* Wed Feb 08 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-237
- Merge pull request #187 from rhatdan/container-selinux - Allow rhsmcertd domain signull kernel. - Allow container-selinux to handle all policy for container processes - Fix label for nagios plugins in nagios file conxtext file - su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization. Resolves: rhbz#1146987 - Add SELinux support for systemd-initctl daemon - Add SELinux support for systemd-bootchart - su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization. Resolves: rhbz#1146987 - Add module_load permission to can_load_kernmodule - Add module_load permission to class system - Add the validate_trans access vector to the security class - Restore connecto permssions for init_t
This commit is contained in:
Lukas Vrabec
parent
eb8104a967
commit
fd7fb37552
Binary file not shown.
File diff suppressed because it is too large
Load Diff
|
|
@ -57726,7 +57726,7 @@ index 0000000..79f1250
|
|||
+
|
||||
+fs_getattr_xattr_fs(naemon_t)
|
||||
diff --git a/nagios.fc b/nagios.fc
|
||||
index d78dfc3..40e1c77 100644
|
||||
index d78dfc3..c781b72 100644
|
||||
--- a/nagios.fc
|
||||
+++ b/nagios.fc
|
||||
@@ -1,88 +1,113 @@
|
||||
|
|
@ -57774,13 +57774,13 @@ index d78dfc3..40e1c77 100644
|
|||
+
|
||||
+/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
|
||||
+/var/spool/icinga(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
|
||||
+
|
||||
|
||||
+ifdef(`distro_debian',`
|
||||
+/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
|
||||
+')
|
||||
+/usr/lib/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:nagios_script_exec_t,s0)
|
||||
+/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:nagios_script_exec_t,s0)
|
||||
|
||||
+
|
||||
+# admin plugins
|
||||
/usr/lib/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0)
|
||||
|
||||
|
|
@ -57792,106 +57792,132 @@ index d78dfc3..40e1c77 100644
|
|||
/usr/lib/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
|
||||
|
||||
-/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
|
||||
+# mail plugins
|
||||
+/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
|
||||
|
||||
+/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0)
|
||||
+
|
||||
+# system plugins
|
||||
/usr/lib/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
/usr/lib/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
/usr/lib/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
/usr/lib/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
/usr/lib/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
-
|
||||
-/usr/lib/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
+/usr/lib/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
+/usr/lib/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
+/usr/lib/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
/usr/lib/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
/usr/lib/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
/usr/lib/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
/usr/lib/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
/usr/lib/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
/usr/lib/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
+/usr/lib/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
/usr/lib/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
+/usr/lib/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
|
||||
+# services plugins
|
||||
/usr/lib/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
-
|
||||
-/usr/lib/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
/usr/lib/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
/usr/lib/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
