- Allow ldconfig to write to kdumpctl fifo files
- allow neutron to connect to amqp ports - Allow kdump_manage_crash to list the kdump_crash_t directory - Allow glance-api to connect to amqp port - Allow virt_qemu_ga_t to read meminfo - Add antivirus_home_t type for antivirus date in HOMEDIRS - Allow mpd setcap which is needed by pulseaudio - Allow smbcontrol to create content in /var/lib/samba - Allow mozilla_exec_t to be used as a entrypoint to mozilla_domtrans_spec - Add additional labeling for qemu-ga/fsfreeze-hook.d scripts - amanda_exec_t needs to be executable file - Allow block_suspend cap for samba-net - Allow apps that read ipsec_mgmt_var_run_t to search ipsec_var_run_t - Allow init_t to run crash utility - Treat usr_t just like bin_t for transitions and executions - Add port definition of pka_ca to port 829 for openshift - Allow selinux_store to use symlinks
This commit is contained in:
parent
0d477c9190
commit
fcf0156ca3
@ -3582,7 +3582,7 @@ index 644d4d7..f9bcd44 100644
+/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 9e9263a..7f08657 100644
index 9e9263a..77e6c8c 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -8,6 +8,22 @@
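Review bot: The file-context line `/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0)` labels every file under any gem's agents directory, for every gem version, as bin_t, so non-script data stored there becomes executable-typed as well. If only the agent scripts need to be executable, the pattern should end in the script names (or `.*\.rb`) rather than the catch-all `(/.*)?`. The VBoxManage entry is narrow (`--`, single file) and raises no concern. The outer file section this hunk belongs to starts before this page.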
@ -3608,7 +3608,19 @@ index 9e9263a..7f08657 100644
########################################
## <summary>
## Make the specified type usable for files
@@ -122,6 +138,7 @@ interface(`corecmd_search_bin',`
@@ -68,9 +84,11 @@ interface(`corecmd_bin_alias',`
interface(`corecmd_bin_entry_type',`
gen_require(`
type bin_t;
+ type usr_t;
')
domain_entry_file($1, bin_t)
+ domain_entry_file($1, usr_t)
')
########################################
@@ -122,6 +140,7 @@ interface(`corecmd_search_bin',`
type bin_t;
')
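Review bot: `domain_entry_file($1, usr_t)` in corecmd_bin_entry_type makes every usr_t-labelled file a valid entry point for any domain that calls this interface, which is far broader than bin_t: usr_t is the default label for most of /usr, so any stray or mislabelled file there becomes a candidate entrypoint, and the corecmd_bin_spec_domtrans / corecmd_bin_domtrans hunks further down (only partly shown) inherit the same breadth for their transition rules. If "treat usr_t just like bin_t" is really the intent, the interface's `## <summary>` block, which sits before this hunk, should state it, e.g. `## Make the specified type usable for files in bin directories; on this distribution usr_t files are accepted as entry points too.`. Otherwise labelling the specific helper paths bin_t in corecommands.fc is the tighter fix. The gen_require block now pulls `type usr_t;` from the files module, so the cross-module dependency should be noted there as well.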
@ -3616,7 +3628,7 @@ index 9e9263a..7f08657 100644
search_dirs_pattern($1, bin_t, bin_t)
')
@@ -158,6 +175,7 @@ interface(`corecmd_list_bin',`
@@ -158,6 +177,7 @@ interface(`corecmd_list_bin',`
type bin_t;
')
@ -3624,7 +3636,7 @@ index 9e9263a..7f08657 100644
list_dirs_pattern($1, bin_t, bin_t)
')
@@ -203,7 +221,7 @@ interface(`corecmd_getattr_bin_files',`
@@ -203,7 +223,7 @@ interface(`corecmd_getattr_bin_files',`
## </summary>
## <param name="domain">
## <summary>
@ -3633,7 +3645,7 @@ index 9e9263a..7f08657 100644
## </summary>
## </param>
#
@@ -231,6 +249,7 @@ interface(`corecmd_read_bin_files',`
@@ -231,6 +251,7 @@ interface(`corecmd_read_bin_files',`
type bin_t;
')
@ -3641,7 +3653,7 @@ index 9e9263a..7f08657 100644
read_files_pattern($1, bin_t, bin_t)
')
@@ -254,6 +273,24 @@ interface(`corecmd_dontaudit_write_bin_files',`
@@ -254,6 +275,24 @@ interface(`corecmd_dontaudit_write_bin_files',`
########################################
## <summary>
@ -3666,7 +3678,7 @@ index 9e9263a..7f08657 100644
## Read symbolic links in bin directories.
## </summary>
## <param name="domain">
@@ -285,6 +322,7 @@ interface(`corecmd_read_bin_pipes',`
@@ -285,6 +324,7 @@ interface(`corecmd_read_bin_pipes',`
type bin_t;
')
@ -3674,7 +3686,7 @@ index 9e9263a..7f08657 100644
read_fifo_files_pattern($1, bin_t, bin_t)
')
@@ -303,6 +341,7 @@ interface(`corecmd_read_bin_sockets',`
@@ -303,6 +343,7 @@ interface(`corecmd_read_bin_sockets',`
type bin_t;
')
@ -3682,7 +3694,7 @@ index 9e9263a..7f08657 100644
read_sock_files_pattern($1, bin_t, bin_t)
')
@@ -345,6 +384,10 @@ interface(`corecmd_exec_bin',`
@@ -345,6 +386,10 @@ interface(`corecmd_exec_bin',`
read_lnk_files_pattern($1, bin_t, bin_t)
list_dirs_pattern($1, bin_t, bin_t)
can_exec($1, bin_t)
@ -3693,7 +3705,7 @@ index 9e9263a..7f08657 100644
')
########################################
@@ -362,6 +405,7 @@ interface(`corecmd_manage_bin_files',`
@@ -362,6 +407,7 @@ interface(`corecmd_manage_bin_files',`
type bin_t;
')
@ -3701,7 +3713,7 @@ index 9e9263a..7f08657 100644
manage_files_pattern($1, bin_t, bin_t)
')
@@ -398,6 +442,7 @@ interface(`corecmd_mmap_bin_files',`
@@ -398,6 +444,7 @@ interface(`corecmd_mmap_bin_files',`
type bin_t;
')
@ -3709,7 +3721,7 @@ index 9e9263a..7f08657 100644
mmap_files_pattern($1, bin_t, bin_t)
')
@@ -440,10 +485,14 @@ interface(`corecmd_mmap_bin_files',`
@@ -440,10 +487,14 @@ interface(`corecmd_mmap_bin_files',`
interface(`corecmd_bin_spec_domtrans',`
gen_require(`
type bin_t;
@ -3724,7 +3736,7 @@ index 9e9263a..7f08657 100644
')
########################################
@@ -483,10 +532,12 @@ interface(`corecmd_bin_spec_domtrans',`
@@ -483,10 +534,12 @@ interface(`corecmd_bin_spec_domtrans',`
interface(`corecmd_bin_domtrans',`
gen_require(`
type bin_t;
@ -3737,7 +3749,7 @@ index 9e9263a..7f08657 100644
')
########################################
@@ -945,6 +996,7 @@ interface(`corecmd_shell_domtrans',`
@@ -945,6 +998,7 @@ interface(`corecmd_shell_domtrans',`
interface(`corecmd_exec_chroot',`
gen_require(`
type chroot_exec_t;
@ -3745,7 +3757,7 @@ index 9e9263a..7f08657 100644
')
read_lnk_files_pattern($1, bin_t, bin_t)
@@ -954,6 +1006,24 @@ interface(`corecmd_exec_chroot',`
@@ -954,6 +1008,24 @@ interface(`corecmd_exec_chroot',`
########################################
## <summary>
@ -3770,7 +3782,7 @@ index 9e9263a..7f08657 100644
## Get the attributes of all executable files.
## </summary>
## <param name="domain">
@@ -1012,6 +1082,10 @@ interface(`corecmd_exec_all_executables',`
@@ -1012,6 +1084,10 @@ interface(`corecmd_exec_all_executables',`
can_exec($1, exec_type)
list_dirs_pattern($1, bin_t, bin_t)
read_lnk_files_pattern($1, bin_t, exec_type)
@ -3781,7 +3793,7 @@ index 9e9263a..7f08657 100644
')
########################################
@@ -1049,6 +1123,7 @@ interface(`corecmd_manage_all_executables',`
@@ -1049,6 +1125,7 @@ interface(`corecmd_manage_all_executables',`
type bin_t;
')
@ -3789,7 +3801,7 @@ index 9e9263a..7f08657 100644
manage_files_pattern($1, bin_t, exec_type)
manage_lnk_files_pattern($1, bin_t, bin_t)
')
@@ -1091,3 +1166,36 @@ interface(`corecmd_mmap_all_executables',`
@@ -1091,3 +1168,36 @@ interface(`corecmd_mmap_all_executables',`
mmap_files_pattern($1, bin_t, exec_type)
')
@ -5411,7 +5423,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 4edc40d..cbc0e69 100644
index 4edc40d..836d056 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@ -5641,7 +5653,7 @@ index 4edc40d..cbc0e69 100644
network_port(pegasus_https, tcp,5989,s0)
network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
network_port(pingd, tcp,9125,s0)
+network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443-9447, s0)
+network_port(pki_ca, tcp, 829, s0, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443-9447, s0)
+network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443-10446, s0)
+network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443-11446, s0)
+network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443-13446, s0)
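Review bot: The replacement `network_port(pki_ca, tcp, 829, s0, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443-9447, s0)` folds a privileged port (below 1024) into the same pki_ca_port_t type as the existing high ports, so every domain that already holds bind or connect rules for pki_ca silently gains 829 as well; the rules granting that port type should be checked for callers that only needed the 9xxx range. Both the previous and the new pki_ca definitions appear in this hunk because the outer +/- markers are lost in this rendering; only the 829 variant should survive on the new side. The commit message calls the definition `pka_ca` while the line defines `pki_ca`, so the message should use the type's actual name.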
@ -27634,7 +27646,7 @@ index 24e7804..c4155c7 100644
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index dd3be8d..b717a9e 100644
index dd3be8d..729cc4f 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(`
@ -27875,7 +27887,7 @@ index dd3be8d..b717a9e 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
@@ -186,29 +274,182 @@ ifdef(`distro_gentoo',`
@@ -186,29 +274,186 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@ -27902,20 +27914,24 @@ index dd3be8d..b717a9e 100644
+storage_raw_rw_fixed_disk(init_t)
+
+optional_policy(`
+ kdump_read_crash(init_t)
+')
+
+optional_policy(`
+ gnome_filetrans_home_content(init_t)
+')
+
+optional_policy(`
+ iscsi_read_lib_files(init_t)
+')
+
+optional_policy(`
+ modutils_domtrans_insmod(init_t)
+ modutils_list_module_config(init_t)
')
optional_policy(`
- auth_rw_login_records(init_t)
+ iscsi_read_lib_files(init_t)
')
optional_policy(`
+ modutils_domtrans_insmod(init_t)
+ modutils_list_module_config(init_t)
+')
+
+optional_policy(`
+ postfix_exec(init_t)
+ postfix_list_spool(init_t)
+ mta_read_aliases(init_t)
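Review bot: `iscsi_read_lib_files(init_t)` and the `modutils_domtrans_insmod(init_t)` / `modutils_list_module_config(init_t)` pair each appear twice in this hunk; with the outer +/- markers lost in this rendering I cannot tell whether one copy is the removed old text, but if both land in the patched init.te they are redundant optional_policy blocks and should be collapsed into one. `modutils_domtrans_insmod(init_t)` lets the most privileged userspace domain transition into the module-loading domain, which is a notable widening that the commit message does not mention; a one-line comment above it naming the boot-time caller that needs it would help the next reviewer. The enclosing ifdef(`distro_redhat') block starts before this hunk and the surrounding optional_policy blocks continue past it.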
@ -28039,9 +28055,9 @@ index dd3be8d..b717a9e 100644
+optional_policy(`
+ lvm_rw_pipes(init_t)
+ lvm_read_config(init_t)
+')
+
+optional_policy(`
')
optional_policy(`
+ consolekit_manage_log(init_t)
+')
+
@ -28049,24 +28065,24 @@ index dd3be8d..b717a9e 100644
+ dbus_connect_system_bus(init_t)
dbus_system_bus_client(init_t)
+ dbus_delete_pid_files(init_t)
')
optional_policy(`
- nscd_use(init_t)
+')
+
+optional_policy(`
+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
+ # the directory. But we do not want to allow this.
+ # The master process of dovecot will manage this file.
+ dovecot_dontaudit_unlink_lib_files(initrc_t)
+')
+
+optional_policy(`
')
optional_policy(`
- nscd_use(init_t)
+ plymouthd_stream_connect(init_t)
+ plymouthd_exec_plymouth(init_t)
')
optional_policy(`
@@ -216,7 +457,29 @@ optional_policy(`
@@ -216,7 +461,29 @@ optional_policy(`
')
optional_policy(`
@ -28096,7 +28112,7 @@ index dd3be8d..b717a9e 100644
')
########################################
@@ -225,8 +488,9 @@ optional_policy(`
@@ -225,8 +492,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -28108,7 +28124,7 @@ index dd3be8d..b717a9e 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
@@ -257,12 +521,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
@@ -257,12 +525,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -28125,7 +28141,7 @@ index dd3be8d..b717a9e 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
@@ -278,23 +546,36 @@ kernel_change_ring_buffer_level(initrc_t)
@@ -278,23 +550,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@ -28168,7 +28184,7 @@ index dd3be8d..b717a9e 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
@@ -302,9 +583,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
@@ -302,9 +587,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@ -28180,7 +28196,7 @@ index dd3be8d..b717a9e 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
@@ -312,8 +595,10 @@ dev_write_framebuffer(initrc_t)
@@ -312,8 +599,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@ -28191,7 +28207,7 @@ index dd3be8d..b717a9e 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
@@ -321,8 +606,7 @@ dev_manage_generic_files(initrc_t)
@@ -321,8 +610,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@ -28201,7 +28217,7 @@ index dd3be8d..b717a9e 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
@@ -331,7 +615,6 @@ domain_sigstop_all_domains(initrc_t)
@@ -331,7 +619,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@ -28209,7 +28225,7 @@ index dd3be8d..b717a9e 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
@@ -339,6 +622,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
@@ -339,6 +626,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@ -28217,7 +28233,7 @@ index dd3be8d..b717a9e 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
@@ -346,14 +630,15 @@ files_getattr_all_symlinks(initrc_t)
@@ -346,14 +634,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@ -28235,7 +28251,7 @@ index dd3be8d..b717a9e 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
@@ -363,8 +648,12 @@ files_list_isid_type_dirs(initrc_t)
@@ -363,8 +652,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@ -28249,7 +28265,7 @@ index dd3be8d..b717a9e 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
@@ -374,10 +663,11 @@ fs_mount_all_fs(initrc_t)
@@ -374,10 +667,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@ -28263,7 +28279,7 @@ index dd3be8d..b717a9e 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
@@ -386,6 +676,7 @@ mls_process_read_up(initrc_t)
@@ -386,6 +680,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@ -28271,7 +28287,7 @@ index dd3be8d..b717a9e 100644
selinux_get_enforce_mode(initrc_t)
@@ -397,6 +688,7 @@ term_use_all_terms(initrc_t)
@@ -397,6 +692,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@ -28279,7 +28295,7 @@ index dd3be8d..b717a9e 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
@@ -415,20 +707,18 @@ logging_read_all_logs(initrc_t)
@@ -415,20 +711,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@ -28303,7 +28319,7 @@ index dd3be8d..b717a9e 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
@@ -450,7 +740,6 @@ ifdef(`distro_gentoo',`
@@ -450,7 +744,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@ -28311,7 +28327,7 @@ index dd3be8d..b717a9e 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
@@ -485,6 +774,10 @@ ifdef(`distro_gentoo',`
@@ -485,6 +778,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@ -28322,7 +28338,7 @@ index dd3be8d..b717a9e 100644
alsa_read_lib(initrc_t)
')
@@ -505,7 +798,7 @@ ifdef(`distro_redhat',`
@@ -505,7 +802,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@ -28331,7 +28347,7 @@ index dd3be8d..b717a9e 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
@@ -520,6 +813,7 @@ ifdef(`distro_redhat',`
@@ -520,6 +817,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@ -28339,7 +28355,7 @@ index dd3be8d..b717a9e 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
@@ -540,6 +834,7 @@ ifdef(`distro_redhat',`
@@ -540,6 +838,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@ -28347,7 +28363,7 @@ index dd3be8d..b717a9e 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
@@ -549,8 +844,44 @@ ifdef(`distro_redhat',`
@@ -549,8 +848,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@ -28392,7 +28408,7 @@ index dd3be8d..b717a9e 100644
')
optional_policy(`
@@ -558,14 +889,31 @@ ifdef(`distro_redhat',`
@@ -558,14 +893,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@ -28424,7 +28440,7 @@ index dd3be8d..b717a9e 100644
')
')
@@ -576,6 +924,39 @@ ifdef(`distro_suse',`
@@ -576,6 +928,39 @@ ifdef(`distro_suse',`
')
')
@ -28464,7 +28480,7 @@ index dd3be8d..b717a9e 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
@@ -588,6 +969,8 @@ optional_policy(`
@@ -588,6 +973,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@ -28473,7 +28489,7 @@ index dd3be8d..b717a9e 100644
')
optional_policy(`
@@ -609,6 +992,7 @@ optional_policy(`
@@ -609,6 +996,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@ -28481,7 +28497,7 @@ index dd3be8d..b717a9e 100644
')
optional_policy(`
@@ -625,6 +1009,17 @@ optional_policy(`
@@ -625,6 +1013,17 @@ optional_policy(`
')
optional_policy(`
@ -28499,7 +28515,7 @@ index dd3be8d..b717a9e 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
@@ -641,9 +1036,13 @@ optional_policy(`
@@ -641,9 +1040,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@ -28513,7 +28529,7 @@ index dd3be8d..b717a9e 100644
')
optional_policy(`
@@ -656,15 +1055,11 @@ optional_policy(`
@@ -656,15 +1059,11 @@ optional_policy(`
')
optional_policy(`
@ -28531,7 +28547,7 @@ index dd3be8d..b717a9e 100644
')
optional_policy(`
@@ -685,6 +1080,15 @@ optional_policy(`
@@ -685,6 +1084,15 @@ optional_policy(`
')
optional_policy(`
@ -28547,7 +28563,7 @@ index dd3be8d..b717a9e 100644
inn_exec_config(initrc_t)
')
@@ -725,6 +1129,7 @@ optional_policy(`
@@ -725,6 +1133,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@ -28555,7 +28571,7 @@ index dd3be8d..b717a9e 100644
')
optional_policy(`
@@ -742,7 +1147,13 @@ optional_policy(`
@@ -742,7 +1151,13 @@ optional_policy(`
')
optional_policy(`
@ -28570,7 +28586,7 @@ index dd3be8d..b717a9e 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
@@ -765,6 +1176,10 @@ optional_policy(`
@@ -765,6 +1180,10 @@ optional_policy(`
')
optional_policy(`
@ -28581,7 +28597,7 @@ index dd3be8d..b717a9e 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
@@ -774,10 +1189,20 @@ optional_policy(`
@@ -774,10 +1193,20 @@ optional_policy(`
')
optional_policy(`
@ -28602,7 +28618,7 @@ index dd3be8d..b717a9e 100644
quota_manage_flags(initrc_t)
')
@@ -786,6 +1211,10 @@ optional_policy(`
@@ -786,6 +1215,10 @@ optional_policy(`
')
optional_policy(`
@ -28613,7 +28629,7 @@ index dd3be8d..b717a9e 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
@@ -807,8 +1236,6 @@ optional_policy(`
@@ -807,8 +1240,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@ -28622,7 +28638,7 @@ index dd3be8d..b717a9e 100644
')
optional_policy(`
@@ -817,6 +1244,10 @@ optional_policy(`
@@ -817,6 +1248,10 @@ optional_policy(`
')
optional_policy(`
@ -28633,7 +28649,7 @@ index dd3be8d..b717a9e 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
@@ -826,10 +1257,12 @@ optional_policy(`
@@ -826,10 +1261,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@ -28646,7 +28662,7 @@ index dd3be8d..b717a9e 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
@@ -856,12 +1289,28 @@ optional_policy(`
@@ -856,12 +1293,28 @@ optional_policy(`
')
optional_policy(`
@ -28676,7 +28692,7 @@ index dd3be8d..b717a9e 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
@@ -871,6 +1320,18 @@ optional_policy(`
@@ -871,6 +1324,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@ -28695,7 +28711,7 @@ index dd3be8d..b717a9e 100644
')
optional_policy(`
@@ -886,6 +1347,10 @@ optional_policy(`
@@ -886,6 +1351,10 @@ optional_policy(`
')
optional_policy(`
@ -28706,7 +28722,7 @@ index dd3be8d..b717a9e 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
@@ -896,3 +1361,196 @@ optional_policy(`
@@ -896,3 +1365,196 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@ -28953,10 +28969,10 @@ index 662e79b..ef9370d 100644
+/var/run/pluto/ipsec\.info -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
+/var/run/pluto/ipsec_setup\.pid -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
index 0d4c8d3..a89c4a2 100644
index 0d4c8d3..f133407 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
@@ -55,6 +55,62 @@ interface(`ipsec_domtrans_mgmt',`
@@ -55,6 +55,63 @@ interface(`ipsec_domtrans_mgmt',`
domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t)
')
@ -29008,18 +29024,19 @@ index 0d4c8d3..a89c4a2 100644
+#
+interface(`ipsec_mgmt_read_pid',`
+ gen_require(`
+ type ipsec_var_run_t;
+ type ipsec_mgmt_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, ipsec_mgmt_var_run_t, ipsec_mgmt_var_run_t)
+ read_files_pattern($1, ipsec_var_run_t, ipsec_mgmt_var_run_t)
+')
+
+
########################################
## <summary>
## Connect to racoon using a unix domain stream socket.
@@ -120,7 +176,6 @@ interface(`ipsec_exec_mgmt',`
@@ -120,7 +177,6 @@ interface(`ipsec_exec_mgmt',`
## </summary>
## </param>
#
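Review bot: The new ipsec_mgmt_read_pid interface ends with two consecutive added blank lines (`+` followed by `+`) before the next `########################################` banner; refpolicy .if files separate interfaces with a single blank line, so one of them should go. The second rule, `read_files_pattern($1, ipsec_var_run_t, ipsec_mgmt_var_run_t)`, grants search on ipsec_var_run_t directories only as a side effect of the pattern, which is what the commit message ("search ipsec_var_run_t") wants; a short comment above it, e.g. `# pluto's pid/info files live under the daemon's run dir`, would make that intent explicit. The interface's summary/param block sits before this hunk and should name ipsec_var_run_t as a second directory type that is searched.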
@ -29027,7 +29044,7 @@ index 0d4c8d3..a89c4a2 100644
interface(`ipsec_signal_mgmt',`
gen_require(`
type ipsec_mgmt_t;
@@ -139,7 +194,6 @@ interface(`ipsec_signal_mgmt',`
@@ -139,7 +195,6 @@ interface(`ipsec_signal_mgmt',`
## </summary>
## </param>
#
@ -29035,7 +29052,7 @@ index 0d4c8d3..a89c4a2 100644
interface(`ipsec_signull_mgmt',`
gen_require(`
type ipsec_mgmt_t;
@@ -158,7 +212,6 @@ interface(`ipsec_signull_mgmt',`
@@ -158,7 +213,6 @@ interface(`ipsec_signull_mgmt',`
## </summary>
## </param>
#
@ -29043,7 +29060,7 @@ index 0d4c8d3..a89c4a2 100644
interface(`ipsec_kill_mgmt',`
gen_require(`
type ipsec_mgmt_t;
@@ -167,6 +220,60 @@ interface(`ipsec_kill_mgmt',`
@@ -167,6 +221,60 @@ interface(`ipsec_kill_mgmt',`
allow $1 ipsec_mgmt_t:process sigkill;
')
@ -29104,7 +29121,7 @@ index 0d4c8d3..a89c4a2 100644
######################################
## <summary>
## Send and receive messages from
@@ -225,6 +332,7 @@ interface(`ipsec_match_default_spd',`
@@ -225,6 +333,7 @@ interface(`ipsec_match_default_spd',`
allow $1 ipsec_spd_t:association polmatch;
allow $1 self:association sendto;
@ -29112,7 +29129,7 @@ index 0d4c8d3..a89c4a2 100644
')
########################################
@@ -369,3 +477,26 @@ interface(`ipsec_run_setkey',`
@@ -369,3 +478,26 @@ interface(`ipsec_run_setkey',`
ipsec_domtrans_setkey($1)
role $2 types setkey_t;
')
@ -29140,7 +29157,7 @@ index 0d4c8d3..a89c4a2 100644
+ ps_process_pattern($1, ipsec_mgmt_t)
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 9e54bf9..788c774 100644
index 9e54bf9..5975418 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@ -29263,8 +29280,11 @@ index 9e54bf9..788c774 100644
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
allow ipsec_mgmt_t self:key_socket create_socket_perms;
@@ -210,10 +228,11 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
@@ -208,12 +226,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
+filetrans_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_mgmt_var_run_t, file)
manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
+manage_dirs_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
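Review bot: `filetrans_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_mgmt_var_run_t, file)` carries no filename argument, so every file ipsec_mgmt_t creates under an ipsec_var_run_t directory is typed ipsec_mgmt_var_run_t, not only the two the new file contexts name (ipsec.info and ipsec_setup.pid); anything else the management scripts drop there is then readable by every caller of ipsec_mgmt_read_pid. This policy already uses named transitions (`files_etc_filetrans($1, machineid_t, file, "machine-id" )` earlier on this page), so the tighter form is `filetrans_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_mgmt_var_run_t, file, "ipsec.info")` plus a second line for "ipsec_setup.pid". The added `manage_dirs_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)` hands the management domain full control of the daemon's runtime directory; if that is deliberate a one-line comment naming which script needs to create or remove it would help the next reader.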
@ -29276,7 +29296,7 @@ index 9e54bf9..788c774 100644
# _realsetup needs to be able to cat /var/run/pluto.pid,
# run ps on that pid, and delete the file
@@ -246,6 +265,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
@@ -246,6 +266,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t)
@ -29293,7 +29313,7 @@ index 9e54bf9..788c774 100644
files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)
@@ -255,6 +284,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
@@ -255,6 +285,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
corecmd_exec_bin(ipsec_mgmt_t)
corecmd_exec_shell(ipsec_mgmt_t)
@ -29302,7 +29322,7 @@ index 9e54bf9..788c774 100644
dev_read_rand(ipsec_mgmt_t)
dev_read_urand(ipsec_mgmt_t)
@@ -278,9 +309,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
@@ -278,9 +310,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
@ -29314,7 +29334,7 @@ index 9e54bf9..788c774 100644
init_read_utmp(ipsec_mgmt_t)
init_use_script_ptys(ipsec_mgmt_t)
@@ -290,15 +322,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
@@ -290,15 +323,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
logging_send_syslog_msg(ipsec_mgmt_t)
@ -29338,7 +29358,7 @@ index 9e54bf9..788c774 100644
optional_policy(`
consoletype_exec(ipsec_mgmt_t)
@@ -322,6 +357,10 @@ optional_policy(`
@@ -322,6 +358,10 @@ optional_policy(`
')
optional_policy(`
@ -29349,7 +29369,7 @@ index 9e54bf9..788c774 100644
modutils_domtrans_insmod(ipsec_mgmt_t)
')
@@ -335,7 +374,7 @@ optional_policy(`
@@ -335,7 +375,7 @@ optional_policy(`
#
allow racoon_t self:capability { net_admin net_bind_service };
@ -29358,7 +29378,7 @@ index 9e54bf9..788c774 100644
allow racoon_t self:unix_dgram_socket { connect create ioctl write };
allow racoon_t self:netlink_selinux_socket { bind create read };
allow racoon_t self:udp_socket create_socket_perms;
@@ -370,13 +409,12 @@ kernel_request_load_module(racoon_t)
@@ -370,13 +410,12 @@ kernel_request_load_module(racoon_t)
corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
@ -29378,7 +29398,7 @@ index 9e54bf9..788c774 100644
corenet_udp_bind_isakmp_port(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t)
@@ -401,10 +439,10 @@ locallogin_use_fds(racoon_t)
@@ -401,10 +440,10 @@ locallogin_use_fds(racoon_t)
|
||||
logging_send_syslog_msg(racoon_t)
|
||||
logging_send_audit_msgs(racoon_t)
|
||||
|
||||
@ -29391,7 +29411,7 @@ index 9e54bf9..788c774 100644
|
||||
auth_can_read_shadow_passwords(racoon_t)
|
||||
tunable_policy(`racoon_read_shadow',`
|
||||
auth_tunable_read_shadow(racoon_t)
|
||||
@@ -438,9 +476,9 @@ corenet_setcontext_all_spds(setkey_t)
|
||||
@@ -438,9 +477,9 @@ corenet_setcontext_all_spds(setkey_t)
|
||||
|
||||
locallogin_use_fds(setkey_t)
|
||||
|
||||
|
@ -2023,16 +2023,17 @@ index 7f4dfbc..4d750fa 100644
|
||||
/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
|
||||
|
||||
diff --git a/amanda.te b/amanda.te
|
||||
index ed45974..cd5a4fa 100644
|
||||
index ed45974..d4df671 100644
|
||||
--- a/amanda.te
|
||||
+++ b/amanda.te
|
||||
@@ -9,11 +9,13 @@ attribute_role amanda_recover_roles;
|
||||
@@ -9,11 +9,14 @@ attribute_role amanda_recover_roles;
|
||||
roleattribute system_r amanda_recover_roles;
|
||||
|
||||
type amanda_t;
|
||||
+type amanda_exec_t;
|
||||
type amanda_inetd_exec_t;
|
||||
-inetd_service_domain(amanda_t, amanda_inetd_exec_t)
|
||||
+application_executable_file(amanda_exec_t)
|
||||
+init_daemon_domain(amanda_t, amanda_inetd_exec_t)
|
||||
+role system_r types amanda_t;
|
||||
|
||||
@ -2043,7 +2044,7 @@ index ed45974..cd5a4fa 100644
|
||||
|
||||
type amanda_log_t;
|
||||
logging_log_file(amanda_log_t)
|
||||
@@ -60,7 +62,7 @@ optional_policy(`
|
||||
@@ -60,7 +63,7 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow amanda_t self:capability { chown dac_override setuid kill };
|
||||
@ -2052,7 +2053,7 @@ index ed45974..cd5a4fa 100644
|
||||
allow amanda_t self:fifo_file rw_fifo_file_perms;
|
||||
allow amanda_t self:unix_stream_socket { accept listen };
|
||||
allow amanda_t self:tcp_socket { accept listen };
|
||||
@@ -71,6 +73,7 @@ allow amanda_t amanda_config_t:file read_file_perms;
|
||||
@@ -71,6 +74,7 @@ allow amanda_t amanda_config_t:file read_file_perms;
|
||||
|
||||
manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
|
||||
manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
|
||||
@ -2060,7 +2061,7 @@ index ed45974..cd5a4fa 100644
|
||||
filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
|
||||
|
||||
allow amanda_t amanda_dumpdates_t:file rw_file_perms;
|
||||
@@ -100,13 +103,14 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
|
||||
@@ -100,13 +104,14 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
|
||||
corecmd_exec_shell(amanda_t)
|
||||
corecmd_exec_bin(amanda_t)
|
||||
|
||||
@ -2076,7 +2077,7 @@ index ed45974..cd5a4fa 100644
|
||||
corenet_sendrecv_all_server_packets(amanda_t)
|
||||
corenet_tcp_bind_all_rpc_ports(amanda_t)
|
||||
corenet_tcp_bind_generic_port(amanda_t)
|
||||
@@ -170,7 +174,6 @@ kernel_read_system_state(amanda_recover_t)
|
||||
@@ -170,7 +175,6 @@ kernel_read_system_state(amanda_recover_t)
|
||||
corecmd_exec_shell(amanda_recover_t)
|
||||
corecmd_exec_bin(amanda_recover_t)
|
||||
|
||||
@ -2084,7 +2085,7 @@ index ed45974..cd5a4fa 100644
|
||||
corenet_all_recvfrom_netlabel(amanda_recover_t)
|
||||
corenet_tcp_sendrecv_generic_if(amanda_recover_t)
|
||||
corenet_udp_sendrecv_generic_if(amanda_recover_t)
|
||||
@@ -195,12 +198,16 @@ files_search_tmp(amanda_recover_t)
|
||||
@@ -195,12 +199,16 @@ files_search_tmp(amanda_recover_t)
|
||||
|
||||
auth_use_nsswitch(amanda_recover_t)
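Review bot: `role system_r types amanda_t;` on the line after `init_daemon_domain(amanda_t, amanda_inetd_exec_t)` looks redundant, because in reference policy `init_daemon_domain` already performs that role assignment; if the refpolicy version targeted here behaves the same, the explicit line can go. The new `amanda_exec_t` is declared and made an `application_executable_file`, but no `domain_entry_file` or `domtrans_pattern` pairing it with `amanda_t` is visible in these hunks, so it is unclear from here whether executing an `amanda_exec_t` file enters the confined domain or simply runs in the caller's domain. Either the missing entry rule or a comment such as `# amanda_exec_t: helper binaries run by amanda_t, not a domain entrypoint` next to the type declaration would settle that. Switching from `inetd_service_domain` to `init_daemon_domain` also changes which domain is allowed to start `amanda_t`; the rest of amanda.te lies outside these hunks.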
|
||||
|
||||
@ -2682,10 +2683,10 @@ index 0000000..df5b3be
|
||||
+')
|
||||
diff --git a/antivirus.te b/antivirus.te
|
||||
new file mode 100644
|
||||
index 0000000..e10fe0d
|
||||
index 0000000..fd48ed9
|
||||
--- /dev/null
|
||||
+++ b/antivirus.te
|
||||
@@ -0,0 +1,261 @@
|
||||
@@ -0,0 +1,269 @@
|
||||
+policy_module(antivirus, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -2740,6 +2741,9 @@ index 0000000..e10fe0d
|
||||
+typealias antivirus_db_t alias { amavis_var_lib_t amavis_quarantine_t amavis_spool_t clamd_var_lib_t };
|
||||
+files_type(antivirus_db_t)
|
||||
+
|
||||
+type antivirus_home_t;
|
||||
+userdom_user_home_content(antivirus_home_t)
|
||||
+
|
||||
+type antivirus_tmp_t;
|
||||
+typealias antivirus_tmp_t alias { amavis_tmp_t clamd_tmp_t clamscan_tmp_t };
|
||||
+files_tmp_file(antivirus_tmp_t)
|
||||
@ -2766,6 +2770,11 @@ index 0000000..e10fe0d
|
||||
+manage_lnk_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
|
||||
+manage_sock_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
|
||||
+
|
||||
+manage_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
|
||||
+manage_dirs_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
|
||||
+manage_lnk_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
|
||||
+manage_sock_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
|
||||
+
|
||||
+manage_dirs_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
|
||||
+manage_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
|
||||
+manage_sock_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
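Review bot: The four `manage_*_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)` rules grant full management of the new type, but nothing in this hunk lets `antivirus_domain` reach it: there is no `userdom_search_user_home_dirs(antivirus_domain)` for the path walk, no `userdom_user_home_dir_filetrans` creating `antivirus_home_t` under a home directory, and no file-context entry for it. Without a filetrans rule, files the scanner creates under HOME_DIR default to `user_home_t`, which these rules do not cover, and the type stays unused. If those pieces live elsewhere in the patch, a comment beside `type antivirus_home_t;` naming where the label is applied (the .fc entry or the filetrans rule) would let a reader verify the chain; if they do not, the rules above are dead until they are added.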
|
||||
@ -25155,7 +25164,7 @@ index 9eacb2c..229782f 100644
|
||||
init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
|
||||
domain_system_change_exemption($1)
|
||||
diff --git a/glance.te b/glance.te
|
||||
index e0a4f46..95cf77c 100644
|
||||
index e0a4f46..16dcb5b 100644
|
||||
--- a/glance.te
|
||||
+++ b/glance.te
|
||||
@@ -7,8 +7,7 @@ policy_module(glance, 1.0.2)
|
||||
@ -25236,7 +25245,7 @@ index e0a4f46..95cf77c 100644
|
||||
|
||||
logging_send_syslog_msg(glance_registry_t)
|
||||
|
||||
@@ -108,13 +112,21 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
|
||||
@@ -108,13 +112,22 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
|
||||
files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
|
||||
can_exec(glance_api_t, glance_tmp_t)
|
||||
|
||||
@ -25249,6 +25258,7 @@ index e0a4f46..95cf77c 100644
|
||||
|
||||
+corenet_tcp_bind_glance_port(glance_api_t)
|
||||
corenet_sendrecv_glance_registry_client_packets(glance_api_t)
|
||||
+corenet_tcp_connect_amqp_port(glance_api_t)
|
||||
corenet_tcp_connect_glance_registry_port(glance_api_t)
|
||||
+corenet_tcp_connect_mysqld_port(glance_api_t)
|
||||
+corenet_tcp_connect_http_port(glance_api_t)
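Review bot: `corenet_tcp_connect_http_port(glance_api_t)` is the broadest of the four new connect rules: it lets glance-api open a TCP connection to every port labeled `http_port_t`, not only the service it needs. The parallel change for `neutron_t` in quantum.te uses the narrower `corenet_tcp_connect_keystone_port`; if glance-api's outbound http use is an identity or object-store endpoint, the matching `corenet_tcp_connect_<service>_port` interface would keep the two modules consistent and the grant smaller. At minimum a trailing comment recording the peer, e.g. `corenet_tcp_connect_http_port(glance_api_t) # TODO(review): name the service reached over http_port_t`, keeps the grant auditable later.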
|
||||
@ -31888,7 +31898,7 @@ index a49ae4e..913a0e3 100644
|
||||
-/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
|
||||
+/var/crash(/.*)? gen_context(system_u:object_r:kdump_crash_t,s0)
|
||||
diff --git a/kdump.if b/kdump.if
|
||||
index 3a00b3a..7cc27b6 100644
|
||||
index 3a00b3a..dd70d05 100644
|
||||
--- a/kdump.if
|
||||
+++ b/kdump.if
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -31959,7 +31969,7 @@ index 3a00b3a..7cc27b6 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -56,10 +100,67 @@ interface(`kdump_read_config',`
|
||||
@@ -56,10 +100,68 @@ interface(`kdump_read_config',`
|
||||
allow $1 kdump_etc_t:file read_file_perms;
|
||||
')
|
||||
|
||||
@ -31980,7 +31990,7 @@ index 3a00b3a..7cc27b6 100644
|
||||
+
|
||||
+ files_search_var($1)
|
||||
+ read_files_pattern($1, kdump_crash_t, kdump_crash_t)
|
||||
+ list_dirs_pattern($1, kdump_crash_t, kdump_crash_t)
|
||||
+ list_dirs_pattern($1, kdump_crash_t, kdump_crash_t)
|
||||
+')
|
||||
+
|
||||
+
|
||||
@ -32001,6 +32011,7 @@ index 3a00b3a..7cc27b6 100644
|
||||
+
|
||||
+ files_search_var($1)
|
||||
+ manage_files_pattern($1, kdump_crash_t, kdump_crash_t)
|
||||
+ list_dirs_pattern($1, kdump_crash_t, kdump_crash_t)
|
||||
+')
|
||||
+
|
||||
+#####################################
|
||||
@ -32029,7 +32040,7 @@ index 3a00b3a..7cc27b6 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -76,10 +177,31 @@ interface(`kdump_manage_config',`
|
||||
@@ -76,10 +178,32 @@ interface(`kdump_manage_config',`
|
||||
allow $1 kdump_etc_t:file manage_file_perms;
|
||||
')
|
||||
|
||||
@ -32051,6 +32062,7 @@ index 3a00b3a..7cc27b6 100644
|
||||
+ files_search_tmp($1)
|
||||
+ manage_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
|
||||
+ manage_dirs_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
|
||||
+ manage_fifo_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
|
||||
+ manage_lnk_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
|
||||
+')
|
||||
+
|
||||
@ -32063,7 +32075,7 @@ index 3a00b3a..7cc27b6 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -88,19 +210,24 @@ interface(`kdump_manage_config',`
|
||||
@@ -88,19 +212,24 @@ interface(`kdump_manage_config',`
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
@ -32093,7 +32105,7 @@ index 3a00b3a..7cc27b6 100644
|
||||
|
||||
init_labeled_script_domtrans($1, kdump_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
@@ -110,6 +237,10 @@ interface(`kdump_admin',`
|
||||
@@ -110,6 +239,10 @@ interface(`kdump_admin',`
|
||||
files_search_etc($1)
|
||||
admin_pattern($1, kdump_etc_t)
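Review bot: `manage_fifo_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)` (line 2901, in an interface whose header is above the hunk) grants create, unlink and rename on kdumpctl's tmp fifos, while the changelog entry only asks for ldconfig to write to them; `rw_fifo_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)` covers that need, and a manage-level grant that ends up on `ldconfig_t` is harder to justify in an audit. In `kdump_read_crash` (ending at line 2830) two identical `list_dirs_pattern($1, kdump_crash_t, kdump_crash_t)` lines appear at 2824 and 2827; the rendered view lost the outer markers, so this is either an old/new pair (a whitespace fix) or a genuine duplicate, and is worth confirming in the raw patch. Since `/var/crash` (labeled `kdump_crash_t` in the preceding hunk) holds kernel memory dumps, every caller of `kdump_read_crash` or `kdump_manage_crash` gains read access to whatever was in kernel memory at crash time; a sentence to that effect in each interface's `<summary>` would make future callers think twice.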
|
||||
|
||||
@ -39189,7 +39201,7 @@ index 6ffaba2..154cade 100644
|
||||
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
|
||||
+')
|
||||
diff --git a/mozilla.if b/mozilla.if
|
||||
index 6194b80..f1a5676 100644
|
||||
index 6194b80..bb32d40 100644
|
||||
--- a/mozilla.if
|
||||
+++ b/mozilla.if
|
||||
@@ -1,146 +1,75 @@
|
||||
@ -39475,7 +39487,7 @@ index 6194b80..f1a5676 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -265,140 +173,152 @@ interface(`mozilla_exec_user_plugin_home_files',`
|
||||
@@ -265,140 +173,153 @@ interface(`mozilla_exec_user_plugin_home_files',`
|
||||
## </param>
|
||||
#
|
||||
interface(`mozilla_execmod_user_home_files',`
|
||||
@ -39537,6 +39549,7 @@ index 6194b80..f1a5676 100644
|
||||
|
||||
- corecmd_search_bin($1)
|
||||
- domtrans_pattern($1, mozilla_exec_t, mozilla_t)
|
||||
+ domain_entry_file($2, mozilla_exec_t)
|
||||
+ domtrans_pattern($1, mozilla_exec_t, $2)
|
||||
')
|
||||
|
||||
@ -39688,7 +39701,7 @@ index 6194b80..f1a5676 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -424,8 +344,7 @@ interface(`mozilla_dbus_chat',`
|
||||
@@ -424,8 +345,7 @@ interface(`mozilla_dbus_chat',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -39698,7 +39711,7 @@ index 6194b80..f1a5676 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -433,76 +352,126 @@ interface(`mozilla_dbus_chat',`
|
||||
@@ -433,76 +353,126 @@ interface(`mozilla_dbus_chat',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -39854,7 +39867,7 @@ index 6194b80..f1a5676 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -510,19 +479,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
|
||||
@@ -510,19 +480,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -39879,7 +39892,7 @@ index 6194b80..f1a5676 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -530,45 +498,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
|
||||
@@ -530,45 +499,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
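Review bot: The new `domain_entry_file($2, mozilla_exec_t)` makes `mozilla_exec_t` an entrypoint of whatever domain the caller passes as `$2`, a different contract from the old `domtrans_pattern($1, mozilla_exec_t, mozilla_t)`; the interface's summary and `<param>` block sit above this hunk and should state that `$2` must be a domain type the caller has already declared and that this interface adds an entrypoint to it. The removed `corecmd_search_bin($1)` means a caller that relied on this interface for search access to bin directories now fails the path walk to the executable unless it gets that access elsewhere. If the removal is deliberate, a note such as `# callers must supply corecmd_search_bin($1) themselves` beside the `domtrans_pattern` line prevents it being reread later as an oversight.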
|
||||
@ -41035,10 +41048,10 @@ index 5fa77c7..2e01c7d 100644
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 mpd_initrc_exec_t system_r;
|
||||
diff --git a/mpd.te b/mpd.te
|
||||
index 7c8afcc..2f41af9 100644
|
||||
index 7c8afcc..29d8881 100644
|
||||
--- a/mpd.te
|
||||
+++ b/mpd.te
|
||||
@@ -62,6 +62,9 @@ files_type(mpd_var_lib_t)
|
||||
@@ -62,18 +62,22 @@ files_type(mpd_var_lib_t)
|
||||
type mpd_user_data_t;
|
||||
userdom_user_home_content(mpd_user_data_t) # customizable
|
||||
|
||||
@ -41048,7 +41061,13 @@ index 7c8afcc..2f41af9 100644
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
@@ -74,6 +77,7 @@ allow mpd_t self:unix_stream_socket { accept connectto listen };
|
||||
#
|
||||
|
||||
allow mpd_t self:capability { dac_override kill setgid setuid };
|
||||
-allow mpd_t self:process { getsched setsched setrlimit signal signull };
|
||||
+allow mpd_t self:process { getsched setsched setrlimit signal signull setcap };
|
||||
allow mpd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow mpd_t self:unix_stream_socket { accept connectto listen };
|
||||
allow mpd_t self:unix_dgram_socket sendto;
|
||||
allow mpd_t self:tcp_socket { accept listen };
|
||||
allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms;
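Review bot: The `setcap` added to `allow mpd_t self:process { … }` has no comment explaining why a music daemon changes its own capability sets; the changelog attributes it to pulseaudio, and that reasoning belongs next to the rule, e.g. `# setcap: the pulseaudio client library adjusts the process capability sets`. Since the `self:capability` set on the preceding line carries no `setpcap`, this permission should in practice only let mpd_t shrink its capabilities (lowering permitted/effective does not require CAP_SETPCAP), which is the least-privilege outcome; if `setpcap` is ever added, the combination deserves a fresh look.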
|
||||
@ -66565,10 +66584,10 @@ index afc0068..3105104 100644
|
||||
+ ')
|
||||
')
|
||||
diff --git a/quantum.te b/quantum.te
|
||||
index 769d1fd..80a4b99 100644
|
||||
index 769d1fd..801835e 100644
|
||||
--- a/quantum.te
|
||||
+++ b/quantum.te
|
||||
@@ -1,96 +1,108 @@
|
||||
@@ -1,96 +1,109 @@
|
||||
-policy_module(quantum, 1.0.2)
|
||||
+policy_module(quantum, 1.0.3)
|
||||
|
||||
@ -66678,6 +66697,7 @@ index 769d1fd..80a4b99 100644
|
||||
-dev_read_urand(quantum_t)
|
||||
+corenet_tcp_bind_quantum_port(neutron_t)
|
||||
+corenet_tcp_connect_keystone_port(neutron_t)
|
||||
+corenet_tcp_connect_amqp_port(neutron_t)
|
||||
+corenet_tcp_connect_mysqld_port(neutron_t)
|
||||
|
||||
-files_read_usr_files(quantum_t)
|
||||
@ -76527,7 +76547,7 @@ index aee75af..a6bab06 100644
|
||||
+ allow $1 samba_unit_file_t:service all_service_perms;
|
||||
')
|
||||
diff --git a/samba.te b/samba.te
|
||||
index 57c034b..d48911d 100644
|
||||
index 57c034b..b1c78f8 100644
|
||||
--- a/samba.te
|
||||
+++ b/samba.te
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -77214,7 +77234,7 @@ index 57c034b..d48911d 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -600,17 +600,24 @@ optional_policy(`
|
||||
@@ -600,19 +600,26 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -77241,8 +77261,11 @@ index 57c034b..d48911d 100644
|
||||
|
||||
+files_search_var_lib(smbcontrol_t)
|
||||
samba_read_config(smbcontrol_t)
|
||||
samba_rw_var_files(smbcontrol_t)
|
||||
-samba_rw_var_files(smbcontrol_t)
|
||||
+manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
|
||||
samba_search_var(smbcontrol_t)
|
||||
samba_read_winbind_pid(smbcontrol_t)
|
||||
|
||||
@@ -620,16 +627,12 @@ domain_use_interactive_fds(smbcontrol_t)
|
||||
|
||||
dev_read_urand(smbcontrol_t)
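Review bot: Replacing `samba_rw_var_files(smbcontrol_t)` with `manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)` gives smbcontrol unlink and rename on every `samba_var_t` file under /var/lib/samba, including the databases smbd and winbind keep there, while the changelog only asks for it to create content. If create plus read/write is the real need, `create_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)` alongside the original `samba_rw_var_files(smbcontrol_t)` grants that without delete rights; if manage really is required, a short comment naming the file smbcontrol creates would justify the wider grant. The smbcontrol_t block continues outside the hunk.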
|
||||
@ -90698,10 +90721,10 @@ index 0be8535..b96e329 100644
|
||||
|
||||
optional_policy(`
|
||||
diff --git a/virt.fc b/virt.fc
|
||||
index c30da4c..b81eaa0 100644
|
||||
index c30da4c..459fbcf 100644
|
||||
--- a/virt.fc
|
||||
+++ b/virt.fc
|
||||
@@ -1,52 +1,86 @@
|
||||
@@ -1,52 +1,91 @@
|
||||
-HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
|
||||
-HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
|
||||
-HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
|
||||
@ -90765,18 +90788,18 @@ index c30da4c..b81eaa0 100644
|
||||
-/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
|
||||
-/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
|
||||
-/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh)
|
||||
-
|
||||
-/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
|
||||
-/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
|
||||
-/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
|
||||
-
|
||||
-/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
|
||||
+/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
|
||||
+/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
|
||||
+/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
|
||||
+/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
|
||||
+/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
|
||||
|
||||
-/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
|
||||
-/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
|
||||
-/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
|
||||
-
|
||||
-/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
|
||||
-
|
||||
-/var/run/libguestfs(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
|
||||
+/var/lock/xl -- gen_context(system_u:object_r:virt_log_t,s0)
|
||||
+/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
|
||||
@ -90816,16 +90839,21 @@ index c30da4c..b81eaa0 100644
|
||||
+/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
|
||||
+/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
|
||||
+
|
||||
+/usr/libexec/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0)
|
||||
+/etc/qemu-ga/fsfreeze-hook.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0)
|
||||
+/usr/libexec/qemu-ga/fsfreeze-hook.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0)
|
||||
+/var/run/qemu-ga/fsfreeze-hook.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0)
|
||||
+
|
||||
+/usr/libexec/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0)
|
||||
+
|
||||
+/usr/lib/systemd/system/virt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
|
||||
+/usr/lib/systemd/system/libvirt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
|
||||
+/usr/lib/systemd/system/.*xen.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
|
||||
+
|
||||
+/usr/bin/qemu-ga -- gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0)
|
||||
+
|
||||
+/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
|
||||
+/var/run/qga\.state -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
|
||||
+
|
||||
+/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
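Review bot: `/var/run/qemu-ga/fsfreeze-hook.d(/.*)?` labeled `virt_qemu_ga_unconfined_exec_t` turns a runtime directory into an entrypoint for an unconfined domain: any domain permitted to create files under /var/run/qemu-ga can place a script there that the guest agent will then run outside confinement, and `(/.*)?` labels every file in the tree, not only hook scripts. The /etc and /usr/libexec entries carry the same label but live in paths normally writable only by administrative domains, so the /var/run entry is the one that needs justification; if it is required, a comment recording which domain populates it and the filetrans rule that labels the directory (not in this hunk) should sit beside it, otherwise limiting the label to the two static paths is the safer default. Also `/usr/libexec/qemu-ga(/.*)?` appears twice on the new side (lines 3502 and 3517); unless that is an old/new pair lost in rendering, one of them should go.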
|
||||
diff --git a/virt.if b/virt.if
|
||||
index 9dec06c..4e31afe 100644
|
||||
@ -92515,7 +92543,7 @@ index 9dec06c..4e31afe 100644
|
||||
+ allow $1 svirt_image_t:chr_file rw_file_perms;
|
||||
')
|
||||
diff --git a/virt.te b/virt.te
|
||||
index 1f22fba..76ccef3 100644
|
||||
index 1f22fba..348df8f 100644
|
||||
--- a/virt.te
|
||||
+++ b/virt.te
|
||||
@@ -1,94 +1,104 @@
|
||||
@ -93991,11 +94019,6 @@ index 1f22fba..76ccef3 100644
|
||||
+userdom_use_inherited_user_terminals(svirt_sandbox_domain)
|
||||
+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
|
||||
+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ apache_exec_modules(svirt_sandbox_domain)
|
||||
+ apache_read_sys_content(svirt_sandbox_domain)
|
||||
+')
|
||||
|
||||
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
|
||||
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
|
||||
@ -94080,6 +94103,11 @@ index 1f22fba..76ccef3 100644
|
||||
-
|
||||
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
|
||||
+optional_policy(`
|
||||
+ apache_exec_modules(svirt_sandbox_domain)
|
||||
+ apache_read_sys_content(svirt_sandbox_domain)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
|
||||
+')
|
||||
+
|
||||
@ -94199,11 +94227,11 @@ index 1f22fba..76ccef3 100644
|
||||
+allow svirt_qemu_net_t self:rawip_socket create_socket_perms;
|
||||
+allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
|
||||
+allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
|
||||
-allow svirt_prot_exec_t self:process { execmem execstack };
|
||||
+
|
||||
+kernel_read_network_state(svirt_qemu_net_t)
|
||||
+kernel_read_irq_sysctls(svirt_qemu_net_t)
|
||||
+
|
||||
|
||||
-allow svirt_prot_exec_t self:process { execmem execstack };
|
||||
+dev_read_sysfs(svirt_qemu_net_t)
|
||||
+dev_getattr_mtrr_dev(svirt_qemu_net_t)
|
||||
+dev_read_rand(svirt_qemu_net_t)
|
||||
@ -94274,7 +94302,7 @@ index 1f22fba..76ccef3 100644
|
||||
allow virt_bridgehelper_t self:process { setcap getcap };
|
||||
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
|
||||
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
||||
@@ -1198,5 +1352,120 @@ kernel_read_network_state(virt_bridgehelper_t)
|
||||
@@ -1198,5 +1352,122 @@ kernel_read_network_state(virt_bridgehelper_t)
|
||||
|
||||
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
|
||||
|
||||
@ -94309,6 +94337,8 @@ index 1f22fba..76ccef3 100644
|
||||
+manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t)
|
||||
+logging_log_filetrans(virt_qemu_ga_t, virt_qemu_ga_log_t, file )
|
||||
+
|
||||
+kernel_read_system_state(virt_qemu_ga_t)
|
||||
+
|
||||
+corecmd_exec_shell(virt_qemu_ga_t)
|
||||
+corecmd_exec_bin(virt_qemu_ga_t)
|
||||
+
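Review bot: `kernel_read_system_state(virt_qemu_ga_t)` grants read access to every file labeled `proc_t`, not just `/proc/meminfo` named in the changelog; reference policy has no meminfo-specific interface, so the grant is probably unavoidable, but that should be recorded, e.g. `kernel_read_system_state(virt_qemu_ga_t) # /proc/meminfo; no narrower interface for proc_t`. The same hunk gives the agent `corecmd_exec_shell` and `corecmd_exec_bin`, which together with the unconfined entrypoint type for its hook scripts in virt.fc lets the confined `virt_qemu_ga_t` domain itself run arbitrary binaries; a one-line comment tying those two rules to the fsfreeze hook mechanism would make the intended scope clear. The virt_qemu_ga_t block continues past the end of the hunk.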
|
||||
|
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.12.1
|
||||
Release: 79%{?dist}
|
||||
Release: 80%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -570,6 +570,25 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Sep 12 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-80
|
||||
- Allow ldconfig to write to kdumpctl fifo files
|
||||
- allow neutron to connect to amqp ports
|
||||
- Allow kdump_manage_crash to list the kdump_crash_t directory
|
||||
- Allow glance-api to connect to amqp port
|
||||
- Allow virt_qemu_ga_t to read meminfo
|
||||
- Add antivirus_home_t type for antivirus date in HOMEDIRS
|
||||
- Allow mpd setcap which is needed by pulseaudio
|
||||
- Allow smbcontrol to create content in /var/lib/samba
|
||||
- Allow mozilla_exec_t to be used as a entrypoint to mozilla_domtrans_spec
|
||||
- Add additional labeling for qemu-ga/fsfreeze-hook.d scripts
|
||||
- amanda_exec_t needs to be executable file
|
||||
- Allow block_suspend cap for samba-net
|
||||
- Allow apps that read ipsec_mgmt_var_run_t to search ipsec_var_run_t
|
||||
- Allow init_t to run crash utility
|
||||
- Treat usr_t just like bin_t for transitions and executions
|
||||
- Add port definition of pka_ca to port 829 for openshift
|
||||
- Allow selinux_store to use symlinks
|
||||
|
||||
* Mon Sep 9 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-79
|
||||
- Allow block_suspend cap for samba-net
|
||||
- Allow t-mission-control to manage gabble cache files
|
||||