomcat_domain)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ tomcat_search_lib(tomcat_domain)
|
||||
+')
|
||||
+
|
||||
|
|
@ -117037,7 +117063,7 @@ index facdee8b3..2a619ba9e 100644
|
|||
+ dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
|
||||
')
|
||||
diff --git a/virt.te b/virt.te
|
||||
index f03dcf567..529ae6612 100644
|
||||
index f03dcf567..cf9950e36 100644
|
||||
--- a/virt.te
|
||||
+++ b/virt.te
|
||||
@@ -1,451 +1,424 @@
|
||||
|
|
@ -118002,7 +118028,7 @@ index f03dcf567..529ae6612 100644
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -691,99 +653,432 @@ optional_policy(`
|
||||
@@ -691,99 +653,433 @@ optional_policy(`
|
||||
dnsmasq_kill(virtd_t)
|
||||
dnsmasq_signull(virtd_t)
|
||||
dnsmasq_create_pid_dirs(virtd_t)
|
||||
|
|
@ -118247,6 +118273,7 @@ index f03dcf567..529ae6612 100644
|
|||
+dev_rw_inherited_vhost(virt_domain)
|
||||
+dev_rw_infiniband_dev(virt_domain)
|
||||
+dev_rw_dri(virt_domain)
|
||||
+dev_rw_tpm(virt_domain)
|
||||
+
|
||||
+domain_use_interactive_fds(virt_domain)
|
||||
+
|
||||
|
|
@ -118484,7 +118511,7 @@ index f03dcf567..529ae6612 100644
|
|||
kernel_read_system_state(virsh_t)
|
||||
kernel_read_network_state(virsh_t)
|
||||
kernel_read_kernel_sysctls(virsh_t)
|
||||
@@ -794,25 +1089,18 @@ kernel_write_xen_state(virsh_t)
|
||||
@@ -794,25 +1090,18 @@ kernel_write_xen_state(virsh_t)
|
||||
corecmd_exec_bin(virsh_t)
|
||||
corecmd_exec_shell(virsh_t)
|
||||
|
||||
|
|
@ -118511,7 +118538,7 @@ index f03dcf567..529ae6612 100644
|
|||
|
||||
fs_getattr_all_fs(virsh_t)
|
||||
fs_manage_xenfs_dirs(virsh_t)
|
||||
@@ -821,23 +1109,25 @@ fs_search_auto_mountpoints(virsh_t)
|
||||
@@ -821,23 +1110,25 @@ fs_search_auto_mountpoints(virsh_t)
|
||||
|
||||
storage_raw_read_fixed_disk(virsh_t)
|
||||
|
||||
|
|
@ -118545,7 +118572,7 @@ index f03dcf567..529ae6612 100644
|
|||
|
||||
tunable_policy(`virt_use_nfs',`
|
||||
fs_manage_nfs_dirs(virsh_t)
|
||||
@@ -856,14 +1146,20 @@ optional_policy(`
|
||||
@@ -856,14 +1147,20 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -118567,7 +118594,7 @@ index f03dcf567..529ae6612 100644
|
|||
xen_stream_connect(virsh_t)
|
||||
xen_stream_connect_xenstore(virsh_t)
|
||||
')
|
||||
@@ -888,49 +1184,66 @@ optional_policy(`
|
||||
@@ -888,49 +1185,66 @@ optional_policy(`
|
||||
kernel_read_xen_state(virsh_ssh_t)
|
||||
kernel_write_xen_state(virsh_ssh_t)
|
||||
|
||||
|
|
@ -118652,7 +118679,7 @@ index f03dcf567..529ae6612 100644
|
|||
|
||||
corecmd_exec_bin(virtd_lxc_t)
|
||||
corecmd_exec_shell(virtd_lxc_t)
|
||||
@@ -942,17 +1255,16 @@ dev_read_urand(virtd_lxc_t)
|
||||
@@ -942,17 +1256,16 @@ dev_read_urand(virtd_lxc_t)
|
||||
|
||||
domain_use_interactive_fds(virtd_lxc_t)
|
||||
|
||||
|
|
@ -118672,7 +118699,7 @@ index f03dcf567..529ae6612 100644
|
|||
fs_getattr_all_fs(virtd_lxc_t)
|
||||
fs_manage_tmpfs_dirs(virtd_lxc_t)
|
||||
fs_manage_tmpfs_chr_files(virtd_lxc_t)
|
||||
@@ -964,8 +1276,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
|
||||
@@ -964,8 +1277,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
|
||||
fs_unmount_all_fs(virtd_lxc_t)
|
||||
fs_relabelfrom_tmpfs(virtd_lxc_t)
|
||||
|
||||
|
|
@ -118696,7 +118723,7 @@ index f03dcf567..529ae6612 100644
|
|||
selinux_get_enforce_mode(virtd_lxc_t)
|
||||
selinux_get_fs_mount(virtd_lxc_t)
|
||||
selinux_validate_context(virtd_lxc_t)
|
||||
@@ -974,194 +1301,296 @@ selinux_compute_create_context(virtd_lxc_t)
|
||||
@@ -974,194 +1302,296 @@ selinux_compute_create_context(virtd_lxc_t)
|
||||
selinux_compute_relabel_context(virtd_lxc_t)
|
||||
selinux_compute_user_contexts(virtd_lxc_t)
|
||||
|
||||
|
|
@ -119140,7 +119167,7 @@ index f03dcf567..529ae6612 100644
|
|||
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
|
||||
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
|
||||
@@ -1174,12 +1603,12 @@ dev_read_sysfs(virt_qmf_t)
|
||||
@@ -1174,12 +1604,12 @@ dev_read_sysfs(virt_qmf_t)
|
||||
dev_read_rand(virt_qmf_t)
|
||||
dev_read_urand(virt_qmf_t)
|
||||
|
||||
|
|
@ -119155,7 +119182,7 @@ index f03dcf567..529ae6612 100644
|
|||
sysnet_read_config(virt_qmf_t)
|
||||
|
||||
optional_policy(`
|
||||
@@ -1192,7 +1621,7 @@ optional_policy(`
|
||||
@@ -1192,7 +1622,7 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -119164,7 +119191,7 @@ index f03dcf567..529ae6612 100644
|
|||
#
|
||||
|
||||
allow virt_bridgehelper_t self:process { setcap getcap };
|
||||
@@ -1201,11 +1630,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
||||
@@ -1201,11 +1631,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
||||
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
|
||||
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@
|
|||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 286%{?dist}
|
||||
Release: 287%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
|
|
@ -682,6 +682,13 @@ exit 0
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Sep 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-287
|
||||
- Allow init noatsecure httpd_t
|
||||
- Allow mysqld_t domain to mmap mysqld db files. BZ(1483331)
|
||||
- Allow unconfined_t domain to create new users with proper SELinux lables
|
||||
- Allow init noatsecure httpd_t
|
||||
- Label tcp port 3269 as ldap_port_t
|
||||
|
||||
* Mon Sep 18 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-286
|
||||
- Add new boolean tomcat_read_rpm_db()
|
||||
- Allow tomcat to connect on mysqld tcp ports
|
||||
|
|
|
|||
Loading…
Reference in New Issue