/usr/lib/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
/usr/lib/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
/usr/lib/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
/usr/lib/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
/usr/lib/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
-/usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
-
|
||||
-/usr/lib/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
|
||||
+/usr/lib/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
|
||||
-
|
||||
-/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0)
|
||||
-
|
||||
-/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
|
||||
-/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
|
||||
-
|
||||
-/var/run/nagios.* -- gen_context(system_u:object_r:nagios_var_run_t,s0)
|
||||
-/var/run/nrpe.* -- gen_context(system_u:object_r:nrpe_var_run_t,s0)
|
||||
-
|
||||
-/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
|
||||
+# mail plugins
|
||||
+/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
|
||||
+
|
||||
+/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0)
|
||||
+
|
||||
+# system plugins
|
||||
+/usr/lib(64)?/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||
+
|
||||
+# services plugins
|
||||
+/usr/lib(64)?/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+/usr/lib(64)?/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||
+
|
||||
+# openshift plugins
|
||||
+/usr/lib64/nagios/plugins/check_node_accept_status -- gen_context(system_u:object_r:nagios_openshift_plugin_exec_t,s0)
|
||||
+/usr/lib64/nagios/plugins/check_number_openshift_apps -- gen_context(system_u:object_r:nagios_openshift_plugin_exec_t,s0)
|
||||
|
||||
-/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
|
||||
-/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
|
||||
+
|
||||
+# label all nagios plugin as unconfined by default
|
||||
+/usr/lib/nagios/plugins/.* -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
|
||||
|
||||
-/var/run/nagios.* -- gen_context(system_u:object_r:nagios_var_run_t,s0)
|
||||
-/var/run/nrpe.* -- gen_context(system_u:object_r:nrpe_var_run_t,s0)
|
||||
+
|
||||
+# eventhandlers
|
||||
+/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
|
||||
+/usr/lib/icinga/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
|
||||
|
||||
-/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
|
||||
+
|
||||
diff --git a/nagios.if b/nagios.if
|
||||
index 0641e97..f3b1111 100644
|
||||
--- a/nagios.if
|
||||
|
|
@ -89271,7 +89297,7 @@ index 6dbc905..4b17c93 100644
|
|||
- admin_pattern($1, rhsmcertd_lock_t)
|
||||
')
|
||||
diff --git a/rhsmcertd.te b/rhsmcertd.te
|
||||
index d32e1a2..1271bf3 100644
|
||||
index d32e1a2..7239c98 100644
|
||||
--- a/rhsmcertd.te
|
||||
+++ b/rhsmcertd.te
|
||||
@@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t)
|
||||
|
|
@ -89310,13 +89336,14 @@ index d32e1a2..1271bf3 100644
|
|||
manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
|
||||
manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
|
||||
|
||||
@@ -50,25 +56,89 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
|
||||
@@ -50,25 +56,90 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
|
||||
files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
|
||||
|
||||
kernel_read_network_state(rhsmcertd_t)
|
||||
+kernel_read_net_sysctls(rhsmcertd_t)
|
||||
kernel_read_system_state(rhsmcertd_t)
|
||||
+kernel_read_sysctl(rhsmcertd_t)
|
||||
+kernel_signull(rhsmcertd_t)
|
||||
+
|
||||
+corenet_tcp_connect_http_port(rhsmcertd_t)
|
||||
+corenet_tcp_connect_http_cache_port(rhsmcertd_t)
|
||||
|
|
@ -114709,7 +114736,7 @@ index facdee8..2cff369 100644
|
|||
+ domtrans_pattern($1,container_file_t, $2)
|
||||
')
|
||||
diff --git a/virt.te b/virt.te
|
||||
index f03dcf5..b5b9ca5 100644
|
||||
index f03dcf5..482c24b 100644
|
||||
--- a/virt.te
|
||||
+++ b/virt.te
|
||||
@@ -1,451 +1,411 @@
|
||||
|
|
@ -115789,7 +115816,7 @@ index f03dcf5..b5b9ca5 100644
|
|||
+dev_read_sysfs(virtlogd_t)
|
||||
+
|
||||
+logging_send_syslog_msg(virtlogd_t)
|
||||
+
|
||||
|
||||
+auth_use_nsswitch(virtlogd_t)
|
||||
+
|
||||
+manage_files_pattern(virtlogd_t, virt_log_t, virt_log_t)
|
||||
|
|
@ -116045,7 +116072,7 @@ index f03dcf5..b5b9ca5 100644
|
|||
+init_system_domain(virsh_t, virsh_exec_t)
|
||||
+typealias virsh_t alias xm_t;
|
||||
+typealias virsh_exec_t alias xm_exec_t;
|
||||
|
||||
+
|
||||
+allow virsh_t self:capability { setpcap dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config };
|
||||
+allow virsh_t self:process { getcap getsched setsched setcap setexec signal };
|
||||
+allow virsh_t self:fifo_file rw_fifo_file_perms;
|
||||
|
|
@ -116133,10 +116160,10 @@ index f03dcf5..b5b9ca5 100644
|
|||
|
||||
-logging_send_syslog_msg(virsh_t)
|
||||
+systemd_exec_systemctl(virsh_t)
|
||||
+
|
||||
+auth_read_passwd(virsh_t)
|
||||
|
||||
-miscfiles_read_localization(virsh_t)
|
||||
+auth_read_passwd(virsh_t)
|
||||
+
|
||||
+logging_send_syslog_msg(virsh_t)
|
||||
|
||||
sysnet_dns_name_resolve(virsh_t)
|
||||
|
|
@ -116301,7 +116328,7 @@ index f03dcf5..b5b9ca5 100644
|
|||
selinux_get_enforce_mode(virtd_lxc_t)
|
||||
selinux_get_fs_mount(virtd_lxc_t)
|
||||
selinux_validate_context(virtd_lxc_t)
|
||||
@@ -974,194 +1268,355 @@ selinux_compute_create_context(virtd_lxc_t)
|
||||
@@ -974,194 +1268,296 @@ selinux_compute_create_context(virtd_lxc_t)
|
||||
selinux_compute_relabel_context(virtd_lxc_t)
|
||||
selinux_compute_user_contexts(virtd_lxc_t)
|
||||
|
||||
|
|
@ -116328,8 +116355,7 @@ index f03dcf5..b5b9ca5 100644
|
|||
+ hal_dbus_chat(virtd_lxc_t)
|
||||
+ ')
|
||||
+')
|
||||
|
||||
-sysnet_domtrans_ifconfig(virtd_lxc_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ container_exec_lib(virtd_lxc_t)
|
||||
+')
|
||||
|
|
@ -116341,7 +116367,8 @@ index f03dcf5..b5b9ca5 100644
|
|||
+optional_policy(`
|
||||
+ setrans_manage_pid_files(virtd_lxc_t)
|
||||
+')
|
||||
+
|
||||
|
||||
-sysnet_domtrans_ifconfig(virtd_lxc_t)
|
||||
+optional_policy(`
|
||||
+ unconfined_domain(virtd_lxc_t)
|
||||
+')
|
||||
|
|
@ -116374,89 +116401,7 @@ index f03dcf5..b5b9ca5 100644
|
|||
+tunable_policy(`deny_ptrace',`',`
|
||||
+ allow svirt_sandbox_domain self:process ptrace;
|
||||
+')
|
||||
|
||||
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
|
||||
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
|
||||
-allow svirt_lxc_domain self:fifo_file manage_file_perms;
|
||||
-allow svirt_lxc_domain self:sem create_sem_perms;
|
||||
-allow svirt_lxc_domain self:shm create_shm_perms;
|
||||
-allow svirt_lxc_domain self:msgq create_msgq_perms;
|
||||
-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
|
||||
-
|
||||
-allow svirt_lxc_domain virtd_lxc_t:fd use;
|
||||
-allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms;
|
||||
-allow svirt_lxc_domain virtd_lxc_t:process sigchld;
|
||||
-
|
||||
-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
|
||||
-
|
||||
-allow svirt_lxc_domain virsh_t:fd use;
|
||||
-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
|
||||
-allow svirt_lxc_domain virsh_t:process sigchld;
|
||||
-
|
||||
-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
|
||||
-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
|
||||
-
|
||||
-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-
|
||||
-allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
|
||||
-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
|
||||
-
|
||||
-can_exec(svirt_lxc_domain, svirt_lxc_file_t)
|
||||
-
|
||||
-kernel_getattr_proc(svirt_lxc_domain)
|
||||
-kernel_list_all_proc(svirt_lxc_domain)
|
||||
-kernel_read_kernel_sysctls(svirt_lxc_domain)
|
||||
-kernel_rw_net_sysctls(svirt_lxc_domain)
|
||||
-kernel_read_system_state(svirt_lxc_domain)
|
||||
-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
|
||||
-
|
||||
-corecmd_exec_all_executables(svirt_lxc_domain)
|
||||
-
|
||||
-files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
|
||||
-files_dontaudit_getattr_all_files(svirt_lxc_domain)
|
||||
-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
|
||||
-files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
|
||||
-files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
|
||||
-files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
|
||||
-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
|
||||
-# files_entrypoint_all_files(svirt_lxc_domain)
|
||||
-files_list_var(svirt_lxc_domain)
|
||||
-files_list_var_lib(svirt_lxc_domain)
|
||||
-files_search_all(svirt_lxc_domain)
|
||||
-files_read_config_files(svirt_lxc_domain)
|
||||
-files_read_usr_files(svirt_lxc_domain)
|
||||
-files_read_usr_symlinks(svirt_lxc_domain)
|
||||
-
|
||||
-fs_getattr_all_fs(svirt_lxc_domain)
|
||||
-fs_list_inotifyfs(svirt_lxc_domain)
|
||||
-
|
||||
-# fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
|
||||
-# fs_rw_inherited_cifs_files(svirt_lxc_domain)
|
||||
-# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain)
|
||||
-
|
||||
-auth_dontaudit_read_login_records(svirt_lxc_domain)
|
||||
-auth_dontaudit_write_login_records(svirt_lxc_domain)
|
||||
-auth_search_pam_console_data(svirt_lxc_domain)
|
||||
-
|
||||
-clock_read_adjtime(svirt_lxc_domain)
|
||||
-
|
||||
-init_read_utmp(svirt_lxc_domain)
|
||||
-init_dontaudit_write_utmp(svirt_lxc_domain)
|
||||
-
|
||||
-libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
|
||||
-
|
||||
-miscfiles_read_localization(svirt_lxc_domain)
|
||||
-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
|
||||
-miscfiles_read_fonts(svirt_lxc_domain)
|
||||
-
|
||||
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
|
||||
+
|
||||
+allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
+allow virtd_t svirt_sandbox_domain:process { signal_perms getattr };
|
||||
+allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms };
|
||||
|
|
@ -116546,28 +116491,112 @@ index f03dcf5..b5b9ca5 100644
|
|||
+userdom_use_inherited_user_terminals(svirt_sandbox_domain)
|
||||
+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
|
||||
+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
|
||||
+
|
||||
|
||||
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
|
||||
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
|
||||
-allow svirt_lxc_domain self:fifo_file manage_file_perms;
|
||||
-allow svirt_lxc_domain self:sem create_sem_perms;
|
||||
-allow svirt_lxc_domain self:shm create_shm_perms;
|
||||
-allow svirt_lxc_domain self:msgq create_msgq_perms;
|
||||
-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
|
||||
-
|
||||
-allow svirt_lxc_domain virtd_lxc_t:fd use;
|
||||
-allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms;
|
||||
-allow svirt_lxc_domain virtd_lxc_t:process sigchld;
|
||||
-
|
||||
-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
|
||||
-
|
||||
-allow svirt_lxc_domain virsh_t:fd use;
|
||||
-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
|
||||
-allow svirt_lxc_domain virsh_t:process sigchld;
|
||||
-
|
||||
-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
|
||||
-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
|
||||
-
|
||||
-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-
|
||||
-allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
|
||||
-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
|
||||
-
|
||||
-can_exec(svirt_lxc_domain, svirt_lxc_file_t)
|
||||
-
|
||||
-kernel_getattr_proc(svirt_lxc_domain)
|
||||
-kernel_list_all_proc(svirt_lxc_domain)
|
||||
-kernel_read_kernel_sysctls(svirt_lxc_domain)
|
||||
-kernel_rw_net_sysctls(svirt_lxc_domain)
|
||||
-kernel_read_system_state(svirt_lxc_domain)
|
||||
-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
|
||||
-
|
||||
-corecmd_exec_all_executables(svirt_lxc_domain)
|
||||
-
|
||||
-files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
|
||||
-files_dontaudit_getattr_all_files(svirt_lxc_domain)
|
||||
-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
|
||||
-files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
|
||||
-files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
|
||||
-files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
|
||||
-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
|
||||
-# files_entrypoint_all_files(svirt_lxc_domain)
|
||||
-files_list_var(svirt_lxc_domain)
|
||||
-files_list_var_lib(svirt_lxc_domain)
|
||||
-files_search_all(svirt_lxc_domain)
|
||||
-files_read_config_files(svirt_lxc_domain)
|
||||
-files_read_usr_files(svirt_lxc_domain)
|
||||
-files_read_usr_symlinks(svirt_lxc_domain)
|
||||
-
|
||||
-fs_getattr_all_fs(svirt_lxc_domain)
|
||||
-fs_list_inotifyfs(svirt_lxc_domain)
|
||||
-
|
||||
-# fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
|
||||
-# fs_rw_inherited_cifs_files(svirt_lxc_domain)
|
||||
-# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain)
|
||||
-
|
||||
-auth_dontaudit_read_login_records(svirt_lxc_domain)
|
||||
-auth_dontaudit_write_login_records(svirt_lxc_domain)
|
||||
-auth_search_pam_console_data(svirt_lxc_domain)
|
||||
-
|
||||
-clock_read_adjtime(svirt_lxc_domain)
|
||||
-
|
||||
-init_read_utmp(svirt_lxc_domain)
|
||||
-init_dontaudit_write_utmp(svirt_lxc_domain)
|
||||
-
|
||||
-libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
|
||||
-
|
||||
-miscfiles_read_localization(svirt_lxc_domain)
|
||||
-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
|
||||
-miscfiles_read_fonts(svirt_lxc_domain)
|
||||
-
|
||||
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
|
||||
+optional_policy(`
|
||||
+tunable_policy(`virt_sandbox_share_apache_content',`
|
||||
+ apache_exec_modules(svirt_sandbox_domain)
|
||||
+ apache_read_sys_content(svirt_sandbox_domain)
|
||||
+ ')
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
- udev_read_pid_files(svirt_lxc_domain)
|
||||
+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- apache_exec_modules(svirt_lxc_domain)
|
||||
- apache_read_sys_content(svirt_lxc_domain)
|
||||
+ ssh_use_ptys(svirt_sandbox_domain)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ udev_read_pid_files(svirt_sandbox_domain)
|
||||
+')
|
||||
|
||||
optional_policy(`
|
||||
- udev_read_pid_files(svirt_lxc_domain)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ userhelper_dontaudit_write_config(svirt_sandbox_domain)
|
||||
+')
|
||||
+
|
||||
|
|
@ -116597,11 +116626,9 @@ index f03dcf5..b5b9ca5 100644
|
|||
+ fs_mount_fusefs(svirt_sandbox_domain)
|
||||
+ fs_unmount_fusefs(svirt_sandbox_domain)
|
||||
+ fs_exec_fusefs_files(svirt_sandbox_domain)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- apache_exec_modules(svirt_lxc_domain)
|
||||
- apache_read_sys_content(svirt_lxc_domain)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ container_read_share_files(svirt_sandbox_domain)
|
||||
+ container_exec_share_files(svirt_sandbox_domain)
|
||||
+ container_lib_filetrans(svirt_sandbox_domain,container_file_t, sock_file)
|
||||
|
|
@ -116618,16 +116645,7 @@ index f03dcf5..b5b9ca5 100644
|
|||
#
|
||||
+virt_sandbox_domain_template(container)
|
||||
+typealias container_t alias svirt_lxc_net_t;
|
||||
+virt_default_capabilities(container_t)
|
||||
+dontaudit container_t self:capability fsetid;
|
||||
+dontaudit container_t self:capability2 block_suspend ;
|
||||
+allow container_t self:process { execstack execmem };
|
||||
+manage_chr_files_pattern(container_t, container_file_t, container_file_t)
|
||||
+manage_blk_files_pattern(container_t, container_file_t, container_file_t)
|
||||
+
|
||||
+tunable_policy(`virt_sandbox_use_sys_admin',`
|
||||
+ allow container_t self:capability sys_admin;
|
||||
+')
|
||||
+# Policy moved to container-selinux policy package
|
||||
|
||||
-allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
|
||||
-dontaudit svirt_lxc_net_t self:capability2 block_suspend;
|
||||
|
|
@ -116640,12 +116658,18 @@ index f03dcf5..b5b9ca5 100644
|
|||
-allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
|
||||
-allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms;
|
||||
-allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
-
|
||||
+########################################
|
||||
+#
|
||||
+# container_t local policy
|
||||
+#
|
||||
+virt_sandbox_domain_template(svirt_qemu_net)
|
||||
+typeattribute svirt_qemu_net_t sandbox_net_domain;
|
||||
|
||||
-kernel_read_network_state(svirt_lxc_net_t)
|
||||
-kernel_read_irq_sysctls(svirt_lxc_net_t)
|
||||
+tunable_policy(`virt_sandbox_use_mknod',`
|
||||
+ allow container_t self:capability mknod;
|
||||
+')
|
||||
+allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
|
||||
+dontaudit svirt_qemu_net_t self:capability2 block_suspend;
|
||||
+allow svirt_qemu_net_t self:process { execstack execmem };
|
||||
|
||||
-corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
|
||||
-corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
|
||||
|
|
@ -116657,118 +116681,63 @@ index f03dcf5..b5b9ca5 100644
|
|||
-corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
|
||||
-corenet_tcp_bind_generic_node(svirt_lxc_net_t)
|
||||
-corenet_udp_bind_generic_node(svirt_lxc_net_t)
|
||||
+tunable_policy(`virt_sandbox_use_all_caps',`
|
||||
+ allow container_t self:capability all_capability_perms;
|
||||
+ allow container_t self:capability2 all_capability2_perms;
|
||||
+')
|
||||
|
||||
-corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
|
||||
-corenet_udp_bind_all_ports(svirt_lxc_net_t)
|
||||
-corenet_tcp_bind_all_ports(svirt_lxc_net_t)
|
||||
+tunable_policy(`virt_sandbox_use_netlink',`
|
||||
+ allow container_t self:netlink_socket create_socket_perms;
|
||||
+ allow container_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
|
||||
+ allow container_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
+ allow container_t self:netlink_connector_socket create_socket_perms;
|
||||
+ allow container_t self:netlink_crypto_socket create_socket_perms;
|
||||
+ allow container_t self:netlink_fib_lookup_socket create_socket_perms;
|
||||
+ allow container_t self:netlink_generic_socket create_socket_perms;
|
||||
+ allow container_t self:netlink_iscsi_socket create_socket_perms;
|
||||
+ allow container_t self:netlink_netfilter_socket create_socket_perms;
|
||||
+ allow container_t self:netlink_rdma_socket create_socket_perms;
|
||||
+ allow container_t self:netlink_scsitransport_socket create_socket_perms;
|
||||
+', `
|
||||
+ logging_dontaudit_send_audit_msgs(container_t)
|
||||
+')
|
||||
|
||||
-corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
|
||||
-corenet_tcp_connect_all_ports(svirt_lxc_net_t)
|
||||
+allow container_t virt_lxc_var_run_t:dir list_dir_perms;
|
||||
+allow container_t virt_lxc_var_run_t:file read_file_perms;
|
||||
|
||||
-dev_getattr_mtrr_dev(svirt_lxc_net_t)
|
||||
-dev_read_rand(svirt_lxc_net_t)
|
||||
-dev_read_sysfs(svirt_lxc_net_t)
|
||||
-dev_read_urand(svirt_lxc_net_t)
|
||||
+kernel_read_irq_sysctls(container_t)
|
||||
+kernel_read_messages(container_t)
|
||||
|
||||
-files_read_kernel_modules(svirt_lxc_net_t)
|
||||
+dev_read_sysfs(container_t)
|
||||
+dev_read_mtrr(container_t)
|
||||
+dev_read_rand(container_t)
|
||||
+dev_read_urand(container_t)
|
||||
|
||||
-fs_mount_cgroup(svirt_lxc_net_t)
|
||||
-fs_manage_cgroup_dirs(svirt_lxc_net_t)
|
||||
-fs_rw_cgroup_files(svirt_lxc_net_t)
|
||||
+files_read_kernel_modules(container_t)
|
||||
|
||||
-auth_use_nsswitch(svirt_lxc_net_t)
|
||||
+fs_noxattr_type(container_file_t)
|
||||
|
||||
-logging_send_audit_msgs(svirt_lxc_net_t)
|
||||
+term_pty(container_file_t)
|
||||
|
||||
-userdom_use_user_ptys(svirt_lxc_net_t)
|
||||
+logging_send_syslog_msg(container_t)
|
||||
|
||||
-optional_policy(`
|
||||
- rpm_read_db(svirt_lxc_net_t)
|
||||
+tunable_policy(`virt_sandbox_use_audit',`
|
||||
+ logging_send_audit_msgs(container_t)
|
||||
')
|
||||
|
||||
-#######################################
|
||||
+userdom_use_user_ptys(container_t)
|
||||
+
|
||||
+########################################
|
||||
#
|
||||
-# Prot exec local policy
|
||||
+# container_t local policy
|
||||
#
|
||||
+virt_sandbox_domain_template(svirt_qemu_net)
|
||||
+typeattribute svirt_qemu_net_t sandbox_net_domain;
|
||||
+
|
||||
+allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
|
||||
+dontaudit svirt_qemu_net_t self:capability2 block_suspend;
|
||||
+allow svirt_qemu_net_t self:process { execstack execmem };
|
||||
+
|
||||
+tunable_policy(`virt_sandbox_use_netlink',`
|
||||
+ allow svirt_qemu_net_t self:netlink_socket create_socket_perms;
|
||||
+ allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
|
||||
+ allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
+')
|
||||
+
|
||||
|
||||
-corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
|
||||
-corenet_udp_bind_all_ports(svirt_lxc_net_t)
|
||||
-corenet_tcp_bind_all_ports(svirt_lxc_net_t)
|
||||
+manage_dirs_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
|
||||
+manage_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
|
||||
+manage_fifo_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
|
||||
+manage_lnk_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
|
||||
+manage_sock_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
|
||||
+filetrans_pattern(sandbox_net_domain, virt_home_t, svirt_home_t, { dir sock_file file })
|
||||
+
|
||||
|
||||
-corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
|
||||
-corenet_tcp_connect_all_ports(svirt_lxc_net_t)
|
||||
+term_use_generic_ptys(svirt_qemu_net_t)
|
||||
+term_use_ptmx(svirt_qemu_net_t)
|
||||
+
|
||||
|
||||
-dev_getattr_mtrr_dev(svirt_lxc_net_t)
|
||||
-dev_read_rand(svirt_lxc_net_t)
|
||||
-dev_read_sysfs(svirt_lxc_net_t)
|
||||
-dev_read_urand(svirt_lxc_net_t)
|
||||
+dev_rw_kvm(svirt_qemu_net_t)
|
||||
+
|
||||
|
||||
-files_read_kernel_modules(svirt_lxc_net_t)
|
||||
+manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
|
||||
|
||||
-allow svirt_prot_exec_t self:process { execmem execstack };
|
||||
-fs_mount_cgroup(svirt_lxc_net_t)
|
||||
-fs_manage_cgroup_dirs(svirt_lxc_net_t)
|
||||
-fs_rw_cgroup_files(svirt_lxc_net_t)
|
||||
+list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
|
||||
+read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
|
||||
+
|
||||
|
||||
-auth_use_nsswitch(svirt_lxc_net_t)
|
||||
+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
|
||||
+
|
||||
|
||||
-logging_send_audit_msgs(svirt_lxc_net_t)
|
||||
+kernel_read_irq_sysctls(svirt_qemu_net_t)
|
||||
+
|
||||
|
||||
-userdom_use_user_ptys(svirt_lxc_net_t)
|
||||
+dev_read_sysfs(svirt_qemu_net_t)
|
||||
+dev_getattr_mtrr_dev(svirt_qemu_net_t)
|
||||
+dev_read_rand(svirt_qemu_net_t)
|
||||
+dev_read_urand(svirt_qemu_net_t)
|
||||
+
|
||||
|
||||
-optional_policy(`
|
||||
- rpm_read_db(svirt_lxc_net_t)
|
||||
-')
|
||||
+files_read_kernel_modules(svirt_qemu_net_t)
|
||||
+
|
||||
|
||||
-#######################################
|
||||
-#
|
||||
-# Prot exec local policy
|
||||
-#
|
||||
+fs_noxattr_type(container_file_t)
|
||||
+fs_mount_cgroup(svirt_qemu_net_t)
|
||||
+fs_manage_cgroup_dirs(svirt_qemu_net_t)
|
||||
|
|
@ -116781,7 +116750,8 @@ index f03dcf5..b5b9ca5 100644
|
|||
+rpm_read_db(svirt_qemu_net_t)
|
||||
+
|
||||
+logging_send_syslog_msg(svirt_qemu_net_t)
|
||||
+
|
||||
|
||||
-allow svirt_prot_exec_t self:process { execmem execstack };
|
||||
+tunable_policy(`virt_sandbox_use_audit',`
|
||||
+ logging_send_audit_msgs(svirt_qemu_net_t)
|
||||
+')
|
||||
|
|
@ -116802,7 +116772,7 @@ index f03dcf5..b5b9ca5 100644
|
|||
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
|
||||
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
|
||||
@@ -1174,12 +1629,12 @@ dev_read_sysfs(virt_qmf_t)
|
||||
@@ -1174,12 +1570,12 @@ dev_read_sysfs(virt_qmf_t)
|
||||
dev_read_rand(virt_qmf_t)
|
||||
dev_read_urand(virt_qmf_t)
|
||||
|
||||
|
|
@ -116817,7 +116787,7 @@ index f03dcf5..b5b9ca5 100644
|
|||
sysnet_read_config(virt_qmf_t)
|
||||
|
||||
optional_policy(`
|
||||
@@ -1192,7 +1647,7 @@ optional_policy(`
|
||||
@@ -1192,7 +1588,7 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -116826,7 +116796,7 @@ index f03dcf5..b5b9ca5 100644
|
|||
#
|
||||
|
||||
allow virt_bridgehelper_t self:process { setcap getcap };
|
||||
@@ -1201,11 +1656,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
||||
@@ -1201,11 +1597,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
||||
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
|
||||
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
|
|
@ -117000,7 +116970,7 @@ index f03dcf5..b5b9ca5 100644
|
|||
+
|
||||
+########################################
|
||||
+#
|
||||
+# container_t local policy
|
||||
+# svirt_kvm_net_t local policy
|
||||
+#
|
||||
+virt_sandbox_domain_template(svirt_kvm_net)
|
||||
+typeattribute svirt_kvm_net_t sandbox_net_domain;
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@
|
|||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 236%{?dist}
|
||||
Release: 237%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
|
|
@ -675,6 +675,20 @@ exit 0
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Feb 08 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-237
|
||||
- Merge pull request #187 from rhatdan/container-selinux
|
||||
- Allow rhsmcertd domain signull kernel.
|
||||
- Allow container-selinux to handle all policy for container processes
|
||||
- Fix label for nagios plugins in nagios file conxtext file
|
||||
- su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization. Resolves: rhbz#1146987
|
||||
- Add SELinux support for systemd-initctl daemon
|
||||
- Add SELinux support for systemd-bootchart
|
||||
- su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization. Resolves: rhbz#1146987
|
||||
- Add module_load permission to can_load_kernmodule
|
||||
- Add module_load permission to class system
|
||||
- Add the validate_trans access vector to the security class
|
||||
- Restore connecto permssions for init_t
|
||||
|
||||
* Thu Feb 02 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-236
|
||||
- Allow kdumpgui domain to read nvme device
|
||||
- Add amanda_tmpfs_t label. BZ(1243752)
|
||||
|
|
|
|||
Loading…
Reference in New Issue